Information collection
Use arp-scan to find the live hosts on the network. After ruling out the other hosts, our target IP is 192.168.187.175.
nmap port scan
TCP
input the command:
nmap --min-rate 10000 -p- 192.168.187.175
Quite a few ports are open.
UDP
input the command:
nmap -sU --min-rate 10000 -p- 192.168.187.175
Processing port information
Since many ports are open, we first pull the port numbers out of the scan output.
input the command:
nmap --min-rate 10000 -p- 192.168.187.175 -oA nmapscan/ports
# -oA saves the results in all three formats (normal, grepable and XML) under nmapscan/ports.*
input the command:
grep open nmapscan/ports.nmap | awk -F '/' '{print $1}'
# grep selects every line of nmapscan/ports.nmap containing the word open
# awk -F '/' splits each of those lines on '/' and '{print $1}' prints the first field, the port number
input the command:
ports=$(grep open nmapscan/ports.nmap | awk -F '/' '{print $1}' | paste -sd ',')
# paste -sd ',' joins the lines into a single comma-separated list, which is assigned to the variable ports
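The grep/awk/paste pipeline above does the job, but it also matches any line that merely contains the word open. As an added example (not part of the original write-up), here is a small Python parser for nmap's normal output that matches only real port lines, keeps TCP and UDP separate, and by default drops the ambiguous open|filtered state that UDP scans produce. The nmap output embedded in it is a constructed sample, not the real scan of the target.

```python
import re

# Constructed sample of nmap "normal" (-oN / .nmap) output, standing in for
# nmapscan/ports.nmap. Service names are nmap's default guesses, not a real scan.
SAMPLE_NMAP = """\
Nmap scan report for 192.168.187.175
Host is up (0.00041s latency).
Not shown: 65525 closed tcp ports (reset)
PORT      STATE         SERVICE
21/tcp    open          ftp
22/tcp    open          ssh
80/tcp    open          http
111/tcp   open          rpcbind
139/tcp   open          netbios-ssn
445/tcp   open          microsoft-ds
2049/tcp  open          nfs
2121/tcp  open          ccproxy-ftp
20048/tcp open          mountd
123/udp   open|filtered ntp
"""

# A port line is: <port>/<proto> <state> <service> [version...]
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_open_ports(nmap_text, proto="tcp", include_filtered=False):
    """Return a list of (port, service) tuples for ports reported open.

    Only lines that start with a port/protocol pair are considered, so a
    hostname or banner containing the word "open" cannot slip in. TCP and
    UDP results are kept apart, and the "open|filtered" state is dropped
    unless the caller asks for it.
    """
    found = []
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue
        port, line_proto, state, service = m.groups()
        if line_proto != proto:
            continue
        if state == "open" or (include_filtered and state == "open|filtered"):
            found.append((int(port), service))
    return found


def port_list(nmap_text, proto="tcp"):
    """Comma-separated port list, the same shape the paste -sd ',' step yields."""
    return ",".join(str(p) for p, _ in parse_open_ports(nmap_text, proto))


if __name__ == "__main__":
    # This string is what you would hand to nmap -p for the follow-up scan.
    print(port_list(SAMPLE_NMAP))
```

Reading the .nmap file instead of the embedded sample is a matter of `open("nmapscan/ports.nmap").read()`; the grepable .gnmap format would need a different regex.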
nmap service scan of the open ports
input the command:
nmap -sC -sT -A -p $ports 192.168.187.175
Starting from the top: port 21 runs an FTP service that allows anonymous login, and the scan already lists the files inside. We will look at it later.
SSH and HTTP are the usual services. 111 is the RPC port (rpcbind); its listing maps the RPC programs to the ports that follow.
Ports 139 and 445 are the TCP ports used by Samba. 2121 is a second FTP service that also allows anonymous login. 2049 and 20048 are NFS-related ports.
nmap vulnerability script scanning
input the command:
nmap --script=vuln -p $ports 192.168.187.175
This scan turned up no exploitable vulnerability information.
View port 21
Anonymous login works, so we can browse the content directly. After logging in, switch to binary mode so downloaded files are not corrupted and left unreadable.
Inside, the log directory holds a lot of files. Without experience you would have to check them one by one, but files with sensitive names deserve priority, such as the file named secure in there, which we should have expected to hold security-related information. We don't have permission to download it here, though. We spent time checking the other files but found no clues.
View port 2121
Port 2121 is also an FTP service with anonymous login, so let's try it. It turned out to hold the same content as before, so I stopped reading.
View samba service port
Ports 139 and 445 being open means the Samba service is running. This is a file-sharing protocol, so file information may be available there. Let's go check it out.
input the command:
smbmap -H 192.168.187.175
Writable share found
You can see that the smbdata share on the target has both read and write permissions.
We go straight in to see what files are there, and we see a familiar scene: it looks like the same content we saw over FTP before, but now we have permission to download the files.
Files
Below it I saw an id_rsa file and a note file with hints about logging in to SSH with a private key.
Download file
Download the files that look sensitive and examine them.
View files
View secure files
Discover user password information
Looking at the secure file, user-related information appears at the bottom:
smbuser:chauthtok
Discover key information
View the contents of the sshd_config file
Password authentication is disabled here, so we cannot log in with a password. That strongly suggests key-based login is expected.
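The sshd_config finding above (password authentication off, so a key is expected) is exactly what a configuration audit looks for. As an added example, not part of the original write-up, here is a Python function that reads an sshd_config the way sshd does (the first value of a keyword wins) and reports the effective authentication posture, filling in OpenSSH's defaults for absent keywords. The config text inside is a constructed sample, not the target's file, and keywords inside Match blocks are skipped as a simplification.

```python
# Constructed sshd_config excerpt used as sample input; not the file from the target.
SAMPLE_SSHD_CONFIG = """\
# Authentication settings
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# sshd ignores this later duplicate: the first value of a keyword wins
PasswordAuthentication yes
"""

# Values OpenSSH sshd applies when the keyword is absent from the file.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
}


def parse_sshd_config(text):
    """Map lowercased keyword -> first value seen, mimicking sshd's first-match rule.

    Blank lines and lines starting with '#' are comments. Everything after a
    'Match' header applies conditionally and needs the matching context to
    evaluate, so those lines are skipped here (a simplification).
    """
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        settings.setdefault(key, value)  # keep the first occurrence only
    return settings


def auth_summary(text):
    """Report the effective authentication posture, falling back to sshd defaults."""
    cfg = parse_sshd_config(text)
    eff = {k: cfg.get(k, d) for k, d in DEFAULTS.items()}
    return {
        "password_login": eff["passwordauthentication"].lower() == "yes",
        "pubkey_login": eff["pubkeyauthentication"].lower() == "yes",
        "root_login": eff["permitrootlogin"].lower(),
    }


if __name__ == "__main__":
    print(auth_summary(SAMPLE_SSHD_CONFIG))
```

On a real host you would pass the contents of /etc/ssh/sshd_config; note that a file with no PasswordAuthentication line at all still allows password login, because the default is yes.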
Discover command prompt information
View note.txt content
Translated, the note says the find command has been deleted, and it also hints at the getcap and capsh commands. We note this information down.
Discover ssh key file
View id_rsa file
This should be the private key. Given the information gathered so far, it most likely belongs to smbuser, since that is the user we saw; I will try logging in with it later.
View nfs protocol port
The NFS service uses port 2049. NFS stands for Network File System, a network file-sharing protocol: a system running it exports a directory as a shared folder. We can first use the showmount tool to check whether the target exports any shared directories.
input the command:
showmount -e 192.168.187.175
The export here is /smbdata, the same name as the Samba share we saw earlier, but access is restricted to a particular network segment, so our IP would have to fall inside it. I have put this aside for the time being.
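Whether a client may mount an export is decided by the client list printed next to each path in showmount -e output, which is why our IP had to be in the allowed network segment above. As an added example, not from the original write-up, this Python snippet parses that listing and, using the ipaddress module, tells whether a given client address is permitted and flags exports open to everyone (*), which is the finding a defender would act on. The showmount output and the 192.168.187.0/24 client range in it are constructed samples; the target's real export list is not shown on this page.

```python
import ipaddress

# Constructed sample of `showmount -e` output; the client lists are made up.
SAMPLE_SHOWMOUNT = """\
Export list for 192.168.187.175:
/smbdata 192.168.187.0/24
/public  *
/backup  10.0.0.0/8,192.168.1.50
"""


def parse_exports(text):
    """Return {export_path: [client_spec, ...]} from showmount -e output.

    The header line and anything not starting with '/' is ignored; the
    client column is a comma-separated list of hosts, networks or '*'.
    """
    exports = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].startswith("/"):
            continue
        exports[parts[0]] = parts[1].split(",")
    return exports


def client_allowed(client_ip, specs):
    """True if client_ip matches any spec: '*', a CIDR/netmask network, or one host.

    Hostnames and @netgroup entries need DNS or NIS to resolve, so they are
    treated as non-matching here rather than guessed at.
    """
    ip = ipaddress.ip_address(client_ip)
    for spec in specs:
        if spec == "*":
            return True
        try:
            if ip in ipaddress.ip_network(spec, strict=False):
                return True
        except ValueError:
            continue  # not an address or network: hostname or netgroup
    return False


def audit_exports(text, client_ip):
    """For each export: can client_ip mount it, and is it exported to the world?"""
    report = {}
    for path, specs in parse_exports(text).items():
        report[path] = {
            "allowed": client_allowed(client_ip, specs),
            "world": "*" in specs,
        }
    return report


if __name__ == "__main__":
    for path, info in audit_exports(SAMPLE_SHOWMOUNT, "192.168.187.100").items():
        print(path, info)
```

The same functions work on a host's own /etc/exports if you first strip the per-client option parentheses, since the path-then-clients layout is the same.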
View the web client
Now let's open the HTTP port. The page is almost blank; click the link on it to try.
It redirected to a new page that clearly belongs to another website and has little to do with our target machine.
View page source code
No additional information here either.
Directory brute-forcing
Here we use dirsearch and gobuster to brute-force directories.
input the command:
dirsearch -u http://192.168.187.175
Some directories were found. Their names look very much like the public-key side of SSH login.
input the command:
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.187.175 -x html,php,txt -t 50
Nothing found here.
Visiting the directory, we find the SSH public key part, but it does not seem usable for now.
Try ssh private key login
Summarizing what we have, the only thing to try for now is logging in with the SSH key. Logging in directly failed. If the error message below is unclear, we can translate it to see what went wrong.
View the error message
As you can see, our private key file's permissions are too open. A private key may be used only by its owner and must grant no permissions to anyone else.
Adjust file permissions
So we simply adjust the permissions and log in with the private key again. It turns out the key also requires a passphrase. Really frustrating.
Crack the passphrase
We use ssh2john to turn the encrypted key into a hash and then john to crack it. You can see the passphrase was cracked successfully.
SSH private key login
This time I entered the password I just cracked and finally logged in successfully.
Elevation of privilege
sudo privilege escalation
Tried sudo to elevate privileges, but it said the password was incorrect.
suid privilege escalation
I wanted to use find to locate files with the SUID bit, but the command produced no response. Then I remembered the note from the information-collection phase saying the find command had been deleted, which is a bit odd.
View scheduled tasks
Nothing usable here.
View kernel version
linpeas.sh scan
With no other leads, try an automated scanner. After the scan, it flagged the two most likely vulnerabilities; we can try them later.
Continuing through the output for other information, I found something surprising: the contents of the target's shadow file were dumped in plain view . . .
That's outrageous. Just put the root user's password hash into a file and john can crack it directly.
The wait was a little long, about half an hour, but it was cracked in the end. (Too outrageous)
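Two permission problems appear in this walkthrough: the downloaded private key was too open for ssh to accept, and the target's shadow file was readable by an unprivileged user. As an added example (not part of the original write-up), this Python snippet reproduces both checks on constructed files in a temporary directory: the key check mirrors OpenSSH's rule that any group or other permission bit makes a private key unusable, the shadow check looks for the other-read bit that should never be set, and the demo shows the key passing once it is set to mode 600 as the walkthrough did. File names and contents are constructed.

```python
import os
import stat
import tempfile


def too_open_for_ssh_key(path):
    """Mirror OpenSSH's private-key check: if any group or other permission
    bit is set, ssh refuses the key with 'Permissions ... are too open'."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o077 != 0


def shadow_world_readable(path):
    """/etc/shadow must not carry the other-read bit; if it does, every local
    user can read the password hashes and feed them to a cracker."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & stat.S_IROTH != 0


def demo():
    """Create two constructed files, check them as found, apply the fixes, re-check."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "id_rsa")       # constructed stand-in for the downloaded key
        shadow = os.path.join(d, "shadow")    # constructed stand-in for /etc/shadow
        with open(key, "w") as f:
            f.write("-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed sample\n")
        with open(shadow, "w") as f:
            f.write("root:*:19000:0:99999:7:::\n")  # constructed line, locked account

        os.chmod(key, 0o644)     # typical mode of a freshly downloaded file
        os.chmod(shadow, 0o644)  # the misconfiguration found on the target
        results["key_before"] = too_open_for_ssh_key(key)
        results["shadow_world_readable"] = shadow_world_readable(shadow)

        os.chmod(key, 0o600)     # the fix applied in the walkthrough: owner only
        results["key_after"] = too_open_for_ssh_key(key)
        os.chmod(shadow, 0o640)  # root-owned, readable by the shadow group only
        results["shadow_after"] = shadow_world_readable(shadow)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Pointing shadow_world_readable at the real /etc/shadow is a one-line host check worth adding to any baseline audit; the mode alone does not catch a shadow file owned by the wrong user, so a full check would also compare st_uid against root.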
Take the flag
Now you can directly switch to the root user and get the flag.
Extra methods
Following the original idea, there is another route: kernel vulnerability privilege escalation. The tool earlier flagged two very likely vulnerabilities, and you can tell from their names that they are Dirty COW.
Let's search directly for Dirty COW privilege escalation.
Normally you have to try the candidates one by one; in the end the 40616.c file is the one that works for privilege escalation.
First copy the file to local
Then compile the file
Start an http service locally
Then download the file in the target machine
Then we compiled the file. It errored at first; after reading the error message we linked the pthread library and the compilation succeeded.
Executing the file elevates privileges to root. (This escalation is unstable, though: the system crashes after about a minute, so read the flag quickly.)