Vulnhub:MY FILE SERVER: 1

目录

信息收集

1、arp

2、nmap

3、whatweb

WEB

web信息收集

dirmap

FTP匿名登录

enum4linux

smbclient

showmount

FTP登录

ssh-kegen

ssh登录

提权

系统信息收集

脏牛提权

get root


信息收集

1、arp
┌──(root㉿ru)-[~/kali/vulnhub]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:50:56:2f:dd:99, IPv4: 192.168.211.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.211.2   00:50:56:e6:61:4b       VMware, Inc.
192.168.211.1   00:50:56:c0:00:08       VMware, Inc.
192.168.211.130 00:50:56:25:9b:29       VMware, Inc.
192.168.211.254 00:50:56:f5:08:f0       VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.499 seconds (102.44 hosts/sec). 4 responded

2、nmap
端口探测

┌──(root㉿ru)-[~/kali/vulnhub]
└─# nmap -p- 192.168.211.130 --min-rate 10000 -oA port
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-26 19:52 CST
Nmap scan report for 192.168.211.130
Host is up (0.00093s latency).
Not shown: 64504 filtered tcp ports (no-response), 19 filtered tcp ports (host-prohibited), 1004 closed tcp ports (reset)
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
445/tcp   open  microsoft-ds
2049/tcp  open  nfs
2121/tcp  open  ccproxy-ftp
20048/tcp open  mountd
MAC Address: 00:50:56:25:9B:29 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 15.38 seconds

服务版本探测

┌──(root㉿ru)-[~/kali/vulnhub]
└─# nmap -sC -sV -sT -O -p 21,22,80,111,445,2049,2121,20048 192.168.211.130 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-29 08:40 CST
Nmap scan report for 192.168.211.130
Host is up (0.00041s latency).

PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 3.0.2
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.211.128
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    3 0        0              16 Feb 19  2020 pub [NSE: writeable]
22/tcp    open  ssh         OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 75:fa:37:d1:62:4a:15:87:7e:21:83:b9:2f:ff:04:93 (RSA)
|   256 b8:db:2c:ca:e2:70:c3:eb:9a:a8:cc:0e:a2:1c:68:6b (ECDSA)
|_  256 66:a3:1b:55:ca:c2:51:84:41:21:7f:77:40:45:d4:9f (ED25519)
80/tcp    open  http        Apache httpd 2.4.6 ((CentOS))
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS)
|_http-title: My File Server
111/tcp   open  rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100003  3,4         2049/udp   nfs
|   100003  3,4         2049/udp6  nfs
|   100005  1,2,3      20048/tcp   mountd
|   100005  1,2,3      20048/tcp6  mountd
|   100005  1,2,3      20048/udp   mountd
|   100005  1,2,3      20048/udp6  mountd
|   100021  1,3,4      41241/udp   nlockmgr
|   100021  1,3,4      43133/tcp   nlockmgr
|   100021  1,3,4      58941/tcp6  nlockmgr
|   100021  1,3,4      59449/udp6  nlockmgr
|   100024  1          50743/udp6  status
|   100024  1          52276/udp   status
|   100024  1          53941/tcp6  status
|   100024  1          55401/tcp   status
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
445/tcp   open  netbios-ssn Samba smbd 4.9.1 (workgroup: SAMBA)
2049/tcp  open  nfs_acl     3 (RPC #100227)
2121/tcp  open  ftp         ProFTPD 1.3.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: ERROR
20048/tcp open  mountd      1-3 (RPC #100005)
MAC Address: 00:50:56:25:9B:29 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|storage-misc
Running (JUST GUESSING): Linux 3.X|2.6.X|4.X|5.X (97%), Synology DiskStation Manager 5.X (95%), Netgear RAIDiator 4.X (87%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:2.6 cpe:/a:synology:diskstation_manager:5.2 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:netgear:raidiator:4.2.28
Aggressive OS guesses: Linux 3.4 - 3.10 (97%), Linux 2.6.32 - 3.10 (97%), Linux 2.6.32 - 3.13 (97%), Linux 2.6.39 (97%), Linux 3.10 (97%), Synology DiskStation Manager 5.2-5644 (95%), Linux 2.6.32 (93%), Linux 2.6.32 - 3.5 (92%), Linux 3.2 - 3.10 (91%), Linux 3.2 - 3.16 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: FILESERVER; OS: Unix

Host script results:
|_clock-skew: mean: -2d06h22m13s, deviation: 3h10m28s, median: -2d04h32m15s
| smb2-time: 
|   date: 2024-03-26T20:08:33
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.1)
|   Computer name: localhost
|   NetBIOS computer name: FILESERVER\x00
|   Domain name: \x00
|   FQDN: localhost
|_  System time: 2024-03-27T01:38:35+05:30

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.18 seconds

根据信息收集,21、2121都可以进行匿名登录ftp服务器,20048使用的是RPC协议,111、2049则是nfs服务!

