What is JIS-CTF_VulnUpload target drone strategy?

vulnhub is one of my favorite playgrounds, and every target drone on it is a cool game. Completely finding all flags is only the basic task, and achieving privilege escalation is the ultimate goal. I am not pursuing the fastest capture of the flag, but rather using a complete attack chain to invade the target drone as much as possible. Therefore, some content in this guide may not be directly helpful for capturing the flag, but you should consider it when dealing with real targets.

Target drone "JIS-CTF: VulnUpload" contains 5 flags, beginner difficulty, and takes an average of 1.5 hours to complete the attack. You can get the virtualbox format image from https://www.vulnhub.com/entry/jis-ctf-vulnupload,228/ and you can play it immediately after importing:

The JIS virtual machine is DHCP and I have to find out its IP. The -sn option of nmap is used to detect host survivability:

Quickly, 4 surviving IPs were found. Among them, 56.1 is the IP of my main system, 56.2 is the DHCP server, and 56.5 shows localhost-response as the local machine (kali). Therefore, the IP of JIS is 192.168.56.6.

1. System service discovery

The first priority in getting IP is of course analysis service. The two command line parameters of nmap -O and -sV can be used here:

It can be seen that JIS opens SSH (OpenSSH 7.2p2) on port 22 and HTTP on port 80 (Apache httpd 2.4.18) and other two services. Also, the operating system is ubuntu. These three pieces of information will become the main attack surface in the next stage.

2. System Vulnerability Analysis

For SSH services, I am used to attacking from two aspects: weak passwords and system vulnerabilities. In terms of weak passwords, I used common usernames and common passwords to crack, although the chance is low:

It won’t be finished in a short time, so I’ll put it here first and look at it later.

In terms of finding system vulnerabilities in the SSH service, I recommend the searchsploit tool. Exact search for OpenSSH 7.2p2:

There is a username enumerability vulnerability. Just in case, finding a valid username will help to break the SSH password. Try using EXP immediately:

I have tried it several times, but the results are different. I feel that this EXP is unreliable. Maybe the search conditions are too harsh. Without the version number, search openssh directly to see if there are any other vulnerabilities:

Among them, there are two that can be considered, which are local privilege escalation vulnerabilities and remote command execution. loopholes. Wow, it's very tempting, but unfortunately, I can't use it. For the former, there is currently no stronghold (such as webshell), and there is no right escalation operation. Currently, it can only be released first, and it may be used later; for the latter, the conditions for exploitation are very strict, and the attacker You must gain control of the forwarded agent-socket, and the target must SSH into the machine where the attacker controls the forwarded agent-socket. Only then can the target load the specified *.so to achieve remote command execution. That’s all, we won’t go into depth about the SSH system vulnerabilities for the time being.

Check the apache service to see if there are any exploitable vulnerabilities:

The exact version found during the previous service detection was apache httpd 2.4.18, so there is only one memory leak vulnerability. Not much value.

System vulnerabilities can only be analyzed to this extent at this stage. Although we know that the distribution package is ubuntu, we do not know the specific version and system architecture. It is difficult to accurately find available operating system vulnerabilities. Therefore, there is no need to continue. The system vulnerability level is time-consuming. If we can get the webshell later, we will analyze it in depth when we escalate the privileges. Now we move to the web application level.

3. Web content discovery

The web port found before accessing is automatically redirected to http://192.168.56.6/login.php:

Read There is no valuable information when downloading the html source code; it is not possible to enumerate user names; it may be possible to brute force the weak password. The SSH brute force just now is not over yet, so let’s put the web login brute force first to see if there are any others. page.

Before about 2015, scanning the web port - looking for the web backend - logging into the backend with a weak password - uploading a sentence was a common attack method with a high success rate. Among them, whether the backend address could be found was the key to success. In other words, I need to discover more content on the web. Specifically, I hope to find more files, pages, and subdirectories. It is best to find sensitive files packaged with source code, management pages for backend operation and maintenance, and subdirectories storing business logic to expand the attack surface. Typically, I use a combination of enumeration and crawling to discover web content.

