2020 December Metasploit community CTF

Environment setup

Two target machines:

2020-12-07 10:51:45.687490 Ubuntu Target 185.245.3.246 m0nk3y
2020-12-07 10:51:45.679223 Kali Jump Host 185.245.3.246 m0nk3y


Kali serves as the jump host for attacking the internal Ubuntu machine.

Kali : 3.85.234.26

Ubuntu: 172.15.53.85

The challenge description is as follows:

![image-20201207190045534](/Users/m0nk3y/Library/Application Support/typora-user-images/image-20201207190045534.png)

SSH into Kali

```
ssh -i metasploit_ctf_kali_ssh_key.pem [email protected]
```

![](/Users/m0nk3y/Library/Application Support/typora-user-images/image-20201207190722932.png)

Let's get started.

When you find a challenge flag, calculate and submit the MD5 checksum of the PNG image to receive points! Hashes are not case sensitive.

In plain terms: the flag is the MD5 of the image you find, and case is ignored.

```
[email protected]:~$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9001
inet 172.15.53.84 netmask 255.255.255.240 broadcast 172.15.53.95
inet6 fe80::866:3aff:fe77:1953 prefixlen 64 scopeid 0x20<link>
ether 0a:66:3a:77:19:53 txqueuelen 1000 (Ethernet)
RX packets 686 bytes 70099 (68.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 767 bytes 81674 (79.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 413 bytes 123225 (120.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 413 bytes 123225 (120.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
```

From ifconfig, the internal IP of Kali is 172.15.53.84, and the Ubuntu target is 172.15.53.85, so both are on the same internal subnet.

Port scan with nmap

```
[email protected]:~$ nmap -v 172.15.53.85
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-07 11:17 UTC
Initiating Ping Scan at 11:17
Scanning 172.15.53.85 [2 ports]
Completed Ping Scan at 11:17, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:17
Completed Parallel DNS resolution of 1 host. at 11:17, 0.00s elapsed
Initiating Connect Scan at 11:17
Scanning 172.15.53.85 [1000 ports]
Discovered open port 8080/tcp on 172.15.53.85
Discovered open port 80/tcp on 172.15.53.85
Discovered open port 8888/tcp on 172.15.53.85
Discovered open port 8200/tcp on 172.15.53.85
Discovered open port 9000/tcp on 172.15.53.85
Discovered open port 9009/tcp on 172.15.53.85
Discovered open port 5555/tcp on 172.15.53.85
Discovered open port 9001/tcp on 172.15.53.85
Discovered open port 9010/tcp on 172.15.53.85
Discovered open port 1080/tcp on 172.15.53.85
Completed Connect Scan at 11:17, 0.03s elapsed (1000 total ports)
Nmap scan report for 172.15.53.85
Host is up (0.0014s latency).
Not shown: 990 closed ports
PORT STATE SERVICE
80/tcp open http
1080/tcp open socks
5555/tcp open freeciv
8080/tcp open http-proxy
8200/tcp open trivnet1
8888/tcp open sun-answerbook
9000/tcp open cslistener
9001/tcp open tor-orport
9009/tcp open pichat
9010/tcp open sdr
```

Port 80 is open. Before bothering with an nps tunnel or the like, I'll just curl this HTTP web service directly.

```
[email protected]:~$ curl 172.15.53.85
<!doctype html>

<html lang="en">
<head>
<meta charset="utf-8">

<title>Metasploit CTF</title>
<link rel="stylesheet" href="css/styles.css?v=1.0">

<style>
body {
margin: 0;
font-family: sans-serif;
}

.h2 {
font-size: 2em;
color: #222;
margin-bottom: 0.2em;
}

.container {
text-align: center;
display: flex;
align-items: center;
justify-content: center;
flex-direction: column;
height: 100vh;
}
</style>
</head>

<body>
<div class="container">
<div>
<h2>Welcome!</h2>
<img src="4_of_hearts.png" />
<p>Your remaining challenges are on other ports</p>
</div>
</div>
</body>
</html>
```

Download that image with curl.

```
[email protected]:~$ curl -O 172.15.53.85/4_of_hearts.png
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 94015 100 94015 0 0 12.8M 0 --:--:-- --:--:-- --:--:-- 12.8M
[email protected]:~$ ls
4_of_hearts.png configure_kali.sh
[email protected]:~$ md5sum 4_of_hearts.png
776d1d5ecfb91f71aecad71cb3c7c9d1 4_of_hearts.png
```
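The manual steps above (read the page, spot the `<img>`, fetch it, hash it) are the same for every image flag in this CTF, including the Red Joker image later on. As an added example that is not part of the original writeup, here is a small Python helper that does the same thing offline: it extracts image sources from a page body, refuses to hash anything that does not carry the PNG signature (so an HTML error page fetched by mistake is not submitted as a flag), and compares flags case-insensitively as the rules allow. The HTML sample is constructed from the curl output above; the PNG payload is constructed filler, not the real challenge image.

```python
import hashlib
from html.parser import HTMLParser

# 8-byte signature every PNG file starts with
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Constructed sample: the body returned on port 80, trimmed to the part that matters.
SAMPLE_HTML = """<html><body><div class="container"><div>
<h2>Welcome!</h2>
<img src="4_of_hearts.png" />
<p>Your remaining challenges are on other ports</p>
</div></div></body></html>"""


class ImgSrcParser(HTMLParser):
    """Collects the src attribute of every <img> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def find_image_sources(html):
    """Return the image URLs a page references."""
    parser = ImgSrcParser()
    parser.feed(html)
    return parser.sources


def is_png(data):
    """Cheap sanity check that we fetched an image and not an error page."""
    return data[:8] == PNG_SIGNATURE


def flag_from_bytes(data):
    """MD5 hex digest in lower case, which is the flag format this CTF uses."""
    return hashlib.md5(data).hexdigest().lower()


def flag_from_png(data):
    """Only hash real PNG data; the scoreboard wants the hash of the image itself."""
    if not is_png(data):
        raise ValueError("downloaded data is not a PNG file")
    return flag_from_bytes(data)


def flags_match(submitted, expected):
    """Hashes are not case sensitive, per the challenge rules."""
    return submitted.strip().lower() == expected.strip().lower()


if __name__ == "__main__":
    for src in find_image_sources(SAMPLE_HTML):
        print("image referenced by page:", src)
    # Constructed PNG-like payload: signature followed by a few filler bytes.
    sample_png = PNG_SIGNATURE + b"\x00\x00\x00\rIHDR"
    print("flag for constructed sample:", flag_from_png(sample_png))
```

In practice the bytes would come from `urllib.request.urlopen` through the SOCKS proxy set up later; the point of the signature check is that a proxy error or a login page silently hashed and submitted costs you a wrong-answer attempt.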

That gives the flag: 776d1d5ecfb91f71aecad71cb3c7c9d1. It also gives a hint, "Your remaining challenges are on other ports", so let's run a full port scan.

```
[email protected]:~$ nmap -p 1-65535 172.15.53.85
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-07 11:34 UTC
Nmap scan report for 172.15.53.85
Host is up (0.0037s latency).
Not shown: 65515 closed ports
PORT STATE SERVICE
80/tcp open http
1080/tcp open socks
1337/tcp open waste
4545/tcp open worldscores
5555/tcp open freeciv
6868/tcp open acctopus-cc
8080/tcp open http-proxy
8092/tcp open unknown
8101/tcp open ldoms-migr
8123/tcp open polipo
8200/tcp open trivnet1
8201/tcp open trivnet2
8202/tcp open aesop
8888/tcp open sun-answerbook
9000/tcp open cslistener
9001/tcp open tor-orport
9007/tcp open ogs-client
9008/tcp open ogs-server
9009/tcp open pichat
9010/tcp open sdr
```
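The default `nmap` run only probes its 1000 most common TCP ports, which is why the first scan reported 10 open ports and the `-p 1-65535` scan reports 20. As an added example (not from the original writeup), the following Python parses nmap's normal output for both scans and lists exactly which ports the default scan would have hidden; the two scan texts are constructed from the outputs shown above, with the header lines trimmed.

```python
import re

# Matches lines of the form "80/tcp open http" from nmap's normal output.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)", re.MULTILINE)

# Constructed sample: the default (top-1000) scan above, ports section only.
DEFAULT_SCAN = """PORT STATE SERVICE
80/tcp open http
1080/tcp open socks
5555/tcp open freeciv
8080/tcp open http-proxy
8200/tcp open trivnet1
8888/tcp open sun-answerbook
9000/tcp open cslistener
9001/tcp open tor-orport
9009/tcp open pichat
9010/tcp open sdr
"""

# Constructed sample: the -p 1-65535 scan above, ports section only.
FULL_SCAN = """PORT STATE SERVICE
80/tcp open http
1080/tcp open socks
1337/tcp open waste
4545/tcp open worldscores
5555/tcp open freeciv
6868/tcp open acctopus-cc
8080/tcp open http-proxy
8092/tcp open unknown
8101/tcp open ldoms-migr
8123/tcp open polipo
8200/tcp open trivnet1
8201/tcp open trivnet2
8202/tcp open aesop
8888/tcp open sun-answerbook
9000/tcp open cslistener
9001/tcp open tor-orport
9007/tcp open ogs-client
9008/tcp open ogs-server
9009/tcp open pichat
9010/tcp open sdr
"""


def parse_open_ports(nmap_output):
    """Map each open port number to the service name nmap guessed for it."""
    return {int(port): service for port, _proto, service in PORT_LINE.findall(nmap_output)}


def ports_missed_by_default(default_output, full_output):
    """Ports present in the full-range scan but absent from the default scan, ascending."""
    full = parse_open_ports(full_output)
    default = parse_open_ports(default_output)
    return sorted(port for port in full if port not in default)


if __name__ == "__main__":
    missed = ports_missed_by_default(DEFAULT_SCAN, FULL_SCAN)
    print("open ports hidden by the default top-1000 scan:", missed)
    for port in missed:
        print(f"  {port}/tcp  {parse_open_ports(FULL_SCAN)[port]}")
```

The service names in the third column are only nmap's port-number lookup, not fingerprints; a `-sV` run would be needed before trusting them, as port 9009 (listed as "pichat" but actually speaking SSH, see below) demonstrates.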

One puzzling thing: some ports don't respond properly in a browser, yet curl does return some information. (It turns out the two are related.)

Since working on the other port, 8080, requires interaction, I need to set up forwarding and operate from my own machine.

The nps client can be started without writing a config file to disk:

```
./npc -server=ip:port -vkey=<key shown in the web UI>
```

Once nps is up, create the tunnels; an HTTP proxy and a SOCKS proxy are enough. (At this point Kali can be treated as an edge host we already have a shell on, since it can reach the internet and also access the internal applications.) Install npc on the Kali machine.

Point the browser and proxychains4 at the nps proxy, so both the browser and the tools go through it. (Or just use Proxifier.)

![image-20201207210033802](/Users/m0nk3y/Library/Application Support/typora-user-images/image-20201207210033802.png)

![image-20201207210239170](/Users/m0nk3y/Library/Application Support/typora-user-images/image-20201207210239170.png)


OK, with the proxy sorted out, let's carry on.

Port 80: 4 of Hearts

The MD5 of the image served on port 80.

Port 8080

Port 4545

![image-20201208003754322](/Users/m0nk3y/Library/Application Support/typora-user-images/image-20201208003754322.png)

Seeing SimpleHTTP and Python, a curl request does indeed reveal flag-looking files:

```
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Directory listing for /</title>
</head>
<body>
<h1>Directory listing for /</h1>
<hr>
<ul>
<li><a href="8_of_hearts.elf">8_of_hearts.elf</a></li>
<li><a href="8_of_hearts.enc">8_of_hearts.enc</a></li>
</ul>
<hr>
</body>
</html>
```

curl -o doesn't seem to be able to download them this time, but wget works.

8_of_hearts.elf
8_of_hearts.enc

That gives these two binary files.

Take a look with xxd

![image-20201208004140345](/Users/m0nk3y/Library/Application Support/typora-user-images/image-20201208004140345.png)

Load it into IDA, hit F5 (nope), and check the strings:

![image-20201208005344308](/Users/m0nk3y/Library/Application Support/typora-user-images/image-20201208005344308.png)

F5 on the main function:

![image-20201208005832787](/Users/m0nk3y/Library/Application Support/typora-user-images/image-20201208005832787.png)

Port 6868

Port 8092

![image-20201208011629368](/Users/m0nk3y/Library/Application Support/typora-user-images/image-20201208011629368.png)

Port 8101

![image-20201207221508164](/Users/m0nk3y/Library/Application Support/typora-user-images/image-20201207221508164.png)

Port 8200: file upload GetShell

Burp needs SOCKS configured first; only then can it capture and replay requests normally.

![image-20201207215251038](/Users/m0nk3y/Library/Application Support/typora-user-images/image-20201207215251038.png)

There are two kinds of errors:

  • Unsupported mime type (the uploaded file's extension and Content-Type don't match)
  • Unsupported file format (gif and other extensions; only jpg and png can be uploaded)
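The two error messages correspond to two separate checks on the server side: one comparing the declared Content-Type against the filename extension, one restricting the extension itself. As an added example (not the challenge's code), here is a Python validator that reproduces those two checks in the order the messages suggest, plus a third step that a defender would add and that the page does not mention: verifying that the file body actually starts with the PNG or JPEG signature, so that a file with a permitted name and a matching Content-Type but non-image contents is still rejected. The sample inputs are constructed.

```python
# Magic bytes of the two image formats the upload form accepts.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
JPEG_SIGNATURE = b"\xff\xd8\xff"

# Extension -> the Content-Type the client must declare for it.
ALLOWED = {
    "png": "image/png",
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
}

UNSUPPORTED_MIME = "Unsupported mime type"
UNSUPPORTED_FORMAT = "Unsupported file format"
OK = "ok"


def has_image_signature(ext, data):
    """Content sniffing: the body must start with the signature of the format its name claims."""
    if ext == "png":
        return data.startswith(PNG_SIGNATURE)
    return data.startswith(JPEG_SIGNATURE)


def check_upload(filename, content_type, data):
    """Return OK, or the error string the server would answer with."""
    if "." not in filename:
        return UNSUPPORTED_FORMAT
    ext = filename.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        return UNSUPPORTED_FORMAT            # gif, php, anything not jpg/png
    # Drop parameters such as "; charset=binary" before comparing.
    declared = content_type.split(";", 1)[0].strip().lower()
    if declared != ALLOWED[ext]:
        return UNSUPPORTED_MIME              # extension and Content-Type disagree
    if not has_image_signature(ext, data):
        return UNSUPPORTED_FORMAT            # right name and type, wrong bytes
    return OK


if __name__ == "__main__":
    # Constructed sample uploads.
    samples = [
        ("photo.gif", "image/gif", b"GIF89a..."),
        ("photo.png", "image/jpeg", PNG_SIGNATURE + b"..."),
        ("photo.png", "image/png", PNG_SIGNATURE + b"..."),
        ("photo.png", "image/png", b"not really an image"),
    ]
    for name, ctype, body in samples:
        print(f"{name:10} {ctype:12} -> {check_upload(name, ctype, body)}")
```

The first two checks alone are what the error messages show the challenge doing; without the signature step, the extension and Content-Type are both attacker-controlled strings, which is the usual reason file-upload filters of this shape are insufficient.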

![image-20201208000008329](/Users/m0nk3y/Library/Application Support/typora-user-images/image-20201208000008329.png)

Port 8202

![image-20201208012652639](/Users/m0nk3y/Library/Application Support/typora-user-images/image-20201208012652639.png)

Port 8888

![image-20201208012835327](/Users/m0nk3y/Library/Application Support/typora-user-images/image-20201208012835327.png)

Port 9000

![image-20201208013004434](/Users/m0nk3y/Library/Application Support/typora-user-images/image-20201208013004434.png)

Port 9001

![image-20201208013102209](/Users/m0nk3y/Library/Application Support/typora-user-images/image-20201208013102209.png)

Port 9010: Queen of Hearts

Accessing it directly gives a jar file.

![image-20201207211819717](/Users/m0nk3y/Library/Application Support/typora-user-images/image-20201207211819717.png)

```
──> java -jar QOH_Client.jar                        ──(一,1207)─┘
Usage:
java -jar QOH_Client.jar <ip> <port>

where port is generally 9008
──> proxychains4 java -jar QOH_Client.jar 172.15.53.85 9008

[proxychains] Strict chain … xx.xx.xxx.116:6443 … xx.xx.xxx.116:6080 … 172.15.53.85:9008 … OK
Successfully connected to the server!
Please select an available action from the list below:
[1] Lists available files on the server
[2] Download available files from the server
[3] Authenticate to the server

1
Executing action…
Listing available files to download:

test.txt
queen_of_hearts.png
todo.md

Please select an available action from the list below:
[1] Lists available files on the server
[2] Download available files from the server
[3] Authenticate to the server

2
Executing action…
Checking authentication status…
You are not authenticated. Please authenticate before attempting to download from the server
```

To get the Queen of Hearts flag you need the password; hmm, it doesn't look brute-forceable, so I'll set it aside for now.

Port 9007: Red Joker

![image-20201207212225564](/Users/m0nk3y/Library/Application Support/typora-user-images/image-20201207212225564.png)

The download contains a single image; just run md5 on the file to get the flag.

```
┌─(~/CTF/metasploit_ctf/red_joker)─────────────────────────────────────────────────────────────────────────────────────────────────([email protected]:s000)─┐
└─(21:24:29)──> md5 joker_red.png ──(一,1207)─┘
MD5 (joker_red.png) = ded8965ad103400300b7180b42f55e28
```

Port 9009

```
└─(01:32:22)──> proxychains4 curl http://172.15.53.85:9009                                                                                      ──(二,1208)─┘
[proxychains] config file found: /usr/local/etc/proxychains.conf
[proxychains] preloading /usr/local/Cellar/proxychains-ng/4.14/lib/libproxychains4.dylib
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] Strict chain ... 45.76.110.116:6443 ... 45.76.110.116:6080 ... 172.15.53.85:9009 ... OK
SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
Protocol mismatch.
```

Writeups by others abroad

https://rushisec.net/metasploit-ctf-2020-writeup/#9ofheartsport53

https://ctftime.org/event/1200/tasks/

Pretty good overall; I just found out about the competition a bit late, so I only played for a while before the VPS was shut down.

Author: m0nk3y
Link: https://hack-for.fun/d22f.html
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.