3、whatweb
┌──(root㉿ru)-[~/kali/vulnhub]
└─# whatweb -v 192.168.211.130
WhatWeb report for http://192.168.211.130
Status    : 200 OK
Title     : My File Server
IP        : 192.168.211.130
Country   : RESERVED, ZZ

Summary   : Apache[2.4.6], HTTPServer[CentOS][Apache/2.4.6 (CentOS)]

Detected Plugins:
[ Apache ]
  The Apache HTTP Server Project is an effort to develop and 
  maintain an open-source HTTP server for modern operating 
  systems including UNIX and Windows NT. The goal of this 
  project is to provide a secure, efficient and extensible 
  server that provides HTTP services in sync with the current 
  HTTP standards. 

  Version      : 2.4.6 (from HTTP Server Header)
  Google Dorks: (3)
  Website     : http://httpd.apache.org/

[ HTTPServer ]
  HTTP server header string. This plugin also attempts to 
  identify the operating system from the server header. 

  OS           : CentOS
  String       : Apache/2.4.6 (CentOS) (from server string)

HTTP Headers:
  HTTP/1.1 200 OK
  Date: Tue, 26 Mar 2024 20:04:40 GMT
  Server: Apache/2.4.6 (CentOS)
  Last-Modified: Wed, 19 Feb 2020 07:40:05 GMT
  ETag: "ae-59ee8e599a3f0"
  Accept-Ranges: bytes
  Content-Length: 174
  Connection: close
  Content-Type: text/html; charset=UTF-8


WEB

web信息收集

啥都没有!只有一个跳转链接!

dirmap
┌──(root㉿ru)-[~/tools/dirscan/dirmap]
└─# python3 dirmap.py -i http://192.168.211.130/ -lcf

                     #####  # #####  #    #   ##   #####
                     #    # # #    # ##  ##  #  #  #    #
                     #    # # #    # # ## # #    # #    #
                     #    # # #####  #    # ###### #####
                     #    # # #   #  #    # #    # #
                     #####  # #    # #    # #    # #   v1.0

[*] Initialize targets...
[+] Load targets from: http://192.168.211.130/
[+] Set the number of thread: 30
[+] Coroutine mode
[+] Current target: http://192.168.211.130/                                                                    
[*] Launching auto check 404
[+] Checking with: http://192.168.211.130/bxqbnwvmvunjdmgtdtwqnpcsnglhslsgycxexiqdgp
[*] Use recursive scan: No                                                                                     
[*] Use dict mode
[+] Load dict:/root/tools/dirscan/dirmap/data/dict_mode_dict.txt
[*] Use crawl mode
[200][text/html; charset=UTF-8][174.00b] http://192.168.211.130/index.html                                     
[200][text/plain; charset=UTF-8][25.00b] http://192.168.211.130/readme.txt                                     
 99% (5697 of 5716) |################################################### | Elapsed Time: 0:00:12 ETA:   0:00:00
发现目录 readme.txt  !!

密码:rootroot1

FTP匿名登录
┌──(root?ru)-[~/kali/vulnhub]
└─# ftp            
ftp> open 192.168.211.130
Connected to 192.168.211.130.
220 (vsFTPd 3.0.2)
Name (192.168.211.130:root): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> binary
200 Switching to Binary mode.
ftp> ls -al
229 Entering Extended Passive Mode (|||5838|).
150 Here comes the directory listing.
drwxr-xr-x    3 0        0              16 Feb 18  2020 .
drwxr-xr-x    3 0        0              16 Feb 18  2020 ..
drwxrwxrwx    3 0        0              16 Feb 19  2020 pub
226 Directory send OK.
ftp> 