There are many tools for enumerating web content. In fact, the burp you have has built-in powerful subdirectory enumeration function, but it is often ignored by you. Visit http://192.168.56.6/, and after letting the traffic pass through burp, the initial site directory structure is immediately displayed:

Enable the subdirectory enumeration function through engagement tools - discover content:

Before enumeration, use the firefox plug-in wappalyzer to confirm that the back-end language is php:

Simple setting, let burp only enumerate php type pages, ignore aspx, jsp, etc. Language to improve efficiency:

Soon, many new pages were enumerated:

You see, there are more pages and directories than before, such as logout .php, server-status/. Checking them one by one, there is nothing valuable.

Next, I used another tool, dirsearch, to enumerate subdirectories again, complementing burp to get more web content. Efficiency and configurability are the characteristics of dirsearch. Similarly, use the --extension option to set only php type pages to be enumerated, ignoring other languages ​​such as aspx, jsp and so on:

From the output result out.txt There are 5 pages with successful HTTP response (200):

Visit these pages in sequence and let the traffic pass through burp. The site directory structure is as follows:

Sub Directory enumeration, that's about it. Next, crawl the site.

Climb the site, still use burp:

Soon, the crawling was completed, and many new pages were added:

Friends, after playing so much It's been so long and you haven't even seen a shadow of the flag? Don't worry, it's coming. Search for the flag keyword in burp's site map. The first matching item is http://192.168.56.6/admin_area/:

Get the first flag{7412574125871236547895214}; and also get Go to a set of accounts admin/3v1l_H@ck3r. It may be a web login account or an SSH account. Try it later. The second match obtained by searching for flag is http://192.168.56.6/flag/:

The second match obtained is {8734509128730458630012095}.

4. Web application vulnerability analysis

Use admin/3v1l_H@ck3r to try to log in to http://192.168.56.6/login.php:

Successfully, there is File upload function, check whether there is any file upload vulnerability.

Just upload a php webshell and try:

icesword.php is uploaded successfully. There is an arbitrary file upload vulnerability, but the upload directory is not echoed. Do you still remember the uploads/ and uploaded_files/ directories found during web content discovery? Try to access http://192.168.56.6/uploads/icesword.php. An error message is reported. The resource does not exist. Visit http://192.168.56.6/uploaded_files. /icesword.php, no error is reported but the page has no content. It’s okay. At least it is clear that the upload directory is uploaded_files/.

I use msfvenom to generate MSF’s php rebound Trojan msf_private.php:

Start MSF and listen, then visit http://192.168.56.6/uploaded_files/msf_private.php to get the meterpreter session immediately:

Simply flip through the file:

flag.txt, hint.txt caught my attention. Check it, flag.txt has no access rights; in hint.txt, you get the third flag {7645110034526579012345670}, and a prompt message. If you want to view flag.txt, you must first find out the password of the account technawi:

Next, I need to find the password for user technawi. I plan to look for information related to technawi, both in terms of file names and file contents.

I use meterpreter's built-in search command to find files containing the keyword technawi in the file name:

It shows not found. Strange, if there are technawi users, then there must be /home/technawi/, why can't I find any of them? Enter the shell and confirm again:

This is correct. So, you see, meterpreter's built-in search is unreliable. I checked them one by one and found nothing of value.

Find files containing the keyword technawi in the file content:

Check one by one and find the fourth flag{7845658974123568974185412 in /etc/mysql/conf.d/credentials.txt }, and a set of account numbers technawi/3vilH@ksor:

5. Log in to the system

Use the account number technawi/3vilH@ksor to successfully log in to the system:

Check flag.txt again and get the fifth flag{5473215946785213456975249}:

6. Elevate rights

I said at the beginning that the flag is not for me to play with a target machine. The only goal is to increase power. It is also very interesting. When I was about to check the kernel version and prepare the corresponding exp, I remembered that I had seen the .sudo_as_admin_successful file in the home/ directory of technawi:

Wow, you are lucky. This shows that technawi can use your own password to switch to Root user:

That’s it, all flag collection is completed and privileges are successfully escalated!

The above is the detailed content of What is JIS-CTF_VulnUpload target drone strategy?. For more information, please follow other related articles on the PHP Chinese website!