MyFileServer_3 target machine

Information collection

Use arp-scan to find the IP. After ruling out the other hosts, the target IP is 192.168.187.175

nmap port scan

TCP

input the command:

nmap --min-rate 10000 -p- 192.168.187.175

There are quite a few open ports

UDP

input the command:

nmap -sU --min-rate 10000 -p- 192.168.187.175

Processing port information

Since many ports are open, we first process the scan output.

input the command:

nmap --min-rate 10000 -p- 192.168.187.175 -oA nmapscan/ports
# -oA writes the scan results in all output formats (normal, XML, grepable) to files named nmapscan/ports

input the command:

grep open nmapscan/ports.nmap | awk -F '/' '{print $1}'
# grep selects every line in nmapscan/ports.nmap that contains the word "open"
# awk -F '/' splits each of those lines on '/'
# '{print $1}' prints the first field, i.e. the port number

input the command:

ports=$(grep open nmapscan/ports.nmap | awk -F '/' '{print $1}' | paste -sd ',')
# paste -sd ',' joins the lines into a single line separated by commas
# the whole output is then assigned to the variable ports
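As an added example (not part of this walkthrough), the same extraction as a reusable shell function, run over a constructed .nmap file instead of the real scan. It is stricter than a plain grep for "open": only lines whose state is exactly open are kept, so "open|filtered" lines from a UDP scan are not swept into the port list. The file name, the sample host 192.0.2.10 and the port list below are all made up for the example.

```shell
#!/bin/sh
# Added example: parse nmap "normal output" (.nmap) and collect the open ports.
# Assumes POSIX awk and paste; the sample scan below is constructed, not real.

# Print the open ports of a .nmap file as one comma-separated line.
# A port line looks like "21/tcp   open  ftp"; splitting on '/' gives the
# port number in $1 and "tcp   open  ftp" in $2. The state must be the word
# "open" followed by a space or end of field, so "open|filtered" is skipped.
extract_open_ports() {
    awk -F'/' '$1 ~ /^[0-9]+$/ && $2 ~ /^[a-z]+ +open( |$)/ { print $1 }' "$1" \
        | paste -sd ','
}

# Constructed sample of nmap normal output (not the scan of the target).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Nmap 7.94 scan initiated (constructed sample output)
Nmap scan report for 192.0.2.10
Host is up (0.00042s latency).
Not shown: 65528 closed tcp ports (reset)
PORT      STATE    SERVICE
21/tcp    open     ftp
22/tcp    open     ssh
80/tcp    open     http
111/tcp   open     rpcbind
139/tcp   open     netbios-ssn
445/tcp   open     microsoft-ds
2049/tcp  open     nfs
8080/tcp  filtered http-proxy
# Nmap done -- 1 IP address (1 host up) scanned in 12.34 seconds
EOF

ports=$(extract_open_ports "$SAMPLE")
echo "open ports: $ports"
# → open ports: 21,22,80,111,139,445,2049
# The variable can then be passed to the service scan, e.g.
#   nmap -sC -sV -p "$ports" TARGET
```

The filtered 8080/tcp line is dropped because its state is not "open", and header or summary lines never match because their first field is not a number.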

nmap service scan of the open ports

input the command:

nmap -sC -sT -A -p $ports 192.168.187.175

Starting from the top: port 21 runs an FTP service that allows anonymous login, and the scan already lists the files inside. We will look at it later.

ssh and http are common services. 111 is the rpcbind port, and its output lists the services behind the ports below.

Ports 139 and 445 are the TCP ports of Samba. 2121 is another FTP service that also allows anonymous login. 2049 and 20048 are both NFS-related ports.

nmap vulnerability script scan

input the command:

nmap --script=vuln -p $ports 192.168.187.175

The scan did not find any exploitable vulnerability.

View port 21

Here you can log in anonymously and browse the contents. After logging in, switch to binary mode so that downloaded files are not corrupted and unreadable.

Looking around inside, there are a lot of files in the log directory. Without experience you would have to check them one by one, but files with sensitive names should be checked first, such as the secure file, which we should expect to contain security-related information. However, we do not have permission to download it here. We spent some time on the other files without finding any clues.

View port 2121

Port 2121 is also an FTP service that allows anonymous login, so let's try it. It turned out to have the same content as before, so I stopped looking.

View the Samba service ports

Ports 139 and 445 are open, which means the Samba service is enabled. This is a file sharing protocol, so file information may be found there. Let's go check it out.

input the command:

smbmap -H 192.168.187.175

Share with read and write permissions found

You can see that the smbdata share on the target IP has read and write permissions.

We go straight in to see what files are there, and see a familiar scene: it seems to be the same content we saw over FTP before, except that now we have permission to download files.

Below I saw an id_rsa and a note file with some hints about ssh private key login.

Download files

Here we download the files containing sensitive information and check them.

View files

View the secure file

Discover user password information

Looking at the secure file, I found user-related information at the bottom.

smbuser:chauthtok

Discover key information

View the contents of the sshd_config file

Password authentication is not permitted here, so we cannot log in with a password. Interestingly, that means a key is most likely used.
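As an added example (not from this walkthrough), a small shell helper that reads the effective value of a directive from an sshd_config file, used here to confirm that password logins are disabled. It reproduces two things that are easy to get wrong when auditing by eye: sshd honours the first occurrence of a keyword and ignores later duplicates, and keywords are case-insensitive. Conditional Match blocks are skipped, which is a simplification. The sample configuration below is constructed for the example.

```shell
#!/bin/sh
# Added example: read the effective value of an sshd_config directive.
# Assumes POSIX awk; Match blocks are ignored (simplification).

# sshd_effective FILE KEY
# Prints the value of KEY as sshd would apply it: the FIRST matching
# directive wins, the keyword is matched case-insensitively, and both
# "Key value" and "Key=value" spellings are accepted. Comments (# ...)
# are stripped. Prints nothing if the directive is absent (sshd default).
sshd_effective() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" -F '[ \t=]+' '
        { sub(/#.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t=]+$/, "") }   # strip comments and padding
        NF == 0 { next }
        tolower($1) == "match" { inmatch = 1; next }   # settings inside Match are conditional; skipped
        inmatch { next }
        tolower($1) == key { v = $2; for (i = 3; i <= NF; i++) v = v " " $i; print v; exit }
    ' "$1"
}

# Return 0 when password authentication is disabled, i.e. the directive is
# explicitly "no". An absent directive means sshd's default, which is yes.
password_auth_disabled() {
    v=$(sshd_effective "$1" PasswordAuthentication | tr 'A-Z' 'a-z')
    [ "$v" = "no" ]
}

# Constructed sshd_config for the example; note the later duplicate and the
# commented-out line, neither of which changes the effective value.
CFG=$(mktemp)
cat > "$CFG" <<'EOF'
# constructed sshd_config, not the target's file
Port 22
#PasswordAuthentication yes
PasswordAuthentication no   # first occurrence wins
PubkeyAuthentication yes
PermitRootLogin prohibit-password
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF

echo "PasswordAuthentication -> $(sshd_effective "$CFG" PasswordAuthentication)"
# → PasswordAuthentication -> no
if password_auth_disabled "$CFG"; then
    echo "password logins are disabled; a key is required"
fi
```

Running it against a real /etc/ssh/sshd_config is the quick way to check that a hardening directive such as PasswordAuthentication no is actually the one sshd will use, rather than one that is shadowed by an earlier line.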

Discover command hint information

View note.txt content

Translated, it says that the find command has been deleted, and it also hints at the getcap and capsh commands. We note this information down.

Discover the ssh key file

View the id_rsa file

This should be the private key. Based on the information collected so far, it should belong to the smbuser user, because that is the user I saw. I will try to log in with the private key later.

View the NFS protocol port

The NFS service uses port 2049. NFS stands for Network File System, a network shared file system. A system that enables this service can export a directory as an NFS share. We can first use the showmount tool to check whether the target machine has a shared folder.

input the command:

showmount -e 192.168.187.175

Here we see that the NFS export is /smbdata, the same name as the share before, and that access is restricted to clients whose IP is in the specified network segment. I gave up on this for the time being.

View the web client

Now let's access the http port. When opened, it is basically blank. Click the link on the page to try it.

It jumped to a new page that is obviously from another website and has little to do with our target machine.

View page source code

No additional information found here either

Directory brute-forcing

Here we use dirsearch and gobuster for directory brute-forcing

input the command:

dirsearch -u http://192.168.187.175

Some directories were found. The directory names look very much like the public key part of an ssh login.

input the command:

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.187.175 -x html,php,txt -t 50

Nothing found here

We accessed the directory and found the ssh public key, but it does not seem usable for the time being.

Try ssh private key login

Summarizing the information obtained, the only thing we can try for now is logging in with the ssh key. I tried to log in directly but failed. If the message below is unclear, we can translate it to see what went wrong.

View the problem

As you can see, our private key file permissions are too open. A private key may only be accessible to its owner and must not grant any permissions to others.

Adjust file permissions

So we just adjust the permissions, then log in with the private key. It turns out that the private key also requires a passphrase. Really annoying.

Crack the passphrase

We can use ssh2john to generate a hash from the key and then use john to crack it. You can see that the passphrase was cracked successfully.

SSH private key login

This time I entered the passphrase I just cracked and finally logged in successfully.

Privilege escalation

sudo privilege escalation

Tried sudo to elevate privileges, but it reported that the password was incorrect.

suid privilege escalation

I wanted to use find to locate files with the suid bit, but there was no response after running it. Then I remembered the note from the earlier information collection saying that the find command had been deleted, which is a bit strange.

View scheduled tasks

There are no usable files here.

View kernel version

linpeas.sh scan

With no other way forward, try scanning with automated tools. After the scan, the two most likely vulnerabilities were found. We can try them later.

Continuing to look for other information, I then discovered something surprising: the shadow file of this target machine is actually readable...

It's outrageous. Just put the root user's password hash into a file and John can crack it directly.

The wait was a little long, about half an hour, but it was finally cracked. (Too outrageous)

Take the flag

Now you can switch straight to the root user and get the flag.
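Two permission problems drive this box: the private key that ssh rejected as too open, and the /etc/shadow that any user could read. As an added example (not from this walkthrough), the shell functions below encode both checks, the first with the same rule ssh itself applies (any group or other bit set on the key file), the second flagging files readable by "others", so they can be run as a quick audit on a host. It assumes GNU stat (-c); the files it creates are constructed throwaways, not the target's.

```shell
#!/bin/sh
# Added example: permission checks for ssh private keys and password files.
# Assumes GNU coreutils stat. All files below are constructed for the demo.

# key_too_open FILE
# True when any group or other permission bit is set, which is exactly why
# ssh prints "Permissions 0644 for 'id_rsa' are too open": it requires
# (mode & 077) == 0 on a private key.
key_too_open() {
    mode=$(stat -c '%a' "$1")            # octal mode, e.g. 644
    [ $(( 0$mode & 077 )) -ne 0 ]
}

# world_readable FILE
# True when the "others" read bit is set. /etc/shadow must never be world
# readable; on this target it was, which handed out every password hash.
world_readable() {
    mode=$(stat -c '%a' "$1")
    [ $(( 0$mode & 04 )) -ne 0 ]
}

# audit_perms FILE...
# Report world-readable files among the arguments; returns 1 if any found.
audit_perms() {
    rc=0
    for f in "$@"; do
        [ -e "$f" ] || continue
        if world_readable "$f"; then
            echo "WORLD-READABLE: $f ($(stat -c '%a %U:%G' "$f"))"
            rc=1
        fi
    done
    return $rc
}

# Constructed demo files (not a real key, not a real hash).
demo=$(mktemp -d)
printf 'constructed placeholder, not a real private key\n' > "$demo/id_rsa"
chmod 644 "$demo/id_rsa"
printf 'root:$6$constructed$placeholderhash:19000:0:99999:7:::\n' > "$demo/shadow"
chmod 644 "$demo/shadow"

if key_too_open "$demo/id_rsa"; then
    echo "id_rsa is too open; ssh will refuse it, fixing with chmod 600"
    chmod 600 "$demo/id_rsa"
fi
key_too_open "$demo/id_rsa" || echo "id_rsa permissions are now acceptable"

# The fix for the shadow finding on a real host is: chown root:shadow /etc/shadow
# and chmod 640 /etc/shadow (mode 000 or 600 is also common); here we just report.
audit_perms "$demo/shadow" || echo "shadow hashes were exposed; tighten to 640 root:shadow"
rm -rf "$demo"
```

For a real audit, call audit_perms on /etc/shadow, /etc/gshadow and any application secret files, and key_too_open on every ~/.ssh/id_* private key; both return a non-zero status on a finding, so they drop straight into a cron job or a configuration-management check.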

Extra methods

Following the original line of thought, there is another way: use a kernel vulnerability to escalate privileges. The tool I ran earlier flagged two very likely vulnerabilities, and from their names you can tell they are Dirty COW.

Let's search directly for Dirty COW privilege escalation.

Normally you have to try the candidates one by one, and in the end the 40616.c file can be used to escalate privileges.

First copy the file to the local machine

Then compile the file

Start an http service locally

Then download the file on the target machine

Then we compiled the file; at first an error was reported, and after reading the error message we linked the pthread library and the compilation succeeded.

Then run the file and you will find that privileges are elevated to root. (However, this privilege escalation is not stable and crashes after about a minute, so read the flag quickly.)