匿名登录: anonymous:anonymous

ftp> ls -al
229 Entering Extended Passive Mode (|||5182|).
150 Here comes the directory listing.
drwxrwxrwx    3 0        0              16 Feb 19  2020 .
drwxr-xr-x    3 0        0              16 Feb 18  2020 ..
drwxr-xr-x    9 0        0            4096 Feb 19  2020 log
226 Directory send OK.
ftp> cd log
250 Directory successfully changed.
ftp> ls -al
229 Entering Extended Passive Mode (|||5863|).
150 Here comes the directory listing.
drwxr-xr-x    9 0        0            4096 Feb 19  2020 .
drwxrwxrwx    3 0        0              16 Feb 19  2020 ..
drwxr-xr-x    2 0        0            4096 Feb 19  2020 anaconda
drwxr-x---    2 0        0              22 Feb 19  2020 audit
-rw-r--r--    1 0        0            7033 Feb 19  2020 boot.log
-rw-------    1 0        0           10752 Feb 19  2020 btmp
-rw-r--r--    1 0        0            9161 Feb 19  2020 cron
-rw-r--r--    1 0        0           31971 Feb 19  2020 dmesg
-rw-r--r--    1 0        0           31971 Feb 19  2020 dmesg.old
drwxr-xr-x    2 0        0               6 Feb 19  2020 glusterfs
drwx------    2 0        0              39 Feb 19  2020 httpd
-rw-r--r--    1 0        0          292584 Feb 19  2020 lastlog
-rw-------    1 0        0            3764 Feb 19  2020 maillog
-rw-------    1 0        0         1423423 Feb 19  2020 messages
drwx------    2 0        0               6 Feb 19  2020 ppp
drwx------    4 0        0              43 Feb 19  2020 samba
-rw-------    1 0        0           63142 Feb 19  2020 secure
-rw-------    1 0        0               0 Feb 19  2020 spooler
-rw-------    1 0        0               0 Feb 19  2020 tallylog
drwxr-xr-x    2 0        0              22 Feb 19  2020 tuned
-rw-r--r--    1 0        0           58752 Feb 19  2020 wtmp
-rw-------    1 0        0             100 Feb 19  2020 xferlog
-rw-------    1 0        0           18076 Feb 19  2020 yum.log
226 Directory send OK
虽然可以匿名登录,但是我们都没有权限下载这些文件!

2121端口进去看了一下,和这个情况一样,也是没有权限的!

只能另寻它路了!

enum4linux
┌──(root㉿ru)-[~/kali/vulnhub]
└─# enum4linux -a -r 192.168.211.130
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Mar 29 09:11:28 2024

 =========================================( Target Information )=========================================

Target ........... 192.168.211.130
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

。。。。。

 ======================================( Users on 192.168.211.130 )======================================

index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: smbuser  Name:   Desc: 

user:[smbuser] rid:[0x3e8]

 ================================( Share Enumeration on 192.168.211.130 )================================

do_connect: Connection to 192.168.211.130 failed (Error NT_STATUS_HOST_UNREACHABLE)

  Sharename       Type      Comment
  ---------       ----      -------
  print$          Disk      Printer Drivers
  smbdata         Disk      smbdata
  smbuser         Disk      smbuser
  IPC$            IPC       IPC Service (Samba 4.9.1)
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 192.168.211.130

//192.168.211.130/print$  Mapping: DENIED Listing: N/A Writing: N/A
//192.168.211.130/smbdata  Mapping: OK Listing: OK Writing: N/A
//192.168.211.130/smbuser  Mapping: DENIED Listing: N/A Writing: N/A

发现共享目录


smbclient
┌──(root㉿ru)-[~/kali/vulnhub]
└─# smbclient //192.168.211.130/smbdata                
Password for [WORKGROUP\root]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Feb 20 19:07:55 2020
  ..                                  D        0  Tue Feb 18 19:47:54 2020
  anaconda                            D        0  Tue Feb 18 19:48:15 2020
  audit                               D        0  Tue Feb 18 19:48:15 2020
  boot.log                            N     6120  Tue Feb 18 19:48:16 2020
  btmp                                N      384  Tue Feb 18 19:48:16 2020
  cron                                N     4813  Tue Feb 18 19:48:16 2020
  dmesg                               N    31389  Tue Feb 18 19:48:16 2020
  dmesg.old                           N    31389  Tue Feb 18 19:48:16 2020
  glusterfs                           D        0  Tue Feb 18 19:48:16 2020
  lastlog                             N   292292  Tue Feb 18 19:48:16 2020
  maillog                             N     1982  Tue Feb 18 19:48:16 2020
  messages                            N   684379  Tue Feb 18 19:48:17 2020
  ppp                                 D        0  Tue Feb 18 19:48:17 2020
  samba                               D        0  Tue Feb 18 19:48:17 2020
  secure                              N    11937  Tue Feb 18 19:48:17 2020
  spooler                             N        0  Tue Feb 18 19:48:17 2020
  tallylog                            N        0  Tue Feb 18 19:48:17 2020
  tuned                               D        0  Tue Feb 18 19:48:17 2020
  wtmp                                N    25728  Tue Feb 18 19:48:17 2020
  xferlog                             N      100  Tue Feb 18 19:48:17 2020
  yum.log                             N    10915  Tue Feb 18 19:48:17 2020
  sshd_config                         N     3906  Wed Feb 19 15:46:38 2020

