2025-01-18 update. Source: SLTechnology News&Howtos (shulou), Network Security.
Shulou (Shulou.com) 05/31 report
This article is a walkthrough of the JIS-CTF: VulnUpload target machine on Vulnhub. The editor found it practical and shares it here; I hope you take something away from it.
Vulnhub is one of my favourite playgrounds, and every target on it is a good game. Collecting all the flags is only the baseline; the real goal is privilege escalation. I am not trying to capture the flags as fast as possible but to compromise the target through a complete attack chain, so some steps in this walkthrough do not help with the flags directly. They are still steps you should take against a real target.
The target "JIS-CTF: VulnUpload" contains 5 flags, is rated beginner difficulty, and takes about 1.5 hours on average. A VirtualBox image is available from https://www.vulnhub.com/entry/jis-ctf-vulnupload,228/; import it and it is ready to play.
The JIS virtual machine gets its address by DHCP, so the first job is to find its IP. nmap's -sn option does host discovery (a ping scan without a port scan):
Four live hosts come back. 192.168.56.1 is my host system, 192.168.56.2 is the DHCP server, and 192.168.56.5 identifies itself as localhost, which is my kali box, so the IP of JIS is 192.168.56.6.
I. System service discovery
With the IP in hand, the first priority is service analysis. nmap's -O (OS detection) and -sV (version detection) options do this:
JIS runs SSH (OpenSSH 7.2p2) on port 22 and HTTP (Apache httpd 2.4.18) on port 80, and the operating system is Ubuntu. These three facts are the attack surface for the next stage.
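The two scans above (host discovery with -sn, then -O/-sV against the survivor) produce output that is worth parsing rather than reading off a screenshot, especially on a bigger subnet. The following is an added example, not tooling from the write-up: it parses nmap's grepable (-oG) format, drops the hosts we already account for, and turns each open service's version string into a searchsploit query. Both scan outputs are constructed to match what the write-up reports; the parenthetical parts of the version strings are assumptions.

```python
"""Parse nmap grepable (-oG) output into a target list and searchsploit terms.

Added example; the scan outputs below are constructed, not captured.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample of `nmap -sn -oG - 192.168.56.0/24` (four hosts up).
DISCOVERY_OUTPUT = """\
# Nmap scan initiated (constructed sample): nmap -sn -oG - 192.168.56.0/24
Host: 192.168.56.1 ()\tStatus: Up
Host: 192.168.56.2 ()\tStatus: Up
Host: 192.168.56.5 (localhost)\tStatus: Up
Host: 192.168.56.6 ()\tStatus: Up
# Nmap done (constructed sample): 256 IP addresses (4 hosts up)
"""

# Constructed sample of `nmap -O -sV -oG - 192.168.56.6`. The product/version
# strings are the ones the write-up reports; the parentheticals are assumed.
SERVICE_OUTPUT = """\
Host: 192.168.56.6 ()\tStatus: Up
Host: 192.168.56.6 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.18 ((Ubuntu))/\tIgnored State: closed (998)
"""

HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s*(.*)$")


@dataclass
class Service:
    port: int
    state: str
    proto: str
    name: str
    version: str


@dataclass
class Host:
    ip: str
    hostname: str = ""
    up: bool = False
    services: list = field(default_factory=list)


def _parse_ports(value):
    """Each entry is port/state/proto/owner/service/rpcinfo/version/."""
    services = []
    for entry in value.split(", "):
        parts = entry.split("/", 6)  # keep any '/' inside the version text
        if len(parts) < 7:
            continue
        port, state, proto, _owner, name, _rpc, version = parts
        services.append(Service(int(port), state, proto, name, version.rstrip("/")))
    return services


def parse_grepable(text):
    """Return {ip: Host}; '#' comment lines are skipped."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue
        ip, hostname, rest = m.groups()
        host = hosts.setdefault(ip, Host(ip=ip))
        if hostname:
            host.hostname = hostname
        for fld in rest.split("\t"):  # tab-separated "Key: value" fields
            key, _, value = fld.partition(":")
            key, value = key.strip(), value.strip()
            if key == "Status":
                host.up = value == "Up"
            elif key == "Ports":
                host.services.extend(_parse_ports(value))
    return hosts


def candidate_targets(hosts, exclude=()):
    """Live hosts minus the ones we can explain (own box, gateway, DHCP)."""
    ips = [h.ip for h in hosts.values() if h.up and h.ip not in set(exclude)]
    return sorted(ips, key=ipaddress.ip_address)


def search_terms(host):
    """Product + version per open port, nmap's parenthetical extras removed,
    ready for `searchsploit "<term>"`."""
    return [re.sub(r"\s*\(.*\)\s*$", "", s.version)
            for s in host.services if s.state == "open" and s.version]


if __name__ == "__main__":
    live = parse_grepable(DISCOVERY_OUTPUT)
    known = {"192.168.56.1", "192.168.56.2", "192.168.56.5"}  # host, DHCP, kali
    print("targets:", candidate_targets(live, exclude=known))
    jis = parse_grepable(SERVICE_OUTPUT)["192.168.56.6"]
    for svc in jis.services:
        print(f"{svc.port}/{svc.proto} {svc.name}: {svc.version}")
    print("searchsploit terms:", search_terms(jis))
```

The version field is parsed with a bounded split so that a product string containing a slash does not shift the columns, and the parenthetical (distribution, protocol) is stripped before searching because exploit-db titles are indexed by product and version only.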
II. System vulnerability analysis
I usually attack SSH from two angles: weak passwords and known vulnerabilities in the service. For weak passwords I run a brute force with common usernames and passwords (e.g. hydra against ssh://192.168.56.6), although the odds are slim:
It will not finish in a short time, so I leave it running in the background and come back to it later.
For known vulnerabilities in the SSH service I recommend searchsploit. An exact search for OpenSSH 7.2p2:
It returns a username enumeration vulnerability, and a valid username is exactly what would help the SSH password attack. Try the exploit:
Several runs gave different results, so this exploit is unreliable (the enumeration bug in that version is a timing side channel, so it is noisy by nature). Perhaps the search was too narrow; search for openssh without a version number to see whether there are other vulnerabilities:
Two of the results are worth considering: a local privilege escalation and a remote command execution. Tempting, but neither works here. The former needs a foothold on the box (such as a webshell) that we do not yet have, so it is set aside for the privilege escalation stage. The latter has very strict preconditions: the attacker must control a forwarded agent socket, and the victim must SSH into a machine the attacker controls before the victim's agent loads the attacker's *.so and executes code. That is as far as SSH vulnerabilities go for now.
Now check whether the Apache service has any exploitable vulnerabilities:
The exact version from the service probe is Apache httpd 2.4.18, and the only match is a memory disclosure bug, which is of little value here.
That is as far as system-level analysis goes at this stage. We know the distribution is Ubuntu, but not the release or the architecture, so it is hard to pick an operating-system exploit precisely. Rather than waste more time at the system level, I will come back to it during privilege escalation once we have a webshell, and move to the web application now.
III. Web content discovery
Visiting the web port found earlier redirects automatically to http://192.168.56.6/login.php:
The HTML source has nothing of value, and there is no way to enumerate usernames. A weak-password attack on the form is possible, but the SSH brute force is still running, so I put the web login aside and look for other pages first.
Scan the web port, find the admin backend, log in with a weak password, upload a webshell: before 2015 this chain had a high success rate, and whether you can find the backend address decides it. In other words, I need to find more web content: more files, pages and subdirectories, ideally packaged source code, operations and management pages, and the subdirectories that hold business logic, to widen the attack surface. I usually combine enumeration and crawling for this.
There are many tools for enumerating web content; in fact the Burp in your hands has a capable content-discovery feature that is often ignored. Visit http://192.168.56.6/ with the traffic proxied through Burp, and the site map shows the initial directory structure:
Enable content discovery via Engagement tools > Discover content:
Before enumerating, confirm with the Firefox plug-in Wappalyzer that the back end is PHP:
A quick setting lets Burp enumerate only PHP-type pages and skip aspx, jsp and other languages, which saves time:
Soon a number of new pages are enumerated:
There are more pages and directories than before, for example logout.php and server-status/. Going through them one by one turns up nothing of value.
Next I use another tool, dirsearch, to enumerate again and complement Burp. Efficiency and configurability are dirsearch's strengths. As before, the -e (extensions) option restricts it to php pages and skips aspx, jsp and the rest:
The output file out.txt shows 5 pages that returned a successful HTTP response:
Visit each of them with the traffic proxied through Burp; the site map now looks like this:
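Burp and dirsearch hide what the enumeration loop actually does: try each word as a directory and with each allowed extension, and keep every response that is not a plain 404, since a 403 on a directory still proves the directory exists and a 302 tells you where the site wants you to go. The following is an added example, not the write-up's tooling, that runs that loop offline against an in-process mock of the JIS site. The mock serves the paths the write-up reports (login.php, logout.php, server-status/, admin_area/, flag/, uploads/, uploaded_files/); the status each one returns and the wordlist are constructed assumptions.

```python
"""Directory/file enumeration with an extension filter against a local mock.

Added example; the mock site and wordlist are constructed for the demo.
"""
import http.server
import threading
import urllib.error
import urllib.request
from http import HTTPStatus

# Constructed fixture: paths the mock knows and the status it answers with.
MOCK_PATHS = {
    "/login.php": HTTPStatus.OK,
    "/logout.php": HTTPStatus.OK,
    "/admin_area/": HTTPStatus.OK,
    "/flag/": HTTPStatus.OK,
    "/server-status/": HTTPStatus.FORBIDDEN,
    "/uploads/": HTTPStatus.FORBIDDEN,
    "/uploaded_files/": HTTPStatus.FORBIDDEN,
}

# Constructed wordlist; a real run uses a dirsearch or SecLists list.
WORDLIST = ["admin", "admin_area", "backup", "config", "flag", "login",
            "logout", "server-status", "uploads", "uploaded_files", "users"]


class MockSite(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/":  # the real site redirects / to login.php
            self.send_response(HTTPStatus.FOUND)
            self.send_header("Location", "/login.php")
            self.end_headers()
            return
        status = MOCK_PATHS.get(self.path, HTTPStatus.NOT_FOUND)
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(b"<html>" + self.path.encode() + b"</html>")

    def log_message(self, *args):  # keep the demo output clean
        pass


def start_mock():
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), MockSite)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx as-is instead of following; the Location is the finding."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


# ProxyHandler({}) ignores http_proxy/https_proxy so loopback is hit directly.
OPENER = urllib.request.build_opener(NoRedirect, urllib.request.ProxyHandler({}))


def probe(base, path):
    """Return (status, Location header) for one path, redirects not followed."""
    req = urllib.request.Request(base + path, headers={"User-Agent": "enum-demo"})
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx all land here
        return err.code, err.headers.get("Location")


def enumerate_paths(base, words, extensions=("php",),
                    interesting=(200, 204, 301, 302, 401, 403)):
    """Try each word as a directory and with each extension; keep anything
    that is not a plain 404 (a 403 directory still exists)."""
    found = []
    for word in words:
        for path in [f"/{word}/"] + [f"/{word}.{ext}" for ext in extensions]:
            status, location = probe(base, path)
            if status in interesting:
                found.append((path, status, location))
    return found


def run_demo():
    srv, base = start_mock()
    try:
        root = probe(base, "/")
        found = enumerate_paths(base, WORDLIST)
    finally:
        srv.shutdown()
        srv.server_close()
    return root, found


if __name__ == "__main__":
    root, found = run_demo()
    print("/ ->", root)
    for path, status, location in found:
        print(f"{status} {path}" + (f" -> {location}" if location else ""))
```

Redirects are deliberately not followed: on the real target a 302 from / to login.php is itself a finding, and following it would have reported / as a 200 login page. Against a live site add a delay and a concurrency limit; the loop is the same.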
That is it for subdirectory enumeration; next, crawl the site.
Crawling is also done with Burp:
After the crawl, many new pages have been added:
My friend, after all this time you have not even seen the shadow of a flag? Do not worry, here they come. Search for the keyword flag in Burp's site map; the first match is http://192.168.56.6/admin_area/:
This gives the first flag {7412574125871236547895214} and a set of credentials, admin/3v1l_H@ck3r, which may be the web login or an SSH account; I will try them later. The second match for flag is http://192.168.56.6/flag/:
This gives the second flag {8734509128730458630012095}.
IV. Web application vulnerability analysis
Try logging in to http://192.168.56.6/login.php with admin/3v1l_H@ck3r:
It works, and there is a file upload function, so check it for an upload vulnerability.
Try uploading an ordinary PHP webshell:
icesword.php uploads successfully, so there is an arbitrary file upload vulnerability, but the response does not echo where the file went. Remember the uploads/ and uploaded_files/ directories found during content discovery? http://192.168.56.6/uploads/icesword.php returns an error (resource does not exist); http://192.168.56.6/uploaded_files/icesword.php returns no error but a blank page, which is what a password-gated webshell answers to a plain GET. That at least confirms the upload directory is uploaded_files/.
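The upload form accepted icesword.php by its original name and stored it under the webroot, so Apache executed it as PHP. The following is an added example, not the target's code (its upload handler is PHP and the write-up does not show its source): two validators in Python, one mirroring the behaviour observed above and one showing the checks that would have blocked it, run over a constructed set of uploads including the usual evasions (mixed case, alternative PHP extensions, double extensions, a polyglot JPEG). The private storage path is an assumption.

```python
"""Vulnerable-versus-hardened upload validation, illustrated in Python.

Added example; neither function is the target's real handler, and SAMPLES is
constructed (the webshell bodies are placeholders).
"""
import os
import secrets

IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
# Extensions Apache/PHP setups commonly execute; never store these under the webroot.
SERVER_SIDE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps", "pht"}
MAGIC = {
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8",
}
PRIVATE_DIR = "/srv/app/uploads_private"  # assumed path, outside the webroot


def naive_accepts(filename, content):
    """The behaviour the write-up observed: anything is accepted and stored
    by its original name under the webroot, so icesword.php runs as PHP."""
    return True, os.path.join("uploaded_files", os.path.basename(filename))


def hardened_accepts(filename, content):
    """Allowlist the final extension, reject executable extensions anywhere
    in the name, verify magic bytes, refuse PHP tags in the body, and store
    under a random name outside the webroot. Returns (ok, path_or_reason)."""
    name = os.path.basename(filename).lower()
    if name.startswith(".") or "." not in name:
        return False, "no usable extension"          # .htaccess, bare names
    parts = name.split(".")
    ext = parts[-1]
    if ext not in IMAGE_EXTENSIONS:
        return False, f"extension .{ext} not allowed"
    if any(p in SERVER_SIDE for p in parts[1:-1]):
        return False, "server-side extension inside the name"  # shell.php.jpg
    if not content.startswith(MAGIC[ext]):
        return False, "content does not match declared type"
    if b"<?php" in content or b"<?=" in content:
        # Cheap backstop against polyglots; re-encoding the image is the
        # robust fix if the file could ever be included by PHP.
        return False, "embedded PHP tag"
    return True, os.path.join(PRIVATE_DIR, f"{secrets.token_hex(16)}.{ext}")


# Constructed uploads: name -> body.
SAMPLES = {
    "icesword.php": b"<?php /* webshell body omitted */ ?>",
    "shell.PhP": b"<?php /* mixed-case extension */ ?>",
    "shell.phtml": b"<?php /* alternative PHP extension */ ?>",
    "shell.php.jpg": b"\xff\xd8\xff\xe0<?php /* double extension */ ?>",
    "polyglot.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8 + b"<?php /* in a JPEG */ ?>",
    "photo.jpg": b"<?php /* PHP with an image extension */ ?>",
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    ".htaccess": b"AddType application/x-httpd-php .jpg",
}


def review(validator, samples=SAMPLES):
    """Map each sample name to the validator's accept/reject decision."""
    return {name: validator(name, body)[0] for name, body in samples.items()}


if __name__ == "__main__":
    for label, validator in (("naive", naive_accepts), ("hardened", hardened_accepts)):
        print(label)
        for name, body in SAMPLES.items():
            ok, detail = validator(name, body)
            print(f"  {'accept' if ok else 'reject':6} {name:16} {detail}")
```

Storing under a random name outside the webroot is what removes the attacker's ability to request the file at all; the extension and content checks only reduce what gets stored. If uploads must be served back, do it through a download handler that sets Content-Disposition and a fixed content type, never by exposing the directory.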
I generate a PHP reverse Meterpreter payload, msf_private.php, with msfvenom and upload it the same way:
Start MSF with a matching listener, visit http://192.168.56.6/uploaded_files/msf_private.php, and a meterpreter session arrives immediately:
A quick look through the files:
flag.txt and hint.txt catch my eye. flag.txt is not readable by the web server account. hint.txt yields the third flag {7645110034526579012345670} and a hint: to read flag.txt you must first find the password of the account technawi.
Next I need technawi's password. I plan to look for anything related to technawi in two ways: by file name and by file content.
First, meterpreter's built-in search command for files with technawi in the name:
Nothing found. Strange: the user technawi exists, so /home/technawi/ must exist, yet the search finds nothing. Drop into a shell and check again:
There it is. So meterpreter's built-in search is unreliable; search from the shell instead. Going through the results one by one, nothing of value turns up.
Now search file contents for the keyword technawi:
Checking the hits one by one, /etc/mysql/conf.d/credentials.txt contains the fourth flag {784565897412356897185412} and a set of credentials, technawi/3vilH@ksor:
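Both searches above, by file name and by file content, are a walk over the filesystem that must not abort on the first unreadable file and must not choke on binaries. The following is an added example, not the write-up's commands: it builds a small constructed tree in a temporary directory (with a placeholder credentials file, not the target's) and runs both searches over it, skipping files that cannot be read and files that look binary, so a practitioner can see exactly which hits the two methods return and why a match buried in a binary blob is missed.

```python
"""Search a tree for a keyword in file names and in file contents.

Added example; FIXTURE is constructed and the password in it is a placeholder.
"""
import os
import tempfile

KEYWORD = "technawi"

# Constructed tree: relative path -> content.
FIXTURE = {
    "home/technawi/.bash_history": b"ls -la\ncat flag.txt\n",
    "etc/mysql/conf.d/credentials.txt": (
        b"# constructed placeholder, not the target's file\n"
        b"user=technawi\npassword=example-only\n"),
    "etc/passwd": (b"root:x:0:0:root:/root:/bin/bash\n"
                   b"technawi:x:1000:1000::/home/technawi:/bin/bash\n"),
    "var/www/html/login.php": b"<?php /* no hit here */ ?>\n",
    "usr/share/blob.bin": b"\x00\x01TECHNAWI\x00\xff" * 4,  # binary: skipped
}


def build_fixture(root):
    for rel, body in FIXTURE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)


def search_names(root, keyword):
    """Directories and files whose name contains keyword, case-insensitive."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in dirnames + filenames:
            if keyword.lower() in name.lower():
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def looks_binary(head):
    """A NUL byte in the first block is a good-enough text/binary test."""
    return b"\x00" in head


def search_contents(root, keyword, max_size=1 << 20):
    """(relative path, line number, line) for readable text files that
    contain keyword; unreadable, oversized and binary files are skipped."""
    needle = keyword.lower().encode()
    hits = []
    for dirpath, _dirs, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_size:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # permission denied, vanished, device node
            if looks_binary(data[:8192]):
                continue  # run `strings` on these separately
            for lineno, line in enumerate(data.splitlines(), 1):
                if needle in line.lower():
                    hits.append((os.path.relpath(path, root), lineno,
                                 line.decode(errors="replace")))
    return sorted(hits)


def run_demo():
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return search_names(root, KEYWORD), search_contents(root, KEYWORD)


if __name__ == "__main__":
    names, contents = run_demo()
    print("by name:", names)
    for path, lineno, line in contents:
        print(f"by content: {path}:{lineno}: {line}")
```

The name search returns the home directory the meterpreter search missed; the content search returns the credentials file and the passwd entry, and silently drops blob.bin even though it contains the keyword, which is why a keyword hunt should be followed by a separate pass over binaries.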
V. Log in to the system
Log in to the system with technawi/3vilH@ksor:
Now flag.txt is readable and gives the fifth flag {5473215946785213456975249}:
VI. Privilege escalation
As I said at the start, the flags are not the only goal; escalation is the other half of the fun. Just as I was about to check the kernel version to match it against an exploit, I remembered seeing the file .sudo_as_admin_successful in technawi's home directory:
On Ubuntu, sudo creates that marker once a user in the admin or sudo group has run sudo successfully, so technawi is a sudoer and can become root with its own password (sudo -l lists what is allowed; sudo -i gives a root shell):
All flags collected and root obtained.
That is the walkthrough of the JIS-CTF_VulnUpload target machine. The editor believes some of these points will come up in daily work; I hope you learned something from this article. For more, follow the industry information channel.
© 2024 shulou.com SLNews company. All rights reserved.