THE PLANETS: VENUS

Preparation

Attacker machine: kali

Target: THE PLANETS: VENUS, NAT, 192.168.91.0/24 subnet

Download link:

https://www.vulnhub.com/entry/the-planets-venus,705/
[screenshot: 8b10717b2e9b3e632be8d3ce5d0f2d34.png]

Information gathering and exploitation

Host discovery

python3 ping.py -H 192.168.91.0/24

[screenshot: 83eb031013640a4f6352caea4fb4ca8c.png]

As the screenshot shows, the target's IP address is 192.168.91.173.

Port scanning

nmap -sV -p- -sS -A 192.168.91.173 -oN venus_nmap.txt

[screenshot: d2fc5500a8f73be31b37aed6ab4df177.png]

As shown above, only ports 22 and 8080 are open. Port 8080, like the previous two boxes in the series, serves a web page written in Python.

HTTP

http://192.168.91.173:8080/

[screenshot: 34ca1954ea56468ba6211d651de0bcae.png]

As the screenshot shows, the page says to log in to the guest account with guest:guest. By testing (guessing) I found that the username and password venus:venus also log in.

[screenshot: 933ad210e8f7ee14b20f0914a4b048d5.png]

Directory scanning

python3 dirsearch.py -u http://192.168.91.173:8080/

This returned a large pile of 302 redirects, which I won't show here.

Generally a Python web application is built on either Flask or Django, the two most common frameworks. Both usually have an admin backend, and you can only go deeper once you are logged in.

http://192.168.91.173:8080/admin/login/?next=/admin/

[screenshot: 621def2ca7289ac6402966652c2ee5e4.png]

As the screenshot shows, it is Django; the guess was right. Next, check whether DEBUG mode is enabled: if a non-existent path returns an error page that lists all the routes, DEBUG is on; if it only returns "Not Found", DEBUG is off. Testing shows it is off here.

Tried weak passwords on the admin backend: failed!

Back to the first login page. We now know two username/password pairs:

guest:guest

venus:venus (guessed from the box name)

Could there be other usernames? So now we need to brute-force.

[screenshot: 47915a3782f416a08a9be35c95e6956d.png]

Entering a correct username with a wrong password on the login page shows: invalid password.

Entering an arbitrary username shows: invalid username.
[screenshot: 2894df168205e2c77b80c2166754f208.png]

So usernames can be enumerated by watching for the response "invalid username".
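The behaviour just described is a classic username-enumeration weakness: the login form answers differently depending on whether the account exists. The following is an added example, not code from the write-up or from the Venus box, showing a handler that behaves like the observed page next to the hardened form a defender would deploy: one generic failure message, and the password check always executed so that the response time does not reveal the account's existence either. The user store, salt and passwords are constructed for the example.

```python
"""Added example: leaky vs. uniform login responses (not the target's code)."""
import hashlib
import hmac
import os

def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library; the iteration count is kept low
    # so the example runs quickly, a real deployment would use far more.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

# Constructed user store for the example: username -> (salt, password hash).
_SALT = b"example-salt"
USERS = {
    "guest": (_SALT, _hash_password("guest", _SALT)),
}

# Salt and hash used when the username does not exist, so the hardened
# handler does a comparison of the same cost for unknown accounts.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy", _DUMMY_SALT)

def login_leaky(username: str, password: str):
    """Mirrors the observed behaviour: a different message per failure cause."""
    if username not in USERS:
        return False, "invalid username."
    salt, stored = USERS[username]
    if not hmac.compare_digest(stored, _hash_password(password, salt)):
        return False, "invalid password."
    return True, "ok"

GENERIC_FAILURE = "invalid username or password."

def login_uniform(username: str, password: str):
    """Hardened: unknown user and wrong password share one message and one code path."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    # The hash is always computed, even for unknown users, to keep timing flat.
    matched = hmac.compare_digest(stored, _hash_password(password, salt))
    if not (username in USERS and matched):
        return False, GENERIC_FAILURE
    return True, "ok"

def enumerates_usernames(handler) -> bool:
    """Quick self-check: does the failure text differ for unknown vs. known users?"""
    _, unknown = handler("nosuchuser", "x")
    _, known = handler("guest", "wrongpassword")
    return unknown != known

if __name__ == "__main__":
    print("leaky handler leaks usernames:", enumerates_usernames(login_leaky))
    print("uniform handler leaks usernames:", enumerates_usernames(login_uniform))
```

`enumerates_usernames` is the same check the write-up performs by hand, turned into a test a team can keep in its CI: if it ever returns True for the production handler, the login page has started telling attackers which accounts exist.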

But that raises another problem: how do we make sure the correct username is even in our wordlist??? The two usernames we already know are no use; neither of them can log in over SSH.

I read the writeup: https://medium.com/@mcl0x90/the-planets-venus-vulnhub-write-up-f6727d08bafb

and got a username and password from it:

magellan:venusiangeology1989 (brute-forced by the writeup's author.)

flag 1

[screenshot: 2455fe6134395e1d9e08c7f6ce7d9db7.png]

Privilege escalation

Method one:

SUID privilege escalation

find / -perm -u=s -type f 2>/dev/null

[screenshot: a911e43535fccf9caf67add3b68b965b.png]

As the screenshot shows, polkit-1/polkit-agent-helper-1 is present, exactly as on the previous box, MERCURY. We try the same approach and download the exploit onto the target. Note that the target has no git command, so we download it with wget.

[screenshot: d7db0eebc6aa925a8315871288a6f5c7.png]

[screenshot: 1541861e4dd40ef1ffd70f3759f3a54b.png]

Then unzip cve-2021-4034 to extract it.

Then make.

[screenshot: 9b42b836df7ba3b8cbe563339a6ed4ad.png]

This produces the executable cve-2021-4034.

Run it:

./cve-2021-4034

[screenshot: f63325033d78c450ca983c2dbd4f09bc.png]

As the screenshot shows, we get root.

flag 2

[screenshot: 92f1169a0e9efde6b6982ca400ea0989.png]

This method is the same privilege escalation as on the previous box in the series, so presumably it is not the intended focus of this box.
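The `find / -perm -u=s` command above is just as useful on the defending side: the set of SUID binaries on a host is small and stable, so anything new is worth a look. The following is an added example, not code from the write-up or from the box, of a defender-side SUID audit: it collects setuid regular files the same way the find command does, diffs them against a recorded baseline, and reports whether /usr/bin/pkexec still carries the setuid bit, since dropping that bit (chmod 0755 /usr/bin/pkexec) is the documented interim mitigation for CVE-2021-4034 on hosts that cannot be patched. The baseline paths and sample modes are constructed for the example; the polkit helper path is the usual Linux location and is assumed.

```python
"""Added example: audit SUID binaries against a baseline (not the target's code)."""
import os
import stat
from typing import Dict, Iterable, Set

PKEXEC = "/usr/bin/pkexec"

# Constructed baseline: what a freshly installed host of this type is expected
# to have. A real deployment records this once and stores it read-only.
BASELINE: Set[str] = {
    "/usr/bin/sudo",
    "/usr/bin/passwd",
    "/usr/lib/polkit-1/polkit-agent-helper-1",  # assumed path of the helper seen above
}

def is_suid(mode: int) -> bool:
    """True for a regular file with the setuid bit, i.e. what `find -perm -u=s -type f` matches."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)

def scan_suid(root: str = "/") -> Set[str]:
    """Walk the tree and collect setuid regular files, skipping pseudo-filesystems."""
    found: Set[str] = set()
    skip = {"/proc", "/sys", "/dev"}
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                # lstat so a symlink to a SUID binary is not itself reported
                if is_suid(os.lstat(path).st_mode):
                    found.add(path)
            except OSError:
                continue
    return found

def unexpected_suid(found: Iterable[str], baseline: Iterable[str]) -> Set[str]:
    """Binaries that are setuid now but were not in the recorded baseline."""
    return set(found) - set(baseline)

def pkexec_still_suid(modes: Dict[str, int]) -> bool:
    """Given path -> st_mode, report whether pkexec retains the setuid bit (mitigation not applied)."""
    mode = modes.get(PKEXEC)
    return mode is not None and is_suid(mode)

def audit(found: Set[str], baseline: Set[str], modes: Dict[str, int]) -> Dict[str, object]:
    """Combine the two checks into one report structure a scheduler can log or alert on."""
    return {
        "new_suid": sorted(unexpected_suid(found, baseline)),
        "pkexec_suid": pkexec_still_suid(modes),
    }

if __name__ == "__main__":
    live = scan_suid("/")
    modes = {p: os.lstat(p).st_mode for p in live if os.path.exists(p)}
    print(audit(live, BASELINE, modes))
```

Run as root on a schedule, the report's `new_suid` list is the detection signal for a dropped SUID binary, and `pkexec_suid` tells you whether the interim CVE-2021-4034 mitigation is in place on hosts that have not yet received the fixed polkit package.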

Method two:

I followed the writeup's author for this one; personally I found it very hard and gave up.

Summary

  1. As on the previous Mercury box, cve-2021-4034 can be used for privilege escalation (simple, suitable for a noob like me!)
  2. Password brute-forcing needs a strong wordlist; here I just took the answer from the writeup.