    19976192 blocks of size 1024. 18281004 blocks available
smb: \> 

把关键信息下载到本地!
┌──(root?ru)-[~/kali/vulnhub]
└─# cat secure
Feb 18 13:33:38 fileserver polkitd[729]: Loading rules from directory /etc/polkit-1/rules.d
Feb 18 13:33:38 fileserver polkitd[729]: Loading rules from directory /usr/share/polkit-1/rules.d
Feb 18 13:33:38 fileserver polkitd[729]: Finished loading, compiling and executing 2 rules
Feb 18 13:33:38 fileserver polkitd[729]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Feb 18 13:33:39 fileserver sshd[1112]: Server listening on 0.0.0.0 port 22.
Feb 18 13:33:39 fileserver sshd[1112]: Server listening on :: port 22.
Feb 18 13:33:49 fileserver login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Feb 18 13:33:49 fileserver login: ROOT LOGIN ON tty1
Feb 18 13:33:53 fileserver login: pam_unix(login:session): session closed for user root
Feb 18 15:00:18 fileserver polkitd[748]: Loading rules from directory /etc/polkit-1/rules.d
Feb 18 15:00:18 fileserver polkitd[748]: Loading rules from directory /usr/share/polkit-1/rules.d
Feb 18 15:00:18 fileserver polkitd[748]: Finished loading, compiling and executing 2 rules
Feb 18 15:00:18 fileserver polkitd[748]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Feb 18 15:00:21 fileserver sshd[994]: Server listening on 0.0.0.0 port 22.
Feb 18 15:00:21 fileserver sshd[994]: Server listening on :: port 22.
Feb 18 15:00:43 fileserver login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Feb 18 15:00:43 fileserver login: ROOT LOGIN ON tty1
Feb 18 15:03:03 fileserver sshd[2296]: Accepted password for root from 192.168.1.5 port 60252 ssh2
Feb 18 15:03:03 fileserver sshd[2296]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 18 15:12:45 fileserver polkitd[602]: Loading rules from directory /etc/polkit-1/rules.d
Feb 18 15:12:45 fileserver polkitd[602]: Loading rules from directory /usr/share/polkit-1/rules.d
Feb 18 15:12:45 fileserver polkitd[602]: Finished loading, compiling and executing 2 rules
Feb 18 15:12:45 fileserver polkitd[602]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Feb 18 15:12:47 fileserver sshd[1030]: Server listening on 0.0.0.0 port 22.
Feb 18 15:12:47 fileserver sshd[1030]: Server listening on :: port 22.
Feb 18 15:13:23 fileserver sshd[2156]: Accepted password for root from 192.168.1.5 port 60254 ssh2
Feb 18 15:13:23 fileserver sshd[2156]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 18 15:26:24 fileserver groupadd[2767]: group added to /etc/group: name=stapusr, GID=156
Feb 18 15:26:24 fileserver groupadd[2767]: group added to /etc/gshadow: name=stapusr
Feb 18 15:26:24 fileserver groupadd[2767]: new group: name=stapusr, GID=156
Feb 18 15:26:24 fileserver groupadd[2772]: group added to /etc/group: name=stapsys, GID=157
Feb 18 15:26:24 fileserver groupadd[2772]: group added to /etc/gshadow: name=stapsys
Feb 18 15:26:24 fileserver groupadd[2772]: new group: name=stapsys, GID=157
Feb 18 15:26:25 fileserver groupadd[2777]: group added to /etc/group: name=stapdev, GID=158
Feb 18 15:26:25 fileserver groupadd[2777]: group added to /etc/gshadow: name=stapdev
Feb 18 15:26:25 fileserver groupadd[2777]: new group: name=stapdev, GID=158
Feb 18 15:48:21 fileserver polkitd[595]: Loading rules from directory /etc/polkit-1/rules.d
Feb 18 15:48:21 fileserver polkitd[595]: Loading rules from directory /usr/share/polkit-1/rules.d
Feb 18 15:48:21 fileserver polkitd[595]: Finished loading, compiling and executing 2 rules
Feb 18 15:48:21 fileserver polkitd[595]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Feb 18 15:48:23 fileserver sshd[987]: Server listening on 0.0.0.0 port 22.
Feb 18 15:48:23 fileserver sshd[987]: Server listening on :: port 22.
Feb 18 15:49:25 fileserver sshd[2153]: Accepted password for root from 192.168.1.5 port 60730 ssh2
Feb 18 15:49:25 fileserver sshd[2153]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 18 16:26:33 localhost polkitd[734]: Loading rules from directory /etc/polkit-1/rules.d
Feb 18 16:26:33 localhost polkitd[734]: Loading rules from directory /usr/share/polkit-1/rules.d
Feb 18 16:26:33 localhost polkitd[734]: Finished loading, compiling and executing 2 rules
Feb 18 16:26:33 localhost polkitd[734]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Feb 18 16:26:36 localhost sshd[1033]: Server listening on 0.0.0.0 port 22.
Feb 18 16:26:36 localhost sshd[1033]: Server listening on :: port 22.
Feb 18 16:26:40 localhost login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Feb 18 16:26:40 localhost login: ROOT LOGIN ON tty1
Feb 18 16:27:39 localhost sshd[2200]: Accepted password for root from 192.168.1.5 port 35254 ssh2
Feb 18 16:27:39 localhost sshd[2200]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 18 16:39:36 localhost polkitd[486]: Loading rules from directory /etc/polkit-1/rules.d
Feb 18 16:39:36 localhost polkitd[486]: Loading rules from directory /usr/share/polkit-1/rules.d
Feb 18 16:39:36 localhost polkitd[486]: Finished loading, compiling and executing 2 rules
Feb 18 16:39:36 localhost polkitd[486]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Feb 18 16:39:36 localhost sshd[712]: Server listening on 0.0.0.0 port 22.
Feb 18 16:39:36 localhost sshd[712]: Server listening on :: port 22.
Feb 18 16:40:00 localhost sshd[1844]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.5  user=root
Feb 18 16:40:00 localhost sshd[1844]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Feb 18 16:40:02 localhost sshd[1844]: Failed password for root from 192.168.1.5 port 35374 ssh2
Feb 18 16:40:04 localhost sshd[1844]: Accepted password for root from 192.168.1.5 port 35374 ssh2
Feb 18 16:40:04 localhost sshd[1844]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 18 16:44:28 localhost proftpd[1911]: localhost (192.168.1.5[192.168.1.5]) - SECURITY VIOLATION: Root login attempted
Feb 18 16:50:55 localhost polkitd[485]: Loading rules from directory /etc/polkit-1/rules.d
Feb 18 16:50:55 localhost polkitd[485]: Loading rules from directory /usr/share/polkit-1/rules.d
Feb 18 16:50:55 localhost polkitd[485]: Finished loading, compiling and executing 2 rules
Feb 18 16:50:55 localhost polkitd[485]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Feb 18 16:50:55 localhost sshd[711]: Server listening on 0.0.0.0 port 22.
Feb 18 16:50:55 localhost sshd[711]: Server listening on :: port 22.
Feb 18 16:51:23 localhost sshd[1843]: Accepted password for root from 192.168.1.5 port 35548 ssh2
Feb 18 16:51:23 localhost sshd[1843]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 18 16:51:38 localhost proftpd[1871]: localhost (192.168.1.5[192.168.1.5]) - SECURITY VIOLATION: Root login attempted
Feb 18 16:58:50 localhost polkitd[485]: Loading rules from directory /etc/polkit-1/rules.d
Feb 18 16:58:50 localhost polkitd[485]: Loading rules from directory /usr/share/polkit-1/rules.d
Feb 18 16:58:50 localhost polkitd[485]: Finished loading, compiling and executing 2 rules
Feb 18 16:58:50 localhost polkitd[485]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Feb 18 16:58:51 localhost sshd[711]: Server listening on 0.0.0.0 port 22.
Feb 18 16:58:51 localhost sshd[711]: Server listening on :: port 22.
Feb 18 16:59:55 localhost sshd[1847]: Accepted password for root from 192.168.1.5 port 35552 ssh2
Feb 18 16:59:55 localhost sshd[1847]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 18 17:01:34 localhost polkitd[490]: Loading rules from directory /etc/polkit-1/rules.d
Feb 18 17:01:34 localhost polkitd[490]: Loading rules from directory /usr/share/polkit-1/rules.d
Feb 18 17:01:34 localhost polkitd[490]: Finished loading, compiling and executing 2 rules
Feb 18 17:01:34 localhost polkitd[490]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Feb 18 17:01:35 localhost sshd[712]: Server listening on 0.0.0.0 port 22.
Feb 18 17:01:35 localhost sshd[712]: Server listening on :: port 22.
Feb 18 17:01:38 localhost sshd[1680]: Accepted password for root from 192.168.1.5 port 35556 ssh2
Feb 18 17:01:38 localhost sshd[1680]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 18 17:05:36 localhost polkitd[490]: Loading rules from directory /etc/polkit-1/rules.d
Feb 18 17:05:36 localhost polkitd[490]: Loading rules from directory /usr/share/polkit-1/rules.d
Feb 18 17:05:36 localhost polkitd[490]: Finished loading, compiling and executing 2 rules
Feb 18 17:05:36 localhost polkitd[490]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Feb 18 17:05:36 localhost sshd[716]: Server listening on 0.0.0.0 port 22.
Feb 18 17:05:36 localhost sshd[716]: Server listening on :: port 22.
Feb 18 17:05:59 localhost sshd[1850]: Accepted password for root from 192.168.1.5 port 35558 ssh2
Feb 18 17:05:59 localhost sshd[1850]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 18 17:06:58 localhost proftpd[1882]: localhost (192.168.1.5[192.168.1.5]) - SECURITY VIOLATION: Root login attempted
Feb 18 17:13:35 localhost groupadd[1978]: group added to /etc/group: name=input, GID=997
Feb 18 17:13:35 localhost groupadd[1978]: group added to /etc/gshadow: name=input
Feb 18 17:13:35 localhost groupadd[1978]: new group: name=input, GID=997
Feb 18 17:13:35 localhost groupadd[1985]: group added to /etc/group: name=systemd-network, GID=192
Feb 18 17:13:35 localhost groupadd[1985]: group added to /etc/gshadow: name=systemd-network
Feb 18 17:13:35 localhost groupadd[1985]: new group: name=systemd-network, GID=192
Feb 18 17:13:35 localhost useradd[1990]: new user: name=systemd-network, UID=192, GID=192, home=/, shell=/sbin/nologin
Feb 18 17:13:45 localhost useradd[2057]: failed adding user 'dbus', exit code: 9
Feb 18 17:13:47 localhost groupadd[2060]: group added to /etc/group: name=printadmin, GID=996
Feb 18 17:13:47 localhost groupadd[2060]: group added to /etc/gshadow: name=printadmin
Feb 18 17:13:47 localhost groupadd[2060]: new group: name=printadmin, GID=996
Feb 18 17:13:48 localhost groupadd[2069]: group added to /etc/group: name=gluster, GID=995
Feb 18 17:13:48 localhost groupadd[2069]: group added to /etc/gshadow: name=gluster
Feb 18 17:13:48 localhost groupadd[2069]: new group: name=gluster, GID=995
Feb 18 17:13:48 localhost useradd[2074]: new user: name=gluster, UID=998, GID=995, home=/run/gluster, shell=/sbin/nologin
Feb 18 17:14:20 localhost groupadd[2146]: group added to /etc/group: name=wbpriv, GID=88
Feb 18 17:14:20 localhost groupadd[2146]: group added to /etc/gshadow: name=wbpriv
Feb 18 17:14:20 localhost groupadd[2146]: new group: name=wbpriv, GID=88
Feb 18 17:16:14 localhost polkitd[490]: Registered Authentication Agent for unix-process:2348:64295 (system bus name :1.16 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_IN)
Feb 18 17:16:18 localhost polkitd[490]: Unregistered Authentication Agent for unix-process:2348:64295 (system bus name :1.16, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_IN) (disconnected from bus)
Feb 18 17:16:25 localhost polkitd[490]: Registered Authentication Agent for unix-process:2363:65485 (system bus name :1.18 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_IN)
Feb 18 17:16:25 localhost polkitd[490]: Unregistered Authentication Agent for unix-process:2363:65485 (system bus name :1.18, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_IN) (disconnected from bus)
Feb 18 17:16:39 localhost useradd[2389]: new group: name=smbuser, GID=1000
Feb 18 17:16:39 localhost useradd[2389]: new user: name=smbuser, UID=1000, GID=1000, home=/home/smbuser, shell=/bin/bash
Feb 18 17:17:09 localhost passwd: pam_unix(passwd:chauthtok): password changed for smbuser

是一些登陆信息!对用户 smbuser进行修改 密码是 chauthtok!

在ssh_config文件中说明,只允许进行密钥登录!不能进行密码登录!

showmount
┌──(root㉿ru)-[~/kali/vulnhub]
└─# showmount -e 192.168.211.130
Export list for 192.168.211.130:
/smbdata 192.168.56.0/24

这里只允许56网段访问,我经过尝试发现,里面并没有可疑文件,应该是经过不同协议挂出来的共享目录而已!

FTP登录
我们使用收集到的账号密码进行登录!

user:smbuser pass:rootroot1

既然这样的话,我们只能上传ssh公钥即可!这样我们就可以使用ssh私钥进行ssh登录了!

ssh-kegen

生成一个私钥,密码是qwer!

我们需要把qwer.pub上传到ftp服务器内!

位置是配置文件的默认位置

.ssh/authorized_keys

如果没有,就在用户名目录下创建一下!

ftp> mkdir .ssh
257 "/home/smbuser/.ssh" created
ftp> cd .ssh
250 Directory successfully changed.
ftp> put ~/kali/vulnhub/qwer.pub authorized_keys
local: /root/kali/vulnhub/qwer.pub remote: authorized_keys
229 Entering Extended Passive Mode (|||5168|).
150 Ok to send data.
100% |****************************************************************************************************************************************************************************************|   561       15.73 MiB/s    00:00 ETA
226 Transfer complete.
561 bytes sent in 00:00 (436.88 KiB/s)


ssh登录

因为我们在smbuser用户下上传的ssh公钥,所以我们使用smbuser用户进行登录!

提权

系统信息收集
[smbuser@fileserver ~]$ ls -al /etc/passwd /etc/shadow
-rw-r--r-- 1 root root 1360 2月  19 2020 /etc/passwd
---------- 1 root root  876 2月  19 2020 /etc/shadow

[smbuser@fileserver ~]$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/crontab
/usr/bin/sudo
/usr/bin/staprun
/usr/bin/passwd
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/usernetctl
/usr/sbin/mount.nfs
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/libexec/dbus-1/dbus-daemon-launch-helper
[smbuser@fileserver ~]$ 

[smbuser@fileserver ~]$ cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed

我们直接把linpeas上传到靶机进行测试!

从这可以看出靶机的内核版本很低!在脏牛的影响范围内!

果然,那不多说,直接内核提权吧!

脏牛提权

下载到本地,并上传到服务器!

编译错误! 那加上 -lcrypt -lpthread  即可!

提取成功!

get root


本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:/a/501826.html

如若内容造成侵权/违法违规/事实不符,请联系我们进行投诉反馈qq邮箱809451989@qq.com,一经查实,立即删除!

相关文章

2024UI自动化面试题汇总【建议收藏】

1.你是如何搭建ui自动化框架的? 在搭建ui自动化框架,使用的是po设计模式,也就是把每一个页面所需要 操作的元素和步骤都封装成一个页面类中。然后使用seleniumunittest搭建 四层框架实现数据、脚本、业务逻辑分离(关键字驱动&…

【微服务】配置Nacos管理SpringBoot配置文件(附解压包)

📝个人主页:哈__ 期待您的关注 一、什么是Nacos Nacos可以帮助我们配置和管理微服务,是阿里的一个开源产品,是针对微服务架构中的服务发现、配置管理、服务治理的综合型解决方案。Nacos可以用来实现配置中心和服务注册中心。 …

【3月30日信息差】2G 50/年,4G 618/3年 云服务器全网对比 游戏服务器活动 我的世界 幻兽帕鲁 雾锁王国通用

本文纯原创,侵权必究 【云服务器推荐】价格对比!阿里云 京东云 腾讯云 选购指南视频截图 《最新对比表》已更新在文章头部—腾讯云文档,文章具有时效性,请以腾讯文档为准! 【腾讯文档实时更新】2024年-幻兽帕鲁服务器…

Python数据结构实验 图实验(一)

一、实验目的 1.熟悉图的相关概念,包括有向图、无向图、完全图、子图、路径、简单路径、路径长度、回路等定义; 2.掌握图的各种存储结构,主要包括邻接矩阵和邻接表的相关算法设计; 3.掌握图的…

node.js 入门案例 安装教程

前言 Node.js是一个基于Chrome JavaScript 运行时建立的一个平台。 Node.js是一个事件驱动I/O服务端JavaScript环境,基于Google的V8引擎,V8引擎执行Javascript的速度非常快,性能非常好。 可以让JavaScript在服务器端运行。它具有轻量级、高…

网络安全--内网篇

一、环境 一个简单的域环境,3台机器即可,一个server2012,win7,,win10 二、开始初始的认识内网 在我们日常渗透中,我们进入企业去进行渗透的时候都是处于一个域的环境下,简单来说域一类网络服务而在服务器…

HarmonyOS实战开发-如何实现一个自定义抽奖圆形转盘

介绍 本篇Codelab是基于画布组件、显式动画,实现的一个自定义抽奖圆形转盘。包含如下功能: 通过画布组件Canvas,画出抽奖圆形转盘。通过显式动画启动抽奖功能。通过自定义弹窗弹出抽中的奖品。 相关概念 Stack组件:堆叠容器&am…

JavaScript基础语法–详谈

JavaScript的编写方式 这里小编写一个简单代码,展示JavaScript三种编写方式 HTML代码行内(可以理解为内联样式) a.第一种方式 一个123的网址,通过点击实现浏览器显示welcome字样提升(与浏览器进行交互)…

【AI模型-机器学习工具部署】远程服务器配置Jupyter notebook或jupyter lab服务

随着AI人工智能的崛起,机器学习、深度学习、模型训练等技术也慢慢泛化,java开发有idea,web开发有vscode,那么AI开发神器肯定离不开jupyter lab(基础版jupyter notebook) Jupyter notebook部署 1. 安装jupy…

基于Python实现多功能翻译助手(上)

创建一个支持多种语言翻译并且允许通过文件拖拽来输入文本的Python窗口应用程序是一个相对复杂的任务,涉及到多个库和组件。以下是一个简化的指南,展示如何使用Python的Tkinter库创建GUI窗口,结合Googletrans库进行翻译,以及使用P…

第十四章 MySQL

一、MySQL 1.1 MySql 体系结构 MySQL 架构总共四层,在上图中以虚线作为划分。 1. 最上层的服务并不是 MySQL 独有的,大多数给予网络的客户端/服务器的工具或者服务都有类似的架构。比如:连接处理、授权认证、安全等。 2. 第二层的架构包括…

Python连接MySQL

提示:文章写完后,目录可以自动生成,如何生成可参考右边的帮助文档 文章目录 一、整体思路二、连接流程三、表结构及代码实现 一、整体思路 二、连接流程 三、表结构及代码实现 代码块如下: import pymysqlcon pymysql.connect(h…

websocket 局域网 webrtc 一对一 视频通话的实例

基本介绍 使用websocket来 WebRTC 建立连接时的 数据的传递和交换。 WebRTC 建立连接时,通常需要按照以下顺序执行一些步骤: 1.创建本地 PeerConnection 对象:使用 RTCPeerConnection 构造函数创建本地的 PeerConnection 对象,该…

springboot共享单车系统

摘 要 随着科学技术的飞速发展,各行各业都在努力与现代先进技术接轨,通过科技手段提高自身的优势;对于共享单车管理系统当然也不能排除在外,随着网络技术的不断成熟,带动了共享单车管理系统,它彻底改变了过…

【JavaScript算法】DOM树层级显示

题目描述: 上述表达式的输出结果为 [DIV] [P, SPAN, P, SPAN] [SPAN, SPAN]直接上代码 let tree document.querySelector(".a"); function traverseElRoot(elRoot) {const result [];function traverse(element, level) {if (!result[level]) {resul…

跨境电商IP防关联是什么?有什么作用?

做跨境电商的朋友应该都知道IP防关联这个词,那么为何IP需要防关联呢?今天为大家来解答这个问题。 跨境电商IP防关联是指在跨境电商运营中,通过采取一系列技术手段,确保每个跨境电商账号使用独立的IP地址,以避免账号之间因为IP地址…

博鳌观察|对话百度沈抖:丰富的应用场景是中国AI赶超的最大机会

既要仰望星空,更要脚踏实地。在被巨大的技术风口裹挟了一年多后,我们与大模型的“相处方式”越来越清晰了。 3月28日,在博鳌亚洲论坛2024年年会现场,我们与百度集团执行副总裁、百度智能云事业群总裁沈抖进行了一次深度交流。 在…

智慧公厕厂家如何选择?光明源智能科技打造一流智慧公厕项目

在当今城市化进程中,智慧公厕已经成为提升城市品质、改善市民生活的重要一环。然而,要打造一流的智慧公厕项目,选择合适的厂家显得尤为重要。作为行业领军者,光明源智能科技在智慧公厕领域具有丰富的经验和卓越的技术实力。今天&a…

大数据学习-2024/3/29-oracle使用介绍

在plsql中登录ORACLE数据。 默认用户: 1、sys: 角色:数据库超级管理员账户。 权限:具有最高的权限,可以执行任何操作,包括操作数据字典和控制文件。可以创建和删除数据库对象,授予和回收其他用户…

计算机系统基础 5 物理地址的形成

历史 早期,程序员自己管理主存,通过分解程序并覆盖主存的方式执行程序 取指令和存储操作数所有的地址都是物理地址; 执行速度快,无需进行地址转换; 未采用虚拟存储机制。 1961年有人提出自动执行overlay…